From jensde...@apache.org
Subject [5/5] incubator-geode git commit: GEODE-17: Initial integration work
Date Tue, 01 Mar 2016 22:24:34 GMT
GEODE-17: Initial integration work

- Fix failing tests


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/406a80f8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/406a80f8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/406a80f8

Branch: refs/heads/feature/GEODE-17-2
Commit: 406a80f8060fe10ed8144ce9e0ff6ca6860dc33f
Parents: 19a8f0a
Author: Jens Deppe <jdeppe@pivotal.io>
Authored: Tue Mar 1 14:24:04 2016 -0800
Committer: Jens Deppe <jdeppe@pivotal.io>
Committed: Tue Mar 1 14:24:04 2016 -0800

----------------------------------------------------------------------
 .../internal/security/AccessControl.java        |  57 ----
 .../internal/security/AccessControlMBean.java   |  59 ++++
 .../internal/security/JSONAuthorization.java    | 308 -------------------
 .../security/ManagementInterceptor.java         |  88 +++---
 .../security/ResourceOperationContext.java      |   2 +-
 .../controllers/AbstractCommandsController.java |  46 +--
 .../DiskStoreCommandsController.java            |   1 -
 .../EnvironmentVariablesHandlerInterceptor.java |  44 +--
 .../cli/commands/CliCommandTestBase.java        |   4 +-
 .../cli/shell/GfshHistoryJUnitTest.java         |   3 -
 ...horizeOperationForMBeansIntegrationTest.java |  12 +-
 ...erationForRegionCommandsIntegrationTest.java |  20 +-
 .../internal/security/JSONAuthorization.java    | 307 ++++++++++++++++++
 ...tionCodesForDistributedSystemMXBeanTest.java |  10 +-
 .../ReadOpFileAccessControllerJUnitTest.java    |  19 +-
 .../management/internal/security/auth3.json     |  55 ++--
 16 files changed, 498 insertions(+), 537 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControl.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControl.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControl.java
deleted file mode 100644
index f20ea22..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControl.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal.security;
-
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.Set;
-
-import javax.management.remote.JMXPrincipal;
-import javax.security.auth.Subject;
-
-/**
- * AccessControlMBean Implementation. This retrieves JMXPrincipal from AccessController
- * and performs authorization for given role using gemfire AccessControl Plugin
- *
- * @author tushark
- * @since 9.0
- */
-public class AccessControl implements AccessControlMXBean {
-
-  private ManagementInterceptor interceptor;
-
-  public AccessControl(ManagementInterceptor interceptor) {
-    this.interceptor = interceptor;
-  }
-
-  @Override
-  public boolean authorize(String role) {
-    AccessControlContext acc = AccessController.getContext();
-    Subject subject = Subject.getSubject(acc);
-    Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
-    if (principals == null || principals.isEmpty()) {
-      throw new SecurityException("Access denied");
-    }
-    Principal principal = principals.iterator().next();
-    com.gemstone.gemfire.security.AccessControl gemAccControl = interceptor.getAccessControl(principal, false);
-    boolean authorized = gemAccControl.authorizeOperation(null,
-        new com.gemstone.gemfire.management.internal.security.AccessControlContext(role));
-    return authorized;
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
new file mode 100644
index 0000000..a525416
--- /dev/null
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.security.AccessControl;
+
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Principal;
+import java.util.Set;
+
+import javax.management.remote.JMXPrincipal;
+import javax.security.auth.Subject;
+
+/**
+ * AccessControlMBean Implementation. This retrieves JMXPrincipal from AccessController
+ * and performs authorization for given role using gemfire AccessControl Plugin
+ *
+ * @author tushark
+ * @since 9.0
+ */
+public class AccessControlMBean implements AccessControlMXBean {
+
+  private ManagementInterceptor interceptor;
+
+  public AccessControlMBean(ManagementInterceptor interceptor) {
+    this.interceptor = interceptor;
+  }
+
+  @Override
+  public boolean authorize(String role) {
+    AccessControlContext acc = AccessController.getContext();
+    Subject subject = Subject.getSubject(acc);
+    Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
+    if (principals == null || principals.isEmpty()) {
+      throw new SecurityException("Access denied");
+    }
+    Principal principal = principals.iterator().next();
+    AccessControl gemAccControl = interceptor.getAccessControl(principal, false);
+    boolean authorized = gemAccControl.authorizeOperation(null,
+        new com.gemstone.gemfire.management.internal.security.AccessControlContext(role));
+    return authorized;
+  }
+
+}
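Review bot: `Subject.getSubject(acc)` in `authorize` can return null when no Subject is bound to the calling context, and the next line dereferences it, so such a call fails with a NullPointerException rather than the `SecurityException("Access denied")` used for the empty-principals case. Extend the guard to cover it, e.g. `if (subject == null) { throw new SecurityException("Access denied"); }` before `subject.getPrincipals(...)`. `principals.iterator().next()` also takes whichever JMXPrincipal the set yields first; if exactly one is expected, a comment saying so (or a check on `principals.size()`) would make the assumption explicit. Whether `interceptor.getAccessControl(principal, false)` can return null is not visible here and is worth confirming before `gemAccControl` is used.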

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
deleted file mode 100644
index 004117f..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
+++ /dev/null
@@ -1,308 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal.security;
-
-import java.io.File;
-import java.io.FileReader;
-import java.io.IOException;
-import java.security.Principal;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-
-import javax.management.remote.JMXPrincipal;
-
-import org.json.JSONArray;
-import org.json.JSONException;
-import org.json.JSONObject;
-
-import com.gemstone.gemfire.GemFireConfigException;
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.cache.operations.OperationContext;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.internal.logging.LogService;
-import com.gemstone.gemfire.management.internal.security.ResourceOperationContext.ResourceOperationCode;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.Authenticator;
-import com.gemstone.gemfire.security.NotAuthorizedException;
-
-public class JSONAuthorization implements AccessControl, Authenticator {
-	
-	public static class Role{
-		String[] permissions;
-		String name;
-		String regionName;
-		String serverGroup;		
-	}
-	
-	public static class User{
-		String name;
-		Role[] roles;
-		String pwd;
-	}
-	
-	private static Map<String,User> acl = null;
-	
-	public static JSONAuthorization create() throws IOException, JSONException {
-	  if(acl==null){
-	    readSecurityDescriptor(readDefault());
-	  }
-	  return new JSONAuthorization();
-	}
-	
-  public JSONAuthorization() {
-    if (acl == null) {
-      try {
-        readSecurityDescriptor(readDefault());
-      } catch (IOException e) {
-        throw new GemFireConfigException("Error creating JSONAuth", e);
-      } catch (JSONException e) {
-        throw new GemFireConfigException("Error creating JSONAuth", e);
-      }
-    }
-  }
-	
-	public static Set<ResourceOperationCode> getAuthorizedOps(User user, ResourceOperationContext context) {
-    Set<ResourceOperationCode> codeList = new HashSet<ResourceOperationCode>();
-    for(Role role : user.roles) {
-      for (String perm : role.permissions) {
-        ResourceOperationCode code = ResourceOperationCode.parse(perm);
-        if (role.regionName == null && role.serverGroup == null) {
-          addPermissions(code, codeList);
-        } else if (role.regionName != null) {
-          LogService.getLogger().info("This role requires region=" + role.regionName);
-          if (context instanceof CLIOperationContext) {
-            CLIOperationContext cliContext = (CLIOperationContext) context;
-            String region = cliContext.getCommandOptions().get("region");
-            if (region != null && region.equals(role.regionName)) {
-              addPermissions(code, codeList);
-            } else {
-              LogService.getLogger().info("Not adding permission " + code + " since region=" + region + " does not match");
-            }
-          }
-        }
-        // Same to be implemented for ServerGroup
-      }
-    }
-    LogService.getLogger().info("Final set of permisions " + codeList);
-    return codeList;
-  }
-	
-	private static void addPermissions(ResourceOperationCode code, Set<ResourceOperationCode> codeList) {
-	  if(code!=null) {
-      if(code.getChildren()==null)
-        codeList.add(code);
-      else {
-        for(ResourceOperationCode c : code.getChildren()){
-          codeList.add(c);
-        }
-      }
-    }    
-  }
-
-  private static String readDefault() throws IOException, JSONException {
-	  String str = System.getProperty(ResourceConstants.RESORUCE_SEC_DESCRIPTOR, ResourceConstants.RESORUCE_DEFAULT_SEC_DESCRIPTOR);
-		File file = new File(str);
-		FileReader reader = new FileReader(file);
-		char[] buffer = new char[(int) file.length()];
-		reader.read(buffer);
-		String json = new String(buffer);
-		reader.close();
-		return json;
-	}
-
-	public JSONAuthorization(String json) throws IOException, JSONException{
-		readSecurityDescriptor(json);
-	}
-	
-
-	private static void readSecurityDescriptor(String json) throws IOException, JSONException {		
-		JSONObject jsonBean = new JSONObject(json);		
-		acl = new HashMap<String,User>();		
-		Map<String,Role> roleMap = readRoles(jsonBean);
-		readUsers(acl,jsonBean,roleMap);		
-	}
-
-	private static void readUsers(Map<String, User> acl, JSONObject jsonBean,
-			Map<String, Role> roleMap) throws JSONException {
-		JSONArray array = jsonBean.getJSONArray("users");
-		for(int i=0;i<array.length();i++){
-			JSONObject obj = array.getJSONObject(i);
-			User user = new User();
-			user.name = obj.getString("name");
-			if(obj.has("password"))
-			  user.pwd = obj.getString("password");
-			else 
-			  user.pwd = user.name;
-			
-			JSONArray ops = obj.getJSONArray("roles");
-			user.roles = new Role[ops.length()];
-			for(int j=0;j<ops.length();j++){
-				String roleName = ops.getString(j);
-				user.roles[j] = roleMap.get(roleName);
-				if(user.roles[j]==null){
-					throw new RuntimeException("Role not present " + roleName);
-				}
-			}
-			acl.put(user.name, user);
-		}		
-	}
-
-	private static Map<String, Role> readRoles(JSONObject jsonBean) throws JSONException {
-		Map<String,Role> roleMap = new HashMap<String,Role>();
-		JSONArray array = jsonBean.getJSONArray("roles");
-		for(int i=0;i<array.length();i++){
-			JSONObject obj = array.getJSONObject(i);
-			Role role = new Role();
-			role.name = obj.getString("name");
-			
-			if(obj.has("operationsAllowed")){
-				JSONArray ops = obj.getJSONArray("operationsAllowed");
-				role.permissions = new String[ops.length()];
-				for(int j=0;j<ops.length();j++){
-					role.permissions[j] = ops.getString(j);
-				}
-			}else {
-				if (!obj.has("inherit"))
-					throw new RuntimeException(
-							"Role "
-									+ role.name
-									+ " does not have any permission neither it inherits any parent role");
-			}
-			
-			roleMap.put(role.name,role);
-			
-			if(obj.has("region")){
-				role.regionName = obj.getString("region");
-			}
-			
-			if(obj.has("serverGroup")){
-				role.serverGroup = obj.getString("serverGroup");
-			}
-		}
-		
-		for(int i=0;i<array.length();i++){
-			JSONObject obj = array.getJSONObject(i);
-			String name = obj.getString("name");
-			Role role = roleMap.get(name);
-			if (role == null) {
-				throw new RuntimeException("Role not present "
-						+ role);
-			}
-			if(obj.has("inherit")){				
-				JSONArray parentRoles = obj.getJSONArray("inherit");
-				for (int m = 0; m < parentRoles.length(); m++) {
-					String parentRoleName = parentRoles.getString(m);
-					Role parentRole = roleMap.get(parentRoleName);
-					if (parentRole == null) {
-						throw new RuntimeException("Role not present "
-								+ parentRoleName);
-					}
-					int oldLenth=0;
-					if(role.permissions!=null)
-						oldLenth = role.permissions.length;
-					int newLength = oldLenth + parentRole.permissions.length;
-					String[] str = new String[newLength];
-					int k = 0;
-					if(role.permissions!=null) {
-						for (; k < role.permissions.length; k++) {
-							str[k] = role.permissions[k];
-						}
-					}
-
-					for (int l = 0; l < parentRole.permissions.length; l++) {
-						str[k + l] = parentRole.permissions[l];
-					}
-					role.permissions = str;
-				}
-			}
-			
-		}		
-		return roleMap;
-	}
-
-	public static Map<String, User> getAcl() {
-		return acl;
-	}
-	
-	private Principal principal=null;
-
-  @Override
-  public void close() {
-    
-  }
-
-  @Override
-  public boolean authorizeOperation(String arg0, OperationContext context) {
-    
-    if(principal!=null) {
-      User user = acl.get(principal.getName());
-      if(user!=null) {
-        LogService.getLogger().info("Context received " + context);
-        ResourceOperationContext ctx = (ResourceOperationContext)context;
-        LogService.getLogger().info("Checking for code " + ctx.getResourceOperationCode());
-        
-        //TODO : This is for un-annotated commands
-        if(ctx.getResourceOperationCode()==null)
-          return true;        
-        
-        boolean found = false;
-        for(ResourceOperationCode code : getAuthorizedOps(user, (ResourceOperationContext) context)) {
-          if(ctx.getResourceOperationCode().equals(code)){
-            found =true;
-            LogService.getLogger().info("found code " + code.toString());
-            break;
-          }             
-        }
-        if(found)
-          return true;
-        LogService.getLogger().info("Did not find code " + ctx.getResourceOperationCode());
-        return false;        
-      }
-    } 
-    return false;
-  }
-
-  @Override
-  public void init(Principal principal, DistributedMember arg1, Cache arg2) throws NotAuthorizedException {
-    this.principal = principal;    
-  }
-
-  @Override
-  public Principal authenticate(Properties props, DistributedMember arg1) throws AuthenticationFailedException {
-    String user = props.getProperty(ResourceConstants.USER_NAME);
-    String pwd = props.getProperty(ResourceConstants.PASSWORD);
-    User userObj = acl.get(user);
-    if(userObj==null)
-      throw new AuthenticationFailedException("Wrong username/password");
-    LogService.getLogger().info("User="+user + " pwd="+pwd);
-    if (user!=null && !userObj.pwd.equals(pwd) && !"".equals(user))
-      throw new AuthenticationFailedException("Wrong username/password");
-    LogService.getLogger().info("Authentication successful!! for " + user);
-    return new JMXPrincipal(user);    
-  }
-
-  @Override
-  public void init(Properties arg0, LogWriter arg1, LogWriter arg2) throws AuthenticationFailedException {   
-    
-  }	
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
index 8282ab0..7b285f6 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
@@ -16,30 +16,19 @@
  */
 package com.gemstone.gemfire.management.internal.security;
 
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.ACCESS_DENIED_MESSAGE;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.GET_ATTRIBUTE;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.GET_ATTRIBUTES;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.GET_PREFIX;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.PASSWORD;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.PROCESS_COMMAND;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.SET_ATTRIBUTE;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.SET_ATTRIBUTES;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.SET_PREFIX;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.USER_NAME;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.WRONGE_CREDENTIALS_MESSAGE;
-
-import java.lang.management.ManagementFactory;
-import java.lang.reflect.Method;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map.Entry;
-import java.util.Properties;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
+import com.gemstone.gemfire.GemFireConfigException;
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.distributed.DistributedSystem;
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
+import com.gemstone.gemfire.internal.ClassLoadUtil;
+import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
+import com.gemstone.gemfire.internal.lang.StringUtils;
+import com.gemstone.gemfire.internal.logging.InternalLogWriter;
+import com.gemstone.gemfire.management.internal.ManagementConstants;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+import org.apache.logging.log4j.Logger;
 
 import javax.management.Attribute;
 import javax.management.AttributeList;
@@ -53,21 +42,20 @@ import javax.management.remote.JMXAuthenticator;
 import javax.management.remote.JMXPrincipal;
 import javax.management.remote.MBeanServerForwarder;
 import javax.security.auth.Subject;
+import java.lang.management.ManagementFactory;
+import java.lang.reflect.Method;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
 
-import org.apache.logging.log4j.Logger;
-
-import com.gemstone.gemfire.GemFireConfigException;
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.distributed.DistributedSystem;
-import com.gemstone.gemfire.distributed.internal.DistributionConfig;
-import com.gemstone.gemfire.internal.ClassLoadUtil;
-import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
-import com.gemstone.gemfire.internal.lang.StringUtils;
-import com.gemstone.gemfire.internal.logging.InternalLogWriter;
-import com.gemstone.gemfire.management.internal.ManagementConstants;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.Authenticator;
+import static com.gemstone.gemfire.management.internal.security.ResourceConstants.*;
 
 /**
  *
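Review bot: The added `import static ...ResourceConstants.*;` replaces eleven explicit static imports with a wildcard, which hides which security constants (`ACCESS_DENIED_MESSAGE`, `USER_NAME`, `PASSWORD`, ...) this class actually relies on and lets a constant added to `ResourceConstants` later shadow a local name silently. Keeping the explicit list, moved to wherever the project's import order wants it, would preserve that at no cost.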
@@ -116,7 +104,7 @@ public class ManagementInterceptor implements JMXAuthenticator {
    */
 	private void registerAccessContorlMbean() {
     try {
-      com.gemstone.gemfire.management.internal.security.AccessControl acc = new com.gemstone.gemfire.management.internal.security.AccessControl(this);
+      AccessControlMBean acc = new AccessControlMBean(this);
       accessControlMBeanON = new ObjectName(ResourceConstants.OBJECT_NAME_ACCESSCONTROL);
       MBeanServer platformMBeanServer = ManagementFactory.getPlatformMBeanServer();
       Set<ObjectName> names = platformMBeanServer.queryNames(accessControlMBeanON, null);
@@ -240,34 +228,34 @@ public class ManagementInterceptor implements JMXAuthenticator {
       List<Attribute> list = attrList.asList();
       ResourceOperationContext setterContext = null;
       SetAttributesOperationContext resourceContext = new SetAttributesOperationContext();
-      for(int i=0;i<list.size();i++) {
+      for (int i = 0; i < list.size(); i++) {
         Attribute attribute = list.get(i);
         String setter = SET_PREFIX + attribute.getName();
-        setterContext = buildContext(name,setter,null);
+        setterContext = buildContext(name, setter, null);
         boolean authorized = accessControl.authorizeOperation(null, setterContext);
         if (logger.isDebugEnabled()) {
-          logger.debug("Name=" + name + " methodName=" + methodName + " result=" + authorized + " principal="
-              + principal.getName());
+          logger.debug(
+              "Name=" + name + " methodName=" + methodName + " result=" + authorized + " principal=" + principal.getName());
         }
-		if(!authorized)
+        if (!authorized) {
           throw new SecurityException(ACCESS_DENIED_MESSAGE);
-        else
+        } else {
           resourceContext.addAttribute(attribute.getName(), setterContext);
+        }
       }
       return resourceContext;
     } else {
       ResourceOperationContext resourceContext = buildContext(name, method, params);
       boolean authorized = accessControl.authorizeOperation(null, resourceContext);
       if (logger.isDebugEnabled()) {
-        logger.debug("Name=" + name + " methodName=" + methodName + " result=" + authorized + " principal="
-            + principal.getName());
+        logger.debug(
+            "Name=" + name + " methodName=" + methodName + " result=" + authorized + " principal=" + principal.getName());
       }
 
-      if (!authorized)
-        throw new SecurityException(ACCESS_DENIED_MESSAGE);
+      if (!authorized) throw new SecurityException(ACCESS_DENIED_MESSAGE);
       return resourceContext;
     }
-	}
+  }
 
 	public MBeanServerForwarder getMBeanServerForwarder() {
 		return mBeanServerForwarder;
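Review bot: A denied operation is recorded only inside `if (logger.isDebugEnabled())`, so as far as this hunk shows, the `SecurityException(ACCESS_DENIED_MESSAGE)` thrown in both branches leaves no server-side trace at default log levels. Consider logging the denial itself before each throw, e.g. `logger.warn("Access denied: name={} method={} principal={}", name, methodName, principal.getName());`. Separately, the new one-line `if (!authorized) throw new SecurityException(ACCESS_DENIED_MESSAGE);` in the else branch is unbraced, while the loop branch was given braces in this same hunk; the braced form should be used in both. The enclosing method starts above the hunk.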

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
index 56d6b2c..d53b253 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
@@ -310,7 +310,7 @@ public abstract class ResourceOperationContext extends OperationContext {
 		}
 	    
     public List<ResourceOperationCode> getChildren() {
-      return Collections.unmodifiableList(children);
+      return children != null ? Collections.unmodifiableList(children) : null;
     }
 
     public void addChild(ResourceOperationCode code) {
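Review bot: `getChildren()` now returns `null` when `children` is unset, but nothing on the method documents that, and callers that iterate the result directly will hit a NullPointerException. The `addPermissions` helper visible in the removed `JSONAuthorization` treats `getChildren() == null` as "grant the code itself", so swapping in `Collections.emptyList()` would silently change which permissions are granted; the null contract should be stated instead, e.g. `/** Returns an unmodifiable view of the child codes, or null if this code has no children. */`. Whether `children` can also be a non-null empty list is not visible in this hunk; if it can, callers following that pattern would add no permission at all for such a code, which is worth confirming.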

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
index 64c5a73..ce91b30 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
@@ -17,29 +17,6 @@
 
 package com.gemstone.gemfire.management.internal.web.controllers;
 
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.ACCESS_DENIED_MESSAGE;
-
-import java.io.PrintWriter;
-import java.io.StringWriter;
-import java.lang.management.ManagementFactory;
-import java.net.URI;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import javax.management.JMX;
-import javax.management.MBeanServer;
-import javax.management.MalformedObjectNameException;
-import javax.management.ObjectName;
-import javax.management.Query;
-import javax.management.QueryExp;
-import javax.management.remote.JMXPrincipal;
-import javax.security.auth.Subject;
-
-import com.gemstone.gemfire.GemFireConfigException;
 import com.gemstone.gemfire.cache.CacheFactory;
 import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
 import com.gemstone.gemfire.internal.lang.StringUtils;
@@ -55,15 +32,10 @@ import com.gemstone.gemfire.management.internal.SystemManagementService;
 import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
 import com.gemstone.gemfire.management.internal.cli.util.CommandStringBuilder;
 import com.gemstone.gemfire.management.internal.security.CLIOperationContext;
-import com.gemstone.gemfire.management.internal.security.MBeanServerWrapper;
-import com.gemstone.gemfire.management.internal.security.ResourceConstants;
 import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
 import com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor;
 import com.gemstone.gemfire.management.internal.web.controllers.support.MemberMXBeanAdapter;
 import com.gemstone.gemfire.management.internal.web.util.UriUtils;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.Authenticator;
-
 import org.apache.logging.log4j.Logger;
 import org.springframework.beans.propertyeditors.StringArrayPropertyEditor;
 import org.springframework.http.HttpStatus;
@@ -75,7 +47,23 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.context.request.WebRequest;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
-import org.springframework.web.util.UriComponentsBuilder;
+
+import javax.management.JMX;
+import javax.management.MBeanServer;
+import javax.management.MalformedObjectNameException;
+import javax.management.ObjectName;
+import javax.management.Query;
+import javax.management.QueryExp;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.lang.management.ManagementFactory;
+import java.net.URI;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
 
 /**
  * The AbstractCommandsController class is the abstract base class encapsulating common functionality across all

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java
index cafd2d6..bbdd596 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/DiskStoreCommandsController.java
@@ -22,7 +22,6 @@ import java.util.concurrent.Callable;
 import com.gemstone.gemfire.internal.lang.StringUtils;
 import com.gemstone.gemfire.management.internal.cli.i18n.CliStrings;
 import com.gemstone.gemfire.management.internal.cli.util.CommandStringBuilder;
-import com.gemstone.gemfire.management.internal.security.CLIOperationContext;
 import com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor;
 
 import org.springframework.http.HttpStatus;

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
index bbc0036..f484f70 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
@@ -16,46 +16,24 @@
  */
 package com.gemstone.gemfire.management.internal.web.controllers.support;
 
-import java.lang.reflect.Method;
-import java.security.Principal;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.Map.Entry;
-
-import javax.management.remote.JMXPrincipal;
-import javax.security.auth.Subject;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
-
-import com.gemstone.gemfire.GemFireConfigException;
 import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.cache.CacheFactory;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.distributed.DistributedSystem;
-import com.gemstone.gemfire.distributed.internal.DistributionConfig;
-import com.gemstone.gemfire.internal.ClassLoadUtil;
 import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
-import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
-import com.gemstone.gemfire.internal.logging.InternalLogWriter;
 import com.gemstone.gemfire.internal.logging.LogService;
 import com.gemstone.gemfire.management.ManagementService;
 import com.gemstone.gemfire.management.internal.SystemManagementService;
-import com.gemstone.gemfire.management.internal.security.CLIOperationContext;
-import com.gemstone.gemfire.management.internal.security.MBeanServerWrapper;
-import com.gemstone.gemfire.management.internal.security.ResourceConstants;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.AuthenticationRequiredException;
 import com.gemstone.gemfire.security.Authenticator;
-
 import org.apache.logging.log4j.Logger;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Properties;
 
 /**
  * The GetEnvironmentHandlerInterceptor class handles extracting Gfsh environment variables encoded in the HTTP request

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java
index 664e7a6..f01c951 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/commands/CliCommandTestBase.java
@@ -55,9 +55,7 @@ import java.util.regex.Pattern;
  * @author David Hoots
  * @author John Blum
  */
-public class CliCommandTestBase extends CacheTestCase {
-
-  private static final long serialVersionUID = 1L;
+public abstract class CliCommandTestBase extends CacheTestCase {
 
   protected static final String USE_HTTP_SYSTEM_PROPERTY = "useHTTP";
 

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java
index 3d4615a..3ad9ce8 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/cli/shell/GfshHistoryJUnitTest.java
@@ -31,9 +31,6 @@ import java.util.List;
 
 import static org.junit.Assert.assertEquals;
 
-/**
- * @author Jens Deppe
- */
 @Category(UnitTest.class)
 public class GfshHistoryJUnitTest {
 

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java
index 8c51a40..59b60ac 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForMBeansIntegrationTest.java
@@ -80,8 +80,8 @@ public class AuthorizeOperationForMBeansIntegrationTest {
 
   @Before
   public void setUp() throws Exception {
-    System.setProperty("resource-auth-accessor", TestAccessControl.class.getName());
-    System.setProperty("resource-authenticator", TestAuthenticator.class.getName());
+    System.setProperty("gemfire.security-client-accessor", TestAccessControl.class.getName() + ".create");
+    System.setProperty("gemfire.security-client-authenticator", TestAuthenticator.class.getName() + ".create");
     
     Properties properties = new Properties();
     properties.put("name", this.testName.getMethodName());
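Review bot: The two `System.setProperty` calls in `setUp` install a test authenticator and accessor JVM-wide, and nothing in this hunk removes them again. If the `@After` method (outside the hunk) does not call `System.clearProperty("gemfire.security-client-accessor")` and `System.clearProperty("gemfire.security-client-authenticator")`, later tests in the same JVM would presumably pick up `TestAuthenticator`/`TestAccessControl` and pass or fail for the wrong reason. The same pattern appears in `AuthorizeOperationForRegionCommandsIntegrationTest.setUp`. A one-line comment that the property value is a static factory method (`<class>.create`) rather than a class name would also help the next reader.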
@@ -263,6 +263,10 @@ public class AuthorizeOperationForMBeansIntegrationTest {
    */
   public static class TestAuthenticator implements Authenticator {
 
+    public static Authenticator create() {
+      return new TestAuthenticator();
+    }
+
     @Override
     public void close() {
     }
@@ -293,6 +297,10 @@ public class AuthorizeOperationForMBeansIntegrationTest {
     public void close() {
     }
 
+    public static AccessControl create() {
+      return new TestAccessControl();
+    }
+
     @Override
     public void init(final Principal principal, final DistributedMember remoteMember, final Cache cache) throws NotAuthorizedException {
       this.principal = principal;

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java
index ecc4c72..e8620aa 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/AuthorizeOperationForRegionCommandsIntegrationTest.java
@@ -16,6 +16,7 @@
  */
 package com.gemstone.gemfire.management.internal.security;
 
+import static org.jgroups.util.Util.readFile;
 import static org.junit.Assert.*;
 
 import java.lang.management.ManagementFactory;
@@ -62,9 +63,8 @@ public class AuthorizeOperationForRegionCommandsIntegrationTest {
   
   @Before
   public void setUp() {
-    System.setProperty("resource.secDescriptor", TestUtil.getResourcePath(getClass(), "auth3.json"));
-    System.setProperty("resource-auth-accessor", JSONAuthorization.class.getCanonicalName());
-    System.setProperty("resource-authenticator", JSONAuthorization.class.getCanonicalName());
+    System.setProperty("gemfire.security-client-accessor", JSONAuthorization.class.getName() + ".create");
+    System.setProperty("gemfire.security-client-authenticator", JSONAuthorization.class.getName() + ".create");
 
     Properties properties = new Properties();
     properties.put("name", testName.getMethodName());
@@ -95,26 +95,22 @@ public class AuthorizeOperationForRegionCommandsIntegrationTest {
   @Test
   public void testInheritRole() {
   }
-  
-  @Ignore("Test was dead-coded")
-  @Test
-  public void testUserMultipleRole() throws Exception {
-  }
-  
+
   @Test
   public void testAuthorizeOperationWithRegionOperations() throws Exception {
-    JSONAuthorization authorization = JSONAuthorization.create();       
+    String json = readFile(TestUtil.getResourcePath(getClass(), "auth3.json"));
+    JSONAuthorization authorization = new JSONAuthorization(json);
     authorization.init(new JMXPrincipal("tushark"), null, null);
     
     checkAccessControlMBean();
     
     CLIOperationContext cliContext = new CLIOperationContext("locate entry --key=k1 --region=region1");
     boolean result = authorization.authorizeOperation(null, cliContext);
-    assertTrue(result);
+    assertTrue("Operation not authorized", result);
 
     cliContext = new CLIOperationContext("locate entry --key=k1 --region=secureRegion");
     result = authorization.authorizeOperation(null, cliContext);
-    //assertFalse(result); //this is failing due to logic issue TODO: why is this commented out?
+    assertTrue("Operation not authorized", result);
 
     authorization.init(new JMXPrincipal("avinash"), null, null);
     result = authorization.authorizeOperation(null, cliContext);
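Review bot: The second assertion now expects `tushark` to be authorized for `locate entry` on `secureRegion` (`assertTrue("Operation not authorized", result);`), where the replaced line was a commented-out `assertFalse`, so the test pins the permissive behaviour rather than the restriction the `region` attribute in `auth3.json` suggests. With `JSONAuthorization.getAuthorizedOps` as added in this commit, a role that has no `region` grants its operations regardless of the `--region` option, so `dataUsers` alone already allows `LOCATE_ENTRY` on `secureRegion`. If that is the intended model, state it above the assertion, e.g. `// dataUsers is not region-scoped, so LOCATE_ENTRY is allowed on every region, including secureRegion`. Otherwise keep the negative case as a separate `@Ignore`d test so the gap stays visible. The test method continues past the end of the hunk.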

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
new file mode 100644
index 0000000..2148edd
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
@@ -0,0 +1,307 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.GemFireConfigException;
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.cache.operations.OperationContext;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.management.internal.security.ResourceOperationContext.ResourceOperationCode;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+import com.gemstone.gemfire.security.NotAuthorizedException;
+import org.json.JSONArray;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+import javax.management.remote.JMXPrincipal;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+
+public class JSONAuthorization implements AccessControl, Authenticator {
+
+	public static class Role{
+		String[] permissions;
+		String name;
+		String regionName;
+		String serverGroup;
+	}
+
+	public static class User{
+		String name;
+		Role[] roles;
+		String pwd;
+	}
+
+	private static Map<String,User> acl = null;
+
+	public static JSONAuthorization create() throws IOException, JSONException {
+	  if(acl==null){
+	    readSecurityDescriptor(readDefault());
+	  }
+	  return new JSONAuthorization();
+	}
+
+  public JSONAuthorization() {
+    if (acl == null) {
+      try {
+        readSecurityDescriptor(readDefault());
+      } catch (IOException e) {
+        throw new GemFireConfigException("Error creating JSONAuth", e);
+      } catch (JSONException e) {
+        throw new GemFireConfigException("Error creating JSONAuth", e);
+      }
+    }
+  }
+
+	public static Set<ResourceOperationCode> getAuthorizedOps(User user, ResourceOperationContext context) {
+    Set<ResourceOperationCode> codeList = new HashSet<ResourceOperationCode>();
+    for(Role role : user.roles) {
+      for (String perm : role.permissions) {
+        ResourceOperationCode code = ResourceOperationCode.parse(perm);
+        if (role.regionName == null && role.serverGroup == null) {
+          addPermissions(code, codeList);
+        } else if (role.regionName != null) {
+          LogService.getLogger().info("This role requires region=" + role.regionName);
+          if (context instanceof CLIOperationContext) {
+            CLIOperationContext cliContext = (CLIOperationContext) context;
+            String region = cliContext.getCommandOptions().get("region");
+            if (region != null && region.equals(role.regionName)) {
+              addPermissions(code, codeList);
+            } else {
+              LogService.getLogger().info("Not adding permission " + code + " since region=" + region + " does not match");
+            }
+          }
+        }
+        // Same to be implemented for ServerGroup
+      }
+    }
+    LogService.getLogger().info("Final set of permisions " + codeList);
+    return codeList;
+  }
+
+  private static void addPermissions(ResourceOperationCode code, Set<ResourceOperationCode> codeList) {
+    if (code == null) {
+      return;
+    }
+
+    codeList.add(code);
+    if (code.getChildren() != null) {
+      for (ResourceOperationCode c : code.getChildren()) {
+        codeList.add(c);
+      }
+    }
+  }
+
+  private static String readDefault() throws IOException, JSONException {
+	  String str = System.getProperty(ResourceConstants.RESORUCE_SEC_DESCRIPTOR, ResourceConstants.RESORUCE_DEFAULT_SEC_DESCRIPTOR);
+		File file = new File(str);
+		FileReader reader = new FileReader(file);
+		char[] buffer = new char[(int) file.length()];
+		reader.read(buffer);
+		String json = new String(buffer);
+		reader.close();
+		return json;
+	}
+
+	public JSONAuthorization(String json) throws IOException, JSONException{
+		readSecurityDescriptor(json);
+	}
+
+	private static void readSecurityDescriptor(String json) throws IOException, JSONException {
+		JSONObject jsonBean = new JSONObject(json);
+		acl = new HashMap<String,User>();
+		Map<String,Role> roleMap = readRoles(jsonBean);
+		readUsers(acl,jsonBean,roleMap);
+	}
+
+	private static void readUsers(Map<String, User> acl, JSONObject jsonBean,
+			Map<String, Role> roleMap) throws JSONException {
+		JSONArray array = jsonBean.getJSONArray("users");
+		for(int i=0;i<array.length();i++){
+			JSONObject obj = array.getJSONObject(i);
+			User user = new User();
+			user.name = obj.getString("name");
+			if(obj.has("password")) {
+        user.pwd = obj.getString("password");
+      } else {
+        user.pwd = user.name;
+      }
+
+			JSONArray ops = obj.getJSONArray("roles");
+			user.roles = new Role[ops.length()];
+			for(int j=0;j<ops.length();j++){
+				String roleName = ops.getString(j);
+				user.roles[j] = roleMap.get(roleName);
+				if(user.roles[j]==null){
+					throw new RuntimeException("Role not present " + roleName);
+				}
+			}
+			acl.put(user.name, user);
+		}
+	}
+
+	private static Map<String, Role> readRoles(JSONObject jsonBean) throws JSONException {
+		Map<String,Role> roleMap = new HashMap<String,Role>();
+		JSONArray array = jsonBean.getJSONArray("roles");
+		for(int i=0;i<array.length();i++){
+			JSONObject obj = array.getJSONObject(i);
+			Role role = new Role();
+			role.name = obj.getString("name");
+
+			if(obj.has("operationsAllowed")){
+				JSONArray ops = obj.getJSONArray("operationsAllowed");
+				role.permissions = new String[ops.length()];
+				for(int j=0;j<ops.length();j++){
+					role.permissions[j] = ops.getString(j);
+				}
+			}else {
+				if (!obj.has("inherit"))
+					throw new RuntimeException(
+							"Role "
+									+ role.name
+									+ " does not have any permission neither it inherits any parent role");
+			}
+
+			roleMap.put(role.name,role);
+
+			if(obj.has("region")){
+				role.regionName = obj.getString("region");
+			}
+
+			if(obj.has("serverGroup")){
+				role.serverGroup = obj.getString("serverGroup");
+			}
+		}
+
+		for(int i=0;i<array.length();i++){
+			JSONObject obj = array.getJSONObject(i);
+			String name = obj.getString("name");
+			Role role = roleMap.get(name);
+			if (role == null) {
+				throw new RuntimeException("Role not present "
+						+ role);
+			}
+			if(obj.has("inherit")){
+				JSONArray parentRoles = obj.getJSONArray("inherit");
+				for (int m = 0; m < parentRoles.length(); m++) {
+					String parentRoleName = parentRoles.getString(m);
+					Role parentRole = roleMap.get(parentRoleName);
+					if (parentRole == null) {
+						throw new RuntimeException("Role not present "
+								+ parentRoleName);
+					}
+					int oldLenth=0;
+					if(role.permissions!=null)
+						oldLenth = role.permissions.length;
+					int newLength = oldLenth + parentRole.permissions.length;
+					String[] str = new String[newLength];
+					int k = 0;
+					if(role.permissions!=null) {
+						for (; k < role.permissions.length; k++) {
+							str[k] = role.permissions[k];
+						}
+					}
+
+					for (int l = 0; l < parentRole.permissions.length; l++) {
+						str[k + l] = parentRole.permissions[l];
+					}
+					role.permissions = str;
+				}
+			}
+
+		}
+		return roleMap;
+	}
+
+	public static Map<String, User> getAcl() {
+		return acl;
+	}
+
+	private Principal principal=null;
+
+  @Override
+  public void close() {
+
+  }
+
+  @Override
+  public boolean authorizeOperation(String arg0, OperationContext context) {
+
+    if(principal!=null) {
+      User user = acl.get(principal.getName());
+      if(user!=null) {
+        LogService.getLogger().info("Context received " + context);
+        ResourceOperationContext ctx = (ResourceOperationContext)context;
+        LogService.getLogger().info("Checking for code " + ctx.getResourceOperationCode());
+
+        //TODO : This is for un-annotated commands
+        if(ctx.getResourceOperationCode()==null)
+          return true;
+
+        boolean found = false;
+        for(ResourceOperationCode code : getAuthorizedOps(user, (ResourceOperationContext) context)) {
+          if(ctx.getResourceOperationCode().equals(code)){
+            found =true;
+            LogService.getLogger().info("found code " + code.toString());
+            break;
+          }
+        }
+        if(found)
+          return true;
+        LogService.getLogger().info("Did not find code " + ctx.getResourceOperationCode());
+        return false;
+      }
+    }
+    return false;
+  }
+
+  @Override
+  public void init(Principal principal, DistributedMember arg1, Cache arg2) throws NotAuthorizedException {
+    this.principal = principal;
+  }
+
+  @Override
+  public Principal authenticate(Properties props, DistributedMember arg1) throws AuthenticationFailedException {
+    String user = props.getProperty(ResourceConstants.USER_NAME);
+    String pwd = props.getProperty(ResourceConstants.PASSWORD);
+    User userObj = acl.get(user);
+    if(userObj==null)
+      throw new AuthenticationFailedException("Wrong username/password");
+    LogService.getLogger().info("User="+user + " pwd="+pwd);
+    if (user!=null && !userObj.pwd.equals(pwd) && !"".equals(user))
+      throw new AuthenticationFailedException("Wrong username/password");
+    LogService.getLogger().info("Authentication successful!! for " + user);
+    return new JMXPrincipal(user);
+  }
+
+  @Override
+  public void init(Properties arg0, LogWriter arg1, LogWriter arg2) throws AuthenticationFailedException {
+
+  }
+
+}
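Review bot: `authenticate` logs the submitted password at info level (`LogService.getLogger().info("User="+user + " pwd="+pwd);`), so every attempt, failed ones included, leaves a credential in the test and CI logs; log the name only, e.g. `LogService.getLogger().info("Authenticating user=" + user);`. In the same method the condition `user!=null && !userObj.pwd.equals(pwd) && !"".equals(user)` skips the password comparison when the user name is empty, and `if (!userObj.pwd.equals(pwd))` would close that gap since unknown names are already rejected by the `userObj==null` check. `authorizeOperation` returns `true` whenever `getResourceOperationCode()` is null, so commands without an operation code are allowed for any known principal; the TODO there should say whether this fail-open default is deliberate for the fixture. `readUsers` also falls back to `user.pwd = user.name` when no `password` key is present, which deserves a comment for the same reason.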

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java
index 65fcf56..f4ef154 100755
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/OperationCodesForDistributedSystemMXBeanTest.java
@@ -16,7 +16,7 @@
  */
 package com.gemstone.gemfire.management.internal.security;
 
-import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.assertEquals;
 
 import javax.management.ObjectName;
 
@@ -52,9 +52,9 @@ public class OperationCodesForDistributedSystemMXBeanTest {
   private final ResourceOperationCode[] distributedSystemResourceOperationCodes = {
       ResourceOperationCode.LIST_DS, 
       ResourceOperationCode.LIST_DS, 
-      ResourceOperationCode.GET,
+      ResourceOperationCode.LIST_DS,
       ResourceOperationCode.QUERY,
-      ResourceOperationCode.GET,
+      ResourceOperationCode.LIST_DS,
       ResourceOperationCode.CHANGE_ALERT_LEVEL,
       ResourceOperationCode.BACKUP_MEMBERS,
       ResourceOperationCode.REVOKE_MISSING_DISKSTORE,
@@ -69,8 +69,8 @@ public class OperationCodesForDistributedSystemMXBeanTest {
     ObjectName objectName = MBeanJMXAdapter.getDistributedSystemName();
     for (int i = 0; i < distributedSystemMXBeanOperations.length; i++) {
       JMXOperationContext context = new JMXOperationContext(objectName, distributedSystemMXBeanOperations[i]);
-      assertThat(context.getResourceOperationCode()).isEqualTo(distributedSystemResourceOperationCodes[i]);
-      assertThat(context.getOperationCode()).isEqualTo(OperationCode.RESOURCE);
+      assertEquals(distributedSystemResourceOperationCodes[i], context.getResourceOperationCode());
+      assertEquals(OperationCode.RESOURCE, context.getOperationCode());
     }
   }
 }
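Review bot: The two `assertEquals` calls in the loop carry no message, so a failure does not say which MXBean operation mapped to the wrong code. Assuming the entries of `distributedSystemMXBeanOperations` are strings, passing the operation as the message, `assertEquals(distributedSystemMXBeanOperations[i], distributedSystemResourceOperationCodes[i], context.getResourceOperationCode());`, makes the failing entry obvious. The expected array is matched to the operations array by position only, so a trailing comment on each entry naming its operation would make the `GET` to `LIST_DS` changes in the previous hunk easier to check. The test method starts outside this hunk.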

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java
index 47b86f3..6aa1072 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/unsafe/ReadOpFileAccessControllerJUnitTest.java
@@ -47,6 +47,7 @@ import javax.management.remote.JMXServiceURL;
 
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
@@ -56,6 +57,7 @@ import com.gemstone.gemfire.distributed.DistributedSystem;
 import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
 import com.gemstone.gemfire.management.ManagementService;
 import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.rules.TemporaryFolder;
 
 /**
  * Test ReadOnly operations are accesible from RMI Connector with readOnly user
@@ -75,6 +77,9 @@ public class ReadOpFileAccessControllerJUnitTest {
 
   public static final String SERVICE_URLPREFIX = "service:jmx:rmi:///jndi/rmi:";
   private static final String NEW_LINE = System.getProperty("line.separator");
+
+  @Rule
+  public TemporaryFolder tempFolder = new TemporaryFolder();
   
   @Before
   public void setUp() throws Exception {
@@ -89,6 +94,7 @@ public class ReadOpFileAccessControllerJUnitTest {
     connector.close();
     rmiConnector.stop();
     cache.close();
+    ds.disconnect();
     UnicastRemoteObject.unexportObject(registry, true);
   }
   
@@ -145,12 +151,7 @@ public class ReadOpFileAccessControllerJUnitTest {
   }
 
   private void createConnector(String accessFileName, String pwFile) throws IOException {
-    
-    try {
-      registry = LocateRegistry.createRegistry(port);
-    } catch (Exception e) {
-      throw new RuntimeException(e);
-    }
+    registry = LocateRegistry.createRegistry(port);
     MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
     String serviceUrl = SERVICE_URLPREFIX + "//" + hostname + ":" + port
         + "/jmxconnector";
@@ -169,8 +170,7 @@ public class ReadOpFileAccessControllerJUnitTest {
   }
   
   private String createAccessFile() throws IOException {
-    File file = new File("jmxremote.access");
-    assertTrue(file.createNewFile());
+    File file = tempFolder.newFile("jmxremote.access");
     BufferedWriter writer = new BufferedWriter(new FileWriter(file));
     writer.append("admin readwrite");
     writer.append(NEW_LINE);
@@ -182,8 +182,7 @@ public class ReadOpFileAccessControllerJUnitTest {
   }
   
   private String createPasswordFile() throws IOException {
-    File file = new File("jmxremote.password");
-    assertTrue(file.createNewFile());
+    File file = tempFolder.newFile("jmxremote.password");
     BufferedWriter writer = new BufferedWriter(new FileWriter(file));
     writer.append("admin admin");
     writer.append(NEW_LINE);

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/406a80f8/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json
index 274eb89..5adee52 100644
--- a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/auth3.json
@@ -1,25 +1,34 @@
 {
-"roles" : [	
-			{
-				"name" : "dataUsers",
-				"operationsAllowed" : ["LOCATE_ENTRY"],
-			},
-			{
-				"name" : "secureDataUsers",
-				"operationsAllowed" : ["LOCATE_ENTRY"],
-				"region" : "secureRegion"
-			}
-		],
-users : [
-	 		{
-	 			"name" : "tushark",
-	 			"password" : "1234567",
-	 			"roles" : ["dataUsers"]
-	 		},
-	 		{
-	 			"name" : "avinash",
-	 			"password" : "1234567",
-	 			"roles" : ["secureDataUsers", "dataUsers"]
-	 		}
-		]
+  "roles": [
+    {
+      "name": "dataUsers",
+      "operationsAllowed": [
+        "LOCATE_ENTRY"
+      ]
+    },
+    {
+      "name": "secureDataUsers",
+      "operationsAllowed": [
+        "LOCATE_ENTRY"
+      ],
+      "region": "secureRegion"
+    }
+  ],
+  "users": [
+    {
+      "name": "tushark",
+      "password": "1234567",
+      "roles": [
+        "dataUsers"
+      ]
+    },
+    {
+      "name": "avinash",
+      "password": "1234567",
+      "roles": [
+        "secureDataUsers",
+        "dataUsers"
+      ]
+    }
+  ]
 }

