mirror of
https://github.com/scylladb/scylladb.git
synced 2026-06-07 07:23:15 +00:00
1bb22bb190
This change generalizes the implementation of a `resource` to many
different kinds of resources, though there is still only one
kind (`data`). In the future, we also expect resource kinds for roles,
user-defined functions (UDFs), and possibly on particular REST
end-points.
I considered several approaches to generalizing to different kinds of
resources.
One approach is to have a base class that is inherited from by different
resource kinds. The common functionality would be accessed through
virtual member functions and kind-specific functions would exist in
sub-classes. I rejected this approach because dealing with different
kinds of resources uniformly requires storage and life-time management
through something like `std::unique_ptr<auth::resource>`, which means
that we lose value semantics (including comparison) and must deal with
complications around ownership.
Another option was to use `boost::variant` (or, in future,
`std::variant`). This is closer to what we want, since there a static
set of resource kinds that we support. I rejected this approach for two
reasons. The first is that all resource kinds share the same data (a
list of segments and a root identifier), which would be duplicated in
each type that composed the variant. The second is that the complexity
and source-code overhead of `boost::variant` didn't seem warranted.
The solution I ended up with is home-grown variant. All resources are
described in the same `final` class: `auth::resource`. This class has
value semantics, supports equality comparison, and has a strict
ordering. All resources have in common a tag ("kind") and a list of
parts. Most operations on resources don't care about the kind of
resource (like getting its name, parsing a name, querying for the
parent, etc). These are just member functions of the class.
When we care about a kind-specific interpretation of a resource, we can
produce a "view" of the resource. For example, `data_resource_view`
allows for accessing the (optional) keyspace and table names.
I anticipate in the future to add functions for creating role
resources (`auth::resource::role`) and also `role_resource_view`.
The functional behaviour of the system should be unchanged with this
patch.
I've added new unit tests in `auth_resource_test.cc` and removed the old
test from `auth_test.cc`.
Fixes #3027.
205 lines
7.4 KiB
C++
205 lines
7.4 KiB
C++
/*
|
|
* Licensed to the Apache Software Foundation (ASF) under one
|
|
* or more contributor license agreements. See the NOTICE file
|
|
* distributed with this work for additional information
|
|
* regarding copyright ownership. The ASF licenses this file
|
|
* to you under the Apache License, Version 2.0 (the
|
|
* "License"); you may not use this file except in compliance
|
|
* with the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/*
|
|
* Copyright (C) 2016 ScyllaDB
|
|
*
|
|
* Modified by ScyllaDB
|
|
*/
|
|
|
|
/*
|
|
* This file is part of Scylla.
|
|
*
|
|
* Scylla is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Scylla is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with Scylla. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "client_state.hh"
|
|
#include "auth/authorizer.hh"
|
|
#include "auth/authenticator.hh"
|
|
#include "auth/common.hh"
|
|
#include "exceptions/exceptions.hh"
|
|
#include "validation.hh"
|
|
#include "db/system_keyspace.hh"
|
|
#include "db/schema_tables.hh"
|
|
#include "tracing/trace_keyspace_helper.hh"
|
|
|
|
void service::client_state::set_login(::shared_ptr<auth::authenticated_user> user) {
|
|
if (user == nullptr) {
|
|
throw std::invalid_argument("Must provide user");
|
|
}
|
|
_user = std::move(user);
|
|
}
|
|
|
|
future<> service::client_state::check_user_exists() {
|
|
if (_user->is_anonymous()) {
|
|
return make_ready_future();
|
|
}
|
|
|
|
return _auth_service->is_existing_user(_user->name()).then([user = _user](bool exists) mutable {
|
|
if (!exists) {
|
|
throw exceptions::authentication_exception(
|
|
sprint("User %s doesn't exist - create it with CREATE USER query first",
|
|
user->name()));
|
|
}
|
|
return make_ready_future();
|
|
});
|
|
}
|
|
|
|
void service::client_state::validate_login() const {
|
|
if (!_user) {
|
|
throw exceptions::unauthorized_exception("You have not logged in");
|
|
}
|
|
}
|
|
|
|
void service::client_state::ensure_not_anonymous() const {
