Fix(ACL) : Disallow deleting of groot user and guardians group #6580
Conversation
vmrajas
requested review from
pawanrawal,
abhimanyusinghgaur and
animesh2049
vmrajas
requested review from
manishrjain and
vvbalaji-dgraph
as code owners
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 4 unresolved discussions (waiting on @abhimanyusinghgaur, @animesh2049, @manishrjain, @pawanrawal, @vmrajas, and @vvbalaji-dgraph)
edgraph/access_ee.go, line 49 at r1 (raw file):
} type groupNode struct {
They are being used only once. I don't think we should create global type for them. Maybe just define them inside the function.
ee/acl/acl_test.go, line 3117 at r1 (raw file):
} func TestDeleteGuardiansGroupShouldFail(t *testing.T) {
Please add tests for mutations with *
query/mutation.go, line 51 at r1 (raw file):
for _, edge := range m.Edges { // Disallow deleting of guardians group if edge.Entity == guardianGroupUid && edge.Attr == "dgraph.xid" && edge.Op == pb.DirectedEdge_DEL {
I think we might miss deletion with * operator.
<guardians_id> * * .
The above query would still delete the guardians group.
According to me, better approach will be to allow only password change operation on groot and no change for guardians. Block any other operation involving them.
x/x.go, line 175 at r1 (raw file):
AcceptedOrigins = atomic.Value{} // GuardiansGroupUid is Uid of guardians group node. GuardiansGroupUid = atomic.Value{}
Any specific reason for using atomic.Value ? Can't GuardiansGroupUid and GrootUserUid simply be 2 uint64 and we can use atomic.LoadUint64 and atomic.StoreUint64 on them?
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 4 unresolved discussions (waiting on @abhimanyusinghgaur, @manishrjain, @pawanrawal, @vmrajas, and @vvbalaji-dgraph)
query/mutation.go, line 51 at r1 (raw file):
Previously, animesh2049 (Animesh Chandra Pathak) wrote…
I think we might miss deletion with
*operator.<guardians_id> * * .The above query would still delete the guardians group.
According to me, better approach will be to allow only password change operation ongrootand no change forguardians. Block any other operation involving them.
I forgot the fact that start will be expanded before coming here. But I feel later part is still valid.
vmrajas
force-pushed
the
rajas/fix_guardians_deletion
branch
from
b28f567 to
7724581
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 4 unresolved discussions (waiting on @abhimanyusinghgaur, @animesh2049, @manishrjain, @pawanrawal, @vmrajas, and @vvbalaji-dgraph)
edgraph/access_ee.go, line 49 at r1 (raw file):
Previously, animesh2049 (Animesh Chandra Pathak) wrote…
They are being used only once. I don't think we should create global type for them. Maybe just define them inside the function.
Done.
query/mutation.go, line 51 at r1 (raw file):
Previously, animesh2049 (Animesh Chandra Pathak) wrote…
I forgot the fact that start will be expanded before coming here. But I feel later part is still valid.
Done.
x/x.go, line 175 at r1 (raw file):
Previously, animesh2049 (Animesh Chandra Pathak) wrote…
Any specific reason for using
atomic.Value? Can'tGuardiansGroupUidandGrootUserUidsimply be 2uint64and we can useatomic.LoadUint64andatomic.StoreUint64on them?
Done.
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 5 unresolved discussions (waiting on @abhimanyusinghgaur, @animesh2049, @manishrjain, @pawanrawal, @vmrajas, and @vvbalaji-dgraph)
query/mutation.go, line 259 at r2 (raw file):
// Disallow deleting of guardians group if edge.Entity == guardianGroupUid && edge.Op == pb.DirectedEdge_DEL { glog.Info("Trying to delete guardians group. Operation not allowed.")
Minor: trying to delete guardians group might not be appropriate every time. Sometimes it might just be trying to delete some edge of guardian. Same for groot and the error message being returned.
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 8 unresolved discussions (waiting on @abhimanyusinghgaur, @animesh2049, @manishrjain, @pawanrawal, @vmrajas, and @vvbalaji-dgraph)
ee/acl/acl_test.go, line 3117 at r1 (raw file):
Previously, animesh2049 (Animesh Chandra Pathak) wrote…
Please add tests for mutations with
*
Might be hard to test this automatically as we won't have the uid for groot or guardians. Though worth testing manually.
query/mutation.go, line 245 at r2 (raw file):
func checkIfDeletingAclOperation(edges []*pb.DirectedEdge) error {
Can we verify that drop_data and drop_all should still work?
Currently after drop all/drop data the groot and guardian group are re-added. Are there uids refreshed currently or only after a restart?
query/mutation.go, line 265 at r2 (raw file):
// Disallow deleting of groot user if edge.Entity == grootUserUid && edge.Op == pb.DirectedEdge_DEL { glog.Info("Trying to delete groot user. Operation not allowed.")
I don't think we need these info logs because we are returning an error here.
query/mutation.go, line 271 at r2 (raw file):
} if isDeleteAclOperation { return errors.Errorf("guardians group and groot user cannot be deleted.")
Properties of guardians group and groot user...
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 7 unresolved discussions (waiting on @abhimanyusinghgaur, @animesh2049, @manishrjain, @pawanrawal, and @vvbalaji-dgraph)
ee/acl/acl_test.go, line 3117 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Might be hard to test this automatically as we won't have the uid for
grootorguardians. Though worth testing manually.
Done.
query/mutation.go, line 245 at r2 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Can we verify that
drop_dataanddrop_allshould still work?Currently after drop all/drop data the groot and guardian group are re-added. Are there uids refreshed currently or only after a restart?
