root
/
rabbitmq-server
mirror of https://github.com/rabbitmq/rabbitmq-server.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into rabbitmq-management-460

This commit is contained in:
Michael Klishin 2017-08-03 16:16:19 +03:00
parent 6b2cb31773 bd2e5f6da0
commit 2158cb3ef7
4 changed files with 85 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
deps/rabbitmq_management/priv/www/js/formatters.js vendored
View File

@ -633,7 +633,7 @@ function link_conn(name, desc) {
}
function link_channel(name) {
return _link_to(short_chan(name), '#/channels/' + esc(name))
return _link_to(short_chan(name), '#/channels/' + esc(name));
}
function link_exchange(vhost, name, args) {
@ -646,19 +646,19 @@ function link_queue(vhost, name, args) {
}
function link_vhost(name) {
return _link_to(name, '#/vhosts/' + esc(name))
return _link_to(name, '#/vhosts/' + esc(name));
}
function link_user(name) {
return _link_to(name, '#/users/' + esc(name))
return _link_to(name, '#/users/' + esc(name));
}
function link_node(name) {
return _link_to(name, '#/nodes/' + esc(name))
return _link_to(name, '#/nodes/' + esc(name));
}
function link_policy(vhost, name) {
return _link_to(name, '#/policies/' + esc(vhost) + '/' + esc(name))
return _link_to(name, '#/policies/' + esc(vhost) + '/' + esc(name));
}
function _link_to(name, url, highlight, args) {

5
deps/rabbitmq_management/priv/www/js/tmpl/topic-permissions.ejs vendored
View File

@ -76,10 +76,9 @@ for (var i = 0; i < topic_permissions.length; i++) {
<tr>
<th><label>Exchange:</label></th>
<td>
<% console.log(exchanges) %>
<div id='list-exchanges'>
<div id='list-exchanges'>
<%= format('list-exchanges', {'exchanges': exchanges}) %>
</div>
</div>
</td>
</tr>
<tr>

27
deps/rabbitmq_management/src/rabbit_mgmt_util.erl vendored
View File

@ -92,15 +92,15 @@ is_authorized_monitor(ReqData, Context) ->
is_authorized_vhost(ReqData, Context) ->
is_authorized(ReqData, Context,
<<"User not authorised to access virtual host">>,
fun(User) ->
user_matches_vhost(ReqData, User)
fun(#user{tags = Tags} = User) ->
is_admin(Tags) orelse user_matches_vhost(ReqData, User)
end).
is_authorized_vhost_visible(ReqData, Context) ->
is_authorized(ReqData, Context,
<<"User not authorised to access virtual host">>,
fun(User) ->
user_matches_vhost_visible(ReqData, User)
fun(#user{tags = Tags} = User) ->
is_admin(Tags) orelse user_matches_vhost_visible(ReqData, User)
end).
user_matches_vhost(ReqData, User) ->
@ -136,8 +136,9 @@ is_authorized_policies(ReqData, Context) ->
is_authorized(ReqData, Context,
<<"User not authorised to access object">>,
fun(User = #user{tags = Tags}) ->
is_policymaker(Tags) andalso
user_matches_vhost(ReqData, User)
is_admin(Tags) orelse
(is_policymaker(Tags) andalso
user_matches_vhost(ReqData, User))
end).
%% For global parameters. Must be policymaker.
@ -877,7 +878,12 @@ all_or_one_vhost(ReqData, Fun) ->
end.
filter_vhost(List, ReqData, Context) ->
VHosts = list_login_vhosts(Context#context.user, cowboy_req:get(socket, ReqData)),
User = #user{tags = Tags} = Context#context.user,
Fn = case is_admin(Tags) of
true -> fun list_visible_vhosts/2;
false -> fun list_login_vhosts/2
end,
VHosts = Fn(User, cowboy_req:get(socket, ReqData)),
[I || I <- List, lists:member(pget(vhost, I), VHosts)].
filter_user(List, _ReqData, #context{user = User}) ->
@ -924,12 +930,9 @@ is_mgmt_user(T) -> intersects(T, [administrator, monitoring, policymaker,
intersects(A, B) -> lists:any(fun(I) -> lists:member(I, B) end, A).
%% The distinction between list_visible_vhosts and list_login_vhosts
%% is there to ensure that admins / monitors can always learn of the
%% is there to ensure that monitors can always learn of the
%% existence of all vhosts, and can always see their contribution to
%% global stats. However, if an admin / monitor does not have any
%% permissions for a vhost, it's probably less confusing to make that
%% prevent them from seeing "into" it, than letting them see stuff
%% that they then can't touch.
%% global stats.
list_visible_vhosts(User) ->
list_visible_vhosts(User, undefined).

