
Example 1 with KarafMBeanServerGuard

use of org.apache.karaf.management.KarafMBeanServerGuard in project karaf by apache.

the class Activator method doStart.

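/**
 * Assembles and starts the JMX management stack of this bundle: the RMI registry, the
 * MBean server, the JMX connector server, the JMX security MBean, and a tracker that
 * re-initialises the connector when {@code KeystoreInstance} services come and go.
 *
 * <p>Returns without starting anything while {@code ConfigurationAdmin} or
 * {@code KeystoreManager} is not available.
 *
 * <p>Security-relevant defaults read below (each can be overridden by configuration):
 * <ul>
 *   <li>{@code rmiServerHost} defaults to {@code 0.0.0.0}, the wildcard address;</li>
 *   <li>{@code secured} defaults to {@code false};</li>
 *   <li>remote callers are authenticated by a {@code JaasAuthenticator} on realm
 *       {@code jmxRealm} (default {@code karaf});</li>
 *   <li>a {@code KarafMBeanServerGuard} backed by {@code ConfigurationAdmin} is handed to
 *       both the connector factory and the security MBean.</li>
 * </ul>
 * NOTE(review): presumably {@code secured} is what switches the connector to SSL/TLS (the
 * re-init log messages below say "with SSL enabled"); if so, the defaults expose an
 * unencrypted, JAAS-authenticated JMX endpoint on every interface. Confirm in
 * {@code ConnectorServerFactory} and restrict the host or enable {@code secured} in
 * deployments that are reachable from untrusted networks.
 *
 * @throws Exception if building the {@code ObjectName}, initialising the RMI registry or
 *         MBean server, or registering the MBean/service fails; a failure of the
 *         connector server itself is logged, not rethrown
 */
protected void doStart() throws Exception {
    // Verify dependencies
    ConfigurationAdmin configurationAdmin = getTrackedService(ConfigurationAdmin.class);
    KeystoreManager keystoreManager = getTrackedService(KeystoreManager.class);
    if (configurationAdmin == null || keystoreManager == null) {
        return;
    }

    // Network endpoints of the RMI registry and the RMI server.
    String rmiRegistryHost = getString("rmiRegistryHost", "");
    int rmiRegistryPort = getInt("rmiRegistryPort", 1099);
    String rmiServerHost = getString("rmiServerHost", "0.0.0.0");
    int rmiServerPort = getInt("rmiServerPort", 44444);
    String jmxRealm = getString("jmxRealm", "karaf");
    // The default URL is derived from the host/port values above and the karaf.name system property.
    String serviceUrl = getString("serviceUrl", "service:jmx:rmi://" + rmiServerHost + ":" + rmiServerPort + "/jndi/rmi://" + rmiRegistryHost + ":" + rmiRegistryPort + "/karaf-" + System.getProperty("karaf.name"));
    boolean daemon = getBoolean("daemon", true);
    boolean threaded = getBoolean("threaded", true);
    ObjectName objectName = new ObjectName(getString("objectName", "connector:name=rmi"));
    long keyStoreAvailabilityTimeout = getLong("keyStoreAvailabilityTimeout", 5000);

    // Authentication and transport-security settings.
    String authenticatorType = getString("authenticatorType", "password");
    final boolean secured = getBoolean("secured", false);
    String secureAlgorithm = getString("secureAlgorithm", "default");
    String secureProtocol = getString("secureProtocol", "TLS");
    String keyStore = getString("keyStore", "karaf.ks");
    String keyAlias = getString("keyAlias", "karaf");
    String trustStore = getString("trustStore", "karaf.ts");
    boolean createRmiRegistry = getBoolean("createRmiRegistry", true);
    boolean locateRmiRegistry = getBoolean("locateRmiRegistry", true);
    boolean locateExistingMBeanServerIfPossible = getBoolean("locateExistingMBeanServerIfPossible", true);

    // One guard instance is shared by the connector and the security MBean.
    KarafMBeanServerGuard guard = new KarafMBeanServerGuard();
    guard.setConfigAdmin(configurationAdmin);

    rmiRegistryFactory = new RmiRegistryFactory();
    rmiRegistryFactory.setCreate(createRmiRegistry);
    rmiRegistryFactory.setLocate(locateRmiRegistry);
    rmiRegistryFactory.setHost(rmiRegistryHost);
    rmiRegistryFactory.setPort(rmiRegistryPort);
    rmiRegistryFactory.setBundleContext(bundleContext);
    rmiRegistryFactory.init();

    mbeanServerFactory = new MBeanServerFactory();
    mbeanServerFactory.setLocateExistingServerIfPossible(locateExistingMBeanServerIfPossible);
    mbeanServerFactory.init();
    MBeanServer mbeanServer = mbeanServerFactory.getServer();

    JaasAuthenticator jaasAuthenticator = new JaasAuthenticator();
    jaasAuthenticator.setRealm(jmxRealm);

    connectorServerFactory = new ConnectorServerFactory();
    connectorServerFactory.setServer(mbeanServer);
    connectorServerFactory.setServiceUrl(serviceUrl);
    connectorServerFactory.setGuard(guard);
    connectorServerFactory.setRmiServerHost(rmiServerHost);
    connectorServerFactory.setDaemon(daemon);
    connectorServerFactory.setThreaded(threaded);
    connectorServerFactory.setObjectName(objectName);

    // "jmx.remote.authenticator" is the standard JMX connector-server environment key
    // for the JMXAuthenticator that checks remote credentials.
    Map<String, Object> environment = new HashMap<>();
    environment.put("jmx.remote.authenticator", jaasAuthenticator);
    try {
        connectorServerFactory.setEnvironment(environment);
        connectorServerFactory.setKeyStoreAvailabilityTimeout(keyStoreAvailabilityTimeout);
        connectorServerFactory.setAuthenticatorType(authenticatorType);
        connectorServerFactory.setSecured(secured);
        connectorServerFactory.setAlgorithm(secureAlgorithm);
        connectorServerFactory.setSecureProtocol(secureProtocol);
        connectorServerFactory.setKeyStore(keyStore);
        connectorServerFactory.setKeyAlias(keyAlias);
        connectorServerFactory.setTrustStore(trustStore);
        connectorServerFactory.setKeystoreManager(keystoreManager);
        connectorServerFactory.init();
    } catch (Exception e) {
        // Startup deliberately continues: the security MBean and the MBeanServer service are
        // still registered below. Pass the exception itself so the cause and stack trace
        // reach the log instead of only the message text.
        LOG.error("Can't init JMXConnectorServer: " + e.getMessage(), e);
    }

    JMXSecurityMBeanImpl securityMBean = new JMXSecurityMBeanImpl();
    securityMBean.setMBeanServer(mbeanServer);
    securityMBean.setGuard(guard);
    registerMBean(securityMBean, "type=security,area=jmx");
    register(MBeanServer.class, mbeanServer);

    // Re-initialise the connector when keystores appear or disappear; only done when secured is true.
    keystoreInstanceServiceTracker = new ServiceTracker<>(bundleContext, KeystoreInstance.class, new ServiceTrackerCustomizer<KeystoreInstance, KeystoreInstance>() {

        @Override
        public KeystoreInstance addingService(ServiceReference<KeystoreInstance> reference) {
            if (secured) {
                try {
                    connectorServerFactory.init();
                } catch (Exception e) {
                    LOG.error("Can't re-init JMXConnectorServer with SSL enabled when register a keystore:" + e.getMessage(), e);
                }
            }
            // NOTE(review): returning null tells a ServiceTracker not to track the service,
            // and removedService is only invoked for tracked services - confirm that the
            // re-init in removedService below is actually reachable.
            return null;
        }

        @Override
        public void modifiedService(ServiceReference<KeystoreInstance> reference, KeystoreInstance service) {
            // Nothing to do when a keystore service is modified.
        }

        @Override
        public void removedService(ServiceReference<KeystoreInstance> reference, KeystoreInstance service) {
            if (secured) {
                try {
                    connectorServerFactory.init();
                } catch (Exception e) {
                    LOG.error("Can't re-init JMXConnectorServer with SSL enabled when unregister a keystore: " + e.getMessage(), e);
                }
            }
        }
    });
    keystoreInstanceServiceTracker.open();
}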
Also used : KeystoreManager(org.apache.karaf.jaas.config.KeystoreManager) KarafMBeanServerGuard(org.apache.karaf.management.KarafMBeanServerGuard) HashMap(java.util.HashMap) ServiceTrackerCustomizer(org.osgi.util.tracker.ServiceTrackerCustomizer) ConnectorServerFactory(org.apache.karaf.management.ConnectorServerFactory) ObjectName(javax.management.ObjectName) ServiceReference(org.osgi.framework.ServiceReference) RmiRegistryFactory(org.apache.karaf.management.RmiRegistryFactory) JaasAuthenticator(org.apache.karaf.management.JaasAuthenticator) ConfigurationAdmin(org.osgi.service.cm.ConfigurationAdmin) KeystoreInstance(org.apache.karaf.jaas.config.KeystoreInstance) MBeanServerFactory(org.apache.karaf.management.MBeanServerFactory) MBeanServer(javax.management.MBeanServer)

Example 2 with KarafMBeanServerGuard

use of org.apache.karaf.management.KarafMBeanServerGuard in project karaf by apache.

the class JMXSecurityMBeanImplTestCase method testCanInvokeBulk.

/**
 * Exercises the bulk {@code canInvoke(Map)} query of {@code JMXSecurityMBeanImpl} against a
 * mocked {@code KarafMBeanServerGuard}.
 *
 * <p>The guard is scripted to allow {@code testMethod(long)} and {@code otherMethod}, to
 * deny {@code testMethod(java.lang.String)}, to allow one MBean as a whole and to deny
 * another. The test then checks that every (ObjectName, Method) row of the result carries
 * the guard's answer, so an allowed overload never masks a denied one. An MBean queried
 * with an empty method list is expected to yield a single row whose Method is "".
 */
public void testCanInvokeBulk() throws Exception {
    final String someMBean = "foo.bar.testing:type=SomeMBean";
    final String allowedMBean = "foo.bar.testing:type=SomeOtherMBean";
    final String deniedMBean = "foo.bar.foo.testing:type=SomeOtherMBean";
    final String[] longSignature = { "long" };
    final String[] stringSignature = { "java.lang.String" };

    // The MBean server is never expected to be called.
    MBeanServer server = EasyMock.createMock(MBeanServer.class);
    EasyMock.replay(server);

    // No ACL and no whitelist configurations exist.
    ConfigurationAdmin configAdmin = EasyMock.createMock(ConfigurationAdmin.class);
    EasyMock.expect(configAdmin.listConfigurations(EasyMock.eq("(service.pid=jmx.acl*)"))).andReturn(new Configuration[0]).anyTimes();
    EasyMock.expect(configAdmin.listConfigurations(EasyMock.eq("(service.pid=jmx.acl.whitelist)"))).andReturn(new Configuration[0]).once();
    EasyMock.replay(configAdmin);

    // Script the guard's decisions; the expectation order is kept as recorded originally.
    KarafMBeanServerGuard scriptedGuard = EasyMock.createMock(KarafMBeanServerGuard.class);
    EasyMock.expect(scriptedGuard.getConfigAdmin()).andReturn(configAdmin).anyTimes();
    EasyMock.expect(scriptedGuard.canInvoke(EasyMock.anyObject(BulkRequestContext.class), EasyMock.eq(server), EasyMock.eq(new ObjectName(someMBean)), EasyMock.eq("testMethod"), EasyMock.aryEq(longSignature))).andReturn(true).anyTimes();
    EasyMock.expect(scriptedGuard.canInvoke(EasyMock.anyObject(BulkRequestContext.class), EasyMock.eq(server), EasyMock.eq(new ObjectName(someMBean)), EasyMock.eq("testMethod"), EasyMock.aryEq(stringSignature))).andReturn(false).anyTimes();
    EasyMock.expect(scriptedGuard.canInvoke(EasyMock.anyObject(BulkRequestContext.class), EasyMock.eq(server), EasyMock.eq(new ObjectName(someMBean)), EasyMock.eq("otherMethod"))).andReturn(true).anyTimes();
    EasyMock.expect(scriptedGuard.canInvoke(EasyMock.anyObject(BulkRequestContext.class), EasyMock.eq(server), EasyMock.eq(new ObjectName(allowedMBean)))).andReturn(true).anyTimes();
    EasyMock.expect(scriptedGuard.canInvoke(EasyMock.anyObject(BulkRequestContext.class), EasyMock.eq(server), EasyMock.eq(new ObjectName(deniedMBean)))).andReturn(false).anyTimes();
    EasyMock.replay(scriptedGuard);

    JMXSecurityMBeanImpl securityMBean = new JMXSecurityMBeanImpl();
    securityMBean.setMBeanServer(server);
    securityMBean.setGuard(scriptedGuard);

    Map<String, List<String>> bulkQuery = new HashMap<>();
    bulkQuery.put(someMBean, Arrays.asList("otherMethod", "testMethod(long)", "testMethod(java.lang.String)"));
    bulkQuery.put(allowedMBean, Collections.emptyList());
    bulkQuery.put(deniedMBean, Collections.emptyList());

    TabularData answer = securityMBean.canInvoke(bulkQuery);
    assertEquals(5, answer.size());

    // Expected rows: { ObjectName, Method, CanInvoke }, checked in the original order.
    Object[][] expectedRows = {
        { someMBean, "testMethod(long)", true },
        { someMBean, "testMethod(java.lang.String)", false },
        { someMBean, "otherMethod", true },
        { allowedMBean, "", true },
        { deniedMBean, "", false },
    };
    for (Object[] expected : expectedRows) {
        CompositeData row = answer.get(new Object[] { expected[0], expected[1] });
        assertEquals(expected[0], row.get("ObjectName"));
        assertEquals(expected[1], row.get("Method"));
        assertEquals(expected[2], row.get("CanInvoke"));
    }
}
Also used : Configuration(org.osgi.service.cm.Configuration) KarafMBeanServerGuard(org.apache.karaf.management.KarafMBeanServerGuard) CompositeData(javax.management.openmbean.CompositeData) ObjectName(javax.management.ObjectName) TabularData(javax.management.openmbean.TabularData) ConfigurationAdmin(org.osgi.service.cm.ConfigurationAdmin) MBeanServer(javax.management.MBeanServer)

Example 3 with KarafMBeanServerGuard

use of org.apache.karaf.management.KarafMBeanServerGuard in project karaf by apache.

the class JMXSecurityMBeanImplTestCase method testCanInvokeMethodException.

/**
 * Checks that an {@code IOException} thrown by the guard while evaluating a method-level
 * {@code canInvoke} reaches the caller of {@code JMXSecurityMBeanImpl.canInvoke}: the test
 * fails if the call returns normally, so a guard failure cannot be reported as a decision.
 */
public void testCanInvokeMethodException() throws Exception {
    try {
        final String beanName = "foo.bar.testing:type=SomeMBean";
        final String[] emptySignature = new String[0];

        MBeanServer server = EasyMock.createMock(MBeanServer.class);
        EasyMock.replay(server);

        // The guard fails with an I/O error instead of answering.
        KarafMBeanServerGuard failingGuard = EasyMock.createMock(KarafMBeanServerGuard.class);
        EasyMock.expect(failingGuard.canInvoke(null, server, new ObjectName(beanName), "testMethod", emptySignature)).andThrow(new IOException());
        EasyMock.replay(failingGuard);

        JMXSecurityMBeanImpl securityMBean = new JMXSecurityMBeanImpl();
        securityMBean.setMBeanServer(server);
        securityMBean.setGuard(failingGuard);

        securityMBean.canInvoke(beanName, "testMethod", emptySignature);
        fail("Should have thrown an exception");
    } catch (IOException expected) {
        // expected: the guard's IOException was propagated
    }
}
Also used : KarafMBeanServerGuard(org.apache.karaf.management.KarafMBeanServerGuard) IOException(java.io.IOException) MBeanServer(javax.management.MBeanServer) ObjectName(javax.management.ObjectName)

Example 4 with KarafMBeanServerGuard

use of org.apache.karaf.management.KarafMBeanServerGuard in project karaf by apache.

the class JMXSecurityMBeanImplTestCase method testCanInvokeBulkCacheConfigAdmin.

/**
 * Runs a bulk {@code canInvoke(Map)} query through a real {@code KarafMBeanServerGuard}
 * whose {@code ConfigurationAdmin} is mocked.
 *
 * <p>Two MBeans in the same {@code foo.bar.testing} domain are queried. Every
 * {@code ConfigurationAdmin} and {@code Configuration} expectation is recorded with
 * {@code once()} and verified at the end, so the test also fails if the ACL
 * configurations are fetched more than once for the whole bulk request.
 */
public void testCanInvokeBulkCacheConfigAdmin() throws Exception {
    final String firstMBean = "foo.bar.testing:type=SomeMBean";
    final String secondMBean = "foo.bar.testing:type=SomeOtherMBean";

    MBeanServer server = EasyMock.createMock(MBeanServer.class);
    EasyMock.replay(server);

    // ACL configuration whose PID contains a wildcard segment; only its PID is read.
    Configuration wildcardAcl = EasyMock.createMock(Configuration.class);
    EasyMock.expect(wildcardAcl.getPid()).andReturn("jmx.acl.foo._.testing").once();
    EasyMock.replay(wildcardAcl);

    // ACL entries for foo.bar.testing; the '*' role value avoids having to mock JAAS.
    Dictionary<String, Object> aclEntries = new Hashtable<>();
    aclEntries.put("testMethod(java.lang.String)", "*");
    aclEntries.put("testMethod(long)", "*");
    Configuration exactAcl = EasyMock.createMock(Configuration.class);
    EasyMock.expect(exactAcl.getPid()).andReturn("jmx.acl.foo.bar.testing").once();
    EasyMock.expect(exactAcl.getProperties()).andReturn(aclEntries).once();
    EasyMock.replay(exactAcl);

    ConfigurationAdmin configAdmin = EasyMock.createMock(ConfigurationAdmin.class);
    EasyMock.expect(configAdmin.listConfigurations(EasyMock.eq("(service.pid=jmx.acl*)"))).andReturn(new Configuration[] { wildcardAcl, exactAcl }).once();
    EasyMock.expect(configAdmin.listConfigurations(EasyMock.eq("(service.pid=jmx.acl.whitelist)"))).andReturn(new Configuration[0]).once();
    EasyMock.expect(configAdmin.getConfiguration(EasyMock.eq("jmx.acl.foo.bar.testing"), EasyMock.isNull(String.class))).andReturn(exactAcl).once();
    EasyMock.replay(configAdmin);

    KarafMBeanServerGuard realGuard = new KarafMBeanServerGuard();
    realGuard.setConfigAdmin(configAdmin);

    JMXSecurityMBeanImpl securityMBean = new JMXSecurityMBeanImpl();
    securityMBean.setMBeanServer(server);
    securityMBean.setGuard(realGuard);

    Map<String, List<String>> bulkQuery = new HashMap<>();
    bulkQuery.put(firstMBean, Collections.singletonList("testMethod(java.lang.String)"));
    bulkQuery.put(secondMBean, Collections.singletonList("testMethod(long)"));

    TabularData answer = securityMBean.canInvoke(bulkQuery);
    assertEquals(2, answer.size());

    // Expected rows: { ObjectName, Method, CanInvoke }, checked in the original order.
    Object[][] expectedRows = {
        { firstMBean, "testMethod(java.lang.String)", true },
        { secondMBean, "testMethod(long)", true },
    };
    for (Object[] expected : expectedRows) {
        CompositeData row = answer.get(new Object[] { expected[0], expected[1] });
        assertEquals(expected[0], row.get("ObjectName"));
        assertEquals(expected[1], row.get("Method"));
        assertEquals(expected[2], row.get("CanInvoke"));
    }

    EasyMock.verify(configAdmin, wildcardAcl, exactAcl);
}
Also used : Configuration(org.osgi.service.cm.Configuration) KarafMBeanServerGuard(org.apache.karaf.management.KarafMBeanServerGuard) CompositeData(javax.management.openmbean.CompositeData) TabularData(javax.management.openmbean.TabularData) ConfigurationAdmin(org.osgi.service.cm.ConfigurationAdmin) MBeanServer(javax.management.MBeanServer)

Example 5 with KarafMBeanServerGuard

use of org.apache.karaf.management.KarafMBeanServerGuard in project karaf by apache.

the class JMXSecurityMBeanImplTestCase method testCanInvokeMBean2.

/**
 * Checks the MBean-level {@code canInvoke(String)} query: when the guard denies the MBean,
 * {@code JMXSecurityMBeanImpl} must report {@code false}.
 */
public void testCanInvokeMBean2() throws Exception {
    final String beanName = "foo.bar.testing:type=SomeMBean";

    MBeanServer server = EasyMock.createMock(MBeanServer.class);
    EasyMock.replay(server);

    // The guard denies the MBean; the request context is expected to be null.
    KarafMBeanServerGuard denyingGuard = EasyMock.createMock(KarafMBeanServerGuard.class);
    ObjectName target = new ObjectName(beanName);
    EasyMock.expect(denyingGuard.canInvoke(null, server, target)).andReturn(false);
    EasyMock.replay(denyingGuard);

    JMXSecurityMBeanImpl securityMBean = new JMXSecurityMBeanImpl();
    securityMBean.setMBeanServer(server);
    securityMBean.setGuard(denyingGuard);

    boolean allowed = securityMBean.canInvoke(beanName);
    assertFalse(allowed);
}
Also used : KarafMBeanServerGuard(org.apache.karaf.management.KarafMBeanServerGuard) MBeanServer(javax.management.MBeanServer) ObjectName(javax.management.ObjectName)

Aggregations

MBeanServer (javax.management.MBeanServer)9 KarafMBeanServerGuard (org.apache.karaf.management.KarafMBeanServerGuard)9 ObjectName (javax.management.ObjectName)8 ConfigurationAdmin (org.osgi.service.cm.ConfigurationAdmin)4 CompositeData (javax.management.openmbean.CompositeData)3 TabularData (javax.management.openmbean.TabularData)3 Configuration (org.osgi.service.cm.Configuration)3 IOException (java.io.IOException)2 HashMap (java.util.HashMap)1 KeystoreInstance (org.apache.karaf.jaas.config.KeystoreInstance)1 KeystoreManager (org.apache.karaf.jaas.config.KeystoreManager)1 ConnectorServerFactory (org.apache.karaf.management.ConnectorServerFactory)1 JaasAuthenticator (org.apache.karaf.management.JaasAuthenticator)1 MBeanServerFactory (org.apache.karaf.management.MBeanServerFactory)1 RmiRegistryFactory (org.apache.karaf.management.RmiRegistryFactory)1 ServiceReference (org.osgi.framework.ServiceReference)1 ServiceTrackerCustomizer (org.osgi.util.tracker.ServiceTrackerCustomizer)1