From jinmeil...@apache.org
Subject [geode] branch develop updated: GEODE-3974: Core function security improvement (#1310)
Date Tue, 23 Jan 2018 17:19:25 GMT
This is an automated email from the ASF dual-hosted git repository.

jinmeiliao pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git


The following commit(s) were added to refs/heads/develop by this push:
     new 6df14c8  GEODE-3974: Core function security improvement (#1310)
6df14c8 is described below

commit 6df14c8b1e3c644f9f810149e80bba0c2f073dab
Author: jinmeiliao <jiliao@pivotal.io>
AuthorDate: Tue Jan 23 09:19:22 2018 -0800

    GEODE-3974: Core function security improvement (#1310)
---
 .../cli/JDBCConnectorFunctionsSecurityTest.java    |   4 +-
 .../util/FindRestEnabledServersFunction.java       |   7 +-
 .../cli/functions/AlterRuntimeConfigFunction.java  |  13 +-
 .../cli/functions/ChangeLogLevelFunction.java      |  11 +-
 .../cli/functions/CloseDurableClientFunction.java  |  17 +-
 .../cli/functions/CloseDurableCqFunction.java      |  17 +-
 .../cli/functions/ContinuousQueryFunction.java     |   8 +
 .../functions/CreateAsyncEventQueueFunction.java   |  11 +-
 .../functions/CreateDefinedIndexesFunction.java    |  13 +-
 .../cli/functions/CreateDiskStoreFunction.java     |  14 +-
 .../cli/functions/CreateIndexFunction.java         |  14 +-
 .../cli/functions/DataCommandFunction.java         |   7 +
 .../internal/cli/functions/DeployFunction.java     |   9 ++
 .../cli/functions/DescribeDiskStoreFunction.java   |  13 +-
 .../functions/DestroyAsyncEventQueueFunction.java  |  10 ++
 .../cli/functions/DestroyDiskStoreFunction.java    |  10 ++
 .../cli/functions/DestroyIndexFunction.java        |   9 ++
 .../cli/functions/ExportConfigFunction.java        |   9 ++
 .../internal/cli/functions/ExportDataFunction.java |   9 ++
 .../internal/cli/functions/ExportLogsFunction.java |  10 +-
 .../functions/FetchRegionAttributesFunction.java   |  10 ++
 .../FetchSharedConfigurationStatusFunction.java    |  13 +-
 .../cli/functions/GarbageCollectionFunction.java   |  10 ++
 .../functions/GatewayReceiverCreateFunction.java   |   9 ++
 .../cli/functions/GatewaySenderCreateFunction.java |  10 ++
 .../functions/GatewaySenderDestroyFunction.java    |  10 ++
 .../GetMemberConfigInformationFunction.java        |  32 ++--
 .../functions/GetMemberInformationFunction.java    |  13 +-
 .../functions/GetRegionDescriptionFunction.java    |  11 +-
 .../internal/cli/functions/GetRegionsFunction.java |  14 +-
 .../cli/functions/GetStackTracesFunction.java      |  14 +-
 .../GetSubscriptionQueueSizeFunction.java          |  16 +-
 .../internal/cli/functions/ImportDataFunction.java |   9 ++
 .../functions/ListAsyncEventQueuesFunction.java    |  13 +-
 .../cli/functions/ListDeployedFunction.java        |   9 ++
 .../cli/functions/ListDiskStoresFunction.java      |  12 +-
 .../cli/functions/ListDurableCqNamesFunction.java  |  13 +-
 .../cli/functions/ListFunctionFunction.java        |   9 ++
 .../internal/cli/functions/ListIndexFunction.java  |  12 +-
 .../cli/functions/MemberRegionFunction.java        |  82 ----------
 .../cli/functions/MembersForRegionFunction.java    |  91 -----------
 .../internal/cli/functions/NetstatFunction.java    |  16 +-
 .../internal/cli/functions/RebalanceFunction.java  |  10 +-
 .../cli/functions/RegionAlterFunction.java         |  13 +-
 .../cli/functions/RegionDestroyFunction.java       |  10 ++
 .../functions/ShowMissingDiskStoresFunction.java   |  13 +-
 .../internal/cli/functions/ShutDownFunction.java   |   9 ++
 .../cli/functions/SizeExportLogsFunction.java      |  10 +-
 .../internal/cli/functions/UndeployFunction.java   |   9 ++
 .../internal/cli/functions/UnregisterFunction.java |  18 +--
 .../cli/functions/UserFunctionExecution.java       |   8 +
 .../functions/DownloadJarFunction.java             |  10 +-
 .../functions/GetClusterConfigurationFunction.java |  19 +--
 .../functions/GetRegionNamesFunction.java          |   9 ++
 .../functions/RecreateCacheFunction.java           |  12 +-
 .../internal/security/ResourcePermissions.java     |  14 ++
 .../apache/geode/security/ResourcePermission.java  |  25 ++-
 .../sanctioned-geode-core-serializables.txt        |   2 -
 .../cache/execute/CoreFunctionSecurityTest.java    | 180 +++++++++++++++++++++
 .../GetClusterConfigurationFunctionTest.java       |  48 ------
 .../internal/security/ResourcePermissionTest.java  |  17 +-
 .../lucene/test/LuceneFunctionSecurityTest.java    |  21 ++-
 62 files changed, 764 insertions(+), 336 deletions(-)

diff --git a/geode-connectors/src/test/java/org/apache/geode/connectors/jdbc/internal/cli/JDBCConnectorFunctionsSecurityTest.java b/geode-connectors/src/test/java/org/apache/geode/connectors/jdbc/internal/cli/JDBCConnectorFunctionsSecurityTest.java
index 188c255..a0abef0 100644
--- a/geode-connectors/src/test/java/org/apache/geode/connectors/jdbc/internal/cli/JDBCConnectorFunctionsSecurityTest.java
+++ b/geode-connectors/src/test/java/org/apache/geode/connectors/jdbc/internal/cli/JDBCConnectorFunctionsSecurityTest.java
@@ -77,7 +77,6 @@ public class JDBCConnectorFunctionsSecurityTest {
     functionStringMap.keySet().forEach(FunctionService::registerFunction);
   }
 
-
   @Test
   @ConnectionConfiguration(user = "user", password = "user")
   public void functionRequireExpectedPermission() throws Exception {
@@ -86,7 +85,8 @@ public class JDBCConnectorFunctionsSecurityTest {
       String permission = entry.getValue();
       gfsh.executeAndAssertThat("execute function --id=" + function.getId())
           .tableHasRowCount("Function Execution Result", 1)
-          .tableHasColumnWithValuesContaining("Function Execution Result", permission)
+          .tableHasRowWithValues("Function Execution Result",
+              "Exception: user not authorized for " + permission)
           .statusIsError();
     });
   }
diff --git a/geode-core/src/main/java/org/apache/geode/internal/cache/execute/util/FindRestEnabledServersFunction.java b/geode-core/src/main/java/org/apache/geode/internal/cache/execute/util/FindRestEnabledServersFunction.java
index f78de18..1977920 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/cache/execute/util/FindRestEnabledServersFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/cache/execute/util/FindRestEnabledServersFunction.java
@@ -15,8 +15,7 @@
 package org.apache.geode.internal.cache.execute.util;
 
 import org.apache.geode.cache.CacheClosedException;
-import org.apache.geode.cache.CacheFactory;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.internal.DistributionConfig;
 import org.apache.geode.distributed.internal.InternalDistributedSystem;
@@ -30,7 +29,7 @@ import org.apache.geode.management.internal.RestAgent;
  *
  * @since GemFire 8.1
  */
-public class FindRestEnabledServersFunction extends FunctionAdapter implements InternalEntity {
+public class FindRestEnabledServersFunction implements Function, InternalEntity {
   private static final long serialVersionUID = 7851518767859544678L;
 
   /**
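Review bot: No `getRequiredPermissions` override is added to FindRestEnabledServersFunction in any of this file's hunks. Unless one already exists outside them, the class falls back to whatever the `Function` interface default is after the switch away from `FunctionAdapter`, unlike the other functions touched by this commit. If the default is intended, say so on the class, e.g. `// relies on Function's default required permission`. If it is not, add an explicit override naming the permission this lookup needs. The class body continues outside the hunk.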
@@ -42,7 +41,7 @@ public class FindRestEnabledServersFunction extends FunctionAdapter implements I
 
   public void execute(FunctionContext context) {
     try {
-      InternalCache cache = (InternalCache) CacheFactory.getAnyInstance();
+      InternalCache cache = (InternalCache) context.getCache();
       DistributionConfig config = InternalDistributedSystem.getAnyInstance().getConfig();
 
       String bindAddress = RestAgent.getBindAddressForHttpService(config);
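Review bot: The configuration on the line after the changed one is still read through the static `InternalDistributedSystem.getAnyInstance()`, so `execute` now mixes the context-supplied cache with a process-wide singleton. Deriving the config from the cache the function was invoked with keeps both on the same instance, for example `DistributionConfig config = cache.getInternalDistributedSystem().getConfig();` (assuming `InternalCache` exposes that accessor in this version). The try block and the rest of `execute` continue outside the hunk.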
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/AlterRuntimeConfigFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/AlterRuntimeConfigFunction.java
index 46d89ef..1a3aa24 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/AlterRuntimeConfigFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/AlterRuntimeConfigFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Set;
@@ -21,7 +23,7 @@ import java.util.Set;
 import org.apache.logging.log4j.Logger;
 
 import org.apache.geode.cache.CacheClosedException;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.internal.DistributionConfig;
 import org.apache.geode.internal.ConfigSource;
@@ -30,8 +32,10 @@ import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
-public class AlterRuntimeConfigFunction extends FunctionAdapter implements InternalEntity {
+public class AlterRuntimeConfigFunction implements Function, InternalEntity {
 
   private static final long serialVersionUID = 1L;
 
@@ -86,6 +90,11 @@ public class AlterRuntimeConfigFunction extends FunctionAdapter implements Inter
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_WRITE);
+  }
+
+  @Override
   public String getId() {
     return AlterRuntimeConfigFunction.class.getName();
   }
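Review bot: The new `getRequiredPermissions` override ignores its `regionName` argument and hard-codes `CLUSTER_WRITE` with no comment on why that level was chosen. The same pattern repeats in the overrides added to ChangeLogLevelFunction, CloseDurableClientFunction, CloseDurableCqFunction, ContinuousQueryFunction and the other functions in this commit. A one-line Javadoc on each override would make later permission audits easier, e.g. `/** Cluster-wide operation: the required permission does not depend on regionName. */`. If the value mirrors the permission of a gfsh command, naming that command would help keep the two in step. The class body continues outside the hunk.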
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ChangeLogLevelFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ChangeLogLevelFunction.java
index 7220413..16b3ea1 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ChangeLogLevelFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ChangeLogLevelFunction.java
@@ -14,8 +14,10 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
-import static org.apache.geode.distributed.ConfigurationProperties.*;
+import static org.apache.geode.distributed.ConfigurationProperties.LOG_LEVEL;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -31,6 +33,8 @@ import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.internal.logging.log4j.LogLevel;
 import org.apache.geode.internal.logging.log4j.LogMarker;
 import org.apache.geode.internal.logging.log4j.LogWriterLogger;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 
 /**
@@ -73,6 +77,11 @@ public class ChangeLogLevelFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_WRITE);
+  }
+
+  @Override
   public String getId() {
     return ChangeLogLevelFunction.ID;
 
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableClientFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableClientFunction.java
index 73761c4..f4ece32 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableClientFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableClientFunction.java
@@ -14,29 +14,33 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
-import org.apache.geode.distributed.internal.InternalDistributedSystem;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier;
 import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.domain.MemberResult;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /***
  * Function to close a durable client
  *
  */
-public class CloseDurableClientFunction extends FunctionAdapter implements InternalEntity {
+public class CloseDurableClientFunction implements Function, InternalEntity {
 
   private static final long serialVersionUID = 1L;
 
   @Override
   public void execute(FunctionContext context) {
     String durableClientId = (String) context.getArguments();
-    final Cache cache = CliUtil.getCacheIfExists();
+    final Cache cache = context.getCache();
     final String memberNameOrId =
         CliUtil.getMemberNameOrId(cache.getDistributedSystem().getDistributedMember());
     MemberResult memberResult = new MemberResult(memberNameOrId);
@@ -70,6 +74,11 @@ public class CloseDurableClientFunction extends FunctionAdapter implements Inter
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY);
+  }
+
+  @Override
   public String getId() {
     return CloseDurableClientFunction.class.getName();
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableCqFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableCqFunction.java
index e526409..d196d9e 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableCqFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableCqFunction.java
@@ -14,29 +14,33 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier;
 import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy;
-import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.domain.MemberResult;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /***
  * Function to close a durable cq
  *
  */
-public class CloseDurableCqFunction extends FunctionAdapter implements InternalEntity {
+public class CloseDurableCqFunction implements Function, InternalEntity {
 
   private static final long serialVersionUID = 1L;
 
   @Override
   public void execute(FunctionContext context) {
 
-    final Cache cache = CliUtil.getCacheIfExists();
+    final Cache cache = context.getCache();
     final String memberNameOrId =
         CliUtil.getMemberNameOrId(cache.getDistributedSystem().getDistributedMember());
     CacheClientNotifier cacheClientNotifier = CacheClientNotifier.getInstance();
@@ -72,6 +76,11 @@ public class CloseDurableCqFunction extends FunctionAdapter implements InternalE
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY);
+  }
+
+  @Override
   public String getId() {
     return CloseDurableCqFunction.class.getName();
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ContinuousQueryFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ContinuousQueryFunction.java
index f4e931f..d9d389b 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ContinuousQueryFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ContinuousQueryFunction.java
@@ -16,6 +16,7 @@ package org.apache.geode.management.internal.cli.functions;
 
 import java.io.Serializable;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Iterator;
 
 import org.apache.geode.cache.execute.Function;
@@ -28,6 +29,8 @@ import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier;
 import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy;
 import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID;
 import org.apache.geode.internal.cache.tier.sockets.ServerConnection;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * @since GemFire 8.0
@@ -104,6 +107,11 @@ public class ContinuousQueryFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return ContinuousQueryFunction.ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateAsyncEventQueueFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateAsyncEventQueueFunction.java
index b31d97c..a56efc2 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateAsyncEventQueueFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateAsyncEventQueueFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Properties;
@@ -38,6 +40,8 @@ import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * Function used by the 'create async-event-queue' gfsh command to create an asynchronous event
@@ -128,6 +132,11 @@ public class CreateAsyncEventQueueFunction implements Function, InternalEntity {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY);
+  }
+
   private Object newInstance(String className)
       throws ClassNotFoundException, IllegalAccessException, InstantiationException {
     if (Strings.isNullOrEmpty(className)) {
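Review bot: Creating a queue requires `CLUSTER_MANAGE_DEPLOY` here, while the override added to DestroyAsyncEventQueueFunction later in this commit requires the untargeted `CLUSTER_MANAGE`, and neither hunk explains the difference. Presumably the DEPLOY target was chosen because this function instantiates a class by name through `newInstance(className)`. If so, state it on the override, e.g. `// DEPLOY target: creating the queue instantiates a class by name`. `newInstance` continues outside the hunk.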
@@ -139,6 +148,6 @@ public class CreateAsyncEventQueueFunction implements Function, InternalEntity {
 
   @Override
   public String getId() {
-    return CreateDiskStoreFunction.class.getName();
+    return CreateAsyncEventQueueFunction.class.getName();
   }
 }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDefinedIndexesFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDefinedIndexesFunction.java
index 5d9a294..3d10421 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDefinedIndexesFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDefinedIndexesFunction.java
@@ -15,13 +15,15 @@
 package org.apache.geode.management.internal.cli.functions;
 
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.execute.ResultSender;
 import org.apache.geode.cache.query.Index;
@@ -33,8 +35,10 @@ import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.management.internal.cli.domain.IndexInfo;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
-public class CreateDefinedIndexesFunction extends FunctionAdapter implements InternalEntity {
+public class CreateDefinedIndexesFunction implements Function, InternalEntity {
   private static final long serialVersionUID = 1L;
 
   @Override
@@ -122,4 +126,9 @@ public class CreateDefinedIndexesFunction extends FunctionAdapter implements Int
           .lastResult(new CliFunctionResult(memberId, exception, exceptionMessage));
     }
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY);
+  }
 }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDiskStoreFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDiskStoreFunction.java
index 41fd042..d013a8e 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDiskStoreFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDiskStoreFunction.java
@@ -20,12 +20,15 @@ package org.apache.geode.management.internal.cli.functions;
  * @since GemFire 8.0
  */
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.logging.log4j.Logger;
 
 import org.apache.geode.SystemFailure;
 import org.apache.geode.cache.CacheClosedException;
 import org.apache.geode.cache.DiskStoreFactory;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.internal.InternalEntity;
@@ -34,8 +37,10 @@ import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
-public class CreateDiskStoreFunction extends FunctionAdapter implements InternalEntity {
+public class CreateDiskStoreFunction implements Function, InternalEntity {
   private static final Logger logger = LogService.getLogger();
 
   private static final long serialVersionUID = 1L;
@@ -80,6 +85,11 @@ public class CreateDiskStoreFunction extends FunctionAdapter implements Internal
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DISK);
+  }
+
+  @Override
   public String getId() {
     return CreateDiskStoreFunction.class.getName();
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateIndexFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateIndexFunction.java
index e02b192..1e103f2 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateIndexFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateIndexFunction.java
@@ -14,8 +14,11 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.query.IndexExistsException;
 import org.apache.geode.cache.query.IndexInvalidException;
@@ -27,12 +30,14 @@ import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.management.internal.cli.domain.IndexInfo;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /***
  * Function to create index in a member, based on different arguments passed to it
  *
  */
-public class CreateIndexFunction extends FunctionAdapter implements InternalEntity {
+public class CreateIndexFunction implements Function, InternalEntity {
 
 
   private static final long serialVersionUID = 1L;
@@ -104,6 +109,11 @@ public class CreateIndexFunction extends FunctionAdapter implements InternalEnti
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY);
+  }
+
   private String getValidRegionName(Cache cache, String regionPath) {
     while (regionPath != null && cache.getRegion(regionPath) == null) {
       int dotPosition;
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DataCommandFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DataCommandFunction.java
index 9e51ec8..63c60de 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DataCommandFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DataCommandFunction.java
@@ -15,6 +15,7 @@
 package org.apache.geode.management.internal.cli.functions;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
@@ -60,7 +61,9 @@ import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.management.internal.cli.json.GfJsonException;
 import org.apache.geode.management.internal.cli.json.GfJsonObject;
 import org.apache.geode.management.internal.cli.util.JsonUtil;
+import org.apache.geode.management.internal.security.ResourcePermissions;
 import org.apache.geode.pdx.PdxInstance;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * @since GemFire 7.0
@@ -133,6 +136,10 @@ public class DataCommandFunction implements Function, InternalEntity {
     }
   }
 
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.DATA_ALL);
+  }
+
 
   public DataCommandResult remove(DataCommandRequest request, InternalCache cache) {
     String key = request.getKey();
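Review bot: The `getRequiredPermissions` method added here lacks the `@Override` annotation that the other overrides in this commit carry. A later signature change on `Function` would then silently turn it into an unrelated method, and the interface default would apply instead of `DATA_ALL`. Add `@Override` above `public Collection<ResourcePermission> getRequiredPermissions(String regionName) {`. The `regionName` argument is also ignored, so the requirement is not scoped to the region the data command targets; a comment saying that is deliberate would help. The class body continues outside the hunk.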
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DeployFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DeployFunction.java
index dd82a8f..6652955 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DeployFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DeployFunction.java
@@ -24,6 +24,8 @@ import java.nio.file.Paths;
 import java.nio.file.attribute.PosixFilePermission;
 import java.nio.file.attribute.PosixFilePermissions;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -46,6 +48,8 @@ import org.apache.geode.internal.DeployedJar;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class DeployFunction implements Function, InternalEntity {
   private static final Logger logger = LogService.getLogger();
@@ -119,6 +123,11 @@ public class DeployFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY);
+  }
+
+  @Override
   public String getId() {
     return ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DescribeDiskStoreFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DescribeDiskStoreFunction.java
index f8668c0..976a975 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DescribeDiskStoreFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DescribeDiskStoreFunction.java
@@ -16,6 +16,8 @@
 package org.apache.geode.management.internal.cli.functions;
 
 import java.io.File;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Properties;
 import java.util.Set;
@@ -29,7 +31,7 @@ import org.apache.geode.cache.DiskStore;
 import org.apache.geode.cache.EvictionAction;
 import org.apache.geode.cache.Region;
 import org.apache.geode.cache.asyncqueue.AsyncEventQueue;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.server.CacheServer;
 import org.apache.geode.cache.wan.GatewaySender;
@@ -41,6 +43,8 @@ import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.internal.util.ArrayUtils;
 import org.apache.geode.management.internal.cli.domain.DiskStoreDetails;
 import org.apache.geode.management.internal.cli.exceptions.EntityNotFoundException;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * The DescribeDiskStoreFunction class is an implementation of a GemFire Function used to collect
@@ -55,7 +59,7 @@ import org.apache.geode.management.internal.cli.exceptions.EntityNotFoundExcepti
  * @see org.apache.geode.management.internal.cli.domain.DiskStoreDetails
  * @since GemFire 7.0
  */
-public class DescribeDiskStoreFunction extends FunctionAdapter implements InternalEntity {
+public class DescribeDiskStoreFunction implements Function, InternalEntity {
 
   private static final Logger logger = LogService.getLogger();
 
@@ -131,6 +135,11 @@ public class DescribeDiskStoreFunction extends FunctionAdapter implements Intern
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
   private void setDiskDirDetails(final DiskStore diskStore,
       final DiskStoreDetails diskStoreDetails) {
     File[] diskDirs = diskStore.getDiskDirs();
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyAsyncEventQueueFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyAsyncEventQueueFunction.java
index 54b3000..51fd394 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyAsyncEventQueueFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyAsyncEventQueueFunction.java
@@ -14,6 +14,9 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.asyncqueue.internal.AsyncEventQueueImpl;
 import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
@@ -21,6 +24,8 @@ import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.management.internal.cli.commands.DestroyAsyncEventQueueCommand;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * Function used by the 'destroy async-event-queue' gfsh command to destroy an asynchronous event
@@ -68,6 +73,11 @@ public class DestroyAsyncEventQueueFunction implements Function, InternalEntity
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE);
+  }
+
   XmlEntity getAEQXmlEntity(String key, String value) {
     XmlEntity xmlEntity = new XmlEntity(CacheXml.ASYNC_EVENT_QUEUE, key, value);
     return xmlEntity;
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyDiskStoreFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyDiskStoreFunction.java
index 6f15301..8b38e6a 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyDiskStoreFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyDiskStoreFunction.java
@@ -14,6 +14,9 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.DiskStore;
 import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
@@ -22,6 +25,8 @@ import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * Function used by the 'destroy disk-store' gfsh command to destroy a disk store on each member.
@@ -70,4 +75,9 @@ public class DestroyDiskStoreFunction implements Function, InternalEntity {
     context.getResultSender().lastResult(result);
   }
 
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DISK);
+  }
 }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyIndexFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyIndexFunction.java
index e7488e7..d3b445e 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyIndexFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyIndexFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 import org.apache.geode.cache.Cache;
@@ -28,6 +30,8 @@ import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.management.internal.cli.domain.IndexInfo;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class DestroyIndexFunction implements Function, InternalEntity {
   private static final long serialVersionUID = -868082551095130315L;
@@ -101,6 +105,11 @@ public class DestroyIndexFunction implements Function, InternalEntity {
     context.getResultSender().lastResult(result);
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY);
+  }
+
   /***
    *
    * @param name
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportConfigFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportConfigFunction.java
index 61278a5..fe210f2 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportConfigFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportConfigFunction.java
@@ -16,6 +16,8 @@ package org.apache.geode.management.internal.cli.functions;
 
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Map;
 
 import org.apache.logging.log4j.Logger;
@@ -32,6 +34,8 @@ import org.apache.geode.internal.ConfigSource;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.xmlcache.CacheXmlGenerator;
 import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class ExportConfigFunction implements Function, InternalEntity {
   private static final Logger logger = LogService.getLogger();
@@ -115,6 +119,11 @@ public class ExportConfigFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportDataFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportDataFunction.java
index d12be4b..cc25452 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportDataFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportDataFunction.java
@@ -15,6 +15,8 @@
 package org.apache.geode.management.internal.cli.functions;
 
 import java.io.File;
+import java.util.Collection;
+import java.util.Collections;
 
 import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.Region;
@@ -26,6 +28,8 @@ import org.apache.geode.cache.snapshot.SnapshotOptions.SnapshotFormat;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.snapshot.SnapshotOptionsImpl;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /***
  * Function which carries out the export of a region to a file on a member. Uses the
@@ -72,6 +76,11 @@ public class ExportDataFunction implements Function, InternalEntity {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.DATA_READ);
+  }
+
   public String getId() {
     return ExportDataFunction.class.getName();
   }
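Review bot: The new `getRequiredPermissions` ignores its `regionName` argument and returns the unscoped `ResourcePermissions.DATA_READ`, so the check is for read access to data in general rather than to the region being exported. That errs on the strict side, but a caller granted read on a single region would presumably be refused, and the reason is not recorded. The class comment also says the export goes to a file on a member, so it is worth confirming that a data-read permission alone is meant to authorise writing that file. I would add a comment such as `// target region arrives in the function arguments, not regionName, so require DATA:READ on all regions`, if that is indeed the reason. The same applies to `DATA_WRITE` in the ImportDataFunction hunk.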
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportLogsFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportLogsFunction.java
index b2a7e7e..ab9c95b 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportLogsFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportLogsFunction.java
@@ -25,6 +25,8 @@ import java.text.SimpleDateFormat;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
 import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.logging.log4j.Level;
@@ -38,7 +40,6 @@ import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.internal.DistributionConfig;
 import org.apache.geode.internal.InternalEntity;
-import org.apache.geode.internal.cache.GemFireCacheImpl;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.cache.InternalRegionArguments;
 import org.apache.geode.internal.logging.LogService;
@@ -48,6 +49,8 @@ import org.apache.geode.management.internal.cli.util.ExportLogsCacheWriter;
 import org.apache.geode.management.internal.cli.util.LogExporter;
 import org.apache.geode.management.internal.cli.util.LogFilter;
 import org.apache.geode.management.internal.configuration.domain.Configuration;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * this function extracts the logs using a LogExporter which creates a zip file, and then writes the
@@ -120,6 +123,11 @@ public class ExportLogsFunction implements Function, InternalEntity {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
   public static Region createOrGetExistingExportLogsRegion(boolean isInitiatingMember,
       InternalCache cache) throws IOException, ClassNotFoundException {
 
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchRegionAttributesFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchRegionAttributesFunction.java
index 0927427..4fd7bb9 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchRegionAttributesFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchRegionAttributesFunction.java
@@ -14,6 +14,9 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.logging.log4j.Logger;
 
 import org.apache.geode.cache.AttributesFactory;
@@ -25,6 +28,8 @@ import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  *
@@ -80,6 +85,11 @@ public class FetchRegionAttributesFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchSharedConfigurationStatusFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchSharedConfigurationStatusFunction.java
index 09814c1..3bad85e 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchSharedConfigurationStatusFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchSharedConfigurationStatusFunction.java
@@ -14,6 +14,9 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.commons.lang.StringUtils;
 
 import org.apache.geode.cache.execute.FunctionAdapter;
@@ -21,9 +24,10 @@ import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.distributed.internal.InternalLocator;
 import org.apache.geode.internal.InternalEntity;
-import org.apache.geode.internal.cache.GemFireCacheImpl;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.management.internal.configuration.domain.SharedConfigurationStatus;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class FetchSharedConfigurationStatusFunction extends FunctionAdapter
     implements InternalEntity {
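Review bot: This class still `extends FunctionAdapter` and keeps the `FunctionAdapter` import, while other functions touched in this commit, such as DescribeDiskStoreFunction and GetStackTracesFunction, were moved to `implements Function, InternalEntity`. For consistency I would change the declaration to `public class FetchSharedConfigurationStatusFunction implements Function, InternalEntity {` and swap the import to `org.apache.geode.cache.execute.Function`. The class body continues outside this hunk, so check that nothing else in it relies on the adapter.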
@@ -33,7 +37,7 @@ public class FetchSharedConfigurationStatusFunction extends FunctionAdapter
   @Override
   public void execute(FunctionContext context) {
     InternalLocator locator = InternalLocator.getLocator();
-    InternalCache cache = GemFireCacheImpl.getInstance();
+    InternalCache cache = (InternalCache) context.getCache();
     DistributedMember member = cache.getDistributedSystem().getDistributedMember();
     SharedConfigurationStatus status = locator.getSharedConfigurationStatus().getStatus();
 
@@ -47,6 +51,11 @@ public class FetchSharedConfigurationStatusFunction extends FunctionAdapter
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return FetchSharedConfigurationStatusFunction.class.getName();
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GarbageCollectionFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GarbageCollectionFunction.java
index b7b1bc5..48a8153 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GarbageCollectionFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GarbageCollectionFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -24,6 +26,8 @@ import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.util.BytesToString;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  *
@@ -67,6 +71,12 @@ public class GarbageCollectionFunction implements Function, InternalEntity {
     context.getResultSender().lastResult(resultMap);
   }
 
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE);
+  }
+
   @Override
   public String getId() {
     return GarbageCollectionFunction.ID;
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewayReceiverCreateFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewayReceiverCreateFunction.java
index 408176d..dd01f28 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewayReceiverCreateFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewayReceiverCreateFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -33,6 +35,8 @@ import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * The function to a create GatewayReceiver using given configuration parameters.
@@ -87,6 +91,11 @@ public class GatewayReceiverCreateFunction implements Function, InternalEntity {
 
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_GATEWAY);
+  }
+
   /**
    * GatewayReceiver creation happens here.
    *
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderCreateFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderCreateFunction.java
index 4a12048..8c2a5ea 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderCreateFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderCreateFunction.java
@@ -14,6 +14,9 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.logging.log4j.Logger;
 
 import org.apache.geode.cache.Cache;
@@ -31,6 +34,8 @@ import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class GatewaySenderCreateFunction implements Function, InternalEntity {
 
@@ -66,6 +71,11 @@ public class GatewaySenderCreateFunction implements Function, InternalEntity {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_GATEWAY);
+  }
+
   /**
    * Creates the GatewaySender with given configuration.
    *
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderDestroyFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderDestroyFunction.java
index edba972..99a134e 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderDestroyFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderDestroyFunction.java
@@ -14,6 +14,9 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
@@ -23,6 +26,8 @@ import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class GatewaySenderDestroyFunction implements Function, InternalEntity {
   private static final long serialVersionUID = 1L;
@@ -66,6 +71,11 @@ public class GatewaySenderDestroyFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_GATEWAY);
+  }
+
+  @Override
   public String getId() {
     return ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberConfigInformationFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberConfigInformationFunction.java
index 1c898b4..a7d40fe 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberConfigInformationFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberConfigInformationFunction.java
@@ -14,14 +14,21 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
-import static org.apache.geode.distributed.ConfigurationProperties.*;
+import static org.apache.geode.distributed.ConfigurationProperties.SOCKET_BUFFER_SIZE;
 
 import java.lang.management.ManagementFactory;
 import java.lang.management.RuntimeMXBean;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.server.CacheServer;
 import org.apache.geode.distributed.internal.DistributionConfig;
@@ -33,16 +40,14 @@ import org.apache.geode.internal.cache.CacheConfig;
 import org.apache.geode.internal.cache.GemFireCacheImpl;
 import org.apache.geode.internal.cache.ha.HARegionQueue;
 import org.apache.geode.management.internal.cli.domain.MemberConfigurationInfo;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /****
  *
  *
  */
-public class GetMemberConfigInformationFunction extends FunctionAdapter implements InternalEntity {
-
-  /**
-   *
-   */
+public class GetMemberConfigInformationFunction implements Function, InternalEntity {
   private static final long serialVersionUID = 1L;
 
 
@@ -133,6 +138,11 @@ public class GetMemberConfigInformationFunction extends FunctionAdapter implemen
     context.getResultSender().lastResult(memberConfigInfo);
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
   /****
    * Gets the default values for the cache attributes
    *
@@ -220,12 +230,6 @@ public class GetMemberConfigInformationFunction extends FunctionAdapter implemen
     }
   }
 
-  @Override
-  public String getId() {
-    // TODO Auto-generated method stub
-    return GetMemberConfigInformationFunction.class.toString();
-  }
-
   private List<String> getJvmInputArguments() {
     RuntimeMXBean runtimeBean = ManagementFactory.getRuntimeMXBean();
     return runtimeBean.getInputArguments();
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberInformationFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberInformationFunction.java
index c1a95d4..b0bffe7 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberInformationFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberInformationFunction.java
@@ -17,13 +17,15 @@ package org.apache.geode.management.internal.cli.functions;
 import java.lang.management.ManagementFactory;
 import java.lang.management.MemoryMXBean;
 import java.lang.management.MemoryUsage;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 
 import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.CacheClosedException;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.server.CacheServer;
 import org.apache.geode.distributed.internal.DistributionConfig;
@@ -35,13 +37,15 @@ import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.domain.CacheServerInfo;
 import org.apache.geode.management.internal.cli.domain.MemberInformation;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /***
  *
  * since 7.0
  */
 
-public class GetMemberInformationFunction extends FunctionAdapter implements InternalEntity {
+public class GetMemberInformationFunction implements Function, InternalEntity {
   /**
    *
    */
@@ -139,6 +143,11 @@ public class GetMemberInformationFunction extends FunctionAdapter implements Int
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
   private long bytesToMeg(long bytes) {
     return bytes / (1024L * 1024L);
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionDescriptionFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionDescriptionFunction.java
index d13446c..e3250be 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionDescriptionFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionDescriptionFunction.java
@@ -15,12 +15,17 @@
 package org.apache.geode.management.internal.cli.functions;
 
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.Region;
 import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.management.internal.cli.domain.RegionDescriptionPerMember;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class GetRegionDescriptionFunction implements Function, InternalEntity {
 
@@ -48,9 +53,7 @@ public class GetRegionDescriptionFunction implements Function, InternalEntity {
   }
 
   @Override
-  public String getId() {
-    // TODO Auto-generated method stub
-    return GetRegionDescriptionFunction.class.toString();
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
   }
-
 }
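Review bot: Dropping the `getId()` override changes this function's ID. The removed code returned `GetRegionDescriptionFunction.class.toString()`, which carries a `class ` prefix, and the ID now comes from whatever `Function` supplies by default. Anything keyed on the old string, such as registration or lookup by ID, or members on an older version during a rolling upgrade, would no longer match; the hunk does not show whether such uses exist. If the change is intended it deserves a line in the commit message; otherwise keep an explicit override in the form the sibling classes use, `return GetRegionDescriptionFunction.class.getName();`. The same removal appears in the GetMemberConfigInformationFunction and GetRegionsFunction hunks.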
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionsFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionsFunction.java
index 6571dca..110d4ff 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionsFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionsFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -23,6 +25,8 @@ import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.management.internal.cli.domain.RegionInformation;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * Function that retrieves regions hosted on every member
@@ -32,12 +36,6 @@ public class GetRegionsFunction implements Function, InternalEntity {
   private static final long serialVersionUID = 1L;
 
   @Override
-  public String getId() {
-    // TODO Auto-generated method stub
-    return GetRegionsFunction.class.toString();
-  }
-
-  @Override
   public void execute(FunctionContext functionContext) {
     try {
       Cache cache = functionContext.getCache();
@@ -59,4 +57,8 @@ public class GetRegionsFunction implements Function, InternalEntity {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
 }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetStackTracesFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetStackTracesFunction.java
index 6f148dd..c2ae7d6 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetStackTracesFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetStackTracesFunction.java
@@ -15,14 +15,19 @@
 package org.apache.geode.management.internal.cli.functions;
 
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.OSProcess;
 import org.apache.geode.management.internal.cli.domain.StackTracesPerMember;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
-public class GetStackTracesFunction extends FunctionAdapter implements InternalEntity {
+public class GetStackTracesFunction implements Function, InternalEntity {
 
   private static final long serialVersionUID = 1L;
 
@@ -44,6 +49,11 @@ public class GetStackTracesFunction extends FunctionAdapter implements InternalE
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     // TODO Auto-generated method stub
     return GetStackTracesFunction.class.getName();
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetSubscriptionQueueSizeFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetSubscriptionQueueSizeFunction.java
index 70b649c..2a3670a 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetSubscriptionQueueSizeFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetSubscriptionQueueSizeFunction.java
@@ -14,8 +14,11 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.query.CqQuery;
 import org.apache.geode.cache.query.internal.CqQueryVsdStats;
@@ -27,18 +30,20 @@ import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.domain.SubscriptionQueueSizeResult;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /***
  * Function to get subscription-queue-size
  *
  */
-public class GetSubscriptionQueueSizeFunction extends FunctionAdapter implements InternalEntity {
+public class GetSubscriptionQueueSizeFunction implements Function, InternalEntity {
 
   private static final long serialVersionUID = 1L;
 
   @Override
   public void execute(FunctionContext context) {
-    final Cache cache = CliUtil.getCacheIfExists();
+    final Cache cache = context.getCache();
     final String memberNameOrId =
         CliUtil.getMemberNameOrId(cache.getDistributedSystem().getDistributedMember());
     String args[] = (String[]) context.getArguments();
@@ -98,6 +103,11 @@ public class GetSubscriptionQueueSizeFunction extends FunctionAdapter implements
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return GetSubscriptionQueueSizeFunction.class.getName();
   }
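Review bot: The new `getRequiredPermissions` override in GetSubscriptionQueueSizeFunction records an authorization decision with no comment saying why `CLUSTER_READ` is the right level or why `regionName` is ignored. A one-line Javadoc such as `/** Reads queue sizes only and is not region-scoped, so regionName is unused. */` (to be confirmed against the body of `execute`, most of which lies outside these hunks) would let an auditor check the choice without tracing the gfsh command that calls the function. The same applies to the overrides this commit adds in the List*Function classes, ShowMissingDiskStoresFunction and ShutDownFunction. It matters most in ListIndexFunction, where `CLUSTER_READ_QUERY` differs from its siblings without explanation.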
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ImportDataFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ImportDataFunction.java
index afc6bde..600d530 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ImportDataFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ImportDataFunction.java
@@ -15,6 +15,8 @@
 package org.apache.geode.management.internal.cli.functions;
 
 import java.io.File;
+import java.util.Collection;
+import java.util.Collections;
 
 import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.Region;
@@ -25,6 +27,8 @@ import org.apache.geode.cache.snapshot.SnapshotOptions;
 import org.apache.geode.cache.snapshot.SnapshotOptions.SnapshotFormat;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /****
  * Function which carries out the import of a region to a file on a member. Uses the
@@ -70,6 +74,11 @@ public class ImportDataFunction implements Function, InternalEntity {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.DATA_WRITE);
+  }
+
   public String getId() {
     return ImportDataFunction.class.getName();
   }
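Review bot: `getRequiredPermissions` in ImportDataFunction ignores its `regionName` argument and returns the unscoped `DATA_WRITE`, so the check is not tied to the region the import writes to. That is the stricter choice, presumably intended because the target region arrives in the function arguments rather than through the execution target, but the code should say so, e.g. `// Unscoped on purpose: the region is named in the function args, not by regionName.` It is also worth confirming that a caller holding only a region-scoped DATA:WRITE is meant to be refused here. RegionAlterFunction and RegionDestroyFunction make the same choice with `DATA_MANAGE`.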
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListAsyncEventQueuesFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListAsyncEventQueuesFunction.java
index d7277ee..00715e4 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListAsyncEventQueuesFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListAsyncEventQueuesFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Properties;
 import java.util.Set;
 
@@ -24,13 +26,15 @@ import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.CacheClosedException;
 import org.apache.geode.cache.asyncqueue.AsyncEventListener;
 import org.apache.geode.cache.asyncqueue.AsyncEventQueue;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.xmlcache.Declarable2;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.cli.domain.AsyncEventQueueDetails;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * An implementation of GemFire Function interface used to determine all the async event queues that
@@ -39,7 +43,7 @@ import org.apache.geode.management.internal.cli.domain.AsyncEventQueueDetails;
  *
  * @since GemFire 8.0
  */
-public class ListAsyncEventQueuesFunction extends FunctionAdapter implements InternalEntity {
+public class ListAsyncEventQueuesFunction implements Function, InternalEntity {
   private static final Logger logger = LogService.getLogger();
 
   private static final long serialVersionUID = 1L;
@@ -99,4 +103,9 @@ public class ListAsyncEventQueuesFunction extends FunctionAdapter implements Int
       context.getResultSender().lastResult(result);
     }
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
 }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDeployedFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDeployedFunction.java
index 7ed83db..3ae31c4 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDeployedFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDeployedFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 import org.apache.logging.log4j.Logger;
@@ -29,6 +31,8 @@ import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.JarDeployer;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class ListDeployedFunction implements Function, InternalEntity {
   private static final Logger logger = LogService.getLogger();
@@ -82,6 +86,11 @@ public class ListDeployedFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDiskStoresFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDiskStoresFunction.java
index 11072ff..b38219f 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDiskStoresFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDiskStoresFunction.java
@@ -15,18 +15,22 @@
 
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Properties;
 import java.util.Set;
 
 import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.DiskStore;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.management.internal.cli.domain.DiskStoreDetails;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * The ListDiskStoresFunction class is an implementation of GemFire Function interface used to
@@ -42,7 +46,7 @@ import org.apache.geode.management.internal.cli.domain.DiskStoreDetails;
  * @see org.apache.geode.management.internal.cli.domain.DiskStoreDetails
  * @since GemFire 7.0
  */
-public class ListDiskStoresFunction extends FunctionAdapter implements InternalEntity {
+public class ListDiskStoresFunction implements Function, InternalEntity {
 
   @SuppressWarnings("unused")
   public void init(final Properties props) {}
@@ -74,4 +78,8 @@ public class ListDiskStoresFunction extends FunctionAdapter implements InternalE
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
 }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDurableCqNamesFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDurableCqNamesFunction.java
index e5d1c63..6952c5f 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDurableCqNamesFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDurableCqNamesFunction.java
@@ -16,10 +16,12 @@
 package org.apache.geode.management.internal.cli.functions;
 
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.query.internal.cq.CqService;
 import org.apache.geode.distributed.DistributedMember;
@@ -29,6 +31,8 @@ import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.domain.DurableCqNamesResult;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * The ListDurableCqs class is a GemFire function used to collect all the durable client names on
@@ -44,7 +48,7 @@ import org.apache.geode.management.internal.cli.i18n.CliStrings;
  * @since GemFire 7.0.1
  */
 @SuppressWarnings("unused")
-public class ListDurableCqNamesFunction extends FunctionAdapter implements InternalEntity {
+public class ListDurableCqNamesFunction implements Function, InternalEntity {
   private static final long serialVersionUID = 1L;
 
   public String getId() {
@@ -89,4 +93,9 @@ public class ListDurableCqNamesFunction extends FunctionAdapter implements Inter
       context.getResultSender().lastResult(result);
     }
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
 }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListFunctionFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListFunctionFunction.java
index e4d56a1..87f22c8 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListFunctionFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListFunctionFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -31,6 +33,8 @@ import org.apache.geode.cache.execute.FunctionService;
 import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class ListFunctionFunction implements Function, InternalEntity {
   private static final Logger logger = LogService.getLogger();
@@ -91,6 +95,11 @@ public class ListFunctionFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListIndexFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListIndexFunction.java
index da7bc69..d1a96e2 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListIndexFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListIndexFunction.java
@@ -15,16 +15,20 @@
 
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.query.Index;
 import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.management.internal.cli.domain.IndexDetails;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * The ListIndexFunction class is a GemFire function used to collect all the index information on
@@ -40,7 +44,7 @@ import org.apache.geode.management.internal.cli.domain.IndexDetails;
  * @since GemFire 7.0
  */
 @SuppressWarnings("unused")
-public class ListIndexFunction extends FunctionAdapter implements InternalEntity {
+public class ListIndexFunction implements Function, InternalEntity {
 
   public String getId() {
     return ListIndexFunction.class.getName();
@@ -63,4 +67,8 @@ public class ListIndexFunction extends FunctionAdapter implements InternalEntity
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ_QUERY);
+  }
 }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/MemberRegionFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/MemberRegionFunction.java
deleted file mode 100644
index d20edc7..0000000
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/MemberRegionFunction.java
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.geode.management.internal.cli.functions;
-
-import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.Execution;
-import org.apache.geode.cache.execute.Function;
-import org.apache.geode.cache.execute.FunctionContext;
-import org.apache.geode.cache.execute.FunctionException;
-import org.apache.geode.cache.execute.FunctionService;
-import org.apache.geode.internal.InternalEntity;
-
-
-public class MemberRegionFunction implements Function, InternalEntity {
-  public static final String ID = MemberRegionFunction.class.getName();
-  private static final long serialVersionUID = 1L;
-
-  @Override
-  public void execute(FunctionContext context) {
-    Object[] args = (Object[]) context.getArguments();
-    String region = (String) args[0];
-    String functionId = (String) args[1];
-    Cache cache = context.getCache();
-
-    try {
-      Function function = FunctionService.getFunction(functionId);
-      if (function == null) {
-        context.getResultSender()
-            .lastResult("For region on a member did not get function " + functionId);
-      }
-      Execution execution = FunctionService.onRegion(cache.getRegion(region));
-      if (execution == null) {
-        context.getResultSender().lastResult("For region on a member could not execute");
-      } else {
-        execution.execute(function);
-        context.getResultSender().lastResult("succeeded in executing on region " + region);
-      }
-
-    } catch (FunctionException e) {
-      context.getResultSender()
-          .lastResult("FunctionException in MemberRegionFunction =" + e.getMessage());
-    } catch (Exception e) {
-      context.getResultSender().lastResult("Exception in MemberRegionFunction =" + e.getMessage());
-    }
-
-  }
-
-  @Override
-  public String getId() {
-    return MemberRegionFunction.ID;
-
-  }
-
-  @Override
-  public boolean hasResult() {
-    return true;
-  }
-
-  @Override
-  public boolean optimizeForWrite() {
-    // no need of optimization since read-only.
-    return false;
-  }
-
-  @Override
-  public boolean isHA() {
-    return false;
-  }
-
-}
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/MembersForRegionFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/MembersForRegionFunction.java
deleted file mode 100644
index 6ed1e17..0000000
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/MembersForRegionFunction.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-
-package org.apache.geode.management.internal.cli.functions;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.logging.log4j.Logger;
-
-import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.Region;
-import org.apache.geode.cache.execute.Function;
-import org.apache.geode.cache.execute.FunctionContext;
-import org.apache.geode.internal.InternalEntity;
-import org.apache.geode.internal.logging.LogService;
-
-/**
- *
- * @since GemFire 8.0
- */
-
-public class MembersForRegionFunction implements Function, InternalEntity {
-  private static final Logger logger = LogService.getLogger();
-
-  private static final long serialVersionUID = 8746830191680509335L;
-
-  private static final String ID = MembersForRegionFunction.class.getName();
-
-  @Override
-  public void execute(FunctionContext context) {
-    Map<String, String> resultMap = new HashMap<String, String>();
-    try {
-      Cache cache = context.getCache();
-      String memberNameOrId = cache.getDistributedSystem().getDistributedMember().getId();
-      Object args = (Object) context.getArguments();
-      String regionName = ((String) args);
-      Region<Object, Object> region = cache.getRegion(regionName);
-
-      if (region != null) {
-        resultMap.put(memberNameOrId, "" + region.getAttributes().getScope().isLocal());
-      } else {
-        String regionWithPrefix = Region.SEPARATOR + regionName;
-        region = cache.getRegion(regionWithPrefix);
-        if (region != null) {
-          resultMap.put(memberNameOrId, "" + region.getAttributes().getScope().isLocal());
-        } else {
-          resultMap.put("", "");
-        }
-      }
-      context.getResultSender().lastResult(resultMap);
-    } catch (Exception ex) {
-      logger.info("MembersForRegionFunction exception {}", ex.getMessage(), ex);
-      resultMap.put("", "");
-      context.getResultSender().lastResult(resultMap);
-    }
-  }
-
-  @Override
-  public String getId() {
-    return MembersForRegionFunction.ID;
-  }
-
-  @Override
-  public boolean isHA() {
-    return false;
-  }
-
-  @Override
-  public boolean hasResult() {
-    return true;
-  }
-
-  @Override
-  public boolean optimizeForWrite() {
-    return false;
-  }
-
-}
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/NetstatFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/NetstatFunction.java
index c934427..7b59b98 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/NetstatFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/NetstatFunction.java
@@ -14,7 +14,12 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
-import static org.apache.geode.internal.lang.SystemUtils.*;
+import static org.apache.geode.internal.lang.SystemUtils.getOsArchitecture;
+import static org.apache.geode.internal.lang.SystemUtils.getOsName;
+import static org.apache.geode.internal.lang.SystemUtils.getOsVersion;
+import static org.apache.geode.internal.lang.SystemUtils.isLinux;
+import static org.apache.geode.internal.lang.SystemUtils.isMacOSX;
+import static org.apache.geode.internal.lang.SystemUtils.isSolaris;
 
 import java.io.BufferedReader;
 import java.io.IOException;
@@ -22,6 +27,8 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Serializable;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 import org.apache.logging.log4j.Logger;
@@ -36,6 +43,8 @@ import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.CliUtil.DeflaterInflaterData;
 import org.apache.geode.management.internal.cli.GfshParser;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * Executes 'netstat' OS command & returns the result as compressed bytes.
@@ -84,6 +93,11 @@ public class NetstatFunction implements Function, InternalEntity {
     context.getResultSender().lastResult(result);
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
   private static void addMemberHostHeader(final StringBuilder netstatInfo, final String id,
       final String host, final String lineSeparator) {
 
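Review bot: NetstatFunction is described in its class comment as executing the `netstat` OS command, and the new override gates it with `CLUSTER_READ`, the same level this commit gives the List*Function classes. Starting a process on the member is a larger capability than returning cache metadata, so the choice deserves a comment on the override, e.g. `// CLUSTER:READ: returns host network state; the command line is fixed and carries no caller-supplied text.` The second half of that comment must be verified against the command construction, which is outside this hunk. If any function argument does reach the command line, it should be passed as a separate argument-list element rather than concatenated into a command string.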
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RebalanceFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RebalanceFunction.java
index c77d848..dfdd9d2 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RebalanceFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RebalanceFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Iterator;
 import java.util.Set;
 import java.util.concurrent.CancellationException;
@@ -30,7 +32,8 @@ import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.partition.PartitionRebalanceInfo;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.logging.LogService;
-
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 
 public class RebalanceFunction implements Function, InternalEntity {
@@ -92,6 +95,11 @@ public class RebalanceFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.DATA_MANAGE);
+  }
+
+  @Override
   public String getId() {
     return RebalanceFunction.ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionAlterFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionAlterFunction.java
index 8876035..47c2897 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionAlterFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionAlterFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Set;
 
 import org.apache.logging.log4j.Logger;
@@ -27,7 +29,7 @@ import org.apache.geode.cache.CacheWriter;
 import org.apache.geode.cache.ExpirationAction;
 import org.apache.geode.cache.ExpirationAttributes;
 import org.apache.geode.cache.Region;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.execute.ResultSender;
 import org.apache.geode.internal.ClassPathLoader;
@@ -39,13 +41,15 @@ import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.management.internal.cli.util.RegionPath;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * Function used by the 'alter region' gfsh command to alter a region on each member.
  *
  * @since GemFire 8.0
  */
-public class RegionAlterFunction extends FunctionAdapter implements InternalEntity {
+public class RegionAlterFunction implements Function, InternalEntity {
   private static final Logger logger = LogService.getLogger();
 
   private static final long serialVersionUID = -4846425364943216425L;
@@ -95,6 +99,11 @@ public class RegionAlterFunction extends FunctionAdapter implements InternalEnti
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.DATA_MANAGE);
+  }
+
   private <K, V> Region<?, ?> alterRegion(Cache cache, RegionFunctionArgs regionAlterArgs) {
     final String regionPathString = regionAlterArgs.getRegionPath();
 
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionDestroyFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionDestroyFunction.java
index ef23522..06e2ff6 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionDestroyFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionDestroyFunction.java
@@ -14,6 +14,9 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.Region;
 import org.apache.geode.cache.RegionDestroyedException;
@@ -23,6 +26,8 @@ import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  *
@@ -87,6 +92,11 @@ public class RegionDestroyFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.DATA_MANAGE);
+  }
+
+  @Override
   public String getId() {
     return ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShowMissingDiskStoresFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShowMissingDiskStoresFunction.java
index 656c0fd..c5dd3b5 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShowMissingDiskStoresFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShowMissingDiskStoresFunction.java
@@ -14,12 +14,14 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.internal.InternalEntity;
@@ -29,8 +31,10 @@ import org.apache.geode.internal.cache.partitioned.ColocatedRegionDetails;
 import org.apache.geode.internal.cache.persistence.PersistentMemberID;
 import org.apache.geode.internal.cache.persistence.PersistentMemberManager;
 import org.apache.geode.internal.cache.persistence.PersistentMemberPattern;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
-public class ShowMissingDiskStoresFunction extends FunctionAdapter implements InternalEntity {
+public class ShowMissingDiskStoresFunction implements Function, InternalEntity {
 
   @Override
   public void execute(FunctionContext context) {
@@ -85,6 +89,11 @@ public class ShowMissingDiskStoresFunction extends FunctionAdapter implements In
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return getClass().getName();
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShutDownFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShutDownFunction.java
index 27c317c..4fb8605 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShutDownFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShutDownFunction.java
@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
@@ -27,6 +29,8 @@ import org.apache.geode.distributed.internal.InternalDistributedSystem;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.internal.tcp.ConnectionTable;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  *
@@ -87,6 +91,11 @@ public class ShutDownFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE);
+  }
+
+  @Override
   public boolean hasResult() {
     return true;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/SizeExportLogsFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/SizeExportLogsFunction.java
index ba6ab15..edae35d 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/SizeExportLogsFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/SizeExportLogsFunction.java
@@ -16,6 +16,8 @@ package org.apache.geode.management.internal.cli.functions;
 
 import java.io.File;
 import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
 
 import org.apache.logging.log4j.Logger;
 
@@ -24,13 +26,14 @@ import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.distributed.internal.DistributionConfig;
 import org.apache.geode.internal.InternalEntity;
-import org.apache.geode.internal.cache.GemFireCacheImpl;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.ManagementException;
 import org.apache.geode.management.internal.cli.util.BytesToString;
 import org.apache.geode.management.internal.cli.util.LogExporter;
 import org.apache.geode.management.internal.cli.util.LogFilter;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class SizeExportLogsFunction extends ExportLogsFunction implements Function, InternalEntity {
   private static final Logger LOGGER = LogService.getLogger();
@@ -94,4 +97,9 @@ public class SizeExportLogsFunction extends ExportLogsFunction implements Functi
 
     return estimatedSize;
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
 }
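Review bot: The `getRequiredPermissions` override added at the end of `SizeExportLogsFunction` looks redundant. The class extends `ExportLogsFunction`, which this commit also touches, and `CoreFunctionSecurityTest` pins both classes to `CLUSTER:READ`. If the parent already declares `CLUSTER_READ`, inheriting it keeps the two from drifting apart. If the repetition is deliberate, a comment such as `// repeated on purpose: must not change when ExportLogsFunction's permission changes` would say so. The parent's override is not visible in this hunk, so confirm it before removing anything.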
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UndeployFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UndeployFunction.java
index 98b3cd5..73c92dc 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UndeployFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UndeployFunction.java
@@ -15,6 +15,8 @@
 package org.apache.geode.management.internal.cli.functions;
 
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 import org.apache.commons.lang.ArrayUtils;
@@ -31,6 +33,8 @@ import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.JarDeployer;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class UndeployFunction implements Function, InternalEntity {
   private static final Logger logger = LogService.getLogger();
@@ -108,6 +112,11 @@ public class UndeployFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY);
+  }
+
+  @Override
   public String getId() {
     return ID;
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UnregisterFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UnregisterFunction.java
index 506d7a8..6bbdc1a 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UnregisterFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UnregisterFunction.java
@@ -14,19 +14,15 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.execute.FunctionService;
 import org.apache.geode.internal.InternalEntity;
-
-/**
- *
- * Class for Unregister function
- *
- *
- *
- */
-
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class UnregisterFunction implements Function, InternalEntity {
   public static final String ID = UnregisterFunction.class.getName();
@@ -47,7 +43,11 @@ public class UnregisterFunction implements Function, InternalEntity {
   @Override
   public String getId() {
     return UnregisterFunction.ID;
+  }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY);
   }
 
   @Override
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UserFunctionExecution.java b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UserFunctionExecution.java
index da74dff..a2f4d55 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UserFunctionExecution.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UserFunctionExecution.java
@@ -15,6 +15,8 @@
 package org.apache.geode.management.internal.cli.functions;
 
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Properties;
@@ -38,6 +40,7 @@ import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.internal.security.SecurityService;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.security.AuthenticationRequiredException;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * @since GemFire 7.0
@@ -183,6 +186,11 @@ public class UserFunctionExecution implements Function<Object[]>, InternalEntity
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.emptySet();
+  }
+
+  @Override
   public String getId() {
     return UserFunctionExecution.ID;
   }
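Review bot: Returning `Collections.emptySet()` from `getRequiredPermissions` means the function service performs no authorization before this wrapper runs, and nothing in the hunk says where the check happens instead. The file imports `SecurityService` and `AuthenticationRequiredException`, so `execute()` presumably authorizes against the wrapped function's own permissions, but that body is outside the hunk. If that holds, a comment above the override would record it: `// no permission here: execute() authorizes against the target function's getRequiredPermissions()`. Without it, the empty set reads as an unprotected entry point to the next maintainer.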
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/DownloadJarFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/DownloadJarFunction.java
index fd93ecb..046c883 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/DownloadJarFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/DownloadJarFunction.java
@@ -20,8 +20,9 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.rmi.RemoteException;
+import java.util.Collection;
+import java.util.Collections;
 
-import com.healthmarketscience.rmiio.GZIPRemoteInputStream;
 import com.healthmarketscience.rmiio.RemoteInputStream;
 import com.healthmarketscience.rmiio.RemoteInputStreamServer;
 import com.healthmarketscience.rmiio.SimpleRemoteInputStream;
@@ -35,6 +36,8 @@ import org.apache.geode.distributed.internal.ClusterConfigurationService;
 import org.apache.geode.distributed.internal.InternalLocator;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class DownloadJarFunction implements Function<Object[]>, InternalEntity {
   private static final Logger logger = LogService.getLogger();
@@ -81,6 +84,11 @@ public class DownloadJarFunction implements Function<Object[]>, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return DownloadJarFunction.class.getName();
   }
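Review bot: `CLUSTER_READ` is the only gate added to `DownloadJarFunction`, which, judging by its name and the `FileInputStream`/`RemoteInputStream` imports, hands deployed jar content to the caller. In the same commit `GetClusterConfigurationFunction` demands `ResourcePermissions.ALL` because cluster configuration may leak security information. If deployed jars can carry comparable material, the two should agree. Otherwise a short comment above this override should state why read access is sufficient. `execute()` is outside the hunk, so what is actually returned needs confirming there.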
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunction.java
index b8c6ff9..9184a3f 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunction.java
@@ -15,18 +15,10 @@
 
 package org.apache.geode.management.internal.configuration.functions;
 
-import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_MANAGE;
-import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_READ;
-import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_WRITE;
-import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_MANAGE;
-import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_READ;
-import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_WRITE;
-
 import java.io.IOException;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Set;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
 
 import org.apache.logging.log4j.Logger;
 
@@ -37,6 +29,7 @@ import org.apache.geode.distributed.internal.InternalLocator;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.configuration.messages.ConfigurationResponse;
+import org.apache.geode.management.internal.security.ResourcePermissions;
 import org.apache.geode.security.ResourcePermission;
 
 public class GetClusterConfigurationFunction implements Function, InternalEntity {
@@ -61,9 +54,11 @@ public class GetClusterConfigurationFunction implements Function, InternalEntity
     }
   }
 
+  /**
+   * this function will return all cluster config which will potentially leak security information.
+   * Thus we require all permissions to execute this function
+   **/
   public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
-    return Stream
-        .of(DATA_READ, DATA_WRITE, DATA_MANAGE, CLUSTER_READ, CLUSTER_WRITE, CLUSTER_MANAGE)
-        .collect(Collectors.toSet());
+    return Collections.singleton(ResourcePermissions.ALL);
   }
 }
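Review bot: `getRequiredPermissions` in `GetClusterConfigurationFunction` still has no `@Override`, unlike every other override added in this commit. If the interface signature ever changes, this method would silently stop being the override and the function would fall back to the interface default instead of `ResourcePermissions.ALL`. Add `@Override` directly above the method. The new Javadoc closes with `**/` rather than `*/` and could be tightened to `Returns the whole cluster configuration, which may expose security settings, so ResourcePermissions.ALL is required.`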
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetRegionNamesFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetRegionNamesFunction.java
index 9cde755..00979b1 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetRegionNamesFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetRegionNamesFunction.java
@@ -16,6 +16,8 @@ package org.apache.geode.management.internal.configuration.functions;
 
 import static java.util.stream.Collectors.toSet;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Set;
 
 import org.apache.geode.cache.execute.Function;
@@ -24,6 +26,8 @@ import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.GemFireCacheImpl;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.internal.cache.LocalRegion;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class GetRegionNamesFunction implements Function, InternalEntity {
   @Override
@@ -37,6 +41,11 @@ public class GetRegionNamesFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
+  @Override
   public String getId() {
     return GetRegionNamesFunction.class.getName();
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/RecreateCacheFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/RecreateCacheFunction.java
index f25d1af..075d76f 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/RecreateCacheFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/RecreateCacheFunction.java
@@ -14,6 +14,9 @@
  */
 package org.apache.geode.management.internal.configuration.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.internal.InternalDistributedSystem;
@@ -22,12 +25,14 @@ import org.apache.geode.internal.cache.CacheConfig;
 import org.apache.geode.internal.cache.GemFireCacheImpl;
 import org.apache.geode.internal.cache.InternalCache;
 import org.apache.geode.management.internal.cli.functions.CliFunctionResult;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 public class RecreateCacheFunction implements Function, InternalEntity {
   @Override
   public void execute(FunctionContext context) {
     CliFunctionResult result = null;
-    InternalCache cache = GemFireCacheImpl.getInstance();
+    InternalCache cache = (InternalCache) context.getCache();
     InternalDistributedSystem ds = cache.getInternalDistributedSystem();
     CacheConfig cacheConfig = cache.getCacheConfig();
     try {
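Review bot: The `GemFireCacheImpl` import stays in the context lines of this hunk although the only visible use, `GemFireCacheImpl.getInstance()`, is replaced by `(InternalCache) context.getCache()`. If nothing else in `RecreateCacheFunction` references it, the import is now unused and should be removed, as the `SizeExportLogsFunction` hunk in this commit does. The body of `execute` continues outside the hunk, so check the remainder of the method first.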
@@ -43,6 +48,11 @@ public class RecreateCacheFunction implements Function, InternalEntity {
   }
 
   @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE);
+  }
+
+  @Override
   public String getId() {
     return RecreateCacheFunction.class.getName();
   }
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/security/ResourcePermissions.java b/geode-core/src/main/java/org/apache/geode/management/internal/security/ResourcePermissions.java
index 5565a46..0db67f0 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/security/ResourcePermissions.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/security/ResourcePermissions.java
@@ -20,6 +20,10 @@ import static org.apache.geode.security.ResourcePermission.Operation.READ;
 import static org.apache.geode.security.ResourcePermission.Operation.WRITE;
 import static org.apache.geode.security.ResourcePermission.Resource.CLUSTER;
 import static org.apache.geode.security.ResourcePermission.Resource.DATA;
+import static org.apache.geode.security.ResourcePermission.Target.DEPLOY;
+import static org.apache.geode.security.ResourcePermission.Target.DISK;
+import static org.apache.geode.security.ResourcePermission.Target.GATEWAY;
+import static org.apache.geode.security.ResourcePermission.Target.QUERY;
 
 import org.apache.geode.security.ResourcePermission;
 import org.apache.geode.security.ResourcePermission.Operation;
@@ -36,6 +40,16 @@ public final class ResourcePermissions {
   public static final ResourcePermission CLUSTER_READ = new ResourcePermission(CLUSTER, READ);
   public static final ResourcePermission CLUSTER_WRITE = new ResourcePermission(CLUSTER, WRITE);
   public static final ResourcePermission CLUSTER_MANAGE = new ResourcePermission(CLUSTER, MANAGE);
+  public static final ResourcePermission CLUSTER_READ_QUERY =
+      new ResourcePermission(CLUSTER, READ, QUERY);
+  public static final ResourcePermission CLUSTER_MANAGE_QUERY =
+      new ResourcePermission(CLUSTER, MANAGE, QUERY);
+  public static final ResourcePermission CLUSTER_MANAGE_DEPLOY =
+      new ResourcePermission(CLUSTER, MANAGE, DEPLOY);
+  public static final ResourcePermission CLUSTER_MANAGE_DISK =
+      new ResourcePermission(CLUSTER, MANAGE, DISK);
+  public static final ResourcePermission CLUSTER_MANAGE_GATEWAY =
+      new ResourcePermission(CLUSTER, MANAGE, GATEWAY);
 
   private ResourcePermissions() {}
 }
diff --git a/geode-core/src/main/java/org/apache/geode/security/ResourcePermission.java b/geode-core/src/main/java/org/apache/geode/security/ResourcePermission.java
index 3d8dd1e..33db0e4 100644
--- a/geode-core/src/main/java/org/apache/geode/security/ResourcePermission.java
+++ b/geode-core/src/main/java/org/apache/geode/security/ResourcePermission.java
@@ -14,7 +14,11 @@
  */
 package org.apache.geode.security;
 
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 import java.util.function.UnaryOperator;
+import java.util.stream.Collectors;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.shiro.authz.permission.WildcardPermission;
@@ -79,7 +83,9 @@ public class ResourcePermission extends WildcardPermission {
   private String target = ALL;
   private String key = ALL;
 
-  public ResourcePermission() {}
+  public ResourcePermission() {
+    setParts(this.resource + ":" + this.operation + ":" + this.target + ":" + this.key, true);
+  }
 
   public ResourcePermission(Resource resource, Operation operation) {
     this(resource, operation, ALL, ALL);
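Review bot: The no-arg `ResourcePermission()` constructor gains a `setParts(...)` call with no comment explaining why it is needed. Presumably a default instance would otherwise have no parts for the Shiro parent to compare in `implies()`, so a permission meant as "everything" would not behave as one. A one-line comment such as `// populate WildcardPermission parts so implies() works for the all-wildcard default` would record that. Whether the other constructors build the same string is not visible in this hunk; if they do, share the concatenation rather than repeat it.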
@@ -196,13 +202,18 @@ public class ResourcePermission extends WildcardPermission {
 
   @Override
   public String toString() {
-    if (ALL.equals(target)) {
-      return resource + ":" + operation;
-    } else if (ALL.equals(key)) {
-      return resource + ":" + operation + ":" + target;
-    } else {
-      return resource + ":" + operation + ":" + target + ":" + key;
+    List<String> parts = new ArrayList<>(Arrays.asList(resource, operation, target, key));
+    if (ALL.equals(key)) {
+      parts.remove(3);
+      if (ALL.equals(target)) {
+        parts.remove(2);
+        if (ALL.equals(operation)) {
+          parts.remove(1);
+        }
+      }
     }
+
+    return parts.stream().collect(Collectors.joining(":"));
   }
 
 }
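Review bot: In the new `toString`, `parts.stream().collect(Collectors.joining(":"))` can be written as `return String.join(":", parts);`, which also makes the added `Collectors` import unnecessary. The positional `parts.remove(3)`, `remove(2)`, `remove(1)` calls would benefit from a comment such as `// drop trailing wildcard segments only: key, then target, then operation`. The rewrite changes output, not just layout: a permission with a wildcard target and a specific key now prints all four segments, where the old code stopped at `resource:operation`. This string appears in the "not authorized for" message asserted in `CoreFunctionSecurityTest`, so the Javadoc should state the format.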
diff --git a/geode-core/src/main/resources/org/apache/geode/internal/sanctioned-geode-core-serializables.txt b/geode-core/src/main/resources/org/apache/geode/internal/sanctioned-geode-core-serializables.txt
index c7d832a..c037b0c 100644
--- a/geode-core/src/main/resources/org/apache/geode/internal/sanctioned-geode-core-serializables.txt
+++ b/geode-core/src/main/resources/org/apache/geode/internal/sanctioned-geode-core-serializables.txt
@@ -548,8 +548,6 @@ org/apache/geode/management/internal/cli/functions/ListDiskStoresFunction,false
 org/apache/geode/management/internal/cli/functions/ListDurableCqNamesFunction,true,1
 org/apache/geode/management/internal/cli/functions/ListFunctionFunction,true,1
 org/apache/geode/management/internal/cli/functions/ListIndexFunction,false
-org/apache/geode/management/internal/cli/functions/MemberRegionFunction,true,1
-org/apache/geode/management/internal/cli/functions/MembersForRegionFunction,true,8746830191680509335
 org/apache/geode/management/internal/cli/functions/NetstatFunction,true,1
 org/apache/geode/management/internal/cli/functions/NetstatFunction$NetstatFunctionArgument,true,1,lineSeparator:java/lang/String,withlsof:boolean
 org/apache/geode/management/internal/cli/functions/NetstatFunction$NetstatFunctionResult,true,1,compressedBytes:org/apache/geode/management/internal/cli/CliUtil$DeflaterInflaterData,headerInfo:java/lang/String,host:java/lang/String
diff --git a/geode-core/src/test/java/org/apache/geode/cache/execute/CoreFunctionSecurityTest.java b/geode-core/src/test/java/org/apache/geode/cache/execute/CoreFunctionSecurityTest.java
new file mode 100644
index 0000000..729abf9
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/cache/execute/CoreFunctionSecurityTest.java
@@ -0,0 +1,180 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.geode.cache.execute;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import org.apache.geode.cache.RegionShortcut;
+import org.apache.geode.examples.SimpleSecurityManager;
+import org.apache.geode.management.internal.cli.functions.AlterRuntimeConfigFunction;
+import org.apache.geode.management.internal.cli.functions.ChangeLogLevelFunction;
+import org.apache.geode.management.internal.cli.functions.CloseDurableClientFunction;
+import org.apache.geode.management.internal.cli.functions.CloseDurableCqFunction;
+import org.apache.geode.management.internal.cli.functions.ContinuousQueryFunction;
+import org.apache.geode.management.internal.cli.functions.CreateAsyncEventQueueFunction;
+import org.apache.geode.management.internal.cli.functions.CreateDefinedIndexesFunction;
+import org.apache.geode.management.internal.cli.functions.CreateDiskStoreFunction;
+import org.apache.geode.management.internal.cli.functions.CreateIndexFunction;
+import org.apache.geode.management.internal.cli.functions.DataCommandFunction;
+import org.apache.geode.management.internal.cli.functions.DeployFunction;
+import org.apache.geode.management.internal.cli.functions.DescribeDiskStoreFunction;
+import org.apache.geode.management.internal.cli.functions.DestroyAsyncEventQueueFunction;
+import org.apache.geode.management.internal.cli.functions.DestroyDiskStoreFunction;
+import org.apache.geode.management.internal.cli.functions.DestroyIndexFunction;
+import org.apache.geode.management.internal.cli.functions.ExportConfigFunction;
+import org.apache.geode.management.internal.cli.functions.ExportDataFunction;
+import org.apache.geode.management.internal.cli.functions.ExportLogsFunction;
+import org.apache.geode.management.internal.cli.functions.FetchRegionAttributesFunction;
+import org.apache.geode.management.internal.cli.functions.FetchSharedConfigurationStatusFunction;
+import org.apache.geode.management.internal.cli.functions.GarbageCollectionFunction;
+import org.apache.geode.management.internal.cli.functions.GatewayReceiverCreateFunction;
+import org.apache.geode.management.internal.cli.functions.GatewaySenderCreateFunction;
+import org.apache.geode.management.internal.cli.functions.GatewaySenderDestroyFunction;
+import org.apache.geode.management.internal.cli.functions.GetMemberConfigInformationFunction;
+import org.apache.geode.management.internal.cli.functions.GetMemberInformationFunction;
+import org.apache.geode.management.internal.cli.functions.GetRegionDescriptionFunction;
+import org.apache.geode.management.internal.cli.functions.GetRegionsFunction;
+import org.apache.geode.management.internal.cli.functions.GetStackTracesFunction;
+import org.apache.geode.management.internal.cli.functions.GetSubscriptionQueueSizeFunction;
+import org.apache.geode.management.internal.cli.functions.ImportDataFunction;
+import org.apache.geode.management.internal.cli.functions.ListAsyncEventQueuesFunction;
+import org.apache.geode.management.internal.cli.functions.ListDeployedFunction;
+import org.apache.geode.management.internal.cli.functions.ListDiskStoresFunction;
+import org.apache.geode.management.internal.cli.functions.ListDurableCqNamesFunction;
+import org.apache.geode.management.internal.cli.functions.ListFunctionFunction;
+import org.apache.geode.management.internal.cli.functions.ListIndexFunction;
+import org.apache.geode.management.internal.cli.functions.NetstatFunction;
+import org.apache.geode.management.internal.cli.functions.RebalanceFunction;
+import org.apache.geode.management.internal.cli.functions.RegionAlterFunction;
+import org.apache.geode.management.internal.cli.functions.RegionCreateFunction;
+import org.apache.geode.management.internal.cli.functions.RegionDestroyFunction;
+import org.apache.geode.management.internal.cli.functions.ShowMissingDiskStoresFunction;
+import org.apache.geode.management.internal.cli.functions.ShutDownFunction;
+import org.apache.geode.management.internal.cli.functions.SizeExportLogsFunction;
+import org.apache.geode.management.internal.cli.functions.UndeployFunction;
+import org.apache.geode.management.internal.cli.functions.UnregisterFunction;
+import org.apache.geode.management.internal.cli.functions.UserFunctionExecution;
+import org.apache.geode.management.internal.configuration.functions.DownloadJarFunction;
+import org.apache.geode.management.internal.configuration.functions.GetClusterConfigurationFunction;
+import org.apache.geode.management.internal.configuration.functions.GetRegionNamesFunction;
+import org.apache.geode.management.internal.configuration.functions.RecreateCacheFunction;
+import org.apache.geode.test.junit.categories.IntegrationTest;
+import org.apache.geode.test.junit.rules.ConnectionConfiguration;
+import org.apache.geode.test.junit.rules.GfshCommandRule;
+import org.apache.geode.test.junit.rules.ServerStarterRule;
+
+
+@Category(IntegrationTest.class)
+public class CoreFunctionSecurityTest {
+  private static final String RESULT_HEADER = "Function Execution Result";
+
+  @ClassRule
+  public static ServerStarterRule server =
+      new ServerStarterRule().withJMXManager().withSecurityManager(SimpleSecurityManager.class)
+          .withRegion(RegionShortcut.PARTITION, "testRegion").withAutoStart();
+
+  @Rule
+  public GfshCommandRule gfsh =
+      new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager);
+
+  private static Map<Function, String> functionStringMap = new HashMap<>();
+
+  @BeforeClass
+  public static void setupClass() {
+    functionStringMap.put(new AlterRuntimeConfigFunction(), "CLUSTER:WRITE");
+    functionStringMap.put(new ChangeLogLevelFunction(), "CLUSTER:WRITE");
+    functionStringMap.put(new CloseDurableClientFunction(), "CLUSTER:MANAGE:QUERY");
+    functionStringMap.put(new CloseDurableCqFunction(), "CLUSTER:MANAGE:QUERY");
+    functionStringMap.put(new ContinuousQueryFunction(), "CLUSTER:READ");
+    functionStringMap.put(new CreateAsyncEventQueueFunction(), "CLUSTER:MANAGE:DEPLOY");
+    functionStringMap.put(new CreateDefinedIndexesFunction(), "CLUSTER:MANAGE:QUERY");
+    functionStringMap.put(new CreateDiskStoreFunction(), "CLUSTER:MANAGE:DISK");
+    functionStringMap.put(new CreateIndexFunction(), "CLUSTER:MANAGE:QUERY");
+    functionStringMap.put(new DataCommandFunction(), "DATA");
+    functionStringMap.put(new DeployFunction(), "CLUSTER:MANAGE:DEPLOY");
+    functionStringMap.put(new DescribeDiskStoreFunction(), "CLUSTER:READ");
+    functionStringMap.put(new DestroyAsyncEventQueueFunction(), "CLUSTER:MANAGE");
+    functionStringMap.put(new DestroyDiskStoreFunction(), "CLUSTER:MANAGE:DISK");
+    functionStringMap.put(new DestroyIndexFunction(), "CLUSTER:MANAGE:QUERY");
+    functionStringMap.put(new ExportConfigFunction(), "CLUSTER:READ");
+    functionStringMap.put(new ExportDataFunction(), "DATA:READ");
+    functionStringMap.put(new ExportLogsFunction(), "CLUSTER:READ");
+    functionStringMap.put(new FetchRegionAttributesFunction(), "CLUSTER:READ");
+    functionStringMap.put(new FetchSharedConfigurationStatusFunction(), "CLUSTER:READ");
+    functionStringMap.put(new GarbageCollectionFunction(), "CLUSTER:MANAGE");
+    functionStringMap.put(new GatewayReceiverCreateFunction(), "CLUSTER:MANAGE:GATEWAY");
+    functionStringMap.put(new GatewaySenderCreateFunction(), "CLUSTER:MANAGE:GATEWAY");
+    functionStringMap.put(new GatewaySenderDestroyFunction(), "CLUSTER:MANAGE:GATEWAY");
+    functionStringMap.put(new GetClusterConfigurationFunction(), "*");
+    functionStringMap.put(new GetMemberConfigInformationFunction(), "CLUSTER:READ");
+    functionStringMap.put(new GetMemberInformationFunction(), "CLUSTER:READ");
+    functionStringMap.put(new GetRegionDescriptionFunction(), "CLUSTER:READ");
+    functionStringMap.put(new GetRegionsFunction(), "CLUSTER:READ");
+    functionStringMap.put(new GetStackTracesFunction(), "CLUSTER:READ");
+    functionStringMap.put(new GetSubscriptionQueueSizeFunction(), "CLUSTER:READ");
+    functionStringMap.put(new ImportDataFunction(), "DATA:WRITE");
+    functionStringMap.put(new ListAsyncEventQueuesFunction(), "CLUSTER:READ");
+    functionStringMap.put(new ListDeployedFunction(), "CLUSTER:READ");
+    functionStringMap.put(new ListDiskStoresFunction(), "CLUSTER:READ");
+    functionStringMap.put(new ListDurableCqNamesFunction(), "CLUSTER:READ");
+    functionStringMap.put(new ListFunctionFunction(), "CLUSTER:READ");
+    functionStringMap.put(new ListIndexFunction(), "CLUSTER:READ:QUERY");
+    functionStringMap.put(new NetstatFunction(), "CLUSTER:READ");
+    functionStringMap.put(new RebalanceFunction(), "DATA:MANAGE");
+    functionStringMap.put(new RegionAlterFunction(), "DATA:MANAGE");
+    functionStringMap.put(new RegionCreateFunction(), "DATA:MANAGE");
+    functionStringMap.put(new RegionDestroyFunction(), "DATA:MANAGE");
+    functionStringMap.put(new ShowMissingDiskStoresFunction(), "CLUSTER:READ");
+    functionStringMap.put(new ShutDownFunction(), "CLUSTER:MANAGE");
+    functionStringMap.put(new SizeExportLogsFunction(), "CLUSTER:READ");
+    functionStringMap.put(new UndeployFunction(), "CLUSTER:MANAGE:DEPLOY");
+    functionStringMap.put(new UnregisterFunction(), "CLUSTER:MANAGE:DEPLOY");
+    functionStringMap.put(new GetRegionNamesFunction(), "CLUSTER:READ");
+    functionStringMap.put(new RecreateCacheFunction(), "CLUSTER:MANAGE");
+    functionStringMap.put(new DownloadJarFunction(), "CLUSTER:READ");
+
+    functionStringMap.keySet().forEach(FunctionService::registerFunction);
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "user", password = "user")
+  public void functionRequireExpectedPermission() throws Exception {
+    functionStringMap.entrySet().stream().forEach(entry -> {
+      Function function = entry.getKey();
+      String permission = entry.getValue();
+      System.out.println("function: " + function.getId() + ", permission: " + permission);
+      gfsh.executeAndAssertThat("execute function --id=" + function.getId())
+          .tableHasRowCount(RESULT_HEADER, 1)
+          .tableHasRowWithValues(RESULT_HEADER, "Exception: user not authorized for " + permission)
+          .statusIsError();
+    });
+  }
+
+  @Test
+  public void userFunctionExecutionRequiresNoSecurity() {
+    Function function = new UserFunctionExecution();
+    assertThat(function.getRequiredPermissions("testRegion")).isEmpty();
+  }
+}
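Review bot: The expected-permission table in `setupClass` is maintained by hand, so a management function left out of it, or added later, is never checked and would run under whatever `Function.getRequiredPermissions` defaults to. A comment at the top of `setupClass` should say that every internal function must be listed, for example `// every InternalEntity function must appear here; an unlisted one is not covered by this test`. Better still, the test could fail when a registered internal function has no entry. `userFunctionExecutionRequiresNoSecurity` only pins the empty permission set and does not show that a function run through `UserFunctionExecution` is still authorized. The `System.out.println` in `functionRequireExpectedPermission` should be removed.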
diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunctionTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunctionTest.java
deleted file mode 100644
index f756b5c..0000000
--- a/geode-core/src/test/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunctionTest.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-
-package org.apache.geode.management.internal.configuration.functions;
-
-import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_MANAGE;
-import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_READ;
-import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_WRITE;
-import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_MANAGE;
-import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_READ;
-import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_WRITE;
-import static org.assertj.core.api.Assertions.assertThat;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
-
-import org.apache.geode.test.junit.categories.UnitTest;
-
-
-@Category(UnitTest.class)
-public class GetClusterConfigurationFunctionTest {
-
-  private GetClusterConfigurationFunction function;
-
-  @Before
-  public void before() {
-    function = new GetClusterConfigurationFunction();
-  }
-
-  @Test
-  public void functionRequireAllPermissions() throws Exception {
-    assertThat(function.getRequiredPermissions("")).containsExactlyInAnyOrder(DATA_READ, DATA_WRITE,
-        DATA_MANAGE, CLUSTER_READ, CLUSTER_WRITE, CLUSTER_MANAGE);
-  }
-}
diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/ResourcePermissionTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/ResourcePermissionTest.java
index 4b15407..fa4048c 100644
--- a/geode-core/src/test/java/org/apache/geode/management/internal/security/ResourcePermissionTest.java
+++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/ResourcePermissionTest.java
@@ -186,14 +186,29 @@ public class ResourcePermissionTest {
     ResourcePermission context = new ResourcePermission();
     assertThat("NULL:NULL").isEqualTo(context.toString());
 
-    context = new ResourcePermission(Resource.DATA, Operation.MANAGE);
+    context = new ResourcePermission("data", "manage");
     assertThat("DATA:MANAGE").isEqualTo(context.toString());
 
+    context = new ResourcePermission("data", "read", "regionA");
+    assertThat("DATA:READ:regionA").isEqualTo(context.toString());
+
+    context = new ResourcePermission("DATA", "READ", "/regionA", "key");
+    assertThat("DATA:READ:regionA:key").isEqualTo(context.toString());
+
     context = new ResourcePermission(Resource.DATA, Operation.MANAGE, "REGIONA");
     assertThat("DATA:MANAGE:REGIONA").isEqualTo(context.toString());
 
     context = new ResourcePermission(Resource.DATA, Operation.MANAGE);
     assertThat("DATA:MANAGE").isEqualTo(context.toString());
+
+    context = new ResourcePermission("ALL", "READ");
+    assertThat(context.toString()).isEqualTo("*:READ");
+
+    context = new ResourcePermission("DATA", "ALL");
+    assertThat(context.toString()).isEqualTo("DATA");
+
+    context = new ResourcePermission("ALL", "ALL", "regionA", "*");
+    assertThat(context.toString()).isEqualTo("*:*:regionA");
   }
 
   @Test
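Review bot: The string-constructor cases added here cover only inputs that parse, so nothing pins what `new ResourcePermission(...)` does with a resource or operation name it does not recognise. Authorization decisions are built on this class, so the failure path matters most: an unknown name should be rejected, not mapped to `NULL` or to the wildcard. Assuming the constructor is meant to throw on bad input, add a negative case such as `assertThatThrownBy(() -> new ResourcePermission("invalid", "read")).isInstanceOf(IllegalArgumentException.class);`, with the exception type confirmed against the constructor, which is not in this hunk. Separately, the two added `regionA` assertions pass the expected string to `assertThat(...)`, while the `ALL` cases below pass the actual value; the second order gives the readable failure message. The enclosing test method starts above the hunk.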
diff --git a/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java b/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java
index 2deb244..fd4aa30 100644
--- a/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java
+++ b/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java
@@ -81,7 +81,8 @@ public class LuceneFunctionSecurityTest {
       String permission = entry.getValue();
       gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + function.getId())
           .tableHasRowCount(RESULT_HEADER, 1)
-          .tableHasColumnWithValuesContaining(RESULT_HEADER, permission).statusIsError();
+          .tableHasRowWithValues(RESULT_HEADER, "Exception: user not authorized for " + permission)
+          .statusIsError();
     });
   }
 
@@ -91,16 +92,18 @@ public class LuceneFunctionSecurityTest {
   @ConnectionConfiguration(user = "clusterManage", password = "clusterManage")
   public void dumpDirectoryFileRequiresBoth_AsClusterManage() {
     gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID)
-        .tableHasRowCount(RESULT_HEADER, 1)
-        .tableHasColumnWithValuesContaining(RESULT_HEADER, "DATA:READ:testRegion").statusIsError();
+        .tableHasRowCount(RESULT_HEADER, 1).tableHasRowWithValues(RESULT_HEADER,
+            "Exception: clusterManage not authorized for DATA:READ:testRegion")
+        .statusIsError();
   }
 
   @Test
   @ConnectionConfiguration(user = "dataRead", password = "dataRead")
   public void dumpDirectoryFileRequiresBoth_AsDataRead() {
     gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID)
-        .tableHasRowCount(RESULT_HEADER, 1)
-        .tableHasColumnWithValuesContaining(RESULT_HEADER, "CLUSTER:MANAGE").statusIsError();
+        .tableHasRowCount(RESULT_HEADER, 1).tableHasRowWithValues(RESULT_HEADER,
+            "Exception: dataRead not authorized for CLUSTER:MANAGE")
+        .statusIsError();
   }
 
   @Test
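Review bot: The expected message in both `dumpDirectoryFileRequiresBoth_As…` tests repeats the login name from the `@ConnectionConfiguration` line just above it, and the same literal format is also written out in the hunks at -81, -109 and -118 of this file. If the annotation or the server-side wording changes, each of these fails on a full-string mismatch that has to be fixed by hand in every place. A small helper in the test class, e.g. `private static String notAuthorized(String user, String permission) { return "Exception: " + user + " not authorized for " + permission; }`, would keep the format in one spot and make the user/permission pair under test explicit. In the -109 and -118 hunks the annotation lies outside the hunk, so the composite names `clusterManage,dataReadRegionB` and `clusterManage,dataReadTestRegionA` are presumably the login names configured there.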
@@ -109,7 +112,9 @@ public class LuceneFunctionSecurityTest {
   public void dumpDirectoryFileRequiresBoth_dataReadAnotherRegion() {
     gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID)
         .tableHasRowCount(RESULT_HEADER, 1)
-        .tableHasColumnWithValuesContaining(RESULT_HEADER, "DATA:READ:testRegion").statusIsError();
+        .tableHasRowWithValues(RESULT_HEADER,
+            "Exception: clusterManage,dataReadRegionB not authorized for DATA:READ:testRegion")
+        .statusIsError();
   }
 
   @Test
@@ -118,7 +123,9 @@ public class LuceneFunctionSecurityTest {
   public void dumpDirectoryFileRequiresBoth_dataReadInsufficient() {
     gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID)
         .tableHasRowCount(RESULT_HEADER, 1)
-        .tableHasColumnWithValuesContaining(RESULT_HEADER, "DATA:READ:testRegion").statusIsError();
+        .tableHasRowWithValues(RESULT_HEADER,
+            "Exception: clusterManage,dataReadTestRegionA not authorized for DATA:READ:testRegion")
+        .statusIsError();
   }
 
   @Test

-- 
To stop receiving notification emails like this one, please contact
jinmeiliao@apache.org.
