Added Access Control for Network Interface #683

Merged Apr 16, 2024 (129 commits; the diff below shows the changes from 121 of them)

Commits
66f41d8 Code move (OlivierHecart, Oct 12, 2023)
ec960ea Code move (OlivierHecart, Nov 2, 2023)
939daa4 Use RoutingContext type (OlivierHecart, Nov 2, 2023)
6e1c124 Structs split (OlivierHecart, Nov 7, 2023)
239d8cb Renaming (OlivierHecart, Nov 7, 2023)
b0f999b Visibility (OlivierHecart, Nov 7, 2023)
2a5466b Move ingress/egress filters out of pubsub (OlivierHecart, Nov 13, 2023)
0f2fa24 Make hat abstract (OlivierHecart, Nov 15, 2023)
002db77 Abstract missing close_face fn (OlivierHecart, Nov 15, 2023)
a33fcf1 Duplicate hat (OlivierHecart, Nov 15, 2023)
6b61780 Move Primitives (OlivierHecart, Nov 16, 2023)
0a76ae3 Move link_id into HatFace (OlivierHecart, Nov 22, 2023)
ef541d8 Change face initialization (OlivierHecart, Nov 22, 2023)
1755ba9 Interceptors (OlivierHecart, Nov 22, 2023)
cb693dc Interceptor types renaming (OlivierHecart, Nov 23, 2023)
c520168 Rename RoutingContext (OlivierHecart, Nov 23, 2023)
a4a672e Add RoutingContext and LoggerInterceptor (OlivierHecart, Dec 1, 2023)
59e8de7 Interceptors can access the Config at construction (OlivierHecart, Dec 5, 2023)
9c94df5 Split linkstate and p2p peer hats (OlivierHecart, Dec 5, 2023)
0096e59 Simplify HatTrait init function (OlivierHecart, Dec 7, 2023)
d4fac3d Hats cleanup (OlivierHecart, Dec 11, 2023)
7c8732c Reintroduce routes precomputation (OlivierHecart, Dec 22, 2023)
b2a7ee2 Improve routes precomputation (OlivierHecart, Dec 22, 2023)
43fcb78 Reintroduce matching pulls precomputation (OlivierHecart, Dec 22, 2023)
7cd513a Perf improvements (OlivierHecart, Jan 5, 2024)
b530da2 Perf improvements (OlivierHecart, Jan 5, 2024)
05e9c3b Merge branch 'master' into router-reorg (OlivierHecart, Jan 9, 2024)
d5fcdfa Remove files wrongly reintroduced by merge (OlivierHecart, Jan 9, 2024)
331cb3f Fix complete_n build (OlivierHecart, Jan 9, 2024)
458e64c Remove useless checks (OlivierHecart, Jan 9, 2024)
b69ae82 Fix OAM handling (OlivierHecart, Jan 10, 2024)
60f0ed0 Remove commented code (OlivierHecart, Jan 10, 2024)
27e1974 Simplified routes computation hats api (OlivierHecart, Jan 11, 2024)
7cdfc44 Move matching pulls computation out of hats (OlivierHecart, Jan 11, 2024)
567feb9 Fix query routes update (OlivierHecart, Jan 11, 2024)
57a5d8f Fix copy-paste error (OlivierHecart, Jan 12, 2024)
62049b1 Renaming (OlivierHecart, Jan 15, 2024)
a1301d5 Add missing query routes deactivations (OlivierHecart, Jan 17, 2024)
6d9f2f6 Refactor code (OlivierHecart, Jan 17, 2024)
7af8480 Improve performances (OlivierHecart, Jan 18, 2024)
d47b4fd WIP: added pep pdp points (kauncoder, Jan 26, 2024)
c5579c9 WIP: added interceptor code and PEP logic (kauncoder, Jan 26, 2024)
99d1284 WIP: added datastructures for policy and PDP logic (kauncoder, Jan 29, 2024)
e11313f WIP: first basic acl prototype (kauncoder, Jan 30, 2024)
74e12fd WIP: first acl prototype (kauncoder, Jan 30, 2024)
e2a59c7 WIP: first acl prototype (kauncoder, Jan 30, 2024)
e4d1014 WIP: ACL phase 1 (kauncoder, Jan 31, 2024)
b72d85e WIP: ACL phase 1 (kauncoder, Feb 1, 2024)
f7a26e2 WIP: Modified ACL for attributes (kauncoder, Feb 8, 2024)
f52d3cd WIP: Modified ACL for attributes (kauncoder, Feb 8, 2024)
39a4f78 WIP: Cleaned code (kauncoder, Feb 19, 2024)
52baaf3 WIP: merging code (kauncoder, Feb 19, 2024)
b7f9c71 WIP: merging code (kauncoder, Feb 19, 2024)
45eac35 WIP: adding config conditions (kauncoder, Feb 20, 2024)
264f861 WIP: merging with DS (kauncoder, Feb 20, 2024)
7636090 WIP: moved rules into config file (kauncoder, Feb 21, 2024)
99c2efa WIP: moved rules into config file (kauncoder, Feb 21, 2024)
50c9f0e WIP: merging changes (kauncoder, Feb 21, 2024)
a8bb31e Revert "WIP:merging changes" (kauncoder, Feb 21, 2024)
187c4cb WIP: merging new changes (kauncoder, Feb 21, 2024)
a1fda63 WIP: merging new changes (kauncoder, Feb 21, 2024)
fd674e2 WIP: ACL with network interface (kauncoder, Feb 28, 2024)
1b4a949 WIP: ACL with network interface (kauncoder, Feb 28, 2024)
f933843 WIP: ACL with network interface (kauncoder, Feb 28, 2024)
fb83d00 WIP: ACL with network interface (kauncoder, Feb 28, 2024)
9257ac7 WIP: Added multi-interface functionality (kauncoder, Feb 29, 2024)
3cb97d2 WIP: Improved code design for ACL (kauncoder, Feb 29, 2024)
9af653e WIP: Modified for new config style (kauncoder, Mar 1, 2024)
c2e41a1 WIP: Modified for new config style (kauncoder, Mar 1, 2024)
47b2b9f WIP: Added changes for default behaviour (kauncoder, Mar 1, 2024)
7cda036 WIP: Added changes for default behaviour (kauncoder, Mar 3, 2024)
2430355 WIP: Added changes for default behaviour (kauncoder, Mar 3, 2024)
7985826 WIP: Cleaning code (kauncoder, Mar 4, 2024)
c6378d1 WIP: Config changes after discussion (kauncoder, Mar 5, 2024)
a19608c WIP: Config changes after discussion (kauncoder, Mar 5, 2024)
0a94a11 Merge branch 'main' into wip/authz/initial_modules (snehilzs, Mar 5, 2024)
6cd0c76 Merge branch 'eclipse-zenoh:main' into wip/authz/initial_modules (snehilzs, Mar 6, 2024)
23128e2 WIP: Adding Queryable (kauncoder, Mar 6, 2024)
f066a76 WIP: Adding key-expr caching (kauncoder, Mar 8, 2024)
152938d Cleaning config file (kauncoder, Mar 8, 2024)
875977c Merge branch 'main' into wip/authz/initial_modules (kauncoder, Mar 26, 2024)
7439dba made review changes (kauncoder, Mar 28, 2024)
0a8bf04 made review changes (kauncoder, Mar 28, 2024)
87333fe adding review changes for logs and removing bool values (kauncoder, Mar 28, 2024)
3b4091e adding review changes (kauncoder, Mar 28, 2024)
c7d0475 adding actions for both ingress and egress (kauncoder, Mar 29, 2024)
e8ac3e6 adding ingress and egress flow (kauncoder, Apr 2, 2024)
af4141e cleaning code (kauncoder, Apr 2, 2024)
74c58e5 adding tests (kauncoder, Apr 3, 2024)
eae9df7 cleaning policy code (kauncoder, Apr 3, 2024)
8e7ebf6 acl tests for queryable (kauncoder, Apr 4, 2024)
4a341e2 replaced nested Vec with structs (kauncoder, Apr 4, 2024)
fd9d0d9 fixed queryable test issue (kauncoder, Apr 4, 2024)
34db54e fixed cache downcast error (kauncoder, Apr 5, 2024)
a02ffad fixed interface issue in tests (kauncoder, Apr 5, 2024)
266d926 move acl config out of transport (kauncoder, Apr 7, 2024)
7eb121a move acl config out of transport (kauncoder, Apr 7, 2024)
98a3704 clean tests code (kauncoder, Apr 7, 2024)
6881e6d clean tests code (kauncoder, Apr 7, 2024)
f239a4d clean config file (kauncoder, Apr 7, 2024)
fbfed48 clean config file (kauncoder, Apr 7, 2024)
4be148d clean code (kauncoder, Apr 8, 2024)
fc4a66c resolve conflicts (kauncoder, Apr 8, 2024)
eb9d40a Merge branch 'main' into wip/authz/initial_modules (kauncoder, Apr 8, 2024)
d847de1 resolve conflicts issues (kauncoder, Apr 8, 2024)
73a5eaf refactor code (kauncoder, Apr 9, 2024)
a63b460 refactor code (kauncoder, Apr 9, 2024)
aeda020 refactor code (kauncoder, Apr 10, 2024)
a8b88b6 refactor code for review changes (kauncoder, Apr 10, 2024)
88e1dff refactor code for review changes (kauncoder, Apr 10, 2024)
00ccb40 fix acl tests issue (kauncoder, Apr 10, 2024)
b9832bf fix acl tests issue (kauncoder, Apr 10, 2024)
76b7671 fix acl tests issue (kauncoder, Apr 10, 2024)
e2e2f90 fix acl tests issue (kauncoder, Apr 11, 2024)
92a0c1f fix acl tests issue (kauncoder, Apr 11, 2024)
0788248 resolve merge conflicts (kauncoder, Apr 11, 2024)
5fd083b resolve merge conflicts (kauncoder, Apr 11, 2024)
c24fbf5 Update DEFAULT_CONFIG.json5 (snehilzs, Apr 12, 2024)
ea927a5 change acl to access_control for clarity (kauncoder, Apr 15, 2024)
8172dfb fix: Remove sync-lockfiles workflow (#925) (fuzzypixelz, Apr 11, 2024)
3c70890 modify actions values in config file (kauncoder, Apr 16, 2024)
40a2020 remove [ACCESS LOG] string from the logs (kauncoder, Apr 16, 2024)
648ac09 Remove [ACCESS LOG] from logging (Mallets, Apr 16, 2024)
e3ef202 rework access control logging (Mallets, Apr 16, 2024)
93163f6 Add ingress/egress logs (Mallets, Apr 16, 2024)
79de84c add interface name in access logs (kauncoder, Apr 16, 2024)
b9f7c3e Fix log level (Mallets, Apr 16, 2024)
33ab251 Add missing header (Mallets, Apr 16, 2024)
b5617b7 Add missing header files (Mallets, Apr 16, 2024)

Files changed
131 changes: 0 additions & 131 deletions .github/workflows/sync-lockfiles.yml

This file was deleted.

11 changes: 6 additions & 5 deletions Cargo.lock


2 changes: 1 addition & 1 deletion Cargo.toml
@@ -218,4 +218,4 @@ debug = false # If you want debug symbol in release mode, set the env variab
lto = "fat"
codegen-units = 1
opt-level = 3
panic = "abort"
panic = "abort"
26 changes: 24 additions & 2 deletions DEFAULT_CONFIG.json5
@@ -175,7 +175,30 @@
// ],
// },
// ],

// /// configure access control (ACL) rules
// access_control: {
// ///[true/false] acl will be activated only if this is set to true
// "enabled": false,
// ///[deny/allow] default permission is deny (even if this is left empty or not specified)
// "default_permission": "deny",
// ///rule set for permissions allowing or denying access to key-expressions
// "rules":
// [
// {
// "actions": [
// "put", "get", "declare_subscriber", "declare_queryable"
// ],
// "flows":["egress","ingress"],
// "permission": "allow",
// "key_exprs": [
// "test/demo"
// ],
// "interfaces": [
// "lo0"
// ]
// },
// ]
//},
/// Configure internal transport parameters
transport: {
unicast: {
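Review bot: the example rule matches on `"interfaces": ["lo0"]`, which is the macOS/BSD loopback name; on Linux the loopback is `lo`, so an operator who copies this block onto a Linux router gets a rule that never matches and, with `"default_permission": "deny"`, blocks everything as soon as `"enabled"` is set to true. The comment should say that interface names are OS-specific and that a rule whose interface is absent simply never applies, leaving the default permission in force. Two smaller points in the same block: the `///[true/false]` and `///[deny/allow]` comments lack the space after `///` that the rest of this file uses, and because the interface name is the only subject these rules can match on, the comment should state that it is a coarse, unauthenticated attribute (every peer reaching the router over that interface is treated identically) and not a substitute for the `auth` settings further down in this file.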
@@ -318,7 +341,6 @@
shared_memory: {
enabled: false,
},
/// Access control configuration
auth: {
/// The configuration of authentification.
/// A password implies a username is required.
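Review bot: removing the `/// Access control configuration` comment from above `auth:` is correct now that `access_control` has its own section, but the context line immediately below it still reads `/// The configuration of authentification.`; since the hunk already touches the neighbouring lines, fix the spelling to `authentication` here rather than leaving it for a follow-up.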
10 changes: 10 additions & 0 deletions commons/zenoh-config/src/defaults.rs
@@ -221,6 +221,16 @@ impl Default for SharedMemoryConf {
}
}

impl Default for AclConfig {
fn default() -> Self {
Self {
enabled: false,
default_permission: Permission::Deny,
rules: None,
}
}
}

pub const DEFAULT_CONNECT_TIMEOUT_MS: ModeDependentValue<i64> =
ModeDependentValue::Dependent(ModeValues {
client: Some(0),
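Review bot: `enabled: false` together with `default_permission: Permission::Deny` is the right fail-closed default, but the precedence between the fields is undocumented: while `enabled` is false the `default_permission` and `rules` are ignored entirely, and the moment `enabled` becomes true with `rules: None` every action on every interface is denied. A doc comment on this `impl` (or on `AclConfig` in lib.rs) spelling that out would save operators a lockout. Minor: `Permission` has no `Default` impl, which is why this cannot be `#[derive(Default)]`; giving `Permission` a `Default` of `Deny` would allow the derive and keep deny-by-default defined in one place.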
55 changes: 52 additions & 3 deletions commons/zenoh-config/src/lib.rs
@@ -73,9 +73,9 @@ impl Zeroize for SecretString {

pub type SecretValue = Secret<SecretString>;

#[derive(Debug, Deserialize, Serialize, Clone)]
#[derive(Debug, Deserialize, Serialize, Clone, Copy)]
#[serde(rename_all = "lowercase")]
pub enum DownsamplingFlow {
pub enum InterceptorFlow {
Egress,
Ingress,
}
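Review bot: renaming the public `DownsamplingFlow` to `InterceptorFlow` is a breaking change for any crate outside this workspace that names the type from `zenoh-config`; the serialized form (`egress`/`ingress`) is unchanged, so existing config files keep working, but downstream Rust code will stop compiling. Either keep `pub type DownsamplingFlow = InterceptorFlow;` for one release or call the break out in the changelog. Adding `Copy` is fine for a two-variant fieldless enum.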
@@ -97,7 +97,48 @@ pub struct DownsamplingItemConf {
/// A list of interfaces to which the downsampling will be applied.
pub rules: Vec<DownsamplingRuleConf>,
/// Downsampling flow direction: egress, ingress
pub flow: DownsamplingFlow,
pub flow: InterceptorFlow,
}

#[derive(Serialize, Debug, Deserialize, Clone)]
pub struct AclConfigRules {
pub interfaces: Vec<String>,
pub key_exprs: Vec<String>,
pub actions: Vec<Action>,
pub flows: Vec<InterceptorFlow>,
pub permission: Permission,
}

#[derive(Clone, Serialize, Debug, Deserialize)]
pub struct PolicyRule {
pub subject: Subject,
pub key_expr: String,
pub action: Action,
pub permission: Permission,
pub flow: InterceptorFlow,
}

#[derive(Serialize, Debug, Deserialize, Eq, PartialEq, Hash, Clone)]
#[serde(untagged)]
#[serde(rename_all = "snake_case")]
pub enum Subject {
Interface(String),
}

#[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]
#[serde(rename_all = "snake_case")]
pub enum Action {
Put,
DeclareSubscriber,
Get,
DeclareQueryable,
}

#[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]
#[serde(rename_all = "lowercase")]
pub enum Permission {
Allow,
Deny,
}

pub trait ConfigValidator: Send + Sync {
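Review bot: `Subject` is `#[serde(untagged)]` with a single `Interface(String)` variant, so any bare string deserializes as an interface name; that is unambiguous today but becomes ambiguous the moment a second subject kind (a username, a certificate identity) is added, because untagged matching takes the first variant that accepts a string. Consider a tagged representation now, while the user-facing `AclConfigRules` still expresses subjects through its dedicated `interfaces` field. Also, `#[serde(rename_all = "snake_case")]` on an untagged enum has no effect, since variant names are never emitted, and can be dropped. Two naming points: `AclConfigRules` describes one rule per element and would read better as `AclConfigRule`; and none of the five new `pub` types carry doc comments, unlike `DownsamplingItemConf` just above them. At minimum `PolicyRule` should say how it relates to `AclConfigRules` (presumably one `PolicyRule` per interface, key_expr, action and flow combination, given that each of its fields is the singular of the corresponding `Vec` field).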
@@ -431,6 +472,7 @@ validated_struct::validator! {
known_keys_file: Option<String>,
},
},

},
/// Configuration of the admin space.
pub adminspace: #[derive(Default)]
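Review bot: the blank line added after `known_keys_file: Option<String>,` is unrelated whitespace noise inside the `auth` block; drop it so this hunk disappears from the diff.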
@@ -456,6 +498,13 @@ validated_struct::validator! {
/// Configuration of the downsampling.
downsampling: Vec<DownsamplingItemConf>,

///Configuration of the access control (ACL)
pub access_control: AclConfig {
pub enabled: bool,
pub default_permission: Permission,
pub rules: Option<Vec<AclConfigRules>>
},

/// A list of directories where plugins may be searched for if no `__path__` was specified for them.
/// The executable's current directory will be added to the search paths.
plugins_search_dirs: Vec<String>, // TODO (low-prio): Switch this String to a PathBuf? (applies to other paths in the config as well)
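Review bot: `rules: Option<Vec<AclConfigRules>>` makes `None` and `Some(vec![])` two spellings of the same state, and every consumer has to handle both; a plain `Vec<AclConfigRules>` with `#[serde(default)]` is simpler and removes one branch from the enforcement path. The doc comment `///Configuration of the access control (ACL)` is missing the space after `///` that the neighbouring comments use. Also, the field is declared `pub access_control` while the sibling `downsampling` section above it is not `pub`; pick one visibility for the two interceptor sections.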
3 changes: 2 additions & 1 deletion zenoh/Cargo.toml
@@ -48,7 +48,7 @@ transport_tls = ["zenoh-transport/transport_tls"]
transport_udp = ["zenoh-transport/transport_udp"]
transport_unixsock-stream = ["zenoh-transport/transport_unixsock-stream"]
transport_ws = ["zenoh-transport/transport_ws"]
transport_vsock= ["zenoh-transport/transport_vsock"]
transport_vsock = ["zenoh-transport/transport_vsock"]
unstable = []
default = [
"auth_pubkey",
@@ -66,6 +66,7 @@ default = [
[dependencies]
tokio = { workspace = true, features = ["rt", "macros", "time"] }
tokio-util = { workspace = true }
ahash = { workspace = true }
async-trait = { workspace = true }
base64 = { workspace = true }
const_format = { workspace = true }
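Review bot: `ahash = { workspace = true }` only resolves if the root `Cargo.toml` has an `ahash` entry under `[workspace.dependencies]`; the root `Cargo.toml` hunk in this PR touches only the release profile, so confirm the entry already exists (the `Cargo.lock` changes suggest it does, but the lockfile diff is collapsed here). On the choice itself: `ahash` is a fast non-cryptographic hasher and is appropriate for the key-expression cache this PR introduces; its HashDoS resistance relies on the per-process random keys provided by its default `runtime-rng` feature, so do not disable default features for it while the cache is keyed by peer-supplied key expressions.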