-
Notifications
You must be signed in to change notification settings - Fork 552
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cluster integration for role_store
and related structures.
#16926
Conversation
a89fa17
to
071cfb9
Compare
/dt |
b4e06d3
to
948bec4
Compare
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45807#018e1a40-fa2f-4866-9b43-a2d52be47444 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45953#018e2b00-fa98-45ef-bd06-d0957ad979ce |
948bec4
to
2260cd1
Compare
force push for review comments |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, a couple of things I noticed on the second pass
src/v/cluster/security_frontend.h
Outdated
ss::future<std::error_code> update_user( | ||
security::credential_user, | ||
security::scram_credential, | ||
model::timeout_clock::time_point); | ||
|
||
// Should be called ONLY on the controller leader |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: it would be nice to add proper documentation to this class and these methods.
Also, by leader can we specify this needs to be the leader node, this way it's more clear that it can be called from any shard, not just shard0 on the leader.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fair points
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated existing comments, but I'm going hold off full documentation of these methods for a follow-on PR. I don't want to clutter this diff up too much.
2260cd1
to
dbcfe8f
Compare
force push CR cleanups |
src/v/cluster/commands.h
Outdated
using create_role_cmd = controller_command< | ||
security::role_name, | ||
security::role, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is generally a good idea to completely ignore either the key or the value and create a versioned structure for the payload of each command to future proof yourself against needing to add additional context to the command. the rename
command is a good example. sure, using key=from-name and value=to-name works now, but what if you need some extra state later? you'd probably have to add a replacement command.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mmaslankaprv is there a new/better way to handle this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TBH we don't use the key for anything AFAIK, so I would rather just have a value and that would mean people would make their own structs for each commands, so you'd get the serde benefits. There are also things like this serde_only tag which should be the default.
I also don't love this special batch type pattern, I would rather just have the key or a header specify who owns a controller command
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
serde_only
is the default...noticed that yesterday and meant to remove the param in this PR.
create a versioned structure for the payload
that makes good sense, thanks. I see some examples of that pattern in nearby code now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dotnwat - this is done if you're interested in taking another look
dbcfe8f
to
f4b050a
Compare
force push contents:
|
src/v/cluster/commands.h
Outdated
using create_role_cmd = controller_command< | ||
int8_t, // unused | ||
upsert_role_cmd_data, | ||
create_role_cmd_type, | ||
model::record_batch_type::role_management_cmd>; | ||
|
||
using delete_role_cmd = controller_command< | ||
int8_t, // unused | ||
security::role_name, | ||
delete_role_cmd_type, | ||
model::record_batch_type::role_management_cmd>; | ||
|
||
using update_role_cmd = controller_command< | ||
int8_t, // unused | ||
upsert_role_cmd_data, | ||
update_role_cmd_type, | ||
model::record_batch_type::role_management_cmd>; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
considered collapsing create
and update
into one, but that would complicate the handler (and payload) somewhat. is there any reason to minimize the number of controller command types?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I cant think of any reasons
new failures in https://buildkite.com/redpanda/redpanda/builds/45852#018e1d12-b6b0-4991-a079-f2a2df1caebb:
new failures in https://buildkite.com/redpanda/redpanda/builds/45951#018e2a36-0ec4-4da2-b568-4723fb9dfc8a:
|
f4b050a
to
e482955
Compare
force push to add versioned |
/ci-repeat 1 |
/ci-repeat 1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Batch type (NEW): model::record_batch_type::role_management_cmd payload types: - upsert_role_cmd_data - (role_name, role) - rename_role_cmd_data - (role_name, role_name) - delete_role_cmd_data - (role_name) controller_commands: - create_role_cmd - (int8_t /*unused*/, upsert_role_cmd_data) - delete_role_cmd - (int8_t /*unused*/, delete_role_cmd_data) - update_role_cmd - (int8_t /*unused*/, upsert_role_cmd_data) - rename_role_cmd - (int8_t /*unused*/, rename_role_cmd_data) Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
cluster::errc { ... role_exists, // Cmd failed because the target role exists role_does_not_exist, // Cmd failed because the target role does not exist } Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Fixup for clang-tidy (and general preferred practice). No functional changes.
Adds a sharded<security::role_store> to cluster::controller, which shared it down into cluster::security_manager (alongside credential_store and authorizer). The sharded role_store service is started and stopped by the controller in the usual way. Also adds controller::get_role_store. The meat of the change is in security_manager, where high level semantics and error handling for the various role_managment_cmds are applied. Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
create, delete, update, rename All requests are subject to the role_based_access_control feature gate. This interface should be consumed ONLY on the controller leader. Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
New file: security_frontend_test.cc Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
e482955
to
b437374
Compare
force_push rebase on dev to fix feature_table merge conflict |
This PR introduces a new record batch type for replicated management of the in-memory
role_store
model::record_batch_type::role_management_cmd
governs four new controller commands:create_role_cmd
delete_role_cmd
update_role_cmd
rename_role_cmd
Includes integration of the role_store itself into
cluster::controller
,cluster::security_manager
as a sharded service, handlers for the commands, andcluster::security_frontend
API.Also includes a feature gate for the new commands (
feature::role_based_access_control
) and a fixture test for the whole kit.Closes https://github.com/redpanda-data/core-internal/issues/1099
Backports Required
Release Notes
feature::role_based_access_control