auth: add resource metrics_read (#1355)

* auth: add resource metrics_read
* auth: keep single proxy instead of multi proxy for each graph
* not allowed to call HugeFactory.open() by gremlin
* don't shield HugeUser,RolePermission,HugeResource due to rpc access

Change-Id: Iba110199addbfae220616ed69754dcac82fbc848

hugegraph-api/src/main/java/com/baidu/hugegraph/api/filter/AuthenticationFilter.java

@@ -43,7 +43,7 @@
 import org.slf4j.Logger;
 
 import com.baidu.hugegraph.auth.HugeAuthenticator;
-import com.baidu.hugegraph.auth.HugeAuthenticator.RoleAction;
+import com.baidu.hugegraph.auth.HugeAuthenticator.RequiredPerm;
 import com.baidu.hugegraph.auth.HugeAuthenticator.RolePerm;
 import com.baidu.hugegraph.auth.HugeAuthenticator.User;
 import com.baidu.hugegraph.auth.RolePermission;
@@ -192,18 +192,18 @@ private boolean matchPermission(String required) {
             }
 
             // Permission format like: "$owner=$graph $action=vertex-write"
-            RoleAction roleAction = RoleAction.fromPermission(required);
+            RequiredPerm requiredPerm = RequiredPerm.fromPermission(required);
 
             // Replace owner value(may be variable) if needed
-            String owner = roleAction.owner();
+            String owner = requiredPerm.owner();
             if (owner.startsWith(HugeAuthenticator.VAR_PREFIX)) {
                 assert owner.length() > HugeAuthenticator.VAR_PREFIX.length();
                 owner = owner.substring(HugeAuthenticator.VAR_PREFIX.length());
                 owner = this.getPathParameter(owner);
-                roleAction.owner(owner);
+                requiredPerm.owner(owner);
             }
 
-            return RolePerm.match(this.role(), roleAction);
+            return RolePerm.match(this.role(), requiredPerm);
         }
 
         private String getPathParameter(String key) {

hugegraph-api/src/main/java/com/baidu/hugegraph/api/metrics/MetricsAPI.java

@@ -67,7 +67,7 @@ public MetricsAPI() {
     @Timed
     @Path("system")
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    @RolesAllowed("admin")
+    @RolesAllowed({"admin", "$owner= $action=metrics_read"})
     public String system() {
         return JsonUtil.toJson(this.systemMetrics.metrics());
     }
@@ -76,7 +76,7 @@ public String system() {
     @Timed
     @Path("backend")
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    @RolesAllowed("admin")
+    @RolesAllowed({"admin", "$owner= $action=metrics_read"})
     public String backend(@Context GraphManager manager) {
         Map<String, Map<String, Object>> results = InsertionOrderUtil.newMap();
         for (String graph : manager.graphs()) {
@@ -97,7 +97,7 @@ public String backend(@Context GraphManager manager) {
     @GET
     @Timed
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    @RolesAllowed("admin")
+    @RolesAllowed({"admin", "$owner= $action=metrics_read"})
     public String all() {
         ServerReporter reporter = ServerReporter.instance();
         Map<String, Map<String, ? extends Metric>> result = new LinkedHashMap<>();
@@ -113,7 +113,7 @@ public String all() {
     @Timed
     @Path("gauges")
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    @RolesAllowed("admin")
+    @RolesAllowed({"admin", "$owner= $action=metrics_read"})
     public String gauges() {
         ServerReporter reporter = ServerReporter.instance();
         return JsonUtil.toJson(reporter.gauges());
@@ -123,7 +123,7 @@ public String gauges() {
     @Timed
     @Path("counters")
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    @RolesAllowed("admin")
+    @RolesAllowed({"admin", "$owner= $action=metrics_read"})
     public String counters() {
         ServerReporter reporter = ServerReporter.instance();
         return JsonUtil.toJson(reporter.counters());
@@ -133,7 +133,7 @@ public String counters() {
     @Timed
     @Path("histograms")
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    @RolesAllowed("admin")
+    @RolesAllowed({"admin", "$owner= $action=metrics_read"})
     public String histograms() {
         ServerReporter reporter = ServerReporter.instance();
         return JsonUtil.toJson(reporter.histograms());
@@ -143,7 +143,7 @@ public String histograms() {
     @Timed
     @Path("meters")
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    @RolesAllowed("admin")
+    @RolesAllowed({"admin", "$owner= $action=metrics_read"})
     public String meters() {
         ServerReporter reporter = ServerReporter.instance();
         return JsonUtil.toJson(reporter.meters());
@@ -153,7 +153,7 @@ public String meters() {
     @Timed
     @Path("timers")
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    @RolesAllowed("admin")
+    @RolesAllowed({"admin", "$owner= $action=metrics_read"})
     public String timers() {
         ServerReporter reporter = ServerReporter.instance();
         return JsonUtil.toJson(reporter.timers());

hugegraph-api/src/main/java/com/baidu/hugegraph/api/profile/GraphsAPI.java

@@ -43,7 +43,7 @@
 
 import com.baidu.hugegraph.HugeGraph;
 import com.baidu.hugegraph.api.API;
-import com.baidu.hugegraph.auth.HugeAuthenticator.RoleAction;
+import com.baidu.hugegraph.auth.HugeAuthenticator.RequiredPerm;
 import com.baidu.hugegraph.auth.HugePermission;
 import com.baidu.hugegraph.config.HugeConfig;
 import com.baidu.hugegraph.core.GraphManager;
@@ -73,7 +73,7 @@ public Object list(@Context GraphManager manager,
         // Filter by user role
         Set<String> filterGraphs = new HashSet<>();
         for (String graph : graphs) {
-            String role = RoleAction.roleFor(graph, HugePermission.READ);
+            String role = RequiredPerm.roleFor(graph, HugePermission.READ);
             if (sc.isUserInRole(role)) {
                 try {
                     HugeGraph g = graph(manager, graph);
@@ -143,7 +143,7 @@ public void clear(@Context GraphManager manager,
     @Path("{name}/mode")
     @Consumes(APPLICATION_JSON)
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    @RolesAllowed("admin")
+    @RolesAllowed({"admin", "$owner=$name"})
     public Map<String, GraphMode> mode(@Context GraphManager manager,
                                        @PathParam("name") String name,
                                        GraphMode mode) {