WIP implementation opa-role-mapping

Author: Maleware

rust/crd/src/lib.rs

@@ -86,6 +86,9 @@ pub enum SupersetConfigOptions {
     AuthLdapTlsCertfile,
     AuthLdapTlsKeyfile,
     AuthLdapTlsCacertfile,
+    CustomSecurityManager,
+    StackableOpaEndpoint,
+    OpaPackageName,
 }
 
 impl SupersetConfigOptions {
@@ -133,6 +136,10 @@ impl FlaskAppConfigOptions for SupersetConfigOptions {
             SupersetConfigOptions::AuthLdapTlsCertfile => PythonType::StringLiteral,
             SupersetConfigOptions::AuthLdapTlsKeyfile => PythonType::StringLiteral,
             SupersetConfigOptions::AuthLdapTlsCacertfile => PythonType::StringLiteral,
+            SupersetConfigOptions::CustomSecurityManager => PythonType::StringLiteral,
+            SupersetConfigOptions::StackableOpaEndpoint => PythonType::StringLiteral,
+            SupersetConfigOptions::OpaPackageName => PythonType::StringLiteral,
+            // TODO: Set new options for OpaSecurityManager like:
         }
     }
 }

rust/operator-binary/src/authorization/opa.rs

@@ -1,11 +1,14 @@
+use std::collections::BTreeMap;
+
 use stackable_operator::{
     client::Client,
     commons::opa::{OpaApiVersion, OpaConfig},
 };
 use stackable_superset_crd::SupersetCluster;
 
 pub struct SupersetOpaConfig {
-    opa_role_mapping: bool,
+    opa_endpoint: String,
+    opa_package: Option<String>,
 }
 
 impl SupersetOpaConfig {
@@ -14,8 +17,44 @@ impl SupersetOpaConfig {
         superset: &SupersetCluster,
         opa_config: &OpaConfig,
     ) -> Result<Self, stackable_operator::commons::opa::Error> {
+        // Get opa_base_url for later use in CustomOpaSecurityManager
+        let opa_endpoint = opa_config
+            .full_document_url_from_config_map(client, superset, None, OpaApiVersion::V1)
+            .await?;
+
+        let opa_package = opa_config.package.clone();
         Ok(SupersetOpaConfig {
-            opa_role_mapping: true,
+            opa_endpoint,
+            opa_package,
         })
     }
+
+    // Adding necessary configurations. Imports are solved in config.rs
+    pub fn as_config(&self) -> BTreeMap<String, Option<String>> {
+        let config = BTreeMap::from([
+            (
+                "CUSTOM_SECURITY_MANAGER".to_string(),
+                Some("OpaSupersetSecurityManager".to_string()),
+            ),
+            (
+                "AUTH_USER_REGISTRATION_ROLE".to_string(),
+                Some("os.getenv('AUTH_USER_REGISTRATION_ROLE', 'Public')".to_string()),
+            ),
+            // TODO: Figure out how to tell a what are the
+            // rule names used.
+            (
+                "STACKABLE_OPA_RULE".to_string(),
+                Some("os.getenv('STACKABLE_OPA_RULE', 'user_roles')".to_string()),
+            ),
+            (
+                "STACKABLE_OPA_ENDPOINT".to_string(),
+                Some(self.opa_endpoint.clone()),
+            ),
+            (
+                "STACKABLE_OPA_PACKAGE".to_string(),
+                self.opa_package.clone(),
+            ),
+        ]);
+        config
+    }
 }

rust/operator-binary/src/config.rs

@@ -35,6 +35,10 @@ pub const PYTHON_IMPORTS: &[&str] = &[
     "from log_config import StackableLoggingConfigurator",
     ];
 
+// TODO: Eihter use or remove this
+pub const OPA_IMPORTS: &[&str] =
+    &["from superset.security.manager import OpaSupersetSecurityManager"];
+
 pub fn add_superset_config(
     config: &mut BTreeMap<String, String>,
     authentication_config: &SupersetClientAuthenticationDetailsResolved,

rust/operator-binary/src/superset_controller.rs

@@ -77,7 +77,7 @@ use strum::{EnumDiscriminants, IntoStaticStr};
 use crate::{
     authorization::opa::SupersetOpaConfig,
     commands::add_cert_to_python_certifi_command,
-    config::{self, PYTHON_IMPORTS},
+    config::{self, OPA_IMPORTS, PYTHON_IMPORTS},
     controller_commons::{self, CONFIG_VOLUME_NAME, LOG_CONFIG_VOLUME_NAME, LOG_VOLUME_NAME},
     operations::{graceful_shutdown::add_graceful_shutdown_config, pdb::add_pdbs},
     product_logging::{
@@ -426,6 +426,7 @@ pub async fn reconcile_superset(
             &rolegroup,
             rolegroup_config,
             &auth_config,
+            &superset_opa_config,
             &config.logging,
             vector_aggregator_address.as_deref(),
         )?;
@@ -553,11 +554,12 @@ fn build_rolegroup_config_map(
     rolegroup: &RoleGroupRef<SupersetCluster>,
     rolegroup_config: &HashMap<PropertyNameKind, BTreeMap<String, String>>,
     authentication_config: &SupersetClientAuthenticationDetailsResolved,
+    superset_opa_config: &Option<SupersetOpaConfig>,
     logging: &Logging<Container>,
     vector_aggregator_address: Option<&str>,
 ) -> Result<ConfigMap, Error> {
     let mut config_properties = BTreeMap::new();
-
+    let imports = PYTHON_IMPORTS;
     // TODO: this is true per default for versions 3.0.0 and up.
     //    We deactivate it here to keep existing functionality.
     //    However this is a security issue and should be configured properly
@@ -567,6 +569,18 @@ fn build_rolegroup_config_map(
     config::add_superset_config(&mut config_properties, authentication_config)
         .context(AddSupersetConfigSnafu)?;
 
+    // Adding opa configuration properties to config_properties.
+    // This will be injected as key/value pair in superset_config.py
+    if let Some(opa_config) = superset_opa_config {
+        for (k, v) in opa_config.as_config() {
+            config_properties.insert(k, v.unwrap_or_default());
+        }
+        // If opa role mapping is configured, insert CustomOpaSecurityManager import
+        for opa_import in OPA_IMPORTS {
+            imports.to_vec().push(&opa_import);
+        }
+    }
+
     // The order here should be kept in order to preserve overrides.
     // No properties should be added after this extend.
     config_properties.extend(
@@ -590,7 +604,7 @@ fn build_rolegroup_config_map(
     flask_app_config_writer::write::<SupersetConfigOptions, _, _>(
         &mut config_file,
         config_properties.iter(),
-        PYTHON_IMPORTS,
+        imports,
     )
     .with_context(|_| BuildRoleGroupConfigFileSnafu {
         rolegroup: rolegroup.clone(),