IGNITE-5077 - Support service security permissions backport from master (cherry picked from commit 6236b5f)
Project: http://git-wip-us.apache.org/repos/asf/ignite/repo Commit: http://git-wip-us.apache.org/repos/asf/ignite/commit/f9ecacc6 Tree: http://git-wip-us.apache.org/repos/asf/ignite/tree/f9ecacc6 Diff: http://git-wip-us.apache.org/repos/asf/ignite/diff/f9ecacc6 Branch: refs/heads/ignite-5232-1.7.2 Commit: f9ecacc625b458539775e6550bd9b7613ed38f21 Parents: bf10497 Author: dkarachentsev <dkarachent...@gridgain.com> Authored: Fri Apr 28 11:46:23 2017 +0300 Committer: dkarachentsev <dkarachent...@gridgain.com> Committed: Fri Apr 28 12:21:13 2017 +0300 ---------------------------------------------------------------------- .../processors/security/SecurityContext.java | 9 ++++++ .../service/GridServiceProcessor.java | 11 +++++++ .../security/SecurityBasicPermissionSet.java | 17 +++++++++++ .../plugin/security/SecurityPermission.java | 13 ++++++-- .../plugin/security/SecurityPermissionSet.java | 8 +++++ .../security/SecurityPermissionSetBuilder.java | 19 ++++++++++++ .../SecurityPermissionSetBuilderTest.java | 32 ++++++++++++++++---- .../junits/spi/GridSpiAbstractTest.java | 5 +++ 8 files changed, 106 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ignite/blob/f9ecacc6/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java index ef46713..bf5894e 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java @@ -48,6 +48,15 @@ public interface SecurityContext { public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm); /** + * Checks whether service operation is allowed. + * + * @param srvcName Service name. + * @param perm Permission to check. + * @return {@code True} if task operation is allowed. + */ + public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm); + + /** * Checks whether system-wide permission is allowed (excluding Visor task operations). * * @param perm Permission to check. http://git-wip-us.apache.org/repos/asf/ignite/blob/f9ecacc6/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java index 2a363e2..d7b9abc 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/service/GridServiceProcessor.java @@ -92,6 +92,7 @@ import org.apache.ignite.lang.IgniteFuture; import org.apache.ignite.lang.IgniteProductVersion; import org.apache.ignite.lang.IgniteUuid; import org.apache.ignite.marshaller.Marshaller; +import org.apache.ignite.plugin.security.SecurityPermission; import org.apache.ignite.resources.IgniteInstanceResource; import org.apache.ignite.resources.JobContextResource; import org.apache.ignite.resources.LoggerResource; @@ -496,6 +497,8 @@ public class GridServiceProcessor extends GridProcessorAdapter { validate(cfg); + ctx.security().authorize(cfg.getName(), SecurityPermission.SERVICE_DEPLOY, null); + if (!state.srvcCompatibility) { Marshaller marsh = ctx.config().getMarshaller(); @@ -632,6 +635,8 @@ public class GridServiceProcessor extends GridProcessorAdapter { * @return Future. */ public IgniteInternalFuture<?> cancel(String name) { + ctx.security().authorize(name, SecurityPermission.SERVICE_CANCEL, null); + while (true) { try { GridFutureAdapter<?> fut = new GridFutureAdapter<>(); @@ -780,6 +785,8 @@ public class GridServiceProcessor extends GridProcessorAdapter { */ @SuppressWarnings("unchecked") public <T> T service(String name) { + ctx.security().authorize(name, SecurityPermission.SERVICE_INVOKE, null); + Collection<ServiceContextImpl> ctxs; synchronized (locSvcs) { @@ -844,6 +851,8 @@ public class GridServiceProcessor extends GridProcessorAdapter { @SuppressWarnings("unchecked") public <T> T serviceProxy(ClusterGroup prj, String name, Class<? super T> svcItf, boolean sticky, long timeout) throws IgniteException { + ctx.security().authorize(name, SecurityPermission.SERVICE_INVOKE, null); + if (hasLocalNode(prj)) { ServiceContextImpl ctx = serviceContext(name); @@ -883,6 +892,8 @@ public class GridServiceProcessor extends GridProcessorAdapter { */ @SuppressWarnings("unchecked") public <T> Collection<T> services(String name) { + ctx.security().authorize(name, SecurityPermission.SERVICE_INVOKE, null); + Collection<ServiceContextImpl> ctxs; synchronized (locSvcs) { http://git-wip-us.apache.org/repos/asf/ignite/blob/f9ecacc6/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java index 5b50c56..7521dff 100644 --- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java +++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java @@ -38,6 +38,9 @@ public class SecurityBasicPermissionSet implements SecurityPermissionSet { /** Task permissions. */ private Map<String, Collection<SecurityPermission>> taskPerms = new HashMap<>(); + /** Service permissions. */ + private Map<String, Collection<SecurityPermission>> srvcPerms = new HashMap<>(); + /** System permissions. */ private Collection<SecurityPermission> sysPerms = new ArrayList<>(); @@ -63,6 +66,15 @@ public class SecurityBasicPermissionSet implements SecurityPermissionSet { } /** + * Setter for set service permission map. + * + * @param srvcPerms Service permissions. + */ + public void setServicePermissions(Map<String, Collection<SecurityPermission>> srvcPerms) { + this.srvcPerms = srvcPerms; + } + + /** * Setter for set collection system permission. * * @param sysPerms System permissions. @@ -91,6 +103,11 @@ public class SecurityBasicPermissionSet implements SecurityPermissionSet { } /** {@inheritDoc} */ + @Override public Map<String, Collection<SecurityPermission>> servicePermissions() { + return srvcPerms; + } + + /** {@inheritDoc} */ @Nullable @Override public Collection<SecurityPermission> systemPermissions() { return sysPerms; } http://git-wip-us.apache.org/repos/asf/ignite/blob/f9ecacc6/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java index 9f63c1e..5436161 100644 --- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java +++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermission.java @@ -21,7 +21,7 @@ import org.jetbrains.annotations.Nullable; /** * Supported security permissions within grid. Permissions - * are specified on per-cache or per-task level. + * are specified on per-cache, per-task or per-service level. */ public enum SecurityPermission { /** Cache {@code read} permission. */ @@ -55,7 +55,16 @@ public enum SecurityPermission { ADMIN_CACHE, /** Visor admin operations permissions. */ - ADMIN_OPS; + ADMIN_OPS, + + /** Service deploy permission. */ + SERVICE_DEPLOY, + + /** Service cancel permission. */ + SERVICE_CANCEL, + + /** Service invoke permission. */ + SERVICE_INVOKE; /** Enumerated values. */ private static final SecurityPermission[] VALS = values(); http://git-wip-us.apache.org/repos/asf/ignite/blob/f9ecacc6/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java index 9961501..5e07e42 100644 --- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java +++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSet.java @@ -59,6 +59,14 @@ public interface SecurityPermissionSet extends Serializable, LessNamingBean { public Map<String, Collection<SecurityPermission>> cachePermissions(); /** + * Map of service names to service permissions. Wildcards are allowed at the + * end of service names. + * + * @return Map of service names to service permissions. + */ + public Map<String, Collection<SecurityPermission>> servicePermissions(); + + /** * Collection of system-wide permissions (events enable/disable, Visor task execution). * * @return Collection of system-wide permissions. http://git-wip-us.apache.org/repos/asf/ignite/blob/f9ecacc6/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java index 61ad77c..cf38c0f 100644 --- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java +++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java @@ -57,6 +57,9 @@ public class SecurityPermissionSetBuilder { /** Task permissions.*/ private Map<String, Collection<SecurityPermission>> taskPerms = new HashMap<>(); + /** Service permissions.*/ + private Map<String, Collection<SecurityPermission>> srvcPerms = new HashMap<>(); + /** System permissions.*/ private List<SecurityPermission> sysPerms = new ArrayList<>(); @@ -100,6 +103,21 @@ public class SecurityPermissionSetBuilder { } /** + * Append permission set form {@link org.apache.ignite.IgniteServices service} with {@code name}. + * + * @param name String for map some service to permission set. + * @param perms Permissions. + * @return SecurityPermissionSetBuilder refer to same permission builder. + */ + public SecurityPermissionSetBuilder appendServicePermissions(String name, SecurityPermission... perms) { + validate(toCollection("SERVICE_"), perms); + + append(srvcPerms, name, toCollection(perms)); + + return this; + } + + /** * Append permission set form {@link org.apache.ignite.IgniteCache cache} with {@code name}. * * @param name String for map some cache to permission set. @@ -215,6 +233,7 @@ public class SecurityPermissionSetBuilder { permSet.setDefaultAllowAll(dfltAllowAll); permSet.setCachePermissions(unmodifiableMap(cachePerms)); permSet.setTaskPermissions(unmodifiableMap(taskPerms)); + permSet.setServicePermissions(unmodifiableMap(srvcPerms)); permSet.setSystemPermissions(unmodifiableList(sysPerms)); return permSet; http://git-wip-us.apache.org/repos/asf/ignite/blob/f9ecacc6/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java index f63f9a7..5443cfd 100644 --- a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java +++ b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java @@ -28,6 +28,8 @@ import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest; import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_PUT; import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_READ; import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_REMOVE; +import static org.apache.ignite.plugin.security.SecurityPermission.SERVICE_DEPLOY; +import static org.apache.ignite.plugin.security.SecurityPermission.SERVICE_INVOKE; import static org.apache.ignite.plugin.security.SecurityPermission.TASK_CANCEL; import static org.apache.ignite.plugin.security.SecurityPermission.TASK_EXECUTE; import static org.apache.ignite.plugin.security.SecurityPermission.EVENTS_ENABLE; @@ -41,6 +43,7 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { /** * */ + @SuppressWarnings({"ThrowableNotThrown", "ArraysAsListWithZeroOrOneArgument"}) public void testPermissionBuilder() { SecurityBasicPermissionSet exp = new SecurityBasicPermissionSet(); @@ -56,13 +59,18 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { exp.setTaskPermissions(permTask); + Map<String, Collection<SecurityPermission>> permSrvc = new HashMap<>(); + permSrvc.put("service1", Arrays.asList(SERVICE_DEPLOY)); + permSrvc.put("service2", Arrays.asList(SERVICE_INVOKE)); + + exp.setServicePermissions(permSrvc); + exp.setSystemPermissions(Arrays.asList(ADMIN_VIEW, EVENTS_ENABLE)); final SecurityPermissionSetBuilder permsBuilder = new SecurityPermissionSetBuilder(); assertThrows(log, new Callable<Object>() { - @Override - public Object call() throws Exception { + @Override public Object call() throws Exception { permsBuilder.appendCachePermissions("cache", ADMIN_VIEW); return null; } @@ -71,8 +79,7 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { ); assertThrows(log, new Callable<Object>() { - @Override - public Object call() throws Exception { + @Override public Object call() throws Exception { permsBuilder.appendTaskPermissions("task", CACHE_READ); return null; } @@ -81,8 +88,7 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { ); assertThrows(log, new Callable<Object>() { - @Override - public Object call() throws Exception { + @Override public Object call() throws Exception { permsBuilder.appendSystemPermissions(TASK_EXECUTE, CACHE_PUT); return null; } @@ -90,6 +96,15 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { "you can assign permission only start with [EVENTS_, ADMIN_], but you try TASK_EXECUTE" ); + assertThrows(log, new Callable<Object>() { + @Override public Object call() throws Exception { + permsBuilder.appendSystemPermissions(SERVICE_INVOKE, CACHE_REMOVE); + return null; + } + }, IgniteException.class, + "you can assign permission only start with [EVENTS_, ADMIN_], but you try SERVICE_INVOKE" + ); + permsBuilder.appendCachePermissions( "cache1", CACHE_PUT, CACHE_REMOVE ).appendCachePermissions( @@ -98,12 +113,17 @@ public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest { "task1", TASK_CANCEL ).appendTaskPermissions( "task2", TASK_EXECUTE + ).appendServicePermissions( + "service1", SERVICE_DEPLOY + ).appendServicePermissions( + "service2", SERVICE_INVOKE ).appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE); SecurityPermissionSet actual = permsBuilder.build(); assertEquals(exp.cachePermissions(), actual.cachePermissions()); assertEquals(exp.taskPermissions(), actual.taskPermissions()); + assertEquals(exp.servicePermissions(), actual.servicePermissions()); assertEquals(exp.systemPermissions(), actual.systemPermissions()); assertEquals(exp.defaultAllowAll(), actual.defaultAllowAll()); } http://git-wip-us.apache.org/repos/asf/ignite/blob/f9ecacc6/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java ---------------------------------------------------------------------- diff --git a/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java b/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java index 20b3cf2..0aeff3c 100644 --- a/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java +++ b/modules/core/src/test/java/org/apache/ignite/testframework/junits/spi/GridSpiAbstractTest.java @@ -718,6 +718,11 @@ public abstract class GridSpiAbstractTest<T extends IgniteSpi> extends GridAbstr } /** {@inheritDoc} */ + @Override public Map<String, Collection<SecurityPermission>> servicePermissions() { + return Collections.emptyMap(); + } + + /** {@inheritDoc} */ @Nullable @Override public Collection<SecurityPermission> systemPermissions() { return null; }
