feat: Support OPA role mapping

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - Run a `containerdebug` process in the background of each Superset container to collect debugging information ([#578]).
 - Aggregate emitted Kubernetes events on the CustomResources ([#585]).
+- Opa Role mapping as optional custom manager for superset ([#582]).
 
 ### Changed
 
@@ -21,6 +22,7 @@
 [#568]: https://github.com/stackabletech/superset-operator/pull/568
 [#569]: https://github.com/stackabletech/superset-operator/pull/569
 [#578]: https://github.com/stackabletech/superset-operator/pull/578
+[#582]: https://github.com/stackabletech/superset-operator/pull/582
 [#585]: https://github.com/stackabletech/superset-operator/pull/585
 
 ## [24.11.0] - 2024-11-18

Cargo.toml

@@ -31,3 +31,5 @@ tracing = "0.1"
 # [patch."https://github.com/stackabletech/operator-rs.git"]
 # stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
 # stackable-operator = { path = "../operator-rs/crates/stackable-operator" }
+[patch."https://github.com/stackabletech/operator-rs.git"]
+stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/cache" }

deploy/helm/superset-operator/crds/crds.yaml

@@ -71,6 +71,40 @@ spec:
                           - authenticationClass
                         type: object
                       type: array
+                    authorization:
+                      description: 'Authorziation options for Superset. Currently only role mapping is enabled. This means if a user logs in and Opa authorization is enabled user roles got synced from opa into superset roles. Roles get created automated. Warning: This will discard all roles managed by the superset administrator.'
+                      nullable: true
+                      properties:
+                        opa:
+                          description: Configure the OPA stacklet [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) and the name of the Rego package containing your authorization rules. Consult the [OPA authorization documentation](https://docs.stackable.tech/home/nightly/concepts/opa) to learn how to deploy Rego authorization rules with OPA.
+                          nullable: true
+                          properties:
+                            cache:
+                              description: Configuration for an superset-internal cache for calls to OPA
+                              properties:
+                                entryTimeToLive:
+                                  default: 30s
+                                  description: Time to live per entry; Entries which were not queried within the given duration, are removed.
+                                  type: string
+                                maxEntries:
+                                  default: 1000
+                                  description: Maximum number of entries in the cache; If this threshold is reached then the least recently used item is removed.
+                                  format: uint32
+                                  minimum: 0.0
+                                  type: integer
+                              type: object
+                            configMapName:
+                              description: The [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for the OPA stacklet that should be used for authorization requests.
+                              type: string
+                            package:
+                              description: The name of the Rego package containing the Rego rules for the product.
+                              nullable: true
+                              type: string
+                          required:
+                            - cache
+                            - configMapName
+                          type: object
+                      type: object
                     clusterOperation:
                       default:
                         reconciliationPaused: false

docs/modules/superset/pages/usage-guide/security.adoc

@@ -126,6 +126,68 @@ Further information for specifying an AuthenticationClass for an OIDC provider c
 Superset has a concept called `Roles` which allows you to grant user permissions based on roles.
 Have a look at the {superset-security}[Superset documentation on Security^{external-link-icon}^].
 
+=== [[Opa]] Opa Roles Mapping
+
+Superset can sync roles from open policy agent. Currently only mapping is enabled as a larger refactoring of the upstream superset concerning their security management is announced.
+
+In order to map roles from Opa into superset, we expect rego rules with a rule name `user_roles`. In the below example two users `admin` and `testuser` have roles defined as rego rule in Rego V1 to be complient with OPA v1.0.0 release.
+
+IMPORTANT: Only role mapping is enabled. Permissions can only be added through the Superset UI. RBAC through OPA is not implemented.
+
+OPA rules can be synced using the xref:opa:usage-guide:user-info-fetcher[user-info-fetcher].
+
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: superset-opa-regorules
+  labels:
+    opa.stackable.tech/bundle: "true"
+data:
+  roles.rego: |
+    package superset
+
+    import rego.v1
+
+    default user_roles := []
+
+    user_roles := roles if {
+        some user in users
+        roles := user.roles
+        user.username == input.username
+    }
+# TODO: User opainfofetcher()
+    users := [
+        {"username": "admin", "roles": ["Admin", "Test"]},
+        {"username": "testuser", "roles": ["El_Testos", "Custom2"]}
+    ]
+----
+
+Mounting this `configMap` in superset as follows:
+
+[source,yaml]
+----
+apiVersion: superset.stackable.tech/v1alpha1
+kind: SupersetCluster
+metadata:
+  name: superset-with-opa-role-mapping
+spec:
+  clusterConfig:
+    authorization:
+      roleMappingFromOpa:
+        configMapName: superset-opa-regorules # <1>
+        package: superset
+        cache: # <2>
+          entryTimeToLive: 10s # <3>
+          maxEntries: 5 # <4>
+----
+
+<1> ConfigMap name containing rego rules
+<2> Mandatory Opa caching. If not set, default settings apply.
+<3> Time for cached entries per user can live. Defaults to 30s.
+<4> Number of maximum entries, defaults to 1000. Cache will be disabled for maxEntries: 0.
+
 === Superset database
 
