From 5a924f62c1c6b51176a84aa0f163462d3a62ec0b Mon Sep 17 00:00:00 2001 From: Paul Masurel Date: Wed, 30 Oct 2024 17:41:00 +0900 Subject: [PATCH] authorization layer --- quickwit/Cargo.lock | 17 + quickwit/Cargo.toml | 8 +- quickwit/quickwit-codegen/example/Cargo.toml | 1 + .../example/src/authorization.rs | 26 ++ .../example/src/codegen/hello.rs | 36 +- quickwit/quickwit-codegen/example/src/lib.rs | 1 + quickwit/quickwit-codegen/src/codegen.rs | 28 +- quickwit/quickwit-ingest/Cargo.toml | 1 + quickwit/quickwit-ingest/src/authorize.rs | 25 ++ .../src/codegen/ingest_service.rs | 33 +- quickwit/quickwit-ingest/src/lib.rs | 1 + quickwit/quickwit-proto/Cargo.toml | 2 + quickwit/quickwit-proto/src/authorization.rs | 326 +++++++++++++++++ .../src/codegen/quickwit/quickwit.cluster.rs | 11 +- .../quickwit/quickwit.control_plane.rs | 99 ++++-- .../codegen/quickwit/quickwit.developer.rs | 11 +- .../src/codegen/quickwit/quickwit.indexing.rs | 11 +- .../quickwit/quickwit.ingest.ingester.rs | 102 ++++-- .../quickwit/quickwit.ingest.router.rs | 11 +- .../codegen/quickwit/quickwit.metastore.rs | 330 +++++++++++++----- quickwit/quickwit-proto/src/lib.rs | 1 + 21 files changed, 894 insertions(+), 187 deletions(-) create mode 100644 quickwit/quickwit-codegen/example/src/authorization.rs create mode 100644 quickwit/quickwit-ingest/src/authorize.rs create mode 100644 quickwit/quickwit-proto/src/authorization.rs diff --git a/quickwit/Cargo.lock b/quickwit/Cargo.lock index 558fe3bdede..f1851bba250 100644 --- a/quickwit/Cargo.lock +++ b/quickwit/Cargo.lock @@ -5947,6 +5947,19 @@ dependencies = [ "tracing", ] +[[package]] +name = "quickwit-auth" +version = "0.8.0" +dependencies = [ + "biscuit-auth", + "http 0.2.12", + "serde", + "thiserror", + "tokio", + "tonic", + "tracing", +] + [[package]] name = "quickwit-aws" version = "0.8.0" @@ -6072,6 +6085,7 @@ dependencies = [ "mockall", "prost 0.11.9", "quickwit-actors", + "quickwit-auth", "quickwit-codegen", "quickwit-common", "quickwit-proto", @@ -6350,6 +6364,7 @@ dependencies = [ "once_cell", "prost 0.11.9", "quickwit-actors", + "quickwit-auth", "quickwit-cluster", "quickwit-codegen", "quickwit-common", @@ -6601,6 +6616,7 @@ version = "0.8.0" dependencies = [ "anyhow", "async-trait", + "biscuit-auth", "bytes", "bytesize", "bytestring", @@ -6613,6 +6629,7 @@ dependencies = [ "prost-build", "prost-types 0.11.9", "quickwit-actors", + "quickwit-auth", "quickwit-codegen", "quickwit-common", "sea-query", diff --git a/quickwit/Cargo.toml b/quickwit/Cargo.toml index b91068fe5a3..082748687a8 100644 --- a/quickwit/Cargo.toml +++ b/quickwit/Cargo.toml @@ -2,6 +2,7 @@ resolver = "2" members = [ "quickwit-actors", + "quickwit-auth", "quickwit-aws", "quickwit-cli", "quickwit-cluster", @@ -20,6 +21,7 @@ members = [ "quickwit-jaeger", "quickwit-janitor", "quickwit-lambda", + "quickwit-license", "quickwit-macros", "quickwit-metastore", @@ -34,13 +36,14 @@ members = [ "quickwit-serve", "quickwit-storage", "quickwit-telemetry", - "quickwit-license", + "quickwit-telemetry", ] # The following list excludes `quickwit-metastore-utils` and `quickwit-lambda` # from the default member to ease build/deps. default-members = [ "quickwit-actors", + "quickwit-auth", "quickwit-aws", "quickwit-cli", "quickwit-cluster", @@ -52,6 +55,7 @@ default-members = [ "quickwit-datetime", "quickwit-directories", "quickwit-doc-mapper", + "quickwit-license", "quickwit-index-management", "quickwit-indexing", "quickwit-ingest", @@ -89,7 +93,6 @@ async-trait = "0.1" base64 = "0.22" binggan = { version = "0.14" } biscuit-auth = "5.0.0" - bytes = { version = "1", features = ["serde"] } bytesize = { version = "1.3.0", features = ["serde"] } bytestring = "1.3.0" @@ -303,6 +306,7 @@ opendal = { version = "0.44", default-features = false } reqsign = { version = "0.14", default-features = false } quickwit-actors = { path = "quickwit-actors" } +quickwit-auth = { path = "quickwit-auth" } quickwit-aws = { path = "quickwit-aws" } quickwit-cli = { path = "quickwit-cli" } quickwit-cluster = { path = "quickwit-cluster" } diff --git a/quickwit/quickwit-codegen/example/Cargo.toml b/quickwit/quickwit-codegen/example/Cargo.toml index e6380b1fb20..69617d20d8f 100644 --- a/quickwit/quickwit-codegen/example/Cargo.toml +++ b/quickwit/quickwit-codegen/example/Cargo.toml @@ -27,6 +27,7 @@ tower = { workspace = true } utoipa = { workspace = true } quickwit-actors = { workspace = true } +quickwit-auth = { workspace = true } quickwit-common = { workspace = true } quickwit-proto = { workspace = true } diff --git a/quickwit/quickwit-codegen/example/src/authorization.rs b/quickwit/quickwit-codegen/example/src/authorization.rs new file mode 100644 index 00000000000..fa4e0bf0f3d --- /dev/null +++ b/quickwit/quickwit-codegen/example/src/authorization.rs @@ -0,0 +1,26 @@ +use quickwit_auth::Authorization; +use quickwit_auth::AuthorizationError; +use quickwit_auth::AuthorizationToken; +use quickwit_auth::StreamAuthorization; + +use crate::GoodbyeRequest; +use crate::HelloRequest; +use crate::PingRequest; + +impl Authorization for HelloRequest { + fn attenuate(&self, auth_token: quickwit_auth::AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for GoodbyeRequest { + fn attenuate(&self, auth_token: quickwit_auth::AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl StreamAuthorization for PingRequest { + fn attenuate(auth_token: quickwit_auth::AuthorizationToken) -> Result { + Ok(auth_token) + } +} diff --git