Closed tb06904 closed 2 months ago
Attention: Patch coverage is 84.12698% with 10 lines in your changes missing coverage. Please review.
Project coverage is 66.80%. Comparing base (c0b950f) to head (27e8d3b).
To check my understanding, when these new classes are not used, the default user for GafferPop is used as the Gaffer user, and when they are used, the username is added using
with .
I'm assuming a username can still be supplied using
with
(as before) if these classes are not enabled in config?
Correct, when you don't specify any auth classes the user ID in the gafferpop.properties file will be used to construct the Gaffer user and you can arbitrarily set it via a with("userId", "id") to anything for a given query.
When the GafferPopAuthoriser is used it will block any attempts at setting the ID via a with() and instead pass on the ID of the current authorised user (from the authenticator class) by injecting its own with() into the query.
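The two modes described in the reply above, as an added example that is not part of the PR or of GafferPop's code: a simplified Python model in which `Traversal`, `authorise`, `resolve_user` and `run` are hypothetical names, and "last `userId` option wins" is an assumption made for the model.

```python
"""Simplified model (not GafferPop or TinkerPop code) of userId handling."""
from dataclasses import dataclass, field

USER_ID_KEY = "userId"  # option key named in the thread


class AuthorisationError(Exception):
    """Raised when a client tries to choose its own user ID."""


@dataclass
class Traversal:
    # Constructed stand-in for a Gremlin traversal: only its with() options.
    options: list = field(default_factory=list)  # [(key, value), ...]

    def with_(self, key, value):
        self.options.append((key, value))
        return self


def authorise(traversal, authenticated_user):
    """Auth enabled: reject a client-set userId, then inject the real one."""
    if any(key == USER_ID_KEY for key, _ in traversal.options):
        raise AuthorisationError("userId may not be set by the client")
    return Traversal(traversal.options + [(USER_ID_KEY, authenticated_user)])


def resolve_user(traversal, default_user):
    """User the graph runs as: last userId option, else the configured default."""
    user = default_user
    for key, value in traversal.options:
        if key == USER_ID_KEY:
            user = value  # assumption of this model: last option wins
    return user


def run(traversal, default_user, authenticated_user=None):
    """authenticated_user=None models a server with no auth classes configured."""
    if authenticated_user is not None:
        traversal = authorise(traversal, authenticated_user)
    return resolve_user(traversal, default_user)
```

Without the auth classes the user ID is whatever the client puts in `with_()`, so it is a label rather than an identity; with them the only source of the ID is the authenticated session.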
This adds the relevant hooks and framework for full user auth for gremlin server connections to GafferPop. It utilises the existing frameworks provided by Tinkerpop to ensure the authenticated user ID is passed on to the graph to use for the query. The way this works is by leveraging the custom GafferPopGraphStep to inject the userId via a with() step on the requested traversal; this is then passed on to the graph variables and used in the query. There are checks in place to prevent manually adding a with() step that sets the userId so that only the currently authorised user ID is used.

There is an example/default Authenticator class provided but this is intended to be used as a template for a specific implementation for a production environment's auth mechanism (for example tinkerpop provide a kerberos version here).

The way the authentication classes are activated is by adding the following config to the gremlin server yaml:
Related issue