diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java index 1d3f458a064aa..b4a39621e0f69 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/authentication/IgniteAuthenticationProcessor.java @@ -71,7 +71,6 @@ import org.apache.ignite.plugin.security.SecurityCredentials; import org.apache.ignite.plugin.security.SecurityException; import org.apache.ignite.plugin.security.SecurityPermission; -import org.apache.ignite.plugin.security.SecurityPermissionSet; import org.apache.ignite.plugin.security.SecuritySubject; import org.apache.ignite.plugin.security.SecuritySubjectType; import org.apache.ignite.spi.discovery.DiscoveryDataBag; @@ -89,7 +88,6 @@ import static org.apache.ignite.internal.processors.authentication.UserManagementOperation.OperationType.ADD; import static org.apache.ignite.internal.processors.authentication.UserManagementOperation.OperationType.REMOVE; import static org.apache.ignite.internal.processors.authentication.UserManagementOperation.OperationType.UPDATE; -import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS; import static org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_CLIENT; import static org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_NODE; @@ -1405,11 +1403,6 @@ public SecuritySubjectImpl(UUID id, String login, SecuritySubjectType type, Inet return addr; } - /** {@inheritDoc} */ - @Override public SecurityPermissionSet permissions() { - return ALL_PERMISSIONS; - } - /** {@inheritDoc} */ @Override public String toString() { return S.toString(SecuritySubjectImpl.class, this); @@ -1433,25 +1426,5 @@ public SecurityContextImpl(UUID id, String login, SecuritySubjectType type, Inet @Override public SecuritySubject subject() { return subj; } - - /** {@inheritDoc} */ - @Override public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm) { - return true; - } - - /** {@inheritDoc} */ - @Override public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm) { - return true; - } - - /** {@inheritDoc} */ - @Override public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm) { - return true; - } - - /** {@inheritDoc} */ - @Override public boolean systemOperationAllowed(SecurityPermission perm) { - return true; - } } } diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java index 65c983f843532..88e80b7ff3f04 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/IgniteSecurityProcessor.java @@ -463,8 +463,7 @@ private IgniteNodeValidationResult validateNodeJoinPermission(ClusterNode node) ); try { - if (!secCtx.systemOperationAllowed(JOIN_AS_SERVER)) - secPrc.authorize(null, JOIN_AS_SERVER, secCtx); + secPrc.authorize(null, JOIN_AS_SERVER, secCtx); return null; } diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java index 90ba76328c71d..70f8eb498fd30 100644 --- a/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java +++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/security/SecurityContext.java @@ -17,7 +17,6 @@ package org.apache.ignite.internal.processors.security; -import org.apache.ignite.plugin.security.SecurityPermission; import org.apache.ignite.plugin.security.SecuritySubject; /** @@ -28,51 +27,4 @@ public interface SecurityContext { * @return Security subject. */ public SecuritySubject subject(); - - /** - * Checks whether task operation is allowed. - * - * @param taskClsName Task class name. - * @param perm Permission to check. - * @return {@code True} if task operation is allowed. - * @deprecated Use {@link IgniteSecurity#authorize(String, SecurityPermission)} instead. - * This method will be removed in the future releases. - */ - @Deprecated - public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm); - - /** - * Checks whether cache operation is allowed. - * - * @param cacheName Cache name. - * @param perm Permission to check. - * @return {@code True} if cache operation is allowed. - * @deprecated Use {@link IgniteSecurity#authorize(String, SecurityPermission)} instead. - * This method will be removed in the future releases. - */ - @Deprecated - public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm); - - /** - * Checks whether service operation is allowed. - * - * @param srvcName Service name. - * @param perm Permission to check. - * @return {@code True} if task operation is allowed. - * @deprecated Use {@link IgniteSecurity#authorize(String, SecurityPermission)} instead. - * This