Posted to commits@knox.apache.org by lm...@apache.org on 2019/10/24 20:48:50 UTC
[knox] branch master updated: KNOX-2066 - Composite Authz Provider
This is an automated email from the ASF dual-hosted git repository.
lmccay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new f3eddab KNOX-2066 - Composite Authz Provider
new 15a85c0 Merge branch 'master' into KNOX-2066
f3eddab is described below
commit f3eddab9b854f1774ecf89ac39ec03566e296113
Author: lmccay <lm...@apache.org>
AuthorDate: Thu Oct 24 16:35:04 2019 -0400
KNOX-2066 - Composite Authz Provider
---
gateway-provider-security-authz-composite/pom.xml | 64 ++++++++++++++++
.../impl/CompositeAuthzDeploymentContributor.java | 89 ++++++++++++++++++++++
...ox.gateway.deploy.ProviderDeploymentContributor | 18 +++++
.../deploy/impl/CompositeAuthzProviderTest.java | 67 ++++++++++++++++
gateway-release/pom.xml | 4 +
pom.xml | 6 ++
6 files changed, 248 insertions(+)
diff --git a/gateway-provider-security-authz-composite/pom.xml b/gateway-provider-security-authz-composite/pom.xml
new file mode 100644
index 0000000..fd1f962
--- /dev/null
+++ b/gateway-provider-security-authz-composite/pom.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway</artifactId>
+ <version>1.4.0-SNAPSHOT</version>
+ </parent>
+ <artifactId>gateway-provider-security-authz-composite</artifactId>
+ <name>gateway-provider-security-authz-composite</name>
+ <description>Provides authorization support through the use of multiple providers.</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-i18n</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-server</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-spi</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-util-common</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>javax.servlet-api</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-test-utils</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
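Review bot: The `<dependencies>` block declares `commons-io` and `javax.servlet-api` at compile scope, but the only main source file in this commit imports nothing from either (nor, judging by its visible imports, from `gateway-i18n` or `gateway-util-common`), while the test uses JUnit and EasyMock without declaring them. For a module that sits in the authorization path it is worth keeping the declared set to what is actually used: drop the unused entries, and declare `junit` and `easymock` with `<scope>test</scope>` unless they are meant to arrive transitively through `gateway-test-utils`. Running `mvn dependency:analyze` on the module would confirm which entries are needed.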
diff --git a/gateway-provider-security-authz-composite/src/main/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzDeploymentContributor.java b/gateway-provider-security-authz-composite/src/main/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzDeploymentContributor.java
new file mode 100644
index 0000000..5e7562c
--- /dev/null
+++ b/gateway-provider-security-authz-composite/src/main/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzDeploymentContributor.java
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.DeploymentFactory;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class CompositeAuthzDeploymentContributor extends ProviderDeploymentContributorBase {
+ @Override
+ public String getRole() {
+ return "authorization";
+ }
+
+ @Override
+ public String getName() {
+ return "CompositeAuthz";
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ super.initializeContribution(context);
+ }
+
+ @Override
+ public void contributeProvider( DeploymentContext context, Provider provider ) {
+ }
+
+ @Override
+ public void contributeFilter( DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+
+ if (params == null) {
+ params = new ArrayList<>();
+ }
+
+ Map<String, String> providerParams = provider.getParams();
+ String providerNames = providerParams.get("composite.provider.names");
+ String[] names = parseProviderNames(providerNames);
+ for (String name : names) {
+ getProviderSpecificParams(resource, params, providerParams, name);
+ DeploymentFactory.getProviderContributor("authorization", name)
+ .contributeFilter(context, provider, service, resource, params);
+ params.clear();
+ }
+ }
+
+ String[] parseProviderNames(String providerNames) {
+ String[] names = providerNames.split(",\\s*");
+ return names;
+ }
+
+ void getProviderSpecificParams(ResourceDescriptor resource, List<FilterParamDescriptor> params,
+ Map<String, String> providerParams, String name) {
+ String entryName;
+ for(Entry<String, String> entry : providerParams.entrySet()) {
+ if (entry.getKey().startsWith(name + ".")) {
+ entryName = entry.getKey().substring(entry.getKey().indexOf('.') + 1);
+ FilterParamDescriptor fpd = resource.createFilterParam();
+ params.add(fpd.name(entryName.toLowerCase(Locale.ROOT)).value(entry.getValue()));
+ }
+ }
+ }
+}
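Review bot: In `contributeFilter`, the `composite.provider.names` value and the result of `DeploymentFactory.getProviderContributor("authorization", name)` are both used unchecked, so a missing parameter, an empty entry or a misspelled provider name surfaces as a bare NullPointerException (assuming the factory returns null for an unknown name, which is not visible here). For an authorization provider the safer contract is to reject the topology with a message naming the bad entry, and to refuse an empty list or a reference to `CompositeAuthz` itself, which would likely re-enter this method without end. The fence sketches that validation; it needs an import of `ProviderDeploymentContributor`. Separately, `params.clear()` empties the caller's list after the first delegate, and `getProviderSpecificParams` strips the prefix with `indexOf('.')`, which is only correct while provider names contain no dot; `substring(name.length() + 1)` states the intent directly.

```java
    // … unchanged: params null check, provider.getParams() …
    String providerNames = providerParams.get("composite.provider.names");
    if (providerNames == null || providerNames.trim().isEmpty()) {
        // Fail deployment explicitly rather than building an empty authorization chain.
        throw new IllegalArgumentException(
            "CompositeAuthz requires a non-empty composite.provider.names parameter");
    }
    for (String name : parseProviderNames(providerNames.trim())) {
        if (name.isEmpty() || getName().equals(name)) {
            throw new IllegalArgumentException(
                "Invalid entry in composite.provider.names: '" + name + "'");
        }
        ProviderDeploymentContributor delegate =
            DeploymentFactory.getProviderContributor("authorization", name);
        if (delegate == null) {
            throw new IllegalArgumentException(
                "No authorization provider named '" + name + "' is available");
        }
        // … unchanged: getProviderSpecificParams(resource, params, providerParams, name) …
        delegate.contributeFilter(context, provider, service, resource, params);
        // … unchanged: params.clear() …
    }
```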
diff --git a/gateway-provider-security-authz-composite/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-authz-composite/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..33362c5
--- /dev/null
+++ b/gateway-provider-security-authz-composite/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,18 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+org.apache.knox.gateway.deploy.impl.CompositeAuthzDeploymentContributor
diff --git a/gateway-provider-security-authz-composite/src/test/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzProviderTest.java b/gateway-provider-security-authz-composite/src/test/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzProviderTest.java
new file mode 100644
index 0000000..eadb2d6
--- /dev/null
+++ b/gateway-provider-security-authz-composite/src/test/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzProviderTest.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.replay;
+
+public class CompositeAuthzProviderTest {
+ @Test
+ public void testParsingProviderParams() throws Exception {
+ String name = "AclsAuthz";
+ Map<String, String> providerParams = new HashMap<>();
+ // provider params are disambiguated by prefixing them with
+ // the provider name. Therefore the following should only
+ // result in a single param making it through since only
+ // one has a prefix that matches the name.
+ providerParams.put("AclsAuthz.webhdfs.acl", "admin;*;*");
+ providerParams.put("SomeOther.webhdfs.acl", "admin;*;*");
+ List<FilterParamDescriptor> params = new ArrayList<>();
+ ResourceDescriptor resource = createMock(ResourceDescriptor.class);
+ FilterParamDescriptor fpd = createMock(FilterParamDescriptor.class);
+ expect(resource.createFilterParam()).andReturn(fpd).atLeastOnce();
+ expect(fpd.name("webhdfs.acl")).andReturn(fpd).once();
+ expect(fpd.value("admin;*;*")).andReturn(fpd).once();
+ replay(resource, fpd);
+ CompositeAuthzDeploymentContributor c = new CompositeAuthzDeploymentContributor();
+ c.getProviderSpecificParams(resource, params, providerParams, name);
+ }
+
+ @Test
+ public void testParsingProviderNames() throws Exception {
+ String names = "AclsAuthz, SomeOther,TheOtherOne";
+ CompositeAuthzDeploymentContributor c = new CompositeAuthzDeploymentContributor();
+ String[] providerNames = c.parseProviderNames(names);
+ assertEquals(providerNames.length, 3);
+ assertEquals(providerNames[0], "AclsAuthz");
+ assertEquals(providerNames[1], "SomeOther");
+ assertEquals(providerNames[2], "TheOtherOne");
+ }
+}
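Review bot: `testParsingProviderParams` never calls `verify(resource, fpd)` and asserts nothing about `params`, so the `.once()` expectations are not enforced and the test still passes if no parameter is produced at all. Add `verify(resource, fpd);` and `assertEquals(1, params.size());` after the call to `getProviderSpecificParams`, with a static import of `EasyMock.verify`. In `testParsingProviderNames` the `assertEquals` arguments are in (actual, expected) order, which makes failure messages misleading. It would also help to cover null, empty and whitespace-padded `composite.provider.names` values, since those inputs decide whether the authorization chain is built as configured.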
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index fdc4536..2306a3d 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -348,6 +348,10 @@
</dependency>
<dependency>
<groupId>org.apache.knox</groupId>
+ <artifactId>gateway-provider-security-authz-composite</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
<artifactId>gateway-provider-identity-assertion-common</artifactId>
</dependency>
<dependency>
diff --git a/pom.xml b/pom.xml
index c0ef103..fd97b52 100644
--- a/pom.xml
+++ b/pom.xml
@@ -89,6 +89,7 @@
<module>gateway-provider-security-shiro</module>
<module>gateway-provider-security-pac4j</module>
<module>gateway-provider-security-authz-acls</module>
+ <module>gateway-provider-security-authz-composite</module>
<module>gateway-provider-security-authc-anon</module>
<module>gateway-provider-identity-assertion-common</module>
<module>gateway-provider-identity-assertion-concat</module>
@@ -847,6 +848,11 @@
</dependency>
<dependency>
<groupId>org.apache.knox</groupId>
+ <artifactId>gateway-provider-security-authz-composite</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
<artifactId>gateway-provider-identity-assertion-common</artifactId>
<version>${project.version}</version>
</dependency>