feat: Support short and long usernames in rego (#5)

sbernauer · web-flow · commit 0c93fa753648 · 2024-02-23T11:33:18.000Z
diff --git a/rego/hdfs.rego b/rego/hdfs.rego
@@ -7,7 +7,7 @@ default allow = false
 # HDFS authorizer
 allow if {
     some acl in acls
-    matches_identity(input.callerUgi.shortUserName, acl.identity)
+    matches_identity(acl.identity)
     matches_resource(input.path, acl.resource)
     action_sufficient_for_operation(acl.action, input.operationName)
 }
@@ -19,14 +19,19 @@ groups := {group |
     group := trim_prefix(raw, "/")
 }
 
-# Identity mentions the user explicitly
-matches_identity(user, identity) if {
-    identity == concat("", ["user:", user])
+# Identity mentions the (long) userName explicitly
+matches_identity(identity) if {
+    identity == concat("", ["user:", input.callerUgi.userName])
 }
 
-# Identity mentions group the user is part of
-matches_identity(user, identity) if {
-    some group in groups_for_user[user]
+# Identity mentions the shortUserName explicitly
+matches_identity(identity) if {
+    identity == concat("", ["shortUser:", input.callerUgi.shortUserName])
+}
+
+# Identity mentions group the user is part of (by looking up using the (long) userName)
+matches_identity(identity) if {
+    some group in groups_for_user[input.callerUgi.userName]
     identity == concat("", ["group:", group])
 }
 
@@ -171,7 +176,11 @@ admin_actions := {
     "transitionToStandby": "full",
 }
 
-groups_for_user := {"admin": ["admins"], "alice": ["developers"], "bob": []}
+groups_for_user := {
+    "admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["admins"],
+    "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL": ["developers"],
+    "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL": []
+}
 
 acls := [
     {
@@ -190,22 +199,27 @@ acls := [
         "resource": "hdfs:dir:/developers-ro/",
     },
     {
-        "identity": "user:alice",
+        "identity": "user:alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         "action": "rw",
         "resource": "hdfs:dir:/alice/",
     },
     {
-        "identity": "user:bob",
+        "identity": "user:bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         "action": "rw",
         "resource": "hdfs:dir:/bob/",
     },
     {
-        "identity": "user:bob",
+        "identity": "user:bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         "action": "ro",
         "resource": "hdfs:dir:/developers/",
     },
     {
-        "identity": "user:bob",
+        "identity": "user:bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+        "action": "rw",
+        "resource": "hdfs:file:/developers/file-from-bob",
+    },
+    {
+        "identity": "shortUser:bob",
         "action": "rw",
         "resource": "hdfs:file:/developers/file-from-bob",
     },
diff --git a/rego/hdfs_test.rego b/rego/hdfs_test.rego
@@ -5,7 +5,8 @@ import rego.v1
 test_admin_access_to_slash if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "admin"
+            "shortUserName": "admin",
+            "userName": "admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/top-level",
         "operationName": "setErasureCodingPolicy",
@@ -15,7 +16,8 @@ test_admin_access_to_slash if {
 test_admin_access_to_alice if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "admin"
+            "shortUserName": "admin",
+            "userName": "admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/alice/file",
         "operationName": "create",
@@ -26,7 +28,8 @@ test_admin_access_to_alice if {
 test_admin_access_to_alice_nested_file if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "admin"
+            "shortUserName": "admin",
+            "userName": "admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/alice/nested/file",
         "operationName": "create",
@@ -36,7 +39,8 @@ test_admin_access_to_alice_nested_file if {
 test_admin_access_to_developers if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "admin"
+            "shortUserName": "admin",
+            "userName": "admin/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/developers/file",
         "operationName": "create",
@@ -48,7 +52,8 @@ test_admin_access_to_developers if {
 test_alice_access_to_alice_folder if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "alice"
+            "shortUserName": "alice",
+            "userName": "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/alice",
         "operationName": "create",
@@ -58,7 +63,8 @@ test_alice_access_to_alice_folder if {
 test_alice_access_to_alice if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "alice"
+            "shortUserName": "alice",
+            "userName": "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/alice/file",
         "operationName": "create",
@@ -68,7 +74,8 @@ test_alice_access_to_alice if {
 test_alice_no_access_to_bob if {
     not allow with input as {
         "callerUgi": {
-            "shortUserName": "alice"
+            "shortUserName": "alice",
+            "userName": "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/bob/file",
         "operationName": "open",
@@ -78,7 +85,8 @@ test_alice_no_access_to_bob if {
 test_alice_access_to_developers if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "alice"
+            "shortUserName": "alice",
+            "userName": "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/developers/file",
         "operationName": "create",
@@ -92,7 +100,8 @@ test_alice_access_to_developers if {
 test_bob_no_access_to_alice if {
     not allow with input as {
         "callerUgi": {
-            "shortUserName": "bob"
+            "shortUserName": "bob",
+            "userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/alice/file",
         "operationName": "open",
@@ -102,7 +111,8 @@ test_bob_no_access_to_alice if {
 test_bob_access_to_bob if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "bob"
+            "shortUserName": "bob",
+            "userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/bob/file",
         "operationName": "create",
@@ -112,7 +122,8 @@ test_bob_access_to_bob if {
 test_bob_ro_access_to_developers if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "bob"
+            "shortUserName": "bob",
+            "userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/developers/file",
         "operationName": "open",
@@ -122,7 +133,8 @@ test_bob_ro_access_to_developers if {
 test_bob_no_rw_access_to_developers if {
     not allow with input as {
         "callerUgi": {
-            "shortUserName": "bob"
+            "shortUserName": "bob",
+            "userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/developers/file",
         "operationName": "create",
@@ -132,7 +144,8 @@ test_bob_no_rw_access_to_developers if {
 test_bob_rw_access_to_developers_special_file if {
     allow with input as {
         "callerUgi": {
-            "shortUserName": "bob"
+            "shortUserName": "bob",
+            "userName": "bob/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
         },
         "path": "/developers/file-from-bob",
         "operationName": "create",
