author | Keith Wall <kwall@apache.org> | 2015-03-12 15:13:16 +0000 |
---|---|---|
committer | Keith Wall <kwall@apache.org> | 2015-03-12 15:13:16 +0000 |
commit | 49c02f9fcf8c2dd1b063c887f8948f840ec785c2 (patch) | |
tree | 7fa009399d501d9ad3e9f77f735d85a2b75807cf /qpid/java/broker-core/src/main/java/org/apache/qpid | |
parent | d31279a6374f4fd4326d04fdae456543547d441f (diff) | |
parent | b66b4f357a756449c7e7184be4d963fb36f5b2d4 (diff) | |
download | qpid-python-QPID-6262-JavaBrokerNIO.tar.gz |
Merge from trunkQPID-6262-JavaBrokerNIO
git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/QPID-6262-JavaBrokerNIO@1666219 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-core/src/main/java/org/apache/qpid')
2 files changed, 37 insertions, 46 deletions
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
index c475824c2d..3bd44a92ea 100755
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
@@ -39,9 +39,7 @@ import java.util.concurrent.ConcurrentMap;
 import javax.security.auth.Subject;
-import org.apache.log4j.Logger;
 import org.apache.qpid.server.model.AccessControlProvider;
-import org.apache.qpid.server.model.AuthenticationProvider;
 import org.apache.qpid.server.model.Binding;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.ConfiguredObject;
@@ -51,17 +49,13 @@ import org.apache.qpid.server.model.Exchange;
 import org.apache.qpid.server.model.ExclusivityPolicy;
 import org.apache.qpid.server.model.Group;
 import org.apache.qpid.server.model.GroupMember;
-import org.apache.qpid.server.model.GroupProvider;
-import org.apache.qpid.server.model.KeyStore;
 import org.apache.qpid.server.model.LifetimePolicy;
 import org.apache.qpid.server.model.Model;
-import org.apache.qpid.server.model.Plugin;
-import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.PreferencesProvider;
 import org.apache.qpid.server.model.Queue;
 import org.apache.qpid.server.model.RemoteReplicationNode;
 import org.apache.qpid.server.model.Session;
 import org.apache.qpid.server.model.State;
-import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.server.model.User;
 import org.apache.qpid.server.model.VirtualHost;
 import org.apache.qpid.server.model.VirtualHostAlias;
@@ -78,7 +72,6 @@ import org.apache.qpid.server.security.auth.TaskPrincipal; public class SecurityManager { - private static final Logger LOGGER = Logger.getLogger(SecurityManager.class); private static final Subject SYSTEM = new Subject(true, Collections.singleton(new SystemPrincipal()), @@ -274,38 +267,17 @@ public class SecurityManager return; } - if (Operation.CREATE == operation && configuredObject instanceof RemoteReplicationNode) + if (isAllowedOperation(operation, configuredObject)) { // creation of remote replication node is out of control for user of this broker return; } - if ((Operation.CREATE == operation) && configuredObject instanceof RemoteReplicationNode) - { - // creation of remote replication node is out of control for user of this broker - return; - } - - if ((EnumSet.of(Operation.CREATE, Operation.UPDATE, Operation.DELETE).contains(operation)) && configuredObject instanceof Session) - { - return; - } - - if ((EnumSet.of(Operation.UPDATE, Operation.DELETE).contains(operation)) && (configuredObject instanceof Consumer || configuredObject instanceof Connection)) - { - return; - } - - Class<? extends ConfiguredObject> categoryClass = configuredObject.getCategoryClass(); - LOGGER.debug("getCategoryClass " + categoryClass); ObjectType objectType = getACLObjectTypeManagingConfiguredObjectOfCategory(categoryClass); - LOGGER.debug("objectType " + objectType); if (objectType == null) { - LOGGER.warn("Cannot determine object type for " + configuredObject.getName() + " of category " - + categoryClass + ". Skipping ACL check..."); - return; + throw new IllegalArgumentException("Cannot identify object type for category " + categoryClass ); } ObjectProperties properties = getACLObjectProperties(configuredObject, operation); 
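Review bot: In the `@@ -274,38 +267,17 @@` hunk the comment kept under `if (isAllowedOperation(operation, configuredObject))` still reads `// creation of remote replication node is out of control for user of this broker`, but the `isAllowedOperation` method added by this commit exempts only Session, Consumer and Connection operations. If dropping the `CREATE` exemption for `RemoteReplicationNode` was intended, that request now reaches the ACL lookup and, should no object type be mapped for its category, the new `IllegalArgumentException`; if it was not intended, the exemption was lost in the refactor. Either way the comment should match the code, for example `// lifecycle operations on sessions, consumers and connections are not subject to ACL checks`. Throwing instead of logging and skipping the check makes an unmapped category fail closed, which is the safer default, though callers that relied on the old skip will now see an unchecked exception. The enclosing method starts and ends outside the hunk.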
@@ -336,6 +308,28 @@ public class SecurityManager
 }
 }
+ private boolean isAllowedOperation(Operation operation, ConfiguredObject<?> configuredObject)
+ {
+ if (configuredObject instanceof Session && (operation == Operation.CREATE || operation == Operation.UPDATE
+ || operation == Operation.DELETE))
+ {
+ return true;
+
+ }
+
+ if (configuredObject instanceof Consumer && (operation == Operation.UPDATE || operation == Operation.DELETE))
+ {
+ return true;
+ }
+
+ if (configuredObject instanceof Connection && (operation == Operation.UPDATE || operation == Operation.DELETE))
+ {
+ return true;
+ }
+
+ return false;
+ }
+
 private Model getModel()
 {
 return _aclProvidersParent.getModel();
@@ -371,7 +365,7 @@ public class SecurityManager
 // CREATE GROUP MEMBER is transformed into UPDATE GROUP rule
 return Operation.UPDATE;
 }
- else if (isBrokerOrBrokerChild(category))
+ else if (isBrokerOrBrokerChildOrPreferencesProvider(category))
 {
 // CREATE/UPDATE broker child is transformed into CONFIGURE BROKER rule
 return Operation.CONFIGURE;
@@ -384,10 +378,11 @@ public class SecurityManager
 // DELETE BINDING is transformed into UNBIND EXCHANGE rule
 return Operation.UNBIND;
 }
- else if (isBrokerOrBrokerChild(category))
+ else if (isBrokerOrBrokerChildOrPreferencesProvider(category))
 {
 // DELETE broker child is transformed into CONFIGURE BROKER rule
 return Operation.CONFIGURE;
+
 }
 else if (GroupMember.class.isAssignableFrom(category))
 {
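Review bot: `isAllowedOperation` in the `@@ -336,6 +308,28 @@` hunk is a list of ACL exemptions, yet neither its name nor a comment says so: when it returns true the caller returns before any access-control lookup is made. A Javadoc line such as `/** Returns true for operations that bypass ACL checks: CREATE/UPDATE/DELETE of a Session, and UPDATE/DELETE of a Consumer or Connection. */` would make the exemption reviewable, and a name along the lines of `isExemptFromAccessControl` would read less like the result of a permission check. The Consumer and Connection branches test the same operations and could share one condition, and there is a stray blank line after the first `return true;`.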
@@ -398,16 +393,11 @@ public class SecurityManager return operation; } - private boolean isBrokerOrBrokerChild(Class<? extends ConfiguredObject> category) + private boolean isBrokerOrBrokerChildOrPreferencesProvider(Class<? extends ConfiguredObject> category) { - return Broker.class.isAssignableFrom(category) - || Port.class.isAssignableFrom(category) - || AuthenticationProvider.class.isAssignableFrom(category) - || AccessControlProvider.class.isAssignableFrom(category) - || GroupProvider.class.isAssignableFrom(category) - || KeyStore.class.isAssignableFrom(category) - || TrustStore.class.isAssignableFrom(category) - || Plugin.class.isAssignableFrom(category); + return Broker.class.isAssignableFrom(category) || + PreferencesProvider.class.isAssignableFrom(category) || + ( !VirtualHostNode.class.isAssignableFrom(category) && getModel().getChildTypes(Broker.class).contains(category)); } private ObjectProperties getACLObjectProperties(ConfiguredObject<?> configuredObject, Operation configuredObjectOperation) @@ -448,7 +438,7 @@ public class SecurityManager Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class); setQueueProperties(queue, properties); } - else if (isBrokerOrBrokerChild(configuredObjectType)) + else if (isBrokerOrBrokerChildOrPreferencesProvider(configuredObjectType)) { String description = String.format("%s %s '%s'", configuredObjectOperation == null? null : configuredObjectOperation.name().toLowerCase(), @@ -494,7 +484,7 @@ public class SecurityManager { return ObjectType.VIRTUALHOSTNODE; } - else if (isBrokerOrBrokerChild(category)) + else if (isBrokerOrBrokerChildOrPreferencesProvider(category)) { return ObjectType.BROKER; } diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/virtualhostnode/RedirectingVirtualHostImpl.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/virtualhostnode/RedirectingVirtualHostImpl.java index cacc981e9b..917c2fd9a1 100644 
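Review bot: The last clause of `isBrokerOrBrokerChildOrPreferencesProvider` in the `@@ -398,16 +393,11 @@` hunk tests `getModel().getChildTypes(Broker.class).contains(category)`, an exact-class match, while the two clauses before it and the removed list all use `isAssignableFrom`. If a caller passes an implementation class rather than the category interface, the method returns false and the object is no longer mapped to `ObjectType.BROKER` / `Operation.CONFIGURE` by the call sites in the later hunks; whether that can happen depends on callers outside this hunk. The change also makes every present and future child type of Broker except VirtualHostNode subject to the broker CONFIGURE rule, which widens what that grant controls, so the intent deserves a comment such as `// every Broker child category except VirtualHostNode is authorised via the BROKER object type`.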
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/virtualhostnode/RedirectingVirtualHostImpl.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/virtualhostnode/RedirectingVirtualHostImpl.java
@@ -48,6 +48,7 @@ import org.apache.qpid.server.model.port.AmqpPort;
 import org.apache.qpid.server.protocol.AMQConnectionModel;
 import org.apache.qpid.server.protocol.LinkRegistry;
 import org.apache.qpid.server.queue.AMQQueue;
+import org.apache.qpid.server.security.SecurityManager;
 import org.apache.qpid.server.stats.StatisticsCounter;
 import org.apache.qpid.server.store.DurableConfigurationStore;
 import org.apache.qpid.server.store.MessageStore;
@@ -355,9 +356,9 @@ class RedirectingVirtualHostImpl
 }
 @Override
- public org.apache.qpid.server.security.SecurityManager getSecurityManager()
+ public SecurityManager getSecurityManager()
 {
- return null;
+ return super.getSecurityManager();
 }
 @Override |
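Review bot: After this change the `getSecurityManager()` override in the `@@ -355,9 +356,9 @@` hunk only delegates to `super.getSecurityManager()`, so it adds nothing over the inherited method and could be deleted together with the new `SecurityManager` import, unless it is kept deliberately for a reason not visible here. Returning the inherited manager instead of `null` removes a null-dereference hazard for any caller that authorises against a redirecting virtual host, but it is worth confirming that the superclass value is already set at every point where this accessor can be called. The class body continues outside the hunk.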