public User removeUser(Long userId) { User userToRemove = getUser(userId); if (userToRemove != null) { if (userToRemove.getRoles() != null) { userToRemove.getRoles().forEach(roleName -> { Optional<Role> r = getRole(roleName); if (r.isPresent()) { removeUserRole(userId, r.get().getId()); } }); } // remove permissions assigned to user LOG.debug("Removing ACL entries for user {}", userToRemove); List<QueryParam> qps = QueryParam.params(AclEntry.SID_ID, String.valueOf(userId), AclEntry.SID_TYPE, AclEntry.SidType.USER.toString()); listAcls(qps).forEach(aclEntry -> removeAcl(aclEntry.getId())); return dao.remove(new StorableKey(User.NAMESPACE, userToRemove.getPrimaryKey())); } throw new IllegalArgumentException("No user with id: " + userId); }
@POST @Path("/acls") @Timed public Response addAcl(AclEntry aclEntry, @Context SecurityContext securityContext) { mayBeFillSidId(aclEntry); checkAclOp(aclEntry, securityContext, this::shouldAllowAclAddOrUpdate); AclEntry createdAcl = catalogService.addAcl(aclEntry); return WSUtils.respondEntity(createdAcl, CREATED); }
@POST @Path("/roles/{parentRoleName}/children") @Timed public Response addChildRoles(@PathParam("parentRoleName") String parentRoleName, Set<String> childRoleNames, @Context SecurityContext securityContext) throws Exception { SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN); Long parentId = getIdFromRoleName(parentRoleName); Set<Long> childIds = new HashSet<>(); childRoleNames.forEach(childRoleName -> { if (childRoleName.equals(parentRoleName)) { throw new IllegalArgumentException("Child role(s) contain parent role"); } childIds.add(getIdFromRoleName(childRoleName)); }); Set<RoleHierarchy> res = new HashSet<>(); childIds.forEach(childId -> res.add(catalogService.addChildRole(parentId, childId))); return WSUtils.respondEntities(res, OK); }
private Response addOrUpdateRoleUsers(Long roleId, Set<Long> userIds) { List<UserRole> userRoles = new ArrayList<>(); Role roleToQuery = catalogService.getRole(roleId); Set<Long> currentUserIds = catalogService.listUsers(roleToQuery).stream().map(User::getId).collect(Collectors.toSet()); Set<Long> userIdsToAdd = Sets.difference(userIds, currentUserIds); Set<Long> userIdsToRemove = Sets.difference(currentUserIds, userIds); Sets.intersection(currentUserIds, userIds).forEach(userId -> { userRoles.add(new UserRole(userId, roleId)); }); userIdsToRemove.forEach(userId -> catalogService.removeUserRole(userId, roleId)); userIdsToAdd.forEach(userId -> { userRoles.add(catalogService.addUserRole(userId, roleId)); }); return WSUtils.respondEntities(userRoles, OK); }
public Collection<User> listUsers(Role role) { List<QueryParam> qps = QueryParam.params(UserRole.ROLE_ID, role.getId().toString()); return listUserRoles(qps).stream().map(ur -> getUser(ur.getUserId())).collect(Collectors.toSet()); }
private void validateAcl(AclEntry aclEntry) { Long sidId = aclEntry.getSidId(); if (aclEntry.getSidType() == USER) { if (getUser(sidId) == null) { throw new IllegalArgumentException("No user with id: " + sidId); } } else if (aclEntry.getSidType() == ROLE) { if (getRole(sidId) == null) { throw new IllegalArgumentException("No role with id: " + sidId); } } }
public User addOrUpdateUser(Long id, User user) { user.setId(id); user.setTimestamp(System.currentTimeMillis()); validateUser(user); this.dao.addOrUpdate(user); // update user - role association if (user.getRoles() != null) { List<QueryParam> qps = QueryParam.params(UserRole.USER_ID, String.valueOf(user.getId())); Set<Long> existing = listUserRoles(qps).stream().map(UserRole::getRoleId).collect(Collectors.toSet()); Set<Long> newRoles = user.getRoles().stream().map(this::getRole).filter(Optional::isPresent) .map(role -> role.get().getId()).collect(Collectors.toSet()); Sets.difference(existing, newRoles).forEach(roleId -> removeUserRole(id, roleId)); Sets.difference(newRoles, existing).forEach(roleId -> { if (getRole(roleId) == null) { throw new IllegalArgumentException("No role with id: " + roleId); } addUserRole(id, roleId); }); } return user; }
