Posted to commits@qpid.apache.org by rg...@apache.org on 2013/04/22 12:36:02 UTC

svn commit: r1470438 - in /qpid/branches/QPID-4659/qpid/java: ./ amqp-1-0-client-jms/ amqp-1-0-client/ amqp-1-0-common/ broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ broker/ broker/bin/ broker/etc/ broker/sr...

Author: rgodfrey
Date: Mon Apr 22 10:36:01 2013
New Revision: 1470438

URL: http://svn.apache.org/r1470438
Log:
QPID-4678 : merged to QPID-4659 branch

Added:
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/OperationLoggingDetails.java
      - copied unchanged from r1462551, qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/OperationLoggingDetails.java
    qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java
      - copied unchanged from r1462551, qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java
Modified:
    qpid/branches/QPID-4659/qpid/java/   (props changed)
    qpid/branches/QPID-4659/qpid/java/amqp-1-0-client/   (props changed)
    qpid/branches/QPID-4659/qpid/java/amqp-1-0-client-jms/   (props changed)
    qpid/branches/QPID-4659/qpid/java/amqp-1-0-common/   (props changed)
    qpid/branches/QPID-4659/qpid/java/broker/   (props changed)
    qpid/branches/QPID-4659/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/PlainConfigurationTest.java
    qpid/branches/QPID-4659/qpid/java/broker/bin/   (props changed)
    qpid/branches/QPID-4659/qpid/java/broker/etc/broker_example.acl
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractAdapter.java
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/PortAdapter.java
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/VirtualHostAdapter.java
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/   (props changed)
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/MessageMetaData_1_0.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/queue/   (props changed)
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/SecurityManager.java
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java
    qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/virtualhost/   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/LoggingManagement.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedBroker.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedConnection.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedExchange.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedQueue.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/UserManagement.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanAttribute.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanConstructor.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanDescription.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanOperation.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanOperationParameter.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/server/SupportedProtocolVersionsTest.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java
    qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidBrokerTestCase.java   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/CPPExcludes   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/Excludes   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/JavaBDBExcludes   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/JavaExcludes   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/JavaPre010Excludes   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/JavaTransientExcludes   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/XAExcludes   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.async.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.cluster.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.noprefetch.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.ssl.excludes   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.ssl.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/java-bdb-spawn.0-9-1.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/java-bdb.0-9-1.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/java-dby-spawn.0-9-1.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/java-dby.0-9-1.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/java-mms-spawn.0-10.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/java-mms-spawn.0-9-1.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/java-mms.0-9-1.testprofile   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/log4j-test.xml   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/test-provider.properties   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/test_resources/   (props changed)
    qpid/branches/QPID-4659/qpid/java/test-profiles/testprofile.defaults   (props changed)

Propchange: qpid/branches/QPID-4659/qpid/java/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/amqp-1-0-client/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/amqp-1-0-client:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/amqp-1-0-client-jms/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/amqp-1-0-client-jms:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/amqp-1-0-common/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/amqp-1-0-common:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/broker/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/broker:r1462551

Modified: qpid/branches/QPID-4659/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/PlainConfigurationTest.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/PlainConfigurationTest.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/PlainConfigurationTest.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/PlainConfigurationTest.java Mon Apr 22 10:36:01 2013
@@ -447,6 +447,13 @@ public class PlainConfigurationTest exte
                 "user1", Operation.ACCESS, ObjectType.MANAGEMENT, ObjectProperties.EMPTY);
     }
 
+    public void testBrokerRuleParsing() throws Exception
+    {
+        validateRule(writeACLConfig("ACL ALLOW user1 CONFIGURE BROKER"), "user1", Operation.CONFIGURE, ObjectType.BROKER,
+                ObjectProperties.EMPTY);
+        validateRule(writeACLConfig("ACL ALLOW user1 ALL BROKER"), "user1", Operation.ALL, ObjectType.BROKER, ObjectProperties.EMPTY);
+    }
+
     private void validateRule(final PlainConfiguration config, String username, Operation operation, ObjectType objectType, ObjectProperties objectProperties)
     {
         final RuleSet rs = config.getConfiguration();
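Review bot: testBrokerRuleParsing covers only the two accepted forms, so nothing pins that an operation outside BROKER's allowed set is refused. ObjectType.BROKER in this commit permits only ALL and CONFIGURE; a companion case that feeds a rule such as `ACL ALLOW user1 CREATE BROKER` and asserts the configuration is rejected would catch a later loosening of the grammar, assuming the parser enforces ObjectType's allowed operations. A DENY variant of the CONFIGURE rule is worth adding for the same reason. validateRule's body continues outside the hunk.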

Propchange: qpid/branches/QPID-4659/qpid/java/broker/bin/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/broker/bin:r1462551

Modified: qpid/branches/QPID-4659/qpid/java/broker/etc/broker_example.acl
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/etc/broker_example.acl?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/etc/broker_example.acl (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/etc/broker_example.acl Mon Apr 22 10:36:01 2013
@@ -72,6 +72,9 @@ ACL ALLOW-LOG webadmins UPDATE USER
 
 ACL ALLOW-LOG webadmins UPDATE METHOD
 
+# authorise operations changing broker model
+ACL ALLOW-LOG webadmins CONFIGURE BROKER
+
 # at the moment only the following UPDATE METHOD rules are supported by web management console
 #ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="moveMessages"
 #ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="copyMessages"
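Review bot: The added comment undersells how broad this rule is. Going by the adapters changed in this commit, `CONFIGURE BROKER` is the single permission behind creating broker-level children, deleting virtual hosts, ports and authentication providers, and updating their attributes, so anyone in webadmins who holds it can reconfigure authentication itself. I would spell that out in the example, e.g. `# CONFIGURE BROKER authorises create, update and delete of broker-level objects (virtual hosts, ports, authentication providers) and broker attributes; grant it to broker administrators only`.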

Modified: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractAdapter.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractAdapter.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractAdapter.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractAdapter.java Mon Apr 22 10:36:01 2013
@@ -90,6 +90,7 @@ abstract class AbstractAdapter implement
     public final State setDesiredState(final State currentState, final State desiredState)
             throws IllegalStateTransitionException, AccessControlException
     {
+        authoriseSetDesiredState(currentState, desiredState);
         if (_taskExecutor.isTaskExecutorThread())
         {
             if (setState(currentState, desiredState))
@@ -224,6 +225,7 @@ abstract class AbstractAdapter implement
     public Object setAttribute(final String name, final Object expected, final Object desired)
             throws IllegalStateException, AccessControlException, IllegalArgumentException
     {
+        authoriseSetAttribute(name, expected, desired);
         if (_taskExecutor.isTaskExecutorThread())
         {
             if (changeAttribute(name, expected, desired))
@@ -302,6 +304,7 @@ abstract class AbstractAdapter implement
     @Override
     public <C extends ConfiguredObject> C createChild(Class<C> childClass, Map<String, Object> attributes, ConfiguredObject... otherParents)
     {
+        authoriseCreateChild(childClass, attributes, otherParents);
         if (_taskExecutor.isTaskExecutorThread())
         {
             C child = addChild(childClass, attributes, otherParents);
@@ -331,6 +334,7 @@ abstract class AbstractAdapter implement
     @Override
     public void setAttributes(final Map<String, Object> attributes) throws IllegalStateException, AccessControlException, IllegalArgumentException
     {
+        authoriseSetAttributes(attributes);
         if (getTaskExecutor().isTaskExecutorThread())
         {
             changeAttributes(attributes);
@@ -357,4 +361,24 @@ abstract class AbstractAdapter implement
             }
         }
     }
+
+    protected void authoriseSetDesiredState(State currentState, State desiredState) throws AccessControlException
+    {
+        // allowed by default
+    }
+
+    protected void authoriseSetAttribute(String name, Object expected, Object desired) throws AccessControlException
+    {
+        // allowed by default
+    }
+
+    protected <C extends ConfiguredObject> void authoriseCreateChild(Class<C> childClass, Map<String, Object> attributes, ConfiguredObject... otherParents) throws AccessControlException
+    {
+        // allowed by default
+    }
+
+    protected void authoriseSetAttributes(Map<String, Object> attributes) throws AccessControlException
+    {
+        // allowed by default
+    }
 }
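Review bot: The four new hooks at the end of the class default to allowing the operation, so any adapter that does not override one of them is left without an access check and nothing signals the omission. In this commit only BrokerAdapter overrides authoriseCreateChild, and BrokerAdapter does not override authoriseSetDesiredState; whether the remaining adapters are covered elsewhere is not visible here. At minimum each hook deserves Javadoc stating that it runs on the calling thread before the operation is dispatched and that the default is to permit, with `// allowed by default` replaced by something like `// no check here: subclasses managing ACL-protected objects must override`. Declaring the hooks abstract would force every adapter to make the choice explicitly, if the other subclasses can absorb that.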

Modified: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AuthenticationProviderAdapter.java Mon Apr 22 10:36:01 2013
@@ -316,6 +316,36 @@ public abstract class AuthenticationProv
         return manager;
     }
 
+    @Override
+    protected void authoriseSetDesiredState(State currentState, State desiredState) throws AccessControlException
+    {
+        if(desiredState == State.DELETED)
+        {
+            if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AuthenticationProvider.class, Operation.DELETE))
+            {
+                throw new AccessControlException("Deletion of authentication provider is denied");
+            }
+        }
+    }
+
+    @Override
+    protected void authoriseSetAttribute(String name, Object expected, Object desired) throws AccessControlException
+    {
+        if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AuthenticationProvider.class, Operation.UPDATE))
+        {
+            throw new AccessControlException("Setting of authentication provider attributes is denied");
+        }
+    }
+
+    @Override
+    protected void authoriseSetAttributes(Map<String, Object> attributes) throws AccessControlException
+    {
+        if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AuthenticationProvider.class, Operation.UPDATE))
+        {
+            throw new AccessControlException("Setting of authentication provider attributes is denied");
+        }
+    }
+
     public static class SimpleAuthenticationProviderAdapter extends AuthenticationProviderAdapter<AuthenticationManager>
     {
 
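Review bot: authoriseSetDesiredState checks only the transition to State.DELETED, so every other requested state for an authentication provider passes with no ACL decision. If stopping or otherwise deactivating a provider is reachable through setDesiredState, that transition deserves the same check; if only deletion is meant to be protected, a comment such as `// only deletion is access-controlled; other transitions are unrestricted by design` would record the decision. The same pattern is repeated in the PortAdapter and VirtualHostAdapter hunks further down. authoriseSetAttribute and authoriseSetAttributes have identical bodies and could share one private helper.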

Modified: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/BrokerAdapter.java Mon Apr 22 10:36:01 2013
@@ -59,8 +59,7 @@ import org.apache.qpid.server.model.Trus
 import org.apache.qpid.server.model.UUIDGenerator;
 import org.apache.qpid.server.model.VirtualHost;
 import org.apache.qpid.server.configuration.updater.TaskExecutor;
-import org.apache.qpid.server.security.auth.manager.Base64MD5PasswordFileAuthenticationManagerFactory;
-import org.apache.qpid.server.security.auth.manager.PlainPasswordFileAuthenticationManagerFactory;
+import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.security.group.FileGroupManager;
 import org.apache.qpid.server.security.group.GroupManager;
 import org.apache.qpid.server.security.SecurityManager;
@@ -390,7 +389,18 @@ public class BrokerAdapter extends Abstr
         final VirtualHostAdapter virtualHostAdapter = new VirtualHostAdapter(UUID.randomUUID(), attributes, this,
                 _statisticsGatherer, getTaskExecutor());
         addVirtualHost(virtualHostAdapter);
-        virtualHostAdapter.setDesiredState(State.INITIALISING, State.ACTIVE);
+
+        // permission has already been granted to create the virtual host
+        // disable further access check on other operations, e.g. create exchange
+        _securityManager.setAccessChecksDisabled(true);
+        try
+        {
+            virtualHostAdapter.setDesiredState(State.INITIALISING, State.ACTIVE);
+        }
+        finally
+        {
+            _securityManager.setAccessChecksDisabled(false);
+        }
         return virtualHostAdapter;
     }
 
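Review bot: The finally block sets access checks back to enabled unconditionally rather than restoring the value in force on entry, so a caller that had already disabled checks gets them re-enabled halfway through its own operation. Whether the flag is per-thread is not visible in this hunk: if it is shared, concurrent requests would skip authorisation while the virtual host activates; if it is per-thread and setDesiredState hands the work to the task executor, the disable never reaches the code it is meant to cover. I would restore the previous value in the finally block and state the assumption next to the call, e.g. `// relies on setAccessChecksDisabled being scoped to the current thread`. The enclosing method begins outside the hunk.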
@@ -1031,7 +1041,6 @@ public class BrokerAdapter extends Abstr
     @Override
     protected void changeAttributes(Map<String, Object> attributes)
     {
-        //TODO: Add ACL check
         //TODO: Add management mode check
         Map<String, Object> convertedAttributes = MapValueConverter.convert(attributes, ATTRIBUTE_TYPES);
         validateAttributes(convertedAttributes);
@@ -1200,4 +1209,32 @@ public class BrokerAdapter extends Abstr
             }
         }
     }
+
+    @Override
+    protected void authoriseSetAttribute(String name, Object expected, Object desired) throws AccessControlException
+    {
+        if (!_securityManager.authoriseConfiguringBroker(getName(), Broker.class, Operation.UPDATE))
+        {
+            throw new AccessControlException("Setting of broker attributes is denied");
+        }
+    }
+
+    @Override
+    protected <C extends ConfiguredObject> void authoriseCreateChild(Class<C> childClass, Map<String, Object> attributes,
+            ConfiguredObject... otherParents) throws AccessControlException
+    {
+        if (!_securityManager.authoriseConfiguringBroker(String.valueOf(attributes.get(NAME)), childClass, Operation.CREATE))
+        {
+            throw new AccessControlException("Creation of new broker level entity is denied");
+        }
+    }
+
+    @Override
+    protected void authoriseSetAttributes(Map<String, Object> attributes) throws AccessControlException
+    {
+        if (!_securityManager.authoriseConfiguringBroker(getName(), Broker.class, Operation.UPDATE))
+        {
+            throw new AccessControlException("Setting of broker attributes is denied");
+        }
+    }
 }
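Review bot: authoriseCreateChild dereferences `attributes` before any validation has run, so a null map surfaces as a NullPointerException rather than an authorisation or validation error, and a missing name is recorded as the literal string "null". The name comes straight from the request and ends up in the logged operation description, so it is also worth confirming that the log sink neutralises line breaks. A guard such as `Object name = attributes == null ? null : attributes.get(NAME);` ahead of the check keeps the failure mode an authorisation result. BrokerAdapter does not override authoriseSetDesiredState, so state changes on the broker itself keep the permissive default.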

Modified: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/PortAdapter.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/PortAdapter.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/PortAdapter.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/PortAdapter.java Mon Apr 22 10:36:01 2013
@@ -45,6 +45,7 @@ import org.apache.qpid.server.model.Stat
 import org.apache.qpid.server.model.Transport;
 import org.apache.qpid.server.model.VirtualHost;
 import org.apache.qpid.server.model.VirtualHostAlias;
+import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.util.MapValueConverter;
 import org.apache.qpid.server.util.ParameterizedTypeImpl;
 import org.apache.qpid.server.configuration.updater.TaskExecutor;
@@ -356,4 +357,34 @@ public class PortAdapter extends Abstrac
         }
         super.changeAttributes(MapValueConverter.convert(attributes, ATTRIBUTE_TYPES));
     }
+
+    @Override
+    protected void authoriseSetDesiredState(State currentState, State desiredState) throws AccessControlException
+    {
+        if(desiredState == State.DELETED)
+        {
+            if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), Port.class, Operation.DELETE))
+            {
+                throw new AccessControlException("Deletion of port is denied");
+            }
+        }
+    }
+
+    @Override
+    protected void authoriseSetAttribute(String name, Object expected, Object desired) throws AccessControlException
+    {
+        if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), Port.class, Operation.UPDATE))
+        {
+            throw new AccessControlException("Setting of port attributes is denied");
+        }
+    }
+
+    @Override
+    protected void authoriseSetAttributes(Map<String, Object> attributes) throws AccessControlException
+    {
+        if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), Port.class, Operation.UPDATE))
+        {
+            throw new AccessControlException("Setting of port attributes is denied");
+        }
+    }
 }

Modified: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/VirtualHostAdapter.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/VirtualHostAdapter.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/VirtualHostAdapter.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/VirtualHostAdapter.java Mon Apr 22 10:36:01 2013
@@ -71,6 +71,7 @@ import org.apache.qpid.server.queue.AMQQ
 import org.apache.qpid.server.queue.QueueEntry;
 import org.apache.qpid.server.queue.QueueRegistry;
 import org.apache.qpid.server.security.SecurityManager;
+import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
 import org.apache.qpid.server.stats.StatisticsGatherer;
 import org.apache.qpid.server.store.MessageStore;
@@ -980,8 +981,6 @@ public final class VirtualHostAdapter ex
         }
         else if (desiredState == State.DELETED)
         {
-            //TODO: add ACL check to authorize the operation
-
             String hostName = getName();
 
             if (hostName.equals(_broker.getAttribute(Broker.DEFAULT_VIRTUAL_HOST)))
@@ -1091,4 +1090,34 @@ public final class VirtualHostAdapter ex
     {
         throw new UnsupportedOperationException("Changing attributes on virtualhosts is not supported.");
     }
+
+    @Override
+    protected void authoriseSetDesiredState(State currentState, State desiredState) throws AccessControlException
+    {
+        if(desiredState == State.DELETED)
+        {
+            if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), VirtualHost.class, Operation.DELETE))
+            {
+                throw new AccessControlException("Deletion of virtual host is denied");
+            }
+        }
+    }
+
+    @Override
+    protected void authoriseSetAttribute(String name, Object expected, Object desired) throws AccessControlException
+    {
+        if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), VirtualHost.class, Operation.UPDATE))
+        {
+            throw new AccessControlException("Setting of virtual host attributes is denied");
+        }
+    }
+
+    @Override
+    protected void authoriseSetAttributes(Map<String, Object> attributes) throws AccessControlException
+    {
+        if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), VirtualHost.class, Operation.UPDATE))
+        {
+            throw new AccessControlException("Setting of virtual host attributes is denied");
+        }
+    }
 }

Propchange: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/MessageMetaData_1_0.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/MessageMetaData_1_0.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/protocol/v1_0/ProtocolEngine_1_0_0_SASL.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/queue/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/queue:r1462551

Modified: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/SecurityManager.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/SecurityManager.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/SecurityManager.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/SecurityManager.java Mon Apr 22 10:36:01 2013
@@ -33,7 +33,9 @@ import org.apache.qpid.server.queue.AMQQ
 import org.apache.qpid.server.security.access.ObjectProperties;
 import org.apache.qpid.server.security.access.ObjectType;
 import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.access.OperationLoggingDetails;
 
+import static org.apache.qpid.server.security.access.ObjectType.BROKER;
 import static org.apache.qpid.server.security.access.ObjectType.EXCHANGE;
 import static org.apache.qpid.server.security.access.ObjectType.GROUP;
 import static org.apache.qpid.server.security.access.ObjectType.METHOD;
@@ -41,6 +43,7 @@ import static org.apache.qpid.server.sec
 import static org.apache.qpid.server.security.access.ObjectType.USER;
 import static org.apache.qpid.server.security.access.ObjectType.VIRTUALHOST;
 import static org.apache.qpid.server.security.access.Operation.BIND;
+import static org.apache.qpid.server.security.access.Operation.CONFIGURE;
 import static org.apache.qpid.server.security.access.Operation.CONSUME;
 import static org.apache.qpid.server.security.access.Operation.CREATE;
 import static org.apache.qpid.server.security.access.Operation.DELETE;
@@ -549,4 +552,20 @@ public class SecurityManager implements 
         }
     }
 
+    public boolean authoriseConfiguringBroker(String configuredObjectName, Class<? extends ConfiguredObject> configuredObjectType, Operation configuredObjectOperation)
+    {
+        String description = String.format("%s %s '%s'",
+                configuredObjectOperation == null? null : configuredObjectOperation.name().toLowerCase(),
+                configuredObjectType == null ? null : configuredObjectType.getSimpleName().toLowerCase(),
+                configuredObjectName);
+        final OperationLoggingDetails properties = new OperationLoggingDetails(description);
+        return checkAllPlugins(new AccessCheck()
+        {
+            Result allowed(AccessControl plugin)
+            {
+                return plugin.authorise(CONFIGURE, BROKER, properties);
+            }
+        });
+    }
+
 }
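Review bot: authoriseConfiguringBroker has no Javadoc, and its signature suggests a finer-grained decision than the body makes. As far as this hunk shows, the operation and object-type arguments only feed the description passed to OperationLoggingDetails; the call every plugin sees is always `plugin.authorise(CONFIGURE, BROKER, properties)`, so an ACL rule cannot allow UPDATE of a port while denying DELETE of an authentication provider unless a plugin inspects that description. A Javadoc block saying that the three parameters shape the logged description and that the decision is made on CONFIGURE BROKER would stop callers assuming otherwise. The two `toLowerCase()` calls use the default locale; `toLowerCase(Locale.ROOT)` keeps the logged text stable across locales, at the cost of one extra import.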

Modified: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java Mon Apr 22 10:36:01 2013
@@ -350,4 +350,9 @@ public class ObjectProperties
     {
         return _properties.toString();
     }
+
+    public boolean isEmpty()
+    {
+        return _properties.isEmpty();
+    }
 }

Modified: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java Mon Apr 22 10:36:01 2013
@@ -20,6 +20,7 @@ package org.apache.qpid.server.security.
 
 import static org.apache.qpid.server.security.access.Operation.ACCESS;
 import static org.apache.qpid.server.security.access.Operation.BIND;
+import static org.apache.qpid.server.security.access.Operation.CONFIGURE;
 import static org.apache.qpid.server.security.access.Operation.CONSUME;
 import static org.apache.qpid.server.security.access.Operation.CREATE;
 import static org.apache.qpid.server.security.access.Operation.DELETE;
@@ -48,7 +49,8 @@ public enum ObjectType
     ROUTE, // Not allowed in the Java broker
     METHOD(Operation.ALL, ACCESS, UPDATE),
     USER(Operation.ALL, CREATE, DELETE, UPDATE),
-    GROUP(Operation.ALL, CREATE, DELETE, UPDATE);
+    GROUP(Operation.ALL, CREATE, DELETE, UPDATE),
+    BROKER(Operation.ALL, CONFIGURE);
 
     private EnumSet<Operation> _actions;
     
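Review bot: The new `BROKER(Operation.ALL, CONFIGURE)` constant has no comment saying what it protects, although it introduces the permission behind the `plugin.authorise(CONFIGURE, BROKER, properties)` check added earlier in this commit. I would add a trailing comment in the style of the ROUTE line, for example `BROKER(Operation.ALL, CONFIGURE); // broker-level configuration changes, checked with CONFIGURE only`. Because the type also accepts `Operation.ALL`, existing ACL files with catch-all rules presumably begin to match broker configuration once this lands. That should be confirmed and stated in the ACL documentation, so operators re-check broad ALLOW rules before upgrading. The enum body continues outside the hunk.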

Modified: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java (original)
+++ qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java Mon Apr 22 10:36:01 2013
@@ -32,8 +32,9 @@ public enum Operation
     UNBIND,
     DELETE,
     PURGE,
-    UPDATE;
-    
+    UPDATE,
+    CONFIGURE;
+
     public static Operation parse(String text)
     {
         for (Operation operation : values())

Propchange: qpid/branches/QPID-4659/qpid/java/broker/src/main/java/org/apache/qpid/server/virtualhost/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/virtualhost:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/LoggingManagement.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/LoggingManagement.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedBroker.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedBroker.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedConnection.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedConnection.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedExchange.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedExchange.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedQueue.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/ManagedQueue.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/UserManagement.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/UserManagement.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanAttribute.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanAttribute.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanConstructor.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanConstructor.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanDescription.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanDescription.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanOperation.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanOperation.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanOperationParameter.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/management/common/src/main/java/org/apache/qpid/management/common/mbeans/annotations/MBeanOperationParameter.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/server/SupportedProtocolVersionsTest.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/SupportedProtocolVersionsTest.java:r1462551

Modified: qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java
URL: http://svn.apache.org/viewvc/qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java?rev=1470438&r1=1470437&r2=1470438&view=diff
==============================================================================
--- qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java (original)
+++ qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java Mon Apr 22 10:36:01 2013
@@ -95,4 +95,10 @@ public class QpidRestTestCase extends Qp
     {
         return _restTestHelper;
     }
+
+    protected void restartBrokerInManagementMode() throws Exception
+    {
+        stopBroker();
+        startBroker(0, true);
+    }
 }
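Review bot: `startBroker(0, true)` in `restartBrokerInManagementMode()` passes two bare literals, so only the method name tells the reader that management mode is being switched on. A short Javadoc saying the helper stops the running broker and restarts it in management mode would help, together with an inline comment such as `startBroker(0, true); // second argument presumably enables management mode - confirm against startBroker`. The broker stays in that mode for the rest of the calling test, and if `startBroker` throws after `stopBroker()` no broker is running at all. It is worth confirming that tearDown copes with both states, so later tests do not run against a broker with different access rules than they expect.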

Propchange: qpid/branches/QPID-4659/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidBrokerTestCase.java
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidBrokerTestCase.java:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/CPPExcludes
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/CPPExcludes:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/Excludes
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/Excludes:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/JavaBDBExcludes
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/JavaBDBExcludes:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/JavaExcludes
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/JavaExcludes:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/JavaPre010Excludes
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/JavaPre010Excludes:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/JavaTransientExcludes
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/JavaTransientExcludes:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/XAExcludes
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/XAExcludes:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.async.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/cpp.async.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.cluster.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/cpp.cluster.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.noprefetch.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/cpp.noprefetch.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.ssl.excludes
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/cpp.ssl.excludes:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.ssl.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/cpp.ssl.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/cpp.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/cpp.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/java-bdb-spawn.0-9-1.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/java-bdb-spawn.0-9-1.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/java-bdb.0-9-1.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/java-bdb.0-9-1.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/java-dby-spawn.0-9-1.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/java-dby-spawn.0-9-1.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/java-dby.0-9-1.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/java-dby.0-9-1.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/java-mms-spawn.0-10.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/java-mms-spawn.0-10.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/java-mms-spawn.0-9-1.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/java-mms-spawn.0-9-1.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/java-mms.0-9-1.testprofile
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/java-mms.0-9-1.testprofile:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/log4j-test.xml
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/log4j-test.xml:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/test-provider.properties
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/test-provider.properties:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/test_resources/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/test_resources:r1462551

Propchange: qpid/branches/QPID-4659/qpid/java/test-profiles/testprofile.defaults
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/java/test-profiles/testprofile.defaults:r1462551


