diff --git a/auth/pom.xml b/auth/pom.xml
new file mode 100644
index 0000000000..4804075f8c
--- /dev/null
+++ b/auth/pom.xml
@@ -0,0 +1,51 @@
+
+ 4.0.0
+
+ dev.feast
+ feast-parent
+ ${revision}
+
+ feast-auth
+
+ Feast Authentication and Authorization
+
+
+
+ dev.feast
+ feast-common
+ ${project.version}
+
+
+ net.devh
+ grpc-server-spring-boot-starter
+ 2.4.0.RELEASE
+
+
+ org.springframework.security
+ spring-security-oauth2-resource-server
+ 5.3.0.RELEASE
+
+
+ org.springframework.security
+ spring-security-oauth2-jose
+ 5.3.0.RELEASE
+
+
+ sh.ory.keto
+ keto-client
+ 0.4.4-alpha.1
+
+
+ org.projectlombok
+ lombok
+
+
+ org.hibernate.validator
+ hibernate-validator
+ 6.1.2.Final
+
+
+
+
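Review bot: The authorization client is pinned to a pre-release build (`keto-client` `0.4.4-alpha.1`), and both Spring Security artifacts are pinned to `5.3.0.RELEASE` directly in this new module, while core/pom.xml in the same commit keeps its own `5.3.0.RELEASE` pins for `spring-security-web` and `spring-security-oauth2-jose`. With the version repeated per module, a security upgrade applied in one pom can leave the other module on the old release. Consider declaring these versions once in the parent's `dependencyManagement` so feast-auth and feast-core always resolve the same Spring Security version. A short comment above the keto-client entry should record why an alpha release is required.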
diff --git a/core/src/main/java/feast/core/auth/authentication/DefaultJwtAuthenticationProvider.java b/auth/src/main/java/feast/auth/authentication/DefaultJwtAuthenticationProvider.java
similarity index 98%
rename from core/src/main/java/feast/core/auth/authentication/DefaultJwtAuthenticationProvider.java
rename to auth/src/main/java/feast/auth/authentication/DefaultJwtAuthenticationProvider.java
index a39e673ada..b64eccdccf 100644
--- a/core/src/main/java/feast/core/auth/authentication/DefaultJwtAuthenticationProvider.java
+++ b/auth/src/main/java/feast/auth/authentication/DefaultJwtAuthenticationProvider.java
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package feast.core.auth.authentication;
+package feast.auth.authentication;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
diff --git a/core/src/main/java/feast/core/auth/authorization/AuthorizationProvider.java b/auth/src/main/java/feast/auth/authorization/AuthorizationProvider.java
similarity index 96%
rename from core/src/main/java/feast/core/auth/authorization/AuthorizationProvider.java
rename to auth/src/main/java/feast/auth/authorization/AuthorizationProvider.java
index 3d504be3ff..7d4d77b792 100644
--- a/core/src/main/java/feast/core/auth/authorization/AuthorizationProvider.java
+++ b/auth/src/main/java/feast/auth/authorization/AuthorizationProvider.java
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package feast.core.auth.authorization;
+package feast.auth.authorization;
import org.springframework.security.core.Authentication;
diff --git a/core/src/main/java/feast/core/auth/authorization/AuthorizationResult.java b/auth/src/main/java/feast/auth/authorization/AuthorizationResult.java
similarity index 98%
rename from core/src/main/java/feast/core/auth/authorization/AuthorizationResult.java
rename to auth/src/main/java/feast/auth/authorization/AuthorizationResult.java
index bbf4220b31..b365355162 100644
--- a/core/src/main/java/feast/core/auth/authorization/AuthorizationResult.java
+++ b/auth/src/main/java/feast/auth/authorization/AuthorizationResult.java
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package feast.core.auth.authorization;
+package feast.auth.authorization;
import java.util.Optional;
import javax.annotation.Nullable;
diff --git a/core/src/main/java/feast/core/auth/authorization/Keto/KetoAuthorizationProvider.java b/auth/src/main/java/feast/auth/authorization/Keto/KetoAuthorizationProvider.java
similarity index 96%
rename from core/src/main/java/feast/core/auth/authorization/Keto/KetoAuthorizationProvider.java
rename to auth/src/main/java/feast/auth/authorization/Keto/KetoAuthorizationProvider.java
index 0c0197f0f4..6350bc1848 100644
--- a/core/src/main/java/feast/core/auth/authorization/Keto/KetoAuthorizationProvider.java
+++ b/auth/src/main/java/feast/auth/authorization/Keto/KetoAuthorizationProvider.java
@@ -14,10 +14,10 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package feast.core.auth.authorization.Keto;
+package feast.auth.authorization.Keto;
-import feast.core.auth.authorization.AuthorizationProvider;
-import feast.core.auth.authorization.AuthorizationResult;
+import feast.auth.authorization.AuthorizationProvider;
+import feast.auth.authorization.AuthorizationResult;
import java.util.List;
import java.util.Map;
import org.hibernate.validator.internal.constraintvalidators.bv.EmailValidator;
diff --git a/core/src/main/java/feast/core/config/SecurityConfig.java b/auth/src/main/java/feast/auth/config/SecurityConfig.java
similarity index 75%
rename from core/src/main/java/feast/core/config/SecurityConfig.java
rename to auth/src/main/java/feast/auth/config/SecurityConfig.java
index f77e20ba10..f5f14ccaef 100644
--- a/core/src/main/java/feast/core/config/SecurityConfig.java
+++ b/auth/src/main/java/feast/auth/config/SecurityConfig.java
@@ -14,21 +14,16 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package feast.core.config;
+package feast.auth.config;
-import feast.core.auth.authentication.DefaultJwtAuthenticationProvider;
-import feast.core.auth.authorization.AuthorizationProvider;
-import feast.core.auth.authorization.Keto.KetoAuthorizationProvider;
-import feast.core.config.FeastProperties.SecurityProperties;
-import feast.proto.core.CoreServiceGrpc;
+import feast.auth.authentication.DefaultJwtAuthenticationProvider;
+import feast.auth.authorization.AuthorizationProvider;
+import feast.auth.authorization.Keto.KetoAuthorizationProvider;
import java.util.ArrayList;
import java.util.List;
import net.devh.boot.grpc.server.security.authentication.BearerAuthenticationReader;
import net.devh.boot.grpc.server.security.authentication.GrpcAuthenticationReader;
-import net.devh.boot.grpc.server.security.check.AccessPredicate;
import net.devh.boot.grpc.server.security.check.AccessPredicateVoter;
-import net.devh.boot.grpc.server.security.check.GrpcSecurityMetadataSource;
-import net.devh.boot.grpc.server.security.check.ManualGrpcSecurityMetadataSource;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@@ -45,8 +40,8 @@ public class SecurityConfig {
private final SecurityProperties securityProperties;
- public SecurityConfig(FeastProperties feastProperties) {
- this.securityProperties = feastProperties.getSecurity();
+ public SecurityConfig(SecurityProperties securityProperties) {
+ this.securityProperties = securityProperties;
}
/**
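Review bot: With the class now in `feast.auth.config`, nothing in the visible part of this diff shows how feast-core registers it. If core's component scan is rooted at `feast.core`, a `@Configuration` class under `feast.auth` is not picked up unless it is imported explicitly, and the authentication beans defined here would be absent without any error. Please confirm that the application class scans `feast.auth`, or add `@Import(SecurityConfig.class)` on a core configuration class, and say in this class's Javadoc that every consuming service must do one of the two. The class body starts and ends outside this hunk.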
@@ -86,26 +81,6 @@ GrpcAuthenticationReader authenticationReader() {
return new BearerAuthenticationReader(BearerTokenAuthenticationToken::new);
}
- /**
- * Creates a SecurityMetadataSource when authentication is enabled. This allows for the
- * configuration of endpoint level security rules.
- *
- * @return GrpcSecurityMetadataSource
- */
- @Bean
- @ConditionalOnProperty(prefix = "feast.security.authentication", name = "enabled")
- GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
- final ManualGrpcSecurityMetadataSource source = new ManualGrpcSecurityMetadataSource();
-
- // Authentication is enabled for all gRPC endpoints
- source.setDefault(AccessPredicate.authenticated());
-
- // The following endpoints allow unauthenticated access
- source.set(CoreServiceGrpc.getGetFeastCoreVersionMethod(), AccessPredicate.permitAll());
-
- return source;
- }
-
/**
* Creates an AccessDecisionManager if authorization is enabled. This object determines the policy
* used to make authorization decisions.
diff --git a/auth/src/main/java/feast/auth/config/SecurityProperties.java b/auth/src/main/java/feast/auth/config/SecurityProperties.java
new file mode 100644
index 0000000000..4d875caeb5
--- /dev/null
+++ b/auth/src/main/java/feast/auth/config/SecurityProperties.java
@@ -0,0 +1,59 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright 2018-2020 The Feast Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package feast.auth.config;
+
+import feast.common.validators.OneOfStrings;
+import java.util.Map;
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+public class SecurityProperties {
+ private AuthenticationProperties authentication;
+ private AuthorizationProperties authorization;
+
+ @Getter
+ @Setter
+ public static class AuthenticationProperties {
+
+ // Enable authentication
+ private boolean enabled;
+
+ // Named authentication provider to use
+ @OneOfStrings({"jwt"})
+ private String provider;
+
+ // K/V options to initialize the provider with
+ private Map options;
+ }
+
+ @Getter
+ @Setter
+ public static class AuthorizationProperties {
+
+ // Enable authorization. Authentication must be enabled if authorization is enabled.
+ private boolean enabled;
+
+ // Named authorization provider to use.
+ @OneOfStrings({"none", "keto"})
+ private String provider;
+
+ // K/V options to initialize the provider with
+ private Map options;
+ }
+}
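Review bot: The rule in the comment on `AuthorizationProperties.enabled` (authentication must be enabled whenever authorization is) is not enforced in this class, and the `@OneOfStrings` constraints on both `provider` fields only take effect if a validator is actually run over this object. Before the move the type was nested in `FeastProperties`, which has a `validate()` method; whether that validation still cascades into the relocated type is not visible here. Since this is now the shared configuration contract of the auth module, add a class-level Javadoc naming who validates it, for example `/** Bound from feast.security; the owning properties class must validate this object and reject authorization.enabled=true with authentication.enabled=false. */`.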
diff --git a/common/pom.xml b/common/pom.xml
index 58c51dde6b..db681090fe 100644
--- a/common/pom.xml
+++ b/common/pom.xml
@@ -55,6 +55,11 @@
org.projectlombok
lombok
+
+ javax.validation
+ validation-api
+ 2.0.0.Final
+
junit
junit
diff --git a/core/src/main/java/feast/core/validators/OneOfStringValidator.java b/common/src/main/java/feast/common/validators/OneOfStringValidator.java
similarity index 98%
rename from core/src/main/java/feast/core/validators/OneOfStringValidator.java
rename to common/src/main/java/feast/common/validators/OneOfStringValidator.java
index 6b84e44b01..42428bd8c0 100644
--- a/core/src/main/java/feast/core/validators/OneOfStringValidator.java
+++ b/common/src/main/java/feast/common/validators/OneOfStringValidator.java
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package feast.core.validators;
+package feast.common.validators;
import java.util.Arrays;
import javax.validation.ConstraintValidator;
diff --git a/core/src/main/java/feast/core/validators/OneOfStrings.java b/common/src/main/java/feast/common/validators/OneOfStrings.java
similarity index 98%
rename from core/src/main/java/feast/core/validators/OneOfStrings.java
rename to common/src/main/java/feast/common/validators/OneOfStrings.java
index dba290438c..b0acfae09d 100644
--- a/core/src/main/java/feast/core/validators/OneOfStrings.java
+++ b/common/src/main/java/feast/common/validators/OneOfStrings.java
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package feast.core.validators;
+package feast.common.validators;
import java.lang.annotation.*;
import javax.validation.Constraint;
diff --git a/core/pom.xml b/core/pom.xml
index 737a5c1d68..4a0d3791c9 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -81,6 +81,11 @@
feast-common
${project.version}
+
+ dev.feast
+ feast-auth
+ ${project.version}
+
@@ -134,16 +139,11 @@
spring-security-web
5.3.0.RELEASE
-
- org.springframework.security
- spring-security-oauth2-resource-server
- 5.3.0.RELEASE
-
org.springframework.security
spring-security-oauth2-jose
5.3.0.RELEASE
-
+
net.devh
grpc-server-spring-boot-starter
@@ -266,11 +266,6 @@
3.10.0
-
- sh.ory.keto
- keto-client
- 0.4.4-alpha.1
-
com.jayway.jsonpath
@@ -300,16 +295,6 @@
flyway-core
${flyway.version}
-
- javax.validation
- validation-api
- 2.0.0.Final
-
-
- org.hibernate.validator
- hibernate-validator
- 6.1.2.Final
-
org.hibernate.validator
hibernate-validator-annotation-processor
diff --git a/core/src/main/java/feast/core/config/CoreSecurityConfig.java b/core/src/main/java/feast/core/config/CoreSecurityConfig.java
new file mode 100644
index 0000000000..a8fe68eeb7
--- /dev/null
+++ b/core/src/main/java/feast/core/config/CoreSecurityConfig.java
@@ -0,0 +1,51 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright 2018-2020 The Feast Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package feast.core.config;
+
+import feast.proto.core.CoreServiceGrpc;
+import lombok.extern.slf4j.Slf4j;
+import net.devh.boot.grpc.server.security.check.AccessPredicate;
+import net.devh.boot.grpc.server.security.check.GrpcSecurityMetadataSource;
+import net.devh.boot.grpc.server.security.check.ManualGrpcSecurityMetadataSource;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@Slf4j
+public class CoreSecurityConfig {
+
+ /**
+ * Creates a SecurityMetadataSource when authentication is enabled. This allows for the
+ * configuration of endpoint level security rules.
+ *
+ * @return GrpcSecurityMetadataSource
+ */
+ @Bean
+ @ConditionalOnProperty(prefix = "feast.security.authentication", name = "enabled")
+ GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
+ final ManualGrpcSecurityMetadataSource source = new ManualGrpcSecurityMetadataSource();
+
+ // Authentication is enabled for all gRPC endpoints
+ source.setDefault(AccessPredicate.authenticated());
+
+ // The following endpoints allow unauthenticated access
+ source.set(CoreServiceGrpc.getGetFeastCoreVersionMethod(), AccessPredicate.permitAll());
+
+ return source;
+ }
+}
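Review bot: The default `AccessPredicate.authenticated()` rule now exists only in feast-core, so the shared `SecurityConfig` in feast-auth no longer carries any endpoint-level policy with it. Any other service that adopts feast-auth has to declare its own `GrpcSecurityMetadataSource`; as far as I know the grpc-spring-boot-starter only installs its authorization-checking interceptor when such a bean is present, so omitting it would leave every method unchecked (please verify against the starter version in use). I would add a class-level Javadoc here along the lines of `/** Endpoint access rules for Feast Core; each service using feast-auth must define its own GrpcSecurityMetadataSource with an authenticated-by-default rule. */` and mirror that requirement in `SecurityConfig`. `@Slf4j` is unused in this class and can be dropped.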
diff --git a/core/src/main/java/feast/core/config/FeastProperties.java b/core/src/main/java/feast/core/config/FeastProperties.java
index 590d47857b..799000631d 100644
--- a/core/src/main/java/feast/core/config/FeastProperties.java
+++ b/core/src/main/java/feast/core/config/FeastProperties.java
@@ -16,8 +16,9 @@
*/
package feast.core.config;
+import feast.auth.config.SecurityProperties;
+import feast.common.validators.OneOfStrings;
import feast.core.config.FeastProperties.StreamProperties.FeatureStreamOptions;
-import feast.core.validators.OneOfStrings;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
@@ -39,11 +40,12 @@
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.info.BuildProperties;
-import org.springframework.stereotype.Component;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
@Getter
@Setter
-@Component
+@Configuration
@ConfigurationProperties(prefix = "feast", ignoreInvalidFields = true)
public class FeastProperties {
@@ -72,6 +74,11 @@ public FeastProperties() {}
private SecurityProperties security;
+ @Bean
+ SecurityProperties securityProperties() {
+ return this.getSecurity();
+ }
+
/** Feast job properties. These properties are used for ingestion jobs. */
@Getter
@Setter
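Review bot: `securityProperties()` returns `getSecurity()` as is, and the `security` field shown just above it has no initializer, so the bean method returns null whenever no `feast.security` block is bound. Spring then has no usable `SecurityProperties` to inject into `SecurityConfig`'s constructor, which ends either in a startup failure with an unrelated-looking message or in a null dereference later, depending on how the injection point is declared. Fail fast with a clear message, e.g. `return Objects.requireNonNull(getSecurity(), "feast.security must be configured");` (needs `java.util.Objects` if it is not already imported), or initialise the field with `new SecurityProperties()`. Because the class keeps `ignoreInvalidFields = true`, a security value of the wrong type is dropped silently instead of rejected, so an `enabled` flag can stay false without any error; that deserves a comment next to this bean. The class body extends beyond this hunk.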
@@ -272,42 +279,4 @@ public void validate() {
}
}
}
-
- @Getter
- @Setter
- public static class SecurityProperties {
-
- private AuthenticationProperties authentication;
- private AuthorizationProperties authorization;
-
- @Getter
- @Setter
- public static class AuthenticationProperties {
-
- // Enable authentication
- private boolean enabled;
-
- // Named authentication provider to use
- @OneOfStrings({"jwt"})
- private String provider;
-
- // K/V options to initialize the provider with
- private Map options;
- }
-
- @Getter
- @Setter
- public static class AuthorizationProperties {
-
- // Enable authorization. Authentication must be enabled if authorization is enabled.
- private boolean enabled;
-
- // Named authorization provider to use.
- @OneOfStrings({"none", "keto"})
- private String provider;
-
- // K/V options to initialize the provider with
- private Map options;
- }
- }
}
diff --git a/core/src/main/java/feast/core/service/AccessManagementService.java b/core/src/main/java/feast/core/service/AccessManagementService.java
index f0ab571464..dea284c230 100644
--- a/core/src/main/java/feast/core/service/AccessManagementService.java
+++ b/core/src/main/java/feast/core/service/AccessManagementService.java
@@ -16,10 +16,10 @@
*/
package feast.core.service;
-import feast.core.auth.authorization.AuthorizationProvider;
-import feast.core.auth.authorization.AuthorizationResult;
+import feast.auth.authorization.AuthorizationProvider;
+import feast.auth.authorization.AuthorizationResult;
+import feast.auth.config.SecurityProperties;
import feast.core.config.FeastProperties;
-import feast.core.config.FeastProperties.SecurityProperties;
import feast.core.dao.ProjectRepository;
import feast.core.model.Project;
import java.util.List;
@@ -38,6 +38,7 @@
public class AccessManagementService {
private SecurityProperties securityProperties;
+
private AuthorizationProvider authorizationProvider;
private ProjectRepository projectRepository;
diff --git a/core/src/test/java/feast/core/auth/AuthConfigTest.java b/core/src/test/java/feast/core/auth/AuthConfigTest.java
index c54493489a..dd5a1e3a76 100644
--- a/core/src/test/java/feast/core/auth/AuthConfigTest.java
+++ b/core/src/test/java/feast/core/auth/AuthConfigTest.java
@@ -18,7 +18,7 @@
import static org.junit.Assert.assertNotNull;
-import feast.core.config.SecurityConfig;
+import feast.auth.config.SecurityConfig;
import javax.inject.Inject;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
diff --git a/core/src/test/java/feast/core/grpc/CoreServiceAuthTest.java b/core/src/test/java/feast/core/grpc/CoreServiceAuthTest.java
index 471b2c78d4..e7619b1d6a 100644
--- a/core/src/test/java/feast/core/grpc/CoreServiceAuthTest.java
+++ b/core/src/test/java/feast/core/grpc/CoreServiceAuthTest.java
@@ -24,10 +24,10 @@
import static org.mockito.Mockito.when;
import com.google.protobuf.InvalidProtocolBufferException;
-import feast.core.auth.authorization.AuthorizationProvider;
-import feast.core.auth.authorization.AuthorizationResult;
+import feast.auth.authorization.AuthorizationProvider;
+import feast.auth.authorization.AuthorizationResult;
+import feast.auth.config.SecurityProperties;
import feast.core.config.FeastProperties;
-import feast.core.config.FeastProperties.SecurityProperties;
import feast.core.dao.ProjectRepository;
import feast.core.model.Entity;
import feast.core.model.Feature;
@@ -73,10 +73,10 @@ class CoreServiceAuthTest {
CoreServiceAuthTest() {
MockitoAnnotations.initMocks(this);
- FeastProperties.SecurityProperties.AuthorizationProperties authProp =
- new FeastProperties.SecurityProperties.AuthorizationProperties();
+ SecurityProperties.AuthorizationProperties authProp =
+ new SecurityProperties.AuthorizationProperties();
authProp.setEnabled(true);
- FeastProperties.SecurityProperties sp = new SecurityProperties();
+ SecurityProperties sp = new SecurityProperties();
sp.setAuthorization(authProp);
FeastProperties feastProperties = new FeastProperties();
feastProperties.setSecurity(sp);
diff --git a/core/src/test/java/feast/core/service/AccessManagementServiceTest.java b/core/src/test/java/feast/core/service/AccessManagementServiceTest.java
index 6e7affa412..fa69a7e7a8 100644
--- a/core/src/test/java/feast/core/service/AccessManagementServiceTest.java
+++ b/core/src/test/java/feast/core/service/AccessManagementServiceTest.java
@@ -23,9 +23,9 @@
import static org.mockito.Mockito.when;
import static org.mockito.MockitoAnnotations.initMocks;
-import feast.core.auth.authorization.AuthorizationProvider;
+import feast.auth.authorization.AuthorizationProvider;
+import feast.auth.config.SecurityProperties;
import feast.core.config.FeastProperties;
-import feast.core.config.FeastProperties.SecurityProperties;
import feast.core.dao.ProjectRepository;
import feast.core.model.Project;
import java.util.Arrays;
@@ -50,10 +50,10 @@ public class AccessManagementServiceTest {
public void setUp() {
initMocks(this);
projectRepository = mock(ProjectRepository.class);
- FeastProperties.SecurityProperties.AuthorizationProperties authProp =
- new FeastProperties.SecurityProperties.AuthorizationProperties();
+ SecurityProperties.AuthorizationProperties authProp =
+ new SecurityProperties.AuthorizationProperties();
authProp.setEnabled(false);
- FeastProperties.SecurityProperties sp = new SecurityProperties();
+ SecurityProperties sp = new SecurityProperties();
sp.setAuthorization(authProp);
FeastProperties feastProperties = new FeastProperties();
feastProperties.setSecurity(sp);
diff --git a/pom.xml b/pom.xml
index 5c7924ac33..4f1a5dc624 100644
--- a/pom.xml
+++ b/pom.xml
@@ -37,6 +37,7 @@
sdk/java
docs/coverage/java
common
+ auth