peacewong pushed a commit to branch dev-1.3.2
in repository https://gitbox.apache.org/repos/asf/linkis.git
The following commit(s) were added to refs/heads/dev-1.3.2 by this push:
new d5f3ad35d EntranceRestfulApi kill job api add access control (#4305)
d5f3ad35d is described below
commit d5f3ad35da3782ca1f785f104ac7a7e7e6c9290e
Author: Casion <[email protected]>
AuthorDate: Mon Mar 6 14:54:48 2023 +0800
EntranceRestfulApi kill job api add access control (#4305)
* kill job api add user permission check
---
.../apache/linkis/common/conf/Configuration.scala | 4 +++
.../entrance/restful/EntranceRestfulApi.java | 30 ++++++++++++++++++++--
2 files changed, 32 insertions(+), 2 deletions(-)
diff --git
a/linkis-commons/linkis-common/src/main/scala/org/apache/linkis/common/conf/Configuration.scala
b/linkis-commons/linkis-common/src/main/scala/org/apache/linkis/common/conf/Configuration.scala
index a23a9fcae..29febf0b3 100644
---
a/linkis-commons/linkis-common/src/main/scala/org/apache/linkis/common/conf/Configuration.scala
+++
b/linkis-commons/linkis-common/src/main/scala/org/apache/linkis/common/conf/Configuration.scala
@@ -107,6 +107,10 @@ object Configuration extends Logging {
!isAdmin(username)
}
+ def isNotJobHistoryAdmin(username: String): Boolean = {
+ !isJobHistoryAdmin(username)
+ }
+
def isJobHistoryAdmin(username: String): Boolean = {
getJobHistoryAdmin()
.exists(username.equalsIgnoreCase)
diff --git
a/linkis-computation-governance/linkis-entrance/src/main/java/org/apache/linkis/entrance/restful/EntranceRestfulApi.java
b/linkis-computation-governance/linkis-entrance/src/main/java/org/apache/linkis/entrance/restful/EntranceRestfulApi.java
index 324187fc2..c94bdd79a 100644
---
a/linkis-computation-governance/linkis-entrance/src/main/java/org/apache/linkis/entrance/restful/EntranceRestfulApi.java
+++
b/linkis-computation-governance/linkis-entrance/src/main/java/org/apache/linkis/entrance/restful/EntranceRestfulApi.java
@@ -17,6 +17,7 @@
package org.apache.linkis.entrance.restful;
+import org.apache.linkis.common.conf.Configuration;
import org.apache.linkis.common.log.LogUtils;
import org.apache.linkis.entrance.EntranceServer;
import org.apache.linkis.entrance.conf.EntranceConfiguration;
@@ -513,7 +514,8 @@ public class EntranceRestfulApi implements
EntranceRestfulRemote {
JsonNode idNode = jsonNode.get("idList");
JsonNode taskIDNode = jsonNode.get("taskIDList");
ArrayList<Long> waitToForceKill = new ArrayList<>();
- ModuleUserUtils.getOperationUser(req, "killJobs");
+ String userName = ModuleUserUtils.getOperationUser(req, "killJobs");
+
if (idNode.size() != taskIDNode.size()) {
return Message.error(
"The length of the ID list does not match the length of the TASKID
list(id列表的长度与taskId列表的长度不一致)");
@@ -550,6 +552,17 @@ public class EntranceRestfulApi implements
EntranceRestfulRemote {
} else {
try {
logger.info("begin to kill job {} ", job.get().getId());
+
+ if (job.get() instanceof EntranceJob) {
+ EntranceJob entranceJob = (EntranceJob) job.get();
+ JobRequest jobReq = entranceJob.getJobRequest();
+ if (!userName.equals(jobReq.getExecuteUser())
+ && Configuration.isNotJobHistoryAdmin(userName)) {
+ return Message.error(
+ "You have no permission to kill this job, excecute by user:"
+ + jobReq.getExecuteUser());
+ }
+ }
job.get().kill();
message = Message.ok("Successfully killed the job(成功kill了job)");
message.setMethod("/api/entrance/" + id + "/kill");
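Review bot: The owner check at `if (job.get() instanceof EntranceJob)` fails open: a job of any other type skips the comparison and still reaches `job.get().kill()` for any authenticated caller, and the same shape is repeated in the `kill` hunk further down. Deny when the owner cannot be determined, for example by adding `else if (Configuration.isNotJobHistoryAdmin(userName)) { return Message.error("You have no permission to kill this job"); }` after the `instanceof` block. Separately, `logger.info("begin to kill job {} ", job.get().getId())` now runs before the permission decision, so a denied request leaves a log line that reads as if the kill had started; it belongs below the check. The surrounding method begins and ends outside this hunk; if this code sits inside the per-id loop of `killJobs`, as `message.setMethod("/api/entrance/" + id + "/kill")` suggests, the early `return` also discards the results for ids already processed, and recording an error `message` for that id would be safer.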
@@ -607,7 +620,8 @@ public class EntranceRestfulApi implements
EntranceRestfulRemote {
@PathVariable("id") String id,
@RequestParam(value = "taskID", required = false) Long taskID) {
String realId = ZuulEntranceUtils.parseExecID(id)[3];
- ModuleUserUtils.getOperationUser(req, "kill realId:" + realId);
+ String userName = ModuleUserUtils.getOperationUser(req, "kill task
realId:" + realId);
+
Option<Job> job = Option.apply(null);
try {
job = entranceServer.getJob(realId);
@@ -631,6 +645,18 @@ public class EntranceRestfulApi implements
EntranceRestfulRemote {
return message;
} else {
try {
+
+ if (job.get() instanceof EntranceJob) {
+ EntranceJob entranceJob = (EntranceJob) job.get();
+ JobRequest jobReq = entranceJob.getJobRequest();
+ if (!userName.equals(jobReq.getExecuteUser())
+ && Configuration.isNotJobHistoryAdmin(userName)) {
+ return Message.error(
+ "You have no permission to kill this job, excecute by user:"
+ + jobReq.getExecuteUser());
+ }
+ }
+
logger.info("begin to kill job {} ", job.get().getId());
job.get().kill();
message = Message.ok("Successfully killed the job(成功kill了job)");
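Review bot: The denial message returned to the caller appends `jobReq.getExecuteUser()`, which tells a user who has just failed the permission check who owns the job; the same string is used in the `killJobs` hunk above. Return a generic `Message.error("You have no permission to kill this job")` and keep the detail server-side with `logger.warn("user {} denied kill of job {} owned by {}", userName, job.get().getId(), jobReq.getExecuteUser());`, which also gives the denial an audit record (the current text misspells "execute" as "excecute"). The owner comparison uses case-sensitive `equals` while `isJobHistoryAdmin` in Configuration.scala matches with `equalsIgnoreCase`; it is worth confirming that both are intended. The two identical permission blocks would be easier to keep in sync as one private helper, and the enclosing `kill` method continues outside this hunk.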