use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.
the class UserPermissionMigrationPeriodical method doRun.
/**
 * Migrates users from directly assigned permissions to role membership.
 *
 * For every user that is not the local admin:
 * - a user holding the wildcard permission "*" gets the admin role added,
 * - a user holding the complete reader permission set gets the reader role added,
 * - the direct permissions are rewritten to the self-edit permissions plus every
 *   permission that is neither in the reader set nor the wildcard.
 *
 * After the loop the migration is recorded as done in the cluster configuration.
 */
@Override
public void doRun() {
    final List<User> users = userService.loadAll();
    final String adminRoleId = roleService.getAdminRoleObjectId();
    final String readerRoleId = roleService.getReaderRoleObjectId();
    for (User user : users) {
        // The local admin account is left untouched by the migration.
        if (user.isLocalAdmin()) {
            log.debug("Skipping local admin user.");
            continue;
        }
        // Work on copies; the user object is only modified right before it is saved.
        final Set<String> fixedPermissions = Sets.newHashSet();
        final Set<String> fixedRoleIds = Sets.newHashSet(user.getRoleIds());
        final Set<String> permissionSet = Sets.newHashSet(user.getPermissions());
        // "*" grants everything, so its holder is mapped onto the admin role.
        boolean hasWildcardPermission = permissionSet.contains("*");
        if (hasWildcardPermission && !user.getRoleIds().contains(adminRoleId)) {
            // need to add the admin role to this user
            fixedRoleIds.add(adminRoleId);
        }
        // Reader permission set for this user name, as returned by permissions.readerPermissions.
        final Set<String> basePermissions = permissions.readerPermissions(user.getName());
        final boolean hasCompleteReaderSet = permissionSet.containsAll(basePermissions);
        // A user that already has at least one role and still holds both the complete reader
        // set and the wildcard permission is treated as already migrated and is skipped.
        // NOTE(review): such a user is not saved, so it keeps the "*" permission and any admin
        // role added to fixedRoleIds above is discarded - confirm this is the intended outcome.
        if (!user.getRoleIds().isEmpty() && hasCompleteReaderSet && hasWildcardPermission) {
            log.debug("Not migrating user {}, it has already been migrated.", user.getName());
            continue;
        }
        if (hasCompleteReaderSet && !user.getRoleIds().contains(readerRoleId)) {
            // need to add the reader role to this user
            fixedRoleIds.add(readerRoleId);
        }
        // Keep every permission that is neither part of the reader set nor the wildcard; the
        // original comment describes these as the individual dashboard and stream permissions.
        final List<String> dashboardStreamPermissions = Lists.newArrayList(Sets.filter(permissionSet, permission -> !basePermissions.contains(permission) && !"*".equals(permission)));
        // add the minimal permission set back to the user
        fixedPermissions.addAll(permissions.userSelfEditPermissions(user.getName()));
        fixedPermissions.addAll(dashboardStreamPermissions);
        // The old and new permission and role sets are logged at INFO, which leaves a record of
        // every privilege change made by the migration.
        log.info("Migrating permissions to roles for user {} from permissions {} and roles {} to new permissions {} and roles {}", user.getName(), permissionSet, user.getRoleIds(), fixedPermissions, fixedRoleIds);
        user.setRoleIds(fixedRoleIds);
        user.setPermissions(Lists.newArrayList(fixedPermissions));
        try {
            userService.save(user);
        } catch (ValidationException e) {
            // A failed save is logged and the loop moves on to the next user.
            log.error("Unable to migrate user permissions for user " + user.getName(), e);
        }
    }
    // NOTE(review): the done flag is written even when some saves failed above. Those users keep
    // their old stored permissions (including any "*"); if this flag prevents later runs they
    // are never retried - confirm against the code that reads UserPermissionMigrationState.
    log.info("Marking user permission migration as done.");
    clusterConfigService.write(UserPermissionMigrationState.create(true));
}
use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.
the class SystemJobResource method list.
/**
 * Lists the running system jobs that the caller is permitted to read.
 *
 * Each running job is checked individually against SYSTEMJOBS_READ, using the key of the
 * running-jobs map as the permission instance; jobs that fail the check are left out of the
 * response rather than causing an error.
 *
 * @return a single-entry map with the key "jobs" holding the visible job summaries
 */
@GET
@Timed
@ApiOperation(value = "List currently running jobs")
@Produces(MediaType.APPLICATION_JSON)
public Map<String, List<SystemJobSummary>> list() {
    final int expectedSize = systemJobManager.getRunningJobs().size();
    final List<SystemJobSummary> visibleJobs = Lists.newArrayListWithCapacity(expectedSize);

    for (Map.Entry<String, SystemJob> running : systemJobManager.getRunningJobs().entrySet()) {
        // TODO jobId is ephemeral, this is not a good key for permission checks. we should use the name of the job type (but there is no way to get it yet)
        if (!isPermitted(RestPermissions.SYSTEMJOBS_READ, running.getKey())) {
            continue;
        }

        final SystemJob job = running.getValue();
        final SystemJobSummary summary = SystemJobSummary.create(
                UUID.fromString(job.getId()),
                job.getDescription(),
                job.getClassName(),
                job.getInfo(),
                nodeId.toString(),
                job.getStartedAt(),
                job.getProgress(),
                job.isCancelable(),
                job.providesProgress());
        visibleJobs.add(summary);
    }

    return ImmutableMap.of("jobs", visibleJobs);
}
use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.
the class UsersResource method get.
/**
 * Returns the summary of the named user.
 *
 * Permission details are included only when the caller is the requested user or holds
 * USERS_PERMISSIONSEDIT for that username; otherwise the summary is built without them.
 *
 * NOTE(review): no permission check on reading the user record itself is visible in this
 * method, and the 404 tells any caller who reaches it whether the username exists. Confirm
 * that a read check is applied elsewhere or is intentionally absent.
 *
 * @param username the username to look up
 * @return the user summary, with or without permission information
 * @throws NotFoundException if no user with that name exists
 */
@GET
@Path("{username}")
@ApiOperation(value = "Get user details", notes = "The user's permissions are only included if a user asks for his " + "own account or for users with the necessary permissions to edit permissions.")
@ApiResponses({ @ApiResponse(code = 404, message = "The user could not be found.") })
public UserSummary get(@ApiParam(name = "username", value = "The username to return information for.", required = true) @PathParam("username") String username) {
    final User requestedUser = userService.load(username);
    if (requestedUser == null) {
        throw new NotFoundException("Couldn't find user " + username);
    }

    // Permission information is disclosed to the account owner and to permission editors only.
    final boolean mayEditPermissions = isPermitted(USERS_PERMISSIONSEDIT, username);
    final String callerName = getSubject().getPrincipal().toString();
    final boolean isOwnAccount = callerName.equals(username);

    return toUserResponse(requestedUser, isOwnAccount || mayEditPermissions, Optional.empty());
}
use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.
the class UsersResource method savePreferences.
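/**
 * Replaces the stored preferences of the named user.
 *
 * The USERS_EDIT check for the target username runs before the user store is queried, so a
 * caller who fails the check never triggers a lookup, and the existence of the account is only
 * revealed (through the 404) to callers that passed it. This assumes checkPermission aborts the
 * request when the permission is missing - confirm against its definition.
 *
 * @param username           the name of the user to modify
 * @param preferencesRequest the preferences to assign to the user
 * @throws NotFoundException   if no user with that name exists
 * @throws ValidationException if the updated user cannot be saved
 */
@PUT
@Path("{username}/preferences")
@ApiOperation("Update a user's preferences set.")
@ApiResponses({ @ApiResponse(code = 400, message = "Missing or invalid permission data.") })
@AuditEvent(type = AuditEventTypes.USER_PREFERENCES_UPDATE)
public void savePreferences(@ApiParam(name = "username", value = "The name of the user to modify.", required = true) @PathParam("username") String username, @ApiParam(name = "JSON body", value = "The map of preferences to assign to the user.", required = true) UpdateUserPreferences preferencesRequest) throws ValidationException {
    // Authorize first: the check depends only on the username, not on the loaded record.
    checkPermission(RestPermissions.USERS_EDIT, username);

    final User user = userService.load(username);
    if (user == null) {
        throw new NotFoundException("Couldn't find user " + username);
    }

    // NOTE(review): preferencesRequest is dereferenced without a null check; confirm the
    // framework rejects a request with a missing body before this method is invoked.
    user.setPreferences(preferencesRequest.preferences());
    userService.save(user);
}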
use of org.graylog2.plugin.security.Permission in project graylog2-server by Graylog2.
the class PermissionsTest method testPluginPermissions.
/**
 * Verifies that permissions contributed by a plugin show up in the combined permission map,
 * keyed by the part before the colon with the part after it as the value.
 */
@Test
public void testPluginPermissions() throws Exception {
    final ImmutableSet<Permission> declared = ImmutableSet.of(
            Permission.create("foo:bar", "bar"),
            Permission.create("foo:baz", "baz"),
            Permission.create("hello:world", "hello"));

    // Combine the built-in REST permissions with the plugin-provided ones.
    final Permissions combined = new Permissions(
            ImmutableSet.of(restPermissions, new PermissionsPluginPermissions(declared)));

    assertThat(combined.allPermissionsMap().get("foo")).containsOnly("bar", "baz");
    assertThat(combined.allPermissionsMap().get("hello")).containsOnly("world");
}
Aggregations