86
deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl vendored
View File

@ -189,6 +189,12 @@ end_per_testcase0(vhost_limit_set_test, Config) ->
rabbit_ct_broker_helpers:delete_vhost(Config, <<"limit_test_vhost_1">>),
rabbit_ct_broker_helpers:delete_user(Config, <<"limit_test_vhost_1_user">>),
Config;
end_per_testcase0(permissions_vhost_test, Config) ->
rabbit_ct_broker_helpers:delete_vhost(Config, <<"myvhost1">>),
rabbit_ct_broker_helpers:delete_vhost(Config, <<"myvhost2">>),
rabbit_ct_broker_helpers:delete_user(Config, <<"myuser1">>),
rabbit_ct_broker_helpers:delete_user(Config, <<"myuser2">>),
Config;
end_per_testcase0(_, Config) -> Config.
%% -------------------------------------------------------------------
%% Testcases.
@ -1008,8 +1014,6 @@ permissions_administrator_test(Config) ->
http_get(Config, Path, "isadmin", "isadmin", ?OK),
http_get(Config, Path, "guest", "guest", ?OK)
end,
%% All users can get a list of vhosts. It may be filtered.
%%Test("/vhosts"),
Test("/vhosts/%2f"),
Test("/vhosts/%2f/permissions"),
Test("/users"),
@ -1024,6 +1028,8 @@ permissions_administrator_test(Config) ->
permissions_vhost_test(Config) ->
QArgs = #{},
PermArgs = [{configure, <<".*">>}, {write, <<".*">>}, {read, <<".*">>}],
http_put(Config, "/users/myadmin", [{password, <<"myadmin">>},
{tags, <<"administrator">>}], {group, '2xx'}),
http_put(Config, "/users/myuser", [{password, <<"myuser">>},
{tags, <<"management">>}], {group, '2xx'}),
http_put(Config, "/vhosts/myvhost1", none, {group, '2xx'}),
@ -1055,14 +1061,22 @@ permissions_vhost_test(Config) ->
http_get(Config, Path1 ++ "/myvhost2/" ++ Path2, "myuser", "myuser",
?NOT_AUTHORISED)
end,
Test3 =
fun(Path1) ->
http_get(Config, Path1 ++ "/myvhost1/", "myadmin", "myadmin",
?OK)
end,
Test1("/exchanges"),
Test2("/exchanges", ""),
Test2("/exchanges", "amq.direct"),
Test3("/exchanges"),
Test1("/queues"),
Test2("/queues", ""),
Test3("/queues"),
Test2("/queues", "myqueue"),
Test1("/bindings"),
Test2("/bindings", ""),
Test3("/bindings"),
Test2("/queues", "myqueue/bindings"),
Test2("/exchanges", "amq.default/bindings/source"),
Test2("/exchanges", "amq.default/bindings/destination"),
@ -1071,6 +1085,7 @@ permissions_vhost_test(Config) ->
http_delete(Config, "/vhosts/myvhost1", {group, '2xx'}),
http_delete(Config, "/vhosts/myvhost2", {group, '2xx'}),
http_delete(Config, "/users/myuser", {group, '2xx'}),
http_delete(Config, "/users/myadmin", {group, '2xx'}),
passed.
permissions_amqp_test(Config) ->
@ -1716,15 +1731,19 @@ exchanges_pagination_test(Config) ->
exchanges_pagination_permissions_test(Config) ->
http_put(Config, "/users/admin", [{password, <<"admin">>},
{tags, <<"administrator">>}], {group, '2xx'}),
http_put(Config, "/users/non-admin", [{password, <<"non-admin">>},
{tags, <<"management">>}], {group, '2xx'}),
Perms = [{configure, <<".*">>},
{write, <<".*">>},
{read, <<".*">>}],
http_put(Config, "/vhosts/vh1", none, {group, '2xx'}),
http_put(Config, "/permissions/vh1/non-admin", Perms, {group, '2xx'}),
http_put(Config, "/permissions/%2f/admin", Perms, {group, '2xx'}),
