You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by or...@apache.org on 2015/03/10 09:03:39 UTC
svn commit: r1665410 [1/3] - in /qpid/trunk/qpid/java:
bdbstore/src/main/java/org/apache/qpid/server/virtualhostnode/berkeleydb/
bdbstore/src/test/java/org/apache/qpid/server/virtualhostnode/berkeleydb/
bdbstore/systests/src/test/java/org/apache/qpid/s...
Author: orudyy
Date: Tue Mar 10 08:03:38 2015
New Revision: 1665410
URL: http://svn.apache.org/r1665410
Log:
QPID-6436: [Java Broker] Move ACL functionality scattered over the configured objects into SecurityManager and AbstractConfiguredObjects
Modified:
qpid/trunk/qpid/java/bdbstore/src/main/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeImpl.java
qpid/trunk/qpid/java/bdbstore/src/test/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeTest.java
qpid/trunk/qpid/java/bdbstore/systests/src/test/java/org/apache/qpid/server/store/berkeleydb/replication/BDBHAVirtualHostNodeRestTest.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/binding/BindingImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/AbstractPluginAdapter.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/QueueConsumerImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ManagedUser.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/PrincipalDatabaseAuthenticationManager.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/virtualhostnode/AbstractVirtualHostNode.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/FanoutExchangeTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/HeadersExchangeTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/VirtualHostTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestKitCarImpl.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestStandardCarImpl.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/lifecycle/TestConfiguredObject.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/singleton/TestSingletonImpl.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/AbstractVirtualHostTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/VirtualHostQueueCreationTest.java
qpid/trunk/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhostnode/AbstractStandardVirtualHostNodeTest.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/RuleSetTest.java
qpid/trunk/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/UserPreferencesServlet.java
qpid/trunk/qpid/java/broker-plugins/management-jmx/src/main/java/org/apache/qpid/server/jmx/mbeans/VirtualHostManagerMBean.java
qpid/trunk/qpid/java/broker-plugins/management-jmx/src/test/java/org/apache/qpid/server/jmx/mbeans/VirtualHostManagerMBeanTest.java
Modified: qpid/trunk/qpid/java/bdbstore/src/main/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/bdbstore/src/main/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeImpl.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/bdbstore/src/main/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeImpl.java (original)
+++ qpid/trunk/qpid/java/bdbstore/src/main/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeImpl.java Tue Mar 10 08:03:38 2015
@@ -21,10 +21,8 @@
package org.apache.qpid.server.virtualhostnode.berkeleydb;
-import java.security.AccessControlException;
import java.util.Map;
import java.util.Set;
-import java.util.concurrent.atomic.AtomicReference;
import com.sleepycat.je.rep.MasterStateException;
@@ -43,7 +41,6 @@ import org.apache.qpid.server.model.Stat
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.model.SystemConfig;
import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.store.berkeleydb.replication.ReplicatedEnvironmentFacade;
public class BDBHARemoteReplicationNodeImpl extends AbstractConfiguredObject<BDBHARemoteReplicationNodeImpl> implements BDBHARemoteReplicationNode<BDBHARemoteReplicationNodeImpl>
@@ -121,27 +118,6 @@ public class BDBHARemoteReplicationNodeI
super.deleted();
}
-
- @Override
- protected void authoriseSetAttributes(final ConfiguredObject<?> proxyForValidation,
- final Set<String> modifiedAttributes)
- {
- _broker.getSecurityManager().authoriseVirtualHostNode(getName(), Operation.UPDATE);
- }
-
- @Override
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
- {
- if(desiredState == State.DELETED)
- {
- _broker.getSecurityManager().authoriseVirtualHostNode(getName(), Operation.DELETE);
- }
- else
- {
- _broker.getSecurityManager().authoriseVirtualHostNode(getName(), Operation.UPDATE);
- }
- }
-
@Override
public String toString()
{
Modified: qpid/trunk/qpid/java/bdbstore/src/test/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/bdbstore/src/test/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeTest.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/bdbstore/src/test/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeTest.java (original)
+++ qpid/trunk/qpid/java/bdbstore/src/test/java/org/apache/qpid/server/virtualhostnode/berkeleydb/BDBHARemoteReplicationNodeTest.java Tue Mar 10 08:03:38 2015
@@ -36,7 +36,6 @@ import org.apache.qpid.server.model.Conf
import org.apache.qpid.server.model.VirtualHost;
import org.apache.qpid.server.model.VirtualHostNode;
import org.apache.qpid.server.security.SecurityManager;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.store.DurableConfigurationStore;
import org.apache.qpid.server.store.berkeleydb.replication.ReplicatedEnvironmentFacade;
import org.apache.qpid.server.util.BrokerTestHelper;
@@ -106,9 +105,7 @@ public class BDBHARemoteReplicationNodeT
String remoteReplicationName = getName();
BDBHARemoteReplicationNode remoteReplicationNode = createRemoteReplicationNode(remoteReplicationName);
- doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseVirtualHostNode(
- remoteReplicationName,
- Operation.UPDATE);
+ doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseUpdate(remoteReplicationNode);
assertNull(remoteReplicationNode.getDescription());
@@ -130,9 +127,7 @@ public class BDBHARemoteReplicationNodeT
String remoteReplicationName = getName();
BDBHARemoteReplicationNode remoteReplicationNode = createRemoteReplicationNode(remoteReplicationName);
- doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseVirtualHostNode(
- remoteReplicationName,
- Operation.DELETE);
+ doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseDelete(remoteReplicationNode);
assertNull(remoteReplicationNode.getDescription());
Modified: qpid/trunk/qpid/java/bdbstore/systests/src/test/java/org/apache/qpid/server/store/berkeleydb/replication/BDBHAVirtualHostNodeRestTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/bdbstore/systests/src/test/java/org/apache/qpid/server/store/berkeleydb/replication/BDBHAVirtualHostNodeRestTest.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/bdbstore/systests/src/test/java/org/apache/qpid/server/store/berkeleydb/replication/BDBHAVirtualHostNodeRestTest.java (original)
+++ qpid/trunk/qpid/java/bdbstore/systests/src/test/java/org/apache/qpid/server/store/berkeleydb/replication/BDBHAVirtualHostNodeRestTest.java Tue Mar 10 08:03:38 2015
@@ -398,9 +398,9 @@ public class BDBHAVirtualHostNodeRestTes
assertNotNull("Node " + name + " has unexpected lastKnownReplicationId", lastKnownTransactionId);
assertTrue("Node " + name + " has unexpected lastKnownReplicationId " + lastKnownTransactionId, lastKnownTransactionId > 0);
- Long joinTime = (Long) nodeData.get(BDBHAVirtualHostNode.JOIN_TIME);
+ Number joinTime = (Number) nodeData.get(BDBHAVirtualHostNode.JOIN_TIME);
assertNotNull("Node " + name + " has unexpected joinTime", joinTime);
- assertTrue("Node " + name + " has unexpected joinTime " + joinTime, joinTime > 0);
