Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[bugfix] security: fix check grant god when FLAGS_enable_authorize is… #4840

Merged
merged 8 commits into from
Nov 17, 2022
Merged

[bugfix] security: fix check grant god when FLAGS_enable_authorize is… #4840

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
756f0ca
[bugfix] security: fix check grant god when FLAGS_enable_authorize is…
codesigner Nov 9, 2022
78bb7f9
update test case
codesigner Nov 9, 2022
cc58dfd
Merge branch 'master' into fix-grant-god
codesigner Nov 10, 2022
ccf397a
refine test, add cloud auth type scenario
codesigner Nov 10, 2022
005373f
Merge branch 'master' into fix-grant-god
codesigner Nov 14, 2022
991ccc9
Merge branch 'master' into fix-grant-god
codesigner Nov 15, 2022
a4ac15e
Merge branch 'master' into fix-grant-god
codesigner Nov 16, 2022
380b9b6
Merge branch 'master' into fix-grant-god
codesigner Nov 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 10 additions & 9 deletions src/graph/service/PermissionManager.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,25 +133,26 @@ Status PermissionManager::canWriteRole(ClientSession *session,
meta::cpp2::RoleType targetRole,
GraphSpaceID spaceId,
const std::string &targetUser) {
if (!FLAGS_enable_authorize) {
return Status::OK();
// Some check should be done no matter FLAGS_enable_authorize is true or false
// Check 1. Reject any user grant or revoke role to GOD,
if (targetRole == meta::cpp2::RoleType::GOD) {
return Status::PermissionError("No permission to grant/revoke god user.");
}
// Cloud auth user cannot grant role

// Check 2. Cloud auth user cannot grant role
if (FLAGS_auth_type == "cloud") {
return Status::PermissionError("Cloud authenticate user can't write role.");
}

if (!FLAGS_enable_authorize) {
return Status::OK();
}
/**
* Reject grant or revoke to himself.
*/
if (session->user() == targetUser) {
return Status::PermissionError("No permission to grant/revoke yourself.");
}
/*
* Reject any user grant or revoke role to GOD
*/
if (targetRole == meta::cpp2::RoleType::GOD) {
return Status::PermissionError("No permission to grant/revoke god user.");
}
/*
* God user can be grant or revoke any one.
*/
Expand Down
20 changes: 19 additions & 1 deletion tests/tck/cluster/Example.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Feature: Example
"""
GRANT ROLE god on s1 to user1
"""
Then the execution should be successful
Then an PermissionError should be raised at runtime: No permission to grant/revoke god user.

Scenario: test with enable authorize
Given a nebulacluster with 1 graphd and 1 metad and 1 storaged:
Expand All @@ -39,3 +39,21 @@ Feature: Example
GRANT ROLE god on s1 to user1
"""
Then an PermissionError should be raised at runtime: No permission to grant/revoke god user.

Scenario: test with auth type is cloud
Given a nebulacluster with 1 graphd and 1 metad and 1 storaged:
"""
graphd:auth_type=cloud
"""
When executing query:
"""
CREATE USER user1 WITH PASSWORD 'nebula';
CREATE SPACE s1(vid_type=int)
"""
And wait 3 seconds
Then the execution should be successful
When executing query:
"""
GRANT ROLE god on s1 to user1
"""
Then an PermissionError should be raised at runtime: Cloud authenticate user can't write role.