From 30af5458139d51c5a304d39a3d6a2c49289b4be6 Mon Sep 17 00:00:00 2001 From: shangeyao Date: Thu, 25 Jun 2026 20:49:54 +0800 Subject: [PATCH] [Console] Add missing RBAC checks on cluster and variable endpoints Protect Flink cluster lifecycle APIs with cluster:create/update permissions and variable list/code-check APIs with variable:view (and related) permissions. Closes #4380 Co-authored-by: Cursor --- .../core/controller/FlinkClusterController.java | 10 ++++++++++ .../console/core/controller/VariableController.java | 3 +++ 2 files changed, 13 insertions(+) diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/controller/FlinkClusterController.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/controller/FlinkClusterController.java index d084177085..fa6e6057c4 100644 --- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/controller/FlinkClusterController.java +++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/controller/FlinkClusterController.java @@ -26,6 +26,7 @@ import org.apache.streampark.console.core.service.FlinkClusterService; import org.apache.streampark.console.core.util.ServiceHelper; +import org.apache.shiro.authz.annotation.Logical; import org.apache.shiro.authz.annotation.RequiresPermissions; import com.baomidou.mybatisplus.core.metadata.IPage; @@ -48,30 +49,35 @@ public class FlinkClusterController { private FlinkClusterService flinkClusterService; @PostMapping("page") + @RequiresPermissions(value = {"cluster:create", "cluster:update"}, logical = Logical.OR) public RestResponse findPage(FlinkCluster flinkCluster, RestRequest restRequest) { IPage flinkClusters = flinkClusterService.findPage(flinkCluster, restRequest); return RestResponse.success(flinkClusters); } @PostMapping("alive") + @RequiresPermissions(value = {"cluster:create", "cluster:update", "app:add", "app:update"}, logical = Logical.OR) public RestResponse listAvailableCluster() { List flinkClusters = flinkClusterService.listAvailableCluster(); return RestResponse.success(flinkClusters); } @PostMapping("list") + @RequiresPermissions(value = {"cluster:create", "cluster:update", "app:add", "app:update"}, logical = Logical.OR) public RestResponse list() { List flinkClusters = flinkClusterService.list(); return RestResponse.success(flinkClusters); } @PostMapping("remote_url") + @RequiresPermissions(value = {"cluster:create", "cluster:update"}, logical = Logical.OR) public RestResponse remoteUrl(Long id) { FlinkCluster cluster = flinkClusterService.getById(id); return RestResponse.success(cluster.getAddress()); } @PostMapping("check") + @RequiresPermissions(value = {"cluster:create", "cluster:update"}, logical = Logical.OR) public RestResponse check(FlinkCluster cluster) { ResponseResult checkResult = flinkClusterService.check(cluster); return RestResponse.success(checkResult); @@ -93,12 +99,14 @@ public RestResponse update(FlinkCluster cluster) { } @PostMapping("get") + @RequiresPermissions(value = {"cluster:create", "cluster:update"}, logical = Logical.OR) public RestResponse get(Long id) throws InternalException { FlinkCluster cluster = flinkClusterService.getById(id); return RestResponse.success(cluster); } @PostMapping("start") + @RequiresPermissions("cluster:update") public RestResponse start(FlinkCluster cluster) { flinkClusterService.updateClusterState(cluster.getId(), ClusterState.STARTING); flinkClusterService.start(cluster); @@ -106,6 +114,7 @@ public RestResponse start(FlinkCluster cluster) { } @PostMapping("shutdown") + @RequiresPermissions("cluster:update") public RestResponse shutdown(FlinkCluster cluster) { if (flinkClusterService.allowShutdownCluster(cluster)) { flinkClusterService.updateClusterState(cluster.getId(), ClusterState.CANCELLING); @@ -115,6 +124,7 @@ public RestResponse shutdown(FlinkCluster cluster) { } @PostMapping("delete") + @RequiresPermissions("cluster:update") public RestResponse delete(FlinkCluster cluster) { flinkClusterService.remove(cluster.getId()); return RestResponse.success(); diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/controller/VariableController.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/controller/VariableController.java index 1abb889fe2..f719946212 100644 --- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/controller/VariableController.java +++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/controller/VariableController.java @@ -23,6 +23,7 @@ import org.apache.streampark.console.core.entity.Variable; import org.apache.streampark.console.core.service.VariableService; +import org.apache.shiro.authz.annotation.Logical; import org.apache.shiro.authz.annotation.RequiresPermissions; import com.baomidou.mybatisplus.core.metadata.IPage; @@ -75,6 +76,7 @@ public RestResponse page(RestRequest restRequest, Variable variable) { * @return */ @PostMapping("list") + @RequiresPermissions("variable:view") public RestResponse variableList(@RequestParam Long teamId, String keyword) { List variableList = variableService.listByTeamId(teamId, keyword); for (Variable v : variableList) { @@ -119,6 +121,7 @@ public RestResponse deleteVariable(@Valid Variable variable) { } @PostMapping("check/code") + @RequiresPermissions(value = {"variable:view", "variable:add", "variable:update"}, logical = Logical.OR) public RestResponse checkVariableCode( @RequestParam Long teamId, @NotBlank(message = "{required}") String variableCode) {