
Example 1 with GlobalAuthorizationConfiguration

use of org.infinispan.configuration.global.GlobalAuthorizationConfiguration in project infinispan by infinispan.

the class Authorizer method computeSubjectACL.

/**
 * Resolves the set of roles held by {@code subject} and folds the permissions of the
 * applicable global roles into a single permission bitmask for the resource described
 * by {@code configuration}.
 *
 * <p>Roles are obtained by passing every principal of the subject through the global
 * {@link PrincipalRoleMapper}. A mapped role name that has no matching global role
 * definition contributes nothing to the mask. When {@code configuration} is
 * {@code null} every global role the subject holds is considered; when the resource
 * declares no roles of its own, only the inheritable global roles count; otherwise
 * only the roles the resource explicitly lists are considered.
 *
 * @param subject       the authenticated subject whose principals are mapped to roles
 * @param configuration the per-resource authorization configuration, or {@code null}
 *                      when the check is not scoped to a particular resource
 * @return the roles the subject holds together with the resulting permission mask
 */
private SubjectACL computeSubjectACL(Subject subject, AuthorizationConfiguration configuration) {
    GlobalAuthorizationConfiguration globalAuthz = globalConfiguration.authorization();
    PrincipalRoleMapper mapper = globalAuthz.principalRoleMapper();
    Set<Principal> principals = subject.getPrincipals();
    Set<String> mappedRoles = new HashSet<>(principals.size());
    // A single principal may map to several roles; a mapper may also answer null for a principal
    for (Principal principal : principals) {
        Set<String> rolesForPrincipal = mapper.principalToRoles(principal);
        if (rolesForPrincipal == null) {
            continue;
        }
        mappedRoles.addAll(rolesForPrincipal);
    }
    // A resource that declares no roles of its own falls back to the inheritable global roles
    boolean inheritableOnly = configuration != null && configuration.roles().isEmpty();
    int mask = 0;
    for (String roleName : mappedRoles) {
        boolean candidate = configuration == null
                || inheritableOnly
                || configuration.roles().contains(roleName);
        if (!candidate) {
            continue;
        }
        Role globalRole = globalAuthz.getRole(roleName);
        if (globalRole == null) {
            // mapped role name with no global definition: grants nothing
            continue;
        }
        if (inheritableOnly && !globalRole.isInheritable()) {
            continue;
        }
        mask |= globalRole.getMask();
    }
    if (log.isTraceEnabled()) {
        log.tracef("Subject '%s' has roles '%s' and permission mask %d", subject, mappedRoles, mask);
    }
    return new SubjectACL(mappedRoles, mask);
}

Example 2 with GlobalAuthorizationConfiguration

use of org.infinispan.configuration.global.GlobalAuthorizationConfiguration in project infinispan by infinispan.

the class DefaultCacheManager method initializeSecurity.

/**
 * Wires the cache manager into the global authorization mappers when authorization
 * is enabled.
 *
 * <p>If authorization is enabled but no {@code SecurityManager} is installed, the
 * {@code CONFIG.authorizationEnabledWithoutSecurityManager()} callback is invoked
 * (presumably a logged warning; verify in the CONFIG logger). Note that
 * {@code System.getSecurityManager()} is deprecated for removal in recent JDKs,
 * so this check may need revisiting. The mapper context is only set when
 * authorization is enabled; with authorization disabled this method does nothing.
 *
 * @param globalConfiguration the global configuration whose security section is read
 */
private void initializeSecurity(GlobalConfiguration globalConfiguration) {
    GlobalAuthorizationConfiguration authz = globalConfiguration.security().authorization();
    if (!authz.enabled()) {
        return;
    }
    if (System.getSecurityManager() == null) {
        CONFIG.authorizationEnabledWithoutSecurityManager();
    }
    // Both mappers receive the same context, bound to this cache manager
    AuthorizationMapperContextImpl mapperContext = new AuthorizationMapperContextImpl(this);
    authz.principalRoleMapper().setContext(mapperContext);
    authz.rolePermissionMapper().setContext(mapperContext);
}

Example 3 with GlobalAuthorizationConfiguration

use of org.infinispan.configuration.global.GlobalAuthorizationConfiguration in project infinispan by infinispan.

the class AuthorizationConfigurationBuilder method validate.

/**
 * Validates this cache-level authorization configuration against the global one.
 *
 * <p>Two conditions are enforced: cache-level authorization may only be enabled when
 * global authorization is enabled, and every role the cache references must be
 * defined globally. Roles are checked against {@code authorization.hasRole}; all
 * missing roles are collected before failing so the error reports the full set.
 *
 * @param globalConfig the global configuration providing the authorization settings
 * @throws org.infinispan.commons.CacheConfigurationException (via {@code CONFIG})
 *         when cache authorization is enabled without global authorization, or
 *         when one or more referenced roles are not defined globally
 */
@Override
public void validate(GlobalConfiguration globalConfig) {
    GlobalAuthorizationConfiguration globalAuthz = globalConfig.security().authorization();
    boolean cacheAuthzEnabled = attributes.attribute(ENABLED).get();
    if (cacheAuthzEnabled && !globalAuthz.enabled()) {
        throw CONFIG.globalSecurityAuthShouldBeEnabled();
    }
    Set<String> referencedRoles = attributes.attribute(ROLES).get();
    // Start from every referenced role and keep only those the global configuration does not know
    Set<String> undefinedRoles = new HashSet<>(referencedRoles);
    undefinedRoles.removeIf(globalAuthz::hasRole);
    if (!undefinedRoles.isEmpty()) {
        throw CONFIG.noSuchGlobalRoles(undefinedRoles);
    }
}

Example 4 with GlobalAuthorizationConfiguration

use of org.infinispan.configuration.global.GlobalAuthorizationConfiguration in project infinispan by infinispan.

the class CoreConfigurationSerializer method writeSecurity.

/**
 * Serializes the global {@code <security><authorization>} section.
 *
 * <p>Nothing is written unless the authorization attributes were modified and
 * authorization is enabled. Inside the section the audit logger attribute is written
 * first, then the principal-role mapper: the three built-in mappers are emitted as
 * empty marker elements, any other mapper as a custom-mapper element carrying its
 * class name, and a {@code null} mapper is skipped. The role map is written only
 * when the roles differ from the defaults ({@code isDefaultRoles() == false}).
 *
 * @param writer        the configuration writer receiving the elements
 * @param configuration the global configuration whose security section is written
 */
private void writeSecurity(ConfigurationWriter writer, GlobalConfiguration configuration) {
    GlobalAuthorizationConfiguration authz = configuration.security().authorization();
    AttributeSet authzAttributes = authz.attributes();
    if (!authzAttributes.isModified() || !authz.enabled()) {
        return;
    }
    writer.writeStartElement(Element.SECURITY);
    writer.writeStartElement(Element.AUTHORIZATION);
    authzAttributes.write(writer, GlobalAuthorizationConfiguration.AUDIT_LOGGER, Attribute.AUDIT_LOGGER);
    // instanceof is false for null, so an absent mapper produces no element at all
    PrincipalRoleMapper roleMapper = authz.principalRoleMapper();
    if (roleMapper instanceof IdentityRoleMapper) {
        writer.writeEmptyElement(Element.IDENTITY_ROLE_MAPPER);
    } else if (roleMapper instanceof CommonNameRoleMapper) {
        writer.writeEmptyElement(Element.COMMON_NAME_ROLE_MAPPER);
    } else if (roleMapper instanceof ClusterRoleMapper) {
        writer.writeEmptyElement(Element.CLUSTER_ROLE_MAPPER);
    } else if (roleMapper != null) {
        // Any other implementation is referenced by its fully qualified class name
        writer.writeStartElement(Element.CUSTOM_ROLE_MAPPER);
        writer.writeAttribute(Attribute.CLASS, roleMapper.getClass().getName());
        writer.writeEndElement();
    }
    if (!authz.isDefaultRoles()) {
        writer.writeStartMap(Element.ROLES);
        for (Role role : authz.roles().values()) {
            writer.writeMapItem(Element.ROLE, Attribute.NAME, role.getName());
            writeCollectionAsAttribute(writer, Attribute.PERMISSIONS, role.getPermissions());
            writer.writeEndMapItem();
        }
        writer.writeEndMap();
    }
    writer.writeEndElement(); // AUTHORIZATION
    writer.writeEndElement(); // SECURITY
}

Example 5 with GlobalAuthorizationConfiguration

use of org.infinispan.configuration.global.GlobalAuthorizationConfiguration in project infinispan by infinispan.

the class LifecycleCallbacks method getScriptCacheConfiguration.

/**
 * Builds the configuration for the script cache.
 *
 * <p>Key and value encoding are always set to {@code APPLICATION_OBJECT_TYPE}. When
 * global authorization is enabled the script cache is secured as well: the
 * script-manager default role is registered on the global authorization configuration
 * ({@code addRole} appears to mutate the global configuration in place — confirm),
 * cache-level authorization is enabled with every global role copied onto it, and the
 * {@code CreatePermissionConfigurationBuilder} module is attached to translate
 * permissions. With authorization disabled the cache is returned unsecured.
 *
 * @param globalConfiguration the global configuration whose authorization settings are consulted
 * @return a builder for the script cache configuration
 */
private ConfigurationBuilder getScriptCacheConfiguration(GlobalConfiguration globalConfiguration) {
    ConfigurationBuilder builder = new ConfigurationBuilder();
    builder.encoding().key().mediaType(APPLICATION_OBJECT_TYPE);
    builder.encoding().value().mediaType(APPLICATION_OBJECT_TYPE);
    GlobalAuthorizationConfiguration globalAuthz = globalConfiguration.security().authorization();
    if (!globalAuthz.enabled()) {
        return builder;
    }
    globalAuthz.addRole(GlobalAuthorizationConfiguration.DEFAULT_ROLES.get(SCRIPT_MANAGER_ROLE));
    AuthorizationConfigurationBuilder cacheAuthz = builder.security().authorization().enable();
    // Every global role (including the one just added) becomes a role of the script cache
    globalAuthz.roles().keySet().forEach(roleName -> cacheAuthz.role(roleName));
    // Module that translates permissions for this cache
    builder.addModule(CreatePermissionConfigurationBuilder.class);
    return builder;
}
