From 2dcfa753b97cd6d720e91ed15df9b4836948d18a Mon Sep 17 00:00:00 2001
From: 21429079
Date: Wed, 15 Jan 2025 11:05:59 +0300
Subject: [PATCH 1/3] IGNITE-23749: initial commit
---
 ...SecurityCommandHandlerPermissionsTest.java | 44 +++++++++++++++++++
 .../management/kill/CancelServiceTask.java | 10 +++++
 2 files changed, 54 insertions(+)
diff --git a/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java b/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java
index c56d8e2199094..9e9ada973388a 100644
--- a/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java
+++ b/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java
@@ -27,12 +27,15 @@
 import org.apache.ignite.Ignite;
 import org.apache.ignite.configuration.IgniteConfiguration;
 import org.apache.ignite.internal.IgniteEx;
+import org.apache.ignite.internal.client.thin.ServicesTest;
 import org.apache.ignite.internal.processors.security.impl.TestSecurityData;
 import org.apache.ignite.internal.processors.security.impl.TestSecurityPluginProvider;
 import org.apache.ignite.internal.util.typedef.F;
 import org.apache.ignite.plugin.security.SecurityPermission;
 import org.apache.ignite.plugin.security.SecurityPermissionSet;
 import org.apache.ignite.plugin.security.SecurityPermissionSetBuilder;
+import org.apache.ignite.services.ServiceConfiguration;
+import org.apache.ignite.services.ServiceDescriptor;
 import org.apache.ignite.util.GridCommandHandlerAbstractTest;
 import org.junit.Test;
 import org.junit.runners.Parameterized;
@@ -47,6 +50,7 @@
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_DESTROY;
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_READ;
 import static org.apache.ignite.plugin.security.SecurityPermission.CACHE_REMOVE;
+import static org.apache.ignite.plugin.security.SecurityPermission.SERVICE_CANCEL;
 import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALL_PERMISSIONS;
 import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.NO_PERMISSIONS;
 import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.systemPermissions;
@@ -134,6 +138,38 @@ public void testCacheCreate() throws Exception {
 );
 }

+ /** */
+ @Test
+ public void testServiceCancel() throws Exception {
+ String srvcName = "testService";
+ Collection cmdArgs = asList("--kill", "service", srvcName);
+
+ Ignite ignite = startGrid(
+ 0,
+ userData(TEST_NO_PERMISSIONS_LOGIN, NO_PERMISSIONS),
+ userData(TEST_LOGIN, servicePermission(srvcName, SERVICE_CANCEL))
+ );
+
+ ServiceConfiguration srvcCfg = new ServiceConfiguration();
+
+ srvcCfg.setName(srvcName);
+ srvcCfg.setMaxPerNodeCount(1);
+ srvcCfg.setTotalCount(1);
+ srvcCfg.setService(new ServicesTest.TestService());
+
+ ignite.services().deploy(srvcCfg);
+
+ Collection svcs = ignite.services().serviceDescriptors();
+
+ assertEquals(EXIT_CODE_UNEXPECTED_ERROR, execute(enrichWithConnectionArguments(cmdArgs, TEST_NO_PERMISSIONS_LOGIN)));
+ assertEquals(1, svcs.size());
+
+ assertEquals(EXIT_CODE_OK, execute(enrichWithConnectionArguments(cmdArgs, TEST_LOGIN)));
+
+ svcs = ignite.services().serviceDescriptors();
+ assertEquals(0, svcs.size());
+ }
+
 /** */
 protected IgniteEx startGrid(int idx, TestSecurityData... userData) throws Exception {
 String login = getTestIgniteInstanceName(idx);
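Review bot: The denied-path assertion in testServiceCancel checks a stale collection: `svcs` is fetched before the `TEST_NO_PERMISSIONS_LOGIN` command runs, so `assertEquals(1, svcs.size())` would likely still pass if the unauthorized kill had cancelled the service (assuming `serviceDescriptors()` returns a snapshot rather than a live view). Re-query after the rejected command, e.g. `assertEquals(1, ignite.services().serviceDescriptors().size());`, so the test actually proves the service survived. The negative case also covers only a login with no permissions at all; a login granted `SERVICE_CANCEL` for a different service name would exercise the per-name scoping that `servicePermission(srvcName, ...)` sets up.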
@@ -186,6 +222,14 @@ private SecurityPermissionSet cachePermission(SecurityPermission... perms) {
 .build();
 }

+ /** */
+ private SecurityPermissionSet servicePermission(String name, SecurityPermission... perms) {
+ return SecurityPermissionSetBuilder.create()
+ .defaultAllowAll(false)
+ .appendServicePermissions(name, perms)
+ .build();
+ }
+
 /** */
 private TestSecurityData userData(String login, SecurityPermissionSet perms) {
 return new TestSecurityData(
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/management/kill/CancelServiceTask.java b/modules/core/src/main/java/org/apache/ignite/internal/management/kill/CancelServiceTask.java
index 2cd4f24717d2b..e68eaa6c27d59 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/management/kill/CancelServiceTask.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/management/kill/CancelServiceTask.java
@@ -22,6 +22,9 @@
 import org.apache.ignite.internal.util.typedef.internal.S;
 import org.apache.ignite.internal.visor.VisorJob;
 import org.apache.ignite.internal.visor.VisorOneNodeTask;
+import org.apache.ignite.plugin.security.SecurityPermissionSet;
+
+import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.NO_PERMISSIONS;

 /**
 * Task for cancel services with specified name.
@@ -60,6 +63,13 @@ protected CancelServiceJob(KillServiceCommandArg arg, boolean debug) {
 return null;
 }

+ /** {@inheritDoc} */
+ @Override public SecurityPermissionSet requiredPermissions() {
+ // This task does nothing but delegates the call to the Ignite public API.
+ // Therefore, it is safe to execute task without any additional permissions check.
+ return NO_PERMISSIONS;
+ }
+
 /** {@inheritDoc} */
 @Override public String toString() {
 return S.toString(CancelServiceJob.class, this);
From 0c1298d3100d31dc32cc023f952dcbc84110b92f Mon Sep 17 00:00:00 2001
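Review bot: The comment in `requiredPermissions()` justifies `NO_PERMISSIONS` only by saying the job delegates to the public API, without naming the check that makes this safe; the job's `run` body lies outside this hunk, so the delegation cannot be confirmed from here. Because returning `NO_PERMISSIONS` removes the task-level gate, authorization rests entirely on the delegated call enforcing `SERVICE_CANCEL` for the target service name under the initiating user's security context rather than the node's. I would state that dependency explicitly, e.g. `// Authorization relies on the SERVICE_CANCEL check performed by the public services API for the given service name.`, so a later change to the job body that bypasses the public API is recognised as needing its own permission check.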
From: 21429079
Date: Tue, 21 Jan 2025 10:23:03 +0300
Subject: [PATCH 2/3] IGNITE-23749: style fix
---
 .../commandline/SecurityCommandHandlerPermissionsTest.java | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java b/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java
index 9e9ada973388a..627b0a77cd286 100644
--- a/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java
+++ b/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java
@@ -144,11 +144,8 @@ public void testServiceCancel() throws Exception {
 String srvcName = "testService";
 Collection cmdArgs = asList("--kill", "service", srvcName);

- Ignite ignite = startGrid(
- 0,
- userData(TEST_NO_PERMISSIONS_LOGIN, NO_PERMISSIONS),
- userData(TEST_LOGIN, servicePermission(srvcName, SERVICE_CANCEL))
- );
+ Ignite ignite = startGrid(0, userData(TEST_NO_PERMISSIONS_LOGIN, NO_PERMISSIONS),
+ userData(TEST_LOGIN, servicePermission(srvcName, SERVICE_CANCEL)));

 ServiceConfiguration srvcCfg = new ServiceConfiguration();

From d5caa4229c4340bd319408cf9e6407d36fde7de4 Mon Sep 17 00:00:00 2001
From: 21429079
Date: Tue, 21 Jan 2025 11:58:57 +0300
Subject: [PATCH 3/3] IGNITE-23749: style fix
---
 .../commandline/SecurityCommandHandlerPermissionsTest.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java b/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java
index 627b0a77cd286..9e9ada973388a 100644
--- a/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java
+++ b/modules/control-utility/src/test/java/org/apache/ignite/internal/commandline/SecurityCommandHandlerPermissionsTest.java
@@ -144,8 +144,11 @@ public void testServiceCancel() throws Exception {
 String srvcName = "testService";
 Collection cmdArgs = asList("--kill", "service", srvcName);

- Ignite ignite = startGrid(0, userData(TEST_NO_PERMISSIONS_LOGIN, NO_PERMISSIONS),
- userData(TEST_LOGIN, servicePermission(srvcName, SERVICE_CANCEL)));
+ Ignite ignite = startGrid(
+ 0,
+ userData(TEST_NO_PERMISSIONS_LOGIN, NO_PERMISSIONS),
+ userData(TEST_LOGIN, servicePermission(srvcName, SERVICE_CANCEL))
+ );

 ServiceConfiguration srvcCfg = new ServiceConfiguration();