method will be removed in the future releases. - */ - @Deprecated - public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm); - - /** - * Checks whether system-wide permission is allowed (excluding Visor task operations). - * - * @param perm Permission to check. - * @return {@code True} if system operation is allowed. - * @deprecated Use {@link IgniteSecurity#authorize(SecurityPermission)} instead. - * This method will be removed in the future releases. - */ - @Deprecated - public boolean systemOperationAllowed(SecurityPermission perm); } diff --git a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java index f83fe3d9643d9..491a1454744c8 100644 --- a/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java +++ b/modules/core/src/main/java/org/apache/ignite/plugin/security/SecuritySubject.java @@ -66,17 +66,6 @@ public default Certificate[] certificates() { return null; } - /** - * Authorized permission set for the subject. - * - * @return Authorized permission set for the subject. - * @deprecated {@link SecuritySubject} must contain only immutable set of - * information that represents a security principal. Security permissions are part of authorization process - * and have nothing to do with {@link SecuritySubject}. This method will be removed in the future releases. - */ - @Deprecated - public SecurityPermissionSet permissions(); - /** * @return Permissions for SecurityManager checks. * @deprecated {@link SecuritySubject} must contain only immutable set of diff --git a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java index c28c88b851f7c..3480d54e06720 100644 --- a/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java +++ b/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java @@ -114,7 +114,6 @@ import org.apache.ignite.lang.IgniteProductVersion; import org.apache.ignite.lang.IgniteUuid; import org.apache.ignite.plugin.security.SecurityCredentials; -import org.apache.ignite.plugin.security.SecurityPermissionSet; import org.apache.ignite.spi.IgniteNodeValidationResult; import org.apache.ignite.spi.IgniteSpiContext; import org.apache.ignite.spi.IgniteSpiException; @@ -182,7 +181,6 @@ import static org.apache.ignite.internal.IgniteNodeAttributes.ATTR_MARSHALLER_USE_BINARY_STRING_SER_VER_2; import static org.apache.ignite.internal.IgniteNodeAttributes.ATTR_MARSHALLER_USE_DFLT_SUID; import static org.apache.ignite.internal.processors.security.SecurityUtils.authenticateLocalNode; -import static org.apache.ignite.internal.processors.security.SecurityUtils.nodeSecurityContext; import static org.apache.ignite.internal.processors.security.SecurityUtils.withSecurityContext; import static org.apache.ignite.spi.IgnitePortProtocol.TCP; import static org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi.DFLT_DISCOVERY_CLIENT_RECONNECT_HISTORY_SIZE; @@ -2160,28 +2158,6 @@ private boolean recordable(TcpDiscoveryAbstractMessage msg) { !(msg instanceof TcpDiscoveryConnectionCheckMessage); } - /** - * Checks if two given {@link SecurityPermissionSet} objects contain the same permissions. - * Each permission belongs to one of three groups : cache, task or system. - * - * @param locPerms The first set of permissions. - * @param rmtPerms The second set of permissions. - * @return {@code True} if given parameters contain the same permissions, {@code False} otherwise. - */ - private boolean permissionsEqual(@Nullable SecurityPermissionSet locPerms, - @Nullable SecurityPermissionSet rmtPerms) { - if (locPerms == null || rmtPerms == null) - return false; - - boolean dfltAllowMatch = locPerms.defaultAllowAll() == rmtPerms.defaultAllowAll(); - - boolean bothHaveSamePerms = F.eqNotOrdered(rmtPerms.systemPermissions(), locPerms.systemPermissions()) && - F.eqNotOrdered(rmtPerms.cachePermissions(), locPerms.cachePermissions()) && - F.eqNotOrdered(rmtPerms.taskPermissions(), locPerms.taskPermissions()); - - return dfltAllowMatch && bothHaveSamePerms; - } - /** * @param msg Message. * @param nodeId Node ID. @@ -4993,11 +4969,7 @@ else if (!locNodeId.equals(node.id()) && ring.node(node.id()) != null) { else { SecurityContext subj = spi.nodeAuth.authenticateNode(node, cred); - SecurityContext coordSubj = nodeSecurityContext( - spi.marshaller(), U.resolveClassLoader(spi.ignite().configuration()), node - ); - - if (!permissionsEqual(getPermissions(coordSubj), getPermissions(subj))) { + if (subj == null) { // Node has not pass authentication. LT.warn(log, "Authentication failed [nodeId=" + node.id() + ", addrs=" + U.addressesAsString(node) + ']'); @@ -5082,50 +5054,6 @@ else if (spiState == CONNECTING) if (top != null && !top.isEmpty()) { spi.gridStartTime = msg.gridStartTime(); - if (spi.nodeAuth != null && spi.nodeAuth.isGlobalNodeAuthentication()) { - TcpDiscoveryAbstractMessage authFail = - new TcpDiscoveryAuthFailedMessage(locNodeId, spi.locHost, node.id()); - - try { - ClassLoader ldr = U.resolveClassLoader(spi.ignite().configuration()); - - SecurityContext rmCrd = nodeSecurityContext( - spi.marshaller(), ldr, node - ); - - SecurityContext locCrd = nodeSecurityContext( - spi.marshaller(), ldr, locNode - ); - - if (!permissionsEqual(getPermissions(locCrd), getPermissions(rmCrd))) { - // Node has not pass authentication. - LT.warn(log, - "Failed to authenticate local node " + - "(local authentication result is different from rest of topology) " + - "[nodeId=" + node.id() + ", addrs=" + U.addressesAsString(node) + ']'); - - joinRes.set(authFail); - - spiState = AUTH_FAILED; - - mux.notifyAll(); - - return; - } - } - catch (IgniteException e) { - U.error(log, "Failed to verify node permissions consistency (will drop the node): " + node, e); - - joinRes.set(authFail); - - spiState = AUTH_FAILED; - - mux.notifyAll(); - - return; - } - } - for (TcpDiscoveryNode n : top) { assert n.internalOrder() < node.internalOrder() : "Invalid node [topNode=" + n + ", added=" + node + ']'; @@ -5205,17 +5133,6 @@ else if (spiState == CONNECTING) sendMessageAcrossRing(msg); } - /** - * @param secCtx Security context. - * @return Security permission set. - */ - private @Nullable SecurityPermissionSet getPermissions(SecurityContext secCtx) { - if (secCtx == null || secCtx.subject() == null) - return null; - - return secCtx.subject().permissions(); - } - /** * Processes node add finished message. * diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/NodeJoinPermissionsTest.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/NodeJoinPermissionsTest.java index b641cd7b634eb..0c3829f0d3f7b 100644 --- a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/NodeJoinPermissionsTest.java +++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/cluster/NodeJoinPermissionsTest.java @@ -17,56 +17,22 @@ package org.apache.ignite.internal.processors.security.cluster; -import java.io.Serializable; -import java.net.InetSocketAddress; -import java.util.Arrays; -import java.util.Collection; -import java.util.Map; -import java.util.Objects; import java.util.concurrent.CountDownLatch; import java.util.concurrent.TimeUnit; -import org.apache.ignite.cluster.ClusterNode; import org.apache.ignite.configuration.IgniteConfiguration; -import org.apache.ignite.internal.GridKernalContext; import org.apache.ignite.internal.processors.security.AbstractSecurityTest; -import org.apache.ignite.internal.processors.security.AbstractTestSecurityPluginProvider; -import org.apache.ignite.internal.processors.security.GridSecurityProcessor; -import org.apache.ignite.internal.processors.security.SecurityContext; -import org.apache.ignite.internal.processors.security.impl.TestSecurityData; import org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider; -import org.apache.ignite.internal.processors.security.impl.TestSecurityProcessor; -import org.apache.ignite.internal.processors.security.impl.TestSecuritySubject; -import org.apache.ignite.internal.util.typedef.F; -import org.apache.ignite.plugin.security.AuthenticationContext; -import org.apache.ignite.plugin.security.SecurityCredentials; -import org.apache.ignite.plugin.security.SecurityException; import org.apache.ignite.plugin.security.SecurityPermission; -import org.apache.ignite.plugin.security.SecurityPermissionSet; -import org.apache.ignite.plugin.security.SecuritySubject; import org.apache.ignite.spi.IgniteSpiException; import org.apache.ignite.testframework.GridTestUtils; import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.Parameterized; import static org.apache.ignite.events.EventType.EVT_CLIENT_NODE_RECONNECTED; import static org.apache.ignite.plugin.security.SecurityPermission.JOIN_AS_SERVER; import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.systemPermissions; -import