[auth] Renaming AccessControl to ThirdEyeAuthorizer

startreedata · Nov 8, 2023 · 315e015 · 315e015
1 parent b08e39e
commit 315e015
Show file tree

Hide file tree

Showing 11 changed files with 97 additions and 60 deletions.
diff --git a/thirdeye-server/src/main/java/ai/startree/thirdeye/PluginLoader.java b/thirdeye-server/src/main/java/ai/startree/thirdeye/PluginLoader.java
@@ -16,8 +16,8 @@
 import static ai.startree.thirdeye.spi.util.SpiUtils.optional;
 import static java.util.Objects.requireNonNull;
 
-import ai.startree.thirdeye.auth.AccessControlProvider;
 import ai.startree.thirdeye.auth.AuthRegistry;
+import ai.startree.thirdeye.auth.ThirdEyeAuthorizerProvider;
 import ai.startree.thirdeye.core.BootstrapResourcesRegistry;
 import ai.startree.thirdeye.datasource.DataSourcesLoader;
 import ai.startree.thirdeye.detectionpipeline.DetectionRegistry;
@@ -71,7 +71,7 @@ public class PluginLoader {
   private final ContributorsFinderRunner contributorsFinderRunner;
   private final BootstrapResourcesRegistry bootstrapResourcesRegistry;
   private final PostProcessorRegistry postProcessorRegistry;
-  private final AccessControlProvider accessControlProvider;
+  private final ThirdEyeAuthorizerProvider accessControlProvider;
 
   private final AtomicBoolean loading = new AtomicBoolean();
   private final File pluginsDir;
@@ -85,7 +85,7 @@ public PluginLoader(
       final ContributorsFinderRunner contributorsFinderRunner,
       final BootstrapResourcesRegistry bootstrapResourcesRegistry,
       final PostProcessorRegistry postProcessorRegistry,
-      final AccessControlProvider accessControlProvider,
+      final ThirdEyeAuthorizerProvider accessControlProvider,
       final PluginLoaderConfiguration config) {
     this.authRegistry = authRegistry;
     this.dataSourcesLoader = dataSourcesLoader;

diff --git a/thirdeye-server/src/main/java/ai/startree/thirdeye/ThirdEyeServerModule.java b/thirdeye-server/src/main/java/ai/startree/thirdeye/ThirdEyeServerModule.java
@@ -13,15 +13,15 @@
  */
 package ai.startree.thirdeye;
 
-import ai.startree.thirdeye.auth.AccessControlProvider;
 import ai.startree.thirdeye.auth.AuthConfiguration;
 import ai.startree.thirdeye.auth.ThirdEyeAuthModule;
+import ai.startree.thirdeye.auth.ThirdEyeAuthorizerProvider;
 import ai.startree.thirdeye.config.ThirdEyeServerConfiguration;
 import ai.startree.thirdeye.detectionpipeline.ThirdEyeDetectionPipelineModule;
 import ai.startree.thirdeye.notification.ThirdEyeNotificationModule;
 import ai.startree.thirdeye.scheduler.ThirdEyeSchedulerModule;
 import ai.startree.thirdeye.scheduler.events.MockEventsConfiguration;
-import ai.startree.thirdeye.spi.auth.AccessControl;
+import ai.startree.thirdeye.spi.auth.ThirdEyeAuthorizer;
 import ai.startree.thirdeye.worker.ThirdEyeWorkerModule;
 import com.codahale.metrics.MetricRegistry;
 import com.google.inject.AbstractModule;
@@ -34,7 +34,7 @@ public class ThirdEyeServerModule extends AbstractModule {
   private final ThirdEyeServerConfiguration configuration;
   private final DataSource dataSource;
   private final MetricRegistry metricRegistry;
-  private final AccessControlProvider accessControlProvider;
+  private final ThirdEyeAuthorizerProvider accessControlProvider;
 
   public ThirdEyeServerModule(
       final ThirdEyeServerConfiguration configuration,
@@ -44,7 +44,7 @@ public ThirdEyeServerModule(
     this.dataSource = dataSource;
     this.metricRegistry = metricRegistry;
 
-    this.accessControlProvider = new AccessControlProvider(
+    this.accessControlProvider = new ThirdEyeAuthorizerProvider(
         configuration.getAccessControlConfiguration());
   }
 
@@ -76,13 +76,13 @@ public MockEventsConfiguration getMockEventsLoaderConfiguration() {
 
   @Singleton
   @Provides
-  public AccessControlProvider getAccessControlProvider() {
+  public ThirdEyeAuthorizerProvider getAccessControlProvider() {
     return this.accessControlProvider;
   }
 
