[ https://issues.apache.org/jira/browse/TINKERPOP-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shekhar Bansal updated TINKERPOP-2389:
--------------------------------------
Description:
Use case:
# TinkerPop supports multiple graphs using a single API, and an admin might want
to restrict access to some of the graphs.
# An admin might want to restrict read/write access to certain users.
Proposal
Add read/write access restrictions at the graph level. We can extend it to
executing scripts by adding execute privileges.

Changes required
Add an `authorizer` block similar to the `authentication` block in the yaml file:
{code:yaml}
authorization: {
  authorizer: org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
  authorizationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
  config: {}
}
{code}
Authorization will be done only if authentication is enabled. Authentication is
done on a per-session basis, while authorization will be done for each and every
request.
In `SaslAuthorizationHandler` or `HttpAuthorizationHandler` the query will be
parsed and, depending on the step instructions, marked as type read or write;
privilege evaluation will then be done by calling the `isAccessAllowed` method of
`Authorizer`:
{code:java}
import java.util.Map;

public interface Authorizer {
    /**
     * Whether or not an authorization check is required.
     * If false, no authorization is performed for the user.
     */
    public boolean requireAuthorization();

    /**
     * Setup is called once upon system startup to initialize the {@code Authorizer}.
     */
    public void setup(final Map<String, Object> config);

    /**
     * A "standard" authorization check: returns true when the request is allowed.
     */
    public boolean isAccessAllowed(AuthorizationRequest authorizationRequest)
            throws AuthorizationException;
}
{code}
Access policies can be defined in tools like `Apache Ranger`; sample policy:
!Screenshot 2020-06-25 at 15.15.04.png!
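As an added illustration (not code from the issue or from TinkerPop), a default-deny Authorizer that enforces per-graph read/write grants loaded from its config map, together with the read/write classification the handler would perform on the parsed step instructions. The fields of AuthorizationRequest, the "acl" config key and the "r"/"w"/"rw" grant strings are assumptions.

```java
import java.util.*;

// Assumed request shape: the proposal names AuthorizationRequest but does not define its fields.
final class AuthorizationRequest {
    enum Access { READ, WRITE }
    final String user, graph; final Access access;
    AuthorizationRequest(String user, String graph, Access access) {
        this.user = user; this.graph = graph; this.access = access;
    }
}

final class AuthorizationException extends Exception {
    AuthorizationException(String msg) { super(msg); }
}

// The Authorizer contract as sketched in the issue.
interface Authorizer {
    boolean requireAuthorization();
    void setup(Map<String, Object> config);
    boolean isAccessAllowed(AuthorizationRequest req) throws AuthorizationException;
}

// Per-graph ACL (assumed layout): config key "acl" maps "graph:user" to "r", "w" or "rw".
// A (graph, user) pair with no entry gets no grant, so the policy is default-deny.
final class GraphAclAuthorizer implements Authorizer {
    private final Map<String, String> acl = new HashMap<>();
    public boolean requireAuthorization() { return true; }
    @SuppressWarnings("unchecked")
    public void setup(Map<String, Object> config) {
        acl.putAll((Map<String, String>) config.getOrDefault("acl", new HashMap<>()));
    }
    public boolean isAccessAllowed(AuthorizationRequest r) throws AuthorizationException {
        String grant = acl.getOrDefault(r.graph + ":" + r.user, "");
        boolean ok = r.access == AuthorizationRequest.Access.READ ? grant.contains("r") : grant.contains("w");
        if (!ok) throw new AuthorizationException(r.user + " lacks " + r.access + " on " + r.graph);
        return true;
    }
}

// Classifier over bytecode step names: a single mutating step makes the whole traversal
// a WRITE, so a read-only grant cannot be used to slip a mutation into a "read" query.
final class QueryClassifier {
    private static final Set<String> WRITE_STEPS =
        new HashSet<>(Arrays.asList("addV", "addE", "property", "drop"));
    static AuthorizationRequest.Access classify(List<String> stepNames) {
        return stepNames.stream().anyMatch(WRITE_STEPS::contains)
            ? AuthorizationRequest.Access.WRITE : AuthorizationRequest.Access.READ;
    }
}
```

With this layout, `QueryClassifier.classify(Arrays.asList("V", "has", "addE"))` yields WRITE, and a user holding only "r" on that graph is rejected by `isAccessAllowed` with an AuthorizationException.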
was:
Use case:
# TinkerPop supports multiple graphs using a single API, and an admin might want to
restrict access to some of the graphs.
# An admin might want to restrict read/write access on a certain graph.
Proposal
Add read/write access restrictions at the graph level. We can extend it to
executing scripts by adding execute privileges.

Changes required
Add an `authorizer` block similar to the `authentication` block in the yaml file:
{code:yaml}
authorization: {
  authorizer: org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
  authorizationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
  config: {}
}
{code}
Authorization will be done only if authentication is enabled. Authentication is
done on a per-session basis, while authorization will be done for each and every
request.
In `SaslAuthorizationHandler` or `HttpAuthorizationHandler` the query will be
parsed and, depending on the step instructions, marked as type read or write;
privilege evaluation will then be done by calling the `isAccessAllowed` method of
`Authorizer`:
{code:java}
import java.util.Map;

public interface Authorizer {
    /**
     * Whether or not an authorization check is required.
     * If false, no authorization is performed for the user.
     */
    public boolean requireAuthorization();

    /**
     * Setup is called once upon system startup to initialize the {@code Authorizer}.
     */
    public void setup(final Map<String, Object> config);

    /**
     * A "standard" authorization check: returns true when the request is allowed.
     */
    public boolean isAccessAllowed(AuthorizationRequest authorizationRequest)
            throws AuthorizationException;
}
{code}
Access policies can be defined in tools like `Apache Ranger`; sample policy:
!Screenshot 2020-06-25 at 15.15.04.png!
> Authorization support in Tinkerpop
> ----------------------------------
>
> Key: TINKERPOP-2389
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2389
> Project: TinkerPop
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.4.7
> Reporter: Shekhar Bansal
> Priority: Major
> Attachments: Screenshot 2020-06-25 at 15.15.04.png
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)