You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@streampark.apache.org by mu...@apache.org on 2023/04/18 02:15:21 UTC
[incubator-streampark] branch dev updated: [Improve] permission check improvement (#2647)
This is an automated email from the ASF dual-hosted git repository.
muchunjin pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/incubator-streampark.git
The following commit(s) were added to refs/heads/dev by this push:
new 2763f37a9 [Improve] permission check improvement (#2647)
2763f37a9 is described below
commit 2763f37a9e092542f9f4eee1667620fc75116e20
Author: benjobs <be...@apache.org>
AuthorDate: Tue Apr 18 10:15:15 2023 +0800
[Improve] permission check improvement (#2647)
---
.../console/base/exception/ApiAlertException.java | 6 +++
.../console/core/aspect/StreamParkAspect.java | 61 ++++++++++++----------
.../core/service/impl/FlinkEnvServiceImpl.java | 8 +--
3 files changed, 42 insertions(+), 33 deletions(-)
diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/exception/ApiAlertException.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/exception/ApiAlertException.java
index 17ddce28f..34cccf7e3 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/exception/ApiAlertException.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/exception/ApiAlertException.java
@@ -57,4 +57,10 @@ public class ApiAlertException extends AbstractApiException {
throw new ApiAlertException(errorMessage);
}
}
+
+ public static void throwIfTrue(boolean expression, String errorMessage) {
+ if (expression) {
+ throw new ApiAlertException(errorMessage);
+ }
+ }
}
diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/aspect/StreamParkAspect.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/aspect/StreamParkAspect.java
index bee22859e..6646ead55 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/aspect/StreamParkAspect.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/aspect/StreamParkAspect.java
@@ -30,6 +30,7 @@ import org.apache.streampark.console.core.service.ApplicationService;
import org.apache.streampark.console.core.service.CommonService;
import org.apache.streampark.console.core.task.FlinkRESTAPIWatcher;
import org.apache.streampark.console.system.entity.AccessToken;
+import org.apache.streampark.console.system.entity.Member;
import org.apache.streampark.console.system.entity.User;
import org.apache.streampark.console.system.service.MemberService;
@@ -104,44 +105,46 @@ public class StreamParkAspect {
MethodSignature methodSignature = (MethodSignature) joinPoint.getSignature();
PermissionAction permissionAction =
methodSignature.getMethod().getAnnotation(PermissionAction.class);
- String spELString = permissionAction.id();
- PermissionType permissionType = permissionAction.type();
User currentUser = commonService.getCurrentUser();
ApiAlertException.throwIfNull(currentUser, "Permission denied, please login first.");
- Long paramId = getId(joinPoint, methodSignature, spELString);
- switch (permissionType) {
- case USER:
- ApiAlertException.throwIfFalse(
- !(currentUser.getUserType() != UserType.ADMIN
- && !currentUser.getUserId().equals(paramId)),
- "Permission denied, only ADMIN user or user himself can access this permission");
- break;
- case TEAM:
- ApiAlertException.throwIfFalse(
- !(currentUser.getUserType() != UserType.ADMIN
- && memberService.findByUserName(paramId, currentUser.getUsername()) == null),
- "Permission denied, only ADMIN user or user belongs to this team can access this permission");
- break;
- case APP:
- Application app = applicationService.getById(paramId);
- ApiAlertException.throwIfFalse(
- !(app != null
- && currentUser.getUserType() != UserType.ADMIN
- && memberService.findByUserName(app.getTeamId(), currentUser.getUsername())
- == null),
- "Permission denied, only ADMIN user or user belongs to this team can access this permission");
- break;
- default:
- throw new IllegalArgumentException(
- String.format("Permission type %s is not supported.", permissionType));
+ boolean isAdmin = currentUser.getUserType() == UserType.ADMIN;
+
+ if (!isAdmin) {
+ PermissionType permissionType = permissionAction.type();
+ Long paramId = getParamId(joinPoint, methodSignature, permissionAction.id());
+
+ switch (permissionType) {
+ case USER:
+ ApiAlertException.throwIfTrue(
+ !currentUser.getUserId().equals(paramId),
+ "Permission denied, only user himself can access this permission");
+ break;
+ case TEAM:
+ Member member = memberService.findByUserName(paramId, currentUser.getUsername());
+ ApiAlertException.throwIfTrue(
+ member == null,
+ "Permission denied, only user belongs to this team can access this permission");
+ break;
+ case APP:
+ Application app = applicationService.getById(paramId);
+ ApiAlertException.throwIfTrue(app == null, "Invalid operation, application is null");
+ member = memberService.findByUserName(app.getTeamId(), currentUser.getUsername());
+ ApiAlertException.throwIfTrue(
+ member == null,
+ "Permission denied, only user belongs to this team can access this permission");
+ break;
+ default:
+ throw new IllegalArgumentException(
+ String.format("Permission type %s is not supported.", permissionType));
+ }
}
return (RestResponse) joinPoint.proceed();
}
- private Long getId(
+ private Long getParamId(
ProceedingJoinPoint joinPoint, MethodSignature methodSignature, String spELString) {
SpelExpressionParser parser = new SpelExpressionParser();
Expression expression = parser.parseExpression(spELString);
diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/FlinkEnvServiceImpl.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/FlinkEnvServiceImpl.java
index 0c44fe776..2e638c7d3 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/FlinkEnvServiceImpl.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/service/impl/FlinkEnvServiceImpl.java
@@ -158,13 +158,13 @@ public class FlinkEnvServiceImpl extends ServiceImpl<FlinkEnvMapper, FlinkEnv>
ApiAlertException.throwIfNull(flinkEnv, "The flink home does not exist, please check.");
// 2.check if it is being used by any flink cluster
- ApiAlertException.throwIfFalse(
- !flinkClusterService.existsByFlinkEnvId(flinkEnv.getId()),
+ ApiAlertException.throwIfTrue(
+ flinkClusterService.existsByFlinkEnvId(flinkEnv.getId()),
"The flink home is still in use by some flink cluster, please check.");
// 3.check if it is being used by any application
- ApiAlertException.throwIfFalse(
- !applicationService.existsJobByFlinkEnvId(flinkEnv.getId()),
+ ApiAlertException.throwIfTrue(
+ applicationService.existsJobByFlinkEnvId(flinkEnv.getId()),
"The flink home is still in use by some application, please check.");
}
}