fix: pipeline rbac fixes (#4976)

Subhra264 · taimingl · web-flow · commit 287185ac46ab · 2024-11-04T10:50:20.000-08:00
Fixes #4982 - Adds migration for pipelines for ofga tuple database. - Fixes some rbac permission logic for pipelines. Co-authored-by: Taiming Liu <liutaiming3@gmail.com>
diff --git a/src/common/infra/ofga.rs b/src/common/infra/ofga.rs
@@ -21,7 +21,8 @@ use o2_enterprise::enterprise::{
     common::infra::config::get_config as get_o2_config,
     openfga::{
         authorizer::authz::{
-            get_index_creation_tuples, get_org_creation_tuples, get_user_role_tuple, update_tuples,
+            add_tuple_for_pipeline, get_index_creation_tuples, get_org_creation_tuples,
+            get_ownership_all_org_tuple, get_user_role_tuple, update_tuples,
         },
         meta::mapping::{NON_OWNING_ORG, OFGA_MODELS},
     },
@@ -44,6 +45,7 @@ pub async fn init() -> Result<(), anyhow::Error> {
     let mut init_tuples = vec![];
     let mut migrate_native_objects = false;
     let mut need_migrate_index_streams = false;
+    let mut need_pipeline_migration = false;
     let mut existing_meta = match db::ofga::get_ofga_model().await {
         Ok(Some(model)) => Some(model),
         Ok(None) | Err(_) => {
@@ -110,9 +112,13 @@ pub async fn init() -> Result<(), anyhow::Error> {
             version_compare::Version::from(&existing_model.version).unwrap();
         let v0_0_4 = version_compare::Version::from("0.0.4").unwrap();
         let v0_0_5 = version_compare::Version::from("0.0.5").unwrap();
+        let v0_0_6 = version_compare::Version::from("0.0.6").unwrap();
         if meta_version > v0_0_4 && existing_model_version < v0_0_5 {
             need_migrate_index_streams = true;
         }
+        if meta_version > v0_0_5 && existing_model_version < v0_0_6 {
+            need_pipeline_migration = true;
+        }
     }
 
     // 1. create a cluster lock
@@ -189,7 +195,26 @@ pub async fn init() -> Result<(), anyhow::Error> {
                 }
             } else {
                 for org_name in orgs {
-                    get_index_creation_tuples(org_name, &mut tuples).await;
+                    if need_migrate_index_streams {
+                        get_index_creation_tuples(org_name, &mut tuples).await;
+                    }
+                    if need_pipeline_migration {
+                        get_ownership_all_org_tuple(org_name, "pipelines", &mut tuples);
+                        match db::pipeline::list_by_org(org_name).await {
+                            Ok(pipelines) => {
+                                for pipeline in pipelines {
+                                    add_tuple_for_pipeline(org_name, &pipeline.id, &mut tuples);
+                                }
+                            }
+                            Err(e) => {
+                                log::error!(
+                                    "Failed to migrate RBAC for org {} pipelines: {}",
+                                    org_name,
+                                    e
+                                );
+                            }
+                        }
+                    }
                 }
             }
 
