feat: Introduce resources

- Introduce resource types (stream, llm, all) for privileges

Author: parmesant

src/handlers/http/modal/query/querier_rbac.rs

@@ -31,7 +31,7 @@ use crate::{
         rbac::RBACError,
     },
     rbac::{
-        map::{mut_users, roles, write_user_groups},
+        map::{roles, write_user_groups},
         user, Users,
     },
     validator,
@@ -127,22 +127,6 @@ pub async fn delete_user(username: web::Path<String>) -> Result<impl Responder,
         };
     }
 
-    // ensure that the users remove the user group from their map
-    [&username]
-        .iter()
-        .map(|user| {
-            if let Some(user) = mut_users().get_mut(*user) {
-                for group in groups_to_update.iter() {
-                    user.user_groups.remove(&group.name);
-                }
-
-                metadata.users.retain(|u| u.username() != user.username());
-                metadata.users.push(user.clone());
-            }
-        })
-        .for_each(drop);
-    put_metadata(&metadata).await?;
-
     // update in metadata user group
     metadata
         .user_groups

src/handlers/http/rbac.rs

@@ -21,7 +21,7 @@ use std::collections::{HashMap, HashSet};
 use crate::{
     rbac::{
         self,
-        map::{mut_users, read_user_groups, roles, write_user_groups},
+        map::{read_user_groups, roles, write_user_groups},
         role::model::DefaultPrivilege,
         user,
         utils::to_prism_user,
@@ -250,22 +250,6 @@ pub async fn delete_user(username: web::Path<String>) -> Result<impl Responder,
         };
     }
 
-    // ensure that the users remove the user group from their map
-    [&username]
-        .iter()
-        .map(|user| {
-            if let Some(user) = mut_users().get_mut(*user) {
-                for group in groups_to_update.iter() {
-                    user.user_groups.remove(&group.name);
-                }
-
-                metadata.users.retain(|u| u.username() != user.username());
-                metadata.users.push(user.clone());
-            }
-        })
-        .for_each(drop);
-    put_metadata(&metadata).await?;
-
     // update in metadata user groups
     metadata
         .user_groups

src/migration/mod.rs

@@ -62,7 +62,6 @@ pub async fn run_metadata_migration(
             .and_then(|version| version.as_str())
     }
 
-    warn!(verion=?get_version(storage_metadata.as_ref().unwrap()));
     // if storage metadata is none do nothing
     if let Some(storage_metadata) = storage_metadata {
         match get_version(&storage_metadata) {

src/rbac/map.rs

@@ -16,6 +16,7 @@
  *
  */
 
+use crate::rbac::role::ParseableResourceType;
 use crate::rbac::user::{User, UserGroup};
 use crate::{parseable::PARSEABLE, storage::StorageMetadata};
 use std::collections::HashSet;
@@ -221,7 +222,7 @@ impl Sessions {
         &self,
         key: &SessionKey,
         required_action: Action,
-        context_stream: Option<&str>,
+        context_resource: Option<&str>,
         context_user: Option<&str>,
     ) -> Option<Response> {
         self.active_sessions.get(key).map(|(username, perms)| {
@@ -256,15 +257,23 @@ impl Sessions {
                 match *user_perm {
                     // if any action is ALL then we we authorize
                     Permission::Unit(action) => action == required_action || action == Action::All,
-                    Permission::Stream(action, ref stream)
-                    | Permission::StreamWithTag(action, ref stream, _) => {
-                        let ok_stream = if let Some(context_stream) = context_stream {
-                            stream == context_stream || stream == "*"
-                        } else {
-                            // if no stream to match then stream check is not needed
-                            true
-                        };
-                        (action == required_action || action == Action::All) && ok_stream
+                    Permission::Resource(action, ref resource_type) => {
+                        match resource_type {
+                            ParseableResourceType::Stream(resource_id)
+                            | ParseableResourceType::Llm(resource_id) => {
+                                let ok_resource = if let Some(context_resource_id) = context_resource {
+                                    resource_id == context_resource_id || resource_id == "*"
+                                } else {
+                                    // if no resource to match then resource check is not needed
+                                    // WHEN IS THIS VALID?? 
+                                    true
+                                };
+                                (action == required_action || action == Action::All) && ok_resource
+                            }
+                            ParseableResourceType::All => {
+                                action == required_action || action == Action::All
+                            },
+                        }
                     }
                     Permission::SelfUser if required_action == Action::GetUserRoles => {
                         context_user.map(|x| x == username).unwrap_or_default()

