Package com.linkedin.venice.acl.handler

Class AbstractStoreAclHandler<REQUEST_TYPE>

java.lang.Object

io.netty.channel.ChannelHandlerAdapter

io.netty.channel.ChannelInboundHandlerAdapter

io.netty.channel.SimpleChannelInboundHandler<io.netty.handler.codec.http.HttpRequest>

com.linkedin.venice.acl.handler.AbstractStoreAclHandler<REQUEST_TYPE>

All Implemented Interfaces:

io.netty.channel.ChannelHandler, io.netty.channel.ChannelInboundHandler

Direct Known Subclasses:

RouterStoreAclHandler, ServerStoreAclHandler

@Sharable
public abstract class AbstractStoreAclHandler<REQUEST_TYPE>
extends io.netty.channel.SimpleChannelInboundHandler<io.netty.handler.codec.http.HttpRequest>

Store-level access control handler, which is being used by both Router and Server.

Nested Class Summary

Nested classes/interfaces inherited from interface io.netty.channel.ChannelHandler

io.netty.channel.ChannelHandler.Sharable

Field Summary

Fields

Modifier and Type	Field	Description
static final String	STORE_ACL_CHECK_RESULT
static final io.netty.util.AttributeKey<VeniceConcurrentHashMap<String,com.linkedin.venice.acl.handler.AbstractStoreAclHandler.CachedAcl>>	STORE_ACL_CHECK_RESULT_ATTRIBUTE_KEY

Constructor Summary

Constructors

Constructor	Description
AbstractStoreAclHandler(IdentityParser identityParser, DynamicAccessController accessController, ReadOnlyStoreRepository metadataRepository, int cacheTTLMs)
AbstractStoreAclHandler(IdentityParser identityParser, DynamicAccessController accessController, ReadOnlyStoreRepository metadataRepository, int cacheTTLMs, Time time)

Method Summary

Modifier and Type	Method	Description
void	channelRead0(io.netty.channel.ChannelHandlerContext ctx, io.netty.handler.codec.http.HttpRequest req)	Verify if client has permission to access.
protected AccessResult	checkAccess(String uri, X509Certificate clientCert, String storeName, String method)	N.B.: This function is called on the hot path, so it's important to make it as efficient as possible.
protected abstract String	extractStoreName(REQUEST_TYPE requestType, String[] requestParts)
protected boolean	isAccessAlreadyApproved(io.netty.channel.Channel originalChannel)
protected abstract boolean	needsAclValidation(REQUEST_TYPE requestType)
protected abstract REQUEST_TYPE	validateRequest(String[] requestParts)	Validate the request and return the request type.

Methods inherited from class io.netty.channel.SimpleChannelInboundHandler

acceptInboundMessage, channelRead

Methods inherited from class io.netty.channel.ChannelInboundHandlerAdapter

channelActive, channelInactive, channelReadComplete, channelRegistered, channelUnregistered, channelWritabilityChanged, exceptionCaught, userEventTriggered

Methods inherited from class io.netty.channel.ChannelHandlerAdapter

ensureNotSharable, handlerAdded, handlerRemoved, isSharable

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.netty.channel.ChannelHandler

handlerAdded, handlerRemoved

Field Details

STORE_ACL_CHECK_RESULT

public static final String STORE_ACL_CHECK_RESULT

See Also:

• Constant Field Values

STORE_ACL_CHECK_RESULT_ATTRIBUTE_KEY

public static final io.netty.util.AttributeKey<VeniceConcurrentHashMap<String,com.linkedin.venice.acl.handler.AbstractStoreAclHandler.CachedAcl>> STORE_ACL_CHECK_RESULT_ATTRIBUTE_KEY

Constructor Details

AbstractStoreAclHandler

public AbstractStoreAclHandler(IdentityParser identityParser,
 DynamicAccessController accessController,
 ReadOnlyStoreRepository metadataRepository,
 int cacheTTLMs)

AbstractStoreAclHandler

public AbstractStoreAclHandler(IdentityParser identityParser,
 DynamicAccessController accessController,
 ReadOnlyStoreRepository metadataRepository,
 int cacheTTLMs,
 Time time)

Method Details

channelRead0

public void channelRead0(io.netty.channel.ChannelHandlerContext ctx,
 io.netty.handler.codec.http.HttpRequest req)
                  throws SSLPeerUnverifiedException

Verify if client has permission to access.

Specified by:

channelRead0 in class io.netty.channel.SimpleChannelInboundHandler<io.netty.handler.codec.http.HttpRequest>

Parameters:

ctx -

req -

Throws:

SSLPeerUnverifiedException

isAccessAlreadyApproved

protected boolean isAccessAlreadyApproved(io.netty.channel.Channel originalChannel)

needsAclValidation

protected abstract boolean needsAclValidation(REQUEST_TYPE requestType)

extractStoreName

protected abstract String extractStoreName(REQUEST_TYPE requestType,
 String[] requestParts)

validateRequest

protected abstract REQUEST_TYPE validateRequest(String[] requestParts)

Validate the request and return the request type. If the request is invalid, return null

Parameters:

requestParts - the parts of the request URI

Returns:

the request type; null if the request is invalid

checkAccess

protected AccessResult checkAccess(String uri,
 X509Certificate clientCert,
 String storeName,
 String method)

N.B.: This function is called on the hot path, so it's important to make it as efficient as possible. The order of operations is carefully considered so that short-circuiting comes into play as much as possible. We also try to minimize the overhead of logging wherever possible (e.g., by minimizing expensive calls, such as the one to IdentityParser.parseIdentityFromCert(X509Certificate)).