Add DevUI permissions editor #37303
Add DevUI permissions editor #37303
Conversation
|
@gbourant Interesting idea, and perhaps a start for adding more security related Dev UI support. If it were to be added, I'd suggest renaming This specific feature also has to be very thoroughy tested in a real CORS setup to avoid unexpected modifications with 3rd party redirects |
|
As for review, I read it for couple of minutes and:
I'll respect if @sberyozkin think this is a way to go and I'll review it, but personally I am convinced you are heading in a wrong direction. I think this should be part of the
Maybe other extensions could profit from your PR as well. That said, @phillip-kruger can tell if my suggestion is even possible. I was wondering if by enhancing
|
| @ApplicationScoped | ||
| public class AuthJsonRPCService { | ||
| private static final Logger LOG = Logger.getLogger(AuthJsonRPCService.class.getName()); | ||
| private final List<String> METHODS = List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD", "CONNECT", |
There was a problem hiding this comment.
This is not full list of io.vertx.core.http.HttpMethods.
There was a problem hiding this comment.
I wonder if we could make it enum in auth config so that config form editor provides values, but it would be really long list...
| private final List<String> METHODS = List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD", "CONNECT", | ||
| "TRACE"); // do not change order | ||
| private final List<String> AUTH_MECHANISM = List.of(QUARKUS_NULL_VALUE, "basic", "bearer", "form"); // do not change order | ||
| private final List<String> POLICIES = List.of("permit", "deny", "authenticated"); // do not change order |
There was a problem hiding this comment.
Note // do not change order without explanation is not as useful as if you added bit more. btw fact that it is order sensitive seems strange.
There was a problem hiding this comment.
I concur; I'll enhance the comment for clarity. It's worth noting that the sequence is non-critical and remains functional in any order. The arrangement mirrors the frontend presentation, specifically within the context of Vaadin components such as vaadin-list-box and vaadin-select.
| private static final Logger LOG = Logger.getLogger(AuthJsonRPCService.class.getName()); | ||
| private final List<String> METHODS = List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD", "CONNECT", | ||
| "TRACE"); // do not change order | ||
| private final List<String> AUTH_MECHANISM = List.of(QUARKUS_NULL_VALUE, "basic", "bearer", "form"); // do not change order |
There was a problem hiding this comment.
there is much more of auth mechanisms and having hardcoded string list of 4 is too little, I wonder if it would be possible to collect these names from io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism#getCredentialTransport => io.quarkus.vertx.http.runtime.security.HttpCredentialTransport#getAuthenticationScheme that of all Instance<HttpAuthenticationMechanism> httpAuthenticationMechanism
|
@michalvavrik It can work in the configuration properties sure - but my only reservation will be a config centric view. IMHO having a security centric view is interesting, but I don't know right now what else can be added there. I guess if can imagine a few more security related views than |
But I can't see these security related views. Sure, I didn't do proper review yet. But it seems to me like this is config editor customized for security, in which case I'd prefer option for other extensions (I've mentioned creating of datasources) that will allow to auto-suggest values. If there are security views that should be implemented, then it is something that needs to be discussed and defined in Quarkus issue so that @gbourant put a lot of his valuable time in effectively. |
|
Anyway, let's hear from @phillip-kruger what is really possible, I'll read it comment again in 2 weeks. Thanks |
There was a problem hiding this comment.
I probably also lean towards just improving the config screen, but I can also see that making security setting easy does make sense from a user point of view, even if it's just changing config. I would suggest if we do want this separate from config that this work moves to the appropriate security extension and probably not copy from config, but design the screen from a security p.o.w and then we can see how the backend can update the config.
| @@ -0,0 +1,274 @@ | |||
| package io.quarkus.devui.deployment.menu; | |||
There was a problem hiding this comment.
This should probably live in the security extension and not in vertx. Config lives in vertx as it's core to quarkus (there is not extension, everybody has it) but not everyone will add security.
There was a problem hiding this comment.
This must live in vertx-http extension because that's where HTTP permissions are.
There was a problem hiding this comment.
