Details
Major Description
I have a use case where a client would like to use Phoenix, and apply context-based security authorization for every query made, or at least for the duration of a connection. Phoenix could then allow for a custom plugin to validate that the user is allowed to run certain query types, and even start working with apps like Ranger and Atlas to provide authorization.
The first step to achieve this would be to make a small change to the wire protocol: namely, to get a token sent back as a reply upon opening a connection, and using that with every subsequent query.
Currently, the following http://calcite.apache.org/avatica/docs/protobuf_reference.html#openconnectionrequest seems to show that the connection ID is passed from the client to the server, and used throughout the connection lifecycle. If we had an extra optional token in the OpenConnectionReply with a server-specified token, that would enable a security context to be passed along every query:
message OpenConnectionResponse {
RpcMetadata metadata = 1;
string optionalSecContext = 2 ;
}
message CreateStatementRequest {
string connection_id = 1;
string optionalSecContext = 2 ;
}
....
message ExecuteBatchRequest {
string connection_id = 1;
uint32 statement_id = 2;
repeated UpdateBatch updates = 3;
string optionalSecContext = 4 ;
}
The current product does not allow for per-query contexts to be passed with each query. The current wire format returns a connection id that is client-initiated as soon as a connection request is made. Adding an extra token that is server-created and returned to the client after the connection is established, would allow the server to be able to do context-based access control on all the queries on a connection.