Return-Path: X-Original-To: apmail-ignite-commits-archive@minotaur.apache.org Delivered-To: apmail-ignite-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 064C91808C for ; Sat, 1 Aug 2015 00:19:52 +0000 (UTC) Received: (qmail 31888 invoked by uid 500); 1 Aug 2015 00:19:52 -0000 Delivered-To: apmail-ignite-commits-archive@ignite.apache.org Received: (qmail 31857 invoked by uid 500); 1 Aug 2015 00:19:52 -0000 Mailing-List: contact commits-help@ignite.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ignite.incubator.apache.org Delivered-To: mailing list commits@ignite.incubator.apache.org Received: (qmail 31810 invoked by uid 99); 1 Aug 2015 00:19:52 -0000 Received: from Unknown (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 01 Aug 2015 00:19:52 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 726B7D964B for ; Sat, 1 Aug 2015 00:19:52 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.373 X-Spam-Level: X-Spam-Status: No, score=0.373 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-1.428, URIBL_BLOCKED=0.001] autolearn=disabled Received: from mx1-us-west.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id gpxG-G1_0I7D for ; Sat, 1 Aug 2015 00:19:43 +0000 (UTC) Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx1-us-west.apache.org (ASF Mail Server at mx1-us-west.apache.org) with SMTP id AAA242139E for ; Sat, 1 Aug 2015 00:19:43 +0000 (UTC) Received: (qmail 30862 invoked by uid 99); 1 Aug 2015 00:19:43 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 01 Aug 2015 00:19:43 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 6FC23E0523; Sat, 1 Aug 2015 00:19:43 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: agoncharuk@apache.org To: commits@ignite.incubator.apache.org Date: Sat, 01 Aug 2015 00:19:54 -0000 Message-Id: <9f222e0cdfc34af9817ec9c387328963@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [12/19] incubator-ignite git commit: #ignite-gg-10610: Security hole if DataStreamer is used for populating the cache (cherry picked from commit 5288b2d) #ignite-gg-10610: Security hole if DataStreamer is used for populating the cache (cherry picked from commit 5288b2d) Project: http://git-wip-us.apache.org/repos/asf/incubator-ignite/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ignite/commit/9afd0f0f Tree: http://git-wip-us.apache.org/repos/asf/incubator-ignite/tree/9afd0f0f Diff: http://git-wip-us.apache.org/repos/asf/incubator-ignite/diff/9afd0f0f Branch: refs/heads/master Commit: 9afd0f0ff7af477fb4689961a13ceea8b3e3eee6 Parents: a889abd Author: ivasilinets Authored: Wed Jul 29 15:27:31 2015 +0300 Committer: ivasilinets Committed: Wed Jul 29 15:34:31 2015 +0300 ---------------------------------------------------------------------- .../datastreamer/DataStreamerImpl.java | 22 ++++++++++++++++++++ .../datastreamer/DataStreamerUpdateJob.java | 20 +++++++++++++++++- 2 files changed, 41 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/9afd0f0f/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java index 26b0568..cc349cc 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerImpl.java @@ -39,6 +39,7 @@ import org.apache.ignite.internal.util.tostring.*; import org.apache.ignite.internal.util.typedef.*; import org.apache.ignite.internal.util.typedef.internal.*; import org.apache.ignite.lang.*; +import org.apache.ignite.plugin.security.*; import org.apache.ignite.stream.*; import org.jetbrains.annotations.*; import org.jsr166.*; @@ -406,6 +407,8 @@ public class DataStreamerImpl implements IgniteDataStreamer, Delayed @Override public IgniteFuture addData(Collection> entries) { A.notEmpty(entries, "entries"); + checkSecurityPermission(SecurityPermission.CACHE_PUT); + enterBusy(); try { @@ -513,6 +516,11 @@ public class DataStreamerImpl implements IgniteDataStreamer, Delayed @Override public IgniteFuture addData(K key, V val) { A.notNull(key, "key"); + if (val == null) + checkSecurityPermission(SecurityPermission.CACHE_REMOVE); + else + checkSecurityPermission(SecurityPermission.CACHE_PUT); + KeyCacheObject key0 = cacheObjProc.toCacheKeyObject(cacheObjCtx, key, true); CacheObject val0 = cacheObjProc.toCacheObject(cacheObjCtx, val, true); @@ -936,6 +944,20 @@ public class DataStreamerImpl implements IgniteDataStreamer, Delayed } /** + * Check permissions for streaming. + * + * @param perm Security permission. + * @throws org.apache.ignite.plugin.security.SecurityException If permissions are not enough for streaming. + */ + private void checkSecurityPermission(SecurityPermission perm) + throws org.apache.ignite.plugin.security.SecurityException{ + if (!ctx.security().enabled()) + return; + + ctx.security().authorize(cacheName, perm, null); + } + + /** * */ private class Buffer { http://git-wip-us.apache.org/repos/asf/incubator-ignite/blob/9afd0f0f/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java ---------------------------------------------------------------------- diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java index 21ba3ac..9e0703a 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/datastreamer/DataStreamerUpdateJob.java @@ -22,6 +22,7 @@ import org.apache.ignite.internal.*; import org.apache.ignite.internal.processors.cache.*; import org.apache.ignite.internal.util.lang.*; import org.apache.ignite.internal.util.typedef.*; +import org.apache.ignite.plugin.security.*; import org.apache.ignite.stream.*; import org.jetbrains.annotations.*; @@ -106,8 +107,13 @@ class DataStreamerUpdateJob implements GridPlainCallable { CacheObject val = e.getValue(); - if (val != null) + if (val != null) { + checkSecurityPermission(SecurityPermission.CACHE_PUT); + val.finishUnmarshal(cctx.cacheObjectContext(), cctx.deploy().globalLoader()); + } + else + checkSecurityPermission(SecurityPermission.CACHE_REMOVE); } if (unwrapEntries()) { @@ -139,4 +145,16 @@ class DataStreamerUpdateJob implements GridPlainCallable { private boolean unwrapEntries() { return !(rcvr instanceof DataStreamerCacheUpdaters.InternalUpdater); } + + /** + * @param perm Security permission. + * @throws org.apache.ignite.plugin.security.SecurityException If permission is not enough. + */ + private void checkSecurityPermission(SecurityPermission perm) + throws org.apache.ignite.plugin.security.SecurityException { + if (!ctx.security().enabled()) + return; + + ctx.security().authorize(cacheName, perm, null); + } }