forked from datahub-project/datahub
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(metadata-service): Supporting a configurable Authorizer Chain (d…
- Loading branch information
1 parent
e3ca561
commit 77bc648
Showing
21 changed files
with
364 additions
and
76 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
19 changes: 19 additions & 0 deletions
19
...-service/auth-api/src/main/java/com/datahub/authorization/AuthorizationConfiguration.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
package com.datahub.authorization; | ||
|
||
import java.util.List; | ||
import lombok.Data; | ||
|
||
/** | ||
* POJO representing the "authentication" configuration block in application.yml. | ||
*/ | ||
@Data | ||
public class AuthorizationConfiguration { | ||
/** | ||
* Configuration for the default DataHub Policies-based authorizer. | ||
*/ | ||
private DefaultAuthorizerConfiguration defaultAuthorizer; | ||
/** | ||
* List of configurations for {@link Authorizer}s to be registered | ||
*/ | ||
private List<AuthorizerConfiguration> authorizers; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
31 changes: 25 additions & 6 deletions
31
metadata-service/auth-api/src/main/java/com/datahub/authorization/AuthorizationResult.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,22 +1,41 @@ | ||
package com.datahub.authorization; | ||
|
||
import com.linkedin.policy.DataHubPolicyInfo; | ||
import java.util.Optional; | ||
import lombok.AllArgsConstructor; | ||
import lombok.Data; | ||
|
||
|
||
/** | ||
* A result returned after requesting authorization for a particular privilege. | ||
*/ | ||
@Data | ||
@AllArgsConstructor | ||
public class AuthorizationResult { | ||
/** | ||
* The original authorization request | ||
*/ | ||
AuthorizationRequest request; | ||
|
||
Optional<DataHubPolicyInfo> policy; | ||
|
||
Type type; | ||
|
||
/** | ||
* The result type. Allow or deny the authorization request for the actor. | ||
*/ | ||
public enum Type { | ||
/** | ||
* Allow the request - the requested actor is privileged. | ||
*/ | ||
ALLOW, | ||
/** | ||
* Deny the request - the requested actor is not privileged. | ||
*/ | ||
DENY | ||
} | ||
|
||
/** | ||
* The decision - whether to allow or deny the request. | ||
*/ | ||
Type type; | ||
|
||
/** | ||
* Optional message associated with the decision. Useful for debugging. | ||
*/ | ||
String message; | ||
} |
29 changes: 13 additions & 16 deletions
29
metadata-service/auth-api/src/main/java/com/datahub/authorization/Authorizer.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,26 +1,23 @@ | ||
package com.datahub.authorization; | ||
|
||
public interface Authorizer { | ||
import java.util.Map; | ||
import javax.annotation.Nonnull; | ||
|
||
enum AuthorizationMode { | ||
/** | ||
* Default mode simply means that authorization is enforced, with a DENY result returned | ||
*/ | ||
DEFAULT, | ||
/** | ||
* Allow all means that the AuthorizationManager will allow all actions. This is used as an override to disable the | ||
* policies feature. | ||
*/ | ||
ALLOW_ALL | ||
} | ||
|
||
/** | ||
* An Authorizer is responsible for determining whether an actor should be granted a specific privilege. | ||
*/ | ||
public interface Authorizer { | ||
/** | ||
* Authorizes an action based on the actor, the resource, & required privileges. | ||
* Initialize the Authorizer. Invoked once at boot time. | ||
* | ||
* @param authorizerConfig config provided to the authenticator derived from the Metadata Service YAML config. This | ||
* config comes from the "authorization.authorizers.config" configuration. | ||
*/ | ||
AuthorizationResult authorize(AuthorizationRequest request); | ||
void init(@Nonnull final Map<String, Object> authorizerConfig); | ||
|
||
/** | ||
* Returns the mode the Authorizer is operating in. | ||
* Authorizes an action based on the actor, the resource, & required privileges. | ||
*/ | ||
AuthorizationMode mode(); | ||
AuthorizationResult authorize(AuthorizationRequest request); | ||
} |
20 changes: 20 additions & 0 deletions
20
...ata-service/auth-api/src/main/java/com/datahub/authorization/AuthorizerConfiguration.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
package com.datahub.authorization; | ||
|
||
import java.util.Map; | ||
import lombok.Data; | ||
|
||
|
||
/** | ||
* POJO representing {@link Authorizer} configurations provided in the application.yml. | ||
*/ | ||
@Data | ||
public class AuthorizerConfiguration { | ||
/** | ||
* A fully-qualified class name for the {@link Authorizer} implementation to be registered. | ||
*/ | ||
private String type; | ||
/** | ||
* A set of authorizer-specific configurations passed through during "init" of the authorizer. | ||
*/ | ||
private Map<String, Object> configs; | ||
} |
15 changes: 15 additions & 0 deletions
15
...vice/auth-api/src/main/java/com/datahub/authorization/DefaultAuthorizerConfiguration.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
package com.datahub.authorization; | ||
|
||
import lombok.Data; | ||
|
||
@Data | ||
public class DefaultAuthorizerConfiguration { | ||
/** | ||
* Whether authorization via DataHub policies is enabled. | ||
*/ | ||
private boolean enabled; | ||
/** | ||
* The duration between policies cache refreshes. | ||
*/ | ||
private int cacheRefreshIntervalSecs; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.