Search in sources :

Example 1 with PrincipalPermission

use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.

the class SelectionManagerTest method createMockeNode.

public static RMNode createMockeNode(String nodeUser, String nodeName, String nodeUrl) {
    RMNode rmNode = mock(RMNode.class);
    NodeInformation mockedNodeInformation = mock(NodeInformation.class);
    Node node = mock(Node.class);
    when(mockedNodeInformation.getURL()).thenReturn(nodeUrl);
    when(mockedNodeInformation.getName()).thenReturn(nodeName);
    when(node.getNodeInformation()).thenReturn(mockedNodeInformation);
    when(rmNode.getNodeName()).thenReturn(nodeName);
    when(rmNode.getNodeSource()).thenReturn(new NodeSource());
    when(rmNode.getNode()).thenReturn(node);
    when(rmNode.getNodeURL()).thenReturn(nodeUrl);
    when(rmNode.getUserPermission()).thenReturn(new PrincipalPermission("permissions", singleton(new UserNamePrincipal(nodeUser))));
    return rmNode;
}
Also used : UserNamePrincipal(org.ow2.proactive.authentication.principals.UserNamePrincipal) NodeSource(org.ow2.proactive.resourcemanager.nodesource.NodeSource) RMNode(org.ow2.proactive.resourcemanager.rmnode.RMNode) NodeInformation(org.objectweb.proactive.core.node.NodeInformation) RMNode(org.ow2.proactive.resourcemanager.rmnode.RMNode) Node(org.objectweb.proactive.core.node.Node) PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission)

Example 2 with PrincipalPermission

use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.

the class NodeSource method buildRMNode.

/**
 * Builds a RMNode from a raw Node
 * @param node the node object
 * @param provider the client of the request
 * @return the expected RMNode
 */
private RMNode buildRMNode(Node node, Client provider) {
    // creating a node access permission
    // it could be either PROVIDER/PROVIDER_GROUPS and in this case
    // the provider principals will be taken or
    // ME/MY_GROUPS (ns creator/ns creator groups) and in this case
    // creator's principals will be used
    Client permissionOwner = administrator;
    if (nodeUserAccessType.equals(AccessType.PROVIDER) || nodeUserAccessType.equals(AccessType.PROVIDER_GROUPS)) {
        permissionOwner = provider;
    }
    // now selecting the type (user or group) and construct the permission
    Set<IdentityPrincipal> principals = (Set<IdentityPrincipal>) nodeUserAccessType.getIdentityPrincipals(permissionOwner);
    boolean tokenInNode = false;
    boolean tokenInNodeSource = nodeUserAccessType.getTokens() != null && nodeUserAccessType.getTokens().length > 0;
    try {
        String nodeAccessToken = node.getProperty(RMNodeStarter.NODE_ACCESS_TOKEN);
        tokenInNode = nodeAccessToken != null && nodeAccessToken.length() > 0;
        if (tokenInNode) {
            logger.debug("Node " + node.getNodeInformation().getURL() + " is protected by access token " + nodeAccessToken);
            // it overrides all other principals
            principals.clear();
            principals.add(new TokenPrincipal(nodeAccessToken));
        }
    } catch (Exception e) {
        throw new AddingNodesException(e);
    }
    PrincipalPermission nodeAccessPermission = new PrincipalPermission(node.getNodeInformation().getURL(), principals);
    RMNodeImpl rmnode = new RMNodeImpl(node, stub, provider, nodeAccessPermission);
    rmnode.setProtectedByToken(tokenInNode || tokenInNodeSource);
    return rmnode;
}
Also used : Set(java.util.Set) PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission) TokenPrincipal(org.ow2.proactive.authentication.principals.TokenPrincipal) AddingNodesException(org.ow2.proactive.resourcemanager.exception.AddingNodesException) Client(org.ow2.proactive.resourcemanager.authentication.Client) IdentityPrincipal(org.ow2.proactive.authentication.principals.IdentityPrincipal) RMNodeImpl(org.ow2.proactive.resourcemanager.rmnode.RMNodeImpl) AddingNodesException(org.ow2.proactive.resourcemanager.exception.AddingNodesException) RMException(org.ow2.proactive.resourcemanager.exception.RMException)

Example 3 with PrincipalPermission

use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.

the class SelectionManager method filterOut.

