use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class UserPermissionMigrationPeriodical method doRun.
@Override
public void doRun() {
final List<User> users = userService.loadAll();
final String adminRoleId = roleService.getAdminRoleObjectId();
final String readerRoleId = roleService.getReaderRoleObjectId();
for (User user : users) {
if (user.isLocalAdmin()) {
log.debug("Skipping local admin user.");
continue;
}
final Set<String> fixedPermissions = Sets.newHashSet();
final Set<String> fixedRoleIds = Sets.newHashSet(user.getRoleIds());
final Set<String> permissionSet = Sets.newHashSet(user.getPermissions());
boolean hasWildcardPermission = permissionSet.contains("*");
if (hasWildcardPermission && !user.getRoleIds().contains(adminRoleId)) {
// need to add the admin role to this user
fixedRoleIds.add(adminRoleId);
}
final Set<String> basePermissions = permissions.readerPermissions(user.getName());
final boolean hasCompleteReaderSet = permissionSet.containsAll(basePermissions);
// - it has the wildcard permissions
if (!user.getRoleIds().isEmpty() && hasCompleteReaderSet && hasWildcardPermission) {
log.debug("Not migrating user {}, it has already been migrated.", user.getName());
continue;
}
if (hasCompleteReaderSet && !user.getRoleIds().contains(readerRoleId)) {
// need to add the reader role to this user
fixedRoleIds.add(readerRoleId);
}
// filter out the individual permissions to dashboards and streams
final List<String> dashboardStreamPermissions = Lists.newArrayList(Sets.filter(permissionSet, permission -> !basePermissions.contains(permission) && !"*".equals(permission)));
// add the minimal permission set back to the user
fixedPermissions.addAll(permissions.userSelfEditPermissions(user.getName()));
fixedPermissions.addAll(dashboardStreamPermissions);
log.info("Migrating permissions to roles for user {} from permissions {} and roles {} to new permissions {} and roles {}", user.getName(), permissionSet, user.getRoleIds(), fixedPermissions, fixedRoleIds);
user.setRoleIds(fixedRoleIds);
user.setPermissions(Lists.newArrayList(fixedPermissions));
try {
userService.save(user);
} catch (ValidationException e) {
log.error("Unable to migrate user permissions for user " + user.getName(), e);
}
}
log.info("Marking user permission migration as done.");
clusterConfigService.write(UserPermissionMigrationState.create(true));
}
use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class LdapUserAuthenticator method updateFromLdap.
private void updateFromLdap(User user, LdapEntry userEntry, LdapSettings ldapSettings, String username) {
final String displayNameAttribute = ldapSettings.getDisplayNameAttribute();
final String fullName = firstNonNull(userEntry.get(displayNameAttribute), username);
user.setName(username);
user.setFullName(fullName);
user.setExternal(true);
if (user.getTimeZone() == null) {
user.setTimeZone(rootTimeZone);
}
final String email = userEntry.getEmail();
if (isNullOrEmpty(email)) {
LOG.debug("No email address found for user {} in LDAP. Using {}@localhost", username, username);
user.setEmail(username + "@localhost");
} else {
user.setEmail(email);
}
// TODO This is a crude hack until we have a proper way to distinguish LDAP users from normal users
if (isNullOrEmpty(user.getHashedPassword())) {
((UserImpl) user).setHashedPassword("User synced from LDAP.");
}
// map ldap groups to user roles, if the mapping is present
final Set<String> translatedRoleIds = Sets.newHashSet(Sets.union(Sets.newHashSet(ldapSettings.getDefaultGroupId()), ldapSettings.getAdditionalDefaultGroupIds()));
if (!userEntry.getGroups().isEmpty()) {
// ldap search returned groups, these always override the ones set on the user
try {
final Map<String, Role> roleNameToRole = roleService.loadAllLowercaseNameMap();
for (String ldapGroupName : userEntry.getGroups()) {
final String roleName = ldapSettings.getGroupMapping().get(ldapGroupName);
if (roleName == null) {
LOG.debug("User {}: No group mapping for ldap group <{}>", username, ldapGroupName);
continue;
}
final Role role = roleNameToRole.get(roleName.toLowerCase(Locale.ENGLISH));
if (role != null) {
LOG.debug("User {}: Mapping ldap group <{}> to role <{}>", username, ldapGroupName, role.getName());
translatedRoleIds.add(role.getId());
} else {
LOG.warn("User {}: No role found for ldap group <{}>", username, ldapGroupName);
}
}
} catch (NotFoundException e) {
LOG.error("Unable to load user roles", e);
}
} else if (ldapSettings.getGroupMapping().isEmpty() || ldapSettings.getGroupSearchBase().isEmpty() || ldapSettings.getGroupSearchPattern().isEmpty() || ldapSettings.getGroupIdAttribute().isEmpty()) {
// no group mapping or configuration set, we'll leave the previously set groups alone on sync
// when first creating the user these will be empty
translatedRoleIds.addAll(user.getRoleIds());
}
user.setRoleIds(translatedRoleIds);
// preserve the raw permissions (the ones without the synthetic self-edit permissions or the "*" admin one)
user.setPermissions(user.getPermissions());
}
use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class LdapResource method updateGroupMappingSettings.
