-
Notifications
You must be signed in to change notification settings - Fork 0
PDP 42 (New Resource String Format for Authorization)
Status: In Review
Table of Contents:
This proposal is for modifying the resource string format used for authorizing Controller, Segment Store and Schema Registry operations, so that resources can be identified precisely, uniquely and consistently, for the purposes of authorization.
Authorization in Pravega protects resources like scopes, streams, reader groups, and key-value tables against unauthorized access. The resources are uniquely identified using a character-based "resource string".
Here are a few examples from the current scheme:
-
MarketData- A scope with nameMarketData. -
MarketData/Prices- A stream with namePricesunder the same scope. -
MarketData/PriceChangeCalculator- A reader group with namePriceChangeCalculatorin the same scope, which reads from a specified stream in the same scope.
More examples can be found here.
The main problems with the current scheme are:
- Certain resources cannot be distinguished. For example, both Reader Groups and Streams are represented as
<scope-name>/<resource-name>. So, if a stream and a reader group shared the same name, providing access to one'd provide access to the other too. - The structure of the resource strings has started to diverge. For example. Key Value Tables, for example, are identified using
<scope-name>/_kvtable/<resource-name>, which is inconsistent with the rest of the resource types. These divergences shall make it harder and harder for admins to specify Access Control Lists (ACL). - The current scheme works for two-level hierarchies alone in Pravega main code. The default Password-Based Auth Handler doesn't understand three-level hierarchy. Schema Registry uses a three-level hierarchy.
- The new scheme must allow for distinguishing resources of different types.
- The format should work uniformly for resources in Pravega, Schema Registry, and components that may be introduced in the future.
Here are the key design goals:
- Extensibility: As new resource types are introduced, authorization shall be extended to cover those resource types as well.
- Consistency: Understanding a few instances of the resources should enable developers and admins to guess what should it be for other resource types.
- Efficiency: Processing the resource string for authorization must not require complex and inefficient logic.
Here are the key constraints:
-
Authorization is performed for both application-created resources and internal resources created for internal purposes. Examples of the latter are: a) the
_systemscope, and b)MarketData/_RGPriceChangeCalculator.Internal resources tend to have names containing the prefix
_. So, the scheme should avoid the use of the character_.
The following is the general format of the resource string:
domain::resource-id
The domain indicates the susbsystem where the resource string apply, and can take on values prn (For Pravega Resource Name) and prn.scheme-registry.
The domain part may be omitted in ACLs. If omitted, it is derived based on the context. For example, / (as opposed to prn::/ or prn::/) denotes the root resource in the respective domains Pravega and Schema Registry.
Unlike the domain part, the resource-id part is mandatory. The specific format of the resource id part depends on the resource type. All resource strings follow these common rules:
-
All resource types except the root resource are indicated using corresponding tags.
prn::/ <--- the root resource prn::/scope:myscope <--- a specific scope prn::/scope:myscope/stream:mystream <--- a specific stream -
Forward slashes indicate hierarchical relationships. For example, a scope is under the root resource
/, and a stream is under a scope. So, a streammystreamin scopemyscopeis represented as:prn/scope:myscope/stream:mystream` -
The following are the supported tags for denoting resource types. Additional tags may be added in the future. Also, as is illustrated below, multiple words are separated using the
-character.-
Pravega:
scope,stream,reader-group,key-value-table -
Schema registry:
group,namespace
Accordingly, a
myrgreader group resource is represented asprn::/scope:myscope/reader-group:myrg -
Pravega:
See some more examples in the next section.
The table below lists a few examples of resource strings that can be used for making authorization decisions.
| Resource type | Resource String Example | Description of the example resource |
|---|---|---|
| Root | prn::/ |
Used for creating and listing root level resources like Scopes |
| Scope | prn::/scope:MarketData |
A Scope with name MarketData
|
| Stream | prn::/scope:MarketData/stream:Prices |
A Stream Prices in Scope MarketData
|
| ReaderGroup | prn::/scope:MarketData/reader-group:Prices |
A Reader Group PriceChangeCalculator in Scope MarketData
|
| Key Value Table | prn::/scope:MarketData/key-value-table:LatestScriptPrices |
A Key Value Table LatestScriptPrices in Scope MarketData
|
| Schema Registry Group | prn.schema-registry::/namespace:mynamespace/group:mygroup |
A group mygroup in mynamespace namespace |
The table below shows a few examples of resource patterns that Auth Handler plugin (like the built-in Password Auth Handler) may use in their ACEs, to reference multiple resource instances.
| Resource Pattern | What does it reference? |
|---|---|
* |
All resources in the system |
prn::/scope:* |
All the Scopes in the system |
prn::/scope:MarketData |
The MarketData scope |
prn::/scope:MarketData/* |
All direct and indirect child objects under the MarketData scope. |
prn::/scope:MarketData/stream:* |
All streams in scope MarketData
|
prn::/scope:MarketData/stream:str* |
All streams with names starting from str
|
prn::/scope:MarketData/key-value-table:* |
All key-value tables (KVT) in scope MarketData
|
prn::/scope:MarketData/key-value-table:kvt123 |
A KVT with name kvt123
|
Pravega - Streaming as a new software defined storage primitive
- Contributing
- Guidelines for committers
- Testing
-
Pravega Design Documents (PDPs)
- PDP-19: Retention
- PDP-20: Txn Timeouts
- PDP-21: Protocol Revisioning
- PDP-22: Bookkeeper Based Tier-2
- PDP-23: Pravega Security
- PDP-24: Rolling Transactions
- PDP-25: Read-Only Segment Store
- PDP-26: Ingestion Watermarks
- PDP-27: Admin Tools
- PDP-28: Cross Routing Key Ordering
- PDP-29: Tables
- PDP-30: Byte Stream API
- PDP-31: End-to-End Request Tags
- PDP-32: Controller Metadata Scalability
- PDP-33: Watermarking
- PDP-34: Simplified-Tier-2
- PDP-35: Move Controller Metadata to KVS
- PDP-36: Connection Pooling
- PDP-37: Server-Side Compression
- PDP-38: Schema Registry
- PDP-39: Key-Value Tables Beta 1
- PDP-40: Consistent Order Guarantees for Storage Flushes
- PDP-41: Enabling Transport Layer Security (TLS) for External Clients
- PDP-42: New Resource String Format for Authorization
- PDP-43: Large Events
- PDP-44: Lightweight Transactions
- PDP-45: Health Check
- PDP-46: Read Only Permissions For Reading Data
- PDP-47: Pravega Message Queues
- PDP-48: Key-Value Tables Beta 2
- PDP-49: Segment Store Admin Gateway
- PDP-50: Stream Tags
- PDP-51: Segment Container Event Processor
- PDP-53: Robust Garbage Collection for SLTS