authorRobert Godfrey <rgodfrey@apache.org = rgodfrey = Robert Godfrey rgodfrey@apache.org@apache.org>2014-04-13 23:41:53 +0000
committerRobert Godfrey <rgodfrey@apache.org = rgodfrey = Robert Godfrey rgodfrey@apache.org@apache.org>2014-04-13 23:41:53 +0000
commit981b8f5357355f842a523e4b50a1d5c711095a68 (patch)
tree8b3f05d036802077af1ae280c3c357b39dc3a4f0 /qpid/java/broker-plugins/access-control
parent529183e95ce802787694ec7b5b72a50f2c895821 (diff)
QPID-5690 : [Java Broker] Improve mechanisms for validating and reacting to changes in configured object attribute values
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1587123 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-plugins/access-control')
-rw-r--r--qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProvider.java221
-rw-r--r--qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactory.java12
-rw-r--r--qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java241
3 files changed, 252 insertions, 222 deletions
diff --git a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProvider.java b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProvider.java
index 55de9fc902..961eb25236 100644
--- a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProvider.java
+++ b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProvider.java
@@ -20,224 +20,13 @@
*/
package org.apache.qpid.server.security.access.plugins;
-import java.security.AccessControlException;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Map;
-import java.util.concurrent.atomic.AtomicReference;
-
-import org.apache.log4j.Logger;
-import org.apache.qpid.server.model.*;
-import org.apache.qpid.server.model.AbstractConfiguredObject;
-import org.apache.qpid.server.plugin.AccessControlProviderFactory;
-import org.apache.qpid.server.security.AccessControl;
-import org.apache.qpid.server.security.access.Operation;
-import org.apache.qpid.server.util.MapValueConverter;
+import org.apache.qpid.server.model.AccessControlProvider;
+import org.apache.qpid.server.model.ManagedAttribute;
+import org.apache.qpid.server.model.ManagedObject;
@ManagedObject( category = false, type="AclFile" )
-public class ACLFileAccessControlProvider
- extends AbstractConfiguredObject<ACLFileAccessControlProvider>
- implements AccessControlProvider<ACLFileAccessControlProvider>
+public interface ACLFileAccessControlProvider<X extends ACLFileAccessControlProvider<X>> extends AccessControlProvider<X>
{
- private static final Logger LOGGER = Logger.getLogger(ACLFileAccessControlProvider.class);
-
- protected DefaultAccessControl _accessControl;
- protected final Broker _broker;
-
- protected Map<String, AccessControlProviderFactory> _factories;
- private AtomicReference<State> _state;
-
- @ManagedAttributeField
- private String _path;
-
- public ACLFileAccessControlProvider(Broker broker,
- Map<String, Object> attributes)
- {
- super(parentsMap(broker),
- attributes, broker.getTaskExecutor());
-
-
- _broker = broker;
-
- State state = MapValueConverter.getEnumAttribute(State.class, STATE, attributes, State.INITIALISING);
- _state = new AtomicReference<State>(state);
-
- }
-
- @Override
- protected void onOpen()
- {
- super.onOpen();
- _accessControl = new DefaultAccessControl(getPath(), _broker);
- }
-
@ManagedAttribute( automate = true, mandatory = true )
- public String getPath()
- {
- return _path;
- }
-
- @Override
- public String setName(String currentName, String desiredName) throws IllegalStateException, AccessControlException
- {
- return null;
- }
-
- @Override
- public State getState()
- {
- return _state.get();
- }
-
- @Override
- public boolean isDurable()
- {
- return true;
- }
-
- @Override
- public void setDurable(boolean durable)
- throws IllegalStateException, AccessControlException, IllegalArgumentException
- {
- }
-
- @Override
- public LifetimePolicy getLifetimePolicy()
- {
- return LifetimePolicy.PERMANENT;
- }
-
- @Override
- public LifetimePolicy setLifetimePolicy(LifetimePolicy expected, LifetimePolicy desired)
- throws IllegalStateException, AccessControlException, IllegalArgumentException
- {
- return null;
- }
-
- @Override
- public Collection<String> getAttributeNames()
- {
- return getAttributeNames(getClass());
- }
-
- @Override
- public Object getAttribute(String name)
- {
- if(DURABLE.equals(name))
- {
- return true;
- }
- else if(LIFETIME_POLICY.equals(name))
- {
- return LifetimePolicy.PERMANENT;
- }
- else if(STATE.equals(name))
- {
- return getState();
- }
- return super.getAttribute(name);
- }
-
- @Override
- public <C extends ConfiguredObject> Collection<C> getChildren(Class<C> clazz)
- {
- return Collections.emptySet();
- }
-
- @Override
- public boolean setState(State currentState, State desiredState)
- throws IllegalStateTransitionException, AccessControlException
- {
- State state = _state.get();
-
- if(desiredState == State.DELETED)
- {
- deleted();
- return _state.compareAndSet(state, State.DELETED);
- }
- else if (desiredState == State.QUIESCED)
- {
- return _state.compareAndSet(state, State.QUIESCED);
- }
- else if(desiredState == State.ACTIVE)
- {
- if ((state == State.INITIALISING || state == State.QUIESCED) && _state.compareAndSet(state, State.ACTIVE))
- {
- try
- {
- _accessControl.open();
- return true;
- }
- catch(RuntimeException e)
- {
- _state.compareAndSet(State.ACTIVE, State.ERRORED);
- if (_broker.isManagementMode())
- {
- LOGGER.warn("Failed to activate ACL provider: " + getName(), e);
- }
- else
- {
- throw e;
- }
- }
- }
- else
- {
- throw new IllegalStateException("Can't activate access control provider in " + state + " state");
- }
- }
- else if(desiredState == State.STOPPED)
- {
- if(_state.compareAndSet(state, State.STOPPED))
- {
- _accessControl.close();
- return true;
- }
-
- return false;
- }
- return false;
- }
-
-
- @Override
- protected void changeAttributes(Map<String, Object> attributes)
- {
- throw new UnsupportedOperationException("Changing attributes on AccessControlProvider is not supported");
- }
-
- @Override
- protected void authoriseSetDesiredState(State currentState, State desiredState) throws AccessControlException
- {
- if(desiredState == State.DELETED)
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AccessControlProvider.class, Operation.DELETE))
- {
- throw new AccessControlException("Deletion of AccessControlProvider is denied");
- }
- }
- }
-
- @Override
- protected void authoriseSetAttribute(String name, Object expected, Object desired) throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AccessControlProvider.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting of AccessControlProvider attributes is denied");
- }
- }
-
- @Override
- protected void authoriseSetAttributes(Map<String, Object> attributes) throws AccessControlException
- {
- if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AccessControlProvider.class, Operation.UPDATE))
- {
- throw new AccessControlException("Setting of AccessControlProvider attributes is denied");
- }
- }
-
- public AccessControl getAccessControl()
- {
- return _accessControl;
- }
+ String getPath();
}
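Review bot: `@ManagedObject( category = false, type="AclFile" )` and `@ManagedAttribute( automate = true, mandatory = true )` now sit on the interface, while the factory in this commit registers `ACLFileAccessControlProviderImpl.class`. Java does not propagate annotations from an implemented interface to the implementing class or its methods, so plain `getAnnotation` calls on the Impl class would not see them. The model code that reads these annotations is not part of this diff, so it should be confirmed that it walks the implemented interfaces; otherwise the mandatory check on the ACL file path may not be applied. A short Javadoc on the interface would also help, for example `/** Location of the ACL file this provider loads its rules from. */` on `getPath()`.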
diff --git a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactory.java b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactory.java
index e9de449804..f20d468a14 100644
--- a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactory.java
+++ b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactory.java
@@ -20,21 +20,21 @@
*/
package org.apache.qpid.server.security.access.plugins;
+import java.util.Map;
+
import org.apache.qpid.server.model.AbstractConfiguredObjectTypeFactory;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.plugin.AccessControlProviderFactory;
import org.apache.qpid.server.util.ResourceBundleLoader;
-import java.util.Map;
-
-public class ACLFileAccessControlProviderFactory extends AbstractConfiguredObjectTypeFactory<ACLFileAccessControlProvider> implements AccessControlProviderFactory<ACLFileAccessControlProvider>
+public class ACLFileAccessControlProviderFactory extends AbstractConfiguredObjectTypeFactory<ACLFileAccessControlProviderImpl> implements AccessControlProviderFactory<ACLFileAccessControlProviderImpl>
{
public static final String RESOURCE_BUNDLE = "org.apache.qpid.server.security.access.plugins.FileAccessControlProviderAttributeDescriptions";
public ACLFileAccessControlProviderFactory()
{
- super(ACLFileAccessControlProvider.class);
+ super(ACLFileAccessControlProviderImpl.class);
}
@Override
@@ -44,10 +44,10 @@ public class ACLFileAccessControlProviderFactory extends AbstractConfiguredObjec
}
@Override
- public ACLFileAccessControlProvider createInstance(final Map<String, Object> attributes,
+ public ACLFileAccessControlProviderImpl createInstance(final Map<String, Object> attributes,
final ConfiguredObject<?>... parents)
{
- return new ACLFileAccessControlProvider(getParent(Broker.class,parents), attributes);
+ return new ACLFileAccessControlProviderImpl(getParent(Broker.class,parents), attributes);
}
}
diff --git a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java
new file mode 100644
index 0000000000..db2b44c5e6
--- /dev/null
+++ b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java
@@ -0,0 +1,241 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.plugins;
+
+import java.security.AccessControlException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.atomic.AtomicReference;
+
+import org.apache.log4j.Logger;
+
+import org.apache.qpid.server.model.AbstractConfiguredObject;
+import org.apache.qpid.server.model.AccessControlProvider;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.IllegalStateTransitionException;
+import org.apache.qpid.server.model.LifetimePolicy;
+import org.apache.qpid.server.model.ManagedAttributeField;
+import org.apache.qpid.server.model.State;
+import org.apache.qpid.server.plugin.AccessControlProviderFactory;
+import org.apache.qpid.server.security.AccessControl;
+import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.util.MapValueConverter;
+
+public class ACLFileAccessControlProviderImpl
+ extends AbstractConfiguredObject<ACLFileAccessControlProviderImpl>
+ implements ACLFileAccessControlProvider<ACLFileAccessControlProviderImpl>
+{
+ private static final Logger LOGGER = Logger.getLogger(ACLFileAccessControlProviderImpl.class);
+
+ protected DefaultAccessControl _accessControl;
+ protected final Broker _broker;
+
+ protected Map<String, AccessControlProviderFactory> _factories;
+ private AtomicReference<State> _state;
+
+ @ManagedAttributeField
+ private String _path;
+
+ public ACLFileAccessControlProviderImpl(Broker broker,
+ Map<String, Object> attributes)
+ {
+ super(parentsMap(broker),
+ attributes, broker.getTaskExecutor());
+
+
+ _broker = broker;
+
+ State state = MapValueConverter.getEnumAttribute(State.class, STATE, attributes, State.INITIALISING);
+ _state = new AtomicReference<State>(state);
+
+ }
+
+ @Override
+ protected void onOpen()
+ {
+ super.onOpen();
+ _accessControl = new DefaultAccessControl(getPath(), _broker);
+ }
+
+ @Override
+ public String getPath()
+ {
+ return _path;
+ }
+
+ @Override
+ public String setName(String currentName, String desiredName) throws IllegalStateException, AccessControlException
+ {
+ return null;
+ }
+
+ @Override
+ public State getState()
+ {
+ return _state.get();
+ }
+
+ @Override
+ public boolean isDurable()
+ {
+ return true;
+ }
+
+ @Override
+ public void setDurable(boolean durable)
+ throws IllegalStateException, AccessControlException, IllegalArgumentException
+ {
+ }
+
+ @Override
+ public LifetimePolicy getLifetimePolicy()
+ {
+ return LifetimePolicy.PERMANENT;
+ }
+
+ @Override
+ public LifetimePolicy setLifetimePolicy(LifetimePolicy expected, LifetimePolicy desired)
+ throws IllegalStateException, AccessControlException, IllegalArgumentException
+ {
+ return null;
+ }
+
+ @Override
+ public Collection<String> getAttributeNames()
+ {
+ return getAttributeNames(getClass());
+ }
+
+ @Override
+ public Object getAttribute(String name)
+ {
+ if(DURABLE.equals(name))
+ {
+ return true;
+ }
+ else if(LIFETIME_POLICY.equals(name))
+ {
+ return LifetimePolicy.PERMANENT;
+ }
+ else if(STATE.equals(name))
+ {
+ return getState();
+ }
+ return super.getAttribute(name);
+ }
+
+ @Override
+ public <C extends ConfiguredObject> Collection<C> getChildren(Class<C> clazz)
+ {
+ return Collections.emptySet();
+ }
+
+ @Override
+ public boolean setState(State currentState, State desiredState)
+ throws IllegalStateTransitionException, AccessControlException
+ {
+ State state = _state.get();
+
+ if(desiredState == State.DELETED)
+ {
+ deleted();
+ return _state.compareAndSet(state, State.DELETED);
+ }
+ else if (desiredState == State.QUIESCED)
+ {
+ return _state.compareAndSet(state, State.QUIESCED);
+ }
+ else if(desiredState == State.ACTIVE)
+ {
+ if ((state == State.INITIALISING || state == State.QUIESCED) && _state.compareAndSet(state, State.ACTIVE))
+ {
+ try
+ {
+ _accessControl.open();
+ return true;
+ }
+ catch(RuntimeException e)
+ {
+ _state.compareAndSet(State.ACTIVE, State.ERRORED);
+ if (_broker.isManagementMode())
+ {
+ LOGGER.warn("Failed to activate ACL provider: " + getName(), e);
+ }
+ else
+ {
+ throw e;
+ }
+ }
+ }
+ else
+ {
+ throw new IllegalStateException("Can't activate access control provider in " + state + " state");
+ }
+ }
+ else if(desiredState == State.STOPPED)
+ {
+ if(_state.compareAndSet(state, State.STOPPED))
+ {
+ _accessControl.close();
+ return true;
+ }
+
+ return false;
+ }
+ return false;
+ }
+
+
+ @Override
+ protected void changeAttributes(Map<String, Object> attributes)
+ {
+ throw new UnsupportedOperationException("Changing attributes on AccessControlProvider is not supported");
+ }
+
+ @Override
+ protected void authoriseSetDesiredState(State currentState, State desiredState) throws AccessControlException
+ {
+ if(desiredState == State.DELETED)
+ {
+ if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AccessControlProvider.class, Operation.DELETE))
+ {
+ throw new AccessControlException("Deletion of AccessControlProvider is denied");
+ }
+ }
+ }
+
+ @Override
+ protected void authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes) throws AccessControlException
+ {
+ if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AccessControlProvider.class, Operation.UPDATE))
+ {
+ throw new AccessControlException("Setting of AccessControlProvider attributes is denied");
+ }
+ }
+
+ public AccessControl getAccessControl()
+ {
+ return _accessControl;
+ }
+}
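Review bot: The old class overrode both `authoriseSetAttribute(String, Object, Object)` and `authoriseSetAttributes(Map)`, but this class keeps only `authoriseSetAttributes(ConfiguredObject<?> modified, Set<String> attributes)`, so the `Operation.UPDATE` check now depends on that single hook. `AbstractConfiguredObject` is not shown in this diff, so it should be confirmed that every attribute-change path there reaches the new hook; any path that does not would skip `authoriseConfiguringBroker(...)`. Separately, `authoriseSetDesiredState` only gates `State.DELETED`, while `setState` calls `_accessControl.close()` on `State.STOPPED` with no authorisation check visible in this class. If that transition is authorised elsewhere, a comment such as `// only DELETED is checked here; other transitions are authorised by the caller (confirm)` would make the intent clear. Otherwise an explicit check belongs in `authoriseSetDesiredState`.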