-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User permission manager #1873
Merged
dangleptr
merged 5 commits into
vesoft-inc:master
from
bright-starry-sky:user_permission_manager
Mar 19, 2020
Merged
User permission manager #1873
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
4e8673c
user permission manager
e61cb6a
Addressed dangleptr's comments
d57fff8
1,cache user pwd; 2,check god by user name root;3,move FLAGS_enable_a…
a9436b8
Changed the method name from canReadSchemaData to canReadSchemaOrData
03a20e0
fixed comment typo error
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
nebula_add_library( | ||
permission_obj OBJECT | ||
PermissionManager.cpp | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,223 @@ | ||
/* Copyright (c) 2020 vesoft inc. All rights reserved. | ||
* | ||
* This source code is licensed under Apache 2.0 License, | ||
* attached with Common Clause Condition 1.0, found in the LICENSES directory. | ||
*/ | ||
|
||
#include "permission/PermissionManager.h" | ||
|
||
namespace nebula { | ||
namespace permission { | ||
|
||
// static | ||
bool PermissionManager::canReadSpace(session::Session *session, GraphSpaceID spaceId) { | ||
if (!FLAGS_enable_authorize) { | ||
return true; | ||
} | ||
if (session->isGod()) { | ||
return true; | ||
} | ||
bool havePermission = false; | ||
switch (session->roleWithSpace(spaceId)) { | ||
case session::Role::GOD : | ||
case session::Role::ADMIN : | ||
case session::Role::DBA : | ||
case session::Role::USER : | ||
case session::Role::GUEST : { | ||
havePermission = true; | ||
break; | ||
} | ||
case session::Role::INVALID_ROLE : { | ||
break; | ||
} | ||
} | ||
return havePermission; | ||
} | ||
|
||
// static | ||
bool PermissionManager::canReadSchemaOrData(session::Session *session) { | ||
if (session->space() == -1) { | ||
LOG(ERROR) << "The space name is not set"; | ||
return false; | ||
} | ||
if (session->isGod()) { | ||
return true; | ||
} | ||
bool havePermission = false; | ||
switch (session->roleWithSpace(session->space())) { | ||
case session::Role::GOD : | ||
case session::Role::ADMIN : | ||
case session::Role::DBA : | ||
case session::Role::USER : | ||
case session::Role::GUEST : { | ||
havePermission = true; | ||
break; | ||
} | ||
case session::Role::INVALID_ROLE : { | ||
break; | ||
} | ||
} | ||
return havePermission; | ||
} | ||
|
||
// static | ||
bool PermissionManager::canWriteSpace(session::Session *session) { | ||
return session->isGod(); | ||
} | ||
|
||
// static | ||
bool PermissionManager::canWriteSchema(session::Session *session) { | ||
if (session->space() == -1) { | ||
LOG(ERROR) << "The space name is not set"; | ||
return false; | ||
} | ||
if (session->isGod()) { | ||
return true; | ||
} | ||
bool havePermission = false; | ||
switch (session->roleWithSpace(session->space())) { | ||
case session::Role::GOD : | ||
case session::Role::ADMIN : | ||
case session::Role::DBA : { | ||
havePermission = true; | ||
break; | ||
} | ||
case session::Role::USER : | ||
case session::Role::GUEST : | ||
case session::Role::INVALID_ROLE : { | ||
break; | ||
} | ||
} | ||
return havePermission; | ||
} | ||
|
||
// static | ||
bool PermissionManager::canWriteUser(session::Session *session) { | ||
return session->isGod(); | ||
} | ||
|
||
bool PermissionManager::canWriteRole(session::Session *session, | ||
session::Role targetRole, | ||
GraphSpaceID spaceId, | ||
const std::string& targetUser) { | ||
if (!FLAGS_enable_authorize) { | ||
return true; | ||
} | ||
/** | ||
* Reject grant or revoke to himself. | ||
*/ | ||
if (session->user() == targetUser) { | ||
return false; | ||
} | ||
/* | ||
* Reject any user grant or revoke role to GOD | ||
*/ | ||
if (targetRole == session::Role::GOD) { | ||
return false; | ||
} | ||
/* | ||
* God user can be grant or revoke any one. | ||
*/ | ||
if (session->isGod()) { | ||
return true; | ||
} | ||
/** | ||
* Only allow ADMIN user grant or revoke other user to DBA, USER, GUEST. | ||
*/ | ||
auto role = session->roleWithSpace(spaceId); | ||
if (role == session::Role::ADMIN && targetRole != session::Role::ADMIN) { | ||
return true; | ||
} | ||
return false; | ||
} | ||
|
||
// static | ||
bool PermissionManager::canWriteData(session::Session *session) { | ||
if (session->space() == -1) { | ||
bright-starry-sky marked this conversation as resolved.
