ignite-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sboi...@apache.org
Subject [02/17] ignite git commit: ignite-4178 support permission builder
Date Wed, 09 Nov 2016 09:27:12 GMT
ignite-4178 support permission builder


Project: http://git-wip-us.apache.org/repos/asf/ignite/repo
Commit: http://git-wip-us.apache.org/repos/asf/ignite/commit/40ef2f5a
Tree: http://git-wip-us.apache.org/repos/asf/ignite/tree/40ef2f5a
Diff: http://git-wip-us.apache.org/repos/asf/ignite/diff/40ef2f5a

Branch: refs/heads/ignite-4154
Commit: 40ef2f5ae42826fe8fd077e3013e8f55c8512bdd
Parents: 175da6b
Author: Dmitriy Govorukhin <dgovorukhin@gridgain.com>
Authored: Mon Nov 7 12:09:41 2016 +0300
Committer: Dmitriy Govorukhin <dgovorukhin@gridgain.com>
Committed: Mon Nov 7 12:09:41 2016 +0300

----------------------------------------------------------------------
 .../security/SecurityBasicPermissionSet.java    | 107 +++++++++
 .../security/SecurityPermissionSetBuilder.java  | 222 +++++++++++++++++++
 .../SecurityPermissionSetBuilderTest.java       |  93 ++++++++
 .../ignite/testsuites/IgniteBasicTestSuite.java |   3 +
 4 files changed, 425 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
new file mode 100644
index 0000000..5b50c56
--- /dev/null
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityBasicPermissionSet.java
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.plugin.security;
+
+import java.util.Map;
+import java.util.HashMap;
+import java.util.ArrayList;
+import java.util.Collection;
+import org.apache.ignite.internal.util.typedef.internal.S;
+import org.jetbrains.annotations.Nullable;
+
+/**
+ * Simple implementation of {@link SecurityPermissionSet} interface. Provides
+ * convenient way to specify permission set in the XML configuration.
+ */
+public class SecurityBasicPermissionSet implements SecurityPermissionSet {
+    /** Serial version uid. */
+    private static final long serialVersionUID = 0L;
+
+    /** Cache permissions. */
+    private Map<String, Collection<SecurityPermission>> cachePerms = new HashMap<>();
+
+    /** Task permissions. */
+    private Map<String, Collection<SecurityPermission>> taskPerms = new HashMap<>();
+
+    /** System permissions. */
+    private Collection<SecurityPermission> sysPerms = new ArrayList<>();
+
+    /** Default allow all. */
+    private boolean dfltAllowAll;
+
+    /**
+     * Setter for set cache permission map.
+     *
+     * @param cachePerms Cache permissions.
+     */
+    public void setCachePermissions(Map<String, Collection<SecurityPermission>>
cachePerms) {
+        this.cachePerms = cachePerms;
+    }
+
+    /**
+     * Setter for set task permission map.
+     *
+     * @param taskPerms Task permissions.
+     */
+    public void setTaskPermissions(Map<String, Collection<SecurityPermission>>
taskPerms) {
+        this.taskPerms = taskPerms;
+    }
+
+    /**
+     * Setter for set collection  system permission.
+     *
+     * @param sysPerms System permissions.
+     */
+    public void setSystemPermissions(Collection<SecurityPermission> sysPerms) {
+        this.sysPerms = sysPerms;
+    }
+
+    /**
+     * Setter for set default allow all.
+     *
+     * @param dfltAllowAll Default allow all.
+     */
+    public void setDefaultAllowAll(boolean dfltAllowAll) {
+        this.dfltAllowAll = dfltAllowAll;
+    }
+
+    /** {@inheritDoc} */
+    @Override public Map<String, Collection<SecurityPermission>> cachePermissions()
{
+        return cachePerms;
+    }
+
+    /** {@inheritDoc} */
+    @Override public Map<String, Collection<SecurityPermission>> taskPermissions()
{
+        return taskPerms;
+    }
+
+    /** {@inheritDoc} */
+    @Nullable @Override public Collection<SecurityPermission> systemPermissions() {
+        return sysPerms;
+    }
+
+    /** {@inheritDoc} */
+    @Override public boolean defaultAllowAll() {
+        return dfltAllowAll;
+    }
+
+    /** {@inheritDoc} */
+    @Override public String toString() {
+        return S.toString(SecurityBasicPermissionSet.class, this);
+    }
+}

