Reimplement auth model to use per-namespace permissions and Quarkus Security#2535
willosborne wants to merge 29 commits into
Conversation
…nd inject user via header
… longer use scopes
Removing all this since we aren't using scopes any more. OAuth is just to provide the identity of the user.
Pull request overview
Reimplements the CalmHub auth model: replaces JWT-scope/PermittedScopes-based RBAC with a per-namespace (and per-domain) entitlements model stored in the DB, enforced via Quarkus @PermissionsAllowed and a custom CalmHubPermissionChecker. Adds a new proxy-auth profile for header-based identity propagation behind an upstream proxy, and a default open no-auth mode driven by calm.hub.no.auth.enabled. Adds domain-scoped user-access management and removes the legacy ResourceType/scope machinery.
Changes:
- Replace scope-based filter (`AccessControlFilter`, `PermittedScopes`, `UserAccessValidator.isUserAuthorized`) with `CalmHubPermissionChecker` exposing `read`/`write`/`admin`/`global_admin`/`domain_read`/`domain_write` permissions; update all REST resources and MCP tools to use `@PermissionsAllowed`/`@Authenticated`.
- Introduce three authentication paths: OIDC (`secure` profile), header-driven `ProxyAuthenticationMechanism`/`ProxyIdentityProvider` (`proxy-auth`), and an open `NoAuthAuthenticationMechanism` controlled by `calm.hub.no.auth.enabled` (the new default).
- Drop `ResourceType` from `UserAccess`, add a `domain` field and an `admin` permission, add `DomainUserAccessResource` and corresponding store APIs, update the Keycloak realm and integration tests.
Reviewed changes
Copilot reviewed 88 out of 89 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| calm-hub/src/main/java/org/finos/calm/security/CalmHubPermissionChecker.java | New permission checker driving all access decisions from UserAccessStore |
| calm-hub/src/main/java/org/finos/calm/security/CalmHubScopes.java | Replace per-resource scopes with read/write/admin/global_admin/domain_* |
| calm-hub/src/main/java/org/finos/calm/security/AccessControlFilter.java, PermittedScopes.java, UserRequestAttributes.java | Removed — replaced by Quarkus Security permission machinery |
| calm-hub/src/main/java/org/finos/calm/security/UserAccessValidator.java | Trimmed to namespace-set lookup; now also active in proxy-auth |
| calm-hub/src/main/java/org/finos/calm/security/NoAuthAuthenticationMechanism.java, ProxyAuthenticationMechanism.java, ProxyIdentityProvider.java | New authentication mechanisms for no-auth and header-based proxy modes |
| calm-hub/src/main/java/org/finos/calm/domain/UserAccess.java, UserAction.java | Drop ResourceType, add domain + admin permission, introduce UserAction enum |
| calm-hub/src/main/java/org/finos/calm/store/{UserAccessStore,mongo/MongoUserAccessStore,nitrite/NitriteUserAccessStore}.java | Add domain-scoped create/read methods; remove resourceType persistence |
| calm-hub/src/main/java/org/finos/calm/resources/*.java | Replace @PermittedScopes with @PermissionsAllowed/@Authenticated on every endpoint |
| calm-hub/src/main/java/org/finos/calm/resources/DomainUserAccessResource.java | New REST resource for domain-scoped user-access grants |
| calm-hub/src/main/java/org/finos/calm/mcp/tools/*.java | Annotate MCP tool methods with the new permission scopes |
| calm-hub/src/main/java/org/finos/calm/resources/SearchResource.java | Resolve current username from JWT or proxy header for namespace filtering |
| calm-hub/src/main/resources/application*.properties | Add calm.hub.no.auth.enabled (default true), new application-proxy-auth.properties, secure logging defaults |
| calm-hub/src/test/resources/secure-profile/realm.json | Strip per-resource scopes/roles from Keycloak realm |
| calm-hub/src/integration-test/java/integration/{ProxyAuthIntegration,IntegrationTestProxyAuthProfile,PermittedScopesIntegration,UserAccessGrantsIntegration}.java | Rewrite integration tests for DB-driven entitlements; add proxy-auth tests |
| calm-hub/src/test/java/org/finos/calm/**/*.java | Add @TestSecurity(authorizationEnabled=false) to resource tests; new tests for permission checker, proxy/no-auth mechanisms; update store/domain tests for the new shape |
| calm-hub/PERMISSIONS.md, README.md | Document the new entitlement model and profiles |
| calm-hub/mongo/init-mongo.js | Seed grants using the new schema (admin/read, no resourceType) |
| calm-hub/pom.xml | Add quarkus-test-security |
| package-lock.json | Unrelated reclassification of platform-specific deps as dev/peer |
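The review summary above describes the new decision path: every access decision is driven from grants held in `UserAccessStore`, keyed by namespace, with a global-admin level on top. The following is an added illustration of that shape written for this page, not CalmHub's `CalmHubPermissionChecker` or any code from the PR. It assumes a `Grant` record, a rank order in which `ADMIN` implies `WRITE` implies `READ`, and a reserved sentinel namespace `GLOBAL` that only counts as global when paired with `GLOBAL_ADMIN`; all of those are assumptions for the example, and the sample grants in `main` are constructed.

```java
import java.util.List;

/**
 * Added example for the per-namespace entitlement model, not CalmHub code.
 * The Grant record, the ordering READ < WRITE < ADMIN < GLOBAL_ADMIN and the
 * handling of the GLOBAL sentinel are assumptions made for illustration.
 */
public final class NamespacePermissionCheck {

    /** Namespace value used to mark a global-admin grant (assumed name). */
    public static final String GLOBAL_NAMESPACE = "GLOBAL";

    /** Declared in rank order so a higher permission implies the lower ones (assumption). */
    public enum Permission { READ, WRITE, ADMIN, GLOBAL_ADMIN }

    /** One row of a user-access store: who, on which namespace, with which permission. */
    public record Grant(String username, String namespace, Permission permission) {}

    private final List<Grant> grants; // stands in for a UserAccessStore lookup

    public NamespacePermissionCheck(List<Grant> grants) {
        this.grants = List.copyOf(grants);
    }

    /** A user-created namespace must never collide with the global sentinel. */
    public static boolean isValidNamespaceName(String namespace) {
        return namespace != null
                && !namespace.isBlank()
                && !namespace.equalsIgnoreCase(GLOBAL_NAMESPACE);
    }

    /** Deny by default; allow on a global-admin grant or an exact-namespace grant of sufficient rank. */
    public boolean isAllowed(String username, String namespace, Permission required) {
        if (username == null || required == null || !isValidNamespaceName(namespace)) {
            return false;
        }
        for (Grant grant : grants) {
            if (!grant.username().equals(username)) {
                continue;
            }
            // Only GLOBAL_ADMIN on the sentinel namespace is treated as global;
            // a plain READ grant on "GLOBAL" grants nothing anywhere.
            boolean globalAdmin = GLOBAL_NAMESPACE.equals(grant.namespace())
                    && grant.permission() == Permission.GLOBAL_ADMIN;
            if (globalAdmin) {
                return true;
            }
            // Otherwise the grant must name this exact namespace and rank at least `required`.
            if (grant.namespace().equals(namespace)
                    && grant.permission().ordinal() >= required.ordinal()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample grants, not data from the project.
        List<Grant> sample = List.of(
                new Grant("alice", "finos", Permission.ADMIN),
                new Grant("bob", "finos", Permission.READ),
                new Grant("root", GLOBAL_NAMESPACE, Permission.GLOBAL_ADMIN),
                new Grant("mallory", GLOBAL_NAMESPACE, Permission.READ));
        NamespacePermissionCheck check = new NamespacePermissionCheck(sample);

        System.out.println("alice write finos:  " + check.isAllowed("alice", "finos", Permission.WRITE));
        System.out.println("bob write finos:    " + check.isAllowed("bob", "finos", Permission.WRITE));
        System.out.println("root admin other:   " + check.isAllowed("root", "other", Permission.ADMIN));
        System.out.println("mallory read finos: " + check.isAllowed("mallory", "finos", Permission.READ));
        System.out.println("'global' valid name: " + isValidNamespaceName("global"));
    }
}
```

Under these assumptions alice's admin grant satisfies a write check on `finos`, bob's read grant does not, root's `GLOBAL_ADMIN` grant on the sentinel satisfies an admin check on any namespace, and mallory's read grant on `GLOBAL` grants nothing, because the sentinel is only honoured together with `GLOBAL_ADMIN`. The `isValidNamespaceName` guard is what keeps the sentinel meaningful: if namespace creation accepted a namespace literally named `GLOBAL`, a grant on it would be indistinguishable from a global one.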
| description = "Creates a timeline for a given namespace with an allocated ID and version 1.0.0" | ||
| ) | ||
| @PermittedScopes({CalmHubScopes.ARCHITECTURES_ALL}) | ||
| @PermissionsAllowed(CalmHubScopes.READ) |
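Review bot: `@PermissionsAllowed(CalmHubScopes.READ)` looks too weak for this endpoint: the description directly above says it creates a timeline with an allocated ID and version 1.0.0, which is a write, and the removed `@PermittedScopes({CalmHubScopes.ARCHITECTURES_ALL})` gated it on the broadest scope. Unless the intent is that any reader of a namespace may create timelines, this should be `@PermissionsAllowed(CalmHubScopes.WRITE)`; either way, an integration test asserting that a read-only grant gets 403 here would pin the intended behaviour.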
| ### Secure profile | ||
| There are two secure profiles, `secure` and `proxy`. |
| However, for local testing and development purposes, CalmHub includes a simple pre-configured IdP, Keycloak, that you can spin up locally to simulate a real IdP. | ||
| The following sections descibe how to start Keycloak, and how to configure CalmHub to use it correctly. |
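Review bot: the profile name in `There are two secure profiles, \`secure\` and \`proxy\`.` does not match the rest of the change, where the new properties file is `application-proxy-auth.properties` and the profile is referred to as `proxy-auth`; pick one name and use it in the README, the properties file and the integration-test profile. Also, `descibe` in the last line should be `describe`, and the "However" opening the Keycloak paragraph has nothing before it to contrast with; a sentence stating that in production CalmHub is pointed at your own identity provider would make the contrast read.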
| | Action | Description | | ||
| |---------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | `read` | Can read any documents of that type in the namespace. | | ||
| | `write` | Can write any documents of that type in the namespace. This includes deleting them. Note that by default resources in CalmHub are immutable, so this usually means 'create' only. |
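Review bot: "of that type" in the `read` and `write` rows is left over from the `ResourceType` model this PR removes; with grants now scoped to a namespace (and domain) rather than a document type, the rows should read "any documents in the namespace". The `write` row should also say whether `write` implies `read`, since the checker is now the only place that relationship is defined and a reader of this table cannot tell.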
| boolean granted = | ||
| userAccessStore.getUserAccessForUsername(username) | ||
| .stream() | ||
| .anyMatch(grant -> "GLOBAL".equals(grant.getNamespace()) |
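Review bot: `"GLOBAL".equals(grant.getNamespace())` uses a bare string literal as the global-admin sentinel; promote it to a named constant (on `UserAccess` or `CalmHubScopes`) so the checker, the store and `init-mongo.js` cannot drift apart, and make namespace creation reject a user namespace named `GLOBAL` (case-insensitively), otherwise a grant on such a namespace is indistinguishable here from a global grant. The predicate is cut off in this view; confirm that it also tests the grant's permission (for example `global_admin`) and not only the namespace, so that a plain `read` grant on `GLOBAL` does not become a global allow.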
Description
Implement a database-driven entitlements model and authentication framework based on four entitlement levels:
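One of the authentication paths in this framework, per the review summary, is the header-driven `proxy-auth` mode in which an upstream proxy injects the user's identity. How the PR's `ProxyAuthenticationMechanism` decides which peers are allowed to set that header is not visible on this page, so the following is an added example of the guard such a path needs, written for this page and not taken from the project: the identity header is honoured only when the connection comes from an allow-listed proxy address and carries a shared secret the proxy injects. The header names `X-Forwarded-User` and `X-Proxy-Secret`, the address allow-list and the secret value are assumptions; the requests in `main` are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;

/**
 * Added example, not CalmHub's ProxyAuthenticationMechanism or ProxyIdentityProvider.
 * A header-based identity is only as trustworthy as the proof that the header was
 * set by our proxy, so both a network check and a shared-secret check gate it.
 * Header names, the proxy allow-list and the secret are assumptions for the example.
 */
public final class TrustedProxyIdentity {

    private static final String USER_HEADER = "X-Forwarded-User"; // assumed header name
    private static final String SECRET_HEADER = "X-Proxy-Secret"; // assumed header name

    /** Minimal view of an inbound request: peer address plus case-insensitive headers. */
    public record Request(String remoteAddr, Map<String, String> headers) {
        public Request {
            Map<String, String> ci = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
            ci.putAll(headers);
            headers = Collections.unmodifiableMap(ci);
        }
    }

    private final Set<String> trustedProxyAddrs;
    private final byte[] sharedSecret;

    public TrustedProxyIdentity(Set<String> trustedProxyAddrs, String sharedSecret) {
        this.trustedProxyAddrs = Set.copyOf(trustedProxyAddrs);
        this.sharedSecret = sharedSecret.getBytes(StandardCharsets.UTF_8);
    }

    /** Returns the proxied username, or empty when the header must not be trusted. */
    public Optional<String> resolveUser(Request request) {
        // 1. Network check: the peer must be one of the proxies we deploy behind.
        if (!trustedProxyAddrs.contains(request.remoteAddr())) {
            return Optional.empty();
        }
        // 2. Shared-secret check, compared in constant time.
        String presented = request.headers().get(SECRET_HEADER);
        if (presented == null
                || !MessageDigest.isEqual(sharedSecret, presented.getBytes(StandardCharsets.UTF_8))) {
            return Optional.empty();
        }
        // 3. Header sanity: present, non-blank and bounded in length before it becomes a principal.
        String user = request.headers().get(USER_HEADER);
        if (user == null || user.isBlank() || user.length() > 256) {
            return Optional.empty();
        }
        return Optional.of(user.trim());
    }

    public static void main(String[] args) {
        TrustedProxyIdentity auth = new TrustedProxyIdentity(Set.of("10.0.0.5"), "s3cr3t");
        // Constructed requests: one relayed by the real proxy, one setting the header directly.
        Request viaProxy = new Request("10.0.0.5",
                Map.of("X-Forwarded-User", "alice", "X-Proxy-Secret", "s3cr3t"));
        Request spoofed = new Request("203.0.113.9",
                Map.of("X-Forwarded-User", "admin"));
        System.out.println("via proxy: " + auth.resolveUser(viaProxy));
        System.out.println("spoofed:   " + auth.resolveUser(spoofed));
    }
}
```

The spoofed request fails the first check because its peer address is not the proxy, and it would fail the second even from an allow-listed address because it carries no secret. Whichever of the two checks a deployment relies on, the username from the header should be rejected rather than defaulted when either fails; falling through to an anonymous identity in `proxy-auth` mode would quietly turn a misconfigured proxy into the open `no-auth` behaviour.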