Adding userName based access control for table and database operations. (Netflix#285)

* Adding acl for table and database operations

* reverting other minor changes

* Refactoring the defaultAuthorizationService

Author: zhljen

metacat-client/src/main/java/com/netflix/metacat/client/module/MetacatErrorDecoder.java

@@ -25,6 +25,7 @@
 import com.netflix.metacat.common.exception.MetacatNotSupportedException;
 import com.netflix.metacat.common.exception.MetacatPreconditionFailedException;
 import com.netflix.metacat.common.exception.MetacatTooManyRequestsException;
+import com.netflix.metacat.common.exception.MetacatUnAuthorizedException;
 import com.netflix.metacat.common.json.MetacatJson;
 import com.netflix.metacat.common.json.MetacatJsonException;
 import feign.Response;
@@ -64,6 +65,8 @@ public Exception decode(final String methodKey, final Response response) {
                     return new MetacatNotSupportedException(message);
                 case 400: //BAD_REQUEST
                     return new MetacatBadRequestException(message);
+                case 403: //Forbidden
+                    return new MetacatUnAuthorizedException(message);
                 case 404: //NOT_FOUND
                     return new MetacatNotFoundException(message);
                 case 409: //CONFLICT

metacat-common-server/src/main/java/com/netflix/metacat/common/server/properties/AuthorizationServiceProperties.java

@@ -0,0 +1,126 @@
+/*
+ *  Copyright 2018 Netflix, Inc.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package com.netflix.metacat.common.server.properties;
+
+import com.netflix.metacat.common.QualifiedName;
+import com.netflix.metacat.common.exception.MetacatException;
+import com.netflix.servo.util.VisibleForTesting;
+import lombok.Data;
+import lombok.NonNull;
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Properties related to authorization.
+ *
+ * @author zhenl
+ * @since 1.2.0
+ */
+@Data
+public class AuthorizationServiceProperties {
+    private boolean enabled;
+    @NonNull
+    private CreateAcl createAcl = new CreateAcl();
+    @NonNull
+    private DeleteAcl deleteAcl = new DeleteAcl();
+
+    /**
+     * Create Acl properties.
+     *
+     * @author zhenl
+     * @since 1.2.0
+     */
+    @Data
+    public static class CreateAcl {
+        private String createAclStr;
+        private Map<QualifiedName, Set<String>> createAclMap;
+
+        /**
+         * Get the create acl map.
+         *
+         * @return The create acl map
+         */
+        public Map<QualifiedName, Set<String>> getCreateAclMap() {
+             if (createAclMap == null) {
+                createAclMap = createAclStr == null ? new HashMap<>()
+                    : getAclMap(createAclStr);
+            }
+            return createAclMap;
+        }
+    }
+
+    /**
+     * Delete Acl properties.
+     *
+     * @author zhenl
+     * @since 1.2.0
+     */
+    @Data
+    public static class DeleteAcl {
+        private String deleteAclStr;
+        private Map<QualifiedName, Set<String>> deleteAclMap;
+
+        /**
+         * Get the delete acl map.
+         *
+         * @return The delete acl map
+         */
+        public Map<QualifiedName, Set<String>> getDeleteAclMap() {
+            if (deleteAclMap == null) {
+                deleteAclMap = deleteAclStr == null ? new HashMap<>()
+                    : getAclMap(deleteAclStr);
+            }
+            return deleteAclMap;
+        }
+    }
+
+    /**
+     * Parse the configuration to get operation control. The control is at userName level
+     * and the controlled operations include create, delete, and rename for table.
+     * The format is below.
+     * db1:user1,user2|db2:user1,user2
+     *
+     * @param aclConfig the config strings for dbs
+     * @return acl config
+     */
+    @VisibleForTesting
+    private static Map<QualifiedName, Set<String>> getAclMap(final String aclConfig) {
+        final Map<QualifiedName, Set<String>> aclMap = new HashMap<>();
+        try {
+            for (String aclstr : StringUtils.split(aclConfig, "|")) {
+                for (QualifiedName key
+                    : PropertyUtils.delimitedStringsToQualifiedNamesList(
+                    aclstr.substring(0, aclstr.indexOf(":")), ',')) {
+                    aclMap.put(key,
+                        new HashSet<>(Arrays.asList(
+                            StringUtils.split(aclstr.substring(aclstr.indexOf(":") + 1), ","))));
+                }
+
+            }
+
+        } catch (Exception e) {
+            throw new MetacatException("metacat acl property parsing error" + e.getMessage());
+        }
+        return aclMap;
+    }
+}

metacat-common-server/src/main/java/com/netflix/metacat/common/server/properties/Config.java

@@ -16,6 +16,7 @@
 import com.netflix.metacat.common.QualifiedName;
 
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 /**
@@ -38,14 +39,18 @@ public interface Config {
 