http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
----------------------------------------------------------------------
diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
new file mode 100644
index 0000000..61ad77c
--- /dev/null
+++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilder.java
@@ -0,0 +1,222 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.plugin.security;
+
+import java.util.Map;
+import java.util.List;
+import java.util.HashMap;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import org.apache.ignite.IgniteException;
+
+import static java.util.Collections.unmodifiableList;
+import static java.util.Collections.unmodifiableMap;
+
+/**
+ * Provides a convenient way to create a permission set.
+ * <p>
+ * Here is example:
+ * <pre>
+ *      SecurityPermissionSet permsSet = new SecurityPermissionSetBuilder()
+ *          .appendCachePermissions("cache1", CACHE_PUT, CACHE_REMOVE)
+ *          .appendCachePermissions("cache2", CACHE_READ)
+ *          .appendTaskPermissions("task1", TASK_CANCEL)
+ *          .appendTaskPermissions("task2", TASK_EXECUTE)
+ *          .appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE)
+ *          .build();
+ * </pre>
+ * <p>
+ * The builder also does additional validation. For example, if you try to
+ * append {@code EVENTS_ENABLE} permission for a cache, exception will be thrown:
+ * <pre>
+ *      SecurityPermissionSet permsSet = new SecurityPermissionSetBuilder()
+ *          .appendCachePermissions("cache1", EVENTS_ENABLE)
+ *          .build();
+ * </pre>
+ */
+public class SecurityPermissionSetBuilder {
+    /** Cache permissions.*/
+    private Map<String, Collection<SecurityPermission>> cachePerms = new HashMap<>();
+
+    /** Task permissions.*/
+    private Map<String, Collection<SecurityPermission>> taskPerms = new HashMap<>();
+
+    /** System permissions.*/
+    private List<SecurityPermission> sysPerms = new ArrayList<>();
+
+    /** Default allow all.*/
+    private boolean dfltAllowAll;
+
+    /**
+     * Static factory method for create new permission builder.
+     *
+     * @return SecurityPermissionSetBuilder
+     */
+    public static SecurityPermissionSetBuilder create(){
+        return new SecurityPermissionSetBuilder();
+    }
+
+    /**
+     * Append default all flag.
+     *
+     * @param dfltAllowAll Default allow all.
+     * @return SecurityPermissionSetBuilder refer to same permission builder.
+     */
+    public SecurityPermissionSetBuilder defaultAllowAll(boolean dfltAllowAll) {
+        this.dfltAllowAll = dfltAllowAll;
+
+        return this;
+    }
+
+    /**
+     * Append permission set form {@link org.apache.ignite.IgniteCompute task} with {@code
name}.
+     *
+     * @param name  String for map some task to permission set.
+     * @param perms Permissions.
+     * @return SecurityPermissionSetBuilder refer to same permission builder.
+     */
+    public SecurityPermissionSetBuilder appendTaskPermissions(String name, SecurityPermission...
perms) {
+        validate(toCollection("TASK_"), perms);
+
+        append(taskPerms, name, toCollection(perms));
+
+        return this;
+    }
+
+    /**
+     * Append permission set form {@link org.apache.ignite.IgniteCache cache} with {@code
name}.
+     *
+     * @param name  String for map some cache to permission set.
+     * @param perms Permissions.
+     * @return {@link SecurityPermissionSetBuilder} refer to same permission builder.
+     */
+    public SecurityPermissionSetBuilder appendCachePermissions(String name, SecurityPermission...
perms) {
+        validate(toCollection("CACHE_"), perms);
+
+        append(cachePerms, name, toCollection(perms));
+
+        return this;
+    }
+
+    /**
+     * Append system permission set.
+     *
+     * @param perms Permission.
+     * @return {@link SecurityPermissionSetBuilder} refer to same permission builder.
+     */
+    public SecurityPermissionSetBuilder appendSystemPermissions(SecurityPermission... perms)
{
+        validate(toCollection("EVENTS_", "ADMIN_"), perms);
+
+        sysPerms.addAll(toCollection(perms));
+
+        return this;
+    }
+
+    /**
+     * Validate method use patterns.
+     *
+     * @param ptrns Pattern.
+     * @param perms Permissions.
+     */
+    private void validate(Collection<String> ptrns, SecurityPermission... perms) {
+        assert ptrns != null;
+        assert perms != null;
+
+        for (SecurityPermission perm : perms)
+            validate(ptrns, perm);
+    }
+
+    /**
+     * @param ptrns Patterns.
+     * @param perm  Permission.
+     */
+    private void validate(Collection<String> ptrns, SecurityPermission perm) {
+        assert ptrns != null;
+        assert perm != null;
+
+        boolean ex = true;
+
+        String name = perm.name();
+
+        for (String ptrn : ptrns) {
+            if (name.startsWith(ptrn)) {
+                ex = false;
+
+                break;
+            }
+        }
+
+        if (ex)
+            throw new IgniteException("you can assign permission only start with " + ptrns
+ ", but you try " + name);
+    }
+
+    /**
+     * Convert vararg to {@link Collection}.
+     *
+     * @param perms Permissions.
+     */
+    @SafeVarargs
+    private final <T> Collection<T> toCollection(T... perms) {
+        assert perms != null;
+
+        Collection<T> col = new ArrayList<>(perms.length);
+
+        Collections.addAll(col, perms);
+
+        return col;
+    }
+
+    /**
+     * @param permsMap Permissions map.
+     * @param name Name.
+     * @param perms Permission.
+     */
+    private void append(
+        Map<String, Collection<SecurityPermission>> permsMap,
+        String name,
+        Collection<SecurityPermission> perms
+    ) {
+        assert permsMap != null;
+        assert name != null;
+        assert perms != null;
+
+        Collection<SecurityPermission> col = permsMap.get(name);
+
+        if (col == null)
+            permsMap.put(name, perms);
+        else
+            col.addAll(perms);
+    }
+
+    /**
+     * Builds the {@link SecurityPermissionSet}.
+     *
+     * @return {@link SecurityPermissionSet} instance.
+     */
+    public SecurityPermissionSet build() {
+        SecurityBasicPermissionSet permSet = new SecurityBasicPermissionSet();
+
+        permSet.setDefaultAllowAll(dfltAllowAll);
+        permSet.setCachePermissions(unmodifiableMap(cachePerms));
+        permSet.setTaskPermissions(unmodifiableMap(taskPerms));
+        permSet.setSystemPermissions(unmodifiableList(sysPerms));
+
+        return permSet;
+    }
+}

http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
new file mode 100644
index 0000000..1d951cf
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/plugin/security/SecurityPermissionSetBuilderTest.java
@@ -0,0 +1,93 @@
+package org.apache.ignite.plugin.security;
+
+import java.util.Map;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Collection;
+import java.util.concurrent.Callable;
+import org.apache.ignite.IgniteException;
+import org.apache.ignite.testframework.junits.common.GridCommonAbstractTest;
+
+import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_PUT;
+import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_READ;
+import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_REMOVE;
+import static org.apache.ignite.plugin.security.SecurityPermission.TASK_CANCEL;
+import static org.apache.ignite.plugin.security.SecurityPermission.TASK_EXECUTE;
+import static org.apache.ignite.plugin.security.SecurityPermission.EVENTS_ENABLE;
+import static org.apache.ignite.plugin.security.SecurityPermission.ADMIN_VIEW;
+import static org.apache.ignite.testframework.GridTestUtils.assertThrows;
+
+/**
+ * Test for check correct work {@link SecurityPermissionSetBuilder permission builder}
+ */
+public class SecurityPermissionSetBuilderTest extends GridCommonAbstractTest {
+    /**
+     *
+     */
+    public void testPermissionBuilder() {
+        SecurityBasicPermissionSet exp = new SecurityBasicPermissionSet();
+
+        Map<String, Collection<SecurityPermission>> permCache = new HashMap<>();
+        permCache.put("cache1", Arrays.asList(CACHE_PUT, CACHE_REMOVE));
+        permCache.put("cache2", Arrays.asList(CACHE_READ));
+
+        exp.setCachePermissions(permCache);
+
+        Map<String, Collection<SecurityPermission>> permTask = new HashMap<>();
+        permTask.put("task1", Arrays.asList(TASK_CANCEL));
+        permTask.put("task2", Arrays.asList(TASK_EXECUTE));
+
+        exp.setTaskPermissions(permTask);
+
+        exp.setSystemPermissions(Arrays.asList(ADMIN_VIEW, EVENTS_ENABLE));
+
+        final SecurityPermissionSetBuilder permsBuilder = new SecurityPermissionSetBuilder();
+
+        assertThrows(log, new Callable<Object>() {
+                    @Override
+                    public Object call() throws Exception {
+                        permsBuilder.appendCachePermissions("cache", ADMIN_VIEW);
+                        return null;
+                    }
+                }, IgniteException.class,
+                "you can assign permission only start with [CACHE_], but you try ADMIN_VIEW"
+        );
+
+        assertThrows(log, new Callable<Object>() {
+                    @Override
+                    public Object call() throws Exception {
+                        permsBuilder.appendTaskPermissions("task", CACHE_READ);
+                        return null;
+                    }
+                }, IgniteException.class,
+                "you can assign permission only start with [TASK_], but you try CACHE_READ"
+        );
+
+        assertThrows(log, new Callable<Object>() {
+                    @Override
+                    public Object call() throws Exception {
+                        permsBuilder.appendSystemPermissions(TASK_EXECUTE, CACHE_PUT);
+                        return null;
+                    }
+                }, IgniteException.class,
+                "you can assign permission only start with [EVENTS_, ADMIN_], but you try
TASK_EXECUTE"
+        );
+
+        permsBuilder.appendCachePermissions(
+                "cache1", CACHE_PUT, CACHE_REMOVE
+        ).appendCachePermissions(
+                "cache2", CACHE_READ
+        ).appendTaskPermissions(
+                "task1", TASK_CANCEL
+        ).appendTaskPermissions(
+                "task2", TASK_EXECUTE
+        ).appendSystemPermissions(ADMIN_VIEW, EVENTS_ENABLE);
+
+        SecurityPermissionSet actual = permsBuilder.build();
+
+        assertEquals(exp.cachePermissions(), actual.cachePermissions());
+        assertEquals(exp.taskPermissions(), actual.taskPermissions());
+        assertEquals(exp.systemPermissions(), actual.systemPermissions());
+        assertEquals(exp.defaultAllowAll(), actual.defaultAllowAll());
+    }
+}

http://git-wip-us.apache.org/repos/asf/ignite/blob/40ef2f5a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java
----------------------------------------------------------------------
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java
b/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java
index 62c2eb3..6ab0885 100644
--- a/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java
+++ b/modules/core/src/test/java/org/apache/ignite/testsuites/IgniteBasicTestSuite.java
@@ -53,6 +53,7 @@ import org.apache.ignite.marshaller.DynamicProxySerializationMultiJvmSelfTest;
 import org.apache.ignite.messaging.GridMessagingNoPeerClassLoadingSelfTest;
 import org.apache.ignite.messaging.GridMessagingSelfTest;
 import org.apache.ignite.messaging.IgniteMessagingWithClientTest;
+import org.apache.ignite.plugin.security.SecurityPermissionSetBuilderTest;
 import org.apache.ignite.spi.GridSpiLocalHostInjectionTest;
 import org.apache.ignite.startup.properties.NotStringSystemPropertyTest;
 import org.apache.ignite.testframework.GridTestUtils;
@@ -143,6 +144,8 @@ public class IgniteBasicTestSuite extends TestSuite {
 
         suite.addTestSuite(MarshallerContextLockingSelfTest.class);
 
+        suite.addTestSuite(SecurityPermissionSetBuilderTest.class);
+
         return suite;
     }
 }


Mime
View raw message