[ISSUE alibaba#10583]修复权限 (alibaba#10587)

* 修复权限 * 修改为console * 修改为console
wukong121 · Aug 3, 2023 · 579940a · 579940a
1 parent 3767c84
commit 579940a
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 0 deletions.
diff --git a/config/src/main/java/com/alibaba/nacos/config/server/controller/ClientMetricsController.java b/config/src/main/java/com/alibaba/nacos/config/server/controller/ClientMetricsController.java
@@ -18,6 +18,7 @@
 
 import com.alibaba.nacos.api.config.remote.request.ClientConfigMetricRequest;
 import com.alibaba.nacos.api.config.remote.response.ClientConfigMetricResponse;
+import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.common.http.Callback;
 import com.alibaba.nacos.common.http.HttpClientBeanHolder;
 import com.alibaba.nacos.common.http.HttpUtils;
@@ -34,6 +35,8 @@
 import com.alibaba.nacos.core.remote.ConnectionManager;
 import com.alibaba.nacos.core.utils.GenericType;
 import com.alibaba.nacos.core.utils.Loggers;
+import com.alibaba.nacos.plugin.auth.constant.ActionTypes;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 import com.alibaba.nacos.sys.env.EnvUtil;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -76,6 +79,7 @@ public ClientMetricsController(ServerMemberManager serverMemberManager, Connecti
      * @return ResponseEntity
      */
     @GetMapping("/cluster")
+    @Secured(resource = Constants.METRICS_CONTROLLER_PATH, action = ActionTypes.READ, signType = SignType.CONFIG)
     public ResponseEntity metric(@RequestParam("ip") String ip,
             @RequestParam(value = "dataId", required = false) String dataId,
             @RequestParam(value = "group", required = false) String group,
@@ -132,6 +136,7 @@ public void onCancel() {
      * Get client config listener lists of subscriber in local machine.
      */
     @GetMapping("/current")
+    @Secured(resource = Constants.METRICS_CONTROLLER_PATH, action = ActionTypes.READ, signType = SignType.CONFIG)
     public Map<String, Object> getClientMetrics(@RequestParam("ip") String ip,
             @RequestParam(value = "dataId", required = false) String dataId,
             @RequestParam(value = "group", required = false) String group,

diff --git a/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java b/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java
@@ -30,6 +30,7 @@
 import com.alibaba.nacos.persistence.repository.embedded.operate.DatabaseOperate;
 import com.alibaba.nacos.config.server.utils.LogUtil;
 import com.alibaba.nacos.core.utils.WebUtils;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 import com.alibaba.nacos.sys.utils.ApplicationUtils;
 import com.alibaba.nacos.common.utils.StringUtils;
 import org.slf4j.Logger;
@@ -70,6 +71,7 @@ public ConfigOpsController(DumpService dumpService) {
      * Manually trigger dump of a local configuration file.
      */
     @PostMapping(value = "/localCache")
+    @Secured(resource = Constants.OPS_CONTROLLER_PATH, action = ActionTypes.WRITE, signType = SignType.CONSOLE)
     public String updateLocalCacheFromStore() {
         LOGGER.info("start to dump all data from store.");
         dumpService.dumpAll();
@@ -78,6 +80,7 @@ public String updateLocalCacheFromStore() {
     }
 
     @PutMapping(value = "/log")
+    @Secured(resource = Constants.OPS_CONTROLLER_PATH, action = ActionTypes.WRITE, signType = SignType.CONSOLE)
     public String setLogLevel(@RequestParam String logName, @RequestParam String logLevel) {
         LogUtil.setLogLevel(logName, logLevel);
         return HttpServletResponse.SC_OK + "";

diff --git a/config/src/main/java/com/alibaba/nacos/config/server/controller/ListenerController.java b/config/src/main/java/com/alibaba/nacos/config/server/controller/ListenerController.java
@@ -16,12 +16,15 @@
 
 package com.alibaba.nacos.config.server.controller;
 
+import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.common.utils.StringUtils;
 import com.alibaba.nacos.config.server.constant.Constants;
 import com.alibaba.nacos.config.server.model.GroupkeyListenserStatus;
 import com.alibaba.nacos.config.server.model.SampleResult;
 import com.alibaba.nacos.config.server.service.ConfigSubService;
 import com.alibaba.nacos.config.server.utils.GroupKey2;
+import com.alibaba.nacos.plugin.auth.constant.ActionTypes;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 import org.springframework.ui.ModelMap;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -50,6 +53,7 @@ public ListenerController(ConfigSubService configSubService) {
      * Get subscribe information from client side.
      */
     @GetMapping
+    @Secured(resource = Constants.LISTENER_CONTROLLER_PATH, action = ActionTypes.READ, signType = SignType.CONFIG)
     public GroupkeyListenserStatus getAllSubClientConfigByIp(@RequestParam("ip") String ip,
             @RequestParam(value = "all", required = false) boolean all,
             @RequestParam(value = "tenant", required = false) String tenant,

diff --git a/core/src/main/java/com/alibaba/nacos/core/controller/CoreOpsController.java b/core/src/main/java/com/alibaba/nacos/core/controller/CoreOpsController.java
@@ -24,6 +24,7 @@
 import com.alibaba.nacos.core.distributed.id.IdGeneratorManager;
 import com.alibaba.nacos.core.utils.Commons;
 import com.alibaba.nacos.core.utils.Loggers;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
@@ -80,6 +81,7 @@ public RestResult<Map<String, Map<Object, Object>>> idInfo() {
     }
 
