summaryrefslogtreecommitdiff
path: root/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/management/AMQUserManagementMBean.java
diff options
context:
space:
mode:
Diffstat (limited to 'qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/management/AMQUserManagementMBean.java')
-rw-r--r--qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/management/AMQUserManagementMBean.java404
1 files changed, 39 insertions, 365 deletions
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/management/AMQUserManagementMBean.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/management/AMQUserManagementMBean.java
index ee4336055b..a839315bcc 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/management/AMQUserManagementMBean.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/management/AMQUserManagementMBean.java
@@ -20,19 +20,9 @@
*/
package org.apache.qpid.server.security.auth.management;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
import java.io.IOException;
-import java.security.AccessControlContext;
-import java.security.AccessController;
import java.security.Principal;
-import java.util.Enumeration;
import java.util.List;
-import java.util.Properties;
-import java.util.Random;
-import java.util.Set;
-import java.util.concurrent.locks.ReentrantLock;
import javax.management.JMException;
import javax.management.openmbean.CompositeData;
@@ -44,17 +34,13 @@ import javax.management.openmbean.SimpleType;
import javax.management.openmbean.TabularData;
import javax.management.openmbean.TabularDataSupport;
import javax.management.openmbean.TabularType;
-import javax.management.remote.JMXPrincipal;
-import javax.security.auth.Subject;
import javax.security.auth.login.AccountNotFoundException;
-import org.apache.commons.configuration.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.qpid.management.common.mbeans.UserManagement;
import org.apache.qpid.management.common.mbeans.annotations.MBeanDescription;
import org.apache.qpid.management.common.mbeans.annotations.MBeanOperation;
import org.apache.qpid.server.management.AMQManagedObject;
-import org.apache.qpid.server.management.MBeanInvocationHandlerImpl;
import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
@@ -65,22 +51,18 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
private static final Logger _logger = Logger.getLogger(AMQUserManagementMBean.class);
private PrincipalDatabase _principalDatabase;
- private Properties _accessRights;
- private File _accessFile;
-
- private ReentrantLock _accessRightsUpdate = new ReentrantLock();
// Setup for the TabularType
- static TabularType _userlistDataType; // Datatype for representing User Lists
- static CompositeType _userDataType; // Composite type for representing User
+ private static final TabularType _userlistDataType; // Datatype for representing User Lists
+ private static final CompositeType _userDataType; // Composite type for representing User
static
{
OpenType[] userItemTypes = new OpenType[4]; // User item types.
userItemTypes[0] = SimpleType.STRING; // For Username
- userItemTypes[1] = SimpleType.BOOLEAN; // For Rights - Read
- userItemTypes[2] = SimpleType.BOOLEAN; // For Rights - Write
- userItemTypes[3] = SimpleType.BOOLEAN; // For Rights - Admin
+ userItemTypes[1] = SimpleType.BOOLEAN; // For Rights - Read - No longer in use
+ userItemTypes[2] = SimpleType.BOOLEAN; // For Rights - Write - No longer in use
+ userItemTypes[3] = SimpleType.BOOLEAN; // For Rights - Admin - No longer is use
try
{
@@ -92,12 +74,11 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
}
catch (OpenDataException e)
{
- _logger.error("Tabular data setup for viewing users incorrect.");
- _userlistDataType = null;
+ _logger.error("Tabular data setup for viewing users incorrect.", e);
+ throw new ExceptionInInitializerError("Tabular data setup for viewing users incorrect");
}
}
-
public AMQUserManagementMBean() throws JMException
{
super(UserManagement.class, UserManagement.TYPE);
@@ -122,141 +103,45 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
}
catch (AccountNotFoundException e)
{
- _logger.warn("Attempt to set password of non-existant user'" + username + "'");
+ _logger.warn("Attempt to set password of non-existent user'" + username + "'");
return false;
}
}
public boolean setRights(String username, boolean read, boolean write, boolean admin)
{
-
- Object oldRights = null;
- if ((oldRights =_accessRights.get(username)) == null)
- {
- // If the user doesn't exist in the access rights file check that they at least have an account.
