vesoft-inc · boshengchen · May 15, 2019 · May 27, 2019 · May 29, 2019 · Jun 6, 2019
diff --git a/src/common/base/MD5Utils.h b/src/common/base/MD5Utils.h
@@ -0,0 +1,22 @@
+/* Copyright (c) 2019 vesoft inc. All rights reserved.
+ *
+ * This source code is licensed under Apache 2.0 License,
+ * attached with Common Clause Condition 1.0, found in the LICENSES directory.
+ */
+
+#ifndef COMMON_BASE_MD5UTILS_H
+#define COMMON_BASE_MD5UTILS_H
+
+#include "proxygen/lib/utils/CryptUtil.h"
+
+namespace nebula {
+class MD5Utils final {
+public:
+static std::string md5Encode(const std::string &str) {
+ return proxygen::md5Encode(folly::ByteRange(
+ reinterpret_cast<const unsigned char*>(str.c_str()),
+ str.length()));
+}
+};
+}
+#endif // COMMON_BASE_MD5UTILS_H
diff --git a/src/common/base/Status.h b/src/common/base/Status.h
@@ -102,6 +102,7 @@ class Status final {
  STATUS_GENERATOR(HostNotFound);
  STATUS_GENERATOR(TagNotFound);
  STATUS_GENERATOR(EdgeNotFound);
+ STATUS_GENERATOR(UserNotFound);
 
 #undef STATUS_GENERATOR
 
@@ -128,6 +129,7 @@ class Status final {
  kHostNotFound = 405,
  kTagNotFound = 406,
  kEdgeNotFound = 407,
+ kUserNotFound = 408,
  };
 
  Code code() const {

diff --git a/src/common/base/ThriftTypes.h b/src/common/base/ThriftTypes.h
@@ -25,6 +25,7 @@ using EdgeType = int32_t;
 using EdgeRanking = int64_t;
 using EdgeVersion = int64_t;
 using SchemaVer = int64_t;
+using UserID = int32_t;
 
 } // namespace nebula
 #endif // COMMON_BASE_THRIFTTYPES_H_

diff --git a/src/graph/AddHostsExecutor.cpp b/src/graph/AddHostsExecutor.cpp
@@ -20,6 +20,7 @@ Status AddHostsExecutor::prepare() {
  if (hosts_.size() == 0) {
  return Status::Error("Host address illegal");
  }
+ ACL_CHECK();
  return Status::OK();
 }
 

diff --git a/src/graph/AlterEdgeExecutor.cpp b/src/graph/AlterEdgeExecutor.cpp
@@ -17,7 +17,12 @@ AlterEdgeExecutor::AlterEdgeExecutor(Sentence *sentence,
 
 
 Status AlterEdgeExecutor::prepare() {
- return checkIfGraphSpaceChosen();
+ auto status = checkIfGraphSpaceChosen();
+ if (!status.ok()) {
+ return status;
+ }
+ ACL_CHECK();
+ return Status::OK();
 }
 
 

diff --git a/src/graph/AlterTagExecutor.cpp b/src/graph/AlterTagExecutor.cpp
@@ -16,7 +16,12 @@ AlterTagExecutor::AlterTagExecutor(Sentence *sentence,
 }
 
 Status AlterTagExecutor::prepare() {
- return checkIfGraphSpaceChosen();
+ auto status = checkIfGraphSpaceChosen();
+ if (!status.ok()) {
+ return status;
+ }
+ ACL_CHECK();
+ return Status::OK();
 }
 
 void AlterTagExecutor::execute() {

diff --git a/src/graph/AssignmentExecutor.cpp b/src/graph/AssignmentExecutor.cpp
@@ -25,6 +25,8 @@ Status AssignmentExecutor::prepare() {
  return status;
  }
 
+ ACL_CHECK();
+
  var_ = sentence_->var();
  executor_ = TraverseExecutor::makeTraverseExecutor(sentence_->sentence(), ectx());
  status = executor_->prepare();

diff --git a/src/graph/CMakeLists.txt b/src/graph/CMakeLists.txt
@@ -33,6 +33,8 @@ add_library(
  DescribeSpaceExecutor.cpp
  ShowExecutor.cpp
  YieldExecutor.cpp
+ UserExecutor.cpp
+ UserAccessControl.cpp
 )
 add_dependencies(
  graph_obj

diff --git a/src/graph/CreateEdgeExecutor.cpp b/src/graph/CreateEdgeExecutor.cpp
@@ -18,7 +18,12 @@ CreateEdgeExecutor::CreateEdgeExecutor(Sentence *sentence,
 
