http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/PKCSAuthenticator.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/PKCSAuthenticator.java b/geode-core/src/test/java/org/apache/geode/security/templates/PKCSAuthenticator.java new file mode 100755 index 0000000..ac5939d --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/security/templates/PKCSAuthenticator.java @@ -0,0 +1,158 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gemstone.gemfire.security.templates; + +import java.io.FileInputStream; +import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; +import java.security.Principal; +import java.security.Signature; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + +import org.apache.logging.log4j.Logger; + +import com.gemstone.gemfire.LogWriter; +import com.gemstone.gemfire.distributed.DistributedMember; +import com.gemstone.gemfire.internal.logging.LogService; +import com.gemstone.gemfire.security.AuthenticationFailedException; +import com.gemstone.gemfire.security.Authenticator; + +/** + * An implementation of {@link Authenticator} that uses PKCS. + */ +public class PKCSAuthenticator implements Authenticator { + + private static final Logger logger = LogService.getLogger(); + + public static final String PUBLIC_KEY_FILE = "security-publickey-filepath"; + public static final String PUBLIC_KEYSTORE_PASSWORD = "security-publickey-pass"; + + private String pubKeyFilePath; + private String pubKeyPass; + private Map aliasCertificateMap; + + private LogWriter systemLogWriter; + private LogWriter securityLogWriter; + + public static Authenticator create() { + return new PKCSAuthenticator(); + } + + @Override + public void init(final Properties securityProperties, final LogWriter systemLogWriter, final LogWriter securityLogWriter) throws AuthenticationFailedException { + this.systemLogWriter = systemLogWriter; + this.securityLogWriter = securityLogWriter; + + this.pubKeyFilePath = securityProperties.getProperty(PUBLIC_KEY_FILE); + if (this.pubKeyFilePath == null) { + throw new AuthenticationFailedException("PKCSAuthenticator: property " + PUBLIC_KEY_FILE + " not specified as the public key file."); + } + + this.pubKeyPass = securityProperties.getProperty(PUBLIC_KEYSTORE_PASSWORD); + this.aliasCertificateMap = new HashMap(); + + populateMap(); + } + + @Override + public Principal authenticate(final Properties credentials, final DistributedMember member) throws AuthenticationFailedException { + final String alias = (String)credentials.get(PKCSAuthInit.KEYSTORE_ALIAS); + if (alias == null || alias.length() <= 0) { + throw new AuthenticationFailedException("No alias received"); + } + + try { + final X509Certificate cert = getCertificate(alias); + if (cert == null) { + throw newException("No certificate found for alias:" + alias); + } + + final byte[] signatureBytes = (byte[])credentials.get(PKCSAuthInit.SIGNATURE_DATA); + if (signatureBytes == null) { + throw newException("signature data property [" + PKCSAuthInit.SIGNATURE_DATA + "] not provided"); + } + + final Signature sig = Signature.getInstance(cert.getSigAlgName()); + sig.initVerify(cert); + sig.update(alias.getBytes("UTF-8")); + + if (!sig.verify(signatureBytes)) { + throw newException("verification of client signature failed"); + } + + return new PKCSPrincipal(alias); + + } catch (Exception ex) { + throw newException(ex.toString(), ex); + } + } + + @Override + public void close() { + } + + private void populateMap() { + try { + final KeyStore keyStore = KeyStore.getInstance("JKS"); + final char[] passPhrase = this.pubKeyPass != null ? this.pubKeyPass.toCharArray() : null; + final FileInputStream keyStoreFile = new FileInputStream(this.pubKeyFilePath); + + try { + keyStore.load(keyStoreFile, passPhrase); + } finally { + keyStoreFile.close(); + } + + for (Enumeration e = keyStore.aliases(); e.hasMoreElements();) { + final Object alias = e.nextElement(); + final Certificate cert = keyStore.getCertificate((String)alias); + if (cert instanceof X509Certificate) { + this.aliasCertificateMap.put(alias, cert); + } + } + + } catch (Exception e) { + throw new AuthenticationFailedException("Exception while getting public keys: " + e.getMessage(), e); + } + } + + private AuthenticationFailedException newException(final String message, final Exception cause) { + final String fullMessage = "PKCSAuthenticator: Authentication of client failed due to: " + message; + if (cause != null) { + return new AuthenticationFailedException(fullMessage, cause); + } else { + return new AuthenticationFailedException(fullMessage); + } + } + + private AuthenticationFailedException newException(final String message) { + return newException(message, null); + } + + private X509Certificate getCertificate(final String alias) throws NoSuchAlgorithmException, InvalidKeySpecException { + if (this.aliasCertificateMap.containsKey(alias)) { + return (X509Certificate) this.aliasCertificateMap.get(alias); + } + return null; + } +}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/PKCSPrincipal.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/PKCSPrincipal.java b/geode-core/src/test/java/org/apache/geode/security/templates/PKCSPrincipal.java new file mode 100755 index 0000000..4a6c45e --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/security/templates/PKCSPrincipal.java @@ -0,0 +1,40 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.gemstone.gemfire.security.templates; + +import java.io.Serializable; +import java.security.Principal; + +public class PKCSPrincipal implements Principal, Serializable { + + private final String alias; + + public PKCSPrincipal(final String alias) { + this.alias = alias; + } + + @Override + public String getName() { + return this.alias; + } + + @Override + public String toString() { + return this.alias; + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/PKCSPrincipalTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/PKCSPrincipalTest.java b/geode-core/src/test/java/org/apache/geode/security/templates/PKCSPrincipalTest.java new file mode 100644 index 0000000..95cd99c --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/security/templates/PKCSPrincipalTest.java @@ -0,0 +1,50 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gemstone.gemfire.security.templates; + +import static org.assertj.core.api.Assertions.*; + +import java.io.Serializable; + +import org.apache.commons.lang.SerializationUtils; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +import com.gemstone.gemfire.test.junit.categories.SecurityTest; +import com.gemstone.gemfire.test.junit.categories.UnitTest; + +/** + * Unit tests for {@link PKCSPrincipal} + */ +@Category({ UnitTest.class, SecurityTest.class }) +public class PKCSPrincipalTest { + + @Test + public void isSerializable() throws Exception { + assertThat(PKCSPrincipal.class).isInstanceOf(Serializable.class); + } + + @Test + public void canBeSerialized() throws Exception { + String name = "jsmith"; + PKCSPrincipal instance = new PKCSPrincipal(name); + + PKCSPrincipal cloned = (PKCSPrincipal) SerializationUtils.clone(instance); + + assertThat(cloned.getName()).isEqualTo(name); + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/UserPasswordAuthInit.