- if (_principalDatabase.getUser(username) == null)
- {
- return false;
- }
- }
-
- try
- {
- _accessRightsUpdate.lock();
-
- // Update the access rights
- if (admin)
- {
- _accessRights.put(username, MBeanInvocationHandlerImpl.ADMIN);
- }
- else
- {
- if (read | write)
- {
- if (read)
- {
- _accessRights.put(username, MBeanInvocationHandlerImpl.READONLY);
- }
- if (write)
- {
- _accessRights.put(username, MBeanInvocationHandlerImpl.READWRITE);
- }
- }
- else
- {
- _accessRights.remove(username);
- }
- }
-
- //save the rights file
- try
- {
- saveAccessFile();
- }
- catch (IOException e)
- {
- _logger.warn("Problem occured saving '" + _accessFile + "', the access right changes will not be preserved: " + e);
-
- //the rights file was not successfully saved, restore user rights to previous value
- _logger.warn("Reverting attempted rights update for user'" + username + "'");
- if (oldRights != null)
- {
- _accessRights.put(username, oldRights);
- }
- else
- {
- _accessRights.remove(username);
- }
-
- return false;
- }
- }
- finally
+ throw new UnsupportedOperationException("Support for setting access rights no longer supported.");
+ }
+
+ public boolean createUser(String username, String password)
+ {
+ if (_principalDatabase.createPrincipal(new UsernamePrincipal(username), password.toCharArray()))
{
- _accessRightsUpdate.unlock();
+ return true;
}
- return true;
+ return false;
}
public boolean createUser(String username, String password, boolean read, boolean write, boolean admin)
{
- return createUser(username, password.toCharArray(), read, write, admin);
+ if (read || write || admin)
+ {
+ throw new UnsupportedOperationException("Support for setting access rights to true no longer supported.");
+ }
+ return createUser(username, password);
}
public boolean createUser(String username, char[] password, boolean read, boolean write, boolean admin)
{
- if (_principalDatabase.createPrincipal(new UsernamePrincipal(username), password))
- {
- if (!setRights(username, read, write, admin))
- {
- //unable to set rights for user, remove account
- try
- {
- _principalDatabase.deletePrincipal(new UsernamePrincipal(username));
- }
- catch (AccountNotFoundException e)
- {
- //ignore
- }
- return false;
- }
- else
- {
- return true;
- }
- }
-
- return false;
+ return createUser(username, new String(password), read, write, admin);
}
public boolean deleteUser(String username)
{
try
{
- if (_principalDatabase.deletePrincipal(new UsernamePrincipal(username)))
- {
- try
- {
- _accessRightsUpdate.lock();
-
- _accessRights.remove(username);
-
- try
- {
- saveAccessFile();
- }
- catch (IOException e)
- {
- _logger.warn("Problem occured saving '" + _accessFile + "', the access right changes will not be preserved: " + e);
- return false;
- }
- }
- finally
- {
- _accessRightsUpdate.unlock();
- }
- }
+ _principalDatabase.deletePrincipal(new UsernamePrincipal(username));
}
catch (AccountNotFoundException e)
{
@@ -269,38 +154,23 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
public boolean reloadData()
{
- try
- {
- loadAccessFile();
- _principalDatabase.reload();
- }
- catch (ConfigurationException e)
- {
- _logger.warn("Reload failed due to:" + e);
- return false;
- }
- catch (IOException e)
- {
- _logger.warn("Reload failed due to:" + e);
- return false;
- }
- // Reload successful
- return true;
+ try
+ {
+ _principalDatabase.reload();
+ }
+ catch (IOException e)
+ {
+ _logger.warn("Reload failed due to:", e);
+ return false;
+ }
+ // Reload successful
+ return true;
}
- @MBeanOperation(name = "viewUsers", description = "All users with access rights to the system.")
+ @MBeanOperation(name = "viewUsers", description = "All users that are currently available to the system.")
public TabularData viewUsers()
{
- // Table of users
- // Username(string), Access rights Read,Write,Admin(bool,bool,bool)
-
- if (_userlistDataType == null)
- {
- _logger.warn("TabluarData not setup correctly");
- return null;
- }
-
List<Principal> users = _principalDatabase.getUsers();
TabularDataSupport userList = new TabularDataSupport(_userlistDataType);
@@ -311,29 +181,16 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
for (Principal user : users)
{
// Create header attributes list
-
- String rights = (String) _accessRights.get(user.getName());
-
- Boolean read = false;
- Boolean write = false;
- Boolean admin = false;
-
- if (rights != null)
- {
- read = rights.equals(MBeanInvocationHandlerImpl.READONLY)
- || rights.equals(MBeanInvocationHandlerImpl.READWRITE);
- write = rights.equals(MBeanInvocationHandlerImpl.READWRITE);
- admin = rights.equals(MBeanInvocationHandlerImpl.ADMIN);
- }
-
- Object[] itemData = {user.getName(), read, write, admin};
+
+ // Read,Write,Admin items are depcreated and we return always false.
+ Object[] itemData = {user.getName(), false, false, false};
CompositeData messageData = new CompositeDataSupport(_userDataType, COMPOSITE_ITEM_NAMES.toArray(new String[COMPOSITE_ITEM_NAMES.size()]), itemData);
userList.put(messageData);
}
}
catch (OpenDataException e)
{
- _logger.warn("Unable to create user list due to :" + e);
+ _logger.warn("Unable to create user list due to :", e);
return null;
}
@@ -351,187 +208,4 @@ public class AMQUserManagementMBean extends AMQManagedObject implements UserMana
{
_principalDatabase = database;
}
-
- /**
- * setAccessFile
- *
- * @param accessFile the file to use for updating.