 
 Status CreateEdgeExecutor::prepare() {
- return checkIfGraphSpaceChosen();
+ auto status = checkIfGraphSpaceChosen();
+ if (!status.ok()) {
+ return status;
+ }
+ ACL_CHECK();
+ return Status::OK();
 }
 
 

diff --git a/src/graph/CreateSpaceExecutor.cpp b/src/graph/CreateSpaceExecutor.cpp
@@ -33,6 +33,7 @@ Status CreateSpaceExecutor::prepare() {
  if (replicaFactor_ <= 0) {
  return Status::Error("Replica_factor value should be greater than zero");
  }
+ ACL_CHECK();
  return Status::OK();
 }
 

diff --git a/src/graph/CreateTagExecutor.cpp b/src/graph/CreateTagExecutor.cpp
@@ -18,7 +18,12 @@ CreateTagExecutor::CreateTagExecutor(Sentence *sentence,
 
 
 Status CreateTagExecutor::prepare() {
- return checkIfGraphSpaceChosen();
+ auto status = checkIfGraphSpaceChosen();
+ if (!status.ok()) {
+ return status;
+ }
+ ACL_CHECK();
+ return Status::OK();
 }
 
 

diff --git a/src/graph/DescribeEdgeExecutor.cpp b/src/graph/DescribeEdgeExecutor.cpp
@@ -18,7 +18,12 @@ DescribeEdgeExecutor::DescribeEdgeExecutor(Sentence *sentence,
 
 
 Status DescribeEdgeExecutor::prepare() {
- return checkIfGraphSpaceChosen();
+ auto status = checkIfGraphSpaceChosen();
+ if (!status.ok()) {
+ return status;
+ }
+ ACL_CHECK();
+ return Status::OK();
 }
 
 

diff --git a/src/graph/DescribeSpaceExecutor.cpp b/src/graph/DescribeSpaceExecutor.cpp
@@ -17,6 +17,12 @@ DescribeSpaceExecutor::DescribeSpaceExecutor(Sentence *sentence,
 }
 
 Status DescribeSpaceExecutor::prepare() {
+ auto *name = sentence_->spaceName();
+ auto spaceRet = ectx()->getMetaClient()->getSpaceIdByNameFromCache(name->data());
+ if (!spaceRet.ok()) {
+ return Status::Error("Space not found : %s", name);
+ }
+ ACL_CHECK_SPACE(spaceRet.value());
  return Status::OK();;
 }
 

diff --git a/src/graph/DescribeTagExecutor.cpp b/src/graph/DescribeTagExecutor.cpp
@@ -18,7 +18,12 @@ DescribeTagExecutor::DescribeTagExecutor(Sentence *sentence,
 
 
 Status DescribeTagExecutor::prepare() {
- return checkIfGraphSpaceChosen();
+ auto status = checkIfGraphSpaceChosen();
+ if (!status.ok()) {
+ return status;
+ }
+ ACL_CHECK();
+ return Status::OK();
 }
 
 

diff --git a/src/graph/DropEdgeExecutor.cpp b/src/graph/DropEdgeExecutor.cpp
@@ -15,7 +15,12 @@ DropEdgeExecutor::DropEdgeExecutor(Sentence *sentence,
 }
 
 Status DropEdgeExecutor::prepare() {
- return checkIfGraphSpaceChosen();
+ auto status = checkIfGraphSpaceChosen();
+ if (!status.ok()) {
+ return status;
+ }
+ ACL_CHECK();
+ return Status::OK();
 }
 
 void DropEdgeExecutor::execute() {

diff --git a/src/graph/DropSpaceExecutor.cpp b/src/graph/DropSpaceExecutor.cpp
@@ -17,6 +17,11 @@ DropSpaceExecutor::DropSpaceExecutor(Sentence *sentence,
 
