Search in sources :

Example 1 with Permission

use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.

the class UserPermissionMigrationPeriodical method doRun.

@Override
public void doRun() {
    final List<User> users = userService.loadAll();
    final String adminRoleId = roleService.getAdminRoleObjectId();
    final String readerRoleId = roleService.getReaderRoleObjectId();
    for (User user : users) {
        if (user.isLocalAdmin()) {
            log.debug("Skipping local admin user.");
            continue;
        }
        final Set<String> fixedPermissions = Sets.newHashSet();
        final Set<String> fixedRoleIds = Sets.newHashSet(user.getRoleIds());
        final Set<String> permissionSet = Sets.newHashSet(user.getPermissions());
        boolean hasWildcardPermission = permissionSet.contains("*");
        if (hasWildcardPermission && !user.getRoleIds().contains(adminRoleId)) {
            // need to add the admin role to this user
            fixedRoleIds.add(adminRoleId);
        }
        final Set<String> basePermissions = permissions.readerPermissions(user.getName());
        final boolean hasCompleteReaderSet = permissionSet.containsAll(basePermissions);
        //   - it has the wildcard permissions
        if (!user.getRoleIds().isEmpty() && hasCompleteReaderSet && hasWildcardPermission) {
            log.debug("Not migrating user {}, it has already been migrated.", user.getName());
            continue;
        }
        if (hasCompleteReaderSet && !user.getRoleIds().contains(readerRoleId)) {
            // need to add the reader role to this user
            fixedRoleIds.add(readerRoleId);
        }
        // filter out the individual permissions to dashboards and streams
        final List<String> dashboardStreamPermissions = Lists.newArrayList(Sets.filter(permissionSet, permission -> !basePermissions.contains(permission) && !"*".equals(permission)));
        // add the minimal permission set back to the user
        fixedPermissions.addAll(permissions.userSelfEditPermissions(user.getName()));
        fixedPermissions.addAll(dashboardStreamPermissions);
        log.info("Migrating permissions to roles for user {} from permissions {} and roles {} to new permissions {} and roles {}", user.getName(), permissionSet, user.getRoleIds(), fixedPermissions, fixedRoleIds);
        user.setRoleIds(fixedRoleIds);
        user.setPermissions(Lists.newArrayList(fixedPermissions));
        try {
            userService.save(user);
        } catch (ValidationException e) {
            log.error("Unable to migrate user permissions for user " + user.getName(), e);
        }
    }
    log.info("Marking user permission migration as done.");
    clusterConfigService.write(UserPermissionMigrationState.create(true));
}
Also used : Logger(org.slf4j.Logger) RoleService(org.graylog2.users.RoleService) LoggerFactory(org.slf4j.LoggerFactory) Set(java.util.Set) Sets(com.google.common.collect.Sets) Inject(javax.inject.Inject) Periodical(org.graylog2.plugin.periodical.Periodical) List(java.util.List) Lists(com.google.common.collect.Lists) ClusterConfigService(org.graylog2.plugin.cluster.ClusterConfigService) UserService(org.graylog2.shared.users.UserService) Predicate(com.google.common.base.Predicate) ValidationException(org.graylog2.plugin.database.ValidationException) UserPermissionMigrationState(org.graylog2.cluster.UserPermissionMigrationState) User(org.graylog2.plugin.database.users.User) Permissions(org.graylog2.shared.security.Permissions) User(org.graylog2.plugin.database.users.User) ValidationException(org.graylog2.plugin.database.ValidationException)

Example 2 with Permission

use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.

the class SystemJobResource method list.

@GET
@Timed
@ApiOperation(value = "List currently running jobs")
@Produces(MediaType.APPLICATION_JSON)
public Map<String, List<SystemJobSummary>> list() {
    final List<SystemJobSummary> jobs = Lists.newArrayListWithCapacity(systemJobManager.getRunningJobs().size());
    for (Map.Entry<String, SystemJob> entry : systemJobManager.getRunningJobs().entrySet()) {
        // TODO jobId is ephemeral, this is not a good key for permission checks. we should use the name of the job type (but there is no way to get it yet)
        if (isPermitted(RestPermissions.SYSTEMJOBS_READ, entry.getKey())) {
            final SystemJob systemJob = entry.getValue();
            jobs.add(SystemJobSummary.create(UUID.fromString(systemJob.getId()), systemJob.getDescription(), systemJob.getClassName(), systemJob.getInfo(), nodeId.toString(), systemJob.getStartedAt(), systemJob.getProgress(), systemJob.isCancelable(), systemJob.providesProgress()));
        }
    }
    return ImmutableMap.of("jobs", jobs);
}
Also used : SystemJob(org.graylog2.system.jobs.SystemJob) SystemJobSummary(org.graylog2.rest.models.system.SystemJobSummary) Map(java.util.Map) ImmutableMap(com.google.common.collect.ImmutableMap) Produces(javax.ws.rs.Produces) Timed(com.codahale.metrics.annotation.Timed) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation)

Example 3 with Permission

use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.

the class UsersResource method get.

