This is an automated email from the ASF dual-hosted git repository.
av pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git
The following commit(s) were added to refs/heads/master by this push:
new 61a1aaa IGNITE-12220 Allow to use cache-related permissions both at
system and per-cache levels (#6904)
61a1aaa is described below
commit 61a1aaaeab30d7d6b78e504a632492d02f52e32d
Author: Sergei Ryzhov <s.vi.ryz...@gmail.com>
AuthorDate: Wed Apr 1 17:40:53 2020 +0300
IGNITE-12220 Allow to use cache-related permissions both at system and
per-cache levels (#6904)
---
.../security/SecurityPermissionSetBuilder.java | 7 +-
...eOperationPermissionCreateDestroyCheckTest.java | 164 +++++++++++++++++++++
.../security/impl/TestSecurityContext.java | 7 +-
.../security/SecurityPermissionSetBuilderTest.java | 22 +--
.../ignite/testsuites/SecurityTestSuite.java | 2 +
5 files changed, 179 insertions(+), 23 deletions(-)
diff --git
a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
index 2eca640..61be724 100644
---
a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
+++
b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
@@ -68,7 +68,7 @@ public class SecurityPermissionSetBuilder {
private boolean dfltAllowAll;
/** */
- public static final SecurityPermissionSet ALLOW_ALL =
create().defaultAllowAll(true).build();
+ public static final SecurityPermissionSet ALLOW_ALL = create().build();
/**
* Static factory method for create new permission builder.
@@ -129,11 +129,6 @@ public class SecurityPermissionSetBuilder {
* @return {@link SecurityPermissionSetBuilder} refer to same permission
builder.
*/
public SecurityPermissionSetBuilder appendCachePermissions(String name,
SecurityPermission... perms) {
- for (SecurityPermission perm : perms) {
- if (perm == SecurityPermission.CACHE_CREATE || perm ==
SecurityPermission.CACHE_DESTROY)
- throw new IgniteException(perm + " should be assigned as
system permission, not cache permission");
- }
-
validate(toCollection("CACHE_"), perms);
append(cachePerms, name, toCollection(perms));
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cache/CacheOperationPermissionCreateDestroyCheckTest.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cache/CacheOperationPermissionCreateDestroyCheckTest.java
new file mode 100644
index 0000000..1e9429c
--- /dev/null
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cache/CacheOperationPermissionCreateDestroyCheckTest.java
@@ -0,0 +1,164 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.cache;
+
+import java.util.Arrays;
+import org.apache.ignite.Ignite;
+import org.apache.ignite.internal.processors.security.AbstractSecurityTest;
+import org.apache.ignite.plugin.security.SecurityException;
+import org.apache.ignite.plugin.security.SecurityPermissionSet;
+import org.apache.ignite.plugin.security.SecurityPermissionSetBuilder;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import static org.apache.ignite.plugin.security.SecurityPermission.*;
+import static
org.apache.ignite.testframework.GridTestUtils.assertThrowsWithCause;
+
+/**
+ * Test create and destroy cache permissions.
+ */
+@RunWith(Parameterized.class)
+public class CacheOperationPermissionCreateDestroyCheckTest extends
AbstractSecurityTest {
+ /** */
+ @Parameterized.Parameters(name = "clientMode={0}")
+ public static Iterable<Boolean[]> data() {
+ return Arrays.asList(new Boolean[] {true}, new Boolean[] {false});
+ }
+
+ /** */
+ @Parameterized.Parameter()
+ public boolean clientMode;
+
+ /** */
+ private static final String SRV = "srv";
+
+ /** */
+ private static final String SRV_WITHOUT_PERMS = "srv_without_perms";
+
+ /** */
+ private static final String CLNT_WITHOUT_PERMS = "clnt_without_perms";
+
+ /** */
+ private static final String TEST_NODE = "test_node";
+
+ /** */
+ private static final String CACHE_NAME = "CACHE_NAME";
+
+ /** */
+ private static final String UNMANAGED_CACHE = "UNMANAGED_CACHE";
+
+ /** */
+ @Test
+ public void testCreateCacheWithCachePermissions() throws Exception {
+ SecurityPermissionSet secPermSet = builder()
+ .appendCachePermissions(CACHE_NAME, CACHE_CREATE)
+ .build();
+
+ try (Ignite node = startGrid(TEST_NODE, secPermSet, clientMode)) {
+ assertThrowsWithCause(() -> node.createCache(UNMANAGED_CACHE),
SecurityException.class);
+
+ assertNull(grid(SRV).cache(UNMANAGED_CACHE));
+
+ assertNotNull(node.createCache(CACHE_NAME));
+ }
+ }
+
+ /** */
+ @Test
+ public void testDestroyCacheWithCachePermissions() throws Exception {
+ SecurityPermissionSet secPermSet = builder()
+ .appendCachePermissions(CACHE_NAME, CACHE_DESTROY)
+ .build();
+
+ grid(SRV).createCache(CACHE_NAME);
+ grid(SRV).createCache(UNMANAGED_CACHE);
+
+ try (Ignite node = startGrid(TEST_NODE, secPermSet, clientMode)) {
+ node.destroyCache(CACHE_NAME);
+
+ assertThrowsWithCause(() -> node.destroyCache(UNMANAGED_CACHE),
SecurityException.class);
+
+ assertNull(grid(SRV).cache(CACHE_NAME));
+
+ assertNotNull(grid(SRV).cache(UNMANAGED_CACHE));
+ }
+ }
+
+ /** */
+ @Test
+ public void testCreateCacheWithSystemPermissions() throws Exception {
+ SecurityPermissionSet secPermSet = builder()
+ .appendSystemPermissions(CACHE_CREATE)
+ .build();
+
+ try (Ignite node = startGrid(TEST_NODE, secPermSet, clientMode)) {
+ assertThrowsWithCause(() ->
forbidden(clientMode).createCache(CACHE_NAME), SecurityException.class);
+
+ assertNotNull(node.createCache(CACHE_NAME));
+ }
+ }
+
+ /** */
+ @Test
+ public void testDestroyCacheWithSystemPermissions() throws Exception {
+ SecurityPermissionSet secPermSet = builder()
+ .appendSystemPermissions(CACHE_DESTROY)
+ .build();
+
+ grid(SRV).createCache(CACHE_NAME);
+
+ try (Ignite node = startGrid(TEST_NODE, secPermSet, clientMode)) {
+ assertThrowsWithCause(() ->
forbidden(clientMode).destroyCache(CACHE_NAME), SecurityException.class);
+
+ node.destroyCache(CACHE_NAME);
+
+ assertNull(grid(SRV).cache(CACHE_NAME));
+ }
+ }
+
+ /** */
+ private SecurityPermissionSetBuilder builder() {
+ return SecurityPermissionSetBuilder.create()
+ .defaultAllowAll(false)
+ .appendSystemPermissions(JOIN_AS_SERVER);
+ }
+
+ /**
+ * @param isClnt Is client.
+ */
+ private Ignite forbidden(boolean isClnt) {
+ return isClnt ? grid(CLNT_WITHOUT_PERMS) : grid(SRV_WITHOUT_PERMS);
+ }
+
+ /** {@inheritDoc} */
+ @Override protected void beforeTestsStarted() throws Exception {
+ startGridAllowAll(SRV);
+
+ startGrid(CLNT_WITHOUT_PERMS, builder().build(), true);
+
+ startGrid(SRV_WITHOUT_PERMS, builder().build(), false);
+ }
+
+ /** {@inheritDoc} */
+ @Override protected void afterTest() throws Exception {
+ Ignite server = grid(SRV);
+
+ server.cacheNames().forEach(server::destroyCache);
+ }
+}
diff --git
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
index 846762c..6e8dfba 100644
---
a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
+++
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityContext.java
@@ -44,10 +44,13 @@ public class TestSecurityContext implements
SecurityContext, Serializable {
*/
public boolean operationAllowed(String opName, SecurityPermission perm) {
switch (perm) {
+ case CACHE_CREATE:
+ case CACHE_DESTROY:
+ return systemOperationAllowed(perm) ||
cacheOperationAllowed(opName, perm);
+
case CACHE_PUT:
case CACHE_READ:
case CACHE_REMOVE:
-
return cacheOperationAllowed(opName, perm);
case TASK_CANCEL:
@@ -65,8 +68,6 @@ public class TestSecurityContext implements SecurityContext,
Serializable {
case ADMIN_CACHE:
case ADMIN_QUERY:
case ADMIN_OPS:
- case CACHE_CREATE:
- case CACHE_DESTROY:
case JOIN_AS_SERVER:
return systemOperationAllowed(perm);
diff --git
a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
index 99f5aa5..7a29ddd 100644
---
a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
+++
b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
@@ -53,8 +53,8 @@ public class SecurityPermissionSetBuilderTest extends
GridCommonAbstractTest {
SecurityBasicPermissionSet exp = new SecurityBasicPermissionSet();
Map<String, Collection<SecurityPermission>> permCache = new
HashMap<>();
- permCache.put("cache1", permissions(CACHE_PUT, CACHE_REMOVE));
- permCache.put("cache2", permissions(CACHE_READ));
+ permCache.put("cache1", permissions(CACHE_PUT, CACHE_REMOVE,
CACHE_CREATE));
+ permCache.put("cache2", permissions(CACHE_READ, CACHE_DESTROY));
exp.setCachePermissions(permCache);
@@ -98,7 +98,8 @@ public class SecurityPermissionSetBuilderTest extends
GridCommonAbstractTest {
return null;
}
}, IgniteException.class,
- "you can assign permission only start with [EVENTS_, ADMIN_,
CACHE_CREATE, CACHE_DESTROY, JOIN_AS_SERVER], but you try TASK_EXECUTE"
+ "you can assign permission only start with [EVENTS_, ADMIN_,
CACHE_CREATE, CACHE_DESTROY, " +
+ "JOIN_AS_SERVER], but you try TASK_EXECUTE"
);
assertThrows(log, new Callable<Object>() {
@@ -107,22 +108,15 @@ public class SecurityPermissionSetBuilderTest extends
GridCommonAbstractTest {
return null;
}
}, IgniteException.class,
- "you can assign permission only start with [EVENTS_, ADMIN_,
CACHE_CREATE, CACHE_DESTROY, JOIN_AS_SERVER], but you try SERVICE_INVOKE"
- );
-
- assertThrows(log, new Callable<Object>() {
- @Override public Object call() throws Exception {
- permsBuilder.appendCachePermissions("cache", CACHE_CREATE);
- return null;
- }
- }, IgniteException.class,
- "CACHE_CREATE should be assigned as system permission, not cache
permission"
+ "you can assign permission only start with [EVENTS_, ADMIN_,
CACHE_CREATE, CACHE_DESTROY, " +
+ "JOIN_AS_SERVER], but you try SERVICE_INVOKE"
);
permsBuilder
- .appendCachePermissions("cache1", CACHE_PUT)
+ .appendCachePermissions("cache1", CACHE_PUT, CACHE_CREATE)
.appendCachePermissions("cache1", CACHE_PUT, CACHE_REMOVE)
.appendCachePermissions("cache2", CACHE_READ)
+ .appendCachePermissions("cache2", CACHE_DESTROY)
.appendTaskPermissions("task1", TASK_CANCEL)
.appendTaskPermissions("task2", TASK_EXECUTE)
.appendTaskPermissions("task2", TASK_EXECUTE)
diff --git
a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
index e466e14..8968f16 100644
---
a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
+++
b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -21,6 +21,7 @@ import
org.apache.ignite.internal.processors.security.IgniteSecurityProcessorTes
import
org.apache.ignite.internal.processors.security.GridCommandHandlerSslWithSecurityTest;
import org.apache.ignite.internal.processors.security.InvalidServerTest;
import
org.apache.ignite.internal.processors.security.cache.CacheOperationPermissionCheckTest;
+import
org.apache.ignite.internal.processors.security.cache.CacheOperationPermissionCreateDestroyCheckTest;
import
org.apache.ignite.internal.processors.security.cache.ContinuousQueryPermissionCheckTest;
import
org.apache.ignite.internal.processors.security.cache.EntryProcessorPermissionCheckTest;
import
org.apache.ignite.internal.processors.security.cache.ScanQueryPermissionCheckTest;
@@ -58,6 +59,7 @@ import org.junit.runners.Suite;
@RunWith(Suite.class)
@Suite.SuiteClasses({
CacheOperationPermissionCheckTest.class,
+ CacheOperationPermissionCreateDestroyCheckTest.class,
DataStreamerPermissionCheckTest.class,
ScanQueryPermissionCheckTest.class,
EntryProcessorPermissionCheckTest.class,
