This is an automated email from the ASF dual-hosted git repository.
dingtao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozhera.git
The following commit(s) were added to refs/heads/master by this push:
new 8f43b9ce feat: space\store permission check (#658)
8f43b9ce is described below
commit 8f43b9ceb1898e4f8d16397be8e1c973f8cc1ddf
Author: lhhhhf <[email protected]>
AuthorDate: Wed Apr 15 16:37:14 2026 +0800
feat: space\store permission check (#658)
* feat: bind space to IAM
* fix space extension service
* fix: change log-manager version
* fix: update space tenant id
* refactor: change space permission check return type from String to Result
* feat: store permission check
* feat: log store add tenantId
* fix: fix space tpc permission
---------
Co-authored-by: liuhaifeng7 <[email protected]>
---
ozhera-log/log-manager/pom.xml | 2 +-
.../log/manager/model/pojo/MilogLogStoreDO.java | 5 +++
.../ozhera/log/manager/model/vo/LogStoreParam.java | 2 +
.../space/DefaultSpaceExtensionService.java | 47 ++++++++++++++++++++++
.../extension/space/SpaceExtensionService.java | 35 ++++++++++++++++
.../space/SpaceExtensionServiceFactory.java | 37 +++++++++++++++++
.../store/DefaultStoreExtensionService.java | 16 ++++++++
.../extension/store/StoreExtensionService.java | 7 ++++
.../manager/service/impl/LogSpaceServiceImpl.java | 46 +++++++++++++++++----
.../manager/service/impl/LogStoreServiceImpl.java | 15 +++++++
10 files changed, 204 insertions(+), 8 deletions(-)
diff --git a/ozhera-log/log-manager/pom.xml b/ozhera-log/log-manager/pom.xml
index 22a71c1a..445fc330 100644
--- a/ozhera-log/log-manager/pom.xml
+++ b/ozhera-log/log-manager/pom.xml
@@ -28,7 +28,7 @@ http://www.apache.org/licenses/LICENSE-2.0
<modelVersion>4.0.0</modelVersion>
<artifactId>log-manager</artifactId>
- <version>2.3.2-SNAPSHOT</version>
+ <version>2.3.3-SNAPSHOT</version>
<properties>
<maven.compiler.source>21</maven.compiler.source>
diff --git
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/model/pojo/MilogLogStoreDO.java
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/model/pojo/MilogLogStoreDO.java
index b3d888cf..1f07c858 100644
---
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/model/pojo/MilogLogStoreDO.java
+++
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/model/pojo/MilogLogStoreDO.java
@@ -84,6 +84,11 @@ public class MilogLogStoreDO extends BaseCommon {
@Default("false")
private Boolean usePlatformResource;
+ @Column(value = "tenant_id")
+ @ColDefine(customType = "bigint")
+ @Comment("Tenant ID")
+ private Long tenantId;
+
@Column(value = "es_index")
@ColDefine(type = ColType.VARCHAR, width = 256)
@Comment("es index:milog_logstoreName")
diff --git
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/model/vo/LogStoreParam.java
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/model/vo/LogStoreParam.java
index 592928a7..1fd0820a 100644
---
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/model/vo/LogStoreParam.java
+++
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/model/vo/LogStoreParam.java
@@ -56,6 +56,8 @@ public class LogStoreParam {
private String storageType;
+ private Long tenantId;
+
private Boolean nameSameStatus = Boolean.FALSE;
public boolean isPlatformResourceStore() {
diff --git
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/space/DefaultSpaceExtensionService.java
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/space/DefaultSpaceExtensionService.java
new file mode 100644
index 00000000..ac825a42
--- /dev/null
+++
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/space/DefaultSpaceExtensionService.java
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ozhera.log.manager.service.extension.space;
+
+import com.xiaomi.youpin.docean.anno.Service;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.ozhera.log.common.Result;
+import org.apache.ozhera.log.manager.model.MilogSpaceParam;
+
+import static
org.apache.ozhera.log.manager.service.extension.space.SpaceExtensionService.DEFAULT_SPACE_EXTENSION_SERVICE_KEY;
+
+@Service(name = DEFAULT_SPACE_EXTENSION_SERVICE_KEY)
+@Slf4j
+public class DefaultSpaceExtensionService implements SpaceExtensionService {
+
+ @Override
+ public Result<String> checkCreatePermission(Long tenantId) {
+ return Result.success();
+ }
+
+ @Override
+ public Result<String> checkUpdatePermission(MilogSpaceParam param) {
+ return Result.success();
+ }
+
+ @Override
+ public Result<String> checkDeletePermission(Long id) {
+ return Result.success();
+ }
+}
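Review bot: DefaultSpaceExtensionService grants every create, update and delete request unconditionally, and nothing in the class says so. Since LogSpaceServiceImpl in this commit skips the `tpc.hasPerm` check for tenant-bound spaces, a deployment that leaves `space.extension.service` at its default appears to run no authorization on those spaces at all. Add a class Javadoc such as `/** Permissive no-op used when no IAM extension is configured; every check returns success. */` and consider a one-time `log.warn` at startup so operators can see that tenant checks are disabled. The same applies to the three methods added to DefaultStoreExtensionService.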
diff --git
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/space/SpaceExtensionService.java
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/space/SpaceExtensionService.java
new file mode 100644
index 00000000..0c233850
--- /dev/null
+++
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/space/SpaceExtensionService.java
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ozhera.log.manager.service.extension.space;
+
+import org.apache.ozhera.log.common.Result;
+import org.apache.ozhera.log.manager.model.MilogSpaceParam;
+
+public interface SpaceExtensionService {
+
+
+ String DEFAULT_SPACE_EXTENSION_SERVICE_KEY =
"defaultSpaceExtensionService";
+
+ Result<String> checkCreatePermission(Long tenantId);
+
+ Result<String> checkUpdatePermission(MilogSpaceParam param);
+
+ Result<String> checkDeletePermission(Long id);
+}
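Review bot: The three permission methods have no Javadoc, so an implementer cannot tell what a denial looks like. Callers in this commit treat any code other than `CommonError.Success.getCode()` as a refusal and forward `getMessage()` to the client, and `checkCreatePermission` receives `param.getTenantId()`, which may be null. Document on each method that a non-success code means denied, that the message is returned to the caller and must not carry internal detail, that a null Result is not allowed, and that `id` in `checkDeletePermission` is the space id. The methods added to StoreExtensionService need the same contract.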
diff --git
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/space/SpaceExtensionServiceFactory.java
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/space/SpaceExtensionServiceFactory.java
new file mode 100644
index 00000000..ef116068
--- /dev/null
+++
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/space/SpaceExtensionServiceFactory.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ozhera.log.manager.service.extension.space;
+
+import com.xiaomi.youpin.docean.Ioc;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.ozhera.log.common.Config;
+
+import static
org.apache.ozhera.log.manager.service.extension.space.SpaceExtensionService.DEFAULT_SPACE_EXTENSION_SERVICE_KEY;
+
+@Slf4j
+public class SpaceExtensionServiceFactory {
+ private static String factualServiceName;
+
+ public static SpaceExtensionService getSpaceExtensionService() {
+ factualServiceName = Config.ins().get("space.extension.service",
DEFAULT_SPACE_EXTENSION_SERVICE_KEY);
+ log.debug("SpaceExtensionServiceFactory factualServiceName:{}",
factualServiceName);
+ return Ioc.ins().getBean(factualServiceName);
+ }
+}
\ No newline at end of file
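Review bot: `factualServiceName` is a static field rewritten on every call although it is only used inside the method; make it a local (`String serviceName = Config.ins().get(...)`). More important for a permission hook, the result of `Ioc.ins().getBean(...)` is returned unchecked: if the configured name matches no bean, the failure would surface later, at the first permission check in LogSpaceServiceImpl, rather than at startup (how getBean reports a missing bean is not visible here). Fail fast with a clear message, e.g. `return Objects.requireNonNull(service, "no SpaceExtensionService bean named " + serviceName);`. The file also ends without a trailing newline.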
diff --git
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/store/DefaultStoreExtensionService.java
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/store/DefaultStoreExtensionService.java
index c7b48938..33fc13f1 100644
---
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/store/DefaultStoreExtensionService.java
+++
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/store/DefaultStoreExtensionService.java
@@ -23,6 +23,7 @@ import com.baomidou.mybatisplus.core.toolkit.Wrappers;
import org.apache.ozhera.log.api.enums.LogStorageTypeEnum;
import org.apache.ozhera.log.api.enums.OperateEnum;
import org.apache.ozhera.log.api.model.vo.ResourceUserSimple;
+import org.apache.ozhera.log.common.Result;
import org.apache.ozhera.log.manager.common.ManagerConstant;
import org.apache.ozhera.log.manager.dao.MilogLogstoreDao;
import org.apache.ozhera.log.manager.domain.EsIndexTemplate;
@@ -71,6 +72,21 @@ public class DefaultStoreExtensionService implements
StoreExtensionService {
@Resource
private DorisLogStorageService dorisLogStorageService;
+ @Override
+ public Result<String> checkCreatePermission(LogStoreParam param) {
+ return Result.success();
+ }
+
+ @Override
+ public Result<String> checkUpdatePermission(LogStoreParam param) {
+ return Result.success();
+ }
+
+ @Override
+ public Result<String> checkDeletePermission(Long id) {
+ return Result.success();
+ }
+
@Override
public boolean storeInfoCheck(LogStoreParam param) {
return false;
diff --git
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/store/StoreExtensionService.java
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/store/StoreExtensionService.java
index 057e0446..41f53b63 100644
---
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/store/StoreExtensionService.java
+++
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/extension/store/StoreExtensionService.java
@@ -19,6 +19,7 @@
package org.apache.ozhera.log.manager.service.extension.store;
import org.apache.ozhera.log.api.enums.OperateEnum;
+import org.apache.ozhera.log.common.Result;
import org.apache.ozhera.log.manager.model.pojo.MilogLogStoreDO;
import org.apache.ozhera.log.manager.model.vo.LogStoreParam;
@@ -32,6 +33,12 @@ public interface StoreExtensionService {
String DEFAULT_STORE_EXTENSION_SERVICE_KEY =
"defaultStoreExtensionService";
+ Result<String> checkCreatePermission(LogStoreParam param);
+
+ Result<String> checkUpdatePermission(LogStoreParam param);
+
+ Result<String> checkDeletePermission(Long id);
+
boolean storeInfoCheck(LogStoreParam param);
/**
diff --git
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/impl/LogSpaceServiceImpl.java
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/impl/LogSpaceServiceImpl.java
index dc2e113a..867bb38e 100644
---
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/impl/LogSpaceServiceImpl.java
+++
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/impl/LogSpaceServiceImpl.java
@@ -51,6 +51,8 @@ import
org.apache.ozhera.log.manager.model.pojo.MilogLogStoreDO;
import org.apache.ozhera.log.manager.model.pojo.MilogSpaceDO;
import org.apache.ozhera.log.manager.service.BaseService;
import org.apache.ozhera.log.manager.service.LogSpaceService;
+import
org.apache.ozhera.log.manager.service.extension.space.SpaceExtensionService;
+import
org.apache.ozhera.log.manager.service.extension.space.SpaceExtensionServiceFactory;
import org.apache.ozhera.log.manager.user.MoneUser;
import javax.annotation.Resource;
@@ -80,11 +82,20 @@ public class LogSpaceServiceImpl extends BaseService
implements LogSpaceService
@Resource
private Tpc tpc;
+ private SpaceExtensionService spaceExtensionService;
+
private static final Cache<String, List<MapDTO<String, Long>>>
SPACE_ALL_CACHE = CacheBuilder.newBuilder()
.maximumSize(100)
.expireAfterWrite(3, TimeUnit.MINUTES)
.build();
+ /**
+ * init method
+ */
+ public void init() {
+ spaceExtensionService =
SpaceExtensionServiceFactory.getSpaceExtensionService();
+ }
+
/**
* new
*
@@ -102,6 +113,11 @@ public class LogSpaceServiceImpl extends BaseService
implements LogSpaceService
return Result.failParam("There is a space name of the same name");
}
+ Result<String> checkResult =
spaceExtensionService.checkCreatePermission(param.getTenantId());
+ if (checkResult.getCode() != CommonError.Success.getCode()) {
+ return Result.failParam(checkResult.getMessage());
+ }
+
MilogSpaceDO milogSpaceDO = wrapMilogSpaceDO(param);
wrapBaseCommon(milogSpaceDO, OperateEnum.ADD_OPERATE);
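Review bot: A denial from `checkCreatePermission` is returned through `Result.failParam(...)`, so the client presumably sees a parameter error instead of an authorization failure and the extension's own code is discarded. The rest of this class uses `Result.fail(CommonError.UNAUTHORIZED)` for refusals, and the delete path in LogStoreServiceImpl keeps the code with `new Result<>(checkResult.getCode(), checkResult.getMessage())`. Use one of those here, and likewise in the update and delete hunks of this file and the create and update hunks of LogStoreServiceImpl, so denials stay distinguishable in responses and audit logs. The enclosing method starts and ends outside the hunk.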
@@ -145,6 +161,7 @@ public class LogSpaceServiceImpl extends BaseService
implements LogSpaceService
MilogSpaceDO milogSpaceDO = new MilogSpaceDO();
milogSpaceDO.setSpaceName(param.getSpaceName());
milogSpaceDO.setDescription(param.getDescription());
+ milogSpaceDO.setTenantId(param.getTenantId());
return milogSpaceDO;
}
@@ -272,14 +289,23 @@ public class LogSpaceServiceImpl extends BaseService
implements LogSpaceService
return new Result<>(CommonError.ParamsError.getCode(), "logSpace
does not exist", "");
}
- if (Objects.equals(param.getSpaceName(), milogSpace.getSpaceName()) &&
- Objects.equals(param.getDescription(),
milogSpace.getDescription())) {
+ if (Objects.equals(param.getSpaceName(), milogSpace.getSpaceName())
+ && Objects.equals(param.getDescription(),
milogSpace.getDescription())
+ && Objects.equals(param.getTenantId(),
milogSpace.getTenantId())) {
return Result.success("the logSpace data has not changed");
}
- if (!tpc.hasPerm(MoneUserContext.getCurrentUser(), param.getId())) {
- return Result.fail(CommonError.UNAUTHORIZED);
+ Result<String> checkResult =
spaceExtensionService.checkUpdatePermission(param);
+ if (checkResult.getCode() != CommonError.Success.getCode()) {
+ return Result.failParam(checkResult.getMessage());
}
+
+ if (param.getTenantId() == null) {
+ if (!tpc.hasPerm(MoneUserContext.getCurrentUser(), param.getId()))
{
+ return Result.fail(CommonError.UNAUTHORIZED);
+ }
+ }
+
wrapMilogSpace(milogSpace, param);
wrapBaseCommon(milogSpace, OperateEnum.UPDATE_OPERATE);
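Review bot: The legacy `tpc.hasPerm` check now runs only when `param.getTenantId() == null`, so it is gated on a value taken from the request rather than on the stored space. With the default extension, whose `checkUpdatePermission` always succeeds, an update that carries any tenantId passes with no permission check, and it may also rebind the space to a different tenant. Gate on the persisted record, as the delete hunk does: `if (milogSpace.getTenantId() == null && !tpc.hasPerm(MoneUserContext.getCurrentUser(), param.getId())) { return Result.fail(CommonError.UNAUTHORIZED); }`, and have the extension verify both the current and the requested tenant. The method body extends beyond the hunk.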
@@ -304,13 +330,19 @@ public class LogSpaceServiceImpl extends BaseService
implements LogSpaceService
if (null == id) {
return new Result<>(CommonError.ParamsError.getCode(), "ID cannot
be empty", "");
}
- if (!tpc.hasPerm(MoneUserContext.getCurrentUser(), id)) {
- return Result.fail(CommonError.UNAUTHORIZED);
- }
MilogSpaceDO milogSpace = milogSpaceDao.getMilogSpaceById(id);
if (null == milogSpace) {
return new Result<>(CommonError.ParamsError.getCode(), "logSpace
does not exist", "");
}
+ if (milogSpace.getTenantId() == null) {
+ if (!tpc.hasPerm(MoneUserContext.getCurrentUser(), id)) {
+ return Result.fail(CommonError.UNAUTHORIZED);
+ }
+ }
+ Result<String> checkResult =
spaceExtensionService.checkDeletePermission(id);
+ if (checkResult.getCode() != CommonError.Success.getCode()) {
+ return Result.failParam(checkResult.getMessage());
+ }
List<MilogLogStoreDO> stores =
milogLogstoreDao.getMilogLogstoreBySpaceId(id);
if (stores != null && stores.size() != 0) {
return new Result<>(CommonError.ParamsError.getCode(), "There is a
store under this space and cannot be deleted", "");
diff --git
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/impl/LogStoreServiceImpl.java
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/impl/LogStoreServiceImpl.java
index 5a9b99eb..1ea9a310 100644
---
a/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/impl/LogStoreServiceImpl.java
+++
b/ozhera-log/log-manager/src/main/java/org/apache/ozhera/log/manager/service/impl/LogStoreServiceImpl.java
@@ -131,6 +131,12 @@ public class LogStoreServiceImpl extends BaseService
implements LogStoreService
if (CollectionUtils.isNotEmpty(logStoreDOS)) {
return Result.failParam("The store name is duplicated, please fill
in the name again");
}
+
+ Result<String> checkResult =
storeExtensionService.checkCreatePermission(cmd);
+ if (checkResult.getCode() != CommonError.Success.getCode()) {
+ return Result.failParam(checkResult.getMessage());
+ }
+
MilogLogStoreDO storeDO =
MilogLogstoreConvert.INSTANCE.fromCommand(cmd);
wrapBaseCommon(storeDO, OperateEnum.ADD_OPERATE);
// Bind resources
@@ -233,6 +239,11 @@ public class LogStoreServiceImpl extends BaseService
implements LogStoreService
return new Result(CommonError.UnknownError.getCode(), "There is a
store name with the same name", "");
}
+ Result<String> checkResult =
storeExtensionService.checkUpdatePermission(param);
+ if (checkResult.getCode() != CommonError.Success.getCode()) {
+ return Result.failParam(checkResult.getMessage());
+ }
+
MilogLogStoreDO ml = MilogLogstoreConvert.INSTANCE.fromCommand(param);
ml.setEsClusterId(milogLogstoreDO.getEsClusterId());
ml.setEsIndex(milogLogstoreDO.getEsIndex());
@@ -261,6 +272,10 @@ public class LogStoreServiceImpl extends BaseService
implements LogStoreService
if (tails != null && tails.size() != 0) {
return new Result<>(CommonError.ParamsError.getCode(), "There is a
tail under the log store and cannot be deleted");
}
+ Result<String> checkResult =
storeExtensionService.checkDeletePermission(id);
+ if (checkResult.getCode() != CommonError.Success.getCode()) {
+ return new Result<>(checkResult.getCode(),
checkResult.getMessage());
+ }
storeExtensionService.deleteStorePostProcessing(logStore);
if (logStoreDao.deleteMilogSpace(id)) {
storeExtensionService.postProcessing(logStore, null,
OperateEnum.DELETE_OPERATE);