Cluster integration for role_store and related structures.
#16926
Conversation
oleiman
force-pushed
the
rbac/controller-cmd
branch
from
a89fa17
to
071cfb9
Compare
|
/dt |
oleiman
force-pushed
the
rbac/controller-cmd
branch
2 times, most recently
from
b4e06d3
to
948bec4
Compare
oleiman
requested review from
michael-redpanda,
rockwotj,
graphcareful and
BenPope
|
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45807#018e1a40-fa2f-4866-9b43-a2d52be47444 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45953#018e2b00-fa98-45ef-bd06-d0957ad979ce |
oleiman
force-pushed
the
rbac/controller-cmd
branch
from
948bec4
to
2260cd1
Compare
|
force push for review comments |
src/v/cluster/security_frontend.h
Outdated
| ss::future<std::error_code> update_user( | ||
| security::credential_user, | ||
| security::scram_credential, | ||
| model::timeout_clock::time_point); | ||
|
|
||
| // Should be called ONLY on the controller leader |
There was a problem hiding this comment.
nit: it would be nice to add proper documentation to this class and these methods.
Also, by leader can we specify this needs to be the leader node, this way it's more clear that it can be called from any shard, not just shard0 on the leader.
There was a problem hiding this comment.
updated existing comments, but I'm going hold off full documentation of these methods for a follow-on PR. I don't want to clutter this diff up too much.
oleiman
force-pushed
the
rbac/controller-cmd
branch
from
2260cd1
to
dbcfe8f
Compare
|
force push CR cleanups |
src/v/cluster/commands.h
Outdated
| using create_role_cmd = controller_command< | ||
| security::role_name, | ||
| security::role, |
There was a problem hiding this comment.
I think it is generally a good idea to completely ignore either the key or the value and create a versioned structure for the payload of each command to future proof yourself against needing to add additional context to the command. the rename command is a good example. sure, using key=from-name and value=to-name works now, but what if you need some extra state later? you'd probably have to add a replacement command.
There was a problem hiding this comment.
@mmaslankaprv is there a new/better way to handle this?
There was a problem hiding this comment.
TBH we don't use the key for anything AFAIK, so I would rather just have a value and that would mean people would make their own structs for each commands, so you'd get the serde benefits. There are also things like this serde_only tag which should be the default.
I also don't love this special batch type pattern, I would rather just have the key or a header specify who owns a controller command
There was a problem hiding this comment.
serde_only is the default...noticed that yesterday and meant to remove the param in this PR.
create a versioned structure for the payload
that makes good sense, thanks. I see some examples of that pattern in nearby code now.
There was a problem hiding this comment.
@dotnwat - this is done if you're interested in taking another look
oleiman
force-pushed
the
rbac/controller-cmd
branch
from
dbcfe8f
to
f4b050a
Compare
|
force push contents:
|
src/v/cluster/commands.h
Outdated
| using create_role_cmd = controller_command< | ||
| int8_t, // unused | ||
| upsert_role_cmd_data, | ||
| create_role_cmd_type, | ||
| model::record_batch_type::role_management_cmd>; | ||
|
|
||
| using delete_role_cmd = controller_command< | ||
| int8_t, // unused | ||
| security::role_name, | ||
| delete_role_cmd_type, | ||
| model::record_batch_type::role_management_cmd>; | ||
|
|
||
| using update_role_cmd = controller_command< | ||
| int8_t, // unused | ||
| upsert_role_cmd_data, | ||
| update_role_cmd_type, | ||
| model::record_batch_type::role_management_cmd>; |
There was a problem hiding this comment.
considered collapsing create and update into one, but that would complicate the handler (and payload) somewhat. is there any reason to minimize the number of controller command types?
There was a problem hiding this comment.
I cant think of any reasons
|
new failures in https://buildkite.com/redpanda/redpanda/builds/45852#018e1d12-b6b0-4991-a079-f2a2df1caebb: new failures in https://buildkite.com/redpanda/redpanda/builds/45951#018e2a36-0ec4-4da2-b568-4723fb9dfc8a: |
oleiman
force-pushed
the
rbac/controller-cmd
branch
from
f4b050a
to
e482955
Compare
|
force push to add versioned |
|
/ci-repeat 1 |
|
/ci-repeat 1 |
Batch type (NEW): model::record_batch_type::role_management_cmd payload types: - upsert_role_cmd_data - (role_name, role) - rename_role_cmd_data - (role_name, role_name) - delete_role_cmd_data - (role_name) controller_commands: - create_role_cmd - (int8_t /*unused*/, upsert_role_cmd_data) - delete_role_cmd - (int8_t /*unused*/, delete_role_cmd_data) - update_role_cmd - (int8_t /*unused*/, upsert_role_cmd_data) - rename_role_cmd - (int8_t /*unused*/, rename_role_cmd_data) Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
cluster::errc {
...
role_exists, // Cmd failed because the target role exists
role_does_not_exist, // Cmd failed because the target role does not exist
}
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Fixup for clang-tidy (and general preferred practice). No functional changes.
Adds a sharded<security::role_store> to cluster::controller, which shared it down into cluster::security_manager (alongside credential_store and authorizer). The sharded role_store service is started and stopped by the controller in the usual way. Also adds controller::get_role_store. The meat of the change is in security_manager, where high level semantics and error handling for the various role_managment_cmds are applied. Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
create, delete, update, rename All requests are subject to the role_based_access_control feature gate. This interface should be consumed ONLY on the controller leader. Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
New file: security_frontend_test.cc Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
oleiman
force-pushed
the
rbac/controller-cmd
branch
from
e482955
to
b437374
Compare
|
force_push rebase on dev to fix feature_table merge conflict |
This PR introduces a new record batch type for replicated management of the in-memory
role_storemodel::record_batch_type::role_management_cmdgoverns four new controller commands:create_role_cmddelete_role_cmdupdate_role_cmdrename_role_cmdIncludes integration of the role_store itself into
cluster::controller,cluster::security_manageras a sharded service, handlers for the commands, andcluster::security_frontendAPI.Also includes a feature gate for the new commands (
feature::role_based_access_control) and a fixture test for the whole kit.Closes https://github.com/redpanda-data/core-internal/issues/1099
Backports Required
Release Notes
feature::role_based_access_control