Authentication and Authorization into feast-auth module.

auth/pom.xml

@@ -0,0 +1,51 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>dev.feast</groupId>
+        <artifactId>feast-parent</artifactId>
+        <version>${revision}</version>
+    </parent>
+    <artifactId>feast-auth</artifactId>
+
+    <name>Feast Authentication and Authorization</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>dev.feast</groupId>
+            <artifactId>feast-common</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>net.devh</groupId>
+            <artifactId>grpc-server-spring-boot-starter</artifactId>
+            <version>2.4.0.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-oauth2-resource-server</artifactId>
+            <version>5.3.0.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-oauth2-jose</artifactId>
+            <version>5.3.0.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>sh.ory.keto</groupId>
+            <artifactId>keto-client</artifactId>
+            <version>0.4.4-alpha.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.hibernate.validator</groupId>
+            <artifactId>hibernate-validator</artifactId>
+            <version>6.1.2.Final</version>
+        </dependency>
+    </dependencies>
+
+</project>

core/src/main/java/feast/core/auth/authentication/DefaultJwtAuthenticationProvider.java → auth/src/main/java/feast/auth/authentication/DefaultJwtAuthenticationProvider.java

@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package feast.core.auth.authentication;
+package feast.auth.authentication;
 
 import java.util.Map;
 import org.springframework.security.authentication.AuthenticationProvider;

core/src/main/java/feast/core/auth/authorization/AuthorizationProvider.java → auth/src/main/java/feast/auth/authorization/AuthorizationProvider.java

@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package feast.core.auth.authorization;
+package feast.auth.authorization;
 
 import org.springframework.security.core.Authentication;
 

core/src/main/java/feast/core/auth/authorization/AuthorizationResult.java → auth/src/main/java/feast/auth/authorization/AuthorizationResult.java

@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package feast.core.auth.authorization;
+package feast.auth.authorization;
 
 import java.util.Optional;
 import javax.annotation.Nullable;

core/src/main/java/feast/core/auth/authorization/Keto/KetoAuthorizationProvider.java → auth/src/main/java/feast/auth/authorization/Keto/KetoAuthorizationProvider.java

@@ -14,10 +14,10 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package feast.core.auth.authorization.Keto;
+package feast.auth.authorization.Keto;
 
-import feast.core.auth.authorization.AuthorizationProvider;
-import feast.core.auth.authorization.AuthorizationResult;
+import feast.auth.authorization.AuthorizationProvider;
+import feast.auth.authorization.AuthorizationResult;
 import java.util.List;
 import java.util.Map;
 import org.hibernate.validator.internal.constraintvalidators.bv.EmailValidator;

core/src/main/java/feast/core/config/SecurityConfig.java → auth/src/main/java/feast/auth/config/SecurityConfig.java

@@ -14,21 +14,16 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package feast.core.config;
+package feast.auth.config;
 
-import feast.core.auth.authentication.DefaultJwtAuthenticationProvider;
-import feast.core.auth.authorization.AuthorizationProvider;
-import feast.core.auth.authorization.Keto.KetoAuthorizationProvider;
-import feast.core.config.FeastProperties.SecurityProperties;
-import feast.proto.core.CoreServiceGrpc;
+import feast.auth.authentication.DefaultJwtAuthenticationProvider;
+import feast.auth.authorization.AuthorizationProvider;
+import feast.auth.authorization.Keto.KetoAuthorizationProvider;
 import java.util.ArrayList;
 import java.util.List;
 import net.devh.boot.grpc.server.security.authentication.BearerAuthenticationReader;
 import net.devh.boot.grpc.server.security.authentication.GrpcAuthenticationReader;
-import net.devh.boot.grpc.server.security.check.AccessPredicate;
 import net.devh.boot.grpc.server.security.check.AccessPredicateVoter;
-import net.devh.boot.grpc.server.security.check.GrpcSecurityMetadataSource;
-import net.devh.boot.grpc.server.security.check.ManualGrpcSecurityMetadataSource;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -45,8 +40,8 @@ public class SecurityConfig {
 
   private final SecurityProperties securityProperties;
 
-  public SecurityConfig(FeastProperties feastProperties) {
-    this.securityProperties = feastProperties.getSecurity();
+  public SecurityConfig(SecurityProperties securityProperties) {
+    this.securityProperties = securityProperties;
   }
 
   /**
@@ -86,26 +81,6 @@ GrpcAuthenticationReader authenticationReader() {
     return new BearerAuthenticationReader(BearerTokenAuthenticationToken::new);
   }
 
-  /**
-   * Creates a SecurityMetadataSource when authentication is enabled. This allows for the
-   * configuration of endpoint level security rules.
-   *
-   * @return GrpcSecurityMetadataSource
-   */
-  @Bean
-  @ConditionalOnProperty(prefix = "feast.security.authentication", name = "enabled")
-  GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
-    final ManualGrpcSecurityMetadataSource source = new ManualGrpcSecurityMetadataSource();
-
-    // Authentication is enabled for all gRPC endpoints
-    source.setDefault(AccessPredicate.authenticated());
-
-    // The following endpoints allow unauthenticated access
-    source.set(CoreServiceGrpc.getGetFeastCoreVersionMethod(), AccessPredicate.permitAll());
-
-    return source;
-  }
-
   /**
    * Creates an AccessDecisionManager if authorization is enabled. This object determines the policy
    * used to make authorization decisions.

