kylin-commits mailing list archives

From liy...@apache.org
Subject [1/4] kylin git commit: KYLIN-2555 minor issues about acl and granted autority [Forced Update!]
Date Thu, 20 Apr 2017 01:36:45 GMT
Repository: kylin
Updated Branches:
  refs/heads/2.0.x-hbase0.98 39782f68e -> 2de455de3 (forced update)


KYLIN-2555 minor issues about acl and granted autority


Project: http://git-wip-us.apache.org/repos/asf/kylin/repo
Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/3fb74fe4
Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/3fb74fe4
Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/3fb74fe4

Branch: refs/heads/2.0.x-hbase0.98
Commit: 3fb74fe49fb6308444f80080b87c0fd3160302a9
Parents: d31e7e0
Author: Hongbin Ma <mahongbin@apache.org>
Authored: Wed Apr 19 19:28:39 2017 +0800
Committer: Hongbin Ma <mahongbin@apache.org>
Committed: Wed Apr 19 19:28:39 2017 +0800

----------------------------------------------------------------------
 .../rest/security/AuthoritiesPopulator.java     | 15 ++++++++----
 .../apache/kylin/rest/service/AclService.java   | 14 ++++++++++-
 .../apache/kylin/rest/service/UserService.java  |  5 ++++
 server/src/main/resources/kylinSecurity.xml     |  4 ++--
 .../rest/controller/UserControllerTest.java     |  3 ++-
 .../kylin/rest/service/ServiceTestBase.java     | 25 +++++++++++++++++++-
 .../kylin/rest/service/UserServiceTest.java     |  7 +++---
 7 files changed, 60 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
----------------------------------------------------------------------
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
index 7983fc0..2b290ce 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
@@ -21,6 +21,8 @@ package org.apache.kylin.rest.security;
 import java.util.HashSet;
 import java.util.Set;
 
+import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang.StringUtils;
 import org.apache.kylin.rest.constant.Constant;
 import org.springframework.ldap.core.ContextSource;
 import org.springframework.security.core.GrantedAuthority;
@@ -33,7 +35,6 @@ import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopul
  */
 public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
 
-    String adminRole;
     SimpleGrantedAuthority adminRoleAsAuthority;
 
     SimpleGrantedAuthority adminAuthority = new SimpleGrantedAuthority(Constant.ROLE_ADMIN);
@@ -48,12 +49,12 @@ public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator
{
      */
     public AuthoritiesPopulator(ContextSource contextSource, String groupSearchBase, String
adminRole, String defaultRole) {
         super(contextSource, groupSearchBase);
-        this.adminRole = adminRole;
         this.adminRoleAsAuthority = new SimpleGrantedAuthority(adminRole);
 
-        if (defaultRole.contains(Constant.ROLE_MODELER))
+        String[] defaultRoles = StringUtils.split(defaultRole, ",");
+        if (ArrayUtils.contains(defaultRoles, Constant.ROLE_MODELER))
             this.defaultAuthorities.add(modelerAuthority);
-        if (defaultRole.contains(Constant.ROLE_ANALYST))
+        if (ArrayUtils.contains(defaultRoles, Constant.ROLE_ANALYST))
             this.defaultAuthorities.add(analystAuthority);
     }
 
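Review bot: `StringUtils.split(defaultRole, ",")` does not trim its tokens, so a value written with a space after the comma (the style the `authorities` attributes in kylinSecurity.xml use) yields `" ROLE_ANALYST"`, which `ArrayUtils.contains` will not match, and that default role is dropped without any error. Stripping the tokens keeps the exact-match intent of the change: `String[] defaultRoles = StringUtils.stripAll(StringUtils.split(defaultRole, ","));`. Both calls tolerate a null `defaultRole`. A short comment on the constructor stating that `defaultRole` is a comma-separated list of role names would help whoever edits the configuration.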
@@ -61,13 +62,17 @@ public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator
{
     public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username)
{
         Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
 
+        authorities.addAll(defaultAuthorities);
+
         if (authorities.contains(adminRoleAsAuthority)) {
             authorities.add(adminAuthority);
             authorities.add(modelerAuthority);
             authorities.add(analystAuthority);
         }
 
-        authorities.addAll(defaultAuthorities);
+        if (authorities.contains(modelerAuthority)) {
+            authorities.add(analystAuthority);
+        }
 
         return authorities;
     }
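Review bot: Moving `authorities.addAll(defaultAuthorities)` above the `authorities.contains(adminRoleAsAuthority)` test means the admin decision now sees the configured defaults as well as the groups LDAP returned. If `adminRole` is ever set to a name that is also listed in `defaultRole` (presumably the modeler and analyst authorities wrap those role names), every authenticated LDAP user would receive `adminAuthority`; before this change the defaults were merged only after the check. Only the modeler-implies-analyst rule needs the defaults merged first, so the admin decision can be taken on the LDAP result alone: put `boolean isAdmin = authorities.contains(adminRoleAsAuthority);` ahead of the `addAll` and test `if (isAdmin) {` afterwards. A comment stating the intended hierarchy (admin implies modeler and analyst, modeler implies analyst) would document why the order matters.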

http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
----------------------------------------------------------------------
diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java b/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
index 3e3efec..b80d97d 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
@@ -66,6 +66,7 @@ import org.springframework.security.acls.model.PermissionGrantingStrategy;
 import org.springframework.security.acls.model.Sid;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.util.FieldUtils;
 import org.springframework.stereotype.Component;
 import org.springframework.util.Assert;
@@ -75,7 +76,6 @@ import com.fasterxml.jackson.databind.JsonMappingException;
 
 /**
  * @author xduo
- * 
  */
 @Component("aclService")
 public class AclService implements MutableAclService {
@@ -111,6 +111,9 @@ public class AclService implements MutableAclService {
     @Autowired
     protected AclHBaseStorage aclHBaseStorage;
 
+    @Autowired
+    protected UserService userService;
+
     public AclService() throws IOException {
         fieldAces.setAccessible(true);
         fieldAcl.setAccessible(true);
@@ -297,6 +300,13 @@ public class AclService implements MutableAclService {
             }
 
             for (AccessControlEntry ace : acl.getEntries()) {
+                if (ace.getSid() instanceof PrincipalSid) {
+                    PrincipalSid psid = (PrincipalSid) ace.getSid();
+                    String userName = psid.getPrincipal();
+                    logger.debug("ACE SID name: " + userName);
+                    if (!userService.userExists(userName))
+                        throw new UsernameNotFoundException("User " + userName + " does not
exist. Please make sure the user has logged in before");
+                }
                 AceInfo aceInfo = new AceInfo(ace);
                 put.addColumn(Bytes.toBytes(AclHBaseStorage.ACL_ACES_FAMILY), Bytes.toBytes(aceInfo.getSidInfo().getSid()),
aceSerializer.serialize(aceInfo));
             }
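Review bot: The new `userService.userExists(userName)` check runs inside the loop that is already filling `put`, and it reports an unknown grantee with `UsernameNotFoundException`, which is an `AuthenticationException`. Spring Security's exception translation may treat that type as a failed authentication of the caller rather than as an invalid argument, and whatever the method did before this loop (outside the hunk) is not undone when a later entry throws. Checking every `PrincipalSid` in a separate pass before the first ACE is added, and throwing a non-authentication exception such as `IllegalArgumentException`, would keep the failure unambiguous. The principal name comes from the grant request and is echoed into both the debug log and the exception text, so confirm it is safe to write verbatim. The enclosing method starts and ends outside this hunk.

```java
            // Reject unknown principals before any ACE is added to the Put.
            for (AccessControlEntry ace : acl.getEntries()) {
                if (ace.getSid() instanceof PrincipalSid) {
                    String userName = ((PrincipalSid) ace.getSid()).getPrincipal();
                    if (!userService.userExists(userName))
                        throw new IllegalArgumentException("User " + userName + " does not exist. Please make sure the user has logged in before");
                }
            }

            for (AccessControlEntry ace : acl.getEntries()) {
                AceInfo aceInfo = new AceInfo(ace);
                // … unchanged: put.addColumn(...) with the serialized AceInfo …
            }
```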
@@ -315,6 +325,7 @@ public class AclService implements MutableAclService {
         return (MutableAcl) readAclById(acl.getObjectIdentity());
     }
 
+
     private void genAces(List<Sid> sids, Result result, AclImpl acl) throws JsonParseException,
JsonMappingException, IOException {
         List<AceInfo> aceInfos = new ArrayList<AceInfo>();
         if (null != sids) {
@@ -459,4 +470,5 @@ public class AclService implements MutableAclService {
         }
     }
 
+
 }

http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
----------------------------------------------------------------------
diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
index ab54882..9d94de1 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
@@ -37,9 +37,11 @@ import org.apache.hadoop.hbase.client.Scan;
 import org.apache.hadoop.hbase.client.Table;
 import org.apache.kylin.common.util.Bytes;
 import org.apache.kylin.common.util.Pair;
+import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.security.AclHBaseStorage;
 import org.apache.kylin.rest.util.Serializer;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -138,11 +140,13 @@ public class UserService implements UserDetailsManager {
     }
 
     @Override
+    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
     public void createUser(UserDetails user) {
         updateUser(user);
     }
 
     @Override
+    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
     public void updateUser(UserDetails user) {
         Table htable = null;
         try {
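Review bot: `createUser` reaches `updateUser` through a plain `this` call, so the `@PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)` on `updateUser` is evaluated only for callers that come in through the Spring proxy. The annotation on `createUser` is what protects this path, and a one-line comment saying so would stop it being removed as redundant. The annotations on all three mutators (including `deleteUser` in the next hunk) also assume method security is enabled for this bean and that every legitimate caller already holds an admin authentication. The message added to AclService in this commit suggests user records are written when a user logs in; if that code calls `createUser` or `updateUser` on the proxied bean, it would now be refused for non-admin users, which is worth confirming. None of the tests in this message exercise a denied call, so a test that runs as `MODELER` and expects `AccessDeniedException` would pin the new rule.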
@@ -162,6 +166,7 @@ public class UserService implements UserDetailsManager {
     }
 
     @Override
+    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
     public void deleteUser(String username) {
         Table htable = null;
         try {

http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server/src/main/resources/kylinSecurity.xml
----------------------------------------------------------------------
diff --git a/server/src/main/resources/kylinSecurity.xml b/server/src/main/resources/kylinSecurity.xml
index 3f4abdc..9d633ee 100644
--- a/server/src/main/resources/kylinSecurity.xml
+++ b/server/src/main/resources/kylinSecurity.xml
@@ -142,7 +142,7 @@
 		<scr:authentication-manager alias="testingAuthenticationManager">
 			<scr:authentication-provider>
 				<scr:user-service>
-					<scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG"
authorities="ROLE_MODELER" />
+					<scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG"
authorities="ROLE_MODELER, ROLE_ANALYST" />
 					<scr:user name="ANALYST" password="$2a$10$s4INO3XHjPP5Vm2xH027Ce9QeXWdrfq5pvzuGr9z/lQmHqi0rsbNi"
authorities="ROLE_ANALYST" />
 					<scr:user name="ADMIN" password="$2a$10$o3ktIWsGYxXNuUWQiYlZXOW5hWcqyNAFQsSSCSEWoC/BRVMAUjL32"
authorities="ROLE_MODELER, ROLE_ANALYST, ROLE_ADMIN" />
 				</scr:user-service>
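Review bot: Adding `ROLE_ANALYST` to the `MODELER` entry repeats by hand the modeler-implies-analyst rule that this commit also codes into `AuthoritiesPopulator.getGroupMembershipRoles`, so the hierarchy now lives in two places. Any other `scr:user` list in this file (outside this hunk) would need the same edit to stay consistent. A comment above the `scr:user-service` element, for example `<!-- MODELER implies ANALYST; keep in sync with AuthoritiesPopulator -->`, would make the dependency visible.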
@@ -503,4 +503,4 @@
 
 		<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
 	</beans>
-</beans>
\ No newline at end of file
+</beans>

http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
b/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
index ab77a9a..767aaf1 100644
--- a/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
+++ b/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.service.ServiceTestBase;
 import org.junit.Assert;
 import org.junit.Before;
@@ -46,7 +47,7 @@ public class UserControllerTest extends ServiceTestBase {
         staticCreateTestMetadata();
         List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
         User user = new User("ADMIN", "ADMIN", authorities);
-        Authentication authentication = new TestingAuthenticationToken(user, "ADMIN", "ROLE_ADMIN");
+        Authentication authentication = new TestingAuthenticationToken(user, "ADMIN", Constant.ROLE_ADMIN);
         SecurityContextHolder.getContext().setAuthentication(authentication);
     }
 

http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java b/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
index 3a587e4..a47fdd2 100644
--- a/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
+++ b/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
@@ -18,18 +18,23 @@
 
 package org.apache.kylin.rest.service;
 
+import java.util.Arrays;
+
 import org.apache.kylin.common.KylinConfig;
 import org.apache.kylin.common.util.LocalFileMetadataTestCase;
 import org.apache.kylin.metadata.cachesync.Broadcaster;
+import org.apache.kylin.rest.constant.Constant;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
@@ -42,10 +47,13 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 @ActiveProfiles("testing")
 public class ServiceTestBase extends LocalFileMetadataTestCase {
 
+    @Autowired
+    UserService userService;
+
     @BeforeClass
     public static void setupResource() throws Exception {
         staticCreateTestMetadata();
-        Authentication authentication = new TestingAuthenticationToken("ADMIN", "ADMIN",
"ROLE_ADMIN");
+        Authentication authentication = new TestingAuthenticationToken("ADMIN", "ADMIN",
Constant.ROLE_ADMIN);
         SecurityContextHolder.getContext().setAuthentication(authentication);
     }
 
@@ -59,6 +67,21 @@ public class ServiceTestBase extends LocalFileMetadataTestCase {
 
         KylinConfig config = KylinConfig.getInstanceFromEnv();
         Broadcaster.getInstance(config).notifyClearAll();
+
+        if (!userService.userExists("ADMIN")) {
+            userService.createUser(new User("ADMIN", "KYLIN", Arrays.asList(//
+                    new UserService.UserGrantedAuthority(Constant.ROLE_ADMIN), new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST),
new UserService.UserGrantedAuthority(Constant.ROLE_MODELER))));
+        }
+
+        if (!userService.userExists("MODELER")) {
+            userService.createUser(new User("MODELER", "MODELER", Arrays.asList(//
+                    new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST), new UserService.UserGrantedAuthority(Constant.ROLE_MODELER))));
+        }
+
+        if (!userService.userExists("ROLE_ANALYST")) {
+            userService.createUser(new User("ROLE_ANALYST", "ROLE_ANALYST", Arrays.asList(//
+                    new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST))));
+        }
     }
 
     @After
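Review bot: The third fixture is created with the user name `"ROLE_ANALYST"` (and the same string as its password), while the matching account in kylinSecurity.xml is named `ANALYST`; this looks like a slip between role name and user name. With the `userExists` check this commit adds to AclService, a test that grants a permission to the principal `ANALYST` would fail with `UsernameNotFoundException` because that user is never created. Suggested: `if (!userService.userExists("ANALYST")) {` and `userService.createUser(new User("ANALYST", "ANALYST", Arrays.asList(//`. The enclosing setup method begins outside this hunk.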

http://git-wip-us.apache.org/repos/asf/kylin/blob/3fb74fe4/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java b/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
index 28515be..36c554e 100644
--- a/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
+++ b/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
@@ -21,6 +21,7 @@ package org.apache.kylin.rest.service;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.apache.kylin.rest.constant.Constant;
 import org.junit.Assert;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -43,7 +44,7 @@ public class UserServiceTest extends ServiceTestBase {
         Assert.assertTrue(!userService.userExists("ADMIN"));
 
         List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
-        authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
+        authorities.add(new SimpleGrantedAuthority(Constant.ROLE_ADMIN));
         User user = new User("ADMIN", "PWD", authorities);
         userService.createUser(user);
 
@@ -52,9 +53,9 @@ public class UserServiceTest extends ServiceTestBase {
         UserDetails ud = userService.loadUserByUsername("ADMIN");
         Assert.assertEquals("ADMIN", ud.getUsername());
         Assert.assertEquals("PWD", ud.getPassword());
-        Assert.assertEquals("ROLE_ADMIN", ud.getAuthorities().iterator().next().getAuthority());
+        Assert.assertEquals(Constant.ROLE_ADMIN, ud.getAuthorities().iterator().next().getAuthority());
         Assert.assertEquals(1, ud.getAuthorities().size());
 
-        Assert.assertTrue(userService.listUserAuthorities().contains("ROLE_ADMIN"));
+        Assert.assertTrue(userService.listUserAuthorities().contains(Constant.ROLE_ADMIN));
     }
 }

