Skip to content

Add support for authentication and authorization#405

Merged
CGodiksen merged 62 commits into
mainfrom
dev/security-manager
Jul 3, 2026
Merged

Add support for authentication and authorization#405
CGodiksen merged 62 commits into
mainfrom
dev/security-manager

Conversation

@CGodiksen

Copy link
Copy Markdown
Collaborator

This PR adds the structure for authentication and authorization in the Apache Arrow Flight server by adding a new modelardb_auth crate with an Authenticator trait that can provide permission-based authorization. Read, Write, and Admin permissions are used. The authenticator is called by a new tower middleware layer that is applied to the Apache Arrow Flight server. This layer intercepts all requests to the server, maps the operation in the request to a permission, and authorizes the request.

Note that this PR only adds the structure for authentication and authorization. Currently we only have the NoAuth authenticator that lets all requests through but the Authenticator trait can be implemented to support any type of external system, for example Microsoft Entra ID.

This PR also adds support in modelardb_client for passing a token through a CLI flag or env varible and support for passing a token as an argument in modelardb_embedded.

CGodiksen added 30 commits June 22, 2026 06:46

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a new authentication/authorization structure across the ModelarDB Flight server and clients by adding a dedicated modelardb_auth crate, a tower middleware layer in the server to enforce permissions, and token plumbing (CLI/env + embedded bindings) to attach bearer tokens to outgoing requests.

Changes:

  • Added modelardb_auth crate with Permission, Authenticator trait, NoAuth, and a BearerInterceptor for client-side auth header injection.
  • Added a tower middleware AuthLayer to the server’s Arrow Flight stack to map operations/SQL to permissions and authorize requests.
  • Extended modelardb_client and modelardb_embedded (C/Python bindings) to accept an optional bearer token and send it as the authorization metadata header.

Reviewed changes

Copilot reviewed 18 out of 19 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
crates/modelardb_server/src/remote/mod.rs Applies the new auth middleware layer and forwards authorization metadata to remote DoGet calls.
crates/modelardb_server/src/remote/auth_layer.rs New tower middleware implementing request authorization (path-based + SQL-based for DoGet) with tests.
crates/modelardb_server/src/main.rs Wires the server to start with a default NoAuth authenticator.
crates/modelardb_server/Cargo.toml Adds dependencies needed for middleware (http, http-body-util, tower, sqlparser) and modelardb_auth.
crates/modelardb_embedded/src/operations/data_folder.rs Updates embedded tests to construct a Flight client with the new interceptor type.
crates/modelardb_embedded/src/operations/client.rs Adds optional token to embedded client connect and uses BearerInterceptor.
crates/modelardb_embedded/src/capi.rs Extends C API connect to accept an optional token pointer and passes it through.
crates/modelardb_embedded/Cargo.toml Adds dependency on modelardb_auth.
crates/modelardb_embedded/bindings/python/modelardb/operations.py Extends Python connect APIs to accept an optional token and pass it through the C API.
crates/modelardb_embedded/bindings/c/modelardb_embedded.h Updates C header signature for modelardb_embedded_connect to include an optional token.
crates/modelardb_client/src/main.rs Adds --token / MODELARDB_TOKEN support and attaches bearer tokens via interceptor.
crates/modelardb_client/Cargo.toml Adds dependency on modelardb_auth.
crates/modelardb_auth/src/lib.rs New auth crate root with Permission and client-side BearerInterceptor.
crates/modelardb_auth/src/authenticator/mod.rs Defines the Authenticator trait and modules for implementations/testing.
crates/modelardb_auth/src/authenticator/no_auth.rs Adds NoAuth authenticator implementation.
crates/modelardb_auth/src/authenticator/mock.rs Adds test-only mock authenticator (feature-gated).
crates/modelardb_auth/Cargo.toml New crate manifest with a testing feature.
Cargo.toml Adds shared workspace deps (http, http-body-util, tower).
Cargo.lock Adds lock entries for new crate/dependencies.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread crates/modelardb_server/src/remote/auth_layer.rs
Comment thread crates/modelardb_server/src/remote/auth_layer.rs
Comment thread crates/modelardb_server/src/remote/auth_layer.rs
Comment thread crates/modelardb_auth/src/authenticator/mock.rs
Comment thread crates/modelardb_auth/src/authenticator/mock.rs Outdated
Comment thread crates/modelardb_auth/src/authenticator/mock.rs Outdated
Comment thread crates/modelardb_auth/src/authenticator/mock.rs Outdated
Comment thread crates/modelardb_auth/src/authenticator/mock.rs
Comment thread crates/modelardb_server/src/remote/auth_layer.rs Outdated
Comment thread crates/modelardb_server/src/remote/auth_layer.rs Outdated
Comment thread crates/modelardb_server/src/remote/auth_layer.rs Outdated
Comment thread crates/modelardb_server/src/remote/auth_layer.rs Outdated
Comment thread crates/modelardb_server/src/remote/auth_layer.rs
@CGodiksen CGodiksen requested a review from skejserjensen July 2, 2026 06:16
@CGodiksen CGodiksen requested a review from chrthomsen July 2, 2026 10:48
@CGodiksen CGodiksen merged commit 713ec0b into main Jul 3, 2026
5 checks passed
@CGodiksen CGodiksen deleted the dev/security-manager branch July 3, 2026 11:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants