Add support for authentication and authorization#405
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR introduces a new authentication/authorization structure across the ModelarDB Flight server and clients by adding a dedicated modelardb_auth crate, a tower middleware layer in the server to enforce permissions, and token plumbing (CLI/env + embedded bindings) to attach bearer tokens to outgoing requests.
Changes:
- Added
modelardb_authcrate withPermission,Authenticatortrait,NoAuth, and aBearerInterceptorfor client-side auth header injection. - Added a
towermiddlewareAuthLayerto the server’s Arrow Flight stack to map operations/SQL to permissions and authorize requests. - Extended
modelardb_clientandmodelardb_embedded(C/Python bindings) to accept an optional bearer token and send it as theauthorizationmetadata header.
Reviewed changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| crates/modelardb_server/src/remote/mod.rs | Applies the new auth middleware layer and forwards authorization metadata to remote DoGet calls. |
| crates/modelardb_server/src/remote/auth_layer.rs | New tower middleware implementing request authorization (path-based + SQL-based for DoGet) with tests. |
| crates/modelardb_server/src/main.rs | Wires the server to start with a default NoAuth authenticator. |
| crates/modelardb_server/Cargo.toml | Adds dependencies needed for middleware (http, http-body-util, tower, sqlparser) and modelardb_auth. |
| crates/modelardb_embedded/src/operations/data_folder.rs | Updates embedded tests to construct a Flight client with the new interceptor type. |
| crates/modelardb_embedded/src/operations/client.rs | Adds optional token to embedded client connect and uses BearerInterceptor. |
| crates/modelardb_embedded/src/capi.rs | Extends C API connect to accept an optional token pointer and passes it through. |
| crates/modelardb_embedded/Cargo.toml | Adds dependency on modelardb_auth. |
| crates/modelardb_embedded/bindings/python/modelardb/operations.py | Extends Python connect APIs to accept an optional token and pass it through the C API. |
| crates/modelardb_embedded/bindings/c/modelardb_embedded.h | Updates C header signature for modelardb_embedded_connect to include an optional token. |
| crates/modelardb_client/src/main.rs | Adds --token / MODELARDB_TOKEN support and attaches bearer tokens via interceptor. |
| crates/modelardb_client/Cargo.toml | Adds dependency on modelardb_auth. |
| crates/modelardb_auth/src/lib.rs | New auth crate root with Permission and client-side BearerInterceptor. |
| crates/modelardb_auth/src/authenticator/mod.rs | Defines the Authenticator trait and modules for implementations/testing. |
| crates/modelardb_auth/src/authenticator/no_auth.rs | Adds NoAuth authenticator implementation. |
| crates/modelardb_auth/src/authenticator/mock.rs | Adds test-only mock authenticator (feature-gated). |
| crates/modelardb_auth/Cargo.toml | New crate manifest with a testing feature. |
| Cargo.toml | Adds shared workspace deps (http, http-body-util, tower). |
| Cargo.lock | Adds lock entries for new crate/dependencies. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
skejserjensen
requested changes
Jul 1, 2026
skejserjensen
approved these changes
Jul 2, 2026
chrthomsen
approved these changes
Jul 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds the structure for authentication and authorization in the Apache Arrow Flight server by adding a new
modelardb_authcrate with anAuthenticatortrait that can provide permission-based authorization. Read, Write, and Admin permissions are used. The authenticator is called by a newtowermiddleware layer that is applied to the Apache Arrow Flight server. This layer intercepts all requests to the server, maps the operation in the request to a permission, and authorizes the request.Note that this PR only adds the structure for authentication and authorization. Currently we only have the
NoAuthauthenticator that lets all requests through but theAuthenticatortrait can be implemented to support any type of external system, for example Microsoft Entra ID.This PR also adds support in
modelardb_clientfor passing a token through a CLI flag or env varible and support for passing a token as an argument inmodelardb_embedded.