Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RBAC support and authorization in all gRPC [WIP] #5533

Draft
wants to merge 6 commits into
base: license
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions config/quickwit.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -150,3 +150,9 @@ indexer:

jaeger:
enable_endpoint: ${QW_ENABLE_JAEGER_ENDPOINT:-true}

license: ${QW_LICENSE}

# authorization:
# root_key: ${QW_ROOT_KEY}
# node_token: ${QW_NODE_TOKEN}
80 changes: 59 additions & 21 deletions quickwit/Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 6 additions & 2 deletions quickwit/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
resolver = "2"
members = [
"quickwit-actors",
"quickwit-authorize",
"quickwit-aws",
"quickwit-cli",
"quickwit-cluster",
Expand All @@ -20,6 +21,7 @@ members = [
"quickwit-jaeger",
"quickwit-janitor",
"quickwit-lambda",
"quickwit-license",
"quickwit-macros",
"quickwit-metastore",

Expand All @@ -34,13 +36,13 @@ members = [
"quickwit-serve",
"quickwit-storage",
"quickwit-telemetry",
"quickwit-license",
]

# The following list excludes `quickwit-metastore-utils` and `quickwit-lambda`
# from the default member to ease build/deps.
default-members = [
"quickwit-actors",
"quickwit-authorize",
"quickwit-aws",
"quickwit-cli",
"quickwit-cluster",
Expand All @@ -52,6 +54,7 @@ default-members = [
"quickwit-datetime",
"quickwit-directories",
"quickwit-doc-mapper",
"quickwit-license",
"quickwit-index-management",
"quickwit-indexing",
"quickwit-ingest",
Expand Down Expand Up @@ -89,7 +92,6 @@ async-trait = "0.1"
base64 = "0.22"
binggan = { version = "0.14" }
biscuit-auth = "5.0.0"

bytes = { version = "1", features = ["serde"] }
bytesize = { version = "1.3.0", features = ["serde"] }
bytestring = "1.3.0"
Expand Down Expand Up @@ -238,6 +240,7 @@ tikv-jemalloc-ctl = "0.5"
tikv-jemallocator = "0.5"
time = { version = "0.3", features = ["std", "formatting", "macros"] }
tokio = { version = "1.40", features = ["full"] }
tokio-inherit-task-local = "0.2"
tokio-metrics = { version = "0.3.1", features = ["rt"] }
tokio-stream = { version = "0.1", features = ["sync"] }
tokio-util = { version = "0.7", features = ["full"] }
Expand Down Expand Up @@ -303,6 +306,7 @@ opendal = { version = "0.44", default-features = false }
reqsign = { version = "0.14", default-features = false }

quickwit-actors = { path = "quickwit-actors" }
quickwit-authorize = { path = "quickwit-authorize" }
quickwit-aws = { path = "quickwit-aws" }
quickwit-cli = { path = "quickwit-cli" }
quickwit-cluster = { path = "quickwit-cluster" }
Expand Down
29 changes: 29 additions & 0 deletions quickwit/quickwit-authorize/Cargo.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
[package]
name = "quickwit-authorize"
version.workspace = true
edition.workspace = true
homepage.workspace = true
documentation.workspace = true
repository.workspace = true
authors.workspace = true
license.workspace = true

[dependencies]
anyhow = { workspace = true, optional = true }
tower = { workspace = true}
biscuit-auth = { workspace = true, optional=true }
futures = { workspace = true }
http = { workspace = true }
itertools = { workspace = true }
tokio-inherit-task-local = { workspace = true }
serde = { workspace = true }
thiserror = { workspace = true }
tonic = { workspace = true }
tokio = { workspace = true }
tracing = { workspace = true }
pin-project = { workspace = true }

quickwit-common = { workspace = true }

[features]
enterprise = ["dep:biscuit-auth", "dep:anyhow"]
85 changes: 85 additions & 0 deletions quickwit/quickwit-authorize/src/community/mod.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
// Copyright (C) 2024 Quickwit, Inc.
//
// Quickwit is offered under the AGPL v3.0 and as commercial software.
// For commercial licensing, contact us at [email protected].
//
// AGPL:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
// published by the Free Software Foundation, either version 3 of the
// License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.

use std::future::Future;

use crate::AuthorizationError;

pub type AuthorizationToken = ();

pub trait Authorization {
fn attenuate(
&self,
_auth_token: AuthorizationToken,
) -> Result<AuthorizationToken, AuthorizationError> {
Ok(())
}
}

impl<T> Authorization for T {}

pub trait StreamAuthorization {
fn attenuate(
_auth_token: AuthorizationToken,
) -> std::result::Result<AuthorizationToken, AuthorizationError> {
Ok(())
}
}

impl<T> StreamAuthorization for T {}

pub fn extract_auth_token(
_req_metadata: &tonic::metadata::MetadataMap,
) -> Result<AuthorizationToken, AuthorizationError> {
Ok(())
}

pub fn set_auth_token(
_auth_token: &AuthorizationToken,
_req_metadata: &mut tonic::metadata::MetadataMap,
) {
}

pub fn authorize<R: Authorization>(
_req: &R,
_auth_token: &AuthorizationToken,
) -> Result<(), AuthorizationError> {
Ok(())
}

pub fn build_tonic_request_with_auth_token<R: Authorization>(
req: R,
) -> Result<tonic::Request<R>, AuthorizationError> {
Ok(tonic::Request::new(req))
}

pub fn authorize_stream<R: StreamAuthorization>(
_auth_token: &AuthorizationToken,
) -> Result<(), AuthorizationError> {
Ok(())
}

pub fn execute_with_authorization<F, O>(_: AuthorizationToken, f: F) -> impl Future<Output = O>
where F: Future<Output = O> {
f
}

pub fn authorize_request<R: Authorization>(_req: &R) -> Result<(), AuthorizationError> {
Ok(())
}
Loading
Loading