-
Notifications
You must be signed in to change notification settings - Fork 5.1k
[Improvement-18383][API] Disable create user, reset password, and username edit in non-PASSWORD auth modes #18384
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: dev
Are you sure you want to change the base?
Changes from all commits
1034ad3
459902d
5392230
5e15c20
1aa0807
4e6537d
268207d
a0b19e0
9e69f05
ea8f6c9
322475b
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -21,6 +21,7 @@ | |
|
|
||
| import org.apache.dolphinscheduler.api.enums.Status; | ||
| import org.apache.dolphinscheduler.api.exceptions.ServiceException; | ||
| import org.apache.dolphinscheduler.api.security.AuthenticationType; | ||
| import org.apache.dolphinscheduler.api.service.SessionService; | ||
| import org.apache.dolphinscheduler.api.service.UsersService; | ||
| import org.apache.dolphinscheduler.api.utils.CheckUtils; | ||
|
|
@@ -64,6 +65,7 @@ | |
| import lombok.extern.slf4j.Slf4j; | ||
|
|
||
| import org.springframework.beans.factory.annotation.Autowired; | ||
| import org.springframework.beans.factory.annotation.Value; | ||
| import org.springframework.stereotype.Service; | ||
| import org.springframework.transaction.annotation.Transactional; | ||
|
|
||
|
|
@@ -101,6 +103,20 @@ public class UsersServiceImpl extends BaseServiceImpl implements UsersService { | |
| @Autowired | ||
| private SessionService sessionService; | ||
|
|
||
| @Value("${security.authentication.type:PASSWORD}") | ||
| private String securityAuthenticationType = AuthenticationType.PASSWORD.name(); | ||
|
|
||
| @Value("${security.authentication.oauth2.enable:false}") | ||
| private boolean oauth2Enabled; | ||
|
|
||
| private boolean isPasswordManagementDisabled() { | ||
| if (oauth2Enabled) { | ||
| return true; | ||
| } | ||
| return StringUtils.isNotBlank(securityAuthenticationType) | ||
| && !AuthenticationType.PASSWORD.name().equals(securityAuthenticationType); | ||
| } | ||
|
|
||
| /** | ||
| * create user, only system admin have permission | ||
| * | ||
|
|
@@ -128,6 +144,10 @@ public User createUser(User loginUser, | |
| throw new ServiceException(Status.USER_NO_OPERATION_PERM); | ||
| } | ||
|
|
||
| if (isPasswordManagementDisabled()) { | ||
| throw new ServiceException(Status.OPERATION_NOT_ALLOWED_IN_NON_PASSWORD_MODE); | ||
| } | ||
|
|
||
| // check all user params | ||
| String msg = this.checkUserParams(userName, userPassword, email, phone); | ||
| if (!StringUtils.isEmpty(msg)) { | ||
|
|
@@ -356,7 +376,11 @@ public User updateUser(User loginUser, | |
| } | ||
| } | ||
|
|
||
| if (StringUtils.isNotEmpty(userName)) { | ||
| if (StringUtils.isNotEmpty(userName) && !StringUtils.equals(userName, user.getUserName())) { | ||
|
|
||
| if (isPasswordManagementDisabled()) { | ||
| throw new ServiceException(Status.OPERATION_NOT_ALLOWED_IN_NON_PASSWORD_MODE); | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This rejects unchanged usernames too. Normal non-credential edits such as email/phone/tenant/state now fail in LDAP/OIDC/SSO mode.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Very thorough. |
||
| } | ||
|
|
||
| if (!CheckUtils.checkUserName(userName)) { | ||
| throw new ServiceException(Status.REQUEST_PARAMS_NOT_VALID_ERROR, userName); | ||
|
|
@@ -371,6 +395,11 @@ public User updateUser(User loginUser, | |
| } | ||
|
|
||
| if (StringUtils.isNotEmpty(userPassword)) { | ||
|
|
||
| if (isPasswordManagementDisabled()) { | ||
| throw new ServiceException(Status.OPERATION_NOT_ALLOWED_IN_NON_PASSWORD_MODE); | ||
| } | ||
|
|
||
| if (!CheckUtils.checkPasswordLength(userPassword)) { | ||
| throw new ServiceException(Status.USER_PASSWORD_LENGTH_ERROR); | ||
| } | ||
|
|
@@ -872,6 +901,11 @@ private String checkUserParams(String userName, String password, String email, S | |
