You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tinkerpop.apache.org by "Rusi Popov (Jira)" <ji...@apache.org> on 2022/08/07 08:44:00 UTC
[jira] [Updated] (TINKERPOP-2782) WebSocketAuthorizationHandler does not transfer the request's sessionId, needed in UnifiedHandler
[ https://issues.apache.org/jira/browse/TINKERPOP-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rusi Popov updated TINKERPOP-2782:
----------------------------------
Description:
When the gremlin-server.yaml configures the gremlin server to use the UnifiedChannelizer with an explicit Authorizer:
{code:yaml}
channelizer: org.apache.tinkerpop.gremlin.server.channel.UnifiedChannelizer
authorization:
authorizer: <some class>
{code}
the UnifiedChannelizer registers org.apache.tinkerpop.gremlin.server.handler.WebSocketAuthorizationHandler before org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler in the pipeline.
The WebSocketAuthorizationHandler uses the Authorizer to transform the bytecode, builds a new request message with the transformed bytecode, and pushes the new message down the pipeline for processing:
(in 3.6.1 these are lines 66-77)
{code:java}
case Tokens.OPS_BYTECODE:
final Bytecode bytecode = (Bytecode) requestMessage.getArgs().get(Tokens.ARGS_GREMLIN);
final Map<String, String> aliases = (Map<String, String>) requestMessage.getArgs().get(Tokens.ARGS_ALIASES);
final Bytecode restrictedBytecode = authorizer.authorize(user, bytecode, aliases);
final RequestMessage restrictedMsg = RequestMessage.build(Tokens.OPS_BYTECODE).
overrideRequestId(requestMessage.getRequestId()).
processor("traversal").
addArg(Tokens.ARGS_GREMLIN, restrictedBytecode).
addArg(Tokens.ARGS_ALIASES, aliases).create();
ctx.fireChannelRead(restrictedMsg);
break;
{code}
Next is the org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler, which uses session ID for session detection:
(lines 146-147)
{code:java}
final Optional<String> optMultiTaskSession = msg.optionalArgs(Tokens.ARGS_SESSION);
final String sessionId = optMultiTaskSession.orElse(msg.getRequestId().toString());
{code}
*The problem:*
WebSocketAuthorizationHandler does not transfer the Tokens.ARGS_SESSION to the UnifiedHandler so it uses request's ID as every time a new session ID
*Suggestion:*
in WebSocketAuthorizationHandler iterate on the args and copy every arg but ARGS_GREMLIN, then set the latter to the restricted bytecode.
was:
When the gremlin-server.yaml configures the gremlin server to use the UnifiedChannelizer with an explicit Authorizer:
{code:yaml}
channelizer: org.apache.tinkerpop.gremlin.server.channel.UnifiedChannelizer
authorization:
authorizer: <some class>
{code}
the UnifiedChannelizer registers org.apache.tinkerpop.gremlin.server.handler.WebSocketAuthorizationHandler before org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler in the pipeline.
The WebSocketAuthorizationHandler uses the Authorizer to transform the bytecode, builds a new request message with the transformed bytecode, and pushes the new message down the pipeline for processing:
(in 3.6.1 these are lines)
{code:java}
case Tokens.OPS_BYTECODE:
final Bytecode bytecode = (Bytecode) requestMessage.getArgs().get(Tokens.ARGS_GREMLIN);
final Map<String, String> aliases = (Map<String, String>) requestMessage.getArgs().get(Tokens.ARGS_ALIASES);
final Bytecode restrictedBytecode = authorizer.authorize(user, bytecode, aliases);
final RequestMessage restrictedMsg = RequestMessage.build(Tokens.OPS_BYTECODE).
overrideRequestId(requestMessage.getRequestId()).
processor("traversal").
addArg(Tokens.ARGS_GREMLIN, restrictedBytecode).
addArg(Tokens.ARGS_ALIASES, aliases).create();
ctx.fireChannelRead(restrictedMsg);
break;
{code}
Next is the org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler, which uses session ID for session detection:
(lines 146-147)
{code:java}
final Optional<String> optMultiTaskSession = msg.optionalArgs(Tokens.ARGS_SESSION);
final String sessionId = optMultiTaskSession.orElse(msg.getRequestId().toString());
{code}
*The problem:*
WebSocketAuthorizationHandler does not transfer the Tokens.ARGS_SESSION to the UnifiedHandler so it uses request's ID as every time a new session ID
*Suggestion:*
in WebSocketAuthorizationHandler iterate on the args and copy every arg but ARGS_GREMLIN, then set the latter to the restricted bytecode.
> WebSocketAuthorizationHandler does not transfer the request's sessionId, needed in UnifiedHandler
> -------------------------------------------------------------------------------------------------
>
> Key: TINKERPOP-2782
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2782
> Project: TinkerPop
> Issue Type: Bug
> Components: server
> Affects Versions: 3.6.0, 3.5.2, 3.5.3, 3.6.1, 3.5.4
> Reporter: Rusi Popov
> Priority: Major
>
> When the gremlin-server.yaml configures the gremlin server to use the UnifiedChannelizer with an explicit Authorizer:
> {code:yaml}
> channelizer: org.apache.tinkerpop.gremlin.server.channel.UnifiedChannelizer
> authorization:
> authorizer: <some class>
> {code}
> the UnifiedChannelizer registers org.apache.tinkerpop.gremlin.server.handler.WebSocketAuthorizationHandler before org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler in the pipeline.
> The WebSocketAuthorizationHandler uses the Authorizer to transform the bytecode, builds a new request message with the transformed bytecode, and pushes the new message down the pipeline for processing:
> (in 3.6.1 these are lines 66-77)
> {code:java}
> case Tokens.OPS_BYTECODE:
> final Bytecode bytecode = (Bytecode) requestMessage.getArgs().get(Tokens.ARGS_GREMLIN);
> final Map<String, String> aliases = (Map<String, String>) requestMessage.getArgs().get(Tokens.ARGS_ALIASES);
> final Bytecode restrictedBytecode = authorizer.authorize(user, bytecode, aliases);
> final RequestMessage restrictedMsg = RequestMessage.build(Tokens.OPS_BYTECODE).
> overrideRequestId(requestMessage.getRequestId()).
> processor("traversal").
> addArg(Tokens.ARGS_GREMLIN, restrictedBytecode).
> addArg(Tokens.ARGS_ALIASES, aliases).create();
> ctx.fireChannelRead(restrictedMsg);
> break;
> {code}
> Next is the org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler, which uses session ID for session detection:
> (lines 146-147)
> {code:java}
> final Optional<String> optMultiTaskSession = msg.optionalArgs(Tokens.ARGS_SESSION);
> final String sessionId = optMultiTaskSession.orElse(msg.getRequestId().toString());
> {code}
> *The problem:*
> WebSocketAuthorizationHandler does not transfer the Tokens.ARGS_SESSION to the UnifiedHandler so it uses request's ID as every time a new session ID
> *Suggestion:*
> in WebSocketAuthorizationHandler iterate on the args and copy every arg but ARGS_GREMLIN, then set the latter to the restricted bytecode.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)