Repository: incubator-ignite
Updated Branches:
  refs/heads/ignite-283-tx 29684e3ae -> 9b51b3235


#gg-9809: add temp class SecurityContextImpl.


Project: http://git-wip-us.apache.org/repos/asf/incubator-ignite/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ignite/commit/15a5c084
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ignite/tree/15a5c084
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ignite/diff/15a5c084

Branch: refs/heads/ignite-283-tx
Commit: 15a5c084fb2689b8511f6b1e069e3ccb9364252e
Parents: f9f27f0
Author: ivasilinets <ivasilin...@gridgain.com>
Authored: Wed Feb 18 15:23:33 2015 +0300
Committer: ivasilinets <ivasilin...@gridgain.com>
Committed: Wed Feb 18 15:23:33 2015 +0300

----------------------------------------------------------------------
 .../security/os/GridOsSecurityProcessor.java    | 256 ------------------
 .../security/os/SecurityContextImpl.java        | 265 +++++++++++++++++++
 2 files changed, 265 insertions(+), 256 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/15a5c084/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
----------------------------------------------------------------------
diff --git 
a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
 
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
index b83935e..8366b77 100644
--- 
a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
+++ 
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/GridOsSecurityProcessor.java
@@ -28,7 +28,6 @@ import org.apache.ignite.internal.util.typedef.internal.*;
 import org.apache.ignite.plugin.security.*;
 import org.jetbrains.annotations.*;
 
-import java.io.*;
 import java.net.*;
 import java.util.*;
 
@@ -221,259 +220,4 @@ public class GridOsSecurityProcessor extends 
GridProcessorAdapter implements Gri
             return S.toString(GridSecuritySubjectAdapter.class, this);
         }
     }
-
-    /**
-     * TODO: remove
-     */
-    private class SecurityContextImpl implements SecurityContext, 
Externalizable {
-        /** */
-        private static final long serialVersionUID = 0L;
-
-        /**
-         * Visor ignite tasks prefix.
-         */
-        private static final String VISOR_IGNITE_TASK_PREFIX = 
"org.apache.ignite.internal.visor.";
-
-        /**
-         * Visor gridgain tasks prefix.
-         */
-        private static final String VISOR_GRIDGAIN_TASK_PREFIX = 
"org.gridgain.grid.internal.visor.";
-
-        /**
-         * Cache query task name.
-         */
-        public static final String VISOR_CACHE_QUERY_TASK_NAME =
-            "org.apache.ignite.internal.visor.query.VisorQueryTask";
-
-        /**
-         * Cache load task name.
-         */
-        public static final String VISOR_CACHE_LOAD_TASK_NAME =
-            "org.apache.ignite.internal.visor.cache.VisorCacheLoadTask";
-
-        /**
-         * Cache clear task name.
-         */
-        public static final String VISOR_CACHE_CLEAR_TASK_NAME =
-            "org.apache.ignite.internal.visor.query.VisorQueryCleanupTask";
-
-        /**
-         * Security subject.
-         */
-        private GridSecuritySubject subj;
-
-        /**
-         * String task permissions.
-         */
-        private Map<String, Collection<GridSecurityPermission>> 
strictTaskPermissions = new LinkedHashMap<>();
-
-        /**
-         * String task permissions.
-         */
-        private Map<String, Collection<GridSecurityPermission>> 
wildcardTaskPermissions = new LinkedHashMap<>();
-
-        /**
-         * String task permissions.
-         */
-        private Map<String, Collection<GridSecurityPermission>> 
strictCachePermissions = new LinkedHashMap<>();
-
-        /**
-         * String task permissions.
-         */
-        private Map<String, Collection<GridSecurityPermission>> 
wildcardCachePermissions = new LinkedHashMap<>();
-
-        /**
-         * System-wide permissions.
-         */
-        private Collection<GridSecurityPermission> sysPermissions;
-
-        /**
-         * Empty constructor required by {@link Externalizable}.
-         */
-        public SecurityContextImpl() {
-            // No-op.
-        }
-
-        /**
-         * @param subj Subject.
-         */
-        public SecurityContextImpl(GridSecuritySubject subj) {
-            this.subj = subj;
-
-            initRules();
-        }
-
-        /**
-         * @return Security subject.
-         */
-        public GridSecuritySubject subject() {
-            return subj;
-        }
-
-        /**
-         * Checks whether task operation is allowed.
-         *
-         * @param taskClsName Task class name.
-         * @param perm        Permission to check.
-         * @return {@code True} if task operation is allowed.
-         */
-        public boolean taskOperationAllowed(String taskClsName, 
GridSecurityPermission perm) {
-            assert perm == GridSecurityPermission.TASK_EXECUTE || perm == 
GridSecurityPermission.TASK_CANCEL;
-
-            if (visorTask(taskClsName))
-                return visorTaskAllowed(taskClsName);
-
-            Collection<GridSecurityPermission> p = 
strictTaskPermissions.get(taskClsName);
-
-            if (p != null)
-                return p.contains(perm);
-
-            for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
wildcardTaskPermissions.entrySet()) {
-                if (taskClsName.startsWith(entry.getKey()))
-                    return entry.getValue().contains(perm);
-            }
-
-            return subj.permissions().defaultAllowAll();
-        }
-
-        /**
-         * Checks whether cache operation is allowed.
-         *
-         * @param cacheName Cache name.
-         * @param perm      Permission to check.
-         * @return {@code True} if cache operation is allowed.
-         */
-        public boolean cacheOperationAllowed(String cacheName, 
GridSecurityPermission perm) {
-            assert perm == GridSecurityPermission.CACHE_PUT || perm == 
GridSecurityPermission.CACHE_READ ||
-                perm == GridSecurityPermission.CACHE_REMOVE;
-
-            Collection<GridSecurityPermission> p = 
strictCachePermissions.get(cacheName);
-
-            if (p != null)
-                return p.contains(perm);
-
-            for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
wildcardCachePermissions.entrySet()) {
-                if (cacheName != null) {
-                    if (cacheName.startsWith(entry.getKey()))
-                        return entry.getValue().contains(perm);
-                } else {
-                    // Match null cache to '*'
-                    if (entry.getKey().isEmpty())
-                        return entry.getValue().contains(perm);
-                }
-            }
-
-            return subj.permissions().defaultAllowAll();
-        }
-
-        /**
-         * Checks whether system-wide permission is allowed (excluding Visor 
task operations).
-         *
-         * @param perm Permission to check.
-         * @return {@code True} if system operation is allowed.
-         */
-        public boolean systemOperationAllowed(GridSecurityPermission perm) {
-            if (sysPermissions == null)
-                return subj.permissions().defaultAllowAll();
-
-            boolean ret = sysPermissions.contains(perm);
-
-            if (!ret && (perm == GridSecurityPermission.EVENTS_ENABLE || perm 
== GridSecurityPermission.EVENTS_DISABLE))
-                ret = 
sysPermissions.contains(GridSecurityPermission.ADMIN_VIEW);
-
-            return ret;
-        }
-
-        /**
-         * Checks if task is Visor task.
-         *
-         * @param taskCls Task class name.
-         * @return {@code True} if task is Visor task.
-         */
-        private boolean visorTask(String taskCls) {
-            return taskCls.startsWith(VISOR_IGNITE_TASK_PREFIX) || 
taskCls.startsWith(VISOR_GRIDGAIN_TASK_PREFIX);
-        }
-
-        /**
-         * Checks if Visor task is allowed for execution.
-         *
-         * @param taskName Task name.
-         * @return {@code True} if execution is allowed.
-         */
-        private boolean visorTaskAllowed(String taskName) {
-            if (sysPermissions == null)
-                return subj.permissions().defaultAllowAll();
-
-            switch (taskName) {
-                case VISOR_CACHE_QUERY_TASK_NAME:
-                    return 
sysPermissions.contains(GridSecurityPermission.ADMIN_QUERY);
-                case VISOR_CACHE_LOAD_TASK_NAME:
-                case VISOR_CACHE_CLEAR_TASK_NAME:
-                    return 
sysPermissions.contains(GridSecurityPermission.ADMIN_CACHE);
-                default:
-                    return 
sysPermissions.contains(GridSecurityPermission.ADMIN_VIEW);
-            }
-        }
-
-        /**
-         * Init rules.
-         */
-        private void initRules() {
-            GridSecurityPermissionSet permSet = subj.permissions();
-
-            for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
permSet.taskPermissions().entrySet()) {
-                String ptrn = entry.getKey();
-
-                Collection<GridSecurityPermission> vals = 
Collections.unmodifiableCollection(entry.getValue());
-
-                if (ptrn.endsWith("*")) {
-                    String noWildcard = ptrn.substring(0, ptrn.length() - 1);
-
-                    wildcardTaskPermissions.put(noWildcard, vals);
-                } else
-                    strictTaskPermissions.put(ptrn, vals);
-            }
-
-            for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
permSet.cachePermissions().entrySet()) {
-                String ptrn = entry.getKey();
-
-                Collection<GridSecurityPermission> vals = 
Collections.unmodifiableCollection(entry.getValue());
-
-                if (ptrn != null && ptrn.endsWith("*")) {
-                    String noWildcard = ptrn.substring(0, ptrn.length() - 1);
-
-                    wildcardCachePermissions.put(noWildcard, vals);
-                } else
-                    strictCachePermissions.put(ptrn, vals);
-            }
-
-            sysPermissions = permSet.systemPermissions();
-        }
-
-        /**
-         * {@inheritDoc}
-         */
-        @Override
-        public void writeExternal(ObjectOutput out) throws IOException {
-            out.writeObject(subj);
-        }
-
-        /**
-         * {@inheritDoc}
-         */
-        @Override
-        public void readExternal(ObjectInput in) throws IOException, 
ClassNotFoundException {
-            subj = (GridSecuritySubject) in.readObject();
-
-            initRules();
-        }
-
-        /**
-         * {@inheritDoc}
-         */
-        @Override
-        public String toString() {
-            return S.toString(SecurityContextImpl.class, this);
-        }
-    }
 }

http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/15a5c084/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/SecurityContextImpl.java
----------------------------------------------------------------------
diff --git 
a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/SecurityContextImpl.java
 
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/SecurityContextImpl.java
new file mode 100644
index 0000000..136ab3f
--- /dev/null
+++ 
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/os/SecurityContextImpl.java
@@ -0,0 +1,265 @@
+package org.apache.ignite.internal.processors.security.os;
+
+import org.apache.ignite.internal.processors.security.*;
+import org.apache.ignite.internal.util.typedef.internal.*;
+import org.apache.ignite.plugin.security.*;
+
+import java.io.*;
+import java.util.*;
+
+/**
+ * TODO: remove
+ */
+public class SecurityContextImpl implements SecurityContext, Externalizable
+
+    {
+        /** */
+        private static final long serialVersionUID = 0L;
+
+        /**
+         * Visor ignite tasks prefix.
+         */
+        private static final String VISOR_IGNITE_TASK_PREFIX = 
"org.apache.ignite.internal.visor.";
+
+        /**
+         * Visor gridgain tasks prefix.
+         */
+        private static final String VISOR_GRIDGAIN_TASK_PREFIX = 
"org.gridgain.grid.internal.visor.";
+
+        /**
+         * Cache query task name.
+         */
+        public static final String VISOR_CACHE_QUERY_TASK_NAME =
+            "org.apache.ignite.internal.visor.query.VisorQueryTask";
+
+        /**
+         * Cache load task name.
+         */
+        public static final String VISOR_CACHE_LOAD_TASK_NAME =
+            "org.apache.ignite.internal.visor.cache.VisorCacheLoadTask";
+
+        /**
+         * Cache clear task name.
+         */
+        public static final String VISOR_CACHE_CLEAR_TASK_NAME =
+            "org.apache.ignite.internal.visor.query.VisorQueryCleanupTask";
+
+        /**
+         * Security subject.
+         */
+        private GridSecuritySubject subj;
+
+        /**
+         * String task permissions.
+         */
+        private Map<String, Collection<GridSecurityPermission>> 
strictTaskPermissions = new LinkedHashMap<>();
+
+        /**
+         * String task permissions.
+         */
+        private Map<String, Collection<GridSecurityPermission>> 
wildcardTaskPermissions = new LinkedHashMap<>();
+
+        /**
+         * String task permissions.
+         */
+        private Map<String, Collection<GridSecurityPermission>> 
strictCachePermissions = new LinkedHashMap<>();
+
+        /**
+         * String task permissions.
+         */
+        private Map<String, Collection<GridSecurityPermission>> 
wildcardCachePermissions = new LinkedHashMap<>();
+
+        /**
+         * System-wide permissions.
+         */
+        private Collection<GridSecurityPermission> sysPermissions;
+
+        /**
+         * Empty constructor required by {@link Externalizable}.
+         */
+        public SecurityContextImpl() {
+        // No-op.
+    }
+
+        /**
+         * @param subj Subject.
+         */
+        public SecurityContextImpl(GridSecuritySubject subj) {
+        this.subj = subj;
+
+        initRules();
+    }
+
+        /**
+         * @return Security subject.
+         */
+    public GridSecuritySubject subject() {
+        return subj;
+    }
+
+    /**
+     * Checks whether task operation is allowed.
+     *
+     * @param taskClsName Task class name.
+     * @param perm        Permission to check.
+     * @return {@code True} if task operation is allowed.
+     */
+    public boolean taskOperationAllowed(String taskClsName, 
GridSecurityPermission perm) {
+        assert perm == GridSecurityPermission.TASK_EXECUTE || perm == 
GridSecurityPermission.TASK_CANCEL;
+
+        if (visorTask(taskClsName))
+            return visorTaskAllowed(taskClsName);
+
+        Collection<GridSecurityPermission> p = 
strictTaskPermissions.get(taskClsName);
+
+        if (p != null)
+            return p.contains(perm);
+
+        for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
wildcardTaskPermissions.entrySet()) {
+            if (taskClsName.startsWith(entry.getKey()))
+                return entry.getValue().contains(perm);
+        }
+
+        return subj.permissions().defaultAllowAll();
+    }
+
+    /**
+     * Checks whether cache operation is allowed.
+     *
+     * @param cacheName Cache name.
+     * @param perm      Permission to check.
+     * @return {@code True} if cache operation is allowed.
+     */
+    public boolean cacheOperationAllowed(String cacheName, 
GridSecurityPermission perm) {
+        assert perm == GridSecurityPermission.CACHE_PUT || perm == 
GridSecurityPermission.CACHE_READ ||
+            perm == GridSecurityPermission.CACHE_REMOVE;
+
+        Collection<GridSecurityPermission> p = 
strictCachePermissions.get(cacheName);
+
+        if (p != null)
+            return p.contains(perm);
+
+        for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
wildcardCachePermissions.entrySet()) {
+            if (cacheName != null) {
+                if (cacheName.startsWith(entry.getKey()))
+                    return entry.getValue().contains(perm);
+            } else {
+                // Match null cache to '*'
+                if (entry.getKey().isEmpty())
+                    return entry.getValue().contains(perm);
+            }
+        }
+
+        return subj.permissions().defaultAllowAll();
+    }
+
+    /**
+     * Checks whether system-wide permission is allowed (excluding Visor task 
operations).
+     *
+     * @param perm Permission to check.
+     * @return {@code True} if system operation is allowed.
+     */
+    public boolean systemOperationAllowed(GridSecurityPermission perm) {
+        if (sysPermissions == null)
+            return subj.permissions().defaultAllowAll();
+
+        boolean ret = sysPermissions.contains(perm);
+
+        if (!ret && (perm == GridSecurityPermission.EVENTS_ENABLE || perm == 
GridSecurityPermission.EVENTS_DISABLE))
+            ret = sysPermissions.contains(GridSecurityPermission.ADMIN_VIEW);
+
+        return ret;
+    }
+
+    /**
+     * Checks if task is Visor task.
+     *
+     * @param taskCls Task class name.
+     * @return {@code True} if task is Visor task.
+     */
+    private boolean visorTask(String taskCls) {
+        return taskCls.startsWith(VISOR_IGNITE_TASK_PREFIX) || 
taskCls.startsWith(VISOR_GRIDGAIN_TASK_PREFIX);
+    }
+
+    /**
+     * Checks if Visor task is allowed for execution.
+     *
+     * @param taskName Task name.
+     * @return {@code True} if execution is allowed.
+     */
+    private boolean visorTaskAllowed(String taskName) {
+        if (sysPermissions == null)
+            return subj.permissions().defaultAllowAll();
+
+        switch (taskName) {
+            case VISOR_CACHE_QUERY_TASK_NAME:
+                return 
sysPermissions.contains(GridSecurityPermission.ADMIN_QUERY);
+            case VISOR_CACHE_LOAD_TASK_NAME:
+            case VISOR_CACHE_CLEAR_TASK_NAME:
+                return 
sysPermissions.contains(GridSecurityPermission.ADMIN_CACHE);
+            default:
+                return 
sysPermissions.contains(GridSecurityPermission.ADMIN_VIEW);
+        }
+    }
+
+    /**
+     * Init rules.
+     */
+    private void initRules() {
+        GridSecurityPermissionSet permSet = subj.permissions();
+
+        for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
permSet.taskPermissions().entrySet()) {
+            String ptrn = entry.getKey();
+
+            Collection<GridSecurityPermission> vals = 
Collections.unmodifiableCollection(entry.getValue());
+
+            if (ptrn.endsWith("*")) {
+                String noWildcard = ptrn.substring(0, ptrn.length() - 1);
+
+                wildcardTaskPermissions.put(noWildcard, vals);
+            } else
+                strictTaskPermissions.put(ptrn, vals);
+        }
+
+        for (Map.Entry<String, Collection<GridSecurityPermission>> entry : 
permSet.cachePermissions().entrySet()) {
+            String ptrn = entry.getKey();
+
+            Collection<GridSecurityPermission> vals = 
Collections.unmodifiableCollection(entry.getValue());
+
+            if (ptrn != null && ptrn.endsWith("*")) {
+                String noWildcard = ptrn.substring(0, ptrn.length() - 1);
+
+                wildcardCachePermissions.put(noWildcard, vals);
+            } else
+                strictCachePermissions.put(ptrn, vals);
+        }
+
+        sysPermissions = permSet.systemPermissions();
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void writeExternal(ObjectOutput out) throws IOException {
+        out.writeObject(subj);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void readExternal(ObjectInput in) throws IOException, 
ClassNotFoundException {
+        subj = (GridSecuritySubject) in.readObject();
+
+        initRules();
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public String toString() {
+        return S.toString(SecurityContextImpl.class, this);
+    }
+}
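Review bot: In `taskOperationAllowed`, a class name that starts with either Visor prefix bypasses the strict and wildcard task rules entirely, and `visorTaskAllowed` then ignores `perm` and falls to a `default` branch that only requires `ADMIN_VIEW`. The decision therefore rests on a string prefix of the task class name; if that name is not guaranteed to identify a class shipped with the product (not visible from this hunk), a subject holding only `ADMIN_VIEW` would pass the check for both `TASK_EXECUTE` and `TASK_CANCEL`. Since the class is now public and top-level rather than a private inner class, I would at least document this on the `default` branch, e.g. `// Any other class under the Visor prefixes needs only ADMIN_VIEW; the name must identify a trusted class.`, and consider matching a fixed set of known Visor task names instead of a prefix. Separately, `readExternal` calls `initRules()` on whatever `in.readObject()` returned, so a null subject fails with a NullPointerException inside `initRules`; adding `if (subj == null) throw new InvalidObjectException("Security subject is missing");` before the call would make the rejection explicit.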