src/rbac/role.rs

@@ -77,52 +77,67 @@ pub enum Action {
     PutCorrelation,
 }
 
+#[derive(Debug, Clone, PartialEq, Eq, Hash, serde::Serialize, serde::Deserialize)]
+pub enum ParseableResourceType {
+    #[serde(rename="stream")]
+    Stream(String),
+    #[serde(rename="llm")]
+    Llm(String),
+    #[serde(rename="all")]
+    All
+}
+
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 pub enum Permission {
     Unit(Action),
-    Stream(Action, String),
-    StreamWithTag(Action, String, Option<String>),
-    Resource(Action, Option<String>, Option<String>),
+    // Stream(Action, String),
+    // StreamWithTag(Action, String, Option<String>),
+    Resource(Action, ParseableResourceType),
     SelfUser,
 }
 
 // Currently Roles are tied to one stream
 #[derive(Debug, Default)]
 pub struct RoleBuilder {
     actions: Vec<Action>,
-    stream: Option<String>,
-    tag: Option<String>,
-    resource_id: Option<String>,
-    resource_type: Option<String>,
+    // stream: Option<String>,
+    // tag: Option<String>,
+    // resource_id: Option<String>,
+    resource_type: Option<ParseableResourceType>,
 }
 
 // R x P
 impl RoleBuilder {
-    pub fn with_stream(mut self, stream: String) -> Self {
-        self.stream = Some(stream);
+    pub fn with_resource(
+        mut self,
+        resource_type: ParseableResourceType,
+        // resource_id: String,
+    ) -> Self {
+        self.resource_type = Some(resource_type);
+        // self.resource_id = Some(resource_id);
         self
     }
 
-    pub fn with_tag(mut self, tag: String) -> Self {
-        self.tag = Some(tag);
-        self
-    }
+    // pub fn with_stream(mut self, stream: String) -> Self {
+    //     self.stream = Some(stream);
+    //     self
+    // }
 
-    pub fn with_resource(mut self, resource_id: String, resource_type: String) -> Self {
-        self.resource_id = Some(resource_id);
-        self.resource_type = Some(resource_type);
-        self
-    }
+    // pub fn with_tag(mut self, tag: String) -> Self {
+    //     self.tag = Some(tag);
+    //     self
+    // }
+
+    // pub fn with_resource(mut self, resource_id: String, resource_type: ParseableResourceType) -> Self {
+    //     self.resource_id = Some(resource_id);
+    //     self.resource_type = Some(resource_type);
+    //     self
+    // }
 
     pub fn build(self) -> Vec<Permission> {
         let mut perms = Vec::new();
         for action in self.actions {
             let perm = match action {
-                Action::Query => Permission::StreamWithTag(
-                    action,
-                    self.stream.clone().unwrap(),
-                    self.tag.clone(),
-                ),
                 Action::Login
                 | Action::Metrics
                 | Action::PutUser
@@ -164,23 +179,24 @@ impl RoleBuilder {
                 | Action::DeleteUserGroup
                 | Action::ModifyUserGroup
                 | Action::GetAnalytics => Permission::Unit(action),
-                Action::QueryLLM
+                Action::Query
+                | Action::QueryLLM
                 | Action::AddLLM
                 | Action::DeleteLLM
                 | Action::GetLLM
-                | Action::ListLLM => Permission::Resource(
-                    action,
-                    self.resource_type.clone(),
-                    self.resource_id.clone(),
-                ),
-                Action::Ingest
+                | Action::ListLLM
+                | Action::Ingest
                 | Action::ListStream
                 | Action::GetSchema
                 | Action::DetectSchema
                 | Action::GetStats
                 | Action::GetRetention
                 | Action::PutRetention
-                | Action::All => Permission::Stream(action, self.stream.clone().unwrap()),
+                | Action::All => Permission::Resource(
+                    action,
+                    self.resource_type.clone().unwrap(),
+                    // self.resource_id.clone().unwrap(),
+                ),
             };
             perms.push(perm);
         }
@@ -193,26 +209,25 @@ impl RoleBuilder {
 // we can put same model in the backend
 // user -> Vec<DefaultRoles>
 pub mod model {
+    use crate::rbac::role::ParseableResourceType;
+
     use super::{Action, RoleBuilder};
 