However it can be in different package if you deem it more suitable.
There was a problem hiding this comment.
ok, then it's fine. So are you saying that without adding any security extensions, I can secure a HTTP Endpoint ?
There was a problem hiding this comment.
ok, then it's fine. So are you saying that without adding any security extensions, I can secure a HTTP Endpoint ?
no, I don't say that :-D I realize this is not straight forward, but there are some parts of Vert.x HTTP extension only added (registered as CDI beans etc.) when Security extension is present. However HTTP Security policy configuration belongs to Vert.x HTTP extension because it is HTTP specific and there is config root.
There was a problem hiding this comment.
We don't want the menu item there if there will be no effect if you configure it, that is why I thought it should live in security somewhere.
There was a problem hiding this comment.
Understood. I don't have answer now, let's wait for @gbourant to answer. I think it is still a lot of code that could be avoided if form config editor was enhanced instead. There are things we can make to autosuggest configuration there better:
- HTTP method can be enum, though there is downside of really extensive list
- permission policy is half-closed world, most of the time they will be either builtin policies (deny, authenticated, permit) or role-based policy that can be suggested based on existing configuration properties (
quarkus.http.auth.policy."my-name".*tells you you can suggestmy-name).
| */ | ||
| public class AuthProcessor { | ||
|
|
||
| private static final String NAME_SPACE = "devui-auth"; |
There was a problem hiding this comment.
Namespace would not be needed if this moves to an extension
| @BuildStep(onlyIf = IsDevelopment.class) | ||
| InternalPageBuildItem createAuthPages() { | ||
|
|
||
| InternalPageBuildItem configurationPages = new InternalPageBuildItem("Auth", 21); |
There was a problem hiding this comment.
You will not be using InternalPageBuildItem when this moves to the extension
|
@gbourant sorry not to hear back from you, you did a lot of work here, I just think these kind of PRs are better to discuss in GH issue, so that there is some compromise between our views.
Couldn't this be avoided if you relied on existing functionality that is already implemented by config form editor? I hope you could avoid methods like |
| AuthProcessor.configDescriptionBuildItems = configDescriptionBuildItems; | ||
| AuthProcessor.devServicesLauncherConfig = devServicesLauncherConfig; | ||
| AuthProcessor.recorder = recorder; | ||
| AuthProcessor.current = (SmallRyeConfig) ConfigProvider.getConfig(); |
There was a problem hiding this comment.
Maybe this hack could work as we are talking DEV mode, but if it works it's IMO bug.
You can only work with runtime configuration when io.quarkus.deployment.builditem.RuntimeConfigSetupCompleteBuildItem is produced and you should do this inside recorder because not all config sources will be available during build time. I remember there is missing feature in SR Config that classic config sources in META-INF are also loaded at build time, but Quarkus also provides runtime-only config sources defined by io.quarkus.deployment.builditem.RunTimeConfigBuilderBuildItem.
There was a problem hiding this comment.
Correction, I have seen using ConfigProvider.getConfig() since then many times and used it as well in the deployment module. I think there are occasional related issues (Yoann mentioned some), let's keep it. Please add the @Consume(RuntimeConfigSetupCompleteBuildItem.class) that I have mentioned. Thanks
| PERMISSION_PATHS(AuthConfigType.PERMISSION, "paths"), | ||
| PERMISSION_AUTH_MECHANISM(AuthConfigType.PERMISSION, "auth-mechanism"), | ||
| POLICY_ROLES_ALLOWED(AuthConfigType.POLICY, "roles-allowed"), | ||
| POLICY_PERMISSIONS(AuthConfigType.POLICY, "permissions"), |
There was a problem hiding this comment.
There is new property roles on the role-based permissions that is missing here.
