
Commit 1838f89

committed
updates for new privileges
- roles don't need any migration - auth flow modified to account for resource type
1 parent 3e24e08 commit 1838f89


9 files changed

+82
-96
lines changed


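--- a/src/handlers/http/middleware.rs
+++ b/src/handlers/http/middleware.rs
@@ -59,7 +59,7 @@ pub struct CommonAttributes {
 
 pub trait RouteExt {
 fn authorize(self, action: Action) -> Self;
-fn authorize_for_stream(self, action: Action) -> Self;
+fn authorize_for_resource(self, action: Action) -> Self;
 fn authorize_for_user(self, action: Action) -> Self;
 }
 
@@ -71,10 +71,10 @@ impl RouteExt for Route {
 })
 }
 
-fn authorize_for_stream(self, action: Action) -> Self {
+fn authorize_for_resource(self, action: Action) -> Self {
 self.wrap(Auth {
 action,
-method: auth_stream_context,
+method: auth_resource_context,
 })
 }
 
@@ -182,18 +182,26 @@ pub fn auth_no_context(req: &mut ServiceRequest, action: Action) -> Result<rbac:
 creds.map(|key| Users.authorize(key, action, None, None))
 }
 
-pub fn auth_stream_context(
+pub fn auth_resource_context(
 req: &mut ServiceRequest,
 action: Action,
 ) -> Result<rbac::Response, Error> {
 let creds = extract_session_key(req);
+let usergroup = req.match_info().get("usergroup");
+let llmid = req.match_info().get("llmid");
 let mut stream = req.match_info().get("logstream");
-if stream.is_none() {
+if let Some(usergroup) = usergroup {
+creds.map(|key| Users.authorize(key, action, Some(usergroup), None))
+} else if let Some(llmid) = llmid {
+creds.map(|key| Users.authorize(key, action, Some(llmid), None))
+} else if let Some(stream) = stream {
+creds.map(|key| Users.authorize(key, action, Some(stream), None))
+} else {
 if let Some(stream_name) = req.headers().get(STREAM_NAME_HEADER_KEY) {
 stream = Some(stream_name.to_str().unwrap());
 }
+creds.map(|key| Users.authorize(key, action, stream, None))
 }
-creds.map(|key| Users.authorize(key, action, stream, None))
 }
 
 pub fn auth_user_context(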
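Review bot: In `auth_resource_context` the `usergroup`, `llmid` and `logstream` branches all pass their id to `Users.authorize` in the same third argument, so the resource type is dropped before the permission check runs. The arm visible in src/rbac/map.rs matches `Stream(resource_id) | Llm(resource_id)` on the id string alone, so a grant scoped to a stream named `x` would presumably also satisfy a request for an LLM or user group named `x` whenever the action matches; passing the type together with the id would close that, and until then the assumption deserves a comment such as `// NOTE: ids of different resource types share one namespace here; authorize() cannot tell them apart`. In the final `else` branch a request with neither a path id nor the stream header reaches `authorize` with `None`, which map.rs treats as `ok_resource = true` (the `// WHEN IS THIS VALID??` case), so every route wrapped with `authorize_for_resource` that lacks those inputs skips the resource check; rejecting a missing id here would fail closed. The header path also still calls `to_str().unwrap()` on a client-supplied value, which panics when the header holds bytes outside visible ASCII, and returning an error there is safer than mapping the failure to `None`.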

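--- a/src/handlers/http/modal/ingest_server.rs
+++ b/src/handlers/http/modal/ingest_server.rs
@@ -237,7 +237,7 @@ impl IngestServer {
 .route(
 web::post()
 .to(ingest::post_event)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .wrap(from_fn(
 resource_check::check_resource_utilization_middleware,
@@ -255,31 +255,31 @@ impl IngestServer {
 .route(
 web::put()
 .to(ingestor_logstream::put_stream)
-.authorize_for_stream(Action::CreateStream),
+.authorize_for_resource(Action::CreateStream),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/info" ==> Get info for given log stream
 web::resource("/info").route(
 web::get()
 .to(logstream::get_stream_info)
-.authorize_for_stream(Action::GetStreamInfo),
+.authorize_for_resource(Action::GetStreamInfo),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/stats" ==> Get stats for given log stream
 web::resource("/stats").route(
 web::get()
 .to(logstream::get_stats)
-.authorize_for_stream(Action::GetStats),
+.authorize_for_resource(Action::GetStats),
 ),
 )
 .service(
 web::scope("/retention").service(
 web::resource("/cleanup").route(
 web::post()
 .to(ingestor_logstream::retention_cleanup)
-.authorize_for_stream(Action::PutRetention),
+.authorize_for_resource(Action::PutRetention),
 ),
 ),
 ),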

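--- a/src/handlers/http/modal/query_server.rs
+++ b/src/handlers/http/modal/query_server.rs
@@ -273,19 +273,19 @@ impl QueryServer {
 .route(
 web::put()
 .to(querier_logstream::put_stream)
-.authorize_for_stream(Action::CreateStream),
+.authorize_for_resource(Action::CreateStream),
 )
 // POST "/logstream/{logstream}" ==> Post logs to given log stream
 .route(
 web::post()
 .to(querier_ingest::post_event)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 // DELETE "/logstream/{logstream}" ==> Delete log stream
 .route(
 web::delete()
 .to(querier_logstream::delete)
-.authorize_for_stream(Action::DeleteStream),
+.authorize_for_resource(Action::DeleteStream),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )
@@ -294,23 +294,23 @@ impl QueryServer {
 web::resource("/info").route(
 web::get()
 .to(logstream::get_stream_info)
-.authorize_for_stream(Action::GetStreamInfo),
+.authorize_for_resource(Action::GetStreamInfo),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/schema" ==> Get schema for given log stream
 web::resource("/schema").route(
 web::get()
 .to(logstream::get_schema)
-.authorize_for_stream(Action::GetSchema),
+.authorize_for_resource(Action::GetSchema),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/stats" ==> Get stats for given log stream
 web::resource("/stats").route(
 web::get()
 .to(querier_logstream::get_stats)
-.authorize_for_stream(Action::GetStats),
+.authorize_for_resource(Action::GetStats),
 ),
 )
 .service(
@@ -319,13 +319,13 @@ impl QueryServer {
 .route(
 web::put()
 .to(logstream::put_retention)
-.authorize_for_stream(Action::PutRetention),
+.authorize_for_resource(Action::PutRetention),
 )
 // GET "/logstream/{logstream}/retention" ==> Get retention for given logstream
 .route(
 web::get()
 .to(logstream::get_retention)
-.authorize_for_stream(Action::GetRetention),
+.authorize_for_resource(Action::GetRetention),
 ),
 )
 .service(
@@ -334,17 +334,17 @@ impl QueryServer {
 .route(
 web::put()
 .to(logstream::put_stream_hot_tier)
-.authorize_for_stream(Action::PutHotTierEnabled),
+.authorize_for_resource(Action::PutHotTierEnabled),
 )
 .route(
 web::get()
 .to(logstream::get_stream_hot_tier)
-.authorize_for_stream(Action::GetHotTierEnabled),
+.authorize_for_resource(Action::GetHotTierEnabled),
 )
 .route(
 web::delete()
 .to(logstream::delete_stream_hot_tier)
-.authorize_for_stream(Action::DeleteHotTierEnabled),
+.authorize_for_resource(Action::DeleteHotTierEnabled),
 ),
 ),
 )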

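--- a/src/handlers/http/modal/server.rs
+++ b/src/handlers/http/modal/server.rs
@@ -182,9 +182,9 @@ impl Server {
 web::resource("/info").route(
 web::get()
 .to(http::prism_logstream::get_info)
-.authorize_for_stream(Action::GetStreamInfo)
-.authorize_for_stream(Action::GetStats)
-.authorize_for_stream(Action::GetRetention),
+.authorize_for_resource(Action::GetStreamInfo)
+.authorize_for_resource(Action::GetStats)
+.authorize_for_resource(Action::GetRetention),
 ),
 ),
 )
@@ -195,9 +195,9 @@ impl Server {
 "",
 web::post()
 .to(http::prism_logstream::post_datasets)
-.authorize_for_stream(Action::GetStreamInfo)
-.authorize_for_stream(Action::GetStats)
-.authorize_for_stream(Action::GetRetention),
+.authorize_for_resource(Action::GetStreamInfo)
+.authorize_for_resource(Action::GetStats)
+.authorize_for_resource(Action::GetRetention),
 )
 }
 
@@ -394,13 +394,13 @@ impl Server {
 .route(
 web::put()
 .to(logstream::put_stream)
-.authorize_for_stream(Action::CreateStream),
+.authorize_for_resource(Action::CreateStream),
 )
 // POST "/logstream/{logstream}" ==> Post logs to given log stream
 .route(
 web::post()
 .to(ingest::post_event)
-.authorize_for_stream(Action::Ingest)
+.authorize_for_resource(Action::Ingest)
 .wrap(from_fn(
 resource_check::check_resource_utilization_middleware,
 )),
@@ -409,7 +409,7 @@ impl Server {
 .route(
 web::delete()
 .to(logstream::delete)
-.authorize_for_stream(Action::DeleteStream),
+.authorize_for_resource(Action::DeleteStream),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )
@@ -418,23 +418,23 @@ impl Server {
 web::resource("/info").route(
 web::get()
 .to(logstream::get_stream_info)
-.authorize_for_stream(Action::GetStreamInfo),
+.authorize_for_resource(Action::GetStreamInfo),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/schema" ==> Get schema for given log stream
 web::resource("/schema").route(
 web::get()
 .to(logstream::get_schema)
-.authorize_for_stream(Action::GetSchema),
+.authorize_for_resource(Action::GetSchema),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/stats" ==> Get stats for given log stream
 web::resource("/stats").route(
 web::get()
 .to(logstream::get_stats)
-.authorize_for_stream(Action::GetStats),
+.authorize_for_resource(Action::GetStats),
 ),
 )
 .service(
@@ -443,13 +443,13 @@ impl Server {
 .route(
 web::put()
 .to(logstream::put_retention)
-.authorize_for_stream(Action::PutRetention),
+.authorize_for_resource(Action::PutRetention),
 )
 // GET "/logstream/{logstream}/retention" ==> Get retention for given logstream
 .route(
 web::get()
 .to(logstream::get_retention)
-.authorize_for_stream(Action::GetRetention),
+.authorize_for_resource(Action::GetRetention),
 ),
 )
 .service(
@@ -458,17 +458,17 @@ impl Server {
 .route(
 web::put()
 .to(logstream::put_stream_hot_tier)
-.authorize_for_stream(Action::PutHotTierEnabled),
+.authorize_for_resource(Action::PutHotTierEnabled),
 )
 .route(
 web::get()
 .to(logstream::get_stream_hot_tier)
-.authorize_for_stream(Action::GetHotTierEnabled),
+.authorize_for_resource(Action::GetHotTierEnabled),
 )
 .route(
 web::delete()
 .to(logstream::delete_stream_hot_tier)
-.authorize_for_stream(Action::DeleteHotTierEnabled),
+.authorize_for_resource(Action::DeleteHotTierEnabled),
 ),
 ),
 )
@@ -480,7 +480,7 @@ impl Server {
 .route(
 web::post()
 .to(ingest::ingest)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE))
 }
@@ -493,7 +493,7 @@ impl Server {
 .route(
 web::post()
 .to(ingest::handle_otel_logs_ingestion)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )
@@ -502,7 +502,7 @@ impl Server {
 .route(
 web::post()
 .to(ingest::handle_otel_metrics_ingestion)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )
@@ -511,7 +511,7 @@ impl Server {
 .route(
 web::post()
 .to(ingest::handle_otel_traces_ingestion)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )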

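--- a/src/handlers/http/rbac.rs
+++ b/src/handlers/http/rbac.rs
@@ -425,6 +425,8 @@ pub enum RBACError {
 InvalidSyncOperation(String),
 #[error("User group still being used by users: {0}")]
 UserGroupNotEmpty(String),
+#[error("Resource in use: {0}")]
+ResourceInUse(String),
 }
 
 impl actix_web::ResponseError for RBACError {
@@ -445,6 +447,7 @@ impl actix_web::ResponseError for RBACError {
 Self::InvalidUserGroupRequest(_) => StatusCode::BAD_REQUEST,
 Self::InvalidSyncOperation(_) => StatusCode::BAD_REQUEST,
 Self::UserGroupNotEmpty(_) => StatusCode::BAD_REQUEST,
+Self::ResourceInUse(_) => StatusCode::BAD_REQUEST,
 }
 }
 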
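--- a/src/rbac/map.rs
+++ b/src/rbac/map.rs
@@ -261,18 +261,19 @@ impl Sessions {
 match resource_type {
 ParseableResourceType::Stream(resource_id)
 | ParseableResourceType::Llm(resource_id) => {
-let ok_resource = if let Some(context_resource_id) = context_resource {
-resource_id == context_resource_id || resource_id == "*"
-} else {
-// if no resource to match then resource check is not needed
-// WHEN IS THIS VALID??
-true
-};
+let ok_resource =
+if let Some(context_resource_id) = context_resource {
+resource_id == context_resource_id || resource_id == "*"
+} else {
+// if no resource to match then resource check is not needed
+// WHEN IS THIS VALID??
+true
+};
 (action == required_action || action == Action::All) && ok_resource
 }
 ParseableResourceType::All => {
 action == required_action || action == Action::All
-},
+}
 }
 }
 Permission::SelfUser if required_action == Action::GetUserRoles => {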
