Skip to content

chore(acl): Implicit categories #3411

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 8, 2024
Merged

chore(acl): Implicit categories #3411

merged 3 commits into from
Nov 8, 2024

Conversation

dranikpg
Copy link
Contributor

My weekly cleanup idea. Most of our CO:: categories became meaningless with the introduction of acl. For example, CO::FAST literally doesn't mean anything, it's never read or used.

The two options are either removing outdated categories or using the rules for acl category deduction:

https://github.com/redis/redis/blob/93fb83b4cb5090b7b48f5466924237558685b811/src/server.c#L3008

@dranikpg dranikpg requested a review from kostasrim July 30, 2024 19:38
@kostasrim
Copy link
Contributor

@dranikpg acl_fam unit failing

kostasrim
kostasrim reviewed Jul 31, 2024
View reviewed changes
src/server/command_registry.cc
if (mask & CO::BLOCKING)
out |= acl::BLOCKING;

if ((out & acl::FAST) == 0)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A counter example to this is HGETALL which we mark as:

<< CI{"HGETALL", CO::FAST | CO::READONLY, 2, 1, 1, acl::kHGetAll}.HFUNC(HGetAll)

which according to the rules above would mark it as FAST instead of SLOW.

My concern here is that we have to manually check all of these commands and the CO:: variants actually do map to the rules implemented in ImplicitAclCategories (and if the above mapping has no mistakes as well)

Another concern I have is that if we have bugs in our CO:: variants the Implicit rules describe above will insert a bugs in our ACL rules.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another concern I have is that if we have bugs

You can apply that concern to any code, I've added an option to return acl categories from COMMAND, so we can compare before and after and see the differences

before.txt

A counter example to this is HGETALL which we mark as:

It's not a counter example, we just remove CO::FAST. Again, the CO tags don't mean anything now

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, in fact a diff on this will also hinter any errors. I like that

kostasrim
kostasrim reviewed Jul 31, 2024
View reviewed changes
src/server/string_family.cc
<< CI{"SETRANGE", CO::WRITE | CO::FAST | CO::DENYOOM, 4, 1, 1, acl::kSetRange}.HFUNC(SetRange)
<< CI{"CL.THROTTLE", CO::WRITE | CO::DENYOOM | CO::FAST, -5, 1, 1, acl::kClThrottle}.HFUNC(
ClThrottle);
registry->StartFamily(acl::STRING);
Copy link
Contributor

@kostasrim kostasrim Jul 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can create a class template that is implicitly convertible to CommandId and during that conversion it injects the acl family like acl::STRING here which will move away the logic from registry. But IMO I am mostly worried about correctness than syntactic sugar

@dranikpg
chore(acl): Implicit categories
0789942 
Signed-off-by: Vladislav Oleshko <vlad@dragonflydb.io>
@dranikpg
Copy link
Contributor Author

dranikpg commented Nov 8, 2024 

import redis
import json

def set_default(obj):
    if isinstance(obj, set):
        return sorted(list(obj))
    raise TypeError

cmds = redis.Redis(protocol=3, decode_responses=True).execute_command("COMMAND")
print(json.dumps(cmds, indent=2, sort_keys=True, default=set_default))

after.txt
before.txt

4 commands had a conflict between CO::FAST and acl::kFast, being either of them, but not both. Fixed this

--- before.txt  2024-11-08 10:38:51.213266052 +0300
+++ after.txt   2024-11-08 10:46:28.593254864 +0300
@@ -1231,21 +1231,20 @@
   },
   "GETRANGE": {
     "acl_categories": [
       "@READ",
       "@STRING",
       "@SLOW"
     ],
     "arity": 4,
     "first_key_pos": 1,
     "flags": [
-      "fast",
       "readonly"
     ],
     "last_key_pos": 1,
     "name": "GETRANGE",
     "step_count": 1
   },
   "GETSET": {
     "acl_categories": [
       "@WRITE",
       "@STRING",
@@ -3014,37 +3013,37 @@
   "SETNX": {
     "acl_categories": [
       "@WRITE",
       "@STRING",
       "@FAST"
     ],
     "arity": 3,
     "first_key_pos": 1,
     "flags": [
       "denyoom",
+      "fast",
       "write"
     ],
     "last_key_pos": 1,
     "name": "SETNX",
     "step_count": 1
   },
   "SETRANGE": {
     "acl_categories": [
       "@WRITE",
       "@STRING",
       "@SLOW"
     ],
     "arity": 4,
     "first_key_pos": 1,
     "flags": [
       "denyoom",
-      "fast",
       "write"
     ],
     "last_key_pos": 1,
     "name": "SETRANGE",
     "step_count": 1
   },
   "SHUTDOWN": {
     "acl_categories": [
       "@ADMIN",
       "@SLOW",
@@ -3337,21 +3336,20 @@
   },
   "SUBSTR": {
     "acl_categories": [
       "@READ",
       "@STRING",
       "@SLOW"
     ],
     "arity": 4,
     "first_key_pos": 1,
     "flags": [
-      "fast",
       "readonly"
     ],
     "last_key_pos": 1,
     "name": "SUBSTR",
     "step_count": 1
   },
   "SUNION": {
     "acl_categories": [
       "@READ",
       "@SET",

@dranikpg dranikpg requested a review from kostasrim November 8, 2024 07:45
@dranikpg dranikpg marked this pull request as ready for review November 8, 2024 08:47
kostasrim
kostasrim approved these changes Nov 8, 2024
View reviewed changes
Copy link
Contributor

@kostasrim kostasrim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯 When I get a chance I will help apply it to the rest of the families

@kostasrim kostasrim merged commit b860b71 into dragonflydb:main Nov 8, 2024
9 checks passed
@dranikpg dranikpg mentioned this pull request Nov 8, 2024
Open
kostasrim pushed a commit that referenced this pull request Nov 8, 2024
@dranikpg @kostasrim
chore(acl): Implicit categories (#3411)
1b61953 
Most of our CO:: categories became meaningless with the introduction of acl. For example, CO::FAST literally doesn't mean anything, it's never read or used.

* add implicit categories

---------

Signed-off-by: Vladislav Oleshko <vlad@dragonflydb.io>
romange pushed a commit that referenced this pull request Nov 9, 2024
@dranikpg @romange
chore(acl): Implicit categories (#3411)
10547f7 
Most of our CO:: categories became meaningless with the introduction of acl. For example, CO::FAST literally doesn't mean anything, it's never read or used.

* add implicit categories

---------

Signed-off-by: Vladislav Oleshko <vlad@dragonflydb.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kostasrim kostasrim kostasrim approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dranikpg @kostasrim