[ https://issues.apache.org/jira/browse/TINKERPOP-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17144838#comment-17144838 ]
Stephen Mallette commented on TINKERPOP-2389:
---------------------------------------------

Added the DISCUSS thread from the dev list: https://lists.apache.org/thread.html/r3821545a4ba2065ea8e0fa4d57b1669062366d44abc52f5844d41f61%40%3Cdev.tinkerpop.apache.org%3E

> Authorization support in Tinkerpop
> ----------------------------------
>
>                 Key: TINKERPOP-2389
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2389
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.4.7
>            Reporter: Shekhar Bansal
>            Priority: Major
>         Attachments: Screenshot 2020-06-25 at 15.15.04.png
>
>
> Use case:
> # Tinkerpop supports multiple graphs using a single API and admin might want
> to restrict access to some of the graphs.
> # Admin might want to restrict read/write access to certain users.
>
> Proposal
> Add read/write access restrictions at graph level. We can extend it to
> executing scripts by adding execute privileges.
>
> Changes required
> Add `authorizer` block similar to `authentication` block in yaml file
>
> {code:java}
> authorization: {
>   authorizer: org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
>   authorizationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
>   config: {
>   }
> }{code}
>
> Authorization will be done only if authentication is enabled. Authentication
> is done at per session basis while authorization will be done for each and
> every request.
> In `SaslAuthorizationHandler` or `HttpAuthorizationHandler` query will be
> parsed and depending on the step instructions, the query will be marked as of
> type read or write and then privilege evaluation will be done by calling
> `isAccessAllowed` method of `Authorizer`
> {code:java}
> public interface Authorizer {
>     /**
>      * Whether or not the authorization requires check.
>      * If false will not authorize user.
>      */
>     public boolean requireAuthorization();
>
>     /**
>      * Setup is called once upon system startup to initialize the {@code Authorizer}.
>      */
>     public void setup(final Map<String, Object> config);
>
>     /**
>      * A "standard" authorization implementation
>      */
>     public boolean isAccessAllowed(AuthorizationRequest authorizationRequest) throws AuthorizationException;
> }
> {code}
> Access policies can be defined in tools like `Apache Ranger`, sample policy:
> !Screenshot 2020-06-25 at 15.15.04.png|width=1017,height=548!
>
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
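The per-graph read/write check the proposal describes, written out as an added example; this is not TinkerPop's code nor the reporter's, and `AuthorizationRequest`, `AuthorizationException`, the `policy` config format and the `GraphPolicyAuthorizer` class are assumptions made for the example. It classifies a request from the names of its parsed traversal steps and denies anything the policy does not explicitly grant.

```java
import java.util.*;

// Hypothetical stand-ins for the proposal's AuthorizationRequest/AuthorizationException (not TinkerPop API).
class AuthorizationException extends Exception { AuthorizationException(String m) { super(m); } }
final class AuthorizationRequest {
    final String user, graph; final List<String> steps; // steps: names of the parsed traversal steps
    AuthorizationRequest(String u, String g, List<String> s) { user = u; graph = g; steps = s; }
}

// The interface exactly as proposed in the issue.
interface Authorizer {
    boolean requireAuthorization();
    void setup(Map<String, Object> config);
    boolean isAccessAllowed(AuthorizationRequest request) throws AuthorizationException;
}

// Per-graph READ/WRITE policy: a request needs WRITE when any parsed step mutates the graph.
class GraphPolicyAuthorizer implements Authorizer {
    enum Privilege { READ, WRITE }
    private static final Set<String> MUTATING_STEPS = Set.of("addV", "addE", "property", "drop");
    // user -> graph -> granted privileges; anything not listed is denied (default deny)
    private final Map<String, Map<String, Set<Privilege>>> policy = new HashMap<>();
    @Override public boolean requireAuthorization() { return true; }

    // config key "policy" (constructed format): "user:graph:READ,WRITE;otherUser:graph:READ"
    @Override public void setup(Map<String, Object> config) {
        for (String rule : ((String) config.getOrDefault("policy", "")).split(";")) {
            if (rule.isBlank()) continue;
            String[] f = rule.split(":");
            Set<Privilege> privs = EnumSet.noneOf(Privilege.class);
            for (String p : f[2].split(",")) privs.add(Privilege.valueOf(p.trim()));
            policy.computeIfAbsent(f[0], k -> new HashMap<>()).put(f[1], privs);
        }
    }
    // Classify from parsed step names, not by substring-matching the raw script text.
    static Privilege classify(List<String> steps) {
        for (String s : steps) if (MUTATING_STEPS.contains(s)) return Privilege.WRITE;
        return Privilege.READ;
    }
    @Override public boolean isAccessAllowed(AuthorizationRequest r) throws AuthorizationException {
        Privilege needed = classify(r.steps);
        Set<Privilege> granted = policy.getOrDefault(r.user, Map.of()).getOrDefault(r.graph, Set.of());
        if (!granted.contains(needed)) throw new AuthorizationException(r.user + " lacks " + needed + " on " + r.graph);
        return true;
    }
}

class AuthorizerDemo {
    public static void main(String[] args) throws Exception {
        GraphPolicyAuthorizer auth = new GraphPolicyAuthorizer();
        auth.setup(Map.of("policy", "alice:graph:READ,WRITE;bob:graph:READ"));
        System.out.println(auth.isAccessAllowed(new AuthorizationRequest("bob", "graph", List.of("V", "has"))));
        try { auth.isAccessAllowed(new AuthorizationRequest("bob", "graph", List.of("addV"))); } // needs WRITE
        catch (AuthorizationException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Run the `AuthorizerDemo` class: bob's read traversal passes, and his `addV` request is rejected with an `AuthorizationException` because he holds only READ on `graph`.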