CASSSIDECAR-161: Add RBAC Authorization support in Sidecar #165
Conversation
server-common/src/main/java/org/apache/cassandra/sidecar/db/schema/AbstractSchema.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/Action.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/Action.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AllowAllAuthorization.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AdminIdentityResolver.java
Outdated
Show resolved
Hide resolved
.../main/java/org/apache/cassandra/sidecar/acl/authorization/AllowAllAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
client-common/src/main/java/org/apache/cassandra/sidecar/common/ApiEndpointsV1.java
Show resolved
Hide resolved
...n/java/org/apache/cassandra/sidecar/common/server/exceptions/SchemaUnavailableException.java
Outdated
Show resolved
Hide resolved
server-common/src/main/java/org/apache/cassandra/sidecar/db/schema/AbstractSchema.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/Action.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/db/SystemAuthDatabaseAccessor.java
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/AccessProtectedRouteBuilder.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/RingHandler.java
Show resolved
Hide resolved
...test/integration/org/apache/cassandra/sidecar/acl/RoleBasedAuthorizationIntegrationTest.java
Show resolved
Hide resolved
server/src/test/java/org/apache/cassandra/sidecar/acl/authorization/ActionTest.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/CassandraActions.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/Action.java
Outdated
Show resolved
Hide resolved
...er/src/main/java/org/apache/cassandra/sidecar/acl/authorization/RoleAuthorizationsCache.java
Outdated
Show resolved
Hide resolved
...er/src/main/java/org/apache/cassandra/sidecar/acl/authorization/RoleAuthorizationsCache.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/StandardAction.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/StandardAction.java
Outdated
Show resolved
Hide resolved
|
Thanks for the review @nvharikrishna and @bbotella appreciate it, addressed your comments. |
sarankk
force-pushed
the
authorization
branch
2 times, most recently
from
bd34d9e to
d88b2db
Compare
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/Action.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/Action.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/Action.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AdminIdentityResolver.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AdminIdentityResolver.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/db/schema/SystemAuthSchema.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/db/schema/SystemAuthSchema.java
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/AccessProtectedRouteBuilder.java
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/AccessProtectedRouteBuilder.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/AccessProtectedRouteBuilder.java
Outdated
Show resolved
Hide resolved
...er/src/main/java/org/apache/cassandra/sidecar/acl/authorization/RoleAuthorizationsCache.java
Show resolved
Hide resolved
...test/integration/org/apache/cassandra/sidecar/acl/RoleBasedAuthorizationIntegrationTest.java
Show resolved
Hide resolved
...er/src/main/java/org/apache/cassandra/sidecar/acl/authorization/RoleAuthorizationsCache.java
Outdated
Show resolved
Hide resolved
...er/src/main/java/org/apache/cassandra/sidecar/acl/authorization/RoleAuthorizationsCache.java
Outdated
Show resolved
Hide resolved
...er/src/main/java/org/apache/cassandra/sidecar/acl/authorization/RoleAuthorizationsCache.java
Outdated
Show resolved
Hide resolved
...er/src/main/java/org/apache/cassandra/sidecar/acl/authorization/RoleAuthorizationsCache.java
Show resolved
Hide resolved
...main/java/org/apache/cassandra/sidecar/acl/authorization/RoleBasedAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/SidecarPermissions.java
Outdated
Show resolved
Hide resolved
| // SSTable related permissions | ||
| public static final Permission UPLOAD_SSTABLE = new WildcardPermission("UPLOAD:SSTABLE"); | ||
| public static final Permission IMPORT_SSTABLE = new WildcardPermission("IMPORT:SSTABLE"); | ||
| public static final Permission STREAM_SSTABLE = new WildcardPermission("STREAM:SSTABLE"); |
There was a problem hiding this comment.
What about using READ to replace both VIEW and STREAM? Do we need to distinguish between those 2 read operations?
There was a problem hiding this comment.
Should we have READ and STREAM. We can use read for listing snapshots, reading topology, listing restore job in place of VIEW to align with http methods. STREAM feels like a separate action, hence distinction?
There was a problem hiding this comment.
One for use case for separating READ and STREAM . We have to allow permission for listing cdc segments and streaming them, currently we have READ:CDC and STREAM:CDC separately.
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/SidecarPermissions.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/SidecarPermissions.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/SidecarPermissions.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/KeyspaceRingHandler.java
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/KeyspaceSchemaHandler.java
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/KeyspaceRingHandler.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/restore/RestoreJobProgressHandler.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/restore/RestoreJobSummaryHandler.java
Outdated
Show resolved
Hide resolved
server/src/test/java/org/apache/cassandra/sidecar/server/ServerTest.java
Outdated
Show resolved
Hide resolved
Currently operators will have to directly insert into sidecar role_permissions_v1 table for granting sidecar related permissions and use |
|
|
||
| /** | ||
| * sidecar_internal.role_permissions_v1 table holds custom sidecar permissions that are not stored in Cassandra. | ||
| * Permissions are stored against resource. |
There was a problem hiding this comment.
