You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ignite.apache.org by sb...@apache.org on 2017/05/04 13:37:40 UTC
[36/67] [abbrv] ignite git commit: IGNITE-5077 - Support service
security permissions
IGNITE-5077 - Support service security permissions
Project: http://git-wip-us.apache.org/repos/asf/ignite/repo
Commit: http://git-wip-us.apache.org/repos/asf/ignite/commit/6236b5f7
Tree: http://git-wip-us.apache.org/repos/asf/ignite/tree/6236b5f7
Diff: http://git-wip-us.apache.org/repos/asf/ignite/diff/6236b5f7
Branch: refs/heads/ignite-5075
Commit: 6236b5f7721f92acceb1b3b814d6ce0987178033
Parents: c9a11d4
Author: dkarachentsev <dk...@gridgain.com>
Authored: Fri Apr 28 11:46:23 2017 +0300
Committer: dkarachentsev <dk...@gridgain.com>
Committed: Fri Apr 28 11:46:23 2017 +0300
----------------------------------------------------------------------
.../processors/security/SecurityContext.java | 9 ++++++
.../service/GridServiceProcessor.java | 11 +++++++
.../security/SecurityBasicPermissionSet.java | 17 +++++++++++
.../plugin/security/SecurityPermission.java | 13 ++++++--
.../plugin/security/SecurityPermissionSet.java | 8 +++++
.../security/SecurityPermissionSetBuilder.java | 19 ++++++++++++
.../SecurityPermissionSetBuilderTest.java | 32 ++++++++++++++++----
.../junits/spi/GridSpiAbstractTest.java | 5 +++
8 files changed, 106 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ignite/blob/6236b5f7/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
index ef46713..bf5894e 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
@@ -48,6 +48,15 @@ public interface SecurityContext {
public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm);
/**
+ * Checks whether service operation is allowed.
+ *
+ * @param srvcName Service name.
+ * @param perm Permission to check.
+ * @return {@code True} if task operation is allowed.
+ */
+ public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm);
+
+ /**
* Checks whether system-wide permission is allowed (excluding Visor task operations).
*
* @param perm Permission to check.
http://git-wip-us.apache.org/repos/asf/ignite/blob/6236b5f7/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java
index 0c8f857..dda4328 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java
@@ -91,6 +91,7 @@ import org.apache.ignite.lang.IgniteCallable;
import org.apache.ignite.lang.IgniteFuture;
import org.apache.ignite.lang.IgniteUuid;
import org.apache.ignite.marshaller.Marshaller;
+import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.resources.IgniteInstanceResource;
import org.apache.ignite.resources.JobContextResource;
import org.apache.ignite.resources.LoggerResource;
@@ -490,6 +491,8 @@ public class GridServiceProcessor extends GridProcessorAdapter implements Ignite
validate(cfg);
+ ctx.security().authorize(cfg.getName(), SecurityPermission.SERVICE_DEPLOY, null);
+
if (!state.srvcCompatibility) {
Marshaller marsh = ctx.config().getMarshaller();
@@ -624,6 +627,8 @@ public class GridServiceProcessor extends GridProcessorAdapter implements Ignite
* @return Future.
*/
public IgniteInternalFuture<?> cancel(String name) {
+ ctx.security().authorize(name, SecurityPermission.SERVICE_CANCEL, null);
+
while (true) {
try {
GridFutureAdapter<?> fut = new GridFutureAdapter<>();
@@ -761,6 +766,8 @@ public class GridServiceProcessor extends GridProcessorAdapter implements Ignite
*/
@SuppressWarnings("unchecked")
public <T> T service(String name) {
+ ctx.security().authorize(name, SecurityPermission.SERVICE_INVOKE, null);
+
Collection<ServiceContextImpl> ctxs;
synchronized (locSvcs) {
@@ -825,6 +832,8 @@ public class GridServiceProcessor extends GridProcessorAdapter implements Ignite
@SuppressWarnings("unchecked")
public <T> T serviceProxy(ClusterGroup prj, String name, Class<? super T> svcItf, boolean sticky, long timeout)
throws IgniteException {
+ ctx.security().authorize(name, SecurityPermission.SERVICE_INVOKE, null);
+
if (hasLocalNode(prj)) {
ServiceContextImpl ctx = serviceContext(name);
@@ -864,6 +873,8 @@ public class GridServiceProcessor extends GridProcessorAdapter implements Ignite
*/
@SuppressWarnings("unchecked")
public <T> Collection<T> services(String name) {
+ ctx.security().authorize(name, SecurityPermission.SERVICE_INVOKE, null);
+
Collection<ServiceContextImpl> ctxs;
synchronized (locSvcs) {
http://git-wip-us.apache.org/repos/asf/ignite/blob/6236b5f7/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
index 5b50c56..7521dff 100644
--- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
@@ -38,6 +38,9 @@ public class SecurityBasicPermissionSet implements SecurityPermissionSet {
/** Task permissions. */
private Map<String, Collection<SecurityPermission>> taskPerms = new HashMap<>();
+ /** Service permissions. */
+ private Map<String, Collection<SecurityPermission>> srvcPerms = new HashMap<>();
+
/** System permissions. */
private Collection<SecurityPermission> sysPerms = new ArrayList<>();
@@ -63,6 +66,15 @@ public class SecurityBasicPermissionSet implements SecurityPermissionSet {
}
/**
+ * Setter for set service permission map.