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/UserPasswordAuthInit.java b/geode-core/src/test/java/org/apache/geode/security/templates/UserPasswordAuthInit.java new file mode 100755 index 0000000..76c6987 --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/security/templates/UserPasswordAuthInit.java @@ -0,0 +1,75 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gemstone.gemfire.security.templates; + +import java.util.Properties; + +import com.gemstone.gemfire.LogWriter; +import com.gemstone.gemfire.distributed.DistributedMember; +import com.gemstone.gemfire.security.AuthInitialize; +import com.gemstone.gemfire.security.AuthenticationFailedException; + +/** + * An {@link AuthInitialize} implementation that obtains the user name and + * password as the credentials from the given set of properties. + * + * To use this class the {@code security-client-auth-init} property should be + * set to the fully qualified name the static {@code create} method + * viz. {@code com.gemstone.gemfire.security.templates.UserPasswordAuthInit.create} + * + * @since GemFire 5.5 + */ +public class UserPasswordAuthInit implements AuthInitialize { + + public static final String USER_NAME = "security-username"; + public static final String PASSWORD = "security-password"; + + protected LogWriter systemLogWriter; + protected LogWriter securityLogWriter; + + public static AuthInitialize create() { + return new UserPasswordAuthInit(); + } + + @Override + public void init(final LogWriter systemLogWriter, final LogWriter securityLogWriter) throws AuthenticationFailedException { + this.systemLogWriter = systemLogWriter; + this.securityLogWriter = securityLogWriter; + } + + @Override + public Properties getCredentials(final Properties securityProperties, final DistributedMember server, final boolean isPeer) throws AuthenticationFailedException { + String userName = securityProperties.getProperty(USER_NAME); + if (userName == null) { + throw new AuthenticationFailedException("UserPasswordAuthInit: user name property [" + USER_NAME + "] not set."); + } + + String password = securityProperties.getProperty(PASSWORD); + if (password == null) { + password = ""; + } + + Properties securityPropertiesCopy = new Properties(); + securityPropertiesCopy.setProperty(USER_NAME, userName); + securityPropertiesCopy.setProperty(PASSWORD, password); + return securityPropertiesCopy; + } + + @Override + public void close() { + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/UsernamePrincipal.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/UsernamePrincipal.java b/geode-core/src/test/java/org/apache/geode/security/templates/UsernamePrincipal.java new file mode 100755 index 0000000..4eefe46 --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/security/templates/UsernamePrincipal.java @@ -0,0 +1,44 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gemstone.gemfire.security.templates; + +import java.io.Serializable; +import java.security.Principal; + +/** + * An implementation of {@link Principal} class for a simple user name. + * + * @since GemFire 5.5 + */ +public class UsernamePrincipal implements Principal, Serializable { + + private final String userName; + + public UsernamePrincipal(final String userName) { + this.userName = userName; + } + + @Override + public String getName() { + return this.userName; + } + + @Override + public String toString() { + return this.userName; + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/UsernamePrincipalTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/UsernamePrincipalTest.java b/geode-core/src/test/java/org/apache/geode/security/templates/UsernamePrincipalTest.java new file mode 100644 index 0000000..7fbb454 --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/security/templates/UsernamePrincipalTest.java @@ -0,0 +1,50 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gemstone.gemfire.security.templates; + +import static org.assertj.core.api.Assertions.*; + +import java.io.Serializable; + +import org.apache.commons.lang.SerializationUtils; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +import com.gemstone.gemfire.test.junit.categories.SecurityTest; +import com.gemstone.gemfire.test.junit.categories.UnitTest; + +/** + * Unit tests for {@link UsernamePrincipal} + */ +@Category({ UnitTest.class, SecurityTest.class }) +public class UsernamePrincipalTest { + + @Test + public void isSerializable() throws Exception { + assertThat(UsernamePrincipal.class).isInstanceOf(Serializable.class); + } + + @Test + public void canBeSerialized() throws Exception { + String name = "jsmith"; + UsernamePrincipal instance = new UsernamePrincipal(name); + + UsernamePrincipal cloned = (UsernamePrincipal) SerializationUtils.clone(instance); + + assertThat(cloned.getName()).isEqualTo(name); + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/XmlAuthorization.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/XmlAuthorization.java b/geode-core/src/test/java/org/apache/geode/security/templates/XmlAuthorization.java new file mode 100755 index 0000000..4349260 --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/security/templates/XmlAuthorization.java @@ -0,0 +1,615 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gemstone.gemfire.security.templates; + +import java.io.IOException; +import java.io.InputStream; +import java.security.Principal; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; + +import org.w3c.dom.Attr; +import org.w3c.dom.Document; +import org.w3c.dom.NamedNodeMap; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; +import org.xml.sax.EntityResolver; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; +import org.xml.sax.SAXParseException; + +import com.gemstone.gemfire.LogWriter; +import com.gemstone.gemfire.cache.Cache; +import com.gemstone.gemfire.cache.operations.ExecuteFunctionOperationContext; +import com.gemstone.gemfire.cache.operations.OperationContext; +import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode; +import com.gemstone.gemfire.cache.operations.QueryOperationContext; +import com.gemstone.gemfire.distributed.DistributedMember; +import com.gemstone.gemfire.security.AccessControl; +import com.gemstone.gemfire.security.NotAuthorizedException; + +/** + * An implementation of the {@link AccessControl} interface that allows + * authorization using the permissions as specified in the given XML + * file. + * + * The format of the XML file is specified in <a href="authz5_5.dtd"/>. It + * implements a role-based authorization at the operation level for each region. + * Each principal name may be associated with a set of roles. The name of the + * principal is obtained using the {@link Principal#getName()} method and no other + * information of the principal is utilized. Each role can be provided + * permissions to execute operations for each region. + * + * The top-level element in the XML is "acl" tag that contains the "role" and + * "permission" tags. The "role" tag contains the list of users that have been + * given that role. The name of the role is specified in the "role" attribute + * and the users are contained in the "user" tags insided the "role" tag. + * + * The "permissions" tag contains the list of operations allowed for a + * particular region. The role name is specified as the "role" attribute, the + * list of comma separated region names as the optional "regions" attribute and + * the operation names are contained in the "operation" tags