http_put(Config, "/permissions/vh1/admin", Perms, {group, '2xx'}),
QArgs = #{},
http_put(Config, "/exchanges/%2f/test0", QArgs, {group, '2xx'}),
http_put(Config, "/exchanges/vh1/test1", QArgs, "admin","admin", {group, '2xx'}),
FirstPage = http_get(Config, "/exchanges?page=1&name=test1","admin","admin", ?OK),
http_put(Config, "/exchanges/%2f/test0", QArgs, "admin", "admin", {group, '2xx'}),
http_put(Config, "/exchanges/vh1/test1", QArgs, "non-admin", "non-admin", {group, '2xx'}),
FirstPage = http_get(Config, "/exchanges?page=1&name=test1", "non-admin", "non-admin", ?OK),
?assertEqual(8, maps:get(total_count, FirstPage)),
?assertEqual(1, maps:get(item_count, FirstPage)),
?assertEqual(1, maps:get(page, FirstPage)),
@ -1733,8 +1752,9 @@ exchanges_pagination_permissions_test(Config) ->
assert_list([#{name => <<"test1">>, vhost => <<"vh1">>}
], maps:get(items, FirstPage)),
http_delete(Config, "/exchanges/%2f/test0", {group, '2xx'}),
http_delete(Config, "/exchanges/vh1/test1","admin","admin", {group, '2xx'}),
http_delete(Config, "/exchanges/vh1/test1", {group, '2xx'}),
http_delete(Config, "/users/admin", {group, '2xx'}),
http_delete(Config, "/users/non-admin", {group, '2xx'}),
passed.
@ -1895,17 +1915,21 @@ queue_pagination_columns_test(Config) ->
passed.
queues_pagination_permissions_test(Config) ->
http_put(Config, "/users/non-admin", [{password, <<"non-admin">>},
{tags, <<"management">>}], {group, '2xx'}),
http_put(Config, "/users/admin", [{password, <<"admin">>},
{tags, <<"administrator">>}], {group, '2xx'}),
Perms = [{configure, <<".*">>},
{write, <<".*">>},
{read, <<".*">>}],
http_put(Config, "/vhosts/vh1", none, {group, '2xx'}),
http_put(Config, "/permissions/vh1/non-admin", Perms, {group, '2xx'}),
http_put(Config, "/permissions/%2f/admin", Perms, {group, '2xx'}),
http_put(Config, "/permissions/vh1/admin", Perms, {group, '2xx'}),
QArgs = #{},
http_put(Config, "/queues/%2f/test0", QArgs, {group, '2xx'}),
http_put(Config, "/queues/vh1/test1", QArgs, "admin","admin", {group, '2xx'}),
FirstPage = http_get(Config, "/queues?page=1","admin","admin", ?OK),
http_put(Config, "/queues/vh1/test1", QArgs, "non-admin","non-admin", {group, '2xx'}),
FirstPage = http_get(Config, "/queues?page=1", "non-admin", "non-admin", ?OK),
?assertEqual(1, maps:get(total_count, FirstPage)),
?assertEqual(1, maps:get(item_count, FirstPage)),
?assertEqual(1, maps:get(page, FirstPage)),
@ -1913,9 +1937,21 @@ queues_pagination_permissions_test(Config) ->
?assertEqual(1, maps:get(page_count, FirstPage)),
assert_list([#{name => <<"test1">>, vhost => <<"vh1">>}
], maps:get(items, FirstPage)),
FirstPageAdm = http_get(Config, "/queues?page=1", "admin", "admin", ?OK),
?assertEqual(2, maps:get(total_count, FirstPageAdm)),
?assertEqual(2, maps:get(item_count, FirstPageAdm)),
?assertEqual(1, maps:get(page, FirstPageAdm)),
?assertEqual(100, maps:get(page_size, FirstPageAdm)),
?assertEqual(1, maps:get(page_count, FirstPageAdm)),
assert_list([#{name => <<"test1">>, vhost => <<"vh1">>},
