Posted to commits@karaf.apache.org by ff...@apache.org on 2014/05/26 09:51:07 UTC

git commit: [KARAF-3002]RBAC-add a jmx.acl.whitelist so that all ObjectName in this list will bypass the RBAC

Repository: karaf
Updated Branches:
  refs/heads/karaf-2.x cc031a963 -> 401d196cf


[KARAF-3002]RBAC-add a jmx.acl.whitelist so that all ObjectName in this list will bypass the RBAC


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/401d196c
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/401d196c
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/401d196c

Branch: refs/heads/karaf-2.x
Commit: 401d196cf3350ad6699d7c221e7622a2d77a4c64
Parents: cc031a9
Author: Freeman Fang <fr...@gmail.com>
Authored: Mon May 26 15:50:29 2014 +0800
Committer: Freeman Fang <fr...@gmail.com>
Committed: Mon May 26 15:50:29 2014 +0800

----------------------------------------------------------------------
 .../karaf/management/KarafMBeanServerGuard.java | 35 ++++++++++++++++++++
 .../management/KarafMBeanServerGuardTest.java   |  2 ++
 2 files changed, 37 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/401d196c/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
----------------------------------------------------------------------
diff --git a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
index 109a3f9..e614d8b 100644
--- a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
+++ b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -23,7 +23,9 @@ import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
+import java.util.Enumeration;
 import java.util.List;
 
 import javax.management.Attribute;
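Review bot: The added `import java.util.Collection;` is not used by any line this commit adds; only `Enumeration` is needed by the new canBypassRBAC method. I would drop the `Collection` import so the file does not carry an unused dependency.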
@@ -48,6 +50,8 @@ public class KarafMBeanServerGuard implements InvocationHandler {
 
     private static final String JMX_ACL_PID_PREFIX = "jmx.acl";
     
+    private static final String JMX_ACL_WHITELIST = "jmx.acl.whitelist";
+    
     private static final String ROLE_WILDCARD = "*";
 
     private ConfigurationAdmin configAdmin;
@@ -183,6 +187,9 @@ public class KarafMBeanServerGuard implements InvocationHandler {
     }
 
     private boolean canInvoke(ObjectName objectName, String methodName, String[] signature) throws IOException {
+        if (canBypassRBAC(objectName)) {
+            return true;
+        }
         for (String role : getRequiredRoles(objectName, methodName, signature)) {
             if (currentUserHasRole(role))
                 return true;
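Review bot: The early return added at the top of canInvoke grants access before any role lookup and leaves no trace, so an operator cannot tell whether a call was allowed by the whitelist or by a role; the early return added to handleInvoke in the next hunk has the same property. I would put a comment such as `// names listed in jmx.acl.whitelist skip every role check below` above the check, and, if the class has a logger available (not visible here), emit a debug-level entry naming the ObjectName. canInvoke's body continues outside the hunk.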
@@ -232,8 +239,36 @@ public class KarafMBeanServerGuard implements InvocationHandler {
             handleSetAttribute(proxy, objectName, attr);
         }
     }
+    
+    private boolean canBypassRBAC(ObjectName objectName) {
+        List<String> allBypassObjectName = new ArrayList<String>();
+        try {
+            for (Configuration config : configAdmin.listConfigurations("(service.pid=" + JMX_ACL_WHITELIST + ")")) {
+                Enumeration<String> keys = config.getProperties().keys();
+                while (keys.hasMoreElements()) {
+                    String element = keys.nextElement();
+                    allBypassObjectName.add(element);
+                }
+            }
+        } catch (InvalidSyntaxException ise) {
+            throw new RuntimeException(ise);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        } 
+
+        for (String pid : iterateDownPids(getNameSegments(objectName))) {
+            if (!pid.equals("jmx.acl") 
+                && allBypassObjectName.contains(pid.substring("jmx.acl.".length()))) {
+                return true;
+            }
+        }
+        return false;
+    }
 
     void handleInvoke(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
+        if (canBypassRBAC(objectName)) {
+            return;
+        }
         for (String role : getRequiredRoles(objectName, operationName, params, signature)) {
             if (currentUserHasRole(role))
                 return;
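Review bot: In canBypassRBAC the result of `configAdmin.listConfigurations(...)` is iterated without a null check, and ConfigurationAdmin returns null when no configuration matches, so an installation without a `jmx.acl.whitelist` PID would throw a NullPointerException on every guarded call; `config.getProperties()` can likewise be null for a configuration that was never updated. The key loop also copies every dictionary key into the bypass list, including metadata such as `service.pid`, although only ObjectName entries should count. Because a match skips all role checks for every name segment prefix under that entry, the method should carry a Javadoc saying so and stating that write access to this PID has to be limited to administrators. The lookup also runs on each call from both canInvoke and handleInvoke; handleInvoke continues past the end of the hunk.

```java
    private boolean canBypassRBAC(ObjectName objectName) {
        List<String> allBypassObjectName = new ArrayList<String>();
        try {
            Configuration[] configs = configAdmin.listConfigurations("(service.pid=" + JMX_ACL_WHITELIST + ")");
            if (configs == null) {
                // no whitelist configured: nothing bypasses RBAC
                return false;
            }
            for (Configuration config : configs) {
                if (config.getProperties() == null) {
                    // configuration exists but was never updated
                    continue;
                }
                Enumeration<String> keys = config.getProperties().keys();
                while (keys.hasMoreElements()) {
                    String element = keys.nextElement();
                    // ConfigAdmin metadata is not a whitelist entry
                    if (!"service.pid".equals(element)) {
                        allBypassObjectName.add(element);
                    }
                }
            }
        // … unchanged: exception handling and the iterateDownPids match loop …
```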

http://git-wip-us.apache.org/repos/asf/karaf/blob/401d196c/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
----------------------------------------------------------------------
diff --git a/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java b/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
index 4beebad..d153ffc 100644
--- a/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
+++ b/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
@@ -391,6 +391,8 @@ public class KarafMBeanServerGuardTest extends TestCase {
         }
         EasyMock.expect(ca.listConfigurations(EasyMock.eq("(service.pid=jmx.acl*)"))).andReturn(
                 allConfigs.toArray(new Configuration[]{})).anyTimes();
+        EasyMock.expect(ca.listConfigurations(EasyMock.eq("(service.pid=jmx.acl.whitelist)"))).andReturn(
+                allConfigs.toArray(new Configuration[]{})).anyTimes();
         EasyMock.replay(ca);
         return ca;
     }
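Review bot: The new expectation returns `allConfigs` for the `(service.pid=jmx.acl.whitelist)` filter, so every key of every ACL configuration in the fixture is treated as a whitelist entry, and nothing in this hunk asserts either side of the new behaviour. I would return a dedicated configuration whose only key is the whitelisted name, then add one case where a listed ObjectName is allowed without any role and one where an unlisted name is still denied. A case where `listConfigurations` returns null for the whitelist filter would cover an installation that has no whitelist at all. The helper method starts above the hunk.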