You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@geode.apache.org by je...@apache.org on 2018/01/10 19:02:44 UTC
[geode] branch develop updated: GEODE-3974: Improve permissions for
geode-modules functions (#1258)
This is an automated email from the ASF dual-hosted git repository.
jensdeppe pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git
The following commit(s) were added to refs/heads/develop by this push:
new 90f8f62 GEODE-3974: Improve permissions for geode-modules functions (#1258)
90f8f62 is described below
commit 90f8f6242927c5e16da64f38bba9abf3d450a305
Author: Jens Deppe <jd...@pivotal.io>
AuthorDate: Wed Jan 10 11:02:42 2018 -0800
GEODE-3974: Improve permissions for geode-modules functions (#1258)
---
.../geode/modules/util/BootstrappingFunction.java | 9 +++
.../geode/modules/util/CreateRegionFunction.java | 13 +++-
.../geode/modules/util/RegionSizeFunction.java | 9 +++
.../TouchPartitionedRegionEntriesFunction.java | 9 +++
.../util/TouchReplicatedRegionEntriesFunction.java | 9 +++
.../modules/util/ModuleFunctionsSecurityTest.java | 91 ++++++++++++++++++++++
.../cli/functions/RegionCreateFunction.java | 9 +++
7 files changed, 145 insertions(+), 4 deletions(-)
diff --git a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/BootstrappingFunction.java b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/BootstrappingFunction.java
index 82ca3e3..4d64a78 100644
--- a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/BootstrappingFunction.java
+++ b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/BootstrappingFunction.java
@@ -17,6 +17,8 @@ package org.apache.geode.modules.util;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
import java.util.List;
import java.util.Set;
@@ -32,6 +34,8 @@ import org.apache.geode.distributed.internal.DistributionManager;
import org.apache.geode.distributed.internal.InternalDistributedSystem;
import org.apache.geode.distributed.internal.MembershipListener;
import org.apache.geode.distributed.internal.membership.InternalDistributedMember;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
public class BootstrappingFunction implements Function, MembershipListener, DataSerializable {
@@ -87,6 +91,11 @@ public class BootstrappingFunction implements Function, MembershipListener, Data
return cache;
}
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+ return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE);
+ }
+
private void registerAsMembershipListener(Cache cache) {
DistributionManager dm =
((InternalDistributedSystem) cache.getDistributedSystem()).getDistributionManager();
diff --git a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/CreateRegionFunction.java b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/CreateRegionFunction.java
index 7c89cb0..bf998d1 100644
--- a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/CreateRegionFunction.java
+++ b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/CreateRegionFunction.java
@@ -20,10 +20,10 @@ import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
+import java.util.Collection;
+import java.util.Collections;
import java.util.Properties;
-import javax.xml.crypto.Data;
-
import org.apache.geode.DataSerializable;
import org.apache.geode.InternalGemFireError;
import org.apache.geode.cache.AttributesFactory;
@@ -32,8 +32,6 @@ import org.apache.geode.cache.CacheFactory;
import org.apache.geode.cache.Declarable;
import org.apache.geode.cache.Region;
import org.apache.geode.cache.RegionAttributes;
-import org.apache.geode.cache.RegionFactory;
-import org.apache.geode.cache.RegionShortcut;
import org.apache.geode.cache.Scope;
import org.apache.geode.cache.client.ClientCache;
import org.apache.geode.cache.execute.Function;
@@ -46,6 +44,8 @@ import org.apache.geode.internal.cache.InternalRegionArguments;
import org.apache.geode.internal.cache.PartitionedRegion;
import org.apache.geode.internal.cache.xmlcache.CacheXmlGenerator;
import org.apache.geode.internal.i18n.LocalizedStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
public class CreateRegionFunction implements Function, Declarable, DataSerializable {
@@ -96,6 +96,11 @@ public class CreateRegionFunction implements Function, Declarable, DataSerializa
context.getResultSender().lastResult(status);
}
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+ return Collections.singletonList(ResourcePermissions.DATA_MANAGE);
+ }
+
private RegionStatus createOrRetrieveRegion(RegionConfiguration configuration) {
