chore: refactor rbac code (openobserve#2668)

public-repos-backup · Feb 7, 2024 · eed6625 · eed6625
1 parent 5000ffa
commit eed6625
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 20 deletions.
diff --git a/src/common/utils/auth.rs b/src/common/utils/auth.rs
@@ -70,7 +70,7 @@ pub async fn set_ownership(org_id: &str, obj_type: &str, obj: Authz) {
             OFGA_MODELS.get(obj.parent_type.as_str()).unwrap().key
         };
 
-        authorizer::set_ownership(org_id, &obj_str, &obj.parent, parent_type).await;
+        authorizer::authz::set_ownership(org_id, &obj_str, &obj.parent, parent_type).await;
     }
 }
 #[cfg(not(feature = "enterprise"))]
@@ -90,7 +90,7 @@ pub async fn remove_ownership(org_id: &str, obj_type: &str, obj: Authz) {
             OFGA_MODELS.get(obj.parent_type.as_str()).unwrap().key
         };
 
-        authorizer::remove_ownership(org_id, &obj_str, &obj.parent, parent_type).await;
+        authorizer::authz::remove_ownership(org_id, &obj_str, &obj.parent, parent_type).await;
     }
 }
 #[cfg(not(feature = "enterprise"))]
@@ -309,8 +309,26 @@ impl FromRequest for AuthExtractor {
                     }));
                 } else if object_type.starts_with("stream") && !method.eq("LIST") {
                     let object_type = match stream_type {
-                        Some(stream_type) => object_type
-                            .replace("stream:", format!("stream:{}/", stream_type).as_str()),
+                        Some(stream_type) => {
+                            if stream_type.eq(&StreamType::EnrichmentTables) {
+                                // since enrichment tables have seperate permissions
+                                let stream_type_str = format!("{stream_type}");
+
+                                object_type.replace(
+                                    "stream:",
+                                    format!(
+                                        "{}:",
+                                        OFGA_MODELS
+                                            .get(stream_type_str.as_str())
+                                            .map_or(stream_type_str.as_str(), |model| model.key)
+                                    )
+                                    .as_str(),
+                                )
+                            } else {
+                                object_type
+                                    .replace("stream:", format!("stream:{}/", stream_type).as_str())
+                            }
+                        }
                         None => object_type,
                     };
                     return ready(Ok(AuthExtractor {

diff --git a/src/handler/http/auth/jwt.rs b/src/handler/http/auth/jwt.rs
@@ -37,7 +37,7 @@ pub async fn process_token(
 
     use config::CONFIG;
     use o2_enterprise::enterprise::openfga::{
-        authorizer::{
+        authorizer::authz::{
             get_org_creation_tuples, get_user_creation_tuples, get_user_org_tuple,
             get_user_role_creation_tuple, get_user_role_deletion_tuple, update_tuples,
         },

diff --git a/src/handler/http/auth/validator.rs b/src/handler/http/auth/validator.rs
@@ -405,7 +405,7 @@ pub(crate) async fn check_permissions(user_id: &str, auth_info: AuthExtractor) -
     } else {
         object_str
     };
-    o2_enterprise::enterprise::openfga::authorizer::is_allowed(
+    o2_enterprise::enterprise::openfga::authorizer::authz::is_allowed(
         &auth_info.org_id,
         user_id,
         &auth_info.method,

diff --git a/src/handler/http/request/authz/fga.rs b/src/handler/http/request/authz/fga.rs
@@ -29,7 +29,11 @@ pub async fn create_role(
     let org_id = org_id.into_inner();
     let user_req = user_req.into_inner();
 
-    match o2_enterprise::enterprise::openfga::authorizer::create_role(&user_req.name, &org_id).await
+    match o2_enterprise::enterprise::openfga::authorizer::roles::create_role(
+        &user_req.name,
+        &org_id,
+    )
+    .await
     {
         Ok(_) => Ok(HttpResponse::Ok().finish()),
         Err(err) => Ok(HttpResponse::InternalServerError().body(err.to_string())),
@@ -50,7 +54,9 @@ pub async fn create_role(
 pub async fn delete_role(path: web::Path<(String, String)>) -> Result<HttpResponse, Error> {
     let (org_id, role_name) = path.into_inner();
 
-    match o2_enterprise::enterprise::openfga::authorizer::delete_role(&org_id, &role_name).await {
+    match o2_enterprise::enterprise::openfga::authorizer::roles::delete_role(&org_id, &role_name)
+        .await
+    {
         Ok(_) => Ok(HttpResponse::Ok().finish()),
         Err(err) => Ok(HttpResponse::InternalServerError().body(err.to_string())),
     }
@@ -66,7 +72,7 @@ pub async fn delete_role(_path: web::Path<(String, String)>) -> Result<HttpRespo
 #[get("/{org_id}/roles")]
 pub async fn get_roles(org_id: web::Path<String>) -> Result<HttpResponse, Error> {
     let org_id = org_id.into_inner();
-    match o2_enterprise::enterprise::openfga::authorizer::get_all_roles(&org_id).await {
+    match o2_enterprise::enterprise::openfga::authorizer::roles::get_all_roles(&org_id).await {
         Ok(res) => Ok(HttpResponse::Ok().json(res)),
         Err(err) => Ok(HttpResponse::InternalServerError().body(err.to_string())),
     }
@@ -87,7 +93,7 @@ pub async fn update_role(
     let (_org_id, role_id) = path.into_inner();
     let update_role = update_role.into_inner();
 
