[rest] Add server-issued view read grants#8634
Draft
leaves12138 wants to merge 4 commits into
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
Prevent view permission penetration from trusting a client-supplied
viaidentifier. A client can only use a short-lived, tamper-resistant read grant issued after the server authorizes a consistent view version and independently verifies its transitive dependency closure.This is the core/REST protocol PR split from the discussion in #8112. Engine-specific extraction and propagation of trusted view dependencies can follow separately. Until a trusted server-side analyzer supplies and verifies those dependencies, grant issuance fails closed.
Changes
View/ViewSchema, persist them in JDBC, and add an atomicUpdateDependenciesview change. Values received from REST clients are metadata hints, not authorization evidence;ReadGrantService.ViewResolver#getVerifiedDependenciesmust return the independently verified dependency list and grant issuance rejects missing or mismatched verification.Catalog#getViewForReadandPOST .../views/{view}/read-grant, which atomically return a view definition and grant after an optimistic full-closure consistency check.ReadGrantServiceand HMAC-SHA256 primitives. Grants bind a stable, non-secret authenticated subject, catalog/warehouse audience, stable root-view ID/version, expiry, nonce, and a fixed-size authorization version covering all nested-view versions, dependency edges, and target-table fingerprints. Raw Authorization headers and bearer credentials must never be embedded in claims.X-Paimon-Read-Grantheader. Grants are accepted only by read endpoints and never authorize mutations.ReadAuthorizationContext, atomically replace the grant and expiry, and retry only a 403 whoseresourceTypeisREAD_GRANT, once. Other 403 responses are terminal.FileIO, reject writes in Paimon and in the reference storage backend, reject paths outside the credential scope, and avoid caching grant-backed table objects.SnapshotLoaderImplserialization compatibility and update the REST OpenAPI contract and reference server.Apache Paimon does not contain a deployable production REST server. The reusable validation and provider contracts are production code in
paimon-api;RESTCatalogServerintegrates them as the reference implementation used by end-to-end tests. A production server must obtain the authenticated subject and verified dependency graph from its own trusted authentication and query-analysis layers.Security and revocation model
viavalue, or client-constructed dependency list grants no access.Validation
mvn -pl paimon-api -Pfast-build -DwildcardSuites=none test(69 tests)mvn -pl paimon-core -am -Pfast-build -DfailIfNoTests=false -DwildcardSuites=none -Dtest=MockRESTCatalogTest,CachingCatalogTest,RESTApiJsonTest,SnapshotLoaderImplCompatibilityTest test(189 tests)mvn -pl paimon-api,paimon-common,paimon-core -am -DskipTests compiledocs/static/rest-catalog-open-api.yamlsuccessfully.