KNOX-1204 - combine policy across user and groups
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java
index eac1bcf..9c67783 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxCloudPolicyProvider.java
@@ -47,5 +47,5 @@
* @param subject
* @return
*/
- String buildPolicy(String username, Subject subject);
+ String getPolicy(String username, Subject subject);
}
\ No newline at end of file
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
index 1105b16..133b7c9 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/KnoxPolicyProviderManager.java
@@ -50,8 +50,8 @@
}
@Override
- public String buildPolicy(String username, Subject subject) {
- return delegate.buildPolicy(username, subject);
+ public String getPolicy(String username, Subject subject) {
+ return delegate.getPolicy(username, subject);
}
public KnoxCloudPolicyProvider loadDelegate(String name) throws IdentityBrokerConfigException {
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
index 1294eb7..21137fd 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSClient.java
@@ -58,7 +58,7 @@
String username = null;
Subject subject = Subject.getSubject(AccessController.getContext());
username = getEffectiveUserName(subject);
- policy = getPolicyProvider().buildPolicy(username, subject);
+ policy = getPolicyProvider().getPolicy(username, subject);
GetFederationTokenResult result = null;
if (policy != null) {
GetFederationTokenRequest request = new GetFederationTokenRequest(username).withPolicy(policy);
diff --git a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
index 9fbbc94..7dad04d 100644
--- a/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
+++ b/gateway-service-idbroker/src/main/java/org/apache/knox/gateway/service/idbroker/aws/KnoxAWSPolicyProvider.java
@@ -50,7 +50,7 @@
<service>
<role>IDBROKER</role>
<param>
- <name>3.user.policy.action.guest</name>
+ <name>s3.user.policy.action.guest</name>
<value>s3:Get*,s3:List*</value>
</param>
<param>
@@ -85,9 +85,6 @@
} else {
policy.resources=context.getProperty(paramName);
}
- if (policy.actions != null && policy.resources != null) {
- buildAWSPolicyModel(policy);
- }
}else if (elements[1].equals("group")) {
PolicyConfig policy = groupPolicyConfig.get(elements[4]);
if (policy == null) {
@@ -99,15 +96,12 @@
} else {
policy.resources=context.getProperty(paramName);
}
- if (policy.actions != null && policy.resources != null) {
- buildAWSPolicyModel(policy);
- }
}
}
}
}
- private void buildAWSPolicyModel(PolicyConfig policy) {
+ private AWSPolicyModel buildAWSPolicyModel(PolicyConfig policy) {
AWSPolicyModel model = new AWSPolicyModel();
model.setEffect("Allow");
String[] actions = policy.actions.split(",");
@@ -122,43 +116,51 @@
} else {
model.setResource(resources[0]);
}
- policy.policy = model.toString();
+ return model;
}
/* (non-Javadoc)
* @see org.apache.knox.gateway.service.idbroker.KnoxCloudPolicyProvider#buildPolicy(java.lang.String, javax.security.auth.Subject)
*/
@Override
- public String buildPolicy(String username, Subject subject) {
+ public String getPolicy(String username, Subject subject) {
String policy = null;
+ List<String> groupNames = getGroupNames(subject);
+
+ PolicyConfig userConfig = userPolicyConfig.get(username);
+ // check for a group policy match
+ PolicyConfig config = null;
+ AWSPolicyModel model = null;
+ if (userConfig != null) {
+ model = buildAWSPolicyModel(userConfig);
+ }
+ for (String groupName : groupNames) {
+ config = groupPolicyConfig.get(groupName);
+ if (config != null) {
+ if (model != null) {
+ model.combine(buildAWSPolicyModel(config));
+ }
+ else {
+ model = buildAWSPolicyModel(config);
+ }
+ }
+ }
+ return model.toString();
+ }
+
+ private List<String> getGroupNames(Subject subject) {
List<String> groupNames = new ArrayList<String>();
Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
for (int i = 0; i < groups.length; i++) {
groupNames.add(
((Principal)groups[0]).getName());
}
-
- PolicyConfig config = userPolicyConfig.get(username);
- if (config == null) {
- // check for a group policy match
- for (String groupName : groupNames) {
- config = groupPolicyConfig.get(groupName);
- if (config != null) {
- // just accept first match for now
- break;
- }
- }
- }
- if (config != null) {
- policy = config.policy;
- }
- return policy;
+ return groupNames;
}
private class PolicyConfig {
public String actions = null;
public String resources = null;
- public String policy = null;
}
@Override
diff --git a/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java
similarity index 93%
rename from gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java
rename to gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java
index 8291421..07151fb 100644
--- a/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/S3BucketsResourceTest.java
+++ b/gateway-service-idbroker/src/test/java/org/apache/knox/gateway/service/knoxs3/IdBrokerResourceTest.java
@@ -25,7 +25,7 @@
import org.apache.knox.gateway.util.JsonUtils;
import org.junit.Test;
-public class S3BucketsResourceTest {
+public class IdBrokerResourceTest {
@Test
public void testPolicyCreation() {
@@ -138,11 +138,20 @@
model2.addResource("that");
System.out.println(model2);
+ AWSPolicyModel model3 = new AWSPolicyModel();
+ model3.setEffect("Deny");
+ model3.addAction("s3:Get*");
+ model3.addAction("s3:List*");
+ model3.addResource("other thing");
+ System.out.println(model3);
+
ArrayList<AWSPolicyModel> models = new ArrayList<AWSPolicyModel>();
models.add(model);
models.add(model2);
+ models.add(model3);
model.combine(model2);
+ model.combine(model3);
System.out.println("Aggregate: " + model);
}
}
\ No newline at end of file