Merge branch 'release/0.9'

.version

@@ -1 +1 @@
-0.8.2
+0.9.0

CHANGELOG.md

@@ -1,6 +1,33 @@
 ## Changelog
 
-#### Version 0.9.0 (TBD)
+#### Version 0.9.0 (May 30, 2018)
+
+##### Vulnerabilities
+* Fixed a vulnerability that made it possible for a malicious plugin archive that contained entry names with path traversal elements to execute arbitrary code on the filesystem, if installed. This vulnerability, which was first disclosed by the [Snyk Security Research Team](https://snyk.io/docs/security), existed because Concourse did not verify that an entry, potentially extracted from a zipfile, would exist within the target directory if actually extracted. We've fixed this vulnerability by switching to the [zt-zip](https://github.com/zeroturnaround/zt-zip) library for internal zip handling. In addition to having protections against this vulnerability, `zt-zip` is battle-tested and well maintained by [ZeroTurnaround](https://zeroturnaround.com/). Thanks again to the Snyk Security Research Team for disclosing this vulnerability.
+
+##### Security Model
+* Added a notion of *user roles*. Each user account can either have the `ADMIN` or `USER` role. `ADMIN` users are permitted to invoke management functions whereas accounts with the `USER` role are not.
+	* All previously existing users are assigned the `ADMIN` role on upgrade. You can change a user's role using the `users` CLI.
+	* The `users create` command now requires a role to be provided interactively when prompted or non-interactively using the `--set-role` parameter.
+* Added an `edit` option to the `users` CLI that allows for setting a user's role and/or changing the password. The password can also still be changed using the `password` option of the `users` CLI.
+* Removed a constraint the prevented the default `admin` user account from being deleted.
+* Added additional logging around the upgrade process.
+* Fixed a bug that prevented upgrade tasks from being run when upgrading a Concourse Server instance that was never started prior to the upgrade.
+* Upgraded some internal libraries to help make server startup time faster.
+* Fixed a bug in `concourse-driver-java` that caused the `navigate` functions to report errors incorrectly.
+* Added *user permissions*. Each non-admin user account can be granted permission to `READ` or `WRITE` data within a specific environment:
+	* Permissions can be granted and revoked for a non-admin role user by a user who has the admin role.
+	* Permissions are granted on a per environment basis.
+	* A user with `READ` permission can read data from an environment but cannot write data.
+	* A user with `WRITE` permission can read and write data in an environment.
+	* Users with the admin role implicitly have `WRITE` permission to every environment.
+	* If a user's role is downgraded from admin to user, she will have the permissions she has before being assigned the admin role.
+	* If a user attempts to invoke a function for which she doesn't have permission, a `PermissionException` will be thrown, but the user's session will not terminate.
+	* A user with the admin role cannot have any of her permissions revoked.
+	* Plugins automatically inherit a user's access (based on role and permission).
+	* Service users that operate on behalf of plugins have `WRITE` access to every environment.
+
+##### Data Types
 * Added a `Criteria#at(Timestamp)` method to transform any `Criteria` object into one that has all clauses pinned to a specific `Timestamp`.
 * Added a static `Criteria#parse(String)` method to parse a CCL statement and produce an analogous `Criteria` object.
 * Streamlined the logic for server-side atomic operations to unlock higher performance potential.
@@ -12,9 +39,22 @@
 	* The `concourse-driver-ruby` uses the [`DateTime`](https://ruby-doc.org/stdlib-2.3.1/libdoc/date/rdoc/DateTime.html) class to represent `TIMESTAMP` values.
 	* The Concourse REST API allows specifying `TIMESTAMP` values as strings by prepending and appending a `|` to the value (e.g. `|December 30, 1987|`). It is also possible to specify a formatting pattern after the value like `|December 30, 1987|MMM dd, yyyy|`.
 * Added a `Timestamp#isDateOnly` method that returns `true` if a `Timestamp` does not contain a relevant temporal component (e.g. the `Timestamp` was created from a date string instead of a datetime string or a timestring).
+
+##### Performance
 * Upgraded the CCL parser to a newer and more efficient version. This change will yield general performance improvements in methods that parse CCL statements during evaluation.
+
+##### Developer Experience
 * The test Concourse instance used in a `ClientServerTest` will no longer be automatically deleted when the test fails. This will allow for manual inspection of the instance when debugging the test failure.
+* Added additional logging for plugin errors.
+* Added a `manage` interface to the driver APIs. This interface exposes a limited number of management methods that can be invoked programatically.
+
+##### Bug Fixes
 * Fixed a bug that caused the server to fail to start if the `conf/stopwords.txt` configuration file did not exist.
+* Fixed a bug that caused `PrettyLinkedHashMap#toString` to render improperly if data was added using the `putAll` method.
+* Fixed a bug in the `ConcourseImportDryRun#dump` method that caused the method to return an invalid JSON string.
+* Fixed a bug where a users whose access had been `disabled` was automatically re-enabled if her password was changed.
+
+##### Miscellaneous
 * Added the ability for the storage engine to track stats and metadata about database structures.
 
