[WIP] Enable Access Control Management API & UI Page #376

Yuqing-cat · 2022-06-16T11:14:39Z

What is covered:

Items	Notes
Access Control Management APIs	3 APIs to `get`, `add`, `delete` user role records in SQL database and protected with "admin" role
JWT Auth	AAD Token supported
Access Control Management UI	The link is still hidden. But you can test with `/management` & `role-management` router.
API Spec Update	Access Control contents are added
SQL Schema & test data	Sample data and Table initialize scripts are included

What is NOT covered:

Items	Reasons
Access Control Initialized for new projects	`Init_rbac()` Function and TODO are added. However, current API server & client still have gaps
protect all registry APIs with RBAC logic	Protecting all APIs will Access Control configs may add burden to engineer test effort as the API is still under development. Will add it when API layer is stable. Current PR is the fundamental for Registry API Access Control in the future.
Access Control for other Registry backend, e.g., Purview	Purview Registry APIs are under development
Other OAuth Token	Currently, only AAD is supported by UI
Security Group Info	Will be included in future enhancement.

Yuqing-cat · 2022-06-16T11:16:04Z

Some local test screenshots:

registry/sql-registry/api-spec.md

blrchen · 2022-06-16T17:27:50Z

ui/src/api/api.tsx

-      }).then((response) => {
+  const reason = "Delete from management UI.";
+  return await Axios.post(
+    `${API_ENDPOINT}/users/${userrole.userName}/userroles/delete?code=${token}`,


${API_ENDPOINT}/users/${userrole.userName}/userroles/delete?code=${token},

accessToken should be put in header, not url query string.

Please fix same issue in other api calls.

It's suggeted to implement an interceptor which fires in every request.

Move all tokens of access control management APIs into header with a common axios.create() function.
Please check if it's an acceptable way. If so, I will implement the practice to all APIs.

registry/sql-registry/rbac/db_rbac.py

xiaoyongzhu · 2022-06-19T11:19:06Z

Would this only work for SQL based registry? Or for both purview & SQL based reigstry?

Yuqing-cat · 2022-06-20T03:47:59Z

Would this only work for SQL based registry? Or for both purview & SQL based reigstry?

In current implementation, this only work for SQL based Access Control with API layer.
It should also be able to work with purview-based registry API with a SQL server to store access control records.
To clarify, this PR only includes the fundamental infrastructure of SQL based Access Control management.

Also, I've tried to store access control records into Purview to simplify required resources. However, the concurrency control is still a big problem. If that's fixed, we can implement access control management into purview as well.

Yuqing-cat · 2022-06-28T13:51:36Z

Create a new PR for access control plugin experience: #409
Close this one.

Yuqing-cat added 3 commits June 15, 2022 20:11

save today's work

22c0faa

rbac management API

0e49836

merge conflict

0791caa

Yuqing-cat requested review from blrchen and windoze June 16, 2022 11:14

Yuqing-cat linked an issue Jun 16, 2022 that may be closed by this pull request

Implement Basic RBAC Roles (Admin, Producer, Consumer) #146

Closed

Yuqing-cat requested a review from jainr June 16, 2022 11:18

Yuqing-cat self-assigned this Jun 16, 2022

Yuqing-cat added the feature New feature or request label Jun 16, 2022

Yuqing-cat linked an issue Jun 16, 2022 that may be closed by this pull request

Add azure ad authentication to Fast API #295

Closed

Yuqing-cat changed the title ~~Enable RBAC Management API & UI Page~~ Enable Registry Access Control Management API & UI Page Jun 16, 2022

Yuqing-cat changed the title ~~Enable Registry Access Control Management API & UI Page~~ Enable Access Control Management API & UI Page Jun 16, 2022