From jinmeil...@apache.org
Subject [48/50] [abbrv] incubator-geode git commit: GEODE-1571: putting security checks in CQ related commands and add tests.
Date Mon, 27 Jun 2016 21:21:38 GMT
GEODE-1571: putting security checks in CQ related commands and add tests.

* redo the security used for functions.


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/fa66c65c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/fa66c65c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/fa66c65c

Branch: refs/heads/feature/GEODE-1571
Commit: fa66c65c66617f20aa3a78ce76e1655d02e88642
Parents: a534931
Author: Jinmei Liao <jiliao@pivotal.io>
Authored: Mon Jun 27 13:26:44 2016 -0700
Committer: Jinmei Liao <jiliao@pivotal.io>
Committed: Mon Jun 27 13:26:44 2016 -0700

----------------------------------------------------------------------
 .../tier/sockets/command/ExecuteFunction.java   |   2 +-
 .../tier/sockets/command/ExecuteFunction65.java |   2 +-
 .../tier/sockets/command/ExecuteFunction66.java |   2 +-
 .../sockets/command/ExecuteRegionFunction.java  |   2 +-
 .../command/ExecuteRegionFunction65.java        |   2 +-
 .../command/ExecuteRegionFunction66.java        |   2 +-
 .../command/ExecuteRegionFunctionSingleHop.java |   2 +-
 .../sockets/command/GetFunctionAttribute.java   |   4 +-
 .../internal/security/GeodeSecurityUtil.java    |   7 --
 .../gemfire/security/GeodePermission.java       |   6 +-
 ...ntegratedClientQueryAuthDistributedTest.java |  45 ---------
 .../cache/query/internal/cq/ClientCQImpl.java   |   3 +-
 .../cache/tier/sockets/command/CloseCQ.java     |  25 +++--
 .../cache/tier/sockets/command/GetCQStats.java  |  42 ++++----
 .../tier/sockets/command/GetDurableCQs.java     |  16 +--
 .../cache/tier/sockets/command/MonitorCQ.java   |  15 +--
 .../cache/tier/sockets/command/StopCQ.java      |  28 +++---
 ...ntegratedClientQueryAuthDistributedTest.java | 100 +++++++++++++++++++
 18 files changed, 173 insertions(+), 132 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java
index 0f3bdec..1ad2c42 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java
@@ -130,7 +130,7 @@ public class ExecuteFunction extends BaseCommand {
           functionObject = (Function)function;
         }
 
-        GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId());
+        GeodeSecurityUtil.authorizeDataWrite();
 
         FunctionStats stats = FunctionStats.getFunctionStats(functionObject.getId(), null);
         
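Review bot: The added `GeodeSecurityUtil.authorizeDataWrite()` no longer looks at `functionObject.getId()`, so the permission (presumably DATA:WRITE) is the same for every registered function and an operator cannot allow one function while denying another. The same substitution is made in ExecuteFunction65, ExecuteFunction66, ExecuteRegionFunction, ExecuteRegionFunction65, ExecuteRegionFunction66 and ExecuteRegionFunctionSingleHop. Because a function runs server-side code chosen by the client, this mapping deserves a comment at the call, e.g. `// function execution is authorized as unscoped data write; the function id is not part of the permission`, and a matching line in the security documentation. The enclosing method starts and ends outside the hunk.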

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java
index ff6cdd6..fdd33ac 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java
@@ -146,7 +146,7 @@ public class ExecuteFunction65 extends BaseCommand {
         functionObject = (Function) function;
       }
 
-      GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId());
+      GeodeSecurityUtil.authorizeDataWrite();
 
       FunctionStats stats = FunctionStats.getFunctionStats(functionObject.getId(), null);
       // check if the caller is authorized to do this operation on server

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java
index d5f3660..5ed8e00 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java
@@ -186,7 +186,7 @@ public class ExecuteFunction66 extends BaseCommand {
         functionObject = (Function) function;
       }
 
-      GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId());
+      GeodeSecurityUtil.authorizeDataWrite();
 
       FunctionStats stats = FunctionStats.getFunctionStats(functionObject.getId(), null);
       // check if the caller is authorized to do this operation on server

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java
index 6889e32..7f37688 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java
@@ -152,7 +152,7 @@ public class ExecuteRegionFunction extends BaseCommand {
         functionObject = (Function) function;
       }
 
-      GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId());
+      GeodeSecurityUtil.authorizeDataWrite();
 
       // check if the caller is authorized to do this operation on server
       AuthorizeRequest authzRequest = servConn.getAuthzRequest();
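Review bot: `authorizeDataWrite()` takes no region argument, so for a region function the check is not tied to the region the function runs on. Since `GeodePermission` extends `WildcardPermission`, a grant limited to the target region is probably not enough, and operators would have to hand out data write on all regions just to allow one region function. The three-argument `authorize(resource, operation, name)` form that the removed helpers used is still in GeodeSecurityUtil, so `GeodeSecurityUtil.authorize("DATA", "WRITE", regionName);` would keep the check scoped, assuming the region name has already been read from the message above this hunk. The same applies to ExecuteRegionFunction65, ExecuteRegionFunction66 and ExecuteRegionFunctionSingleHop.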

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java
index e11787c..652c74e 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java
@@ -182,7 +182,7 @@ public class ExecuteRegionFunction65 extends BaseCommand {
         functionObject = (Function) function;
       }
 
-      GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId());
+      GeodeSecurityUtil.authorizeDataWrite();
 
       // check if the caller is authorized to do this operation on server
       AuthorizeRequest authzRequest = servConn.getAuthzRequest();

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java
index 36285bf..7c81b8c 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java
@@ -199,7 +199,7 @@ public class ExecuteRegionFunction66 extends BaseCommand {
         functionObject = (Function) function;
       }
 
-      GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId());
+      GeodeSecurityUtil.authorizeDataWrite();
 
       // check if the caller is authorized to do this operation on server
       AuthorizeRequest authzRequest = servConn.getAuthzRequest();

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java
index 1bfe7de..fcbe47d 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java
@@ -200,7 +200,7 @@ public class ExecuteRegionFunctionSingleHop extends BaseCommand {
         functionObject = (Function) function;
       }
 
-      GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId());
+      GeodeSecurityUtil.authorizeDataWrite();
 
       // check if the caller is authorized to do this operation on server
       AuthorizeRequest authzRequest = servConn.getAuthzRequest();

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java
index 871a80b..1cf1ea4 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java
@@ -62,15 +62,13 @@ public class GetFunctionAttribute extends BaseCommand {
       return;
     }
 
-    GeodeSecurityUtil.authorizeFunctionRead(functionId);
+    GeodeSecurityUtil.authorizeClusterRead();
 
     byte[] functionAttributes = new byte[3];
     functionAttributes[0] = (byte)(function.hasResult() ? 1 : 0);
     functionAttributes[1] = (byte)(function.isHA() ? 1 : 0);
     functionAttributes[2] = (byte)(function.optimizeForWrite() ? 1 : 0);
     writeResponseWithFunctionAttribute(functionAttributes, msg, servConn);
-
-
   }
 
   private void sendError(Message msg, String message, ServerConnection servConn)
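Review bot: `GeodeSecurityUtil.authorizeClusterRead()` runs only after the early `return` at the top of this hunk, so whatever that branch reports is sent before the caller's permission is checked. If that branch is the unknown-function error (its condition is outside the hunk), a client without the permission can still tell registered function ids from unregistered ones. Moving the call above the function lookup closes that gap, with a comment such as `// authorize first so unauthorized callers learn nothing about registered functions`.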

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
index 7cc7dbf..0ae3f7d 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java
@@ -237,13 +237,6 @@ public class GeodeSecurityUtil {
     authorize("DATA", "READ", regionName, key);
   }
 
-  public static void authorizeFunctionExec(String function){
-    authorize("FUNCTION", "EXEC", function);
-  }
-  public static void authorizeFunctionRead(String function){
-    authorize("FUNCTION", "READ", function);
-  }
-
   public static void authorize(String resource, String operation) {
     authorize(resource, operation, null);
   }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java b/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java
index b1aad84..22b53b1 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java
@@ -27,16 +27,14 @@ public class GeodePermission extends WildcardPermission {
   public enum Resource {
     NULL,
     CLUSTER,
-    DATA,
-    FUNCTION
+    DATA
   }
 
   public enum Operation {
     NULL,
     MANAGE,
     WRITE,
-    READ,
-    EXEC
+    READ
   }
 
   public Resource getResource() {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java
b/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java
deleted file mode 100644
index 8651a2f..0000000
--- a/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.security;
-
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.cache.Region;
-import com.gemstone.gemfire.cache.client.Pool;
-import com.gemstone.gemfire.cache.client.PoolManager;
-import com.gemstone.gemfire.test.junit.categories.DistributedTest;
-
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
-
-@Category(DistributedTest.class)
-public class IntegratedClientQueryAuthDistributedTest extends AbstractIntegratedClientAuthDistributedTest
{
-
-  @Test
-  public void testQuery(){
-    client1.invoke(()-> {
-      Cache cache = SecurityTestUtils.createCacheClient("stranger", "1234567", serverPort,
SecurityTestUtils.NO_EXCEPTION);
-      final Region region = cache.getRegion(SecurityTestUtils.REGION_NAME);
-
-      String query = "select * from /AuthRegion";
-      assertNotAuthorized(()->region.query(query), "DATA:READ:AuthRegion");
-
-      Pool pool = PoolManager.find(region);
-      assertNotAuthorized(()->pool.getQueryService().newQuery(query).execute(), "DATA:READ:AuthRegion");
-    });
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java
----------------------------------------------------------------------
diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java
b/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java
index 7fbd9d0..f6de4ce 100644
--- a/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java
+++ b/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java
@@ -453,8 +453,7 @@ public class ClientCQImpl extends CqQueryImpl implements ClientCQ {
             if (securityLogWriter.warningEnabled()) {
               securityLogWriter.warning(LocalizedStrings.CqQueryImpl_EXCEPTION_WHILE_EXECUTING_CQ_EXCEPTION_0,
ex, null);              
             }
-            throw new CqException(
-              LocalizedStrings.CqQueryImpl_GOT_SECURITY_EXCEPTION_WHILE_EXECUTING_CQ_ON_SERVER.toLocalizedString(),
ex.getCause());  
+            throw new CqException(ex.getCause().getMessage(), ex.getCause());
           } else if(ex instanceof CqException) {
             throw (CqException)ex;
           } else {
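Review bot: The new `throw new CqException(ex.getCause().getMessage(), ex.getCause());` dereferences `ex.getCause()` with no null check visible in this hunk, and it passes on whatever message the cause carries, which may itself be null. The branch condition is outside the hunk, so the cause may already be guaranteed non-null there; if it is not, this line replaces the security failure with a NullPointerException. Binding the cause to a local and keeping the removed localized text as a prefix, e.g. `LocalizedStrings.CqQueryImpl_GOT_SECURITY_EXCEPTION_WHILE_EXECUTING_CQ_ON_SERVER.toLocalizedString() + ": " + cause.getMessage()`, would keep the exception message non-null and still contain the server's permission string.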

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java
----------------------------------------------------------------------
diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java
b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java
index 2b25d89..0908783 100644
--- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java
+++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java
@@ -16,23 +16,24 @@
  */
 package com.gemstone.gemfire.internal.cache.tier.sockets.command;
 
-import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper;
-import com.gemstone.gemfire.internal.cache.tier.Command;
-import com.gemstone.gemfire.internal.cache.tier.MessageType;
-import com.gemstone.gemfire.internal.cache.tier.sockets.*;
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
+
 import com.gemstone.gemfire.cache.query.CqException;
-import com.gemstone.gemfire.cache.query.CqQuery;
-import com.gemstone.gemfire.distributed.internal.DistributionStats;
-import com.gemstone.gemfire.cache.query.internal.DefaultQueryService;
 import com.gemstone.gemfire.cache.query.internal.cq.CqService;
 import com.gemstone.gemfire.cache.query.internal.cq.InternalCqQuery;
+import com.gemstone.gemfire.distributed.internal.DistributionStats;
+import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper;
+import com.gemstone.gemfire.internal.cache.tier.Command;
+import com.gemstone.gemfire.internal.cache.tier.MessageType;
+import com.gemstone.gemfire.internal.cache.tier.sockets.CacheServerStats;
 import com.gemstone.gemfire.internal.cache.tier.sockets.ClientProxyMembershipID;
+import com.gemstone.gemfire.internal.cache.tier.sockets.Message;
+import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection;
 import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
 import com.gemstone.gemfire.internal.security.AuthorizeRequest;
-
-import java.io.IOException;
-import java.util.HashSet;
-import java.util.Set;
+import com.gemstone.gemfire.internal.security.GeodeSecurityUtil;
 
 
 public class CloseCQ extends BaseCQCommand {
@@ -74,6 +75,8 @@ public class CloseCQ extends BaseCQCommand {
       return;
     }
 
+    GeodeSecurityUtil.authorizeDataManage();
+
     // Process CQ close request
     try {
       // Append Client ID to CQ name
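Review bot: Closing a CQ now requires the unscoped `authorizeDataManage()` permission, which is broader than what registering the CQ needs. The test added in this commit shows `authRegionReader` running `cq.execute()` on `CQ1` and then being denied `cq.stop()` with `DATA:MANAGE`, so a read-only principal can create server-side CQs it is not allowed to stop or close. Unless the server reclaims them on disconnect (not visible here), those CQs stay registered. Consider letting the owning client stop and close its own CQ under the permission used to execute it, or add a comment at the call stating why MANAGE is required. The StopCQ hunk adds the same check.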

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java
----------------------------------------------------------------------
diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java
b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java
index 5c51fd0..6b82913 100644
--- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java
+++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java
@@ -17,16 +17,17 @@
 package com.gemstone.gemfire.internal.cache.tier.sockets.command;
 
 
+import java.io.IOException;
+
+import com.gemstone.gemfire.cache.query.internal.cq.CqService;
+import com.gemstone.gemfire.distributed.internal.DistributionStats;
 import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper;
 import com.gemstone.gemfire.internal.cache.tier.Command;
 import com.gemstone.gemfire.internal.cache.tier.MessageType;
-import com.gemstone.gemfire.internal.cache.tier.sockets.*;
-import com.gemstone.gemfire.cache.query.CqException;
-import com.gemstone.gemfire.distributed.internal.DistributionStats;
-import com.gemstone.gemfire.cache.query.internal.DefaultQueryService;
-import com.gemstone.gemfire.cache.query.internal.cq.CqService;
-
-import java.io.IOException;
+import com.gemstone.gemfire.internal.cache.tier.sockets.CacheServerStats;
+import com.gemstone.gemfire.internal.cache.tier.sockets.Message;
+import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection;
+import com.gemstone.gemfire.internal.security.GeodeSecurityUtil;
 
 
 public class GetCQStats extends BaseCQCommand {
@@ -68,22 +69,21 @@ public class GetCQStats extends BaseCQCommand {
       sendCqResponse(MessageType.CQDATAERROR_MSG_TYPE, err, msg
           .getTransactionId(), null, servConn);
       return;
+    }
 
+    GeodeSecurityUtil.authorizeClusterRead();
+    // Process the cq request
+    try {
+      // make sure the cqservice has been created
+      // since that is what registers the stats
+      CqService cqService = crHelper.getCache().getCqService();
+      cqService.start();
     }
-    else {
-      // Process the cq request
-      try {
-        // make sure the cqservice has been created
-        // since that is what registers the stats
-        CqService cqService = crHelper.getCache().getCqService();
-        cqService.start();
-      }
-      catch (Exception e) {
-        String err = "Exception while Getting the CQ Statistics. ";
-        sendCqResponse(MessageType.CQ_EXCEPTION_TYPE, err, msg
-            .getTransactionId(), e, servConn);
-        return;
-      }
+    catch (Exception e) {
+      String err = "Exception while Getting the CQ Statistics. ";
+      sendCqResponse(MessageType.CQ_EXCEPTION_TYPE, err, msg
+          .getTransactionId(), e, servConn);
+      return;
     }
     // Send OK to client
     sendCqResponse(MessageType.REPLY, "cq stats sent successfully.", msg
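Review bot: `GeodeSecurityUtil.authorizeClusterRead()` sits between the early-return block and the `try`, so a denial skips the `sendCqResponse(MessageType.CQ_EXCEPTION_TYPE, ...)` path and propagates to whatever calls this method, which is outside the hunk. CloseCQ and MonitorCQ place their checks the same way, while GetDurableCQs and (judging by indentation) StopCQ call theirs inside a `try` whose catch clauses are not shown. If those catch `Exception` like the handler here, the client would get a generic CQ error instead of an authorization failure. Pick one placement for all five commands and note it at the call, e.g. `// authorize before the try so a denial is not rewrapped as a CQ exception`.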

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java
----------------------------------------------------------------------
diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java
b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java
index f06d61f..dc1d461 100755
--- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java
+++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java
@@ -20,30 +20,22 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
-import java.util.Set;
 
-import com.gemstone.gemfire.cache.Region;
-import com.gemstone.gemfire.cache.operations.GetDurableCQsOperationContext;
 import com.gemstone.gemfire.cache.query.CqException;
-import com.gemstone.gemfire.cache.query.Query;
-import com.gemstone.gemfire.cache.query.internal.DefaultQuery;
 import com.gemstone.gemfire.cache.query.internal.DefaultQueryService;
 import com.gemstone.gemfire.cache.query.internal.cq.CqService;
-import com.gemstone.gemfire.cache.query.internal.cq.InternalCqQuery;
-import com.gemstone.gemfire.distributed.internal.DistributionStats;
 import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
 import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper;
 import com.gemstone.gemfire.internal.cache.tier.Command;
 import com.gemstone.gemfire.internal.cache.tier.MessageType;
 import com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl;
-import com.gemstone.gemfire.internal.cache.tier.sockets.BaseCommand;
 import com.gemstone.gemfire.internal.cache.tier.sockets.CacheServerStats;
 import com.gemstone.gemfire.internal.cache.tier.sockets.ChunkedMessage;
 import com.gemstone.gemfire.internal.cache.tier.sockets.ClientProxyMembershipID;
 import com.gemstone.gemfire.internal.cache.tier.sockets.Message;
 import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection;
-import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
 import com.gemstone.gemfire.internal.security.AuthorizeRequest;
+import com.gemstone.gemfire.internal.security.GeodeSecurityUtil;
 
 
 public class GetDurableCQs extends BaseCQCommand {
@@ -74,15 +66,13 @@ public class GetDurableCQs extends BaseCQCommand {
 
     DefaultQueryService qService = null;
     CqService cqServiceForExec = null;
-    Query query = null;
-    Set cqRegionNames = null;
-    GetDurableCQsOperationContext getDurableCqsOperationContext = null;
-    InternalCqQuery cqQuery = null;
 
     try {
       qService = (DefaultQueryService) ((GemFireCacheImpl) crHelper.getCache())
           .getLocalQueryService();
 
+      GeodeSecurityUtil.authorizeClusterRead();
+
       // Authorization check
       AuthorizeRequest authzRequest = servConn.getAuthzRequest();
       if (authzRequest != null) {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java
----------------------------------------------------------------------
diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java
b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java
index bf18dae..f9ca140 100644
--- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java
+++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java
@@ -17,16 +17,17 @@
 package com.gemstone.gemfire.internal.cache.tier.sockets.command;
 
 
+import java.io.IOException;
+
+import com.gemstone.gemfire.cache.query.CqException;
+import com.gemstone.gemfire.cache.query.internal.cq.CqService;
 import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper;
 import com.gemstone.gemfire.internal.cache.tier.Command;
 import com.gemstone.gemfire.internal.cache.tier.MessageType;
-import com.gemstone.gemfire.internal.cache.tier.sockets.*;
+import com.gemstone.gemfire.internal.cache.tier.sockets.Message;
+import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection;
 import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
-import com.gemstone.gemfire.cache.query.CqException;
-import com.gemstone.gemfire.cache.query.internal.DefaultQueryService;
-import com.gemstone.gemfire.cache.query.internal.cq.CqService;
-
-import java.io.IOException;
+import com.gemstone.gemfire.internal.security.GeodeSecurityUtil;
 
 public class MonitorCQ extends BaseCQCommand {
 
@@ -73,6 +74,8 @@ public class MonitorCQ extends BaseCQCommand {
       logger.debug("{}: Received MonitorCq request from {} op: {}{}", servConn.getName(),
servConn.getSocketString(), op, (regionName != null) ? " RegionName: " + regionName : "");
     }
 
+    GeodeSecurityUtil.authorizeClusterRead();
+
     try {
       CqService cqService = crHelper.getCache().getCqService();
       cqService.start();

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java
----------------------------------------------------------------------
diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java
b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java
index 1bdf352..9231bfc 100644
--- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java
+++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java
@@ -16,25 +16,25 @@
  */
 package com.gemstone.gemfire.internal.cache.tier.sockets.command;
 
-import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper;
-import com.gemstone.gemfire.internal.cache.tier.Command;
-import com.gemstone.gemfire.internal.cache.tier.MessageType;
-import com.gemstone.gemfire.internal.cache.tier.sockets.*;
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
+
 import com.gemstone.gemfire.cache.query.CqException;
-import com.gemstone.gemfire.cache.query.CqQuery;
-import com.gemstone.gemfire.distributed.internal.DistributionStats;
-import com.gemstone.gemfire.cache.query.internal.DefaultQueryService;
 import com.gemstone.gemfire.cache.query.internal.cq.CqQueryImpl;
 import com.gemstone.gemfire.cache.query.internal.cq.CqService;
-import com.gemstone.gemfire.cache.query.internal.cq.CqServiceImpl;
 import com.gemstone.gemfire.cache.query.internal.cq.InternalCqQuery;
+import com.gemstone.gemfire.distributed.internal.DistributionStats;
+import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper;
+import com.gemstone.gemfire.internal.cache.tier.Command;
+import com.gemstone.gemfire.internal.cache.tier.MessageType;
+import com.gemstone.gemfire.internal.cache.tier.sockets.CacheServerStats;
 import com.gemstone.gemfire.internal.cache.tier.sockets.ClientProxyMembershipID;
+import com.gemstone.gemfire.internal.cache.tier.sockets.Message;
+import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection;
 import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
 import com.gemstone.gemfire.internal.security.AuthorizeRequest;
-
-import java.io.IOException;
-import java.util.HashSet;
-import java.util.Set;
+import com.gemstone.gemfire.internal.security.GeodeSecurityUtil;
 
 
 public class StopCQ extends BaseCQCommand {
@@ -88,7 +88,9 @@ public class StopCQ extends BaseCQCommand {
         serverCqName = cqService.constructServerCqName(cqName, id);
       }
       InternalCqQuery cqQuery = cqService.getCq(serverCqName);
-      
+
+      GeodeSecurityUtil.authorizeDataManage();
+
       AuthorizeRequest authzRequest = servConn.getAuthzRequest();
       if (authzRequest != null) {
         String queryStr = null;

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java
----------------------------------------------------------------------
diff --git a/geode-cq/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java
b/geode-cq/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java
new file mode 100644
index 0000000..a484160
--- /dev/null
+++ b/geode-cq/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security;
+
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.cache.Region;
+import com.gemstone.gemfire.cache.client.Pool;
+import com.gemstone.gemfire.cache.client.PoolManager;
+import com.gemstone.gemfire.cache.query.CqAttributes;
+import com.gemstone.gemfire.cache.query.CqAttributesFactory;
+import com.gemstone.gemfire.cache.query.CqQuery;
+import com.gemstone.gemfire.cache.query.QueryService;
+import com.gemstone.gemfire.test.junit.categories.DistributedTest;
+
+@Category(DistributedTest.class)
+public class IntegratedClientQueryAuthDistributedTest extends AbstractIntegratedClientAuthDistributedTest
{
+
+  @Test
+  public void testQuery(){
+    client1.invoke(()-> {
+      Cache cache = SecurityTestUtils.createCacheClient("stranger", "1234567", serverPort,
SecurityTestUtils.NO_EXCEPTION);
+      final Region region = cache.getRegion(SecurityTestUtils.REGION_NAME);
+
+      String query = "select * from /AuthRegion";
+      assertNotAuthorized(()->region.query(query), "DATA:READ:AuthRegion");
+
+      Pool pool = PoolManager.find(region);
+      assertNotAuthorized(()->pool.getQueryService().newQuery(query).execute(), "DATA:READ:AuthRegion");
+    });
+  }
+
+  @Test
+  public void testCQ(){
+    String query = "select * from /AuthRegion";
+    client1.invoke(()-> {
+      Cache cache = SecurityTestUtils.createCacheClient("stranger", "1234567", serverPort,
SecurityTestUtils.NO_EXCEPTION);
+      Region region = cache.getRegion(SecurityTestUtils.REGION_NAME);
+      Pool pool = PoolManager.find(region);
+      QueryService qs = pool.getQueryService();
+
+      CqAttributes cqa = new CqAttributesFactory().create();
+
+      // Create the CqQuery
+      CqQuery cq = qs.newCq("CQ1", query, cqa);
+
+      assertNotAuthorized(()->cq.executeWithInitialResults(), "DATA:READ:AuthRegion");
+      assertNotAuthorized(()->cq.execute(), "DATA:READ:AuthRegion");
+
+      assertNotAuthorized(()->cq.close(), "DATA:MANAGE");
+    });
+
+    client2.invoke(()-> {
+      Cache cache = SecurityTestUtils.createCacheClient("authRegionReader", "1234567", serverPort,
SecurityTestUtils.NO_EXCEPTION);
+      Region region = cache.getRegion(SecurityTestUtils.REGION_NAME);
+      Pool pool = PoolManager.find(region);
+      QueryService qs = pool.getQueryService();
+
+      CqAttributes cqa = new CqAttributesFactory().create();
+      // Create the CqQuery
+      CqQuery cq = qs.newCq("CQ1", query, cqa);
+      cq.execute();
+
+      assertNotAuthorized(()->cq.stop(), "DATA:MANAGE");
+      assertNotAuthorized(()->qs.getAllDurableCqsFromServer(), "CLUSTER:READ");
+    });
+
+    client3.invoke(()-> {
+      Cache cache = SecurityTestUtils.createCacheClient("super-user", "1234567", serverPort,
SecurityTestUtils.NO_EXCEPTION);
+      Region region = cache.getRegion(SecurityTestUtils.REGION_NAME);
+      Pool pool = PoolManager.find(region);
+      QueryService qs = pool.getQueryService();
+
+      CqAttributes cqa = new CqAttributesFactory().create();
+
+      // Create the CqQuery
+      CqQuery cq = qs.newCq("CQ1", query, cqa);
+      cq.execute();
+
+      cq.stop();
+    });
+  }
+
+}
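Review bot: `testCQ` asserts the denial paths but not the success path for most of the new checks: the `super-user` block only calls `cq.execute()` and `cq.stop()`, so `close()` and `getAllDurableCqsFromServer()` are never shown to succeed for an authorized principal. A check on those two that rejected every caller would still pass this test. GetCQStats and MonitorCQ, which gain `authorizeClusterRead()` in this commit, and the function commands switched to `authorizeDataWrite()` have no test in this file. Adding `qs.getAllDurableCqsFromServer();` and `cq.close();` to the `client3` block would cover the positive side, and closing the CQ there also keeps the test from leaving `CQ1` open when it ends.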

