fix permission (#292)

oceanbase · Sep 10, 2023 · e95c648 · e95c648
1 parent b528db7
commit e95c648
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/ConnectionService.java b/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/ConnectionService.java
@@ -577,13 +577,16 @@ public ConnectionConfig getForConnectionSkipPermissionCheck(@NotNull Long id) {
     @Transactional(rollbackFor = Exception.class)
     @PreAuthenticate(actions = "update", resourceType = "ODC_CONNECTION", indexOfIdParam = 0)
     public ConnectionConfig getForConnect(@NotNull Long id) {
-        return getForConnectionSkipPermissionCheck(id);
+        ConnectionConfig connection = getForConnectionSkipPermissionCheck(id);
+        permissionValidator.checkCurrentOrganization(connection);
+        return connection;
     }
 
     @SkipAuthorize("check permission inside")
     public boolean checkPermission(@NotNull Long connectionId, @NotEmpty List<String> actions) {
         try {
             ConnectionConfig connection = internalGetSkipUserCheck(connectionId, false);
+            permissionValidator.checkCurrentOrganization(connection);
             securityManager.checkPermission(
                     securityManager.getPermissionByActions(connection, actions));
         } catch (Exception ex) {

diff --git a/...-service/src/main/java/com/oceanbase/odc/service/connection/database/DatabaseService.java b/...-service/src/main/java/com/oceanbase/odc/service/connection/database/DatabaseService.java
@@ -51,6 +51,7 @@
 import com.oceanbase.odc.core.authority.util.SkipAuthorize;
 import com.oceanbase.odc.core.session.ConnectionSession;
 import com.oceanbase.odc.core.session.ConnectionSessionConstants;
+import com.oceanbase.odc.core.shared.constant.ConnectionVisibleScope;
 import com.oceanbase.odc.core.shared.constant.ErrorCodes;
 import com.oceanbase.odc.core.shared.constant.OrganizationType;
 import com.oceanbase.odc.core.shared.constant.ResourceRoleName;
@@ -77,6 +78,7 @@
 import com.oceanbase.odc.service.connection.model.ConnectionConfig;
 import com.oceanbase.odc.service.db.DBIdentitiesService;
 import com.oceanbase.odc.service.db.DBSchemaService;
+import com.oceanbase.odc.service.iam.HorizontalDataPermissionValidator;
 import com.oceanbase.odc.service.iam.auth.AuthenticationFacade;
 import com.oceanbase.odc.service.iam.auth.AuthorizationFacade;
 import com.oceanbase.odc.service.session.factory.DefaultConnectSessionFactory;
@@ -128,6 +130,9 @@ public class DatabaseService {
     @Autowired
     private JdbcLockRegistry jdbcLockRegistry;
 
+    @Autowired
+    private HorizontalDataPermissionValidator horizontalDataPermissionValidator;
+
     @Transactional(rollbackFor = Exception.class)
     @SkipAuthorize("internal authenticated")
     public Database detail(@NonNull Long id) {
@@ -154,7 +159,9 @@ public Page<Database> listDatabasesByDataSource(@NonNull Long id, String name, @
                 .connectionIdEquals(id)
                 .and(DatabaseSpecs.nameLike(name));
         Page<DatabaseEntity> entities = databaseRepository.findAll(specs, pageable);
-        return entitiesToModels(entities);
+        Page<Database> databases = entitiesToModels(entities);
+        horizontalDataPermissionValidator.checkCurrentOrganization(databases.getContent());
+        return databases;
     }
 
     @Transactional(rollbackFor = Exception.class)
@@ -364,9 +371,11 @@ public Boolean internalSyncDataSourceSchemas(@NonNull Long dataSourceId) throws
                 return false;
             }
             ConnectionConfig connection = connectionService.getForConnectionSkipPermissionCheck(dataSourceId);
-            if (connection.getEnvironmentId().longValue() == -1L) {
+            if (connection.getEnvironmentId().longValue() == -1L
+                    || connection.getVisibleScope() == ConnectionVisibleScope.PRIVATE) {
                 return false;
             }
+            horizontalDataPermissionValidator.checkCurrentOrganization(connection);
             DefaultConnectSessionFactory factory = new DefaultConnectSessionFactory(connection);
             connectionSession = factory.generateSession();
             List<DatabaseEntity> latestDatabases =

diff --git a/...er/odc-service/src/main/java/com/oceanbase/odc/service/session/ConnectSessionService.java b/...er/odc-service/src/main/java/com/oceanbase/odc/service/session/ConnectSessionService.java
@@ -79,6 +79,7 @@
 import com.oceanbase.odc.service.db.DBCharsetService;
 import com.oceanbase.odc.service.db.session.DBSessionService;
 import com.oceanbase.odc.service.feature.VersionDiffConfigService;
+import com.oceanbase.odc.service.iam.HorizontalDataPermissionValidator;
 import com.oceanbase.odc.service.iam.auth.AuthenticationFacade;
 import com.oceanbase.odc.service.iam.auth.AuthorizationFacade;
 import com.oceanbase.odc.service.lab.model.LabProperties;
@@ -131,6 +132,8 @@ public class ConnectSessionService {
     private DBSessionService dbSessionService;
     @Autowired
     private EnvironmentRepository environmentRepository;
+    @Autowired
+    private HorizontalDataPermissionValidator horizontalDataPermissionValidator;
 
     @PostConstruct
     public void init() {
@@ -212,6 +215,7 @@ private ConnectionSession create(@NotNull Long dataSourceId, String schemaName)
         preCheckSessionLimit();
 
         ConnectionConfig connection = connectionService.getForConnectionSkipPermissionCheck(dataSourceId);
+        horizontalDataPermissionValidator.checkCurrentOrganization(connection);
         log.info("Begin to create session, connection id={}, name={}", connection.id(), connection.getName());
         Set<String> actions = authorizationFacade.getAllPermittedActions(authenticationFacade.currentUser(),
                 ResourceType.ODC_CONNECTION, "" + dataSourceId);