updates for sync

Author: parmesant

src/handlers/http/cluster/mod.rs

@@ -523,6 +523,7 @@ pub async fn sync_users_with_roles_with_ingestors(
     let userid = userid.to_owned();
     let headers = req.headers().clone();
     let op = operation.to_string();
+    let caller_userid = get_user_from_request(req).unwrap();
     for_each_live_node(tenant_id, move |ingestor| {
         let url = format!(
             "{}{}/user/{}/role/sync/{}",
@@ -533,7 +534,8 @@ pub async fn sync_users_with_roles_with_ingestors(
         );
 
         let role_data = role_data.clone();
-        let headermap = create_intracluster_auth_headermap(&headers, &ingestor.token, &userid);
+        let headermap =
+            create_intracluster_auth_headermap(&headers, &ingestor.token, &caller_userid);
         async move {
             let res = INTRA_CLUSTER_CLIENT
                 .patch(url)
@@ -572,6 +574,7 @@ pub async fn sync_user_deletion_with_ingestors(
     tenant_id: &Option<String>,
 ) -> Result<(), RBACError> {
     let userid = userid.to_owned();
+    let caller_userid = get_user_from_request(req).unwrap();
     let headers = req.headers().clone();
     for_each_live_node(tenant_id, move |ingestor| {
         let url = format!(
@@ -580,7 +583,8 @@ pub async fn sync_user_deletion_with_ingestors(
             base_path_without_preceding_slash(),
             userid
         );
-        let headermap = create_intracluster_auth_headermap(&headers, &ingestor.token, &userid);
+        let headermap =
+            create_intracluster_auth_headermap(&headers, &ingestor.token, &caller_userid);
         async move {
             let res = INTRA_CLUSTER_CLIENT
                 .delete(url)
@@ -629,6 +633,7 @@ pub async fn sync_user_creation(
         RBACError::SerdeError(err)
     })?;
 
+    let caller_userid = get_user_from_request(req)?;
     let userid = userid.to_string();
     let headers = req.headers().clone();
     for_each_live_node(tenant_id, move |node| {
@@ -638,7 +643,7 @@ pub async fn sync_user_creation(
             base_path_without_preceding_slash(),
             userid
         );
-        let headermap = create_intracluster_auth_headermap(&headers, &node.token, &userid);
+        let headermap = create_intracluster_auth_headermap(&headers, &node.token, &caller_userid);
         let user_data = user_data.clone();
 
         async move {
@@ -678,6 +683,7 @@ pub async fn sync_password_reset_with_ingestors(
 ) -> Result<(), RBACError> {
     let userid = username.to_owned();
     let tenant_id = get_tenant_id_from_request(&req);
+    let caller_userid = get_user_from_request(&req).unwrap();
     let headers = req.headers().clone();
     for_each_live_node(&tenant_id, move |ingestor| {
         let url = format!(
@@ -686,7 +692,8 @@ pub async fn sync_password_reset_with_ingestors(
             base_path_without_preceding_slash(),
             userid
         );
-        let headermap = create_intracluster_auth_headermap(&headers, &ingestor.token, &userid);
+        let headermap =
+            create_intracluster_auth_headermap(&headers, &ingestor.token, &caller_userid);
         async move {
             let res = INTRA_CLUSTER_CLIENT
                 .post(url)
@@ -767,6 +774,52 @@ pub async fn sync_role_update(
     .await
 }
 
+// forward the put role request to all ingestors and queriers to keep them in sync
+pub async fn sync_role_delete(
+    req: &HttpRequest,
+    name: String,
+    tenant_id: &Option<String>,
+) -> Result<(), RoleError> {
+    let userid = get_user_from_request(req).unwrap();
+    let headers = req.headers().clone();
+    for_each_live_node(tenant_id, move |node| {
+        let url = format!(
+            "{}{}/role/{}/sync",
+            node.domain_name,
+            base_path_without_preceding_slash(),
+            name
+        );
+
+        let headermap = create_intracluster_auth_headermap(&headers, &node.token, &userid);
+        async move {
+            let res = INTRA_CLUSTER_CLIENT
+                .delete(url)
+                .headers(headermap)
+                .header(header::CONTENT_TYPE, "application/json")
+                .send()
+                .await
+                .map_err(|err| {
+                    error!(
+                        "Fatal: failed to forward request to node: {}\n Error: {:?}",
+                        node.domain_name, err
+                    );
+                    RoleError::Network(err)
+                })?;
+
+            if !res.status().is_success() {
+                error!(
+                    "failed to forward request to node: {}\nResponse Returned: {:?}",
+                    node.domain_name,
+                    res.text().await
+                );
+            }
+
+            Ok(())
+        }
+    })
+    .await
+}
+
 pub fn fetch_daily_stats(
     date: &str,
     stream_meta_list: &[ObjectStoreFormat],

src/handlers/http/modal/ingest/ingestor_rbac.rs

@@ -35,14 +35,14 @@ use crate::{
     utils::get_tenant_id_from_request,
 };
 