- *
- * @throws java.io.IOException If the file cannot be accessed
- * @throws org.apache.commons.configuration.ConfigurationException
- * if checks on the file fail.
- */
- public void setAccessFile(String accessFile) throws IOException, ConfigurationException
- {
- if (accessFile != null)
- {
- _accessFile = new File(accessFile);
- if (!_accessFile.exists())
- {
- throw new ConfigurationException("'" + _accessFile + "' does not exist");
- }
-
- if (!_accessFile.canRead())
- {
- throw new ConfigurationException("Cannot read '" + _accessFile + "'.");
- }
-
- if (!_accessFile.canWrite())
- {
- _logger.warn("Unable to write to access rights file '" + _accessFile + "', changes will not be preserved.");
- }
-
- loadAccessFile();
- }
- else
- {
- _logger.warn("Access rights file specified is null. Access rights not changed.");
- }
- }
-
- private void loadAccessFile() throws IOException, ConfigurationException
- {
- if(_accessFile == null)
- {
- _logger.error("No jmx access rights file has been specified.");
- return;
- }
-
- if(_accessFile.exists())
- {
- try
- {
- _accessRightsUpdate.lock();
-
- Properties accessRights = new Properties();
- FileInputStream inStream = new FileInputStream(_accessFile);
- try
- {
- accessRights.load(inStream);
- }
- finally
- {
- inStream.close();
- }
-
- checkAccessRights(accessRights);
- setAccessRights(accessRights);
- }
- finally
- {
- _accessRightsUpdate.unlock();
- }
- }
- else
- {
- _logger.error("Specified jmxaccess rights file '" + _accessFile + "' does not exist.");
- }
- }
-
- private void checkAccessRights(Properties accessRights)
- {
- Enumeration values = accessRights.propertyNames();
-
- while (values.hasMoreElements())
- {
- String user = (String) values.nextElement();
-
- if (_principalDatabase.getUser(user) == null)
- {
- _logger.warn("Access rights contains user '" + user + "' but there is no authentication data for that user");
- }
- }
- }
-
- private void saveAccessFile() throws IOException
- {
- try
- {
- _accessRightsUpdate.lock();
-
- // Create temporary file
- Random r = new Random();
- File tmp;
- do
- {
- tmp = new File(_accessFile.getPath() + r.nextInt() + ".tmp");
- }
- while(tmp.exists());
-
- tmp.deleteOnExit();
-
- FileOutputStream output = new FileOutputStream(tmp);
- _accessRights.store(output, "Generated by AMQUserManagementMBean Console : Last edited by user:" + getCurrentJMXUser());
- output.close();
-
- // Swap temp file to main rights file.
- File old = new File(_accessFile.getAbsoluteFile() + ".old");
- if (old.exists())
- {
- old.delete();
- }
-
- if(!_accessFile.renameTo(old))
- {
- //unable to rename the existing file to the backup name
- _logger.error("Could not backup the existing management rights file");
- throw new IOException("Could not backup the existing management rights file");
- }
-
- if(!tmp.renameTo(_accessFile))
- {
- //failed to rename the new file to the required filename
-
- if(!old.renameTo(_accessFile))
- {
- //unable to return the backup to required filename
- _logger.error("Could not rename the new management rights file into place, and unable to restore original file");
- throw new IOException("Could not rename the new management rights file into place, and unable to restore original file");
- }
-
- _logger.error("Could not rename the new management rights file into place");
- throw new IOException("Could not rename the new management rights file into place");
- }
- }
- finally
- {
- _accessRightsUpdate.unlock();
- }
-
- }
-
- private String getCurrentJMXUser()
- {
- AccessControlContext acc = AccessController.getContext();
-
- Subject subject = Subject.getSubject(acc);
- if (subject == null)
- {
- return "Unknown user, authentication Subject was null";
- }
-
- // Retrieve JMXPrincipal from Subject
- Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
- if (principals == null || principals.isEmpty())
- {
- return "Unknown user principals were null";
- }
-
- Principal principal = principals.iterator().next();
- return principal.getName();
- }
-
- /**
- * user=read user=write user=readwrite user=admin
- *
- * @param accessRights The properties list of access rights to process
- */
- private void setAccessRights(Properties accessRights)
- {
- _logger.debug("Setting Access Rights:" + accessRights);
- _accessRights = accessRights;
-
- // TODO check where this is used
- // MBeanInvocationHandlerImpl.setAccessRights(_accessRights);
- }
}
View Lorry Controller Status