TINKERPOP-2389

Authorization support in TinkerPop

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.4.7
    • Fix Version/s: 3.5.0
    • Component/s: server
    • Labels: None

      Description

      Use case:

      1. TinkerPop supports multiple graphs through a single API, and an admin might want to restrict access to some of the graphs.
      2. An admin might want to restrict read/write access to certain users.

       

      Proposal

      Add read/write access restrictions at graph level. We can extend it to executing scripts by adding execute privileges.

       

      Changes required

      Add an `authorizer` block, similar to the `authentication` block, in the yaml file:

       

      authorization: {
        authorizer: org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
        authorizationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
        config: {
         }
      }

       

      Authorization will be done only if authentication is enabled. Authentication is done on a per-session basis, while authorization will be done for each and every request.

      In `SaslAuthorizationHandler` or `HttpAuthorizationHandler`, the query will be parsed and, depending on the step instructions, marked as a read or a write; privilege evaluation is then done by calling the `isAccessAllowed` method of the `Authorizer`.

      import java.util.Map;

      public interface Authorizer {
          /**
           * Whether or not authorization checks are required.
           * If false, no authorization check is performed for the user.
           */
          public boolean requireAuthorization();

          /**
           * Setup is called once upon system startup to initialize the {@code Authorizer}.
           */
          public void setup(final Map<String, Object> config);

          /**
           * A "standard" authorization implementation: returns whether the request is allowed.
           */
          public boolean isAccessAllowed(AuthorizationRequest authorizationRequest) throws AuthorizationException;
      }
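      As an added example (not code from the issue or from TinkerPop), a deny-by-default `Authorizer` implementing the interface above with a per-graph read/write ACL loaded from the `config` map of the yaml block. It assumes the page's `Authorizer` interface is in the same package, defines hypothetical `AuthorizationRequest` and `AuthorizationException` types because the issue does not show them, and needs Java 16+ for the record.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Hypothetical request/exception types; the issue does not define them.
record AuthorizationRequest(String user, String graphName, boolean write) {}
class AuthorizationException extends Exception {
    AuthorizationException(final String msg) { super(msg); }
}

/** Per-graph read/write ACL built from the authorizer's config map; deny by default. */
public class GraphAclAuthorizer implements Authorizer {
    // graph name -> (user -> "r" or "rw")
    private final Map<String, Map<String, String>> acl = new HashMap<>();

    @Override
    public boolean requireAuthorization() { return true; }

    @Override
    @SuppressWarnings("unchecked")
    public void setup(final Map<String, Object> config) {
        // Assumed shape of the yaml "config:" block (not specified by the issue):
        //   config: { graphs: { graph1: { alice: rw, bob: r } } }
        final Map<String, Object> graphs =
                (Map<String, Object>) config.getOrDefault("graphs", Collections.emptyMap());
        graphs.forEach((graph, users) -> {
            final Map<String, String> perms = new HashMap<>();
            ((Map<String, Object>) users).forEach((u, p) -> perms.put(u, String.valueOf(p)));
            acl.put(graph, perms);
        });
    }

    @Override
    public boolean isAccessAllowed(final AuthorizationRequest req) throws AuthorizationException {
        // Authorization presupposes authentication; an unauthenticated request is an error.
        if (req.user() == null) throw new AuthorizationException("unauthenticated request");
        final String perm = acl.getOrDefault(req.graphName(), Collections.emptyMap()).get(req.user());
        // Unknown graph or user: no grant, so deny.
        if (perm == null) return false;
        // A write needs "rw"; a read is satisfied by "r" or "rw". Anything else is denied.
        return "rw".equals(perm) || (!req.write() && "r".equals(perm));
    }
}
```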
      

      Access policies can be defined in tools like `Apache Ranger`, sample policy:

      People

      • Assignee: Stephen Mallette (spmallette)
      • Reporter: Shekhar Bansal (sb58)