
Example 1 with SecurityPermission

use of org.apache.ignite.plugin.security.SecurityPermission in project ignite by apache.

the class GridRestProcessor method authorize.

/**
 * Checks that the caller of a REST request is allowed to run the requested command.
 * <p>
 * The command selects both the required {@link SecurityPermission} and the cache or task name it
 * applies to; the pair is then passed, with the caller's security context, to the security processor.
 * Commands listed in the last case group return without any permission check from this method.
 * A command that has no case label at all ends in an {@link AssertionError}, so a newly added
 * command cannot slip through unchecked without this switch being updated.
 *
 * @param req REST request.
 * @param sCtx Security context.
 * @throws SecurityException If authorization failed.
 */
private void authorize(GridRestRequest req, SecurityContext sCtx) throws SecurityException {
    final SecurityPermission required;
    final String target;

    switch (req.command()) {
        // Key/value reads.
        case CACHE_GET:
        case CACHE_CONTAINS_KEY:
        case CACHE_CONTAINS_KEYS:
        case CACHE_GET_ALL:
            required = SecurityPermission.CACHE_READ;
            target = ((GridRestCacheRequest) req).cacheName();
            break;

        // Queries need the same permission as reads but arrive as a different request type.
        case EXECUTE_SQL_QUERY:
        case EXECUTE_SQL_FIELDS_QUERY:
        case EXECUTE_SCAN_QUERY:
        case CLOSE_SQL_QUERY:
        case FETCH_SQL_QUERY:
            required = SecurityPermission.CACHE_READ;
            target = ((RestQueryRequest) req).cacheName();
            break;

        // Every command that can write a value, including the read-and-write combinations.
        case CACHE_PUT:
        case CACHE_ADD:
        case CACHE_PUT_ALL:
        case CACHE_REPLACE:
        case CACHE_CAS:
        case CACHE_APPEND:
        case CACHE_PREPEND:
        case CACHE_GET_AND_PUT:
        case CACHE_GET_AND_REPLACE:
        case CACHE_GET_AND_PUT_IF_ABSENT:
        case CACHE_PUT_IF_ABSENT:
        case CACHE_REPLACE_VALUE:
            required = SecurityPermission.CACHE_PUT;
            target = ((GridRestCacheRequest) req).cacheName();
            break;

        // Removals and clear.
        case CACHE_REMOVE:
        case CACHE_REMOVE_ALL:
        case CACHE_CLEAR:
        case CACHE_GET_AND_REMOVE:
        case CACHE_REMOVE_VALUE:
            required = SecurityPermission.CACHE_REMOVE;
            target = ((GridRestCacheRequest) req).cacheName();
            break;

        // Task execution and result retrieval are checked against the task name.
        case EXE:
        case RESULT:
            required = SecurityPermission.TASK_EXECUTE;
            target = ((GridRestTaskRequest) req).taskName();
            break;

        // Cache lifecycle: one administrative permission covers both create and destroy here.
        case GET_OR_CREATE_CACHE:
        case DESTROY_CACHE:
            required = SecurityPermission.ADMIN_CACHE;
            target = ((GridRestCacheRequest) req).cacheName();
            break;

        // No permission is requested for these commands, so the security processor is not called.
        // NOTE(review): the group contains state-changing commands (CLUSTER_ACTIVE, CLUSTER_INACTIVE,
        // ADD_USER, REMOVE_USER, UPDATE_USER, QUIT, ATOMIC_INCREMENT, ATOMIC_DECREMENT); presumably
        // they are restricted elsewhere - confirm before relying on this method as the only gate.
        case CACHE_METRICS:
        case CACHE_SIZE:
        case CACHE_METADATA:
        case TOPOLOGY:
        case NODE:
        case VERSION:
        case NOOP:
        case QUIT:
        case ATOMIC_INCREMENT:
        case ATOMIC_DECREMENT:
        case NAME:
        case LOG:
        case CLUSTER_CURRENT_STATE:
        case CLUSTER_ACTIVE:
        case CLUSTER_INACTIVE:
        case ADD_USER:
        case REMOVE_USER:
        case UPDATE_USER:
            return;

        default:
            throw new AssertionError("Unexpected command: " + req.command());
    }

    ctx.security().authorize(target, required, sCtx);
}
Also used : SecurityPermission(org.apache.ignite.plugin.security.SecurityPermission)

Example 2 with SecurityPermission

use of org.apache.ignite.plugin.security.SecurityPermission in project ignite by apache.

the class RestProcessorAuthorizationTest method getPluginProvider.

/**
 * {@inheritDoc}
 * <p>
 * Returns a test plugin provider whose security processor records every authorization request in
 * {@code authorizationCtxList} before handing it to the regular test implementation.
 */
@Override
protected PluginProvider<?> getPluginProvider(String name) {
    return new TestSecurityPluginProvider(name, null, ALLOW_ALL, globalAuth, clientData()) {
        /** {@inheritDoc} */
        @Override
        protected GridSecurityProcessor securityProcessor(GridKernalContext ctx) {
            TestSecurityData nodeData = new TestSecurityData(login, pwd, perms, new Permissions());

            return new TestSecurityProcessor(ctx, nodeData, Arrays.asList(clientData), globalAuth) {
                /** {@inheritDoc} */
                @Override
                public void authorize(
                    String name,
                    SecurityPermission perm,
                    SecurityContext securityCtx
                ) throws SecurityException {
                    // Record first: the entry is kept even when the delegated check below throws.
                    authorizationCtxList.add(F.t(name, perm, securityCtx));

                    super.authorize(name, perm, securityCtx);
                }
            };
        }
    };
}
Also used : TestSecurityData(org.apache.ignite.internal.processors.security.impl.TestSecurityData) TestSecurityProcessor(org.apache.ignite.internal.processors.security.impl.TestSecurityProcessor) TestSecurityPluginProvider(org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider) GridKernalContext(org.apache.ignite.internal.GridKernalContext) Permissions(java.security.Permissions) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) SecurityPermission(org.apache.ignite.plugin.security.SecurityPermission)

Example 3 with SecurityPermission

use of org.apache.ignite.plugin.security.SecurityPermission in project ignite by apache.

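the class RestProcessorAuthorizationTest method testCacheCreateDestroyPermission. The permissions this test expects (CACHE_CREATE and CACHE_DESTROY) correspond to the command mapping shown in Example 4, not to the ADMIN_CACHE mapping shown in Example 1.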

/**
 * Checks which permission and subject are passed to the security processor when a cache is created
 * and then destroyed through REST commands.
 *
 * @throws Exception if failed.
 */
@Test
public void testCacheCreateDestroyPermission() throws Exception {
    IgniteEx node = startGrid(0);

    node.cluster().state(ClusterState.ACTIVE);

    // The cache must not exist yet, otherwise the create command would not be exercised.
    assertNull(node.cache(TEST_CACHE));

    executeCommand(GridRestCommand.GET_OR_CREATE_CACHE, LOGIN, PWD);

    // Only the first recorded authorization request is inspected.
    GridTuple3<String, SecurityPermission, SecurityContext> createCheck = authorizationCtxList.get(0);

    assertEquals(TEST_CACHE, createCheck.get1());
    assertEquals(SecurityPermission.CACHE_CREATE, createCheck.get2());
    // The check has to run on behalf of the REST login, not of some other subject.
    assertEquals(LOGIN, createCheck.get3().subject().login());
    assertNotNull(node.cache(TEST_CACHE));

    // Start from an empty record so index 0 belongs to the destroy command.
    authorizationCtxList.clear();

    executeCommand(GridRestCommand.DESTROY_CACHE, LOGIN, PWD);

    GridTuple3<String, SecurityPermission, SecurityContext> destroyCheck = authorizationCtxList.get(0);

    assertEquals(TEST_CACHE, destroyCheck.get1());
    assertEquals(SecurityPermission.CACHE_DESTROY, destroyCheck.get2());
    assertEquals(LOGIN, destroyCheck.get3().subject().login());
    assertNull(node.cache(TEST_CACHE));
}
Also used : IgniteEx(org.apache.ignite.internal.IgniteEx) SecurityContext(org.apache.ignite.internal.processors.security.SecurityContext) SecurityPermission(org.apache.ignite.plugin.security.SecurityPermission) CommonSecurityCheckTest(org.apache.ignite.internal.processors.security.client.CommonSecurityCheckTest) Test(org.junit.Test)

Example 4 with SecurityPermission

use of org.apache.ignite.plugin.security.SecurityPermission in project ignite by apache.

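the class GridRestProcessor method authorize. This is a different revision of the method shown in Example 1: it takes no SecurityContext argument, maps cache creation and destruction to separate permissions, and requires ADMIN_OPS for cluster state and baseline commands.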

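/**
 * Resolves the permission required by a REST command and asks the security processor to authorize it.
 * <p>
 * Cache, query and task commands are checked against the cache or task name taken from the request.
 * Cluster state and baseline commands require {@link SecurityPermission#ADMIN_OPS} and are checked
 * with a {@code null} name. Commands in the last case group are not checked by this method.
 * A command that has no case label at all ends in an {@link AssertionError}, so a newly added
 * command cannot slip through unchecked without this switch being updated.
 *
 * @param req REST request.
 * @throws SecurityException If authorization failed, or if a {@link VisorGatewayTask} request does
 *      not carry the name of the wrapped task as a string at index {@code WRAPPED_TASK_IDX}.
 */
private void authorize(GridRestRequest req) throws SecurityException {
    SecurityPermission perm = null;
    String name = null;
    switch(req.command()) {
        case CACHE_GET:
        case CACHE_CONTAINS_KEY:
        case CACHE_CONTAINS_KEYS:
        case CACHE_GET_ALL:
            perm = SecurityPermission.CACHE_READ;
            name = ((GridRestCacheRequest) req).cacheName();
            break;
        // Queries need the same permission as reads but arrive as a different request type.
        case EXECUTE_SQL_QUERY:
        case EXECUTE_SQL_FIELDS_QUERY:
        case EXECUTE_SCAN_QUERY:
        case CLOSE_SQL_QUERY:
        case FETCH_SQL_QUERY:
            perm = SecurityPermission.CACHE_READ;
            name = ((RestQueryRequest) req).cacheName();
            break;
        case CACHE_PUT:
        case CACHE_ADD:
        case CACHE_PUT_ALL:
        case CACHE_REPLACE:
        case CACHE_CAS:
        case CACHE_APPEND:
        case CACHE_PREPEND:
        case CACHE_GET_AND_PUT:
        case CACHE_GET_AND_REPLACE:
        case CACHE_GET_AND_PUT_IF_ABSENT:
        case CACHE_PUT_IF_ABSENT:
        case CACHE_REPLACE_VALUE:
            perm = SecurityPermission.CACHE_PUT;
            name = ((GridRestCacheRequest) req).cacheName();
            break;
        case CACHE_REMOVE:
        case CACHE_REMOVE_ALL:
        case CACHE_CLEAR:
        case CACHE_GET_AND_REMOVE:
        case CACHE_REMOVE_VALUE:
            perm = SecurityPermission.CACHE_REMOVE;
            name = ((GridRestCacheRequest) req).cacheName();
            break;
        case EXE:
        case RESULT:
            perm = SecurityPermission.TASK_EXECUTE;
            GridRestTaskRequest taskReq = (GridRestTaskRequest) req;
            name = taskReq.taskName();
            // VisorGatewayTask is only a wrapper: the permission has to be checked against the task
            // it carries, whose name is read from the request parameters.
            if (VisorGatewayTask.class.getName().equals(name)) {
                // The parameters come from the REST client, so they are neither indexed nor cast
                // blindly. A missing or null entry is rejected as well: it would otherwise be
                // authorized against a null task name instead of the task that actually runs.
                Object wrapped = taskReq.params() != null && taskReq.params().size() > WRAPPED_TASK_IDX
                    ? taskReq.params().get(WRAPPED_TASK_IDX)
                    : null;

                if (!(wrapped instanceof String))
                    throw new SecurityException("Failed to resolve the name of the task wrapped by " + name);

                name = (String) wrapped;
            }
            break;
        case GET_OR_CREATE_CACHE:
            perm = SecurityPermission.CACHE_CREATE;
            name = ((GridRestCacheRequest) req).cacheName();
            break;
        case DESTROY_CACHE:
            perm = SecurityPermission.CACHE_DESTROY;
            name = ((GridRestCacheRequest) req).cacheName();
            break;
        // Cluster-wide operations: the permission is not tied to a cache or task, name stays null.
        case CLUSTER_ACTIVE:
        case CLUSTER_INACTIVE:
        case CLUSTER_ACTIVATE:
        case CLUSTER_DEACTIVATE:
        case BASELINE_SET:
        case BASELINE_ADD:
        case BASELINE_REMOVE:
        case CLUSTER_SET_STATE:
            perm = SecurityPermission.ADMIN_OPS;
            break;
        // No permission is requested for these commands, so the security processor is not called.
        // NOTE(review): the group contains state-changing commands (ADD_USER, REMOVE_USER,
        // UPDATE_USER, QUIT, ATOMIC_INCREMENT, ATOMIC_DECREMENT); presumably they are restricted
        // elsewhere - confirm before relying on this method as the only gate.
        case DATA_REGION_METRICS:
        case DATA_STORAGE_METRICS:
        case CACHE_METRICS:
        case CACHE_SIZE:
        case CACHE_METADATA:
        case TOPOLOGY:
        case NODE:
        case VERSION:
        case NOOP:
        case QUIT:
        case ATOMIC_INCREMENT:
        case ATOMIC_DECREMENT:
        case NAME:
        case LOG:
        case CLUSTER_CURRENT_STATE:
        case CLUSTER_NAME:
        case BASELINE_CURRENT_STATE:
        case CLUSTER_STATE:
        case AUTHENTICATE:
        case ADD_USER:
        case REMOVE_USER:
        case UPDATE_USER:
        case PROBE:
            break;
        default:
            throw new AssertionError("Unexpected command: " + req.command());
    }
    if (perm != null)
        ctx.security().authorize(name, perm);
}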
Also used : GridRestTaskRequest(org.apache.ignite.internal.processors.rest.request.GridRestTaskRequest) VisorGatewayTask(org.apache.ignite.internal.visor.compute.VisorGatewayTask) SecurityPermission(org.apache.ignite.plugin.security.SecurityPermission)