/**
 * Removes exclusion nodes and nodes not accessible for the client
 */
private List<RMNode> filterOut(List<RMNode> freeNodes, Criteria criteria, Client client) {
    NodeSet exclusion = criteria.getBlackList();
    Set<String> inclusion = criteria.getAcceptableNodesUrls();
    boolean nodeWithTokenRequested = criteria.getNodeAccessToken() != null && criteria.getNodeAccessToken().length() > 0;
    TokenPrincipal tokenPrincipal = null;
    if (nodeWithTokenRequested) {
        logger.debug("Node access token specified " + criteria.getNodeAccessToken());
        tokenPrincipal = new TokenPrincipal(criteria.getNodeAccessToken());
        client.getSubject().getPrincipals().add(tokenPrincipal);
    }
    List<RMNode> filteredList = new ArrayList<>();
    HashSet<Permission> clientPermissions = new HashSet<>();
    for (RMNode node : freeNodes) {
        // checking the permission
        try {
            if (!clientPermissions.contains(node.getUserPermission())) {
                client.checkPermission(node.getUserPermission(), client + " is not authorized to get the node " + node.getNodeURL() + " from " + node.getNodeSource().getName());
                clientPermissions.add(node.getUserPermission());
            }
        } catch (SecurityException e) {
            // client does not have an access to this node
            logger.debug(e.getMessage());
            continue;
        }
        // with other tokens but must also filter out nodes without tokens
        if (nodeWithTokenRequested && !node.isProtectedByToken()) {
            continue;
        }
        // we will avoid it here
        if (nodeWithTokenRequested) {
            PrincipalPermission perm = (PrincipalPermission) node.getUserPermission();
            // checking explicitly that node has this token identity
            if (!perm.hasPrincipal(tokenPrincipal)) {
                if (logger.isDebugEnabled()) {
                    logger.debug(client + " does not have required token to get the node " + node.getNodeURL() + " from " + node.getNodeSource().getName());
                }
                continue;
            }
        }
        if (!contains(exclusion, node) && ((inclusion != null) ? inclusion.contains(node.getNodeURL()) : true)) {
            filteredList.add(node);
        }
    }
    return filteredList;
}
Also used : NodeSet(org.ow2.proactive.utils.NodeSet) ArrayList(java.util.ArrayList) PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission) RMNode(org.ow2.proactive.resourcemanager.rmnode.RMNode) Permission(java.security.Permission) PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission) TokenPrincipal(org.ow2.proactive.authentication.principals.TokenPrincipal) HashSet(java.util.HashSet)

Example 4 with PrincipalPermission

use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.

the class RMCore method releaseNodes.

/**
 * {@inheritDoc}
 */
public BooleanWrapper releaseNodes(NodeSet nodes) {
    if (nodes.getExtraNodes() != null) {
        // do not forget to release extra nodes
        nodes.addAll(nodes.getExtraNodes());
    }
    // exception to throw in case of problems
    RuntimeException exception = null;
    NodeSet nodesReleased = new NodeSet();
    NodeSet nodesFailedToRelease = new NodeSet();
    for (Node node : nodes) {
        String nodeURL = null;
        try {
            nodeURL = node.getNodeInformation().getURL();
            logger.debug("Releasing node " + nodeURL);
        } catch (RuntimeException e) {
            logger.debug("A Runtime exception occurred while obtaining information on the node," + "the node must be down (it will be detected later)", e);
            // node is down, will be detected by pinger
            exception = new IllegalStateException(e.getMessage(), e);
            nodesFailedToRelease.add(node);
        }
        // verify whether the node has not been removed from the RM
        if (this.allNodes.containsKey(nodeURL)) {
            RMNode rmnode = this.getNodebyUrl(nodeURL);
            // free
            if (rmnode.isFree()) {
                logger.warn("Client " + caller + " tries to release the already free node " + nodeURL);
                nodesFailedToRelease.add(node);
            } else if (rmnode.isDown()) {
                logger.warn("Node was down, it cannot be released");
                nodesFailedToRelease.add(node);
            } else {
                Set<? extends IdentityPrincipal> userPrincipal = rmnode.getOwner().getSubject().getPrincipals(UserNamePrincipal.class);
                Permission ownerPermission = new PrincipalPermission(rmnode.getOwner().getName(), userPrincipal);
                try {
                    caller.checkPermission(ownerPermission, caller + " is not authorized to free node " + node.getNodeInformation().getURL());
                    if (rmnode.isToRemove()) {
                        removeNodeFromCoreAndSource(rmnode, caller);
                        nodesReleased.add(node);
                    } else {
                        internalSetFree(rmnode);
                        nodesReleased.add(node);
                    }
                } catch (SecurityException ex) {
                    logger.error(ex.getMessage(), ex);
                    nodesFailedToRelease.add(node);
                    exception = ex;
                }
            }
        } else {
            logger.warn("Cannot release unknown node " + nodeURL);
            nodesFailedToRelease.add(node);
            exception = new IllegalArgumentException("Cannot release unknown node " + nodeURL);
        }
    }
    logger.info("Nodes released : " + nodesReleased);
    if (!nodesFailedToRelease.isEmpty()) {
        logger.warn("Nodes failed to release : " + nodesFailedToRelease);
    }
    if (exception != null) {
        // throwing the latest exception we had
        throw exception;
    }
    return new BooleanWrapper(true);
}
Also used : NodeSet(org.ow2.proactive.utils.NodeSet) NodeSet(org.ow2.proactive.utils.NodeSet) Set(java.util.Set) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) RMDeployingNode(org.ow2.proactive.resourcemanager.rmnode.RMDeployingNode) Node(org.objectweb.proactive.core.node.Node) RMNode(org.ow2.proactive.resourcemanager.rmnode.RMNode) PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission) UserNamePrincipal(org.ow2.proactive.authentication.principals.UserNamePrincipal) BooleanWrapper(org.objectweb.proactive.core.util.wrapper.BooleanWrapper) RMNode(org.ow2.proactive.resourcemanager.rmnode.RMNode) Permission(java.security.Permission) MethodCallPermission(org.ow2.proactive.permissions.MethodCallPermission) PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission) IdentityPrincipal(org.ow2.proactive.authentication.principals.IdentityPrincipal)

