Repository: incubator-geode
Updated Branches:
  refs/heads/develop cf3fea30f -> d639eefd3


GEODE-1909: add authorization in GMSAuthenticator


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/d639eefd
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/d639eefd
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/d639eefd

Branch: refs/heads/develop
Commit: d639eefd3d42374da987d89f5dfc2d4f83d330eb
Parents: cf3fea3
Author: Jinmei Liao <jil...@pivotal.io>
Authored: Mon Sep 19 13:53:04 2016 -0700
Committer: Jinmei Liao <jil...@pivotal.io>
Committed: Thu Sep 22 07:34:36 2016 -0700

----------------------------------------------------------------------
 .../membership/gms/GMSMemberFactory.java        |  22 ++--
 .../membership/gms/auth/GMSAuthenticator.java   |   8 +-
 .../membership/gms/membership/GMSJoinLeave.java |  51 ++++++---
 .../geode/internal/i18n/LocalizedStrings.java   |   4 +-
 .../GMSAuthenticatorWithAuthenticatorTest.java  |  42 +++----
 ...GMSAuthenticatorWithSecurityManagerTest.java |  14 +--
 ...tegratedSecurityPeerAuthDistributedTest.java |  10 +-
 .../security/P2PAuthenticationDUnitTest.java    |  40 +++----
 .../security/StartServerAuthorizationTest.java  | 113 +++++++++++++++++++
 .../internal/security/cacheServer.json          |   8 ++
 .../org/apache/geode/security/peerAuth.json     |  13 +++
 11 files changed, 241 insertions(+), 84 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java
 
b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java
index 08178e9..970d8cc 100755
--- 
a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java
+++ 
b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java
@@ -16,25 +16,28 @@
  */
 package org.apache.geode.distributed.internal.membership.gms;
 
+import java.io.File;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
 import org.apache.geode.GemFireConfigException;
 import org.apache.geode.SystemConnectException;
 import org.apache.geode.distributed.internal.DMStats;
 import org.apache.geode.distributed.internal.DistributionConfig;
 import org.apache.geode.distributed.internal.DistributionException;
 import org.apache.geode.distributed.internal.LocatorStats;
-import org.apache.geode.distributed.internal.membership.*;
+import 
org.apache.geode.distributed.internal.membership.DistributedMembershipListener;
+import org.apache.geode.distributed.internal.membership.MemberAttributes;
+import org.apache.geode.distributed.internal.membership.MemberServices;
+import org.apache.geode.distributed.internal.membership.MembershipManager;
+import org.apache.geode.distributed.internal.membership.NetMember;
 import org.apache.geode.distributed.internal.membership.gms.locator.GMSLocator;
-import org.apache.geode.internal.net.SocketCreator;
 import org.apache.geode.internal.Version;
 import org.apache.geode.internal.admin.remote.RemoteTransportConfig;
 import org.apache.geode.internal.i18n.LocalizedStrings;
+import org.apache.geode.internal.net.SocketCreator;
 import org.apache.geode.internal.tcp.ConnectionException;
-import org.apache.geode.security.AuthenticationFailedException;
-import org.apache.geode.security.AuthenticationRequiredException;
-
-import java.io.File;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
+import org.apache.geode.security.GemFireSecurityException;
 
 /**
  * Create a new Member based on the given inputs.
@@ -105,8 +108,7 @@ public class GMSMemberFactory implements MemberServices {
     }
     catch (GemFireConfigException
         | SystemConnectException
-        | AuthenticationFailedException
-        | AuthenticationRequiredException e) {
+        | GemFireSecurityException e) {
       throw e;
     }
     catch (RuntimeException e) {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java
 
b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java
index 3f030c9..8e4c15d 100755
--- 
a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java
+++ 
b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java
@@ -99,13 +99,13 @@ public class GMSAuthenticator implements Authenticator {
    */
   @Override
   public String authenticate(InternalDistributedMember member, Properties 
credentials) throws AuthenticationFailedException {
-    return authenticate(member, credentials, this.securityProps, 
this.services.getJoinLeave().getMemberID());
+    return authenticate(member, credentials, this.securityProps);
   }
 
   /**
    * Method is package protected to be used in testing.
    */
-  String authenticate(DistributedMember member, Properties credentials, 
Properties secProps, DistributedMember localMember) throws 
AuthenticationFailedException {
+  String authenticate(DistributedMember member, Properties credentials, 
Properties secProps) throws AuthenticationFailedException {
     if (!securityService.isPeerSecurityRequired()) {
       return null;
     }
@@ -121,6 +121,7 @@ public class GMSAuthenticator implements Authenticator {
     try {
       if(this.securityService.isIntegratedSecurity()){
         this.securityService.login(credentials);
+        this.securityService.authorizeClusterManage();
       }
       else {
         invokeAuthenticator(secProps, member, credentials);
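Review bot: Once `this.securityService.login(credentials)` has succeeded and the new `this.securityService.authorizeClusterManage()` throws, nothing in this hunk logs the subject out, so whatever `login` bound for the rejected peer presumably stays attached to the calling thread until something else replaces it — confirm that the catch path or the caller performs the `logout`, otherwise a `finally` that calls `this.securityService.logout()` belongs in this try. The new line also deserves a why-comment, since a reader may assume a successful login is sufficient to join: `// authenticated peers must additionally hold the cluster-manage permission to join`. The enclosing method starts and ends outside the hunk.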
@@ -129,8 +130,9 @@ public class GMSAuthenticator implements Authenticator {
       
securityLogWriter.warning(AUTH_PEER_AUTHENTICATION_FAILED_WITH_EXCEPTION, new 
Object[] {
         member, ex.getLocalizedMessage()
       }, ex);
-      failMsg = AUTH_PEER_AUTHENTICATION_FAILED.toLocalizedString(localMember);
+      failMsg = 
AUTH_PEER_AUTHENTICATION_FAILED.toLocalizedString(ex.getLocalizedMessage());
     }
+
     return failMsg;
   }
 
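Review bot: `failMsg` now carries `ex.getLocalizedMessage()` back to the joining member, whereas the replaced line deliberately withheld the reason and pointed at the coordinator's logs; the same exception is already logged in the warning a few lines above, and the test expectations in this commit (`Security check failed. Instance could not be obtained from null`) show that raw internal detail is returned to a peer that has not yet been admitted, and GMSJoinLeave rethrows that text to the caller. Keep the detail in the coordinator's warning and return only the failure class, for example `failMsg = AUTH_PEER_AUTHENTICATION_FAILED.toLocalizedString(ex.getClass().getSimpleName());`, so the peer learns whether authentication or authorization failed and nothing more; the `LocalizedStrings` 6609 text and the assertions in the two GMSAuthenticator unit tests would change with it. The enclosing method starts outside the hunk.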

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java
 
b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java
index d15e8bf..89a9a37 100644
--- 
a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java
+++ 
b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java
@@ -16,6 +16,31 @@
  */
 package org.apache.geode.distributed.internal.membership.gms.membership;
 
+import static org.apache.geode.distributed.ConfigurationProperties.*;
+import static 
org.apache.geode.distributed.internal.membership.gms.ServiceConfig.*;
+import static org.apache.geode.internal.DataSerializableFixedID.*;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.TimerTask;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.ThreadFactory;
+import java.util.concurrent.atomic.AtomicInteger;
+
 import org.apache.geode.GemFireConfigException;
 import org.apache.geode.SystemConnectException;
 import org.apache.geode.distributed.DistributedMember;
@@ -34,26 +59,20 @@ import 
org.apache.geode.distributed.internal.membership.gms.interfaces.JoinLeave
 import 
org.apache.geode.distributed.internal.membership.gms.interfaces.MessageHandler;
 import 
org.apache.geode.distributed.internal.membership.gms.locator.FindCoordinatorRequest;
 import 
org.apache.geode.distributed.internal.membership.gms.locator.FindCoordinatorResponse;
-import org.apache.geode.distributed.internal.membership.gms.messages.*;
+import 
org.apache.geode.distributed.internal.membership.gms.messages.HasMemberID;
+import 
org.apache.geode.distributed.internal.membership.gms.messages.InstallViewMessage;
+import 
org.apache.geode.distributed.internal.membership.gms.messages.JoinRequestMessage;
+import 
org.apache.geode.distributed.internal.membership.gms.messages.JoinResponseMessage;
+import 
org.apache.geode.distributed.internal.membership.gms.messages.LeaveRequestMessage;
+import 
org.apache.geode.distributed.internal.membership.gms.messages.NetworkPartitionMessage;
+import 
org.apache.geode.distributed.internal.membership.gms.messages.RemoveMemberMessage;
+import 
org.apache.geode.distributed.internal.membership.gms.messages.ViewAckMessage;
 import org.apache.geode.distributed.internal.tcpserver.TcpClient;
 import org.apache.geode.internal.Version;
 import org.apache.geode.internal.i18n.LocalizedStrings;
-import org.apache.geode.internal.net.*;
-import org.apache.geode.security.AuthenticationFailedException;
-
+import org.apache.geode.security.GemFireSecurityException;
 import org.apache.logging.log4j.Logger;
 
-import java.io.IOException;
-import java.net.InetSocketAddress;
-import java.util.*;
-import java.util.concurrent.*;
-import java.util.concurrent.atomic.AtomicInteger;
-
-import static org.apache.geode.distributed.ConfigurationProperties.LOCATORS;
-import static 
org.apache.geode.distributed.ConfigurationProperties.START_LOCATOR;
-import static 
org.apache.geode.distributed.internal.membership.gms.ServiceConfig.MEMBER_REQUEST_COLLECTION_INTERVAL;
-import static org.apache.geode.internal.DataSerializableFixedID.*;
-
 /**
  * GMSJoinLeave handles membership communication with other processes in the
  * distributed system.  It replaces the JGroups channel membership services
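Review bot: The static wildcard imports that replace `LOCATORS`, `START_LOCATOR` and `MEMBER_REQUEST_COLLECTION_INTERVAL` pull every constant of `ConfigurationProperties` and `ServiceConfig` into this class, which hides which settings the join protocol actually reads and allows silent shadowing if a same-named constant is later added to either class. The rest of the hunk moves in the opposite direction, expanding `membership.gms.messages.*`, `java.util.*` and `java.util.concurrent.*` into explicit imports, so the static ones should follow suit: `import static org.apache.geode.distributed.ConfigurationProperties.LOCATORS;` and likewise for the other two. The same wildcard static imports appear in the P2PAuthenticationDUnitTest and StartServerAuthorizationTest hunks of this commit.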
@@ -394,7 +413,7 @@ public class GMSJoinLeave implements JoinLeave, 
MessageHandler {
           || failReason.contains("15806")) {
         throw new SystemConnectException(failReason);
       }
-      throw new AuthenticationFailedException(failReason);
+      throw new GemFireSecurityException(failReason);
     }
     
     //there is no way we can rech here right now
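Review bot: Throwing the base `GemFireSecurityException` here means callers that catch `AuthenticationFailedException` to detect a rejected join no longer match (this commit had to change four such catches in P2PAuthenticationDUnitTest and one in IntegratedSecurityPeerAuthDistributedTest), and the throw site cannot distinguish an authentication failure from the new authorization failure because only the `failReason` text arrives from the coordinator. If the join response can carry the failure kind, this site could throw `AuthenticationFailedException` or `NotAuthorizedException` accordingly; otherwise the widened exception type should be stated on the public entry point's Javadoc, e.g. `@throws GemFireSecurityException if the coordinator rejects the join for authentication or authorization reasons`. The enclosing method starts and ends outside the hunk.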

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java 
b/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java
index 29dc500..d341f51 100755
--- 
a/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java
+++ 
b/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java
@@ -3704,8 +3704,8 @@ public class LocalizedStrings {
   public static final StringId Network_partition_detected = new StringId(6607, 
"Exiting due to possible network partition event due to loss of {0} cache 
processes: {1}");
 
   // GMSAuthenticator
-  public static final StringId AUTH_PEER_AUTHENTICATION_FAILED_WITH_EXCEPTION 
= new StringId(6608, "Authentication failed for [{0}]. {1}");
-  public static final StringId AUTH_PEER_AUTHENTICATION_FAILED = new 
StringId(6609, "Authentication failed. See coordinator [{0}] logs for 
details.");
+  public static final StringId AUTH_PEER_AUTHENTICATION_FAILED_WITH_EXCEPTION 
= new StringId(6608, "Security check failed for [{0}]. {1}");
+  public static final StringId AUTH_PEER_AUTHENTICATION_FAILED = new 
StringId(6609, "Security check failed. {0}");
   public static final StringId AUTH_PEER_AUTHENTICATION_MISSING_CREDENTIALS = 
new StringId(6610, "Failed to find credentials from [{0}]");
   public static final StringId AUTH_FAILED_TO_ACQUIRE_AUTHINITIALIZE_INSTANCE 
= new StringId(6611, "AuthInitialize instance could not be obtained");
   public static final StringId 
AUTH_FAILED_TO_OBTAIN_CREDENTIALS_IN_0_USING_AUTHINITIALIZE_1_2 = new 
StringId(6612, "Failed to obtain credentials using AuthInitialize [{1}]. {2}");

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java
 
b/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java
index 45a5881..c6cbf88 100644
--- 
a/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java
@@ -21,12 +21,12 @@ import static org.assertj.core.api.Assertions.*;
 
 import java.util.Properties;
 
-import org.apache.geode.test.junit.categories.SecurityTest;
-import org.apache.geode.test.junit.categories.UnitTest;
-
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
+import org.apache.geode.test.junit.categories.SecurityTest;
+import org.apache.geode.test.junit.categories.UnitTest;
+
 /**
  * Unit tests GMSAuthenticator using old security.
  */
@@ -41,17 +41,17 @@ public class GMSAuthenticatorWithAuthenticatorTest extends 
AbstractGMSAuthentica
   @Test
   public void nullAuthenticatorShouldReturnNull() throws Exception {
     assertThat(securityProps).doesNotContainKey(SECURITY_PEER_AUTHENTICATOR);
-    String result = authenticator.authenticate(member, securityProps, 
securityProps, member);
+    String result = authenticator.authenticate(member, securityProps, 
securityProps);
     // assertThat(result).isNull(); NOTE: old security used to return null
-    assertThat(result).contains("Authentication failed");
+    assertThat(result).contains("Security check failed");
   }
 
   @Test
   public void emptyAuthenticatorShouldReturnNull() throws Exception {
     securityProps.setProperty(SECURITY_PEER_AUTHENTICATOR, "");
-    String result = authenticator.authenticate(member, securityProps, 
securityProps, member);
+    String result = authenticator.authenticate(member, securityProps, 
securityProps);
     // assertThat(result).isNull(); NOTE: old security used to return null
-    assertThat(result).contains("Authentication failed");
+    assertThat(result).contains("Security check failed");
   }
 
   @Test
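Review bot: `nullAuthenticatorShouldReturnNull` and `emptyAuthenticatorShouldReturnNull` now assert `contains("Security check failed")`, so their names describe the old contract that the commented-out `assertThat(result).isNull()` lines preserve rather than what the tests check. Rename them to `nullAuthenticatorShouldReturnFailureMessage` and `emptyAuthenticatorShouldReturnFailureMessage` and delete the commented-out assertions instead of keeping both versions side by side.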
@@ -127,7 +127,7 @@ public class GMSAuthenticatorWithAuthenticatorTest extends 
AbstractGMSAuthentica
     assertThat(auth.isClosed()).isFalse();
 
     SpyAuthenticator.setAuthenticator(auth);
-    String result = authenticator.authenticate(member, props, props, member);
+    String result = authenticator.authenticate(member, props, props);
 
     assertThat(result).isNull();
     assertThat(auth.isClosed()).isTrue();
@@ -136,51 +136,51 @@ public class GMSAuthenticatorWithAuthenticatorTest 
extends AbstractGMSAuthentica
 
   @Test
   public void authenticateShouldReturnNullIfPeerAuthenticatorIsNull() throws 
Exception {
-    String result = authenticator.authenticate(member, props, props, member);
+    String result = authenticator.authenticate(member, props, props);
     //assertThat(result).isNull(); // NOTE: old security used to return null
-    assertThat(result).contains("Authentication failed. See coordinator 
[member] logs for details.");
+    assertThat(result).contains("Security check failed. Instance could not be 
obtained from null");
   }
 
   @Test
   public void authenticateShouldReturnNullIfPeerAuthenticatorIsEmpty() throws 
Exception {
     props.setProperty(SECURITY_PEER_AUTHENTICATOR, "");
-    String result = authenticator.authenticate(member, props, props, member);
+    String result = authenticator.authenticate(member, props, props);
     //assertThat(result).isNull(); // NOTE: old security used to return null
-    assertThat(result).contains("Authentication failed. See coordinator 
[member] logs for details.");
+    assertThat(result).contains("Security check failed. Instance could not be 
obtained from");
   }
 
   @Test
   public void 
authenticateShouldReturnFailureMessageIfPeerAuthenticatorDoesNotExist() throws 
Exception {
     props.setProperty(SECURITY_PEER_AUTHENTICATOR, getClass().getName() + 
"$NotExistAuth.create");
-    String result = authenticator.authenticate(member, props, props, member);
-    assertThat(result).startsWith("Authentication failed. See coordinator");
+    String result = authenticator.authenticate(member, props, props);
+    assertThat(result).startsWith("Security check failed. Instance could not 
be obtained from");
   }
 
   @Test
   public void 
authenticateShouldReturnFailureMessageIfAuthenticateReturnsNull() throws 
Exception {
     props.setProperty(SECURITY_PEER_AUTHENTICATOR, 
AuthenticatorReturnsNulls.class.getName() + ".create");
-    String result = authenticator.authenticate(member, props, props, member);
-    assertThat(result).startsWith("Authentication failed. See coordinator");
+    String result = authenticator.authenticate(member, props, props);
+    assertThat(result).startsWith("Security check failed. Instance could not 
be obtained");
   }
 
   @Test
   public void authenticateShouldReturnFailureMessageIfNullCredentials() throws 
Exception {
     props.setProperty(SECURITY_PEER_AUTHENTICATOR, 
AuthenticatorReturnsNulls.class.getName() + ".create");
-    String result = authenticator.authenticate(member, null, props, member);
+    String result = authenticator.authenticate(member, null, props);
     assertThat(result).startsWith("Failed to find credentials from");
   }
 
   @Test
   public void authenticateShouldReturnFailureMessageIfAuthenticateInitThrows() 
throws Exception {
     props.setProperty(SECURITY_PEER_AUTHENTICATOR, 
AuthenticatorInitThrows.class.getName() + ".create");
-    String result = authenticator.authenticate(member, props, props, member);
-    assertThat(result).startsWith("Authentication failed. See coordinator");
+    String result = authenticator.authenticate(member, props, props);
+    assertThat(result).startsWith("Security check failed. expected init 
error");
   }
 
   @Test
   public void authenticateShouldReturnFailureMessageIfAuthenticateThrows() 
throws Exception {
     props.setProperty(SECURITY_PEER_AUTHENTICATOR, 
AuthenticatorAuthenticateThrows.class.getName() + ".create");
-    String result = authenticator.authenticate(member, props, props, member);
-    assertThat(result).startsWith("Authentication failed. See coordinator");
+    String result = authenticator.authenticate(member, props, props);
+    assertThat(result).startsWith("Security check failed. expected 
authenticate error");
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
 
b/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
index ddb208d..49475e0 100644
--- 
a/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java
@@ -43,14 +43,14 @@ public class GMSAuthenticatorWithSecurityManagerTest 
extends AbstractGMSAuthenti
   @Test
   public void nullManagerShouldReturnNull() throws Exception {
     assertThat(securityProps).doesNotContainKey(SECURITY_MANAGER);
-    String result = authenticator.authenticate(member, securityProps, 
securityProps, member);
+    String result = authenticator.authenticate(member, securityProps, 
securityProps);
     assertThat(result).isNull();
   }
 
   @Test
   public void emptyAuthenticatorShouldReturnNull() throws Exception {
     securityProps.setProperty(SECURITY_MANAGER, "");
-    String result = authenticator.authenticate(member, securityProps, 
securityProps, member);
+    String result = authenticator.authenticate(member, securityProps, 
securityProps);
     assertThat(result).isNull();
   }
 
@@ -123,13 +123,13 @@ public class GMSAuthenticatorWithSecurityManagerTest 
extends AbstractGMSAuthenti
   @Test
   public void authenticateShouldReturnNullIfSuccessful() throws Exception {
     props.setProperty(SECURITY_MANAGER, "dummy");
-    String result = authenticator.authenticate(member, props, props, member);
+    String result = authenticator.authenticate(member, props, props);
     assertThat(result).isNull();
   }
 
   @Test
   public void authenticateShouldReturnNullIfNoSecurityManager() throws 
Exception {
-    String result = authenticator.authenticate(member, props, props, member);
+    String result = authenticator.authenticate(member, props, props);
     assertThat(result).isNull();
   }
 
@@ -137,14 +137,14 @@ public class GMSAuthenticatorWithSecurityManagerTest 
extends AbstractGMSAuthenti
   public void authenticateShouldReturnFailureMessageIfLoginThrows() throws 
Exception {
     when(securityService.login(any(Properties.class))).thenThrow(new 
GemFireSecurityException("dummy"));
     props.setProperty(SECURITY_MANAGER, "dummy");
-    String result = authenticator.authenticate(member, props, props, member);
-    assertThat(result).startsWith("Authentication failed. See coordinator");
+    String result = authenticator.authenticate(member, props, props);
+    assertThat(result).startsWith("Security check failed. dummy");
   }
 
   @Test
   public void authenticateShouldReturnFailureMessageIfNullCredentials() throws 
Exception {
     props.setProperty(SECURITY_MANAGER, "dummy");
-    String result = authenticator.authenticate(member, null, props, member);
+    String result = authenticator.authenticate(member, null, props);
     assertThat(result).startsWith("Failed to find credentials from");
   }
 
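Review bot: No test in this file exercises the authorization step this commit adds to GMSAuthenticator — `authenticateShouldReturnFailureMessageIfLoginThrows` only stubs `securityService.login`, so `authorizeClusterManage()` throwing (the case GEODE-1909 is about) is covered, if at all, only by the new distributed test. A unit test mirroring the login case would pin that the failure message is returned rather than the exception escaping `authenticate`; `doThrow(...).when(...)` is the Mockito form needed if `authorizeClusterManage` is void, as its bare call in GMSAuthenticator suggests, and the test relies on the same integrated-security setup the login test already depends on.
```java
@Test
public void authenticateShouldReturnFailureMessageIfAuthorizeClusterManageThrows() throws Exception {
  doThrow(new NotAuthorizedException("dummy")).when(securityService).authorizeClusterManage();
  props.setProperty(SECURITY_MANAGER, "dummy");
  String result = authenticator.authenticate(member, props, props);
  assertThat(result).startsWith("Security check failed. dummy");
}
```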

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java
 
b/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java
index acc2b86..b55ca18 100644
--- 
a/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java
@@ -22,7 +22,11 @@ import static org.assertj.core.api.Assertions.*;
 
 import java.util.Properties;
 
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
 import org.apache.geode.internal.AvailablePort;
+import org.apache.geode.security.templates.SampleSecurityManager;
 import org.apache.geode.security.templates.UserPasswordAuthInit;
 import org.apache.geode.test.dunit.DistributedTestUtils;
 import org.apache.geode.test.dunit.Host;
@@ -32,10 +36,6 @@ import 
org.apache.geode.test.dunit.cache.internal.JUnit4CacheTestCase;
 import org.apache.geode.test.junit.categories.DistributedTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
-import org.apache.geode.security.templates.SampleSecurityManager;
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
-
 @Category({ DistributedTest.class, SecurityTest.class })
 public class IntegratedSecurityPeerAuthDistributedTest extends 
JUnit4CacheTestCase{
 
@@ -106,7 +106,7 @@ public class IntegratedSecurityPeerAuthDistributedTest 
extends JUnit4CacheTestCa
     properties.setProperty(UserPasswordAuthInit.USER_NAME, "stranger");
     properties.setProperty(UserPasswordAuthInit.PASSWORD, "1234567");
 
-    assertThatThrownBy(() -> 
getSystem(properties)).isExactlyInstanceOf(AuthenticationFailedException.class);
+    assertThatThrownBy(() -> 
getSystem(properties)).isExactlyInstanceOf(GemFireSecurityException.class);
   }
 
   @Override

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java
 
b/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java
index 9fcf4cd..5ddb962 100644
--- 
a/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java
@@ -18,6 +18,22 @@
  */
 package org.apache.geode.security;
 
+import static org.apache.geode.distributed.ConfigurationProperties.*;
+import static org.apache.geode.internal.AvailablePort.*;
+import static org.apache.geode.security.SecurityTestUtils.*;
+import static org.apache.geode.test.dunit.Assert.*;
+import static org.apache.geode.test.dunit.IgnoredException.*;
+import static org.apache.geode.test.dunit.NetworkUtils.*;
+import static org.apache.geode.test.dunit.Wait.*;
+
+import java.util.Properties;
+
+import javax.net.ssl.SSLHandshakeException;
+
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
 import org.apache.geode.distributed.ConfigurationProperties;
 import org.apache.geode.distributed.DistributedSystem;
 import org.apache.geode.distributed.Locator;
@@ -36,22 +52,6 @@ import 
org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase;
 import org.apache.geode.test.junit.categories.DistributedTest;
 import org.apache.geode.test.junit.categories.FlakyTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
-import org.junit.Ignore;
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
-
-import javax.net.ssl.SSLHandshakeException;
-import java.util.Properties;
-
-import static org.apache.geode.distributed.ConfigurationProperties.*;
-import static org.apache.geode.internal.AvailablePort.SOCKET;
-import static org.apache.geode.internal.AvailablePort.getRandomAvailablePort;
-import static org.apache.geode.security.SecurityTestUtils.startLocator;
-import static org.apache.geode.security.SecurityTestUtils.stopLocator;
-import static org.apache.geode.test.dunit.Assert.*;
-import static org.apache.geode.test.dunit.IgnoredException.addIgnoredException;
-import static org.apache.geode.test.dunit.NetworkUtils.getIPLiteral;
-import static org.apache.geode.test.dunit.Wait.pause;
 
 /**
  * Tests peer to peer authentication in Gemfire
@@ -168,7 +168,7 @@ public class P2PAuthenticationDUnitTest extends 
JUnit4DistributedTestCase {
       new SecurityTestUtils("tmp").createSystem(props, null);
       fail("AuthenticationFailedException was expected as the AuthInitialize 
object passed is incorrect");
 
-    } catch (AuthenticationFailedException expected) {
+    } catch (GemFireSecurityException expected) {
       // success
 
     } finally {
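Review bot: The `fail("AuthenticationFailedException was expected as the AuthInitialize object passed is incorrect")` message on the context line above still names the old exception while the catch now expects `GemFireSecurityException`, so a regression would be reported with a misleading reason; change it to `fail("GemFireSecurityException was expected as the AuthInitialize object passed is incorrect");`. The same stale text is in the three following hunks of this file (the incorrect-Authenticator, no-credentials and wrong-credentials cases).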
@@ -200,7 +200,7 @@ public class P2PAuthenticationDUnitTest extends 
JUnit4DistributedTestCase {
       new SecurityTestUtils("tmp").createSystem(props, null);
       fail("AuthenticationFailedException was expected as the Authenticator 
object passed is incorrect");
 
-    } catch (AuthenticationFailedException expected) {
+    } catch (GemFireSecurityException expected) {
       // success
 
     } finally {
@@ -231,7 +231,7 @@ public class P2PAuthenticationDUnitTest extends 
JUnit4DistributedTestCase {
       new SecurityTestUtils("tmp").createSystem(props, null);
       fail("AuthenticationFailedException was expected as no credentials are 
set");
 
-    } catch (AuthenticationFailedException expected) {
+    } catch (GemFireSecurityException expected) {
       // success
 
     } finally {
@@ -301,7 +301,7 @@ public class P2PAuthenticationDUnitTest extends 
JUnit4DistributedTestCase {
         new SecurityTestUtils("tmp").createSystem(props, null);
         fail("AuthenticationFailedException was expected as wrong credentials 
were passed");
 
-      } catch (AuthenticationFailedException expected) {
+      } catch (GemFireSecurityException expected) {
         // success
       }
 

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/security/StartServerAuthorizationTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/security/StartServerAuthorizationTest.java
 
b/geode-core/src/test/java/org/apache/geode/security/StartServerAuthorizationTest.java
new file mode 100644
index 0000000..8468664
--- /dev/null
+++ 
b/geode-core/src/test/java/org/apache/geode/security/StartServerAuthorizationTest.java
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.geode.security;
+
+import static org.apache.geode.distributed.ConfigurationProperties.*;
+import static org.assertj.core.api.Assertions.*;
+
+import java.io.File;
+import java.util.Properties;
+
+import org.apache.geode.distributed.Locator;
+import org.apache.geode.internal.AvailablePortHelper;
+import org.apache.geode.security.templates.SampleSecurityManager;
+import org.apache.geode.test.dunit.Host;
+import org.apache.geode.test.dunit.VM;
+import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase;
+import org.apache.geode.test.junit.categories.DistributedTest;
+import org.apache.geode.test.junit.categories.SecurityTest;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+@Category({ DistributedTest.class, SecurityTest.class })
+public class StartServerAuthorizationTest extends JUnit4DistributedTestCase {
+  private int locatorPort = 0;
+
+  @Before
+  public void before() throws Exception {
+    final Host host = Host.getHost(0);
+    VM locator = host.getVM(0);
+    // set up locator with security
+    int[] ports = AvailablePortHelper.getRandomAvailableTCPPorts(2);
+    this.locatorPort = ports[0];
+    int jmxPort = ports[1];
+    locator.invoke(()->{
+      Properties props = new Properties();
+      props.setProperty(SampleSecurityManager.SECURITY_JSON, 
"org/apache/geode/management/internal/security/cacheServer.json");
+      props.setProperty(SECURITY_MANAGER, 
SampleSecurityManager.class.getName());
+      props.setProperty(MCAST_PORT, "0");
+      props.put(JMX_MANAGER, "true");
+      props.put(JMX_MANAGER_START, "true");
+      props.put(JMX_MANAGER_PORT, jmxPort+"");
+      props.setProperty(SECURITY_POST_PROCESSOR, 
PDXPostProcessor.class.getName());
+      Locator.startLocatorAndDS(locatorPort, new File("locator.log"), props);
+    });
+  }
+
+  @Test
+  public void testStartServerWithInvalidCredential() throws Exception{
+    // set up server with security
+    String locators = "localhost[" + locatorPort + "]";
+
+    Properties props = new Properties();
+    props.setProperty(MCAST_PORT, "0");
+    props.setProperty(LOCATORS, locators);
+
+    // the following are needed for peer-to-peer authentication
+    props.setProperty("security-username", "stranger");
+    props.setProperty("security-password", "wrongPswd");
+
+    
assertThatThrownBy(()->getSystem(props)).isInstanceOf(GemFireSecurityException.class).hasMessageContaining("Authentication
 error. Please check your credentials.");
+  }
+
+  @Test
+  public void testStartServerWithInsufficientPrevilage() throws Exception{
+    // set up server with security
+    String locators = "localhost[" + locatorPort + "]";
+
+    Properties props = new Properties();
+    props.setProperty(MCAST_PORT, "0");
+    props.setProperty(LOCATORS, locators);
+
+    // the following are needed for peer-to-peer authentication
+    props.setProperty("security-username", "stranger");
+    props.setProperty("security-password", "1234567");
+
+
+    
assertThatThrownBy(()->getSystem(props)).isInstanceOf(GemFireSecurityException.class).hasMessageContaining("stranger
 not authorized for CLUSTER:MANAGE");
+  }
+
+  @Test
+  public void testStartServerWithSufficientPrevilage() throws Exception{
+    // set up server with security
+    String locators = "localhost[" + locatorPort + "]";
+
+    Properties props = new Properties();
+    props.setProperty(MCAST_PORT, "0");
+    props.setProperty(LOCATORS, locators);
+
+    // the following are needed for peer-to-peer authentication
+    props.setProperty("security-username", "cluster-manager");
+    props.setProperty("security-password", "1234567");
+
+    // No exception should be thrown
+    getSystem(props);
+  }
+
+}
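Review bot: The test names `testStartServerWithInsufficientPrevilage` and `testStartServerWithSufficientPrevilage` misspell "Privilege"; rename them to `testStartServerWithInsufficientPrivilege` and `testStartServerWithSufficientPrivilege`. The sufficient-privilege test also ends with a bare `getSystem(props)` under the comment "No exception should be thrown", so it only asserts the absence of an exception; `assertThat(getSystem(props).isConnected()).isTrue();` makes the expected outcome explicit. In `before()` the three JMX properties use `props.put(...)` while every other line uses `setProperty`; `props.setProperty(JMX_MANAGER_PORT, String.valueOf(jmxPort));` keeps the Properties usage uniform and avoids the `jmxPort+""` conversion. The locator started in VM 0 by `before()` is never stopped in this class; if the base class does not disconnect that VM between test methods (I cannot tell from this diff), the second `Locator.startLocatorAndDS` call would run against a locator that is already up.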

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json
 
b/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json
index 3bb3e2f..d11a408 100644
--- 
a/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json
+++ 
b/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json
@@ -171,6 +171,14 @@
       ]
     },
     {
+      "name": "reader",
+      "password": "1234567",
+      "roles": [
+        "data-read",
+        "cluster-read"
+      ]
+    },
+    {
       "name": "data-writer",
       "password": "1234567",
       "roles": [

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json 
b/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json
index 9bd8936..898e9c0 100644
--- a/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json
+++ b/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json
@@ -1,21 +1,34 @@
 {
+  "roles": [
+    {
+      "name": "cluster",
+      "operationsAllowed": [
+        "CLUSTER:MANAGE",
+        "CLUSTER:WRITE",
+        "CLUSTER:READ"
+      ]
+    }
+    ],
   "users": [
     {
       "name": "locator1",
       "password": "1234567",
       "roles": [
+        "cluster"
       ]
     },
     {
       "name": "server1",
       "password": "1234567",
       "roles": [
+        "cluster"
       ]
     },
     {
       "name": "server2",
       "password": "1234567",
       "roles": [
+        "cluster"
       ]
     }
   ]