This sort of consistency is one of reasons why I hoped only config form editor was enhanced instead of new AuthProcessor. We don't have tests for UI as it's difficult and they are generally slower (we Quarkus QE have some and it's generally slow to download and start playwright comparing to QuarkusTest without container) and there is no way to ensure someone will not forget to update AuthFieldType.
|
I've thoroughly reviewed the entire discussion, but I haven't had the opportunity to respond yet due to work commitments. As of my understanding there are two valid but diverge opinions. The first one is that we should update the configuration editor and the second one is to create a dedicated view (this PR). By updating the current configuration editor, we mitigate the maintenance effort, though complete elimination is not achieved. Additionally, adopting the updating the configuration editor might not evoke the same level of "Developer Joy" as the second option. So which option are we adopting? |
that is absolutely precise summary, since I already provided my view on this, I'll let @sberyozkin to have his say |
|
This looks interesting and it's a bit of a shame we let it rot. My personal opinion is that permissions are a complex enough beast that having a dedicated UI could make sense. @phillip-kruger it would be great if you could give some clear guidelines to the OP if he's willing to pursue this. |
|
I'm still interested in this pull request, if this is something that we want i will start working on this pull request, otherwise i will build it outside of the Quarkus repo. |
| AuthProcessor.configDescriptionBuildItems = configDescriptionBuildItems; | ||
| AuthProcessor.devServicesLauncherConfig = devServicesLauncherConfig; | ||
| AuthProcessor.recorder = recorder; | ||
| AuthProcessor.current = (SmallRyeConfig) ConfigProvider.getConfig(); |
There was a problem hiding this comment.
you don't know whether config is ready, you need something like @Consume(RuntimeConfigSetupCompleteBuildItem.class).
OP ? |
| DevConsoleManager.register("update-permission-set", map -> { | ||
| updateConfig(map); | ||
| register(AuthProcessor.configDescriptionBuildItems, AuthProcessor.devServicesLauncherConfig, | ||
| AuthProcessor.recorder); |
There was a problem hiding this comment.
you have recorder as a build step parameter and but you pass down the one stored on processor; these build steps can run in parallel. there can be race, please don't store the recorder on the processor
I don't have anything to add to my previous comments. I'd wait till users tell us setting these properties in config editor is hard for them, we have to maintain this (and possibly fix if ever problem occur), because now that I re-read your PR it's not trivial. However IIUC @gsmet and @sberyozkin (and possibly @gastaldi based on his thumb up) likes this feature, for that reason we should proceed. Regarding current state of your PR:
Most importantly @gbourant whatever I say are just my personal opinions, do not get discouraged by me, they are probably not shared by others. Also, if you want to improve security DEV UI, please talk to @sberyozkin , I am sure he can suggest other issues as well. Thank you |
I am not aware we did, we comment on specific things in code and our comments were not addressed. Also I spend decent time putting answering any questions and reasons why we should/should not do this. So we were active.
That could be true if this PR make things easier to understand, if it validated inputs, we it checked that configured properties are securing paths or whatsoever. My understanding of this PR is that it allows you to set
None of these things are addressed by this PR (and frankly cannot be), you need to read https://quarkus.io/guides/security-authorize-web-endpoints-reference (maybe someone would suggest to give AI that text and ask it :-( ). Again, I never tried to hinder this PR, I tried to help with review. |
|
Hope this is won't confuse things, but today I stumble on #43229 and linked PR (which provides a lot of information in comments) and I think it shows sort of issue we could run into if this PR will manually edit application properties and try to synchronize it. I am happy to be proved wrong. My point is, it can get complex or we will need to say "this supports scenarios XYZ" and limit what is supported. Which is fine as well. |
|
@sberyozkin @gbourant @michalvavrik What's the status on this? |
In short: I wrote down my arguments against this many times, see above. There is support for this from several people and I respect that. If this is going in, let's make sure it is easy to maintain. There are comments from me and Phillip that were not addressed, I could provide more if this was active PR. |
I have created a DevUI permissions editor (policy editor is coming soon too)
The Quarkus internals gave me a headache so i decided to push this so i can get some feedback.
At the moment everything is working great but when i save/update/delete/add a permission the backend still sees the old config so the front end is not updated correctly.
How i can make
AuthProcessor.javaat line 94current.getConfigSources()see the new config file when it's edited?