
review catalog security to better support non-partitionned mode

1 parent ba424a2 commit b3b384db57abe7422d58044f723ed2ea0ba6b4f0 @ddossot ddossot committed Apr 6, 2013
@@ -88,6 +88,7 @@
private static final String SYSTEM_SUBPATH = "system";
public static final String ADMIN_SYSTEM_PATH = Constants.ADMIN_PATH + "/" + SYSTEM_SUBPATH;
+ public static final String ADMIN_CATALOG_PATH = Constants.ADMIN_PATH + "/" + CATALOG_SUBPATH;
private ConfigurableApplicationContext applicationContext;
@@ -104,7 +104,7 @@ public void createCatalogTree() throws IOException
return applicationNames;
}
- @PreAuthorize("hasPermission(#applicationName, 'APPLICATION_USER')")
+ @PreAuthorize("hasPermission(#applicationName, 'CATALOG_USER')")
public Map<Pair<CatalogSection, File>, List<File>> getCatalog(final String applicationName)
{
final Map<Pair<CatalogSection, File>, List<File>> catalog = new HashMap<Pair<CatalogSection, File>, List<File>>();
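Review bot: The permission names `CATALOG_USER` and `CATALOG_ADMIN` are bare string literals that have to stay in sync between these `@PreAuthorize` expressions and the `"CATALOG_USER".equals(permission)` branches of the permission evaluator; the same applies to the hunks ending at the `getCatalogFile` and `putCatalogFile` signatures below. A misspelling on either side is not caught by the compiler and, depending on how the evaluator's fall-through branches behave, silently changes who is granted access. Declaring the two names once as `public static final String` constants next to the evaluator and referencing them from both places, plus a test that calls each annotated method once as a plain user and once as an admin, would pin the mapping. The body of `getCatalog` continues outside the hunk.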
@@ -120,7 +120,7 @@ public void createCatalogTree() throws IOException
return catalog;
}
- @PreAuthorize("hasPermission(#applicationName, 'APPLICATION_USER')")
+ @PreAuthorize("hasPermission(#applicationName, 'CATALOG_USER')")
public File getCatalogFile(final CatalogSection catalogSection,
final String applicationName,
final String fileName)
@@ -129,7 +129,7 @@ public File getCatalogFile(final CatalogSection catalogSection,
return new File(catalogSectionDirectory, fileName);
}
- @PreAuthorize("hasPermission(#applicationName, 'APPLICATION_ADMIN')")
+ @PreAuthorize("hasPermission(#applicationName, 'CATALOG_ADMIN')")
public Pair<PutCatalogFileResult, File> putCatalogFile(final CatalogSection catalogSection,
final String applicationName,
final String fileName,
@@ -60,6 +60,15 @@ public boolean hasPermission(final Authentication authentication,
final Object targetDomainObject,
final Object permission)
{
+ if ("CATALOG_USER".equals(permission))
+ {
+ return hasCatalogUserPermission(authentication, targetDomainObject);
+ }
+ else if ("CATALOG_ADMIN".equals(permission))
+ {
+ return hasCatalogAdminPermission(authentication, targetDomainObject);
+ }
+
if (targetDomainObject == null)
{
return false;
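Review bot: The two new branches run before the `targetDomainObject == null` guard, so a null application name now reaches `hasCatalogUserPermission` and `hasCatalogAdminPermission` instead of being rejected. That is presumably intended for the non application-aware mode, where `#applicationName` in the annotations is expected to be null, but nothing in the hunk records that the ordering is deliberate. A comment above the first `if` would keep a later refactor from "fixing" it: `// catalog permissions are resolved before the null guard: in non application-aware mode the target application name is expected to be null`. `hasPermission` starts and continues outside the hunk.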
@@ -91,30 +100,53 @@ else if ("RSB_RESOURCE".equals(permission))
}
}
- private boolean hasApplicationUserOrAdminPermission(final Authentication authentication,
- final String applicationName)
+ private boolean hasCatalogAdminPermission(final Authentication authentication,
+ final Object targetDomainObject)
{
- return hasApplicationUserPermission(authentication, applicationName)
- || hasApplicationAdminPermission(authentication, applicationName);
+ if (configuration.isApplicationAwareCatalog())
+ {
+ // in secure-mode with an application aware catalog, only admins of a specific
+ // application can modify the application's catalog
+ return hasPermission(authentication, targetDomainObject, "APPLICATION_ADMIN");
+ }
+ else
+ {
+ // in secure-mode with a non-application aware catalog, only RSB admins can
+ // modify the catalog
+ return hasRsbResourcePermission(authentication, AdminResource.ADMIN_CATALOG_PATH);
+ }
}
- private boolean hasApplicationJobPermission(final Authentication authentication, final AbstractJob job)
+ private boolean hasCatalogUserPermission(final Authentication authentication,
+ final Object targetDomainObject)
{
- final Map<String, ApplicationSecurityAuthorization> applicationSecurityConfigurations = configuration.getApplicationSecurityConfiguration();
-
- if (applicationSecurityConfigurations != null)
+ if (configuration.isApplicationAwareCatalog())
{
- final String applicationName = job.getApplicationName();
- final ApplicationSecurityAuthorization applicationSecurityConfiguration = applicationSecurityConfigurations.get(applicationName);
- return hasApplicationUserOrAdminPermission(authentication, applicationName)
- && isJobAuthorized(job, applicationSecurityConfiguration);
+ // in secure-mode with an application aware catalog, only users of a specific
+ // application can read the application's catalog
+ return hasPermission(authentication, targetDomainObject, "APPLICATION_USER");
}
else
{
- return false;
+ // in secure-mode with a non-application aware catalog, anyone authenticated can
+ // read the catalog
+ return true;
}
}
+ private boolean hasApplicationUserOrAdminPermission(final Authentication authentication,
+ final String applicationName)
+ {
+ return hasApplicationUserPermission(authentication, applicationName)
+ || hasApplicationAdminPermission(authentication, applicationName);
+ }
+
+ private boolean hasApplicationJobPermission(final Authentication authentication, final AbstractJob job)
+ {
+ return hasApplicationAdminPermission(authentication, job.getApplicationName())
+ || (hasApplicationUserPermission(authentication, job.getApplicationName()) && isJobAuthorized(job));
+ }
+
private boolean hasApplicationUserPermission(final Authentication authentication,
final String applicationName)
{
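Review bot: In `hasCatalogUserPermission` the non application-aware branch returns `true` without ever looking at `authentication`, while the comment above it promises that "anyone authenticated" can read the catalog; the method itself enforces nothing. Whether an anonymous principal can reach this evaluator depends on the Spring Security filter chain, which is not part of this commit, but if anonymous authentication is enabled an `AnonymousAuthenticationToken` is an `Authentication` and would be granted read access here. Making the comment true in code is one line: `return authentication != null && authentication.isAuthenticated() && !(authentication instanceof AnonymousAuthenticationToken);`. Separately, `hasApplicationJobPermission` no longer calls `hasApplicationUserOrAdminPermission`, so unless the `APPLICATION_USER` branch of `hasPermission` (outside the hunk) still uses it, the re-added helper is dead code.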
@@ -153,9 +185,17 @@ private boolean hasApplicationAdminPermission(final Authentication authenticatio
}
}
- private boolean isJobAuthorized(final AbstractJob job,
- final ApplicationSecurityAuthorization applicationSecurityConfiguration)
+ private boolean isJobAuthorized(final AbstractJob job)
{
+ final Map<String, ApplicationSecurityAuthorization> applicationSecurityConfigurations = configuration.getApplicationSecurityConfiguration();
+ if (applicationSecurityConfigurations == null)
+ {
+ return false;
+ }
+
+ final String applicationName = job.getApplicationName();
+
+ final ApplicationSecurityAuthorization applicationSecurityConfiguration = applicationSecurityConfigurations.get(applicationName);
if (applicationSecurityConfiguration == null)
{
return false;
@@ -185,6 +225,10 @@ private boolean hasRsbResourcePermission(final Authentication authentication, fi
{
return isAuthenticationAdmin(authentication, configuration.getRsbSecurityConfiguration());
}
+ else if (AdminResource.ADMIN_CATALOG_PATH.equals(resourceName))
+ {
+ return isAuthenticationAdmin(authentication, configuration.getRsbSecurityConfiguration());
+ }
else
{
return false;
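Review bot: The new `else if` branch for `AdminResource.ADMIN_CATALOG_PATH` has exactly the same body as the branch immediately above it, `isAuthenticationAdmin(authentication, configuration.getRsbSecurityConfiguration())`, so two resource names are now tied to one rule by copy-paste and will drift apart the first time one of them is edited. The preceding condition is outside the hunk, but if it tests `AdminResource.ADMIN_SYSTEM_PATH` the two can be folded into a single condition: `if (AdminResource.ADMIN_SYSTEM_PATH.equals(resourceName) || AdminResource.ADMIN_CATALOG_PATH.equals(resourceName))`. Using `CONSTANT.equals(resourceName)` is null-safe, which is good to keep. `hasRsbResourcePermission` starts outside the hunk.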
@@ -212,8 +256,8 @@ private boolean isAuthenticationUser(final Authentication authentication,
}
return isAuthenticationAuthorized(authentication,
- applicationSecurityAuthorization.getAdminPrincipals(),
- applicationSecurityAuthorization.getAdminRoles());
+ applicationSecurityAuthorization.getUserPrincipals(),
+ applicationSecurityAuthorization.getUserRoles());
}
private boolean isAuthenticationAuthorized(final Authentication authentication,
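Review bot: Switching `isAuthenticationUser` from the admin principals/roles to the user ones is the fix the commit intends, but it is also a silent tightening: any caller that relied on admins passing the user check now gets `false` for admins unless it ORs in `hasApplicationAdminPermission`, as the rewritten `hasApplicationJobPermission` does. The documentation changed in this same commit states that application admins are de-facto users, so the `APPLICATION_USER` branch of `hasPermission` (not in view) should be verified to go through `hasApplicationUserOrAdminPermission` rather than `hasApplicationUserPermission` alone. A regression test with an admin principal that is absent from `userPrincipals` asserting that `APPLICATION_USER` is granted, and a plain user asserting that `CATALOG_ADMIN` is denied, would lock both halves of the fix in. The method's start is outside the hunk.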
@@ -69,8 +69,8 @@
}
}
</pre>
- <p>Notice how the <b>functionCallAllowed</b> and <b>scriptSubmissionAllowed</b> attributes are used to explicitly allow the users of <i>secure_app_4</i> to execute jobs that can potentially impact the environment where R executes. This is disabled by default.</p>
<p>Application admins, declared with <b>adminPrincipals</b> and <b>adminRoles</b> are de-facto users of the concerned application.</p>
+ <p>Notice how the <b>functionCallAllowed</b> and <b>scriptSubmissionAllowed</b> attributes are used to explicitly allow the users of <i>secure_app_4</i> to execute jobs that can potentially impact the environment where R executes. This is disabled by default. Application admins are not affected by these flags.</p>
</section>
<section name="RSB Admin Security">
<p>The following demonstrate how to configure the optional RSB admin roles/groups:</p>
@@ -91,7 +91,7 @@
},
"rsbSecurityConfiguration": {
"adminPrincipals":["joe"],
- "adminRoles":["ROLE_USB_ADMIN"]
+ "adminRoles":["ROLE_RSB_ADMIN"]
},
"applicationAwareCatalog" : true
}
@@ -95,7 +95,7 @@
},
"rsbSecurityConfiguration": {
"adminPrincipals":["joe"],
- "adminRoles":["ROLE_USB_ADMIN"]
+ "adminRoles":["ROLE_RSB_ADMIN"]
},
"applicationAwareCatalog" : true
}