   @Singleton
   @Provides
-  public AccessControl getAccessControl() {
+  public ThirdEyeAuthorizer getAccessControl() {
     return this.accessControlProvider;
   }
 }
diff --git a/thirdeye-server/src/main/java/ai/startree/thirdeye/auth/AuthorizationManager.java b/thirdeye-server/src/main/java/ai/startree/thirdeye/auth/AuthorizationManager.java
@@ -19,10 +19,10 @@
 
 import ai.startree.thirdeye.alert.AlertTemplateRenderer;
 import ai.startree.thirdeye.datalayer.dao.SubEntities;
-import ai.startree.thirdeye.spi.auth.AccessControl;
 import ai.startree.thirdeye.spi.auth.AccessType;
 import ai.startree.thirdeye.spi.auth.AuthenticationType;
 import ai.startree.thirdeye.spi.auth.ResourceIdentifier;
+import ai.startree.thirdeye.spi.auth.ThirdEyeAuthorizer;
 import ai.startree.thirdeye.spi.datalayer.dto.AbstractDTO;
 import ai.startree.thirdeye.spi.datalayer.dto.AlertDTO;
 import ai.startree.thirdeye.spi.datalayer.dto.AlertTemplateDTO;
@@ -47,16 +47,16 @@ public class AuthorizationManager {
       "thirdeye-internal", RandomStringUtils.random(1024, true, true), AuthenticationType.INTERNAL);
 
   private final AlertTemplateRenderer alertTemplateRenderer;
-  private final AccessControl accessControl;
+  private final ThirdEyeAuthorizer thirdEyeAuthorizer;
   private final NamespaceResolver namespaceResolver;
 
   @Inject
   public AuthorizationManager(
       final AlertTemplateRenderer alertTemplateRenderer,
-      final AccessControl accessControl,
+      final ThirdEyeAuthorizer thirdEyeAuthorizer,
       final NamespaceResolver namespaceResolver) {
     this.alertTemplateRenderer = alertTemplateRenderer;
-    this.accessControl = accessControl;
+    this.thirdEyeAuthorizer = thirdEyeAuthorizer;
     this.namespaceResolver = namespaceResolver;
   }
 
@@ -117,7 +117,7 @@ public boolean hasAccess(final ThirdEyePrincipal principal,
     } else if (principal.getAuthenticationType() == AuthenticationType.BASIC_AUTH) {
       return true;
     } else {
-      return accessControl.hasAccess(principal.getAuthToken(), identifier, accessType);
+      return thirdEyeAuthorizer.authorize(principal.getAuthToken(), identifier, accessType);
     }
   }
 
@@ -132,7 +132,7 @@ public void ensureHasRootAccess(final ThirdEyePrincipal principal) {
 
   public boolean hasRootAccess(final ThirdEyePrincipal principal) {
     return INTERNAL_VALID_PRINCIPAL.equals(principal) ||
-        accessControl.hasAccess(principal.getAuthToken(), ROOT_RESOURCE_ID, AccessType.WRITE);
+        thirdEyeAuthorizer.authorize(principal.getAuthToken(), ROOT_RESOURCE_ID, AccessType.WRITE);
   }
 
   // Returns the resource identifier for a dto.

diff --git a/.../thirdeye/auth/AccessControlProvider.java → ...deye/auth/ThirdEyeAuthorizerProvider.java b/.../thirdeye/auth/AccessControlProvider.java → ...deye/auth/ThirdEyeAuthorizerProvider.java
@@ -15,33 +15,33 @@
 
 import static com.google.common.base.Preconditions.checkState;
 
-import ai.startree.thirdeye.spi.auth.AccessControl;
 import ai.startree.thirdeye.spi.auth.AccessControlFactory;
 import ai.startree.thirdeye.spi.auth.AccessType;
 import ai.startree.thirdeye.spi.auth.ResourceIdentifier;
+import ai.startree.thirdeye.spi.auth.ThirdEyeAuthorizer;
 
 /**
  * AccessControlProvider serves as a mutable layer between Guice bindings and the access control
  * implementation from plugins.
  */
-public class AccessControlProvider implements AccessControl {
+public class ThirdEyeAuthorizerProvider implements ThirdEyeAuthorizer {
 
-  public final static AccessControl ALWAYS_ALLOW = (
+  public final static ThirdEyeAuthorizer ALWAYS_ALLOW = (
       final String token,
       final ResourceIdentifier identifiers,
       final AccessType accessType
   ) -> true;
 