@GET
@Path("{username}")
@ApiOperation(value = "Get user details", notes = "The user's permissions are only included if a user asks for his " + "own account or for users with the necessary permissions to edit permissions.")
@ApiResponses({ @ApiResponse(code = 404, message = "The user could not be found.") })
public UserSummary get(@ApiParam(name = "username", value = "The username to return information for.", required = true) @PathParam("username") String username) {
    final User user = userService.load(username);
    if (user == null) {
        throw new NotFoundException("Couldn't find user " + username);
    }
    // if the requested username does not match the authenticated user, then we don't return permission information
    final boolean allowedToSeePermissions = isPermitted(USERS_PERMISSIONSEDIT, username);
    final boolean permissionsAllowed = getSubject().getPrincipal().toString().equals(username) || allowedToSeePermissions;
    return toUserResponse(user, permissionsAllowed, Optional.empty());
}
Also used : User(org.graylog2.plugin.database.users.User) NotFoundException(javax.ws.rs.NotFoundException) Path(javax.ws.rs.Path) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 4 with Permission

use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.

the class UsersResource method savePreferences.

@PUT
@Path("{username}/preferences")
@ApiOperation("Update a user's preferences set.")
@ApiResponses({ @ApiResponse(code = 400, message = "Missing or invalid permission data.") })
@AuditEvent(type = AuditEventTypes.USER_PREFERENCES_UPDATE)
public void savePreferences(@ApiParam(name = "username", value = "The name of the user to modify.", required = true) @PathParam("username") String username, @ApiParam(name = "JSON body", value = "The map of preferences to assign to the user.", required = true) UpdateUserPreferences preferencesRequest) throws ValidationException {
    final User user = userService.load(username);
    checkPermission(RestPermissions.USERS_EDIT, username);
    if (user == null) {
        throw new NotFoundException("Couldn't find user " + username);
    }
    user.setPreferences(preferencesRequest.preferences());
    userService.save(user);
}
Also used : User(org.graylog2.plugin.database.users.User) NotFoundException(javax.ws.rs.NotFoundException) Path(javax.ws.rs.Path) ApiOperation(io.swagger.annotations.ApiOperation) AuditEvent(org.graylog2.audit.jersey.AuditEvent) PUT(javax.ws.rs.PUT) ApiResponses(io.swagger.annotations.ApiResponses)

Example 5 with Permission

use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.

the class PermissionsTest method testPluginPermissions.

@Test
public void testPluginPermissions() throws Exception {
    final ImmutableSet<Permission> pluginPermissions = ImmutableSet.of(Permission.create("foo:bar", "bar"), Permission.create("foo:baz", "baz"), Permission.create("hello:world", "hello"));
    final PermissionsPluginPermissions plugin = new PermissionsPluginPermissions(pluginPermissions);
    final Permissions permissions = new Permissions(ImmutableSet.of(restPermissions, plugin));
    assertThat(permissions.allPermissionsMap().get("foo")).containsOnly("bar", "baz");
    assertThat(permissions.allPermissionsMap().get("hello")).containsOnly("world");
}
Also used : Permission(org.graylog2.plugin.security.Permission) PluginPermissions(org.graylog2.plugin.security.PluginPermissions) Test(org.junit.Test)

Aggregations

ApiOperation (io.swagger.annotations.ApiOperation)6 ApiResponses (io.swagger.annotations.ApiResponses)5 NotFoundException (javax.ws.rs.NotFoundException)4 Path (javax.ws.rs.Path)4 User (org.graylog2.plugin.database.users.User)4 Timed (com.codahale.metrics.annotation.Timed)3 GET (javax.ws.rs.GET)3 Produces (javax.ws.rs.Produces)3 AuditEvent (org.graylog2.audit.jersey.AuditEvent)3 PUT (javax.ws.rs.PUT)2 SystemJob (org.graylog2.system.jobs.SystemJob)2 Predicate (com.google.common.base.Predicate)1 ImmutableMap (com.google.common.collect.ImmutableMap)1 Lists (com.google.common.collect.Lists)1 Sets (com.google.common.collect.Sets)1 URI (java.net.URI)1 List (java.util.List)1 Map (java.util.Map)1 Set (java.util.Set)1 Inject (javax.inject.Inject)1