Example 1 with Roles
use of org.graylog2.shared.users.Roles in project graylog2-server by Graylog2.
the class UserPermissionMigrationPeriodical method doRun.
@Override
public void doRun() {
final List<User> users = userService.loadAll();
final String adminRoleId = roleService.getAdminRoleObjectId();
final String readerRoleId = roleService.getReaderRoleObjectId();
for (User user : users) {
if (user.isLocalAdmin()) {
log.debug("Skipping local admin user.");
continue;
}
final Set<String> fixedPermissions = Sets.newHashSet();
final Set<String> fixedRoleIds = Sets.newHashSet(user.getRoleIds());
final Set<String> permissionSet = Sets.newHashSet(user.getPermissions());
boolean hasWildcardPermission = permissionSet.contains("*");
if (hasWildcardPermission && !user.getRoleIds().contains(adminRoleId)) {
// need to add the admin role to this user
fixedRoleIds.add(adminRoleId);
}
final Set<String> basePermissions = permissions.readerPermissions(user.getName());
final boolean hasCompleteReaderSet = permissionSet.containsAll(basePermissions);
// - it has the wildcard permissions
if (!user.getRoleIds().isEmpty() && hasCompleteReaderSet && hasWildcardPermission) {
log.debug("Not migrating user {}, it has already been migrated.", user.getName());
continue;
}
if (hasCompleteReaderSet && !user.getRoleIds().contains(readerRoleId)) {
// need to add the reader role to this user
fixedRoleIds.add(readerRoleId);
}
// filter out the individual permissions to dashboards and streams
final List<String> dashboardStreamPermissions = Lists.newArrayList(Sets.filter(permissionSet, permission -> !basePermissions.contains(permission) && !"*".equals(permission)));
// add the minimal permission set back to the user
fixedPermissions.addAll(permissions.userSelfEditPermissions(user.getName()));
fixedPermissions.addAll(dashboardStreamPermissions);
log.info("Migrating permissions to roles for user {} from permissions {} and roles {} to new permissions {} and roles {}", user.getName(), permissionSet, user.getRoleIds(), fixedPermissions, fixedRoleIds);
user.setRoleIds(fixedRoleIds);
user.setPermissions(Lists.newArrayList(fixedPermissions));
try {
userService.save(user);
} catch (ValidationException e) {
log.error("Unable to migrate user permissions for user " + user.getName(), e);
}
}
log.info("Marking user permission migration as done.");
clusterConfigService.write(UserPermissionMigrationState.create(true));
}
Also used :
Logger(org.slf4j.Logger)
RoleService(org.graylog2.users.RoleService)
LoggerFactory(org.slf4j.LoggerFactory)
Set(java.util.Set)
Sets(com.google.common.collect.Sets)
Inject(javax.inject.Inject)
Periodical(org.graylog2.plugin.periodical.Periodical)
List(java.util.List)
Lists(com.google.common.collect.Lists)
ClusterConfigService(org.graylog2.plugin.cluster.ClusterConfigService)
UserService(org.graylog2.shared.users.UserService)
Predicate(com.google.common.base.Predicate)
ValidationException(org.graylog2.plugin.database.ValidationException)
UserPermissionMigrationState(org.graylog2.cluster.UserPermissionMigrationState)
User(org.graylog2.plugin.database.users.User)
Permissions(org.graylog2.shared.security.Permissions)
User(org.graylog2.plugin.database.users.User)
ValidationException(org.graylog2.plugin.database.ValidationException)
Example 2 with Roles
use of org.graylog2.shared.users.Roles in project graylog2-server by Graylog2.
the class SyslogCodecTest method testDecodeStructuredIssue549.
@Test
public void testDecodeStructuredIssue549() throws Exception {
final Message message = codec.decode(buildRawMessage(STRUCTURED_ISSUE_549));
assertNotNull(message);
assertEquals(message.getMessage(), "RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No\"]");
assertEquals(((DateTime) message.getField("timestamp")).withZone(DateTimeZone.UTC), new DateTime("2014-05-01T08:26:51.179Z", DateTimeZone.UTC));
assertEquals(message.getField("source-address"), "1.2.3.4");
assertEquals(message.getField("source-port"), "56639");
assertEquals(message.getField("destination-address"), "5.6.7.8");
assertEquals(message.getField("destination-port"), "2003");
assertEquals(message.getField("service-name"), "None");
assertEquals(message.getField("protocol-id"), "6");
assertEquals(message.getField("icmp-type"), "0");
assertEquals(message.getField("policy-name"), "log-all-else");
assertEquals(message.getField("source-zone-name"), "campus");
assertEquals(message.getField("destination-zone-name"), "mngmt");
assertEquals(message.getField("application"), "UNKNOWN");
assertEquals(message.getField("nested-application"), "UNKNOWN");
assertEquals(message.getField("username"), "N/A");
assertEquals(message.getField("roles"), "N/A");
assertEquals(message.getField("packet-incoming-interface"), "reth6.0");
assertEquals(message.getField("encrypted"), "No");
}
Also used :
RawMessage(org.graylog2.plugin.journal.RawMessage)
Message(org.graylog2.plugin.Message)
DateTime(org.joda.time.DateTime)
Test(org.junit.Test)
Example 3 with Roles
use of org.graylog2.shared.users.Roles in project graylog2-server by Graylog2.
the class RolesResource method listAll.
