Caideyipi commented on code in PR #13158:
URL: https://github.com/apache/iotdb/pull/13158#discussion_r1924655430
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/IEntityAccessor.java:
##########
@@ -16,60 +16,52 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.apache.iotdb.commons.auth.user;
+package org.apache.iotdb.commons.auth.entity;
-import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.snapshot.SnapshotProcessor;
import java.io.IOException;
import java.util.List;
-/** This interface manages the serialization/deserialization of the user
objects. */
-public interface IUserAccessor extends SnapshotProcessor {
+/** This interface manages the serialization/deserialization of the entry
objects. */
Review Comment:
Change all the "entry"s
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/IEntityManager.java:
##########
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iotdb.commons.auth.role;
+
+import org.apache.iotdb.commons.auth.AuthException;
+import org.apache.iotdb.commons.auth.entity.PrivilegeUnion;
+import org.apache.iotdb.commons.auth.entity.Role;
+import org.apache.iotdb.commons.snapshot.SnapshotProcessor;
+
+import java.util.List;
+
+/** We can call user or role as entry of access control, they all can obtain
privileges */
+public interface IEntityManager extends SnapshotProcessor {
+
+ /**
+ * Get an entry object.
+ *
+ * @param entryName The name of the role.
+ * @return A role object whose name is entryName or null if such role does
not exist.
+ * @throws AuthException if exception is raised while getting the role.
+ */
+ Role getEntity(String entryName) throws AuthException;
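Review bot: The Javadoc of `getEntity` speaks only of roles ("The name of the role", "A role object", "getting the role") although the interface comment two lines above states that it covers users as well. Wording such as `@param entryName The name of the user or role.` and `@return The user or role with that name, or null if none exists.` keeps the contract accurate for both implementations; this assumes a user object is a `Role`, which the hunk does not show. The interface body continues past the end of the hunk.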
Review Comment:
Better change all the "entry"s....
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java:
##########
@@ -56,36 +58,28 @@ public interface IAuthorizer extends SnapshotProcessor {
*
* @param username the username of the user.
* @throws AuthException When attempting to delete the default administrator
or the user does not
- * exists.
+ * exist.
*/
void deleteUser(String username) throws AuthException;
/**
* Grant a privilege on a seriesPath to a user.
*
- * @param username The username of the user to which the privilege should be
added.
- * @param path The seriesPath on which the privilege takes effect. If the
privilege is a
- * seriesPath-free privilege, this should be "root".
- * @param privilegeId An integer that represents a privilege.
- * @param grantOpt Whether the privilege is grant option.
+ * @param userName The username of the user to which the privilege should be
added.
+ * @param union A combination of user permissions and scope, and tags
* @throws AuthException If the user does not exist or the privilege or the
seriesPath is illegal
* or the permission already exists.
*/
- void grantPrivilegeToUser(String username, PartialPath path, int
privilegeId, boolean grantOpt)
- throws AuthException;
+ void grantPrivilegeToUser(String userName, PrivilegeUnion union) throws
AuthException;
/**
* Revoke a privilege on seriesPath from a user.
*
- * @param username The username of the user from which the privilege should
be removed.
- * @param path The seriesPath on which the privilege takes effect. If the
privilege is a
- * seriesPath-free privilege, this should be "root".
- * @param privilegeId An integer that represents a privilege.
+ * @param userName The username of the user from which the privilege should
be removed.
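Review bot: The new `grantPrivilegeToUser(String userName, PrivilegeUnion union)` renames its first parameter to `userName`, while the unchanged `deleteUser(String username)` a few lines above keeps `username`; one spelling should be used across the interface, in both the signatures and the `@param` tags, and `username` is the one the untouched methods already use. The same rename appears on the revoke method's `@param userName` tag at the end of the hunk. The enclosing interface continues past the end of the hunk.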
Review Comment:
Better add description for "union" in all the file
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java:
##########
@@ -35,197 +36,196 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.Map.Entry;
/**
* This class reads roles from local files through LocalFileRoleAccessor and
manages them in a hash
* map. We save all roles in our memory. Before providing service, we should
load all role
* information from filesystem. Access filesystem only happens at
starting、taking snapshot、 loading
* snapshot.
*/
-public abstract class BasicRoleManager implements IRoleManager {
+public abstract class BasicRoleManager implements IEntityManager,
SnapshotProcessor {
- protected Map<String, Role> roleMap;
- protected IRoleAccessor accessor;
- protected HashLock lock;
- private boolean preVersion = false;
+ protected Map<String, Role> entityMap;
+ protected IEntityAccessor accessor;
+ protected HashLock lock;
private static final Logger LOGGER =
LoggerFactory.getLogger(BasicRoleManager.class);
- BasicRoleManager(LocalFileRoleAccessor accessor) {
- this.roleMap = new HashMap<>();
+ protected TSStatusCode getEntityNotExistErrorCode() {
+ return TSStatusCode.ROLE_NOT_EXIST;
+ }
+
+ protected String getNoSuchEntityError() {
+ return "No such role %s";
+ }
+
+ protected BasicRoleManager() {
+ this.entityMap = new HashMap<>();
+ this.lock = new HashLock();
+ }
+
+ protected BasicRoleManager(IEntityAccessor accessor) {
+ this.entityMap = new HashMap<>();
this.accessor = accessor;
this.lock = new HashLock();
this.accessor.reset();
}
- @Override
- public Role getRole(String rolename) {
- lock.readLock(rolename);
- Role role = roleMap.get(rolename);
- lock.readUnlock(rolename);
+ public Role getEntity(String entityName) {
+ lock.readLock(entityName);
+ Role role = entityMap.get(entityName);
+ lock.readUnlock(entityName);
return role;
}
- @Override
- public boolean createRole(String rolename) throws AuthException {
-
- Role role = getRole(rolename);
+ public boolean createRole(String entityName) {
+ Role role = getEntity(entityName);
if (role != null) {
return false;
}
- lock.writeLock(rolename);
- role = new Role(rolename);
- roleMap.put(rolename, role);
- lock.writeUnlock(rolename);
+ lock.writeLock(entityName);
+ role = new Role(entityName);
+ entityMap.put(entityName, role);
+ lock.writeUnlock(entityName);
return true;
}
- @Override
- public boolean deleteRole(String rolename) {
- lock.writeLock(rolename);
- try {
- return roleMap.remove(rolename) != null;
- } finally {
- lock.writeUnlock(rolename);
- }
+ public boolean deleteEntity(String entityName) {
+ lock.writeLock(entityName);
+ boolean result = entityMap.remove(entityName) != null;
+ lock.writeUnlock(entityName);
+ return result;
}
- @Override
- public void grantPrivilegeToRole(
- String rolename, PartialPath path, int privilegeId, boolean grantOpt)
throws AuthException {
- lock.writeLock(rolename);
+ public void grantPrivilegeToEntity(String entityName, PrivilegeUnion
privilegeUnion)
+ throws AuthException {
+ lock.writeLock(entityName);
try {
- Role role = getRole(rolename);
+ Role role = getEntity(entityName);
if (role == null) {
throw new AuthException(
- TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s",
rolename));
+ getEntityNotExistErrorCode(),
String.format(getNoSuchEntityError(), entityName));
}
- // Pre version's operation:
- // all privileges are stored in path privileges.
- // global privileges will come with root.**
- // need to handle privileges ALL there.
- if (preVersion) {
- AuthUtils.validatePath(path);
- if (privilegeId == PriPrivilegeType.ALL.ordinal()) {
- for (PriPrivilegeType type : PriPrivilegeType.values()) {
- role.addPathPrivilege(path, type.ordinal(), false);
+ switch (privilegeUnion.getModelType()) {
+ case TREE:
+ AuthUtils.validatePatternPath(privilegeUnion.getPath());
+ role.grantPathPrivilege(
+ privilegeUnion.getPath(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ break;
+ case SYSTEM:
+ PrivilegeType type = privilegeUnion.getPrivilegeType();
+ role.grantSysPrivilege(type, privilegeUnion.isGrantOption());
+ break;
+ case RELATIONAL:
+ if (privilegeUnion.isForAny()) {
+ role.grantAnyScopePrivilege(
+ privilegeUnion.getPrivilegeType(),
privilegeUnion.isGrantOption());
+ break;
}
- } else {
- role.addPathPrivilege(path, privilegeId, false);
- }
- // mark that the user has pre Version's privilege.
- if (role.getServiceReady()) {
- role.setServiceReady(false);
- }
- return;
- }
-
- if (path != null) {
- AuthUtils.validatePatternPath(path);
- role.addPathPrivilege(path, privilegeId, grantOpt);
- } else {
- role.getSysPrivilege().add(privilegeId);
- if (grantOpt) {
- role.getSysPriGrantOpt().add(privilegeId);
- }
+ if (privilegeUnion.getDBName() != null && privilegeUnion.getTbName()
== null) {
+ role.grantDBPrivilege(
+ privilegeUnion.getDBName(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ } else if (privilegeUnion.getDBName() != null &&
privilegeUnion.getTbName() != null) {
+ role.grantTBPrivilege(
+ privilegeUnion.getDBName(),
+ privilegeUnion.getTbName(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ }
+ break;
+ default:
+ LOGGER.warn("Not support model type {}",
privilegeUnion.getModelType());
}
} finally {
- lock.writeUnlock(rolename);
+ lock.writeUnlock(entityName);
}
}
- @Override
- public boolean revokePrivilegeFromRole(String rolename, PartialPath path,
int privilegeId)
+ public void revokePrivilegeFromEntity(String entityName, PrivilegeUnion
privilegeUnion)
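Review bot: `deleteEntity` drops the old try/finally, so `lock.writeUnlock(entityName)` runs only if `entityMap.remove` returns normally and any exception in between leaves the per-name write lock held; keep the guarded form `try { return entityMap.remove(entityName) != null; } finally { lock.writeUnlock(entityName); }`. `getEntity` and `createRole` in this hunk acquire and release the lock with the same unguarded pattern. Separately, `grantPrivilegeToEntity` returns normally without granting anything in two cases: the RELATIONAL branch when `isForAny()` is false and `getDBName()` is null, and the `default` branch, which only logs a warning, so a caller cannot distinguish an ignored grant from a successful one; both paths should throw an `AuthException` with a suitable status code rather than fall through silently. `revokePrivilegeFromEntity` starts on the last lines of the hunk and its body lies outside it.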
Review Comment:
Do not delete the "@Override"s...
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/IEntityManager.java:
##########
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iotdb.commons.auth.role;
+
+import org.apache.iotdb.commons.auth.AuthException;
+import org.apache.iotdb.commons.auth.entity.PrivilegeUnion;
+import org.apache.iotdb.commons.auth.entity.Role;
+import org.apache.iotdb.commons.snapshot.SnapshotProcessor;
+
+import java.util.List;
+
+/** We can call user or role as entry of access control, they all can obtain
privileges */
+public interface IEntityManager extends SnapshotProcessor {
+
+ /**
+ * Get an entry object.
+ *
+ * @param entryName The name of the role.
+ * @return A role object whose name is entryName or null if such role does
not exist.
+ * @throws AuthException if exception is raised while getting the role.
+ */
+ Role getEntity(String entryName) throws AuthException;
+
+ /**
+ * Create a role/user with given entryName. New roles/users will only be
granted no privileges.
+ *
+ * @param entryName is not null or empty
+ * @return True if the role is successfully created, false when the role
already exists.
+ */
+ boolean createRole(String entryName);
+
+ /**
+ * Delete an entry.
+ *
+ * @param entryName the name of the user/role.
+ * @return boolean, true means we have the role in entryManager.
+ */
+ boolean deleteEntity(String entryName);
+
+ /**
+ * Grant a privilege to an entry.
+ *
+ * @param entryName The name of the entry to which the privilege should be
added.
+ * @param privilegeUnion The privilege will be granted to entry.
+ * @throws AuthException If the role does not exist or the privilege or the
seriesPath is illegal.
+ */
+ void grantPrivilegeToEntity(String entryName, PrivilegeUnion privilegeUnion)
throws AuthException;
+
+ /**
+ * Revoke a privilege on seriesPath from an entry.
+ *
+ * @param entryName The name of the entry from which the privilege should be
removed.
+ * @param privilegeUnion The privilege will be granted to entry.
+ * @throws AuthException If the role does not exist or the privilege or the
seriesPath is illegal.
+ */
+ void revokePrivilegeFromEntity(String entryName, PrivilegeUnion
privilegeUnion)
+ throws AuthException;
+
+ /** Re-initialize this object. */
+ void reset() throws AuthException;
+
+ /**
+ * List all users/roles in the database.
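Review bot: The `@param privilegeUnion` tag on `revokePrivilegeFromEntity` reads "The privilege will be granted to entry", copied from the grant method; it should read `@param privilegeUnion The privilege to revoke from the entity.`. `createRole` is the only method in this interface not named after the entity abstraction (`getEntity`, `deleteEntity`, `grantPrivilegeToEntity`) even though its own Javadoc says "role/user"; `boolean createEntity(String entryName);` would spare a user manager from implementing a method called createRole. The `@param entryName is not null or empty` tag states a precondition without saying what happens when it is violated; either document the outcome under `@throws`/`@return` or drop the clause. The same lines are quoted again in the later hunk of this file.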
Review Comment:
May better delete "in the database"
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/IEntityManager.java:
##########
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iotdb.commons.auth.role;
+
+import org.apache.iotdb.commons.auth.AuthException;
+import org.apache.iotdb.commons.auth.entity.PrivilegeUnion;
+import org.apache.iotdb.commons.auth.entity.Role;
+import org.apache.iotdb.commons.snapshot.SnapshotProcessor;
+
+import java.util.List;
+
+/** We can call user or role as entry of access control, they all can obtain
privileges */
+public interface IEntityManager extends SnapshotProcessor {
+
+ /**
+ * Get an entry object.
+ *
+ * @param entryName The name of the role.
+ * @return A role object whose name is entryName or null if such role does
not exist.
+ * @throws AuthException if exception is raised while getting the role.
+ */
+ Role getEntity(String entryName) throws AuthException;
+
+ /**
+ * Create a role/user with given entryName. New roles/users will only be
granted no privileges.
+ *
+ * @param entryName is not null or empty
+ * @return True if the role is successfully created, false when the role
already exists.
+ */
+ boolean createRole(String entryName);
+
+ /**
+ * Delete an entry.
+ *
+ * @param entryName the name of the user/role.
+ * @return boolean, true means we have the role in entryManager.
+ */
+ boolean deleteEntity(String entryName);
+
+ /**
+ * Grant a privilege to an entry.
+ *
+ * @param entryName The name of the entry to which the privilege should be
added.
+ * @param privilegeUnion The privilege will be granted to entry.
+ * @throws AuthException If the role does not exist or the privilege or the
seriesPath is illegal.
+ */
+ void grantPrivilegeToEntity(String entryName, PrivilegeUnion privilegeUnion)
throws AuthException;
+
+ /**
+ * Revoke a privilege on seriesPath from an entry.
Review Comment:
seriesPath?