a88929da15
queries In order to be able to manage service_level configuration one must be authorized to do so, or to be a superuser. This commit adds the support for service_levels resource. Since service_levels are relative, reconfiguring one service level is not locallized only to that service level and will affect the QOS for all of the service levels, so there is not much sense of granting permissions to manage individual service_levels. This is why only root resource named service_levels that represents all service levels is used. This commit also implements the unit test additions for the newly introduced resource. Message-Id: <81ab16fa813b61be117155feea405da6266921e3.1609237687.git.sarna@scylladb.com>
289 lines
8.2 KiB
C++
289 lines
8.2 KiB
C++
/*
|
|
* Licensed to the Apache Software Foundation (ASF) under one
|
|
* or more contributor license agreements. See the NOTICE file
|
|
* distributed with this work for additional information
|
|
* regarding copyright ownership. The ASF licenses this file
|
|
* to you under the Apache License, Version 2.0 (the
|
|
* "License"); you may not use this file except in compliance
|
|
* with the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/*
|
|
* Copyright (C) 2016 ScyllaDB
|
|
*
|
|
* Modified by ScyllaDB
|
|
*/
|
|
|
|
/*
|
|
* This file is part of Scylla.
|
|
*
|
|
* Scylla is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Scylla is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with Scylla. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
#include <string_view>
|
|
#include <iostream>
|
|
#include <optional>
|
|
#include <stdexcept>
|
|
#include <tuple>
|
|
#include <vector>
|
|
#include <unordered_set>
|
|
|
|
#include <seastar/core/print.hh>
|
|
#include <seastar/core/sstring.hh>
|
|
|
|
#include "auth/permission.hh"
|
|
#include "seastarx.hh"
|
|
#include "utils/hash.hh"
|
|
#include "utils/small_vector.hh"
|
|
|
|
namespace auth {
|
|
|
|
class invalid_resource_name : public std::invalid_argument {
|
|
public:
|
|
explicit invalid_resource_name(std::string_view name)
|
|
: std::invalid_argument(format("The resource name '{}' is invalid.", name)) {
|
|
}
|
|
};
|
|
|
|
enum class resource_kind {
|
|
data, role, service_level
|
|
};
|
|
|
|
std::ostream& operator<<(std::ostream&, resource_kind);
|
|
|
|
///
|
|
/// Type tag for constructing data resources.
|
|
///
|
|
struct data_resource_t final {};
|
|
|
|
///
|
|
/// Type tag for constructing role resources.
|
|
///
|
|
struct role_resource_t final {};
|
|
|
|
///
|
|
/// Type tag for constructing service_level resources.
|
|
///
|
|
struct service_level_resource_t final {};
|
|
|
|
///
|
|
/// Resources are entities that users can be granted permissions on.
|
|
///
|
|
/// There are data (keyspaces and tables) and role resources. There may be other kinds of resources in the future.
|
|
///
|
|
/// When they are stored as system metadata, resources have the form `root/part_0/part_1/.../part_n`. Each kind of
|
|
/// resource has a specific root prefix, followed by a maximum of `n` parts (where `n` is distinct for each kind of
|
|
/// resource as well). In this code, this form is called the "name".
|
|
///
|
|
/// Since all resources have this same structure, all the different kinds are stored in instances of the same class:
|
|
/// \ref resource. When we wish to query a resource for kind-specific data (like the table of a "data" resource), we
|
|
/// create a kind-specific "view" of the resource.
|
|
///
|
|
class resource final {
|
|
resource_kind _kind;
|
|
|
|
utils::small_vector<sstring, 3> _parts;
|
|
|
|
public:
|
|
///
|
|
/// A root resource of a particular kind.
|
|
///
|
|
explicit resource(resource_kind);
|
|
resource(data_resource_t, std::string_view keyspace);
|
|
resource(data_resource_t, std::string_view keyspace, std::string_view table);
|
|
resource(role_resource_t, std::string_view role);
|
|
resource(service_level_resource_t);
|
|
|
|
resource_kind kind() const noexcept {
|
|
return _kind;
|
|
}
|
|
|
|
///
|
|
/// A machine-friendly identifier unique to each resource.
|
|
///
|
|
sstring name() const;
|
|
|
|
std::optional<resource> parent() const;
|
|
|
|
permission_set applicable_permissions() const;
|
|
|
|
private:
|
|
resource(resource_kind, utils::small_vector<sstring, 3> parts);
|
|
|
|
friend class std::hash<resource>;
|
|
friend class data_resource_view;
|
|
friend class role_resource_view;
|
|
friend class service_level_resource_view;
|
|
|
|
friend bool operator<(const resource&, const resource&);
|
|
friend bool operator==(const resource&, const resource&);
|
|
friend resource parse_resource(std::string_view);
|
|
};
|
|
|
|
bool operator<(const resource&, const resource&);
|
|
|
|
inline bool operator==(const resource& r1, const resource& r2) {
|
|
return (r1._kind == r2._kind) && (r1._parts == r2._parts);
|
|
}
|
|
|
|
inline bool operator!=(const resource& r1, const resource& r2) {
|
|
return !(r1 == r2);
|
|
}
|
|
|
|
std::ostream& operator<<(std::ostream&, const resource&);
|
|
|
|
class resource_kind_mismatch : public std::invalid_argument {
|
|
public:
|
|
explicit resource_kind_mismatch(resource_kind expected, resource_kind actual)
|
|
: std::invalid_argument(
|
|
format("This resource has kind '{}', but was expected to have kind '{}'.", actual, expected)) {
|
|
}
|
|
};
|
|
|
|
/// A "data" view of \ref resource.
