KYLIN-2555 Implicitly give ADMIN=ADMIN+MODELER+ANALYST and MODELER=MODELER+ANALYST
Project: http://git-wip-us.apache.org/repos/asf/kylin/repo Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/3c70b8b9 Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/3c70b8b9 Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/3c70b8b9 Branch: refs/heads/master-hadoop3.0 Commit: 3c70b8b96176c58b784cda48afee8f560ace848f Parents: 6d6e862 Author: Hongbin Ma <mahong...@apache.org> Authored: Wed Apr 19 19:19:18 2017 +0800 Committer: Hongbin Ma <mahong...@apache.org> Committed: Wed Apr 19 19:21:44 2017 +0800 ---------------------------------------------------------------------- .../rest/security/AuthoritiesPopulator.java | 15 ++++++++---- .../apache/kylin/rest/service/AclService.java | 3 ++- .../apache/kylin/rest/service/UserService.java | 5 ++++ server/src/main/resources/kylinSecurity.xml | 4 ++-- .../rest/controller/UserControllerTest.java | 3 ++- .../kylin/rest/service/ServiceTestBase.java | 25 +++++++++++++++++++- .../kylin/rest/service/UserServiceTest.java | 7 +++--- 7 files changed, 49 insertions(+), 13 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
----------------------------------------------------------------------
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
index 7983fc0..2b290ce 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
@@ -21,6 +21,8 @@ package org.apache.kylin.rest.security;
 import java.util.HashSet;
 import java.util.Set;
+import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang.StringUtils;
 import org.apache.kylin.rest.constant.Constant;
 import org.springframework.ldap.core.ContextSource;
 import org.springframework.security.core.GrantedAuthority;
@@ -33,7 +35,6 @@ import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopul
 */
 public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
- String adminRole;
 SimpleGrantedAuthority adminRoleAsAuthority;
 SimpleGrantedAuthority adminAuthority = new SimpleGrantedAuthority(Constant.ROLE_ADMIN);
@@ -48,12 +49,12 @@ public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
 */
 public AuthoritiesPopulator(ContextSource contextSource, String groupSearchBase, String adminRole, String defaultRole) {
 super(contextSource, groupSearchBase);
- this.adminRole = adminRole;
 this.adminRoleAsAuthority = new SimpleGrantedAuthority(adminRole);
- if (defaultRole.contains(Constant.ROLE_MODELER))
+ String[] defaultRoles = StringUtils.split(defaultRole, ",");
+ if (ArrayUtils.contains(defaultRoles, Constant.ROLE_MODELER))
 this.defaultAuthorities.add(modelerAuthority);
- if (defaultRole.contains(Constant.ROLE_ANALYST))
+ if (ArrayUtils.contains(defaultRoles, Constant.ROLE_ANALYST))
 this.defaultAuthorities.add(analystAuthority);
 }
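Review bot: `StringUtils.split(defaultRole, ",")` keeps surrounding whitespace, so a property written as `ROLE_MODELER, ROLE_ANALYST` (the spacing this same commit uses for `authorities` in kylinSecurity.xml) yields ` ROLE_ANALYST`, which `ArrayUtils.contains` will not match, and that default role is silently dropped. Stripping the tokens removes the dependence on how the value was typed: `String[] defaultRoles = StringUtils.stripAll(StringUtils.split(defaultRole, ","));`. Note also that a null `defaultRole` now passes through (`split` returns null and `ArrayUtils.contains` on a null array is false) where the old `defaultRole.contains(...)` threw; that is a reasonable fail-closed behavior but deserves a comment such as `// defaultRole may be null/empty: then no default authorities are granted`.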
@@ -61,13 +62,17 @@ public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
 public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
 Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
+ authorities.addAll(defaultAuthorities);
+
 if (authorities.contains(adminRoleAsAuthority)) {
 authorities.add(adminAuthority);
 authorities.add(modelerAuthority);
 authorities.add(analystAuthority);
 }
- authorities.addAll(defaultAuthorities);
+ if (authorities.contains(modelerAuthority)) {
+ authorities.add(analystAuthority);
+ }
 return authorities;
 }
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
----------------------------------------------------------------------
diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java b/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
index c0ece1d..b80d97d 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
@@ -66,6 +66,7 @@ import org.springframework.security.acls.model.PermissionGrantingStrategy;
 import org.springframework.security.acls.model.Sid;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.util.FieldUtils;
 import org.springframework.stereotype.Component;
 import org.springframework.util.Assert;
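Review bot: The role implication (ADMIN ⇒ MODELER ⇒ ANALYST) is now hand-coded in `getGroupMembershipRoles` and repeated for the in-memory users in kylinSecurity.xml and the users bootstrapped in ServiceTestBase, and it only applies to principals that pass through this LDAP populator; a user loaded from UserService or any other provider receives no implicit roles unless its stored authorities already spell them out. Spring Security's `RoleHierarchyImpl`, wired into the access decision voters, would state the hierarchy once for every provider — worth considering, though the rest of the security wiring is not visible from this hunk. At minimum the method deserves a Javadoc stating the contract, e.g. `/** Expands LDAP group roles: default roles are always added, ADMIN implies MODELER and ANALYST, MODELER implies ANALYST. */`. Moving `authorities.addAll(defaultAuthorities)` ahead of the checks also means a default MODELER now grants ANALYST to every LDAP user; that matches the commit's intent but should be named in that comment so it is not read as an ordering accident.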
@@ -304,7 +305,7 @@ public class AclService implements MutableAclService {
 String userName = psid.getPrincipal();
 logger.debug("ACE SID name: " + userName);
 if (!userService.userExists(userName))
- throw new NotFoundException("User : " + userName + " not exists. Please check or create user first");
+ throw new UsernameNotFoundException("User " + userName + " does not exist. Please make sure the user has logged in before");
 }
 AceInfo aceInfo = new AceInfo(ace);
 put.addColumn(Bytes.toBytes(AclHBaseStorage.ACL_ACES_FAMILY), Bytes.toBytes(aceInfo.getSidInfo().getSid()), aceSerializer.serialize(aceInfo));
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
----------------------------------------------------------------------
diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
index ab54882..9d94de1 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
@@ -37,9 +37,11 @@ import org.apache.hadoop.hbase.client.Scan;
 import org.apache.hadoop.hbase.client.Table;
 import org.apache.kylin.common.util.Bytes;
 import org.apache.kylin.common.util.Pair;
+import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.security.AclHBaseStorage;
 import org.apache.kylin.rest.util.Serializer;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
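Review bot: Swapping `NotFoundException` for `UsernameNotFoundException` changes the exception type that reaches the REST layer; if the controllers' exception handling maps `NotFoundException` to a 404 and has no mapping for the Spring Security type, an ACL update naming an unknown user now surfaces as a generic failure instead of a clear client error — verify the handler covers it, since the controller advice is not visible from this hunk. The enclosing method starts and ends outside the hunk. The new message tells the caller the user must log in first, which implies users are persisted on first authentication; if that is the mechanism, a comment above the check would keep the contract visible, e.g. `// users are persisted on first login, so an ACE cannot name a principal that has never authenticated`.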
@@ -138,11 +140,13 @@ public class UserService implements UserDetailsManager {
 }
 @Override
+ @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
 public void createUser(UserDetails user) {
 updateUser(user);
 }
 @Override
+ @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
 public void updateUser(UserDetails user) {
 Table htable = null;
 try {
@@ -162,6 +166,7 @@ public class UserService implements UserDetailsManager {
 }
 @Override
+ @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
 public void deleteUser(String username) {
 Table htable = null;
 try {
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server/src/main/resources/kylinSecurity.xml
----------------------------------------------------------------------
diff --git a/server/src/main/resources/kylinSecurity.xml b/server/src/main/resources/kylinSecurity.xml
index 3f4abdc..9d633ee 100644
--- a/server/src/main/resources/kylinSecurity.xml
+++ b/server/src/main/resources/kylinSecurity.xml
@@ -142,7 +142,7 @@
 <scr:authentication-manager alias="testingAuthenticationManager">
 <scr:authentication-provider>
 <scr:user-service>
- <scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG" authorities="ROLE_MODELER" />
+ <scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG" authorities="ROLE_MODELER, ROLE_ANALYST" />
 <scr:user name="ANALYST" password="$2a$10$s4INO3XHjPP5Vm2xH027Ce9QeXWdrfq5pvzuGr9z/lQmHqi0rsbNi" authorities="ROLE_ANALYST" />
 <scr:user name="ADMIN" password="$2a$10$o3ktIWsGYxXNuUWQiYlZXOW5hWcqyNAFQsSSCSEWoC/BRVMAUjL32" authorities="ROLE_MODELER, ROLE_ANALYST, ROLE_ADMIN" />
 </scr:user-service>
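Review bot: `@PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)` is enforced by the Spring proxy, so the `updateUser(user)` call inside `createUser` is a self-invocation that bypasses the guard on `updateUser`; it is harmless here only because `createUser` carries its own annotation, which is worth a comment so nobody later drops one assuming the other covers it, e.g. `// self-invocation bypasses @PreAuthorize: every mutating method must carry its own guard`. If any login or bootstrap path calls these methods before the SecurityContext holds ROLE_ADMIN (the new AclService message in this commit suggests users are persisted on first login), that caller will now fail with AccessDeniedException and would need an internal, unguarded entry point or a system-level context — I cannot see such callers from this hunk. `loadUserByUsername` and `userExists` remain unguarded, presumably deliberately since authentication itself depends on them; stating that next to the guarded methods would make the boundary explicit.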
@@ -503,4 +503,4 @@
 <bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
 </beans>
-</beans>
\ No newline at end of file
+</beans>
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java b/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
index ab77a9a..767aaf1 100644
--- a/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
+++ b/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
+import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.service.ServiceTestBase;
 import org.junit.Assert;
 import org.junit.Before;
@@ -46,7 +47,7 @@ public class UserControllerTest extends ServiceTestBase {
 staticCreateTestMetadata();
 List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
 User user = new User("ADMIN", "ADMIN", authorities);
- Authentication authentication = new TestingAuthenticationToken(user, "ADMIN", "ROLE_ADMIN");
+ Authentication authentication = new TestingAuthenticationToken(user, "ADMIN", Constant.ROLE_ADMIN);
 SecurityContextHolder.getContext().setAuthentication(authentication);
 }
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java b/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
index 3a587e4..a47fdd2 100644
--- a/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
+++ b/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
@@ -18,18 +18,23 @@ package org.apache.kylin.rest.service;
+import java.util.Arrays;
+
 import org.apache.kylin.common.KylinConfig;
 import org.apache.kylin.common.util.LocalFileMetadataTestCase;
 import org.apache.kylin.metadata.cachesync.Broadcaster;
+import org.apache.kylin.rest.constant.Constant;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
@@ -42,10 +47,13 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 @ActiveProfiles("testing")
 public class ServiceTestBase extends LocalFileMetadataTestCase {
+ @Autowired
+ UserService userService;
+
 @BeforeClass
 public static void setupResource() throws Exception {
 staticCreateTestMetadata();
- Authentication authentication = new TestingAuthenticationToken("ADMIN", "ADMIN", "ROLE_ADMIN");
+ Authentication authentication = new TestingAuthenticationToken("ADMIN", "ADMIN", Constant.ROLE_ADMIN);
 SecurityContextHolder.getContext().setAuthentication(authentication);
 }
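Review bot: The new `@Autowired UserService userService;` in ServiceTestBase is package-private, and UserServiceTest (whose hunks below already use `userService` and keep an `Autowired` import as context) appears to declare its own injected field of the same name, which would now hide the base one and inject the bean twice; declaring the base field `protected` and removing the duplicate in subclasses avoids that — I cannot see the subclass field declaration from here. `setupResource` still installs a `TestingAuthenticationToken` carrying only `Constant.ROLE_ADMIN`, and with `createUser` now guarded by `@PreAuthorize` every subclass setup silently depends on that static context; a comment on the token line should say so, e.g. `// ROLE_ADMIN is required here: UserService mutators are @PreAuthorize-guarded`.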
@@ -59,6 +67,21 @@ public class ServiceTestBase extends LocalFileMetadataTestCase {
 KylinConfig config = KylinConfig.getInstanceFromEnv();
 Broadcaster.getInstance(config).notifyClearAll();
+
+ if (!userService.userExists("ADMIN")) {
+ userService.createUser(new User("ADMIN", "KYLIN", Arrays.asList(//
+ new UserService.UserGrantedAuthority(Constant.ROLE_ADMIN), new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST), new UserService.UserGrantedAuthority(Constant.ROLE_MODELER))));
+ }
+
+ if (!userService.userExists("MODELER")) {
+ userService.createUser(new User("MODELER", "MODELER", Arrays.asList(//
+ new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST), new UserService.UserGrantedAuthority(Constant.ROLE_MODELER))));
+ }
+
+ if (!userService.userExists("ROLE_ANALYST")) {
+ userService.createUser(new User("ROLE_ANALYST", "ROLE_ANALYST", Arrays.asList(//
+ new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST))));
+ }
 }
 @After
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java b/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
index 28515be..36c554e 100644
--- a/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
+++ b/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
@@ -21,6 +21,7 @@ package org.apache.kylin.rest.service;
 import java.util.ArrayList;
 import java.util.List;
+import org.apache.kylin.rest.constant.Constant;
 import org.junit.Assert;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
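Review bot: The third bootstrap user is named `"ROLE_ANALYST"` with password `"ROLE_ANALYST"`, while its siblings are `"ADMIN"` and `"MODELER"` and the testing provider in kylinSecurity.xml defines the analyst user as `ANALYST`; this looks like a slip that would make any test authenticating as `ANALYST` against UserService fail with user-not-found, so `new User("ANALYST", "ANALYST", ...)` seems intended. These users are created in what appears to be the per-test setup method (its start is outside the hunk), so UserServiceTest's opening `Assert.assertTrue(!userService.userExists("ADMIN"))` can only hold if that test removes ADMIN first — worth confirming, as the lines before that assertion are not visible. The three `createUser` calls succeed only under the `@BeforeClass` admin token now that `createUser` is `@PreAuthorize`-guarded; a one-line comment would record the dependency, e.g. `// relies on the ROLE_ADMIN token from setupResource(): createUser is admin-only`.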
@@ -43,7 +44,7 @@ public class UserServiceTest extends ServiceTestBase {
 Assert.assertTrue(!userService.userExists("ADMIN"));
 List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
- authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
+ authorities.add(new SimpleGrantedAuthority(Constant.ROLE_ADMIN));
 User user = new User("ADMIN", "PWD", authorities);
 userService.createUser(user);
@@ -52,9 +53,9 @@ public class UserServiceTest extends ServiceTestBase {
 UserDetails ud = userService.loadUserByUsername("ADMIN");
 Assert.assertEquals("ADMIN", ud.getUsername());
 Assert.assertEquals("PWD", ud.getPassword());
- Assert.assertEquals("ROLE_ADMIN", ud.getAuthorities().iterator().next().getAuthority());
+ Assert.assertEquals(Constant.ROLE_ADMIN, ud.getAuthorities().iterator().next().getAuthority());
 Assert.assertEquals(1, ud.getAuthorities().size());
- Assert.assertTrue(userService.listUserAuthorities().contains("ROLE_ADMIN"));
+ Assert.assertTrue(userService.listUserAuthorities().contains(Constant.ROLE_ADMIN));
 }
 }