+ assertTrue("Node " + name + " has unexpected joinTime " + joinTime, joinTime.longValue() > 0);
}
private void assertActualAndDesiredStates(final String restUrl,
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/binding/BindingImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/binding/BindingImpl.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/binding/BindingImpl.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/binding/BindingImpl.java Tue Mar 10 08:03:38 2015
@@ -45,6 +45,7 @@ import org.apache.qpid.server.model.Queu
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.queue.AMQQueue;
+import org.apache.qpid.server.security.SecurityManager;
import org.apache.qpid.server.util.StateChangeListener;
public class BindingImpl
@@ -249,7 +250,7 @@ public class BindingImpl
@Override
public void validateOnCreate()
{
- _queue.getVirtualHost().getSecurityManager().authoriseCreateBinding(this);
+ authoriseCreate(this);
AMQQueue queue = getAMQQueue();
Map<String, Object> arguments = getArguments();
@@ -266,4 +267,10 @@ public class BindingImpl
}
}
+ @Override
+ protected SecurityManager getSecurityManager()
+ {
+ return _queue.getVirtualHost().getSecurityManager();
+ }
+
}
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java Tue Mar 10 08:03:38 2015
@@ -20,7 +20,6 @@
*/
package org.apache.qpid.server.exchange;
-import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -136,12 +135,6 @@ public abstract class AbstractExchange<T
}
@Override
- public void validateOnCreate()
- {
- _virtualHost.getSecurityManager().authoriseCreateExchange(this);
- }
-
- @Override
public void onValidate()
{
super.onValidate();
@@ -190,8 +183,6 @@ public abstract class AbstractExchange<T
@Override
public void deleteWithChecks()
{
- _virtualHost.getSecurityManager().authoriseDelete(this);
-
if(hasReferrers())
{
throw new ExchangeIsAlternateException(getName());
@@ -634,7 +625,7 @@ public abstract class AbstractExchange<T
}
// Check access
- _virtualHost.getSecurityManager().authoriseUnbind(binding);
+ authoriseDelete(binding);
BindingImpl b = _bindingsMap.remove(new BindingIdentifier(bindingKey,queue));
@@ -755,7 +746,7 @@ public abstract class AbstractExchange<T
preSetAlternateExchange();
setState(State.DELETED);
}
- catch (ExchangeIsAlternateException | RequiredExchangeException e)
+ catch (ExchangeIsAlternateException e)
{
return;
}
@@ -869,10 +860,4 @@ public abstract class AbstractExchange<T
return binding;
}
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
- {
- _virtualHost.getSecurityManager().authoriseUpdate(this);
- }
-
}
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/AbstractConfiguredObject.java Tue Mar 10 08:03:38 2015
@@ -1036,8 +1036,6 @@ public abstract class AbstractConfigured
}
else
{
- authoriseSetDesiredState(desiredState);
-
setAttributes(Collections.<String, Object>singletonMap(DESIRED_STATE,
desiredState));
@@ -1544,12 +1542,6 @@ public abstract class AbstractConfigured
});
}
- protected void authoriseSetAttributes(final ConfiguredObject<?> proxyForValidation,
- final Set<String> modifiedAttributes)
- {
-
- }
-
protected void changeAttributes(final Map<String, Object> attributes)
{
validateChange(createProxyForValidation(attributes), attributes.keySet());
@@ -1608,17 +1600,61 @@ public abstract class AbstractConfigured
{
return (ConfiguredObject<?>) Proxy.newProxyInstance(getClass().getClassLoader(),
new Class<?>[]{_bestFitInterface},
- new AttributeGettingHandler(attributes));
+ new AttributeGettingHandler(attributes, _attributeTypes, this));
+ }
+
+ private ConfiguredObject<?> createProxyForAuthorisation(final Class<? extends ConfiguredObject> category,
+ final Map<String, Object> attributes,
+ final ConfiguredObject<?> parent,
+ final ConfiguredObject<?>... otherParents)
+ {
+ return (ConfiguredObject<?>) Proxy.newProxyInstance(getClass().getClassLoader(),
+ new Class<?>[]{category},
+ new AuthorisationProxyInvocationHandler(attributes,
+ getModel().getTypeRegistry().getAttributeTypes(category),
+ category, parent, otherParents));
}
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
+ protected final <C extends ConfiguredObject<?>> void authoriseCreateChild(Class<C> childClass, Map<String, Object> attributes, ConfiguredObject... otherParents) throws AccessControlException
{
- // allowed by default
+ ConfiguredObject<?> configuredObject = createProxyForAuthorisation(childClass, attributes, this, otherParents);
+ getSecurityManager().authoriseCreate(configuredObject);
}
- protected <C extends ConfiguredObject> void authoriseCreateChild(Class<C> childClass, Map<String, Object> attributes, ConfiguredObject... otherParents) throws AccessControlException
+ protected final void authoriseCreate(ConfiguredObject<?> object) throws AccessControlException
{
- // allowed by default
+ getSecurityManager().authoriseCreate(object);
+ }
+
+ protected final void authoriseSetAttributes(final ConfiguredObject<?> proxyForValidation,
+ final Set<String> modifiedAttributes)
+ {
+ if (modifiedAttributes.contains(DESIRED_STATE) && State.DELETED.equals(proxyForValidation.getDesiredState()))
+ {
+ authoriseDelete(this);
+ if (modifiedAttributes.size() == 1)
+ {
+ // nothing left to authorize
+ return;
+ }
+ }
+ getSecurityManager().authoriseUpdate(this);
+ }
+
+ protected final void authoriseDelete(ConfiguredObject<?> object)
+ {
+ getSecurityManager().authoriseDelete(object);
+ }
+
+ protected SecurityManager getSecurityManager()
+ {
+ Broker broker = getModel().getAncestor(Broker.class, getCategoryClass(), this);
+ if (broker != null )
+ {
+ return broker.getSecurityManager();
+ }
+ LOGGER.warn("Broker parent is not found for " + getName() + " of type " + getClass());
+ return null;
}
@Override
@@ -1903,15 +1939,23 @@ public abstract class AbstractConfigured
}
- private class AttributeGettingHandler implements InvocationHandler
+ private static class AttributeGettingHandler implements InvocationHandler
{
- private Map<String,Object> _attributes;
+ private final Map<String,Object> _attributes;
+ private final Map<String, ConfiguredObjectAttribute<?,?>> _attributeTypes;
+ private final ConfiguredObject<?> _configuredObject;
- AttributeGettingHandler(final Map<String, Object> modifiedAttributes)
+ AttributeGettingHandler(final Map<String, Object> modifiedAttributes, Map<String, ConfiguredObjectAttribute<?,?>> attributeTypes, ConfiguredObject<?> configuredObject)
{
- Map<String,Object> combinedAttributes = new HashMap<String, Object>(getActualAttributes());
+ Map<String,Object> combinedAttributes = new HashMap<>();
+ if (configuredObject != null)
+ {
+ combinedAttributes.putAll(configuredObject.getActualAttributes());
+ }
combinedAttributes.putAll(modifiedAttributes);
_attributes = combinedAttributes;
+ _attributeTypes = attributeTypes;
+ _configuredObject = configuredObject;
}
@Override
@@ -1940,16 +1984,26 @@ public abstract class AbstractConfigured
protected Object getValue(final ConfiguredObjectAttribute attribute)
{
+ Object value;
if(attribute.isAutomated())
{
- ConfiguredAutomatedAttribute autoAttr = (ConfiguredAutomatedAttribute)attribute;
- Object value = _attributes.get(attribute.getName());
- return attribute.convert(value == null && !"".equals(autoAttr.defaultValue()) ? autoAttr.defaultValue() : value , AbstractConfiguredObject.this);
+ ConfiguredAutomatedAttribute autoAttr = (ConfiguredAutomatedAttribute) attribute;
+ value = _attributes.get(attribute.getName());
+ if (value == null && !"".equals(autoAttr.defaultValue()))
+ {
