Add auth data to RecordMetadata #13993
Thanks @koevskinikola 🏆
I think there is 1 comment which isn't true. Please change this, I'll still approve the PR as it's only a comment 😄
Awesome stuff @koevskinikola 👏
👍 I really like how you've set up the authorization metadata to be swappable using a format property
❌ Two things require attention:
- I think we cannot bump the protocol version safely. This leads to rolling update problems, e.g. on followers replaying newer events. Do you see any other solutions for this? If not, I propose we discuss this with ZDP.
- Instead of depending on auth0's jwt library, the protocol-impl should depend on our zeebe-auth module.
🔧 The rest of my comments are suggestions
Include the default tenant id in the TenantOwned interface.
Add an authorization field to the RecordMetadata SBE message of the Zeebe protocol. Initially, the authorization field will be populated only for Command records, and this data won't be exported. The field will contain information on the authorizations of the user that made the client request that created the Command record. The field type is of variable length, as authorizations may vary per user.
Add the AuthInfo class, which is an implementation for the authorization field of Record Metadata. The class contains format and authData properties. The authData property is encoded into a String value, and the format property provides information on what mechanism encodes/decodes the authData value. Initially, only the JWT format is available, but new ones can easily be added (e.g. msg-pack).
Test the new authorization field of the RecordMetadata class
Extends the ExecuteCommandRequest to contain authorization data. The ExecuteCommandRequest class is used to forward requests from the Zeebe Gateway to the Broker. Since auth data originates in the Gateway, it needs to be provided to the Broker request there.
Add the new authorizations property to the Elasticsearch and OpenSearch record index templates.
The RecordMetadata now contains a new authorizations property that increases the general size of a record. This causes certain test cases that depend on the record size to fail. This commit adjusts the expected record sizes to account for the increase of the metadata.
Adjust a helper method for the TenantAuthorizationChecker to make it easier for use with the AuthInfo and Record classes by accepting a Map instead of a JWT decoder instance.
Bump protocol version since the addition of the variable length authorization fields is incompatible with records from older versions, i.e. they can't be SBE decoded correctly.
* Move the default values for the issuer, audience, and subject claims of the encoder and decoder to the builder for easier maintenance.
* Set the value of the subject claim to zeebe-client instead to make it easier to understand where the auth data comes from.
* Remove a comment about keeping the java-jwt library version aligned with the identity-sdk. The Zeebe auth module was designed to be flexible on what encoding/decoding mechanism is used and it shouldn't be tied to the libraries that Identity uses.
* Adjust JSON serialization test to account for the changed JWT subject.
Move the AUTHORIZED_TENANTS_CLAIM constant to the Authorization class to make it less coupled with the JWT implementation.
Avoid using java-jwt APIs outside of the Zeebe auth module to avoid tightly coupling the JWT library with the rest of Zeebe. Instead, return a Map<String, Object> instance to provide the various authorizations.
Expand the Record#getAuthorizations() javadoc to explain what entries the authorizations Map may provide.
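The commit messages above describe a format-tagged container for authorization data (a format property naming the codec, an opaque authData string, and a Map<String, Object> returned to callers so the JWT library stays confined to the auth module). The following standalone Java class is an example added here to illustrate that design; it is not Zeebe's AuthInfo, zeebe-auth or protocol-impl code. Every name in it (AuthInfoExample, AuthFormat, AuthCodec, HmacJwtCodec, authorizations()), the claim value "authorized_tenants", the HS256 token layout and the demo secret are assumptions, since the page does not show the real API, claim layout or signing scheme. It goes one step beyond the commit text by verifying the signature on decode, so a payload altered after signing is rejected before any claim is read.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.*;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Self-contained illustration; every type and name here is hypothetical, not Zeebe's own code. */
public final class AuthInfoExample {
  /** Claim name assumed for the tenant list; the page names the constant but not its value. */
  static final String AUTHORIZED_TENANTS_CLAIM = "authorized_tenants";
  /** Format tag stored beside the encoded data (selects the decoder), and the holder that pairs them. */
  enum AuthFormat { JWT }
  record AuthInfo(AuthFormat format, String authData) {}

  /** One implementation per format; a msg-pack codec would be one more class, with no caller changes. */
  interface AuthCodec {
    String encode(Map<String, Object> claims) throws GeneralSecurityException;
    Map<String, Object> decode(String authData) throws GeneralSecurityException;
  }

  /** Resolves the codec from the format tag, so callers only ever see a Map, never a JWT library type. */
  static Map<String, Object> authorizations(AuthInfo info, Map<AuthFormat, AuthCodec> codecs)
      throws GeneralSecurityException {
    AuthCodec codec = Objects.requireNonNull(codecs.get(info.format()), () -> "no codec for " + info.format());
    return codec.decode(info.authData());
  }

  /** Minimal HS256 JWT codec; claims are limited to strings and lists of strings so JSON handling stays small. */
  static final class HmacJwtCodec implements AuthCodec {
    private static final String HEADER = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
    private static final Pattern LIST_CLAIM = Pattern.compile("\"([^\"]+)\":\\[([^\\]]*)\\]");
    private static final Pattern STRING_CLAIM = Pattern.compile("\"([^\"]+)\":\"([^\"]*)\"");
    private final byte[] secret;
    HmacJwtCodec(byte[] secret) { this.secret = secret.clone(); }

    public String encode(Map<String, Object> claims) throws GeneralSecurityException {
      String signingInput = b64(HEADER.getBytes(UTF_8)) + "." + b64(toJson(claims).getBytes(UTF_8));
      return signingInput + "." + b64(hmac(signingInput));
    }

    public Map<String, Object> decode(String authData) throws GeneralSecurityException {
      String[] parts = authData.split("\\.");
      if (parts.length != 3) throw new IllegalArgumentException("malformed JWT");
      // The header's alg is deliberately ignored: always HS256 with this codec's own key, compared in constant time.
      byte[] expected = hmac(parts[0] + "." + parts[1]);
      if (!MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(parts[2]))) {
        throw new SecurityException("JWT signature mismatch");
      }
      return fromJson(new String(Base64.getUrlDecoder().decode(parts[1]), UTF_8));
    }

    private byte[] hmac(String input) throws GeneralSecurityException {
      Mac mac = Mac.getInstance("HmacSHA256");
      mac.init(new SecretKeySpec(secret, "HmacSHA256"));
      return mac.doFinal(input.getBytes(UTF_8));
    }

    static String b64(byte[] bytes) { return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes); }

    private static String quote(String s) {  // no JSON escaping is implemented, so reject text that would need it
      if (s.contains("\"") || s.contains("\\")) throw new IllegalArgumentException("unsupported claim text");
      return "\"" + s + "\"";
    }

    private static String toJson(Map<String, Object> claims) {
      StringJoiner obj = new StringJoiner(",", "{", "}");
      claims.forEach((k, v) -> obj.add(quote(k) + ":" + (v instanceof List<?> l
          ? l.stream().map(i -> quote(String.valueOf(i))).collect(Collectors.joining(",", "[", "]"))
          : quote(String.valueOf(v)))));
      return obj.toString();
    }

    private static Map<String, Object> fromJson(String json) {
      Map<String, Object> claims = new LinkedHashMap<>();
      Matcher lists = LIST_CLAIM.matcher(json);  // list-valued claims first, then string-valued ones from the rest
      while (lists.find()) {
        List<String> items = new ArrayList<>();
        for (Matcher m = Pattern.compile("\"([^\"]*)\"").matcher(lists.group(2)); m.find(); ) items.add(m.group(1));
        claims.put(lists.group(1), items);
      }
      Matcher strings = STRING_CLAIM.matcher(LIST_CLAIM.matcher(json).replaceAll(""));
      while (strings.find()) claims.put(strings.group(1), strings.group(2));
      return claims;
    }
  }

  public static void main(String[] args) throws Exception {
    Map<AuthFormat, AuthCodec> codecs =  // constructed key, demo only
        Map.of(AuthFormat.JWT, new HmacJwtCodec("constructed-demo-secret".getBytes(UTF_8)));
    Map<String, Object> claims = new LinkedHashMap<>();
    claims.put("sub", "zeebe-client");
    claims.put(AUTHORIZED_TENANTS_CLAIM, List.of("tenant-a", "tenant-b"));
    AuthInfo info = new AuthInfo(AuthFormat.JWT, codecs.get(AuthFormat.JWT).encode(claims));  // what the metadata carries
    System.out.println("decoded: " + authorizations(info, codecs));
    // A payload swapped in transit still carries the old signature and is rejected before any claim is read.
    String[] parts = info.authData().split("\\.");
    String forged = HmacJwtCodec.b64("{\"sub\":\"zeebe-client\",\"authorized_tenants\":[\"tenant-c\"]}".getBytes(UTF_8));
    try {
      authorizations(new AuthInfo(AuthFormat.JWT, parts[0] + "." + forged + "." + parts[2]), codecs);
    } catch (SecurityException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Compile and run with a Java 16 or newer JDK (records and pattern matching for instanceof are used). Two choices are worth noting: the decoder never reads the alg field of the token header and always verifies with its own HS256 key, so the usual alg-confusion problems cannot arise, and the signature comparison uses MessageDigest.isEqual so that a mismatch takes the same time regardless of where the bytes differ. Callers receive only a Map, which is the coupling boundary the last two commit messages above describe.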
Thanks @koevskinikola 🚀
LGTM 👍
bors merge
Build succeeded:
Description
Includes (encoded) auth data in the RecordMetadata and ExecuteCommandRequest classes.
ℹ️ main branch.
Related issues
closes #13989