From lmc...@apache.org
Subject knox git commit: KNOX-1204 - combine policy across user and groups
Date Tue, 07 Aug 2018 21:48:44 GMT
Repository: knox
Updated Branches:
  refs/heads/KNOX-1204 8350e75d9 -> feb848b2c


KNOX-1204 - combine policy across user and groups

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/feb848b2
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/feb848b2
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/feb848b2

Branch: refs/heads/KNOX-1204
Commit: feb848b2c4c3e08a957eb994b124a53837c72fae
Parents: 8350e75
Author: Larry McCay <lmccay@apache.org>
Authored: Tue Aug 7 17:48:27 2018 -0400
Committer: Larry McCay <lmccay@apache.org>
Committed: Tue Aug 7 17:48:27 2018 -0400

----------------------------------------------------------------------
 .../idbroker/KnoxCloudPolicyProvider.java       |   2 +-
 .../idbroker/KnoxPolicyProviderManager.java     |   4 +-
 .../service/idbroker/aws/KnoxAWSClient.java     |   2 +-
 .../idbroker/aws/KnoxAWSPolicyProvider.java     |  56 +++----
 .../service/knoxs3/IdBrokerResourceTest.java    | 157 +++++++++++++++++++
 .../service/knoxs3/S3BucketsResourceTest.java   | 148 -----------------
 6 files changed, 190 insertions(+), 179 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java
index eac1bcf..9c67783 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java
@@ -47,5 +47,5 @@ public interface KnoxCloudPolicyProvider {
    * @param subject
    * @return
    */
-  String buildPolicy(String username, Subject subject);
+  String getPolicy(String username, Subject subject);
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
index 1105b16..133b7c9 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
@@ -50,8 +50,8 @@ public class KnoxPolicyProviderManager implements KnoxCloudPolicyProvider
{
   }
 
   @Override
-  public String buildPolicy(String username, Subject subject) {
-    return delegate.buildPolicy(username, subject);
+  public String getPolicy(String username, Subject subject) {
+    return delegate.getPolicy(username, subject);
   }
 
   public KnoxCloudPolicyProvider loadDelegate(String name) throws IdentityBrokerConfigException
{

http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
index 1294eb7..21137fd 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
@@ -58,7 +58,7 @@ public class KnoxAWSClient extends AbstractKnoxCloudCredentialsClient implements
     String username = null;
     Subject subject = Subject.getSubject(AccessController.getContext());
     username = getEffectiveUserName(subject);
-    policy = getPolicyProvider().buildPolicy(username, subject);
+    policy = getPolicyProvider().getPolicy(username, subject);
     GetFederationTokenResult result = null;
     if (policy != null) {
       GetFederationTokenRequest request = new GetFederationTokenRequest(username).withPolicy(policy);

http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
index 9fbbc94..7dad04d 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
@@ -50,7 +50,7 @@ public class KnoxAWSPolicyProvider implements KnoxCloudPolicyProvider {
     <service>
     <role>IDBROKER</role>
     <param>
-        <name>3.user.policy.action.guest</name>
+        <name>s3.user.policy.action.guest</name>
         <value>s3:Get*,s3:List*</value>
     </param>
     <param>
@@ -85,9 +85,6 @@ public class KnoxAWSPolicyProvider implements KnoxCloudPolicyProvider {
           } else {
             policy.resources=context.getProperty(paramName);
           }
-          if (policy.actions != null && policy.resources != null) {
-            buildAWSPolicyModel(policy);
-          }
         }else if (elements[1].equals("group")) {
           PolicyConfig policy = groupPolicyConfig.get(elements[4]);
           if (policy == null) {
@@ -99,15 +96,12 @@ public class KnoxAWSPolicyProvider implements KnoxCloudPolicyProvider
{
           } else {
             policy.resources=context.getProperty(paramName);
           }
-          if (policy.actions != null && policy.resources != null) {
-            buildAWSPolicyModel(policy);
-          }
         }
       }
     }
   }
 
-  private void buildAWSPolicyModel(PolicyConfig policy) {
+  private AWSPolicyModel buildAWSPolicyModel(PolicyConfig policy) {
     AWSPolicyModel model = new AWSPolicyModel();
     model.setEffect("Allow");
     String[] actions = policy.actions.split(",");
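Review bot: With the `policy.actions != null && policy.resources != null` guard removed from the config loader, `buildAWSPolicyModel` now runs on every non-null PolicyConfig, and `policy.actions.split(",")` on the last line of this hunk dereferences `actions` unconditionally (the `resources` split presumably does the same just below, outside the hunk). A topology that sets only the action parameter or only the resource parameter for a user or group therefore throws a NullPointerException at credential-request time instead of being skipped as before. Either keep the completeness check in the loader, or make the builder reject half-configured entries explicitly, e.g. `if (policy.actions == null || policy.resources == null) { throw new IllegalStateException("IDBROKER policy config needs both actions and resources"); }` — and if you prefer to keep the old skip behaviour, log it, since a silently dropped entry changes what the caller is granted. The enclosing loader method starts outside this hunk.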
@@ -122,43 +116,51 @@ public class KnoxAWSPolicyProvider implements KnoxCloudPolicyProvider
{
     } else {
       model.setResource(resources[0]);
     }
-    policy.policy = model.toString();
+    return model;
   }
 
   /* (non-Javadoc)
    * @see org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider#buildPolicy(java.lang.String,
javax.security.auth.Subject)
    */
   @Override
-  public String buildPolicy(String username, Subject subject) {
+  public String getPolicy(String username, Subject subject) {
     String policy = null;
+    List<String> groupNames = getGroupNames(subject);
+
+    PolicyConfig userConfig = userPolicyConfig.get(username);
+    // check for a group policy match
+    PolicyConfig config = null;
+    AWSPolicyModel model = null;
+    if (userConfig != null) {
+      model = buildAWSPolicyModel(userConfig); 
+    }
+    for (String groupName : groupNames) {
+      config = groupPolicyConfig.get(groupName);
+      if (config != null) {
+        if (model != null) {
+          model.combine(buildAWSPolicyModel(config));
+        }
+        else {
+          model = buildAWSPolicyModel(config);
+        }
+      }
+    }
+    return model.toString();
+  }
+
+  private List<String> getGroupNames(Subject subject) {
     List<String> groupNames = new ArrayList<String>();
     Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
     for (int i = 0; i < groups.length; i++) {
       groupNames.add(
           ((Principal)groups[0]).getName());
     }
-
-    PolicyConfig config = userPolicyConfig.get(username);
-    if (config == null) {
-      // check for a group policy match
-      for (String groupName : groupNames) {
-        config = groupPolicyConfig.get(groupName);
-        if (config != null) {
-          // just accept first match for now
-          break;
-        }
-      }
-    }
-    if (config != null) {
-      policy = config.policy;
-    }
-    return policy;
+    return groupNames;
   }
 
   private class PolicyConfig {
     public String actions = null;
     public String resources = null;
-    public String policy = null;
   }
 
   @Override
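Review bot: `return model.toString();` at the end of the new `getPolicy` throws a NullPointerException when neither the user nor any of the caller's groups has a configured policy, whereas the old `buildPolicy` returned null in that case and `KnoxAWSClient` still guards on `policy != null` before building the federation-token request; change it to `return model == null ? null : model.toString();` or document that a missing policy is now a hard failure. Separately, `getGroupNames` reads `groups[0]` inside the loop (`((Principal)groups[0]).getName()`), so the returned list is the first group repeated N times and every other group's policy is never combined — it should index `groups[i]`, and that is exactly the path this commit is meant to exercise. Note also that the combination is a pure union of Allow statements (`model.setEffect("Allow")` in buildAWSPolicyModel, no Deny path in this provider), so any additional group membership can only widen the session policy; that is worth stating in the `getPolicy` Javadoc, whose `@see` still points at the removed `#buildPolicy`.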

http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java
b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java
new file mode 100644
index 0000000..07151fb
--- /dev/null
+++ b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java
@@ -0,0 +1,157 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.knoxs3;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.knox.gateway.service.idbroker.aws.AWSPolicyModel;
+import org.apache.knox.gateway.util.JsonUtils;
+import org.junit.Test;
+
+public class IdBrokerResourceTest {
+  @Test
+  public void testPolicyCreation() {
+
+    String policy = "{\n" +
+    "  \"Version\": \"2012-10-17\",\n" +
+    "  \"Statement\": [\n" +
+    "    {\n" +
+    "      \"Effect\": \"Allow\",\n" +
+    "      \"Action\": [\n" +
+    "        \"s3:Get*\",\n" +
+    "        \"s3:List*\"\n" +
+    // "        \"s3:Delete*\"\n" +
+    "      ],\n" +
+    "      \"Resource\": \"*\"\n" +
+    "    }\n" +
+    "  ]\n" +
+    "}";
+    System.out.println(policy);
+
+    HashMap<String, Object> policyModel = new HashMap<String, Object>();
+    policyModel.put("Version", "2012-10-17");
+    ArrayList<Map<String, Object>> statement = new ArrayList<Map<String,
Object>>();
+
+    policyModel.put("Version", "2012-10-17");
+    policyModel.put("Statement", statement );
+    HashMap<String, Object> statementMap = new HashMap<String, Object>();
+    statementMap.put("Effect", "Allow");
+    ArrayList<String> actionArray = new ArrayList<String>();
+    actionArray.add("s3:Get*");
+    actionArray.add("s3:List*");
+    statementMap.put("Action", actionArray );
+    statement.add(statementMap);
+    policyModel.put("Resource", "*");
+    
+    System.out.println(JsonUtils.renderAsJsonString(policyModel));
+    
+    AWSPolicyModel model = new AWSPolicyModel();
+    model.setEffect("Allow");
+    model.addAction("s3:Get*");
+    model.addAction("s3:List*");
+    model.setResource("*");
+    System.out.println(model);
+
+    model = new AWSPolicyModel();
+    model.setEffect("Allow");
+    model.addAction("s3:Get*");
+    model.addAction("s3:List*");
+    model.addResource("this");
+    model.addResource("that");
+    System.out.println(model);
+  }
+  
+  @Test
+  public void testCombinedPolicyCreation() {
+
+    String policy = "{\n" +
+    "  \"Version\": \"2012-10-17\",\n" +
+    "  \"Statement\": [\n" +
+    "    {\n" +
+    "      \"Effect\": \"Allow\",\n" +
+    "      \"Action\": [\n" +
+    "        \"s3:Get*\",\n" +
+    "        \"s3:List*\"\n" +
+    // "        \"s3:Delete*\"\n" +
+    "      ],\n" +
+    "      \"Resource\": \"*\"\n" +
+    "    }\n" +
+    "    {\n" +
+    "      \"Effect\": \"Allow\",\n" +
+    "      \"Action\": [\n" +
+    "        \"s3:Get*\",\n" +
+    "        \"s3:List*\"\n" +
+    "        \"s3:Delete*\"\n" +
+    "      ],\n" +
+    "      \"Resource\": \"ljm\"\n" +
+    "    }\n" +
+    "  ]\n" +
+    "}";
+    System.out.println(policy);
+
+    HashMap<String, Object> policyModel = new HashMap<String, Object>();
+    policyModel.put("Version", "2012-10-17");
+    ArrayList<Map<String, Object>> statement = new ArrayList<Map<String,
Object>>();
+
+    policyModel.put("Version", "2012-10-17");
+    policyModel.put("Statement", statement );
+    HashMap<String, Object> statementMap = new HashMap<String, Object>();
+    statementMap.put("Effect", "Allow");
+    ArrayList<String> actionArray = new ArrayList<String>();
+    actionArray.add("s3:Get*");
+    actionArray.add("s3:List*");
+    statementMap.put("Action", actionArray );
+    statement.add(statementMap);
+    policyModel.put("Resource", "*");
+    
+    System.out.println(JsonUtils.renderAsJsonString(policyModel));
+    
+    AWSPolicyModel model = new AWSPolicyModel();
+    model.setEffect("Allow");
+    model.addAction("s3:Get*");
+    model.addAction("s3:List*");
+    model.setResource("*");
+    System.out.println(model);
+
+    AWSPolicyModel model2 = new AWSPolicyModel();
+    model2.setEffect("Allow");
+    model2.addAction("s3:Get*");
+    model2.addAction("s3:List*");
+    model2.addResource("this");
+    model2.addResource("that");
+    System.out.println(model2);
+    
+    AWSPolicyModel model3 = new AWSPolicyModel();
+    model3.setEffect("Deny");
+    model3.addAction("s3:Get*");
+    model3.addAction("s3:List*");
+    model3.addResource("other thing");
+    System.out.println(model3);
+
+    ArrayList<AWSPolicyModel> models = new ArrayList<AWSPolicyModel>();
+    models.add(model);
+    models.add(model2);
+    models.add(model3);
+
+    model.combine(model2);
+    model.combine(model3);
+    System.out.println("Aggregate: " + model);
+  }
+}
\ No newline at end of file
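Review bot: Neither test method asserts anything — `testCombinedPolicyCreation` builds three models, calls `combine` twice and only prints the result, so a regression in how Allow and Deny statements are merged would not fail the build, which matters because this is the document that ends up in `GetFederationTokenRequest.withPolicy`. Add assertions on the aggregate, at minimum that the rendered JSON contains three statements and that the Deny statement survives the merge; if `JsonUtils` has a parse counterpart to `renderAsJsonString`, parse `model.toString()` and check the `Statement` count and each `Effect` rather than string-matching. The `policy` literal is also not valid JSON (missing commas after the first statement's `}` and after `"s3:List*"` in the second statement) and, like the `policyModel` map that puts `Resource` at the top level instead of inside the statement and sets `Version` twice, is only printed — either use them as expected values or delete them. `"ljm"` and `"other thing"` read as placeholders; bucket-style resource ARNs would make the expected output more meaningful.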

http://git-wip-us.apache.org/repos/asf/knox/blob/feb848b2/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java
----------------------------------------------------------------------
diff --git a/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java
b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java
deleted file mode 100644
index 8291421..0000000
--- a/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java
+++ /dev/null
@@ -1,148 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.knox.gateway.service.knoxs3;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.knox.gateway.service.idbroker.aws.AWSPolicyModel;
-import org.apache.knox.gateway.util.JsonUtils;
-import org.junit.Test;
-
-public class S3BucketsResourceTest {
-  @Test
-  public void testPolicyCreation() {
-
-    String policy = "{\n" +
-    "  \"Version\": \"2012-10-17\",\n" +
-    "  \"Statement\": [\n" +
-    "    {\n" +
-    "      \"Effect\": \"Allow\",\n" +
-    "      \"Action\": [\n" +
-    "        \"s3:Get*\",\n" +
-    "        \"s3:List*\"\n" +
-    // "        \"s3:Delete*\"\n" +
-    "      ],\n" +
-    "      \"Resource\": \"*\"\n" +
-    "    }\n" +
-    "  ]\n" +
-    "}";
-    System.out.println(policy);
-
-    HashMap<String, Object> policyModel = new HashMap<String, Object>();
-    policyModel.put("Version", "2012-10-17");
-    ArrayList<Map<String, Object>> statement = new ArrayList<Map<String,
Object>>();
-
-    policyModel.put("Version", "2012-10-17");
-    policyModel.put("Statement", statement );
-    HashMap<String, Object> statementMap = new HashMap<String, Object>();
-    statementMap.put("Effect", "Allow");
-    ArrayList<String> actionArray = new ArrayList<String>();
-    actionArray.add("s3:Get*");
-    actionArray.add("s3:List*");
-    statementMap.put("Action", actionArray );
-    statement.add(statementMap);
-    policyModel.put("Resource", "*");
-    
-    System.out.println(JsonUtils.renderAsJsonString(policyModel));
-    
-    AWSPolicyModel model = new AWSPolicyModel();
-    model.setEffect("Allow");
-    model.addAction("s3:Get*");
-    model.addAction("s3:List*");
-    model.setResource("*");
-    System.out.println(model);
-
-    model = new AWSPolicyModel();
-    model.setEffect("Allow");
-    model.addAction("s3:Get*");
-    model.addAction("s3:List*");
-    model.addResource("this");
-    model.addResource("that");
-    System.out.println(model);
-  }
-  
-  @Test
-  public void testCombinedPolicyCreation() {
-
-    String policy = "{\n" +
-    "  \"Version\": \"2012-10-17\",\n" +
-    "  \"Statement\": [\n" +
-    "    {\n" +
-    "      \"Effect\": \"Allow\",\n" +
-    "      \"Action\": [\n" +
-    "        \"s3:Get*\",\n" +
-    "        \"s3:List*\"\n" +
-    // "        \"s3:Delete*\"\n" +
-    "      ],\n" +
-    "      \"Resource\": \"*\"\n" +
-    "    }\n" +
-    "    {\n" +
-    "      \"Effect\": \"Allow\",\n" +
-    "      \"Action\": [\n" +
-    "        \"s3:Get*\",\n" +
-    "        \"s3:List*\"\n" +
-    "        \"s3:Delete*\"\n" +
-    "      ],\n" +
-    "      \"Resource\": \"ljm\"\n" +
-    "    }\n" +
-    "  ]\n" +
-    "}";
-    System.out.println(policy);
-
-    HashMap<String, Object> policyModel = new HashMap<String, Object>();
-    policyModel.put("Version", "2012-10-17");
-    ArrayList<Map<String, Object>> statement = new ArrayList<Map<String,
Object>>();
-
-    policyModel.put("Version", "2012-10-17");
-    policyModel.put("Statement", statement );
-    HashMap<String, Object> statementMap = new HashMap<String, Object>();
-    statementMap.put("Effect", "Allow");
-    ArrayList<String> actionArray = new ArrayList<String>();
-    actionArray.add("s3:Get*");
-    actionArray.add("s3:List*");
-    statementMap.put("Action", actionArray );
-    statement.add(statementMap);
-    policyModel.put("Resource", "*");
-    
-    System.out.println(JsonUtils.renderAsJsonString(policyModel));
-    
-    AWSPolicyModel model = new AWSPolicyModel();
-    model.setEffect("Allow");
-    model.addAction("s3:Get*");
-    model.addAction("s3:List*");
-    model.setResource("*");
-    System.out.println(model);
-
-    AWSPolicyModel model2 = new AWSPolicyModel();
-    model2.setEffect("Allow");
-    model2.addAction("s3:Get*");
-    model2.addAction("s3:List*");
-    model2.addResource("this");
-    model2.addResource("that");
-    System.out.println(model2);
-    
-    ArrayList<AWSPolicyModel> models = new ArrayList<AWSPolicyModel>();
-    models.add(model);
-    models.add(model2);
-
-    model.combine(model2);
-    System.out.println("Aggregate: " + model);
-  }
-}
\ No newline at end of file

