
Commit b8f13be

committed
updates for new privileges
- roles don't need any migration - auth flow modified to account for resource type
1 parent 4d3fa6a commit b8f13be


9 files changed

+82
-96
lines changed


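--- a/src/handlers/http/middleware.rs
+++ b/src/handlers/http/middleware.rs
@@ -59,7 +59,7 @@ pub struct CommonAttributes {
 
 pub trait RouteExt {
 fn authorize(self, action: Action) -> Self;
-fn authorize_for_stream(self, action: Action) -> Self;
+fn authorize_for_resource(self, action: Action) -> Self;
 fn authorize_for_user(self, action: Action) -> Self;
 }
 
@@ -71,10 +71,10 @@ impl RouteExt for Route {
 })
 }
 
-fn authorize_for_stream(self, action: Action) -> Self {
+fn authorize_for_resource(self, action: Action) -> Self {
 self.wrap(Auth {
 action,
-method: auth_stream_context,
+method: auth_resource_context,
 })
 }
 
@@ -182,18 +182,26 @@ pub fn auth_no_context(req: &mut ServiceRequest, action: Action) -> Result<rbac:
 creds.map(|key| Users.authorize(key, action, None, None))
 }
 
-pub fn auth_stream_context(
+pub fn auth_resource_context(
 req: &mut ServiceRequest,
 action: Action,
 ) -> Result<rbac::Response, Error> {
 let creds = extract_session_key(req);
+let usergroup = req.match_info().get("usergroup");
+let llmid = req.match_info().get("llmid");
 let mut stream = req.match_info().get("logstream");
-if stream.is_none() {
+if let Some(usergroup) = usergroup {
+creds.map(|key| Users.authorize(key, action, Some(usergroup), None))
+} else if let Some(llmid) = llmid {
+creds.map(|key| Users.authorize(key, action, Some(llmid), None))
+} else if let Some(stream) = stream {
+creds.map(|key| Users.authorize(key, action, Some(stream), None))
+} else {
 if let Some(stream_name) = req.headers().get(STREAM_NAME_HEADER_KEY) {
 stream = Some(stream_name.to_str().unwrap());
 }
+creds.map(|key| Users.authorize(key, action, stream, None))
 }
-creds.map(|key| Users.authorize(key, action, stream, None))
 }
 
 pub fn auth_user_context(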
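Review bot: `auth_resource_context` hands the `usergroup`, `llmid` and `logstream` path values to `Users.authorize` as the same bare `Some(&str)`, so the kind of resource being requested is lost before the permission check runs. The `src/rbac/map.rs` section of this commit compares that string against `resource_id` in a single arm shared by `ParseableResourceType::Stream` and `ParseableResourceType::Llm`, which suggests a grant on a stream named `x` also satisfies a request for an LLM with id `x` whenever the action matches or is `Action::All`, and no user-group variant is visible there. Either carry the resource type into `authorize`, or, if ids are guaranteed unique across types, state that above the chain, e.g. `// NOTE: ids are matched without their resource type; stream, LLM and user-group names must not collide`. When no path parameter and no stream header is present the call is still made with `None`, which map.rs treats as "resource check is not needed", so the routes that depend on that fallback should be listed in a comment. The header fallback keeps `stream_name.to_str().unwrap()`, which panics on a header value that is not visible ASCII; `stream = stream_name.to_str().ok();` inside the `if let` avoids that.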

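--- a/src/handlers/http/modal/ingest_server.rs
+++ b/src/handlers/http/modal/ingest_server.rs
@@ -237,7 +237,7 @@ impl IngestServer {
 .route(
 web::post()
 .to(ingest::post_event)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .wrap(from_fn(
 resource_check::check_resource_utilization_middleware,
@@ -255,31 +255,31 @@ impl IngestServer {
 .route(
 web::put()
 .to(ingestor_logstream::put_stream)
-.authorize_for_stream(Action::CreateStream),
+.authorize_for_resource(Action::CreateStream),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/info" ==> Get info for given log stream
 web::resource("/info").route(
 web::get()
 .to(logstream::get_stream_info)
-.authorize_for_stream(Action::GetStreamInfo),
+.authorize_for_resource(Action::GetStreamInfo),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/stats" ==> Get stats for given log stream
 web::resource("/stats").route(
 web::get()
 .to(logstream::get_stats)
-.authorize_for_stream(Action::GetStats),
+.authorize_for_resource(Action::GetStats),
 ),
 )
 .service(
 web::scope("/retention").service(
 web::resource("/cleanup").route(
 web::post()
 .to(ingestor_logstream::retention_cleanup)
-.authorize_for_stream(Action::PutRetention),
+.authorize_for_resource(Action::PutRetention),
 ),
 ),
 ),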

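--- a/src/handlers/http/modal/query_server.rs
+++ b/src/handlers/http/modal/query_server.rs
@@ -273,19 +273,19 @@ impl QueryServer {
 .route(
 web::put()
 .to(querier_logstream::put_stream)
-.authorize_for_stream(Action::CreateStream),
+.authorize_for_resource(Action::CreateStream),
 )
 // POST "/logstream/{logstream}" ==> Post logs to given log stream
 .route(
 web::post()
 .to(querier_ingest::post_event)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 // DELETE "/logstream/{logstream}" ==> Delete log stream
 .route(
 web::delete()
 .to(querier_logstream::delete)
-.authorize_for_stream(Action::DeleteStream),
+.authorize_for_resource(Action::DeleteStream),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )
@@ -294,23 +294,23 @@ impl QueryServer {
 web::resource("/info").route(
 web::get()
 .to(logstream::get_stream_info)
-.authorize_for_stream(Action::GetStreamInfo),
+.authorize_for_resource(Action::GetStreamInfo),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/schema" ==> Get schema for given log stream
 web::resource("/schema").route(
 web::get()
 .to(logstream::get_schema)
-.authorize_for_stream(Action::GetSchema),
+.authorize_for_resource(Action::GetSchema),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/stats" ==> Get stats for given log stream
 web::resource("/stats").route(
 web::get()
 .to(querier_logstream::get_stats)
-.authorize_for_stream(Action::GetStats),
+.authorize_for_resource(Action::GetStats),
 ),
 )
 .service(
@@ -319,13 +319,13 @@ impl QueryServer {
 .route(
 web::put()
 .to(logstream::put_retention)
-.authorize_for_stream(Action::PutRetention),
+.authorize_for_resource(Action::PutRetention),
 )
 // GET "/logstream/{logstream}/retention" ==> Get retention for given logstream
 .route(
 web::get()
 .to(logstream::get_retention)
-.authorize_for_stream(Action::GetRetention),
+.authorize_for_resource(Action::GetRetention),
 ),
 )
 .service(
@@ -334,17 +334,17 @@ impl QueryServer {
 .route(
 web::put()
 .to(logstream::put_stream_hot_tier)
-.authorize_for_stream(Action::PutHotTierEnabled),
+.authorize_for_resource(Action::PutHotTierEnabled),
 )
 .route(
 web::get()
 .to(logstream::get_stream_hot_tier)
-.authorize_for_stream(Action::GetHotTierEnabled),
+.authorize_for_resource(Action::GetHotTierEnabled),
 )
 .route(
 web::delete()
 .to(logstream::delete_stream_hot_tier)
-.authorize_for_stream(Action::DeleteHotTierEnabled),
+.authorize_for_resource(Action::DeleteHotTierEnabled),
 ),
 ),
 )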

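--- a/src/handlers/http/modal/server.rs
+++ b/src/handlers/http/modal/server.rs
@@ -182,9 +182,9 @@ impl Server {
 web::resource("/info").route(
 web::get()
 .to(http::prism_logstream::get_info)
-.authorize_for_stream(Action::GetStreamInfo)
-.authorize_for_stream(Action::GetStats)
-.authorize_for_stream(Action::GetRetention),
+.authorize_for_resource(Action::GetStreamInfo)
+.authorize_for_resource(Action::GetStats)
+.authorize_for_resource(Action::GetRetention),
 ),
 ),
 )
@@ -195,9 +195,9 @@ impl Server {
 "",
 web::post()
 .to(http::prism_logstream::post_datasets)
-.authorize_for_stream(Action::GetStreamInfo)
-.authorize_for_stream(Action::GetStats)
-.authorize_for_stream(Action::GetRetention),
+.authorize_for_resource(Action::GetStreamInfo)
+.authorize_for_resource(Action::GetStats)
+.authorize_for_resource(Action::GetRetention),
 )
 }
 
@@ -408,13 +408,13 @@ impl Server {
 .route(
 web::put()
 .to(logstream::put_stream)
-.authorize_for_stream(Action::CreateStream),
+.authorize_for_resource(Action::CreateStream),
 )
 // POST "/logstream/{logstream}" ==> Post logs to given log stream
 .route(
 web::post()
 .to(ingest::post_event)
-.authorize_for_stream(Action::Ingest)
+.authorize_for_resource(Action::Ingest)
 .wrap(from_fn(
 resource_check::check_resource_utilization_middleware,
 )),
@@ -423,7 +423,7 @@ impl Server {
 .route(
 web::delete()
 .to(logstream::delete)
-.authorize_for_stream(Action::DeleteStream),
+.authorize_for_resource(Action::DeleteStream),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )
@@ -432,23 +432,23 @@ impl Server {
 web::resource("/info").route(
 web::get()
 .to(logstream::get_stream_info)
-.authorize_for_stream(Action::GetStreamInfo),
+.authorize_for_resource(Action::GetStreamInfo),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/schema" ==> Get schema for given log stream
 web::resource("/schema").route(
 web::get()
 .to(logstream::get_schema)
-.authorize_for_stream(Action::GetSchema),
+.authorize_for_resource(Action::GetSchema),
 ),
 )
 .service(
 // GET "/logstream/{logstream}/stats" ==> Get stats for given log stream
 web::resource("/stats").route(
 web::get()
 .to(logstream::get_stats)
-.authorize_for_stream(Action::GetStats),
+.authorize_for_resource(Action::GetStats),
 ),
 )
 .service(
@@ -457,13 +457,13 @@ impl Server {
 .route(
 web::put()
 .to(logstream::put_retention)
-.authorize_for_stream(Action::PutRetention),
+.authorize_for_resource(Action::PutRetention),
 )
 // GET "/logstream/{logstream}/retention" ==> Get retention for given logstream
 .route(
 web::get()
 .to(logstream::get_retention)
-.authorize_for_stream(Action::GetRetention),
+.authorize_for_resource(Action::GetRetention),
 ),
 )
 .service(
@@ -472,17 +472,17 @@ impl Server {
 .route(
 web::put()
 .to(logstream::put_stream_hot_tier)
-.authorize_for_stream(Action::PutHotTierEnabled),
+.authorize_for_resource(Action::PutHotTierEnabled),
 )
 .route(
 web::get()
 .to(logstream::get_stream_hot_tier)
-.authorize_for_stream(Action::GetHotTierEnabled),
+.authorize_for_resource(Action::GetHotTierEnabled),
 )
 .route(
 web::delete()
 .to(logstream::delete_stream_hot_tier)
-.authorize_for_stream(Action::DeleteHotTierEnabled),
+.authorize_for_resource(Action::DeleteHotTierEnabled),
 ),
 ),
 )
@@ -494,7 +494,7 @@ impl Server {
 .route(
 web::post()
 .to(ingest::ingest)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE))
 }
@@ -507,7 +507,7 @@ impl Server {
 .route(
 web::post()
 .to(ingest::handle_otel_logs_ingestion)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )
@@ -516,7 +516,7 @@ impl Server {
 .route(
 web::post()
 .to(ingest::handle_otel_metrics_ingestion)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )
@@ -525,7 +525,7 @@ impl Server {
 .route(
 web::post()
 .to(ingest::handle_otel_traces_ingestion)
-.authorize_for_stream(Action::Ingest),
+.authorize_for_resource(Action::Ingest),
 )
 .app_data(web::JsonConfig::default().limit(MAX_EVENT_PAYLOAD_SIZE)),
 )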

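--- a/src/handlers/http/rbac.rs
+++ b/src/handlers/http/rbac.rs
@@ -425,6 +425,8 @@ pub enum RBACError {
 InvalidSyncOperation(String),
 #[error("User group still being used by users: {0}")]
 UserGroupNotEmpty(String),
+#[error("Resource in use: {0}")]
+ResourceInUse(String),
 }
 
 impl actix_web::ResponseError for RBACError {
@@ -445,6 +447,7 @@ impl actix_web::ResponseError for RBACError {
 Self::InvalidUserGroupRequest(_) => StatusCode::BAD_REQUEST,
 Self::InvalidSyncOperation(_) => StatusCode::BAD_REQUEST,
 Self::UserGroupNotEmpty(_) => StatusCode::BAD_REQUEST,
+Self::ResourceInUse(_) => StatusCode::BAD_REQUEST,
 }
 }
 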
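Review bot: `ResourceInUse` is mapped to `StatusCode::BAD_REQUEST`, which reports a malformed request when the condition is a conflict with current server state; `Self::ResourceInUse(_) => StatusCode::CONFLICT,` would let clients tell the two apart. The mapping mirrors the neighbouring `UserGroupNotEmpty` arm, so if 400 is kept for consistency, a `///` doc comment on the variant should say which operations return it. No construction site is visible in this section, so what `{0}` carries into the response body should be confirmed to be a caller-supplied name and not an internal identifier. Both the enum and the `ResponseError` impl start and end outside the hunks shown.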

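--- a/src/rbac/map.rs
+++ b/src/rbac/map.rs
@@ -261,18 +261,19 @@ impl Sessions {
 match resource_type {
 ParseableResourceType::Stream(resource_id)
 | ParseableResourceType::Llm(resource_id) => {
-let ok_resource = if let Some(context_resource_id) = context_resource {
-resource_id == context_resource_id || resource_id == "*"
-} else {
-// if no resource to match then resource check is not needed
-// WHEN IS THIS VALID??
-true
-};
+let ok_resource =
+if let Some(context_resource_id) = context_resource {
+resource_id == context_resource_id || resource_id == "*"
+} else {
+// if no resource to match then resource check is not needed
+// WHEN IS THIS VALID??
+true
+};
 (action == required_action || action == Action::All) && ok_resource
 }
 ParseableResourceType::All => {
 action == required_action || action == Action::All
-},
+}
 }
 }
 Permission::SelfUser if required_action == Action::GetUserRoles => {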
