org.apache.shiro.authz.permission.PermissionResolver Java Examples

Example #1
Source File: SecurityModule.java    From emodb with Apache License 2.0
/**
 * Provides the application-wide {@link PermissionManager}.
 *
 * <p>The DAO-backed manager is wrapped twice: first by a {@link DeferringPermissionManager}
 * seeded with the permissions of every {@link DefaultRoles} entry (each role's permission
 * strings are resolved once here via {@code permissionResolver} and keyed by
 * {@link PermissionIDs#forRole}), then by a {@link CacheManagingPermissionManager} that uses
 * {@code cacheManager}.  NOTE(review): presumably the deferring layer answers built-in roles
 * from that seeded map instead of the DAO — confirm in DeferringPermissionManager.
 *
 * @param permissionManager  the persistent, DAO-backed manager (the {@code @Named("dao")} binding)
 * @param cacheManager       cache manager handed to the caching wrapper
 * @param permissionResolver resolver used to parse the built-in roles' permission strings
 * @return the caching manager, wrapping the deferring manager, wrapping the DAO
 */
@Provides
@Singleton
PermissionManager providePermissionManager(@Named("dao") PermissionManager permissionManager,
                                           InvalidatableCacheManager cacheManager,
                                           final PermissionResolver permissionResolver) {
    final ImmutableMap.Builder<String, Set<Permission>> builtInRoles = ImmutableMap.builder();

    // Parse each built-in role's permission strings exactly once, at provision time (if the
    // resolver rejects a malformed string, that happens here rather than on first use).
    for (DefaultRoles role : DefaultRoles.values()) {
        String roleId = PermissionIDs.forRole(role.toString());
        Set<Permission> resolved = role.getPermissions()
                .stream()
                .map(permissionResolver::resolvePermission)
                .collect(Collectors.toSet());
        builtInRoles.put(roleId, resolved);
    }

    PermissionManager withDefaults = new DeferringPermissionManager(permissionManager, builtInRoles.build());
    return new CacheManagingPermissionManager(withDefaults, cacheManager);
}
 
Example #2
Source File: SecurityModule.java    From emodb with Apache License 2.0
/**
 * Guice wiring for the security subsystem.  This is a private module: only the keys passed to
 * {@code expose(...)} at the bottom are visible to the enclosing injector; everything else bound
 * here (the permission managers, {@code ApiKeyEncryption}, the identity manager, ...) stays internal.
 */
@Override
protected void configure() {
    // The HashFunction qualified with @ApiKeyHashFunction is plain SHA-256.
    // NOTE(review): a bare digest is adequate only if API keys are high-entropy random tokens;
    // confirm how keys are generated before relying on this for anything user-chosen.
    bind(HashFunction.class).annotatedWith(ApiKeyHashFunction.class).toInstance(Hashing.sha256());
    bind(ApiKeyEncryption.class).asEagerSingleton();
    bind(RebuildMissingRolesTask.class).asEagerSingleton();

    bind(LocalSubjectUserAccessControl.class).asEagerSingleton();
    
    // Reserved role names: currently only the replication role.
    // NOTE(review): presumably these cannot be created or modified through the UAC API — confirm at the injection site.
    bind(new TypeLiteral<Set<String>>() {})
            .annotatedWith(ReservedRoles.class)
            .toInstance(ImmutableSet.of(
                    DefaultRoles.replication.toString()));

    bind(PermissionResolver.class).to(EmoPermissionResolver.class).asEagerSingleton();
    // SecurityManager and InternalAuthorizer are both linked to EmoSecurityManager.  Neither linked
    // binding is scoped here, so they share one instance only if EmoSecurityManager itself is
    // annotated @Singleton — NOTE(review): verify, otherwise two instances are created.
    bind(SecurityManager.class).to(EmoSecurityManager.class);
    bind(InternalAuthorizer.class).to(EmoSecurityManager.class);
    bind(new TypeLiteral<AuthIdentityReader<ApiKey>>() {}).to(new TypeLiteral<AuthIdentityManager<ApiKey>>() {});
    // PermissionReader requests are satisfied by the PermissionManager binding.
    bind(PermissionReader.class).to(PermissionManager.class);

    // The String qualified with @SystemIdentity is the SYSTEM_INTERNAL_ID constant.
    bind(String.class).annotatedWith(SystemIdentity.class).toInstance(SYSTEM_INTERNAL_ID);

    // Only these keys leave the private module; note that PermissionManager itself is not among them.
    expose(DropwizardAuthConfigurator.class);
    expose(Key.get(String.class, ReplicationKey.class));
    expose(Key.get(String.class, CompControlApiKey.class));
    expose(Key.get(String.class, SystemIdentity.class));
    expose(PermissionResolver.class);
    expose(InternalAuthorizer.class);
    expose(SubjectUserAccessControl.class);
}
 
Example #3
Source File: SecurityModule.java    From emodb with Apache License 2.0
/**
 * Provides the persistent, table-backed permission manager (qualified {@code @Named("dao")}).
 *
 * @param config             supplies the name of the permissions table
 * @param permissionResolver resolver handed to the DAO
 * @param dataStore          data store holding the permissions table
 * @param tablePlacement     placement for system tables
 * @return a {@link TablePermissionManagerDAO} over {@code config.getPermissionsTable()}
 */
@Provides
@Singleton
@Named("dao")
PermissionManager providePermissionManagerDAO(
        AuthorizationConfiguration config, PermissionResolver permissionResolver, DataStore dataStore,
        @SystemTablePlacement String tablePlacement) {
    String permissionsTable = config.getPermissionsTable();
    return new TablePermissionManagerDAO(permissionResolver, dataStore, permissionsTable, tablePlacement);
}
 
Example #4
Source File: LocalSubjectUserAccessControl.java    From emodb with Apache License 2.0
/**
 * Creates the local (in-process) user access control service.
 *
 * @param roleManager         role manager retained for later use
 * @param permissionResolver  permission resolver retained for later use
 * @param authIdentityManager identity manager for API keys, retained for later use
 * @param selfHostAndPort     this host's address, retained for later use
 * @param metricRegistry      registry in which the update-lock timeout meter is created
 */
@Inject
public LocalSubjectUserAccessControl(RoleManager roleManager, PermissionResolver permissionResolver,
                                     AuthIdentityManager<ApiKey> authIdentityManager,
                                     @SelfHostAndPort HostAndPort selfHostAndPort, MetricRegistry metricRegistry) {
    // Meter under which update-lock acquisition timeouts are counted.
    String lockTimeoutMetric = MetricRegistry.name("bv.emodb.web.uac", "acquire-update-lock", "timeouts");

    this._roleManager = roleManager;
    this._permissionResolver = permissionResolver;
    this._authIdentityManager = authIdentityManager;
    this._hostAndPort = selfHostAndPort;
    this._lockTimeoutMeter = metricRegistry.meter(lockTimeoutMetric);
}
 
Example #5
Source File: TablePermissionManagerDAO.java    From emodb with Apache License 2.0
/**
 * Creates a permission manager backed by a table in the given data store.
 *
 * @param permissionResolver permission resolver retained for later use
 * @param dataStore          data store that holds the permissions table
 * @param tableName          name of the permissions table
 * @param placement          placement of that table
 * @throws NullPointerException if any argument is null (checked in declaration order)
 */
public TablePermissionManagerDAO(PermissionResolver permissionResolver, DataStore dataStore,
                                 String tableName, String placement) {
    // Fail fast on a missing dependency; the message names the offending argument.
    this._permissionResolver = checkNotNull(permissionResolver, "permissionResolver");
    this._dataStore = checkNotNull(dataStore, "dataStore");
    this._tableName = checkNotNull(tableName, "tableName");
    this._placement = checkNotNull(placement, "placement");
}
 
Example #6
Source File: RebuildMissingRolesTaskTest.java    From emodb with Apache License 2.0
/**
 * Exercises {@link RebuildMissingRolesTask}: permission entries that exist for role IDs without a
 * corresponding role must get that role created, while a role that already exists is left alone.
 */
@Test
public void testTask() throws Exception {
    PermissionResolver resolver = new EmoPermissionResolver(mock(DataStore.class), mock(BlobStore.class));
    PermissionManager permissions = new InMemoryPermissionManager(resolver);
    RoleManager roles = new InMemoryRoleManager(permissions);
    RebuildMissingRolesTask task = new RebuildMissingRolesTask(permissions, roles, mock(TaskRegistry.class));

    RoleIdentifier role1 = new RoleIdentifier(null, "role1");
    RoleIdentifier role2 = new RoleIdentifier("group2", "role2");
    RoleIdentifier role3 = new RoleIdentifier(null, "role3");

    // Permissions exist for role1 (no group) and group2/role2, but the roles themselves do not yet
    permissions.updatePermissions("role:role1", new PermissionUpdateRequest().permit("role1|*"));
    permissions.updatePermissions("role:group2/role2", new PermissionUpdateRequest().permit("role2|*"));

    // role3 is fully created up front; the task must not touch it
    roles.createRole(role3,
            new RoleModification()
                    .withName("role3")
                    .withPermissionUpdate(new PermissionUpdateRequest().permit(ImmutableSet.of("role3|*"))));

    StringWriter output = new StringWriter();
    task.execute(ImmutableMultimap.of(), new PrintWriter(output));

    // Every role now exists, each with exactly its original permissions
    assertEquals(roles.getRole(role1).getName(), "role1");
    assertEquals(roles.getPermissionsForRole(role1), ImmutableSet.of("role1|*"));
    assertEquals(roles.getRole(role2).getName(), "role2");
    assertEquals(roles.getPermissionsForRole(role2), ImmutableSet.of("role2|*"));
    assertEquals(roles.getRole(role3).getName(), "role3");
    assertEquals(roles.getPermissionsForRole(role3), ImmutableSet.of("role3|*"));

    // The task reports exactly the two roles it had to create, and nothing about role3
    Set<String> reported = ImmutableSet.copyOf(output.toString().split("\n"));
    assertEquals(reported, ImmutableSet.of("Created missing role: role1", "Created missing role: group2/role2"));
}
 
Example #7
Source File: Realm.java    From usergrid with Apache License 2.0
/**
 * Forces this realm to use a {@link CustomPermissionResolver}.
 *
 * <p>Any resolver that is not already a {@code CustomPermissionResolver} (including {@code null},
 * which fails the {@code instanceof} test) is discarded and replaced by a fresh instance, so the
 * realm's permission semantics cannot be swapped out through this setter.
 *
 * @param permissionResolver the resolver offered by configuration or injection
 */
@Override
public void setPermissionResolver( PermissionResolver permissionResolver ) {
    if ( permissionResolver instanceof CustomPermissionResolver ) {
        super.setPermissionResolver( permissionResolver );
        return;
    }
    if ( logger.isDebugEnabled() ) {
        logger.debug( "Replacing {} with CustomPermissionResolver", permissionResolver );
    }
    super.setPermissionResolver( new CustomPermissionResolver() );
}
 
Example #8
Source File: OwnerDatabusAuthorizer.java    From emodb with Apache License 2.0
/**
 * Creates an authorizer with the default cache sizes and permission-check cache timeout.
 *
 * <p>Delegates to the full constructor with {@code DEFAULT_PERMISSION_CHECK_CACHE_SIZE},
 * {@code DEFAULT_PERMISSION_CHECK_CACHE_TIMEOUT} and {@code DEFAULT_READ_PERMISSION_CACHE_SIZE}.
 *
 * @param internalAuthorizer delegate authorizer
 * @param permissionResolver permission resolver
 * @param metricRegistry     registry for cache statistics (the full constructor tolerates null)
 * @param clock              clock passed through to the caches' ticker
 */
@Inject
public OwnerDatabusAuthorizer(InternalAuthorizer internalAuthorizer, final PermissionResolver permissionResolver,
                              MetricRegistry metricRegistry, Clock clock) {
    this(internalAuthorizer,
            permissionResolver,
            metricRegistry,
            clock,
            DEFAULT_PERMISSION_CHECK_CACHE_SIZE,
            DEFAULT_PERMISSION_CHECK_CACHE_TIMEOUT,
            DEFAULT_READ_PERMISSION_CACHE_SIZE);
}
 
Example #9
Source File: OwnerDatabusAuthorizer.java    From emodb with Apache License 2.0
/**
 * Creates an authorizer with explicit cache sizing.
 *
 * <p>Two optional caches are built here; each is disabled (its field left {@code null}) when the
 * corresponding size is {@code <= 0}:
 * <ul>
 *   <li>{@code _permissionCheckCache}: caches the result of {@code ownerCanReadTable(ownerId, table)}
 *       per {@link OwnerTableCacheKey}, bounded to {@code permissionCheckCacheSize} entries and expired
 *       {@code permissionCheckCacheTimeout} after write.  Because this caches authorization decisions,
 *       a permission revoked after a positive answer keeps being honoured for up to that timeout —
 *       presumably why the timeout is capped at {@code MAX_PERMISSION_CHECK_CACHE_TIMEOUT} (confirm).</li>
 *   <li>{@code _readPermissionCache}: caches {@code createReadPermission(table)} per table name,
 *       bounded to {@code readPermissionCacheSize} entries, with no time-based expiry.</li>
 * </ul>
 *
 * @param internalAuthorizer          delegate authorizer; must not be null
 * @param permissionResolver          permission resolver; must not be null
 * @param metricRegistry              registry for the permission-check cache hit/miss gauges; may be null to skip metrics
 * @param clock                       clock that drives cache expiry (wrapped by {@link ClockTicker})
 * @param permissionCheckCacheSize    max entries in the permission-check cache; {@code <= 0} disables it
 * @param permissionCheckCacheTimeout expiry for permission-check entries; required only when that cache is enabled
 * @param readPermissionCacheSize     max entries in the read-permission cache; {@code <= 0} disables it
 * @throws NullPointerException     if a required argument is null
 * @throws IllegalArgumentException if {@code permissionCheckCacheTimeout} exceeds {@code MAX_PERMISSION_CHECK_CACHE_TIMEOUT}
 */
public OwnerDatabusAuthorizer(InternalAuthorizer internalAuthorizer, final PermissionResolver permissionResolver,
                              MetricRegistry metricRegistry, Clock clock, int permissionCheckCacheSize,
                              Duration permissionCheckCacheTimeout, int readPermissionCacheSize) {
    _internalAuthorizer = checkNotNull(internalAuthorizer, "internalAuthorizer");
    _permissionResolver = checkNotNull(permissionResolver, "permissionResolver");

    if (permissionCheckCacheSize > 0) {
        // The timeout is only needed (and only validated) when the cache is actually enabled.
        checkNotNull(permissionCheckCacheTimeout, "permissionCheckCacheTimeout");
        checkArgument(permissionCheckCacheTimeout.compareTo(MAX_PERMISSION_CHECK_CACHE_TIMEOUT) <= 0,
                "Permission check cache timeout is too long");

        // NOTE(review): the anonymous CacheLoader below captures `this` before construction has
        // finished.  Nothing in this constructor calls get() on the cache, so the loader only runs
        // later on a miss; keep it that way.
        _permissionCheckCache = CacheBuilder.newBuilder()
                .maximumSize(permissionCheckCacheSize)
                .expireAfterWrite(permissionCheckCacheTimeout.toMillis(), TimeUnit.MILLISECONDS)
                .recordStats()
                .ticker(ClockTicker.getTicker(clock))
                .build(new CacheLoader<OwnerTableCacheKey, Boolean>() {
                    @Override
                    public Boolean load(OwnerTableCacheKey key) throws Exception {
                        return ownerCanReadTable(key._ownerId, key._table);
                    }
                });

        if (metricRegistry != null) {
            // Getting the full benefits of permission check caching requires tuning.  Publish statistics to
            // give visibility into performance.
            // NOTE(review): MetricRegistry.register throws IllegalArgumentException if a metric with the
            // same name is already registered, so a second authorizer built against the same registry
            // would fail here — confirm only one instance is created per registry.
            metricRegistry.register(MetricRegistry.name("bv.emodb.databus", "authorizer", "read-permission-cache", "hits"),
                    new Gauge<Long>() {
                        @Override
                        public Long getValue() {
                            return _permissionCheckCache.stats().hitCount();
                        }
                    });

            metricRegistry.register(MetricRegistry.name("bv.emodb.databus", "authorizer", "read-permission-cache", "misses"),
                    new Gauge<Long>() {
                        @Override
                        public Long getValue() {
                            return _permissionCheckCache.stats().missCount();
                        }
                    });
        }
    } else {
        // Caching disabled: callers are expected to check for null before using the field.
        _permissionCheckCache = null;
    }

    if (readPermissionCacheSize > 0) {
        // Size-bounded only; no recordStats() and no expiry, so no metrics are published for this cache.
        _readPermissionCache = CacheBuilder.newBuilder()
                .maximumSize(readPermissionCacheSize)
                .ticker(ClockTicker.getTicker(clock))
                .build(new CacheLoader<String, Permission>() {
                    @Override
                    public Permission load(String table) throws Exception {
                        return createReadPermission(table);
                    }
                });
    } else {
        _readPermissionCache = null;
    }
}
 
Example #10
Source File: TablePermissionManagerDAO.java    From emodb with Apache License 2.0
/**
 * Returns the resolver this DAO was constructed with.
 *
 * @return the permission resolver passed to the constructor; never null, since the constructor rejects null
 */
@Override
public PermissionResolver getPermissionResolver() {
    return this._permissionResolver;
}
 
Example #11
Source File: DeferringPermissionManager.java    From emodb with Apache License 2.0
/**
 * Returns the resolver of the wrapped manager; this layer has no resolver of its own.
 *
 * @return whatever {@code _manager.getPermissionResolver()} returns
 */
@Override
public PermissionResolver getPermissionResolver() {
    return this._manager.getPermissionResolver();
}
 
Example #12
Source File: CacheManagingPermissionManager.java    From emodb with Apache License 2.0
/**
 * Returns the resolver of the wrapped manager; the caching layer does not resolve permissions itself.
 *
 * @return whatever {@code _manager.getPermissionResolver()} returns
 */
@Override
public PermissionResolver getPermissionResolver() {
    return this._manager.getPermissionResolver();
}
 
Example #13
Source File: InMemoryPermissionManager.java    From emodb with Apache License 2.0
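/**
 * Creates an in-memory permission manager holding the given resolver.
 *
 * @param permissionResolver resolver returned by {@code getPermissionResolver()}; must not be null
 * @throws NullPointerException if {@code permissionResolver} is null
 */
public InMemoryPermissionManager(PermissionResolver permissionResolver) {
    // Fail fast here rather than on first use, matching the null checks in TablePermissionManagerDAO.
    // Fully qualified so that no new import is required.
    _permissionResolver = java.util.Objects.requireNonNull(permissionResolver, "permissionResolver");
}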
 
Example #14
Source File: InMemoryPermissionManager.java    From emodb with Apache License 2.0
/**
 * Returns the resolver supplied at construction.
 *
 * @return the permission resolver this manager was created with
 */
@Override
public PermissionResolver getPermissionResolver() {
    return this._permissionResolver;
}
 
Example #15
Source File: PermissionReader.java    From emodb with Apache License 2.0
/**
 * Gets the permission resolver for this reader.
 *
 * <p>Wrapping implementations are expected to return the resolver of the manager they wrap rather
 * than introduce a second one, so that permission strings are interpreted consistently across layers.
 *
 * @return the resolver this reader uses to turn permission strings into {@code Permission} objects
 */
PermissionResolver getPermissionResolver();