ARTEMIS-1717 create/delete address permissions ignored in broker.xml

This commit is contained in:
Justin Bertram 2018-03-01 11:25:56 -06:00
parent 25bb816652
commit 2123f85ea9
10 changed files with 58 additions and 39 deletions

View File

@ -79,6 +79,7 @@ public class Role implements Serializable {
this(name, send, consume, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, manage, consume); this(name, send, consume, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, manage, consume);
} }
@Deprecated
public Role(final String name, public Role(final String name,
final boolean send, final boolean send,
final boolean consume, final boolean consume,
@ -156,6 +157,14 @@ public class Role implements Serializable {
return deleteNonDurableQueue; return deleteNonDurableQueue;
} }
public boolean isManage() {
return manage;
}
public boolean isBrowse() {
return browse;
}
@Override @Override
public String toString() { public String toString() {
StringBuffer stringReturn = new StringBuffer("Role {name=" + name + "; allows=["); StringBuffer stringReturn = new StringBuffer("Role {name=" + name + "; allows=[");
@ -260,12 +269,4 @@ public class Role implements Serializable {
result = 31 * result + (browse ? 1 : 0); result = 31 * result + (browse ? 1 : 0);
return result; return result;
} }
public boolean isManage() {
return manage;
}
public boolean isBrowse() {
return browse;
}
} }

View File

@ -871,7 +871,7 @@ public final class FileConfigurationParser extends XMLConfigurationUtil {
} }
for (String role : allRoles) { for (String role : allRoles) {
securityRoles.add(new Role(role, send.contains(role), consume.contains(role), createDurableQueue.contains(role), deleteDurableQueue.contains(role), createNonDurableQueue.contains(role), deleteNonDurableQueue.contains(role), manageRoles.contains(role), browseRoles.contains(role))); securityRoles.add(new Role(role, send.contains(role), consume.contains(role), createDurableQueue.contains(role), deleteDurableQueue.contains(role), createNonDurableQueue.contains(role), deleteNonDurableQueue.contains(role), manageRoles.contains(role), browseRoles.contains(role), createAddressRoles.contains(role), deleteAddressRoles.contains(role)));
} }
return securityMatch; return securityMatch;

View File

@ -366,8 +366,18 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
Rdn rdn = ldapname.getRdn(ldapname.size() - 1); Rdn rdn = ldapname.getRdn(ldapname.size() - 1);
String roleName = rdn.getValue().toString(); String roleName = rdn.getValue().toString();
logger.debug("\tRole name: " + roleName); logger.debug("\tRole name: " + roleName);
Role role = new Role(roleName, permissionType.equalsIgnoreCase(writePermissionValue), permissionType.equalsIgnoreCase(readPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), false, // there is no permission from ActiveMQ 5.x that corresponds to the "manage" permission in ActiveMQ Artemis Role role = new Role(roleName,
permissionType.equalsIgnoreCase(readPermissionValue)); // the "browse" permission matches "read" from ActiveMQ 5.x permissionType.equalsIgnoreCase(writePermissionValue), // send
permissionType.equalsIgnoreCase(readPermissionValue), // consume
permissionType.equalsIgnoreCase(adminPermissionValue), // createDurableQueue
permissionType.equalsIgnoreCase(adminPermissionValue), // deleteDurableQueue
permissionType.equalsIgnoreCase(adminPermissionValue), // createNonDurableQueue
permissionType.equalsIgnoreCase(adminPermissionValue), // deleteNonDurableQueue
false, // manage - there is no permission from ActiveMQ 5.x that corresponds to this
permissionType.equalsIgnoreCase(readPermissionValue), // browse
permissionType.equalsIgnoreCase(adminPermissionValue), // createAddress
permissionType.equalsIgnoreCase(adminPermissionValue) // deleteAddress
);
roles.add(role); roles.add(role);
} }

