CASSSIDECAR-161: Add RBAC Authorization support in Sidecar

CHANGES.txt

@@ -1,5 +1,6 @@
 1.0.0
 -----
+ * Add RBAC Authorization support in Sidecar (CASSSIDECAR-161)
  * Mechanism to have a reduced number of Sidecar instances run operations (CASSSIDECAR-174)
  * Adding support for CDC APIs into sidecar client (CASSSIDECAR-172)
  * Stopping Sidecar can take a long time (CASSSIDECAR-178)

client-common/src/main/java/org/apache/cassandra/sidecar/common/ApiEndpointsV1.java

@@ -32,8 +32,10 @@ public final class ApiEndpointsV1
 
     public static final String NATIVE = "/native";
     public static final String JMX = "/jmx";
-    public static final String KEYSPACE_PATH_PARAM = ":keyspace";
-    public static final String TABLE_PATH_PARAM = ":table";
+    public static final String KEYSPACE = "keyspace";
+    public static final String TABLE = "table";
+    public static final String KEYSPACE_PATH_PARAM = ":" + KEYSPACE;
+    public static final String TABLE_PATH_PARAM = ":" + TABLE;
     public static final String SNAPSHOT_PATH_PARAM = ":snapshot";
     public static final String COMPONENT_PATH_PARAM = ":component";
     public static final String INDEX_PATH_PARAM = ":index";

conf/sidecar.yaml

@@ -174,6 +174,13 @@ access_control:
         #
         # other options are, io.vertx.ext.auth.mtls.impl.SpiffeIdentityExtractor.
         certificate_identity_extractor: org.apache.cassandra.sidecar.acl.authentication.CassandraIdentityExtractor
+  authorizer:
+    # AuthorizationProvider provides authorizations an authenticated user holds.
+    #
+    # org.apache.cassandra.sidecar.acl.authorization.AllowAllAuthorizationProvider marks all requests as authorized.
+    # Other options are org.apache.cassandra.sidecar.acl.authorization.RoleBaseAuthorizationProvider, it validates
+    # role associated with authenticated user has permission for resource it accesses.
+    - class_name: org.apache.cassandra.sidecar.acl.authorization.AllowAllAuthorizationProvider
   # Identities that are authenticated and authorized.
   admin_identities:
 #    - spiffe://authorized/admin/identities

server-common/src/main/java/org/apache/cassandra/sidecar/db/schema/AbstractSchema.java

@@ -80,6 +80,7 @@ protected boolean initializeInternal(@NotNull Session session,
         }
 
         prepareStatements(session);
+        logger.info("{} is initialized!", this.getClass().getSimpleName());
         return true;
     }
 

server/src/main/java/org/apache/cassandra/sidecar/acl/AuthCache.java

@@ -34,6 +34,7 @@
 import org.apache.cassandra.sidecar.concurrent.ExecutorPools;
 import org.apache.cassandra.sidecar.concurrent.TaskExecutorPool;
 import org.apache.cassandra.sidecar.config.CacheConfiguration;
+import org.apache.cassandra.sidecar.exceptions.SchemaUnavailableException;
 import org.jetbrains.annotations.VisibleForTesting;
 
 import static org.apache.cassandra.sidecar.server.SidecarServerEvents.ON_SIDECAR_SCHEMA_INITIALIZED;
@@ -164,6 +165,10 @@ protected void warmUp(int availableRetries)
         {
             cache.putAll(bulkLoadFunction.get());
         }
+        catch (SchemaUnavailableException sue)
+        {
+            LOGGER.warn("Auth schema is unavailable. Skip warming up cache", sue);
+        }
         catch (Exception e)
         {
             LOGGER.warn("Unexpected error encountered during pre-warming of cache={} ", name, e);

server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AdminIdentityResolver.java

@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.acl.authorization;
+
+import java.util.Set;
+
+import com.google.inject.Inject;
+import com.google.inject.Singleton;
+import io.netty.handler.codec.http.HttpResponseStatus;
+import io.vertx.ext.web.handler.HttpException;
+import org.apache.cassandra.sidecar.acl.IdentityToRoleCache;
+import org.apache.cassandra.sidecar.config.SidecarConfiguration;
+
+/**
+ * Evaluates if provided identity is an admin identity.
+ */
+@Singleton
+public class AdminIdentityResolver
+{
+    private final IdentityToRoleCache identityToRoleCache;
+    private final SuperUserCache superUserCache;
+    private final Set<String> adminIdentities;
+
+    @Inject
+    public AdminIdentityResolver(IdentityToRoleCache identityToRoleCache,
+                                 SuperUserCache superUserCache,
+                                 SidecarConfiguration sidecarConfiguration)
+    {
+        this.identityToRoleCache = identityToRoleCache;
+        this.superUserCache = superUserCache;
+        this.adminIdentities = sidecarConfiguration.accessControlConfiguration().adminIdentities();
+    }
+
+    public boolean isAdmin(String identity)
+    {
+        if (adminIdentities.contains(identity))
+        {
+            return true;
+        }
+
+        String role = identityToRoleCache.get(identity);
+        if (role == null)
+        {
+            return false;
+        }
+        // Cassandra superusers have admin privileges
+        return superUserCache.isSuperUser(role);
+    }
+}

server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AllowAllAuthorization.java