+ value = autoAttr.defaultValue();
+ }
}
else
{
- return _attributes.get(attribute.getName());
+ value = _attributes.get(attribute.getName());
}
+ return convert(attribute, value);
+ }
+
+ protected Object convert(ConfiguredObjectAttribute attribute, Object value)
+ {
+ return attribute.convert(value, _configuredObject);
}
private ConfiguredObjectAttribute getAttributeFromMethod(final Method method)
@@ -1966,6 +2020,54 @@ public abstract class AbstractConfigured
}
}
+ private static class AuthorisationProxyInvocationHandler extends AttributeGettingHandler
+ {
+ private final Class<? extends ConfiguredObject> _category;
+ private final Map<Class<? extends ConfiguredObject>, ConfiguredObject<?>> _parents;
+ private final ConfiguredObject<?> _parent ;
+
+ AuthorisationProxyInvocationHandler(Map<String, Object> attributes,
+ Map<String, ConfiguredObjectAttribute<?, ?>> attributeTypes,
+ Class<? extends ConfiguredObject> categoryClass,
+ ConfiguredObject<?> parent,
+ ConfiguredObject<?>... parents)
+ {
+ super(attributes, attributeTypes, null);
+ _parent = parent;
+ _category = categoryClass;
+ _parents = new HashMap<>();
+ if (parents != null)
+ {
+ for (ConfiguredObject<?> parentObject : parents)
+ {
+ _parents.put(parentObject.getCategoryClass(), parentObject);
+ }
+ }
+ _parents.put(parent.getCategoryClass(), parent);
+ }
+
+ @Override
+ public Object invoke(final Object proxy, final Method method, final Object[] args) throws Throwable
+ {
+ if(method.getName().equals("getParent") && args != null && args.length == 1 && args[0] instanceof Class)
+ {
+ Class<ConfiguredObject> parentClass = (Class<ConfiguredObject> )args[0];
+ return _parents.get(parentClass);
+ }
+ else if(method.getName().equals("getCategoryClass"))
+ {
+ return _category;
+ }
+ return super.invoke(proxy, method, args);
+ }
+
+ @Override
+ protected Object convert(ConfiguredObjectAttribute attribute, Object value)
+ {
+ return attribute.convert(value, _parent);
+ }
+ }
+
protected final static class DuplicateIdException extends IllegalArgumentException
{
public DuplicateIdException(final ConfiguredObject<?> child)
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/AbstractPluginAdapter.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/AbstractPluginAdapter.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/AbstractPluginAdapter.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/AbstractPluginAdapter.java Tue Mar 10 08:03:38 2015
@@ -20,7 +20,6 @@
*/
package org.apache.qpid.server.model.adapter;
-import java.security.AccessControlException;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
@@ -30,8 +29,6 @@ import org.apache.qpid.server.model.Abst
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.Plugin;
-import org.apache.qpid.server.model.State;
-import org.apache.qpid.server.security.access.Operation;
public abstract class AbstractPluginAdapter<X extends Plugin<X>> extends AbstractConfiguredObject<X> implements Plugin<X>
{
@@ -70,27 +67,6 @@ public abstract class AbstractPluginAdap
return Collections.emptyList();
}
- @Override
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
- {
- if(desiredState == State.DELETED)
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), Plugin.class, Operation.DELETE))
- {
- throw new AccessControlException("Deletion of plugin is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), Plugin.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting of plugin attributes is denied");
- }
- }
-
protected Broker<?> getBroker()
{
return _broker;
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java Tue Mar 10 08:03:38 2015
@@ -51,7 +51,6 @@ import org.apache.qpid.server.plugin.Con
import org.apache.qpid.server.plugin.PluggableFactoryLoader;
import org.apache.qpid.server.security.SecurityManager;
import org.apache.qpid.server.security.SubjectCreator;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.auth.manager.SimpleAuthenticationManager;
import org.apache.qpid.server.stats.StatisticsCounter;
import org.apache.qpid.server.stats.StatisticsGatherer;
@@ -878,35 +877,6 @@ public class BrokerAdapter extends Abstr
}
@Override
- protected <C extends ConfiguredObject> void authoriseCreateChild(Class<C> childClass, Map<String, Object> attributes,
- ConfiguredObject... otherParents) throws AccessControlException
- {
- if (childClass == VirtualHostNode.class)
- {
- _securityManager.authoriseVirtualHostNode(String.valueOf(attributes.get(NAME)), Operation.CREATE);
-
- }
- else
- {
- if (!_securityManager.authoriseConfiguringBroker(String.valueOf(attributes.get(NAME)),
- childClass,
- Operation.CREATE))
- {
- throw new AccessControlException("Creation of new broker level entity is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
- {
- if (!_securityManager.authoriseConfiguringBroker(getName(), Broker.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting of broker attributes is denied");
- }
- }
-
- @Override
public boolean isManagementMode()
{
return _parent.isManagementMode();
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileBasedGroupProviderImpl.java Tue Mar 10 08:03:38 2015
@@ -21,7 +21,6 @@ package org.apache.qpid.server.model.ada
import java.io.File;
import java.io.IOException;
-import java.security.AccessControlException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
@@ -47,7 +46,6 @@ import org.apache.qpid.server.model.Mana
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.security.SecurityManager;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.group.FileGroupDatabase;
import org.apache.qpid.server.security.group.GroupPrincipal;
@@ -215,8 +213,6 @@ public class FileBasedGroupProviderImpl
{
String groupName = (String) attributes.get(Group.NAME);
- getSecurityManager().authoriseGroupOperation(Operation.CREATE, groupName);
-
if (getState() != State.ACTIVE)
{
throw new IllegalConfigurationException(String.format("Group provider '%s' is not activated. Cannot create a group.", getName()));
@@ -258,8 +254,8 @@ public class FileBasedGroupProviderImpl
}
}
-
- private SecurityManager getSecurityManager()
+ @Override
+ protected SecurityManager getSecurityManager()
{
return _broker.getSecurityManager();
}
@@ -337,27 +333,6 @@ public class FileBasedGroupProviderImpl
// no-op, as per above, groups are not in the store
}
- @Override
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
- {
- if(desiredState == State.DELETED)
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), GroupProvider.class, Operation.DELETE))
- {
- throw new AccessControlException("Deletion of groups provider is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), GroupProvider.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting of group provider attributes is denied");
- }
- }
-
private class GroupAdapter extends AbstractConfiguredObject<GroupAdapter> implements Group<GroupAdapter>
{
private GroupPrincipal _groupPrincipal;
@@ -440,8 +415,6 @@ public class FileBasedGroupProviderImpl
{
String memberName = (String) attributes.get(GroupMember.NAME);
- getSecurityManager().authoriseGroupOperation(Operation.UPDATE, getName());
-
_groupDatabase.addUserToGroup(memberName, getName());
UUID id = UUID.randomUUID();
Map<String,Object> attrMap = new HashMap<String, Object>();
@@ -461,7 +434,6 @@ public class FileBasedGroupProviderImpl
@StateTransition( currentState = State.ACTIVE, desiredState = State.DELETED )
private void doDelete()
{
- getSecurityManager().authoriseGroupOperation(Operation.DELETE, getName());
_groupDatabase.removeGroup(getName());
deleted();
setState(State.DELETED);
