
Commit f23765e

authoredSep 11, 2024
feat(auth): implement session authorization cache (datahub-project#11327)
1 parent dfa9775 commit f23765e


89 files changed

+1140
-1144
lines changed

 

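--- a/datahub-frontend/app/auth/AuthModule.java
+++ b/datahub-frontend/app/auth/AuthModule.java
@@ -25,7 +25,7 @@
 import java.util.Collections;
 
 import io.datahubproject.metadata.context.ActorContext;
-import io.datahubproject.metadata.context.AuthorizerContext;
+import io.datahubproject.metadata.context.AuthorizationContext;
 import io.datahubproject.metadata.context.EntityRegistryContext;
 import io.datahubproject.metadata.context.OperationContext;
 import io.datahubproject.metadata.context.OperationContextConfig;
@@ -183,10 +183,10 @@ protected OperationContext provideOperationContext(
 return OperationContext.builder()
 .operationContextConfig(systemConfig)
 .systemActorContext(systemActorContext)
+// Authorizer.EMPTY is fine since it doesn't actually apply to system auth
+.authorizationContext(AuthorizationContext.builder().authorizer(Authorizer.EMPTY).build())
 .searchContext(SearchContext.EMPTY)
 .entityRegistryContext(EntityRegistryContext.builder().build(EmptyEntityRegistry.EMPTY))
-// Authorizer.EMPTY doesn't actually apply to system auth
-.authorizerContext(AuthorizerContext.builder().authorizer(Authorizer.EMPTY).build())
 .build(systemAuthentication);
 }
 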
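Review bot: The comment added above `.authorizationContext(...)` says Authorizer.EMPTY is fine for system auth, but it does not say what the placeholder does if this context, or one derived from it, is ever consulted for a non-system actor. Whether Authorizer.EMPTY denies or allows is not visible in this hunk, so the comment should record the assumption being relied on, for example `// System auth is not evaluated by the authorizer; Authorizer.EMPTY is a placeholder and must not back session-level checks`. `provideOperationContext` starts above the hunk, so how the returned context is used afterwards cannot be confirmed from here.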

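--- a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/authorization/AuthorizationUtils.java
+++ b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/authorization/AuthorizationUtils.java
@@ -11,7 +11,6 @@
 import com.datahub.authorization.ConjunctivePrivilegeGroup;
 import com.datahub.authorization.DisjunctivePrivilegeGroup;
 import com.datahub.authorization.EntitySpec;
-import com.datahub.plugins.auth.authorization.Authorizer;
 import com.google.common.collect.ImmutableList;
 import com.linkedin.common.urn.Urn;
 import com.linkedin.datahub.graphql.QueryContext;
@@ -21,7 +20,6 @@
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.util.List;
-import java.util.Set;
 import javax.annotation.Nonnull;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.reflect.ConstructorUtils;
@@ -40,29 +38,25 @@ public class AuthorizationUtils {
 
 public static boolean canManageUsersAndGroups(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorizedEntityType(
-context.getActorUrn(),
-context.getAuthorizer(),
+context.getOperationContext(),
 MANAGE,
 List.of(CORP_USER_ENTITY_NAME, CORP_GROUP_ENTITY_NAME));
 }
 
 public static boolean canManagePolicies(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorizedEntityType(
-context.getActorUrn(), context.getAuthorizer(), MANAGE, List.of(POLICY_ENTITY_NAME));
+context.getOperationContext(), MANAGE, List.of(POLICY_ENTITY_NAME));
 }
 
 public static boolean canGeneratePersonalAccessToken(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
-PoliciesConfig.GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE)
-|| AuthUtil.isAuthorized(
-context.getAuthorizer(), context.getActorUrn(), MANAGE_ACCESS_TOKENS);
+context.getOperationContext(), PoliciesConfig.GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE)
+|| AuthUtil.isAuthorized(context.getOperationContext(), MANAGE_ACCESS_TOKENS);
 }
 
 public static boolean canManageTokens(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorizedEntityType(
-context.getActorUrn(), context.getAuthorizer(), MANAGE, List.of(ACCESS_TOKEN_ENTITY_NAME));
+context.getOperationContext(), MANAGE, List.of(ACCESS_TOKEN_ENTITY_NAME));
 }
 
 /**
@@ -78,13 +72,12 @@ public static boolean canCreateDomains(@Nonnull QueryContext context) {
 new ConjunctivePrivilegeGroup(
 ImmutableList.of(PoliciesConfig.MANAGE_DOMAINS_PRIVILEGE.getType()))));
 
-return AuthUtil.isAuthorized(
-context.getAuthorizer(), context.getActorUrn(), orPrivilegeGroups, null);
+return AuthUtil.isAuthorized(context.getOperationContext(), orPrivilegeGroups, null);
 }
 
 public static boolean canManageDomains(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(), context.getActorUrn(), PoliciesConfig.MANAGE_DOMAINS_PRIVILEGE);
+context.getOperationContext(), PoliciesConfig.MANAGE_DOMAINS_PRIVILEGE);
 }
 
 /**
@@ -100,25 +93,22 @@ public static boolean canCreateTags(@Nonnull QueryContext context) {
 new ConjunctivePrivilegeGroup(
 ImmutableList.of(PoliciesConfig.MANAGE_TAGS_PRIVILEGE.getType()))));
 
-return AuthUtil.isAuthorized(
-context.getAuthorizer(), context.getActorUrn(), orPrivilegeGroups, null);
+return AuthUtil.isAuthorized(context.getOperationContext(), orPrivilegeGroups, null);
 }
 
 public static boolean canManageTags(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(), context.getActorUrn(), PoliciesConfig.MANAGE_TAGS_PRIVILEGE);
+context.getOperationContext(), PoliciesConfig.MANAGE_TAGS_PRIVILEGE);
 }
 
 public static boolean canDeleteEntity(@Nonnull Urn entityUrn, @Nonnull QueryContext context) {
 return AuthUtil.isAuthorizedEntityUrns(
-context.getAuthorizer(), context.getActorUrn(), DELETE, List.of(entityUrn));
+context.getOperationContext(), DELETE, List.of(entityUrn));
 }
 
 public static boolean canManageUserCredentials(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
-PoliciesConfig.MANAGE_USER_CREDENTIALS_PRIVILEGE);
+context.getOperationContext(), PoliciesConfig.MANAGE_USER_CREDENTIALS_PRIVILEGE);
 }
 
 public static boolean canEditGroupMembers(
@@ -130,12 +120,7 @@ public static boolean canEditGroupMembers(
 new ConjunctivePrivilegeGroup(
 ImmutableList.of(PoliciesConfig.EDIT_GROUP_MEMBERS_PRIVILEGE.getType()))));
 
-return isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
-CORP_GROUP_ENTITY_NAME,
-groupUrnStr,
-orPrivilegeGroups);
+return isAuthorized(context, CORP_GROUP_ENTITY_NAME, groupUrnStr, orPrivilegeGroups);
 }
 
 public static boolean canCreateGlobalAnnouncements(@Nonnull QueryContext context) {
@@ -149,27 +134,21 @@ public static boolean canCreateGlobalAnnouncements(@Nonnull QueryContext context
 ImmutableList.of(
 PoliciesConfig.MANAGE_GLOBAL_ANNOUNCEMENTS_PRIVILEGE.getType()))));
 
-return AuthUtil.isAuthorized(
-context.getAuthorizer(), context.getActorUrn(), orPrivilegeGroups, null);
+return AuthUtil.isAuthorized(context.getOperationContext(), orPrivilegeGroups, null);
 }
 
 public static boolean canManageGlobalAnnouncements(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
-PoliciesConfig.MANAGE_GLOBAL_ANNOUNCEMENTS_PRIVILEGE);
+context.getOperationContext(), PoliciesConfig.MANAGE_GLOBAL_ANNOUNCEMENTS_PRIVILEGE);
 }
 
 public static boolean canManageGlobalViews(@Nonnull QueryContext context) {
-return AuthUtil.isAuthorized(
-context.getAuthorizer(), context.getActorUrn(), PoliciesConfig.MANAGE_GLOBAL_VIEWS);
+return AuthUtil.isAuthorized(context.getOperationContext(), PoliciesConfig.MANAGE_GLOBAL_VIEWS);
 }
 
 public static boolean canManageOwnershipTypes(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
-PoliciesConfig.MANAGE_GLOBAL_OWNERSHIP_TYPES);
+context.getOperationContext(), PoliciesConfig.MANAGE_GLOBAL_OWNERSHIP_TYPES);
 }
 
 public static boolean canEditProperties(@Nonnull Urn targetUrn, @Nonnull QueryContext context) {
@@ -183,11 +162,7 @@ public static boolean canEditProperties(@Nonnull Urn targetUrn, @Nonnull QueryCo
 ImmutableList.of(PoliciesConfig.EDIT_ENTITY_PROPERTIES_PRIVILEGE.getType()))));
 
 return AuthorizationUtils.isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
-targetUrn.getEntityType(),
-targetUrn.toString(),
-orPrivilegeGroups);
+context, targetUrn.getEntityType(), targetUrn.toString(), orPrivilegeGroups);
 }
 
 public static boolean canEditEntityQueries(
@@ -202,11 +177,7 @@ public static boolean canEditEntityQueries(
 .allMatch(
 entityUrn ->
 isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
-entityUrn.getEntityType(),
-entityUrn.toString(),
-orPrivilegeGroups));
+context, entityUrn.getEntityType(), entityUrn.toString(), orPrivilegeGroups));
 }
 
 public static boolean canCreateQuery(
@@ -251,28 +222,7 @@ public static boolean canView(@Nonnull OperationContext opContext, @Nonnull Urn
 && !opContext.isSystemAuth()
 && VIEW_RESTRICTED_ENTITY_TYPES.contains(urn.getEntityType())) {
 
-return opContext
-.getViewAuthorizationContext()
-.map(
-viewAuthContext -> {
-
-// check cache
-if (viewAuthContext.canView(Set.of(urn))) {
-return true;
-}
-
-if (!canViewEntity(
-opContext.getSessionAuthentication().getActor().toUrnStr(),
-opContext.getAuthorizerContext().getAuthorizer(),
-urn)) {
-return false;
-}
-
-// cache viewable urn
-viewAuthContext.addViewableUrns(Set.of(urn));
-return true;
-})
-.orElse(false);
+return canViewEntity(opContext, urn);
 }
 return true;
 }
@@ -386,38 +336,32 @@ public static <T> T restrictEntity(@Nonnull Object entity, Class<T> clazz) {
 
 public static boolean canManageStructuredProperties(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
-PoliciesConfig.MANAGE_STRUCTURED_PROPERTIES_PRIVILEGE);
+context.getOperationContext(), PoliciesConfig.MANAGE_STRUCTURED_PROPERTIES_PRIVILEGE);
 }
 
 public static boolean canManageForms(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
-PoliciesConfig.MANAGE_DOCUMENTATION_FORMS_PRIVILEGE);
+context.getOperationContext(), PoliciesConfig.MANAGE_DOCUMENTATION_FORMS_PRIVILEGE);
 }
 
 public static boolean canManageFeatures(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(), context.getActorUrn(), PoliciesConfig.MANAGE_FEATURES_PRIVILEGE);
+context.getOperationContext(), PoliciesConfig.MANAGE_FEATURES_PRIVILEGE);
 }
 
 public static boolean isAuthorized(
-@Nonnull Authorizer authorizer,
-@Nonnull String actor,
+@Nonnull QueryContext context,
 @Nonnull String resourceType,
 @Nonnull String resource,
 @Nonnull DisjunctivePrivilegeGroup privilegeGroup) {
 final EntitySpec resourceSpec = new EntitySpec(resourceType, resource);
-return AuthUtil.isAuthorized(authorizer, actor, privilegeGroup, resourceSpec);
+return AuthUtil.isAuthorized(context.getOperationContext(), privilegeGroup, resourceSpec);
 }
 
 public static boolean isViewDatasetUsageAuthorized(
 final QueryContext context, final Urn resourceUrn) {
 return AuthUtil.isAuthorized(
-context.getAuthorizer(),
-context.getActorUrn(),
+context.getOperationContext(),
 PoliciesConfig.VIEW_DATASET_USAGE_PRIVILEGE,
 new EntitySpec(resourceUrn.getEntityType(), resourceUrn.toString()));
 }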
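Review bot: In the `canView` hunk the removed lambda ended in `.orElse(false)` and cached only positive results via `addViewableUrns`, while the new `return canViewEntity(opContext, urn);` leaves both the deny-when-absent default and any caching to a helper whose body is not in this section. Presumably the session cache named in the commit title now sits behind that call; if so, it should be keyed by actor, privilege and resource, and a cached allow should not outlive a policy or group-membership change. A comment above the call such as `// Denies when no authorization context is available; result caching is handled inside canViewEntity` would pin the contract once it is confirmed. `canView` begins above the hunk, so its opening condition is only partly visible.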
