Skip to content

Static authorization server interceptor implementation#8934

Merged
ashithasantosh merged 15 commits into
grpc:masterfrom
ashithasantosh:interceptor_impl
Dec 21, 2022
Merged

Static authorization server interceptor implementation#8934
ashithasantosh merged 15 commits into
grpc:masterfrom
ashithasantosh:interceptor_impl

Conversation

@ashithasantosh

@ashithasantosh ashithasantosh commented Feb 21, 2022

Copy link
Copy Markdown
Contributor
  1. Implements static authorization server interceptor with end to end tests.
  2. Adds support for "v3" HeaderMatcher proto by handling new fields like string_match.

@ashithasantosh ashithasantosh marked this pull request as ready for review February 22, 2022 17:50

@ejona86 ejona86 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was there a reason you didn't use RbacFilter directly?

CC @YifeiZhuang

@ashithasantosh

ashithasantosh commented Feb 25, 2022

Copy link
Copy Markdown
Contributor Author

Was there a reason you didn't use RbacFilter directly?

I moved the rbac parsing logic to a common location in io.grpc.xds.internal.rbac.engine package due to following reasons

  1. to avoid dependency on xds. Also RbacFilter is not public in io.grpc.xds; cannot be accessed from outside package
  2. for code readability. the code seemed more readable to me if we split the rbac parsing code into a different class, instead of depending on RbacFilter implementation

@YifeiZhuang

Copy link
Copy Markdown
Member

Was there a reason you didn't use RbacFilter directly?

I moved the rbac parsing logic to a common location in io.grpc.xds.internal.rbac.engine package due to following reasons

  1. to avoid dependency on xds. Also RbacFilter is not public in io.grpc.xds; cannot be accessed from outside package
  2. for code readability. the code seemed more readable to me if we split the rbac parsing code into a different class, instead of depending on RbacFilter implementation

I think Eric is saying you only need to call rbacfilter.buildServerIntercetor()
but yea we have to make RbacFilter accessible from auth

@ashithasantosh

ashithasantosh commented Mar 1, 2022

Copy link
Copy Markdown
Contributor Author

I think Eric is saying you only need to call rbacfilter.buildServerIntercetor() but yea we have to make RbacFilter accessible from auth

In non-xDS authorization, we have upto two RBAC engines per Server Interceptor. And the grpc user can use the factory method to create the interceptor and attach it to server enabling grpc authorization.
gRPC Java authz API design

If we use rbac filter's method to generate server interceptor, then we would have upto two interceptors. This could complicate the API that we expose to the users or we could have two interceptors within an interceptor and keep the API unchanged. Also, when we introduce dynamic file reloading support, that is we reload the authorization policy periodically from file system, we would keep on creating new server interceptors as the policy changes, and this could complicate the design like we would have to consider the conditions where both interceptors aren't updated atomically, and we have authorization decisions being made with stale and new interceptor say. Plus code wise, I don't see any code duplication, just the creation and interception of interceptor, so I feel like we should keep xds and non-xds separate.

**EDIT: We can just swap the old with new internal static interceptor in file watcher to deal with synchronization issues. I still prefer keeping them separate as it simplifies code.

@ejona86

ejona86 commented Apr 4, 2022

Copy link
Copy Markdown
Member

This would complicate the API that we expose to the users

No. Two vs 1 interceptor internally should have no bearing on the API we expose to users.

I suggest we do something like

private static ClientInterceptor combineInterceptors(final List<ClientInterceptor> interceptors) {

@ashithasantosh

Copy link
Copy Markdown
Contributor Author

This would complicate the API that we expose to the users

No. Two vs 1 interceptor internally should have no bearing on the API we expose to users.

Right! I meant the same thing above (quoting previous message "or we could have two interceptors within an interceptor and keep the API unchanged")
I updated the implementation based on the comment. Please take a look. Sorry it took so long. I was on a month long vacation and was busy catching up on some work.

@ashithasantosh

Copy link
Copy Markdown
Contributor Author

@ejona86 Please take a look at the PR when you find time. Thank you:)

@ashithasantosh

Copy link
Copy Markdown
Contributor Author

@ejona86 Friendly ping!:)

@ashithasantosh

Copy link
Copy Markdown
Contributor Author

@ejona86 PTAL

1 similar comment
@ashithasantosh

Copy link
Copy Markdown
Contributor Author

@ejona86 PTAL

Comment thread authz/src/main/java/io/grpc/authz/AuthorizationServerInterceptor.java Outdated
@ejona86 ejona86 requested a review from YifeiZhuang December 8, 2022 23:31
@ejona86

ejona86 commented Dec 8, 2022

Copy link
Copy Markdown
Member

@YifeiZhuang, do you know how we were missing contains and stringMatcher?

@ejona86

ejona86 commented Dec 8, 2022

Copy link
Copy Markdown
Member

@YifeiZhuang, do you know how we were missing contains and stringMatcher?

Oh, apparently they aren't used by this code, so that resolves some of my questions. I think they were just added later. @ashithasantosh simply noticed they were missing when comparing to C++, which makes sense.

Comment thread authz/src/test/java/io/grpc/authz/AuthorizationEnd2EndTest.java
Comment thread xds/src/main/java/io/grpc/xds/internal/Matchers.java Outdated

@ejona86 ejona86 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me (modulo my comments), for the parts I've looked at. I'll let Yifei do the final full review.

Comment thread xds/src/main/java/io/grpc/xds/InternalRbacFilter.java
Comment thread authz/src/main/java/io/grpc/authz/AuthorizationServerInterceptor.java Outdated
@ashithasantosh

Copy link
Copy Markdown
Contributor Author

@ejona86 Thank you for the review. PTAL I resolved all the comments.
@YifeiZhuang already approved the PR, should I wait on a final review?

Comment thread authz/src/main/java/io/grpc/authz/AuthorizationServerInterceptor.java Outdated
Comment thread authz/src/main/java/io/grpc/authz/AuthorizationServerInterceptor.java Outdated
Comment thread authz/src/main/java/io/grpc/authz/AuthorizationServerInterceptor.java Outdated
Comment thread authz/src/main/java/io/grpc/authz/AuthorizationServerInterceptor.java Outdated
Comment thread xds/src/main/java/io/grpc/xds/InternalRbacFilter.java
@ashithasantosh ashithasantosh merged commit 0194ae9 into grpc:master Dec 21, 2022
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Mar 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants