Ma77Ball opened a new pull request, #5198:
URL: https://github.com/apache/texera/pull/5198
### What changes were proposed in this PR?
Finishes wiring JAX-RS role enforcement across every Texera microservice.
Each service's Jersey environment now registers the standard three-feature
stack:
1. `AuthDynamicFeature(JwtAuthFilter)` - authentication (reads the JWT,
attaches a `SessionUser`).
2. `AuthValueFactoryProvider.Binder(SessionUser)` - injects `@Auth user`
into resource methods.
3. `RolesAllowedDynamicFeature` - authorization (enforces `@RolesAllowed`
/ `@PermitAll` / `@DenyAll`).
#5049 added this trio to three services; this PR extends it to
`file-service` and `access-control-service`, fixes the filter priority on the
shared `JwtAuthFilter` so authentication runs before authorization, and tags
every endpoint with the right policy.
### What this PR adds, and where
- **`common/auth/JwtAuthFilter`** - `@Priority(Priorities.AUTHENTICATION)`
so it runs before `RolesAllowedRequestFilter`. Added `jakarta.annotation-api`
dependency.
- **`FileService.run` and `AccessControlService.run`** - register
`RolesAllowedDynamicFeature`; the existing `@RolesAllowed` annotations in those
services become live.
- **`@PermitAll`** on endpoints that must serve unauthenticated traffic:
`ConfigResource` bootstrap endpoints, the six public-dataset endpoints on
`DatasetResource`, and `AccessControlResource` (the Envoy ExtAuth callback).
- **`@RolesAllowed("REGULAR","ADMIN")`** on the LiteLLM copilot proxies.
- **`AuthResource.register`** - new local signups now default to `REGULAR`
instead of `RESTRICTED`, so registered users can immediately use role-gated
endpoints.
- **`FileService.run` reorder** - Jersey registration moved before infra
init, mirroring `ConfigService.run` and making the registrations unit-testable.
### Implementation details
- Method-level annotations beat class-level; unannotated methods default
to open (so unannotated `HealthCheckResource`s stay public for k8s probes).
- `getDatasetCover` is `@PermitAll` because it accepts optional auth; the
method body re-checks access.
- WebSocket endpoints are not affected — they use a separate query-param
token path.
### Tests added
`JwtAuthFilterSpec`, `ConfigResourceSpec`,
`AccessControlResourcePermissionsSpec`, `DatasetResourcePermissionsSpec`,
`FileServiceRunSpec`, plus an added assertion in `AccessControlServiceRunSpec`.
Together, they pin the priority annotation, the public/private policy to every
changed endpoint, and the registration of `RolesAllowedDynamicFeature` in the
two newly enforced services.
### Any related issues, documentation, or discussions?
Closes: #4904
Fixes issue found and addressed in: #5173 and #5049
### How was this PR tested?
Added six specs covering the filter priority, the
`@PermitAll`/`@RolesAllowed` tags on each affected resource, and
`RolesAllowedDynamicFeature` registration in both newly-enforced services.
Manually verified end-to-end.
### Was this PR authored or co-authored using generative AI tooling?
Co-authored with Claude Opus 4.7 in compliance with ASF Generative Tooling
Guidance.
--
This is an automated message from the Apache Git Service.
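Because the PR notes that unannotated methods default to open, a reviewer may want a build-time check that lists each endpoint's effective policy and fails on any open endpoint nobody has reviewed. The following is an added example, not code from the PR or from Texera: the resource classes, `EndpointPolicyAudit` and the allowlist are hypothetical, and it assumes the `jakarta.*` namespaces (use `javax.*` on older stacks).

```scala
import jakarta.annotation.security.{DenyAll, PermitAll, RolesAllowed}
import jakarta.ws.rs.{GET, HttpMethod, POST, Path}
import java.lang.reflect.Method

// Constructed sample resources (hypothetical, not Texera classes).
@Path("/sample")
@RolesAllowed(Array("ADMIN"))
class SampleResource {
  @GET @Path("/public") @PermitAll
  def publicInfo(): String = "ok"

  @POST @Path("/proxy") @RolesAllowed(Array("REGULAR", "ADMIN"))
  def proxy(): String = "ok"

  @GET @Path("/admin") // no method-level tag: falls back to the class-level roles
  def adminOnly(): String = "ok"
}

@Path("/healthcheck")
class SampleHealthResource {
  @GET def check(): String = "ok" // no tag anywhere: served without a role check
}

object EndpointPolicyAudit {
  // An endpoint is a method whose annotation is itself marked @HttpMethod (@GET, @POST, ...).
  private def isEndpoint(m: Method): Boolean =
    m.getAnnotations.exists(_.annotationType.isAnnotationPresent(classOf[HttpMethod]))
  private def roles(r: RolesAllowed): String = "ROLES " + r.value.mkString(",")

  // Method-level annotations win; class-level @RolesAllowed is the fallback; nothing means open.
  def policyOf(cls: Class[_], m: Method): String =
    if (m.isAnnotationPresent(classOf[DenyAll])) "DENY_ALL"
    else if (m.isAnnotationPresent(classOf[RolesAllowed])) roles(m.getAnnotation(classOf[RolesAllowed]))
    else if (m.isAnnotationPresent(classOf[PermitAll])) "PERMIT_ALL"
    else Option(cls.getAnnotation(classOf[RolesAllowed])).map(roles).getOrElse("OPEN")

  def audit(resources: Seq[Class[_]]): Seq[(String, String)] =
    for (cls <- resources; m <- cls.getDeclaredMethods.toSeq if isEndpoint(m))
      yield (s"${cls.getSimpleName}.${m.getName}", policyOf(cls, m))

  def main(args: Array[String]): Unit = {
    val report = audit(Seq(classOf[SampleResource], classOf[SampleHealthResource]))
    report.sortBy(_._1).foreach { case (endpoint, policy) => println(s"$endpoint -> $policy") }
    // Fail the build when an endpoint is open and not on the reviewed allowlist.
    val allowedOpen = Set("SampleHealthResource.check")
    val unexpected = report.collect { case (e, "OPEN") if !allowedOpen(e) => e }
    require(unexpected.isEmpty, s"unreviewed open endpoints: $unexpected")
  }
}
```

With the constructed classes above, `adminOnly` resolves to `ROLES ADMIN` through the class-level fallback, and `check` is the only `OPEN` endpoint, which the allowlist accepts.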