Example 11 with AuthorizeRequestPP
use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.
the class ServerToClientFunctionResultSender method authorizeResult.
protected void authorizeResult(Object oneResult) throws IOException {
// check if the caller is authorised to receive these function execution
// results from server
AuthorizeRequestPP authzRequestPP = this.sc.getPostAuthzRequest();
if (authzRequestPP != null) {
this.authContext.setIsPostOperation(true);
this.authContext = authzRequestPP.executeFunctionAuthorize(oneResult, this.authContext);
}
}
Also used :
AuthorizeRequestPP(org.apache.geode.internal.security.AuthorizeRequestPP)
Example 12 with AuthorizeRequestPP
use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.
the class CacheClientProxy method postDeliverAuthCheckPassed.
private boolean postDeliverAuthCheckPassed(ClientUpdateMessage clientMessage) {
// process authorization
if (AcceptorImpl.isAuthenticationRequired() && this.postAuthzCallback == null && AcceptorImpl.isPostAuthzCallbackPresent()) {
// security is on and callback is null: it means multiuser mode.
ClientUpdateMessageImpl cumi = (ClientUpdateMessageImpl) clientMessage;
CqNameToOp clientCq = cumi.getClientCq(this.proxyID);
if (clientCq != null && !clientCq.isEmpty()) {
if (logger.isDebugEnabled()) {
logger.debug("CCP clientCq size before processing auth {}", clientCq.size());
}
String[] regionNameHolder = new String[1];
OperationContext opctxt = getOperationContext(clientMessage, regionNameHolder);
if (opctxt == null) {
logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientProxy__0_NOT_ADDING_MESSAGE_TO_QUEUE_1_BECAUSE_THE_OPERATION_CONTEXT_OBJECT_COULD_NOT_BE_OBTAINED_FOR_THIS_CLIENT_MESSAGE, new Object[] { this, clientMessage }));
return false;
}
String[] cqNames = clientCq.getNames();
if (logger.isDebugEnabled()) {
logger.debug("CCP clientCq names array size {}", cqNames.length);
}
for (int i = 0; i < cqNames.length; i++) {
try {
if (logger.isDebugEnabled()) {
logger.debug("CCP clientCq name {}", cqNames[i]);
}
boolean isAuthorized = false;
if (this.proxyID.isDurable() && this.getDurableKeepAlive() && this._isPaused) {
// need to take lock as we may be reinitializing proxy cache
synchronized (this.clientUserAuthsLock) {
AuthorizeRequestPP postAuthCallback = this.clientUserAuths.getUserAuthAttributes(cqNames[i]).getPostAuthzRequest();
if (logger.isDebugEnabled() && postAuthCallback == null) {
logger.debug("CCP clientCq post callback is null");
}
if (postAuthCallback != null && postAuthCallback.getPostAuthzCallback().authorizeOperation(regionNameHolder[0], opctxt)) {
isAuthorized = true;
}
}
} else {
UserAuthAttributes userAuthAttributes = this.clientUserAuths.getUserAuthAttributes(cqNames[i]);
AuthorizeRequestPP postAuthCallback = userAuthAttributes.getPostAuthzRequest();
if (postAuthCallback == null && logger.isDebugEnabled()) {
logger.debug("CCP clientCq post callback is null");
}
if (postAuthCallback != null && postAuthCallback.getPostAuthzCallback().authorizeOperation(regionNameHolder[0], opctxt)) {
isAuthorized = true;
}
}
if (!isAuthorized) {
logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientProxy__0_NOT_ADDING_CQ_MESSAGE_TO_QUEUE_1_BECAUSE_AUTHORIZATION_FAILED, new Object[] { this, clientMessage }));
clientCq.delete(cqNames[i]);
}
} catch (Exception ex) {
// ignore...
