Pika support for ACL multi-tenancy #1284

Closed
wanghenshui opened this issue Feb 20, 2023 · 13 comments · Fixed by #2013

@wanghenshui
Collaborator

wanghenshui commented Feb 20, 2023

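Basic information

Project difficulty: Medium
Supported languages: Chinese/English
Project community mentor: 李谦祥
Mentor contact email: lqxlucky@qq.com
Technical areas: C++, NoSQL
Open-source license: BSDv3

Project overview

Pika is a persistent mass-storage service. The storage media it currently supports are mainly local storage such as flash and disk. However, Pika has no concept of users and cannot control permissions well. The goal of this project is to let Pika assign different permissions to different tenants, in order to achieve permission control.

The tasks of this project include:

  • Study the design and implementation of Redis ACL.
  • Make Pika compatible with the Redis ACL commands; for details see: https://redis.io/docs/management/security/acl/.
  • Write the corresponding documents, including the project proposal, design document, test case document and usage document.
  • Test and verify to make sure that Pika's ACL feature works correctly.

issue: #1284

Project deliverable requirements

  1. Design the project proposal and produce the related documents on a regular basis.
  2. Pika supports multi-tenant permission isolation.
  3. Complete documentation, including the project proposal, design document and usage document.
  4. The code can be submitted as a PR and merged after passing review by the Pika community.

Project technical requirements

  • Familiar with the C++ programming language.
  • Familiar with the basic usage of Redis/Pika.
  • Understand how the Redis ACL feature is implemented.
  • Good software design and documentation writing skills.

Project result repository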

https://github.com/OpenAtomFoundation/pika

@wanghenshui wanghenshui mentioned this issue Feb 22, 2023
78 tasks
@AlexStocks
Collaborator

@lqxhub

@AlexStocks
Collaborator

Redis saves an ACL file that stores each user's permissions. Different users can access different DBs, keys and commands.

@luky116 luky116 changed the title Redis API: acl support [GitLink] Pika support for ACL multi-tenancy May 27, 2023
@XiaoYaoheihei

+1, I intend to apply

@cheniujh
Collaborator

I would like to compete for this

@yaoyinnan yaoyinnan removed the GitLink label Jun 27, 2023
@yaoyinnan yaoyinnan changed the title [GitLink] Pika support for ACL multi-tenancy Pika support for ACL multi-tenancy Jun 27, 2023
@AlexStocks
Collaborator

AlexStocks commented Jul 7, 2023

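        * 0429 lqx
        * 0506 lqx continuing to push this forward
        * 0520 lqx referring to the Redis implementation
        * 0527 lqx acting as mentor, guiding other students to follow up
        * 0624 lqx continuing to follow up
        * 0701 lqx organizing Redis ACL notes, 俊华 following up together
        * 0805 qx is writing it, 1/2 written
        * 0813 qx is still writing it, about 50%
        * 0819 two thirds written
        * 0826 done on 3.5; every command needs to be adapted; last time it was discussed with 雨哥 to do it directly on the 4.0 branch; now migrating to 4.0
        * 0902 done on 3.5; every command needs to be adapted; last time it was discussed with 雨哥 to do it directly on the 4.0 branch; now migrating to 4.0
        * 0909 merge the command part in first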

@luky116
Collaborator

luky116 commented Jul 8, 2023

1. We plan to remove the string prefix matching feature

@lqxhub
Collaborator

lqxhub commented Jul 8, 2023

Redis ACL documentation

+|first-arg: Allow a specific first argument of an otherwise disabled command. It is only supported on commands with no sub-commands, and is not allowed as negative form like -SELECT|1, only additive starting with "+". This feature is deprecated and may be removed in the future.

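From what I found, this is mainly used with the select N command, and a rule like this also has a problem: it only prevents the user from selecting that database, but the user can still operate on it. For example, restrict user lqx to select 1 only; but after using the default user to select 6 and then auth lqx, lqx can still operate on database 6.

Discussion in the Redis community

skip-sanitize-payload, sanitize-payload

These relate to the dump and restore commands. Pika currently should not have anything related to them, so can they be dropped?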
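
The sequence described in this comment, modelled as an added C++ example (not Redis or Pika code and not part of the original comment). The `User`, `Conn` and `Server` types and the `recheck_db` mitigation are hypothetical; password checks are omitted.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed model, not Redis or Pika code; all names are hypothetical.
struct User {
  std::set<std::string> cmds;         // commands allowed with any arguments
  std::set<std::string> select_args;  // "+select|N" style first-arg grants
};
struct Conn {
  std::string user = "default";
  int db = 0;  // selected database: connection state that AUTH leaves alone
};
struct Server {
  std::map<std::string, User> users;
  bool recheck_db = false;  // hypothetical mitigation: validate db per command
  bool MaySelect(const User& u, const std::string& db) const {
    return u.cmds.count("select") > 0 || u.select_args.count(db) > 0;
  }
  bool Exec(Conn& c, const std::vector<std::string>& argv) const {
    if (argv[0] == "auth") {  // password verification omitted in this model
      if (users.count(argv[1])) c.user = argv[1];
      return c.user == argv[1];
    }
    const User& u = users.at(c.user);
    if (argv[0] == "select") {
      if (!MaySelect(u, argv[1])) return false;
      c.db = std::stoi(argv[1]);
      return true;
    }
    // The first-arg grant is consulted only when SELECT itself runs.
    if (recheck_db && !MaySelect(u, std::to_string(c.db))) return false;
    return u.cmds.count(argv[0]) > 0;
  }
};

// Replays the sequence from the comment above on one connection.
bool LqxCanWriteDb6(bool recheck_db) {
  Server s;
  s.recheck_db = recheck_db;
  s.users["default"] = User{{"select", "set"}, {}};
  s.users["lqx"] = User{{"set"}, {"1"}};
  Conn c;
  const bool direct = s.Exec(c, {"auth", "lqx"}) && s.Exec(c, {"select", "6"});
  s.Exec(c, {"auth", "default"});
  s.Exec(c, {"select", "6"});
  s.Exec(c, {"auth", "lqx"});
  return !direct && c.db == 6 && s.Exec(c, {"set", "k", "v"});
}
```

`LqxCanWriteDb6(false)` returns true: the direct `select 6` is refused, yet the write on database 6 goes through after the user switch. With `recheck_db` set, the same write is refused.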

@lqxhub
Collaborator

lqxhub commented Jul 14, 2023

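Today I thought of a problem. In Redis there is the concept of subcommands.

For example, under the config command, config get and config set are two commands, and ACL processing uses different ids to tell the commands apart.

In Pika, config is a single command, and the second argument is used to distinguish what it does.

I thought of three ways to handle this:

  1. Add the concept of subcommands to Pika; the change is fairly large
  2. Use Pika's existing structure and implement the distinction between different arguments under the same command ourselves
  3. Do not implement subcommand permissions for now, e.g. only restrict the config command without distinguishing config get from config set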
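
A sketch of option 2, added here as an example (not Pika code and not part of the original comment): the command stays a single entry and the ACL check looks at the second argument. `CmdPerm`, `CmdAcl`, `Check` and the `multiplexed` list are hypothetical; a rule list holding only `+config` behaves like option 3.

```cpp
#include <cctype>
#include <map>
#include <set>
#include <string>
#include <vector>
// Added sketch, not Pika code; every type and member name here is hypothetical.
struct CmdPerm {
  bool allowed;                     // rule for the command as a whole
  std::set<std::string> sub_allow;  // second arguments allowed although !allowed
  std::set<std::string> sub_deny;   // second arguments denied although allowed
};
class CmdAcl {
 public:
  std::set<std::string> multiplexed{"config"};  // second argument picks the function
  // Rule tokens use the Redis ACL syntax: +cmd, -cmd, +cmd|sub, -cmd|sub.
  bool Apply(const std::string& rule) {
    if (rule.size() < 2 || (rule[0] != '+' && rule[0] != '-')) return false;
    const bool allow = rule[0] == '+';
    const std::string name = Lower(rule.substr(1));
    const auto bar = name.find('|');
    if (bar == std::string::npos) {  // whole-command rule resets the exceptions
      perms_[name] = CmdPerm{allow, {}, {}};
      return true;
    }
    const std::string cmd = name.substr(0, bar), sub = name.substr(bar + 1);
    if (!multiplexed.count(cmd) || sub.empty()) return false;  // e.g. "+set|k"
    CmdPerm& p = perms_[cmd];
    (allow ? p.sub_deny : p.sub_allow).erase(sub);
    if (allow != p.allowed) (allow ? p.sub_allow : p.sub_deny).insert(sub);
    return true;
  }
  bool Allowed(const std::vector<std::string>& argv) const {
    const auto it = perms_.find(Lower(argv[0]));
    if (it == perms_.end()) return false;  // default deny
    const CmdPerm& p = it->second;
    if (argv.size() < 2 || !multiplexed.count(it->first)) return p.allowed;
    const std::string sub = Lower(argv[1]);
    return p.allowed ? !p.sub_deny.count(sub) : p.sub_allow.count(sub) > 0;
  }
 private:
  static std::string Lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
  }
  std::map<std::string, CmdPerm> perms_;
};
// Applies the rules in order and reports whether argv would be permitted.
bool Check(const std::vector<std::string>& rules, const std::vector<std::string>& argv) {
  CmdAcl acl;
  for (const auto& r : rules) acl.Apply(r);
  return acl.Allowed(argv);
}
```

Rule order matters in this sketch: `-config|set` followed by `+config` ends with CONFIG SET allowed, because the later whole-command rule clears the exception.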

@wanghenshui
Collaborator Author

wanghenshui commented Jul 14, 2023 via email

@yaoyinnan
Contributor

qx is writing it, 1/3 written

@lqxhub
Collaborator

lqxhub commented Aug 16, 2023

# The [password of administrator], which is empty by default.
# [NOTICE] If this admin password is the same as user password (including both being empty),
# the value of userpass will be ignored and all users are considered as administrators,
# in this scenario, users are not subject to the restrictions imposed by the userblacklist.
# PS: "user password" refers to value of the parameter below: userpass.
requirepass :

# Password for replication verify, used for authentication when a slave
# connects to a master to request replication.
# [NOTICE] The value of this parameter must match the "requirepass" setting on the master.
masterauth :

# The [password of user], which is empty by default.
# [NOTICE] If this user password is the same as admin password (including both being empty),
# the value of this parameter will be ignored and all users are considered as administrators,
# in this scenario, users are not subject to the restrictions imposed by the userblacklist.
# PS: "admin password" refers to value of the parameter above: requirepass.
userpass :

# The blacklist of commands for users that logged in by userpass,
# the commands that added to this list will not be available for users except for administrator.
# [Advice] It's recommended to add high-risk commands to this list.
# [Format] Commands should be separated by ",". For example: FLUSHALL, SHUTDOWN, KEYS, CONFIG
# By default, this list is empty.
userblacklist 

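Previously Pika had two kinds of users, root and normal. The root user can execute any command (unrestricted), and the normal user cannot execute the commands listed in userblacklist.
These two users are distinguished by different passwords at AUTH time.

Now that we have ACL, do we still need this feature?

I have come up with two options so far:

  1. Abandon the existing command distinction. The user authenticated through the conf file is the root user (i.e. the default user in Redis), the original normal user is removed, and from then on user permissions are controlled entirely through ACL
  2. Keep the existing logic. Compared with Redis, Pika has two default users, and these two users are not bound by ACL; the non-root user is bound by userblacklist, and other users are authenticated through ACL

I lean toward the first option; the second feels like it splits the ACL rules apart.

If there is a better option, corrections are welcome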

@wanghenshui
Collaborator Author

Choose option 1

The original two-password logic caused users a lot of confusion

@lqxhub
Collaborator

lqxhub commented Aug 16, 2023

@wanghenshui OK

@lqxhub lqxhub linked a pull request Nov 24, 2023 that will close this issue