Netflix / metacat

Apache License 2.0

Auth Module for Connector Services #571

Closed amboz closed 7 months ago

amboz commented 8 months ago

This PR introduces the following:

  1. An authorization interface for connector services to authorize requests based on MetacatRequestContext and return an AuthorizationStatus. DefaultAuthorization can be overridden as needed with custom auth logic.
  2. ValidatingConnector{Catalog/Database/Partition/Table}Service classes (e.g. ValidatingConnectorTableService) which subsume the existing throttling functionality and also include the new auth functionality
  3. ConnectorFactoryDecorator decorates connector services with validating connector services based on whether rate limiting and/or auth is enabled. Enablement of auth is based on the connector.authorization-exempted config (ref).
  4. Tests to validate: (1) decoration and delegation for ConnectorFactoryManager, (2) auth and rate limiting application in validating connector services (example), and (3) ConnectorManager functionality under all possible combinations of auth and/or rate limiting enablement.

stevie9868 commented 7 months ago

Looks like previously, there are two places where we don't checkThrottling

ThrottlingConnectorPartitionService getPartitionNames and ThrottlingConnectorTableService.java getTableNames

Do we know why these two calls can be exempted from throttling check?

amboz commented 7 months ago

> Looks like previously, there are two places where we don't checkThrottling
>
> ThrottlingConnectorPartitionService getPartitionNames and ThrottlingConnectorTableService.java getTableNames
>
> Do we know why these two calls can be exempted from throttling check?

@stevie9868 my understanding is that these methods don't have a qualified resource associated with them, just prefix searches, and rate limiting is currently only on a per-resource basis
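
The decoration described in the PR summary and the throttling exemption discussed in the comments, as an added sketch that is not code from this PR or from Metacat. The interfaces, method signatures, the `decorate` helper and the choice to authorize prefix searches are assumptions; only the names AuthorizationStatus, checkThrottling and getTableNames and the connector.authorization-exempted setting come from the page.

```java
import java.util.List;
// Added sketch (Java 16+) with simplified stand-in types; not Metacat's real classes or signatures.
public class ValidatingDecoratorSketch {
    enum AuthorizationStatus { AUTHORIZED, DENIED }
    record RequestContext(String caller) {}  // stand-in for MetacatRequestContext
    interface Authorization { AuthorizationStatus authorize(RequestContext ctx, String resource); }
    interface RateLimiter { boolean hasExceeded(String qualifiedName); }
    interface TableService {
        String get(RequestContext ctx, String qualifiedName);
        List<String> getTableNames(RequestContext ctx, String prefix);
    }
    // Decorator: authorize, throttle per qualified resource, delegate. A null auth or limiter means that check is disabled.
    record ValidatingTableService(TableService delegate, Authorization auth, RateLimiter limiter) implements TableService {
        private void checkAuth(RequestContext ctx, String resource) {
            if (auth != null && auth.authorize(ctx, resource) != AuthorizationStatus.AUTHORIZED)
                throw new SecurityException(ctx.caller() + " denied on " + resource);
        }
        private void checkThrottling(String qualifiedName) {
            if (limiter != null && limiter.hasExceeded(qualifiedName))
                throw new IllegalStateException("rate limit exceeded for " + qualifiedName);
        }
        @Override public String get(RequestContext ctx, String qualifiedName) {
            checkAuth(ctx, qualifiedName);
            checkThrottling(qualifiedName);
            return delegate.get(ctx, qualifiedName);
        }
        @Override public List<String> getTableNames(RequestContext ctx, String prefix) {
            checkAuth(ctx, prefix);  // assumption: auth still applies to prefix searches
            // No checkThrottling: a prefix is not a qualified resource to key a limit on.
            return delegate.getTableNames(ctx, prefix);
        }
    }
    // Wrap only if a check is enabled; authExempted models connector.authorization-exempted.
    static TableService decorate(TableService raw, boolean authExempted, Authorization auth, RateLimiter limiter) {
        Authorization effective = authExempted ? null : auth;
        return (effective == null && limiter == null) ? raw : new ValidatingTableService(raw, effective, limiter);
    }
    public static void main(String[] args) {
        // Constructed sample: caller "guest" is denied; table "hive/db/hot" is over its limit.
        TableService raw = new TableService() {
            public String get(RequestContext c, String n) { return "table:" + n; }
            public List<String> getTableNames(RequestContext c, String p) { return List.of(p + "a", p + "b"); }
        };
        TableService svc = decorate(raw, false, (c, r) -> c.caller().equals("guest")
                ? AuthorizationStatus.DENIED : AuthorizationStatus.AUTHORIZED, n -> n.equals("hive/db/hot"));
        System.out.println(svc.getTableNames(new RequestContext("etl"), "hive/db/"));  // list call is not throttled
        try { svc.get(new RequestContext("etl"), "hive/db/hot"); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

Running authorization before throttling means a denied caller never consumes rate-limit budget for a resource, and an unthrottled prefix search remains a path whose cost is bounded only by whatever other limits sit in front of the service.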