 You can view all the available roles in the web interface of Superset and can also assign users to these roles.

rust/crd/src/lib.rs

@@ -7,14 +7,19 @@ use snafu::{OptionExt, ResultExt, Snafu};
 use stackable_operator::{
     commons::{
         affinity::StackableAffinity,
+        cache::TtlCache,
         cluster_operation::ClusterOperation,
+        opa::OpaConfig,
         product_image_selection::ProductImage,
         resources::{
             CpuLimitsFragment, MemoryLimitsFragment, NoRuntimeLimits, NoRuntimeLimitsFragment,
             Resources, ResourcesFragment,
         },
     },
-    config::{fragment, fragment::Fragment, fragment::ValidationError, merge::Merge},
+    config::{
+        fragment::{self, Fragment, ValidationError},
+        merge::Merge,
+    },
     k8s_openapi::apimachinery::pkg::api::resource::Quantity,
     kube::{runtime::reflector::ObjectRef, CustomResource, ResourceExt},
     memory::{BinaryMultiple, MemoryQuantity},
@@ -85,6 +90,12 @@ pub enum SupersetConfigOptions {
     AuthLdapTlsCertfile,
     AuthLdapTlsKeyfile,
     AuthLdapTlsCacertfile,
+    CustomSecurityManager,
+    StackableOpaBaseUrl,
+    StackableOpaPackage,
+    StackableOpaRule,
+    StackableOpaCacheMaxEntries,
+    StackableOpaCacheEntryTTL,
 }
 
 impl SupersetConfigOptions {
@@ -115,6 +126,7 @@ impl FlaskAppConfigOptions for SupersetConfigOptions {
             SupersetConfigOptions::LoggingConfigurator => PythonType::Expression,
             SupersetConfigOptions::AuthType => PythonType::Expression,
             SupersetConfigOptions::AuthUserRegistration => PythonType::BoolLiteral,
+            // Going to be an expression as we default it from env, if and only if opa is used
             SupersetConfigOptions::AuthUserRegistrationRole => PythonType::StringLiteral,
             SupersetConfigOptions::AuthRolesSyncAtLogin => PythonType::BoolLiteral,
             SupersetConfigOptions::AuthLdapServer => PythonType::StringLiteral,
@@ -132,6 +144,13 @@ impl FlaskAppConfigOptions for SupersetConfigOptions {
             SupersetConfigOptions::AuthLdapTlsCertfile => PythonType::StringLiteral,
             SupersetConfigOptions::AuthLdapTlsKeyfile => PythonType::StringLiteral,
             SupersetConfigOptions::AuthLdapTlsCacertfile => PythonType::StringLiteral,
+            // Configuration options used by CustomOpaSecurityManager
+            SupersetConfigOptions::CustomSecurityManager => PythonType::Expression,
+            SupersetConfigOptions::StackableOpaBaseUrl => PythonType::StringLiteral,
+            SupersetConfigOptions::StackableOpaPackage => PythonType::StringLiteral,
+            SupersetConfigOptions::StackableOpaRule => PythonType::StringLiteral,
+            SupersetConfigOptions::StackableOpaCacheMaxEntries => PythonType::IntLiteral,
+            SupersetConfigOptions::StackableOpaCacheEntryTTL => PythonType::IntLiteral,
         }
     }
 }
@@ -175,6 +194,13 @@ pub struct SupersetClusterConfig {
     #[serde(default)]
     pub authentication: Vec<SupersetClientAuthenticationDetails>,
 
+    /// Authorziation options for Superset.
+    /// Currently only role mapping is enabled. This means if a user logs in and Opa authorization is enabled
+    /// user roles got synced from opa into superset roles. Roles get created automated.
+    /// Warning: This will discard all roles managed by the superset administrator.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub authorization: Option<SupersetAuthorization>,
+
     /// The name of the Secret object containing the admin user credentials and database connection details.
     /// Read the
     /// [getting started guide first steps](DOCS_BASE_URL_PLACEHOLDER/superset/getting_started/first_steps)
@@ -238,6 +264,41 @@ impl CurrentlySupportedListenerClasses {
         }
     }
 }
+#[derive(Clone, Deserialize, Serialize, Eq, JsonSchema, Debug, PartialEq)]
+#[serde(rename_all = "camelCase")]
+pub struct SupersetOpaConfig {
+    #[serde(flatten)]
+    pub opa: OpaConfig,
+
+    /// Configuration for an superset-internal cache for calls to OPA
+    pub cache: TtlCache<30, 1000>,
+}
+
+#[derive(Clone, Deserialize, Serialize, Eq, JsonSchema, Debug, PartialEq)]
+#[serde(rename_all = "camelCase")]
+pub struct SupersetOpaCacheConfig {
+    /// Cache duration , e.g. `30m`, `1h` or `2d`
+    #[serde(default = "cache_ttl_default")]
+    pub entry_time_to_live: Duration,
+
+    /// Number of maximum user-role mappings cached concurrently
+    #[serde(default = "cache_max_entries_default")]
+    pub max_entries: u32,
+}
+
+fn cache_max_entries_default() -> u32 {
+    128
+}
+
+fn cache_ttl_default() -> Duration {
+    Duration::from_secs(30)
+}
+
+#[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct SupersetAuthorization {
+    pub opa: Option<SupersetOpaConfig>,
+}
 
