arjunashok commented on code in PR #131:
URL: https://github.com/apache/cassandra-sidecar/pull/131#discussion_r1719069504
##########
src/main/java/org/apache/cassandra/sidecar/server/MainModule.java:
##########
@@ -217,129 +322,412 @@ public Router vertxRouter(Vertx vertx,
// Add custom routers
// Provides a simple REST endpoint to determine if Sidecar is available
router.get(ApiEndpointsV1.HEALTH_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET /api/v1/__health",
+ new ArrayList<>()))
.handler(context -> context.json(OK_STATUS));
// Backwards compatibility for the Cassandra health endpoint
//noinspection deprecation
router.get(ApiEndpointsV1.CASSANDRA_HEALTH_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET /api/v1/cassandra/__health",
+ new ArrayList<>()))
.handler(cassandraHealthHandler);
router.get(ApiEndpointsV1.CASSANDRA_NATIVE_HEALTH_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/cassandra/native/__health",
+ new ArrayList<>()))
.handler(cassandraHealthHandler);
router.get(ApiEndpointsV1.CASSANDRA_JMX_HEALTH_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/cassandra/jmx/__health",
+ new ArrayList<>()))
.handler(cassandraHealthHandler);
//noinspection deprecation
router.get(ApiEndpointsV1.DEPRECATED_COMPONENTS_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/keyspace/:keyspace/table/:table/snapshots/:snapshot/component/:component",
+ Arrays.asList(STREAM_SSTABLES)))
.handler(streamSSTableComponentHandler)
.handler(fileStreamHandler);
router.get(ApiEndpointsV1.COMPONENTS_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/keyspaces/:keyspace/tables/:table/snapshots/:snapshot/components/:component",
+ Arrays.asList(STREAM_SSTABLES)))
.handler(streamSSTableComponentHandler)
.handler(fileStreamHandler);
// Support for routes that want to stream SStable index components
router.get(ApiEndpointsV1.COMPONENTS_WITH_SECONDARY_INDEX_ROUTE_SUPPORT)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/keyspaces/:keyspace/tables/:table/snapshots/:snapshot/components/:index/:component",
+ Arrays.asList(STREAM_SSTABLES)))
.handler(streamSSTableComponentHandler)
.handler(fileStreamHandler);
//noinspection deprecation
router.get(ApiEndpointsV1.DEPRECATED_SNAPSHOTS_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/keyspace/:keyspace/table/:table/snapshots/:snapshot",
+ Arrays.asList(LIST_SNAPSHOTS)))
.handler(listSnapshotHandler);
router.get(ApiEndpointsV1.SNAPSHOTS_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/keyspaces/:keyspace/tables/:table/snapshots/:snapshot",
+ Arrays.asList(LIST_SNAPSHOTS)))
.handler(listSnapshotHandler);
router.delete(ApiEndpointsV1.SNAPSHOTS_ROUTE)
// Leverage the validateTableExistence. Currently, JMX does not
validate for non-existent keyspace.
// Additionally, the current JMX implementation to clear
snapshots does not support passing a table
// as a parameter.
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "DELETE
/api/v1/keyspaces/:keyspace/tables/:table/snapshots/:snapshot",
+ Arrays.asList(CLEAR_SNAPSHOTS)))
.handler(validateTableExistence)
.handler(clearSnapshotHandler);
router.put(ApiEndpointsV1.SNAPSHOTS_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "PUT
/api/v1/keyspaces/:keyspace/tables/:table/snapshots/:snapshot",
+ Arrays.asList(CREATE_SNAPSHOT)))
.handler(createSnapshotHandler);
//noinspection deprecation
router.get(ApiEndpointsV1.DEPRECATED_ALL_KEYSPACES_SCHEMA_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET /api/v1/schema/keyspaces",
+ Arrays.asList(KEYSPACE_SCHEMA)))
.handler(schemaHandler);
router.get(ApiEndpointsV1.ALL_KEYSPACES_SCHEMA_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET /api/v1/cassandra/schema",
+ Arrays.asList(KEYSPACE_SCHEMA)))
.handler(schemaHandler);
//noinspection deprecation
router.get(ApiEndpointsV1.DEPRECATED_KEYSPACE_SCHEMA_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/schema/keyspaces/:keyspace",
+ Arrays.asList(KEYSPACE_SCHEMA)))
.handler(schemaHandler);
router.get(ApiEndpointsV1.KEYSPACE_SCHEMA_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/keyspaces/:keyspace/schema",
+ Arrays.asList(KEYSPACE_SCHEMA)))
.handler(schemaHandler);
router.get(ApiEndpointsV1.RING_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET /api/v1/cassandra/ring",
+ Arrays.asList(RING)))
.handler(ringHandler);
router.get(ApiEndpointsV1.RING_ROUTE_PER_KEYSPACE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/cassandra/ring/keyspaces/:keyspace",
+ Arrays.asList(RING)))
.handler(ringHandler);
router.put(ApiEndpointsV1.SSTABLE_UPLOAD_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "PUT
/api/v1/uploads/:uploadId/keyspaces/:keyspace/tables/:table/components/:component",
+ Arrays.asList(UPLOAD_SSTABLE)))
.handler(ssTableUploadHandler);
router.get(ApiEndpointsV1.KEYSPACE_TOKEN_MAPPING_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/keyspaces/:keyspace/token-range-replicas",
+
Arrays.asList(KEYSPACE_TOKEN_MAPPING)))
.handler(tokenRangeHandler);
router.put(ApiEndpointsV1.SSTABLE_IMPORT_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "PUT
/api/v1/uploads/:uploadId/keyspaces/:keyspace/tables/:table/import",
+ Arrays.asList(UPLOAD_SSTABLE)))
.handler(ssTableImportHandler);
router.delete(ApiEndpointsV1.SSTABLE_CLEANUP_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "DELETE /api/v1/uploads/:uploadId",
+ Arrays.asList(CLEANUP_SSTABLE)))
.handler(ssTableCleanupHandler);
router.get(ApiEndpointsV1.GOSSIP_INFO_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET /api/v1/cassandra/gossip",
+ Arrays.asList(GOSSIP_INFO)))
.handler(gossipInfoHandler);
router.get(ApiEndpointsV1.TIME_SKEW_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET /api/v1/time-skew",
+ Arrays.asList()))
.handler(timeSkewHandler);
router.get(ApiEndpointsV1.NODE_SETTINGS_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET /api/v1/cassandra/settings",
+ Arrays.asList()))
.handler(nodeSettingsHandler);
router.post(ApiEndpointsV1.CREATE_RESTORE_JOB_ROUTE)
.handler(BodyHandler.create())
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "POST
/api/v1/keyspaces/:keyspace/tables/:table/restore-jobs",
+ Arrays.asList(CREATE_RESTORE_JOB)))
.handler(validateTableExistence)
.handler(validateRestoreJobRequest)
.handler(createRestoreJobHandler);
router.post(ApiEndpointsV1.RESTORE_JOB_SLICES_ROUTE)
.handler(BodyHandler.create())
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "POST
/api/v1/keyspaces/:keyspace/tables/:table/restore-jobs/:jobId/slices",
+ Arrays.asList(CREATE_RESTORE_JOB)))
.handler(diskSpaceProtection) // reject creating slice if short
of disk space
.handler(validateTableExistence)
.handler(validateRestoreJobRequest)
.handler(createRestoreSliceHandler);
router.get(ApiEndpointsV1.RESTORE_JOB_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/keyspaces/:keyspace/tables/:table/restore-jobs/:jobId",
+ Arrays.asList(RESTORE_JOB)))
.handler(validateTableExistence)
.handler(validateRestoreJobRequest)
.handler(restoreJobSummaryHandler);
router.patch(ApiEndpointsV1.RESTORE_JOB_ROUTE)
.handler(BodyHandler.create())
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "PATCH
/api/v1/keyspaces/:keyspace/tables/:table/restore-jobs/:jobId",
+ Arrays.asList(PATCH_RESTORE_JOB)))
.handler(validateTableExistence)
.handler(validateRestoreJobRequest)
.handler(updateRestoreJobHandler);
router.post(ApiEndpointsV1.ABORT_RESTORE_JOB_ROUTE)
.handler(BodyHandler.create())
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "POST
/api/v1/keyspaces/:keyspace/tables/:table/restore-jobs/:jobId/abort",
+ Arrays.asList(ABORT_RESTORE_JOB)))
.handler(validateTableExistence)
.handler(validateRestoreJobRequest)
.handler(abortRestoreJobHandler);
router.get(ApiEndpointsV1.RESTORE_JOB_PROGRESS_ROUTE)
+ .handler(authorizationHandler(sidecarConfiguration,
+ permissionsAccessor,
+ requiredPermissionsProvider,
+ "GET
/api/v1/keyspaces/:keyspace/tables/:table/restore-jobs/:jobId/ progress",
+
Arrays.asList(RESTORE_JOB_PROGRESS)))
.handler(validateTableExistence)
.handler(validateRestoreJobRequest)
.handler(restoreJobProgressHandler);
return router;
}
+ public AuthorizationHandler authorizationHandler(SidecarConfiguration conf,
+ PermissionsAccessor
permissionsAccessor,
+
RequiredPermissionsProvider requiredPermissionsProvider,
+ String endpoint,
+
List<MutualTlsPermissions> permissions)
+ {
+ requiredPermissionsProvider.putPermissionsMapping(endpoint,
permissions);
+
+ AuthorizationProvider authProvider;
+ if (conf.authenticatorConfiguration() != null &&
+ conf.authenticatorConfiguration().authConfig() != null &&
+
conf.authorizerConfiguration().authConfig().equals(AuthorizerConfig.MutualTlsAuthorizer))
+ {
+ authProvider = new
MutualTlsAuthorizationProvider(permissionsAccessor);
+ }
+ else if (conf.authenticatorConfiguration() != null &&
+ conf.authenticatorConfiguration().authConfig() != null &&
+
conf.authorizerConfiguration().authConfig().equals(AuthorizerConfig.AllowAllAuthorizer))
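Review bot: The null guards at the top of `authorizationHandler` test `conf.authenticatorConfiguration()` and its `authConfig()`, but the value actually dereferenced and compared on the following line is `conf.authorizerConfiguration().authConfig()`, so the guard protects the wrong object: a null authorizer configuration still throws an NPE while the router is being built, and a null authenticator configuration skips authorizer selection even when an authorizer is configured. Both branches should guard the accessor they compare, e.g. `if (conf.authorizerConfiguration() != null && conf.authorizerConfiguration().authConfig() != null && conf.authorizerConfiguration().authConfig().equals(AuthorizerConfig.MutualTlsAuthorizer))` and the same for the `AllowAllAuthorizer` branch; hoisting `AuthorizerConfig authz = conf.authorizerConfiguration() == null ? null : conf.authorizerConfiguration().authConfig();` once would avoid repeating the chain. A smaller point: the keys passed to `putPermissionsMapping` are hand-typed strings that duplicate the `ApiEndpointsV1` constants used in the matching `router.get(...)`, so any drift between the two is silent — if the provider is looked up by route, deriving the key as `"GET " + ApiEndpointsV1.RING_ROUTE` keeps them in lockstep. The rest of the method, including what happens when neither authorizer matches, lies outside the quoted hunk, so whether the fallback fails closed cannot be judged from here.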
Review Comment:
Note: Addressed this in my most recent commit to your branch. Just has some
minor refactoring of enums and defaults.