@@ -530,8 +502,6 @@ public class FileBasedGroupProviderImpl
@StateTransition(currentState = State.ACTIVE, desiredState = State.DELETED)
private void doDelete()
{
- getSecurityManager().authoriseGroupOperation(Operation.UPDATE, GroupAdapter.this.getName());
-
_groupDatabase.removeUserFromGroup(getName(), GroupAdapter.this.getName());
deleted();
setState(State.DELETED);
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/adapter/FileSystemPreferencesProviderImpl.java Tue Mar 10 08:03:38 2015
@@ -211,6 +211,7 @@ public class FileSystemPreferencesProvid
@Override
public Map<String, Object> getPreferences(String userId)
{
+ getSecurityManager().authoriseUserUpdate(userId);
return _store == null? Collections.<String, Object>emptyMap() : _store.getPreferences(userId);
}
@@ -233,6 +234,10 @@ public class FileSystemPreferencesProvid
throw new IllegalStateException("Cannot delete preferences with preferences provider " + getName() + " in state " + getState() );
}
+ for (String userId: userIDs)
+ {
+ getSecurityManager().authoriseUserUpdate(userId);
+ }
return _store.deletePreferences(userIDs);
}
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/model/port/AbstractPort.java Tue Mar 10 08:03:38 2015
@@ -21,7 +21,6 @@
package org.apache.qpid.server.model.port;
-import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
@@ -43,7 +42,6 @@ import org.apache.qpid.server.model.Stat
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.security.access.Operation;
abstract public class AbstractPort<X extends AbstractPort<X>> extends AbstractConfiguredObject<X> implements Port<X>
{
@@ -261,28 +259,6 @@ abstract public class AbstractPort<X ext
return State.ACTIVE;
}
-
- @Override
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
- {
- if(desiredState == State.DELETED)
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), Port.class, Operation.DELETE))
- {
- throw new AccessControlException("Deletion of port is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), Port.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting of port attributes is denied");
- }
- }
-
@Override
public Collection<String> getEnabledCipherSuites()
{
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java Tue Mar 10 08:03:38 2015
@@ -268,12 +268,6 @@ public abstract class AbstractQueue<X ex
}
@Override
- protected void validateOnCreate()
- {
- _virtualHost.getSecurityManager().authoriseCreateQueue(this);
- }
-
- @Override
protected void onCreate()
{
super.onCreate();
@@ -3006,12 +3000,6 @@ public abstract class AbstractQueue<X ex
}
}
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
- {
- _virtualHost.getSecurityManager().authoriseUpdate(this);
- }
-
int getMaxAsyncDeliveries()
{
return _maxAsyncDeliveries;
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/QueueConsumerImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/QueueConsumerImpl.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/QueueConsumerImpl.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/queue/QueueConsumerImpl.java Tue Mar 10 08:03:38 2015
@@ -51,6 +51,7 @@ import org.apache.qpid.server.model.Mana
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.protocol.AMQSessionModel;
import org.apache.qpid.server.protocol.MessageConverterRegistry;
+import org.apache.qpid.server.security.SecurityManager;
import org.apache.qpid.server.util.StateChangeListener;
class QueueConsumerImpl
@@ -126,7 +127,7 @@ class QueueConsumerImpl
_queue = queue;
// Access control
- _queue.getVirtualHost().getSecurityManager().authoriseCreateConsumer(this);
+ authoriseCreate(this);
open();
@@ -145,6 +146,12 @@ class QueueConsumerImpl
_target.addStateListener(_listener);
}
+ @Override
+ protected SecurityManager getSecurityManager()
+ {
+ return _queue.getVirtualHost().getSecurityManager();
+ }
+
private static Map<String, Object> createAttributeMap(String name, FilterManager filters, EnumSet<Option> optionSet)
{
Map<String,Object> attributes = new HashMap<String, Object>();
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileKeyStoreImpl.java Tue Mar 10 08:03:38 2015
@@ -24,7 +24,6 @@ import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
-import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
@@ -50,7 +49,6 @@ import org.apache.qpid.server.model.Mana
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
import org.apache.qpid.transport.network.security.ssl.QpidClientX509KeyManager;
@@ -122,27 +120,6 @@ public class FileKeyStoreImpl extends Ab
}
@Override
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
- {
- if(desiredState == State.DELETED)
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), KeyStore.class, Operation.DELETE))
- {
- throw new AccessControlException("Deletion of key store is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), KeyStore.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting key store attributes is denied");
- }
- }
-
- @Override
protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
{
super.validateChange(proxyForValidation, changedAttributes);
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/FileTrustStoreImpl.java Tue Mar 10 08:03:38 2015
@@ -24,7 +24,6 @@ import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
-import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
@@ -50,7 +49,6 @@ import org.apache.qpid.server.model.Port
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
@@ -148,27 +146,6 @@ public class FileTrustStoreImpl extends
}
@Override
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
- {
- if(desiredState == State.DELETED)
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), TrustStore.class, Operation.DELETE))
- {
- throw new AccessControlException("Deletion of key store is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), TrustStore.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting key store attributes is denied");
- }
- }
-
- @Override
protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
{
super.validateChange(proxyForValidation, changedAttributes);
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaKeyStoreImpl.java Tue Mar 10 08:03:38 2015
@@ -32,7 +32,6 @@ import java.net.URL;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
-import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
@@ -64,14 +63,12 @@ import org.apache.qpid.server.model.Abst
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.IntegrityViolationException;
-import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
@ManagedObject( category = false )
@@ -211,28 +208,6 @@ public class NonJavaKeyStoreImpl extends
}
@Override
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
- {
- if (desiredState == State.DELETED)
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), KeyStore.class, Operation.DELETE))
- {
- throw new AccessControlException("Deletion of key store is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes)
- throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), KeyStore.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting key store attributes is denied");
- }
- }
-
- @Override
protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
{
super.validateChange(proxyForValidation, changedAttributes);
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/NonJavaTrustStoreImpl.java Tue Mar 10 08:03:38 2015
@@ -25,7 +25,6 @@ import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
-import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
@@ -53,7 +52,6 @@ import org.apache.qpid.server.model.Auth
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.IntegrityViolationException;
