func (self *ClusterConfiguration) AuthenticateClusterAdmin(username, password string) (common.User, error) {
user := self.clusterAdmins[username]
if user == nil {
return nil, common.NewAuthorizationError("Invalid username/password")
}
if user.isValidPwd(password) {
return user, nil
}
return nil, common.NewAuthorizationError("Invalid username/password")
}
func (self *ClusterConfiguration) AuthenticateDbUser(db, username, password string) (common.User, error) {
dbUsers := self.dbUsers[db]
if dbUsers == nil || dbUsers[username] == nil {
return nil, common.NewAuthorizationError("Invalid username/password")
}
user := dbUsers[username]
if user.isValidPwd(password) {
return user, nil
}
return nil, common.NewAuthorizationError("Invalid username/password")
}
func (self *Permissions) AuthorizeChangeDbUserPassword(user common.User, db string, targetUsername string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) && !(user.GetDb() == db && user.GetName() == targetUsername) {
return false, common.NewAuthorizationError("Insufficient permissions to change db user password for %s on %s", targetUsername, db)
}
return true, ""
}
func (self *Permissions) AuthorizeChangeClusterAdminPassword(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to change cluster admin password")
}
return true, ""
}
func (self *Permissions) AuthorizeDeleteClusterAdmin(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to delete cluster admin")
}
return true, ""
}
func (self *Permissions) AuthorizeDeleteQuery(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permission to write to %s", db)
}
return true, ""
}
func (self *Permissions) AuthorizeDropDatabase(user common.User) (ok bool, err common.AuthorizationError) {
if !user.IsClusterAdmin() {
return false, common.NewAuthorizationError("Insufficient permissions to drop database")
}
return true, ""
}
func (self *Permissions) AuthorizeListContinuousQueries(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to list continuous queries")
}
return true, ""
}
func (self *Permissions) AuthorizeDropSeries(user common.User, db string, seriesName string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) && !user.HasWriteAccess(seriesName) {
return false, common.NewAuthorizationError("Insufficient permissions to drop series")
}
return true, ""
}
func (self *Permissions) AuthorizeGrantDbUserAdmin(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to grant db user admin privileges on %s", db)
}
return true, ""
}
func (self *Permissions) AuthorizeChangeDbUserPermissions(user common.User, db string) (ok bool, err common.AuthorizationError) {
if !user.IsDbAdmin(db) {
return false, common.NewAuthorizationError("Insufficient permissions to change db user permissions on %s", db)
}
return true, ""
}
func (self *Coordinator) WriteSeriesData(user common.User, db string, series []*protocol.Series) error {
// make sure that the db exist
if !self.clusterConfiguration.DatabasesExists(db) {
return fmt.Errorf("Database %s doesn't exist", db)
}
for _, s := range series {
seriesName := s.GetName()
if user.HasWriteAccess(seriesName) {
continue
}
return common.NewAuthorizationError("User %s doesn't have write permissions for %s", user.GetName(), seriesName)
}
err := self.CommitSeriesData(db, series, false)
if err != nil {
return err
}
for _, s := range series {
self.ProcessContinuousQueries(db, s)
}
return err
}
func (self *Permissions) AuthorizeSelectQuery(user common.User, db string, querySpec *parser.QuerySpec) (ok bool, err common.AuthorizationError) {
// if this isn't a regex query do the permission check here
fromClause := querySpec.SelectQuery().GetFromClause()
for _, n := range fromClause.Names {
if _, ok := n.Name.GetCompiledRegex(); ok {
break
} else if name := n.Name.Name; !user.HasReadAccess(name) {
return false, common.NewAuthorizationError("User doesn't have read access to %s", name)
}
}
return true, ""
}
func (self *PermissionsSuite) TestAuthorizeDeleteQuery(c *C) {
