Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Static authorization server interceptor implementation #8934

Merged
merged 15 commits into from
Dec 21, 2022
Merged

Static authorization server interceptor implementation #8934

merged 15 commits into from
Dec 21, 2022

Conversation

ashithasantosh
Copy link
Contributor

@ashithasantosh ashithasantosh commented Feb 21, 2022
edited
Loading

  1. Implements static authorization server interceptor with end to end tests.
  2. Adds support for "v3" HeaderMatcher proto by handling new fields like string_match.

@ashithasantosh ashithasantosh marked this pull request as ready for review February 22, 2022 17:50
ejona86
ejona86 reviewed Feb 25, 2022
View reviewed changes
Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was there a reason you didn't use RbacFilter directly?

CC @YifeiZhuang

@ashithasantosh
Copy link
Contributor Author

ashithasantosh commented Feb 25, 2022
edited by YifeiZhuang
Loading

Was there a reason you didn't use RbacFilter directly?

I moved the rbac parsing logic to a common location in io.grpc.xds.internal.rbac.engine package due to following reasons

  1. to avoid dependency on xds. Also RbacFilter is not public in io.grpc.xds; cannot be accessed from outside package
  2. for code readability. the code seemed more readable to me if we split the rbac parsing code into a different class, instead of depending on RbacFilter implementation

@YifeiZhuang
Copy link
Contributor

Was there a reason you didn't use RbacFilter directly?

I moved the rbac parsing logic to a common location in io.grpc.xds.internal.rbac.engine package due to following reasons

  1. to avoid dependency on xds. Also RbacFilter is not public in io.grpc.xds; cannot be accessed from outside package
  2. for code readability. the code seemed more readable to me if we split the rbac parsing code into a different class, instead of depending on RbacFilter implementation

I think Eric is saying you only need to call rbacfilter.buildServerIntercetor()
but yea we have to make RbacFilter accessible from auth

@ashithasantosh
Copy link
Contributor Author

ashithasantosh commented Mar 1, 2022
edited
Loading

I think Eric is saying you only need to call rbacfilter.buildServerIntercetor() but yea we have to make RbacFilter accessible from auth

In non-xDS authorization, we have upto two RBAC engines per Server Interceptor. And the grpc user can use the factory method to create the interceptor and attach it to server enabling grpc authorization.
gRPC Java authz API design

If we use rbac filter's method to generate server interceptor, then we would have upto two interceptors. This could complicate the API that we expose to the users or we could have two interceptors within an interceptor and keep the API unchanged. Also, when we introduce dynamic file reloading support, that is we reload the authorization policy periodically from file system, we would keep on creating new server interceptors as the policy changes, and this could complicate the design like we would have to consider the conditions where both interceptors aren't updated atomically, and we have authorization decisions being made with stale and new interceptor say. Plus code wise, I don't see any code duplication, just the creation and interception of interceptor, so I feel like we should keep xds and non-xds separate.

**EDIT: We can just swap the old with new internal static interceptor in file watcher to deal with synchronization issues. I still prefer keeping them separate as it simplifies code.

@ejona86
Copy link
Member

ejona86 commented Apr 4, 2022

This would complicate the API that we expose to the users

No. Two vs 1 interceptor internally should have no bearing on the API we expose to users.

I suggest we do something like

grpc-java/xds/src/main/java/io/grpc/xds/XdsNameResolver.java

Line 602 in 79f2562

private static ClientInterceptor combineInterceptors(final List<ClientInterceptor> interceptors) {

@ejona86 ejona86 mentioned this pull request May 18, 2022
Closed
@ashithasantosh
Copy link
Contributor Author

This would complicate the API that we expose to the users

No. Two vs 1 interceptor internally should have no bearing on the API we expose to users.

Right! I meant the same thing above (quoting previous message "or we could have two interceptors within an interceptor and keep the API unchanged")
I updated the implementation based on the comment. Please take a look. Sorry it took so long. I was on a month long vacation and was busy catching up on some work.

@ashithasantosh
Copy link
Contributor Author

@ejona86 Please take a look at the PR when you find time. Thank you:)

@ashithasantosh
Copy link
Contributor Author

@ejona86 Friendly ping!:)

@ashithasantosh
Copy link
Contributor Author

@ejona86 PTAL

1 similar comment
@ashithasantosh
Copy link
Contributor Author

@ejona86 PTAL

@ejona86
Copy link
Member

ejona86 commented Dec 8, 2022

@YifeiZhuang, do you know how we were missing contains and stringMatcher?

@ejona86
Copy link
Member

ejona86 commented Dec 8, 2022

@YifeiZhuang, do you know how we were missing contains and stringMatcher?

Oh, apparently they aren't used by this code, so that resolves some of my questions. I think they were just added later. @ashithasantosh simply noticed they were missing when comparing to C++, which makes sense.

ejona86
ejona86 reviewed Dec 20, 2022
View reviewed changes
Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me (modulo my comments), for the parts I've looked at. I'll let Yifei do the final full review.

xds/src/main/java/io/grpc/xds/InternalRbacFilter.java Show resolved Hide resolved
authz/src/main/java/io/grpc/authz/AuthorizationServerInterceptor.java Show resolved Hide resolved
authz/src/main/java/io/grpc/authz/AuthorizationServerInterceptor.java Outdated Show resolved Hide resolved
@ashithasantosh
Copy link
Contributor Author

@ejona86 Thank you for the review. PTAL I resolved all the comments.
@YifeiZhuang already approved the PR, should I wait on a final review?

@ashithasantosh ashithasantosh merged commit 0194ae9 into grpc:master Dec 21, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@YifeiZhuang YifeiZhuang YifeiZhuang approved these changes

@ejona86 ejona86 ejona86 approved these changes

Assignees

@ejona86 ejona86

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ashithasantosh @YifeiZhuang @ejona86