private void mayBeAssignAdminRole() { LOG.info("Checking if admin users have admin role"); Role adminRole = catalogService.getRole(Roles.ROLE_ADMIN) .orElseGet(() -> { Role admin = new Role(); admin.setName("ROLE_ADMIN"); admin.setDisplayName("Admin"); admin.setDescription("Super user role that has all the system roles and privileges"); admin.setMetadata("{\"colorCode\":\"#8261be\",\"colorLabel\":\"purple\",\"icon\":\"gears\", \"menu\": [\"schemaRegistry\", \"modelRegistry\", \"udf\", \"dashboard\", \"topology\", \"authorizer\", \"notifier\", \"customprocessor\", \"servicepool\", \"environments\"], \"capabilities\": [{\"Applications\": \"Edit\"}, {\"Service Pool\": \"Edit\"}, {\"Environments\": \"Edit\"}, {\"Users\": \"Edit\"}, {\"Dashboard\": \"Edit\"}]}"); admin.setSystem(false); return catalogService.addRole(admin); }); adminUsers.stream() .map(userName -> catalogService.getUser(userName)) .filter(user -> { if (userHasRole(user, Roles.ROLE_ADMIN)) { LOG.info("user '{}' already has '{}'", user, Roles.ROLE_ADMIN); return false; } else { return true; } }) .forEach(user -> catalogService.addUserRole(user.getId(), adminRole.getId())); }
public boolean checkUserPermissions(String objectNamespace, Long objectId, Long userId, EnumSet<Permission> required) { User user = getUser(userId); if (user == null) { return false; AclEntry.SID_TYPE, USER.toString(), AclEntry.SID_ID, String.valueOf(userId)); Collection<AclEntry> acls = listAcls(qps); if (acls.size() > 1) { throw new IllegalStateException("More than one ACL entry for " + qps); AclEntry.OBJECT_ID, String.valueOf(objectId), AclEntry.SID_TYPE, AclEntry.SidType.ROLE.toString()); acls = listAcls(qps); Set<Role> userRoles = getAllUserRoles(user); Iterator<AclEntry> it = acls.iterator(); while (!remaining.isEmpty() && it.hasNext()) { AclEntry roleEntry = it.next(); if (userRoles.contains(getRole(roleEntry.getSidId()))) { remaining.removeAll(roleEntry.getPermissions());
@Override public void removeAcl(AuthenticationContext ctx, String targetEntityNamespace, Long targetEntityId) { validateAuthenticationContext(ctx); String userName = SecurityUtil.getUserName(ctx); User user = catalogService.getUser(userName); if (user == null || user.getId() == null) { String msg = String.format("No such user '%s'", userName); LOG.warn(msg); throw new AuthorizationException(msg); } catalogService.listUserAcls(user.getId(), targetEntityNamespace, targetEntityId).forEach(acl -> { LOG.debug("Removing Acl {}", acl); catalogService.removeAcl(acl.getId()); }); }
public User addUser(User user) { if (user.getId() == null) { user.setId(this.dao.nextId(User.NAMESPACE)); } if (user.getTimestamp() == null) { user.setTimestamp(System.currentTimeMillis()); } validateUser(user); this.dao.add(user); // create user - role association if (user.getRoles() != null) { user.getRoles().forEach(roleName -> { Optional<Role> role = getRole(roleName); if (!role.isPresent()) { removeUser(user.getId()); throw new IllegalArgumentException("No such role: " + roleName); } addUserRole(user.getId(), role.get().getId()); }); } return user; }
private Long getUserId(String userName) { User user = catalogService.getUser(userName); if (user != null) { return user.getId(); } else { throw EntityNotFoundException.byName(userName); } }
private void mayBeAddAdminUsers() { LOG.info("Checking user entries for admin users"); adminUsers.stream() .filter(name -> { User user = catalogService.getUser(name); if (user != null) { LOG.info("Entry for user '{}' already exists", name); return false; } else { return true; } }) .forEach(name -> { User user = new User(); user.setName(name); user.setEmail(name + "@auto-generated.com"); user.setMetadata("{\"colorCode\":\"#8261be\",\"colorLabel\":\"purple\",\"icon\":\"gears\"}"); try { User addedUser = catalogService.addUser(user); LOG.info("Added admin user entry: {}", addedUser); } catch (DuplicateEntityException exception) { // In HA setup the other server may have already added the user. LOG.info("Caught exception: " + ExceptionUtils.getStackTrace(exception)); LOG.info("Admin user entry: {} already exists.", user); } }); }
