make sure the local admin user always has the builtin Admin role

Graylog2 · Aug 19, 2015 · 3d5397f · 3d5397f
1 parent baeb147
commit 3d5397f
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 11 deletions.
diff --git a/graylog2-server/src/main/java/org/graylog2/users/RoleService.java b/graylog2-server/src/main/java/org/graylog2/users/RoleService.java
@@ -47,4 +47,6 @@ public interface RoleService {
      * @return the number of deleted roles
      */
     int delete(String roleName);
+
+    String getAdminRoleObjectId();
 }
diff --git a/graylog2-server/src/main/java/org/graylog2/users/RoleServiceImpl.java b/graylog2-server/src/main/java/org/graylog2/users/RoleServiceImpl.java
@@ -59,6 +59,7 @@ public class RoleServiceImpl implements RoleService {
 
     private final JacksonDBCollection<RoleImpl, ObjectId> dbCollection;
     private final Validator validator;
+    private final String adminRoleObjectId;
 
     @Inject
     protected RoleServiceImpl(MongoConnection mongoConnection,
@@ -75,16 +76,16 @@ protected RoleServiceImpl(MongoConnection mongoConnection,
         dbCollection.createIndex(new BasicDBObject(NAME_LOWER, 1), new BasicDBObject("unique", true));
 
         // make sure the two built-in roles actually exist
-        ensureBuiltinRole(ADMIN_ROLENAME, Sets.newHashSet("*"), "Admin",
+        adminRoleObjectId = ensureBuiltinRole(ADMIN_ROLENAME, Sets.newHashSet("*"), "Admin",
-                          "Grants all permissions for Graylog administrators (built-in)");
+                                              "Grants all permissions for Graylog administrators (built-in)");
         ensureBuiltinRole(READER_ROLENAME, RestPermissions.READER_BASE_PERMISSIONS, "Reader",
                           "Grants basic permissions for every Graylog user (built-in)");
 
     }
 
-    private void ensureBuiltinRole(String roleName,
+    private String ensureBuiltinRole(String roleName,
-                                   Set<String> expectedPermissions,
+                                     Set<String> expectedPermissions,
-                                   String name, String description) {
+                                     String name, String description) {
         RoleImpl previousRole = null;
         try {
             previousRole = load(roleName);
@@ -104,11 +105,17 @@ private void ensureBuiltinRole(String roleName,
             fixedAdmin.setDescription(description);
             fixedAdmin.setPermissions(expectedPermissions);
             try {
-                save(fixedAdmin);
+                final RoleImpl savedRole = save(fixedAdmin);
+                return savedRole.getId();
             } catch (DuplicateKeyException | ValidationException e) {
                 log.error("Unable to save fixed " + roleName + " role, please restart Graylog to fix this.", e);
             }
         }
+        if (previousRole == null) {
+            log.error("Unable to access fixed " + roleName + " role, please restart Graylog to fix this.");
+            return null;
+        }
+        return previousRole.getId();
     }
 
     @Override
@@ -185,5 +192,8 @@ public int delete(String roleName) {
         return dbCollection.remove(nameMatchesAndNotReadonly).getN();
     }
 
-
+    @Override
+    public String getAdminRoleObjectId() {
+        return adminRoleObjectId;
+    }
 }
diff --git a/graylog2-server/src/main/java/org/graylog2/users/UserImpl.java b/graylog2-server/src/main/java/org/graylog2/users/UserImpl.java
@@ -18,6 +18,7 @@
 
 import com.google.common.collect.Collections2;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
@@ -286,10 +287,12 @@ public void setStartpage(final String type, final String id) {
 
     public static class LocalAdminUser extends UserImpl {
         private final Configuration configuration;
+        private final Set<String> roles;
 
-        public LocalAdminUser(Configuration configuration) {
+        public LocalAdminUser(Configuration configuration, String adminRoleObjectId) {
             super(null, Collections.<String, Object>emptyMap());
             this.configuration = configuration;
+            this.roles = ImmutableSet.of(adminRoleObjectId);
         }
 
         @Override
@@ -349,7 +352,7 @@ public boolean isLocalAdmin() {
         @Nonnull
         @Override
         public Set<String> getRoleIds() {
-            return Collections.emptySet();
+            return roles;
         }
 
         @Override

diff --git a/graylog2-server/src/main/java/org/graylog2/users/UserServiceImpl.java b/graylog2-server/src/main/java/org/graylog2/users/UserServiceImpl.java
@@ -72,7 +72,7 @@ public User load(final String username) {
         // special case for the locally defined user, we don't store that in MongoDB.
         if (configuration.getRootUsername().equals(username)) {
             LOG.debug("User {} is the built-in admin user", username);
-            return new UserImpl.LocalAdminUser(configuration);
+            return new UserImpl.LocalAdminUser(configuration, roleService.getAdminRoleObjectId());
         }
 
         final DBObject query = new BasicDBObject();
@@ -219,7 +219,7 @@ public <T extends Persisted> String save(T model) throws ValidationException {
 
     @Override
     public User getAdminUser() {
-        return new UserImpl.LocalAdminUser(configuration);
+        return new UserImpl.LocalAdminUser(configuration, roleService.getAdminRoleObjectId());
     }
 
     @Override