RBAC conductor implementation

Type: Improvement
JIRA: DEP-686
Signed-off-by: jmasar <[email protected]>

client/src/main/java/com/netflix/conductor/client/http/ClientRequestHandler.java

@@ -60,24 +60,33 @@ public BulkResponse delete(URI uri, Object body) {
         if (body != null) {
             return client.resource(uri)
                     .type(MediaType.APPLICATION_JSON_TYPE)
+                    .header("from", "admin")
+                    .header("x-auth-user-roles", "admin")
                     .delete(BulkResponse.class, body);
         } else {
-            client.resource(uri).delete();
+            client.resource(uri)
+                    .header("from", "admin")
+                    .header("x-auth-user-roles", "admin")
+                    .delete();
         }
         return null;
     }
 
     public ClientResponse get(URI uri) {
         return client.resource(uri)
                 .accept(MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN)
+                .header("from", "admin")
+                .header("x-auth-user-roles", "admin")
                 .get(ClientResponse.class);
     }
 
     public WebResource.Builder getWebResourceBuilder(URI URI, Object entity) {
         return client.resource(URI)
                 .type(MediaType.APPLICATION_JSON)
                 .entity(entity)
-                .accept(MediaType.TEXT_PLAIN, MediaType.APPLICATION_JSON);
+                .accept(MediaType.TEXT_PLAIN, MediaType.APPLICATION_JSON)
+                .header("From", "admin")
+                .header("x-auth-user-roles", "admin");
     }
 
     private boolean isNewerJacksonVersion() {

core/src/main/java/com/netflix/conductor/core/dal/ExecutionDAOFacade.java

@@ -759,6 +759,22 @@ public void populateTaskData(TaskModel taskModel) {
         }
     }
 
+    public List<String> getLabels(String wfId) {
+        return executionDAO.getLabels(wfId);
+    }
+
+    public List<String> getTaskDescription(String taskType) {
+        return executionDAO.getTaskDescription(taskType);
+    }
+
+    public SearchResult<WorkflowSummary> getUserSummaries(List<String> groupsAndRoles) {
+        return indexDAO.getUserSummaries(groupsAndRoles);
+    }
+
+    public List<String> getUserIds(List<String> groupsAndRoles, List<String> wfIds) {
+        return executionDAO.getUserIds(groupsAndRoles, wfIds);
+    }
+
     class DelayWorkflowUpdate implements Runnable {
 
         private final String workflowId;

core/src/main/java/com/netflix/conductor/core/execution/WorkflowExecutor.java

@@ -1790,4 +1790,8 @@ private void expediteLazyWorkflowEvaluation(String workflowId) {
 
         LOGGER.info("Pushed workflow {} to {} for expedited evaluation", workflowId, DECIDER_QUEUE);
     }
+
+    public List<String> getUserIds(List<String> groupsAndRoles, List<String> wfIds) {
+        return executionDAOFacade.getUserIds(groupsAndRoles, wfIds);
+    }
 }

core/src/main/java/com/netflix/conductor/core/index/NoopIndexDAO.java

@@ -160,4 +160,9 @@ public List<String> searchArchivableWorkflows(String indexName, long archiveTtlD
     public long getWorkflowCount(String query, String freeText) {
         return 0;
     }
+
+    @Override
+    public SearchResult<WorkflowSummary> getUserSummaries(List<String> groupsAndRoles) {
+        return null;
+    }
 }

core/src/main/java/com/netflix/conductor/dao/ExecutionDAO.java

@@ -222,4 +222,10 @@ List<WorkflowModel> getWorkflowsByCorrelationId(
     default List<WorkflowModel> getWorkflowFamily(String workflowId, boolean summaryOnly) {
         throw new UnsupportedOperationException();
     }
+
+    List<String> getLabels(String wfId);
+
+    List<String> getTaskDescription(String taskType);
+
+    List<String> getUserIds(List<String> groupsAndRoles, List<String> wfIds);
 }

core/src/main/java/com/netflix/conductor/dao/IndexDAO.java

@@ -247,4 +247,6 @@ CompletableFuture<Void> asyncUpdateTask(
      * @return Number of matches for the query
      */
     long getWorkflowCount(String query, String freeText);
+
+    SearchResult<WorkflowSummary> getUserSummaries(List<String> groupsAndRoles);
 }

core/src/main/java/com/netflix/conductor/dao/MetadataDAO.java

@@ -15,6 +15,7 @@
 import java.util.List;
 import java.util.Optional;
 
