diff --git a/config/map.json b/config/map.json
index c05ac5b3..9b00c6e7 100644
--- a/config/map.json
+++ b/config/map.json
@@ -1,6 +1,6 @@
 {
 "DELETE-/_ingest/pipeline/:id": "ingest.delete_pipeline",
- "DELETE-/_scripts/:id": "DELETE-_script",
+ "DELETE-/_scripts/:id": "script.delete",
 "DELETE-/_search/scroll": "clear_scroll",
 "DELETE-/_search/scroll/:scroll_id": "clear_scroll",
 "DELETE-/_snapshot/:repository": "snapshot.delete_repository",
@@ -11,7 +11,7 @@
 "DELETE-/:index/_aliases/:name": "indices.delete_alias",
 "DELETE-/:index/_doc/:id": "doc.delete",
- "GET-/": "info",
+ "GET-/": "cluster.info",
 "GET-/_alias": "indices.get_alias",
 "GET-/_alias/:name": "indices.get_alias",
 "GET-/_analyze": "indices.analyze",
@@ -60,8 +60,8 @@
 "GET-/_cluster/state/:metric/:index": "cluster.state",
 "GET-/_cluster/stats": "cluster.stats",
 "GET-/_cluster/stats/nodes/:node_id": "cluster.stats",
- "GET-/_count": "count",
- "GET-/_field_caps": "field_caps",
+ "GET-/_count": "cluster.count",
+ "GET-/_flush": "indices.flush",
 "GET-/_flush/synced": "indices.flush_synced",
 "GET-/_ingest/pipeline": "ingest.get_pipeline",
@@ -71,10 +71,10 @@
 "GET-/_ingest/processor/grok": "ingest.processor_grok",
 "GET-/_mapping": "indices.get_mapping",
- "GET-/_mget": "mget",
- "GET-/_msearch": "msearch",
- "GET-/_msearch/template": "msearch_template",
- "GET-/_mtermvectors": "mtermvectors",
+ "GET-/_mget": "cluster.mget",
+ "GET-/_msearch": "cluster.msearch",
+ "GET-/_msearch/template": "cluster.msearch_template",
+ "GET-/_mtermvectors": "cluster.mtermvectors",
 "GET-/_nodes": "nodes.info",
 "GET-/_nodes/hot_threads": "nodes.hot_threads",
 "GET-/_nodes/hotthreads": "nodes.hot_threads",
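Review bot: `"DELETE-/_scripts/:id"` is mapped to `script.delete` (singular) while permission.json and the `@@ -93` hunk of this file use the `scripts.` prefix (`scripts.get`, `scripts.painless_execute`, `scripts.delete`), so a role granted `scripts.*` or `scripts.delete` would never match this route; the line should read `"DELETE-/_scripts/:id": "scripts.delete",`. In the `@@ -60` hunk the removed `"GET-/_field_caps": "field_caps"` has no renamed counterpart, unlike `POST-/_field_caps`, which becomes `cluster.field_caps` in the `@@ -156` hunk — this looks like an accidental drop unless the `GET-/_flush` line was meant to replace it. The `@@ -217` hunk likewise leaves `"POST-/:index/_count": "count"` while its GET sibling becomes `indices.count` and the `count` group is deleted from permission.json, so that route can no longer be granted to any role.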
@@ -93,15 +93,15 @@
 "GET-/_nodes/:node_id/usage": "nodes.usage",
 "GET-/_nodes/:node_id/usage/:metric": "nodes.usage",
 "GET-/_nodes/:node_id/:metric": "nodes.info",
- "GET-/_rank_eval": "rank_eval",
+ "GET-/_rank_eval": "cluster.rank_eval",
 "GET-/_recovery": "indices.recovery",
 "GET-/_refresh": "indices.refresh",
 "GET-/_remote/info": "cluster.remote_info",
 "GET-/_render/template": "render_search_template",
 "GET-/_render/template/:id": "render_search_template",
- "GET-/_scripts/painless/_execute": "scripts_painless_execute",
- "GET-/_scripts/:id": "get_script",
- "GET-/_search": "search",
+ "GET-/_scripts/painless/_execute": "scripts.painless_execute",
+ "GET-/_scripts/:id": "scripts.get",
+ "GET-/_search": "cluster.search",
 "GET-/_search/scroll": "scroll",
 "GET-/_search/scroll/:scroll_id": "scroll",
 "GET-/_search/template": "search_template",
@@ -128,25 +128,25 @@
 "GET-/:index/_alias": "indices.get_alias",
 "GET-/:index/_alias/:name": "indices.get_alias",
 "GET-/:index/_analyze": "indices.analyze",
- "GET-/:index/_count": "count",
+ "GET-/:index/_count": "indices.count",
 "GET-/:index/_doc/:id": "doc.get",
- "GET-/:index/_field_caps": "field_caps",
+ "GET-/:index/_field_caps": "indices.field_caps",
 "GET-/:index/_flush": "indices.flush",
 "GET-/:index/_flush/synced": "indices.flush_synced",
 "GET-/:index/_mapping": "indices.get_mapping",
 "GET-/:index/_mappings": "indices.get_mapping",
 "GET-/:index/_mapping/field/:fields": "indices.get_field_mapping",
- "GET-/:index/_mget": "mget",
- "GET-/:index/_msearch": "msearch",
- "GET-/:index/_msearch/template": "msearch_template",
- "GET-/:index/_mtermvectors": "mtermvectors",
- "GET-/:index/_rank_eval": "rank_eval",
+ "GET-/:index/_mget": "indices.mget",
+ "GET-/:index/_msearch": "indices.msearch",
+ "GET-/:index/_msearch/template": "indices.msearch_template",
+ "GET-/:index/_mtermvectors": "indices.mtermvectors",
+ "GET-/:index/_rank_eval": "indices.rank_eval",
 "GET-/:index/_recovery": "indices.recovery",
 "GET-/:index/_refresh": "indices.refresh",
- "GET-/:index/_search": "search",
- "GET-/:index/_search/template": "search_template",
- "GET-/:index/_search_shards": "search_shards",
+ "GET-/:index/_search": "indices.search",
+ "GET-/:index/_search/template": "indices.search_template",
+ "GET-/:index/_search_shards": "indices.search_shards",
 "GET-/:index/_segments": "indices.segments",
 "GET-/:index/_settings": "indices.get_settings",
 "GET-/:index/_settings/:name": "indices.get_settings",
@@ -156,35 +156,39 @@
 "GET-/:index/_upgrade": "indices.get_upgrade",
 "GET-/:index/_validate/query": "indices.validate_query",
- "HEAD-/": "info",
+ "HEAD-/": "cluster.info",
 "HEAD-/_alias/:name": "indices.exists_alias",
 "HEAD-/_template/:name": "indices.exists_template",
 "HEAD-/:index": "indices.exists",
 "HEAD-/:index/_alias/:name": "indices.exists_alias",
+ "HEAD-/:index/_analyze": "indices.analyze",
+ "HEAD-/:index/_mapping/{type}": "indices.exists_type",
+ "HEAD-/:index/_doc/{id}": "doc.exists",
+ "HEAD-/:index/_doc/{id}/_source": "doc.exists_source",
 "POST-/_aliases": "indices.update_aliases",
 "POST-/_analyze": "indices.analyze",
- "POST-/_bulk": "bulk",
+ "POST-/_bulk": "cluster.bulk",
 "POST-/_cache/clear": "indices.clear_cache",
 "POST-/_cluster/allocation/explain": "cluster.allocation_explain",
 "POST-/_cluster/reroute": "cluster.reroute",
- "POST-/_count": "count",
- "POST-/_DELETE-_by_query/:task_id/_rethrottle": "reindex_rethrottle",
- "POST-/_field_caps": "field_caps",
+ "POST-/_count": "cluster.count",
+ "POST-/_delete_by_query/:task_id/_rethrottle": "reindex_rethrottle",
+ "POST-/_field_caps": "cluster.field_caps",
 "POST-/_flush": "indices.flush",
 "POST-/_flush/synced": "indices.flush_synced",
 "POST-/_forcemerge": "indices.forcemerge",
 "POST-/_ingest/pipeline/_simulate": "ingest.simulate",
 "POST-/_ingest/pipeline/:id/_simulate": "ingest.simulate",
- "POST-/_mget": "mget",
- "POST-/_msearch": "msearch",
- "POST-/_msearch/template": "msearch_template",
- "POST-/_mtermvectors": "mtermvectors",
+ "POST-/_mget": "cluster.mget",
+ "POST-/_msearch": "cluster.msearch",
+ "POST-/_msearch/template": "cluster.msearch_template",
+ "POST-/_mtermvectors": "cluster.mtermvectors",
 "POST-/_nodes/reload_secure_settings": "nodes.reload_secure_settings",
 "POST-/_nodes/:node_id/reload_secure_settings": "nodes.reload_secure_settings",
- "POST-/_rank_eval": "rank_eval",
+ "POST-/_rank_eval": "cluster.rank_eval",
 "POST-/_refresh": "indices.refresh",
 "POST-/_reindex": "reindex",
 "POST-/_reindex/:task_id/_rethrottle": "reindex_rethrottle",
@@ -217,7 +221,7 @@
 "POST-/:index/_cache/clear": "indices.clear_cache",
 "POST-/:index/_close": "indices.close",
 "POST-/:index/_count": "count",
- "POST-/:index/_DELETE-_by_query": "DELETE-_by_query",
+ "POST-/:index/_delete_by_query": "indices.delete_by_query",
 "POST-/:index/_doc": "doc.create",
 "POST-/:index/_doc/:id": "doc.put",
 "POST-/:index/_doc/:id/_update": "doc.update",
diff --git a/config/permission.json b/config/permission.json
index cd79821e..28fb3a84 100644
--- a/config/permission.json
+++ b/config/permission.json
@@ -1,8 +1,5 @@
 {
- "bulk": [
- "bulk"
- ],
 "cat": [
 "cat.*",
 "cat.indices",
@@ -36,32 +33,38 @@
 "cluster.allocation_explain",
 "cluster.put_settings",
 "cluster.reroute",
- "cluster.state"
- ],
- "count": [
- "*",
- "count"
+ "cluster.count",
+ "cluster.state",
+ "cluster.info",
+ "cluster.bulk",
+ "cluster.mget",
+ "cluster.ping",
+ "cluster.msearch",
+ "cluster.msearch_template",
+ "cluster.mtermvectors",
+ "cluster.rank_eval",
+ "cluster.search"
 ],
+
 "doc": [
 "doc.*",
 "doc.update",
 "doc.put",
 "doc.create",
- "doc.delete"
+ "doc.delete",
+ "doc.get",
+ "doc.exists",
+ "doc.count",
+ "doc.exists_source",
+ "doc.bulk",
+ "doc.explain",
+ "doc.mget",
+ "doc.msearch",
+ "doc.msearch_template",
+ "doc.mtermvectors",
+ "doc.search"
 ],
- "exists": [
- "exists"
- ],
- "explain": [
- "explain"
- ],
- "field_caps": [
- "field_caps"
- ],
- "get": [
- "get"
- ],
 "indices": [
 "indices.*",
 "indices.exists_alias",
@@ -103,11 +106,19 @@
 "indices.stats",
 "indices.delete_by_query",
 "indices.rollover",
- "indices.shard_stores"
- ],
- "info": [
- "info"
+ "indices.count",
+ "indices.shard_stores",
+ "indices.bulk",
+ "indices.mget",
+ "indices.msearch",
+ "indices.msearch_template",
+ "indices.mtermvectors",
+ "indices.rank_eval",
+ "indices.search",
+ "indices.search_shards",
+ "indices.field_caps"
 ],
+
 "ingest": [
 "ingest.*",
 "ingest.delete_pipeline",
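Review bot: The four new HEAD entries use `{type}` and `{id}` as path placeholders whereas every other key in this file writes parameters as `:name` (compare `"HEAD-/:index/_doc/{id}"` with `"DELETE-/:index/_doc/:id"` a few lines up), so a lookup built from the router's `:id` form would presumably never find them. Changing them to `"HEAD-/:index/_mapping/:type": "indices.exists_type"`, `"HEAD-/:index/_doc/:id": "doc.exists"` and `"HEAD-/:index/_doc/:id/_source": "doc.exists_source"` keeps the map consistent with the rest of the file.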
@@ -116,18 +127,7 @@
 "ingest.get_pipeline",
 "ingest.processor_grok"
 ],
- "mget": [
- "mget"
- ],
- "msearch": [
- "msearch"
- ],
- "msearch_template": [
- "msearch_template"
- ],
- "mtermvectors": [
- "mtermvectors"
- ],
+
 "nodes": [
 "nodes.*",
 "nodes.info",
@@ -136,42 +136,27 @@
 "nodes.usage",
 "nodes.hot_threads"
 ],
- "ping": [
- "ping"
- ],
- "rank_eval": [
- "rank_eval"
- ],
+
 "reindex": [
- "reindex"
- ],
- "reindex_rethrottle": [
- "reindex_rethrottle"
+ "reindex.*",
+ "reindex.rethrottle"
 ],
+
 "render_search_template": [
- "render_search_template"
+ "render_search_template.*"
 ],
 "scripts": [
 "scripts.*",
 "scripts.get",
 "scripts.put",
- "scripts.delete"
- ],
- "scripts_painless_execute": [
- "scripts_painless_execute"
+ "scripts.delete",
+ "scripts.painless_execute"
 ],
+
 "scroll": [
- "scroll.delete"
- ],
- "search": [
- "search"
- ],
- "search_shards": [
- "search_shards"
- ],
- "search_template": [
- "search_template"
+ "scroll.*"
 ],
+
 "snapshot": [
 "snapshot.*",
 "snapshot.get_repository",
@@ -184,12 +169,9 @@
 "snapshot.verify_repository",
 "snapshot.get"
 ],
- "source": [
- "source.*",
- "source.head",
- "source.get"
- ],
+
 "tasks": [
+ "tasks.*",
 "tasks.list",
 "tasks.cancel",
 "tasks.get"
diff --git a/internal/biz/permission.go b/internal/biz/permission.go
index c2d2af7a..d8f0cbb6 100644
--- a/internal/biz/permission.go
+++ b/internal/biz/permission.go
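Review bot: The `reindex`, `render_search_template` and `scroll` groups are rewritten to dotted names only (`reindex.*`, `reindex.rethrottle`, `render_search_template.*`, `scroll.*`), but config/map.json in this same commit still resolves those routes to the dotless `reindex`, `reindex_rethrottle`, `render_search_template`, `scroll` and `search_template`. A dotless name can satisfy neither the exact comparison nor the `prefix + ".*"` comparison in the new `ValidateCluster`, and there `strings.Index(privilege, ".")` returns -1, so slicing `privilege[:-1]` panics instead of denying the request. Either rename the map.json values to the dotted names listed here or keep the old group entries, and have the validator reject a name without a dot explicitly.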
@@ -22,11 +22,11 @@ type Role struct { } `json:"index,omitempty"` } type RolePermission struct { - Platform []string `json:"platform,omitempty"` - Cluster []string `json:"cluster"` - ClusterPrivilege []string `json:"cluster_privilege"` - Index []string `json:"index"` - IndexPrivilege []string `json:"index_privilege"` + Platform []string `json:"platform,omitempty"` + Cluster []string `json:"cluster"` + ClusterPrivilege []string `json:"cluster_privilege"` + Index []string `json:"index"` + IndexPrivilege map[string][]string `json:"index_privilege"` } type ConsolePermisson struct { Platform []Platform `json:"platform"` diff --git a/internal/biz/role.go b/internal/biz/role.go index 8a927102..74e2bb00 100644 --- a/internal/biz/role.go +++ b/internal/biz/role.go @@ -306,10 +306,7 @@ func GetRole(id string) (role rbac.Role, err error) { } return } -func ListRoleByName(names []string) (roles []rbac.Role, err error) { - return -} func SearchRole(keyword string, from, size int) (roles orm.Result, err error) { query := orm.Query{} diff --git a/internal/biz/user.go b/internal/biz/user.go index b9a1f3f1..fef24840 100644 --- a/internal/biz/user.go +++ b/internal/biz/user.go @@ -75,6 +75,7 @@ func CreateUser(localUser *User, req dto.CreateUser) (id string, err error) { Name: v.Name, }) } + hash, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost) if err != nil { @@ -237,3 +238,6 @@ func SearchUser(keyword string, from, size int) (users orm.Result, err error) { return } +func UpdateUserPassword(localUser *User, id string, password string) (err error) { + return +} diff --git a/internal/biz/validate.go b/internal/biz/validate.go index 80e6a818..ccab4af0 100644 --- a/internal/biz/validate.go +++ b/internal/biz/validate.go 
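Review bot: `RolePermission.IndexPrivilege` changes from a flat `[]string` to `map[string][]string` with no comment saying what the key is, and the struct itself carries no doc comment. From the way `CombineUserRoles` fills it (`m[name] = v.Privilege` for each entry of `v.Name`), a line such as `// IndexPrivilege maps an index name to the privilege names granted on that index.` above the field would make the contract visible to `ValidateIndex`'s callers. The JSON tag stays `index_privilege`, so any stored or client-side payload still in the old array shape will fail to decode into the map — worth confirming nothing persists this struct.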
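Review bot: `UpdateUserPassword` is a stub whose bare `return` yields a nil error, so any caller wired to it is told the password was changed although `localUser`, `id` and `password` are never used. Until it is implemented it should fail rather than succeed silently, e.g. `return errors.New("update user password: not implemented")` (using whichever error package user.go already imports), or be left out of this commit altogether.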
@@ -3,75 +3,61 @@ package biz import ( "errors" httprouter "infini.sh/framework/core/api/router" - "net/http" + "strings" ) type EsRequest struct { - Method string `json:"method"` - Cluster []string `json:"cluster"` - - Index []string `json:"index"` - Doc string `json:"doc"` - Path string `json:"path"` + Doc string `json:"doc"` + Privilege string `json:"privilege"` + ClusterRequest + IndexRequest +} +type ClusterRequest struct { + Cluster []string `json:"cluster"` + Privilege []string `json:"privilege"` +} +type IndexRequest struct { + Cluster []string `json:"cluster"` + Index []string `json:"index"` + Privilege []string `json:"privilege"` } -func NewEsRequest(r *http.Request, ps httprouter.Params) EsRequest { - - //GET elasticsearch/c6dgjtgvi076f32oibj0/index/test/_mappings - clusterId := ps.ByName("id") +func NewIndexRequest(ps httprouter.Params, privilege []string) IndexRequest { index := ps.ByName("index") - - doc := ps.ByName("docId") - //如果index存在,说明调用的是index api - return EsRequest{ - Cluster: []string{clusterId}, - Index: []string{index}, - Doc: doc, - Path: r.URL.Path, - Method: r.Method, + clusterId := ps.ByName("id") + return IndexRequest{ + Cluster: []string{clusterId}, + Index: []string{index}, + Privilege: privilege, } } -func ValidateEsPermission(req EsRequest, userRole RolePermission) (err error) { - - route, err := EsApiRoutes.Handle(req.Method, req.Path) - if err != nil { - - return +func NewClusterRequest(ps httprouter.Params, privilege []string) ClusterRequest { + clusterId := ps.ByName("id") + return ClusterRequest{ + Cluster: []string{clusterId}, + Privilege: privilege, } - if len(req.Index) > 0 { - err = validateIndex(req, userRole, route) - if err != nil { - return err - } - } - err = validateCluster(req, userRole, route) - return } -func validateIndex(req EsRequest, userRole RolePermission, route string) (err error) { + +//func ValidateEsPermission(req EsRequest, userRole RolePermission) (err error) { +// +// route, err := 
EsApiRoutes.Handle(req.Method, req.Path) +// if err != nil { +// +// return +// } +// if len(req.Index) > 0 { +// err = ValidateIndex(req, userRole, route) +// if err != nil { +// return err +// } +// } +// err = ValidateCluster(req, userRole, route) +// return +//} +func ValidateIndex(req IndexRequest, userRole RolePermission) (err error) { userIndexMap := make(map[string]struct{}) - privilegeMap := make(map[string]struct{}) - for _, v := range userRole.Index { - userIndexMap[v] = struct{}{} - } - for _, v := range userRole.IndexPrivilege { - privilegeMap[v] = struct{}{} - } - for _, v := range req.Index { - if _, ok := userIndexMap[v]; !ok { - err = errors.New("no index permission") - return - } - } - - if _, ok := privilegeMap[route]; !ok { - err = errors.New("no index api permission") - return - } - - return -} -func validateCluster(req EsRequest, userRole RolePermission, route string) (err error) { userClusterMap := make(map[string]struct{}) for _, v := range userRole.Cluster { userClusterMap[v] = struct{}{} 
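Review bot: `EsRequest` now embeds both `ClusterRequest` and `IndexRequest`, each of which declares `Cluster` and `Privilege`, and on top declares its own `Privilege string`; `req.Cluster` on an `EsRequest` is therefore an ambiguous selector (a compile error at any use site), and because both embedded `Cluster` fields carry the same `json:"cluster"` tag at the same depth, encoding/json silently drops that field altogether. Since `ValidateEsPermission` is commented out and nothing visible constructs `EsRequest`, the cleaner fix is to delete the type together with the commented-out function rather than leave it half-converted; if it is still needed, give it a single `Cluster []string` field instead of the double embedding. `ValidateIndex` begins at the end of this hunk and its body continues into the next one.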
@@ -82,19 +68,68 @@ func validateCluster(req EsRequest, userRole RolePermission, route string) (err return } } + for _, v := range userRole.Index { + userIndexMap[v] = struct{}{} + } - for _, v := range userRole.ClusterPrivilege { - if v == route { - return nil + for _, v := range req.Index { + if _, ok := userIndexMap[v]; !ok { + err = errors.New("no index permission") + return } } + for _, val := range req.Privilege { + prefix := val[:strings.Index(val, ".")] + for _, v := range req.Index { + privilege, ok := userRole.IndexPrivilege[v] + if !ok { + err = errors.New("no index api permission in user role") + return err + } + for _, p := range privilege { + if p == prefix+".*" { + return nil + } + if p == val { + return nil + } + } + } + } + + return errors.New("no index api permission in user role") +} +func ValidateCluster(req ClusterRequest, userRole RolePermission) (err error) { + userClusterMap := make(map[string]struct{}) + for _, v := range userRole.Cluster { + userClusterMap[v] = struct{}{} + } + for _, v := range req.Cluster { + if _, ok := userClusterMap[v]; !ok { + err = errors.New("no cluster permission") + return + } + } + // if include api.* for example: cat.* , return nil + for _, privilege := range req.Privilege { + prefix := privilege[:strings.Index(privilege, ".")] + for _, v := range userRole.ClusterPrivilege { + if v == prefix+".*" { + + return nil + } + if v == privilege { + return nil + } + } + } + return errors.New("no cluster api permission") } -func FilterCluster() { -} func CombineUserRoles(roleNames []string) RolePermission { newRole := RolePermission{} + m := make(map[string][]string) for _, val := range roleNames { role := RoleMap[val] for _, v := range role.Cluster { 
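Review bot: `val[:strings.Index(val, ".")]` in `ValidateIndex` and the same expression on `privilege` in `ValidateCluster` panic when the name has no dot, since `strings.Index` returns -1 and a negative slice bound is a runtime panic; several values this commit leaves in config/map.json (`reindex`, `scroll`, `search_template`, `count`) are exactly such names, so the guard would crash the request instead of denying it. The nested loops also `return nil` on the first hit, which grants the call when any single requested index carries any single requested privilege, whereas an authorization check should require every entry of `req.Privilege` on every entry of `req.Index` (the cluster loop has the same any-of semantics across `req.Privilege`). The rewrite below denies dotless names, keeps the deny-on-empty behaviour of the current code, and only succeeds when all pairs match; `ValidateIndex` starts in the previous hunk and the cluster- and index-membership checks above this point are unchanged.
```go
	// … unchanged: cluster and index membership checks …
	// Every requested privilege must be held on every requested index;
	// returning on the first hit would admit a request that names one
	// permitted index alongside unpermitted ones.
	if len(req.Privilege) == 0 {
		return errors.New("no index api permission in user role")
	}
	for _, val := range req.Privilege {
		dot := strings.Index(val, ".")
		if dot < 0 {
			// a name without a namespace can never match, and val[:-1] would panic
			return errors.New("no index api permission in user role")
		}
		wildcard := val[:dot] + ".*"
		for _, v := range req.Index {
			if !hasPrivilege(userRole.IndexPrivilege[v], val, wildcard) {
				return errors.New("no index api permission in user role")
			}
		}
	}
	return nil
}

// hasPrivilege reports whether granted contains name itself or its
// namespace wildcard (e.g. "indices.*" for "indices.get_mapping").
func hasPrivilege(granted []string, name, wildcard string) bool {
	for _, p := range granted {
		if p == name || p == wildcard {
			return true
		}
	}
	return false
}

func ValidateCluster(req ClusterRequest, userRole RolePermission) (err error) {
	// … unchanged: cluster membership check …
	if len(req.Privilege) == 0 {
		return errors.New("no cluster api permission")
	}
	for _, privilege := range req.Privilege {
		dot := strings.Index(privilege, ".")
		if dot < 0 || !hasPrivilege(userRole.ClusterPrivilege, privilege, privilege[:dot]+".*") {
			return errors.New("no cluster api permission")
		}
	}
	return nil
}
```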
@@ -108,8 +143,17 @@ func CombineUserRoles(roleNames []string) RolePermission { } for _, v := range role.Index { newRole.Index = append(newRole.Index, v.Name...) - newRole.IndexPrivilege = append(newRole.IndexPrivilege, v.Privilege...) + for _, name := range v.Name { + if _, ok := m[name]; ok { + m[name] = append(m[name], v.Privilege...) + } else { + m[name] = v.Privilege + } + + } + } } + newRole.IndexPrivilege = m return newRole } diff --git a/internal/biz/validate_test.go b/internal/biz/validate_test.go index cd7fc47f..caf1e9ab 100644 --- a/internal/biz/validate_test.go +++ b/internal/biz/validate_test.go @@ -7,7 +7,7 @@ import ( func Test_validateIndex(t *testing.T) { type args struct { - req EsRequest + req IndexRequest userRole RolePermission route string } 
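Review bot: `m[name] = v.Privilege` stores the role definition's own slice in the map, so when a later role grants the same index the `append(m[name], v.Privilege...)` branch may write into the backing array of `RoleMap[val].Index[i].Privilege` whenever it has spare capacity, and combinations computed for other users can then overwrite entries a previous result still references (a data race across requests). Since `append` to a nil slice already allocates, the whole `if/else` collapses to the aliasing-free `m[name] = append(m[name], v.Privilege...)`. `CombineUserRoles` starts in the previous hunk.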
@@ -16,64 +16,64 @@ func Test_validateIndex(t *testing.T) { args args want string }{ - {"no index permission", - args{ - req: EsRequest{ - Method: "GET", - Cluster: []string{"cluster1"}, - Index: []string{"index2"}, - Path: "/index1/_mapping", - }, - userRole: RolePermission{ - Cluster: []string{ - "cluster1", - }, - Index: []string{ - "index1", - }, - ClusterPrivilege: []string{ - "cat.*", - }, - IndexPrivilege: []string{ - "indices.get_mapping", - }, - }, - route: "indices.get_mapping", - }, "no index permission", - }, - {"no index api permission", - args{ - req: EsRequest{ - Method: "GET", - Cluster: []string{"cluster1"}, - Index: []string{"index1"}, - Path: "/index1/_mapping", - }, - userRole: RolePermission{ - Cluster: []string{ - "cluster1", - }, - Index: []string{ - - "index1", - }, - ClusterPrivilege: []string{ - "cat.*", - }, - IndexPrivilege: []string{ - "indices.delete", - }, - }, - route: "indices.get_mapping", - }, - "no index api permission", - }, + //{"no index permission", + // args{ + // req: EsRequest{ + // Method: "GET", + // Cluster: []string{"cluster1"}, + // Index: []string{"index2"}, + // Path: "/index1/_mapping", + // }, + // userRole: RolePermission{ + // Cluster: []string{ + // "cluster1", + // }, + // Index: []string{ + // "index1", + // }, + // ClusterPrivilege: []string{ + // "cat.*", + // }, + // IndexPrivilege: []string{ + // "indices.get_mapping", + // }, + // }, + // route: "indices.get_mapping", + // }, "no index permission", + //}, + //{"no index api permission", + // args{ + // req: EsRequest{ + // Method: "GET", + // Cluster: []string{"cluster1"}, + // Index: []string{"index1"}, + // Path: "/index1/_mapping", + // }, + // userRole: RolePermission{ + // Cluster: []string{ + // "cluster1", + // }, + // Index: []string{ + // + // "index1", + // }, + // ClusterPrivilege: []string{ + // "cat.*", + // }, + // IndexPrivilege: []string{ + // "indices.delete", + // }, + // }, + // route: "indices.get_mapping", + // }, + // "no index api 
permission", + //}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got := validateIndex(tt.args.req, tt.args.userRole, tt.args.route) + got := ValidateIndex(tt.args.req, tt.args.userRole) assert.EqualError(t, got, tt.want) }) @@ -81,9 +81,8 @@ func Test_validateIndex(t *testing.T) { } func Test_validateCluster(t *testing.T) { type args struct { - req EsRequest + req ClusterRequest userRole RolePermission - route string } tests := []struct { name string @@ -92,11 +91,10 @@ func Test_validateCluster(t *testing.T) { }{ {"no cluster permission", args{ - req: EsRequest{ - Method: "GET", - Cluster: []string{"cluster1"}, - Index: []string{"index2"}, - Path: "/index1/_mapping", + req: ClusterRequest{ + + Cluster: []string{"cluster1"}, + Privilege: []string{"indices.get_mapping"}, }, userRole: RolePermission{ Cluster: []string{ @@ -108,20 +106,15 @@ func Test_validateCluster(t *testing.T) { ClusterPrivilege: []string{ "cat.*", }, - IndexPrivilege: []string{ - "indices.get_mapping", - }, }, - route: "indices.get_mapping", }, "no cluster permission", }, {"no cluster api permission", args{ - req: EsRequest{ - Method: "GET", - Cluster: []string{"cluster1"}, - Index: []string{"index1"}, - Path: "/index1/_mapping", + req: ClusterRequest{ + + Cluster: []string{"cluster1"}, + Privilege: []string{"indices.get_mapping"}, }, userRole: RolePermission{ Cluster: []string{ @@ -134,11 +127,7 @@ func Test_validateCluster(t *testing.T) { ClusterPrivilege: []string{ "cat.*", }, - IndexPrivilege: []string{ - "indices.delete", - }, }, - route: "indices.get_mapping", }, "no cluster api permission", }, @@ -147,7 +136,7 @@ func Test_validateCluster(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got := validateCluster(tt.args.req, tt.args.userRole, tt.args.route) + got := ValidateCluster(tt.args.req, tt.args.userRole) assert.EqualError(t, got, tt.want) }) 
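Review bot: Both table entries in `Test_validateIndex` are commented out rather than ported, so the test compiles but runs zero cases and the new `ValidateIndex` ships unexercised, while `args.route` is kept in the struct although it is no longer passed (see the `@@ -7` hunk). The old cases translate directly to the new shapes, e.g. `req: IndexRequest{Cluster: []string{"cluster1"}, Index: []string{"index2"}, Privilege: []string{"indices.get_mapping"}}` with `IndexPrivilege: map[string][]string{"index1": {"indices.get_mapping"}}` for the "no index permission" case. A case listing two indices of which only one carries the privilege would additionally pin the intended all-indices semantics.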
diff --git a/internal/middleware/user.go b/internal/middleware/user.go
index 9e6c0579..cc919d2e 100644
--- a/internal/middleware/user.go
+++ b/internal/middleware/user.go
@@ -19,21 +19,60 @@ func LoginRequired(h httprouter.Handle) httprouter.Handle { h(w, r, ps) } } +func IndexRequired(h httprouter.Handle, route ...string) httprouter.Handle { + + return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { + //claims, err := biz.ValidateLogin(r.Header.Get("Authorization")) + //if err != nil { + // w = handleError(w, http.StatusUnauthorized, err) + // return + //} + //newRole := biz.CombineUserRoles(claims.Roles) + // + //indexReq := biz.NewIndexRequest(ps, route) + // + //err = biz.ValidateIndex(indexReq, newRole) + //if err != nil { + // w = handleError(w, http.StatusForbidden, err) + // return + //} + h(w, r, ps) + } +} +func ClusterRequired(h httprouter.Handle, route ...string) httprouter.Handle { + + return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { + //claims, err := biz.ValidateLogin(r.Header.Get("Authorization")) + //if err != nil { + // w = handleError(w, http.StatusUnauthorized, err) + // return + //} + //newRole := biz.CombineUserRoles(claims.Roles) + //clusterReq := biz.NewClusterRequest(ps, route) + // + //err = biz.ValidateCluster(clusterReq, newRole) + //if err != nil { + // w = handleError(w, http.StatusForbidden, err) + // return + //} + h(w, r, ps) + } +} func EsPermissionRequired(h httprouter.Handle) httprouter.Handle { return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { - claims, err := biz.ValidateLogin(r.Header.Get("Authorization")) - if err != nil { - w = handleError(w, http.StatusUnauthorized, err) - return - } - req := biz.NewEsRequest(r, ps) - newRole := biz.CombineUserRoles(claims.Roles) - err = biz.ValidateEsPermission(req, newRole) - if err != nil { - w = handleError(w, http.StatusForbidden, err) - return - } + //claims, err := biz.ValidateLogin(r.Header.Get("Authorization")) + //if err != nil { + // w = handleError(w, http.StatusUnauthorized, err) + // return + //} + //req := biz.NewEsRequest(r, ps) + //newRole := 
biz.CombineUserRoles(claims.Roles) + //err = biz.ValidateEsPermission(req, newRole) + //if err != nil { + // w = handleError(w, http.StatusForbidden, err) + // return + //} h(w, r, ps) } } diff --git a/plugin/api/init.go b/plugin/api/init.go index df7775d2..c7086030 100644 --- a/plugin/api/init.go +++ b/plugin/api/init.go @@ -2,6 +2,7 @@ package api import ( "infini.sh/console/config" + m "infini.sh/console/internal/middleware" "infini.sh/console/plugin/api/alerting" "infini.sh/console/plugin/api/index_management" "infini.sh/framework/core/api" 
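Review bot: `IndexRequired` and `ClusterRequired` have their entire login and permission checks commented out, and `EsPermissionRequired` loses the checks it previously enforced, so all three middlewares are now pass-through wrappers and every handler registered with them in plugin/api/init.go is reachable without a valid `Authorization` header or any role. If the checks are disabled only while the validator is reworked, this must not ship in that state; otherwise restore the bodies as the commented lines have them (`claims, err := biz.ValidateLogin(r.Header.Get("Authorization"))`, `err = biz.ValidateIndex(biz.NewIndexRequest(ps, route), biz.CombineUserRoles(claims.Roles))`) and return 401/403 through `handleError`. The `route` parameter is currently unused by either new function, which a `go vet`-style reviewer would flag as well.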
@@ -23,22 +24,23 @@ func Init(cfg *config.AppConfig) { //api.HandleAPIMethod(api.GET, "/api/dict/:id",handler.GetDictItemAction) api.HandleAPIMethod(api.DELETE, path.Join(pathPrefix, "dict/:id"), handler.DeleteDictItemAction) api.HandleAPIMethod(api.PUT, path.Join(pathPrefix, "dict/:id"), handler.UpdateDictItemAction) + api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index/_search"), handler.HandleSearchDocumentAction) api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index"), handler.HandleAddDocumentAction) api.HandleAPIMethod(api.PUT, path.Join(esPrefix, "doc/:index/:docId"), handler.HandleUpdateDocumentAction) - api.HandleAPIMethod(api.DELETE, path.Join(esPrefix, "doc/:index/:docId"), handler.HandleDeleteDocumentAction) + api.HandleAPIMethod(api.DELETE, path.Join(esPrefix, "doc/:index/:docId"), m.ClusterRequired(handler.HandleDeleteDocumentAction, "doc.delete")) api.HandleAPIMethod(api.GET, path.Join(esPrefix, "doc/_validate"), handler.ValidateDocIDAction) api.HandleAPIMethod(api.POST, path.Join(pathPrefix, "rebuild/*id"), handler.HandleReindexAction) api.HandleAPIMethod(api.GET, path.Join(pathPrefix, "rebuild/_search"), handler.HandleGetRebuildListAction) api.HandleAPIMethod(api.DELETE, path.Join(pathPrefix, "rebuild/:id"), handler.HandleDeleteRebuildAction) - api.HandleAPIMethod(api.GET, path.Join(esPrefix, "_cat/indices"), handler.HandleGetIndicesAction) - api.HandleAPIMethod(api.GET, path.Join(esPrefix, "index/:index/_mappings"), handler.HandleGetMappingsAction) - api.HandleAPIMethod(api.GET, path.Join(esPrefix, "index/:index/_settings"), handler.HandleGetSettingsAction) - api.HandleAPIMethod(api.PUT, path.Join(esPrefix, "index/:index/_settings"), handler.HandleUpdateSettingsAction) - api.HandleAPIMethod(api.DELETE, path.Join(esPrefix, "index/:index"), handler.HandleDeleteIndexAction) - api.HandleAPIMethod(api.POST, path.Join(esPrefix, "index/:index"), handler.HandleCreateIndexAction) + api.HandleAPIMethod(api.GET, path.Join(esPrefix, 
"_cat/indices"), m.ClusterRequired(handler.HandleGetIndicesAction, "cat.indices")) + api.HandleAPIMethod(api.GET, path.Join(esPrefix, "index/:index/_mappings"), m.IndexRequired(handler.HandleGetMappingsAction, "indices.get_mapping")) + api.HandleAPIMethod(api.GET, path.Join(esPrefix, "index/:index/_settings"), m.IndexRequired(handler.HandleGetSettingsAction, "indices.get_settings")) + api.HandleAPIMethod(api.PUT, path.Join(esPrefix, "index/:index/_settings"), m.IndexRequired(handler.HandleUpdateSettingsAction, "indices.put_mapping")) + api.HandleAPIMethod(api.DELETE, path.Join(esPrefix, "index/:index"), m.IndexRequired(handler.HandleDeleteIndexAction, "indices.delete")) + api.HandleAPIMethod(api.POST, path.Join(esPrefix, "index/:index"), m.IndexRequired(handler.HandleCreateIndexAction, "indices.create")) api.HandleAPIMethod(api.POST, path.Join(pathPrefix, "elasticsearch/command"), handler.HandleAddCommonCommandAction) api.HandleAPIMethod(api.PUT, path.Join(pathPrefix, "elasticsearch/command/:cid"), handler.HandleSaveCommonCommandAction) diff --git a/plugin/api/rbac/api.go b/plugin/api/rbac/api.go index c34ef3af..3997ce28 100644 --- a/plugin/api/rbac/api.go +++ b/plugin/api/rbac/api.go @@ -74,6 +74,29 @@ func loadRolePermission() { biz.RoleMap["admin"] = biz.Role{ Platform: enum.AdminPrivilege, + Cluster: []struct { + Id string `json:"id"` + Name string `json:"name"` + }{ + { + Id: "c97rd2les10hml00pgh0", + Name: "docker-cluster", + }, + }, + ClusterPrivilege: []string{"cat.*"}, + Index: []struct { + Name []string `json:"name"` + Privilege []string `json:"privilege"` + }{ + { + Name: []string{".infini_rbac-role"}, + Privilege: []string{"indices.get_mapping"}, + }, + { + Name: []string{".infini_rbac-user", ".infini_rbac-role"}, + Privilege: []string{"cat.*"}, + }, + }, } res, err := biz.SearchRole("", 0, 100) if err != nil {
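Review bot: The new `doc/:index/_search` route, and the kept `doc/:index` POST and `doc/:index/:docId` PUT registrations, have no `m.IndexRequired`/`m.ClusterRequired` wrapper while the sibling document DELETE gets one, so search, create and update on documents stay unguarded. `HandleUpdateSettingsAction` on `index/:index/_settings` is wrapped with `"indices.put_mapping"`, which names a mapping operation rather than the settings write it guards (its GET sibling uses `indices.get_settings`); presumably the settings counterpart in the Elasticsearch API naming this file follows (`indices.put_settings`) was intended — confirm it is listed in permission.json. The document DELETE is checked with `ClusterRequired` even though the route carries `:index`, so the per-index privilege map built by `CombineUserRoles` is bypassed for it; `m.IndexRequired(handler.HandleDeleteDocumentAction, "doc.delete")` would apply the index-scoped check.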