inside the + * "permissions" tag. The allowed operation names are: GET, PUT, PUTALL, + * DESTROY, REGISTER_INTEREST, UNREGISTER_INTEREST, CONTAINS_KEY, KEY_SET, + * QUERY, EXECUTE_CQ, STOP_CQ, CLOSE_CQ, REGION_CLEAR, REGION_CREATE, + * REGION_DESTROY. These correspond to the operations in the + * {@link OperationCode} enumeration with the same name. + * + * When no region name is specified then the operation is allowed for all + * regions in the cache. Any permissions specified for regions using the + * "regions" attribute override these permissions. This allows users to provide + * generic permissions without any region name, and override for specific + * regions specified using the "regions" attribute. A cache-level operation + * (e.g. {@link OperationCode#REGION_DESTROY}) specified for a particular region + * is ignored i.e. the cache-level operations are only applicable when no region + * name is specified. A {@link OperationCode#QUERY} operation is permitted when + * either the {@code QUERY} permission is provided at the cache-level for + * the user or when {@code QUERY} permission is provided for all the + * regions that are part of the query string. + * + * Any roles specified in the "user" tag that do not have a specified permission + * set using the "permission" tags are ignored. When no {@link Principal} is + * associated with the current connection, then empty user name is used to + * search for the roles so an empty user name can be used to specify roles of + * unauthenticated clients (i.e. {@code Everyone}). + * + * This sample implementation is useful only for pre-operation checks and should + * not be used for post-operation authorization since it does nothing useful for + * post-operation case. + * + * @since GemFire 5.5 + */ +public class XmlAuthorization implements AccessControl { + + public static final String DOC_URI_PROP_NAME = "security-authz-xml-uri"; + + private static final Object sync = new Object(); + private static final String EMPTY_VALUE = ""; + + private static final String TAG_ROLE = "role"; + private static final String TAG_USER = "user"; + private static final String TAG_PERMS = "permission"; + private static final String TAG_OP = "operation"; + + private static final String ATTR_ROLENAME = "name"; + private static final String ATTR_ROLE = "role"; + private static final String ATTR_REGIONS = "regions"; + private static final String ATTR_FUNCTION_IDS = "functionIds"; + private static final String ATTR_FUNCTION_OPTIMIZE_FOR_WRITE = "optimizeForWrite"; + private static final String ATTR_FUNCTION_KEY_SET = "keySet"; + + private static String currentDocUri = null; + private static Map<String, HashSet<String>> userRoles = null; + private static Map<String, Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>>> rolePermissions = null; + private static NotAuthorizedException xmlLoadFailure = null; + + private final Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>> allowedOps; + + protected LogWriter systemLogWriter; + protected LogWriter securityLogWriter; + + /** + * Public static factory method to create an instance of + * {@code XmlAuthorization}. The fully qualified name of the class + * ({@code com.gemstone.gemfire.security.templates.XmlAuthorization.create}) + * should be mentioned as the {@code security-client-accessor} system + * property to enable pre-operation authorization checks as implemented in + * this class. + * + * @return an object of {@code XmlAuthorization} class + */ + public static AccessControl create() { + return new XmlAuthorization(); + } + + /** + * Clear all the statically cached information. + */ + public static void clear() { + XmlAuthorization.currentDocUri = null; + if (XmlAuthorization.userRoles != null) { + XmlAuthorization.userRoles.clear(); + XmlAuthorization.userRoles = null; + } + if (XmlAuthorization.rolePermissions != null) { + XmlAuthorization.rolePermissions.clear(); + XmlAuthorization.rolePermissions = null; + } + XmlAuthorization.xmlLoadFailure = null; + } + + /** + * Change the region name to a standard format having single '/' as separator + * and starting with a '/' as in standard POSIX paths + */ + public static String normalizeRegionName(final String regionName) { + if (regionName == null || regionName.length() == 0) { + return EMPTY_VALUE; + } + + char[] resultName = new char[regionName.length() + 1]; + boolean changed = false; + boolean isPrevCharSlash = false; + int startIndex; + + if (regionName.charAt(0) != '/') { + changed = true; + startIndex = 0; + } else { + isPrevCharSlash = true; + startIndex = 1; + } + + resultName[0] = '/'; + int resultLength = 1; + + // Replace all more than one '/'s with a single '/' + for (int index = startIndex; index < regionName.length(); ++index) { + char currChar = regionName.charAt(index); + if (currChar == '/') { + if (isPrevCharSlash) { + changed = true; + continue; + } + isPrevCharSlash = true; + } else { + isPrevCharSlash = false; + } + resultName[resultLength++] = currChar; + } + + // Remove any trailing slash + if (resultName[resultLength - 1] == '/') { + --resultLength; + changed = true; + } + + if (changed) { + return new String(resultName, 0, resultLength); + } else { + return regionName; + } + } + + private XmlAuthorization() { + this.allowedOps = new HashMap<String, Map<OperationCode, FunctionSecurityPrmsHolder>>(); + this.systemLogWriter = null; + this.securityLogWriter = null; + } + + /** + * Initialize the {@code XmlAuthorization} callback for a client having + * the given principal. + * + * This method caches the full XML authorization file the first time it is + * invoked and caches all the permissions for the provided + * {@code principal} to speed up lookup the + * {@code authorizeOperation} calls. The permissions for the principal + * are maintained as a {@link Map} of region name to the {@link HashSet} of + * operations allowed for that region. A global entry with region name as + * empty string is also made for permissions provided for all the regions. + * + * @param principal + * the principal associated with the authenticated client + * @param cache + * reference to the cache object + * @param remoteMember + * the {@link DistributedMember} object for the remote authenticated + * client + * + * @throws NotAuthorizedException + * if some exception condition happens during the initialization + * while reading the XML; in such a case all subsequent client + * operations will throw {@code NotAuthorizedException} + */ + @Override + public void init(final Principal principal, final DistributedMember remoteMember, final Cache cache) throws NotAuthorizedException { + synchronized (sync) { + XmlAuthorization.init(cache); + } + + this.systemLogWriter = cache.getLogger(); + this.securityLogWriter = cache.getSecurityLogger(); + + String name; + if (principal != null) { + name = principal.getName(); + } else { + name = EMPTY_VALUE; + } + + HashSet<String> roles = XmlAuthorization.userRoles.get(name); + if (roles != null) { + for (String roleName : roles) { + Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>> regionOperationMap = XmlAuthorization.rolePermissions.get(roleName); + if (regionOperationMap != null) { + for (Map.Entry<String, Map<OperationCode, FunctionSecurityPrmsHolder>> regionEntry : regionOperationMap.entrySet()) { + String regionName = regionEntry.getKey(); + Map<OperationCode, FunctionSecurityPrmsHolder> regionOperations = this.allowedOps.get(regionName); + if (regionOperations == null) { + regionOperations = new HashMap<OperationCode, FunctionSecurityPrmsHolder>(); + this.allowedOps.put(regionName, regionOperations); + } + regionOperations.putAll(regionEntry.getValue()); + } + } + } + } + } + + /** + * Return true if the given operation is allowed for the cache/region. + * + * This looks up the cached permissions of the principal in the map for the + * provided region name. If none are found then the global permissions with + * empty region name are looked up. The operation is allowed if it is found + * this permission list. + * + * @param regionName + * When null then it indicates a cache-level operation, else the + * name of the region for the operation. + * @param context + * the data required by the operation + * + * @return true if the operation is authorized and false otherwise + */ + @Override + public boolean authorizeOperation(String regionName, final OperationContext context) { + Map<OperationCode, FunctionSecurityPrmsHolder> operationMap; + + // Check GET permissions for updates from server to client + if (context.isClientUpdate()) { + operationMap = this.allowedOps.get(regionName); + if (operationMap == null && regionName.length() > 0) { + operationMap = this.allowedOps.get(EMPTY_VALUE); + } + if (operationMap != null) { + return operationMap.containsKey(OperationCode.GET); + } + return false; + } + + OperationCode opCode = context.getOperationCode(); + if (opCode.isQuery() || opCode.isExecuteCQ() || opCode.isCloseCQ() || opCode.isStopCQ()) { + // First check if cache-level permission has been provided + operationMap = this.allowedOps.get(EMPTY_VALUE); + boolean globalPermission = (operationMap != null && operationMap .containsKey(opCode)); + Set<String> regionNames = ((QueryOperationContext)context) .getRegionNames(); + if (regionNames == null || regionNames.size() == 0) { + return globalPermission; + } + + for (String r : regionNames) { + regionName = normalizeRegionName(r); + operationMap = this.allowedOps.get(regionName); + if (operationMap == null) { + if (!globalPermission) { + return false; + } + } else if (!operationMap.containsKey(opCode)) { + return false; + } + } + return true; + } + + final String normalizedRegionName = normalizeRegionName(regionName); + operationMap = this.allowedOps.get(normalizedRegionName); + if (operationMap == null && normalizedRegionName.length() > 0) { + operationMap = this.allowedOps.get(EMPTY_VALUE); + } + if (operationMap != null) { + if (context.getOperationCode() != OperationCode.EXECUTE_FUNCTION) { + return operationMap.containsKey(context.getOperationCode()); + + } else { + if (!operationMap.containsKey(context.getOperationCode())) { + return false; + + } else { + if (!context.isPostOperation()) { + FunctionSecurityPrmsHolder functionParameter = operationMap.get(context.getOperationCode()); + ExecuteFunctionOperationContext functionContext = (ExecuteFunctionOperationContext) context; + // OnRegion execution + if (functionContext.getRegionName() != null) { + if (functionParameter.isOptimizeForWrite() != null && functionParameter.isOptimizeForWrite().booleanValue() != functionContext.isOptimizeForWrite()) { + return false; + } + if (functionParameter.getFunctionIds() != null && !functionParameter.getFunctionIds().contains( functionContext.getFunctionId())) { + return false; + } + if (functionParameter.getKeySet() != null && functionContext.getKeySet() != null) { + if (functionContext.getKeySet().containsAll( functionParameter.getKeySet())) { + return false; + } + } + return true; + + } else {// On Server execution + if (functionParameter.getFunctionIds() != null && !functionParameter.getFunctionIds().contains(functionContext.getFunctionId())) { + return false; + } + return true; + } + + } else { + ExecuteFunctionOperationContext functionContext = (ExecuteFunctionOperationContext)context; + FunctionSecurityPrmsHolder functionParameter = operationMap.get(context.getOperationCode()); + if (functionContext.getRegionName() != null) { + if (functionContext.getResult() instanceof ArrayList && functionParameter.getKeySet() != null) { + ArrayList<String> resultList = (ArrayList)functionContext.getResult(); + Set<String> nonAllowedKeys = functionParameter.getKeySet(); + if (resultList.containsAll(nonAllowedKeys)) { + return false; + } + } + return true; + + } else { + ArrayList<String> resultList = (ArrayList)functionContext.getResult(); + final String inSecureItem = "Insecure item"; + if (resultList.contains(inSecureItem)) { + return false; + } + return true; + } + } + } + } + } + return false; + } + + /** + * Clears the cached information for this principal. + */ + @Override + public void close() { + this.allowedOps.clear(); + } + + /** Get the attribute value for a given attribute name of a node. */ + private static String getAttributeValue(final Node node, final String attrName) { + NamedNodeMap attrMap = node.getAttributes(); + Node attrNode; + if (attrMap != null && (attrNode = attrMap.getNamedItem(attrName)) != null) { + return ((Attr)attrNode).getValue(); + } + return EMPTY_VALUE; + } + + /** Get the string contained in the first text child of the node. */ + private static String getNodeValue(final Node node) { + NodeList childNodes = node.getChildNodes(); + for (int index = 0; index < childNodes.getLength(); index++) { + Node childNode = childNodes.item(index); + if (childNode.getNodeType() == Node.TEXT_NODE) { + return childNode.getNodeValue(); + } + } + return EMPTY_VALUE; + } + + /** + * Cache authorization information for all users statically. This method is + * not thread-safe and is should either be invoked only once, or the caller + * should take the appropriate locks. + * + * @param cache reference to the cache object for the distributed system + */ + private static void init(final Cache cache) throws NotAuthorizedException { + final LogWriter systemLogWriter = cache.getLogger(); + final String xmlDocumentUri = (String)cache.getDistributedSystem().getSecurityProperties().get(DOC_URI_PROP_NAME); + + try { + if (xmlDocumentUri == null) { + throw new NotAuthorizedException("No ACL file defined using tag [" + DOC_URI_PROP_NAME + "] in system properties"); + } + if (xmlDocumentUri.equals(XmlAuthorization.currentDocUri)) { + if (XmlAuthorization.xmlLoadFailure != null) { + throw XmlAuthorization.xmlLoadFailure; + } + return; + } + + final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setIgnoringComments(true); + factory.setIgnoringElementContentWhitespace(true); + factory.setValidating(true); + + final DocumentBuilder builder = factory.newDocumentBuilder(); + final XmlErrorHandler errorHandler = new XmlErrorHandler(systemLogWriter, xmlDocumentUri); + builder.setErrorHandler(errorHandler); + builder.setEntityResolver(new AuthzDtdResolver()); + + final Document xmlDocument = builder.parse(xmlDocumentUri); + + XmlAuthorization.userRoles = new HashMap<String, HashSet<String>>(); + XmlAuthorization.rolePermissions = new HashMap<String, Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>>>(); + + final NodeList roleUserNodes = xmlDocument.getElementsByTagName(TAG_ROLE); + + for (int roleIndex = 0; roleIndex < roleUserNodes.getLength(); roleIndex++) { + final Node