|
|
///
|
|
/// If neither `keyspace` nor `table` is present, this is the root resource.
|
|
class data_resource_view final {
|
|
const resource& _resource;
|
|
|
|
public:
|
|
///
|
|
/// \throws `resource_kind_mismatch` if the argument is not a `data` resource.
|
|
///
|
|
explicit data_resource_view(const resource& r);
|
|
|
|
std::optional<std::string_view> keyspace() const;
|
|
|
|
std::optional<std::string_view> table() const;
|
|
};
|
|
|
|
std::ostream& operator<<(std::ostream&, const data_resource_view&);
|
|
|
|
///
|
|
/// A "role" view of \ref resource.
|
|
///
|
|
/// If `role` is not present, this is the root resource.
|
|
///
|
|
class role_resource_view final {
|
|
const resource& _resource;
|
|
|
|
public:
|
|
///
|
|
/// \throws \ref resource_kind_mismatch if the argument is not a "role" resource.
|
|
///
|
|
explicit role_resource_view(const resource&);
|
|
|
|
std::optional<std::string_view> role() const;
|
|
};
|
|
|
|
std::ostream& operator<<(std::ostream&, const role_resource_view&);
|
|
|
|
///
|
|
/// A "service_level" view of \ref resource.
|
|
///
|
|
class service_level_resource_view final {
|
|
const resource& _resource;
|
|
|
|
public:
|
|
///
|
|
/// \throws \ref resource_kind_mismatch if the argument is not a "service_level" resource.
|
|
///
|
|
explicit service_level_resource_view(const resource&);
|
|
|
|
};
|
|
|
|
std::ostream& operator<<(std::ostream&, const service_level_resource_view&);
|
|
|
|
///
|
|
/// Parse a resource from its name.
|
|
///
|
|
/// \throws \ref invalid_resource_name when the name is malformed.
|
|
///
|
|
resource parse_resource(std::string_view name);
|
|
|
|
const resource& root_data_resource();
|
|
|
|
inline resource make_data_resource(std::string_view keyspace) {
|
|
return resource(data_resource_t{}, keyspace);
|
|
}
|
|
inline resource make_data_resource(std::string_view keyspace, std::string_view table) {
|
|
return resource(data_resource_t{}, keyspace, table);
|
|
}
|
|
|
|
const resource& root_role_resource();
|
|
|
|
inline resource make_role_resource(std::string_view role) {
|
|
return resource(role_resource_t{}, role);
|
|
}
|
|
|
|
const resource& root_service_level_resource();
|
|
|
|
inline resource make_service_level_resource() {
|
|
return resource(service_level_resource_t{});
|
|
}
|
|
|
|
}
|
|
|
|
namespace std {
|
|
|
|
template <>
|
|
struct hash<auth::resource> {
|
|
static size_t hash_data(const auth::data_resource_view& dv) {
|
|
return utils::tuple_hash()(std::make_tuple(auth::resource_kind::data, dv.keyspace(), dv.table()));
|
|
}
|
|
|
|
static size_t hash_role(const auth::role_resource_view& rv) {
|
|
return utils::tuple_hash()(std::make_tuple(auth::resource_kind::role, rv.role()));
|
|
}
|
|
|
|
static size_t hash_service_level(const auth::service_level_resource_view& rv) {
|
|
return utils::tuple_hash()(std::make_tuple(auth::resource_kind::service_level));
|
|
}
|
|
|
|
size_t operator()(const auth::resource& r) const {
|
|
std::size_t value;
|
|
|
|
switch (r._kind) {
|
|
case auth::resource_kind::data: value = hash_data(auth::data_resource_view(r)); break;
|
|
case auth::resource_kind::role: value = hash_role(auth::role_resource_view(r)); break;
|
|
case auth::resource_kind::service_level: value = hash_service_level(auth::service_level_resource_view(r)); break;
|
|
}
|
|
|
|
return value;
|
|
}
|
|
};
|
|
|
|
}
|
|
|
|
namespace auth {
|
|
|
|
using resource_set = std::unordered_set<resource>;
|
|
|
|
//
|
|
// A resource and all of its parents.
|
|
//
|
|
resource_set expand_resource_family(const resource&);
|
|
|
|
}
|