 Status DropSpaceExecutor::prepare() {
  spaceName_ = sentence_->spaceName();
+ auto spaceRet = ectx()->getMetaClient()->getSpaceIdByNameFromCache(spaceName_->data());
+ if (!spaceRet.ok()) {
+ return Status::Error("Space not found : %s", spaceName_);
+ }
+ ACL_CHECK_SPACE(spaceRet.value());
  return Status::OK();
 }
 

diff --git a/src/graph/DropTagExecutor.cpp b/src/graph/DropTagExecutor.cpp
@@ -15,7 +15,12 @@ DropTagExecutor::DropTagExecutor(Sentence *sentence,
 }
 
 Status DropTagExecutor::prepare() {
- return checkIfGraphSpaceChosen();
+ auto status = checkIfGraphSpaceChosen();
+ if (!status.ok()) {
+ return status;
+ }
+ ACL_CHECK();
+ return Status::OK();
 }
 
 void DropTagExecutor::execute() {

diff --git a/src/graph/Executor.cpp b/src/graph/Executor.cpp
@@ -31,6 +31,7 @@
 #include "graph/DescribeSpaceExecutor.h"
 #include "graph/DropSpaceExecutor.h"
 #include "graph/YieldExecutor.h"
+#include "graph/UserExecutor.h"
 
 namespace nebula {
 namespace graph {
@@ -102,6 +103,24 @@ std::unique_ptr<Executor> Executor::makeExecutor(Sentence *sentence) {
  case Sentence::Kind::kYield:
  executor = std::make_unique<YieldExecutor>(sentence, ectx());
  break;
+ case Sentence::Kind::kCreateUser:
+ executor = std::make_unique<CreateUserExecutor>(sentence, ectx());
+ break;
+ case Sentence::Kind::kDropUser:
+ executor = std::make_unique<DropUserExecutor>(sentence, ectx());
+ break;
+ case Sentence::Kind::kAlterUser:
+ executor = std::make_unique<AlterUserExecutor>(sentence, ectx());
+ break;
+ case Sentence::Kind::kGrant:
+ executor = std::make_unique<GrantExecutor>(sentence, ectx());
+ break;
+ case Sentence::Kind::kRevoke:
+ executor = std::make_unique<RevokeExecutor>(sentence, ectx());
+ break;
+ case Sentence::Kind::kChangePassword:
+ executor = std::make_unique<ChangePasswordExecutor>(sentence, ectx());
+ break;
  case Sentence::Kind::kUnknown:
  LOG(FATAL) << "Sentence kind unknown";
  break;

diff --git a/src/graph/Executor.h b/src/graph/Executor.h
@@ -12,6 +12,7 @@
 #include "cpp/helpers.h"
 #include "graph/ExecutionContext.h"
 #include "gen-cpp2/common_types.h"
+#include "graph/UserAccessControl.h"
 
 
 /**
@@ -21,6 +22,41 @@
 namespace nebula {
 namespace graph {
 
+#define ACL_CHECK() \
+ do { \
+ auto spaceId = ectx()->rctx()->session()->space(); \
+ if (spaceId == -1) { \
+ spaceId = ectx()->getMetaClient()-> \
+ getMetaDefaultSpaceIdInCache(); \
+ } \
+ auto aclStatus = checkACL(spaceId, \
+ ectx()->rctx()->session()->user(), \
+ sentence_->kind()); \
+ if (!aclStatus.ok()) { \
+ return aclStatus; \
+ } \
+ } while (false)
+
+#define ACL_CHECK_SPACE(spaceId) \
+ do { \
+ auto aclStatus = checkACL(spaceId, \
+ ectx()->rctx()->session()->user(), \
+ sentence_->kind()); \
+ if (!aclStatus.ok()) { \
+ return aclStatus; \
+ } \
+ } while (false)
+
+#define ACL_CHECK_IS_GOD() \
+ do { \
+ const auto& userName = ectx()->rctx()->session()->user(); \
+ auto isGod = ectx()->getMetaClient()-> \
+ checkIsGodUserInCache(userName); \
+ if (FLAGS_security_authorization_enable && !isGod) { \
+ return Status::Error("God role requested"); \
+ } \
+ } while (false)
+
 class Executor : public cpp::NonCopyable, public cpp::NonMovable {
 public:
  explicit Executor(ExecutionContext *ectx) {
@@ -85,6 +121,38 @@ class Executor : public cpp::NonCopyable, public cpp::NonMovable {
  return Status::OK();
  }
 