Example 5 with PrincipalPermission

use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.

the class NodeSource method initActivity.

/**
 * Initialization of node source. Creates and activates a pinger to monitor nodes.
 *
 * @param body active object body
 */
public void initActivity(Body body) {
    this.stub = (NodeSource) PAActiveObject.getStubOnThis();
    this.infrastructureManager.setNodeSource(this);
    // Infrastructure has been configured and linked to the node source, so we can now persist the runtime
    // variables of the infrastructure for the first time (they have been initialized during the creation of the
    // infrastructure, in its configuration.
    this.infrastructureManager.persistInfrastructureVariables();
    this.activePolicy.setNodeSource((NodeSource) PAActiveObject.getStubOnThis());
    // Set permissions again according to the activated node source policy
    // node source admin permission
    // it's the PrincipalPermission of the user who created the node source
    this.adminPermission = new PrincipalPermission(this.administrator.getName(), this.administrator.getSubject().getPrincipals(UserNamePrincipal.class));
    // creating node source provider permission
    // could be one of the following: PrincipalPermission (NS creator) or PrincipalPermission (NS creator groups)
    // or PrincipalPermission (anyone)
    this.providerPermission = new PrincipalPermission(this.administrator.getName(), this.activePolicy.getProviderAccessType().getIdentityPrincipals(this.administrator));
    this.nodeUserAccessType = this.activePolicy.getUserAccessType();
    Thread.currentThread().setName("Node Source \"" + this.name + "\"");
}
Also used : PrincipalPermission(org.ow2.proactive.permissions.PrincipalPermission)

Aggregations

PrincipalPermission (org.ow2.proactive.permissions.PrincipalPermission)6 Permission (java.security.Permission)3 IdentityPrincipal (org.ow2.proactive.authentication.principals.IdentityPrincipal)3 RMNode (org.ow2.proactive.resourcemanager.rmnode.RMNode)3 HashSet (java.util.HashSet)2 Set (java.util.Set)2 Node (org.objectweb.proactive.core.node.Node)2 TokenPrincipal (org.ow2.proactive.authentication.principals.TokenPrincipal)2 UserNamePrincipal (org.ow2.proactive.authentication.principals.UserNamePrincipal)2 NodeSet (org.ow2.proactive.utils.NodeSet)2 ImmutableSet (com.google.common.collect.ImmutableSet)1 AllPermission (java.security.AllPermission)1 PermissionCollection (java.security.PermissionCollection)1 Principal (java.security.Principal)1 UnresolvedPermission (java.security.UnresolvedPermission)1 ArrayList (java.util.ArrayList)1 MBeanPermission (javax.management.MBeanPermission)1 AuthPermission (javax.security.auth.AuthPermission)1 NodeInformation (org.objectweb.proactive.core.node.NodeInformation)1 BooleanWrapper (org.objectweb.proactive.core.util.wrapper.BooleanWrapper)1