CVE-2017-15695
Description
When an Apache Geode server, versions 1.0.0 to 1.4.0, is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Geode 1.0.0 to 1.4.0, users with DATA:WRITE can deploy code via internal functions, leading to RCE; fixed in 1.5.0.
Vulnerability
In Apache Geode versions 1.0.0 to 1.4.0, when a security manager is configured, the authorization check for code deployment is insufficient. Specifically, a user with DATA:WRITE privilege is allowed to invoke internal Geode functions that deploy code, contrary to the intended restriction that such operations require DATA:MANAGE privilege [1][2]. This vulnerability is identified as CVE-2017-15695 and affects all Geode server versions in the stated range [1].
Exploitation
An attacker must have network access to an Apache Geode server that has a security manager enabled [1]. The attacker must possess valid credentials with at least DATA:WRITE privilege [1]. By invoking an internal Geode function (e.g., via gfsh or JMX), the attacker can deploy arbitrary code on the server [1]. The commits fixing this issue show changes to function permission definitions, indicating that internal functions (such as FindRestEnabledServersFunction, AlterConnectionFunction, and AlterMappingFunction) were incorrectly allowed with lower privileges [2][3][4].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the Geode server with the privileges of the server process [1]. This leads to full remote code execution (RCE), compromising the confidentiality, integrity, and availability of the system [1]. The attacker can gain complete control over the Geode instance and potentially access sensitive data, modify stored data, or disrupt service.
Mitigation
The fix was implemented in Apache Geode version 1.5.0 [1]. Users should upgrade to Geode 1.5.0 or later. The fix involves tightening permission checks so that internal functions require DATA:MANAGE privilege instead of DATA:WRITE [2][3][4]. No workaround is available for vulnerable versions. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
- Release Notes - Geode - Apache Software Foundation
- GEODE-3974: Core function security improvement (#1310) · apache/geode@6df14c8
- GEODE-3974: improve permission for Internal functions (#1395) · apache/geode@aa46923
- GEODE-3974: Improve permissions for geode-connectors functions (#1265) · apache/geode@49d28f9
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
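The pattern behind the fix, a marker interface that defaults internal functions to the ALL permission (the InternalFunction interface in commit aa46923 under Patches), shown as a self-contained Java model with an audit that flags internal functions still callable with less. This is an added example, not Apache Geode's code: the types mirror names from the commits but are simplified stand-ins, the class names LegacyDeployFunction, HardenedDeployFunction, WeakenedInternalFunction and RegionUpdateFunction are hypothetical, and the DATA:WRITE default for ordinary functions is an assumption of the model.

```java
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Simplified model of the permission check discussed on this page. Every type
// here is a stand-in written for this example, not an Apache Geode class.
public class FunctionPermissionAudit {

    /** RESOURCE:OPERATION permission; "*" on both sides models ResourcePermissions.ALL. */
    record Permission(String resource, String operation) {
        static final Permission ALL = new Permission("*", "*");

        static Permission parse(String text) {
            String[] parts = text.split(":", 2);
            return new Permission(parts[0], parts.length > 1 ? parts[1] : "*");
        }

        /** True when a grant of this permission covers the required one. */
        boolean implies(Permission required) {
            return (resource.equals("*") || resource.equals(required.resource))
                && (operation.equals("*") || operation.equals(required.operation));
        }
    }

    /** Marker for functions meant to be called only by cluster members. */
    interface InternalEntity {}

    interface Function {
        String getId();

        // Assumption of this model: ordinary functions default to DATA:WRITE.
        default Collection<Permission> getRequiredPermissions() {
            return List.of(Permission.parse("DATA:WRITE"));
        }
    }

    /** Secure default: anything marked internal requires ALL unless it overrides. */
    interface InternalFunction extends Function, InternalEntity {
        @Override
        default Collection<Permission> getRequiredPermissions() {
            return List.of(Permission.ALL);
        }
    }

    // Pre-fix shape: marked internal but silently inherits the DATA:WRITE default.
    static class LegacyDeployFunction implements Function, InternalEntity {
        public String getId() { return "LegacyDeployFunction"; }
    }

    // Post-fix shape: inherits ALL from the marker interface.
    static class HardenedDeployFunction implements InternalFunction {
        public String getId() { return "HardenedDeployFunction"; }
    }

    // A default method cannot stop an override, so this regression is possible.
    static class WeakenedInternalFunction implements InternalFunction {
        public String getId() { return "WeakenedInternalFunction"; }
        @Override
        public Collection<Permission> getRequiredPermissions() {
            return List.of(Permission.parse("CLUSTER:READ"));
        }
    }

    // An ordinary user function; not internal, so the audit ignores it.
    static class RegionUpdateFunction implements Function {
        public String getId() { return "RegionUpdateFunction"; }
    }

    /** Every required permission must be covered by a grant; an empty requirement fails closed. */
    static boolean isAuthorized(Set<Permission> granted, Function function) {
        Collection<Permission> required = function.getRequiredPermissions();
        if (required.isEmpty()) {
            return false;
        }
        return required.stream()
            .allMatch(need -> granted.stream().anyMatch(have -> have.implies(need)));
    }

    /** Ids of internal functions that a caller without ALL could still be allowed to invoke. */
    static List<String> auditInternalFunctions(Collection<? extends Function> registered) {
        return registered.stream()
            .filter(f -> f instanceof InternalEntity)
            .filter(f -> {
                Collection<Permission> required = f.getRequiredPermissions();
                return !(required.size() == 1 && required.contains(Permission.ALL));
            })
            .map(Function::getId)
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Set<Permission> writer = Set.of(Permission.parse("DATA:WRITE"));
        Set<Permission> superUser = Set.of(Permission.ALL);
        List<Function> registered = List.of(new LegacyDeployFunction(),
            new HardenedDeployFunction(), new WeakenedInternalFunction(),
            new RegionUpdateFunction());
        for (Function f : registered) {
            System.out.printf("%-26s DATA:WRITE=%-5b ALL=%b%n", f.getId(),
                isAuthorized(writer, f), isAuthorized(superUser, f));
        }
        System.out.println("Internal functions not requiring ALL: "
            + auditInternalFunctions(registered));
    }
}
```

Run as a unit test over the functions a build registers, the audit catches both the pre-fix shape and a later override that weakens the default.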
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.geode:geode-core (Maven) | >= 1.0.0, < 1.5.0 | 1.5.0 |
Affected products
- Apache Software Foundation/Apache Geode (v5), range: 1.0.0 to 1.4.0
Patches
7954ccb545d24 GEODE-3974: revert a change to log the exception in the server logs (#1444)
1 file changed · +4 −3
geode-core/src/main/java/org/apache/geode/internal/cache/MemberFunctionStreamingMessage.java+4 −3 modified@@ -215,9 +215,10 @@ protected void process(final ClusterDistributionManager dm) { rex = new ReplyException(thr); replyWithException(dm, rex); } catch (Exception exception) { - logger.error("Exception occurred on remote member while executing Function: {}", - this.functionObject.getId(), exception); - + if (logger.isDebugEnabled()) { + logger.debug("Exception occurred on remote member while executing Function: {}", + this.functionObject.getId(), exception); + } stats.endFunctionExecutionWithException(this.functionObject.hasResult()); rex = new ReplyException(exception); replyWithException(dm, rex);
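Review bot: In the catch (Exception exception) block of process() in MemberFunctionStreamingMessage.java, moving the message from logger.error to a guarded logger.debug means a function that fails on a remote member leaves no entry in the server log unless debug logging is on; the only record is the ReplyException sent back to the caller. If the aim is to keep stack traces out of the server log, consider a single-line logger.warn carrying this.functionObject.getId() and the exception class, without the throwable, so operators can still see failed executions. The isDebugEnabled() guard is also unnecessary, since the parameterized logger.debug call only evaluates getId().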
aa4692398607 GEODE-3974: improve permission for Internal functions (#1395)
86 files changed · +258 −1001
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/AlterConnectionFunction.java+0 −9 modified@@ -14,8 +14,6 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; import java.util.Map; import org.apache.geode.annotations.Experimental; @@ -25,8 +23,6 @@ import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class AlterConnectionFunction @@ -90,9 +86,4 @@ private CliFunctionResult createSuccessResult(String connectionName, String memb String message = "Altered JDBC connection " + connectionName + " on " + member; return new CliFunctionResult(member, xmlEntity, message); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); - } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/AlterMappingFunction.java+0 −9 modified@@ -14,8 +14,6 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; import java.util.Map; import org.apache.geode.annotations.Experimental; @@ -25,8 +23,6 @@ import org.apache.geode.connectors.jdbc.internal.RegionMappingNotFoundException; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class AlterMappingFunction extends JdbcCliFunction<RegionMapping, CliFunctionResult> { @@ -88,9 +84,4 @@ private CliFunctionResult createSuccessResult(String connectionName, String memb String message = "Altered JDBC connection " + connectionName + " on " + member; return new CliFunctionResult(member, xmlEntity, message); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); - } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/CreateConnectionFunction.java+0 −10 modified@@ -14,18 +14,13 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.ConnectionConfigExistsException; import org.apache.geode.connectors.jdbc.internal.ConnectionConfiguration; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class CreateConnectionFunction @@ -58,9 +53,4 @@ private CliFunctionResult createSuccessResult(String connectionName, String memb String message = "Created JDBC connection " + connectionName + " on " + member; return new CliFunctionResult(member, xmlEntity, message); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); - } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/CreateMappingFunction.java+0 −10 modified@@ -14,18 +14,13 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.connectors.jdbc.internal.RegionMapping; import org.apache.geode.connectors.jdbc.internal.RegionMappingExistsException; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class CreateMappingFunction extends JdbcCliFunction<RegionMapping, CliFunctionResult> { @@ -62,9 +57,4 @@ private CliFunctionResult createSuccessResult(String regionName, String member, String message = "Created JDBC mapping for region " + regionName + " on " + member; return new CliFunctionResult(member, xmlEntity, message); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); - } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/DescribeConnectionFunction.java+0 −10 modified@@ -14,15 +14,10 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.ConnectionConfiguration; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class DescribeConnectionFunction extends JdbcCliFunction<String, ConnectionConfiguration> { @@ -36,9 +31,4 @@ ConnectionConfiguration getFunctionResult(JdbcConnectorService service, FunctionContext<String> context) { return service.getConnectionConfig(context.getArguments()); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_READ); - } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/DescribeMappingFunction.java+0 −10 modified@@ -14,15 +14,10 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.connectors.jdbc.internal.RegionMapping; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class DescribeMappingFunction extends JdbcCliFunction<String, RegionMapping> { @@ -35,9 +30,4 @@ public class DescribeMappingFunction extends JdbcCliFunction<String, RegionMappi RegionMapping getFunctionResult(JdbcConnectorService service, FunctionContext<String> context) { return service.getMappingForRegion(context.getArguments()); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_READ); - } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/DestroyConnectionFunction.java+0 −10 modified@@ -14,17 +14,12 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.ConnectionConfiguration; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class DestroyConnectionFunction extends JdbcCliFunction<String, CliFunctionResult> { @@ -81,9 +76,4 @@ private CliFunctionResult createNotFoundResult(String member, String connectionN String message = "Connection named \"" + connectionName + "\" not found"; return new CliFunctionResult(member, false, message); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); - } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/DestroyMappingFunction.java+0 −10 modified@@ -14,17 +14,12 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.connectors.jdbc.internal.RegionMapping; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class DestroyMappingFunction extends JdbcCliFunction<String, CliFunctionResult> { @@ -81,9 +76,4 @@ private CliFunctionResult createNotFoundResult(String member, String regionName) String message = "Region mapping for region \"" + regionName + "\" not found"; return new CliFunctionResult(member, false, message); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); - } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/JdbcCliFunction.java+2 −13 modified@@ -14,20 +14,14 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.annotations.Experimental; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental -public abstract class JdbcCliFunction<T1, T2> implements Function<T1>, InternalEntity { +public abstract class JdbcCliFunction<T1, T2> implements InternalFunction<T1> { private final FunctionContextArgumentProvider argumentProvider; private final ExceptionHandler exceptionHandler; @@ -59,11 +53,6 @@ public void execute(FunctionContext<T1> context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_READ); - } - String getMember(FunctionContext<T1> context) { return argumentProvider.getMember(context); }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/ListConnectionFunction.java+0 −9 modified@@ -14,16 +14,12 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; import java.util.Set; import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.ConnectionConfiguration; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class ListConnectionFunction extends JdbcCliFunction<Void, ConnectionConfiguration[]> { @@ -46,9 +42,4 @@ ConnectionConfiguration[] getConnectionConfigAsArray(JdbcConnectorService servic private Set<ConnectionConfiguration> getConnectionConfigs(JdbcConnectorService service) { return service.getConnectionConfigs(); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_READ); - } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/ListMappingFunction.java+0 −9 modified@@ -14,16 +14,12 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; -import java.util.Collection; -import java.util.Collections; import java.util.Set; import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.connectors.jdbc.internal.RegionMapping; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; @Experimental public class ListMappingFunction extends JdbcCliFunction<Void, RegionMapping[]> { @@ -45,9 +41,4 @@ RegionMapping[] getRegionMappingsAsArray(JdbcConnectorService service) { private Set<RegionMapping> getRegionMappings(JdbcConnectorService service) { return service.getRegionMappings(); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.CLUSTER_READ); - } }
geode-connectors/src/test/java/org/apache/geode/connectors/jdbc/internal/cli/JDBCConnectorFunctionsSecurityTest.java+11 −11 modified@@ -63,17 +63,17 @@ public class JDBCConnectorFunctionsSecurityTest { @BeforeClass public static void setupClass() { - functionStringMap.put(new AlterConnectionFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new AlterMappingFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new CreateConnectionFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new CreateMappingFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new DescribeConnectionFunction(), "CLUSTER:READ"); - functionStringMap.put(new DescribeMappingFunction(), "CLUSTER:READ"); - functionStringMap.put(new DestroyConnectionFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new DestroyMappingFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new ListConnectionFunction(), "CLUSTER:READ"); - functionStringMap.put(new ListMappingFunction(), "CLUSTER:READ"); - functionStringMap.put(new InheritsDefaultPermissionsJDBCFunction(), "CLUSTER:READ"); + functionStringMap.put(new AlterConnectionFunction(), "*"); + functionStringMap.put(new AlterMappingFunction(), "*"); + functionStringMap.put(new CreateConnectionFunction(), "*"); + functionStringMap.put(new CreateMappingFunction(), "*"); + functionStringMap.put(new DescribeConnectionFunction(), "*"); + functionStringMap.put(new DescribeMappingFunction(), "*"); + functionStringMap.put(new DestroyConnectionFunction(), "*"); + functionStringMap.put(new DestroyMappingFunction(), "*"); + functionStringMap.put(new ListConnectionFunction(), "*"); + functionStringMap.put(new ListMappingFunction(), "*"); + functionStringMap.put(new InheritsDefaultPermissionsJDBCFunction(), "*"); functionStringMap.keySet().forEach(FunctionService::registerFunction); }
geode-core/src/main/java/org/apache/geode/distributed/internal/deadlock/GemFireDeadlockDetector.java+2 −3 modified@@ -20,16 +20,15 @@ import java.util.concurrent.TimeUnit; import org.apache.geode.cache.execute.Execution; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionException; import org.apache.geode.cache.execute.FunctionService; import org.apache.geode.cache.execute.ResultCollector; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.distributed.internal.InternalDistributedSystem; import org.apache.geode.distributed.internal.membership.InternalDistributedMember; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.execute.AbstractExecution; +import org.apache.geode.internal.cache.execute.InternalFunction; /** * This class uses gemfire function execution to get the dependencies between threads present in @@ -103,7 +102,7 @@ public void clearResults() { return detector.getDependencyGraph(); } - private static class CollectDependencyFunction implements Function, InternalEntity { + private static class CollectDependencyFunction implements InternalFunction { private static final long serialVersionUID = 6204378622627095817L;
geode-core/src/main/java/org/apache/geode/internal/cache/execute/InternalFunction.java+40 −0 added@@ -0,0 +1,40 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ +package org.apache.geode.internal.cache.execute; + +import java.util.Collection; +import java.util.Collections; + +import org.apache.geode.cache.execute.Function; +import org.apache.geode.internal.InternalEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; + +/** + * Defines a marker interface to be used by all internal functions and expected to require + * ResourcePermissions.ALL to execute the function. Internal Functions are functions that are + * executed by members with in the distributed system, if a function is required by a client API + * then it shouldn't be an InternalFunction. + */ +public interface InternalFunction<T> extends Function<T>, InternalEntity { + + /** + * InternalFunction do require ResourcePermissions.ALL so that it only allows super users to + * invoke from Clients. So don't override this in implementations. 
+ */ + default Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.ALL); + } +}
geode-core/src/main/java/org/apache/geode/internal/cache/execute/util/FindRestEnabledServersFunction.java+2 −3 modified@@ -15,12 +15,11 @@ package org.apache.geode.internal.cache.execute.util; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.distributed.internal.InternalDistributedSystem; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.RestAgent; /** @@ -29,7 +28,7 @@ * * @since GemFire 8.1 */ -public class FindRestEnabledServersFunction implements Function, InternalEntity { +public class FindRestEnabledServersFunction implements InternalFunction { private static final long serialVersionUID = 7851518767859544678L; /**
geode-core/src/main/java/org/apache/geode/internal/cache/PRContainsValueFunction.java+2 −3 modified@@ -17,15 +17,14 @@ import java.util.Iterator; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.FunctionAdapter; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.RegionFunctionContext; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; /** * */ -public class PRContainsValueFunction extends FunctionAdapter implements InternalEntity { +public class PRContainsValueFunction implements InternalFunction { @Override public void execute(FunctionContext context) {
geode-core/src/main/java/org/apache/geode/internal/cache/snapshot/ClientExporter.java+2 −2 modified@@ -30,7 +30,7 @@ import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.snapshot.SnapshotOptions; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.snapshot.RegionSnapshotServiceImpl.ExportSink; import org.apache.geode.internal.cache.snapshot.RegionSnapshotServiceImpl.Exporter; import org.apache.geode.internal.cache.snapshot.RegionSnapshotServiceImpl.ResultSenderSink; @@ -118,7 +118,7 @@ public SnapshotOptions<K, V> getOptions() { * @param <K> the key type * @param <V> the value type */ - static class ProxyExportFunction<K, V> implements Function, InternalEntity { + static class ProxyExportFunction<K, V> implements InternalFunction { private static final long serialVersionUID = 1L; @Override
geode-core/src/main/java/org/apache/geode/internal/cache/snapshot/RegionSnapshotServiceImpl.java+2 −2 modified@@ -53,11 +53,11 @@ import org.apache.geode.internal.cache.CachePerfStats; import org.apache.geode.internal.cache.CachedDeserializable; import org.apache.geode.internal.cache.CachedDeserializableFactory; -import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.cache.LocalDataSet; import org.apache.geode.internal.cache.LocalRegion; import org.apache.geode.internal.cache.Token; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.snapshot.GFSnapshot.GFSnapshotImporter; import org.apache.geode.internal.cache.snapshot.GFSnapshot.SnapshotWriter; import org.apache.geode.internal.cache.snapshot.SnapshotPacket.SnapshotRecord; @@ -504,7 +504,7 @@ public SnapshotOptionsImpl<K, V> getOptions() { } } - private static class ParallelExportFunction<K, V> implements Function, InternalEntity { + private static class ParallelExportFunction<K, V> implements InternalFunction { @Override public boolean hasResult() { return true;
geode-core/src/main/java/org/apache/geode/internal/cache/snapshot/WindowedExporter.java+2 −3 modified@@ -32,7 +32,6 @@ import org.apache.geode.cache.EntryDestroyedException; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionException; import org.apache.geode.cache.execute.FunctionService; @@ -44,9 +43,9 @@ import org.apache.geode.distributed.DistributedMember; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.distributed.internal.ReplyProcessor21; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.LocalRegion; import org.apache.geode.internal.cache.execute.InternalExecution; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.execute.LocalResultCollector; import org.apache.geode.internal.cache.snapshot.FlowController.Window; import org.apache.geode.internal.cache.snapshot.RegionSnapshotServiceImpl.ExportSink; @@ -157,7 +156,7 @@ public SnapshotOptions<K, V> getOptions() { * * @see FlowController */ - private static class WindowedExportFunction<K, V> implements Function, InternalEntity { + private static class WindowedExportFunction<K, V> implements InternalFunction { private static final long serialVersionUID = 1L; // We must keep a ref here since the ProcessorKeeper only has a weak ref. If
geode-core/src/main/java/org/apache/geode/management/internal/beans/QueryDataFunction.java+2 −1 modified@@ -53,6 +53,7 @@ import org.apache.geode.internal.cache.LocalDataSet; import org.apache.geode.internal.cache.PartitionedRegion; import org.apache.geode.internal.cache.PartitionedRegionHelper; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.DistributedRegionMXBean; import org.apache.geode.management.ManagementService; @@ -486,7 +487,7 @@ private static Set<String> compileQuery(final InternalCache cache, final String /** * Function to gather data locally. This function is required to execute query with region context */ - private class LocalQueryFunction implements Function, InternalEntity { + private class LocalQueryFunction implements InternalFunction { private static final long serialVersionUID = 1L;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/AlterRuntimeConfigFunction.java+2 −12 modified@@ -14,28 +14,23 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.Map; import java.util.Map.Entry; import java.util.Set; import org.apache.logging.log4j.Logger; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.internal.ConfigSource; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.i18n.CliStrings; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class AlterRuntimeConfigFunction implements Function, InternalEntity { +public class AlterRuntimeConfigFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -89,11 +84,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_WRITE); - } - @Override public String getId() { return AlterRuntimeConfigFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ChangeLogLevelFunction.java+2 −12 modified@@ -16,25 +16,20 @@ import static org.apache.geode.distributed.ConfigurationProperties.LOG_LEVEL; -import java.util.Collection; -import java.util.Collections; import java.util.HashMap; import java.util.Map; import org.apache.logging.log4j.Level; import org.apache.logging.log4j.Logger; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.DistributionConfig; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.logging.log4j.LogLevel; import org.apache.geode.internal.logging.log4j.LogMarker; import org.apache.geode.internal.logging.log4j.LogWriterLogger; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** @@ -45,7 +40,7 @@ * */ -public class ChangeLogLevelFunction implements Function, InternalEntity { +public class ChangeLogLevelFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); public static final String ID = ChangeLogLevelFunction.class.getName(); @@ -76,11 +71,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_WRITE); - } - @Override public String getId() { return ChangeLogLevelFunction.ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableClientFunction.java+2 −13 modified@@ -14,26 +14,20 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier; import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.MemberResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /*** * Function to close a durable client * */ -public class CloseDurableClientFunction implements Function, InternalEntity { +public class CloseDurableClientFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -73,11 +67,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); - } - @Override public String getId() { return CloseDurableClientFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableCqFunction.java+2 −13 modified@@ -14,26 +14,20 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier; import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.MemberResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /*** * Function to close a durable cq * */ -public class CloseDurableCqFunction implements Function, InternalEntity { +public class CloseDurableCqFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -75,11 +69,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); - } - @Override public String getId() { return CloseDurableCqFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ContinuousQueryFunction.java+2 −11 modified@@ -16,26 +16,22 @@ import java.io.Serializable; import java.util.Collection; -import java.util.Collections; import java.util.Iterator; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.CacheServerImpl; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.tier.sockets.AcceptorImpl; import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier; import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy; import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID; import org.apache.geode.internal.cache.tier.sockets.ServerConnection; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * @since GemFire 8.0 */ -public class ContinuousQueryFunction implements Function, InternalEntity { +public class ContinuousQueryFunction implements InternalFunction { private static final long serialVersionUID = 1L; public static final String ID = ContinuousQueryFunction.class.getName(); @@ -106,11 +102,6 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(null); } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return ContinuousQueryFunction.ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateAsyncEventQueueFunction.java+2 −12 modified@@ -14,8 +14,6 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.HashMap; import java.util.Map; import java.util.Properties; @@ -27,29 +25,26 @@ import org.apache.geode.cache.Declarable; import org.apache.geode.cache.asyncqueue.AsyncEventListener; import org.apache.geode.cache.asyncqueue.AsyncEventQueueFactory; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.wan.GatewayEventFilter; import org.apache.geode.cache.wan.GatewayEventSubstitutionFilter; import org.apache.geode.cache.wan.GatewaySender.OrderPolicy; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.ClassPathLoader; import org.apache.geode.internal.InternalDataSerializer; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * Function used by the 'create async-event-queue' gfsh command to create an asynchronous event * queue on a member. * * @since GemFire 8.0 */ -public class CreateAsyncEventQueueFunction implements Function, InternalEntity { +public class CreateAsyncEventQueueFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 1L; 
@@ -132,11 +127,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY); - } - private Object newInstance(String className) throws ClassNotFoundException, IllegalAccessException, InstantiationException { if (Strings.isNullOrEmpty(className)) {
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDefinedIndexesFunction.java+2 −12 modified@@ -15,30 +15,25 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.query.Index; import org.apache.geode.cache.query.IndexType; import org.apache.geode.cache.query.MultiIndexCreationException; import org.apache.geode.cache.query.QueryService; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.domain.IndexInfo; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class CreateDefinedIndexesFunction implements Function, InternalEntity { +public class CreateDefinedIndexesFunction implements InternalFunction { private static final long serialVersionUID = 1L; @Override @@ -126,9 +121,4 @@ public void execute(FunctionContext context) { .lastResult(new CliFunctionResult(memberId, exception, exceptionMessage)); } } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); - } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDiskStoreFunction.java+2 −13 modified@@ -20,27 +20,21 @@ * @since GemFire 8.0 */ -import java.util.Collection; -import java.util.Collections; - import org.apache.logging.log4j.Logger; import org.apache.geode.SystemFailure; import org.apache.geode.cache.CacheClosedException; import org.apache.geode.cache.DiskStoreFactory; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.DiskStoreAttributes; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class CreateDiskStoreFunction implements Function, InternalEntity { +public class CreateDiskStoreFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 1L; @@ -84,11 +78,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DISK); - } - @Override public String getId() { return CreateDiskStoreFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateIndexFunction.java+2 −13 modified@@ -14,30 +14,24 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.query.IndexExistsException; import org.apache.geode.cache.query.IndexInvalidException; import org.apache.geode.cache.query.IndexNameConflictException; import org.apache.geode.cache.query.QueryService; import org.apache.geode.cache.query.RegionNotFoundException; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.domain.IndexInfo; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /*** * Function to create index in a member, based on different arguments passed to it * */ -public class CreateIndexFunction implements Function, InternalEntity { +public class CreateIndexFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -109,11 +103,6 @@ private void setResultInSender(FunctionContext context, IndexInfo indexInfo, Str } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); - } - private String getValidRegionName(Cache cache, String regionPath) { while (regionPath != null && cache.getRegion(regionPath) == null) { int dotPosition;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DataCommandFunction.java+2 −11 modified@@ -15,7 +15,6 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; -import java.util.Collection; import java.util.Collections; import java.util.Iterator; import java.util.List; @@ -29,7 +28,6 @@ import org.apache.geode.cache.DataPolicy; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.partition.PartitionRegionHelper; import org.apache.geode.cache.query.FunctionDomainException; @@ -48,10 +46,10 @@ import org.apache.geode.cache.query.internal.Undefined; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.ClassPathLoader; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.NanoTimer; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.cache.PartitionedRegion; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.security.SecurityService; import org.apache.geode.management.internal.cli.domain.DataCommandRequest; @@ -61,14 +59,12 @@ import org.apache.geode.management.internal.cli.json.GfJsonException; import org.apache.geode.management.internal.cli.json.GfJsonObject; import org.apache.geode.management.internal.cli.util.JsonUtil; -import org.apache.geode.management.internal.security.ResourcePermissions; import org.apache.geode.pdx.PdxInstance; -import org.apache.geode.security.ResourcePermission; /** * @since GemFire 7.0 */ -public class DataCommandFunction implements Function, InternalEntity { +public class DataCommandFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 1L; 
@@ -136,11 +132,6 @@ public void execute(FunctionContext functionContext) { } } - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.DATA_ALL); - } - - public DataCommandResult remove(DataCommandRequest request, InternalCache cache) { String key = request.getKey(); String keyClass = request.getKeyClass();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DeployFunction.java+2 −12 modified@@ -24,8 +24,6 @@ import java.nio.file.attribute.PosixFilePermission; import java.nio.file.attribute.PosixFilePermissions; import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -40,18 +38,15 @@ import org.apache.geode.SystemFailure; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.ClassPathLoader; import org.apache.geode.internal.DeployedJar; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class DeployFunction implements Function, InternalEntity { +public class DeployFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); public static final String ID = DeployFunction.class.getName(); @@ -122,11 +117,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY); - } - @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DescribeDiskStoreFunction.java+2 −12 modified@@ -16,8 +16,6 @@ package org.apache.geode.management.internal.cli.functions; import java.io.File; -import java.util.Collection; -import java.util.Collections; import java.util.HashSet; import java.util.Properties; import java.util.Set; @@ -31,20 +29,17 @@ import org.apache.geode.cache.EvictionAction; import org.apache.geode.cache.Region; import org.apache.geode.cache.asyncqueue.AsyncEventQueue; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.server.CacheServer; import org.apache.geode.cache.wan.GatewaySender; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.lang.ObjectUtils; import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.util.ArrayUtils; import org.apache.geode.management.internal.cli.domain.DiskStoreDetails; import org.apache.geode.management.internal.cli.exceptions.EntityNotFoundException; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * The DescribeDiskStoreFunction class is an implementation of a GemFire Function used to collect @@ -59,7 +54,7 @@ * @see org.apache.geode.management.internal.cli.domain.DiskStoreDetails * @since GemFire 7.0 */ -public class DescribeDiskStoreFunction implements Function, InternalEntity { +public class DescribeDiskStoreFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); 
@@ -135,11 +130,6 @@ public void execute(final FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - private void setDiskDirDetails(final DiskStore diskStore, final DiskStoreDetails diskStoreDetails) { File[] diskDirs = diskStore.getDiskDirs();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyAsyncEventQueueFunction.java+2 −13 modified@@ -14,24 +14,18 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.asyncqueue.internal.AsyncEventQueueImpl; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.commands.DestroyAsyncEventQueueCommand; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * Function used by the 'destroy async-event-queue' gfsh command to destroy an asynchronous event * queue on a member. */ -public class DestroyAsyncEventQueueFunction implements Function, InternalEntity { +public class DestroyAsyncEventQueueFunction implements InternalFunction { private static final long serialVersionUID = -7754359270344102817L; @@ -73,11 +67,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE); - } - XmlEntity getAEQXmlEntity(String key, String value) { XmlEntity xmlEntity = new XmlEntity(CacheXml.ASYNC_EVENT_QUEUE, key, value); return xmlEntity;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyDiskStoreFunction.java+2 −14 modified@@ -14,26 +14,20 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.DiskStore; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * Function used by the 'destroy disk-store' gfsh command to destroy a disk store on each member. * * @since GemFire 8.0 */ -public class DestroyDiskStoreFunction implements Function, InternalEntity { +public class DestroyDiskStoreFunction implements InternalFunction { private static final long serialVersionUID = 1L; @Override @@ -74,10 +68,4 @@ public void execute(FunctionContext context) { } context.getResultSender().lastResult(result); } - - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DISK); - } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyIndexFunction.java+2 −12 modified@@ -14,26 +14,21 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.List; import org.apache.geode.cache.Cache; import org.apache.geode.cache.CacheClosedException; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.query.Index; import org.apache.geode.cache.query.QueryService; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.domain.IndexInfo; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class DestroyIndexFunction implements Function, InternalEntity { +public class DestroyIndexFunction implements InternalFunction { private static final long serialVersionUID = -868082551095130315L; @Override @@ -105,11 +100,6 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(result); } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); - } - /*** * * @param name
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportConfigFunction.java+2 −12 modified@@ -16,28 +16,23 @@ import java.io.PrintWriter; import java.io.StringWriter; -import java.util.Collection; -import java.util.Collections; import java.util.Map; import org.apache.logging.log4j.Logger; import org.apache.geode.SystemFailure; import org.apache.geode.cache.Cache; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.distributed.internal.DistributionConfigImpl; import org.apache.geode.distributed.internal.InternalDistributedSystem; import org.apache.geode.internal.ConfigSource; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXmlGenerator; import org.apache.geode.internal.logging.LogService; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class ExportConfigFunction implements Function, InternalEntity { +public class ExportConfigFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); public static final String ID = ExportConfigFunction.class.getName(); @@ -118,11 +113,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportDataFunction.java+2 −12 modified@@ -15,29 +15,24 @@ package org.apache.geode.management.internal.cli.functions; import java.io.File; -import java.util.Collection; -import java.util.Collections; import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.snapshot.RegionSnapshotService; import org.apache.geode.cache.snapshot.SnapshotOptions; import org.apache.geode.cache.snapshot.SnapshotOptions.SnapshotFormat; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.snapshot.SnapshotOptionsImpl; import org.apache.geode.management.internal.cli.i18n.CliStrings; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /*** * Function which carries out the export of a region to a file on a member. Uses the * RegionSnapshotService to export the data * * */ -public class ExportDataFunction implements Function, InternalEntity { +public class ExportDataFunction implements InternalFunction { private static final long serialVersionUID = 1L; public void execute(FunctionContext context) { @@ -76,11 +71,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.DATA_READ); - } - public String getId() { return ExportDataFunction.class.getName(); }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportLogsFunction.java+2 −12 modified@@ -25,8 +25,6 @@ import java.time.LocalDateTime; import java.time.ZoneId; import java.util.Arrays; -import java.util.Collection; -import java.util.Collections; import org.apache.commons.lang.StringUtils; import org.apache.logging.log4j.Level; @@ -36,21 +34,18 @@ import org.apache.geode.cache.DataPolicy; import org.apache.geode.cache.Region; import org.apache.geode.cache.Scope; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.DistributionConfig; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.cache.InternalRegionArguments; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.logging.log4j.LogLevel; import org.apache.geode.management.internal.cli.commands.ExportLogsCommand; import org.apache.geode.management.internal.cli.util.ExportLogsCacheWriter; import org.apache.geode.management.internal.cli.util.LogExporter; import org.apache.geode.management.internal.cli.util.LogFilter; import org.apache.geode.management.internal.configuration.domain.Configuration; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * this function extracts the logs using a LogExporter which creates a zip file, and then writes the @@ -59,7 +54,7 @@ * * The function only extracts .log and .gfs files under server's working directory */ -public class ExportLogsFunction implements Function, InternalEntity { +public class ExportLogsFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); public static final String EXPORT_LOGS_REGION = "__exportLogsRegion"; 
@@ -123,11 +118,6 @@ public void execute(final FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - public static Region createOrGetExistingExportLogsRegion(boolean isInitiatingMember, InternalCache cache) throws IOException, ClassNotFoundException {
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchRegionAttributesFunction.java+2 −12 modified@@ -15,8 +15,6 @@ package org.apache.geode.management.internal.cli.functions; import java.util.Arrays; -import java.util.Collection; -import java.util.Collections; import java.util.List; import java.util.stream.Collectors; @@ -25,21 +23,18 @@ import org.apache.geode.cache.AttributesFactory; import org.apache.geode.cache.Cache; import org.apache.geode.cache.CacheListener; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.AbstractRegion; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.domain.ClassName; import org.apache.geode.management.internal.cli.i18n.CliStrings; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * * @since GemFire 7.0 */ -public class FetchRegionAttributesFunction implements Function, InternalEntity { +public class FetchRegionAttributesFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 4366812590788342070L; @@ -123,11 +118,6 @@ public static RegionAttributesWrapper getRegionAttributes(Cache cache, String re return result; } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchSharedConfigurationStatusFunction.java+2 −14 modified@@ -14,23 +14,16 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.commons.lang.StringUtils; -import org.apache.geode.cache.execute.FunctionAdapter; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.distributed.internal.InternalLocator; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.configuration.domain.SharedConfigurationStatus; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class FetchSharedConfigurationStatusFunction extends FunctionAdapter - implements InternalEntity { +public class FetchSharedConfigurationStatusFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -50,11 +43,6 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(result); } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return FetchSharedConfigurationStatusFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GarbageCollectionFunction.java+2 −13 modified@@ -14,20 +14,15 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.HashMap; import java.util.Map; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.util.BytesToString; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * @@ -36,7 +31,7 @@ * * */ -public class GarbageCollectionFunction implements Function, InternalEntity { +public class GarbageCollectionFunction implements InternalFunction { public static final String ID = GarbageCollectionFunction.class.getName(); private static final long serialVersionUID = 1L; @@ -71,12 +66,6 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(resultMap); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE); - } - @Override public String getId() { return GarbageCollectionFunction.ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewayReceiverCreateFunction.java+2 −12 modified@@ -14,34 +14,29 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.HashMap; import java.util.Map; import joptsimple.internal.Strings; import org.apache.logging.log4j.Logger; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.wan.GatewayReceiver; import org.apache.geode.cache.wan.GatewayReceiverFactory; import org.apache.geode.cache.wan.GatewayTransportFilter; import org.apache.geode.internal.ClassPathLoader; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * The function to a create GatewayReceiver using given configuration parameters. */ -public class GatewayReceiverCreateFunction implements Function, InternalEntity { +public class GatewayReceiverCreateFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); @@ -91,11 +86,6 @@ public void execute(FunctionContext context) { } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_GATEWAY); - } - /** * GatewayReceiver creation happens here. *
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderCreateFunction.java+2 −13 modified@@ -14,13 +14,9 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.logging.log4j.Logger; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.wan.GatewayEventFilter; @@ -29,15 +25,13 @@ import org.apache.geode.cache.wan.GatewaySenderFactory; import org.apache.geode.cache.wan.GatewayTransportFilter; import org.apache.geode.internal.ClassPathLoader; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class GatewaySenderCreateFunction implements Function, InternalEntity { +public class GatewaySenderCreateFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); @@ -71,11 +65,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_GATEWAY); - } - /** * Creates the GatewaySender with given configuration. *
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderDestroyFunction.java+2 −13 modified@@ -14,22 +14,16 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.wan.GatewaySender; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class GatewaySenderDestroyFunction implements Function, InternalEntity { +public class GatewaySenderDestroyFunction implements InternalFunction { private static final long serialVersionUID = 1L; private static final String ID = GatewaySenderDestroyFunction.class.getName(); public static GatewaySenderDestroyFunction INSTANCE = new GatewaySenderDestroyFunction(); @@ -70,11 +64,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_GATEWAY); - } - @Override public String getId() { return ID;
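Review bot: INSTANCE, in the context lines of the first hunk, is declared public static without final, so any code running on the member can reassign the shared instance of this function. The class declaration a few lines above it is already being edited, so change the field in the same commit to: public static final GatewaySenderDestroyFunction INSTANCE = new GatewaySenderDestroyFunction();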
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberConfigInformationFunction.java+2 −12 modified@@ -19,35 +19,30 @@ import java.lang.management.ManagementFactory; import java.lang.management.RuntimeMXBean; import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.server.CacheServer; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.distributed.internal.DistributionConfigImpl; import org.apache.geode.distributed.internal.InternalDistributedSystem; import org.apache.geode.internal.ConfigSource; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.CacheConfig; import org.apache.geode.internal.cache.GemFireCacheImpl; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.ha.HARegionQueue; import org.apache.geode.management.internal.cli.domain.MemberConfigurationInfo; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /**** * * */ -public class GetMemberConfigInformationFunction implements Function, InternalEntity { +public class GetMemberConfigInformationFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -138,11 +133,6 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(memberConfigInfo); } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - /**** * Gets the default values for the cache attributes *
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberInformationFunction.java+2 −12 modified@@ -17,35 +17,30 @@ import java.lang.management.ManagementFactory; import java.lang.management.MemoryMXBean; import java.lang.management.MemoryUsage; -import java.util.Collection; -import java.util.Collections; import java.util.Iterator; import java.util.List; import java.util.Map; import org.apache.geode.cache.Cache; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.server.CacheServer; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.distributed.internal.InternalDistributedSystem; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.CacheClientStatus; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.tier.InternalClientMembership; import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.CacheServerInfo; import org.apache.geode.management.internal.cli.domain.MemberInformation; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /*** * * since 7.0 */ -public class GetMemberInformationFunction implements Function, InternalEntity { +public class GetMemberInformationFunction implements InternalFunction { /** * */ @@ -143,11 +138,6 @@ public void execute(FunctionContext functionContext) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - private long bytesToMeg(long bytes) { return bytes / (1024L * 1024L); }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionDescriptionFunction.java+2 −13 modified@@ -15,19 +15,13 @@ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.cli.domain.RegionDescriptionPerMember; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class GetRegionDescriptionFunction implements Function, InternalEntity { +public class GetRegionDescriptionFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -51,9 +45,4 @@ public void execute(FunctionContext context) { context.getResultSender().sendException(e); } } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionsFunction.java+2 −12 modified@@ -14,24 +14,19 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.HashSet; import java.util.Set; import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.cli.domain.RegionInformation; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * Function that retrieves regions hosted on every member */ -public class GetRegionsFunction implements Function, InternalEntity { +public class GetRegionsFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -56,9 +51,4 @@ public void execute(FunctionContext functionContext) { functionContext.getResultSender().sendException(e); } } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetStackTracesFunction.java+2 −13 modified@@ -15,19 +15,13 @@ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.OSProcess; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.cli.domain.StackTracesPerMember; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class GetStackTracesFunction implements Function, InternalEntity { +public class GetStackTracesFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -48,11 +42,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { // TODO Auto-generated method stub
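Review bot: getId(), in the trailing context of the second hunk, still carries "// TODO Auto-generated method stub", and what it returns is not visible in these lines. The sibling functions in this commit return a stable identifier (return ID; or the class name); remove the TODO and make this method do the same, since the id is the name the function is looked up under.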
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetSubscriptionQueueSizeFunction.java+2 −13 modified@@ -14,30 +14,24 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.query.CqQuery; import org.apache.geode.cache.query.internal.CqQueryVsdStats; import org.apache.geode.cache.query.internal.cq.CqService; import org.apache.geode.cache.query.internal.cq.InternalCqQuery; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier; import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.SubscriptionQueueSizeResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /*** * Function to get subscription-queue-size * */ -public class GetSubscriptionQueueSizeFunction implements Function, InternalEntity { +public class GetSubscriptionQueueSizeFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -102,11 +96,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return GetSubscriptionQueueSizeFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ImportDataFunction.java+2 −12 modified@@ -15,27 +15,22 @@ package org.apache.geode.management.internal.cli.functions; import java.io.File; -import java.util.Collection; -import java.util.Collections; import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.snapshot.RegionSnapshotService; import org.apache.geode.cache.snapshot.SnapshotOptions; import org.apache.geode.cache.snapshot.SnapshotOptions.SnapshotFormat; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.cli.i18n.CliStrings; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /**** * Function which carries out the import of a region to a file on a member. Uses the * RegionSnapshotService to import the data * */ -public class ImportDataFunction implements Function, InternalEntity { +public class ImportDataFunction implements InternalFunction { private static final long serialVersionUID = 1L; @@ -74,11 +69,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.DATA_WRITE); - } - public String getId() { return ImportDataFunction.class.getName(); }
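Review bot: the second hunk removes the only statement of this function's privilege, ResourcePermissions.DATA_WRITE, and DATA:WRITE is the privilege level the advisory is about. Because the replacement value comes from InternalFunction and is not visible here, add a security test that executes ImportDataFunction as a user holding only DATA:WRITE and asserts the outcome the fix intends, so a later change to the interface default cannot silently alter it. Two smaller points in the context lines: getId() is missing @Override, and the class Javadoc says "import of a region to a file", which reads like the export description.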
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListAsyncEventQueuesFunction.java+2 −12 modified@@ -14,8 +14,6 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.Properties; import java.util.Set; @@ -26,15 +24,12 @@ import org.apache.geode.cache.CacheClosedException; import org.apache.geode.cache.asyncqueue.AsyncEventListener; import org.apache.geode.cache.asyncqueue.AsyncEventQueue; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.Declarable2; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.domain.AsyncEventQueueDetails; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * An implementation of GemFire Function interface used to determine all the async event queues that @@ -43,7 +38,7 @@ * * @since GemFire 8.0 */ -public class ListAsyncEventQueuesFunction implements Function, InternalEntity { +public class ListAsyncEventQueuesFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 1L; @@ -103,9 +98,4 @@ public void execute(final FunctionContext context) { context.getResultSender().lastResult(result); } } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDeployedFunction.java+2 −12 modified@@ -14,27 +14,22 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.List; import org.apache.logging.log4j.Logger; import org.apache.geode.SystemFailure; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.ClassPathLoader; import org.apache.geode.internal.DeployedJar; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.JarDeployer; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class ListDeployedFunction implements Function, InternalEntity { +public class ListDeployedFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); public static final String ID = ListDeployedFunction.class.getName(); @@ -85,11 +80,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDiskStoresFunction.java+2 −12 modified@@ -15,22 +15,17 @@ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.HashSet; import java.util.Properties; import java.util.Set; import org.apache.geode.cache.Cache; import org.apache.geode.cache.DiskStore; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.cli.domain.DiskStoreDetails; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * The ListDiskStoresFunction class is an implementation of GemFire Function interface used to @@ -46,7 +41,7 @@ * @see org.apache.geode.management.internal.cli.domain.DiskStoreDetails * @since GemFire 7.0 */ -public class ListDiskStoresFunction implements Function, InternalEntity { +public class ListDiskStoresFunction implements InternalFunction { @SuppressWarnings("unused") public void init(final Properties props) {} @@ -77,9 +72,4 @@ public void execute(final FunctionContext context) { context.getResultSender().sendException(e); } } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDurableCqNamesFunction.java+2 −12 modified@@ -16,23 +16,18 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; import java.util.List; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.query.internal.cq.CqService; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier; import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.DurableCqNamesResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * The ListDurableCqs class is a GemFire function used to collect all the durable client names on @@ -48,7 +43,7 @@ * @since GemFire 7.0.1 */ @SuppressWarnings("unused") -public class ListDurableCqNamesFunction implements Function, InternalEntity { +public class ListDurableCqNamesFunction implements InternalFunction { private static final long serialVersionUID = 1L; public String getId() { @@ -93,9 +88,4 @@ public void execute(final FunctionContext context) { context.getResultSender().lastResult(result); } } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListFunctionFunction.java+2 −11 modified@@ -14,8 +14,6 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.LinkedList; import java.util.List; import java.util.Map; @@ -31,12 +29,10 @@ import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionService; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class ListFunctionFunction implements Function, InternalEntity { +public class ListFunctionFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); public static final String ID = ListFunctionFunction.class.getName(); @@ -94,11 +90,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListIndexFunction.java+2 −12 modified@@ -15,20 +15,15 @@ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.HashSet; import java.util.Set; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.query.Index; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.cli.domain.IndexDetails; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * The ListIndexFunction class is a GemFire function used to collect all the index information on @@ -44,7 +39,7 @@ * @since GemFire 7.0 */ @SuppressWarnings("unused") -public class ListIndexFunction implements Function, InternalEntity { +public class ListIndexFunction implements InternalFunction { public String getId() { return ListIndexFunction.class.getName(); @@ -66,9 +61,4 @@ public void execute(final FunctionContext context) { context.getResultSender().sendException(e); } } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ_QUERY); - } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/NetstatFunction.java+2 −12 modified@@ -27,32 +27,27 @@ import java.io.InputStreamReader; import java.io.Serializable; import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; import java.util.List; import org.apache.logging.log4j.Logger; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedSystem; import org.apache.geode.distributed.internal.InternalDistributedSystem; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.CliUtil.DeflaterInflaterData; import org.apache.geode.management.internal.cli.GfshParser; import org.apache.geode.management.internal.cli.i18n.CliStrings; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * Executes 'netstat' OS command & returns the result as compressed bytes. * * @since GemFire 7.0 */ @SuppressWarnings({"serial"}) -public class NetstatFunction implements Function, InternalEntity { +public class NetstatFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 1L; @@ -93,11 +88,6 @@ public void execute(final FunctionContext context) { context.getResultSender().lastResult(result); } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - private static void addMemberHostHeader(final StringBuilder netstatInfo, final String id, final String host, final String lineSeparator) {
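Review bot: @SuppressWarnings({"serial"}) directly above the class declaration in the first hunk is redundant, because the class declares serialVersionUID two lines below it; drop the annotation while the declaration line is being changed. The Javadoc in the same hunk says this function executes the 'netstat' OS command, so it is also worth stating there which permission a caller needs now that the CLUSTER_READ override is gone.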
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RebalanceFunction.java+2 −12 modified@@ -14,8 +14,6 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.Iterator; import java.util.Set; import java.util.concurrent.CancellationException; @@ -27,16 +25,13 @@ import org.apache.geode.cache.control.RebalanceOperation; import org.apache.geode.cache.control.RebalanceResults; import org.apache.geode.cache.control.ResourceManager; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.partition.PartitionRebalanceInfo; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class RebalanceFunction implements Function, InternalEntity { +public class RebalanceFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); public static final String ID = RebalanceFunction.class.getName(); @@ -94,11 +89,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.DATA_MANAGE); - } - @Override public String getId() { return RebalanceFunction.ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionAlterFunction.java+2 −12 modified@@ -14,8 +14,6 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.Set; import org.apache.logging.log4j.Logger; @@ -27,28 +25,25 @@ import org.apache.geode.cache.CacheLoader; import org.apache.geode.cache.CacheWriter; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.internal.ClassPathLoader; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.AbstractRegion; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.ClassName; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.cli.util.RegionPath; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * Function used by the 'alter region' gfsh command to alter a region on each member. * * @since GemFire 8.0 */ -public class RegionAlterFunction implements Function, InternalEntity { +public class RegionAlterFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = -4846425364943216425L; 
@@ -98,11 +93,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.DATA_MANAGE); - } - private <K, V> Region<?, ?> alterRegion(Cache cache, RegionFunctionArgs regionAlterArgs) { final String regionPathString = regionAlterArgs.getRegionPath();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionCreateFunction.java+2 −12 modified@@ -15,8 +15,6 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; import java.util.List; import java.util.Set; @@ -38,13 +36,12 @@ import org.apache.geode.cache.RegionExistsException; import org.apache.geode.cache.RegionFactory; import org.apache.geode.cache.RegionShortcut; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.util.ObjectSizer; import org.apache.geode.compression.Compressor; import org.apache.geode.internal.ClassPathLoader; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.i18n.LocalizedStrings; import org.apache.geode.internal.logging.LogService; @@ -54,14 +51,12 @@ import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.cli.util.RegionPath; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * * @since GemFire 7.0 */ -public class RegionCreateFunction implements Function, InternalEntity { +public class RegionCreateFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); 
@@ -128,11 +123,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(ResourcePermissions.DATA_MANAGE); - } - private CliFunctionResult handleException(final String memberNameOrId, final String exceptionMsg, final Exception e) { if (e != null && logger.isDebugEnabled()) {
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionDestroyFunction.java+2 −13 modified@@ -14,26 +14,20 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; import org.apache.geode.cache.RegionDestroyedException; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * * @since GemFire 7.0 */ -public class RegionDestroyFunction implements Function, InternalEntity { +public class RegionDestroyFunction implements InternalFunction { private static final long serialVersionUID = 9172773671865750685L; public static final RegionDestroyFunction INSTANCE = new RegionDestroyFunction(); @@ -91,11 +85,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.DATA_MANAGE); - } - @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShowMissingDiskStoresFunction.java+2 −12 modified@@ -14,27 +14,22 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.cache.PartitionedRegion; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.partitioned.ColocatedRegionDetails; import org.apache.geode.internal.cache.persistence.PersistentMemberID; import org.apache.geode.internal.cache.persistence.PersistentMemberManager; import org.apache.geode.internal.cache.persistence.PersistentMemberPattern; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class ShowMissingDiskStoresFunction implements Function, InternalEntity { +public class ShowMissingDiskStoresFunction implements InternalFunction { @Override public void execute(FunctionContext context) { @@ -88,11 +83,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return getClass().getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShutDownFunction.java+2 −12 modified@@ -14,23 +14,18 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.concurrent.ExecutionException; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; import java.util.concurrent.Future; import org.apache.logging.log4j.Logger; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.InternalDistributedSystem; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.tcp.ConnectionTable; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; /** * @@ -39,7 +34,7 @@ * * */ -public class ShutDownFunction implements Function, InternalEntity { +public class ShutDownFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); public static final String ID = ShutDownFunction.class.getName(); @@ -96,11 +91,6 @@ public String getId() { } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE); - } - @Override public boolean hasResult() { return true;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/SizeExportLogsFunction.java+2 −12 modified@@ -16,26 +16,21 @@ import java.io.File; import java.io.IOException; -import java.util.Collection; -import java.util.Collections; import org.apache.logging.log4j.Logger; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.distributed.internal.DistributionConfig; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.ManagementException; import org.apache.geode.management.internal.cli.util.BytesToString; import org.apache.geode.management.internal.cli.util.LogExporter; import org.apache.geode.management.internal.cli.util.LogFilter; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class SizeExportLogsFunction extends ExportLogsFunction implements Function, InternalEntity { +public class SizeExportLogsFunction extends ExportLogsFunction implements InternalFunction { private static final Logger LOGGER = LogService.getLogger(); private static final long serialVersionUID = 1L; @@ -97,9 +92,4 @@ long estimateLogFileSize(final DistributedMember member, final File logFile, return estimatedSize; } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UndeployFunction.java+2 −12 modified@@ -15,28 +15,23 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; import java.util.List; import org.apache.commons.lang.ArrayUtils; import org.apache.logging.log4j.Logger; import org.apache.geode.SystemFailure; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.ClassPathLoader; import org.apache.geode.internal.DeployedJar; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.JarDeployer; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class UndeployFunction implements Function, InternalEntity { +public class UndeployFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); public static final String ID = UndeployFunction.class.getName(); @@ -111,11 +106,6 @@ public void execute(FunctionContext context) { } } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY); - } - @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UnregisterFunction.java+2 −13 modified@@ -14,17 +14,11 @@ */ package org.apache.geode.management.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionService; -import org.apache.geode.internal.InternalEntity; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; +import org.apache.geode.internal.cache.execute.InternalFunction; -public class UnregisterFunction implements Function, InternalEntity { +public class UnregisterFunction implements InternalFunction { public static final String ID = UnregisterFunction.class.getName(); private static final long serialVersionUID = 1L; @@ -45,11 +39,6 @@ public String getId() { return UnregisterFunction.ID; } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY); - } - @Override public boolean hasResult() { return true;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UserFunctionExecution.java+2 −2 modified@@ -34,8 +34,8 @@ import org.apache.geode.cache.execute.ResultCollector; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.ClassPathLoader; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.security.SecurityService; import org.apache.geode.management.internal.cli.i18n.CliStrings; @@ -45,7 +45,7 @@ /** * @since GemFire 7.0 */ -public class UserFunctionExecution implements Function<Object[]>, InternalEntity { +public class UserFunctionExecution implements InternalFunction<Object[]> { public static final String ID = UserFunctionExecution.class.getName(); private static Logger logger = LogService.getLogger();
geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/DownloadJarFunction.java+2 −12 modified@@ -20,28 +20,23 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.rmi.RemoteException; -import java.util.Collection; -import java.util.Collections; import com.healthmarketscience.rmiio.RemoteInputStream; import com.healthmarketscience.rmiio.RemoteInputStreamServer; import com.healthmarketscience.rmiio.SimpleRemoteInputStream; import com.healthmarketscience.rmiio.exporter.RemoteStreamExporter; import org.apache.logging.log4j.Logger; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionException; import org.apache.geode.distributed.Locator; import org.apache.geode.distributed.internal.ClusterConfigurationService; import org.apache.geode.distributed.internal.InternalLocator; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.SystemManagementService; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class DownloadJarFunction implements Function<Object[]>, InternalEntity { +public class DownloadJarFunction implements InternalFunction<Object[]> { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 1L; @@ -88,11 +83,6 @@ public void execute(FunctionContext<Object[]> context) { context.getResultSender().lastResult(result); } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return DownloadJarFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunction.java+2 −15 modified@@ -16,23 +16,18 @@ package org.apache.geode.management.internal.configuration.functions; import java.io.IOException; -import java.util.Collection; -import java.util.Collections; import java.util.Set; import org.apache.logging.log4j.Logger; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.ClusterConfigurationService; import org.apache.geode.distributed.internal.InternalLocator; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.configuration.messages.ConfigurationResponse; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class GetClusterConfigurationFunction implements Function, InternalEntity { +public class GetClusterConfigurationFunction implements InternalFunction { private static final Logger logger = LogService.getLogger(); @Override @@ -53,12 +48,4 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(e); } } - - /** - * this function will return all cluster config which will potentially leak security information. - * Thus we require all permissions to execute this function - **/ - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.ALL); - } }
geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetRegionNamesFunction.java+2 −12 modified@@ -16,20 +16,15 @@ import static java.util.stream.Collectors.toSet; -import java.util.Collection; -import java.util.Collections; import java.util.Set; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.cache.InternalRegion; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; +import org.apache.geode.internal.cache.execute.InternalFunction; -public class GetRegionNamesFunction implements Function, InternalEntity { +public class GetRegionNamesFunction implements InternalFunction { @Override public void execute(FunctionContext context) { InternalCache cache = GemFireCacheImpl.getInstance(); @@ -40,11 +35,6 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(regions); } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_READ); - } - @Override public String getId() { return GetRegionNamesFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/RecreateCacheFunction.java+2 −13 modified@@ -14,21 +14,15 @@ */ package org.apache.geode.management.internal.configuration.functions; -import java.util.Collection; -import java.util.Collections; - -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.InternalDistributedSystem; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.CacheConfig; import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; -import org.apache.geode.management.internal.security.ResourcePermissions; -import org.apache.geode.security.ResourcePermission; -public class RecreateCacheFunction implements Function, InternalEntity { +public class RecreateCacheFunction implements InternalFunction { @Override public void execute(FunctionContext context) { CliFunctionResult result = null; @@ -47,11 +41,6 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(result); } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE); - } - @Override public String getId() { return RecreateCacheFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/JmxManagerLocator.java+2 −3 modified@@ -24,16 +24,15 @@ import org.apache.geode.cache.Cache; import org.apache.geode.cache.CacheFactory; import org.apache.geode.cache.GemFireCache; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionService; import org.apache.geode.distributed.DistributedSystem; import org.apache.geode.distributed.internal.ClusterConfigurationService; import org.apache.geode.distributed.internal.membership.InternalDistributedMember; import org.apache.geode.distributed.internal.tcpserver.TcpHandler; import org.apache.geode.distributed.internal.tcpserver.TcpServer; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.AlreadyRunningException; import org.apache.geode.management.ManagementService; @@ -196,7 +195,7 @@ private boolean sendStartJmxManager(InternalDistributedMember distributedMember) } } - public static class StartJmxManagerFunction implements Function, InternalEntity { + public static class StartJmxManagerFunction implements InternalFunction { private static final long serialVersionUID = -2860286061903069789L; public static final String ID = StartJmxManagerFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/ManagementFunction.java+2 −3 modified@@ -25,11 +25,10 @@ import org.apache.logging.log4j.Logger; -import org.apache.geode.cache.execute.FunctionAdapter; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; /** @@ -42,7 +41,7 @@ * 1) All setter methods 2) All operations 3) addNotificationListener 4) removeNotificationListener * 5) getNotificationInfo */ -public class ManagementFunction extends FunctionAdapter implements InternalEntity { +public class ManagementFunction implements InternalFunction { private static final Logger logger = LogService.getLogger();
geode-core/src/test/java/org/apache/geode/cache/execute/CoreFunctionSecurityTest.java+50 −50 modified@@ -103,57 +103,57 @@ public class CoreFunctionSecurityTest { @BeforeClass public static void setupClass() { - functionStringMap.put(new AlterRuntimeConfigFunction(), "CLUSTER:WRITE"); - functionStringMap.put(new ChangeLogLevelFunction(), "CLUSTER:WRITE"); - functionStringMap.put(new CloseDurableClientFunction(), "CLUSTER:MANAGE:QUERY"); - functionStringMap.put(new CloseDurableCqFunction(), "CLUSTER:MANAGE:QUERY"); - functionStringMap.put(new ContinuousQueryFunction(), "CLUSTER:READ"); - functionStringMap.put(new CreateAsyncEventQueueFunction(), "CLUSTER:MANAGE:DEPLOY"); - functionStringMap.put(new CreateDefinedIndexesFunction(), "CLUSTER:MANAGE:QUERY"); - functionStringMap.put(new CreateDiskStoreFunction(), "CLUSTER:MANAGE:DISK"); - functionStringMap.put(new CreateIndexFunction(), "CLUSTER:MANAGE:QUERY"); - functionStringMap.put(new DataCommandFunction(), "DATA"); - functionStringMap.put(new DeployFunction(), "CLUSTER:MANAGE:DEPLOY"); - functionStringMap.put(new DescribeDiskStoreFunction(), "CLUSTER:READ"); - functionStringMap.put(new DestroyAsyncEventQueueFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new DestroyDiskStoreFunction(), "CLUSTER:MANAGE:DISK"); - functionStringMap.put(new DestroyIndexFunction(), "CLUSTER:MANAGE:QUERY"); - functionStringMap.put(new ExportConfigFunction(), "CLUSTER:READ"); - functionStringMap.put(new ExportDataFunction(), "DATA:READ"); - functionStringMap.put(new ExportLogsFunction(), "CLUSTER:READ"); - functionStringMap.put(new FetchRegionAttributesFunction(), "CLUSTER:READ"); - functionStringMap.put(new FetchSharedConfigurationStatusFunction(), "CLUSTER:READ"); - functionStringMap.put(new GarbageCollectionFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new GatewayReceiverCreateFunction(), "CLUSTER:MANAGE:GATEWAY"); - functionStringMap.put(new GatewaySenderCreateFunction(), "CLUSTER:MANAGE:GATEWAY"); - 
functionStringMap.put(new GatewaySenderDestroyFunction(), "CLUSTER:MANAGE:GATEWAY"); + functionStringMap.put(new AlterRuntimeConfigFunction(), "*"); + functionStringMap.put(new ChangeLogLevelFunction(), "*"); + functionStringMap.put(new CloseDurableClientFunction(), "*"); + functionStringMap.put(new CloseDurableCqFunction(), "*"); + functionStringMap.put(new ContinuousQueryFunction(), "*"); + functionStringMap.put(new CreateAsyncEventQueueFunction(), "*"); + functionStringMap.put(new CreateDefinedIndexesFunction(), "*"); + functionStringMap.put(new CreateDiskStoreFunction(), "*"); + functionStringMap.put(new CreateIndexFunction(), "*"); + functionStringMap.put(new DataCommandFunction(), "*"); + functionStringMap.put(new DeployFunction(), "*"); + functionStringMap.put(new DescribeDiskStoreFunction(), "*"); + functionStringMap.put(new DestroyAsyncEventQueueFunction(), "*"); + functionStringMap.put(new DestroyDiskStoreFunction(), "*"); + functionStringMap.put(new DestroyIndexFunction(), "*"); + functionStringMap.put(new ExportConfigFunction(), "*"); + functionStringMap.put(new ExportDataFunction(), "*"); + functionStringMap.put(new ExportLogsFunction(), "*"); + functionStringMap.put(new FetchRegionAttributesFunction(), "*"); + functionStringMap.put(new FetchSharedConfigurationStatusFunction(), "*"); + functionStringMap.put(new GarbageCollectionFunction(), "*"); + functionStringMap.put(new GatewayReceiverCreateFunction(), "*"); + functionStringMap.put(new GatewaySenderCreateFunction(), "*"); + functionStringMap.put(new GatewaySenderDestroyFunction(), "*"); functionStringMap.put(new GetClusterConfigurationFunction(), "*"); - functionStringMap.put(new GetMemberConfigInformationFunction(), "CLUSTER:READ"); - functionStringMap.put(new GetMemberInformationFunction(), "CLUSTER:READ"); - functionStringMap.put(new GetRegionDescriptionFunction(), "CLUSTER:READ"); - functionStringMap.put(new GetRegionsFunction(), "CLUSTER:READ"); - functionStringMap.put(new 
GetStackTracesFunction(), "CLUSTER:READ"); - functionStringMap.put(new GetSubscriptionQueueSizeFunction(), "CLUSTER:READ"); - functionStringMap.put(new ImportDataFunction(), "DATA:WRITE"); - functionStringMap.put(new ListAsyncEventQueuesFunction(), "CLUSTER:READ"); - functionStringMap.put(new ListDeployedFunction(), "CLUSTER:READ"); - functionStringMap.put(new ListDiskStoresFunction(), "CLUSTER:READ"); - functionStringMap.put(new ListDurableCqNamesFunction(), "CLUSTER:READ"); - functionStringMap.put(new ListFunctionFunction(), "CLUSTER:READ"); - functionStringMap.put(new ListIndexFunction(), "CLUSTER:READ:QUERY"); - functionStringMap.put(new NetstatFunction(), "CLUSTER:READ"); - functionStringMap.put(new RebalanceFunction(), "DATA:MANAGE"); - functionStringMap.put(new RegionAlterFunction(), "DATA:MANAGE"); - functionStringMap.put(new RegionCreateFunction(), "DATA:MANAGE"); - functionStringMap.put(new RegionDestroyFunction(), "DATA:MANAGE"); - functionStringMap.put(new ShowMissingDiskStoresFunction(), "CLUSTER:READ"); - functionStringMap.put(new ShutDownFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new SizeExportLogsFunction(), "CLUSTER:READ"); - functionStringMap.put(new UndeployFunction(), "CLUSTER:MANAGE:DEPLOY"); - functionStringMap.put(new UnregisterFunction(), "CLUSTER:MANAGE:DEPLOY"); - functionStringMap.put(new GetRegionNamesFunction(), "CLUSTER:READ"); - functionStringMap.put(new RecreateCacheFunction(), "CLUSTER:MANAGE"); - functionStringMap.put(new DownloadJarFunction(), "CLUSTER:READ"); + functionStringMap.put(new GetMemberConfigInformationFunction(), "*"); + functionStringMap.put(new GetMemberInformationFunction(), "*"); + functionStringMap.put(new GetRegionDescriptionFunction(), "*"); + functionStringMap.put(new GetRegionsFunction(), "*"); + functionStringMap.put(new GetStackTracesFunction(), "*"); + functionStringMap.put(new GetSubscriptionQueueSizeFunction(), "*"); + functionStringMap.put(new ImportDataFunction(), "*"); + 
functionStringMap.put(new ListAsyncEventQueuesFunction(), "*"); + functionStringMap.put(new ListDeployedFunction(), "*"); + functionStringMap.put(new ListDiskStoresFunction(), "*"); + functionStringMap.put(new ListDurableCqNamesFunction(), "*"); + functionStringMap.put(new ListFunctionFunction(), "*"); + functionStringMap.put(new ListIndexFunction(), "*"); + functionStringMap.put(new NetstatFunction(), "*"); + functionStringMap.put(new RebalanceFunction(), "*"); + functionStringMap.put(new RegionAlterFunction(), "*"); + functionStringMap.put(new RegionCreateFunction(), "*"); + functionStringMap.put(new RegionDestroyFunction(), "*"); + functionStringMap.put(new ShowMissingDiskStoresFunction(), "*"); + functionStringMap.put(new ShutDownFunction(), "*"); + functionStringMap.put(new SizeExportLogsFunction(), "*"); + functionStringMap.put(new UndeployFunction(), "*"); + functionStringMap.put(new UnregisterFunction(), "*"); + functionStringMap.put(new GetRegionNamesFunction(), "*"); + functionStringMap.put(new RecreateCacheFunction(), "*"); + functionStringMap.put(new DownloadJarFunction(), "*"); functionStringMap.keySet().forEach(FunctionService::registerFunction); }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java+2 −15 modified@@ -18,9 +18,6 @@ import static org.apache.geode.cache.lucene.internal.LuceneServiceImpl.validateCommandParameters.INDEX_NAME; import static org.apache.geode.cache.lucene.internal.LuceneServiceImpl.validateCommandParameters.REGION_PATH; -import java.util.Collection; -import java.util.Collections; - import org.apache.commons.lang.StringUtils; import org.apache.lucene.analysis.Analyzer; import org.apache.lucene.analysis.standard.StandardAnalyzer; @@ -36,17 +33,13 @@ import org.apache.geode.cache.lucene.internal.cli.LuceneCliStrings; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo; -import org.apache.geode.cache.lucene.internal.security.LucenePermission; -import org.apache.geode.cache.lucene.internal.xml.LuceneXmlConstants; import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.security.ResourcePermission; -import org.apache.geode.security.ResourcePermission.Operation; -import org.apache.geode.security.ResourcePermission.Resource; /** @@ -61,7 +54,7 @@ * @see LuceneIndexDetails */ @SuppressWarnings("unused") -public class LuceneCreateIndexFunction implements InternalEntity, Function { +public class LuceneCreateIndexFunction implements InternalFunction { private static final long serialVersionUID = 3061443846664615818L; 
@@ -129,12 +122,6 @@ protected XmlEntity getXmlEntity(String indexName, String regionPath) { return new XmlEntity(CacheXml.REGION, "name", regionName); } - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton( - new ResourcePermission(Resource.CLUSTER, Operation.MANAGE, LucenePermission.TARGET)); - } - private LuceneSerializer toSerializer(String serializerName) throws InstantiationException, IllegalAccessException, ClassNotFoundException { String trimmedName = StringUtils.trim(serializerName);
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java+2 −14 modified@@ -15,9 +15,6 @@ package org.apache.geode.cache.lucene.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.geode.cache.Cache; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; @@ -28,11 +25,8 @@ import org.apache.geode.cache.lucene.internal.LuceneServiceImpl; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo; -import org.apache.geode.cache.lucene.internal.security.LucenePermission; import org.apache.geode.internal.InternalEntity; -import org.apache.geode.security.ResourcePermission; -import org.apache.geode.security.ResourcePermission.Operation; -import org.apache.geode.security.ResourcePermission.Resource; +import org.apache.geode.internal.cache.execute.InternalFunction; /** * The LuceneDescribeIndexFunction class is a function used to collect the information on a @@ -48,7 +42,7 @@ * @see LuceneIndexInfo */ @SuppressWarnings("unused") -public class LuceneDescribeIndexFunction implements InternalEntity, Function { +public class LuceneDescribeIndexFunction implements InternalFunction { private static final long serialVersionUID = 1776072528558670172L; @@ -73,10 +67,4 @@ public void execute(final FunctionContext context) { } context.getResultSender().lastResult(result); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton( - new ResourcePermission(Resource.CLUSTER, Operation.READ, LucenePermission.TARGET)); - } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java+2 −16 modified@@ -14,28 +14,20 @@ */ package org.apache.geode.cache.lucene.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; - import org.apache.commons.lang.StringUtils; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.lucene.LuceneService; import org.apache.geode.cache.lucene.LuceneServiceProvider; import org.apache.geode.cache.lucene.internal.LuceneServiceImpl; import org.apache.geode.cache.lucene.internal.cli.LuceneDestroyIndexInfo; -import org.apache.geode.cache.lucene.internal.security.LucenePermission; import org.apache.geode.cache.lucene.internal.xml.LuceneXmlConstants; -import org.apache.geode.internal.InternalEntity; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; -import org.apache.geode.security.ResourcePermission; -import org.apache.geode.security.ResourcePermission.Operation; -import org.apache.geode.security.ResourcePermission.Resource; -public class LuceneDestroyIndexFunction implements Function, InternalEntity { +public class LuceneDestroyIndexFunction implements InternalFunction { public void execute(final FunctionContext context) { CliFunctionResult result; String memberId = context.getCache().getDistributedSystem().getDistributedMember().getId(); 
@@ -72,10 +64,4 @@ protected XmlEntity getXmlEntity(String indexName, String regionPath) { return new XmlEntity(CacheXml.REGION, "name", regionName, LuceneXmlConstants.PREFIX, LuceneXmlConstants.NAMESPACE, LuceneXmlConstants.INDEX, "name", indexName); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton( - new ResourcePermission(Resource.CLUSTER, Operation.MANAGE, LucenePermission.TARGET)); - } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java+2 −13 modified@@ -15,8 +15,6 @@ package org.apache.geode.cache.lucene.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.HashSet; import java.util.Set; @@ -29,11 +27,8 @@ import org.apache.geode.cache.lucene.internal.LuceneIndexImpl; import org.apache.geode.cache.lucene.internal.LuceneServiceImpl; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails; -import org.apache.geode.cache.lucene.internal.security.LucenePermission; import org.apache.geode.internal.InternalEntity; -import org.apache.geode.security.ResourcePermission; -import org.apache.geode.security.ResourcePermission.Operation; -import org.apache.geode.security.ResourcePermission.Resource; +import org.apache.geode.internal.cache.execute.InternalFunction; /** * The LuceneListIndexFunction class is a function used to collect the information on all lucene @@ -48,7 +43,7 @@ * @see LuceneIndexDetails */ @SuppressWarnings("unused") -public class LuceneListIndexFunction implements InternalEntity, Function { +public class LuceneListIndexFunction implements InternalFunction { private static final long serialVersionUID = -2320432506763893879L; @@ -70,10 +65,4 @@ public void execute(final FunctionContext context) { } context.getResultSender().lastResult(indexDetailsSet); } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton( - new ResourcePermission(Resource.CLUSTER, Operation.READ, LucenePermission.TARGET)); - } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java+3 −17 modified@@ -15,29 +15,20 @@ package org.apache.geode.cache.lucene.internal.cli.functions; -import java.util.Collection; -import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Set; import org.apache.geode.cache.Cache; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.cache.lucene.LuceneQuery; -import org.apache.geode.cache.lucene.LuceneQueryException; -import org.apache.geode.cache.lucene.LuceneResultStruct; -import org.apache.geode.cache.lucene.LuceneService; -import org.apache.geode.cache.lucene.LuceneServiceProvider; -import org.apache.geode.cache.lucene.PageableLuceneQueryResults; +import org.apache.geode.cache.lucene.*; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo; import org.apache.geode.cache.lucene.internal.cli.LuceneQueryInfo; import org.apache.geode.cache.lucene.internal.cli.LuceneSearchResults; import org.apache.geode.internal.InternalEntity; -import org.apache.geode.security.ResourcePermission; -import org.apache.geode.security.ResourcePermission.Operation; -import org.apache.geode.security.ResourcePermission.Resource; +import org.apache.geode.internal.cache.execute.InternalFunction; /** * The LuceneSearchIndexFunction class is a function used to collect the information on a particular @@ -53,7 +44,7 @@ * @see LuceneIndexInfo */ @SuppressWarnings("unused") -public class LuceneSearchIndexFunction<K, V> implements InternalEntity, Function { +public class LuceneSearchIndexFunction<K, V> implements InternalFunction { private static final long serialVersionUID = 163818919780803222L; 
@@ -98,9 +89,4 @@ public void execute(final FunctionContext context) { context.getResultSender().lastResult(result); } } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singleton(new ResourcePermission(Resource.DATA, Operation.READ, regionName)); - } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java+2 −16 modified@@ -17,14 +17,11 @@ import java.io.File; import java.util.Collection; -import java.util.HashSet; -import java.util.Set; import org.apache.logging.log4j.Logger; import org.apache.lucene.index.IndexWriter; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionException; import org.apache.geode.cache.execute.RegionFunctionContext; @@ -34,14 +31,11 @@ import org.apache.geode.cache.lucene.internal.filesystem.FileSystem; import org.apache.geode.cache.lucene.internal.repository.IndexRepository; import org.apache.geode.cache.lucene.internal.repository.RepositoryManager; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.BucketNotFoundException; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.logging.LogService; -import org.apache.geode.security.ResourcePermission; -import org.apache.geode.security.ResourcePermission.Operation; -import org.apache.geode.security.ResourcePermission.Resource; -public class DumpDirectoryFiles implements Function, InternalEntity { +public class DumpDirectoryFiles implements InternalFunction { private static final long serialVersionUID = 1L; private static final Logger logger = LogService.getLogger(); @@ -101,12 +95,4 @@ public String getId() { public boolean optimizeForWrite() { return true; } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - Set<ResourcePermission> required = new HashSet<>(); - required.add(new ResourcePermission(Resource.DATA, Operation.READ, regionName)); - required.add(new ResourcePermission(Resource.CLUSTER, Operation.MANAGE)); - return required; - } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java+2 −12 modified@@ -18,14 +18,12 @@ import java.io.IOException; import java.util.ArrayList; import java.util.Collection; -import java.util.Collections; import org.apache.logging.log4j.Logger; import org.apache.lucene.search.Query; import org.apache.geode.cache.CacheClosedException; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionException; import org.apache.geode.cache.execute.RegionFunctionContext; @@ -41,20 +39,19 @@ import org.apache.geode.cache.lucene.internal.repository.IndexRepository; import org.apache.geode.cache.lucene.internal.repository.IndexResultCollector; import org.apache.geode.cache.lucene.internal.repository.RepositoryManager; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.BucketNotFoundException; import org.apache.geode.internal.cache.PrimaryBucketException; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.execute.InternalFunctionInvocationTargetException; import org.apache.geode.internal.logging.LogService; -import org.apache.geode.security.ResourcePermission; /** * {@link LuceneQueryFunction} coordinates text search on a member. It receives text search query * from the coordinator and arguments like region and buckets. It invokes search on the local index * and provides a result collector. The locally collected results are sent to the search * coordinator. */ -public class LuceneQueryFunction implements Function<LuceneFunctionContext>, InternalEntity { +public class LuceneQueryFunction implements InternalFunction<LuceneFunctionContext> { private static final long serialVersionUID = 1L; public static final String ID = LuceneQueryFunction.class.getName(); 
@@ -176,11 +173,4 @@ public String getId() { public boolean optimizeForWrite() { return true; } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - ResourcePermission read = new ResourcePermission(ResourcePermission.Resource.DATA, - ResourcePermission.Operation.READ, regionName); - return Collections.singleton(read); - } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java+2 −13 modified@@ -15,27 +15,23 @@ package org.apache.geode.cache.lucene.internal.distributed; -import java.util.Collection; -import java.util.Collections; import java.util.concurrent.TimeUnit; import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; import org.apache.geode.cache.asyncqueue.internal.AsyncEventQueueImpl; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.RegionFunctionContext; import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.lucene.internal.LuceneServiceImpl; -import org.apache.geode.internal.InternalEntity; -import org.apache.geode.security.ResourcePermission; +import org.apache.geode.internal.cache.execute.InternalFunction; /** * {@link WaitUntilFlushedFunction} will check all the members with index to wait until the events * in current AEQs are flushed into index. This function enables an accessor and client to call to * make sure the current events are processed. */ -public class WaitUntilFlushedFunction implements Function<Object>, InternalEntity { +public class WaitUntilFlushedFunction implements InternalFunction<Object> { private static final long serialVersionUID = 1L; public static final String ID = WaitUntilFlushedFunction.class.getName(); @@ -79,11 +75,4 @@ public String getId() { public boolean optimizeForWrite() { return true; } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - ResourcePermission read = new ResourcePermission(ResourcePermission.Resource.DATA, - ResourcePermission.Operation.READ, regionName); - return Collections.singleton(read); - } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java+2 −13 modified@@ -15,32 +15,28 @@ package org.apache.geode.cache.lucene.internal.results; -import java.util.Collection; -import java.util.Collections; import java.util.List; import java.util.Set; import org.apache.logging.log4j.Logger; import org.apache.geode.cache.CacheClosedException; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.RegionFunctionContext; import org.apache.geode.cache.partition.PartitionRegionHelper; -import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.EntrySnapshot; import org.apache.geode.internal.cache.PrimaryBucketException; import org.apache.geode.internal.cache.Token; +import org.apache.geode.internal.cache.execute.InternalFunction; import org.apache.geode.internal.cache.execute.InternalFunctionInvocationTargetException; import org.apache.geode.internal.logging.LogService; -import org.apache.geode.security.ResourcePermission; /** * {@link LuceneGetPageFunction} Returns the values of entries back to the user This behaves * basically like a getAll, but it does not invoke a cache loader */ -public class LuceneGetPageFunction implements Function<Object>, InternalEntity { +public class LuceneGetPageFunction implements InternalFunction<Object> { private static final long serialVersionUID = 1L; public static final String ID = LuceneGetPageFunction.class.getName(); @@ -90,11 +86,4 @@ public String getId() { public boolean optimizeForWrite() { return false; } - - @Override - public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - ResourcePermission read = new ResourcePermission(ResourcePermission.Resource.DATA, - ResourcePermission.Operation.READ, regionName); - return Collections.singleton(read); - } }
geode-lucene/src/test/java/org/apache/geode/cache/lucene/LuceneClientSecurityDUnitTest.java+2 −3 modified@@ -136,8 +136,7 @@ private void executeTextSearch(boolean expectAuthorizationError, String expected protected LuceneCommandsSecurityDUnitTest.UserNameAndExpectedResponse[] getSearchIndexUserNameAndExpectedResponses() { return new LuceneCommandsSecurityDUnitTest.UserNameAndExpectedResponse[] { new LuceneCommandsSecurityDUnitTest.UserNameAndExpectedResponse("nopermissions", true, - "nopermissions not authorized for DATA:READ"), - new LuceneCommandsSecurityDUnitTest.UserNameAndExpectedResponse("dataread" + REGION_NAME, - false, null)}; + "nopermissions not authorized for *"), + new LuceneCommandsSecurityDUnitTest.UserNameAndExpectedResponse("*", false, null)}; } }
geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java+12 −44 modified@@ -60,14 +60,14 @@ public class LuceneFunctionSecurityTest { @BeforeClass public static void setupClass() { - functionStringMap.put(new LuceneCreateIndexFunction(), "CLUSTER:MANAGE:LUCENE"); - functionStringMap.put(new LuceneDescribeIndexFunction(), "CLUSTER:READ:LUCENE"); - functionStringMap.put(new LuceneDestroyIndexFunction(), "CLUSTER:MANAGE:LUCENE"); - functionStringMap.put(new LuceneListIndexFunction(), "CLUSTER:READ:LUCENE"); - functionStringMap.put(new LuceneSearchIndexFunction(), "DATA:READ:testRegion"); - functionStringMap.put(new LuceneQueryFunction(), "DATA:READ:testRegion"); - functionStringMap.put(new WaitUntilFlushedFunction(), "DATA:READ:testRegion"); - functionStringMap.put(new LuceneGetPageFunction(), "DATA:READ:testRegion"); + functionStringMap.put(new LuceneCreateIndexFunction(), "*"); + functionStringMap.put(new LuceneDescribeIndexFunction(), "*"); + functionStringMap.put(new LuceneDestroyIndexFunction(), "*"); + functionStringMap.put(new LuceneListIndexFunction(), "*"); + functionStringMap.put(new LuceneSearchIndexFunction(), "*"); + functionStringMap.put(new LuceneQueryFunction(), "*"); + functionStringMap.put(new WaitUntilFlushedFunction(), "*"); + functionStringMap.put(new LuceneGetPageFunction(), "*"); functionStringMap.keySet().forEach(FunctionService::registerFunction); FunctionService.registerFunction(new DumpDirectoryFiles()); 
@@ -90,48 +90,16 @@ public void functionRequireExpectedPermission() throws Exception { // getRequiredPermission are all enforced before trying to execute @Test @ConnectionConfiguration(user = "clusterManage", password = "clusterManage") - public void dumpDirectoryFileRequiresBoth_AsClusterManage() { - gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) - .tableHasRowCount(RESULT_HEADER, 1).tableHasRowWithValues(RESULT_HEADER, - "Exception: clusterManage not authorized for DATA:READ:testRegion") - .statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataRead", password = "dataRead") - public void dumpDirectoryFileRequiresBoth_AsDataRead() { - gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) - .tableHasRowCount(RESULT_HEADER, 1).tableHasRowWithValues(RESULT_HEADER, - "Exception: dataRead not authorized for CLUSTER:MANAGE") - .statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "clusterManage,dataReadRegionB", - password = "clusterManage,dataReadRegionB") - public void dumpDirectoryFileRequiresBoth_dataReadAnotherRegion() { - gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) - .tableHasRowCount(RESULT_HEADER, 1) - .tableHasRowWithValues(RESULT_HEADER, - "Exception: clusterManage,dataReadRegionB not authorized for DATA:READ:testRegion") - .statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "clusterManage,dataReadTestRegionA", - password = "clusterManage,dataReadTestRegionA") - public void dumpDirectoryFileRequiresBoth_dataReadInsufficient() { + public void dumpDirectoryFileRequiresAll_insufficientUser() { gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) .tableHasRowCount(RESULT_HEADER, 1) - .tableHasRowWithValues(RESULT_HEADER, - "Exception: clusterManage,dataReadTestRegionA not authorized for DATA:READ:testRegion") + 
.tableHasRowWithValues(RESULT_HEADER, "Exception: clusterManage not authorized for *") .statusIsError(); } @Test - @ConnectionConfiguration(user = "clusterManage,dataReadTestRegion", - password = "clusterManage,dataReadTestRegion") - public void dumpDirectoryFileRequiresBoth_validUser() { + @ConnectionConfiguration(user = "*", password = "*") + public void dumpDirectoryFileRequiresAll_validUser() { gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) .tableHasRowCount(RESULT_HEADER, 1).doesNotContainOutput("not authorized").statusIsError(); }
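Review bot: In LuceneSearchIndexFunction.java the import hunk replaces six explicit org.apache.geode.cache.lucene imports with the wildcard org.apache.geode.cache.lucene.*, which hides what the class depends on and is unrelated to the permission change; please restore the explicit imports. In the same file, and in LuceneDescribeIndexFunction.java and LuceneListIndexFunction.java, the unchanged context lines still import org.apache.geode.cache.execute.Function and org.apache.geode.internal.InternalEntity although the class now declares only "implements InternalFunction"; drop them unless the Javadoc still refers to them.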
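Review bot: Every getRequiredPermissions override in the Lucene functions is deleted (for example DATA:READ on regionName in LuceneQueryFunction, WaitUntilFlushedFunction and LuceneGetPageFunction), so the permission a caller needs is no longer stated in any of these classes, while the updated tests expect "not authorized for *". Please say in each class Javadoc that the function is internal and what InternalFunction requires. The commit message should also call out that LuceneClientSecurityDUnitTest no longer shows the "dataread" + REGION_NAME user succeeding in getSearchIndexUserNameAndExpectedResponses, since that changes what a DATA:READ-only client can do.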
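Review bot: In LuceneFunctionSecurityTest.java the DumpDirectoryFiles hunk collapses five cases into two, and the only remaining negative case runs as clusterManage. Keep one case for the previously valid user "clusterManage,dataReadTestRegion" and assert that it is now rejected with "not authorized for *", so the test pins that CLUSTER:MANAGE plus DATA:READ:testRegion is no longer sufficient. Separately, dumpDirectoryFileRequiresAll_validUser still ends in statusIsError(); a short comment explaining why an authorized call is expected to report an error would help the next reader.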
6df14c8b1e3c GEODE-3974: Core function security improvement (#1310)
62 files changed · +764 −336
geode-connectors/src/test/java/org/apache/geode/connectors/jdbc/internal/cli/JDBCConnectorFunctionsSecurityTest.java+2 −2 modified@@ -77,7 +77,6 @@ public static void setupClass() { functionStringMap.keySet().forEach(FunctionService::registerFunction); } - @Test @ConnectionConfiguration(user = "user", password = "user") public void functionRequireExpectedPermission() throws Exception { @@ -86,7 +85,8 @@ public void functionRequireExpectedPermission() throws Exception { String permission = entry.getValue(); gfsh.executeAndAssertThat("execute function --id=" + function.getId()) .tableHasRowCount("Function Execution Result", 1) - .tableHasColumnWithValuesContaining("Function Execution Result", permission) + .tableHasRowWithValues("Function Execution Result", + "Exception: user not authorized for " + permission) .statusIsError(); }); }
geode-core/src/main/java/org/apache/geode/internal/cache/execute/util/FindRestEnabledServersFunction.java+3 −4 modified@@ -15,8 +15,7 @@ package org.apache.geode.internal.cache.execute.util; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.CacheFactory; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.distributed.internal.InternalDistributedSystem; @@ -30,7 +29,7 @@ * * @since GemFire 8.1 */ -public class FindRestEnabledServersFunction extends FunctionAdapter implements InternalEntity { +public class FindRestEnabledServersFunction implements Function, InternalEntity { private static final long serialVersionUID = 7851518767859544678L; /** @@ -42,7 +41,7 @@ public class FindRestEnabledServersFunction extends FunctionAdapter implements I public void execute(FunctionContext context) { try { - InternalCache cache = (InternalCache) CacheFactory.getAnyInstance(); + InternalCache cache = (InternalCache) context.getCache(); DistributionConfig config = InternalDistributedSystem.getAnyInstance().getConfig(); String bindAddress = RestAgent.getBindAddressForHttpService(config);
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/AlterRuntimeConfigFunction.java+11 −2 modified@@ -14,14 +14,16 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.Map; import java.util.Map.Entry; import java.util.Set; import org.apache.logging.log4j.Logger; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.internal.ConfigSource; @@ -30,8 +32,10 @@ import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; -public class AlterRuntimeConfigFunction extends FunctionAdapter implements InternalEntity { +public class AlterRuntimeConfigFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @@ -85,6 +89,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_WRITE); + } + @Override public String getId() { return AlterRuntimeConfigFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ChangeLogLevelFunction.java+10 −1 modified@@ -14,8 +14,10 @@ */ package org.apache.geode.management.internal.cli.functions; -import static org.apache.geode.distributed.ConfigurationProperties.*; +import static org.apache.geode.distributed.ConfigurationProperties.LOG_LEVEL; +import java.util.Collection; +import java.util.Collections; import java.util.HashMap; import java.util.Map; @@ -31,6 +33,8 @@ import org.apache.geode.internal.logging.log4j.LogLevel; import org.apache.geode.internal.logging.log4j.LogMarker; import org.apache.geode.internal.logging.log4j.LogWriterLogger; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** @@ -72,6 +76,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_WRITE); + } + @Override public String getId() { return ChangeLogLevelFunction.ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableClientFunction.java+13 −4 modified@@ -14,29 +14,33 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.distributed.internal.InternalDistributedSystem; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier; import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.MemberResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /*** * Function to close a durable client * */ -public class CloseDurableClientFunction extends FunctionAdapter implements InternalEntity { +public class CloseDurableClientFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @Override public void execute(FunctionContext context) { String durableClientId = (String) context.getArguments(); - final Cache cache = CliUtil.getCacheIfExists(); + final Cache cache = context.getCache(); final String memberNameOrId = CliUtil.getMemberNameOrId(cache.getDistributedSystem().getDistributedMember()); MemberResult memberResult = new MemberResult(memberNameOrId); 
@@ -69,6 +73,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); + } + @Override public String getId() { return CloseDurableClientFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableCqFunction.java+13 −4 modified@@ -14,29 +14,33 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier; import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy; -import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.MemberResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /*** * Function to close a durable cq * */ -public class CloseDurableCqFunction extends FunctionAdapter implements InternalEntity { +public class CloseDurableCqFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @Override public void execute(FunctionContext context) { - final Cache cache = CliUtil.getCacheIfExists(); + final Cache cache = context.getCache(); final String memberNameOrId = CliUtil.getMemberNameOrId(cache.getDistributedSystem().getDistributedMember()); CacheClientNotifier cacheClientNotifier = CacheClientNotifier.getInstance(); @@ -71,6 +75,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); + } + @Override public String getId() { return CloseDurableCqFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ContinuousQueryFunction.java+8 −0 modified@@ -16,6 +16,7 @@ import java.io.Serializable; import java.util.Collection; +import java.util.Collections; import java.util.Iterator; import org.apache.geode.cache.execute.Function; @@ -28,6 +29,8 @@ import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy; import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID; import org.apache.geode.internal.cache.tier.sockets.ServerConnection; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * @since GemFire 8.0 @@ -103,6 +106,11 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(null); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return ContinuousQueryFunction.ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateAsyncEventQueueFunction.java+10 −1 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.HashMap; import java.util.Map; import java.util.Properties; @@ -38,6 +40,8 @@ import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * Function used by the 'create async-event-queue' gfsh command to create an asynchronous event @@ -128,6 +132,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY); + } + private Object newInstance(String className) throws ClassNotFoundException, IllegalAccessException, InstantiationException { if (Strings.isNullOrEmpty(className)) { @@ -139,6 +148,6 @@ private Object newInstance(String className) @Override public String getId() { - return CreateDiskStoreFunction.class.getName(); + return CreateAsyncEventQueueFunction.class.getName(); } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDefinedIndexesFunction.java+11 −2 modified@@ -15,13 +15,15 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.query.Index; @@ -33,8 +35,10 @@ import org.apache.geode.management.internal.cli.domain.IndexInfo; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; -public class CreateDefinedIndexesFunction extends FunctionAdapter implements InternalEntity { +public class CreateDefinedIndexesFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @Override @@ -122,4 +126,9 @@ public void execute(FunctionContext context) { .lastResult(new CliFunctionResult(memberId, exception, exceptionMessage)); } } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); + } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDiskStoreFunction.java+12 −2 modified@@ -20,12 +20,15 @@ * @since GemFire 8.0 */ +import java.util.Collection; +import java.util.Collections; + import org.apache.logging.log4j.Logger; import org.apache.geode.SystemFailure; import org.apache.geode.cache.CacheClosedException; import org.apache.geode.cache.DiskStoreFactory; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.InternalEntity; @@ -34,8 +37,10 @@ import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; -public class CreateDiskStoreFunction extends FunctionAdapter implements InternalEntity { +public class CreateDiskStoreFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 1L; @@ -79,6 +84,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DISK); + } + @Override public String getId() { return CreateDiskStoreFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateIndexFunction.java+12 −2 modified@@ -14,8 +14,11 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.query.IndexExistsException; import org.apache.geode.cache.query.IndexInvalidException; @@ -27,12 +30,14 @@ import org.apache.geode.management.internal.cli.domain.IndexInfo; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /*** * Function to create index in a member, based on different arguments passed to it * */ -public class CreateIndexFunction extends FunctionAdapter implements InternalEntity { +public class CreateIndexFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @@ -104,6 +109,11 @@ private void setResultInSender(FunctionContext context, IndexInfo indexInfo, Str } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); + } + private String getValidRegionName(Cache cache, String regionPath) { while (regionPath != null && cache.getRegion(regionPath) == null) { int dotPosition;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DataCommandFunction.java+7 −0 modified@@ -15,6 +15,7 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; +import java.util.Collection; import java.util.Collections; import java.util.Iterator; import java.util.List; @@ -60,7 +61,9 @@ import org.apache.geode.management.internal.cli.json.GfJsonException; import org.apache.geode.management.internal.cli.json.GfJsonObject; import org.apache.geode.management.internal.cli.util.JsonUtil; +import org.apache.geode.management.internal.security.ResourcePermissions; import org.apache.geode.pdx.PdxInstance; +import org.apache.geode.security.ResourcePermission; /** * @since GemFire 7.0 @@ -133,6 +136,10 @@ public void execute(FunctionContext functionContext) { } } + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.DATA_ALL); + } + public DataCommandResult remove(DataCommandRequest request, InternalCache cache) { String key = request.getKey();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DeployFunction.java+9 −0 modified@@ -24,6 +24,8 @@ import java.nio.file.attribute.PosixFilePermission; import java.nio.file.attribute.PosixFilePermissions; import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -46,6 +48,8 @@ import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.logging.LogService; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class DeployFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); @@ -118,6 +122,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY); + } + @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DescribeDiskStoreFunction.java+11 −2 modified@@ -16,6 +16,8 @@ package org.apache.geode.management.internal.cli.functions; import java.io.File; +import java.util.Collection; +import java.util.Collections; import java.util.HashSet; import java.util.Properties; import java.util.Set; @@ -29,7 +31,7 @@ import org.apache.geode.cache.EvictionAction; import org.apache.geode.cache.Region; import org.apache.geode.cache.asyncqueue.AsyncEventQueue; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.server.CacheServer; import org.apache.geode.cache.wan.GatewaySender; @@ -41,6 +43,8 @@ import org.apache.geode.internal.util.ArrayUtils; import org.apache.geode.management.internal.cli.domain.DiskStoreDetails; import org.apache.geode.management.internal.cli.exceptions.EntityNotFoundException; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * The DescribeDiskStoreFunction class is an implementation of a GemFire Function used to collect @@ -55,7 +59,7 @@ * @see org.apache.geode.management.internal.cli.domain.DiskStoreDetails * @since GemFire 7.0 */ -public class DescribeDiskStoreFunction extends FunctionAdapter implements InternalEntity { +public class DescribeDiskStoreFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); @@ -131,6 +135,11 @@ public void execute(final FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + private void setDiskDirDetails(final DiskStore diskStore, final DiskStoreDetails diskStoreDetails) { File[] diskDirs = diskStore.getDiskDirs();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyAsyncEventQueueFunction.java+10 −0 modified@@ -14,13 +14,18 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.asyncqueue.internal.AsyncEventQueueImpl; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.commands.DestroyAsyncEventQueueCommand; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * Function used by the 'destroy async-event-queue' gfsh command to destroy an asynchronous event @@ -68,6 +73,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE); + } + XmlEntity getAEQXmlEntity(String key, String value) { XmlEntity xmlEntity = new XmlEntity(CacheXml.ASYNC_EVENT_QUEUE, key, value); return xmlEntity;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyDiskStoreFunction.java+10 −0 modified@@ -14,6 +14,9 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.DiskStore; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; @@ -22,6 +25,8 @@ import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * Function used by the 'destroy disk-store' gfsh command to destroy a disk store on each member. @@ -70,4 +75,9 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(result); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DISK); + } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/DestroyIndexFunction.java+9 −0 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.List; import org.apache.geode.cache.Cache; @@ -28,6 +30,8 @@ import org.apache.geode.management.internal.cli.domain.IndexInfo; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class DestroyIndexFunction implements Function, InternalEntity { private static final long serialVersionUID = -868082551095130315L; @@ -101,6 +105,11 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(result); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY); + } + /*** * * @param name
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportConfigFunction.java+9 −0 modified@@ -16,6 +16,8 @@ import java.io.PrintWriter; import java.io.StringWriter; +import java.util.Collection; +import java.util.Collections; import java.util.Map; import org.apache.logging.log4j.Logger; @@ -32,6 +34,8 @@ import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.xmlcache.CacheXmlGenerator; import org.apache.geode.internal.logging.LogService; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class ExportConfigFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); @@ -114,6 +118,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportDataFunction.java+9 −0 modified@@ -15,6 +15,8 @@ package org.apache.geode.management.internal.cli.functions; import java.io.File; +import java.util.Collection; +import java.util.Collections; import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; @@ -26,6 +28,8 @@ import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.snapshot.SnapshotOptionsImpl; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /*** * Function which carries out the export of a region to a file on a member. Uses the @@ -72,6 +76,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.DATA_READ); + } + public String getId() { return ExportDataFunction.class.getName(); }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportLogsFunction.java+9 −1 modified@@ -25,6 +25,8 @@ import java.time.LocalDateTime; import java.time.ZoneId; import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; import org.apache.commons.lang.StringUtils; import org.apache.logging.log4j.Level; @@ -38,7 +40,6 @@ import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.internal.InternalEntity; -import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.cache.InternalRegionArguments; import org.apache.geode.internal.logging.LogService; @@ -48,6 +49,8 @@ import org.apache.geode.management.internal.cli.util.LogExporter; import org.apache.geode.management.internal.cli.util.LogFilter; import org.apache.geode.management.internal.configuration.domain.Configuration; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * this function extracts the logs using a LogExporter which creates a zip file, and then writes the @@ -120,6 +123,11 @@ public void execute(final FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + public static Region createOrGetExistingExportLogsRegion(boolean isInitiatingMember, InternalCache cache) throws IOException, ClassNotFoundException {
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchRegionAttributesFunction.java+10 −0 modified@@ -14,6 +14,9 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.logging.log4j.Logger; import org.apache.geode.cache.AttributesFactory; @@ -25,6 +28,8 @@ import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * @@ -79,6 +84,11 @@ public static <K, V> RegionAttributes<K, V> getRegionAttributes(Cache cache, Str return afactory.create(); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchSharedConfigurationStatusFunction.java+11 −2 modified@@ -14,16 +14,20 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.commons.lang.StringUtils; import org.apache.geode.cache.execute.FunctionAdapter; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.distributed.internal.InternalLocator; import org.apache.geode.internal.InternalEntity; -import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.management.internal.configuration.domain.SharedConfigurationStatus; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class FetchSharedConfigurationStatusFunction extends FunctionAdapter implements InternalEntity { @@ -33,7 +37,7 @@ public class FetchSharedConfigurationStatusFunction extends FunctionAdapter @Override public void execute(FunctionContext context) { InternalLocator locator = InternalLocator.getLocator(); - InternalCache cache = GemFireCacheImpl.getInstance(); + InternalCache cache = (InternalCache) context.getCache(); DistributedMember member = cache.getDistributedSystem().getDistributedMember(); SharedConfigurationStatus status = locator.getSharedConfigurationStatus().getStatus(); @@ -46,6 +50,11 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(result); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return FetchSharedConfigurationStatusFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GarbageCollectionFunction.java+10 −0 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.HashMap; import java.util.Map; @@ -24,6 +26,8 @@ import org.apache.geode.internal.InternalEntity; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.util.BytesToString; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * @@ -67,6 +71,12 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(resultMap); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE); + } + @Override public String getId() { return GarbageCollectionFunction.ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewayReceiverCreateFunction.java+9 −0 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.HashMap; import java.util.Map; @@ -33,6 +35,8 @@ import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * The function to a create GatewayReceiver using given configuration parameters. @@ -87,6 +91,11 @@ public void execute(FunctionContext context) { } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_GATEWAY); + } + /** * GatewayReceiver creation happens here. *
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderCreateFunction.java+10 −0 modified@@ -14,6 +14,9 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.logging.log4j.Logger; import org.apache.geode.cache.Cache; @@ -31,6 +34,8 @@ import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class GatewaySenderCreateFunction implements Function, InternalEntity { @@ -66,6 +71,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_GATEWAY); + } + /** * Creates the GatewaySender with given configuration. *
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GatewaySenderDestroyFunction.java+10 −0 modified@@ -14,6 +14,9 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.Cache; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; @@ -23,6 +26,8 @@ import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class GatewaySenderDestroyFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @@ -65,6 +70,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_GATEWAY); + } + @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberConfigInformationFunction.java+18 −14 modified@@ -14,14 +14,21 @@ */ package org.apache.geode.management.internal.cli.functions; -import static org.apache.geode.distributed.ConfigurationProperties.*; +import static org.apache.geode.distributed.ConfigurationProperties.SOCKET_BUFFER_SIZE; import java.lang.management.ManagementFactory; import java.lang.management.RuntimeMXBean; -import java.util.*; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.server.CacheServer; import org.apache.geode.distributed.internal.DistributionConfig; @@ -33,16 +40,14 @@ import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.ha.HARegionQueue; import org.apache.geode.management.internal.cli.domain.MemberConfigurationInfo; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /**** * * */ -public class GetMemberConfigInformationFunction extends FunctionAdapter implements InternalEntity { - - /** - * - */ +public class GetMemberConfigInformationFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @@ -133,6 +138,11 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(memberConfigInfo); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + /**** * Gets the default values for the cache attributes * 
@@ -220,12 +230,6 @@ private void removeDefaults(Map<String, String> attributesMap, } } - @Override - public String getId() { - // TODO Auto-generated method stub - return GetMemberConfigInformationFunction.class.toString(); - } - private List<String> getJvmInputArguments() { RuntimeMXBean runtimeBean = ManagementFactory.getRuntimeMXBean(); return runtimeBean.getInputArguments();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetMemberInformationFunction.java+11 −2 modified@@ -17,13 +17,15 @@ import java.lang.management.ManagementFactory; import java.lang.management.MemoryMXBean; import java.lang.management.MemoryUsage; +import java.util.Collection; +import java.util.Collections; import java.util.Iterator; import java.util.List; import java.util.Map; import org.apache.geode.cache.Cache; import org.apache.geode.cache.CacheClosedException; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.server.CacheServer; import org.apache.geode.distributed.internal.DistributionConfig; @@ -35,13 +37,15 @@ import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.CacheServerInfo; import org.apache.geode.management.internal.cli.domain.MemberInformation; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /*** * * since 7.0 */ -public class GetMemberInformationFunction extends FunctionAdapter implements InternalEntity { +public class GetMemberInformationFunction implements Function, InternalEntity { /** * */ @@ -139,6 +143,11 @@ public void execute(FunctionContext functionContext) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + private long bytesToMeg(long bytes) { return bytes / (1024L * 1024L); }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionDescriptionFunction.java+7 −4 modified@@ -15,12 +15,17 @@ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.internal.InternalEntity; import org.apache.geode.management.internal.cli.domain.RegionDescriptionPerMember; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class GetRegionDescriptionFunction implements Function, InternalEntity { @@ -48,9 +53,7 @@ public void execute(FunctionContext context) { } @Override - public String getId() { - // TODO Auto-generated method stub - return GetRegionDescriptionFunction.class.toString(); + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); } - }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetRegionsFunction.java+8 −6 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.HashSet; import java.util.Set; @@ -23,6 +25,8 @@ import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.internal.InternalEntity; import org.apache.geode.management.internal.cli.domain.RegionInformation; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * Function that retrieves regions hosted on every member @@ -31,12 +35,6 @@ public class GetRegionsFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; - @Override - public String getId() { - // TODO Auto-generated method stub - return GetRegionsFunction.class.toString(); - } - @Override public void execute(FunctionContext functionContext) { try { @@ -59,4 +57,8 @@ public void execute(FunctionContext functionContext) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetStackTracesFunction.java+12 −2 modified@@ -15,14 +15,19 @@ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.OSProcess; import org.apache.geode.management.internal.cli.domain.StackTracesPerMember; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; -public class GetStackTracesFunction extends FunctionAdapter implements InternalEntity { +public class GetStackTracesFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @@ -43,6 +48,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { // TODO Auto-generated method stub
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/GetSubscriptionQueueSizeFunction.java+13 −3 modified@@ -14,8 +14,11 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.query.CqQuery; import org.apache.geode.cache.query.internal.CqQueryVsdStats; @@ -27,18 +30,20 @@ import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.SubscriptionQueueSizeResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /*** * Function to get subscription-queue-size * */ -public class GetSubscriptionQueueSizeFunction extends FunctionAdapter implements InternalEntity { +public class GetSubscriptionQueueSizeFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @Override public void execute(FunctionContext context) { - final Cache cache = CliUtil.getCacheIfExists(); + final Cache cache = context.getCache(); final String memberNameOrId = CliUtil.getMemberNameOrId(cache.getDistributedSystem().getDistributedMember()); String args[] = (String[]) context.getArguments(); @@ -97,6 +102,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return GetSubscriptionQueueSizeFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ImportDataFunction.java+9 −0 modified@@ -15,6 +15,8 @@ package org.apache.geode.management.internal.cli.functions; import java.io.File; +import java.util.Collection; +import java.util.Collections; import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; @@ -25,6 +27,8 @@ import org.apache.geode.cache.snapshot.SnapshotOptions.SnapshotFormat; import org.apache.geode.internal.InternalEntity; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /**** * Function which carries out the import of a region to a file on a member. Uses the @@ -70,6 +74,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.DATA_WRITE); + } + public String getId() { return ImportDataFunction.class.getName(); }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListAsyncEventQueuesFunction.java+11 −2 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.Properties; import java.util.Set; @@ -24,13 +26,15 @@ import org.apache.geode.cache.CacheClosedException; import org.apache.geode.cache.asyncqueue.AsyncEventListener; import org.apache.geode.cache.asyncqueue.AsyncEventQueue; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.xmlcache.Declarable2; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.domain.AsyncEventQueueDetails; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * An implementation of GemFire Function interface used to determine all the async event queues that @@ -39,7 +43,7 @@ * * @since GemFire 8.0 */ -public class ListAsyncEventQueuesFunction extends FunctionAdapter implements InternalEntity { +public class ListAsyncEventQueuesFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 1L; @@ -99,4 +103,9 @@ public void execute(final FunctionContext context) { context.getResultSender().lastResult(result); } } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDeployedFunction.java+9 −0 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.List; import org.apache.logging.log4j.Logger; @@ -29,6 +31,8 @@ import org.apache.geode.internal.JarDeployer; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.logging.LogService; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class ListDeployedFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); @@ -81,6 +85,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDiskStoresFunction.java+10 −2 modified@@ -15,18 +15,22 @@ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.HashSet; import java.util.Properties; import java.util.Set; import org.apache.geode.cache.Cache; import org.apache.geode.cache.DiskStore; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.management.internal.cli.domain.DiskStoreDetails; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * The ListDiskStoresFunction class is an implementation of GemFire Function interface used to @@ -42,7 +46,7 @@ * @see org.apache.geode.management.internal.cli.domain.DiskStoreDetails * @since GemFire 7.0 */ -public class ListDiskStoresFunction extends FunctionAdapter implements InternalEntity { +public class ListDiskStoresFunction implements Function, InternalEntity { @SuppressWarnings("unused") public void init(final Properties props) {} @@ -74,4 +78,8 @@ public void execute(final FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListDurableCqNamesFunction.java+11 −2 modified@@ -16,10 +16,12 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; import java.util.List; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.query.internal.cq.CqService; import org.apache.geode.distributed.DistributedMember; @@ -29,6 +31,8 @@ import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.domain.DurableCqNamesResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * The ListDurableCqs class is a GemFire function used to collect all the durable client names on @@ -44,7 +48,7 @@ * @since GemFire 7.0.1 */ @SuppressWarnings("unused") -public class ListDurableCqNamesFunction extends FunctionAdapter implements InternalEntity { +public class ListDurableCqNamesFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; public String getId() { @@ -89,4 +93,9 @@ public void execute(final FunctionContext context) { context.getResultSender().lastResult(result); } } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListFunctionFunction.java+9 −0 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.LinkedList; import java.util.List; import java.util.Map; @@ -31,6 +33,8 @@ import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.logging.LogService; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class ListFunctionFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); @@ -90,6 +94,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ListIndexFunction.java+10 −2 modified@@ -15,16 +15,20 @@ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.HashSet; import java.util.Set; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.query.Index; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.InternalEntity; import org.apache.geode.management.internal.cli.domain.IndexDetails; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * The ListIndexFunction class is a GemFire function used to collect all the index information on @@ -40,7 +44,7 @@ * @since GemFire 7.0 */ @SuppressWarnings("unused") -public class ListIndexFunction extends FunctionAdapter implements InternalEntity { +public class ListIndexFunction implements Function, InternalEntity { public String getId() { return ListIndexFunction.class.getName(); @@ -63,4 +67,8 @@ public void execute(final FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ_QUERY); + } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/MemberRegionFunction.java+0 −82 removed@@ -1,82 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more contributor license - * agreements. See the NOTICE file distributed with this work for additional information regarding - * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance with the License. You may obtain a - * copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - */ -package org.apache.geode.management.internal.cli.functions; - -import org.apache.geode.cache.Cache; -import org.apache.geode.cache.execute.Execution; -import org.apache.geode.cache.execute.Function; -import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.cache.execute.FunctionException; -import org.apache.geode.cache.execute.FunctionService; -import org.apache.geode.internal.InternalEntity; - - -public class MemberRegionFunction implements Function, InternalEntity { - public static final String ID = MemberRegionFunction.class.getName(); - private static final long serialVersionUID = 1L; - - @Override - public void execute(FunctionContext context) { - Object[] args = (Object[]) context.getArguments(); - String region = (String) args[0]; - String functionId = (String) args[1]; - Cache cache = context.getCache(); - - try { - Function function = FunctionService.getFunction(functionId); - if (function == null) { - context.getResultSender() - .lastResult("For region on a member did not get function " + functionId); - } - 
Execution execution = FunctionService.onRegion(cache.getRegion(region)); - if (execution == null) { - context.getResultSender().lastResult("For region on a member could not execute"); - } else { - execution.execute(function); - context.getResultSender().lastResult("succeeded in executing on region " + region); - } - - } catch (FunctionException e) { - context.getResultSender() - .lastResult("FunctionException in MemberRegionFunction =" + e.getMessage()); - } catch (Exception e) { - context.getResultSender().lastResult("Exception in MemberRegionFunction =" + e.getMessage()); - } - - } - - @Override - public String getId() { - return MemberRegionFunction.ID; - - } - - @Override - public boolean hasResult() { - return true; - } - - @Override - public boolean optimizeForWrite() { - // no need of optimization since read-only. - return false; - } - - @Override - public boolean isHA() { - return false; - } - -}
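Review bot: the deletion of MemberRegionFunction is not explained anywhere in the diff, and it is the one class here that is removed rather than given a getRequiredPermissions override. Its execute() takes a function id from args[1], looks it up with FunctionService.getFunction and runs it through FunctionService.onRegion, so it acts as a proxy for any registered function; recording that reason in the commit message would help anyone auditing the fix later. Please also confirm that nothing still references MemberRegionFunction.ID, since the matching entry is dropped from sanctioned-geode-core-serializables.txt in the same commit.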
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/MembersForRegionFunction.java+0 −91 removed@@ -1,91 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more contributor license - * agreements. See the NOTICE file distributed with this work for additional information regarding - * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance with the License. You may obtain a - * copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - */ - -package org.apache.geode.management.internal.cli.functions; - -import java.util.HashMap; -import java.util.Map; - -import org.apache.logging.log4j.Logger; - -import org.apache.geode.cache.Cache; -import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.Function; -import org.apache.geode.cache.execute.FunctionContext; -import org.apache.geode.internal.InternalEntity; -import org.apache.geode.internal.logging.LogService; - -/** - * - * @since GemFire 8.0 - */ - -public class MembersForRegionFunction implements Function, InternalEntity { - private static final Logger logger = LogService.getLogger(); - - private static final long serialVersionUID = 8746830191680509335L; - - private static final String ID = MembersForRegionFunction.class.getName(); - - @Override - public void execute(FunctionContext context) { - Map<String, String> resultMap = new HashMap<String, String>(); - try { - Cache cache = context.getCache(); - String memberNameOrId = cache.getDistributedSystem().getDistributedMember().getId(); - Object args = 
(Object) context.getArguments(); - String regionName = ((String) args); - Region<Object, Object> region = cache.getRegion(regionName); - - if (region != null) { - resultMap.put(memberNameOrId, "" + region.getAttributes().getScope().isLocal()); - } else { - String regionWithPrefix = Region.SEPARATOR + regionName; - region = cache.getRegion(regionWithPrefix); - if (region != null) { - resultMap.put(memberNameOrId, "" + region.getAttributes().getScope().isLocal()); - } else { - resultMap.put("", ""); - } - } - context.getResultSender().lastResult(resultMap); - } catch (Exception ex) { - logger.info("MembersForRegionFunction exception {}", ex.getMessage(), ex); - resultMap.put("", ""); - context.getResultSender().lastResult(resultMap); - } - } - - @Override - public String getId() { - return MembersForRegionFunction.ID; - } - - @Override - public boolean isHA() { - return false; - } - - @Override - public boolean hasResult() { - return true; - } - - @Override - public boolean optimizeForWrite() { - return false; - } - -}
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/NetstatFunction.java+15 −1 modified@@ -14,14 +14,21 @@ */ package org.apache.geode.management.internal.cli.functions; -import static org.apache.geode.internal.lang.SystemUtils.*; +import static org.apache.geode.internal.lang.SystemUtils.getOsArchitecture; +import static org.apache.geode.internal.lang.SystemUtils.getOsName; +import static org.apache.geode.internal.lang.SystemUtils.getOsVersion; +import static org.apache.geode.internal.lang.SystemUtils.isLinux; +import static org.apache.geode.internal.lang.SystemUtils.isMacOSX; +import static org.apache.geode.internal.lang.SystemUtils.isSolaris; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.io.Serializable; import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; import java.util.List; import org.apache.logging.log4j.Logger; @@ -36,6 +43,8 @@ import org.apache.geode.management.internal.cli.CliUtil.DeflaterInflaterData; import org.apache.geode.management.internal.cli.GfshParser; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * Executes 'netstat' OS command & returns the result as compressed bytes. @@ -84,6 +93,11 @@ public void execute(final FunctionContext context) { context.getResultSender().lastResult(result); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + private static void addMemberHostHeader(final StringBuilder netstatInfo, final String id, final String host, final String lineSeparator) {
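Review bot: CLUSTER_READ in the new getRequiredPermissions looks like a low bar for a class whose Javadoc says it "Executes 'netstat' OS command" on the member. Output of that kind exposes the host's connections and listening ports to every read-only cluster user. Please either justify READ in a comment on the override or raise it to a MANAGE-level permission. The expansion of the SystemUtils wildcard static import is unrelated to the permission change and would sit better in its own commit.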
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RebalanceFunction.java+9 −1 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.Iterator; import java.util.Set; import java.util.concurrent.CancellationException; @@ -30,7 +32,8 @@ import org.apache.geode.cache.partition.PartitionRebalanceInfo; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.logging.LogService; - +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class RebalanceFunction implements Function, InternalEntity { @@ -91,6 +94,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.DATA_MANAGE); + } + @Override public String getId() { return RebalanceFunction.ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionAlterFunction.java+11 −2 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.Set; import org.apache.logging.log4j.Logger; @@ -27,7 +29,7 @@ import org.apache.geode.cache.ExpirationAction; import org.apache.geode.cache.ExpirationAttributes; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.internal.ClassPathLoader; @@ -39,13 +41,15 @@ import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.cli.util.RegionPath; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * Function used by the 'alter region' gfsh command to alter a region on each member. * * @since GemFire 8.0 */ -public class RegionAlterFunction extends FunctionAdapter implements InternalEntity { +public class RegionAlterFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = -4846425364943216425L; @@ -95,6 +99,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.DATA_MANAGE); + } + private <K, V> Region<?, ?> alterRegion(Cache cache, RegionFunctionArgs regionAlterArgs) { final String regionPathString = regionAlterArgs.getRegionPath();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionDestroyFunction.java+10 −0 modified@@ -14,6 +14,9 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; import org.apache.geode.cache.RegionDestroyedException; @@ -23,6 +26,8 @@ import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * @@ -86,6 +91,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.DATA_MANAGE); + } + @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShowMissingDiskStoresFunction.java+11 −2 modified@@ -14,12 +14,14 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.internal.InternalEntity; @@ -29,8 +31,10 @@ import org.apache.geode.internal.cache.persistence.PersistentMemberID; import org.apache.geode.internal.cache.persistence.PersistentMemberManager; import org.apache.geode.internal.cache.persistence.PersistentMemberPattern; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; -public class ShowMissingDiskStoresFunction extends FunctionAdapter implements InternalEntity { +public class ShowMissingDiskStoresFunction implements Function, InternalEntity { @Override public void execute(FunctionContext context) { @@ -84,6 +88,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return getClass().getName();
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ShutDownFunction.java+9 −0 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.concurrent.ExecutionException; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; @@ -27,6 +29,8 @@ import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.tcp.ConnectionTable; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * @@ -86,6 +90,11 @@ public String getId() { } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE); + } + @Override public boolean hasResult() { return true;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/SizeExportLogsFunction.java+9 −1 modified@@ -16,6 +16,8 @@ import java.io.File; import java.io.IOException; +import java.util.Collection; +import java.util.Collections; import org.apache.logging.log4j.Logger; @@ -24,13 +26,14 @@ import org.apache.geode.distributed.DistributedMember; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.internal.InternalEntity; -import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.ManagementException; import org.apache.geode.management.internal.cli.util.BytesToString; import org.apache.geode.management.internal.cli.util.LogExporter; import org.apache.geode.management.internal.cli.util.LogFilter; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class SizeExportLogsFunction extends ExportLogsFunction implements Function, InternalEntity { private static final Logger LOGGER = LogService.getLogger(); @@ -94,4 +97,9 @@ long estimateLogFileSize(final DistributedMember member, final File logFile, return estimatedSize; } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } }
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UndeployFunction.java+9 −0 modified@@ -15,6 +15,8 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; import java.util.List; import org.apache.commons.lang.ArrayUtils; @@ -31,6 +33,8 @@ import org.apache.geode.internal.JarDeployer; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.logging.LogService; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class UndeployFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); @@ -107,6 +111,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY); + } + @Override public String getId() { return ID;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UnregisterFunction.java+9 −9 modified@@ -14,19 +14,15 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionService; import org.apache.geode.internal.InternalEntity; - -/** - * - * Class for Unregister function - * - * - * - */ - +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class UnregisterFunction implements Function, InternalEntity { public static final String ID = UnregisterFunction.class.getName(); @@ -47,7 +43,11 @@ public void execute(FunctionContext context) { @Override public String getId() { return UnregisterFunction.ID; + } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY); } @Override
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UserFunctionExecution.java+8 −0 modified@@ -15,6 +15,8 @@ package org.apache.geode.management.internal.cli.functions; import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Properties; @@ -38,6 +40,7 @@ import org.apache.geode.internal.security.SecurityService; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.security.AuthenticationRequiredException; +import org.apache.geode.security.ResourcePermission; /** * @since GemFire 7.0 @@ -182,6 +185,11 @@ public void execute(FunctionContext<Object[]> context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.emptySet(); + } + @Override public String getId() { return UserFunctionExecution.ID;
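Review bot: returning Collections.emptySet() from getRequiredPermissions in UserFunctionExecution means the framework-level check requires nothing before this function runs, and the hunk gives no comment explaining why that is safe. The context lines import SecurityService and AuthenticationRequiredException, which suggests execute() authorizes the wrapped user function itself; if so, say that in a Javadoc on the override so a later reader does not take the empty set for an oversight. A test that invokes this function as a user without the wrapped function's permissions and expects a rejection would pin the behaviour down.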
geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/DownloadJarFunction.java+9 −1 modified@@ -20,8 +20,9 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.rmi.RemoteException; +import java.util.Collection; +import java.util.Collections; -import com.healthmarketscience.rmiio.GZIPRemoteInputStream; import com.healthmarketscience.rmiio.RemoteInputStream; import com.healthmarketscience.rmiio.RemoteInputStreamServer; import com.healthmarketscience.rmiio.SimpleRemoteInputStream; @@ -35,6 +36,8 @@ import org.apache.geode.distributed.internal.InternalLocator; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.logging.LogService; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class DownloadJarFunction implements Function<Object[]>, InternalEntity { private static final Logger logger = LogService.getLogger(); @@ -80,6 +83,11 @@ public void execute(FunctionContext<Object[]> context) { context.getResultSender().lastResult(result); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return DownloadJarFunction.class.getName();
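Review bot: DownloadJarFunction is gated on plain CLUSTER_READ, while the commit introduces a DEPLOY target and uses CLUSTER_MANAGE_DEPLOY for UndeployFunction and UnregisterFunction. Since this function streams jar contents back to the caller, please state in a comment why an untargeted read permission is enough here, or consider a permission on the DEPLOY target so that access to deployed code is governed in one place.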
geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunction.java+7 −12 modified@@ -15,18 +15,10 @@ package org.apache.geode.management.internal.configuration.functions; -import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_MANAGE; -import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_READ; -import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_WRITE; -import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_MANAGE; -import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_READ; -import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_WRITE; - import java.io.IOException; import java.util.Collection; +import java.util.Collections; import java.util.Set; -import java.util.stream.Collectors; -import java.util.stream.Stream; import org.apache.logging.log4j.Logger; @@ -37,6 +29,7 @@ import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.configuration.messages.ConfigurationResponse; +import org.apache.geode.management.internal.security.ResourcePermissions; import org.apache.geode.security.ResourcePermission; public class GetClusterConfigurationFunction implements Function, InternalEntity { @@ -61,9 +54,11 @@ public void execute(FunctionContext context) { } } + /** + * this function will return all cluster config which will potentially leak security information. + * Thus we require all permissions to execute this function + **/ public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Stream - .of(DATA_READ, DATA_WRITE, DATA_MANAGE, CLUSTER_READ, CLUSTER_WRITE, CLUSTER_MANAGE) - .collect(Collectors.toSet()); + return Collections.singleton(ResourcePermissions.ALL); } }
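Review bot: getRequiredPermissions in GetClusterConfigurationFunction is the only override in this commit without an @Override annotation; add it so a signature change in Function is caught at compile time. The replacement of the six explicit permissions with Collections.singleton(ResourcePermissions.ALL) relies on ALL implying every one of them, and ALL is not defined in the ResourcePermissions hunk shown in this diff, so please point to its definition or add a test asserting that a user holding only some of the six is rejected. Minor: the new Javadoc should start with a capital letter and close with a single asterisk and slash rather than two asterisks.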
geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetRegionNamesFunction.java+9 −0 modified@@ -16,6 +16,8 @@ import static java.util.stream.Collectors.toSet; +import java.util.Collection; +import java.util.Collections; import java.util.Set; import org.apache.geode.cache.execute.Function; @@ -24,6 +26,8 @@ import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.internal.cache.LocalRegion; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class GetRegionNamesFunction implements Function, InternalEntity { @Override @@ -36,6 +40,11 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(regions); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_READ); + } + @Override public String getId() { return GetRegionNamesFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/RecreateCacheFunction.java+11 −1 modified@@ -14,6 +14,9 @@ */ package org.apache.geode.management.internal.configuration.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.InternalDistributedSystem; @@ -22,12 +25,14 @@ import org.apache.geode.internal.cache.GemFireCacheImpl; import org.apache.geode.internal.cache.InternalCache; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class RecreateCacheFunction implements Function, InternalEntity { @Override public void execute(FunctionContext context) { CliFunctionResult result = null; - InternalCache cache = GemFireCacheImpl.getInstance(); + InternalCache cache = (InternalCache) context.getCache(); InternalDistributedSystem ds = cache.getInternalDistributedSystem(); CacheConfig cacheConfig = cache.getCacheConfig(); try { @@ -42,6 +47,11 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(result); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE); + } + @Override public String getId() { return RecreateCacheFunction.class.getName();
geode-core/src/main/java/org/apache/geode/management/internal/security/ResourcePermissions.java+14 −0 modified@@ -20,6 +20,10 @@ import static org.apache.geode.security.ResourcePermission.Operation.WRITE; import static org.apache.geode.security.ResourcePermission.Resource.CLUSTER; import static org.apache.geode.security.ResourcePermission.Resource.DATA; +import static org.apache.geode.security.ResourcePermission.Target.DEPLOY; +import static org.apache.geode.security.ResourcePermission.Target.DISK; +import static org.apache.geode.security.ResourcePermission.Target.GATEWAY; +import static org.apache.geode.security.ResourcePermission.Target.QUERY; import org.apache.geode.security.ResourcePermission; import org.apache.geode.security.ResourcePermission.Operation; @@ -36,6 +40,16 @@ public final class ResourcePermissions { public static final ResourcePermission CLUSTER_READ = new ResourcePermission(CLUSTER, READ); public static final ResourcePermission CLUSTER_WRITE = new ResourcePermission(CLUSTER, WRITE); public static final ResourcePermission CLUSTER_MANAGE = new ResourcePermission(CLUSTER, MANAGE); + public static final ResourcePermission CLUSTER_READ_QUERY = + new ResourcePermission(CLUSTER, READ, QUERY); + public static final ResourcePermission CLUSTER_MANAGE_QUERY = + new ResourcePermission(CLUSTER, MANAGE, QUERY); + public static final ResourcePermission CLUSTER_MANAGE_DEPLOY = + new ResourcePermission(CLUSTER, MANAGE, DEPLOY); + public static final ResourcePermission CLUSTER_MANAGE_DISK = + new ResourcePermission(CLUSTER, MANAGE, DISK); + public static final ResourcePermission CLUSTER_MANAGE_GATEWAY = + new ResourcePermission(CLUSTER, MANAGE, GATEWAY); private ResourcePermissions() {} }
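Review bot: the five new constants in ResourcePermissions are added without any Javadoc, and of them only CLUSTER_READ_QUERY and CLUSTER_MANAGE_DEPLOY are referenced in the hunks shown here. Please document which commands or functions each targeted permission is meant to guard, and either use CLUSTER_MANAGE_QUERY, CLUSTER_MANAGE_DISK and CLUSTER_MANAGE_GATEWAY in this change or introduce them in the commit that first needs them. Operators write their security manager rules against these strings, so the mapping from permission to operation belongs in the code as well as in the user guide.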
geode-core/src/main/java/org/apache/geode/security/ResourcePermission.java+18 −7 modified@@ -14,7 +14,11 @@ */ package org.apache.geode.security; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; import java.util.function.UnaryOperator; +import java.util.stream.Collectors; import org.apache.commons.lang.StringUtils; import org.apache.shiro.authz.permission.WildcardPermission; @@ -79,7 +83,9 @@ public String getName() { private String target = ALL; private String key = ALL; - public ResourcePermission() {} + public ResourcePermission() { + setParts(this.resource + ":" + this.operation + ":" + this.target + ":" + this.key, true); + } public ResourcePermission(Resource resource, Operation operation) { this(resource, operation, ALL, ALL); @@ -196,13 +202,18 @@ public String getKey() { @Override public String toString() { - if (ALL.equals(target)) { - return resource + ":" + operation; - } else if (ALL.equals(key)) { - return resource + ":" + operation + ":" + target; - } else { - return resource + ":" + operation + ":" + target + ":" + key; + List<String> parts = new ArrayList<>(Arrays.asList(resource, operation, target, key)); + if (ALL.equals(key)) { + parts.remove(3); + if (ALL.equals(target)) { + parts.remove(2); + if (ALL.equals(operation)) { + parts.remove(1); + } + } } + + return parts.stream().collect(Collectors.joining(":")); } }
geode-core/src/main/resources/org/apache/geode/internal/sanctioned-geode-core-serializables.txt+0 −2 modified@@ -548,8 +548,6 @@ org/apache/geode/management/internal/cli/functions/ListDiskStoresFunction,false org/apache/geode/management/internal/cli/functions/ListDurableCqNamesFunction,true,1 org/apache/geode/management/internal/cli/functions/ListFunctionFunction,true,1 org/apache/geode/management/internal/cli/functions/ListIndexFunction,false -org/apache/geode/management/internal/cli/functions/MemberRegionFunction,true,1 -org/apache/geode/management/internal/cli/functions/MembersForRegionFunction,true,8746830191680509335 org/apache/geode/management/internal/cli/functions/NetstatFunction,true,1 org/apache/geode/management/internal/cli/functions/NetstatFunction$NetstatFunctionArgument,true,1,lineSeparator:java/lang/String,withlsof:boolean org/apache/geode/management/internal/cli/functions/NetstatFunction$NetstatFunctionResult,true,1,compressedBytes:org/apache/geode/management/internal/cli/CliUtil$DeflaterInflaterData,headerInfo:java/lang/String,host:java/lang/String
geode-core/src/test/java/org/apache/geode/cache/execute/CoreFunctionSecurityTest.java+180 −0 added@@ -0,0 +1,180 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package org.apache.geode.cache.execute; + +import static org.assertj.core.api.Assertions.assertThat; + +import java.util.HashMap; +import java.util.Map; + +import org.junit.BeforeClass; +import org.junit.ClassRule; +import org.junit.Rule; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +import org.apache.geode.cache.RegionShortcut; +import org.apache.geode.examples.SimpleSecurityManager; +import org.apache.geode.management.internal.cli.functions.AlterRuntimeConfigFunction; +import org.apache.geode.management.internal.cli.functions.ChangeLogLevelFunction; +import org.apache.geode.management.internal.cli.functions.CloseDurableClientFunction; +import org.apache.geode.management.internal.cli.functions.CloseDurableCqFunction; +import org.apache.geode.management.internal.cli.functions.ContinuousQueryFunction; +import org.apache.geode.management.internal.cli.functions.CreateAsyncEventQueueFunction; +import org.apache.geode.management.internal.cli.functions.CreateDefinedIndexesFunction; +import 
org.apache.geode.management.internal.cli.functions.CreateDiskStoreFunction; +import org.apache.geode.management.internal.cli.functions.CreateIndexFunction; +import org.apache.geode.management.internal.cli.functions.DataCommandFunction; +import org.apache.geode.management.internal.cli.functions.DeployFunction; +import org.apache.geode.management.internal.cli.functions.DescribeDiskStoreFunction; +import org.apache.geode.management.internal.cli.functions.DestroyAsyncEventQueueFunction; +import org.apache.geode.management.internal.cli.functions.DestroyDiskStoreFunction; +import org.apache.geode.management.internal.cli.functions.DestroyIndexFunction; +import org.apache.geode.management.internal.cli.functions.ExportConfigFunction; +import org.apache.geode.management.internal.cli.functions.ExportDataFunction; +import org.apache.geode.management.internal.cli.functions.ExportLogsFunction; +import org.apache.geode.management.internal.cli.functions.FetchRegionAttributesFunction; +import org.apache.geode.management.internal.cli.functions.FetchSharedConfigurationStatusFunction; +import org.apache.geode.management.internal.cli.functions.GarbageCollectionFunction; +import org.apache.geode.management.internal.cli.functions.GatewayReceiverCreateFunction; +import org.apache.geode.management.internal.cli.functions.GatewaySenderCreateFunction; +import org.apache.geode.management.internal.cli.functions.GatewaySenderDestroyFunction; +import org.apache.geode.management.internal.cli.functions.GetMemberConfigInformationFunction; +import org.apache.geode.management.internal.cli.functions.GetMemberInformationFunction; +import org.apache.geode.management.internal.cli.functions.GetRegionDescriptionFunction; +import org.apache.geode.management.internal.cli.functions.GetRegionsFunction; +import org.apache.geode.management.internal.cli.functions.GetStackTracesFunction; +import org.apache.geode.management.internal.cli.functions.GetSubscriptionQueueSizeFunction; +import 
org.apache.geode.management.internal.cli.functions.ImportDataFunction; +import org.apache.geode.management.internal.cli.functions.ListAsyncEventQueuesFunction; +import org.apache.geode.management.internal.cli.functions.ListDeployedFunction; +import org.apache.geode.management.internal.cli.functions.ListDiskStoresFunction; +import org.apache.geode.management.internal.cli.functions.ListDurableCqNamesFunction; +import org.apache.geode.management.internal.cli.functions.ListFunctionFunction; +import org.apache.geode.management.internal.cli.functions.ListIndexFunction; +import org.apache.geode.management.internal.cli.functions.NetstatFunction; +import org.apache.geode.management.internal.cli.functions.RebalanceFunction; +import org.apache.geode.management.internal.cli.functions.RegionAlterFunction; +import org.apache.geode.management.internal.cli.functions.RegionCreateFunction; +import org.apache.geode.management.internal.cli.functions.RegionDestroyFunction; +import org.apache.geode.management.internal.cli.functions.ShowMissingDiskStoresFunction; +import org.apache.geode.management.internal.cli.functions.ShutDownFunction; +import org.apache.geode.management.internal.cli.functions.SizeExportLogsFunction; +import org.apache.geode.management.internal.cli.functions.UndeployFunction; +import org.apache.geode.management.internal.cli.functions.UnregisterFunction; +import org.apache.geode.management.internal.cli.functions.UserFunctionExecution; +import org.apache.geode.management.internal.configuration.functions.DownloadJarFunction; +import org.apache.geode.management.internal.configuration.functions.GetClusterConfigurationFunction; +import org.apache.geode.management.internal.configuration.functions.GetRegionNamesFunction; +import org.apache.geode.management.internal.configuration.functions.RecreateCacheFunction; +import org.apache.geode.test.junit.categories.IntegrationTest; +import org.apache.geode.test.junit.rules.ConnectionConfiguration; +import 
org.apache.geode.test.junit.rules.GfshCommandRule; +import org.apache.geode.test.junit.rules.ServerStarterRule; + + +@Category(IntegrationTest.class) +public class CoreFunctionSecurityTest { + private static final String RESULT_HEADER = "Function Execution Result"; + + @ClassRule + public static ServerStarterRule server = + new ServerStarterRule().withJMXManager().withSecurityManager(SimpleSecurityManager.class) + .withRegion(RegionShortcut.PARTITION, "testRegion").withAutoStart(); + + @Rule + public GfshCommandRule gfsh = + new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager); + + private static Map<Function, String> functionStringMap = new HashMap<>(); + + @BeforeClass + public static void setupClass() { + functionStringMap.put(new AlterRuntimeConfigFunction(), "CLUSTER:WRITE"); + functionStringMap.put(new ChangeLogLevelFunction(), "CLUSTER:WRITE"); + functionStringMap.put(new CloseDurableClientFunction(), "CLUSTER:MANAGE:QUERY"); + functionStringMap.put(new CloseDurableCqFunction(), "CLUSTER:MANAGE:QUERY"); + functionStringMap.put(new ContinuousQueryFunction(), "CLUSTER:READ"); + functionStringMap.put(new CreateAsyncEventQueueFunction(), "CLUSTER:MANAGE:DEPLOY"); + functionStringMap.put(new CreateDefinedIndexesFunction(), "CLUSTER:MANAGE:QUERY"); + functionStringMap.put(new CreateDiskStoreFunction(), "CLUSTER:MANAGE:DISK"); + functionStringMap.put(new CreateIndexFunction(), "CLUSTER:MANAGE:QUERY"); + functionStringMap.put(new DataCommandFunction(), "DATA"); + functionStringMap.put(new DeployFunction(), "CLUSTER:MANAGE:DEPLOY"); + functionStringMap.put(new DescribeDiskStoreFunction(), "CLUSTER:READ"); + functionStringMap.put(new DestroyAsyncEventQueueFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new DestroyDiskStoreFunction(), "CLUSTER:MANAGE:DISK"); + functionStringMap.put(new DestroyIndexFunction(), "CLUSTER:MANAGE:QUERY"); + functionStringMap.put(new ExportConfigFunction(), "CLUSTER:READ"); + functionStringMap.put(new 
ExportDataFunction(), "DATA:READ"); + functionStringMap.put(new ExportLogsFunction(), "CLUSTER:READ"); + functionStringMap.put(new FetchRegionAttributesFunction(), "CLUSTER:READ"); + functionStringMap.put(new FetchSharedConfigurationStatusFunction(), "CLUSTER:READ"); + functionStringMap.put(new GarbageCollectionFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new GatewayReceiverCreateFunction(), "CLUSTER:MANAGE:GATEWAY"); + functionStringMap.put(new GatewaySenderCreateFunction(), "CLUSTER:MANAGE:GATEWAY"); + functionStringMap.put(new GatewaySenderDestroyFunction(), "CLUSTER:MANAGE:GATEWAY"); + functionStringMap.put(new GetClusterConfigurationFunction(), "*"); + functionStringMap.put(new GetMemberConfigInformationFunction(), "CLUSTER:READ"); + functionStringMap.put(new GetMemberInformationFunction(), "CLUSTER:READ"); + functionStringMap.put(new GetRegionDescriptionFunction(), "CLUSTER:READ"); + functionStringMap.put(new GetRegionsFunction(), "CLUSTER:READ"); + functionStringMap.put(new GetStackTracesFunction(), "CLUSTER:READ"); + functionStringMap.put(new GetSubscriptionQueueSizeFunction(), "CLUSTER:READ"); + functionStringMap.put(new ImportDataFunction(), "DATA:WRITE"); + functionStringMap.put(new ListAsyncEventQueuesFunction(), "CLUSTER:READ"); + functionStringMap.put(new ListDeployedFunction(), "CLUSTER:READ"); + functionStringMap.put(new ListDiskStoresFunction(), "CLUSTER:READ"); + functionStringMap.put(new ListDurableCqNamesFunction(), "CLUSTER:READ"); + functionStringMap.put(new ListFunctionFunction(), "CLUSTER:READ"); + functionStringMap.put(new ListIndexFunction(), "CLUSTER:READ:QUERY"); + functionStringMap.put(new NetstatFunction(), "CLUSTER:READ"); + functionStringMap.put(new RebalanceFunction(), "DATA:MANAGE"); + functionStringMap.put(new RegionAlterFunction(), "DATA:MANAGE"); + functionStringMap.put(new RegionCreateFunction(), "DATA:MANAGE"); + functionStringMap.put(new RegionDestroyFunction(), "DATA:MANAGE"); + functionStringMap.put(new 
ShowMissingDiskStoresFunction(), "CLUSTER:READ"); + functionStringMap.put(new ShutDownFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new SizeExportLogsFunction(), "CLUSTER:READ"); + functionStringMap.put(new UndeployFunction(), "CLUSTER:MANAGE:DEPLOY"); + functionStringMap.put(new UnregisterFunction(), "CLUSTER:MANAGE:DEPLOY"); + functionStringMap.put(new GetRegionNamesFunction(), "CLUSTER:READ"); + functionStringMap.put(new RecreateCacheFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new DownloadJarFunction(), "CLUSTER:READ"); + + functionStringMap.keySet().forEach(FunctionService::registerFunction); + } + + @Test + @ConnectionConfiguration(user = "user", password = "user") + public void functionRequireExpectedPermission() throws Exception { + functionStringMap.entrySet().stream().forEach(entry -> { + Function function = entry.getKey(); + String permission = entry.getValue(); + System.out.println("function: " + function.getId() + ", permission: " + permission); + gfsh.executeAndAssertThat("execute function --id=" + function.getId()) + .tableHasRowCount(RESULT_HEADER, 1) + .tableHasRowWithValues(RESULT_HEADER, "Exception: user not authorized for " + permission) + .statusIsError(); + }); + } + + @Test + public void userFunctionExecutionRequiresNoSecurity() { + Function function = new UserFunctionExecution(); + assertThat(function.getRequiredPermissions("testRegion")).isEmpty(); + } +}
geode-core/src/test/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunctionTest.java+0 −48 removed@@ -1,48 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more contributor license - * agreements. See the NOTICE file distributed with this work for additional information regarding - * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance with the License. You may obtain a - * copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - */ - -package org.apache.geode.management.internal.configuration.functions; - -import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_MANAGE; -import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_READ; -import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_WRITE; -import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_MANAGE; -import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_READ; -import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_WRITE; -import static org.assertj.core.api.Assertions.assertThat; - -import org.junit.Before; -import org.junit.Test; -import org.junit.experimental.categories.Category; - -import org.apache.geode.test.junit.categories.UnitTest; - - -@Category(UnitTest.class) -public class GetClusterConfigurationFunctionTest { - - private GetClusterConfigurationFunction function; - - @Before - public void before() { 
- function = new GetClusterConfigurationFunction(); - } - - @Test - public void functionRequireAllPermissions() throws Exception { - assertThat(function.getRequiredPermissions("")).containsExactlyInAnyOrder(DATA_READ, DATA_WRITE, - DATA_MANAGE, CLUSTER_READ, CLUSTER_WRITE, CLUSTER_MANAGE); - } -}
geode-core/src/test/java/org/apache/geode/management/internal/security/ResourcePermissionTest.java+16 −1 modified@@ -186,14 +186,29 @@ public void testToString() { ResourcePermission context = new ResourcePermission(); assertThat("NULL:NULL").isEqualTo(context.toString()); - context = new ResourcePermission(Resource.DATA, Operation.MANAGE); + context = new ResourcePermission("data", "manage"); assertThat("DATA:MANAGE").isEqualTo(context.toString()); + context = new ResourcePermission("data", "read", "regionA"); + assertThat("DATA:READ:regionA").isEqualTo(context.toString()); + + context = new ResourcePermission("DATA", "READ", "/regionA", "key"); + assertThat("DATA:READ:regionA:key").isEqualTo(context.toString()); + context = new ResourcePermission(Resource.DATA, Operation.MANAGE, "REGIONA"); assertThat("DATA:MANAGE:REGIONA").isEqualTo(context.toString()); context = new ResourcePermission(Resource.DATA, Operation.MANAGE); assertThat("DATA:MANAGE").isEqualTo(context.toString()); + + context = new ResourcePermission("ALL", "READ"); + assertThat(context.toString()).isEqualTo("*:READ"); + + context = new ResourcePermission("DATA", "ALL"); + assertThat(context.toString()).isEqualTo("DATA"); + + context = new ResourcePermission("ALL", "ALL", "regionA", "*"); + assertThat(context.toString()).isEqualTo("*:*:regionA"); } @Test
geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java+14 −7 modified@@ -81,7 +81,8 @@ public void functionRequireExpectedPermission() throws Exception { String permission = entry.getValue(); gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + function.getId()) .tableHasRowCount(RESULT_HEADER, 1) - .tableHasColumnWithValuesContaining(RESULT_HEADER, permission).statusIsError(); + .tableHasRowWithValues(RESULT_HEADER, "Exception: user not authorized for " + permission) + .statusIsError(); }); } @@ -91,16 +92,18 @@ public void functionRequireExpectedPermission() throws Exception { @ConnectionConfiguration(user = "clusterManage", password = "clusterManage") public void dumpDirectoryFileRequiresBoth_AsClusterManage() { gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) - .tableHasRowCount(RESULT_HEADER, 1) - .tableHasColumnWithValuesContaining(RESULT_HEADER, "DATA:READ:testRegion").statusIsError(); + .tableHasRowCount(RESULT_HEADER, 1).tableHasRowWithValues(RESULT_HEADER, + "Exception: clusterManage not authorized for DATA:READ:testRegion") + .statusIsError(); } @Test @ConnectionConfiguration(user = "dataRead", password = "dataRead") public void dumpDirectoryFileRequiresBoth_AsDataRead() { gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) - .tableHasRowCount(RESULT_HEADER, 1) - .tableHasColumnWithValuesContaining(RESULT_HEADER, "CLUSTER:MANAGE").statusIsError(); + .tableHasRowCount(RESULT_HEADER, 1).tableHasRowWithValues(RESULT_HEADER, + "Exception: dataRead not authorized for CLUSTER:MANAGE") + .statusIsError(); } @Test 
@@ -109,7 +112,9 @@ public void dumpDirectoryFileRequiresBoth_AsDataRead() { public void dumpDirectoryFileRequiresBoth_dataReadAnotherRegion() { gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) .tableHasRowCount(RESULT_HEADER, 1) - .tableHasColumnWithValuesContaining(RESULT_HEADER, "DATA:READ:testRegion").statusIsError(); + .tableHasRowWithValues(RESULT_HEADER, + "Exception: clusterManage,dataReadRegionB not authorized for DATA:READ:testRegion") + .statusIsError(); } @Test @@ -118,7 +123,9 @@ public void dumpDirectoryFileRequiresBoth_dataReadAnotherRegion() { public void dumpDirectoryFileRequiresBoth_dataReadInsufficient() { gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) .tableHasRowCount(RESULT_HEADER, 1) - .tableHasColumnWithValuesContaining(RESULT_HEADER, "DATA:READ:testRegion").statusIsError(); + .tableHasRowWithValues(RESULT_HEADER, + "Exception: clusterManage,dataReadTestRegionA not authorized for DATA:READ:testRegion") + .statusIsError(); } @Test
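Review bot: in RecreateCacheFunction.execute, the new `(InternalCache) context.getCache()` cast and the `getInternalDistributedSystem()` / `getCacheConfig()` calls after it sit above the `try`, so a ClassCastException or a null cache escapes as a raw exception instead of reaching the `result` that is handed to `lastResult(result)`. Move the lookup inside the `try` (assuming the catch block, which this hunk does not show, builds an error result). The added `getRequiredPermissions` ignores `regionName` and always returns CLUSTER:MANAGE; a one-line comment stating that this is intentional would help the next reader.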
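Review bot: ResourcePermission.toString now trims one level further than before, so a permission whose operation is ALL prints as the bare resource (the updated test expects `DATA` for `("DATA", "ALL")`), and the security tests in this commit assert on "not authorized for ..." messages ending in values such as `DATA` and `*`. Document the trimming rule in the method's Javadoc, since anything that matches on these messages sees a format change. The nested `parts.remove(3)` / `parts.remove(2)` / `parts.remove(1)` can be a loop that strips trailing `ALL` entries while more than one part remains, and `String.join(":", parts)` avoids the stream and the `Collectors` import. The no-arg constructor now calls `setParts(...)` on a string built from the field defaults; add a comment on why the default instance needs it.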
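Review bot: `functionStringMap` in CoreFunctionSecurityTest is maintained by hand, so an internal function added later without an entry is never checked and ships with whatever permission it defaults to. Consider discovering the function classes (for example everything implementing `InternalEntity`, if that marker covers them) and failing when one has no expected permission in the map. Two smaller points: the `forEach` stops at the first failed assertion, so one regression hides the rest (AssertJ soft assertions would report all of them), and the `System.out.println` should be removed or turned into a description on the assertion. `userFunctionExecutionRequiresNoSecurity` asserts an empty permission set for `UserFunctionExecution`; a comment explaining why an empty set is safe for that class belongs next to it.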
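Review bot: in ResourcePermissionTest.testToString the added assertions mix argument order: `assertThat("DATA:READ:regionA").isEqualTo(context.toString())` puts the expected value in the actual position, while the lines added at the end of the hunk use `assertThat(context.toString()).isEqualTo("*:READ")`. Use the second form throughout so a failure reports expected and actual the right way round. The `"/regionA"` case relies on the leading slash being stripped; a separately named test method would make that normalisation explicit instead of leaving it inside a toString test.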
00be4f9774e1 GEODE-3974: function security improvement (#1287)
22 files changed · +315 −753
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/CreateRegionFunction.java+1 −11 modified@@ -33,7 +33,6 @@ import org.apache.geode.cache.Region; import org.apache.geode.cache.RegionAttributes; import org.apache.geode.cache.Scope; -import org.apache.geode.cache.client.ClientCache; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.partition.PartitionRegionHelper; @@ -64,19 +63,10 @@ public class CreateRegionFunction implements Function, Declarable, DataSerializa "__regionConfigurationMetadata"; public CreateRegionFunction() { - this(CacheFactory.getAnyInstance()); - } - - public CreateRegionFunction(Cache cache) { - this.cache = cache; + this.cache = CacheFactory.getAnyInstance(); this.regionConfigurationsRegion = createRegionConfigurationMetadataRegion(); } - public CreateRegionFunction(ClientCache cache) { - this.cache = null; - this.regionConfigurationsRegion = null; - } - public void execute(FunctionContext context) { RegionConfiguration configuration = (RegionConfiguration) context.getArguments(); if (this.cache.getLogger().fineEnabled()) {
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchPartitionedRegionEntriesFunction.java+3 −13 modified@@ -24,7 +24,6 @@ import org.apache.geode.DataSerializable; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.CacheFactory; import org.apache.geode.cache.Declarable; import org.apache.geode.cache.Region; import org.apache.geode.cache.execute.Function; @@ -42,31 +41,22 @@ public class TouchPartitionedRegionEntriesFunction private static final long serialVersionUID = -3700389655056961153L; - private final Cache cache; - public static final String ID = "touch-partitioned-region-entries"; - public TouchPartitionedRegionEntriesFunction() { - this(CacheFactory.getAnyInstance()); - } - - public TouchPartitionedRegionEntriesFunction(Cache cache) { - this.cache = cache; - } - @SuppressWarnings("unchecked") public void execute(FunctionContext context) { RegionFunctionContext rfc = (RegionFunctionContext) context; Set<String> keys = (Set<String>) rfc.getFilter(); + Cache cache = context.getCache(); // Get local (primary) data for the context Region primaryDataSet = PartitionRegionHelper.getLocalDataForContext(rfc); - if (this.cache.getLogger().fineEnabled()) { + if (cache.getLogger().fineEnabled()) { StringBuilder builder = new StringBuilder(); builder.append("Function ").append(ID).append(" received request to touch ") .append(primaryDataSet.getFullPath()).append("->").append(keys); - this.cache.getLogger().fine(builder.toString()); + cache.getLogger().fine(builder.toString()); } // Retrieve each value to update the lastAccessedTime.
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchReplicatedRegionEntriesFunction.java+8 −16 modified@@ -24,11 +24,11 @@ import org.apache.geode.DataSerializable; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.CacheFactory; import org.apache.geode.cache.Declarable; import org.apache.geode.cache.Region; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; +import org.apache.geode.management.internal.security.ResourcePermissions; import org.apache.geode.security.ResourcePermission; /** @@ -41,31 +41,22 @@ public class TouchReplicatedRegionEntriesFunction private static final long serialVersionUID = -7424895036162243564L; - private final Cache cache; - public static final String ID = "touch-replicated-region-entries"; - public TouchReplicatedRegionEntriesFunction() { - this(CacheFactory.getAnyInstance()); - } - - public TouchReplicatedRegionEntriesFunction(Cache cache) { - this.cache = cache; - } - public void execute(FunctionContext context) { Object[] arguments = (Object[]) context.getArguments(); + Cache cache = context.getCache(); String regionName = (String) arguments[0]; Set<String> keys = (Set<String>) arguments[1]; - if (this.cache.getLogger().fineEnabled()) { + if (cache.getLogger().fineEnabled()) { StringBuilder builder = new StringBuilder(); builder.append("Function ").append(ID).append(" received request to touch ") .append(regionName).append("->").append(keys); - this.cache.getLogger().fine(builder.toString()); + cache.getLogger().fine(builder.toString()); } // Retrieve the appropriate Region and value to update the lastAccessedTime - Region region = this.cache.getRegion(regionName); + Region region = cache.getRegion(regionName); if (region != null) { region.getAll(keys); } 
@@ -75,9 +66,10 @@ public void execute(FunctionContext context) { } @Override + // the actual regionName used in the function body is passed in as an function arugment, + // this regionName is not really used in function. Hence requiring DATA:READ on all regions public Collection<ResourcePermission> getRequiredPermissions(String regionName) { - return Collections.singletonList(new ResourcePermission(ResourcePermission.Resource.DATA, - ResourcePermission.Operation.READ, regionName)); + return Collections.singletonList(ResourcePermissions.DATA_READ); } public String getId() {
extensions/geode-modules/src/test/java/org/apache/geode/modules/util/ModuleFunctionsSecurityTest.java+22 −50 modified@@ -15,13 +15,17 @@ package org.apache.geode.modules.util; +import java.util.HashMap; +import java.util.Map; + import org.junit.BeforeClass; import org.junit.ClassRule; import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; import org.apache.geode.cache.RegionShortcut; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionService; import org.apache.geode.examples.SimpleSecurityManager; import org.apache.geode.test.junit.categories.IntegrationTest; 
@@ -38,66 +42,34 @@ public class ModuleFunctionsSecurityTest { @ClassRule public static ServerStarterRule server = new ServerStarterRule().withJMXManager().withSecurityManager(SimpleSecurityManager.class) - .withRegion(RegionShortcut.REPLICATE, "REPLICATE_1") - .withRegion(RegionShortcut.PARTITION, "PARTITION_1").withAutoStart(); + .withRegion(RegionShortcut.REPLICATE, "AuthRegion").withAutoStart(); @Rule public GfshCommandRule gfsh = new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager); + private static Map<Function, String> functionStringMap = new HashMap<>(); + @BeforeClass public static void setupClass() { - FunctionService.registerFunction(new BootstrappingFunction()); - FunctionService.registerFunction(new CreateRegionFunction()); - FunctionService.registerFunction(new RegionSizeFunction()); - FunctionService.registerFunction(new TouchPartitionedRegionEntriesFunction()); - FunctionService.registerFunction(new TouchReplicatedRegionEntriesFunction()); - } + functionStringMap.put(new BootstrappingFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new CreateRegionFunction(), "DATA:MANAGE"); + functionStringMap.put(new RegionSizeFunction(), "DATA:READ:AuthRegion"); + functionStringMap.put(new TouchPartitionedRegionEntriesFunction(), "DATA:READ:AuthRegion"); + functionStringMap.put(new TouchReplicatedRegionEntriesFunction(), "DATA:READ"); - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForBootstrappingFunction() throws Exception { - gfsh.executeAndAssertThat("execute function --id=" + BootstrappingFunction.ID) - .tableHasColumnWithExactValuesInAnyOrder(RESULT_HEADER, - "Exception: dataWrite not authorized for CLUSTER:MANAGE") - .statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForCreateRegionFunction() throws Exception { - gfsh.executeAndAssertThat("execute function --id=" + 
CreateRegionFunction.ID) - .tableHasColumnWithExactValuesInAnyOrder(RESULT_HEADER, - "Exception: dataWrite not authorized for DATA:MANAGE") - .statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForRegionSizeFunction() throws Exception { - gfsh.executeAndAssertThat("execute function --region=REPLICATE_1 --id=" + RegionSizeFunction.ID) - .tableHasColumnWithExactValuesInAnyOrder(RESULT_HEADER, - "Exception: dataWrite not authorized for DATA:READ:REPLICATE_1") - .statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForTouchPartitionedRegionEntriesFunction() throws Exception { - gfsh.executeAndAssertThat( - "execute function --region=PARTITION_1 --id=" + TouchPartitionedRegionEntriesFunction.ID) - .tableHasColumnWithExactValuesInAnyOrder(RESULT_HEADER, - "Exception: dataWrite not authorized for DATA:READ:PARTITION_1") - .statusIsError(); + functionStringMap.keySet().forEach(FunctionService::registerFunction); } @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForTouchReplicatedRegionEntriesFunction() throws Exception { - gfsh.executeAndAssertThat( - "execute function --region=REPLICATE_1 --id=" + TouchReplicatedRegionEntriesFunction.ID) - .tableHasColumnWithExactValuesInAnyOrder(RESULT_HEADER, - "Exception: dataWrite not authorized for DATA:READ:REPLICATE_1") - .statusIsError(); + @ConnectionConfiguration(user = "user", password = "user") + public void functionRequireExpectedPermission() throws Exception { + functionStringMap.entrySet().stream().forEach(entry -> { + Function function = entry.getKey(); + String permission = entry.getValue(); + gfsh.executeAndAssertThat("execute function --region=AuthRegion --id=" + function.getId()) + .tableHasRowCount(RESULT_HEADER, 1) + .tableHasColumnWithValuesContaining(RESULT_HEADER, 
permission).statusIsError(); + }); } }
geode-connectors/src/test/java/org/apache/geode/connectors/jdbc/internal/cli/JDBCConnectorFunctionsSecurityTest.java+27 −84 modified@@ -15,6 +15,9 @@ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.HashMap; +import java.util.Map; + import org.junit.BeforeClass; import org.junit.ClassRule; import org.junit.Rule; @@ -48,20 +51,6 @@ CliFunctionResult getFunctionResult(JdbcConnectorService service, @Category({IntegrationTest.class, SecurityException.class}) public class JDBCConnectorFunctionsSecurityTest { - - private static Function alterConnectionFunction = new AlterConnectionFunction(); - private static Function alterMappingFunction = new AlterMappingFunction(); - private static Function createConnectionFunction = new CreateConnectionFunction(); - private static Function createMappingFunction = new CreateMappingFunction(); - private static Function describeConnectionFunction = new DescribeConnectionFunction(); - private static Function describeMappingFunction = new DescribeMappingFunction(); - private static Function destroyConnectionFunction = new DestroyConnectionFunction(); - private static Function destroyMappingFunction = new DestroyMappingFunction(); - private static Function listConnectionFunction = new ListConnectionFunction(); - private static Function listMappingFunction = new ListMappingFunction(); - private static Function inheritsDefaultPermissionsFunction = - new InheritsDefaultPermissionsJDBCFunction(); - @ClassRule public static ServerStarterRule server = new ServerStarterRule().withJMXManager() .withSecurityManager(SimpleSecurityManager.class).withAutoStart(); 
@@ -70,81 +59,35 @@ public class JDBCConnectorFunctionsSecurityTest { public GfshCommandRule gfsh = new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager); + private static Map<Function, String> functionStringMap = new HashMap<>(); + @BeforeClass public static void setupClass() { - FunctionService.registerFunction(alterConnectionFunction); - FunctionService.registerFunction(alterMappingFunction); - FunctionService.registerFunction(createConnectionFunction); - FunctionService.registerFunction(createMappingFunction); - FunctionService.registerFunction(describeConnectionFunction); - FunctionService.registerFunction(describeMappingFunction); - FunctionService.registerFunction(destroyConnectionFunction); - FunctionService.registerFunction(destroyMappingFunction); - FunctionService.registerFunction(listConnectionFunction); - FunctionService.registerFunction(listMappingFunction); - FunctionService.registerFunction(inheritsDefaultPermissionsFunction); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForAlterConnectionFunction() { - gfsh.executeAndAssertThat("execute function --id=" + alterConnectionFunction.getId()) - .containsOutput("not authorized for CLUSTER:MANAGE").statusIsError(); + functionStringMap.put(new AlterConnectionFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new AlterMappingFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new CreateConnectionFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new CreateMappingFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new DescribeConnectionFunction(), "CLUSTER:READ"); + functionStringMap.put(new DescribeMappingFunction(), "CLUSTER:READ"); + functionStringMap.put(new DestroyConnectionFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new DestroyMappingFunction(), "CLUSTER:MANAGE"); + functionStringMap.put(new ListConnectionFunction(), "CLUSTER:READ"); + functionStringMap.put(new 
ListMappingFunction(), "CLUSTER:READ"); + functionStringMap.put(new InheritsDefaultPermissionsJDBCFunction(), "CLUSTER:READ"); + functionStringMap.keySet().forEach(FunctionService::registerFunction); } - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForAlterMappingFunction() { - gfsh.executeAndAssertThat("execute function --id=" + alterMappingFunction.getId()) - .containsOutput("not authorized for CLUSTER:MANAGE").statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForCreateConnectionFunction() { - gfsh.executeAndAssertThat("execute function --id=" + createConnectionFunction.getId()) - .containsOutput("not authorized for CLUSTER:MANAGE").statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForCreateMappingFunction() { - gfsh.executeAndAssertThat("execute function --id=" + createMappingFunction.getId()) - .containsOutput("not authorized for CLUSTER:MANAGE").statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForDescribeConnectionFunction() { - gfsh.executeAndAssertThat("execute function --id=" + describeConnectionFunction.getId()) - .containsOutput("not authorized for CLUSTER:READ").statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForDescribeMappingFunction() { - gfsh.executeAndAssertThat("execute function --id=" + describeMappingFunction.getId()) - .containsOutput("not authorized for CLUSTER:READ").statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForDestroyConnectionFunction() { - gfsh.executeAndAssertThat("execute function --id=" + destroyConnectionFunction.getId()) - 
.containsOutput("not authorized for CLUSTER:MANAGE").statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForDestroyMappingFunction() { - gfsh.executeAndAssertThat("execute function --id=" + destroyMappingFunction.getId()) - .containsOutput("not authorized for CLUSTER:MANAGE").statusIsError(); - } @Test - @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") - public void testInvalidPermissionsForFunctionInheritingDefaultPermissions() { - gfsh.executeAndAssertThat("execute function --id=" + inheritsDefaultPermissionsFunction.getId()) - .containsOutput("not authorized for CLUSTER:READ").statusIsError(); + @ConnectionConfiguration(user = "user", password = "user") + public void functionRequireExpectedPermission() throws Exception { + functionStringMap.entrySet().stream().forEach(entry -> { + Function function = entry.getKey(); + String permission = entry.getValue(); + gfsh.executeAndAssertThat("execute function --id=" + function.getId()) + .tableHasRowCount("Function Execution Result", 1) + .tableHasColumnWithValuesContaining("Function Execution Result", permission) + .statusIsError(); + }); } }
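Review bot: The consolidated functionRequireExpectedPermission test connects with @ConnectionConfiguration(user = "user", password = "user"), where every deleted test connected as "dataWrite", so the suite no longer shows that a DATA:WRITE principal specifically is refused these functions. That is the privilege level this fix is about; keep a dataWrite case or run the same map against both users. Two smaller points in the same hunk: the forEach stops at the first failing entry and the failure will not say which function it was, so include function.getId() in the assertion description or use a parameterized test; and the unchanged @Category line lists SecurityException.class, which looks like it was meant to be SecurityTest.class.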
geode-core/src/main/java/org/apache/geode/distributed/internal/deadlock/GemFireDeadlockDetector.java+2 −3 modified@@ -16,7 +16,6 @@ import java.io.Serializable; import java.util.HashSet; -import java.util.LinkedList; import java.util.Set; import java.util.concurrent.TimeUnit; @@ -27,9 +26,9 @@ import org.apache.geode.cache.execute.FunctionService; import org.apache.geode.cache.execute.ResultCollector; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.distributed.DistributedSystem; import org.apache.geode.distributed.internal.InternalDistributedSystem; import org.apache.geode.distributed.internal.membership.InternalDistributedMember; +import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.execute.AbstractExecution; /** @@ -104,7 +103,7 @@ public void clearResults() { return detector.getDependencyGraph(); } - private static class CollectDependencyFunction implements Function { + private static class CollectDependencyFunction implements Function, InternalEntity { private static final long serialVersionUID = 6204378622627095817L;
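Review bot: CollectDependencyFunction gains the InternalEntity marker with no comment saying what the marker changes for this class, and the same one-line edit is repeated by hand across the other internal functions in this commit. Add a short class comment stating why the function is marked internal, and consider a test that enumerates the Function implementations in the internal packages and fails when one lacks the marker, so a function added later cannot miss it silently.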
geode-core/src/main/java/org/apache/geode/internal/cache/MemberFunctionStreamingMessage.java+3 −4 modified@@ -215,10 +215,9 @@ protected void process(final ClusterDistributionManager dm) { rex = new ReplyException(thr); replyWithException(dm, rex); } catch (Exception exception) { - if (logger.isDebugEnabled()) { - logger.debug("Exception occurred on remote member while executing Function: {}", - this.functionObject.getId(), exception); - } + logger.error("Exception occurred on remote member while executing Function: {}", + this.functionObject.getId(), exception); + stats.endFunctionExecutionWithException(this.functionObject.hasResult()); rex = new ReplyException(exception); replyWithException(dm, rex);
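Review bot: In the catch (Exception exception) block the log call moves from a guarded logger.debug to an unconditional logger.error with the full exception attached, so every function that throws on a remote member now writes an error-level stack trace. Any client permitted to execute a function can produce these repeatedly; consider logging expected failures (authorization or argument errors) at warn without the stack trace and reserving error for unexpected ones.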
geode-core/src/main/java/org/apache/geode/internal/cache/snapshot/ClientExporter.java+2 −2 modified@@ -30,7 +30,7 @@ import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.snapshot.SnapshotOptions; import org.apache.geode.distributed.DistributedMember; -import org.apache.geode.internal.cache.GemFireCacheImpl; +import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.snapshot.RegionSnapshotServiceImpl.ExportSink; import org.apache.geode.internal.cache.snapshot.RegionSnapshotServiceImpl.Exporter; import org.apache.geode.internal.cache.snapshot.RegionSnapshotServiceImpl.ResultSenderSink; @@ -118,7 +118,7 @@ public SnapshotOptions<K, V> getOptions() { * @param <K> the key type * @param <V> the value type */ - static class ProxyExportFunction<K, V> implements Function { + static class ProxyExportFunction<K, V> implements Function, InternalEntity { private static final long serialVersionUID = 1L; @Override
geode-core/src/main/java/org/apache/geode/internal/cache/snapshot/RegionSnapshotServiceImpl.java+3 −2 modified@@ -49,6 +49,7 @@ import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.distributed.internal.InternalDistributedSystem; import org.apache.geode.internal.DSCODE; +import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.CachePerfStats; import org.apache.geode.internal.cache.CachedDeserializable; import org.apache.geode.internal.cache.CachedDeserializableFactory; @@ -501,7 +502,7 @@ public SnapshotOptionsImpl<K, V> getOptions() { } } - private static class ParallelExportFunction<K, V> implements Function { + private static class ParallelExportFunction<K, V> implements Function, InternalEntity { @Override public boolean hasResult() { return true; @@ -544,7 +545,7 @@ public boolean isHA() { } } - private static class ParallelImportFunction<K, V> implements Function { + private static class ParallelImportFunction<K, V> implements Function, InternalEntity { @Override public boolean hasResult() { return true;
geode-core/src/main/java/org/apache/geode/internal/cache/snapshot/WindowedExporter.java+9 −2 modified@@ -32,12 +32,19 @@ import org.apache.geode.cache.EntryDestroyedException; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.*; +import org.apache.geode.cache.execute.Function; +import org.apache.geode.cache.execute.FunctionContext; +import org.apache.geode.cache.execute.FunctionException; +import org.apache.geode.cache.execute.FunctionService; +import org.apache.geode.cache.execute.RegionFunctionContext; +import org.apache.geode.cache.execute.ResultCollector; +import org.apache.geode.cache.execute.ResultSender; import org.apache.geode.cache.partition.PartitionRegionHelper; import org.apache.geode.cache.snapshot.SnapshotOptions; import org.apache.geode.distributed.DistributedMember; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.distributed.internal.ReplyProcessor21; +import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.LocalRegion; import org.apache.geode.internal.cache.execute.InternalExecution; import org.apache.geode.internal.cache.execute.LocalResultCollector; @@ -150,7 +157,7 @@ public SnapshotOptions<K, V> getOptions() { * * @see FlowController */ - private static class WindowedExportFunction<K, V> implements Function { + private static class WindowedExportFunction<K, V> implements Function, InternalEntity { private static final long serialVersionUID = 1L; // We must keep a ref here since the ProcessorKeeper only has a weak ref. If
geode-core/src/main/java/org/apache/geode/management/internal/beans/QueryDataFunction.java+2 −3 modified@@ -34,7 +34,6 @@ import org.apache.geode.cache.DataPolicy; import org.apache.geode.cache.Region; import org.apache.geode.cache.execute.Function; -import org.apache.geode.cache.execute.FunctionAdapter; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionException; import org.apache.geode.cache.execute.FunctionService; @@ -70,7 +69,7 @@ * DistributedSystemMXBean.queryData() */ @SuppressWarnings({"deprecation", "unchecked"}) -public class QueryDataFunction extends FunctionAdapter implements InternalEntity { +public class QueryDataFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; @@ -487,7 +486,7 @@ private static Set<String> compileQuery(final InternalCache cache, final String /** * Function to gather data locally. This function is required to execute query with region context */ - private class LocalQueryFunction extends FunctionAdapter { + private class LocalQueryFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ExportDataFunction.java+2 −6 modified@@ -18,7 +18,7 @@ import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.snapshot.RegionSnapshotService; import org.apache.geode.cache.snapshot.SnapshotOptions; @@ -33,11 +33,7 @@ * * */ -public class ExportDataFunction extends FunctionAdapter implements InternalEntity { - - /** - * - */ +public class ExportDataFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L; public void execute(FunctionContext context) {
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/FetchRegionAttributesFunction.java+3 −2 modified@@ -20,16 +20,17 @@ import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; import org.apache.geode.cache.RegionAttributes; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; +import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.cli.i18n.CliStrings; /** * * @since GemFire 7.0 */ -public class FetchRegionAttributesFunction extends FunctionAdapter { +public class FetchRegionAttributesFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); private static final long serialVersionUID = 4366812590788342070L;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ImportDataFunction.java+2 −2 modified@@ -18,7 +18,7 @@ import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.snapshot.RegionSnapshotService; import org.apache.geode.cache.snapshot.SnapshotOptions; @@ -31,7 +31,7 @@ * RegionSnapshotService to import the data * */ -public class ImportDataFunction extends FunctionAdapter implements InternalEntity { +public class ImportDataFunction implements Function, InternalEntity { private static final long serialVersionUID = 1L;
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/UserFunctionExecution.java+113 −97 modified@@ -20,6 +20,9 @@ import java.util.Properties; import java.util.Set; +import org.apache.logging.log4j.Logger; +import org.apache.shiro.subject.Subject; + import org.apache.geode.cache.Cache; import org.apache.geode.cache.Region; import org.apache.geode.cache.execute.Execution; 
@@ -31,138 +34,151 @@ import org.apache.geode.internal.ClassPathLoader; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.InternalCache; +import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.security.SecurityService; import org.apache.geode.management.internal.cli.i18n.CliStrings; +import org.apache.geode.security.AuthenticationRequiredException; /** * @since GemFire 7.0 */ public class UserFunctionExecution implements Function<Object[]>, InternalEntity { public static final String ID = UserFunctionExecution.class.getName(); + private static Logger logger = LogService.getLogger(); private static final long serialVersionUID = 1L; @Override public void execute(FunctionContext<Object[]> context) { Cache cache = context.getCache(); DistributedMember member = cache.getDistributedSystem().getDistributedMember(); - try { - String[] functionArgs = null; - Object[] args = context.getArguments(); - if (args == null) { - context.getResultSender().lastResult(new CliFunctionResult(member.getId(), false, - CliStrings.EXECUTE_FUNCTION__MSG__COULD_NOT_RETRIEVE_ARGUMENTS)); - return; - } + String[] functionArgs = null; + Object[] args = context.getArguments(); + if (args == null) { + context.getResultSender().lastResult(new CliFunctionResult(member.getId(), false, + CliStrings.EXECUTE_FUNCTION__MSG__COULD_NOT_RETRIEVE_ARGUMENTS)); + return; + } - String functionId = ((String) args[0]); - String filterString = ((String) args[1]); - String resultCollectorName = ((String) args[2]); - String argumentsString = ((String) args[3]); - String onRegion = ((String) args[4]); - Properties credentials = (Properties) args[5]; + String functionId = ((String) args[0]); + String filterString = ((String) args[1]); + String resultCollectorName = ((String) args[2]); + String argumentsString = ((String) args[3]); + String onRegion = ((String) args[4]); + Properties credentials = (Properties) args[5]; - SecurityService 
securityService = ((InternalCache) context.getCache()).getSecurityService(); + SecurityService securityService = ((InternalCache) context.getCache()).getSecurityService(); + boolean loginNeeded = false; + try { + // if the function is executed on a server with jmx-manager that user is already logged into + // then we do not need to do login/logout here. + Subject subject = securityService.getSubject(); + loginNeeded = subject == null || !subject.isAuthenticated(); + } catch (AuthenticationRequiredException e) { + loginNeeded = true; + } - try { + boolean loginSuccessful = false; + try { + if (loginNeeded) { securityService.login(credentials); + loginSuccessful = true; + } - if (argumentsString != null && argumentsString.length() > 0) { - functionArgs = argumentsString.split(","); - } - Set<String> filters = new HashSet<>(); - ResultCollector resultCollectorInstance = null; - if (resultCollectorName != null && resultCollectorName.length() > 0) { - resultCollectorInstance = (ResultCollector) ClassPathLoader.getLatest() - .forName(resultCollectorName).newInstance(); - } - if (filterString != null && filterString.length() > 0) { - filters.add(filterString); - } + if (argumentsString != null && argumentsString.length() > 0) { + functionArgs = argumentsString.split(","); + } + Set<String> filters = new HashSet<>(); + ResultCollector resultCollectorInstance = null; + if (resultCollectorName != null && resultCollectorName.length() > 0) { + resultCollectorInstance = (ResultCollector) ClassPathLoader.getLatest() + .forName(resultCollectorName).newInstance(); + } + if (filterString != null && filterString.length() > 0) { + filters.add(filterString); + } - Function<?> function = FunctionService.getFunction(functionId); - if (function == null) { - context.getResultSender() - .lastResult(new CliFunctionResult(member.getId(), false, - (CliStrings.format( - CliStrings.EXECUTE_FUNCTION__MSG__DOES_NOT_HAVE_FUNCTION_0_REGISTERED, - functionId)))); - return; - } + Function<?> function 
= FunctionService.getFunction(functionId); + if (function == null) { + context.getResultSender() + .lastResult(new CliFunctionResult(member.getId(), false, + (CliStrings.format( + CliStrings.EXECUTE_FUNCTION__MSG__DOES_NOT_HAVE_FUNCTION_0_REGISTERED, + functionId)))); + return; + } - // security check - function.getRequiredPermissions(onRegion).forEach(securityService::authorize); + // security check + function.getRequiredPermissions(onRegion).forEach(securityService::authorize); - Execution execution = null; - if (onRegion != null && onRegion.length() > 0) { - Region region = cache.getRegion(onRegion); - if (region == null) { - context.getResultSender().lastResult( - new CliFunctionResult(member.getId(), false, onRegion + " does not exist")); - return; - } - execution = FunctionService.onRegion(region); - } else { - execution = FunctionService.onMember(member); - } - - if (execution == null) { - context.getResultSender() - .lastResult(new CliFunctionResult(member.getId(), false, - CliStrings.format( - CliStrings.EXECUTE_FUNCTION__MSG__ERROR_IN_EXECUTING_0_ON_MEMBER_1_ON_REGION_2_DETAILS_3, - functionId, member.getId(), onRegion, - CliStrings.EXECUTE_FUNCTION__MSG__ERROR_IN_RETRIEVING_EXECUTOR))); + Execution execution = null; + if (onRegion != null && onRegion.length() > 0) { + Region region = cache.getRegion(onRegion); + if (region == null) { + context.getResultSender().lastResult( + new CliFunctionResult(member.getId(), false, onRegion + " does not exist")); return; } + execution = FunctionService.onRegion(region); + } else { + execution = FunctionService.onMember(member); + } - if (resultCollectorInstance != null) { - execution = execution.withCollector(resultCollectorInstance); - } + if (execution == null) { + context.getResultSender() + .lastResult(new CliFunctionResult(member.getId(), false, + CliStrings.format( + CliStrings.EXECUTE_FUNCTION__MSG__ERROR_IN_EXECUTING_0_ON_MEMBER_1_ON_REGION_2_DETAILS_3, + functionId, member.getId(), onRegion, + 
CliStrings.EXECUTE_FUNCTION__MSG__ERROR_IN_RETRIEVING_EXECUTOR))); + return; + } - if (functionArgs != null && functionArgs.length > 0) { - execution = execution.setArguments(functionArgs); - } - if (filters.size() > 0) { - execution = execution.withFilter(filters); - } + if (resultCollectorInstance != null) { + execution = execution.withCollector(resultCollectorInstance); + } - List<Object> results = (List<Object>) execution.execute(function.getId()).getResult(); - List<String> resultMessage = new ArrayList<>(); - boolean functionSuccess = true; - - if (results != null) { - for (Object resultObj : results) { - if (resultObj != null) { - if (resultObj instanceof Exception) { - resultMessage.add(((Exception) resultObj).getMessage()); - functionSuccess = false; - } else { - resultMessage.add(resultObj.toString()); - } + if (functionArgs != null && functionArgs.length > 0) { + execution = execution.setArguments(functionArgs); + } + if (filters.size() > 0) { + execution = execution.withFilter(filters); + } + + List<Object> results = (List<Object>) execution.execute(function.getId()).getResult(); + List<String> resultMessage = new ArrayList<>(); + boolean functionSuccess = true; + + if (results != null) { + for (Object resultObj : results) { + if (resultObj != null) { + if (resultObj instanceof Exception) { + resultMessage.add(((Exception) resultObj).getMessage()); + functionSuccess = false; + } else { + resultMessage.add(resultObj.toString()); } } } - context.getResultSender().lastResult( - new CliFunctionResult(member.getId(), functionSuccess, resultMessage.toString())); - - } catch (ClassNotFoundException | IllegalAccessException | InstantiationException e) { - context.getResultSender() - .lastResult(new CliFunctionResult(member.getId(), false, - CliStrings.format( - CliStrings.EXECUTE_FUNCTION__MSG__RESULT_COLLECTOR_0_NOT_FOUND_ERROR_1, - resultCollectorName, e.getMessage()))); - } catch (Exception e) { - context.getResultSender().lastResult( - new 
CliFunctionResult(member.getId(), false, "Exception: " + e.getMessage())); - } finally { - securityService.logout(); } + context.getResultSender().lastResult( + new CliFunctionResult(member.getId(), functionSuccess, resultMessage.toString())); - } catch (Exception ex) { + } catch (ClassNotFoundException | IllegalAccessException | InstantiationException e) { + context.getResultSender() + .lastResult(new CliFunctionResult(member.getId(), false, + CliStrings.format( + CliStrings.EXECUTE_FUNCTION__MSG__RESULT_COLLECTOR_0_NOT_FOUND_ERROR_1, + resultCollectorName, e.getMessage()))); + } catch (Exception e) { + logger.error("error executing function " + functionId, e); context.getResultSender() - .lastResult(new CliFunctionResult(member.getId(), false, ex.getMessage())); + .lastResult(new CliFunctionResult(member.getId(), false, "Exception: " + e.getMessage())); + } finally { + if (loginSuccessful) { + securityService.logout(); + } } }
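Review bot: In execute(), the class named by resultCollectorName is still loaded and instantiated through ClassPathLoader.getLatest().forName(resultCollectorName).newInstance() before the "// security check" line runs function.getRequiredPermissions(onRegion).forEach(securityService::authorize). Move the FunctionService.getFunction lookup and the authorize call ahead of the collector instantiation, so that no caller-named class is constructed for a request that is then refused. Also in this hunk: args[0] through args[5] are cast without checking args.length, and the new logger field should be private static final.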
geode-core/src/main/java/org/apache/geode/management/internal/configuration/functions/GetClusterConfigurationFunction.java+2 −1 modified@@ -34,11 +34,12 @@ import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.distributed.internal.ClusterConfigurationService; import org.apache.geode.distributed.internal.InternalLocator; +import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.internal.configuration.messages.ConfigurationResponse; import org.apache.geode.security.ResourcePermission; -public class GetClusterConfigurationFunction implements Function { +public class GetClusterConfigurationFunction implements Function, InternalEntity { private static final Logger logger = LogService.getLogger(); @Override
geode-core/src/main/java/org/apache/geode/security/ResourcePermission.java+2 −2 modified@@ -145,16 +145,16 @@ public Resource getResource() { if (ALL.equals(resource)) { return Resource.ALL; } - return Resource.valueOf(resource); } /** * Returns the operation, could be either ALL, NULL, MANAGE, WRITE or READ */ public Operation getOperation() { - if (ALL.equals(operation)) + if (ALL.equals(operation)) { return Operation.ALL; + } return Operation.valueOf(operation); }
geode-core/src/test/java/org/apache/geode/internal/cache/execute/FunctionServiceBase.java+6 −3 modified@@ -49,6 +49,7 @@ import org.apache.geode.distributed.DistributedMember; import org.apache.geode.distributed.internal.InternalDistributedSystem; import org.apache.geode.distributed.internal.membership.InternalDistributedMember; +import org.apache.geode.test.dunit.IgnoredException; import org.apache.geode.test.dunit.cache.internal.JUnit4CacheTestCase; /* @@ -126,6 +127,7 @@ public void defaultCollectorReturnsAllIntermediateResults() { @Test() public void defaultCollectorThrowsExceptionAfterFunctionThrowsIllegalState() { + IgnoredException.addIgnoredException("java.lang.IllegalStateException"); // GEODE-1762 - clients throw from execute, but peers throw from rc.getResult thrown.expect(FunctionException.class); // GEODE-1762 - clients wrap cause in a ServerOperationException @@ -163,7 +165,7 @@ public void defaultCollectorThrowsExceptionAfterFunctionReturnsIllegalStateExcep final Object result = rc.getResult(); } - @Test() + @Test public void defaultCollectorThrowsExceptionAfterFunctionReturnsFunctionException() { // GEODE-1762 - clients throw from execute, but peers throw from rc.getResult thrown.expect(FunctionException.class); @@ -174,7 +176,7 @@ public void defaultCollectorThrowsExceptionAfterFunctionReturnsFunctionException final Object result = rc.getResult(); } - @Test() + @Test public void defaultCollectorThrowsExceptionAfterFunctionReturnsIllegalStateExceptionAsIntermediateResult() { // GEODE-1762 - clients throw from execute, but peers throw from rc.getResult // GEODE-1762 - client throws a ServerOperationException 
@@ -188,7 +190,7 @@ public void defaultCollectorThrowsExceptionAfterFunctionReturnsIllegalStateExcep final Object result = rc.getResult(); } - @Test() + @Test public void defaultCollectorThrowsExceptionAfterFunctionReturnsFunctionExceptionAsIntermediateResult() { // GEODE-1762 - clients throw from execute, but peers throw from rc.getResult thrown.expect(FunctionException.class); @@ -224,6 +226,7 @@ public void defaultCollectorReturnsResultOfSendFunctionException() { @Test public void customCollectorDoesNotSeeExceptionFunctionThrowsIllegalState() { // GEODE-1762 - clients throw from execute, but peers throw from rc.getResult + IgnoredException.addIgnoredException("java.lang.IllegalStateException"); try { ResultCollector rc = getExecution().withCollector(customCollector).execute((context) -> { throw new IllegalStateException();
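Review bot: IgnoredException.addIgnoredException("java.lang.IllegalStateException"), added to defaultCollectorThrowsExceptionAfterFunctionThrowsIllegalState and customCollectorDoesNotSeeExceptionFunctionThrowsIllegalState, matches every IllegalStateException logged while the test runs, not only the one the lambda throws, and the returned handle is never removed in these hunks. Keep the returned IgnoredException and call remove() in a finally block, or throw the exception with a distinctive message and ignore that string instead.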
geode-core/src/test/java/org/apache/geode/internal/cache/functions/TestFunction.java+2 −2 modified@@ -36,7 +36,7 @@ import org.apache.geode.cache.control.RebalanceOperation; import org.apache.geode.cache.control.RebalanceResults; import org.apache.geode.cache.control.ResourceManager; -import org.apache.geode.cache.execute.FunctionAdapter; +import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionInvocationTargetException; import org.apache.geode.cache.execute.RegionFunctionContext; @@ -56,7 +56,7 @@ import org.apache.geode.test.dunit.Wait; import org.apache.geode.test.dunit.WaitCriterion; -public class TestFunction extends FunctionAdapter implements Declarable2, DataSerializable { +public class TestFunction implements Function, Declarable2, DataSerializable { public static final String TEST_FUNCTION10 = "TestFunction10"; public static final String TEST_FUNCTION9 = "TestFunction9"; public static final String TEST_FUNCTION8 = "TestFunction8";
geode-core/src/test/java/org/apache/geode/security/ClientExecuteFunctionAuthDUnitTest.java+46 −55 modified@@ -16,92 +16,83 @@ import static org.apache.geode.cache.execute.FunctionService.onServer; import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_MANAGER; -import static org.apache.geode.security.SecurityTestUtil.assertNotAuthorized; -import static org.apache.geode.security.SecurityTestUtil.createClientCache; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; import java.util.ArrayList; +import java.util.Properties; -import org.junit.Before; -import org.junit.Rule; +import org.junit.BeforeClass; +import org.junit.ClassRule; import org.junit.Test; import org.junit.experimental.categories.Category; +import org.apache.geode.cache.RegionShortcut; import org.apache.geode.cache.client.ClientCache; import org.apache.geode.cache.execute.Function; -import org.apache.geode.cache.execute.FunctionService; import org.apache.geode.cache.execute.ResultCollector; import org.apache.geode.management.internal.security.TestFunctions.ReadFunction; import org.apache.geode.management.internal.security.TestFunctions.WriteFunction; -import org.apache.geode.test.dunit.Host; -import org.apache.geode.test.dunit.VM; -import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase; +import org.apache.geode.test.dunit.rules.ClientVM; +import org.apache.geode.test.dunit.rules.ClusterStartupRule; +import org.apache.geode.test.dunit.rules.MemberVM; import org.apache.geode.test.junit.categories.DistributedTest; import org.apache.geode.test.junit.categories.SecurityTest; -import org.apache.geode.test.junit.rules.ServerStarterRule; +import org.apache.geode.test.junit.rules.VMProvider; @Category({DistributedTest.class, SecurityTest.class}) -public class ClientExecuteFunctionAuthDUnitTest extends JUnit4DistributedTestCase { - final Host host = Host.getHost(0); - final VM client1 = host.getVM(1); - 
final VM client2 = host.getVM(2); - - private Function writeFunction; - private Function readFunction; - - @Rule - public ServerStarterRule server = new ServerStarterRule() - .withProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName()).withAutoStart(); - - @Before - public void before() { - writeFunction = new WriteFunction(); - readFunction = new ReadFunction(); - FunctionService.registerFunction(writeFunction); - FunctionService.registerFunction(readFunction); +public class ClientExecuteFunctionAuthDUnitTest { + private static Function writeFunction; + private static Function readFunction; + + private static MemberVM server; + private static ClientVM client1, client2; + + @ClassRule + public static ClusterStartupRule cluster = new ClusterStartupRule(); + + @BeforeClass + public static void beforeClass() throws Exception { + Properties properties = new Properties(); + properties.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName()); + server = cluster.startServerVM(0, properties); + + server.invoke(() -> { + ClusterStartupRule.getCache().createRegionFactory(RegionShortcut.REPLICATE).create("region"); + }); + client1 = cluster.startClientVM(1, "dataRead", "dataRead", true, server.getPort()); + client2 = cluster.startClientVM(2, "dataWrite", "dataWrite", true, server.getPort()); + + VMProvider.invokeInEveryMember(() -> { + writeFunction = new WriteFunction(); + readFunction = new ReadFunction(); + }, server, client1, client2); } @Test - public void testExecuteFunctionWithClientRegistration() { - client1.invoke("logging in with dataReader", () -> { - ClientCache cache = createClientCache("dataRead", "dataRead", server.getPort()); - - FunctionService.registerFunction(writeFunction); - FunctionService.registerFunction(readFunction); + public void testExecuteFunctionWithFunctionObject() throws Exception { + client1.invoke(() -> { + ClientCache cache = ClusterStartupRule.getClientCache(); // can not write - assertNotAuthorized(() -> 
onServer(cache.getDefaultPool()).execute(writeFunction.getId()), - "DATA:WRITE"); + assertThatThrownBy(() -> onServer(cache.getDefaultPool()).execute(writeFunction)) + .hasMessageContaining("DATA:WRITE"); // can read - ResultCollector rc = onServer(cache.getDefaultPool()).execute(readFunction.getId()); + ResultCollector rc = onServer(cache.getDefaultPool()).execute(readFunction); assertThat(((ArrayList) rc.getResult()).get(0)).isEqualTo(ReadFunction.SUCCESS_OUTPUT); }); - client2.invoke("logging in with dataWriter", () -> { - ClientCache cache = createClientCache("dataWrite", "dataWrite", server.getPort()); - - FunctionService.registerFunction(writeFunction); - FunctionService.registerFunction(readFunction); + client2.invoke(() -> { + ClientCache cache = ClusterStartupRule.getClientCache(); // can write - ResultCollector rc = onServer(cache.getDefaultPool()).execute(writeFunction.getId()); + ResultCollector rc = onServer(cache.getDefaultPool()).execute(writeFunction); assertThat(((ArrayList) rc.getResult()).get(0)).isEqualTo(WriteFunction.SUCCESS_OUTPUT); // can not read - assertNotAuthorized(() -> onServer(cache.getDefaultPool()).execute(readFunction.getId()), - "DATA:READ"); - }); - } - - @Test - // this would trigger the client to send a GetFunctionAttribute command before executing it - public void testExecuteFunctionWithOutClientRegistration() { - client1.invoke("logging in with dataReader", () -> { - ClientCache cache = createClientCache("dataRead", "dataRead", server.getPort()); - assertNotAuthorized(() -> onServer(cache.getDefaultPool()).execute(writeFunction.getId()), - "DATA:WRITE"); + assertThatThrownBy(() -> onServer(cache.getDefaultPool()).execute(readFunction)) + .hasMessageContaining("DATA:READ"); }); } - }
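Review bot: The removed testExecuteFunctionWithOutClientRegistration carried the comment "this would trigger the client to send a GetFunctionAttribute command before executing it", and the remaining test now calls execute(writeFunction) and execute(readFunction) with function objects only, so execution by id against a secured server is no longer exercised in this class. Keep one case that executes writeFunction.getId() for a function registered only on the server and asserts the DATA:WRITE refusal for the dataRead client. Minor: assertThatThrownBy(...).hasMessageContaining("DATA:WRITE") passes for any exception type; add an isInstanceOf check for the expected authorization exception.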
geode-core/src/test/java/org/apache/geode/test/junit/assertions/CommandResultAssert.java+2 −1 modified@@ -243,7 +243,8 @@ public CommandResultAssert tableHasColumnWithValuesContaining(String header, Arrays.stream(expectedValues).anyMatch(actualValueString::contains); if (!actualValueContainsAnExpectedValue) { - failWithMessage("Found unexpected value: " + actualValue); + failWithMessage( + "Expecting: " + Arrays.toString(expectedValues) + ", but found: " + actualValue); } }
geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java+53 −392 modified@@ -15,26 +15,17 @@ package org.apache.geode.cache.lucene.test; -import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_MANAGE; -import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_READ; -import static org.assertj.core.api.Assertions.assertThat; -import static org.mockito.ArgumentMatchers.any; +import java.util.HashMap; +import java.util.Map; -import java.util.function.Predicate; - -import org.assertj.core.api.Condition; import org.junit.BeforeClass; import org.junit.ClassRule; import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; -import org.mockito.Mockito; -import org.mockito.invocation.InvocationOnMock; -import org.mockito.stubbing.Answer; import org.apache.geode.cache.RegionShortcut; import org.apache.geode.cache.execute.Function; -import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.FunctionService; import org.apache.geode.cache.lucene.internal.cli.functions.LuceneCreateIndexFunction; import org.apache.geode.cache.lucene.internal.cli.functions.LuceneDescribeIndexFunction; 
@@ -45,11 +36,7 @@ import org.apache.geode.cache.lucene.internal.distributed.LuceneQueryFunction; import org.apache.geode.cache.lucene.internal.distributed.WaitUntilFlushedFunction; import org.apache.geode.cache.lucene.internal.results.LuceneGetPageFunction; -import org.apache.geode.cache.lucene.internal.security.LucenePermission; import org.apache.geode.examples.SimpleSecurityManager; -import org.apache.geode.security.ResourcePermission; -import org.apache.geode.security.ResourcePermission.Operation; -import org.apache.geode.security.ResourcePermission.Resource; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; import org.apache.geode.test.junit.rules.ConnectionConfiguration; 
@@ -58,413 +45,87 @@ @Category({IntegrationTest.class, SecurityTest.class}) public class LuceneFunctionSecurityTest { - // Note: this region name is embedded below in several @ConnectionConfiguration inputs, - // which is itself case-sensitive in parsing. - private static String regionName = "this_test_region"; - - private static ResourcePermission CLUSTER_MANAGE_LUCENE = - new ResourcePermission(Resource.CLUSTER, Operation.MANAGE, LucenePermission.TARGET); - private static ResourcePermission CLUSTER_READ_LUCENE = - new ResourcePermission(Resource.CLUSTER, Operation.READ, LucenePermission.TARGET); - private static ResourcePermission DATA_READ_REGION = - new ResourcePermission(Resource.DATA, Operation.READ, regionName); - - private static Function luceneCreateIndexFunction = Mockito.spy(new LuceneCreateIndexFunction()); - private static Function luceneDescribeIndexFunction = - Mockito.spy(new LuceneDescribeIndexFunction()); - private static Function luceneDestroyIndexFunction = - Mockito.spy(new LuceneDestroyIndexFunction()); - private static Function luceneListIndexFunction = Mockito.spy(new LuceneListIndexFunction()); - private static Function luceneSearchIndexFunction = Mockito.spy(new LuceneSearchIndexFunction()); - private static Function dumpDirectoryFiles = Mockito.spy(new DumpDirectoryFiles()); - private static Function luceneQueryFunction = Mockito.spy(new LuceneQueryFunction()); - private static Function waitUntilFlushedFunction = Mockito.spy(new WaitUntilFlushedFunction()); - private static Function luceneGetPageFunction = Mockito.spy(new LuceneGetPageFunction()); - - static { - Mockito.doAnswer(callLastResult()).when(luceneCreateIndexFunction).execute(any()); - Mockito.doAnswer(callLastResult()).when(luceneDescribeIndexFunction).execute(any()); - Mockito.doAnswer(callLastResult()).when(luceneDestroyIndexFunction).execute(any()); - Mockito.doAnswer(callLastResult()).when(luceneListIndexFunction).execute(any()); - 
Mockito.doAnswer(callLastResult()).when(luceneSearchIndexFunction).execute(any()); - Mockito.doAnswer(callLastResult()).when(dumpDirectoryFiles).execute(any()); - Mockito.doAnswer(callLastResult()).when(luceneQueryFunction).execute(any()); - Mockito.doAnswer(callLastResult()).when(waitUntilFlushedFunction).execute(any()); - Mockito.doAnswer(callLastResult()).when(luceneGetPageFunction).execute(any()); - } - - // The FunctionService requires a lastResult to be produced - private static Answer<Void> callLastResult() { - return invocation -> { - FunctionContext context = invocation.getArgument(0); - context.getResultSender().lastResult(null); - return null; - }; - } + private static final String RESULT_HEADER = "Function Execution Result"; @ClassRule public static ServerStarterRule server = new ServerStarterRule().withJMXManager().withSecurityManager(SimpleSecurityManager.class) - .withRegion(RegionShortcut.PARTITION, regionName).withAutoStart(); + .withRegion(RegionShortcut.PARTITION, "testRegion").withAutoStart(); @Rule public GfshCommandRule gfsh = new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager); + private static Map<Function, String> functionStringMap = new HashMap<>(); + @BeforeClass public static void setupClass() { - FunctionService.registerFunction(luceneCreateIndexFunction); - FunctionService.registerFunction(luceneDescribeIndexFunction); - FunctionService.registerFunction(luceneDestroyIndexFunction); - FunctionService.registerFunction(luceneListIndexFunction); - FunctionService.registerFunction(luceneSearchIndexFunction); - FunctionService.registerFunction(dumpDirectoryFiles); - FunctionService.registerFunction(luceneQueryFunction); - FunctionService.registerFunction(waitUntilFlushedFunction); - FunctionService.registerFunction(luceneGetPageFunction); - } - - /* Command authorized tests */ - @Test - @ConnectionConfiguration(user = "clusterManageLucene", password = "clusterManageLucene") - public void 
testValidPermissionsForLuceneCreateIndexFunction() { - Function thisFunction = luceneCreateIndexFunction; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "clusterReadLucene", password = "clusterReadLucene") - public void testValidPermissionsForLuceneDescribeIndexFunction() { - Function thisFunction = luceneDescribeIndexFunction; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "clusterManageLucene", password = "clusterManageLucene") - public void testValidPermissionsForLuceneDestroyIndexFunction() { - Function thisFunction = luceneDestroyIndexFunction; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "clusterReadLucene", password = "clusterReadLucene") - public void testValidPermissionsForLuceneListIndexFunction() { - Function thisFunction = luceneListIndexFunction; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "dataReadThis_test_region,clusterManage", - password = "dataReadThis_test_region,clusterManage") - public void testValidPermissionsForDumpDirectoryFilesWithRegionParameter() { - Function thisFunction = dumpDirectoryFiles; - - gfsh.executeAndAssertThat( - "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "dataRead,clusterManage", password = "dataRead,clusterManage") - public void testValidPermissionsForDumpDirectoryFilesWithoutRegionParameter() { - Function 
thisFunction = dumpDirectoryFiles; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } + functionStringMap.put(new LuceneCreateIndexFunction(), "CLUSTER:MANAGE:LUCENE"); + functionStringMap.put(new LuceneDescribeIndexFunction(), "CLUSTER:READ:LUCENE"); + functionStringMap.put(new LuceneDestroyIndexFunction(), "CLUSTER:MANAGE:LUCENE"); + functionStringMap.put(new LuceneListIndexFunction(), "CLUSTER:READ:LUCENE"); + functionStringMap.put(new LuceneSearchIndexFunction(), "DATA:READ:testRegion"); + functionStringMap.put(new LuceneQueryFunction(), "DATA:READ:testRegion"); + functionStringMap.put(new WaitUntilFlushedFunction(), "DATA:READ:testRegion"); + functionStringMap.put(new LuceneGetPageFunction(), "DATA:READ:testRegion"); - - @Test - @ConnectionConfiguration(user = "dataRead", password = "dataRead") - public void testValidPermissionsForLuceneSearchIndexFunctionWithoutRegionParameter() { - Function thisFunction = luceneSearchIndexFunction; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); + functionStringMap.keySet().forEach(FunctionService::registerFunction); + FunctionService.registerFunction(new DumpDirectoryFiles()); } @Test - @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") - public void testValidPermissionsForLuceneSearchIndexFunctionWithRegionParameter() { - Function thisFunction = luceneSearchIndexFunction; - - gfsh.executeAndAssertThat( - "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "dataRead", password = "dataRead") - public void testValidPermissionsForLuceneQueryFunctionWithoutRegionParameter() { - Function thisFunction = luceneQueryFunction; - - 
gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") - public void testValidPermissionsForLuceneQueryFunctionWithRegionParameter() { - Function thisFunction = luceneQueryFunction; - - gfsh.executeAndAssertThat( - "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "dataRead", password = "dataRead") - public void testValidPermissionsForWaitUntilFlushedFunctionWithoutRegionParameter() { - Function thisFunction = waitUntilFlushedFunction; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") - public void testValidPermissionsForWaitUntilFlushedFunctionWithRegionParameter() { - Function thisFunction = waitUntilFlushedFunction; - - gfsh.executeAndAssertThat( - "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "dataRead", password = "dataRead") - public void testValidPermissionsForLuceneGetPageFunctionWithoutRegionParameter() { - Function thisFunction = luceneGetPageFunction; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - @Test - @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") - public void testValidPermissionsForLuceneGetPageFunctionWithRegionParameter() { - Function thisFunction = luceneGetPageFunction; - - gfsh.executeAndAssertThat( - "execute 
function --region=" + regionName + " --id=" + thisFunction.getId()) - .doesNotContainOutput("not authorized for").statusIsSuccess(); - } - - - /* Command refused tests */ - @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneCreateIndexFunction() { - Function thisFunction = luceneCreateIndexFunction; - ResourcePermission thisRequiredPermission = CLUSTER_MANAGE_LUCENE; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneDescribeIndexFunction() { - Function thisFunction = luceneDescribeIndexFunction; - ResourcePermission thisRequiredPermission = CLUSTER_READ_LUCENE; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneDestroyIndexFunction() { - Function thisFunction = luceneDestroyIndexFunction; - ResourcePermission thisRequiredPermission = CLUSTER_MANAGE_LUCENE; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneListIndexFunction() { - Function thisFunction = luceneListIndexFunction; - ResourcePermission thisRequiredPermission = CLUSTER_READ_LUCENE; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); - } - - 
@Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_noPermission() - throws Exception { - Function thisFunction = dumpDirectoryFiles; - - Predicate<String> notAuthForDataRead = - s -> s.contains("not authorized for " + DATA_READ.toString()); - Predicate<String> notAuthForClusterManage = - s -> s.contains("not authorized for " + CLUSTER_MANAGE.toString()); - Predicate<String> notAuthForSomePermission = - s -> notAuthForDataRead.test(s) || notAuthForClusterManage.test(s); - - String output = gfsh.execute("execute function --id=" + thisFunction.getId()); - - Condition<String> containsSomeAuthFailure = new Condition<>(notAuthForSomePermission, - "not authorized for for [DATA:MANAGE|CLUSTER:MANAGE]", output); - assertThat(output).has(containsSomeAuthFailure); - } - - @Test - @ConnectionConfiguration(user = "dataRead", password = "dataRead") - public void testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_withDataRead() { - Function thisFunction = dumpDirectoryFiles; - ResourcePermission thisMissingPermission = CLUSTER_MANAGE; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsError(); + @ConnectionConfiguration(user = "user", password = "user") + public void functionRequireExpectedPermission() throws Exception { + functionStringMap.entrySet().stream().forEach(entry -> { + Function function = entry.getKey(); + String permission = entry.getValue(); + gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + function.getId()) + .tableHasRowCount(RESULT_HEADER, 1) + .tableHasColumnWithValuesContaining(RESULT_HEADER, permission).statusIsError(); + }); } + // use DumpDirectoryFile function to verify that all the permissions returned by the + // getRequiredPermission are all enforced before trying to execute @Test 
@ConnectionConfiguration(user = "clusterManage", password = "clusterManage") - public void testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_withClusterManage() { - Function thisFunction = dumpDirectoryFiles; - ResourcePermission thisMissingPermission = DATA_READ; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsError(); + public void dumpDirectoryFileRequiresBoth_AsClusterManage() { + gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) + .tableHasRowCount(RESULT_HEADER, 1) + .tableHasColumnWithValuesContaining(RESULT_HEADER, "DATA:READ:testRegion").statusIsError(); } @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_noPermission() - throws Exception { - Function thisFunction = dumpDirectoryFiles; - - Predicate<String> notAuthForDataReadRegion = - s -> s.contains("not authorized for " + DATA_READ_REGION.toString()); - Predicate<String> notAuthForClusterManage = - s -> s.contains("not authorized for " + CLUSTER_MANAGE.toString()); - Predicate<String> notAuthForSomePermission = - s -> notAuthForDataReadRegion.test(s) || notAuthForClusterManage.test(s); - - String output = - gfsh.execute("execute function --region=" + regionName + " --id=" + thisFunction.getId()); - - Condition<String> containsSomeAuthFailure = - new Condition<>(notAuthForSomePermission, "D:R or C:M:L auth failure", output); - assertThat(output).has(containsSomeAuthFailure); - } - - @Test - @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") - public void testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_withDataReadRegion() { - Function thisFunction = dumpDirectoryFiles; - ResourcePermission thisMissingPermission = CLUSTER_MANAGE; - - gfsh.executeAndAssertThat( 
- "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "clusterManage", password = "clusterManage") - public void testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_withClusterManage() { - Function thisFunction = dumpDirectoryFiles; - ResourcePermission thisMissingPermission = DATA_READ; - - gfsh.executeAndAssertThat( - "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsError(); - } - - - @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneSearchIndexFunctionWithoutRegionParameter() { - Function thisFunction = luceneSearchIndexFunction; - ResourcePermission thisRequiredPermission = DATA_READ; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneSearchIndexFunctionWithRegionParameter() { - Function thisFunction = luceneSearchIndexFunction; - ResourcePermission thisRequiredPermission = DATA_READ_REGION; - - gfsh.executeAndAssertThat( - "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneQueryFunctionWithoutRegionParameter() { - Function thisFunction = luceneQueryFunction; - ResourcePermission thisRequiredPermission = DATA_READ; - - gfsh.executeAndAssertThat("execute function --id=" + 
thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneQueryFunctionWithRegionParameter() { - Function thisFunction = luceneQueryFunction; - ResourcePermission thisRequiredPermission = DATA_READ_REGION; - - gfsh.executeAndAssertThat( - "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); - } - - @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForWaitUntilFlushedFunctionWithoutRegionParameter() { - Function thisFunction = waitUntilFlushedFunction; - ResourcePermission thisRequiredPermission = DATA_READ; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); + @ConnectionConfiguration(user = "dataRead", password = "dataRead") + public void dumpDirectoryFileRequiresBoth_AsDataRead() { + gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) + .tableHasRowCount(RESULT_HEADER, 1) + .tableHasColumnWithValuesContaining(RESULT_HEADER, "CLUSTER:MANAGE").statusIsError(); } @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForWaitUntilFlushedFunctionWithRegionParameter() { - Function thisFunction = waitUntilFlushedFunction; - ResourcePermission thisRequiredPermission = DATA_READ_REGION; - - gfsh.executeAndAssertThat( - "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); + @ConnectionConfiguration(user = "clusterManage,dataReadRegionB", + password = 
"clusterManage,dataReadRegionB") + public void dumpDirectoryFileRequiresBoth_dataReadAnotherRegion() { + gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) + .tableHasRowCount(RESULT_HEADER, 1) + .tableHasColumnWithValuesContaining(RESULT_HEADER, "DATA:READ:testRegion").statusIsError(); } @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneGetPageFunctionWithoutRegionParameter() { - Function thisFunction = luceneGetPageFunction; - ResourcePermission thisRequiredPermission = DATA_READ; - - gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); + @ConnectionConfiguration(user = "clusterManage,dataReadTestRegionA", + password = "clusterManage,dataReadTestRegionA") + public void dumpDirectoryFileRequiresBoth_dataReadInsufficient() { + gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) + .tableHasRowCount(RESULT_HEADER, 1) + .tableHasColumnWithValuesContaining(RESULT_HEADER, "DATA:READ:testRegion").statusIsError(); } @Test - @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") - public void testInvalidPermissionsForLuceneGetPageFunctionWithRegionParameter() { - Function thisFunction = luceneGetPageFunction; - ResourcePermission thisRequiredPermission = DATA_READ_REGION; - - gfsh.executeAndAssertThat( - "execute function --region=" + regionName + " --id=" + thisFunction.getId()) - .containsOutput("not authorized for " + thisRequiredPermission.toString()).statusIsError(); + @ConnectionConfiguration(user = "clusterManage,dataReadTestRegion", + password = "clusterManage,dataReadTestRegion") + public void dumpDirectoryFileRequiresBoth_validUser() { + gfsh.executeAndAssertThat("execute function --region=testRegion --id=" + DumpDirectoryFiles.ID) + 
.tableHasRowCount(RESULT_HEADER, 1).doesNotContainOutput("not authorized").statusIsError(); } }
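Review bot: In dumpDirectoryFileRequiresBoth_validUser the user holding clusterManage and dataReadTestRegion is checked with doesNotContainOutput("not authorized").statusIsError(), so the test named for the valid user passes only when the command fails, and any unrelated failure would satisfy it too. Add a comment stating which error is expected once authorization succeeds, or assert on that message. The rewrite also removes every statusIsSuccess() case and every run without --region, and functionRequireExpectedPermission loops over all functions inside a single test as user "user", so the first failing function hides the rest; a parameterized test plus at least one positive case per permission would keep the earlier coverage.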
49d28f93fd2e GEODE-3974: Improve permissions for geode-connectors functions (#1265)
12 files changed · +256 −0
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/AlterConnectionFunction.java+9 −0 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; import java.util.Map; import org.apache.geode.annotations.Experimental; @@ -23,6 +25,8 @@ import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class AlterConnectionFunction @@ -86,4 +90,9 @@ private CliFunctionResult createSuccessResult(String connectionName, String memb String message = "Altered JDBC connection " + connectionName + " on " + member; return new CliFunctionResult(member, xmlEntity, message); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); + } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/AlterMappingFunction.java+9 −0 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; import java.util.Map; import org.apache.geode.annotations.Experimental; @@ -23,6 +25,8 @@ import org.apache.geode.connectors.jdbc.internal.RegionMappingNotFoundException; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class AlterMappingFunction extends JdbcCliFunction<RegionMapping, CliFunctionResult> { @@ -84,4 +88,9 @@ private CliFunctionResult createSuccessResult(String connectionName, String memb String message = "Altered JDBC connection " + connectionName + " on " + member; return new CliFunctionResult(member, xmlEntity, message); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); + } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/CreateConnectionFunction.java+10 −0 modified@@ -14,13 +14,18 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.ConnectionConfigExistsException; import org.apache.geode.connectors.jdbc.internal.ConnectionConfiguration; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class CreateConnectionFunction @@ -53,4 +58,9 @@ private CliFunctionResult createSuccessResult(String connectionName, String memb String message = "Created JDBC connection " + connectionName + " on " + member; return new CliFunctionResult(member, xmlEntity, message); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); + } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/CreateMappingFunction.java+10 −0 modified@@ -14,13 +14,18 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.connectors.jdbc.internal.RegionMapping; import org.apache.geode.connectors.jdbc.internal.RegionMappingExistsException; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class CreateMappingFunction extends JdbcCliFunction<RegionMapping, CliFunctionResult> { @@ -57,4 +62,9 @@ private CliFunctionResult createSuccessResult(String regionName, String member, String message = "Created JDBC mapping for region " + regionName + " on " + member; return new CliFunctionResult(member, xmlEntity, message); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); + } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/DescribeConnectionFunction.java+10 −0 modified@@ -14,10 +14,15 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.ConnectionConfiguration; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class DescribeConnectionFunction extends JdbcCliFunction<String, ConnectionConfiguration> { @@ -31,4 +36,9 @@ ConnectionConfiguration getFunctionResult(JdbcConnectorService service, FunctionContext<String> context) { return service.getConnectionConfig(context.getArguments()); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_READ); + } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/DescribeMappingFunction.java+10 −0 modified@@ -14,10 +14,15 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.connectors.jdbc.internal.RegionMapping; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class DescribeMappingFunction extends JdbcCliFunction<String, RegionMapping> { @@ -30,4 +35,9 @@ public class DescribeMappingFunction extends JdbcCliFunction<String, RegionMappi RegionMapping getFunctionResult(JdbcConnectorService service, FunctionContext<String> context) { return service.getMappingForRegion(context.getArguments()); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_READ); + } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/DestroyConnectionFunction.java+10 −0 modified@@ -14,12 +14,17 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.ConnectionConfiguration; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class DestroyConnectionFunction extends JdbcCliFunction<String, CliFunctionResult> { @@ -76,4 +81,9 @@ private CliFunctionResult createNotFoundResult(String member, String connectionN String message = "Connection named \"" + connectionName + "\" not found"; return new CliFunctionResult(member, false, message); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); + } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/DestroyMappingFunction.java+10 −0 modified@@ -14,12 +14,17 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.connectors.jdbc.internal.RegionMapping; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class DestroyMappingFunction extends JdbcCliFunction<String, CliFunctionResult> { @@ -76,4 +81,9 @@ private CliFunctionResult createNotFoundResult(String member, String regionName) String message = "Region mapping for region \"" + regionName + "\" not found"; return new CliFunctionResult(member, false, message); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); + } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/JdbcCliFunction.java+10 −0 modified@@ -14,12 +14,17 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.internal.InternalEntity; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public abstract class JdbcCliFunction<T1, T2> implements Function<T1>, InternalEntity { @@ -54,6 +59,11 @@ public void execute(FunctionContext<T1> context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_READ); + } + String getMember(FunctionContext<T1> context) { return argumentProvider.getMember(context); }
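Review bot: The base-class default in JdbcCliFunction.getRequiredPermissions is the weaker of the two permissions used in this change (CLUSTER_READ), so any future mutating subclass that forgets to override it is guarded only by read access. Consider defaulting to ResourcePermissions.CLUSTER_MANAGE, or declaring the method abstract so each subclass must state its permission explicitly. With the current default, the overrides in DescribeMappingFunction, ListConnectionFunction and ListMappingFunction return the same value as the parent and add nothing. The regionName parameter is unused here, which deserves a one-line comment.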
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/ListConnectionFunction.java+9 −0 modified@@ -14,12 +14,16 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; import java.util.Set; import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.ConnectionConfiguration; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class ListConnectionFunction extends JdbcCliFunction<Void, ConnectionConfiguration[]> { @@ -42,4 +46,9 @@ ConnectionConfiguration[] getConnectionConfigAsArray(JdbcConnectorService servic private Set<ConnectionConfiguration> getConnectionConfigs(JdbcConnectorService service) { return service.getConnectionConfigs(); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_READ); + } }
geode-connectors/src/main/java/org/apache/geode/connectors/jdbc/internal/cli/ListMappingFunction.java+9 −0 modified@@ -14,12 +14,16 @@ */ package org.apache.geode.connectors.jdbc.internal.cli; +import java.util.Collection; +import java.util.Collections; import java.util.Set; import org.apache.geode.annotations.Experimental; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; import org.apache.geode.connectors.jdbc.internal.RegionMapping; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; @Experimental public class ListMappingFunction extends JdbcCliFunction<Void, RegionMapping[]> { @@ -41,4 +45,9 @@ RegionMapping[] getRegionMappingsAsArray(JdbcConnectorService service) { private Set<RegionMapping> getRegionMappings(JdbcConnectorService service) { return service.getRegionMappings(); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_READ); + } }
geode-connectors/src/test/java/org/apache/geode/connectors/jdbc/internal/cli/JDBCConnectorFunctionsSecurityTest.java+150 −0 added@@ -0,0 +1,150 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package org.apache.geode.connectors.jdbc.internal.cli; + +import org.junit.BeforeClass; +import org.junit.ClassRule; +import org.junit.Rule; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +import org.apache.geode.cache.execute.Function; +import org.apache.geode.cache.execute.FunctionContext; +import org.apache.geode.cache.execute.FunctionService; +import org.apache.geode.connectors.jdbc.internal.JdbcConnectorService; +import org.apache.geode.examples.SimpleSecurityManager; +import org.apache.geode.management.internal.cli.functions.CliFunctionResult; +import org.apache.geode.test.junit.categories.IntegrationTest; +import org.apache.geode.test.junit.rules.ConnectionConfiguration; +import org.apache.geode.test.junit.rules.GfshCommandRule; +import org.apache.geode.test.junit.rules.ServerStarterRule; + +class InheritsDefaultPermissionsJDBCFunction extends JdbcCliFunction<String, CliFunctionResult> { + + InheritsDefaultPermissionsJDBCFunction() { + super(new FunctionContextArgumentProvider(), new 
ExceptionHandler()); + } + + @Override + CliFunctionResult getFunctionResult(JdbcConnectorService service, + FunctionContext<String> context) { + return new CliFunctionResult(); + } +} + + +@Category({IntegrationTest.class, SecurityException.class}) +public class JDBCConnectorFunctionsSecurityTest { + + private static Function alterConnectionFunction = new AlterConnectionFunction(); + private static Function alterMappingFunction = new AlterMappingFunction(); + private static Function createConnectionFunction = new CreateConnectionFunction(); + private static Function createMappingFunction = new CreateMappingFunction(); + private static Function describeConnectionFunction = new DescribeConnectionFunction(); + private static Function describeMappingFunction = new DescribeMappingFunction(); + private static Function destroyConnectionFunction = new DestroyConnectionFunction(); + private static Function destroyMappingFunction = new DestroyMappingFunction(); + private static Function listConnectionFunction = new ListConnectionFunction(); + private static Function listMappingFunction = new ListMappingFunction(); + private static Function inheritsDefaultPermissionsFunction = + new InheritsDefaultPermissionsJDBCFunction(); + + @ClassRule + public static ServerStarterRule server = new ServerStarterRule().withJMXManager() + .withSecurityManager(SimpleSecurityManager.class).withAutoStart(); + + @Rule + public GfshCommandRule gfsh = + new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager); + + @BeforeClass + public static void setupClass() { + FunctionService.registerFunction(alterConnectionFunction); + FunctionService.registerFunction(alterMappingFunction); + FunctionService.registerFunction(createConnectionFunction); + FunctionService.registerFunction(createMappingFunction); + FunctionService.registerFunction(describeConnectionFunction); + FunctionService.registerFunction(describeMappingFunction); + 
FunctionService.registerFunction(destroyConnectionFunction); + FunctionService.registerFunction(destroyMappingFunction); + FunctionService.registerFunction(listConnectionFunction); + FunctionService.registerFunction(listMappingFunction); + FunctionService.registerFunction(inheritsDefaultPermissionsFunction); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForAlterConnectionFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + alterConnectionFunction.getId()) + .containsOutput("not authorized for CLUSTER:MANAGE").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForAlterMappingFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + alterMappingFunction.getId()) + .containsOutput("not authorized for CLUSTER:MANAGE").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForCreateConnectionFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + createConnectionFunction.getId()) + .containsOutput("not authorized for CLUSTER:MANAGE").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForCreateMappingFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + createMappingFunction.getId()) + .containsOutput("not authorized for CLUSTER:MANAGE").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForDescribeConnectionFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + describeConnectionFunction.getId()) + .containsOutput("not authorized for CLUSTER:READ").statusIsSuccess(); + } + + @Test + 
@ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForDescribeMappingFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + describeMappingFunction.getId()) + .containsOutput("not authorized for CLUSTER:READ").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForDestroyConnectionFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + destroyConnectionFunction.getId()) + .containsOutput("not authorized for CLUSTER:MANAGE").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForDestroyMappingFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + destroyMappingFunction.getId()) + .containsOutput("not authorized for CLUSTER:MANAGE").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForFunctionInheritingDefaultPermissions() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + inheritsDefaultPermissionsFunction.getId()) + .containsOutput("not authorized for CLUSTER:READ").statusIsSuccess(); + } +}
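Review bot: The class annotation in JDBCConnectorFunctionsSecurityTest reads @Category({IntegrationTest.class, SecurityException.class}); SecurityException is the java.lang exception type, not a test category, so this suite will not be selected by a run filtered on the security category. It should presumably be SecurityTest.class from org.apache.geode.test.junit.categories, with the matching import added. Separately, every case connects as dataWrite and asserts only the refusal message; there is no case showing that a user holding CLUSTER:MANAGE or CLUSTER:READ is accepted, so an override that demanded too much would pass unnoticed.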
740289c61d60 GEODE-3974: Improve permissions for geode-lucene functions
10 files changed · +560 −8
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java+13 −1 modified@@ -18,6 +18,9 @@ import static org.apache.geode.cache.lucene.internal.LuceneServiceImpl.validateCommandParameters.INDEX_NAME; import static org.apache.geode.cache.lucene.internal.LuceneServiceImpl.validateCommandParameters.REGION_PATH; +import java.util.Collection; +import java.util.Collections; + import org.apache.commons.lang.StringUtils; import org.apache.lucene.analysis.Analyzer; import org.apache.lucene.analysis.standard.StandardAnalyzer; @@ -33,11 +36,15 @@ import org.apache.geode.cache.lucene.internal.cli.LuceneCliStrings; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo; +import org.apache.geode.cache.lucene.internal.security.LucenePermission; import org.apache.geode.internal.InternalEntity; import org.apache.geode.management.internal.cli.CliUtil; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.security.ResourcePermission; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; /** @@ -110,6 +117,12 @@ public void execute(final FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton( + new ResourcePermission(Resource.CLUSTER, Operation.MANAGE, LucenePermission.TARGET)); + } + private LuceneSerializer toSerializer(String serializerName) throws InstantiationException, IllegalAccessException, ClassNotFoundException { String trimmedName = StringUtils.trim(serializerName); 
@@ -136,5 +149,4 @@ private Analyzer toAnalyzer(String className) { CliUtil.forName(className, LuceneCliStrings.LUCENE_CREATE_INDEX__ANALYZER); return CliUtil.newInstance(clazz, LuceneCliStrings.LUCENE_CREATE_INDEX__ANALYZER); } - }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java+13 −0 modified@@ -15,6 +15,9 @@ package org.apache.geode.cache.lucene.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.geode.cache.Cache; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; @@ -25,7 +28,11 @@ import org.apache.geode.cache.lucene.internal.LuceneServiceImpl; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo; +import org.apache.geode.cache.lucene.internal.security.LucenePermission; import org.apache.geode.internal.InternalEntity; +import org.apache.geode.security.ResourcePermission; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; /** * The LuceneDescribeIndexFunction class is a function used to collect the information on a @@ -66,4 +73,10 @@ public void execute(final FunctionContext context) { } context.getResultSender().lastResult(result); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton( + new ResourcePermission(Resource.CLUSTER, Operation.READ, LucenePermission.TARGET)); + } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java+14 −2 modified@@ -14,6 +14,9 @@ */ package org.apache.geode.cache.lucene.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; + import org.apache.commons.lang.StringUtils; import org.apache.geode.cache.execute.Function; @@ -22,16 +25,19 @@ import org.apache.geode.cache.lucene.LuceneServiceProvider; import org.apache.geode.cache.lucene.internal.LuceneServiceImpl; import org.apache.geode.cache.lucene.internal.cli.LuceneDestroyIndexInfo; +import org.apache.geode.cache.lucene.internal.security.LucenePermission; import org.apache.geode.cache.lucene.internal.xml.LuceneXmlConstants; import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.xmlcache.CacheXml; import org.apache.geode.management.internal.cli.functions.CliFunctionResult; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.security.ResourcePermission; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; public class LuceneDestroyIndexFunction implements Function, InternalEntity { - public void execute(final FunctionContext context) { - CliFunctionResult result = null; + CliFunctionResult result; String memberId = context.getCache().getDistributedSystem().getDistributedMember().getId(); try { LuceneDestroyIndexInfo indexInfo = (LuceneDestroyIndexInfo) context.getArguments(); 
@@ -66,4 +72,10 @@ protected XmlEntity getXmlEntity(String indexName, String regionPath) { return new XmlEntity(CacheXml.REGION, "name", regionName, LuceneXmlConstants.PREFIX, LuceneXmlConstants.NAMESPACE, LuceneXmlConstants.INDEX, "name", indexName); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton( + new ResourcePermission(Resource.CLUSTER, Operation.MANAGE, LucenePermission.TARGET)); + } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java+12 −0 modified@@ -15,6 +15,8 @@ package org.apache.geode.cache.lucene.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.HashSet; import java.util.Set; @@ -27,7 +29,11 @@ import org.apache.geode.cache.lucene.internal.LuceneIndexImpl; import org.apache.geode.cache.lucene.internal.LuceneServiceImpl; import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails; +import org.apache.geode.cache.lucene.internal.security.LucenePermission; import org.apache.geode.internal.InternalEntity; +import org.apache.geode.security.ResourcePermission; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; /** * The LuceneListIndexFunction class is a function used to collect the information on all lucene @@ -64,4 +70,10 @@ public void execute(final FunctionContext context) { } context.getResultSender().lastResult(indexDetailsSet); } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton( + new ResourcePermission(Resource.CLUSTER, Operation.READ, LucenePermission.TARGET)); + } }
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java+10 −2 modified@@ -15,14 +15,14 @@ package org.apache.geode.cache.lucene.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Set; import org.apache.geode.cache.Cache; -import org.apache.geode.cache.CacheFactory; import org.apache.geode.cache.execute.Function; -import org.apache.geode.cache.execute.FunctionAdapter; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.lucene.LuceneQuery; import org.apache.geode.cache.lucene.LuceneQueryException; @@ -35,6 +35,9 @@ import org.apache.geode.cache.lucene.internal.cli.LuceneQueryInfo; import org.apache.geode.cache.lucene.internal.cli.LuceneSearchResults; import org.apache.geode.internal.InternalEntity; +import org.apache.geode.security.ResourcePermission; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; /** * The LuceneSearchIndexFunction class is a function used to collect the information on a particular @@ -95,4 +98,9 @@ public void execute(final FunctionContext context) { context.getResultSender().lastResult(result); } } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singleton(new ResourcePermission(Resource.DATA, Operation.READ, regionName)); + } }
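Review bot: In LuceneSearchIndexFunction.getRequiredPermissions the DATA:READ permission is built directly from regionName, and the accompanying test invokes this function without --region, so regionName can arrive unset. Please add a comment on the override stating which target the permission resolves to in that case, so a reader can tell whether an unscoped call is checked against all regions or against none. This override also wraps differently from the other Lucene functions (single line here, two lines elsewhere); formatting them alike would make the set easier to scan.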
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java+13 −0 modified@@ -17,6 +17,8 @@ import java.io.File; import java.util.Collection; +import java.util.HashSet; +import java.util.Set; import org.apache.logging.log4j.Logger; import org.apache.lucene.index.IndexWriter; @@ -35,6 +37,9 @@ import org.apache.geode.internal.InternalEntity; import org.apache.geode.internal.cache.BucketNotFoundException; import org.apache.geode.internal.logging.LogService; +import org.apache.geode.security.ResourcePermission; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; public class DumpDirectoryFiles implements Function, InternalEntity { private static final long serialVersionUID = 1L; @@ -96,4 +101,12 @@ public String getId() { public boolean optimizeForWrite() { return true; } + + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + Set<ResourcePermission> required = new HashSet<>(); + required.add(new ResourcePermission(Resource.DATA, Operation.READ, regionName)); + required.add(new ResourcePermission(Resource.CLUSTER, Operation.MANAGE)); + return required; + } }
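Review bot: In DumpDirectoryFiles.getRequiredPermissions the second entry is new ResourcePermission(Resource.CLUSTER, Operation.MANAGE) with no target, while the other Lucene CLI functions in this commit scope their CLUSTER permission to LucenePermission.TARGET. If the broader, untargeted CLUSTER:MANAGE is intentional because this function writes index files to the server's file system, say so in a comment on the override; otherwise use the Lucene target for consistency. Documenting that both permissions are required together, not either one, would also help.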
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java+0 −1 modified@@ -19,7 +19,6 @@ import java.util.ArrayList; import java.util.Collection; import java.util.Collections; -import java.util.Optional; import org.apache.logging.log4j.Logger; import org.apache.lucene.search.Query;
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java+0 −1 modified@@ -17,7 +17,6 @@ import java.util.Collection; import java.util.Collections; -import java.util.Optional; import java.util.concurrent.TimeUnit; import org.apache.geode.cache.Cache;
geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java+0 −1 modified@@ -18,7 +18,6 @@ import java.util.Collection; import java.util.Collections; import java.util.List; -import java.util.Optional; import java.util.Set; import org.apache.logging.log4j.Logger;
geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java+485 −0 added@@ -0,0 +1,485 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package org.apache.geode.cache.lucene.test; + +import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_MANAGE; +import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_READ; +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.ArgumentMatchers.any; + +import java.util.function.Predicate; + +import org.assertj.core.api.Condition; +import org.junit.BeforeClass; +import org.junit.ClassRule; +import org.junit.Rule; +import org.junit.Test; +import org.junit.experimental.categories.Category; +import org.mockito.Mockito; + +import org.apache.geode.cache.RegionShortcut; +import org.apache.geode.cache.execute.Function; +import org.apache.geode.cache.execute.FunctionService; +import org.apache.geode.cache.lucene.internal.cli.functions.LuceneCreateIndexFunction; +import org.apache.geode.cache.lucene.internal.cli.functions.LuceneDescribeIndexFunction; +import org.apache.geode.cache.lucene.internal.cli.functions.LuceneDestroyIndexFunction; +import 
org.apache.geode.cache.lucene.internal.cli.functions.LuceneListIndexFunction; +import org.apache.geode.cache.lucene.internal.cli.functions.LuceneSearchIndexFunction; +import org.apache.geode.cache.lucene.internal.directory.DumpDirectoryFiles; +import org.apache.geode.cache.lucene.internal.distributed.LuceneQueryFunction; +import org.apache.geode.cache.lucene.internal.distributed.WaitUntilFlushedFunction; +import org.apache.geode.cache.lucene.internal.results.LuceneGetPageFunction; +import org.apache.geode.cache.lucene.internal.security.LucenePermission; +import org.apache.geode.examples.SimpleSecurityManager; +import org.apache.geode.security.ResourcePermission; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; +import org.apache.geode.test.junit.categories.IntegrationTest; +import org.apache.geode.test.junit.categories.SecurityTest; +import org.apache.geode.test.junit.rules.ConnectionConfiguration; +import org.apache.geode.test.junit.rules.GfshCommandRule; +import org.apache.geode.test.junit.rules.ServerStarterRule; + +@Category({IntegrationTest.class, SecurityTest.class}) +public class LuceneFunctionSecurityTest { + // Note: this region name is embedded below in several @ConnectionConfiguration inputs, + // which is itself case-sensitive in parsing. 
+ private static String regionName = "this_test_region"; + + private static ResourcePermission CLUSTER_MANAGE_LUCENE = + new ResourcePermission(Resource.CLUSTER, Operation.MANAGE, LucenePermission.TARGET); + private static ResourcePermission CLUSTER_READ_LUCENE = + new ResourcePermission(Resource.CLUSTER, Operation.READ, LucenePermission.TARGET); + private static ResourcePermission DATA_READ_REGION = + new ResourcePermission(Resource.DATA, Operation.READ, regionName); + + private static Function luceneCreateIndexFunction = Mockito.spy(new LuceneCreateIndexFunction()); + private static Function luceneDescribeIndexFunction = + Mockito.spy(new LuceneDescribeIndexFunction()); + private static Function luceneDestroyIndexFunction = + Mockito.spy(new LuceneDestroyIndexFunction()); + private static Function luceneListIndexFunction = Mockito.spy(new LuceneListIndexFunction()); + private static Function luceneSearchIndexFunction = Mockito.spy(new LuceneSearchIndexFunction()); + private static Function dumpDirectoryFiles = Mockito.spy(new DumpDirectoryFiles()); + private static Function luceneQueryFunction = Mockito.spy(new LuceneQueryFunction()); + private static Function waitUntilFlushedFunction = Mockito.spy(new WaitUntilFlushedFunction()); + private static Function luceneGetPageFunction = Mockito.spy(new LuceneGetPageFunction()); + + static { + Mockito.doNothing().when(luceneCreateIndexFunction).execute(any()); + Mockito.doNothing().when(luceneDescribeIndexFunction).execute(any()); + Mockito.doNothing().when(luceneDestroyIndexFunction).execute(any()); + Mockito.doNothing().when(luceneListIndexFunction).execute(any()); + Mockito.doNothing().when(luceneSearchIndexFunction).execute(any()); + Mockito.doNothing().when(dumpDirectoryFiles).execute(any()); + Mockito.doNothing().when(luceneQueryFunction).execute(any()); + Mockito.doNothing().when(waitUntilFlushedFunction).execute(any()); + Mockito.doNothing().when(luceneGetPageFunction).execute(any()); + } + + @ClassRule + public 
static ServerStarterRule server = + new ServerStarterRule().withJMXManager().withSecurityManager(SimpleSecurityManager.class) + .withRegion(RegionShortcut.PARTITION, regionName).withAutoStart(); + + @Rule + public GfshCommandRule gfsh = + new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager); + + @BeforeClass + public static void setupClass() { + FunctionService.registerFunction(luceneCreateIndexFunction); + FunctionService.registerFunction(luceneDescribeIndexFunction); + FunctionService.registerFunction(luceneDestroyIndexFunction); + FunctionService.registerFunction(luceneListIndexFunction); + FunctionService.registerFunction(luceneSearchIndexFunction); + FunctionService.registerFunction(dumpDirectoryFiles); + FunctionService.registerFunction(luceneQueryFunction); + FunctionService.registerFunction(waitUntilFlushedFunction); + FunctionService.registerFunction(luceneGetPageFunction); + } + + /* Command authorized tests */ + @Test + @ConnectionConfiguration(user = "clusterManageLucene", password = "clusterManageLucene") + public void testValidPermissionsForLuceneCreateIndexFunction() throws Exception { + Function thisFunction = luceneCreateIndexFunction; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "clusterReadLucene", password = "clusterReadLucene") + public void testValidPermissionsForLuceneDescribeIndexFunction() throws Exception { + Function thisFunction = luceneDescribeIndexFunction; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "clusterManageLucene", password = "clusterManageLucene") + public void testValidPermissionsForLuceneDestroyIndexFunction() throws Exception { + Function thisFunction = luceneDestroyIndexFunction; + + 
gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "clusterReadLucene", password = "clusterReadLucene") + public void testValidPermissionsForLuceneListIndexFunction() throws Exception { + Function thisFunction = luceneListIndexFunction; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataReadThis_test_region,clusterManage", + password = "dataReadThis_test_region,clusterManage") + public void testValidPermissionsForDumpDirectoryFilesWithRegionParameter() throws Exception { + Function thisFunction = dumpDirectoryFiles; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataRead,clusterManage", password = "dataRead,clusterManage") + public void testValidPermissionsForDumpDirectoryFilesWithoutRegionParameter() throws Exception { + Function thisFunction = dumpDirectoryFiles; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + + @Test + @ConnectionConfiguration(user = "dataRead", password = "dataRead") + public void testValidPermissionsForLuceneSearchIndexFunctionWithoutRegionParameter() + throws Exception { + Function thisFunction = luceneSearchIndexFunction; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") + public void testValidPermissionsForLuceneSearchIndexFunctionWithRegionParameter() + throws Exception { + 
Function thisFunction = luceneSearchIndexFunction; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataRead", password = "dataRead") + public void testValidPermissionsForLuceneQueryFunctionWithoutRegionParameter() throws Exception { + Function thisFunction = luceneQueryFunction; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") + public void testValidPermissionsForLuceneQueryFunctionWithRegionParameter() throws Exception { + Function thisFunction = luceneQueryFunction; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataRead", password = "dataRead") + public void testValidPermissionsForWaitUntilFlushedFunctionWithoutRegionParameter() + throws Exception { + Function thisFunction = waitUntilFlushedFunction; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") + public void testValidPermissionsForWaitUntilFlushedFunctionWithRegionParameter() + throws Exception { + Function thisFunction = waitUntilFlushedFunction; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataRead", password = "dataRead") + public void 
testValidPermissionsForLuceneGetPageFunctionWithoutRegionParameter() + throws Exception { + Function thisFunction = luceneGetPageFunction; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") + public void testValidPermissionsForLuceneGetPageFunctionWithRegionParameter() throws Exception { + Function thisFunction = luceneGetPageFunction; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .doesNotContainOutput("not authorized for").statusIsSuccess(); + } + + + /* Command refused tests */ + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneCreateIndexFunction() throws Exception { + Function thisFunction = luceneCreateIndexFunction; + ResourcePermission thisRequiredPermission = CLUSTER_MANAGE_LUCENE; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneDescribeIndexFunction() throws Exception { + Function thisFunction = luceneDescribeIndexFunction; + ResourcePermission thisRequiredPermission = CLUSTER_READ_LUCENE; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneDestroyIndexFunction() throws Exception { + Function thisFunction = luceneDestroyIndexFunction; + ResourcePermission thisRequiredPermission = 
CLUSTER_MANAGE_LUCENE; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneListIndexFunction() throws Exception { + Function thisFunction = luceneListIndexFunction; + ResourcePermission thisRequiredPermission = CLUSTER_READ_LUCENE; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_noPermission() + throws Exception { + Function thisFunction = dumpDirectoryFiles; + + Predicate<String> notAuthForDataRead = + s -> s.contains("not authorized for " + DATA_READ.toString()); + Predicate<String> notAuthForClusterManage = + s -> s.contains("not authorized for " + CLUSTER_MANAGE.toString()); + Predicate<String> notAuthForSomePermission = + s -> notAuthForDataRead.test(s) || notAuthForClusterManage.test(s); + + String output = gfsh.execute("execute function --id=" + thisFunction.getId()); + + Condition<String> containsSomeAuthFailure = new Condition<>(notAuthForSomePermission, + "not authorized for for [DATA:MANAGE|CLUSTER:MANAGE]", output); + assertThat(output).has(containsSomeAuthFailure); + } + + @Test + @ConnectionConfiguration(user = "dataRead", password = "dataRead") + public void testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_withDataRead() + throws Exception { + Function thisFunction = dumpDirectoryFiles; + ResourcePermission thisMissingPermission = CLUSTER_MANAGE; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + 
thisMissingPermission.toString()).statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "clusterManage", password = "clusterManage") + public void testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_withClusterManage() + throws Exception { + Function thisFunction = dumpDirectoryFiles; + ResourcePermission thisMissingPermission = DATA_READ; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_noPermission() + throws Exception { + Function thisFunction = dumpDirectoryFiles; + + Predicate<String> notAuthForDataReadRegion = + s -> s.contains("not authorized for " + DATA_READ_REGION.toString()); + Predicate<String> notAuthForClusterManage = + s -> s.contains("not authorized for " + CLUSTER_MANAGE.toString()); + Predicate<String> notAuthForSomePermission = + s -> notAuthForDataReadRegion.test(s) || notAuthForClusterManage.test(s); + + String output = + gfsh.execute("execute function --region=" + regionName + " --id=" + thisFunction.getId()); + + Condition<String> containsSomeAuthFailure = + new Condition<>(notAuthForSomePermission, "D:R or C:M:L auth failure", output); + assertThat(output).has(containsSomeAuthFailure); + } + + @Test + @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region") + public void testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_withDataReadRegion() + throws Exception { + Function thisFunction = dumpDirectoryFiles; + ResourcePermission thisMissingPermission = CLUSTER_MANAGE; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsSuccess(); + } 
+ + @Test + @ConnectionConfiguration(user = "clusterManage", password = "clusterManage") + public void testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_withClusterManage() + throws Exception { + Function thisFunction = dumpDirectoryFiles; + ResourcePermission thisMissingPermission = DATA_READ; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsSuccess(); + } + + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneSearchIndexFunctionWithoutRegionParameter() + throws Exception { + Function thisFunction = luceneSearchIndexFunction; + ResourcePermission thisRequiredPermission = DATA_READ; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneSearchIndexFunctionWithRegionParameter() + throws Exception { + Function thisFunction = luceneSearchIndexFunction; + ResourcePermission thisRequiredPermission = DATA_READ_REGION; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneQueryFunctionWithoutRegionParameter() + throws Exception { + Function thisFunction = luceneQueryFunction; + ResourcePermission thisRequiredPermission = DATA_READ; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + 
.statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneQueryFunctionWithRegionParameter() throws Exception { + Function thisFunction = luceneQueryFunction; + ResourcePermission thisRequiredPermission = DATA_READ_REGION; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForWaitUntilFlushedFunctionWithoutRegionParameter() + throws Exception { + Function thisFunction = waitUntilFlushedFunction; + ResourcePermission thisRequiredPermission = DATA_READ; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForWaitUntilFlushedFunctionWithRegionParameter() + throws Exception { + Function thisFunction = waitUntilFlushedFunction; + ResourcePermission thisRequiredPermission = DATA_READ_REGION; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneGetPageFunctionWithoutRegionParameter() + throws Exception { + Function thisFunction = luceneGetPageFunction; + ResourcePermission thisRequiredPermission = DATA_READ; + + gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + 
thisRequiredPermission.toString()) + .statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "noPermissions", password = "noPermissions") + public void testInvalidPermissionsForLuceneGetPageFunctionWithRegionParameter() throws Exception { + Function thisFunction = luceneGetPageFunction; + ResourcePermission thisRequiredPermission = DATA_READ_REGION; + + gfsh.executeAndAssertThat( + "execute function --region=" + regionName + " --id=" + thisFunction.getId()) + .containsOutput("not authorized for " + thisRequiredPermission.toString()) + .statusIsSuccess(); + } +}
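Review bot: in testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_noPermission the Condition description reads "not authorized for for [DATA:MANAGE|CLUSTER:MANAGE]", but the predicates test DATA_READ and CLUSTER_MANAGE. Fix the doubled "for" and name DATA:READ so a failure message points at the permission actually checked. The description "D:R or C:M:L auth failure" in the WithRegionParameter_noPermission variant has the same drift, since its predicate checks CLUSTER_MANAGE and not a Lucene permission. Separately, testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_withClusterManage expects DATA_READ while its noPermission sibling expects DATA_READ_REGION for the same --region invocation. containsOutput is a substring match, so if the region-scoped permission renders as DATA:READ:<region>, the unscoped string matches either message; assert on DATA_READ_REGION there to pin the region-level check.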
90f8f6242927 GEODE-3974: Improve permissions for geode-modules functions (#1258)
7 files changed · +145 −4
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/BootstrappingFunction.java+9 −0 modified@@ -17,6 +17,8 @@ import java.io.DataInput; import java.io.DataOutput; import java.io.IOException; +import java.util.Collection; +import java.util.Collections; import java.util.List; import java.util.Set; @@ -32,6 +34,8 @@ import org.apache.geode.distributed.internal.InternalDistributedSystem; import org.apache.geode.distributed.internal.MembershipListener; import org.apache.geode.distributed.internal.membership.InternalDistributedMember; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class BootstrappingFunction implements Function, MembershipListener, DataSerializable { @@ -87,6 +91,11 @@ private Cache verifyCacheExists() { return cache; } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.CLUSTER_MANAGE); + } + private void registerAsMembershipListener(Cache cache) { DistributionManager dm = ((InternalDistributedSystem) cache.getDistributedSystem()).getDistributionManager();
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/CreateRegionFunction.java+9 −4 modified@@ -20,10 +20,10 @@ import java.io.FileWriter; import java.io.IOException; import java.io.PrintWriter; +import java.util.Collection; +import java.util.Collections; import java.util.Properties; -import javax.xml.crypto.Data; - import org.apache.geode.DataSerializable; import org.apache.geode.InternalGemFireError; import org.apache.geode.cache.AttributesFactory; @@ -32,8 +32,6 @@ import org.apache.geode.cache.Declarable; import org.apache.geode.cache.Region; import org.apache.geode.cache.RegionAttributes; -import org.apache.geode.cache.RegionFactory; -import org.apache.geode.cache.RegionShortcut; import org.apache.geode.cache.Scope; import org.apache.geode.cache.client.ClientCache; import org.apache.geode.cache.execute.Function; @@ -46,6 +44,8 @@ import org.apache.geode.internal.cache.PartitionedRegion; import org.apache.geode.internal.cache.xmlcache.CacheXmlGenerator; import org.apache.geode.internal.i18n.LocalizedStrings; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; public class CreateRegionFunction implements Function, Declarable, DataSerializable { @@ -96,6 +96,11 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(status); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.DATA_MANAGE); + } + private RegionStatus createOrRetrieveRegion(RegionConfiguration configuration) { RegionStatus status = null; String regionName = configuration.getRegionName();
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/RegionSizeFunction.java+9 −0 modified@@ -17,13 +17,16 @@ import java.io.DataInput; import java.io.DataOutput; import java.io.IOException; +import java.util.Collection; +import java.util.Collections; import java.util.Properties; import org.apache.geode.DataSerializable; import org.apache.geode.cache.Declarable; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.RegionFunctionContext; +import org.apache.geode.security.ResourcePermission; public class RegionSizeFunction implements Function, Declarable, DataSerializable { @@ -38,6 +41,12 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(rfc.getDataSet().size()); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(new ResourcePermission(ResourcePermission.Resource.DATA, + ResourcePermission.Operation.READ, regionName)); + } + public String getId() { return ID; }
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchPartitionedRegionEntriesFunction.java+9 −0 modified@@ -17,6 +17,8 @@ import java.io.DataInput; import java.io.DataOutput; import java.io.IOException; +import java.util.Collection; +import java.util.Collections; import java.util.Properties; import java.util.Set; @@ -29,6 +31,7 @@ import org.apache.geode.cache.execute.FunctionContext; import org.apache.geode.cache.execute.RegionFunctionContext; import org.apache.geode.cache.partition.PartitionRegionHelper; +import org.apache.geode.security.ResourcePermission; /** * Touches the keys contained in the set of keys by performing a get on the partitioned region. @@ -76,6 +79,12 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(true); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(new ResourcePermission(ResourcePermission.Resource.DATA, + ResourcePermission.Operation.READ, regionName)); + } + public String getId() { return ID; }
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/TouchReplicatedRegionEntriesFunction.java+9 −0 modified@@ -17,6 +17,8 @@ import java.io.DataInput; import java.io.DataOutput; import java.io.IOException; +import java.util.Collection; +import java.util.Collections; import java.util.Properties; import java.util.Set; @@ -27,6 +29,7 @@ import org.apache.geode.cache.Region; import org.apache.geode.cache.execute.Function; import org.apache.geode.cache.execute.FunctionContext; +import org.apache.geode.security.ResourcePermission; /** * Touches the keys contained in the set of keys by performing a get on the replicated region. This @@ -71,6 +74,12 @@ public void execute(FunctionContext context) { context.getResultSender().lastResult(true); } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(new ResourcePermission(ResourcePermission.Resource.DATA, + ResourcePermission.Operation.READ, regionName)); + } + public String getId() { return ID; }
extensions/geode-modules/src/test/java/org/apache/geode/modules/util/ModuleFunctionsSecurityTest.java+91 −0 added@@ -0,0 +1,91 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package org.apache.geode.modules.util; + +import org.junit.BeforeClass; +import org.junit.ClassRule; +import org.junit.Rule; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +import org.apache.geode.cache.RegionShortcut; +import org.apache.geode.cache.execute.FunctionService; +import org.apache.geode.examples.SimpleSecurityManager; +import org.apache.geode.test.junit.categories.IntegrationTest; +import org.apache.geode.test.junit.categories.SecurityTest; +import org.apache.geode.test.junit.rules.ConnectionConfiguration; +import org.apache.geode.test.junit.rules.GfshCommandRule; +import org.apache.geode.test.junit.rules.ServerStarterRule; + +@Category({IntegrationTest.class, SecurityTest.class}) +public class ModuleFunctionsSecurityTest { + + @ClassRule + public static ServerStarterRule server = + new ServerStarterRule().withJMXManager().withSecurityManager(SimpleSecurityManager.class) + .withRegion(RegionShortcut.REPLICATE, "REPLICATE_1") + .withRegion(RegionShortcut.PARTITION, "PARTITION_1").withAutoStart(); + + 
@Rule + public GfshCommandRule gfsh = + new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager); + + @BeforeClass + public static void setupClass() { + FunctionService.registerFunction(new BootstrappingFunction()); + FunctionService.registerFunction(new CreateRegionFunction()); + FunctionService.registerFunction(new RegionSizeFunction()); + FunctionService.registerFunction(new TouchPartitionedRegionEntriesFunction()); + FunctionService.registerFunction(new TouchReplicatedRegionEntriesFunction()); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForBootstrappingFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + BootstrappingFunction.ID) + .containsOutput("not authorized for CLUSTER:MANAGE").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForCreateRegionFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --id=" + CreateRegionFunction.ID) + .containsOutput("not authorized for DATA:MANAGE").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForRegionSizeFunction() throws Exception { + gfsh.executeAndAssertThat("execute function --region=REPLICATE_1 --id=" + RegionSizeFunction.ID) + .containsOutput("not authorized for DATA:READ:REPLICATE_1").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void testInvalidPermissionsForTouchPartitionedRegionEntriesFunction() throws Exception { + gfsh.executeAndAssertThat( + "execute function --region=PARTITION_1 --id=" + TouchPartitionedRegionEntriesFunction.ID) + .containsOutput("not authorized for DATA:READ:PARTITION_1").statusIsSuccess(); + } + + @Test + @ConnectionConfiguration(user = "dataWrite", password = "dataWrite") + public void 
testInvalidPermissionsForTouchReplicatedRegionEntriesFunction() throws Exception { + gfsh.executeAndAssertThat( + "execute function --region=REPLICATE_1 --id=" + TouchReplicatedRegionEntriesFunction.ID) + .containsOutput("not authorized for DATA:READ:REPLICATE_1").statusIsSuccess(); + } +}
geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/RegionCreateFunction.java+9 −0 modified@@ -14,6 +14,8 @@ */ package org.apache.geode.management.internal.cli.functions; +import java.util.Collection; +import java.util.Collections; import java.util.Set; import org.apache.commons.lang.StringUtils; @@ -49,6 +51,8 @@ import org.apache.geode.management.internal.cli.i18n.CliStrings; import org.apache.geode.management.internal.cli.util.RegionPath; import org.apache.geode.management.internal.configuration.domain.XmlEntity; +import org.apache.geode.management.internal.security.ResourcePermissions; +import org.apache.geode.security.ResourcePermission; /** * @@ -121,6 +125,11 @@ public void execute(FunctionContext context) { } } + @Override + public Collection<ResourcePermission> getRequiredPermissions(String regionName) { + return Collections.singletonList(ResourcePermissions.DATA_MANAGE); + } + private CliFunctionResult handleException(final String memberNameOrId, final String exceptionMsg, final Exception e) { if (e != null && logger.isDebugEnabled()) {
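Review bot: in TouchReplicatedRegionEntriesFunction, getRequiredPermissions builds DATA:READ from the regionName argument, yet the visible imports there include FunctionContext but not RegionFunctionContext (unlike RegionSizeFunction and TouchPartitionedRegionEntriesFunction), which suggests the region it touches comes from the function arguments and not from the region the call is routed on. If that is the case, authorization is evaluated against whatever --region the caller supplies and not against the region actually read; please confirm where the region name comes from and either check against that name or document why the routing region is sufficient. All three region-scoped overrides also pass regionName straight into new ResourcePermission(...) without saying what happens when it is null (function executed without --region); state the intended behaviour in a comment and cover it with a test.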
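Review bot: ModuleFunctionsSecurityTest exercises only the refusal path, and only as the dataWrite user. Add a positive case per function with a user that holds the required permission (CLUSTER:MANAGE for BootstrappingFunction, DATA:MANAGE for CreateRegionFunction, DATA:READ on the region for the other three) so that an override which over-restricts a function is caught, and add a case that runs RegionSizeFunction and the two Touch functions without --region. Because the fix is applied by adding a getRequiredPermissions override to each class individually, a test that walks every function registered on the server and fails on any that lacks an explicit override would keep newly added internal functions from silently inheriting the default. RegionCreateFunction gets an override in this commit but no test here. A one-line comment on why .statusIsSuccess() is expected alongside "not authorized for" output would also help readers of these assertions.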
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jmg4-x4vp-6c6x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-15695 (ghsa, ADVISORY)
- www.securityfocus.com/bid/104465 (mitre, vdb-entry, x_refsource_BID)
- cwiki.apache.org/confluence/display/GEODE/Release+Notes (ghsa, WEB)
- github.com/apache/geode/commit/00be4f9774e1adf8e7ccc2664da8005fc30bb11d (ghsa, WEB)
- github.com/apache/geode/commit/49d28f93fd2ef069693ce15d124ef3a29f22fb7d (ghsa, WEB)
- github.com/apache/geode/commit/6df14c8b1e3c644f9f810149e80bba0c2f073dab (ghsa, WEB)
- github.com/apache/geode/commit/740289c61d60256c6270756bc84b9e24b76e4913 (ghsa, WEB)
- github.com/apache/geode/commit/90f8f6242927c5e16da64f38bba9abf3d450a305 (ghsa, WEB)
- github.com/apache/geode/commit/954ccb545d24a9c9a35cbd84023a4d7e07032de0 (ghsa, WEB)
- github.com/apache/geode/commit/aa469239860778eb46e09dd7b390aee08f152480 (ghsa, WEB)
- github.com/apache/geode/pull/1258 (ghsa, WEB)
- issues.apache.org/jira/browse/GEODE-3974 (ghsa, WEB)
- lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99%40%3Cuser.geode.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99@%3Cuser.geode.apache.org%3E (ghsa, WEB)