update platform permission enum
This commit is contained in:
liugq
parent
51497469e4
commit
abe934cef3
|
|
@ -41,59 +41,90 @@ const (
|
|||
|
||||
ClusterOverviewRead = "cluster.overview:read"
|
||||
ClusterOverviewAll = "cluster.overview:all"
|
||||
ElasticsearchRead = "cluster.elasticsearch:read"
|
||||
ElasticsearchAll = "cluster.elasticsearch:all"
|
||||
MonitoringRead = "cluster.monitoring:read"
|
||||
MonitoringAll = "cluster.monitoring:all"
|
||||
ActivitiesRead = "cluster.activities:read"
|
||||
ActivitiesAll = "cluster.activities:all"
|
||||
)
|
||||
|
||||
const (
|
||||
PermissionUserRead string = "user:read"
|
||||
PermissionUserWrite = "user:write"
|
||||
PermissionRoleRead = "role:read"
|
||||
PermissionRoleWrite = "role:write"
|
||||
PermissionCommandRead = "command:read"
|
||||
PermissionCommandWrite = "command:write"
|
||||
PermissionElasticsearchClusterRead = "es.cluster:read"
|
||||
PermissionElasticsearchClusterWrite = "es.cluster:write" // es cluster
|
||||
PermissionElasticsearchIndexRead = "es.index:read"
|
||||
PermissionElasticsearchIndexWrite = "es.index:write" // es index metadata
|
||||
PermissionElasticsearchNodeRead = "es.node:read" //es node metadata
|
||||
PermissionActivityRead = "activity:read"
|
||||
PermissionActivityWrite = "activity:write"
|
||||
PermissionAlertRuleRead = "alert.rule:read"
|
||||
PermissionAlertRuleWrite = "alert.rule:write"
|
||||
PermissionAlertHistoryRead = "alert.history:read"
|
||||
PermissionAlertHistoryWrite = "alert.history:write"
|
||||
PermissionAlertChannelRead = "alert.channel:read"
|
||||
PermissionAlertChannelWrite = "alert.channel:write"
|
||||
PermissionViewRead = "view:read"
|
||||
PermissionViewWrite = "view:write"
|
||||
PermissionGatewayInstanceRead = "gateway.instance:read"
|
||||
PermissionGatewayInstanceWrite = "gateway.instance:write"
|
||||
PermissionGatewayEntryRead = "gateway.entry:read"
|
||||
PermissionGatewayEntryWrite = "gateway.entry:write"
|
||||
PermissionGatewayRouterRead = "gateway.router:read"
|
||||
PermissionGatewayRouterWrite = "gateway.router:write"
|
||||
PermissionGatewayFlowRead = "gateway.flow:read"
|
||||
PermissionGatewayFlowWrite = "gateway.flow:write"
|
||||
PermissionElasticsearchMetricRead = "es.metric:read"
|
||||
)
|
||||
|
||||
var (
|
||||
UserReadPermission = []string{"user:read"}
|
||||
UserAllPermission = []string{"user:read", "user:write"}
|
||||
UserReadPermission = []string{PermissionUserRead}
|
||||
UserAllPermission = []string{PermissionUserRead, PermissionUserWrite,PermissionRoleRead}
|
||||
|
||||
RoleReadPermission = []string{"role:read"}
|
||||
RoleAllPermission = []string{"role:read", "role:write"}
|
||||
RoleReadPermission = []string{PermissionRoleRead}
|
||||
RoleAllPermission = []string{PermissionRoleRead, PermissionRoleWrite}
|
||||
|
||||
ClusterReadPermission = []string{"cluster:read"}
|
||||
ClusterAllPermission = []string{"cluster:read", "cluster:write"}
|
||||
ClusterReadPermission = []string{PermissionElasticsearchClusterRead}
|
||||
ClusterAllPermission = []string{PermissionElasticsearchClusterRead, PermissionElasticsearchClusterWrite}
|
||||
|
||||
CommandReadPermission = []string{"command:read"}
|
||||
CommandAllPermission = []string{"command:read", "command:write"}
|
||||
CommandReadPermission = []string{PermissionCommandRead}
|
||||
CommandAllPermission = []string{PermissionCommandRead, PermissionCommandWrite}
