From a1ee1d1ed99b189d0f971ad2b25dd286958300a1 Mon Sep 17 00:00:00 2001
From: liningrui
Date: Fri, 5 Mar 2021 17:48:48 +0800
Subject: [PATCH] Fix AuthManager will find other nodes when init store

Change-Id: I4437c89da5290a14a8233c082bd9922714a027b9
---
 .../hugegraph/auth/HugeGraphAuthProxy.java    |  2 +-
 .../hugegraph/auth/StandardAuthenticator.java |  4 ++-
 .../baidu/hugegraph/StandardHugeGraph.java    |  6 ++--
 .../hugegraph/auth/StandardAuthManager.java   |  7 +++++
 .../security/HugeSecurityManager.java         | 28 ++++++++++++-------
 5 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/HugeGraphAuthProxy.java b/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/HugeGraphAuthProxy.java
index 85f77b1fd7..6da10bdad6 100644
--- a/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/HugeGraphAuthProxy.java
+++ b/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/HugeGraphAuthProxy.java
@@ -684,7 +684,7 @@ public void truncateBackend() {
         try {
             this.hugegraph.truncateBackend();
         } finally {
-            if (admin != null && userManager instanceof StandardAuthManager) {
+            if (admin != null && StandardAuthManager.isLocal(userManager)) {
                 // Restore admin user to continue to do any operation
                 userManager.createUser(admin);
             }
diff --git a/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/StandardAuthenticator.java b/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/StandardAuthenticator.java
index fb2e67796e..838650e29b 100644
--- a/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/StandardAuthenticator.java
+++ b/hugegraph-api/src/main/java/com/baidu/hugegraph/auth/StandardAuthenticator.java
@@ -52,7 +52,9 @@ private void initAdminUser() throws Exception {
         E.checkState(caller.equals("main"), "Invalid caller '%s'", caller);
 
         AuthManager authManager = this.graph().hugegraph().authManager();
-        if (authManager.findUser(HugeAuthenticator.USER_ADMIN) == null) {
+        // Only init user when local mode and user has not been initialized
+        if (StandardAuthManager.isLocal(authManager) &&
+            authManager.findUser(HugeAuthenticator.USER_ADMIN) == null) {
             HugeUser admin = new HugeUser(HugeAuthenticator.USER_ADMIN);
             admin.password(StringEncoding.hashPassword(this.inputPassword()));
             admin.creator(HugeAuthenticator.USER_SYSTEM);
diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/StandardHugeGraph.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/StandardHugeGraph.java
index 91fb652fbf..962e8b326d 100644
--- a/hugegraph-core/src/main/java/com/baidu/hugegraph/StandardHugeGraph.java
+++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/StandardHugeGraph.java
@@ -40,8 +40,8 @@
 
 import com.baidu.hugegraph.analyzer.Analyzer;
 import com.baidu.hugegraph.analyzer.AnalyzerFactory;
-import com.baidu.hugegraph.auth.StandardAuthManager;
 import com.baidu.hugegraph.auth.AuthManager;
+import com.baidu.hugegraph.auth.StandardAuthManager;
 import com.baidu.hugegraph.backend.BackendException;
 import com.baidu.hugegraph.backend.cache.CachedGraphTransaction;
 import com.baidu.hugegraph.backend.cache.CachedSchemaTransaction;
@@ -816,7 +816,9 @@ public synchronized void close() throws Exception {
         }
 
         LOG.info("Close graph {}", this);
-        this.authManager.close();
+        if (StandardAuthManager.isLocal(this.authManager)) {
+            this.authManager.close();
+        }
         this.taskManager.closeScheduler(this.params);
         try {
             this.closeTx();
diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/auth/StandardAuthManager.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/auth/StandardAuthManager.java
index 13d1170fbb..21cc1cac0a 100644
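Review bot: When `StandardAuthManager.isLocal(authManager)` is false the admin account is no longer created on this node and `inputPassword()` is never called, yet nothing records that the step was skipped, so a node that forwards auth to a remote store without an admin user will simply fail at login with no hint as to why. The added comment should state the assumption, e.g. `// Only init user when local mode and user has not been initialized; in forward mode the peer node that owns the store is expected to have created it`, and if the class has a logger an `else` branch logging the skip at info level would make the forwarded case diagnosable. The body of `initAdminUser` starts and ends outside the hunk.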
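Review bot: A non-local `AuthManager` is now never closed by `close()`, so any client or connection it holds is leaked at graph shutdown, unless its `close()` is known to be unsafe to call here; the hunk does not say which. The decision belongs to the implementation rather than the caller: if the forwarding manager owns nothing, its `close()` should be a no-op and the unconditional call can stay; if it must be skipped, a comment is needed, e.g. `// Remote auth manager is owned by the peer node, don't close it here`. The same caller-side `isLocal` check now appears in `HugeGraphAuthProxy.truncateBackend` and `StandardAuthenticator.initAdminUser`, so the three sites should give the same reason. `close()` starts and ends outside the hunk.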
--- a/hugegraph-core/src/main/java/com/baidu/hugegraph/auth/StandardAuthManager.java
+++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/auth/StandardAuthManager.java
@@ -420,4 +420,11 @@ public RolePermission loginUser(String username, String password) {
         }
         return this.rolePermission(user);
     }
+
+    /**
+     * Maybe can define an proxy class to choose forward or call local
+     */
+    public static boolean isLocal(AuthManager authManager) {
+        return authManager instanceof StandardAuthManager;
+    }
 }
diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
index 55cb393eeb..a97f385bea 100644
--- a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
+++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
@@ -109,6 +109,10 @@ public class HugeSecurityManager extends SecurityManager {
         "com.baidu.hugegraph.backend.store.raft.rpc.RpcForwarder"
     );
 
+    private static final Set SOFA_RPC_CLASSES = ImmutableSet.of(
+        "com.alipay.sofa.rpc.tracer.sofatracer.RpcSofaTracer"
+    );
+
     @Override
     public void checkPermission(Permission permission) {
         if (DENIED_PERMISSIONS.contains(permission.getName()) &&
@@ -150,7 +154,7 @@ public void checkAccess(Thread thread) {
         if (callFromGremlin() && !callFromCaffeine() &&
             !callFromAsyncTasks() && !callFromEventHubNotify() &&
             !callFromBackendThread() && !callFromBackendHbase() &&
-            !callFromRaft()) {
+            !callFromRaft() && !callFromSofaRpc()) {
             throw newSecurityException(
                   "Not allowed to access thread via Gremlin");
         }
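Review bot: The Javadoc on the new `isLocal` does not say what the method answers; it only records a future idea. Suggest a summary sentence such as `Returns true if the given manager operates on this node's own auth store, false if it forwards to another node.`, keeping the proxy remark as a `TODO` line, plus a `@param authManager` entry. Since `null instanceof StandardAuthManager` is false, a null argument is reported as non-local, which is worth stating so callers that skip initialisation or cleanup on a false result know the case is covered.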
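Review bot: `SOFA_RPC_CLASSES` exempts a single tracer class from the Gremlin sandbox in ten checks (thread, file, socket and system-property access) without saying which of them the tracer was observed to need; each exemption is decided only by that class name appearing on the current stack in `callFromWorkerWithClass`, so the set deserves a why-comment that lets a later reviewer trim it rather than widen it. Something like `// The SOFA RPC tracer, presumably reached when auth calls are forwarded from a Gremlin worker thread, needs these permissions for its own logging; keep this list minimal` stating the actual failures seen would do. The field is also declared with the raw type `Set`, as the `Set classes` parameter of `callFromWorkerWithClass` already is; `Set<String>` fits both.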
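Review bot: The same `&& !callFromSofaRpc()` is appended to nine `if` conditions, here and in the `checkAccess(ThreadGroup)`, `checkRead`, `checkWrite`, `checkConnect` and `checkPropertyAccess` hunks, each of which already ends in `!callFromRaft()`; a growing conjunction repeated across methods is easy to get out of sync. A helper naming the concept, `private static boolean callFromRpc() { return callFromRaft() || callFromSofaRpc(); }`, substituted for `!callFromRaft()` in each condition, would keep the infrastructure allowlist in one place. The signature and tail of `checkAccess(Thread)` are outside the hunk.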
@@ -162,7 +166,7 @@ public void checkAccess(ThreadGroup threadGroup) {
         if (callFromGremlin() && !callFromCaffeine() &&
             !callFromAsyncTasks() && !callFromEventHubNotify() &&
             !callFromBackendThread() && !callFromBackendHbase() &&
-            !callFromRaft()) {
+            !callFromRaft() && !callFromSofaRpc()) {
             throw newSecurityException(
                   "Not allowed to access thread group via Gremlin");
         }
@@ -190,7 +194,7 @@ public void checkExec(String cmd) {
     @Override
     public void checkRead(FileDescriptor fd) {
         if (callFromGremlin() && !callFromBackendSocket() &&
-            !callFromRaft()) {
+            !callFromRaft() && !callFromSofaRpc()) {
             throw newSecurityException("Not allowed to read fd via Gremlin");
         }
         super.checkRead(fd);
@@ -200,7 +204,7 @@ public void checkRead(FileDescriptor fd) {
     public void checkRead(String file) {
         if (callFromGremlin() && !callFromCaffeine() &&
             !readGroovyInCurrentDir(file) && !callFromBackendHbase() &&
-            !callFromRaft()) {
+            !callFromRaft() && !callFromSofaRpc()) {
             throw newSecurityException(
                   "Not allowed to read file via Gremlin: %s", file);
         }
@@ -209,7 +213,7 @@ public void checkRead(String file) {
 
     @Override
     public void checkRead(String file, Object context) {
-        if (callFromGremlin() && !callFromRaft()) {
+        if (callFromGremlin() && !callFromRaft() && !callFromSofaRpc()) {
             throw newSecurityException(
                   "Not allowed to read file via Gremlin: %s", file);
         }
@@ -219,7 +223,7 @@ public void checkRead(String file, Object context) {
     @Override
     public void checkWrite(FileDescriptor fd) {
         if (callFromGremlin() && !callFromBackendSocket() &&
-            !callFromRaft()) {
+            !callFromRaft() && !callFromSofaRpc()) {
             throw newSecurityException("Not allowed to write fd via Gremlin");
         }
         super.checkWrite(fd);
@@ -227,7 +231,7 @@ public void checkWrite(FileDescriptor fd) {
 
     @Override
     public void checkWrite(String file) {
-        if (callFromGremlin() && !callFromRaft()) {
+        if (callFromGremlin() && !callFromRaft() && !callFromSofaRpc()) {
             throw newSecurityException("Not allowed to write file via Gremlin");
         }
         super.checkWrite(file);
@@ -263,7 +267,7 @@ public void checkAccept(String host, int port) {
     @Override
     public void checkConnect(String host, int port) {
         if (callFromGremlin() && !callFromBackendSocket() &&
-            !callFromBackendHbase() && !callFromRaft()) {
+            !callFromBackendHbase() && !callFromRaft() && !callFromSofaRpc()) {
             throw newSecurityException(
                   "Not allowed to connect socket via Gremlin");
         }
@@ -307,7 +311,7 @@ public void checkSetFactory() {
 
     @Override
     public void checkPropertiesAccess() {
-        if (callFromGremlin()) {
+        if (callFromGremlin() && !callFromSofaRpc()) {
             throw newSecurityException(
                   "Not allowed to access system properties via Gremlin");
         }
@@ -318,7 +322,7 @@ public void checkPropertiesAccess() {
     public void checkPropertyAccess(String key) {
         if (!callFromAcceptClassLoaders() && callFromGremlin() &&
             !WHITE_SYSTEM_PROPERTYS.contains(key) && !callFromBackendHbase() &&
-            !callFromRaft()) {
+            !callFromRaft() && !callFromSofaRpc()) {
             throw newSecurityException(
                   "Not allowed to access system property(%s) via Gremlin", key);
         }
@@ -442,6 +446,10 @@ private static boolean callFromRaft() {
         return callFromWorkerWithClass(RAFT_CLASSES);
     }
 
+    private static boolean callFromSofaRpc() {
+        return callFromWorkerWithClass(SOFA_RPC_CLASSES);
+    }
+
     private static boolean callFromWorkerWithClass(Set classes) {
         Thread curThread = Thread.currentThread();
         if (curThread.getName().startsWith(GREMLIN_SERVER_WORKER) ||
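Review bot: `checkPropertiesAccess` is the only check in this commit where `!callFromSofaRpc()` is added without a matching `!callFromRaft()`, although every other modified check exempts both and `checkPropertyAccess` directly below already does. If raft code never calls `System.getProperties()` that asymmetry deserves a one-line comment, `// Raft never reads the whole property set, so only the SOFA tracer is exempted here`; if it is an oversight the condition should read `if (callFromGremlin() && !callFromRaft() && !callFromSofaRpc()) {`. The tail of the method is outside the hunk.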