From: klund@apache.org To: commits@geode.incubator.apache.org Date: Wed, 18 May 2016 17:04:52 -0000 Message-Id: <3e18bbee875f420ba25c5d597d50cd90@git.apache.org> In-Reply-To: <216afdb004ad4d12b369c7e481985dcd@git.apache.org> References: <216afdb004ad4d12b369c7e481985dcd@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [12/19] incubator-geode git commit: GEODE-17: make geode authorization case-sensitive since our region names are case sensitive archived-at: Wed, 18 May 2016 17:04:53 -0000 GEODE-17: make geode authorization case-sensitive since our region names are case sensitive * Specify case sensitive when creating the permission context * Specify case sensitive when resolving the permission from shiro-ini file * rename shiro-init to security-shiro-init since it's security related in DistributionConfig * For DATA operations, a "NULL" regionName is used when regionName couldn't be resolved yet. Since for permissions, DATA:READ is different from DATA:READ:NULL Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/1179c08e Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/1179c08e Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/1179c08e Branch: refs/heads/feature/GEODE-1392 Commit: 1179c08eb4f9d1fe1c1ffea337a34a0f1c6c89c7 Parents: 758643c Author: Jinmei Liao Authored: Fri May 13 14:04:10 2016 -0700 Committer: Kirk Lund Committed: Wed May 18 10:04:25 2016 -0700 ---------------------------------------------------------------------- .../cache/operations/OperationContext.java | 10 ++++- .../internal/AbstractDistributionConfig.java | 2 +- .../internal/DistributionConfig.java | 26 ++++++++----- .../gemfire/internal/AbstractConfig.java | 2 +- .../internal/security/GeodeSecurityUtil.java | 41 ++++++++++++++++++++ .../security/shiro/GeodePermissionResolver.java | 28 +++++++++++++ .../internal/SystemManagementService.java | 29 ++------------ 
.../security/ResourceOperationContext.java | 10 ++++-
.../CacheServerMBeanShiroJUnitTest.java | 2 +-
.../security/DataCommandsSecurityTest.java | 4 +-
.../GeodeSecurityUtilCustomRealmJUnitTest.java | 18 ++-------
.../GeodeSecurityUtilWithIniFileJUnitTest.java | 15 ++++---
.../security/GfshCommandsSecurityTest.java | 2 +-
.../ResourceOperationContextJUnitTest.java | 11 ++++--
.../internal/security/ShiroCacheStartRule.java | 2 +-
.../internal/security/TestCommand.java | 16 ++++----
16 files changed, 140 insertions(+), 78 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
index dec716c..b81016d 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
@@ -304,7 +304,7 @@ public abstract class OperationContext extends WildcardPermission{
 }
 public String getRegionName(){
- return "NULL";
+ return null;
 }
 /**
@@ -358,4 +358,12 @@ public abstract class OperationContext extends WildcardPermission{
 || opCode.isRegionDestroy() || opCode.isRegionClear());
 }
+ @Override
+ public String toString(){
+ if(getRegionName()==null)
+ return getResource()+":"+getOperationCode();
+ else
+ return getResource()+":"+getOperationCode()+":"+getRegionName();
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java
----------------------------------------------------------------------
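Review bot: The new `toString()` in OperationContext has no Javadoc although its output is now what authorization failures report (the DataCommandsSecurityTest hunk further down asserts on `DATA:WRITE:region2`), so the format is effectively a contract; a comment such as `/** Returns the permission string "RESOURCE:OPERATION[:regionName]" that is checked for authorization and reported in access-denied messages; the region part is omitted when getRegionName() is null. */` would pin it. The method also calls the overridable `getRegionName()` twice; reading it once into a local avoids a subclass being consulted twice with possibly different answers. The default `getRegionName()` changing from "NULL" to null is a behaviour change for subclasses outside this hunk and deserves a one-line Javadoc on that getter as well.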
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java
index d38e1a9..17e7c2b 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/AbstractDistributionConfig.java
@@ -1125,7 +1125,7 @@ public abstract class AbstractDistributionConfig
 m.put(LOCK_MEMORY_NAME, LocalizedStrings.AbstractDistributionConfig_LOCK_MEMORY.toLocalizedString(DEFAULT_LOCK_MEMORY));
 m.put(DISTRIBUTED_TRANSACTIONS_NAME, "Flag to indicate whether all transactions including JTA should be distributed transactions. Default is false, meaning colocated transactions.");
- m.put(SHIRO_INIT_NAME, "The name of the shiro configuration file in the classpath, e.g. shiro.ini");
+ m.put(SECURITY_SHIRO_INIT_NAME, "The name of the shiro configuration file in the classpath, e.g. shiro.ini");
 dcAttDescriptions = Collections.unmodifiableMap(m);
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java
index c0e560c..36ef671 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java
@@ -17,6 +17,17 @@ package com.gemstone.gemfire.distributed.internal;
+import java.io.File;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.net.InetAddress;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
 import com.gemstone.gemfire.distributed.DistributedSystem;
 import com.gemstone.gemfire.internal.Config;
 import com.gemstone.gemfire.internal.ConfigSource;
@@ -25,12 +36,6 @@ import com.gemstone.gemfire.internal.logging.LogConfig;
 import com.gemstone.gemfire.internal.tcp.Connection;
 import com.gemstone.gemfire.memcached.GemFireMemcachedServer;
-import java.io.File;
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
-import java.net.InetAddress;
-import java.util.*;
-
 /**
 * Provides accessor (and in some cases mutator) methods for the
 * various GemFire distribution configuration properties. The
@@ -47,7 +52,8 @@ import java.util.*;
 *
 * @since 2.1
 */
-public interface DistributionConfig extends Config, LogConfig {
+public interface
+DistributionConfig extends Config, LogConfig {
 //////////////////// Instance Methods ////////////////////
@@ -3739,11 +3745,11 @@ public interface DistributionConfig extends Config, LogConfig {
 public void setLockMemory(boolean value);
 @ConfigAttribute(type=String.class)
- public String SHIRO_INIT_NAME="shiro-init";
+ public String SECURITY_SHIRO_INIT_NAME ="security-shiro-init";
- @ConfigAttributeSetter(name=SHIRO_INIT_NAME)
+ @ConfigAttributeSetter(name= SECURITY_SHIRO_INIT_NAME)
 public void setShiroInit(String value);
- @ConfigAttributeGetter(name=SHIRO_INIT_NAME)
+ @ConfigAttributeGetter(name= SECURITY_SHIRO_INIT_NAME)
 public String getShiroInit();
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/main/java/com/gemstone/gemfire/internal/AbstractConfig.java
----------------------------------------------------------------------
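Review bot: The interface declaration is now split across two lines, `public interface` / `DistributionConfig extends Config, LogConfig {`, which reads as an accidental line break rather than a formatting choice and should be rejoined as `public interface DistributionConfig extends Config, LogConfig {`. The renamed constant carries stray spacing, `SECURITY_SHIRO_INIT_NAME ="security-shiro-init"` and `name= SECURITY_SHIRO_INIT_NAME`, that the neighbouring attributes in the same hunk do not use. Since the accessors keep the names `setShiroInit`/`getShiroInit` while the property key changed, a Javadoc line on the constant stating that the key is `security-shiro-init` would save the next reader a search.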
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/AbstractConfig.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/AbstractConfig.java
index a4c2f2f..93cb9b2 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/AbstractConfig.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/AbstractConfig.java
@@ -172,7 +172,7 @@ public abstract class AbstractConfig implements Config {
 }
 }
 // hide the shiro-init configuration for now. Remove after we can allow customer to specify shiro.ini file
- if(attName.equals("shiro-init")){
+ if(attName.equals(DistributionConfig.SECURITY_SHIRO_INIT_NAME)){
 continue;
 }
 pw.print(attName);
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
index 6e10f3f..236b00b 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
@@ -18,13 +18,16 @@ package com.gemstone.gemfire.internal.security;
 import java.security.AccessController;
+import java.util.Properties;
 import java.util.Set;
 import java.util.concurrent.Callable;
 import com.gemstone.gemfire.cache.operations.OperationContext;
 import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
 import com.gemstone.gemfire.cache.operations.OperationContext.Resource;
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
 import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.internal.security.shiro.CustomAuthRealm;
 import com.gemstone.gemfire.internal.security.shiro.ShiroPrincipal;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
 import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
@@ -37,6 +40,11 @@ import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.ShiroException;
 import org.apache.shiro.UnavailableSecurityManagerException;
 import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.config.Ini.Section;
+import org.apache.shiro.config.IniSecurityManagerFactory;
+import org.apache.shiro.mgt.DefaultSecurityManager;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.realm.Realm;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.ThreadContext;
@@ -211,4 +219,37 @@ public class GeodeSecurityUtil {
 return true;
 }
+ /**
+ * initialize Shiro's Security Manager and Security Utilities
+ * @param securityProps
+ */
+ public static void initSecurity(Properties securityProps){
+ if(securityProps==null)
+ return;
+
+ String shiroConfig = securityProps.getProperty(DistributionConfig.SECURITY_SHIRO_INIT_NAME);
+ String customAuthenticator =securityProps.getProperty(DistributionConfig.SECURITY_CLIENT_AUTHENTICATOR_NAME);
+ if (!com.gemstone.gemfire.internal.lang.StringUtils.isBlank(shiroConfig)) {
+ IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:"+shiroConfig);
+
+ // we will need to make sure that shiro uses a case sensitive permission resolver
+ Section main = factory.getIni().addSection("main");
+ main.put("geodePermissionResolver", "com.gemstone.gemfire.internal.security.shiro.GeodePermissionResolver");
+ if(!main.containsKey("iniRealm.permissionResolver")) {
+ main.put("iniRealm.permissionResolver", "$geodePermissionResolver");
+ }
+
+ SecurityManager securityManager = factory.getInstance();
+ SecurityUtils.setSecurityManager(securityManager);
+ }
+ else if (!com.gemstone.gemfire.internal.lang.StringUtils.isBlank(customAuthenticator)) {
+ Realm realm = new CustomAuthRealm(securityProps);
+ SecurityManager securityManager = new DefaultSecurityManager(realm);
+ SecurityUtils.setSecurityManager(securityManager);
+ }
+ else{
+ SecurityUtils.setSecurityManager(null);
+ }
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodePermissionResolver.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodePermissionResolver.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodePermissionResolver.java
new file mode 100644
index 0000000..d170756
--- /dev/null
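Review bot: The case-sensitive resolver is bound only to `iniRealm` (`main.put("iniRealm.permissionResolver", "$geodePermissionResolver")`), so any additional realm a deployment declares in the shiro.ini `[main]` section keeps Shiro's default case-insensitive matching, and region names that differ only by case would still be treated as the same permission in that realm; either apply the resolver to every realm the factory builds or state in the `initSecurity` Javadoc that only `iniRealm` is made case-sensitive. The `@param securityProps` tag is empty; it should say these are the `security-*` distribution properties, that `null` leaves the current security manager untouched, and that an `iniRealm.permissionResolver` already present in the ini file is honoured and overrides the Geode default. The inline fully-qualified `com.gemstone.gemfire.internal.lang.StringUtils.isBlank` calls should become an import, as the code removed from SystemManagementService had.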
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/GeodePermissionResolver.java
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.gemstone.gemfire.internal.security.shiro;
+
+import org.apache.shiro.authz.Permission;
+import org.apache.shiro.authz.permission.PermissionResolver;
+import org.apache.shiro.authz.permission.WildcardPermission;
+
+public class GeodePermissionResolver implements PermissionResolver {
+ @Override public Permission resolvePermission(final String permissionString) {
+ return new WildcardPermission(permissionString, true);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java
index fd2a834..b773b94 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java
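Review bot: GeodePermissionResolver has no class Javadoc, and the one thing a reader needs is that `new WildcardPermission(permissionString, true)` makes the whole string case-sensitive, not only the region part: ResourceOperationContext builds its parts from `Resource.name()` and `OperationCode.name()`, so an ini entry written as `data:read:RegionA` will no longer match `DATA:READ:RegionA`. A Javadoc such as `/** PermissionResolver that builds case-sensitive WildcardPermissions, so region names in shiro.ini must match the region's exact spelling and the resource and operation parts must be upper-case as emitted by ResourceOperationContext. */` would capture that. Putting `@Override` on its own line above the signature matches the surrounding files.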
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java
@@ -28,14 +28,13 @@ import com.gemstone.gemfire.cache.Cache;
 import com.gemstone.gemfire.cache.execute.FunctionService;
 import com.gemstone.gemfire.distributed.DistributedMember;
 import com.gemstone.gemfire.distributed.DistributedSystemDisconnectedException;
-import com.gemstone.gemfire.distributed.internal.DistributionConfig;
 import com.gemstone.gemfire.distributed.internal.InternalDistributedSystem;
 import com.gemstone.gemfire.distributed.internal.ResourceEvent;
 import com.gemstone.gemfire.distributed.internal.membership.InternalDistributedMember;
 import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
 import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
-import com.gemstone.gemfire.internal.lang.StringUtils;
 import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.internal.security.GeodeSecurityUtil;
 import com.gemstone.gemfire.management.AlreadyRunningException;
 import com.gemstone.gemfire.management.AsyncEventQueueMXBean;
 import com.gemstone.gemfire.management.CacheServerMXBean;
@@ -54,13 +53,8 @@ import com.gemstone.gemfire.management.RegionMXBean;
 import com.gemstone.gemfire.management.internal.beans.ManagementAdapter;
 import com.gemstone.gemfire.management.membership.MembershipEvent;
 import com.gemstone.gemfire.management.membership.MembershipListener;
-import com.gemstone.gemfire.internal.security.shiro.CustomAuthRealm;
+
 import org.apache.logging.log4j.Logger;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.config.IniSecurityManagerFactory;
-import org.apache.shiro.mgt.DefaultSecurityManager;
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.realm.Realm;
 import org.apache.shiro.util.ThreadContext;
 /**
@@ -157,24 +151,7 @@ public final class SystemManagementService extends BaseManagementService {
 this.jmxAdapter = new MBeanJMXAdapter();
 this.repo = new ManagementResourceRepo();
- DistributionConfig config = system.getConfig();
-
- // setup shiro for authentication and authorization if it's desired
- String shiroConfig = config.getShiroInit();
- String customAuthenticator = config.getSecurityClientAuthenticator();
- if (!StringUtils.isBlank(shiroConfig)) {
- IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:"+shiroConfig);
- SecurityManager securityManager = factory.getInstance();
- SecurityUtils.setSecurityManager(securityManager);
- }
- else if (!StringUtils.isBlank(customAuthenticator)) {
- Realm realm = new CustomAuthRealm(config.getSecurityProps());
- SecurityManager securityManager = new DefaultSecurityManager(realm);
- SecurityUtils.setSecurityManager(securityManager);
- }
- else{
- SecurityUtils.setSecurityManager(null);
- }
+ GeodeSecurityUtil.initSecurity(system.getConfig().getSecurityProps());
 this.notificationHub = new NotificationHub(repo);
 if (system.getConfig().getJmxManager()) {
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
index 2e46104..ab49270 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
@@ -43,7 +43,15 @@ public class ResourceOperationContext extends OperationContext {
 if (operation != null) this.operation = OperationCode.valueOf(operation);
 if (regionName !=null ) this.regionName = regionName;
- setParts(this.resource.name()+":"+this.operation.name()+":"+this.regionName);
+ //for DATA resource, when we construct the lock to guard the operations, there should always be a 3rd part (regionName),
+ // if no regionName is specified, we need to add "NULL" to it.
+ // this means, for general data operations, or operations that we can't put a regionName on yet, like backup diskstore, query data, create regions
+ // it will require DATA:REAT/WRITE:NULL role
+ if(this.resource==Resource.DATA && this.regionName==null){
+ this.regionName = "NULL";
+ }
+
+ setParts(this.resource.name()+":"+this.operation.name()+":"+this.regionName, true);
 }
 @Override
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
index 85a55a7..1c8586f 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
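Review bot: The "NULL" sentinel stored into `this.regionName` for DATA contexts lives in the same namespace as real region names, so `getRegionName()` now reports the literal string "NULL" (the ResourceOperationContextJUnitTest hunk asserts exactly that) and a grant of `DATA:READ:NULL` would also cover a region actually named NULL, if the cache permits such a name; at minimum the comment should say that for DATA the getter returns the sentinel rather than null, and a dedicated constant for the sentinel would make the collision easier to audit. The comment also has a typo, `DATA:REAT/WRITE:NULL`, which should read `DATA:READ/WRITE:NULL`. The enclosing constructor starts outside the hunk.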
@@ -83,7 +83,7 @@ public class CacheServerMBeanShiroJUnitTest {
 @Test
 @JMXConnectionConfiguration(user = "dataReader", password = "12345")
- public void testDataRead() throws Exception{
+ public void ztestDataRead() throws Exception{
 assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
 assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
 assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining(TestCommand.clusterRead.toString());
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
index 97260d8..9c9b4fc 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
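Review bot: Renaming `testDataRead` to `ztestDataRead` looks like an attempt to influence the order in which this test method runs rather than a descriptive name, and nothing in the hunk explains it. If the method depends on state left by the other tests, `@FixMethodOrder(MethodSorters.NAME_ASCENDING)` on the class plus a comment naming the shared state would make the intent explicit and survive a JUnit upgrade; if it does not, the original name should be restored. As written, the next maintainer will read the `z` as a typo and undo it.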
@@ -74,10 +74,10 @@ public class DataCommandsSecurityTest {
 assertThatThrownBy(() -> bean.processCommand("import data --region=region2 --file=foo.txt --member=value")).isInstanceOf(GemFireSecurityException.class);
 assertThatThrownBy(() -> bean.processCommand("put --key=key1 --value=value1 --region=region2")).isInstanceOf(GemFireSecurityException.class)
- .hasMessageContaining("[data]:[write]:[region2]");
+ .hasMessageContaining("DATA:WRITE:region2");
 assertThatThrownBy(() -> bean.processCommand("get --key=key1 --region=region2")).isInstanceOf(GemFireSecurityException.class)
- .hasMessageContaining("[data]:[read]:[region2]");
+ .hasMessageContaining("DATA:READ:region2");
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilCustomRealmJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilCustomRealmJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilCustomRealmJUnitTest.java
index 0bf3cab..52f37e6 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilCustomRealmJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilCustomRealmJUnitTest.java
@@ -17,16 +17,10 @@ package com.gemstone.gemfire.management.internal.security;
-import java.util.Properties;
-
 import com.gemstone.gemfire.distributed.internal.DistributionConfig;
-import com.gemstone.gemfire.internal.security.shiro.CustomAuthRealm;
+import com.gemstone.gemfire.internal.security.GeodeSecurityUtil;
 import com.gemstone.gemfire.test.junit.categories.UnitTest;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.mgt.DefaultSecurityManager;
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.realm.Realm;
 import org.junit.BeforeClass;
 import org.junit.experimental.categories.Category;
@@ -39,14 +33,10 @@ import org.junit.experimental.categories.Category;
 public class GeodeSecurityUtilCustomRealmJUnitTest extends GeodeSecurityUtilWithIniFileJUnitTest {
 @BeforeClass
 public static void beforeClass() throws Exception{
- Properties properties = new Properties();
- properties.put(DistributionConfig.SECURITY_CLIENT_AUTHENTICATOR_NAME, JSONAuthorization.class.getName() + ".create");
- properties.put(DistributionConfig.SECURITY_CLIENT_ACCESSOR_NAME, JSONAuthorization.class.getName() + ".create");
+ props.put(DistributionConfig.SECURITY_CLIENT_AUTHENTICATOR_NAME, JSONAuthorization.class.getName() + ".create");
+ props.put(DistributionConfig.SECURITY_CLIENT_ACCESSOR_NAME, JSONAuthorization.class.getName() + ".create");
 JSONAuthorization.setUpWithJsonFile("shiro-ini.json");
-
- Realm realm = new CustomAuthRealm(properties);
- SecurityManager securityManager = new DefaultSecurityManager(realm);
- SecurityUtils.setSecurityManager(securityManager);
+ GeodeSecurityUtil.initSecurity(props);
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilWithIniFileJUnitTest.java
----------------------------------------------------------------------
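Review bot: `props` is the static Properties inherited from GeodeSecurityUtilWithIniFileJUnitTest, and JUnit runs the superclass `@BeforeClass` before this one, so when this `beforeClass` calls `GeodeSecurityUtil.initSecurity(props)` the map still holds `security-shiro-init=shiro.ini` from the parent; `initSecurity` tests that key before the authenticator key, so the ini realm is installed a second time and the CustomAuthRealm this class is meant to exercise is never installed. Removing the inherited key first, `props.remove(DistributionConfig.SECURITY_SHIRO_INIT_NAME);` ahead of the two `props.put` calls, or giving this class its own Properties instance, restores the intent. A one-line comment on why the key is removed would keep the next refactor from reintroducing the problem.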
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilWithIniFileJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilWithIniFileJUnitTest.java
index fe80180..63bf447 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilWithIniFileJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GeodeSecurityUtilWithIniFileJUnitTest.java
@@ -19,14 +19,14 @@ package com.gemstone.gemfire.management.internal.security;
 import static org.assertj.core.api.Assertions.*;
+import java.util.Properties;
+
 import com.gemstone.gemfire.cache.operations.OperationContext;
-import com.gemstone.gemfire.security.GemFireSecurityException;
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
 import com.gemstone.gemfire.internal.security.GeodeSecurityUtil;
+import com.gemstone.gemfire.security.GemFireSecurityException;
 import com.gemstone.gemfire.test.junit.categories.UnitTest;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.config.IniSecurityManagerFactory;
-import org.apache.shiro.mgt.SecurityManager;
 import org.apache.shiro.util.ThreadContext;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
@@ -39,12 +39,11 @@ import org.junit.experimental.categories.Category;
 */
 @Category(UnitTest.class)
 public class GeodeSecurityUtilWithIniFileJUnitTest {
+ protected static Properties props = new Properties();
 @BeforeClass
 public static void beforeClass() throws Exception{
- ThreadContext.remove();
- IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:shiro.ini");
- SecurityManager securityManager = factory.getInstance();
- SecurityUtils.setSecurityManager(securityManager);
+ props.setProperty(DistributionConfig.SECURITY_SHIRO_INIT_NAME, "shiro.ini");
+ GeodeSecurityUtil.initSecurity(props);
 }
 @AfterClass
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GfshCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GfshCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GfshCommandsSecurityTest.java
index 8eaaf6a..377ab77 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GfshCommandsSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GfshCommandsSecurityTest.java
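Review bot: The `ThreadContext.remove()` that used to run before the security manager was installed is dropped from `beforeClass`, and `initSecurity` does not clear the thread context either, so a Subject bound by an earlier test class in the same JVM can survive into this one unless the `@AfterClass` outside the hunk takes care of it; keeping `ThreadContext.remove();` as the first statement is cheap insurance. The new `protected static Properties props` is a shared mutable static that subclasses write into (GeodeSecurityUtilCustomRealmJUnitTest adds authenticator keys to the same instance), which deserves a comment on the field such as `// shared with subclasses; entries set here remain visible in their @BeforeClass`. The class body continues outside the hunk.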
@@ -112,7 +112,7 @@ public class GfshCommandsSecurityTest {
 private void runCommandsWithAndWithout(String permission) throws Exception{
- List permitted = TestCommand.getPermittedCommands(new WildcardPermission(permission));
+ List permitted = TestCommand.getPermittedCommands(new WildcardPermission(permission, true));
 for(TestCommand clusterRead:permitted) {
 LogService.getLogger().info("Processing authorized command: "+clusterRead.getCommand());gfsh.executeCommand(clusterRead.getCommand());
 CommandResult result = (CommandResult) gfsh.getResult();
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java
index 9e2e41a..ec89aaa 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContextJUnitTest.java
@@ -61,6 +61,11 @@ public class ResourceOperationContextJUnitTest {
 context = new ResourceOperationContext("DATA", null, null);
 assertEquals(Resource.DATA, context.getResource());
 assertEquals(OperationCode.NULL, context.getOperationCode());
+ assertEquals("NULL", context.getRegionName());
+
+ context = new ResourceOperationContext("CLUSTER", null, null);
+ assertEquals(Resource.CLUSTER, context.getResource());
+ assertEquals(OperationCode.NULL, context.getOperationCode());
 assertEquals(null, context.getRegionName());
 context = new ResourceOperationContext(null, "MANAGE", "REGIONA");
@@ -77,12 +82,12 @@ public class ResourceOperationContextJUnitTest {
 @Test
 public void testToString(){
 context = new ResourceOperationContext();
- assertEquals("[null]:[null]:[null]", context.toString());
+ assertEquals("NULL:NULL", context.toString());
 context = new ResourceOperationContext("DATA", "MANAGE");
- assertEquals("[data]:[manage]:[null]", context.toString());
+ assertEquals("DATA:MANAGE:NULL", context.toString());
 context = new ResourceOperationContext("DATA", "MANAGE", "REGIONA");
- assertEquals("[data]:[manage]:[regiona]", context.toString());
+ assertEquals("DATA:MANAGE:REGIONA", context.toString());
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShiroCacheStartRule.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShiroCacheStartRule.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShiroCacheStartRule.java
index 7d683f3..f4c2e06 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShiroCacheStartRule.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShiroCacheStartRule.java
@@ -43,7 +43,7 @@ public class ShiroCacheStartRule extends ExternalResource {
 properties.put(DistributionConfig.JMX_MANAGER_START_NAME, "true");
 properties.put(DistributionConfig.JMX_MANAGER_PORT_NAME, String.valueOf(jmxManagerPort));
 properties.put(DistributionConfig.HTTP_SERVICE_PORT_NAME, "0");
- properties.put(DistributionConfig.SHIRO_INIT_NAME, shiroFile);
+ properties.put(DistributionConfig.SECURITY_SHIRO_INIT_NAME, shiroFile);
 cache = new CacheFactory(properties).create();
 cache.addCacheServer().start();
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/1179c08e/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/TestCommand.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/TestCommand.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/TestCommand.java
index 56eeeec..667330c 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/TestCommand.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/TestCommand.java
@@ -96,14 +96,14 @@ public class TestCommand {
 createTestCommand("destroy region --name=value", dataManage);
 //Data Commands
- createTestCommand("rebalance --include-region=regionA", dataManage);
- createTestCommand("export data --region=regionA --file=export.txt --member=exportMember", regionARead);
- createTestCommand("import data --region=regionA --file=import.txt --member=importMember", regionAWrite);
- createTestCommand("put --key=key1 --value=value1 --region=regionA", regionAWrite);
- createTestCommand("get --key=key1 --region=regionA", regionARead);
- createTestCommand("remove --region=regionA", dataManage);
- createTestCommand("query --query='SELECT * FROM /region1'", dataRead);
- createTestCommand("locate entry --key=k1 --region=regionA", regionARead);
+ createTestCommand("rebalance --include-region=RegionA", dataManage);
+ createTestCommand("export data --region=RegionA --file=export.txt --member=exportMember", regionARead);
+ createTestCommand("import data --region=RegionA --file=import.txt --member=importMember", regionAWrite);
+ createTestCommand("put --key=key1 --value=value1 --region=RegionA", regionAWrite);
+ createTestCommand("get --key=key1 --region=RegionA", regionARead);
+ createTestCommand("remove --region=RegionA", dataManage);
+ createTestCommand("query --query='SELECT * FROM /RegionA'", dataRead);
+ createTestCommand("locate entry --key=k1 --region=RegionA", regionARead);
 // Deploy commands
 //createTestCommand("deploy --jar=group1_functions.jar --group=Group1", dataManage); // TODO: this command will fail in GfshCommandsSecurityTest at interceptor for jar file checking