https://issues.apache.org/jira/browse/AMQ-826 - ldap based authorization - add support for temp destinations
git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1092098 13f79535-47bb-0310-9956-ffa450edef68
parent
d822db72f3
commit
efcd57f60d
|
@ -81,6 +81,7 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
|
||||||
private MessageFormat topicSearchMatchingFormat;
|
private MessageFormat topicSearchMatchingFormat;
|
||||||
private MessageFormat queueSearchMatchingFormat;
|
private MessageFormat queueSearchMatchingFormat;
|
||||||
private String advisorySearchBase = "uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,dc=example,dc=com";
|
private String advisorySearchBase = "uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,dc=example,dc=com";
|
||||||
|
private String tempSearchBase = "uid=ActiveMQ.Temp,ou=topics,ou=destinations,o=ActiveMQ,dc=example,dc=com";
|
||||||
|
|
||||||
private boolean topicSearchSubtreeBool = true;
|
private boolean topicSearchSubtreeBool = true;
|
||||||
private boolean queueSearchSubtreeBool = true;
|
private boolean queueSearchSubtreeBool = true;
|
||||||
|
@ -140,18 +141,39 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
|
||||||
}
|
}
|
||||||
|
|
||||||
public Set<GroupPrincipal> getTempDestinationAdminACLs() {
|
public Set<GroupPrincipal> getTempDestinationAdminACLs() {
|
||||||
// TODO insert implementation
|
try {
|
||||||
return null;
|
context = open();
|
||||||
|
} catch (NamingException e) {
|
||||||
|
LOG.error(e.toString());
|
||||||
|
return new HashSet<GroupPrincipal>();
|
||||||
|
}
|
||||||
|
SearchControls constraints = new SearchControls();
|
||||||
|
constraints.setReturningAttributes(new String[] {adminAttribute});
|
||||||
|
return getACLs(tempSearchBase, constraints, adminBase, adminAttribute);
|
||||||
}
|
}
|
||||||
|
|
||||||
public Set<GroupPrincipal> getTempDestinationReadACLs() {
|
public Set<GroupPrincipal> getTempDestinationReadACLs() {
|
||||||
// TODO insert implementation
|
try {
|
||||||
return null;
|
context = open();
|
||||||
|
} catch (NamingException e) {
|
||||||
|
LOG.error(e.toString());
|
||||||
|
return new HashSet<GroupPrincipal>();
|
||||||
|
}
|
||||||
|
SearchControls constraints = new SearchControls();
|
||||||
|
constraints.setReturningAttributes(new String[] {readAttribute});
|
||||||
|
return getACLs(tempSearchBase, constraints, readBase, readAttribute);
|
||||||
}
|
}
|
||||||
|
|
||||||
public Set<GroupPrincipal> getTempDestinationWriteACLs() {
|
public Set<GroupPrincipal> getTempDestinationWriteACLs() {
|
||||||
// TODO insert implementation
|
try {
|
||||||
return null;
|
context = open();
|
||||||
|
} catch (NamingException e) {
|
||||||
|
LOG.error(e.toString());
|
||||||
|
return new HashSet<GroupPrincipal>();
|
||||||
|
}
|
||||||
|
SearchControls constraints = new SearchControls();
|
||||||
|
constraints.setReturningAttributes(new String[] {writeAttribute});
|
||||||
|
return getACLs(tempSearchBase, constraints, writeBase, writeAttribute);
|
||||||
}
|
}
|
||||||
|
|
||||||
public Set<GroupPrincipal> getAdminACLs(ActiveMQDestination destination) {
|
public Set<GroupPrincipal> getAdminACLs(ActiveMQDestination destination) {
|
||||||
|
@ -330,6 +352,14 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
|
||||||
this.advisorySearchBase = advisorySearchBase;
|
this.advisorySearchBase = advisorySearchBase;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public String getTempSearchBase() {
|
||||||
|
return tempSearchBase;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setTempSearchBase(String tempSearchBase) {
|
||||||
|
this.tempSearchBase = tempSearchBase;
|
||||||
|
}
|
||||||
|
|
||||||
protected Set<GroupPrincipal> getCompositeACLs(ActiveMQDestination destination, String roleBase, String roleAttribute) {
|
protected Set<GroupPrincipal> getCompositeACLs(ActiveMQDestination destination, String roleBase, String roleAttribute) {
|
||||||
ActiveMQDestination[] dests = destination.getCompositeDestinations();
|
ActiveMQDestination[] dests = destination.getCompositeDestinations();
|
||||||
Set<GroupPrincipal> acls = new HashSet<GroupPrincipal>();
|
Set<GroupPrincipal> acls = new HashSet<GroupPrincipal>();
|
||||||
|
@ -376,6 +406,10 @@ public class LDAPAuthorizationMap implements AuthorizationMap {
|
||||||
|
|
||||||
constraints.setReturningAttributes(new String[] {roleAttribute});
|
constraints.setReturningAttributes(new String[] {roleAttribute});
|
||||||
|
|
||||||
|
return getACLs(destinationBase, constraints, roleBase, roleAttribute);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected Set<GroupPrincipal> getACLs(String destinationBase, SearchControls constraints, String roleBase, String roleAttribute) {
|
||||||
try {
|
try {
|
||||||
Set<GroupPrincipal> roles = new HashSet<GroupPrincipal>();
|
Set<GroupPrincipal> roles = new HashSet<GroupPrincipal>();
|
||||||
Set<String> acls = new HashSet<String>();
|
Set<String> acls = new HashSet<String>();
|
||||||
|
|
|
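Review bot: getTempDestinationAdminACLs, getTempDestinationReadACLs and getTempDestinationWriteACLs are the same ten lines repeated with only the role base and attribute changed, so a private helper taking `(String roleBase, String roleAttribute)` would leave one copy of the open()/catch path to maintain. In that path `LOG.error(e.toString())` drops the stack trace; `LOG.error("Unable to open LDAP context for temp destination ACLs", e)` keeps it. Returning an empty set on NamingException (where the stubs returned null) reads as fail-closed, since an empty set grants no group, which is the right default for an authorization map, but the intent deserves a comment because how the caller treats null versus empty is not visible in this diff; confirm against AuthorizationBroker. Note also that `context` is a field reassigned on every call and not closed here; whether open() caches the connection or opens a new one each time depends on code outside the hunk.
```java
public Set<GroupPrincipal> getTempDestinationAdminACLs() {
    return getTempDestinationACLs(adminBase, adminAttribute);
}

// … unchanged: getTempDestinationReadACLs / getTempDestinationWriteACLs delegate the same way with readBase/readAttribute and writeBase/writeAttribute …

/**
 * Looks up the group members of one role entry (admin/read/write) under tempSearchBase.
 * Returns an empty set - i.e. no group is granted - when the LDAP context cannot be opened.
 */
private Set<GroupPrincipal> getTempDestinationACLs(String roleBase, String roleAttribute) {
    try {
        context = open();
    } catch (NamingException e) {
        LOG.error("Unable to open LDAP context for temp destination ACLs", e);
        return new HashSet<GroupPrincipal>();
    }
    SearchControls constraints = new SearchControls();
    constraints.setReturningAttributes(new String[] {roleAttribute});
    return getACLs(tempSearchBase, constraints, roleBase, roleAttribute);
}
```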
@ -20,6 +20,7 @@ import junit.framework.TestCase;
|
||||||
import org.apache.activemq.advisory.AdvisorySupport;
|
import org.apache.activemq.advisory.AdvisorySupport;
|
||||||
import org.apache.activemq.command.ActiveMQDestination;
|
import org.apache.activemq.command.ActiveMQDestination;
|
||||||
import org.apache.activemq.command.ActiveMQQueue;
|
import org.apache.activemq.command.ActiveMQQueue;
|
||||||
|
import org.apache.activemq.command.ActiveMQTempQueue;
|
||||||
import org.apache.activemq.command.ActiveMQTopic;
|
import org.apache.activemq.command.ActiveMQTopic;
|
||||||
import org.apache.activemq.jaas.GroupPrincipal;
|
import org.apache.activemq.jaas.GroupPrincipal;
|
||||||
import org.apache.activemq.spring.ActiveMQConnectionFactory;
|
import org.apache.activemq.spring.ActiveMQConnectionFactory;
|
||||||
|
@ -68,6 +69,7 @@ public class LDAPAuthorizationMapTest extends AbstractLdapTestUnit {
|
||||||
authMap.setTopicSearchMatchingFormat(new MessageFormat("uid={0},ou=topics,ou=destinations,o=ActiveMQ,ou=system"));
|
authMap.setTopicSearchMatchingFormat(new MessageFormat("uid={0},ou=topics,ou=destinations,o=ActiveMQ,ou=system"));
|
||||||
authMap.setQueueSearchMatchingFormat(new MessageFormat("uid={0},ou=queues,ou=destinations,o=ActiveMQ,ou=system"));
|
authMap.setQueueSearchMatchingFormat(new MessageFormat("uid={0},ou=queues,ou=destinations,o=ActiveMQ,ou=system"));
|
||||||
authMap.setAdvisorySearchBase("uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,ou=system");
|
authMap.setAdvisorySearchBase("uid=ActiveMQ.Advisory,ou=topics,ou=destinations,o=ActiveMQ,ou=system");
|
||||||
|
authMap.setTempSearchBase("uid=ActiveMQ.Temp,ou=topics,ou=destinations,o=ActiveMQ,ou=system");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -154,5 +156,13 @@ public class LDAPAuthorizationMapTest extends AbstractLdapTestUnit {
|
||||||
assertTrue(acls.contains(new GroupPrincipal("role3")));
|
assertTrue(acls.contains(new GroupPrincipal("role3")));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testTemp() {
|
||||||
|
Set acls = authMap.getTempDestinationAdminACLs();
|
||||||
|
|
||||||
|
assertEquals(1, acls.size());
|
||||||
|
assertTrue(acls.contains(new GroupPrincipal("role1")));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
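Review bot: testTemp only exercises getTempDestinationAdminACLs, so the read and write lookups added in the same commit are unverified even though the test LDIF defines cn=read (uniquemember uid=role2) and cn=write (uniquemember uid=role3) under uid=ActiveMQ.Temp; add `assertTrue(authMap.getTempDestinationReadACLs().contains(new GroupPrincipal("role2")));` and `assertTrue(authMap.getTempDestinationWriteACLs().contains(new GroupPrincipal("role3")));` with matching size checks so a swapped readBase/writeBase is caught. The raw `Set acls` should be `Set<GroupPrincipal> acls`, as the GroupPrincipal comparisons already assume. The new ActiveMQTempQueue import is not used in the hunks shown; drop it unless the rest of the file needs it.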
@ -76,4 +76,20 @@ public class LDAPSecurityTest extends AbstractLdapTestUnit {
|
||||||
assertNotNull(msg);
|
assertNotNull(msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testTempDestinations() throws Exception {
|
||||||
|
ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
|
||||||
|
Connection conn = factory.createQueueConnection("jdoe", "sunflower");
|
||||||
|
Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
|
||||||
|
conn.start();
|
||||||
|
Queue queue = sess.createTemporaryQueue();
|
||||||
|
|
||||||
|
MessageProducer producer = sess.createProducer(queue);
|
||||||
|
MessageConsumer consumer = sess.createConsumer(queue);
|
||||||
|
|
||||||
|
producer.send(sess.createTextMessage("test"));
|
||||||
|
Message msg = consumer.receive(1000);
|
||||||
|
assertNotNull(msg);
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
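Review bot: testTempDestinations opens a connection with createQueueConnection and never closes it, so a failing assertion leaks a broker connection into the tests that follow; put everything after that line in a try block ending with `finally { conn.close(); }`. The test also covers only the allowed path: jdoe is presumably a member of cn=users, which the example LDIF grants admin, read and write on cn=ActiveMQ.Temp, so a broker that stopped consulting the temp ACLs entirely would still pass. If the fixture has a user outside cn=users and cn=admins, a second test asserting that its createTemporaryQueue() (or the subsequent send) fails with a security-related JMSException would pin the deny path that this change exists to enforce.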
@ -132,3 +132,28 @@ objectclass: top
|
||||||
cn: write
|
cn: write
|
||||||
uniquemember: uid=role3
|
uniquemember: uid=role3
|
||||||
|
|
||||||
|
dn: uid=ActiveMQ.Temp,ou=topics,ou=destinations,o=ActiveMQ,ou=system
|
||||||
|
objectclass: uidObject
|
||||||
|
objectclass: top
|
||||||
|
objectclass: applicationProcess
|
||||||
|
uid: ActiveMQ.Temp
|
||||||
|
cn: ActiveMQ.Temp
|
||||||
|
|
||||||
|
dn: cn=admin,uid=ActiveMQ.Temp,ou=topics,ou=destinations,o=ActiveMQ,ou=system
|
||||||
|
objectclass: groupOfUniqueNames
|
||||||
|
objectclass: top
|
||||||
|
cn: admin
|
||||||
|
uniquemember: uid=role1
|
||||||
|
|
||||||
|
dn: cn=read,uid=ActiveMQ.Temp,ou=topics,ou=destinations,o=ActiveMQ,ou=system
|
||||||
|
objectclass: groupOfUniqueNames
|
||||||
|
objectclass: top
|
||||||
|
cn: read
|
||||||
|
uniquemember: uid=role2
|
||||||
|
|
||||||
|
dn: cn=write,uid=ActiveMQ.Temp,ou=topics,ou=destinations,o=ActiveMQ,ou=system
|
||||||
|
objectclass: groupOfUniqueNames
|
||||||
|
objectclass: top
|
||||||
|
cn: write
|
||||||
|
uniquemember: uid=role3
|
||||||
|
|
||||||
|
|
|
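Review bot: The uid=ActiveMQ.Temp entry sits under ou=topics although the map applies it to temporary queues as well as temporary topics (LDAPSecurityTest creates a temporary queue against it), which is easy to misread when auditing the directory; a `description: ACLs for temporary queues and topics` attribute on the applicationProcess entry, as the spring example LDIF does for its entries, would make the scope explicit. If the other entries in this file use the same role1/role2/role3 membership (the preceding cn=write above does use uid=role3), a temp lookup that accidentally hit a different search base would return an identical set and go unnoticed; giving the temp groups distinct members would make testTemp discriminating.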
@ -54,6 +54,8 @@
|
||||||
value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"/>
|
value="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system"/>
|
||||||
<property name="advisorySearchBase"
|
<property name="advisorySearchBase"
|
||||||
value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
|
value="cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
|
||||||
|
<property name="tempSearchBase"
|
||||||
|
value="cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system"/>
|
||||||
<property name="queueSearchSubtreeBool" value="true"/>
|
<property name="queueSearchSubtreeBool" value="true"/>
|
||||||
<property name="adminBase" value="(cn=admin)"/>
|
<property name="adminBase" value="(cn=admin)"/>
|
||||||
<property name="adminAttribute" value="member"/>
|
<property name="adminAttribute" value="member"/>
|
||||||
|
|
|
@ -151,11 +151,12 @@ member: cn=admins
|
||||||
#######################
|
#######################
|
||||||
## Define advisories ##
|
## Define advisories ##
|
||||||
#######################
|
#######################
|
||||||
|
|
||||||
dn: cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
|
dn: cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
|
||||||
cn: ActiveMQ.Advisory
|
cn: ActiveMQ.Advisory
|
||||||
objectClass: applicationProcess
|
objectClass: applicationProcess
|
||||||
objectClass: top
|
objectClass: top
|
||||||
description: Advisory topic about consumers
|
description: Advisory topics
|
||||||
|
|
||||||
dn: cn=read,cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
|
dn: cn=read,cn=ActiveMQ.Advisory,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
|
||||||
cn: read
|
cn: read
|
||||||
|
@ -176,4 +177,35 @@ cn: admin
|
||||||
member: cn=admins
|
member: cn=admins
|
||||||
member: cn=users
|
member: cn=users
|
||||||
objectClass: groupOfNames
|
objectClass: groupOfNames
|
||||||
|
objectClass: top
|
||||||
|
|
||||||
|
######################
|
||||||
|
## Define temporary ##
|
||||||
|
######################
|
||||||
|
|
||||||
|
dn: cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
|
||||||
|
cn: ActiveMQ.Temp
|
||||||
|
objectClass: applicationProcess
|
||||||
|
objectClass: top
|
||||||
|
description: Temporary destinations
|
||||||
|
|
||||||
|
dn: cn=read,cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
|
||||||
|
cn: read
|
||||||
|
member: cn=admins
|
||||||
|
member: cn=users
|
||||||
|
objectClass: groupOfNames
|
||||||
|
objectClass: top
|
||||||
|
|
||||||
|
dn: cn=write,cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
|
||||||
|
cn: write
|
||||||
|
member: cn=admins
|
||||||
|
member: cn=users
|
||||||
|
objectClass: groupOfNames
|
||||||
|
objectClass: top
|
||||||
|
|
||||||
|
dn: cn=admin,cn=ActiveMQ.Temp,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
|
||||||
|
cn: admin
|
||||||
|
member: cn=admins
|
||||||
|
member: cn=users
|
||||||
|
objectClass: groupOfNames
|
||||||
objectClass: top
|
objectClass: top
|
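Review bot: The new cn=ActiveMQ.Temp entry grants admin, read and write to cn=users as well as cn=admins, which means every authenticated user can create and consume temporary destinations; that is what JMS request/reply needs, but in an example configuration it should be stated, e.g. `## all authenticated users may create and use temp destinations (needed for request/reply)` above the entry, so operators copying it understand it is a deliberate grant rather than an oversight. The description change from "Advisory topic about consumers" to "Advisory topics" in the first hunk correctly reflects that the entry covers all advisory topics.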