Release v2021.07.17.1 (#961)

*: Add OIDC SSO support (#960)
pingcap · Jul 16, 2021 · 2226872 · 2226872
1 parent 07fe6d3
commit 2226872
Show file tree

Hide file tree

Showing 52 changed files with 2,443 additions and 699 deletions.
diff --git a/go.mod b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/gin-contrib/gzip v0.0.1
 	github.com/gin-gonic/gin v1.5.0
+	github.com/go-resty/resty/v2 v2.6.0
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/goccy/go-graphviz v0.0.5
 	github.com/google/pprof v0.0.0-20200407044318-7d83b28da2e9
@@ -40,6 +41,7 @@ require (
 	go.uber.org/atomic v1.6.0
 	go.uber.org/fx v1.10.0
 	go.uber.org/zap v1.16.0
+	golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	google.golang.org/grpc v1.25.1
 	gorm.io/driver/mysql v1.0.6

diff --git a/go.sum b/go.sum
@@ -101,6 +101,8 @@ github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3yg
 github.com/go-playground/overalls v0.0.0-20180201144345-22ec1a223b7c/go.mod h1:UqxAgEOt89sCiXlrc/ycnx00LVvUO/eS8tMUkWX4R7w=
 github.com/go-playground/universal-translator v0.16.0 h1:X++omBR/4cE2MNg91AoC3rmGrCjJ8eAeUP/K/EKx4DM=
 github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
+github.com/go-resty/resty/v2 v2.6.0 h1:joIR5PNLM2EFqqESUjCMGXrWmXNHEU9CEiK813oKYS4=
+github.com/go-resty/resty/v2 v2.6.0/go.mod h1:PwvJS6hvaPkjtjNg9ph+VrSD92bi5Zq73w/BIH7cC3Q=
 github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -396,8 +398,10 @@ golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 h1:4nGaVu0QrbjT/AK2PRLuQfQuh6DJve+pELhqTdAj3x0=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be h1:vEDujvNQGv4jgYKudGeI/+DAX4Jffq6hpD55MmoEvKs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -420,8 +424,11 @@ golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210217105451-b926d437f341 h1:2/QtM1mL37YmcsT8HaDNHDgTqqFVw+zr8UzMiBVLzYU=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210217105451-b926d437f341/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44 h1:Bli41pIlzTzf3KEY06n+xnzK/BESIg2ze4Pgfh/aI8c=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=

diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
@@ -34,6 +34,11 @@ import (
 	"github.com/pingcap/tidb-dashboard/pkg/apiserver/metrics"
 	"github.com/pingcap/tidb-dashboard/pkg/apiserver/profiling"
 	"github.com/pingcap/tidb-dashboard/pkg/apiserver/queryeditor"
+	"github.com/pingcap/tidb-dashboard/pkg/apiserver/user/code"
+	"github.com/pingcap/tidb-dashboard/pkg/apiserver/user/code/codeauth"
+	"github.com/pingcap/tidb-dashboard/pkg/apiserver/user/sqlauth"
+	"github.com/pingcap/tidb-dashboard/pkg/apiserver/user/sso"
+	"github.com/pingcap/tidb-dashboard/pkg/apiserver/user/sso/ssoauth"
 	"github.com/pingcap/tidb-dashboard/pkg/tiflash"
 
 	// "github.com/pingcap/tidb-dashboard/pkg/apiserver/__APP_NAME__"
@@ -130,10 +135,15 @@ func (s *Service) Start(ctx context.Context) error {
 			// __APP_NAME__.NewService,
 			// NOTE: Don't remove above comment line, it is a placeholder for code generator
 		),
+		codeauth.Module,
+		sqlauth.Module,
+		ssoauth.Module,
+		code.Module,
+		sso.Module,
+		profiling.Module,
 		statement.Module,
 		slowquery.Module,
 		debugapi.Module,
-		profiling.Module,
 		fx.Populate(&s.apiHandlerEngine),
 		fx.Invoke(
 			user.RegisterRouter,

diff --git a/pkg/apiserver/configuration/router.go b/pkg/apiserver/configuration/router.go
@@ -28,7 +28,7 @@ func RegisterRouter(r *gin.RouterGroup, auth *user.AuthService, s *Service) {
 	endpoint.Use(utils.MWConnectTiDB(s.params.TiDBClient))
 	endpoint.Use(utils.MWForbidByExperimentalFlag(s.params.Config.EnableExperimental))
 	endpoint.GET("/all", s.getHandler)
-	endpoint.POST("/edit", s.editHandler)
+	endpoint.POST("/edit", auth.MWRequireWritePriv(), s.editHandler)
 }
 