|
||||
|
||||
InstanceReadPermission = []string{"instance:read"}
|
||||
InstanceAllPermission = []string{"instance:read", "instance:write"}
|
||||
InstanceReadPermission = []string{PermissionGatewayInstanceRead}
|
||||
InstanceAllPermission = []string{PermissionGatewayInstanceRead,PermissionGatewayInstanceWrite}
|
||||
|
||||
EntryReadPermission = []string{"entry:read"}
|
||||
EntryAllPermission = []string{"entry:read", "entry:write"}
|
||||
EntryReadPermission = []string{PermissionGatewayEntryRead}
|
||||
EntryAllPermission = []string{PermissionGatewayEntryRead, PermissionGatewayEntryWrite}
|
||||
|
||||
RouterReadPermission = []string{"router:read"}
|
||||
RouterAllPermission = []string{"router:read", "entry:write"}
|
||||
RouterReadPermission = []string{PermissionGatewayRouterRead}
|
||||
RouterAllPermission = []string{PermissionGatewayRouterRead, PermissionGatewayRouterWrite}
|
||||
|
||||
FlowReadPermission = []string{"flow:read"}
|
||||
FlowAllPermission = []string{"flow:read", "flow:write"}
|
||||
FlowReadPermission = []string{PermissionGatewayFlowRead}
|
||||
FlowAllPermission = []string{PermissionGatewayFlowRead, PermissionGatewayFlowWrite}
|
||||
|
||||
IndexAllPermission = []string{"index:read"}
|
||||
IndexReadPermission = []string{"index:read", "index:write"}
|
||||
ViewsAllPermission = []string{"views:read"}
|
||||
ViewsReadPermission = []string{"views:read", "views:write"}
|
||||
DiscoverReadPermission = []string{"discover:read"}
|
||||
DiscoverAllPermission = []string{"discover:read", "discover:write"}
|
||||
ViewsAllPermission = []string{PermissionViewRead}
|
||||
ViewsReadPermission = []string{PermissionViewRead, PermissionViewWrite}
|
||||
DiscoverReadPermission = []string{PermissionViewRead}
|
||||
DiscoverAllPermission = []string{PermissionViewRead}
|
||||
|
||||
RuleReadPermission = []string{"rule:read"}
|
||||
RuleAllPermission = []string{"rule:read", "rule:write"}
|
||||
AlertReadPermission = []string{"alert:read"}
|
||||
AlertAllPermission = []string{"alert:read", "alert:write"}
|
||||
ChannelReadPermission = []string{"channel:read"}
|
||||
ChannelAllPermission = []string{"channel:read", "channel:write"}
|
||||
RuleReadPermission = []string{PermissionAlertRuleRead}
|
||||
RuleAllPermission = []string{PermissionAlertRuleRead, PermissionAlertRuleWrite}
|
||||
AlertReadPermission = []string{PermissionAlertHistoryRead}
|
||||
AlertAllPermission = []string{PermissionAlertHistoryRead, PermissionAlertHistoryWrite}
|
||||
ChannelReadPermission = []string{PermissionAlertChannelRead}
|
||||
ChannelAllPermission = []string{PermissionAlertChannelRead, PermissionAlertChannelWrite}
|
||||
|
||||
ClusterOverviewReadPermission = []string{"clusterOverview:read"}
|
||||
ClusterOverviewAllPermission = []string{"clusterOverview:read", "clusterOverview:write"}
|
||||
ClusterOverviewReadPermission = []string{PermissionElasticsearchClusterRead, PermissionElasticsearchIndexRead, PermissionElasticsearchNodeRead, PermissionElasticsearchMetricRead}
|
||||
ClusterOverviewAllPermission = ClusterOverviewReadPermission
|
||||
MonitoringReadPermission = ClusterOverviewAllPermission
|
||||
|
||||
ElasticsearchReadPermission = []string{"elasticsearch:read"}
|
||||
ElasticsearchAllPermission = []string{"elasticsearch:read", "elasticsearch:write"}
|
||||
|
||||
ActivitiesReadPermission = []string{"activities:read"}
