Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ARTEMIS-1717 create/delete address permissions ignored in broker.xml

This commit is contained in:
Justin Bertram 2018-03-01 11:25:56 -06:00
parent 25bb816652
commit 2123f85ea9
10 changed files with 58 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/security/Role.java
View File

@ -79,6 +79,7 @@ public class Role implements Serializable {
this(name, send, consume, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, manage, consume);
}
@Deprecated
public Role(final String name,
final boolean send,
final boolean consume,
@ -156,6 +157,14 @@ public class Role implements Serializable {
return deleteNonDurableQueue;
}
public boolean isManage() {
return manage;
}
public boolean isBrowse() {
return browse;
}
@Override
public String toString() {
StringBuffer stringReturn = new StringBuffer("Role {name=" + name + "; allows=[");
@ -260,12 +269,4 @@ public class Role implements Serializable {
result = 31 * result + (browse ? 1 : 0);
return result;
}
public boolean isManage() {
return manage;
}
public boolean isBrowse() {
return browse;
}
}

2
artemis-server/src/main/java/org/apache/activemq/artemis/core/deployers/impl/FileConfigurationParser.java
View File

@ -871,7 +871,7 @@ public final class FileConfigurationParser extends XMLConfigurationUtil {
}
for (String role : allRoles) {
securityRoles.add(new Role(role, send.contains(role), consume.contains(role), createDurableQueue.contains(role), deleteDurableQueue.contains(role), createNonDurableQueue.contains(role), deleteNonDurableQueue.contains(role), manageRoles.contains(role), browseRoles.contains(role)));
securityRoles.add(new Role(role, send.contains(role), consume.contains(role), createDurableQueue.contains(role), deleteDurableQueue.contains(role), createNonDurableQueue.contains(role), deleteNonDurableQueue.contains(role), manageRoles.contains(role), browseRoles.contains(role), createAddressRoles.contains(role), deleteAddressRoles.contains(role)));
}
return securityMatch;

14
artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java
View File

@ -366,8 +366,18 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
Rdn rdn = ldapname.getRdn(ldapname.size() - 1);
String roleName = rdn.getValue().toString();
logger.debug("\tRole name: " + roleName);
Role role = new Role(roleName, permissionType.equalsIgnoreCase(writePermissionValue), permissionType.equalsIgnoreCase(readPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), false, // there is no permission from ActiveMQ 5.x that corresponds to the "manage" permission in ActiveMQ Artemis
permissionType.equalsIgnoreCase(readPermissionValue)); // the "browse" permission matches "read" from ActiveMQ 5.x
Role role = new Role(roleName,
permissionType.equalsIgnoreCase(writePermissionValue), // send
permissionType.equalsIgnoreCase(readPermissionValue), // consume
permissionType.equalsIgnoreCase(adminPermissionValue), // createDurableQueue
permissionType.equalsIgnoreCase(adminPermissionValue), // deleteDurableQueue
permissionType.equalsIgnoreCase(adminPermissionValue), // createNonDurableQueue
permissionType.equalsIgnoreCase(adminPermissionValue), // deleteNonDurableQueue
false, // manage - there is no permission from ActiveMQ 5.x that corresponds to this
permissionType.equalsIgnoreCase(readPermissionValue), // browse
permissionType.equalsIgnoreCase(adminPermissionValue), // createAddress
permissionType.equalsIgnoreCase(adminPermissionValue) // deleteAddress
);
roles.add(role);
}

27
artemis-server/src/test/java/org/apache/activemq/artemis/core/config/impl/FileConfigurationTest.java
View File

@ -508,63 +508,62 @@ public class FileConfigurationTest extends ConfigurationImplTest {
Map<String, Set<Role>> securityRoles = fc.getSecurityRoles();
Set<Role> roles = securityRoles.get("#");
//N.B. - FileConfigurationParser uses the constructor without createAddress and deleteAddress
//cn=mygroup,dc=local,dc=com = amq1
Role testRole1 = new Role("cn=mygroup,dc=local,dc=com",false, false, false,
false, true, false, false,
false);
false, false, false);
//myrole1 = amq1 + amq2
Role testRole2 = new Role("myrole1",false, false, false,
false, true, true, false,
false);
false, false, false);
//myrole3 = amq3 + amq4
Role testRole3 = new Role("myrole3",false, false, true,
true, false, false, false,
false);
false, false, false);
//myrole4 = amq5 + amq!@#$%^&*() + amq6
Role testRole4 = new Role("myrole4",true, true, false,
false, false, false, false,
true);
true, true, true);
//myrole5 = amq4 = amq3 + amq4
Role testRole5 = new Role("myrole5",false, false, true,
true, false, false, false,
false);
false, false, false);
Role testRole6 = new Role("amq1",false, false, false,
false, true, false, false,
false);
false, false, false);
Role testRole7 = new Role("amq2",false, false, false,
false, false, true, false,
false);
false, false, false);
Role testRole8 = new Role("amq3",false, false, true,
false, false, false, false,
false);
false, false, false);
Role testRole9 = new Role("amq4",false, false, true,
true, false, false, false,
false);
false, false, false);
Role testRole10 = new Role("amq5",false, false, false,
false, false, false, false,
false);
false, true, true);
Role testRole11 = new Role("amq6",false, true, false,
false, false, false, false,
true);
true, false, false);
Role testRole12 = new Role("amq7",false, false, false,
false, false, false, true,
false);
false, false, false);
Role testRole13 = new Role("amq!@#$%^&*()",true, false, false,
false, false, false, false,
false);
false, false, false);
assertEquals(13, roles.size());
assertTrue(roles.contains(testRole1));

