feat: Enrich Authorizer for Namespaces and Warehouses (lakekeeper#1480)

Author: c-thiel

…85dd9bb7b2a4facd301be48ce088f39cb02.json …f5c5e48aefc4990b3804bf23c8ee6c9df53.json.sqlx/query-8818aabd4a0acdb79ff4ce5c3c64b85dd9bb7b2a4facd301be48ce088f39cb02.json renamed to .sqlx/query-5bd88e2962ade07ae621b69644240f5c5e48aefc4990b3804bf23c8ee6c9df53.json .sqlx/query-8818aabd4a0acdb79ff4ce5c3c64b85dd9bb7b2a4facd301be48ce088f39cb02.json renamed to .sqlx/query-5bd88e2962ade07ae621b69644240f5c5e48aefc4990b3804bf23c8ee6c9df53.json

@@ -1704,7 +1704,7 @@ mod tests {
 
     mod openfga_integration_tests {
         use lakekeeper::{
-            service::{authn::UserId, authz::Authorizer},
+            service::{authn::UserId, authz::Authorizer, ResolvedWarehouse},
             tokio,
         };
         use openfga_client::client::TupleKey;
@@ -1822,6 +1822,7 @@ mod tests {
             let res = authorizer
                 .are_allowed_namespace_actions_impl(
                     &RequestMetadata::random_human(user_id_assignee.clone()),
+                    &ResolvedWarehouse::new_random(),
                     &namespaces
                         .iter()
                         .map(|id| (id, AllNamespaceRelations::CanDelete))
@@ -1843,6 +1844,7 @@ mod tests {
             let res = authorizer
                 .are_allowed_namespace_actions_impl(
                     &RequestMetadata::random_human(user_id_assignee.clone()),
+                    &ResolvedWarehouse::new_random(),
                     &namespaces
                         .iter()
                         .map(|id| (id, AllNamespaceRelations::CanDelete))

…70521a648955229029d9b79da336aa82f2e.json …8e2aa7e421e9c65624695c8078f83d6b011.json.sqlx/query-699149ae3d1c7432aae5ad504fa8170521a648955229029d9b79da336aa82f2e.json renamed to .sqlx/query-763b066e0be1435303b875e81fe228e2aa7e421e9c65624695c8078f83d6b011.json .sqlx/query-699149ae3d1c7432aae5ad504fa8170521a648955229029d9b79da336aa82f2e.json renamed to .sqlx/query-763b066e0be1435303b875e81fe228e2aa7e421e9c65624695c8078f83d6b011.json

@@ -12,7 +12,8 @@ use lakekeeper::{
         },
         health::Health,
         Actor, AuthZTableInfo, AuthZViewInfo, CatalogStore, ErrorModel, NamespaceHierarchy,
-        NamespaceId, RoleId, SecretStore, ServerId, State, TableId, UserId, ViewId,
+        NamespaceId, ResolvedWarehouse, RoleId, SecretStore, ServerId, State, TableId, UserId,
+        ViewId,
     },
     tokio::sync::RwLock,
     ProjectId, WarehouseId,
@@ -292,13 +293,13 @@ impl Authorizer for OpenFGAAuthorizer {
     async fn is_allowed_warehouse_action_impl(
         &self,
         metadata: &RequestMetadata,
-        warehouse_id: WarehouseId,
+        warehouse: &ResolvedWarehouse,
         action: Self::WarehouseAction,
     ) -> Result<bool, AuthorizationBackendUnavailable> {
         self.check(CheckRequestTupleKey {
             user: metadata.actor().to_openfga(),
             relation: action.to_string(),
-            object: warehouse_id.to_openfga(),
+            object: warehouse.warehouse_id.to_openfga(),
         })
         .await
         .map_err(Into::into)
@@ -307,14 +308,14 @@ impl Authorizer for OpenFGAAuthorizer {
     async fn are_allowed_warehouse_actions_impl(
         &self,
         metadata: &RequestMetadata,
-        warehouses_with_actions: &[(WarehouseId, Self::WarehouseAction)],
+        warehouses_with_actions: &[(&ResolvedWarehouse, Self::WarehouseAction)],
     ) -> std::result::Result<Vec<bool>, AuthorizationBackendUnavailable> {
         let items: Vec<_> = warehouses_with_actions
             .iter()
-            .map(|(id, a)| CheckRequestTupleKey {
+            .map(|(wh, a)| CheckRequestTupleKey {
                 user: metadata.actor().to_openfga(),
                 relation: a.to_string(),
-                object: id.to_openfga(),
+                object: wh.warehouse_id.to_openfga(),
             })
             .collect();
         self.batch_check(items).await.map_err(Into::into)
@@ -323,6 +324,7 @@ impl Authorizer for OpenFGAAuthorizer {
     async fn is_allowed_namespace_action_impl(
         &self,
         metadata: &RequestMetadata,
+        _warehouse: &ResolvedWarehouse,
         namespace: &NamespaceHierarchy,
         action: Self::NamespaceAction,
     ) -> Result<bool, AuthorizationBackendUnavailable> {
@@ -338,6 +340,7 @@ impl Authorizer for OpenFGAAuthorizer {
     async fn are_allowed_namespace_actions_impl(
         &self,
         metadata: &RequestMetadata,
+        _warehouse: &ResolvedWarehouse,
         actions: &[(&NamespaceHierarchy, Self::NamespaceAction)],
     ) -> Result<Vec<bool>, AuthorizationBackendUnavailable> {
         let items: Vec<_> = actions