-// Handler for POST /api/v1/user/{username}
+// Handler for POST /api/v1/user/{userid}
 // Creates a new user by username if it does not exists
 pub async fn post_user(
     req: HttpRequest,
-    username: web::Path<String>,
+    userid: web::Path<String>,
     body: Option<web::Json<serde_json::Value>>,
 ) -> Result<HttpResponse, RBACError> {
-    let username = username.into_inner();
+    let username = userid.into_inner();
 
     if let Some(body) = body {
         let user: ParseableUser = serde_json::from_value(body.into_inner())?;
@@ -198,13 +198,13 @@ pub async fn remove_roles_from_user(
     Ok(HttpResponse::Ok().status(StatusCode::OK).finish())
 }
 
-// Handler for POST /api/v1/user/{username}/generate-new-password
+// Handler for POST /api/v1/user/{userid}/generate-new-password
 // Resets password for the user to a newly generated one and returns it
 pub async fn post_gen_password(
     req: HttpRequest,
-    username: web::Path<String>,
+    userid: web::Path<String>,
 ) -> Result<HttpResponse, RBACError> {
-    let username = username.into_inner();
+    let username = userid.into_inner();
     let tenant_id = get_tenant_id_from_request(&req);
     let mut new_hash = String::default();
     let mut metadata = get_metadata(&tenant_id).await?;

src/handlers/http/modal/ingest/ingestor_role.rs

@@ -93,3 +93,33 @@ pub async fn put(
 
     Ok(HttpResponse::Ok().finish())
 }
+
+// Handler for PUT /api/v1/role/{name}
+// Creates a new role or update existing one
+pub async fn delete(
+    req: HttpRequest,
+    name: web::Path<String>,
+) -> Result<impl Responder, RoleError> {
+    let name = name.into_inner();
+    let req_tenant_id = get_tenant_id_from_request(&req);
+
+    // if req_tenant.ne(DEFAULT_TENANT) && (req_tenant_id.eq(&sync_req.tenant_id)) {
+    //     return Err(RoleError::Anyhow(anyhow::Error::msg(
+    //         "non super-admin user trying to create role for another tenant",
+    //     )));
+    // }
+    let mut metadata = get_metadata(&req_tenant_id).await?;
+    metadata.roles.remove(&name);
+
+    let _ = storage::put_staging_metadata(&metadata, &req_tenant_id);
+    let tenant_id = req_tenant_id
+        .as_deref()
+        .unwrap_or(DEFAULT_TENANT)
+        .to_owned();
+    mut_roles()
+        .entry(tenant_id.clone())
+        .or_default()
+        .remove(&name);
+
+    Ok(HttpResponse::Ok().finish())
+}

src/handlers/http/modal/ingest_server.rs

@@ -185,8 +185,8 @@ impl IngestServer {
     pub fn get_user_webscope() -> Scope {
         web::scope("/user")
             .service(
-                web::resource("/{username}/sync")
-                    // POST /user/{username}/sync => Sync creation of a new user
+                web::resource("/{userid}/sync")
+                    // POST /user/{userid}/sync => Sync creation of a new user
                     .route(
                         web::post()
                             .to(ingestor_rbac::post_user)
@@ -225,8 +225,8 @@ impl IngestServer {
                     ),
             )
             .service(
-                web::resource("/{username}/generate-new-password/sync")
-                    // POST /user/{username}/generate-new-password => reset password for this user
+                web::resource("/{userid}/generate-new-password/sync")
+                    // POST /user/{userid}/generate-new-password => reset password for this user
                     .route(
                         web::post()
                             .to(ingestor_rbac::post_gen_password)

src/handlers/http/modal/query/querier_rbac.rs

@@ -39,14 +39,14 @@ use crate::{
     validator,
 };
 
-// Handler for POST /api/v1/user/{username}
+// Handler for POST /api/v1/user/{userid}
 // Creates a new user by username if it does not exists
 pub async fn post_user(
     req: HttpRequest,
-    username: web::Path<String>,
+    userid: web::Path<String>,
     body: Option<web::Json<serde_json::Value>>,
 ) -> Result<impl Responder, RBACError> {
-    let username = username.into_inner();
+    let username = userid.into_inner();
     let tenant_id = get_tenant_id_from_request(&req);
     validator::user_role_name(&username)?;
     let mut metadata = get_metadata(&tenant_id).await?;
@@ -300,13 +300,13 @@ pub async fn remove_roles_from_user(
     Ok(HttpResponse::Ok().json(format!("Roles updated successfully for {username}")))
 }
 
-// Handler for POST /api/v1/user/{username}/generate-new-password
+// Handler for POST /api/v1/user/{userid}/generate-new-password
 // Resets password for the user to a newly generated one and returns it
 pub async fn post_gen_password(
     req: HttpRequest,
-    username: web::Path<String>,
+    userid: web::Path<String>,
 ) -> Result<impl Responder, RBACError> {
-    let username = username.into_inner();
+    let username = userid.into_inner();
     let mut new_password = String::default();
     let mut new_hash = String::default();
     let tenant_id = get_tenant_id_from_request(&req);

src/handlers/http/modal/query/querier_role.rs

@@ -25,13 +25,13 @@ use actix_web::{
 
 use crate::{
     handlers::http::{
-        cluster::sync_role_update,
+        cluster::{sync_role_delete, sync_role_update},
         modal::utils::rbac_utils::{get_metadata, put_metadata},
         role::RoleError,
     },
     parseable::DEFAULT_TENANT,
     rbac::{
-        map::{mut_roles, mut_sessions, read_user_groups, users},
+        map::{mut_roles, mut_sessions, read_user_groups, roles, users},
         role::model::{Role, RoleType},
     },
     utils::get_tenant_id_from_request,
@@ -108,3 +108,70 @@ pub async fn put(
 