Permissions are stored against both role and resource right (both role and resource are part of primary key)?
There was a problem hiding this comment.
Yes, I ported over the same schema we have in Cassandra
| return getAllRolesAndPermissions; | ||
| } | ||
|
|
||
| private static class CqlLiterals |
There was a problem hiding this comment.
This private static class is holding only one static method. Any reason to have this class? Can the static method of this class can be part of its parent?
There was a problem hiding this comment.
We have followed this approach in other TableSchema classes, I followed pattern for consistency
server/src/main/java/org/apache/cassandra/sidecar/db/schema/SidecarRolePermissionsSchema.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/db/schema/SystemAuthSchema.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/AccessProtectedRouteBuilder.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/KeyspaceSchemaHandler.java
Outdated
Show resolved
Hide resolved
| public Set<Authorization> requiredAuthorizations() | ||
| { | ||
| List<String> eligibleResources = VariableAwareResource.DATA_WITH_KEYSPACE.expandedResources(); | ||
| return Collections.singleton(SidecarPermissions.READ_RING.toAuthorization(eligibleResources)); |
There was a problem hiding this comment.
Doesn't it need authorization/permission for keyspace?
There was a problem hiding this comment.
Yes it does, in Cassandra if user has permission for data resource then they get access to all keyspaces under data. Hence we are expanding resources to allow access when user has access to a wider resource.
| /** | ||
| * Test for {@link AccessProtectedRouteBuilder} | ||
| */ | ||
| public class AccessProtectedRouteBuilderTest |
There was a problem hiding this comment.
Can you add 1) a positive test and 2) build AcessProtectedRouteBuilder without any AccessProtected handler?
server/src/main/java/org/apache/cassandra/sidecar/routes/RingHandler.java
Show resolved
Hide resolved
server/src/main/java/org/apache/cassandra/sidecar/routes/AccessProtectedRouteBuilder.java
Outdated
Show resolved
Hide resolved
frankgh
force-pushed
the
authorization
branch
from
58fa80f to
f4af6be
Compare
Co-authored-by: Raymond Welgosh <[email protected]> Co-authored-by: Saranya Krishnakumar <[email protected]>
| @@ -16,21 +16,21 @@ | |||
| * limitations under the License. | |||
| */ | |||
|
|
|||
| package org.apache.cassandra.sidecar.exceptions; | |||
| package org.apache.cassandra.sidecar.common.server.exceptions; | |||
There was a problem hiding this comment.
let's avoid moving classes to another package.
There was a problem hiding this comment.
I don't see the exception there I see it under org.apache.cassandra.sidecar.exceptions
There was a problem hiding this comment.
oh looks like this is a old comment
| @@ -1,101 +1,38 @@ | |||
| /* | |||
There was a problem hiding this comment.
we should preserve the license header.
There was a problem hiding this comment.
again looks like an old comment.
| Preconditions.checkArgument(router != null, "Router must be set"); | ||
| Preconditions.checkArgument(method != null, "Http method must be set"); | ||
| Preconditions.checkArgument(endpoint != null && !endpoint.isEmpty(), "Endpoint must be set"); |
There was a problem hiding this comment.
NIT, use Objects.requireNonNull instead
There was a problem hiding this comment.
I check for empty string too endpoint != null && !endpoint.isEmpty()
server/src/main/java/org/apache/cassandra/sidecar/routes/KeyspaceSchemaHandler.java
Outdated
Show resolved
Hide resolved
...r/src/main/java/org/apache/cassandra/sidecar/routes/sstableuploads/SSTableImportHandler.java
Show resolved
Hide resolved
| CassandraInputValidationConfiguration inputValidationConfiguration | ||
| = new CassandraInputValidationConfigurationImpl(DEFAULT_FORBIDDEN_KEYSPACES, | ||
| // some tests generate table folders with - | ||
| "[a-zA-Z][a-zA-Z0-9_-]{0,47}", |
There was a problem hiding this comment.
this is not correct. For the stream sstable from snapshot endpoint we will get a table from the path that has the tableId. We should remove tableId from the path to be able to correctly validate. Otherwise my suspicion is that you will always get unauthorized for the table, because it won't match the table name
There was a problem hiding this comment.
Good catch, will update this
No description provided.