Commit 0e05788
feat(calm-hub): hierarchical namespace entitlements (finos#2640)
* feat(calm-hub): allow * as reserved public-access username
Update USERNAME_REGEX to accept the literal * character as a valid
username, representing public/anyone access. Prevents collision with
real OIDC identities. Tests verify * is accepted and ** is rejected.
* feat(calm-hub): add getGrantsForUser to UserAccessStore
New store method returns a user's own grants plus * (public) grants
in a single query, avoiding two round-trips per permission check.
Returns an empty list rather than throwing when no grants exist.
Implemented for both Mongo and Nitrite backends.
* feat(calm-hub): implement hierarchical namespace permission checks
Replace flat exact-match logic with ancestor-chain evaluation:
- READ: AND-based — every ancestor level must have a grant (user or *)
- WRITE/ADMIN: OR-based — any ancestor grant is sufficient
Introduces ancestorChain() helper, switches hasNamespaceAccess to use
getGrantsForUser for a single store round-trip. Domain checks and
global admin are unchanged. Corrects a logic error in the docs example
(mark cannot read a child namespace without a grant at that level).
* feat(calm-hub): introduce NamespaceService with default public read grant
NamespaceResource now delegates all namespace operations through
NamespaceService, removing direct store access from the resource.
On namespace creation the service inserts a * read grant automatically,
making every new namespace publicly readable by default.
* feat(calm-hub): add NamespaceMigrationService to backfill * read grants
On startup, inserts a * read grant for any namespace that has no grants
at all, preserving public visibility after the hierarchical model is
deployed. Namespaces with existing grants (even user-specific ones) are
left untouched — the admin configured them intentionally and backfilling
would grant unintended additional access. Operation is idempotent.
* feat(calm-hub): apply hierarchical AND rule to getReadableNamespaces
Switch from getUserAccessForUsername (flat, misses * grants) to
getGrantsForUser (user + * grants in one call), then apply the same
AND ancestor-chain check as canRead: a namespace is included only if
every level in its chain has a READ-sufficient grant. Guarantees search
results never include namespaces that would return 403 on click-through.
* docs(calm-hub): document hierarchical entitlement model
Update PERMISSIONS.md as the internal developer reference covering the
AND/OR ancestor-chain rules, key classes, and store method distinction.
Add an Access Control section to calm-hub.md linking to the new
calm-hub-entitlements.md user-facing page.
* fix(calm-hub): add * read grants and fix counter in mongo seed data
The MongoDB init script bypasses NamespaceService (direct db.namespaces
insert), so the auto-inserted * read grant from NamespaceService never ran.
NamespaceMigrationService then skips finos/workshop/traderx at startup
because they already have named-user grants (demo/demo_admin).
Add explicit * read grants (IDs 7-10) for all four seeded namespaces so
the seed matches the default-open behaviour of NamespaceService, and
bump userAccessStoreCounter from 6 to 11 (was off-by-one: 6 docs with
IDs 1-6 existed, but counter was initialised to 6 instead of 7).
* fix(calm-hub): skip namespace migration in test mode via LaunchMode check
NamespaceMigrationService.onStart() returns immediately when
LaunchMode.current() == TEST, preventing it from attempting a MongoDB
connection during @QuarkusTest and @testprofile startups where DevServices
does not re-patch the connection string after a profile restart.
Pure Mockito unit tests are unaffected: LaunchMode.current() returns NORMAL
when no Quarkus context is active, so all nine migration unit tests
continue to exercise the full migration path.
* test(calm-hub): mock UserAccessStore in TestSecurityResponseHeadersShould
createNamespace() now also inserts a * read grant via UserAccessStore.
The POST /calm/namespaces test in TestSecurityResponseHeadersShould was
not mocking UserAccessStore, so the real MongoDB implementation timed out
in CI where MongoDB is not available at localhost:27017.
* fix(calm-hub): address Copilot PR review comments
- NamespaceMigrationService Javadoc: clarify that backfill is skipped
when any grant exists (wildcard or named-user), not just wildcard grants
- CalmHubPermissionChecker: downgrade per-request auth outcome logs from
INFO/WARN to DEBUG to avoid flooding production logs
- UserAccessValidator.getReadableNamespaces(): return Optional<Set<String>>
where Optional.empty() signals "all namespaces" (no filter). Short-circuit
to Optional.empty() when calm.auth.allow-public-read=true or the user
holds a GLOBAL admin grant, so search results match canRead() in all cases
- SearchTools: unwrap the Optional directly from getReadableNamespaces()
- Tests: use containsInAnyOrder for order-independent assertions in
getGrantsForUser tests; add bypass-case coverage for UserAccessValidator
Rejected: O(ancestors×grants) optimisation (premature at realistic scale)
* fix(calm-hub): update SearchResource and test to use Optional<Set<String>> return type
getReadableNamespaces() now returns Optional<Set<String>> to distinguish
unconstrained access (empty Optional) from no access (Optional of empty set).
SearchResource and TestSearchResourceFilteringShould updated to match.
1 parent 0c85722 commit 0e05788
27 files changed
Lines changed: 1320 additions & 153 deletions
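The AND/OR ancestor-chain rules from the commit message, as an added Java sketch that is not CALM Hub's code. The `.` level separator, the READ < WRITE < ADMIN ordering, the `Grant` record, `levelSatisfies` and the in-memory list standing in for `UserAccessStore` are assumptions; `ancestorChain`, `hasNamespaceAccess` and `getGrantsForUser` are named on the page but implemented here independently.

```java
import java.util.ArrayList;
import java.util.List;
// Added sketch, not CALM Hub source. Assumptions: '.' separates namespace levels,
// and permissions are ordered READ < WRITE < ADMIN so a higher grant satisfies READ.
public class HierarchicalAccessSketch {
    enum Permission { READ, WRITE, ADMIN }
    record Grant(String username, String namespace, Permission permission) {}
    static final String PUBLIC = "*"; // reserved public-access username
    // "a.b.c" -> [a, a.b, a.b.c]
    static List<String> ancestorChain(String namespace) {
        List<String> chain = new ArrayList<>();
        for (int i = namespace.indexOf('.'); i >= 0; i = namespace.indexOf('.', i + 1))
            chain.add(namespace.substring(0, i));
        chain.add(namespace);
        return chain;
    }
    // Stand-in for getGrantsForUser: the user's own grants plus '*' grants; may be empty.
    static List<Grant> grantsForUser(List<Grant> store, String user) {
        return store.stream()
                .filter(g -> g.username().equals(user) || g.username().equals(PUBLIC))
                .toList();
    }
    // Hypothetical helper: does any grant at exactly this level meet the required permission?
    static boolean levelSatisfies(List<Grant> grants, String level, Permission required) {
        return grants.stream().anyMatch(g -> g.namespace().equals(level)
                && g.permission().compareTo(required) >= 0);
    }

    // READ: AND across the chain (every level needs a grant). WRITE/ADMIN: OR (any level).
    static boolean hasNamespaceAccess(List<Grant> store, String user, String ns, Permission required) {
        List<Grant> grants = grantsForUser(store, user);
        List<String> chain = ancestorChain(ns);
        return required == Permission.READ
                ? chain.stream().allMatch(l -> levelSatisfies(grants, l, Permission.READ))
                : chain.stream().anyMatch(l -> levelSatisfies(grants, l, required));
    }

    public static void main(String[] args) {
        List<Grant> store = List.of( // constructed sample grants
                new Grant(PUBLIC, "org", Permission.READ),
                new Grant("alice", "org", Permission.WRITE),
                new Grant("alice", "org.team", Permission.READ));
        // mark is covered at org only through '*'; alice has named grants at both levels
        for (String user : List.of("mark", "alice"))
            for (Permission p : Permission.values())
                System.out.printf("%s %s org.team -> %b%n", user, p, hasNamespaceAccess(store, user, "org.team", p));
    }
}
```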