Gh-2991: Improve User Authorisation in GafferPop

[tb06904]

This adds the relevant hooks and framework for full user auth for gremlin server connections to GafferPop. It utilises the existing frameworks provided by Tinkerpop to ensure the authenticated user ID is passed on to the graph to use for the query. The way this works is by leveraging the custom GafferPopGraphStep to inject the userId via a with() step on the requested traversal, this is then passed onto the graph variables and used in the query. There are checks in place to prevent manually adding a with() step that sets the userId so that only the currently authorised user ID is used.

There is a example/default Authenticator class provided but this is intended to be used as a template for a specific implementation for a production environment's auth mechanism (for example tinkerpop provide a kerberos version here).

The way the authentication classes are activated is by adding the following config to the gremlin server yaml:

authentication: {
  authenticator: uk.gov.gchq.gaffer.tinkerpop.server.auth.DefaultGafferPopAuthenticator
}
authorization: {
  authorizer: uk.gov.gchq.gaffer.tinkerpop.server.auth.GafferPopAuthoriser
}

Related issue

• Resolve Improve user auth in gafferpop #2991

[codecov]

Codecov Report

Attention: Patch coverage is 84.12698% with 10 lines in your changes are missing coverage. Please review.

Project coverage is 66.80%. Comparing base (c0b950f) to head (27e8d3b).

Files	Patch %	Lines
...pop/server/auth/ExampleGafferPopAuthenticator.java	77.77%	4 Missing and 4 partials ⚠️
...fer/tinkerpop/server/auth/GafferPopAuthoriser.java	92.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@              Coverage Diff              @@
##             develop    #3202      +/-   ##
=============================================
+ Coverage      66.78%   66.80%   +0.02%     
+ Complexity      2558     2556       -2     
=============================================
  Files            910      912       +2     
  Lines          29217    29279      +62     
  Branches        3256     3269      +13     
=============================================
+ Hits           19512    19560      +48     
- Misses          8261     8268       +7     
- Partials        1444     1451       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[GCHQDeveloper314]

To check my understanding, when these new classes are not used, the default user for GafferPop is used as the Gaffer user, and when they are used, the username is added using with.

I'm assuming a username still be supplied using with (as before) if these classes are not enabled in config?

[tb06904]

To check my understanding, when these new classes are not used, the default user for GafferPop is used as the Gaffer user, and when they are used, the username is added using with.

I'm assuming a username still be supplied using with (as before) if these classes are not enabled in config?

Correct, when you don't specify any auth classes the user ID in the gafferpop.properties file will be used to construct the Gaffer user and you can arbitrarily set it via a with("userId", "id") to anything for a given query.

When the GafferPopAuthoriser is used it will block any attempts at setting the ID via a with() and instead pass on the ID of the current authorised user (from the authenticator class) by injecting its own with() into the query.