This is an automated email from the ASF dual-hosted git repository. liyang pushed a commit to branch kylin5 in repository https://gitbox.apache.org/repos/asf/kylin.git
commit a212350a518cde5fa1fe0357a71b806f5533e2c3 Author: Zhimin Wu <596361...@qq.com> AuthorDate: Fri Sep 1 18:26:22 2023 +0800 KYLIN-5807 Fix query execute as user without data query acl Co-authored-by: Feng Zhu <fish...@outlook.com> --- .../java/org/apache/kylin/rest/service/AccessService.java | 14 ++++++++++---- .../java/org/apache/kylin/rest/service/QueryService.java | 13 +++++++++++++ .../org/apache/kylin/rest/service/QueryServiceTest.java | 2 ++ 3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/src/common-service/src/main/java/org/apache/kylin/rest/service/AccessService.java b/src/common-service/src/main/java/org/apache/kylin/rest/service/AccessService.java
index 54dcf242c8..031282378f 100644
--- a/src/common-service/src/main/java/org/apache/kylin/rest/service/AccessService.java
+++ b/src/common-service/src/main/java/org/apache/kylin/rest/service/AccessService.java
@@ -756,13 +756,19 @@ public class AccessService extends BasicService {
 return sidWithPermissions;
 }
- @SneakyThrows(IOException.class)
 public Set<String> getUserNormalExtPermissions(String project) {
- String projectUuid = NProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(project)
- .getUuid();
 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
 if (Objects.nonNull(authentication)) {
- val userName = authentication.getName();
+ return getUserNormalExtPermissionsByUserInProject(project, authentication.getName());
+ }
+ return new HashSet<>();
+ }
+
+ @SneakyThrows(IOException.class)
+ public Set<String> getUserNormalExtPermissionsByUserInProject(String project, String userName) {
+ String projectUuid = NProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(project)
+ .getUuid();
+ if (Objects.nonNull(userName)) {
 if (userAclService.canAdminUserQuery(userName)) {
 return Collections.singleton(AclConstants.DATA_QUERY);
 }
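Review bot: The new public method `getUserNormalExtPermissionsByUserInProject(String project, String userName)` evaluates permissions for a caller-supplied user name instead of the security context, so it is effectively an impersonation entry point and should say so; the only guard it has is the null check on `userName`, and its body continues past the end of this hunk. Add a Javadoc along the lines of `/** Resolves the extended (non-ACL) permissions of {@code userName} in {@code project} without consulting the security context; the caller must already have authorized acting as that user (e.g. an execute-as query). */`. `NProjectManager...getProject(project)` is dereferenced immediately with `.getUuid()`; if that lookup returns null for an unknown project name (I cannot see its contract here) the failure surfaces as a NullPointerException, and a `Objects.requireNonNull(..., "project not found: " + project)` or an explicit KylinException would make the denial path clearer. `getUserNormalExtPermissions` now returns a mutable `new HashSet<>()` for the unauthenticated case; `Collections.emptySet()` would be the lighter choice if callers do not mutate the result.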
diff --git a/src/query-service/src/main/java/org/apache/kylin/rest/service/QueryService.java b/src/query-service/src/main/java/org/apache/kylin/rest/service/QueryService.java
index 60837454a0..7b10e1eb67 100644
--- a/src/query-service/src/main/java/org/apache/kylin/rest/service/QueryService.java
+++ b/src/query-service/src/main/java/org/apache/kylin/rest/service/QueryService.java
@@ -81,6 +81,7 @@ import org.apache.kylin.common.util.AddressUtil;
 import org.apache.kylin.common.util.JsonUtil;
 import org.apache.kylin.common.util.Pair;
 import org.apache.kylin.common.util.SetThreadName;
+import org.apache.kylin.constants.AclConstants;
 import org.apache.kylin.engine.spark.filter.BloomFilterSkipCollector;
 import org.apache.kylin.engine.spark.filter.ParquetPageFilterCollector;
 import org.apache.kylin.guava30.shaded.common.annotations.VisibleForTesting;
@@ -567,6 +568,18 @@ public class QueryService extends BasicService implements CacheSignatureQuerySup
 if (!grantedProjects.contains(sqlRequest.getProject())) {
 throw new KylinException(ACCESS_DENIED, "Access is denied.");
 }
+
+ val isDataPermissionDefaultEnabled = KylinConfig.getInstanceFromEnv().isDataPermissionDefaultEnabled();
+ if (isDataPermissionDefaultEnabled) {
+ try {
+ Set<String> extPermissions = accessService.getUserNormalExtPermissionsByUserInProject(sqlRequest.getProject(), executeUser);
+ if (!extPermissions.contains(AclConstants.DATA_QUERY)) {
+ throw new KylinException(ACCESS_DENIED, "Access is denied.");
+ }
+ } catch (Exception e) {
+ throw new KylinException(ACCESS_DENIED, e);
+ }
+ }
 }

 private void checkSqlRequest(SQLRequest sqlRequest) {
diff --git a/src/query-service/src/test/java/org/apache/kylin/rest/service/QueryServiceTest.java b/src/query-service/src/test/java/org/apache/kylin/rest/service/QueryServiceTest.java
index 200fbb960f..89fead0d99 100644
--- a/src/query-service/src/test/java/org/apache/kylin/rest/service/QueryServiceTest.java
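Review bot: In the second hunk the `throw new KylinException(ACCESS_DENIED, "Access is denied.")` for a missing DATA_QUERY permission sits inside the `try`, so it is immediately caught by `catch (Exception e)` and re-thrown as `new KylinException(ACCESS_DENIED, e)`, which replaces the deliberate message with a wrapped copy of itself; move the membership check outside the `try` so only the lookup is guarded. Failing closed on any lookup error is the right default for an execute-as check, but the broad catch also turns unrelated failures (a bad project name, an I/O error from the ACL store) into a silent access denial whose cause may or may not reach the client depending on how KylinException renders its cause, so log the original exception before rethrowing if this class has a logger (not visible in the hunk). The enclosing method and the `executeUser` variable are defined outside this hunk.
```java
// … unchanged: grantedProjects check …
val isDataPermissionDefaultEnabled = KylinConfig.getInstanceFromEnv().isDataPermissionDefaultEnabled();
if (isDataPermissionDefaultEnabled) {
    Set<String> extPermissions;
    try {
        extPermissions = accessService.getUserNormalExtPermissionsByUserInProject(sqlRequest.getProject(), executeUser);
    } catch (Exception e) {
        // fail closed: any failure to resolve the execute user's permissions denies the query
        throw new KylinException(ACCESS_DENIED, e);
    }
    if (!extPermissions.contains(AclConstants.DATA_QUERY)) {
        throw new KylinException(ACCESS_DENIED, "Access is denied.");
    }
}
```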
+++ b/src/query-service/src/test/java/org/apache/kylin/rest/service/QueryServiceTest.java
@@ -230,6 +230,8 @@ public class QueryServiceTest extends NLocalFileMetadataTestCase {
 ReflectionTestUtils.setField(queryService, "aclTCRService", aclTCRService);
 ReflectionTestUtils.setField(accessService, "userService", userService);
 ReflectionTestUtils.setField(accessService, "aclService", aclService);
+ ReflectionTestUtils.setField(accessService, "userAclService", userAclService);
+ ReflectionTestUtils.setField(userAclService, "userService", userService);
 ReflectionTestUtils.setField(aclTCRService, "accessService", accessService);
 ReflectionTestUtils.setField(aclTCRService, "userService", userService);
 ReflectionTestUtils.setField(queryService, "appConfig", appConfig);
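Review bot: The only change to QueryServiceTest is the two `ReflectionTestUtils.setField` wiring lines, so the new execute-as denial in QueryService is not exercised by any test in this commit (the diffstat confirms `QueryServiceTest.java | 2 ++`). Add a case that enables `isDataPermissionDefaultEnabled`, arranges `userAclService` so the execute user lacks `AclConstants.DATA_QUERY`, and asserts that the query fails with a KylinException carrying `ACCESS_DENIED`, plus a positive case for an execute user that does hold it, so the fix for KYLIN-5807 cannot regress silently.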