KYLO-599: No longer removed original nodes on allowed actions copy

sqjsun · May 9, 2017 · 62f2b76 · 62f2b76
1 parent e1be1e8
commit 62f2b76
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 14 deletions.
diff --git a/...src/main/java/com/thinkbiganalytics/metadata/modeshape/security/JcrAccessControlUtil.java b/...src/main/java/com/thinkbiganalytics/metadata/modeshape/security/JcrAccessControlUtil.java
@@ -117,6 +117,7 @@ public static boolean addPermissions(Session session, String path, Principal pri
                 // to an existing principal.  This can be considered a bug in ModeShape.
                 SimplePrincipal simple = SimplePrincipal.newInstance(principal.getName());
                 boolean added = acl.addAccessControlEntry(simple, privileges);
+//                validate(acl);
                 acm.setPolicy(path, acl);
 
                 return added;
@@ -130,6 +131,57 @@ public static boolean addPermissions(Session session, String path, Principal pri
 
     }
 
+    /**
+     * Validate that the given policy will not result in a frozen access control state.
+     * I.e. verifies that at least one entry exists with the the JCR_MODIFY_ACCESS_CONTROL
+     * privilege; either directly or via an aggregate privilege.
+     */
+    private static void validate(AccessControlList acl) {
+        try {
+            for (AccessControlEntry entry : acl.getAccessControlEntries()) {
+                if (impliesAny(entry.getPrivileges(), Privilege.JCR_MODIFY_ACCESS_CONTROL)) {
+                    return;
+                }
+            }
+
+            throw new IllegalStateException("The specified ACL will result in a frozed access control state: " + acl);
+        } catch (RepositoryException e) {
+            throw new MetadataRepositoryException("Failed to access ACL: " + acl, e);
+        }
+    }
+
+    /**
+     * Tests if the specified privilege implies, either directly or as an aggregate, the named privilege.
+     * @param checked the privilege being checked
+     * @param implied the name of the privilege to be implied
+     * @return true if the check privilege implies the given privilege name
+     */
+    private static boolean implies(Privilege checked, String implied) {
+        if (checked.getName().equals(implied)) {
+            return true;
+        } else if (checked.isAggregate()) {
+            return impliesAny(checked.getAggregatePrivileges(), implied);
+        } else {
+            return false;
+        }
+    }
+
+    /**
+     * Tests if any of the specified privileges imply, either directly or as an aggregate, the named privilege.
+     * @param privileges an array of privileges
+     * @param implied the name of the privilege to be implied
+     * @return true if the any of the privileges implies the given privilege name
+     */
+    public static boolean impliesAny(Privilege[] privileges, String implied) {
+        for (Privilege checked : privileges) {
+            if (implies(checked, implied)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Adds the specified privilege to the node hierarchy starting at a child node and proceeding through its parents until
      * the destination node is reached.

diff --git a/...main/java/com/thinkbiganalytics/metadata/modeshape/security/action/JcrAllowedActions.java b/...main/java/com/thinkbiganalytics/metadata/modeshape/security/action/JcrAllowedActions.java
@@ -232,9 +232,10 @@ public JcrAllowedActions copy(Node allowedNode, Principal principal, String... p
 
     public JcrAllowedActions copy(Node allowedNode, boolean includeDescr, Principal principal, String... privilegeNames) {
         try {
-            for (Node existing : JcrUtil.getInterableChildren(allowedNode)) {
-                existing.remove();
-            }
+            // TODO Remove extraneous nodes in destination
+//            for (Node existing : JcrUtil.getIterableChildren(allowedNode)) {
+//                existing.remove();
+//            }
 
