feat(security): implement meta server access controller (#655)

include/dsn/tool-api/network.h

@@ -244,6 +244,9 @@ class rpc_session : public ref_counter
     void set_negotiation_succeed();
     bool is_negotiation_succeed() const;
 
+    void set_client_username(const std::string &user_name);
+    const std::string &get_client_username() const;
+
 public:
     ///
     /// for subclass to implement receiving message
@@ -328,6 +331,10 @@ class rpc_session : public ref_counter
     rpc_client_matcher *_matcher;
 
     std::atomic_int _delay_server_receive_ms;
+
+    // _client_username is only valid if it is a server rpc_session.
+    // it represents the name of the corresponding client
+    std::string _client_username;
 };
 
 // --------- inline implementation --------------

include/dsn/utility/error_code.h

@@ -125,4 +125,5 @@ DEFINE_ERR_CODE(ERR_KRB5_INTERNAL)
 
 DEFINE_ERR_CODE(ERR_SASL_INTERNAL)
 DEFINE_ERR_CODE(ERR_SASL_INCOMPLETE)
+DEFINE_ERR_CODE(ERR_ACL_DENY)
 } // namespace dsn

include/dsn/utility/strings.h

@@ -4,6 +4,7 @@
 #include <vector>
 #include <list>
 #include <map>
+#include <unordered_set>
 #include <iostream>
 
 namespace dsn {
@@ -14,6 +15,11 @@ void split_args(const char *args,
                 char splitter = ' ',
                 bool keep_place_holder = false);
 
+void split_args(const char *args,
+                /*out*/ std::unordered_set<std::string> &sargs,
+                char splitter = ' ',
+                bool keep_place_holder = false);
+
 void split_args(const char *args, /*out*/ std::list<std::string> &sargs, char splitter = ' ');
 
 // kv_map sample (when item_splitter = ',' and kv_splitter = ':'):

src/meta/meta_service.cpp

@@ -47,6 +47,7 @@
 #include "meta/duplication/meta_duplication_service.h"
 #include "meta_split_service.h"
 #include "meta_bulk_load_service.h"
+#include "runtime/security/access_controller.h"
 
 namespace dsn {
 namespace replication {
@@ -76,6 +77,8 @@ meta_service::meta_service()
         "replica server disconnect count in the recent period");
     _unalive_nodes_count.init_app_counter(
         "eon.meta_service", "unalive_nodes", COUNTER_TYPE_NUMBER, "current count of unalive nodes");
+
+    _access_controller = security::create_meta_access_controller();
 }
 
 meta_service::~meta_service()
@@ -120,6 +123,12 @@ int meta_service::check_leader(TRpcHolder rpc, rpc_address *forward_address)
 template <typename TRpcHolder>
 bool meta_service::check_status(TRpcHolder rpc, rpc_address *forward_address)
 {
+    if (!_access_controller->allowed(rpc.dsn_request())) {
+        rpc.response().err = ERR_ACL_DENY;
+        ddebug("reject request with ERR_ACL_DENY");
+        return false;
+    }
+
     int result = check_leader(rpc, forward_address);
     if (result == 0)
         return false;
@@ -141,6 +150,13 @@ bool meta_service::check_status(TRpcHolder rpc, rpc_address *forward_address)
 template <typename TRespType>
 bool meta_service::check_status_with_msg(message_ex *req, TRespType &response_struct)
 {
+    if (!_access_controller->allowed(req)) {
+        ddebug("reject request with ERR_ACL_DENY");
+        response_struct.err = ERR_ACL_DENY;
+        reply(req, response_struct);
+        return false;
+    }
+
     int result = check_leader(req, nullptr);
     if (result == 0) {
         return false;

src/meta/meta_service.h

@@ -49,6 +49,9 @@
 #include "block_service/block_service_manager.h"
 
 namespace dsn {
+namespace security {
+class access_controller;
+} // namespace security
 namespace replication {
 
 class server_state;
@@ -261,6 +264,8 @@ class meta_service : public serverlet<meta_service>
     perf_counter_wrapper _unalive_nodes_count;
 
     dsn::task_tracker _tracker;
+
+    std::unique_ptr<security::access_controller> _access_controller;
 };
 
 } // namespace replication

src/runtime/rpc/network.cpp

@@ -495,6 +495,13 @@ bool rpc_session::is_negotiation_succeed() const
     }
 }
 
+void rpc_session::set_client_username(const std::string &user_name)
+{
+    _client_username = user_name;
+}
+
+const std::string &rpc_session::get_client_username() const { return _client_username; }
+
 ////////////////////////////////////////////////////////////////////////////////////////////////
 network::network(rpc_engine *srv, network *inner_provider)
     : _engine(srv), _client_hdr_format(NET_HDR_DSN), _unknown_msg_header_format(NET_HDR_INVALID)

src/runtime/security/access_controller.cpp

@@ -0,0 +1,47 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "access_controller.h"
+
+#include <dsn/utility/flags.h>
+#include <dsn/utility/strings.h>
+#include <dsn/utility/smart_pointers.h>
+#include "meta_access_controller.h"
+
+namespace dsn {
+namespace security {
+DSN_DEFINE_bool("security", enable_acl, false, "whether enable access controller or not");
+DSN_DEFINE_string("security", super_users, "", "super user for access controller");
+
+access_controller::access_controller() { utils::split_args(FLAGS_super_users, _super_users, ','); }
+
+access_controller::~access_controller() {}
+
+bool access_controller::pre_check(const std::string &user_name)
+{
+    if (!FLAGS_enable_acl || _super_users.find(user_name) != _super_users.end()) {
+        return true;
+    }
+    return false;
+}
+
+std::unique_ptr<access_controller> create_meta_access_controller()
+{
+    return make_unique<meta_access_controller>();
+}
+} // namespace security
+} // namespace dsn

