Fix AuthManager querying other nodes when initializing the store #1381

Merged
merged 1 commit into from
Mar 11, 2021
Merged
Expand Up @@ -684,7 +684,7 @@ public void truncateBackend() {
try {
this.hugegraph.truncateBackend();
} finally {
if (admin != null && userManager instanceof StandardAuthManager) {
if (admin != null && StandardAuthManager.isLocal(userManager)) {
// Restore admin user to continue to do any operation
userManager.createUser(admin);
}
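Review bot: The comment on the restore branch (`// Restore admin user to continue to do any operation`) no longer explains the condition it now sits under, since the `isLocal` guard is the whole point of this hunk. Presumably a local `StandardAuthManager` keeps its users in the same backend that `truncateBackend()` just wiped, while a non-local manager's users live on another node and are untouched, so only the local case needs the admin re-created; if that is right, say so: `// Only a local auth manager stores users in this backend, so only then must admin be re-created after truncate`. truncateBackend() begins before this hunk (its signature is in the hunk header) and the capture of `admin` that this branch relies on is outside the visible lines.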
Expand Up @@ -52,7 +52,9 @@ private void initAdminUser() throws Exception {
E.checkState(caller.equals("main"), "Invalid caller '%s'", caller);

AuthManager authManager = this.graph().hugegraph().authManager();
if (authManager.findUser(HugeAuthenticator.USER_ADMIN) == null) {
// Only init user when local mode and user has not been initialized
if (StandardAuthManager.isLocal(authManager) &&
authManager.findUser(HugeAuthenticator.USER_ADMIN) == null) {
HugeUser admin = new HugeUser(HugeAuthenticator.USER_ADMIN);
admin.password(StringEncoding.hashPassword(this.inputPassword()));
admin.creator(HugeAuthenticator.USER_SYSTEM);
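Review bot: When `StandardAuthManager.isLocal(authManager)` is false the admin bootstrap is now skipped silently, so a deployment whose auth manager forwards to another node that itself has no admin user would start with no admin and no log line saying why. The new condition also means `this.inputPassword()` is never reached in that mode, which is fine but worth stating. Consider an else branch with a log, if this class has a logger, along the lines of `LOG.info("Skip admin user init since auth manager is not local");`, or extend the new comment to `// Only init user when local mode and user has not been initialized; a non-local manager is expected to already hold admin on the remote node`. initAdminUser() continues past the end of this hunk.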
Expand Up @@ -40,8 +40,8 @@

import com.baidu.hugegraph.analyzer.Analyzer;
import com.baidu.hugegraph.analyzer.AnalyzerFactory;
import com.baidu.hugegraph.auth.StandardAuthManager;
import com.baidu.hugegraph.auth.AuthManager;
import com.baidu.hugegraph.auth.StandardAuthManager;
import com.baidu.hugegraph.backend.BackendException;
import com.baidu.hugegraph.backend.cache.CachedGraphTransaction;
import com.baidu.hugegraph.backend.cache.CachedSchemaTransaction;
Expand Down Expand Up @@ -816,7 +816,9 @@ public synchronized void close() throws Exception {
}

LOG.info("Close graph {}", this);
this.authManager.close();
if (StandardAuthManager.isLocal(this.authManager)) {
this.authManager.close();
}
this.taskManager.closeScheduler(this.params);
try {
this.closeTx();
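Review bot: Guarding `this.authManager.close()` with `isLocal` leaves the ownership of a non-local manager undocumented: if it wraps an RPC client or other resource, nothing in close() releases it, and a reader cannot tell whether that is deliberate sharing or a leak. Presumably a forwarding manager is shared across graphs and owned by whoever constructed it, which would justify not closing it here; if so, record that next to the guard: `// A non-local (forwarding) auth manager is owned by its creator and may be shared; only a local one belongs to this graph`. If it is not shared, the close should instead move to that owner. close() starts before this hunk; the import-order hunk above is trivial.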
Expand Up @@ -420,4 +420,11 @@ public RolePermission loginUser(String username, String password) {
}
return this.rolePermission(user);
}

/**
* Maybe can define an proxy class to choose forward or call local
*/
public static boolean isLocal(AuthManager authManager) {
return authManager instanceof StandardAuthManager;
}
}
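Review bot: The Javadoc on the new `isLocal` helper (`Maybe can define an proxy class to choose forward or call local`) is a design musing rather than a contract, and the contract matters because several call sites now make security-relevant decisions on it. `instanceof` is true for any subclass of `StandardAuthManager` and false for `null`, both of which callers should know. Suggested Javadoc: `Return whether the given manager operates on the local store (a {@link StandardAuthManager} or subclass) rather than forwarding to another node; null yields false. A proxy class could make this dispatch explicit in future.`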
Expand Up @@ -109,6 +109,10 @@ public class HugeSecurityManager extends SecurityManager {
"com.baidu.hugegraph.backend.store.raft.rpc.RpcForwarder"
);

private static final Set<String> SOFA_RPC_CLASSES = ImmutableSet.of(
"com.alipay.sofa.rpc.tracer.sofatracer.RpcSofaTracer"
);

@Override
public void checkPermission(Permission permission) {
if (DENIED_PERMISSIONS.contains(permission.getName()) &&
Expand Down Expand Up @@ -150,7 +154,7 @@ public void checkAccess(Thread thread) {
if (callFromGremlin() && !callFromCaffeine() &&
!callFromAsyncTasks() && !callFromEventHubNotify() &&
!callFromBackendThread() && !callFromBackendHbase() &&
!callFromRaft()) {
!callFromRaft() && !callFromSofaRpc()) {
throw newSecurityException(
"Not allowed to access thread via Gremlin");
}
Expand All @@ -162,7 +166,7 @@ public void checkAccess(ThreadGroup threadGroup) {
if (callFromGremlin() && !callFromCaffeine() &&
!callFromAsyncTasks() && !callFromEventHubNotify() &&
!callFromBackendThread() && !callFromBackendHbase() &&
!callFromRaft()) {
!callFromRaft() && !callFromSofaRpc()) {
throw newSecurityException(
"Not allowed to access thread group via Gremlin");
}
Expand Down Expand Up @@ -190,7 +194,7 @@ public void checkExec(String cmd) {
@Override
public void checkRead(FileDescriptor fd) {
if (callFromGremlin() && !callFromBackendSocket() &&
!callFromRaft()) {
!callFromRaft() && !callFromSofaRpc()) {
throw newSecurityException("Not allowed to read fd via Gremlin");
}
super.checkRead(fd);
Expand All @@ -200,7 +204,7 @@ public void checkRead(FileDescriptor fd) {
public void checkRead(String file) {
if (callFromGremlin() && !callFromCaffeine() &&
!readGroovyInCurrentDir(file) && !callFromBackendHbase() &&
!callFromRaft()) {
!callFromRaft() && !callFromSofaRpc()) {
throw newSecurityException(
"Not allowed to read file via Gremlin: %s", file);
}
Expand All @@ -209,7 +213,7 @@ public void checkRead(String file) {

@Override
public void checkRead(String file, Object context) {
if (callFromGremlin() && !callFromRaft()) {
if (callFromGremlin() && !callFromRaft() && !callFromSofaRpc()) {
throw newSecurityException(
"Not allowed to read file via Gremlin: %s", file);
}
Expand All @@ -219,15 +223,15 @@ public void checkRead(String file, Object context) {
@Override
public void checkWrite(FileDescriptor fd) {
if (callFromGremlin() && !callFromBackendSocket() &&
!callFromRaft()) {
!callFromRaft() && !callFromSofaRpc()) {
throw newSecurityException("Not allowed to write fd via Gremlin");
}
super.checkWrite(fd);
}

@Override
public void checkWrite(String file) {
if (callFromGremlin() && !callFromRaft()) {
if (callFromGremlin() && !callFromRaft() && !callFromSofaRpc()) {
throw newSecurityException("Not allowed to write file via Gremlin");
}
super.checkWrite(file);
Expand Down Expand Up @@ -263,7 +267,7 @@ public void checkAccept(String host, int port) {
@Override
public void checkConnect(String host, int port) {
if (callFromGremlin() && !callFromBackendSocket() &&
!callFromBackendHbase() && !callFromRaft()) {
!callFromBackendHbase() && !callFromRaft() && !callFromSofaRpc()) {
throw newSecurityException(
"Not allowed to connect socket via Gremlin");
}
Expand Down Expand Up @@ -307,7 +311,7 @@ public void checkSetFactory() {

@Override
public void checkPropertiesAccess() {
if (callFromGremlin()) {
if (callFromGremlin() && !callFromSofaRpc()) {
throw newSecurityException(
"Not allowed to access system properties via Gremlin");
}
Expand All @@ -318,7 +322,7 @@ public void checkPropertiesAccess() {
public void checkPropertyAccess(String key) {
if (!callFromAcceptClassLoaders() && callFromGremlin() &&
!WHITE_SYSTEM_PROPERTYS.contains(key) && !callFromBackendHbase() &&
!callFromRaft()) {
!callFromRaft() && !callFromSofaRpc()) {
throw newSecurityException(
"Not allowed to access system property(%s) via Gremlin", key);
}
Expand Down Expand Up @@ -442,6 +446,10 @@ private static boolean callFromRaft() {
return callFromWorkerWithClass(RAFT_CLASSES);
}

private static boolean callFromSofaRpc() {
return callFromWorkerWithClass(SOFA_RPC_CLASSES);
}

private static boolean callFromWorkerWithClass(Set<String> classes) {
Thread curThread = Thread.currentThread();
if (curThread.getName().startsWith(GREMLIN_SERVER_WORKER) ||
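Review bot: The new `callFromSofaRpc()` exemption is a stack-presence check on a single class name (`com.alipay.sofa.rpc.tracer.sofatracer.RpcSofaTracer`, via `callFromWorkerWithClass`, whose body is cut off here but presumably scans the current worker thread's stack like the other `callFrom*` helpers), and it is wired into every sandbox check at once: thread and thread-group access, file read and write, fd read and write, socket connect, and system-property access. The widest change is `checkPropertiesAccess`, which previously denied Gremlin callers unconditionally and now allows wholesale `System.getProperties()` whenever that class is on the stack, a broader grant than the per-key `WHITE_SYSTEM_PROPERTYS` list that `checkPropertyAccess` still enforces. If a script running on a Gremlin worker can reach that class at all, for example by calling one of its public methods with attacker-chosen arguments, it inherits the whole set of exemptions, so please confirm the class is not reachable from the script classloader and trim the exemption to the checks the tracer actually performs during a forwarded auth call. A comment on the constant stating why each exemption exists would help reviewers judge future additions, for example `// RpcSofaTracer reads tracer config from system properties and writes trace logs during forwarded auth RPCs; keep this list minimal`.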