             JcrAccessControlUtil.addPermissions(allowedNode, principal, privilegeNames);
 

diff --git a/...thinkbiganalytics/metadata/modeshape/security/action/JcrAllowedEntityActionsProvider.java b/...thinkbiganalytics/metadata/modeshape/security/action/JcrAllowedEntityActionsProvider.java
@@ -89,15 +89,12 @@ public JcrAllowedActions createEntityAllowedActions(String entityName, Node dest
              .map(protoAllowed -> { 
                      Principal mgmtPrincipal = new ModeShapeAdminPrincipal();
                      JcrAllowedActions jcrProtoAllowed = (JcrAllowedActions) protoAllowed;
-                     Node securityNode = JcrUtil.getNode(JcrMetadataAccess.getActiveSession(), SecurityPaths.SECURITY.toString());
-                     Node svcAllowedNode = JcrUtil.getOrCreateNode(securityNode, AllowedActions.SERVICES, JcrAllowedActions.NODE_TYPE);
+                     JcrAllowedActions entityAllowed = jcrProtoAllowed.copy(destActionsNode, mgmtPrincipal, Privilege.JCR_ALL);
 
-                     JcrAllowedActions entityAllowed = jcrProtoAllowed.copy(svcAllowedNode, mgmtPrincipal, Privilege.JCR_ALL);
+                     JcrAccessControlUtil.addPermissions(destActionsNode, mgmtPrincipal, Privilege.JCR_ALL);
+                     JcrAccessControlUtil.addPermissions(destActionsNode, SimplePrincipal.EVERYONE, Privilege.JCR_READ);
 
-                     JcrAccessControlUtil.addPermissions(svcAllowedNode, mgmtPrincipal, Privilege.JCR_ALL);
-                     JcrAccessControlUtil.addPermissions(svcAllowedNode, SimplePrincipal.EVERYONE, Privilege.JCR_READ);
-
-                     for (Node actionNode : JcrUtil.getNodesOfType(svcAllowedNode, JcrAllowableAction.NODE_TYPE)) {
+                     for (Node actionNode : JcrUtil.getNodesOfType(destActionsNode, JcrAllowableAction.NODE_TYPE)) {
                          // Initially only allow the mgmt principal access to the actions themselves
                          JcrAccessControlUtil.addPermissions(actionNode, mgmtPrincipal, Privilege.JCR_ALL);
                      }

diff --git a/...ata-modeshape/src/main/java/com/thinkbiganalytics/metadata/modeshape/support/JcrUtil.java b/...ata-modeshape/src/main/java/com/thinkbiganalytics/metadata/modeshape/support/JcrUtil.java
@@ -156,7 +156,7 @@ public static Node getParent(Node node) {
      */
     public static List<Node> getNodeList(Node parent, String name) {
         return StreamSupport
-            .stream(getInterableChildren(parent, name).spliterator(), false)
+            .stream(getIterableChildren(parent, name).spliterator(), false)
             .collect(Collectors.toList());
     }
 
@@ -263,11 +263,11 @@ public static List<Node> getNodesOfType(Node parentNode, String nodeType) {
         }
     }
 
-    public static Iterable<Node> getInterableChildren(Node parent) {
-        return getInterableChildren(parent, null);
+    public static Iterable<Node> getIterableChildren(Node parent) {
+        return getIterableChildren(parent, null);
     }
 
-    public static Iterable<Node> getInterableChildren(Node parent, String name) {
+    public static Iterable<Node> getIterableChildren(Node parent, String name) {
         @SuppressWarnings("unchecked")
         Iterable<Node> itr = () -> {
             try {

diff --git a/...rade-service/src/main/java/com/thinkbiganalytics/metadata/upgrade/UpgradeKyloService.java b/...rade-service/src/main/java/com/thinkbiganalytics/metadata/upgrade/UpgradeKyloService.java
@@ -89,6 +89,11 @@
 @Order(PostMetadataConfigAction.LATE_ORDER + 100)
 public class UpgradeKyloService implements PostMetadataConfigAction {
 //public class UpgradeKyloService {
+
+//    public static final KyloVersion[] UPGRADE_VERSIONS = new KyloVersion[] 
+//                    {
+//                     KyloVersionUtil.version("0.7.")
+//                    };
 
     private static final Logger log = LoggerFactory.getLogger(UpgradeKyloService.class);
     @Inject