Authorization migration #3791
Draft
Authorization migration #3791
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This class holds information about the current user and his or her access rights. An instance is created during authentication. Signed-off-by: Oliver Heger <[email protected]>
Add a new property to `EffectiveRole` that holds the superuser status, so that this can be checked efficiently. Extend `DbAuthorizationService` to set this flag correctly. Add more test cases for role assignments on the superuser level. Signed-off-by: Oliver Heger <[email protected]>
This interface defines a generic mechanism to perform checks for required permissions when handling requests. It is going to be used in an extended DSL to define routes that can handle such checks automatically. Signed-off-by: Oliver Heger <[email protected]>
Extend the Ktor DSL for route definitions by functions that perform an automatic check for permissions based on provided `AuthorizationChecker` objects. This enables a declarative approach for permission checks. Provide a concrete `AuthorizationChecker` implementation for organization permissions. Add a test class to test this approach. Note that currently failed permission checks yield a return status code of 401 rather than 403. This is going to be changed in an upcoming commit. Signed-off-by: Oliver Heger <[email protected]>
If a request fails because of missing permissions, return the correct status code 403. Add a new `AuthorizationException` that is thrown in this case and can be mapped to the corresponding status code. Signed-off-by: Oliver Heger <[email protected]>
Add support for permissions on product and repository level and superuser checks. Signed-off-by: Oliver Heger <[email protected]>
oheger-bosch
force-pushed
the
oheger-bosch/db_authorization_migration
branch
from
c81aa3a to
0c77c5d
Compare
Extend `KeycloakAuthorizationService` by a function that can create structures in the database that correspond to the roles and permissions currently kept in Keycloak. The function is going to be called on startup of ORT Server to perform a one-time migration. Signed-off-by: Oliver Heger <[email protected]>
Instead of doing a synchronization of roles in Keycloak, trigger a migration to new access rights structures on startup of the core component. Signed-off-by: Oliver Heger <[email protected]>
oheger-bosch
force-pushed
the
oheger-bosch/db_authorization_migration
branch
from
0c77c5d to
7fe4de2
Compare
Contributor
|
Just curious, after the migration, will there be another follow-up PR that removes old code? |
Contributor
Author
For the migration, the old code is still required. I assume, we need to keep this for a while, since users might not immediately switch to a new version and should still be able to migrate later. But after a grace period, the whole There should also be less functionality for the interaction with Keycloak required. So, the Keycloak client could be stripped down (or replaced by the official one?). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements a one-time migration to the new authorization component. The migration is triggered once on ORT Server startup. It creates entries in the database corresponding to the roles and permissions stored in Keycloak.
This should not be merged before all permission checks have been migrated to the new authorization component.