static org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_NODE; /** */ -@RunWith(Parameterized.class) public class NodeJoinPermissionsTest extends AbstractSecurityTest { - /** */ - @Parameterized.Parameter - public boolean isLegacyAuthApproach; - - /** */ - @Parameterized.Parameters(name = "isLegacyAuthorizationApproach={0}") - public static Object[] parameters() { - return new Object[] { false, true }; - } - /** {@inheritDoc} */ @Override protected void beforeTest() throws Exception { super.beforeTest(); @@ -78,19 +44,14 @@ public static Object[] parameters() { private IgniteConfiguration configuration(int idx, SecurityPermission... sysPermissions) throws Exception { String login = getTestIgniteInstanceName(idx); - AbstractTestSecurityPluginProvider secPuginProv = isLegacyAuthApproach - ? new TestSecurityPluginProvider( + return getConfiguration( + login, + new TestSecurityPluginProvider( login, "", systemPermissions(sysPermissions), - false) - : new SecurityPluginProvider( - login, - "", - systemPermissions(sysPermissions), - false); - - return getConfiguration(login, secPuginProv); + false + )); } /** */ @@ -132,198 +93,4 @@ public void testNodeJoinPermissions() throws Exception { assertEquals(3, grid(0).cluster().nodes().size()); } - - /** */ - private static class SecurityPluginProvider extends TestSecurityPluginProvider { - /** */ - public SecurityPluginProvider( - String login, - String pwd, - SecurityPermissionSet perms, - boolean globalAuth, - TestSecurityData... clientData - ) { - super(login, pwd, perms, globalAuth, clientData); - } - - /** {@inheritDoc} */ - @Override protected GridSecurityProcessor securityProcessor(GridKernalContext ctx) { - return new SecurityProcessor( - ctx, - new TestSecurityData(login, pwd, perms, sandboxPerms), - Arrays.asList(clientData), - globalAuth - ); - } - } - - /** - * Security Processor implementaiton that does not pass user security permissions to the Security Context and - * expects all authorization checks to be delegated exclusively to {@link GridSecurityProcessor#authorize}. - */ - private static class SecurityProcessor extends TestSecurityProcessor { - /** */ - public SecurityProcessor( - GridKernalContext ctx, - TestSecurityData nodeSecData, - Collection predefinedAuthData, - boolean globalAuth - ) { - super(ctx, nodeSecData, predefinedAuthData, globalAuth); - } - - /** {@inheritDoc} */ - @Override public SecurityContext authenticateNode(ClusterNode node, SecurityCredentials cred) { - TestSecurityData data = USERS.get(cred.getLogin()); - - if (data == null || !Objects.equals(cred, data.credentials())) - return null; - - SecurityContext res = new TestSecurityContext( - new TestSecuritySubject() - .setType(REMOTE_NODE) - .setId(node.id()) - .setAddr(new InetSocketAddress(F.first(node.addresses()), 0)) - .setLogin(cred.getLogin()) - .sandboxPermissions(data.sandboxPermissions()) - ); - - SECURITY_CONTEXTS.put(res.subject().id(), res); - - return res; - } - - /** {@inheritDoc} */ - @Override public SecurityContext authenticate(AuthenticationContext ctx) { - TestSecurityData data = USERS.get(ctx.credentials().getLogin()); - - if (data == null || !Objects.equals(ctx.credentials(), data.credentials())) - return null; - - SecurityContext res = new TestSecurityContext( - new TestSecuritySubject() - .setType(ctx.subjectType()) - .setId(ctx.subjectId()) - .setAddr(ctx.address()) - .setLogin(ctx.credentials().getLogin()) - .setCerts(ctx.certificates()) - .sandboxPermissions(data.sandboxPermissions()) - ); - - SECURITY_CONTEXTS.put(res.subject().id(), res); - - return res; - } - - /** {@inheritDoc} */ - @Override public void authorize( - String name, - SecurityPermission perm, - SecurityContext securityCtx - ) throws SecurityException { - TestSecurityData userData = USERS.get(securityCtx.subject().login()); - - if (userData == null || !contains(userData.permissions(), name, perm)) { - throw new SecurityException("Authorization failed [perm=" + perm + - ", name=" + name + - ", subject=" + securityCtx.subject() + ']'); - } - } - - /** */ - public static boolean contains(SecurityPermissionSet userPerms, String name, SecurityPermission perm) { - boolean dfltAllowAll = userPerms.defaultAllowAll(); - - switch (perm) { - case CACHE_PUT: - case CACHE_READ: - case CACHE_REMOVE: - return