Support rbac control for the data access · tikv/tikv#8621

(1 评论) (5 反应) (0 负责人)Rust (15,922 star) (2,189 fork)batch import

component/securityhelp wantedsig/scheduling

描述

Feature Request

Is your feature request related to a problem? Please describe:

Currently, the user who have the pd address will have the ability to do every action in pd and tikv (read/write/delete). However, in real world users might need to have the different rights to access the data. (like mysql rbac control)

Describe the feature you'd like:

Adding rbac control for the TiKV and PD so that each request for access data to TiKV and PD will be checked by authorization and authentication.

The whole task would be split into following steps:

design authorization and authentication for PD to control the whole rbac process.
support authorization and authentication in PD for the PD API by rbac control
support rbac ability for pdclient in TiKV
support authorization and authentication in TiKV (metadata would be saved in PD)
support rbac ability for tikv-client.

Describe alternatives you've considered:

Teachability, Documentation, Adoption, Migration Strategy:

The detailed design document would be released recently by @Yisaer

贡献者指南

技术栈: rust
领域: backendsecurityauthenticationauthorization
议题类型: feature
难度: 5
预计时间: over 1 week
活动状态: stale
清晰度: needs investigation
前置要求: Understanding of TiKV architectureKnowledge of RBAC conceptsFamiliarity with PDRust programming
新手友好度: 15
研究方向: This feature request is large and requires a detailed design document that is promised but not yet available. First, read the existing codebase for any current authentication/authorization mechanisms, particularly in the PD server and TiKV's client handling. Check any open discussions or linked issues on RBAC. The design by @Yisaer will outline the steps; until then, it's hard to proceed. The issue is over 2 years old with no assignee, indicating it may be stalled. A newcomer would need to study the entire TiKV/PD architecture and wait for maintainer guidance.