Fine grained config and state resources

[pjain1]

Motivation

This proposal is to introduce fine grained config and state resources for better access controls. For example, for a user we may want to allow them the permission to view the status of a node but do not want to allow by default access to all other state resources like load queue, list of servers or list of tasks for a worker etc. Another example, we may want to give permissions to a user to just query the datasources but not read/change any state or config of the cluster, however even for showing the datasource list on console, a read on config is required to fetch compaction status for the datasource.

Proposed changes

The current design has the same resource name for all STATE and CONFIG resources which are state and config respectively. To achieve the desired results, different resource names will need to be set for these resources. For example, for druid/coordinator/v1/config/compaction the resource name can be COMPACTION and resource type is CONFIG so a GET on this endpoint will be a READ on COMPACTION CONFIG instead of READ on CONFIG CONFIG. Similarly appropriate names will be chosen for resources. The design always had this provision for future improvement, see here and here.

• StateResourceFilter and ConfigResourceFilter will be changed to introspect the requested url and set the resource name accordingly before performing authorization.
• Endpoints that do authorization in the method itself will be changed to set the resource names appropriately before authorizing.

Rationale

Having fine grained access controls.

Operational impact

If the security extension uses state and config as resource name for STATE and CONFIG resource types for auth checks then they would need to change the implementation to allow any name as valid and just check the resource type to preserve the old behaviour.

Backwards Compatibility

Its backward compatible as long as exact resource name match is not done for CONFIG and STATE resource types in the security extension.

[jon-wei]

StateResourceFilter and ConfigResourceFilter will be changed to introspect the requested url and set the resource name accordingly before performing authorization.

Can you describe the introspection checks in more detail?

[tsmethurst]

I'm interested in implementing this for a use case we have at Klarrio, where we want to expose the Druid UI in a multi-tenant environment. Did anyone else start working on this already? What design steps does this need to go through to reach approval? Or should I just start working on it already and make a PR?

[pjain1]

@jon-wei sorry for the delayed response, I will try to put some basic code out describing the checks soon.

@tsmethurst I have been working on defining resource names for the state and config resources here - https://docs.google.com/spreadsheets/d/1fXD5n9gHIL0RbAoiFnu9s_2So2c2K4W8dtQZVeCaux8/edit?usp=sharing any comments/contribution to it would be welcome and speed things up.

[tsmethurst]

@pjain1 Thanks for sharing. I'm still looking through and familiarising myself with the code, but beginning to see where the necessary changes will have to be made. The google doc is very useful in terms of finding my bearings, but before I can make any really constructive suggestions I still need to work through and compare that against the API and the http part of the server code. Looks promising though, I think this is doable.

[pjain1]

@jon-wei @gianm @tsmethurst I have completed the google docs sheet with what I think would be the finer permissions, any comments would be useful. I have also added possible improvement in a column.

From implementation point of view, as you can see in the sheet there is a column listing new Resource Names, so I am thinking that there would be Resource Filters corresponding to these names and they would be applied to the endpoints. These new filters will extend the existing Config and StateResourceFilter but will pass in the resource name while doing the filter. This way any extension can also extend them and provide their own resource name if needed. Here's a prototype of what I am thinking - https://github.com/apache/druid/compare/master...pjain1:finer_permissions_poc?expand=1

One question from my side is do we need to keep it backwards compatible or is it ok ?

[tsmethurst]

@pjain1 I've gone ahead and implemented most of the changes for STATE on this branch of our Klarrio fork:
https://github.com/apache/druid/compare/master...Klarrio:granular_permissions?expand=1
Sharing this in the interest of getting feedback. Is that what you had in mind?

Note that my preferred way of doing this would not be to create a whole bunch of new ResourceFilter implementations with just the resource name changed. Suggestions on the best way of doing this are very welcome.

[pjain1]

Thanks @tsmethurst ! this looks good, that's what I had in mind. Apart from these, STATE permissions are also checked while accessing system schema through sql, so will have to apply similar fix here and also check if there are any other places like these (probably not).

However, generally just waiting for feedback from others in the community that this is the right way to go.

[tsmethurst]

@pjain1 quick update before the weekend: I've added the CONFIG stuff as well, and made a few other changes to avoid code duplication and hardcoded resource name strings. Feel free to have a look and see if you have any thoughts on how I've done it :)

https://github.com/apache/druid/compare/master...Klarrio:granular_permissions?expand=1

Enjoy the weekend!

[pjain1]

@tsmethurst hey this looks good, lets wait for a few days for comments from @jon-wei or any other community members, otherwise lets just a raise PR and get comments there.

[tsmethurst]

@pjain1 I've opened a Work-In-Progress PR here:

#9725

[jon-wei]

I took some time to review the proposal, currently documenting my thoughts and I'll have something to share soon