@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.acl.authorization;
+
+import io.vertx.ext.auth.authorization.Authorization;
+import io.vertx.ext.auth.authorization.AuthorizationContext;
+
+/**
+ * {@code Authorization} implementation to allow access for all users regardless of their authorizations.
+ */
+public class AllowAllAuthorization implements Authorization
+{
+    public static final AllowAllAuthorization INSTANCE = new AllowAllAuthorization();
+
+    // use static INSTANCE
+    private AllowAllAuthorization()
+    {
+    }
+
+    /**
+     * Marks match as true regardless of the {@link AuthorizationContext} shared
+     */
+    @Override
+    public boolean match(AuthorizationContext context)
+    {
+        return true;
+    }
+
+    /**
+     * Allows access regardless of {@link Authorization} shared.
+     */
+    @Override
+    public boolean verify(Authorization authorization)
+    {
+        return true;
+    }
+}

server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AllowAllAuthorizationProvider.java

@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.acl.authorization;
+
+import io.vertx.core.AsyncResult;
+import io.vertx.core.Future;
+import io.vertx.core.Handler;
+import io.vertx.ext.auth.User;
+import io.vertx.ext.auth.authorization.AuthorizationProvider;
+
+/**
+ * {@link AuthorizationProvider} implementation to allow all requests regardless of authorizations user holds.
+ */
+public class AllowAllAuthorizationProvider implements AuthorizationProvider
+{
+    public static final AllowAllAuthorizationProvider INSTANCE = new AllowAllAuthorizationProvider();
+
+    // use static INSTANCE
+    private AllowAllAuthorizationProvider()
+    {
+    }
+
+    /**
+     * @return unique id representing {@code AllowAllAuthorizationProvider}
+     */
+    @Override
+    public String getId()
+    {
+        return "AllowAll";
+    }
+
+    @Override
+    public void getAuthorizations(User user, Handler<AsyncResult<Void>> handler)
+    {
+        getAuthorizations(user).onComplete(handler);
+    }
+
+    @Override
+    public Future<Void> getAuthorizations(User user)
+    {
+        if (user == null)
+        {
+            return Future.failedFuture("User cannot be null");
+        }
+
+        user.authorizations().add(getId(), AllowAllAuthorization.INSTANCE);
+        return Future.succeededFuture();
+    }
+}

server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/AuthorizationWithAdminBypassHandler.java

@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.acl.authorization;
+
+import java.util.List;
+
+import io.netty.handler.codec.http.HttpResponseStatus;
+import io.vertx.ext.auth.authorization.Authorization;
+import io.vertx.ext.web.RoutingContext;
+import io.vertx.ext.web.handler.HttpException;
+import io.vertx.ext.web.handler.impl.AuthorizationHandlerImpl;
+
+import static org.apache.cassandra.sidecar.utils.AuthUtils.extractIdentities;
+
+/**
+ * Verifies user has required authorizations. Allows admin identities to bypass authorization checks.
+ */
+public class AuthorizationWithAdminBypassHandler extends AuthorizationHandlerImpl
+{
+    private final AdminIdentityResolver adminIdentityResolver;
+
+    public AuthorizationWithAdminBypassHandler(AdminIdentityResolver adminIdentityResolver,
+                                               Authorization authorization)
+    {
+        super(authorization);
+        this.adminIdentityResolver = adminIdentityResolver;
+    }
+
+    @Override
+    public void handle(RoutingContext ctx)
+    {
+        List<String> identities = extractIdentities(ctx.user());
+
+        if (identities.isEmpty())
+        {
+            throw new HttpException(HttpResponseStatus.FORBIDDEN.code(), "Missing client identities");
+        }
+
+        // Admin identities bypass route specific authorization checks
+        if (identities.stream().anyMatch(adminIdentityResolver::isAdmin))
+        {
+            ctx.next();
+            return;
+        }
+
+        super.handle(ctx);
+    }
+}

server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/CassandraPermissions.java

@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.acl.authorization;
+
+/**
+ * Cassandra permissions allowed.
+ */
+public class CassandraPermissions
+{
+    public static final Permission CREATE = new StandardPermission("CREATE");
+    public static final Permission ALTER = new StandardPermission("ALTER");
+    public static final Permission DROP = new StandardPermission("DROP");
+    public static final Permission SELECT = new StandardPermission("SELECT");
+    public static final Permission MODIFY = new StandardPermission("MODIFY");
+    public static final Permission AUTHORIZE = new StandardPermission("AUTHORIZE");
+    public static final Permission DESCRIBE = new StandardPermission("DESCRIBE");
+    public static final Permission EXECUTE = new StandardPermission("EXECUTE");
+    public static final Permission UNMASK = new StandardPermission("UNMASK");
+    public static final Permission SELECT_MASKED = new StandardPermission("SELECT_MASKED");
+}

server/src/main/java/org/apache/cassandra/sidecar/acl/authorization/Permission.java

@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.acl.authorization;
+
+import io.vertx.ext.auth.authorization.Authorization;
+
+/**
+ * Represents a permission that can be granted to a user
+ */
+public interface Permission
+{
+    /**
+     * @return name of permission
+     */
+    String name();
+
+    /**
+     * @return {@link Authorization} created from permission. Most sidecar endpoints require a resource.
+     * This method is used in testing
+     */
+    default Authorization toAuthorization()
+    {
+        return toAuthorization(null);
+    }
+
+    /**
+     * @return {@link Authorization} created from permission for a resource.
+     */
+    Authorization toAuthorization(String resource);
+}