}
if (logger.isDebugEnabled()) {
logger.debug("CCP clientCq size after processing auth {}", clientCq.size());
}
}
// again need to check as there may be no CQ available
if (!clientMessage.hasCqs(this.proxyID)) {
this._statistics.incMessagesNotQueuedNotInterested();
if (logger.isTraceEnabled(LogMarker.BRIDGE_SERVER)) {
logger.debug("{}: Not adding message to queue. It is not interested in this region and key: {}", clientMessage);
}
return false;
}
}
} else if (this.postAuthzCallback != null) {
String[] regionNameHolder = new String[1];
boolean isAuthorize = false;
OperationContext opctxt = getOperationContext(clientMessage, regionNameHolder);
if (opctxt == null) {
logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientProxy__0_NOT_ADDING_MESSAGE_TO_QUEUE_1_BECAUSE_THE_OPERATION_CONTEXT_OBJECT_COULD_NOT_BE_OBTAINED_FOR_THIS_CLIENT_MESSAGE, new Object[] { this, clientMessage }));
return false;
}
if (logger.isTraceEnabled()) {
logger.trace("{}: Invoking authorizeOperation for message: {}", this, clientMessage);
}
if (this.proxyID.isDurable() && this.getDurableKeepAlive() && this._isPaused) {
synchronized (this.clientUserAuthsLock) {
isAuthorize = this.postAuthzCallback.authorizeOperation(regionNameHolder[0], opctxt);
}
} else {
isAuthorize = this.postAuthzCallback.authorizeOperation(regionNameHolder[0], opctxt);
}
if (!isAuthorize) {
logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientProxy__0_NOT_ADDING_MESSAGE_TO_QUEUE_1_BECAUSE_AUTHORIZATION_FAILED, new Object[] { this, clientMessage }));
return false;
}
}
return true;
}
Also used :
RegionCreateOperationContext(org.apache.geode.cache.operations.RegionCreateOperationContext)
DestroyOperationContext(org.apache.geode.cache.operations.DestroyOperationContext)
PutOperationContext(org.apache.geode.cache.operations.PutOperationContext)
InvalidateOperationContext(org.apache.geode.cache.operations.InvalidateOperationContext)
RegionClearOperationContext(org.apache.geode.cache.operations.RegionClearOperationContext)
RegionDestroyOperationContext(org.apache.geode.cache.operations.RegionDestroyOperationContext)
OperationContext(org.apache.geode.cache.operations.OperationContext)
CqNameToOp(org.apache.geode.internal.cache.tier.sockets.ClientUpdateMessageImpl.CqNameToOp)
AuthorizeRequestPP(org.apache.geode.internal.security.AuthorizeRequestPP)
RegionExistsException(org.apache.geode.cache.RegionExistsException)
CqException(org.apache.geode.cache.query.CqException)
RegionDestroyedException(org.apache.geode.cache.RegionDestroyedException)
CancelException(org.apache.geode.CancelException)
SocketException(java.net.SocketException)
IOException(java.io.IOException)
CacheException(org.apache.geode.cache.CacheException)
Example 13 with AuthorizeRequestPP
use of org.apache.geode.internal.security.AuthorizeRequestPP in project geode by apache.
the class BaseCommandQuery method processQueryUsingParams.
/**
* Process the give query and sends the resulset back to the client.
*
* @param msg
* @param query
* @param queryString
* @param regionNames
* @param start
* @param cqQuery
* @param queryContext
* @param servConn
* @return true if successful execution false in case of failure.
* @throws IOException
*/
protected boolean processQueryUsingParams(Message msg, Query query, String queryString, Set regionNames, long start, ServerCQ cqQuery, QueryOperationContext queryContext, ServerConnection servConn, boolean sendResults, Object[] params) throws IOException, InterruptedException {
ChunkedMessage queryResponseMsg = servConn.getQueryResponseMessage();
CacheServerStats stats = servConn.getCacheServerStats();
CachedRegionHelper crHelper = servConn.getCachedRegionHelper();
{
long oldStart = start;
start = DistributionStats.getStatTime();
stats.incReadQueryRequestTime(start - oldStart);
}
// object type
if (servConn.getClientVersion().compareTo(Version.GFE_70) >= 0) {
((DefaultQuery) query).setRemoteQuery(true);
}
// Process the query request
try {
// integrated security
for (Object regionName : regionNames) {
this.securityService.authorizeRegionRead(regionName.toString());
}
// Execute query
// startTime = GenericStats.getTime();
// startTime = System.currentTimeMillis();
// For now we assume the results are a SelectResults
// which is the only possibility now, but this may change
// in the future if we support arbitrary queries
Object result = null;
if (params != null) {
result = query.execute(params);
} else {
result = query.execute();
}
// Asif : Before conditioning the results check if any
// of the regions involved in the query have been destroyed
// or not. If yes, throw an Exception.
// This is a workaround/fix for Bug 36969
Iterator itr = regionNames.iterator();
while (itr.hasNext()) {
String regionName = (String) itr.next();
if (crHelper.getRegion(regionName) == null) {
throw new RegionDestroyedException(LocalizedStrings.BaseCommand_REGION_DESTROYED_DURING_THE_EXECUTION_OF_THE_QUERY.toLocalizedString(), regionName);
}
}
AuthorizeRequestPP postAuthzRequest = servConn.getPostAuthzRequest();
if (postAuthzRequest != null) {
if (cqQuery == null) {
queryContext = postAuthzRequest.queryAuthorize(queryString, regionNames, result, queryContext, params);
} else {
queryContext = postAuthzRequest.executeCQAuthorize(cqQuery.getName(), queryString, regionNames, result, queryContext);
}
result = queryContext.getQueryResult();
}
if (result instanceof SelectResults) {
SelectResults selectResults = (SelectResults) result;
if (logger.isDebugEnabled()) {
logger.debug("Query Result size for : {} is {}", query.getQueryString(), selectResults.size());
}
CollectionType collectionType = null;
boolean sendCqResultsWithKey = true;
boolean isStructs = false;
// check if resultset has serialized objects, so that they could be sent
// as ObjectPartList
boolean hasSerializedObjects = ((DefaultQuery) query).isKeepSerialized();
if (logger.isDebugEnabled()) {
logger.debug("Query Result for :{} has serialized objects: {}", query.getQueryString(), hasSerializedObjects);
}
// Don't convert to a Set, there might be duplicates now
// The results in a StructSet are stored in Object[]s
// Get them as Object[]s for the objs[] in order to avoid duplicating
// the StructTypes
// Object[] objs = new Object[selectResults.size()];
// Get the collection type (which includes the element type)
// (used to generate the appropriate instance on the client)
// Get the collection type (which includes the element type)
// (used to generate the appropriate instance on the client)
collectionType = getCollectionType(selectResults);
isStructs = collectionType.getElementType().isStructType();
// Check if the Query is from CQ execution.
if (cqQuery != null) {
// Check if the key can be sent to the client based on its version.
sendCqResultsWithKey = sendCqResultsWithKey(servConn);
if (sendCqResultsWithKey) {
// Update the collection type to include key info.
collectionType = new CollectionTypeImpl(Collection.class, new StructTypeImpl(new String[] { "key", "value" }));
isStructs = collectionType.getElementType().isStructType();
}
}
int numberOfChunks = (int) Math.ceil(selectResults.size() * 1.0 / MAXIMUM_CHUNK_SIZE);
if (logger.isTraceEnabled()) {
logger.trace("{}: Query results size: {}: Entries in chunk: {}: Number of chunks: {}", servConn.getName(), selectResults.size(), MAXIMUM_CHUNK_SIZE, numberOfChunks);
}
long oldStart = start;
start = DistributionStats.getStatTime();
stats.incProcessQueryTime(start - oldStart);
if (sendResults) {
queryResponseMsg.setMessageType(MessageType.RESPONSE);
queryResponseMsg.setTransactionId(msg.getTransactionId());
queryResponseMsg.sendHeader();
}
if (sendResults && numberOfChunks == 0) {
// Send 1 empty chunk
if (logger.isTraceEnabled()) {
logger.trace("{}: Creating chunk: 0", servConn.getName());
}
writeQueryResponseChunk(new Object[0], collectionType, true, servConn);
if (logger.isDebugEnabled()) {
logger.debug("{}: Sent chunk (1 of 1) of query response for query {}", servConn.getName(), queryString);
}
} else {
// send it as a part of ObjectPartList
if (hasSerializedObjects) {
sendResultsAsObjectPartList(numberOfChunks, servConn, selectResults.asList(), isStructs, collectionType, queryString, cqQuery, sendCqResultsWithKey, sendResults);
} else {
sendResultsAsObjectArray(selectResults, numberOfChunks, servConn, isStructs, collectionType, queryString, cqQuery, sendCqResultsWithKey, sendResults);
}
}
if (cqQuery != null) {
// Set the CQ query result cache initialized flag.
cqQuery.setCqResultsCacheInitialized();
}
} else if (result instanceof Integer) {
if (sendResults) {
queryResponseMsg.setMessageType(MessageType.RESPONSE);
queryResponseMsg.setTransactionId(msg.getTransactionId());
queryResponseMsg.sendHeader();
writeQueryResponseChunk(result, null, true, servConn);
}
} else {
throw new QueryInvalidException(LocalizedStrings.BaseCommand_UNKNOWN_RESULT_TYPE_0.toLocalizedString(result.getClass()));
}
msg.clearParts();
} catch (QueryInvalidException e) {
// Handle this exception differently since it can contain
// non-serializable objects.
// java.io.NotSerializableException: antlr.CommonToken
// Log a warning to show stack trace and create a new
// QueryInvalidEsception on the original one's message (not cause).
logger.warn(LocalizedMessage.create(LocalizedStrings.BaseCommand_UNEXPECTED_QUERYINVALIDEXCEPTION_WHILE_PROCESSING_QUERY_0, queryString), e);
QueryInvalidException qie = new QueryInvalidException(LocalizedStrings.BaseCommand_0_QUERYSTRING_IS_1.toLocalizedString(new Object[] { e.getLocalizedMessage(), queryString }));
writeQueryResponseException(msg, qie, servConn);
return false;
} catch (DistributedSystemDisconnectedException se) {
if (msg != null && logger.isDebugEnabled()) {
logger.debug("{}: ignoring message of type {} from client {} because shutdown occurred during message processing.", servConn.getName(), MessageType.getString(msg.getMessageType()), servConn.getProxyID());
}
servConn.setFlagProcessMessagesAsFalse();
servConn.setClientDisconnectedException(se);
return false;
} catch (Exception e) {
// If an interrupted exception is thrown , rethrow it
checkForInterrupt(servConn, e);
// Otherwise, write a query response and continue
// Check if query got canceled from QueryMonitor.
DefaultQuery defaultQuery = (DefaultQuery) query;
if ((defaultQuery).isCanceled()) {
e = new QueryException(defaultQuery.getQueryCanceledException().getMessage(), e.getCause());
}
writeQueryResponseException(msg, e, servConn);
return false;
} finally {
// Since the query object is being shared in case of bind queries,
// resetting the flag may cause inconsistency.
// Also since this flag is only being set in code path executed by
// remote query execution, resetting it is not required.
// ((DefaultQuery)query).setRemoteQuery(false);
}
if (logger.isDebugEnabled()) {
logger.debug("{}: Sent query response for query {}", servConn.getName(), queryString);
}
stats.incWriteQueryResponseTime(DistributionStats.getStatTime() - start);
return true;
}
Also used :
DistributedSystemDisconnectedException(org.apache.geode.distributed.DistributedSystemDisconnectedException)
DefaultQuery(org.apache.geode.cache.query.internal.DefaultQuery)
RegionDestroyedException(org.apache.geode.cache.RegionDestroyedException)
QueryInvalidException(org.apache.geode.cache.query.QueryInvalidException)
AuthorizeRequestPP(org.apache.geode.internal.security.AuthorizeRequestPP)
RegionDestroyedException(org.apache.geode.cache.RegionDestroyedException)
DistributedSystemDisconnectedException(org.apache.geode.distributed.DistributedSystemDisconnectedException)
QueryInvalidException(org.apache.geode.cache.query.QueryInvalidException)
IOException(java.io.IOException)
QueryException(org.apache.geode.cache.query.QueryException)
CachedRegionHelper(org.apache.geode.internal.cache.tier.CachedRegionHelper)
QueryException(org.apache.geode.cache.query.QueryException)
SelectResults(org.apache.geode.cache.query.SelectResults)
CollectionTypeImpl(org.apache.geode.cache.query.internal.types.CollectionTypeImpl)
CollectionType(org.apache.geode.cache.query.types.CollectionType)
Iterator(java.util.Iterator)
StructTypeImpl(org.apache.geode.cache.query.internal.types.StructTypeImpl)
Collection(java.util.Collection)
Aggregations
AuthorizeRequestPP (org.apache.geode.internal.security.AuthorizeRequestPP)13
AuthorizeRequest (org.apache.geode.internal.security.AuthorizeRequest)8
IOException (java.io.IOException)6
GetOperationContext (org.apache.geode.cache.operations.GetOperationContext)6
NotAuthorizedException (org.apache.geode.security.NotAuthorizedException)6
Iterator (java.util.Iterator)5
Set (java.util.Set)4
GetOperationContextImpl (org.apache.geode.cache.operations.internal.GetOperationContextImpl)3
CachedRegionHelper (org.apache.geode.internal.cache.tier.CachedRegionHelper)3
VersionTag (org.apache.geode.internal.cache.versions.VersionTag)3
Retained (org.apache.geode.internal.offheap.annotations.Retained)3
SocketException (java.net.SocketException)2
Region (org.apache.geode.cache.Region)2
RegionDestroyedException (org.apache.geode.cache.RegionDestroyedException)2
StringId (org.apache.geode.i18n.StringId)2
LocalRegion (org.apache.geode.internal.cache.LocalRegion)2
PartitionedRegion (org.apache.geode.internal.cache.PartitionedRegion)2
CacheServerStats (org.apache.geode.internal.cache.tier.sockets.CacheServerStats)2
Part (org.apache.geode.internal.cache.tier.sockets.Part)2
VersionedObjectList (org.apache.geode.internal.cache.tier.sockets.VersionedObjectList)2
