KYLIN-2760 Enhance ACL Logic

Project: http://git-wip-us.apache.org/repos/asf/kylin/repo
Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/7a9f74c8
Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/7a9f74c8
Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/7a9f74c8

Branch: refs/heads/master
Commit: 7a9f74c8a0f70480f40c6e88e0aeb71824fd7884
Parents: fa7eb69
Author: tttMelody <245915...@qq.com>
Authored: Wed Aug 16 14:35:08 2017 +0800
Committer: Hongbin Ma <m...@kyligence.io>
Committed: Wed Aug 16 16:04:09 2017 +0800

----------------------------------------------------------------------
 .../org/apache/kylin/cube/CubeInstance.java     |   6 +
 .../java/org/apache/kylin/job/JobInstance.java  |   2 +-
 .../kylin/metadata/model/DataModelDesc.java     |   7 +-
 .../apache/kylin/rest/constant/Constant.java    |  11 +-
 .../rest/controller/ProjectController.java      |  25 +---
 .../rest/controller/StreamingController.java    |  37 +++---
 .../rest/controller2/CubeDescControllerV2.java  |  10 +-
 .../rest/controller2/ModelControllerV2.java     |  23 ++--
 .../rest/controller2/ModelDescControllerV2.java |  18 +--
 .../rest/controller2/StreamingControllerV2.java |  33 ++---
 .../rest/controller2/TableControllerV2.java     |   2 +-
 .../kylin/rest/service/AccessService.java       |   5 +
 .../apache/kylin/rest/service/CubeService.java  |  83 ++++--------
 .../kylin/rest/service/DiagnosisService.java    |  18 ++-
 .../kylin/rest/service/HybridService.java       |  16 ++-
 .../apache/kylin/rest/service/JobService.java   |  35 ++---
 .../kylin/rest/service/KafkaConfigService.java  |  25 ++--
 .../apache/kylin/rest/service/ModelService.java |  71 ++++++----
 .../kylin/rest/service/ProjectService.java      |  29 +---
 .../apache/kylin/rest/service/QueryService.java |  10 +-
 .../kylin/rest/service/StreamingService.java    |  22 ++--
 .../apache/kylin/rest/service/TableService.java |  27 ++--
 .../org/apache/kylin/rest/util/AclEvaluate.java | 131 +++++++++++++++++++
 .../org/apache/kylin/rest/util/AclUtil.java     |  39 ++++--
 .../org/apache/kylin/rest/bean/BeanTest.java    |   7 +-
 .../rest/controller/AccessControllerTest.java   |  25 +++-
 26 files changed, 440 insertions(+), 277 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/core-cube/src/main/java/org/apache/kylin/cube/CubeInstance.java
----------------------------------------------------------------------
diff --git a/core-cube/src/main/java/org/apache/kylin/cube/CubeInstance.java 
b/core-cube/src/main/java/org/apache/kylin/cube/CubeInstance.java
index 4d205eb..4c57db8 100644
--- a/core-cube/src/main/java/org/apache/kylin/cube/CubeInstance.java
+++ b/core-cube/src/main/java/org/apache/kylin/cube/CubeInstance.java
@@ -36,6 +36,8 @@ import org.apache.kylin.metadata.model.MeasureDesc;
 import org.apache.kylin.metadata.model.SegmentStatusEnum;
 import org.apache.kylin.metadata.model.Segments;
 import org.apache.kylin.metadata.model.TblColRef;
+import org.apache.kylin.metadata.project.ProjectInstance;
+import org.apache.kylin.metadata.project.ProjectManager;
 import org.apache.kylin.metadata.realization.CapabilityResult;
 import 
org.apache.kylin.metadata.realization.CapabilityResult.CapabilityInfluence;
 import org.apache.kylin.metadata.realization.IRealization;
@@ -385,6 +387,10 @@ public class CubeInstance extends RootPersistentEntity 
implements IRealization,
         return getDescriptor().getProject();
     }
 
+    public ProjectInstance getProjectInstance() {
+        return 
ProjectManager.getInstance(getConfig()).getProject(getProject());
+    }
+
     @Override
     public int getSourceType() {
         return getModel().getRootFactTable().getTableDesc().getSourceType();

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/core-job/src/main/java/org/apache/kylin/job/JobInstance.java
----------------------------------------------------------------------
diff --git a/core-job/src/main/java/org/apache/kylin/job/JobInstance.java 
b/core-job/src/main/java/org/apache/kylin/job/JobInstance.java
index 3778834..bbbbb94 100644
--- a/core-job/src/main/java/org/apache/kylin/job/JobInstance.java
+++ b/core-job/src/main/java/org/apache/kylin/job/JobInstance.java
@@ -167,7 +167,7 @@ public class JobInstance extends RootPersistentEntity 
implements Comparable<JobI
         this.duration = duration;
     }
 
-    public String getRelatedCube() {
+    public String getRelatedCube() { // if model check, return model name.
         return relatedCube;
     }
 

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java
----------------------------------------------------------------------
diff --git 
a/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java
 
b/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java
index f82c996..2037420 100644
--- 
a/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java
+++ 
b/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java
@@ -40,6 +40,7 @@ import org.apache.kylin.common.util.Pair;
 import org.apache.kylin.common.util.StringUtil;
 import org.apache.kylin.metadata.MetadataConstants;
 import org.apache.kylin.metadata.model.JoinsTree.Chain;
+import org.apache.kylin.metadata.project.ProjectInstance;
 import org.apache.kylin.metadata.project.ProjectManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -827,7 +828,11 @@ public class DataModelDesc extends RootPersistentEntity {
     }
 
     public String getProject() {
-        return 
ProjectManager.getInstance(getConfig()).getProjectOfModel(this.getName()).getName();
+        return 
ProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProjectOfModel(this.getName()).getName();
+    }
+
+    public ProjectInstance getProjectInstance() {
+        return 
ProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProjectOfModel(this.getName());
     }
 
     public static DataModelDesc getCopyOf(DataModelDesc orig) {
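Review bot: Both `getProject()` and the new `getProjectInstance()` use the result of `getProjectOfModel(this.getName())` without handling a model that is not registered in any project. If that lookup can return null (its body is not in this hunk), `getProject()` throws a NullPointerException and `getProjectInstance()` hands null to whatever ACL check consumes it. The switch from `getConfig()` to `KylinConfig.getInstanceFromEnv()` also resolves the project against the environment config rather than the config this model was loaded with, which deserves a one-line comment explaining why. Consider documenting the contract on both methods, e.g. `/** Returns the owning project; callers doing ACL checks must treat null as "deny". */`, or failing explicitly with an `IllegalStateException` that names the model.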

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/constant/Constant.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/constant/Constant.java 
b/server-base/src/main/java/org/apache/kylin/rest/constant/Constant.java
index 5d326e9..697a660 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/constant/Constant.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/constant/Constant.java
@@ -35,9 +35,14 @@ public class Constant {
     public final static String ROLE_ANALYST = "ROLE_ANALYST";
 
     public final static String ACCESS_HAS_ROLE_ADMIN = "hasRole('ROLE_ADMIN')";
-//    public final static String ACCESS_HAS_ROLE_MODELER = 
"hasRole('ROLE_MODELER')";
-
-    public final static String ACCESS_POST_FILTER_READ = 
"hasRole('ROLE_ADMIN') or hasPermission(filterObject, 'READ') or 
hasPermission(filterObject, 'MANAGEMENT') " + "or hasPermission(filterObject, 
'OPERATION') or hasPermission(filterObject, 'ADMINISTRATION')";
+    //public final static String ACCESS_HAS_ROLE_MODELER = 
"hasRole('ROLE_MODELER')";
+
+    public final static String ACCESS_POST_FILTER_READ =
+            "hasRole('ROLE_ADMIN') " +
+            " or hasPermission(filterObject, 'ADMINISTRATION')"+
+            " or hasPermission(filterObject, 'MANAGEMENT')" +
+            " or hasPermission(filterObject, 'OPERATION')" +
+            " or hasPermission(filterObject, 'READ')";
 
     public final static String SERVER_MODE_QUERY = "query";
     public final static String SERVER_MODE_JOB = "job";

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/controller/ProjectController.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/controller/ProjectController.java
 
b/server-base/src/main/java/org/apache/kylin/rest/controller/ProjectController.java
index 74e806e..4bb8e82 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/controller/ProjectController.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/controller/ProjectController.java
@@ -24,7 +24,6 @@ import java.util.List;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.kylin.common.util.JsonUtil;
-import org.apache.kylin.cube.CubeInstance;
 import org.apache.kylin.metadata.project.ProjectInstance;
 import org.apache.kylin.rest.exception.BadRequestException;
 import org.apache.kylin.rest.exception.InternalErrorException;
@@ -32,7 +31,7 @@ import org.apache.kylin.rest.request.ProjectRequest;
 import org.apache.kylin.rest.service.AccessService;
 import org.apache.kylin.rest.service.CubeService;
 import org.apache.kylin.rest.service.ProjectService;
-import org.apache.kylin.rest.util.AclUtil;
+import org.apache.kylin.rest.util.AclEvaluate;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -68,7 +67,7 @@ public class ProjectController extends BasicController {
     @Qualifier("cubeMgmtService")
     private CubeService cubeService;
     @Autowired
-    private AclUtil aclUtil;
+    private AclEvaluate aclEvaluate;
 
     /**
      * Get available project list
@@ -99,29 +98,11 @@ public class ProjectController extends BasicController {
 
             boolean hasProjectPermission = false;
             try {
-                hasProjectPermission = 
aclUtil.hasProjectReadPermission(projectInstance);
+                hasProjectPermission = 
aclEvaluate.hasProjectReadPermission(projectInstance);
             } catch (AccessDeniedException e) {
                 //ignore to continue
             }
 
-            if (!hasProjectPermission) {
-                List<CubeInstance> cubeInstances = 
cubeService.listAllCubes(projectInstance.getName());
-
-                for (CubeInstance cubeInstance : cubeInstances) {
-                    if (cubeInstance == null) {
-                        continue;
-                    }
-
-                    try {
-                        aclUtil.hasCubeReadPermission(cubeInstance);
-                        hasProjectPermission = true;
-                        break;
-                    } catch (AccessDeniedException e) {
-                        //ignore to continue
-                    }
-                }
-            }
-            
             if (hasProjectPermission) {
                 readableProjects.add(projectInstance);
             }
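Review bot: With the cube-level fallback removed, `hasProjectPermission` stays false only because the `AccessDeniedException` from `aclEvaluate.hasProjectReadPermission(projectInstance)` is swallowed by an empty catch, so denial is signalled two ways (return value and exception). Users who were granted access on a cube but not on its project will no longer see that project in this list; that is a visible authorization change and should be stated in the commit message or upgrade notes. The `cubeService` field shown in the previous hunk may now be unused in this controller and could be removed if so. Replace `//ignore to continue` with a comment that states the intent, such as `// no read permission on this project: leave it out of the result`. The enclosing method starts and ends outside the hunk.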

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/controller/StreamingController.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/controller/StreamingController.java
 
b/server-base/src/main/java/org/apache/kylin/rest/controller/StreamingController.java
index b0bb02a..593abea 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/controller/StreamingController.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/controller/StreamingController.java
@@ -77,10 +77,11 @@ public class StreamingController extends BasicController {
 
     @RequestMapping(value = "/getConfig", method = { RequestMethod.GET }, 
produces = { "application/json" })
     @ResponseBody
-    public List<StreamingConfig> getStreamings(@RequestParam(value = "table", 
required = false) String table, @RequestParam(value = "limit", required = 
false) Integer limit, @RequestParam(value = "offset", required = false) Integer 
offset) {
+    public List<StreamingConfig> getStreamings(@RequestParam(value = "table", 
required = false) String table, @RequestParam(value = "project", required = 
false) String project, @RequestParam(value = "limit", required = false) Integer 
limit, @RequestParam(value = "offset", required = false) Integer offset) {
         try {
-            return streamingService.getStreamingConfigs(table, limit, offset);
+            return streamingService.getStreamingConfigs(table, project, limit, 
offset);
         } catch (IOException e) {
+
             logger.error("Failed to deal with the request:" + 
e.getLocalizedMessage(), e);
             throw new InternalErrorException("Failed to deal with the request: 
" + e.getLocalizedMessage());
         }
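Review bot: `project` is declared with `required = false` in `getStreamings`, so a request that omits it passes null to `streamingService.getStreamingConfigs(table, project, limit, offset)`. Whether any project-level ACL is applied in that case is decided in the service, which this hunk does not show. `StreamingControllerV2` declares the same parameter as `@RequestParam(value = "project", required = true) String project`; the v1 endpoints should do the same or reject a blank value before calling the service. The same applies to `getKafkaConfigs` in the next hunk. The blank line added inside the `catch (IOException e)` block is stray.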
@@ -88,9 +89,9 @@ public class StreamingController extends BasicController {
 
     @RequestMapping(value = "/getKfkConfig", method = { RequestMethod.GET }, 
produces = { "application/json" })
     @ResponseBody
-    public List<KafkaConfig> getKafkaConfigs(@RequestParam(value = 
"kafkaConfigName", required = false) String kafkaConfigName, 
@RequestParam(value = "limit", required = false) Integer limit, 
@RequestParam(value = "offset", required = false) Integer offset) {
+    public List<KafkaConfig> getKafkaConfigs(@RequestParam(value = 
"kafkaConfigName", required = false) String kafkaConfigName, 
@RequestParam(value = "project", required = false) String project, 
@RequestParam(value = "limit", required = false) Integer limit, 
@RequestParam(value = "offset", required = false) Integer offset) {
         try {
-            return kafkaConfigService.getKafkaConfigs(kafkaConfigName, limit, 
offset);
+            return kafkaConfigService.getKafkaConfigs(kafkaConfigName, 
project, limit, offset);
         } catch (IOException e) {
             logger.error("Failed to deal with the request:" + 
e.getLocalizedMessage(), e);
             throw new InternalErrorException("Failed to deal with the request: 
" + e.getLocalizedMessage());
@@ -131,7 +132,7 @@ public class StreamingController extends BasicController {
             }
             try {
                 streamingConfig.setUuid(UUID.randomUUID().toString());
-                streamingService.createStreamingConfig(streamingConfig);
+                streamingService.createStreamingConfig(streamingConfig, 
project);
                 saveStreamingSuccess = true;
             } catch (IOException e) {
                 logger.error("Failed to save StreamingConfig:" + 
e.getLocalizedMessage(), e);
@@ -139,11 +140,11 @@ public class StreamingController extends BasicController {
             }
             try {
                 kafkaConfig.setUuid(UUID.randomUUID().toString());
-                kafkaConfigService.createKafkaConfig(kafkaConfig);
+                kafkaConfigService.createKafkaConfig(kafkaConfig, project);
                 saveKafkaSuccess = true;
             } catch (IOException e) {
                 try {
-                    streamingService.dropStreamingConfig(streamingConfig);
+                    streamingService.dropStreamingConfig(streamingConfig, 
project);
                 } catch (IOException e1) {
                     throw new InternalErrorException("StreamingConfig is 
created, but failed to create KafkaConfig: " + e.getLocalizedMessage());
                 }
@@ -156,15 +157,15 @@ public class StreamingController extends BasicController {
                 if (saveStreamingSuccess == true) {
                     StreamingConfig sConfig = 
streamingService.getStreamingManager().getStreamingConfig(streamingConfig.getName());
                     try {
-                        streamingService.dropStreamingConfig(sConfig);
+                        streamingService.dropStreamingConfig(sConfig, project);
                     } catch (IOException e) {
                         throw new InternalErrorException("Action failed and 
failed to rollback the created streaming config: " + e.getLocalizedMessage());
                     }
                 }
                 if (saveKafkaSuccess == true) {
                     try {
-                        KafkaConfig kConfig = 
kafkaConfigService.getKafkaConfig(kafkaConfig.getName());
-                        kafkaConfigService.dropKafkaConfig(kConfig);
+                        KafkaConfig kConfig = 
kafkaConfigService.getKafkaConfig(kafkaConfig.getName(), project);
+                        kafkaConfigService.dropKafkaConfig(kConfig, project);
                     } catch (IOException e) {
                         throw new InternalErrorException("Action failed and 
failed to rollback the created kafka config: " + e.getLocalizedMessage());
                     }
@@ -181,12 +182,12 @@ public class StreamingController extends BasicController {
     public StreamingRequest updateStreamingConfig(@RequestBody 
StreamingRequest streamingRequest) throws JsonProcessingException {
         StreamingConfig streamingConfig = 
deserializeSchemalDesc(streamingRequest);
         KafkaConfig kafkaConfig = 
deserializeKafkaSchemalDesc(streamingRequest);
-
+        String project = streamingRequest.getProject();
         if (streamingConfig == null) {
             return streamingRequest;
         }
         try {
-            streamingConfig = 
streamingService.updateStreamingConfig(streamingConfig);
+            streamingConfig = 
streamingService.updateStreamingConfig(streamingConfig, project);
         } catch (AccessDeniedException accessDeniedException) {
             throw new ForbiddenException("You don't have right to update this 
StreamingConfig.");
         } catch (Exception e) {
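Review bot: `project` is taken from the request body (`streamingRequest.getProject()`) and passed to `updateStreamingConfig` and `updateKafkaConfig` as the scope for the permission check, but nothing visible here ties the `StreamingConfig` or `KafkaConfig` being changed to that project. If the service authorizes against the supplied project name only (its code is not in this section), a caller with rights on one project could name it while changing a config that belongs to another. The service or this controller should resolve the owning project from the config itself and reject a mismatch, and should also reject a null or blank `project`. The same pattern appears in `deleteConfig` below, where the config is fetched with `getStreamingConfig(configName)` without reference to `project`, and in the `StreamingControllerV2` update hunk.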
@@ -194,7 +195,7 @@ public class StreamingController extends BasicController {
             throw new InternalErrorException("Failed to deal with the request: 
" + e.getLocalizedMessage());
         }
         try {
-            kafkaConfig = kafkaConfigService.updateKafkaConfig(kafkaConfig);
+            kafkaConfig = kafkaConfigService.updateKafkaConfig(kafkaConfig, 
project);
         } catch (AccessDeniedException accessDeniedException) {
             throw new ForbiddenException("You don't have right to update this 
KafkaConfig.");
         } catch (Exception e) {
@@ -207,17 +208,17 @@ public class StreamingController extends BasicController {
         return streamingRequest;
     }
 
-    @RequestMapping(value = "/{configName}", method = { RequestMethod.DELETE 
}, produces = { "application/json" })
+    @RequestMapping(value = "/{project}/{configName}", method = { 
RequestMethod.DELETE }, produces = { "application/json" })
     @ResponseBody
-    public void deleteConfig(@PathVariable String configName) throws 
IOException {
+    public void deleteConfig(@PathVariable String project, @PathVariable 
String configName) throws IOException {
         StreamingConfig config = 
streamingService.getStreamingManager().getStreamingConfig(configName);
-        KafkaConfig kafkaConfig = 
kafkaConfigService.getKafkaConfig(configName);
+        KafkaConfig kafkaConfig = 
kafkaConfigService.getKafkaConfig(configName, project);
         if (null == config) {
             throw new NotFoundException("StreamingConfig with name " + 
configName + " not found..");
         }
         try {
-            streamingService.dropStreamingConfig(config);
-            kafkaConfigService.dropKafkaConfig(kafkaConfig);
+            streamingService.dropStreamingConfig(config, project);
+            kafkaConfigService.dropKafkaConfig(kafkaConfig, project);
         } catch (Exception e) {
             logger.error(e.getLocalizedMessage(), e);
             throw new InternalErrorException("Failed to delete 
StreamingConfig. " + " Caused by: " + e.getMessage(), e);
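Review bot: Only `config` is null-checked before deletion; the `kafkaConfig` returned by `kafkaConfigService.getKafkaConfig(configName, project)` is passed to `dropKafkaConfig(kafkaConfig, project)` unchecked. If it is null, the failure happens after `dropStreamingConfig(config, project)` has already run, leaving the streaming config deleted while the request is reported as an internal error. Check both before the `try`, e.g. `if (null == config || null == kafkaConfig)` followed by the existing `NotFoundException`, or skip the Kafka drop when there is nothing to drop. The route change from `/{configName}` to `/{project}/{configName}` also breaks existing v1 clients and is worth recording in the API documentation. The method's closing lines are outside the hunk.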

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/controller2/CubeDescControllerV2.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/CubeDescControllerV2.java
 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/CubeDescControllerV2.java
index 3382445..5e2eb34 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/CubeDescControllerV2.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/CubeDescControllerV2.java
@@ -51,15 +51,15 @@ public class CubeDescControllerV2 extends BasicController {
     @Qualifier("cubeMgmtService")
     private CubeService cubeService;
 
-    @RequestMapping(value = "/{cubeName}", method = { RequestMethod.GET }, 
produces = {
-            "application/vnd.apache.kylin-v2+json" })
+    @RequestMapping(value = "/{projectName}/{cubeName}", method = 
{RequestMethod.GET}, produces = {
+            "application/vnd.apache.kylin-v2+json"})
     @ResponseBody
-    public EnvelopeResponse getDescV2(@PathVariable String cubeName) throws 
IOException {
+    public EnvelopeResponse getDescV2(@PathVariable String projectName, 
@PathVariable String cubeName) throws IOException {
         Message msg = MsgPicker.getMsg();
 
         CubeInstance cube = cubeService.getCubeManager().getCube(cubeName);
-        Draft draft = cubeService.getCubeDraft(cubeName);
-        
+        Draft draft = cubeService.getCubeDraft(cubeName, projectName);
+
         if (cube == null && draft == null) {
             throw new 
BadRequestException(String.format(msg.getCUBE_NOT_FOUND(), cubeName));
         }
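Review bot: `projectName` is used only for `cubeService.getCubeDraft(cubeName, projectName)`; the cube itself is still fetched with `cubeService.getCubeManager().getCube(cubeName)`, which takes no project and goes to the manager rather than through the service. Unless a check further down in `getDescV2` (outside this hunk) covers it, the descriptor of a cube in another project may be returned under any `projectName` the caller is allowed to read. Either look the cube up through a project-aware, ACL-checked service method, or verify ownership before building the response, e.g. `if (cube != null && !projectName.equals(cube.getProject()))` followed by the existing `BadRequestException`.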

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelControllerV2.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelControllerV2.java
 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelControllerV2.java
index 58f6bee..f7cb844 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelControllerV2.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelControllerV2.java
@@ -201,21 +201,20 @@ public class ModelControllerV2 extends BasicController {
         return new EnvelopeResponse(ResponseCode.CODE_SUCCESS, data, "");
     }
 
-    @RequestMapping(value = "/{modelName}", method = { RequestMethod.DELETE }, 
produces = {
-            "application/vnd.apache.kylin-v2+json" })
+    @RequestMapping(value = "/{projectName}/{modelName}", method = 
{RequestMethod.DELETE}, produces = {
+            "application/vnd.apache.kylin-v2+json"})
     @ResponseBody
-    public void deleteModelV2(@PathVariable String modelName) throws 
IOException {
+    public void deleteModelV2(@PathVariable String projectName, @PathVariable 
String modelName) throws IOException {
         Message msg = MsgPicker.getMsg();
 
-        DataModelDesc model = 
modelService.getMetadataManager().getDataModelDesc(modelName);
-        Draft draft = modelService.getModelDraft(modelName);
-        
+        DataModelDesc model = modelService.getModel(modelName, projectName);
+        Draft draft = modelService.getModelDraft(modelName, projectName);
         if (null == model && null == draft)
             throw new 
BadRequestException(String.format(msg.getMODEL_NOT_FOUND(), modelName));
-        
+
         if (model != null)
             modelService.dropModel(model);
-        
+
         if (draft != null)
             modelService.getDraftManager().delete(draft.getUuid());
     }
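Review bot: The route here is `/{projectName}/{modelName}`, while `getUsedColsV2` in the next hunk uses `/{modelName}/{projectName}/usedCols`. The other routes changed in the visible part of this commit put the project first, so a client following that convention would swap the two values on the usedCols call; `/{projectName}/{modelName}/usedCols` would keep the v2 API consistent. Separately, the draft is removed with `modelService.getDraftManager().delete(draft.getUuid())`, which goes straight to the manager. Whether that deletion is authorized depends entirely on `getModelDraft(modelName, projectName)`, whose body is not shown, so a short comment stating that assumption would help.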
@@ -283,18 +282,18 @@ public class ModelControllerV2 extends BasicController {
         return desc;
     }
 
-    @RequestMapping(value = "/{modelName}/usedCols", method = 
RequestMethod.GET, produces = {
+    @RequestMapping(value = "/{modelName}/{projectName}/usedCols", method = 
RequestMethod.GET, produces = {
             "application/vnd.apache.kylin-v2+json" })
     @ResponseBody
-    public EnvelopeResponse getUsedColsV2(@PathVariable String modelName) {
+    public EnvelopeResponse getUsedColsV2(@PathVariable String projectName, 
@PathVariable String modelName) {
 
         Map<String, Set<String>> data = new HashMap<>();
 
-        for (Map.Entry<TblColRef, Set<CubeInstance>> entry : 
modelService.getUsedDimCols(modelName).entrySet()) {
+        for (Map.Entry<TblColRef, Set<CubeInstance>> entry : 
modelService.getUsedDimCols(modelName, projectName).entrySet()) {
             populateUsedColResponse(entry.getKey(), entry.getValue(), data);
         }
 
-        for (Map.Entry<TblColRef, Set<CubeInstance>> entry : 
modelService.getUsedNonDimCols(modelName).entrySet()) {
+        for (Map.Entry<TblColRef, Set<CubeInstance>> entry : 
modelService.getUsedNonDimCols(modelName, projectName).entrySet()) {
             populateUsedColResponse(entry.getKey(), entry.getValue(), data);
         }
 

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelDescControllerV2.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelDescControllerV2.java
 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelDescControllerV2.java
index 5deced3..88089f5 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelDescControllerV2.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/ModelDescControllerV2.java
@@ -62,27 +62,27 @@ public class ModelDescControllerV2 extends BasicController {
 
     /**
      * Get detail information of the "Model ID"
-     * 
+     *
      * @param modelName
      *            Model ID
      * @return
      * @throws IOException
      */
-    @RequestMapping(value = "/{modelName}", method = { RequestMethod.GET }, 
produces = {
+    @RequestMapping(value = "/{projectName}/{modelName}", method = { 
RequestMethod.GET }, produces = {
             "application/vnd.apache.kylin-v2+json" })
     @ResponseBody
-    public EnvelopeResponse getModelV2(@PathVariable String modelName) throws 
IOException {
+    public EnvelopeResponse getModelV2(@PathVariable String projectName, 
@PathVariable String modelName) throws IOException {
         Message msg = MsgPicker.getMsg();
 
         KylinConfig config = KylinConfig.getInstanceFromEnv();
         MetadataManager metaMgr = MetadataManager.getInstance(config);
-        
-        DataModelDesc model = metaMgr.getDataModelDesc(modelName);
-        Draft draft = modelService.getModelDraft(modelName);
-        
+
+        DataModelDesc model = modelService.getModel(modelName, projectName);
+        Draft draft = modelService.getModelDraft(modelName, projectName);
+
         if (model == null && draft == null)
             throw new 
BadRequestException(String.format(msg.getMODEL_NOT_FOUND(), modelName));
-        
+
         // figure out project
         String project = null;
         if (model != null) {
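Review bot: The Javadoc above `getModelV2` still documents only `@param modelName`; the new `projectName` path variable should be added, e.g. `@param projectName project the model or draft belongs to`. After the switch to `modelService.getModel(modelName, projectName)`, the locals `config` and `metaMgr` have no remaining use in this hunk and can be dropped if the rest of the method (outside the hunk) does not need them. The `// figure out project` block that follows still derives `project` from the model or draft; comparing it with `projectName` would catch a request whose path names the wrong project.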
@@ -90,7 +90,7 @@ public class ModelDescControllerV2 extends BasicController {
         } else {
             project = draft.getProject();
         }
-        
+
         // result
         HashMap<String, DataModelDescResponse> result = new HashMap<String, 
DataModelDescResponse>();
         if (model != null) {

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/controller2/StreamingControllerV2.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/StreamingControllerV2.java
 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/StreamingControllerV2.java
index 5e93e59..54733ea 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/StreamingControllerV2.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/StreamingControllerV2.java
@@ -81,6 +81,7 @@ public class StreamingControllerV2 extends BasicController {
             "application/vnd.apache.kylin-v2+json" })
     @ResponseBody
     public EnvelopeResponse getStreamingsV2(@RequestParam(value = "table", 
required = false) String table,
+            @RequestParam(value = "project", required = true) String project,
             @RequestParam(value = "pageOffset", required = false, defaultValue 
= "0") Integer pageOffset,
             @RequestParam(value = "pageSize", required = false, defaultValue = 
"10") Integer pageSize)
             throws IOException {
@@ -89,7 +90,7 @@ public class StreamingControllerV2 extends BasicController {
         int limit = pageSize;
 
         return new EnvelopeResponse(ResponseCode.CODE_SUCCESS,
-                streamingService.getStreamingConfigs(table, limit, offset), 
"");
+                streamingService.getStreamingConfigs(table, project, limit, 
offset), "");
     }
 
     @RequestMapping(value = "/getKfkConfig", method = { RequestMethod.GET }, 
produces = {
@@ -97,6 +98,7 @@ public class StreamingControllerV2 extends BasicController {
     @ResponseBody
     public EnvelopeResponse getKafkaConfigsV2(
             @RequestParam(value = "kafkaConfigName", required = false) String 
kafkaConfigName,
+            @RequestParam(value = "project", required = true) String project,
             @RequestParam(value = "pageOffset", required = false, defaultValue 
= "0") Integer pageOffset,
             @RequestParam(value = "pageSize", required = false, defaultValue = 
"10") Integer pageSize)
             throws IOException {
@@ -105,7 +107,7 @@ public class StreamingControllerV2 extends BasicController {
         int limit = pageSize;
 
         return new EnvelopeResponse(ResponseCode.CODE_SUCCESS,
-                kafkaConfigService.getKafkaConfigs(kafkaConfigName, limit, 
offset), "");
+                kafkaConfigService.getKafkaConfigs(kafkaConfigName, project, 
limit, offset), "");
     }
 
     /**
@@ -145,7 +147,7 @@ public class StreamingControllerV2 extends BasicController {
             }
             try {
                 streamingConfig.setUuid(UUID.randomUUID().toString());
-                streamingService.createStreamingConfig(streamingConfig);
+                streamingService.createStreamingConfig(streamingConfig, 
project);
                 saveStreamingSuccess = true;
             } catch (IOException e) {
                 logger.error("Failed to save StreamingConfig:" + 
e.getLocalizedMessage(), e);
@@ -153,11 +155,11 @@ public class StreamingControllerV2 extends 
BasicController {
             }
             try {
                 kafkaConfig.setUuid(UUID.randomUUID().toString());
-                kafkaConfigService.createKafkaConfig(kafkaConfig);
+                kafkaConfigService.createKafkaConfig(kafkaConfig, project);
                 saveKafkaSuccess = true;
             } catch (IOException e) {
                 try {
-                    streamingService.dropStreamingConfig(streamingConfig);
+                    streamingService.dropStreamingConfig(streamingConfig, 
project);
                 } catch (IOException e1) {
                     throw new 
InternalErrorException(msg.getCREATE_KAFKA_CONFIG_FAIL());
                 }
@@ -171,15 +173,15 @@ public class StreamingControllerV2 extends 
BasicController {
                     StreamingConfig sConfig = 
streamingService.getStreamingManager()
                             .getStreamingConfig(streamingConfig.getName());
                     try {
-                        streamingService.dropStreamingConfig(sConfig);
+                        streamingService.dropStreamingConfig(sConfig, project);
                     } catch (IOException e) {
                         throw new 
InternalErrorException(msg.getROLLBACK_STREAMING_CONFIG_FAIL());
                     }
                 }
                 if (saveKafkaSuccess == true) {
                     try {
-                        KafkaConfig kConfig = 
kafkaConfigService.getKafkaConfig(kafkaConfig.getName());
-                        kafkaConfigService.dropKafkaConfig(kConfig);
+                        KafkaConfig kConfig = 
kafkaConfigService.getKafkaConfig(kafkaConfig.getName(), project);
+                        kafkaConfigService.dropKafkaConfig(kConfig, project);
                     } catch (IOException e) {
                         throw new 
InternalErrorException(msg.getROLLBACK_KAFKA_CONFIG_FAIL());
                     }
@@ -196,36 +198,37 @@ public class StreamingControllerV2 extends 
BasicController {
 
         StreamingConfig streamingConfig = 
deserializeSchemalDescV2(streamingRequest);
         KafkaConfig kafkaConfig = 
deserializeKafkaSchemalDescV2(streamingRequest);
+        String project = streamingRequest.getProject();
 
         if (streamingConfig == null) {
             throw new 
BadRequestException(msg.getINVALID_STREAMING_CONFIG_DEFINITION());
         }
         try {
-            streamingService.updateStreamingConfig(streamingConfig);
+            streamingService.updateStreamingConfig(streamingConfig, project);
         } catch (AccessDeniedException accessDeniedException) {
             throw new 
ForbiddenException(msg.getUPDATE_STREAMING_CONFIG_NO_RIGHT());
         }
 
         try {
-            kafkaConfigService.updateKafkaConfig(kafkaConfig);
+            kafkaConfigService.updateKafkaConfig(kafkaConfig, project);
         } catch (AccessDeniedException accessDeniedException) {
             throw new 
ForbiddenException(msg.getUPDATE_KAFKA_CONFIG_NO_RIGHT());
         }
     }
 
-    @RequestMapping(value = "/{configName}", method = { RequestMethod.DELETE 
}, produces = {
+    @RequestMapping(value = "/{project}/{configName}", method = { 
RequestMethod.DELETE }, produces = {
             "application/vnd.apache.kylin-v2+json" })
     @ResponseBody
-    public void deleteConfigV2(@PathVariable String configName) throws 
IOException {
+    public void deleteConfigV2(@PathVariable String project, @PathVariable 
String configName) throws IOException {
         Message msg = MsgPicker.getMsg();
 
         StreamingConfig config = 
streamingService.getStreamingManager().getStreamingConfig(configName);
-        KafkaConfig kafkaConfig = 
kafkaConfigService.getKafkaConfig(configName);
+        KafkaConfig kafkaConfig = 
kafkaConfigService.getKafkaConfig(configName, project);
         if (null == config) {
             throw new 
BadRequestException(String.format(msg.getSTREAMING_CONFIG_NOT_FOUND(), 
configName));
         }
-        streamingService.dropStreamingConfig(config);
-        kafkaConfigService.dropKafkaConfig(kafkaConfig);
+        streamingService.dropStreamingConfig(config, project);
+        kafkaConfigService.dropKafkaConfig(kafkaConfig, project);
     }
 
     private TableDesc deserializeTableDescV2(StreamingRequest 
streamingRequest) throws IOException {
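Review bot: The `project` that `deleteConfigV2` authorises against is a caller-chosen path variable, and nothing in this hunk ties it to the config being deleted. `getStreamingConfig(configName)` and, per the KafkaConfigService hunk of this commit, `getKafkaManager().getKafkaConfig(configName)` look the object up by name alone, so a user with write permission on one project could name that project in the URL and still act on a config owned by another. Resolve the owning project from the config itself, or reject the request when it does not match `project`, before calling `dropStreamingConfig` and `dropKafkaConfig`. The update handler earlier in this hunk has the same gap with `streamingRequest.getProject()`, as do `getKafkaConfig`, `updateKafkaConfig` and `dropKafkaConfig` in KafkaConfigService. StreamingService's side of the check is not visible here.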

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/controller2/TableControllerV2.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/TableControllerV2.java
 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/TableControllerV2.java
index 5a500b8..39c6c32 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/controller2/TableControllerV2.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/controller2/TableControllerV2.java
@@ -79,7 +79,7 @@ public class TableControllerV2 extends BasicController {
      * @return Table metadata array
      * @throws IOException
      */
-    @RequestMapping(value = "/{tableName:.+}", method = { RequestMethod.GET }, 
produces = {
+    @RequestMapping(value = "/{project}/{tableName:.+}", method = { 
RequestMethod.GET }, produces = {
             "application/vnd.apache.kylin-v2+json" })
     @ResponseBody
     public EnvelopeResponse getTableDescV2(@PathVariable String tableName, 
@PathVariable String project) {

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java 
b/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java
index ae7ac6e..a46b866 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java
@@ -273,6 +273,11 @@ public class AccessService {
         return AclEntityFactory.createAclEntity(entityType, uuid);
     }
 
+    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN +
+            " or hasPermission(#ae, 'ADMINISTRATION')" +
+            " or hasPermission(#ae, 'MANAGEMENT')" +
+            " or hasPermission(#ae, 'OPERATION')" +
+            " or hasPermission(#ae, 'READ')")
     public Acl getAcl(AclEntity ae) {
         if (null == ae) {
             return null;
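Review bot: The new `@PreAuthorize` on `getAcl` is evaluated before the method's own `if (null == ae)` guard, so for a non-admin caller a null `ae` now reaches `hasPermission(#ae, ...)` instead of the guard. How the permission evaluator treats a null target is not visible here; presumably it denies, which would turn the previous `null` return into an `AccessDeniedException` for callers that relied on it. Either document that on the method, e.g. `// null entity: admins get null, everyone else is denied by @PreAuthorize`, or prepend `#ae == null or` to the expression if the old behaviour is wanted. The body of `getAcl` continues past this hunk.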

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/CubeService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/CubeService.java 
b/server-base/src/main/java/org/apache/kylin/rest/service/CubeService.java
index 4820ccd..16e94c7 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/CubeService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/CubeService.java
@@ -58,13 +58,12 @@ import org.apache.kylin.rest.request.MetricsRequest;
 import org.apache.kylin.rest.response.HBaseResponse;
 import org.apache.kylin.rest.response.MetricsResponse;
 import org.apache.kylin.rest.security.AclPermission;
-import org.apache.kylin.rest.util.AclUtil;
+import org.apache.kylin.rest.util.AclEvaluate;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.access.AccessDeniedException;
-import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
@@ -99,18 +98,19 @@ public class CubeService extends BasicService {
     private ModelService modelService;
 
     @Autowired
-    private AclUtil aclUtil;
+    private AclEvaluate aclEvaluate;
 
-    @PostFilter(Constant.ACCESS_POST_FILTER_READ)
     public List<CubeInstance> listAllCubes(final String cubeName, final String 
projectName, final String modelName,
-            boolean exactMatch) {
+                                           boolean exactMatch) {
         List<CubeInstance> cubeInstances = null;
         ProjectInstance project = (null != projectName) ? 
getProjectManager().getProject(projectName) : null;
 
         if (null == project) {
             cubeInstances = getCubeManager().listAllCubes();
+            aclEvaluate.checkIsGlobalAdmin();
         } else {
             cubeInstances = listAllCubes(projectName);
+            aclEvaluate.hasProjectReadPermission(project);
         }
 
         List<CubeInstance> filterModelCubes = new ArrayList<CubeInstance>();
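Review bot: In `listAllCubes` the calls `aclEvaluate.checkIsGlobalAdmin()` and `aclEvaluate.hasProjectReadPermission(project)` run after the cubes have already been fetched, and the result of `hasProjectReadPermission` is discarded. AclEvaluate is not in this hunk, so the call enforces anything only if it throws on denial rather than returning `false`; the removed `aclUtil.hasProjectReadPermission(...)` in `listCubeDrafts` was used as an `if` condition. Move each check ahead of the fetch, as `ModelService.listAllModels` does in this commit, and either use a `check…` name as HybridService and JobService do or add `// throws AccessDeniedException when denied; return value unused`. The same discarded-return calls appear in the other CubeService hunks (`hasProjectWritePermission`, `hasProjectOperationPermission`) and in `ModelService.listAllModels`. The method body continues outside the hunk.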
@@ -141,10 +141,8 @@ public class CubeService extends BasicService {
         return filterCubes;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'MANAGEMENT')")
     public CubeInstance updateCubeCost(CubeInstance cube, int cost) throws 
IOException {
-
+        aclEvaluate.hasProjectWritePermission(cube.getProjectInstance());
         if (cube.getCost() == cost) {
             // Do nothing
             return cube;
@@ -235,10 +233,9 @@ public class CubeService extends BasicService {
         return false;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'MANAGEMENT')")
     public CubeDesc updateCubeAndDesc(CubeInstance cube, CubeDesc desc, String 
newProjectName, boolean forceUpdate)
             throws IOException {
+        aclEvaluate.hasProjectWritePermission(cube.getProjectInstance());
         Message msg = MsgPicker.getMsg();
 
         final List<CubingJob> cubingJobs = 
jobService.listJobsByRealizationName(cube.getName(), null,
@@ -268,9 +265,8 @@ public class CubeService extends BasicService {
         return updatedCubeDesc;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'MANAGEMENT')")
     public void deleteCube(CubeInstance cube) throws IOException {
+        aclEvaluate.hasProjectWritePermission(cube.getProjectInstance());
         Message msg = MsgPicker.getMsg();
 
         final List<CubingJob> cubingJobs = 
jobService.listJobsByRealizationName(cube.getName(), null,
@@ -299,9 +295,8 @@ public class CubeService extends BasicService {
      * @throws IOException
      * @throws JobException
      */
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'OPERATION') or hasPermission(#cube, 'MANAGEMENT')")
     public CubeInstance purgeCube(CubeInstance cube) throws IOException {
+        aclEvaluate.hasProjectOperationPermission(cube.getProjectInstance());
         Message msg = MsgPicker.getMsg();
 
         String cubeName = cube.getName();
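Review bot: `purgeCube` is gated on `hasProjectOperationPermission`, while `disableCube` and `enableCube` in the next two hunks now require `hasProjectWritePermission`, although the removed annotations gave all three the same `ADMINISTRATION`/`OPERATION`/`MANAGEMENT` set. If write is the stricter level, the method that (judging by its name) discards a cube's built data is easier to reach than the ones that toggle its status; AclEvaluate is not visible here, so confirm the split is intended. A one-line comment above each check stating the required level and the reason, e.g. `// project OPERATION or above may purge`, would make the policy reviewable in place. The bodies of these methods continue outside their hunks.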
@@ -322,9 +317,8 @@ public class CubeService extends BasicService {
      * @throws IOException
      * @throws JobException
      */
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'OPERATION') or hasPermission(#cube, 'MANAGEMENT')")
     public CubeInstance disableCube(CubeInstance cube) throws IOException {
+        aclEvaluate.hasProjectWritePermission(cube.getProjectInstance());
         Message msg = MsgPicker.getMsg();
 
         String cubeName = cube.getName();
@@ -352,9 +346,8 @@ public class CubeService extends BasicService {
      * @return
      * @throws IOException
      */
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'OPERATION')  or hasPermission(#cube, 'MANAGEMENT')")
     public CubeInstance enableCube(CubeInstance cube) throws IOException {
+        aclEvaluate.hasProjectWritePermission(cube.getProjectInstance());
         Message msg = MsgPicker.getMsg();
 
         String cubeName = cube.getName();
@@ -441,27 +434,24 @@ public class CubeService extends BasicService {
         return hr;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'OPERATION')  or hasPermission(#cube, 'MANAGEMENT')")
     public void updateCubeNotifyList(CubeInstance cube, List<String> 
notifyList) throws IOException {
+        aclEvaluate.hasProjectOperationPermission(cube.getProjectInstance());
         CubeDesc desc = cube.getDescriptor();
         desc.setNotifyList(notifyList);
         getCubeDescManager().updateCubeDesc(desc);
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'OPERATION')  or hasPermission(#cube, 'MANAGEMENT')")
     public CubeInstance rebuildLookupSnapshot(CubeInstance cube, String 
segmentName, String lookupTable)
             throws IOException {
+        aclEvaluate.hasProjectOperationPermission(cube.getProjectInstance());
         CubeSegment seg = cube.getSegment(segmentName, 
SegmentStatusEnum.READY);
         getCubeManager().buildSnapshotTable(seg, lookupTable);
 
         return cube;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'OPERATION')  or hasPermission(#cube, 'MANAGEMENT')")
     public CubeInstance deleteSegment(CubeInstance cube, String segmentName) 
throws IOException {
+        aclEvaluate.hasProjectOperationPermission(cube.getProjectInstance());
         Message msg = MsgPicker.getMsg();
 
         if (!segmentName.equals(cube.getSegments().get(0).getName())
@@ -641,7 +631,7 @@ public class CubeService extends BasicService {
     }
 
     @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'MANAGEMENT')")
+            + " or hasPermission(#project, 'ADMINISTRATION') or 
hasPermission(#project, 'MANAGEMENT')")
     public void saveDraft(ProjectInstance project, CubeInstance cube, String 
uuid, RootPersistentEntity... entities)
             throws IOException {
         Draft draft = new Draft();
@@ -662,12 +652,12 @@ public class CubeService extends BasicService {
     }
 
     public void deleteDraft(Draft draft) throws IOException {
+        
aclEvaluate.hasProjectWritePermission(getProjectManager().getProject(draft.getProject()));
         getDraftManager().delete(draft.getUuid());
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'MANAGEMENT')")
     public CubeDesc updateCube(CubeInstance cube, CubeDesc desc, 
ProjectInstance project) throws IOException {
+        aclEvaluate.hasProjectWritePermission(cube.getProjectInstance());
         Message msg = MsgPicker.getMsg();
         String projectName = project.getName();
 
@@ -690,8 +680,8 @@ public class CubeService extends BasicService {
         return desc;
     }
 
-    public Draft getCubeDraft(String cubeName) throws IOException {
-        for (Draft d : listCubeDrafts(cubeName, null, null, true)) {
+    public Draft getCubeDraft(String cubeName, String projectName) throws 
IOException {
+        for (Draft d : listCubeDrafts(cubeName, null, projectName, true)) {
             return d;
         }
         return null;
@@ -699,6 +689,11 @@ public class CubeService extends BasicService {
 
     public List<Draft> listCubeDrafts(String cubeName, String modelName, 
String project, boolean exactMatch)
             throws IOException {
+        if (null == project) {
+            aclEvaluate.checkIsGlobalAdmin();
+        } else {
+            
aclEvaluate.hasProjectReadPermission(getProjectManager().getProject(project));
+        }
         List<Draft> result = new ArrayList<>();
 
         for (Draft d : getDraftManager().list(project)) {
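Review bot: `listCubeDrafts` passes `getProjectManager().getProject(project)` straight to `hasProjectReadPermission`, and that lookup can apparently return null for an unknown name, since `listAllCubes` in this file tests for exactly that and falls back to `checkIsGlobalAdmin()`. What the check does with a null ProjectInstance is not visible here, so handle it explicitly: resolve the project first and call `aclEvaluate.checkIsGlobalAdmin()` when either the argument or the lookup result is null. `deleteDraft` in the previous hunk has the same unguarded lookup through `draft.getProject()`. The loop body continues outside the hunk.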
@@ -712,34 +707,6 @@ public class CubeService extends BasicService {
                 }
             }
         }
-
-        List<Draft> filtered = new ArrayList<>();
-
-        // if cube's there, follow cube permission. otherwise follow project 
permission
-        for (Draft d : result) {
-            CubeDesc desc = (CubeDesc) d.getEntity();
-            CubeInstance cube = getCubeManager().getCube(desc.getName());
-
-            if (cube == null) {
-                try {
-                    project = project == null ? d.getProject() : project;
-                    if 
(aclUtil.hasProjectReadPermission(getProjectManager().getProject(project))) {
-                        filtered.add(d);
-                    }
-                } catch (Exception e) {
-                    // do nothing
-                }
-            } else {
-                try {
-                    if (aclUtil.hasCubeReadPermission(cube)) {
-                        filtered.add(d);
-                    }
-                } catch (Exception e) {
-                    // do nothing
-                }
-            }
-        }
-
-        return filtered;
+        return result;
     }
 }

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/DiagnosisService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/DiagnosisService.java 
b/server-base/src/main/java/org/apache/kylin/rest/service/DiagnosisService.java
index 35b018c..50f9c56 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/service/DiagnosisService.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/service/DiagnosisService.java
@@ -27,13 +27,13 @@ import org.apache.kylin.common.KylinConfig;
 import org.apache.kylin.common.util.CliCommandExecutor;
 import org.apache.kylin.common.util.Pair;
 import org.apache.kylin.metadata.badquery.BadQueryHistory;
-import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.exception.BadRequestException;
 import org.apache.kylin.rest.msg.Message;
 import org.apache.kylin.rest.msg.MsgPicker;
+import org.apache.kylin.rest.util.AclEvaluate;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 import com.google.common.io.Files;
@@ -47,6 +47,12 @@ public class DiagnosisService extends BasicService {
         return Files.createTempDir();
     }
 
+    @Autowired
+    private AclEvaluate aclEvaluate;
+
+    @Autowired
+    private JobService jobService;
+
     private String getDiagnosisPackageName(File destDir) {
         Message msg = MsgPicker.getMsg();
 
@@ -66,23 +72,23 @@ public class DiagnosisService extends BasicService {
         throw new 
BadRequestException(String.format(msg.getDIAG_PACKAGE_NOT_FOUND(), 
destDir.getAbsolutePath()));
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
     public BadQueryHistory getProjectBadQueryHistory(String project) throws 
IOException {
+        aclEvaluate.checkProjectOperationPermission(project);
         return getBadQueryHistoryManager().getBadQueriesForProject(project);
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
     public String dumpProjectDiagnosisInfo(String project) throws IOException {
+        aclEvaluate.checkProjectOperationPermission(project);
         File exportPath = getDumpDir();
         String[] args = { project, exportPath.getAbsolutePath() };
         runDiagnosisCLI(args);
         return getDiagnosisPackageName(exportPath);
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
     public String dumpJobDiagnosisInfo(String jobId) throws IOException {
+        
aclEvaluate.checkProjectOperationPermission(jobService.getJobInstance(jobId));
         File exportPath = getDumpDir();
-        String[] args = { jobId, exportPath.getAbsolutePath() };
+        String[] args = {jobId, exportPath.getAbsolutePath()};
         runDiagnosisCLI(args);
         return getDiagnosisPackageName(exportPath);
     }
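Review bot: These three methods drop from `ACCESS_HAS_ROLE_ADMIN` to a project-level operation check, yet `project` and `jobId` are still handed unvalidated to `runDiagnosisCLI(args)`, whose body is outside the hunk. With a wider set of callers, confirm that the CLI does not interpolate those strings into a shell command line. Also confirm that the package it produces holds only the named project's or job's data, since server-wide logs or configuration in the dump were previously reachable by admins only. In `dumpJobDiagnosisInfo`, if `jobService.getJobInstance(jobId)` can return null for an unknown id, test for that and throw a `BadRequestException` before calling `checkProjectOperationPermission`.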

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/HybridService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/HybridService.java 
b/server-base/src/main/java/org/apache/kylin/rest/service/HybridService.java
index b718edf..cad39b4 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/HybridService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/HybridService.java
@@ -27,13 +27,12 @@ import org.apache.kylin.metadata.model.DataModelDesc;
 import org.apache.kylin.metadata.project.ProjectInstance;
 import org.apache.kylin.metadata.project.RealizationEntry;
 import org.apache.kylin.metadata.realization.RealizationType;
-import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.job.HybridCubeCLI;
+import org.apache.kylin.rest.util.AclEvaluate;
 import org.apache.kylin.storage.hybrid.HybridInstance;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.access.prepost.PostFilter;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 @Component("hybridService")
@@ -41,8 +40,11 @@ public class HybridService extends BasicService {
 
     private static final Logger logger = 
LoggerFactory.getLogger(HybridService.class);
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
+    @Autowired
+    private AclEvaluate aclEvaluate;
+
     public HybridInstance createHybridCube(String hybridName, String 
projectName, String modelName, String[] cubeNames) {
+        aclEvaluate.checkProjectWritePermission(projectName);
         List<String> args = new ArrayList<String>();
         args.add("-name");
         args.add(hybridName);
@@ -63,8 +65,8 @@ public class HybridService extends BasicService {
         return getHybridInstance(hybridName);
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or hasPermission(#cube, 
'ADMINISTRATION') or hasPermission(#cube, 'MANAGEMENT')")
     public HybridInstance updateHybridCube(String hybridName, String 
projectName, String modelName, String[] cubeNames) {
+        aclEvaluate.checkProjectWritePermission(projectName);
         List<String> args = new ArrayList<String>();
         args.add("-name");
         args.add(hybridName);
@@ -85,8 +87,8 @@ public class HybridService extends BasicService {
         return getHybridInstance(hybridName);
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or hasPermission(#cube, 
'ADMINISTRATION') or hasPermission(#cube, 'MANAGEMENT')")
     public void deleteHybridCube(String hybridName, String projectName, String 
modelName) {
+        aclEvaluate.checkProjectWritePermission(projectName);
         List<String> args = new ArrayList<String>();
         args.add("-name");
         args.add(hybridName);
@@ -109,8 +111,8 @@ public class HybridService extends BasicService {
         return hybridInstance;
     }
 
-    @PostFilter(Constant.ACCESS_POST_FILTER_READ)
     public List<HybridInstance> listHybrids(final String projectName, final 
String modelName) {
+        aclEvaluate.checkProjectReadPermission(projectName);
         ProjectInstance project = (null != projectName) ? 
getProjectManager().getProject(projectName) : null;
         List<HybridInstance> hybridsInProject = new 
ArrayList<HybridInstance>();
 
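Review bot: `listHybrids` calls `aclEvaluate.checkProjectReadPermission(projectName)` unconditionally, but the very next line treats `projectName` as optional (`(null != projectName) ? … : null`). The other list methods in this commit (`listAllCubes`, `listAllModels`, `innerSearchCubingJobs`) branch on null and call `checkIsGlobalAdmin()` in that case; here the outcome for a null name depends on AclEvaluate, which is not visible. Use the same branch: `if (null == projectName) { aclEvaluate.checkIsGlobalAdmin(); } else { aclEvaluate.checkProjectReadPermission(projectName); }`. The method body continues outside the hunk.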

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/JobService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/JobService.java 
b/server-base/src/main/java/org/apache/kylin/rest/service/JobService.java
index 5dafa08..346b131 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/JobService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/JobService.java
@@ -50,10 +50,10 @@ import org.apache.kylin.job.execution.Output;
 import org.apache.kylin.job.lock.JobLock;
 import org.apache.kylin.metadata.model.SegmentStatusEnum;
 import org.apache.kylin.metadata.realization.RealizationStatusEnum;
-import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.exception.BadRequestException;
 import org.apache.kylin.rest.msg.Message;
 import org.apache.kylin.rest.msg.MsgPicker;
+import org.apache.kylin.rest.util.AclEvaluate;
 import org.apache.kylin.source.ISource;
 import org.apache.kylin.source.SourceFactory;
 import org.apache.kylin.source.SourcePartition;
@@ -63,7 +63,6 @@ import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;
 
 import javax.annotation.Nullable;
@@ -93,6 +92,9 @@ public class JobService extends BasicService implements 
InitializingBean {
     @Qualifier("accessService")
     private AccessService accessService;
 
+    @Autowired
+    private AclEvaluate aclEvaluate;
+
     /*
     * (non-Javadoc)
     *
@@ -198,11 +200,10 @@ public class JobService extends BasicService implements 
InitializingBean {
         }
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#cube, 'ADMINISTRATION') or 
hasPermission(#cube, 'OPERATION') or hasPermission(#cube, 'MANAGEMENT')")
     public JobInstance submitJob(CubeInstance cube, long startDate, long 
endDate, long startOffset, long endOffset, //
-                                 Map<Integer, Long> 
sourcePartitionOffsetStart, Map<Integer, Long> sourcePartitionOffsetEnd,
-                                 CubeBuildTypeEnum buildType, boolean force, 
String submitter) throws IOException {
+            Map<Integer, Long> sourcePartitionOffsetStart, Map<Integer, Long> 
sourcePartitionOffsetEnd,
+            CubeBuildTypeEnum buildType, boolean force, String submitter) 
throws IOException {
+        aclEvaluate.checkProjectOperationPermission(cube);
         JobInstance jobInstance = submitJobInternal(cube, startDate, endDate, 
startOffset, endOffset, sourcePartitionOffsetStart,
                 sourcePartitionOffsetEnd, buildType, force, submitter);
 
@@ -313,21 +314,18 @@ public class JobService extends BasicService implements 
InitializingBean {
         return result;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#job, 'ADMINISTRATION') or 
hasPermission(#job, 'OPERATION') or hasPermission(#job, 'MANAGEMENT')")
     public void resumeJob(JobInstance job) {
+        aclEvaluate.checkProjectOperationPermission(job);
         getExecutableManager().resumeJob(job.getId());
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#job, 'ADMINISTRATION') or 
hasPermission(#job, 'OPERATION') or hasPermission(#job, 'MANAGEMENT')")
     public void rollbackJob(JobInstance job, String stepId) {
+        aclEvaluate.checkProjectOperationPermission(job);
         getExecutableManager().rollbackJob(job.getId(), stepId);
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#job, 'ADMINISTRATION') or 
hasPermission(#job, 'OPERATION') or hasPermission(#job, 'MANAGEMENT')")
     public JobInstance cancelJob(JobInstance job) throws IOException {
+        aclEvaluate.checkProjectOperationPermission(job);
         if (null == job.getRelatedCube() || null == 
getCubeManager().getCube(job.getRelatedCube()) || null == 
job.getRelatedSegment()) {
             getExecutableManager().discardJob(job.getId());
             return job;
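Review bot: `cancelJob` now calls `checkProjectOperationPermission(job)` first, but the branch directly below it exists for jobs whose related cube is null or no longer registered. How AclEvaluate derives a project from a `JobInstance` is not visible here; if it goes through the related cube, such orphaned jobs would fail the check or hit a null dereference before `discardJob` is reached. Confirm the lookup handles a missing cube and say so in a comment above the check, e.g. `// project is resolved from the job itself, not from the related cube`. `resumeJob` and `rollbackJob` in this hunk and `pauseJob` and `dropJob` in the next take the same path. The body of `cancelJob` continues outside the hunk.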
@@ -349,16 +347,14 @@ public class JobService extends BasicService implements 
InitializingBean {
         return job;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#job, 'ADMINISTRATION') or 
hasPermission(#job, 'OPERATION') or hasPermission(#job, 'MANAGEMENT')")
     public JobInstance pauseJob(JobInstance job) {
+        aclEvaluate.checkProjectOperationPermission(job);
         getExecutableManager().pauseJob(job.getId());
         return job;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#job, 'ADMINISTRATION') or 
hasPermission(#job, 'OPERATION') or hasPermission(#job, 'MANAGEMENT')")
     public void dropJob(JobInstance job) throws IOException {
+        aclEvaluate.checkProjectOperationPermission(job);
         getExecutableManager().deleteJob(job.getId());
     }
 
@@ -397,7 +393,12 @@ public class JobService extends BasicService implements 
InitializingBean {
     }
 
     public List<JobInstance> innerSearchCubingJobs(final String cubeName, 
final String jobName,
-                                                   final String projectName, 
final List<JobStatusEnum> statusList, final JobTimeFilterEnum timeFilter) {
+            final String projectName, final List<JobStatusEnum> statusList, 
final JobTimeFilterEnum timeFilter) {
+        if (null == projectName) {
+            aclEvaluate.checkIsGlobalAdmin();
+        } else {
+            aclEvaluate.checkProjectOperationPermission(projectName);
+        }
         // prepare time range
         Calendar calendar = Calendar.getInstance();
         calendar.setTime(new Date());

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/KafkaConfigService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/KafkaConfigService.java
 
b/server-base/src/main/java/org/apache/kylin/rest/service/KafkaConfigService.java
index 0dbe6f2..3983a30 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/service/KafkaConfigService.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/service/KafkaConfigService.java
@@ -22,18 +22,19 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 
-import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.exception.BadRequestException;
 import org.apache.kylin.rest.msg.Message;
 import org.apache.kylin.rest.msg.MsgPicker;
+import org.apache.kylin.rest.util.AclEvaluate;
 import org.apache.kylin.source.kafka.config.KafkaConfig;
-import org.springframework.security.access.prepost.PostFilter;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 @Component("kafkaMgmtService")
 public class KafkaConfigService extends BasicService {
+    @Autowired
+    private AclEvaluate aclEvaluate;
 
-    @PostFilter(Constant.ACCESS_POST_FILTER_READ)
     public List<KafkaConfig> listAllKafkaConfigs(final String kafkaConfigName) 
throws IOException {
         List<KafkaConfig> kafkaConfigs = new ArrayList<KafkaConfig>();
         //        CubeInstance cubeInstance = (null != cubeName) ? 
getCubeManager().getCube(cubeName) : null;
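Review bot: `listAllKafkaConfigs` loses its `@PostFilter` and gets no replacement check, and the part of its body outside this hunk is untouched by the commit, so this public method now returns every Kafka config to any caller. `getKafkaConfigs` in the next hunk checks write permission on `project` and then pages over the result of `listAllKafkaConfigs(kafkaConfigName)` unfiltered, so the project argument gates the call but not the rows returned. Filter the list down to configs that belong to `project`, or guard `listAllKafkaConfigs` itself with `aclEvaluate.checkIsGlobalAdmin()` and document that project-scoped callers must filter.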
@@ -51,8 +52,8 @@ public class KafkaConfigService extends BasicService {
         return kafkaConfigs;
     }
 
-    public List<KafkaConfig> getKafkaConfigs(final String kafkaConfigName, 
final Integer limit, final Integer offset) throws IOException {
-
+    public List<KafkaConfig> getKafkaConfigs(final String kafkaConfigName, 
final String project, final Integer limit, final Integer offset) throws 
IOException {
+        aclEvaluate.checkProjectWritePermission(project);
         List<KafkaConfig> kafkaConfigs;
         kafkaConfigs = listAllKafkaConfigs(kafkaConfigName);
 
@@ -67,7 +68,8 @@ public class KafkaConfigService extends BasicService {
         return kafkaConfigs.subList(offset, offset + limit);
     }
 
-    public KafkaConfig createKafkaConfig(KafkaConfig config) throws 
IOException {
+    public KafkaConfig createKafkaConfig(KafkaConfig config, String project) 
throws IOException {
+        aclEvaluate.checkProjectWritePermission(project);
         Message msg = MsgPicker.getMsg();
 
         if (getKafkaManager().getKafkaConfig(config.getName()) != null) {
@@ -77,17 +79,18 @@ public class KafkaConfigService extends BasicService {
         return config;
     }
 
-    //    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or 
hasPermission(#desc, 'ADMINISTRATION') or hasPermission(#desc, 'MANAGEMENT')")
-    public KafkaConfig updateKafkaConfig(KafkaConfig config) throws 
IOException {
+    public KafkaConfig updateKafkaConfig(KafkaConfig config, String project) 
throws IOException {
+        aclEvaluate.checkProjectWritePermission(project);
         return getKafkaManager().updateKafkaConfig(config);
     }
 
-    public KafkaConfig getKafkaConfig(String configName) throws IOException {
+    public KafkaConfig getKafkaConfig(String configName, String project) 
throws IOException {
+        aclEvaluate.checkProjectWritePermission(project);
         return getKafkaManager().getKafkaConfig(configName);
     }
 
-    //    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or 
hasPermission(#desc, 'ADMINISTRATION') or hasPermission(#desc, 'MANAGEMENT')")
-    public void dropKafkaConfig(KafkaConfig config) throws IOException {
+    public void dropKafkaConfig(KafkaConfig config, String project) throws 
IOException {
+        aclEvaluate.checkProjectWritePermission(project);
         getKafkaManager().removeKafkaConfig(config);
     }
 }

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/ModelService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/ModelService.java 
b/server-base/src/main/java/org/apache/kylin/rest/service/ModelService.java
index d95dff8..4efb894 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/ModelService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/ModelService.java
@@ -37,19 +37,17 @@ import org.apache.kylin.metadata.model.ModelDimensionDesc;
 import org.apache.kylin.metadata.model.TableDesc;
 import org.apache.kylin.metadata.model.TblColRef;
 import org.apache.kylin.metadata.project.ProjectInstance;
-import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.exception.BadRequestException;
 import org.apache.kylin.rest.exception.ForbiddenException;
 import org.apache.kylin.rest.msg.Message;
 import org.apache.kylin.rest.msg.MsgPicker;
 import org.apache.kylin.rest.security.AclPermission;
+import org.apache.kylin.rest.util.AclEvaluate;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.access.AccessDeniedException;
-import org.springframework.security.access.prepost.PostFilter;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 
@@ -72,14 +70,18 @@ public class ModelService extends BasicService {
     @Qualifier("cubeMgmtService")
     private CubeService cubeService;
 
-    @PostFilter(Constant.ACCESS_POST_FILTER_READ)
+    @Autowired
+    private AclEvaluate aclEvaluate;
+
     public List<DataModelDesc> listAllModels(final String modelName, final 
String projectName, boolean exactMatch) throws IOException {
         List<DataModelDesc> models;
         ProjectInstance project = (null != projectName) ? 
getProjectManager().getProject(projectName) : null;
 
         if (null == project) {
+            aclEvaluate.checkIsGlobalAdmin();
             models = getMetadataManager().getModels();
         } else {
+            aclEvaluate.hasProjectReadPermission(project);
             models = getMetadataManager().getModels(projectName);
         }
 
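Review bot: The result of `aclEvaluate.hasProjectReadPermission(project)` is discarded in the else branch, so listAllModels is protected only if that call throws on denial. ProjectService in this same commit assigns the boolean from that method and catches AccessDeniedException, which suggests it does throw, but AclEvaluate is not shown here, so that is an assumption. A comment such as `// throws AccessDeniedException when the caller lacks READ on the project; return value unused on purpose` would make the contract explicit. Alternatively, route the call through a `check…`-named wrapper, like `checkIsGlobalAdmin()` in the branch above. The same discarded `has…` call appears in createModelDesc, updateModelAndDesc, dropModel, updateModelToResourceStore, getModel and listModelDrafts; listAllModels itself continues past this hunk.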
@@ -114,6 +116,7 @@ public class ModelService extends BasicService {
     }
 
     public DataModelDesc createModelDesc(String projectName, DataModelDesc 
desc) throws IOException {
+        
aclEvaluate.hasProjectWritePermission(getProjectManager().getProject(projectName));
         Message msg = MsgPicker.getMsg();
 
         if (getMetadataManager().getDataModelDesc(desc.getName()) != null) {
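Review bot: The new first statement of createModelDesc passes `getProjectManager().getProject(projectName)` straight into `hasProjectWritePermission`, without handling a null result. listAllModels in this file treats a null result as a real case. What the evaluator does with a null project is not visible here, so whether this ends in a denial, a NullPointerException or something looser is an assumption. Resolving the project once and rejecting it explicitly is safer, e.g. `ProjectInstance project = getProjectManager().getProject(projectName);` then `if (project == null) throw new AccessDeniedException("project access denied");` before the permission call. Using the same denial as the ACL check avoids revealing whether the project exists. updateModelToResourceStore gets the identical line in a later hunk, and createModelDesc's body continues outside this one.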
@@ -131,19 +134,15 @@ public class ModelService extends BasicService {
         return createdDesc;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#desc, 'ADMINISTRATION') or 
hasPermission(#desc, 'MANAGEMENT')")
     public DataModelDesc updateModelAndDesc(DataModelDesc desc) throws 
IOException {
-
+        aclEvaluate.hasProjectWritePermission(desc.getProjectInstance());
         getMetadataManager().updateDataModelDesc(desc);
         return desc;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN
-            + " or hasPermission(#desc, 'ADMINISTRATION') or 
hasPermission(#desc, 'MANAGEMENT')")
     public void dropModel(DataModelDesc desc) throws IOException {
+        aclEvaluate.hasProjectWritePermission(desc.getProjectInstance());
         Message msg = MsgPicker.getMsg();
-
         //check cube desc exist
         List<CubeDesc> cubeDescs = getCubeDescManager().listAllDesc();
         for (CubeDesc cubeDesc : cubeDescs) {
@@ -169,9 +168,9 @@ public class ModelService extends BasicService {
         return getMetadataManager().getModelsUsingTable(table, project);
     }
 
-    public Map<TblColRef, Set<CubeInstance>> getUsedDimCols(String modelName) {
+    public Map<TblColRef, Set<CubeInstance>> getUsedDimCols(String modelName, 
String project) {
         Map<TblColRef, Set<CubeInstance>> ret = Maps.newHashMap();
-        List<CubeInstance> cubeInstances = cubeService.listAllCubes(null, 
null, modelName, true);
+        List<CubeInstance> cubeInstances = cubeService.listAllCubes(null, 
project, modelName, true);
         for (CubeInstance cubeInstance : cubeInstances) {
             CubeDesc cubeDesc = cubeInstance.getDescriptor();
             for (TblColRef tblColRef : 
cubeDesc.listDimensionColumnsIncludingDerived()) {
@@ -186,9 +185,9 @@ public class ModelService extends BasicService {
         return ret;
     }
 
-    public Map<TblColRef, Set<CubeInstance>> getUsedNonDimCols(String 
modelName) {
+    public Map<TblColRef, Set<CubeInstance>> getUsedNonDimCols(String 
modelName, String project) {
         Map<TblColRef, Set<CubeInstance>> ret = Maps.newHashMap();
-        List<CubeInstance> cubeInstances = cubeService.listAllCubes(null, 
null, modelName, true);
+        List<CubeInstance> cubeInstances = cubeService.listAllCubes(null, 
project, modelName, true);
         for (CubeInstance cubeInstance : cubeInstances) {
             CubeDesc cubeDesc = cubeInstance.getDescriptor();
             Set<TblColRef> tblColRefs = 
Sets.newHashSet(cubeDesc.listAllColumns());//make a copy
@@ -205,9 +204,9 @@ public class ModelService extends BasicService {
         return ret;
     }
 
-    private boolean validateUpdatingModel(DataModelDesc dataModelDesc) throws 
IOException {
+    private boolean validateUpdatingModel(DataModelDesc dataModelDesc, String 
project) throws IOException {
         String modelName = dataModelDesc.getName();
-        List<CubeInstance> cubes = cubeService.listAllCubes(null, null, 
modelName, true);
+        List<CubeInstance> cubes = cubeService.listAllCubes(null, project, 
modelName, true);
         if (cubes != null && cubes.size() != 0) {
             dataModelDesc.init(getConfig(), 
getMetadataManager().getAllTablesMap(dataModelDesc.getProject()),
                     getMetadataManager().listDataModels());
@@ -231,8 +230,8 @@ public class ModelService extends BasicService {
                 dimAndMCols.add(measure);
             }
 
-            Set<TblColRef> usedDimCols = getUsedDimCols(modelName).keySet();
-            Set<TblColRef> usedNonDimCols = 
getUsedNonDimCols(modelName).keySet();
+            Set<TblColRef> usedDimCols = getUsedDimCols(modelName, 
project).keySet();
+            Set<TblColRef> usedNonDimCols = getUsedNonDimCols(modelName, 
project).keySet();
 
             for (TblColRef tblColRef : usedDimCols) {
                 if (!dimCols.contains(tblColRef.getTableAlias() + "." + 
tblColRef.getName()))
@@ -244,8 +243,7 @@ public class ModelService extends BasicService {
                     return false;
             }
 
-            DataModelDesc originDataModelDesc = listAllModels(modelName, null, 
true).get(0);
-
+            DataModelDesc originDataModelDesc = listAllModels(modelName, 
project, true).get(0);
             if 
(!dataModelDesc.getRootFactTable().equals(originDataModelDesc.getRootFactTable()))
                 return false;
 
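Review bot: `listAllModels(modelName, project, true).get(0)` can now hit an empty list, because the lookup is scoped to the caller-supplied project instead of `null`. If the model being updated is not registered under that project, the result would be an IndexOutOfBoundsException rather than a clean rejection. This assumes listAllModels filters by name after the project lookup, which is outside this hunk. A guarded form would be `List<DataModelDesc> stored = listAllModels(modelName, project, true);`, `if (stored.isEmpty()) return false;`, `DataModelDesc originDataModelDesc = stored.get(0);`. validateUpdatingModel starts and ends outside this hunk.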
@@ -276,6 +274,7 @@ public class ModelService extends BasicService {
     }
 
     public DataModelDesc updateModelToResourceStore(DataModelDesc modelDesc, 
String projectName) throws IOException {
+        
aclEvaluate.hasProjectWritePermission(getProjectManager().getProject(projectName));
         Message msg = MsgPicker.getMsg();
         
         modelDesc.setDraft(false);
@@ -288,7 +287,7 @@ public class ModelService extends BasicService {
                 modelDesc = createModelDesc(projectName, modelDesc);
             } else {
                 // update
-                if (!validateUpdatingModel(modelDesc)) {
+                if (!validateUpdatingModel(modelDesc, projectName)) {
                     throw new 
BadRequestException(msg.getUPDATE_MODEL_KEY_FIELD());
                 }
                 modelDesc = updateModelAndDesc(modelDesc);
@@ -304,17 +303,35 @@ public class ModelService extends BasicService {
         return modelDesc;
     }
 
-    public Draft getModelDraft(String modelName) throws IOException {
-        for (Draft d : listModelDrafts(modelName, null)) {
+    public DataModelDesc getModel(final String modelName, final String 
projectName) throws IOException {
+        ProjectInstance project = (null != projectName) ? 
getProjectManager().getProject(projectName) : null;
+        if (null == project) {
+            aclEvaluate.checkIsGlobalAdmin();
+        } else {
+            aclEvaluate.hasProjectReadPermission(project);
+        }
+
+        return getMetadataManager().getDataModelDesc(modelName);
+    }
+
+    public Draft getModelDraft(String modelName, String projectName) throws 
IOException {
+        for (Draft d : listModelDrafts(modelName, projectName)) {
             return d;
         }
         return null;
     }
-    
-    public List<Draft> listModelDrafts(String modelName, String project) 
throws IOException {
+
+    public List<Draft> listModelDrafts(String modelName,  String projectName) 
throws IOException {
+        ProjectInstance project = (null != projectName) ? 
getProjectManager().getProject(projectName) : null;
+        if (null == project) {
+            aclEvaluate.checkIsGlobalAdmin();
+        } else {
+            aclEvaluate.hasProjectReadPermission(project);
+        }
+
         List<Draft> result = new ArrayList<>();
-        
-        for (Draft d : getDraftManager().list(project)) {
+
+        for (Draft d : getDraftManager().list(projectName)) {
             RootPersistentEntity e = d.getEntity();
             if (e instanceof DataModelDesc) {
                 DataModelDesc m = (DataModelDesc) e;
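Review bot: getModel authorizes against `projectName` but then returns `getMetadataManager().getDataModelDesc(modelName)`, a lookup by name alone. Nothing in the method ties the returned model to the project that was checked, so read permission on one project is enough to fetch a model registered under another. The non-admin path should only return a model that is listed under the authorized project, as sketched below using the `getModels(projectName)` call that listAllModels already relies on. Separately, the same five-line project check now appears in listAllModels, getModel and listModelDrafts and would be easier to audit as one private helper. listModelDrafts continues past the end of this hunk.

```java
    public DataModelDesc getModel(final String modelName, final String projectName) throws IOException {
        // … unchanged: project lookup and global-admin / project-read check …

        if (null == project) {
            // global-admin path: unrestricted lookup by name
            return getMetadataManager().getDataModelDesc(modelName);
        }
        // Only hand back a model that belongs to the project the caller was authorized for.
        for (DataModelDesc model : getMetadataManager().getModels(projectName)) {
            if (model.getName().equals(modelName)) {
                return model;
            }
        }
        return null;
    }
```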

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/ProjectService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/ProjectService.java 
b/server-base/src/main/java/org/apache/kylin/rest/service/ProjectService.java
index cd60128..a369942 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/service/ProjectService.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/service/ProjectService.java
@@ -27,7 +27,6 @@ import java.util.List;
 import javax.annotation.Nullable;
 
 import org.apache.directory.api.util.Strings;
-import org.apache.kylin.cube.CubeInstance;
 import org.apache.kylin.metadata.draft.Draft;
 import org.apache.kylin.metadata.project.ProjectInstance;
 import org.apache.kylin.metadata.project.ProjectManager;
@@ -37,7 +36,7 @@ import org.apache.kylin.rest.exception.BadRequestException;
 import org.apache.kylin.rest.msg.Message;
 import org.apache.kylin.rest.msg.MsgPicker;
 import org.apache.kylin.rest.security.AclPermission;
-import org.apache.kylin.rest.util.AclUtil;
+import org.apache.kylin.rest.util.AclEvaluate;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -70,7 +69,7 @@ public class ProjectService extends BasicService {
     private CubeService cubeService;
 
     @Autowired
-    private AclUtil aclUtil;
+    private AclEvaluate aclEvaluate;
 
     @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
     public ProjectInstance createProject(ProjectInstance newProject) throws 
IOException {
@@ -93,7 +92,7 @@ public class ProjectService extends BasicService {
         return createdProject;
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or 
hasPermission(#currentProject, 'ADMINISTRATION') or 
hasPermission(#currentProject, 'MANAGEMENT')")
+    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or 
hasPermission(#currentProject, 'ADMINISTRATION')")
     public ProjectInstance updateProject(ProjectInstance newProject, 
ProjectInstance currentProject) throws IOException {
         if (!newProject.getName().equals(currentProject.getName())) {
             return renameProject(newProject, currentProject);
@@ -152,7 +151,7 @@ public class ProjectService extends BasicService {
         return projects.subList(coffset, coffset + climit);
     }
 
-    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or 
hasPermission(#project, 'ADMINISTRATION') or hasPermission(#project, 
'MANAGEMENT')")
+    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
     public void deleteProject(String projectName, ProjectInstance project) 
throws IOException {
         getProjectManager().dropProject(projectName);
 
@@ -212,34 +211,18 @@ public class ProjectService extends BasicService {
 
             boolean hasProjectPermission = false;
             try {
-                hasProjectPermission = 
aclUtil.hasProjectReadPermission(projectInstance);
+                hasProjectPermission = 
aclEvaluate.hasProjectReadPermission(projectInstance);
             } catch (AccessDeniedException e) {
                 //ignore to continue
             }
 
-            if (!hasProjectPermission) {
-                List<CubeInstance> cubeInstances = 
cubeService.listAllCubes(projectInstance.getName());
-
-                for (CubeInstance cubeInstance : cubeInstances) {
-                    if (cubeInstance == null) {
-                        continue;
-                    }
-
-                    try {
-                        aclUtil.hasCubeReadPermission(cubeInstance);
-                        hasProjectPermission = true;
-                        break;
-                    } catch (AccessDeniedException e) {
-                        //ignore to continue
-                    }
-                }
-            }
             if (hasProjectPermission) {
                 readableProjects.add(projectInstance);
             }
 
         }
 
+        // listAll method may not need a single param.But almost all listAll 
method pass
         if (!Strings.isEmpty(projectName)) {
             readableProjects = Lists
                     
.newArrayList(Iterators.filter(readableProjects.iterator(), new 
Predicate<ProjectInstance>() {
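Review bot: The comment added above the `Strings.isEmpty(projectName)` filter stops mid-sentence ("But almost all listAll method pass"), so it does not explain what the filter is for. If the intent is that the name is optional but most callers supply one, something like `// projectName is optional: when given, narrow the readable projects to that name` would be clearer. The empty `catch (AccessDeniedException e)` kept just above could also say that a denied project is skipped on purpose, so the listing does not fail as a whole. The enclosing method starts and ends outside this hunk.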

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/QueryService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/QueryService.java 
b/server-base/src/main/java/org/apache/kylin/rest/service/QueryService.java
index a2d6b4d..f469117 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/QueryService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/QueryService.java
@@ -93,7 +93,7 @@ import org.apache.kylin.rest.msg.MsgPicker;
 import org.apache.kylin.rest.request.PrepareSqlRequest;
 import org.apache.kylin.rest.request.SQLRequest;
 import org.apache.kylin.rest.response.SQLResponse;
-import org.apache.kylin.rest.util.AclUtil;
+import org.apache.kylin.rest.util.AclEvaluate;
 import org.apache.kylin.query.util.PushDownUtil;
 import org.apache.kylin.rest.util.TableauInterceptor;
 import org.apache.kylin.storage.hybrid.HybridInstance;
@@ -142,7 +142,7 @@ public class QueryService extends BasicService {
     private ModelService modelService;
 
     @Autowired
-    private AclUtil aclUtil;
+    private AclEvaluate aclEvaluate;
 
     public QueryService() {
         queryStore = ResourceStore.getStore(getConfig());
@@ -231,7 +231,7 @@ public class QueryService extends BasicService {
     }
 
     public void logQuery(final SQLRequest request, final SQLResponse response) 
{
-        final String user = aclUtil.getCurrentUserName();
+        final String user = aclEvaluate.getCurrentUserName();
         final List<String> realizationNames = new LinkedList<>();
         final Set<Long> cuboidIds = new HashSet<Long>();
         float duration = response.getDuration() / (float) 1000;
@@ -289,7 +289,7 @@ public class QueryService extends BasicService {
         //project 
         ProjectInstance projectInstance = 
getProjectManager().getProject(project);
         try {
-            if (aclUtil.hasProjectReadPermission(projectInstance)) {
+            if (aclEvaluate.hasProjectReadPermission(projectInstance)) {
                 return;
             }
         } catch (AccessDeniedException e) {
@@ -325,7 +325,7 @@ public class QueryService extends BasicService {
     }
 
     private void checkCubeAuthorization(CubeInstance cube) throws 
AccessDeniedException {
-        Preconditions.checkState(aclUtil.hasCubeReadPermission(cube));
+        Preconditions.checkState(aclEvaluate.hasCubeReadPermission(cube));
     }
 
     private void checkHybridAuthorization(HybridInstance hybridInstance) 
throws AccessDeniedException {

http://git-wip-us.apache.org/repos/asf/kylin/blob/7a9f74c8/server-base/src/main/java/org/apache/kylin/rest/service/StreamingService.java
----------------------------------------------------------------------
diff --git 
a/server-base/src/main/java/org/apache/kylin/rest/service/StreamingService.java 
b/server-base/src/main/java/org/apache/kylin/rest/service/StreamingService.java
index adae67c..2871285 100644
--- 
a/server-base/src/main/java/org/apache/kylin/rest/service/StreamingService.java
+++ 
b/server-base/src/main/java/org/apache/kylin/rest/service/StreamingService.java
@@ -24,17 +24,18 @@ import java.util.List;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.kylin.metadata.streaming.StreamingConfig;
-import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.exception.BadRequestException;
 import org.apache.kylin.rest.msg.Message;
 import org.apache.kylin.rest.msg.MsgPicker;
-import org.springframework.security.access.prepost.PostFilter;
+import org.apache.kylin.rest.util.AclEvaluate;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 @Component("streamingMgmtService")
 public class StreamingService extends BasicService {
+    @Autowired
+    private AclEvaluate aclEvaluate;
 
-    @PostFilter(Constant.ACCESS_POST_FILTER_READ)
     public List<StreamingConfig> listAllStreamingConfigs(final String table) 
throws IOException {
         List<StreamingConfig> streamingConfigs = new ArrayList();
         if (StringUtils.isEmpty(table)) {
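Review bot: listAllStreamingConfigs stays `public` but loses `@PostFilter(Constant.ACCESS_POST_FILTER_READ)` and gets no `aclEvaluate` call in its place. After this change only getStreamingConfigs, in the next hunk, performs a check before delegating to it. Any other caller, which this page does not show, would receive the full unfiltered list. Either give the method a `project` parameter and start it with `aclEvaluate.checkProjectWritePermission(project);` like its siblings, or, if getStreamingConfigs is its only caller, reduce it to `private`. The method body continues outside this hunk.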
@@ -49,8 +50,8 @@ public class StreamingService extends BasicService {
         return streamingConfigs;
     }
 
-    public List<StreamingConfig> getStreamingConfigs(final String table, final 
Integer limit, final Integer offset) throws IOException {
-
+    public List<StreamingConfig> getStreamingConfigs(final String table, final 
String project, final Integer limit, final Integer offset) throws IOException {
+        aclEvaluate.checkProjectWritePermission(project);
         List<StreamingConfig> streamingConfigs;
         streamingConfigs = listAllStreamingConfigs(table);
 
@@ -65,7 +66,8 @@ public class StreamingService extends BasicService {
         return streamingConfigs.subList(offset, offset + limit);
     }
 
-    public StreamingConfig createStreamingConfig(StreamingConfig config) 
throws IOException {
+    public StreamingConfig createStreamingConfig(StreamingConfig config, 
String project) throws IOException {
+        aclEvaluate.checkProjectWritePermission(project);
         Message msg = MsgPicker.getMsg();
 
         if (getStreamingManager().getStreamingConfig(config.getName()) != 
null) {
@@ -75,13 +77,13 @@ public class StreamingService extends BasicService {
         return streamingConfig;
     }
 
-    //    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or 
hasPermission(#desc, 'ADMINISTRATION') or hasPermission(#desc, 'MANAGEMENT')")
-    public StreamingConfig updateStreamingConfig(StreamingConfig config) 
throws IOException {
+    public StreamingConfig updateStreamingConfig(StreamingConfig config, 
String project) throws IOException {
+        aclEvaluate.checkProjectWritePermission(project);
         return getStreamingManager().updateStreamingConfig(config);
     }
 
-    //    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or 
hasPermission(#desc, 'ADMINISTRATION') or hasPermission(#desc, 'MANAGEMENT')")
-    public void dropStreamingConfig(StreamingConfig config) throws IOException 
{
+    public void dropStreamingConfig(StreamingConfig config, String project) 
throws IOException {
+        aclEvaluate.checkProjectWritePermission(project);
         getStreamingManager().removeStreamingConfig(config);
     }
 