@GET
@RequiresPermissions(RestPermissions.ROLES_READ)
@ApiOperation(value = "List all roles", notes = "")
public RolesResponse listAll() throws NotFoundException {
final Set<Role> roles = roleService.loadAll();
Set<RoleResponse> roleResponses = Sets.newHashSet();
for (Role role : roles) {
roleResponses.add(RoleResponse.create(role.getName(), Optional.fromNullable(role.getDescription()), role.getPermissions(), role.isReadOnly()));
}
return RolesResponse.create(roleResponses);
}
Also used :
Role(org.graylog2.shared.users.Role)
RoleResponse(org.graylog2.rest.models.roles.responses.RoleResponse)
RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions)
GET(javax.ws.rs.GET)
ApiOperation(io.swagger.annotations.ApiOperation)
Example 4 with Roles
use of org.graylog2.shared.users.Roles in project graylog2-server by Graylog2.
the class LdapUserAuthenticator method updateFromLdap.
private void updateFromLdap(User user, LdapEntry userEntry, LdapSettings ldapSettings, String username) {
final String displayNameAttribute = ldapSettings.getDisplayNameAttribute();
final String fullName = firstNonNull(userEntry.get(displayNameAttribute), username);
user.setName(username);
user.setFullName(fullName);
user.setExternal(true);
if (user.getTimeZone() == null) {
user.setTimeZone(rootTimeZone);
}
final String email = userEntry.getEmail();
if (isNullOrEmpty(email)) {
LOG.debug("No email address found for user {} in LDAP. Using {}@localhost", username, username);
user.setEmail(username + "@localhost");
} else {
user.setEmail(email);
}
// TODO This is a crude hack until we have a proper way to distinguish LDAP users from normal users
if (isNullOrEmpty(user.getHashedPassword())) {
((UserImpl) user).setHashedPassword("User synced from LDAP.");
}
// map ldap groups to user roles, if the mapping is present
final Set<String> translatedRoleIds = Sets.newHashSet(Sets.union(Sets.newHashSet(ldapSettings.getDefaultGroupId()), ldapSettings.getAdditionalDefaultGroupIds()));
if (!userEntry.getGroups().isEmpty()) {
// ldap search returned groups, these always override the ones set on the user
try {
final Map<String, Role> roleNameToRole = roleService.loadAllLowercaseNameMap();
for (String ldapGroupName : userEntry.getGroups()) {
final String roleName = ldapSettings.getGroupMapping().get(ldapGroupName);
if (roleName == null) {
LOG.debug("User {}: No group mapping for ldap group <{}>", username, ldapGroupName);
continue;
}
final Role role = roleNameToRole.get(roleName.toLowerCase(Locale.ENGLISH));
if (role != null) {
LOG.debug("User {}: Mapping ldap group <{}> to role <{}>", username, ldapGroupName, role.getName());
translatedRoleIds.add(role.getId());
} else {
LOG.warn("User {}: No role found for ldap group <{}>", username, ldapGroupName);
}
}
} catch (NotFoundException e) {
LOG.error("Unable to load user roles", e);
}
} else if (ldapSettings.getGroupMapping().isEmpty() || ldapSettings.getGroupSearchBase().isEmpty() || ldapSettings.getGroupSearchPattern().isEmpty() || ldapSettings.getGroupIdAttribute().isEmpty()) {
// no group mapping or configuration set, we'll leave the previously set groups alone on sync
// when first creating the user these will be empty
translatedRoleIds.addAll(user.getRoleIds());
}
user.setRoleIds(translatedRoleIds);
// preserve the raw permissions (the ones without the synthetic self-edit permissions or the "*" admin one)
user.setPermissions(user.getPermissions());
}
Also used :
Role(org.graylog2.shared.users.Role)
UserImpl(org.graylog2.users.UserImpl)
NotFoundException(org.graylog2.database.NotFoundException)
Example 5 with Roles
use of org.graylog2.shared.users.Roles in project graylog2-server by Graylog2.
the class UsersResource method setUserRoles.
private void setUserRoles(@Nullable List<String> roles, User user) {
if (roles != null) {
try {
final Map<String, Role> nameMap = roleService.loadAllLowercaseNameMap();
final Iterable<String> roleIds = Iterables.transform(roles, Roles.roleNameToIdFunction(nameMap));
user.setRoleIds(Sets.newHashSet(roleIds));
} catch (org.graylog2.database.NotFoundException e) {
throw new InternalServerErrorException(e);
}
}
}
Also used :
Role(org.graylog2.shared.users.Role)
InternalServerErrorException(javax.ws.rs.InternalServerErrorException)
Aggregations
Role (org.graylog2.shared.users.Role)5
ValidationException (org.graylog2.plugin.database.ValidationException)4
User (org.graylog2.plugin.database.users.User)4
ApiOperation (io.swagger.annotations.ApiOperation)3
NotFoundException (org.graylog2.database.NotFoundException)3
BadRequestException (javax.ws.rs.BadRequestException)2
Path (javax.ws.rs.Path)2
AuditEvent (org.graylog2.audit.jersey.AuditEvent)2
Predicate (com.google.common.base.Predicate)1
Lists (com.google.common.collect.Lists)1
Sets (com.google.common.collect.Sets)1
List (java.util.List)1
Set (java.util.Set)1
Inject (javax.inject.Inject)1
DELETE (javax.ws.rs.DELETE)1
GET (javax.ws.rs.GET)1
InternalServerErrorException (javax.ws.rs.InternalServerErrorException)1
PUT (javax.ws.rs.PUT)1
RequiresPermissions (org.apache.shiro.authz.annotation.RequiresPermissions)1
UserPermissionMigrationState (org.graylog2.cluster.UserPermissionMigrationState)1