-import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
@@ -61,7 +59,6 @@ import org.apache.qpid.server.model.Port
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
@@ -224,28 +221,6 @@ public class NonJavaTrustStoreImpl
}
@Override
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
- {
- if (desiredState == State.DELETED)
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), KeyStore.class, Operation.DELETE))
- {
- throw new AccessControlException("Deletion of key store is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes)
- throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), KeyStore.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting key store attributes is denied");
- }
- }
-
- @Override
protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
{
super.validateChange(proxyForValidation, changedAttributes);
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java Tue Mar 10 08:03:38 2015
@@ -20,13 +20,12 @@ package org.apache.qpid.server.security;
import static org.apache.qpid.server.security.access.ObjectType.BROKER;
import static org.apache.qpid.server.security.access.ObjectType.EXCHANGE;
-import static org.apache.qpid.server.security.access.ObjectType.GROUP;
import static org.apache.qpid.server.security.access.ObjectType.METHOD;
import static org.apache.qpid.server.security.access.ObjectType.QUEUE;
import static org.apache.qpid.server.security.access.ObjectType.USER;
-import static org.apache.qpid.server.security.access.ObjectType.VIRTUALHOST;
-import static org.apache.qpid.server.security.access.ObjectType.VIRTUALHOSTNODE;
-import static org.apache.qpid.server.security.access.Operation.*;
+import static org.apache.qpid.server.security.access.Operation.ACCESS_LOGS;
+import static org.apache.qpid.server.security.access.Operation.PUBLISH;
+import static org.apache.qpid.server.security.access.Operation.PURGE;
import java.security.AccessControlException;
import java.security.AccessController;
@@ -39,15 +38,35 @@ import java.util.concurrent.ConcurrentMa
import javax.security.auth.Subject;
-import org.apache.qpid.server.binding.BindingImpl;
-import org.apache.qpid.server.consumer.ConsumerImpl;
-import org.apache.qpid.server.exchange.ExchangeImpl;
+import org.apache.log4j.Logger;
import org.apache.qpid.server.model.AccessControlProvider;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.Binding;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.Connection;
+import org.apache.qpid.server.model.Consumer;
+import org.apache.qpid.server.model.Exchange;
+import org.apache.qpid.server.model.ExclusivityPolicy;
+import org.apache.qpid.server.model.Group;
+import org.apache.qpid.server.model.GroupMember;
+import org.apache.qpid.server.model.GroupProvider;
+import org.apache.qpid.server.model.KeyStore;
+import org.apache.qpid.server.model.LifetimePolicy;
+import org.apache.qpid.server.model.Model;
+import org.apache.qpid.server.model.Plugin;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.Queue;
+import org.apache.qpid.server.model.RemoteReplicationNode;
+import org.apache.qpid.server.model.Session;
import org.apache.qpid.server.model.State;
+import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.model.User;
+import org.apache.qpid.server.model.VirtualHost;
+import org.apache.qpid.server.model.VirtualHostAlias;
+import org.apache.qpid.server.model.VirtualHostNode;
import org.apache.qpid.server.protocol.AMQConnectionModel;
-import org.apache.qpid.server.queue.AMQQueue;
+import org.apache.qpid.server.queue.QueueConsumer;
import org.apache.qpid.server.security.access.ObjectProperties;
import org.apache.qpid.server.security.access.ObjectProperties.Property;
import org.apache.qpid.server.security.access.ObjectType;
@@ -58,20 +77,22 @@ import org.apache.qpid.server.security.a
public class SecurityManager
{
+ private static final Logger LOGGER = Logger.getLogger(SecurityManager.class);
+
private static final Subject SYSTEM = new Subject(true,
Collections.singleton(new SystemPrincipal()),
Collections.emptySet(),
Collections.emptySet());
private final boolean _managementMode;
- private final Broker<?> _broker;
+ private final ConfiguredObject<?> _aclProvidersParent;
- private final ConcurrentMap<PublishAccessCheckCacheEntry, PublishAccessCheck> _publishAccessCheckCache = new ConcurrentHashMap<PublishAccessCheckCacheEntry, SecurityManager.PublishAccessCheck>();
+ private final ConcurrentMap<PublishAccessCheckCacheEntry, PublishAccessCheck> _publishAccessCheckCache = new ConcurrentHashMap<>();
- public SecurityManager(Broker<?> broker, boolean managementMode)
+ public SecurityManager(ConfiguredObject<?> aclProvidersParent, boolean managementMode)
{
_managementMode = managementMode;
- _broker = broker;
+ _aclProvidersParent = aclProvidersParent;
}
public static Subject getSubjectWithAddedSystemRights()
@@ -99,11 +120,6 @@ public class SecurityManager
return subject;
}
- private String getPluginTypeName(AccessControl accessControl)
- {
- return accessControl.getClass().getName();
- }
-
public static boolean isSystemProcess()
{
Subject subject = Subject.getSubject(AccessController.getContext());
@@ -161,7 +177,7 @@ public class SecurityManager
}
- Collection<AccessControlProvider<?>> accessControlProviders = _broker.getAccessControlProviders();
+ Collection<AccessControlProvider> accessControlProviders = _aclProvidersParent.getChildren(AccessControlProvider.class);
if(accessControlProviders != null && !accessControlProviders.isEmpty())
{
AccessControlProvider<?> accessControlProvider = accessControlProviders.iterator().next();
@@ -184,22 +200,6 @@ public class SecurityManager
return true;
}
- public void authoriseCreateBinding(final BindingImpl binding)
- {
- boolean allowed = checkAllPlugins(new AccessCheck()
- {
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(BIND, EXCHANGE, new ObjectProperties(binding));
- }
- });
-
- if(!allowed)
- {
- throw new AccessControlException("Permission denied: binding " + binding.getBindingKey());
- }
- }
-
public void authoriseMethod(final Operation operation, final String componentName, final String methodName, final String virtualHostName)
{
boolean allowed = checkAllPlugins(new AccessCheck()
@@ -239,176 +239,300 @@ public class SecurityManager
}
}
- public void authoriseVirtualHostNode(final String virtualHostNodeName, final Operation operation)
+ public void authoriseCreateConnection(final AMQConnectionModel connection)
{
- if(!checkAllPlugins(new AccessCheck()
- {
- Result allowed(AccessControl plugin)
- {
- ObjectProperties properties = new ObjectProperties(virtualHostNodeName);
- return plugin.authorise(operation, VIRTUALHOSTNODE, properties);
- }
- }))
+ String virtualHostName = connection.getVirtualHostName();
+ ObjectProperties properties = new ObjectProperties(virtualHostName);
+ properties.put(Property.VIRTUALHOST_NAME, virtualHostName);
+ if (!checkAllPlugins(ObjectType.VIRTUALHOST, properties, Operation.ACCESS))
{
- throw new AccessControlException(operation + " permission denied for " + VIRTUALHOSTNODE
- + " : " + virtualHostNodeName);
+ throw new AccessControlException("Permission denied: " + virtualHostName);
}
}
- public void authoriseVirtualHost(final String virtualHostName, final Operation operation)
+ public void authoriseCreate(ConfiguredObject<?> object)
{
- if(!checkAllPlugins(new AccessCheck()
- {
- Result allowed(AccessControl plugin)
- {
- // We put the name into the properties under both name and virtualhost_name so the user may express predicates using either.
