jiulinxiri/rocketmq-dashboard
1
0
Fork 0
mirror of https://github.com/apache/rocketmq-dashboard.git synced 2025-09-10 19:48:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

[ISSUE #5]Add permission control when loginRequired is true. (#6)

Browse Source 
* [ISSUE #5]Add permission control when loginRequired is true.

* optimize the code

* Wildcard characters are supported

* add Apache License headers

Co-authored-by: zhangjidi2016 <zhangjidi@cmss.chinamobile.com>
This commit is contained in:
zhangjidi2016
2021-09-01 20:05:36 +08:00
committed by GitHub
parent 25129169d5
commit 5b2a027cd8
24 changed files with 714 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
docs/1_0_0/UserGuide_CN.md
View File

@@ -91,7 +91,7 @@ server.port=8443
## 登录访问Dashboard
在访问Dashboard时支持按用户名和密码登录控制台在操作完成后登出。需要做如下的设置:
* 1.在Spring配置文件resources/application.properties中修改 开启登录功能
* 1.在Spring配置文件resources/application.properties中修改rocketmq.config.loginRequired=true开启登录功能
```$xslt
# 开启登录功能
rocketmq.config.loginRequired=true
@@ -112,4 +112,41 @@ admin=admin,1
user1=user1
user2=user2
```
* 3. 启动控制台则开启了登录功能
* 3.启动控制台则开启了登录功能
## 权限检验
如果用户访问console时开启了登录功能会按照登录的角色对访问的接口进行权限控制。
* 1.在Spring配置文件resources/application.properties中修改rocketmq.config.loginRequired=true开启登录功能
```$xslt
# 开启登录功能
rocketmq.config.loginRequired=true
# Dashboard文件目录登录用户配置文件所在目录
rocketmq.config.dataPath=/tmp/rocketmq-console/data
```
* 2.确保${rocketmq.config.dataPath}定义的目录存在,并且该目录下创建访问权限配置文件"role-permission.yml",
如果该目录下不存在此文件则默认使用resources/role-permission.yml文件。该文件保存了普通用户角色所有能访问的接口地址。
role-permission.yml文件格式为:
```$xslt
# 该文件支持热修改即添加和修改用户时不需要重新启动console
# 格式,如果增加和删除接口权限,直接在列表中增加和删除接口地址即可。
# 接口路径配置支持通配符
# * 表示匹配0或多个不是/的字符
# ** 表示匹配0或多个任意字符
# ? 表示匹配1个任意字符
rolePerms:
# 普通用户
ordinary:
- /rocketmq/nsaddr
- /ops/*
- /dashboard/**
- /topic/*.query
- /topic/sendTopicMessage.do
- /producer/*.query
- /message/*
- /messageTrace/*
- /monitor/*
....
```
* 3.前端页面显示上为了更好区分普通用户和admin用户权限关于资源的删除、更新等操作按钮不对普通用户角色显示如果要执行资源相关操作需要退出使用admin角色登录。

42
docs/1_0_0/UserGuide_EN.md
View File

@@ -115,4 +115,44 @@ admin=admin,1
user1=user1
user2=user2
```
* 3. Restart Dashboard Application after above configuration setting well.
* 3.Restart Console Application after above configuration setting well.
## Permission Control
If the login function is enabled when a user accesses the Console, the user controls the access permission of the interface based on the login role.
* 1.Turn on the property in resources/application.properties.
```$xslt
# open the login func
rocketmq.config.loginRequired=true
# Directory of ashboard & login user configure file
rocketmq.config.dataPath=/tmp/rocketmq-console/data
```
* 2.Make sure the directory defined in property ${rocketmq.config.dataPath} exists and the permission control file "role-permission.yml" is created under it.
