
Example 1 with PermissionChecker

use of org.ow2.proactive.jmx.PermissionChecker in project scheduling by ow2-proactive.

From class RMNodeStarter, method registerInRM.

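/**
 * Tries to join the Resource Manager at the given URL with a specified timeout,
 * logs in with the provided credentials, optionally boots a JMX server exposing
 * Sigar beans for the local node, and adds every node of {@code nodes} to the
 * Resource Manager. Handles all errors/exceptions.
 * <p>
 * The JMX server is protected by a {@link PermissionChecker} that logs the JMX
 * client into the Resource Manager with the credentials it offers and, unless
 * {@code NB_OF_ADD_NODE_ATTEMPTS} is zero, additionally requires that client to
 * be an administrator of the first node of {@code nodes}. Every refusal is
 * reported as a {@link SecurityException}; the temporary RM session opened for
 * the check is always disconnected.
 *
 * @param credentials credentials used to log this starter into the Resource Manager
 * @param rmURL       URL of the Resource Manager to join
 * @param nodeName    name under which the Sigar JMX server is exposed
 * @param nodes       local nodes to register; the first one is also the node the
 *                    JMX permission check is evaluated against
 * @return the Resource Manager session the nodes were added with
 */
protected ResourceManager registerInRM(final Credentials credentials, final String rmURL, final String nodeName, final Collection<Node> nodes) {
    // final so the anonymous checker below can capture it directly (no alias needed)
    final RMAuthentication auth = joinResourceManager(rmURL);
    final ResourceManager rm = loginToResourceManager(credentials, auth);
    SigarExposer sigarExposer = null;
    if (disabledMonitoring) {
        logger.info("JMX monitoring is disabled.");
    } else {
        // initializing JMX server with Sigar beans
        sigarExposer = new SigarExposer(nodeName);
        sigarExposer.boot(auth, false, new PermissionChecker() {

            @Override
            public boolean checkPermission(Credentials cred) {
                // Named differently from the enclosing method's session: this one belongs
                // to the JMX client being checked and is closed in the finally block.
                ResourceManager checkerRm = null;
                try {
                    checkerRm = auth.login(cred);
                    // NOTE(review): a successful login is treated as sufficient when no add-node
                    // attempt is configured; presumably there is then no node to be admin of — confirm.
                    if (NB_OF_ADD_NODE_ATTEMPTS == 0) {
                        return true;
                    }
                    // Fail closed: without a node URL to check against, deny instead of
                    // letting a NoSuchElementException escape the authenticator.
                    if (nodes.isEmpty()) {
                        throw new SecurityException("Permission denied");
                    }
                    final String nodeUrl = nodes.iterator().next().getNodeInformation().getURL();
                    final boolean isAdmin = checkerRm.isNodeAdmin(nodeUrl).getBooleanValue();
                    if (!isAdmin) {
                        throw new SecurityException("Permission denied");
                    }
                    return true;
                } catch (LoginException e) {
                    throw new SecurityException(e);
                } finally {
                    if (checkerRm != null) {
                        checkerRm.disconnect();
                    }
                }
            }
        });
    }
    for (final Node node : nodes) {
        // sigarExposer is null when monitoring is disabled; nodeSetJmxUrl is expected to cope with that
        nodeSetJmxUrl(sigarExposer, node);
        addNodeToResourceManager(rmURL, node, rm);
    }
    return rm;
}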

Example 2 with PermissionChecker

use of org.ow2.proactive.jmx.PermissionChecker in project scheduling by ow2-proactive.

From class JMXAuthenticatorImpl, method authenticate.

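/**
 * This method is automatically called when a JMX client tries to connect to the MBean Server referred
 * by the connector.
 * <p>
 * The only allowed credentials structure provided by the client is an {@code Object[]} whose first two
 * elements are username/password (String/String) or
 * username/{@link org.ow2.proactive.authentication.crypto.Credentials}.
 * <p>
 * Every rejection — malformed payload, failed authentication or denied permission — is reported as a
 * {@link SecurityException} with a generic message, so the client learns nothing about which step failed.
 *
 * @param rawCredentials the credentials provided by the client
 * @return a subject with the username as JMXPrincipal and the role as pubCredentials {@link javax.security.auth.Subject}
 * @throws SecurityException if the payload is malformed, the credentials cannot be built or verified,
 *         or the configured {@code permissionChecker} denies access
 */
public Subject authenticate(final Object rawCredentials) {
    // If not an array of objects do not give any clues, just throw (instanceof is false for null too)
    if (!(rawCredentials instanceof Object[])) {
        throw new SecurityException("Invalid credentials");
    }
    final Object[] arr = (Object[]) rawCredentials;
    // Check the length before indexing: a short array must be refused like any other bad payload,
    // not escape as an ArrayIndexOutOfBoundsException.
    if (arr.length < 2 || arr[0] == null || arr[1] == null) {
        throw new SecurityException("Invalid credentials");
    }
    final String username = arr[0].toString();
    final Credentials internalCredentials;
    if (arr[1] instanceof Credentials) {
        // username/Credentials
        internalCredentials = (Credentials) arr[1];
    } else if (arr[1] instanceof String) {
        // username/password (ex: JConsole): build Credentials from the login and domain parsed out of
        // username, the clear-text password and the authentication's public key
        try {
            internalCredentials = Credentials.createCredentials(new CredData(CredData.parseLogin(username), CredData.parseDomain(username), (String) arr[1]), authentication.getPublicKey());
        } catch (Exception e) {
            throw new SecurityException("Invalid credentials", e);
        }
    } else {
        throw new SecurityException("Invalid credentials");
    }
    try {
        Subject s = this.authentication.authenticate(internalCredentials);
        // Authentication alone is not enough when a checker is configured: it must also grant access.
        if (permissionChecker != null && !permissionChecker.checkPermission(internalCredentials)) {
            throw new SecurityException("Permission denied");
        }
        return s;
    } catch (LoginException e) {
        // NOTE(review): the cause is not attached here, presumably so that its message is not
        // serialized back to the remote JMX client — confirm before changing.
        throw new SecurityException("Unable to authenticate " + username);
    }
}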
