diff --git a/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/HugeGraphAuthProxy.java b/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/HugeGraphAuthProxy.java index a6a3cd1f05..880cf4a02b 100644 --- a/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/HugeGraphAuthProxy.java +++ b/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/HugeGraphAuthProxy.java @@ -684,7 +684,7 @@ public void truncateBackend() { try { this.hugegraph.truncateBackend(); } finally { - if (admin != null && userManager instanceof StandardAuthManager) { + if (admin != null && StandardAuthManager.isLocal(userManager)) { // Restore admin user to continue to do any operation userManager.createUser(admin); } diff --git a/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/StandardAuthenticator.java b/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/StandardAuthenticator.java index fb2e67796e..838650e29b 100644 --- a/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/StandardAuthenticator.java +++ b/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/StandardAuthenticator.java @@ -52,7 +52,9 @@ private void initAdminUser() throws Exception { E.checkState(caller.equals("main"), "Invalid caller '%s'", caller); AuthManager authManager = this.graph().hugegraph().authManager(); - if (authManager.findUser(HugeAuthenticator.USER_ADMIN) == null) { + // Only init user when local mode and user has not been initialized + if (StandardAuthManager.isLocal(authManager) && + authManager.findUser(HugeAuthenticator.USER_ADMIN) == null) { HugeUser admin = new HugeUser(HugeAuthenticator.USER_ADMIN); admin.password(StringEncoding.hashPassword(this.inputPassword())); admin.creator(HugeAuthenticator.USER_SYSTEM); diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/StandardHugeGraph.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/StandardHugeGraph.java index 91fb652fbf..962e8b326d 100644 --- a/hugegraph-core/src/main/java/com/baidu/hugegraph/StandardHugeGraph.java +++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/StandardHugeGraph.java @@ -40,8 +40,8 @@ import com.baidu.hugegraph.analyzer.Analyzer; import com.baidu.hugegraph.analyzer.AnalyzerFactory; -import com.baidu.hugegraph.auth.StandardAuthManager; import com.baidu.hugegraph.auth.AuthManager; +import com.baidu.hugegraph.auth.StandardAuthManager; import com.baidu.hugegraph.backend.BackendException; import com.baidu.hugegraph.backend.cache.CachedGraphTransaction; import com.baidu.hugegraph.backend.cache.CachedSchemaTransaction; @@ -816,7 +816,9 @@ public synchronized void close() throws Exception { } LOG.info("Close graph {}", this); - this.authManager.close(); + if (StandardAuthManager.isLocal(this.authManager)) { + this.authManager.close(); + } this.taskManager.closeScheduler(this.params); try { this.closeTx(); diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/auth/StandardAuthManager.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/auth/StandardAuthManager.java index 13d1170fbb..21cc1cac0a 100644 --- a/hugegraph-core/src/main/java/com/baidu/hugegraph/auth/StandardAuthManager.java +++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/auth/StandardAuthManager.java @@ -420,4 +420,11 @@ public RolePermission loginUser(String username, String password) { } return this.rolePermission(user); } + + /** + * Maybe can define an proxy class to choose forward or call local + */ + public static boolean isLocal(AuthManager authManager) { + return authManager instanceof StandardAuthManager; + } } diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java index 55cb393eeb..a97f385bea 100644 --- a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java +++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java @@ -109,6 +109,10 @@ public class HugeSecurityManager extends SecurityManager { "com.baidu.hugegraph.backend.store.raft.rpc.RpcForwarder" ); + private static final Set SOFA_RPC_CLASSES = ImmutableSet.of( + "com.alipay.sofa.rpc.tracer.sofatracer.RpcSofaTracer" + ); + @Override public void checkPermission(Permission permission) { if (DENIED_PERMISSIONS.contains(permission.getName()) && @@ -150,7 +154,7 @@ public void checkAccess(Thread thread) { if (callFromGremlin() && !callFromCaffeine() && !callFromAsyncTasks() && !callFromEventHubNotify() && !callFromBackendThread() && !callFromBackendHbase() && - !callFromRaft()) { + !callFromRaft() && !callFromSofaRpc()) { throw newSecurityException( "Not allowed to access thread via Gremlin"); } @@ -162,7 +166,7 @@ public void checkAccess(ThreadGroup threadGroup) { if (callFromGremlin() && !callFromCaffeine() && !callFromAsyncTasks() && !callFromEventHubNotify() && !callFromBackendThread() && !callFromBackendHbase() && - !callFromRaft()) { + !callFromRaft() && !callFromSofaRpc()) { throw newSecurityException( "Not allowed to access thread group via Gremlin"); } @@ -190,7 +194,7 @@ public void checkExec(String cmd) { @Override public void checkRead(FileDescriptor fd) { if (callFromGremlin() && !callFromBackendSocket() && - !callFromRaft()) { + !callFromRaft() && !callFromSofaRpc()) { throw newSecurityException("Not allowed to read fd via Gremlin"); } super.checkRead(fd); @@ -200,7 +204,7 @@ public void checkRead(FileDescriptor fd) { public void checkRead(String file) { if (callFromGremlin() && !callFromCaffeine() && !readGroovyInCurrentDir(file) && !callFromBackendHbase() && - !callFromRaft()) { + !callFromRaft() && !callFromSofaRpc()) { throw newSecurityException( "Not allowed to read file via Gremlin: %s", file); } @@ -209,7 +213,7 @@ public void checkRead(String file) { @Override public void checkRead(String file, Object context) { - if (callFromGremlin() && !callFromRaft()) { + if (callFromGremlin() && !callFromRaft() && !callFromSofaRpc()) { throw newSecurityException( "Not allowed to read file via Gremlin: %s", file); } @@ -219,7 +223,7 @@ public void checkRead(String file, Object context) { @Override public void checkWrite(FileDescriptor fd) { if (callFromGremlin() && !callFromBackendSocket() && - !callFromRaft()) { + !callFromRaft() && !callFromSofaRpc()) { throw newSecurityException("Not allowed to write fd via Gremlin"); } super.checkWrite(fd); @@ -227,7 +231,7 @@ public void checkWrite(FileDescriptor fd) { @Override public void checkWrite(String file) { - if (callFromGremlin() && !callFromRaft()) { + if (callFromGremlin() && !callFromRaft() && !callFromSofaRpc()) { throw newSecurityException("Not allowed to write file via Gremlin"); } super.checkWrite(file); @@ -263,7 +267,7 @@ public void checkAccept(String host, int port) { @Override public void checkConnect(String host, int port) { if (callFromGremlin() && !callFromBackendSocket() && - !callFromBackendHbase() && !callFromRaft()) { + !callFromBackendHbase() && !callFromRaft() && !callFromSofaRpc()) { throw newSecurityException( "Not allowed to connect socket via Gremlin"); } @@ -307,7 +311,7 @@ public void checkSetFactory() { @Override public void checkPropertiesAccess() { - if (callFromGremlin()) { + if (callFromGremlin() && !callFromSofaRpc()) { throw newSecurityException( "Not allowed to access system properties via Gremlin"); } @@ -318,7 +322,7 @@ public void checkPropertiesAccess() { public void checkPropertyAccess(String key) { if (!callFromAcceptClassLoaders() && callFromGremlin() && !WHITE_SYSTEM_PROPERTYS.contains(key) && !callFromBackendHbase() && - !callFromRaft()) { + !callFromRaft() && !callFromSofaRpc()) { throw newSecurityException( "Not allowed to access system property(%s) via Gremlin", key); } @@ -442,6 +446,10 @@ private static boolean callFromRaft() { return callFromWorkerWithClass(RAFT_CLASSES); } + private static boolean callFromSofaRpc() { + return callFromWorkerWithClass(SOFA_RPC_CLASSES); + } + private static boolean callFromWorkerWithClass(Set classes) { Thread curThread = Thread.currentThread(); if (curThread.getName().startsWith(GREMLIN_SERVER_WORKER) ||