Posted to commits@geode.apache.org by je...@apache.org on 2016/03/31 19:00:32 UTC
incubator-geode git commit: GEODE-17: Authorization tests for
WanCommands
Repository: incubator-geode
Updated Branches:
refs/heads/feature/GEODE-17-2 035ff5b52 -> 5e51d7c74
GEODE-17: Authorization tests for WanCommands
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/5e51d7c7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/5e51d7c7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/5e51d7c7
Branch: refs/heads/feature/GEODE-17-2
Commit: 5e51d7c740a25450796cd88726eef8dfc8d6535f
Parents: 035ff5b
Author: Jens Deppe <jd...@pivotal.io>
Authored: Thu Mar 31 10:00:28 2016 -0700
Committer: Jens Deppe <jd...@pivotal.io>
Committed: Thu Mar 31 10:00:28 2016 -0700
----------------------------------------------------------------------
.../security/WanCommandsSecurityTest.java | 106 +++++++++++++++++++
.../internal/security/cacheServer.json | 28 +++++
2 files changed, 134 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/5e51d7c7/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/WanCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/WanCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/WanCommandsSecurityTest.java
new file mode 100644
index 0000000..771458c
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/WanCommandsSecurityTest.java
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.management.MemberMXBean;
+import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+@Category(IntegrationTest.class)
+public class WanCommandsSecurityTest {
+ private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+
+ private MemberMXBean bean;
+
+ @ClassRule
+ public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule(
+ jmxManagerPort, "cacheServer.json");
+
+ @Rule
+ public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+
+ @Before
+ public void setUp() throws Exception {
+ bean = connectionRule.getProxyMBean(MemberMXBean.class);
+ }
+
+ @Test
+ @JMXConnectionConfiguration(user = "adminUser", password = "1234567")
+ public void testAdminUser() throws Exception {
+ bean.processCommand("create gateway-sender --id=sender1 --remote-distributed-system-id=2");
+ bean.processCommand("start gateway-sender --id=sender1");
+ bean.processCommand("pause gateway-sender --id=sender1");
+ bean.processCommand("resume gateway-sender --id=sender1");
+ bean.processCommand("stop gateway-sender --id=sender1");
+ bean.processCommand("list gateways");
+ bean.processCommand("create gateway-receiver");
+ bean.processCommand("start gateway-receiver");
+ bean.processCommand("stop gateway-receiver");
+ bean.processCommand("status gateway-receiver");
+ }
+
+ // dataUser has all the permissions granted, but not to region2 (only to region1)
+ @Test
+ @JMXConnectionConfiguration(user = "dataUser", password = "1234567")
+ public void testNoAccess(){
+ assertThatThrownBy(() -> bean.processCommand("create gateway-sender --id=sender1 --remote-distributed-system-id=2"))
+ .isInstanceOf(SecurityException.class)
+ .hasMessageStartingWith("Access Denied: Not authorized for GATEWAY_SENDER:CREATE");
+
+ assertThatThrownBy(() -> bean.processCommand("start gateway-sender --id=sender1"))
+ .isInstanceOf(SecurityException.class)
+ .hasMessageStartingWith("Access Denied: Not authorized for GATEWAY_SENDER:START");
+
+ assertThatThrownBy(() -> bean.processCommand("pause gateway-sender --id=sender1"))
+ .isInstanceOf(SecurityException.class)
+ .hasMessageStartingWith("Access Denied: Not authorized for GATEWAY_SENDER:PAUSE");
+
+ assertThatThrownBy(() -> bean.processCommand("resume gateway-sender --id=sender1"))
+ .isInstanceOf(SecurityException.class)
+ .hasMessageStartingWith("Access Denied: Not authorized for GATEWAY_SENDER:RESUME");
+
+ assertThatThrownBy(() -> bean.processCommand("stop gateway-sender --id=sender1"))
+ .isInstanceOf(SecurityException.class)
+ .hasMessageStartingWith("Access Denied: Not authorized for GATEWAY_SENDER:STOP");
+
+ bean.processCommand("list gateways");
+
+ assertThatThrownBy(() -> bean.processCommand("create gateway-receiver"))
+ .isInstanceOf(SecurityException.class)
+ .hasMessageStartingWith("Access Denied: Not authorized for GATEWAY_RECEIVER:CREATE");
+
+ assertThatThrownBy(() -> bean.processCommand("start gateway-receiver"))
+ .isInstanceOf(SecurityException.class)
+ .hasMessageStartingWith("Access Denied: Not authorized for GATEWAY_RECEIVER:START");
+
+ assertThatThrownBy(() -> bean.processCommand("stop gateway-receiver"))
+ .isInstanceOf(SecurityException.class)
+ .hasMessageStartingWith("Access Denied: Not authorized for GATEWAY_RECEIVER:STOP");
+
+ assertThatThrownBy(() -> bean.processCommand("status gateway-receiver"))
+ .isInstanceOf(SecurityException.class)
+ .hasMessageStartingWith("Access Denied: Not authorized for GATEWAY_RECEIVER:STATUS");
+ }
+
+}
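Review bot: The comment above testNoAccess (`// dataUser has all the permissions granted, but not to region2 (only to region1)`) describes region-level access, but the test issues only gateway commands and expects GATEWAY_SENDER and GATEWAY_RECEIVER denials, so it reads like a leftover from another test. Something like `// dataUser has no GATEWAY_SENDER or GATEWAY_RECEIVER permissions; only "list gateways" is expected to succeed` would match what is asserted. Separately, testAdminUser discards every processCommand result, so it passes whenever no exception is thrown; a one-line comment saying that only the absence of a SecurityException is checked, or an assertion on the returned result, would make that intent explicit. Both users appear to be either fully granted or fully denied for gateway operations, so a check that matched the resource and ignored the operation would presumably still pass; a user granted only a subset (for example only `GATEWAY_SENDER:START`) would cover that case.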
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/5e51d7c7/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
index 20376b8..5dd08af 100644
--- a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
@@ -1,6 +1,26 @@
{
"roles": [
{
+ "name": "admin",
+ "operationsAllowed": [
+ "DISTRIBUTED_SYSTEM:LIST",
+ "GATEWAY_RECEIVER:CREATE",
+ "GATEWAY_RECEIVER:START",
+ "GATEWAY_RECEIVER:STOP",
+ "GATEWAY_RECEIVER:STATUS",
+ "GATEWAY_SENDER:CREATE",
+ "GATEWAY_SENDER:START",
+ "GATEWAY_SENDER:PAUSE",
+ "GATEWAY_SENDER:RESUME",
+ "GATEWAY_SENDER:STOP"
+ ]
+ },
+ {
+ "name": "data-admin",
+ "operationsAllowed": [
+ ]
+ },
+ {
"name": "everything",
"operationsAllowed": [
"DISTRIBUTED_SYSTEM:LIST_DS",
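Review bot: The new `data-admin` role is added with an empty `operationsAllowed` list, and none of the users visible in this diff is assigned to it. If it is a placeholder for a later test, it would be clearer to add it together with the user and the test that need it. If it is meant to model a role with no permissions, that is worth stating in the commit message, since this JSON file cannot carry a comment. The users array is only partly visible here, so an existing user may already reference the role.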
@@ -51,6 +71,7 @@
{
"name": "dataUsers",
"operationsAllowed": [
+ "DISTRIBUTED_SYSTEM:LIST",
"REGION:GET",
"REGION:REBALANCE",
"REGION:EXPORT",
@@ -72,6 +93,13 @@
],
"users": [
{
+ "name": "adminUser",
+ "password": "1234567",
+ "roles": [
+ "admin"
+ ]
+ },
+ {
"name": "superuser",
"password": "1234567",
"roles": [