roleUserNode = roleUserNodes.item(roleIndex); + final String roleName = getAttributeValue(roleUserNode, ATTR_ROLENAME); + final NodeList userNodes = roleUserNode.getChildNodes(); + + for (int userIndex = 0; userIndex < userNodes.getLength(); userIndex++) { + final Node userNode = userNodes.item(userIndex); + + if (TAG_USER.equals(userNode.getNodeName())) { + final String userName = getNodeValue(userNode); + HashSet<String> userRoleSet = XmlAuthorization.userRoles.get(userName); + if (userRoleSet == null) { + userRoleSet = new HashSet<String>(); + XmlAuthorization.userRoles.put(userName, userRoleSet); + } + userRoleSet.add(roleName); + + } else { + throw new SAXParseException("Unknown tag [" + userNode.getNodeName() + "] as child of tag [" + TAG_ROLE + ']', null); + } + } + } + + final NodeList rolePermissionNodes = xmlDocument.getElementsByTagName(TAG_PERMS); + + for (int permIndex = 0; permIndex < rolePermissionNodes.getLength(); permIndex++) { + final Node rolePermissionNode = rolePermissionNodes.item(permIndex); + final String roleName = getAttributeValue(rolePermissionNode, ATTR_ROLE); + Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>> regionOperationMap = XmlAuthorization.rolePermissions.get(roleName); + + if (regionOperationMap == null) { + regionOperationMap = new HashMap<String, Map<OperationCode, FunctionSecurityPrmsHolder>>(); + XmlAuthorization.rolePermissions.put(roleName, regionOperationMap); + } + + final NodeList operationNodes = rolePermissionNode.getChildNodes(); + final HashMap<OperationCode, FunctionSecurityPrmsHolder> operationMap = new HashMap<OperationCode, FunctionSecurityPrmsHolder>(); + + for (int opIndex = 0; opIndex < operationNodes.getLength(); opIndex++) { + final Node operationNode = operationNodes.item(opIndex); + + if (TAG_OP.equals(operationNode.getNodeName())) { + final String operationName = getNodeValue(operationNode); + final OperationCode code = OperationCode.valueOf(operationName); + + if (code == null) { + throw new SAXParseException("Unknown operation [" + operationName + ']', null); + } + + if (code != OperationCode.EXECUTE_FUNCTION) { + operationMap.put(code, null); + + } else { + final String optimizeForWrite = getAttributeValue(operationNode, ATTR_FUNCTION_OPTIMIZE_FOR_WRITE); + final String functionAttr = getAttributeValue(operationNode, ATTR_FUNCTION_IDS); + final String keysAttr = getAttributeValue(operationNode, ATTR_FUNCTION_KEY_SET); + + Boolean isOptimizeForWrite; + HashSet<String> functionIds; + HashSet<String> keySet; + + if (optimizeForWrite == null || optimizeForWrite.length() == 0) { + isOptimizeForWrite = null; + } else { + isOptimizeForWrite = Boolean.parseBoolean(optimizeForWrite); + } + + if (functionAttr == null || functionAttr.length() == 0) { + functionIds = null; + } else { + final String[] functionArray = functionAttr.split(","); + functionIds = new HashSet<String>(); + for (int strIndex = 0; strIndex < functionArray.length; ++strIndex) { + functionIds.add((functionArray[strIndex])); + } + } + + if (keysAttr == null || keysAttr.length() == 0) { + keySet = null; + } else { + final String[] keySetArray = keysAttr.split(","); + keySet = new HashSet<String>(); + for (int strIndex = 0; strIndex < keySetArray.length; ++strIndex) { + keySet.add((keySetArray[strIndex])); + } + } + + final FunctionSecurityPrmsHolder functionContext = new FunctionSecurityPrmsHolder(isOptimizeForWrite, functionIds, keySet); + operationMap.put(code, functionContext); + } + + } else { + throw new SAXParseException("Unknown tag [" + operationNode.getNodeName() + "] as child of tag [" + TAG_PERMS + ']', null); + } + } + + final String regionNames = getAttributeValue(rolePermissionNode, ATTR_REGIONS); + if (regionNames == null || regionNames.length() == 0) { + regionOperationMap.put(EMPTY_VALUE, operationMap); + } else { + final String[] regionNamesSplit = regionNames.split(","); + for (int strIndex = 0; strIndex < regionNamesSplit.length; ++strIndex) { + regionOperationMap.put(normalizeRegionName(regionNamesSplit[strIndex]), operationMap); + } + } + } + XmlAuthorization.currentDocUri = xmlDocumentUri; + + } catch (Exception ex) { + String message; + if (ex instanceof NotAuthorizedException) { + message = ex.getMessage(); + } + else { + message = ex.getClass().getName() + ": " + ex.getMessage(); + } + systemLogWriter.warning("XmlAuthorization.init: " + message); + XmlAuthorization.xmlLoadFailure = new NotAuthorizedException(message, ex); + throw XmlAuthorization.xmlLoadFailure; + } + } + + private static class AuthzDtdResolver implements EntityResolver { + final Pattern authzPattern = Pattern.compile("authz.*\\.dtd"); + + @Override + public InputSource resolveEntity(final String publicId, final String systemId) throws SAXException, IOException { + try { + final Matcher matcher = authzPattern.matcher(systemId); + if (matcher.find()) { + final String dtdName = matcher.group(0); + final InputStream stream = XmlAuthorization.class.getResourceAsStream(dtdName); + return new InputSource(stream); + } + + } catch(Exception e) { + //do nothing, use the default resolver + } + + return null; + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/XmlErrorHandler.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/XmlErrorHandler.java b/geode-core/src/test/java/org/apache/geode/security/templates/XmlErrorHandler.java new file mode 100755 index 0000000..c770eb7 --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/security/templates/XmlErrorHandler.java @@ -0,0 +1,75 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gemstone.gemfire.security.templates; + +import org.apache.logging.log4j.Logger; +import org.xml.sax.ErrorHandler; +import org.xml.sax.SAXException; +import org.xml.sax.SAXParseException; + +import com.gemstone.gemfire.LogWriter; +import com.gemstone.gemfire.internal.logging.LogService; + +/** + * Implementation of {@link ErrorHandler} interface to handle validation errors + * while XML parsing. + * + * This throws back exceptions raised for {@code error} and {@code fatalError} + * cases while a {@link LogWriter#warning(String)} level logging is done for + * the {@code warning} case. + * + * @since GemFire 5.5 + */ +public class XmlErrorHandler implements ErrorHandler { + + private static final Logger logger = LogService.getLogger(); + + private final LogWriter systemLogWriter; + private final String xmlFileName; + + public XmlErrorHandler(final LogWriter systemLogWriter, final String xmlFileName) { + this.systemLogWriter = systemLogWriter; + this.xmlFileName = xmlFileName; + } + + /** + * Throws back the exception with the name of the XML file and the position + * where the exception occurred. + */ + @Override + public void error(final SAXParseException exception) throws SAXException { + throw new SAXParseException("Error while parsing XML at line " + exception.getLineNumber() + " column " + exception.getColumnNumber() + ": " + exception.getMessage(), null, exception); + } + + /** + * Throws back the exception with the name of the XML file and the position + * where the exception occurred. + */ + @Override + public void fatalError(final SAXParseException exception) throws SAXException { + throw new SAXParseException("Fatal error while parsing XML at line " + exception.getLineNumber() + " column " + exception.getColumnNumber() + ": " + exception.getMessage(), null, exception); + } + + /** + * Log the exception at {@link LogWriter#warning(String)} level with XML + * filename and the position of exception in the file. + */ + @Override + public void warning(final SAXParseException exception) throws SAXException { + this.systemLogWriter.warning("Warning while parsing XML [" + this.xmlFileName + "] at line " + exception.getLineNumber() + " column " + exception.getColumnNumber() + ": " + exception.getMessage(), exception); + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml deleted file mode 100644 index de0cd17..0000000 --- a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml +++ /dev/null @@ -1,124 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> - -<!