+ *
+ * @param srvcPerms Service permissions.
+ */
+ public void setServicePermissions(Map<String, Collection<SecurityPermission>> srvcPerms) {
+ this.srvcPerms = srvcPerms;
+ }
+
+ /**
* Setter for set collection system permission.
*
* @param sysPerms System permissions.
@@ -91,6 +103,11 @@ public class SecurityBasicPermissionSet implements SecurityPermissionSet {
}
/** {@inheritDoc} */
+ @Override public Map<String, Collection<SecurityPermission>> servicePermissions() {
+ return srvcPerms;
+ }
+
+ /** {@inheritDoc} */
@Nullable @Override public Collection<SecurityPermission> systemPermissions() {
return sysPerms;
}
http://git-wip-us.apache.org/repos/asf/ignite/blob/6236b5f7/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
index 9f63c1e..5436161 100644
--- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
@@ -21,7 +21,7 @@ import org.jetbrains.annotations.Nullable;
/**
* Supported security permissions within grid. Permissions
- * are specified on per-cache or per-task level.
+ * are specified on per-cache, per-task or per-service level.
*/
public enum SecurityPermission {
/** Cache {@code read} permission. */
@@ -55,7 +55,16 @@ public enum SecurityPermission {
ADMIN_CACHE,
/** Visor admin operations permissions. */
- ADMIN_OPS;
+ ADMIN_OPS,
+
+ /** Service deploy permission. */
+ SERVICE_DEPLOY,
+
+ /** Service cancel permission. */
+ SERVICE_CANCEL,
+
+ /** Service invoke permission. */
+ SERVICE_INVOKE;
/** Enumerated values. */
private static final SecurityPermission[] VALS = values();
http://git-wip-us.apache.org/repos/asf/ignite/blob/6236b5f7/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java
index 2415fad..96340d8 100644
--- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java
@@ -58,6 +58,14 @@ public interface SecurityPermissionSet extends Serializable {
public Map<String, Collection<SecurityPermission>> cachePermissions();
/**
+ * Map of service names to service permissions. Wildcards are allowed at the
+ * end of service names.
+ *
+ * @return Map of service names to service permissions.
+ */
+ public Map<String, Collection<SecurityPermission>> servicePermissions();
+
+ /**
* Collection of system-wide permissions (events enable/disable, Visor task execution).
*
* @return Collection of system-wide permissions.
http://git-wip-us.apache.org/repos/asf/ignite/blob/6236b5f7/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
index 61ad77c..cf38c0f 100644
--- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
@@ -57,6 +57,9 @@ public class SecurityPermissionSetBuilder {
/** Task permissions.*/
private Map<String, Collection<SecurityPermission>> taskPerms = new HashMap<>();
+ /** Service permissions.*/
+ private Map<String, Collection<SecurityPermission>> srvcPerms = new HashMap<>();
+
/** System permissions.*/
private List<SecurityPermission> sysPerms = new ArrayList<>();
@@ -100,6 +103,21 @@ public class SecurityPermissionSetBuilder {
}
/**
+ * Append permission set form {@link org.apache.ignite.IgniteServices service} with {@code name}.
+ *
+ * @param name String for map some service to permission set.
+ * @param perms Permissions.
+ * @return SecurityPermissionSetBuilder refer to same permission builder.
+ */
+ public SecurityPermissionSetBuilder appendServicePermissions(String name, SecurityPermission... perms) {
+ validate(toCollection("SERVICE_"), perms);
+
+ append(srvcPerms, name, toCollection(perms));
+
+ return this;
+ }
+
+ /**
* Append permission set form {@link org.apache.ignite.IgniteCache cache} with {@code name}.
*
* @param name String for map some cache to permission set.