- ObjectProperties properties = new ObjectProperties(virtualHostName);
- properties.put(Property.VIRTUALHOST_NAME, virtualHostName);
- return plugin.authorise(operation, VIRTUALHOST, properties);
- }
- }))
- {
- throw new AccessControlException(operation + " permission denied for " + VIRTUALHOST
- + " : " + virtualHostName);
- }
+ authorise(Operation.CREATE, object);
}
- public void authoriseCreateConnection(final AMQConnectionModel connection)
+ public void authoriseUpdate(ConfiguredObject<?> configuredObject)
{
- String virtualHostName = connection.getVirtualHostName();
- try
- {
- authoriseVirtualHost(virtualHostName, Operation.ACCESS);
- }
- catch (AccessControlException ace)
- {
- throw new AccessControlException("Permission denied: " + virtualHostName);
- }
+ authorise(Operation.UPDATE, configuredObject);
}
- public void authoriseCreateConsumer(final ConsumerImpl consumer)
+ public void authoriseDelete(ConfiguredObject<?> configuredObject)
{
- // TODO - remove cast to AMQQueue and allow testing of consumption from any MessageSource
- final AMQQueue queue = (AMQQueue) consumer.getMessageSource();
+ authorise(Operation.DELETE, configuredObject);
+ }
- if(!checkAllPlugins(new AccessCheck()
- {
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(CONSUME, QUEUE, new ObjectProperties(queue));
- }
- }))
+ public void authorise(Operation operation, ConfiguredObject<?> configuredObject)
+ {
+ // If we are running as SYSTEM then no ACL checking
+ if(isSystemProcess() || _managementMode)
{
- throw new AccessControlException("Permission denied: consume from queue '" + queue.getName() + "'.");
+ return;
}
- }
- public void authoriseCreateExchange(final ExchangeImpl exchange)
- {
- final String exchangeName = exchange.getName();
- if(!checkAllPlugins(new AccessCheck()
+ if (Operation.CREATE == operation && configuredObject instanceof RemoteReplicationNode)
{
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(CREATE, EXCHANGE, new ObjectProperties(exchange));
- }
- }))
+ // creation of remote replication node is out of control for user of this broker
+ return;
+ }
+
+ Class<? extends ConfiguredObject> categoryClass = configuredObject.getCategoryClass();
+ ObjectType objectType = getACLObjectTypeManagingConfiguredObjectOfCategory(categoryClass);
+ if (objectType == null)
{
- throw new AccessControlException("Permission denied: exchange-name '" + exchangeName + "'");
+ LOGGER.warn("Cannot determine object type for " + configuredObject.getName() + " of category "
+ + categoryClass + ". Skipping ACL check...");
+ return;
}
- }
- public void authoriseCreateQueue(final AMQQueue queue)
- {
- final String queueName = queue.getName();
- if(! checkAllPlugins(new AccessCheck()
+ ObjectProperties properties = getACLObjectProperties(configuredObject, operation);
+ Operation authoriseOperation = validateAuthoriseOperation(operation, categoryClass);
+ if(!checkAllPlugins(objectType, properties, authoriseOperation))
{
- Result allowed(AccessControl plugin)
+ String objectName = (String)configuredObject.getAttribute(ConfiguredObject.NAME);
+ StringBuilder exceptionMessage = new StringBuilder(String.format("Permission %s %s is denied for : %s %s '%s'",
+ authoriseOperation.name(), objectType.name(), operation.name(), categoryClass.getSimpleName(), objectName ));
+ Model model = getModel();
+
+ Collection<Class<? extends ConfiguredObject>> parentClasses = model.getParentTypes(categoryClass);
+ if (parentClasses != null)
{
- return plugin.authorise(CREATE, QUEUE, new ObjectProperties(queue));
+ exceptionMessage.append(" on");
+ for (Class<? extends ConfiguredObject> parentClass: parentClasses)
+ {
+ String objectCategory = parentClass.getSimpleName();
+ ConfiguredObject<?> parent = configuredObject.getParent(parentClass);
+ exceptionMessage.append(" ").append(objectCategory);
+ if (parent != null)
+ {
+ exceptionMessage.append(" '").append(parent.getAttribute(ConfiguredObject.NAME)).append("'");
+ }
+ }
}
- }))
- {
- throw new AccessControlException("Permission denied: queue-name '" + queueName + "'");
+ throw new AccessControlException(exceptionMessage.toString());
}
}
+ private Model getModel()
+ {
+ return _aclProvidersParent.getModel();
+ }
- public void authoriseDelete(final AMQQueue queue)
+ private boolean checkAllPlugins(final ObjectType objectType, final ObjectProperties properties, final Operation authoriseOperation)
{
- if(!checkAllPlugins(new AccessCheck()
+ return checkAllPlugins(new AccessCheck()
{
Result allowed(AccessControl plugin)
{
- return plugin.authorise(DELETE, QUEUE, new ObjectProperties(queue));
+ return plugin.authorise(authoriseOperation, objectType, properties);
}
- }))
- {
- throw new AccessControlException("Permission denied, delete queue: " + queue.getName());
- }
+ });
}
-
- public void authoriseUpdate(final AMQQueue queue)
+ private Operation validateAuthoriseOperation(Operation operation, Class<? extends ConfiguredObject> category)
{
- if(!checkAllPlugins(new AccessCheck()
+ if (operation == Operation.CREATE || operation == Operation.UPDATE)
{
- Result allowed(AccessControl plugin)
+ if (Binding.class.isAssignableFrom(category))
{
- return plugin.authorise(UPDATE, QUEUE, new ObjectProperties(queue));
+ // CREATE BINDING is transformed into BIND EXCHANGE rule
+ return Operation.BIND;
}
- }))
+ else if (Consumer.class.isAssignableFrom(category))
+ {
+ // CREATE CONSUMER is transformed into CONSUME QUEUE rule
+ return Operation.CONSUME;
+ }
+ else if (GroupMember.class.isAssignableFrom(category))
+ {
+ // CREATE GROUP MEMBER is transformed into UPDATE GROUP rule
+ return Operation.UPDATE;
+ }
+ else if (isBrokerOrBrokerChild(category))
+ {
+ // CREATE/UPDATE broker child is transformed into CONFIGURE BROKER rule
+ return Operation.CONFIGURE;
+ }
+ }
+ else if (operation == Operation.DELETE)
{
- throw new AccessControlException("Permission denied: update queue: " + queue.getName());
+ if (Binding.class.isAssignableFrom(category))
+ {
+ // DELETE BINDING is transformed into UNBIND EXCHANGE rule
+ return Operation.UNBIND;
+ }
+ else if (isBrokerOrBrokerChild(category))
+ {
+ // DELETE broker child is transformed into CONFIGURE BROKER rule
+ return Operation.CONFIGURE;
+ }
+ else if (GroupMember.class.isAssignableFrom(category))
+ {
+ // DELETE GROUP MEMBER is transformed into UPDATE GROUP rule
+ return Operation.UPDATE;
+ }
}
+ return operation;
}
+ private boolean isBrokerOrBrokerChild(Class<? extends ConfiguredObject> category)
+ {
+ return Broker.class.isAssignableFrom(category)
+ || Port.class.isAssignableFrom(category)
+ || AuthenticationProvider.class.isAssignableFrom(category)
+ || AccessControlProvider.class.isAssignableFrom(category)
+ || GroupProvider.class.isAssignableFrom(category)
+ || KeyStore.class.isAssignableFrom(category)
+ || TrustStore.class.isAssignableFrom(category)
+ || Plugin.class.isAssignableFrom(category);
+ }
- public void authoriseUpdate(final ExchangeImpl exchange)
+ private ObjectProperties getACLObjectProperties(ConfiguredObject<?> configuredObject, Operation configuredObjectOperation)
{
- if(!checkAllPlugins(new AccessCheck()
+ String objectName = (String)configuredObject.getAttribute(ConfiguredObject.NAME);
+ Class<? extends ConfiguredObject> configuredObjectType = configuredObject.getCategoryClass();
+ ObjectProperties properties = new ObjectProperties(objectName);
+ if (configuredObject instanceof Binding)
{
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(UPDATE, EXCHANGE, new ObjectProperties(exchange));
- }
- }))
+ Exchange<?> exchange = (Exchange<?>)configuredObject.getParent(Exchange.class);
+ Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class);
+ properties.setName((String)exchange.getAttribute(Exchange.NAME));
+ properties.put(Property.QUEUE_NAME, (String)queue.getAttribute(Queue.NAME));
+ properties.put(Property.ROUTING_KEY, (String)configuredObject.getAttribute(Binding.NAME));
+ properties.put(Property.VIRTUALHOST_NAME, (String)queue.getParent(VirtualHost.class).getAttribute(VirtualHost.NAME));
+
+ // The temporary attribute (inherited from the binding's queue) seems to exist to allow the user to
+ // express rules about the binding of temporary queues (whose names cannot be predicted).