@PUT
@RequiresPermissions(value = { RestPermissions.LDAPGROUPS_EDIT, RestPermissions.LDAP_EDIT }, logical = OR)
@ApiOperation(value = "Update the LDAP group to Graylog role mapping", notes = "Corresponds directly to the output of GET /system/ldap/settings/groups")
@Path("/settings/groups")
@Consumes(MediaType.APPLICATION_JSON)
@AuditEvent(type = AuditEventTypes.LDAP_GROUP_MAPPING_UPDATE)
public Response updateGroupMappingSettings(@ApiParam(name = "JSON body", required = true, value = "A hash in which the keys are the LDAP group names and values is the Graylog role name.") @NotNull Map<String, String> groupMapping) throws ValidationException {
final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
ldapSettings.setGroupMapping(groupMapping);
ldapSettingsService.save(ldapSettings);
return Response.noContent().build();
}
use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class ViewSharingToGrantsMigration method migrateRoles.
private void migrateRoles(String viewId, Collection<String> roleNames) {
final GRN target = getTarget(viewId);
LOG.info("Migrate roles for view <{}> to grants: {}", target, roleNames);
final Set<Role> roles = roleNames.stream().map(roleName -> {
try {
return Optional.of(roleService.load(roleName));
} catch (NotFoundException e) {
return Optional.<Role>empty();
}
}).filter(Optional::isPresent).map(Optional::get).collect(Collectors.toSet());
for (final Role role : roles) {
for (final User user : userService.loadAllForRole(role)) {
ensureGrant(user, target);
}
}
}
use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class MongoDbAuthorizationRealm method doGetAuthorizationInfo.
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
LOG.debug("Retrieving authorization information for: {}", principals);
// This realm can handle both, user String principals and GRN principals.
final GRN principal = getUserPrincipal(principals).orElseGet(() -> getGRNPrincipal(principals).orElse(null));
if (principal == null) {
return new SimpleAuthorizationInfo();
}
LOG.debug("GRN principal: {}", principal);
final ImmutableSet.Builder<Permission> permissionsBuilder = ImmutableSet.builder();
final ImmutableSet.Builder<String> rolesBuilder = ImmutableSet.builder();
// Resolve grant permissions and roles for the GRN
permissionsBuilder.addAll(permissionAndRoleResolver.resolvePermissionsForPrincipal(principal));
rolesBuilder.addAll(permissionAndRoleResolver.resolveRolesForPrincipal(principal));
if (GRNTypes.USER.equals(principal.grnType())) {
// If the principal is a user, we also need to load permissions and roles from the user object
final User user = userService.loadById(principal.entity());
if (user != null) {
final Set<Permission> userPermissions = user.getObjectPermissions();
permissionsBuilder.addAll(userPermissions);
rolesBuilder.addAll(user.getRoleIds());
} else {
LOG.warn("User <{}> not found for permission and role resolving", principal);
}
}
final SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.setObjectPermissions(permissionsBuilder.build());
info.setRoles(rolesBuilder.build());
if (LOG.isDebugEnabled()) {
LOG.debug("Authorization info for {} - permissions: {}", principal, info.getObjectPermissions());
LOG.debug("Authorization info for {} - roles: {}", principal, info.getRoles());
}
return info;
}
Aggregations