activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From clebertsuco...@apache.org
Subject [activemq-artemis] branch master updated: ARTEMIS-2447 allow mapping admin to manage in LDAP plugin
Date Thu, 08 Aug 2019 17:04:49 GMT
This is an automated email from the ASF dual-hosted git repository.

clebertsuconic pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/master by this push:
     new d379cda  ARTEMIS-2447 allow mapping admin to manage in LDAP plugin
     new 91a67fa  This closes #2788
d379cda is described below

commit d379cda374e87b873407b68b39d1c6cc8fb96296
Author: Justin Bertram <jbertram@apache.org>
AuthorDate: Tue Aug 6 15:27:18 2019 -0500

    ARTEMIS-2447 allow mapping admin to manage in LDAP plugin
---
 .../impl/LegacyLDAPSecuritySettingPlugin.java      | 14 +++++++-
 docs/user-manual/en/security.md                    | 18 +++++++---
 .../LegacyLDAPSecuritySettingPluginTest.java       | 38 ++++++++++++++++++++++
 .../src/test/resources/AMQauth.ldif                | 25 ++++++++++++++
 4 files changed, 89 insertions(+), 6 deletions(-)

diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java
index 6f33565..812b0dc 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/LegacyLDAPSecuritySettingPlugin.java
@@ -65,6 +65,7 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin
{
    public static final String READ_PERMISSION_VALUE = "readPermissionValue";
    public static final String WRITE_PERMISSION_VALUE = "writePermissionValue";
    public static final String ENABLE_LISTENER = "enableListener";
+   public static final String MAP_ADMIN_TO_MANAGE = "mapAdminToManage";
 
    private String initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
    private String connectionURL = "ldap://localhost:1024";
@@ -79,6 +80,7 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin
{
    private String readPermissionValue = "read";
    private String writePermissionValue = "write";
    private boolean enableListener = true;
+   private boolean mapAdminToManage = false;
 
    private DirContext context;
    private EventDirContext eventContext;
@@ -101,6 +103,7 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin
{
          readPermissionValue = getOption(options, READ_PERMISSION_VALUE, readPermissionValue);
          writePermissionValue = getOption(options, WRITE_PERMISSION_VALUE, writePermissionValue);
          enableListener = getOption(options, ENABLE_LISTENER, Boolean.TRUE.toString()).equalsIgnoreCase(Boolean.TRUE.toString());
+         mapAdminToManage = getOption(options, MAP_ADMIN_TO_MANAGE, Boolean.FALSE.toString()).equalsIgnoreCase(Boolean.TRUE.toString());
       }
 
       return this;
@@ -232,6 +235,15 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin
{
       return this;
    }
 
+   public boolean isMapAdminToManage() {
+      return mapAdminToManage;
+   }
+
+   public LegacyLDAPSecuritySettingPlugin setMapAdminToManage(boolean mapAdminToManage) {
+      this.mapAdminToManage = mapAdminToManage;
+      return this;
+   }
+
    protected boolean isContextAlive() {
       boolean alive = false;
       if (context != null) {
@@ -400,7 +412,7 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin
{
                               permissionType.equalsIgnoreCase(adminPermissionValue), // deleteDurableQueue
                               permissionType.equalsIgnoreCase(adminPermissionValue), // createNonDurableQueue
                               permissionType.equalsIgnoreCase(adminPermissionValue), // deleteNonDurableQueue
-                              false, // manage - there is no permission from ActiveMQ 5.x
that corresponds to this
+                              mapAdminToManage ? permissionType.equalsIgnoreCase(adminPermissionValue)
: false, // manage - map to admin based on configuration
                               permissionType.equalsIgnoreCase(readPermissionValue),  // browse
                               permissionType.equalsIgnoreCase(adminPermissionValue), // createAddress
                               permissionType.equalsIgnoreCase(adminPermissionValue)  // deleteAddress
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 340f038..2263f20 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -256,6 +256,10 @@ and Security Layer (SASL) authentication is currently not supported.
   receive updates made in the LDAP server and update the broker's authorization
   configuration in real-time. The default value is `true`.
 
+- `mapAdminToManage`. Whether or not to map the legacy `admin` permission to the
+  `manage` permission. See details of the mapping semantics below. The default
+   value is `false`.
+
 The name of the queue or topic defined in LDAP will serve as the "match" for
 the security-setting, the permission value will be mapped from the ActiveMQ 5.x
 type to the Artemis type, and the role will be mapped as-is.
@@ -271,20 +275,24 @@ and `manage`. Here's how the old types are mapped to the new types:
 - `read` - `consume`, `browse`
 - `write` - `send`
 - `admin` - `createAddress`, `deleteAddress`, `createDurableQueue`,
-  `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`
+  `deleteDurableQueue`, `createNonDurableQueue`, `deleteNonDurableQueue`,
+  `manage` (if `mapAdminToManage` is `true`)
 
 As mentioned, there are a few places where a translation was performed to
 achieve some equivalence.:
 
-- This mapping doesn't include the Artemis `manage` permission type since there
-  is no type analogous for that in ActiveMQ 5.x.
+- This mapping doesn't include the Artemis `manage` permission type by default
+  since there is no type analogous for that in ActiveMQ 5.x. However, if
+  `mapAdminToManage` is `true` then the legacy `admin` permission will be
+  mapped to the `manage` permission.
 
