Repository: incubator-ignite Updated Branches: refs/heads/ignite-gg-10610 e64e89613 -> c1ecb3720
#ignite-gg-10610: add security check for data streamer update job. Project: http://git-wip-us.apache.org/repos/asf/incubator-ignite/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ignite/commit/c1ecb372 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ignite/tree/c1ecb372 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ignite/diff/c1ecb372 Branch: refs/heads/ignite-gg-10610 Commit: c1ecb37207c24099e360b5ba8ebac2d5d6ae2930 Parents: e64e896 Author: ivasilinets <ivasilin...@gridgain.com> Authored: Tue Jul 28 16:17:21 2015 +0300 Committer: ivasilinets <ivasilin...@gridgain.com> Committed: Tue Jul 28 16:17:21 2015 +0300 ---------------------------------------------------------------------- .../datastreamer/DataStreamerImpl.java | 11 +++++----- .../datastreamer/DataStreamerUpdateJob.java | 22 ++++++++++++++++---- .../plugin/security/SecurityPermission.java | 6 ------ 3 files changed, 23 insertions(+), 16 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/c1ecb372/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java ----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java
index 13223fd..5fae676 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java
@@ -414,7 +414,7 @@ public class DataStreamerImpl<K, V> implements IgniteDataStreamer<K, V>, Delayed
 @Override public IgniteFuture<?> addData(Collection<? extends Map.Entry<K, V>> entries) {
 A.notEmpty(entries, "entries");
- checkSecurityPermission(SecurityPermission.STREAMING_ADD);
+ checkSecurityPermission(SecurityPermission.CACHE_PUT);
 enterBusy();
@@ -516,8 +516,6 @@ public class DataStreamerImpl<K, V> implements IgniteDataStreamer<K, V>, Delayed
 @Override public IgniteFuture<?> addData(Map.Entry<K, V> entry) {
 A.notNull(entry, "entry");
- checkSecurityPermission(SecurityPermission.STREAMING_ADD);
-
 return addData(F.asList(entry));
 }
@@ -525,7 +523,10 @@ public class DataStreamerImpl<K, V> implements IgniteDataStreamer<K, V>, Delayed
 @Override public IgniteFuture<?> addData(K key, V val) {
 A.notNull(key, "key");
- checkSecurityPermission(SecurityPermission.STREAMING_ADD);
+ if (val == null)
+ checkSecurityPermission(SecurityPermission.CACHE_REMOVE);
+ else
+ checkSecurityPermission(SecurityPermission.CACHE_PUT);
 KeyCacheObject key0 = cacheObjProc.toCacheKeyObject(cacheObjCtx, key, true);
 CacheObject val0 = cacheObjProc.toCacheObject(cacheObjCtx, val, true);
@@ -535,8 +536,6 @@ public class DataStreamerImpl<K, V> implements IgniteDataStreamer<K, V>, Delayed
 /** {@inheritDoc} */
 @Override public IgniteFuture<?> removeData(K key) {
- checkSecurityPermission(SecurityPermission.STREAMING_REMOVE);
-
 return addData(key, null);
 }
http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/c1ecb372/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java ----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java
index e6ae4ac..9e0703a 100644
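Review bot: In `addData(Collection)` (hunk `@@ -414,7 +414,7 @@`) the check is `CACHE_PUT` unconditionally, yet this same commit treats a null value as a removal that needs `CACHE_REMOVE`, both in `addData(K, V)` and in the per-entry check of `DataStreamerUpdateJob`. A caller that holds only `CACHE_REMOVE` is rejected here for a removals-only collection, while a caller that holds only `CACHE_PUT` passes with null-valued entries and, as far as this diff shows, is stopped only later by the update job. If the coarse check is intended, document it, e.g. `// Coarse pre-check only; per-entry CACHE_PUT/CACHE_REMOVE is enforced in DataStreamerUpdateJob.`; otherwise choose the permission per entry as the job does. The method body continues outside the hunk.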
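Review bot: The null test added to `addData(K, V)` (hunk `@@ -525,7 +523,10 @@`) encodes the rule that a null value means removal, but nothing at the call site says so, and `removeData` now depends on it because its own check is deleted in the following hunk. A one-line comment would make that dependency visible, e.g. `// Null value means removal (see removeData): require CACHE_REMOVE instead of CACHE_PUT.`. The four lines could also be written as `checkSecurityPermission(val == null ? SecurityPermission.CACHE_REMOVE : SecurityPermission.CACHE_PUT);`. The rest of the method is outside the hunk.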
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java
@@ -93,9 +93,6 @@ class DataStreamerUpdateJob implements GridPlainCallable<Object> {
 cache.context().awaitStarted();
- if (ctx.security().enabled())
- ctx.security().authorize(cacheName, SecurityPermission.STREAMING_ADD, null);
-
 if (skipStore)
 cache = (IgniteCacheProxy<?, ?>)cache.withSkipStore();
@@ -110,8 +107,13 @@ class DataStreamerUpdateJob implements GridPlainCallable<Object> {
 CacheObject val = e.getValue();
- if (val != null)
+ if (val != null) {
+ checkSecurityPermission(SecurityPermission.CACHE_PUT);
+
 val.finishUnmarshal(cctx.cacheObjectContext(), cctx.deploy().globalLoader());
+ }
+ else
+ checkSecurityPermission(SecurityPermission.CACHE_REMOVE);
 }
 if (unwrapEntries()) {
@@ -143,4 +145,16 @@ class DataStreamerUpdateJob implements GridPlainCallable<Object> {
 private boolean unwrapEntries() {
 return !(rcvr instanceof DataStreamerCacheUpdaters.InternalUpdater);
 }
+
+ /**
+ * @param perm Security permission.
+ * @throws org.apache.ignite.plugin.security.SecurityException If permission is not enough.
+ */
+ private void checkSecurityPermission(SecurityPermission perm)
+ throws org.apache.ignite.plugin.security.SecurityException {
+ if (!ctx.security().enabled())
+ return;
+
+ ctx.security().authorize(cacheName, perm, null);
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/c1ecb372/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java ----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
index 5738133..0e660d2 100644
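Review bot: `checkSecurityPermission` is now called once per entry in the block at `@@ -110,8 +107,13 @@`, so a batch repeats the same `authorize(cacheName, perm, null)` call for every entry although only two distinct permissions can occur. Remembering which of the two has already been granted keeps the check ahead of the first `finishUnmarshal` of a value while limiting it to at most two calls per job. The loop header and whatever is done with the key sit above the hunk, so the two flags below have to be declared there.

```java
// … declared before the loop, outside the hunk …
boolean putChecked = false;
boolean rmvChecked = false;

// … unchanged: loop header and lines up to `CacheObject val = e.getValue();` …
if (val != null) {
    if (!putChecked) {
        checkSecurityPermission(SecurityPermission.CACHE_PUT);

        putChecked = true;
    }

    val.finishUnmarshal(cctx.cacheObjectContext(), cctx.deploy().globalLoader());
}
else if (!rmvChecked) {
    checkSecurityPermission(SecurityPermission.CACHE_REMOVE);

    rmvChecked = true;
}
```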
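Review bot: The Javadoc on the new `checkSecurityPermission` (hunk `@@ -143,4 +145,16 @@`) has no summary sentence and does not say whose permission is checked: `authorize(cacheName, perm, null)` passes `null` as its last argument, and what the security processor falls back to in that case is not visible here. Since this job presumably applies updates streamed from another node, the comment should state whether the check applies to the sender or to the local node; if it is the local node, the check would not constrain the sender. Suggested opening line: `Authorizes {@code perm} on {@code cacheName}; does nothing when security is disabled.`, with the `@throws` text reworded to `If the permission is not granted.`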
--- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java
@@ -33,12 +33,6 @@ public enum SecurityPermission {
 /** Cache {@code remove} permission. */
 CACHE_REMOVE,
- /** Streaming permission for add. */
- STREAMING_ADD,
-
- /** Streaming permission for remove. */
- STREAMING_REMOVE,
-
 /** Task {@code execute} permission. */
 TASK_EXECUTE,