Posted to commits@karaf.apache.org by ff...@apache.org on 2014/05/26 10:21:32 UTC
git commit: [KARAF-3002]RBAC-add a jmx.acl.whitelist so that all
ObjectName in this list will bypass the RBAC (cherry picked from commit
c10cf26eab91ace8bb8e8bdbf4ec781c3abfd794)
Repository: karaf
Updated Branches:
refs/heads/master 4f88beb55 -> 687ba2869
[KARAF-3002]RBAC-add a jmx.acl.whitelist so that all ObjectName in this list will bypass the RBAC
(cherry picked from commit c10cf26eab91ace8bb8e8bdbf4ec781c3abfd794)
Conflicts:
management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/687ba286
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/687ba286
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/687ba286
Branch: refs/heads/master
Commit: 687ba286974f1edd15c5bae0330864d3502b8339
Parents: 4f88beb
Author: Freeman Fang <fr...@gmail.com>
Authored: Mon May 26 16:03:49 2014 +0800
Committer: Freeman Fang <fr...@gmail.com>
Committed: Mon May 26 16:20:56 2014 +0800
----------------------------------------------------------------------
.../karaf/management/KarafMBeanServerGuard.java | 34 ++++++++++++++++++++
.../management/KarafMBeanServerGuardTest.java | 2 ++
2 files changed, 36 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/687ba286/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
----------------------------------------------------------------------
diff --git a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
index 746c35b..c2cf224 100644
--- a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
+++ b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -36,6 +36,9 @@ import java.util.*;
public class KarafMBeanServerGuard implements InvocationHandler {
private static final String JMX_ACL_PID_PREFIX = "jmx.acl";
+
+ private static final String JMX_ACL_WHITELIST = "jmx.acl.whitelist";
+
private ConfigurationAdmin configAdmin;
@@ -170,6 +173,9 @@ public class KarafMBeanServerGuard implements InvocationHandler {
}
private boolean canInvoke(ObjectName objectName, String methodName, String[] signature) throws IOException {
+ if (canBypassRBAC(objectName)) {
+ return true;
+ }
for (String role : getRequiredRoles(objectName, methodName, signature)) {
if (JaasHelper.currentUserHasRole(role))
return true;
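Review bot: The `canBypassRBAC(objectName)` check at the top of `canInvoke` returns before `getRequiredRoles` is consulted and never looks at `methodName` or `signature`, so a whitelisted ObjectName is reported as invocable for every operation and for every caller, including one that holds no role. That appears to be the intent of KARAF-3002, but nothing in the code says so; I would add a comment such as `// jmx.acl.whitelist entries skip all role checks for every operation on the MBean; keep the list minimal`. If the class has a logger, a debug-level line when the bypass is taken would make access granted this way traceable. The same early return is added to `handleInvoke` in the next hunk, and `canInvoke` continues past the end of this one.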
@@ -220,7 +226,35 @@ public class KarafMBeanServerGuard implements InvocationHandler {
}
}
+ private boolean canBypassRBAC(ObjectName objectName) {
+ List<String> allBypassObjectName = new ArrayList<String>();
+ try {
+ for (Configuration config : configAdmin.listConfigurations("(service.pid=" + JMX_ACL_WHITELIST + ")")) {
+ Enumeration<String> keys = config.getProperties().keys();
+ while (keys.hasMoreElements()) {
+ String element = keys.nextElement();
+ allBypassObjectName.add(element);
+ }
+ }
+ } catch (InvalidSyntaxException ise) {
+ throw new RuntimeException(ise);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+
+ for (String pid : iterateDownPids(getNameSegments(objectName))) {
+ if (!pid.equals("jmx.acl")
+ && allBypassObjectName.contains(pid.substring("jmx.acl.".length()))) {
+ return true;
+ }
+ }
+ return false;
+ }
+
void handleInvoke(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
+ if (canBypassRBAC(objectName)) {
+ return;
+ }
for (String role : getRequiredRoles(objectName, operationName, params, signature)) {
if (JaasHelper.currentUserHasRole(role))
return;
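Review bot: `ConfigurationAdmin.listConfigurations(...)` returns null when no configuration matches the filter, so on an installation without a `jmx.acl.whitelist` PID the for-each in `canBypassRBAC` throws a NullPointerException on every guarded JMX call; assign the result to a local and add `if (configs == null) { return false; }` before the loop. Every key of the matching configuration goes into the list, which as far as I can tell includes bookkeeping keys such as `service.pid`, and the property value is never read, so an entry cannot be disabled by setting it to false; that should be either documented or filtered. Both callers already declare `throws IOException`, so the `IOException` could propagate instead of being wrapped in a `RuntimeException`, and the literal `"jmx.acl"` could reuse `JMX_ACL_PID_PREFIX`. `handleInvoke` continues past the end of this hunk.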
http://git-wip-us.apache.org/repos/asf/karaf/blob/687ba286/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
----------------------------------------------------------------------
diff --git a/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java b/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
index 8dfb42e..ac52c30 100644
--- a/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
+++ b/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
@@ -376,6 +376,8 @@ public class KarafMBeanServerGuardTest extends TestCase {
}
EasyMock.expect(ca.listConfigurations(EasyMock.eq("(service.pid=jmx.acl*)"))).andReturn(
allConfigs.toArray(new Configuration[]{})).anyTimes();
+ EasyMock.expect(ca.listConfigurations(EasyMock.eq("(service.pid=jmx.acl.whitelist)"))).andReturn(
+ allConfigs.toArray(new Configuration[]{})).anyTimes();
EasyMock.replay(ca);
return ca;
}
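Review bot: No test covers the whitelist behaviour itself: the added expectation only keeps the mock from failing on the new `(service.pid=jmx.acl.whitelist)` query, and it answers with `allConfigs`, so every key of every ACL configuration in the fixture is treated as a whitelist entry. I would return a dedicated `jmx.acl.whitelist` configuration here (or null, which is what ConfigurationAdmin yields when nothing matches) and add two cases: one asserting that a whitelisted ObjectName is invocable without any role, and one asserting that a non-whitelisted ObjectName is still denied. The negative case matters most, since it guards against the bypass matching more than intended.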