Repository: kylin Updated Branches: refs/heads/2.0.x-hbase0.98 39782f68e -> 2de455de3 (forced update)
KYLIN-2555 minor issues about acl and granted autority Project: http://git-wip-us.apache.org/repos/asf/kylin/repo Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/3fb74fe4 Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/3fb74fe4 Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/3fb74fe4 Branch: refs/heads/2.0.x-hbase0.98 Commit: 3fb74fe49fb6308444f80080b87c0fd3160302a9 Parents: d31e7e0 Author: Hongbin Ma <mahong...@apache.org> Authored: Wed Apr 19 19:28:39 2017 +0800 Committer: Hongbin Ma <mahong...@apache.org> Committed: Wed Apr 19 19:28:39 2017 +0800 ---------------------------------------------------------------------- .../rest/security/AuthoritiesPopulator.java | 15 ++++++++---- .../apache/kylin/rest/service/AclService.java | 14 ++++++++++- .../apache/kylin/rest/service/UserService.java | 5 ++++ server/src/main/resources/kylinSecurity.xml | 4 ++-- .../rest/controller/UserControllerTest.java | 3 ++- .../kylin/rest/service/ServiceTestBase.java | 25 +++++++++++++++++++- .../kylin/rest/service/UserServiceTest.java | 7 +++--- 7 files changed, 60 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java ---------------------------------------------------------------------- diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java index 7983fc0..2b290ce 100644 --- a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java +++ b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java 
@@ -21,6 +21,8 @@ package org.apache.kylin.rest.security; import java.util.HashSet; import java.util.Set; +import org.apache.commons.lang.ArrayUtils; +import org.apache.commons.lang.StringUtils; import org.apache.kylin.rest.constant.Constant; import org.springframework.ldap.core.ContextSource; import org.springframework.security.core.GrantedAuthority; @@ -33,7 +35,6 @@ import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopul */ public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator { - String adminRole; SimpleGrantedAuthority adminRoleAsAuthority; SimpleGrantedAuthority adminAuthority = new SimpleGrantedAuthority(Constant.ROLE_ADMIN); @@ -48,12 +49,12 @@ public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator { */ public AuthoritiesPopulator(ContextSource contextSource, String groupSearchBase, String adminRole, String defaultRole) { super(contextSource, groupSearchBase); - this.adminRole = adminRole; this.adminRoleAsAuthority = new SimpleGrantedAuthority(adminRole); - if (defaultRole.contains(Constant.ROLE_MODELER)) + String[] defaultRoles = StringUtils.split(defaultRole, ","); + if (ArrayUtils.contains(defaultRoles, Constant.ROLE_MODELER)) this.defaultAuthorities.add(modelerAuthority); - if (defaultRole.contains(Constant.ROLE_ANALYST)) + if (ArrayUtils.contains(defaultRoles, Constant.ROLE_ANALYST)) this.defaultAuthorities.add(analystAuthority); } 
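Review bot: In the constructor hunk, `StringUtils.split(defaultRole, ",")` keeps surrounding whitespace on each token, so a value written as `ROLE_MODELER, ROLE_ANALYST` (the spacing kylinSecurity.xml uses for its own `authorities` attributes) yields ` ROLE_ANALYST` and the `ArrayUtils.contains` test silently misses it; `String[] defaultRoles = StringUtils.stripAll(StringUtils.split(defaultRole, ","));` makes the match tolerant of that. Because `split(null, ",")` returns null and `ArrayUtils.contains(null, x)` is false, a missing default role now degrades to no default authorities instead of an NPE, which deserves a one-line comment such as `// null/empty defaultRole grants no default authorities`. I cannot see where `defaultRole` is configured, so whether spaces actually occur there is an inference.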
@@ -61,13 +62,17 @@ public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator { public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) { Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username); + authorities.addAll(defaultAuthorities); + if (authorities.contains(adminRoleAsAuthority)) { authorities.add(adminAuthority); authorities.add(modelerAuthority); authorities.add(analystAuthority); } - authorities.addAll(defaultAuthorities); + if (authorities.contains(modelerAuthority)) { + authorities.add(analystAuthority); + } return authorities; } http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java ---------------------------------------------------------------------- diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java b/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java index 3e3efec..b80d97d 100644 --- a/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java +++ b/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java @@ -66,6 +66,7 @@ import org.springframework.security.acls.model.PermissionGrantingStrategy; import org.springframework.security.acls.model.Sid; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.util.FieldUtils; import org.springframework.stereotype.Component; import org.springframework.util.Assert; @@ -75,7 +76,6 @@ import com.fasterxml.jackson.databind.JsonMappingException; /** * @author xduo - * */ @Component("aclService") public class AclService implements MutableAclService { 
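Review bot: `getGroupMembershipRoles` now hard-codes Kylin's role hierarchy (admin implies modeler and analyst, modeler implies analyst) inside the LDAP populator only; judging from the companion change that hand-edits the testing MODELER user in kylinSecurity.xml to add `ROLE_ANALYST`, users coming from other providers presumably do not get the implied roles. A Spring Security `RoleHierarchy` bean would state the rule once for every provider; if that is out of scope, a comment above the first `if`, such as `// Kylin role hierarchy: ADMIN implies MODELER and ANALYST, MODELER implies ANALYST; defaultAuthorities go to every LDAP user regardless of group membership`, records the intent. Moving `authorities.addAll(defaultAuthorities)` ahead of the admin check does not change the resulting set, since set union is order-independent, so that part reads as a readability change only. Nothing here removes authorities, so a user whose group maps to `adminRoleAsAuthority` keeps that raw group authority alongside `ROLE_ADMIN`.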
@@ -111,6 +111,9 @@ public class AclService implements MutableAclService { @Autowired protected AclHBaseStorage aclHBaseStorage; + @Autowired + protected UserService userService; + public AclService() throws IOException { fieldAces.setAccessible(true); fieldAcl.setAccessible(true); @@ -297,6 +300,13 @@ public class AclService implements MutableAclService { } for (AccessControlEntry ace : acl.getEntries()) { + if (ace.getSid() instanceof PrincipalSid) { + PrincipalSid psid = (PrincipalSid) ace.getSid(); + String userName = psid.getPrincipal(); + logger.debug("ACE SID name: " + userName); + if (!userService.userExists(userName)) + throw new UsernameNotFoundException("User " + userName + " does not exist. Please make sure the user has logged in before"); + } AceInfo aceInfo = new AceInfo(ace); put.addColumn(Bytes.toBytes(AclHBaseStorage.ACL_ACES_FAMILY), Bytes.toBytes(aceInfo.getSidInfo().getSid()), aceSerializer.serialize(aceInfo)); } @@ -315,6 +325,7 @@ public class AclService implements MutableAclService { return (MutableAcl) readAclById(acl.getObjectIdentity()); } + private void genAces(List<Sid> sids, Result result, AclImpl acl) throws JsonParseException, JsonMappingException, IOException { List<AceInfo> aceInfos = new ArrayList<AceInfo>(); if (null != sids) { @@ -459,4 +470,5 @@ public class AclService implements MutableAclService { } } + } http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java ---------------------------------------------------------------------- diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java index ab54882..9d94de1 100644 --- a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java +++ b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java 
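Review bot: The existence check added before `AceInfo aceInfo = new AceInfo(ace);` throws `UsernameNotFoundException`, an `AuthenticationException`, from an ACL-management path; if Spring Security's exception translation sees it, the caller may get an authentication failure rather than a validation error, so `IllegalArgumentException` or a domain exception with the same message is safer unless the REST layer is known to map it. The `if (!userService.userExists(userName))` body lacks braces while the surrounding code uses them, and `logger.debug("ACE SID name: " + userName)` concatenates unconditionally; `logger.debug("ACE SID name: {}", userName)` avoids that if `logger` is SLF4J. Only `PrincipalSid` entries are validated, so `GrantedAuthoritySid` entries pass through unchecked, which may be intended but is worth a comment. The enclosing method starts and ends outside this hunk.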
@@ -37,9 +37,11 @@ import org.apache.hadoop.hbase.client.Scan; import org.apache.hadoop.hbase.client.Table; import org.apache.kylin.common.util.Bytes; import org.apache.kylin.common.util.Pair; +import org.apache.kylin.rest.constant.Constant; import org.apache.kylin.rest.security.AclHBaseStorage; import org.apache.kylin.rest.util.Serializer; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; @@ -138,11 +140,13 @@ public class UserService implements UserDetailsManager { } @Override + @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN) public void createUser(UserDetails user) { updateUser(user); } @Override + @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN) public void updateUser(UserDetails user) { Table htable = null; try { @@ -162,6 +166,7 @@ public class UserService implements UserDetailsManager { } @Override + @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN) public void deleteUser(String username) { Table htable = null; try { http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server/src/main/resources/kylinSecurity.xml ---------------------------------------------------------------------- diff --git a/server/src/main/resources/kylinSecurity.xml b/server/src/main/resources/kylinSecurity.xml index 3f4abdc..9d633ee 100644 --- a/server/src/main/resources/kylinSecurity.xml +++ b/server/src/main/resources/kylinSecurity.xml 
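Review bot: `createUser` invokes `updateUser(user)` through `this`, so the `@PreAuthorize` now placed on `updateUser` is not evaluated for that call (Spring method security is proxy-based); harmless while `createUser` carries the same guard, but worth a comment such as `// self-invocation: updateUser's @PreAuthorize is bypassed here; createUser carries its own guard`. More importantly, if any login path persists users through `updateUser` under a non-admin or not-yet-populated security context — the new AclService message in this commit, "make sure the user has logged in before", suggests users are created at login — that call now fails with an access-denied error; confirm the provisioning path runs as admin or is exempt. `userExists`, `loadUserByUsername` and the listing methods are outside these hunks, so I cannot tell whether leaving them unguarded is by design.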
@@ -142,7 +142,7 @@ <scr:authentication-manager alias="testingAuthenticationManager"> <scr:authentication-provider> <scr:user-service> - <scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG" authorities="ROLE_MODELER" /> + <scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG" authorities="ROLE_MODELER, ROLE_ANALYST" /> <scr:user name="ANALYST" password="$2a$10$s4INO3XHjPP5Vm2xH027Ce9QeXWdrfq5pvzuGr9z/lQmHqi0rsbNi" authorities="ROLE_ANALYST" /> <scr:user name="ADMIN" password="$2a$10$o3ktIWsGYxXNuUWQiYlZXOW5hWcqyNAFQsSSCSEWoC/BRVMAUjL32" authorities="ROLE_MODELER, ROLE_ANALYST, ROLE_ADMIN" /> </scr:user-service> @@ -503,4 +503,4 @@ <bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/> </beans> -</beans> \ No newline at end of file +</beans> http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java ---------------------------------------------------------------------- diff --git a/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java b/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java index ab77a9a..767aaf1 100644 --- a/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java +++ b/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java @@ -22,6 +22,7 @@ import java.io.IOException; import java.util.ArrayList; import java.util.List; +import org.apache.kylin.rest.constant.Constant; import org.apache.kylin.rest.service.ServiceTestBase; import org.junit.Assert; import org.junit.Before; 
@@ -46,7 +47,7 @@ public class UserControllerTest extends ServiceTestBase { staticCreateTestMetadata(); List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); User user = new User("ADMIN", "ADMIN", authorities); - Authentication authentication = new TestingAuthenticationToken(user, "ADMIN", "ROLE_ADMIN"); + Authentication authentication = new TestingAuthenticationToken(user, "ADMIN", Constant.ROLE_ADMIN); SecurityContextHolder.getContext().setAuthentication(authentication); } http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java ---------------------------------------------------------------------- diff --git a/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java b/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java index 3a587e4..a47fdd2 100644 --- a/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java +++ b/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java 
@@ -18,18 +18,23 @@ package org.apache.kylin.rest.service; +import java.util.Arrays; + import org.apache.kylin.common.KylinConfig; import org.apache.kylin.common.util.LocalFileMetadataTestCase; import org.apache.kylin.metadata.cachesync.Broadcaster; +import org.apache.kylin.rest.constant.Constant; import org.junit.After; import org.junit.AfterClass; import org.junit.Before; import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.userdetails.User; import org.springframework.test.context.ActiveProfiles; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; @@ -42,10 +47,13 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; @ActiveProfiles("testing") public class ServiceTestBase extends LocalFileMetadataTestCase { + @Autowired + UserService userService; + @BeforeClass public static void setupResource() throws Exception { staticCreateTestMetadata(); - Authentication authentication = new TestingAuthenticationToken("ADMIN", "ADMIN", "ROLE_ADMIN"); + Authentication authentication = new TestingAuthenticationToken("ADMIN", "ADMIN", Constant.ROLE_ADMIN); SecurityContextHolder.getContext().setAuthentication(authentication); } 
@@ -59,6 +67,21 @@ public class ServiceTestBase extends LocalFileMetadataTestCase { KylinConfig config = KylinConfig.getInstanceFromEnv(); Broadcaster.getInstance(config).notifyClearAll(); + + if (!userService.userExists("ADMIN")) { + userService.createUser(new User("ADMIN", "KYLIN", Arrays.asList(// + new UserService.UserGrantedAuthority(Constant.ROLE_ADMIN), new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST), new UserService.UserGrantedAuthority(Constant.ROLE_MODELER)))); + } + + if (!userService.userExists("MODELER")) { + userService.createUser(new User("MODELER", "MODELER", Arrays.asList(// + new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST), new UserService.UserGrantedAuthority(Constant.ROLE_MODELER)))); + } + + if (!userService.userExists("ROLE_ANALYST")) { + userService.createUser(new User("ROLE_ANALYST", "ROLE_ANALYST", Arrays.asList(// + new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST)))); + } } @After http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java ---------------------------------------------------------------------- diff --git a/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java b/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java index 28515be..36c554e 100644 --- a/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java +++ b/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java @@ -21,6 +21,7 @@ package org.apache.kylin.rest.service; import java.util.ArrayList; import java.util.List; +import org.apache.kylin.rest.constant.Constant; import org.junit.Assert; import org.junit.Test; import org.springframework.beans.factory.annotation.Autowired; 
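Review bot: The third seeded account is named `"ROLE_ANALYST"` with password `"ROLE_ANALYST"`, while the testing user-service in kylinSecurity.xml and the two companion users here are named `ANALYST`/`MODELER`/`ADMIN`; this looks like the role constant copied into the username, and `userService.createUser(new User("ANALYST", "ANALYST", Arrays.asList(new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST))))` with a matching `userExists("ANALYST")` guard is presumably what was meant. These `createUser` calls rely on the `ADMIN` `TestingAuthenticationToken` that `setupResource` places in the security context, since this commit also puts `@PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)` on `createUser`; a short comment saying so would spare the next reader a surprising access-denied failure. UserServiceTest still opens with `Assert.assertTrue(!userService.userExists("ADMIN"))`; unless lines before that hunk delete ADMIN first, seeding ADMIN here conflicts with it. The enclosing setup method starts outside this hunk.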
@@ -43,7 +44,7 @@ public class UserServiceTest extends ServiceTestBase { Assert.assertTrue(!userService.userExists("ADMIN")); List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); - authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN")); + authorities.add(new SimpleGrantedAuthority(Constant.ROLE_ADMIN)); User user = new User("ADMIN", "PWD", authorities); userService.createUser(user); @@ -52,9 +53,9 @@ public class UserServiceTest extends ServiceTestBase { UserDetails ud = userService.loadUserByUsername("ADMIN"); Assert.assertEquals("ADMIN", ud.getUsername()); Assert.assertEquals("PWD", ud.getPassword()); - Assert.assertEquals("ROLE_ADMIN", ud.getAuthorities().iterator().next().getAuthority()); + Assert.assertEquals(Constant.ROLE_ADMIN, ud.getAuthorities().iterator().next().getAuthority()); Assert.assertEquals(1, ud.getAuthorities().size()); - Assert.assertTrue(userService.listUserAuthorities().contains("ROLE_ADMIN")); + Assert.assertTrue(userService.listUserAuthorities().contains(Constant.ROLE_ADMIN)); } }