@@ -215,6 +233,7 @@ public class SecurityPermissionSetBuilder {
permSet.setDefaultAllowAll(dfltAllowAll);
permSet.setCachePermissions(unmodifiableMap(cachePerms));
permSet.setTaskPermissions(unmodifiableMap(taskPerms));
+ permSet.setServicePermissions(unmodifiableMap(srvcPerms));
permSet.setSystemPermissions(unmodifiableList(sysPerms));
return permSet;
http://git-wip-us.apache.org/repos/asf/ignite/blob/6236b5f7/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
index f63f9a7..5443cfd 100644
--- a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
+++ b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
@@ -28,6 +28,8 @@ import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest;
import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_PUT;
import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_READ;
import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_REMOVE;
+import static org.apache.ignite.plugin.security.SecurityPermission.SERVICE_DEPLOY;
+import static org.apache.ignite.plugin.security.SecurityPermission.SERVICE_INVOKE;
import static org.apache.ignite.plugin.security.SecurityPermission.TASK_CANCEL;
import static org.apache.ignite.plugin.security.SecurityPermission.TASK_EXECUTE;
import static org.apache.ignite.plugin.security.SecurityPermission.EVENTS_ENABLE;
@@ -41,6 +43,7 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
/**
*
*/
+ @SuppressWarnings({"ThrowableNotThrown", "ArraysAsListWithZeroOrOneArgument"})
public void testPermissionBuilder() {
SecurityBasicPermissionSet exp = new SecurityBasicPermissionSet();
@@ -56,13 +59,18 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
exp.setTaskPermissions(permTask);
+ Map<String, Collection<SecurityPermission>> permSrvc = new HashMap<>();
+ permSrvc.put("service1", Arrays.asList(SERVICE_DEPLOY));
+ permSrvc.put("service2", Arrays.asList(SERVICE_INVOKE));
+
+ exp.setServicePermissions(permSrvc);
+
exp.setSystemPermissions(Arrays.asList(ADMIN_VIEW, EVENTS_ENABLE));
final SecurityPermissionSetBuilder permsBuilder = new SecurityPermissionSetBuilder();
assertThrows(log, new Callable<Object>() {
- @Override
- public Object call() throws Exception {
+ @Override public Object call() throws Exception {
permsBuilder.appendCachePermissions("cache", ADMIN_VIEW);
return null;
}
@@ -71,8 +79,7 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
);
assertThrows(log, new Callable<Object>() {
- @Override
- public Object call() throws Exception {
+ @Override public Object call() throws Exception {
permsBuilder.appendTaskPermissions("task", CACHE_READ);
return null;
}
@@ -81,8 +88,7 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
);
assertThrows(log, new Callable<Object>() {
- @Override
- public Object call() throws Exception {
+ @Override public Object call() throws Exception {
permsBuilder.appendSystemPermissions(TASK_EXECUTE, CACHE_PUT);
return null;
}
@@ -90,6 +96,15 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
"you can assign permission only start with [EVENTS_, ADMIN_], but you try TASK_EXECUTE"
);
+ assertThrows(log, new Callable<Object>() {
+ @Override public Object call() throws Exception {
+ permsBuilder.appendSystemPermissions(SERVICE_INVOKE, CACHE_REMOVE);
+ return null;
+ }
+ }, IgniteException.class,
+ "you can assign permission only start with [EVENTS_, ADMIN_], but you try SERVICE_INVOKE"
+ );
+
permsBuilder.appendCachePermissions(
"cache1", CACHE_PUT, CACHE_REMOVE
).appendCachePermissions(
@@ -98,12 +113,17 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
"task1", TASK_CANCEL
).appendTaskPermissions(
"task2", TASK_EXECUTE
+ ).appendServicePermissions(
+ "service1", SERVICE_DEPLOY
+ ).appendServicePermissions(
+ "service2", SERVICE_INVOKE
).appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE);
SecurityPermissionSet actual = permsBuilder.build();
assertEquals(exp.cachePermissions(), actual.cachePermissions());
assertEquals(exp.taskPermissions(), actual.taskPermissions());
+ assertEquals(exp.servicePermissions(), actual.servicePermissions());
assertEquals(exp.systemPermissions(), actual.systemPermissions());
assertEquals(exp.defaultAllowAll(), actual.defaultAllowAll());
}
http://git-wip-us.apache.org/repos/asf/ignite/blob/6236b5f7/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java b/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java
index 091abd7..101d016 100644
--- a/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java
+++ b/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java
@@ -721,6 +721,11 @@ public abstract class GridSpiAbstractTest<T extends IgniteSpi> extends GridAbstr
}
/** {@inheritDoc} */
+ @Override public Map<String, Collection<SecurityPermission>> servicePermissions() {
+ return Collections.emptyMap();
+ }
+
+ /** {@inheritDoc} */
@Nullable @Override public Collection<SecurityPermission> systemPermissions() {
return null;
}