 #### Version 0.8.2 (April 17, 2018)

LICENSE-examples

@@ -5,7 +5,7 @@ Unless stated otherwise all examples are made available under the following lice
 
 The MIT License (MIT)
 
-Copyright (c) 2013-2017 Cinchapi Inc.
+Copyright (c) 2013-2018 Cinchapi Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

NOTICE

@@ -3,7 +3,7 @@
  ==============================================================================
 
                                 Concourse
-                    Copyright 2013-2017 Cinchapi Inc.
+                    Copyright 2013-2018 Cinchapi Inc.
 
   1. Includes software developed at Cinchapi (https://cinchapi.com).
 
@@ -22,6 +22,13 @@
      https://github.com/cinchapi/bucket
      Copyright 2017 Cinchapi Inc.
 
+     CCL
+     ---
+     The official specification and API library for the Concourse Criteria Language (CCL).
+
+     https://github.com/cinchapi/ccl
+     Copyright 2018 Cinchapi Inc.
+
   2. Includes software developed by the Apache Software Foundation
      (http://www.apache.org) or released under the Apache License,
      Version 2.0:
@@ -349,6 +356,13 @@
       https://github.com/xerial/sqlite-jdbc
       Copyright Taro L. Saito, David Crawshaw and associated authors
 
+      zt-zip
+      ------
+      The zt-zip project, started and coded by Rein Raudjärv and maintained by ZeroTurnaround, is a library for handling zip files programmatically.
+
+      https://zeroturnaround.com/
+      Copyright 2012 ZeroTurnaround LLC.
+
   3. Includes software released under the MIT License, which is compatible with
      the Apache License, Version 2.0:
 

README.md

@@ -1,13 +1,13 @@
 # Concourse
 
- ![](https://img.shields.io/badge/version-0.8.2-green.svg)
+ ![](https://img.shields.io/badge/version-0.9.0-green.svg)
  ![](https://img.shields.io/badge/status-alpha-orange.svg) ![](https://img.shields.io/badge/license-Apache%202-blue.svg)
  [![Join the chat at https://gitter.im/cinchapi/concourse](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/cinchapi/concourse?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
  [![](https://circleci.com/gh/cinchapi/concourse.svg?style=shield&circle-token=954a20e6114d649b1b6a046d95b953e7d05d2e2f)](https://circleci.com/gh/cinchapi/concourse)
 
 > [Concourse](http://concoursedb.com) is a self-tuning database for both ACID transactions and ad-hoc analytics across time. Developers prefer Concourse because it makes it easy to build operational software with on-demand data intelligence. Furthermore, Concourse greatly simplifies end-to-end data management by requiring no extra infrastructure, no prior configuration and no continuous tuning–all of which greatly reduce costs, and allow developers to focus on core business problems.
 
-This is version 0.8.2 of Concourse.
+This is version 0.9.0 of Concourse.
 
 ## Quickstart
 [![Deploy to Heroku](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy?template=https://github.com/cinchapi/concourse/tree/develop)
@@ -137,6 +137,6 @@ Read the [contributing guidelines](CONTRIBUTING.md) to learn how to get involved
 
 ##### License
 
-Copyright © 2013-2017 Cinchapi Inc.
+Copyright © 2013-2018 Cinchapi Inc.
 
