You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tinkerpop.apache.org by "Stephen Mallette (Jira)" <ji...@apache.org> on 2020/06/25 11:05:00 UTC

[jira] [Updated] (TINKERPOP-2389) Authorization support in TinkerPop

     [ https://issues.apache.org/jira/browse/TINKERPOP-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Mallette updated TINKERPOP-2389:
----------------------------------------
    Summary: Authorization support in TinkerPop  (was: Authorization support in Tinkerpop)

> Authorization support in TinkerPop
> ----------------------------------
>
>                 Key: TINKERPOP-2389
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2389
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.4.7
>            Reporter: Shekhar Bansal
>            Priority: Major
>         Attachments: Screenshot 2020-06-25 at 15.15.04.png
>
>
> Use case:
>  # Tinkerpop supports multiple graphs using a single API and admin might want to restrict access to some of the graphs.
>  # Admin might want to restrict read/write access to certain users.
>  
> Proposal
> Add read/write access restrictions at graph level. We can extend it to executing scripts by adding execute privileges.
>  
> Changes required
> Add `authorizer` block similar to `authentication` block in yaml file
>  
> {code:java}
> authorization: {
>   authorizer: org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
>   authorizationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
>   config: {
>    }
> }{code}
>  
> Authorization will be done only if authentication is enabled. Authentication is done at per session basis while authorization will be done for each and every request.
> In `SaslAuthorizationHandler` or `HttpAuthorizationHandler` query will be parsed and depending on the step instructions, the query will be marked as of type read or write and then privilege evaluation will be done by calling `isAccessAllowed` method of `Authorizer`
> {code:java}
> public interface Authorizer {
>     /**
>      * Whether or not the authorization requires check.
>      * If false will not authorzie user.
>      */
>     public boolean requireAuthorization();
>     /**
>      * Setup is called once upon system startup to initialize the {@code Authorizer}.
>      */
>     public void setup(final Map<String, Object> config);
>     /**
>      * A "standard" authorization implementation
>      */
>     public boolean isAccessAllowed(AuthorizationRequest authorizationRequest) throws AuthorizationException;
> }
> {code}
> Access policies can be defined in tools like `Apache Ranger`, sample policy:
> !Screenshot 2020-06-25 at 15.15.04.png|width=1017,height=548!
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)