@PUT @Path("/roles/{parentRoleName}/children") @Timed public Response addOrUpdateChildRoles(@PathParam("parentRoleName") String parentRoleName, Set<String> childRoleNames, @Context SecurityContext securityContext) throws Exception { SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN); Long parentId = getIdFromRoleName(parentRoleName); Set<Long> currentChildIds = new HashSet<>(); catalogService.getChildRoles(parentId).forEach(role -> currentChildIds.add(role.getId())); Set<Long> updatedChildIds = new HashSet<>(); childRoleNames.forEach(childRoleName -> { if (childRoleName.equals(parentRoleName)) { throw new IllegalArgumentException("Child role(s) contain parent role"); } updatedChildIds.add(getIdFromRoleName(childRoleName)); }); Set<Long> childIdsToAdd = Sets.difference(updatedChildIds, currentChildIds); Set<Long> childIdsToRemove = Sets.difference(currentChildIds, updatedChildIds); childIdsToRemove.forEach(childId -> catalogService.removeChildRole(parentId, childId)); Set<RoleHierarchy> res = new HashSet<>(); Sets.intersection(currentChildIds, updatedChildIds).forEach(childId -> res.add(new RoleHierarchy(parentId, childId))); childIdsToAdd.forEach(childId -> res.add(catalogService.addChildRole(parentId, childId))); return WSUtils.respondEntities(res, OK); }
private boolean checkPermissions(AuthenticationContext ctx, String targetEntityNamespace, Long targetEntityId, EnumSet<Permission> permissions) { validateAuthenticationContext(ctx); String userName = SecurityUtil.getUserName(ctx); User user = catalogService.getUser(userName); if (user == null || user.getId() == null) { String msg = String.format("No such user '%s'", userName); LOG.warn(msg); throw new AuthorizationException(msg); } return userHasRole(user, Roles.ROLE_ADMIN) || catalogService.checkUserPermissions(targetEntityNamespace, targetEntityId, user.getId(), permissions); }
@Override public void addAcl(AuthenticationContext ctx, String targetEntityNamespace, Long targetEntityId, boolean owner, boolean grant, EnumSet<Permission> permissions) { validateAuthenticationContext(ctx); String userName = SecurityUtil.getUserName(ctx); User user = catalogService.getUser(userName); if (user == null || user.getId() == null) { String msg = String.format("No such user '%s'", userName); LOG.warn(msg); throw new AuthorizationException(msg); } AclEntry aclEntry = new AclEntry(); aclEntry.setObjectId(targetEntityId); aclEntry.setObjectNamespace(targetEntityNamespace); aclEntry.setSidId(user.getId()); aclEntry.setSidType(AclEntry.SidType.USER); aclEntry.setOwner(owner); aclEntry.setGrant(grant); aclEntry.setPermissions(permissions); catalogService.addAcl(aclEntry); }
@POST @Path("/roles/{parentRoleName}/children/{childRoleName}") @Timed public Response addChildRole(@PathParam("parentRoleName") String parentRoleName, @PathParam("childRoleName") String childRoleName, @Context SecurityContext securityContext) throws Exception { SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN); if (childRoleName.equals(parentRoleName)) { throw new IllegalArgumentException("Child role is same as parent role"); } Long parentId = getIdFromRoleName(parentRoleName); Long childId = getIdFromRoleName(childRoleName); Role childRole = catalogService.getRole(childId); if (childRole != null) { RoleHierarchy roleHierarchy = catalogService.addChildRole(parentId, childId); return WSUtils.respondEntity(roleHierarchy, OK); } throw EntityNotFoundException.byId(childId.toString()); }
private Response addRoleUsers(Long roleId, Set<Long> userIds) { List<UserRole> userRoles = new ArrayList<>(); userIds.forEach(userId -> { userRoles.add(catalogService.addUserRole(userId, roleId)); }); return WSUtils.respondEntities(userRoles, OK); }
@PUT @Path("/users/{id}") @Timed public Response addOrUpdateUser(@PathParam("id") Long userId, User user, @Context SecurityContext securityContext) { SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN); User newUser = catalogService.addOrUpdateUser(userId, user); return WSUtils.respondEntity(newUser, OK); }
@PUT @Path("/roles/{id}") @Timed public Response addOrUpdateRole(@PathParam("id") Long roleId, Role role, @Context SecurityContext securityContext) { SecurityUtil.checkRole(authorizer, securityContext, ROLE_SECURITY_ADMIN); Role newRole = catalogService.addOrUpdateRole(roleId, role); return WSUtils.respondEntity(newRole, OK); }