User manager in meta (vesoft-inc#400)

* User manager of Meta Server * 1, Changed user data transport protocol from dataman to thrift. 2, Removed user property email and phone. 3, Added new user property lock status * 1,Refactor user processors code structure. 2,Remove user properties first name and last name. 3, Add new user properties of resource limit. 4, Changed related thrift structure from 'name' to 'id', 5,Add some comments for role. * To improve the drop space , on't delete useless role data * Rebased and added (raftex_obj raftex_thrift_obj wal_obj time_obj) to authentication_test module * Rebased and resolved some conflicts * Address laura-ding's comment * Resolved code alignment
tong-hao · Jun 19, 2019 · c946713 · c946713
1 parent 4cbb608
commit c946713
Show file tree

Hide file tree

Showing 18 changed files with 1,303 additions and 1 deletion.
diff --git a/src/common/base/Status.h b/src/common/base/Status.h
@@ -102,6 +102,7 @@ class Status final {
  STATUS_GENERATOR(HostNotFound);
  STATUS_GENERATOR(TagNotFound);
  STATUS_GENERATOR(EdgeNotFound);
+ STATUS_GENERATOR(UserNotFound);
 
 #undef STATUS_GENERATOR
 
@@ -128,6 +129,7 @@ class Status final {
  kHostNotFound = 405,
  kTagNotFound = 406,
  kEdgeNotFound = 407,
+ kUserNotFound = 408,
  };
 
  Code code() const {

diff --git a/src/common/base/ThriftTypes.h b/src/common/base/ThriftTypes.h
@@ -25,6 +25,7 @@ using EdgeType = int32_t;
 using EdgeRanking = int64_t;
 using EdgeVersion = int64_t;
 using SchemaVer = int64_t;
+using UserID = int32_t;
 
 } // namespace nebula
 #endif // COMMON_BASE_THRIFTTYPES_H_

diff --git a/src/graph/PermissionManager.h b/src/graph/PermissionManager.h
@@ -0,0 +1,47 @@
+/* Copyright (c) 2019 vesoft inc. All rights reserved.
+ *
+ * This source code is licensed under Apache 2.0 License,
+ * attached with Common Clause Condition 1.0, found in the LICENSES directory.
+ */
+
+
+#ifndef GRAPH_PERMISSIONMANAGER_H
+#define GRAPH_PERMISSIONMANAGER_H
+
+// Operation and permission define:
+// Operation | GOD | ADMIN | USER | GUEST
+// ---------------- | ------------- | ------------- | ------------- | -------------
+// kGo | Y | Y | Y | Y
+// kSet | Y | Y | Y | Y
+// kPipe | Y | Y | Y | Y
+// kUse | Y | Y | Y | Y
+// kMatch | Y | Y | Y | Y
+// kAssignment | Y | Y | Y | Y
+// kCreateTag | Y | Y | |
+// kAlterTag | Y | Y | |
+// kCreateEdge | Y | Y | |
+// kAlterEdge | Y | Y | |
+// kDescribeTag | Y | Y | Y | Y
+// kDescribeEdge | Y | Y | Y | Y
+// kRemoveTag | Y | Y | |
+// kRemoveEdge | Y | Y | |
+// kInsertVertex | Y | Y | Y |
+// kInsertEdge | Y | Y | Y |
+// kShow | Y | Y | Y | Y
+// kDeleteVertex | Y | Y | Y |
+// kDeleteEdge | Y | Y | Y |
+// kFind | Y | Y | Y | Y
+// kAddHosts | Y | | |
+// kRemoveHosts | Y | | |
+// kCreateSpace | Y | | |
+// kDropSpace | Y | Y | |
+// kYield | Y | Y | Y | Y
+// kCreateUser | Y | | |
+// kDropUser | Y | | |
+// kAlterUser | Y | Y | Y | Y
+// kGrant | Y | Y | |
+// kRevoke | Y | Y | |
+// kChangePassword | Y | Y | Y | Y
+
+
+#endif // GRAPH_PERMISSIONMANAGER_H
diff --git a/src/interface/common.thrift b/src/interface/common.thrift
@@ -23,6 +23,8 @@ typedef i32 (cpp.type = "nebula::Port") Port
 
 typedef i64 (cpp.type = "nebula::SchemaVer") SchemaVer
 
+typedef i32 (cpp.type = "nebula::UserID") UserID
+
 // These are all data types supported in the graph properties
 enum SupportedType {
  UNKNOWN = 0,

diff --git a/src/interface/meta.thrift b/src/interface/meta.thrift
@@ -31,6 +31,9 @@ enum ErrorCode {
  E_STORE_FAILURE = -31,
  E_STORE_SEGMENT_ILLEGAL = -32,
 
