knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject [knox] branch master updated: KNOX-2066 - Composite Authz Provider
Date Thu, 24 Oct 2019 20:48:50 GMT
This is an automated email from the ASF dual-hosted git repository.

lmccay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new f3eddab  KNOX-2066 - Composite Authz Provider
     new 15a85c0  Merge branch 'master' into KNOX-2066
f3eddab is described below

commit f3eddab9b854f1774ecf89ac39ec03566e296113
Author: lmccay <lmccay@apache.org>
AuthorDate: Thu Oct 24 16:35:04 2019 -0400

    KNOX-2066 - Composite Authz Provider
---
 gateway-provider-security-authz-composite/pom.xml  | 64 ++++++++++++++++
 .../impl/CompositeAuthzDeploymentContributor.java  | 89 ++++++++++++++++++++++
 ...ox.gateway.deploy.ProviderDeploymentContributor | 18 +++++
 .../deploy/impl/CompositeAuthzProviderTest.java    | 67 ++++++++++++++++
 gateway-release/pom.xml                            |  4 +
 pom.xml                                            |  6 ++
 6 files changed, 248 insertions(+)

diff --git a/gateway-provider-security-authz-composite/pom.xml b/gateway-provider-security-authz-composite/pom.xml
new file mode 100644
index 0000000..fd1f962
--- /dev/null
+++ b/gateway-provider-security-authz-composite/pom.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.knox</groupId>
+        <artifactId>gateway</artifactId>
+        <version>1.4.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>gateway-provider-security-authz-composite</artifactId>
+    <name>gateway-provider-security-authz-composite</name>
+    <description>Provides authorization support through the use of multiple providers.</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-i18n</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-server</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-util-common</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-test-utils</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>
diff --git a/gateway-provider-security-authz-composite/src/main/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzDeploymentContributor.java
b/gateway-provider-security-authz-composite/src/main/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzDeploymentContributor.java
new file mode 100644
index 0000000..5e7562c
--- /dev/null
+++ b/gateway-provider-security-authz-composite/src/main/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzDeploymentContributor.java
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.DeploymentFactory;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class CompositeAuthzDeploymentContributor extends ProviderDeploymentContributorBase
{
+  @Override
+  public String getRole() {
+    return "authorization";
+  }
+
+  @Override
+  public String getName() {
+    return "CompositeAuthz";
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeProvider( DeploymentContext context, Provider provider ) {
+  }
+
+  @Override
+  public void contributeFilter( DeploymentContext context, Provider provider, Service service,
+      ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+
+    if (params == null) {
+      params = new ArrayList<>();
+    }
+
+    Map<String, String> providerParams = provider.getParams();
+    String providerNames = providerParams.get("composite.provider.names");
+    String[] names = parseProviderNames(providerNames);
+    for (String name : names) {
+      getProviderSpecificParams(resource, params, providerParams, name);
+      DeploymentFactory.getProviderContributor("authorization", name)
+        .contributeFilter(context, provider, service, resource, params);
+      params.clear();
+    }
+  }
+
+  String[] parseProviderNames(String providerNames) {
+    String[] names = providerNames.split(",\\s*");
+    return names;
+  }
+
+  void getProviderSpecificParams(ResourceDescriptor resource, List<FilterParamDescriptor>
params,
+      Map<String, String> providerParams, String name) {
+    String entryName;
+    for(Entry<String, String> entry : providerParams.entrySet()) {
+      if (entry.getKey().startsWith(name + ".")) {
+        entryName = entry.getKey().substring(entry.getKey().indexOf('.') + 1);
+        FilterParamDescriptor fpd = resource.createFilterParam();
+        params.add(fpd.name(entryName.toLowerCase(Locale.ROOT)).value(entry.getValue()));
+      }
+    }
+  }
+}
diff --git a/gateway-provider-security-authz-composite/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
b/gateway-provider-security-authz-composite/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..33362c5
--- /dev/null
+++ b/gateway-provider-security-authz-composite/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,18 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+org.apache.knox.gateway.deploy.impl.CompositeAuthzDeploymentContributor
diff --git a/gateway-provider-security-authz-composite/src/test/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzProviderTest.java
b/gateway-provider-security-authz-composite/src/test/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzProviderTest.java
new file mode 100644
index 0000000..eadb2d6
--- /dev/null
+++ b/gateway-provider-security-authz-composite/src/test/java/org/apache/knox/gateway/deploy/impl/CompositeAuthzProviderTest.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.replay;
+
+public class CompositeAuthzProviderTest {
+  @Test
+  public void testParsingProviderParams() throws Exception {
+    String name = "AclsAuthz";
+    Map<String, String> providerParams = new HashMap<>();
+    // provider params are disambiguated by prefixing them with
+    // the provider name. Therefore the following should only
+    // result in a single param making it through since only
+    // one has a prefix that matches the name.
+    providerParams.put("AclsAuthz.webhdfs.acl", "admin;*;*");
+    providerParams.put("SomeOther.webhdfs.acl", "admin;*;*");
+    List<FilterParamDescriptor> params = new ArrayList<>();
+    ResourceDescriptor resource = createMock(ResourceDescriptor.class);
+    FilterParamDescriptor fpd = createMock(FilterParamDescriptor.class);
+    expect(resource.createFilterParam()).andReturn(fpd).atLeastOnce();
+    expect(fpd.name("webhdfs.acl")).andReturn(fpd).once();
+    expect(fpd.value("admin;*;*")).andReturn(fpd).once();
+    replay(resource, fpd);
+    CompositeAuthzDeploymentContributor c = new CompositeAuthzDeploymentContributor();
+    c.getProviderSpecificParams(resource, params, providerParams, name);
+  }
+
+  @Test
+  public void testParsingProviderNames() throws Exception {
+    String names = "AclsAuthz,   SomeOther,TheOtherOne";
+    CompositeAuthzDeploymentContributor c = new CompositeAuthzDeploymentContributor();
+    String[] providerNames = c.parseProviderNames(names);
+    assertEquals(providerNames.length, 3);
+    assertEquals(providerNames[0], "AclsAuthz");
+    assertEquals(providerNames[1], "SomeOther");
+    assertEquals(providerNames[2], "TheOtherOne");
+  }
+}
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index fdc4536..2306a3d 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -348,6 +348,10 @@
         </dependency>
         <dependency>
             <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-provider-security-authz-composite</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.knox</groupId>
             <artifactId>gateway-provider-identity-assertion-common</artifactId>
         </dependency>
         <dependency>
diff --git a/pom.xml b/pom.xml
index c0ef103..fd97b52 100644
--- a/pom.xml
+++ b/pom.xml
@@ -89,6 +89,7 @@
         <module>gateway-provider-security-shiro</module>
         <module>gateway-provider-security-pac4j</module>
         <module>gateway-provider-security-authz-acls</module>
+        <module>gateway-provider-security-authz-composite</module>
         <module>gateway-provider-security-authc-anon</module>
         <module>gateway-provider-identity-assertion-common</module>
         <module>gateway-provider-identity-assertion-concat</module>
@@ -847,6 +848,11 @@
             </dependency>
             <dependency>
                 <groupId>org.apache.knox</groupId>
+                <artifactId>gateway-provider-security-authz-composite</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.knox</groupId>
                 <artifactId>gateway-provider-identity-assertion-common</artifactId>
                 <version>${project.version}</version>
             </dependency>


Mime
View raw message