First skeleton of opa integration

Author: Maleware

deploy/helm/superset-operator/crds/crds.yaml

@@ -71,6 +71,25 @@ spec:
                           - authenticationClass
                         type: object
                       type: array
+                    authorization:
+                      description: 'Authorziation options for Superset. Currently only role mapping is enabled. This means if a user logs in and Opa authorization is enabled user roles got synced from opa into superset roles. Roles get created automated. Warning: This will discard all roles managed by the superset administrator.'
+                      nullable: true
+                      properties:
+                        opa:
+                          description: Configure the OPA stacklet [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) and the name of the Rego package containing your authorization rules. Consult the [OPA authorization documentation](https://docs.stackable.tech/home/nightly/concepts/opa) to learn how to deploy Rego authorization rules with OPA.
+                          nullable: true
+                          properties:
+                            configMapName:
+                              description: The [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for the OPA stacklet that should be used for authorization requests.
+                              type: string
+                            package:
+                              description: The name of the Rego package containing the Rego rules for the product.
+                              nullable: true
+                              type: string
+                          required:
+                            - configMapName
+                          type: object
+                      type: object
                     clusterOperation:
                       default:
                         reconciliationPaused: false

rust/crd/src/lib.rs

@@ -8,6 +8,7 @@ use stackable_operator::{
     commons::{
         affinity::StackableAffinity,
         cluster_operation::ClusterOperation,
+        opa::OpaConfig,
         product_image_selection::ProductImage,
         resources::{
             CpuLimitsFragment, MemoryLimitsFragment, NoRuntimeLimits, NoRuntimeLimitsFragment,
@@ -175,6 +176,13 @@ pub struct SupersetClusterConfig {
     #[serde(default)]
     pub authentication: Vec<SupersetClientAuthenticationDetails>,
 
+    /// Authorziation options for Superset.
+    /// Currently only role mapping is enabled. This means if a user logs in and Opa authorization is enabled
+    /// user roles got synced from opa into superset roles. Roles get created automated.
+    /// Warning: This will discard all roles managed by the superset administrator.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub authorization: Option<SupersetAuthorization>,
+
     /// The name of the Secret object containing the admin user credentials and database connection details.
     /// Read the
     /// [getting started guide first steps](DOCS_BASE_URL_PLACEHOLDER/superset/getting_started/first_steps)
@@ -239,6 +247,12 @@ impl CurrentlySupportedListenerClasses {
     }
 }
 
+#[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct SupersetAuthorization {
+    pub opa: Option<OpaConfig>,
+}
+
 #[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct SupersetCredentials {
@@ -472,6 +486,14 @@ impl SupersetCluster {
         }
     }
 
+    pub fn get_opa_config(&self) -> Option<&OpaConfig> {
+        self.spec
+            .cluster_config
+            .authorization
+            .as_ref()
+            .and_then(|a| a.opa.as_ref())
+    }
+
     /// Retrieve and merge resource configs for role and role groups
     pub fn merged_config(
         &self,

rust/operator-binary/src/authorization/mod.rs

@@ -0,0 +1 @@
+pub mod opa;

rust/operator-binary/src/authorization/opa.rs

@@ -0,0 +1,21 @@
+use stackable_operator::{
+    client::Client,
+    commons::opa::{OpaApiVersion, OpaConfig},
+};
+use stackable_superset_crd::SupersetCluster;
+
+pub struct SupersetOpaConfig {
+    opa_role_mapping: bool,
+}
+
+impl SupersetOpaConfig {
+    pub async fn from_opa_config(
+        client: &Client,
+        superset: &SupersetCluster,
+        opa_config: &OpaConfig,
+    ) -> Result<Self, stackable_operator::commons::opa::Error> {
+        Ok(SupersetOpaConfig {
+            opa_role_mapping: true,
+        })
+    }
+}

rust/operator-binary/src/main.rs

@@ -23,6 +23,7 @@ use stackable_superset_crd::{druidconnection::DruidConnection, SupersetCluster,
 use crate::druid_connection_controller::DRUID_CONNECTION_CONTROLLER_NAME;
 use crate::superset_controller::SUPERSET_CONTROLLER_NAME;
 
+mod authorization;
 mod commands;
 mod config;
 mod controller_commons;

rust/operator-binary/src/superset_controller.rs

@@ -75,6 +75,7 @@ use stackable_superset_crd::{
 use strum::{EnumDiscriminants, IntoStaticStr};
 
 use crate::{
+    authorization::opa::SupersetOpaConfig,
     commands::add_cert_to_python_certifi_command,
     config::{self, PYTHON_IMPORTS},
     controller_commons::{self, CONFIG_VOLUME_NAME, LOG_CONFIG_VOLUME_NAME, LOG_VOLUME_NAME},
@@ -283,6 +284,10 @@ pub enum Error {
     InvalidSupersetCluster {
         source: error_boundary::InvalidObject,
     },
+    #[snafu(display("invalid OpaConfig"))]
+    InvalidOpaConfig {
+        source: stackable_operator::commons::opa::Error,
+    },
 }
 
 type Result<T, E = Error> = std::result::Result<T, E>;
@@ -371,6 +376,15 @@ pub async fn reconcile_superset(
     )
     .context(CreateClusterResourcesSnafu)?;
 
+    let superset_opa_config = match superset.get_opa_config() {
+        Some(opa_config) => Some(
+            SupersetOpaConfig::from_opa_config(client, superset, opa_config)
+                .await
+                .context(InvalidOpaConfigSnafu)?,
+        ),
+        None => None,
+    };
+
     let (rbac_sa, rbac_rolebinding) = build_rbac_resources(
         superset,
         APP_NAME,