use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.
the class GetAll70 method fillAndSendGetAllResponseChunks.
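/**
 * Reads every requested key, runs the per-key authorization and post-processing steps, and sends
 * the results to the client in chunks of at most {@code MAXIMUM_CHUNK_SIZE} entries.
 *
 * <p>Per key, in this order: the pre-operation callback (when the connection has one),
 * {@code securityService.authorizeRegionRead}, the value lookup, the post-operation callback
 * (when the connection has one) and {@code securityService.postProcess}. A
 * {@code NotAuthorizedException} from any authorization step is logged and reported to the client
 * as an exception part for that key only; the remaining keys are still processed.
 *
 * @param region region to read from
 * @param regionName region name handed to the authorization and post-processing calls
 * @param keys keys to fetch, or {@code null} to fetch every key currently in the region
 * @param servConn connection that supplies the authorization callbacks and receives the response
 * @param requestSerializedValues forwarded unchanged to the {@code VersionedObjectList}
 * @throws IOException propagated from the calls made here (presumably from sending a chunk)
 */
private void fillAndSendGetAllResponseChunks(Region region, String regionName, Object[] keys,
    ServerConnection servConn, boolean requestSerializedValues) throws IOException {
  // Interpret null keys object as a request to get all key,value entry pairs
  // of the region; otherwise iterate each key and perform the get behavior.
  Iterator allKeysIter;
  int numKeys;
  if (keys != null) {
    allKeysIter = null;
    numKeys = keys.length;
  } else {
    Set allKeys = region.keySet();
    allKeysIter = allKeys.iterator();
    numKeys = allKeys.size();
  }
  // Shouldn't it be 'keys != null' below? The answer is no.
  // In the current implementation of client/server getAll the "keys" will always be non-null.
  // The server collects and returns the values in the same order as the keys it received, so it
  // does not need to send the keys back to the client. When the client receives the server's
  // "values" it calls setKeys using the key list the client already has.
  // So the only reason we would tell the VersionedObjectList that it needs to track keys is if we
  // are running in the old mode (which may be impossible since we only used that mode pre 7.0) in
  // which the client told us to get and return all the keys and values. I think this was used for
  // register interest.
  VersionedObjectList values = new VersionedObjectList(MAXIMUM_CHUNK_SIZE, keys == null,
      region.getAttributes().getConcurrencyChecksEnabled(), requestSerializedValues);
  try {
    AuthorizeRequest authzRequest = servConn.getAuthzRequest();
    AuthorizeRequestPP postAuthzRequest = servConn.getPostAuthzRequest();
    Get70 request = (Get70) Get70.getCommand();
    final boolean isDebugEnabled = logger.isDebugEnabled();
    for (int i = 0; i < numKeys; i++) {
      // Send the intermediate chunk if necessary
      if (values.size() == MAXIMUM_CHUNK_SIZE) {
        // Send the chunk and clear the list
        values.setKeys(null);
        sendGetAllResponseChunk(region, values, false, servConn);
        values.clear();
      }
      Object key;
      boolean keyNotPresent = false;
      if (keys != null) {
        key = keys[i];
      } else {
        key = allKeysIter.next();
      }
      if (isDebugEnabled) {
        logger.debug("{}: Getting value for key={}", servConn.getName(), key);
      }
      // Determine if the user is authorized to get this key. Both checks run before the value is
      // read, so a denied key never reaches the lookup below.
      GetOperationContext getContext = null;
      if (authzRequest != null) {
        try {
          getContext = authzRequest.getAuthorize(regionName, key, null);
          if (isDebugEnabled) {
            logger.debug("{}: Passed GET pre-authorization for key={}", servConn.getName(), key);
          }
        } catch (NotAuthorizedException ex) {
          logger.warn(LocalizedMessage.create(
              LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
              new Object[] {servConn.getName(), key}), ex);
          values.addExceptionPart(key, ex);
          continue;
        }
      }
      try {
        this.securityService.authorizeRegionRead(regionName, key.toString());
      } catch (NotAuthorizedException ex) {
        logger.warn(LocalizedMessage.create(
            LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
            new Object[] {servConn.getName(), key}), ex);
        values.addExceptionPart(key, ex);
        continue;
      }
      // Get the value and update the statistics. Do not deserialize
      // the value if it is a byte[].
      // Getting a value in serialized form is pretty nasty. I split this out
      // so the logic can be re-used by the CacheClientProxy.
      Get70.Entry entry = request.getEntry(region, key, null, servConn);
      @Retained
      final Object originalData = entry.value;
      Object data = originalData;
      if (logger.isDebugEnabled()) {
        logger.debug("retrieved key={} {}", key, entry);
      }
      boolean addedToValues = false;
      try {
        boolean isObject = entry.isObject;
        VersionTag versionTag = entry.versionTag;
        keyNotPresent = entry.keyNotPresent;
        if (postAuthzRequest != null) {
          try {
            getContext = postAuthzRequest.getAuthorize(regionName, key, data, isObject, getContext);
            GetOperationContextImpl gci = (GetOperationContextImpl) getContext;
            Object newData = gci.getRawValue();
            if (newData != data) {
              // user changed the value
              isObject = getContext.isObject();
              data = newData;
            }
          } catch (NotAuthorizedException ex) {
            logger.warn(LocalizedMessage.create(
                LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
                new Object[] {servConn.getName(), key}), ex);
            values.addExceptionPart(key, ex);
            continue;
          } finally {
            if (getContext != null) {
              ((GetOperationContextImpl) getContext).release();
            }
          }
        }
        // Pass the local isObject, not entry.isObject: the post-operation callback above may have
        // replaced the value and its flag, and the post-processor must see the flag that
        // describes the value it is actually given.
        data = this.securityService.postProcess(regionName, key, data, isObject);
        // Add the entry to the list that will be returned to the client
        if (keyNotPresent) {
          values.addObjectPartForAbsentKey(key, data, versionTag);
          addedToValues = true;
        } else {
          values.addObjectPart(key, data, isObject, versionTag);
          addedToValues = true;
        }
      } finally {
        // The looked-up value is released here unless it was added to the response unchanged;
        // this also covers the denied-key 'continue' and any exception thrown above.
        if (!addedToValues || data != originalData) {
          OffHeapHelper.release(originalData);
        }
      }
    }
    // Send the last chunk even if the list is of zero size.
    if (Version.GFE_701.compareTo(servConn.getClientVersion()) <= 0) {
      // 7.0.1 and later clients do not expect the keys in the response
      values.setKeys(null);
    }
    sendGetAllResponseChunk(region, values, true, servConn);
    servConn.setAsTrue(RESPONDED);
  } finally {
    values.release();
  }
}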
use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.
the class GetAllWithCallback method fillAndSendGetAllResponseChunks.
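/**
 * Reads each requested key with the client-supplied callback argument, runs the per-key
 * authorization and post-processing steps, and sends the results to the client in chunks of at
 * most {@code MAXIMUM_CHUNK_SIZE} entries.
 *
 * <p>Per key, in this order: the pre-operation callback (when the connection has one),
 * {@code securityService.authorizeRegionRead}, the value lookup, the post-operation callback
 * (when the connection has one) and {@code securityService.postProcess}. A
 * {@code NotAuthorizedException} from any authorization step is logged and reported to the client
 * as an exception part for that key only; the remaining keys are still processed.
 *
 * @param region region to read from
 * @param regionName region name handed to the authorization and post-processing calls
 * @param keys keys to fetch; must not be {@code null}
 * @param servConn connection that supplies the authorization callbacks and receives the response
 * @param callback argument passed to the pre-operation callback and to the value lookup
 * @throws IOException propagated from the calls made here (presumably from sending a chunk)
 */
private void fillAndSendGetAllResponseChunks(Region region, String regionName, Object[] keys,
    ServerConnection servConn, Object callback) throws IOException {
  // Only checked when the JVM runs with assertions enabled; otherwise a null array fails on
  // keys.length just below.
  assert keys != null;
  int numKeys = keys.length;
  VersionedObjectList values = new VersionedObjectList(MAXIMUM_CHUNK_SIZE, false,
      region.getAttributes().getConcurrencyChecksEnabled(), false);
  try {
    AuthorizeRequest authzRequest = servConn.getAuthzRequest();
    AuthorizeRequestPP postAuthzRequest = servConn.getPostAuthzRequest();
    Get70 request = (Get70) Get70.getCommand();
    for (int i = 0; i < numKeys; i++) {
      // Send the intermediate chunk if necessary
      if (values.size() == MAXIMUM_CHUNK_SIZE) {
        // Send the chunk and clear the list
        sendGetAllResponseChunk(region, values, false, servConn);
        values.clear();
      }
      Object key;
      boolean keyNotPresent = false;
      key = keys[i];
      if (logger.isDebugEnabled()) {
        logger.debug("{}: Getting value for key={}", servConn.getName(), key);
      }
      // Determine if the user is authorized to get this key. Both checks run before the value is
      // read, so a denied key never reaches the lookup below.
      GetOperationContext getContext = null;
      if (authzRequest != null) {
        try {
          getContext = authzRequest.getAuthorize(regionName, key, callback);
          if (logger.isDebugEnabled()) {
            logger.debug("{}: Passed GET pre-authorization for key={}", servConn.getName(), key);
          }
        } catch (NotAuthorizedException ex) {
          logger.warn(LocalizedMessage.create(
              LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
              new Object[] {servConn.getName(), key}), ex);
          values.addExceptionPart(key, ex);
          continue;
        }
      }
      try {
        this.securityService.authorizeRegionRead(regionName, key.toString());
      } catch (NotAuthorizedException ex) {
        logger.warn(LocalizedMessage.create(
            LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
            new Object[] {servConn.getName(), key}), ex);
        values.addExceptionPart(key, ex);
        continue;
      }
      // Get the value and update the statistics. Do not deserialize
      // the value if it is a byte[].
      // Getting a value in serialized form is pretty nasty. I split this out
      // so the logic can be re-used by the CacheClientProxy.
      Get70.Entry entry = request.getEntry(region, key, callback, servConn);
      @Retained
      final Object originalData = entry.value;
      Object data = originalData;
      if (logger.isDebugEnabled()) {
        logger.debug("retrieved key={} {}", key, entry);
      }
      boolean addedToValues = false;
      try {
        boolean isObject = entry.isObject;
        VersionTag versionTag = entry.versionTag;
        keyNotPresent = entry.keyNotPresent;
        if (postAuthzRequest != null) {
          try {
            getContext = postAuthzRequest.getAuthorize(regionName, key, data, isObject, getContext);
            GetOperationContextImpl gci = (GetOperationContextImpl) getContext;
            Object newData = gci.getRawValue();
            if (newData != data) {
              // user changed the value
              isObject = getContext.isObject();
              data = newData;
            }
          } catch (NotAuthorizedException ex) {
            logger.warn(LocalizedMessage.create(
                LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
                new Object[] {servConn.getName(), key}), ex);
            values.addExceptionPart(key, ex);
            continue;
          } finally {
            if (getContext != null) {
              ((GetOperationContextImpl) getContext).release();
            }
          }
        }
        // Run the security service's post-processing step before the value is returned, as the
        // GetAll, GetAll651 and GetAll70 handlers do. Without this call, values fetched through
        // the callback variant reached the client without passing through the post-processor.
        // NOTE(review): confirm the omission was not deliberate for this command.
        data = this.securityService.postProcess(regionName, key, data, isObject);
        // Add the entry to the list that will be returned to the client
        if (keyNotPresent) {
          values.addObjectPartForAbsentKey(key, data, versionTag);
          addedToValues = true;
        } else {
          values.addObjectPart(key, data, isObject, versionTag);
          addedToValues = true;
        }
      } finally {
        // The looked-up value is released here unless it was added to the response unchanged;
        // this also covers the denied-key 'continue' and any exception thrown above.
        if (!addedToValues || data != originalData) {
          OffHeapHelper.release(originalData);
        }
      }
    }
    // Send the last chunk even if the list is of zero size.
    sendGetAllResponseChunk(region, values, true, servConn);
    servConn.setAsTrue(RESPONDED);
  } finally {
    values.release();
  }
}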
use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.
the class GetAll method fillAndSendGetAllResponseChunks.
/**
 * Reads every requested key, runs the per-key authorization and post-processing steps, and sends
 * the results to the client in chunks of at most {@code MAXIMUM_CHUNK_SIZE} entries.
 *
 * <p>Per key, in this order: the pre-operation callback (when the connection has one),
 * {@code securityService.authorizeRegionRead}, the value lookup, the post-operation callback
 * (when the connection has one) and {@code securityService.postProcess}. A
 * {@code NotAuthorizedException} from any authorization step is logged and reported to the client
 * as an exception part for that key only; the remaining keys are still processed.
 *
 * @param region region to read from
 * @param regionName region name handed to the authorization and post-processing calls
 * @param keys keys to fetch, or {@code null} to fetch every key currently in the region
 * @param servConn connection that supplies the authorization callbacks and receives the response
 * @throws IOException propagated from the calls made here (presumably from sending a chunk)
 */
private void fillAndSendGetAllResponseChunks(Region region, String regionName, Object[] keys,
    ServerConnection servConn) throws IOException {
  // A null key array means "every entry of the region"; otherwise only the listed keys are read.
  final boolean wholeRegion = keys == null;
  Iterator regionKeyIter = null;
  final int keyCount;
  if (wholeRegion) {
    Set regionKeys = region.keySet();
    regionKeyIter = regionKeys.iterator();
    keyCount = regionKeys.size();
  } else {
    keyCount = keys.length;
  }

  ObjectPartList chunk = new ObjectPartList(MAXIMUM_CHUNK_SIZE, wholeRegion);
  AuthorizeRequest preOpAuthz = servConn.getAuthzRequest();
  AuthorizeRequestPP postOpAuthz = servConn.getPostAuthzRequest();
  Request getCommand = (Request) Request.getCommand();
  // Reused output slots of getValueAndIsObject: [0] the value, [1] the is-object flag.
  Object[] lookupResult = new Object[3];

  for (int idx = 0; idx < keyCount; idx++) {
    // Flush a full chunk before adding more entries.
    if (chunk.size() == MAXIMUM_CHUNK_SIZE) {
      sendGetAllResponseChunk(region, chunk, false, servConn);
      chunk.clear();
    }

    final Object key = wholeRegion ? regionKeyIter.next() : keys[idx];
    if (logger.isDebugEnabled()) {
      logger.debug("{}: Getting value for key={}", servConn.getName(), key);
    }

    // Authorization comes first: a key denied by either check is never looked up.
    GetOperationContext getContext = null;
    if (preOpAuthz != null) {
      try {
        getContext = preOpAuthz.getAuthorize(regionName, key, null);
        if (logger.isDebugEnabled()) {
          logger.debug("{}: Passed GET pre-authorization for key={}", servConn.getName(), key);
        }
      } catch (NotAuthorizedException denied) {
        logger.warn(LocalizedMessage.create(
            LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
            new Object[] {servConn.getName(), key}), denied);
        chunk.addExceptionPart(key, denied);
        continue;
      }
    }
    try {
      this.securityService.authorizeRegionRead(regionName, key.toString());
    } catch (NotAuthorizedException denied) {
      logger.warn(LocalizedMessage.create(
          LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
          new Object[] {servConn.getName(), key}), denied);
      chunk.addExceptionPart(key, denied);
      continue;
    }

    // Get the value and update the statistics. Do not deserialize the value if it is a byte[].
    // The lookup lives in Request so that CacheClientProxy can reuse it.
    getCommand.getValueAndIsObject(region, key, null, servConn, lookupResult);
    Object value = lookupResult[0];
    boolean isObject = (Boolean) lookupResult[1];
    if (logger.isDebugEnabled()) {
      logger.debug("{}: Retrieved value for key={}: {}", servConn.getName(), key, value);
    }

    if (postOpAuthz != null) {
      try {
        getContext = postOpAuthz.getAuthorize(regionName, key, value, isObject, getContext);
        // Take the value back from the context: the serialized form when it has one, else the
        // object form.
        byte[] serializedValue = getContext.getSerializedValue();
        value = serializedValue == null ? getContext.getObject() : serializedValue;
        isObject = getContext.isObject();
        if (logger.isDebugEnabled()) {
          logger.debug("{}: Passed GET post-authorization for key={}: {}", servConn.getName(), key,
              value);
        }
      } catch (NotAuthorizedException denied) {
        logger.warn(LocalizedMessage.create(
            LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
            new Object[] {servConn.getName(), key}), denied);
        chunk.addExceptionPart(key, denied);
        continue;
      }
    }

    // Post-processing is the last step before the value is queued for the client.
    value = this.securityService.postProcess(regionName, key, value, isObject);
    if (logger.isDebugEnabled()) {
      logger.debug("{}: Returning value for key={}: {}", servConn.getName(), key, value);
    }
    chunk.addObjectPart(key, value, isObject, null);
  }

  // Send the last chunk even if the list is of zero size.
  sendGetAllResponseChunk(region, chunk, true, servConn);
  servConn.setAsTrue(RESPONDED);
}
use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.
the class GetAll651 method fillAndSendGetAllResponseChunks.
/**
 * Reads every requested key, runs the per-key authorization and post-processing steps, and sends
 * the results to the client in chunks of at most {@code MAXIMUM_CHUNK_SIZE} entries. Keys that
 * are not present on the server are added through {@code addObjectPartForAbsentKey}.
 *
 * <p>Per key, in this order: the pre-operation callback (when the connection has one),
 * {@code securityService.authorizeRegionRead}, the value lookup, the post-operation callback
 * (when the connection has one) and {@code securityService.postProcess}. A
 * {@code NotAuthorizedException} from any authorization step is logged and reported to the client
 * as an exception part for that key only; the remaining keys are still processed.
 *
 * @param region region to read from
 * @param regionName region name handed to the authorization and post-processing calls
 * @param keys keys to fetch, or {@code null} to fetch every key currently in the region
 * @param servConn connection that supplies the authorization callbacks and receives the response
 * @throws IOException propagated from the calls made here (presumably from sending a chunk)
 */
private void fillAndSendGetAllResponseChunks(Region region, String regionName, Object[] keys,
    ServerConnection servConn) throws IOException {
  // A null key array means "every entry of the region"; otherwise only the listed keys are read.
  final boolean wholeRegion = keys == null;
  Iterator regionKeyIter = null;
  final int keyCount;
  if (wholeRegion) {
    Set regionKeys = region.keySet();
    regionKeyIter = regionKeys.iterator();
    keyCount = regionKeys.size();
  } else {
    keyCount = keys.length;
  }

  ObjectPartList651 chunk = getObjectPartsList(wholeRegion);
  AuthorizeRequest preOpAuthz = servConn.getAuthzRequest();
  AuthorizeRequestPP postOpAuthz = servConn.getPostAuthzRequest();
  Request getCommand = (Request) Request.getCommand();
  // Reused output slots of getValueAndIsObject: [0] the value, [1] the is-object flag,
  // [2] the key-not-present flag.
  Object[] lookupResult = new Object[3];
  final boolean isDebugEnabled = logger.isDebugEnabled();

  for (int idx = 0; idx < keyCount; idx++) {
    // Flush a full chunk before adding more entries.
    if (chunk.size() == MAXIMUM_CHUNK_SIZE) {
      sendGetAllResponseChunk(region, chunk, false, servConn);
      chunk.clear();
    }

    final Object key = wholeRegion ? regionKeyIter.next() : keys[idx];
    if (isDebugEnabled) {
      logger.debug("{}: Getting value for key={}", servConn.getName(), key);
    }

    // Authorization comes first: a key denied by either check is never looked up.
    GetOperationContext getContext = null;
    if (preOpAuthz != null) {
      try {
        getContext = preOpAuthz.getAuthorize(regionName, key, null);
        if (isDebugEnabled) {
          logger.debug("{}: Passed GET pre-authorization for key={}", servConn.getName(), key);
        }
      } catch (NotAuthorizedException denied) {
        logger.warn(LocalizedMessage.create(
            LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
            new Object[] {servConn.getName(), key}), denied);
        chunk.addExceptionPart(key, denied);
        continue;
      }
    }
    try {
      this.securityService.authorizeRegionRead(regionName, key.toString());
    } catch (NotAuthorizedException denied) {
      logger.warn(LocalizedMessage.create(
          LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
          new Object[] {servConn.getName(), key}), denied);
      chunk.addExceptionPart(key, denied);
      continue;
    }

    // Get the value and update the statistics. Do not deserialize the value if it is a byte[].
    // The lookup lives in Request so that CacheClientProxy can reuse it.
    getCommand.getValueAndIsObject(region, key, null, servConn, lookupResult);
    Object value = lookupResult[0];
    boolean isObject = (Boolean) lookupResult[1];
    final boolean keyNotPresent = (Boolean) lookupResult[2];
    if (isDebugEnabled) {
      logger.debug("{}: Retrieved value for key={}: {}", servConn.getName(), key, value);
    }

    if (postOpAuthz != null) {
      try {
        getContext = postOpAuthz.getAuthorize(regionName, key, value, isObject, getContext);
        // Take the value back from the context: the serialized form when it has one, else the
        // object form.
        byte[] serializedValue = getContext.getSerializedValue();
        value = serializedValue == null ? getContext.getObject() : serializedValue;
        isObject = getContext.isObject();
        if (isDebugEnabled) {
          logger.debug("{}: Passed GET post-authorization for key={}: {}", servConn.getName(), key,
              value);
        }
      } catch (NotAuthorizedException denied) {
        logger.warn(LocalizedMessage.create(
            LocalizedStrings.GetAll_0_CAUGHT_THE_FOLLOWING_EXCEPTION_ATTEMPTING_TO_GET_VALUE_FOR_KEY_1,
            new Object[] {servConn.getName(), key}), denied);
        chunk.addExceptionPart(key, denied);
        continue;
      }
    }

    // Post-processing is the last step before the value is queued for the client.
    value = this.securityService.postProcess(regionName, key, value, isObject);
    if (isDebugEnabled) {
      logger.debug("{}: Returning value for key={}: {}", servConn.getName(), key, value);
    }

    if (!keyNotPresent) {
      chunk.addObjectPart(key, value, isObject, null);
    } else {
      if (logger.isDebugEnabled()) {
        logger.debug("{}: key={} is not present on server.", servConn.getName(), key);
      }
      chunk.addObjectPartForAbsentKey(key, value);
    }
  }

  // Send the last chunk even if the list is of zero size.
  sendGetAllResponseChunk(region, chunk, true, servConn);
  servConn.setAsTrue(RESPONDED);
}
use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.
the class ServerHandShakeProcessor method getUniqueId.
/**
 * Creates the pre- and post-operation authorization request objects named by the
 * {@code SECURITY_CLIENT_ACCESSOR} and {@code SECURITY_CLIENT_ACCESSOR_PP} system properties and
 * registers both on the connection. A property that is unset or empty leaves the corresponding
 * request {@code null}.
 *
 * @param connection connection whose distributed system properties, proxy id and cache are used
 * @param principal principal to bind to the authorization requests; may be {@code null}
 * @return the value returned by {@code connection.setUserAuthorizeAndPostAuthorizeRequest}
 * @throws Exception propagated unchanged from any of the calls made here
 */
public static long getUniqueId(ServerConnection connection, Principal principal)
    throws Exception {
  final InternalLogWriter securityLog = connection.getSecurityLogWriter();
  final Properties props = connection.getDistributedSystem().getProperties();

  // hitesh:auth callbacks
  final String preOpFactory = props.getProperty(SECURITY_CLIENT_ACCESSOR);
  final String postOpFactory = props.getProperty(SECURITY_CLIENT_ACCESSOR_PP);

  // NOTE(review): in both branches a null principal only produces a warning; the request object
  // is still created with it. Whether the accessor then denies operations is decided outside this
  // method - confirm that an unauthenticated client cannot end up authorized.
  AuthorizeRequest preOpRequest = null;
  if (preOpFactory != null && !preOpFactory.isEmpty()) {
    if (securityLog.fineEnabled()) {
      securityLog.fine(connection.getName() + ": Setting pre-process authorization callback to: "
          + preOpFactory);
    }
    if (principal == null && securityLog.warningEnabled()) {
      securityLog.warning(
          LocalizedStrings.ServerHandShakeProcessor_0_AUTHORIZATION_ENABLED_BUT_AUTHENTICATION_CALLBACK_1_RETURNED_WITH_NULL_CREDENTIALS_FOR_PROXYID_2,
          new Object[] {connection.getName(), SECURITY_CLIENT_AUTHENTICATOR,
              connection.getProxyID()});
    }
    preOpRequest = new AuthorizeRequest(preOpFactory, connection.getProxyID(), principal,
        connection.getCache());
  }

  AuthorizeRequestPP postOpRequest = null;
  if (postOpFactory != null && !postOpFactory.isEmpty()) {
    if (securityLog.fineEnabled()) {
      securityLog.fine(connection.getName() + ": Setting post-process authorization callback to: "
          + postOpFactory);
    }
    if (principal == null && securityLog.warningEnabled()) {
      securityLog.warning(
          LocalizedStrings.ServerHandShakeProcessor_0_POSTPROCESS_AUTHORIZATION_ENABLED_BUT_NO_AUTHENTICATION_CALLBACK_2_IS_CONFIGURED,
          new Object[] {connection.getName(), SECURITY_CLIENT_AUTHENTICATOR});
    }
    postOpRequest = new AuthorizeRequestPP(postOpFactory, connection.getProxyID(), principal,
        connection.getCache());
  }

  // Both requests are handed over together; either may be null when its property is not set.
  return connection.setUserAuthorizeAndPostAuthorizeRequest(preOpRequest, postOpRequest);
}