contains(userPerms.cachePermissions(), dfltAllowAll, name, perm); - - case CACHE_CREATE: - case CACHE_DESTROY: - return (name != null && contains(userPerms.cachePermissions(), dfltAllowAll, name, perm)) - || containsSystemPermission(userPerms, perm); - - case TASK_CANCEL: - case TASK_EXECUTE: - return contains(userPerms.taskPermissions(), dfltAllowAll, name, perm); - - case SERVICE_DEPLOY: - case SERVICE_INVOKE: - case SERVICE_CANCEL: - return contains(userPerms.servicePermissions(), dfltAllowAll, name, perm); - - default: - return containsSystemPermission(userPerms, perm); - } - } - - /** */ - private static boolean contains( - Map> userPerms, - boolean dfltAllowAll, - String name, - SecurityPermission perm - ) { - Collection perms = userPerms.get(name); - - if (perms == null) - return dfltAllowAll; - - return perms.stream().anyMatch(perm::equals); - } - - /** */ - private static boolean containsSystemPermission( - SecurityPermissionSet userPerms, - SecurityPermission perm - ) { - Collection sysPerms = userPerms.systemPermissions(); - - if (F.isEmpty(sysPerms)) - return userPerms.defaultAllowAll(); - - return sysPerms.stream().anyMatch(perm::equals); - } - } - - /** */ - private static class TestSecurityContext implements SecurityContext, Serializable { - /** */ - private static final long serialVersionUID = 0L; - - /** */ - private final SecuritySubject subj; - - /** */ - public TestSecurityContext(SecuritySubject subj) { - this.subj = subj; - } - - /** {@inheritDoc} */ - @Override public SecuritySubject subject() { - return subj; - } - - /** {@inheritDoc} */ - @Override public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm) { - return false; - } - - /** {@inheritDoc} */ - @Override public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm) { - return false; - } - - /** {@inheritDoc} */ - @Override public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm) { - return false; - } - - /** {@inheritDoc} */ - @Override public boolean systemOperationAllowed(SecurityPermission perm) { - return false; - } - } } diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestCertificateSecurityProcessor.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestCertificateSecurityProcessor.java index d69d35bc8e506..87677605f7d74 100644 --- a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestCertificateSecurityProcessor.java +++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestCertificateSecurityProcessor.java @@ -29,7 +29,6 @@ import org.apache.ignite.IgniteCheckedException; import org.apache.ignite.cluster.ClusterNode; import org.apache.ignite.internal.GridKernalContext; -import org.apache.ignite.internal.IgniteNodeAttributes; import org.apache.ignite.internal.processors.GridProcessorAdapter; import org.apache.ignite.internal.processors.security.GridSecurityProcessor; import org.apache.ignite.internal.processors.security.SecurityContext; @@ -41,6 +40,8 @@ import org.apache.ignite.plugin.security.SecurityPermissionSet; import org.apache.ignite.plugin.security.SecuritySubject; +import static org.apache.ignite.internal.IgniteNodeAttributes.ATTR_SECURITY_CREDENTIALS; +import static org.apache.ignite.internal.processors.security.impl.TestSecurityProcessor.contains; import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS; import static org.apache.ignite.plugin.security.SecuritySubjectType.REMOTE_NODE; import static org.junit.Assert.assertEquals; @@ -78,8 +79,7 @@ public TestCertificateSecurityProcessor(GridKernalContext ctx, Collection perms = subject.permissions().systemPermissions(); - - if (F.isEmpty(perms)) - return subject.permissions().defaultAllowAll(); - - return perms.stream().anyMatch(p -> perm == p); - } - - /** - * @param perms Permissions. - * @param perm Permission. - */ - private boolean hasPermission(Collection perms, SecurityPermission perm) { - if (perms == null) - return subject.permissions().defaultAllowAll(); - - return perms.stream().anyMatch(p -> perm == p); - } /** {@inheritDoc} */ @Override public String toString() { diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java index 308e1d6c9cdb7..679a59d225815 100644 --- a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java +++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecurityProcessor.java @@ -40,6 +40,7 @@ import org.apache.ignite.plugin.security.SecurityCredentials; import