
Apache Kylin : Analytical Data Warehouse for Big Data

Background


What benefits did the new implementation (KYLIN-4122) give us?

  1. Convenient modification (if you are not using LDAP)
    1. Previously, you had to know how to use Spring Security.
    2. Previously, you had to use the Linux shell to edit user information and credentials in XML. Now you can do this in the web UI.
  2. Centralized storage (if you are not using LDAP)
    1. Previously, you had to modify the related user information and credentials on every Kylin instance. Now they are stored in Kylin's metastore.
    2. Previously, you had to encrypt user passwords yourself. Now they are encrypted automatically.
  3. No breaking change; compatible with LDAP.
    1. We suggest you continue to use LDAP for authentication and authorization if your company already has such infrastructure (an LDAP service).
  4. Code change can be found in the Jira issue.

Original User Management Implementation

// By Yaqian

New User Management Implementation introduced in 3.0.0-beta


User Management

This chapter introduces what a user is and how a user can be managed.

About Users

To use Kylin, a user must log in to the system using a user name and corresponding password. Every user is unique in a Kylin Enterprise instance, which is to say, it is not necessary to create the same user for every project in a single instance.
By default, Kylin Enterprise initializes three users, namely ADMIN, MODELER and ANALYST. The user ADMIN is a built-in system administrator, and the system administrator has all the permissions of the entire system.

Manage Users

After the system administrator logs in to Kylin, click the System button in the navigation bar to enter the system management page, and click the User field to enter the User Management page.

Add a user

On the User Management page, the system administrator can click the +Users button to add new users. In the pop-up window, please fill in the user name, password, confirm new password, select whether the user role is a system administrator or a normal user, and click Ok.

Delete a user

On the User Management page, click Action --> ... --> Drop. The system administrator confirms the deletion in the prompt window. A user cannot be restored after deletion, and the user's access permissions on all projects will be removed.

Enable/Disable a user

On the User Management page, click Action --> ... --> Enable/Disable. The system administrator can enable or disable a user, and disabled users cannot log in to the system.

Reset password for user

Click <username> --> Setup in the top right corner of the navigation bar. In the pop-up window, the user can reset the password by providing the old password and entering the new password twice.

Assign & Modify user's group membership

To modify a user's group membership, do the following:
1. On the User Management page, select the user to modify the group membership.
2. Click Action --> ... --> Group Membership.
3. Select the group to be modified under Checked Group, and then click the left arrow. The group will move to Group to be selected.
4. Click Save and the user's group membership will be modified.

User Group Management

This chapter provides an overview of what a user group is and how a user group can be managed. User Group is equivalent to ROLE.

About User Group

A user group is a collection of users, and users in a user group share the same ACL. By default, Kylin initializes four user groups, namely ALL_USERS, ROLE_ADMIN, ROLE_ANALYST, and ROLE_MODELER. ALL_USERS is the default user group, and all users are included in it. The ALL_USERS user group cannot be modified or deleted. System administrators can add or remove users in user groups except ALL_USERS, or add a user to multiple groups except ALL_USERS. User groups cannot be renamed throughout the Kylin instance.

About User Group Permissions

The system administrator can grant the project-level access permissions to a user group. When a user group has been granted the project-level permissions, users in this group will inherit the corresponding permissions from the group.

When both a user and his/her user group are granted with access permissions at project-level, Kylin will take the highest permission for this user. For example, if User A is granted with Query permission on a project, while his/her user group is granted with Management permission, then User A will have management permission on this project.

When a user belongs to multiple groups, the user will inherit the project-level permissions from the groups he/she belongs to.
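
The resolution rule described above, written out as an access-review helper. This is an added example, not Kylin's own code; the ordering QUERY < OPERATION < MANAGEMENT < ADMIN, the group names project_managers and etl_ops, and the user names are assumptions made for illustration.

```python
# Assumed ordering of project-level permissions, lowest to highest.
LEVELS = ["QUERY", "OPERATION", "MANAGEMENT", "ADMIN"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def effective_permission(user, user_grants, group_grants, memberships):
    """Resolve one user's permission on one project.

    Returns (permission, sources); (None, []) when no grant applies.
    """
    candidates = []
    if user in user_grants:
        candidates.append((user_grants[user], f"user:{user}"))
    # Every user is implicitly a member of ALL_USERS.
    groups = set(memberships.get(user, ())) | {"ALL_USERS"}
    for group in sorted(groups):
        if group in group_grants:
            candidates.append((group_grants[group], f"group:{group}"))
    if not candidates:
        return None, []
    best = max(RANK[perm] for perm, _ in candidates)
    return LEVELS[best], [src for perm, src in candidates if RANK[perm] == best]

def group_derived_access(user_grants, group_grants, memberships):
    """Access review: users whose effective permission exceeds their direct grant."""
    report = {}
    for user in sorted(set(user_grants) | set(memberships)):
        perm, sources = effective_permission(user, user_grants, group_grants, memberships)
        direct = user_grants.get(user)
        if perm is not None and (direct is None or RANK[perm] > RANK[direct]):
            report[user] = (direct, perm, sources)
    return report

# Constructed sample data for a single project (hypothetical users and groups).
USER_GRANTS = {"user_a": "QUERY", "user_c": "ADMIN"}
GROUP_GRANTS = {"project_managers": "MANAGEMENT", "ROLE_ANALYST": "QUERY",
                "etl_ops": "OPERATION"}
MEMBERSHIPS = {"user_a": ["project_managers"], "user_b": ["ROLE_ANALYST", "etl_ops"],
               "user_c": ["ROLE_ANALYST"], "user_d": []}

if __name__ == "__main__":
    review = group_derived_access(USER_GRANTS, GROUP_GRANTS, MEMBERSHIPS)
    for user, (direct, perm, sources) in review.items():
        print(f"{user}: direct={direct} effective={perm} via {sources}")
```

The report lists only users whose access comes from, or is raised by, group membership, which is the set worth checking when a group's grant changes.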

Manage user groups

Click System --> Group in the navigation bar to enter the User Group Management page.

Create a user group

On the User Group Management page, click + Group button to create a new group. In the pop-up window, the system administrator can fill in the group name and click Save to save a new user group.

Delete a user group

On the User Group Management page, click Action --> Delete. In the pop-up window, the system administrator can confirm the deletion of a user group. Once a user group is deleted, the users in this user group will not be deleted, and the permissions granted to this user group will be removed.

Assign users to a user group

1. On the User Group Management page, select the user group to be assigned users to.
2. Click Action --> Assign Users.
3. In the pop-up window, check the users who need to be assigned to the group and click the right arrow ( > ); the user will be assigned to the Assigned User
4. Click Save and the user will be assigned to this group.

Discussion for KYLIN-4122

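  •  Security of the password encryption algorithm?

Compared with the previous approach of managing users through the kylinSecurity.xml file, storing the password in Kylin metadata after encrypting it (hashing it with BCryptPasswordEncoder#encode) should in theory make no difference in terms of security. However, user management through the kylinSecurity.xml file lives under the testing profile and is not recommended for production use, whereas adding user and user group management modules to the web UI makes it more likely that users will choose this approach in production. The password hashes stored in the metadata may expose user passwords, which increases the risk.

  •  Functional testing of the user and user group management modules

See the test document that compares against 2.6.3, About kylin user and user group manage modules. The newly added user group management has several bugs that need considerable effort to fix, and detailed testing is still to be verified.

In summary, marking this feature as deprecated and disabling it by default is an option worth considering.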
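
For the point above about password hashes stored in the metadata, a defender can at least check what an exposed store would hand to an offline guesser. The following added example (not part of the original page or of Kylin) parses stored values in bcrypt's modular-crypt format and flags malformed entries, low cost factors and shared salts. It assumes the password fields have already been exported into a username-to-value mapping; the hash strings are constructed placeholders, not real hashes, and svc_etl and legacy are hypothetical accounts.

```python
import re
from collections import defaultdict

# bcrypt modular-crypt layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST = 10  # assumed policy floor; 10 is BCryptPasswordEncoder's default strength

def audit(records, min_cost=MIN_COST):
    """records: {username: stored password field}. Returns {username: [findings]}."""
    findings = defaultdict(list)
    by_salt = defaultdict(list)
    for user, stored in records.items():
        match = BCRYPT_RE.match(stored)
        if match is None:
            # Plaintext, truncated value, or a different hashing scheme.
            findings[user].append("not a well-formed bcrypt hash")
            continue
        cost, salt = int(match.group(2)), match.group(3)
        if cost < min_cost:
            # bcrypt work doubles with each cost step.
            factor = 2 ** (min_cost - cost)
            findings[user].append(
                f"cost {cost} below floor {min_cost} ({factor}x cheaper to guess offline)")
        by_salt[salt].append(user)
    for users in by_salt.values():
        if len(users) > 1:  # random salts should never collide
            for user in users:
                others = ", ".join(u for u in users if u != user)
                findings[user].append(f"salt shared with {others}")
    return dict(findings)

def fake_hash(cost, salt_char, digest_char):
    """Build a syntactically valid, constructed bcrypt string (not a real hash)."""
    return f"$2a${cost:02d}$" + salt_char * 22 + digest_char * 31

# Constructed sample export.
SAMPLE = {
    "ADMIN": fake_hash(10, "a", "B"),
    "MODELER": fake_hash(4, "c", "D"),
    "ANALYST": fake_hash(10, "e", "F"),
    "svc_etl": fake_hash(10, "e", "F"),  # same salt as ANALYST: copied credential
    "legacy": "changeme",
}

if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(user, issues)
```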


