Repository: knox Updated Branches: refs/heads/KNOX-1204 8350e75d9 -> feb848b2c
KNOX-1204 - combine policy across user and groups Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/feb848b2 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/feb848b2 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/feb848b2 Branch: refs/heads/KNOX-1204 Commit: feb848b2c4c3e08a957eb994b124a53837c72fae Parents: 8350e75 Author: Larry McCay <[email protected]> Authored: Tue Aug 7 17:48:27 2018 -0400 Committer: Larry McCay <[email protected]> Committed: Tue Aug 7 17:48:27 2018 -0400 ---------------------------------------------------------------------- .../idbroker/KnoxCloudPolicyProvider.java | 2 +- .../idbroker/KnoxPolicyProviderManager.java | 4 +- .../service/idbroker/aws/KnoxAWSClient.java | 2 +- .../idbroker/aws/KnoxAWSPolicyProvider.java | 56 +++---- .../service/knoxs3/IdBrokerResourceTest.java | 157 +++++++++++++++++++ .../service/knoxs3/S3BucketsResourceTest.java | 148 ----------------- 6 files changed, 190 insertions(+), 179 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java index eac1bcf..9c67783 100644 --- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java +++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java 
@@ -47,5 +47,5 @@ public interface KnoxCloudPolicyProvider {
 * @param subject
 * @return
 */
- String buildPolicy(String username, Subject subject);
+ String getPolicy(String username, Subject subject);
 }
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
index 1105b16..133b7c9 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
@@ -50,8 +50,8 @@ public class KnoxPolicyProviderManager implements KnoxCloudPolicyProvider {
 }
 @Override
- public String buildPolicy(String username, Subject subject) {
- return delegate.buildPolicy(username, subject);
+ public String getPolicy(String username, Subject subject) {
+ return delegate.getPolicy(username, subject);
 }
 public KnoxCloudPolicyProvider loadDelegate(String name) throws IdentityBrokerConfigException {
http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
index 1294eb7..21137fd 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
@@ -58,7 +58,7 @@ public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient implements
 String username = null;
 Subject subject = Subject.getSubject(AccessController.getContext());
 username = getEffectiveUserName(subject);
- policy = getPolicyProvider().buildPolicy(username, subject);
+ policy = getPolicyProvider().getPolicy(username, subject);
 GetFederationTokenResult result = null;
 if (policy != null) {
 GetFederationTokenRequest request = new GetFederationTokenRequest(username).withPolicy(policy);
http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
index 9fbbc94..7dad04d 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
@@ -50,7 +50,7 @@ public class KnoxAWSPolicyProvider implements KnoxCloudPolicyProvider {
 <service>
 <role>IDBROKER</role>
 <param>
- <name>3.user.policy.action.guest</name>
+ <name>s3.user.policy.action.guest</name>
 <value>s3:Get*,s3:List*</value>
 </param>
 <param>
@@ -85,9 +85,6 @@ public class KnoxAWSPolicyProvider implements KnoxCloudPolicyProvider {
 } else {
 policy.resources=context.getProperty(paramName);
 }
- if (policy.actions != null && policy.resources != null) {
- buildAWSPolicyModel(policy);
- }
 }else if (elements[1].equals("group")) {
 PolicyConfig policy = groupPolicyConfig.get(elements[4]);
 if (policy == null) {
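Review bot: Removing the `policy.actions != null && policy.resources != null` guard before `buildAWSPolicyModel` here, and again in the @@ -99 hunk, means a half-configured entry (a resource param with no matching action param, or vice versa) now reaches `policy.actions.split(",")` in `buildAWSPolicyModel` and throws NullPointerException where it used to be skipped. Because the model is now built inside `getPolicy`, that failure surfaces on the credential request rather than at configuration time, and it fails the whole request for any user or group whose config is incomplete. Keep the check at the new call sites, e.g. `if (config != null && config.actions != null && config.resources != null)` in `getPolicy`, or have `buildAWSPolicyModel` return null for an incomplete config and skip it. The enclosing configuration-parsing method starts before this hunk.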
@@ -99,15 +96,12 @@ public class KnoxAWSPolicyProvider implements KnoxCloudPolicyProvider {
 } else {
 policy.resources=context.getProperty(paramName);
 }
- if (policy.actions != null && policy.resources != null) {
- buildAWSPolicyModel(policy);
- }
 }
 }
 }
 }
- private void buildAWSPolicyModel(PolicyConfig policy) {
+ private AWSPolicyModel buildAWSPolicyModel(PolicyConfig policy) {
 AWSPolicyModel model = new AWSPolicyModel();
 model.setEffect("Allow");
 String[] actions = policy.actions.split(",");
@@ -122,43 +116,51 @@ public class KnoxAWSPolicyProvider implements KnoxCloudPolicyProvider {
 } else {
 model.setResource(resources[0]);
 }
- policy.policy = model.toString();
+ return model;
 }
 /* (non-Javadoc)
 * @see org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider#buildPolicy(java.lang.String, javax.security.auth.Subject)
 */
 @Override
- public String buildPolicy(String username, Subject subject) {
+ public String getPolicy(String username, Subject subject) {
 String policy = null;
+ List<String> groupNames = getGroupNames(subject);
+
+ PolicyConfig userConfig = userPolicyConfig.get(username);
+ // check for a group policy match
+ PolicyConfig config = null;
+ AWSPolicyModel model = null;
+ if (userConfig != null) {
+ model = buildAWSPolicyModel(userConfig);
+ }
+ for (String groupName : groupNames) {
+ config = groupPolicyConfig.get(groupName);
+ if (config != null) {
+ if (model != null) {
+ model.combine(buildAWSPolicyModel(config));
+ }
+ else {
+ model = buildAWSPolicyModel(config);
+ }
+ }
+ }
+ return model.toString();
+ }
+
+ private List<String> getGroupNames(Subject subject) {
 List<String> groupNames = new ArrayList<String>();
 Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
 for (int i = 0; i < groups.length; i++) {
 groupNames.add( ((Principal)groups[0]).getName());
 }
-
- PolicyConfig config = userPolicyConfig.get(username);
- if (config == null) {
- // check for a group policy match
- for (String groupName : groupNames) {
- config = groupPolicyConfig.get(groupName);
- if (config != null) {
- // just accept first match for now
- break;
- }
- }
- }
- if (config != null) {
- policy = config.policy;
- }
- return policy;
+ return groupNames;
 }
 private class PolicyConfig {
 public String actions = null;
 public String resources = null;
- public String policy = null;
 }
 @Override
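Review bot: `return model.toString();` in the new `getPolicy` dereferences `model` without a null check, so a user with no entry in `userPolicyConfig` and no matching group now triggers a NullPointerException, while the caller in `KnoxAWSClient` still expects the null the old code returned (`if (policy != null)`); change it to `return model == null ? null : model.toString();`. The `getGroupNames` helper carries over a pre-existing bug: the loop body reads `groups[0]` on every iteration, so only the first GroupPrincipal is ever looked up and the user-plus-groups combination this commit introduces silently ignores every other group; it should be `groupNames.add(((Principal) groups[i]).getName());`. The now-unused `String policy = null;` local and the `config` declared outside the loop can be dropped, and the `@see ...#buildPolicy` Javadoc reference above `getPolicy` still names the old method.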
http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java new file mode 100644 index 0000000..07151fb --- /dev/null +++ b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java 
@@ -0,0 +1,157 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.service.knoxs3; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.Map; + +import org.apache.knox.gateway.service.idbroker.aws.AWSPolicyModel; +import org.apache.knox.gateway.util.JsonUtils; +import org.junit.Test; + +public class IdBrokerResourceTest { + @Test + public void testPolicyCreation() { + + String policy = "{\n" + + " \"Version\": \"2012-10-17\",\n" + + " \"Statement\": [\n" + + " {\n" + + " \"Effect\": \"Allow\",\n" + + " \"Action\": [\n" + + " \"s3:Get*\",\n" + + " \"s3:List*\"\n" + + // " \"s3:Delete*\"\n" + + " ],\n" + + " \"Resource\": \"*\"\n" + + " }\n" + + " ]\n" + + "}"; + System.out.println(policy); + + HashMap<String, Object> policyModel = new HashMap<String, Object>(); + policyModel.put("Version", "2012-10-17"); + ArrayList<Map<String, Object>> statement = new ArrayList<Map<String, Object>>(); + + policyModel.put("Version", "2012-10-17"); + policyModel.put("Statement", statement ); + HashMap<String, Object> statementMap = new HashMap<String, Object>(); + statementMap.put("Effect", "Allow"); + ArrayList<String> actionArray = new ArrayList<String>(); + 
actionArray.add("s3:Get*"); + actionArray.add("s3:List*"); + statementMap.put("Action", actionArray ); + statement.add(statementMap); + policyModel.put("Resource", "*"); + + System.out.println(JsonUtils.renderAsJsonString(policyModel)); + + AWSPolicyModel model = new AWSPolicyModel(); + model.setEffect("Allow"); + model.addAction("s3:Get*"); + model.addAction("s3:List*"); + model.setResource("*"); + System.out.println(model); + + model = new AWSPolicyModel(); + model.setEffect("Allow"); + model.addAction("s3:Get*"); + model.addAction("s3:List*"); + model.addResource("this"); + model.addResource("that"); + System.out.println(model); + } + + @Test + public void testCombinedPolicyCreation() { + + String policy = "{\n" + + " \"Version\": \"2012-10-17\",\n" + + " \"Statement\": [\n" + + " {\n" + + " \"Effect\": \"Allow\",\n" + + " \"Action\": [\n" + + " \"s3:Get*\",\n" + + " \"s3:List*\"\n" + + // " \"s3:Delete*\"\n" + + " ],\n" + + " \"Resource\": \"*\"\n" + + " }\n" + + " {\n" + + " \"Effect\": \"Allow\",\n" + + " \"Action\": [\n" + + " \"s3:Get*\",\n" + + " \"s3:List*\"\n" + + " \"s3:Delete*\"\n" + + " ],\n" + + " \"Resource\": \"ljm\"\n" + + " }\n" + + " ]\n" + + "}"; + System.out.println(policy); + + HashMap<String, Object> policyModel = new HashMap<String, Object>(); + policyModel.put("Version", "2012-10-17"); + ArrayList<Map<String, Object>> statement = new ArrayList<Map<String, Object>>(); + + policyModel.put("Version", "2012-10-17"); + policyModel.put("Statement", statement ); + HashMap<String, Object> statementMap = new HashMap<String, Object>(); + statementMap.put("Effect", "Allow"); + ArrayList<String> actionArray = new ArrayList<String>(); + actionArray.add("s3:Get*"); + actionArray.add("s3:List*"); + statementMap.put("Action", actionArray ); + statement.add(statementMap); + policyModel.put("Resource", "*"); + + System.out.println(JsonUtils.renderAsJsonString(policyModel)); + + AWSPolicyModel model = new AWSPolicyModel(); + model.setEffect("Allow"); + 
model.addAction("s3:Get*"); + model.addAction("s3:List*"); + model.setResource("*"); + System.out.println(model); + + AWSPolicyModel model2 = new AWSPolicyModel(); + model2.setEffect("Allow"); + model2.addAction("s3:Get*"); + model2.addAction("s3:List*"); + model2.addResource("this"); + model2.addResource("that"); + System.out.println(model2); + + AWSPolicyModel model3 = new AWSPolicyModel(); + model3.setEffect("Deny"); + model3.addAction("s3:Get*"); + model3.addAction("s3:List*"); + model3.addResource("other thing"); + System.out.println(model3); + + ArrayList<AWSPolicyModel> models = new ArrayList<AWSPolicyModel>(); + models.add(model); + models.add(model2); + models.add(model3); + + model.combine(model2); + model.combine(model3); + System.out.println("Aggregate: " + model); + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java ---------------------------------------------------------------------- diff --git a/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java deleted file mode 100644 index 8291421..0000000 --- a/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java +++ /dev/null 
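Review bot: Neither test method in IdBrokerResourceTest asserts anything; every result is only passed to `System.out.println`, so `testCombinedPolicyCreation` never checks what `model.combine(model2)` and `model.combine(model3)` produce and the combination logic this commit relies on is effectively untested. Assert on `model.toString()` (or its parsed JSON) after the combine calls — that the resources and actions from each model are present, and, once the intended semantics are settled, how a `Deny` statement combined into an `Allow` model is represented. The hand-built `policy` string in `testCombinedPolicyCreation` is not valid JSON (no comma between the two statement objects and none after `"s3:List*"` before `"s3:Delete*"`), though it is only printed. The `models` list is populated but never read.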
@@ -1,148 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.knox.gateway.service.knoxs3; - -import java.util.ArrayList; -import java.util.HashMap; -import java.util.Map; - -import org.apache.knox.gateway.service.idbroker.aws.AWSPolicyModel; -import org.apache.knox.gateway.util.JsonUtils; -import org.junit.Test; - -public class S3BucketsResourceTest { - @Test - public void testPolicyCreation() { - - String policy = "{\n" + - " \"Version\": \"2012-10-17\",\n" + - " \"Statement\": [\n" + - " {\n" + - " \"Effect\": \"Allow\",\n" + - " \"Action\": [\n" + - " \"s3:Get*\",\n" + - " \"s3:List*\"\n" + - // " \"s3:Delete*\"\n" + - " ],\n" + - " \"Resource\": \"*\"\n" + - " }\n" + - " ]\n" + - "}"; - System.out.println(policy); - - HashMap<String, Object> policyModel = new HashMap<String, Object>(); - policyModel.put("Version", "2012-10-17"); - ArrayList<Map<String, Object>> statement = new ArrayList<Map<String, Object>>(); - - policyModel.put("Version", "2012-10-17"); - policyModel.put("Statement", statement ); - HashMap<String, Object> statementMap = new HashMap<String, Object>(); - statementMap.put("Effect", "Allow"); - ArrayList<String> actionArray = new ArrayList<String>(); - 
actionArray.add("s3:Get*"); - actionArray.add("s3:List*"); - statementMap.put("Action", actionArray ); - statement.add(statementMap); - policyModel.put("Resource", "*"); - - System.out.println(JsonUtils.renderAsJsonString(policyModel)); - - AWSPolicyModel model = new AWSPolicyModel(); - model.setEffect("Allow"); - model.addAction("s3:Get*"); - model.addAction("s3:List*"); - model.setResource("*"); - System.out.println(model); - - model = new AWSPolicyModel(); - model.setEffect("Allow"); - model.addAction("s3:Get*"); - model.addAction("s3:List*"); - model.addResource("this"); - model.addResource("that"); - System.out.println(model); - } - - @Test - public void testCombinedPolicyCreation() { - - String policy = "{\n" + - " \"Version\": \"2012-10-17\",\n" + - " \"Statement\": [\n" + - " {\n" + - " \"Effect\": \"Allow\",\n" + - " \"Action\": [\n" + - " \"s3:Get*\",\n" + - " \"s3:List*\"\n" + - // " \"s3:Delete*\"\n" + - " ],\n" + - " \"Resource\": \"*\"\n" + - " }\n" + - " {\n" + - " \"Effect\": \"Allow\",\n" + - " \"Action\": [\n" + - " \"s3:Get*\",\n" + - " \"s3:List*\"\n" + - " \"s3:Delete*\"\n" + - " ],\n" + - " \"Resource\": \"ljm\"\n" + - " }\n" + - " ]\n" + - "}"; - System.out.println(policy); - - HashMap<String, Object> policyModel = new HashMap<String, Object>(); - policyModel.put("Version", "2012-10-17"); - ArrayList<Map<String, Object>> statement = new ArrayList<Map<String, Object>>(); - - policyModel.put("Version", "2012-10-17"); - policyModel.put("Statement", statement ); - HashMap<String, Object> statementMap = new HashMap<String, Object>(); - statementMap.put("Effect", "Allow"); - ArrayList<String> actionArray = new ArrayList<String>(); - actionArray.add("s3:Get*"); - actionArray.add("s3:List*"); - statementMap.put("Action", actionArray ); - statement.add(statementMap); - policyModel.put("Resource", "*"); - - System.out.println(JsonUtils.renderAsJsonString(policyModel)); - - AWSPolicyModel model = new AWSPolicyModel(); - model.setEffect("Allow"); - 
model.addAction("s3:Get*"); - model.addAction("s3:List*"); - model.setResource("*"); - System.out.println(model); - - AWSPolicyModel model2 = new AWSPolicyModel(); - model2.setEffect("Allow"); - model2.addAction("s3:Get*"); - model2.addAction("s3:List*"); - model2.addResource("this"); - model2.addResource("that"); - System.out.println(model2); - - ArrayList<AWSPolicyModel> models = new ArrayList<AWSPolicyModel>(); - models.add(model); - models.add(model2); - - model.combine(model2); - System.out.println("Aggregate: " + model); - } -} \ No newline at end of file
