#gg-9809: add temp class SecurityContextImpl in GridOsSecurityProcessor instead 
of using GridSecurityContext.


Project: http://git-wip-us.apache.org/repos/asf/incubator-ignite/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ignite/commit/17fa00b2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ignite/tree/17fa00b2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ignite/diff/17fa00b2

Branch: refs/heads/sprint-2
Commit: 17fa00b21822c704a843f0dfd99e03d297c442f0
Parents: c507676
Author: ivasilinets <ivasilin...@gridgain.com>
Authored: Wed Feb 18 14:42:48 2015 +0300
Committer: ivasilinets <ivasilin...@gridgain.com>
Committed: Wed Feb 18 14:42:48 2015 +0300

----------------------------------------------------------------------
 .../security/os/GridOsSecurityProcessor.java    | 262 ++++++++++++++++++-
 .../discovery/AbstractDiscoverySelfTest.java    |   3 +-
 .../tcp/TcpDiscoverySpiStartStopSelfTest.java   |   3 +-
 .../junits/spi/GridSpiAbstractTest.java         |   2 +-
 4 files changed, 264 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/17fa00b2/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
----------------------------------------------------------------------
diff --git 
a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
 
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
index 54bf946..b83935e 100644
--- 
a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
+++ 
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
@@ -28,6 +28,7 @@ import org.apache.ignite.internal.util.typedef.internal.*;
 import org.apache.ignite.plugin.security.*;
 import org.jetbrains.annotations.*;
 
+import java.io.*;
 import java.net.*;
 import java.util.*;
 
@@ -77,7 +78,7 @@ public class GridOsSecurityProcessor extends 
GridProcessorAdapter implements Gri
 
         s.permissions(ALLOW_ALL);
 
-        return new GridSecurityContext(s);
+        return new SecurityContextImpl(s);
     }
 
     /** {@inheritDoc} */
@@ -95,7 +96,7 @@ public class GridOsSecurityProcessor extends 
GridProcessorAdapter implements Gri
         if (authCtx.credentials() != null)
             s.login(authCtx.credentials().getLogin());
 
-        return new GridSecurityContext(s);
+        return new SecurityContextImpl(s);
     }
 
     /** {@inheritDoc} */
@@ -116,7 +117,7 @@ public class GridOsSecurityProcessor extends 
GridProcessorAdapter implements Gri
 
     /** {@inheritDoc} */
     @Override public SecurityContext createSecurityContext(GridSecuritySubject 
subj) {
-        return new GridSecurityContext(subj);
+        return new SecurityContextImpl(subj);
     }
 
     /** {@inheritDoc} */
@@ -220,4 +221,259 @@ public class GridOsSecurityProcessor extends 
GridProcessorAdapter implements Gri
             return S.toString(GridSecuritySubjectAdapter.class, this);
         }
     }
+
+    /**
+     * TODO: remove
+     */
+    private class SecurityContextImpl implements SecurityContext, 
Externalizable {
+        /** */
+        private static final long serialVersionUID = 0L;
+
+        /**
+         * Visor ignite tasks prefix.
+         */
+        private static final String VISOR_IGNITE_TASK_PREFIX = 
"org.apache.ignite.internal.visor.";
+
+        /**
+         * Visor gridgain tasks prefix.
+         */
+        private static final String VISOR_GRIDGAIN_TASK_PREFIX = 
"org.gridgain.grid.internal.visor.";
+
+        /**
+         * Cache query task name.
+         */
+        public static final String VISOR_CACHE_QUERY_TASK_NAME =
+            "org.apache.ignite.internal.visor.query.VisorQueryTask";
+
+        /**
+         * Cache load task name.
+         */
+        public static final String VISOR_CACHE_LOAD_TASK_NAME =
+            "org.apache.ignite.internal.visor.cache.VisorCacheLoadTask";
+
+        /**
+         * Cache clear task name.
+         */
+        public static final String VISOR_CACHE_CLEAR_TASK_NAME =
+            "org.apache.ignite.internal.visor.query.VisorQueryCleanupTask";
+
+        /**
+         * Security subject.
+         */
+        private GridSecuritySubject subj;
+
+        /**
+         * String task permissions.
+         */
+        private Map<String, Collection<GridSecurityPermission>> 
strictTaskPermissions = new LinkedHashMap<>();
+
+        /**
+         * String task permissions.
+         */
+        private Map<String, Collection<GridSecurityPermission>> 
wildcardTaskPermissions = new LinkedHashMap<>();
+
+        /**
+         * String task permissions.
+         */
+        private Map<String, Collection<GridSecurityPermission>> 
strictCachePermissions = new LinkedHashMap<>();
+
+        /**
+         * String task permissions.
+         */
+        private Map<String, Collection<GridSecurityPermission>> 
wildcardCachePermissions = new LinkedHashMap<>();
+
+        /**
+         * System-wide permissions.
+         */
+        private Collection<GridSecurityPermission> sysPermissions;
+
+        /**
+         * Empty constructor required by {@link Externalizable}.
+         */
+        public SecurityContextImpl() {
+            // No-op.
+        }
+
+        /**
+         * @param subj Subject.
+         */
+        public SecurityContextImpl(GridSecuritySubject subj) {
+            this.subj = subj;
+
+            initRules();
+        }
+
+        /**
+         * @return Security subject.
+         */
+        public GridSecuritySubject subject() {
+            return subj;
+        }
+
+        /**
+         * Checks whether task operation is allowed.
+         *
+         * @param taskClsName Task class name.
+         * @param perm        Permission to check.
+         * @return {@code True} if task operation is allowed.
+         */
+        public boolean taskOperationAllowed(String taskClsName, 
GridSecurityPermission perm) {
+            assert perm == GridSecurityPermission.TASK_EXECUTE || perm == 
GridSecurityPermission.TASK_CANCEL;
+
+            if (visorTask(taskClsName))
+                return visorTaskAllowed(taskClsName);
+
+            Collection<GridSecurityPermission> p = 
strictTaskPermissions.get(taskClsName);
+
+            if (p != null)
+                return p.contains(perm);
+
+            for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
wildcardTaskPermissions.entrySet()) {
+                if (taskClsName.startsWith(entry.getKey()))
+                    return entry.getValue().contains(perm);
+            }
+
+            return subj.permissions().defaultAllowAll();
+        }
+
+        /**
+         * Checks whether cache operation is allowed.
+         *
+         * @param cacheName Cache name.
+         * @param perm      Permission to check.
+         * @return {@code True} if cache operation is allowed.
+         */
+        public boolean cacheOperationAllowed(String cacheName, 
GridSecurityPermission perm) {
+            assert perm == GridSecurityPermission.CACHE_PUT || perm == 
GridSecurityPermission.CACHE_READ ||
+                perm == GridSecurityPermission.CACHE_REMOVE;
+
+            Collection<GridSecurityPermission> p = 
strictCachePermissions.get(cacheName);
+
+            if (p != null)
+                return p.contains(perm);
+
+            for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
wildcardCachePermissions.entrySet()) {
+                if (cacheName != null) {
+                    if (cacheName.startsWith(entry.getKey()))
+                        return entry.getValue().contains(perm);
+                } else {
+                    // Match null cache to '*'
+                    if (entry.getKey().isEmpty())
+                        return entry.getValue().contains(perm);
+                }
+            }
+
+            return subj.permissions().defaultAllowAll();
+        }
+
+        /**
+         * Checks whether system-wide permission is allowed (excluding Visor 
task operations).
+         *
+         * @param perm Permission to check.
+         * @return {@code True} if system operation is allowed.
+         */
+        public boolean systemOperationAllowed(GridSecurityPermission perm) {
+            if (sysPermissions == null)
+                return subj.permissions().defaultAllowAll();
+
+            boolean ret = sysPermissions.contains(perm);
+
+            if (!ret && (perm == GridSecurityPermission.EVENTS_ENABLE || perm 
== GridSecurityPermission.EVENTS_DISABLE))
+                ret = 
sysPermissions.contains(GridSecurityPermission.ADMIN_VIEW);
+
+            return ret;
+        }
+
+        /**
+         * Checks if task is Visor task.
+         *
+         * @param taskCls Task class name.
+         * @return {@code True} if task is Visor task.
+         */
+        private boolean visorTask(String taskCls) {
+            return taskCls.startsWith(VISOR_IGNITE_TASK_PREFIX) || 
taskCls.startsWith(VISOR_GRIDGAIN_TASK_PREFIX);
+        }
+
+        /**
+         * Checks if Visor task is allowed for execution.
+         *
+         * @param taskName Task name.
+         * @return {@code True} if execution is allowed.
+         */
+        private boolean visorTaskAllowed(String taskName) {
+            if (sysPermissions == null)
+                return subj.permissions().defaultAllowAll();
+
+            switch (taskName) {
+                case VISOR_CACHE_QUERY_TASK_NAME:
+                    return 
sysPermissions.contains(GridSecurityPermission.ADMIN_QUERY);
+                case VISOR_CACHE_LOAD_TASK_NAME:
+                case VISOR_CACHE_CLEAR_TASK_NAME:
+                    return 
sysPermissions.contains(GridSecurityPermission.ADMIN_CACHE);
+                default:
+                    return 
sysPermissions.contains(GridSecurityPermission.ADMIN_VIEW);
+            }
+        }
+
+        /**
+         * Init rules.
+         */
+        private void initRules() {
+            GridSecurityPermissionSet permSet = subj.permissions();
+
+            for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
permSet.taskPermissions().entrySet()) {
+                String ptrn = entry.getKey();
+
+                Collection<GridSecurityPermission> vals = 
Collections.unmodifiableCollection(entry.getValue());
+
+                if (ptrn.endsWith("*")) {
+                    String noWildcard = ptrn.substring(0, ptrn.length() - 1);
+
+                    wildcardTaskPermissions.put(noWildcard, vals);
+                } else
+                    strictTaskPermissions.put(ptrn, vals);
+            }
+
+            for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
permSet.cachePermissions().entrySet()) {
+                String ptrn = entry.getKey();
+
+                Collection<GridSecurityPermission> vals = 
Collections.unmodifiableCollection(entry.getValue());
+
+                if (ptrn != null && ptrn.endsWith("*")) {
+                    String noWildcard = ptrn.substring(0, ptrn.length() - 1);
+
+                    wildcardCachePermissions.put(noWildcard, vals);
+                } else
+                    strictCachePermissions.put(ptrn, vals);
+            }
+
+            sysPermissions = permSet.systemPermissions();
+        }
+
+        /**
+         * {@inheritDoc}
+         */
+        @Override
+        public void writeExternal(ObjectOutput out) throws IOException {
+            out.writeObject(subj);
+        }
+
+        /**
+         * {@inheritDoc}
+         */
+        @Override
+        public void readExternal(ObjectInput in) throws IOException, 
ClassNotFoundException {
+            subj = (GridSecuritySubject) in.readObject();
+
+            initRules();
+        }
+
+        /**
+         * {@inheritDoc}
+         */
+        @Override
+        public String toString() {
+            return S.toString(SecurityContextImpl.class, this);
+        }
+    }
 }
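Review bot: SecurityContextImpl is declared as a non-static inner class on the line `private class SecurityContextImpl implements SecurityContext, Externalizable {`, yet it implements Externalizable; an inner class's "no-arg" constructor carries a hidden GridOsSecurityProcessor enclosing-instance parameter, so ObjectInputStream finds no zero-argument constructor and readObject fails with InvalidClassException ("no valid constructor") the first time a security context is deserialized from another node. Changing the declaration to `private static class SecurityContextImpl implements SecurityContext, Externalizable {` fixes that and also stops the context from capturing a reference to the processor. The wildcard lookups in taskOperationAllowed and cacheOperationAllowed return on the first LinkedHashMap entry whose prefix matches, so a broader pattern that initRules registered before a narrower one silently decides the outcome; a comment on those loops such as `// First matching prefix wins, in permission-set iteration order.` would make the contract explicit. taskOperationAllowed and visorTask dereference taskClsName unguarded while the cache path tolerates a null cacheName, which looks intentional but deserves `@param taskClsName Task class name, must not be {@code null}.` in the Javadoc.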

http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/17fa00b2/modules/core/src/test/java/org/apache/ignite/spi/discovery/AbstractDiscoverySelfTest.java
----------------------------------------------------------------------
diff --git 
a/modules/core/src/test/java/org/apache/ignite/spi/discovery/AbstractDiscoverySelfTest.java
 
b/modules/core/src/test/java/org/apache/ignite/spi/discovery/AbstractDiscoverySelfTest.java
index 00423dd..e0717f4 100644
--- 
a/modules/core/src/test/java/org/apache/ignite/spi/discovery/AbstractDiscoverySelfTest.java
+++ 
b/modules/core/src/test/java/org/apache/ignite/spi/discovery/AbstractDiscoverySelfTest.java
@@ -19,6 +19,7 @@ package org.apache.ignite.spi.discovery;
 
 import mx4j.tools.adaptor.http.*;
 import org.apache.ignite.cluster.*;
+import org.apache.ignite.internal.*;
 import org.apache.ignite.internal.processors.security.*;
 import org.apache.ignite.internal.util.typedef.internal.*;
 import org.apache.ignite.marshaller.*;
@@ -393,7 +394,7 @@ public abstract class AbstractDiscoverySelfTest<T extends 
IgniteSpi> extends Gri
                     @Override public SecurityContext 
authenticateNode(ClusterNode n, GridSecurityCredentials cred) {
                         GridSecuritySubject subj = 
getGridSecuritySubject(GridSecuritySubjectType.REMOTE_NODE, n.id());
 
-                        return new GridSecurityContext(subj);
+                        return ((IgniteKernal) 
grid()).context().security().createSecurityContext(subj);
                     }
 
                     @Override public boolean isGlobalNodeAuthentication() {

http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/17fa00b2/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySpiStartStopSelfTest.java
----------------------------------------------------------------------
diff --git 
a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySpiStartStopSelfTest.java
 
b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySpiStartStopSelfTest.java
index 089da9d..2b6bcdd 100644
--- 
a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySpiStartStopSelfTest.java
+++ 
b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TcpDiscoverySpiStartStopSelfTest.java
@@ -18,6 +18,7 @@
 package org.apache.ignite.spi.discovery.tcp;
 
 import org.apache.ignite.cluster.*;
+import org.apache.ignite.internal.*;
 import org.apache.ignite.internal.processors.security.*;
 import org.apache.ignite.plugin.security.*;
 import org.apache.ignite.spi.*;
@@ -68,7 +69,7 @@ public class TcpDiscoverySpiStartStopSelfTest extends 
GridSpiStartStopAbstractTe
             @Override public SecurityContext authenticateNode(ClusterNode n, 
GridSecurityCredentials cred) {
                 GridSecuritySubject subj = 
getGridSecuritySubject(GridSecuritySubjectType.REMOTE_NODE, n.id());
 
-                return new GridSecurityContext(subj);
+                return ((IgniteKernal) 
grid()).context().security().createSecurityContext(subj);
             }
 
             @Override public boolean isGlobalNodeAuthentication() {

http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/17fa00b2/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java
----------------------------------------------------------------------
diff --git 
a/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java
 
b/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java
index b7c197a..c524398 100644
--- 
a/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java
+++ 
b/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java
@@ -336,7 +336,7 @@ public abstract class GridSpiAbstractTest<T extends 
IgniteSpi> extends GridAbstr
             @Override public SecurityContext authenticateNode(ClusterNode n, 
GridSecurityCredentials cred) {
                 GridSecuritySubject subj = 
getGridSecuritySubject(GridSecuritySubjectType.REMOTE_NODE, n.id());
 
-                return new GridSecurityContext(subj);
+                return ((IgniteKernal) 
grid()).context().security().createSecurityContext(subj);
             }
 
             @Override public boolean isGlobalNodeAuthentication() {