+import com.netflix.conductor.common.metadata.BaseDef;
 import com.netflix.conductor.common.metadata.tasks.TaskDef;
 import com.netflix.conductor.common.metadata.workflow.WorkflowDef;
 
@@ -86,4 +87,10 @@ public interface MetadataDAO {
      * @return List the latest versions of the workflow definitions
      */
     List<WorkflowDef> getAllWorkflowDefsLatestVersions();
+
+    List<String> getDescription(BaseDef def);
+
+    List<WorkflowDef> getUserWorkflowDefs(List<String> groupsAndRoles);
+
+    List<TaskDef> getUserTaskDefs(List<String> groupsAndRoles);
 }

core/src/main/java/com/netflix/conductor/service/ExecutionService.java

@@ -611,4 +611,16 @@ public ExternalStorageLocation getExternalStorageLocation(
     public List<String> getWorkflowPath(String workflowId) {
         return executionDAOFacade.getWorkflowPath(workflowId);
     }
+
+    public List<String> getLabels(String wfId) {
+        return executionDAOFacade.getLabels(wfId);
+    }
+
+    public List<String> getTaskDescription(String taskType) {
+        return executionDAOFacade.getTaskDescription(taskType);
+    }
+
+    public SearchResult<WorkflowSummary> getUserSummaries(List<String> groupsAndRoles) {
+        return executionDAOFacade.getUserSummaries(groupsAndRoles);
+    }
 }

core/src/main/java/com/netflix/conductor/service/MetadataService.java

@@ -156,4 +156,12 @@ List<EventHandler> getEventHandlersForEvent(
             boolean activeOnly);
 
     List<WorkflowDef> getWorkflowDefsLatestVersions();
+
+    List<String> getWorkflowDescription(String id, Integer version);
+
+    List<String> getTaskDescription(String id);
+
+    List<WorkflowDef> getUserWorkflowDefs(List<String> groupsAndRoles);
+
+    List<TaskDef> getUserTaskDefs(List<String> groupsAndRoles);
 }

core/src/main/java/com/netflix/conductor/service/MetadataServiceImpl.java

@@ -223,6 +223,26 @@ public List<WorkflowDef> getWorkflowDefsLatestVersions() {
         return metadataDAO.getAllWorkflowDefsLatestVersions();
     }
 
+    @Override
+    public List<String> getWorkflowDescription(String name, Integer version) {
+        return metadataDAO.getDescription(getWorkflowDef(name, version));
+    }
+
+    @Override
+    public List<String> getTaskDescription(String name) {
+        return metadataDAO.getDescription(getTaskDef(name));
+    }
+
+    @Override
+    public List<WorkflowDef> getUserWorkflowDefs(List<String> groupsAndRoles) {
+        return metadataDAO.getUserWorkflowDefs(groupsAndRoles);
+    }
+
+    @Override
+    public List<TaskDef> getUserTaskDefs(List<String> groupsAndRoles) {
+        return metadataDAO.getUserTaskDefs(groupsAndRoles);
+    }
+
     public Map<String, ? extends Iterable<WorkflowDefSummary>> getWorkflowNamesAndVersions() {
         List<WorkflowDef> workflowDefs = metadataDAO.getAllWorkflowDefs();
 

core/src/main/java/com/netflix/conductor/service/TaskService.java

@@ -250,4 +250,6 @@ SearchResult<TaskSummary> search(
      */
     ExternalStorageLocation getExternalStorageLocation(
             String path, String operation, String payloadType);
+
+    List<String> getTaskDefinition(String taskType);
 }