org.apache.ignite.plugin.security.SecurityException; import org.apache.ignite.plugin.security.SecurityPermission; +import org.apache.ignite.plugin.security.SecurityPermissionSet; import org.apache.ignite.plugin.security.SecuritySubject; import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS; @@ -95,7 +96,6 @@ public TestSecurityProcessor(GridKernalContext ctx, TestSecurityData nodeSecData .setId(node.id()) .setAddr(new InetSocketAddress(F.first(node.addresses()), 0)) .setLogin(cred.getLogin()) - .setPerms(data.permissions()) .sandboxPermissions(data.sandboxPermissions()) ); @@ -127,7 +127,6 @@ public TestSecurityProcessor(GridKernalContext ctx, TestSecurityData nodeSecData .setId(ctx.subjectId()) .setAddr(ctx.address()) .setLogin(ctx.credentials().getLogin()) - .setPerms(data.permissions()) .setCerts(ctx.certificates()) .sandboxPermissions(data.sandboxPermissions()) ); @@ -153,12 +152,18 @@ public TestSecurityProcessor(GridKernalContext ctx, TestSecurityData nodeSecData } /** {@inheritDoc} */ - @Override public void authorize(String name, SecurityPermission perm, SecurityContext securityCtx) - throws SecurityException { - if (!((TestSecurityContext)securityCtx).operationAllowed(name, perm)) + @Override public void authorize( + String name, + SecurityPermission perm, + SecurityContext securityCtx + ) throws SecurityException { + TestSecurityData userData = USERS.get(securityCtx.subject().login()); + + if (userData == null || !contains(userData.permissions(), name, perm)) { throw new SecurityException("Authorization failed [perm=" + perm + ", name=" + name + ", subject=" + securityCtx.subject() + ']'); + } } /** {@inheritDoc} */ @@ -219,4 +224,61 @@ public TestSecurityProcessor(GridKernalContext ctx, TestSecurityData nodeSecData public static void registerExternalSystemTypes(Class... cls) { EXT_SYS_CLASSES.addAll(Arrays.asList(cls)); } + + /** */ + public static boolean contains(SecurityPermissionSet userPerms, String name, SecurityPermission perm) { + boolean dfltAllowAll = userPerms.defaultAllowAll(); + + switch (perm) { + case CACHE_PUT: + case CACHE_READ: + case CACHE_REMOVE: + return contains(userPerms.cachePermissions(), dfltAllowAll, name, perm); + + case CACHE_CREATE: + case CACHE_DESTROY: + return (name != null && contains(userPerms.cachePermissions(), dfltAllowAll, name, perm)) + || containsSystemPermission(userPerms, perm); + + case TASK_CANCEL: + case TASK_EXECUTE: + return contains(userPerms.taskPermissions(), dfltAllowAll, name, perm); + + case SERVICE_DEPLOY: + case SERVICE_INVOKE: + case SERVICE_CANCEL: + return contains(userPerms.servicePermissions(), dfltAllowAll, name, perm); + + default: + return containsSystemPermission(userPerms, perm); + } + } + + /** */ + private static boolean contains( + Map> userPerms, + boolean dfltAllowAll, + String name, + SecurityPermission perm + ) { + Collection perms = userPerms.get(name); + + if (perms == null) + return dfltAllowAll; + + return perms.stream().anyMatch(perm::equals); + } + + /** */ + private static boolean containsSystemPermission( + SecurityPermissionSet userPerms, + SecurityPermission perm + ) { + Collection sysPerms = userPerms.systemPermissions(); + + if (F.isEmpty(sysPerms)) + return userPerms.defaultAllowAll(); + + return sysPerms.stream().anyMatch(perm::equals); + } } diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecuritySubject.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecuritySubject.java index 2e27355f68761..c1c7dcc01037f 100644 --- a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecuritySubject.java +++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/impl/TestSecuritySubject.java @@ -21,7 +21,6 @@ import java.security.PermissionCollection; import java.security.cert.Certificate; import java.util.UUID; -import org.apache.ignite.plugin.security.SecurityPermissionSet; import org.apache.ignite.plugin.security.SecuritySubject; import org.apache.ignite.plugin.security.SecuritySubjectType; @@ -41,38 +40,12 @@ public class TestSecuritySubject implements SecuritySubject { /** Address. */ private InetSocketAddress addr; - /** Permissions. */ - private SecurityPermissionSet perms; - /** Permissions for Sandbox checks. */ private PermissionCollection sandboxPerms; /** Client certificates. */ private Certificate[] certs; - /** - * Default