/** * Gets the effects of this action. * * @return the effects. Will not be {@code null} */ public Set<Action.ActionEffect> getActionEffects() { switch(getImpact()) { case CLASSLOADING: case WRITE: return WRITES; case READ_ONLY: return READS; default: throw new IllegalStateException(); } }
boolean authorizeSuperUserOrAdministrator(String methodName) throws MBeanException { if (authorizer != null) { //TODO populate the 'environment' variable AuthorizationResult authorizationResult = authorizer.authorizeJmxOperation(createCaller(), null, new JmxAction(methodName, JmxAction.Impact.EXTRA_SENSITIVE)); if (authorizationResult.getDecision() != Decision.PERMIT) { throw JmxMessages.MESSAGES.unauthorized(); } } return true; }
@Override public PermissionCollection getRequiredPermissions(JmxAction action, JmxTarget target) { PermsHolder currentPerms = configureRolePermissions(); ConstraintFactory[] currentFactories = currentPerms.constraintFactories; ManagementPermissionCollection result = new ManagementPermissionCollection(SimpleManagementPermission.class); for (Action.ActionEffect actionEffect : action.getActionEffects()) { Constraint[] constraints = new Constraint[currentFactories.length]; for (int i = 0; i < constraints.length; i++) { constraints[i] = currentFactories[i].getRequiredConstraint(actionEffect, action, target); } result.add(new SimpleManagementPermission(actionEffect, constraints)); } return result; }
boolean authorizeSensitiveOperation(String methodName, boolean readOnly, boolean exception) throws MBeanException { if (authorizer != null) { final JmxAction target = new JmxAction(methodName, readOnly ? JmxAction.Impact.READ_ONLY : JmxAction.Impact.WRITE); //TODO populate the 'environment' variable AuthorizationResult authorizationResult = authorizer.authorizeJmxOperation(createCaller(), null, target); if (authorizationResult.getDecision() != Decision.PERMIT) { if (exception) { throw JmxMessages.MESSAGES.unauthorized(); } else { return false; } } } return true; }
@Override public PermissionCollection getRequiredPermissions(JmxAction action, JmxTarget target) { PermsHolder currentPerms = configureRolePermissions(); ConstraintFactory[] currentFactories = currentPerms.constraintFactories; ManagementPermissionCollection result = new ManagementPermissionCollection(SimpleManagementPermission.class); for (Action.ActionEffect actionEffect : action.getActionEffects()) { Constraint[] constraints = new Constraint[currentFactories.length]; for (int i = 0; i < constraints.length; i++) { constraints[i] = currentFactories[i].getRequiredConstraint(actionEffect, action, target); } result.add(new SimpleManagementPermission(actionEffect, constraints)); } return result; }
/** * Gets the effects of this action. * * @return the effects. Will not be {@code null} */ public Set<Action.ActionEffect> getActionEffects() { switch(getImpact()) { case CLASSLOADING: case WRITE: return WRITES; case READ_ONLY: return READS; default: throw new IllegalStateException(); } }
private void authorizeClassloadingOperation(MBeanServerPlugin delegate, ObjectName objectName, String methodName) throws MBeanException { if (authorizer != null && delegate.shouldAuthorize()) { JmxTarget target = new JmxTarget(methodName, objectName, isNonFacadeMBeansSensitive(), jmxEffect, jmxEffect); JmxAction action = new JmxAction(methodName, JmxAction.Impact.CLASSLOADING); //TODO populate the 'environment' variable SecurityIdentity securityIdentity = securityIdentitySupplier != null ? securityIdentitySupplier.get() : null; AuthorizationResult authorizationResult = authorizer.authorizeJmxOperation(createCaller(securityIdentity), null, action, target); if (authorizationResult.getDecision() != Decision.PERMIT) { throw JmxLogger.ROOT_LOGGER.unauthorized(); } } }
@Override public Constraint getRequiredConstraint(Action.ActionEffect actionEffect, JmxAction action, JmxTarget target) { return (action.getImpact() == JmxAction.Impact.CLASSLOADING || target.isNonFacadeMBeansSensitive()) ? SENSITIVE : NOT_SENSITIVE; } }
private boolean authorizeMBeanOperation(MBeanServerPlugin delegate, ObjectName name, String methodName, String attributeName, JmxAction.Impact impact, boolean exception) throws MBeanException { if (authorizer != null && delegate.shouldAuthorize()) { JmxTarget target = new JmxTarget(methodName, name, isNonFacadeMBeansSensitive(), jmxEffect, jmxEffect); JmxAction action = new JmxAction(methodName, impact, attributeName); //TODO populate the 'environment' variable SecurityIdentity securityIdentity = securityIdentitySupplier != null ? securityIdentitySupplier.get() : null; AuthorizationResult authorizationResult = authorizer.authorizeJmxOperation(createCaller(securityIdentity), null, action, target); if (authorizationResult.getDecision() != Decision.PERMIT) { if (exception) { throw JmxLogger.ROOT_LOGGER.unauthorized(); } else { return false; } } } return true; }
@Override public Constraint getRequiredConstraint(Action.ActionEffect actionEffect, JmxAction action, JmxTarget target) { return (action.getImpact() == JmxAction.Impact.CLASSLOADING || target.isNonFacadeMBeansSensitive()) ? SENSITIVE : NOT_SENSITIVE; } }
@Override public AuthorizationResult authorizeJmxOperation(Caller caller, Environment callEnvironment, JmxAction action) { Set<String> roles = jmxPermissionFactory.getUserRoles(caller, null, FAKE_JMX_ACTION, (TargetResource) null); if (action.getImpact() == Impact.EXTRA_SENSITIVE) { return authorize(roles, StandardRole.SUPERUSER, StandardRole.ADMINISTRATOR); } else if (jmxPermissionFactory.isNonFacadeMBeansSensitive()) { if (action.getImpact() == Impact.READ_ONLY) { return authorize(roles, StandardRole.SUPERUSER, StandardRole.ADMINISTRATOR, StandardRole.AUDITOR); } else { return authorize(roles, StandardRole.SUPERUSER, StandardRole.ADMINISTRATOR); } } else { if (action.getImpact() == Impact.READ_ONLY) { //Everybody can read mbeans when not sensitive return AuthorizationResult.PERMITTED; //authorize(exception, roles, StandardRole.SUPERUSER, StandardRole.ADMINISTRATOR, StandardRole.OPERATOR, StandardRole.MAINTAINER, StandardRole.AUDITOR, StandardRole.MONITOR, StandardRole.DEPLOYER); } else { return authorize(roles, StandardRole.SUPERUSER, StandardRole.ADMINISTRATOR, StandardRole.OPERATOR, StandardRole.MAINTAINER); } } }