     #[derive(Debug, Clone, PartialEq, Eq, serde::Serialize, serde::Deserialize, Hash)]
-    #[serde(tag = "privilege", content = "resource", rename_all = "lowercase")]
+    #[serde(tag = "privilege", rename_all = "lowercase")]
     pub enum DefaultPrivilege {
         Admin,
         Editor,
         Writer {
-            stream: String,
+            resource: ParseableResourceType,
+            // resource_id: String,
         },
         Ingestor {
-            stream: String,
+            resource: ParseableResourceType,
         },
         Reader {
-            stream: String,
-            tag: Option<String>,
-        },
-        Resource {
-            resource_id: String,
-            resource_type: String,
+            resource: ParseableResourceType,
+            // resource_id: String,
         },
     }
 
@@ -221,35 +236,29 @@ pub mod model {
             match value {
                 DefaultPrivilege::Admin => admin_perm_builder(),
                 DefaultPrivilege::Editor => editor_perm_builder(),
-                DefaultPrivilege::Writer { stream } => {
-                    writer_perm_builder().with_stream(stream.to_owned())
-                }
-                DefaultPrivilege::Reader { stream, tag } => {
-                    let mut reader = reader_perm_builder().with_stream(stream.to_owned());
-                    if let Some(tag) = tag {
-                        reader = reader.with_tag(tag.to_owned())
-                    }
-                    reader
-                }
-                DefaultPrivilege::Ingestor { stream } => {
-                    ingest_perm_builder().with_stream(stream.to_owned())
-                }
-                DefaultPrivilege::Resource {
-                    resource_id,
-                    resource_type,
-                } => resource_perm_builder()
-                    .with_resource(resource_id.clone(), resource_type.clone()),
+                DefaultPrivilege::Writer {
+                    resource,
+                    // resource_id,
+                } => writer_perm_builder()
+                    .with_resource(resource.to_owned()),
+                DefaultPrivilege::Reader {
+                    resource,
+                    // resource_id,
+                } => reader_perm_builder()
+                    .with_resource(resource.to_owned()),
+                DefaultPrivilege::Ingestor { resource } => ingest_perm_builder()
+                    .with_resource(resource.to_owned()),
             }
         }
     }
 
     fn admin_perm_builder() -> RoleBuilder {
         RoleBuilder {
             actions: vec![Action::All],
-            stream: Some("*".to_string()),
-            tag: None,
-            resource_type: Some("*".to_string()),
-            resource_id: Some("*".to_string()),
+            // stream: Some("*".to_string()),
+            // tag: None,
+            resource_type: Some(ParseableResourceType::All),
+            // resource_id: Some("*".to_string()),
         }
     }
 
@@ -295,10 +304,10 @@ pub mod model {
                 Action::DeleteDashboard,
                 Action::GetUserRoles,
             ],
-            stream: Some("*".to_string()),
-            tag: None,
-            resource_id: None,
-            resource_type: None,
+            // stream: Some("*".to_string()),
+            // tag: None,
+            // resource_id: Some("*".to_string()),
+            resource_type: Some(ParseableResourceType::All),
         }
     }
 
@@ -338,9 +347,9 @@ pub mod model {
                 Action::DeleteFilter,
                 Action::GetUserRoles,
             ],
-            stream: None,
-            tag: None,
-            resource_id: None,
+            // stream: None,
+            // tag: None,
+            // resource_id: None,
             resource_type: None,
         }
     }
@@ -374,29 +383,19 @@ pub mod model {
                 Action::GetUserRoles,
                 Action::GetAlert,
             ],
-            stream: None,
-            tag: None,
-            resource_id: None,
-            resource_type: None,
-        }
-    }
-
-    fn resource_perm_builder() -> RoleBuilder {
-        RoleBuilder {
-            actions: vec![Action::GetLLM, Action::ListLLM, Action::QueryLLM],
-            stream: None,
-            tag: None,
-            resource_id: None,
+            // stream: None,
+            // tag: None,
+            // resource_id: None,
             resource_type: None,
         }
     }
 
     fn ingest_perm_builder() -> RoleBuilder {
         RoleBuilder {
             actions: vec![Action::Ingest],
-            stream: None,
-            tag: None,
-            resource_id: None,
+            // stream: None,
+            // tag: None,
+            // resource_id: None,
             resource_type: None,
         }
     }