constructor. - */ - public TestSecuritySubject() { - // No-op. - } - - /** - * @param id Id. - * @param login Login. - * @param addr Address. - * @param perms Permissions. - */ - public TestSecuritySubject(UUID id, - Object login, - InetSocketAddress addr, - SecurityPermissionSet perms) { - this.id = id; - this.login = login; - this.addr = addr; - this.perms = perms; - } - /** {@inheritDoc} */ @Override public UUID id() { return id; @@ -129,20 +102,6 @@ public TestSecuritySubject setAddr(InetSocketAddress addr) { return this; } - /** {@inheritDoc} */ - @Override public SecurityPermissionSet permissions() { - return perms; - } - - /** - * @param perms Permissions. - */ - public TestSecuritySubject setPerms(SecurityPermissionSet perms) { - this.perms = perms; - - return this; - } - /** {@inheritDoc} */ @Override public PermissionCollection sandboxPermissions() { return sandboxPerms; @@ -160,16 +119,13 @@ public TestSecuritySubject sandboxPermissions(PermissionCollection perms) { return certs; } - /** - * @param perms Permissions. - */ + /** */ public TestSecuritySubject setCerts(Certificate[] certs) { this.certs = certs; return this; } - /** {@inheritDoc} */ @Override public String toString() { return "TestSecuritySubject{" + diff --git a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java index 41befe948d292..95eeeb81fb9f2 100644 --- a/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java +++ b/modules/core/src/test/java/org/apache/ignite/spi/discovery/tcp/TestReconnectProcessor.java @@ -33,7 +33,6 @@ import org.apache.ignite.plugin.security.SecurityCredentials; import org.apache.ignite.plugin.security.SecurityException; import org.apache.ignite.plugin.security.SecurityPermission; -import org.apache.ignite.plugin.security.SecurityPermissionSet; import org.apache.ignite.plugin.security.SecuritySubject; import org.apache.ignite.plugin.security.SecuritySubjectType; import org.jetbrains.annotations.Nullable; @@ -140,11 +139,6 @@ public TestSecuritySubject(UUID id) { @Override public InetSocketAddress address() { return null; } - - /** {@inheritDoc} */ - @Override public SecurityPermissionSet permissions() { - return null; - } } /** @@ -168,25 +162,5 @@ public TestSecurityContext(SecuritySubject subj) { @Override public SecuritySubject subject() { return subj; } - - /** {@inheritDoc} */ - @Override public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm) { - return true; - } - - /** {@inheritDoc} */ - @Override public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm) { - return true; - } - - /** {@inheritDoc} */ - @Override public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm) { - return true; - } - - /** {@inheritDoc} */ - @Override public boolean systemOperationAllowed(SecurityPermission perm) { - return true; - } } } diff --git a/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperDiscoveryMiscTest.java b/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperDiscoveryMiscTest.java index 57aae67fe445a..4083352348058 100644 --- a/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperDiscoveryMiscTest.java +++ b/modules/zookeeper/src/test/java/org/apache/ignite/spi/discovery/zk/internal/ZookeeperDiscoveryMiscTest.java @@ -42,7 +42,6 @@ import org.apache.ignite.lang.IgnitePredicate; import org.apache.ignite.marshaller.jdk.JdkMarshaller; import org.apache.ignite.plugin.security.SecurityCredentials; -import org.apache.ignite.plugin.security.SecurityPermission; import org.apache.ignite.plugin.security.SecuritySubject; import org.apache.ignite.spi.IgniteSpiException; import org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator; @@ -597,26 +596,6 @@ private static class TestSecurityContext implements SecurityContext, Serializabl @Override public SecuritySubject subject() { return null; } - - /** {@inheritDoc} */ - @Override public boolean taskOperationAllowed(String taskClsName, SecurityPermission perm) { - return true; - } - - /** {@inheritDoc} */ - @Override public boolean cacheOperationAllowed(String cacheName, SecurityPermission perm) { - return true; - } - - /** {@inheritDoc} */ - @Override public boolean serviceOperationAllowed(String srvcName, SecurityPermission perm) { - return true; - } - - /** {@inheritDoc} */ - @Override public boolean systemOperationAllowed(SecurityPermission perm) { - return true; - } } } }