Example 1 with IdentityPrincipal
use of org.ow2.proactive.authentication.principals.IdentityPrincipal in project scheduling by ow2-proactive.
the class NodeSource method buildRMNode.
/**
* Builds a RMNode from a raw Node
* @param node the node object
* @param provider the client of the request
* @return the expected RMNode
*/
private RMNode buildRMNode(Node node, Client provider) {
// creating a node access permission
// it could be either PROVIDER/PROVIDER_GROUPS and in this case
// the provider principals will be taken or
// ME/MY_GROUPS (ns creator/ns creator groups) and in this case
// creator's principals will be used
Client permissionOwner = administrator;
if (nodeUserAccessType.equals(AccessType.PROVIDER) || nodeUserAccessType.equals(AccessType.PROVIDER_GROUPS)) {
permissionOwner = provider;
}
// now selecting the type (user or group) and construct the permission
Set<IdentityPrincipal> principals = (Set<IdentityPrincipal>) nodeUserAccessType.getIdentityPrincipals(permissionOwner);
boolean tokenInNode = false;
boolean tokenInNodeSource = nodeUserAccessType.getTokens() != null && nodeUserAccessType.getTokens().length > 0;
try {
String nodeAccessToken = node.getProperty(RMNodeStarter.NODE_ACCESS_TOKEN);
tokenInNode = nodeAccessToken != null && nodeAccessToken.length() > 0;
if (tokenInNode) {
logger.debug("Node " + node.getNodeInformation().getURL() + " is protected by access token " + nodeAccessToken);
// it overrides all other principals
principals.clear();
principals.add(new TokenPrincipal(nodeAccessToken));
}
} catch (Exception e) {
throw new AddingNodesException(e);
}
PrincipalPermission nodeAccessPermission = new PrincipalPermission(node.getNodeInformation().getURL(), principals);
RMNodeImpl rmnode = new RMNodeImpl(node, stub, provider, nodeAccessPermission);
rmnode.setProtectedByToken(tokenInNode || tokenInNodeSource);
return rmnode;
}
Also used :
PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission)
TokenPrincipal(org.ow2.proactive.authentication.principals.TokenPrincipal)
AddingNodesException(org.ow2.proactive.resourcemanager.exception.AddingNodesException)
Client(org.ow2.proactive.resourcemanager.authentication.Client)
IdentityPrincipal(org.ow2.proactive.authentication.principals.IdentityPrincipal)
RMNodeImpl(org.ow2.proactive.resourcemanager.rmnode.RMNodeImpl)
RMException(org.ow2.proactive.resourcemanager.exception.RMException)
AddingNodesException(org.ow2.proactive.resourcemanager.exception.AddingNodesException)
Example 2 with IdentityPrincipal
use of org.ow2.proactive.authentication.principals.IdentityPrincipal in project scheduling by ow2-proactive.
the class RMCore method releaseNodes.
/**
* {@inheritDoc}
*/
public BooleanWrapper releaseNodes(NodeSet nodes) {
if (nodes.getExtraNodes() != null) {
// do not forget to release extra nodes
nodes.addAll(nodes.getExtraNodes());
}
// exception to throw in case of problems
RuntimeException exception = null;
NodeSet nodesReleased = new NodeSet();
NodeSet nodesFailedToRelease = new NodeSet();
for (Node node : nodes) {
String nodeURL = null;
try {
nodeURL = node.getNodeInformation().getURL();
logger.debug("Releasing node " + nodeURL);
} catch (RuntimeException e) {
logger.debug("A Runtime exception occurred while obtaining information on the node," + "the node must be down (it will be detected later)", e);
// node is down, will be detected by pinger
exception = new IllegalStateException(e.getMessage(), e);
nodesFailedToRelease.add(node);
}
// verify whether the node has not been removed from the RM
if (this.allNodes.containsKey(nodeURL)) {
RMNode rmnode = this.getNodebyUrl(nodeURL);
// free
if (rmnode.isFree()) {
logger.warn("Client " + caller + " tries to release the already free node " + nodeURL);
nodesFailedToRelease.add(node);
} else if (rmnode.isDown()) {
logger.warn("Node was down, it cannot be released");
nodesFailedToRelease.add(node);
} else {
Set<? extends IdentityPrincipal> userPrincipal = rmnode.getOwner().getSubject().getPrincipals(UserNamePrincipal.class);
Permission ownerPermission = new PrincipalPermission(rmnode.getOwner().getName(), userPrincipal);
try {
caller.checkPermission(ownerPermission, caller + " is not authorized to free node " + node.getNodeInformation().getURL(), new RMCoreAllPermission(), new NodeUserAllPermission(), new NSAdminPermission());
if (rmnode.isToRemove()) {
removeNodeFromCoreAndSource(rmnode, caller);
nodesReleased.add(node);
if (delayedNodeSourceRemovalEvents.containsKey(rmnode.getNodeSourceName()) && nodeSourceCanBeRemoved(rmnode.getNodeSourceName())) {
logger.debug(NODE_SOURCE_STRING + rmnode.getNodeSourceName() + " is eligible to remove.");
final Entry<RMNodeSourceEvent, NodeSource> remove = delayedNodeSourceRemovalEvents.remove(rmnode.getNodeSourceName());
final RMNodeSourceEvent removedEvent = remove.getKey();
final NodeSource nodeSource = remove.getValue();
logger.info(NODE_SOURCE_STRING + rmnode.getNodeSourceName() + HAS_BEEN_SUCCESSFULLY + removedEvent.getEventType().getDescription());
this.monitoring.nodeSourceEvent(removedEvent);
nodeSource.shutdown(this.caller);
} else if (delayedNodeSourceUndeploying.containsKey(rmnode.getNodeSourceName()) && nodeSourceCanBeRemoved(rmnode.getNodeSourceName())) {
logger.debug(NODE_SOURCE_STRING + rmnode.getNodeSourceName() + " is eligible to undeploy.");
final NodeSource nodeSource = delayedNodeSourceUndeploying.remove(rmnode.getNodeSourceName());
logger.info(NODE_SOURCE_STRING + rmnode.getNodeSourceName() + HAS_BEEN_SUCCESSFULLY + "undeployed.");
nodeSource.shutdown(this.caller);
}
} else {
internalSetFree(rmnode);
nodesReleased.add(node);
}
} catch (SecurityException ex) {
logger.error(ex.getMessage(), ex);
nodesFailedToRelease.add(node);
exception = ex;
}
}
} else {
logger.warn("Cannot release unknown node " + nodeURL);
nodesFailedToRelease.add(node);
exception = new IllegalArgumentException("Cannot release unknown node " + nodeURL);
}
}
logger.info("Nodes released : " + nodesReleased);
if (!nodesFailedToRelease.isEmpty()) {
logger.warn("Nodes failed to release : " + nodesFailedToRelease);
}
if (exception != null) {
// throwing the latest exception we had
throw exception;
}
return new BooleanWrapper(true);
}
Also used :
NodeSet(org.ow2.proactive.utils.NodeSet)
RMNodeSourceEvent(org.ow2.proactive.resourcemanager.common.event.RMNodeSourceEvent)
NodeSet(org.ow2.proactive.utils.NodeSet)
Set(java.util.Set)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
RMDeployingNode(org.ow2.proactive.resourcemanager.rmnode.RMDeployingNode)
Node(org.objectweb.proactive.core.node.Node)
RMNode(org.ow2.proactive.resourcemanager.rmnode.RMNode)
PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission)
NodeUserAllPermission(org.ow2.proactive.permissions.NodeUserAllPermission)
UserNamePrincipal(org.ow2.proactive.authentication.principals.UserNamePrincipal)
RMCoreAllPermission(org.ow2.proactive.permissions.RMCoreAllPermission)
NSAdminPermission(org.ow2.proactive.permissions.NSAdminPermission)
NodeSource(org.ow2.proactive.resourcemanager.nodesource.NodeSource)
BooleanWrapper(org.objectweb.proactive.core.util.wrapper.BooleanWrapper)
RMNode(org.ow2.proactive.resourcemanager.rmnode.RMNode)
Entry(java.util.Map.Entry)
Permission(java.security.Permission)
NSAdminPermission(org.ow2.proactive.permissions.NSAdminPermission)
NodeUserAllPermission(org.ow2.proactive.permissions.NodeUserAllPermission)
MethodCallPermission(org.ow2.proactive.permissions.MethodCallPermission)
RMCoreAllPermission(org.ow2.proactive.permissions.RMCoreAllPermission)
PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission)
IdentityPrincipal(org.ow2.proactive.authentication.principals.IdentityPrincipal)
Example 3 with IdentityPrincipal
use of org.ow2.proactive.authentication.principals.IdentityPrincipal in project scheduling by ow2-proactive.
the class ClientsPolicy method getPermissions.
@Override
public PermissionCollection getPermissions(final ProtectionDomain domain) {
try {
readLock.lock();
PermissionCollection permissions = new Permissions();
// Look up permissions
Principal[] principals = domain.getPrincipals();
boolean identityPrincipal = false;
if (principals != null) {
for (Principal principal : principals) {
if (principal instanceof IdentityPrincipal) {
identityPrincipal = true;
PermissionCollection pc = original.getPermissions(domain);
if (pc != null) {
Permission permission = new PrincipalPermission((IdentityPrincipal) principal);
// always adding identity permission
permissions.add(permission);
if (debug) {
// WARNING cannot use log4j as it may lead to recursive permission check
System.out.println(principal + " has " + permission);
}
for (Enumeration<Permission> en = pc.elements(); en.hasMoreElements(); ) {
permission = en.nextElement();
// boot class path, so they were not correctly resolved at JVM start up time
if (permission instanceof UnresolvedPermission) {
permission = resolvePermission((UnresolvedPermission) permission);
if (permission == null)
continue;
}
// For IdentityPrincipal org.ow2.proactive.permissions.AllPermissions must be used
if (!permission.getClass().isAssignableFrom(AllPermission.class)) {
if (debug) {
// WARNING cannot use log4j as it may lead to recursive permission check
System.out.println(principal + " has " + permission);
}
permissions.add(permission);
}
}
}
}
}
}
if (!identityPrincipal) {
return original.getPermissions(domain);
}
return permissions;
} finally {
readLock.unlock();
}
}
Also used :
UnresolvedPermission(java.security.UnresolvedPermission)
PermissionCollection(java.security.PermissionCollection)
UnresolvedPermission(java.security.UnresolvedPermission)
MBeanPermission(javax.management.MBeanPermission)
AllPermission(java.security.AllPermission)
Permission(java.security.Permission)
ClientPermission(org.ow2.proactive.permissions.ClientPermission)
PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission)
AuthPermission(javax.security.auth.AuthPermission)
PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission)
AllPermission(java.security.AllPermission)
IdentityPrincipal(org.ow2.proactive.authentication.principals.IdentityPrincipal)
IdentityPrincipal(org.ow2.proactive.authentication.principals.IdentityPrincipal)
Principal(java.security.Principal)
Aggregations
IdentityPrincipal (org.ow2.proactive.authentication.principals.IdentityPrincipal)3
PrincipalPermission (org.ow2.proactive.permissions.PrincipalPermission)3
Permission (java.security.Permission)2
ImmutableSet (com.google.common.collect.ImmutableSet)1
AllPermission (java.security.AllPermission)1
PermissionCollection (java.security.PermissionCollection)1
Principal (java.security.Principal)1
UnresolvedPermission (java.security.UnresolvedPermission)1
HashSet (java.util.HashSet)1
Entry (java.util.Map.Entry)1
Set (java.util.Set)1
MBeanPermission (javax.management.MBeanPermission)1
AuthPermission (javax.security.auth.AuthPermission)1
Node (org.objectweb.proactive.core.node.Node)1
BooleanWrapper (org.objectweb.proactive.core.util.wrapper.BooleanWrapper)1
TokenPrincipal (org.ow2.proactive.authentication.principals.TokenPrincipal)1
UserNamePrincipal (org.ow2.proactive.authentication.principals.UserNamePrincipal)1
ClientPermission (org.ow2.proactive.permissions.ClientPermission)1
MethodCallPermission (org.ow2.proactive.permissions.MethodCallPermission)1
NSAdminPermission (org.ow2.proactive.permissions.NSAdminPermission)1