     @PutMapping(value = "/log")
+    @Secured(action = ActionTypes.WRITE, resource = "nacos/admin", signType = SignType.CONSOLE)
     public String setLogLevel(@RequestParam String logName, @RequestParam String logLevel) {
         Loggers.setLogLevel(logName, logLevel);
         return HttpServletResponse.SC_OK + "";

diff --git a/core/src/main/java/com/alibaba/nacos/core/controller/NacosClusterController.java b/core/src/main/java/com/alibaba/nacos/core/controller/NacosClusterController.java
@@ -16,6 +16,7 @@
 
 package com.alibaba.nacos.core.controller;
 
+import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.common.model.RestResult;
 import com.alibaba.nacos.common.model.RestResultUtils;
 import com.alibaba.nacos.common.utils.JacksonUtils;
@@ -26,6 +27,8 @@
 import com.alibaba.nacos.core.cluster.ServerMemberManager;
 import com.alibaba.nacos.core.utils.Commons;
 import com.alibaba.nacos.core.utils.Loggers;
+import com.alibaba.nacos.plugin.auth.constant.ActionTypes;
+import com.alibaba.nacos.plugin.auth.constant.SignType;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -52,6 +55,7 @@ public NacosClusterController(ServerMemberManager memberManager) {
     }
 
     @GetMapping(value = "/self")
+    @Secured(resource = Commons.NACOS_CORE_CONTEXT + "/cluster", action = ActionTypes.READ, signType = SignType.CONSOLE)
     public RestResult<Member> self() {
         return RestResultUtils.success(memberManager.getSelf());
     }
@@ -63,6 +67,7 @@ public RestResult<Member> self() {
      * @return all members
      */
     @GetMapping(value = "/nodes")
+    @Secured(resource = Commons.NACOS_CORE_CONTEXT + "/cluster", action = ActionTypes.READ, signType = SignType.CONSOLE)
     public RestResult<Collection<Member>> listNodes(
             @RequestParam(value = "keyword", required = false) String ipKeyWord) {
         Collection<Member> members = memberManager.allMembers();
@@ -86,11 +91,13 @@ public RestResult<Collection<Member>> listNodes(
     // cluster according to this interface
 
     @GetMapping(value = "/simple/nodes")
+    @Secured(resource = Commons.NACOS_CORE_CONTEXT + "/cluster", action = ActionTypes.READ, signType = SignType.CONSOLE)
     public RestResult<Collection<String>> listSimpleNodes() {
         return RestResultUtils.success(memberManager.getMemberAddressInfos());
     }
 
     @GetMapping("/health")
+    @Secured(resource = Commons.NACOS_CORE_CONTEXT + "/cluster", action = ActionTypes.READ, signType = SignType.CONSOLE)
     public RestResult<String> getHealth() {
         return RestResultUtils.success(memberManager.getSelf().getState().name());
     }
@@ -103,6 +110,7 @@ public RestResult<String> getHealth() {
      */
     @Deprecated
     @PostMapping(value = {"/report"})
+    @Secured(resource = Commons.NACOS_CORE_CONTEXT + "/cluster", action = ActionTypes.WRITE, signType = SignType.CONSOLE)
     public RestResult<String> report(@RequestBody Member node) {
         if (!node.check()) {
             return RestResultUtils.failedWithMsg(400, "Node information is illegal");
@@ -121,6 +129,7 @@ public RestResult<String> report(@RequestBody Member node) {
      * @return {@link RestResult}
      */
     @PostMapping(value = "/switch/lookup")
+    @Secured(resource = Commons.NACOS_CORE_CONTEXT + "/cluster", action = ActionTypes.WRITE, signType = SignType.CONSOLE)
     public RestResult<String> switchLookup(@RequestParam(name = "type") String type) {
         try {
             memberManager.switchLookup(type);
@@ -138,6 +147,7 @@ public RestResult<String> switchLookup(@RequestParam(name = "type") String type)
      * @throws Exception {@link Exception}
      */
     @PostMapping("/server/leave")
+    @Secured(resource = Commons.NACOS_CORE_CONTEXT + "/cluster", action = ActionTypes.WRITE, signType = SignType.CONSOLE)
     public RestResult<String> leave(@RequestBody Collection<String> params,
             @RequestParam(defaultValue = "true") Boolean notifyOtherMembers) throws Exception {
         return RestResultUtils.failed(405, "/v1/core/cluster/server/leave API not allow to use temporarily.");