-- - ~ Licensed to the Apache Software Foundation (ASF) under one or more - ~ contributor license agreements. See the NOTICE file distributed with - ~ this work for additional information regarding copyright ownership. - ~ The ASF licenses this file to You under the Apache License, Version 2.0 - ~ (the "License"); you may not use this file except in compliance with - ~ the License. You may obtain a copy of the License at - ~ - ~ http://www.apache.org/licenses/LICENSE-2.0 - ~ - ~ Unless required by applicable law or agreed to in writing, software - ~ distributed under the License is distributed on an "AS IS" BASIS, - ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - ~ See the License for the specific language governing permissions and - ~ limitations under the License. - --> - -<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" - "com/gemstone/gemfire/security/templates/authz6_0.dtd" > -<acl> - - <role name="reader"> - <user>reader0</user> - <user>reader1</user> - <user>reader2</user> - <user>root</user> - <user>admin</user> - <user>administrator</user> - </role> - - <role name="writer"> - <user>writer0</user> - <user>writer1</user> - <user>writer2</user> - <user>root</user> - <user>admin</user> - <user>administrator</user> - </role> - - <role name="cacheOps"> - <user>root</user> - <user>admin</user> - <user>administrator</user> - </role> - - <role name="queryRegions"> - <user>reader3</user> - <user>reader4</user> - </role> - - <role name="registerInterest"> - <user>reader5</user> - <user>reader6</user> - </role> - - <role name="unregisterInterest"> - <user>reader5</user> - <user>reader7</user> - </role> - - <role name="onRegionFunctionExecutor"> - <user>reader8</user> - </role> - - <role name="onServerFunctionExecutor"> - <user>reader9</user> - </role> - - <permission role="cacheOps"> - <operation>QUERY</operation> - <operation>EXECUTE_CQ</operation> - <operation>STOP_CQ</operation> - <operation>CLOSE_CQ</operation> - <operation>REGION_CREATE</operation> - <operation>REGION_DESTROY</operation> - </permission> - - <permission role="reader"> - <operation>GET</operation> - <operation>REGISTER_INTEREST</operation> - <operation>UNREGISTER_INTEREST</operation> - <operation>KEY_SET</operation> - <operation>CONTAINS_KEY</operation> - <operation>EXECUTE_FUNCTION</operation> - </permission> - - <permission role="writer"> - <operation>PUT</operation> - <operation>PUTALL</operation> - <operation>DESTROY</operation> - <operation>INVALIDATE</operation> - <operation>REGION_CLEAR</operation> - </permission> - - <permission role="queryRegions" regions="//Portfolios,/Positions/,AuthRegion"> - <operation>QUERY</operation> - <operation>EXECUTE_CQ</operation> - <operation>STOP_CQ</operation> - <operation>CLOSE_CQ</operation> - </permission> - - <permission role="onRegionFunctionExecutor" regions="secureRegion,Positions"> - <operation>PUT</operation> - <operation functionIds="SecureFunction,OptimizationFunction" optimizeForWrite="false" keySet="KEY-0,KEY-1">EXECUTE_FUNCTION</operation> - </permission> - - <permission role="onServerFunctionExecutor" > - <operation>PUT</operation> - <operation functionIds="SecureFunction,OptimizationFunction">EXECUTE_FUNCTION</operation> - </permission> - - <permission role="registerInterest"> - <operation>REGISTER_INTEREST</operation> - <operation>GET</operation> - </permission> - - <permission role="unregisterInterest"> - <operation>UNREGISTER_INTEREST</operation> - <operation>GET</operation> - </permission> - -</acl> http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml deleted file mode 100644 index cdfd478..0000000 --- a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml +++ /dev/null @@ -1,83 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> - -<!-- - ~ Licensed to the Apache Software Foundation (ASF) under one or more - ~ contributor license agreements. See the NOTICE file distributed with - ~ this work for additional information regarding copyright ownership. - ~ The ASF licenses this file to You under the Apache License, Version 2.0 - ~ (the "License"); you may not use this file except in compliance with - ~ the License. You may obtain a copy of the License at - ~ - ~ http://www.apache.org/licenses/LICENSE-2.0 - ~ - ~ Unless required by applicable law or agreed to in writing, software - ~ distributed under the License is distributed on an "AS IS" BASIS, - ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - ~ See the License for the specific language governing permissions and - ~ limitations under the License. - --> - -<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" - "com/gemstone/gemfire/security/templates/authz5_5.dtd" > -<acl> - - <role name="reader"> - <user>gemfire1</user> - <user>gemfire2</user> - <user>gemfire3</user> - <user>gemfire4</user> - <user>gemfire5</user> - </role> - - <role name="writer"> - <user>gemfire1</user> - <user>gemfire2</user> - <user>gemfire6</user> - <user>gemfire7</user> - <user>gemfire8</user> - </role> - - <role name="cacheOps"> - <user>gemfire1</user> - <user>gemfire2</user> - </role> - - <role name="queryRegions"> - <user>gemfire9</user> - <user>gemfire10</user> - </role> - - <permission role="cacheOps"> - <operation>QUERY</operation> - <operation>EXECUTE_CQ</operation> - <operation>STOP_CQ</operation> - <operation>CLOSE_CQ</operation> - <operation>REGION_CREATE</operation> - <operation>REGION_DESTROY</operation> - </permission> - - <permission role="reader"> - <operation>GET</operation> - <operation>REGISTER_INTEREST</operation> - <operation>UNREGISTER_INTEREST</operation> - <operation>KEY_SET</operation> - <operation>CONTAINS_KEY</operation> - <operation>EXECUTE_FUNCTION</operation> - </permission> - - <permission role="writer"> - <operation>PUT</operation> - <operation>PUTALL</operation> - <operation>DESTROY</operation> - <operation>INVALIDATE</operation> - <operation>REGION_CLEAR</operation> - </permission> - - <permission role="queryRegions" regions="Portfolios,/Positions//,/AuthRegion"> - <operation>QUERY</operation> - <operation>EXECUTE_CQ</operation> - <operation>STOP_CQ</operation> - <operation>CLOSE_CQ</operation> - </permission> - -</acl> http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml deleted file mode 100644 index f64eb2e..0000000 --- a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml +++ /dev/null @@ -1,104 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> - -<!