Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/02/26 11:59:17 UTC
svn commit: r1450128 - in /jackrabbit/oak/trunk: oak-core/
oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/
oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/
oak-jcr/src/main/java/org/apache/jackrabbit/o...
Author: angela
Date: Tue Feb 26 10:59:17 2013
New Revision: 1450128
URL: http://svn.apache.org/r1450128
Log:
OAK-51 : Access Control Management (WIP)
Modified:
jackrabbit/oak/trunk/oak-core/pom.xml
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java
jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
Modified: jackrabbit/oak/trunk/oak-core/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/pom.xml?rev=1450128&r1=1450127&r2=1450128&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-core/pom.xml Tue Feb 26 10:59:17 2013
@@ -66,6 +66,7 @@
org.apache.jackrabbit.oak.spi.state,
org.apache.jackrabbit.oak.spi.security,
org.apache.jackrabbit.oak.spi.security.authentication,
+ org.apache.jackrabbit.oak.spi.security.authorization,
org.apache.jackrabbit.oak.spi.security.principal,
org.apache.jackrabbit.oak.spi.security.privilege,
org.apache.jackrabbit.oak.spi.security.user,
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java?rev=1450128&r1=1450127&r2=1450128&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java Tue Feb 26 10:59:17 2013
@@ -98,8 +98,7 @@ public class AccessControlConfigurationI
//-----------------------------------------< AccessControlConfiguration >---
@Override
public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper) {
- // TODO OAK-51
- throw new UnsupportedOperationException("not yet implemented");
+ return new AccessControlManagerImpl(root, namePathMapper, securityProvider);
}
@Nonnull
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java?rev=1450128&r1=1450127&r2=1450128&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java Tue Feb 26 10:59:17 2013
@@ -33,6 +33,7 @@ import org.apache.jackrabbit.oak.api.Roo
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.user.util.UserUtility;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -157,6 +158,10 @@ public class AccessControlAction extends
if (securityProvider == null) {
throw new IllegalStateException("Not initialized");
}
+ if (isSystemUser(authorizable)) {
+ log.debug("System user: " + authorizable.getID() + "; omit ac setup");
+ return;
+ }
String path = authorizable.getPath();
AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, namePathMapper);
JackrabbitAccessControlList acl = null;
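Review bot: The new `log.debug("System user: " + authorizable.getID() + "; omit ac setup")` builds its message by concatenation, so the string is assembled even when debug logging is disabled. The file already uses SLF4J, so the parameterized form `log.debug("System user: {}; omit ac setup", authorizable.getID());` fits better. This early return skips access control setup for an account, and the debug line is the only record of that decision, so it is worth keeping it cheap and consistently formatted. The enclosing method starts and ends outside this hunk.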
@@ -191,6 +196,15 @@ public class AccessControlAction extends
}
}
+ private boolean isSystemUser(Authorizable authorizable) throws RepositoryException {
+ if (authorizable.isGroup()) {
+ return false;
+ }
+ ConfigurationParameters userConfig = securityProvider.getUserConfiguration().getConfigurationParameters();
+ String userId = authorizable.getID();
+ return UserUtility.getAdminId(userConfig).equals(userId) || UserUtility.getAnonymousId(userConfig).equals(userId);
+ }
+
/**
* Retrieve privileges for the specified privilege names.
*
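Review bot: `isSystemUser` is added without Javadoc, although its result decides whether an authorizable gets any access control content set up. I would add a short Javadoc stating that groups are never treated as system users, and that a user counts as one only when its id equals the admin or anonymous id from the user configuration, compared with an exact `String.equals`. The method dereferences `securityProvider` without a null check of its own; the visible caller covers this with its `Not initialized` guard before the call, and the comment should name that precondition.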
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java?rev=1450128&r1=1450127&r2=1450128&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionDelegate.java Tue Feb 26 10:59:17 2013
@@ -31,17 +31,17 @@ import javax.jcr.Workspace;
import javax.jcr.lock.LockManager;
import javax.jcr.nodetype.NodeTypeManager;
import javax.jcr.observation.ObservationManager;
+import javax.jcr.security.AccessControlManager;
import javax.jcr.version.VersionManager;
-import com.google.common.collect.Maps;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.AuthInfo;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
-import org.apache.jackrabbit.oak.api.QueryEngine;
import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.QueryEngine;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.TreeLocation;
import org.apache.jackrabbit.oak.commons.PathUtils;
@@ -54,11 +54,13 @@ import org.apache.jackrabbit.oak.plugins
import org.apache.jackrabbit.oak.plugins.nodetype.DefinitionProvider;
import org.apache.jackrabbit.oak.plugins.nodetype.EffectiveNodeTypeProvider;
import org.apache.jackrabbit.oak.plugins.observation.ObservationManagerImpl;
-import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.google.common.collect.Maps;
+
import static com.google.common.base.Preconditions.checkNotNull;
public class SessionDelegate {
@@ -82,19 +84,19 @@ public class SessionDelegate {
private PrincipalManager principalManager;
private UserManager userManager;
private PrivilegeManager privilegeManager;
+ private AccessControlManager accessControlManager;
private boolean isAlive = true;
private int sessionOpCount;
private int revision;
- SessionDelegate(
- Repository repository, ScheduledExecutorService executor,
- ContentSession contentSession, SecurityProvider securityProvider,
- boolean autoRefresh) {
+ SessionDelegate(@Nonnull Repository repository, @Nonnull ScheduledExecutorService executor,
+ @Nonnull ContentSession contentSession, @Nonnull SecurityProvider securityProvider,
+ boolean autoRefresh) {
this.repository = checkNotNull(repository);
this.executor = executor;
this.contentSession = checkNotNull(contentSession);
- this.securityProvider = securityProvider;
+ this.securityProvider = checkNotNull(securityProvider);
this.autoRefresh = autoRefresh;
this.root = contentSession.getLatestRoot();
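Review bot: `executor` is now annotated `@Nonnull` but is still assigned unchecked in `this.executor = executor;`, while `repository`, `contentSession` and `securityProvider` all go through `checkNotNull`. Either `this.executor = checkNotNull(executor);` or dropping the annotation on that parameter would make the constructor consistent. As written, a null executor would only surface at first use instead of at construction. The constructor body continues outside this hunk.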
@@ -489,14 +491,17 @@ public class SessionDelegate {
return root.getLocation(path);
}
+ @CheckForNull
+ AccessControlManager getAccessControlManager() throws RepositoryException {
+ if (accessControlManager == null) {
+ accessControlManager = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, getNamePathMapper());
+ }
+ return accessControlManager;
+ }
@Nonnull
PrincipalManager getPrincipalManager() throws RepositoryException {
if (principalManager == null) {
- if (securityProvider != null) {
- principalManager = securityProvider.getPrincipalConfiguration().getPrincipalManager(root, getNamePathMapper());
- } else {
- throw new UnsupportedRepositoryOperationException("Principal management not supported.");
- }
+ principalManager = securityProvider.getPrincipalConfiguration().getPrincipalManager(root, getNamePathMapper());
}
return principalManager;
}
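Review bot: `getAccessControlManager()` is annotated `@CheckForNull`, but `SessionImpl.getAccessControlManager()` in the last hunk of this commit is `@Nonnull` and returns `dlg.getAccessControlManager()` without a check. The lazy initialisation here stores whatever `getAccessControlManager(root, getNamePathMapper())` returns, and the implementation changed in this same commit returns a new `AccessControlManagerImpl`, so `@Nonnull` looks like the intended contract and would match the sibling getters. The import changes shown for this file do not add `javax.annotation.CheckForNull`, so it should be confirmed that the import is already present.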
@@ -504,11 +509,7 @@ public class SessionDelegate {
@Nonnull
UserManager getUserManager() throws UnsupportedRepositoryOperationException {
if (userManager == null) {
- if (securityProvider != null) {
- userManager = securityProvider.getUserConfiguration().getUserManager(root, getNamePathMapper());
- } else {
- throw new UnsupportedRepositoryOperationException("User management not supported.");
- }
+ userManager = securityProvider.getUserConfiguration().getUserManager(root, getNamePathMapper());
}
return userManager;
}
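Review bot: With the `securityProvider != null` branch removed, nothing visible in `getUserManager()` throws `UnsupportedRepositoryOperationException`, yet the signature still declares it; the same applies to `getPrivilegeManager()` in the next hunk. If the configuration getters do not declare it either, the `throws` clause is stale and tells callers to handle a case that can no longer occur. I would drop it if callers allow, or add a one-line comment saying why it is kept.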
@@ -516,11 +517,7 @@ public class SessionDelegate {
@Nonnull
PrivilegeManager getPrivilegeManager() throws UnsupportedRepositoryOperationException {
if (privilegeManager == null) {
- if (securityProvider != null) {
- privilegeManager = securityProvider.getPrivilegeConfiguration().getPrivilegeManager(root, getNamePathMapper());
- } else {
- throw new UnsupportedRepositoryOperationException("Privilege management not supported.");
- }
+ privilegeManager = securityProvider.getPrivilegeConfiguration().getPrivilegeManager(root, getNamePathMapper());
}
return privilegeManager;
}
Modified: jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java?rev=1450128&r1=1450127&r2=1450128&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionImpl.java Tue Feb 26 10:59:17 2013
@@ -21,7 +21,6 @@ import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
-
import javax.annotation.Nonnull;
import javax.jcr.AccessDeniedException;
import javax.jcr.Credentials;
@@ -40,15 +39,11 @@ import javax.jcr.Workspace;
import javax.jcr.retention.RetentionManager;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
-import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlPolicyIterator;
-import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.AbstractSession;
-import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
import org.apache.jackrabbit.oak.api.TreeLocation;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.jcr.xml.XmlImportHandler;
@@ -384,55 +379,8 @@ public class SessionImpl extends Abstrac
@Override
@Nonnull
- public AccessControlManager getAccessControlManager()
- throws RepositoryException {
- return TODO.unimplemented().returnValue(new AccessControlManager() {
- @Override
- public void setPolicy(String absPath, AccessControlPolicy policy) throws AccessControlException {
- throw new AccessControlException(policy.toString());
- }
-
- @Override
- public void removePolicy(String absPath, AccessControlPolicy policy) throws AccessControlException {
- throw new AccessControlException(policy.toString());
- }
-
- @Override
- public Privilege privilegeFromName(String privilegeName)
- throws AccessControlException, RepositoryException {
- return dlg.getPrivilegeManager().getPrivilege(privilegeName);
- }
-
- @Override
- public boolean hasPrivileges(String absPath, Privilege[] privileges) {
- return true;
- }
-
- @Override
- public Privilege[] getSupportedPrivileges(String absPath) {
- return new Privilege[0];
- }
-
- @Override
- public Privilege[] getPrivileges(String absPath) {
- return new Privilege[0];
- }
-
- @Override
- public AccessControlPolicy[] getPolicies(String absPath) {
- return new AccessControlPolicy[0];
- }
-
- @Override
- public AccessControlPolicy[] getEffectivePolicies(String absPath) {
- return new AccessControlPolicy[0];
- }
-
- @Override
- public AccessControlPolicyIterator getApplicablePolicies(String absPath) {
- return AccessControlPolicyIteratorAdapter.EMPTY;
- }
- });
+ public AccessControlManager getAccessControlManager() throws RepositoryException {
+ return dlg.getAccessControlManager();
}
/**