+ Status checkACL(GraphSpaceID spaceId, const std::string& user, Sentence::Kind op) {
+ if (!FLAGS_security_authorization_enable) {
+ return Status::OK();
+ }
+ auto userRet = ectx()->getMetaClient()->getUserIdByNameFromCache(user);
+ if (!userRet.ok()) {
+ return userRet.status();
+ }
+ auto ret = UserAccessControl::checkPerms(spaceId,
+ userRet.value(),
+ op,
+ ectx()->getMetaClient());
+ if (!ret.ok()) {
+ return ret;
+ }
+ return Status::OK();
+ }
+
+ meta::cpp2::RoleType toRole(RoleTypeClause::RoleType type) {
+ switch (type) {
+ case RoleTypeClause::RoleType::GOD:
+ return meta::cpp2::RoleType::GOD;
+ case RoleTypeClause::RoleType::ADMIN:
+ return meta::cpp2::RoleType::ADMIN;
+ case RoleTypeClause::RoleType::USER:
+ return meta::cpp2::RoleType::USER;
+ case RoleTypeClause::RoleType::GUEST:
+ return meta::cpp2::RoleType::GUEST;
+ }
+ return meta::cpp2::RoleType::UNKNOWN;
+ }
+
 protected:
  ExecutionContext *ectx_;
  std::function<void()> onFinish_;

diff --git a/src/graph/GoExecutor.cpp b/src/graph/GoExecutor.cpp
@@ -60,7 +60,8 @@ Status GoExecutor::prepare() {
  return status;
  }
 
- return status;
+ ACL_CHECK();
+ return Status::OK();
 }
 
 

diff --git a/src/graph/GraphFlags.cpp b/src/graph/GraphFlags.cpp
@@ -27,3 +27,5 @@ DEFINE_string(stderr_log_file, "graphd-stderr.log", "Destination filename of std
 DEFINE_bool(daemonize, true, "Whether run as a daemon process");
 DEFINE_string(meta_server_addrs, "", "list of meta server addresses,"
  "the format looks like ip1:port1, ip2:port2, ip3:port3");
+DEFINE_bool(security_authorization_enable, false, "Whether to turn on security "
+ "authorization management");
diff --git a/src/graph/GraphFlags.h b/src/graph/GraphFlags.h
@@ -25,6 +25,6 @@ DECLARE_string(stdout_log_file);
 DECLARE_string(stderr_log_file);
 DECLARE_bool(daemonize);
 DECLARE_string(meta_server_addrs);
-
+DECLARE_bool(security_authorization_enable);
 
 #endif // GRAPH_GRAPHFLAGS_H_
diff --git a/src/graph/InsertEdgeExecutor.cpp b/src/graph/InsertEdgeExecutor.cpp
@@ -42,6 +42,7 @@ Status InsertEdgeExecutor::prepare() {
  status = Status::Error("No schema found for '%s'", sentence_->edge()->c_str());
  break;
  }
+ ACL_CHECK_SPACE(spaceId);
  } while (false);
 
  return status;

diff --git a/src/graph/InsertVertexExecutor.cpp b/src/graph/InsertVertexExecutor.cpp
@@ -57,6 +57,7 @@ Status InsertVertexExecutor::prepare() {
  status = Status::Error("No schema found for '%s'", tagName->c_str());
  break;
  }
+ ACL_CHECK_SPACE(spaceId);
  } while (false);
 
  return status;

diff --git a/src/graph/PipeExecutor.cpp b/src/graph/PipeExecutor.cpp
@@ -22,6 +22,8 @@ Status PipeExecutor::prepare() {
  return status;
  }
 
+ ACL_CHECK();
+
  left_ = makeTraverseExecutor(sentence_->left());
  right_ = makeTraverseExecutor(sentence_->right());
  DCHECK(left_ != nullptr);

diff --git a/src/graph/RemoveHostsExecutor.cpp b/src/graph/RemoveHostsExecutor.cpp
@@ -20,6 +20,7 @@ Status RemoveHostsExecutor::prepare() {
  if (host_.size() == 0) {
  return Status::Error("Host address illegal");
  }
+ ACL_CHECK();
  return Status::OK();
 }