auth/src/main/java/feast/auth/config/SecurityProperties.java

@@ -0,0 +1,59 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright 2018-2020 The Feast Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package feast.auth.config;
+
+import feast.common.validators.OneOfStrings;
+import java.util.Map;
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+public class SecurityProperties {
+  private AuthenticationProperties authentication;
+  private AuthorizationProperties authorization;
+
+  @Getter
+  @Setter
+  public static class AuthenticationProperties {
+
+    // Enable authentication
+    private boolean enabled;
+
+    // Named authentication provider to use
+    @OneOfStrings({"jwt"})
+    private String provider;
+
+    // K/V options to initialize the provider with
+    private Map<String, String> options;
+  }
+
+  @Getter
+  @Setter
+  public static class AuthorizationProperties {
+
+    // Enable authorization. Authentication must be enabled if authorization is enabled.
+    private boolean enabled;
+
+    // Named authorization provider to use.
+    @OneOfStrings({"none", "keto"})
+    private String provider;
+
+    // K/V options to initialize the provider with
+    private Map<String, String> options;
+  }
+}

common/pom.xml

@@ -55,6 +55,11 @@
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
         </dependency>
+        <dependency>
+			<groupId>javax.validation</groupId>
+			<artifactId>validation-api</artifactId>
+			<version>2.0.0.Final</version>
+		</dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>

core/src/main/java/feast/core/validators/OneOfStringValidator.java → common/src/main/java/feast/common/validators/OneOfStringValidator.java

@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package feast.core.validators;
+package feast.common.validators;
 
 import java.util.Arrays;
 import javax.validation.ConstraintValidator;

core/src/main/java/feast/core/validators/OneOfStrings.java → common/src/main/java/feast/common/validators/OneOfStrings.java

@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package feast.core.validators;
+package feast.common.validators;
 
 import java.lang.annotation.*;
 import javax.validation.Constraint;

core/pom.xml

@@ -81,6 +81,11 @@
             <artifactId>feast-common</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>dev.feast</groupId>
+            <artifactId>feast-auth</artifactId>
+            <version>${project.version}</version>
+        </dependency>
 
         <!-- Hot reloading for Spring Boot. spring-boot-maven-plugin removes
              this automatically when packaging. -->
@@ -134,16 +139,11 @@
 			<artifactId>spring-security-web</artifactId>
 			<version>5.3.0.RELEASE</version>
 		</dependency>
-		<dependency>
-			<groupId>org.springframework.security</groupId>
-			<artifactId>spring-security-oauth2-resource-server</artifactId>
-			<version>5.3.0.RELEASE</version>
-		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-oauth2-jose</artifactId>
 			<version>5.3.0.RELEASE</version>
-		</dependency>
+		</dependency> 
 		<dependency>
 			<groupId>net.devh</groupId>
 			<artifactId>grpc-server-spring-boot-starter</artifactId>
@@ -266,11 +266,6 @@
 			<version>3.10.0</version>
 		</dependency>
 
-		<dependency>
-			<groupId>sh.ory.keto</groupId>
-			<artifactId>keto-client</artifactId>
-			<version>0.4.4-alpha.1</version>
-		</dependency>
         <!--testCompile 'com.jayway.jsonpath:json-path-assert:2.2.0'-->
         <dependency>
             <groupId>com.jayway.jsonpath</groupId>
@@ -300,16 +295,6 @@
             <artifactId>flyway-core</artifactId>
             <version>${flyway.version}</version>
         </dependency>
-		<dependency>
-			<groupId>javax.validation</groupId>
-			<artifactId>validation-api</artifactId>
-			<version>2.0.0.Final</version>
-		</dependency>
-		<dependency>
-			<groupId>org.hibernate.validator</groupId>
-			<artifactId>hibernate-validator</artifactId>
-			<version>6.1.2.Final</version>
-		</dependency>
 		<dependency>
 			<groupId>org.hibernate.validator</groupId>
 			<artifactId>hibernate-validator-annotation-processor</artifactId>

core/src/main/java/feast/core/config/CoreSecurityConfig.java

@@ -0,0 +1,51 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright 2018-2020 The Feast Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package feast.core.config;
+
+import feast.proto.core.CoreServiceGrpc;
+import lombok.extern.slf4j.Slf4j;
+import net.devh.boot.grpc.server.security.check.AccessPredicate;
+import net.devh.boot.grpc.server.security.check.GrpcSecurityMetadataSource;
+import net.devh.boot.grpc.server.security.check.ManualGrpcSecurityMetadataSource;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@Slf4j
+public class CoreSecurityConfig {
+
+  /**
+   * Creates a SecurityMetadataSource when authentication is enabled. This allows for the
+   * configuration of endpoint level security rules.
+   *
+   * @return GrpcSecurityMetadataSource
+   */
+  @Bean
+  @ConditionalOnProperty(prefix = "feast.security.authentication", name = "enabled")
+  GrpcSecurityMetadataSource grpcSecurityMetadataSource() {
+    final ManualGrpcSecurityMetadataSource source = new ManualGrpcSecurityMetadataSource();
+
+    // Authentication is enabled for all gRPC endpoints
+    source.setDefault(AccessPredicate.authenticated());
+
+    // The following endpoints allow unauthenticated access
+    source.set(CoreServiceGrpc.getGetFeastCoreVersionMethod(), AccessPredicate.permitAll());
+
+    return source;
+  }
+}