-- - ~ Licensed to the Apache Software Foundation (ASF) under one or more - ~ contributor license agreements. See the NOTICE file distributed with - ~ this work for additional information regarding copyright ownership. - ~ The ASF licenses this file to You under the Apache License, Version 2.0 - ~ (the "License"); you may not use this file except in compliance with - ~ the License. You may obtain a copy of the License at - ~ - ~ http://www.apache.org/licenses/LICENSE-2.0 - ~ - ~ Unless required by applicable law or agreed to in writing, software - ~ distributed under the License is distributed on an "AS IS" BASIS, - ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - ~ See the License for the specific language governing permissions and - ~ limitations under the License. - --> - -<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" - "com/gemstone/gemfire/security/templates/authz6_0.dtd" > -<acl> - - <role name="reader"> - <user>user1</user> - <user>user2</user> - <user>root</user> - <user>admin</user> - <user>administrator</user> - </role> - - <role name="writer"> - <user>user3</user> - <user>user4</user> - <user>root</user> - <user>admin</user> - <user>administrator</user> - </role> - - <role name="cacheOps"> - <user>user1</user> - <user>user2</user> - <user>root</user> - <user>admin</user> - <user>administrator</user> - </role> - - <role name="queryRegions"> - <user>user5</user> - <user>user6</user> - </role> - - <role name="registerInterest"> - <user>user7</user> - <user>user8</user> - </role> - - <role name="unregisterInterest"> - <user>user5</user> - <user>user7</user> - </role> - - <permission role="cacheOps"> - <operation>QUERY</operation> - <operation>EXECUTE_CQ</operation> - <operation>STOP_CQ</operation> - <operation>CLOSE_CQ</operation> - </permission> - - <permission role="reader"> - <operation>GET</operation> - <operation>REGISTER_INTEREST</operation> - <operation>UNREGISTER_INTEREST</operation> - <operation>KEY_SET</operation> - <operation>CONTAINS_KEY</operation> - <operation>EXECUTE_FUNCTION</operation> - </permission> - - <permission role="writer"> - <operation>PUT</operation> - <operation>PUTALL</operation> - <operation>DESTROY</operation> - <operation>INVALIDATE</operation> - <operation>REGION_CLEAR</operation> - </permission> - - <permission role="queryRegions" regions="//Portfolios,/Positions/,AuthRegion"> - <operation>QUERY</operation> - <operation>EXECUTE_CQ</operation> - <operation>STOP_CQ</operation> - <operation>CLOSE_CQ</operation> - </permission> - - <permission role="registerInterest"> - <operation>REGISTER_INTEREST</operation> - <operation>GET</operation> - </permission> - - <permission role="unregisterInterest"> - <operation>UNREGISTER_INTEREST</operation> - <operation>GET</operation> - </permission> - -</acl> http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml deleted file mode 100644 index 5469972..0000000 --- a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml +++ /dev/null @@ -1,81 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> - -<!-- - ~ Licensed to the Apache Software Foundation (ASF) under one or more - ~ contributor license agreements. See the NOTICE file distributed with - ~ this work for additional information regarding copyright ownership. - ~ The ASF licenses this file to You under the Apache License, Version 2.0 - ~ (the "License"); you may not use this file except in compliance with - ~ the License. You may obtain a copy of the License at - ~ - ~ http://www.apache.org/licenses/LICENSE-2.0 - ~ - ~ Unless required by applicable law or agreed to in writing, software - ~ distributed under the License is distributed on an "AS IS" BASIS, - ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - ~ See the License for the specific language governing permissions and - ~ limitations under the License. - --> - -<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" - "com/gemstone/gemfire/security/templates/authz5_5.dtd" > -<acl> - - <role name="reader"> - <user>gemfire1</user> - <user>gemfire2</user> - <user>gemfire3</user> - <user>gemfire4</user> - <user>gemfire5</user> - </role> - - <role name="writer"> - <user>gemfire1</user> - <user>gemfire2</user> - <user>gemfire6</user> - <user>gemfire7</user> - <user>gemfire8</user> - </role> - - <role name="cacheOps"> - <user>gemfire1</user> - <user>gemfire2</user> - </role> - - <role name="queryRegions"> - <user>gemfire9</user> - <user>gemfire10</user> - </role> - - <permission role="cacheOps"> - <operation>QUERY</operation> - <operation>EXECUTE_CQ</operation> - <operation>STOP_CQ</operation> - <operation>CLOSE_CQ</operation> - </permission> - - <permission role="reader"> - <operation>GET</operation> - <operation>REGISTER_INTEREST</operation> - <operation>UNREGISTER_INTEREST</operation> - <operation>KEY_SET</operation> - <operation>CONTAINS_KEY</operation> - <operation>EXECUTE_FUNCTION</operation> - </permission> - - <permission role="writer"> - <operation>PUT</operation> - <operation>PUTALL</operation> - <operation>DESTROY</operation> - <operation>INVALIDATE</operation> - <operation>REGION_CLEAR</operation> - </permission> - - <permission role="queryRegions" regions="Portfolios,/Positions//,/AuthRegion"> - <operation>QUERY</operation> - <operation>EXECUTE_CQ</operation> - <operation>STOP_CQ</operation> - <operation>CLOSE_CQ</operation> - </permission> - -</acl> http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore deleted file mode 100644 index 15270bb..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore deleted file mode 100644 index bb6f827..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore deleted file mode 100644 index 6839c74..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore deleted file mode 100644 index fcb7ab8..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore deleted file mode 100644 index 19afc4b..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore deleted file mode 100644 index c65916a..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore deleted file mode 100644 index d738cca..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore deleted file mode 100644 index 1fea2d3..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore deleted file mode 100644 index 7a3187c..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore deleted file mode 100644 index a3bb886..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore deleted file mode 100644 index 674b4e6..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore deleted file mode 100644 index 4f9120c..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore deleted file mode 100644 index 0bd97d77..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore deleted file mode 100644 index 62ae3c7..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore deleted file mode 100644 index c65bc81..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore deleted file mode 100644 index b0796e0..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore deleted file mode 100644 index 9c94018..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore deleted file mode 100644 index 33f6937..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore deleted file mode 100644 index 568f674..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore deleted file mode 100644 index 80e2d80..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore deleted file mode 100644 index a15def5..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore deleted file mode 100644 index 72087f3..