MantaACLAuthorizationManager


1   /*
2    * Copyright 2002 by
3    * <a HREF="http://www.coridan.com">Coridan</a>
4    * <a HREF="mailto: support@coridan.com ">support@coridan.com</a>
5    *
6    * The contents of this file are subject to the Mozilla Public License Version
7    * 1.1 (the "License"); you may not use this file except in compliance with the
8    * License.  You may obtain a copy of the License at
9    * http://www.mozilla.org/MPL/
10   *
11   * Software distributed under the License is distributed on an "AS IS" basis,
12   * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
13   * for the specific language governing rights and limitations under the
14   * License.
15   *
16   * The Original Code is "MantaRay" (TM).
17   *
18   * The Initial Developer of the Original Code is Shirley Sasson.
19   * Portions created by the Initial Developer are Copyright (C) 2006
20   * Coridan Inc.  All Rights Reserved.
21   *
22   * Contributor(s): all the names of the contributors are added in the source
23   * code where applicable.
24   *
25   * Alternatively, the contents of this file may be used under the terms of the
26   * LGPL license (the "GNU LESSER GENERAL PUBLIC LICENSE"), in which case the
27   * provisions of LGPL are applicable instead of those above.  If you wish to
28   * allow use of your version of this file only under the terms of the LGPL
29   * License and not to allow others to use your version of this file under
30   * the MPL, indicate your decision by deleting the provisions above and
31   * replace them with the notice and other provisions required by the LGPL.
32   * If you do not delete the provisions above, a recipient may use your version
33   * of this file under either the MPL or the GNU LESSER GENERAL PUBLIC LICENSE.
34  
35   *
36   * This library is free software; you can redistribute it and/or modify it
37   * under the terms of the MPL as stated above or under the terms of the GNU
38   * Lesser General Public License as published by the Free Software Foundation;
39   * either version 2.1 of the License, or any later version.
40   *
41   * This library is distributed in the hope that it will be useful, but WITHOUT
42   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
43   * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
44   * License for more details.
45   */
46  
47  package org.mr.kernel.security.authorization;
48  
49  import org.mr.kernel.security.impl.ACLStorageConnector;
50  import org.mr.kernel.security.impl.ACLStorageConnectorFactory;
51  import org.mr.kernel.security.authorization.permissions.MantaPermission;
52  import org.mr.MantaAgent;
53  import org.mr.kernel.security.*;
54  import org.apache.commons.logging.Log;
55  import org.apache.commons.logging.LogFactory;
56  
57  import java.net.InetAddress  ;
58  import java.util.List  ;
59  
60  /**
61   * This class is responsible for searching and managing authorizations, using the configured ACL storage.
62   * This class receives requests from the implementation of {@link org.mr.kernel.security.MantaAuthorization}.
63   * The requests are usually for searching a specific permission. Permissions may also be written to a cahce,
64   * if one is configured.
65   *
66   * This class holds up to 2 types of caches, one for permissions to perform secured actions, and one for
67   * white list of IP addresses. 
