tenthe commented on code in PR #4074: URL: https://github.com/apache/streampipes/pull/4074#discussion_r2667507824
########## ui/cypress/tests/userManagement/testUserRoleDataset.spec.ts: ########## @@ -0,0 +1,219 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +import { UserRole } from '../../../src/app/_enums/user-role.enum'; +import { UserUtils } from '../../support/utils/UserUtils'; +import { ConnectUtils } from '../../support/utils/connect/ConnectUtils'; +import { User } from '../../support/model/User'; +import { DataExplorerUtils } from '../../support/utils/dataExplorer/DataExplorerUtils'; +import { PermissionUtils } from '../../support/utils/user/PermissionUtils'; +import { DataExplorerBtns } from '../../support/utils/dataExplorer/DataExplorerBtns'; +import { DatasetUtils } from '../../support/utils/dataset/DatasetUtils'; +import { GeneralUtils } from '../../support/utils/GeneralUtils'; + +describe('Test Dataset Permissions', () => { + const datasetName = 'Persist simulator'; + let datasetUser1: User; + let datasetAdmin1: User; + let datasetAdmin2: User; + let chartAdmin1: User; + let chartUser1: User; + let dashboardAdmin1: User; + + beforeEach('Setup Test', () => { + cy.initStreamPipesTest(); + + datasetUser1 = UserUtils.createUser( + 'datasetUser1', + UserRole.ROLE_PIPELINE_USER, + ); + + datasetAdmin1 = UserUtils.createUser( + 'datasetAdmin1', + UserRole.ROLE_CONNECT_ADMIN, + UserRole.ROLE_PIPELINE_ADMIN, + ); + + datasetAdmin2 = UserUtils.createUser( + 'datasetAdmin2', + UserRole.ROLE_PIPELINE_ADMIN, + ); + + chartAdmin1 = UserUtils.createUser( + 'chartAdmin1', + UserRole.ROLE_DATA_EXPLORER_ADMIN, + ); + + chartUser1 = UserUtils.createUser( + 'chartUser1', + UserRole.ROLE_DATA_EXPLORER_USER, + ); + + dashboardAdmin1 = UserUtils.createUser( + 'dashboardAdmin1', + UserRole.ROLE_DASHBOARD_ADMIN, + ); + }); + + it('Dataset is not shared with other users', () => { + generateDataset(); + + assertDatasetIsVisibleAndEditableCanChangePermissions( + UserUtils.adminUser, + ); + + assertDatasetIsNotVisible(datasetUser1); + + UserUtils.switchUser(datasetUser1); + + assertDatasetIsNotVisible(datasetAdmin2); + }); + + it('Datasets only usable in charts if permissions were configured', () => { + generateDataset(); + + UserUtils.switchUser(chartAdmin1); + + assertDatasetAvailabilityInCharts(false); + + authUserOnDataset('[email protected]'); + + UserUtils.switchUser(chartAdmin1); + + assertDatasetAvailabilityInCharts(true); + + DataExplorerUtils.goToDatalake(); + + PermissionUtils.authorizeUser( + 'test', + '[email protected]', + ); + + DataExplorerBtns.confirmSave().click(); + + UserUtils.switchUser(chartUser1); + + DataExplorerUtils.checkAmountOfCharts(1); + + GeneralUtils.openMenuForRow('test'); + + DataExplorerBtns.viewWidget('test').click(); + + assertAlertBanner(true); + + assertDatasetIsNotVisible(chartUser1); + + authUserOnDataset('[email protected]'); + + UserUtils.switchUser(chartUser1); + + DataExplorerUtils.checkAmountOfCharts(1); + + GeneralUtils.openMenuForRow('test'); + + DataExplorerBtns.viewWidget('test').click(); + + assertAlertBanner(false); + }); + + it('Data only shown in dashboard if permissions were configured', () => { + generateDataset(); + + authUserOnDataset('[email protected]'); + + UserUtils.switchUser(chartAdmin1); + + assertDatasetAvailabilityInCharts(true); + + PermissionUtils.authorizeUser( + 'test', + '[email protected]', + ); + + UserUtils.switchUser(dashboardAdmin1); + + generateDashboard('TestDB'); + + assertAlertBanner(true); + + DataExplorerBtns.discardDashboard().click(); + + assertDatasetIsNotVisible(dashboardAdmin1); + + authUserOnDataset('[email protected]'); + + UserUtils.switchUser(dashboardAdmin1); + + generateDashboard('TestDB2'); + + assertAlertBanner(false); + }); + function assertDatasetAvailabilityInCharts(available: boolean) { + DataExplorerUtils.goToDatalake(); + DataExplorerBtns.openNewDataViewBtn().click(); + if (!available) { + cy.get('sp-alert-banner').should('be.visible'); + } else { + DataExplorerUtils.assertSelectDataSet('simulator'); + DataExplorerUtils.addDataViewAndTableWidget( + 'test', + 'simulator', + true, + ); + DataExplorerUtils.saveDataViewConfiguration(); + } + } + + function generateDataset() { + UserUtils.switchUser(datasetAdmin1); + ConnectUtils.addMachineDataSimulator('simulator', true); + } + + function generateDashboard(name: string) { + DataExplorerUtils.goToDashboard(); + DataExplorerUtils.createNewDashboard(name); + DataExplorerUtils.editDashboard(name); + DataExplorerUtils.addDataViewToDashboard('test', true); + } + function assertDatasetIsVisibleAndEditableCanChangePermissions(user: User) { + UserUtils.switchUser(user); + DatasetUtils.goToDatasets(); + DatasetUtils.checkAmountOfDatasets(1); + PermissionUtils.validateUserCanChangePermissions(datasetName); + } + + function assertDatasetIsNotVisible(user: User) { + UserUtils.switchUser(user); + DatasetUtils.goToDatasets(); + DatasetUtils.checkAmountOfDatasets(0); + } + + function assertAlertBanner(exists: boolean) { + if (exists) { + cy.get('sp-alert-banner[type="error"]').should('exist'); Review Comment: Can you change this to use the data-cy id? `cy.dataCy` ########## ui/src/app/dataset/components/datalake-configuration/datalake-configuration.component.ts: ########## @@ -110,6 +119,12 @@ export class DatalakeConfigurationComponent implements OnInit, AfterViewInit { ]); this.loadAvailableMeasurements(); this.loadAvailableExportProvider(); + const currentUser = this.currentUserService.getCurrentUser(); + this.isAdmin = currentUser.roles.indexOf(UserRole.ROLE_ADMIN) > -1; + this.writeAccess = + currentUser.roles.indexOf(UserPrivilege.PRIVILEGE_WRITE_DATASET) > + -1 || this.isAdmin; + console.log(currentUser); Review Comment: Remove console.log ########## streampipes-rest/src/main/java/org/apache/streampipes/rest/impl/datalake/AbstractDataLakeResource.java: ########## @@ -0,0 +1,76 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +package org.apache.streampipes.rest.impl.datalake; + +import org.apache.streampipes.dataexplorer.api.IDataExplorerSchemaManagement; +import org.apache.streampipes.dataexplorer.management.DataExplorerDispatcher; +import org.apache.streampipes.model.client.user.DefaultPrivilege; +import org.apache.streampipes.rest.core.base.impl.AbstractAuthGuardedRestResource; +import org.apache.streampipes.rest.security.SpPermissionEvaluator; + +import org.springframework.security.core.context.SecurityContextHolder; + +public class AbstractDataLakeResource extends AbstractAuthGuardedRestResource { + + final IDataExplorerSchemaManagement dataLakeMeasureManagement; + + + + public AbstractDataLakeResource() { + this.dataLakeMeasureManagement = new DataExplorerDispatcher().getDataExplorerManager() + .getSchemaManagement(); + } + + /** + * required by Spring expression + */ + public boolean hasReadAuthority() { + return isAdminOrHasAnyAuthority(DefaultPrivilege.Constants.PRIVILEGE_READ_DATASET_VALUE); + } + + /** + * required by Spring expression + */ + public boolean hasWriteAuthority() { + return isAdminOrHasAnyAuthority(DefaultPrivilege.Constants.PRIVILEGE_WRITE_DATASET_VALUE); + } + + public boolean checkPermission(String measurementName, + String permission) { + + var spPermissionEvaluator = new SpPermissionEvaluator(); + var authentication = SecurityContextHolder.getContext() + .getAuthentication(); + return spPermissionEvaluator.hasPermission( + authentication, + measurementName, + permission); + } + + public boolean checkDatasetPermission(String measurementId, Review Comment: Same here `checkPermissionById`? ########## streampipes-rest/src/main/java/org/apache/streampipes/rest/impl/datalake/AbstractDataLakeResource.java: ########## @@ -0,0 +1,76 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +package org.apache.streampipes.rest.impl.datalake; + +import org.apache.streampipes.dataexplorer.api.IDataExplorerSchemaManagement; +import org.apache.streampipes.dataexplorer.management.DataExplorerDispatcher; +import org.apache.streampipes.model.client.user.DefaultPrivilege; +import org.apache.streampipes.rest.core.base.impl.AbstractAuthGuardedRestResource; +import org.apache.streampipes.rest.security.SpPermissionEvaluator; + +import org.springframework.security.core.context.SecurityContextHolder; + +public class AbstractDataLakeResource extends AbstractAuthGuardedRestResource { + + final IDataExplorerSchemaManagement dataLakeMeasureManagement; + + + + public AbstractDataLakeResource() { + this.dataLakeMeasureManagement = new DataExplorerDispatcher().getDataExplorerManager() + .getSchemaManagement(); + } + + /** + * required by Spring expression + */ + public boolean hasReadAuthority() { + return isAdminOrHasAnyAuthority(DefaultPrivilege.Constants.PRIVILEGE_READ_DATASET_VALUE); + } + + /** + * required by Spring expression + */ + public boolean hasWriteAuthority() { + return isAdminOrHasAnyAuthority(DefaultPrivilege.Constants.PRIVILEGE_WRITE_DATASET_VALUE); + } + + public boolean checkPermission(String measurementName, Review Comment: Does it make sense to rename it to something like `checkPermissionByName`? ########## streampipes-pipeline-management/src/main/java/org/apache/streampipes/manager/pipeline/PipelineManager.java: ########## @@ -82,6 +83,8 @@ public static String addPipeline( Permission permission = new PermissionManager().makePermission(pipeline, principalSid); getPermissionStorage().persist(permission); + + new