Show resolved
Hide resolved
|
||
LOG(ERROR) << "The space name is not set"; | ||
return false; | ||
} | ||
if (session->isGod()) { | ||
return true; | ||
} | ||
bool havePermission = false; | ||
switch (session->roleWithSpace(session->space())) { | ||
case session::Role::GOD : | ||
case session::Role::ADMIN : | ||
case session::Role::DBA : | ||
case session::Role::USER : { | ||
havePermission = true; | ||
break; | ||
} | ||
case session::Role::GUEST : | ||
case session::Role::INVALID_ROLE : { | ||
break; | ||
} | ||
} | ||
return havePermission; | ||
} | ||
|
||
// static | ||
bool PermissionManager::canShow(session::Session *session, | ||
ShowSentence::ShowType type, | ||
GraphSpaceID targetSpace) { | ||
if (!FLAGS_enable_authorize) { | ||
return true; | ||
} | ||
bool havePermission = false; | ||
switch (type) { | ||
case ShowSentence::ShowType::kShowParts: | ||
case ShowSentence::ShowType::kShowTags: | ||
case ShowSentence::ShowType::kShowEdges: | ||
case ShowSentence::ShowType::kShowTagIndexes: | ||
case ShowSentence::ShowType::kShowEdgeIndexes: | ||
case ShowSentence::ShowType::kShowCreateTag: | ||
case ShowSentence::ShowType::kShowCreateEdge: | ||
case ShowSentence::ShowType::kShowCreateTagIndex: | ||
case ShowSentence::ShowType::kShowCreateEdgeIndex: | ||
case ShowSentence::ShowType::kShowTagIndexStatus: | ||
case ShowSentence::ShowType::kShowEdgeIndexStatus: { | ||
/** | ||
* Above operations can get the space id via session, | ||
* so the permission same with canReadSchemaOrData. | ||
* They've been checked by "USE SPACE", so here skip the check. | ||
*/ | ||
havePermission = true; | ||
break; | ||
} | ||
case ShowSentence::ShowType::kShowCharset: | ||
case ShowSentence::ShowType::kShowCollation: | ||
case ShowSentence::ShowType::kShowHosts: { | ||
/** | ||
* all roles can be show for above operations. | ||
*/ | ||
havePermission = true; | ||
break; | ||
} | ||
case ShowSentence::ShowType::kShowSpaces: | ||
case ShowSentence::ShowType::kShowCreateSpace: | ||
case ShowSentence::ShowType::kShowRoles: { | ||
/* | ||
* Above operations are special operation. | ||
* can not get the space id via session, | ||
* Permission checking needs to be done in their executor. | ||
*/ | ||
havePermission = canReadSpace(session, targetSpace); | ||
break; | ||
} | ||
case ShowSentence::ShowType::kShowUsers: | ||
case ShowSentence::ShowType::kShowSnapshots: { | ||
/** | ||
* Only GOD role can be show. | ||
*/ | ||
havePermission = session->isGod(); | ||
break; | ||
} | ||
case ShowSentence::ShowType::kUnknown: | ||
break; | ||
} | ||
return havePermission; | ||
} | ||
|
||
} // namespace permission | ||
} // namespace nebula |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
/* Copyright (c) 2020 vesoft inc. All rights reserved. | ||
* | ||
* This source code is licensed under Apache 2.0 License, | ||
* attached with Common Clause Condition 1.0, found in the LICENSES directory. | ||
*/ | ||
|
||
#ifndef COMMON_PERMISSION_PERMISSIONMANAGER_H_ | ||
#define COMMON_PERMISSION_PERMISSIONMANAGER_H_ | ||
|
||
#include "base/Base.h" | ||
#include "session/Session.h" | ||
#include "meta/client/MetaClient.h" | ||
#include "parser/Sentence.h" | ||
#include "parser/UserSentences.h" | ||
#include "parser/AdminSentences.h" | ||
#include "graph/GraphFlags.h" | ||
|
||
namespace nebula { | ||
namespace permission { | ||
|
||
class PermissionManager final { | ||
public: | ||
PermissionManager() = delete; | ||
static bool canReadSpace(session::Session *session, GraphSpaceID spaceId); | ||
static bool canReadSchemaOrData(session::Session *session); | ||
static bool canWriteSpace(session::Session *session); | ||
static bool canWriteSchema(session::Session *session); | ||
static bool canWriteUser(session::Session *session); | ||
static bool canWriteRole(session::Session *session, | ||
session::Role targetRole, | ||
GraphSpaceID spaceId, | ||
const std::string& targetUser); | ||
static bool canWriteData(session::Session *session); | ||
static bool canShow(session::Session *session, | ||
ShowSentence::ShowType type, | ||
GraphSpaceID targetSpace = -1); | ||
}; | ||
} // namespace permission | ||
} // namespace nebula | ||
|
||
#endif // COMMON_PERMISSION_PERMISSIONMANAGER_H_ | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
nebula_add_library( | ||
session_obj OBJECT | ||
Session.cpp | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
/* Copyright (c) 2020 vesoft inc. All rights reserved. | ||
* | ||
* This source code is licensed under Apache 2.0 License, | ||
* attached with Common Clause Condition 1.0, found in the LICENSES directory. | ||
*/ | ||
|
||
#include "session/Session.h" | ||
|
||
namespace nebula { | ||
namespace session { | ||
|
||
Session::Session(int64_t id) { | ||
id_ = id; | ||
} | ||
|
||
std::shared_ptr<Session> Session::create(int64_t id) { | ||
return std::shared_ptr<Session>(new Session(id)); | ||
} | ||
|
||
void Session::charge() { | ||
idleDuration_.reset(); | ||
} | ||
|
||
uint64_t Session::idleSeconds() const { | ||
return idleDuration_.elapsedInSec(); | ||
} | ||
} // namespace session | ||
} // namespace nebula |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the difference between
session->isGod()
and session::Role::GOD ?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
session->isGod
just check if the user is god.session->roleWithSpace(spaceId)
check what role of in this space.case session::Role::GOD
still there because the compilation requirement of switch block .