-  public final static AccessControl ALWAYS_DENY = (
+  public final static ThirdEyeAuthorizer ALWAYS_DENY = (
       final String token,
       final ResourceIdentifier identifiers,
       final AccessType accessType
   ) -> false;
 
   private final AccessControlConfiguration config;
-  private AccessControl accessControl = null;
+  private ThirdEyeAuthorizer thirdEyeAuthorizer = null;
 
-  public AccessControlProvider(final AccessControlConfiguration config) {
+  public ThirdEyeAuthorizerProvider(final AccessControlConfiguration config) {
     this.config = config;
   }
 
@@ -56,29 +56,29 @@ public void addAccessControlFactory(final AccessControlFactory f) {
       return;
     }
 
-    if (this.accessControl != null) {
+    if (this.thirdEyeAuthorizer != null) {
       throw new RuntimeException("Access control source can only be set once!");
     }
-    this.accessControl = accessControl;
+    this.thirdEyeAuthorizer = accessControl;
   }
 
-  public AccessControl getAccessControl() {
+  public ThirdEyeAuthorizer getAccessControl() {
     if (!config.isEnabled()) {
       return ALWAYS_ALLOW;
     }
 
-    checkState(this.accessControl != null,
+    checkState(this.thirdEyeAuthorizer != null,
         "Access control is enabled, but no provider has been configured!");
-    return this.accessControl;
+    return this.thirdEyeAuthorizer;
   }
 
   public AccessControlConfiguration getConfig() {
     return config;
   }
 
   @Override
-  public boolean hasAccess(final String token, final ResourceIdentifier identifier,
+  public boolean authorize(final String token, final ResourceIdentifier identifier,
       final AccessType accessType) {
-    return getAccessControl().hasAccess(token, identifier, accessType);
+    return getAccessControl().authorize(token, identifier, accessType);
   }
 }
diff --git a/thirdeye-server/src/test/java/ai/startree/thirdeye/resources/AlertResourceTest.java b/thirdeye-server/src/test/java/ai/startree/thirdeye/resources/AlertResourceTest.java
@@ -23,9 +23,9 @@
 import ai.startree.thirdeye.alert.AlertEvaluator;
 import ai.startree.thirdeye.alert.AlertInsightsProvider;
 import ai.startree.thirdeye.alert.AlertTemplateRenderer;
-import ai.startree.thirdeye.auth.AccessControlProvider;
 import ai.startree.thirdeye.auth.AuthorizationManager;
 import ai.startree.thirdeye.auth.NamespaceResolver;
+import ai.startree.thirdeye.auth.ThirdEyeAuthorizerProvider;
 import ai.startree.thirdeye.auth.ThirdEyePrincipal;
 import ai.startree.thirdeye.service.AlertService;
 import ai.startree.thirdeye.service.AppAnalyticsService;
@@ -36,10 +36,10 @@
 import ai.startree.thirdeye.spi.api.DetectionEvaluationApi;
 import ai.startree.thirdeye.spi.api.EnumerationItemApi;
 import ai.startree.thirdeye.spi.api.PlanNodeApi;
-import ai.startree.thirdeye.spi.auth.AccessControl;
 import ai.startree.thirdeye.spi.auth.AccessType;
 import ai.startree.thirdeye.spi.auth.AuthenticationType;
 import ai.startree.thirdeye.spi.auth.ResourceIdentifier;
+import ai.startree.thirdeye.spi.auth.ThirdEyeAuthorizer;
 import ai.startree.thirdeye.spi.datalayer.bao.AlertManager;
 import ai.startree.thirdeye.spi.datalayer.bao.AlertTemplateManager;
 import ai.startree.thirdeye.spi.datalayer.dto.AlertDTO;
@@ -68,8 +68,9 @@ static ThirdEyePrincipal nobody() {
 
   private static AlertResource newAlertResource(final AlertManager alertManager,
       final AlertTemplateRenderer alertTemplateRenderer,
-      final AccessControl accessControl) {
-    final AuthorizationManager authorizationManager = newAuthorizationManager(alertTemplateRenderer, accessControl);
+      final ThirdEyeAuthorizer thirdEyeAuthorizer) {
+    final AuthorizationManager authorizationManager = newAuthorizationManager(alertTemplateRenderer,
+        thirdEyeAuthorizer);
     return new AlertResource(newAlertService(alertManager, authorizationManager));
   }
 
@@ -132,10 +133,12 @@ public void testCreateMultiple_withNoAccessToTemplate() {
     final AlertTemplateRenderer alertTemplateRenderer = new AlertTemplateRenderer(
         mock(AlertManager.class), alertTemplateManager);
 