diff --git a/src/common/utils/auth.rs b/src/common/utils/auth.rs
@@ -340,7 +340,11 @@ impl FromRequest for AuthExtractor {
                         .map_or(path_columns[1], |model| model.key),
                     path_columns[2]
                 )
-            } else if method.eq("PUT") && path_columns[1] != "streams" || method.eq("DELETE") {
+            } else if method.eq("PUT")
+                && path_columns[1] != "streams"
+                && path_columns[1] != "pipelines"
+                || method.eq("DELETE")
+            {
                 format!(
                     "{}:{}",
                     OFGA_MODELS
@@ -349,9 +353,6 @@ impl FromRequest for AuthExtractor {
                     path_columns[3]
                 )
             } else {
-                if method.eq("POST") && path_columns[3].eq("pipelines") {
-                    method = "PUT".to_string();
-                }
                 format!(
                     "{}:{}",
                     OFGA_MODELS
@@ -401,7 +402,6 @@ impl FromRequest for AuthExtractor {
                 || path.contains("/format_query")
                 || path.contains("/prometheus/api/v1/series")
                 || path.contains("/traces/latest")
-                || (method.eq("LIST") && path.contains("pipelines"))
                 || path.contains("clusters")
                 || path.contains("query_manager")
                 || path.contains("/short")
diff --git a/src/handler/http/request/pipeline.rs b/src/handler/http/request/pipeline.rs
@@ -74,12 +74,16 @@ async fn list_pipelines(
     // Get List of allowed objects
     #[cfg(feature = "enterprise")]
     {
+        use o2_enterprise::enterprise::openfga::meta::mapping::OFGA_MODELS;
+
         let user_id = _req.headers().get("user_id").unwrap();
         match crate::handler::http::auth::validator::list_objects_for_user(
             &org_id,
             user_id.to_str().unwrap(),
             "GET",
-            "logs",
+            OFGA_MODELS
+                .get("pipelines")
+                .map_or("pipelines", |model| model.key),
         )
         .await
         {
diff --git a/src/service/pipeline/mod.rs b/src/service/pipeline/mod.rs
@@ -173,11 +173,11 @@ pub async fn list_pipelines(
                 || permitted
                     .as_ref()
                     .unwrap()
-                    .contains(&format!("pipelines:{}", pipeline.id))
+                    .contains(&format!("pipeline:{}", pipeline.id))
                 || permitted
                     .as_ref()
                     .unwrap()
-                    .contains(&format!("pipelines:_all_{}", org_id))
+                    .contains(&format!("pipeline:_all_{}", org_id))
             {
                 result.push(pipeline)
             }
diff --git a/web/src/components/iam/roles/EditRole.vue b/web/src/components/iam/roles/EditRole.vue
@@ -326,6 +326,7 @@ import {
 import { useQuasar } from "quasar";
 import type { AxiosPromise } from "axios";
 import streamService from "@/services/stream";
+import pipelineService from "@/services/pipelines";
 import alertService from "@/services/alerts";
 import reportService from "@/services/reports";
 import templateService from "@/services/alert_templates";
@@ -1251,6 +1252,7 @@ const getResourceEntities = (resource: Resource | Entity) => {
     alert: getAlerts,
     template: getTemplates,
     destination: getDestinations,
+    pipeline: getPipelines,
     enrichment_table: getEnrichmentTables,
     function: getFunctions,
     org: getOrgs,
@@ -1432,6 +1434,18 @@ const getTemplates = async () => {
   });
 };
 
+const getPipelines = async () => {
+  const pipelines = await pipelineService.getPipelines(
+    store.state.selectedOrganization.identifier
+  );
+
+  updateResourceEntities("pipeline", ["name"], [...pipelines.data.list]);
+
+  return new Promise((resolve) => {
+    resolve(true);
+  });
+};
+
 const getAlerts = async () => {
   const alerts = await alertService.list(
     1,

Original file line number	Diff line number	Diff line change
`@@ -74,12 +74,16 @@ async fn list_pipelines(`
`74`	`74`	`// Get List of allowed objects`
`75`	`75`	`#[cfg(feature = "enterprise")]`
`76`	`76`	`{`
	`77`	`+ use o2_enterprise::enterprise::openfga::meta::mapping::OFGA_MODELS;`
	`78`	`+`
`77`	`79`	`let user_id = _req.headers().get("user_id").unwrap();`
`78`	`80`	`match crate::handler::http::auth::validator::list_objects_for_user(`
`79`	`81`	`&org_id,`
`80`	`82`	`user_id.to_str().unwrap(),`
`81`	`83`	`"GET",`
`82`		`- "logs",`
	`84`	`+ OFGA_MODELS`
	`85`	`+ .get("pipelines")`
	`86`	`+ .map_or("pipelines", \|model\| model.key),`
`83`	`87`	`)`
`84`	`88`	`.await`
`85`	`89`	`{`
Original file line number	Diff line number	Diff line change
`@@ -173,11 +173,11 @@ pub async fn list_pipelines(`
`173`	`173`	`\|\| permitted`
`174`	`174`	`.as_ref()`
`175`	`175`	`.unwrap()`
`176`		`- .contains(&format!("pipelines:{}", pipeline.id))`
	`176`	`+ .contains(&format!("pipeline:{}", pipeline.id))`
`177`	`177`	`\|\| permitted`
`178`	`178`	`.as_ref()`
`179`	`179`	`.unwrap()`
`180`		`- .contains(&format!("pipelines:_all_{}", org_id))`
	`180`	`+ .contains(&format!("pipeline:_all_{}", org_id))`
`181`	`181`	`{`
`182`	`182`	`result.push(pipeline)`
`183`	`183`	`}`