core/src/main/java/com/netflix/conductor/service/TaskServiceImpl.java

@@ -366,4 +366,9 @@ public ExternalStorageLocation getExternalStorageLocation(
             String path, String operation, String type) {
         return executionService.getExternalStorageLocation(path, operation, type);
     }
+
+    @Override
+    public List<String> getTaskDefinition(String taskType) {
+        return executionService.getTaskDescription(taskType);
+    }
 }

core/src/main/java/com/netflix/conductor/service/WorkflowBulkService.java

@@ -67,4 +67,6 @@ BulkResponse terminate(
                                     "Cannot process more than {max} workflows. Please use multiple requests.")
                     List<String> workflowIds,
             String reason);
+
+    List<String> getUserIds(List<String> groupsAndRoles, List<String> wfIds);
 }

core/src/main/java/com/netflix/conductor/service/WorkflowBulkServiceImpl.java

@@ -164,4 +164,9 @@ public BulkResponse terminate(List<String> workflowIds, String reason) {
         }
         return bulkResponse;
     }
+
+    @Override
+    public List<String> getUserIds(List<String> groupsAndRoles, List<String> wfIds) {
+        return workflowExecutor.getUserIds(groupsAndRoles, wfIds);
+    }
 }

core/src/main/java/com/netflix/conductor/service/WorkflowService.java

@@ -401,4 +401,10 @@ ExternalStorageLocation getExternalStorageLocation(
     List<String> getWorkflowPath(String workflowId);
 
     List<Workflow> getWorkflowFamily(String workflowId, boolean summaryOnly);
+
+    List<String> getWorkflowDescription(String id, Integer version);
+
+    List<String> getLabels(String wfId);
+
+    SearchResult<WorkflowSummary> getUserSummaries(List<String> groupsAndRoles);
 }

core/src/main/java/com/netflix/conductor/service/WorkflowServiceImpl.java

@@ -195,6 +195,21 @@ public List<Workflow> getWorkflowFamily(String workflowId, boolean summaryOnly)
         return workflows;
     }
 
+    @Override
+    public List<String> getWorkflowDescription(String id, Integer version) {
+        return metadataService.getWorkflowDescription(id, version);
+    }
+
+    @Override
+    public List<String> getLabels(String wfId) {
+        return executionService.getLabels(wfId);
+    }
+
+    @Override
+    public SearchResult<WorkflowSummary> getUserSummaries(List<String> groupsAndRoles) {
+        return executionService.getUserSummaries(groupsAndRoles);
+    }
+
     /**
      * Removes the workflow from the system.
      *

es6-persistence/src/main/java/com/netflix/conductor/es6/dao/index/ElasticSearchDAOV6.java

@@ -680,6 +680,11 @@ public long getWorkflowCount(String query, String freeText) {
         return count(query, freeText, WORKFLOW_DOC_TYPE);
     }
 
+    @Override
+    public SearchResult<WorkflowSummary> getUserSummaries(List<String> groupsAndRoles) {
+        return null;
+    }
+
     @Override
     public SearchResult<String> searchTasks(
             String query, String freeText, int start, int count, List<String> sort) {

es6-persistence/src/main/java/com/netflix/conductor/es6/dao/index/ElasticSearchRestDAOV6.java

@@ -1117,6 +1117,11 @@ public long getWorkflowCount(String query, String freeText) {
         }
     }
 
+    @Override
+    public SearchResult<WorkflowSummary> getUserSummaries(List<String> groupsAndRoles) {
+        return null;
+    }
+
     private long getObjectCounts(String structuredQuery, String freeTextQuery, String docType)
             throws ParserException, IOException {
         QueryBuilder queryBuilder = boolQueryBuilder(structuredQuery, freeTextQuery);

redis-persistence/src/main/java/com/netflix/conductor/redis/dao/RedisExecutionDAO.java

