use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.
the class SelectionManagerTest method createMockeNode.
public static RMNode createMockeNode(String nodeUser, String nodeName, String nodeUrl) {
RMNode rmNode = mock(RMNode.class);
NodeInformation mockedNodeInformation = mock(NodeInformation.class);
Node node = mock(Node.class);
when(mockedNodeInformation.getURL()).thenReturn(nodeUrl);
when(mockedNodeInformation.getName()).thenReturn(nodeName);
when(node.getNodeInformation()).thenReturn(mockedNodeInformation);
when(rmNode.getNodeName()).thenReturn(nodeName);
when(rmNode.getNodeSource()).thenReturn(new NodeSource());
when(rmNode.getNode()).thenReturn(node);
when(rmNode.getNodeURL()).thenReturn(nodeUrl);
when(rmNode.getUserPermission()).thenReturn(new PrincipalPermission("permissions", singleton(new UserNamePrincipal(nodeUser))));
return rmNode;
}
use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.
the class NodeSource method buildRMNode.
/**
* Builds a RMNode from a raw Node
* @param node the node object
* @param provider the client of the request
* @return the expected RMNode
*/
private RMNode buildRMNode(Node node, Client provider) {
// creating a node access permission
// it could be either PROVIDER/PROVIDER_GROUPS and in this case
// the provider principals will be taken or
// ME/MY_GROUPS (ns creator/ns creator groups) and in this case
// creator's principals will be used
Client permissionOwner = administrator;
if (nodeUserAccessType.equals(AccessType.PROVIDER) || nodeUserAccessType.equals(AccessType.PROVIDER_GROUPS)) {
permissionOwner = provider;
}
// now selecting the type (user or group) and construct the permission
Set<IdentityPrincipal> principals = (Set<IdentityPrincipal>) nodeUserAccessType.getIdentityPrincipals(permissionOwner);
boolean tokenInNode = false;
boolean tokenInNodeSource = nodeUserAccessType.getTokens() != null && nodeUserAccessType.getTokens().length > 0;
try {
String nodeAccessToken = node.getProperty(RMNodeStarter.NODE_ACCESS_TOKEN);
tokenInNode = nodeAccessToken != null && nodeAccessToken.length() > 0;
if (tokenInNode) {
logger.debug("Node " + node.getNodeInformation().getURL() + " is protected by access token " + nodeAccessToken);
// it overrides all other principals
principals.clear();
principals.add(new TokenPrincipal(nodeAccessToken));
}
} catch (Exception e) {
throw new AddingNodesException(e);
}
PrincipalPermission nodeAccessPermission = new PrincipalPermission(node.getNodeInformation().getURL(), principals);
RMNodeImpl rmnode = new RMNodeImpl(node, stub, provider, nodeAccessPermission);
rmnode.setProtectedByToken(tokenInNode || tokenInNodeSource);
return rmnode;
}
use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.
the class SelectionManager method filterOut.
/**
* Removes exclusion nodes and nodes not accessible for the client
*/
private List<RMNode> filterOut(List<RMNode> freeNodes, Criteria criteria, Client client) {
NodeSet exclusion = criteria.getBlackList();
Set<String> inclusion = criteria.getAcceptableNodesUrls();
boolean nodeWithTokenRequested = criteria.getNodeAccessToken() != null && criteria.getNodeAccessToken().length() > 0;
TokenPrincipal tokenPrincipal = null;
if (nodeWithTokenRequested) {
logger.debug("Node access token specified " + criteria.getNodeAccessToken());
tokenPrincipal = new TokenPrincipal(criteria.getNodeAccessToken());
client.getSubject().getPrincipals().add(tokenPrincipal);
}
List<RMNode> filteredList = new ArrayList<>();
HashSet<Permission> clientPermissions = new HashSet<>();
for (RMNode node : freeNodes) {
// checking the permission
try {
if (!clientPermissions.contains(node.getUserPermission())) {
client.checkPermission(node.getUserPermission(), client + " is not authorized to get the node " + node.getNodeURL() + " from " + node.getNodeSource().getName());
clientPermissions.add(node.getUserPermission());
}
} catch (SecurityException e) {
// client does not have an access to this node
logger.debug(e.getMessage());
continue;
}
// with other tokens but must also filter out nodes without tokens
if (nodeWithTokenRequested && !node.isProtectedByToken()) {
continue;
}
// we will avoid it here
if (nodeWithTokenRequested) {
PrincipalPermission perm = (PrincipalPermission) node.getUserPermission();
// checking explicitly that node has this token identity
if (!perm.hasPrincipal(tokenPrincipal)) {
if (logger.isDebugEnabled()) {
logger.debug(client + " does not have required token to get the node " + node.getNodeURL() + " from " + node.getNodeSource().getName());
}
continue;
}
}
if (!contains(exclusion, node) && ((inclusion != null) ? inclusion.contains(node.getNodeURL()) : true)) {
filteredList.add(node);
}
}
return filteredList;
}
use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.
the class RMCore method releaseNodes.
