From bd460112f77c446ec5a9283db790c93259293b74 Mon Sep 17 00:00:00 2001 From: Sergii Mikhtoniuk Date: Wed, 28 Feb 2024 12:38:15 -0800 Subject: [PATCH] Fix flow service crash due to missing subject --- CHANGELOG.md | 4 ++++ Cargo.lock | 4 ++-- Cargo.toml | 2 +- LICENSE.txt | 2 +- src/app/api-server/src/app.rs | 38 ++++++++++++++++++++++++++--------- 5 files changed, 37 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 011c0b72..ed0ca01e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.13.1] - 2024-02-28 +### Fixed +- Startup crash in Flow Service that started to require admin token to operate + ## [0.13.0] - 2024-02-28 ### Changed - Updated to `kamu v0.162.0` diff --git a/Cargo.lock b/Cargo.lock index 0a01564b..af4be808 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3018,7 +3018,7 @@ dependencies = [ [[package]] name = "kamu-api-server" -version = "0.13.0" +version = "0.13.1" dependencies = [ "arrow-flight", "async-graphql", @@ -3194,7 +3194,7 @@ dependencies = [ [[package]] name = "kamu-repo-tools" -version = "0.13.0" +version = "0.13.1" dependencies = [ "chrono", "clap", diff --git a/Cargo.toml b/Cargo.toml index f1943555..94794235 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,7 +28,7 @@ kamu-adapter-flight-sql = { git = "https://github.com/kamu-data/kamu-cli", tag = [workspace.package] -version = "0.13.0" +version = "0.13.1" edition = "2021" homepage = "https://github.com/kamu-data/kamu-platform" repository = "https://github.com/kamu-data/kamu-platform" diff --git a/LICENSE.txt b/LICENSE.txt index ece7e42e..7dd33986 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -11,7 +11,7 @@ Business Source License 1.1 Licensor: Kamu Data, Inc. -Licensed Work: Kamu Platform Version 0.13.0 +Licensed Work: Kamu Platform Version 0.13.1 The Licensed Work is © 2023 Kamu Data, Inc. Additional Use Grant: You may use the Licensed Work for any purpose, diff --git a/src/app/api-server/src/app.rs b/src/app/api-server/src/app.rs index 9dfe02d6..b877fac3 100644 --- a/src/app/api-server/src/app.rs +++ b/src/app/api-server/src/app.rs @@ -11,6 +11,8 @@ use std::path::{Path, PathBuf}; use dill::{CatalogBuilder, Component}; use internal_error::*; +use kamu::domain::CurrentAccountSubject; +use opendatafabric::AccountName; use tracing::info; use url::Url; @@ -94,6 +96,10 @@ pub async fn run(matches: clap::ArgMatches) -> Result<(), InternalError> { .map(|a| *a) .unwrap_or(std::net::Ipv4Addr::new(127, 0, 0, 1).into()); + // API servers are built from the regular catalog + // that does not contain any auth subject, thus they will rely on + // their own middlewares to authenticate per request / session and execute + // all processing in the user context. let http_server = crate::http_server::build_server( address, sub.get_one("http-port").map(|p| *p), @@ -108,25 +114,39 @@ pub async fn run(matches: clap::ArgMatches) -> Result<(), InternalError> { ) .await; - tracing::info!( - http_endpoint = format!("http://{}", http_server.local_addr()), - flightsql_endpoint = format!("flightsql://{}", flightsql_server.local_addr()), - "Serving traffic" - ); - - let task_executor = catalog + // System services are built from the special catalog that contains the admin + // subject. Thus all services that require authorization are granted full access + // to all resources. + // + // TODO: Granting admin access to all system services is a security threat. We + // should consider to instead propagate the auth info of the user who triggered + // some system flow alongside all actions to enforce proper authorization. + let system_catalog = CatalogBuilder::new_chained(&catalog) + .add_value(CurrentAccountSubject::logged( + AccountName::new_unchecked(kamu::domain::auth::DEFAULT_ACCOUNT_NAME), + true, + )) + .build(); + + let task_executor = system_catalog .get_one::() .unwrap(); - let flow_service = catalog + let flow_service = system_catalog .get_one::() .unwrap(); - let now = catalog + let now = system_catalog .get_one::() .unwrap() .now(); + tracing::info!( + http_endpoint = format!("http://{}", http_server.local_addr()), + flightsql_endpoint = format!("flightsql://{}", flightsql_server.local_addr()), + "Serving traffic" + ); + tokio::select! { res = http_server => { res.int_err() }, res = flightsql_server.run() => { res.int_err() },