+ E_INVALID_PASSWORD = -41,
+ E_INPROPER_ROLE = -42,
+
  E_UNKNOWN = -99,
 } (cpp.enum_strict)
 
@@ -42,11 +45,27 @@ enum AlterSchemaOp {
  UNKNOWN = 0x04,
 } (cpp.enum_strict)
 
+/**
+** GOD is A global senior administrator.like root of Linux systems.
+** ADMIN is an administrator for a given Graph Space.
+** USER is a normal user for a given Graph Space. A User can access (read and write) the data in the Graph Space.
+** GUEST is a read-only role for a given Graph Space. A Guest cannot modify the data in the Graph Space.
+** Refer to header file src/graph/PermissionManager.h for details.
+**/
+
+enum RoleType {
+ GOD = 0x01,
+ ADMIN = 0x02,
+ USER = 0x03,
+ GUEST = 0x04,
+} (cpp.enum_strict)
+
 
 union ID {
  1: common.GraphSpaceID space_id,
  2: common.TagID tag_id,
  3: common.EdgeType edge_type,
+ 4: common.UserID user_id,
 }
 
 struct IdName {
@@ -100,6 +119,26 @@ struct HostItem {
  2: HostStatus status,
 }
 
+struct UserItem {
+ 1: string account;
+ // Disable user if lock status is true.
+ 2: bool is_lock,
+ // The number of queries an account can issue per hour
+ 3: i32 max_queries_per_hour,
+ // The number of updates an account can issue per hour
+ 4: i32 max_updates_per_hour,
+ // The number of times an account can connect to the server per hour
+ 5: i32 max_connections_per_hour,
+ // The number of simultaneous connections to the server by an account
+ 6: i32 max_user_connections,
+}
+
+struct RoleItem {
+ 1: common.UserID user_id,
+ 2: common.GraphSpaceID space_id,
+ 3: RoleType role_type,
+}
+
 struct ExecResp {
  1: ErrorCode code,
  // For custom kv operations, it is useless.
@@ -311,6 +350,72 @@ struct HBReq {
  1: common.HostAddr host,
 }
 
+struct CreateUserReq {
+ 1: UserItem user,
+ 2: string encoded_pwd,
+ 3: bool missing_ok,
+}
+
+struct DropUserReq {
+ 1: string account,
+ 2: bool missing_ok,
+}
+
+struct AlterUserReq {
+ 1: UserItem user_item,
+}
+
+struct GrantRoleReq {
+ 1: RoleItem role_item,
+}
+
+struct RevokeRoleReq {
+ 1: RoleItem role_item,
+}
+
+struct GetUserReq {
+ 1: string account,
+}
+
+struct GetUserResp {
+ 1: ErrorCode code,
+ // Valid if ret equals E_LEADER_CHANGED.
+ 2: common.HostAddr leader, 
+ 3: UserItem user_item,
+}
+
+struct ListUsersReq {
+}
+
+struct ListUsersResp {
+ 1: ErrorCode code,
+ // Valid if ret equals E_LEADER_CHANGED.
+ 2: common.HostAddr leader, 
+ 3: map<common.UserID, UserItem>(cpp.template = "std::unordered_map") users,
+}
+
+struct ListRolesReq {
+ 1: common.GraphSpaceID space_id,
+}
+
+struct ListRolesResp {
+ 1: ErrorCode code,
+ // Valid if ret equals E_LEADER_CHANGED.
+ 2: common.HostAddr leader, 
+ 3: list<RoleItem> roles,
+}
+
+struct ChangePasswordReq {
+ 1: string account,
+ 2: string new_encoded_pwd,
+ 3: string old_encoded_pwd,
+}
+
+struct CheckPasswordReq {
+ 1: string account,
+ 2: string encoded_pwd,
+}
+
 service MetaService {
  ExecResp createSpace(1: CreateSpaceReq req);
  ExecResp dropSpace(1: DropSpaceReq req);
@@ -343,5 +448,17 @@ service MetaService {
  ScanResp scan(1: ScanReq req);
 
