feat!: Support only sending a subset of the fields to OPA (#49)

* WIP: First implementation

* refactor: Use dynamic dispatch (something something Java :))

* bump to HDFS 3.4.0, as it's the LTS now

* Update deps

* changelog and docs

* fix: Set path to `/` when the operation `contentSummary` is called on `/`i

* changelog

* changelog

* Add benchmark shell

* linter

* refactor: Making random stuff final

* Update README.md

Co-authored-by: Lars Francke <git@lars-francke.de>

* docs: Document reduced API call

* markdown linter

* Try silencing markdown linter

* Update src/main/java/tech/stackable/hadoop/StackableAccessControlEnforcer.java

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update README.md

Co-authored-by: Lars Francke <git@lars-francke.de>

* Update benchmark to use nested folder

---------

Co-authored-by: Lars Francke <git@lars-francke.de>

Author: sbernauer

.markdownlint.yaml

@@ -18,3 +18,8 @@ MD013:
 MD024:
   # Only check sibling headings
   siblings_only: true
+
+# MD033/no-inline-html Inline HTML [Element: summary]
+MD033:
+  # Allow expandable boxes
+  allowed_elements: [details, summary]

CHANGELOG.md

@@ -6,11 +6,20 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
-- Bump okio to 1.17.6 to get rid of CVE-2023-3635 ([#46])
+- BREAKING: Only send a subset of the fields sufficient for most use-cases to OPA for performance reasons.
+  The old behavior of sending all fields can be restored by setting `hadoop.security.authorization.opa.extended-requests`
+  to `true` ([#49]).
 - Performance fixes ([#50])
-- Updates various dependencies and does a full spotless run. This will now require JDK 17 or later to build (required by later error-prone versions), the build target is still Java 11 [#51]
+- Updates various dependencies and do a full spotless run. This will now require JDK 17 or later to build
+  (required by later error-prone versions), the build target is still Java 11 [#51]
+- Bump okio to 1.17.6 to get rid of CVE-2023-3635 ([#46])
+
+### Fixed
+
+- Set path to `/` when the operation `contentSummary` is called on `/`. Previously path was set to `null` ([#49]).
 
 [#46]: https://github.com/stackabletech/hdfs-utils/pull/46
+[#49]: https://github.com/stackabletech/hdfs-utils/pull/49
 [#50]: https://github.com/stackabletech/hdfs-utils/pull/50
 [#51]: https://github.com/stackabletech/hdfs-utils/pull/51
 

README.md

@@ -26,13 +26,51 @@ The Stackable HDFS already takes care of this, you don't need to do anything in
 
 - Set `dfs.namenode.inode.attributes.provider.class` in `hdfs-site.xml` to `tech.stackable.hadoop.StackableAuthorizer`
 - Set `hadoop.security.authorization.opa.policy.url` in `core-site.xml` to the HTTP endpoint of your OPA rego rule, e.g. `http://opa.default.svc.cluster.local:8081/v1/data/hdfs/allow`
+- The property `hadoop.security.authorization.opa.extended-requests` (defaults to `false`) controls if all fields (`true`) should be sent to OPA or only a subset
+  Sending all fields degrades the performance, but allows for more advanced authorization.
 
 ### API
 
-For every action a request similar to the following is sent to OPA:
+By default for every HDFS action a request similar to the following is sent to OPA:
+
+```json
+{
+  "input": {
+    "fsOwner": "nn",
+    "supergroup": "supergroup",
+    "callerUgi": {
+      "realUser": null,
+      "userName": "alice/test-hdfs-permissions.default.svc.cluster.local@CLUSTER.LOCAL",
+      "shortUserName": "alice",
+      "primaryGroup": "developers",
+      "groups": [
+        "developers"
+      ],
+      "authenticationMethod": "KERBEROS",
+      "realAuthenticationMethod": "KERBEROS"
+    },
+    "snapshotId": 2147483646,
+    "path": "/developers-ro/hosts._COPYING_",
+    "ancestorIndex": 1,
+    "doCheckOwner": false,
+    "ignoreEmptyDir": false,
+    "operationName": "getfileinfo",
+    "callerContext": {
+      "context": "CLI",
+      "signature": null
+    }
+  }
+}
+```
+
+The contained details should be sufficient for most use-cases.
+However, if you need access to all the provided information from the `INodeAttributeProvider.AccessControlEnforcer` interface, you can instruct hdfs-utils to send all fields by setting `hadoop.security.authorization.opa.extended-requests` to `true`.
+However, please note that this results in very big JSON objects being send from HDFS to OPA, so please keep an eye on performance degradations.
+
+The following example provides an extend request sending all available fields:
 
