Posted to dev@tinkerpop.apache.org by "Rusi Popov (Jira)" <ji...@apache.org> on 2022/08/07 08:44:00 UTC

[jira] [Updated] (TINKERPOP-2782) WebSocketAuthorizationHandler does not transfer the request's sessionId, needed in UnifiedHandler

     [ https://issues.apache.org/jira/browse/TINKERPOP-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rusi Popov updated TINKERPOP-2782:
----------------------------------
    Description: 
When the gremlin-server.yaml configures the gremlin server to use the UnifiedChannelizer with an explicit Authorizer:
{code:yaml}
channelizer: org.apache.tinkerpop.gremlin.server.channel.UnifiedChannelizer
authorization: 

     authorizer: <some class>
{code}
the UnifiedChannelizer registers org.apache.tinkerpop.gremlin.server.handler.WebSocketAuthorizationHandler before org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler in the pipeline.

The WebSocketAuthorizationHandler uses the Authorizer to transform the bytecode, builds a new request message with the transformed bytecode, and pushes the new message down the pipeline for processing:
(in 3.6.1 these are lines 66-77)
{code:java}
case Tokens.OPS_BYTECODE:
    final Bytecode bytecode = (Bytecode) requestMessage.getArgs().get(Tokens.ARGS_GREMLIN);
    final Map<String, String> aliases = (Map<String, String>) requestMessage.getArgs().get(Tokens.ARGS_ALIASES);
    final Bytecode restrictedBytecode = authorizer.authorize(user, bytecode, aliases);
    final RequestMessage restrictedMsg = RequestMessage.build(Tokens.OPS_BYTECODE).
            overrideRequestId(requestMessage.getRequestId()).
            processor("traversal").
            addArg(Tokens.ARGS_GREMLIN, restrictedBytecode).
            addArg(Tokens.ARGS_ALIASES, aliases).create();
    ctx.fireChannelRead(restrictedMsg);
    break;
{code}
Next is the org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler, which uses session ID for session detection:
(lines 146-147)
{code:java}
final Optional<String> optMultiTaskSession = msg.optionalArgs(Tokens.ARGS_SESSION);
final String sessionId = optMultiTaskSession.orElse(msg.getRequestId().toString());
{code}
*The problem:*
WebSocketAuthorizationHandler does not transfer the Tokens.ARGS_SESSION to the UnifiedHandler, so it uses the request's ID as a new session ID every time.

*Suggestion:*
In WebSocketAuthorizationHandler, iterate over the args and copy every arg but ARGS_GREMLIN, then set the latter to the restricted bytecode.

  was:
When the gremlin-server.yaml configures the gremlin server to use the UnifiedChannelizer with an explicit Authorizer:

{code:yaml}
channelizer: org.apache.tinkerpop.gremlin.server.channel.UnifiedChannelizer
authorization:

     authorizer: <some class>
{code}
the UnifiedChannelizer registers org.apache.tinkerpop.gremlin.server.handler.WebSocketAuthorizationHandler before org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler in the pipeline.

The WebSocketAuthorizationHandler uses the Authorizer to transform the bytecode, builds a new request message with the transformed bytecode, and pushes the new message down the pipeline for processing:
(in 3.6.1 these are lines) 
{code:java}
case Tokens.OPS_BYTECODE:
    final Bytecode bytecode = (Bytecode) requestMessage.getArgs().get(Tokens.ARGS_GREMLIN);
    final Map<String, String> aliases = (Map<String, String>) requestMessage.getArgs().get(Tokens.ARGS_ALIASES);
    final Bytecode restrictedBytecode = authorizer.authorize(user, bytecode, aliases);
    final RequestMessage restrictedMsg = RequestMessage.build(Tokens.OPS_BYTECODE).
            overrideRequestId(requestMessage.getRequestId()).
            processor("traversal").
            addArg(Tokens.ARGS_GREMLIN, restrictedBytecode).
            addArg(Tokens.ARGS_ALIASES, aliases).create();
    ctx.fireChannelRead(restrictedMsg);
    break;
{code}

Next is the org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler, which uses session ID for session detection:
(lines 146-147)
{code:java}
final Optional<String> optMultiTaskSession = msg.optionalArgs(Tokens.ARGS_SESSION);
final String sessionId = optMultiTaskSession.orElse(msg.getRequestId().toString());
{code}

*The problem:*
WebSocketAuthorizationHandler does not transfer the Tokens.ARGS_SESSION to the UnifiedHandler, so it uses the request's ID as a new session ID every time.

*Suggestion:*
In WebSocketAuthorizationHandler, iterate over the args and copy every arg but ARGS_GREMLIN, then set the latter to the restricted bytecode.


> WebSocketAuthorizationHandler does not transfer the request's sessionId, needed in UnifiedHandler
> -------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2782
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2782
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.6.0, 3.5.2, 3.5.3, 3.6.1, 3.5.4
>            Reporter: Rusi Popov
>            Priority: Major
>
> When the gremlin-server.yaml configures the gremlin server to use the UnifiedChannelizer with an explicit Authorizer:
> {code:yaml}
> channelizer: org.apache.tinkerpop.gremlin.server.channel.UnifiedChannelizer
> authorization: 
>      authorizer: <some class>
> {code}
> the UnifiedChannelizer registers org.apache.tinkerpop.gremlin.server.handler.WebSocketAuthorizationHandler before org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler in the pipeline.
> The WebSocketAuthorizationHandler uses the Authorizer to transform the bytecode, builds a new request message with the transformed bytecode, and pushes the new message down the pipeline for processing:
> (in 3.6.1 these are lines 66-77)
> {code:java}
> case Tokens.OPS_BYTECODE:
>     final Bytecode bytecode = (Bytecode) requestMessage.getArgs().get(Tokens.ARGS_GREMLIN);
>     final Map<String, String> aliases = (Map<String, String>) requestMessage.getArgs().get(Tokens.ARGS_ALIASES);
>     final Bytecode restrictedBytecode = authorizer.authorize(user, bytecode, aliases);
>     final RequestMessage restrictedMsg = RequestMessage.build(Tokens.OPS_BYTECODE).
>             overrideRequestId(requestMessage.getRequestId()).
>             processor("traversal").
>             addArg(Tokens.ARGS_GREMLIN, restrictedBytecode).
>             addArg(Tokens.ARGS_ALIASES, aliases).create();
>     ctx.fireChannelRead(restrictedMsg);
>     break;
> {code}
> Next is the org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler, which uses session ID for session detection:
> (lines 146-147)
> {code:java}
> final Optional<String> optMultiTaskSession = msg.optionalArgs(Tokens.ARGS_SESSION);
> final String sessionId = optMultiTaskSession.orElse(msg.getRequestId().toString());
> {code}
> *The problem:*
> WebSocketAuthorizationHandler does not transfer the Tokens.ARGS_SESSION to the UnifiedHandler, so it uses the request's ID as a new session ID every time.
> *Suggestion:*
> In WebSocketAuthorizationHandler, iterate over the args and copy every arg but ARGS_GREMLIN, then set the latter to the restricted bytecode.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
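
The behaviour described in the report and the suggested arg-preserving rebuild, side by side, as an added example that is not part of the original message or of TinkerPop's code. Msg, rebuildDroppingArgs, rebuildPreservingArgs and sessionIdOf are hypothetical stand-ins for RequestMessage and the two handlers, and the string constants stand in for the Tokens fields, so the model runs on a plain JDK (16+) without the server on the classpath.

```java
import java.util.*;

public class AuthorizationArgsDemo {
    // Stand-ins for Tokens.ARGS_GREMLIN / ARGS_ALIASES / ARGS_SESSION (assumed values for this model).
    static final String ARGS_GREMLIN = "gremlin", ARGS_ALIASES = "aliases", ARGS_SESSION = "session";

    // Hypothetical minimal stand-in for RequestMessage: a request ID plus an args map.
    record Msg(UUID requestId, Map<String, Object> args) {}

    // Behaviour described in the report: only the gremlin and aliases args are carried over.
    static Msg rebuildDroppingArgs(Msg in, Object restricted) {
        Map<String, Object> args = new LinkedHashMap<>();
        args.put(ARGS_GREMLIN, restricted);
        args.put(ARGS_ALIASES, in.args().get(ARGS_ALIASES));
        return new Msg(in.requestId(), args);
    }

    // Suggested behaviour: copy every arg except gremlin, then set gremlin to the restricted bytecode.
    static Msg rebuildPreservingArgs(Msg in, Object restricted) {
        Map<String, Object> args = new LinkedHashMap<>();
        in.args().forEach((k, v) -> { if (!ARGS_GREMLIN.equals(k)) args.put(k, v); });
        args.put(ARGS_GREMLIN, restricted);
        return new Msg(in.requestId(), args);
    }

    // Mirrors the UnifiedHandler lookup quoted in the report: fall back to the request ID.
    static String sessionIdOf(Msg msg) {
        return Optional.ofNullable((String) msg.args().get(ARGS_SESSION))
                .orElse(msg.requestId().toString());
    }

    public static void main(String[] unused) {
        // Constructed sample input: two requests sent by one client within one session.
        Map<String, Object> args = new LinkedHashMap<>();
        args.put(ARGS_GREMLIN, "original-bytecode");
        args.put(ARGS_ALIASES, Map.of("g", "g"));
        args.put(ARGS_SESSION, "session-A");
        Msg first = new Msg(UUID.randomUUID(), args), second = new Msg(UUID.randomUUID(), args);

        String lost1 = sessionIdOf(rebuildDroppingArgs(first, "restricted-bytecode"));
        String lost2 = sessionIdOf(rebuildDroppingArgs(second, "restricted-bytecode"));
        String kept1 = sessionIdOf(rebuildPreservingArgs(first, "restricted-bytecode"));
        String kept2 = sessionIdOf(rebuildPreservingArgs(second, "restricted-bytecode"));

        // Regression checks: dropped args split one session in two; preserved args keep it intact.
        if (lost1.equals(lost2)) throw new AssertionError("expected per-request session IDs");
        if (!kept1.equals("session-A") || !kept2.equals("session-A"))
            throw new AssertionError("session arg was not preserved");
        System.out.println("dropped: " + lost1 + " / " + lost2 + "; preserved: " + kept1);
    }
}
```

The same pair of checks, written against the real RequestMessage, makes a regression test for any handler that rebuilds a message between authentication and the UnifiedHandler.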