This commit is contained in:
Clebert Suconic 2019-10-23 15:27:53 -04:00
commit 4f3df1f1e4
3 changed files with 127 additions and 69 deletions

View File

@ -18,79 +18,95 @@ package org.apache.activemq.artemis.core.server.management;
import javax.management.ObjectName; import javax.management.ObjectName;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap; import java.util.HashMap;
import java.util.Hashtable; import java.util.Hashtable;
import java.util.LinkedHashMap; import java.util.LinkedHashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
public class JMXAccessControlList { public class JMXAccessControlList {
private static final String WILDCARD = "*";
private Access defaultAccess = new Access("*"); private Access defaultAccess = new Access(WILDCARD);
private Map<String, Access> domainAccess = new HashMap<>(); private ConcurrentHashMap<String, TreeMap<String, Access>> domainAccess = new ConcurrentHashMap<>();
private ConcurrentHashMap<String, List<String>> whitelist = new ConcurrentHashMap<>(); private ConcurrentHashMap<String, TreeMap<String, Access>> whitelist = new ConcurrentHashMap<>();
private Comparator<String> keyComparator = (key1, key2) -> {
boolean key1ContainsWildCard = key1.contains(WILDCARD);
public void addToWhiteList(String domain, String match) { boolean key2ContainsWildcard = key2.contains(WILDCARD);
List<String> list = new ArrayList<>(); if (key1ContainsWildCard && !key2ContainsWildcard) {
list = whitelist.putIfAbsent(domain, list); return +1;
if (list == null) { } else if (!key1ContainsWildCard && key2ContainsWildcard) {
list = whitelist.get(domain); return -1;
} else if (key1ContainsWildCard && key2ContainsWildcard) {
return key2.length() - key1.length();
} }
list.add(match != null ? match : "*"); return key1.length() - key2.length();
};
public void addToWhiteList(String domain, String key) {
TreeMap<String, Access> domainMap = new TreeMap<>(keyComparator);
domainMap = whitelist.putIfAbsent(domain, domainMap);
if (domainMap == null) {
domainMap = whitelist.get(domain);
}
Access access = new Access(domain, normalizeKey(key));
domainMap.putIfAbsent(access.getKey(), access);
} }
public List<String> getRolesForObject(ObjectName objectName, String methodName) { public List<String> getRolesForObject(ObjectName objectName, String methodName) {
TreeMap<String, Access> domainMap = domainAccess.get(objectName.getDomain());
if (domainMap != null) {
Hashtable<String, String> keyPropertyList = objectName.getKeyPropertyList(); Hashtable<String, String> keyPropertyList = objectName.getKeyPropertyList();
for (Map.Entry<String, String> keyEntry : keyPropertyList.entrySet()) { for (Map.Entry<String, String> keyEntry : keyPropertyList.entrySet()) {
String key = keyEntry.getKey() + "=" + keyEntry.getValue(); String key = normalizeKey(keyEntry.getKey() + "=" + keyEntry.getValue());
Access access = domainAccess.get(getObjectID(objectName.getDomain(), key)); for (Access accessEntry : domainMap.values()) {
if (accessEntry.getKeyPattern().matcher(key).matches()) {
return accessEntry.getMatchingRolesForMethod(methodName);
}
}
}
Access access = domainMap.get("");
if (access != null) { if (access != null) {
return access.getMatchingRolesForMethod(methodName); return access.getMatchingRolesForMethod(methodName);
} }
} }
for (Map.Entry<String, String> keyEntry : keyPropertyList.entrySet()) {
String key = keyEntry.getKey() + "=*"; return defaultAccess.getMatchingRolesForMethod(methodName);
Access access = domainAccess.get(getObjectID(objectName.getDomain(), key));
if (access != null) {
return access.getMatchingRolesForMethod(methodName);
}
}
Access access = domainAccess.get(objectName.getDomain());
if (access == null) {
access = defaultAccess;
}
return access.getMatchingRolesForMethod(methodName);
} }
public boolean isInWhiteList(ObjectName objectName) { public boolean isInWhiteList(ObjectName objectName) {
List<String> matches = whitelist.get(objectName.getDomain()); TreeMap<String, Access> domainMap = whitelist.get(objectName.getDomain());
if (matches != null) { if (domainMap != null) {
for (String match : matches) { if (domainMap.containsKey("")) {
if (match.equals("*")) {
return true; return true;
} else { }
String[] split = match.split("=");
String key = split[0]; Hashtable<String, String> keyPropertyList = objectName.getKeyPropertyList();
String val = split[1]; for (Map.Entry<String, String> keyEntry : keyPropertyList.entrySet()) {
String propVal = objectName.getKeyProperty(key); String key = normalizeKey(keyEntry.getKey() + "=" + keyEntry.getValue());
if (propVal != null && (val.equals("*") || propVal.equals(val))) { for (Access accessEntry : domainMap.values()) {
if (accessEntry.getKeyPattern().matcher(key).matches()) {
return true; return true;
} }
} }
} }
} }
return false; return false;
} }
public void addToDefaultAccess(String method, String... roles) { public void addToDefaultAccess(String method, String... roles) {
if (roles != null) { if (roles != null) {
if ( method.equals("*")) { if ( method.equals(WILDCARD)) {
defaultAccess.addCatchAll(roles); defaultAccess.addCatchAll(roles);