The console system will use the resources/role-permission.yml by default if a customized file is not found。
The format in the content of role-permission.yml:
```$xslt
# This file supports hot change, any change will be auto-reloaded without Console restarting.
# Format: To add or delete interface permissions, add or delete interface addresses from the list.
# the interface paths can be configured with wildcard characters.
# ?: Matches 1 characters.
# *: Matches 0 or more characters that are not /.
# **: Matches 0 or more characters.
rolePerms:
# ordinary user
ordinary:
- /rocketmq/nsaddr
- /ops/*
- /dashboard/**
- /topic/*.query
- /topic/sendTopicMessage.do
- /producer/*.query
- /message/*
- /messageTrace/*
- /monitor/*
....
```
* 3.On the front page, operation buttons such as deleting and updating resources are not displayed for common users in order to better distinguish the rights of common users and admin users. If need to operate related resources, log out and use the admin role to log in

2
src/main/java/org/apache/rocketmq/dashboard/controller/ClusterController.java
View File

@@ -16,6 +16,7 @@
*/
package org.apache.rocketmq.dashboard.controller;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.dashboard.service.ClusterService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -27,6 +28,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@RequestMapping("/cluster")
@Permission
public class ClusterController {
@Resource

2
src/main/java/org/apache/rocketmq/dashboard/controller/ConsumerController.java
View File

@@ -24,6 +24,7 @@ import org.apache.rocketmq.dashboard.model.ConnectionInfo;
import org.apache.rocketmq.dashboard.model.request.ConsumerConfigInfo;
import org.apache.rocketmq.dashboard.model.request.DeleteSubGroupRequest;
import org.apache.rocketmq.dashboard.model.request.ResetOffsetRequest;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.dashboard.service.ConsumerService;
import org.apache.rocketmq.dashboard.util.JsonUtil;
import org.slf4j.Logger;
@@ -37,6 +38,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@RequestMapping("/consumer")
@Permission
public class ConsumerController {
private Logger logger = LoggerFactory.getLogger(ConsumerController.class);

2
src/main/java/org/apache/rocketmq/dashboard/controller/DashboardController.java
View File

@@ -20,6 +20,7 @@ package org.apache.rocketmq.dashboard.controller;
import javax.annotation.Resource;
import com.google.common.base.Strings;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.dashboard.service.DashboardService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -29,6 +30,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@RequestMapping("/dashboard")
@Permission
public class DashboardController {
@Resource

2
src/main/java/org/apache/rocketmq/dashboard/controller/MessageController.java
View File

@@ -22,6 +22,7 @@ import org.apache.rocketmq.common.protocol.body.ConsumeMessageDirectlyResult;
import org.apache.rocketmq.dashboard.model.MessagePage;
import org.apache.rocketmq.dashboard.model.MessageView;
import org.apache.rocketmq.dashboard.model.request.MessageQuery;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.dashboard.service.MessageService;
import org.apache.rocketmq.dashboard.util.JsonUtil;
import org.apache.rocketmq.tools.admin.api.MessageTrack;
@@ -41,6 +42,7 @@ import java.util.Map;
@Controller
@RequestMapping("/message")
@Permission
public class MessageController {
private Logger logger = LoggerFactory.getLogger(MessageController.class);
@Resource

2
src/main/java/org/apache/rocketmq/dashboard/controller/MessageTraceController.java
View File

@@ -26,6 +26,7 @@ import javax.annotation.Resource;
import org.apache.rocketmq.common.Pair;
import org.apache.rocketmq.dashboard.model.MessageView;
import org.apache.rocketmq.dashboard.model.trace.MessageTraceGraph;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.dashboard.service.MessageService;
import org.apache.rocketmq.dashboard.service.MessageTraceService;
