org.apache.shiro.authz.permission.PermissionResolver Java Examples

The following examples show how to use org.apache.shiro.authz.permission.PermissionResolver. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: SecurityModule.java    From emodb with Apache License 2.0 6 votes vote down vote up 
@Provides
@Singleton
PermissionManager providePermissionManager(@Named("dao") PermissionManager permissionManager,
                                           InvalidatableCacheManager cacheManager,
                                           final PermissionResolver permissionResolver) {
    ImmutableMap.Builder<String, Set<Permission>> defaultRolePermissions = ImmutableMap.builder();

    for (DefaultRoles defaultRole : DefaultRoles.values()) {
        Set<Permission> rolePermissions = defaultRole.getPermissions()
                .stream()
                .map(permissionResolver::resolvePermission)
                .collect(Collectors.toSet());

        defaultRolePermissions.put(PermissionIDs.forRole(defaultRole.toString()), rolePermissions);
    }

    PermissionManager deferring = new DeferringPermissionManager(permissionManager, defaultRolePermissions.build());

    return new CacheManagingPermissionManager(deferring, cacheManager);
}
Example #2
Source File: SecurityModule.java    From emodb with Apache License 2.0 5 votes vote down vote up 
@Override
protected void configure() {
    bind(HashFunction.class).annotatedWith(ApiKeyHashFunction.class).toInstance(Hashing.sha256());
    bind(ApiKeyEncryption.class).asEagerSingleton();
    bind(RebuildMissingRolesTask.class).asEagerSingleton();

    bind(LocalSubjectUserAccessControl.class).asEagerSingleton();
    
    bind(new TypeLiteral<Set<String>>() {})
            .annotatedWith(ReservedRoles.class)
            .toInstance(ImmutableSet.of(
                    DefaultRoles.replication.toString()));

    bind(PermissionResolver.class).to(EmoPermissionResolver.class).asEagerSingleton();
    bind(SecurityManager.class).to(EmoSecurityManager.class);
    bind(InternalAuthorizer.class).to(EmoSecurityManager.class);
    bind(new TypeLiteral<AuthIdentityReader<ApiKey>>() {}).to(new TypeLiteral<AuthIdentityManager<ApiKey>>() {});
    bind(PermissionReader.class).to(PermissionManager.class);

    bind(String.class).annotatedWith(SystemIdentity.class).toInstance(SYSTEM_INTERNAL_ID);

    expose(DropwizardAuthConfigurator.class);
    expose(Key.get(String.class, ReplicationKey.class));
    expose(Key.get(String.class, CompControlApiKey.class));
    expose(Key.get(String.class, SystemIdentity.class));
    expose(PermissionResolver.class);
    expose(InternalAuthorizer.class);
    expose(SubjectUserAccessControl.class);
}
Example #3
Source File: SecurityModule.java    From emodb with Apache License 2.0 5 votes vote down vote up 
@Provides
@Singleton
@Named("dao")
PermissionManager providePermissionManagerDAO(
        AuthorizationConfiguration config, PermissionResolver permissionResolver, DataStore dataStore,
        @SystemTablePlacement String tablePlacement) {
    return new TablePermissionManagerDAO(
            permissionResolver, dataStore, config.getPermissionsTable(), tablePlacement);
}
Example #4
Source File: LocalSubjectUserAccessControl.java    From emodb with Apache License 2.0 5 votes vote down vote up 
@Inject
public LocalSubjectUserAccessControl(RoleManager roleManager, PermissionResolver permissionResolver,
                                     AuthIdentityManager<ApiKey> authIdentityManager,
                                     @SelfHostAndPort HostAndPort selfHostAndPort, MetricRegistry metricRegistry) {
    _roleManager = roleManager;
    _permissionResolver = permissionResolver;
    _authIdentityManager = authIdentityManager;
    _hostAndPort = selfHostAndPort;
    _lockTimeoutMeter = metricRegistry.meter(MetricRegistry.name("bv.emodb.web.uac", "acquire-update-lock", "timeouts"));
}
Example #5
Source File: TablePermissionManagerDAO.java    From emodb with Apache License 2.0 5 votes vote down vote up 
public TablePermissionManagerDAO(PermissionResolver permissionResolver, DataStore dataStore,
                                 String tableName, String placement) {
    _permissionResolver = checkNotNull(permissionResolver, "permissionResolver");
    _dataStore = checkNotNull(dataStore, "dataStore");
    _tableName = checkNotNull(tableName, "tableName");
    _placement = checkNotNull(placement, "placement");
}
Example #6
Source File: RebuildMissingRolesTaskTest.java    From emodb with Apache License 2.0 5 votes vote down vote up 
@Test
public void testTask() throws Exception {
    PermissionResolver permissionResolver = new EmoPermissionResolver(mock(DataStore.class), mock(BlobStore.class));
    PermissionManager permissionManager = new InMemoryPermissionManager(permissionResolver);
    RoleManager roleManager = new InMemoryRoleManager(permissionManager);