a/quickwit/quickwit-codegen/example/src/codegen/hello.rs b/quickwit/quickwit-codegen/example/src/codegen/hello.rs index 93b9b634ce7..38dee0dc214 100644 --- a/quickwit/quickwit-codegen/example/src/codegen/hello.rs +++ b/quickwit/quickwit-codegen/example/src/codegen/hello.rs @@ -805,9 +805,14 @@ impl hello_grpc_server::HelloGrpc for HelloGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .hello(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.hello(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -816,9 +821,14 @@ impl hello_grpc_server::HelloGrpc for HelloGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .goodbye(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.goodbye(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -828,12 +838,14 @@ impl hello_grpc_server::HelloGrpc for HelloGrpcServerAdapter { &self, request: tonic::Request>, ) -> Result, tonic::Status> { - self.inner - .0 - .ping({ - let streaming: tonic::Streaming<_> = request.into_inner(); - quickwit_common::ServiceStream::from(streaming) - }) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let streaming: tonic::Streaming<_> = request.into_inner(); + quickwit_common::ServiceStream::from(streaming) + }; + quickwit_auth::authorize_stream::(&auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.ping(req)) .await .map(|stream| tonic::Response::new( stream.map_err(crate::error::grpc_error_to_grpc_status), diff --git a/quickwit/quickwit-codegen/example/src/lib.rs b/quickwit/quickwit-codegen/example/src/lib.rs index 31572dafd94..6ff2bd41fac 100644 --- a/quickwit/quickwit-codegen/example/src/lib.rs +++ b/quickwit/quickwit-codegen/example/src/lib.rs @@ -21,6 +21,7 @@ mod error; #[path = "codegen/hello.rs"] mod hello; +mod authorization; use std::sync::atomic::{AtomicUsize, Ordering}; use std::sync::Arc; diff --git a/quickwit/quickwit-codegen/src/codegen.rs b/quickwit/quickwit-codegen/src/codegen.rs index 2775d712b1c..198ab048b14 100644 --- a/quickwit/quickwit-codegen/src/codegen.rs +++ b/quickwit/quickwit-codegen/src/codegen.rs @@ -1231,7 +1231,12 @@ fn generate_grpc_server_adapter_methods(context: &CodegenContext) -> TokenStream } } } else { - quote! { request.into_inner() } + quote! { + { + let req = request.into_inner(); + req + } + } }; let response_type = if syn_method.server_streaming { let associated_type_name = quote::format_ident!("{}Stream", syn_method.proto_name); @@ -1253,14 +1258,25 @@ fn generate_grpc_server_adapter_methods(context: &CodegenContext) -> TokenStream } else { quote! { tonic::Response::new } }; + + let authorize_block = if syn_method.client_streaming { + let stream_item = &syn_method.request_type; + quote! { + quickwit_auth::authorize_stream::<#stream_item>(&auth_token)?; + } + } else { + quote! { + quickwit_auth::authorize(&req, &auth_token)?; + } + }; let method = quote! { #associated_type async fn #method_name(&self, request: tonic::Request<#request_type>) -> Result, tonic::Status> { - self.inner - .0 - .#method_name(#method_arg) - .await + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = #method_arg; + #authorize_block; + quickwit_auth::AUTHORIZATION_TOKEN.scope(auth_token, self.inner.0.#method_name(req)).await .map(#into_response_type) .map_err(crate::error::grpc_error_to_grpc_status) } @@ -1270,6 +1286,8 @@ fn generate_grpc_server_adapter_methods(context: &CodegenContext) -> TokenStream stream } + + /// A [`ServiceGenerator`] wrapper that appends a suffix to the name of the wrapped service. It is /// used to add a `Grpc` suffix to the service, client, and server generated by tonic. struct WithSuffixServiceGenerator { diff --git a/quickwit/quickwit-ingest/Cargo.toml b/quickwit/quickwit-ingest/Cargo.toml index 5ac233859f8..3577addff50 100644 --- a/quickwit/quickwit-ingest/Cargo.toml +++ b/quickwit/quickwit-ingest/Cargo.toml @@ -36,6 +36,7 @@ ulid = { workspace = true } utoipa = { workspace = true } quickwit-actors = { workspace = true } +quickwit-auth = { workspace = true } quickwit-cluster = { workspace = true } quickwit-common = { workspace = true, features = ["testsuite"] } quickwit-config = { workspace = true } diff --git a/quickwit/quickwit-ingest/src/authorize.rs b/quickwit/quickwit-ingest/src/authorize.rs new file mode 100644 index 00000000000..c739f2adb1a --- /dev/null +++ b/quickwit/quickwit-ingest/src/authorize.rs @@ -0,0 +1,25 @@ +use quickwit_auth::Authorization; +use quickwit_auth::AuthorizationError; +use quickwit_auth::AuthorizationToken; + +use crate::FetchRequest; +use crate::IngestRequest; +use crate::TailRequest; + +impl Authorization for TailRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for IngestRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for FetchRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} diff --git a/quickwit/quickwit-ingest/src/codegen/ingest_service.rs b/quickwit/quickwit-ingest/src/codegen/ingest_service.rs index ac03fd52faf..8aeec3f2e86 100644 --- a/quickwit/quickwit-ingest/src/codegen/ingest_service.rs +++ b/quickwit/quickwit-ingest/src/codegen/ingest_service.rs @@ -872,9 +872,14 @@ impl ingest_service_grpc_server::IngestServiceGrpc for IngestServiceGrpcServerAd &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .ingest(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.ingest(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -883,9 +888,14 @@ impl ingest_service_grpc_server::IngestServiceGrpc for IngestServiceGrpcServerAd &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .fetch(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.fetch(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -894,9 +904,14 @@ impl ingest_service_grpc_server::IngestServiceGrpc for IngestServiceGrpcServerAd &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .tail(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.tail(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) diff --git a/quickwit/quickwit-ingest/src/lib.rs b/quickwit/quickwit-ingest/src/lib.rs index 12807f637b6..3bed1dd7833 100644 --- a/quickwit/quickwit-ingest/src/lib.rs +++ b/quickwit/quickwit-ingest/src/lib.rs @@ -31,6 +31,7 @@ mod mrecordlog_async; mod notifications; mod position; mod queue; +mod authorize; use std::collections::HashMap; use std::path::{Path, PathBuf}; diff --git a/quickwit/quickwit-proto/Cargo.toml b/quickwit/quickwit-proto/Cargo.toml index 8ba844df054..088235e9c28 100644 --- a/quickwit/quickwit-proto/Cargo.toml +++ b/quickwit/quickwit-proto/Cargo.toml @@ -12,6 +12,7 @@ license.workspace = true [dependencies] anyhow = { workspace = true } async-trait = { workspace = true } +biscuit-auth = { workspace = true } bytes = { workspace = true } bytesize = { workspace = true } bytestring = { workspace = true } @@ -36,6 +37,7 @@ utoipa = { workspace = true } zstd = { workspace = true } quickwit-actors = { workspace = true } +quickwit-auth = { workspace = true } quickwit-common = { workspace = true } [dev-dependencies] diff --git a/quickwit/quickwit-proto/src/authorization.rs b/quickwit/quickwit-proto/src/authorization.rs new file mode 100644 index 00000000000..6316aaac9e8 --- /dev/null +++ b/quickwit/quickwit-proto/src/authorization.rs @@ -0,0 +1,326 @@ +use std::time::Duration; +use std::time::SystemTime; + +use biscuit_auth::builder_ext::BuilderExt; +use quickwit_auth::Authorization; +use quickwit_auth::AuthorizationError; +use quickwit_auth::AuthorizationToken; +use quickwit_auth::StreamAuthorization; +use crate::cluster::FetchClusterStateRequest; +use crate::control_plane::AdviseResetShardsRequest; +use crate::control_plane::GetOrCreateOpenShardsRequest; +use crate::developer::GetDebugInfoRequest; +use crate::indexing::ApplyIndexingPlanRequest; +use crate::ingest::ingester::CloseShardsRequest; +use crate::ingest::ingester::DecommissionRequest; +use crate::ingest::ingester::InitShardsRequest; +use crate::ingest::ingester::OpenFetchStreamRequest; +use crate::ingest::ingester::OpenObservationStreamRequest; +use crate::ingest::ingester::PersistRequest; +use crate::ingest::ingester::RetainShardsRequest; +use crate::ingest::ingester::SynReplicationMessage; +use crate::ingest::ingester::TruncateShardsRequest; +use crate::ingest::router::IngestRequestV2; +use crate::metastore::DeleteQuery; +use crate::metastore::GetIndexTemplateRequest; +use crate::metastore::IndexMetadataRequest; +use crate::metastore::LastDeleteOpstampRequest; +use crate::metastore::ListDeleteTasksRequest; +use crate::metastore::ListIndexTemplatesRequest; +use crate::metastore::ListIndexesMetadataRequest; +use crate::metastore::ListShardsRequest; +use crate::metastore::ListSplitsRequest; +use crate::metastore::ListStaleSplitsRequest; +use crate::metastore::OpenShardsRequest; +use crate::metastore::PruneShardsRequest; +use crate::metastore::PublishSplitsRequest; +use crate::metastore::StageSplitsRequest; +use crate::metastore::UpdateSplitsDeleteOpstampRequest; +use biscuit_auth::macros::*; + +impl Authorization for crate::metastore::AcquireShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::AddSourceRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + + +impl Authorization for crate::metastore::CreateIndexRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + let mut builder = block!(r#"check if operation("create_index");"#); + builder.check_expiration_date(SystemTime::now() + Duration::from_secs(60)); + let new_auth_token = auth_token.append(builder)?; + Ok(new_auth_token) + } +} + +impl Authorization for crate::metastore::CreateIndexTemplateRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::DeleteIndexRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::DeleteIndexTemplatesRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::DeleteShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::DeleteSourceRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::DeleteSplitsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::FindIndexTemplateMatchesRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::IndexesMetadataRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::ToggleSourceRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::MarkSplitsForDeletionRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::ResetSourceCheckpointRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for crate::metastore::UpdateIndexRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for OpenObservationStreamRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for InitShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for OpenShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for FetchClusterStateRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for GetIndexTemplateRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for ListIndexTemplatesRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for PruneShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for ListShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for ListStaleSplitsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for ListDeleteTasksRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for UpdateSplitsDeleteOpstampRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for LastDeleteOpstampRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for DeleteQuery { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for GetOrCreateOpenShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for AdviseResetShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for GetDebugInfoRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for StageSplitsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for ListSplitsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for PublishSplitsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for ListIndexesMetadataRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for TruncateShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for CloseShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for RetainShardsRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for ApplyIndexingPlanRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for PersistRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for IndexMetadataRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl StreamAuthorization for SynReplicationMessage { + fn attenuate(auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for IngestRequestV2 { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + +impl Authorization for OpenFetchStreamRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} + + +impl Authorization for DecommissionRequest { + fn attenuate(&self, auth_token: AuthorizationToken) -> Result { + Ok(auth_token) + } +} diff --git a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.cluster.rs b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.cluster.rs index 38471f0ad7b..2b54c972f75 100644 --- a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.cluster.rs +++ b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.cluster.rs @@ -542,9 +542,14 @@ for ClusterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .fetch_cluster_state(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.fetch_cluster_state(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) diff --git a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.control_plane.rs b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.control_plane.rs index c14ef724de0..5de613c9a05 100644 --- a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.control_plane.rs +++ b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.control_plane.rs @@ -1779,9 +1779,14 @@ for ControlPlaneServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .create_index(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.create_index(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -1793,9 +1798,14 @@ for ControlPlaneServiceGrpcServerAdapter { tonic::Response, tonic::Status, > { - self.inner - .0 - .update_index(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.update_index(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -1804,9 +1814,14 @@ for ControlPlaneServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .delete_index(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.delete_index(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -1815,9 +1830,14 @@ for ControlPlaneServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .add_source(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.add_source(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -1826,9 +1846,14 @@ for ControlPlaneServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .toggle_source(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.toggle_source(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -1837,9 +1862,14 @@ for ControlPlaneServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .delete_source(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.delete_source(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -1848,9 +1878,14 @@ for ControlPlaneServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .get_or_create_open_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.get_or_create_open_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -1859,9 +1894,14 @@ for ControlPlaneServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .advise_reset_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.advise_reset_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -1870,9 +1910,14 @@ for ControlPlaneServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .prune_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.prune_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) diff --git a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.developer.rs b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.developer.rs index b05cc01aef8..cbe28bd2eb2 100644 --- a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.developer.rs +++ b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.developer.rs @@ -478,9 +478,14 @@ for DeveloperServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .get_debug_info(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.get_debug_info(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) diff --git a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.indexing.rs b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.indexing.rs index ae0ef465968..42514ba5003 100644 --- a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.indexing.rs +++ b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.indexing.rs @@ -491,9 +491,14 @@ for IndexingServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .apply_indexing_plan(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.apply_indexing_plan(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) diff --git a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.ingest.ingester.rs b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.ingest.ingester.rs index ccb13a5e44d..e18cc626151 100644 --- a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.ingest.ingester.rs +++ b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.ingest.ingester.rs @@ -2209,9 +2209,14 @@ for IngesterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .persist(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.persist(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -2223,12 +2228,14 @@ for IngesterServiceGrpcServerAdapter { &self, request: tonic::Request>, ) -> Result, tonic::Status> { - self.inner - .0 - .open_replication_stream({ - let streaming: tonic::Streaming<_> = request.into_inner(); - quickwit_common::ServiceStream::from(streaming) - }) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let streaming: tonic::Streaming<_> = request.into_inner(); + quickwit_common::ServiceStream::from(streaming) + }; + quickwit_auth::authorize_stream::(&auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.open_replication_stream(req)) .await .map(|stream| tonic::Response::new( stream.map_err(crate::error::grpc_error_to_grpc_status), @@ -2242,9 +2249,14 @@ for IngesterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .open_fetch_stream(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.open_fetch_stream(req)) .await .map(|stream| tonic::Response::new( stream.map_err(crate::error::grpc_error_to_grpc_status), @@ -2258,9 +2270,14 @@ for IngesterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .open_observation_stream(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.open_observation_stream(req)) .await .map(|stream| tonic::Response::new( stream.map_err(crate::error::grpc_error_to_grpc_status), @@ -2271,9 +2288,14 @@ for IngesterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .init_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.init_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -2282,9 +2304,14 @@ for IngesterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .retain_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.retain_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -2293,9 +2320,14 @@ for IngesterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .truncate_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.truncate_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -2304,9 +2336,14 @@ for IngesterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .close_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.close_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -2315,9 +2352,14 @@ for IngesterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .decommission(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.decommission(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) diff --git a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.ingest.router.rs b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.ingest.router.rs index 1f43bd342ca..16a078d360a 100644 --- a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.ingest.router.rs +++ b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.ingest.router.rs @@ -601,9 +601,14 @@ for IngestRouterServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .ingest(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.ingest(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) diff --git a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.metastore.rs b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.metastore.rs index 08b12006db3..1ca889eaf00 100644 --- a/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.metastore.rs +++ b/quickwit/quickwit-proto/src/codegen/quickwit/quickwit.metastore.rs @@ -5327,9 +5327,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .create_index(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.create_index(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5338,9 +5343,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .update_index(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.update_index(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5349,9 +5359,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .index_metadata(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.index_metadata(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5360,9 +5375,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .indexes_metadata(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.indexes_metadata(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5371,9 +5391,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .list_indexes_metadata(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.list_indexes_metadata(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5382,9 +5407,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .delete_index(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.delete_index(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5396,9 +5426,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .list_splits(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.list_splits(req)) .await .map(|stream| tonic::Response::new( stream.map_err(crate::error::grpc_error_to_grpc_status), @@ -5409,9 +5444,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .stage_splits(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.stage_splits(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5420,9 +5460,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .publish_splits(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.publish_splits(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5431,9 +5476,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .mark_splits_for_deletion(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.mark_splits_for_deletion(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5442,9 +5492,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .delete_splits(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.delete_splits(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5453,9 +5508,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .add_source(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.add_source(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5464,9 +5524,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .toggle_source(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.toggle_source(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5475,9 +5540,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .delete_source(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.delete_source(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5486,9 +5556,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .reset_source_checkpoint(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.reset_source_checkpoint(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5497,9 +5572,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .last_delete_opstamp(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.last_delete_opstamp(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5508,9 +5588,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .create_delete_task(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.create_delete_task(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5519,9 +5604,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .update_splits_delete_opstamp(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.update_splits_delete_opstamp(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5530,9 +5620,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .list_delete_tasks(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.list_delete_tasks(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5541,9 +5636,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .list_stale_splits(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.list_stale_splits(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5552,9 +5652,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .open_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.open_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5563,9 +5668,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .acquire_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.acquire_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5574,9 +5684,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .delete_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.delete_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5585,9 +5700,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .prune_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.prune_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5596,9 +5716,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .list_shards(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.list_shards(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5607,9 +5732,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .create_index_template(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.create_index_template(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5618,9 +5748,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .get_index_template(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.get_index_template(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5629,9 +5764,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .find_index_template_matches(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.find_index_template_matches(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5640,9 +5780,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .list_index_templates(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.list_index_templates(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) @@ -5651,9 +5796,14 @@ for MetastoreServiceGrpcServerAdapter { &self, request: tonic::Request, ) -> Result, tonic::Status> { - self.inner - .0 - .delete_index_templates(request.into_inner()) + let auth_token = quickwit_auth::get_auth_token(request.metadata())?; + let req = { + let req = request.into_inner(); + req + }; + quickwit_auth::authorize(&req, &auth_token)?; + quickwit_auth::AUTHORIZATION_TOKEN + .scope(auth_token, self.inner.0.delete_index_templates(req)) .await .map(tonic::Response::new) .map_err(crate::error::grpc_error_to_grpc_status) diff --git a/quickwit/quickwit-proto/src/lib.rs b/quickwit/quickwit-proto/src/lib.rs index c5a2aa5034d..14d1969c573 100644 --- a/quickwit/quickwit-proto/src/lib.rs +++ b/quickwit/quickwit-proto/src/lib.rs @@ -32,6 +32,7 @@ use tracing_opentelemetry::OpenTelemetrySpanExt; pub mod cluster; pub mod control_plane; +mod authorization; pub use {bytes, tonic}; pub mod developer; pub mod error;