Akiban Server

Merge lp:~mmcm/akiban-server/is-session-restrict into lp:~akiban-technologies/akiban-server/trunk

  1. is-session-restrict
  2. Merge into trunk
Proposed by Mike McMahon
Status: Merged
Approved by: Nathan Williams
Approved revision: 2642
Merged at revision: 2641
Proposed branch: lp:~mmcm/akiban-server/is-session-restrict
Merge into: lp:~akiban-technologies/akiban-server/trunk
Diff against target: 469 lines (+91/-34)
9 files modified
src/main/java/com/akiban/server/service/is/ServerSchemaTablesServiceImpl.java (+50/-25)
src/main/java/com/akiban/server/service/monitor/MonitorService.java (+7/-2)
src/main/java/com/akiban/server/service/monitor/MonitorServiceImpl.java (+13/-2)
src/main/java/com/akiban/server/service/security/SecurityService.java (+1/-0)
src/main/java/com/akiban/server/service/security/SecurityServiceImpl.java (+7/-0)
src/main/java/com/akiban/sql/embedded/JDBCConnection.java (+2/-2)
src/main/java/com/akiban/sql/pg/PostgresServerConnection.java (+3/-3)
src/main/java/com/akiban/sql/pg/PostgresServerStatement.java (+3/-0)
src/test/java/com/akiban/sql/ServerSessionITBase.java (+5/-0)
To merge this branch: bzr merge lp:~mmcm/akiban-server/is-session-restrict
Reviewer Review Type Date Requested Status
Akiban Build User Needs Fixing
Nathan Williams Approve
Review via email: mp+160521@code.launchpad.net

Description of the change

Restrict session tables to own session when security enabled and not admin.
Restrict ALTER TABLE the same way.

To post a comment you must log in.
Revision history for this message
Nathan Williams (nwilliams) wrote :

Looks good.

review: Approve
Revision history for this message
Akiban Build User (build-akiban) wrote :

There were 2 failures during build/test:

* job server-build failed at build number 3986: http://172.16.20.104:8080/job/server-build/3986/

* view must-pass failed: server-build is red

review: Needs Fixing
Revision history for this message
Akiban Build User (build-akiban) wrote :

There were 2 failures during build/test:

* job server-build failed at build number 3990: http://172.16.20.104:8080/job/server-build/3990/

* view must-pass failed: server-build is yellow

review: Needs Fixing
Revision history for this message
Mike McMahon (mmcm) wrote :

The order returned by full text seems to be non-deterministic, probably because the loading is asynchronous. But maybe we'll get lucky.

Revision history for this message
Akiban Build User (build-akiban) wrote :

There were 2 failures during build/test:

* job server-build failed at build number 3992: http://172.16.20.104:8080/job/server-build/3992/