68   *
69   * @version 1.0
70   * @since May 9, 2006
71   * @author Shirley Sasson
72   *
73   */
74  public class MantaACLAuthorizationManager implements SecurityConfigurationPaths, SecurityConstants {
75      private static MantaACLAuthorizationManager _instance;
76      private MantaCache _permissionsCache;
77      private MantaCache _whiteListCache;
78      private ACLStorageConnector _storage;
79      private Log _logger;
80  
81      // read from configuration:
82      // true - white list
83      // false - black list
84      private boolean _isWhiteList;
85  
86      // read from configuration
87      private boolean _usePermissionsCache;
88      private boolean _useWhiteListCache;
89  
90      private MantaACLAuthorizationManager() throws MantaSecurityException {
91          _usePermissionsCache = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getBooleanProperty(ACL + "." + USE_PERMISSION_CACHE, DEFAULT_USE_PERMISSION_CACHE);
92          _useWhiteListCache = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getBooleanProperty(ACL + "." + USE_WHITE_LIST_CACHE, DEFAULT_USE_WHITE_LIST_CACHE);
93          _isWhiteList = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getBooleanProperty(ACL + "." + WHITE_LIST, DEFAULT_WHITE_LIST);
94  
95          if (_usePermissionsCache)
96              _permissionsCache = new MantaPermissionCache();
97  
98          if (_useWhiteListCache)
99              _whiteListCache = new MantaWhiteListCache();
100 
101         String   currentACLConfigurationInUse = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL + "." + ACL_CONFIGURATION_IN_USE);
102         if (currentACLConfigurationInUse == null){
103             if (getLogger().isErrorEnabled())
104                 getLogger().error("[MantaACLAuthorizationManager] Unable to find configuration parameter: " + ACL + "." + ACL_CONFIGURATION_IN_USE);
105             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL + "." + ACL_CONFIGURATION_IN_USE);
106         }
107         _storage = ACLStorageConnectorFactory.getInstance().getACLStorageConnector(currentACLConfigurationInUse);
108 
109         /*
110         // instanciate implementing class
111         String implementingACLConnector = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_AUTHORIZATION_IMPLEMENTING_CLASS);
112         if (implementingACLConnector == null){
113             if (getLogger().isErrorEnabled())
114                 getLogger().error("[MantaACLAuthorizationManager] Unable to find configuration parameter: " + ACL_AUTHORIZATION_IMPLEMENTING_CLASS);
115             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_AUTHORIZATION_IMPLEMENTING_CLASS);
116         }
117 
118         try {
119             _storage = (ACLStorageConnector) Class.forName(implementingACLConnector).newInstance();
120         }
121         catch (Exception e){
122             if (getLogger().isErrorEnabled())
123                 getLogger().error("[MantaACLAuthorizationManager] Error instantiating ACLConnector implementation class: " + implementingACLConnector);
124             throw new MantaSecurityException("Error instantiating ACLConnector implementation class: " + implementingACLConnector);
125         }
126         */
127     }
128 
129     /**
130       * Returns the single instance of ActionFactory.
131       *
132       * @return the single instance of ActionFactory
133       */
134     public static MantaACLAuthorizationManager getInstance() throws MantaSecurityException {
135         if (_instance == null){
136             synchronized(MantaACLAuthorizationManager.class){
137                 if (_instance == null)
138                     _instance = new MantaACLAuthorizationManager();
139             }
140         }
141         return _instance;
142     }
143 
144     /**
145      * Checks whether a given IP address is authorized.
146      * This method searches first the cache (if one is used), and if not found, searches
147      * the ACL storage (for example, LDAP server).
148      *
149      * @param inetAddress the IP address to check is authorized
150      * @return true if the IP address is authorized, false otherwise
151      * @throws MantaSecurityException if an error occured
152      *
153      */
154     public boolean isAuthorized(InetAddress   inetAddress) throws MantaSecurityException {
155         if (_useWhiteListCache){
156             AuthorizationValue value = searchInWhiteListCache(inetAddress);
157             if (value != null){
158                 if (getLogger().isDebugEnabled())
159                     getLogger().debug("[isAuthorized] White list entry [" + inetAddress + "] found in cache.");
160                 return value.isAuthorized();
161             }
162             else {
163                 if (getLogger().isDebugEnabled())
164                     getLogger().debug("[isAuthorized] White list entry [" + inetAddress + "] not found in cache.");
165             }
166         }
167         return checkACL(inetAddress);
168     }
169 
170     /**
171      * Checks whether a given principal is authorized to perform a given action with a given parameter.
172      * This method searches first the cache (if one is used), and if not found, searches
173      * the ACL storage (for example, LDAP server).
174      *
175      * @param principal the principal to check for
176      * @param actionType the action to check if this perincipal is authorized to perform
177      * @param param optional, may add additional information required for authorizing the action. For
178      * example, queue name if the action is "create queue producer".
