This is an automated email from the ASF dual-hosted git repository. av pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ignite.git
The following commit(s) were added to refs/heads/master by this push: new 61a1aaa IGNITE-12220 Allow to use cache-related permissions both at system and per-cache levels (#6904) 61a1aaa is described below commit 61a1aaaeab30d7d6b78e504a632492d02f52e32d Author: Sergei Ryzhov <s.vi.ryz...@gmail.com> AuthorDate: Wed Apr 1 17:40:53 2020 +0300 IGNITE-12220 Allow to use cache-related permissions both at system and per-cache levels (#6904) --- .../security/SecurityPermissionSetBuilder.java | 7 +- ...eOperationPermissionCreateDestroyCheckTest.java | 164 +++++++++++++++++++++ .../security/impl/TestSecurityContext.java | 7 +- .../security/SecurityPermissionSetBuilderTest.java | 22 +-- .../ignite/testsuites/SecurityTestSuite.java | 2 + 5 files changed, 179 insertions(+), 23 deletions(-) diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java index 2eca640..61be724 100644 --- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java +++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java @@ -68,7 +68,7 @@ public class SecurityPermissionSetBuilder { private boolean dfltAllowAll; /** */ - public static final SecurityPermissionSet ALLOW_ALL = create().defaultAllowAll(true).build(); + public static final SecurityPermissionSet ALLOW_ALL = create().build(); /** * Static factory method for create new permission builder. @@ -129,11 +129,6 @@ public class SecurityPermissionSetBuilder { * @return {@link SecurityPermissionSetBuilder} refer to same permission builder. */ public SecurityPermissionSetBuilder appendCachePermissions(String name, SecurityPermission... perms) { - for (SecurityPermission perm : perms) { - if (perm == SecurityPermission.CACHE_CREATE || perm == SecurityPermission.CACHE_DESTROY) - throw new IgniteException(perm + " should be assigned as system permission, not cache permission"); - } - validate(toCollection("CACHE_"), perms); append(cachePerms, name, toCollection(perms)); diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cache/CacheOperationPermissionCreateDestroyCheckTest.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cache/CacheOperationPermissionCreateDestroyCheckTest.java new file mode 100644 index 0000000..1e9429c --- /dev/null +++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cache/CacheOperationPermissionCreateDestroyCheckTest.java @@ -0,0 +1,164 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ignite.internal.processors.security.cache; + +import java.util.Arrays; +import org.apache.ignite.Ignite; +import org.apache.ignite.internal.processors.security.AbstractSecurityTest; +import org.apache.ignite.plugin.security.SecurityException; +import org.apache.ignite.plugin.security.SecurityPermissionSet; +import org.apache.ignite.plugin.security.SecurityPermissionSetBuilder; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; + +import static org.apache.ignite.plugin.security.SecurityPermission.*; +import static org.apache.ignite.testframework.GridTestUtils.assertThrowsWithCause; + +/** + * Test create and destroy cache permissions. + */ +@RunWith(Parameterized.class) +public class CacheOperationPermissionCreateDestroyCheckTest extends AbstractSecurityTest { + /** */ + @Parameterized.Parameters(name = "clientMode={0}") + public static Iterable<Boolean[]> data() { + return Arrays.asList(new Boolean[] {true}, new Boolean[] {false}); + } + + /** */ + @Parameterized.Parameter() + public boolean clientMode; + + /** */ + private static final String SRV = "srv"; + + /** */ + private static final String SRV_WITHOUT_PERMS = "srv_without_perms"; + + /** */ + private static final String CLNT_WITHOUT_PERMS = "clnt_without_perms"; + + /** */ + private static final String TEST_NODE = "test_node"; + + /** */ + private static final String CACHE_NAME = "CACHE_NAME"; + + /** */ + private static final String UNMANAGED_CACHE = "UNMANAGED_CACHE"; + + /** */ + @Test + public void testCreateCacheWithCachePermissions() throws Exception { + SecurityPermissionSet secPermSet = builder() + .appendCachePermissions(CACHE_NAME, CACHE_CREATE) + .build(); + + try (Ignite node = startGrid(TEST_NODE, secPermSet, clientMode)) { + assertThrowsWithCause(() -> node.createCache(UNMANAGED_CACHE), SecurityException.class); + + assertNull(grid(SRV).cache(UNMANAGED_CACHE)); + + assertNotNull(node.createCache(CACHE_NAME)); + } + } + + /** */ + @Test + public void testDestroyCacheWithCachePermissions() throws Exception { + SecurityPermissionSet secPermSet = builder() + .appendCachePermissions(CACHE_NAME, CACHE_DESTROY) + .build(); + + grid(SRV).createCache(CACHE_NAME); + grid(SRV).createCache(UNMANAGED_CACHE); + + try (Ignite node = startGrid(TEST_NODE, secPermSet, clientMode)) { + node.destroyCache(CACHE_NAME); + + assertThrowsWithCause(() -> node.destroyCache(UNMANAGED_CACHE), SecurityException.class); + + assertNull(grid(SRV).cache(CACHE_NAME)); + + assertNotNull(grid(SRV).cache(UNMANAGED_CACHE)); + } + } + + /** */ + @Test + public void testCreateCacheWithSystemPermissions() throws Exception { + SecurityPermissionSet secPermSet = builder() + .appendSystemPermissions(CACHE_CREATE) + .build(); + + try (Ignite node = startGrid(TEST_NODE, secPermSet, clientMode)) { + assertThrowsWithCause(() -> forbidden(clientMode).createCache(CACHE_NAME), SecurityException.class); + + assertNotNull(node.createCache(CACHE_NAME)); + } + } + + /** */ + @Test + public void testDestroyCacheWithSystemPermissions() throws Exception { + SecurityPermissionSet secPermSet = builder() + .appendSystemPermissions(CACHE_DESTROY) + .build(); + + grid(SRV).createCache(CACHE_NAME); + + try (Ignite node = startGrid(TEST_NODE, secPermSet, clientMode)) { + assertThrowsWithCause(() -> forbidden(clientMode).destroyCache(CACHE_NAME), SecurityException.class); + + node.destroyCache(CACHE_NAME); + + assertNull(grid(SRV).cache(CACHE_NAME)); + } + } + + /** */ + private SecurityPermissionSetBuilder builder() { + return SecurityPermissionSetBuilder.create() + .defaultAllowAll(false) + .appendSystemPermissions(JOIN_AS_SERVER); + } + + /** + * @param isClnt Is client. + */ + private Ignite forbidden(boolean isClnt) { + return isClnt ? grid(CLNT_WITHOUT_PERMS) : grid(SRV_WITHOUT_PERMS); + } + + /** {@inheritDoc} */ + @Override protected void beforeTestsStarted() throws Exception { + startGridAllowAll(SRV); + + startGrid(CLNT_WITHOUT_PERMS, builder().build(), true); + + startGrid(SRV_WITHOUT_PERMS, builder().build(), false); + } + + /** {@inheritDoc} */ + @Override protected void afterTest() throws Exception { + Ignite server = grid(SRV); + + server.cacheNames().forEach(server::destroyCache); + } +} diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java index 846762c..6e8dfba 100644 --- a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java +++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java @@ -44,10 +44,13 @@ public class TestSecurityContext implements SecurityContext, Serializable { */ public boolean operationAllowed(String opName, SecurityPermission perm) { switch (perm) { + case CACHE_CREATE: + case CACHE_DESTROY: + return systemOperationAllowed(perm) || cacheOperationAllowed(opName, perm); + case CACHE_PUT: case CACHE_READ: case CACHE_REMOVE: - return cacheOperationAllowed(opName, perm); case TASK_CANCEL: @@ -65,8 +68,6 @@ public class TestSecurityContext implements SecurityContext, Serializable { case ADMIN_CACHE: case ADMIN_QUERY: case ADMIN_OPS: - case CACHE_CREATE: - case CACHE_DESTROY: case JOIN_AS_SERVER: return systemOperationAllowed(perm); diff --git a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java index 99f5aa5..7a29ddd 100644 --- a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java +++ b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java @@ -53,8 +53,8 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { SecurityBasicPermissionSet exp = new SecurityBasicPermissionSet(); Map<String, Collection<SecurityPermission>> permCache = new HashMap<>(); - permCache.put("cache1", permissions(CACHE_PUT, CACHE_REMOVE)); - permCache.put("cache2", permissions(CACHE_READ)); + permCache.put("cache1", permissions(CACHE_PUT, CACHE_REMOVE, CACHE_CREATE)); + permCache.put("cache2", permissions(CACHE_READ, CACHE_DESTROY)); exp.setCachePermissions(permCache); @@ -98,7 +98,8 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { return null; } }, IgniteException.class, - "you can assign permission only start with [EVENTS_, ADMIN_, CACHE_CREATE, CACHE_DESTROY, JOIN_AS_SERVER], but you try TASK_EXECUTE" + "you can assign permission only start with [EVENTS_, ADMIN_, CACHE_CREATE, CACHE_DESTROY, " + + "JOIN_AS_SERVER], but you try TASK_EXECUTE" ); assertThrows(log, new Callable<Object>() { @@ -107,22 +108,15 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { return null; } }, IgniteException.class, - "you can assign permission only start with [EVENTS_, ADMIN_, CACHE_CREATE, CACHE_DESTROY, JOIN_AS_SERVER], but you try SERVICE_INVOKE" - ); - - assertThrows(log, new Callable<Object>() { - @Override public Object call() throws Exception { - permsBuilder.appendCachePermissions("cache", CACHE_CREATE); - return null; - } - }, IgniteException.class, - "CACHE_CREATE should be assigned as system permission, not cache permission" + "you can assign permission only start with [EVENTS_, ADMIN_, CACHE_CREATE, CACHE_DESTROY, " + + "JOIN_AS_SERVER], but you try SERVICE_INVOKE" ); permsBuilder - .appendCachePermissions("cache1", CACHE_PUT) + .appendCachePermissions("cache1", CACHE_PUT, CACHE_CREATE) .appendCachePermissions("cache1", CACHE_PUT, CACHE_REMOVE) .appendCachePermissions("cache2", CACHE_READ) + .appendCachePermissions("cache2", CACHE_DESTROY) .appendTaskPermissions("task1", TASK_CANCEL) .appendTaskPermissions("task2", TASK_EXECUTE) .appendTaskPermissions("task2", TASK_EXECUTE) diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java index e466e14..8968f16 100644 --- a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java +++ b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java @@ -21,6 +21,7 @@ import org.apache.ignite.internal.processors.security.IgniteSecurityProcessorTes import org.apache.ignite.internal.processors.security.GridCommandHandlerSslWithSecurityTest; import org.apache.ignite.internal.processors.security.InvalidServerTest; import org.apache.ignite.internal.processors.security.cache.CacheOperationPermissionCheckTest; +import org.apache.ignite.internal.processors.security.cache.CacheOperationPermissionCreateDestroyCheckTest; import org.apache.ignite.internal.processors.security.cache.ContinuousQueryPermissionCheckTest; import org.apache.ignite.internal.processors.security.cache.EntryProcessorPermissionCheckTest; import org.apache.ignite.internal.processors.security.cache.ScanQueryPermissionCheckTest; @@ -58,6 +59,7 @@ import org.junit.runners.Suite; @RunWith(Suite.class) @Suite.SuiteClasses({ CacheOperationPermissionCheckTest.class, + CacheOperationPermissionCreateDestroyCheckTest.class, DataStreamerPermissionCheckTest.class, ScanQueryPermissionCheckTest.class, EntryProcessorPermissionCheckTest.class,