RegionStatus status = null;
String regionName = configuration.getRegionName();
diff --git a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/RegionSizeFunction.java b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/RegionSizeFunction.java
index 328d490..a45e472 100644
--- a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/RegionSizeFunction.java
+++ b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/RegionSizeFunction.java
@@ -17,6 +17,8 @@ package org.apache.geode.modules.util;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
import java.util.Properties;
import org.apache.geode.DataSerializable;
@@ -24,6 +26,7 @@ import org.apache.geode.cache.Declarable;
import org.apache.geode.cache.execute.Function;
import org.apache.geode.cache.execute.FunctionContext;
import org.apache.geode.cache.execute.RegionFunctionContext;
+import org.apache.geode.security.ResourcePermission;
public class RegionSizeFunction implements Function, Declarable, DataSerializable {
@@ -38,6 +41,12 @@ public class RegionSizeFunction implements Function, Declarable, DataSerializabl
context.getResultSender().lastResult(rfc.getDataSet().size());
}
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+ return Collections.singletonList(new ResourcePermission(ResourcePermission.Resource.DATA,
+ ResourcePermission.Operation.READ, regionName));
+ }
+
public String getId() {
return ID;
}
diff --git a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchPartitionedRegionEntriesFunction.java b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchPartitionedRegionEntriesFunction.java
index 01b1685..d503359 100644
--- a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchPartitionedRegionEntriesFunction.java
+++ b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchPartitionedRegionEntriesFunction.java
@@ -17,6 +17,8 @@ package org.apache.geode.modules.util;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
import java.util.Properties;
import java.util.Set;
@@ -29,6 +31,7 @@ import org.apache.geode.cache.execute.Function;
import org.apache.geode.cache.execute.FunctionContext;
import org.apache.geode.cache.execute.RegionFunctionContext;
import org.apache.geode.cache.partition.PartitionRegionHelper;
+import org.apache.geode.security.ResourcePermission;
/**
* Touches the keys contained in the set of keys by performing a get on the partitioned region.
@@ -76,6 +79,12 @@ public class TouchPartitionedRegionEntriesFunction
context.getResultSender().lastResult(true);
}
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+ return Collections.singletonList(new ResourcePermission(ResourcePermission.Resource.DATA,
+ ResourcePermission.Operation.READ, regionName));
+ }
+
public String getId() {
return ID;
}
diff --git a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchReplicatedRegionEntriesFunction.java b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchReplicatedRegionEntriesFunction.java
index f48c117..7fcb0e9 100644
--- a/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchReplicatedRegionEntriesFunction.java
+++ b/extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchReplicatedRegionEntriesFunction.java
@@ -17,6 +17,8 @@ package org.apache.geode.modules.util;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
import java.util.Properties;
import java.util.Set;
@@ -27,6 +29,7 @@ import org.apache.geode.cache.Declarable;
import org.apache.geode.cache.Region;
import org.apache.geode.cache.execute.Function;
import org.apache.geode.cache.execute.FunctionContext;
+import org.apache.geode.security.ResourcePermission;
/**
* Touches the keys contained in the set of keys by performing a get on the replicated region. This
@@ -71,6 +74,12 @@ public class TouchReplicatedRegionEntriesFunction
context.getResultSender().lastResult(true);
}
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+ return Collections.singletonList(new ResourcePermission(ResourcePermission.Resource.DATA,
+ ResourcePermission.Operation.READ, regionName));
+ }
+
public String getId() {
return ID;
}
diff --git a/extensions/geode-modules/src/test/java/org/apache/geode/modules/util/ModuleFunctionsSecurityTest.java b/extensions/geode-modules/src/test/java/org/apache/geode/modules/util/ModuleFunctionsSecurityTest.java
new file mode 100644
index 0000000..1a0548d
--- /dev/null
+++ b/extensions/geode-modules/src/test/java/org/apache/geode/modules/util/ModuleFunctionsSecurityTest.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.geode.modules.util;
