/**
 * Returns a new SecurityContext that keeps this context's subject and uses the supplied access mode.
 *
 * <p>The mode is passed through exactly as given. Nothing in this method checks that it is
 * narrower than the current mode, so the caller decides whether the copy restricts or widens access.
 *
 * @param mode the access mode for the copy
 * @return a new context built from the current subject and {@code mode}
 */
public SecurityContext withMode( AccessMode mode ) {
    SecurityContext copy = new SecurityContext( subject, mode );
    return copy;
}
/**
 * Streams one result per username known to the user manager.
 *
 * <p>When the user manager reports no usernames, the result of {@code showCurrentUser()} is
 * returned instead.
 *
 * @return a stream of user results
 */
@Description( "List all native users." )
@Procedure( name = "dbms.security.listUsers", mode = DBMS )
public Stream<UserResult> listUsers() {
    // Expired credentials are checked before any account data is read.
    securityContext.assertCredentialsNotExpired();
    // NOTE(review): credential expiry is the only caller check visible in this method; no admin or
    // role check appears here, so any limit on who may enumerate accounts must come from
    // elsewhere - confirm.
    Set<String> knownNames = userManager.getAllUsernames();
    if ( knownNames.isEmpty() ) {
        return showCurrentUser();
    }
    return knownNames.stream().map( this::userResultForName );
}
/**
 * Throws the access mode's violation exception unless the current mode passes the given predicate.
 *
 * @param allows predicate applied to the current access mode; a {@code null} result fails on unboxing
 * @param mode label for the kind of operation, used only in the violation message
 */
public void assertAllows( Function<AccessMode,Boolean> allows, String mode ) {
    AccessMode currentMode = securityContext().mode();
    boolean permitted = allows.apply( currentMode );
    if ( permitted ) {
        return;
    }
    // The message names the denied operation kind and the context description.
    String reason = format( "%s operations are not allowed for %s.", mode, securityContext().description() );
    throw currentMode.onViolation( reason );
}
/**
 * Checks that a context whose mode is wrapped in an OverriddenAccessMode describes both the
 * original mode and the overriding one.
 */
@Test
public void shouldMakeNiceDescriptionOverridden() {
    OverriddenAccessMode readOverride = new OverriddenAccessMode( context.mode(), AccessMode.Static.READ );
    SecurityContext withOverride = context.withMode( readOverride );
    String expectedText = "user 'johan' with FULL overridden by READ";
    assertThat( withOverride.description(), equalTo( expectedText ) );
}
/**
 * Returns the subject of the current security context, or {@code AuthSubject.ANONYMOUS} when no
 * security context is set.
 *
 * @return the context's subject, or the anonymous subject
 */
@Override
public AuthSubject subjectOrAnonymous() {
    // Read the field once so the null check and the dereference use the same reference.
    SecurityContext current = this.securityContext;
    if ( current == null ) {
        return AuthSubject.ANONYMOUS;
    }
    return current.subject();
}
securityContext.assertCredentialsNotExpired(); if ( !securityContext.isAdmin() )
/**
 * Deletes the named user through the user manager, refusing to delete the calling user.
 *
 * @param username name of the account to delete
 * @throws InvalidArgumentsException if {@code username} is the caller's own username
 * @throws IOException declared by this procedure; presumably raised by the user manager - confirm
 */
@Description( "Delete the specified user." )
@Procedure( name = "dbms.security.deleteUser", mode = DBMS )
public void deleteUser( @Name( "username" ) String username ) throws InvalidArgumentsException, IOException {
    securityContext.assertCredentialsNotExpired();
    // NOTE(review): the checks visible here are credential expiry and self-deletion only; no admin
    // or role check appears in this method, so authorization to remove other accounts must be
    // enforced elsewhere - confirm.
    boolean targetsCaller = securityContext.subject().hasUsername( username );
    if ( targetsCaller ) {
        // The supplied username is echoed verbatim in the error message.
        throw new InvalidArgumentsException( "Deleting yourself (user '" + username + "') is not allowed." );
    }
    userManager.deleteUser( username );
}
/**
 * Calls the named procedure under an OverriddenAccessMode built from the transaction's current
 * mode and {@code AccessMode.Static.TOKEN_WRITE}.
 *
 * @param name qualified name of the procedure
 * @param arguments arguments handed to the procedure
 * @return the iterator returned by {@code callProcedure}
 * @throws ProcedureException propagated from {@code callProcedure}
 */
@Override
public RawIterator<Object[],ProcedureException> procedureCallWriteOverride( QualifiedName name, Object[] arguments )
        throws ProcedureException {
    // NOTE(review): no check of the caller's own mode is visible before the override is applied;
    // presumably the override replaces rather than narrows that mode - confirm which callers can
    // reach this entry point.
    OverriddenAccessMode tokenWriteMode =
            new OverriddenAccessMode( ktx.securityContext().mode(), AccessMode.Static.TOKEN_WRITE );
    return callProcedure( name, arguments, tokenWriteMode );
}
/**
 * Rejects callers whose security context is not an admin context.
 *
 * @param securityContext context of the caller; must not be null (a null value fails with a NullPointerException)
 * @param procedureName name inserted verbatim into the error message
 * @throws RuntimeException if {@code securityContext.isAdmin()} returns false
 */
public static void checkAdmin(SecurityContext securityContext, String procedureName) {
    if (securityContext.isAdmin()) {
        return;
    }
    throw new RuntimeException("This procedure "+ procedureName +" is only available to admin users");
}
/**
 * Creates the aggregation function with the given id while the transaction's security context is
 * temporarily replaced by a copy carrying {@code mode}.
