Example 1 with Role
use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class UserPermissionMigrationPeriodical method doRun.
@Override
public void doRun() {
final List<User> users = userService.loadAll();
final String adminRoleId = roleService.getAdminRoleObjectId();
final String readerRoleId = roleService.getReaderRoleObjectId();
for (User user : users) {
if (user.isLocalAdmin()) {
log.debug("Skipping local admin user.");
continue;
}
final Set<String> fixedPermissions = Sets.newHashSet();
final Set<String> fixedRoleIds = Sets.newHashSet(user.getRoleIds());
final Set<String> permissionSet = Sets.newHashSet(user.getPermissions());
boolean hasWildcardPermission = permissionSet.contains("*");
if (hasWildcardPermission && !user.getRoleIds().contains(adminRoleId)) {
// need to add the admin role to this user
fixedRoleIds.add(adminRoleId);
}
final Set<String> basePermissions = permissions.readerPermissions(user.getName());
final boolean hasCompleteReaderSet = permissionSet.containsAll(basePermissions);
// - it has the wildcard permissions
if (!user.getRoleIds().isEmpty() && hasCompleteReaderSet && hasWildcardPermission) {
log.debug("Not migrating user {}, it has already been migrated.", user.getName());
continue;
}
if (hasCompleteReaderSet && !user.getRoleIds().contains(readerRoleId)) {
// need to add the reader role to this user
fixedRoleIds.add(readerRoleId);
}
// filter out the individual permissions to dashboards and streams
final List<String> dashboardStreamPermissions = Lists.newArrayList(Sets.filter(permissionSet, permission -> !basePermissions.contains(permission) && !"*".equals(permission)));
// add the minimal permission set back to the user
fixedPermissions.addAll(permissions.userSelfEditPermissions(user.getName()));
fixedPermissions.addAll(dashboardStreamPermissions);
log.info("Migrating permissions to roles for user {} from permissions {} and roles {} to new permissions {} and roles {}", user.getName(), permissionSet, user.getRoleIds(), fixedPermissions, fixedRoleIds);
user.setRoleIds(fixedRoleIds);
user.setPermissions(Lists.newArrayList(fixedPermissions));
try {
userService.save(user);
} catch (ValidationException e) {
log.error("Unable to migrate user permissions for user " + user.getName(), e);
}
}
log.info("Marking user permission migration as done.");
clusterConfigService.write(UserPermissionMigrationState.create(true));
}
Also used :
Logger(org.slf4j.Logger)
RoleService(org.graylog2.users.RoleService)
LoggerFactory(org.slf4j.LoggerFactory)
Set(java.util.Set)
Sets(com.google.common.collect.Sets)
Inject(javax.inject.Inject)
Periodical(org.graylog2.plugin.periodical.Periodical)
List(java.util.List)
Lists(com.google.common.collect.Lists)
ClusterConfigService(org.graylog2.plugin.cluster.ClusterConfigService)
UserService(org.graylog2.shared.users.UserService)
Predicate(com.google.common.base.Predicate)
ValidationException(org.graylog2.plugin.database.ValidationException)
UserPermissionMigrationState(org.graylog2.cluster.UserPermissionMigrationState)
User(org.graylog2.plugin.database.users.User)
Permissions(org.graylog2.shared.security.Permissions)
User(org.graylog2.plugin.database.users.User)
ValidationException(org.graylog2.plugin.database.ValidationException)
Example 2 with Role
use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class LdapUserAuthenticator method updateFromLdap.