import org.apache.rocketmq.tools.admin.api.MessageTrack;
@@ -37,6 +38,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@RequestMapping("/messageTrace")
@Permission
public class MessageTraceController {
@Resource

2
src/main/java/org/apache/rocketmq/dashboard/controller/MonitorController.java
View File

@@ -18,6 +18,7 @@ package org.apache.rocketmq.dashboard.controller;
import javax.annotation.Resource;
import org.apache.rocketmq.dashboard.model.ConsumerMonitorConfig;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.dashboard.service.MonitorService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -29,6 +30,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@RequestMapping("/monitor")
@Permission
public class MonitorController {
private Logger logger = LoggerFactory.getLogger(MonitorController.class);

2
src/main/java/org/apache/rocketmq/dashboard/controller/NamesvrController.java
View File

@@ -18,6 +18,7 @@ package org.apache.rocketmq.dashboard.controller;
import javax.annotation.Resource;
import org.apache.rocketmq.dashboard.aspect.admin.annotation.OriginalControllerReturnValue;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.dashboard.service.OpsService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -26,6 +27,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@RequestMapping("/rocketmq")
@Permission
public class NamesvrController {
@Resource
private OpsService opsService;

2
src/main/java/org/apache/rocketmq/dashboard/controller/OpsController.java
View File

@@ -17,6 +17,7 @@
package org.apache.rocketmq.dashboard.controller;
import javax.annotation.Resource;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.dashboard.service.OpsService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -26,6 +27,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@RequestMapping("/ops")
@Permission
public class OpsController {
@Resource

2
src/main/java/org/apache/rocketmq/dashboard/controller/ProducerController.java
View File

@@ -19,6 +19,7 @@ package org.apache.rocketmq.dashboard.controller;
import javax.annotation.Resource;
import org.apache.rocketmq.common.protocol.body.ProducerConnection;
import org.apache.rocketmq.dashboard.model.ConnectionInfo;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.dashboard.service.ProducerService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -28,6 +29,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@RequestMapping("/producer")
@Permission
public class ProducerController {
@Resource

2
src/main/java/org/apache/rocketmq/dashboard/controller/TopicController.java
View File

@@ -17,6 +17,7 @@
package org.apache.rocketmq.dashboard.controller;
import org.apache.rocketmq.client.exception.MQClientException;
import org.apache.rocketmq.dashboard.permisssion.Permission;
import org.apache.rocketmq.remoting.exception.RemotingException;
import org.apache.rocketmq.dashboard.model.request.SendTopicMessageRequest;
import org.apache.rocketmq.dashboard.model.request.TopicConfigInfo;
@@ -38,6 +39,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@RequestMapping("/topic")
@Permission
public class TopicController {
private Logger logger = LoggerFactory.getLogger(TopicController.class);

27
src/main/java/org/apache/rocketmq/dashboard/permisssion/Permission.java Normal file
View File

@@ -0,0 +1,27 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.permisssion;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Permission {
}

69
src/main/java/org/apache/rocketmq/dashboard/permisssion/PermissionAspect.java Normal file
View File

@@ -0,0 +1,69 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.permisssion;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import org.apache.rocketmq.dashboard.config.RMQConfigure;
import org.apache.rocketmq.dashboard.exception.ServiceException;
import org.apache.rocketmq.dashboard.model.UserInfo;
import org.apache.rocketmq.dashboard.service.PermissionService;