    RebuildMissingRolesTask task = new RebuildMissingRolesTask(permissionManager, roleManager, mock(TaskRegistry.class));

    // Create pre-existing permissions for two roles, one with a group and one without
    permissionManager.updatePermissions("role:role1", new PermissionUpdateRequest().permit("role1|*"));
    permissionManager.updatePermissions("role:group2/role2", new PermissionUpdateRequest().permit("role2|*"));

    // Create a role complete with permissions which should be untouched by the task
    roleManager.createRole(new RoleIdentifier(null, "role3"),
            new RoleModification()
                    .withName("role3")
                    .withPermissionUpdate(new PermissionUpdateRequest().permit(ImmutableSet.of("role3|*"))));

    // Run the task
    StringWriter out = new StringWriter();
    task.execute(ImmutableMultimap.of(), new PrintWriter(out));

    // Verify all three roles exist with the correct permissions
    assertEquals(roleManager.getRole(new RoleIdentifier(null, "role1")).getName(), "role1");
    assertEquals(roleManager.getPermissionsForRole(new RoleIdentifier(null, "role1")), ImmutableSet.of("role1|*"));
    assertEquals(roleManager.getRole(new RoleIdentifier("group2", "role2")).getName(), "role2");
    assertEquals(roleManager.getPermissionsForRole(new RoleIdentifier("group2", "role2")), ImmutableSet.of("role2|*"));
    assertEquals(roleManager.getRole(new RoleIdentifier(null, "role3")).getName(), "role3");
    assertEquals(roleManager.getPermissionsForRole(new RoleIdentifier(null, "role3")), ImmutableSet.of("role3|*"));

    Set<String> lines = ImmutableSet.copyOf(out.toString().split("\n"));
    assertEquals(lines, ImmutableSet.of("Created missing role: role1", "Created missing role: group2/role2"));
}
Example #7
Source File: Realm.java    From usergrid with Apache License 2.0 5 votes vote down vote up 
@Override
public void setPermissionResolver( PermissionResolver permissionResolver ) {
    if ( !( permissionResolver instanceof CustomPermissionResolver ) ) {
        if (logger.isDebugEnabled()) {
            logger.debug("Replacing {} with CustomPermissionResolver", permissionResolver);
        }
        permissionResolver = new CustomPermissionResolver();
    }
    super.setPermissionResolver(permissionResolver);
}
Example #8
Source File: OwnerDatabusAuthorizer.java    From emodb with Apache License 2.0 4 votes vote down vote up 
@Inject
public OwnerDatabusAuthorizer(InternalAuthorizer internalAuthorizer, final PermissionResolver permissionResolver,
                              MetricRegistry metricRegistry, Clock clock) {
    this(internalAuthorizer, permissionResolver, metricRegistry, clock, DEFAULT_PERMISSION_CHECK_CACHE_SIZE,
            DEFAULT_PERMISSION_CHECK_CACHE_TIMEOUT, DEFAULT_READ_PERMISSION_CACHE_SIZE);
}
Example #9
Source File: OwnerDatabusAuthorizer.java    From emodb with Apache License 2.0 4 votes vote down vote up 
public OwnerDatabusAuthorizer(InternalAuthorizer internalAuthorizer, final PermissionResolver permissionResolver,
                              MetricRegistry metricRegistry, Clock clock, int permissionCheckCacheSize,
                              Duration permissionCheckCacheTimeout, int readPermissionCacheSize) {
    _internalAuthorizer = checkNotNull(internalAuthorizer, "internalAuthorizer");
    _permissionResolver = checkNotNull(permissionResolver, "permissionResolver");

