raft(rbac): persist RBCA changes in all nodes
Showing
12 changed files
with
688 additions
and
169 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 1,39 @@ | ||
// _ _ | ||
// __ _____ __ ___ ___ __ _| |_ ___ | ||
// \ \ /\ / / _ \/ _` \ \ / / |/ _` | __/ _ \ | ||
// \ V V / __/ (_| |\ V /| | (_| | || __/ | ||
// \_/\_/ \___|\__,_| \_/ |_|\__,_|\__\___| | ||
// | ||
// Copyright © 2016 - 2024 Weaviate B.V. All rights reserved. | ||
// | ||
// CONTACT: [email protected] | ||
// | ||
|
||
package api | ||
|
||
import ( | ||
"github.com/weaviate/weaviate/entities/models" | ||
) | ||
|
||
type CreateRolesRequest struct { | ||
Roles []*models.Role | ||
} | ||
|
||
type DeleteRolesRequest struct { | ||
Roles []string | ||
} | ||
|
||
type RemovePermissionsRequest struct { | ||
Role string | ||
Permissions []*models.Permission | ||
} | ||
|
||
type AddRolesForUsersRequest struct { | ||
User string | ||
Roles []string | ||
} | ||
|
||
type RevokeRolesForUserRequest struct { | ||
User string | ||
Roles []string | ||
} |
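Review bot: `AddRolesForUsersRequest` is the only one of these five types with a plural `Users` in its name, although it carries a single `User string` and its counterpart is `RevokeRolesForUserRequest`; `AddRolesForUserRequest` would match. The structs are JSON-encoded into `ApplyRequest.SubCommand` elsewhere in this commit without struct tags, so the Go field names become the encoding that is replicated, and a later field rename would presumably break decoding of entries already written. An explicit tag such as `json:"user"` on each field, plus a doc comment on each type stating that it is a persisted command payload, would pin that format.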
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 1,118 @@ | ||
// _ _ | ||
// __ _____ __ ___ ___ __ _| |_ ___ | ||
// \ \ /\ / / _ \/ _` \ \ / / |/ _` | __/ _ \ | ||
// \ V V / __/ (_| |\ V /| | (_| | || __/ | ||
// \_/\_/ \___|\__,_| \_/ |_|\__,_|\__\___| | ||
// | ||
// Copyright © 2016 - 2024 Weaviate B.V. All rights reserved. | ||
// | ||
// CONTACT: [email protected] | ||
// | ||
|
||
package cluster | ||
|
||
import ( | ||
"context" | ||
"encoding/json" | ||
"fmt" | ||
|
||
cmd "github.com/weaviate/weaviate/cluster/proto/api" | ||
"github.com/weaviate/weaviate/cluster/schema" | ||
"github.com/weaviate/weaviate/entities/models" | ||
) | ||
|
||
func (s *Raft) UpsertRoles(roles ...*models.Role) error { | ||
if len(roles) == 0 { | ||
return fmt.Errorf("no roles to create: %w", schema.ErrBadRequest) | ||
} | ||
|
||
req := cmd.CreateRolesRequest{Roles: roles} | ||
subCommand, err := json.Marshal(&req) | ||
if err != nil { | ||
return fmt.Errorf("marshal request: %w", err) | ||
} | ||
command := &cmd.ApplyRequest{ | ||
Type: cmd.ApplyRequest_TYPE_UPSERT_ROLES, | ||
SubCommand: subCommand, | ||
} | ||
if _, err := s.Execute(context.Background(), command); err != nil { | ||
return err | ||
} | ||
return nil | ||
} | ||
|
||
func (s *Raft) DeleteRoles(names ...string) error { | ||
if len(names) == 0 { | ||
return fmt.Errorf("no roles to delete: %w", schema.ErrBadRequest) | ||
} | ||
req := cmd.DeleteRolesRequest{Roles: names} | ||
subCommand, err := json.Marshal(&req) | ||
if err != nil { | ||
return fmt.Errorf("marshal request: %w", err) | ||
} | ||
command := &cmd.ApplyRequest{ | ||
Type: cmd.ApplyRequest_TYPE_DELETE_ROLES, | ||
SubCommand: subCommand, | ||
} | ||
if _, err := s.Execute(context.Background(), command); err != nil { | ||
return err | ||
} | ||
return nil | ||
} | ||
|
||
func (s *Raft) RemovePermissions(role string, permissions []*models.Permission) error { | ||
if role == "" { | ||
return fmt.Errorf("no roles to remove permissions from: %w", schema.ErrBadRequest) | ||
} | ||
req := cmd.RemovePermissionsRequest{Role: role, Permissions: permissions} | ||
subCommand, err := json.Marshal(&req) | ||
if err != nil { | ||
return fmt.Errorf("marshal request: %w", err) | ||
} | ||
command := &cmd.ApplyRequest{ | ||
Type: cmd.ApplyRequest_TYPE_REMOVE_PERMISSIONS, | ||
SubCommand: subCommand, | ||
} | ||
if _, err := s.Execute(context.Background(), command); err != nil { | ||
return err | ||
} | ||
return nil | ||
} | ||
|
||
func (s *Raft) AddRolesForUser(user string, roles []string) error { | ||
if len(roles) == 0 { | ||
return fmt.Errorf("no roles to assign: %w", schema.ErrBadRequest) | ||
} | ||
req := cmd.AddRolesForUsersRequest{User: user, Roles: roles} | ||
subCommand, err := json.Marshal(&req) | ||
if err != nil { | ||
return fmt.Errorf("marshal request: %w", err) | ||
} | ||
command := &cmd.ApplyRequest{ | ||
Type: cmd.ApplyRequest_TYPE_ADD_ROLES_FOR_USER, | ||
SubCommand: subCommand, | ||
} | ||
if _, err := s.Execute(context.Background(), command); err != nil { | ||
return err | ||
} | ||
return nil | ||
} | ||
|
||
func (s *Raft) RevokeRolesForUser(user string, roles ...string) error { | ||
if len(roles) == 0 { | ||
return fmt.Errorf("no roles to revoke: %w", schema.ErrBadRequest) | ||
} | ||
req := cmd.RevokeRolesForUserRequest{User: user, Roles: roles} | ||
subCommand, err := json.Marshal(&req) | ||
if err != nil { | ||
return fmt.Errorf("marshal request: %w", err) | ||
} | ||
command := &cmd.ApplyRequest{ | ||
Type: cmd.ApplyRequest_TYPE_REVOKE_ROLES_FOR_USER, | ||
SubCommand: subCommand, | ||
} | ||
if _, err := s.Execute(context.Background(), command); err != nil { | ||
return err | ||
} | ||
return nil | ||
} |
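Review bot: `AddRolesForUser` and `RevokeRolesForUser` reject an empty `roles` list but never check `user`, whereas `RemovePermissions` does reject an empty `role`; an empty user name is therefore marshalled and handed to `s.Execute` like any other request. Extending the guard to `if user == "" || len(roles) == 0 {` in both functions would stop a malformed role assignment before it is submitted for replication. All five methods also call `s.Execute(context.Background(), command)`, so a caller cannot bound or cancel an authorization change; whether `Execute` applies its own timeout is not visible here. The two user methods differ in shape as well (`roles []string` versus `roles ...string`), which is worth aligning while the API is new.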
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 1,28 @@ | ||
// _ _ | ||
// __ _____ __ ___ ___ __ _| |_ ___ | ||
// \ \ /\ / / _ \/ _` \ \ / / |/ _` | __/ _ \ | ||
// \ V V / __/ (_| |\ V /| | (_| | || __/ | ||
// \_/\_/ \___|\__,_| \_/ |_|\__,_|\__\___| | ||
// | ||
// Copyright © 2016 - 2024 Weaviate B.V. All rights reserved. | ||
// | ||
// CONTACT: [email protected] | ||
// | ||
|
||
package cluster | ||
|
||
import ( | ||
"github.com/weaviate/weaviate/entities/models" | ||
) | ||
|
||
func (s *Raft) GetRoles(names ...string) ([]*models.Role, error) { | ||
return s.store.authZManager.GetRoles(names...) | ||
} | ||
|
||
func (s *Raft) GetRolesForUser(user string) ([]*models.Role, error) { | ||
return s.store.authZManager.GetRolesForUser(user) | ||
} | ||
|
||
func (s *Raft) GetUsersForRole(role string) ([]string, error) { | ||
return s.store.authZManager.GetUsersForRole(role) | ||
} |
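Review bot: `GetRoles`, `GetRolesForUser` and `GetUsersForRole` read straight from `s.store.authZManager` on the local node with no leader check or read barrier visible, so on a follower they can presumably return role assignments that were already revoked on the leader but not yet applied locally. If these results feed authorization decisions, that window should be documented or closed. At minimum a doc comment such as `// GetRolesForUser returns the roles from this node's local RBAC state, which may lag behind the leader.` would make the consistency level explicit for callers.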
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 1,91 @@ | ||
// _ _ | ||
// __ _____ __ ___ ___ __ _| |_ ___ | ||
// \ \ /\ / / _ \/ _` \ \ / / |/ _` | __/ _ \ | ||
// \ V V / __/ (_| |\ V /| | (_| | || __/ | ||
// \_/\_/ \___|\__,_| \_/ |_|\__,_|\__\___| | ||
// | ||
// Copyright © 2016 - 2024 Weaviate B.V. All rights reserved. | ||
// | ||
// CONTACT: [email protected] | ||
// | ||
|
||
package rbac | ||
|
||
import ( | ||
"encoding/json" | ||
"errors" | ||
"fmt" | ||
|
||
"github.com/sirupsen/logrus" | ||
cmd "github.com/weaviate/weaviate/cluster/proto/api" | ||
"github.com/weaviate/weaviate/entities/models" | ||
"github.com/weaviate/weaviate/usecases/auth/authorization" | ||
) | ||
|
||
var ErrBadRequest = errors.New("bad request") | ||
|
||
type Manager struct { | ||
authZ authorization.Controller | ||
logger logrus.FieldLogger | ||
} | ||
|
||
func NewManager(authZ authorization.Controller, logger logrus.FieldLogger) *Manager { | ||
return &Manager{authZ: authZ, logger: logger} | ||
} | ||
|
||
func (m *Manager) GetRoles(names ...string) ([]*models.Role, error) { | ||
return m.authZ.GetRoles(names...) | ||
} | ||
|
||
func (m *Manager) GetRolesForUser(user string) ([]*models.Role, error) { | ||
return m.authZ.GetRolesForUser(user) | ||
} | ||
|
||
func (m *Manager) GetUsersForRole(role string) ([]string, error) { | ||
return m.authZ.GetUsersForRole(role) | ||
} | ||
|
||
func (m *Manager) UpsertRoles(c *cmd.ApplyRequest) error { | ||
req := &cmd.CreateRolesRequest{} | ||
if err := json.Unmarshal(c.SubCommand, req); err != nil { | ||
return fmt.Errorf("%w: %w", ErrBadRequest, err) | ||
} | ||
|
||
return m.authZ.UpsertRoles(req.Roles...) | ||
} | ||
|
||
func (m *Manager) DeleteRoles(c *cmd.ApplyRequest) error { | ||
req := &cmd.DeleteRolesRequest{} | ||
if err := json.Unmarshal(c.SubCommand, req); err != nil { | ||
return fmt.Errorf("%w: %w", ErrBadRequest, err) | ||
} | ||
|
||
return m.authZ.DeleteRoles(req.Roles...) | ||
} | ||
|
||
func (m *Manager) AddRolesForUser(c *cmd.ApplyRequest) error { | ||
req := &cmd.AddRolesForUsersRequest{} | ||
if err := json.Unmarshal(c.SubCommand, req); err != nil { | ||
return fmt.Errorf("%w: %w", ErrBadRequest, err) | ||
} | ||
|
||
return m.authZ.AddRolesForUser(req.User, req.Roles) | ||
} | ||
|
||
func (m *Manager) RemovePermissions(c *cmd.ApplyRequest) error { | ||
req := &cmd.RemovePermissionsRequest{} | ||
if err := json.Unmarshal(c.SubCommand, req); err != nil { | ||
return fmt.Errorf("%w: %w", ErrBadRequest, err) | ||
} | ||
|
||
return m.authZ.RemovePermissions(req.Role, req.Permissions) | ||
} | ||
|
||
func (m *Manager) RevokeRolesForUser(c *cmd.ApplyRequest) error { | ||
req := &cmd.RevokeRolesForUserRequest{} | ||
if err := json.Unmarshal(c.SubCommand, req); err != nil { | ||
return fmt.Errorf("%w: %w", ErrBadRequest, err) | ||
} | ||
|
||
return m.authZ.RevokeRolesForUser(req.User, req.Roles...) | ||
} |
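Review bot: `Manager` stores a `logger`, but none of the apply methods (`UpsertRoles`, `DeleteRoles`, `AddRolesForUser`, `RemovePermissions`, `RevokeRolesForUser`) use it, so role and permission changes applied on a node leave no record in the visible code. A line such as `m.logger.WithField("action", "revoke_roles_for_user").WithField("user", req.User).Info("rbac change applied")` after a successful call would give operators a per-node audit trail. The handlers also pass the decoded fields to `m.authZ` without re-checking for an empty `User`, `Role` or `Roles`, relying entirely on the proposing side. Separately, this package's `ErrBadRequest` is a different value from the `schema.ErrBadRequest` wrapped by the Raft methods, so an `errors.Is` check against one will not match the other.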