User manager in meta

src/common/base/Status.h

@@ -102,6 +102,7 @@ class Status final {
  STATUS_GENERATOR(HostNotFound);
  STATUS_GENERATOR(TagNotFound);
  STATUS_GENERATOR(EdgeNotFound);
+ STATUS_GENERATOR(UserNotFound);
 
 #undef STATUS_GENERATOR
 
@@ -128,6 +129,7 @@ class Status final {
  kHostNotFound = 405,
  kTagNotFound = 406,
  kEdgeNotFound = 407,
+ kUserNotFound = 408,
  };
 
  Code code() const {

src/common/base/ThriftTypes.h

@@ -25,6 +25,7 @@ using EdgeType = int32_t;
 using EdgeRanking = int64_t;
 using EdgeVersion = int64_t;
 using SchemaVer = int64_t;
+using UserID = int32_t;
 
 } // namespace nebula
 #endif // COMMON_BASE_THRIFTTYPES_H_

src/graph/PermissionManager.h

@@ -0,0 +1,47 @@
+/* Copyright (c) 2019 vesoft inc. All rights reserved.
+ *
+ * This source code is licensed under Apache 2.0 License,
+ * attached with Common Clause Condition 1.0, found in the LICENSES directory.
+ */
+
+
+#ifndef GRAPH_PERMISSIONMANAGER_H
+#define GRAPH_PERMISSIONMANAGER_H
+
+// Operation and permission define:
+// Operation | GOD | ADMIN | USER | GUEST
+// ---------------- | ------------- | ------------- | ------------- | -------------
+// kGo | Y | Y | Y | Y
+// kSet | Y | Y | Y | Y
+// kPipe | Y | Y | Y | Y
+// kUse | Y | Y | Y | Y
+// kMatch | Y | Y | Y | Y
+// kAssignment | Y | Y | Y | Y
+// kCreateTag | Y | Y | |
+// kAlterTag | Y | Y | |
+// kCreateEdge | Y | Y | |
+// kAlterEdge | Y | Y | |
+// kDescribeTag | Y | Y | Y | Y
+// kDescribeEdge | Y | Y | Y | Y
+// kRemoveTag | Y | Y | |
+// kRemoveEdge | Y | Y | |
+// kInsertVertex | Y | Y | Y |
+// kInsertEdge | Y | Y | Y |
+// kShow | Y | Y | Y | Y
+// kDeleteVertex | Y | Y | Y |
+// kDeleteEdge | Y | Y | Y |
+// kFind | Y | Y | Y | Y
+// kAddHosts | Y | | |
+// kRemoveHosts | Y | | |
+// kCreateSpace | Y | | |
+// kDropSpace | Y | Y | |
+// kYield | Y | Y | Y | Y
+// kCreateUser | Y | | |
+// kDropUser | Y | | |
+// kAlterUser | Y | Y | Y | Y
+// kGrant | Y | Y | |
+// kRevoke | Y | Y | |
+// kChangePassword | Y | Y | Y | Y
+
+
+#endif // GRAPH_PERMISSIONMANAGER_H

src/interface/common.thrift

@@ -23,6 +23,8 @@ typedef i32 (cpp.type = "nebula::Port") Port
 
 typedef i64 (cpp.type = "nebula::SchemaVer") SchemaVer
 
+typedef i32 (cpp.type = "nebula::UserID") UserID
+
 // These are all data types supported in the graph properties
 enum SupportedType {
  UNKNOWN = 0,

src/interface/meta.thrift

@@ -31,6 +31,9 @@ enum ErrorCode {
  E_STORE_FAILURE = -31,
  E_STORE_SEGMENT_ILLEGAL = -32,
 
+ E_INVALID_PASSWORD = -41,
+ E_INPROPER_ROLE = -42,
+
  E_UNKNOWN = -99,
 } (cpp.enum_strict)
 
@@ -42,11 +45,27 @@ enum AlterSchemaOp {
  UNKNOWN = 0x04,
 } (cpp.enum_strict)
 