 <details>
-<summary>Example request</summary>
+<summary>Example extended request</summary>
 
 ```json
 {

src/main/java/tech/stackable/hadoop/OpaException.java

@@ -2,7 +2,6 @@
 
 import static tech.stackable.hadoop.StackableGroupMapper.OPA_MAPPING_URL_PROP;
 
-import java.net.URI;
 import java.net.http.HttpResponse;
 
 public abstract class OpaException extends RuntimeException {
@@ -22,7 +21,7 @@ public UriMissing(String configuration) {
   }
 
   public static final class UriInvalid extends OpaException {
-    public UriInvalid(URI uri, Throwable cause) {
+    public UriInvalid(String uri, Throwable cause) {
       super(
           "Open Policy Agent URI is invalid (see configuration property \""
               + OPA_MAPPING_URL_PROP

src/main/java/tech/stackable/hadoop/OpaReducedAllowQuery.java

@@ -0,0 +1,43 @@
+package tech.stackable.hadoop;
+
+import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider;
+
+public class OpaReducedAllowQuery {
+  public final OpaReducedAllowQueryInput input;
+
+  public OpaReducedAllowQuery(OpaReducedAllowQueryInput input) {
+    this.input = input;
+  }
+
+  /**
+   * Similar to {@link OpaAllowQuery.OpaAllowQueryInput}, but this class only contains a subset of
+   * fields that should be sufficient for most use-cases, but offer a much better performance. See
+   * <a href="https://github.com/stackabletech/hdfs-utils/issues/48">this issue</a> for details.
+   */
+  public static class OpaReducedAllowQueryInput {
+    public String fsOwner;
+    public String supergroup;
+    // Wrapping this
+    public OpaQueryUgi callerUgi;
+    public int snapshotId;
+    public String path;
+    public int ancestorIndex;
+    public boolean doCheckOwner;
+    public boolean ignoreEmptyDir;
+    public String operationName;
+    public org.apache.hadoop.ipc.CallerContext callerContext;
+
+    public OpaReducedAllowQueryInput(INodeAttributeProvider.AuthorizationContext context) {
+      this.fsOwner = context.getFsOwner();
+      this.supergroup = context.getSupergroup();
+      this.callerUgi = new OpaQueryUgi(context.getCallerUgi());
+      this.snapshotId = context.getSnapshotId();
+      this.path = context.getPath();
+      this.ancestorIndex = context.getAncestorIndex();
+      this.doCheckOwner = context.isDoCheckOwner();
+      this.ignoreEmptyDir = context.isIgnoreEmptyDir();
+      this.operationName = context.getOperationName();
+      this.callerContext = context.getCallerContext();
+    }
+  }
+}

src/main/java/tech/stackable/hadoop/StackableAccessControlEnforcer.java

@@ -52,11 +52,14 @@ public class StackableAccessControlEnforcer
   private static final Logger LOG = LoggerFactory.getLogger(StackableAccessControlEnforcer.class);
 
   public static final String OPA_POLICY_URL_PROP = "hadoop.security.authorization.opa.policy.url";
+  public static final String EXTENDED_REQUESTS_PROP =
+      "hadoop.security.authorization.opa.extended-requests";
 
   private static final HttpClient HTTP_CLIENT =
       HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(30)).build();
   private final ObjectMapper json;
-  private URI opaUri;
+  private final URI opaUri;
+  private final boolean extendedRequests;
 
   public StackableAccessControlEnforcer() {
     LOG.debug("Starting StackableAccessControlEnforcer");
@@ -72,9 +75,11 @@ public StackableAccessControlEnforcer() {
     try {
       opaUri = URI.create(opaPolicyUrl);
     } catch (Exception e) {
-      throw new OpaException.UriInvalid(opaUri, e);
+      throw new OpaException.UriInvalid(opaPolicyUrl, e);
     }
 
+    extendedRequests = configuration.getBoolean(EXTENDED_REQUESTS_PROP, false);
+
     json =
         new ObjectMapper()