     /**
      * Enable publishing partitions to elastic search.
+     *
      * @return true if publishing partitions to elastic search is enabled
      */
     boolean isElasticSearchPublishPartitionEnabled();
+
     /**
      * Enable publishing metacat es error logs to elastic search.
+     *
      * @return true if publishing metacat es error logs to elastic search is enabled
      */
     boolean isElasticSearchPublishMetacatLogEnabled();
+
     /**
      * Elastic search cluster name.
      *
@@ -348,4 +353,26 @@ public interface Config {
      * @return true if cache is enabled
      */
     boolean isCacheEnabled();
+
+    /**
+     * Enable authorization.
+     *
+     * @return true if authorization is enabled
+     */
+    boolean isAuthorizationEnabled();
+
+    /**
+     * Get the metacat create acl property.
+     *
+     * @return The metacat create acl property
+     */
+    Map<QualifiedName, Set<String>> getMetacatCreateAcl();
+
+    /**
+     * Get the metacat delete acl property.
+     *
+     * @return The metacat delete acl property
+     */
+    Map<QualifiedName, Set<String>> getMetacatDeleteAcl();
 }
+

metacat-common-server/src/main/java/com/netflix/metacat/common/server/properties/DefaultConfigImpl.java

@@ -22,6 +22,7 @@
 
 import javax.annotation.Nonnull;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 /**
@@ -419,4 +420,20 @@ public Set<QualifiedName> getNamesEnabledForDefinitionMetadataDelete() {
     public boolean isCacheEnabled() {
         return this.metacatProperties.getCache().isEnabled();
     }
+
+
+    @Override
+    public boolean isAuthorizationEnabled() {
+        return this.metacatProperties.getAuthorization().isEnabled();
+    }
+
+    @Override
+    public Map<QualifiedName, Set<String>> getMetacatCreateAcl() {
+        return this.metacatProperties.getAuthorization().getCreateAcl().getCreateAclMap();
+    }
+
+    @Override
+    public Map<QualifiedName, Set<String>> getMetacatDeleteAcl() {
+        return this.metacatProperties.getAuthorization().getDeleteAcl().getDeleteAclMap();
+    }
 }

metacat-common-server/src/main/java/com/netflix/metacat/common/server/properties/MetacatProperties.java

@@ -61,4 +61,6 @@ public class MetacatProperties {
     private UserMetadata usermetadata = new UserMetadata();
     @NonNull
     private CacheProperties cache = new CacheProperties();
+    @NonNull
+    private AuthorizationServiceProperties authorization = new AuthorizationServiceProperties();
 }

metacat-common-server/src/main/java/com/netflix/metacat/common/server/usermetadata/AuthorizationService.java

@@ -0,0 +1,42 @@
+/*
+ *  Copyright 2018 Netflix, Inc.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package com.netflix.metacat.common.server.usermetadata;
+
+import com.netflix.metacat.common.QualifiedName;
+
+/**
+ * Authorization Service API.
+ *
+ * @author zhenl
+ * @since 1.2.0
+ */
+public interface AuthorizationService {
+    /**
+     * Check metacat acl property if this operation is permitted.
+     *
+     * @param userName username
+     * @param name     qualified Name
+     * @param op       operation
+     */
+    default void checkPermission(final String userName,
+                                 final QualifiedName name,
+                                 final MetacatOperation op) {
+
+    }
+
+}

metacat-common-server/src/main/java/com/netflix/metacat/common/server/usermetadata/DefaultAuthorizationService.java

@@ -0,0 +1,85 @@
+/*
+ *  Copyright 2018 Netflix, Inc.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package com.netflix.metacat.common.server.usermetadata;
+
+import com.netflix.metacat.common.QualifiedName;
+import com.netflix.metacat.common.exception.MetacatUnAuthorizedException;
+import com.netflix.metacat.common.server.properties.Config;
+
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Config based authorization service implementation.
+ *
+ * @author zhenl
+ * @since 1.2.0
+ */
+public class DefaultAuthorizationService implements AuthorizationService {
+    private final Config config;
+
+    /**
+     * Constructor.
+     *
+     * @param config metacat config
+     */
+    public DefaultAuthorizationService(
+        final Config config
+    ) {
+        this.config = config;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void checkPermission(final String userName,
+                                final QualifiedName name,
+                                final MetacatOperation op) {
+        if (config.isAuthorizationEnabled()) {
+            switch (op) {
+                case CREATE:
+                    checkPermit(config.getMetacatCreateAcl(), userName, name, op);
+                    break;
+                case RENAME:
+                case DELETE:
+                    checkPermit(config.getMetacatDeleteAcl(), userName, name, op);
+                    break;
+                default:
+
+            }
+        }
+    }
+
+    /**
+     * Check at database level.
+     */
+    private void checkPermit(final Map<QualifiedName, Set<String>> accessACL,
+                             final String userName,
+                             final QualifiedName name,
+                             final MetacatOperation op) {
+        final Set<String> users =
+            accessACL.get(QualifiedName.ofDatabase(name.getCatalogName(), name.getDatabaseName()));
+        if ((users != null) && !users.isEmpty() && !users.contains(userName)) {
+            throw new MetacatUnAuthorizedException(String.format("%s is not permitted for %s %s",
+                userName, op.name(), name
+            ));
+        }
+    }
+
+}