 *
 * @param id id of the aggregation function
 * @param mode access mode applied to the copied security context
 * @return the aggregator created by {@code procedures.createAggregationFunction}
 * @throws ProcedureException declared by this method; presumably propagated from the creation call - confirm
 */
private UserAggregator aggregationFunction( int id, final AccessMode mode ) throws ProcedureException {
    ktx.assertOpen();
    SecurityContext scoped = ktx.securityContext().withMode( mode );
    // try-with-resources closes the Revertable on every exit path, including exceptions;
    // presumably closing it restores the previous security context - confirm.
    try ( KernelTransaction.Revertable ignored = ktx.overrideWith( scoped ) ) {
        // NOTE(review): the aggregator is returned after the override has been closed; whether its
        // later calls still run under `mode` depends on prepareContext( scoped ) - confirm.
        UserAggregator aggregator = procedures.createAggregationFunction( prepareContext( scoped ), id );
        return aggregator;
    }
}
/** Checks that a context copied with the WRITE mode names that mode in its description. */
@Test
public void shouldMakeNiceDescriptionWithMode() {
    SecurityContext writeContext = context.withMode( AccessMode.Static.WRITE );
    String expectedText = "user 'johan' with WRITE";
    assertThat( writeContext.description(), equalTo( expectedText ) );
}
/** Checks the description text of the unmodified fixture context. */
@Test
public void shouldMakeNiceDescription() {
    String expectedText = "user 'johan' with FULL";
    assertThat( context.description(), equalTo( expectedText ) );
}
/**
 * Calls the function with the given id after checking that the transaction's access mode allows
 * reads; the call itself runs under a RestrictedAccessMode built from the current mode and
 * {@code AccessMode.Static.READ}.
 *
 * @param id id of the function
 * @param arguments arguments handed to the function
 * @return the value returned by {@code callFunction}
 * @throws ProcedureException declared by this method; presumably propagated from {@code callFunction} - confirm
 */
@Override
public AnyValue functionCall( int id, AnyValue[] arguments ) throws ProcedureException {
    // Deny first: a mode without read access never reaches the function.
    if ( !ktx.securityContext().mode().allowsReads() ) {
        AccessMode deniedMode = ktx.securityContext().mode();
        String reason = format( "Read operations are not allowed for %s.", ktx.securityContext().description() );
        throw deniedMode.onViolation( reason );
    }
    // NOTE(review): the security context is fetched again for each step rather than captured once;
    // this assumes it does not change between the check and the call - confirm.
    RestrictedAccessMode readOnly = new RestrictedAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ );
    return callFunction( id, arguments, readOnly );
}
/**
 * Returns the username of the subject attached to the transaction's security context.
 *
 * <p>No null handling is present: this assumes the transaction always carries a security context
 * with a subject - confirm against the callers.
 *
 * @return the subject's username
 */
@Override
public String username() {
    return transaction
            .securityContext()
            .subject()
            .username();
}
/**
 * Gate for admin-only operations: checks credential expiry first, then requires an admin context.
 *
 * @throws AuthorizationViolationException with {@code PERMISSION_DENIED} when the context is not admin
 */
private void checkSecurity() throws AuthorizationViolationException {
    // The expiry check runs before the admin check, so it applies to admin contexts as well.
    securityContext.assertCredentialsNotExpired();
    if ( securityContext.isAdmin() ) {
        return;
    }
    throw new AuthorizationViolationException( PERMISSION_DENIED );
}
/**
 * Removes the named account via the user manager; a request naming the caller's own account is rejected.
 *
 * @param username name of the account to remove
 * @throws InvalidArgumentsException if the caller's subject has this username
 * @throws IOException declared by this procedure; presumably raised by the user manager - confirm
 */
@Description( "Delete the specified user." )
@Procedure( name = "dbms.security.deleteUser", mode = DBMS )
public void deleteUser( @Name( "username" ) String username ) throws InvalidArgumentsException, IOException {
    securityContext.assertCredentialsNotExpired();
    // NOTE(review): only credential expiry and self-deletion are checked in this method; it
    // contains no admin or role check, so permission to delete other users must be enforced
    // outside it - confirm.
    boolean isSelf = securityContext.subject().hasUsername( username );
    if ( !isSelf ) {
        userManager.deleteUser( username );
        return;
    }
    // The caller-supplied name appears verbatim in the error text.
    throw new InvalidArgumentsException( "Deleting yourself (user '" + username + "') is not allowed." );
}
/**
 * Checks that restricting the AUTH_DISABLED context to READ is reflected in its description.
 */
@Test
public void shouldMakeNiceDescriptionAuthDisabledAndRestricted() {
    SecurityContext authDisabled = SecurityContext.AUTH_DISABLED;
    RestrictedAccessMode readRestriction = new RestrictedAccessMode( authDisabled.mode(), AccessMode.Static.READ );
    SecurityContext narrowed = authDisabled.withMode( readRestriction );
    String expectedText = "AUTH_DISABLED with FULL restricted to READ";
    assertThat( narrowed.description(), equalTo( expectedText ) );
}
/**
 * Calls the procedure with the given id under an OverriddenAccessMode built from the transaction's
 * current mode and {@code AccessMode.Static.READ}.
 *
 * @param id id of the procedure
 * @param arguments arguments handed to the procedure
 * @return the iterator returned by {@code callProcedure}
 * @throws ProcedureException propagated from {@code callProcedure}
 */
@Override
public RawIterator<Object[],ProcedureException> procedureCallReadOverride( int id, Object[] arguments )
        throws ProcedureException {
    // NOTE(review): the caller's own mode is not checked here before the override is applied;
    // presumably the override replaces rather than narrows it - confirm which callers can reach
    // this entry point.
    OverriddenAccessMode readMode =
            new OverriddenAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ );
    return callProcedure( id, arguments, readMode );
}