New authorizer #349
New authorizer #349
Conversation
# Conflicts: # src/main/java/cn/edu/tsinghua/iotdb/qp/executor/OverflowQPExecutor.java # src/test/java/cn/edu/tsinghua/iotdb/utils/EnvironmentUtils.java
| private static TsfileDBConfig config = TsfileDBDescriptor.getInstance().getConfig(); | ||
| private LocalFileAuthorizer() { | ||
| super(new LocalFileUserManager(config.dataDir + File.separator + "users" + File.separator), | ||
| new cn.edu.tsinghua.iotdb.auth.Role.LocalFileRoleManager(config.dataDir + File.separator + "roles" + File.separator)); |
| CREATE_ROLE, DELETE_ROLE, LIST_ROLE, GRANT_ROLE_PRIVILEGE, REVOKE_ROLE_PRIVILEGE; | ||
|
|
||
| public static boolean isPathRelevant(int type) { | ||
| return type <= DELETE_TIMESERIES.ordinal(); |
There was a problem hiding this comment.
有些权限需要和路径绑定(数据的增删改查),因此需要提供一个路径,而有些不用(用户的增删改查)。这个方法用于判断哪些权限需要路径。
| if (o == null || getClass() != o.getClass()) return false; | ||
| Role role = (Role) o; | ||
| return Objects.equals(name, role.name) && | ||
| Objects.equals(privilegeList, role.privilegeList); |
There was a problem hiding this comment.
这个是ArrayList(实际上是其父类AbstractList)的equals方法。
| try { | ||
| createUser(TsFileDBConstant.ADMIN_NAME, TsFileDBConstant.ADMIN_PW); | ||
| } catch (AuthException e) { | ||
| logger.error("Cannot create admin because {}", e.getMessage()); |
There was a problem hiding this comment.
这个地方创建失败了应该直接抛异常把。不应该在下面显示Admin initialized
|
|
||
| @Override | ||
| public User getUser(String username) throws AuthException { | ||
| lock.readLock(username); |
There was a problem hiding this comment.
是的,需要短暂阻塞对同一用户(或角色)的修改操作。
| import java.util.concurrent.atomic.AtomicInteger; | ||
|
|
||
| /** | ||
| * This class represent a privilege on a specific path. If the privilege is path-free, the path will be null. |
There was a problem hiding this comment.
This class represents a privilege
| public String path; | ||
|
|
||
| /** | ||
| * This field record how many times this privilege is referenced during a life cycle (from being loaded to being discarded). |
| /** | ||
| * Create a user with given username and password. New users will only be granted no privileges. | ||
| * | ||
| * @param username is not null or empty |
There was a problem hiding this comment.
不行,目前要求字符长度至少为4。并且antlr不太可能解析出一个空字符串。
| for(PrivilegeType privilegeType : types) { | ||
| if(s.equalsIgnoreCase(privilegeType.name())) { | ||
| result.add(privilegeType.ordinal()); | ||
| legal = true; |
There was a problem hiding this comment.
这里legal=true了可以break出来了把?还需要后续的判断吗?
|
|
||
| @Override | ||
| public void reset() { | ||
| new File(roleDirPath).mkdirs(); |
There was a problem hiding this comment.
不需要,这个只是为了保证系统启动时相应目录存在,并不是进行清理。
| public List<String> listAllUsers() { | ||
| List<String> rtlist = accessor.listAllUsers(); | ||
| rtlist.sort(null); | ||
| return rtlist; |
There was a problem hiding this comment.
list all user的同步性如何控制?我看底层是对文件进行查询,如果没有lock等同步机制会不会出问题。
因为前边的所有方法都有lock的控制。
There was a problem hiding this comment.
这个操作不保证同步性,也就是说据此拿到的userList可能包含当前已经被删除的用户,但是它表示某一时刻(执行File.list()那一瞬间)的用户存在状态。如果需要对某用户进一步操作,需要使用者自行检查用户的存在性。
| String userName = IOUtils.readString(dataInputStream, STRING_ENCODING, strBufferLocal); | ||
| userList.add(userName); | ||
| } | ||
| user.roleList = userList; |
|
|
||
| @Override | ||
| public List<String> listAllUsers() { | ||
| File roleDir = new File(userDirPath); |
| } | ||
| try { | ||
| locks[i].writeLock().unlock(); | ||
| } catch (Exception ignored) { |
There was a problem hiding this comment.
这里所的unlock是有问题的把?只有lock的线程才有能力unlock,如果是其他现在来unlock是不会起作用的
There was a problem hiding this comment.
这个方法是测试用的,避免某些测试遗漏解锁影响其他测试。
| private static TsfileDBConfig config = TsfileDBDescriptor.getInstance().getConfig(); | ||
| private LocalFileAuthorizer() { | ||
| super(new LocalFileUserManager(config.dataDir + File.separator + "users" + File.separator), | ||
| new cn.edu.tsinghua.iotdb.auth.Role.LocalFileRoleManager(config.dataDir + File.separator + "roles" + File.separator)); |
There was a problem hiding this comment.
这样的import的内容有问题cn.edu.tsinghua.iotdb.auth.Role.
https://tower.im/projects/36de8571a0ff4833ae9d7f1c5c400c22/todos/0890c06f33dd46daa60fa1f97e97c28b/