|
||||
ActivitiesAllPermission = []string{"activities:read", "activities:write"}
|
||||
ActivitiesReadPermission = []string{PermissionActivityRead}
|
||||
ActivitiesAllPermission = []string{PermissionActivityRead, PermissionActivityWrite}
|
||||
)
|
||||
|
||||
var AdminPrivilege = []string{
|
||||
|
|
@ -101,7 +132,7 @@ var AdminPrivilege = []string{
|
|||
InstanceAll, EntryAll, RouterAll, FlowAll,
|
||||
IndexAll, ViewsAll, DiscoverAll,
|
||||
RuleAll, AlertAll, ChannelAll,
|
||||
ClusterOverviewAll, ElasticsearchAll, ActivitiesAll,
|
||||
ClusterOverviewAll, MonitoringAll, ActivitiesAll,
|
||||
}
|
||||
|
||||
var BuildRoles = make(map[string]map[string]interface{}, 0)
|
||||
|
|
@ -111,7 +142,7 @@ func init() {
|
|||
BuildRoles["admin"] = map[string]interface{}{
|
||||
"id": "admin",
|
||||
"name": "管理员",
|
||||
"type": "console",
|
||||
"type": "platform",
|
||||
"platform": AdminPrivilege,
|
||||
"builtin": true,
|
||||
"description": "is admin",
|
||||
|
|
@ -152,8 +183,8 @@ func init() {
|
|||
|
||||
ClusterOverviewRead: ClusterOverviewReadPermission,
|
||||
ClusterOverviewAll: ClusterOverviewAllPermission,
|
||||
ElasticsearchAll: ElasticsearchAllPermission,
|
||||
ElasticsearchRead: ElasticsearchReadPermission,
|
||||
MonitoringAll: MonitoringReadPermission,
|
||||
MonitoringRead: MonitoringReadPermission,
|
||||
ActivitiesAll: ActivitiesAllPermission,
|
||||
ActivitiesRead: ActivitiesReadPermission,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@ type RolePermission struct {
|
|||
IndexPrivilege map[string][]string `json:"index_privilege"`
|
||||
}
|
||||
|
||||
|
||||
func ListElasticsearchPermission() interface{} {
|
||||
list := ElasticsearchPermission{
|
||||
ClusterPrivileges: ClusterApis,
|
||||
|
|
|
|||
|
|
@ -191,7 +191,7 @@ func ValidateLogin(authorizationHeader string) (clams *UserClaims, err error) {
|
|||
err = errors.New("user id is empty")
|
||||
return
|
||||
}
|
||||
fmt.Println("user token", clams.UserId, TokenMap[clams.UserId])
|
||||
//fmt.Println("user token", clams.UserId, TokenMap[clams.UserId])
|
||||
tokenVal, ok := TokenMap[clams.UserId]
|
||||
if !ok {
|
||||
err = errors.New("token is invalid")
|
||||
|
|
@ -227,12 +227,6 @@ func ValidatePermission(claims *UserClaims, permissions []string) (err error) {
|
|||
if _, ok := RoleMap[role]; ok {
|
||||
for _, v := range RoleMap[role].Privilege.Platform {
|
||||
userPermissions = append(userPermissions, v)
|
||||
|
||||
//all include read
|
||||
if strings.Contains(v, "all") {
|
||||
key := v[:len(v)-3] + "read"
|
||||
userPermissions = append(userPermissions, key)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -244,17 +238,12 @@ func ValidatePermission(claims *UserClaims, permissions []string) (err error) {
|
|||
|
||||
}
|
||||
|
||||
var count int
|
||||
for _, v := range permissions {
|
||||
if _, ok := userPermissionMap[v]; ok {
|
||||
count++
|
||||
continue
|
||||
if _, ok := userPermissionMap[v]; !ok {
|
||||
err = errors.New("permission denied")
|
||||
return
|
||||
}
|
||||
}
|
||||
if count == len(permissions) {
|
||||
return nil
|
||||
}
|
||||
err = errors.New("permission denied")
|
||||
return
|
||||
return nil
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -145,152 +145,3 @@ func TestStringInArray(t *testing.T) {
|
|||
assert.Equal(t, true, util.StringInArray(array, "c"))
