38 changes: 26 additions & 12 deletions rego/hdfs.rego
Expand Up @@ -7,7 +7,7 @@ default allow = false
# HDFS authorizer
allow if {
some acl in acls
matches_identity(input.callerUgi.shortUserName, acl.identity)
matches_identity(acl.identity)
matches_resource(input.path, acl.resource)
action_sufficient_for_operation(acl.action, input.operationName)
}
Expand All @@ -19,14 +19,19 @@ groups := {group |
group := trim_prefix(raw, "/")
}

# Identity mentions the user explicitly
matches_identity(user, identity) if {
identity == concat("", ["user:", user])
# Identity mentions the (long) userName explicitly
matches_identity(identity) if {
identity == concat("", ["user:", input.callerUgi.userName])
}

# Identity mentions group the user is part of
matches_identity(user, identity) if {
some group in groups_for_user[user]
# Identity mentions the shortUserName explicitly
matches_identity(identity) if {
identity == concat("", ["shortUser:", input.callerUgi.shortUserName])
}

# Identity mentions group the user is part of (by looking up using the (long) userName)
matches_identity(identity) if {
some group in groups_for_user[input.callerUgi.userName]
identity == concat("", ["group:", group])
}

Expand Down Expand Up @@ -171,7 +176,11 @@ admin_actions := {
"transitionToStandby": "full",
}

groups_for_user := {"admin": ["admins"], "alice": ["developers"], "bob": []}
groups_for_user := {
"admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
"alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["developers"],
"bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL": []
}

acls := [
{
Expand All @@ -190,22 +199,27 @@ acls := [
"resource": "hdfs:dir:/developers-ro/",
},
{
"identity": "user:alice",
"identity": "user:alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
"action": "rw",
"resource": "hdfs:dir:/alice/",
},
{
"identity": "user:bob",
"identity": "user:bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
"action": "rw",
"resource": "hdfs:dir:/bob/",
},
{
"identity": "user:bob",
"identity": "user:bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
"action": "ro",
"resource": "hdfs:dir:/developers/",
},
{
"identity": "user:bob",
"identity": "user:bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
"action": "rw",
"resource": "hdfs:file:/developers/file-from-bob",
},
{
"identity": "shortUser:bob",
"action": "rw",
"resource": "hdfs:file:/developers/file-from-bob",
},
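Review bot: The comment on the new shortUser rule in the second hunk (`# Identity mentions the shortUserName explicitly`) does not say that a `shortUser:` ACL is broader than a `user:` ACL, which is the one thing an ACL author needs to know before picking it. The sample data shows the short name being derived from the long principal (`admin` from `admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL`); if that derivation is the cluster's principal-to-local mapping, several principals can share one short name and every one of them satisfies a `shortUser:` identity, whereas `user:` and the group lookup through `groups_for_user` now key on the full principal. I would extend the comment to: `# Identity mentions the shortUserName explicitly. The short name is derived from the principal, so several principals may share it; prefer user:/group: unless the broader match is intended.` Related, the `shortUser:bob` entry added in the last hunk grants the same action on the same resource as the `user:bob/...` entry directly above it, so as sample data it is redundant and the two rules are indistinguishable; the `acls` list continues past the hunk.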
39 changes: 26 additions & 13 deletions rego/hdfs_test.rego
Expand Up @@ -5,7 +5,8 @@ import rego.v1
test_admin_access_to_slash if {
allow with input as {
"callerUgi": {
"shortUserName": "admin"
"shortUserName": "admin",
"userName": "admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/top-level",
"operationName": "setErasureCodingPolicy",
Expand All @@ -15,7 +16,8 @@ test_admin_access_to_slash if {
test_admin_access_to_alice if {
allow with input as {
"callerUgi": {
"shortUserName": "admin"
"shortUserName": "admin",
"userName": "admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/alice/file",
"operationName": "create",
Expand All @@ -26,7 +28,8 @@ test_admin_access_to_alice if {
test_admin_access_to_alice_nested_file if {
allow with input as {
"callerUgi": {
"shortUserName": "admin"
"shortUserName": "admin",
"userName": "admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/alice/nested/file",
"operationName": "create",
Expand All @@ -36,7 +39,8 @@ test_admin_access_to_alice_nested_file if {
test_admin_access_to_developers if {
allow with input as {
"callerUgi": {
"shortUserName": "admin"
"shortUserName": "admin",
"userName": "admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/developers/file",
"operationName": "create",
Expand All @@ -48,7 +52,8 @@ test_admin_access_to_developers if {
test_alice_access_to_alice_folder if {
allow with input as {
"callerUgi": {
"shortUserName": "alice"
"shortUserName": "alice",
"userName": "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/alice",
"operationName": "create",
Expand All @@ -58,7 +63,8 @@ test_alice_access_to_alice_folder if {
test_alice_access_to_alice if {
allow with input as {
"callerUgi": {
"shortUserName": "alice"
"shortUserName": "alice",
"userName": "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/alice/file",
"operationName": "create",
Expand All @@ -68,7 +74,8 @@ test_alice_access_to_alice if {
test_alice_no_access_to_bob if {
not allow with input as {
"callerUgi": {
"shortUserName": "alice"
"shortUserName": "alice",
"userName": "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/bob/file",
"operationName": "open",
Expand All @@ -78,7 +85,8 @@ test_alice_no_access_to_bob if {
test_alice_access_to_developers if {
allow with input as {
"callerUgi": {
"shortUserName": "alice"
"shortUserName": "alice",
"userName": "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/developers/file",
"operationName": "create",
Expand All @@ -92,7 +100,8 @@ test_alice_access_to_developers if {
test_bob_no_access_to_alice if {
not allow with input as {
"callerUgi": {
"shortUserName": "bob"
"shortUserName": "bob",
"userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/alice/file",
"operationName": "open",
Expand All @@ -102,7 +111,8 @@ test_bob_no_access_to_alice if {
test_bob_access_to_bob if {
allow with input as {
"callerUgi": {
"shortUserName": "bob"
"shortUserName": "bob",
"userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/bob/file",
"operationName": "create",
Expand All @@ -112,7 +122,8 @@ test_bob_access_to_bob if {
test_bob_ro_access_to_developers if {
allow with input as {
"callerUgi": {
"shortUserName": "bob"
"shortUserName": "bob",
"userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/developers/file",
"operationName": "open",
Expand All @@ -122,7 +133,8 @@ test_bob_ro_access_to_developers if {
test_bob_no_rw_access_to_developers if {
not allow with input as {
"callerUgi": {
"shortUserName": "bob"
"shortUserName": "bob",
"userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/developers/file",
"operationName": "create",
Expand All @@ -132,7 +144,8 @@ test_bob_no_rw_access_to_developers if {
test_bob_rw_access_to_developers_special_file if {
allow with input as {
"callerUgi": {
"shortUserName": "bob"
"shortUserName": "bob",
"userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
},
"path": "/developers/file-from-bob",
"operationName": "create",
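Review bot: None of the updated tests exercises the new `shortUser:` match or the principal-keyed group lookup on its own: every input carries a `userName` that also has a matching `user:` ACL or a `groups_for_user` entry, so `test_bob_rw_access_to_developers_special_file` passes through `user:bob/...` whether or not the `shortUser:bob` rule works, and a regression that looked groups up by short name again would go unnoticed. Add a case with a principal whose short name is `bob` but whose long name has no `user:` ACL and no group entry, asserting it is denied outside the one `shortUser:` resource and allowed on it. The principal below is constructed for the test, and the input is trimmed to the fields visible in the hunks, so add whatever other fields the existing tests pass past the cut. Every test rule in this file ends outside its hunk.
```rego
# Constructed principal: same short name as bob, no user: ACL, no groups_for_user entry.
test_other_bob_principal_denied_on_bob_dir if {
	not allow with input as {
		"callerUgi": {
			"shortUserName": "bob",
			"userName": "bob@OTHER.REALM",
		},
		"path": "/bob/file",
		"operationName": "create",
	}
}

# Only the shortUser:bob ACL can grant this; it proves the rule is live.
test_other_bob_principal_allowed_via_short_user_acl if {
	allow with input as {
		"callerUgi": {
			"shortUserName": "bob",
			"userName": "bob@OTHER.REALM",
		},
		"path": "/developers/file-from-bob",
		"operationName": "create",
	}
}
```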