search

gchq / Gaffer

A large-scale entity and relation database supporting aggregation of properties
Apache License 2.0
1.75k stars 354 forks source link

Gh-2991: Improve User Authorisation in GafferPop #3202

Closed tb06904 closed 2 months ago

tb06904 commented 2 months ago

This adds the relevant hooks and framework for full user auth for gremlin server connections to GafferPop. It utilises the existing frameworks provided by Tinkerpop to ensure the authenticated user ID is passed on to the graph to use for the query. The way this works is by leveraging the custom GafferPopGraphStep to inject the userId via a with() step on the requested traversal, this is then passed onto the graph variables and used in the query. There are checks in place to prevent manually adding a with() step that sets the userId so that only the currently authorised user ID is used.

There is a example/default Authenticator class provided but this is intended to be used as a template for a specific implementation for a production environment's auth mechanism (for example tinkerpop provide a kerberos version here).

The way the authentication classes are activated is by adding the following config to the gremlin server yaml:

authentication: {
  authenticator: uk.gov.gchq.gaffer.tinkerpop.server.auth.DefaultGafferPopAuthenticator
}
authorization: {
  authorizer: uk.gov.gchq.gaffer.tinkerpop.server.auth.GafferPopAuthoriser
}

Related issue

codecov[bot] commented 2 months ago

Codecov Report

Attention: Patch coverage is 84.12698% with 10 lines in your changes are missing coverage. Please review.

Project coverage is 66.80%. Comparing base (c0b950f) to head (27e8d3b).

Files Patch % Lines
...pop/server/auth/ExampleGafferPopAuthenticator.java 77.77% 4 Missing and 4 partials :warning:
...fer/tinkerpop/server/auth/GafferPopAuthoriser.java 92.00% 1 Missing and 1 partial :warning:
Additional details and impacted files ```diff @@ Coverage Diff @@ ## develop #3202 +/- ## ============================================= + Coverage 66.78% 66.80% +0.02% + Complexity 2558 2556 -2 ============================================= Files 910 912 +2 Lines 29217 29279 +62 Branches 3256 3269 +13 ============================================= + Hits 19512 19560 +48 - Misses 8261 8268 +7 - Partials 1444 1451 +7 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

tb06904 commented 2 months ago

To check my understanding, when these new classes are not used, the default user for GafferPop is used as the Gaffer user, and when they are used, the username is added using with.

I'm assuming a username still be supplied using with (as before) if these classes are not enabled in config?

Correct, when you don't specify any auth classes the user ID in the gafferpop.properties file will be used to construct the Gaffer user and you can arbitrarily set it via a with("userId", "id") to anything for a given query.

When the GafferPopAuthoriser is used it will block any attempts at setting the ID via a with() and instead pass on the ID of the current authorised user (from the authenticator class) by injecting its own with() into the query.