This is an automated email from the ASF dual-hosted git repository.
av pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git
The following commit(s) were added to refs/heads/master by this push:
new 9e2e2a69276 IGNITE-21240 Removed deprecated authorization methods from
Security Context. (#11174)
9e2e2a69276 is described below
commit 9e2e2a692763a22e89cea9101d325d6dbd62d32f
Author: Mikhail Petrov <[email protected]>
AuthorDate: Fri Jan 19 15:44:15 2024 +0300
IGNITE-21240 Removed deprecated authorization methods from Security
Context. (#11174)
---
.../IgniteAuthenticationProcessor.java | 27 ---
.../security/IgniteSecurityProcessor.java | 3 +-
.../processors/security/SecurityContext.java | 48 ----
.../ignite/plugin/security/SecuritySubject.java | 11 -
.../ignite/spi/discovery/tcp/ServerImpl.java | 85 +------
.../security/cluster/NodeJoinPermissionsTest.java | 243 +--------------------
.../impl/TestCertificateSecurityProcessor.java | 24 +-
.../security/impl/TestSecurityContext.java | 82 -------
.../security/impl/TestSecurityProcessor.java | 72 +++++-
.../security/impl/TestSecuritySubject.java | 46 +---
.../spi/discovery/tcp/TestReconnectProcessor.java | 26 ---
.../zk/internal/ZookeeperDiscoveryMiscTest.java | 21 --
12 files changed, 91 insertions(+), 597 deletions(-)
diff --git
a/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
index 1d3f458a064..b4a39621e0f 100644
---
a/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
+++
b/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java
@@ -71,7 +71,6 @@ import
org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;
-import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.plugin.security.SecuritySubjectType;
import org.apache.ignite.spi.discovery.DiscoveryDataBag;
@@ -89,7 +88,6 @@ import static
org.apache.ignite.internal.IgniteNodeAttributes.ATTR_IGNITE_INSTAN
import static
org.apache.ignite.internal.processors.authentication.UserManagementOperation.OperationType.ADD;
import static
org.apache.ignite.internal.processors.authentication.UserManagementOperation.OperationType.REMOVE;
import static
org.apache.ignite.internal.processors.authentication.UserManagementOperation.OperationType.UPDATE;
-import static
org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS;
import static
org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_CLIENT;
import static
org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_NODE;
@@ -1405,11 +1403,6 @@ public class IgniteAuthenticationProcessor extends
GridProcessorAdapter implemen
return addr;
}
- /** {@inheritDoc} */
- @Override public SecurityPermissionSet permissions() {
- return ALL_PERMISSIONS;
- }
-
/** {@inheritDoc} */
@Override public String toString() {
return S.toString(SecuritySubjectImpl.class, this);
@@ -1433,25 +1426,5 @@ public class IgniteAuthenticationProcessor extends
GridProcessorAdapter implemen
@Override public SecuritySubject subject() {
return subj;
}
-
- /** {@inheritDoc} */
- @Override public boolean taskOperationAllowed(String taskClsName,
SecurityPermission perm) {
- return true;
- }
-
- /** {@inheritDoc} */
- @Override public boolean cacheOperationAllowed(String cacheName,
SecurityPermission perm) {
- return true;
- }
-
- /** {@inheritDoc} */
- @Override public boolean serviceOperationAllowed(String srvcName,
SecurityPermission perm) {
- return true;
- }
-
- /** {@inheritDoc} */
- @Override public boolean systemOperationAllowed(SecurityPermission
perm) {
- return true;
- }
}
}
diff --git
a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java
index 65c983f8435..88e80b7ff3f 100644
---
a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java
+++
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java
@@ -463,8 +463,7 @@ public class IgniteSecurityProcessor extends
IgniteSecurityAdapter {
);
try {
- if (!secCtx.systemOperationAllowed(JOIN_AS_SERVER))
- secPrc.authorize(null, JOIN_AS_SERVER, secCtx);
+ secPrc.authorize(null, JOIN_AS_SERVER, secCtx);
return null;
}
diff --git
a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
index 90ba76328c7..70f8eb498fd 100644
---
a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
+++
b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java
@@ -17,7 +17,6 @@
package org.apache.ignite.internal.processors.security;
-import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecuritySubject;
/**
@@ -28,51 +27,4 @@ public interface SecurityContext {
* @return Security subject.
*/
public SecuritySubject subject();
-
- /**
- * Checks whether task operation is allowed.
- *
- * @param taskClsName Task class name.
- * @param perm Permission to check.
- * @return {@code True} if task operation is allowed.
- * @deprecated Use {@link IgniteSecurity#authorize(String,
SecurityPermission)} instead.
- * This method will be removed in the future releases.
- */
- @Deprecated
- public boolean taskOperationAllowed(String taskClsName, SecurityPermission
perm);
-
- /**
- * Checks whether cache operation is allowed.
- *
- * @param cacheName Cache name.
- * @param perm Permission to check.
- * @return {@code True} if cache operation is allowed.
- * @deprecated Use {@link IgniteSecurity#authorize(String,
SecurityPermission)} instead.
- * This method will be removed in the future releases.
- */
- @Deprecated
- public boolean cacheOperationAllowed(String cacheName, SecurityPermission
perm);
-
- /**
- * Checks whether service operation is allowed.
- *
- * @param srvcName Service name.
- * @param perm Permission to check.
- * @return {@code True} if task operation is allowed.
- * @deprecated Use {@link IgniteSecurity#authorize(String,
SecurityPermission)} instead.
- * This method will be removed in the future releases.
- */
- @Deprecated
- public boolean serviceOperationAllowed(String srvcName, SecurityPermission
perm);
-
- /**
- * Checks whether system-wide permission is allowed (excluding Visor task
operations).
- *
- * @param perm Permission to check.
- * @return {@code True} if system operation is allowed.
- * @deprecated Use {@link IgniteSecurity#authorize(SecurityPermission)}
instead.
- * This method will be removed in the future releases.
- */
- @Deprecated
- public boolean systemOperationAllowed(SecurityPermission perm);
}
diff --git
a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java
b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java
index f83fe3d9643..491a1454744 100644
---
a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java
+++
b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java
@@ -66,17 +66,6 @@ public interface SecuritySubject extends Serializable {
return null;
}
- /**
- * Authorized permission set for the subject.
- *
- * @return Authorized permission set for the subject.
- * @deprecated {@link SecuritySubject} must contain only immutable set of
- * information that represents a security principal. Security permissions
are part of authorization process
- * and have nothing to do with {@link SecuritySubject}. This method will
be removed in the future releases.
- */
- @Deprecated
- public SecurityPermissionSet permissions();
-
/**
* @return Permissions for SecurityManager checks.
* @deprecated {@link SecuritySubject} must contain only immutable set of
diff --git
a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
index c28c88b851f..3480d54e067 100644
---
a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
+++
b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java
@@ -114,7 +114,6 @@ import org.apache.ignite.lang.IgniteInClosure;
import org.apache.ignite.lang.IgniteProductVersion;
import org.apache.ignite.lang.IgniteUuid;
import org.apache.ignite.plugin.security.SecurityCredentials;
-import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.spi.IgniteNodeValidationResult;
import org.apache.ignite.spi.IgniteSpiContext;
import org.apache.ignite.spi.IgniteSpiException;
@@ -182,7 +181,6 @@ import static
org.apache.ignite.internal.IgniteNodeAttributes.ATTR_MARSHALLER_CO
import static
org.apache.ignite.internal.IgniteNodeAttributes.ATTR_MARSHALLER_USE_BINARY_STRING_SER_VER_2;
import static
org.apache.ignite.internal.IgniteNodeAttributes.ATTR_MARSHALLER_USE_DFLT_SUID;
import static
org.apache.ignite.internal.processors.security.SecurityUtils.authenticateLocalNode;
-import static
org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext;
import static
org.apache.ignite.internal.processors.security.SecurityUtils.withSecurityContext;
import static org.apache.ignite.spi.IgnitePortProtocol.TCP;
import static
org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi.DFLT_DISCOVERY_CLIENT_RECONNECT_HISTORY_SIZE;
@@ -2160,28 +2158,6 @@ class ServerImpl extends TcpDiscoveryImpl {
!(msg instanceof TcpDiscoveryConnectionCheckMessage);
}
- /**
- * Checks if two given {@link SecurityPermissionSet} objects contain the
same permissions.
- * Each permission belongs to one of three groups : cache, task or system.
- *
- * @param locPerms The first set of permissions.
- * @param rmtPerms The second set of permissions.
- * @return {@code True} if given parameters contain the same permissions,
{@code False} otherwise.
- */
- private boolean permissionsEqual(@Nullable SecurityPermissionSet locPerms,
- @Nullable SecurityPermissionSet rmtPerms) {
- if (locPerms == null || rmtPerms == null)
- return false;
-
- boolean dfltAllowMatch = locPerms.defaultAllowAll() ==
rmtPerms.defaultAllowAll();
-
- boolean bothHaveSamePerms =
F.eqNotOrdered(rmtPerms.systemPermissions(), locPerms.systemPermissions()) &&
- F.eqNotOrdered(rmtPerms.cachePermissions(),
locPerms.cachePermissions()) &&
- F.eqNotOrdered(rmtPerms.taskPermissions(),
locPerms.taskPermissions());
-
- return dfltAllowMatch && bothHaveSamePerms;
- }
-
/**
* @param msg Message.
* @param nodeId Node ID.
@@ -4993,11 +4969,7 @@ class ServerImpl extends TcpDiscoveryImpl {
else {
SecurityContext subj =
spi.nodeAuth.authenticateNode(node, cred);
- SecurityContext coordSubj = nodeSecurityContext(
- spi.marshaller(),
U.resolveClassLoader(spi.ignite().configuration()), node
- );
-
- if (!permissionsEqual(getPermissions(coordSubj),
getPermissions(subj))) {
+ if (subj == null) {
// Node has not pass authentication.
LT.warn(log, "Authentication failed [nodeId="
+ node.id() +
", addrs=" + U.addressesAsString(node) +
']');
@@ -5082,50 +5054,6 @@ class ServerImpl extends TcpDiscoveryImpl {
if (top != null && !top.isEmpty()) {
spi.gridStartTime = msg.gridStartTime();
- if (spi.nodeAuth != null &&
spi.nodeAuth.isGlobalNodeAuthentication()) {
- TcpDiscoveryAbstractMessage authFail =
- new
TcpDiscoveryAuthFailedMessage(locNodeId, spi.locHost, node.id());
-
- try {
- ClassLoader ldr =
U.resolveClassLoader(spi.ignite().configuration());
-
- SecurityContext rmCrd =
nodeSecurityContext(
- spi.marshaller(), ldr, node
- );
-
- SecurityContext locCrd =
nodeSecurityContext(
- spi.marshaller(), ldr, locNode
- );
-
- if
(!permissionsEqual(getPermissions(locCrd), getPermissions(rmCrd))) {
- // Node has not pass authentication.
- LT.warn(log,
- "Failed to authenticate local node
" +
- "(local authentication result
is different from rest of topology) " +
- "[nodeId=" + node.id() + ",
addrs=" + U.addressesAsString(node) + ']');
-
- joinRes.set(authFail);
-
- spiState = AUTH_FAILED;
-
- mux.notifyAll();
-
- return;
- }
- }
- catch (IgniteException e) {
- U.error(log, "Failed to verify node
permissions consistency (will drop the node): " + node, e);
-
- joinRes.set(authFail);
-
- spiState = AUTH_FAILED;
-
- mux.notifyAll();
-
- return;
- }
- }
-
for (TcpDiscoveryNode n : top) {
assert n.internalOrder() <
node.internalOrder() :
"Invalid node [topNode=" + n + ", added="
+ node + ']';
@@ -5205,17 +5133,6 @@ class ServerImpl extends TcpDiscoveryImpl {
sendMessageAcrossRing(msg);
}
- /**
- * @param secCtx Security context.
- * @return Security permission set.
- */
- private @Nullable SecurityPermissionSet getPermissions(SecurityContext
secCtx) {
- if (secCtx == null || secCtx.subject() == null)
- return null;
-
- return secCtx.subject().permissions();
- }
-
/**
* Processes node add finished message.
*
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/NodeJoinPermissionsTest.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/NodeJoinPermissionsTest.java
index b641cd7b634..0c3829f0d3f 100644
---
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/NodeJoinPermissionsTest.java
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/NodeJoinPermissionsTest.java
@@ -17,56 +17,22 @@
package org.apache.ignite.internal.processors.security.cluster;
-import java.io.Serializable;
-import java.net.InetSocketAddress;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Map;
-import java.util.Objects;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
-import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.configuration.IgniteConfiguration;
-import org.apache.ignite.internal.GridKernalContext;
import org.apache.ignite.internal.processors.security.AbstractSecurityTest;
-import
org.apache.ignite.internal.processors.security.AbstractTestSecurityPluginProvider;
-import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
-import org.apache.ignite.internal.processors.security.SecurityContext;
-import org.apache.ignite.internal.processors.security.impl.TestSecurityData;
import
org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider;
-import
org.apache.ignite.internal.processors.security.impl.TestSecurityProcessor;
-import org.apache.ignite.internal.processors.security.impl.TestSecuritySubject;
-import org.apache.ignite.internal.util.typedef.F;
-import org.apache.ignite.plugin.security.AuthenticationContext;
-import org.apache.ignite.plugin.security.SecurityCredentials;
-import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;
-import org.apache.ignite.plugin.security.SecurityPermissionSet;
-import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.spi.IgniteSpiException;
import org.apache.ignite.testframework.GridTestUtils;
import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.Parameterized;
import static org.apache.ignite.events.EventType.EVT_CLIENT_NODE_RECONNECTED;
import static
org.apache.ignite.plugin.security.SecurityPermission.JOIN_AS_SERVER;
import static
org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.systemPermissions;
-import static
org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_NODE;
/** */
-@RunWith(Parameterized.class)
public class NodeJoinPermissionsTest extends AbstractSecurityTest {
- /** */
- @Parameterized.Parameter
- public boolean isLegacyAuthApproach;
-
- /** */
- @Parameterized.Parameters(name = "isLegacyAuthorizationApproach={0}")
- public static Object[] parameters() {
- return new Object[] { false, true };
- }
-
/** {@inheritDoc} */
@Override protected void beforeTest() throws Exception {
super.beforeTest();
@@ -78,19 +44,14 @@ public class NodeJoinPermissionsTest extends
AbstractSecurityTest {
private IgniteConfiguration configuration(int idx, SecurityPermission...
sysPermissions) throws Exception {
String login = getTestIgniteInstanceName(idx);
- AbstractTestSecurityPluginProvider secPuginProv = isLegacyAuthApproach
- ? new TestSecurityPluginProvider(
+ return getConfiguration(
+ login,
+ new TestSecurityPluginProvider(
login,
"",
systemPermissions(sysPermissions),
- false)
- : new SecurityPluginProvider(
- login,
- "",
- systemPermissions(sysPermissions),
- false);
-
- return getConfiguration(login, secPuginProv);
+ false
+ ));
}
/** */
@@ -132,198 +93,4 @@ public class NodeJoinPermissionsTest extends
AbstractSecurityTest {
assertEquals(3, grid(0).cluster().nodes().size());
}
-
- /** */
- private static class SecurityPluginProvider extends
TestSecurityPluginProvider {
- /** */
- public SecurityPluginProvider(
- String login,
- String pwd,
- SecurityPermissionSet perms,
- boolean globalAuth,
- TestSecurityData... clientData
- ) {
- super(login, pwd, perms, globalAuth, clientData);
- }
-
- /** {@inheritDoc} */
- @Override protected GridSecurityProcessor
securityProcessor(GridKernalContext ctx) {
- return new SecurityProcessor(
- ctx,
- new TestSecurityData(login, pwd, perms, sandboxPerms),
- Arrays.asList(clientData),
- globalAuth
- );
- }
- }
-
- /**
- * Security Processor implementaiton that does not pass user security
permissions to the Security Context and
- * expects all authorization checks to be delegated exclusively to {@link
GridSecurityProcessor#authorize}.
- */
- private static class SecurityProcessor extends TestSecurityProcessor {
- /** */
- public SecurityProcessor(
- GridKernalContext ctx,
- TestSecurityData nodeSecData,
- Collection<TestSecurityData> predefinedAuthData,
- boolean globalAuth
- ) {
- super(ctx, nodeSecData, predefinedAuthData, globalAuth);
- }
-
- /** {@inheritDoc} */
- @Override public SecurityContext authenticateNode(ClusterNode node,
SecurityCredentials cred) {
- TestSecurityData data = USERS.get(cred.getLogin());
-
- if (data == null || !Objects.equals(cred, data.credentials()))
- return null;
-
- SecurityContext res = new TestSecurityContext(
- new TestSecuritySubject()
- .setType(REMOTE_NODE)
- .setId(node.id())
- .setAddr(new InetSocketAddress(F.first(node.addresses()),
0))
- .setLogin(cred.getLogin())
- .sandboxPermissions(data.sandboxPermissions())
- );
-
- SECURITY_CONTEXTS.put(res.subject().id(), res);
-
- return res;
- }
-
- /** {@inheritDoc} */
- @Override public SecurityContext authenticate(AuthenticationContext
ctx) {
- TestSecurityData data = USERS.get(ctx.credentials().getLogin());
-
- if (data == null || !Objects.equals(ctx.credentials(),
data.credentials()))
- return null;
-
- SecurityContext res = new TestSecurityContext(
- new TestSecuritySubject()
- .setType(ctx.subjectType())
- .setId(ctx.subjectId())
- .setAddr(ctx.address())
- .setLogin(ctx.credentials().getLogin())
- .setCerts(ctx.certificates())
- .sandboxPermissions(data.sandboxPermissions())
- );
-
- SECURITY_CONTEXTS.put(res.subject().id(), res);
-
- return res;
- }
-
- /** {@inheritDoc} */
- @Override public void authorize(
- String name,
- SecurityPermission perm,
- SecurityContext securityCtx
- ) throws SecurityException {
- TestSecurityData userData =
USERS.get(securityCtx.subject().login());
-
- if (userData == null || !contains(userData.permissions(), name,
perm)) {
- throw new SecurityException("Authorization failed [perm=" +
perm +
- ", name=" + name +
- ", subject=" + securityCtx.subject() + ']');
- }
- }
-
- /** */
- public static boolean contains(SecurityPermissionSet userPerms, String
name, SecurityPermission perm) {
- boolean dfltAllowAll = userPerms.defaultAllowAll();
-
- switch (perm) {
- case CACHE_PUT:
- case CACHE_READ:
- case CACHE_REMOVE:
- return contains(userPerms.cachePermissions(),
dfltAllowAll, name, perm);
-
- case CACHE_CREATE:
- case CACHE_DESTROY:
- return (name != null &&
contains(userPerms.cachePermissions(), dfltAllowAll, name, perm))
- || containsSystemPermission(userPerms, perm);
-
- case TASK_CANCEL:
- case TASK_EXECUTE:
- return contains(userPerms.taskPermissions(), dfltAllowAll,
name, perm);
-
- case SERVICE_DEPLOY:
- case SERVICE_INVOKE:
- case SERVICE_CANCEL:
- return contains(userPerms.servicePermissions(),
dfltAllowAll, name, perm);
-
- default:
- return containsSystemPermission(userPerms, perm);
- }
- }
-
- /** */
- private static boolean contains(
- Map<String, Collection<SecurityPermission>> userPerms,
- boolean dfltAllowAll,
- String name,
- SecurityPermission perm
- ) {
- Collection<SecurityPermission> perms = userPerms.get(name);
-
- if (perms == null)
- return dfltAllowAll;
-
- return perms.stream().anyMatch(perm::equals);
- }
-
- /** */
- private static boolean containsSystemPermission(
- SecurityPermissionSet userPerms,
- SecurityPermission perm
- ) {
- Collection<SecurityPermission> sysPerms =
userPerms.systemPermissions();
-
- if (F.isEmpty(sysPerms))
- return userPerms.defaultAllowAll();
-
- return sysPerms.stream().anyMatch(perm::equals);
- }
- }
-
- /** */
- private static class TestSecurityContext implements SecurityContext,
Serializable {
- /** */
- private static final long serialVersionUID = 0L;
-
- /** */
- private final SecuritySubject subj;
-
- /** */
- public TestSecurityContext(SecuritySubject subj) {
- this.subj = subj;
- }
-
- /** {@inheritDoc} */
- @Override public SecuritySubject subject() {
- return subj;
- }
-
- /** {@inheritDoc} */
- @Override public boolean taskOperationAllowed(String taskClsName,
SecurityPermission perm) {
- return false;
- }
-
- /** {@inheritDoc} */
- @Override public boolean cacheOperationAllowed(String cacheName,
SecurityPermission perm) {
- return false;
- }
-
- /** {@inheritDoc} */
- @Override public boolean serviceOperationAllowed(String srvcName,
SecurityPermission perm) {
- return false;
- }
-
- /** {@inheritDoc} */
- @Override public boolean systemOperationAllowed(SecurityPermission
perm) {
- return false;
- }
- }
}
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestCertificateSecurityProcessor.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestCertificateSecurityProcessor.java
index d69d35bc8e5..87677605f7d 100644
---
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestCertificateSecurityProcessor.java
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestCertificateSecurityProcessor.java
@@ -29,7 +29,6 @@ import java.util.concurrent.ConcurrentHashMap;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.GridKernalContext;
-import org.apache.ignite.internal.IgniteNodeAttributes;
import org.apache.ignite.internal.processors.GridProcessorAdapter;
import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
import org.apache.ignite.internal.processors.security.SecurityContext;
@@ -41,6 +40,8 @@ import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecuritySubject;
+import static
org.apache.ignite.internal.IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS;
+import static
org.apache.ignite.internal.processors.security.impl.TestSecurityProcessor.contains;
import static
org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS;
import static
org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_NODE;
import static org.junit.Assert.assertEquals;
@@ -78,8 +79,7 @@ public class TestCertificateSecurityProcessor extends
GridProcessorAdapter imple
.setType(REMOTE_NODE)
.setId(node.id())
.setAddr(new InetSocketAddress(F.first(node.addresses()), 0))
- .setLogin("")
- .setPerms(ALL_PERMISSIONS)
+ .setLogin(cred.getLogin())
);
secCtxs.put(res.subject().id(), res);
@@ -114,7 +114,6 @@ public class TestCertificateSecurityProcessor extends
GridProcessorAdapter imple
.setId(ctx.subjectId())
.setAddr(ctx.address())
.setLogin(cn)
- .setPerms(PERMS.get(cn))
.setCerts(ctx.certificates())
);
@@ -139,13 +138,20 @@ public class TestCertificateSecurityProcessor extends
GridProcessorAdapter imple
}
/** {@inheritDoc} */
- @Override public void authorize(String name, SecurityPermission perm,
SecurityContext securityCtx)
- throws SecurityException {
+ @Override public void authorize(
+ String name,
+ SecurityPermission perm,
+ SecurityContext securityCtx
+ ) throws SecurityException {
+ String username = (String)securityCtx.subject().login();
- if (!((TestSecurityContext)securityCtx).operationAllowed(name, perm))
+ SecurityPermissionSet userPerms = PERMS.get(username);
+
+ if (userPerms == null || !contains(userPerms, name, perm)) {
throw new SecurityException("Authorization failed [perm=" + perm +
", name=" + name +
", subject=" + securityCtx.subject() + ']');
+ }
}
/** {@inheritDoc} */
@@ -162,7 +168,9 @@ public class TestCertificateSecurityProcessor extends
GridProcessorAdapter imple
@Override public void start() throws IgniteCheckedException {
super.start();
- ctx.addNodeAttribute(IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS,
new SecurityCredentials("", ""));
+ ctx.addNodeAttribute(ATTR_SECURITY_CREDENTIALS, new
SecurityCredentials(ctx.igniteInstanceName(), ""));
+
+ PERMS.put(ctx.igniteInstanceName(), ALL_PERMISSIONS);
for (TestSecurityData data : predefinedAuthData)
PERMS.put(data.credentials().getLogin().toString(),
data.permissions());
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
index c02d4b557fb..c3077c60c33 100644
---
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
@@ -18,10 +18,7 @@
package org.apache.ignite.internal.processors.security.impl;
import java.io.Serializable;
-import java.util.Collection;
import org.apache.ignite.internal.processors.security.SecurityContext;
-import org.apache.ignite.internal.util.typedef.F;
-import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecuritySubject;
/**
@@ -38,90 +35,11 @@ public class TestSecurityContext implements
SecurityContext, Serializable {
this.subject = subject;
}
- /**
- * @param opName Op name.
- * @param perm Permission.
- */
- public boolean operationAllowed(String opName, SecurityPermission perm) {
- switch (perm) {
- case CACHE_CREATE:
- case CACHE_DESTROY:
- return systemOperationAllowed(perm) ||
cacheOperationAllowed(opName, perm);
-
- case CACHE_PUT:
- case CACHE_READ:
- case CACHE_REMOVE:
- return cacheOperationAllowed(opName, perm);
-
- case TASK_CANCEL:
- case TASK_EXECUTE:
- return taskOperationAllowed(opName, perm);
-
- case SERVICE_DEPLOY:
- case SERVICE_INVOKE:
- case SERVICE_CANCEL:
- return serviceOperationAllowed(opName, perm);
-
- case EVENTS_DISABLE:
- case EVENTS_ENABLE:
- case ADMIN_VIEW:
- case ADMIN_CACHE:
- case ADMIN_QUERY:
- case ADMIN_OPS:
- case ADMIN_SNAPSHOT:
- case ADMIN_CLUSTER_STATE:
- case JOIN_AS_SERVER:
- case ADMIN_KILL:
- case ADMIN_USER_ACCESS:
- case ADMIN_CLUSTER_NODE_STOP:
- case ADMIN_CLUSTER_NODE_START:
- return systemOperationAllowed(perm);
-
- default:
- throw new IllegalStateException("Invalid security permission:
" + perm);
- }
- }
-
/** {@inheritDoc} */
@Override public SecuritySubject subject() {
return subject;
}
- /** {@inheritDoc} */
- @Override public boolean taskOperationAllowed(String taskClsName,
SecurityPermission perm) {
- return
hasPermission(subject.permissions().taskPermissions().get(taskClsName), perm);
- }
-
- /** {@inheritDoc} */
- @Override public boolean cacheOperationAllowed(String cacheName,
SecurityPermission perm) {
- return
hasPermission(subject.permissions().cachePermissions().get(cacheName), perm);
- }
-
- /** {@inheritDoc} */
- @Override public boolean serviceOperationAllowed(String srvcName,
SecurityPermission perm) {
- return
hasPermission(subject.permissions().servicePermissions().get(srvcName), perm);
- }
-
- /** {@inheritDoc} */
- @Override public boolean systemOperationAllowed(SecurityPermission perm) {
- Collection<SecurityPermission> perms =
subject.permissions().systemPermissions();
-
- if (F.isEmpty(perms))
- return subject.permissions().defaultAllowAll();
-
- return perms.stream().anyMatch(p -> perm == p);
- }
-
- /**
- * @param perms Permissions.
- * @param perm Permission.
- */
- private boolean hasPermission(Collection<SecurityPermission> perms,
SecurityPermission perm) {
- if (perms == null)
- return subject.permissions().defaultAllowAll();
-
- return perms.stream().anyMatch(p -> perm == p);
- }
/** {@inheritDoc} */
@Override public String toString() {
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java
index 308e1d6c9cd..679a59d2258 100644
---
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java
@@ -40,6 +40,7 @@ import
org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;
+import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecuritySubject;
import static
org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS;
@@ -95,7 +96,6 @@ public class TestSecurityProcessor extends
GridProcessorAdapter implements GridS
.setId(node.id())
.setAddr(new InetSocketAddress(F.first(node.addresses()), 0))
.setLogin(cred.getLogin())
- .setPerms(data.permissions())
.sandboxPermissions(data.sandboxPermissions())
);
@@ -127,7 +127,6 @@ public class TestSecurityProcessor extends
GridProcessorAdapter implements GridS
.setId(ctx.subjectId())
.setAddr(ctx.address())
.setLogin(ctx.credentials().getLogin())
- .setPerms(data.permissions())
.setCerts(ctx.certificates())
.sandboxPermissions(data.sandboxPermissions())
);
@@ -153,12 +152,18 @@ public class TestSecurityProcessor extends
GridProcessorAdapter implements GridS
}
/** {@inheritDoc} */
- @Override public void authorize(String name, SecurityPermission perm,
SecurityContext securityCtx)
- throws SecurityException {
- if (!((TestSecurityContext)securityCtx).operationAllowed(name, perm))
+ @Override public void authorize(
+ String name,
+ SecurityPermission perm,
+ SecurityContext securityCtx
+ ) throws SecurityException {
+ TestSecurityData userData = USERS.get(securityCtx.subject().login());
+
+ if (userData == null || !contains(userData.permissions(), name, perm))
{
throw new SecurityException("Authorization failed [perm=" + perm +
", name=" + name +
", subject=" + securityCtx.subject() + ']');
+ }
}
/** {@inheritDoc} */
@@ -219,4 +224,61 @@ public class TestSecurityProcessor extends
GridProcessorAdapter implements GridS
public static void registerExternalSystemTypes(Class<?>... cls) {
EXT_SYS_CLASSES.addAll(Arrays.asList(cls));
}
+
+ /** */
+ public static boolean contains(SecurityPermissionSet userPerms, String
name, SecurityPermission perm) {
+ boolean dfltAllowAll = userPerms.defaultAllowAll();
+
+ switch (perm) {
+ case CACHE_PUT:
+ case CACHE_READ:
+ case CACHE_REMOVE:
+ return contains(userPerms.cachePermissions(), dfltAllowAll,
name, perm);
+
+ case CACHE_CREATE:
+ case CACHE_DESTROY:
+ return (name != null && contains(userPerms.cachePermissions(),
dfltAllowAll, name, perm))
+ || containsSystemPermission(userPerms, perm);
+
+ case TASK_CANCEL:
+ case TASK_EXECUTE:
+ return contains(userPerms.taskPermissions(), dfltAllowAll,
name, perm);
+
+ case SERVICE_DEPLOY:
+ case SERVICE_INVOKE:
+ case SERVICE_CANCEL:
+ return contains(userPerms.servicePermissions(), dfltAllowAll,
name, perm);
+
+ default:
+ return containsSystemPermission(userPerms, perm);
+ }
+ }
+
+ /** */
+ private static boolean contains(
+ Map<String, Collection<SecurityPermission>> userPerms,
+ boolean dfltAllowAll,
+ String name,
+ SecurityPermission perm
+ ) {
+ Collection<SecurityPermission> perms = userPerms.get(name);
+
+ if (perms == null)
+ return dfltAllowAll;
+
+ return perms.stream().anyMatch(perm::equals);
+ }
+
+ /** */
+ private static boolean containsSystemPermission(
+ SecurityPermissionSet userPerms,
+ SecurityPermission perm
+ ) {
+ Collection<SecurityPermission> sysPerms =
userPerms.systemPermissions();
+
+ if (F.isEmpty(sysPerms))
+ return userPerms.defaultAllowAll();
+
+ return sysPerms.stream().anyMatch(perm::equals);
+ }
}
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecuritySubject.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecuritySubject.java
index 2e27355f687..c1c7dcc0103 100644
---
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecuritySubject.java
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecuritySubject.java
@@ -21,7 +21,6 @@ import java.net.InetSocketAddress;
import java.security.PermissionCollection;
import java.security.cert.Certificate;
import java.util.UUID;
-import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.plugin.security.SecuritySubjectType;
@@ -41,38 +40,12 @@ public class TestSecuritySubject implements SecuritySubject
{
/** Address. */
private InetSocketAddress addr;
- /** Permissions. */
- private SecurityPermissionSet perms;
-
/** Permissions for Sandbox checks. */
private PermissionCollection sandboxPerms;
/** Client certificates. */
private Certificate[] certs;
- /**
- * Default constructor.
- */
- public TestSecuritySubject() {
- // No-op.
- }
-
- /**
- * @param id Id.
- * @param login Login.
- * @param addr Address.
- * @param perms Permissions.
- */
- public TestSecuritySubject(UUID id,
- Object login,
- InetSocketAddress addr,
- SecurityPermissionSet perms) {
- this.id = id;
- this.login = login;
- this.addr = addr;
- this.perms = perms;
- }
-
/** {@inheritDoc} */
@Override public UUID id() {
return id;
@@ -129,20 +102,6 @@ public class TestSecuritySubject implements
SecuritySubject {
return this;
}
- /** {@inheritDoc} */
- @Override public SecurityPermissionSet permissions() {
- return perms;
- }
-
- /**
- * @param perms Permissions.
- */
- public TestSecuritySubject setPerms(SecurityPermissionSet perms) {
- this.perms = perms;
-
- return this;
- }
-
/** {@inheritDoc} */
@Override public PermissionCollection sandboxPermissions() {
return sandboxPerms;
@@ -160,16 +119,13 @@ public class TestSecuritySubject implements
SecuritySubject {
return certs;
}
- /**
- * @param perms Permissions.
- */
+ /** */
public TestSecuritySubject setCerts(Certificate[] certs) {
this.certs = certs;
return this;
}
-
/** {@inheritDoc} */
@Override public String toString() {
return "TestSecuritySubject{" +
diff --git
a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java
b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java
index 41befe948d2..95eeeb81fb9 100644
---
a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java
+++
b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java
@@ -33,7 +33,6 @@ import
org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;
-import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.plugin.security.SecuritySubjectType;
import org.jetbrains.annotations.Nullable;
@@ -140,11 +139,6 @@ public class TestReconnectProcessor extends
GridProcessorAdapter implements Grid
@Override public InetSocketAddress address() {
return null;
}
-
- /** {@inheritDoc} */
- @Override public SecurityPermissionSet permissions() {
- return null;
- }
}
/**
@@ -168,25 +162,5 @@ public class TestReconnectProcessor extends
GridProcessorAdapter implements Grid
@Override public SecuritySubject subject() {
return subj;
}
-
- /** {@inheritDoc} */
- @Override public boolean taskOperationAllowed(String taskClsName,
SecurityPermission perm) {
- return true;
- }
-
- /** {@inheritDoc} */
- @Override public boolean cacheOperationAllowed(String cacheName,
SecurityPermission perm) {
- return true;
- }
-
- /** {@inheritDoc} */
- @Override public boolean serviceOperationAllowed(String srvcName,
SecurityPermission perm) {
- return true;
- }
-
- /** {@inheritDoc} */
- @Override public boolean systemOperationAllowed(SecurityPermission
perm) {
- return true;
- }
}
}
diff --git
a/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperDiscoveryMiscTest.java
b/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperDiscoveryMiscTest.java
index 57aae67fe44..40833523480 100644
---
a/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperDiscoveryMiscTest.java
+++
b/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperDiscoveryMiscTest.java
@@ -42,7 +42,6 @@ import org.apache.ignite.lang.IgniteOutClosure;
import org.apache.ignite.lang.IgnitePredicate;
import org.apache.ignite.marshaller.jdk.JdkMarshaller;
import org.apache.ignite.plugin.security.SecurityCredentials;
-import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.spi.IgniteSpiException;
import org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator;
@@ -597,26 +596,6 @@ public class ZookeeperDiscoveryMiscTest extends
ZookeeperDiscoverySpiTestBase {
@Override public SecuritySubject subject() {
return null;
}
-
- /** {@inheritDoc} */
- @Override public boolean taskOperationAllowed(String taskClsName,
SecurityPermission perm) {
- return true;
- }
-
- /** {@inheritDoc} */
- @Override public boolean cacheOperationAllowed(String cacheName,
SecurityPermission perm) {
- return true;
- }
-
- /** {@inheritDoc} */
- @Override public boolean serviceOperationAllowed(String srvcName,
SecurityPermission perm) {
- return true;
- }
-
- /** {@inheritDoc} */
- @Override public boolean systemOperationAllowed(SecurityPermission
perm) {
- return true;
- }
}
}
}
