Posted to commits@karaf.apache.org by ff...@apache.org on 2014/05/26 09:51:07 UTC
git commit: [KARAF-3002]RBAC-add a jmx.acl.whitelist so that all
ObjectName in this list will bypass the RBAC
Repository: karaf
Updated Branches:
refs/heads/karaf-2.x cc031a963 -> 401d196cf
[KARAF-3002]RBAC-add a jmx.acl.whitelist so that all ObjectName in this list will bypass the RBAC
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/401d196c
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/401d196c
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/401d196c
Branch: refs/heads/karaf-2.x
Commit: 401d196cf3350ad6699d7c221e7622a2d77a4c64
Parents: cc031a9
Author: Freeman Fang <fr...@gmail.com>
Authored: Mon May 26 15:50:29 2014 +0800
Committer: Freeman Fang <fr...@gmail.com>
Committed: Mon May 26 15:50:29 2014 +0800
----------------------------------------------------------------------
.../karaf/management/KarafMBeanServerGuard.java | 35 ++++++++++++++++++++
.../management/KarafMBeanServerGuardTest.java | 2 ++
2 files changed, 37 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/401d196c/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
----------------------------------------------------------------------
diff --git a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
index 109a3f9..e614d8b 100644
--- a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
+++ b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -23,7 +23,9 @@ import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.Collections;
+import java.util.Enumeration;
import java.util.List;
import javax.management.Attribute;
@@ -48,6 +50,8 @@ public class KarafMBeanServerGuard implements InvocationHandler {
private static final String JMX_ACL_PID_PREFIX = "jmx.acl";
+ private static final String JMX_ACL_WHITELIST = "jmx.acl.whitelist";
+
private static final String ROLE_WILDCARD = "*";
private ConfigurationAdmin configAdmin;
@@ -183,6 +187,9 @@ public class KarafMBeanServerGuard implements InvocationHandler {
}
private boolean canInvoke(ObjectName objectName, String methodName, String[] signature) throws IOException {
+ if (canBypassRBAC(objectName)) {
+ return true;
+ }
for (String role : getRequiredRoles(objectName, methodName, signature)) {
if (currentUserHasRole(role))
return true;
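Review bot: The new early `return true` in canInvoke skips the role loop entirely, and neither this call site nor the matching one in handleInvoke documents or records that access was granted by the whitelist rather than by a role. Because canBypassRBAC tests every pid returned by iterateDownPids against the list, an entry presumably matches by name-segment prefix (iterateDownPids is not visible here), so one short entry could exempt a whole subtree of MBeans. I would add a comment above the check, e.g. `// jmx.acl.whitelist match: no role check is performed; an entry covers every ObjectName it prefixes`, and consider logging the bypass at debug level so it can be audited. canInvoke's body continues outside the hunk.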
@@ -232,8 +239,36 @@ public class KarafMBeanServerGuard implements InvocationHandler {
handleSetAttribute(proxy, objectName, attr);
}
}
+
+ private boolean canBypassRBAC(ObjectName objectName) {
+ List<String> allBypassObjectName = new ArrayList<String>();
+ try {
+ for (Configuration config : configAdmin.listConfigurations("(service.pid=" + JMX_ACL_WHITELIST + ")")) {
+ Enumeration<String> keys = config.getProperties().keys();
+ while (keys.hasMoreElements()) {
+ String element = keys.nextElement();
+ allBypassObjectName.add(element);
+ }
+ }
+ } catch (InvalidSyntaxException ise) {
+ throw new RuntimeException(ise);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+
+ for (String pid : iterateDownPids(getNameSegments(objectName))) {
+ if (!pid.equals("jmx.acl")
+ && allBypassObjectName.contains(pid.substring("jmx.acl.".length()))) {
+ return true;
+ }
+ }
+ return false;
+ }
void handleInvoke(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
+ if (canBypassRBAC(objectName)) {
+ return;
+ }
for (String role : getRequiredRoles(objectName, operationName, params, signature)) {
if (currentUserHasRole(role))
return;
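Review bot: In canBypassRBAC the for-each iterates directly over `configAdmin.listConfigurations(...)`, which the OSGi ConfigurationAdmin contract allows to return null when no configuration matches, so an installation without a jmx.acl.whitelist configuration would hit a NullPointerException on every guarded call; `config.getProperties()` can likewise be null for a configuration that was created but never updated. The loop also adds every property key as a whitelist entry, including keys that ConfigurationAdmin itself sets such as `service.pid`, which widens the bypass list beyond what the administrator wrote. The rewrite below returns false when nothing is configured and skips the null dictionary and the `service.pid` key; other tooling-added keys may need the same treatment. handleInvoke's body continues outside the hunk.

```java
private boolean canBypassRBAC(ObjectName objectName) {
    List<String> allBypassObjectName = new ArrayList<String>();
    try {
        Configuration[] whitelistConfigs =
                configAdmin.listConfigurations("(service.pid=" + JMX_ACL_WHITELIST + ")");
        if (whitelistConfigs == null) {
            // No whitelist configuration exists: nothing bypasses RBAC.
            return false;
        }
        for (Configuration config : whitelistConfigs) {
            if (config.getProperties() == null) {
                continue; // created but never updated
            }
            Enumeration<String> keys = config.getProperties().keys();
            while (keys.hasMoreElements()) {
                String element = keys.nextElement();
                // service.pid is set by ConfigurationAdmin, not by the administrator
                if (!"service.pid".equals(element)) {
                    allBypassObjectName.add(element);
                }
            }
        }
    // … unchanged: catch blocks and the iterateDownPids matching loop …
```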
http://git-wip-us.apache.org/repos/asf/karaf/blob/401d196c/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
----------------------------------------------------------------------
diff --git a/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java b/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
index 4beebad..d153ffc 100644
--- a/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
+++ b/management/server/src/test/java/org/apache/karaf/management/KarafMBeanServerGuardTest.java
@@ -391,6 +391,8 @@ public class KarafMBeanServerGuardTest extends TestCase {
}
EasyMock.expect(ca.listConfigurations(EasyMock.eq("(service.pid=jmx.acl*)"))).andReturn(
allConfigs.toArray(new Configuration[]{})).anyTimes();
+ EasyMock.expect(ca.listConfigurations(EasyMock.eq("(service.pid=jmx.acl.whitelist)"))).andReturn(
+ allConfigs.toArray(new Configuration[]{})).anyTimes();
EasyMock.replay(ca);
return ca;
}
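Review bot: The added stub answers the `(service.pid=jmx.acl.whitelist)` filter with the same `allConfigs` array used for the ACL lookup, so the tests never exercise either of the two cases that matter for the new code: no whitelist configuration at all, and an ObjectName that is actually whitelisted. ConfigurationAdmin may return null when nothing matches, so at least one test should stub `EasyMock.expect(ca.listConfigurations(EasyMock.eq("(service.pid=jmx.acl.whitelist)"))).andReturn(null).anyTimes();` and assert that the role checks still run. A second test with a dedicated whitelist Configuration would pin the bypass behaviour and show that a non-listed ObjectName is still denied. The enclosing helper method starts outside the hunk.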