import org.apache.rocketmq.dashboard.util.WebUtil;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
@Aspect
@Component
public class PermissionAspect {
@Resource
private RMQConfigure configure;
@Resource
private PermissionService permissionService;
/**
* @Permission can be applied to the Controller class to implement Permission verification on all methods in the class
* can also be applied to methods in a class for fine control
*/
@Pointcut("@annotation(org.apache.rocketmq.dashboard.permisssion.Permission) || @within(org.apache.rocketmq.dashboard.permisssion.Permission)")
private void permission() {
}
@Around("permission()")
public Object checkPermission(ProceedingJoinPoint joinPoint) throws Throwable {
if (configure.isLoginRequired()) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
String url = request.getRequestURI();
UserInfo userInfo = (UserInfo) request.getSession().getAttribute(WebUtil.USER_INFO);
if (userInfo == null || userInfo.getUser() == null) {
throw new ServiceException(-1, "user not login");
}
boolean checkResult = permissionService.checkUrlAvailable(userInfo, url);
if (!checkResult) {
throw new ServiceException(-1, "no permission");
}
}
return joinPoint.proceed();
}
}

38
src/main/java/org/apache/rocketmq/dashboard/permisssion/UserRoleEnum.java Normal file
View File

@@ -0,0 +1,38 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.permisssion;
public enum UserRoleEnum {
ADMIN(1, "admin"),
ORDINARY(0, "ordinary");
private int roleType;
private String roleName;
UserRoleEnum(int roleType, String roleName) {
this.roleType = roleType;
this.roleName = roleName;
}
public int getRoleType() {
return roleType;
}
public String getRoleName() {
return roleName;
}
}

24
src/main/java/org/apache/rocketmq/dashboard/service/PermissionService.java Normal file
View File

@@ -0,0 +1,24 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.service;
import org.apache.rocketmq.dashboard.model.UserInfo;
public interface PermissionService {
boolean checkUrlAvailable(UserInfo userInfo, String url);
}

83
src/main/java/org/apache/rocketmq/dashboard/service/impl/AbstractFileStore.java Normal file
View File

@@ -0,0 +1,83 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.service.impl;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import org.apache.rocketmq.dashboard.config.RMQConfigure;
import org.apache.rocketmq.srvutil.FileWatchService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public abstract class AbstractFileStore {
public final Logger log = LoggerFactory.getLogger(this.getClass());
public String filePath;
public AbstractFileStore(RMQConfigure configure, String fileName) {
filePath = configure.getRocketMqDashboardDataPath() + File.separator + fileName;
if (!new File(filePath).exists()) {
// Use the default path
InputStream inputStream = getClass().getResourceAsStream("/" + fileName);
if (inputStream == null) {
log.error(String.format("Can not found the file %s in Spring Boot jar", fileName));
System.exit(1);
} else {
try {
load(inputStream);
} catch (Exception e) {
log.error("fail to load file {}", filePath, e);
} finally {
try {
inputStream.close();
} catch (IOException e) {
log.error("inputStream close exception", e);
}
}
}
} else {
log.info(String.format("configure file is %s", filePath));
load();
watch();
}
}
abstract void load(InputStream inputStream);
private void load() {
load(null);
}
private boolean watch() {
try {
FileWatchService fileWatchService = new FileWatchService(new String[] {filePath}, new FileWatchService.Listener() {
@Override
public void onChanged(String path) {
log.info("The file changed, reload the context");
load();
}
});
fileWatchService.start();
log.info("Succeed to start FileWatcherService");
return true;
} catch (Exception e) {
log.error("Failed to start FileWatcherService", e);
}
return false;
}
}

98
src/main/java/org/apache/rocketmq/dashboard/service/impl/PermissionServiceImpl.java Normal file
View File

@@ -0,0 +1,98 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.service.impl;
