Posted to commits@geode.apache.org by ji...@apache.org on 2016/03/14 17:24:40 UTC

incubator-geode git commit: GEODE-17: added AccessControlMBean test

Repository: incubator-geode
Updated Branches:
  refs/heads/feature/GEODE-17-2 a646879a6 -> c55aa9501


GEODE-17: added AccessControlMBean test

* added AccessControlMBean test
* Authenticated users can create beans that are not in the GemFire domain
* Any authenticated user can call "authorize" method in the AccessControlMXBean


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/c55aa950
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/c55aa950
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/c55aa950

Branch: refs/heads/feature/GEODE-17-2
Commit: c55aa9501c2c2d8044500d5b01d8921eaf053965
Parents: a646879
Author: Jinmei Liao <ji...@pivotal.io>
Authored: Mon Mar 14 09:02:18 2016 -0700
Committer: Jinmei Liao <ji...@pivotal.io>
Committed: Mon Mar 14 09:22:57 2016 -0700

----------------------------------------------------------------------
 .../internal/security/AccessControlMBean.java   |  5 +-
 .../internal/security/AccessControlMXBean.java  |  6 +-
 .../internal/security/MBeanServerWrapper.java   | 24 ++++++--
 .../security/AccessControlMBeanJUnitTest.java   | 58 ++++++++++++++++++++
 ...CacheServerMBeanAuthenticationJUnitTest.java |  2 +-
 .../CacheServerMBeanAuthorizationJUnitTest.java |  4 +-
 .../security/MBeanSecurityJUnitTest.java        |  6 +-
 .../security/MBeanServerConnectionRule.java     | 12 ++--
 .../security/MemberMBeanSecurityJUnitTest.java  |  2 +-
 9 files changed, 94 insertions(+), 25 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c55aa950/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
index 0153c07..ea83771 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
@@ -16,7 +16,6 @@
  */
 package com.gemstone.gemfire.management.internal.security;
 
-import com.gemstone.gemfire.cache.operations.OperationContext;
 import com.gemstone.gemfire.security.AccessControl;
 
 import javax.management.remote.JMXPrincipal;
@@ -42,7 +41,7 @@ public class AccessControlMBean implements AccessControlMXBean {
   }
 
   @Override
-  public boolean authorize(String role) {
+  public boolean authorize(String resource, String permission) {
     AccessControlContext acc = AccessController.getContext();
     Subject subject = Subject.getSubject(acc);
     Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
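Review bot: The new signature on L64 drops the only input validation this operation had: the removed `OperationContext.OperationCode.valueOf(role)` rejected unknown operation names with an IllegalArgumentException, whereas `new ResourceOperationContext(resource, permission)` in the next hunk (L73) now receives both caller-supplied strings as-is, and whether that constructor validates them is not visible here. Because the commit deliberately opens this method to every authenticated user, I would fail closed on missing input before building the context, `if (resource == null || permission == null) throw new SecurityException(ResourceConstants.ACCESS_DENIED_MESSAGE);`, and document the accepted values in a Javadoc on the method. The `authorized` local in L71-L74 can be returned directly. `Subject.getSubject(acc)` on L66 is unchanged context, but it returns null when no Subject is bound to the calling thread, so the dereference on L67 fails with a NullPointerException rather than a SecurityException; that still denies access, only less clearly.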
@@ -52,7 +51,7 @@ public class AccessControlMBean implements AccessControlMXBean {
     Principal principal = principals.iterator().next();
     AccessControl gemAccControl = interceptor.getAccessControl(principal, false);
     boolean authorized = gemAccControl.authorizeOperation(null,
-        new ResourceOperationContext(Resource.DEFAULT, OperationContext.OperationCode.valueOf(role)));
+        new ResourceOperationContext(resource, permission));
     return authorized;
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c55aa950/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMXBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMXBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMXBean.java
index a7001ee..a3ccb1e 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMXBean.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMXBean.java
@@ -16,16 +16,12 @@
  */
 package com.gemstone.gemfire.management.internal.security;
 
-import static com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-
 /**
  * Interface for AccessControlMBean
- * @author tushark
  * @since 9.0
  */
 public interface AccessControlMXBean {
 
-  @ResourceOperation(resource = Resource.MEMBER, operation = OperationCode.ALL)
-  public boolean authorize(String role);
+  public boolean authorize(String resource, String permission);
   
 }
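Review bot: `authorize` on L99 loses its `@ResourceOperation` annotation and gains two untyped String parameters, yet the interface carries no Javadoc saying which `resource` and `permission` values are accepted or that the operation is intentionally callable by any authenticated user, so a reader of the MXBean alone cannot tell whether the missing annotation is an oversight. I would add a Javadoc above the method such as `/** Returns whether the calling authenticated principal may perform {@code permission} on {@code resource}. Deliberately not annotated with {@code @ResourceOperation}: any authenticated user may query its own permissions. */` with `@param` and `@return` tags. The `public` modifier on an interface method is redundant.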

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c55aa950/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
index d12a5de..0cbd23f 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
@@ -16,6 +16,7 @@
  */
 package com.gemstone.gemfire.management.internal.security;
 
+import com.gemstone.gemfire.management.internal.ManagementConstants;
 import com.gemstone.gemfire.security.GemFireSecurityException;
 
 import javax.management.Attribute;
@@ -76,42 +77,53 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
     interceptor.postAuthorize(context);
   }
 
+  private void checkDomain(ObjectName name){
+    if (ManagementConstants.OBJECTNAME__DEFAULTDOMAIN.equals(name.getDomain()))
+      throw new SecurityException(ResourceConstants.ACCESS_DENIED_MESSAGE);
+  }
+
   @Override
   public ObjectInstance createMBean(String className, ObjectName name) throws ReflectionException,
       InstanceAlreadyExistsException, MBeanException, NotCompliantMBeanException {
-    throw new SecurityException(ResourceConstants.ACCESS_DENIED_MESSAGE);
+    checkDomain(name);
+    return mbs.createMBean(className, name);
   }
 
   @Override
   public ObjectInstance createMBean(String className, ObjectName name, ObjectName loaderName)
       throws ReflectionException, InstanceAlreadyExistsException, MBeanException,
       NotCompliantMBeanException, InstanceNotFoundException {
-    throw new SecurityException(ResourceConstants.ACCESS_DENIED_MESSAGE);
+    checkDomain(name);
+    return mbs.createMBean(className, name, loaderName);
   }
 
   @Override
   public ObjectInstance createMBean(String className, ObjectName name, Object[] params, String[] signature)
       throws ReflectionException, InstanceAlreadyExistsException, MBeanException,
       NotCompliantMBeanException {
-    throw new SecurityException(ResourceConstants.ACCESS_DENIED_MESSAGE);
+    checkDomain(name);
+    return mbs.createMBean(className, name, params, signature);
   }
 
   @Override
   public ObjectInstance createMBean(String className, ObjectName name, ObjectName loaderName, Object[] params,
       String[] signature) throws ReflectionException, InstanceAlreadyExistsException,
       MBeanException, NotCompliantMBeanException, InstanceNotFoundException {
-    throw new SecurityException(ResourceConstants.ACCESS_DENIED_MESSAGE);
+    checkDomain(name);
+    return mbs.createMBean(className, name, loaderName, params, signature);
   }
 
   @Override
   public ObjectInstance registerMBean(Object object, ObjectName name) throws InstanceAlreadyExistsException,
       MBeanRegistrationException, NotCompliantMBeanException {
-    throw new SecurityException(ResourceConstants.ACCESS_DENIED_MESSAGE);
+    checkDomain(name);
+    return mbs.registerMBean(object, name);
   }
 
   @Override
   public void unregisterMBean(ObjectName name) throws InstanceNotFoundException, MBeanRegistrationException {
-    throw new SecurityException(ResourceConstants.ACCESS_DENIED_MESSAGE);
+    checkDomain(name);
+    mbs.unregisterMBean(name);
   }
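Review bot: `checkDomain` on L121-L124 dereferences `name` without a null check, but every `createMBean`/`registerMBean` overload it now guards accepts a null ObjectName (the MBean then supplies its own name from `MBeanRegistration.preRegister`), so such a call fails with a NullPointerException instead of the intended SecurityException, and the domain the MBean would actually choose is never examined. Make the rejection explicit, e.g. `if (name == null || ManagementConstants.OBJECTNAME__DEFAULTDOMAIN.equals(name.getDomain())) {` with braces around the throw. An ObjectName with an empty domain is resolved to the wrapped server's default domain at registration time; if that default is ever the GemFire domain (not visible here) the string comparison would not catch it, so the test suite should pin how `":name=foo"` is handled. Since the create overloads on L130-L158 now reach `mbs.createMBean`, which instantiates the caller-named class, for any authenticated user regardless of role, that policy deserves a sentence in the class Javadoc so it reads as intended rather than accidental.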
 
   @Override

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c55aa950/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AccessControlMBeanJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AccessControlMBeanJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AccessControlMBeanJUnitTest.java
new file mode 100644
index 0000000..fef306a
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AccessControlMBeanJUnitTest.java
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import static org.assertj.core.api.Assertions.*;
+
+@Category(IntegrationTest.class)
+public class AccessControlMBeanJUnitTest {
+  private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+
+  private AccessControlMXBean bean;
+
+  @ClassRule
+  public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule(
+      jmxManagerPort, "cacheServer.json");
+
+  @Rule
+  public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+
+  @Before
+  public void setUp() throws Exception {
+    bean = connectionRule.getAccessControlMBean();
+  }
+
+  /**
+   * Test that any authenticated user can access this method
+   * @throws Exception
+   */
+  @Test
+  @JMXConnectionConfiguration(user = "user", password = "1234567")
+  public void testAnyAccess() throws Exception {
+    assertThat(bean.authorize("DISTRIBUTED_SYSTEM", "LIST_DS")).isEqualTo(true);
+    assertThat(bean.authorize("INDEX", "DESTROY")).isEqualTo(false);
+  }
+
+}
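Review bot: The assertions on L239-L240 use `isEqualTo(true)` and `isEqualTo(false)` where AssertJ's `isTrue()` and `isFalse()` read more directly, and the Javadoc on L232-L235 carries an empty `@throws Exception` tag that should be dropped or explained. The test exercises only one authenticated user; the commit description says any authenticated user may call `authorize`, so a second test using a lower-privilege user from `cacheServer.json`, and if the connection rule supports it one showing that a wrong-password connection is refused, would pin that contract instead of leaving it to the description. `jmxManagerPort` on L216 is a mutable static; `private static final int` states the intent.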

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c55aa950/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java
index cf70f43..4cf7857 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java
@@ -36,7 +36,7 @@ public class CacheServerMBeanAuthenticationJUnitTest {
       jmxManagerPort, "cacheServer.json", false);
 
   @Rule
-  public MBeanServerConnectionRule<CacheServerMXBean> connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+  public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
 
   @Before
   public void setUp() throws Exception {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c55aa950/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
index 3f2b01a..60a49ad 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
@@ -38,11 +38,11 @@ public class CacheServerMBeanAuthorizationJUnitTest {
       jmxManagerPort, "cacheServer.json");
 
   @Rule
-  public MBeanServerConnectionRule<CacheServerMXBean> connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+  public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
 
   @Before
   public void setUp() throws Exception {
-    cacheServerMXBean = connectionRule.getProxyMBean(CacheServerMXBean.class, "GemFire:service=CacheServer,*");
+    cacheServerMXBean = connectionRule.getProxyMBean(CacheServerMXBean.class);
   }
 
   @Test

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c55aa950/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
index 4b3b6c5..5944363 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
@@ -52,7 +52,7 @@ public class MBeanSecurityJUnitTest {
 
 
   /**
-   * No user can call createBean or unregisterBean of any domain
+   * No user can call createBean or unregisterBean of GemFire Domain
    */
   @Test
   @JMXConnectionConfiguration(user = "superuser", password = "1234567")
@@ -66,10 +66,10 @@ public class MBeanSecurityJUnitTest {
         () -> con.unregisterMBean(new ObjectName("GemFire", "name", "foo"))
     ).isInstanceOf(SecurityException.class);
 
-    // user is not allowed to create beans of other domains either
+    // user is allowed to create beans of other domains
     assertThatThrownBy(
         () -> con.createMBean("FakeClassName", new ObjectName("OtherDomain", "name", "foo"))
-    ).isInstanceOf(SecurityException.class);
+    ).isInstanceOf(ReflectionException.class);
   }
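Review bot: The assertion on L303-L306 shows only that the wrapper delegated to the underlying server, because the `ReflectionException` comes from `FakeClassName` not being loadable rather than from a successful creation in `OtherDomain`, so the behavior the comment on L302 describes is not actually demonstrated. A stronger check would create a bean from a class known to exist on the server classpath under `OtherDomain`, assert `con.isRegistered` on it, and unregister it in a finally block so later tests are unaffected. The enclosing test method starts before this hunk.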
 
   /*

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c55aa950/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanServerConnectionRule.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanServerConnectionRule.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanServerConnectionRule.java
index b634271..5b1ca3c 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanServerConnectionRule.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanServerConnectionRule.java
@@ -39,7 +39,7 @@ import java.util.Set;
  * it allows for the creation of per-test connections with different user/password combinations.
  *
  */
-public class MBeanServerConnectionRule<T> extends DescribedExternalResource {
+public class MBeanServerConnectionRule extends DescribedExternalResource {
 
   private final int jmxServerPort;
   private JMXConnector jmxConnector;
@@ -60,7 +60,7 @@ public class MBeanServerConnectionRule<T> extends DescribedExternalResource {
    *
    * @return A new proxy MBean of the same type with which the class was constructed
    */
-  public T getProxyMBean(Class<T> proxyClass, String beanQueryName) throws MalformedObjectNameException, IOException {
+  public <T> T getProxyMBean(Class<T> proxyClass, String beanQueryName) throws MalformedObjectNameException, IOException {
     ObjectName name = null;
     QueryExp query = null;
 
@@ -80,16 +80,20 @@ public class MBeanServerConnectionRule<T> extends DescribedExternalResource {
     return JMX.newMXBeanProxy(con, ((ObjectInstance) beans.toArray()[0]).getObjectName(), proxyClass);
   }
 
+  public AccessControlMXBean getAccessControlMBean() throws Exception{
+    return JMX.newMXBeanProxy(con, new ObjectName("GemFire:service=AccessControl,type=Distributed"), AccessControlMXBean.class);
+  }
+
   /**
    * Retrieve a new proxy MBean
    *
    * @return A new proxy MBean of the same type with which the class was constructed
    */
-  public Object getProxyMBean(Class proxyClass) throws MalformedObjectNameException, IOException {
+  public <T> T getProxyMBean(Class<T> proxyClass) throws MalformedObjectNameException, IOException {
     return getProxyMBean(proxyClass, null);
   }
 
-  public Object getProxyMBean(String beanQueryName) throws MalformedObjectNameException, IOException {
+  public <T> T getProxyMBean(String beanQueryName) throws MalformedObjectNameException, IOException {
     return getProxyMBean(null, beanQueryName);
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c55aa950/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MemberMBeanSecurityJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MemberMBeanSecurityJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MemberMBeanSecurityJUnitTest.java
index edb0bc2..a4177e6 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MemberMBeanSecurityJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MemberMBeanSecurityJUnitTest.java
@@ -42,7 +42,7 @@ public class MemberMBeanSecurityJUnitTest {
 
   @Before
   public void setUp() throws Exception {
-    bean = (MemberMXBean) connectionRule.getProxyMBean(MemberMXBean.class);
+    bean = connectionRule.getProxyMBean(MemberMXBean.class);
   }
 
   @Test