Skip to content

feat(access-control-service): AccessControlService added as a new micro service #3767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 38 commits into from
Sep 26, 2025
Merged

feat(access-control-service): AccessControlService added as a new micro service #3767

merged 38 commits into from
Sep 26, 2025

Conversation

@aicam
Copy link
Contributor

@aicam aicam commented Sep 25, 2025
edited
Loading

Overview

This PR is fixing the first part of #3634. The full PR had so many changes so we broke it down into two PRs. This PR is the first one that introduce Access Control Service only without its usage in any part of the system.

Test cases

  • Empty authorization token
  • Wrong CUID format
  • Request access for a user without access to the computing unit
  • Request access for a user with access to the computing unit

Changes

Currently, the folder named access-control-service is added with its dependencies to auth folder. Currently, it has test cases to make sure its functionality is working correctly.

Screenshot from 2025-09-25 15-46-55
Component/Flow File Description
New AccessControl Service core/access-control-service/... A new Dropwizard-based microservice responsible for authorizing user requests to computing units. This includes its build configuration, application setup (AccessControlService.scala), configuration model (AccessControlServiceConfiguration.scala), authorization logic, REST endpoint (AccessControlResource.scala), and unit tests (AccessControlResourceSpec.scala).
Database Access Logic core/auth/src/main/scala/edu/uci/ics/texera/auth/util/ComputingUnitAccess.scala Implements the logic to query the PostgreSQL database and determine a user's access privilege (READ, WRITE, NONE) for a given Computing Unit.
core/auth/src/main/scala/edu/uci/ics/texera/auth/util/HeaderField.scala Defines constants for the custom HTTP headers (x-user-cu-access, x-user-id, etc.) that are injected by the Access Control Service.

aicam and others added 30 commits July 28, 2025 21:30
@aicam
fix: arrow failed test case
d6cb177
@aicam
fix: downgrading arrow lib in R
0e581e7
@aicam
fix: downgrading arrow lib in R
c0102f4
@aicam
fix: downgrading arrow lib in R
12cdf7d
@aicam
fix: downgrading arrow lib in R
4d6af65
@aicam
fix: downgrading arrow lib in R
fd6c9ad
@aicam
fix: downgrading arrow lib in R
82be22a
@aicam
fix: downgrading arrow lib in R
10c05f6
@aicam
fix: downgrading arrow lib in R
c97227b
@aicam
fix: downgrading arrow lib in R
27d4afb
@aicam
fix: downgrading arrow lib in R
e76a6e7
@aicam
fix: downgrading arrow lib in R
aec7aee
@aicam
fix: downgrading arrow lib in R
c65a1db
@aicam
fix: downgrading arrow lib in R
377863f
@aicam
fix: downgrading arrow lib in R
5cb1037
@aicam
fix: downgrading arrow lib in R
9da3556
@aicam
fix: downgrading arrow lib in R
65b065c
@aicam
Merge branch 'Texera:master' into master
38d9bf7
@aicam
Merge branch 'apache:master' into master
ed19464
@aicam
Merge branch 'apache:master' into master
2043ec9
@aicam
Merge branch 'apache:master' into master
51fac50
@aicam
Merge branch 'apache:master' into master
946c6ff
@aicam
Merge branch 'apache:master' into master
98120f9
@aicam
Merge branch 'apache:master' into master
1b1cd29
@aicam
Merge branch 'apache:main' into master
ca9a4be
@aicam
Merge branch 'apache:main' into main
879659b
@aicam
Merge branch 'apache:main' into main
feb2c4d
@aicam
Merge branch 'apache:main' into main
7d67268
@aicam
Merge branch 'apache:main' into main
009e88d
@aicam
Merge branch 'apache:main' into main
6806ded
@aicam aicam self-assigned this Sep 25, 2025
Copilot AI review requested due to automatic review settings September 25, 2025 14:15
Copilot AI reviewed Sep 25, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces a new Access Control Service as a standalone microservice to handle user authorization for computing unit requests. The service validates JWT tokens, checks user permissions against computing units in the PostgreSQL database, and returns authorization decisions with appropriate user metadata headers.

  • Adds a new Dropwizard-based microservice for access control authorization
  • Implements database queries to determine user privileges (READ/WRITE/NONE) for computing units
  • Creates shared utilities for HTTP header constants used by the access control system

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
core/config/src/main/scala/edu/uci/ics/amber/util/PathUtils.scala Adds path constant for the new access control service directory
core/build.sbt Defines the AccessControlService project with dependencies on Auth, Config, and DAO modules
core/auth/src/main/scala/edu/uci/ics/texera/auth/util/HeaderField.scala Defines HTTP header constants for user metadata passed by the access control service
core/auth/src/main/scala/edu/uci/ics/texera/auth/util/ComputingUnitAccess.scala Implements database logic to query user access privileges for computing units
core/access-control-service/src/test/scala/edu/uci/ics/texera/AccessControlResourceSpec.scala Comprehensive test suite covering authorization scenarios including valid/invalid tokens and access permissions
core/access-control-service/src/main/scala/edu/uci/ics/texera/service/resource/HealthCheckResource.scala Simple health check endpoint for service monitoring
core/access-control-service/src/main/scala/edu/uci/ics/texera/service/resource/AccessControlResource.scala REST endpoints for GET/POST authorization requests
core/access-control-service/src/main/scala/edu/uci/ics/texera/service/access/AccessChecker.scala Core authorization logic with path matching and computing unit access validation
core/access-control-service/src/main/scala/edu/uci/ics/texera/service/AccessControlServiceConfiguration.scala Dropwizard configuration class
core/access-control-service/src/main/scala/edu/uci/ics/texera/service/AccessControlService.scala Main Dropwizard application entry point
core/access-control-service/src/main/resources/logback.xml Logging configuration
core/access-control-service/src/main/resources/access-control-service-web-config.yaml Service configuration for port 9096
core/access-control-service/project/build.properties SBT version configuration
core/access-control-service/build.sbt Build configuration with Dropwizard dependencies

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@aicam aicam changed the title Access control Service added as a new microservice feat(access-control-service): Access control Service added as a new microservice Sep 25, 2025
@aicam aicam requested review from bobbai00 and chenlica September 25, 2025 14:20
bobbai00
bobbai00 reviewed Sep 25, 2025
View reviewed changes
Copy link
Contributor

@bobbai00 bobbai00 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good start! I left some comments.

@aicam aicam requested a review from bobbai00 September 25, 2025 20:27
bobbai00
bobbai00 approved these changes Sep 25, 2025
View reviewed changes
Copy link
Contributor

@bobbai00 bobbai00 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@aicam aicam linked an issue Sep 25, 2025 that may be closed by this pull request
Access Control service for /wsapi and Computing Unit endpoints security #3634
Closed
chenlica
chenlica approved these changes Sep 25, 2025
View reviewed changes
Copy link
Contributor

@chenlica chenlica left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After a few iterations of discussion, this PR is in a good shape.

@bobbai00 bobbai00 changed the title feat(access-control-service): Access control Service added as a new microservice feat(access-control-service): AccessControlService added as a new micro service Sep 25, 2025
@aicam aicam enabled auto-merge (squash) September 26, 2025 15:37
@aicam aicam merged commit dbeb0a0 into apache:main Sep 26, 2025
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@chenlica chenlica chenlica approved these changes

@bobbai00 bobbai00 bobbai00 approved these changes

Assignees

@aicam aicam

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Access Control service for /wsapi and Computing Unit endpoints security

3 participants

@aicam @chenlica @bobbai00