     Ok(HttpResponse::Ok().finish())
 }
+
+// Handler for DELETE /api/v1/role/{name}
+// Delete existing role
+pub async fn delete(
+    req: HttpRequest,
+    name: web::Path<String>,
+) -> Result<impl Responder, RoleError> {
+    let name = name.into_inner();
+    let tenant_id = get_tenant_id_from_request(&req);
+    let tenant = tenant_id.as_deref().unwrap_or(DEFAULT_TENANT);
+    if let Some(tenant_roles) = roles().get(tenant)
+        && let Some(role) = tenant_roles.get(&name)
+        && role.role_type().eq(&RoleType::Internal)
+    {
+        return Err(RoleError::ProtectedRole);
+    }
+
+    // check if the role is being used by any user or group
+    let mut metadata = get_metadata(&tenant_id).await?;
+    if metadata.users.iter().any(|user| user.roles.contains(&name)) {
+        return Err(RoleError::RoleInUse);
+    }
+    if metadata
+        .user_groups
+        .iter()
+        .any(|user_group| user_group.roles.contains(&name))
+    {
+        return Err(RoleError::RoleInUse);
+    }
+    metadata.roles.remove(&name);
+    put_metadata(&metadata, &tenant_id).await?;
+
+    mut_roles()
+        .entry(tenant.to_owned())
+        .or_default()
+        .remove(&name);
+    // mut_roles().remove(&name);
+
+    // refresh the sessions of all users using this role
+    // for this, iterate over all user_groups and users and create a hashset of users
+    let mut session_refresh_users: HashSet<String> = HashSet::new();
+    if let Some(groups) = read_user_groups().get(tenant) {
+        for user_group in groups.values() {
+            if user_group.roles.contains(&name) {
+                session_refresh_users
+                    .extend(user_group.users.iter().map(|u| u.userid().to_string()));
+            }
+        }
+    }
+
+    // iterate over all users to see if they have this role
+    if let Some(users) = users().get(tenant) {
+        for user in users.values() {
+            if user.roles.contains(&name) {
+                session_refresh_users.insert(user.userid().to_string());
+            }
+        }
+    }
+
+    for userid in session_refresh_users {
+        mut_sessions().remove_user(&userid, tenant);
+    }
+
+    sync_role_delete(&req, name.clone(), &tenant_id).await?;
+
+    Ok(HttpResponse::Ok().finish())
+}

src/handlers/http/modal/query_server.rs

@@ -181,7 +181,11 @@ impl QueryServer {
                 // PUT, GET, DELETE Roles
                 resource("/{name}")
                     .route(web::put().to(querier_role::put).authorize(Action::PutRole))
-                    .route(web::delete().to(role::delete).authorize(Action::DeleteRole))
+                    .route(
+                        web::delete()
+                            .to(querier_role::delete)
+                            .authorize(Action::DeleteRole),
+                    )
                     .route(web::get().to(role::get).authorize(Action::GetRole)),
             )
     }
@@ -195,8 +199,8 @@ impl QueryServer {
                     .route(web::get().to(rbac::list_users).authorize(Action::ListUser)),
             )
             .service(
-                web::resource("/{username}")
-                    // POST /user/{username} => Create a new user
+                web::resource("/{userid}")
+                    // POST /user/{userid} => Create a new user
                     .route(
                         web::post()
                             .to(querier_rbac::post_user)
@@ -222,7 +226,7 @@ impl QueryServer {
                     // PATCH /user/{userid}/role/add => Add roles to a user
                     .route(
                         web::patch()
-                            .to(rbac::add_roles_to_user)
+                            .to(querier_rbac::add_roles_to_user)
                             .authorize(Action::PutUserRoles)
                             .wrap(DisAllowRootUser),
                     ),
@@ -232,14 +236,14 @@ impl QueryServer {
                     // PATCH /user/{userid}/role/remove => Remove roles from a user
                     .route(
                         web::patch()
-                            .to(rbac::remove_roles_from_user)
+                            .to(querier_rbac::remove_roles_from_user)
                             .authorize(Action::PutUserRoles)
                             .wrap(DisAllowRootUser),
                     ),
             )
             .service(
-                web::resource("/{username}/generate-new-password")
-                    // POST /user/{username}/generate-new-password => reset password for this user
+                web::resource("/{userid}/generate-new-password")
+                    // POST /user/{userid}/generate-new-password => reset password for this user
                     .route(
                         web::post()
                             .to(querier_rbac::post_gen_password)