+
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import org.apache.geode.cache.RegionShortcut;
+import org.apache.geode.cache.execute.FunctionService;
+import org.apache.geode.examples.SimpleSecurityManager;
+import org.apache.geode.test.junit.categories.IntegrationTest;
+import org.apache.geode.test.junit.categories.SecurityTest;
+import org.apache.geode.test.junit.rules.ConnectionConfiguration;
+import org.apache.geode.test.junit.rules.GfshCommandRule;
+import org.apache.geode.test.junit.rules.ServerStarterRule;
+
+@Category({IntegrationTest.class, SecurityTest.class})
+public class ModuleFunctionsSecurityTest {
+
+ @ClassRule
+ public static ServerStarterRule server =
+ new ServerStarterRule().withJMXManager().withSecurityManager(SimpleSecurityManager.class)
+ .withRegion(RegionShortcut.REPLICATE, "REPLICATE_1")
+ .withRegion(RegionShortcut.PARTITION, "PARTITION_1").withAutoStart();
+
+ @Rule
+ public GfshCommandRule gfsh =
+ new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager);
+
+ @BeforeClass
+ public static void setupClass() {
+ FunctionService.registerFunction(new BootstrappingFunction());
+ FunctionService.registerFunction(new CreateRegionFunction());
+ FunctionService.registerFunction(new RegionSizeFunction());
+ FunctionService.registerFunction(new TouchPartitionedRegionEntriesFunction());
+ FunctionService.registerFunction(new TouchReplicatedRegionEntriesFunction());
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataWrite", password = "dataWrite")
+ public void testInvalidPermissionsForBootstrappingFunction() throws Exception {
+ gfsh.executeAndAssertThat("execute function --id=" + BootstrappingFunction.ID)
+ .containsOutput("not authorized for CLUSTER:MANAGE").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataWrite", password = "dataWrite")
+ public void testInvalidPermissionsForCreateRegionFunction() throws Exception {
+ gfsh.executeAndAssertThat("execute function --id=" + CreateRegionFunction.ID)
+ .containsOutput("not authorized for DATA:MANAGE").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataWrite", password = "dataWrite")
+ public void testInvalidPermissionsForRegionSizeFunction() throws Exception {
+ gfsh.executeAndAssertThat("execute function --region=REPLICATE_1 --id=" + RegionSizeFunction.ID)
+ .containsOutput("not authorized for DATA:READ:REPLICATE_1").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataWrite", password = "dataWrite")
+ public void testInvalidPermissionsForTouchPartitionedRegionEntriesFunction() throws Exception {
+ gfsh.executeAndAssertThat(
+ "execute function --region=PARTITION_1 --id=" + TouchPartitionedRegionEntriesFunction.ID)
+ .containsOutput("not authorized for DATA:READ:PARTITION_1").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataWrite", password = "dataWrite")
+ public void testInvalidPermissionsForTouchReplicatedRegionEntriesFunction() throws Exception {
+ gfsh.executeAndAssertThat(
+ "execute function --region=REPLICATE_1 --id=" + TouchReplicatedRegionEntriesFunction.ID)
+ .containsOutput("not authorized for DATA:READ:REPLICATE_1").statusIsSuccess();
+ }
+}
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionCreateFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionCreateFunction.java
index 8098566..3729d75 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionCreateFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionCreateFunction.java
@@ -14,6 +14,8 @@
*/
package org.apache.geode.management.internal.cli.functions;
+import java.util.Collection;
+import java.util.Collections;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
@@ -49,6 +51,8 @@ import org.apache.geode.management.internal.cli.commands.RegionCommandsUtils;
import org.apache.geode.management.internal.cli.i18n.CliStrings;
import org.apache.geode.management.internal.cli.util.RegionPath;
import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
/**
*
@@ -121,6 +125,11 @@ public class RegionCreateFunction implements Function, InternalEntity {
}
}
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+ return Collections.singletonList(ResourcePermissions.DATA_MANAGE);
+ }
+
private CliFunctionResult handleException(final String memberNameOrId, final String exceptionMsg,
final Exception e) {
if (e != null && logger.isDebugEnabled()) {
--
To stop receiving notification emails like this one, please contact
['"commits@geode.apache.org" <co...@geode.apache.org>'].