ARTEMIS-1717 create/delete address permissions ignored in broker.xml
parent
25bb816652
commit
2123f85ea9
@ -79,6 +79,7 @@ public class Role implements Serializable {
|
||||||
this(name, send, consume, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, manage, consume);
|
this(name, send, consume, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, manage, consume);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Deprecated
|
||||||
public Role(final String name,
|
public Role(final String name,
|
||||||
final boolean send,
|
final boolean send,
|
||||||
final boolean consume,
|
final boolean consume,
|
||||||
|
@ -156,6 +157,14 @@ public class Role implements Serializable {
|
||||||
return deleteNonDurableQueue;
|
return deleteNonDurableQueue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public boolean isManage() {
|
||||||
|
return manage;
|
||||||
|
}
|
||||||
|
|
||||||
|
public boolean isBrowse() {
|
||||||
|
return browse;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String toString() {
|
public String toString() {
|
||||||
StringBuffer stringReturn = new StringBuffer("Role {name=" + name + "; allows=[");
|
StringBuffer stringReturn = new StringBuffer("Role {name=" + name + "; allows=[");
|
||||||
|
@ -260,12 +269,4 @@ public class Role implements Serializable {
|
||||||
result = 31 * result + (browse ? 1 : 0);
|
result = 31 * result + (browse ? 1 : 0);
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean isManage() {
|
|
||||||
return manage;
|
|
||||||
}
|
|
||||||
|
|
||||||
public boolean isBrowse() {
|
|
||||||
return browse;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
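Review bot: The constructor that receives `@Deprecated` at the top of this section has no `@deprecated` Javadoc, so callers that keep using it never learn what the two address permissions are set to on their behalf; its delegating call sits outside the hunk, so I cannot tell whether it denies address create/delete or derives them from the queue flags. Either way that is a security decision made for the caller and belongs in the doc, along the lines of `/** @deprecated use the constructor that takes createAddress and deleteAddress explicitly; this overload sets them to <fill in from the delegating call>. */`. The overload in the first hunk whose body is `this(name, send, consume, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, manage, consume)` chains through it and inherits the same implicit choice, so it deserves the same note. Separately, the visible tail of `hashCode()` in the last hunk ends with `browse`; please confirm `createAddress` and `deleteAddress` are folded in above the visible lines (and in `equals`), since otherwise two roles differing only in address rights collide in the `Set<Role>` the security repository keeps.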
|
|
|
@ -871,7 +871,7 @@ public final class FileConfigurationParser extends XMLConfigurationUtil {
|
||||||
}
|
}
|
||||||
|
|
||||||
for (String role : allRoles) {
|
for (String role : allRoles) {
|
||||||
securityRoles.add(new Role(role, send.contains(role), consume.contains(role), createDurableQueue.contains(role), deleteDurableQueue.contains(role), createNonDurableQueue.contains(role), deleteNonDurableQueue.contains(role), manageRoles.contains(role), browseRoles.contains(role)));
|
securityRoles.add(new Role(role, send.contains(role), consume.contains(role), createDurableQueue.contains(role), deleteDurableQueue.contains(role), createNonDurableQueue.contains(role), deleteNonDurableQueue.contains(role), manageRoles.contains(role), browseRoles.contains(role), createAddressRoles.contains(role), deleteAddressRoles.contains(role)));
|
||||||
}
|
}
|
||||||
|
|
||||||
return securityMatch;
|
return securityMatch;
|
||||||
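Review bot: The loop now passes `createAddressRoles.contains(role)` and `deleteAddressRoles.contains(role)`, but it only iterates `allRoles`, and the code that fills `allRoles` is above the hunk; if that union was not extended to the two address sets, a role granted only `createAddress` or `deleteAddress` in broker.xml still produces no `Role` at all and the bug this commit fixes survives for that case. Please check that set-up and, if it is missing, add `allRoles.addAll(createAddressRoles); allRoles.addAll(deleteAddressRoles);` next to the existing `addAll` calls. A parser test whose fixture names a role exclusively in a `createAddress` permission line would pin this, since the roles in the fixtures shown elsewhere in this commit also appear in the queue permissions. The enclosing method starts outside the hunk.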
|
|
|
@ -366,8 +366,18 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
|
||||||
Rdn rdn = ldapname.getRdn(ldapname.size() - 1);
|
Rdn rdn = ldapname.getRdn(ldapname.size() - 1);
|
||||||
String roleName = rdn.getValue().toString();
|
String roleName = rdn.getValue().toString();
|
||||||
logger.debug("\tRole name: " + roleName);
|
logger.debug("\tRole name: " + roleName);
|
||||||
Role role = new Role(roleName, permissionType.equalsIgnoreCase(writePermissionValue), permissionType.equalsIgnoreCase(readPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), permissionType.equalsIgnoreCase(adminPermissionValue), false, // there is no permission from ActiveMQ 5.x that corresponds to the "manage" permission in ActiveMQ Artemis
|
Role role = new Role(roleName,
|
||||||
permissionType.equalsIgnoreCase(readPermissionValue)); // the "browse" permission matches "read" from ActiveMQ 5.x
|
permissionType.equalsIgnoreCase(writePermissionValue), // send
|
||||||
|
permissionType.equalsIgnoreCase(readPermissionValue), // consume
|
||||||
|
permissionType.equalsIgnoreCase(adminPermissionValue), // createDurableQueue
|
||||||
|
permissionType.equalsIgnoreCase(adminPermissionValue), // deleteDurableQueue
|
||||||
|
permissionType.equalsIgnoreCase(adminPermissionValue), // createNonDurableQueue
|
||||||
|
permissionType.equalsIgnoreCase(adminPermissionValue), // deleteNonDurableQueue
|
||||||
|
false, // manage - there is no permission from ActiveMQ 5.x that corresponds to this
|
||||||
|
permissionType.equalsIgnoreCase(readPermissionValue), // browse
|
||||||
|
permissionType.equalsIgnoreCase(adminPermissionValue), // createAddress
|
||||||
|
permissionType.equalsIgnoreCase(adminPermissionValue) // deleteAddress
|
||||||
|
);
|
||||||
roles.add(role);
|
roles.add(role);
|
||||||
}
|
}
|
||||||
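Review bot: The rewritten constructor call evaluates `permissionType.equalsIgnoreCase(adminPermissionValue)` six times and the read and write comparisons twice each, which buries the 5.x-to-Artemis mapping table in repetition and makes it easy for a later edit to drift one row. Hoisting the three comparisons into locals — `final boolean read = permissionType.equalsIgnoreCase(readPermissionValue);`, `final boolean write = permissionType.equalsIgnoreCase(writePermissionValue);`, `final boolean admin = permissionType.equalsIgnoreCase(adminPermissionValue);` — and passing `read`/`write`/`admin` in the argument list leaves the per-argument comments as the only thing a reviewer has to audit. Note that this hunk also widens what an LDAP `admin` entry grants: address create/delete was previously whatever the old 9-argument `Role` constructor implied, and is now granted explicitly, so LDAP-backed deployments gain address rights on upgrade; the docs hunk records the mapping, but a release-note line would help operators. The enclosing loop begins and ends outside the hunk.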
|
|
||||||
|
|
|
@ -508,63 +508,62 @@ public class FileConfigurationTest extends ConfigurationImplTest {
|
||||||
Map<String, Set<Role>> securityRoles = fc.getSecurityRoles();
|
Map<String, Set<Role>> securityRoles = fc.getSecurityRoles();
|
||||||
Set<Role> roles = securityRoles.get("#");
|
Set<Role> roles = securityRoles.get("#");
|
||||||
|
|
||||||
//N.B. - FileConfigurationParser uses the constructor without createAddress and deleteAddress
|
|
||||||
//cn=mygroup,dc=local,dc=com = amq1
|
//cn=mygroup,dc=local,dc=com = amq1
|
||||||
Role testRole1 = new Role("cn=mygroup,dc=local,dc=com",false, false, false,
|
Role testRole1 = new Role("cn=mygroup,dc=local,dc=com",false, false, false,
|
||||||
false, true, false, false,
|
false, true, false, false,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
//myrole1 = amq1 + amq2
|
//myrole1 = amq1 + amq2
|
||||||
Role testRole2 = new Role("myrole1",false, false, false,
|
Role testRole2 = new Role("myrole1",false, false, false,
|
||||||
false, true, true, false,
|
false, true, true, false,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
//myrole3 = amq3 + amq4
|
//myrole3 = amq3 + amq4
|
||||||
Role testRole3 = new Role("myrole3",false, false, true,
|
Role testRole3 = new Role("myrole3",false, false, true,
|
||||||
true, false, false, false,
|
true, false, false, false,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
//myrole4 = amq5 + amq!@#$%^&*() + amq6
|
//myrole4 = amq5 + amq!@#$%^&*() + amq6
|
||||||
Role testRole4 = new Role("myrole4",true, true, false,
|
Role testRole4 = new Role("myrole4",true, true, false,
|
||||||
false, false, false, false,
|
false, false, false, false,
|
||||||
true);
|
true, true, true);
|
||||||
|
|
||||||
//myrole5 = amq4 = amq3 + amq4
|
//myrole5 = amq4 = amq3 + amq4
|
||||||
Role testRole5 = new Role("myrole5",false, false, true,
|
Role testRole5 = new Role("myrole5",false, false, true,
|
||||||
true, false, false, false,
|
true, false, false, false,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
Role testRole6 = new Role("amq1",false, false, false,
|
Role testRole6 = new Role("amq1",false, false, false,
|
||||||
false, true, false, false,
|
false, true, false, false,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
Role testRole7 = new Role("amq2",false, false, false,
|
Role testRole7 = new Role("amq2",false, false, false,
|
||||||
false, false, true, false,
|
false, false, true, false,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
Role testRole8 = new Role("amq3",false, false, true,
|
Role testRole8 = new Role("amq3",false, false, true,
|
||||||
false, false, false, false,
|
false, false, false, false,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
Role testRole9 = new Role("amq4",false, false, true,
|
Role testRole9 = new Role("amq4",false, false, true,
|
||||||
true, false, false, false,
|
true, false, false, false,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
Role testRole10 = new Role("amq5",false, false, false,
|
Role testRole10 = new Role("amq5",false, false, false,
|
||||||
false, false, false, false,
|
false, false, false, false,
|
||||||
false);
|
false, true, true);
|
||||||
|
|
||||||
Role testRole11 = new Role("amq6",false, true, false,
|
Role testRole11 = new Role("amq6",false, true, false,
|
||||||
false, false, false, false,
|
false, false, false, false,
|
||||||
true);
|
true, false, false);
|
||||||
|
|
||||||
Role testRole12 = new Role("amq7",false, false, false,
|
Role testRole12 = new Role("amq7",false, false, false,
|
||||||
false, false, false, true,
|
false, false, false, true,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
Role testRole13 = new Role("amq!@#$%^&*()",true, false, false,
|
Role testRole13 = new Role("amq!@#$%^&*()",true, false, false,
|
||||||
false, false, false, false,
|
false, false, false, false,
|
||||||
false);
|
false, false, false);
|
||||||
|
|
||||||
assertEquals(13, roles.size());
|
assertEquals(13, roles.size());
|
||||||
assertTrue(roles.contains(testRole1));
|
assertTrue(roles.contains(testRole1));
|
||||||
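Review bot: Every role in the updated fixture sets `createAddress` and `deleteAddress` to the same value (`true, true` for testRole4 and testRole10, `false, false` for all the others), so a parser that swapped the two arguments, or derived both flags from one set, would still satisfy every `roles.contains(...)` assertion. Give one role only `createAddress` (for example make testRole10 end in `false, true, false`) and adjust the XML fixture to match, so the two flags are shown to flow independently from broker.xml. Also, `roles.contains(testRoleN)` only checks whatever `Role.equals` compares; if the address flags are not part of `equals` these assertions pass vacuously, so reading the matched role back and asserting its address getters directly would make the test independent of that.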
|
|
|
@ -35,6 +35,12 @@ wildcard match can be used using the wildcard characters '`#`' and
|
||||||
Eight different permissions can be given to the set of queues which
|
Eight different permissions can be given to the set of queues which
|
||||||
match the address. Those permissions are:
|
match the address. Those permissions are:
|
||||||
|
|
||||||
|
- `createAddress`. This permission allows the user to create an
|
||||||
|
address fitting the `match`.
|
||||||
|
|
||||||
|
- `deleteAddress`. This permission allows the user to delete an
|
||||||
|
address fitting the `match`.
|
||||||
|
|
||||||
- `createDurableQueue`. This permission allows the user to create a
|
- `createDurableQueue`. This permission allows the user to create a
|
||||||
durable queue under matching addresses.
|
durable queue under matching addresses.
|
||||||
|
|
||||||
|
@ -225,13 +231,14 @@ The name of the queue or topic defined in LDAP will serve as the "match" for the
|
||||||
will be mapped from the ActiveMQ 5.x type to the Artemis type, and the role will be mapped as-is.
|
will be mapped from the ActiveMQ 5.x type to the Artemis type, and the role will be mapped as-is.
|
||||||
|
|
||||||
ActiveMQ 5.x only has 3 permission types - `read`, `write`, and `admin`. These permission types are described on their
|
ActiveMQ 5.x only has 3 permission types - `read`, `write`, and `admin`. These permission types are described on their
|
||||||
[website](http://activemq.apache.org/security.html). However, as described previously, ActiveMQ Artemis has 7 permission
|
[website](http://activemq.apache.org/security.html). However, as described previously, ActiveMQ Artemis has 9 permission
|
||||||
types - `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`, `send`, `consume`,
|
types - `createAddress`, `deleteAddress`, `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`,
|
||||||
`browse`, and `manage`. Here's how the old types are mapped to the new types:
|
`deleteNonDurableQueue`, `send`, `consume`, `browse`, and `manage`. Here's how the old types are mapped to the new types:
|
||||||
|
|
||||||
- `read` - `consume`, `browse`
|
- `read` - `consume`, `browse`
|
||||||
- `write` - `send`
|
- `write` - `send`
|
||||||
- `admin` - `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`
|
- `admin` - `createAddress`, `deleteAddress`, `createDurableQueue`, `deleteDurableQueue`, `createNonDurableQueue`,
|
||||||
|
`deleteNonDurableQueue`
|
||||||
|
|
||||||
As mentioned, there are a few places where a translation was performed to achieve some equivalence.:
|
As mentioned, there are a few places where a translation was performed to achieve some equivalence.:
|
||||||
|
|
||||||
|
|
|
@ -256,10 +256,10 @@ public class AmqpClientTestSupport extends AmqpTestSupport {
|
||||||
// Configure roles
|
// Configure roles
|
||||||
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
|
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
|
||||||
HashSet<Role> value = new HashSet<>();
|
HashSet<Role> value = new HashSet<>();
|
||||||
value.add(new Role("nothing", false, false, false, false, false, false, false, false));
|
value.add(new Role("nothing", false, false, false, false, false, false, false, false, false, false));
|
||||||
value.add(new Role("browser", false, false, false, false, false, false, false, true));
|
value.add(new Role("browser", false, false, false, false, false, false, false, true, false, false));
|
||||||
value.add(new Role("guest", false, true, false, false, false, false, false, true));
|
value.add(new Role("guest", false, true, false, false, false, false, false, true, false, false));
|
||||||
value.add(new Role("full", true, true, true, true, true, true, true, true));
|
value.add(new Role("full", true, true, true, true, true, true, true, true, true, true));
|
||||||
securityRepository.addMatch(getQueueName(), value);
|
securityRepository.addMatch(getQueueName(), value);
|
||||||
|
|
||||||
server.getConfiguration().setSecurityEnabled(true);
|
server.getConfiguration().setSecurityEnabled(true);
|
||||||
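Review bot: The four `value.add(new Role(...))` lines now carry eleven positional booleans each and nothing nearby says which position is which, so a reader must count arguments against the `Role` constructor to learn that `"guest"` gets consume and browse but not `createAddress`. A one-line key above the block, `// Role(name, send, consume, createDurableQueue, deleteDurableQueue, createNonDurableQueue, deleteNonDurableQueue, manage, browse, createAddress, deleteAddress)`, makes the fixture auditable without opening `Role`; the parallel block in MQTTTestSupport would benefit from the same. The method containing this block starts and ends outside the hunk.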
|
|
|
@ -486,7 +486,7 @@ public class SimpleJNDIClientTest extends ActiveMQTestBase {
|
||||||
//setup user and role on broker
|
//setup user and role on broker
|
||||||
((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addUser("myUser", "myPassword");
|
((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addUser("myUser", "myPassword");
|
||||||
((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addRole("myUser", "consumeCreateRole");
|
((ActiveMQJAASSecurityManager) liveService.getSecurityManager()).getConfiguration().addRole("myUser", "consumeCreateRole");
|
||||||
Role consumeCreateRole = new Role("consumeCreateRole", false, true, true, true, true, true, true, true);
|
Role consumeCreateRole = new Role("consumeCreateRole", false, true, true, true, true, true, true, true, true, true);
|
||||||
Set<Role> consumerCreateRoles = new HashSet<>();
|
Set<Role> consumerCreateRoles = new HashSet<>();
|
||||||
consumerCreateRoles.add(consumeCreateRole);
|
consumerCreateRoles.add(consumeCreateRole);
|
||||||
liveService.getSecurityRepository().addMatch("test.queue", consumerCreateRoles);
|
liveService.getSecurityRepository().addMatch("test.queue", consumerCreateRoles);
|
||||||
|
|
|
@ -181,10 +181,10 @@ public class MQTTTestSupport extends ActiveMQTestBase {
|
||||||
// Configure roles
|
// Configure roles
|
||||||
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
|
HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
|
||||||
HashSet<Role> value = new HashSet<>();
|
HashSet<Role> value = new HashSet<>();
|
||||||
value.add(new Role("nothing", false, false, false, false, false, false, false, false));
|
value.add(new Role("nothing", false, false, false, false, false, false, false, false, false, false));
|
||||||
value.add(new Role("browser", false, false, false, false, false, false, false, true));
|
value.add(new Role("browser", false, false, false, false, false, false, false, true, false, false));
|
||||||
value.add(new Role("guest", false, true, false, false, false, false, false, true));
|
value.add(new Role("guest", false, true, false, false, false, false, false, true, false, false));
|
||||||
value.add(new Role("full", true, true, true, true, true, true, true, true));
|
value.add(new Role("full", true, true, true, true, true, true, true, true, true, true));
|
||||||
securityRepository.addMatch(getQueueName(), value);
|
securityRepository.addMatch(getQueueName(), value);
|
||||||
|
|
||||||
server.getConfiguration().setSecurityEnabled(true);
|
server.getConfiguration().setSecurityEnabled(true);
|
||||||
|
|
|
@ -71,7 +71,7 @@ public class OutgoingConnectionNoJTATest extends ActiveMQRATestBase {
|
||||||
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().setDefaultUser("guest");
|
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().setDefaultUser("guest");
|
||||||
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("testuser", "arole");
|
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("testuser", "arole");
|
||||||
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("guest", "arole");
|
((ActiveMQJAASSecurityManager) server.getSecurityManager()).getConfiguration().addRole("guest", "arole");
|
||||||
Role role = new Role("arole", true, true, true, true, true, true, true, true);
|
Role role = new Role("arole", true, true, true, true, true, true, true, true, true, true);
|
||||||
Set<Role> roles = new HashSet<>();
|
Set<Role> roles = new HashSet<>();
|
||||||
roles.add(role);
|
roles.add(role);
|
||||||
server.getSecurityRepository().addMatch(MDBQUEUEPREFIXED, roles);
|
server.getSecurityRepository().addMatch(MDBQUEUEPREFIXED, roles);
|
||||||
|
|
|
@ -44,6 +44,8 @@
|
||||||
|
|
||||||
<security-settings>
|
<security-settings>
|
||||||
<security-setting match="#">
|
<security-setting match="#">
|
||||||
|
<permission type="createAddress" roles="guest,def"/>
|
||||||
|
<permission type="deleteAddress" roles="guest,def"/>
|
||||||
<permission type="createDurableQueue" roles="guest,def"/>
|
<permission type="createDurableQueue" roles="guest,def"/>
|
||||||
<permission type="deleteDurableQueue" roles="guest,def"/>
|
<permission type="deleteDurableQueue" roles="guest,def"/>
|
||||||
<permission type="createNonDurableQueue" roles="guest,def"/>
|
<permission type="createNonDurableQueue" roles="guest,def"/>
|
||||||
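Review bot: The new `createAddress` and `deleteAddress` permissions are granted to `guest,def` under `match="#"`, i.e. on every address, which is the broadest possible grant for what is usually the least-privileged role; that is acceptable in a test fixture but a poor default if this file also serves as a shipped example (its path is not visible here). If it is a fixture, a one-line comment above the two new lines, `<!-- test fixture: guest deliberately gets address create/delete on every address; do not copy into a production broker.xml -->`, would stop the grant being copied verbatim.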
|
|