  1. TinkerPop
  2. TINKERPOP-2389

Authorization support in TinkerPop


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Done
    • 3.4.7
    • 3.5.0
    • server
    • None

    Description

      Use case:

      1. TinkerPop supports multiple graphs using a single API, and an admin might want to restrict access to some of the graphs.
      2. An admin might want to restrict read/write access to certain users.

       

      Proposal

      Add read/write access restrictions at the graph level. We can extend this to executing scripts by adding execute privileges.

       

      Changes required

      Add an `authorizer` block, similar to the `authentication` block, in the YAML file

       

      authorization: {
        authorizer: org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
        authorizationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
        config: {
         }
      }

       

      Authorization will be done only if authentication is enabled. Authentication is done on a per-session basis, while authorization will be done for each and every request.

      In `SaslAuthorizationHandler` or `HttpAuthorizationHandler` the query will be parsed and, depending on the step instructions, marked as being of type read or write. Privilege evaluation will then be done by calling the `isAccessAllowed` method of `Authorizer`

      import java.util.Map;

      public interface Authorizer {
          /**
           * Whether or not an authorization check is required.
           * If false, the user will not be authorized.
           */
          public boolean requireAuthorization();

          /**
           * Setup is called once upon system startup to initialize the {@code Authorizer}.
           */
          public void setup(final Map<String, Object> config);

          /**
           * A "standard" authorization implementation: returns whether the
           * given request is allowed.
           */
          public boolean isAccessAllowed(AuthorizationRequest authorizationRequest) throws AuthorizationException;

      }
      

      Access policies can be defined in tools like `Apache Ranger`, sample policy:

       

       

       

            People

              spmallette Stephen Mallette
              sb58 Shekhar Bansal
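The per-request flow in the description (classify the parsed traversal as read or write, then call `isAccessAllowed`), written out as an added Java 16+ example; it is not part of the issue or of TinkerPop's code. The `AuthorizationRequest` fields, the step-name list used as input, `classify`, `authorize` and the grant table are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

public class GraphAclExample {
    enum Access { READ, WRITE }

    // Hypothetical shape: the issue names AuthorizationRequest but does not define it.
    record AuthorizationRequest(String user, String graph, Access access) {}

    // Steps that mutate the graph. Note that `property` writes, while `properties` only reads.
    static final Set<String> MUTATING_STEPS = Set.of("addV", "addE", "property", "drop");

    // A traversal is a write if any of its steps mutates; otherwise it is a read.
    static Access classify(List<String> stepNames) {
        return stepNames.stream().anyMatch(MUTATING_STEPS::contains) ? Access.WRITE : Access.READ;
    }

    // graph -> user -> granted privileges. Anything not listed is denied.
    private final Map<String, Map<String, Set<Access>>> grants;

    GraphAclExample(Map<String, Map<String, Set<Access>>> grants) {
        this.grants = grants;
    }

    // Same name as the proposed Authorizer method; called for every request.
    boolean isAccessAllowed(AuthorizationRequest req) {
        return grants.getOrDefault(req.graph(), Map.of())
                     .getOrDefault(req.user(), Set.of())
                     .contains(req.access());
    }

    // What a handler would do per request: classify, build the request, ask the authorizer.
    boolean authorize(String user, String graph, List<String> stepNames) {
        return isAccessAllowed(new AuthorizationRequest(user, graph, classify(stepNames)));
    }

    public static void main(String[] args) {
        // Constructed policy: alice has read/write on "hr" and read on "sales"; bob has read on "sales".
        GraphAclExample acl = new GraphAclExample(Map.of(
            "hr", Map.of("alice", Set.of(Access.READ, Access.WRITE)),
            "sales", Map.of("alice", Set.of(Access.READ), "bob", Set.of(Access.READ))));

        // Constructed requests, each given as the step names of an already parsed traversal.
        System.out.println(acl.authorize("alice", "sales", List.of("V", "has", "values")));   // g.V().has(..).values(..)
        System.out.println(acl.authorize("alice", "sales", List.of("V", "has", "property"))); // g.V().has(..).property(..)
        System.out.println(acl.authorize("bob", "hr", List.of("V", "count")));                // g.V().count()
        System.out.println(acl.authorize("alice", "hr", List.of("addV", "property")));        // g.addV(..).property(..)
    }
}
```

The lookup denies by default: a graph or user missing from the grant table yields an empty privilege set, so a request is allowed only when the exact privilege was granted.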