Gh-2991: Improve User Authorisation in GafferPop #3202
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## develop #3202 +/- ##
=============================================
+ Coverage 66.78% 66.80% +0.02%
+ Complexity 2558 2556 -2
=============================================
Files 910 912 +2
Lines 29217 29279 +62
Branches 3256 3269 +13
=============================================
+ Hits 19512 19560 +48
- Misses 8261 8268 +7
- Partials 1444 1451 +7
To check my understanding, when these new classes are not used, the default user for GafferPop is used as the Gaffer user, and when they are used, the username is added using `with`.
I'm assuming a username can still be supplied using `with` (as before) if these classes are not enabled in config?
Correct, when you don't specify any auth classes the user ID in the When the
This adds the relevant hooks and framework for full user auth for gremlin server connections to GafferPop. It utilises the existing frameworks provided by Tinkerpop to ensure the authenticated user ID is passed on to the graph to use for the query. The way this works is by leveraging the custom `GafferPopGraphStep` to inject the `userId` via a `with()` step on the requested traversal; this is then passed onto the graph variables and used in the query. There are checks in place to prevent manually adding a `with()` step that sets the `userId` so that only the currently authorised user ID is used.

There is an example/default `Authenticator` class provided but this is intended to be used as a template for a specific implementation for a production environment's auth mechanism (for example tinkerpop provide a kerberos version here).

The way the authentication classes are activated is by adding the following config to the gremlin server yaml:
Related issue
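
A minimal model of the check the description above refers to, as an added example that is not taken from this PR or from GafferPop: a client-supplied `with("userId", ...)` is rejected, and the authenticated name is then appended so the identity always originates on the server. The class, record and method names are hypothetical, and plain Java collections stand in for TinkerPop's traversal types.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Model of server-side user ID injection; names are hypothetical, not GafferPop's API. */
public class UserIdInjectionExample {
    static final String USER_ID_KEY = "userId"; // option key named in the description above

    /** One with(key, value) step as sent by the client. */
    record WithStep(String key, Object value) { }

    /**
     * Rejects any client-supplied with("userId", ...) and then appends one built
     * from the authenticated name, so the identity always comes from the server.
     */
    static List<WithStep> authorise(String authenticatedUser, List<WithStep> requested) {
        if (authenticatedUser == null || authenticatedUser.isBlank()) {
            throw new SecurityException("no authenticated user for this connection");
        }
        for (WithStep step : requested) {
            if (USER_ID_KEY.equals(step.key())) {
                throw new SecurityException("with(\"" + USER_ID_KEY + "\") may not be set by the client");
            }
        }
        List<WithStep> result = new ArrayList<>(requested);
        result.add(new WithStep(USER_ID_KEY, authenticatedUser));
        return result;
    }

    /** Collapses the with() steps into the variables the graph would read for the query. */
    static Map<String, Object> toGraphVariables(List<WithStep> steps) {
        Map<String, Object> vars = new LinkedHashMap<>();
        steps.forEach(s -> vars.put(s.key(), s.value()));
        return vars;
    }

    public static void main(String[] args) {
        // Constructed requests: one unrelated option, one that tries to choose its own identity.
        List<WithStep> benign = List.of(new WithStep("someOption", "value"));
        List<WithStep> spoofed = List.of(new WithStep("userId", "admin"));

        System.out.println(toGraphVariables(authorise("alice", benign)));
        try {
            authorise("alice", spoofed);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```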