var ok bool
var err common.AuthorizationError
authErr := common.NewAuthorizationError("Insufficient permission to write to db")
ok, err = self.permissions.AuthorizeDeleteQuery(self.commonUser, "db")
c.Assert(ok, Equals, false)
c.Assert(err, Equals, authErr)
ok, _ = self.permissions.AuthorizeDeleteQuery(self.dbAdmin, "db")
c.Assert(ok, Equals, true)
ok, _ = self.permissions.AuthorizeDeleteQuery(self.clusterAdmin, "db")
c.Assert(ok, Equals, true)
}
func (self *PermissionsSuite) TestAuthorizeListContinuousQueries(c *C) {
var ok bool
var err common.AuthorizationError
authErr := common.NewAuthorizationError("Insufficient permissions to list continuous queries")
ok, err = self.permissions.AuthorizeListContinuousQueries(self.commonUser, "db")
c.Assert(ok, Equals, false)
c.Assert(err, Equals, authErr)
ok, _ = self.permissions.AuthorizeListContinuousQueries(self.dbAdmin, "db")
c.Assert(ok, Equals, true)
ok, _ = self.permissions.AuthorizeListContinuousQueries(self.clusterAdmin, "db")
c.Assert(ok, Equals, true)
}
func (self *PermissionsSuite) TestAuthorizeGrantDbUserAdmin(c *C) {
var ok bool
var err common.AuthorizationError
authErr := common.NewAuthorizationError("Insufficient permissions to grant db user admin privileges on db")
ok, err = self.permissions.AuthorizeGrantDbUserAdmin(self.commonUser, "db")
c.Assert(ok, Equals, false)
c.Assert(err, Equals, authErr)
ok, _ = self.permissions.AuthorizeGrantDbUserAdmin(self.dbAdmin, "db")
c.Assert(ok, Equals, true)
ok, _ = self.permissions.AuthorizeGrantDbUserAdmin(self.clusterAdmin, "db")
c.Assert(ok, Equals, true)
}
func (self *PermissionsSuite) TestAuthorizeChangeDbUserPermissions(c *C) {
var ok bool
var err common.AuthorizationError
authErr := common.NewAuthorizationError("Insufficient permissions to change db user permissions on db")
ok, err = self.permissions.AuthorizeChangeDbUserPermissions(self.commonUser, "db")
c.Assert(ok, Equals, false)
c.Assert(err, Equals, authErr)
ok, _ = self.permissions.AuthorizeChangeDbUserPermissions(self.dbAdmin, "db")
c.Assert(ok, Equals, true)
ok, _ = self.permissions.AuthorizeChangeDbUserPermissions(self.clusterAdmin, "db")
c.Assert(ok, Equals, true)
}
func (self *PermissionsSuite) TestAuthorizeDropDatabase(c *C) {
var ok bool
var err common.AuthorizationError
authErr := common.NewAuthorizationError("Insufficient permissions to drop database")
ok, err = self.permissions.AuthorizeDropDatabase(self.commonUser)
c.Assert(ok, Equals, false)
c.Assert(err, Equals, authErr)
ok, _ = self.permissions.AuthorizeDropDatabase(self.dbAdmin)
c.Assert(ok, Equals, false)
c.Assert(err, Equals, authErr)
ok, _ = self.permissions.AuthorizeDropDatabase(self.clusterAdmin)
c.Assert(ok, Equals, true)
}
func (self *PermissionsSuite) TestAuthorizeChangeClusterAdminPassword(c *C) {
var ok bool
var err common.AuthorizationError
authErr := common.NewAuthorizationError("Insufficient permissions to change cluster admin password")
ok, err = self.permissions.AuthorizeChangeClusterAdminPassword(self.commonUser)
c.Assert(ok, Equals, false)
c.Assert(err, Equals, authErr)
ok, _ = self.permissions.AuthorizeChangeClusterAdminPassword(self.dbAdmin)
c.Assert(ok, Equals, false)
c.Assert(err, Equals, authErr)
ok, _ = self.permissions.AuthorizeChangeClusterAdminPassword(self.clusterAdmin)
c.Assert(ok, Equals, true)
}
func (self *PermissionsSuite) TestAuthorizeDropSeries(c *C) {
var ok bool
var err common.AuthorizationError
authErr := common.NewAuthorizationError("Insufficient permissions to drop series")
ok, _ = self.permissions.AuthorizeDropSeries(self.dbAdmin, "db", "series")
c.Assert(ok, Equals, true)
ok, _ = self.permissions.AuthorizeDropSeries(self.clusterAdmin, "db", "series")
c.Assert(ok, Equals, true)
ok, _ = self.permissions.AuthorizeDropSeries(self.commonUser, "db", "series")
c.Assert(ok, Equals, false)
ok, err = self.permissions.AuthorizeDropSeries(self.commonUserNoWrite, "db", "series")
c.Assert(ok, Equals, false)
c.Assert(err, Equals, authErr)
}
