Posted to commits@knox.apache.org by lm...@apache.org on 2014/03/08 00:12:52 UTC
git commit: KNOX-303 - Added logging and replaced the invalid ACL
within the message with the resourceRole that is bound to the invalid ACL. So
as not to leak authz policy.
Repository: knox
Updated Branches:
refs/heads/master bfe4ce7e7 -> 99ba394a4
KNOX-303 - Added logging and replaced the invalid ACL within the message with the resourceRole that is bound to the invalid ACL, so as not to leak authz policy.
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/99ba394a
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/99ba394a
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/99ba394a
Branch: refs/heads/master
Commit: 99ba394a41db5c866c418760ee737720f358117c
Parents: bfe4ce7
Author: Larry McCay <lm...@hortonworks.com>
Authored: Fri Mar 7 18:12:35 2014 -0500
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Fri Mar 7 18:12:35 2014 -0500
----------------------------------------------------------------------
.../apache/hadoop/gateway/filter/AclParser.java | 35 +++++--------------
.../gateway/filter/AclsAuthorizationFilter.java | 2 +-
.../hadoop/gateway/filter/AclParserTest.java | 36 ++++++++++----------
3 files changed, 27 insertions(+), 46 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/99ba394a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
index a568537..13499c3 100644
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclParser.java
@@ -20,53 +20,34 @@ package org.apache.hadoop.gateway.filter;
import java.util.ArrayList;
import java.util.Collections;
+import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
import org.apache.hadoop.gateway.util.IpAddressValidator;
/**
- * @author larry
*/
public class AclParser {
+ private static AclsAuthorizationMessages log = MessagesFactory.get( AclsAuthorizationMessages.class );
- /**
- *
- */
+ public String resourceRole;
public ArrayList<String> users;
- /**
- *
- */
public ArrayList<String> groups;
- /**
- *
- */
public boolean anyUser = true;
- /**
- *
- */
public boolean anyGroup = true;
- /**
- *
- */
public IpAddressValidator ipv;
- /**
- *
- */
public AclParser() {
}
- public void parseAcls(String acls) throws InvalidACLException {
+ public void parseAcls(String resourceRole, String acls) throws InvalidACLException {
if (acls != null) {
String[] parts = acls.split(";");
if (parts.length != 3) {
- //log.invalidAclsFoundForResource(resourceRole);
- // TODO: should probably throw an exception since this can leave
- // us in an insecure state - either that or lock it down so that
- // it isn't unprotected
- throw new InvalidACLException("Invalid ACLs specified: " + acls);
+ log.invalidAclsFoundForResource(resourceRole);
+ throw new InvalidACLException("Invalid ACLs specified for requested resource: " + resourceRole);
}
else {
- //log.aclsFoundForResource(resourceRole);
+ log.aclsFoundForResource(resourceRole);
}
parseUserAcls(parts);
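Review bot: The new `public String resourceRole;` field is never assigned anywhere in this hunk — `parseAcls` takes `resourceRole` as a parameter and only forwards it to the log calls and the exception message, so the field stays null for anything that reads it after parsing. Either drop the field or set it at the top of `parseAcls` with `this.resourceRole = resourceRole;`. The message holder should also be `private static final AclsAuthorizationMessages log = ...;` since it is initialised once and never reassigned here. Replacing the raw ACL text in the exception with the role name is the right call for a message that can surface to a client; the log line keeps only the role as well, so no policy detail is written out. `parseAcls` continues in the next hunk.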
@@ -75,7 +56,7 @@ public class AclParser {
parseIpAddressAcls(parts);
}
else {
- //log.noAclsFoundForResource(resourceRole);
+ log.noAclsFoundForResource(resourceRole);
users = new ArrayList<String>();
groups = new ArrayList<String>();
ipv = new IpAddressValidator(null);
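Review bot: The `acls == null` branch now logs `noAclsFoundForResource` but leaves the instance in its permissive defaults — `anyUser = true` and `anyGroup = true` from the field initialisers, empty `users`/`groups` lists, and an `IpAddressValidator(null)`, which presumably allows any address (confirm in that class). A missing `<resourceRole>.acl` init parameter therefore means the resource is unrestricted, so the level at which `noAclsFoundForResource` is emitted (defined in AclsAuthorizationMessages, not visible here) should be one operators see by default, and the TODO deleted in the previous hunk is worth keeping in this branch as `// no ACL configured: parser stays fully permissive; logged so operators can spot it`. The else block and `parseAcls` continue past the end of the hunk.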
http://git-wip-us.apache.org/repos/asf/knox/blob/99ba394a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
index 45d3a4d..343d87f 100644
--- a/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
+++ b/gateway-provider-security-authz-acls/src/main/java/org/apache/hadoop/gateway/filter/AclsAuthorizationFilter.java
@@ -69,7 +69,7 @@ public class AclsAuthorizationFilter implements Filter {
}
log.aclProcessingMode(aclProcessingMode);
String acls = getInitParameter(filterConfig, resourceRole + ".acl");
- parser.parseAcls(acls);
+ parser.parseAcls(resourceRole, acls);
}
private String getInitParameter(FilterConfig filterConfig, String paramName) {
http://git-wip-us.apache.org/repos/asf/knox/blob/99ba394a/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java b/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
index c071ea9..3a2e746 100644
--- a/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
+++ b/gateway-provider-security-authz-acls/src/test/java/org/apache/hadoop/gateway/filter/AclParserTest.java
@@ -29,13 +29,13 @@ public class AclParserTest {
@Test
public void testValidAcls() throws Exception {
AclParser p = new AclParser();
- p.parseAcls("guest;*;*");
+ p.parseAcls("test", "guest;*;*");
assertTrue(p.users.contains("guest"));
assertTrue(p.anyGroup);
assertTrue(p.ipv.allowsAnyIP());
p = new AclParser();
- p.parseAcls("*;admins;*");
+ p.parseAcls("test", "*;admins;*");
assertFalse(p.users.contains("guest"));
assertTrue(p.anyUser);
assertFalse(p.anyGroup);
@@ -43,7 +43,7 @@ public class AclParserTest {
assertTrue(p.ipv.allowsAnyIP());
p = new AclParser();
- p.parseAcls("*;*;127.0.0.1");
+ p.parseAcls("test", "*;*;127.0.0.1");
assertFalse(p.users.contains("guest"));
assertTrue(p.anyUser);
assertTrue(p.anyGroup);
@@ -52,7 +52,7 @@ public class AclParserTest {
assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
p = new AclParser();
- p.parseAcls("*;admins;127.0.0.1");
+ p.parseAcls("test", "*;admins;127.0.0.1");
assertFalse(p.users.contains("guest"));
assertTrue(p.anyUser);
assertFalse(p.anyGroup);
@@ -61,7 +61,7 @@ public class AclParserTest {
assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
p = new AclParser();
- p.parseAcls("guest;admins;127.0.0.1");
+ p.parseAcls("test", "guest;admins;127.0.0.1");
assertTrue(p.users.contains("guest"));
assertFalse(p.anyUser);
assertFalse(p.anyGroup);
@@ -70,7 +70,7 @@ public class AclParserTest {
assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
p = new AclParser();
- p.parseAcls("guest;*;127.0.0.1");
+ p.parseAcls("test", "guest;*;127.0.0.1");
assertTrue(p.users.contains("guest"));
assertFalse(p.anyUser);
assertTrue(p.anyGroup);
@@ -79,7 +79,7 @@ public class AclParserTest {
assertTrue(p.ipv.getIPAddresses().contains("127.0.0.1"));
p = new AclParser();
- p.parseAcls("*;admins;127.0.0.1");
+ p.parseAcls("test", "*;admins;127.0.0.1");
assertFalse(p.users.contains("guest"));
assertTrue(p.anyUser);
assertFalse(p.anyGroup);
@@ -92,7 +92,7 @@ public class AclParserTest {
@Test
public void testValidMultiValuedAcls() throws Exception {
AclParser p = new AclParser();
- p.parseAcls("*;admins;127.0.0.1,127.0.0.2");
+ p.parseAcls("test", "*;admins;127.0.0.1,127.0.0.2");
assertFalse(p.users.contains("guest"));
assertTrue(p.anyUser);
assertFalse(p.anyGroup);
@@ -103,7 +103,7 @@ public class AclParserTest {
assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
p = new AclParser();
- p.parseAcls("*;admins,users;127.0.0.1,127.0.0.2");
+ p.parseAcls("test", "*;admins,users;127.0.0.1,127.0.0.2");
assertFalse(p.users.contains("guest"));
assertTrue(p.anyUser);
assertFalse(p.anyGroup);
@@ -116,7 +116,7 @@ public class AclParserTest {
assertFalse(p.ipv.getIPAddresses().contains("127.0.0.3"));
p = new AclParser();
- p.parseAcls("guest,visitor;admins,users;127.0.0.1,127.0.0.2");
+ p.parseAcls("test", "guest,visitor;admins,users;127.0.0.1,127.0.0.2");
assertTrue(p.users.contains("guest"));
assertTrue(p.users.contains("visitor"));
assertFalse(p.users.contains("missing-guy"));
@@ -135,7 +135,7 @@ public class AclParserTest {
public void testNullACL() throws Exception {
AclParser p = new AclParser();
try {
- p.parseAcls(null);
+ p.parseAcls("test", null);
}
catch (InvalidACLException sle) {
// expected
@@ -147,7 +147,7 @@ public class AclParserTest {
public void testInvalidAcls() throws Exception {
AclParser p = new AclParser();
try {
- p.parseAcls("guest");
+ p.parseAcls("test", "guest");
fail("Invalid acl should have thrown InvalidACLException.");
}
catch (InvalidACLException sle) {
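Review bot: `testInvalidAcls` still only catches the exception; nothing in the visible lines asserts that the message now carries the resource role rather than the ACL text, which is the property this commit exists to establish, so a regression back to `"Invalid ACLs specified: " + acls` would still pass. In the catch block add `assertFalse(sle.getMessage().contains("guest"));` and `assertTrue(sle.getMessage().contains("test"));`; the same check applies to the remaining invalid-ACL hunks in this file. The catch body and the method continue outside the hunk.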
@@ -156,7 +156,7 @@ public class AclParserTest {
p = new AclParser();
try {
- p.parseAcls("guest;;");
+ p.parseAcls("test", "guest;;");
fail("Invalid acl should have thrown InvalidACLException.");
}
catch (InvalidACLException sle) {
@@ -165,7 +165,7 @@ public class AclParserTest {
p = new AclParser();
try {
- p.parseAcls(";;");
+ p.parseAcls("test", ";;");
fail("Invalid acl should have thrown InvalidACLException.");
}
catch (InvalidACLException sle) {
@@ -174,7 +174,7 @@ public class AclParserTest {
p = new AclParser();
try {
- p.parseAcls(";");
+ p.parseAcls("test", ";");
fail("Invalid acl should have thrown InvalidACLException.");
}
catch (InvalidACLException sle) {
@@ -183,7 +183,7 @@ public class AclParserTest {
p = new AclParser();
try {
- p.parseAcls("guest;");
+ p.parseAcls("test", "guest;");
fail("Invalid acl should have thrown InvalidACLException.");
}
catch (InvalidACLException sle) {
@@ -192,7 +192,7 @@ public class AclParserTest {
p = new AclParser();
try {
- p.parseAcls(";admins");
+ p.parseAcls("test", ";admins");
fail("Invalid acl should have thrown InvalidACLException.");
}
catch (InvalidACLException sle) {
@@ -201,7 +201,7 @@ public class AclParserTest {
p = new AclParser();
try {
- p.parseAcls("");
+ p.parseAcls("test", "");
fail("Invalid acl should have thrown InvalidACLException.");
}
catch (InvalidACLException sle) {