 // @ID configurationGetAll

diff --git a/pkg/apiserver/info/info.go b/pkg/apiserver/info/info.go
@@ -78,8 +78,9 @@ func (s *Service) infoHandler(c *gin.Context) {
 }
 
 type WhoAmIResponse struct {
-	Username string `json:"username"`
-	IsShared bool   `json:"is_shared"`
+	DisplayName string `json:"display_name"`
+	IsShareable bool   `json:"is_shareable"`
+	IsWriteable bool   `json:"is_writeable"`
 }
 
 // @ID infoWhoami
@@ -89,10 +90,11 @@ type WhoAmIResponse struct {
 // @Security JwtAuth
 // @Failure 401 {object} utils.APIError "Unauthorized failure"
 func (s *Service) whoamiHandler(c *gin.Context) {
-	sessionUser := c.MustGet(utils.SessionUserKey).(*utils.SessionUser)
+	sessionUser := utils.GetSession(c)
 	resp := WhoAmIResponse{
-		Username: sessionUser.TiDBUsername,
-		IsShared: sessionUser.IsShared,
+		DisplayName: sessionUser.DisplayName,
+		IsShareable: sessionUser.IsShareable,
+		IsWriteable: sessionUser.IsWriteable,
 	}
 	c.JSON(http.StatusOK, resp)
 }

diff --git a/pkg/apiserver/metrics/router.go b/pkg/apiserver/metrics/router.go
@@ -43,7 +43,7 @@ func RegisterRouter(r *gin.RouterGroup, auth *user.AuthService, s *Service) {
 	endpoint.Use(auth.MWAuthRequired())
 	endpoint.GET("/query", s.queryMetrics)
 	endpoint.GET("/prom_address", s.getPromAddressConfig)
-	endpoint.PUT("/prom_address", s.putCustomPromAddress)
+	endpoint.PUT("/prom_address", auth.MWRequireWritePriv(), s.putCustomPromAddress)
 }
 
 // @Summary Query metrics

diff --git a/pkg/apiserver/profiling/router.go b/pkg/apiserver/profiling/router.go
@@ -44,7 +44,7 @@ func RegisterRouter(r *gin.RouterGroup, auth *user.AuthService, s *Service) {
 	endpoint.GET("/single/view", s.viewSingle)
 
 	endpoint.GET("/config", auth.MWAuthRequired(), s.getDynamicConfig)
-	endpoint.PUT("/config", auth.MWAuthRequired(), s.setDynamicConfig)
+	endpoint.PUT("/config", auth.MWAuthRequired(), auth.MWRequireWritePriv(), s.setDynamicConfig)
 }
 
 // @ID startProfiling

diff --git a/pkg/apiserver/queryeditor/service.go b/pkg/apiserver/queryeditor/service.go
@@ -58,7 +58,7 @@ func RegisterRouter(r *gin.RouterGroup, auth *user.AuthService, s *Service) {
 	endpoint.Use(auth.MWAuthRequired())
 	endpoint.Use(utils.MWConnectTiDB(s.params.TiDBClient))
 	endpoint.Use(utils.MWForbidByExperimentalFlag(s.params.Config.EnableExperimental))
-	endpoint.POST("/run", s.runHandler)
+	endpoint.POST("/run", auth.MWRequireWritePriv(), s.runHandler)
 }
 
 type RunRequest struct {

diff --git a/pkg/apiserver/statement/service.go b/pkg/apiserver/statement/service.go
@@ -60,7 +60,7 @@ func registerRouter(r *gin.RouterGroup, auth *user.AuthService, s *Service) {
 		endpoint.Use(utils.MWConnectTiDB(s.params.TiDBClient))
 		{
 			endpoint.GET("/config", s.configHandler)
-			endpoint.POST("/config", s.modifyConfigHandler)
+			endpoint.POST("/config", auth.MWRequireWritePriv(), s.modifyConfigHandler)
 			endpoint.GET("/time_ranges", s.timeRangesHandler)
 			endpoint.GET("/stmt_types", s.stmtTypesHandler)
 			endpoint.GET("/list", s.listHandler)