    if (permissionCheckCacheSize > 0) {
        checkNotNull(permissionCheckCacheTimeout, "permissionCheckCacheTimeout");
        checkArgument(permissionCheckCacheTimeout.compareTo(MAX_PERMISSION_CHECK_CACHE_TIMEOUT) <= 0,
                "Permission check cache timeout is too long");

        _permissionCheckCache = CacheBuilder.newBuilder()
                .maximumSize(permissionCheckCacheSize)
                .expireAfterWrite(permissionCheckCacheTimeout.toMillis(), TimeUnit.MILLISECONDS)
                .recordStats()
                .ticker(ClockTicker.getTicker(clock))
                .build(new CacheLoader<OwnerTableCacheKey, Boolean>() {
                    @Override
                    public Boolean load(OwnerTableCacheKey key) throws Exception {
                        return ownerCanReadTable(key._ownerId, key._table);
                    }
                });

        if (metricRegistry != null) {
            // Getting the full benefits of permission check caching requires tuning.  Publish statistics to
            // give visibility into performance.
            metricRegistry.register(MetricRegistry.name("bv.emodb.databus", "authorizer", "read-permission-cache", "hits"),
                    new Gauge<Long>() {
                        @Override
                        public Long getValue() {
                            return _permissionCheckCache.stats().hitCount();
                        }
                    });

            metricRegistry.register(MetricRegistry.name("bv.emodb.databus", "authorizer", "read-permission-cache", "misses"),
                    new Gauge<Long>() {
                        @Override
                        public Long getValue() {
                            return _permissionCheckCache.stats().missCount();
                        }
                    });
        }
    } else {
        _permissionCheckCache = null;
    }

    if (readPermissionCacheSize > 0) {
        _readPermissionCache = CacheBuilder.newBuilder()
                .maximumSize(readPermissionCacheSize)
                .ticker(ClockTicker.getTicker(clock))
                .build(new CacheLoader<String, Permission>() {
                    @Override
                    public Permission load(String table) throws Exception {
                        return createReadPermission(table);
                    }
                });
    } else {
        _readPermissionCache = null;
    }
}
Example #10
Source File: TablePermissionManagerDAO.java    From emodb with Apache License 2.0 4 votes vote down vote up 
@Override
public PermissionResolver getPermissionResolver() {
    return _permissionResolver;
}
Example #11
Source File: DeferringPermissionManager.java    From emodb with Apache License 2.0 4 votes vote down vote up 
@Override
public PermissionResolver getPermissionResolver() {
    return _manager.getPermissionResolver();
}
Example #12
Source File: CacheManagingPermissionManager.java    From emodb with Apache License 2.0 4 votes vote down vote up 
@Override
public PermissionResolver getPermissionResolver() {
    return _manager.getPermissionResolver();
}
Example #13
Source File: InMemoryPermissionManager.java    From emodb with Apache License 2.0 4 votes vote down vote up 
public InMemoryPermissionManager(PermissionResolver permissionResolver) {
    _permissionResolver = permissionResolver;
}
Example #14
Source File: InMemoryPermissionManager.java    From emodb with Apache License 2.0 4 votes vote down vote up 
@Override
public PermissionResolver getPermissionResolver() {
    return _permissionResolver;
}
Example #15
Source File: PermissionReader.java    From emodb with Apache License 2.0 2 votes vote down vote up 
/**
 * Gets the permission resolver for this reader.
 */
PermissionResolver getPermissionResolver();