| @Override | ||
| @Transactional | ||
| public User registerUser(String userName, String userPassword, String repeatPassword, String email) { | ||
|
|
||
| if (isPasswordManagementDisabled()) { | ||
| throw new ServiceException(Status.OPERATION_NOT_ALLOWED_IN_NON_PASSWORD_MODE); | ||
| } | ||
|
|
||
| // check user params | ||
| String msg = this.checkUserParams(userName, userPassword, email, ""); | ||
| if (!StringUtils.isEmpty(msg)) { | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,154 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one or more | ||
| * contributor license agreements. See the NOTICE file distributed with | ||
| * this work for additional information regarding copyright ownership. | ||
| * The ASF licenses this file to You under the Apache License, Version 2.0 | ||
| * (the "License"); you may not use this file except in compliance with | ||
| * the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.apache.dolphinscheduler.api.controller; | ||
|
|
||
| import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; | ||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; | ||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; | ||
|
|
||
| import org.apache.dolphinscheduler.api.enums.Status; | ||
| import org.apache.dolphinscheduler.api.service.UsersService; | ||
| import org.apache.dolphinscheduler.api.utils.Result; | ||
| import org.apache.dolphinscheduler.common.utils.JSONUtils; | ||
| import org.apache.dolphinscheduler.dao.entity.User; | ||
|
|
||
| import org.junit.jupiter.api.Assertions; | ||
| import org.junit.jupiter.api.Test; | ||
| import org.springframework.beans.factory.annotation.Autowired; | ||
| import org.springframework.http.MediaType; | ||
| import org.springframework.test.context.TestPropertySource; | ||
| import org.springframework.test.web.servlet.MvcResult; | ||
| import org.springframework.util.LinkedMultiValueMap; | ||
| import org.springframework.util.MultiValueMap; | ||
|
|
||
| @TestPropertySource(properties = { | ||
| "security.authentication.type=PASSWORD", | ||
| "security.authentication.oauth2.enable=false" | ||
| }) | ||
| public class UsersControllerPasswordModeTest extends AbstractControllerTest { | ||
|
|
||
| @Autowired | ||
| private UsersService usersService; | ||
|
|
||
| @Test | ||
| public void testCreateUserSuccess() throws Exception { | ||
| String userName = uniqueUserName("create_success"); | ||
|
|
||
| MultiValueMap<String, String> paramsMap = new LinkedMultiValueMap<>(); | ||
| paramsMap.add("userName", userName); | ||
| paramsMap.add("userPassword", "123456qwe?"); | ||
| paramsMap.add("tenantId", "-1"); | ||
| paramsMap.add("queue", ""); | ||
| paramsMap.add("email", userName + "@example.com"); | ||
| paramsMap.add("phone", "15800000000"); | ||
| paramsMap.add("state", "1"); | ||
|
|
||
| MvcResult mvcResult = mockMvc.perform(post("/users/create") | ||
| .header(SESSION_ID, sessionId) | ||
| .params(paramsMap)) | ||
| .andExpect(status().isCreated()) | ||
| .andExpect(content().contentType(MediaType.APPLICATION_JSON)) | ||
| .andReturn(); | ||
|
|
||
| Result result = JSONUtils.parseObject(mvcResult.getResponse().getContentAsString(), Result.class); | ||
| Assertions.assertEquals(Status.SUCCESS.getCode(), result.getCode().intValue()); | ||
| } | ||
|
|
||
| @Test | ||
| public void testUpdateUserSuccess() throws Exception { | ||
| String userName = uniqueUserName("update_success"); | ||
| createUser(userName); | ||
| User user = usersService.getUserByUserName(userName); | ||
|
|
||
| MultiValueMap<String, String> paramsMap = new LinkedMultiValueMap<>(); | ||
| paramsMap.add("id", String.valueOf(user.getId())); | ||
| paramsMap.add("userName", userName + "_new"); | ||
| paramsMap.add("userPassword", ""); | ||