+/**
+** GOD is A global senior administrator.like root of Linux systems.
+** ADMIN is an administrator for a given Graph Space.
+** USER is a normal user for a given Graph Space. A User can access (read and write) the data in the Graph Space.
+** GUEST is a read-only role for a given Graph Space. A Guest cannot modify the data in the Graph Space.
+** Refer to header file src/graph/PermissionManager.h for details.
+**/
+
+enum RoleType {
+ GOD = 0x01,
+ ADMIN = 0x02,
+ USER = 0x03,
+ GUEST = 0x04,
+} (cpp.enum_strict)
+
 
 union ID {
  1: common.GraphSpaceID space_id,
  2: common.TagID tag_id,
  3: common.EdgeType edge_type,
+ 4: common.UserID user_id,
 }
 
 struct IdName {
@@ -100,6 +119,26 @@ struct HostItem {
  2: HostStatus status,
 }
 
+struct UserItem {
+ 1: string account;
+ // Disable user if lock status is true.
+ 2: bool is_lock,
+ // The number of queries an account can issue per hour
+ 3: i32 max_queries_per_hour,
+ // The number of updates an account can issue per hour
+ 4: i32 max_updates_per_hour,
+ // The number of times an account can connect to the server per hour
+ 5: i32 max_connections_per_hour,
+ // The number of simultaneous connections to the server by an account
+ 6: i32 max_user_connections,
+}
+
+struct RoleItem {
+ 1: common.UserID user_id,
+ 2: common.GraphSpaceID space_id,
+ 3: RoleType role_type,
+}
+
 struct ExecResp {
  1: ErrorCode code,
  // For custom kv operations, it is useless.
@@ -311,6 +350,72 @@ struct HBReq {
  1: common.HostAddr host,
 }
 
+struct CreateUserReq {
+ 1: UserItem user,
+ 2: string encoded_pwd,
+ 3: bool missing_ok,
+}
+
+struct DropUserReq {
+ 1: string account,
+ 2: bool missing_ok,
+}
+
+struct AlterUserReq {
+ 1: UserItem user_item,
+}
+
+struct GrantRoleReq {
+ 1: RoleItem role_item,
+}
+
+struct RevokeRoleReq {
+ 1: RoleItem role_item,
+}
+
+struct GetUserReq {
+ 1: string account,
+}
+
+struct GetUserResp {
+ 1: ErrorCode code,
+ // Valid if ret equals E_LEADER_CHANGED.
+ 2: common.HostAddr leader, 
+ 3: UserItem user_item,
+}
+
+struct ListUsersReq {
+}
+
+struct ListUsersResp {
+ 1: ErrorCode code,
+ // Valid if ret equals E_LEADER_CHANGED.
+ 2: common.HostAddr leader, 
+ 3: map<common.UserID, UserItem>(cpp.template = "std::unordered_map") users,
+}
+
+struct ListRolesReq {
+ 1: common.GraphSpaceID space_id,
+}
+
+struct ListRolesResp {
+ 1: ErrorCode code,
+ // Valid if ret equals E_LEADER_CHANGED.
+ 2: common.HostAddr leader, 
+ 3: list<RoleItem> roles,
+}
+
+struct ChangePasswordReq {
+ 1: string account,
+ 2: string new_encoded_pwd,
+ 3: string old_encoded_pwd,
+}
+
+struct CheckPasswordReq {
+ 1: string account,
+ 2: string encoded_pwd,
+}
+
 service MetaService {
  ExecResp createSpace(1: CreateSpaceReq req);
  ExecResp dropSpace(1: DropSpaceReq req);
@@ -343,5 +448,17 @@ service MetaService {
  ScanResp scan(1: ScanReq req);
 
