use of io.pravega.controller.server.security.auth.StreamAuthParams in project pravega by pravega.
the class ControllerServiceImpl method createStream.
@Override
public void createStream(StreamConfig request, StreamObserver<CreateStreamStatus> responseObserver) {
String scope = request.getStreamInfo().getScope();
String stream = request.getStreamInfo().getStream();
RequestTag requestTag = requestTracker.initializeAndTrackRequestTag(controllerService.nextRequestId(), CREATE_STREAM, scope, stream);
log.info(requestTag.getRequestId(), "createStream called for stream {}/{}.", scope, stream);
StreamAuthParams streamAuthParams = new StreamAuthParams(scope, stream, this.isRGStreamWritesWithReadPermEnabled);
AuthHandler.Permissions requiredPermission = streamAuthParams.requiredPermissionForWrites();
log.debug(requestTag.getRequestId(), "Creating stream : requiredPermission is [{}], for scope [{}] and stream [{}]", requiredPermission, scope, stream);
authenticateExecuteAndProcessResults(() -> this.grpcAuthHelper.checkAuthorizationAndCreateToken(authorizationResource.ofStreamsInScope(scope), requiredPermission), delegationToken -> controllerService.createStream(scope, stream, ModelHelper.encode(request), System.currentTimeMillis(), requestTag.getRequestId()), responseObserver, requestTag);
}
use of io.pravega.controller.server.security.auth.StreamAuthParams in project pravega by pravega.
the class ControllerServiceImpl method delegationTokenSupplier.
@VisibleForTesting
public Supplier<String> delegationTokenSupplier(StreamInfo request) {
return () -> {
if (!this.isAuthEnabled()) {
return "";
}
StreamAuthParams authParams = new StreamAuthParams(request.getScope(), request.getStream(), translate(request.getAccessOperation()), this.isRGStreamWritesWithReadPermEnabled);
// StreamResource will be a stream representation (ex: "prn:://scope:myScope/stream:_RGmyApp") of the
// reader group (ex: "prn:://scope:myScope/reader-group:myApp). We use stream representation in claims
// put in delegation tokens for Segment Store's use, even though we use the regular representation for
// authorization here in the Controller.
String streamResource = authParams.streamResourceString();
String resource = authParams.resourceString();
if (authParams.isAccessOperationUnspecified()) {
// For backward compatibility: Older clients will not send access operation in the request.
log.debug("Access operation was unspecified for request with scope {} and stream {}", request.getScope(), request.getStream());
final AuthHandler.Permissions authAndTokenPermission = AuthHandler.Permissions.READ_UPDATE;
this.grpcAuthHelper.checkAuthorization(resource, authAndTokenPermission);
return this.grpcAuthHelper.createDelegationToken(streamResource, authAndTokenPermission);
} else {
log.trace("Access operation was {} for request with scope {} and stream {}", translate(request.getAccessOperation()), request.getScope(), request.getStream());
// The resource string that'll be used in the delegation token for use of the segment store
final String tokenResource;
// The operation that'll be specified as granted for the resource in the token. The bearer of the token
// will be allowed to perform the specified operation.
final AuthHandler.Permissions tokenPermission;
// This is the permission that the client is requesting to be assigned on the delegation token.
AuthHandler.Permissions requestedPermissions = authParams.requestedPermission();
if (authParams.isStreamUserDefined()) {
// The operation itself requires the caller to possess read permissions.
AuthHandler.Permissions minimumPermissions = AuthHandler.Permissions.READ;
if (requestedPermissions.equals(AuthHandler.Permissions.READ_UPDATE) || requestedPermissions.equals(minimumPermissions)) {
this.grpcAuthHelper.checkAuthorization(streamResource, requestedPermissions);
tokenResource = streamResource;
tokenPermission = requestedPermissions;
} else {
// The minimum permission that the user must have to be able to invoke this call. This
// authorizes the operation.
this.grpcAuthHelper.checkAuthorization(streamResource, minimumPermissions);
// Here, we check whether the user is authorized for the requested access.
this.grpcAuthHelper.checkAuthorization(streamResource, requestedPermissions);
tokenResource = streamResource;
tokenPermission = requestedPermissions;
}
} else {
final AuthHandler.Permissions authorizationPermission;
if (requestedPermissions.equals(AuthHandler.Permissions.READ_UPDATE)) {
authorizationPermission = authParams.requiredPermissionForWrites();
tokenPermission = AuthHandler.Permissions.READ_UPDATE;
} else if (requestedPermissions.equals(AuthHandler.Permissions.READ)) {
authorizationPermission = AuthHandler.Permissions.READ;
tokenPermission = requestedPermissions;
} else {
authorizationPermission = AuthHandler.Permissions.READ;
tokenPermission = AuthHandler.Permissions.READ;
}
log.trace("resource: {}, authorizationPermission: {}", authParams.resourceString(), authorizationPermission);
this.grpcAuthHelper.checkAuthorization(authParams.resourceString(), authorizationPermission);
tokenResource = streamResource;
}
return this.grpcAuthHelper.createDelegationToken(tokenResource, tokenPermission);
}
};
}
Aggregations