incubator-blur-commits mailing list archives

From amccu...@apache.org
Subject git commit: Adding api to handle securing method calls by user and/or ipaddress. This should allow for controlling access to actions, tables, commands, etc.
Date Mon, 02 Feb 2015 13:48:20 GMT
Repository: incubator-blur
Updated Branches:
  refs/heads/master 0c04e4e6a -> 4468f6cc5


Adding an API to secure method calls by user and/or IP address.  This should allow for
controlling access to actions, tables, commands, etc.


Project: http://git-wip-us.apache.org/repos/asf/incubator-blur/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-blur/commit/4468f6cc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-blur/tree/4468f6cc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-blur/diff/4468f6cc

Branch: refs/heads/master
Commit: 4468f6cc52e8b615f8e23cf26664dacc54a27027
Parents: 0c04e4e
Author: Aaron McCurry <amccurry@gmail.com>
Authored: Mon Feb 2 08:48:13 2015 -0500
Committer: Aaron McCurry <amccurry@gmail.com>
Committed: Mon Feb 2 08:48:13 2015 -0500

----------------------------------------------------------------------
 .../apache/blur/server/BlurServerContext.java   |  2 +-
 .../org/apache/blur/server/ServerSecurity.java  | 34 ++++++++++
 .../apache/blur/server/ServerSecurityUtil.java  | 69 ++++++++++++++++++++
 .../example/SimpleExampleServerSecurity.java    | 44 +++++++++++++
 .../blur/thrift/ThriftBlurControllerServer.java |  8 ++-
 .../blur/thrift/ThriftBlurShardServer.java      |  5 ++
 .../org/apache/blur/thrift/ThriftServer.java    | 24 ++++++-
 .../org/apache/blur/utils/BlurConstants.java    |  2 +
 8 files changed, 184 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-blur/blob/4468f6cc/blur-core/src/main/java/org/apache/blur/server/BlurServerContext.java
----------------------------------------------------------------------
diff --git a/blur-core/src/main/java/org/apache/blur/server/BlurServerContext.java b/blur-core/src/main/java/org/apache/blur/server/BlurServerContext.java
index 8ddf078..542f057 100644
--- a/blur-core/src/main/java/org/apache/blur/server/BlurServerContext.java
+++ b/blur-core/src/main/java/org/apache/blur/server/BlurServerContext.java
@@ -77,7 +77,7 @@ public class BlurServerContext implements ServerContext, ThriftTrace {
     _traceRequestId = traceRequestId;
   }
 
-  public SocketAddress getRocalSocketAddress() {
+  public SocketAddress getLocalSocketAddress() {
     return _localSocketAddress;
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-blur/blob/4468f6cc/blur-core/src/main/java/org/apache/blur/server/ServerSecurity.java
----------------------------------------------------------------------
diff --git a/blur-core/src/main/java/org/apache/blur/server/ServerSecurity.java b/blur-core/src/main/java/org/apache/blur/server/ServerSecurity.java
new file mode 100644
index 0000000..3ebf079
--- /dev/null
+++ b/blur-core/src/main/java/org/apache/blur/server/ServerSecurity.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.blur.server;
+
+import java.lang.reflect.Method;
+import java.net.InetAddress;
+
+import org.apache.blur.BlurConfiguration;
+import org.apache.blur.thrift.generated.BlurException;
+import org.apache.blur.user.User;
+
+public abstract class ServerSecurity {
+  
+  public ServerSecurity(BlurConfiguration configuration) {
+    
+  }
+
+  public abstract boolean canAccess(Method method, Object[] args, User user, InetAddress
address, int port) throws BlurException;
+
+}
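Review bot: `canAccess` is the entire access-control contract, yet the new abstract class has no Javadoc telling implementers what they can rely on. From the rest of this commit, `user` can be null (the example implementation checks for it), `args` is null for no-argument methods because java.lang.reflect.Proxy passes it that way, and `address`/`port` describe the remote peer. I would add a Javadoc block on `canAccess` stating those points, that returning false denies the call, and when an implementation should throw `BlurException` instead. The constructor also discards `configuration`; a comment such as `// accepted so subclasses can be constructed reflectively with one signature` would explain why the parameter exists.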

http://git-wip-us.apache.org/repos/asf/incubator-blur/blob/4468f6cc/blur-core/src/main/java/org/apache/blur/server/ServerSecurityUtil.java
----------------------------------------------------------------------
diff --git a/blur-core/src/main/java/org/apache/blur/server/ServerSecurityUtil.java b/blur-core/src/main/java/org/apache/blur/server/ServerSecurityUtil.java
new file mode 100644
index 0000000..162fe35
--- /dev/null
+++ b/blur-core/src/main/java/org/apache/blur/server/ServerSecurityUtil.java
@@ -0,0 +1,69 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.blur.server;
+
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+
+import org.apache.blur.log.Log;
+import org.apache.blur.log.LogFactory;
+import org.apache.blur.thrift.BException;
+import org.apache.blur.thrift.generated.Blur.Iface;
+import org.apache.blur.user.User;
+import org.apache.blur.user.UserContext;
+
+public class ServerSecurityUtil {
+
+  private static final Log LOG = LogFactory.getLog(ServerSecurityUtil.class);
+
+  public static Iface applySecurity(final Iface iface, final ServerSecurity serverSecurity,
final boolean shardServer) {
+    if (serverSecurity == null) {
+      LOG.info("No server security configured.");
+      return iface;
+    }
+    LOG.info("Server security configured with [{0}] class [{1}].", serverSecurity, serverSecurity.getClass());
+    InvocationHandler handler = new InvocationHandler() {
+      @Override
+      public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
+        BlurServerContext blurServerContext;
+        if (shardServer) {
+          blurServerContext = ShardServerContext.getShardServerContext();
+        } else {
+          blurServerContext = ControllerServerContext.getControllerServerContext();
+        }
+        InetSocketAddress remoteSocketAddress = (InetSocketAddress) blurServerContext.getRemoteSocketAddress();
+        InetAddress address = remoteSocketAddress.getAddress();
+        int port = remoteSocketAddress.getPort();
+        User user = UserContext.getUser();
+        if (serverSecurity.canAccess(method, args, user, address, port)) {
+          try {
+            return method.invoke(iface, args);
+          } catch (InvocationTargetException e) {
+            throw e.getTargetException();
+          }
+        }
+        throw new BException("ACCESS DENIED for User [{0}] method [{1}].", user, method.getName());
+      }
+    };
+    return (Iface) Proxy.newProxyInstance(Iface.class.getClassLoader(), new Class[] { Iface.class
}, handler);
+  }
+
+}
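Review bot: The handler in `applySecurity` dereferences `blurServerContext` and casts `getRemoteSocketAddress()` to `InetSocketAddress` without any check. A call with no server context or a non-inet peer therefore fails with a NullPointerException or ClassCastException rather than an explicit denial. Whether the context getters can return null is not visible here, but `toString`/`hashCode`/`equals` on the proxy are also routed through `invoke` and may be called outside a request. Refusals are not logged either, so the server keeps no audit record of who was denied which method from which address. I would fail closed explicitly and log every denial at warn level, as sketched below.

```java
      public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        // … unchanged: select the shard or controller server context …
        if (blurServerContext == null
            || !(blurServerContext.getRemoteSocketAddress() instanceof InetSocketAddress)) {
          // No verifiable peer: refuse rather than fail with an NPE/ClassCastException.
          LOG.warn("Access denied for method [{0}], no remote inet address available.", method.getName());
          throw new BException("ACCESS DENIED method [{0}].", method.getName());
        }
        // … unchanged: remoteSocketAddress, address, port and user lookup …
        if (serverSecurity.canAccess(method, args, user, address, port)) {
          // … unchanged: method.invoke with InvocationTargetException unwrapping …
        }
        // Audit trail for refused calls.
        LOG.warn("Access denied for user [{0}] method [{1}] from [{2}].", user, method.getName(), remoteSocketAddress);
        throw new BException("ACCESS DENIED for User [{0}] method [{1}].", user, method.getName());
```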

http://git-wip-us.apache.org/repos/asf/incubator-blur/blob/4468f6cc/blur-core/src/main/java/org/apache/blur/server/example/SimpleExampleServerSecurity.java
----------------------------------------------------------------------
diff --git a/blur-core/src/main/java/org/apache/blur/server/example/SimpleExampleServerSecurity.java
b/blur-core/src/main/java/org/apache/blur/server/example/SimpleExampleServerSecurity.java
new file mode 100644
index 0000000..206c054
--- /dev/null
+++ b/blur-core/src/main/java/org/apache/blur/server/example/SimpleExampleServerSecurity.java
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.blur.server.example;
+
+import java.lang.reflect.Method;
+import java.net.InetAddress;
+
+import org.apache.blur.BlurConfiguration;
+import org.apache.blur.server.ServerSecurity;
+import org.apache.blur.thrift.generated.BlurException;
+import org.apache.blur.user.User;
+
+public class SimpleExampleServerSecurity extends ServerSecurity {
+
+  public SimpleExampleServerSecurity(BlurConfiguration configuration) {
+    super(configuration);
+  }
+
+  @Override
+  public boolean canAccess(Method method, Object[] args, User user, InetAddress address,
int port) throws BlurException {
+    if (method.getName().equals("createTable")) {
+      if (user != null && user.getUsername().equals("admin")) {
+        return true;
+      }
+      return false;
+    }
+    return true;
+  }
+
+}
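Review bot: The example allows by default: `canAccess` ends in `return true`, so every method other than `createTable` is open to any caller, including a null user. Since examples get copied, the class should carry a Javadoc comment saying it is illustrative only and that a real policy should deny by default and list what it permits. The same comment should note that the `admin` name check is only as strong as whatever authenticates the `User`, which is not visible in this commit. The nested `if` can also be reduced to `return user != null && "admin".equals(user.getUsername());`, which additionally tolerates a null username.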

http://git-wip-us.apache.org/repos/asf/incubator-blur/blob/4468f6cc/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurControllerServer.java
----------------------------------------------------------------------
diff --git a/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurControllerServer.java
b/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurControllerServer.java
index 276f2b8..5632b88 100644
--- a/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurControllerServer.java
+++ b/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurControllerServer.java
@@ -64,6 +64,8 @@ import org.apache.blur.manager.indexserver.BlurServerShutDown;
 import org.apache.blur.manager.indexserver.BlurServerShutDown.BlurShutdown;
 import org.apache.blur.metrics.ReporterSetup;
 import org.apache.blur.server.ControllerServerEventHandler;
+import org.apache.blur.server.ServerSecurity;
+import org.apache.blur.server.ServerSecurityUtil;
 import org.apache.blur.thirdparty.thrift_0_9_0.protocol.TJSONProtocol;
 import org.apache.blur.thirdparty.thrift_0_9_0.server.TServlet;
 import org.apache.blur.thirdparty.thrift_0_9_0.transport.TServerTransport;
@@ -108,8 +110,7 @@ public class ThriftBlurControllerServer extends ThriftServer {
     if (configBindPort == 0) {
       instanceBindPort = 0;
     }
-    TServerTransport serverTransport = ThriftServer.getTServerTransport(bindAddress, instanceBindPort,
-        configuration);
+    TServerTransport serverTransport = ThriftServer.getTServerTransport(bindAddress, instanceBindPort,
configuration);
     instanceBindPort = ThriftServer.getBindingPort(serverTransport);
 
     LOG.info("Controller Server using index [{0}] bind address [{1}]", serverIndex, bindAddress
+ ":"
@@ -183,7 +184,10 @@ public class ThriftBlurControllerServer extends ThriftServer {
     Trace.setStorage(traceStorage);
     Trace.setNodeName(nodeName);
 
+    ServerSecurity serverSecurity = getServerSecurity(configuration, false);
+
     Iface iface = BlurUtil.wrapFilteredBlurServer(configuration, controllerServer, false);
+    iface = ServerSecurityUtil.applySecurity(iface, serverSecurity, false);
     iface = BlurUtil.recordMethodCallsAndAverageTimes(iface, Iface.class, true);
     iface = BlurUtil.runWithUser(iface, true);
     iface = BlurUtil.runTrace(iface, true);
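Review bot: The position of `ServerSecurityUtil.applySecurity` in the wrapper chain matters and is undocumented. It is applied before `BlurUtil.runWithUser`, so the security proxy sits inside that wrapper and presumably sees the user it installs when the handler calls `UserContext.getUser()`; moving the line below `runWithUser` would likely hand `canAccess` a null or stale user. A comment on the new line would protect the ordering, e.g. `// Keep inside runWithUser: canAccess reads UserContext.getUser().` It also sits inside `recordMethodCallsAndAverageTimes`, so denied calls are counted together with served ones, which may or may not be intended. The same applies to the matching hunk in ThriftBlurShardServer.java; the enclosing method starts and ends outside both hunks.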

http://git-wip-us.apache.org/repos/asf/incubator-blur/blob/4468f6cc/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurShardServer.java
----------------------------------------------------------------------
diff --git a/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurShardServer.java b/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurShardServer.java
index 93bbcd5..0d91bec 100644
--- a/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurShardServer.java
+++ b/blur-core/src/main/java/org/apache/blur/thrift/ThriftBlurShardServer.java
@@ -84,6 +84,8 @@ import org.apache.blur.manager.indexserver.DistributedLayoutFactory;
 import org.apache.blur.manager.indexserver.DistributedLayoutFactoryImpl;
 import org.apache.blur.metrics.JSONReporter;
 import org.apache.blur.metrics.ReporterSetup;
+import org.apache.blur.server.ServerSecurity;
+import org.apache.blur.server.ServerSecurityUtil;
 import org.apache.blur.server.ShardServerEventHandler;
 import org.apache.blur.server.TableContext;
 import org.apache.blur.store.BlockCacheDirectoryFactory;
@@ -262,7 +264,10 @@ public class ThriftBlurShardServer extends ThriftServer {
     Trace.setStorage(traceStorage);
     Trace.setNodeName(nodeName);
 
+    ServerSecurity serverSecurity = getServerSecurity(configuration, true);
+
     Iface iface = BlurUtil.wrapFilteredBlurServer(configuration, shardServer, true);
+    iface = ServerSecurityUtil.applySecurity(iface, serverSecurity, true);
     iface = BlurUtil.recordMethodCallsAndAverageTimes(iface, Iface.class, false);
     iface = BlurUtil.runWithUser(iface, false);
     iface = BlurUtil.runTrace(iface, false);

http://git-wip-us.apache.org/repos/asf/incubator-blur/blob/4468f6cc/blur-core/src/main/java/org/apache/blur/thrift/ThriftServer.java
----------------------------------------------------------------------
diff --git a/blur-core/src/main/java/org/apache/blur/thrift/ThriftServer.java b/blur-core/src/main/java/org/apache/blur/thrift/ThriftServer.java
index a46666d..c7310ba 100644
--- a/blur-core/src/main/java/org/apache/blur/thrift/ThriftServer.java
+++ b/blur-core/src/main/java/org/apache/blur/thrift/ThriftServer.java
@@ -22,9 +22,10 @@ import static org.apache.blur.metrics.MetricsConstants.JVM;
 import static org.apache.blur.metrics.MetricsConstants.LOAD_AVERAGE;
 import static org.apache.blur.metrics.MetricsConstants.ORG_APACHE_BLUR;
 import static org.apache.blur.metrics.MetricsConstants.SYSTEM;
+import static org.apache.blur.utils.BlurConstants.BLUR_CONTROLLER_SERVER_SECURITY_CLASS;
 import static org.apache.blur.utils.BlurConstants.BLUR_HDFS_TRACE_PATH;
 import static org.apache.blur.utils.BlurConstants.BLUR_HOME;
-import static org.apache.blur.utils.BlurConstants.BLUR_SECURITY_SASL_ENABLED;
+import static org.apache.blur.utils.BlurConstants.BLUR_SHARD_SERVER_SECURITY_CLASS;
 import static org.apache.blur.utils.BlurConstants.BLUR_ZOOKEEPER_TRACE_PATH;
 
 import java.io.BufferedReader;
@@ -36,6 +37,7 @@ import java.lang.management.ManagementFactory;
 import java.lang.management.MemoryMXBean;
 import java.lang.management.MemoryUsage;
 import java.lang.management.OperatingSystemMXBean;
+import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
@@ -48,6 +50,7 @@ import org.apache.blur.concurrent.Executors;
 import org.apache.blur.log.Log;
 import org.apache.blur.log.LogFactory;
 import org.apache.blur.manager.indexserver.BlurServerShutDown.BlurShutdown;
+import org.apache.blur.server.ServerSecurity;
 import org.apache.blur.thirdparty.thrift_0_9_0.protocol.TBinaryProtocol;
 import org.apache.blur.thirdparty.thrift_0_9_0.protocol.TCompactProtocol;
 import org.apache.blur.thirdparty.thrift_0_9_0.server.TServer;
@@ -435,4 +438,23 @@ public class ThriftServer {
     }
   }
 
+  @SuppressWarnings("unchecked")
+  public static ServerSecurity getServerSecurity(BlurConfiguration configuration, boolean
shardServer) {
+    String className;
+    if (shardServer) {
+      className = configuration.get(BLUR_SHARD_SERVER_SECURITY_CLASS);
+    } else {
+      className = configuration.get(BLUR_CONTROLLER_SERVER_SECURITY_CLASS);
+    }
+    if (className == null) {
+      return null;
+    }
+    try {
+      Class<? extends ServerSecurity> clazz = (Class<? extends ServerSecurity>)
Class.forName(className);
+      Constructor<? extends ServerSecurity> constructor = clazz.getConstructor(new
Class[] { BlurConfiguration.class });
+      return constructor.newInstance(configuration);
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
 }
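Review bot: `getServerSecurity` casts the result of `Class.forName(className)` unchecked, so a configured class that does not extend `ServerSecurity` is only caught later, as an exception wrapped in a bare `RuntimeException` with no mention of the class or property. `Class<? extends ServerSecurity> clazz = Class.forName(className).asSubclass(ServerSecurity.class);` checks the type at load time and lets the `@SuppressWarnings("unchecked")` go. The rethrow should name what failed, e.g. `throw new RuntimeException("Cannot load server security class [" + className + "]", e);`. A missing or misspelled property key also returns null here, and the server then starts with no access control, noted only at info level in `applySecurity`. A warn-level message for that case would make an unintentionally open server harder to miss.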

http://git-wip-us.apache.org/repos/asf/incubator-blur/blob/4468f6cc/blur-util/src/main/java/org/apache/blur/utils/BlurConstants.java
----------------------------------------------------------------------
diff --git a/blur-util/src/main/java/org/apache/blur/utils/BlurConstants.java b/blur-util/src/main/java/org/apache/blur/utils/BlurConstants.java
index a22954d..5b3993e 100644
--- a/blur-util/src/main/java/org/apache/blur/utils/BlurConstants.java
+++ b/blur-util/src/main/java/org/apache/blur/utils/BlurConstants.java
@@ -171,6 +171,8 @@ public class BlurConstants {
   
   public static final String BLUR_SECURITY_SASL_TYPE = "blur.security.sasl.type";
   public static final String BLUR_SECURITY_SASL_ENABLED = "blur.security.sasl.enabled";
+  public static final String BLUR_CONTROLLER_SERVER_SECURITY_CLASS = "blur.controller.server.security.class";
+  public static final String BLUR_SHARD_SERVER_SECURITY_CLASS = "blur.shard.server.security.class";
 
   public static final String BLUR_HOME = "BLUR_HOME";
 