import com.alibaba.fastjson.JSONObject;
import java.io.FileReader;
import java.io.InputStream;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Resource;
import org.apache.rocketmq.dashboard.config.RMQConfigure;
import org.apache.rocketmq.dashboard.exception.ServiceException;
import org.apache.rocketmq.dashboard.model.UserInfo;
import org.apache.rocketmq.dashboard.service.PermissionService;
import org.apache.rocketmq.dashboard.util.MatcherUtil;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.stereotype.Service;
import org.yaml.snakeyaml.Yaml;
import static org.apache.rocketmq.dashboard.permisssion.UserRoleEnum.ADMIN;
import static org.apache.rocketmq.dashboard.permisssion.UserRoleEnum.ORDINARY;
@Service
public class PermissionServiceImpl implements PermissionService, InitializingBean {
@Resource
private RMQConfigure configure;
private PermissionFileStore permissionFileStore;
@Override
public void afterPropertiesSet() {
if (configure.isLoginRequired()) {
permissionFileStore = new PermissionFileStore(configure);
}
}
@Override
public boolean checkUrlAvailable(UserInfo userInfo, String url) {
int type = userInfo.getUser().getType();
// if it is admin, it could access all resources
if (type == ADMIN.getRoleType()) {
return true;
}
String loginUserRole = ORDINARY.getRoleName();
Map<String, List<String>> rolePerms = PermissionFileStore.rolePerms;
List<String> perms = rolePerms.get(loginUserRole);
for (String perm : perms) {
if (MatcherUtil.match(perm, url)) {
return true;
}
}
return false;
}
public static class PermissionFileStore extends AbstractFileStore {
private static final String FILE_NAME = "role-permission.yml";
private static Map<String/**role**/, List<String>/**accessUrls**/> rolePerms = new ConcurrentHashMap<>();
public PermissionFileStore(RMQConfigure configure) {
super(configure, FILE_NAME);
}
@Override
public void load(InputStream inputStream) {
Yaml yaml = new Yaml();
JSONObject rolePermsData = null;
try {
if (inputStream == null) {
rolePermsData = yaml.loadAs(new FileReader(filePath), JSONObject.class);
} else {
rolePermsData = yaml.loadAs(inputStream, JSONObject.class);
}
} catch (Exception e) {
log.error("load user-permission.yml failed", e);
throw new ServiceException(0, String.format("Failed to load rolePermission property file: %s", filePath));
}
rolePerms.clear();
rolePerms.putAll(rolePermsData.getObject("rolePerms", Map.class));
}
}
}

65
src/main/java/org/apache/rocketmq/dashboard/service/impl/UserServiceImpl.java
View File

@@ -21,15 +21,11 @@ import org.apache.rocketmq.dashboard.config.RMQConfigure;
import org.apache.rocketmq.dashboard.exception.ServiceException;
import org.apache.rocketmq.dashboard.model.User;
import org.apache.rocketmq.dashboard.service.UserService;
import org.apache.rocketmq.srvutil.FileWatchService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.stereotype.Service;
import javax.annotation.Resource;
import javax.validation.constraints.NotNull;
import java.io.File;
import java.io.FileReader;
import java.io.InputStream;
import java.util.HashMap;
@@ -40,9 +36,9 @@ import java.util.concurrent.ConcurrentHashMap;
@Service
public class UserServiceImpl implements UserService, InitializingBean {
@Resource
RMQConfigure configure;
private RMQConfigure configure;
FileBasedUserInfoStore fileBasedUserInfoStore;
private FileBasedUserInfoStore fileBasedUserInfoStore;
@Override
public User queryByName(String name) {
@@ -61,40 +57,17 @@ public class UserServiceImpl implements UserService, InitializingBean {
}
}
public static class FileBasedUserInfoStore {
private final Logger log = LoggerFactory.getLogger(this.getClass());
public static class FileBasedUserInfoStore extends AbstractFileStore {
private static final String FILE_NAME = "users.properties";
private String filePath;
private final Map<String, User> userMap = new ConcurrentHashMap<>();
private static Map<String, User> userMap = new ConcurrentHashMap<>();
public FileBasedUserInfoStore(RMQConfigure configure) {
