Commit
More Complete ACL Implementation (#386)
* Introducing remaining ACL categories
  An attempt has been made to cover all commands, but more remain.
  A number of TODOs remain, but this gives a rough shape of how it'd work and how individual Commands or SubCommands would end up ACL'd too.
* Covers most of the remaining commands.
  As part of this, needed to actually enumerate all commands in RespCommands which implies a lot of future cleanup in parsing and command processing.
  This also uncovered a number of different gaps in implemented RESP commands, which were not addressed unless doing so was necessary for ACL testing.
* Cover all remaining commands actually in Redis. Garnet-specific commands are still pending.
* Handle Garnet specific commands. Introduces @garnet category. Reworks WATCH so MS and OS are proper subcommands.
* Get us to all tests passing before moving onto cleanup and individual command ACL'ing.
* Rework BITOP to remove last subcommand byte in parsing. Reworks parsing to remove the tuple with subcommand, as it'd always be 0 now.
* DRY up ACL checking - now we only need specific call out for sub commands, while the common case is consolidated into an upfront check.
  Note that SET (and pseudo-variants SETEXNX, etc.) is a special case, as it lacks subcommands but has multiple command types. That could be cleaned up later, but has performance implications - so leaving it for future work.
* remove CommandCategory, it is redundant
* handle some todos; bring read/write command checking into line with ACL categories, replace slow temp code with better code, add tests to catch future additions; this involves reordering RespCommand yet again
* lay groundwork for adding/removing individual commands from ACLs
* expand tests to also exercise individual commands
* knock some TODOs out, get these checks into simpler branchless range checks
* expand tests to cover individual command ACL'ing
* cleanup a number of style nits and analyzer/diagnostic warnings
* nit: typo
  Co-authored-by: Lukas Maas <[email protected]>
* address feedback; fix bug, skip already processed bytes in cluster session ACL validation
  address feedback; break CommandPermissionSet out into separate file
  address feedback; increment correct statistic, fixing bug
  address feedback; adding count is unnecessary in many places, remove that post-DRY-ing
* address feedback; no reason to special case default user anymore
* Rework parsing and RespCommand so RESP subcommands have entries in RespCommand.
* DRY up testing for ACLs now that categories, commands, and subcommands are all covered.
* Restore BITOP pseudo-subcommand parsing and cleanup treatment of similar commands; address a couple nits
* Test remaining "weird" commands, including all CLUSTER subcommands. This means we now document all of these in RespCommandsInfo.json, as they're just normal commands from the perspective of ACL'ing.
* Handle CustomXXX commands; this isn't amazing, because individual commands cannot be ACL'd, but ACL'ing all custom (with @Custom) or as part of Garnet extensions (with @garnet) works as does ACL'ing all custom non-object (with customcmd), object (with customobjcmd), and transaction (with customtxn) separately
  Fixup a number of test failures and nits.
* handle some lingering TODOs and nits
* implement correct ACL reporting for the new ACL implementation; as part of this, correct some places where commands weren't tagged @fast or @slow (everything should be tagged one or the other)
* fixup remaining tests
* Change ACL description implementation to greedily remove tokens that have no impact. This implementation isn't amazing, but ACL changing is hopefully rare and privileged enough that it is acceptable.
* lots of little cleanup nits
* cleanup formatting
* fix formatting nits in tests
* Address feedback; many style nits, restoring or correcting various error messages, and cleaning up subcommand parsing
* address feedback; use compact switch, fix some nits
* address feedback; remove dead test, correct more error messages
* some exploratory performance changes
  worth about 6K PINGs / s: removes IGarnetAuthenticator check from ACL hot path simplify checking ACLs by pre-de-normalizing commands
  worth about 2K PINGs / s: force inlining on hot user perms path
  worth about 1K PINGs / s: hide more (unlikely) failed ACL logic behind a method call, pre-calculate NoAuth checks to remove a branch, move Span creation into places where it's actually needed, remove a pointer chase for ACL +@ALL special casing, removing -@ALL special casing as it's in the slow path
* exploratory performance changes
  cache CanAuthenticate to elide a virtual call, looks like it's worth a little bit (maybe .2 - .5 us) in the no-auth case
  add ACL case to RespParseStress
* address feedback
* exploratory commit; remove some authenticator checks that badrishc (and testing) showed were redundant, removes the caching of CanAuthenticate, cleanup some of the other changes from prior commits
* formatting fixes
* address feedback; add a test for user auth invalidation, fix bugs with user auth invalidation, remove some optimizations that are now not actually useful after the bugfixes
* fix formatting