179      * @return true if the IP address is authorized, false otherwise
180      * @throws MantaSecurityException if an error occured
181      *
182      */
183     public boolean isAuthorized(UserPrincipal principal, int actionType, Object   param) throws MantaSecurityException {
184         List   searchedPermissions = ActionFactory.getInstance().getMantaAction(actionType).getPermissionSearchList(param);
185         for (int i=0 ; i<searchedPermissions.size() ; i++){
186             AuthorizationValue value = searchInPermissionsCache(principal, (MantaPermission) searchedPermissions.get(i));
187             if (value != null){
188                 return value.isAuthorized();
189             }
190 
191             value = checkACL(principal, (MantaPermission) searchedPermissions.get(i));
192             if (value != null)
193                 return value.isAuthorized();
194         }
195 
196         return false;
197     }
198 
199     /**
200      * Reads the name of the group that the given username is associated with.
201      * When a user is trying to perform an action, we check to see if his has the
202      * required permissions to perform the action. If the user doesn't have those
203      * permissions, he will be authorizec if the group that it is associated with, does
204      * have the required permissions. So we need to know to which group this user
205      * belongs.
206      *
207      * @param username the username to get its group
208      * @return the group of the user
209      * @throws MantaSecurityException if an error occured
210      *
211      */
212     public String   getGroupOfUser(String   username) throws MantaSecurityException {
213         return _storage.getGroupOfUser(username);
214     }
215 
216     private AuthorizationValue searchInWhiteListCache(InetAddress   inetAddress){
217         WhiteListKeyEntry entry = new WhiteListKeyEntry(inetAddress);
218         if (_whiteListCache.contains(entry))
219             return _whiteListCache.isAuthorized(entry);
220         return null;
221     }
222 
223     private boolean checkACL(InetAddress   inetAddress) throws MantaSecurityException {
224         boolean authorized = false;
225         WhiteListKeyEntry entry = new WhiteListKeyEntry(inetAddress);
226         AuthorizationValue authorizationValue = searchACLStorage(entry);
227         if (authorizationValue != null){
228             if (getLogger().isDebugEnabled())
229                 getLogger().debug("[checkACL] White list entry [" + inetAddress + "] found in ACL.");
230             authorized = authorizationValue.isAuthorized();
231             // if list is black - the boolean is switched
232             if (!_isWhiteList)
233                 authorizationValue.setAuthorized(!authorized);
234             if (_useWhiteListCache){
235                 if (getLogger().isDebugEnabled())
236                     getLogger().debug("[checkACL] Adding white list entry [" + inetAddress + "] to the cache.");
237                 _whiteListCache.add(entry, authorizationValue);
238             }
239         }
240         // if list is black - the boolean is switched
241         if (!_isWhiteList){
242             if (getLogger().isDebugEnabled())
243                 getLogger().debug("[checkACL] White list is actually black. Switching " + authorized + " to " + !authorized);
244             authorized = !authorized;
245         }
246         return authorized;
247     }
248 
249     private AuthorizationValue checkACL(UserPrincipal user, MantaPermission permission) throws MantaSecurityException {
250         // search for a permission for the user
251         PermissionKeyEntry entry = new PermissionKeyEntry(user, permission);
252         AuthorizationValue authorizationValue = searchACLStorage(entry);
253         if (authorizationValue != null){
254             if (getLogger().isDebugEnabled())
255                 getLogger().debug("[checkACL] Permission [" + permission + "] for user " + user + " found in ACL.");
256             if (_usePermissionsCache){
257                 if (getLogger().isDebugEnabled())
258                     getLogger().debug("[checkACL] Adding permission [" + permission + "] for user " + user + " to the cache.");
259                 _permissionsCache.add(entry, authorizationValue);
260             }
261             return authorizationValue;
262         }
263         else {
264             if (getLogger().isDebugEnabled())
