Posted to commits@kylin.apache.org by li...@apache.org on 2017/04/26 07:49:46 UTC
[10/14] kylin git commit: KYLIN-2555 Implicitly give
ADMIN=ADMIN+MODELER+ANALYST and MODELER=MODELER+ANALYST
KYLIN-2555 Implicitly give ADMIN=ADMIN+MODELER+ANALYST and MODELER=MODELER+ANALYST
Project: http://git-wip-us.apache.org/repos/asf/kylin/repo
Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/3c70b8b9
Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/3c70b8b9
Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/3c70b8b9
Branch: refs/heads/master-hadoop3.0
Commit: 3c70b8b96176c58b784cda48afee8f560ace848f
Parents: 6d6e862
Author: Hongbin Ma <ma...@apache.org>
Authored: Wed Apr 19 19:19:18 2017 +0800
Committer: Hongbin Ma <ma...@apache.org>
Committed: Wed Apr 19 19:21:44 2017 +0800
----------------------------------------------------------------------
.../rest/security/AuthoritiesPopulator.java | 15 ++++++++----
.../apache/kylin/rest/service/AclService.java | 3 ++-
.../apache/kylin/rest/service/UserService.java | 5 ++++
server/src/main/resources/kylinSecurity.xml | 4 ++--
.../rest/controller/UserControllerTest.java | 3 ++-
.../kylin/rest/service/ServiceTestBase.java | 25 +++++++++++++++++++-
.../kylin/rest/service/UserServiceTest.java | 7 +++---
7 files changed, 49 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
----------------------------------------------------------------------
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
index 7983fc0..2b290ce 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/AuthoritiesPopulator.java
@@ -21,6 +21,8 @@ package org.apache.kylin.rest.security;
import java.util.HashSet;
import java.util.Set;
+import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.kylin.rest.constant.Constant;
import org.springframework.ldap.core.ContextSource;
import org.springframework.security.core.GrantedAuthority;
@@ -33,7 +35,6 @@ import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopul
*/
public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
- String adminRole;
SimpleGrantedAuthority adminRoleAsAuthority;
SimpleGrantedAuthority adminAuthority = new SimpleGrantedAuthority(Constant.ROLE_ADMIN);
@@ -48,12 +49,12 @@ public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
*/
public AuthoritiesPopulator(ContextSource contextSource, String groupSearchBase, String adminRole, String defaultRole) {
super(contextSource, groupSearchBase);
- this.adminRole = adminRole;
this.adminRoleAsAuthority = new SimpleGrantedAuthority(adminRole);
- if (defaultRole.contains(Constant.ROLE_MODELER))
+ String[] defaultRoles = StringUtils.split(defaultRole, ",");
+ if (ArrayUtils.contains(defaultRoles, Constant.ROLE_MODELER))
this.defaultAuthorities.add(modelerAuthority);
- if (defaultRole.contains(Constant.ROLE_ANALYST))
+ if (ArrayUtils.contains(defaultRoles, Constant.ROLE_ANALYST))
this.defaultAuthorities.add(analystAuthority);
}
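Review bot: The exact-match check added to the constructor does not trim the tokens, so a `defaultRole` written with a space after the comma (the `"ROLE_MODELER, ROLE_ANALYST"` style used for `authorities` in kylinSecurity.xml in this same commit) produces `" ROLE_ANALYST"` and that default is silently dropped. This fails closed, but the operator gets no signal that a configured default was ignored. Stripping the tokens fixes it: `String[] defaultRoles = StringUtils.stripAll(StringUtils.split(defaultRole, ","));`. A warning log for any token that matches neither constant would also make typos visible at startup.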
@@ -61,13 +62,17 @@ public class AuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
Set<GrantedAuthority> authorities = super.getGroupMembershipRoles(userDn, username);
+ authorities.addAll(defaultAuthorities);
+
if (authorities.contains(adminRoleAsAuthority)) {
authorities.add(adminAuthority);
authorities.add(modelerAuthority);
authorities.add(analystAuthority);
}
- authorities.addAll(defaultAuthorities);
+ if (authorities.contains(modelerAuthority)) {
+ authorities.add(analystAuthority);
+ }
return authorities;
}
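Review bot: The statement order in `getGroupMembershipRoles` is now load-bearing and has no comment. `defaultAuthorities` must be merged before the two implication checks, otherwise a user who is MODELER only by default never receives ANALYST. A line such as `// merge defaults first so the ADMIN => MODELER => ANALYST implications below also cover default roles` above the `addAll` would stop a later refactor from moving it back. Because the defaults are now in the set when `adminRoleAsAuthority` is tested, a configuration whose `adminRole` equals one of the default role names would turn every LDAP user into an admin. A constructor check that rejects that combination would be cheap insurance.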
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
----------------------------------------------------------------------
diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java b/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
index c0ece1d..b80d97d 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/AclService.java
@@ -66,6 +66,7 @@ import org.springframework.security.acls.model.PermissionGrantingStrategy;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.util.FieldUtils;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
@@ -304,7 +305,7 @@ public class AclService implements MutableAclService {
String userName = psid.getPrincipal();
logger.debug("ACE SID name: " + userName);
if (!userService.userExists(userName))
- throw new NotFoundException("User : " + userName + " not exists. Please check or create user first");
+ throw new UsernameNotFoundException("User " + userName + " does not exist. Please make sure the user has logged in before");
}
AceInfo aceInfo = new AceInfo(ace);
put.addColumn(Bytes.toBytes(AclHBaseStorage.ACL_ACES_FAMILY), Bytes.toBytes(aceInfo.getSidInfo().getSid()), aceSerializer.serialize(aceInfo));
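Review bot: `UsernameNotFoundException` is an `AuthenticationException`, so throwing it from ACL-update code risks being handled as a failed authentication of the caller rather than as "the target SID does not exist". If the REST layer or the security filter chain maps exceptions by type, an admin granting access to an unknown user may get an authentication error where a not-found or bad-request response is meant. Keeping a domain exception and only adopting the new wording would avoid that. The message also echoes `userName` taken from the SID, so it should be encoded wherever it is rendered or logged. The enclosing method starts and ends outside the hunk.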
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
----------------------------------------------------------------------
diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
index ab54882..9d94de1 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/UserService.java
@@ -37,9 +37,11 @@ import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.Table;
import org.apache.kylin.common.util.Bytes;
import org.apache.kylin.common.util.Pair;
+import org.apache.kylin.rest.constant.Constant;
import org.apache.kylin.rest.security.AclHBaseStorage;
import org.apache.kylin.rest.util.Serializer;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
@@ -138,11 +140,13 @@ public class UserService implements UserDetailsManager {
}
@Override
+ @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
public void createUser(UserDetails user) {
updateUser(user);
}
@Override
+ @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
public void updateUser(UserDetails user) {
Table htable = null;
try {
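Review bot: Requiring ADMIN on `createUser` and `updateUser` looks at odds with the new AclService message, which tells operators the user must have "logged in before". If user records are persisted during login through these methods (the callers are not visible here), a non-admin's first login would run without an ADMIN authentication in the security context and be rejected. It is worth confirming every caller, and adding a test that calls `createUser`, `updateUser` and `deleteUser` (annotated in the next hunk) as a non-admin and expects `AccessDeniedException`, since every test touched by this commit authenticates as ADMIN. Note also that `createUser` calls `updateUser` on `this`, so with proxy-based method security only the outer annotation is evaluated on that path. `updateUser`'s body continues outside the hunk.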
@@ -162,6 +166,7 @@ public class UserService implements UserDetailsManager {
}
@Override
+ @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
public void deleteUser(String username) {
Table htable = null;
try {
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server/src/main/resources/kylinSecurity.xml
----------------------------------------------------------------------
diff --git a/server/src/main/resources/kylinSecurity.xml b/server/src/main/resources/kylinSecurity.xml
index 3f4abdc..9d633ee 100644
--- a/server/src/main/resources/kylinSecurity.xml
+++ b/server/src/main/resources/kylinSecurity.xml
@@ -142,7 +142,7 @@
<scr:authentication-manager alias="testingAuthenticationManager">
<scr:authentication-provider>
<scr:user-service>
- <scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG" authorities="ROLE_MODELER" />
+ <scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG" authorities="ROLE_MODELER, ROLE_ANALYST" />
<scr:user name="ANALYST" password="$2a$10$s4INO3XHjPP5Vm2xH027Ce9QeXWdrfq5pvzuGr9z/lQmHqi0rsbNi" authorities="ROLE_ANALYST" />
<scr:user name="ADMIN" password="$2a$10$o3ktIWsGYxXNuUWQiYlZXOW5hWcqyNAFQsSSCSEWoC/BRVMAUjL32" authorities="ROLE_MODELER, ROLE_ANALYST, ROLE_ADMIN" />
</scr:user-service>
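Review bot: The MODELER entry now spells out `ROLE_ANALYST` by hand, so the role implication is maintained in two places: here for the in-memory testing users and in `AuthoritiesPopulator` for LDAP. A comment above the `<scr:user>` lines, for example `<!-- implied roles are listed explicitly here; keep in sync with AuthoritiesPopulator -->`, would flag that for whoever changes the hierarchy next. Since the file sits under `server/src/main/resources`, it would also help to state next to `testingAuthenticationManager` that these fixed accounts are intended for the testing profile only.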
@@ -503,4 +503,4 @@
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
</beans>
-</beans>
\ No newline at end of file
+</beans>
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java b/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
index ab77a9a..767aaf1 100644
--- a/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
+++ b/server/src/test/java/org/apache/kylin/rest/controller/UserControllerTest.java
@@ -22,6 +22,7 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
+import org.apache.kylin.rest.constant.Constant;
import org.apache.kylin.rest.service.ServiceTestBase;
import org.junit.Assert;
import org.junit.Before;
@@ -46,7 +47,7 @@ public class UserControllerTest extends ServiceTestBase {
staticCreateTestMetadata();
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
User user = new User("ADMIN", "ADMIN", authorities);
- Authentication authentication = new TestingAuthenticationToken(user, "ADMIN", "ROLE_ADMIN");
+ Authentication authentication = new TestingAuthenticationToken(user, "ADMIN", Constant.ROLE_ADMIN);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java b/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
index 3a587e4..a47fdd2 100644
--- a/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
+++ b/server/src/test/java/org/apache/kylin/rest/service/ServiceTestBase.java
@@ -18,18 +18,23 @@
package org.apache.kylin.rest.service;
+import java.util.Arrays;
+
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.util.LocalFileMetadataTestCase;
import org.apache.kylin.metadata.cachesync.Broadcaster;
+import org.apache.kylin.rest.constant.Constant;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
@@ -42,10 +47,13 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
@ActiveProfiles("testing")
public class ServiceTestBase extends LocalFileMetadataTestCase {
+ @Autowired
+ UserService userService;
+
@BeforeClass
public static void setupResource() throws Exception {
staticCreateTestMetadata();
- Authentication authentication = new TestingAuthenticationToken("ADMIN", "ADMIN", "ROLE_ADMIN");
+ Authentication authentication = new TestingAuthenticationToken("ADMIN", "ADMIN", Constant.ROLE_ADMIN);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
@@ -59,6 +67,21 @@ public class ServiceTestBase extends LocalFileMetadataTestCase {
KylinConfig config = KylinConfig.getInstanceFromEnv();
Broadcaster.getInstance(config).notifyClearAll();
+
+ if (!userService.userExists("ADMIN")) {
+ userService.createUser(new User("ADMIN", "KYLIN", Arrays.asList(//
+ new UserService.UserGrantedAuthority(Constant.ROLE_ADMIN), new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST), new UserService.UserGrantedAuthority(Constant.ROLE_MODELER))));
+ }
+
+ if (!userService.userExists("MODELER")) {
+ userService.createUser(new User("MODELER", "MODELER", Arrays.asList(//
+ new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST), new UserService.UserGrantedAuthority(Constant.ROLE_MODELER))));
+ }
+
+ if (!userService.userExists("ROLE_ANALYST")) {
+ userService.createUser(new User("ROLE_ANALYST", "ROLE_ANALYST", Arrays.asList(//
+ new UserService.UserGrantedAuthority(Constant.ROLE_ANALYST))));
+ }
}
@After
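Review bot: The third fixture is created with user name `"ROLE_ANALYST"` and password `"ROLE_ANALYST"`, while the other two use the account names `ADMIN` and `MODELER`, and kylinSecurity.xml names the account `ANALYST`. This looks like the role constant was pasted where the user name belongs. If so, the intended lines are `if (!userService.userExists("ANALYST"))` and `new User("ANALYST", "ANALYST", ...)`. As written, a test that grants an ACL entry to `ANALYST` would presumably fail the `userExists` check in AclService. The enclosing setup method starts outside the hunk.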
http://git-wip-us.apache.org/repos/asf/kylin/blob/3c70b8b9/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java b/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
index 28515be..36c554e 100644
--- a/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
+++ b/server/src/test/java/org/apache/kylin/rest/service/UserServiceTest.java
@@ -21,6 +21,7 @@ package org.apache.kylin.rest.service;
import java.util.ArrayList;
import java.util.List;
+import org.apache.kylin.rest.constant.Constant;
import org.junit.Assert;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
@@ -43,7 +44,7 @@ public class UserServiceTest extends ServiceTestBase {
Assert.assertTrue(!userService.userExists("ADMIN"));
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
- authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
+ authorities.add(new SimpleGrantedAuthority(Constant.ROLE_ADMIN));
User user = new User("ADMIN", "PWD", authorities);
userService.createUser(user);
@@ -52,9 +53,9 @@ public class UserServiceTest extends ServiceTestBase {
UserDetails ud = userService.loadUserByUsername("ADMIN");
Assert.assertEquals("ADMIN", ud.getUsername());
Assert.assertEquals("PWD", ud.getPassword());
- Assert.assertEquals("ROLE_ADMIN", ud.getAuthorities().iterator().next().getAuthority());
+ Assert.assertEquals(Constant.ROLE_ADMIN, ud.getAuthorities().iterator().next().getAuthority());
Assert.assertEquals(1, ud.getAuthorities().size());
- Assert.assertTrue(userService.listUserAuthorities().contains("ROLE_ADMIN"));
+ Assert.assertTrue(userService.listUserAuthorities().contains(Constant.ROLE_ADMIN));
}
}