
Example 1 with Roles

Use of org.graylog2.shared.users.Roles in the project graylog2-server by Graylog2.

From the class UserPermissionMigrationPeriodical, method doRun:

/**
 * Migrates legacy per-user permissions to roles.
 *
 * <p>For every non-local-admin user: a user holding the wildcard permission
 * {@code "*"} receives the admin role, a user holding the complete reader
 * permission set receives the reader role. The explicit permissions that are
 * neither part of the reader set nor the wildcard (dashboard/stream grants)
 * are kept, together with the user's self-edit permissions. Users that
 * already carry roles alongside the full legacy permission set are treated
 * as migrated and skipped. Once the loop completes, the migration is marked
 * as done in the cluster config.
 */
@Override
public void doRun() {
    final String adminRoleId = roleService.getAdminRoleObjectId();
    final String readerRoleId = roleService.getReaderRoleObjectId();

    for (final User user : userService.loadAll()) {
        // The local admin user is excluded from the migration entirely.
        if (user.isLocalAdmin()) {
            log.debug("Skipping local admin user.");
            continue;
        }

        final String userName = user.getName();
        final Set<String> currentPermissions = Sets.newHashSet(user.getPermissions());
        final Set<String> readerPermissions = permissions.readerPermissions(userName);
        final boolean isLegacyAdmin = currentPermissions.contains("*");
        final boolean isLegacyReader = currentPermissions.containsAll(readerPermissions);

        // Roles present plus the full legacy permission set (reader + wildcard):
        // this user went through the migration before.
        if (isLegacyAdmin && isLegacyReader && !user.getRoleIds().isEmpty()) {
            log.debug("Not migrating user {}, it has already been migrated.", userName);
            continue;
        }

        // Start from the roles the user already has; Set.add is a no-op for roles already present.
        final Set<String> migratedRoleIds = Sets.newHashSet(user.getRoleIds());
        if (isLegacyAdmin) {
            migratedRoleIds.add(adminRoleId);
        }
        if (isLegacyReader) {
            migratedRoleIds.add(readerRoleId);
        }

        // Self-edit permissions are always granted; of the legacy permissions only those
        // that are neither the wildcard nor part of the reader set survive (dashboards, streams).
        final Set<String> migratedPermissions = Sets.newHashSet();
        migratedPermissions.addAll(permissions.userSelfEditPermissions(userName));
        for (final String permission : currentPermissions) {
            if (!"*".equals(permission) && !readerPermissions.contains(permission)) {
                migratedPermissions.add(permission);
            }
        }

        log.info("Migrating permissions to roles for user {} from permissions {} and roles {} to new permissions {} and roles {}", userName, currentPermissions, user.getRoleIds(), migratedPermissions, migratedRoleIds);
        user.setRoleIds(migratedRoleIds);
        user.setPermissions(Lists.newArrayList(migratedPermissions));
        try {
            userService.save(user);
        } catch (ValidationException e) {
            // NOTE(review): a failed save is only logged; the migration is still marked
            // as done below, so this user would keep its legacy permissions — confirm intended.
            log.error("Unable to migrate user permissions for user " + userName, e);
        }
    }

    log.info("Marking user permission migration as done.");
    clusterConfigService.write(UserPermissionMigrationState.create(true));
}
Also used : Logger(org.slf4j.Logger) RoleService(org.graylog2.users.RoleService) LoggerFactory(org.slf4j.LoggerFactory) Set(java.util.Set) Sets(com.google.common.collect.Sets) Inject(javax.inject.Inject) Periodical(org.graylog2.plugin.periodical.Periodical) List(java.util.List) Lists(com.google.common.collect.Lists) ClusterConfigService(org.graylog2.plugin.cluster.ClusterConfigService) UserService(org.graylog2.shared.users.UserService) Predicate(com.google.common.base.Predicate) ValidationException(org.graylog2.plugin.database.ValidationException) UserPermissionMigrationState(org.graylog2.cluster.UserPermissionMigrationState) User(org.graylog2.plugin.database.users.User) Permissions(org.graylog2.shared.security.Permissions) User(org.graylog2.plugin.database.users.User) ValidationException(org.graylog2.plugin.database.ValidationException)

Example 2 with Roles

Use of org.graylog2.shared.users.Roles in the project graylog2-server by Graylog2.

From the class SyslogCodecTest, method testDecodeStructuredIssue549:

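/**
 * Decodes the structured-data syslog sample from issue 549 and checks that the
 * message text, the timestamp and every structured-data parameter are exposed
 * as message fields.
 *
 * <p>Assertions pass the expected value first so that a failure reads
 * "expected &lt;x&gt; but was &lt;y&gt;" instead of the reverse.
 */
@Test
public void testDecodeStructuredIssue549() throws Exception {
    final Message message = codec.decode(buildRawMessage(STRUCTURED_ISSUE_549));
    assertNotNull(message);

    assertEquals("RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No\"]", message.getMessage());
    // Compare in UTC so the assertion does not depend on the zone the codec attached.
    assertEquals(new DateTime("2014-05-01T08:26:51.179Z", DateTimeZone.UTC), ((DateTime) message.getField("timestamp")).withZone(DateTimeZone.UTC));

    // Each structured-data parameter is expected as a message field of the same name.
    final String[][] expectedFields = {
        {"source-address", "1.2.3.4"},
        {"source-port", "56639"},
        {"destination-address", "5.6.7.8"},
        {"destination-port", "2003"},
        {"service-name", "None"},
        {"protocol-id", "6"},
        {"icmp-type", "0"},
        {"policy-name", "log-all-else"},
        {"source-zone-name", "campus"},
        {"destination-zone-name", "mngmt"},
        {"application", "UNKNOWN"},
        {"nested-application", "UNKNOWN"},
        {"username", "N/A"},
        {"roles", "N/A"},
        {"packet-incoming-interface", "reth6.0"},
        {"encrypted", "No"},
    };
    for (final String[] expected : expectedFields) {
        final String fieldName = expected[0];
        assertEquals("field " + fieldName, expected[1], message.getField(fieldName));
    }
}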
Also used : RawMessage(org.graylog2.plugin.journal.RawMessage) Message(org.graylog2.plugin.Message) DateTime(org.joda.time.DateTime) Test(org.junit.Test)

Example 3 with Roles

Use of org.graylog2.shared.users.Roles in the project graylog2-server by Graylog2.

From the class RolesResource, method listAll:

/**
 * Lists every role known to the role service.
 *
 * <p>Access is gated by the {@code RestPermissions.ROLES_READ} permission
 * via the {@code @RequiresPermissions} annotation; a missing description is
 * returned as an absent {@code Optional}.
 *
 * @return all roles wrapped in a {@link RolesResponse}
 * @throws NotFoundException as declared by the role lookup
 */
@GET
@RequiresPermissions(RestPermissions.ROLES_READ)
@ApiOperation(value = "List all roles", notes = "")
public RolesResponse listAll() throws NotFoundException {
    final Set<Role> allRoles = roleService.loadAll();
    final Set<RoleResponse> responses = Sets.newHashSet();
    for (final Role role : allRoles) {
        final RoleResponse response = RoleResponse.create(
                role.getName(),
                Optional.fromNullable(role.getDescription()),
                role.getPermissions(),
                role.isReadOnly());
        responses.add(response);
    }
    return RolesResponse.create(responses);
}
Also used : Role(org.graylog2.shared.users.Role) RoleResponse(org.graylog2.rest.models.roles.responses.RoleResponse) RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation)

Example 4 with Roles

Use of org.graylog2.shared.users.Roles in the project graylog2-server by Graylog2.

From the class LdapUserAuthenticator, method updateFromLdap:

/**
 * Copies identity attributes from the LDAP entry onto the user and maps the
 * entry's LDAP groups to role ids.
 *
 * <p>Role handling: the result always starts from the configured default
 * group ids. If the LDAP search returned groups, those replace whatever roles
 * the user had (unmapped or unknown groups are logged and skipped). If it
 * returned no groups and the group mapping is not fully configured, the user's
 * existing roles are kept. If it returned no groups but the mapping is fully
 * configured, only the defaults remain — i.e. previously assigned roles are
 * dropped on this sync.
 *
 * @param user         the user object to update in place (not persisted here)
 * @param userEntry    the LDAP entry found for the user
 * @param ldapSettings the active LDAP settings (display-name attribute, default group ids, group mapping)
 * @param username     the login name the user authenticated with
 */
private void updateFromLdap(User user, LdapEntry userEntry, LdapSettings ldapSettings, String username) {
    final String displayNameAttribute = ldapSettings.getDisplayNameAttribute();
    // Fall back to the login name when the configured display-name attribute is absent.
    final String fullName = firstNonNull(userEntry.get(displayNameAttribute), username);
    user.setName(username);
    user.setFullName(fullName);
    user.setExternal(true);
    // Keep a time zone the user already has; only fill in the root default when unset.
    if (user.getTimeZone() == null) {
        user.setTimeZone(rootTimeZone);
    }
    final String email = userEntry.getEmail();
    if (isNullOrEmpty(email)) {
        LOG.debug("No email address found for user {} in LDAP. Using {}@localhost", username, username);
        user.setEmail(username + "@localhost");
    } else {
        user.setEmail(email);
    }
    // TODO This is a crude hack until we have a proper way to distinguish LDAP users from normal users
    // NOTE(review): this writes a fixed sentinel string into the hashed-password field; the
    // password verifier must never treat it as a valid hash — confirm against the local login path.
    if (isNullOrEmpty(user.getHashedPassword())) {
        ((UserImpl) user).setHashedPassword("User synced from LDAP.");
    }
    // map ldap groups to user roles, if the mapping is present
    // Start from the configured default group id(s); group-derived roles are added on top.
    final Set<String> translatedRoleIds = Sets.newHashSet(Sets.union(Sets.newHashSet(ldapSettings.getDefaultGroupId()), ldapSettings.getAdditionalDefaultGroupIds()));
    if (!userEntry.getGroups().isEmpty()) {
        // ldap search returned groups, these always override the ones set on the user
        try {
            final Map<String, Role> roleNameToRole = roleService.loadAllLowercaseNameMap();
            for (String ldapGroupName : userEntry.getGroups()) {
                final String roleName = ldapSettings.getGroupMapping().get(ldapGroupName);
                if (roleName == null) {
                    LOG.debug("User {}: No group mapping for ldap group <{}>", username, ldapGroupName);
                    continue;
                }
                // The map is keyed by lowercase role name, so normalise the mapped name the same way.
                final Role role = roleNameToRole.get(roleName.toLowerCase(Locale.ENGLISH));
                if (role != null) {
                    LOG.debug("User {}: Mapping ldap group <{}> to role <{}>", username, ldapGroupName, role.getName());
                    translatedRoleIds.add(role.getId());
                } else {
                    LOG.warn("User {}: No role found for ldap group <{}>", username, ldapGroupName);
                }
            }
        } catch (NotFoundException e) {
            // Roles could not be loaded: the user ends up with the default group ids only.
            LOG.error("Unable to load user roles", e);
        }
    } else if (ldapSettings.getGroupMapping().isEmpty() || ldapSettings.getGroupSearchBase().isEmpty() || ldapSettings.getGroupSearchPattern().isEmpty() || ldapSettings.getGroupIdAttribute().isEmpty()) {
        // no group mapping or configuration set, we'll leave the previously set groups alone on sync
        // when first creating the user these will be empty
        translatedRoleIds.addAll(user.getRoleIds());
    }
    // Note: when no groups were returned but the mapping IS fully configured, neither branch
    // runs and the user keeps only the default group ids.
    user.setRoleIds(translatedRoleIds);
    // preserve the raw permissions (the ones without the synthetic self-edit permissions or the "*" admin one)
    // NOTE(review): relies on getPermissions() returning the stored permissions without the synthetic
    // ones — verify against the User implementation, otherwise this line is a no-op.
    user.setPermissions(user.getPermissions());
}
Also used : Role(org.graylog2.shared.users.Role) UserImpl(org.graylog2.users.UserImpl) NotFoundException(org.graylog2.database.NotFoundException)

Example 5 with Roles

Use of org.graylog2.shared.users.Roles in the project graylog2-server by Graylog2.

From the class UsersResource, method setUserRoles:

/**
 * Replaces the user's role ids with the ids of the roles named in {@code roles}.
 *
 * <p>A {@code null} list means "no change" and leaves the user untouched.
 * Names are resolved against the role service's lowercase-name map via
 * {@code Roles.roleNameToIdFunction}. The user is updated in place; nothing
 * is persisted here.
 *
 * @param roles role names to assign, or {@code null} to keep the current assignment
 * @param user  the user whose role ids are replaced
 * @throws InternalServerErrorException if the role map could not be loaded
 */
private void setUserRoles(@Nullable List<String> roles, User user) {
    if (roles == null) {
        return;
    }
    try {
        final Map<String, Role> rolesByLowercaseName = roleService.loadAllLowercaseNameMap();
        final Iterable<String> resolvedRoleIds =
                Iterables.transform(roles, Roles.roleNameToIdFunction(rolesByLowercaseName));
        final Set<String> roleIdSet = Sets.newHashSet(resolvedRoleIds);
        user.setRoleIds(roleIdSet);
    } catch (org.graylog2.database.NotFoundException e) {
        // Surface a lookup failure as a 500 rather than silently keeping stale roles.
        throw new InternalServerErrorException(e);
    }
}
Also used : Role(org.graylog2.shared.users.Role) InternalServerErrorException(javax.ws.rs.InternalServerErrorException)

Aggregations

Role (org.graylog2.shared.users.Role)5 ValidationException (org.graylog2.plugin.database.ValidationException)4 User (org.graylog2.plugin.database.users.User)4 ApiOperation (io.swagger.annotations.ApiOperation)3 NotFoundException (org.graylog2.database.NotFoundException)3 BadRequestException (javax.ws.rs.BadRequestException)2 Path (javax.ws.rs.Path)2 AuditEvent (org.graylog2.audit.jersey.AuditEvent)2 Predicate (com.google.common.base.Predicate)1 Lists (com.google.common.collect.Lists)1 Sets (com.google.common.collect.Sets)1 List (java.util.List)1 Set (java.util.Set)1 Inject (javax.inject.Inject)1 DELETE (javax.ws.rs.DELETE)1 GET (javax.ws.rs.GET)1 InternalServerErrorException (javax.ws.rs.InternalServerErrorException)1 PUT (javax.ws.rs.PUT)1 RequiresPermissions (org.apache.shiro.authz.annotation.RequiresPermissions)1 UserPermissionMigrationState (org.graylog2.cluster.UserPermissionMigrationState)1