activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From chir...@apache.org
Subject svn commit: r1073002 - in /activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security: AclAuthorizer.scala CertificateLoginModule.scala FileGroupLoginModule.scala
Date Mon, 21 Feb 2011 15:00:54 GMT
Author: chirino
Date: Mon Feb 21 15:00:53 2011
New Revision: 1073002

URL: http://svn.apache.org/viewvc?rev=1073002&view=rev
Log:
Added logging statements so that we can tell why a user action gets rejected.

Modified:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala?rev=1073002&r1=1073001&r2=1073002&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/AclAuthorizer.scala
Mon Feb 21 15:00:53 2011
@@ -16,10 +16,11 @@
  */
 package org.apache.activemq.apollo.broker.security
 
-import scala.util.continuations._
-import org.apache.activemq.apollo.util.path.Path
 import org.apache.activemq.apollo.broker.{Connector, VirtualHost, Broker}
 import org.apache.activemq.apollo.dto._
+import org.apache.activemq.apollo.util.Log
+
+object AclAuthorizer extends Log
 
 /**
  * <p>
@@ -31,75 +32,70 @@ import org.apache.activemq.apollo.dto._
  */
 class AclAuthorizer(val default_kinds:List[String]) extends Authorizer {
   import collection.JavaConversions._
+  import AclAuthorizer._
 
   def is_in(ctx: SecurityContext, allowed:java.util.List[PrincipalDTO]):Boolean = {
     ctx.is_allowed(allowed.toList, default_kinds)
   }
 
-  def can_admin(ctx: SecurityContext, broker: Broker) = {
-    if( broker.config.acl!=null ) {
-      is_in(ctx, broker.config.acl.admins)
-    } else {
-      true
+  def log_on_failure(ctx: SecurityContext, action: String, resource: =>String)(func: =>Boolean):Boolean
= {
+    val rc = func
+    if( !rc ) {
+      debug("Authorization failed: '%s' does not have %s access on %s", ctx.user, action,
resource)
     }
+    rc
+  }
+
+  def can_admin(ctx: SecurityContext, broker: Broker) = log_on_failure(ctx, "administration",
"broker") {
+    broker.config.acl==null  || is_in(ctx, broker.config.acl.admins)
   }
 
   def can_connect_to(ctx: SecurityContext, host: VirtualHost, connector:Connector):Boolean
= {
-    if( host.config.acl!=null && !is_in(ctx, host.config.acl.connects) ) {
-      return false
+    log_on_failure(ctx, "connect", "host "+host.names) {
+      host.config.acl==null || is_in(ctx, host.config.acl.connects)
+    } && log_on_failure(ctx, "connect", "connector "+connector.config.id) {
+      connector.config.acl==null || is_in(ctx, connector.config.acl.connects)
     }
-    if( connector.config.acl!=null && !is_in(ctx, connector.config.acl.connects)
) {
-      return false
-    }
-    true
   }
 
   private def can_dest(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO)(func: TopicAclDTO=>java.util.List[PrincipalDTO])
= {
-    if( dest.acl!=null ) {
-      is_in(ctx, func(dest.acl))
-    } else {
-      true
-    }
+    dest.acl==null || is_in(ctx, func(dest.acl))
   }
 
-  def can_send_to(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = {
+  def can_send_to(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = log_on_failure(ctx,
"send to", "topic "+dest.name) {
     can_dest(ctx, host, dest)(_.sends)
   }
-  def can_receive_from(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = {
+  def can_receive_from(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = log_on_failure(ctx,
"receive from", "topic "+dest.name) {
     can_dest(ctx, host, dest)(_.receives)
   }
-  def can_destroy(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = {
+  def can_destroy(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = log_on_failure(ctx,
"destroy", "topic "+dest.name) {
     can_dest(ctx, host, dest)(_.destroys)
   }
-  def can_create(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = {
+  def can_create(ctx: SecurityContext, host: VirtualHost, dest: TopicDTO) = log_on_failure(ctx,
"create", "topic "+dest.name) {
     can_dest(ctx, host, dest)(_.creates)
   }
 
   private def can_queue(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO)(func: QueueAclDTO=>java.util.List[PrincipalDTO])
= {
-    if( queue.acl!=null ) {
-      is_in(ctx, func(queue.acl))
-    } else {
-      true
-    }
+    queue.acl==null || is_in(ctx, func(queue.acl))
   }
 
-  def can_send_to(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+  def can_send_to(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx,
"send to", "queue "+queue.name) {
     can_queue(ctx, host, queue)(_.sends)
   }
 
-  def can_receive_from(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+  def can_receive_from(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx,
"receive from", "queue "+queue.name) {
     can_queue(ctx, host, queue)(_.receives)
   }
 
-  def can_destroy(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+  def can_destroy(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx,
"destroy", "queue "+queue.name) {
     can_queue(ctx, host, queue)(_.destroys)
   }
 
-  def can_create(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+  def can_create(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx,
"create", "queue "+queue.name) {
     can_queue(ctx, host, queue)(_.creates)
   }
 
-  def can_consume_from(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = {
+  def can_consume_from(ctx: SecurityContext, host: VirtualHost, queue: QueueDTO) = log_on_failure(ctx,
"consume from", "queue "+queue.name) {
     can_queue(ctx, host, queue)(_.consumes)
   }
 

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala?rev=1073002&r1=1073001&r2=1073002&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/CertificateLoginModule.scala
Mon Feb 21 15:00:53 2011
@@ -30,7 +30,7 @@ import org.yaml.snakeyaml.Yaml
 import org.apache.activemq.apollo.util.{FileSupport, Log}
 import java.lang.String
 import org.apache.activemq.jaas.{UserPrincipal, CertificateCallback}
-import java.util.{LinkedList, Properties, HashSet}
+import java.util.LinkedList
 
 /**
  * <p>
@@ -98,6 +98,7 @@ class CertificateLoginModule {
     file match {
       case None =>
         for (cert <- certificates) {
+          debug("Adding certificiate principal: '%s'", cert.getSubjectX500Principal.getName)
           principals.add(cert.getSubjectX500Principal)
         }
 
@@ -120,8 +121,12 @@ class CertificateLoginModule {
             val alias = users.get(dn)
             if( alias!=null ) {
               principals.add(new UserPrincipal(alias.toString))
+              debug("Adding user principal: '%s'", alias.toString)
             }
             principals.add(cert.getSubjectX500Principal)
+            debug("Adding certificiate principal: '%s'", dn)
+          } else {
+            debug("Distinguished name: '%s' not found in dn file", dn)
           }
         }
 

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala?rev=1073002&r1=1073001&r2=1073002&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/FileGroupLoginModule.scala
Mon Feb 21 15:00:53 2011
@@ -121,14 +121,15 @@ class FileGroupLoginModule extends Login
       val group_name = en.nextElement().asInstanceOf[String]
       val users = groups.getProperty(group_name).split(Pattern.quote(separator)).map(_.trim)
       users.foreach { x =>
+        debug("Searching for groups with member: '%s'", x)
         if ( principles.contains(x) ) {
           principals.add(new GroupPrincipal(group_name))
+          debug("Added group principal: '%s'", group_name)
         }
       }
     }
 
     subject.getPrincipals().addAll(principals)
-    debug("commit")
     return true
   }
 



Mime
View raw message