src/runtime/security/access_controller.h

@@ -0,0 +1,54 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+#include <memory>
+#include <unordered_set>
+
+namespace dsn {
+class message_ex;
+namespace security {
+
+class access_controller
+{
+public:
+    access_controller();
+    virtual ~access_controller() = 0;
+
+    /**
+     * reset the access controller
+     *    acls - the new acls to reset
+     **/
+    virtual void reset(const std::string &acls){};
+
+    /**
+     * check if the message received is allowd to do something.
+     *   msg - the message received
+     **/
+    virtual bool allowed(message_ex *msg) = 0;
+
+protected:
+    bool pre_check(const std::string &user_name);
+    friend class meta_access_controller_test;
+
+    std::unordered_set<std::string> _super_users;
+};
+
+std::unique_ptr<access_controller> create_meta_access_controller();
+} // namespace security
+} // namespace dsn

src/runtime/security/meta_access_controller.cpp

@@ -0,0 +1,69 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "meta_access_controller.h"
+
+#include <dsn/tool-api/rpc_message.h>
+#include <dsn/utility/flags.h>
+#include <dsn/tool-api/network.h>
+#include <dsn/dist/fmt_logging.h>
+
+namespace dsn {
+namespace security {
+DSN_DEFINE_string("security",
+                  meta_acl_rpc_allow_list,
+                  "",
+                  "allowed list of rpc codes for meta_access_controller");
+
+meta_access_controller::meta_access_controller()
+{
+    // MetaServer serves the allow-list RPC from all users. RPCs unincluded are accessible to only
+    // superusers.
+    if (strlen(FLAGS_meta_acl_rpc_allow_list) == 0) {
+        register_allowed_list("RPC_CM_LIST_APPS");
+        register_allowed_list("RPC_CM_LIST_NODES");
+        register_allowed_list("RPC_CM_CLUSTER_INFO");
+        register_allowed_list("RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX");
+    } else {
+        std::vector<std::string> rpc_code_white_list;
+        utils::split_args(FLAGS_meta_acl_rpc_allow_list, rpc_code_white_list, ',');
+        for (const auto &rpc_code : rpc_code_white_list) {
+            register_allowed_list(rpc_code);
+        }
+    }
+}
+
+bool meta_access_controller::allowed(message_ex *msg)
+{
+    if (pre_check(msg->io_session->get_client_username()) ||
+        _allowed_rpc_code_list.find(msg->rpc_code().code()) != _allowed_rpc_code_list.end()) {
+        return true;
+    }
+    return false;
+}
+
+void meta_access_controller::register_allowed_list(const std::string &rpc_code)
+{
+    auto code = task_code::try_get(rpc_code, TASK_CODE_INVALID);
+    dassert_f(code != TASK_CODE_INVALID,
+              "invalid task code({}) in rpc_code_white_list of security section",
+              rpc_code);
+
+    _allowed_rpc_code_list.insert(code);
+}
+} // namespace security
+} // namespace dsn

src/runtime/security/meta_access_controller.h

@@ -0,0 +1,40 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+#include "access_controller.h"
+
+#include <unordered_set>
+
+namespace dsn {
+class message_ex;
+namespace security {
+
+class meta_access_controller : public access_controller
+{
+public:
+    meta_access_controller();
+    bool allowed(message_ex *msg) override;
+
+private:
+    void register_allowed_list(const std::string &rpc_code);
+
+    std::unordered_set<int> _allowed_rpc_code_list;
+};
+} // namespace security
+} // namespace dsn

src/runtime/security/sasl_wrapper.cpp

@@ -20,6 +20,7 @@
 #include "sasl_client_wrapper.h"
 
 #include <sasl/sasl.h>
+#include <dsn/utility/fail_point.h>
 
 namespace dsn {
 namespace security {
@@ -39,6 +40,26 @@ sasl_wrapper::~sasl_wrapper()
     }
 }
 
+error_s sasl_wrapper::retrive_username(std::string &output)
+{
+    FAIL_POINT_INJECT_F("sasl_wrapper_retrive_username", [](dsn::string_view str) {
+        error_code err = error_code::try_get(str.data(), ERR_UNKNOWN);
+        return error_s::make(err);
+    });
+
+    // retrive username from _conn.
+    // If this is a sasl server, it gets the name of the corresponding sasl client.
+    // But if this is a sasl client, it gets the name of itself
+    char *username = nullptr;
+    error_s err_s = wrap_error(sasl_getprop(_conn, SASL_USERNAME, (const void **)&username));
+    if (err_s.is_ok()) {
+        output = username;
+        output = output.substr(0, output.find_last_of('@'));
+        output = output.substr(0, output.find_first_of('/'));
+    }
+    return err_s;
+}
+
 error_s sasl_wrapper::wrap_error(int sasl_err)
 {
     error_s ret;

src/runtime/security/sasl_wrapper.h

@@ -31,6 +31,12 @@ class sasl_wrapper
     virtual error_s init() = 0;
     virtual error_s start(const std::string &mechanism, const blob &input, blob &output) = 0;
     virtual error_s step(const blob &input, blob &output) = 0;
+    /**
+     * retrive username from sasl connection.
+     * If this is a sasl server, it gets the name of the corresponding sasl client.
+     * But if this is a sasl client, it gets the name of itself
+     **/
+    error_s retrive_username(/*out*/ std::string &output);
 
 protected:
     sasl_wrapper() = default;