|
||||
assert.Equal(t, false, util.StringInArray(array, "h"))
|
||||
}
|
||||
func TestFilterCluster(t *testing.T) {
|
||||
RoleMap["test"] = Role{
|
||||
Cluster: []struct {
|
||||
Id string `json:"id"`
|
||||
Name string `json:"name"`
|
||||
}{
|
||||
{
|
||||
Id: "c97rd2les10hml00pgh0",
|
||||
Name: "docker-cluster",
|
||||
},
|
||||
},
|
||||
ClusterPrivilege: []string{"cat.*"},
|
||||
Index: []struct {
|
||||
Name []string `json:"name"`
|
||||
Privilege []string `json:"privilege"`
|
||||
}{
|
||||
{
|
||||
Name: []string{".infini_rbac-role"},
|
||||
Privilege: []string{"indices.get_mapping"},
|
||||
},
|
||||
{
|
||||
Name: []string{".infini_rbac-user", ".infini_rbac-role"},
|
||||
Privilege: []string{"cat.*"},
|
||||
},
|
||||
},
|
||||
}
|
||||
type args struct {
|
||||
roles []string
|
||||
cluster []string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want []string
|
||||
}{
|
||||
{
|
||||
name: "empty",
|
||||
args: args{
|
||||
roles: []string{"test"},
|
||||
cluster: []string{
|
||||
"cluser1", "cluster2",
|
||||
},
|
||||
},
|
||||
want: []string{},
|
||||
},
|
||||
{
|
||||
name: "one",
|
||||
args: args{
|
||||
roles: []string{"test"},
|
||||
cluster: []string{
|
||||
"cluser1", "cluster2", "c97rd2les10hml00pgh0",
|
||||
},
|
||||
},
|
||||
want: []string{"c97rd2les10hml00pgh0"},
|
||||
},
|
||||
{
|
||||
name: "only",
|
||||
args: args{
|
||||
roles: []string{"test"},
|
||||
cluster: []string{
|
||||
"c97rd2les10hml00pgh0",
|
||||
},
|
||||
},
|
||||
want: []string{"c97rd2les10hml00pgh0"},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got := FilterCluster(tt.args.roles, tt.args.cluster)
|
||||
assert.Equal(t, got, tt.want)
|
||||
})
|
||||
}
|
||||
|
||||
}
|
||||
func TestFilterIndex(t *testing.T) {
|
||||
RoleMap["test"] = Role{
|
||||
Cluster: []struct {
|
||||
Id string `json:"id"`
|
||||
Name string `json:"name"`
|
||||
}{
|
||||
{
|
||||
Id: "c97rd2les10hml00pgh0",
|
||||
Name: "docker-cluster",
|
||||
},
|
||||
},
|
||||
ClusterPrivilege: []string{"cat.*"},
|
||||
Index: []struct {
|
||||
Name []string `json:"name"`
|
||||
Privilege []string `json:"privilege"`
|
||||
}{
|
||||
{
|
||||
Name: []string{".infini_rbac-role"},
|
||||
Privilege: []string{"indices.get_mapping"},
|
||||
},
|
||||
{
|
||||
Name: []string{".infini_rbac-user", ".infini_rbac-role"},
|
||||
Privilege: []string{"cat.*"},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
type args struct {
|
||||
roles []string
|
||||
index []string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want []string
|
||||
}{
|
||||
{
|
||||
name: "empty",
|
||||
args: args{
|
||||
roles: []string{"test"},
|
||||
index: []string{
|
||||
"index1", "index2",
|
||||
},
|
||||
},
|
||||
want: []string{},
|
||||
},
|
||||
{
|
||||
name: "one",
|
||||
args: args{
|
||||
roles: []string{"test"},
|
||||
index: []string{
|
||||
"index1", "index2", ".infini_rbac-user",
|
||||
},
|
||||
},
|
||||
want: []string{".infini_rbac-user"},
|
||||
},
|
||||
{
|
||||
name: "only",
|
||||
args: args{
|
||||
roles: []string{"test"},
|
||||
index: []string{
|
||||
".infini_rbac-user",
|
||||
},
|
||||
},
|
||||
want: []string{".infini_rbac-user"},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got := FilterIndex(tt.args.roles, tt.args.index)
|
||||
assert.Equal(t, got, tt.want)
|
||||
})
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue