Author: ritchiem
Date: Wed Oct 28 15:28:03 2009
New Revision: 830577

URL: http://svn.apache.org/viewvc?rev=830577&view=rev
Log:
QPID-1304: implement the ACCESS section of SimpleXML ACL. Enables virtualhost 
level access control, giving the defined users full access to all artifacts in 
the vhost

Modified:
    
qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java
    
qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java
    
qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java
    
qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java

Modified: 
qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java
URL: 
http://svn.apache.org/viewvc/qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java?rev=830577&r1=830576&r2=830577&view=diff
==============================================================================
--- 
qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java
 (original)
+++ 
qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java
 Wed Oct 28 15:28:03 2009
@@ -53,6 +53,7 @@
     private static final int PUBLISH_EXCHANGES_KEY = 0;
 
     private Map _permissions;
+    private boolean _fullVHostAccess = false;
 
     private String _user;
 
@@ -82,6 +83,9 @@
     {
         switch (permission)
         {
+            case ACCESS:// Parameters : None
+                grantAccess(permission);
+                break;
             case CONSUME: // Parameters : AMQShortString queueName, Boolean 
Temporary, Boolean ownQueueOnly
                 grantConsume(permission, parameters);
                 break;
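Review bot: The comment on the new `case ACCESS` says only "Parameters : None", but from this commit on the grant sets `_fullVHostAccess`, which makes authoriseConsume, authorisePublish, authoriseCreateExchange, authoriseCreateQueue and authoriseBind return ALLOWED before any per-permission lookup. Someone editing an ACL section called "access" could take it for a connect-only right, so the comment should say what it confers, for example `case ACCESS: // Parameters : None. Grants full rights on every artifact in this vhost; all per-permission checks are bypassed`. grantAccess, added further down, ignores its `permission` argument and nothing visible in this diff clears the flag again; a short Javadoc on that method should say both. The switch and the enclosing grant method start and end outside the hunk.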
@@ -98,7 +102,6 @@
                 break;
             /* The other cases just fall through to no-op */
             case DELETE:
-            case ACCESS: // This is a no-op as the existence of this 
PrincipalPermission object is scoped per VHost for ACCESS
             case BIND: // All the details are currently included in the create 
setup.
             case PURGE:
             case UNBIND:
@@ -107,6 +110,11 @@
 
     }
 
+    private void grantAccess(Permission permission)
+    {
+        _fullVHostAccess = true;
+    }
+    
        private void grantPublish(Permission permission, Object... parameters) {
                Map publishRights = (Map) _permissions.get(permission);
 
@@ -353,9 +361,8 @@
 
         switch (permission)
         {
-            case ACCESS:
-                return AuthzResult.ALLOWED; // This is here for completeness 
but the SimpleXML ACLManager never calls it.
-                // The existence of this user specific PP can be validated in 
the map SimpleXML maintains.
+            case ACCESS://No Parameters 
+                return AuthzResult.ALLOWED; // The existence of this 
user-specific PP infers some level of access is authorised
             case BIND: // Parameters : QueueBindMethod , Exchange , AMQQueue, 
AMQShortString routingKey
                 return authoriseBind(parameters);
             case CREATEQUEUE:// Parameters : boolean autodelete, 
AMQShortString name
@@ -376,7 +383,14 @@
 
     }
 
-       private AuthzResult authoriseConsume(Permission permission, Object... 
parameters) {
+       private AuthzResult authoriseConsume(Permission permission, Object... 
parameters)
+       {
+           if(_fullVHostAccess)
+           {
+               //user has been granted full access to the vhost
+               return AuthzResult.ALLOWED;
+           }
+           
                if (parameters.length == 1 && parameters[0] instanceof AMQQueue)
                {
                    AMQQueue queue = ((AMQQueue) parameters[0]);
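Review bot: The `_fullVHostAccess` guard added at the top of authoriseConsume is copied verbatim into authorisePublish, authoriseCreateExchange, authoriseCreateQueue and authoriseBind in the following hunks, so what "full access" covers is defined by whichever methods happen to carry the copy. Permissions handled elsewhere in authorise's switch (not visible here) may or may not honour the flag, and every future authorise method has to remember to repeat it. A single `if (_fullVHostAccess) { return AuthzResult.ALLOWED; }` ahead of `switch (permission)` in authorise would state the rule once, assuming no case there is meant to stay restricted for full-access users. authoriseConsume's body continues outside the hunk.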
@@ -434,8 +448,15 @@
                return AuthzResult.DENIED;
        }
 
-       private AuthzResult authorisePublish(Permission permission, Object... 
parameters) {
-               Map publishRights = (Map) _permissions.get(permission);
+       private AuthzResult authorisePublish(Permission permission, Object... 
parameters)
+       {
+           if(_fullVHostAccess)
+           {
+               //user has been granted full access to the vhost
+               return AuthzResult.ALLOWED;
+           }
+
+           Map publishRights = (Map) _permissions.get(permission);
 
                if (publishRights == null)
                {
@@ -494,7 +515,14 @@
                }
        }
 
-       private AuthzResult authoriseCreateExchange(Permission permission, 
Object... parameters) {
+       private AuthzResult authoriseCreateExchange(Permission permission, 
Object... parameters)
+       {
+        if(_fullVHostAccess)
+        {
+            //user has been granted full access to the vhost
+            return AuthzResult.ALLOWED;
+        }
+
                Map rights = (Map) _permissions.get(permission);
 
                AMQShortString exchangeName = (AMQShortString) parameters[0];
@@ -511,8 +539,15 @@
                }
        }
 
-       private AuthzResult authoriseCreateQueue(Permission permission, 
Object... parameters) {
-               Map createRights = (Map) _permissions.get(permission);
+       private AuthzResult authoriseCreateQueue(Permission permission, 
Object... parameters)
+       {
+        if(_fullVHostAccess)
+        {
+            //user has been granted full access to the vhost
+            return AuthzResult.ALLOWED;
+        }
+
+        Map createRights = (Map) _permissions.get(permission);
 
                // If there are no create rights then deny request
                if (createRights == null)
@@ -549,8 +584,15 @@
                }
        }
 
-       private AuthzResult authoriseBind(Object... parameters) {
-               Exchange exchange = (Exchange) parameters[1];
+       private AuthzResult authoriseBind(Object... parameters)
+       {
+        if(_fullVHostAccess)
+        {
+            //user has been granted full access to the vhost
+            return AuthzResult.ALLOWED;
+        }
+           
+        Exchange exchange = (Exchange) parameters[1];
 
                AMQQueue bind_queueName = (AMQQueue) parameters[2];
                AMQShortString routingKey = (AMQShortString) parameters[3];

Modified: 
qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java
URL: 
http://svn.apache.org/viewvc/qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java?rev=830577&r1=830576&r2=830577&view=diff
==============================================================================
--- 
qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java
 (original)
+++ 
qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java
 Wed Oct 28 15:28:03 2009
@@ -85,8 +85,29 @@
         processConsume(config);
 
         processCreate(config);
+        
+        processAccess(config);
     }
 
+    private void processAccess(Configuration config)
+    {
+        Configuration accessConfig = 
config.subset("access_control_list.access");
+        
+        if(accessConfig.isEmpty())
+        {
+            //there is no access configuration to process
+            return;
+        }
+        
+        // Process users that have full access permission
+        String[] users = accessConfig.getStringArray("users.user");
+
+        for (String user : users)
+        {
+            grant(Permission.ACCESS, user);
+        }
+    }
+    
     /**
      * Publish format takes Exchange + Routing Key Pairs
      * 
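Review bot: processAccess hands out the broadest right in the ACL model without leaving any trace: each name under `access_control_list.access.users.user` goes straight to `grant(Permission.ACCESS, user)`, with no log entry and no check that the name is non-blank. Because this grant lets the user bypass every other rule in the file, an operator auditing the broker should be able to see it at startup; I would log one line per user at info level through whatever logger this class already uses, and skip entries where `user.trim().length() == 0`. A Javadoc on processAccess stating that listed users receive full rights on the virtual host, not merely permission to connect, would match the Javadoc style of the publish-format method that follows.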

Modified: 
qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java
URL: 
http://svn.apache.org/viewvc/qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java?rev=830577&r1=830576&r2=830577&view=diff
==============================================================================
--- 
qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java
 (original)
+++ 
qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java
 Wed Oct 28 15:28:03 2009
@@ -165,4 +165,37 @@
         assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.PUBLISH, 
authArgs));
     }
     
+    public void testVhostAccess()
+    {
+        //Tests that granting a user Virtualhost level access allows all 
authorisation requests
+        //where previously they would be denied 
+        
+        //QPID-2133 createExchange rights currently allow all exchange 
creation unless rights for creating some
+        //specific exchanges are granted. Grant a specific exchange creation 
to cause all others to be denied.
+        Object[] createArgsCreateExchange = new Object[]{new 
AMQShortString("madeup"), _exchangeType};
+        Object[] authArgsCreateExchange = new 
Object[]{_exchangeName,_exchangeType};
+        assertEquals("Exchange creation was not allowed", AuthzResult.ALLOWED, 
_perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange));
+        _perms.grant(Permission.CREATEEXCHANGE, createArgsCreateExchange);
+        
+        Object[] authArgsPublish = new Object[]{_exchange, _routingKey};       
 
+        Object[] authArgsConsume = new Object[]{_queue};
+        Object[] authArgsCreateQueue = new Object[]{_autoDelete, _queueName};
+        QueueBindBodyImpl bind = new QueueBindBodyImpl(_ticket, _queueName, 
_exchangeName, _routingKey, _nowait, _arguments);
+        Object[] authArgsBind = new Object[]{bind, _exchange, _queue, 
_routingKey};
+        
+        assertEquals("Exchange creation was not denied", AuthzResult.DENIED, 
_perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange));
+        assertEquals("Publish was not denied", AuthzResult.DENIED, 
_perms.authorise(Permission.PUBLISH, authArgsPublish));
+        assertEquals("Consume creation was not denied", AuthzResult.DENIED, 
_perms.authorise(Permission.CONSUME, authArgsConsume));
+        assertEquals("Queue creation was not denied", AuthzResult.DENIED, 
_perms.authorise(Permission.CREATEQUEUE, authArgsCreateQueue));
+        //BIND pre-grant authorise check disabled due to QPID-1597
+        //assertEquals("Binding creation was not denied", AuthzResult.DENIED, 
_perms.authorise(Permission.BIND, authArgsBind));
+        
+        _perms.grant(Permission.ACCESS);
+
+        assertEquals("Exchange creation was not allowed", AuthzResult.ALLOWED, 
_perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange));
+        assertEquals("Publish was not allowed", AuthzResult.ALLOWED, 
_perms.authorise(Permission.PUBLISH, authArgsPublish));
+        assertEquals("Consume creation was not allowed", AuthzResult.ALLOWED, 
_perms.authorise(Permission.CONSUME, authArgsConsume));
+        assertEquals("Queue creation was not allowed", AuthzResult.ALLOWED, 
_perms.authorise(Permission.CREATEQUEUE, authArgsCreateQueue));
+        assertEquals("Binding creation was not allowed", AuthzResult.ALLOWED, 
_perms.authorise(Permission.BIND, authArgsBind));
+    }
 }
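Review bot: The post-grant BIND assertion at the end of testVhostAccess does not show that the ACCESS grant had any effect, because its pre-grant counterpart is commented out with a reference to QPID-1597. If BIND is already ALLOWED before `_perms.grant(Permission.ACCESS)`, as that comment suggests, the final `assertEquals("Binding creation was not allowed", ...)` passes with or without the new guard in authoriseBind. A comment beside that assertion such as `// not discriminating until QPID-1597 is fixed; re-enable the DENIED check above then` would keep the gap visible. The test also exercises only the five permissions that received the guard; whether others should be covered cannot be judged from this diff.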

Modified: 
qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java
URL: 
http://svn.apache.org/viewvc/qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java?rev=830577&r1=830576&r2=830577&view=diff
==============================================================================
--- 
qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java
 (original)
+++ 
qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java
 Wed Oct 28 15:28:03 2009
@@ -102,7 +102,51 @@
             fail("Connection was not created due to:" + e);
         }
     }
+    
+    public void testAccessVhostAuthorisedGuest() throws IOException, Exception
+    {
+        //The 'guest' user normally has no access, as tested below in 
testAccessNoRights(), and so is unable to perform
+        //actions such as connecting (and by extension, creating a queue, and 
consuming from a queue etc). In order to test
+        //the vhost-wide 'access' right, we will now give the guest user 
'access' ACL rights and perform various such actions.
+        
setConfigurationProperty("virtualhosts.virtualhost.test.security.access_control_list.access.users.user",
 "guest");
+
+        setUpACLTest();
+        
+        try
+        {
+            //get a connection
+            Connection conn = getConnection("guest", "guest");
+            ((AMQConnection) conn).setConnectionListener(this);
+
+            Session sesh = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+
+            conn.start();
 
+            //create Queues and consumers for each
+            Queue namedQueue = sesh.createQueue("vhostAccessCreatedQueue" + 
getTestQueueName());
+            Queue tempQueue = sesh.createTemporaryQueue();
+            MessageConsumer consumer = sesh.createConsumer(namedQueue);
+            MessageConsumer tempConsumer = sesh.createConsumer(tempQueue);
+
+            //send a message to each queue (also causing an exchange declare)
+            MessageProducer sender = ((AMQSession)sesh).createProducer(null);
+            ((org.apache.qpid.jms.MessageProducer) sender).send(namedQueue, 
sesh.createTextMessage("test"),
+                                                                
DeliveryMode.NON_PERSISTENT, 0, 0L, false, false, true);
+            ((org.apache.qpid.jms.MessageProducer) sender).send(tempQueue, 
sesh.createTextMessage("test"),
+                                                                
DeliveryMode.NON_PERSISTENT, 0, 0L, false, false, true);
+
+            //consume the messages from the queues
+            consumer.receive(2000);
+            tempConsumer.receive(2000);
+
+            conn.close();
+        }
+        catch (Exception e)
+        {
+            fail("Test failed due to:" + e.getMessage());
+        }
+    }
+    
     public void testAccessNoRights() throws Exception
     {
        setUpACLTest();
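Review bot: The results of `consumer.receive(2000)` and `tempConsumer.receive(2000)` are discarded, so testAccessVhostAuthorisedGuest passes even when neither message arrives. If a publish or consume denial surfaces asynchronously rather than as an exception from the calling method (an assumption; the broker side is not visible here), this test would not notice it. Asserting the results closes that gap: `assertNotNull("No message received from named queue", consumer.receive(2000));` and the same for `tempConsumer`. Separately, `conn.close()` is skipped when an earlier call throws and `fail("Test failed due to:" + e.getMessage())` drops the stack trace; since the method already declares `throws Exception`, the catch block could simply go. The hunk ends inside testAccessNoRights, which is unchanged.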



---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:commits-subscr...@qpid.apache.org
