[
https://issues.apache.org/jira/browse/TINKERPOP-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17220536#comment-17220536
]
ASF GitHub Bot commented on TINKERPOP-2389:
-------------------------------------------
vtslab commented on pull request #1308:
URL: https://github.com/apache/tinkerpop/pull/1308#issuecomment-716359919
The latest commits bring the PR somewhat closer to a completion. Apart from
being more complete, the following points were addressed:
- the AuthorizedUser was removed from the Authorizer API. As also remarked
by QwentB, it had no function.
- a mechanism was added to facilitate interaction between the Authorizer and
Authentication implementations (to support one-pass interrogation of an
external access control service), by means of the AuthenticatorAuthorizer
interface. Actually, I am still in doubt whether this is the best solution
because it lays the burden on the TinkerPop code. Alternatives are there, e.g.
by implementing the Authenticator as a singleton or even via the network. Any
thoughts?
Thanks, @QwentB, for your patient explanation about ABAC. Indeed, if
authorization is very granular, this cannot be supported with static
GraphTraversalSources. So, now I support your suggestion to have authorize()
return a RequestMessage and passing this on into the pipeline. Although this
makes the pipeline less transparent, there is already a (necessary) precedent
in tossing around with the RequestMessage in the SaslAuthenticationHandler.
@spmallette, agree?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Authorization support in TinkerPop
> ----------------------------------
>
> Key: TINKERPOP-2389
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2389
> Project: TinkerPop
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.4.7
> Reporter: Shekhar Bansal
> Priority: Major
> Attachments: Screenshot 2020-06-25 at 15.15.04.png
>
>
> Use case:
> # Tinkerpop supports multiple graphs using a single API and admin might want
> to restrict access to some of the graphs.
> # Admin might want to restrict read/write access to certain users.
>
> Proposal
> Add read/write access restrictions at graph level. We can extend it to
> executing scripts by adding execute privileges.
>
> Changes required
> Add `authorizer` block similar to `authentication` block in yaml file
>
> {code:java}
> authorization: {
> authorizer:
> org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
> authorizationHandler:
> org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
> config: {
> }
> }{code}
>
> Authorization will be done only if authentication is enabled. Authentication
> is done at per session basis while authorization will be done for each and
> every request.
> In `SaslAuthorizationHandler` or `HttpAuthorizationHandler` query will be
> parsed and depending on the step instructions, the query will be marked as of
> type read or write and then privilege evaluation will be done by calling
> `isAccessAllowed` method of `Authorizer`
> {code:java}
> public interface Authorizer {
> /**
> * Whether or not the authorization requires check.
> * If false will not authorzie user.
> */
> public boolean requireAuthorization();
> /**
> * Setup is called once upon system startup to initialize the {@code
> Authorizer}.
> */
> public void setup(final Map<String, Object> config);
> /**
> * A "standard" authorization implementation
> */
> public boolean isAccessAllowed(AuthorizationRequest authorizationRequest)
> throws AuthorizationException;
> }
> {code}
> Access policies can be defined in tools like `Apache Ranger`, sample policy:
> !Screenshot 2020-06-25 at 15.15.04.png|width=1017,height=548!
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
