[ 
https://issues.apache.org/jira/browse/KYLIN-5688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17754492#comment-17754492
 ] 

Yaguang Jia commented on KYLIN-5688:
------------------------------------

*Background*


The data permissions of system administrators and regular users are recorded in 
different metadata locations.
The data permissions of system administrators are recorded at the global level, 
with the metadata path being */_global/sys_acl/user/{userName}*. This records 
whether they have global data permissions (configurable in the interface) and 
which projects' data permissions they have.
The data permissions of regular users and groups are recorded at the project 
level, with the metadata path being */_global/acl/{projectUuid}*. This records 
the specific data permissions.

 

*Root Cause*
Currently, when determining if a system administrator (non-super admin) has a 
specific project's data permission, only two scenarios are considered:
1. Whether the user has global data permission.
2. Whether the user has data permission for that project.
If either condition is met, it is assumed that the system administrator has 
data permission for that project. However, it does not consider whether the 
user group to which the system administrator belongs has the project's data 
permission.

 

*Dev Design*
Add logic to check for the system administrator's group-level permissions.
Specifically, modify as follows: when it is determined that a system 
administrator has neither global data permission nor the specific project's 
data permission, do not return early but continue with the subsequent checks for 
group-level permissions.

 
----
*Background*

The data permissions of system administrators and regular users are recorded in different metadata locations.

The data permissions of system administrators are recorded at the global level, with the metadata path {{/_global/sys_acl/user/{userName}}}; this records whether they have global data permission (configurable in the UI) and which projects' data permissions they hold.

The data permissions of regular users and groups are recorded at the project level, with the metadata path {{/_global/acl/{projectUuid}}}; this records the specific data permissions.

 

*Root Cause*

Currently, when determining whether a system administrator (not a super administrator) has data permission for a specific project, only the following two cases are considered:
 # Whether the user has global data permission

 # Whether the user has data permission for that project

If either holds, the system administrator is considered to have data permission for that project.

Whether the user group the system administrator belongs to has data permission for the project is not considered.

 

*Dev Design*

Add logic to check the permissions of the user group the system administrator belongs to.

Specifically: when it is determined that a system administrator has neither *global data permission* nor *data permission for the specific project*, do not return early; continue with the subsequent user-group permission check.
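The decision logic described in the comment above, modelled as an added example that is not Kylin's own code: the metadata layout (`SYS_ACL` standing in for `/_global/sys_acl/user/{userName}`, `PROJECT_ACL` for `/_global/acl/{projectUuid}`), the group-membership lookup and all sample users, groups and project UUIDs are constructed here for illustration. The "before" function returns early for administrators exactly as the Root Cause section describes, so the group grant is never consulted; the "after" function falls through to the group-level check when neither the global nor the project-level permission is present.

```python
from dataclasses import dataclass, field


@dataclass
class AclStore:
    """Constructed, simplified model of the two metadata locations.

    sys_acl:     admin userName -> {"global": bool, "projects": set of projectUuid}
                 (stands in for /_global/sys_acl/user/{userName})
    project_acl: projectUuid -> {"users": set, "groups": set} that hold data permission
                 (stands in for /_global/acl/{projectUuid})
    groups_of:   userName -> set of group names (assumed to come from the user service)
    """
    sys_acl: dict = field(default_factory=dict)
    project_acl: dict = field(default_factory=dict)
    groups_of: dict = field(default_factory=dict)


def _project_level_permission(store, user, project_uuid):
    """Project-level check used for regular users: direct user grant or a grant
    to any group the user belongs to."""
    acl = store.project_acl.get(project_uuid, {"users": set(), "groups": set()})
    if user in acl["users"]:
        return True
    return bool(store.groups_of.get(user, set()) & acl["groups"])


def has_data_permission_before_fix(store, user, project_uuid):
    """Behaviour reported in KYLIN-5688: for a system admin only the global flag
    and the admin's own project list are considered, then the function returns.
    A grant to the admin's user group is never reached."""
    if user in store.sys_acl:
        rec = store.sys_acl[user]
        return rec["global"] or project_uuid in rec["projects"]  # early return
    return _project_level_permission(store, user, project_uuid)


def has_data_permission_after_fix(store, user, project_uuid):
    """Dev Design from the comment: when the admin has neither global nor
    project-level permission, do not return early; continue to the group check."""
    if user in store.sys_acl:
        rec = store.sys_acl[user]
        if rec["global"] or project_uuid in rec["projects"]:
            return True
        # Fall through: the admin may still inherit permission via a group.
    return _project_level_permission(store, user, project_uuid)


# Constructed sample data reproducing the reported scenario: "alice" is a system
# admin with no global and no direct project permission, but is a member of the
# group "analysts", which holds data permission for project "proj-0001".
SAMPLE_STORE = AclStore(
    sys_acl={
        "alice": {"global": False, "projects": set()},
        "bob": {"global": True, "projects": set()},
    },
    project_acl={"proj-0001": {"users": {"carol"}, "groups": {"analysts"}}},
    groups_of={"alice": {"analysts"}, "bob": set(), "carol": set(), "dave": set()},
)


def regression_case(store=SAMPLE_STORE, user="alice", project_uuid="proj-0001"):
    """Return (before, after) decisions for the reported scenario."""
    return (
        has_data_permission_before_fix(store, user, project_uuid),
        has_data_permission_after_fix(store, user, project_uuid),
    )


if __name__ == "__main__":
    before, after = regression_case()
    print(f"admin in granted group: before fix={before}, after fix={after}")
```

Running the module prints `before fix=False, after fix=True` for the admin-in-group case; the global-admin, directly granted regular user and unknown user cases decide the same way under both functions, which is the property a regression test for this fix should pin down.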

> After a system admin user without data permission is added to a user group 
> with data permission for a project, the system admin still has no data 
> permission for this project
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KYLIN-5688
>                 URL: https://issues.apache.org/jira/browse/KYLIN-5688
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 5.0-alpha
>            Reporter: Yaguang Jia
>            Assignee: Zhiting Guo
>            Priority: Minor
>             Fix For: 5.0-beta
>
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)