-    match o2_enterprise::enterprise::openfga::authorizer::update_role(
+    match o2_enterprise::enterprise::openfga::authorizer::roles::update_role(
         &role_id,
         update_role.add,
         update_role.remove,
@@ -116,7 +122,7 @@ pub async fn get_role_permissions(
     path: web::Path<(String, String, String)>,
 ) -> Result<HttpResponse, Error> {
     let (org_id, role_id, resource) = path.into_inner();
-    match o2_enterprise::enterprise::openfga::authorizer::get_role_permissions(
+    match o2_enterprise::enterprise::openfga::authorizer::roles::get_role_permissions(
         &org_id, &role_id, &resource,
     )
     .await
@@ -138,8 +144,10 @@ pub async fn get_role_permissions(
 #[get("/{org_id}/roles/{role_id}/users")]
 pub async fn get_users_with_role(path: web::Path<(String, String)>) -> Result<HttpResponse, Error> {
     let (org_id, role_id) = path.into_inner();
-    match o2_enterprise::enterprise::openfga::authorizer::get_users_with_role(&org_id, &role_id)
-        .await
+    match o2_enterprise::enterprise::openfga::authorizer::roles::get_users_with_role(
+        &org_id, &role_id,
+    )
+    .await
     {
         Ok(res) => Ok(HttpResponse::Ok().json(res)),
         Err(err) => Ok(HttpResponse::InternalServerError().body(err.to_string())),
@@ -161,7 +169,7 @@ pub async fn create_group(
     let org_id = org_id.into_inner();
     let user_grp = user_group.into_inner();
 
-    match o2_enterprise::enterprise::openfga::authorizer::create_group(
+    match o2_enterprise::enterprise::openfga::authorizer::groups::create_group(
         &org_id,
         &user_grp.name,
         user_grp.users.unwrap_or_default(),
@@ -191,7 +199,7 @@ pub async fn update_group(
     let (org_id, group_name) = path.into_inner();
     let user_grp = user_group.into_inner();
 
-    match o2_enterprise::enterprise::openfga::authorizer::update_group(
+    match o2_enterprise::enterprise::openfga::authorizer::groups::update_group(
         &org_id,
         &group_name,
         user_grp.add_users,
@@ -220,7 +228,7 @@ pub async fn update_group(
 pub async fn get_groups(path: web::Path<String>) -> Result<HttpResponse, Error> {
     let org_id = path.into_inner();
 
-    match o2_enterprise::enterprise::openfga::authorizer::get_all_groups(&org_id).await {
+    match o2_enterprise::enterprise::openfga::authorizer::groups::get_all_groups(&org_id).await {
         Ok(res) => Ok(HttpResponse::Ok().json(res)),
         Err(err) => Ok(HttpResponse::InternalServerError().body(err.to_string())),
     }
@@ -237,7 +245,9 @@ pub async fn get_groups(_path: web::Path<String>) -> Result<HttpResponse, Error>
 pub async fn get_group_details(path: web::Path<(String, String)>) -> Result<HttpResponse, Error> {
     let (_org_id, group_name) = path.into_inner();
 
-    match o2_enterprise::enterprise::openfga::authorizer::get_group_details(&group_name).await {
+    match o2_enterprise::enterprise::openfga::authorizer::groups::get_group_details(&group_name)
+        .await
+    {
         Ok(res) => Ok(HttpResponse::Ok().json(res)),
         Err(err) => Ok(HttpResponse::InternalServerError().body(err.to_string())),
     }
@@ -270,7 +280,9 @@ pub async fn get_resources(_org_id: web::Path<String>) -> Result<HttpResponse, E
 pub async fn delete_group(path: web::Path<(String, String)>) -> Result<HttpResponse, Error> {
     let (org_id, group_name) = path.into_inner();
 
-    match o2_enterprise::enterprise::openfga::authorizer::delete_group(&org_id, &group_name).await {
+    match o2_enterprise::enterprise::openfga::authorizer::groups::delete_group(&org_id, &group_name)
+        .await
+    {
         Ok(_) => Ok(HttpResponse::Ok().finish()),
         Err(err) => Ok(HttpResponse::InternalServerError().body(err.to_string())),
     }

diff --git a/src/handler/http/request/enrichment_table/mod.rs b/src/handler/http/request/enrichment_table/mod.rs
@@ -29,7 +29,7 @@ use crate::{
 #[utoipa::path(
     context_path = "/api",
     tag = "Functions",
-    operation_id = "CreateEnrichmentTable",
+    operation_id = "CreateUpdateEnrichmentTable",
     security(
         ("Authorization" = [])
     ),

diff --git a/src/job/mod.rs b/src/job/mod.rs
@@ -191,7 +191,7 @@ pub async fn init() -> Result<(), anyhow::Error> {
     tokio::task::spawn(async move { alert_manager::run().await });
 
     #[cfg(feature = "enterprise")]
-    o2_enterprise::enterprise::openfga::authorizer::init_open_fga().await;
+    o2_enterprise::enterprise::openfga::authorizer::authz::init_open_fga().await;
 
     // RBAC model
     #[cfg(feature = "enterprise")]