[jira] [Commented] (TINKERPOP-2389) Authorization support in TinkerPop

Wed, 09 Dec 2020 09:26:04 -0800 


    [ 
https://issues.apache.org/jira/browse/TINKERPOP-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17246700#comment-17246700
 ] 

ASF GitHub Bot commented on TINKERPOP-2389:
-------------------------------------------

spmallette commented on a change in pull request #1308:
URL: https://github.com/apache/tinkerpop/pull/1308#discussion_r539499923



##########
File path: 
gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/handler/HttpBasicAuthorizationHandler.java
##########
@@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.tinkerpop.gremlin.server.handler;
+
+import io.netty.channel.ChannelFutureListener;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.ChannelInboundHandlerAdapter;
+import io.netty.handler.codec.http.DefaultFullHttpResponse;
+import io.netty.handler.codec.http.FullHttpMessage;
+import io.netty.handler.codec.http.FullHttpRequest;
+import io.netty.handler.codec.http.HttpResponseStatus;
+import io.netty.util.ReferenceCountUtil;
+import org.apache.tinkerpop.gremlin.driver.Tokens;
+import org.apache.tinkerpop.gremlin.driver.message.RequestMessage;
+import org.apache.tinkerpop.gremlin.server.GremlinServer;
+import org.apache.tinkerpop.gremlin.server.auth.AuthenticatedUser;
+import org.apache.tinkerpop.gremlin.server.authz.AuthorizationException;
+import org.apache.tinkerpop.gremlin.server.authz.Authorizer;
+import org.javatuples.Quartet;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Map;
+
+import static io.netty.handler.codec.http.HttpResponseStatus.BAD_REQUEST;
+import static 
io.netty.handler.codec.http.HttpResponseStatus.INTERNAL_SERVER_ERROR;
+import static io.netty.handler.codec.http.HttpResponseStatus.UNAUTHORIZED;
+import static io.netty.handler.codec.http.HttpVersion.HTTP_1_1;
+
+
+/**
+ *  An authorization handler for the http channel that allows the {@link 
Authorizer} to be plugged into it.
+ *
+ * @author Marc de Lignie
+ */
+@ChannelHandler.Sharable
+public class HttpBasicAuthorizationHandler extends 
ChannelInboundHandlerAdapter {
+    private static final Logger logger = 
LoggerFactory.getLogger(HttpBasicAuthorizationHandler.class);
+    private static final Logger auditLogger = 
LoggerFactory.getLogger(GremlinServer.AUDIT_LOGGER_NAME);
+
+    private AuthenticatedUser user;
+    private final Authorizer authorizer;
+
+    public HttpBasicAuthorizationHandler(Authorizer authorizer) {
+        this.authorizer = authorizer;
+    }
+
+    @Override
+    public void channelRead(final ChannelHandlerContext ctx, final Object msg) 
{
+        if (msg instanceof FullHttpMessage){
+            final FullHttpMessage request = (FullHttpMessage) msg;
+            try {
+                user = ctx.channel().attr(StateKey.AUTHENTICATED_USER).get();
+                if (null == user) {    // This is expected when using the 
AllowAllAuthenticator
+                    user = AuthenticatedUser.ANONYMOUS_USER;
+                }
+                // ToDo: move getRequestArguments to a new preceding pipeline 
step in the Channelizer, but @Stephen,
+                //       how about the sendAndCleanupConnection logic in 
HttpGremlinEndpointHandler?

Review comment:
       As they are all static methods I think you could refactor to create a 
small final utility class to house them - `HttpUtil` or something like that?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Authorization support in TinkerPop
> ----------------------------------
>
>                 Key: TINKERPOP-2389
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2389
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.4.7
>            Reporter: Shekhar Bansal
>            Priority: Major
>         Attachments: Screenshot 2020-06-25 at 15.15.04.png
>
>
> Use case:
>  # Tinkerpop supports multiple graphs using a single API and admin might want 
> to restrict access to some of the graphs.
>  # Admin might want to restrict read/write access to certain users.
>  
> Proposal
> Add read/write access restrictions at graph level. We can extend it to 
> executing scripts by adding execute privileges.
>  
> Changes required
> Add `authorizer` block similar to `authentication` block in yaml file
>  
> {code:java}
> authorization: {
>   authorizer: 
> org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
>   authorizationHandler: 
> org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
>   config: {
>    }
> }{code}
>  
> Authorization will be done only if authentication is enabled. Authentication 
> is done at per session basis while authorization will be done for each and 
> every request.
> In `SaslAuthorizationHandler` or `HttpAuthorizationHandler` query will be 
> parsed and depending on the step instructions, the query will be marked as of 
> type read or write and then privilege evaluation will be done by calling 
> `isAccessAllowed` method of `Authorizer`
> {code:java}
> public interface Authorizer {
>     /**
>      * Whether or not the authorization requires check.
>      * If false will not authorzie user.
>      */
>     public boolean requireAuthorization();
>     /**
>      * Setup is called once upon system startup to initialize the {@code 
> Authorizer}.
>      */
>     public void setup(final Map<String, Object> config);
>     /**
>      * A "standard" authorization implementation
>      */
>     public boolean isAccessAllowed(AuthorizationRequest authorizationRequest) 
> throws AuthorizationException;
> }
> {code}
> Access policies can be defined in tools like `Apache Ranger`, sample policy:
> !Screenshot 2020-06-25 at 15.15.04.png|width=1017,height=548!
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to