How to handle authentication and authorization with thrift?

I'm developing a system which uses thrift. I'd like clients' identity to be checked and operations to be ACLed. Does Thrift provide any support for those?

Igor Gatis asked Jan 07 '11 01:01


2 Answers

Not directly. The only way to do this is to have an authentication method which creates a (temporary) key on the server, and then change all your methods so that the first argument is this key and they all additionally raise a not-authenticated error. For instance:

exception NotAuthorisedException {
    1: string errorMessage,
}

exception AuthTimeoutException {
    1: string errorMessage,
}

service MyAuthService {
    string authenticate( 1:string user, 2:string pass )
        throws ( 1:NotAuthorisedException e ),

    string mymethod( 1:string authstring, 2:string otherargs, ... )
        throws ( 1:AuthTimeoutException e, ... ),
}

We use this method and save our keys to a secured memcached instance with a 30min timeout for keys to keep everything "snappy". Clients who receive an AuthTimeoutException are expected to reauthorise and retry and we have some firewall rules to stop brute-force attacks.

Phillip B Oldham answered Oct 24 '22 06:10
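A server-side handler for the key-issuing scheme described in this answer, as an added Python example that is not part of the answer: it assumes hand-written stand-ins for the IDL's two exceptions (a real build would import the classes that `thrift --gen py` produces) and an in-memory dict with an injectable clock in place of the memcached store, so the 30 minute expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

# Stand-ins for the exceptions the IDL above would generate (assumption: a real
# build imports them from the module produced by `thrift --gen py`).
class NotAuthorisedException(Exception): pass
class AuthTimeoutException(Exception): pass

KEY_TTL_SECONDS = 30 * 60      # the answer's 30 minute key lifetime
PBKDF2_ROUNDS = 100_000

def make_user_record(password):
    # Salted PBKDF2 record for the user table (constructed for this example).
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def requires_auth(method):
    # Validate the key that is the first argument of every ACLed service method.
    def wrapper(self, authstring, *args, **kwargs):
        self.check_key(authstring)
        return method(self, authstring, *args, **kwargs)
    return wrapper

class MyAuthServiceHandler:
    def __init__(self, users, now=time.time):
        self._users = users        # {user: (salt, pbkdf2_hash)}
        self._now = now            # injectable clock so expiry can be tested
        self._keys = {}            # authstring -> expiry; stands in for memcached

    def authenticate(self, user, password):
        salt, expected = self._users.get(user, (b"", b""))
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # Hash even for unknown users so response time does not reveal which exist.
        if user not in self._users or not hmac.compare_digest(digest, expected):
            raise NotAuthorisedException("bad user or password")
        key = secrets.token_urlsafe(32)    # unguessable key, never derived from the user
        self._keys[key] = self._now() + KEY_TTL_SECONDS
        return key

    def check_key(self, authstring):
        expiry = self._keys.get(authstring)
        if expiry is None or expiry <= self._now():
            self._keys.pop(authstring, None)   # drop expired keys from the store
            raise AuthTimeoutException("reauthenticate and retry")

    @requires_auth
    def mymethod(self, authstring, otherargs):
        return otherargs.upper()
```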


Tasks like authorisation and permissions are not considered part of Thrift, mostly because these things are (usually) more related to the application logic than to a general RPC/serialization concept. The only thing that Thrift supports out of the box right now is the TSASLTransport. I can't say much about that one myself, simply because I never felt the need to use it.

The other option could be to make use of THeaderTransport which unfortunately at the time of writing is only implemented with C++. Hence, if you plan to use it with some other language you may have to invest some additional work. Needless to say, we accept contributions ...

JensG answered Oct 24 '22 05:10