  HBResp heartBeat(1: HBReq req);
+
+ ExecResp createUser(1: CreateUserReq req);
+ ExecResp dropUser(1: DropUserReq req);
+ ExecResp alterUser(1: AlterUserReq req);
+ ExecResp grantRole(1: GrantRoleReq req);
+ ExecResp revokeRole(1: RevokeRoleReq req);
+ GetUserResp getUser(1: GetUserReq req);
+ ListUsersResp listUsers(1: ListUsersReq req);
+ ListRolesResp listRoles(1: ListRolesReq req);
+ ExecResp changePassword(1: ChangePasswordReq req);
+ ExecResp checkPassword(1: CheckPasswordReq req);
+
 }
 

src/meta/CMakeLists.txt

@@ -37,6 +37,7 @@ add_library(
  processors/customKV/RemoveRangeProcessor.cpp
  processors/customKV/ScanProcessor.cpp
  processors/admin/HBProcessor.cpp
+ processors/usersMan/AuthenticationProcessor.cpp
 )
 add_dependencies(
  meta_service_handler

src/meta/MetaServiceHandler.cpp

@@ -31,6 +31,7 @@
 #include "meta/processors/customKV/RemoveProcessor.h"
 #include "meta/processors/customKV/RemoveRangeProcessor.h"
 #include "meta/processors/admin/HBProcessor.h"
+#include "meta/processors/usersMan/AuthenticationProcessor.h"
 
 #define RETURN_FUTURE(processor) \
  auto f = processor->getFuture(); \
@@ -190,5 +191,65 @@ MetaServiceHandler::future_heartBeat(const cpp2::HBReq& req) {
  RETURN_FUTURE(processor);
 }
 
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_createUser(const cpp2::CreateUserReq& req) {
+ auto* processor = CreateUserProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_dropUser(const cpp2::DropUserReq& req) {
+ auto* processor = DropUserProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_alterUser(const cpp2::AlterUserReq& req) {
+ auto* processor = AlterUserProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_grantRole(const cpp2::GrantRoleReq& req) {
+ auto* processor = GrantProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_revokeRole(const cpp2::RevokeRoleReq& req) {
+ auto* processor = RevokeProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::GetUserResp>
+MetaServiceHandler::future_getUser(const cpp2::GetUserReq& req) {
+ auto* processor = GetUserProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ListUsersResp>
+MetaServiceHandler::future_listUsers(const cpp2::ListUsersReq& req) {
+ auto* processor = ListUsersProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ListRolesResp>
+MetaServiceHandler::future_listRoles(const cpp2::ListRolesReq& req) {
+ auto* processor = ListRolesProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_changePassword(const cpp2::ChangePasswordReq& req) {
+ auto* processor = ChangePasswordProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
+folly::Future<cpp2::ExecResp>
+MetaServiceHandler::future_checkPassword(const cpp2::CheckPasswordReq& req) {
+ auto* processor = CheckPasswordProcessor::instance(kvstore_);
+ RETURN_FUTURE(processor);
+}
+
 } // namespace meta
 } // namespace nebula

src/meta/MetaServiceHandler.h

@@ -107,6 +107,39 @@ class MetaServiceHandler final : public cpp2::MetaServiceSvIf {
  folly::Future<cpp2::HBResp>
  future_heartBeat(const cpp2::HBReq& req) override;
 
+ /**
+ * User manager
+ **/
+ folly::Future<cpp2::ExecResp>
+ future_createUser(const cpp2::CreateUserReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_dropUser(const cpp2::DropUserReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_alterUser(const cpp2::AlterUserReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_grantRole(const cpp2::GrantRoleReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_revokeRole(const cpp2::RevokeRoleReq& req) override;
+
+ folly::Future<cpp2::GetUserResp>
+ future_getUser(const cpp2::GetUserReq& req) override;
+
+ folly::Future<cpp2::ListUsersResp>
+ future_listUsers(const cpp2::ListUsersReq& req) override;
+
+ folly::Future<cpp2::ListRolesResp>
+ future_listRoles(const cpp2::ListRolesReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_changePassword(const cpp2::ChangePasswordReq& req) override;
+
+ folly::Future<cpp2::ExecResp>
+ future_checkPassword(const cpp2::CheckPasswordReq& req) override;
+
 private:
  kvstore::KVStore* kvstore_ = nullptr;
 };