filePath = configure.getRocketMqDashboardDataPath() + File.separator + FILE_NAME;
if (!new File(filePath).exists()) {
//Use the default path
InputStream inputStream = getClass().getResourceAsStream("/" + FILE_NAME);
if (inputStream == null) {
log.error(String.format("Can not found the file %s in Spring Boot jar", FILE_NAME));
System.out.printf(String.format("Can not found file %s in Spring Boot jar or %s, stop the dashboard starting",
FILE_NAME, configure.getRocketMqDashboardDataPath()));
System.exit(1);
} else {
load(inputStream);
}
} else {
log.info(String.format("Login Users configure file is %s", filePath));
load();
watch();
}
super(configure, FILE_NAME);
}
private void load() {
load(null);
}
private void load(InputStream inputStream) {
@Override
public void load(InputStream inputStream) {
Properties prop = new Properties();
try {
if (inputStream == null) {
@@ -112,7 +85,8 @@ public class UserServiceImpl implements UserService, InitializingBean {
int role;
for (String key : prop.stringPropertyNames()) {
String v = prop.getProperty(key);
if (v == null) continue;
if (v == null)
continue;
arrs = v.split(",", 2);
if (arrs.length == 0) {
continue;
@@ -125,30 +99,10 @@ public class UserServiceImpl implements UserService, InitializingBean {
loadUserMap.put(key, new User(key, arrs[0].trim(), role));
}
userMap.clear();
userMap.putAll(loadUserMap);
}
private boolean watch() {
try {
FileWatchService fileWatchService = new FileWatchService(new String[]{filePath}, new FileWatchService.Listener() {
@Override
public void onChanged(String path) {
log.info("The loginUserInfo property file changed, reload the context");
load();
}
});
fileWatchService.start();
log.info("Succeed to start LoginUserWatcherService");
return true;
} catch (Exception e) {
log.error("Failed to start LoginUserWatcherService", e);
}
return false;
}
public User queryByName(String name) {
return userMap.get(name);
}
@@ -158,7 +112,6 @@ public class UserServiceImpl implements UserService, InitializingBean {
if (user != null && password.equals(user.getPassword())) {
return user.cloneOne();
}
return null;
}
}

3
src/main/java/org/apache/rocketmq/dashboard/support/GlobalExceptionHandler.java
View File

@@ -34,11 +34,12 @@ public class GlobalExceptionHandler {
public JsonResult<Object> jsonErrorHandler(HttpServletRequest req, Exception ex) throws Exception {
JsonResult<Object> value = null;
if (ex != null) {
logger.error("op=global_exception_handler_print_error", ex);
if (ex instanceof ServiceException) {
logger.error("Occur service exception: {}", ex.getMessage());
value = new JsonResult<Object>(((ServiceException) ex).getCode(), ex.getMessage());
}
else {
logger.error("op=global_exception_handler_print_error", ex);
value = new JsonResult<Object>(-1, ex.getMessage() == null ? ex.toString() : ex.getMessage());
}
}

58
src/main/java/org/apache/rocketmq/dashboard/util/MatcherUtil.java Normal file
View File

@@ -0,0 +1,58 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.util;
import java.util.regex.Pattern;
public class MatcherUtil {
public static boolean match(String accessUrl, String reqPath) {
String regPath = getRegPath(accessUrl);
return Pattern.compile(regPath).matcher(reqPath).matches();
}
private static String getRegPath(String path) {
char[] chars = path.toCharArray();
int len = chars.length;
StringBuilder sb = new StringBuilder();
boolean preX = false;
for (int i = 0; i < len; i++) {
if (chars[i] == '*') {
if (preX) {
sb.append(".*");
preX = false;
} else if (i + 1 == len) {
sb.append("[^/]*");
} else {
preX = true;
continue;
}
} else {
if (preX) {
sb.append("[^/]*");
preX = false;
}
if (chars[i] == '?') {
sb.append('.');
} else {
sb.append(chars[i]);
}
}
}
return sb.toString();
}
}

35
src/main/resources/role-permission.yml Normal file
View File

@@ -0,0 +1,35 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This file supports hot change, any change will be auto-reloaded without Console restarting.