crates/authz-openfga/src/api.rs

@@ -4,12 +4,14 @@ use lakekeeper::{
     axum::{extract::State as AxumState, Extension, Json},
     iceberg::{NamespaceIdent, TableIdent},
     service::{
-        authz::{AuthZTableOps, AuthZViewOps, Authorizer, AuthzNamespaceOps as _},
+        authz::{
+            AuthZTableOps, AuthZViewOps, Authorizer, AuthzNamespaceOps as _, AuthzWarehouseOps,
+        },
         AuthZTableInfo, AuthZViewInfo as _, CatalogNamespaceOps, CatalogStore, CatalogTabularOps,
-        NamespaceId, NamespaceIdentOrId, Result, SecretStore, State, TableId, TableIdentOrId,
-        TabularListFlags, ViewId, ViewIdentOrId,
+        CatalogWarehouseOps, NamespaceId, NamespaceIdentOrId, Result, SecretStore, State, TableId,
+        TableIdentOrId, TabularListFlags, ViewId, ViewIdentOrId,
     },
-    ProjectId, WarehouseId,
+    tokio, ProjectId, WarehouseId,
 };
 use openfga_client::client::CheckRequestTupleKey;
 use serde::{Deserialize, Serialize};
@@ -217,14 +219,17 @@ async fn check_namespace<C: CatalogStore, S: SecretStore>(
             warehouse_id,
         } => (*warehouse_id, NamespaceIdentOrId::from(namespace.clone())),
     };
-    let namespace = C::get_namespace(
-        warehouse_id,
-        user_provided_ns.clone(),
-        api_context.v1_state.catalog,
-    )
-    .await;
+    let (warehouse, namespace) = tokio::join!(
+        C::get_active_warehouse_by_id(warehouse_id, api_context.v1_state.catalog.clone(),),
+        C::get_namespace(
+            warehouse_id,
+            user_provided_ns.clone(),
+            api_context.v1_state.catalog,
+        )
+    );
+    let warehouse = authorizer.require_warehouse_presence(warehouse_id, warehouse)?;
     let namespace = authorizer
-        .require_namespace_action(metadata, warehouse_id, user_provided_ns, namespace, action)
+        .require_namespace_action(metadata, &warehouse, user_provided_ns, namespace, action)
         .await?;
 
     Ok(namespace.namespace_id().to_openfga())

crates/authz-openfga/src/authorizer.rs

@@ -4,8 +4,9 @@ use super::{ApiServer, ProtectionResponse};
 use crate::{
     api::{ApiContext, RequestMetadata, Result},
     service::{
-        authz::{Authorizer, AuthzNamespaceOps, CatalogNamespaceAction},
-        CatalogNamespaceOps, CatalogStore, NamespaceId, SecretStore, State, Transaction,
+        authz::{Authorizer, AuthzNamespaceOps, AuthzWarehouseOps, CatalogNamespaceAction},
+        CatalogNamespaceOps, CatalogStore, CatalogWarehouseOps, NamespaceId, SecretStore, State,
+        Transaction,
     },
     WarehouseId,
 };
@@ -30,13 +31,16 @@ where
         //  ------------------- AUTHZ -------------------
         let authorizer = state.v1_state.authz.clone();
 
+        let warehouse =
+            C::get_active_warehouse_by_id(warehouse_id, state.v1_state.catalog.clone()).await;
+        let warehouse = authorizer.require_warehouse_presence(warehouse_id, warehouse)?;
         let namespace =
             C::get_namespace(warehouse_id, namespace_id, state.v1_state.catalog.clone()).await;
 
         authorizer
             .require_namespace_action(
                 &request_metadata,
-                warehouse_id,
+                &warehouse,
                 namespace_id,
                 namespace,
                 CatalogNamespaceAction::CanDelete,
@@ -86,13 +90,16 @@ where
         //  ------------------- AUTHZ -------------------
         let authorizer = state.v1_state.authz.clone();
 
+        let warehouse =
+            C::get_active_warehouse_by_id(warehouse_id, state.v1_state.catalog.clone()).await;
+        let warehouse = authorizer.require_warehouse_presence(warehouse_id, warehouse)?;
         let namespace =
             C::get_namespace(warehouse_id, namespace_id, state.v1_state.catalog.clone()).await;
 
         let namespace = authorizer
             .require_namespace_action(
                 &request_metadata,
-                warehouse_id,
+                &warehouse,
                 namespace_id,
                 namespace,
                 CatalogNamespaceAction::CanGetMetadata,

crates/authz-openfga/src/check.rs

@@ -20,9 +20,9 @@ use crate::{
             ListProjectsResponse as AuthZListProjectsResponse,
         },
         secrets::SecretStore,
-        CatalogStore, State, Transaction,
+        CatalogStore, CatalogWarehouseOps, State, Transaction,
     },
-    ProjectId,
+    ProjectId, WarehouseId,
 };
 
 #[derive(Debug, Clone, Serialize)]
@@ -244,10 +244,17 @@ pub trait Service<C: CatalogStore, A: Authorizer, S: SecretStore> {
 
         match request.warehouse {
             WarehouseFilter::WarehouseId { id } => {
+                let warehouse = C::get_active_warehouse_by_id(
+                    WarehouseId::from(id),
+                    context.v1_state.catalog.clone(),
+                )
+                .await;
+
                 authorizer
                     .require_warehouse_action(
                         &request_metadata,
                         id.into(),
+                        warehouse,
                         CatalogWarehouseAction::CanGetMetadata,
                     )
                     .await?;

crates/lakekeeper/src/api/management/v1/namespace.rs

@@ -9,7 +9,7 @@ use crate::{
             AuthZCannotUseWarehouseId, AuthZTableOps, Authorizer, AuthzWarehouseOps,
             CatalogTableAction, CatalogViewAction, CatalogWarehouseAction,
         },
-        CatalogStore, CatalogTabularOps, SecretStore, State, TabularId,
+        CatalogStore, CatalogTabularOps, CatalogWarehouseOps, SecretStore, State, TabularId,
     },
     WarehouseId,
 };
@@ -33,12 +33,16 @@ where
         // -------------------- AUTHZ --------------------
         let authorizer = context.v1_state.authz;
 
+        let warehouse =
+            C::get_active_warehouse_by_id(warehouse_id, context.v1_state.catalog.clone()).await;
+        let warehouse = authorizer.require_warehouse_presence(warehouse_id, warehouse)?;
+
         let [authz_can_use, authz_list_all] = authorizer
             .are_allowed_warehouse_actions_arr(
                 &request_metadata,
                 &[
-                    (warehouse_id, CatalogWarehouseAction::CanUse),
-                    (warehouse_id, CatalogWarehouseAction::CanListEverything),
+                    (&warehouse, CatalogWarehouseAction::CanUse),
+                    (&warehouse, CatalogWarehouseAction::CanListEverything),
                 ],
             )
             .await?