private void updateFromLdap(User user, LdapEntry userEntry, LdapSettings ldapSettings, String username) {
final String displayNameAttribute = ldapSettings.getDisplayNameAttribute();
final String fullName = firstNonNull(userEntry.get(displayNameAttribute), username);
user.setName(username);
user.setFullName(fullName);
user.setExternal(true);
if (user.getTimeZone() == null) {
user.setTimeZone(rootTimeZone);
}
final String email = userEntry.getEmail();
if (isNullOrEmpty(email)) {
LOG.debug("No email address found for user {} in LDAP. Using {}@localhost", username, username);
user.setEmail(username + "@localhost");
} else {
user.setEmail(email);
}
// TODO This is a crude hack until we have a proper way to distinguish LDAP users from normal users
if (isNullOrEmpty(user.getHashedPassword())) {
((UserImpl) user).setHashedPassword("User synced from LDAP.");
}
// map ldap groups to user roles, if the mapping is present
final Set<String> translatedRoleIds = Sets.newHashSet(Sets.union(Sets.newHashSet(ldapSettings.getDefaultGroupId()), ldapSettings.getAdditionalDefaultGroupIds()));
if (!userEntry.getGroups().isEmpty()) {
// ldap search returned groups, these always override the ones set on the user
try {
final Map<String, Role> roleNameToRole = roleService.loadAllLowercaseNameMap();
for (String ldapGroupName : userEntry.getGroups()) {
final String roleName = ldapSettings.getGroupMapping().get(ldapGroupName);
if (roleName == null) {
LOG.debug("User {}: No group mapping for ldap group <{}>", username, ldapGroupName);
continue;
}
final Role role = roleNameToRole.get(roleName.toLowerCase(Locale.ENGLISH));
if (role != null) {
LOG.debug("User {}: Mapping ldap group <{}> to role <{}>", username, ldapGroupName, role.getName());
translatedRoleIds.add(role.getId());
} else {
LOG.warn("User {}: No role found for ldap group <{}>", username, ldapGroupName);
}
}
} catch (NotFoundException e) {
LOG.error("Unable to load user roles", e);
}
} else if (ldapSettings.getGroupMapping().isEmpty() || ldapSettings.getGroupSearchBase().isEmpty() || ldapSettings.getGroupSearchPattern().isEmpty() || ldapSettings.getGroupIdAttribute().isEmpty()) {
// no group mapping or configuration set, we'll leave the previously set groups alone on sync
// when first creating the user these will be empty
translatedRoleIds.addAll(user.getRoleIds());
}
user.setRoleIds(translatedRoleIds);
// preserve the raw permissions (the ones without the synthetic self-edit permissions or the "*" admin one)
user.setPermissions(user.getPermissions());
}
Also used :
Role(org.graylog2.shared.users.Role)
UserImpl(org.graylog2.users.UserImpl)
NotFoundException(org.graylog2.database.NotFoundException)
Example 3 with Role
use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class LdapResource method updateGroupMappingSettings.
@PUT
@RequiresPermissions(value = { RestPermissions.LDAPGROUPS_EDIT, RestPermissions.LDAP_EDIT }, logical = OR)
@ApiOperation(value = "Update the LDAP group to Graylog role mapping", notes = "Corresponds directly to the output of GET /system/ldap/settings/groups")
@Path("/settings/groups")
@Consumes(MediaType.APPLICATION_JSON)
@AuditEvent(type = AuditEventTypes.LDAP_GROUP_MAPPING_UPDATE)
public Response updateGroupMappingSettings(@ApiParam(name = "JSON body", required = true, value = "A hash in which the keys are the LDAP group names and values is the Graylog role name.") @NotNull Map<String, String> groupMapping) throws ValidationException {
final LdapSettings ldapSettings = firstNonNull(ldapSettingsService.load(), ldapSettingsFactory.createEmpty());
ldapSettings.setGroupMapping(groupMapping);
ldapSettingsService.save(ldapSettings);
return Response.noContent().build();
}
Also used :
LdapSettings(org.graylog2.shared.security.ldap.LdapSettings)
Path(javax.ws.rs.Path)
RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions)
Consumes(javax.ws.rs.Consumes)
ApiOperation(io.swagger.annotations.ApiOperation)
NoAuditEvent(org.graylog2.audit.jersey.NoAuditEvent)
AuditEvent(org.graylog2.audit.jersey.AuditEvent)
PUT(javax.ws.rs.PUT)
Example 4 with Role
use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class ViewSharingToGrantsMigration method migrateRoles.