| paramsMap.add("tenantId", "-1"); | ||
| paramsMap.add("queue", ""); | ||
| paramsMap.add("email", "updated-" + userName + "@example.com"); | ||
| paramsMap.add("phone", "15800000001"); | ||
| paramsMap.add("state", "1"); | ||
| paramsMap.add("timeZone", "Asia/Shanghai"); | ||
|
|
||
| MvcResult mvcResult = mockMvc.perform(post("/users/update") | ||
| .header(SESSION_ID, sessionId) | ||
| .params(paramsMap)) | ||
| .andExpect(status().isOk()) | ||
| .andExpect(content().contentType(MediaType.APPLICATION_JSON)) | ||
| .andReturn(); | ||
|
|
||
| Result result = JSONUtils.parseObject(mvcResult.getResponse().getContentAsString(), Result.class); | ||
| Assertions.assertEquals(Status.SUCCESS.getCode(), result.getCode().intValue()); | ||
| } | ||
|
|
||
| @Test | ||
| public void testUpdateUserPasswordSuccess() throws Exception { | ||
| String userName = uniqueUserName("password_success"); | ||
| createUser(userName); | ||
| User user = usersService.getUserByUserName(userName); | ||
|
|
||
| MultiValueMap<String, String> paramsMap = new LinkedMultiValueMap<>(); | ||
| paramsMap.add("id", String.valueOf(user.getId())); | ||
| paramsMap.add("userName", userName); | ||
| paramsMap.add("userPassword", "updated123?"); | ||
| paramsMap.add("tenantId", "-1"); | ||
| paramsMap.add("queue", ""); | ||
| paramsMap.add("email", userName + "@example.com"); | ||
| paramsMap.add("phone", "15800000002"); | ||
| paramsMap.add("state", "1"); | ||
| paramsMap.add("timeZone", "Asia/Shanghai"); | ||
|
|
||
| MvcResult mvcResult = mockMvc.perform(post("/users/update") | ||
| .header(SESSION_ID, sessionId) | ||
| .params(paramsMap)) | ||
| .andExpect(status().isOk()) | ||
| .andExpect(content().contentType(MediaType.APPLICATION_JSON)) | ||
| .andReturn(); | ||
|
|
||
| Result result = JSONUtils.parseObject(mvcResult.getResponse().getContentAsString(), Result.class); | ||
| Assertions.assertEquals(Status.SUCCESS.getCode(), result.getCode().intValue()); | ||
| } | ||
|
|
||
| @Test | ||
| public void testRegisterUserSuccess() throws Exception { | ||
| MultiValueMap<String, String> paramsMap = new LinkedMultiValueMap<>(); | ||
| String userName = uniqueUserName("register_success"); | ||
| paramsMap.add("userName", userName); | ||
| paramsMap.add("userPassword", "123456qwe?"); | ||
| paramsMap.add("repeatPassword", "123456qwe?"); | ||
| paramsMap.add("email", userName + "@example.com"); | ||
|
|
||
| MvcResult mvcResult = mockMvc.perform(post("/users/register") | ||
| .params(paramsMap)) | ||
| .andExpect(status().isOk()) | ||
| .andExpect(content().contentType(MediaType.APPLICATION_JSON)) | ||
| .andReturn(); | ||
|
|
||
| Result result = JSONUtils.parseObject(mvcResult.getResponse().getContentAsString(), Result.class); | ||
| Assertions.assertEquals(Status.SUCCESS.getCode(), result.getCode().intValue()); | ||
| } | ||
|
|
||
| private User createUser(String userName) { | ||
| return usersService.createUser(userName, "123456qwe?", userName + "@example.com", -1, "15800000000", "", 1); | ||
| } | ||
|
|
||
| private String uniqueUserName(String prefix) { | ||
| return prefix + "_" + System.nanoTime(); | ||
| } | ||
| } |
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an incompatible modification and needs to be added to the document.
docs/docs/en/guide/upgrade/incompatible.mddocs/docs/zh/guide/upgrade/incompatible.mdWhen
security.authentication.type = passwordandoauth2.enable=trueat the same time, it will lead to confusion for users, so we should add a unified type for users to choose.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is actually a separate issue. I plan to create a new issue to handle it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the same kind of thing. For users, it is an incompatible changes. Please submit it in the current PR.