Diffstat (limited to 'qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java')
-rwxr-xr-x | qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java | 59 |
1 files changed, 34 insertions, 25 deletions
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
index 754f6074e3..e0eb083bd4 100755
--- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
+++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
@@ -38,9 +38,7 @@ import java.util.concurrent.ConcurrentMap;
 import javax.security.auth.Subject;
-import org.apache.log4j.Logger;
 import org.apache.qpid.server.model.AccessControlProvider;
-import org.apache.qpid.server.model.AuthenticationProvider;
 import org.apache.qpid.server.model.Binding;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.model.ConfiguredObject;
@@ -50,17 +48,13 @@ import org.apache.qpid.server.model.Exchange;
 import org.apache.qpid.server.model.ExclusivityPolicy;
 import org.apache.qpid.server.model.Group;
 import org.apache.qpid.server.model.GroupMember;
-import org.apache.qpid.server.model.GroupProvider;
-import org.apache.qpid.server.model.KeyStore;
 import org.apache.qpid.server.model.LifetimePolicy;
 import org.apache.qpid.server.model.Model;
-import org.apache.qpid.server.model.Plugin;
-import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.PreferencesProvider;
 import org.apache.qpid.server.model.Queue;
 import org.apache.qpid.server.model.RemoteReplicationNode;
 import org.apache.qpid.server.model.Session;
 import org.apache.qpid.server.model.State;
-import org.apache.qpid.server.model.TrustStore;
 import org.apache.qpid.server.model.User;
 import org.apache.qpid.server.model.VirtualHost;
 import org.apache.qpid.server.model.VirtualHostAlias;
@@ -77,7 +71,6 @@ import org.apache.qpid.server.security.auth.TaskPrincipal;
 public class SecurityManager
 {
- private static final Logger LOGGER = Logger.getLogger(SecurityManager.class);
 private static final Subject SYSTEM = new Subject(true, Collections.singleton(new SystemPrincipal()),
@@ -273,7 +266,7 @@ public class SecurityManager
 return;
 }
- if (Operation.CREATE == operation && configuredObject instanceof RemoteReplicationNode)
+ if (isAllowedOperation(operation, configuredObject))
 {
 // creation of remote replication node is out of control for user of this broker
 return;
@@ -283,9 +276,7 @@ public class SecurityManager
 ObjectType objectType = getACLObjectTypeManagingConfiguredObjectOfCategory(categoryClass);
 if (objectType == null)
 {
- LOGGER.warn("Cannot determine object type for " + configuredObject.getName() + " of category "
- + categoryClass + ". Skipping ACL check...");
- return;
+ throw new IllegalArgumentException("Cannot identify object type for category " + categoryClass );
 }
 ObjectProperties properties = getACLObjectProperties(configuredObject, operation);
@@ -316,6 +307,28 @@ public class SecurityManager
 }
 }
+ private boolean isAllowedOperation(Operation operation, ConfiguredObject<?> configuredObject)
+ {
+ if (configuredObject instanceof Session && (operation == Operation.CREATE || operation == Operation.UPDATE
+ || operation == Operation.DELETE))
+ {
+ return true;
+
+ }
+
+ if (configuredObject instanceof Consumer && (operation == Operation.UPDATE || operation == Operation.DELETE))
+ {
+ return true;
+ }
+
+ if (configuredObject instanceof Connection && (operation == Operation.UPDATE || operation == Operation.DELETE))
+ {
+ return true;
+ }
+
+ return false;
+ }
+
 private Model getModel()
 {
 return _aclProvidersParent.getModel();
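Review bot: The comment `// creation of remote replication node is out of control for user of this broker` inside the rewritten guard is now stale: `isAllowedOperation` covers Session create/update/delete and Consumer/Connection update/delete, and a RemoteReplicationNode CREATE is no longer exempted, so it falls through to the ACL check like everything else. If dropping that exemption is intended, replace the comment with `// operations exempt from ACL checks; see isAllowedOperation` so the bypass is not misdescribed; if it is not intended, the RemoteReplicationNode case needs to be carried into `isAllowedOperation`. The enclosing method begins and ends outside this hunk.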
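Review bot: `isAllowedOperation` answers "does this operation skip the access-control provider", not "is this operation authorised", yet its name reads as the latter and it carries no Javadoc — in an authorisation path that is exactly the kind of name a later caller misuses. Rename it (`private boolean isExemptFromAccessControl(Operation operation, ConfiguredObject<?> configuredObject)`, with the single call site in the preceding hunk updated) or at least give it a Javadoc stating that a true result bypasses every ACL rule and recording why each Session/Consumer/Connection pair is safe to exempt. The blank line before the closing brace of the Session branch looks accidental.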
@@ -351,7 +364,7 @@ public class SecurityManager
 // CREATE GROUP MEMBER is transformed into UPDATE GROUP rule
 return Operation.UPDATE;
 }
- else if (isBrokerOrBrokerChild(category))
+ else if (isBrokerOrBrokerChildOrPreferencesProvider(category))
 {
 // CREATE/UPDATE broker child is transformed into CONFIGURE BROKER rule
 return Operation.CONFIGURE;
@@ -364,10 +377,11 @@ public class SecurityManager
 // DELETE BINDING is transformed into UNBIND EXCHANGE rule
 return Operation.UNBIND;
 }
- else if (isBrokerOrBrokerChild(category))
+ else if (isBrokerOrBrokerChildOrPreferencesProvider(category))
 {
 // DELETE broker child is transformed into CONFIGURE BROKER rule
 return Operation.CONFIGURE;
+
 }
 else if (GroupMember.class.isAssignableFrom(category))
 {
@@ -378,16 +392,11 @@ public class SecurityManager
 return operation;
 }
- private boolean isBrokerOrBrokerChild(Class<? extends ConfiguredObject> category)
+ private boolean isBrokerOrBrokerChildOrPreferencesProvider(Class<? extends ConfiguredObject> category)
 {
- return Broker.class.isAssignableFrom(category)
- || Port.class.isAssignableFrom(category)
- || AuthenticationProvider.class.isAssignableFrom(category)
- || AccessControlProvider.class.isAssignableFrom(category)
- || GroupProvider.class.isAssignableFrom(category)
- || KeyStore.class.isAssignableFrom(category)
- || TrustStore.class.isAssignableFrom(category)
- || Plugin.class.isAssignableFrom(category);
+ return Broker.class.isAssignableFrom(category) ||
+ PreferencesProvider.class.isAssignableFrom(category) ||
+ ( !VirtualHostNode.class.isAssignableFrom(category) && getModel().getChildTypes(Broker.class).contains(category));
 }
 private ObjectProperties getACLObjectProperties(ConfiguredObject<?> configuredObject, Operation configuredObjectOperation)
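Review bot: The new term `getModel().getChildTypes(Broker.class).contains(category)` in `isBrokerOrBrokerChildOrPreferencesProvider` is an exact class match, while the two terms beside it and the static list it replaces use `isAssignableFrom`; whether that matters depends on whether any caller passes a concrete implementation class rather than the category class, which cannot be confirmed from this hunk. In `authorise` such a mismatch would now likely surface as the added `IllegalArgumentException` rather than a silently skipped check, so it fails closed, but it is worth verifying against the call sites. The `!VirtualHostNode.class.isAssignableFrom(category)` exclusion is the security-relevant part of this expression and deserves a comment such as `// VirtualHostNode is a broker child but has its own ACL object type; never fold it into the BROKER rules`. The added blank line before the `}` in the DELETE branch of the previous hunk looks accidental.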
@@ -428,7 +437,7 @@ public class SecurityManager
 Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class);
 setQueueProperties(queue, properties);
 }
- else if (isBrokerOrBrokerChild(configuredObjectType))
+ else if (isBrokerOrBrokerChildOrPreferencesProvider(configuredObjectType))
 {
 String description = String.format("%s %s '%s'",
 configuredObjectOperation == null? null : configuredObjectOperation.name().toLowerCase(),
@@ -474,7 +483,7 @@ public class SecurityManager
 {
 return ObjectType.VIRTUALHOSTNODE;
 }
- else if (isBrokerOrBrokerChild(category))
+ else if (isBrokerOrBrokerChildOrPreferencesProvider(category))
 {
 return ObjectType.BROKER;
 } |