/**
* {@inheritDoc}
*/
public BooleanWrapper releaseNodes(NodeSet nodes) {
if (nodes.getExtraNodes() != null) {
// do not forget to release extra nodes
nodes.addAll(nodes.getExtraNodes());
}
// exception to throw in case of problems
RuntimeException exception = null;
NodeSet nodesReleased = new NodeSet();
NodeSet nodesFailedToRelease = new NodeSet();
for (Node node : nodes) {
String nodeURL = null;
try {
nodeURL = node.getNodeInformation().getURL();
logger.debug("Releasing node " + nodeURL);
} catch (RuntimeException e) {
logger.debug("A Runtime exception occurred while obtaining information on the node," + "the node must be down (it will be detected later)", e);
// node is down, will be detected by pinger
exception = new IllegalStateException(e.getMessage(), e);
nodesFailedToRelease.add(node);
}
// verify whether the node has not been removed from the RM
if (this.allNodes.containsKey(nodeURL)) {
RMNode rmnode = this.getNodebyUrl(nodeURL);
// free
if (rmnode.isFree()) {
logger.warn("Client " + caller + " tries to release the already free node " + nodeURL);
nodesFailedToRelease.add(node);
} else if (rmnode.isDown()) {
logger.warn("Node was down, it cannot be released");
nodesFailedToRelease.add(node);
} else {
Set<? extends IdentityPrincipal> userPrincipal = rmnode.getOwner().getSubject().getPrincipals(UserNamePrincipal.class);
Permission ownerPermission = new PrincipalPermission(rmnode.getOwner().getName(), userPrincipal);
try {
caller.checkPermission(ownerPermission, caller + " is not authorized to free node " + node.getNodeInformation().getURL());
if (rmnode.isToRemove()) {
removeNodeFromCoreAndSource(rmnode, caller);
nodesReleased.add(node);
} else {
internalSetFree(rmnode);
nodesReleased.add(node);
}
} catch (SecurityException ex) {
logger.error(ex.getMessage(), ex);
nodesFailedToRelease.add(node);
exception = ex;
}
}
} else {
logger.warn("Cannot release unknown node " + nodeURL);
nodesFailedToRelease.add(node);
exception = new IllegalArgumentException("Cannot release unknown node " + nodeURL);
}
}
logger.info("Nodes released : " + nodesReleased);
if (!nodesFailedToRelease.isEmpty()) {
logger.warn("Nodes failed to release : " + nodesFailedToRelease);
}
if (exception != null) {
// throwing the latest exception we had
throw exception;
}
return new BooleanWrapper(true);
}
use of org.ow2.proactive.permissions.PrincipalPermission in project scheduling by ow2-proactive.
the class NodeSource method initActivity.
/**
* Initialization of node source. Creates and activates a pinger to monitor nodes.
*
* @param body active object body
*/
public void initActivity(Body body) {
this.stub = (NodeSource) PAActiveObject.getStubOnThis();
this.infrastructureManager.setNodeSource(this);
// Infrastructure has been configured and linked to the node source, so we can now persist the runtime
// variables of the infrastructure for the first time (they have been initialized during the creation of the
// infrastructure, in its configuration.
this.infrastructureManager.persistInfrastructureVariables();
this.activePolicy.setNodeSource((NodeSource) PAActiveObject.getStubOnThis());
// Set permissions again according to the activated node source policy
// node source admin permission
// it's the PrincipalPermission of the user who created the node source
this.adminPermission = new PrincipalPermission(this.administrator.getName(), this.administrator.getSubject().getPrincipals(UserNamePrincipal.class));
// creating node source provider permission
// could be one of the following: PrincipalPermission (NS creator) or PrincipalPermission (NS creator groups)
// or PrincipalPermission (anyone)
this.providerPermission = new PrincipalPermission(this.administrator.getName(), this.activePolicy.getProviderAccessType().getIdentityPrincipals(this.administrator));
this.nodeUserAccessType = this.activePolicy.getUserAccessType();
Thread.currentThread().setName("Node Source \"" + this.name + "\"");
}
Aggregations