[
https://issues.apache.org/jira/browse/TINKERPOP-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17221355#comment-17221355
]
ASF GitHub Bot commented on TINKERPOP-2389:
-------------------------------------------
spmallette commented on a change in pull request #1308:
URL: https://github.com/apache/tinkerpop/pull/1308#discussion_r512632352
##########
File path: docs/src/dev/provider/index.asciidoc
##########
@@ -1147,25 +1147,64 @@ one key value pair present (since only one `Traversal`
is being submitted, there
single alias).
|=========================================================
-=== Authentication
+=== Authentication and authorization
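Review bot: Renaming the heading on the `+=== Authentication and authorization` line changes the section ID that AsciiDoc derives from the title whenever no explicit `[[...]]` anchor sits above it, so existing cross-references to the old "Authentication" section could stop resolving. Consider pinning an explicit anchor above the heading and checking the links that point here. The hunk header also shows this region growing from 25 to 64 lines, so a separate `===` section for authorization next to the existing one may be easier to link to than a combined heading.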
Review comment:
nit: Capital "A" in "Authorization" please since it's a title.
nit: There's a bit more formatting to do in the text like enclosing class
names in backticks.
I think it would be worth adding some note here to providers to say that
while Gremlin Server supports this authorization feature it is not a feature
that TinkerPop requires of graph providers as part of the agreement between
client and server. Graph providers may choose to implement their own methods
for authorization in the manner they see fit. I would say a similar
"IMPORTANT" callout box should probably be added to the reference documentation
to alert users to this notion. Finally, as you draw closer to a final body of
work, this is a neat new feature that should have upgrade documentation. (and
perhaps more user-facing documentation?)
UPDATE: I read a bit further on and saw you linked from the user
documentation to this page....that could suffice, but if I'm thinking of this
feature right I sense that users will write these authorizers and I think it
could be a popular feature which means more front-facing documentation.
----------------------------------------------------------------
> Authorization support in TinkerPop
> ----------------------------------
>
> Key: TINKERPOP-2389
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2389
> Project: TinkerPop
> Issue Type: Improvement
> Components: server
> Affects Versions: 3.4.7
> Reporter: Shekhar Bansal
> Priority: Major
> Attachments: Screenshot 2020-06-25 at 15.15.04.png
>
>
> Use case:
> # TinkerPop supports multiple graphs using a single API, and an admin might want
> to restrict access to some of the graphs.
> # Admin might want to restrict read/write access to certain users.
>
> Proposal
> Add read/write access restrictions at graph level. We can extend it to
> executing scripts by adding execute privileges.
>
> Changes required
> Add an `authorizer` block similar to the `authentication` block in the yaml file
>
> {code:java}
> authorization: {
>   authorizer: org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
>   authorizationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
>   config: {
>   }
> }{code}
>
> Authorization will be done only if authentication is enabled. Authentication
> is done on a per-session basis while authorization will be done for each and
> every request.
> In `SaslAuthorizationHandler` or `HttpAuthorizationHandler` the query will be
> parsed and, depending on the step instructions, the query will be marked as of
> type read or write and then privilege evaluation will be done by calling the
> `isAccessAllowed` method of `Authorizer`
> {code:java}
> import java.util.Map;
>
> public interface Authorizer {
>     /**
>      * Whether or not the authorization requires check.
>      * If false, the user will not be authorized.
>      */
>     public boolean requireAuthorization();
>
>     /**
>      * Setup is called once upon system startup to initialize the {@code Authorizer}.
>      */
>     public void setup(final Map<String, Object> config);
>
>     /**
>      * A "standard" authorization implementation
>      */
>     public boolean isAccessAllowed(AuthorizationRequest authorizationRequest)
>         throws AuthorizationException;
> }
> {code}
> Access policies can be defined in tools like `Apache Ranger`, sample policy:
> !Screenshot 2020-06-25 at 15.15.04.png|width=1017,height=548!
>
>
>
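
A minimal default-deny implementation of the `Authorizer` interface proposed in the issue description above, as an added example that is not code from the issue, the pull request or TinkerPop. The fields of `AuthorizationRequest`, the `Access` enum, the `acl` config key and the sample policy are assumptions, since the issue names the request type without defining it.

```java
import java.util.Map;
import java.util.Set;

public class GraphAclExample {
    enum Access { READ, WRITE }

    // Hypothetical request shape: the issue names AuthorizationRequest but does not define it.
    record AuthorizationRequest(String user, String graph, Access access) {}

    static class AuthorizationException extends Exception {
        AuthorizationException(String msg) { super(msg); }
    }

    // Interface as proposed in the issue description.
    interface Authorizer {
        boolean requireAuthorization();
        void setup(Map<String, Object> config);
        boolean isAccessAllowed(AuthorizationRequest request) throws AuthorizationException;
    }

    // Graph-level ACL: graph name -> user -> granted access types. Anything not listed is denied.
    static class GraphAclAuthorizer implements Authorizer {
        private Map<String, Map<String, Set<Access>>> grants = Map.of();

        public boolean requireAuthorization() { return true; }

        @SuppressWarnings("unchecked")
        public void setup(Map<String, Object> config) {
            Object acl = config.get("acl"); // "acl" is a constructed config key
            if (acl instanceof Map) grants = Map.copyOf((Map<String, Map<String, Set<Access>>>) acl);
        }

        public boolean isAccessAllowed(AuthorizationRequest r) throws AuthorizationException {
            if (r.user() == null || r.graph() == null || r.access() == null)
                throw new AuthorizationException("incomplete authorization request");
            // Unknown graphs and users resolve to empty grants, so the default answer is deny.
            return grants.getOrDefault(r.graph(), Map.of())
                         .getOrDefault(r.user(), Set.of()).contains(r.access());
        }
    }

    public static void main(String[] args) throws Exception {
        Authorizer authz = new GraphAclAuthorizer();
        // Constructed sample policy: alice may read and write graph "g", bob may only read it.
        authz.setup(Map.of("acl", Map.of("g", Map.of(
            "alice", Set.of(Access.READ, Access.WRITE), "bob", Set.of(Access.READ)))));
        for (Access a : Access.values())
            System.out.println("bob " + a + " g: " + authz.isAccessAllowed(new AuthorizationRequest("bob", "g", a)));
        System.out.println("bob READ hr: " + authz.isAccessAllowed(new AuthorizationRequest("bob", "hr", Access.READ)));
    }
}
```

Because the check runs on every request, as the description proposes, the lookup is kept to two map reads; a handler would call `isAccessAllowed` after classifying the query as read or write.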