 #[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
 #[serde(rename_all = "camelCase")]
@@ -472,6 +533,14 @@ impl SupersetCluster {
         }
     }
 
+    pub fn get_opa_config(&self) -> Option<&SupersetOpaConfig> {
+        self.spec
+            .cluster_config
+            .authorization
+            .as_ref()
+            .and_then(|a| a.opa.as_ref())
+    }
+
     /// Retrieve and merge resource configs for role and role groups
     pub fn merged_config(
         &self,

rust/operator-binary/src/authorization/mod.rs

@@ -0,0 +1 @@
+pub mod opa;

rust/operator-binary/src/authorization/opa.rs

@@ -0,0 +1,72 @@
+use stackable_operator::time::Duration;
+use std::collections::BTreeMap;
+
+use stackable_operator::{client::Client, commons::opa::OpaApiVersion};
+use stackable_superset_crd::{SupersetCluster, SupersetOpaConfig};
+
+pub struct SupersetOpaConfigResolved {
+    opa_base_url: String,
+    opa_package: Option<String>,
+    cache_max_entries: u32,
+    cache_ttl: Duration,
+}
+
+impl SupersetOpaConfigResolved {
+    pub async fn from_opa_config(
+        client: &Client,
+        superset: &SupersetCluster,
+        opa_config: &SupersetOpaConfig,
+    ) -> Result<Self, stackable_operator::commons::opa::Error> {
+        // Get opa_base_url for later use in CustomOpaSecurityManager
+        let opa_endpoint = opa_config
+            .opa
+            .full_document_url_from_config_map(client, superset, None, OpaApiVersion::V1)
+            .await?;
+
+        // striping package path from base url. Needed by CustomOpaSecurityManager.
+        let opa_base_url = match opa_config.opa.package.clone() {
+            Some(opa_package_name) => {
+                let opa_path = format!("/v1/data/{opa_package_name}");
+                opa_endpoint.replace(&opa_path, "")
+            }
+            None => opa_endpoint.replace("/v1/data/", ""),
+        };
+
+        Ok(SupersetOpaConfigResolved {
+            opa_base_url,
+            opa_package: opa_config.opa.package.to_owned(),
+            cache_max_entries: opa_config.cache.max_entries.to_owned(),
+            cache_ttl: opa_config.cache.entry_time_to_live.to_owned(),
+        })
+    }
+
+    // Adding necessary configurations. Imports are solved in config.rs
+    pub fn as_config(&self) -> BTreeMap<String, Option<String>> {
+        BTreeMap::from([
+            (
+                "CUSTOM_SECURITY_MANAGER".to_string(),
+                Some("OpaSupersetSecurityManager".to_string()),
+            ),
+            (
+                "STACKABLE_OPA_RULE".to_string(),
+                Some("user_roles".to_string()),
+            ),
+            (
+                "STACKABLE_OPA_BASE_URL".to_string(),
+                Some(self.opa_base_url.to_owned()),
+            ),
+            (
+                "STACKABLE_OPA_PACKAGE".to_string(),
+                self.opa_package.to_owned(),
+            ),
+            (
+                "STACKABLE_OPA_CACHE_MAX_ENTRIES".to_string(),
+                Some(self.cache_max_entries.to_string()),
+            ),
+            (
+                "STACKABLE_OPA_CACHE_ENTRY_TTL".to_string(),
+                Some(self.cache_ttl.as_secs().to_string()),
+            ),
+        ])
+    }
+}

rust/operator-binary/src/config.rs

@@ -35,6 +35,9 @@ pub const PYTHON_IMPORTS: &[&str] = &[
     "from log_config import StackableLoggingConfigurator",
     ];
 
+pub const OPA_IMPORTS: &[&str] =
+    &["from opa_authorizer.opa_manager import OpaSupersetSecurityManager"];
+
 pub fn add_superset_config(
     config: &mut BTreeMap<String, String>,
     authentication_config: &SupersetClientAuthenticationDetailsResolved,

rust/operator-binary/src/main.rs

@@ -29,6 +29,7 @@ use crate::{
     superset_controller::SUPERSET_FULL_CONTROLLER_NAME,
 };
 
+mod authorization;
 mod commands;
 mod config;
 mod controller_commons;