# the interface paths can be configured with wildcard characters.
# ?: Matches 1 characters.
# *: Matches 0 or more characters that are not /.
# **: Matches 0 or more characters.
rolePerms:
ordinary:
- /rocketmq/nsaddr
- /ops/*
- /dashboard/**
- /topic/*.query
- /topic/sendTopicMessage.do
- /producer/*.query
- /message/*
- /messageTrace/*
- /monitor/*

137
src/test/java/org/apache/rocketmq/dashboard/permission/PermissionAspectTest.java Normal file
View File

@@ -0,0 +1,137 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.permission;
import com.google.common.collect.Lists;
import com.google.common.io.Files;
import java.io.File;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.rocketmq.dashboard.BaseTest;
import org.apache.rocketmq.dashboard.config.RMQConfigure;
import org.apache.rocketmq.dashboard.model.User;
import org.apache.rocketmq.dashboard.model.UserInfo;
import org.apache.rocketmq.dashboard.permisssion.PermissionAspect;
import org.apache.rocketmq.dashboard.service.impl.PermissionServiceImpl;
import org.apache.rocketmq.dashboard.util.JsonUtil;
import org.apache.rocketmq.dashboard.util.WebUtil;
import org.aspectj.lang.ProceedingJoinPoint;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.mockito.Spy;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
public class PermissionAspectTest extends BaseTest {
@InjectMocks
private PermissionAspect permissionAspect;
@Mock
private RMQConfigure configure;
@Spy
private PermissionServiceImpl permissionService;
@Before
public void init() {
MockitoAnnotations.initMocks(this);
autoInjection();
when(configure.isLoginRequired()).thenReturn(true);
when(configure.getDashboardCollectData()).thenReturn("/tmp/rocketmq-console/test/data");
}
@Test
public void testCheckPermission() throws Throwable {
ReflectionTestUtils.setField(permissionAspect, "configure", configure);
ProceedingJoinPoint joinPoint = mock(ProceedingJoinPoint.class);
permissionService.afterPropertiesSet();
ReflectionTestUtils.setField(permissionAspect, "permissionService", permissionService);
// user not login
MockHttpServletRequest request = new MockHttpServletRequest();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
try {
permissionAspect.checkPermission(joinPoint);
} catch (Throwable throwable) {
Assert.assertEquals(throwable.getMessage(), "user not login");
}
// userRole is admin
UserInfo info = new UserInfo();
User adminUser = new User("admin", "admin", 1);
info.setUser(adminUser);
request.getSession().setAttribute(WebUtil.USER_INFO, info);
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
permissionAspect.checkPermission(joinPoint);
// userRole is ordinary
User ordinaryUser = new User("user1", "user1", 0);
info.setUser(ordinaryUser);
request = new MockHttpServletRequest("", "/topic/deleteTopic.do");
request.getSession().setAttribute(WebUtil.USER_INFO, info);
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
try {
permissionAspect.checkPermission(joinPoint);
} catch (Throwable throwable) {
Assert.assertEquals(throwable.getMessage(), "no permission");
}
// no permission
request = new MockHttpServletRequest("", "/topic/route.query");
request.getSession().setAttribute(WebUtil.USER_INFO, info);
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
permissionAspect.checkPermission(joinPoint);
}
@Test
public void testFileBasedPermissionStoreWatch() throws Exception {
when(configure.getRocketMqDashboardDataPath()).thenReturn("/tmp/rocketmq-console/test/data");
Map<String, Map<String, List<String>>> rolePermsMap = new HashMap<>();
Map<String, List<String>> rolePerms = new HashMap<>();
List<String> accessUrls = Lists.asList("/topic/route.query", new String[] {"/topic/stats.query"});
rolePerms.put("admin", accessUrls);
rolePermsMap.put("rolePerms", rolePerms);
File file = createTestFile(rolePermsMap);
new PermissionServiceImpl.PermissionFileStore(configure);
rolePerms.put("ordinary", accessUrls);
// Update file and flush to yaml file
Files.write(JsonUtil.obj2String(rolePerms).getBytes(), file);
Thread.sleep(1000);
if (file != null && file.exists()) {
file.delete();
}
}
private File createTestFile(Map map) throws Exception {
String fileName = "/tmp/rocketmq-console/test/data/role-permission.yml";
File file = new File(fileName);
file.delete();
file.createNewFile();
Files.write(JsonUtil.obj2String(map).getBytes(), file);
return file;
}
}

34
src/test/java/org/apache/rocketmq/dashboard/util/MatcherUtilTest.java Normal file
View File

@@ -0,0 +1,34 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.util;
import org.junit.Assert;
import org.junit.Test;
public class MatcherUtilTest {
@Test
public void testMatch() {
boolean b = MatcherUtil.match("/topic/*.query", "/topic/route.query");
boolean b1 = MatcherUtil.match("/**/**.do", "/consumer/route.do");
boolean b2 = MatcherUtil.match("/*", "/topic/qqq/route.do");
Assert.assertTrue(b);
Assert.assertTrue(b1);
Assert.assertFalse(b2);
}
}