+ properties.put(Property.TEMPORARY, queue.getAttribute(Queue.LIFETIME_POLICY) != LifetimePolicy.PERMANENT);
+ properties.put(Property.DURABLE, (Boolean)queue.getAttribute(Queue.DURABLE));
+ }
+ else if (configuredObject instanceof Queue)
+ {
+ setQueueProperties(configuredObject, properties);
+ }
+ else if (configuredObject instanceof Exchange)
{
- throw new AccessControlException("Permission denied: update exchange: " + exchange.getName());
+ Object lifeTimePolicy = configuredObject.getAttribute(ConfiguredObject.LIFETIME_POLICY);
+ properties.put(Property.AUTO_DELETE, lifeTimePolicy != LifetimePolicy.PERMANENT);
+ properties.put(Property.TEMPORARY, lifeTimePolicy != LifetimePolicy.PERMANENT);
+ properties.put(Property.DURABLE, (Boolean) configuredObject.getAttribute(ConfiguredObject.DURABLE));
+ properties.put(Property.TYPE, (String) configuredObject.getAttribute(Exchange.TYPE));
+ VirtualHost virtualHost = configuredObject.getParent(VirtualHost.class);
+ properties.put(Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
}
+ else if (configuredObject instanceof QueueConsumer)
+ {
+ Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class);
+ setQueueProperties(queue, properties);
+ }
+ else if (isBrokerOrBrokerChild(configuredObjectType))
+ {
+ String description = String.format("%s %s '%s'",
+ configuredObjectOperation == null? null : configuredObjectOperation.name().toLowerCase(),
+ configuredObjectType == null ? null : configuredObjectType.getSimpleName().toLowerCase(),
+ objectName);
+ properties = new OperationLoggingDetails(description);
+ }
+ return properties;
}
- public void authoriseDelete(final ExchangeImpl exchange)
+ private void setQueueProperties(ConfiguredObject<?> queue, ObjectProperties properties)
{
- if(! checkAllPlugins(new AccessCheck()
+ properties.setName((String)queue.getAttribute(Exchange.NAME));
+ Object lifeTimePolicy = queue.getAttribute(ConfiguredObject.LIFETIME_POLICY);
+ properties.put(Property.AUTO_DELETE, lifeTimePolicy!= LifetimePolicy.PERMANENT);
+ properties.put(Property.TEMPORARY, lifeTimePolicy != LifetimePolicy.PERMANENT);
+ properties.put(Property.DURABLE, (Boolean)queue.getAttribute(ConfiguredObject.DURABLE));
+ properties.put(Property.EXCLUSIVE, queue.getAttribute(Queue.EXCLUSIVE) != ExclusivityPolicy.NONE);
+ Object alternateExchange = queue.getAttribute(Queue.ALTERNATE_EXCHANGE);
+ if (alternateExchange != null)
{
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(DELETE, EXCHANGE, new ObjectProperties(exchange));
- }
- }))
+ String name = alternateExchange instanceof ConfiguredObject ?
+ (String)((ConfiguredObject)alternateExchange).getAttribute(ConfiguredObject.NAME) :
+ String.valueOf(alternateExchange);
+ properties.put(Property.ALTERNATE,name);
+ }
+ String owner = (String)queue.getAttribute(Queue.OWNER);
+ if (owner != null)
{
- throw new AccessControlException("Permission denied, delete exchange: '" + exchange.getName() + "'");
+ properties.put(Property.OWNER, owner);
}
+ VirtualHost virtualHost = queue.getParent(VirtualHost.class);
+ properties.put(Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
}
- public void authoriseGroupOperation(final Operation operation, final String groupName)
+ private ObjectType getACLObjectTypeManagingConfiguredObjectOfCategory(Class<? extends ConfiguredObject> category)
{
- if(!checkAllPlugins(new AccessCheck()
+ if (Binding.class.isAssignableFrom(category))
{
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(operation, GROUP, new ObjectProperties(groupName));
- }
- }))
+ return ObjectType.EXCHANGE;
+ }
+ else if (VirtualHostNode.class.isAssignableFrom(category))
{
- throw new AccessControlException("Do not have permission" +
- " to perform the " + operation + " on the group " + groupName);
+ return ObjectType.VIRTUALHOSTNODE;
+ }
+ else if (isBrokerOrBrokerChild(category))
+ {
+ return ObjectType.BROKER;
+ }
+ else if (Group.class.isAssignableFrom(category))
+ {
+ return ObjectType.GROUP;
}
+ else if (GroupMember.class.isAssignableFrom(category))
+ {
+ // UPDATE GROUP
+ return ObjectType.GROUP;
+ }
+ else if (User.class.isAssignableFrom(category))
+ {
+ return ObjectType.USER;
+ }
+ else if (VirtualHost.class.isAssignableFrom(category))
+ {
+ return ObjectType.VIRTUALHOST;
+ }
+ else if (VirtualHostAlias.class.isAssignableFrom(category))
+ {
+ return ObjectType.VIRTUALHOST;
+ }
+ else if (Queue.class.isAssignableFrom(category))
+ {
+ return ObjectType.QUEUE;
+ }
+ else if (Exchange.class.isAssignableFrom(category))
+ {
+ return ObjectType.EXCHANGE;
+ }
+ else if (Connection.class.isAssignableFrom(category))
+ {
+ // ACCESS VIRTUALHOST
+ return ObjectType.VIRTUALHOST;
+ }
+ else if (Session.class.isAssignableFrom(category))
+ {
+ // PUBLISH EXCHANGE
+ return ObjectType.EXCHANGE;
+ }
+ else if (Consumer.class.isAssignableFrom(category))
+ {
+ // CONSUME QUEUE
+ return ObjectType.QUEUE;
+ }
+ else if (RemoteReplicationNode.class.isAssignableFrom(category))
+ {
+ // VHN permissions apply to remote nodes
+ return ObjectType.VIRTUALHOSTNODE;
+ }
+ return null;
}
- public void authoriseUserOperation(final Operation operation, final String userName)
+ public void authoriseUserUpdate(final String userName)
{
+ final Operation operation = Operation.UPDATE;
if(! checkAllPlugins(new AccessCheck()
{
Result allowed(AccessControl plugin)
@@ -437,13 +561,15 @@ public class SecurityManager
}
}
- public void authorisePurge(final AMQQueue queue)
+ public void authorisePurge(final Queue queue)
{
+ final ObjectProperties properties = new ObjectProperties();
+ setQueueProperties(queue, properties);
if(!checkAllPlugins(new AccessCheck()
{
Result allowed(AccessControl plugin)
{
- return plugin.authorise(PURGE, QUEUE, new ObjectProperties(queue));
+ return plugin.authorise(PURGE, QUEUE, properties);
}
}))
{
@@ -451,21 +577,6 @@ public class SecurityManager
}
}
- public void authoriseUnbind(final BindingImpl binding)
- {
- if(! checkAllPlugins(new AccessCheck()
- {
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(UNBIND, EXCHANGE, new ObjectProperties(binding));
- }
- }))
- {
- throw new AccessControlException("Permission denied: unbinding " + binding.getBindingKey());
- }
- }
-
-
private class PublishAccessCheck extends AccessCheck
{
private final ObjectProperties _props;
@@ -481,22 +592,6 @@ public class SecurityManager
}
}
- public boolean authoriseConfiguringBroker(String configuredObjectName, Class<? extends ConfiguredObject> configuredObjectType, Operation configuredObjectOperation)
- {
- String description = String.format("%s %s '%s'",
- configuredObjectOperation == null? null : configuredObjectOperation.name().toLowerCase(),
- configuredObjectType == null ? null : configuredObjectType.getSimpleName().toLowerCase(),
- configuredObjectName);
- final OperationLoggingDetails properties = new OperationLoggingDetails(description);
- return checkAllPlugins(new AccessCheck()
- {
- Result allowed(AccessControl plugin)
- {
- return plugin.authorise(CONFIGURE, BROKER, properties);
- }
- });
- }
-
public boolean authoriseLogsAccess()
{
return checkAllPlugins(new AccessCheck()
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java Tue Mar 10 08:03:38 2015
@@ -26,11 +26,6 @@ import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.builder.EqualsBuilder;
-import org.apache.qpid.server.binding.BindingImpl;
-import org.apache.qpid.server.exchange.ExchangeImpl;
-import org.apache.qpid.server.model.LifetimePolicy;
-import org.apache.qpid.server.model.VirtualHost;
-import org.apache.qpid.server.queue.AMQQueue;
/**
* An set of properties for an access control v2 rule {@link ObjectType}.