265                 getLogger().debug("[checkACL] Permission [" + permission + "] for user " + user + " not found in ACL.");
266         }
267 
268         // search for a permission for the group that the user is in
269         String   groupOfUser = (String  ) user.getProperty(PROPERTY_USER_GROUP);
270         if (groupOfUser == null || "".equals(groupOfUser)){
271             if (getLogger().isWarnEnabled())
272                 getLogger().warn("[checkACL] Group of user " + user.getName() + " isn't found in user properties");
273             throw new MantaSecurityException("Group of user " + user.getName() + " isn't found in user properties");
274         }
275 
276         GroupPrincipal group = new GroupPrincipal(groupOfUser);
277         entry = new PermissionKeyEntry(group, permission);
278 
279         authorizationValue = searchACLStorage(entry);
280         if (authorizationValue != null){
281             if (getLogger().isDebugEnabled())
282                 getLogger().debug("[checkACL] Permission [" + permission + "] for " + group + " found in ACL.");
283             if (_usePermissionsCache){
284                 if (getLogger().isDebugEnabled())
285                     getLogger().debug("[checkACL] Adding permission [" + permission + "] for " + group + " to the cache.");
286                 _permissionsCache.add(entry, authorizationValue);
287             }
288             return authorizationValue;
289         }
290         else {
291             if (getLogger().isDebugEnabled())
292                 getLogger().debug("[checkACL] Permission [" + permission + "] for " + group + " not found in ACL.");
293         }
294         return null;
295     }
296 
297     private AuthorizationValue searchACLStorage(ACLKeyEntry keyEntry) throws MantaSecurityException {
298         return _storage.isAuthorized(keyEntry);
299     }
300 
301     private AuthorizationValue searchInPermissionsCache(UserPrincipal principal, MantaPermission permission) throws MantaSecurityException {
302         if (!_usePermissionsCache)
303             return null;
304         // search for a permission for the user
305         PermissionKeyEntry entry = new PermissionKeyEntry(principal, permission);
306         if (_permissionsCache.contains(entry)){
307             if (getLogger().isDebugEnabled())
308                 getLogger().debug("[searchInPermissionsCache] Permission [" + permission + "] for user " + principal + " found in cache.");
309             return _permissionsCache.isAuthorized(entry);
310         }
311         else {
312             if (getLogger().isDebugEnabled())
313                 getLogger().debug("[searchInPermissionsCache] Permission [" + permission + "] for user " + principal + " not found in cache.");
314         }
315 
316         // search for a permission for the group that the user is in
317         //String groupOfUser = principal.getProperty(PROPERTY_USER_GROUP);
318         String   groupOfUser = (String  ) principal.getProperty(PROPERTY_USER_GROUP);
319         if (groupOfUser == null || "".equals(groupOfUser)){
320             if (getLogger().isWarnEnabled())
321                 getLogger().warn("[searchInPermissionsCache] Group of user " + principal.getName() + " isn't found in user properties");
322             throw new MantaSecurityException("Group of user " + principal.getName() + " isn't found in user properties");
323         }
324 
325         GroupPrincipal group = new GroupPrincipal(groupOfUser);
326         entry = new PermissionKeyEntry(group, permission);
327         if (_permissionsCache.contains(entry)){
328             if (getLogger().isDebugEnabled())
329                 getLogger().debug("[searchInPermissionsCache] Permission [" + permission + "] for group " + group + " found in cache.");
330             return _permissionsCache.isAuthorized(entry);
331         }
332         else {
333             if (getLogger().isDebugEnabled())
334                 getLogger().debug("[searchInPermissionsCache] Permission [" + permission + "] for group " + group + " not found in cache.");
335         }
336         return null;
337     }
338 
339     /**
340      * Returns the instance of the logger for this class
341      *
342      * @return the instance of the logger
343      */
344     public Log getLogger(){
345         if (_logger == null){
346             _logger = LogFactory.getLog(getClass().getName());
347         }
348         return _logger;
349     }
350 }
351
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags