Return-Path: X-Original-To: apmail-geode-commits-archive@minotaur.apache.org Delivered-To: apmail-geode-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2A2A41092A for ; Thu, 27 Aug 2015 12:27:35 +0000 (UTC) Received: (qmail 91485 invoked by uid 500); 27 Aug 2015 12:27:35 -0000 Delivered-To: apmail-geode-commits-archive@geode.apache.org Received: (qmail 91454 invoked by uid 500); 27 Aug 2015 12:27:34 -0000 Mailing-List: contact commits-help@geode.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@geode.incubator.apache.org Delivered-To: mailing list commits@geode.incubator.apache.org Received: (qmail 91445 invoked by uid 99); 27 Aug 2015 12:27:34 -0000 Received: from Unknown (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Aug 2015 12:27:34 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 55AACC0861 for ; Thu, 27 Aug 2015 12:27:34 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.775 X-Spam-Level: * X-Spam-Status: No, score=1.775 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.006, URIBL_BLOCKED=0.001] autolearn=disabled Received: from mx1-eu-west.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id 5V89pQEpwgJe for ; Thu, 27 Aug 2015 12:27:21 +0000 (UTC) Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with SMTP id DF74E2575A for ; Thu, 27 Aug 2015 12:27:18 +0000 (UTC) Received: (qmail 90904 invoked by uid 99); 27 Aug 2015 12:27:18 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Aug 2015 12:27:18 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id D6F88E7E5A; Thu, 27 Aug 2015 12:27:17 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: tushark@apache.org To: commits@geode.incubator.apache.org Date: Thu, 27 Aug 2015 12:27:22 -0000 Message-Id: <3ddb776a630142d584b230dcd221d18c@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [6/6] incubator-geode git commit: GEODE-77 : Integrated Security Code Merge Review board url : https://reviews.apache.org/r/37209/ GEODE-77 : Integrated Security Code Merge Review board url : https://reviews.apache.org/r/37209/ This is manual merge of code from int_security branch. Testing done : JMX RMI-connector testing done from JConsole, Gfsh interactive testing with different roles. DUnits are not yet integrated into open. Adding description about changes done JMX - Key Changes ManagementAgent.java Hooks managementInterceptor when security plugins are configured ManagementInterceptor.java Central interceptor for JMX RMI connector. Each JMX call go through interceptor via MBeanServerWrapper in following fashion jmx(mxbean.op()) -> mbeanServerWrapper -> interceptor -> security plugin -> back to wrapper -> mxbean.op() ResourceOperationContext OperationContext for all m&m resource operations. This returns operation code as RESOURCE (except for data commands) and has additional code called resourceOperationCode which return exact operation requested ResourceOperation This annotation is used to mark mxbean interfaces and commands to corresponding m&m action JMXOperationContext describes mbean operation(getAttr,SetAttr,Op) in terms of ResourceOperationContext. Parses all MXBean annotation and build map used for mapping jmx calls to resource codes CLIOperationContext describes gfsh command(name, params) in terms of ResourceOperationContext Parses all Command annotation and build map used for mapping gfsh command calls to resource codes *MXBean and *Commands Changes Added ResourceOperation annotation REST ADMIN - Key Changes AuthManager gateway to authorize and authenticate REST ADMIN internal/web/controllers/AbstractCommandsController.java Changes for ADMIN REST to add authentication and authorization callbacks Pulse - Key Changes from gemfire side AccessControlMXBean/AccessControlContext This is hidden mbean which opens up authorization end-point for Pulse Pulse will access this mbean to know its authorization levels after connecting with given credentials Any JMX Client can use this mbean to know its (currrent jmx connection) authorization levels REST - Key changes gemfire-web-api - AbstractBaseController.java and other controller classes REST API changes for At & Az DistributionConfig (its impl) New system properties token-service for REST TokenService New interface for REST endpoint which is supposed to give secured token when given Princial RestAPIsOperationContext OperationContext for REST API Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/d511979e Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/d511979e Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/d511979e Branch: refs/heads/feature/GEODE-17 Commit: d511979efbbbd8146f1bd285a4642df87b0a29bb Parents: e040750 Author: tushark Authored: Thu Aug 27 14:58:02 2015 +0530 Committer: tushark Committed: Thu Aug 27 14:58:02 2015 +0530 ---------------------------------------------------------------------- .../cache/operations/OperationContext.java | 70 +- .../operations/RestAPIsOperationContext.java | 64 ++ .../gemfire/distributed/DistributedSystem.java | 10 + .../internal/AbstractDistributionConfig.java | 21 + .../internal/DistributionConfig.java | 29 + .../internal/DistributionConfigImpl.java | 31 + .../gemfire/internal/i18n/LocalizedStrings.java | 3 +- .../internal/security/AuthorizeRequest.java | 12 + .../gemfire/management/CacheServerMXBean.java | 18 +- .../gemfire/management/DiskStoreMXBean.java | 17 +- .../management/DistributedSystemMXBean.java | 16 +- .../management/GatewayReceiverMXBean.java | 5 + .../gemfire/management/GatewaySenderMXBean.java | 8 + .../gemfire/management/LockServiceMXBean.java | 4 + .../gemfire/management/ManagerMXBean.java | 7 + .../gemfire/management/MemberMXBean.java | 11 + .../management/internal/AuthManager.java | 296 ++++++ .../management/internal/ManagementAgent.java | 14 +- .../gemfire/management/internal/RestAgent.java | 151 ++- .../internal/SystemManagementService.java | 10 +- .../internal/cli/commands/ClientCommands.java | 7 +- .../internal/cli/commands/ConfigCommands.java | 6 + .../CreateAlterDestroyRegionCommands.java | 6 + .../internal/cli/commands/DataCommands.java | 4 +- .../internal/cli/commands/DeployCommands.java | 7 + .../cli/commands/DiskStoreCommands.java | 18 +- .../cli/commands/DurableClientCommands.java | 7 + ...ExportImportSharedConfigurationCommands.java | 5 + .../internal/cli/commands/FunctionCommands.java | 8 +- .../internal/cli/commands/GfshHelpCommands.java | 5 + .../cli/commands/HDFSStoreCommands.java | 8 + .../internal/cli/commands/IndexCommands.java | 9 + .../cli/commands/LauncherLifecycleCommands.java | 18 +- .../internal/cli/commands/MemberCommands.java | 5 + .../cli/commands/MiscellaneousCommands.java | 11 +- .../internal/cli/commands/PDXCommands.java | 5 + .../internal/cli/commands/QueueCommands.java | 5 + .../internal/cli/commands/RegionCommands.java | 5 + .../internal/cli/commands/ShellCommands.java | 49 +- .../internal/cli/commands/StatusCommands.java | 4 + .../internal/cli/commands/WanCommands.java | 15 + .../internal/cli/shell/JmxOperationInvoker.java | 64 +- .../internal/security/AccessControl.java | 12 +- .../internal/security/AccessControlContext.java | 14 +- .../internal/security/AccessControlMXBean.java | 6 + .../internal/security/CLIOperationContext.java | 236 +++-- .../internal/security/JMXOperationContext.java | 357 ++++--- .../internal/security/JSONAuthorization.java | 4 +- .../internal/security/MBeanServerWrapper.java | 109 ++- .../security/ManagementInterceptor.java | 495 ++++++---- .../management/internal/security/Resource.java | 9 +- .../internal/security/ResourceConstants.java | 105 +- .../internal/security/ResourceOperation.java | 6 + .../security/ResourceOperationContext.java | 588 +++++++---- .../security/SetAttributesOperationContext.java | 39 + .../controllers/AbstractCommandsController.java | 105 +- .../controllers/ConfigCommandsController.java | 14 +- .../web/controllers/DataCommandsController.java | 18 +- .../DiskStoreCommandsController.java | 11 +- .../controllers/FunctionCommandsController.java | 7 +- .../MiscellaneousCommandsController.java | 8 +- .../web/controllers/WanCommandsController.java | 2 +- .../controllers/WanCommandsController.java.rej | 10 + .../EnvironmentVariablesHandlerInterceptor.java | 86 ++ .../web/http/support/SimpleHttpRequester.java | 105 +- .../web/shell/AbstractHttpOperationInvoker.java | 33 +- .../web/shell/RestHttpOperationInvoker.java | 26 +- .../web/shell/SimpleHttpOperationInvoker.java | 11 +- .../gemfire/security/GeodeTokenService.java | 101 ++ .../gemstone/gemfire/security/TokenService.java | 60 ++ .../extension/mock/MockExtensionCommands.java | 9 + .../internal/cli/CommandManagerJUnitTest.java | 10 + .../internal/cli/GfshParserJUnitTest.java | 12 +- .../shell/GfshExecutionStrategyJUnitTest.java | 7 + .../internal/security/JSONAuthCodeTest.java | 2 +- .../security/ResourceOperationJUnit.java | 968 +++++++++++++------ .../internal/web/controllers/RestTestUtils.java | 10 + .../web/controllers/AbstractBaseController.java | 34 +- .../web/controllers/BaseControllerAdvice.java | 44 +- .../web/controllers/CommonCrudController.java | 83 +- .../controllers/FunctionAccessController.java | 75 +- .../web/controllers/PdxBasedCrudController.java | 118 ++- .../web/controllers/QueryAccessController.java | 139 ++- .../web/security/AuthorizationProvider.java | 295 ++++++ .../security/FunctionExecutionPostAuthzRC.java | 101 ++ .../web/security/RestRequestFilter.java | 241 +++++ gemfire-web-api/src/main/webapp/WEB-INF/web.xml | 10 + 87 files changed, 4661 insertions(+), 1142 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java b/gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java index d25063c..ec0c128 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java @@ -75,13 +75,49 @@ public abstract class OperationContext { private static final byte OP_REMOVEALL = 19; + /** + @since Geode 1.0 + */ private static final byte OP_RESOURCE = 20; - private static final OperationCode[] VALUES = new OperationCode[22]; + private static final byte OP_LIST = 21; + + private static final byte OP_CREATE_QUERY = 22; + + private static final byte OP_UPDATE_QUERY = 23; + + private static final byte OP_DELETE_QUERY = 24; + + private static final OperationCode[] VALUES = new OperationCode[25]; private static final Map OperationNameMap = new HashMap(); /** + * A LIST operation. + * LIST regions, registered functions, named queries in DS. + */ + public static final OperationCode LIST = new OperationCode( + "LIST", OP_LIST); + + /** + * A create parameterized query operation with developer REST APIs. + */ + public static final OperationCode CREATE_QUERY = new OperationCode( + "CREATE_QUERY", OP_CREATE_QUERY); + + /** + * A update parameterized query operation with developer REST APIs. + */ + public static final OperationCode UPDATE_QUERY = new OperationCode( + "UPDATE_QUERY", OP_UPDATE_QUERY); + + /** + * A delete parameterized query operation with developer REST APIs. + */ + public static final OperationCode DELETE_QUERY = new OperationCode( + "DELETE_QUERY", OP_DELETE_QUERY); + + /** * An entry get operation. * * @see Region#get(Object) @@ -223,7 +259,9 @@ public abstract class OperationContext { /** - * A resource operation. See ResourceOperationContext for more details + * A resource operation + * + * @since Geode 1.0 */ public static final OperationCode RESOURCE = new OperationCode( "RESOURCE", OP_RESOURCE); @@ -246,8 +284,36 @@ public abstract class OperationContext { VALUES[opCode] = this; OperationNameMap.put(name, this); } + + /** + * Returns true if this is a list operation for regions, functions and queries. + */ + public boolean isList() { + return (this.opCode == OP_LIST); + } + + /** + * Returns true if this is a create named query operation. + */ + public boolean isCreateQuery() { + return (this.opCode == OP_CREATE_QUERY); + } /** + * Returns true if this is a update named query operation. + */ + public boolean isUpdateQuery() { + return (this.opCode == OP_UPDATE_QUERY); + } + + /** + * Returns true if this is a delete named query operation. + */ + public boolean isDestroyQuery() { + return (this.opCode == OP_DELETE_QUERY); + } + + /** * Returns true if this is a entry get operation. */ public boolean isGet() { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/RestAPIsOperationContext.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/RestAPIsOperationContext.java b/gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/RestAPIsOperationContext.java new file mode 100644 index 0000000..57f56a0 --- /dev/null +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/cache/operations/RestAPIsOperationContext.java @@ -0,0 +1,64 @@ +/*========================================================================= + * Copyright (c) 2002-2014 Pivotal Software, Inc. All Rights Reserved. + * This product is protected by U.S. and international copyright + * and intellectual property laws. Pivotal products are covered by + * more patents listed at http://www.pivotal.io/patents. + *========================================================================= + */ + +package com.gemstone.gemfire.cache.operations; + + +/** + * Encapsulates a REST APIs specific operations for both the pre-operation and + * post-operation cases. + * + * @author Nilkanth Patel + * @since 9.0 + */ +public class RestAPIsOperationContext extends OperationContext { + + private boolean restOperation; + + private OperationCode opCode; + + private String queryId; + private String oqlStatement; + + public RestAPIsOperationContext( OperationCode opCode, boolean restOperation) { + this.opCode = opCode; + this.restOperation = restOperation; + } + + public RestAPIsOperationContext( OperationCode opCode, boolean restOperation, + String queryId, String oqlStatement) { + this.opCode = opCode; + this.restOperation = restOperation; + this.queryId = queryId; + this.oqlStatement = oqlStatement; + } + + /** + * True if the context is for REST APIs specific operation. + */ + public boolean isRestAPIsOperation() { + return this.restOperation; + } + + /** + * Set the REST APIs specific operation flag to true. + */ + public void setRestAPIsOperation() { + this.restOperation = true; + } + + @Override + public OperationCode getOperationCode() { + return this.opCode; + } + + @Override + public boolean isPostOperation() { + return false; + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/DistributedSystem.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/DistributedSystem.java b/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/DistributedSystem.java index b7b2cd8..bc97c34 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/DistributedSystem.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/DistributedSystem.java @@ -587,6 +587,16 @@ import com.gemstone.gemfire.security.GemFireSecurityException; *
Allowed values: jar file:class name
* * + *
+ *
security-rest-token-service
 + *
Description: Token service module name for REST servers that that is + * required to manage tokens. + * Module must implement TokenService interface. + *
+ *
Default: ""
+ *
Allowed values: jar file:class name.method name
+ *
+ * *
* *
delta-propagation
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java b/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java index 472959d..ce75981 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java @@ -1122,6 +1122,14 @@ public abstract class AbstractDistributionConfig return _modifiableDefault(); } + protected void checkSecurityRestTokenService(String value) { + _checkIfModifiable(SECURITY_REST_TOKEN_SERVICE_NAME); + } + + public boolean isSecurityRestTokenServiceModifiable() { + return _modifiableDefault(); + } + protected void checkSecurityClientDHAlgo(String value) { _checkIfModifiable(SECURITY_CLIENT_DHALGO_NAME); } @@ -1586,6 +1594,7 @@ public abstract class AbstractDistributionConfig HTTP_SERVICE_SSL_PROTOCOLS_NAME, HTTP_SERVICE_SSL_CIPHERS_NAME, HTTP_SERVICE_SSL_KEYSTORE_NAME,HTTP_SERVICE_SSL_KEYSTORE_TYPE_NAME,HTTP_SERVICE_SSL_KEYSTORE_PASSWORD_NAME,HTTP_SERVICE_SSL_TRUSTSTORE_NAME,HTTP_SERVICE_SSL_TRUSTSTORE_PASSWORD_NAME, + SECURITY_REST_TOKEN_SERVICE_NAME, OFF_HEAP_MEMORY_SIZE_NAME, LOCK_MEMORY_NAME, DISTRIBUTED_TRANSACTIONS_NAME @@ -1888,6 +1897,8 @@ public abstract class AbstractDistributionConfig this.setHttpServiceSSLTrustStorePassword((String)attValue); } else if (attName.equalsIgnoreCase(START_DEV_REST_API_NAME)) { this.setStartDevRestApi(((Boolean)attValue).booleanValue()); + } else if (attName.equalsIgnoreCase(SECURITY_REST_TOKEN_SERVICE_NAME)) { + this.setSecurityRestTokenService((String)attValue); } else if (attName.equalsIgnoreCase(OFF_HEAP_MEMORY_SIZE_NAME)) { this.setOffHeapMemorySize((String)attValue); } else if (attName.equalsIgnoreCase(LOCK_MEMORY_NAME)) { @@ -2178,6 +2189,8 @@ public abstract class AbstractDistributionConfig return this.getHttpServiceSSLTrustStorePassword(); } else if (attName.equalsIgnoreCase(START_DEV_REST_API_NAME)) { return this.getStartDevRestApi(); + } else if (attName.equalsIgnoreCase(SECURITY_REST_TOKEN_SERVICE_NAME)) { + return this.getSecurityRestTokenService(); } else if (attName.equalsIgnoreCase(OFF_HEAP_MEMORY_SIZE_NAME)) { return this.getOffHeapMemorySize(); } else if (attName.equalsIgnoreCase(LOCK_MEMORY_NAME)) { @@ -2471,6 +2484,8 @@ public abstract class AbstractDistributionConfig return this.isHttpServiceSSLTrustStorePasswordModifiable(); } else if (attName.equalsIgnoreCase(START_DEV_REST_API_NAME)) { return this.isStartDevRestApiModifiable(); + } else if (attName.equalsIgnoreCase(SECURITY_REST_TOKEN_SERVICE_NAME)) { + return this.isSecurityRestTokenServiceModifiable(); } else if (attName.equalsIgnoreCase(LOCK_MEMORY_NAME)) { return this.isLockMemoryModifiable(); } else if (attName.equals(DISTRIBUTED_TRANSACTIONS_NAME)) { @@ -2762,6 +2777,8 @@ public abstract class AbstractDistributionConfig return String.class; } else if (attName.equalsIgnoreCase(START_DEV_REST_API_NAME)) { return Boolean.class; + } else if (attName.equalsIgnoreCase(SECURITY_REST_TOKEN_SERVICE_NAME)) { + return String.class; } else if (attName.equalsIgnoreCase(OFF_HEAP_MEMORY_SIZE_NAME)) { return String.class; } else if (attName.equalsIgnoreCase(LOCK_MEMORY_NAME)) { @@ -3057,6 +3074,10 @@ public abstract class AbstractDistributionConfig LocalizedStrings.AbstractDistributionConfig_SECURITY_CLIENT_AUTHENTICATOR_NAME_0 .toLocalizedString(DEFAULT_SECURITY_CLIENT_AUTHENTICATOR)); + m.put(SECURITY_REST_TOKEN_SERVICE_NAME, + LocalizedStrings.AbstractDistributionConfig_SECURITY_REST_TOKEN_SERVICE_NAME_0 + .toLocalizedString(DEFAULT_SECURITY_REST_TOKEN_SERVICE)); + m.put(SECURITY_CLIENT_DHALGO_NAME, LocalizedStrings.AbstractDistributionConfig_SECURITY_CLIENT_DHALGO_NAME_0 .toLocalizedString(DEFAULT_SECURITY_CLIENT_DHALGO)); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java b/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java index 10094a9..baa6be5 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java @@ -2016,6 +2016,35 @@ public interface DistributionConfig extends Config, LogConfig { public static final String DEFAULT_SECURITY_CLIENT_AUTHENTICATOR = ""; /** + * Returns user module name generating token in "security-rest-token-service" + */ + public String getSecurityRestTokenService(); + + /** + * Sets the user defined method name in "security-rest-token-service" + * property. + */ + public void setSecurityRestTokenService(String attValue); + + /** + * Returns true if the value of the token service method name can + * currently be modified. Some attributes can not be modified while the + * system is running. + */ + public boolean isSecurityRestTokenServiceModifiable(); + + /** The name of factory method for "security-rest-token-service" property */ + public static final String SECURITY_REST_TOKEN_SERVICE_NAME = "security-rest-token-service"; + + /** + * The default REST token service method name. + *

Actual value of this is fully qualified "method name". + */ + public static final String DEFAULT_SECURITY_REST_TOKEN_SERVICE = ""; + + /** * Returns name of algorithm to use for Diffie-Hellman key exchange "security-client-dhalgo" */ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java b/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java index 3707ff3..88b6445 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java @@ -220,6 +220,9 @@ public class DistributionConfigImpl /** The post-processing client authorization method name*/ private String securityClientAccessorPP = DEFAULT_SECURITY_CLIENT_ACCESSOR_PP; + /** The token service method name*/ + private String securityRestTokenService = DEFAULT_SECURITY_REST_TOKEN_SERVICE; + /** * The level at which security related log messages are logged * @@ -557,6 +560,9 @@ public class DistributionConfigImpl this.startDevRestApi = other.getStartDevRestApi(); + // Following added for 8.2 + this.securityRestTokenService = other.getSecurityRestTokenService(); + // following added for 9.0 this.offHeapMemorySize = other.getOffHeapMemorySize(); @@ -1952,6 +1958,10 @@ public class DistributionConfigImpl return securityClientAuthenticator; } + public String getSecurityRestTokenService() { + return securityRestTokenService; + } + public boolean getEnableNetworkPartitionDetection() { return this.enableNetworkPartitionDetection; } @@ -1971,6 +1981,11 @@ public class DistributionConfigImpl securityClientAuthenticator = value; } + public void setSecurityRestTokenService(String value) { + checkSecurityRestTokenService(value); + securityRestTokenService = value; + } + public String getSecurityClientDHAlgo() { return securityClientDHAlgo; } @@ -2851,6 +2866,15 @@ public class DistributionConfigImpl return false; } else if (!userDefinedProps.equals(other.userDefinedProps)) return false; + + + if (securityRestTokenService == null) { + if (other.securityRestTokenService != null) + return false; + } else if (!securityRestTokenService + .equals(other.securityRestTokenService)) + return false; + return true; } @@ -3120,6 +3144,13 @@ public class DistributionConfigImpl + ((userCommandPackages == null) ? 0 : userCommandPackages.hashCode()); result = prime * result + ((userDefinedProps == null) ? 0 : userDefinedProps.hashCode()); + + + result = prime + * result + + ((securityRestTokenService == null) ? 0 : securityRestTokenService + .hashCode()); + return result; } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/internal/i18n/LocalizedStrings.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/internal/i18n/LocalizedStrings.java b/gemfire-core/src/main/java/com/gemstone/gemfire/internal/i18n/LocalizedStrings.java index f5ae3e5..4a35015 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/internal/i18n/LocalizedStrings.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/internal/i18n/LocalizedStrings.java @@ -1285,8 +1285,9 @@ public class LocalizedStrings extends ParentLocalizedStrings { public static final StringId AuthorizeRequestPP_0_NOT_AUTHORIZED_TO_PERFORM_EXECUTE_REGION_FUNCTION_1= new StringIdImpl(4664, "{0}: In post-process: Not authorized to perform EXECUTE_REGION_FUNCTION operation on region [{1}]"); public static final StringId PartitionedRegionLoadModel_INCOMPLETE_COLOCATION= new StringIdImpl(4665, "PartitionedRegionLoadModel - member {0} has incomplete colocation, but it has buckets for some regions. Should have colocated regions {1} but had {2} and contains buckets {3}"); public static final StringId HeapMemoryMonitor_OVERRIDDING_MEMORYPOOLMXBEAN_HEAP_0_NAME_1 = new StringIdImpl(4666, "Overridding MemoryPoolMXBean heap threshold bytes {0} on pool {1}"); + public static final StringId AbstractDistributionConfig_SECURITY_REST_TOKEN_SERVICE_NAME_0 = new StringIdImpl(4667, "User defined fully qualified method name of a class implementing the TokenService interface for REST client verification. Defaults to \"{0}\". Legal values can be any \"method name\" of a static method that is present in the classpath."); - // 4667-4668 is UNUSED. + // 4668 is UNUSED. public static final StringId MemoryMonitor_MEMBER_ABOVE_CRITICAL_THRESHOLD = new StringIdImpl(4669, "Member: {0} above {1} critical threshold"); public static final StringId MemoryMonitor_MEMBER_ABOVE_HIGH_THRESHOLD = new StringIdImpl(4670, "Member: {0} above {1} eviction threshold"); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/internal/security/AuthorizeRequest.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/internal/security/AuthorizeRequest.java b/gemfire-core/src/main/java/com/gemstone/gemfire/internal/security/AuthorizeRequest.java index 8ba07a2..364f6be 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/internal/security/AuthorizeRequest.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/internal/security/AuthorizeRequest.java @@ -93,6 +93,18 @@ public class AuthorizeRequest { return this.authzCallback; } + public Principal getPrincipal() { + return principal; + } + + public boolean isPrincipalSerializable() { + return isPrincipalSerializable; + } + + public LogWriterI18n getLogger() { + return logger; + } + public GetOperationContext getAuthorize(String regionName, Object key, Object callbackArg) throws NotAuthorizedException { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/CacheServerMXBean.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/CacheServerMXBean.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/CacheServerMXBean.java index 59f6537..9e4954d 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/CacheServerMXBean.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/CacheServerMXBean.java @@ -1,14 +1,9 @@ -/* - * ========================================================================= - * Copyright (c) 2002-2014 Pivotal Software, Inc. All Rights Reserved. - * This product is protected by U.S. and international copyright - * and intellectual property laws. Pivotal products are covered by - * more patents listed at http://www.pivotal.io/patents. - * ======================================================================== - */ package com.gemstone.gemfire.management; import com.gemstone.gemfire.cache.server.CacheServer; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /** * MBean that provides access to information and management functionality for a @@ -271,6 +266,7 @@ public interface CacheServerMXBean { * @param indexName * Name of the index to be removed. */ + @ResourceOperation(resource=Resource.REGION, operation=ResourceConstants.DESTROY_INDEX) public void removeIndex(String indexName) throws Exception; /** @@ -287,7 +283,8 @@ public interface CacheServerMXBean { * target cache server - other copies of the CQ on other servers are * not affected. Using the client side CQ methods to modify a CQ. */ - @Deprecated + @Deprecated + @ResourceOperation(resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.QUERY) public void executeContinuousQuery(String queryName) throws Exception; /** @@ -301,6 +298,7 @@ public interface CacheServerMXBean { * not affected. Using the client side CQ methods to modify a CQ. */ @Deprecated + @ResourceOperation(resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.STOP_CONTINUOUS_QUERY) public void stopContinuousQuery(String queryName) throws Exception; /** @@ -313,6 +311,7 @@ public interface CacheServerMXBean { * not affected. Using the client side CQ methods to modify a CQ. */ @Deprecated + @ResourceOperation(resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.STOP_CONTINUOUS_QUERY) public void closeAllContinuousQuery(String regionName) throws Exception; @@ -326,6 +325,7 @@ public interface CacheServerMXBean { * not affected. Using the client side CQ methods to modify a CQ. */ @Deprecated + @ResourceOperation(resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.STOP_CONTINUOUS_QUERY) public void closeContinuousQuery(String queryName) throws Exception; http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/DiskStoreMXBean.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/DiskStoreMXBean.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/DiskStoreMXBean.java index f14d16c..cf2ea91 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/DiskStoreMXBean.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/DiskStoreMXBean.java @@ -1,14 +1,9 @@ -/* - * ========================================================================= - * Copyright (c) 2002-2014 Pivotal Software, Inc. All Rights Reserved. - * This product is protected by U.S. and international copyright - * and intellectual property laws. Pivotal products are covered by - * more patents listed at http://www.pivotal.io/patents. - * ======================================================================== - */ package com.gemstone.gemfire.management; import com.gemstone.gemfire.cache.DiskStore; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /** @@ -149,6 +144,7 @@ public interface DiskStoreMXBean { * compaction is true then the application will wait for the other op-logs to * be compacted and additional space is available. */ + @ResourceOperation(resource=Resource.DISKSTORE, operation=ResourceConstants.FORCE_ROLL) public void forceRoll(); /** @@ -162,12 +158,14 @@ public interface DiskStoreMXBean { * that no op-logs were ready to be compacted or that a compaction was * already in progress. */ + @ResourceOperation(resource=Resource.DISKSTORE, operation=ResourceConstants.FORCE_COMPACTION) public boolean forceCompaction(); /** * Causes any data that is currently in the asynchronous queue to be written * to disk. Does not return until the flush is complete. */ + @ResourceOperation(resource=Resource.DISKSTORE, operation=ResourceConstants.FLUSH_DISKSTORE) public void flush(); /** @@ -193,6 +191,7 @@ public interface DiskStoreMXBean { * * @param warningPercent the warning percent */ + @ResourceOperation(resource=Resource.DISKSTORE, operation=ResourceConstants.SET_DISK_USAGE) public void setDiskUsageWarningPercentage(float warningPercent); /** @@ -200,5 +199,7 @@ public interface DiskStoreMXBean { * * @param criticalPercent the critical percent */ + @ResourceOperation(resource=Resource.DISKSTORE, operation=ResourceConstants.SET_DISK_USAGE) public void setDiskUsageCriticalPercentage(float criticalPercent); + } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java index f0a0a79..6ac2556 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java @@ -153,7 +153,7 @@ public interface DistributedSystemMXBean { * Minimum level for alerts to be delivered. * Must be one of: WARNING, ERROR, SEVERE or NONE. */ - @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.CHANGE_ALERT_LEVEL_DS) + @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.CHANGE_ALERT_LEVEL) public void changeAlertLevel(String alertLevel) throws Exception; /** @@ -236,7 +236,7 @@ public interface DistributedSystemMXBean { * path of the directory for baseline backup. * @return The results of the backup request. */ - @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.BACKUP_DS) + @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.BACKUP_MEMBERS) public DiskBackupStatus backupAllMembers(String targetDirPath, String baselineDirPath) throws Exception; @@ -321,7 +321,7 @@ public interface DistributedSystemMXBean { * * @return List of names of all distributed members that were shutdown. */ - @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.SHUTDOWN_DS) + @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.SHUTDOWN) public String[] shutDownAllMembers() throws Exception; /** @@ -341,7 +341,7 @@ public interface DistributedSystemMXBean { * UUID of the disk store to remove * @return True if the request is successful, false otherwise. */ - @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.REMOVE_DISKSTORE_DS) + @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.REVOKE_MISSING_DISKSTORE) public boolean revokeMissingDiskStores(String diskStoreId) throws Exception; @@ -617,7 +617,7 @@ public interface DistributedSystemMXBean { * will be set. * @return a JSON formated string containing data and its type */ - @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.QUERYDATA_DS) + @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.QUERY) public String queryData(String queryString, String members, int limit) throws Exception; /** @@ -647,7 +647,7 @@ public interface DistributedSystemMXBean { * will be set. * @return a byte[] which is a compressed JSON string. */ - @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.QUERYDATA_DS) + @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.QUERY) public byte[] queryDataForCompressedResult(String queryString, String members, int limit) throws Exception; @@ -673,7 +673,7 @@ public interface DistributedSystemMXBean { */ public int getQueryResultSetLimit(); - @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.QUERYDATA_DS) + @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.QUERY) public void setQueryResultSetLimit(int queryResultSetLimit); /** @@ -683,6 +683,6 @@ public interface DistributedSystemMXBean { */ public int getQueryCollectionsDepth(); - @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.QUERYDATA_DS) + @ResourceOperation( resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.QUERY) public void setQueryCollectionsDepth(int queryCollectionsDepth); } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewayReceiverMXBean.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewayReceiverMXBean.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewayReceiverMXBean.java index 3e5ba1a..bd58598 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewayReceiverMXBean.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewayReceiverMXBean.java @@ -9,6 +9,9 @@ package com.gemstone.gemfire.management; import com.gemstone.gemfire.cache.wan.GatewayReceiver; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /** * MBean that provides access to information and management functionality for a @@ -81,11 +84,13 @@ public interface GatewayReceiverMXBean { /** * Starts the gateway receiver. */ + @ResourceOperation(resource=Resource.GATEWAY_RECEIVER, operation=ResourceConstants.START_GW_RECEIVER) public void start() throws Exception; /** * Stops the gateway receiver. */ + @ResourceOperation(resource=Resource.GATEWAY_RECEIVER, operation=ResourceConstants.STOP_GW_RECEIVER) public void stop() throws Exception; /** http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewaySenderMXBean.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewaySenderMXBean.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewaySenderMXBean.java index b6c5219..44e82b4 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewaySenderMXBean.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/GatewaySenderMXBean.java @@ -9,6 +9,9 @@ package com.gemstone.gemfire.management; import com.gemstone.gemfire.cache.wan.GatewaySender; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /** * MBean that provides access to information and management functionality for a @@ -163,26 +166,31 @@ public interface GatewaySenderMXBean { * configuration cannot be changed. * */ + @ResourceOperation(resource=Resource.GATEWAY_SENDER, operation=ResourceConstants.START_GW_SENDER) public void start(); /** * Stops this GatewaySender. */ + @ResourceOperation(resource=Resource.GATEWAY_SENDER, operation=ResourceConstants.STOP_GW_SENDER) public void stop(); /** * Pauses this GatewaySender. */ + @ResourceOperation(resource=Resource.GATEWAY_SENDER, operation=ResourceConstants.PAUSE_GW_SENDER) public void pause(); /** * Resumes this paused GatewaySender. */ + @ResourceOperation(resource=Resource.GATEWAY_SENDER, operation=ResourceConstants.RESUME_GW_SENDER) public void resume(); /** * Rebalances this GatewaySender. */ + @ResourceOperation(resource=Resource.GATEWAY_SENDER, operation=ResourceConstants.LOAD_BALANCE_GW_SENDER) public void rebalance(); /** http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/LockServiceMXBean.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/LockServiceMXBean.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/LockServiceMXBean.java index e53d50a..14b7e09 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/LockServiceMXBean.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/LockServiceMXBean.java @@ -11,6 +11,9 @@ package com.gemstone.gemfire.management; import java.util.Map; import com.gemstone.gemfire.distributed.internal.locks.DLockService; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /** * MBean that provides access to information and management functionality for a @@ -61,6 +64,7 @@ public interface LockServiceMXBean { /** * Requests that this member become the granter. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.BECOME_LOCK_GRANTOR) public void becomeLockGrantor(); /** http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/ManagerMXBean.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/ManagerMXBean.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/ManagerMXBean.java index 04fda7e..be4dd37 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/ManagerMXBean.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/ManagerMXBean.java @@ -11,6 +11,9 @@ package com.gemstone.gemfire.management; import javax.management.JMException; import com.gemstone.gemfire.management.internal.Manager; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /** @@ -35,6 +38,7 @@ public interface ManagerMXBean { * * @return True if the manager service was successfully started, false otherwise. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.START_MANAGER) public boolean start() throws JMException; /** @@ -42,6 +46,7 @@ public interface ManagerMXBean { * * @return True if the manager service was successfully stopped, false otherwise. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.STOP_MANAGER) public boolean stop() throws JMException; /** @@ -55,6 +60,7 @@ public interface ManagerMXBean { * @param pulseURL * The URL for the Pulse application. */ + @ResourceOperation(resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.LIST_DS) public void setPulseURL(String pulseURL); /** @@ -71,5 +77,6 @@ public interface ManagerMXBean { * @param message * The status message. */ + @ResourceOperation(resource=Resource.DISTRIBUTED_SYSTEM, operation=ResourceConstants.LIST_DS) public void setStatusMessage(String message); } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java index e935fcd..941d54b 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java @@ -11,6 +11,9 @@ package com.gemstone.gemfire.management; import java.util.Map; import com.gemstone.gemfire.distributed.DistributedMember; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /** @@ -137,6 +140,7 @@ public interface MemberMXBean { * @param numberOfLines * Number of lines to return, up to a maximum of 100. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.SHOW_LOG) public String showLog(int numberOfLines); /** @@ -152,6 +156,7 @@ public interface MemberMXBean { * * @return A list of names of the disk stores that were compacted. */ + @ResourceOperation(resource=Resource.DISKSTORE, operation=ResourceConstants.COMPACT_DISKSTORE) public String[] compactAllDiskStores(); /** @@ -159,12 +164,14 @@ public interface MemberMXBean { * * @return True if the Manager MBean was successfully create, false otherwise. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.CREATE_MANAGER) public boolean createManager(); /** * Shuts down the member. This is an asynchronous call and it will * return immediately without waiting for a result. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.SHUTDOWN) public void shutDownMember(); /** @@ -185,6 +192,7 @@ public interface MemberMXBean { * * @return Result of the execution in JSON format. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.LIST_DS) String processCommand(String commandString); /** @@ -196,6 +204,7 @@ public interface MemberMXBean { * Environmental properties to use during command execution. * @return Result of the execution in JSON format. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.LIST_DS) String processCommand(String commandString, Map env); /** @@ -209,6 +218,7 @@ public interface MemberMXBean { * Binary data specific to the command being executed. * @return Result of the execution in JSON format. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.LIST_DS) String processCommand(String commandString, Map env, Byte[][] binaryData); /** @@ -265,6 +275,7 @@ public interface MemberMXBean { /** * Returns the status. */ + @ResourceOperation(resource=Resource.MEMBER, operation=ResourceConstants.LIST_DS) public String status(); /** http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/AuthManager.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/AuthManager.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/AuthManager.java new file mode 100644 index 0000000..fb68c29 --- /dev/null +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/AuthManager.java @@ -0,0 +1,296 @@ +/*========================================================================= + * Copyright (c) 2002-2014 Pivotal Software, Inc. All Rights Reserved. + * This product is protected by U.S. and international copyright + * and intellectual property laws. Pivotal products are covered by + * more patents listed at http://www.pivotal.io/patents. + *========================================================================= + */ + +package com.gemstone.gemfire.management.internal; + +import static com.gemstone.gemfire.management.internal.security.ResourceConstants.ACCESS_DENIED_MESSAGE; + +import java.lang.reflect.Method; +import java.security.Principal; +import java.util.Map; +import java.util.Properties; +import java.util.concurrent.ConcurrentHashMap; + +import com.gemstone.gemfire.GemFireConfigException; +import com.gemstone.gemfire.cache.Cache; +import com.gemstone.gemfire.cache.operations.OperationContext; +import com.gemstone.gemfire.distributed.DistributedMember; +import com.gemstone.gemfire.distributed.DistributedSystem; +import com.gemstone.gemfire.distributed.internal.DistributionConfig; +import com.gemstone.gemfire.i18n.LogWriterI18n; +import com.gemstone.gemfire.internal.ClassLoadUtil; +import com.gemstone.gemfire.internal.i18n.LocalizedStrings; +import com.gemstone.gemfire.internal.logging.InternalLogWriter; +import com.gemstone.gemfire.security.AccessControl; +import com.gemstone.gemfire.security.AuthenticationFailedException; +import com.gemstone.gemfire.security.AuthenticationRequiredException; +import com.gemstone.gemfire.security.Authenticator; +import com.gemstone.gemfire.internal.lang.StringUtils; + + +/** + * This class acts as a single gateway to authorize and authenticate REST ADMIN + * APIS. This stores credentials against CommandAuthZRequest object which is + * used to identify a particular client. As REST requests are state less we need + * to store this map to avoid re-authenticating same client on subsequent + * requests. However this map needs to be purged and cleaned up on some expiry + * policy. + * + * + * @author rishim + * + */ +public class AuthManager { + + private Map authMap = new ConcurrentHashMap(); + + private Cache cache; + + private final LogWriterI18n logger; + + private long DEFAULT_EXPIRY_TIME = 30; // in minutes + + private long EXPIRY_TIME ; + + String authzFactoryName; + + String postAuthzFactoryName; + + public static String EXPIRY_TIME_FOR_REST_ADMIN_AUTH = "gemfire.expriyTimeForRESTAdminAuth"; + + public AuthManager(Cache cache) { + this.cache = cache; + this.logger = cache.getSecurityLoggerI18n(); + this.EXPIRY_TIME = Long.getLong(EXPIRY_TIME_FOR_REST_ADMIN_AUTH, DEFAULT_EXPIRY_TIME); + DistributedSystem system = cache.getDistributedSystem(); + Properties sysProps = system.getProperties(); + this.authzFactoryName = sysProps.getProperty(DistributionConfig.SECURITY_CLIENT_ACCESSOR_NAME); + this.postAuthzFactoryName = sysProps.getProperty(DistributionConfig.SECURITY_CLIENT_ACCESSOR_PP_NAME); + } + + private Authenticator getAuthenticator(String authenticatorMethod, Properties securityProperties, + InternalLogWriter logWriter, InternalLogWriter securityLogWriter) throws AuthenticationFailedException { + Authenticator auth; + try { + + Method instanceGetter = ClassLoadUtil.methodFromName(authenticatorMethod); + auth = (Authenticator) instanceGetter.invoke(null, (Object[]) null); + } catch (Exception ex) { + throw new AuthenticationFailedException( + LocalizedStrings.HandShake_FAILED_TO_ACQUIRE_AUTHENTICATOR_OBJECT.toLocalizedString(), ex); + } + if (auth == null) { + throw new AuthenticationFailedException( + LocalizedStrings.HandShake_AUTHENTICATOR_INSTANCE_COULD_NOT_BE_OBTAINED.toLocalizedString()); + } + auth.init(securityProperties, logWriter, securityLogWriter); + return auth; + + } + + public void verifyCredentials(Properties credentials) { + + DistributedSystem system = this.cache.getDistributedSystem(); + Properties sysProps = system.getProperties(); + String authenticator = sysProps.getProperty(DistributionConfig.SECURITY_CLIENT_AUTHENTICATOR_NAME); + + if (authenticator != null && authenticator.length() > 0) { + + CommandAuthZRequest authZRequest = authMap.get(credentials); + + if (authZRequest != null && !authZRequest.hasExpired()) { + return; //Already existing credentials . Return from here + + } else { + Principal principal = verifyCredentials(authenticator, credentials, system.getSecurityProperties(), + (InternalLogWriter) this.cache.getLogger(), (InternalLogWriter) this.cache.getSecurityLogger(), cache + .getDistributedSystem().getDistributedMember()); + + if(authZRequest != null){ //i.e its an expired credential + CommandAuthZRequest expiredAuth = authMap.remove(credentials); + try{ + expiredAuth.close(); + }catch(Exception e){ + logger.error(e);//Don't throw an exception , just logs it + } + } + + authZRequest = new CommandAuthZRequest(principal).init(); + authMap.put(credentials, authZRequest); + } + } + + } + + public void expireAllAuthZ() { + for (CommandAuthZRequest auth : authMap.values()) { + try { + auth.close(); + + } catch (Exception e) { + logger.error(e);// Don't throw an exception , just log it, as it depends on the user code. + }finally{ + authMap.clear(); + } + } + } + + public void authorize(Properties credentials, OperationContext context) { + + if (!StringUtils.isBlank(authzFactoryName)) { + CommandAuthZRequest authZRequest = authMap.get(credentials); + boolean authorized = authZRequest.authorize(context); + if (!authorized) + throw new SecurityException(ACCESS_DENIED_MESSAGE); + } + } + + public void postAuthorize(Properties credentials, OperationContext context) { + if (!StringUtils.isBlank(postAuthzFactoryName)) { + CommandAuthZRequest authZRequest = authMap.get(credentials); + boolean authorized = authZRequest.postAuthorize(context); + if (!authorized) + throw new SecurityException(ACCESS_DENIED_MESSAGE); + } + + } + + private Principal verifyCredentials(String authenticatorMethod, Properties credentials, + Properties securityProperties, InternalLogWriter logWriter, InternalLogWriter securityLogWriter, + DistributedMember member) throws AuthenticationRequiredException, AuthenticationFailedException { + + Authenticator authenticator = getAuthenticator(authenticatorMethod, securityProperties, logWriter, + securityLogWriter); + Principal principal; + + try { + principal = authenticator.authenticate(credentials, member); + } finally { + authenticator.close(); + } + + return principal; + + } + + public class CommandAuthZRequest { + + private Principal principal; + + private AccessControl authzCallback; + + private AccessControl postAuthzCallback; + + private long initTime = System.currentTimeMillis(); + + public CommandAuthZRequest(Principal principal) { + this.principal = principal; + } + + public boolean authorize(OperationContext context) { + if (authzCallback != null) { + return authzCallback.authorizeOperation(null, context); + } + return true; // If no AccessControl is set then always return true + } + + public boolean postAuthorize(OperationContext context) { + if (postAuthzCallback != null) { + return postAuthzCallback.authorizeOperation(null, context); + } + return true; // If no AccessControl is set then always return true + } + + public boolean hasExpired(){ + if(System.currentTimeMillis() - initTime >= EXPIRY_TIME * 60 * 1000){ + return true; + } + return false; + } + + public void close() { + if (authzCallback != null) { + authzCallback.close(); + } + if (postAuthzCallback != null) { + postAuthzCallback.close(); + } + } + + private CommandAuthZRequest init() { + try { + if (!StringUtils.isBlank(authzFactoryName)) { + Method authzMethod = ClassLoadUtil.methodFromName(authzFactoryName); + this.authzCallback = (AccessControl) authzMethod.invoke(null, (Object[]) null); + this.authzCallback.init(principal, null, cache); + } + if (!StringUtils.isBlank(postAuthzFactoryName)) { + Method postAuthzMethod = ClassLoadUtil.methodFromName(postAuthzFactoryName); + this.postAuthzCallback = (AccessControl) postAuthzMethod.invoke(null, (Object[]) null); + this.postAuthzCallback.init(principal, null, cache); + } + } catch (IllegalAccessException e) { + logger.error(e); + throw new GemFireConfigException("Error while configuring accesscontrol for rest resource", e); + } catch (Exception e) { + logger.error(e); + throw new GemFireConfigException("Error while configuring accesscontrol for rest resource", e); + } + return this; + } + + public AccessControl getAuthzCallback() { + return authzCallback; + } + + public AccessControl getPostAuthzCallback() { + return postAuthzCallback; + } + + @Override + public int hashCode() { + final int prime = 31; + int result = 1; + result = prime * result + getOuterType().hashCode(); + result = prime * result + (int) (initTime ^ (initTime >>> 32)); + result = prime * result + ((principal == null) ? 0 : principal.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + CommandAuthZRequest other = (CommandAuthZRequest) obj; + if (!getOuterType().equals(other.getOuterType())) + return false; + if (initTime != other.initTime) + return false; + if (principal == null) { + if (other.principal != null) + return false; + } else if (!principal.equals(other.principal)) + return false; + return true; + } + + private AuthManager getOuterType() { + return AuthManager.this; + } + + } + + public Map getAuthMap() { + return this.authMap; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java index 43bfe73..975bf1b 100755 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java @@ -268,6 +268,11 @@ public class ManagementAgent { // create region to hold query information (queryId, queryString). // Added for the developer REST APIs RestAgent.createParameterizedQueryRegion(); + + //Rest APIs security + if(!StringUtils.isBlank(this.config.SECURITY_CLIENT_AUTHENTICATOR_NAME)){ + RestAgent.createTokenToAuthzRequestRegion(); + } } // set true for HTTP service running @@ -388,9 +393,9 @@ public class ManagementAgent { // Environment map. KIRK: why is this declared as HashMap? final HashMap env = new HashMap(); - boolean integratedSecEnabled = System.getProperty("resource-authenticator") != null; + boolean integratedSecEnabled = isIntegratedSecEnabled(); if (integratedSecEnabled) { - securityInterceptor = new ManagementInterceptor(logger); + securityInterceptor = new ManagementInterceptor((GemFireCacheImpl)CacheFactory.getAnyInstance(), logger); env.put(JMXConnectorServer.AUTHENTICATOR, securityInterceptor); } else { /* Disable the old authenticator mechanism */ @@ -482,6 +487,11 @@ public class ManagementAgent { // final Thread clean = new CleanThread(cs); // clean.start(); } + + private boolean isIntegratedSecEnabled() { + String authenticatorFactoryName = config.getSecurityClientAuthenticator(); + return authenticatorFactoryName != null && !authenticatorFactoryName.isEmpty(); + } private static class GemFireRMIClientSocketFactory implements RMIClientSocketFactory, Serializable { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/RestAgent.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/RestAgent.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/RestAgent.java index 74695ee..714e15e 100755 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/RestAgent.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/RestAgent.java @@ -8,20 +8,29 @@ package com.gemstone.gemfire.management.internal; +import java.security.Principal; +import java.util.List; + import org.apache.logging.log4j.Logger; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.ServerConnector; +import org.springframework.util.Assert; import com.gemstone.gemfire.cache.AttributesFactory; +import com.gemstone.gemfire.cache.Cache; import com.gemstone.gemfire.cache.CacheFactory; import com.gemstone.gemfire.cache.DataPolicy; +import com.gemstone.gemfire.cache.Region; import com.gemstone.gemfire.cache.RegionAttributes; import com.gemstone.gemfire.cache.Scope; import com.gemstone.gemfire.distributed.internal.DistributionConfig; import com.gemstone.gemfire.internal.GemFireVersion; import com.gemstone.gemfire.internal.cache.GemFireCacheImpl; import com.gemstone.gemfire.internal.cache.InternalRegionArguments; +import com.gemstone.gemfire.internal.lang.StringUtils; import com.gemstone.gemfire.internal.logging.LogService; +import com.gemstone.gemfire.internal.security.AuthorizeRequest; +import com.gemstone.gemfire.internal.security.AuthorizeRequestPP; import com.gemstone.gemfire.management.ManagementService; /** @@ -39,7 +48,9 @@ public class RestAgent { private boolean running = false; private final DistributionConfig config; - + + public static final String AUTH_METADATA_REGION = "__TokenToAuthzRequest__"; + public RestAgent(DistributionConfig config) { this.config = config; } @@ -47,13 +58,70 @@ public class RestAgent { public synchronized boolean isRunning() { return this.running; } - - private boolean isManagementRestServiceRunning(GemFireCacheImpl cache) { - final SystemManagementService managementService = (SystemManagementService) ManagementService - .getManagementService(cache); - return (managementService.getManagementAgent() != null && managementService - .getManagementAgent().isHttpServiceRunning()); - + + private static Cache getCache(){ + Cache cache = GemFireCacheImpl.getExisting(); + Assert.state(cache != null, "The Gemfire Cache reference was not properly initialized"); + return cache; + } + + public static Region> getAuthzRegion(final String namePath) { + /* + return ValidationUtils.returnValueThrowOnNull(getCache().>getRegion(namePath), + new GemfireRestException(String.format(" (%1$s) store does not exist!", namePath))); + */ + try{ + return getCache().getRegion(namePath); + }catch(Exception e){ + throw new RuntimeException("AuthorizeStore does not exist!" + e.getMessage()); + } + } + + public static AuthorizeRequest getAuthorizeRequest(String token){ + List objs = getAuthzRegion(RestAgent.AUTH_METADATA_REGION).get(token); + return (AuthorizeRequest)objs.get(0); + } + + public static AuthorizeRequestPP getAuthorizeRequestPP(String token){ + List objs = getAuthzRegion(RestAgent.AUTH_METADATA_REGION).get(token); + return (AuthorizeRequestPP)objs.get(1); + } + + public static Principal getPrincipalForToken(String token){ + return getAuthorizeRequest(token).getPrincipal(); + } + + public static synchronized void removeAuthzEntry(String token){ + //remove the authzCallback. Note that this does not close() it. + getAuthzRegion(AUTH_METADATA_REGION).remove(token); + } + + public static void closeAuthz(String token){ + //Close the authzCallback + try{ + AuthorizeRequest authRequest = getAuthorizeRequest(token); + if(authRequest != null) { + authRequest.close(); + } + + AuthorizeRequestPP authRequestPP = getAuthorizeRequestPP(token); + if(authRequestPP != null) { + authRequestPP.close(); + } + } catch(Exception e){ + logger.error("Cannot close the authzCallback for token {}", token, e); + } + } + + public static synchronized void addAuthzEntry(String token, List authObjects){ + getAuthzRegion(AUTH_METADATA_REGION).put(token, authObjects); + } + + private boolean isManagementRestServiceRunning(GemFireCacheImpl cache){ + final SystemManagementService managementService = (SystemManagementService) ManagementService.getManagementService( + cache); + return ( managementService.getManagementAgent() != null && managementService.getManagementAgent().isHttpServiceRunning()); + } public synchronized void start(GemFireCacheImpl cache) { @@ -67,8 +135,12 @@ public class RestAgent { // create region to hold query information (queryId, queryString). Added // for the developer REST APIs RestAgent.createParameterizedQueryRegion(); - - } catch (RuntimeException e) { + + if(!StringUtils.isBlank(this.config.SECURITY_CLIENT_AUTHENTICATOR_NAME)){ + RestAgent.createTokenToAuthzRequestRegion(); + } + + } catch (RuntimeException e){ logger.debug(e.getMessage(), e); } } @@ -88,7 +160,21 @@ public class RestAgent { } } } - + + public synchronized void cleanup(){ + //close all authzCallback instances currently present in the region; + if(!StringUtils.isBlank(this.config.SECURITY_CLIENT_AUTHENTICATOR_NAME)){ + for(final String key : getAuthzRegion(AUTH_METADATA_REGION).keySet() ){ + try{ + closeAuthz(key); + + }catch(Exception e){ + logger.error("Cannot close the authzCallback for token {}", key, e); + } + } + } + } + private Server httpServer; private final String GEMFIRE_VERSION = GemFireVersion.getGemFireVersion(); private AgentUtil agentUtil = new AgentUtil(GEMFIRE_VERSION); @@ -198,7 +284,48 @@ public class RestAgent { } else { logger.error("Cannot create ParameterizedQueries Region as no cache found!"); } - } catch (Exception e) { + } + catch (Exception e) { + if (logger.isDebugEnabled()) { + logger.debug("Error creating __ParameterizedQueries__ Region with cause {}",e.getMessage(), e); + } + } + } + + /** + * This method will create a REPLICATED region named _ParameterizedQueries__. + * In developer REST APIs, this region will be used to store the queryId and queryString as a key and value respectively. + */ + public static void createTokenToAuthzRequestRegion(){ + try { + if (logger.isDebugEnabled()) { + logger.debug("Starting creation of ({}) region", AUTH_METADATA_REGION); + } + GemFireCacheImpl cache = (GemFireCacheImpl)CacheFactory.getAnyInstance(); + if (cache != null) { + //cache.getCacheConfig().setPdxReadSerialized(true); + final InternalRegionArguments regionArguments = new InternalRegionArguments(); + regionArguments.setIsUsedForMetaRegion(true); + final AttributesFactory> attributesFactory = new AttributesFactory>(); + + attributesFactory.setConcurrencyChecksEnabled(false); + attributesFactory.setDataPolicy(DataPolicy.NORMAL); + attributesFactory.setKeyConstraint(String.class); + attributesFactory.setScope(Scope.LOCAL); + attributesFactory.setStatisticsEnabled(false); + //attributesFactory.setValueConstraint(AuthorizeRequest.class); + + final RegionAttributes> regionAttributes = attributesFactory.create(); + + cache.createVMRegion(AUTH_METADATA_REGION, regionAttributes, regionArguments); + if (logger.isDebugEnabled()) { + logger.debug("Successfully created ({}) region", AUTH_METADATA_REGION); + } + }else { + logger.error("Cannot create ({}) Region as no cache found!", AUTH_METADATA_REGION); + } + } + catch (Exception e) { if (logger.isDebugEnabled()) { logger.debug("Error creating __ParameterizedQueries__ Region with cause {}", e.getMessage(), e); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java index d8f6983..64a057c 100755 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java @@ -121,6 +121,8 @@ public final class SystemManagementService extends BaseManagementService { * GemFire comes with a default aggregator. */ private List proxyListeners; + + private AuthManager authManager; private UniversalListenerContainer universalListenerContainer = new UniversalListenerContainer(); @@ -171,6 +173,7 @@ public final class SystemManagementService extends BaseManagementService { this.listener = new ManagementMembershipListener(this); system.getDistributionManager().addMembershipListener(listener); isStarted = true; + this.authManager = new AuthManager(cache); return this; } catch (CancelException e) { // Rethrow all CancelExceptions (fix for defect 46339) @@ -262,7 +265,8 @@ public final class SystemManagementService extends BaseManagementService { } if (this.agent != null && this.agent.isRunning()) { this.agent.stopAgent(); - } + } + this.authManager.expireAllAuthZ(); getGemFireCacheImpl().getJmxManagerAdvisor().broadcastChange(); instances.remove(cache); localManager = null; @@ -826,4 +830,8 @@ public final class SystemManagementService extends BaseManagementService { public void removeMembershipListener(MembershipListener listener) { universalListenerContainer.removeMembershipListener(listener); } + + public AuthManager getAuthManager(){ + return this.authManager; + } } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ClientCommands.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ClientCommands.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ClientCommands.java index 2eb1318..958df80 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ClientCommands.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ClientCommands.java @@ -44,6 +44,9 @@ import com.gemstone.gemfire.management.internal.cli.result.CompositeResultData.S import com.gemstone.gemfire.management.internal.cli.result.ResultBuilder; import com.gemstone.gemfire.management.internal.cli.result.TabularResultData; import com.gemstone.gemfire.management.internal.cli.shell.Gfsh; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /** * @@ -59,6 +62,7 @@ public class ClientCommands implements CommandMarker { @CliCommand(value = CliStrings.LIST_CLIENTS, help = CliStrings.LIST_CLIENT__HELP) @CliMetaData(relatedTopic = { CliStrings.TOPIC_LIST }) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.LIST_DS) public Result listClient() { Result result = null; @@ -142,6 +146,7 @@ public class ClientCommands implements CommandMarker { @CliCommand(value = CliStrings.DESCRIBE_CLIENT, help = CliStrings.DESCRIBE_CLIENT__HELP) @CliMetaData(relatedTopic = { CliStrings.TOPIC_LIST }) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.LIST_DS) public Result describeClient( @CliOption(key = CliStrings.DESCRIBE_CLIENT__ID, mandatory = true, help = CliStrings.DESCRIBE_CLIENT__ID__HELP) String clientId) { Result result = null; @@ -310,7 +315,7 @@ public class ClientCommands implements CommandMarker { } @CliAvailabilityIndicator({ CliStrings.LIST_CLIENTS , CliStrings.DESCRIBE_CLIENT}) - public boolean functionCommandsAvailable() { + public boolean clientCommandsAvailable() { boolean isAvailable = true; // always available on server if (CliUtil.isGfshVM()) { // in gfsh check if connected isAvailable = getGfsh() != null && getGfsh().isConnectedAndReady(); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ConfigCommands.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ConfigCommands.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ConfigCommands.java index 279fb45..1341890 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ConfigCommands.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/ConfigCommands.java @@ -54,6 +54,9 @@ import com.gemstone.gemfire.management.internal.cli.result.TabularResultData; import com.gemstone.gemfire.management.internal.cli.shell.Gfsh; import com.gemstone.gemfire.management.internal.configuration.SharedConfigurationWriter; import com.gemstone.gemfire.management.internal.configuration.domain.XmlEntity; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /**** * * @author David Hoots @@ -72,6 +75,7 @@ public class ConfigCommands implements CommandMarker { @CliCommand(value = { CliStrings.DESCRIBE_CONFIG }, help = CliStrings.DESCRIBE_CONFIG__HELP) @CliMetaData(shellOnly = false, relatedTopic = {CliStrings.TOPIC_GEMFIRE_CONFIG}) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.LIST_DS) public Result describeConfig( @CliOption (key = CliStrings.DESCRIBE_CONFIG__MEMBER, optionContext = ConverterHint.ALL_MEMBER_IDNAME, @@ -185,6 +189,7 @@ public class ConfigCommands implements CommandMarker { */ @CliCommand(value = { CliStrings.EXPORT_CONFIG }, help = CliStrings.EXPORT_CONFIG__HELP) @CliMetaData(interceptor = "com.gemstone.gemfire.management.internal.cli.commands.ConfigCommands$Interceptor", relatedTopic = {CliStrings.TOPIC_GEMFIRE_CONFIG}) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.EXPORT_CONFIG) public Result exportConfig( @CliOption(key = { CliStrings.EXPORT_CONFIG__MEMBER }, optionContext = ConverterHint.ALL_MEMBER_IDNAME, @@ -240,6 +245,7 @@ public class ConfigCommands implements CommandMarker { @CliCommand(value = { CliStrings.ALTER_RUNTIME_CONFIG }, help = CliStrings.ALTER_RUNTIME_CONFIG__HELP) @CliMetaData(relatedTopic = {CliStrings.TOPIC_GEMFIRE_CONFIG}) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.ALTER_RUNTIME) public Result alterRuntimeConfig( @CliOption (key = {CliStrings.ALTER_RUNTIME_CONFIG__MEMBER}, optionContext = ConverterHint.ALL_MEMBER_IDNAME, http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java index 919d6fe..2362b96 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java @@ -75,6 +75,9 @@ import com.gemstone.gemfire.management.internal.cli.result.TabularResultData; import com.gemstone.gemfire.management.internal.cli.util.RegionPath; import com.gemstone.gemfire.management.internal.configuration.SharedConfigurationWriter; import com.gemstone.gemfire.management.internal.configuration.domain.XmlEntity; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; /** * @@ -101,6 +104,7 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport { @CliCommand (value = CliStrings.CREATE_REGION, help = CliStrings.CREATE_REGION__HELP) @CliMetaData (relatedTopic = CliStrings.TOPIC_GEMFIRE_REGION, writesToSharedConfiguration = true) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.CREATE_REGION) public Result createRegion( @CliOption (key = CliStrings.CREATE_REGION__REGION, mandatory = true, @@ -432,6 +436,7 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport { @CliCommand (value = CliStrings.ALTER_REGION, help = CliStrings.ALTER_REGION__HELP) @CliMetaData (relatedTopic = CliStrings.TOPIC_GEMFIRE_REGION, writesToSharedConfiguration = true) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.ALTER_REGION) public Result alterRegion( @CliOption (key = CliStrings.ALTER_REGION__REGION, mandatory = true, @@ -990,6 +995,7 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport { @CliCommand(value = { CliStrings.DESTROY_REGION }, help = CliStrings.DESTROY_REGION__HELP) @CliMetaData(shellOnly = false, relatedTopic = CliStrings.TOPIC_GEMFIRE_REGION, writesToSharedConfiguration = true) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.DESTROY_REGION) public Result destroyRegion( @CliOption(key = CliStrings.DESTROY_REGION__REGION, optionContext = ConverterHint.REGIONPATH, http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java index 9e60839..f199d30 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java @@ -1009,6 +1009,7 @@ public class DataCommands implements CommandMarker { @CliMetaData(shellOnly = false, relatedTopic = { CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION }) @CliCommand(value = { CliStrings.GET }, help = CliStrings.GET__HELP) + @ResourceOperation(resource = Resource.REGION, operation= ResourceConstants.GET) public Result get( @CliOption(key = { CliStrings.GET__KEY }, mandatory = true, help = CliStrings.GET__KEY__HELP) String key, @CliOption(key = { CliStrings.GET__REGIONNAME }, mandatory = true, help = CliStrings.GET__REGIONNAME__HELP, optionContext = ConverterHint.REGIONPATH) String regionPath, @@ -1111,6 +1112,7 @@ public class DataCommands implements CommandMarker { @CliMetaData(shellOnly = false, relatedTopic = { CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION }) @CliCommand(value = { CliStrings.REMOVE }, help = CliStrings.REMOVE__HELP) + @ResourceOperation(resource = Resource.REGION, operation= ResourceConstants.REMOVE) public Result remove( @CliOption(key = { CliStrings.REMOVE__KEY }, help = CliStrings.REMOVE__KEY__HELP) String key, @CliOption(key = { CliStrings.REMOVE__REGION }, mandatory = true, help = CliStrings.REMOVE__REGION__HELP, optionContext = ConverterHint.REGIONPATH) String regionPath, @@ -1165,7 +1167,7 @@ public class DataCommands implements CommandMarker { CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION }) @MultiStepCommand @CliCommand(value = { CliStrings.QUERY }, help = CliStrings.QUERY__HELP) - @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.QUERYDATA_DS) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.QUERY) public Object query( @CliOption(key = CliStrings.QUERY__QUERY, help = CliStrings.QUERY__QUERY__HELP, mandatory = true) final String query, @CliOption(key = CliStrings.QUERY__STEPNAME, mandatory = false, help = "Stpe name", unspecifiedDefaultValue = CliStrings.QUERY__STEPNAME__DEFAULTVALUE) String stepName, http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d511979e/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DeployCommands.java ---------------------------------------------------------------------- diff --git a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DeployCommands.java b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DeployCommands.java index 4591b53..3d0cacc 100644 --- a/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DeployCommands.java +++ b/gemfire-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DeployCommands.java @@ -36,6 +36,10 @@ import com.gemstone.gemfire.management.internal.cli.result.FileResult; import com.gemstone.gemfire.management.internal.cli.result.ResultBuilder; import com.gemstone.gemfire.management.internal.cli.result.TabularResultData; import com.gemstone.gemfire.management.internal.configuration.SharedConfigurationWriter; +import com.gemstone.gemfire.management.internal.security.Resource; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; +import com.gemstone.gemfire.management.internal.security.ResourceOperation; + import org.springframework.shell.core.CommandMarker; import org.springframework.shell.core.annotation.CliAvailabilityIndicator; import org.springframework.shell.core.annotation.CliCommand; @@ -67,6 +71,7 @@ public final class DeployCommands extends AbstractCommandsSupport implements Com */ @CliCommand(value = { CliStrings.DEPLOY }, help = CliStrings.DEPLOY__HELP) @CliMetaData(interceptor = "com.gemstone.gemfire.management.internal.cli.commands.DeployCommands$Interceptor", relatedTopic={CliStrings.TOPIC_GEMFIRE_CONFIG}, writesToSharedConfiguration=true) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.DEPLOY) public final Result deploy( @CliOption(key = { CliStrings.DEPLOY__GROUP }, help = CliStrings.DEPLOY__GROUP__HELP, optionContext=ConverterHint.MEMBERGROUP) @CliMetaData (valueSeparator = ",") @@ -149,6 +154,7 @@ public final class DeployCommands extends AbstractCommandsSupport implements Com */ @CliCommand(value = { CliStrings.UNDEPLOY }, help = CliStrings.UNDEPLOY__HELP) @CliMetaData(relatedTopic={CliStrings.TOPIC_GEMFIRE_CONFIG}, writesToSharedConfiguration=true) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.UNDEPLOY) public final Result undeploy( @CliOption(key = { CliStrings.UNDEPLOY__GROUP }, help = CliStrings.UNDEPLOY__GROUP__HELP, @@ -219,6 +225,7 @@ public final class DeployCommands extends AbstractCommandsSupport implements Com */ @CliCommand(value = { CliStrings.LIST_DEPLOYED }, help = CliStrings.LIST_DEPLOYED__HELP) @CliMetaData(relatedTopic={CliStrings.TOPIC_GEMFIRE_CONFIG}) + @ResourceOperation(resource = Resource.DISTRIBUTED_SYSTEM, operation= ResourceConstants.LIST_DS) public final Result listDeployed( @CliOption(key = { CliStrings.LIST_DEPLOYED__GROUP }, help = CliStrings.LIST_DEPLOYED__GROUP__HELP)