Pass users original role for impersonation#25371
Conversation
homar
force-pushed
the
homar/add_set_original_role
branch
2 times, most recently
from
32c54d4 to
e1f25b2
Compare
homar
force-pushed
the
homar/add_set_original_role
branch
from
e1f25b2 to
e66a3e1
Compare
homar
changed the title
homar
force-pushed
the
homar/add_set_original_role
branch
from
e66a3e1 to
bd91d3a
Compare
|
This relates to #25166 |
There was a problem hiding this comment.
How do we pass original user info?
There was a problem hiding this comment.
Via sessionUser AFAIK, see
There was a problem hiding this comment.
Optional collection is smelly. Can we remove the optional here?
There was a problem hiding this comment.
ok so actually this is a little hack. The idea is to have one field instead of two to make code simpler.
- if optional is empty this impersonation mechanism is disabled
- it it is not empty but it doesn't contain checked role then impersonation check fails
- if it contains role then impersonation is allowed.
Alternatively you would need one variable to check if this mechanism is enabled at all and if it is enabled then a Set to check if specific role allows for impersonation.
If you believe having 2 variables is better I will change.
There was a problem hiding this comment.
Why? It is explains why it is done this way. Assuming we will stay with Optional<Set>>
There was a problem hiding this comment.
I see exactly the same in line below in java. I mean the comment is obvious. It is a nit btw.
There was a problem hiding this comment.
testImpersonationAllowedByRole
There was a problem hiding this comment.
Also this should be something that holds authorization trinity. You need to have subject, action (here it is know that it is impersonation) and entity. So you need to hold pair of who (subject) can impersonate who (entity). And subject here is an (user with his roles), entity is just user.
There was a problem hiding this comment.
Why? That would make this much more complex. Here I only store roles that allow impersonations, this is for tests only and trino doesn't even have good support for roles in general..
There was a problem hiding this comment.
I mean there is some thinking here in the class and you are introducing new concept of access control to this testing class which makes it harder. I would like us to reuse what we have and rewrite the test.
There was a problem hiding this comment.
Add also testImpersonationAllowedByUser
There was a problem hiding this comment.
What is the point? If I understand correctly there are such tests here: TestSetSessionAuthorization
The entire point of this change is to fix the scenario that is role based not user based.
There was a problem hiding this comment.
I think we have some utilities for that in trino-jdbc tests.
homar
force-pushed
the
homar/add_set_original_role
branch
from
bd91d3a to
02a102f
Compare
|
@wendigo can you please take a look too? |
There was a problem hiding this comment.
separate commit for the refactor or undo
There was a problem hiding this comment.
I wouldn't say it is a refactor but sure I will undo this
There was a problem hiding this comment.
It can depend on scope tests right?
There was a problem hiding this comment.
Please add more tests. For impersonation with user, with role none and all roles.
There was a problem hiding this comment.
I am not sure I understand the part about impersonation with user :/
There was a problem hiding this comment.
I mean when grant for impersonation is given to the user directly, not to the role.
There was a problem hiding this comment.
- This PR is about roles not grants, so I am not sure why this would matter here
- I am not sure I even know how to do that.
TestingSystemSecurityMetadatadoesn't support that andTestingAccessControlManageronly supports denies
There was a problem hiding this comment.
I see exactly the same in line below in java. I mean the comment is obvious. It is a nit btw.
homar
force-pushed
the
homar/add_set_original_role
branch
2 times, most recently
from
c8dcf21 to
8d27298
Compare
Without this the way impersonation work is broken. Considering followin scenarion - there are 2 users: alice and bob - there is a role alice_role that allows for bob impersonation If alice sets alice_role and then calls SET SESSION AUTHORIZATION `bob` access control will make a check `canImpersonateUser`, because alice_role allows for that impersonation it will succeed. However every next query will also call this `canImpersonateUser` check and because alice_role is not assigned anymore it will fail every time. The idea behind the fix is to pass roles of the original user, alice from the example above, between server and clients using new headers X-Trino-Set-Original-Roles. Then roles obtained in this way can be used in the checkCanImpersonate to make sure it passes.
homar
force-pushed
the
homar/add_set_original_role
branch
3 times, most recently
from
2b21afd to
e5dda50
Compare
2 participants
Description
Pass users original role for impersonation
Without this the way impersonation work is broken.
Considering followin scenarion
If alice sets alice_role and then calls SET SESSION AUTHORIZATION
bobaccess control will make a check
canImpersonateUser, because alice_roleallows for that impersonation it will succeed.
However every next query will also call this
canImpersonateUsercheckand because alice_role is not assigned anymore it will fail every time.
The idea behind the fix is to pass roles of the original user, alice
from the example above, between server and clients using new headers
X-Trino-Set-Original-Roles. Then roles obtained in this way can be used
in the checkCanImpersonate to make sure it passes
Additional context and related issues
Release notes
( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:
Fixes #25166