View File

@ -508,63 +508,62 @@ public class FileConfigurationTest extends ConfigurationImplTest {
Map<String, Set<Role>> securityRoles = fc.getSecurityRoles(); Map<String, Set<Role>> securityRoles = fc.getSecurityRoles();
Set<Role> roles = securityRoles.get("#"); Set<Role> roles = securityRoles.get("#");
//N.B. - FileConfigurationParser uses the constructor without createAddress and deleteAddress
//cn=mygroup,dc=local,dc=com = amq1 //cn=mygroup,dc=local,dc=com = amq1
Role testRole1 = new Role("cn=mygroup,dc=local,dc=com",false, false, false, Role testRole1 = new Role("cn=mygroup,dc=local,dc=com",false, false, false,
false, true, false, false, false, true, false, false,
false); false, false, false);
//myrole1 = amq1 + amq2 //myrole1 = amq1 + amq2
Role testRole2 = new Role("myrole1",false, false, false, Role testRole2 = new Role("myrole1",false, false, false,
false, true, true, false, false, true, true, false,
false); false, false, false);
//myrole3 = amq3 + amq4 //myrole3 = amq3 + amq4
Role testRole3 = new Role("myrole3",false, false, true, Role testRole3 = new Role("myrole3",false, false, true,
true, false, false, false, true, false, false, false,
false); false, false, false);
//myrole4 = amq5 + amq!@#$%^&*() + amq6 //myrole4 = amq5 + amq!@#$%^&*() + amq6
Role testRole4 = new Role("myrole4",true, true, false, Role testRole4 = new Role("myrole4",true, true, false,
false, false, false, false, false, false, false, false,
true); true, true, true);
//myrole5 = amq4 = amq3 + amq4 //myrole5 = amq4 = amq3 + amq4
Role testRole5 = new Role("myrole5",false, false, true, Role testRole5 = new Role("myrole5",false, false, true,
true, false, false, false, true, false, false, false,
false); false, false, false);
Role testRole6 = new Role("amq1",false, false, false, Role testRole6 = new Role("amq1",false, false, false,
false, true, false, false, false, true, false, false,
false); false, false, false);
Role testRole7 = new Role("amq2",false, false, false, Role testRole7 = new Role("amq2",false, false, false,
false, false, true, false, false, false, true, false,
false); false, false, false);
Role testRole8 = new Role("amq3",false, false, true, Role testRole8 = new Role("amq3",false, false, true,
false, false, false, false, false, false, false, false,
false); false, false, false);
Role testRole9 = new Role("amq4",false, false, true, Role testRole9 = new Role("amq4",false, false, true,
true, false, false, false, true, false, false, false,
false); false, false, false);
Role testRole10 = new Role("amq5",false, false, false, Role testRole10 = new Role("amq5",false, false, false,
false, false, false, false, false, false, false, false,
false); false, true, true);
Role testRole11 = new Role("amq6",false, true, false, Role testRole11 = new Role("amq6",false, true, false,
false, false, false, false, false, false, false, false,
true); true, false, false);
Role testRole12 = new Role("amq7",false, false, false, Role testRole12 = new Role("amq7",false, false, false,
false, false, false, true, false, false, false, true,
false); false, false, false);
Role testRole13 = new Role("amq!@#$%^&*()",true, false, false, Role testRole13 = new Role("amq!@#$%^&*()",true, false, false,
false, false, false, false, false, false, false, false,
false); false, false, false);
assertEquals(13, roles.size()); assertEquals(13, roles.size());
assertTrue(roles.contains(testRole1)); assertTrue(roles.contains(testRole1));

View File

@ -35,6 +35,12 @@ wildcard match can be used using the wildcard characters '`#`' and
Eight different permissions can be given to the set of queues which Eight different permissions can be given to the set of queues which
match the address. Those permissions are: match the address. Those permissions are:
- `createAddress`. This permission allows the user to create an
address fitting the `match`.
- `deleteAddress`. This permission allows the user to delete an
address fitting the `match`.
- `createDurableQueue`. This permission allows the user to create a - `createDurableQueue`. This permission allows the user to create a
durable queue under matching addresses. durable queue under matching addresses.
@ -225,13 +231,14 @@ The name of the queue or topic defined in LDAP will serve as the "match" for the
will be mapped from the ActiveMQ 5.x type to the Artemis type, and the role will be mapped as-is. will be mapped from the ActiveMQ 5.x type to the Artemis type, and the role will be mapped as-is.
ActiveMQ 5.x only has 3 permission types - `read`, `write`, and `admin`. These permission types are described on their ActiveMQ 5.x only has 3 permission types - `read`, `write`, and `admin`. These permission types are described on their
[website](http://activemq.apache.org/security.html). However, as described previously, ActiveMQ Artemis has 7 permission [website](http://activemq.apache.org/security.html). However, as described previously, ActiveMQ Artemis has 9 permission
types - `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`, `send`, `consume`, types - `createAddress`, `deleteAddress`, `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`,
`browse`, and `manage`. Here's how the old types are mapped to the new types: `deleteNonDurableQueue`, `send`, `consume`, `browse`, and `manage`. Here's how the old types are mapped to the new types:
- `read` - `consume`, `browse` - `read` - `consume`, `browse`
- `write` - `send` - `write` - `send`
- `admin` - `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue` - `admin` - `createAddress`, `deleteAddress`, `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`,
`deleteNonDurableQueue`
As mentioned, there are a few places where a translation was performed to achieve some equivalence.: As mentioned, there are a few places where a translation was performed to achieve some equivalence.:

