minor, revoke user's project permission when user has been deleted
Project: http://git-wip-us.apache.org/repos/asf/kylin/repo Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/4c1c0aa0 Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/4c1c0aa0 Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/4c1c0aa0 Branch: refs/heads/master Commit: 4c1c0aa0bf6c06f090a67403812bd913c1f2f862 Parents: 604b3e0 Author: Jiatao Tao <245915...@qq.com> Authored: Fri Sep 8 19:22:13 2017 +0800 Committer: GitHub <nore...@github.com> Committed: Fri Sep 8 19:22:13 2017 +0800 ---------------------------------------------------------------------- .../kylin/rest/service/AccessService.java | 37 ++++++++++++++++++++ .../apache/kylin/rest/service/UserService.java | 30 ++++++++++++++++ 2 files changed, 67 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/kylin/blob/4c1c0aa0/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java ---------------------------------------------------------------------- diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java b/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java index a46b866..5b2e33c 100644 --- a/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java +++ b/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java 
@@ -206,6 +206,43 @@ public class AccessService { } @Transactional + @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or hasPermission(#ae, 'ADMINISTRATION')") + public Acl revoke(AclEntity ae, String username) { + Message msg = MsgPicker.getMsg(); + + if (ae == null) + throw new BadRequestException(msg.getACL_DOMAIN_NOT_FOUND()); + if (username == null) { + throw new BadRequestException(msg.getACE_ID_REQUIRED()); + } + + ObjectIdentity objectIdentity = new ObjectIdentityImpl(ae.getClass(), ae.getId()); + MutableAcl acl = (MutableAcl) aclService.readAclById(objectIdentity); + int indexOfAce = -1; + + for (int i = 0; i < acl.getEntries().size(); i++) { + AccessControlEntry ace = acl.getEntries().get(i); + if (((PrincipalSid) ace.getSid()).getPrincipal().equals(username)) { + indexOfAce = i; + break; + } + } + + if (indexOfAce != -1) { + secureOwner(acl, indexOfAce); + + try { + acl.deleteAce(indexOfAce); + acl = aclService.updateAcl(acl); + } catch (NotFoundException e) { + //do nothing? + } + } + + return acl; + } + + @Transactional public void inherit(AclEntity ae, AclEntity parentAe) { Message msg = MsgPicker.getMsg(); http://git-wip-us.apache.org/repos/asf/kylin/blob/4c1c0aa0/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java ---------------------------------------------------------------------- diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java index 24e2e30..aa48e1f 100644 --- a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java +++ b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java 
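Review bot: The cast `(PrincipalSid) ace.getSid()` in the lookup loop of revoke throws ClassCastException as soon as the ACL holds a role-based entry (Spring's GrantedAuthoritySid), so a single role grant on a project makes the whole revocation fail; guard it with `if (ace.getSid() instanceof PrincipalSid && ((PrincipalSid) ace.getSid()).getPrincipal().equals(username))`. The same unchecked cast appears in the UserService.deleteUser hunk. The `catch (NotFoundException e) { //do nothing? }` block swallows a failed deleteAce/updateAcl and still returns the acl, so the caller cannot tell that the permission survived; at minimum log it at warn with the username and objectIdentity, or rethrow as BadRequestException so a revocation is never reported as success when it did not happen. The enclosing class continues outside the hunk.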
@@ -25,15 +25,22 @@ import java.util.List; import javax.annotation.PostConstruct; import org.apache.kylin.common.KylinConfig; +import org.apache.kylin.common.persistence.AclEntity; import org.apache.kylin.common.persistence.JsonSerializer; import org.apache.kylin.common.persistence.ResourceStore; import org.apache.kylin.common.persistence.Serializer; +import org.apache.kylin.metadata.project.ProjectInstance; import org.apache.kylin.rest.exception.InternalErrorException; import org.apache.kylin.rest.msg.Message; import org.apache.kylin.rest.msg.MsgPicker; import org.apache.kylin.rest.security.ManagedUser; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.security.acls.domain.PrincipalSid; +import org.springframework.security.acls.model.AccessControlEntry; +import org.springframework.security.acls.model.Acl; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UsernameNotFoundException; @@ -59,6 +66,14 @@ public class UserService implements UserDetailsManager { private boolean evictCacheFlag = false; + @Autowired + @Qualifier("accessService") + private AccessService accessService; + + @Autowired + @Qualifier("projectService") + private ProjectService projectService; + public boolean isEvictCacheFlag() { return evictCacheFlag; } 
@@ -98,6 +113,21 @@ public class UserService implements UserDetailsManager { throw new InternalErrorException("User " + userName + " is not allowed to be deleted."); try { + //revoke user's project permission + List<ProjectInstance> projectInstances = projectService.listProjects(null, null); + for (ProjectInstance pi : projectInstances) { + AclEntity ae = accessService.getAclEntity("ProjectInstance", pi.getUuid()); + Acl acl = accessService.getAcl(ae); + + if (acl != null) { + for (AccessControlEntry ace : acl.getEntries()) { + if (((PrincipalSid) ace.getSid()).getPrincipal().equals(userName)) { + accessService.revoke(ae, userName); + } + } + } + } + String id = getId(userName); aclStore.deleteResource(id); logger.trace("delete user : {}", userName);
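Review bot: The revocation loop relies on `projectService.listProjects(null, null)` returning every project; if those two arguments are a limit/offset pair, only the first page is cleaned and the deleted user's entries on the remaining projects survive — presumably null means unbounded, but that is worth confirming and recording in the `//revoke user's project permission` comment. Because the loop sits inside the same try as `aclStore.deleteResource(id)`, any exception from revoke (for example an access-denied result from its @PreAuthorize check if deleteUser runs under a non-admin context) aborts the user deletion; the catch that handles it is outside the hunk, so confirm it does not leave the user partially removed. deleteUser starts and ends outside the hunk.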