Done.
query/mutation.go, line 265 at r2 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
I don't think we need these info logs because we are returning an error here.
Done.
query/mutation.go, line 271 at r2 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Properties of guardians group and groot user...
Done.
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 6 unresolved discussions (waiting on @abhimanyusinghgaur, @animesh2049, @manishrjain, @pawanrawal, @vmrajas, and @vvbalaji-dgraph)
edgraph/access_ee.go, line 457 at r3 (raw file):
atomic.StoreUint64(&x.GuardiansGroupUid, guardiansGroupUidUint) glog.Infof("guardians group uid: %d", guardiansGroupUidUint)
Don't print this.
edgraph/access_ee.go, line 526 at r3 (raw file):
} atomic.StoreUint64(&x.GrootUserUid, grootUserUidUint) glog.Infof("groot user uid: %d", grootUserUidUint)
We don't need to really print this id here.
vmrajas
force-pushed
the
rajas/fix_guardians_deletion
branch
from
940a922 to
29f9ffe
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 6 unresolved discussions (waiting on @abhimanyusinghgaur, @animesh2049, @manishrjain, @pawanrawal, and @vvbalaji-dgraph)
edgraph/access_ee.go, line 457 at r3 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Don't print this.
Done.
edgraph/access_ee.go, line 526 at r3 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
We don't need to really print this id here.
Done.
![codelingo[bot]](https://avatars.githubusercontent.com/in/14339?s=60&v=4){kind=small}
| @@ -381,7 +383,7 @@ var aclPrefixes = [][]byte{ | |||
| x.PredicatePrefix("dgraph.xid"), | |||
| } | |||
|
|
|||
| // ResetAcl clears the aclCachePtr and upserts the Groot account. | |||
| // clears the aclCachePtr and upserts the Groot account. | |||
There was a problem hiding this comment.
Every exported function in a program should have a doc comment. The first sentence should be a summary that starts with the name (ResetAcl) being declared.
From effective go.
| @@ -176,10 +176,16 @@ var ( | |||
| Nilbyte []byte | |||
| // AcceptedOrigins is allowed list of origins to make request to the graphql endpoint. | |||
| AcceptedOrigins = atomic.Value{} | |||
| // GuardiansGroupUid is Uid of guardians group node. | |||
| GuardiansGroupUid uint64 | |||
There was a problem hiding this comment.
Avoid global variables to improve readability and reduce complexity
| // GuardiansGroupUid is Uid of guardians group node. | ||
| GuardiansGroupUid uint64 | ||
| // GrootUser Uid is Uid of groot user node. | ||
| GrootUserUid uint64 |
There was a problem hiding this comment.
Avoid global variables to improve readability and reduce complexity
| @@ -83,7 +83,7 @@ func checkUserCount(t *testing.T, resp []byte, expected int) { | |||
| require.Equal(t, expected, len(r.AddUser.User)) | |||
| } | |||
|
|
|||
| func deleteUser(t *testing.T, accessToken, username string, confirmDeletion bool) { | |||
| func deleteUser(t *testing.T, accessToken, username string, confirmDeletion bool) *testutil.GraphQLResponse { | |||
There was a problem hiding this comment.
Boolean arguments can indicate low cohesion. Consider refactoring deleteUser by using a separate function for each case and helper functions for repeated code. This will make each function clearer and more modular, leading to easier maintainability.
| } | ||
|
|
||
| func deleteGroup(t *testing.T, accessToken, name string) { | ||
| func deleteGroup(t *testing.T, accessToken, name string, confirmDeletion bool) *testutil.GraphQLResponse { |
There was a problem hiding this comment.
Boolean arguments can indicate low cohesion. Consider refactoring deleteGroup by using a separate function for each case and helper functions for repeated code. This will make each function clearer and more modular, leading to easier maintainability.
| @@ -381,7 +383,7 @@ var aclPrefixes = [][]byte{ | |||
| x.PredicatePrefix("dgraph.xid"), | |||
| } | |||
|
|
|||
| // ResetAcl clears the aclCachePtr and upserts the Groot account. | |||
| // clears the aclCachePtr and upserts the Groot account. | |||
There was a problem hiding this comment.
Every exported function in a program should have a doc comment. The first sentence should be a summary that starts with the name (ResetAcl) being declared.
From effective go.
| @@ -176,10 +176,16 @@ var ( | |||
| Nilbyte []byte | |||
| // AcceptedOrigins is allowed list of origins to make request to the graphql endpoint. | |||
| AcceptedOrigins = atomic.Value{} | |||
| // GuardiansGroupUid is Uid of guardians group node. | |||
| GuardiansGroupUid uint64 | |||
There was a problem hiding this comment.
Avoid global variables to improve readability and reduce complexity
| // GuardiansGroupUid is Uid of guardians group node. | ||
| GuardiansGroupUid uint64 | ||
| // GrootUser Uid is Uid of groot user node. | ||
| GrootUserUid uint64 |
There was a problem hiding this comment.
Avoid global variables to improve readability and reduce complexity
Motivation
Currently, it is possible to delete guardians user group and groot user using a simple graphql query.
This behaviour causes bad user experience as guardians is the admin group and groot user is the primary admin user.
Once, the group has been deleted, to get back access to groot user, the user has to restart dgraph alpha again.
This PR adds fixes this. This PR makes it impossible to delete groot user and guardians group.
Related discuss issue: https://discuss.dgraph.io/t/customers-can-delete-guardians-group-and-lose-access/9614
Components affected by this PR:
Dgraph ACL
Does this PR break backwards compatibility?:
No
Fixes DGRAPH-2454
This change is
Docs Preview: