Repository: knox Updated Branches: refs/heads/KNOX-1204 27d381dcc -> d5885d145
KNOX-1204 - Pull idbroker out of knoxs3 and refactor Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/d5885d14 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/d5885d14 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/d5885d14 Branch: refs/heads/KNOX-1204 Commit: d5885d145559fd4ed06c050e0839094fbe5c2584 Parents: 27d381d Author: Larry McCay <[email protected]> Authored: Tue Jun 19 10:02:28 2018 -0700 Committer: Larry McCay <[email protected]> Committed: Tue Jun 19 10:02:28 2018 -0700 ---------------------------------------------------------------------- gateway-release/pom.xml | 4 + gateway-service-idbroker/pom.xml | 99 +++++++++++ .../AbstractKnoxCloudCredentialsClient.java | 34 ++++ .../idbroker/IdBrokerServiceMessages.java | 32 ++++ .../idbroker/IdentityBrokerConfigException.java | 29 ++++ .../idbroker/IdentityBrokerResource.java | 127 ++++++++++++++ .../idbroker/KnoxCloudCredentialsClient.java | 51 ++++++ .../KnoxCloudCredentiatlsClientManager.java | 75 +++++++++ .../idbroker/KnoxCloudPolicyProvider.java | 51 ++++++ .../idbroker/KnoxPolicyProviderManager.java | 72 ++++++++ .../service/idbroker/aws/AWSPolicyModel.java | 60 +++++++ .../service/idbroker/aws/KnoxAWSClient.java | 77 +++++++++ .../idbroker/aws/KnoxAWSPolicyProvider.java | 168 +++++++++++++++++++ .../IdBrokerServiceDeploymentContributor.java | 55 ++++++ ....gateway.deploy.ServiceDeploymentContributor | 19 +++ ....service.idbroker.KnoxCloudCredentialsClient | 19 +++ ...way.service.idbroker.KnoxCloudPolicyProvider | 19 +++ .../service/knoxs3/S3BucketsResourceTest.java | 80 +++++++++ pom.xml | 6 + 19 files changed, 1077 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-release/pom.xml ---------------------------------------------------------------------- 
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index b65c2ef..ce13f24 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -217,6 +217,10 @@
 </dependency>
 <dependency>
 <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-service-idbroker</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
 <artifactId>gateway-service-knoxs3</artifactId>
 </dependency>
 <dependency>
http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/pom.xml b/gateway-service-idbroker/pom.xml
new file mode 100644
index 0000000..5e8f1ce
--- /dev/null
+++ b/gateway-service-idbroker/pom.xml
@@ -0,0 +1,99 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.apache.knox</groupId> + <artifactId>gateway</artifactId> + <version>1.1.0-SNAPSHOT</version> + </parent> + <groupId>org.apache.knox</groupId> + <artifactId>gateway-service-idbroker</artifactId> + <version>1.1.0-SNAPSHOT</version> + <name>gateway-service-idbroker</name> + <url>http://maven.apache.org</url> + <properties> + <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + </properties> + + <dependencyManagement> + <dependencies> + <dependency> + <groupId>com.amazonaws</groupId> + <artifactId>aws-java-sdk-bom</artifactId> + <version>1.11.106</version> + <type>pom</type> + <scope>import</scope> + </dependency> + </dependencies> + </dependencyManagement> + + <dependencies> + <dependency> + <groupId>${gateway-group}</groupId> + <artifactId>gateway-util-common</artifactId> + </dependency> + <dependency> + <groupId>${gateway-group}</groupId> + 
<artifactId>gateway-spi</artifactId> + </dependency> + <dependency> + <groupId>${gateway-group}</groupId> + <artifactId>gateway-provider-rewrite</artifactId> + </dependency> + <dependency> + <groupId>${gateway-group}</groupId> + <artifactId>gateway-provider-jersey</artifactId> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.apache.knox</groupId> + <artifactId>gateway-test-utils</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.easymock</groupId> + <artifactId>easymock</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>io.dropwizard.metrics</groupId> + <artifactId>metrics-servlets</artifactId> + </dependency> + <dependency> + <groupId>org.apache.knox</groupId> + <artifactId>gateway-server</artifactId> + </dependency> + <dependency> + <groupId>com.amazonaws</groupId> + <artifactId>aws-java-sdk-s3</artifactId> + <version>1.11.106</version> + </dependency> + <dependency> + <groupId>com.amazonaws</groupId> + <artifactId>aws-java-sdk-sts</artifactId> + <version>1.11.106</version> + </dependency> + </dependencies> +</project> http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java new file mode 100644 index 0000000..b150d28 --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.java 
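Review bot: The aws-java-sdk-s3 and aws-java-sdk-sts dependencies each repeat `<version>1.11.106</version>` even though the dependencyManagement block earlier in this hunk imports aws-java-sdk-bom at the same version, so the BOM is doing no work and a future SDK bump has to be made in three places. Drop the two explicit `<version>` elements and let the imported BOM pin them. The module also pulls in `gateway-server`, which looks heavier than what the other gateway-service modules in the same dependency list need (`gateway-spi`, `gateway-provider-jersey`); worth confirming it is actually required rather than inherited from the knoxs3 module this was split from.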
@@ -0,0 +1,34 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker; + +public class AbstractKnoxCloudCredentialsClient { + private KnoxCloudPolicyProvider policyProvider = null; + + public AbstractKnoxCloudCredentialsClient() { + super(); + } + + public KnoxCloudPolicyProvider getPolicyProvider() { + return policyProvider; + } + + public void setPolicyProvider(KnoxCloudPolicyProvider policyProvider) { + this.policyProvider = policyProvider; + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdBrokerServiceMessages.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdBrokerServiceMessages.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdBrokerServiceMessages.java new file mode 100644 index 0000000..1dc4e6d --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdBrokerServiceMessages.java 
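Review bot: `AbstractKnoxCloudCredentialsClient` is named as an abstract base but is declared as a plain concrete class and does not implement `KnoxCloudCredentialsClient`, so every subclass (KnoxAWSClient in this commit) has to re-declare the interface and the compiler cannot check that the base's `getPolicyProvider`/`setPolicyProvider` are the ones the interface requires. Declare it as `public abstract class AbstractKnoxCloudCredentialsClient implements KnoxCloudCredentialsClient` so that only `init`, `getCredentials` and `getName` remain for subclasses to supply. The explicit no-arg constructor whose only statement is `super();` adds nothing and can be removed.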
@@ -0,0 +1,32 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker; + +import org.apache.knox.gateway.i18n.messages.Message; +import org.apache.knox.gateway.i18n.messages.MessageLevel; +import org.apache.knox.gateway.i18n.messages.Messages; +import org.apache.knox.gateway.i18n.messages.StackTrace; + +@Messages(logger = "org.apache.knox.gateway.service.idbroker") +public interface IdBrokerServiceMessages { + @Message(level = MessageLevel.INFO, text = "{0}") + void basicInfo(String original); + + @Message(level = MessageLevel.ERROR, text = "Unable to get credentials for {0}, due to {1}") + void logException(String name, @StackTrace(level = MessageLevel.DEBUG) Exception e); +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerConfigException.java ---------------------------------------------------------------------- 
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerConfigException.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerConfigException.java new file mode 100644 index 0000000..d9599d1 --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerConfigException.java @@ -0,0 +1,29 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker; + +public class IdentityBrokerConfigException extends Exception { + /** + * + */ + private static final long serialVersionUID = 1L; + + public IdentityBrokerConfigException(String name) { + super("Unable to load pluggable aspect as configured with name: " + name); + } +} http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java ---------------------------------------------------------------------- 
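Review bot: `IdentityBrokerConfigException` only offers a name-based constructor, so a caller that fails while loading or initialising a provider has no way to attach the underlying failure, and the empty `/** */` Javadoc block above `serialVersionUID` should either be deleted or say something. Add a second constructor `public IdentityBrokerConfigException(String name, Throwable cause) { super("Unable to load pluggable aspect as configured with name: " + name, cause); }` next to the existing one so the cause chain is preserved when it is available.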
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java new file mode 100644 index 0000000..1167011 --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/IdentityBrokerResource.java 
@@ -0,0 +1,127 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker; + +import org.apache.knox.gateway.i18n.messages.MessagesFactory; + +import javax.annotation.PostConstruct; +import javax.servlet.ServletContext; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.Response; +import java.io.PrintWriter; +import java.util.Enumeration; +import java.util.Properties; + +import static javax.ws.rs.core.MediaType.APPLICATION_JSON; + +@Path(IdentityBrokerResource.RESOURCE_PATH) +public class IdentityBrokerResource { + private static final String CREDENTIALS_API_PATH = "credentials"; + private static final String USER_CREDENTIALS_API_PATH = "credentials/{id}"; + private static IdBrokerServiceMessages log = MessagesFactory.get(IdBrokerServiceMessages.class); + private static final String VERSION_TAG = "api/v1"; + static final String RESOURCE_PATH = "/idbroker/" + VERSION_TAG; + + private static final String CONTENT_TYPE = "application/json"; + private static final String CACHE_CONTROL = 
"Cache-Control"; + private static final String NO_CACHE = "must-revalidate,no-cache,no-store"; + + private KnoxCloudPolicyProvider policyProvider = new KnoxPolicyProviderManager(); + private KnoxCloudCredentialsClient credentialsClient = new KnoxCloudCredentiatlsClientManager(); + + @Context + HttpServletRequest request; + + @Context + private HttpServletResponse response; + + @Context + ServletContext context; + + @PostConstruct + public void init() { + Properties props = getProperties(); + policyProvider.init(props); + credentialsClient.init(props); + credentialsClient.setPolicyProvider(policyProvider); + } + + private Properties getProperties() { + Properties props = new Properties(); + String paramName = null; + Enumeration<String> e = context.getInitParameterNames(); + while (e.hasMoreElements()) { + paramName = (String)e.nextElement(); + props.setProperty(paramName, context.getInitParameter(paramName)); + } + + return props; + } + + @GET + @Produces({APPLICATION_JSON}) + @Path(CREDENTIALS_API_PATH) + public Response getCredentials() { + return getCredentialsResponse(); + } + + @GET + @Produces({APPLICATION_JSON}) + @Path(USER_CREDENTIALS_API_PATH) + public Response getUserCredentials() { + return getCredentialsResponse(); + } + + private Response getCredentialsResponse() { + response.setHeader(CACHE_CONTROL, NO_CACHE); + response.setContentType(CONTENT_TYPE); + PrintWriter writer = null; + try { + writer = response.getWriter(); + writer.println(getFederationToken().toString()); + } catch (Exception e) { + log.logException("list", e); + return Response.serverError().entity(String.format("Failed to reply correctly due to : %s ", e)).build(); + } finally { + if (writer != null) { + try { + writer.close(); + } + catch (Exception e) { + // NOP + } + } + } + return Response.ok().build(); + } + + protected String getFederationToken() { +// Subject subject = Subject.getSubject(AccessController.getContext()); +// String username = getEffectiveUserName(subject); + + // 
TODO: make sure that the toString behavior is polymorphic here + // we have to avoid any cloud vendor specific casting here + Object creds = credentialsClient.getCredentials(); + return creds.toString(); + } +} http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java new file mode 100644 index 0000000..c494d04 --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentialsClient.java 
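Review bot: The `{id}` segment of `USER_CREDENTIALS_API_PATH` is declared but never bound or checked: `getUserCredentials()` takes no `@PathParam("id")` and calls the same `getCredentialsResponse()` as `getCredentials()`, so a request for `credentials/{id}` silently returns credentials for whatever principal is on the current Subject regardless of the id asked for. Either bind it with `@PathParam("id") String id` and refuse the request when it does not match the effective principal, or drop the route until a per-user lookup exists. Separately, the catch block hands `String.format("Failed to reply correctly due to : %s ", e)` back to the client, which echoes the exception's `toString()` (and whatever SDK or STS detail it carries) in the HTTP body; return a fixed message and leave the detail to `log.logException`. The literal `"list"` passed to `log.logException` also reads like a leftover from the knoxs3 resource this code was extracted from, and the `(String)` cast on `e.nextElement()` is redundant given `Enumeration<String>`.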
@@ -0,0 +1,51 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker; + +import java.util.Properties; + +public interface KnoxCloudCredentialsClient { + /** + * initialize client with the context from the topology + * params that are relevant to the particular cloud client + * @param context + */ + void init(Properties context); + + /** + * Get an opaque Object representation of the credentials. + * This method will only be called by callers that are aware + * of the actual form of the credentials in the given context + * and therefore able to cast it appropriately. + * @return opaque object + */ + Object getCredentials(); + + KnoxCloudPolicyProvider getPolicyProvider(); + + void setPolicyProvider(KnoxCloudPolicyProvider policyProvider); + + /** + * Name of the specific provider implementation to be resolved + * by the KnoxCloudClientFactory via ServiceLoader and the name + * configured within the topology. 
+ * @return + */ + String getName(); + +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java new file mode 100644 index 0000000..6db5193 --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudCredentiatlsClientManager.java 
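Review bot: The Javadoc on `init` and `getName` leaves `@param context` and `@return` empty, and `getName` says the name is resolved "by the KnoxCloudClientFactory via ServiceLoader" although no such class is added in this commit — the lookup is done by `KnoxCloudCredentiatlsClientManager.loadDelegate`. Fill the tags, e.g. `@param context topology init parameters relevant to this client` and `@return provider name matched against the topology's cloud.client.provider value`, and name the manager class rather than the factory. `getPolicyProvider` and `setPolicyProvider` carry no Javadoc at all; a one-line summary each would make the contract of the interface complete.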
@@ -0,0 +1,75 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker; + +import java.util.Iterator; +import java.util.Properties; +import java.util.ServiceLoader; + +public class KnoxCloudCredentiatlsClientManager implements KnoxCloudCredentialsClient { + + private static final String CLOUD_CLIENT_PROVIDER = "cloud.client.provider"; + private KnoxCloudCredentialsClient delegate = null; + + @Override + public Object getCredentials() { + return delegate.getCredentials(); + } + + @Override + public KnoxCloudPolicyProvider getPolicyProvider() { + return delegate.getPolicyProvider(); + } + + @Override + public void setPolicyProvider(KnoxCloudPolicyProvider policyProvider) { + delegate.setPolicyProvider(policyProvider); + } + + @Override + public String getName() { + return delegate.getName(); + } + + @Override + public void init(Properties context) { + try { + delegate = loadDelegate(context.getProperty(CLOUD_CLIENT_PROVIDER)); + } + catch (IdentityBrokerConfigException e) { + e.printStackTrace(); + } + } + + public KnoxCloudCredentialsClient loadDelegate(String name) throws IdentityBrokerConfigException { + KnoxCloudCredentialsClient delegate = null; + 
ServiceLoader<KnoxCloudCredentialsClient> loader = ServiceLoader.load(KnoxCloudCredentialsClient.class); + Iterator<KnoxCloudCredentialsClient> iterator = loader.iterator(); + while(iterator.hasNext()) { + delegate = iterator.next(); + if (name.equals(delegate.getName())) { + break; + } + } + if (delegate == null) { + throw new IdentityBrokerConfigException(name); + } + return delegate; + } + +} http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java new file mode 100644 index 0000000..eac1bcf --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java 
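Review bot: `loadDelegate` keeps the last candidate it iterated when nothing matches — `delegate` is overwritten on every `iterator.next()` and the `break` only fires on a match — so the `delegate == null` check is reached only when the ServiceLoader finds no implementation at all, and a misspelled `cloud.client.provider` value silently selects whichever implementation happens to be last in classpath order. `KnoxPolicyProviderManager.loadDelegate` in this commit has the same loop. Returning only on a match and throwing otherwise fixes it, and flipping the comparison to `candidate.getName().equals(name)` turns a missing property into the config exception instead of a NullPointerException. `init` catching the exception with `e.printStackTrace()` and leaving `delegate` null means every later call fails with a NullPointerException far from the cause; rethrow it unchecked or log through `IdBrokerServiceMessages`. The class name `KnoxCloudCredentiatlsClientManager` carries a typo (`Credentiatls`) that is now part of the public API and of the service registration file.
```java
  public KnoxCloudCredentialsClient loadDelegate(String name) throws IdentityBrokerConfigException {
    // accept only a candidate whose advertised name equals the configured one;
    // falling out of the loop means no registered implementation matched
    for (KnoxCloudCredentialsClient candidate : ServiceLoader.load(KnoxCloudCredentialsClient.class)) {
      if (candidate.getName().equals(name)) {
        return candidate;
      }
    }
    throw new IdentityBrokerConfigException(name);
  }
```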
@@ -0,0 +1,51 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker; + +import java.util.Properties; + +import javax.security.auth.Subject; + +public interface KnoxCloudPolicyProvider { + + /** + * initialize config provider with the context from the topology + * params that are relevant to the particular config provider + * @param context + */ + void init(Properties context); + + /** + * Name of the specific provider implementation to be resolved + * by the KnoxCloudPolicyProviderFactory via ServiceLoader and the name + * configured within the topology. + * @return + */ + String getName(); + + /** + * Get the string representation of the cloud specific policy when appropriate. + * Some implementations may NOP this method as they may not support external policy + * filtering or management. They may also return a parseable string that represents + * configuration for specific cloud vendor client. 
+ * @param username + * @param subject + * @return + */ + String buildPolicy(String username, Subject subject); +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java new file mode 100644 index 0000000..1105b16 --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java 
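Review bot: The Javadoc on `init`, `getName` and `buildPolicy` has empty `@param context`, `@param username`, `@param subject` and `@return` tags, and `getName` refers to a "KnoxCloudPolicyProviderFactory" that this commit does not add — the lookup lives in `KnoxPolicyProviderManager.loadDelegate`, keyed on the `cloud.policy.config.provider` topology property. Fill the tags, e.g. `@return provider name matched against the topology's cloud.policy.config.provider value` on `getName` and `@return policy text for the cloud vendor client, or null when this provider does not produce one` on `buildPolicy`, and name the manager class instead of the factory. Saying explicitly whether `buildPolicy` may return null matters because `KnoxAWSClient` in this commit branches on exactly that.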
@@ -0,0 +1,72 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker; + +import java.util.Iterator; +import java.util.Properties; +import java.util.ServiceLoader; + +import javax.security.auth.Subject; + +public class KnoxPolicyProviderManager implements KnoxCloudPolicyProvider { + + private static final String DEFAULT_CLOUD_POLICY_CONFIG_PROVIDER = "default"; + private static final String CLOUD_POLICY_CONFIG_PROVIDER = "cloud.policy.config.provider"; + + private Properties properties = null; + private KnoxCloudPolicyProvider delegate = null; + + @Override + public void init(Properties context) { + properties = context; + try { + delegate = loadDelegate(context.getProperty(CLOUD_POLICY_CONFIG_PROVIDER)); + delegate.init(context); + } + catch (IdentityBrokerConfigException e) { + e.printStackTrace(); + } + } + + @Override + public String getName() { + return properties.getProperty(CLOUD_POLICY_CONFIG_PROVIDER, + DEFAULT_CLOUD_POLICY_CONFIG_PROVIDER); + } + + @Override + public String buildPolicy(String username, Subject subject) { + return delegate.buildPolicy(username, subject); + } + + public KnoxCloudPolicyProvider loadDelegate(String name) throws 
IdentityBrokerConfigException { + KnoxCloudPolicyProvider delegate = null; + ServiceLoader<KnoxCloudPolicyProvider> loader = ServiceLoader.load(KnoxCloudPolicyProvider.class); + Iterator<KnoxCloudPolicyProvider> iterator = loader.iterator(); + while(iterator.hasNext()) { + delegate = iterator.next(); + if (name.equals(delegate.getName())) { + break; + } + } + if (delegate == null) { + throw new IdentityBrokerConfigException(name); + } + return delegate; + } +} http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/AWSPolicyModel.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/AWSPolicyModel.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/AWSPolicyModel.java new file mode 100644 index 0000000..404ba05 --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/AWSPolicyModel.java 
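Review bot: `getName()` in `KnoxPolicyProviderManager` returns the configured `cloud.policy.config.provider` value (defaulting to `"default"`) rather than an identity for the manager itself, so it echoes the delegate's configured name and throws a NullPointerException when called before `init`, since `properties` starts null; `buildPolicy` has the same pre-`init` problem through `delegate`. If the intent is for the manager to answer on behalf of its delegate, `return delegate != null ? delegate.getName() : DEFAULT_CLOUD_POLICY_CONFIG_PROVIDER;` makes that explicit and removes the dependence on `properties`; otherwise a comment explaining why the raw configured value is returned would help, because the manager is not itself a ServiceLoader candidate as far as this hunk shows.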
@@ -0,0 +1,60 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.idbroker.aws; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.Map; + +import org.apache.knox.gateway.util.JsonUtils; + +public class AWSPolicyModel { + HashMap<String, Object> policyModel = new HashMap<String, Object>(); + ArrayList<String> actionArray = new ArrayList<String>(); + HashMap<String, Object> statementMap = new HashMap<String, Object>(); + ArrayList<String> resourcesArray = new ArrayList<String>(); + + public AWSPolicyModel() { + policyModel.put("Version", "2012-10-17"); + ArrayList<Map<String, Object>> statement = new ArrayList<Map<String, Object>>(); + policyModel.put("Statement", statement ); + statement.add(statementMap); + statementMap.put("Action", actionArray ); + statementMap.put("Resource", resourcesArray); + } + + public void setEffect(String effect) { + statementMap.put("Effect", effect); + } + + public void addAction(String action) { + actionArray.add(action); + } + + public void addResource(String resource) { + resourcesArray.add(resource); + } + + public void setResource(String resource) { + statementMap.put("Resource", resource); + } + + public String 
toString() { + return JsonUtils.renderAsJsonString(policyModel); + } +} http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java new file mode 100644 index 0000000..bdc8f79 --- /dev/null +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java 
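Review bot: `setResource` replaces the `"Resource"` entry with a plain string while `resourcesArray` lives on as a detached list, so any `addResource` call made after `setResource` is silently missing from the rendered policy; either have `setResource` reset the array instead (`resourcesArray.clear(); resourcesArray.add(resource);`, keeping the array form) or document that the two setters are mutually exclusive. `toString()` lacks `@Override`, and the four fields are package-private mutable collections declared as `HashMap`/`ArrayList`; make them `private final` and type them as `Map`/`List`. Nothing sets `"Effect"` by default, so a model rendered before `setEffect` produces a statement with no Effect element — worth either defaulting it or asserting it in `toString()`.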
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.idbroker.aws;
+
+import java.security.AccessController;
+import java.util.Properties;
+
+import javax.security.auth.Subject;
+
+import org.apache.knox.gateway.security.SubjectUtils;
+import org.apache.knox.gateway.service.idbroker.AbstractKnoxCloudCredentialsClient;
+import org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient;
+
+import com.amazonaws.regions.Regions;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
+import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
+import com.amazonaws.services.securitytoken.model.GetFederationTokenResult;
+
+public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient implements KnoxCloudCredentialsClient {
+ /* (non-Javadoc)
+ * @see org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient#getCredentials()
+ */
+ @Override
+ public Object getCredentials() {
+ GetFederationTokenResult token = getFederationTokenResult();
+ if (token == null) {
+ // TODO: handle this more appropriately for an API!!! 
+ throw new RuntimeException("No AWS credentials available.");
+ }
+ return token;
+ }
+
+ private GetFederationTokenResult getFederationTokenResult() {
+ String policy;
+ AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard().withRegion(Regions.US_EAST_1).build();
+ String username = null;
+ Subject subject = Subject.getSubject(AccessController.getContext());
+ username = getEffectiveUserName(subject);
+ policy = getPolicyProvider().buildPolicy(username, subject);
+ GetFederationTokenResult result = null;
+ if (policy != null) {
+ GetFederationTokenRequest request = new GetFederationTokenRequest(username).withPolicy(policy);
+ result = sts_client.getFederationToken(request);
+ System.out.println(result.getCredentials());
+ }
+ return result;
+ }
+
+ private String getEffectiveUserName(Subject subject) {
+ return SubjectUtils.getEffectivePrincipalName(subject);
+ }
+
+ @Override
+ public String getName() {
+ return "AWS";
+ }
+
+ @Override
+ public void init(Properties context) {
+ }
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java ----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java new file mode 100644
index 0000000..9fbbc94
--- /dev/null
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java 
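Review bot: `System.out.println(result.getCredentials());` in `getFederationTokenResult` writes the freshly issued federation credentials (access key, secret key and session token) to the gateway process's stdout, where whatever captures that output retains them; the line should be removed before merge, and if an audit trail is wanted, log only the access key id and expiry through the gateway's logger. `getCredentials` also surfaces a bare `RuntimeException` to the resource layer, as the TODO admits; a dedicated exception type would let the resource map "no policy for this principal" to a proper client error rather than a 500. A new STS client is built on every call with the region hard-coded to `Regions.US_EAST_1`; building it once in `init(Properties context)` from a configured region would fix both the per-request cost and the deployability. `Subject.getSubject` can return null, which `getEffectiveUserName` presumably does not tolerate, and STS constrains the federated user `Name` to a limited length and character set, so a principal name coming from a directory may need validation before it is passed to `GetFederationTokenRequest`.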
@@ -0,0 +1,168 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.idbroker.aws;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.security.auth.Subject;
+
+import org.apache.knox.gateway.security.GroupPrincipal;
+import org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider;
+
+public class KnoxAWSPolicyProvider implements KnoxCloudPolicyProvider {
+ private Map<String, PolicyConfig> userPolicyConfig = new HashMap<String, PolicyConfig>();
+ private Map<String, PolicyConfig> groupPolicyConfig = new HashMap<String, PolicyConfig>();
+
+ public KnoxAWSPolicyProvider() {
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider#init(java.util.Properties)
+ */
+ @Override
+ public void init(Properties context) {
+ buildPolicyMaps(context);
+ }
+
+ private void buildPolicyMaps(Properties context) {
+ /*
+ <service>
+ <role>IDBROKER</role>
+ <param>
+ <name>3.user.policy.action.guest</name>
+ <value>s3:Get*,s3:List*</value>
+ </param>
+ <param>
+ 
<name>s3.user.policy.resource.guest</name>
+ <value>*</value>
+ </param>
+ <param>
+ <name>s3.group.policy.action.admin</name>
+ <value>*</value>
+ </param>
+ <param>
+ <name>s3.group.policy.resource.admin</name>
+ <value>*</value>
+ </param>
+ </service>
+ */
+
+ String paramName = null;
+ Enumeration<Object> e = context.keys();
+ while (e.hasMoreElements()) {
+ paramName = (String)e.nextElement();
+ if (paramName.startsWith("s3.")) {
+ String[] elements = paramName.split("\\.");
+ if (elements[1].equals("user")) {
+ PolicyConfig policy = userPolicyConfig.get(elements[4]);
+ if (policy == null) {
+ policy = new PolicyConfig();
+ userPolicyConfig.put(elements[4], policy);
+ }
+ if (elements[3].equals("action")) {
+ policy.actions=context.getProperty(paramName);
+ } else {
+ policy.resources=context.getProperty(paramName);
+ }
+ if (policy.actions != null && policy.resources != null) {
+ buildAWSPolicyModel(policy);
+ }
+ }else if (elements[1].equals("group")) {
+ PolicyConfig policy = groupPolicyConfig.get(elements[4]);
+ if (policy == null) {
+ policy = new PolicyConfig();
+ groupPolicyConfig.put(elements[4], policy);
+ }
+ if (elements[3].equals("action")) {
+ policy.actions=context.getProperty(paramName);
+ } else {
+ policy.resources=context.getProperty(paramName);
+ }
+ if (policy.actions != null && policy.resources != null) {
+ buildAWSPolicyModel(policy);
+ }
+ }
+ }
+ }
+ }
+
+ private void buildAWSPolicyModel(PolicyConfig policy) {
+ AWSPolicyModel model = new AWSPolicyModel();
+ model.setEffect("Allow");
+ String[] actions = policy.actions.split(",");
+ for (int i = 0; i < actions.length; i++) {
+ model.addAction(actions[i]);
+ }
+ String[] resources = policy.resources.split(",");
+ if (resources.length > 1) {
+ for (int i = 0; i < resources.length; i++) {
+ model.addResource(resources[i]);
+ }
+ } else {
+ model.setResource(resources[0]);
+ }
+ policy.policy = model.toString();
+ }
+
+ /* (non-Javadoc)
+ * @see 
org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider#buildPolicy(java.lang.String, javax.security.auth.Subject)
+ */
+ @Override
+ public String buildPolicy(String username, Subject subject) {
+ String policy = null;
+ List<String> groupNames = new ArrayList<String>();
+ Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
+ for (int i = 0; i < groups.length; i++) {
+ groupNames.add(
+ ((Principal)groups[0]).getName());
+ }
+
+ PolicyConfig config = userPolicyConfig.get(username);
+ if (config == null) {
+ // check for a group policy match
+ for (String groupName : groupNames) {
+ config = groupPolicyConfig.get(groupName);
+ if (config != null) {
+ // just accept first match for now
+ break;
+ }
+ }
+ }
+ if (config != null) {
+ policy = config.policy;
+ }
+ return policy;
+ }
+
+ private class PolicyConfig {
+ public String actions = null;
+ public String resources = null;
+ public String policy = null;
+ }
+
+ @Override
+ public String getName() {
+ return "default";
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/deploy/IdBrokerServiceDeploymentContributor.java ----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/deploy/IdBrokerServiceDeploymentContributor.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/deploy/IdBrokerServiceDeploymentContributor.java new file mode 100644
index 0000000..81169b6
--- /dev/null
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/deploy/IdBrokerServiceDeploymentContributor.java 
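Review bot: The group-collection loop in `buildPolicy` reads `groups[0]` on every iteration, so `groupNames` holds the first group principal repeated and a user whose only configured group is not first in the set never resolves a group policy; the line should read `((Principal)groups[i]).getName());`, or simpler, iterate `subject.getPrincipals(GroupPrincipal.class)` directly and drop the array. Even once fixed, "first match" over a `Set` of principals has no defined order, so a user in two groups with different policies receives a non-deterministic policy; either merge the matching statements or define and document a precedence. In `buildPolicyMaps`, `elements[1]`, `elements[3]` and `elements[4]` are indexed without checking the split length, so a malformed key such as `s3.user.policy` throws `ArrayIndexOutOfBoundsException` out of `init`, and a principal name containing a dot is truncated to its first segment, binding the policy to a different name than the one configured; `paramName.split("\\.", 5)` keeps the full name, and a length check with a clear configuration error would cover the rest. The example in the comment also reads `3.user.policy.action.guest`, which the `startsWith("s3.")` filter would skip, so it should be corrected to `s3.user.policy.action.guest`.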
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.idbroker.deploy;
+
+import org.apache.knox.gateway.jersey.JerseyServiceDeploymentContributorBase;
+
+public class IdBrokerServiceDeploymentContributor extends JerseyServiceDeploymentContributorBase {
+
+ /* (non-Javadoc)
+ * @see ServiceDeploymentContributor#getRole()
+ */
+ @Override
+ public String getRole() {
+ return "IDBROKER";
+ }
+
+ /* (non-Javadoc)
+ * @see ServiceDeploymentContributor#getName()
+ */
+ @Override
+ public String getName() {
+ return "IDBrokerService";
+ }
+
+ /* (non-Javadoc)
+ * @see JerseyServiceDeploymentContributorBase#getPackages()
+ */
+ @Override
+ protected String[] getPackages() {
+ return new String[]{"org.apache.knox.gateway.service.idbroker"};
+ }
+
+ /* (non-Javadoc)
+ * @see JerseyServiceDeploymentContributorBase#getPatterns()
+ */
+ @Override
+ protected String[] getPatterns() {
+ return new String[]{"*/**?**"};
+ }
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ServiceDeploymentContributor ----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ServiceDeploymentContributor b/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ServiceDeploymentContributor new file mode 100644
index 0000000..c0bf5f0
--- /dev/null
+++ b/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ServiceDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.knox.gateway.service.idbroker.deploy.IdBrokerServiceDeploymentContributor
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient ----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient b/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient new file mode 100644
index 0000000..f8778a0
--- /dev/null
+++ b/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.knox.gateway.service.idbroker.aws.KnoxAWSClient
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider ----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider b/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider new file mode 100644
index 0000000..e1ed602
--- /dev/null
+++ b/gateway-service-idbroker/src/main/resources/META-INF/services/org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.knox.gateway.service.idbroker.aws.KnoxAWSPolicyProvider
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java ----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java new file mode 100644
index 0000000..651c407
--- /dev/null
+++ b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java 
@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.knoxs3;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.knox.gateway.service.idbroker.aws.AWSPolicyModel;
+import org.apache.knox.gateway.util.JsonUtils;
+import org.junit.Test;
+
+public class S3BucketsResourceTest {
+ @Test
+ public void testPolicyCreation() {
+
+ String policy = "{\n" +
+ " \"Version\": \"2012-10-17\",\n" +
+ " \"Statement\": [\n" +
+ " {\n" +
+ " \"Effect\": \"Allow\",\n" +
+ " \"Action\": [\n" +
+ " \"s3:Get*\",\n" +
+ " \"s3:List*\"\n" +
+ // " \"s3:Delete*\"\n" +
+ " ],\n" +
+ " \"Resource\": \"*\"\n" +
+ " }\n" +
+ " ]\n" +
+ "}";
+ System.out.println(policy);
+
+ HashMap<String, Object> policyModel = new HashMap<String, Object>();
+ policyModel.put("Version", "2012-10-17");
+ ArrayList<Map<String, Object>> statement = new ArrayList<Map<String, Object>>();
+
+ policyModel.put("Version", "2012-10-17");
+ policyModel.put("Statement", statement );
+ HashMap<String, Object> statementMap = new HashMap<String, Object>();
+ statementMap.put("Effect", "Allow");
+ ArrayList<String> actionArray = new ArrayList<String>();
+ 
actionArray.add("s3:Get*");
+ actionArray.add("s3:List*");
+ statementMap.put("Action", actionArray );
+ statement.add(statementMap);
+ policyModel.put("Resource", "*");
+
+ System.out.println(JsonUtils.renderAsJsonString(policyModel));
+
+ AWSPolicyModel model = new AWSPolicyModel();
+ model.setEffect("Allow");
+ model.addAction("s3:Get*");
+ model.addAction("s3:List*");
+ model.setResource("*");
+ System.out.println(model);
+
+ model = new AWSPolicyModel();
+ model.setEffect("Allow");
+ model.addAction("s3:Get*");
+ model.addAction("s3:List*");
+ model.addResource("this");
+ model.addResource("that");
+ System.out.println(model);
+}
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/d5885d14/pom.xml ----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 1c49602..6423dba 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,6 +78,7 @@
 <module>gateway-service-knoxsso</module>
 <module>gateway-service-knoxssout</module>
 <module>gateway-service-knoxtoken</module>
+ <module>gateway-service-idbroker</module>
 <module>gateway-service-knoxs3</module>
 <module>gateway-service-health</module>
 <module>gateway-service-webhdfs</module>
@@ -634,6 +635,11 @@
 </dependency>
 <dependency>
 <groupId>${gateway-group}</groupId>
+ <artifactId>gateway-service-idbroker</artifactId>
+ <version>${gateway-version}</version>
+ </dependency>
+ <dependency>
+ <groupId>${gateway-group}</groupId>
 <artifactId>gateway-service-knoxs3</artifactId>
 <version>${gateway-version}</version>
 </dependency>
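Review bot: `testPolicyCreation` asserts nothing; it builds the expected `policy` string and two `AWSPolicyModel` instances and only prints them, so a regression in `AWSPolicyModel` (a dropped `Effect`, a resource lost after `setResource`) would still pass. Each `System.out.println(model)` should become an assertion on the rendered JSON, for example `assertTrue(model.toString().contains("\"Effect\""))`, or better a comparison of the parsed structure against the hand-built `policyModel`. That hand-built map also puts `Resource` at the top level instead of inside `statementMap`, so it does not even match the `policy` string declared above it. The class is named `S3BucketsResourceTest` in package `knoxs3` yet exercises only `AWSPolicyModel`; renaming it and moving it under `service.idbroker.aws` would match the refactoring this commit performs.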
