diff --git a/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/ConnectionService.java b/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/ConnectionService.java
index 16dc737499..3188677a61 100644
--- a/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/ConnectionService.java
+++ b/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/ConnectionService.java
@@ -577,13 +577,16 @@ public ConnectionConfig getForConnectionSkipPermissionCheck(@NotNull Long id) {
 @Transactional(rollbackFor = Exception.class)
 @PreAuthenticate(actions = "update", resourceType = "ODC_CONNECTION", indexOfIdParam = 0)
 public ConnectionConfig getForConnect(@NotNull Long id) {
- return getForConnectionSkipPermissionCheck(id);
+ ConnectionConfig connection = getForConnectionSkipPermissionCheck(id);
+ permissionValidator.checkCurrentOrganization(connection);
+ return connection;
 }
 @SkipAuthorize("check permission inside")
 public boolean checkPermission(@NotNull Long connectionId, @NotEmpty List actions) {
 try {
 ConnectionConfig connection = internalGetSkipUserCheck(connectionId, false);
+ permissionValidator.checkCurrentOrganization(connection);
 securityManager.checkPermission(
 securityManager.getPermissionByActions(connection, actions));
 } catch (Exception ex) {
diff --git a/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/database/DatabaseService.java b/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/database/DatabaseService.java
index 894a9d466d..c2698ec7fe 100644
--- a/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/database/DatabaseService.java
+++ b/server/odc-service/src/main/java/com/oceanbase/odc/service/connection/database/DatabaseService.java
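Review bot: In checkPermission the new checkCurrentOrganization call sits inside the try whose `catch (Exception ex)` absorbs everything, so a cross-organization access attempt becomes indistinguishable from an ordinary missing action permission; the catch body is outside the hunk, so whether it records anything cannot be confirmed here. Because a horizontal-permission denial is the kind of event an audit trail should capture, the catch should at least log connectionId and the exception class at warn level before returning, or the validator's own exception type should be caught in its own clause rather than folded into the generic branch. The placement in getForConnect is sound: the vertical @PreAuthenticate check runs first and the organization check runs before the config is handed back. A naming point: this file calls the validator `permissionValidator` while DatabaseService and ConnectSessionService in the same commit inject it as `horizontalDataPermissionValidator`; aligning the field name would make the horizontal check easier to find when auditing.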
@@ -51,6 +51,7 @@ import com.oceanbase.odc.core.authority.util.SkipAuthorize;
 import com.oceanbase.odc.core.session.ConnectionSession;
 import com.oceanbase.odc.core.session.ConnectionSessionConstants;
+import com.oceanbase.odc.core.shared.constant.ConnectionVisibleScope;
 import com.oceanbase.odc.core.shared.constant.ErrorCodes;
 import com.oceanbase.odc.core.shared.constant.OrganizationType;
 import com.oceanbase.odc.core.shared.constant.ResourceRoleName;
@@ -77,6 +78,7 @@ import com.oceanbase.odc.service.connection.model.ConnectionConfig;
 import com.oceanbase.odc.service.db.DBIdentitiesService;
 import com.oceanbase.odc.service.db.DBSchemaService;
+import com.oceanbase.odc.service.iam.HorizontalDataPermissionValidator;
 import com.oceanbase.odc.service.iam.auth.AuthenticationFacade;
 import com.oceanbase.odc.service.iam.auth.AuthorizationFacade;
 import com.oceanbase.odc.service.session.factory.DefaultConnectSessionFactory;
@@ -128,6 +130,9 @@ public class DatabaseService {
 @Autowired
 private JdbcLockRegistry jdbcLockRegistry;
+ @Autowired
+ private HorizontalDataPermissionValidator horizontalDataPermissionValidator;
+
 @Transactional(rollbackFor = Exception.class)
 @SkipAuthorize("internal authenticated")
 public Database detail(@NonNull Long id) {
@@ -154,7 +159,9 @@ public Page listDatabasesByDataSource(@NonNull Long id, String name, @
 .connectionIdEquals(id)
 .and(DatabaseSpecs.nameLike(name));
 Page entities = databaseRepository.findAll(specs, pageable);
- return entitiesToModels(entities);
+ Page databases = entitiesToModels(entities);
+ horizontalDataPermissionValidator.checkCurrentOrganization(databases.getContent());
+ return databases;
 }
 @Transactional(rollbackFor = Exception.class)
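Review bot: The organization check in listDatabasesByDataSource is applied to the page content only, after the query and entitiesToModels have already run, so an empty page (a data source with no databases, or a name filter matching nothing) passes with no check at all and a caller from another organization gets a normal empty result instead of a denial; the shape of the response then tells that caller whether the foreign data source id holds matching databases. Checking the parent data source first is both tighter and cheaper: `horizontalDataPermissionValidator.checkCurrentOrganization(connectionService.getForConnectionSkipPermissionCheck(id));` placed before the `databaseRepository.findAll(specs, pageable)` call, using connectionService the same way internalSyncDataSourceSchemas in this file already does. The per-page content check can remain as defence in depth. listDatabasesByDataSource's signature and the start of the specs expression are above the hunk.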
@@ -364,9 +371,11 @@ public Boolean internalSyncDataSourceSchemas(@NonNull Long dataSourceId) throws
 return false;
 }
 ConnectionConfig connection = connectionService.getForConnectionSkipPermissionCheck(dataSourceId);
- if (connection.getEnvironmentId().longValue() == -1L) {
+ if (connection.getEnvironmentId().longValue() == -1L
+ || connection.getVisibleScope() == ConnectionVisibleScope.PRIVATE) {
 return false;
 }
+ horizontalDataPermissionValidator.checkCurrentOrganization(connection);
 DefaultConnectSessionFactory factory = new DefaultConnectSessionFactory(connection);
 connectionSession = factory.generateSession();
 List latestDatabases =
diff --git a/server/odc-service/src/main/java/com/oceanbase/odc/service/session/ConnectSessionService.java b/server/odc-service/src/main/java/com/oceanbase/odc/service/session/ConnectSessionService.java
index fe78b31a37..4a25562b13 100644
--- a/server/odc-service/src/main/java/com/oceanbase/odc/service/session/ConnectSessionService.java
+++ b/server/odc-service/src/main/java/com/oceanbase/odc/service/session/ConnectSessionService.java
@@ -79,6 +79,7 @@ import com.oceanbase.odc.service.db.DBCharsetService;
 import com.oceanbase.odc.service.db.session.DBSessionService;
 import com.oceanbase.odc.service.feature.VersionDiffConfigService;
+import com.oceanbase.odc.service.iam.HorizontalDataPermissionValidator;
 import com.oceanbase.odc.service.iam.auth.AuthenticationFacade;
 import com.oceanbase.odc.service.iam.auth.AuthorizationFacade;
 import com.oceanbase.odc.service.lab.model.LabProperties;
@@ -131,6 +132,8 @@ public class ConnectSessionService {
 private DBSessionService dbSessionService;
 @Autowired
 private EnvironmentRepository environmentRepository;
+ @Autowired
+ private HorizontalDataPermissionValidator horizontalDataPermissionValidator;
 @PostConstruct
 public void init() {
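Review bot: In internalSyncDataSourceSchemas the new checkCurrentOrganization call comes after the early `return false` for an unbound environment or PRIVATE visible scope, so for a data source owned by another organization the outcome now depends on that data source's own attributes (a quiet false versus an authorization failure), which exposes those attributes across the organization boundary to anyone who can reach this path. Moving the call to directly after `ConnectionConfig connection = connectionService.getForConnectionSkipPermissionCheck(dataSourceId);` makes the cross-organization case uniform; ConnectSessionService.create in this same commit uses exactly that ordering. Separately, the validator presumably resolves the caller's organization from the current authentication, so if this sync is also triggered by a scheduled or system caller without a user context, that path should be confirmed, since the check would then abort the sync rather than skip it. The method starts and ends outside the hunk.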
@@ -212,6 +215,7 @@ private ConnectionSession create(@NotNull Long dataSourceId, String schemaName)
 preCheckSessionLimit();
 ConnectionConfig connection = connectionService.getForConnectionSkipPermissionCheck(dataSourceId);
+ horizontalDataPermissionValidator.checkCurrentOrganization(connection);
 log.info("Begin to create session, connection id={}, name={}", connection.id(), connection.getName());
 Set actions = authorizationFacade.getAllPermittedActions(authenticationFacade.currentUser(),
 ResourceType.ODC_CONNECTION, "" + dataSourceId);