@aicam aicam commented Jul 28, 2025

Access Control Service

This service is currently used only by Envoy as an authorization service. It acts as a third-party service that authorizes any request sent to the computing unit to get a socket connection through /wsapi. It parses the user-token from URL parameters, then checks the user's access to the computing unit against the database and adds the corresponding information to the following headers:

  • x-user-cu-access
  • x-user-id
  • x-user-name
  • x-user-email

If the service cannot parse the token or fails for any reason, access to the computing unit is denied by Envoy. If the authorization succeeds, the user is connected directly to the computing unit using Upgrade on the first HTTP handshake request, so the latency will not change.

The new connection flow

  1. A user initiates an HTTP request to connect to a specific Computing Unit.
  2. The request is first routed through the Gateway to Envoy.
  3. Envoy pauses the request and sends a query to the Access Control Service to get an authorization decision.
  4. The Access Control Service verifies the user's token and checks a PostgreSQL database to see if the user has the necessary permissions for the target Computing Unit.
  5. If authorized, the service injects specific HTTP headers (x-user-cu-access, x-user-id, x-user-name) into the request and sends an approval back to Envoy.
  6. Envoy then forwards the approved request to the Computing Unit.
  7. The connection is then upgraded to a WebSocket, establishing a secure, interactive session.

If authorization fails at any point, Envoy immediately denies the connection request, and the user is prevented from accessing the Computing Unit. This new process provides enhanced security, a centralized authorization logic, and is designed to have no performance impact on the established WebSocket connection since the check is performed only on the initial handshake.

Summary of file changes

| Component/Flow | File | Description |
| --- | --- | --- |
| Database Access Logic | core/auth/src/main/scala/edu/uci/ics/texera/auth/util/ComputingUnitAccess.scala | Implements the logic to query the PostgreSQL database and determine a user's access privilege (READ, WRITE, NONE) for a given Computing Unit. |
| Database Access Logic | core/auth/src/main/scala/edu/uci/ics/texera/auth/util/HeaderField.scala | Defines constants for the custom HTTP headers (x-user-cu-access, x-user-id, etc.) that are injected by the Access Control Service. |
| WebSocket Connection Handling | core/amber/src/main/scala/edu/uci/ics/texera/web/ServletAwareConfigurator.scala | Modified to read the new authorization headers during the WebSocket handshake. If headers are present, it creates the User object from them; otherwise, it falls back to the old method of parsing the JWT from URL parameters for single-node mode. |
| WebSocket Connection Handling | core/amber/src/main/scala/edu/uci/ics/texera/web/SessionState.scala | Updated to store the user's access privilege level for the current computing unit within the session. |
| WebSocket Connection Handling | core/amber/src/main/scala/edu/uci/ics/texera/web/resource/WorkflowWebsocketResource.scala | Enforces the access control by checking if the user has WRITE privilege before allowing a WorkflowExecuteRequest. |
| Deployment & Routing | deployment/access-control-service.dockerfile | New Dockerfile for building and containerizing the Access Control Service. |
| Deployment & Routing | deployment/k8s/texera-helmchart/templates/access-control-service-deployment.yaml | New Kubernetes manifest to deploy the Access Control Service. |
| Deployment & Routing | deployment/k8s/texera-helmchart/templates/access-control-service-service.yaml | New Kubernetes service manifest to expose the Access Control Service within the cluster. |
| Deployment & Routing | deployment/k8s/texera-helmchart/templates/envoy-config.yaml | Key change: Configures Envoy to use the new service as an external authorization filter (ext_authz). It intercepts relevant requests, forwards them for an authorization check, and then passes the injected headers to the upstream service (AmberMaster). |
| Deployment & Routing | deployment/k8s/texera-helmchart/values.yaml | Adds the configuration parameters for the new Access Control Service to the Helm chart. |
| Frontend UI | core/gui/src/app/workspace/component/menu/menu.component.ts & .html | The frontend is updated to disable the "Run" button if the connected user does not have WRITE access to the selected Computing Unit, providing immediate visual feedback. |
| Build & Configuration | core/build.sbt | The root SBT build file is updated to include the new AccessControlService module. |
| Build & Configuration | core/config/src/main/scala/edu/uci/ics/amber/util/PathUtils.scala | Adds a path helper for the new service's directory structure. |
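
The authorization decision from steps 3 to 5 and the WRITE check from the file table, modelled in Python as an added example; it is not the PR's Scala code. The HMAC token format, the `cuid` parameter name, the claim names and the in-memory access table (standing in for the PostgreSQL lookup) are assumptions made so the example runs offline.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # assumption: key shared with the token issuer
# Constructed stand-in for the PostgreSQL lookup: (user id, computing unit id) -> privilege
CU_ACCESS = {(7, 42): "WRITE", (8, 42): "READ"}

def make_token(claims):
    """Constructed HMAC-signed token standing in for the real user token."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token):
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims

def authorize(url):
    """Decision returned to the proxy: (status, headers to inject upstream)."""
    try:
        query = parse_qs(urlsplit(url).query)
        claims = verify_token(query["user-token"][0])
        access = CU_ACCESS.get((claims["uid"], int(query["cuid"][0])), "NONE")
        if access == "NONE":
            return 403, {}
        return 200, {"x-user-cu-access": access, "x-user-id": str(claims["uid"]),
                     "x-user-name": claims["name"], "x-user-email": claims["email"]}
    except Exception:
        return 403, {}  # fail closed: unparsable, forged or expired tokens are denied

def may_execute(headers):
    """Computing-unit side: only WRITE may submit a WorkflowExecuteRequest."""
    return headers.get("x-user-cu-access") == "WRITE"

def demo_url(uid, cuid, ttl=60):
    """Build a constructed /wsapi handshake URL for the sample users."""
    claims = {"uid": uid, "name": f"user{uid}", "email": f"user{uid}@example.org",
              "exp": time.time() + ttl}
    return f"/wsapi?user-token={make_token(claims)}&cuid={cuid}"
```

Every failure path returns the same 403 with no headers, so a denied handshake never carries identity headers upstream.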

Copilot AI review requested due to automatic review settings July 28, 2025 16:46


@aicam aicam linked an issue Aug 11, 2025 that may be closed by this pull request

@bobbai00 bobbai00 left a comment

LGTM!

bobbai00 commented Oct 2, 2025

Can you also include the design diagram in the PR description?

@github-actions github-actions bot added engine dependencies Pull requests that update a dependency file frontend Changes related to the frontend GUI backend Anything related to backend services build labels Oct 3, 2025
@github-actions github-actions bot removed the backend Anything related to backend services label Oct 4, 2025

@chenlica chenlica left a comment

Please check those comments.

chenlica commented Oct 5, 2025

This PR has 16 files. Can we divide it into smaller PRs?

aicam added a commit that referenced this pull request Oct 8, 2025
## Update
This PR fixes formatting issues that introduce redundant file changes in
the core [PR](#3598).
@aicam aicam requested a review from chenlica October 8, 2025 04:09

@chenlica chenlica left a comment

LGTM

@aicam aicam merged commit 8b28c19 into apache:main Oct 8, 2025
11 checks passed