15
docs/user-manual/en/security.md
View File

@ -35,6 +35,12 @@ wildcard match can be used using the wildcard characters '`#`' and
Eight different permissions can be given to the set of queues which
match the address. Those permissions are:
- `createAddress`. This permission allows the user to create an
address fitting the `match`.
- `deleteAddress`. This permission allows the user to delete an
address fitting the `match`.
- `createDurableQueue`. This permission allows the user to create a
durable queue under matching addresses.
@ -225,13 +231,14 @@ The name of the queue or topic defined in LDAP will serve as the "match" for the
will be mapped from the ActiveMQ 5.x type to the Artemis type, and the role will be mapped as-is.
ActiveMQ 5.x only has 3 permission types - `read`, `write`, and `admin`. These permission types are described on their
[website](http://activemq.apache.org/security.html). However, as described previously, ActiveMQ Artemis has 7 permission
types - `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`, `send`, `consume`,
`browse`, and `manage`. Here's how the old types are mapped to the new types:
[website](http://activemq.apache.org/security.html). However, as described previously, ActiveMQ Artemis has 9 permission
types - `createAddress`, `deleteAddress`, `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`,
`deleteNonDurableQueue`, `send`, `consume`, `browse`, and `manage`. Here's how the old types are mapped to the new types:
- `read` - `consume`, `browse`
- `write` - `send`
- `admin` - `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`
- `admin` - `createAddress`, `deleteAddress`, `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`,
`deleteNonDurableQueue`
As mentioned, there are a few places where a translation was performed to achieve some equivalence.:

8
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpClientTestSupport.java
View File

@ -256,10 +256,10 @@ public class AmqpClientTestSupport extends AmqpTestSupport {
// Configure roles
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
HashSet<Role> value = new HashSet<>();
value.add(new Role("nothing", false, false, false, false, false, false, false, false));
value.add(new Role("browser", false, false, false, false, false, false, false, true));
value.add(new Role("guest", false, true, false, false, false, false, false, true));
value.add(new Role("full", true, true, true, true, true, true, true, true));
value.add(new Role("nothing", false, false, false, false, false, false, false, false, false, false));
value.add(new Role("browser", false, false, false, false, false, false, false, true, false, false));
value.add(new Role("guest", false, true, false, false, false, false, false, true, false, false));
value.add(new Role("full", true, true, true, true, true, true, true, true, true, true));
securityRepository.addMatch(getQueueName(), value);
server.getConfiguration().setSecurityEnabled(true);

2
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/jms/SimpleJNDIClientTest.java
View File

@ -486,7 +486,7 @@ public class SimpleJNDIClientTest extends ActiveMQTestBase {
//setup user and role on broker
((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addUser("myUser", "myPassword");
((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addRole("myUser", "consumeCreateRole");
Role consumeCreateRole = new Role("consumeCreateRole", false, true, true, true, true, true, true, true);
Role consumeCreateRole = new Role("consumeCreateRole", false, true, true, true, true, true, true, true, true, true);
Set<Role> consumerCreateRoles = new HashSet<>();
consumerCreateRoles.add(consumeCreateRole);
liveService.getSecurityRepository().addMatch("test.queue", consumerCreateRoles);

8
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTTestSupport.java
View File

@ -181,10 +181,10 @@ public class MQTTTestSupport extends ActiveMQTestBase {
// Configure roles
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
HashSet<Role> value = new HashSet<>();
value.add(new Role("nothing", false, false, false, false, false, false, false, false));
value.add(new Role("browser", false, false, false, false, false, false, false, true));
value.add(new Role("guest", false, true, false, false, false, false, false, true));
value.add(new Role("full", true, true, true, true, true, true, true, true));
value.add(new Role("nothing", false, false, false, false, false, false, false, false, false, false));
value.add(new Role("browser", false, false, false, false, false, false, false, true, false, false));
value.add(new Role("guest", false, true, false, false, false, false, false, true, false, false));
value.add(new Role("full", true, true, true, true, true, true, true, true, true, true));
securityRepository.addMatch(getQueueName(), value);
server.getConfiguration().setSecurityEnabled(true);

2
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ra/OutgoingConnectionNoJTATest.java
View File

@ -71,7 +71,7 @@ public class OutgoingConnectionNoJTATest extends ActiveMQRATestBase {
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().setDefaultUser("guest");
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("testuser", "arole");
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("guest", "arole");
Role role = new Role("arole", true, true, true, true, true, true, true, true);
Role role = new Role("arole", true, true, true, true, true, true, true, true, true, true);
Set<Role> roles = new HashSet<>();
roles.add(role);
server.getSecurityRepository().addMatch(MDBQUEUEPREFIXED, roles);

2
tests/jms-tests/src/test/resources/broker.xml
View File

@ -44,6 +44,8 @@
<security-settings>
<security-setting match="#">
<permission type="createAddress" roles="guest,def"/>
<permission type="deleteAddress" roles="guest,def"/>
<permission type="createDurableQueue" roles="guest,def"/>
<permission type="deleteDurableQueue" roles="guest,def"/>
<permission type="createNonDurableQueue" roles="guest,def"/>