Posted to commits@ignite.apache.org by vo...@apache.org on 2018/10/26 08:32:02 UTC

ignite git commit: IGNITE-9454: Fixed SecurityPermissionSetBuilder. This closes #5066.

Repository: ignite
Updated Branches:
  refs/heads/master b94efd511 -> 1f3648b75


IGNITE-9454: Fixed SecurityPermissionSetBuilder. This closes #5066.


Project: http://git-wip-us.apache.org/repos/asf/ignite/repo
Commit: http://git-wip-us.apache.org/repos/asf/ignite/commit/1f3648b7
Tree: http://git-wip-us.apache.org/repos/asf/ignite/tree/1f3648b7
Diff: http://git-wip-us.apache.org/repos/asf/ignite/diff/1f3648b7

Branch: refs/heads/master
Commit: 1f3648b75d36bd8a601b1860c98a1a917b442620
Parents: b94efd5
Author: Ilya Kasnacheev <il...@gmail.com>
Authored: Fri Oct 26 11:31:51 2018 +0300
Committer: devozerov <pp...@gmail.com>
Committed: Fri Oct 26 11:31:51 2018 +0300

----------------------------------------------------------------------
 .../security/SecurityPermissionSetBuilder.java  |  9 ++++++--
 .../SecurityPermissionSetBuilderTest.java       | 24 ++++++++++++++++----
 2 files changed, 26 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ignite/blob/1f3648b7/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
index abac541..659613a 100644
--- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
@@ -126,6 +126,11 @@ public class SecurityPermissionSetBuilder {
      * @return {@link SecurityPermissionSetBuilder} refer to same permission builder.
      */
     public SecurityPermissionSetBuilder appendCachePermissions(String name, SecurityPermission... perms) {
+        for (SecurityPermission perm : perms) {
+            if (perm == SecurityPermission.CACHE_CREATE || perm == SecurityPermission.CACHE_DESTROY)
+                throw new IgniteException(perm + " should be assigned as system permission, not cache permission");
+        }
+
         validate(toCollection("CACHE_"), perms);
 
         append(cachePerms, name, toCollection(perms));
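Review bot: The new guard in appendCachePermissions hard-codes CACHE_CREATE and CACHE_DESTROY, while the allow-list in appendSystemPermissions (next hunk) repeats the same two names as strings, so the two lists have to be kept in step by hand. A later cache-wide permission added to only one of them would either be rejected by both methods or, if its name starts with `CACHE_`, be accepted as a per-cache grant, which is the mix-up this guard is meant to prevent. Consider one shared constant used by both methods, e.g. `private static final Set<SecurityPermission> SYS_CACHE_PERMS = EnumSet.of(SecurityPermission.CACHE_CREATE, SecurityPermission.CACHE_DESTROY);`, and a Javadoc sentence on this method saying these two values now throw IgniteException, since callers that passed them before this change will start failing. The method body continues past the end of the hunk.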
@@ -140,7 +145,7 @@ public class SecurityPermissionSetBuilder {
      * @return {@link SecurityPermissionSetBuilder} refer to same permission builder.
      */
     public SecurityPermissionSetBuilder appendSystemPermissions(SecurityPermission... perms) {
-        validate(toCollection("EVENTS_", "ADMIN_"), perms);
+        validate(toCollection("EVENTS_", "ADMIN_", "CACHE_CREATE", "CACHE_DESTROY", "JOIN_AS_SERVER"), perms);
 
         sysPerms.addAll(toCollection(perms));
 
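Review bot: The three entries added to the allow-list in appendSystemPermissions are full permission names, but the message asserted in the test ("you can assign permission only start with [...]") suggests validate() matches by prefix, so `"CACHE_CREATE"` would also admit any future constant whose name merely begins with that string. For a permission allow-list, full names are safer compared for equality than as prefixes. If validate() has to stay prefix-based, a comment such as `// Full names here are still prefix-matched by validate(); do not add constants that extend them.` would make the constraint visible. validate() is outside the hunk, so the prefix behaviour is inferred from the message text only.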
@@ -194,7 +199,7 @@ public class SecurityPermissionSetBuilder {
     private final <T> Collection<T> toCollection(T... perms) {
         assert perms != null;
 
-        Collection<T> col = U.newHashSet(perms.length);
+        Collection<T> col = U.newLinkedHashSet(perms.length);
 
         Collections.addAll(col, perms);
 
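Review bot: The switch to `U.newLinkedHashSet` in toCollection carries no comment saying why iteration order now matters. Presumably it keeps the prefix list printed in validation errors in the order the caller passed it, which the updated expected strings in the test rely on. A line such as `// Insertion-ordered so the prefix list printed in validation errors is stable.` would stop a later cleanup from reverting it. The method continues past the end of the hunk.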

http://git-wip-us.apache.org/repos/asf/ignite/blob/1f3648b7/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
index 0ac7bc7..338034f 100644
--- a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
+++ b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
@@ -27,9 +27,12 @@ import org.apache.ignite.internal.util.typedef.internal.U;
 import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest;
 
 import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_VIEW;
+import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_CREATE;
+import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_DESTROY;
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_PUT;
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_READ;
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_REMOVE;
+import static org.apache.ignite.plugin.security.SecurityPermission.JOIN_AS_SERVER;
 import static org.apache.ignite.plugin.security.SecurityPermission.SERVICE_DEPLOY;
 import static org.apache.ignite.plugin.security.SecurityPermission.SERVICE_INVOKE;
 import static org.apache.ignite.plugin.security.SecurityPermission.EVENTS_ENABLE;
@@ -65,7 +68,7 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
 
         exp.setServicePermissions(permSrvc);
 
-        exp.setSystemPermissions(permissions(ADMIN_VIEW, EVENTS_ENABLE));
+        exp.setSystemPermissions(permissions(ADMIN_VIEW, EVENTS_ENABLE, JOIN_AS_SERVER, CACHE_CREATE, CACHE_DESTROY));
 
         final SecurityPermissionSetBuilder permsBuilder = new SecurityPermissionSetBuilder();
 
@@ -80,7 +83,7 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
 
         assertThrows(log, new Callable<Object>() {
                     @Override public Object call() throws Exception {
-                        permsBuilder.appendTaskPermissions("task", CACHE_READ);
+                        permsBuilder.appendTaskPermissions("task", CACHE_READ, JOIN_AS_SERVER);
                         return null;
                     }
                 }, IgniteException.class,
@@ -93,7 +96,7 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
                         return null;
                     }
                 }, IgniteException.class,
-                "you can assign permission only start with [EVENTS_, ADMIN_], but you try TASK_EXECUTE"
+                "you can assign permission only start with [EVENTS_, ADMIN_, CACHE_CREATE, CACHE_DESTROY, JOIN_AS_SERVER], but you try TASK_EXECUTE"
         );
 
         assertThrows(log, new Callable<Object>() {
@@ -102,7 +105,16 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
                     return null;
                 }
             }, IgniteException.class,
-            "you can assign permission only start with [EVENTS_, ADMIN_], but you try SERVICE_INVOKE"
+            "you can assign permission only start with [EVENTS_, ADMIN_, CACHE_CREATE, CACHE_DESTROY, JOIN_AS_SERVER], but you try SERVICE_INVOKE"
+        );
+
+        assertThrows(log, new Callable<Object>() {
+                @Override public Object call() throws Exception {
+                    permsBuilder.appendCachePermissions("cache", CACHE_CREATE);
+                    return null;
+                }
+            }, IgniteException.class,
+            "CACHE_CREATE should be assigned as system permission, not cache permission"
         );
 
         permsBuilder
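Review bot: Only CACHE_CREATE is exercised against appendCachePermissions in the added assertThrows; the CACHE_DESTROY arm of the new guard has no assertion. A second assertThrows calling `permsBuilder.appendCachePermissions("cache", CACHE_DESTROY);` with the matching message would cover it. A mixed call such as `permsBuilder.appendCachePermissions("cache", CACHE_READ, CACHE_DESTROY);` would also confirm that a valid permission passed alongside a rejected one still fails. The enclosing test method starts and ends outside the hunk.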
@@ -116,7 +128,9 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
             .appendServicePermissions("service2", SERVICE_INVOKE)
             .appendServicePermissions("service2", SERVICE_INVOKE)
             .appendSystemPermissions(ADMIN_VIEW)
-            .appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE);
+            .appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE)
+            .appendSystemPermissions(JOIN_AS_SERVER)
+            .appendSystemPermissions(CACHE_CREATE, CACHE_DESTROY);
 
         SecurityPermissionSet actual = permsBuilder.build();