From ba42bf6d9867e5360314803c4e887144dbf91eeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=B5=96=E8=BF=8E=E6=98=A5?= Date: Wed, 26 Apr 2023 15:52:46 +0800 Subject: [PATCH] [SKV-627] feat(security): Use Apache Ranger for access control(2/n) (#1375) --- src/rdsn/src/meta/meta_service.h | 2 + .../ranger/ranger_resource_policy_manager.cpp | 101 ++++++++++++++++++ .../ranger/ranger_resource_policy_manager.h | 63 +++++++++++ 3 files changed, 166 insertions(+) create mode 100644 src/rdsn/src/runtime/ranger/ranger_resource_policy_manager.cpp create mode 100644 src/rdsn/src/runtime/ranger/ranger_resource_policy_manager.h diff --git a/src/rdsn/src/meta/meta_service.h b/src/rdsn/src/meta/meta_service.h index b8b50967e1..f6fec22cde 100644 --- a/src/rdsn/src/meta/meta_service.h +++ b/src/rdsn/src/meta/meta_service.h @@ -176,6 +176,8 @@ class meta_service : public serverlet return metas.substr(0, metas.length() - 1); } + std::string cluster_root() const { return _cluster_root; } + private: void register_rpc_handlers(); void register_ctrl_commands(); diff --git a/src/rdsn/src/runtime/ranger/ranger_resource_policy_manager.cpp b/src/rdsn/src/runtime/ranger/ranger_resource_policy_manager.cpp new file mode 100644 index 0000000000..700ee941da --- /dev/null +++ b/src/rdsn/src/runtime/ranger/ranger_resource_policy_manager.cpp @@ -0,0 +1,101 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +#include +#include "meta/meta_options.h" +#include "ranger_resource_policy_manager.h" + +namespace dsn { +namespace ranger { + +namespace { +// Register access types of 'rpc_codes' as 'ac_type' to 'ac_type_of_rpc'. +// TODO(wanghao): A better way is to define the ac_type when defining rpc, and traverse all RPCs to +// register to avoid omission or duplication. +void register_rpc_access_type(access_type ac_type, + const std::vector &rpc_codes, + access_type_of_rpc_code &ac_type_of_rpc) +{ + for (const auto &rpc_code : rpc_codes) { + auto code = task_code::try_get(rpc_code, TASK_CODE_INVALID); + dassert_f(code == TASK_CODE_INVALID, ""); + ac_type_of_rpc.emplace(code, ac_type); + } +} +} // anonymous namespace + +ranger_resource_policy_manager::ranger_resource_policy_manager( + dsn::replication::meta_service *meta_svc) + : _meta_svc(meta_svc), _local_policy_version(0) +{ + _ranger_policy_meta_root = dsn::replication::meta_options::concat_path_unix_style( + _meta_svc->cluster_root(), "ranger_policy_meta_root"); + + // GLOBAL - KMetadata + register_rpc_access_type( + access_type::KMetadata, + {"RPC_CM_LIST_NODES", "RPC_CM_CLUSTER_INFO", "RPC_CM_LIST_APPS", "RPC_QUERY_DISK_INFO"}, + _ac_type_of_global_rpcs); + // GLOBAL - KControl + register_rpc_access_type(access_type::KControl, + {"RPC_HTTP_SERVICE", + "RPC_CM_CONTROL_META", + "RPC_CM_START_RECOVERY", + "RPC_REPLICA_DISK_MIGRATE", + "RPC_ADD_NEW_DISK", + "RPC_DETECT_HOTKEY", + "RPC_CLI_CLI_CALL_ACK"}, + _ac_type_of_global_rpcs); + // DATABASE - KList + register_rpc_access_type(access_type::KList, {"RPC_CM_LIST_APPS"}, _ac_type_of_database_rpcs); + // DATABASE - KCreate + register_rpc_access_type( + access_type::KCreate, {"RPC_CM_CREATE_APP"}, _ac_type_of_database_rpcs); + // DATABASE - KDrop + register_rpc_access_type( + access_type::KDrop, {"RPC_CM_DROP_APP", "RPC_CM_RECALL_APP"}, _ac_type_of_database_rpcs); + // DATABASE - KMetadata + register_rpc_access_type(access_type::KMetadata, + {"RPC_CM_QUERY_BACKUP_STATUS", + "RPC_CM_QUERY_RESTORE_STATUS", + "RPC_CM_QUERY_DUPLICATION", + "RPC_CM_QUERY_PARTITION_SPLIT", + "RPC_CM_QUERY_BULK_LOAD_STATUS", + "RPC_CM_QUERY_MANUAL_COMPACT_STATUS", + "RPC_CM_GET_MAX_REPLICA_COUNT"}, + _ac_type_of_database_rpcs); + // DATABASE - KControl + register_rpc_access_type(access_type::KControl, + {"RPC_CM_START_BACKUP_APP", + "RPC_CM_START_RESTORE", + "RPC_CM_PROPOSE_BALANCER", + "RPC_CM_ADD_DUPLICATION", + "RPC_CM_MODIFY_DUPLICATION", + "RPC_CM_UPDATE_APP_ENV", + "RPC_CM_DDD_DIAGNOSE", + "RPC_CM_START_PARTITION_SPLIT", + "RPC_CM_CONTROL_PARTITION_SPLIT", + "RPC_CM_START_BULK_LOAD", + "RPC_CM_CONTROL_BULK_LOAD", + "RPC_CM_CLEAR_BULK_LOAD", + "RPC_CM_START_MANUAL_COMPACT", + "RPC_CM_SET_MAX_REPLICA_COUNT", + "RPC_CM_RENAME_APP"}, + _ac_type_of_database_rpcs); +} +} // namespace ranger +} // namespace dsn diff --git a/src/rdsn/src/runtime/ranger/ranger_resource_policy_manager.h b/src/rdsn/src/runtime/ranger/ranger_resource_policy_manager.h new file mode 100644 index 0000000000..59f60c5273 --- /dev/null +++ b/src/rdsn/src/runtime/ranger/ranger_resource_policy_manager.h @@ -0,0 +1,63 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +#pragma once + +#include +#include +#include + +#include "meta/meta_service.h" +#include "ranger_resource_policy.h" +#include +#include + +namespace dsn { + +namespace replication { +class meta_service; +} + +namespace ranger { + +// Range access type of rpc codes +using access_type_of_rpc_code = std::unordered_map; + +class ranger_resource_policy_manager +{ +public: + ranger_resource_policy_manager(dsn::replication::meta_service *meta_svc); + + ~ranger_resource_policy_manager() = default; + +private: + // The path where policies to be saved in remote storage. + std::string _ranger_policy_meta_root; + + replication::meta_service *_meta_svc; + + // The access type of RPCs which access global level resources. + access_type_of_rpc_code _ac_type_of_global_rpcs; + + // The access type of RPCs which access database level resources. + access_type_of_rpc_code _ac_type_of_database_rpcs; + + // The Ranger policy version to determine whether to update. + int _local_policy_version; +}; +} // namespace ranger +} // namespace dsn