Df 269 add df classification validation #34

Merged
merged 23 commits into from
Aug 19, 2024

Cap-n-Cook

Overview

Added df-classification support. Changes needed to be made in a few unexpected places, namely the OpaClient and the Argument class, in order to support the classification structure used by df-classification.

More likely than not, more work needs to be done to fully support df-classification classifications, but this will be handled in a separate PR.

I removed any methods that IntelliJ highlighted as "safe delete" (meaning they weren't being used) for the sake of readability. I also removed commented-out code blocks for the same reason.

Another major change is that the classification validation no longer checks if a classification is supported by the deployment. This is handled by df-classification, which uses the cluster classification level defined in .Values.global.classification to determine if a classification is valid for the system.

Related Issues

Part of DATAFABRIC-269

Test Procedure

  1. Bring up a cluster with the df-269-add-df-classification-to-arcadedb branch in data fabric
  2. Clone the df-269-add-security-marking-validation branch of df-classification & run make kind
  3. Clone the df-269-add-security-marking-validation branch of df-arcadedb & run make kind
  4. Change the images of the df-arcadedb pod to use the dev tag for the arcadedb and classification containers
  5. Log in to keycloak and remove the user from the data stewards group
  6. In the arcade UI, run this query (this should fail):

    INSERT INTO People CONTENT
    {
      firstName: 'Enzo2',
      lastName: 'Ferrari',
      classification: {
        components: {
          classification: ['SECRET'],
          disseminationControls: ['REL'],
          releasableTo: ['USA', 'FVEY'],
          ownerProducer: ['USA']
        },
        attributes: {
          firstName: 'U',
          lastName: 'U'
        }
      }
    }

  7. For the above query to save, you have to change the user's clearance_usa attribute to S AND you'll have to update the CLASSIFICATION_LEVEL on the df-classification pod to SECRET. To do this, navigate to the raft-arcadedb deployment.yaml and replace the .Values.global.classification with SECRET. Once this is done, redeploy the pod using
    dfdev cluster deploy -x raft-arcadedb.
  8. Re-run the above query and confirm that the document is accepted.
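
The test procedure above requires both the user's clearance and the cluster's classification level to cover the document's marking before the insert is accepted. The following is an added sketch of that two-gate check, not code from this PR or from df-classification; the level ordering, the short-code mapping, the rejection reasons and the name `validate_insert` are all assumptions made for illustration.

```python
# Added illustration: a model of the two gates the test procedure exercises.
# Level names, their ordering and every function name here are assumptions,
# not df-classification's actual code.
from dataclasses import dataclass

# Assumed ordering of classification levels, lowest to highest.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
# Assumed mapping from short codes (e.g. clearance_usa = "S") to level names.
SHORT = {"U": "UNCLASSIFIED", "C": "CONFIDENTIAL", "S": "SECRET", "TS": "TOP SECRET"}


def rank(level: str) -> int:
    """Position of a level in LEVELS; unknown markings raise ValueError."""
    return LEVELS.index(SHORT.get(level, level))


@dataclass
class Decision:
    allowed: bool
    reason: str


def validate_insert(doc: dict, user_clearance: str, cluster_level: str) -> Decision:
    """Accept only if cluster level AND user clearance both cover the document."""
    comps = doc.get("classification", {}).get("components", {})
    marks = comps.get("classification") or []
    if not marks:
        return Decision(False, "document carries no classification")
    try:
        doc_rank = max(rank(m) for m in marks)
        if doc_rank > rank(cluster_level):
            return Decision(False, "classification exceeds cluster level")
        if doc_rank > rank(user_clearance):
            return Decision(False, "classification exceeds user clearance")
    except ValueError:
        # Fail closed on any marking that is not recognised.
        return Decision(False, "unrecognised marking")
    return Decision(True, "ok")


# Constructed sample mirroring the People document in the test query.
DOC = {
    "firstName": "Enzo2",
    "lastName": "Ferrari",
    "classification": {
        "components": {"classification": ["SECRET"], "ownerProducer": ["USA"]},
        "attributes": {"firstName": "U", "lastName": "U"},
    },
}
```
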

@Cap-n-Cook Cap-n-Cook marked this pull request as draft August 1, 2024 12:47
@Cap-n-Cook
Author

Converted this to a draft so I can resolve conflicts. Dev has new keycloak attributes changes.

@Cap-n-Cook Cap-n-Cook marked this pull request as ready for review August 1, 2024 16:09
@patstevens4 patstevens4 merged commit f6fadec into dev Aug 19, 2024
1 check passed
@patstevens4 patstevens4 deleted the df-269-add-df-classification-validation branch August 19, 2024 14:42