  HBResp heartBeat(1: HBReq req);
+
+ ExecResp createUser(1: CreateUserReq req);
+ ExecResp dropUser(1: DropUserReq req);
+ ExecResp alterUser(1: AlterUserReq req);
+ ExecResp grantRole(1: GrantRoleReq req);
+ ExecResp revokeRole(1: RevokeRoleReq req);
+ GetUserResp getUser(1: GetUserReq req);
+ ListUsersResp listUsers(1: ListUsersReq req);
+ ListRolesResp listRoles(1: ListRolesReq req);
+ ExecResp changePassword(1: ChangePasswordReq req);
+ ExecResp checkPassword(1: CheckPasswordReq req);
+
 }
 
diff --git a/src/meta/CMakeLists.txt b/src/meta/CMakeLists.txt
@@ -37,6 +37,7 @@ add_library(
  processors/customKV/RemoveRangeProcessor.cpp
  processors/customKV/ScanProcessor.cpp
  processors/admin/HBProcessor.cpp
+ processors/usersMan/AuthenticationProcessor.cpp
 )
 add_dependencies(
  meta_service_handler

diff --git a/src/meta/MetaServiceHandler.cpp b/src/meta/MetaServiceHandler.cpp
@@ -31,6 +31,7 @@
 #include "meta/processors/customKV/RemoveProcessor.h"
 #include "meta/processors/customKV/RemoveRangeProcessor.h"
 #include "meta/processors/admin/HBProcessor.h"
+#include "meta/processors/usersMan/AuthenticationProcessor.h"
 
 #define RETURN_FUTURE(processor) \
  auto f = processor->getFuture(); \
@@ -190,5 +191,65 @@ MetaServiceHandler::future_heartBeat(const cpp2::HBReq& req) {
  RETURN_FUTURE(processor);
 }
 
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_createUser(const cpp2::CreateUserReq& req) {
+ auto* processor = CreateUserProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_dropUser(const cpp2::DropUserReq& req) {
+ auto* processor = DropUserProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_alterUser(const cpp2::AlterUserReq& req) {
+ auto* processor = AlterUserProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_grantRole(const cpp2::GrantRoleReq& req) {
+ auto* processor = GrantProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_revokeRole(const cpp2::RevokeRoleReq& req) {
+ auto* processor = RevokeProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::GetUserResp>
+MetaServiceHandler::future_getUser(const cpp2::GetUserReq& req) {
+ auto* processor = GetUserProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ListUsersResp>
+MetaServiceHandler::future_listUsers(const cpp2::ListUsersReq& req) {
+ auto* processor = ListUsersProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ListRolesResp>
+MetaServiceHandler::future_listRoles(const cpp2::ListRolesReq& req) {
+ auto* processor = ListRolesProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_changePassword(const cpp2::ChangePasswordReq& req) {
+ auto* processor = ChangePasswordProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_checkPassword(const cpp2::CheckPasswordReq& req) {
+ auto* processor = CheckPasswordProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
 } // namespace meta
 } // namespace nebula
diff --git a/src/meta/MetaServiceHandler.h b/src/meta/MetaServiceHandler.h
@@ -107,6 +107,39 @@ class MetaServiceHandler final : public cpp2::MetaServiceSvIf {
  folly::Future<cpp2::HBResp>
  future_heartBeat(const cpp2::HBReq& req) override;
 
+ /**
+ * User manager
+ **/
+ folly::Future<cpp2::ExecResp>
+ future_createUser(const cpp2::CreateUserReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_dropUser(const cpp2::DropUserReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_alterUser(const cpp2::AlterUserReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_grantRole(const cpp2::GrantRoleReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_revokeRole(const cpp2::RevokeRoleReq& req) override;
+
+ folly::Future<cpp2::GetUserResp>
+ future_getUser(const cpp2::GetUserReq& req) override;
+
+ folly::Future<cpp2::ListUsersResp>
+ future_listUsers(const cpp2::ListUsersReq& req) override;
+
+ folly::Future<cpp2::ListRolesResp>
+ future_listRoles(const cpp2::ListRolesReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_changePassword(const cpp2::ChangePasswordReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_checkPassword(const cpp2::CheckPasswordReq& req) override;
+
 private:
  kvstore::KVStore* kvstore_ = nullptr;
 };