Posted to commits@geode.apache.org by je...@apache.org on 2016/03/01 23:24:34 UTC
[5/5] incubator-geode git commit: GEODE-17: Initial integration work
GEODE-17: Initial integration work
- Fix failing tests
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/406a80f8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/406a80f8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/406a80f8
Branch: refs/heads/feature/GEODE-17-2
Commit: 406a80f8060fe10ed8144ce9e0ff6ca6860dc33f
Parents: 19a8f0a
Author: Jens Deppe <jd...@pivotal.io>
Authored: Tue Mar 1 14:24:04 2016 -0800
Committer: Jens Deppe <jd...@pivotal.io>
Committed: Tue Mar 1 14:24:04 2016 -0800
----------------------------------------------------------------------
.../internal/security/AccessControl.java | 57 ----
.../internal/security/AccessControlMBean.java | 59 ++++
.../internal/security/JSONAuthorization.java | 308 -------------------
.../security/ManagementInterceptor.java | 88 +++---
.../security/ResourceOperationContext.java | 2 +-
.../controllers/AbstractCommandsController.java | 46 +--
.../DiskStoreCommandsController.java | 1 -
.../EnvironmentVariablesHandlerInterceptor.java | 44 +--
.../cli/commands/CliCommandTestBase.java | 4 +-
.../cli/shell/GfshHistoryJUnitTest.java | 3 -
...horizeOperationForMBeansIntegrationTest.java | 12 +-
...erationForRegionCommandsIntegrationTest.java | 20 +-
.../internal/security/JSONAuthorization.java | 307 ++++++++++++++++++
...tionCodesForDistributedSystemMXBeanTest.java | 10 +-
.../ReadOpFileAccessControllerJUnitTest.java | 19 +-
.../management/internal/security/auth3.json | 55 ++--
16 files changed, 498 insertions(+), 537 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControl.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControl.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControl.java
deleted file mode 100644
index f20ea22..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControl.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal.security;
-
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.Set;
-
-import javax.management.remote.JMXPrincipal;
-import javax.security.auth.Subject;
-
-/**
- * AccessControlMBean Implementation. This retrieves JMXPrincipal from AccessController
- * and performs authorization for given role using gemfire AccessControl Plugin
- *
- * @author tushark
- * @since 9.0
- */
-public class AccessControl implements AccessControlMXBean {
-
- private ManagementInterceptor interceptor;
-
- public AccessControl(ManagementInterceptor interceptor) {
- this.interceptor = interceptor;
- }
-
- @Override
- public boolean authorize(String role) {
- AccessControlContext acc = AccessController.getContext();
- Subject subject = Subject.getSubject(acc);
- Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
- if (principals == null || principals.isEmpty()) {
- throw new SecurityException("Access denied");
- }
- Principal principal = principals.iterator().next();
- com.gemstone.gemfire.security.AccessControl gemAccControl = interceptor.getAccessControl(principal, false);
- boolean authorized = gemAccControl.authorizeOperation(null,
- new com.gemstone.gemfire.management.internal.security.AccessControlContext(role));
- return authorized;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
new file mode 100644
index 0000000..a525416
--- /dev/null
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.security.AccessControl;
+
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Principal;
+import java.util.Set;
+
+import javax.management.remote.JMXPrincipal;
+import javax.security.auth.Subject;
+
+/**
+ * AccessControlMBean Implementation. This retrieves JMXPrincipal from AccessController
+ * and performs authorization for given role using gemfire AccessControl Plugin
+ *
+ * @author tushark
+ * @since 9.0
+ */
+public class AccessControlMBean implements AccessControlMXBean {
+
+ private ManagementInterceptor interceptor;
+
+ public AccessControlMBean(ManagementInterceptor interceptor) {
+ this.interceptor = interceptor;
+ }
+
+ @Override
+ public boolean authorize(String role) {
+ AccessControlContext acc = AccessController.getContext();
+ Subject subject = Subject.getSubject(acc);
+ Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
+ if (principals == null || principals.isEmpty()) {
+ throw new SecurityException("Access denied");
+ }
+ Principal principal = principals.iterator().next();
+ AccessControl gemAccControl = interceptor.getAccessControl(principal, false);
+ boolean authorized = gemAccControl.authorizeOperation(null,
+ new com.gemstone.gemfire.management.internal.security.AccessControlContext(role));
+ return authorized;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
deleted file mode 100644
index 004117f..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
+++ /dev/null
@@ -1,308 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal.security;
-
-import java.io.File;
-import java.io.FileReader;
-import java.io.IOException;
-import java.security.Principal;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-
-import javax.management.remote.JMXPrincipal;
-
-import org.json.JSONArray;
-import org.json.JSONException;
-import org.json.JSONObject;
-
-import com.gemstone.gemfire.GemFireConfigException;
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.cache.operations.OperationContext;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.internal.logging.LogService;
-import com.gemstone.gemfire.management.internal.security.ResourceOperationContext.ResourceOperationCode;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.Authenticator;
-import com.gemstone.gemfire.security.NotAuthorizedException;
-
-public class JSONAuthorization implements AccessControl, Authenticator {
-
- public static class Role{
- String[] permissions;
- String name;
- String regionName;
- String serverGroup;
- }
-
- public static class User{
- String name;
- Role[] roles;
- String pwd;
- }
-
- private static Map<String,User> acl = null;
-
- public static JSONAuthorization create() throws IOException, JSONException {
- if(acl==null){
- readSecurityDescriptor(readDefault());
- }
- return new JSONAuthorization();
- }
-
- public JSONAuthorization() {
- if (acl == null) {
- try {
- readSecurityDescriptor(readDefault());
- } catch (IOException e) {
- throw new GemFireConfigException("Error creating JSONAuth", e);
- } catch (JSONException e) {
- throw new GemFireConfigException("Error creating JSONAuth", e);
- }
- }
- }
-
- public static Set<ResourceOperationCode> getAuthorizedOps(User user, ResourceOperationContext context) {
- Set<ResourceOperationCode> codeList = new HashSet<ResourceOperationCode>();
- for(Role role : user.roles) {
- for (String perm : role.permissions) {
- ResourceOperationCode code = ResourceOperationCode.parse(perm);
- if (role.regionName == null && role.serverGroup == null) {
- addPermissions(code, codeList);
- } else if (role.regionName != null) {
- LogService.getLogger().info("This role requires region=" + role.regionName);
- if (context instanceof CLIOperationContext) {
- CLIOperationContext cliContext = (CLIOperationContext) context;
- String region = cliContext.getCommandOptions().get("region");
- if (region != null && region.equals(role.regionName)) {
- addPermissions(code, codeList);
- } else {
- LogService.getLogger().info("Not adding permission " + code + " since region=" + region + " does not match");
- }
- }
- }
- // Same to be implemented for ServerGroup
- }
- }
- LogService.getLogger().info("Final set of permisions " + codeList);
- return codeList;
- }
-
- private static void addPermissions(ResourceOperationCode code, Set<ResourceOperationCode> codeList) {
- if(code!=null) {
- if(code.getChildren()==null)
- codeList.add(code);
- else {
- for(ResourceOperationCode c : code.getChildren()){
- codeList.add(c);
- }
- }
- }
- }
-
- private static String readDefault() throws IOException, JSONException {
- String str = System.getProperty(ResourceConstants.RESORUCE_SEC_DESCRIPTOR, ResourceConstants.RESORUCE_DEFAULT_SEC_DESCRIPTOR);
- File file = new File(str);
- FileReader reader = new FileReader(file);
- char[] buffer = new char[(int) file.length()];
- reader.read(buffer);
- String json = new String(buffer);
- reader.close();
- return json;
- }
-
- public JSONAuthorization(String json) throws IOException, JSONException{
- readSecurityDescriptor(json);
- }
-
-
- private static void readSecurityDescriptor(String json) throws IOException, JSONException {
- JSONObject jsonBean = new JSONObject(json);
- acl = new HashMap<String,User>();
- Map<String,Role> roleMap = readRoles(jsonBean);
- readUsers(acl,jsonBean,roleMap);
- }
-
- private static void readUsers(Map<String, User> acl, JSONObject jsonBean,
- Map<String, Role> roleMap) throws JSONException {
- JSONArray array = jsonBean.getJSONArray("users");
- for(int i=0;i<array.length();i++){
- JSONObject obj = array.getJSONObject(i);
- User user = new User();
- user.name = obj.getString("name");
- if(obj.has("password"))
- user.pwd = obj.getString("password");
- else
- user.pwd = user.name;
-
- JSONArray ops = obj.getJSONArray("roles");
- user.roles = new Role[ops.length()];
- for(int j=0;j<ops.length();j++){
- String roleName = ops.getString(j);
- user.roles[j] = roleMap.get(roleName);
- if(user.roles[j]==null){
- throw new RuntimeException("Role not present " + roleName);
- }
- }
- acl.put(user.name, user);
- }
- }
-
- private static Map<String, Role> readRoles(JSONObject jsonBean) throws JSONException {
- Map<String,Role> roleMap = new HashMap<String,Role>();
- JSONArray array = jsonBean.getJSONArray("roles");
- for(int i=0;i<array.length();i++){
- JSONObject obj = array.getJSONObject(i);
- Role role = new Role();
- role.name = obj.getString("name");
-
- if(obj.has("operationsAllowed")){
- JSONArray ops = obj.getJSONArray("operationsAllowed");
- role.permissions = new String[ops.length()];
- for(int j=0;j<ops.length();j++){
- role.permissions[j] = ops.getString(j);
- }
- }else {
- if (!obj.has("inherit"))
- throw new RuntimeException(
- "Role "
- + role.name
- + " does not have any permission neither it inherits any parent role");
- }
-
- roleMap.put(role.name,role);
-
- if(obj.has("region")){
- role.regionName = obj.getString("region");
- }
-
- if(obj.has("serverGroup")){
- role.serverGroup = obj.getString("serverGroup");
- }
- }
-
- for(int i=0;i<array.length();i++){
- JSONObject obj = array.getJSONObject(i);
- String name = obj.getString("name");
- Role role = roleMap.get(name);
- if (role == null) {
- throw new RuntimeException("Role not present "
- + role);
- }
- if(obj.has("inherit")){
- JSONArray parentRoles = obj.getJSONArray("inherit");
- for (int m = 0; m < parentRoles.length(); m++) {
- String parentRoleName = parentRoles.getString(m);
- Role parentRole = roleMap.get(parentRoleName);
- if (parentRole == null) {
- throw new RuntimeException("Role not present "
- + parentRoleName);
- }
- int oldLenth=0;
- if(role.permissions!=null)
- oldLenth = role.permissions.length;
- int newLength = oldLenth + parentRole.permissions.length;
- String[] str = new String[newLength];
- int k = 0;
- if(role.permissions!=null) {
- for (; k < role.permissions.length; k++) {
- str[k] = role.permissions[k];
- }
- }
-
- for (int l = 0; l < parentRole.permissions.length; l++) {
- str[k + l] = parentRole.permissions[l];
- }
- role.permissions = str;
- }
- }
-
- }
- return roleMap;
- }
-
- public static Map<String, User> getAcl() {
- return acl;
- }
-
- private Principal principal=null;
-
- @Override
- public void close() {
-
- }
-
- @Override
- public boolean authorizeOperation(String arg0, OperationContext context) {
-
- if(principal!=null) {
- User user = acl.get(principal.getName());
- if(user!=null) {
- LogService.getLogger().info("Context received " + context);
- ResourceOperationContext ctx = (ResourceOperationContext)context;
- LogService.getLogger().info("Checking for code " + ctx.getResourceOperationCode());
-
- //TODO : This is for un-annotated commands
- if(ctx.getResourceOperationCode()==null)
- return true;
-
- boolean found = false;
- for(ResourceOperationCode code : getAuthorizedOps(user, (ResourceOperationContext) context)) {
- if(ctx.getResourceOperationCode().equals(code)){
- found =true;
- LogService.getLogger().info("found code " + code.toString());
- break;
- }
- }
- if(found)
- return true;
- LogService.getLogger().info("Did not find code " + ctx.getResourceOperationCode());
- return false;
- }
- }
- return false;
- }
-
- @Override
- public void init(Principal principal, DistributedMember arg1, Cache arg2) throws NotAuthorizedException {
- this.principal = principal;
- }
-
- @Override
- public Principal authenticate(Properties props, DistributedMember arg1) throws AuthenticationFailedException {
- String user = props.getProperty(ResourceConstants.USER_NAME);
- String pwd = props.getProperty(ResourceConstants.PASSWORD);
- User userObj = acl.get(user);
- if(userObj==null)
- throw new AuthenticationFailedException("Wrong username/password");
- LogService.getLogger().info("User="+user + " pwd="+pwd);
- if (user!=null && !userObj.pwd.equals(pwd) && !"".equals(user))
- throw new AuthenticationFailedException("Wrong username/password");
- LogService.getLogger().info("Authentication successful!! for " + user);
- return new JMXPrincipal(user);
- }
-
- @Override
- public void init(Properties arg0, LogWriter arg1, LogWriter arg2) throws AuthenticationFailedException {
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
index 8282ab0..7b285f6 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
@@ -16,30 +16,19 @@
*/
package com.gemstone.gemfire.management.internal.security;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.ACCESS_DENIED_MESSAGE;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.GET_ATTRIBUTE;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.GET_ATTRIBUTES;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.GET_PREFIX;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.PASSWORD;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.PROCESS_COMMAND;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.SET_ATTRIBUTE;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.SET_ATTRIBUTES;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.SET_PREFIX;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.USER_NAME;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.WRONGE_CREDENTIALS_MESSAGE;
-
-import java.lang.management.ManagementFactory;
-import java.lang.reflect.Method;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map.Entry;
-import java.util.Properties;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
+import com.gemstone.gemfire.GemFireConfigException;
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.distributed.DistributedSystem;
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
+import com.gemstone.gemfire.internal.ClassLoadUtil;
+import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
+import com.gemstone.gemfire.internal.lang.StringUtils;
+import com.gemstone.gemfire.internal.logging.InternalLogWriter;
+import com.gemstone.gemfire.management.internal.ManagementConstants;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+import org.apache.logging.log4j.Logger;
import javax.management.Attribute;
import javax.management.AttributeList;
@@ -53,21 +42,20 @@ import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.MBeanServerForwarder;
import javax.security.auth.Subject;
+import java.lang.management.ManagementFactory;
+import java.lang.reflect.Method;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
-import org.apache.logging.log4j.Logger;
-
-import com.gemstone.gemfire.GemFireConfigException;
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.distributed.DistributedSystem;
-import com.gemstone.gemfire.distributed.internal.DistributionConfig;
-import com.gemstone.gemfire.internal.ClassLoadUtil;
-import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
-import com.gemstone.gemfire.internal.lang.StringUtils;
-import com.gemstone.gemfire.internal.logging.InternalLogWriter;
-import com.gemstone.gemfire.management.internal.ManagementConstants;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.Authenticator;
+import static com.gemstone.gemfire.management.internal.security.ResourceConstants.*;
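Review bot: The eleven explicit `import static ...ResourceConstants.X` lines are collapsed into `import static ...ResourceConstants.*;`, which hides which security constants (the access-denied and wrong-credentials messages, the get/set attribute prefixes, the credential property names) this interceptor actually depends on, and lets any later addition to `ResourceConstants` silently shadow a same-named local or inherited identifier. Prefer keeping the explicit static imports, as the other files in this diff do. Style only; no behaviour change.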
/**
*
@@ -116,7 +104,7 @@ public class ManagementInterceptor implements JMXAuthenticator {
*/
private void registerAccessContorlMbean() {
try {
- com.gemstone.gemfire.management.internal.security.AccessControl acc = new com.gemstone.gemfire.management.internal.security.AccessControl(this);
+ AccessControlMBean acc = new AccessControlMBean(this);
accessControlMBeanON = new ObjectName(ResourceConstants.OBJECT_NAME_ACCESSCONTROL);
MBeanServer platformMBeanServer = ManagementFactory.getPlatformMBeanServer();
Set<ObjectName> names = platformMBeanServer.queryNames(accessControlMBeanON, null);
@@ -240,34 +228,34 @@ public class ManagementInterceptor implements JMXAuthenticator {
List<Attribute> list = attrList.asList();
ResourceOperationContext setterContext = null;
SetAttributesOperationContext resourceContext = new SetAttributesOperationContext();
- for(int i=0;i<list.size();i++) {
+ for (int i = 0; i < list.size(); i++) {
Attribute attribute = list.get(i);
String setter = SET_PREFIX + attribute.getName();
- setterContext = buildContext(name,setter,null);
+ setterContext = buildContext(name, setter, null);
boolean authorized = accessControl.authorizeOperation(null, setterContext);
if (logger.isDebugEnabled()) {
- logger.debug("Name=" + name + " methodName=" + methodName + " result=" + authorized + " principal="
- + principal.getName());
+ logger.debug(
+ "Name=" + name + " methodName=" + methodName + " result=" + authorized + " principal=" + principal.getName());
}
- if(!authorized)
+ if (!authorized) {
throw new SecurityException(ACCESS_DENIED_MESSAGE);
- else
+ } else {
resourceContext.addAttribute(attribute.getName(), setterContext);
+ }
}
return resourceContext;
} else {
ResourceOperationContext resourceContext = buildContext(name, method, params);
boolean authorized = accessControl.authorizeOperation(null, resourceContext);
if (logger.isDebugEnabled()) {
- logger.debug("Name=" + name + " methodName=" + methodName + " result=" + authorized + " principal="
- + principal.getName());
+ logger.debug(
+ "Name=" + name + " methodName=" + methodName + " result=" + authorized + " principal=" + principal.getName());
}
- if (!authorized)
- throw new SecurityException(ACCESS_DENIED_MESSAGE);
+ if (!authorized) throw new SecurityException(ACCESS_DENIED_MESSAGE);
return resourceContext;
}
- }
+ }
public MBeanServerForwarder getMBeanServerForwarder() {
return mBeanServerForwarder;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
index 56d6b2c..d53b253 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
@@ -310,7 +310,7 @@ public abstract class ResourceOperationContext extends OperationContext {
}
public List<ResourceOperationCode> getChildren() {
- return Collections.unmodifiableList(children);
+ return children != null ? Collections.unmodifiableList(children) : null;
}
public void addChild(ResourceOperationCode code) {
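Review bot: `getChildren()` now returns `null` for a code with no children, so the null is being used as a leaf marker (the former behaviour was an NPE inside `Collections.unmodifiableList`, so every caller now has to know to test for null before iterating). If that contract is intended, document it on the method: `/** Returns an unmodifiable view of the child codes, or {@code null} when this code is a leaf with no children. */`. The alternative is `return children == null ? Collections.emptyList() : Collections.unmodifiableList(children);` with callers testing `isEmpty()`, but that changes the result for any caller that currently relies on `== null` to detect leaves (the authorization path that expands a parent code into its children appears to be one), so it must be done together with those callers rather than here alone.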
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
index 64c5a73..ce91b30 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
@@ -17,29 +17,6 @@
package com.gemstone.gemfire.management.internal.web.controllers;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.ACCESS_DENIED_MESSAGE;
-
-import java.io.PrintWriter;
-import java.io.StringWriter;
-import java.lang.management.ManagementFactory;
-import java.net.URI;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import javax.management.JMX;
-import javax.management.MBeanServer;
-import javax.management.MalformedObjectNameException;
-import javax.management.ObjectName;
-import javax.management.Query;
-import javax.management.QueryExp;
-import javax.management.remote.JMXPrincipal;
-import javax.security.auth.Subject;
-
-import com.gemstone.gemfire.GemFireConfigException;
import com.gemstone.gemfire.cache.CacheFactory;
import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
import com.gemstone.gemfire.internal.lang.StringUtils;
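Review bot: The dropped imports (`ACCESS_DENIED_MESSAGE`, `Principal`, `JMXPrincipal`, `Subject`, `GemFireConfigException`) indicate that authentication/authorization code that used to live in this REST controller base class has been removed; that code is outside this hunk, so I cannot see where the check moved. Please confirm in the commit message that the admin REST endpoints are still guarded on the new side (presumably by `EnvironmentVariablesHandlerInterceptor`, which is still imported, or by the MBeanServer wrapper) and that one of the integration tests touched by this commit exercises an unauthorized request against a controller endpoint. A one-line class comment such as `// Authentication of REST callers is handled by EnvironmentVariablesHandlerInterceptor; controllers perform no credential checks themselves.` would make the intended trust boundary explicit.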
@@ -55,15 +32,10 @@ import com.gemstone.gemfire.management.internal.SystemManagementService;
import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
import com.gemstone.gemfire.management.internal.cli.util.CommandStringBuilder;
import com.gemstone.gemfire.management.internal.security.CLIOperationContext;
-import com.gemstone.gemfire.management.internal.security.MBeanServerWrapper;
-import com.gemstone.gemfire.management.internal.security.ResourceConstants;
import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
import com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor;
import com.gemstone.gemfire.management.internal.web.controllers.support.MemberMXBeanAdapter;
import com.gemstone.gemfire.management.internal.web.util.UriUtils;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.Authenticator;
-
import org.apache.logging.log4j.Logger;
import org.springframework.beans.propertyeditors.StringArrayPropertyEditor;
import org.springframework.http.HttpStatus;
@@ -75,7 +47,23 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
-import org.springframework.web.util.UriComponentsBuilder;
+
+import javax.management.JMX;
+import javax.management.MBeanServer;
+import javax.management.MalformedObjectNameException;
+import javax.management.ObjectName;
+import javax.management.Query;
+import javax.management.QueryExp;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.lang.management.ManagementFactory;
+import java.net.URI;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
/**
* The AbstractCommandsController class is the abstract base class encapsulating common functionality across all
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java
index cafd2d6..bbdd596 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java
@@ -22,7 +22,6 @@ import java.util.concurrent.Callable;
import com.gemstone.gemfire.internal.lang.StringUtils;
import com.gemstone.gemfire.management.internal.cli.i18n.CliStrings;
import com.gemstone.gemfire.management.internal.cli.util.CommandStringBuilder;
-import com.gemstone.gemfire.management.internal.security.CLIOperationContext;
import com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor;
import org.springframework.http.HttpStatus;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
index bbc0036..f484f70 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
@@ -16,46 +16,24 @@
*/
package com.gemstone.gemfire.management.internal.web.controllers.support;
-import java.lang.reflect.Method;
-import java.security.Principal;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.Map.Entry;
-
-import javax.management.remote.JMXPrincipal;
-import javax.security.auth.Subject;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
-
-import com.gemstone.gemfire.GemFireConfigException;
import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.cache.CacheFactory;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.distributed.DistributedSystem;
-import com.gemstone.gemfire.distributed.internal.DistributionConfig;
-import com.gemstone.gemfire.internal.ClassLoadUtil;
import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
-import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
-import com.gemstone.gemfire.internal.logging.InternalLogWriter;
import com.gemstone.gemfire.internal.logging.LogService;
import com.gemstone.gemfire.management.ManagementService;
import com.gemstone.gemfire.management.internal.SystemManagementService;
-import com.gemstone.gemfire.management.internal.security.CLIOperationContext;
-import com.gemstone.gemfire.management.internal.security.MBeanServerWrapper;
-import com.gemstone.gemfire.management.internal.security.ResourceConstants;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.AuthenticationRequiredException;
import com.gemstone.gemfire.security.Authenticator;
-
import org.apache.logging.log4j.Logger;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Properties;
/**
* The GetEnvironmentHandlerInterceptor class handles extracting Gfsh environment variables encoded in the HTTP request
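Review bot: It is no longer visible from this file where REST-driven gfsh requests get authorized: the imports of `AccessControl`, `AuthenticationFailedException`, `AuthenticationRequiredException`, `MBeanServerWrapper`, `ResourceConstants` and `CLIOperationContext` are dropped while `Authenticator` is kept, which suggests `preHandle` (outside this hunk) no longer performs the check itself. If the check now lives in `ManagementInterceptor`, the class Javadoc that starts on the last line of the hunk should say so, e.g. `Authentication and authorization of REST requests are handled by ManagementInterceptor; this interceptor only extracts Gfsh environment variables.`, so the security boundary is explicit to the next reader. This is inferred from the import changes only, so confirm against the method body.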
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java
index 664e7a6..f01c951 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java
@@ -55,9 +55,7 @@ import java.util.regex.Pattern;
* @author David Hoots
* @author John Blum
*/
-public class CliCommandTestBase extends CacheTestCase {
-
- private static final long serialVersionUID = 1L;
+public abstract class CliCommandTestBase extends CacheTestCase {
protected static final String USE_HTTP_SYSTEM_PROPERTY = "useHTTP";
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java
index 3d4615a..3ad9ce8 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java
@@ -31,9 +31,6 @@ import java.util.List;
import static org.junit.Assert.assertEquals;
-/**
- * @author Jens Deppe
- */
@Category(UnitTest.class)
public class GfshHistoryJUnitTest {
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java
index 8c51a40..59b60ac 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java
@@ -80,8 +80,8 @@ public class AuthorizeOperationForMBeansIntegrationTest {
@Before
public void setUp() throws Exception {
- System.setProperty("resource-auth-accessor", TestAccessControl.class.getName());
- System.setProperty("resource-authenticator", TestAuthenticator.class.getName());
+ System.setProperty("gemfire.security-client-accessor", TestAccessControl.class.getName() + ".create");
+ System.setProperty("gemfire.security-client-authenticator", TestAuthenticator.class.getName() + ".create");
Properties properties = new Properties();
properties.put("name", this.testName.getMethodName());
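Review bot: The two `System.setProperty` calls make the accessor and authenticator process-global, so they leak into any later test in the same JVM unless they are removed; the `@After` method is outside this hunk, so I cannot tell whether it already does. If it does not, add `System.clearProperty("gemfire.security-client-accessor"); System.clearProperty("gemfire.security-client-authenticator");` there. The switch from `getCanonicalName()` to `getName() + ".create"` is right for nested classes (`Outer$Inner` is what `Class.forName` needs), and a one-line comment saying the value must be a `ClassName.staticMethod` factory reference would save the next person from reverting it.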
@@ -263,6 +263,10 @@ public class AuthorizeOperationForMBeansIntegrationTest {
*/
public static class TestAuthenticator implements Authenticator {
+ public static Authenticator create() {
+ return new TestAuthenticator();
+ }
+
@Override
public void close() {
}
@@ -293,6 +297,10 @@ public class AuthorizeOperationForMBeansIntegrationTest {
public void close() {
}
+ public static AccessControl create() {
+ return new TestAccessControl();
+ }
+
@Override
public void init(final Principal principal, final DistributedMember remoteMember, final Cache cache) throws NotAuthorizedException {
this.principal = principal;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java
index ecc4c72..e8620aa 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java
@@ -16,6 +16,7 @@
*/
package com.gemstone.gemfire.management.internal.security;
+import static org.jgroups.util.Util.readFile;
import static org.junit.Assert.*;
import java.lang.management.ManagementFactory;
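Review bot: `org.jgroups.util.Util.readFile` is a JGroups internal helper being pulled in only to slurp a test resource, which ties this test to the membership library's utility API and to whatever charset that helper uses. `new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8)` reads the same file with the JDK alone and makes the encoding explicit; the `java.nio.file` and `java.nio.charset` imports would sit next to the existing `java.lang.management` import.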
@@ -62,9 +63,8 @@ public class AuthorizeOperationForRegionCommandsIntegrationTest {
@Before
public void setUp() {
- System.setProperty("resource.secDescriptor", TestUtil.getResourcePath(getClass(), "auth3.json"));
- System.setProperty("resource-auth-accessor", JSONAuthorization.class.getCanonicalName());
- System.setProperty("resource-authenticator", JSONAuthorization.class.getCanonicalName());
+ System.setProperty("gemfire.security-client-accessor", JSONAuthorization.class.getName() + ".create");
+ System.setProperty("gemfire.security-client-authenticator", JSONAuthorization.class.getName() + ".create");
Properties properties = new Properties();
properties.put("name", testName.getMethodName());
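Review bot: Dropping the `resource.secDescriptor` property means the accessor the cache instantiates through `gemfire.security-client-accessor` (`JSONAuthorization.create`) no longer knows about `auth3.json`: `create()` falls back to `readDefault()`, which reads the path from `ResourceConstants.RESORUCE_DEFAULT_SEC_DESCRIPTOR` unless another code path has already filled the static `acl`. Whether that default file exists in the test environment, and whether the test body's `new JSONAuthorization(json)` runs before the cache-side `create()`, is not visible here; if the order is the other way round, the server-side authorizer and the object under test are loaded from different descriptors. Keeping `System.setProperty("resource.secDescriptor", TestUtil.getResourcePath(getClass(), "auth3.json"));` in `setUp` (and clearing all of these properties in the `@After`, which is outside this hunk) removes that ordering dependency.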
@@ -95,26 +95,22 @@ public class AuthorizeOperationForRegionCommandsIntegrationTest {
@Test
public void testInheritRole() {
}
-
- @Ignore("Test was dead-coded")
- @Test
- public void testUserMultipleRole() throws Exception {
- }
-
+
@Test
public void testAuthorizeOperationWithRegionOperations() throws Exception {
- JSONAuthorization authorization = JSONAuthorization.create();
+ String json = readFile(TestUtil.getResourcePath(getClass(), "auth3.json"));
+ JSONAuthorization authorization = new JSONAuthorization(json);
authorization.init(new JMXPrincipal("tushark"), null, null);
checkAccessControlMBean();
CLIOperationContext cliContext = new CLIOperationContext("locate entry --key=k1 --region=region1");
boolean result = authorization.authorizeOperation(null, cliContext);
- assertTrue(result);
+ assertTrue("Operation not authorized", result);
cliContext = new CLIOperationContext("locate entry --key=k1 --region=secureRegion");
result = authorization.authorizeOperation(null, cliContext);
- //assertFalse(result); //this is failing due to logic issue TODO: why is this commented out?
+ assertTrue("Operation not authorized", result);
authorization.init(new JMXPrincipal("avinash"), null, null);
result = authorization.authorizeOperation(null, cliContext);
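Review bot: Replacing the commented-out `assertFalse` with `assertTrue("Operation not authorized", result)` codifies that `tushark`'s unscoped `dataUsers` grant also covers `secureRegion`; that is what `getAuthorizedOps` computes for a role without a `region`, but the test now never asserts a region-scoped denial, and the old TODO asking why the deny failed is answered by asserting the permissive result instead. A comment above the assertion should state the intent, e.g. `// dataUsers has no region restriction, so LOCATE_ENTRY on secureRegion is allowed; region scoping is a grant, not a deny`, and a user holding only `secureDataUsers` should be asserted denied on `region1`. Both assertions also share the identical message, so a failure cannot be told apart; include the command, e.g. `assertTrue("Not authorized: " + cliContext, result)`. The `avinash` checks at the end of this method continue past the hunk.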
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
new file mode 100644
index 0000000..2148edd
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
@@ -0,0 +1,307 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.GemFireConfigException;
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.cache.operations.OperationContext;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.management.internal.security.ResourceOperationContext.ResourceOperationCode;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+import com.gemstone.gemfire.security.NotAuthorizedException;
+import org.json.JSONArray;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+import javax.management.remote.JMXPrincipal;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+
+public class JSONAuthorization implements AccessControl, Authenticator {
+
+ public static class Role{
+ String[] permissions;
+ String name;
+ String regionName;
+ String serverGroup;
+ }
+
+ public static class User{
+ String name;
+ Role[] roles;
+ String pwd;
+ }
+
+ private static Map<String,User> acl = null;
+
+ public static JSONAuthorization create() throws IOException, JSONException {
+ if(acl==null){
+ readSecurityDescriptor(readDefault());
+ }
+ return new JSONAuthorization();
+ }
+
+ public JSONAuthorization() {
+ if (acl == null) {
+ try {
+ readSecurityDescriptor(readDefault());
+ } catch (IOException e) {
+ throw new GemFireConfigException("Error creating JSONAuth", e);
+ } catch (JSONException e) {
+ throw new GemFireConfigException("Error creating JSONAuth", e);
+ }
+ }
+ }
+
+ public static Set<ResourceOperationCode> getAuthorizedOps(User user, ResourceOperationContext context) {
+ Set<ResourceOperationCode> codeList = new HashSet<ResourceOperationCode>();
+ for(Role role : user.roles) {
+ for (String perm : role.permissions) {
+ ResourceOperationCode code = ResourceOperationCode.parse(perm);
+ if (role.regionName == null && role.serverGroup == null) {
+ addPermissions(code, codeList);
+ } else if (role.regionName != null) {
+ LogService.getLogger().info("This role requires region=" + role.regionName);
+ if (context instanceof CLIOperationContext) {
+ CLIOperationContext cliContext = (CLIOperationContext) context;
+ String region = cliContext.getCommandOptions().get("region");
+ if (region != null && region.equals(role.regionName)) {
+ addPermissions(code, codeList);
+ } else {
+ LogService.getLogger().info("Not adding permission " + code + " since region=" + region + " does not match");
+ }
+ }
+ }
+ // Same to be implemented for ServerGroup
+ }
+ }
+ LogService.getLogger().info("Final set of permisions " + codeList);
+ return codeList;
+ }
+
+ private static void addPermissions(ResourceOperationCode code, Set<ResourceOperationCode> codeList) {
+ if (code == null) {
+ return;
+ }
+
+ codeList.add(code);
+ if (code.getChildren() != null) {
+ for (ResourceOperationCode c : code.getChildren()) {
+ codeList.add(c);
+ }
+ }
+ }
+
+ private static String readDefault() throws IOException, JSONException {
+ String str = System.getProperty(ResourceConstants.RESORUCE_SEC_DESCRIPTOR, ResourceConstants.RESORUCE_DEFAULT_SEC_DESCRIPTOR);
+ File file = new File(str);
+ FileReader reader = new FileReader(file);
+ char[] buffer = new char[(int) file.length()];
+ reader.read(buffer);
+ String json = new String(buffer);
+ reader.close();
+ return json;
+ }
+
+ public JSONAuthorization(String json) throws IOException, JSONException{
+ readSecurityDescriptor(json);
+ }
+
+ private static void readSecurityDescriptor(String json) throws IOException, JSONException {
+ JSONObject jsonBean = new JSONObject(json);
+ acl = new HashMap<String,User>();
+ Map<String,Role> roleMap = readRoles(jsonBean);
+ readUsers(acl,jsonBean,roleMap);
+ }
+
+ private static void readUsers(Map<String, User> acl, JSONObject jsonBean,
+ Map<String, Role> roleMap) throws JSONException {
+ JSONArray array = jsonBean.getJSONArray("users");
+ for(int i=0;i<array.length();i++){
+ JSONObject obj = array.getJSONObject(i);
+ User user = new User();
+ user.name = obj.getString("name");
+ if(obj.has("password")) {
+ user.pwd = obj.getString("password");
+ } else {
+ user.pwd = user.name;
+ }
+
+ JSONArray ops = obj.getJSONArray("roles");
+ user.roles = new Role[ops.length()];
+ for(int j=0;j<ops.length();j++){
+ String roleName = ops.getString(j);
+ user.roles[j] = roleMap.get(roleName);
+ if(user.roles[j]==null){
+ throw new RuntimeException("Role not present " + roleName);
+ }
+ }
+ acl.put(user.name, user);
+ }
+ }
+
+ private static Map<String, Role> readRoles(JSONObject jsonBean) throws JSONException {
+ Map<String,Role> roleMap = new HashMap<String,Role>();
+ JSONArray array = jsonBean.getJSONArray("roles");
+ for(int i=0;i<array.length();i++){
+ JSONObject obj = array.getJSONObject(i);
+ Role role = new Role();
+ role.name = obj.getString("name");
+
+ if(obj.has("operationsAllowed")){
+ JSONArray ops = obj.getJSONArray("operationsAllowed");
+ role.permissions = new String[ops.length()];
+ for(int j=0;j<ops.length();j++){
+ role.permissions[j] = ops.getString(j);
+ }
+ }else {
+ if (!obj.has("inherit"))
+ throw new RuntimeException(
+ "Role "
+ + role.name
+ + " does not have any permission neither it inherits any parent role");
+ }
+
+ roleMap.put(role.name,role);
+
+ if(obj.has("region")){
+ role.regionName = obj.getString("region");
+ }
+
+ if(obj.has("serverGroup")){
+ role.serverGroup = obj.getString("serverGroup");
+ }
+ }
+
+ for(int i=0;i<array.length();i++){
+ JSONObject obj = array.getJSONObject(i);
+ String name = obj.getString("name");
+ Role role = roleMap.get(name);
+ if (role == null) {
+ throw new RuntimeException("Role not present "
+ + role);
+ }
+ if(obj.has("inherit")){
+ JSONArray parentRoles = obj.getJSONArray("inherit");
+ for (int m = 0; m < parentRoles.length(); m++) {
+ String parentRoleName = parentRoles.getString(m);
+ Role parentRole = roleMap.get(parentRoleName);
+ if (parentRole == null) {
+ throw new RuntimeException("Role not present "
+ + parentRoleName);
+ }
+ int oldLenth=0;
+ if(role.permissions!=null)
+ oldLenth = role.permissions.length;
+ int newLength = oldLenth + parentRole.permissions.length;
+ String[] str = new String[newLength];
+ int k = 0;
+ if(role.permissions!=null) {
+ for (; k < role.permissions.length; k++) {
+ str[k] = role.permissions[k];
+ }
+ }
+
+ for (int l = 0; l < parentRole.permissions.length; l++) {
+ str[k + l] = parentRole.permissions[l];
+ }
+ role.permissions = str;
+ }
+ }
+
+ }
+ return roleMap;
+ }
+
+ public static Map<String, User> getAcl() {
+ return acl;
+ }
+
+ private Principal principal=null;
+
+ @Override
+ public void close() {
+
+ }
+
+ @Override
+ public boolean authorizeOperation(String arg0, OperationContext context) {
+
+ if(principal!=null) {
+ User user = acl.get(principal.getName());
+ if(user!=null) {
+ LogService.getLogger().info("Context received " + context);
+ ResourceOperationContext ctx = (ResourceOperationContext)context;
+ LogService.getLogger().info("Checking for code " + ctx.getResourceOperationCode());
+
+ //TODO : This is for un-annotated commands
+ if(ctx.getResourceOperationCode()==null)
+ return true;
+
+ boolean found = false;
+ for(ResourceOperationCode code : getAuthorizedOps(user, (ResourceOperationContext) context)) {
+ if(ctx.getResourceOperationCode().equals(code)){
+ found =true;
+ LogService.getLogger().info("found code " + code.toString());
+ break;
+ }
+ }
+ if(found)
+ return true;
+ LogService.getLogger().info("Did not find code " + ctx.getResourceOperationCode());
+ return false;
+ }
+ }
+ return false;
+ }
+
+ @Override
+ public void init(Principal principal, DistributedMember arg1, Cache arg2) throws NotAuthorizedException {
+ this.principal = principal;
+ }
+
+ @Override
+ public Principal authenticate(Properties props, DistributedMember arg1) throws AuthenticationFailedException {
+ String user = props.getProperty(ResourceConstants.USER_NAME);
+ String pwd = props.getProperty(ResourceConstants.PASSWORD);
+ User userObj = acl.get(user);
+ if(userObj==null)
+ throw new AuthenticationFailedException("Wrong username/password");
+ LogService.getLogger().info("User="+user + " pwd="+pwd);
+ if (user!=null && !userObj.pwd.equals(pwd) && !"".equals(user))
+ throw new AuthenticationFailedException("Wrong username/password");
+ LogService.getLogger().info("Authentication successful!! for " + user);
+ return new JMXPrincipal(user);
+ }
+
+ @Override
+ public void init(Properties arg0, LogWriter arg1, LogWriter arg2) throws AuthenticationFailedException {
+
+ }
+
+}
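Review bot: `authorizeOperation` fails open: when `ctx.getResourceOperationCode()` is null (the `//TODO : This is for un-annotated commands` branch) it returns `true` for any authenticated principal, so every command that lacks a resource-operation annotation is granted to every user; even in this test-scoped authorizer it should `return false;` after logging the context, so that tests catch un-annotated commands instead of silently passing them. `authenticate` also writes the submitted credential to the log at INFO (`LogService.getLogger().info("User="+user + " pwd="+pwd);`) — drop `pwd` from that message. Two smaller defects in the same file: the `if (role == null)` branch in `readRoles` prints `+ role` (always null) where it means `+ name`, and `readDefault` reads with the platform charset, does not check that `reader.read(buffer)` filled the buffer, and leaks the reader on exception; `new String(Files.readAllBytes(file.toPath()), StandardCharsets.UTF_8)` covers all three. The static `acl` is also shared, unsynchronized state across every instance created by `create()`, which is worth a class-level comment since the integration tests construct instances from two code paths.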
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java
index 65fcf56..f4ef154 100755
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java
@@ -16,7 +16,7 @@
*/
package com.gemstone.gemfire.management.internal.security;
-import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.assertEquals;
import javax.management.ObjectName;
@@ -52,9 +52,9 @@ public class OperationCodesForDistributedSystemMXBeanTest {
private final ResourceOperationCode[] distributedSystemResourceOperationCodes = {
ResourceOperationCode.LIST_DS,
ResourceOperationCode.LIST_DS,
- ResourceOperationCode.GET,
+ ResourceOperationCode.LIST_DS,
ResourceOperationCode.QUERY,
- ResourceOperationCode.GET,
+ ResourceOperationCode.LIST_DS,
ResourceOperationCode.CHANGE_ALERT_LEVEL,
ResourceOperationCode.BACKUP_MEMBERS,
ResourceOperationCode.REVOKE_MISSING_DISKSTORE,
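Review bot: Two expected codes move from `GET` to `LIST_DS` without any note of why those `DistributedSystemMXBean` operations (the `distributedSystemMXBeanOperations` array is outside this hunk) are now classified as a listing operation; since `ResourceOperationCode` decides what a principal may invoke, the test should record the intended mapping rather than just mirror whatever `JMXOperationContext` currently returns. A one-line comment on the array naming the two operations and the reason they map to `LIST_DS` would make a future regression to `GET` reviewable; I cannot tell from the hunk whether this tightened or loosened the required permission.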
@@ -69,8 +69,8 @@ public class OperationCodesForDistributedSystemMXBeanTest {
ObjectName objectName = MBeanJMXAdapter.getDistributedSystemName();
for (int i = 0; i < distributedSystemMXBeanOperations.length; i++) {
JMXOperationContext context = new JMXOperationContext(objectName, distributedSystemMXBeanOperations[i]);
- assertThat(context.getResourceOperationCode()).isEqualTo(distributedSystemResourceOperationCodes[i]);
- assertThat(context.getOperationCode()).isEqualTo(OperationCode.RESOURCE);
+ assertEquals(distributedSystemResourceOperationCodes[i], context.getResourceOperationCode());
+ assertEquals(OperationCode.RESOURCE, context.getOperationCode());
}
}
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java
index 47b86f3..6aa1072 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java
@@ -47,6 +47,7 @@ import javax.management.remote.JMXServiceURL;
import org.junit.After;
import org.junit.Before;
+import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
@@ -56,6 +57,7 @@ import com.gemstone.gemfire.distributed.DistributedSystem;
import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
import com.gemstone.gemfire.management.ManagementService;
import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.rules.TemporaryFolder;
/**
* Test ReadOnly operations are accesible from RMI Connector with readOnly user
@@ -75,6 +77,9 @@ public class ReadOpFileAccessControllerJUnitTest {
public static final String SERVICE_URLPREFIX = "service:jmx:rmi:///jndi/rmi:";
private static final String NEW_LINE = System.getProperty("line.separator");
+
+ @Rule
+ public TemporaryFolder tempFolder = new TemporaryFolder();
@Before
public void setUp() throws Exception {
@@ -89,6 +94,7 @@ public class ReadOpFileAccessControllerJUnitTest {
connector.close();
rmiConnector.stop();
cache.close();
+ ds.disconnect();
UnicastRemoteObject.unexportObject(registry, true);
}
@@ -145,12 +151,7 @@ public class ReadOpFileAccessControllerJUnitTest {
}
private void createConnector(String accessFileName, String pwFile) throws IOException {
-
- try {
- registry = LocateRegistry.createRegistry(port);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
+ registry = LocateRegistry.createRegistry(port);
MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
String serviceUrl = SERVICE_URLPREFIX + "//" + hostname + ":" + port
+ "/jmxconnector";
@@ -169,8 +170,7 @@ public class ReadOpFileAccessControllerJUnitTest {
}
private String createAccessFile() throws IOException {
- File file = new File("jmxremote.access");
- assertTrue(file.createNewFile());
+ File file = tempFolder.newFile("jmxremote.access");
BufferedWriter writer = new BufferedWriter(new FileWriter(file));
writer.append("admin readwrite");
writer.append(NEW_LINE);
@@ -182,8 +182,7 @@ public class ReadOpFileAccessControllerJUnitTest {
}
private String createPasswordFile() throws IOException {
- File file = new File("jmxremote.password");
- assertTrue(file.createNewFile());
+ File file = tempFolder.newFile("jmxremote.password");
BufferedWriter writer = new BufferedWriter(new FileWriter(file));
writer.append("admin admin");
writer.append(NEW_LINE);
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json
index 274eb89..5adee52 100644
--- a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json
@@ -1,25 +1,34 @@
{
-"roles" : [
- {
- "name" : "dataUsers",
- "operationsAllowed" : ["LOCATE_ENTRY"],
- },
- {
- "name" : "secureDataUsers",
- "operationsAllowed" : ["LOCATE_ENTRY"],
- "region" : "secureRegion"
- }
- ],
-users : [
- {
- "name" : "tushark",
- "password" : "1234567",
- "roles" : ["dataUsers"]
- },
- {
- "name" : "avinash",
- "password" : "1234567",
- "roles" : ["secureDataUsers", "dataUsers"]
- }
- ]
+ "roles": [
+ {
+ "name": "dataUsers",
+ "operationsAllowed": [
+ "LOCATE_ENTRY"
+ ]
+ },
+ {
+ "name": "secureDataUsers",
+ "operationsAllowed": [
+ "LOCATE_ENTRY"
+ ],
+ "region": "secureRegion"
+ }
+ ],
+ "users": [
+ {
+ "name": "tushark",
+ "password": "1234567",
+ "roles": [
+ "dataUsers"
+ ]
+ },
+ {
+ "name": "avinash",
+ "password": "1234567",
+ "roles": [
+ "secureDataUsers",
+ "dataUsers"
+ ]
+ }
+ ]
}
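Review bot: Every user in this fixture holds the unscoped `dataUsers` role, so the region-scoped `secureDataUsers` role never changes an authorization outcome — `avinash` already gets `LOCATE_ENTRY` on every region through `dataUsers`, and no user has only the region-bound role. To make region scoping testable, add a user that holds `secureDataUsers` alone, e.g. `{ "name": "secureOnly", "password": "1234567", "roles": ["secureDataUsers"] }`, and have the integration test assert that user is denied on `region1` and allowed on `secureRegion`. Quoting `users` and removing the trailing commas also makes this strict JSON, which is worth keeping since `org.json` was tolerating the old form.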