Add AuthAdmin

[brfrn169]

Description

This PR adds the AuthAdmin interface for administrative operations related to ScalarDB Auth (authentication and authorization). As ScalarDB Auth is an enterprise feature, this PR only introduces the interface without any implementations in this repository.

Related issues and/or PRs

N/A

Changes made

• Added the AuthAdmin interface for administrative operations for ScalarDB
• Modify exceptions to support authentication and authorization errors

Checklist

• I have commented my code, particularly in hard-to-understand areas.
• I have updated the documentation to reflect the changes.
• Any remaining open issues linked to this PR are documented and up-to-date (Jira, GitHub, etc.).
• Tests (unit, integration, etc.) have been added for the changes.
• My changes generate no new warnings.
• Any dependent changes in other PRs have been merged and published.

Additional notes (optional)

• Documentation for this will be added in a separate PR.

Release notes

N/A

[brfrn169]

Added AuthAdmin for administrative operations for ScalarDB Auth.

[brfrn169]

Made DistributedTransactionAdmin extend AuthAdmin.

[brfrn169]

Added flags to the exceptions to indicate authentication and authorization errors. Initially, I considered introducing new exceptions for these errors, but to maintain backward compatibility, I opted for this approach.

[brfrn169]

No implementations are added here as it's an enterprise feature.

[komamitsu]

How about moving these default implementations throwing the exception to AuthAdmin as default methods so that all classes which inherit AuthAdmin don't need to implement these ones?

[brfrn169]

I had the same thought, but I didn't do that because I was not sure for which methods we should add a default implementation. In other words, should we add default implementations for the existing methods (createTable(), getTableMetadata(), etc.) as well? What do you think?

[komamitsu]

I think only the methods of AuthAdmin should have default methods to throw the exception since those features aren't supported in the community edition. As for the existing methods coming from DistributedTransactionAdmin, we should keep them available in the community edition and don't need default impl for them. But I might be missing something on the background of this auth feature.

[brfrn169]

Okay, I think that's reasonable. Let me add default implementations to the methods in AuthAdmin. Thanks.

[brfrn169]

Fixed in ca46a9d. Thanks.

[komamitsu]

This exception should have the same error message as the exceptions ConsensusCommitAdmin's methods throw?

[brfrn169]

Initially, I didn't add any message here because we were going to remove the JDBC transaction and ScalarDB Server components. However, recent discussions have raised the possibility of retaining the JDBC transaction. Therefore, I will add a message depending on the outcome of this discussion:
#1318 (comment)

Thanks.

[komamitsu]

This seems like an union of privileges for user (admin) operations, namespace operations and table operations. For instance, GRANT is for user (admin) operations and TRUNCATE is for table operations. Another option is to separate this set of privileges into each type of operations like UserPrivilege, NamespacePrivilege and TablePrivilege. This option requires additional enum definitions, but it might beneficial in the long run to avoid wrong privilege usage (e.g, TRUNCATE for a user). What do you think?

[brfrn169]

Let me clarify the specification to ensure we are on the same page.

Currently, we can grant privileges to a user for either a specific namespace or a table. I think we can imagine the SQL GRANT statement as follows:

For table privileges:

GRANT READ, WRITE, CREATE ON <TABLE> TO <USER> WITH GRANT OPTION

In this case, the user has READ, WRITE, CREATE and GRANT privileges for the specified table.

• READ: The user can read the table.
• WRITE: The user can write the table.
• CREATE: The user can create indexes on the table.
• GRANT: The user can grant privileges on the table to other users.

For namespace privileges:

GRANT READ, WRITE, CREATE ON NAMESPACE <NAMESPACE> TO <USER> WITH GRANT OPTION

In this case, the user has READ, WRITE, CREATE and GRANT privileges for all tables in the namespace.

• READ: The user can read all tables in the namespace.
• WRITE: The user can write all tables in the namespace.
• CREATE: The user can create a table in the namespace or create indexes on all tables in the namespace.
• GRANT: The user can grant privileges on all tables in the namespace to other users.

Given this, I believe the approach is consistent and there's no need for separate privilege types for tables, namespaces, and users. What are your thoughts?

[komamitsu]

Thanks for clarifying the usage. I understand how to use GRANT.

GRANT privilege seems a bit different type (more metadata-like?) attribute to me from other privileges (e.g. CREATE). It's like between UserOption and Privilege? It might fit PrivilegeOption.

