Posted to commits@geode.apache.org by kl...@apache.org on 2016/05/03 23:52:17 UTC
[28/50] [abbrv] incubator-geode git commit: GEODE-17: enhance the
GeodeSecurityUtil and review changes
GEODE-17: enhance the GeodeSecurityUtil and review changes
* allow operations that do not require any authorization
* put/get, import/export and locate entry will check region access
* rename EnvironmentVariablesHandlerInterceptor
* rename ShiroUtil to GeodeSecurityUtil
* reformat code and review changes
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/7c38f0d8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/7c38f0d8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/7c38f0d8
Branch: refs/heads/feature/GEODE-1255
Commit: 7c38f0d8811874509ae93dbd9a4a9f7b05ce0d01
Parents: 0c0825a
Author: Jinmei Liao <ji...@pivotal.io>
Authored: Tue Apr 26 07:30:27 2016 -0700
Committer: Jinmei Liao <ji...@pivotal.io>
Committed: Fri Apr 29 08:29:28 2016 -0700
----------------------------------------------------------------------
.../cache/operations/OperationContext.java | 13 +-
.../management/DistributedSystemMXBean.java | 6 +-
.../gemfire/management/MemberMXBean.java | 10 +-
.../CreateAlterDestroyRegionCommands.java | 12 +-
.../internal/cli/commands/DataCommands.java | 22 +-
.../internal/cli/commands/RegionCommands.java | 3 +-
.../internal/cli/remote/CommandProcessor.java | 7 +-
.../internal/security/AccessControlMBean.java | 4 +-
.../internal/security/MBeanServerWrapper.java | 23 +-
.../internal/security/ResourceOperation.java | 13 +-
.../security/ResourceOperationContext.java | 45 +-
.../controllers/AbstractCommandsController.java | 17 +-
.../EnvironmentVariablesHandlerInterceptor.java | 121 ---
.../support/LoginHandlerInterceptor.java | 122 +++
.../web/shell/RestHttpOperationInvoker.java | 4 -
.../gemfire/security/CustomAuthRealm.java | 7 +-
.../gemfire/security/GeodeSecurityUtil.java | 163 ++++
.../gemfire/security/JMXShiroAuthenticator.java | 4 +-
.../gemstone/gemfire/security/ShiroUtil.java | 116 ---
.../CacheServerMBeanAuthorizationJUnitTest.java | 26 +-
.../CacheServerMBeanShiroJUnitTest.java | 36 +-
.../security/CliCommandsSecurityTest.java | 17 +-
.../security/DataCommandsSecurityTest.java | 7 +-
.../DiskStoreMXBeanSecurityJUnitTest.java | 20 +-
.../GatewayReceiverMBeanSecurityTest.java | 17 +-
.../GatewaySenderMBeanSecurityTest.java | 24 +-
.../GeodeSecurityUtilCustomRealmJUnitTest.java | 52 ++
.../GeodeSecurityUtilWithIniFileJUnitTest.java | 147 +++
.../security/GfshCommandsSecurityTest.java | 6 +-
.../internal/security/JSONAuthorization.java | 77 +-
.../LockServiceMBeanAuthorizationJUnitTest.java | 10 +-
.../ManagerMBeanAuthorizationJUnitTest.java | 4 +-
.../security/MemberMBeanSecurityJUnitTest.java | 30 +-
.../ResourceOperationContextJUnitTest.java | 88 ++
.../internal/security/TestCommand.java | 178 ++--
.../management/internal/security/auth3.json | 2 +-
.../internal/security/cacheServer.json | 10 +-
.../management/internal/security/shiro-ini.json | 87 ++
.../internal/security/testInheritRole.json | 40 -
.../security/testSimpleUserAndRole.json | 18 -
.../testUserAndRoleRegionServerGroup.json | 20 -
.../internal/security/testUserMultipleRole.json | 26 -
geode-core/src/test/resources/shiro.ini | 13 +-
.../junit/rules/DescribedExternalResource.java | 11 +-
.../security/GemFireAuthentication.java | 114 +--
.../security/GemFireAuthenticationProvider.java | 9 +-
.../pulse/internal/security/LogoutHandler.java | 12 +-
.../tools/pulse/tests/PulseAbstractTest.java | 904 ++++++++++---------
.../gemfire/tools/pulse/tests/Region.java | 2 +-
.../src/main/webapp/WEB-INF/gemfire-servlet.xml | 2 +-
...entVariablesHandlerInterceptorJUnitTest.java | 272 ------
.../LoginHandlerInterceptorJUnitTest.java | 274 ++++++
52 files changed, 1758 insertions(+), 1509 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
index dd290c5..b632edb 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
@@ -33,6 +33,7 @@ import org.apache.shiro.authz.permission.WildcardPermission;
public abstract class OperationContext extends WildcardPermission{
public enum Resource {
+ NULL,
CLUSTER,
DATA
};
@@ -76,6 +77,7 @@ public abstract class OperationContext extends WildcardPermission{
EXECUTE_FUNCTION,
@Deprecated
GET_DURABLE_CQS,
+ NULL,
MANAGE,
WRITE,
READ;
@@ -298,11 +300,15 @@ public abstract class OperationContext extends WildcardPermission{
public abstract OperationCode getOperationCode();
public Resource getResource(){
- return Resource.DATA;
+ return Resource.NULL;
}
+ /**
+ *
+ * @return
+ */
public String getRegionName(){
- return null;
+ return "NULL";
}
/**
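Review bot: With `getResource()` now defaulting to `Resource.NULL`, any `OperationContext` subclass that does not override it moves from a DATA permission to the resource this commit uses for "no authorization required" (the `@ResourceOperation()` defaults), so a missed override presumably fails open rather than closed; GeodeSecurityUtil is not in this hunk, so confirm how it treats NULL. `getRegionName()` returning the string `"NULL"` also makes a region literally named NULL indistinguishable from "no region". The Javadoc added above `getRegionName()` is empty; I would replace it with `/** @return the region this operation targets, or the sentinel "NULL" when the operation is not region-scoped */` and document the new default on `getResource()` in the same way.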
@@ -356,7 +362,4 @@ public abstract class OperationContext extends WildcardPermission{
|| opCode.isRegionDestroy() || opCode.isRegionClear());
}
- public String toString(){
- return getResource() + ":"+ getOperationCode();
- }
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
index a27d92f..6dac6af 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
@@ -72,14 +72,16 @@ import com.gemstone.gemfire.management.internal.security.ResourceOperation;
* @since 7.0
*
*/
-//@ResourceOperation(resource = Resource.CLUSTER, operation = OperationCode.READ)
+@ResourceOperation(resource = Resource.CLUSTER, operation = OperationCode.READ)
public interface DistributedSystemMXBean {
/**
* Returns the ID of thie DistributedSystem.
+ * allow anyone to access this method
*
* @return The DistributedSystem ID or -1 if not set.
*/
+ @ResourceOperation()
public int getDistributedSystemId();
/**
@@ -351,7 +353,9 @@ public interface DistributedSystemMXBean {
/**
* Returns the object name for a {@link MemberMXBean} used to access
* this distributed member.
+ * allow anyone to access this method
*/
+ @ResourceOperation()
public ObjectName getMemberObjectName();
/**
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java
index 5f656a9..c5d9933 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java
@@ -16,13 +16,12 @@
*/
package com.gemstone.gemfire.management;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.management.internal.security.ResourceOperation;
+import static com.gemstone.gemfire.cache.operations.OperationContext.*;
import java.util.Map;
-import static com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import static com.gemstone.gemfire.cache.operations.OperationContext.Resource;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.management.internal.security.ResourceOperation;
/**
* MBean that provides access to information and management functionality for a
@@ -199,6 +198,7 @@ public interface MemberMXBean {
*
* @return Result of the execution in JSON format.
*/
+ @ResourceOperation()
String processCommand(String commandString);
/**
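Review bot: `@ResourceOperation()` on `processCommand` carries no explanation, yet it resolves to `Resource.NULL`/`OperationCode.NULL` and so appears to leave the JMX path for this method without a permission requirement of its own. The comment that used to explain this in `MBeanServerWrapper.invoke` is removed by the same commit, and the two overloads in the following hunks have the same gap. I would add a line to each Javadoc such as `* No permission is required at the MBean layer; each command is authorized in CommandProcessor.` so the delegation stays visible to whoever changes either side.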
@@ -210,6 +210,7 @@ public interface MemberMXBean {
* Environmental properties to use during command execution.
* @return Result of the execution in JSON format.
*/
+ @ResourceOperation()
String processCommand(String commandString, Map<String, String> env);
/**
@@ -223,6 +224,7 @@ public interface MemberMXBean {
* Binary data specific to the command being executed.
* @return Result of the execution in JSON format.
*/
+ @ResourceOperation()
String processCommand(String commandString, Map<String, String> env, Byte[][] binaryData);
/**
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
index cdbd3db..06c096f 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
@@ -79,7 +79,7 @@ import com.gemstone.gemfire.management.internal.cli.util.RegionPath;
import com.gemstone.gemfire.management.internal.configuration.SharedConfigurationWriter;
import com.gemstone.gemfire.management.internal.configuration.domain.XmlEntity;
import com.gemstone.gemfire.management.internal.security.ResourceOperation;
-import com.gemstone.gemfire.security.ShiroUtil;
+
import org.springframework.shell.core.annotation.CliAvailabilityIndicator;
import org.springframework.shell.core.annotation.CliCommand;
import org.springframework.shell.core.annotation.CliOption;
@@ -437,7 +437,7 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport {
@CliCommand (value = CliStrings.ALTER_REGION, help = CliStrings.ALTER_REGION__HELP)
@CliMetaData (relatedTopic = CliStrings.TOPIC_GEMFIRE_REGION, writesToSharedConfiguration = true)
- @ResourceOperation(resource = Resource.DATA, operation = OperationCode.MANAGE)
+ @ResourceOperation(resource=Resource.DATA, operation = OperationCode.MANAGE)
public Result alterRegion(
@CliOption (key = CliStrings.ALTER_REGION__REGION,
mandatory = true,
@@ -528,9 +528,6 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport {
specifiedDefaultValue = "0",
help = CliStrings.ALTER_REGION__EVICTIONMAX__HELP)
Integer evictionMax) {
-
- ShiroUtil.authorize("DATA", "MANAGE", regionPath);
-
Result result = null;
XmlEntity xmlEntity = null;
@@ -999,16 +996,13 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport {
@CliCommand(value = { CliStrings.DESTROY_REGION }, help = CliStrings.DESTROY_REGION__HELP)
@CliMetaData(shellOnly = false, relatedTopic = CliStrings.TOPIC_GEMFIRE_REGION, writesToSharedConfiguration = true)
- @ResourceOperation(resource = Resource.DATA, operation = OperationCode.MANAGE)
+ @ResourceOperation(resource=Resource.DATA, operation = OperationCode.MANAGE)
public Result destroyRegion(
@CliOption(key = CliStrings.DESTROY_REGION__REGION,
optionContext = ConverterHint.REGIONPATH,
mandatory = true,
help = CliStrings.DESTROY_REGION__REGION__HELP)
String regionPath) {
-
- ShiroUtil.authorize("DATA", "MANAGE", regionPath);
-
if (regionPath == null) {
return ResultBuilder.createInfoResult(CliStrings.DESTROY_REGION__MSG__SPECIFY_REGIONPATH_TO_DESTROY);
}
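Review bot: `destroyRegion` no longer passes `regionPath` to any authorization call, so the only remaining check is the method-level `@ResourceOperation(resource=Resource.DATA, operation = OperationCode.MANAGE)`, which cannot see which region is targeted; the previous hunk does the same to `alterRegion`. Whether a principal granted MANAGE on only one region can then alter or destroy another depends on how the region part of the permission is matched, which these hunks do not show, so this is worth a test. I would either keep a region-scoped check, in the manner of the `authorizeRegionRead`/`authorizeRegionWrite` calls added in DataCommands, or state the intent in a comment such as `// DATA:MANAGE is deliberately not region-scoped`. The body of `destroyRegion` continues past this hunk.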
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
index c1c04a3..61803fe 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
@@ -73,7 +73,8 @@ import com.gemstone.gemfire.management.internal.cli.result.ResultBuilder;
import com.gemstone.gemfire.management.internal.cli.result.TabularResultData;
import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
import com.gemstone.gemfire.management.internal.security.ResourceOperation;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
+
import org.springframework.shell.core.CommandMarker;
import org.springframework.shell.core.annotation.CliAvailabilityIndicator;
import org.springframework.shell.core.annotation.CliCommand;
@@ -834,13 +835,12 @@ public class DataCommands implements CommandMarker {
@CliCommand(value = CliStrings.EXPORT_DATA, help = CliStrings.EXPORT_DATA__HELP)
@CliMetaData(relatedTopic = { CliStrings.TOPIC_GEMFIRE_DATA,
CliStrings.TOPIC_GEMFIRE_REGION })
- @ResourceOperation(resource = Resource.DATA, operation = OperationCode.READ)
public Result exportData(
@CliOption(key = CliStrings.EXPORT_DATA__REGION, mandatory = true, optionContext = ConverterHint.REGIONPATH, help = CliStrings.EXPORT_DATA__REGION__HELP) String regionName,
@CliOption(key = CliStrings.EXPORT_DATA__FILE, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, mandatory = true, help = CliStrings.EXPORT_DATA__FILE__HELP) String filePath,
@CliOption(key = CliStrings.EXPORT_DATA__MEMBER, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, optionContext = ConverterHint.MEMBERIDNAME, mandatory = true, help = CliStrings.EXPORT_DATA__MEMBER__HELP) String memberNameOrId) {
- ShiroUtil.authorize("DATA", "READ", regionName);
+ GeodeSecurityUtil.authorizeRegionRead(regionName);
final Cache cache = CacheFactory.getAnyInstance();
final DistributedMember targetMember = CliUtil
.getDistributedMemberByNameOrId(memberNameOrId);
@@ -891,13 +891,12 @@ public class DataCommands implements CommandMarker {
@CliCommand(value = CliStrings.IMPORT_DATA, help = CliStrings.IMPORT_DATA__HELP)
@CliMetaData(relatedTopic = { CliStrings.TOPIC_GEMFIRE_DATA,
CliStrings.TOPIC_GEMFIRE_REGION })
- @ResourceOperation(resource = Resource.DATA, operation = OperationCode.WRITE)
public Result importData(
@CliOption(key = CliStrings.IMPORT_DATA__REGION, optionContext = ConverterHint.REGIONPATH, mandatory = true, help = CliStrings.IMPORT_DATA__REGION__HELP) String regionName,
@CliOption(key = CliStrings.IMPORT_DATA__FILE, mandatory = true, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, help = CliStrings.IMPORT_DATA__FILE__HELP) String filePath,
@CliOption(key = CliStrings.IMPORT_DATA__MEMBER, mandatory = true, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, optionContext = ConverterHint.MEMBERIDNAME, help = CliStrings.IMPORT_DATA__MEMBER__HELP) String memberNameOrId) {
- ShiroUtil.authorize("DATA", "WRITE", regionName);
+ GeodeSecurityUtil.authorizeRegionWrite(regionName);
Result result = null;
@@ -949,7 +948,6 @@ public class DataCommands implements CommandMarker {
@CliMetaData(shellOnly = false, relatedTopic = {
CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION })
@CliCommand(value = { CliStrings.PUT }, help = CliStrings.PUT__HELP)
- @ResourceOperation(resource = Resource.DATA, operation = OperationCode.WRITE)
public Result put(
@CliOption(key = { CliStrings.PUT__KEY }, mandatory = true, help = CliStrings.PUT__KEY__HELP) String key,
@CliOption(key = { CliStrings.PUT__VALUE }, mandatory = true, help = CliStrings.PUT__VALUE__HELP) String value,
@@ -958,7 +956,7 @@ public class DataCommands implements CommandMarker {
@CliOption(key = { CliStrings.PUT__VALUEKLASS }, help = CliStrings.PUT__VALUEKLASS__HELP) String valueClass,
@CliOption(key = { CliStrings.PUT__PUTIFABSENT }, help = CliStrings.PUT__PUTIFABSENT__HELP, unspecifiedDefaultValue = "false") boolean putIfAbsent) {
- ShiroUtil.authorize("DATA", "WRITE", regionPath);
+ GeodeSecurityUtil.authorizeRegionWrite(regionPath);
Cache cache = CacheFactory.getAnyInstance();
DataCommandResult dataResult = null;
if (regionPath == null || regionPath.isEmpty()) {
@@ -1018,7 +1016,6 @@ public class DataCommands implements CommandMarker {
@CliMetaData(shellOnly = false, relatedTopic = {
CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION })
@CliCommand(value = { CliStrings.GET }, help = CliStrings.GET__HELP)
- @ResourceOperation(resource = Resource.DATA, operation= OperationCode.READ)
public Result get(
@CliOption(key = { CliStrings.GET__KEY }, mandatory = true, help = CliStrings.GET__KEY__HELP) String key,
@CliOption(key = { CliStrings.GET__REGIONNAME }, mandatory = true, help = CliStrings.GET__REGIONNAME__HELP, optionContext = ConverterHint.REGIONPATH) String regionPath,
@@ -1026,7 +1023,7 @@ public class DataCommands implements CommandMarker {
@CliOption(key = { CliStrings.GET__VALUEKLASS }, help = CliStrings.GET__VALUEKLASS__HELP) String valueClass,
@CliOption(key = CliStrings.GET__LOAD, unspecifiedDefaultValue = "true", specifiedDefaultValue = "true", help = CliStrings.GET__LOAD__HELP) Boolean loadOnCacheMiss)
{
- ShiroUtil.authorize("DATA", "READ", regionPath);
+ GeodeSecurityUtil.authorizeRegionRead(regionPath);
Cache cache = CacheFactory.getAnyInstance();
DataCommandResult dataResult = null;
@@ -1074,14 +1071,14 @@ public class DataCommands implements CommandMarker {
@CliMetaData(shellOnly = false, relatedTopic = {
CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION })
@CliCommand(value = { CliStrings.LOCATE_ENTRY }, help = CliStrings.LOCATE_ENTRY__HELP)
- @ResourceOperation(resource = Resource.DATA, operation = OperationCode.READ)
public Result locateEntry(
@CliOption(key = { CliStrings.LOCATE_ENTRY__KEY }, mandatory = true, help = CliStrings.LOCATE_ENTRY__KEY__HELP) String key,
@CliOption(key = { CliStrings.LOCATE_ENTRY__REGIONNAME }, mandatory = true, help = CliStrings.LOCATE_ENTRY__REGIONNAME__HELP, optionContext = ConverterHint.REGIONPATH) String regionPath,
@CliOption(key = { CliStrings.LOCATE_ENTRY__KEYCLASS }, help = CliStrings.LOCATE_ENTRY__KEYCLASS__HELP) String keyClass,
@CliOption(key = { CliStrings.LOCATE_ENTRY__VALUEKLASS }, help = CliStrings.LOCATE_ENTRY__VALUEKLASS__HELP) String valueClass,
@CliOption(key = { CliStrings.LOCATE_ENTRY__RECURSIVE }, help = CliStrings.LOCATE_ENTRY__RECURSIVE__HELP, unspecifiedDefaultValue = "false") boolean recursive) {
- ShiroUtil.authorize("DATA", "READ", regionPath);
+
+ GeodeSecurityUtil.authorizeRegionRead(regionPath);
// Cache cache = CacheFactory.getAnyInstance();
DataCommandResult dataResult = null;
@@ -1122,13 +1119,12 @@ public class DataCommands implements CommandMarker {
@CliMetaData(shellOnly = false, relatedTopic = {
CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION })
@CliCommand(value = { CliStrings.REMOVE }, help = CliStrings.REMOVE__HELP)
- @ResourceOperation(resource = Resource.DATA, operation = OperationCode.MANAGE)
+ @ResourceOperation(resource=Resource.DATA, operation = OperationCode.MANAGE)
public Result remove(
@CliOption(key = { CliStrings.REMOVE__KEY }, help = CliStrings.REMOVE__KEY__HELP) String key,
@CliOption(key = { CliStrings.REMOVE__REGION }, mandatory = true, help = CliStrings.REMOVE__REGION__HELP, optionContext = ConverterHint.REGIONPATH) String regionPath,
@CliOption(key = CliStrings.REMOVE__ALL, help = CliStrings.REMOVE__ALL__HELP, specifiedDefaultValue = "true", unspecifiedDefaultValue = "false") boolean removeAllKeys,
@CliOption(key = { CliStrings.REMOVE__KEYCLASS }, help = CliStrings.REMOVE__KEYCLASS__HELP) String keyClass) {
-
Cache cache = CacheFactory.getAnyInstance();
DataCommandResult dataResult = null;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
index ac69d32..0408675 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
@@ -52,7 +52,7 @@ import com.gemstone.gemfire.management.internal.cli.result.TabularResultData;
import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
import com.gemstone.gemfire.management.internal.cli.util.RegionAttributesNames;
import com.gemstone.gemfire.management.internal.security.ResourceOperation;
-import com.gemstone.gemfire.security.ShiroUtil;
+
import org.springframework.shell.core.CommandMarker;
import org.springframework.shell.core.annotation.CliAvailabilityIndicator;
import org.springframework.shell.core.annotation.CliCommand;
@@ -163,7 +163,6 @@ public class RegionCommands implements CommandMarker {
mandatory = true)
String regionName) {
- ShiroUtil.authorize("CLUSTER", "READ", regionName);
Result result = null;
try {
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
index 87053cc..c3b0b7f 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
@@ -31,7 +31,8 @@ import com.gemstone.gemfire.management.internal.cli.result.ResultBuilder;
import com.gemstone.gemfire.management.internal.cli.util.CommentSkipHelper;
import com.gemstone.gemfire.management.internal.security.ResourceOperation;
import com.gemstone.gemfire.security.GemFireSecurityException;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
+
import org.springframework.shell.core.Parser;
import org.springframework.shell.event.ParseResult;
@@ -108,9 +109,7 @@ public class CommandProcessor {
//do general authorization check here
Method method = parseResult.getMethod();
ResourceOperation resourceOperation = method.getAnnotation(ResourceOperation.class);
- if(resourceOperation!=null){
- ShiroUtil.authorize(resourceOperation);
- }
+ GeodeSecurityUtil.authorize(resourceOperation);
result = executionStrategy.execute(parseResult);
if (result instanceof Result) {
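Review bot: `GeodeSecurityUtil.authorize(resourceOperation)` is now called even when `method.getAnnotation(ResourceOperation.class)` returns null, and this commit removes the annotation from `exportData`, `importData`, `put`, `get` and `locateEntry`, so null is a routine input here. GeodeSecurityUtil is not shown; if it treats null as "nothing to check", any command method with neither an annotation nor an in-body check runs without authorization and nothing flags the omission. The same hand-off of the null case occurs in the `MBeanServerWrapper` hunks (`getAttribute`, `setAttribute`, `invoke`), where the removed `doAuthorization` guard used to make it explicit. I would state the contract at the call site, e.g. `// null annotation: the command authorizes itself in its body (see DataCommands)`, and consider denying or at least logging un-annotated commands; the enclosing method starts and ends outside this hunk.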
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
index 9921538..33b80e2 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
@@ -17,7 +17,7 @@
package com.gemstone.gemfire.management.internal.security;
import com.gemstone.gemfire.security.GemFireSecurityException;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
/**
* AccessControlMBean Implementation. This retrieves JMXPrincipal from AccessController
@@ -30,7 +30,7 @@ public class AccessControlMBean implements AccessControlMXBean {
@Override
public boolean authorize(String resource, String permission) {
try {
- ShiroUtil.authorize(resource, permission);
+ GeodeSecurityUtil.authorize(resource, permission);
return true;
}
catch (GemFireSecurityException e){
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
index bbc0442..8d1031a 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
@@ -46,7 +46,7 @@ import javax.management.remote.MBeanServerForwarder;
import com.gemstone.gemfire.management.internal.ManagementConstants;
import com.gemstone.gemfire.security.GemFireSecurityException;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
/**
* This class intercepts all MBean requests for GemFire MBeans and passed it to
@@ -60,14 +60,6 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
public MBeanServerWrapper(){
}
- private void doAuthorization(ResourceOperationContext context){
- // allow operations which requires no permissions
- if(context == null)
- return;
-
- ShiroUtil.authorize(context);
- }
-
private void doAuthorizationPost(ResourceOperationContext context){
if(context == null)
return;
@@ -161,7 +153,7 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
public Object getAttribute(ObjectName name, String attribute) throws MBeanException, InstanceNotFoundException,
ReflectionException {
ResourceOperationContext ctx = getOperationContext(name, attribute, false);
- doAuthorization(ctx);
+ GeodeSecurityUtil.authorize(ctx);
Object result;
try {
result = mbs.getAttribute(name, attribute);
@@ -195,7 +187,7 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
public void setAttribute(ObjectName name, Attribute attribute) throws InstanceNotFoundException,
AttributeNotFoundException, InvalidAttributeValueException, MBeanException, ReflectionException {
ResourceOperationContext ctx = getOperationContext(name, attribute.getName(), false);
- doAuthorization(ctx);
+ GeodeSecurityUtil.authorize(ctx);
mbs.setAttribute(name, attribute);
}
@@ -216,12 +208,9 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
@Override
public Object invoke(ObjectName name, String operationName, Object[] params, String[] signature)
throws InstanceNotFoundException, MBeanException, ReflectionException {
- // skip authorization check if operation is "processCommand" since we will check authorization in the command itself
- ResourceOperationContext ctx = null;
- if(!"processCommand".equals(operationName)) {
- ctx = getOperationContext(name, operationName, true);
- doAuthorization(ctx);
- }
+
+ ResourceOperationContext ctx = getOperationContext(name, operationName, true);
+ GeodeSecurityUtil.authorize(ctx);
Object result = mbs.invoke(name, operationName, params, signature);
if(ctx!=null)
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java
index f72a835..8b50183 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java
@@ -16,25 +16,22 @@
*/
package com.gemstone.gemfire.management.internal.security;
-import javax.management.DescriptorKey;
+import static com.gemstone.gemfire.cache.operations.OperationContext.*;
+
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
-
-import static com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import static com.gemstone.gemfire.cache.operations.OperationContext.Resource;
+import javax.management.DescriptorKey;
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Inherited
public @interface ResourceOperation {
@DescriptorKey("resource")
- Resource resource();
-
- String label() default ResourceConstants.DEFAULT_LABEL;
+ Resource resource() default Resource.NULL;
@DescriptorKey("operation")
- OperationCode operation();
+ OperationCode operation() default OperationCode.NULL;
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
index 396cdac..50f9b78 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
@@ -18,6 +18,8 @@ package com.gemstone.gemfire.management.internal.security;
import com.gemstone.gemfire.cache.operations.OperationContext;
+import org.apache.shiro.authz.Permission;
+
/**
* This is base class for OperationContext for resource (JMX and CLI) operations
*/
@@ -25,32 +27,25 @@ public class ResourceOperationContext extends OperationContext {
private boolean isPostOperation = false;
private Object opResult = null;
- private Resource resource = null;
- private OperationCode operation = null;
- private String regionName = null;
+ private Resource resource = Resource.NULL;
+ private OperationCode operation = OperationCode.NULL;
+
+ private String regionName = "NULL";
public ResourceOperationContext() {
+ this(null, null, null);
}
- public ResourceOperationContext(Resource resource, OperationCode operation) {
- setParts(resource.name()+":"+operation.name(), false);
- this.resource = resource;
- this.operation = operation;
+ public ResourceOperationContext(String resource, String operation) {
+ this(resource, operation, null);
}
public ResourceOperationContext(String resource, String operation, String regionName) {
- setParts(resource+":"+operation+":"+regionName, false);
if (resource != null) this.resource = Resource.valueOf(resource);
if (operation != null) this.operation = OperationCode.valueOf(operation);
- this.regionName = regionName;
- }
+ if (regionName !=null ) this.regionName = regionName;
- public void setResourceOperation(ResourceOperation op) {
- if (op != null) {
- resource = op.resource();
- operation = op.operation();
- setParts(resource.name()+":"+operation.name(), false);
- }
+ setParts(this.resource.name()+":"+this.operation.name()+":"+regionName);
}
@Override
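Review bot: The last line of the three-argument constructor builds the permission string from the `regionName` parameter rather than from `this.regionName`, which was just defaulted, so for a null region the third part is the text "null" while the field holds "NULL". The two agree only if the inherited `setParts(String)` normalises case, which is not visible in this hunk; `setParts(this.resource.name()+":"+this.operation.name()+":"+this.regionName);` removes that dependency. The "NULL" sentinel is also an in-band value: a region really named NULL cannot be told apart from "no region" in an authorization decision, so the constructor should carry a comment reserving that name or reject it. A Javadoc line noting that `Resource.valueOf` and `OperationCode.valueOf` throw `IllegalArgumentException` for unknown strings would help callers that pass user-supplied values.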
@@ -87,20 +82,8 @@ public class ResourceOperationContext extends OperationContext {
return this.opResult;
}
- public String toString(){
- if(this.regionName==null)
- return getResource() + ":"+ getOperationCode();
- else
- return getResource() + ":"+ getOperationCode()+ ":" +this.regionName;
- }
-
- public boolean equals(Object o){
- if(! (o instanceof ResourceOperationContext))
- return false;
-
- ResourceOperationContext other = (ResourceOperationContext)o;
- return (this.resource==other.getResource() && this.operation==other.getOperationCode());
+ @Override
+ public boolean implies(Permission p){
+ return super.implies(p);
}
-
-
}
\ No newline at end of file
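Review bot: The added `implies(Permission p)` override only returns `super.implies(p)`, so it has no effect and is the sole reason for the new `org.apache.shiro.authz.Permission` import; either drop both or add a comment saying why the override is kept. With `equals` and `toString` removed in the same hunk, permission matching and the text shown in authorization failure messages now come entirely from the superclass, which is not visible here. A short class-level comment stating that matching is inherited (and that region is now part of the comparison, if that is the intent) would make the security-relevant behaviour explicit.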
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
index 211d0b1..08865b4 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
@@ -47,10 +47,11 @@ import com.gemstone.gemfire.management.internal.ManagementConstants;
import com.gemstone.gemfire.management.internal.SystemManagementService;
import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
import com.gemstone.gemfire.management.internal.cli.util.CommandStringBuilder;
-import com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor;
+import com.gemstone.gemfire.management.internal.web.controllers.support.LoginHandlerInterceptor;
import com.gemstone.gemfire.management.internal.web.controllers.support.MemberMXBeanAdapter;
import com.gemstone.gemfire.management.internal.web.util.UriUtils;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
+
import org.apache.logging.log4j.Logger;
import org.springframework.beans.propertyeditors.StringArrayPropertyEditor;
import org.springframework.http.HttpStatus;
@@ -488,12 +489,12 @@ public abstract class AbstractCommandsController {
* Gets the environment setup during this HTTP/command request for the current command process execution.
*
* @return a mapping of environment variables to values.
- * @see com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor#getEnvironment()
+ * @see LoginHandlerInterceptor#getEnvironment()
*/
protected Map<String, String> getEnvironment() {
final Map<String, String> environment = new HashMap<String, String>();
- environment.putAll(EnvironmentVariablesHandlerInterceptor.getEnvironment());
+ environment.putAll(LoginHandlerInterceptor.getEnvironment());
environment.put(Gfsh.ENV_APP_NAME, Gfsh.GFSH_APP_NAME);
return environment;
@@ -541,7 +542,7 @@ public abstract class AbstractCommandsController {
* @param command a String value containing a valid command String as would be entered by the user in Gfsh.
* @return a result of the command execution as a String, typically marshalled in JSON to be serialized back to Gfsh.
* @see com.gemstone.gemfire.management.internal.cli.shell.Gfsh
- * @see com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor#getEnvironment()
+ * @see LoginHandlerInterceptor#getEnvironment()
* @see #getEnvironment()
* @see #processCommand(String, java.util.Map, byte[][])
*/
@@ -558,7 +559,7 @@ public abstract class AbstractCommandsController {
return new ResponseEntity<String>(processCommand(command, fileData), HttpStatus.OK);
}
};
- return ShiroUtil.associateWith(callable);
+ return GeodeSecurityUtil.associateWith(callable);
}
@@ -571,7 +572,7 @@ public abstract class AbstractCommandsController {
* the Manager, usually for the 'deploy' Gfsh command.
* @return a result of the command execution as a String, typically marshalled in JSON to be serialized back to Gfsh.
* @see com.gemstone.gemfire.management.internal.cli.shell.Gfsh
- * @see com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor#getEnvironment()
+ * @see LoginHandlerInterceptor#getEnvironment()
* @see #getEnvironment()
* @see #processCommand(String, java.util.Map, byte[][])
*/
@@ -590,7 +591,7 @@ public abstract class AbstractCommandsController {
* between Gfsh and the Manager, and thus need to specify this key/value pair mapping.
* @return a result of the command execution as a String, typically marshalled in JSON to be serialized back to Gfsh.
* @see com.gemstone.gemfire.management.internal.cli.shell.Gfsh
- * @see com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor#getEnvironment()
+ * @see LoginHandlerInterceptor#getEnvironment()
* @see #processCommand(String, java.util.Map, byte[][])
*/
protected String processCommand(final String command, final Map<String, String> environment) {
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
deleted file mode 100644
index bb7a27d..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal.web.controllers.support;
-
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.internal.logging.LogService;
-import com.gemstone.gemfire.management.internal.security.ResourceConstants;
-import com.gemstone.gemfire.security.Authenticator;
-import com.gemstone.gemfire.security.ShiroUtil;
-import org.apache.logging.log4j.Logger;
-import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
-
-/**
- * The GetEnvironmentHandlerInterceptor class handles extracting Gfsh environment variables encoded in the HTTP request
- * message as request parameters.
- * <p/>
- * @see javax.servlet.http.HttpServletRequest
- * @see javax.servlet.http.HttpServletResponse
- * @see org.springframework.web.servlet.handler.HandlerInterceptorAdapter
- * @since 8.0
- */
-@SuppressWarnings("unused")
-public class EnvironmentVariablesHandlerInterceptor extends HandlerInterceptorAdapter {
-
- private static final Logger logger = LogService.getLogger();
-
- private Cache cache;
-
- private Authenticator auth = null;
-
- private static final ThreadLocal<Map<String, String>> ENV = new ThreadLocal<Map<String, String>>() {
- @Override
- protected Map<String, String> initialValue() {
- return Collections.emptyMap();
- }
- };
-
- protected static final String ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX = "vf.gf.env.";
-
- protected static final String SECURITY_VARIABLE_REQUEST_HEADER_PREFIX = "security-";
-
- public static Map<String, String> getEnvironment() {
- return ENV.get();
- }
-
- @Override
- public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler)
- throws Exception
- {
- final Map<String, String> requestParameterValues = new HashMap<String, String>();
-
- for (Enumeration<String> requestParameters = request.getParameterNames(); requestParameters.hasMoreElements(); ) {
- final String requestParameter = requestParameters.nextElement();
-
- if (requestParameter.startsWith(ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX)) {
- requestParameterValues.put(requestParameter.substring(ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX.length()),
- request.getParameter(requestParameter));
- }
- }
-
-
-
- for (Enumeration<String> requestHeaders = request.getHeaderNames(); requestHeaders.hasMoreElements();) {
-
- final String requestHeader = requestHeaders.nextElement();
-
- if (requestHeader.startsWith(SECURITY_VARIABLE_REQUEST_HEADER_PREFIX)) {
- requestParameterValues.put(requestHeader, request.getHeader(requestHeader));
- }
-
- }
-
- String username = requestParameterValues.get(ResourceConstants.USER_NAME);
- String password = requestParameterValues.get(ResourceConstants.PASSWORD);
- ShiroUtil.login(username, password);
-
- ENV.set(requestParameterValues);
-
- return true;
- }
-
-
- @Override
- public void afterCompletion(final HttpServletRequest request,
- final HttpServletResponse response,
- final Object handler,
- final Exception ex)
- throws Exception
- {
- afterConcurrentHandlingStarted(request, response, handler);
- ShiroUtil.logout();
- }
-
- @Override
- public void afterConcurrentHandlingStarted(
- HttpServletRequest request, HttpServletResponse response, Object handler)
- throws Exception {
- ENV.remove();
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
new file mode 100644
index 0000000..5465ea3
--- /dev/null
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.web.controllers.support;
+
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.management.internal.security.ResourceConstants;
+import com.gemstone.gemfire.security.Authenticator;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
+
+import org.apache.logging.log4j.Logger;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+/**
+ * The GetEnvironmentHandlerInterceptor class handles extracting Gfsh environment variables encoded in the HTTP request
+ * message as request parameters.
+ * <p/>
+ * @see javax.servlet.http.HttpServletRequest
+ * @see javax.servlet.http.HttpServletResponse
+ * @see org.springframework.web.servlet.handler.HandlerInterceptorAdapter
+ * @since 8.0
+ */
+@SuppressWarnings("unused")
+public class LoginHandlerInterceptor extends HandlerInterceptorAdapter {
+
+ private static final Logger logger = LogService.getLogger();
+
+ private Cache cache;
+
+ private Authenticator auth = null;
+
+ private static final ThreadLocal<Map<String, String>> ENV = new ThreadLocal<Map<String, String>>() {
+ @Override
+ protected Map<String, String> initialValue() {
+ return Collections.emptyMap();
+ }
+ };
+
+ protected static final String ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX = "vf.gf.env.";
+
+ protected static final String SECURITY_VARIABLE_REQUEST_HEADER_PREFIX = "security-";
+
+ public static Map<String, String> getEnvironment() {
+ return ENV.get();
+ }
+
+ @Override
+ public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler)
+ throws Exception
+ {
+ final Map<String, String> requestParameterValues = new HashMap<String, String>();
+
+ for (Enumeration<String> requestParameters = request.getParameterNames(); requestParameters.hasMoreElements(); ) {
+ final String requestParameter = requestParameters.nextElement();
+
+ if (requestParameter.startsWith(ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX)) {
+ requestParameterValues.put(requestParameter.substring(ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX.length()),
+ request.getParameter(requestParameter));
+ }
+ }
+
+
+
+ for (Enumeration<String> requestHeaders = request.getHeaderNames(); requestHeaders.hasMoreElements();) {
+
+ final String requestHeader = requestHeaders.nextElement();
+
+ if (requestHeader.startsWith(SECURITY_VARIABLE_REQUEST_HEADER_PREFIX)) {
+ requestParameterValues.put(requestHeader, request.getHeader(requestHeader));
+ }
+
+ }
+
+ String username = requestParameterValues.get(ResourceConstants.USER_NAME);
+ String password = requestParameterValues.get(ResourceConstants.PASSWORD);
+ GeodeSecurityUtil.login(username, password);
+
+ ENV.set(requestParameterValues);
+
+ return true;
+ }
+
+
+ @Override
+ public void afterCompletion(final HttpServletRequest request,
+ final HttpServletResponse response,
+ final Object handler,
+ final Exception ex)
+ throws Exception
+ {
+ afterConcurrentHandlingStarted(request, response, handler);
+ GeodeSecurityUtil.logout();
+ }
+
+ @Override
+ public void afterConcurrentHandlingStarted(
+ HttpServletRequest request, HttpServletResponse response, Object handler)
+ throws Exception {
+ ENV.remove();
+ }
+}
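Review bot: In `preHandle`, every `security-` header, apparently including the password, is copied into `requestParameterValues` and then stored in the `ENV` thread-local, so the credential stays readable through the public static `getEnvironment()` after `GeodeSecurityUtil.login` has consumed it; `AbstractCommandsController.getEnvironment()` copies that map into the command environment. Unless a later consumer needs it (none is visible here), remove it once login returns, with `requestParameterValues.remove(ResourceConstants.PASSWORD);` placed before `ENV.set(requestParameterValues);`. `username` and `password` are passed to `login` unchecked, so a request without those headers reaches it with nulls; an explicit rejection or a comment should state the intended behaviour for unauthenticated requests. The class Javadoc still names `GetEnvironmentHandlerInterceptor` and describes only environment extraction, so it should say that this interceptor also logs the caller in before the handler and out in `afterCompletion`.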
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java
index 439e2b4..0ead2d7 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java
@@ -33,7 +33,6 @@ import com.gemstone.gemfire.internal.util.CollectionUtils;
import com.gemstone.gemfire.management.internal.cli.CommandRequest;
import com.gemstone.gemfire.management.internal.cli.i18n.CliStrings;
import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
-import com.gemstone.gemfire.management.internal.security.ResourceConstants;
import com.gemstone.gemfire.management.internal.web.domain.Link;
import com.gemstone.gemfire.management.internal.web.domain.LinkIndex;
import com.gemstone.gemfire.management.internal.web.http.ClientHttpRequest;
@@ -230,9 +229,6 @@ public class RestHttpOperationInvoker extends AbstractHttpOperationInvoker imple
protected ClientHttpRequest createHttpRequest(final CommandRequest command) {
ClientHttpRequest request = createHttpRequest(findLink(command));
- //request.getParameters().setAll(new HashMap<String, Object>(CollectionUtils.removeKeys(
- // new HashMap<String, String>(command.getParameters()), ExcludeNoValueFilter.INSTANCE)));
-
Map<String, String> commandParameters = command.getParameters();
for (Map.Entry<String, String> entry : commandParameters.entrySet()) {
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java b/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java
index 76fc852..706a7cc 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java
@@ -35,7 +35,7 @@ import com.gemstone.gemfire.internal.ClassLoadUtil;
import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
import com.gemstone.gemfire.internal.lang.StringUtils;
import com.gemstone.gemfire.management.internal.security.ResourceConstants;
-import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
+
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.shiro.authc.AuthenticationException;
@@ -66,7 +66,6 @@ public class CustomAuthRealm extends AuthorizingRealm{
this.authenticatorFactoryName = securityProps.getProperty(DistributionConfig.SECURITY_CLIENT_AUTHENTICATOR_NAME);
this.cachedAuthZCallback = new ConcurrentHashMap<>();
this.cachedPostAuthZCallback = new ConcurrentHashMap<>();
- logger.info("Started Management interceptor on JMX connector");
}
@Override
@@ -93,13 +92,13 @@ public class CustomAuthRealm extends AuthorizingRealm{
@Override
public boolean isPermitted(PrincipalCollection principals, Permission permission) {
- ResourceOperationContext context =(ResourceOperationContext)permission;
+ OperationContext context =(OperationContext)permission;
Principal principal = (Principal)principals.getPrimaryPrincipal();
// if no access control is specified, then we allow all
if(StringUtils.isBlank(authzFactoryName))
return true;
AccessControl accessControl = getAccessControl(principal, false);
- return accessControl.authorizeOperation(null, context);
+ return accessControl.authorizeOperation(context.getRegionName(), context);
}
public AccessControl getAccessControl(Principal principal, boolean isPost) {
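Review bot: `isPermitted` casts `permission` to `OperationContext` without a type check, so any other `Permission` implementation reaching this realm fails with a `ClassCastException` instead of a denial; `if (!(permission instanceof OperationContext)) return false;` before the cast keeps the decision fail-closed. The region argument also changes from `null` to `context.getRegionName()`, and in this same commit `ResourceOperationContext` defaults its region field to the string "NULL". If `getRegionName()` returns that field (not visible here), `AccessControl` implementations that test for a null region will now receive "NULL" instead, which deserves a comment at this call. `getAccessControl` begins on the last line of the hunk and continues outside it.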
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/security/GeodeSecurityUtil.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/GeodeSecurityUtil.java b/geode-core/src/main/java/com/gemstone/gemfire/security/GeodeSecurityUtil.java
new file mode 100644
index 0000000..148a963
--- /dev/null
+++ b/geode-core/src/main/java/com/gemstone/gemfire/security/GeodeSecurityUtil.java
@@ -0,0 +1,163 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.gemstone.gemfire.security;
+
+import java.util.concurrent.Callable;
+
+import com.gemstone.gemfire.cache.operations.OperationContext;
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.cache.operations.OperationContext.Resource;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.management.internal.security.ResourceOperation;
+import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.Logger;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.ShiroException;
+import org.apache.shiro.UnavailableSecurityManagerException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.util.ThreadContext;
+
+public class GeodeSecurityUtil {
+
+ private static Logger logger = LogService.getLogger();
+
+ public static void login(String username, String password){
+ if(!isShiroConfigured())
+ return;
+
+ Subject currentUser = SecurityUtils.getSubject();
+
+ UsernamePasswordToken token =
+ new UsernamePasswordToken(username, password);
+ try {
+ logger.info("Logging in "+username+"/"+password);
+ currentUser.login(token);
+ } catch (ShiroException e) {
+ throw new AuthenticationFailedException(e.getMessage(), e);
+ }
+ }
+
+ public static void logout(){
+ if(!isShiroConfigured())
+ return;
+
+ Subject currentUser = SecurityUtils.getSubject();
+ try {
+ logger.info("Logging out "+currentUser.getPrincipal());
+ currentUser.logout();
+ }
+ catch(ShiroException e){
+ throw new AuthenticationFailedException(e.getMessage(), e);
+ }
+ // clean out Shiro's thread local content
+ ThreadContext.remove();
+ }
+
+ public static Callable associateWith(Callable callable){
+ if(!isShiroConfigured())
+ return callable;
+
+ Subject currentUser = SecurityUtils.getSubject();
+ return currentUser.associateWith(callable);
+ }
+
+ public static void authorize(ResourceOperation resourceOperation) {
+ if(resourceOperation==null)
+ return;
+
+ authorize(resourceOperation.resource().name(),
+ resourceOperation.operation().name(),
+ null);
+ }
+
+ public static void authorizeClusterManage(){
+ authorize("CLUSTER", "MANAGE");
+ }
+
+ public static void authorizeClusterWrite(){
+ authorize("CLUSTER", "WRITE");
+ }
+
+ public static void authorizeClusterRead(){
+ authorize("CLUSTER", "READ");
+ }
+
+ public static void authorizeDataManage(){
+ authorize("DATA", "MANAGE");
+ }
+
+ public static void authorizeDataWrite(){
+ authorize("DATA", "WRITE");
+ }
+
+ public static void authorizeDataRead(){
+ authorize("DATA", "READ");
+ }
+
+ public static void authorizeRegionWrite(String regionName){
+ authorize("DATA", "WRITE", regionName);
+ }
+
+ public static void authorizeRegionRead(String regionName){
+ authorize("DATA", "READ", regionName);
+ }
+
+ public static void authorize(String resource, String operation){
+ authorize(resource, operation, null);
+ }
+
+ private static void authorize(String resource, String operation, String regionName){
+ regionName = StringUtils.stripStart(regionName, "/");
+ authorize(new ResourceOperationContext(resource, operation, regionName));
+ }
+
+ public static void authorize(OperationContext context) {
+ if(context==null)
+ return;
+
+ if(context.getResource()== Resource.NULL && context.getOperationCode()== OperationCode.NULL)
+ return;
+
+ if(!isShiroConfigured())
+ return;
+
+
+ Subject currentUser = SecurityUtils.getSubject();
+ try {
+ currentUser.checkPermission(context);
+ }
+ catch(ShiroException e){
+ logger.info(currentUser.getPrincipal() + " not authorized for " + context);
+ throw new GemFireSecurityException(e.getMessage(), e);
+ }
+ }
+
+ private static boolean isShiroConfigured(){
+ try{
+ SecurityUtils.getSecurityManager();
+ }
+ catch(UnavailableSecurityManagerException e){
+ return false;
+ }
+ return true;
+ }
+
+}
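Review bot: `login` writes the cleartext password to the log at info level with `logger.info("Logging in "+username+"/"+password);`, which exposes the credential to anyone who can read the logs or the systems they are forwarded to. The line should log the user name only, `logger.info("Logging in " + username);`. Separately, `authorize(OperationContext)` returns without any check when the context is null, when both resource and operation are `NULL`, or when no Shiro security manager is configured. These allow-by-default paths match the commit message, but a Javadoc on the method should state them so that callers do not read a silent return as a performed permission check.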
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java b/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java
index 8f86c38..c55e700 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java
@@ -49,7 +49,7 @@ public class JMXShiroAuthenticator implements JMXAuthenticator, NotificationList
throw new SecurityException(WRONGE_CREDENTIALS_MESSAGE);
}
- ShiroUtil.login(username, password);
+ GeodeSecurityUtil.login(username, password);
return new Subject(true, Collections.singleton(new JMXPrincipal(username)), Collections.EMPTY_SET,
Collections.EMPTY_SET);
@@ -61,7 +61,7 @@ public class JMXShiroAuthenticator implements JMXAuthenticator, NotificationList
JMXConnectionNotification cxNotification = (JMXConnectionNotification) notification;
String type = cxNotification.getType();
if (JMXConnectionNotification.CLOSED.equals(type)) {
- ShiroUtil.logout();
+ GeodeSecurityUtil.logout();
}
}
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/security/ShiroUtil.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/ShiroUtil.java b/geode-core/src/main/java/com/gemstone/gemfire/security/ShiroUtil.java
deleted file mode 100644
index 01914e4..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/security/ShiroUtil.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.gemstone.gemfire.security;
-
-import java.util.concurrent.Callable;
-
-import com.gemstone.gemfire.internal.logging.LogService;
-import com.gemstone.gemfire.management.internal.security.ResourceOperation;
-import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
-
-import org.apache.logging.log4j.Logger;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.ShiroException;
-import org.apache.shiro.UnavailableSecurityManagerException;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.subject.Subject;
-import org.apache.shiro.util.ThreadContext;
-
-public class ShiroUtil {
-
- private static Logger logger = LogService.getLogger();
-
- public static void login(String username, String password){
- if(!isShiroConfigured())
- return;
-
- Subject currentUser = SecurityUtils.getSubject();
-
- UsernamePasswordToken token =
- new UsernamePasswordToken(username, password);
- try {
- logger.info("Logging in "+username+"/"+password);
- currentUser.login(token);
- } catch (ShiroException e) {
- throw new AuthenticationFailedException(e.getMessage(), e);
- }
- }
-
- public static void logout(){
- if(!isShiroConfigured())
- return;
-
- Subject currentUser = SecurityUtils.getSubject();
- try {
- logger.info("Logging out "+currentUser.getPrincipal());
- currentUser.logout();
- }
- catch(ShiroException e){
- throw new AuthenticationFailedException(e.getMessage(), e);
- }
- // clean out Shiro's thread local content
- ThreadContext.remove();
- }
-
- public static Callable associateWith(Callable callable){
- if(!isShiroConfigured())
- return callable;
-
- Subject currentUser = SecurityUtils.getSubject();
- return currentUser.associateWith(callable);
- }
-
- public static void authorize(ResourceOperationContext context) {
- authorize(context.getResource().name(), context.getOperationCode().name(), context.getRegionName());
- }
-
- public static void authorize(ResourceOperation resourceOperation) {
- authorize(resourceOperation.resource().name(), resourceOperation.operation().name());
- }
-
- public static void authorize(String resource, String operation){
- authorize(resource, operation, null);
- }
-
- public static void authorize(String resource, String operation, String regionName){
- if(!isShiroConfigured())
- return;
-
- ResourceOperationContext permission = new ResourceOperationContext(resource, operation, regionName);
- Subject currentUser = SecurityUtils.getSubject();
- try {
- currentUser.checkPermission(permission);
- }
- catch(ShiroException e){
- logger.info(currentUser.getPrincipal() + " not authorized for "+resource+":"+operation+":"+regionName);
- throw new GemFireSecurityException(e.getMessage(), e);
- }
- }
-
- private static boolean isShiroConfigured(){
- try{
- SecurityUtils.getSecurityManager();
- }
- catch(UnavailableSecurityManagerException e){
- return false;
- }
- return true;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
index baa8393..3ded1dc 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
@@ -49,7 +49,7 @@ public class CacheServerMBeanAuthorizationJUnitTest {
@JMXConnectionConfiguration(user = "data-admin", password = "1234567")
public void testDataAdmin() throws Exception {
bean.removeIndex("foo");
- assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining("DATA:READ");
+ assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
bean.fetchLoadProbe();
bean.getActiveCQCount();
bean.stopContinuousQuery("bar");
@@ -61,8 +61,8 @@ public class CacheServerMBeanAuthorizationJUnitTest {
@Test
@JMXConnectionConfiguration(user = "cluster-admin", password = "1234567")
public void testClusterAdmin() throws Exception {
- assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining("DATA:READ");
+ assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
bean.fetchLoadProbe();
}
@@ -70,21 +70,21 @@ public class CacheServerMBeanAuthorizationJUnitTest {
@Test
@JMXConnectionConfiguration(user = "data-user", password = "1234567")
public void testDataUser() throws Exception {
- assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining("DATA:MANAGE");
+ assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
bean.executeContinuousQuery("bar");
- assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining("CLUSTER:READ");
+ assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
}
@Test
@JMXConnectionConfiguration(user = "stranger", password = "1234567")
public void testNoAccess() throws Exception {
- assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining("DATA:READ");
- assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.stopContinuousQuery("bar")).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.closeAllContinuousQuery("bar")).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.isRunning()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.showClientQueueDetails("bar")).hasMessageContaining("CLUSTER:READ");
+ assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
+ assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.stopContinuousQuery("bar")).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.closeAllContinuousQuery("bar")).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.isRunning()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.showClientQueueDetails("bar")).hasMessageContaining(TestCommand.clusterRead.toString());
}
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
index e55623d..85a55a7 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
@@ -61,13 +61,33 @@ public class CacheServerMBeanShiroJUnitTest {
@Test
@JMXConnectionConfiguration(user = "guest", password = "guest")
public void testNoAccess() throws Exception {
- assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining("DATA:READ");
- assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.stopContinuousQuery("bar")).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.closeAllContinuousQuery("bar")).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.isRunning()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.showClientQueueDetails("bar")).hasMessageContaining("CLUSTER:READ");
+ assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
+ assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.stopContinuousQuery("bar")).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.closeAllContinuousQuery("bar")).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.isRunning()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.showClientQueueDetails("bar")).hasMessageContaining(TestCommand.clusterRead.toString());
+ }
+
+ @Test
+ @JMXConnectionConfiguration(user = "regionAReader", password = "password")
+ public void testRegionAccess() throws Exception{
+ assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining(TestCommand.clusterRead.toString());
+
+ assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
+ }
+
+ @Test
+ @JMXConnectionConfiguration(user = "dataReader", password = "12345")
+ public void testDataRead() throws Exception{
+ assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining(TestCommand.clusterRead.toString());
+
+ bean.executeContinuousQuery("bar");
}
}
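Review bot: `testRegionAccess` asserts denials only, so it would pass unchanged if `regionAReader` had no permissions at all, which is the case `testNoAccess` already covers for `guest`. To show that a region-scoped grant is neither widened to unscoped data read nor silently dropped, the test needs one call that this principal is allowed to make. If this bean exposes no region-scoped operation (not visible in this hunk), say so in a comment such as `// regionAReader may read regionA only; every operation on this bean needs an unscoped permission`. What `regionAReader` is granted is inferred from the user name, since the Shiro configuration is not shown here.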
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java
index 5e49f92..0864e52 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java
@@ -24,21 +24,17 @@ import com.gemstone.gemfire.internal.AvailablePort;
import com.gemstone.gemfire.internal.logging.LogService;
import com.gemstone.gemfire.management.MemberMXBean;
import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+
import org.junit.Before;
import org.junit.ClassRule;
-import org.junit.FixMethodOrder;
import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
-import org.junit.runners.MethodSorters;
/**
- * tests will be run alphabetically, in this test class, we run non-admin test first,
- * since we don't want to have the server stopped for the rest of the tests.
*/
@Category(IntegrationTest.class)
-@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class CliCommandsSecurityTest {
private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
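Review bot: Removing `@FixMethodOrder` also removes the only explanation of why order mattered: the deleted comment says the non-admin test had to run first so that the server was not stopped for the remaining tests. `testAdminUser` still runs every entry of `commands` as `super-user` (see the later hunks), so if that list contains a command that stops the member, `testNoAccess` can now run against a stopped server; the contents of `commands` are not visible here. Either keep the ordering, or state in the class comment what makes the two tests independent, for example `/** Tests are order-independent: no entry in commands stops the member. */` if that is in fact the case. The hunk also leaves an empty `/** */` block on the class.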
@@ -60,11 +56,8 @@ public class CliCommandsSecurityTest {
@Test
@JMXConnectionConfiguration(user = "stranger", password = "1234567")
- // the tests are run in alphabetical order, so the naming of the tests do matter
- public void a_testNoAccess(){
-// List<TestCommand> clusterReads = new ArrayList<>();
-// clusterReads.add(new TestCommand("deploy --jar=group1_functions.jar --group=Group1", "CLUSTER:MANAGE"));
- for (TestCommand command:commands) {
+ public void testNoAccess(){
+ for (TestCommand command:commands) {
LogService.getLogger().info("processing: "+command.getCommand());
// for those commands that don't require any permission, any user can execute them
if(command.getPermission()==null){
@@ -72,14 +65,14 @@ public class CliCommandsSecurityTest {
}
else {
assertThatThrownBy(() -> bean.processCommand(command.getCommand()))
- .hasMessageContaining(command.getPermission());
+ .hasMessageContaining(command.getPermission().toString());
}
}
}
@Test
@JMXConnectionConfiguration(user = "super-user", password = "1234567")
- public void b_testAdminUser() throws Exception {
+ public void testAdminUser() throws Exception {
for (TestCommand command:commands) {
LogService.getLogger().info("processing: "+command.getCommand());
bean.processCommand(command.getCommand());
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
index 7517f49..97260d8 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
@@ -68,15 +68,16 @@ public class DataCommandsSecurityTest {
@Test
public void testRegionAcess(){
assertThatThrownBy(() -> bean.processCommand("rebalance --include-region=region2")).isInstanceOf(GemFireSecurityException.class)
- .hasMessageContaining("DATA:MANAGE");
+ .hasMessageContaining(TestCommand.dataManage.toString());
assertThatThrownBy(() -> bean.processCommand("export data --region=region2 --file=foo.txt --member=value")).isInstanceOf(GemFireSecurityException.class);
assertThatThrownBy(() -> bean.processCommand("import data --region=region2 --file=foo.txt --member=value")).isInstanceOf(GemFireSecurityException.class);
assertThatThrownBy(() -> bean.processCommand("put --key=key1 --value=value1 --region=region2")).isInstanceOf(GemFireSecurityException.class)
- .hasMessageContaining("DATA:WRITE");
+ .hasMessageContaining("[data]:[write]:[region2]");
- assertThatThrownBy(() -> bean.processCommand("get --key=key1 --region=region2")).isInstanceOf(GemFireSecurityException.class);
+ assertThatThrownBy(() -> bean.processCommand("get --key=key1 --region=region2")).isInstanceOf(GemFireSecurityException.class)
+ .hasMessageContaining("[data]:[read]:[region2]");
}
}
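Review bot: The `export data` and `import data` assertions check only the exception type, while the commit message says import/export now check region access; as written they pass on an unscoped denial just as well. They should assert the region-scoped permission the way the `put` and `get` lines now do, e.g. `.hasMessageContaining("[data]:[read]:[region2]")` for export. The operation each command actually requires is not visible in this hunk, so take it from the command's annotation. The literals `"[data]:[write]:[region2]"` and `"[data]:[read]:[region2]"` also hard-code the permission's string form while the rest of the commit uses `TestCommand` constants; deriving them from the same permission type would keep these tests in step if that format changes.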
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
index f248736..05d3e3d 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
@@ -69,15 +69,15 @@ public class DiskStoreMXBeanSecurityJUnitTest {
@Test
@JMXConnectionConfiguration(user = "data-user", password = "1234567")
public void testNoAccess() throws Exception {
- assertThatThrownBy(() -> bean.flush()).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.forceCompaction()).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.forceRoll()).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.getCompactionThreshold()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.getDiskDirectories()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.getDiskReadsRate()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.isAutoCompact()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.isForceCompactionAllowed()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.setDiskUsageCriticalPercentage(0.5f)).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.setDiskUsageWarningPercentage(0.5f)).hasMessageContaining("DATA:MANAGE");
+ assertThatThrownBy(() -> bean.flush()).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.forceCompaction()).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.forceRoll()).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.getCompactionThreshold()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getDiskDirectories()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getDiskReadsRate()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.isAutoCompact()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.isForceCompactionAllowed()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.setDiskUsageCriticalPercentage(0.5f)).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.setDiskUsageWarningPercentage(0.5f)).hasMessageContaining(TestCommand.dataManage.toString());
}
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java
index b28069f..6c97694 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java
@@ -16,10 +16,16 @@
*/
package com.gemstone.gemfire.management.internal.security;
+import static org.assertj.core.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
+import javax.management.ObjectName;
+
import com.gemstone.gemfire.internal.AvailablePort;
import com.gemstone.gemfire.management.GatewayReceiverMXBean;
import com.gemstone.gemfire.management.ManagementService;
import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
@@ -28,11 +34,6 @@ import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
-import javax.management.ObjectName;
-
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.mockito.Mockito.mock;
-
@Category(IntegrationTest.class)
public class GatewayReceiverMBeanSecurityTest {
private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
@@ -81,9 +82,9 @@ public class GatewayReceiverMBeanSecurityTest {
@Test
@JMXConnectionConfiguration(user = "data-user", password = "1234567")
public void testNoAccess() throws Exception {
- assertThatThrownBy(() -> bean.getTotalConnectionsTimedOut()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.start()).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.stop()).hasMessageContaining("DATA:MANAGE");
+ assertThatThrownBy(() -> bean.getTotalConnectionsTimedOut()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.start()).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.stop()).hasMessageContaining(TestCommand.dataManage.toString());
}
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java
index 3a9412d..4806464 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java
@@ -88,18 +88,18 @@ public class GatewaySenderMBeanSecurityTest {
@Test
@JMXConnectionConfiguration(user = "stranger", password = "1234567")
public void testNoAccess() throws Exception {
- assertThatThrownBy(() -> bean.getAlertThreshold()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.getAverageDistributionTimePerBatch()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.getBatchSize()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.getMaximumQueueMemory()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.getOrderPolicy()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.isBatchConflationEnabled()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.isManualStart()).hasMessageContaining("CLUSTER:READ");
- assertThatThrownBy(() -> bean.pause()).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.rebalance()).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.resume()).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.start()).hasMessageContaining("DATA:MANAGE");
- assertThatThrownBy(() -> bean.stop()).hasMessageContaining("DATA:MANAGE");
+ assertThatThrownBy(() -> bean.getAlertThreshold()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getAverageDistributionTimePerBatch()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getBatchSize()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getMaximumQueueMemory()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.getOrderPolicy()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.isBatchConflationEnabled()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.isManualStart()).hasMessageContaining(TestCommand.clusterRead.toString());
+ assertThatThrownBy(() -> bean.pause()).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.rebalance()).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.resume()).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.start()).hasMessageContaining(TestCommand.dataManage.toString());
+ assertThatThrownBy(() -> bean.stop()).hasMessageContaining(TestCommand.dataManage.toString());
}
}