Search in sources :

Example 1 with StreamAuthParams

use of io.pravega.controller.server.security.auth.StreamAuthParams in project pravega by pravega.

the class ControllerServiceImpl method createStream.

@Override
public void createStream(StreamConfig request, StreamObserver<CreateStreamStatus> responseObserver) {
    String scope = request.getStreamInfo().getScope();
    String stream = request.getStreamInfo().getStream();
    RequestTag requestTag = requestTracker.initializeAndTrackRequestTag(controllerService.nextRequestId(), CREATE_STREAM, scope, stream);
    log.info(requestTag.getRequestId(), "createStream called for stream {}/{}.", scope, stream);
    StreamAuthParams streamAuthParams = new StreamAuthParams(scope, stream, this.isRGStreamWritesWithReadPermEnabled);
    AuthHandler.Permissions requiredPermission = streamAuthParams.requiredPermissionForWrites();
    log.debug(requestTag.getRequestId(), "Creating stream : requiredPermission is [{}], for scope [{}] and stream [{}]", requiredPermission, scope, stream);
    authenticateExecuteAndProcessResults(() -> this.grpcAuthHelper.checkAuthorizationAndCreateToken(authorizationResource.ofStreamsInScope(scope), requiredPermission), delegationToken -> controllerService.createStream(scope, stream, ModelHelper.encode(request), System.currentTimeMillis(), requestTag.getRequestId()), responseObserver, requestTag);
}
Also used : AuthHandler(io.pravega.auth.AuthHandler) StreamAuthParams(io.pravega.controller.server.security.auth.StreamAuthParams) RequestTag(io.pravega.common.tracing.RequestTag)

Example 2 with StreamAuthParams

use of io.pravega.controller.server.security.auth.StreamAuthParams in project pravega by pravega.

the class ControllerServiceImpl method delegationTokenSupplier.

@VisibleForTesting
public Supplier<String> delegationTokenSupplier(StreamInfo request) {
    return () -> {
        if (!this.isAuthEnabled()) {
            return "";
        }
        StreamAuthParams authParams = new StreamAuthParams(request.getScope(), request.getStream(), translate(request.getAccessOperation()), this.isRGStreamWritesWithReadPermEnabled);
        // StreamResource will be a stream representation (ex: "prn:://scope:myScope/stream:_RGmyApp") of the
        // reader group (ex: "prn:://scope:myScope/reader-group:myApp). We use stream representation in claims
        // put in delegation tokens for Segment Store's use, even though we use the regular representation for
        // authorization here in the Controller.
        String streamResource = authParams.streamResourceString();
        String resource = authParams.resourceString();
        if (authParams.isAccessOperationUnspecified()) {
            // For backward compatibility: Older clients will not send access operation in the request.
            log.debug("Access operation was unspecified for request with scope {} and stream {}", request.getScope(), request.getStream());
            final AuthHandler.Permissions authAndTokenPermission = AuthHandler.Permissions.READ_UPDATE;
            this.grpcAuthHelper.checkAuthorization(resource, authAndTokenPermission);
            return this.grpcAuthHelper.createDelegationToken(streamResource, authAndTokenPermission);
        } else {
            log.trace("Access operation was {} for request with scope {} and stream {}", translate(request.getAccessOperation()), request.getScope(), request.getStream());
            // The resource string that'll be used in the delegation token for use of the segment store
            final String tokenResource;
            // The operation that'll be specified as granted for the resource in the token. The bearer of the token
            // will be allowed to perform the specified operation.
            final AuthHandler.Permissions tokenPermission;
            // This is the permission that the client is requesting to be assigned on the delegation token.
            AuthHandler.Permissions requestedPermissions = authParams.requestedPermission();
            if (authParams.isStreamUserDefined()) {
                // The operation itself requires the caller to possess read permissions.
                AuthHandler.Permissions minimumPermissions = AuthHandler.Permissions.READ;
                if (requestedPermissions.equals(AuthHandler.Permissions.READ_UPDATE) || requestedPermissions.equals(minimumPermissions)) {
                    this.grpcAuthHelper.checkAuthorization(streamResource, requestedPermissions);
                    tokenResource = streamResource;
                    tokenPermission = requestedPermissions;
                } else {
                    // The minimum permission that the user must have to be able to invoke this call. This
                    // authorizes the operation.
                    this.grpcAuthHelper.checkAuthorization(streamResource, minimumPermissions);
                    // Here, we check whether the user is authorized for the requested access.
                    this.grpcAuthHelper.checkAuthorization(streamResource, requestedPermissions);
                    tokenResource = streamResource;
                    tokenPermission = requestedPermissions;
                }
            } else {
                final AuthHandler.Permissions authorizationPermission;
                if (requestedPermissions.equals(AuthHandler.Permissions.READ_UPDATE)) {
                    authorizationPermission = authParams.requiredPermissionForWrites();
                    tokenPermission = AuthHandler.Permissions.READ_UPDATE;
                } else if (requestedPermissions.equals(AuthHandler.Permissions.READ)) {
                    authorizationPermission = AuthHandler.Permissions.READ;
                    tokenPermission = requestedPermissions;
                } else {
                    authorizationPermission = AuthHandler.Permissions.READ;
                    tokenPermission = AuthHandler.Permissions.READ;
                }
                log.trace("resource: {}, authorizationPermission: {}", authParams.resourceString(), authorizationPermission);
                this.grpcAuthHelper.checkAuthorization(authParams.resourceString(), authorizationPermission);
                tokenResource = streamResource;
            }
            return this.grpcAuthHelper.createDelegationToken(tokenResource, tokenPermission);
        }
    };
}
Also used : StreamAuthParams(io.pravega.controller.server.security.auth.StreamAuthParams) VisibleForTesting(com.google.common.annotations.VisibleForTesting)

Aggregations

StreamAuthParams (io.pravega.controller.server.security.auth.StreamAuthParams)2 VisibleForTesting (com.google.common.annotations.VisibleForTesting)1 AuthHandler (io.pravega.auth.AuthHandler)1 RequestTag (io.pravega.common.tracing.RequestTag)1