@@ -139,42 +134,6 @@ public class ObjectProperties
setName(name);
}
- public ObjectProperties(AMQQueue queue)
- {
- setName(queue.getName());
-
- put(Property.AUTO_DELETE, queue.getLifetimePolicy() != LifetimePolicy.PERMANENT);
- put(Property.TEMPORARY, queue.getLifetimePolicy() != LifetimePolicy.PERMANENT);
- put(Property.DURABLE, queue.isDurable());
- put(Property.EXCLUSIVE, queue.isExclusive());
- if (queue.getAlternateExchange() != null)
- {
- put(Property.ALTERNATE, queue.getAlternateExchange().getName());
- }
- if (queue.getOwner() != null)
- {
- put(Property.OWNER, queue.getOwner());
- }
- put(Property.VIRTUALHOST_NAME, queue.getParent(VirtualHost.class).getName());
- }
-
- public ObjectProperties(BindingImpl binding)
- {
- ExchangeImpl<?> exch = binding.getExchange();
- AMQQueue<?> queue = binding.getAMQQueue();
- String routingKey = binding.getBindingKey();
-
- setName(exch.getName());
-
- put(Property.QUEUE_NAME, queue.getName());
- put(Property.ROUTING_KEY, routingKey);
- put(Property.VIRTUALHOST_NAME, queue.getParent(VirtualHost.class).getName());
-
- // The temporary attribute (inherited from the binding's queue) seems to exist to allow the user to
- // express rules about the binding of temporary queues (whose names cannot be predicted).
- put(Property.TEMPORARY, queue.getLifetimePolicy() != LifetimePolicy.PERMANENT);
- put(Property.DURABLE, queue.isDurable());
- }
public ObjectProperties(String virtualHostName, String exchangeName, String routingKey, Boolean immediate)
{
@@ -187,29 +146,6 @@ public class ObjectProperties
put(Property.VIRTUALHOST_NAME, virtualHostName);
}
- public ObjectProperties(ExchangeImpl<?> exchange)
- {
- super();
-
- setName(exchange.getName());
-
- put(Property.AUTO_DELETE, exchange.isAutoDelete());
- put(Property.TEMPORARY, exchange.getLifetimePolicy() != LifetimePolicy.PERMANENT);
- put(Property.DURABLE, exchange.isDurable());
- put(Property.TYPE, exchange.getType());
- put(Property.VIRTUALHOST_NAME, exchange.getParent(VirtualHost.class).getName());
- }
-
- public ObjectProperties(Boolean exclusive, Boolean noAck, Boolean noLocal, Boolean nowait, AMQQueue queue)
- {
- this(queue);
-
- put(Property.NO_LOCAL, noLocal);
- put(Property.NO_ACK, noAck);
- put(Property.EXCLUSIVE, exclusive);
- put(Property.NO_WAIT, nowait);
- }
-
public Boolean isSet(Property key)
{
return _properties.containsKey(key) && Boolean.valueOf(_properties.get(key));
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AbstractAuthenticationManager.java Tue Mar 10 08:03:38 2015
@@ -20,7 +20,6 @@
*/
package org.apache.qpid.server.security.auth.manager;
-import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
@@ -45,7 +44,6 @@ import org.apache.qpid.server.model.User
import org.apache.qpid.server.model.VirtualHostAlias;
import org.apache.qpid.server.model.port.AbstractPortWithAuthProvider;
import org.apache.qpid.server.security.SubjectCreator;
-import org.apache.qpid.server.security.access.Operation;
public abstract class AbstractAuthenticationManager<T extends AbstractAuthenticationManager<T>>
extends AbstractConfiguredObject<T>
@@ -152,28 +150,6 @@ public abstract class AbstractAuthentica
throw new IllegalArgumentException("Cannot create child of class " + childClass.getSimpleName());
}
-
- @Override
- protected void authoriseSetDesiredState(State desiredState) throws AccessControlException
- {
- if(desiredState == State.DELETED)
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AuthenticationProvider.class, Operation.DELETE))
- {
- throw new AccessControlException("Deletion of authentication provider is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AuthenticationProvider.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting of authentication provider attributes is denied");
- }
- }
-
@StateTransition( currentState = State.UNINITIALIZED, desiredState = State.QUIESCED )
protected void startQuiesced()
{
Modified: qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java?rev=1665410&r1=1665409&r2=1665410&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java (original)
+++ qpid/trunk/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/ConfigModelPasswordManagingAuthenticationProvider.java Tue Mar 10 08:03:38 2015
@@ -70,27 +70,21 @@ public abstract class ConfigModelPasswor
@Override
public Boolean execute()
{
- getSecurityManager().authoriseUserOperation(Operation.CREATE, username);
- if (_users.containsKey(username))
- {
- throw new IllegalArgumentException("User '" + username + "' already exists");
- }
Map<String, Object> userAttrs = new HashMap<>();
userAttrs.put(User.ID, UUID.randomUUID());
userAttrs.put(User.NAME, username);
- userAttrs.put(User.PASSWORD, createStoredPassword(password));
+ userAttrs.put(User.PASSWORD, password);
userAttrs.put(User.TYPE, ManagedUser.MANAGED_USER_TYPE);
- ManagedUser user = new ManagedUser(userAttrs, ConfigModelPasswordManagingAuthenticationProvider.this);
- user.create();
-
- return true;
+ User user = createChild(User.class, userAttrs);
+ return user != null;
}
});
}
- SecurityManager getSecurityManager()
+ @Override
+ protected SecurityManager getSecurityManager()
{
return getBroker().getSecurityManager();
}
@@ -208,20 +202,15 @@ public abstract class ConfigModelPasswor
{
if(childClass == User.class)
{
- String username = (String) attributes.get("name");
- String password = (String) attributes.get("password");
-
- if(createUser(username, password,null))
+ String username = (String) attributes.get(User.NAME);
+ if (_users.containsKey(username))
{
- @SuppressWarnings("unchecked")
- C user = (C) getUser(username);
- return user;
- }
- else
- {
- return null;
-
+ throw new IllegalArgumentException("User '" + username + "' already exists");
}
+ attributes.put(User.PASSWORD, createStoredPassword((String) attributes.get(User.PASSWORD)));
+ ManagedUser user = new ManagedUser(attributes, ConfigModelPasswordManagingAuthenticationProvider.this);
+ user.create();
+ return (C)getUser(username);
}
return super.addChild(childClass, attributes, otherParents);
}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org