In this case, the user has READ, WRITE, CREATE and GRANT privileges for all tables in the namespace.

Understood. So, the enum is like TablePrivilege. BTW, we don't need to another type of privileges to allow or prohibit operations for namespaces like GRANT CREATE ON DATABASE?

[brfrn169]

Ah sorry, the explanation of GRANT for namespace privileges was wrong.

The correct explanation is as follows

• GRANT: The user can grant/revoke privileges on all tables in the namespace to/from other users. Also the user can grant/revoke privileges on the namespace to/from other users.

So for example, if a superuser issues the following:

GRANT ... ON NAMESPACE ns TO user1 WITH GRANT OPTION

Then user1 can issue GRANT... ON NAMESPACE ns to ... for other users. Also, user1 can issue GRANT on all tables in the ns namespace for other users.

What do you think?

[brfrn169]

One more thing, if a superuser issues the following GRANT command:

GRANT DROP ON NAMESPACE ns TO user1

Then, user1 can drop the ns namespace as well as all tables in the ns namespace.

That sounds inconsistent to you?

[komamitsu]

GRANT DROP ON NAMESPACE ns TO user1

As we talked offline, this semantics of dropping a specific namespace seems inconsistent with other GRANT statements that affect tables. Perhaps, we can defer considering how to permit/prohibit manipulation of namespace.

As for Privilege.GRANT, I still think it might belong to a different layer, but I don't have a so strong opinion on it. Let's proceed with the current design.

[brfrn169]

Thank you for summarizing the discussion. I've fixed the Javadoc slightly and renamed several methods.

I think we can support something like the following grammar in ScalarDB SQL:

GRANT { { SELECT | INSERT | UPDATE | DELETE | CREATE | DROP | TRUNCATE | ALTER } [, ...] | ALL [ PRIVILEGES ] }
    ON { [ TABLE ] table_name [, ...] | ON NAMESPACE namespace_name [, ...] }
    TO user_name [, ...] [ WITH GRANT OPTION ]

If a user specified ON [TABLE] table_name in the GRANT statement, we call the AuthAdmin.grant(String username, String namespaceName, String tableName, Privilege... privileges) method. And if a user specified ON NAMESPACE namespace_name in the GRANT statement, we call the AuthAdmin.grant(String username, String namespaceName, Privilege... privileges) method.

Also, if a user specified WITH GRANT OPTION and ON [TABLE] table_name in the GRANT statement, the granted user can issue GRANT statements, and they can grant privileges on the specified table to other users.

And if a user specified WITH GRANT OPTION and ALL TABLES IN NAMESPACE namespace_name in the GRANT statement, they can grant privileges on all tables in the specified namespace to other users.

Note that users can only grant privileges that they have to other users.

Does that make sense?

[komamitsu]

Yes. The syntax of the GRANT statement and the behavior looks good 👍

As for Privilege.GRANT, I still think it might belong to a different layer, but I don't have a so strong opinion on it. Let's proceed with the current design.

This comment only considers the internal design and implementation since I still think WITH GRANT OPTION is a sort of option not a normal privilege. The above GRANT statement syntax itself also seems to handle GRANT option differently from other privileges (e.g., UPDATE). I checked the PostgreSQL source code, and it doesn't handle GRANT OPTION as well as other privileges https://github.com/postgres/postgres/blob/5ad49322e50459444b201e624d5df706751c9d41/src/include/nodes/parsenodes.h#L74-L93. So, IMO, maybe Privilege.GRANT should be removed from the enum and handled differently, although it might be a matter of taste.

[brfrn169]

As discussed offline, we have reached a conclusion regarding the behavior mentioned in the following comment:
#1318 (comment)

I've also revised the Javadoc and revered the method names in ad52e62.

@komamitsu Can you please take a quick look at it? Thanks.

[komamitsu]

Thanks. Looks good!

[komamitsu]

LGTM! 👍

[feeblefakie]

Overall, looking good. Thank you!
I left one comment. PTAL!

[feeblefakie]

Instead of adding an argument only for authentication, it might be better to define an error code and add it here or something?
Since we don't define error code yet, I understand it's hard to do so now...

[brfrn169]

Yeah, at the moment, it's hard to do so since we need to define error codes for all errors for that. Anyway, I think we can add error codes later on.

[feeblefakie]

LGTM! Thank you!