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile deleted file mode 100644 index 1b13872..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile deleted file mode 100644 index 9c2daa3..0000000 Binary files a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile and /dev/null differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/peerAuth.json ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/peerAuth.json b/geode-core/src/test/resources/com/gemstone/gemfire/security/peerAuth.json deleted file mode 100644 index 9bd8936..0000000 --- a/geode-core/src/test/resources/com/gemstone/gemfire/security/peerAuth.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "users": [ - { - "name": "locator1", - "password": "1234567", - "roles": [ - ] - }, - { - "name": "server1", - "password": "1234567", - "roles": [ - ] - }, - { - "name": "server2", - "password": "1234567", - "roles": [ - ] - } - ] - -} - - - - - - - - - - - - - http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd b/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd deleted file mode 100644 index 7080c0e..0000000 --- a/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd +++ /dev/null @@ -1,105 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. ---> -<!-- - -This is the XML DTD for the GemFire sample XML based authorization callback -in com.gemstone.gemfire.security.templates.XmlAuthorization. - -All XMLs must include a DOCTYPE of the following form: - - <!DOCTYPE acl PUBLIC - "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" - "http://www.gemstone.com/dtd/authz5_5.dtd";> - -The contents of a declarative XML file correspond to APIs found in the - - com.gemstone.gemfire.security.AccessControl - -package. The sample implementation may be used to specify access control -policies. - ---> - -<!-- - -The following conventions apply to all GemFire sample authorization -XML file elements unless indicated otherwise. - -- In elements that contain PCDATA, leading and trailing whitespace in - the data may be ignored. - -- In elements whose value is an "enumerated type", the value is case - sensitive. - ---> - - -<!-- -The "acl" element is the root element of the authorization file. -This element contains the role to user mappings and role to permissions -mapping on a per region per operation basis. ---> - -<!ELEMENT acl (role+,permission+)> - -<!-- -The "role" element contains the set of users that have the permissions of -given role. A user can be present in more than one "role" elements in -which case the union of the permissions to all those roles determines -the full set of permissions to be given to the user. ---> - -<!ELEMENT role (user*)> -<!ATTLIST role - name CDATA #REQUIRED -> - -<!-- -The "user" element is contained within the "role" element and contains -the name of a user having the permissions of that role. ---> - -<!ELEMENT user (#PCDATA)> - -<!-- -The "permission" element specifies the list of operations that are allowed -for a particular role in the given regions as provided in the optional -"regions" attribute. The value of "regions" attribute should be a comma -separated list of region names for which permissions are to be provided. -If no "regions" attribute is provided then those permissions are provided -for all the other regions (i.e. other than those that have been explicitly -specified). Permissions for cache level operations REGION_DESTROY, -REGION_CREATE, QUERY and CQ operations should be specified with no "regions" -attribute. If cache-level permission is not provided for QUERY or CQ operations -then the permission for all the region names in the query string is checked. ---> - -<!ELEMENT permission (operation*)> -<!ATTLIST permission - role CDATA #REQUIRED - regions CDATA #IMPLIED -> - - -<!-- -The operation should be one of the following strings: - GET, PUT, PUTALL, DESTROY, REGISTER_INTEREST, UNREGISTER_INTEREST, - CONTAINS_KEY, KEY_SET, QUERY, EXECUTE_CQ, STOP_CQ, CLOSE_CQ, REGION_CLEAR, - REGION_CREATE, REGION_DESTROY ---> -<!ELEMENT operation (#PCDATA)> http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz6_0.dtd ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz6_0.dtd b/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz6_0.dtd deleted file mode 100755 index a77563a..0000000 --- a/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz6_0.dtd +++ /dev/null @@ -1,110 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. ---> -<!-- - -This is the XML DTD for the GemFire sample XML based authorization callback -in com.gemstone.gemfire.security.templates.XmlAuthorization. - -All XMLs must include a DOCTYPE of the following form: - - <!DOCTYPE acl PUBLIC - "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" - "http://www.gemstone.com/dtd/authz5_5.dtd";> - -The contents of a declarative XML file correspond to APIs found in the - - com.gemstone.gemfire.security.AccessControl - -package. The sample implementation may be used to specify access control -policies. - ---> - -<!-- - -The following conventions apply to all GemFire sample authorization -XML file elements unless indicated otherwise. - -- In elements that contain PCDATA, leading and trailing whitespace in - the data may be ignored. - -- In elements whose value is an "enumerated type", the value is case - sensitive. - ---> - - -<!-- -The "acl" element is the root element of the authorization file. -This element contains the role to user mappings and role to permissions -mapping on a per region per operation basis. ---> - -<!ELEMENT acl (role+,permission+)> - -<!-- -The "role" element contains the set of users that have the permissions of -given role. A user can be present in more than one "role" elements in -which case the union of the permissions to all those roles determines -the full set of permissions to be given to the user. ---> - -<!ELEMENT role (user*)> -<!ATTLIST role - name CDATA #REQUIRED -> - -<!-- -The "user" element is contained within the "role" element and contains -the name of a user having the permissions of that role. ---> - -<!ELEMENT user (#PCDATA)> - -<!-- -The "permission" element specifies the list of operations that are allowed -for a particular role in the given regions as provided in the optional -"regions" attribute. The value of "regions" attribute should be a comma -separated list of region names for which permissions are to be provided. -If no "regions" attribute is provided then those permissions are provided -for all the other regions (i.e. other than those that have been explicitly -specified). Permissions for cache level operations REGION_DESTROY, -REGION_CREATE, QUERY and CQ operations should be specified with no "regions" -attribute. If cache-level permission is not provided for QUERY or CQ operations -then the permission for all the region names in the query string is checked. ---> - -<!ELEMENT permission (operation*)> -<!ATTLIST permission - role CDATA #REQUIRED - regions CDATA #IMPLIED -> - - -<!-- -The operation should be one of the following strings: - GET, PUT, PUTALL, DESTROY, REGISTER_INTEREST, UNREGISTER_INTEREST, - CONTAINS_KEY, KEY_SET, QUERY, EXECUTE_CQ, STOP_CQ, CLOSE_CQ, REGION_CLEAR, - REGION_CREATE, REGION_DESTROY ---> -<!ELEMENT operation (#PCDATA)> -<!ATTLIST operation - functionIds CDATA #IMPLIED - optimizeForWrite CDATA #IMPLIED - keySet CDATA #IMPLIED ->
