Posted to commits@ignite.apache.org by sb...@apache.org on 2016/11/09 09:27:12 UTC
[02/17] ignite git commit: ignite-4178 support permission builder
ignite-4178 support permission builder
Project: http://git-wip-us.apache.org/repos/asf/ignite/repo
Commit: http://git-wip-us.apache.org/repos/asf/ignite/commit/40ef2f5a
Tree: http://git-wip-us.apache.org/repos/asf/ignite/tree/40ef2f5a
Diff: http://git-wip-us.apache.org/repos/asf/ignite/diff/40ef2f5a
Branch: refs/heads/ignite-4154
Commit: 40ef2f5ae42826fe8fd077e3013e8f55c8512bdd
Parents: 175da6b
Author: Dmitriy Govorukhin <dg...@gridgain.com>
Authored: Mon Nov 7 12:09:41 2016 +0300
Committer: Dmitriy Govorukhin <dg...@gridgain.com>
Committed: Mon Nov 7 12:09:41 2016 +0300
----------------------------------------------------------------------
.../security/SecurityBasicPermissionSet.java | 107 +++++++++
.../security/SecurityPermissionSetBuilder.java | 222 +++++++++++++++++++
.../SecurityPermissionSetBuilderTest.java | 93 ++++++++
.../ignite/testsuites/IgniteBasicTestSuite.java | 3 +
4 files changed, 425 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
new file mode 100644
index 0000000..5b50c56
--- /dev/null
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.plugin.security;
+
+import java.util.Map;
+import java.util.HashMap;
+import java.util.ArrayList;
+import java.util.Collection;
+import org.apache.ignite.internal.util.typedef.internal.S;
+import org.jetbrains.annotations.Nullable;
+
+/**
+ * Simple implementation of {@link SecurityPermissionSet} interface. Provides
+ * convenient way to specify permission set in the XML configuration.
+ */
+public class SecurityBasicPermissionSet implements SecurityPermissionSet {
+ /** Serial version uid. */
+ private static final long serialVersionUID = 0L;
+
+ /** Cache permissions. */
+ private Map<String, Collection<SecurityPermission>> cachePerms = new HashMap<>();
+
+ /** Task permissions. */
+ private Map<String, Collection<SecurityPermission>> taskPerms = new HashMap<>();
+
+ /** System permissions. */
+ private Collection<SecurityPermission> sysPerms = new ArrayList<>();
+
+ /** Default allow all. */
+ private boolean dfltAllowAll;
+
+ /**
+ * Setter for set cache permission map.
+ *
+ * @param cachePerms Cache permissions.
+ */
+ public void setCachePermissions(Map<String, Collection<SecurityPermission>> cachePerms) {
+ this.cachePerms = cachePerms;
+ }
+
+ /**
+ * Setter for set task permission map.
+ *
+ * @param taskPerms Task permissions.
+ */
+ public void setTaskPermissions(Map<String, Collection<SecurityPermission>> taskPerms) {
+ this.taskPerms = taskPerms;
+ }
+
+ /**
+ * Setter for set collection system permission.
+ *
+ * @param sysPerms System permissions.
+ */
+ public void setSystemPermissions(Collection<SecurityPermission> sysPerms) {
+ this.sysPerms = sysPerms;
+ }
+
+ /**
+ * Setter for set default allow all.
+ *
+ * @param dfltAllowAll Default allow all.
+ */
+ public void setDefaultAllowAll(boolean dfltAllowAll) {
+ this.dfltAllowAll = dfltAllowAll;
+ }
+
+ /** {@inheritDoc} */
+ @Override public Map<String, Collection<SecurityPermission>> cachePermissions() {
+ return cachePerms;
+ }
+
+ /** {@inheritDoc} */
+ @Override public Map<String, Collection<SecurityPermission>> taskPermissions() {
+ return taskPerms;
+ }
+
+ /** {@inheritDoc} */
+ @Nullable @Override public Collection<SecurityPermission> systemPermissions() {
+ return sysPerms;
+ }
+
+ /** {@inheritDoc} */
+ @Override public boolean defaultAllowAll() {
+ return dfltAllowAll;
+ }
+
+ /** {@inheritDoc} */
+ @Override public String toString() {
+ return S.toString(SecurityBasicPermissionSet.class, this);
+ }
+}
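Review bot: The three collection setters store the caller's map or list as-is and the getters return the same objects, so anyone still holding a reference can change the permission set after it has been handed over for authorization. If that is acceptable for XML configuration, say so in the class Javadoc, for example `Instances are mutable and not thread-safe; finish configuring them before they are used for authorization.`; otherwise copy on the way in, e.g. `this.sysPerms = new ArrayList<>(sysPerms);`. The setters also accept null, so `cachePermissions()` and `taskPermissions()` can return null although only `systemPermissions()` is marked `@Nullable`; either reject null in the setters or annotate all three consistently.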
http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
new file mode 100644
index 0000000..61ad77c
--- /dev/null
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
@@ -0,0 +1,222 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.plugin.security;
+
+import java.util.Map;
+import java.util.List;
+import java.util.HashMap;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import org.apache.ignite.IgniteException;
+
+import static java.util.Collections.unmodifiableList;
+import static java.util.Collections.unmodifiableMap;
+
+/**
+ * Provides a convenient way to create a permission set.
+ * <p>
+ * Here is example:
+ * <pre>
+ * SecurityPermissionSet permsSet = new SecurityPermissionSetBuilder()
+ * .appendCachePermissions("cache1", CACHE_PUT, CACHE_REMOVE)
+ * .appendCachePermissions("cache2", CACHE_READ)
+ * .appendTaskPermissions("task1", TASK_CANCEL)
+ * .appendTaskPermissions("task2", TASK_EXECUTE)
+ * .appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE)
+ * .build();
+ * </pre>
+ * <p>
+ * The builder also does additional validation. For example, if you try to
+ * append {@code EVENTS_ENABLE} permission for a cache, exception will be thrown:
+ * <pre>
+ * SecurityPermissionSet permsSet = new SecurityPermissionSetBuilder()
+ * .appendCachePermissions("cache1", EVENTS_ENABLE)
+ * .build();
+ * </pre>
+ */
+public class SecurityPermissionSetBuilder {
+ /** Cache permissions.*/
+ private Map<String, Collection<SecurityPermission>> cachePerms = new HashMap<>();
+
+ /** Task permissions.*/
+ private Map<String, Collection<SecurityPermission>> taskPerms = new HashMap<>();
+
+ /** System permissions.*/
+ private List<SecurityPermission> sysPerms = new ArrayList<>();
+
+ /** Default allow all.*/
+ private boolean dfltAllowAll;
+
+ /**
+ * Static factory method for create new permission builder.
+ *
+ * @return SecurityPermissionSetBuilder
+ */
+ public static SecurityPermissionSetBuilder create(){
+ return new SecurityPermissionSetBuilder();
+ }
+
+ /**
+ * Append default all flag.
+ *
+ * @param dfltAllowAll Default allow all.
+ * @return SecurityPermissionSetBuilder refer to same permission builder.
+ */
+ public SecurityPermissionSetBuilder defaultAllowAll(boolean dfltAllowAll) {
+ this.dfltAllowAll = dfltAllowAll;
+
+ return this;
+ }
+
+ /**
+ * Append permission set form {@link org.apache.ignite.IgniteCompute task} with {@code name}.
+ *
+ * @param name String for map some task to permission set.
+ * @param perms Permissions.
+ * @return SecurityPermissionSetBuilder refer to same permission builder.
+ */
+ public SecurityPermissionSetBuilder appendTaskPermissions(String name, SecurityPermission... perms) {
+ validate(toCollection("TASK_"), perms);
+
+ append(taskPerms, name, toCollection(perms));
+
+ return this;
+ }
+
+ /**
+ * Append permission set form {@link org.apache.ignite.IgniteCache cache} with {@code name}.
+ *
+ * @param name String for map some cache to permission set.
+ * @param perms Permissions.
+ * @return {@link SecurityPermissionSetBuilder} refer to same permission builder.
+ */
+ public SecurityPermissionSetBuilder appendCachePermissions(String name, SecurityPermission... perms) {
+ validate(toCollection("CACHE_"), perms);
+
+ append(cachePerms, name, toCollection(perms));
+
+ return this;
+ }
+
+ /**
+ * Append system permission set.
+ *
+ * @param perms Permission.
+ * @return {@link SecurityPermissionSetBuilder} refer to same permission builder.
+ */
+ public SecurityPermissionSetBuilder appendSystemPermissions(SecurityPermission... perms) {
+ validate(toCollection("EVENTS_", "ADMIN_"), perms);
+
+ sysPerms.addAll(toCollection(perms));
+
+ return this;
+ }
+
+ /**
+ * Validate method use patterns.
+ *
+ * @param ptrns Pattern.
+ * @param perms Permissions.
+ */
+ private void validate(Collection<String> ptrns, SecurityPermission... perms) {
+ assert ptrns != null;
+ assert perms != null;
+
+ for (SecurityPermission perm : perms)
+ validate(ptrns, perm);
+ }
+
+ /**
+ * @param ptrns Patterns.
+ * @param perm Permission.
+ */
+ private void validate(Collection<String> ptrns, SecurityPermission perm) {
+ assert ptrns != null;
+ assert perm != null;
+
+ boolean ex = true;
+
+ String name = perm.name();
+
+ for (String ptrn : ptrns) {
+ if (name.startsWith(ptrn)) {
+ ex = false;
+
+ break;
+ }
+ }
+
+ if (ex)
+ throw new IgniteException("you can assign permission only start with " + ptrns + ", but you try " + name);
+ }
+
+ /**
+ * Convert vararg to {@link Collection}.
+ *
+ * @param perms Permissions.
+ */
+ @SafeVarargs
+ private final <T> Collection<T> toCollection(T... perms) {
+ assert perms != null;
+
+ Collection<T> col = new ArrayList<>(perms.length);
+
+ Collections.addAll(col, perms);
+
+ return col;
+ }
+
+ /**
+ * @param permsMap Permissions map.
+ * @param name Name.
+ * @param perms Permission.
+ */
+ private void append(
+ Map<String, Collection<SecurityPermission>> permsMap,
+ String name,
+ Collection<SecurityPermission> perms
+ ) {
+ assert permsMap != null;
+ assert name != null;
+ assert perms != null;
+
+ Collection<SecurityPermission> col = permsMap.get(name);
+
+ if (col == null)
+ permsMap.put(name, perms);
+ else
+ col.addAll(perms);
+ }
+
+ /**
+ * Builds the {@link SecurityPermissionSet}.
+ *
+ * @return {@link SecurityPermissionSet} instance.
+ */
+ public SecurityPermissionSet build() {
+ SecurityBasicPermissionSet permSet = new SecurityBasicPermissionSet();
+
+ permSet.setDefaultAllowAll(dfltAllowAll);
+ permSet.setCachePermissions(unmodifiableMap(cachePerms));
+ permSet.setTaskPermissions(unmodifiableMap(taskPerms));
+ permSet.setSystemPermissions(unmodifiableList(sysPerms));
+
+ return permSet;
+ }
+}
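Review bot: `build()` wraps the builder's own `cachePerms`, `taskPerms` and `sysPerms` in unmodifiable views instead of copying them, so the returned set keeps changing if the builder is used again after `build()`. The per-name collections inside the maps also stay writable through `cachePermissions().get(name)`. For an object that describes what a subject may do, the built set should be a snapshot: copy each map and each inner collection before wrapping, as sketched below. Separately, `append` guards `name` only with `assert`, which does nothing unless assertions are enabled, so a null cache or task name ends up as a `HashMap` key; an explicit check that throws `IgniteException` would match how `validate` reports bad input.

```java
public SecurityPermissionSet build() {
    // … unchanged: permSet creation and setDefaultAllowAll …
    permSet.setCachePermissions(snapshot(cachePerms));
    permSet.setTaskPermissions(snapshot(taskPerms));
    permSet.setSystemPermissions(unmodifiableList(new ArrayList<>(sysPerms)));
    // … unchanged: return permSet …
}

/** Copies the map and every per-name collection so the result shares no state with the builder. */
private static Map<String, Collection<SecurityPermission>> snapshot(
    Map<String, Collection<SecurityPermission>> src
) {
    Map<String, Collection<SecurityPermission>> res = new HashMap<>(src.size());

    for (Map.Entry<String, Collection<SecurityPermission>> e : src.entrySet())
        res.put(e.getKey(), unmodifiableList(new ArrayList<>(e.getValue())));

    return unmodifiableMap(res);
}
```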
http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
new file mode 100644
index 0000000..1d951cf
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
@@ -0,0 +1,93 @@
+package org.apache.ignite.plugin.security;
+
+import java.util.Map;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Collection;
+import java.util.concurrent.Callable;
+import org.apache.ignite.IgniteException;
+import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest;
+
+import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_PUT;
+import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_READ;
+import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_REMOVE;
+import static org.apache.ignite.plugin.security.SecurityPermission.TASK_CANCEL;
+import static org.apache.ignite.plugin.security.SecurityPermission.TASK_EXECUTE;
+import static org.apache.ignite.plugin.security.SecurityPermission.EVENTS_ENABLE;
+import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_VIEW;
+import static org.apache.ignite.testframework.GridTestUtils.assertThrows;
+
+/**
+ * Test for check correct work {@link SecurityPermissionSetBuilder permission builder}
+ */
+public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
+ /**
+ *
+ */
+ public void testPermissionBuilder() {
+ SecurityBasicPermissionSet exp = new SecurityBasicPermissionSet();
+
+ Map<String, Collection<SecurityPermission>> permCache = new HashMap<>();
+ permCache.put("cache1", Arrays.asList(CACHE_PUT, CACHE_REMOVE));
+ permCache.put("cache2", Arrays.asList(CACHE_READ));
+
+ exp.setCachePermissions(permCache);
+
+ Map<String, Collection<SecurityPermission>> permTask = new HashMap<>();
+ permTask.put("task1", Arrays.asList(TASK_CANCEL));
+ permTask.put("task2", Arrays.asList(TASK_EXECUTE));
+
+ exp.setTaskPermissions(permTask);
+
+ exp.setSystemPermissions(Arrays.asList(ADMIN_VIEW, EVENTS_ENABLE));
+
+ final SecurityPermissionSetBuilder permsBuilder = new SecurityPermissionSetBuilder();
+
+ assertThrows(log, new Callable<Object>() {
+ @Override
+ public Object call() throws Exception {
+ permsBuilder.appendCachePermissions("cache", ADMIN_VIEW);
+ return null;
+ }
+ }, IgniteException.class,
+ "you can assign permission only start with [CACHE_], but you try ADMIN_VIEW"
+ );
+
+ assertThrows(log, new Callable<Object>() {
+ @Override
+ public Object call() throws Exception {
+ permsBuilder.appendTaskPermissions("task", CACHE_READ);
+ return null;
+ }
+ }, IgniteException.class,
+ "you can assign permission only start with [TASK_], but you try CACHE_READ"
+ );
+
+ assertThrows(log, new Callable<Object>() {
+ @Override
+ public Object call() throws Exception {
+ permsBuilder.appendSystemPermissions(TASK_EXECUTE, CACHE_PUT);
+ return null;
+ }
+ }, IgniteException.class,
+ "you can assign permission only start with [EVENTS_, ADMIN_], but you try TASK_EXECUTE"
+ );
+
+ permsBuilder.appendCachePermissions(
+ "cache1", CACHE_PUT, CACHE_REMOVE
+ ).appendCachePermissions(
+ "cache2", CACHE_READ
+ ).appendTaskPermissions(
+ "task1", TASK_CANCEL
+ ).appendTaskPermissions(
+ "task2", TASK_EXECUTE
+ ).appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE);
+
+ SecurityPermissionSet actual = permsBuilder.build();
+
+ assertEquals(exp.cachePermissions(), actual.cachePermissions());
+ assertEquals(exp.taskPermissions(), actual.taskPermissions());
+ assertEquals(exp.systemPermissions(), actual.systemPermissions());
+ assertEquals(exp.defaultAllowAll(), actual.defaultAllowAll());
+ }
+}
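Review bot: The last assertion compares `defaultAllowAll()` on two objects that both still hold the default `false`, so `SecurityPermissionSetBuilder.defaultAllowAll(boolean)` is never exercised; add `exp.setDefaultAllowAll(true);` and `permsBuilder.defaultAllowAll(true);` before `build()` so the flag is actually checked. There is also no case verifying that the built set is unaffected by later calls on the builder, or that the collections it returns reject modification. This new file starts at `package` without the ASF license header that the other two new files in this commit carry.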
http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java
index 62c2eb3..6ab0885 100644
--- a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java
+++ b/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java
@@ -53,6 +53,7 @@ import org.apache.ignite.marshaller.DynamicProxySerializationMultiJvmSelfTest;
import org.apache.ignite.messaging.GridMessagingNoPeerClassLoadingSelfTest;
import org.apache.ignite.messaging.GridMessagingSelfTest;
import org.apache.ignite.messaging.IgniteMessagingWithClientTest;
+import org.apache.ignite.plugin.security.SecurityPermissionSetBuilderTest;
import org.apache.ignite.spi.GridSpiLocalHostInjectionTest;
import org.apache.ignite.startup.properties.NotStringSystemPropertyTest;
import org.apache.ignite.testframework.GridTestUtils;
@@ -143,6 +144,8 @@ public class IgniteBasicTestSuite extends TestSuite {
suite.addTestSuite(MarshallerContextLockingSelfTest.class);
+ suite.addTestSuite(SecurityPermissionSetBuilderTest.class);
+
return suite;
}
}