 Concourse is released under the Apache License, Version 2.0. For more information see LICENSE, which is included with this package.

build.gradle

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -89,8 +89,18 @@ subprojects {
         all*.exclude group: 'com.google.code.findbugs', module: 'annotations'
     }
 
+    // Ensure that these transitive dependencies are excluded so we don't get version clashes
+    def exclusions = [[group : 'com.google.guava', module: 'guava']]
+    exclusions.each { exclusion ->
+        configurations.compile.dependencies.all {
+            if (name != exclusion.name || group != exclusion.group) {
+                exclude group: exclusion.group, module: exclusion.module
+            }
+        }
+    }
+
     dependencies {
-        compile 'com.google.guava:guava:19.0'
+        compile 'com.google.guava:guava:25.1-jre'
         compile 'org.mockito:mockito-all:1.9.5'
         compile 'commons-codec:commons-codec:1.8'
         compile 'com.google.code.findbugs:jsr305:2.0.1'
@@ -99,9 +109,7 @@ subprojects {
         compile 'joda-time:joda-time:2.2'
         compile 'org.apache.thrift:libthrift:0.9.3'
         compile 'commons-configuration:commons-configuration:1.9'
-        compile (group: 'com.cinchapi', name: 'accent4j', version: '1.0.0-SNAPSHOT', changing:true) {
-            exclude group: 'com.google.guava', module: 'guava'
-        }
+        compile group: 'com.cinchapi', name: 'accent4j', version: '1.0.0-SNAPSHOT', changing:true
         testCompile 'junit:junit:4.11'
     }
 
@@ -113,6 +121,10 @@ subprojects {
 
     group = 'com.cinchapi'
     version = globalVersion
+
+    // Versions for some shared (but non-global) dependencies
+    ext.bucketVersion = '1.4.1'
+
     // Drop the build component from version number and use that for
     // publishing
     ext.mavenVersion = version.split('\\.')

circle.yml

@@ -1,4 +1,4 @@
-# Copyright (c) 2013-2017 Cinchapi Inc.
+# Copyright (c) 2013-2018 Cinchapi Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

concourse-cli/build.gradle

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

concourse-cli/gradlew

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2013-2017 Cinchapi Inc.
+# Copyright (c) 2013-2018 Cinchapi Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

concourse-cli/src/main/java/com/cinchapi/concourse/cli/CommandLineInterface.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

concourse-cli/src/main/java/com/cinchapi/concourse/cli/CommandLineInterfaceRunner.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

concourse-cli/src/main/java/com/cinchapi/concourse/cli/NoOptions.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

concourse-cli/src/main/java/com/cinchapi/concourse/cli/Options.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

concourse-cli/src/main/java/com/cinchapi/concourse/cli/util/CommandLineInterfaces.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

concourse-driver-java/README.md

@@ -12,14 +12,14 @@ The concourse jar is available at [Maven Central](http://search.maven.org/#searc
 	}
 
 	dependencies {
-    	compile 'com.cinchapi:concourse-driver-java:0.8.2+'
+    	compile 'com.cinchapi:concourse-driver-java:0.9.0+'
 	}
 
 If you prefer to use another dependency manager like Maven or Ivy, then use the following project information when declaring the dependency:
 
 	GroupId: com.cinchapi
 	ArtifactId: concourse-driver-java
-	Version: 0.8.2+
+	Version: 0.9.0+
 
 Alternatively, you can [download](http://cinchapi.org/concourse/download-api) the latest jar and manually add it to your project's classpath.
 