#{name => <<"test0">>, vhost => <<"/">>}
], maps:get(items, FirstPageAdm)),
http_delete(Config, "/queues/%2f/test0", {group, '2xx'}),
http_delete(Config, "/queues/vh1/test1","admin","admin", {group, '2xx'}),
http_delete(Config, "/users/admin", {group, '2xx'}),
http_delete(Config, "/users/non-admin", {group, '2xx'}),
passed.
samples_range_test(Config) ->
@ -2380,17 +2416,15 @@ policy_permissions_test(Config) ->
http_put(Config, "/parameters/test/%2f/good", Param, {group, '2xx'}),
Pos = fun (U) ->
Expected = case U of "admin" -> ?CREATED; _ -> ?NO_CONTENT end,
http_put(Config, "/policies/v/HA", Policy, U, U, Expected),
http_put(Config,
"/parameters/test/v/good", Param, U, U, {group, '2xx'}),
1 = length(http_get(Config, "/policies", U, U, ?OK)),
1 = length(http_get(Config, "/parameters/test", U, U, ?OK)),
1 = length(http_get(Config, "/parameters", U, U, ?OK)),
1 = length(http_get(Config, "/policies/v", U, U, ?OK)),
1 = length(http_get(Config, "/parameters/test/v", U, U, ?OK)),
http_get(Config, "/policies/v/HA", U, U, ?OK),
http_get(Config, "/parameters/test/v/good", U, U, ?OK)
http_put(Config, "/policies/v/HA", Policy, U, U, {group, '2xx'}),
http_put(Config, "/parameters/test/v/good", Param, U, U, {group, '2xx'}),
http_get(Config, "/policies", U, U, {group, '2xx'}),
http_get(Config, "/parameters/test", U, U, {group, '2xx'}),
http_get(Config, "/parameters", U, U, {group, '2xx'}),
http_get(Config, "/policies/v", U, U, {group, '2xx'}),
http_get(Config, "/parameters/test/v", U, U, {group, '2xx'}),
http_get(Config, "/policies/v/HA", U, U, {group, '2xx'}),
http_get(Config, "/parameters/test/v/good", U, U, {group, '2xx'})
end,
Neg = fun (U) ->
http_put(Config, "/policies/v/HA", Policy, U, U, ?NOT_AUTHORISED),
@ -2410,15 +2444,22 @@ policy_permissions_test(Config) ->
AlwaysNeg =
fun (U) ->
http_put(Config, "/policies/%2f/HA", Policy, U, U, ?NOT_AUTHORISED),
http_put(Config,
"/parameters/test/%2f/good", Param, U, U, ?NOT_AUTHORISED),
http_put(Config, "/parameters/test/%2f/good", Param, U, U, ?NOT_AUTHORISED),
http_get(Config, "/policies/%2f/HA", U, U, ?NOT_AUTHORISED),
http_get(Config, "/parameters/test/%2f/good", U, U, ?NOT_AUTHORISED)
end,
AdminPos =
fun (U) ->
http_put(Config, "/policies/%2f/HA", Policy, U, U, {group, '2xx'}),
http_put(Config, "/parameters/test/%2f/good", Param, U, U, {group, '2xx'}),
http_get(Config, "/policies/%2f/HA", U, U, {group, '2xx'}),
http_get(Config, "/parameters/test/%2f/good", U, U, {group, '2xx'})
end,
[Neg(U) || U <- ["mon", "mgmt"]],
[Pos(U) || U <- ["admin", "policy"]],
[AlwaysNeg(U) || U <- ["mon", "mgmt", "admin", "policy"]],
[AlwaysNeg(U) || U <- ["mon", "mgmt", "policy"]],
[AdminPos(U) || U <- ["admin"]],
%% This one is deliberately different between admin and policymaker.
http_put(Config, "/parameters/test/v/admin", Param, "admin", "admin", {group, '2xx'}),
@ -2706,4 +2747,3 @@ wait_until(Fun, N) ->
http_post_json(Config, Path, Body, Assertion) ->
http_upload_raw(Config, post, Path, Body, "guest", "guest",
Assertion, [{"Content-Type", "application/json"}]).