Package com.linkedin.venice.listener
Class ServerStoreAclHandler
java.lang.Object
  io.netty.channel.ChannelHandlerAdapter
    io.netty.channel.ChannelInboundHandlerAdapter
      io.netty.channel.SimpleChannelInboundHandler<io.netty.handler.codec.http.HttpRequest>
        com.linkedin.venice.acl.handler.StoreAclHandler
          com.linkedin.venice.listener.ServerStoreAclHandler
All Implemented Interfaces: io.grpc.ServerInterceptor, io.netty.channel.ChannelHandler, io.netty.channel.ChannelInboundHandler
public class ServerStoreAclHandler extends StoreAclHandler
Together with ServerAclHandler, the Server allows two kinds of access pattern:
1. Access from the Router: the Router request is validated in ServerAclHandler, and ServerStoreAclHandler is a quick pass-through.
2. Access from a Client directly: ServerAclHandler denies the request, and ServerStoreAclHandler validates the request at the store level, which is exactly the same as the access control behavior in the Router.
If both of them fail, the request is rejected.
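
The two access patterns described above, modeled in plain Java as an added example; this is not Venice's own code. The StoreAcl interface, the Router allow list, the principal strings and the "<store>_v<N>" topic naming are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added illustration only: a plain-Java model of the two-stage decision, not Venice code.
public class TwoStageAclModel {
  // Hypothetical stand-in for a store-level ACL lookup keyed by client principal.
  interface StoreAcl { boolean hasReadAccess(String principal, String storeName); }

  enum Decision { ALLOW_ROUTER, ALLOW_STORE_ACL, REJECT }

  // Assumption: version topics are named "<store>_v<N>"; anything else is malformed.
  static String storeNameFromTopic(String topic) {
    int idx = topic.lastIndexOf("_v");
    if (idx <= 0 || !topic.substring(idx + 2).matches("\\d+")) {
      throw new IllegalArgumentException("not a version topic: " + topic);
    }
    return topic.substring(0, idx);
  }

  // Stage 1 models ServerAclHandler validating a Router request (allow list is assumed).
  // Stage 2 models ServerStoreAclHandler: pass-through if approved, else store-level check.
  static Decision decide(String principal, String topic, Set<String> routers, StoreAcl acl) {
    boolean alreadyApproved = principal != null && routers.contains(principal);
    if (alreadyApproved) return Decision.ALLOW_ROUTER;
    if (principal == null) return Decision.REJECT; // no verified client certificate
    String store;
    try {
      store = storeNameFromTopic(topic);
    } catch (IllegalArgumentException e) {
      return Decision.REJECT; // fail closed on a resource name that cannot be mapped
    }
    return acl.hasReadAccess(principal, store) ? Decision.ALLOW_STORE_ACL : Decision.REJECT;
  }

  public static void main(String[] args) {
    // Constructed sample data.
    Set<String> routers = Set.of("CN=venice-router");
    Map<String, Set<String>> grants = Map.of("orders", Set.of("CN=orders-reader"));
    StoreAcl acl = (p, s) -> grants.getOrDefault(s, Set.of()).contains(p);
    System.out.println(decide("CN=venice-router", "orders_v3", routers, acl));
    System.out.println(decide("CN=orders-reader", "orders_v3", routers, acl));
    System.out.println(decide("CN=orders-reader", "payments_v1", routers, acl));
    System.out.println(decide(null, "orders_v3", routers, acl));
    System.out.println(decide("CN=orders-reader", "orders", routers, acl));
  }
}
```
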
Constructor Summary
ServerStoreAclHandler(DynamicAccessController accessController, ReadOnlyStoreRepository metadataRepository)
Method Summary
void channelRead0(io.netty.channel.ChannelHandlerContext ctx, io.netty.handler.codec.http.HttpRequest req)
    Verify if client has permission to access.
protected static boolean checkWhetherAccessHasAlreadyApproved(io.grpc.Metadata headers)
protected static boolean checkWhetherAccessHasAlreadyApproved(io.netty.channel.ChannelHandlerContext ctx)
protected java.security.cert.X509Certificate extractClientCert(io.netty.channel.ChannelHandlerContext ctx)
protected java.lang.String extractStoreName(java.lang.String resourceName)
    In Venice Server, the resource name is actually a Kafka topic name.
<ReqT,RespT> io.grpc.ServerCall.Listener<ReqT> interceptCall(io.grpc.ServerCall<ReqT,RespT> call, io.grpc.Metadata headers, io.grpc.ServerCallHandler<ReqT,RespT> next)
Methods inherited from class com.linkedin.venice.acl.handler.StoreAclHandler
extractClientCert
Methods inherited from class io.netty.channel.SimpleChannelInboundHandler
acceptInboundMessage, channelRead
Methods inherited from class io.netty.channel.ChannelInboundHandlerAdapter
channelActive, channelInactive, channelReadComplete, channelRegistered, channelUnregistered, channelWritabilityChanged, exceptionCaught, userEventTriggered
Methods inherited from class io.netty.channel.ChannelHandlerAdapter
ensureNotSharable, handlerAdded, handlerRemoved, isSharable
Constructor Detail

ServerStoreAclHandler
public ServerStoreAclHandler(DynamicAccessController accessController, ReadOnlyStoreRepository metadataRepository)

Method Detail

extractStoreName
protected java.lang.String extractStoreName(java.lang.String resourceName)
In Venice Server, the resource name is actually a Kafka topic name.
Overrides: extractStoreName in class StoreAclHandler

channelRead0
public void channelRead0(io.netty.channel.ChannelHandlerContext ctx, io.netty.handler.codec.http.HttpRequest req) throws javax.net.ssl.SSLPeerUnverifiedException
Description copied from class: StoreAclHandler
Verify if client has permission to access.
Overrides: channelRead0 in class StoreAclHandler
Throws: javax.net.ssl.SSLPeerUnverifiedException

extractClientCert
protected java.security.cert.X509Certificate extractClientCert(io.netty.channel.ChannelHandlerContext ctx) throws javax.net.ssl.SSLPeerUnverifiedException
Overrides: extractClientCert in class StoreAclHandler
Throws: javax.net.ssl.SSLPeerUnverifiedException

checkWhetherAccessHasAlreadyApproved
protected static boolean checkWhetherAccessHasAlreadyApproved(io.netty.channel.ChannelHandlerContext ctx)

checkWhetherAccessHasAlreadyApproved
protected static boolean checkWhetherAccessHasAlreadyApproved(io.grpc.Metadata headers)

interceptCall
public <ReqT,RespT> io.grpc.ServerCall.Listener<ReqT> interceptCall(io.grpc.ServerCall<ReqT,RespT> call, io.grpc.Metadata headers, io.grpc.ServerCallHandler<ReqT,RespT> next)
Specified by: interceptCall in interface io.grpc.ServerInterceptor
Overrides: interceptCall in class StoreAclHandler