concourse-driver-java/build.gradle

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,14 +25,12 @@ dependencies {
     compile 'org.slf4j:log4j-over-slf4j:1.7.5'
     compile 'org.slf4j:jcl-over-slf4j:1.7.5'
     compile 'com.google.code.gson:gson:2.5'
-    compile ('com.cinchapi:ccl:1.0.0'){
-        exclude group: 'com.google.guava', module:'guava'
-    }
+    compile group: 'com.cinchapi', name: 'ccl', version:'2.4.0'
 
     testCompile project(':concourse-unit-test-core')
     testCompile 'com.github.marschall:memoryfilesystem:0.9.0'
 }
 
 ext.uploadEnabled = true
 ext.title = 'Concourse'
-ext.description = 'Concourse is a self-tuning database that is designed for both ad hoc analytics and high volume transactions at scale. Developers use Concourse to quickly build mission critical software while also benefiting from real time insight into their most important data. With Concourse, end-to-end data management requires no extra infrastructure, no prior configuration and no additional coding–all of which greatly reduce costs and allow developers to focus on core business problems.'
+ext.description = 'Concourse is a distributed database warehouse for transactions, search, and analytics across time. Developers use Concourse to quickly build mission critical software while also benefiting from real time insight into their most important data. With Concourse, end-to-end data management requires no extra infrastructure, no prior configuration and no additional coding–all of which greatly reduce costs and allow developers to focus on core business problems.'

concourse-driver-java/gradlew

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2013-2017 Cinchapi Inc.
+# Copyright (c) 2013-2018 Cinchapi Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

concourse-driver-java/src/main/java/com/cinchapi/concourse/CachedConnectionPool.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

concourse-driver-java/src/main/java/com/cinchapi/concourse/Calculator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

concourse-driver-java/src/main/java/com/cinchapi/concourse/Concourse.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -161,6 +161,12 @@ public static Concourse copyExistingConnection(Concourse concourse) {
      */
     private Calculator calculator = null;
 
+    /**
+     * The interface to all of Concourse's client-side {@link #manage()
+     * management} methods.
+     */
+    private Manager manager = null;
+
     /**
      * Abort the current transaction and discard any changes that are currently
      * staged.
@@ -2226,6 +2232,19 @@ public abstract Map<Long, Boolean> link(String key,
      */
     public abstract boolean link(String key, long destination, long source);
 
+    /**
+     * Return a {@link Manager} to perform management operations to the
+     * connected Concourse Server deployment.
+     * 
+     * @return the {@link Manager management} interface
+     */
+    public Manager manage() {
+        if(manager == null) {
+            manager = new Manager(this);
+        }
+        return manager;
+    }
+
     /**
      * Traverse the document-graph along each of the navigation {@code keys},
      * starting at each of the {@code records} and return the data contained at

concourse-driver-java/src/main/java/com/cinchapi/concourse/ConcourseThriftDriver.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 Cinchapi Inc.
+ * Copyright (c) 2013-2018 Cinchapi Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@
 import org.apache.thrift.transport.TTransport;
 import org.apache.thrift.transport.TTransportException;
 
+import com.cinchapi.common.base.CheckedExceptions;
 import com.cinchapi.concourse.config.ConcourseClientPreferences;
 import com.cinchapi.concourse.lang.BuildableState;
 import com.cinchapi.concourse.lang.Criteria;
@@ -53,7 +54,6 @@
 import com.cinchapi.concourse.util.PrettyLinkedHashMap;
 import com.cinchapi.concourse.util.PrettyLinkedTableMap;
 import com.cinchapi.concourse.util.Transformers;
-import com.google.common.base.Throwables;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 
@@ -826,7 +826,7 @@ public void exit() {
             // delete all previously issued tokens.
         }
         catch (Exception e) {
-            throw Throwables.propagate(e);
+            throw CheckedExceptions.wrapAsRuntimeException(e);
         }
     }
 
@@ -2662,8 +2662,14 @@ <T> T execute(Callable<T> callable) {
         catch (com.cinchapi.concourse.thrift.ParseException e) {
             throw new ParseException(e);
         }
+        catch (com.cinchapi.concourse.thrift.PermissionException e) {
+            throw new PermissionException(e);
+        }
+        catch (com.cinchapi.concourse.thrift.ManagementException e) {
+            throw new ManagementException(e);
+        }
         catch (Exception e) {
-            throw Throwables.propagate(e);
+            throw CheckedExceptions.wrapAsRuntimeException(e);
         }
     }
 
@@ -2704,7 +2710,7 @@ private void authenticate() {
                     ClientSecurity.decrypt(password), environment);
         }
         catch (TException e) {
-            throw Throwables.propagate(e);
+            throw CheckedExceptions.wrapAsRuntimeException(e);
         }
     }