Posted to commits@activemq.apache.org by ch...@apache.org on 2011/02/21 16:00:54 UTC
svn commit: r1073002 - in
/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security:
AclAuthorizer.scala CertificateLoginModule.scala FileGroupLoginModule.scala
Author: chirino
Date: Mon Feb 21 15:00:53 2011
New Revision: 1073002
URL: http://svn.apache.org/viewvc?rev=1073002&view=rev
Log:
Added logging statements so that we can tell why a user action gets rejected.
Modified:
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala?rev=1073002&r1=1073001&r2=1073002&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala Mon Feb 21 15:00:53 2011
@@ -16,10 +16,11 @@
*/
package org.apache.activemq.apollo.broker.security
-import scala.util.continuations._
-import org.apache.activemq.apollo.util.path.Path
import org.apache.activemq.apollo.broker.{Connector, VirtualHost, Broker}
import org.apache.activemq.apollo.dto._
+import org.apache.activemq.apollo.util.Log
+
+object AclAuthorizer extends Log
/**
* <p>
@@ -31,75 +32,70 @@ import org.apache.activemq.apollo.dto._
*/
class AclAuthorizer(val default_kinds:List[String]) extends Authorizer {
import collection.JavaConversions._
+ import AclAuthorizer._
def is_in(ctx: SecurityContext, allowed:java.util.List[PrincipalDTO]):Boolean = {
ctx.is_allowed(allowed.toList, default_kinds)
}
- def can_admin(ctx: SecurityContext, broker: Broker) = {
- if( broker.config.acl!=null ) {
- is_in(ctx, broker.config.acl.admins)
- } else {
- true
+ def log_on_failure(ctx: SecurityContext, action: String, resource: =>String)(func: =>Boolean):Boolean = {
+ val rc = func
+ if( !rc ) {
+ debug("Authorization failed: '%s' does not have %s access on %s", ctx.user, action, resource)
}
+ rc
+ }
+
+ def can_admin(ctx: SecurityContext, broker: Broker) = log_on_failure(ctx, "administration", "broker") {
+ broker.config.acl==null || is_in(ctx, broker.config.acl.admins)
}
def can_connect_to(ctx: SecurityContext, host: VirtualHost, connector:Connector):Boolean = {
- if( host.config.acl!=null && !is_in(ctx, host.config.acl.connects) ) {
- return false
+ log_on_failure(ctx, "connect", "host "+host.names) {
+ host.config.acl==null || is_in(ctx, host.config.acl.connects)
+ } && log_on_failure(ctx, "connect", "connector "+connector.config.id) {
+ connector.config.acl==null || is_in(ctx, connector.config.acl.connects)
}
- if( connector.config.acl!=null && !is_in(ctx, connector.config.acl.connects) ) {
- return false
- }
- true
}
private def can_dest(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO)(func: TopicAclDTO=>java.util.List[PrincipalDTO]) = {
- if( dest.acl!=null ) {
- is_in(ctx, func(dest.acl))
- } else {
- true
- }
+ dest.acl==null || is_in(ctx, func(dest.acl))
}
- def can_send_to(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = {
+ def can_send_to(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = log_on_failure(ctx, "send to", "topic "+dest.name) {
can_dest(ctx, host, dest)(_.sends)
}
- def can_receive_from(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = {
+ def can_receive_from(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = log_on_failure(ctx, "receive from", "topic "+dest.name) {
can_dest(ctx, host, dest)(_.receives)
}
- def can_destroy(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = {
+ def can_destroy(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = log_on_failure(ctx, "destroy", "topic "+dest.name) {
can_dest(ctx, host, dest)(_.destroys)
}
- def can_create(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = {
+ def can_create(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = log_on_failure(ctx, "create", "topic "+dest.name) {
can_dest(ctx, host, dest)(_.creates)
}
private def can_queue(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO)(func: QueueAclDTO=>java.util.List[PrincipalDTO]) = {
- if( queue.acl!=null ) {
- is_in(ctx, func(queue.acl))
- } else {
- true
- }
+ queue.acl==null || is_in(ctx, func(queue.acl))
}
- def can_send_to(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+ def can_send_to(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx, "send to", "queue "+queue.name) {
can_queue(ctx, host, queue)(_.sends)
}
- def can_receive_from(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+ def can_receive_from(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx, "receive from", "queue "+queue.name) {
can_queue(ctx, host, queue)(_.receives)
}
- def can_destroy(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+ def can_destroy(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx, "destroy", "queue "+queue.name) {
can_queue(ctx, host, queue)(_.destroys)
}
- def can_create(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+ def can_create(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx, "create", "queue "+queue.name) {
can_queue(ctx, host, queue)(_.creates)
}
- def can_consume_from(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+ def can_consume_from(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx, "consume from", "queue "+queue.name) {
can_queue(ctx, host, queue)(_.consumes)
}
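Review bot: The denial message in `log_on_failure` (the `debug("Authorization failed: ...")` call near the top of the hunk) is emitted at debug level, so in a deployment where debug logging is off the reason a request was rejected — the stated purpose of this commit — is still not recorded; consider logging the denial itself at a higher level than debug (or through a dedicated audit logger) and keeping debug for the per-check detail. The same applies to the `debug("Distinguished name: '%s' not found in dn file", dn)` branch in the CertificateLoginModule.scala hunk, which is a failed certificate login. The message also interpolates `ctx.user` directly; if a SecurityContext can be unauthenticated at this point (not visible from here) the line will read `'null'`, and `Option(ctx.user).getOrElse("<anonymous>")` would make that explicit. In `can_connect_to` the `&&` means the connector ACL is only evaluated after the host ACL passes, so at most one denial line is produced per call; a one-line comment such as `// host ACL is checked first; connector ACL only when it passes` would save the next reader from wondering why a connector denial is sometimes absent.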
Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala?rev=1073002&r1=1073001&r2=1073002&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala Mon Feb 21 15:00:53 2011
@@ -30,7 +30,7 @@ import org.yaml.snakeyaml.Yaml
import org.apache.activemq.apollo.util.{FileSupport, Log}
import java.lang.String
import org.apache.activemq.jaas.{UserPrincipal, CertificateCallback}
-import java.util.{LinkedList, Properties, HashSet}
+import java.util.LinkedList
/**
* <p>
@@ -98,6 +98,7 @@ class CertificateLoginModule {
file match {
case None =>
for (cert <- certificates) {
+ debug("Adding certificiate principal: '%s'", cert.getSubjectX500Principal.getName)
principals.add(cert.getSubjectX500Principal)
}
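Review bot: The new log string in the `case None` branch misspells "certificate" as "certificiate", and the same spelling is repeated in the next hunk's `debug("Adding certificiate principal: '%s'", dn)`. Both should read `debug("Adding certificate principal: '%s'", ...)`, since operators are likely to grep the log for the correct word. The enclosing method starts before this hunk, so the surrounding `file match` context is only partly visible here.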
@@ -120,8 +121,12 @@ class CertificateLoginModule {
val alias = users.get(dn)
if( alias!=null ) {
principals.add(new UserPrincipal(alias.toString))
+ debug("Adding user principal: '%s'", alias.toString)
}
principals.add(cert.getSubjectX500Principal)
+ debug("Adding certificiate principal: '%s'", dn)
+ } else {
+ debug("Distinguished name: '%s' not found in dn file", dn)
}
}
Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala?rev=1073002&r1=1073001&r2=1073002&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala (original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala Mon Feb 21 15:00:53 2011
@@ -121,14 +121,15 @@ class FileGroupLoginModule extends Login
val group_name = en.nextElement().asInstanceOf[String]
val users = groups.getProperty(group_name).split(Pattern.quote(separator)).map(_.trim)
users.foreach { x =>
+ debug("Searching for groups with member: '%s'", x)
if ( principles.contains(x) ) {
principals.add(new GroupPrincipal(group_name))
+ debug("Added group principal: '%s'", group_name)
}
}
}
subject.getPrincipals().addAll(principals)
- debug("commit")
return true
}
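Review bot: The added `debug("Searching for groups with member: '%s'", x)` sits inside `users.foreach`, so it fires once per listed member of every group on every login and its wording does not describe what the loop does — it walks a group's member list and checks each entry against `principles`. A single line before the inner loop, e.g. `debug("Checking group '%s' for members: %s", group_name, users.mkString(", "))`, would say the same thing with far less noise, and the per-match `debug("Added group principal: '%s'", group_name)` can stay as is. The enclosing method starts before this hunk; its `return true` on the last line is pre-existing and not part of this change.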