New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate user permissions to roles #1389

Merged
merged 4 commits into from Sep 3, 2015

Conversation

Projects
None yet
2 participants
@kroepke
Member

kroepke commented Sep 2, 2015

add periodical to migrate user's permissions to admin or reader roles during startup of the master

  • existing stream and dashboard permissions are preserved
  • existing other permissions set via the API are preserved
  • RestPermissions.readerPermissions are migrated to reader role
  • '*' is migrated to admin role

fixes #1382

add periodical to migrate user's permissions to admin or reader roles…
… during startup of the master

 - existing stream and dashboard permissions are preserved
 - existing other permissions set via the API are preserved
 - RestPermissions.readerPermissions are migrated to reader role
 - '*' is migrated to admin role

fixes #1382

@kroepke kroepke added this to the 1.2.0 milestone Sep 2, 2015

@joschi joschi self-assigned this Sep 2, 2015

final Set<String> fixedPermissions = Sets.newHashSet();
final Set<String> fixedRoleIds = Sets.newHashSet(user.getRoleIds());
final HashSet<String> permissionSet = Sets.newHashSet(user.getPermissions());

This comment has been minimized.

@joschi

joschi Sep 2, 2015

Contributor

Minor nitpick: Why declare the variable as HashSet (implementation) instead of Set (interface)?

This comment has been minimized.

@kroepke

kroepke Sep 2, 2015

Member

because alt-cmd-v did it.
i'll change it (how can i make intellij make a better choice!?)

final String adminRoleId = roleService.getAdminRoleObjectId();
final String readerRoleId = roleService.getReaderRoleObjectId();
for (User user : users) {

This comment has been minimized.

@joschi

joschi Sep 2, 2015

Contributor

So the migration process will always run on start. Is there some easy way to just run it only once?

This comment has been minimized.

@joschi

joschi Sep 2, 2015

Contributor

For example you could store a simple boolean in MongoDB using ClusterConfigService.

This comment has been minimized.

@kroepke

kroepke Sep 2, 2015

Member

will do, even though i think it will not make much of a difference, because it won't touch users after they are migrated.
still might be confusing people on debug level

This comment has been minimized.

@joschi

joschi Sep 3, 2015

Contributor

fixedRoleIds.add(readerRoleId);
}
// filter out the individual permissions to dashboards and streams
final ArrayList<String> dashboardStreamPermissions = Lists.newArrayList(

This comment has been minimized.

@joschi

joschi Sep 2, 2015

Contributor

Minor nitpick: Why declare the variable as ArrayList (implementation) instead of List (interface)?

public boolean apply(
String permission) {
return !basePermissions.contains(
permission) && !permission.equals(

This comment has been minimized.

@joschi

joschi Sep 2, 2015

Contributor

This formatting looks weird.

final UserPermissionMigrationState migrationState =
clusterConfigService.getOrDefault(UserPermissionMigrationState.class,
UserPermissionMigrationState.create(false));
if (migrationState.migrationDone()) {

This comment has been minimized.

@joschi

joschi Sep 2, 2015

Contributor

We could probably just move this into the startOnThisNode() method and return !migrationState.migrationDone(), which would just not run the periodical in clusters which have already been migrated.

This comment has been minimized.

@kroepke

kroepke Sep 2, 2015

Member

JA 👍

@joschi

This comment has been minimized.

Contributor

joschi commented Sep 3, 2015

LGTM. 👍

joschi added a commit that referenced this pull request Sep 3, 2015

Merge pull request #1389 from Graylog2/issue-1382
Migrate pre-1.2.0 user permissions to roles

@joschi joschi merged commit 460a121 into 1.2 Sep 3, 2015

3 checks passed

ci Jenkins build graylog2-server-integration-pr 210 has succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details

@joschi joschi deleted the issue-1382 branch Sep 3, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment