Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2021/08/18 02:23:44 UTC

[GitHub] [rocketmq-dashboard] vongosling commented on a change in pull request #6: [ISSUE #5]Add permission control when loginRequired is true.

vongosling commented on a change in pull request #6:
URL: https://github.com/apache/rocketmq-dashboard/pull/6#discussion_r690844961



##########
File path: doc/1_0_0/UserGuide_CN.md
##########
@@ -112,4 +112,35 @@ admin=admin,1
 user1=user1
 user2=user2
 ```
-* 3. 启动控制台则开启了登录功能
\ No newline at end of file
+* 3.启动控制台则开启了登录功能
+
+## 权限检验
+如果用户访问console时开启了登录功能,会按照登录的角色对访问的接口进行权限控制。
+* 1.在Spring配置文件resources/application.properties中修改 开启登录功能
+```$xslt
+    # 开启登录功能
+    rocketmq.config.loginRequired=true
+    
+    # Dashboard文件目录,登录用户配置文件所在目录
+    rocketmq.config.dataPath=/tmp/rocketmq-console/data   
+```
+* 2.确保${rocketmq.config.dataPath}定义的目录存在,并且该目录下创建登录配置文件"role-permission.yml", 
+如果该目录下不存在此文件,则默认使用resources/role-permission.yml文件。改文件保存了普通用户角色所有能访问的接口地址。
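Review bot: The fenced blocks in this hunk are tagged ```$xslt, which is not a language; tag the application.properties sample as ```properties so it renders correctly. The sample also points rocketmq.config.dataPath at /tmp/rocketmq-console/data: since role-permission.yml is read from that directory and defines which endpoints the ordinary role may call, the guide should say that the directory must be writable only by the account the dashboard runs as (otherwise any local user could edit the allowlist), and the example would be safer with a path outside /tmp.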

Review comment:
       改 -> 该
   
   What happens if resources/role-permission.yml does not exist either? Please describe the error fallback rules more precisely :-)

##########
File path: doc/1_0_0/UserGuide_CN.md
##########
@@ -112,4 +112,35 @@ admin=admin,1
 user1=user1
 user2=user2
 ```
-* 3. 启动控制台则开启了登录功能
\ No newline at end of file
+* 3.启动控制台则开启了登录功能
+
+## 权限检验
+如果用户访问console时开启了登录功能,会按照登录的角色对访问的接口进行权限控制。
+* 1.在Spring配置文件resources/application.properties中修改 开启登录功能
+```$xslt
+    # 开启登录功能
+    rocketmq.config.loginRequired=true
+    
+    # Dashboard文件目录,登录用户配置文件所在目录
+    rocketmq.config.dataPath=/tmp/rocketmq-console/data   
+```
+* 2.确保${rocketmq.config.dataPath}定义的目录存在,并且该目录下创建登录配置文件"role-permission.yml", 
+如果该目录下不存在此文件,则默认使用resources/role-permission.yml文件。改文件保存了普通用户角色所有能访问的接口地址。
+role-permission.yml文件格式为:
+```$xslt
+# 该文件支持热修改,即添加和修改用户时,不需要重新启动console
+# 格式,如果增加和删除接口权限,直接在列表中增加和删除接口地址即可。
+
+# 普通用户
+rolePerms:
+  ordinary:
+    - /rocketmq/nsaddr
+    - /ops/homepage.query
+    - /cluster/list.query
+    - /cluster/brokerConfig.query
+    - /dashboard/broker.query
+    - /dashboard/topic.query
+    - /dashboard/topicCurrent
+    ....
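Review bot: The first comment line of the role-permission.yml sample (`# 该文件支持热修改,即添加和修改用户时,不需要重新启动console`) talks about adding and modifying users, but this file holds per-role endpoint lists, not users (the user list is the `admin=admin,1` block above); reword it to say interface permissions. The trailing `....` is not valid YAML, so a reader who copies the block gets a parse error; note the elision in prose instead. The text should also state how an entry is matched (exact path only, or prefix, and whether the query string is considered), since that decides whether a line such as `/dashboard/topicCurrent` covers the variants the UI actually calls. Tag the fence ```yaml rather than ```$xslt.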

Review comment:
       Consider wildcard support; otherwise later maintenance becomes too complex.

##########
File path: src/main/java/org/apache/rocketmq/dashboard/permisssion/Permission.java
##########
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.rocketmq.dashboard.permisssion;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+public @interface Permission {
+
+    String value() default "";
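Review bot: The package is spelled `permisssion` (three s) in both the file path and the `package` declaration; fix it now, before it is referenced from pointcut strings and other classes, since renaming later touches every usage. `value()` defaults to "" and carries no Javadoc; document what the attribute means (whether it names a role, a permission level, or is currently unused), or leave it out until it has a meaning.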

Review comment:
       It would be helpful if we could leave the concrete field in here, such as read-only, write...

##########
File path: src/main/java/org/apache/rocketmq/dashboard/permisssion/PermissionAspect.java
##########
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.rocketmq.dashboard.permisssion;
+
+import java.util.List;
+import java.util.Map;
+import javax.annotation.Resource;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.rocketmq.dashboard.config.RMQConfigure;
+import org.apache.rocketmq.dashboard.exception.ServiceException;
+import org.apache.rocketmq.dashboard.model.UserInfo;
+import org.apache.rocketmq.dashboard.service.PermissionService;
+import org.apache.rocketmq.dashboard.util.WebUtil;
+import org.aspectj.lang.ProceedingJoinPoint;
+import org.aspectj.lang.annotation.Around;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Pointcut;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+@Aspect
+@Component
+public class PermissionAspect {
+
+    public static final String ORDINARY = "ordinary";
+    public static final String ADMIN = "admin";
+
+    @Resource
+    private RMQConfigure configure;
+
+    @Resource
+    private PermissionService permissionService;
+
+    /**
+     * @Permission can be applied to the Controller class to implement Permission verification on all methods in the class
+     * can also be applied to methods in a class for fine control
+     */
+    @Pointcut("@annotation(org.apache.rocketmq.dashboard.permisssion.Permission) || @within(org.apache.rocketmq.dashboard.permisssion.Permission)")
+    private void permission() {
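Review bot: The Javadoc on `permission()` begins a line with `@Permission`, which javadoc parses as an unknown block tag; write it as `{@link Permission}` or move the annotation name mid-sentence. The role names are hard-coded here as `ORDINARY = "ordinary"` and `ADMIN = "admin"` while the same keys are expected under `rolePerms` in role-permission.yml; keep them in one place (for example an enum used by the loader) so a typo in either cannot silently leave a role with no permissions. The pointcut string repeats the misspelled package `permisssion`, so the rename has to be done together with the other files.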

Review comment:
       Does within[1] annotation work well here?
   
   
   [1] https://docs.spring.io/spring-framework/docs/2.0.x/reference/aop.html

##########
File path: src/main/java/org/apache/rocketmq/dashboard/controller/ConsumerController.java
##########
@@ -37,6 +38,7 @@
 
 @Controller
 @RequestMapping("/consumer")
+@Permission
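Review bot: Putting `@Permission` on each controller makes the check opt-in: any controller class or method that does not carry the annotation stays reachable by every logged-in role, and a controller added later is unguarded by default. A deny-by-default interceptor or filter over the controller paths, driven by the same role-permission.yml (the unified configuration suggested above), fails closed instead; if the annotation approach is kept, add a test that asserts every `@Controller` in the package is annotated.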

Review comment:
       I still recommend using the unified configuration, which can be unified in one directory, without annotating each method.

##########
File path: src/main/java/org/apache/rocketmq/dashboard/service/impl/PermissionServiceImpl.java
##########
@@ -0,0 +1,119 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.rocketmq.dashboard.service.impl;
+
+import com.alibaba.fastjson.JSONObject;
+import java.io.File;
+import java.io.FileReader;
+import java.io.InputStream;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import javax.annotation.Resource;
+import org.apache.rocketmq.dashboard.config.RMQConfigure;
+import org.apache.rocketmq.dashboard.exception.ServiceException;
+import org.apache.rocketmq.dashboard.service.PermissionService;
+import org.apache.rocketmq.srvutil.FileWatchService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.stereotype.Service;
+import org.yaml.snakeyaml.Yaml;
+
+@Service
+public class PermissionServiceImpl implements PermissionService, InitializingBean {
+
+    @Resource
+    RMQConfigure configure;
+
+    FileBasedPermissionStore fileBasedPermissionStore;
+
+    @Override
+    public Map<String, List<String>> queryRolePerms() {
+        return fileBasedPermissionStore.rolePerms;
+    }
+
+    @Override
+    public void afterPropertiesSet() {
+        if (configure.isLoginRequired()) {
+            fileBasedPermissionStore = new FileBasedPermissionStore(configure);
+        }
+    }
+
+    public static class FileBasedPermissionStore {
+        private final Logger log = LoggerFactory.getLogger(this.getClass());
+        private static final String FILE_NAME = "role-permission.yml";
+
+        private String filePath;
+        private Map<String/**role**/, List<String>/**accessUrls**/> rolePerms = new ConcurrentHashMap<>();
+
+        public FileBasedPermissionStore(RMQConfigure configure) {
+            filePath = configure.getRocketMqDashboardDataPath() + File.separator + FILE_NAME;
+            if (!new File(filePath).exists()) {
+                InputStream inputStream = getClass().getResourceAsStream("/" + FILE_NAME);
+                if (inputStream == null) {
+                    log.error(String.format("Can not found the file %s in Spring Boot jar", FILE_NAME));
+                    System.exit(1);
+                } else {
+                    load(inputStream);
+                }
+            } else {
+                log.info(String.format("User Permission configure file is %s", filePath));
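Review bot: `queryRolePerms()` dereferences `fileBasedPermissionStore`, but `afterPropertiesSet()` only creates it when `configure.isLoginRequired()` is true, so any caller with login disabled gets a NullPointerException; either always build the store or return an empty map in that case. `System.exit(1)` inside the store constructor terminates the JVM during context startup instead of failing the bean; throw an exception (the `ServiceException` imported here would do) so Spring reports the failure. The `InputStream` from `getResourceAsStream` is passed to `load` and never closed in this constructor; wrap it in try-with-resources. `queryRolePerms()` also hands out `rolePerms` itself, so callers can mutate the live permission map; return `Collections.unmodifiableMap(rolePerms)`.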

Review comment:
       Any resource leak if we do not use try-with-resources?

##########
File path: doc/1_0_0/UserGuide_EN.md
##########
@@ -115,4 +115,38 @@ admin=admin,1
 user1=user1
 user2=user2
 ```
-* 3. Restart Dashboard Application after above configuration setting well.  
\ No newline at end of file
+* 3.Restart Console Application after above configuration setting well.  
+
+
+## Permission Control
+If the login function is enabled when a user accesses the Console, the user controls the access permission of the interface based on the login role.
+
+* 1.Turn on the property in resources/application.properties.
+```$xslt
+# open the login func
+rocketmq.config.loginRequired=true
+
+# Directory of ashboard & login user configure file 
+rocketmq.config.dataPath=/tmp/rocketmq-console/data
+```
+* 2.Make sure the directory defined in property ${rocketmq.config.dataPath} exists and the file "role-permission.yml" is created under it. 
+The console system will use the resources/role-permission.yml by default if a customized file is not found。
+
+The format in the content of role-permission.yml:
+```$xslt
+# This file supports hot change, any change will be auto-reloaded without Console restarting.
+# Format: To add or delete interface permissions, add or delete interface addresses from the list.
+
+# ordinary user
+rolePerms:
+  ordinary:
+    - /rocketmq/nsaddr
+    - /ops/homepage.query
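Review bot: The sentence "If the login function is enabled when a user accesses the Console, the user controls the access permission of the interface based on the login role" says the user controls access; it should say the Console restricts access to the interfaces according to the logged-in role. Smaller fixes in the same hunk: "Directory of ashboard" (dashboard), "* 3.Restart" (missing space after the number), the full-width "。" after "not found", and the ```$xslt fences (use ```properties and ```yaml).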

Review comment:
       Change description corresponds with CN.

##########
File path: doc/1_0_0/UserGuide_CN.md
##########
@@ -112,4 +112,35 @@ admin=admin,1
 user1=user1
 user2=user2
 ```
-* 3. 启动控制台则开启了登录功能
\ No newline at end of file
+* 3.启动控制台则开启了登录功能
+
+## 权限检验
+如果用户访问console时开启了登录功能,会按照登录的角色对访问的接口进行权限控制。
+* 1.在Spring配置文件resources/application.properties中修改 开启登录功能
+```$xslt
+    # 开启登录功能
+    rocketmq.config.loginRequired=true
+    
+    # Dashboard文件目录,登录用户配置文件所在目录
+    rocketmq.config.dataPath=/tmp/rocketmq-console/data   
+```
+* 2.确保${rocketmq.config.dataPath}定义的目录存在,并且该目录下创建登录配置文件"role-permission.yml", 
+如果该目录下不存在此文件,则默认使用resources/role-permission.yml文件。改文件保存了普通用户角色所有能访问的接口地址。
+role-permission.yml文件格式为:
+```$xslt
+# 该文件支持热修改,即添加和修改用户时,不需要重新启动console
+# 格式,如果增加和删除接口权限,直接在列表中增加和删除接口地址即可。
+
+# 普通用户
+rolePerms:
+  ordinary:
+    - /rocketmq/nsaddr
+    - /ops/homepage.query
+    - /cluster/list.query
+    - /cluster/brokerConfig.query
+    - /dashboard/broker.query
+    - /dashboard/topic.query
+    - /dashboard/topicCurrent
+    ....
+```
+* 3.前端页面显示上,为了更好区分普通用户和admin用户权限,关于资源的删除、更新等操作按钮不对普通用户角色显示。
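Review bot: Step 3 says the delete and update buttons are hidden from ordinary users in the frontend; the guide should state explicitly that this is only a UI convenience and that the actual enforcement is the server-side endpoint allowlist from role-permission.yml, since hiding a button does not by itself restrict the endpoint. The list of hidden operations should also be tied to the entries that are absent from the `ordinary` role, so the two stay consistent when the YAML is edited.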

Review comment:
       Consider a re-sign-in feature: either log out and log back in with another role, or support one-click switching from the admin account to an ordinary account.



