Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 7A072200B3C for ; Mon, 27 Jun 2016 23:21:09 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 78C7D160A5B; Mon, 27 Jun 2016 21:21:09 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 0CAF1160A54 for ; Mon, 27 Jun 2016 23:21:07 +0200 (CEST) Received: (qmail 39821 invoked by uid 500); 27 Jun 2016 21:21:07 -0000 Mailing-List: contact commits-help@geode.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@geode.incubator.apache.org Delivered-To: mailing list commits@geode.incubator.apache.org Received: (qmail 39812 invoked by uid 99); 27 Jun 2016 21:21:07 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 27 Jun 2016 21:21:07 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id C22411805ED for ; Mon, 27 Jun 2016 21:21:06 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -4.646 X-Spam-Level: X-Spam-Status: No, score=-4.646 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426] autolearn=disabled Received: from mx2-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id 4fBNuHgra1fu for ; Mon, 27 Jun 2016 21:20:54 +0000 (UTC) Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by 
mx2-lw-eu.apache.org (ASF Mail Server at mx2-lw-eu.apache.org) with SMTP id C8A0F60CDE for ; Mon, 27 Jun 2016 21:20:52 +0000 (UTC) Received: (qmail 35998 invoked by uid 99); 27 Jun 2016 21:20:52 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 27 Jun 2016 21:20:52 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id EC686E95B7; Mon, 27 Jun 2016 21:20:51 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: jinmeiliao@apache.org To: commits@geode.incubator.apache.org Date: Mon, 27 Jun 2016 21:21:38 -0000 Message-Id: <7ac42f51d68a4b34a8011248cde0ccf3@git.apache.org> In-Reply-To: <24ba314e899c4361b472ed9567d1f7cb@git.apache.org> References: <24ba314e899c4361b472ed9567d1f7cb@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [48/50] [abbrv] incubator-geode git commit: GEODE-1571: putting security checks in CQ related commands and add tests. archived-at: Mon, 27 Jun 2016 21:21:09 -0000 GEODE-1571: putting security checks in CQ related commands and add tests. * redo the security used for functions. Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/fa66c65c Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/fa66c65c Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/fa66c65c Branch: refs/heads/feature/GEODE-1571 Commit: fa66c65c66617f20aa3a78ce76e1655d02e88642 Parents: a534931 Author: Jinmei Liao Authored: Mon Jun 27 13:26:44 2016 -0700 Committer: Jinmei Liao Committed: Mon Jun 27 13:26:44 2016 -0700 ---------------------------------------------------------------------- .../tier/sockets/command/ExecuteFunction.java | 2 +- .../tier/sockets/command/ExecuteFunction65.java | 2 +- .../tier/sockets/command/ExecuteFunction66.java | 2 +- .../sockets/command/ExecuteRegionFunction.java | 2 +- .../command/ExecuteRegionFunction65.java | 2 +- .../command/ExecuteRegionFunction66.java | 2 +- .../command/ExecuteRegionFunctionSingleHop.java | 2 +- .../sockets/command/GetFunctionAttribute.java | 4 +- .../internal/security/GeodeSecurityUtil.java | 7 -- .../gemfire/security/GeodePermission.java | 6 +- ...ntegratedClientQueryAuthDistributedTest.java | 45 --------- .../cache/query/internal/cq/ClientCQImpl.java | 3 +- .../cache/tier/sockets/command/CloseCQ.java | 25 +++-- .../cache/tier/sockets/command/GetCQStats.java | 42 ++++---- 
.../tier/sockets/command/GetDurableCQs.java | 16 +-- .../cache/tier/sockets/command/MonitorCQ.java | 15 +-- .../cache/tier/sockets/command/StopCQ.java | 28 +++--- ...ntegratedClientQueryAuthDistributedTest.java | 100 +++++++++++++++++++ 18 files changed, 173 insertions(+), 132 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java index 0f3bdec..1ad2c42 100755 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction.java @@ -130,7 +130,7 @@ public class ExecuteFunction extends BaseCommand { functionObject = (Function)function; } - GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId()); + GeodeSecurityUtil.authorizeDataWrite(); FunctionStats stats = FunctionStats.getFunctionStats(functionObject.getId(), null); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java index ff6cdd6..fdd33ac 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java 
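Review bot: Replacing `authorizeFunctionExec(functionObject.getId())` with `GeodeSecurityUtil.authorizeDataWrite()` in ExecuteFunction drops the function id from the permission check, so any principal holding DATA:WRITE can invoke every function registered on the server, and a function is arbitrary server-side code. The same one-line change is repeated in ExecuteFunction65, ExecuteFunction66, ExecuteRegionFunction, ExecuteRegionFunction65, ExecuteRegionFunction66 and ExecuteRegionFunctionSingleHop, and in the region variants the check is not narrowed to the target region either. If the FUNCTION resource is being retired on purpose, the region commands could still pass the region through the three-argument form, e.g. `GeodeSecurityUtil.authorize("DATA", "WRITE", regionName);` (assuming the region name is already parsed at that point, which is outside these hunks). A comment such as `// all functions share DATA:WRITE; there is no per-function permission in this layer` would record the decision next to the call. The enclosing method starts and ends outside each hunk.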
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction65.java @@ -146,7 +146,7 @@ public class ExecuteFunction65 extends BaseCommand { functionObject = (Function) function; } - GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId()); + GeodeSecurityUtil.authorizeDataWrite(); FunctionStats stats = FunctionStats.getFunctionStats(functionObject.getId(), null); // check if the caller is authorized to do this operation on server http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java index d5f3660..5ed8e00 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteFunction66.java @@ -186,7 +186,7 @@ public class ExecuteFunction66 extends BaseCommand { functionObject = (Function) function; } - GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId()); + GeodeSecurityUtil.authorizeDataWrite(); FunctionStats stats = FunctionStats.getFunctionStats(functionObject.getId(), null); // check if the caller is authorized to do this operation on server http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java ---------------------------------------------------------------------- 
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java index 6889e32..7f37688 100755 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction.java @@ -152,7 +152,7 @@ public class ExecuteRegionFunction extends BaseCommand { functionObject = (Function) function; } - GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId()); + GeodeSecurityUtil.authorizeDataWrite(); // check if the caller is authorized to do this operation on server AuthorizeRequest authzRequest = servConn.getAuthzRequest(); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java index e11787c..652c74e 100755 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction65.java 
@@ -182,7 +182,7 @@ public class ExecuteRegionFunction65 extends BaseCommand { functionObject = (Function) function; } - GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId()); + GeodeSecurityUtil.authorizeDataWrite(); // check if the caller is authorized to do this operation on server AuthorizeRequest authzRequest = servConn.getAuthzRequest(); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java index 36285bf..7c81b8c 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunction66.java @@ -199,7 +199,7 @@ public class ExecuteRegionFunction66 extends BaseCommand { functionObject = (Function) function; } - GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId()); + GeodeSecurityUtil.authorizeDataWrite(); // check if the caller is authorized to do this operation on server AuthorizeRequest authzRequest = servConn.getAuthzRequest(); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java ---------------------------------------------------------------------- 
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java index 1bfe7de..fcbe47d 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/ExecuteRegionFunctionSingleHop.java @@ -200,7 +200,7 @@ public class ExecuteRegionFunctionSingleHop extends BaseCommand { functionObject = (Function) function; } - GeodeSecurityUtil.authorizeFunctionExec(functionObject.getId()); + GeodeSecurityUtil.authorizeDataWrite(); // check if the caller is authorized to do this operation on server AuthorizeRequest authzRequest = servConn.getAuthzRequest(); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java index 871a80b..1cf1ea4 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetFunctionAttribute.java 
@@ -62,15 +62,13 @@ public class GetFunctionAttribute extends BaseCommand { return; } - GeodeSecurityUtil.authorizeFunctionRead(functionId); + GeodeSecurityUtil.authorizeClusterRead(); byte[] functionAttributes = new byte[3]; functionAttributes[0] = (byte)(function.hasResult() ? 1 : 0); functionAttributes[1] = (byte)(function.isHA() ? 1 : 0); functionAttributes[2] = (byte)(function.optimizeForWrite() ? 1 : 0); writeResponseWithFunctionAttribute(functionAttributes, msg, servConn); - - } private void sendError(Message msg, String message, ServerConnection servConn) http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java index 7cc7dbf..0ae3f7d 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java @@ -237,13 +237,6 @@ public class GeodeSecurityUtil { authorize("DATA", "READ", regionName, key); } - public static void authorizeFunctionExec(String function){ - authorize("FUNCTION", "EXEC", function); - } - public static void authorizeFunctionRead(String function){ - authorize("FUNCTION", "READ", function); - } - public static void authorize(String resource, String operation) { authorize(resource, operation, null); } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java ---------------------------------------------------------------------- 
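Review bot: In GetFunctionAttribute the new `GeodeSecurityUtil.authorizeClusterRead()` still runs only after the early `return;` that precedes it. If that path is the unknown-function error (the condition is above the hunk), a caller without CLUSTER:READ gets a different answer for registered and unregistered function ids, and moving the authorization call ahead of the lookup would make the denial uniform. The switch from the per-function check to a cluster-wide one also deserves a one-line comment, for example `// function attributes are treated as cluster metadata: CLUSTER:READ`, because the removed `functionId` argument was the only thing tying the permission to the function. The method body starts outside the hunk.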
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java b/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java index b1aad84..22b53b1 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/security/GeodePermission.java @@ -27,16 +27,14 @@ public class GeodePermission extends WildcardPermission { public enum Resource { NULL, CLUSTER, - DATA, - FUNCTION + DATA } public enum Operation { NULL, MANAGE, WRITE, - READ, - EXEC + READ } public Resource getResource() { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java b/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java deleted file mode 100644 index 8651a2f..0000000 --- a/geode-core/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java +++ /dev/null 
@@ -1,45 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.gemstone.gemfire.security; - -import com.gemstone.gemfire.cache.Cache; -import com.gemstone.gemfire.cache.Region; -import com.gemstone.gemfire.cache.client.Pool; -import com.gemstone.gemfire.cache.client.PoolManager; -import com.gemstone.gemfire.test.junit.categories.DistributedTest; - -import org.junit.Test; -import org.junit.experimental.categories.Category; - -@Category(DistributedTest.class) -public class IntegratedClientQueryAuthDistributedTest extends AbstractIntegratedClientAuthDistributedTest { - - @Test - public void testQuery(){ - client1.invoke(()-> { - Cache cache = SecurityTestUtils.createCacheClient("stranger", "1234567", serverPort, SecurityTestUtils.NO_EXCEPTION); - final Region region = cache.getRegion(SecurityTestUtils.REGION_NAME); - - String query = "select * from /AuthRegion"; - assertNotAuthorized(()->region.query(query), "DATA:READ:AuthRegion"); - - Pool pool = PoolManager.find(region); - assertNotAuthorized(()->pool.getQueryService().newQuery(query).execute(), "DATA:READ:AuthRegion"); - }); - } - -} 
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java b/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java index 7fbd9d0..f6de4ce 100644 --- a/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java +++ b/geode-cq/src/main/java/com/gemstone/gemfire/cache/query/internal/cq/ClientCQImpl.java @@ -453,8 +453,7 @@ public class ClientCQImpl extends CqQueryImpl implements ClientCQ { if (securityLogWriter.warningEnabled()) { securityLogWriter.warning(LocalizedStrings.CqQueryImpl_EXCEPTION_WHILE_EXECUTING_CQ_EXCEPTION_0, ex, null); } - throw new CqException( - LocalizedStrings.CqQueryImpl_GOT_SECURITY_EXCEPTION_WHILE_EXECUTING_CQ_ON_SERVER.toLocalizedString(), ex.getCause()); + throw new CqException(ex.getCause().getMessage(), ex.getCause()); } else if(ex instanceof CqException) { throw (CqException)ex; } else { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java index 2b25d89..0908783 100644 --- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java +++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/CloseCQ.java 
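Review bot: `throw new CqException(ex.getCause().getMessage(), ex.getCause());` in ClientCQImpl dereferences `ex.getCause()`, which the replaced code only passed through, so an exception reaching this branch without a cause now fails with a NullPointerException and hides the security failure. Unless the branch condition (above the hunk) guarantees a non-null cause, guard it with `Throwable cause = ex.getCause() != null ? ex.getCause() : ex;` followed by `throw new CqException(cause.getMessage(), cause);`. The change also swaps the localized client-side message for the server's exception text; confirm that text is meant to reach client applications, since the added test suggests it names the required permission.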
@@ -16,23 +16,24 @@ */ package com.gemstone.gemfire.internal.cache.tier.sockets.command; -import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper; -import com.gemstone.gemfire.internal.cache.tier.Command; -import com.gemstone.gemfire.internal.cache.tier.MessageType; -import com.gemstone.gemfire.internal.cache.tier.sockets.*; +import java.io.IOException; +import java.util.HashSet; +import java.util.Set; + import com.gemstone.gemfire.cache.query.CqException; -import com.gemstone.gemfire.cache.query.CqQuery; -import com.gemstone.gemfire.distributed.internal.DistributionStats; -import com.gemstone.gemfire.cache.query.internal.DefaultQueryService; import com.gemstone.gemfire.cache.query.internal.cq.CqService; import com.gemstone.gemfire.cache.query.internal.cq.InternalCqQuery; +import com.gemstone.gemfire.distributed.internal.DistributionStats; +import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper; +import com.gemstone.gemfire.internal.cache.tier.Command; +import com.gemstone.gemfire.internal.cache.tier.MessageType; +import com.gemstone.gemfire.internal.cache.tier.sockets.CacheServerStats; import com.gemstone.gemfire.internal.cache.tier.sockets.ClientProxyMembershipID; +import com.gemstone.gemfire.internal.cache.tier.sockets.Message; +import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection; import com.gemstone.gemfire.internal.i18n.LocalizedStrings; import com.gemstone.gemfire.internal.security.AuthorizeRequest; - -import java.io.IOException; -import java.util.HashSet; -import java.util.Set; +import com.gemstone.gemfire.internal.security.GeodeSecurityUtil; public class CloseCQ extends BaseCQCommand { 
@@ -74,6 +75,8 @@ public class CloseCQ extends BaseCQCommand { return; } + GeodeSecurityUtil.authorizeDataManage(); + // Process CQ close request try { // Append Client ID to CQ name http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java index 5c51fd0..6b82913 100644 --- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java +++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetCQStats.java @@ -17,16 +17,17 @@ package com.gemstone.gemfire.internal.cache.tier.sockets.command; +import java.io.IOException; + +import com.gemstone.gemfire.cache.query.internal.cq.CqService; +import com.gemstone.gemfire.distributed.internal.DistributionStats; import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper; import com.gemstone.gemfire.internal.cache.tier.Command; import com.gemstone.gemfire.internal.cache.tier.MessageType; -import com.gemstone.gemfire.internal.cache.tier.sockets.*; -import com.gemstone.gemfire.cache.query.CqException; -import com.gemstone.gemfire.distributed.internal.DistributionStats; -import com.gemstone.gemfire.cache.query.internal.DefaultQueryService; -import com.gemstone.gemfire.cache.query.internal.cq.CqService; - -import java.io.IOException; +import com.gemstone.gemfire.internal.cache.tier.sockets.CacheServerStats; +import com.gemstone.gemfire.internal.cache.tier.sockets.Message; +import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection; +import com.gemstone.gemfire.internal.security.GeodeSecurityUtil; public class GetCQStats extends BaseCQCommand { 
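Review bot: `GeodeSecurityUtil.authorizeDataManage()` in CloseCQ is a blanket DATA:MANAGE check that is tied neither to the CQ being closed nor to its region, and the StopCQ hunk adds the same call. If CQ registration is gated on region read access like the plain queries in the added test (`DATA:READ:AuthRegion`), a client may be unable to stop or close its own CQ without manage rights over all data, which pushes operators toward over-broad roles. Scoping the check to the region of the CQ through the three-argument form, e.g. `GeodeSecurityUtil.authorize("DATA", "MANAGE", regionName);`, would keep the grant narrow; where the region name comes from is outside these hunks. In StopCQ the call also sits after `cqService.getCq(serverCqName)`, so the lookup runs before authorization. Both methods continue outside their hunks.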
@@ -68,22 +69,21 @@ public class GetCQStats extends BaseCQCommand { sendCqResponse(MessageType.CQDATAERROR_MSG_TYPE, err, msg .getTransactionId(), null, servConn); return; + } + GeodeSecurityUtil.authorizeClusterRead(); + // Process the cq request + try { + // make sure the cqservice has been created + // since that is what registers the stats + CqService cqService = crHelper.getCache().getCqService(); + cqService.start(); } - else { - // Process the cq request - try { - // make sure the cqservice has been created - // since that is what registers the stats - CqService cqService = crHelper.getCache().getCqService(); - cqService.start(); - } - catch (Exception e) { - String err = "Exception while Getting the CQ Statistics. "; - sendCqResponse(MessageType.CQ_EXCEPTION_TYPE, err, msg - .getTransactionId(), e, servConn); - return; - } + catch (Exception e) { + String err = "Exception while Getting the CQ Statistics. "; + sendCqResponse(MessageType.CQ_EXCEPTION_TYPE, err, msg + .getTransactionId(), e, servConn); + return; } // Send OK to client sendCqResponse(MessageType.REPLY, "cq stats sent successfully.", msg http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java index f06d61f..dc1d461 100755 --- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java +++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/GetDurableCQs.java 
@@ -20,30 +20,22 @@ import java.io.IOException; import java.util.ArrayList; import java.util.Iterator; import java.util.List; -import java.util.Set; -import com.gemstone.gemfire.cache.Region; -import com.gemstone.gemfire.cache.operations.GetDurableCQsOperationContext; import com.gemstone.gemfire.cache.query.CqException; -import com.gemstone.gemfire.cache.query.Query; -import com.gemstone.gemfire.cache.query.internal.DefaultQuery; import com.gemstone.gemfire.cache.query.internal.DefaultQueryService; import com.gemstone.gemfire.cache.query.internal.cq.CqService; -import com.gemstone.gemfire.cache.query.internal.cq.InternalCqQuery; -import com.gemstone.gemfire.distributed.internal.DistributionStats; import com.gemstone.gemfire.internal.cache.GemFireCacheImpl; import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper; import com.gemstone.gemfire.internal.cache.tier.Command; import com.gemstone.gemfire.internal.cache.tier.MessageType; import com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl; -import com.gemstone.gemfire.internal.cache.tier.sockets.BaseCommand; import com.gemstone.gemfire.internal.cache.tier.sockets.CacheServerStats; import com.gemstone.gemfire.internal.cache.tier.sockets.ChunkedMessage; import com.gemstone.gemfire.internal.cache.tier.sockets.ClientProxyMembershipID; import com.gemstone.gemfire.internal.cache.tier.sockets.Message; import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection; -import com.gemstone.gemfire.internal.i18n.LocalizedStrings; import com.gemstone.gemfire.internal.security.AuthorizeRequest; +import com.gemstone.gemfire.internal.security.GeodeSecurityUtil; public class GetDurableCQs extends BaseCQCommand { 
@@ -74,15 +66,13 @@ public class GetDurableCQs extends BaseCQCommand { DefaultQueryService qService = null; CqService cqServiceForExec = null; - Query query = null; - Set cqRegionNames = null; - GetDurableCQsOperationContext getDurableCqsOperationContext = null; - InternalCqQuery cqQuery = null; try { qService = (DefaultQueryService) ((GemFireCacheImpl) crHelper.getCache()) .getLocalQueryService(); + GeodeSecurityUtil.authorizeClusterRead(); + // Authorization check AuthorizeRequest authzRequest = servConn.getAuthzRequest(); if (authzRequest != null) { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java index bf18dae..f9ca140 100644 --- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java +++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/MonitorCQ.java 
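Review bot: In GetDurableCQs the new `GeodeSecurityUtil.authorizeClusterRead()` is placed inside the `try`, after `getLocalQueryService()`, whereas GetCQStats and MonitorCQ call it before their `try`. A denial here is therefore subject to whatever catch clauses follow (outside this hunk) and may reach the client in a different form than from the other CQ commands. Moving the call above `try {` would make the three consistent and run the check before any service lookup. Since the legacy `AuthorizeRequest` check follows immediately, a comment such as `// integrated security check; the AuthorizeRequest callback below is the legacy path` would explain why two authorizations run back to back.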
@@ -17,16 +17,17 @@ package com.gemstone.gemfire.internal.cache.tier.sockets.command; +import java.io.IOException; + +import com.gemstone.gemfire.cache.query.CqException; +import com.gemstone.gemfire.cache.query.internal.cq.CqService; import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper; import com.gemstone.gemfire.internal.cache.tier.Command; import com.gemstone.gemfire.internal.cache.tier.MessageType; -import com.gemstone.gemfire.internal.cache.tier.sockets.*; +import com.gemstone.gemfire.internal.cache.tier.sockets.Message; +import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection; import com.gemstone.gemfire.internal.i18n.LocalizedStrings; -import com.gemstone.gemfire.cache.query.CqException; -import com.gemstone.gemfire.cache.query.internal.DefaultQueryService; -import com.gemstone.gemfire.cache.query.internal.cq.CqService; - -import java.io.IOException; +import com.gemstone.gemfire.internal.security.GeodeSecurityUtil; public class MonitorCQ extends BaseCQCommand { @@ -73,6 +74,8 @@ public class MonitorCQ extends BaseCQCommand { logger.debug("{}: Received MonitorCq request from {} op: {}{}", servConn.getName(), servConn.getSocketString(), op, (regionName != null) ? " RegionName: " + regionName : ""); } + GeodeSecurityUtil.authorizeClusterRead(); + try { CqService cqService = crHelper.getCache().getCqService(); cqService.start(); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java index 1bdf352..9231bfc 100644 --- a/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java 
+++ b/geode-cq/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/command/StopCQ.java @@ -16,25 +16,25 @@ */ package com.gemstone.gemfire.internal.cache.tier.sockets.command; -import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper; -import com.gemstone.gemfire.internal.cache.tier.Command; -import com.gemstone.gemfire.internal.cache.tier.MessageType; -import com.gemstone.gemfire.internal.cache.tier.sockets.*; +import java.io.IOException; +import java.util.HashSet; +import java.util.Set; + import com.gemstone.gemfire.cache.query.CqException; -import com.gemstone.gemfire.cache.query.CqQuery; -import com.gemstone.gemfire.distributed.internal.DistributionStats; -import com.gemstone.gemfire.cache.query.internal.DefaultQueryService; import com.gemstone.gemfire.cache.query.internal.cq.CqQueryImpl; import com.gemstone.gemfire.cache.query.internal.cq.CqService; -import com.gemstone.gemfire.cache.query.internal.cq.CqServiceImpl; import com.gemstone.gemfire.cache.query.internal.cq.InternalCqQuery; +import com.gemstone.gemfire.distributed.internal.DistributionStats; +import com.gemstone.gemfire.internal.cache.tier.CachedRegionHelper; +import com.gemstone.gemfire.internal.cache.tier.Command; +import com.gemstone.gemfire.internal.cache.tier.MessageType; +import com.gemstone.gemfire.internal.cache.tier.sockets.CacheServerStats; import com.gemstone.gemfire.internal.cache.tier.sockets.ClientProxyMembershipID; +import com.gemstone.gemfire.internal.cache.tier.sockets.Message; +import com.gemstone.gemfire.internal.cache.tier.sockets.ServerConnection; import com.gemstone.gemfire.internal.i18n.LocalizedStrings; import com.gemstone.gemfire.internal.security.AuthorizeRequest; - -import java.io.IOException; -import java.util.HashSet; -import java.util.Set; +import com.gemstone.gemfire.internal.security.GeodeSecurityUtil; public class StopCQ extends BaseCQCommand { 
@@ -88,7 +88,9 @@ public class StopCQ extends BaseCQCommand { serverCqName = cqService.constructServerCqName(cqName, id); } InternalCqQuery cqQuery = cqService.getCq(serverCqName); - + + GeodeSecurityUtil.authorizeDataManage(); + AuthorizeRequest authzRequest = servConn.getAuthzRequest(); if (authzRequest != null) { String queryStr = null; http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/fa66c65c/geode-cq/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java b/geode-cq/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java new file mode 100644 index 0000000..a484160 --- /dev/null +++ b/geode-cq/src/test/java/com/gemstone/gemfire/security/IntegratedClientQueryAuthDistributedTest.java 
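Review bot: `GeodeSecurityUtil.authorizeDataManage();` in the `@@ -88,7 +88,9 @@` hunk runs only after `cqService.constructServerCqName(cqName, id)` and `cqService.getCq(serverCqName)`, so a caller without the permission still drives CQ-service lookups on a name it supplied before being rejected. Moving the call above `InternalCqQuery cqQuery = cqService.getCq(serverCqName);`, or to the top of the method, would make the deny path do no work on request data. The hunk also leaves two authorization paths side by side, and a comment such as `// integrated-security check; the legacy AuthorizeRequest callback below still runs when configured` would record how they relate. The enclosing method starts and ends outside the hunk.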
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security;
+
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.cache.Region;
+import com.gemstone.gemfire.cache.client.Pool;
+import com.gemstone.gemfire.cache.client.PoolManager;
+import com.gemstone.gemfire.cache.query.CqAttributes;
+import com.gemstone.gemfire.cache.query.CqAttributesFactory;
+import com.gemstone.gemfire.cache.query.CqQuery;
+import com.gemstone.gemfire.cache.query.QueryService;
+import com.gemstone.gemfire.test.junit.categories.DistributedTest;
+
+@Category(DistributedTest.class)
+public class IntegratedClientQueryAuthDistributedTest extends AbstractIntegratedClientAuthDistributedTest {
+
+ @Test
+ public void testQuery(){
+ client1.invoke(()-> {
+ Cache cache = SecurityTestUtils.createCacheClient("stranger", "1234567", serverPort, SecurityTestUtils.NO_EXCEPTION);
+ final Region region = cache.getRegion(SecurityTestUtils.REGION_NAME);
+
+ String query = "select * from /AuthRegion";
+ assertNotAuthorized(()->region.query(query), "DATA:READ:AuthRegion");
+
+ Pool pool = PoolManager.find(region);
+ assertNotAuthorized(()->pool.getQueryService().newQuery(query).execute(), "DATA:READ:AuthRegion");
+ });
+ }
+
+ @Test
+ public void testCQ(){
+ String query = "select * from /AuthRegion";
+ client1.invoke(()-> {
+ Cache cache = SecurityTestUtils.createCacheClient("stranger", "1234567", serverPort, SecurityTestUtils.NO_EXCEPTION);
+ Region region = cache.getRegion(SecurityTestUtils.REGION_NAME);
+ Pool pool = PoolManager.find(region);
+ QueryService qs = pool.getQueryService();
+
+ CqAttributes cqa = new CqAttributesFactory().create();
+
+ // Create the CqQuery
+ CqQuery cq = qs.newCq("CQ1", query, cqa);
+
+ assertNotAuthorized(()->cq.executeWithInitialResults(), "DATA:READ:AuthRegion");
+ assertNotAuthorized(()->cq.execute(), "DATA:READ:AuthRegion");
+
+ assertNotAuthorized(()->cq.close(), "DATA:MANAGE");
+ });
+
+ client2.invoke(()-> {
+ Cache cache = SecurityTestUtils.createCacheClient("authRegionReader", "1234567", serverPort, SecurityTestUtils.NO_EXCEPTION);
+ Region region = cache.getRegion(SecurityTestUtils.REGION_NAME);
+ Pool pool = PoolManager.find(region);
+ QueryService qs = pool.getQueryService();
+
+ CqAttributes cqa = new CqAttributesFactory().create();
+ // Create the CqQuery
+ CqQuery cq = qs.newCq("CQ1", query, cqa);
+ cq.execute();
+
+ assertNotAuthorized(()->cq.stop(), "DATA:MANAGE");
+ assertNotAuthorized(()->qs.getAllDurableCqsFromServer(), "CLUSTER:READ");
+ });
+
+ client3.invoke(()-> {
+ Cache cache = SecurityTestUtils.createCacheClient("super-user", "1234567", serverPort, SecurityTestUtils.NO_EXCEPTION);
+ Region region = cache.getRegion(SecurityTestUtils.REGION_NAME);
+ Pool pool = PoolManager.find(region);
+ QueryService qs = pool.getQueryService();
+
+ CqAttributes cqa = new CqAttributesFactory().create();
+
+ // Create the CqQuery
+ CqQuery cq = qs.newCq("CQ1", query, cqa);
+ cq.execute();
+
+ cq.stop();
+ });
+ }
+
+}
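Review bot: `testQuery` asserts only denials, and the `super-user` block in `testCQ` never calls `cq.close()`, so nothing in this file shows that a permitted principal gets through the new checks for plain queries or for CQ close. A server that rejected every query would pass `testQuery` unchanged. I would add `cq.close();` after `cq.stop();` in the `client3` block, and add a case to `testQuery` that runs `region.query(query)` as `authRegionReader` with no exception expected. That account appears to hold the read permission, since its `cq.execute()` in `testCQ` is not wrapped in `assertNotAuthorized`. The repeated `"1234567"` and the query string could also become constants of the test class.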