View File

@ -256,10 +256,10 @@ public class AmqpClientTestSupport extends AmqpTestSupport {
// Configure roles // Configure roles
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository(); HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
HashSet<Role> value = new HashSet<>(); HashSet<Role> value = new HashSet<>();
value.add(new Role("nothing", false, false, false, false, false, false, false, false)); value.add(new Role("nothing", false, false, false, false, false, false, false, false, false, false));
value.add(new Role("browser", false, false, false, false, false, false, false, true)); value.add(new Role("browser", false, false, false, false, false, false, false, true, false, false));
value.add(new Role("guest", false, true, false, false, false, false, false, true)); value.add(new Role("guest", false, true, false, false, false, false, false, true, false, false));
value.add(new Role("full", true, true, true, true, true, true, true, true)); value.add(new Role("full", true, true, true, true, true, true, true, true, true, true));
securityRepository.addMatch(getQueueName(), value); securityRepository.addMatch(getQueueName(), value);
server.getConfiguration().setSecurityEnabled(true); server.getConfiguration().setSecurityEnabled(true);

View File

@ -486,7 +486,7 @@ public class SimpleJNDIClientTest extends ActiveMQTestBase {
//setup user and role on broker //setup user and role on broker
((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addUser("myUser", "myPassword"); ((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addUser("myUser", "myPassword");
((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addRole("myUser", "consumeCreateRole"); ((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addRole("myUser", "consumeCreateRole");
Role consumeCreateRole = new Role("consumeCreateRole", false, true, true, true, true, true, true, true); Role consumeCreateRole = new Role("consumeCreateRole", false, true, true, true, true, true, true, true, true, true);
Set<Role> consumerCreateRoles = new HashSet<>(); Set<Role> consumerCreateRoles = new HashSet<>();
consumerCreateRoles.add(consumeCreateRole); consumerCreateRoles.add(consumeCreateRole);
liveService.getSecurityRepository().addMatch("test.queue", consumerCreateRoles); liveService.getSecurityRepository().addMatch("test.queue", consumerCreateRoles);

View File

@ -181,10 +181,10 @@ public class MQTTTestSupport extends ActiveMQTestBase {
// Configure roles // Configure roles
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository(); HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
HashSet<Role> value = new HashSet<>(); HashSet<Role> value = new HashSet<>();
value.add(new Role("nothing", false, false, false, false, false, false, false, false)); value.add(new Role("nothing", false, false, false, false, false, false, false, false, false, false));
value.add(new Role("browser", false, false, false, false, false, false, false, true)); value.add(new Role("browser", false, false, false, false, false, false, false, true, false, false));
value.add(new Role("guest", false, true, false, false, false, false, false, true)); value.add(new Role("guest", false, true, false, false, false, false, false, true, false, false));
value.add(new Role("full", true, true, true, true, true, true, true, true)); value.add(new Role("full", true, true, true, true, true, true, true, true, true, true));
securityRepository.addMatch(getQueueName(), value); securityRepository.addMatch(getQueueName(), value);
server.getConfiguration().setSecurityEnabled(true); server.getConfiguration().setSecurityEnabled(true);

View File

@ -71,7 +71,7 @@ public class OutgoingConnectionNoJTATest extends ActiveMQRATestBase {
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().setDefaultUser("guest"); ((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().setDefaultUser("guest");
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("testuser", "arole"); ((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("testuser", "arole");
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("guest", "arole"); ((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("guest", "arole");
Role role = new Role("arole", true, true, true, true, true, true, true, true); Role role = new Role("arole", true, true, true, true, true, true, true, true, true, true);
Set<Role> roles = new HashSet<>(); Set<Role> roles = new HashSet<>();
roles.add(role); roles.add(role);
server.getSecurityRepository().addMatch(MDBQUEUEPREFIXED, roles); server.getSecurityRepository().addMatch(MDBQUEUEPREFIXED, roles);

View File

@ -44,6 +44,8 @@
<security-settings> <security-settings>
<security-setting match="#"> <security-setting match="#">
<permission type="createAddress" roles="guest,def"/>
<permission type="deleteAddress" roles="guest,def"/>
<permission type="createDurableQueue" roles="guest,def"/> <permission type="createDurableQueue" roles="guest,def"/>
<permission type="deleteDurableQueue" roles="guest,def"/> <permission type="deleteDurableQueue" roles="guest,def"/>
<permission type="createNonDurableQueue" roles="guest,def"/> <permission type="createNonDurableQueue" roles="guest,def"/>