bobbai00 commented on code in PR #3598:
URL: https://github.com/apache/texera/pull/3598#discussion_r2285728999


##########
core/access-control-service/src/main/scala/edu/uci/ics/texera/service/resource/AccessControlResource.scala:
##########
@@ -0,0 +1,93 @@
+package edu.uci.ics.texera.service.resource
+
+import com.typesafe.scalalogging.LazyLogging
+import edu.uci.ics.texera.auth.JwtParser.parseToken
+import edu.uci.ics.texera.auth.SessionUser
+import edu.uci.ics.texera.dao.SqlServer
+import edu.uci.ics.texera.dao.jooq.generated.enums.PrivilegeEnum
+import edu.uci.ics.texera.service.util.ComputingUnit
+import jakarta.ws.rs.{GET, POST, Path, PathParam, Produces}
+import jakarta.ws.rs.core.{Context, HttpHeaders, MediaType, Response, UriInfo}
+
+import java.util.Optional
+import scala.jdk.CollectionConverters.{CollectionHasAsScala, MapHasAsScala}
+
+@Produces(Array(MediaType.APPLICATION_JSON))
+@Path("/authorize")
+class AccessControlResource extends LazyLogging {

Review Comment:
   Seems not changed



##########
core/build.sbt:
##########
@@ -27,6 +27,14 @@ lazy val ConfigService = (project in file("config-service"))
       "com.fasterxml.jackson.module" %% "jackson-module-scala" % "2.17.0"
     )
   )
+lazy val PermissionService = (project in file("access-control-service"))
+  .dependsOn(Auth, Config)

Review Comment:
   Seems not changed. As we are using `access-control-service` as the folder 
name, let's use `AccessControlService`



##########
core/amber/src/main/scala/edu/uci/ics/texera/web/ServletAwareConfigurator.scala:
##########
@@ -29,46 +30,76 @@ import java.nio.charset.Charset
 import javax.websocket.HandshakeResponse
 import javax.websocket.server.{HandshakeRequest, ServerEndpointConfig}
 import scala.jdk.CollectionConverters.ListHasAsScala
+import scala.jdk.CollectionConverters._
 
 /**
-  * This configurator extracts HTTPSession and associates it to 
ServerEndpointConfig,
-  * allow it to be accessed by Websocket connections.
-  * <pre>
-  * See <a 
href="https://stackoverflow.com/questions/17936440/accessing-httpsession-
-  * from-httpservletrequest-in-a-web-socket-serverendpoint"></a>
-  * </pre>
-  */
+ * This configurator extracts HTTPSession and associates it to 
ServerEndpointConfig,
+ * allow it to be accessed by Websocket connections.
+ * <pre>
+ * See <a 
href="https://stackoverflow.com/questions/17936440/accessing-httpsession-
+ * from-httpservletrequest-in-a-web-socket-serverendpoint"></a>
+ * </pre>
+ */
 class ServletAwareConfigurator extends ServerEndpointConfig.Configurator with 
LazyLogging {
 
   override def modifyHandshake(
-      config: ServerEndpointConfig,
-      request: HandshakeRequest,
-      response: HandshakeResponse
-  ): Unit = {
+                                config: ServerEndpointConfig,
+                                request: HandshakeRequest,
+                                response: HandshakeResponse
+                              ): Unit = {
     try {
-      val params =
-        URLEncodedUtils.parse(new URI("?" + request.getQueryString), 
Charset.defaultCharset())
-      params.asScala
-        .map(pair => pair.getName -> pair.getValue)
-        .toMap
-        .get("access-token")
-        .map(token => {
-          val claims = jwtConsumer.process(token).getJwtClaims
-          config.getUserProperties.put(
-            classOf[User].getName,
-            new User(
-              claims.getClaimValue("userId").asInstanceOf[Long].toInt,
-              claims.getSubject,
-              
String.valueOf(claims.getClaimValue("email").asInstanceOf[String]),
-              null,
-              null,
-              null,
-              null,
-              null
-            )
+      if (KubernetesConfig.kubernetesComputingUnitEnabled) {
+        // KUBERNETES MODE: Construct the User object from trusted headers
+        // coming from envoy and generated by permission service.
+        val headers = 
request.getHeaders.asScala.view.mapValues(_.asScala.headOption).toMap
+
+        val userId = headers.get("x-user-id").flatten.map(_.toInt).get
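Review bot: The `x-user-id` lookup on the last added line ends in `.map(_.toInt).get`, so a missing or non-numeric header surfaces as a `NoSuchElementException` or `NumberFormatException` instead of a deliberate handshake rejection. The enclosing `try` opens in this hunk but its `catch` is outside it, so the actual failure behaviour cannot be confirmed from here. Something like `val userId = headers.get("x-user-id").flatten.flatMap(_.toIntOption)`, followed by an explicit reject when it is empty, would make that path intentional. Since these headers are the only source of the user's identity in this branch, the comment should spell out what the trust rests on, e.g. `// trusted only because envoy overwrites any client-supplied x-user-* headers and this endpoint is reachable solely through envoy`, and that should be verified against the proxy configuration. Note also that `.toMap` copies the headers into a case-sensitive Scala `Map`, so the lookup presumably relies on the proxy sending lowercase header names.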

Review Comment:
   OK. Instead of using a `if 
(KubernetesConfig.kubernetesComputingUnitEnabled)`, you can do the following:
   - check if user information is already in the header, e.g. x-user-name, 
email..., if so use these to create a session user
   - else, check if access-token is in the request, if so, build the user using 
token
   - else, reject the request
   -  check if cu access is in the request, if so, add it to session config
   This way, the token-parsing logic is decoupled from
`KubernetesConfig.kubernetesComputingUnitEnabled`.