DataLakePermissionManager().makeAndPersistPermission(pipeline,principalSid); Review Comment: ```suggestion new DataLakePermissionManager().makeAndPersistPermission(pipeline, principalSid); ``` ########## ui/cypress/support/utils/dataExplorer/DataExplorerBtns.ts: ########## @@ -36,6 +36,14 @@ export class DataExplorerBtns { return cy.dataCy('save-dashboard-btn'); } + public static discardDashboard() { + return cy Review Comment: Can you change this to a dataCy id? ########## streampipes-pipeline-management/src/main/java/org/apache/streampipes/manager/permission/DataLakePermissionManager.java: ########## @@ -0,0 +1,71 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +package org.apache.streampipes.manager.permission; + +import org.apache.streampipes.model.client.user.Permission; +import org.apache.streampipes.model.client.user.PermissionBuilder; +import org.apache.streampipes.model.datalake.DataLakeMeasure; +import org.apache.streampipes.model.graph.DataSinkInvocation; +import org.apache.streampipes.model.pipeline.Pipeline; +import org.apache.streampipes.model.staticproperty.FreeTextStaticProperty; +import org.apache.streampipes.storage.api.IPermissionStorage; +import org.apache.streampipes.storage.management.StorageDispatcher; + +import java.util.Optional; + +public class DataLakePermissionManager { + + //TODO Could also be static +private static final String DATALAKE_APP_ID = + "org.apache.streampipes.sinks.internal.jvm.datalake"; +private static final String DB_MEASUREMENT = "db_measurement"; + + public void makeAndPersistPermission(Pipeline pipeline, + String ownerSid) { + pipeline.getActions().stream() + .filter(DataSinkInvocation.class::isInstance) + .map(DataSinkInvocation.class::cast) Review Comment: Can you check if this cas is redundant? ########## streampipes-service-core/src/main/java/org/apache/streampipes/service/core/migrations/v099/CreateDatasetPermissionMigration.java: ########## @@ -0,0 +1,68 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.apache.streampipes.service.core.migrations.v099; + +import org.apache.streampipes.model.datalake.DataLakeMeasure; +import org.apache.streampipes.resource.management.PermissionResourceManager; +import org.apache.streampipes.service.core.migrations.Migration; +import org.apache.streampipes.storage.api.CRUDStorage; +import org.apache.streampipes.storage.api.IPermissionStorage; +import org.apache.streampipes.storage.management.StorageDispatcher; + +import java.io.IOException; +import java.util.List; + +public class CreateDatasetPermissionMigration implements Migration { + + private final CRUDStorage<DataLakeMeasure> dataLakeStorage; + private final IPermissionStorage permissionStorage; + private final PermissionResourceManager permissionResourceManager; + + + public CreateDatasetPermissionMigration() { + this.dataLakeStorage = StorageDispatcher.INSTANCE.getNoSqlStore().getDataLakeStorage(); + this.permissionStorage = StorageDispatcher.INSTANCE.getNoSqlStore().getPermissionStorage(); + this.permissionResourceManager = new PermissionResourceManager(); + } + + @Override + public boolean shouldExecute() { + return true; + } + + @Override + public void executeMigration() throws IOException { + dataLakeStorage.findAll().forEach(measure -> { + var existingPermission = permissionStorage.getObjectPermissions(List.of(measure.getMeasureName())); + if (existingPermission.isEmpty()) { + permissionResourceManager.createDefault( + measure.getMeasureName(), + DataLakeMeasure.class, + null, Review Comment: For the measurement owner: would it be possible to check whether there is a pipeline writing to this measurement? If so, we could use the pipeline owner as the default; otherwise, we would keep the value as null. What do you think? ########## streampipes-pipeline-management/src/main/java/org/apache/streampipes/manager/permission/DataLakePermissionManager.java: ########## @@ -0,0 +1,71 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +package org.apache.streampipes.manager.permission; + +import org.apache.streampipes.model.client.user.Permission; +import org.apache.streampipes.model.client.user.PermissionBuilder; +import org.apache.streampipes.model.datalake.DataLakeMeasure; +import org.apache.streampipes.model.graph.DataSinkInvocation; +import org.apache.streampipes.model.pipeline.Pipeline; +import org.apache.streampipes.model.staticproperty.FreeTextStaticProperty; +import org.apache.streampipes.storage.api.IPermissionStorage; +import org.apache.streampipes.storage.management.StorageDispatcher; + +import java.util.Optional; + +public class DataLakePermissionManager { + + //TODO Could also be static Review Comment: Can you remove this TODO -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