@@ -726,6 +726,21 @@ public void removeEventExecution(EventExecution eventExecution) {
         }
     }
 
+    @Override
+    public List<String> getLabels(String wfId) {
+        return null;
+    }
+
+    @Override
+    public List<String> getTaskDescription(String taskType) {
+        return null;
+    }
+
+    @Override
+    public List<String> getUserIds(List<String> groupsAndRoles, List<String> wfIds) {
+        return null;
+    }
+
     public List<EventExecution> getEventExecutions(
             String eventHandlerName, String eventName, String messageId, int max) {
         try {

redis-persistence/src/main/java/com/netflix/conductor/redis/dao/RedisMetadataDAO.java

@@ -29,6 +29,7 @@
 import org.springframework.context.annotation.Conditional;
 import org.springframework.stereotype.Component;
 
+import com.netflix.conductor.common.metadata.BaseDef;
 import com.netflix.conductor.common.metadata.tasks.TaskDef;
 import com.netflix.conductor.common.metadata.workflow.WorkflowDef;
 import com.netflix.conductor.core.config.ConductorProperties;
@@ -320,6 +321,21 @@ public List<WorkflowDef> getAllWorkflowDefsLatestVersions() {
         return workflows;
     }
 
+    @Override
+    public List<String> getDescription(BaseDef def) {
+        return null;
+    }
+
+    @Override
+    public List<WorkflowDef> getUserWorkflowDefs(List<String> groupsAndRoles) {
+        return null;
+    }
+
+    @Override
+    public List<TaskDef> getUserTaskDefs(List<String> groupsAndRoles) {
+        return null;
+    }
+
     private void _createOrUpdate(WorkflowDef workflowDef) {
         // First set the workflow def
         jedisProxy.hset(

rest/build.gradle

@@ -1,5 +1,6 @@
 dependencies {
 
+    implementation project(':conductor-client')
     implementation project(':conductor-common')
     implementation project(':conductor-core')
 

rest/src/main/java/com/netflix/conductor/rest/controllers/EventResource.java

@@ -14,6 +14,8 @@
 
 import java.util.List;
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -23,8 +25,10 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.client.HttpServerErrorException;
 
 import com.netflix.conductor.common.metadata.events.EventHandler;
+import com.netflix.conductor.rest.rbac.HeaderValidatorFilter;
 import com.netflix.conductor.service.EventService;
 
 import io.swagger.v3.oas.annotations.Operation;
@@ -41,16 +45,28 @@ public EventResource(EventService eventService) {
         this.eventService = eventService;
     }
 
+    @Autowired HeaderValidatorFilter filter;
+
     @PostMapping
     @Operation(summary = "Add a new event handler.")
     public void addEventHandler(@RequestBody EventHandler eventHandler) {
-        eventService.addEventHandler(eventHandler);
+
+        if (filter.getUser().isAdmin()) {
+            eventService.addEventHandler(eventHandler);
+        } else {
+            throw new HttpServerErrorException(HttpStatus.UNAUTHORIZED);
+        }
     }
 
     @PutMapping
     @Operation(summary = "Update an existing event handler.")
     public void updateEventHandler(@RequestBody EventHandler eventHandler) {
-        eventService.updateEventHandler(eventHandler);
+
+        if (filter.getUser().isAdmin()) {
+            eventService.updateEventHandler(eventHandler);
+        } else {
+            throw new HttpServerErrorException(HttpStatus.UNAUTHORIZED);
+        }
     }
 
     @DeleteMapping("/{name}")
@@ -62,7 +78,11 @@ public void removeEventHandlerStatus(@PathVariable("name") String name) {
     @GetMapping
     @Operation(summary = "Get all the event handlers")
     public List<EventHandler> getEventHandlers() {
-        return eventService.getEventHandlers();
+
+        if (filter.getUser().isAdmin()) {
+            return eventService.getEventHandlers();
+        }
+        throw new HttpServerErrorException(HttpStatus.UNAUTHORIZED);
     }
 
     @GetMapping("/{event}")