 - The `admin` permission in ActiveMQ 5.x relates to whether or not the broker
   will auto-create a destination if it doesn't exist and the user sends a
   message to it. Artemis automatically allows the automatic creation of a
   destination if the user has permission to send message to it. Therefore, the
-  plugin will map the `admin` permission to the 4 aforementioned permissions in
-  Artemis.
+  plugin will map the `admin` permission to the 6 aforementioned permissions in
+  Artemis by default. If `mapAdminToManage` is `true` then the legacy `admin`
+  permission will be mapped to the `manage` permission as well.
 
 ## Secure Sockets Layer (SSL) Transport
 
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LegacyLDAPSecuritySettingPluginTest.java
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LegacyLDAPSecuritySettingPluginTest.java
index b601b5f..a4cbdc1 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LegacyLDAPSecuritySettingPluginTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LegacyLDAPSecuritySettingPluginTest.java
@@ -217,6 +217,14 @@ public class LegacyLDAPSecuritySettingPluginTest extends AbstractLdapTestUnit
{
          // ignore
       }
 
+      // MANAGE
+      try {
+         ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress());
+         producer.send(session.createMessage(true));
+         Assert.fail("should throw exception here");
+      } catch (ActiveMQException e) {
+      }
+
       session.close();
       cf.close();
    }
@@ -278,6 +286,36 @@ public class LegacyLDAPSecuritySettingPluginTest extends AbstractLdapTestUnit
{
          Assert.fail("should not throw exception here");
       }
 
+      // MANAGE
+      try {
+         ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress());
+         producer.send(session.createMessage(true));
+         // don't enable manage permission by default; must set mapAdminToManage=true in
plugin config
+         Assert.fail("should throw exception here");
+      } catch (ActiveMQException e) {
+      }
+
+      session.close();
+      cf.close();
+   }
+
+   @Test
+   public void testPluginAuthorizationPositiveMappingAdminToManage() throws Exception {
+      ((LegacyLDAPSecuritySettingPlugin)server.getConfiguration().getSecuritySettingPlugins().get(0)).setMapAdminToManage(true);
+
+      server.start();
+
+      ClientSessionFactory cf = locator.createSessionFactory();
+      ClientSession session = cf.createSession("first", "secret", false, true, true, false,
0);
+
+      // MANAGE
+      try {
+         ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress());
+         producer.send(session.createMessage(true));
+      } catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
       session.close();
       cf.close();
    }
diff --git a/tests/integration-tests/src/test/resources/AMQauth.ldif b/tests/integration-tests/src/test/resources/AMQauth.ldif
index e79257d..70e11f3 100755
--- a/tests/integration-tests/src/test/resources/AMQauth.ldif
+++ b/tests/integration-tests/src/test/resources/AMQauth.ldif
@@ -75,6 +75,13 @@ objectclass: top
 uid: queue2
 cn: queue2
 
+dn: uid=activemq.management,ou=queues,ou=destinations,o=ActiveMQ,ou=system
+objectclass: applicationProcess
+objectclass: uidObject
+objectclass: top
+uid: activemq.management
+cn: activemq.management
+
 dn: cn=read,uid=queue1,ou=queues,ou=destinations,o=ActiveMQ,ou=system
 objectclass: groupOfUniqueNames
 objectclass: top
@@ -91,4 +98,22 @@ dn: cn=admin,uid=queue1,ou=queues,ou=destinations,o=ActiveMQ,ou=system
 objectclass: groupOfUniqueNames
 objectclass: top
 cn: admin
+uniquemember: uid=role1
+
+dn: cn=read,uid=activemq.management,ou=queues,ou=destinations,o=ActiveMQ,ou=system
+objectclass: groupOfUniqueNames
+objectclass: top
+cn: read
+uniquemember: uid=role1
+
+dn: cn=write,uid=activemq.management,ou=queues,ou=destinations,o=ActiveMQ,ou=system
+objectclass: groupOfUniqueNames
+objectclass: top
+cn: write
+uniquemember: uid=role1
+
+dn: cn=admin,uid=activemq.management,ou=queues,ou=destinations,o=ActiveMQ,ou=system
+objectclass: groupOfUniqueNames
+objectclass: top
+cn: admin
 uniquemember: uid=role1
\ No newline at end of file


Mime
View raw message