Author: rgodfrey
Date: Thu Jun 21 13:20:51 2012
New Revision: 1352526

URL: http://svn.apache.org/viewvc?rev=1352526&view=rev
Log:
QPID-3999 : Applied patch from Alex Rudyy for auth checks on management 
operations

Modified:
    
qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MessageServlet.java
    
qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/resources/js/qpid/management/Queue.js
    
qpid/branches/java-config-and-management/qpid/java/broker/etc/broker_example.acl
    qpid/branches/java-config-and-management/qpid/java/broker/etc/passwd

Modified: 
qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MessageServlet.java
URL: 
http://svn.apache.org/viewvc/qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MessageServlet.java?rev=1352526&r1=1352525&r2=1352526&view=diff
==============================================================================
--- 
qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MessageServlet.java
 (original)
+++ 
qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MessageServlet.java
 Thu Jun 21 13:20:51 2012
@@ -31,6 +31,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.log4j.Logger;
 import org.apache.qpid.server.message.AMQMessageHeader;
 import org.apache.qpid.server.message.MessageReference;
 import org.apache.qpid.server.message.ServerMessage;
@@ -39,12 +40,18 @@ import org.apache.qpid.server.model.Queu
 import org.apache.qpid.server.model.VirtualHost;
 import org.apache.qpid.server.queue.QueueEntry;
 import org.apache.qpid.server.queue.QueueEntryVisitor;
+import org.apache.qpid.server.registry.ApplicationRegistry;
+import org.apache.qpid.server.registry.IApplicationRegistry;
+import org.apache.qpid.server.security.SecurityManager;
+import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.subscription.Subscription;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.map.SerializationConfig;
 
 public class MessageServlet extends AbstractServlet
 {
+    private static final Logger LOGGER = 
Logger.getLogger(MessageServlet.class);
+
     public MessageServlet()
     {
         super();
@@ -399,38 +406,43 @@ public class MessageServlet extends Abst
 
         try
         {
-        final Queue sourceQueue = getQueueFromRequest(request);
-
-        ObjectMapper mapper = new ObjectMapper();
+            final Queue sourceQueue = getQueueFromRequest(request);
 
-        @SuppressWarnings("unchecked")
-        Map<String,Object> providedObject = 
mapper.readValue(request.getInputStream(), LinkedHashMap.class);
+            ObjectMapper mapper = new ObjectMapper();
 
+            @SuppressWarnings("unchecked")
+            Map<String,Object> providedObject = 
mapper.readValue(request.getInputStream(), LinkedHashMap.class);
 
-        String destQueueName = (String) providedObject.get("destinationQueue");
-        Boolean move = (Boolean) providedObject.get("move");
+            String destQueueName = (String) 
providedObject.get("destinationQueue");
+            Boolean move = (Boolean) providedObject.get("move");
 
+            final VirtualHost vhost = sourceQueue.getParent(VirtualHost.class);
 
-        final VirtualHost vhost = sourceQueue.getParent(VirtualHost.class);
-
-        final Queue destinationQueue = getQueueFromVirtualHost(destQueueName, 
vhost);
+            boolean isMoveTransaction = move != null && Boolean.valueOf(move);
 
-        final List messageIds = new ArrayList((List) 
providedObject.get("messages"));
-
-        QueueEntryTransaction txn =
-                (move != null && Boolean.valueOf(move))
-                        ? new MoveTransaction(sourceQueue, messageIds, 
destinationQueue)
-                        : new CopyTransaction(sourceQueue, messageIds, 
destinationQueue);
-        vhost.executeTransaction(txn);
+            // FIXME: added temporary authorization check until we introduce 
management layer
+            // and review current ACL rules to have common rules for all 
management interfaces
+            String methodName = isMoveTransaction? 
"moveMessages":"copyMessages";
+            if (isQueueUpdateMethodAuthorized(methodName, vhost.getName()))
+            {
+                final Queue destinationQueue = 
getQueueFromVirtualHost(destQueueName, vhost);
+                final List messageIds = new ArrayList((List) 
providedObject.get("messages"));
+                QueueEntryTransaction txn =
+                        isMoveTransaction
+                                ? new MoveTransaction(sourceQueue, messageIds, 
destinationQueue)
+                                : new CopyTransaction(sourceQueue, messageIds, 
destinationQueue);
+                vhost.executeTransaction(txn);
+                response.setStatus(HttpServletResponse.SC_OK);
+            }
+            else
+            {
+                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            }
         }
         catch(RuntimeException e)
         {
-            e.printStackTrace();
-        }
-        catch(IOException e)
-        {
-            e.printStackTrace();
-            throw e;
+            LOGGER.error("Failure to perform message opertion", e);
+            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
         }
     }
 
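Review bot: An authorization failure is answered with `SC_UNAUTHORIZED` (401) in the new else-branch, but at this point the caller has already authenticated and merely lacks the ACL permission, which is what 403 expresses; 401 additionally invites the browser to re-prompt for credentials. Suggest `response.setStatus(HttpServletResponse.SC_FORBIDDEN);` here and at the same branch in the deleteMessages hunk below. The denied attempt also leaves no trace in the servlet log; a line such as `LOGGER.warn("Denied " + methodName + " on virtual host " + vhost.getName());` next to the status gives operators an audit trail (the `-LOG` rule suffix used in broker_example.acl may already log the decision on the security-manager side, which I cannot confirm from this diff). The catch block's message misspells "operation" (`"Failure to perform message opertion"`). The enclosing method starts before this hunk.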
@@ -444,11 +456,6 @@ public class MessageServlet extends Abst
 
         final Queue sourceQueue = getQueueFromRequest(request);
 
-        ObjectMapper mapper = new ObjectMapper();
-
-        /*@SuppressWarnings("unchecked")
-        Map<String,Object> providedObject = 
mapper.readValue(request.getInputStream(), LinkedHashMap.class);
-*/
         final VirtualHost vhost = sourceQueue.getParent(VirtualHost.class);
 
 
@@ -458,9 +465,39 @@ public class MessageServlet extends Abst
             messageIds.add(Long.valueOf(idStr));
         }
 
-        vhost.executeTransaction(new DeleteTransaction(sourceQueue, 
messageIds));
+        // FIXME: added temporary authorization check until we introduce 
management layer
+        // and review current ACL rules to have common rules for all 
management interfaces
+        if (isQueueUpdateMethodAuthorized("deleteMessages", vhost.getName()))
+        {
+            vhost.executeTransaction(new DeleteTransaction(sourceQueue, 
messageIds));
+            response.setStatus(HttpServletResponse.SC_OK);
+        }
+        else
+        {
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        }
+
+    }
 
+    private boolean isQueueUpdateMethodAuthorized(String methodName, String 
virtualHost)
+    {
+        SecurityManager securityManager = getSecurityManager(virtualHost);
+        return securityManager.authoriseMethod(Operation.UPDATE, 
"VirtualHost.Queue", methodName);
     }
 
+    private SecurityManager getSecurityManager(String virtualHost)
+    {
+        IApplicationRegistry appRegistry = ApplicationRegistry.getInstance();
+        SecurityManager security;
+        if (virtualHost == null)
+        {
+            security = appRegistry.getSecurityManager();
+        }
+        else
+        {
+            security = 
appRegistry.getVirtualHostRegistry().getVirtualHost(virtualHost).getSecurityManager();
+        }
+        return security;
+    }
 
 }
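Review bot: `getSecurityManager` dereferences `getVirtualHost(virtualHost).getSecurityManager()` without checking the lookup result; the name comes from `vhost.getName()` of a VirtualHost already resolved from the request, so a miss looks unlikely, but a null here would surface as an NPE (uncaught in deleteMessages, which has no try block in this hunk) rather than a clear error, so a `requireNonNull`-style check with the virtual host name in the message would be safer. Both new helpers lack Javadoc; suggest on `isQueueUpdateMethodAuthorized` a summary such as "Asks the virtual host's SecurityManager (or the broker-wide one when virtualHost is null) whether the caller may invoke the named UPDATE METHOD on component VirtualHost.Queue", with `@param` and `@return`, and a matching one on `getSecurityManager`. The status-code point about `SC_UNAUTHORIZED` raised on the copy/move hunk applies to the else-branch here too. The deleteMessages method begins before this hunk.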

Modified: 
qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/resources/js/qpid/management/Queue.js
URL: 
http://svn.apache.org/viewvc/qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/resources/js/qpid/management/Queue.js?rev=1352526&r1=1352525&r2=1352526&view=diff
==============================================================================
--- 
qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/resources/js/qpid/management/Queue.js
 (original)
+++ 
qpid/branches/java-config-and-management/qpid/java/broker-plugins/management/src/main/java/resources/js/qpid/management/Queue.js
 Thu Jun 21 13:20:51 2012
@@ -180,12 +180,17 @@ define(["dojo/_base/xhr",
                        }
                        var query = "rest/message/"+ 
encodeURIComponent(that.getVirtualHostName())
                            + "/" + encodeURIComponent(that.getQueueName()) + 
queryParam;
+                       that.success = true
                        xhr.del({url: query, sync: true, handleAs: 
"json"}).then(
                            function(data) {
                                that.grid.setQuery({id: "*"});
                                that.grid.selection.deselectAll();
                                that.queueUpdater.update();
-                           });
+                           },
+                           function(error) {that.success = false; 
that.failureReason = error;});
+                        if(!that.success ) {
+                            alert("Error:" + this.failureReason);
+                        }
                    }
                }
            };
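Review bot: The alert reads `this.failureReason`, but the error callback stored the reason on `that` (`that.failureReason = error`), and inside this handler `this` is presumably not `that` — the code captures `that` for every other access — so the alert would show "Error:undefined"; change it to `alert("Error:" + that.failureReason);`. The added `that.success = true` is also missing its trailing semicolon. The check after the xhr call only works because the request is issued with `sync: true`; if that flag is ever dropped, `that.success` is read before either callback has run, which deserves a comment on the check such as `// relies on sync:true above: both callbacks have already run here`. The enclosing function starts before this hunk.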

Modified: 
qpid/branches/java-config-and-management/qpid/java/broker/etc/broker_example.acl
URL: 
http://svn.apache.org/viewvc/qpid/branches/java-config-and-management/qpid/java/broker/etc/broker_example.acl?rev=1352526&r1=1352525&r2=1352526&view=diff
==============================================================================
--- 
qpid/branches/java-config-and-management/qpid/java/broker/etc/broker_example.acl
 (original)
+++ 
qpid/branches/java-config-and-management/qpid/java/broker/etc/broker_example.acl
 Thu Jun 21 13:20:51 2012
@@ -24,6 +24,8 @@
 #Define a 'messaging-users' group with users  'client' and  'server' in it
 GROUP messaging-users client server
 
+#Define a group for management web console users
+GROUP webadmins webadmin
 
 ### MANAGEMENT ####
 
@@ -74,6 +76,23 @@ ACL ALLOW-LOG server CONSUME QUEUE name=
 ACL ALLOW-LOG server BIND EXCHANGE
 ACL ALLOW-LOG server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*"
 
+# ACL for web management console admins
+# All rules below are required for console admin users
+# to perform create/update/delete operations
+ACL ALLOW-LOG webadmins CREATE QUEUE
+ACL ALLOW-LOG webadmins DELETE QUEUE
+ACL ALLOW-LOG webadmins PURGE  QUEUE
+ACL ALLOW-LOG webadmins CREATE EXCHANGE
+ACL ALLOW-LOG webadmins DELETE EXCHANGE
+ACL ALLOW-LOG webadmins BIND   EXCHANGE
+ACL ALLOW-LOG webadmins UNBIND EXCHANGE
+ACL ALLOW-LOG webadmins UPDATE METHOD
+
+# at the moment only the following UPDATE METHOD rules are supported by web 
management console
+#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" 
name="moveMessages"
+#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" 
name="copyMessages"
+#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" 
name="deleteMessages"
+
 ### DEFAULT ###
 
 #Deny all users from performing all operations
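Review bot: `ACL ALLOW-LOG webadmins UPDATE METHOD` carries no component or name restriction, so it grants every UPDATE METHOD operation, while the three rules scoped to `component="VirtualHost.Queue"` that the console actually needs are left commented out; the comment above them ("only the following UPDATE METHOD rules are supported") reads as if those narrower rules were the active ones. Suggest rewording it to state the intent explicitly, e.g. `# the web console currently only invokes the three methods below; to restrict webadmins to them, uncomment these rules and remove the unrestricted UPDATE METHOD rule above`, or, if the ACL matcher honours the component/name attributes on UPDATE METHOD (which I cannot confirm from this diff), making the scoped rules active and dropping the broad one so the example follows least privilege.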

Modified: qpid/branches/java-config-and-management/qpid/java/broker/etc/passwd
URL: 
http://svn.apache.org/viewvc/qpid/branches/java-config-and-management/qpid/java/broker/etc/passwd?rev=1352526&r1=1352525&r2=1352526&view=diff
==============================================================================
--- qpid/branches/java-config-and-management/qpid/java/broker/etc/passwd 
(original)
+++ qpid/branches/java-config-and-management/qpid/java/broker/etc/passwd Thu 
Jun 21 13:20:51 2012
@@ -21,3 +21,5 @@ client:guest
 server:guest
 admin:admin
 
+webadmin:webadmin
+
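Review bot: The new `webadmin:webadmin` entry is a username-equals-password credential for an account that the example ACL places in `webadmins` with create/delete/purge and unrestricted UPDATE METHOD rights; it follows the existing `admin:admin` pattern of this sample file, but it widens what an unchanged default install exposes. Worth stating next to the new `GROUP webadmins webadmin` line in broker_example.acl (the passwd file format may not accept comments, which I cannot confirm here) that the sample password must be changed before use, e.g. `# sample account; change its password in etc/passwd before deploying`.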