-    final AccessControl accessControl = (String token, ResourceIdentifier identifier, AccessType accessType)
+    final ThirdEyeAuthorizer thirdEyeAuthorizer = (String token, ResourceIdentifier identifier, AccessType accessType)
         -> identifier.getName().equals("0");
 
-    newAlertResource(mock(AlertManager.class), alertTemplateRenderer, accessControl).createMultiple(
+    newAlertResource(mock(AlertManager.class),
+        alertTemplateRenderer,
+        thirdEyeAuthorizer).createMultiple(
         nobody(),
         Collections.singletonList(
             new AlertApi().setName("alert1").setTemplate(new AlertTemplateApi().setId(2L))
@@ -149,7 +152,9 @@ public void testRunTask_withNoAccess() {
     final AlertTemplateRenderer alertTemplateRenderer = new AlertTemplateRenderer(alertManager,
         mock(AlertTemplateManager.class));
 
-    newAlertResource(alertManager, alertTemplateRenderer, AccessControlProvider.ALWAYS_DENY).runTask(
+    newAlertResource(alertManager,
+        alertTemplateRenderer,
+        ThirdEyeAuthorizerProvider.ALWAYS_DENY).runTask(
         nobody(),
         1L,
         0L,
@@ -160,7 +165,7 @@ public void testRunTask_withNoAccess() {
   public void testValidate_withNoAccess() {
     newAlertResource(mock(AlertManager.class),
         mock(AlertTemplateRenderer.class),
-        AccessControlProvider.ALWAYS_DENY).validateMultiple(
+        ThirdEyeAuthorizerProvider.ALWAYS_DENY).validateMultiple(
         nobody(),
         Collections.singletonList(
             new AlertApi().setTemplate(new AlertTemplateApi().setId(1L)).setName("alert1")
@@ -176,12 +181,12 @@ public void testValidate_withNoAccessToTemplate() {
     final AlertTemplateRenderer alertTemplateRenderer = new AlertTemplateRenderer(
         mock(AlertManager.class), alertTemplateManager);
 
-    final AccessControl accessControl = (String token, ResourceIdentifier identifier, AccessType accessType)
+    final ThirdEyeAuthorizer thirdEyeAuthorizer = (String token, ResourceIdentifier identifier, AccessType accessType)
         -> identifier.getName().equals("alert1");
 
     newAlertResource(mock(AlertManager.class),
         alertTemplateRenderer,
-        accessControl).validateMultiple(
+        thirdEyeAuthorizer).validateMultiple(
         nobody(),
         Collections.singletonList(
             new AlertApi().setTemplate(new AlertTemplateApi().setId(1L)).setName("alert1")
@@ -200,7 +205,7 @@ public void testEvaluate_withNoAccessToTemplate() throws ExecutionException {
 
     newAlertResource(mock(AlertManager.class),
         alertTemplateRenderer,
-        AccessControlProvider.ALWAYS_DENY).evaluate(nobody(),
+        ThirdEyeAuthorizerProvider.ALWAYS_DENY).evaluate(nobody(),
         new AlertEvaluationApi()
             .setAlert(new AlertApi().setTemplate(new AlertTemplateApi().setId(1L)))
             .setStart(new Date())
@@ -403,8 +408,10 @@ public void testEvaluate_withNewAlertAndWriteAccessToAlertAndPartialAccessToEnum
   }
 
   private static AuthorizationManager newAuthorizationManager(
-      final AlertTemplateRenderer alertTemplateRenderer, final AccessControl accessControl) {
-    return new AuthorizationManager(alertTemplateRenderer, accessControl, new NamespaceResolver(null, null, null));
+      final AlertTemplateRenderer alertTemplateRenderer,
+      final ThirdEyeAuthorizer thirdEyeAuthorizer) {
+    return new AuthorizationManager(alertTemplateRenderer,
+        thirdEyeAuthorizer, new NamespaceResolver(null, null, null));
   }
 
   @Test(expectedExceptions = ForbiddenException.class)
@@ -414,7 +421,9 @@ public void testReset_withNoAccess() {
     final AlertTemplateRenderer alertTemplateRenderer = new AlertTemplateRenderer(alertManager,
         mock(AlertTemplateManager.class));
 
-    newAlertResource(alertManager, alertTemplateRenderer, AccessControlProvider.ALWAYS_DENY).reset(
+    newAlertResource(alertManager,
+        alertTemplateRenderer,
+        ThirdEyeAuthorizerProvider.ALWAYS_DENY).reset(
         nobody(),
         1L);
   }