crates/lakekeeper/src/api/management/v1/project.rs

@@ -21,9 +21,9 @@ use crate::{
             TaskEntityNamed, TaskFilter, TaskId, TaskOutcome as TQTaskOutcome, TaskQueueName,
             TaskStatus as TQTaskStatus,
         },
-        CatalogStore, CatalogTabularOps, CatalogTaskOps, InvalidTabularIdentifier, ResolvedTask,
-        Result, SecretStore, State, TableNamed, TabularId, TabularListFlags, Transaction,
-        ViewNamed, ViewOrTableInfo,
+        CatalogStore, CatalogTabularOps, CatalogTaskOps, CatalogWarehouseOps,
+        InvalidTabularIdentifier, ResolvedTask, ResolvedWarehouse, Result, SecretStore, State,
+        TableNamed, TabularId, TabularListFlags, Transaction, ViewNamed, ViewOrTableInfo,
     },
     WarehouseId,
 };
@@ -350,11 +350,15 @@ pub(crate) trait Service<C: CatalogStore, A: Authorizer, S: SecretStore> {
         // -------------------- AUTHZ --------------------
         let authorizer = context.v1_state.authz;
 
+        let warehouse =
+            C::get_active_warehouse_by_id(warehouse_id, context.v1_state.catalog.clone()).await;
+        let warehouse = authorizer.require_warehouse_presence(warehouse_id, warehouse)?;
+
         authorize_list_tasks::<A, C>(
             &authorizer,
             context.v1_state.catalog.clone(),
             &request_metadata,
-            warehouse_id,
+            &warehouse,
             query.entities.as_ref(),
         )
         .await?;
@@ -377,12 +381,16 @@ pub(crate) trait Service<C: CatalogStore, A: Authorizer, S: SecretStore> {
         // -------------------- AUTHZ --------------------
         let authorizer = context.v1_state.authz;
 
+        let warehouse =
+            C::get_active_warehouse_by_id(warehouse_id, context.v1_state.catalog.clone()).await;
+        let warehouse = authorizer.require_warehouse_presence(warehouse_id, warehouse)?;
+
         let [authz_can_use, authz_get_all_warehouse] = authorizer
             .are_allowed_warehouse_actions_arr(
                 &request_metadata,
                 &[
-                    (warehouse_id, CatalogWarehouseAction::CanUse),
-                    (warehouse_id, CAN_GET_ALL_TASKS_DETAILS_WAREHOUSE_PERMISSION),
+                    (&warehouse, CatalogWarehouseAction::CanUse),
+                    (&warehouse, CAN_GET_ALL_TASKS_DETAILS_WAREHOUSE_PERMISSION),
                 ],
             )
             .await?
@@ -437,12 +445,16 @@ pub(crate) trait Service<C: CatalogStore, A: Authorizer, S: SecretStore> {
         // -------------------- AUTHZ --------------------
         let authorizer = context.v1_state.authz;
 
+        let warehouse =
+            C::get_active_warehouse_by_id(warehouse_id, context.v1_state.catalog.clone()).await;
+        let warehouse = authorizer.require_warehouse_presence(warehouse_id, warehouse)?;
+
         let [authz_can_use, authz_control_all] = authorizer
             .are_allowed_warehouse_actions_arr(
                 &request_metadata,
                 &[
-                    (warehouse_id, CatalogWarehouseAction::CanUse),
-                    (warehouse_id, CONTROL_TASK_WAREHOUSE_PERMISSION),
+                    (&warehouse, CatalogWarehouseAction::CanUse),
+                    (&warehouse, CONTROL_TASK_WAREHOUSE_PERMISSION),
                 ],
             )
             .await?
@@ -518,15 +530,17 @@ async fn authorize_list_tasks<A: Authorizer, C: CatalogStore>(
     authorizer: &A,
     catalog_state: C::State,
     request_metadata: &RequestMetadata,
-    warehouse_id: WarehouseId,
+    warehouse: &ResolvedWarehouse,
     entities: Option<&Vec<TaskEntity>>,
 ) -> Result<()> {
+    let warehouse_id = warehouse.warehouse_id;
+
     let [can_use, can_list_everything] = authorizer
         .are_allowed_warehouse_actions_arr(
             request_metadata,
             &[
-                (warehouse_id, CatalogWarehouseAction::CanUse),
-                (warehouse_id, CatalogWarehouseAction::CanListEverything),
+                (warehouse, CatalogWarehouseAction::CanUse),
+                (warehouse, CatalogWarehouseAction::CanListEverything),
             ],
         )
         .await?