             // OPA server can send other fields, such as `decision_id`` when enabling decision logs
@@ -98,7 +103,14 @@ public StackableAccessControlEnforcer() {
             // recursion (StackOverflowError)
             .addMixIn(DatanodeDescriptor.class, DatanodeDescriptorMixin.class);
 
-    LOG.debug("Started HdfsOpaAccessControlEnforcer");
+    StringBuilder logStartupStatement = new StringBuilder("Started StackableAccessControlEnforcer");
+    if (this.extendedRequests) {
+      logStartupStatement.append(" sending extended requests");
+    } else {
+      logStartupStatement.append(" sending reduced requests");
+    }
+    logStartupStatement.append(" to OPA url ").append(this.opaUri);
+    LOG.debug(logStartupStatement.toString());
   }
 
   private static class OpaQueryResult {
@@ -158,7 +170,21 @@ public void checkPermission(
   @Override
   public void checkPermissionWithContext(INodeAttributeProvider.AuthorizationContext authzContext)
       throws AccessControlException {
-    OpaAllowQuery query = new OpaAllowQuery(new OpaAllowQuery.OpaAllowQueryInput(authzContext));
+    // When executing "hdfs dfs -du /" the path is set to null. This does not worsen security, as
+    // "/" is the highest level of access that a user can have.
+    if (authzContext.getOperationName().equals("contentSummary")
+        && authzContext.getPath() == null) {
+      authzContext.setPath("/");
+    }
+
+    Object query;
+    if (this.extendedRequests) {
+      query = new OpaAllowQuery(new OpaAllowQuery.OpaAllowQueryInput(authzContext));
+    } else {
+      query =
+          new OpaReducedAllowQuery(
+              new OpaReducedAllowQuery.OpaReducedAllowQueryInput(authzContext));
+    }
 
     String body;
     try {

src/main/java/tech/stackable/hadoop/StackableGroupMapper.java

@@ -23,7 +23,7 @@ public class StackableGroupMapper implements GroupMappingServiceProvider {
   private static final HttpClient HTTP_CLIENT =
       HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(30)).build();
   private final ObjectMapper json;
-  private URI opaUri;
+  private final URI opaUri;
 
   public StackableGroupMapper() {
     // Guaranteed to be only called once (Effective Java: Item 3)
@@ -37,7 +37,7 @@ public StackableGroupMapper() {
     try {
       this.opaUri = URI.create(opaMappingUrl);
     } catch (Exception e) {
-      throw new OpaException.UriInvalid(opaUri, e);
+      throw new OpaException.UriInvalid(opaMappingUrl, e);
     }
 
     LOG.debug("OPA mapping URL: {}", opaMappingUrl);

test/stack/20-hdfs.yaml

@@ -51,6 +51,9 @@ spec:
                 level: INFO
               tech.stackable.hadoop:
                 level: DEBUG
+    # configOverrides:
+    #   hdfs-site.xml:
+    #     hadoop.security.authorization.opa.extended-requests: "true"
     roleGroups:
       default:
         replicas: 2

test/stack/31-benchmark-shell.yaml

@@ -27,14 +27,13 @@ spec:
 
               log_in admin
 
-              bin/hdfs dfs -mkdir -p /bench
-              bin/hdfs dfs -ls /bench
+              bin/hdfs dfs -mkdir -p /bench/deep/path/with/many/sub/sub/dirs/
 
-              # for i in $(seq 0 10); do echo "Creating $i" && bin/hdfs dfs -put -f /etc/hosts /bench/$i; done
+              # for i in $(seq 0 100); do echo "Creating $i" && bin/hdfs dfs -put -f /etc/hosts /bench/deep/path/with/many/sub/sub/dirs/$i; done
 
               # Watch out for the exact command you are using! (e.g. don't use "du -h /""). Checl the NameNode logs to
               # make sure you actually produce enough OPA calls.
-              # time bin/hdfs dfs -du -h /bench
+              # time bin/hdfs dfs -du -h /bench/deep/path/with/many/sub/sub/dirs
 
               # So that you can run the benchmark manually
               sleep infinity