Repository: incubator-geode Updated Branches: refs/heads/develop cf3fea30f -> d639eefd3
GEODE-1909: add authorization in GMSAuthenticator Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/d639eefd Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/d639eefd Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/d639eefd Branch: refs/heads/develop Commit: d639eefd3d42374da987d89f5dfc2d4f83d330eb Parents: cf3fea3 Author: Jinmei Liao <[email protected]> Authored: Mon Sep 19 13:53:04 2016 -0700 Committer: Jinmei Liao <[email protected]> Committed: Thu Sep 22 07:34:36 2016 -0700 ---------------------------------------------------------------------- .../membership/gms/GMSMemberFactory.java | 22 ++-- .../membership/gms/auth/GMSAuthenticator.java | 8 +- .../membership/gms/membership/GMSJoinLeave.java | 51 ++++++--- .../geode/internal/i18n/LocalizedStrings.java | 4 +- .../GMSAuthenticatorWithAuthenticatorTest.java | 42 +++---- ...GMSAuthenticatorWithSecurityManagerTest.java | 14 +-- ...tegratedSecurityPeerAuthDistributedTest.java | 10 +- .../security/P2PAuthenticationDUnitTest.java | 40 +++---- .../security/StartServerAuthorizationTest.java | 113 +++++++++++++++++++ .../internal/security/cacheServer.json | 8 ++ .../org/apache/geode/security/peerAuth.json | 13 +++ 11 files changed, 241 insertions(+), 84 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java index 08178e9..970d8cc 100755 
--- a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java +++ b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/GMSMemberFactory.java @@ -16,25 +16,28 @@ */ package org.apache.geode.distributed.internal.membership.gms; +import java.io.File; +import java.net.InetAddress; +import java.net.UnknownHostException; + import org.apache.geode.GemFireConfigException; import org.apache.geode.SystemConnectException; import org.apache.geode.distributed.internal.DMStats; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.distributed.internal.DistributionException; import org.apache.geode.distributed.internal.LocatorStats; -import org.apache.geode.distributed.internal.membership.*; +import org.apache.geode.distributed.internal.membership.DistributedMembershipListener; +import org.apache.geode.distributed.internal.membership.MemberAttributes; +import org.apache.geode.distributed.internal.membership.MemberServices; +import org.apache.geode.distributed.internal.membership.MembershipManager; +import org.apache.geode.distributed.internal.membership.NetMember; import org.apache.geode.distributed.internal.membership.gms.locator.GMSLocator; -import org.apache.geode.internal.net.SocketCreator; import org.apache.geode.internal.Version; import org.apache.geode.internal.admin.remote.RemoteTransportConfig; import org.apache.geode.internal.i18n.LocalizedStrings; +import org.apache.geode.internal.net.SocketCreator; import org.apache.geode.internal.tcp.ConnectionException; -import org.apache.geode.security.AuthenticationFailedException; -import org.apache.geode.security.AuthenticationRequiredException; - -import java.io.File; -import java.net.InetAddress; -import java.net.UnknownHostException; +import org.apache.geode.security.GemFireSecurityException; /** * Create a new Member based on the given inputs. 
@@ -105,8 +108,7 @@ public class GMSMemberFactory implements MemberServices { } catch (GemFireConfigException | SystemConnectException - | AuthenticationFailedException - | AuthenticationRequiredException e) { + | GemFireSecurityException e) { throw e; } catch (RuntimeException e) { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java index 3f030c9..8e4c15d 100755 --- a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java +++ b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticator.java @@ -99,13 +99,13 @@ public class GMSAuthenticator implements Authenticator { */ @Override public String authenticate(InternalDistributedMember member, Properties credentials) throws AuthenticationFailedException { - return authenticate(member, credentials, this.securityProps, this.services.getJoinLeave().getMemberID()); + return authenticate(member, credentials, this.securityProps); } /** * Method is package protected to be used in testing. */ - String authenticate(DistributedMember member, Properties credentials, Properties secProps, DistributedMember localMember) throws AuthenticationFailedException { + String authenticate(DistributedMember member, Properties credentials, Properties secProps) throws AuthenticationFailedException { if (!securityService.isPeerSecurityRequired()) { return null; } 
@@ -121,6 +121,7 @@ public class GMSAuthenticator implements Authenticator { try { if(this.securityService.isIntegratedSecurity()){ this.securityService.login(credentials); + this.securityService.authorizeClusterManage(); } else { invokeAuthenticator(secProps, member, credentials); @@ -129,8 +130,9 @@ public class GMSAuthenticator implements Authenticator { securityLogWriter.warning(AUTH_PEER_AUTHENTICATION_FAILED_WITH_EXCEPTION, new Object[] { member, ex.getLocalizedMessage() }, ex); - failMsg = AUTH_PEER_AUTHENTICATION_FAILED.toLocalizedString(localMember); + failMsg = AUTH_PEER_AUTHENTICATION_FAILED.toLocalizedString(ex.getLocalizedMessage()); } + return failMsg; } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java index d15e8bf..89a9a37 100644 --- a/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java +++ b/geode-core/src/main/java/org/apache/geode/distributed/internal/membership/gms/membership/GMSJoinLeave.java 
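Review bot: `authorizeClusterManage()` is invoked directly after `login(credentials)` and nothing in the hunk releases that login; if `login` binds the authenticated subject to the calling thread (the catch block and the rest of the method sit outside the hunk), a peer that authenticates but fails the CLUSTER:MANAGE check, or one that passes it, leaves its subject attached to the coordinator's membership thread for whatever join request is processed next. Worth confirming against SecurityService; if it exposes a logout, scoping the two calls as `try { login(credentials); authorizeClusterManage(); } finally { logout(); }` would confine the subject to this check. The Javadoc of `authenticate` above the hunk should also state that under integrated security a null result now means authenticated and authorized for CLUSTER:MANAGE, not merely authenticated.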
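Review bot: The new `failMsg` line forwards `ex.getLocalizedMessage()` to the joining peer: per the GMSJoinLeave hunk the coordinator's reply is rethrown on the joiner as `GemFireSecurityException(failReason)`, so whatever text the SecurityManager or authenticator placed in the exception now crosses the wire to a member that has just failed authentication or authorization. The updated unit tests show this includes class-loading detail (`Instance could not be obtained from null`) and messages naming the user and the missing permission, and the catch header above the hunk appears broader than `GemFireSecurityException`, so unrelated runtime exceptions would be relayed verbatim as well. Since the coordinator already logs the full exception one line up, the wire message can stay generic for anything that is not a security exception: `failMsg = AUTH_PEER_AUTHENTICATION_FAILED.toLocalizedString(ex instanceof GemFireSecurityException ? ex.getLocalizedMessage() : "See coordinator logs for details.");`. The LocalizedStrings hunk (StringId 6609) and the message assertions in both GMSAuthenticator unit tests would follow whichever wording is chosen here.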
@@ -16,6 +16,31 @@ */ package org.apache.geode.distributed.internal.membership.gms.membership; +import static org.apache.geode.distributed.ConfigurationProperties.*; +import static org.apache.geode.distributed.internal.membership.gms.ServiceConfig.*; +import static org.apache.geode.internal.DataSerializableFixedID.*; + +import java.io.IOException; +import java.net.InetSocketAddress; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; +import java.util.Properties; +import java.util.Set; +import java.util.TimerTask; +import java.util.concurrent.Callable; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.Future; +import java.util.concurrent.ThreadFactory; +import java.util.concurrent.atomic.AtomicInteger; + import org.apache.geode.GemFireConfigException; import org.apache.geode.SystemConnectException; import org.apache.geode.distributed.DistributedMember; 
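Review bot: The rewritten import block replaces the explicit static imports of `LOCATORS`, `START_LOCATOR` and `MEMBER_REQUEST_COLLECTION_INTERVAL` with static wildcards on `ConfigurationProperties.*` and `ServiceConfig.*`, while the same commit expands `membership.*` and `messages.*` into explicit imports in GMSMemberFactory and in the second hunk of this file; the P2PAuthenticationDUnitTest import hunk makes the same swap. Static wildcards over constant-heavy classes hide which bare names in a file this large are imported constants and let a later local or field silently shadow one. Keeping the earlier explicit form, e.g. `import static org.apache.geode.distributed.ConfigurationProperties.LOCATORS;`, is consistent with the rest of the change.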
@@ -34,26 +59,20 @@ import org.apache.geode.distributed.internal.membership.gms.interfaces.JoinLeave import org.apache.geode.distributed.internal.membership.gms.interfaces.MessageHandler; import org.apache.geode.distributed.internal.membership.gms.locator.FindCoordinatorRequest; import org.apache.geode.distributed.internal.membership.gms.locator.FindCoordinatorResponse; -import org.apache.geode.distributed.internal.membership.gms.messages.*; +import org.apache.geode.distributed.internal.membership.gms.messages.HasMemberID; +import org.apache.geode.distributed.internal.membership.gms.messages.InstallViewMessage; +import org.apache.geode.distributed.internal.membership.gms.messages.JoinRequestMessage; +import org.apache.geode.distributed.internal.membership.gms.messages.JoinResponseMessage; +import org.apache.geode.distributed.internal.membership.gms.messages.LeaveRequestMessage; +import org.apache.geode.distributed.internal.membership.gms.messages.NetworkPartitionMessage; +import org.apache.geode.distributed.internal.membership.gms.messages.RemoveMemberMessage; +import org.apache.geode.distributed.internal.membership.gms.messages.ViewAckMessage; import org.apache.geode.distributed.internal.tcpserver.TcpClient; import org.apache.geode.internal.Version; import org.apache.geode.internal.i18n.LocalizedStrings; -import org.apache.geode.internal.net.*; -import org.apache.geode.security.AuthenticationFailedException; - +import org.apache.geode.security.GemFireSecurityException; import org.apache.logging.log4j.Logger; -import java.io.IOException; -import java.net.InetSocketAddress; -import java.util.*; -import java.util.concurrent.*; -import java.util.concurrent.atomic.AtomicInteger; - -import static org.apache.geode.distributed.ConfigurationProperties.LOCATORS; -import static org.apache.geode.distributed.ConfigurationProperties.START_LOCATOR; -import static org.apache.geode.distributed.internal.membership.gms.ServiceConfig.MEMBER_REQUEST_COLLECTION_INTERVAL; -import static 
org.apache.geode.internal.DataSerializableFixedID.*; - /** * GMSJoinLeave handles membership communication with other processes in the * distributed system. It replaces the JGroups channel membership services @@ -394,7 +413,7 @@ public class GMSJoinLeave implements JoinLeave, MessageHandler { || failReason.contains("15806")) { throw new SystemConnectException(failReason); } - throw new AuthenticationFailedException(failReason); + throw new GemFireSecurityException(failReason); } //there is no way we can rech here right now http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java b/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java index 29dc500..d341f51 100755 --- a/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java +++ b/geode-core/src/main/java/org/apache/geode/internal/i18n/LocalizedStrings.java 
@@ -3704,8 +3704,8 @@ public class LocalizedStrings { public static final StringId Network_partition_detected = new StringId(6607, "Exiting due to possible network partition event due to loss of {0} cache processes: {1}"); // GMSAuthenticator - public static final StringId AUTH_PEER_AUTHENTICATION_FAILED_WITH_EXCEPTION = new StringId(6608, "Authentication failed for [{0}]. {1}"); - public static final StringId AUTH_PEER_AUTHENTICATION_FAILED = new StringId(6609, "Authentication failed. See coordinator [{0}] logs for details."); + public static final StringId AUTH_PEER_AUTHENTICATION_FAILED_WITH_EXCEPTION = new StringId(6608, "Security check failed for [{0}]. {1}"); + public static final StringId AUTH_PEER_AUTHENTICATION_FAILED = new StringId(6609, "Security check failed. {0}"); public static final StringId AUTH_PEER_AUTHENTICATION_MISSING_CREDENTIALS = new StringId(6610, "Failed to find credentials from [{0}]"); public static final StringId AUTH_FAILED_TO_ACQUIRE_AUTHINITIALIZE_INSTANCE = new StringId(6611, "AuthInitialize instance could not be obtained"); public static final StringId AUTH_FAILED_TO_OBTAIN_CREDENTIALS_IN_0_USING_AUTHINITIALIZE_1_2 = new StringId(6612, "Failed to obtain credentials using AuthInitialize [{1}]. {2}"); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java b/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java index 45a5881..c6cbf88 100644 --- a/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java 
+++ b/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithAuthenticatorTest.java @@ -21,12 +21,12 @@ import static org.assertj.core.api.Assertions.*; import java.util.Properties; -import org.apache.geode.test.junit.categories.SecurityTest; -import org.apache.geode.test.junit.categories.UnitTest; - import org.junit.Test; import org.junit.experimental.categories.Category; +import org.apache.geode.test.junit.categories.SecurityTest; +import org.apache.geode.test.junit.categories.UnitTest; + /** * Unit tests GMSAuthenticator using old security. */ @@ -41,17 +41,17 @@ public class GMSAuthenticatorWithAuthenticatorTest extends AbstractGMSAuthentica @Test public void nullAuthenticatorShouldReturnNull() throws Exception { assertThat(securityProps).doesNotContainKey(SECURITY_PEER_AUTHENTICATOR); - String result = authenticator.authenticate(member, securityProps, securityProps, member); + String result = authenticator.authenticate(member, securityProps, securityProps); // assertThat(result).isNull(); NOTE: old security used to return null - assertThat(result).contains("Authentication failed"); + assertThat(result).contains("Security check failed"); } @Test public void emptyAuthenticatorShouldReturnNull() throws Exception { securityProps.setProperty(SECURITY_PEER_AUTHENTICATOR, ""); - String result = authenticator.authenticate(member, securityProps, securityProps, member); + String result = authenticator.authenticate(member, securityProps, securityProps); // assertThat(result).isNull(); NOTE: old security used to return null - assertThat(result).contains("Authentication failed"); + assertThat(result).contains("Security check failed"); } @Test 
@@ -127,7 +127,7 @@ public class GMSAuthenticatorWithAuthenticatorTest extends AbstractGMSAuthentica assertThat(auth.isClosed()).isFalse(); SpyAuthenticator.setAuthenticator(auth); - String result = authenticator.authenticate(member, props, props, member); + String result = authenticator.authenticate(member, props, props); assertThat(result).isNull(); assertThat(auth.isClosed()).isTrue(); 
@@ -136,51 +136,51 @@ public class GMSAuthenticatorWithAuthenticatorTest extends AbstractGMSAuthentica @Test public void authenticateShouldReturnNullIfPeerAuthenticatorIsNull() throws Exception { - String result = authenticator.authenticate(member, props, props, member); + String result = authenticator.authenticate(member, props, props); //assertThat(result).isNull(); // NOTE: old security used to return null - assertThat(result).contains("Authentication failed. See coordinator [member] logs for details."); + assertThat(result).contains("Security check failed. Instance could not be obtained from null"); } @Test public void authenticateShouldReturnNullIfPeerAuthenticatorIsEmpty() throws Exception { props.setProperty(SECURITY_PEER_AUTHENTICATOR, ""); - String result = authenticator.authenticate(member, props, props, member); + String result = authenticator.authenticate(member, props, props); //assertThat(result).isNull(); // NOTE: old security used to return null - assertThat(result).contains("Authentication failed. See coordinator [member] logs for details."); + assertThat(result).contains("Security check failed. Instance could not be obtained from"); } @Test public void authenticateShouldReturnFailureMessageIfPeerAuthenticatorDoesNotExist() throws Exception { props.setProperty(SECURITY_PEER_AUTHENTICATOR, getClass().getName() + "$NotExistAuth.create"); - String result = authenticator.authenticate(member, props, props, member); - assertThat(result).startsWith("Authentication failed. See coordinator"); + String result = authenticator.authenticate(member, props, props); + assertThat(result).startsWith("Security check failed. 
Instance could not be obtained from"); } @Test public void authenticateShouldReturnFailureMessageIfAuthenticateReturnsNull() throws Exception { props.setProperty(SECURITY_PEER_AUTHENTICATOR, AuthenticatorReturnsNulls.class.getName() + ".create"); - String result = authenticator.authenticate(member, props, props, member); - assertThat(result).startsWith("Authentication failed. See coordinator"); + String result = authenticator.authenticate(member, props, props); + assertThat(result).startsWith("Security check failed. Instance could not be obtained"); } @Test public void authenticateShouldReturnFailureMessageIfNullCredentials() throws Exception { props.setProperty(SECURITY_PEER_AUTHENTICATOR, AuthenticatorReturnsNulls.class.getName() + ".create"); - String result = authenticator.authenticate(member, null, props, member); + String result = authenticator.authenticate(member, null, props); assertThat(result).startsWith("Failed to find credentials from"); } @Test public void authenticateShouldReturnFailureMessageIfAuthenticateInitThrows() throws Exception { props.setProperty(SECURITY_PEER_AUTHENTICATOR, AuthenticatorInitThrows.class.getName() + ".create"); - String result = authenticator.authenticate(member, props, props, member); - assertThat(result).startsWith("Authentication failed. See coordinator"); + String result = authenticator.authenticate(member, props, props); + assertThat(result).startsWith("Security check failed. expected init error"); } @Test public void authenticateShouldReturnFailureMessageIfAuthenticateThrows() throws Exception { props.setProperty(SECURITY_PEER_AUTHENTICATOR, AuthenticatorAuthenticateThrows.class.getName() + ".create"); - String result = authenticator.authenticate(member, props, props, member); - assertThat(result).startsWith("Authentication failed. See coordinator"); + String result = authenticator.authenticate(member, props, props); + assertThat(result).startsWith("Security check failed. 
expected authenticate error"); } } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java b/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java index ddb208d..49475e0 100644 --- a/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java +++ b/geode-core/src/test/java/org/apache/geode/distributed/internal/membership/gms/auth/GMSAuthenticatorWithSecurityManagerTest.java @@ -43,14 +43,14 @@ public class GMSAuthenticatorWithSecurityManagerTest extends AbstractGMSAuthenti @Test public void nullManagerShouldReturnNull() throws Exception { assertThat(securityProps).doesNotContainKey(SECURITY_MANAGER); - String result = authenticator.authenticate(member, securityProps, securityProps, member); + String result = authenticator.authenticate(member, securityProps, securityProps); assertThat(result).isNull(); } @Test public void emptyAuthenticatorShouldReturnNull() throws Exception { securityProps.setProperty(SECURITY_MANAGER, ""); - String result = authenticator.authenticate(member, securityProps, securityProps, member); + String result = authenticator.authenticate(member, securityProps, securityProps); assertThat(result).isNull(); } 
@@ -123,13 +123,13 @@ public class GMSAuthenticatorWithSecurityManagerTest extends AbstractGMSAuthenti @Test public void authenticateShouldReturnNullIfSuccessful() throws Exception { props.setProperty(SECURITY_MANAGER, "dummy"); - String result = authenticator.authenticate(member, props, props, member); + String result = authenticator.authenticate(member, props, props); assertThat(result).isNull(); } @Test public void authenticateShouldReturnNullIfNoSecurityManager() throws Exception { - String result = authenticator.authenticate(member, props, props, member); + String result = authenticator.authenticate(member, props, props); assertThat(result).isNull(); } @@ -137,14 +137,14 @@ public class GMSAuthenticatorWithSecurityManagerTest extends AbstractGMSAuthenti public void authenticateShouldReturnFailureMessageIfLoginThrows() throws Exception { when(securityService.login(any(Properties.class))).thenThrow(new GemFireSecurityException("dummy")); props.setProperty(SECURITY_MANAGER, "dummy"); - String result = authenticator.authenticate(member, props, props, member); - assertThat(result).startsWith("Authentication failed. See coordinator"); + String result = authenticator.authenticate(member, props, props); + assertThat(result).startsWith("Security check failed. dummy"); } @Test public void authenticateShouldReturnFailureMessageIfNullCredentials() throws Exception { props.setProperty(SECURITY_MANAGER, "dummy"); - String result = authenticator.authenticate(member, null, props, member); + String result = authenticator.authenticate(member, null, props); assertThat(result).startsWith("Failed to find credentials from"); } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java ---------------------------------------------------------------------- 
diff --git a/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java b/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java index acc2b86..b55ca18 100644 --- a/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java +++ b/geode-core/src/test/java/org/apache/geode/security/IntegratedSecurityPeerAuthDistributedTest.java @@ -22,7 +22,11 @@ import static org.assertj.core.api.Assertions.*; import java.util.Properties; +import org.junit.Test; +import org.junit.experimental.categories.Category; + import org.apache.geode.internal.AvailablePort; +import org.apache.geode.security.templates.SampleSecurityManager; import org.apache.geode.security.templates.UserPasswordAuthInit; import org.apache.geode.test.dunit.DistributedTestUtils; import org.apache.geode.test.dunit.Host; @@ -32,10 +36,6 @@ import org.apache.geode.test.dunit.cache.internal.JUnit4CacheTestCase; import org.apache.geode.test.junit.categories.DistributedTest; import org.apache.geode.test.junit.categories.SecurityTest; -import org.apache.geode.security.templates.SampleSecurityManager; -import org.junit.Test; -import org.junit.experimental.categories.Category; - @Category({ DistributedTest.class, SecurityTest.class }) public class IntegratedSecurityPeerAuthDistributedTest extends JUnit4CacheTestCase{ 
@@ -106,7 +106,7 @@ public class IntegratedSecurityPeerAuthDistributedTest extends JUnit4CacheTestCa properties.setProperty(UserPasswordAuthInit.USER_NAME, "stranger"); properties.setProperty(UserPasswordAuthInit.PASSWORD, "1234567"); - assertThatThrownBy(() -> getSystem(properties)).isExactlyInstanceOf(AuthenticationFailedException.class); + assertThatThrownBy(() -> getSystem(properties)).isExactlyInstanceOf(GemFireSecurityException.class); } @Override http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java b/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java index 9fcf4cd..5ddb962 100644 --- a/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java +++ b/geode-core/src/test/java/org/apache/geode/security/P2PAuthenticationDUnitTest.java @@ -18,6 +18,22 @@ */ package org.apache.geode.security; +import static org.apache.geode.distributed.ConfigurationProperties.*; +import static org.apache.geode.internal.AvailablePort.*; +import static org.apache.geode.security.SecurityTestUtils.*; +import static org.apache.geode.test.dunit.Assert.*; +import static org.apache.geode.test.dunit.IgnoredException.*; +import static org.apache.geode.test.dunit.NetworkUtils.*; +import static org.apache.geode.test.dunit.Wait.*; + +import java.util.Properties; + +import javax.net.ssl.SSLHandshakeException; + +import org.junit.Ignore; +import org.junit.Test; +import org.junit.experimental.categories.Category; + import org.apache.geode.distributed.ConfigurationProperties; import org.apache.geode.distributed.DistributedSystem; import org.apache.geode.distributed.Locator; 
@@ -36,22 +52,6 @@ import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase; import org.apache.geode.test.junit.categories.DistributedTest; import org.apache.geode.test.junit.categories.FlakyTest; import org.apache.geode.test.junit.categories.SecurityTest; -import org.junit.Ignore; -import org.junit.Test; -import org.junit.experimental.categories.Category; - -import javax.net.ssl.SSLHandshakeException; -import java.util.Properties; - -import static org.apache.geode.distributed.ConfigurationProperties.*; -import static org.apache.geode.internal.AvailablePort.SOCKET; -import static org.apache.geode.internal.AvailablePort.getRandomAvailablePort; -import static org.apache.geode.security.SecurityTestUtils.startLocator; -import static org.apache.geode.security.SecurityTestUtils.stopLocator; -import static org.apache.geode.test.dunit.Assert.*; -import static org.apache.geode.test.dunit.IgnoredException.addIgnoredException; -import static org.apache.geode.test.dunit.NetworkUtils.getIPLiteral; -import static org.apache.geode.test.dunit.Wait.pause; /** * Tests peer to peer authentication in Gemfire @@ -168,7 +168,7 @@ public class P2PAuthenticationDUnitTest extends JUnit4DistributedTestCase { new SecurityTestUtils("tmp").createSystem(props, null); fail("AuthenticationFailedException was expected as the AuthInitialize object passed is incorrect"); - } catch (AuthenticationFailedException expected) { + } catch (GemFireSecurityException expected) { // success } finally { @@ -200,7 +200,7 @@ public class P2PAuthenticationDUnitTest extends JUnit4DistributedTestCase { new SecurityTestUtils("tmp").createSystem(props, null); fail("AuthenticationFailedException was expected as the Authenticator object passed is incorrect"); - } catch (AuthenticationFailedException expected) { + } catch (GemFireSecurityException expected) { // success } finally { 
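Review bot: The catch now accepts `GemFireSecurityException`, but the `fail(...)` message on the line above still reads `AuthenticationFailedException was expected ...`, so a regression would report an expectation the test no longer holds; the same pairing appears in the @@ -200, @@ -231 and @@ -301 hunks. Updating each to `fail("GemFireSecurityException was expected as ...")` keeps the diagnostics accurate. Widening to the base type also means these tests can no longer tell an authentication failure from an authorization failure on the old-security path; if that distinction matters, an assertion on the exception message inside the catch would preserve it. The enclosing test methods start and end outside the hunks.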
@@ -231,7 +231,7 @@ public class P2PAuthenticationDUnitTest extends JUnit4DistributedTestCase { new SecurityTestUtils("tmp").createSystem(props, null); fail("AuthenticationFailedException was expected as no credentials are set"); - } catch (AuthenticationFailedException expected) { + } catch (GemFireSecurityException expected) { // success } finally { @@ -301,7 +301,7 @@ public class P2PAuthenticationDUnitTest extends JUnit4DistributedTestCase { new SecurityTestUtils("tmp").createSystem(props, null); fail("AuthenticationFailedException was expected as wrong credentials were passed"); - } catch (AuthenticationFailedException expected) { + } catch (GemFireSecurityException expected) { // success } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/java/org/apache/geode/security/StartServerAuthorizationTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/security/StartServerAuthorizationTest.java b/geode-core/src/test/java/org/apache/geode/security/StartServerAuthorizationTest.java new file mode 100644 index 0000000..8468664 --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/security/StartServerAuthorizationTest.java 
@@ -0,0 +1,113 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.geode.security; + +import static org.apache.geode.distributed.ConfigurationProperties.*; +import static org.assertj.core.api.Assertions.*; + +import java.io.File; +import java.util.Properties; + +import org.apache.geode.distributed.Locator; +import org.apache.geode.internal.AvailablePortHelper; +import org.apache.geode.security.templates.SampleSecurityManager; +import org.apache.geode.test.dunit.Host; +import org.apache.geode.test.dunit.VM; +import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase; +import org.apache.geode.test.junit.categories.DistributedTest; +import org.apache.geode.test.junit.categories.SecurityTest; +import org.junit.Before; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +@Category({ DistributedTest.class, SecurityTest.class }) +public class StartServerAuthorizationTest extends JUnit4DistributedTestCase { + private int locatorPort = 0; + + @Before + public void before() throws Exception { + final Host host = Host.getHost(0); + VM locator = host.getVM(0); + // set up locator with security + int[] ports = AvailablePortHelper.getRandomAvailableTCPPorts(2); + 
this.locatorPort = ports[0]; + int jmxPort = ports[1]; + locator.invoke(()->{ + Properties props = new Properties(); + props.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/management/internal/security/cacheServer.json"); + props.setProperty(SECURITY_MANAGER, SampleSecurityManager.class.getName()); + props.setProperty(MCAST_PORT, "0"); + props.put(JMX_MANAGER, "true"); + props.put(JMX_MANAGER_START, "true"); + props.put(JMX_MANAGER_PORT, jmxPort+""); + props.setProperty(SECURITY_POST_PROCESSOR, PDXPostProcessor.class.getName()); + Locator.startLocatorAndDS(locatorPort, new File("locator.log"), props); + }); + } + + @Test + public void testStartServerWithInvalidCredential() throws Exception{ + // set up server with security + String locators = "localhost[" + locatorPort + "]"; + + Properties props = new Properties(); + props.setProperty(MCAST_PORT, "0"); + props.setProperty(LOCATORS, locators); + + // the following are needed for peer-to-peer authentication + props.setProperty("security-username", "stranger"); + props.setProperty("security-password", "wrongPswd"); + + assertThatThrownBy(()->getSystem(props)).isInstanceOf(GemFireSecurityException.class).hasMessageContaining("Authentication error. 
Please check your credentials."); + } + + @Test + public void testStartServerWithInsufficientPrevilage() throws Exception{ + // set up server with security + String locators = "localhost[" + locatorPort + "]"; + + Properties props = new Properties(); + props.setProperty(MCAST_PORT, "0"); + props.setProperty(LOCATORS, locators); + + // the following are needed for peer-to-peer authentication + props.setProperty("security-username", "stranger"); + props.setProperty("security-password", "1234567"); + + + assertThatThrownBy(()->getSystem(props)).isInstanceOf(GemFireSecurityException.class).hasMessageContaining("stranger not authorized for CLUSTER:MANAGE"); + } + + @Test + public void testStartServerWithSufficientPrevilage() throws Exception{ + // set up server with security + String locators = "localhost[" + locatorPort + "]"; + + Properties props = new Properties(); + props.setProperty(MCAST_PORT, "0"); + props.setProperty(LOCATORS, locators); + + // the following are needed for peer-to-peer authentication + props.setProperty("security-username", "cluster-manager"); + props.setProperty("security-password", "1234567"); + + // No exception should be thrown + getSystem(props); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json b/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json index 3bb3e2f..d11a408 100644 --- a/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json +++ b/geode-core/src/test/resources/org/apache/geode/management/internal/security/cacheServer.json 
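Review bot: `before()` starts a locator with a JMX manager in VM 0 for every test method and nothing stops it, so each of the three tests leaves another locator and JMX manager running on fresh random ports; unless JUnit4DistributedTestCase's teardown disconnects that VM (not visible here), the later tests run alongside stale locators. An `@After` that invokes `Locator.getLocator().stop()` in VM 0 would bound that, and `testStartServerWithSufficientPrevilage` should at least assert that `getSystem(props).isConnected()` rather than relying on the absence of an exception. Smaller points: the lambda reads the `locatorPort` field, which serializes the whole test instance into VM 0 where a local `int port = ports[0]` would do; `props.put(JMX_MANAGER_PORT, jmxPort+"")` should be `props.setProperty(JMX_MANAGER_PORT, String.valueOf(jmxPort))` to match the surrounding lines; and `Previlage` in two test names is `Privilege`.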
@@ -171,6 +171,14 @@ ] }, { + "name": "reader", + "password": "1234567", + "roles": [ + "data-read", + "cluster-read" + ] + }, + { "name": "data-writer", "password": "1234567", "roles": [ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d639eefd/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json b/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json index 9bd8936..898e9c0 100644 --- a/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json +++ b/geode-core/src/test/resources/org/apache/geode/security/peerAuth.json @@ -1,21 +1,34 @@ { + "roles": [ + { + "name": "cluster", + "operationsAllowed": [ + "CLUSTER:MANAGE", + "CLUSTER:WRITE", + "CLUSTER:READ" + ] + } + ], "users": [ { "name": "locator1", "password": "1234567", "roles": [ + "cluster" ] }, { "name": "server1", "password": "1234567", "roles": [ + "cluster" ] }, { "name": "server2", "password": "1234567", "roles": [ + "cluster" ] } ]
