Define and use roles for authorization #8874

Merged
merged 21 commits into from Mar 26, 2019

Member

mpolden commented Mar 22, 2019

There are some minor test updates due to ambiguities in the original
authorization logic.

@mpolden mpolden requested review from jonmv and tokle Mar 22, 2019

@mpolden mpolden force-pushed the mpolden/roles-and-policies branch from f2e5ec7 to 75a3f48 Mar 22, 2019

...rver/src/main/java/com/yahoo/vespa/hosted/controller/role/PathGroup.java
return get(path).filter(p -> {
boolean match = true;
String tenant = p.get("tenant");
if (tenant != null && context.tenant().isPresent()) {
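
Review bot: `match` starts as `true` and the tenant comparison only runs when both `p.get("tenant")` and `context.tenant()` are present, so on the lines shown a path/context pair where only one side carries a tenant never reaches the comparison. For an authorization filter it is safer to start from `false` (or return `false` as soon as exactly one side has a tenant), and to document any path group where the context is meant to be ignored.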


jonmv Mar 22, 2019

Contributor

I find it a bit strange that if the context has a tenant, but the path doesn't, it's a "match". Likewise for application.


jonmv Mar 22, 2019

Contributor

And the other way around.

...server/src/main/java/com/yahoo/vespa/hosted/controller/role/Context.java
* Paths used for deployments by build service(s). Note that context is ignored in these paths as build service
* roles are not granted in specific contexts.
*/
buildService("/zone/v1/{*}",
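
Review bot: the `/zone/v1/{*}` spec for `buildService` pairs a wildcard with the Javadoc's statement that context is ignored for these paths, so if `{*}` matches any remainder, everything under `/zone/v1/` is covered without a tenant or application check. Consider listing the specific deployment paths the build service needs, or extending the Javadoc to say why the whole prefix is required.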


jonmv Mar 22, 2019

Contributor

This API is used by users to deploy to dev.
A better solution would probably be to expose a deploy API path with environment (dev or perf) directly under an application, which picks the correct region, but that is some work and not really part of this.

}

static {
// Ensure that all path spec sets are disjoint


freva Mar 22, 2019

Contributor

Shouldn't this just be a test?


mpolden Mar 25, 2019

Author Member

Sure, I just prefer to keep contracts within the class (similar requireSomething methods) when possible. If validation is a lot of code and/or needs other classes to do the validation, it can be moved to a test.

Set<String> overlapping = new LinkedHashSet<>(pg.pathSpecs);
overlapping.retainAll(pg2.pathSpecs);
if (!overlapping.isEmpty()) {
throw new AssertionError("The following path specs overlap in " + pg + " and " + pg2 +
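
Review bot: `retainAll` on `pathSpecs` compares the spec strings for equality, so this check only reports specs that are textually identical in `pg` and `pg2`. Two different strings that can match the same request path (for example a literal segment in one and a `{...}` placeholder in the other) pass it; compare specs segment by segment, or say in the message that only exact duplicates are detected.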


mpolden Mar 25, 2019

Author Member

Use junit assertions with message instead of throwing.

&& ! (parts1[i].startsWith("{") && parts1[i].endsWith("}"))
&& ! (parts2[i].startsWith("{") && parts2[i].endsWith("}"))) break;

if (i == end) throw new AssertionError("Paths '" + path1 + "' and '" + path2 +"' overlap.");
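
Review bot: the `break` condition treats every `{...}` segment as matching anything, and `i == end` is the only overlap signal visible here, so it is worth confirming how specs with a different number of segments, and a trailing `{*}` such as the one in `/zone/v1/{*}`, are handled before this loop. A short comment stating the overlap rule would make the check reviewable; also `path2 +"' overlap."` is missing a space after `+`.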


mpolden Mar 25, 2019

Author Member

Same as above.

Contributor

jonmv commented Mar 26, 2019

@mpolden and @tokle PTAL.

@@ -37,7 +49,7 @@ public String toString() {
* membership to a {@link RoleMembership}.
*/
public interface Resolver {
RoleMembership membership();
RoleMembership membership(Principal user);
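
Review bot: `membership(Principal user)` does not say what a resolver does when `user` is null. Document in the interface Javadoc that `user` must be non-null, and have implementations reject null (for instance with `Objects.requireNonNull`) so a request without a principal fails instead of resolving to some default membership.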


mpolden Mar 26, 2019

Author Member

I liked it better before, with the resolving inside the resolver. How about making it membership(Optional<Principal>)? That way the context can be set for the current system, as before.


jonmv Mar 26, 2019

Contributor

After discussion with @tokle we agreed the Principal should not be optional — it is a setup error if this filter is run without a Principal being set in the request.

Member Author

mpolden commented Mar 26, 2019

LGTM

@jonmv jonmv merged commit 763d6a3 into master Mar 26, 2019

2 of 3 checks passed

continuous-integration/travis-ci/pr The Travis CI build is in progress
Merge Stop Enforcer Check preventing merges at merge stop.
cla/licenses User has a valid Oath CLA

@jonmv jonmv deleted the mpolden/roles-and-policies branch Mar 26, 2019

Contributor

jonmv commented Mar 26, 2019

Let's see how it fares :)
