Posted to commits@geode.apache.org by ji...@apache.org on 2016/04/08 00:05:56 UTC
incubator-geode git commit: GEODE-17: fix pulse authorization
Repository: incubator-geode
Updated Branches:
refs/heads/feature/GEODE-17-2 d0c4a991a -> 66c45f97c
GEODE-17: fix pulse authorization
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/66c45f97
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/66c45f97
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/66c45f97
Branch: refs/heads/feature/GEODE-17-2
Commit: 66c45f97c83ea895c66eb3ad94b3e4cdd7863a87
Parents: d0c4a99
Author: Jinmei Liao <ji...@pivotal.io>
Authored: Thu Apr 7 15:05:39 2016 -0700
Committer: Jinmei Liao <ji...@pivotal.io>
Committed: Thu Apr 7 15:05:39 2016 -0700
----------------------------------------------------------------------
.../pulse/internal/data/PulseConstants.java | 4 +--
.../security/GemFireAuthentication.java | 33 ++------------------
.../src/main/webapp/WEB-INF/spring-security.xml | 20 ++++++------
.../tools/pulse/tests/PulseAutomatedTest.java | 1 +
geode-pulse/src/test/resources/pulse-auth.json | 5 ++-
5 files changed, 18 insertions(+), 45 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/66c45f97/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/data/PulseConstants.java
----------------------------------------------------------------------
diff --git a/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/data/PulseConstants.java b/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/data/PulseConstants.java
index e5e3b66..956ba57 100644
--- a/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/data/PulseConstants.java
+++ b/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/data/PulseConstants.java
@@ -414,8 +414,8 @@ public class PulseConstants {
MBEAN_ATTRIBUTE_ENTRYSIZE, MBEAN_ATTRIBUTE_NUMBEROFROWS };
public static final String PULSE_ROLES[] = {
- "PULSE_DASHBOARD",
- "PULSE_DATABROWSER"
+ "CLUSTER:READ",
+ "DATA:READ"
};
// SSL Related attributes
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/66c45f97/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java
----------------------------------------------------------------------
diff --git a/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java b/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java
index e066865..fb40a20 100644
--- a/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java
+++ b/geode-pulse/src/main/java/com/vmware/gemfire/tools/pulse/internal/security/GemFireAuthentication.java
@@ -22,7 +22,6 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.context.SecurityContextHolder;
import javax.management.InstanceNotFoundException;
import javax.management.MBeanException;
@@ -90,31 +89,6 @@ public class GemFireAuthentication extends UsernamePasswordAuthenticationToken {
throw new RuntimeException(e);
}
}
-
- public static boolean authorize(String role){
- try {
- GemFireAuthentication authentication = (GemFireAuthentication) SecurityContextHolder
- .getContext().getAuthentication();
- MBeanServerConnection mbeanServer = authentication
- .getRemoteMBeanServer();
- LOGGER.fine("#GemFireAuthentication : Checking for role="+role);
- ObjectName name = new ObjectName(PulseConstants.OBJECT_NAME_ACCESSCONTROL_MBEAN);
- Object[] params = new Object[] {role};
- String[] signature = new String[] {String.class.getCanonicalName()};
- Boolean result = (Boolean)mbeanServer.invoke(name, "authorize", params, signature);
- return result;
- } catch (MalformedObjectNameException e) {
- throw new RuntimeException(e);
- } catch (InstanceNotFoundException e) {
- throw new RuntimeException(e);
- } catch (MBeanException e) {
- throw new RuntimeException(e);
- } catch (ReflectionException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new RuntimeException(e);
- }
- }
public static ArrayList<GrantedAuthority> populateAuthorities(JMXConnector jmxc) {
ObjectName name;
@@ -122,14 +96,13 @@ public class GemFireAuthentication extends UsernamePasswordAuthenticationToken {
name = new ObjectName(PulseConstants.OBJECT_NAME_ACCESSCONTROL_MBEAN);
MBeanServerConnection mbeanServer = jmxc.getMBeanServerConnection();
ArrayList<GrantedAuthority> authorities = new ArrayList<>();
- authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
for(String role : PulseConstants.PULSE_ROLES){
- Object[] params = new Object[] {"PULSE", role};
+ Object[] params = role.split(":");
String[] signature = new String[] {String.class.getCanonicalName(), String.class.getCanonicalName()};
boolean result = (Boolean)mbeanServer.invoke(name, "authorize", params, signature);
if(result){
//spring sec require ROLE_ prefix
- authorities.add(new SimpleGrantedAuthority("ROLE_"+role));
+ authorities.add(new SimpleGrantedAuthority(role));
}
}
return authorities;
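Review bot: `role.split(":")` is handed to `invoke` as the parameter array while the signature array is fixed at two `String` entries, so a `PULSE_ROLES` entry that is not exactly `RESOURCE:OPERATION` surfaces as a parameter/signature mismatch at the MBean call rather than as a clear error. Validating the split first would make that coupling explicit, e.g. `String[] parts = role.split(":", 2); if (parts.length != 2) throw new IllegalArgumentException("Bad role: " + role);`. The retained comment `//spring sec require ROLE_ prefix` now contradicts the line below it, which grants the bare `role`; drop it or reword it to something like `// authority is the RESOURCE:OPERATION string, matched as-is by spring-security.xml`. populateAuthorities starts before this hunk and its catch blocks follow in the next one.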
@@ -143,7 +116,7 @@ public class GemFireAuthentication extends UsernamePasswordAuthenticationToken {
throw new RuntimeException(e);
} catch (IOException e) {
throw new RuntimeException(e);
- }
+ }
}
public JMXConnector getJmxc() {
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/66c45f97/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
----------------------------------------------------------------------
diff --git a/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml b/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
index 5ff1f31..3ba3876 100644
--- a/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
+++ b/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
@@ -36,16 +36,16 @@
<!-- Can be invoked w/o auth -->
<!-- Restricted urls -->
- <intercept-url pattern="/DataBrowser.html" access="hasRole('ROLE_PULSE_DASHBOARD') and hasRole('ROLE_PULSE_DATABROWSER')" />
- <intercept-url pattern="/clusterDetail.html" access="hasRole('ROLE_PULSE_DASHBOARD')" />
- <intercept-url pattern="/MemberDetails.html" access="hasRole('ROLE_PULSE_DASHBOARD')" />
- <intercept-url pattern="/regionDetail.html" access="hasRole('ROLE_PULSE_DASHBOARD')" />
- <intercept-url pattern="/pulse/*" access="hasRole('ROLE_PULSE_DASHBOARD')" />
- <intercept-url pattern="/clearAlerts" access="hasRole('ROLE_PULSE_DASHBOARD')" />
- <intercept-url pattern="/acknowledgeAlert" access="hasRole('ROLE_PULSE_DASHBOARD')" />
+ <intercept-url pattern="/DataBrowser.html" access="hasRole('CLUSTER:READ') and hasRole('DATA:READ')" />
+ <intercept-url pattern="/clusterDetail.html" access="hasRole('CLUSTER:READ')" />
+ <intercept-url pattern="/MemberDetails.html" access="hasRole('CLUSTER:READ')" />
+ <intercept-url pattern="/regionDetail.html" access="hasRole('CLUSTER:READ')" />
+ <intercept-url pattern="/pulse/*" access="hasRole('CLUSTER:READ')" />
+ <intercept-url pattern="/clearAlerts" access="hasRole('CLUSTER:READ')" />
+ <intercept-url pattern="/acknowledgeAlert" access="hasRole('CLUSTER:READ')" />
<!-- /dataBrowserRegions, /dataBrowserQuery, /dataBrowserQueryHistory, /dataBrowserExport -->
- <intercept-url pattern="/dataBrowser*" access="hasRole('ROLE_PULSE_DASHBOARD') and hasRole('ROLE_PULSE_DATABROWSER')" />
- <intercept-url pattern="/getQueryStatisticsGridModel/*" access="hasRole('ROLE_PULSE_DASHBOARD') and hasRole('ROLE_PULSE_DATABROWSER')" />
+ <intercept-url pattern="/dataBrowser*" access="hasRole('CLUSTER:READ') and hasRole('DATA:READ')" />
+ <intercept-url pattern="/getQueryStatisticsGridModel/*" access="hasRole('CLUSTER:READ') and hasRole('DATA:READ')" />
<!-- Restricted urls -->
<form-login login-page="/Login.html"
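Review bot: The new rules keep `hasRole(...)` although the granted authorities no longer carry a `ROLE_` prefix, and whether `hasRole('CLUSTER:READ')` matches an authority named `CLUSTER:READ` depends on the Spring Security version in use, which is not visible here: releases from 4.0 on prepend `ROLE_` inside `hasRole`, in which case every rule in this block would deny access. `hasAuthority(...)` compares the string as-is in both 3.x and 4.x and states the intent, e.g. `access="hasAuthority('CLUSTER:READ') and hasAuthority('DATA:READ')"`. Separately, `/clearAlerts` and `/acknowledgeAlert` look like state-changing endpoints judging by their names, yet they are gated on a READ permission; confirm that this is intended, or map them to a write-level permission if the access-control MBean defines one. A short XML comment above the block saying that authorities are the RESOURCE:OPERATION strings checked against the access-control MBean would help the next reader.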
@@ -83,7 +83,7 @@
<authentication-manager>
<authentication-provider>
<user-service>
- <user name="admin" password="admin" authorities="ROLE_USER,ROLE_PULSE_DASHBOARD,ROLE_PULSE_DATABROWSER" />
+ <user name="admin" password="admin" authorities="CLUSTER:READ,DATA:READ" />
</user-service>
</authentication-provider>
</authentication-manager>
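Review bot: The rewritten `<user>` line still ships a fixed `admin`/`admin` account in plaintext under `src/main/webapp`, and it now carries both `CLUSTER:READ` and `DATA:READ`, which is everything the intercept rules in this file require. If this `user-service` is active in any deployable configuration (the enclosing bean or profile is outside the hunk), the default credential grants access to every restricted URL, including the data browser. Consider requiring the credential to be supplied at deployment instead of defaulting it, or at minimum mark it with a comment such as `<!-- default account for local development only; must be replaced before deployment -->`.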
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/66c45f97/geode-pulse/src/test/java/com/vmware/gemfire/tools/pulse/tests/PulseAutomatedTest.java
----------------------------------------------------------------------
diff --git a/geode-pulse/src/test/java/com/vmware/gemfire/tools/pulse/tests/PulseAutomatedTest.java b/geode-pulse/src/test/java/com/vmware/gemfire/tools/pulse/tests/PulseAutomatedTest.java
index d542276..a587b5a 100644
--- a/geode-pulse/src/test/java/com/vmware/gemfire/tools/pulse/tests/PulseAutomatedTest.java
+++ b/geode-pulse/src/test/java/com/vmware/gemfire/tools/pulse/tests/PulseAutomatedTest.java
@@ -190,6 +190,7 @@ public class PulseAutomatedTest extends PulseAbstractTest {
}
@Test
+ @Ignore("Issue with highlighting")
public void verifyHostTooltipsOfTopologyGraphTest() {
for (int i = 1; i <=3; i++) {
clickElementUsingXpath(PulseTestLocators.TopNavigation.clusterViewLinkXpath);
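Review bot: The reason in `@Ignore("Issue with highlighting")` does not say what fails or where the failure is tracked, and the change is unrelated to the authorization fix named in the commit title, so the test is likely to stay disabled unnoticed. Put a tracking reference in the reason, e.g. `@Ignore("GEODE-<ticket-id>: issue with highlighting")` where the ticket id is a placeholder, or move the change to its own commit. The test method body continues past the end of the hunk.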
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/66c45f97/geode-pulse/src/test/resources/pulse-auth.json
----------------------------------------------------------------------
diff --git a/geode-pulse/src/test/resources/pulse-auth.json b/geode-pulse/src/test/resources/pulse-auth.json
index ab3c342..7565437 100644
--- a/geode-pulse/src/test/resources/pulse-auth.json
+++ b/geode-pulse/src/test/resources/pulse-auth.json
@@ -3,9 +3,8 @@
{
"name": "pulse",
"operationsAllowed": [
- "PULSE:PULSE_DASHBOARD",
- "PULSE:PULSE_DATABROWSER",
- "JMX:GET"
+ "DATA:READ",
+ "CLUSTER:READ"
]
}
],