Posted to commits@karaf.apache.org by ff...@apache.org on 2014/05/26 10:21:32 UTC

git commit: [KARAF-3002]RBAC-add a jmx.acl.whitelist so that all ObjectName in this list will bypass the RBAC (cherry picked from commit c10cf26eab91ace8bb8e8bdbf4ec781c3abfd794)

Repository: karaf
Updated Branches:
  refs/heads/master 4f88beb55 -> 687ba2869


[KARAF-3002]RBAC-add a jmx.acl.whitelist so that all ObjectName in this list will bypass the RBAC
(cherry picked from commit c10cf26eab91ace8bb8e8bdbf4ec781c3abfd794)

Conflicts:
	management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/687ba286
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/687ba286
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/687ba286

Branch: refs/heads/master
Commit: 687ba286974f1edd15c5bae0330864d3502b8339
Parents: 4f88beb
Author: Freeman Fang <fr...@gmail.com>
Authored: Mon May 26 16:03:49 2014 +0800
Committer: Freeman Fang <fr...@gmail.com>
Committed: Mon May 26 16:20:56 2014 +0800

----------------------------------------------------------------------
 .../karaf/management/KarafMBeanServerGuard.java | 34 ++++++++++++++++++++
 .../management/KarafMBeanServerGuardTest.java   |  2 ++
 2 files changed, 36 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/687ba286/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
----------------------------------------------------------------------
diff --git a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
index 746c35b..c2cf224 100644
--- a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
+++ b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -36,6 +36,9 @@ import java.util.*;
 public class KarafMBeanServerGuard implements InvocationHandler {
 
     private static final String JMX_ACL_PID_PREFIX = "jmx.acl";
+    
+    private static final String JMX_ACL_WHITELIST = "jmx.acl.whitelist";
+
 
     private ConfigurationAdmin configAdmin;
 
@@ -170,6 +173,9 @@ public class KarafMBeanServerGuard implements InvocationHandler {
     }
 
     private boolean canInvoke(ObjectName objectName, String methodName, String[] signature) throws IOException {
+        if (canBypassRBAC(objectName)) {
+            return true;
+        }
         for (String role : getRequiredRoles(objectName, methodName, signature)) {
             if (JaasHelper.currentUserHasRole(role))
                 return true;
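Review bot: The early `return true` added to `canInvoke` runs before any role is examined, so a whitelisted ObjectName is allowed for every caller regardless of the roles the current subject holds. That is worth stating next to the check, for example `// jmx.acl.whitelist entries skip the role check for all callers`. `canBypassRBAC` also queries ConfigurationAdmin on each call, so every guarded invocation now pays for an extra configuration lookup, ahead of the one `getRequiredRoles` presumably performs. The rest of `canInvoke` lies outside this hunk.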
@@ -220,7 +226,35 @@ public class KarafMBeanServerGuard implements InvocationHandler {
         }
     }
 
+    private boolean canBypassRBAC(ObjectName objectName) {
+        List<String> allBypassObjectName = new ArrayList<String>();
+        try {
+            for (Configuration config : configAdmin.listConfigurations("(service.pid=" + JMX_ACL_WHITELIST + ")")) {
+                Enumeration<String> keys = config.getProperties().keys();
+                while (keys.hasMoreElements()) {
+                    String element = keys.nextElement();
+                    allBypassObjectName.add(element);
+                }
+            }
+        } catch (InvalidSyntaxException ise) {
+            throw new RuntimeException(ise);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        } 
+
+        for (String pid : iterateDownPids(getNameSegments(objectName))) {
+            if (!pid.equals("jmx.acl") 
+                && allBypassObjectName.contains(pid.substring("jmx.acl.".length()))) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     void handleInvoke(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
+        if (canBypassRBAC(objectName)) {
+            return;
+        }
         for (String role : getRequiredRoles(objectName, operationName, params, signature)) {
             if (JaasHelper.currentUserHasRole(role))
                 return;
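Review bot: In `canBypassRBAC` the for-each iterates the result of `configAdmin.listConfigurations(...)` directly, but the OSGi ConfigurationAdmin contract returns `null` when no configuration matches. A deployment without a `jmx.acl.whitelist` PID would therefore throw a NullPointerException on every guarded JMX call instead of falling through to the role check. Assign the result first and return early: `Configuration[] configs = configAdmin.listConfigurations("(service.pid=" + JMX_ACL_WHITELIST + ")");` followed by `if (configs == null) return false;`. The loop also adds every property key to the bypass list and ignores the values, so framework-supplied keys such as `service.pid` become entries and an entry cannot be disabled by setting it to false; filtering those keys and documenting that key presence alone grants the bypass would make the file's effect explicit. Because a match skips the role check in both `canInvoke` and `handleInvoke` (whose body continues past this hunk), a log line at the `return true` would let operators see which ObjectNames are being exempted. The literals `"jmx.acl"` and `"jmx.acl."` could reuse `JMX_ACL_PID_PREFIX`.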

http://git-wip-us.apache.org/repos/asf/karaf/blob/687ba286/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
----------------------------------------------------------------------
diff --git a/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java b/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
index 8dfb42e..ac52c30 100644
--- a/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
+++ b/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
@@ -376,6 +376,8 @@ public class KarafMBeanServerGuardTest extends TestCase {
         }
         EasyMock.expect(ca.listConfigurations(EasyMock.eq("(service.pid=jmx.acl*)"))).andReturn(
                 allConfigs.toArray(new Configuration[]{})).anyTimes();
+        EasyMock.expect(ca.listConfigurations(EasyMock.eq("(service.pid=jmx.acl.whitelist)"))).andReturn(
+                allConfigs.toArray(new Configuration[]{})).anyTimes();
         EasyMock.replay(ca);
         return ca;
     }
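Review bot: The new expectation answers the `jmx.acl.whitelist` filter with the same `allConfigs` array used for the ACL lookup, so the mock's "whitelist" is the property keys of the ACL configurations and no test pins the bypass itself. A dedicated whitelist `Configuration` would allow one case where a listed ObjectName passes without any role, one where an unlisted name is still denied, and one where `listConfigurations` returns `null` for the whitelist filter. The context line above also shows that the existing lookup filters on `(service.pid=jmx.acl*)`, which matches the new `jmx.acl.whitelist` PID too. It may be worth confirming that the whitelist configuration is not also read as an ACL for MBeans in a domain named `whitelist`. The enclosing helper method starts outside this hunk.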