Posted to commits@geode.apache.org by ji...@apache.org on 2016/05/03 19:14:16 UTC
incubator-geode git commit: GEODE-17 - use null instead of "NULL" for
regionName
Repository: incubator-geode
Updated Branches:
refs/heads/develop 51e4e71ef -> b8fc3c706
GEODE-17 - use null instead of "NULL" for regionName
* create an example JSONAuthorization that initializes with a default security.json file.
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/b8fc3c70
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/b8fc3c70
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/b8fc3c70
Branch: refs/heads/develop
Commit: b8fc3c706ef672c48a04f7c6ec4bf593414c6494
Parents: 51e4e71
Author: Jinmei Liao <ji...@pivotal.io>
Authored: Mon May 2 07:26:27 2016 -0700
Committer: Jinmei Liao <ji...@pivotal.io>
Committed: Tue May 3 07:55:25 2016 -0700
----------------------------------------------------------------------
.../security/ResourceOperationContext.java | 9 +-
.../security/ExampleJSONAuthorization.java | 197 +++++++++++++++++++
.../internal/security/JSONAuthorization.java | 5 +-
.../ResourceOperationContextJUnitTest.java | 8 +-
4 files changed, 203 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/b8fc3c70/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
index 7f6f72e..2e46104 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
@@ -18,8 +18,6 @@ package com.gemstone.gemfire.management.internal.security;
import com.gemstone.gemfire.cache.operations.OperationContext;
-import org.apache.shiro.authz.Permission;
-
/**
* This is base class for OperationContext for resource (JMX and CLI) operations
*/
@@ -30,7 +28,7 @@ public class ResourceOperationContext extends OperationContext {
private Resource resource = Resource.NULL;
private OperationCode operation = OperationCode.NULL;
- private String regionName = "NULL";
+ private String regionName = null;
public ResourceOperationContext() {
this(null, null, null);
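Review bot: The initializer `private String regionName = null;` replaces a string sentinel with a real null, so any caller that compared `getRegionName()` with `equals`, or used it as a map key, now risks a NullPointerException, and the hunk does not show how the superclass `implies` or the three-argument constructor treat a null region. A field comment would pin the intended contract, e.g. `// null means no region was specified (not a wildcard); callers must null-check getRegionName()`. The three-argument constructor reached via `this(null, null, null)` lies outside the hunk, and the class continues past it.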
@@ -81,9 +79,4 @@ public class ResourceOperationContext extends OperationContext {
public Object getOperationResult() {
return this.opResult;
}
-
- @Override
- public boolean implies(Permission p){
- return super.implies(p);
- }
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/b8fc3c70/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ExampleJSONAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ExampleJSONAuthorization.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ExampleJSONAuthorization.java
new file mode 100644
index 0000000..f34be0b
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ExampleJSONAuthorization.java
@@ -0,0 +1,197 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import javax.management.remote.JMXPrincipal;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.cache.operations.OperationContext;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+import com.gemstone.gemfire.security.NotAuthorizedException;
+
+import org.apache.commons.io.IOUtils;
+import org.json.JSONArray;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+public class ExampleJSONAuthorization implements AccessControl, Authenticator {
+
+ public static class Role {
+ List<OperationContext> permissions = new ArrayList<>();
+ String name;
+ String serverGroup;
+ }
+
+ public static class User {
+ String name;
+ Set<Role> roles = new HashSet<>();
+ String pwd;
+ }
+
+ private static Map<String, User> acl = null;
+
+ public static ExampleJSONAuthorization create() throws IOException, JSONException {
+ return new ExampleJSONAuthorization();
+ }
+
+ public ExampleJSONAuthorization() throws IOException, JSONException {
+ setUpWithJsonFile("security.json");
+ }
+
+ public static void setUpWithJsonFile(String jsonFileName) throws IOException, JSONException {
+ InputStream input = ExampleJSONAuthorization.class.getResourceAsStream(jsonFileName);
+ if(input==null){
+ throw new RuntimeException("Could not find resource " + jsonFileName);
+ }
+
+ StringWriter writer = new StringWriter();
+ IOUtils.copy(input, writer, "UTF-8");
+ String json = writer.toString();
+ readSecurityDescriptor(json);
+ }
+
+ private static void readSecurityDescriptor(String json) throws IOException, JSONException {
+ JSONObject jsonBean = new JSONObject(json);
+ acl = new HashMap<>();
+ Map<String, Role> roleMap = readRoles(jsonBean);
+ readUsers(acl, jsonBean, roleMap);
+ }
+
+ private static void readUsers(Map<String, User> acl, JSONObject jsonBean, Map<String, Role> roleMap)
+ throws JSONException {
+ JSONArray array = jsonBean.getJSONArray("users");
+ for (int i = 0; i < array.length(); i++) {
+ JSONObject obj = array.getJSONObject(i);
+ User user = new User();
+ user.name = obj.getString("name");
+ if (obj.has("password")) {
+ user.pwd = obj.getString("password");
+ } else {
+ user.pwd = user.name;
+ }
+
+ JSONArray ops = obj.getJSONArray("roles");
+ for (int j = 0; j < ops.length(); j++) {
+ String roleName = ops.getString(j);
+ user.roles.add(roleMap.get(roleName));
+ }
+ acl.put(user.name, user);
+ }
+ }
+
+ private static Map<String, Role> readRoles(JSONObject jsonBean) throws JSONException {
+ Map<String, Role> roleMap = new HashMap<>();
+ JSONArray array = jsonBean.getJSONArray("roles");
+ for (int i = 0; i < array.length(); i++) {
+ JSONObject obj = array.getJSONObject(i);
+ Role role = new Role();
+ role.name = obj.getString("name");
+ String regionNames = null;
+ if(obj.has("regions")) {
+ regionNames = obj.getString("regions");
+ }
+ JSONArray ops = obj.getJSONArray("operationsAllowed");
+ for (int j = 0; j < ops.length(); j++) {
+ String[] parts = ops.getString(j).split(":");
+ if(regionNames!=null) {
+ role.permissions.add(new ResourceOperationContext(parts[0], parts[1], regionNames));
+ }
+ else
+ role.permissions.add(new ResourceOperationContext(parts[0], parts[1], "*"));
+ }
+
+ roleMap.put(role.name, role);
+
+ if (obj.has("serverGroup")) {
+ role.serverGroup = obj.getString("serverGroup");
+ }
+ }
+
+ return roleMap;
+ }
+
+ public static Map<String, User> getAcl() {
+ return acl;
+ }
+
+ private Principal principal = null;
+
+ @Override
+ public void close() {
+
+ }
+
+ @Override
+ public boolean authorizeOperation(String region, OperationContext context) {
+ if (principal == null)
+ return false;
+
+ User user = acl.get(principal.getName());
+ if(user == null)
+ return false; // this user is not authorized to do anything
+
+ // check if the user has this permission defined in the context
+ for(Role role:acl.get(user.name).roles) {
+ for (OperationContext permitted : role.permissions) {
+ if (permitted.implies(context)) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
+ @Override
+ public void init(Principal principal, DistributedMember arg1, Cache arg2) throws NotAuthorizedException {
+ this.principal = principal;
+ }
+
+ @Override
+ public Principal authenticate(Properties props, DistributedMember arg1) throws AuthenticationFailedException {
+ String user = props.getProperty(ResourceConstants.USER_NAME);
+ String pwd = props.getProperty(ResourceConstants.PASSWORD);
+ User userObj = acl.get(user);
+ if (userObj == null) throw new AuthenticationFailedException("Wrong username/password");
+ LogService.getLogger().info("User=" + user + " pwd=" + pwd);
+ if (user != null && !userObj.pwd.equals(pwd) && !"".equals(user))
+ throw new AuthenticationFailedException("Wrong username/password");
+ return new JMXPrincipal(user);
+ }
+
+ @Override
+ public void init(Properties arg0, LogWriter arg1, LogWriter arg2) throws AuthenticationFailedException {
+
+ }
+
+}
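Review bot: `authenticate` writes the submitted credential to the log in clear text at INFO level, `LogService.getLogger().info("User=" + user + " pwd=" + pwd);`; even in an example class this puts passwords into log files, so the line should drop the password: `LogService.getLogger().info("User=" + user);`. The check on the next line, `if (user != null && !userObj.pwd.equals(pwd) && !"".equals(user))`, skips the password comparison altogether when the username is the empty string and such a user exists in `acl`; `if (!userObj.pwd.equals(pwd))` is sufficient, since a missing user (including a null name on a HashMap lookup) has already been rejected by the `userObj == null` check above. Separately, `readUsers` adds `roleMap.get(roleName)` without checking for an unknown role name, which leaves a null in `user.roles` and makes the `role.permissions` dereference in `authorizeOperation` throw at request time; rejecting the unknown role while parsing (for example with a `JSONException` naming it) would surface the misconfiguration when the file is loaded. The `InputStream` opened in `setUpWithJsonFile` is also never closed; a try-with-resources around the `IOUtils.copy` call would fix that.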
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/b8fc3c70/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
index 7f1d2bf..e14d1de 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
@@ -64,10 +64,7 @@ public class JSONAuthorization implements AccessControl, Authenticator {
return new JSONAuthorization();
}
- public JSONAuthorization() throws IOException, JSONException {
- // initialize with a default json file
- //setUpWithJsonFile("shiro-ini.json");
- }
+ public JSONAuthorization() throws IOException, JSONException {}
public JSONAuthorization(String jsonFileName) throws IOException, JSONException {
setUpWithJsonFile(jsonFileName);
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/b8fc3c70/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java
index 318d327..9e2e41a 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java
@@ -37,7 +37,7 @@ public class ResourceOperationContextJUnitTest {
context = new ResourceOperationContext();
assertEquals(Resource.NULL, context.getResource());
assertEquals(OperationCode.NULL, context.getOperationCode());
- assertEquals("NULL", context.getRegionName());
+ assertEquals(null, context.getRegionName());
}
@Test
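Review bot: `assertEquals(null, context.getRegionName());` reads better as `assertNull(context.getRegionName());`, which also yields a clearer failure message when the value is not null; the same applies to the three assertions changed in the following hunk. The static import of `assertNull` is not visible in the hunk, so it may need adding alongside the existing `assertEquals` import.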
@@ -51,17 +51,17 @@ public class ResourceOperationContextJUnitTest {
context = new ResourceOperationContext(null, null, null);
assertEquals(Resource.NULL, context.getResource());
assertEquals(OperationCode.NULL, context.getOperationCode());
- assertEquals("NULL", context.getRegionName());
+ assertEquals(null, context.getRegionName());
context = new ResourceOperationContext(null, null);
assertEquals(Resource.NULL, context.getResource());
assertEquals(OperationCode.NULL, context.getOperationCode());
- assertEquals("NULL", context.getRegionName());
+ assertEquals(null, context.getRegionName());
context = new ResourceOperationContext("DATA", null, null);
assertEquals(Resource.DATA, context.getResource());
assertEquals(OperationCode.NULL, context.getOperationCode());
- assertEquals("NULL", context.getRegionName());
+ assertEquals(null, context.getRegionName());
context = new ResourceOperationContext(null, "MANAGE", "REGIONA");
assertEquals(Resource.NULL, context.getResource());