Add group-based and owner-based query access rules #9811
Conversation
| @JsonProperty("role") Optional<Pattern> roleRegex) | ||
| @JsonProperty("role") Optional<Pattern> roleRegex, | ||
| @JsonProperty("group") Optional<Pattern> groupRegex, | ||
| @JsonProperty("owner") Optional<Pattern> ownerRegex) |
There was a problem hiding this comment.
Now can grant alice to access to execute query that belongs to bob which does not make sense.
How about introducing "owner" in separate pull request where we can think of such corner cases? Or we should add check that execute cannot be used together with owner?
There was a problem hiding this comment.
I see where you're going with this. I like the idea of validating that an owner rule can't have execute. However, that does mean (in relation to your other comment) that queries that aren't yet executing should be considered "owner-less", imo. My concern is with a configuration like this one:
{
"group": "staff",
"owner": "alice",
"allow": ["view"]
},
{
"allow": ["execute"]
}In the above example, assuming that user alice is a member of group staff, if user alice is already considered the owner of a query when they try to execute, the first rule will match. And since execute isn't in the allow list, the call to canExecuteQuery will ultimately return false. We need that first rule to not match in order for alice to be allowed to execute queries.
I will add a commit to validate that any owner based rules do not allow execute.
There was a problem hiding this comment.
@kokosing I've added that validation, along with additional tests to cover the situation I outlined in my previous reply. I also updated the docs to include a note about this restriction.
If you still feel that the owner-based rules belong in a separate PR, I can split it. Please let me know.
There was a problem hiding this comment.
If you still feel that the owner-based rules belong in a separate PR, I can split it. Please let me know.
I think it is fine. However I would make this PR to have 2 commits. Notice the PR title Add group-based and owner-based query access rules. It is natural to split this using "delimiter" and into:
Add group-based query file based access rules.Add owner-based query file based access rules.
There was a problem hiding this comment.
No problem, I can do that.
| @@ -327,15 +327,15 @@ public void checkCanSetUser(Optional<Principal> principal, String userName) | |||
| @Override | |||
| public void checkCanExecuteQuery(SystemSecurityContext context) | |||
| { | |||
| if (!canAccessQuery(context.getIdentity(), QueryAccessRule.AccessMode.EXECUTE)) { | |||
| if (!canAccessQuery(context.getIdentity(), Optional.empty(), QueryAccessRule.AccessMode.EXECUTE)) { | |||
There was a problem hiding this comment.
Isn't the owner of the query is context.getIdentity().getUser()?
There was a problem hiding this comment.
The way I was looking at it, a query that is not yet executing doesn't yet have an owner.
| "queries": [ | ||
| { | ||
| "group": "contractors", | ||
| "owner": "alice|dave", |
There was a problem hiding this comment.
When I look at this json I find owner to be very misleading. It looks like a property of user like group and it takes me a while to recall that it is about the query not the user. How about using queryOwnedBy. IMO the best would be onQueryOwnedBy then it would be more or less like DSL. "group": "contractors", "allow": ["execute"], "onQueryOwnedBy": "alice|dave". However prefix on does not match the existing convention for other rules.
There was a problem hiding this comment.
I have no objections. I do want to note however that the owner field was already in the documentation - it was simply ignored by the code. If you're ok with changing it, then so am I! :)
You prefer queryOwnedBy over queryOwner? I don't mind either way - just checking.
I'll be honest, I'm assuming it's just a matter of time for someone to request support for queryOwnerMemberOf (for groups) and queryOwnerHasRole...
There was a problem hiding this comment.
Ok, I've split the commits and renamed the owner field to onQueryOwnedBy, as discussed.
| @JsonProperty("role") Optional<Pattern> roleRegex) | ||
| @JsonProperty("role") Optional<Pattern> roleRegex, | ||
| @JsonProperty("group") Optional<Pattern> groupRegex, | ||
| @JsonProperty("owner") Optional<Pattern> ownerRegex) |
There was a problem hiding this comment.
If you still feel that the owner-based rules belong in a separate PR, I can split it. Please let me know.
I think it is fine. However I would make this PR to have 2 commits. Notice the PR title Add group-based and owner-based query access rules. It is natural to split this using "delimiter" and into:
Add group-based query file based access rules.Add owner-based query file based access rules.
cccs-tom
force-pushed
the
feature/fix-9484
branch
from
182bef3 to
568680d
Compare
| * ``owner`` (optional): regex to match against the query owner name. Defaults to ``.*``. | ||
| * ``role`` (optional): regex to match against role names. Defaults to ``.*``. | ||
| * ``group`` (optional): regex to match against group names. Defaults to ``.*``. | ||
| * ``onQueryOwnedBy`` (optional): regex to match against the query owner name. Defaults to ``.*``. |
cccs-tom
force-pushed
the
feature/fix-9484
branch
from
568680d to
2138865
Compare
|
Merged, thanks! |
|
Thanks a lot for working on this @cccs-tom! |
Fixes #9484.
QueryAccessRule now supports a
groupregex to enable rules based on group membership and anownerregex to enable rules based on the query's owner.