Major Description
Use case:
- Tinkerpop supports multiple graphs using a single API and admin might want to restrict access to some of the graphs.
- Admin might want to restrict read/write access to certain users.
Proposal
Add read/write access restrictions at graph level. We can extend it to executing scripts by adding execute privileges.
Changes required
Add `authorizer` block similar to `authentication` block in yaml file
authorization: {
authorizer: org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
authorizationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
config: {
}
}
Authorization will be done only if authentication is enabled. Authentication is done at per session basis while authorization will be done for each and every request.
In `SaslAuthorizationHandler` or `HttpAuthorizationHandler` query will be parsed and depending on the step instructions, the query will be marked as of type read or write and then privilege evaluation will be done by calling `isAccessAllowed` method of `Authorizer`
public interface Authorizer { /** * Whether or not the authorization requires check. * If false will not authorzie user. */ public boolean requireAuthorization(); /** * Setup is called once upon system startup to initialize the {@code Authorizer}. */ public void setup(final Map<String, Object> config); /** * A "standard" authorization implementation */ public boolean isAccessAllowed(AuthorizationRequest authorizationRequest) throws AuthorizationException; }
Access policies can be defined in tools like `Apache Ranger`, sample policy:
Attachments
Attachments
Issue Links
- relates to
-
TINKERPOP-2418 Store authenticated user on server pipeline
-
- Closed
-
- links to