Ben-Home commented on issue #11573:
URL: https://github.com/apache/gravitino/issues/11573#issuecomment-4671684196
Solid EPIC breakdown. A few production-hardening patterns from running 50+
MCP connectors with per-user identity:
**Token envelope encryption (#11565 adjacent)**
Don't store Bearer tokens in plaintext config files. Use a per-instance
encryption key (derived from a KMS or vault) and store tokens as encrypted
envelopes. On each request, decrypt the envelope → inject into headers → zero
the plaintext after the call. This prevents tokens from appearing in logs, core
dumps, or debug output.
**Authorization-scoped discovery gotcha**
The note about inheriting FILTER_*_AUTHORIZATION_EXPRESSION from the REST
layer is the right approach, but there's a subtle edge case: the MCP
`tools/list` response should also reflect the principal's scope. If a user has
read-only access to a subset of catalogs, the MCP client should only see tools
that operate on those catalogs — not the full tool list. Otherwise the AI agent
will attempt to use tools it can't access and the failure mode is confusing.
Pattern we use:
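```python
def scoped_discovery(principal, all_tools):
    # resolve_permissions() is not defined in this snippet: it maps a
    # principal to the catalogs that principal may access.
    allowed_catalogs = resolve_permissions(principal)
    # Keep tools bound to an allowed catalog, plus tools that need no catalog.
    return [t for t in all_tools
            if t.get("catalog") in allowed_catalogs
            or t.get("requires_catalog") is False]
```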
**Audit trail structure (#11568)**
Recommend logging: `{principal, tool_name, args_hash, result_status,
duration_ms, catalog_scope}`. Hash the args instead of logging them raw — they
may contain PII or query text. The hash lets you correlate audit records
without storing sensitive data.
**Write denial response shape (#11567)**
When denying a write, return a structured error with a distinct error code
(not a generic 403). The AI agent needs to distinguish "you don't have
permission" from "the operation failed for technical reasons" to adjust its
behavior correctly.
```json
{
  "error": "AUTHORIZATION_DENIED",
  "message": "Write access to catalog 'prod_warehouse' requires role 'data_engineer'",
  "required_role": "data_engineer"
}
```
This is a well-scoped EPIC — the task decomposition into transport
isolation, audit, and integration tests is exactly the right order.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
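An added example, not part of the comment above and not Gravitino code: a call wrapper that emits the suggested audit record and returns the structured write denial. It swaps the plain argument hash for a keyed HMAC over canonical JSON, so short or guessable arguments cannot be recovered from the log by hashing candidates. The key, the tool fields `name`, `write` and `required_role`, and the `EXECUTION_FAILED` code are assumptions.

```python
import hashlib
import hmac
import json
import time

AUDIT_KEY = b"constructed-demo-key"  # assumption: loaded from a KMS/vault in practice


def args_hash(args, key=AUDIT_KEY):
    # Canonical JSON (sorted keys, fixed separators) so identical calls hash
    # identically regardless of argument order; HMAC instead of bare SHA-256.
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def audited_call(principal, roles, tool, args, handler, sink):
    """Run handler(args) for `tool` and append exactly one audit record to `sink`."""
    start = time.monotonic()
    required = tool.get("required_role")
    # Fail closed: a write tool with no matching role is denied before it runs.
    if tool.get("write") and required not in roles:
        status = "AUTHORIZATION_DENIED"
        result = {
            "error": status,
            "message": f"Write access to catalog '{tool['catalog']}' "
                       f"requires role '{required}'",
            "required_role": required,
        }
    else:
        try:
            result, status = handler(args), "OK"
        except Exception as exc:  # technical failure, kept distinct from a denial
            status = "EXECUTION_FAILED"  # hypothetical error code
            result = {"error": status, "message": type(exc).__name__}
    sink.append({
        "principal": principal,
        "tool_name": tool["name"],
        "args_hash": args_hash(args),  # raw args never reach the log
        "result_status": status,
        "duration_ms": round((time.monotonic() - start) * 1000, 3),
        "catalog_scope": tool.get("catalog"),
    })
    return result


# Constructed sample data.
TOOL = {"name": "drop_table", "catalog": "prod_warehouse",
        "write": True, "required_role": "data_engineer"}
ARGS = {"table": "orders", "schema": "sales"}
```

Rotating `AUDIT_KEY` breaks correlation between records written before and after the rotation, so record a key identifier alongside the hash if long-range correlation matters.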