|
|
validate_login();
|
|
if (_user->is_anonymous()) {
|
|
throw exceptions::unauthorized_exception("You have to be logged in and not anonymous to perform this request");
|
|
}
|
|
}
|
|
|
|
void service::client_state::merge(const client_state& other) {
|
|
if (other._dirty) {
|
|
_keyspace = other._keyspace;
|
|
}
|
|
if (_user == nullptr) {
|
|
_user = other._user;
|
|
}
|
|
_last_timestamp_micros = std::max(_last_timestamp_micros, other._last_timestamp_micros);
|
|
}
|
|
|
|
future<> service::client_state::has_all_keyspaces_access(
|
|
auth::permission p) const {
|
|
if (_is_internal) {
|
|
return make_ready_future();
|
|
}
|
|
validate_login();
|
|
return ensure_has_permission(p, auth::resource::root_of(auth::resource_kind::data));
|
|
}
|
|
|
|
future<> service::client_state::has_keyspace_access(const sstring& ks,
|
|
auth::permission p) const {
|
|
return has_access(ks, p, auth::resource::data(ks));
|
|
}
|
|
|
|
future<> service::client_state::has_column_family_access(const sstring& ks,
|
|
const sstring& cf, auth::permission p) const {
|
|
validation::validate_column_family(ks, cf);
|
|
return has_access(ks, p, auth::resource::data(ks, cf));
|
|
}
|
|
|
|
future<> service::client_state::has_schema_access(const schema& s, auth::permission p) const {
|
|
return has_access(s.ks_name(), p, auth::resource::data(s.ks_name(), s.cf_name()));
|
|
}
|
|
|
|
future<> service::client_state::has_access(const sstring& ks, auth::permission p, auth::resource resource) const {
|
|
if (ks.empty()) {
|
|
throw exceptions::invalid_request_exception("You have not set a keyspace for this session");
|
|
}
|
|
if (_is_internal) {
|
|
return make_ready_future();
|
|
}
|
|
|
|
validate_login();
|
|
|
|
// we only care about schema modification.
|
|
if (auth::permissions::ALTERATIONS.contains(p)) {
|
|
// prevent system keyspace modification
|
|
auto name = ks;
|
|
std::transform(name.begin(), name.end(), name.begin(), ::tolower);
|
|
if (is_system_keyspace(name)) {
|
|
throw exceptions::unauthorized_exception(ks + " keyspace is not user-modifiable.");
|
|
}
|
|
|
|
// we want to allow altering AUTH_KS and TRACING_KS.
|
|
for (auto& n : { auth::meta::AUTH_KS, tracing::trace_keyspace_helper::KEYSPACE_NAME }) {
|
|
if (name == n && p == auth::permission::DROP) {
|
|
throw exceptions::unauthorized_exception(sprint("Cannot %s %s", auth::permissions::to_string(p), resource));
|
|
}
|
|
}
|
|
}
|
|
|
|
static thread_local std::set<auth::resource> readable_system_resources = [] {
|
|
std::set<auth::resource> tmp;
|
|
for (auto cf : { db::system_keyspace::LOCAL, db::system_keyspace::PEERS }) {
|
|
tmp.insert(auth::resource::data(db::system_keyspace::NAME, cf));
|
|
}
|
|
for (auto cf : db::schema_tables::ALL) {
|
|
tmp.insert(auth::resource::data(db::schema_tables::NAME, cf));
|
|
}
|
|
return tmp;
|
|
}();
|
|
|
|
if (p == auth::permission::SELECT && readable_system_resources.count(resource) != 0) {
|
|
return make_ready_future();
|
|
}
|
|
if (auth::permissions::ALTERATIONS.contains(p)) {
|
|
for (auto& s : { _auth_service->underlying_authorizer().protected_resources(),
|
|
_auth_service->underlying_authorizer().protected_resources() }) {
|
|
if (s.count(resource)) {
|
|
throw exceptions::unauthorized_exception(
|
|
sprint("%s schema is protected",
|
|
resource));
|
|
}
|
|
}
|
|
}
|
|
|
|
return ensure_has_permission(p, std::move(resource));
|
|
}
|
|
|
|
future<bool> service::client_state::check_has_permission(auth::permission p, auth::resource resource) const {
|
|
if (_is_internal) {
|
|
return make_ready_future<bool>(true);
|
|
}
|
|
|
|
std::experimental::optional<auth::resource> parent = resource.parent();
|
|
|
|
return _auth_service->get_permissions(_user, resource).then([this, p, parent = std::move(parent)](auth::permission_set set) {
|
|
if (set.contains(p)) {
|
|
return make_ready_future<bool>(true);
|
|
}
|
|
if (parent) {
|
|
return check_has_permission(p, std::move(*parent));
|
|
}
|
|
return make_ready_future<bool>(false);
|
|
});
|
|
}
|
|
|
|
future<> service::client_state::ensure_has_permission(auth::permission p, auth::resource resource) const {
|
|
return check_has_permission(p, resource).then([this, p, resource](bool ok) {
|
|
if (!ok) {
|
|
throw exceptions::unauthorized_exception(sprint("User %s has no %s permission on %s or any of its parents",
|
|
_user->name(),
|
|
auth::permissions::to_string(p),
|
|
resource));
|
|
}
|
|
});
|
|
}
|
|
|