} else if (method.endsWith("*")) { } else if (method.endsWith(WILDCARD)) {
String prefix = method.replace("*", ""); String prefix = method.replace(WILDCARD, "");
defaultAccess.addMethodsPrefixes(prefix, roles); defaultAccess.addMethodsPrefixes(prefix, roles);
} else { } else {
defaultAccess.addMethods(method, roles); defaultAccess.addMethods(method, roles);
@ -99,44 +115,54 @@ public class JMXAccessControlList {
} }
public void addToRoleAccess(String domain,String key, String method, String... roles) { public void addToRoleAccess(String domain,String key, String method, String... roles) {
String id = getObjectID(domain, key); TreeMap<String, Access> domainMap = new TreeMap<>(keyComparator);
Access access = domainAccess.get(id); domainMap = domainAccess.putIfAbsent(domain, domainMap);
if (access == null) { if (domainMap == null) {
access = new Access(domain); domainMap = domainAccess.get(domain);
domainAccess.put(id, access);
} }
if (method.equals("*")) { String accessKey = normalizeKey(key);
Access access = domainMap.get(accessKey);
if (access == null) {
access = new Access(domain, accessKey);
domainMap.put(accessKey, access);
}
if (method.equals(WILDCARD)) {
access.addCatchAll(roles); access.addCatchAll(roles);
} else if (method.endsWith("*")) { } else if (method.endsWith(WILDCARD)) {
String prefix = method.replace("*", ""); String prefix = method.replace(WILDCARD, "");
access.addMethodsPrefixes(prefix, roles); access.addMethodsPrefixes(prefix, roles);
} else { } else {
access.addMethods(method, roles); access.addMethods(method, roles);
} }
} }
private String getObjectID(String domain, String key) { private String normalizeKey(final String key) {
String id = domain; if (key == null) {
return "";
if (key != null) { } else if (key.endsWith("\"")) {
String actualKey = key; return key.replace("\"", "");
if (key.endsWith("\"")) {
actualKey = actualKey.replace("\"", "");
} }
id += ":" + actualKey; return key;
}
return id;
} }
static class Access { static class Access {
private final String domain; private final String id;
private final String key;
private final Pattern keyPattern;
List<String> catchAllRoles = new ArrayList<>(); List<String> catchAllRoles = new ArrayList<>();
Map<String, List<String>> methodRoles = new HashMap<>(); Map<String, List<String>> methodRoles = new HashMap<>();
Map<String, List<String>> methodPrefixRoles = new LinkedHashMap<>(); Map<String, List<String>> methodPrefixRoles = new LinkedHashMap<>();
Access(String domain) { Access(String id) {
this.domain = domain; this(id, "");
}
Access(String id, String key) {
this.id = id;
this.key = key;
this.keyPattern = Pattern.compile(key.replace(WILDCARD, ".*"));
} }
public synchronized void addMethods(String prefix, String... roles) { public synchronized void addMethods(String prefix, String... roles) {
@ -167,8 +193,16 @@ public class JMXAccessControlList {
} }
} }
public String getDomain() { public String getId() {
return domain; return id;
}
public String getKey() {
return key;
}
public Pattern getKeyPattern() {
return keyPattern;
} }
public List<String> getMatchingRolesForMethod(String methodName) { public List<String> getMatchingRolesForMethod(String methodName) {
@ -184,6 +218,7 @@ public class JMXAccessControlList {
return catchAllRoles; return catchAllRoles;
} }
} }
public static JMXAccessControlList createDefaultList() { public static JMXAccessControlList createDefaultList() {
JMXAccessControlList accessControlList = new JMXAccessControlList(); JMXAccessControlList accessControlList = new JMXAccessControlList();
@ -193,13 +228,13 @@ public class JMXAccessControlList {
accessControlList.addToRoleAccess("org.apache.activemq.artemis", null, "get*", "view", "update", "amq"); accessControlList.addToRoleAccess("org.apache.activemq.artemis", null, "get*", "view", "update", "amq");
accessControlList.addToRoleAccess("org.apache.activemq.artemis", null, "is*", "view", "update", "amq"); accessControlList.addToRoleAccess("org.apache.activemq.artemis", null, "is*", "view", "update", "amq");
accessControlList.addToRoleAccess("org.apache.activemq.artemis", null, "set*", "update", "amq"); accessControlList.addToRoleAccess("org.apache.activemq.artemis", null, "set*", "update", "amq");
accessControlList.addToRoleAccess("org.apache.activemq.artemis", null,"*", "amq"); accessControlList.addToRoleAccess("org.apache.activemq.artemis", null, WILDCARD, "amq");
accessControlList.addToDefaultAccess("list*", "view", "update", "amq"); accessControlList.addToDefaultAccess("list*", "view", "update", "amq");
accessControlList.addToDefaultAccess("get*", "view", "update", "amq"); accessControlList.addToDefaultAccess("get*", "view", "update", "amq");
accessControlList.addToDefaultAccess("is*", "view", "update", "amq"); accessControlList.addToDefaultAccess("is*", "view", "update", "amq");
accessControlList.addToDefaultAccess("set*", "update", "amq"); accessControlList.addToDefaultAccess("set*", "update", "amq");
accessControlList.addToDefaultAccess("*", "amq"); accessControlList.addToDefaultAccess(WILDCARD, "amq");
return accessControlList; return accessControlList;
} }

View File

@ -95,6 +95,16 @@ public class JMXAccessControlListTest {
Assert.assertArrayEquals(roles.toArray(), new String[]{"admin"}); Assert.assertArrayEquals(roles.toArray(), new String[]{"admin"});
} }
@Test
public void testBasicRoleWithWildcardInKey() throws MalformedObjectNameException {
JMXAccessControlList controlList = new JMXAccessControlList();
controlList.addToRoleAccess("org.myDomain", "type=foo*","listSomething", "update");
controlList.addToRoleAccess("org.myDomain", "type=foo.bar*","listSomething", "admin");
controlList.addToRoleAccess("org.myDomain", null,"listSomething", "view");
List<String> roles = controlList.getRolesForObject(new ObjectName("org.myDomain:type=foo.bar.test"), "listSomething");
Assert.assertArrayEquals(roles.toArray(), new String[]{"admin"});
}
@Test @Test
public void testMutipleBasicRoles() throws MalformedObjectNameException { public void testMutipleBasicRoles() throws MalformedObjectNameException {
JMXAccessControlList controlList = new JMXAccessControlList(); JMXAccessControlList controlList = new JMXAccessControlList();

View File

@ -388,6 +388,19 @@ by configuring:
</match> </match>
``` ```
You can also use wildcards for the mBean properties so the following would
also match, allowing prefix match for the mBean properties.
```xml
<match domain="org.apache.activemq.artemis" key="queue=example*">
<access method="list*" roles="view,update,amq"/>
<access method="get*" roles="view,update,amq"/>
<access method="is*" roles="view,update,amq"/>
<access method="set*" roles="update,amq"/>
<access method="*" roles="amq"/>
</match>
```
Access to JMX mBean attributes are converted to method calls so these are Access to JMX mBean attributes are converted to method calls so these are
controlled via the `set*`, `get*` and `is*`. The `*` access is the catch all controlled via the `set*`, `get*` and `is*`. The `*` access is the catch all
for everything other method that isn't specifically matched. for everything other method that isn't specifically matched.