Introduce StreamEvents capability

This change introduces new global capability for streaming Gerrit events. Only admins and users with this capability are able to run gerrit stream-events. Change-Id: I0a8a110758b0ac43969e5b8ae799b9b89db318e2 Signed-off-by: Ed Bartosh <bartosh@gmail.com> Signed-off-by: Alexander Kanevskiy <kad@blackcatlinux.com>
2013-04-13 20:15:58 +03:00
parent 72b714137b
commit d168b81bbb
7 changed files with 29 additions and 1 deletions
--- a/Documentation/access-control.txt
+++ b/Documentation/access-control.txt
@@ -1166,6 +1166,15 @@ Allow access to execute `replication start` command, if the
 replication plugin is installed on the server.


+[[capability_streamEvents]]
+Stream Events
+~~~~~~~~~~~~~
+
+Allow performing streaming of Gerrit events. This capability
+allows the granted group to
+link:cmd-stream-events.html[stream Gerrit events via ssh].
+
+
 [[capability_viewCaches]]
 View Caches
 ~~~~~~~~~~~
--- a/Documentation/cmd-stream-events.txt
+++ b/Documentation/cmd-stream-events.txt
@@ -23,7 +23,9 @@ Event output is in JSON, one event per line.

 ACCESS
 ------
-Any user who has configured an SSH key.
+Caller must be a member of the privileged 'Administrators' group,
+or have been granted
+link:access-control.html#capability_streamEvents[the 'Stream Events' global capability].

 SCRIPTING
 ---------
--- a/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
+++ b/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
@@ -73,6 +73,9 @@ public class GlobalCapability {
  /** Forcefully restart replication to any configured destination. */
  public static final String START_REPLICATION = "startReplication";

+  /** Can perform streaming of Gerrit events. */
+  public static final String STREAM_EVENTS = "streamEvents";
+
  /** Can view the server's current cache states. */
  public static final String VIEW_CACHES = "viewCaches";

@@ -99,6 +102,7 @@ public class GlobalCapability {
    NAMES_ALL.add(QUERY_LIMIT);
    NAMES_ALL.add(RUN_GC);
    NAMES_ALL.add(START_REPLICATION);
+    NAMES_ALL.add(STREAM_EVENTS);
    NAMES_ALL.add(VIEW_CACHES);
    NAMES_ALL.add(VIEW_CONNECTIONS);
    NAMES_ALL.add(VIEW_QUEUE);
--- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/AdminConstants.properties
+++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/AdminConstants.properties
@@ -158,6 +158,7 @@ capabilityNames = \
  queryLimit, \
  runGC, \
  startReplication, \
+  streamEvents, \
  viewCaches, \
  viewConnections, \
  viewQueue
@@ -173,6 +174,7 @@ priority = Priority
 queryLimit = Query Limit
 runGC = Run Garbage Collection
 startReplication = Start Replication
+streamEvents = Stream Events
 viewCaches = View Caches
 viewConnections = View Connections
 viewQueue = View Queue
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
@@ -142,6 +142,12 @@ public class CapabilityControl {
        || canAdministrateServer();
  }

+  /** @return true if the user can stream Gerrit events. */
+  public boolean canStreamEvents() {
+    return canPerform(GlobalCapability.STREAM_EVENTS)
+        || canAdministrateServer();
+  }
+
  /** @return true if the user can run the Git garbage collection. */
  public boolean canRunGC() {
    return canPerform(GlobalCapability.RUN_GC)
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
@@ -24,6 +24,7 @@ import static com.google.gerrit.common.data.GlobalCapability.KILL_TASK;
 import static com.google.gerrit.common.data.GlobalCapability.PRIORITY;
 import static com.google.gerrit.common.data.GlobalCapability.RUN_GC;
 import static com.google.gerrit.common.data.GlobalCapability.START_REPLICATION;
+import static com.google.gerrit.common.data.GlobalCapability.STREAM_EVENTS;
 import static com.google.gerrit.common.data.GlobalCapability.VIEW_CACHES;
 import static com.google.gerrit.common.data.GlobalCapability.VIEW_CONNECTIONS;
 import static com.google.gerrit.common.data.GlobalCapability.VIEW_QUEUE;
@@ -104,6 +105,7 @@ class GetCapabilities implements RestReadView<AccountResource> {
    have.put(VIEW_QUEUE, cc.canViewQueue());
    have.put(RUN_GC, cc.canRunGC());
    have.put(START_REPLICATION, cc.canStartReplication());
+    have.put(STREAM_EVENTS, cc.canStreamEvents());
    have.put(ACCESS_DATABASE, cc.canAccessDatabase());

    QueueProvider.QueueType queue = cc.getQueueType();
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/StreamEvents.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/StreamEvents.java
@@ -16,6 +16,8 @@ package com.google.gerrit.sshd.commands;

 import com.google.gerrit.common.ChangeHooks;
 import com.google.gerrit.common.ChangeListener;
+import com.google.gerrit.common.data.GlobalCapability;
+import com.google.gerrit.extensions.annotations.RequiresCapability;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.events.ChangeEvent;
 import com.google.gerrit.server.git.WorkQueue;
@@ -33,6 +35,7 @@ import java.io.PrintWriter;
 import java.util.concurrent.Future;
 import java.util.concurrent.LinkedBlockingQueue;

+@RequiresCapability(GlobalCapability.STREAM_EVENTS)
@CommandMetaData(name = "stream-events", descr = "Monitor events occurring in real time")
 final class StreamEvents extends BaseCommand {
  /** Maximum number of events that may be queued up for each connection. */