private void migrateRoles(String viewId, Collection<String> roleNames) {
final GRN target = getTarget(viewId);
LOG.info("Migrate roles for view <{}> to grants: {}", target, roleNames);
final Set<Role> roles = roleNames.stream().map(roleName -> {
try {
return Optional.of(roleService.load(roleName));
} catch (NotFoundException e) {
return Optional.<Role>empty();
}
}).filter(Optional::isPresent).map(Optional::get).collect(Collectors.toSet());
for (final Role role : roles) {
for (final User user : userService.loadAllForRole(role)) {
ensureGrant(user, target);
}
}
}
Also used :
Role(org.graylog2.shared.users.Role)
Document(org.bson.Document)
MongoCollection(com.mongodb.client.MongoCollection)
Capability(org.graylog.security.Capability)
RoleService(org.graylog2.users.RoleService)
LoggerFactory(org.slf4j.LoggerFactory)
GRNRegistry(org.graylog.grn.GRNRegistry)
ViewDTO(org.graylog.plugins.views.search.views.ViewDTO)
Filters(com.mongodb.client.model.Filters)
DBGrantService(org.graylog.security.DBGrantService)
Named(javax.inject.Named)
NotFoundException(org.graylog2.database.NotFoundException)
Logger(org.slf4j.Logger)
GRNTypes(org.graylog.grn.GRNTypes)
Collection(java.util.Collection)
Set(java.util.Set)
GRNType(org.graylog.grn.GRNType)
Collectors(java.util.stream.Collectors)
GRN(org.graylog.grn.GRN)
Objects(java.util.Objects)
UserService(org.graylog2.shared.users.UserService)
ObjectId(org.bson.types.ObjectId)
Optional(java.util.Optional)
ViewService(org.graylog.plugins.views.search.views.ViewService)
MongoConnection(org.graylog2.database.MongoConnection)
User(org.graylog2.plugin.database.users.User)
Role(org.graylog2.shared.users.Role)
GRN(org.graylog.grn.GRN)
User(org.graylog2.plugin.database.users.User)
Optional(java.util.Optional)
NotFoundException(org.graylog2.database.NotFoundException)
Example 5 with Role
use of org.graylog2.shared.users.Role in project graylog2-server by Graylog2.
the class MongoDbAuthorizationRealm method doGetAuthorizationInfo.
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
LOG.debug("Retrieving authorization information for: {}", principals);
// This realm can handle both, user String principals and GRN principals.
final GRN principal = getUserPrincipal(principals).orElseGet(() -> getGRNPrincipal(principals).orElse(null));
if (principal == null) {
return new SimpleAuthorizationInfo();
}
LOG.debug("GRN principal: {}", principal);
final ImmutableSet.Builder<Permission> permissionsBuilder = ImmutableSet.builder();
final ImmutableSet.Builder<String> rolesBuilder = ImmutableSet.builder();
// Resolve grant permissions and roles for the GRN
permissionsBuilder.addAll(permissionAndRoleResolver.resolvePermissionsForPrincipal(principal));
rolesBuilder.addAll(permissionAndRoleResolver.resolveRolesForPrincipal(principal));
if (GRNTypes.USER.equals(principal.grnType())) {
// If the principal is a user, we also need to load permissions and roles from the user object
final User user = userService.loadById(principal.entity());
if (user != null) {
final Set<Permission> userPermissions = user.getObjectPermissions();
permissionsBuilder.addAll(userPermissions);
rolesBuilder.addAll(user.getRoleIds());
} else {
LOG.warn("User <{}> not found for permission and role resolving", principal);
}
}
final SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.setObjectPermissions(permissionsBuilder.build());
info.setRoles(rolesBuilder.build());
if (LOG.isDebugEnabled()) {
LOG.debug("Authorization info for {} - permissions: {}", principal, info.getObjectPermissions());
LOG.debug("Authorization info for {} - roles: {}", principal, info.getRoles());
}
return info;
}
Also used :
GRN(org.graylog.grn.GRN)
SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo)
User(org.graylog2.plugin.database.users.User)
ImmutableSet(com.google.common.collect.ImmutableSet)
Permission(org.apache.shiro.authz.Permission)
Aggregations
Role (org.graylog2.shared.users.Role)22
User (org.graylog2.plugin.database.users.User)18
ApiOperation (io.swagger.annotations.ApiOperation)11
ValidationException (org.graylog2.plugin.database.ValidationException)10
Path (javax.ws.rs.Path)9
AuditEvent (org.graylog2.audit.jersey.AuditEvent)8
NotFoundException (org.graylog2.database.NotFoundException)8
Test (org.junit.Test)8
BadRequestException (javax.ws.rs.BadRequestException)7
ObjectId (org.bson.types.ObjectId)5
ImmutableSet (com.google.common.collect.ImmutableSet)4
DBObject (com.mongodb.DBObject)4
DELETE (javax.ws.rs.DELETE)4
GET (javax.ws.rs.GET)4
RequiresPermissions (org.apache.shiro.authz.annotation.RequiresPermissions)4
GRN (org.graylog.grn.GRN)4
RoleImpl (org.graylog2.users.RoleImpl)4
List (java.util.List)3
Optional (java.util.Optional)3
Set (java.util.Set)3