* view must-pass failed: server-build is yellow

review: Needs Fixing

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'src/main/java/com/akiban/server/service/is/ServerSchemaTablesServiceImpl.java'
2--- src/main/java/com/akiban/server/service/is/ServerSchemaTablesServiceImpl.java 2013-03-22 20:05:57 +0000
3+++ src/main/java/com/akiban/server/service/is/ServerSchemaTablesServiceImpl.java 2013-04-24 20:46:27 +0000
4@@ -19,6 +19,8 @@
5 import java.lang.management.GarbageCollectorMXBean;
6 import java.lang.management.ManagementFactory;
7 import java.lang.management.MemoryPoolMXBean;
8+import java.util.Collection;
9+import java.util.Collections;
10 import java.util.Iterator;
11 import java.util.Map;
12
13@@ -42,6 +44,8 @@
14 import com.akiban.server.service.monitor.PreparedStatementMonitor;
15 import com.akiban.server.service.monitor.ServerMonitor;
16 import com.akiban.server.service.monitor.SessionMonitor;
17+import com.akiban.server.service.security.SecurityService;
18+import com.akiban.server.service.session.Session;
19 import com.akiban.server.store.SchemaManager;
20 import com.akiban.server.types.AkType;
21 import com.akiban.server.types.FromObjectValueSource;
22@@ -63,20 +67,23 @@
23 static final TableName SERVER_TAPS = new TableName (SCHEMA_NAME, "server_taps");
24 static final TableName SERVER_PREPARED_STATEMENTS = new TableName (SCHEMA_NAME, "server_prepared_statements");
25 static final TableName SERVER_CURSORS = new TableName (SCHEMA_NAME, "server_cursors");
26-
27+
28 private final MonitorService monitor;
29 private final ConfigurationService configService;
30 private final AkServerInterface serverInterface;
31+ private final SecurityService securityService;
32
33 @Inject
34 public ServerSchemaTablesServiceImpl (SchemaManager schemaManager,
35 MonitorService monitor,
36 ConfigurationService configService,
37- AkServerInterface serverInterface) {
38+ AkServerInterface serverInterface,
39+ SecurityService securityService) {
40 super(schemaManager);
41 this.monitor = monitor;
42 this.configService = configService;
43 this.serverInterface = serverInterface;
44+ this.securityService = securityService;
45 }
46
47 @Override
48@@ -114,6 +121,21 @@
49 // nothing
50 }
51
52+ protected Collection<SessionMonitor> getAccessibleSessions(Session session) {
53+ if (securityService.hasRestrictedAccess(session)) {
54+ return monitor.getSessionMonitors();
55+ }
56+ else {
57+ SessionMonitor sm = monitor.getSessionMonitor(session);
58+ if (sm == null) {
59+ return Collections.emptyList();
60+ }
61+ else {
62+ return Collections.singletonList(sm);
63+ }
64+ }
65+ }
66+
67 private class InstanceSummary extends BasicFactoryBase {
68
69 public InstanceSummary(TableName sourceTable) {
70@@ -122,7 +144,7 @@
71
72 @Override
73 public GroupScan getGroupScan(MemoryAdapter adapter) {
74- return new Scan(getRowType(adapter));
75+ return new Scan(adapter.getSession(), getRowType(adapter));
76 }
77
78 @Override
79@@ -132,7 +154,7 @@
80
81 private class Scan extends BaseScan {
82
83- public Scan (RowType rowType) {
84+ public Scan (Session session, RowType rowType) {
85 super(rowType);
86 }
87
88@@ -158,7 +180,7 @@
89
90 @Override
91 public GroupScan getGroupScan(MemoryAdapter adapter) {
92- return new Scan (getRowType(adapter));
93+ return new Scan (adapter.getSession(), getRowType(adapter));
94 }
95
96 @Override
97@@ -168,7 +190,7 @@
98
99 private class Scan extends BaseScan {
100 final Iterator<ServerMonitor> servers = monitor.getServerMonitors().values().iterator();
101- public Scan(RowType rowType) {
102+ public Scan(Session session, RowType rowType) {
103 super(rowType);
104 }
105
106@@ -198,7 +220,7 @@
107
108 @Override
109 public GroupScan getGroupScan(MemoryAdapter adapter) {
110- return new Scan (getRowType(adapter));
111+ return new Scan (adapter.getSession(), getRowType(adapter));
112 }
113
114 @Override
115@@ -207,9 +229,10 @@
116 }
117
118 private class Scan extends BaseScan {
119- final Iterator<SessionMonitor> sessions = monitor.getSessionMonitors().iterator();
120- public Scan(RowType rowType) {
121+ final Iterator<SessionMonitor> sessions;
122+ public Scan(Session session, RowType rowType) {
123 super(rowType);
124+ sessions = getAccessibleSessions(session).iterator();
125 }
126
127 @Override
128@@ -252,7 +275,7 @@
129
130 @Override
131 public GroupScan getGroupScan(MemoryAdapter adapter) {
132- return new Scan (getRowType(adapter));
133+ return new Scan (adapter.getSession(), getRowType(adapter));
134 }
135
136 @Override
137@@ -263,7 +286,7 @@
138 private class Scan extends BaseScan {
139
140 private final ErrorCode[] codes = ErrorCode.values();
141- public Scan(RowType rowType) {
142+ public Scan(Session session, RowType rowType) {
143 super(rowType);
144 }
145
146@@ -288,7 +311,7 @@
147
148 @Override
149 public GroupScan getGroupScan(MemoryAdapter adapter) {
150- return new Scan (getRowType(adapter));
151+ return new Scan (adapter.getSession(), getRowType(adapter));
152 }
153
154 @Override
155@@ -299,7 +322,7 @@
156 private class Scan extends BaseScan {
157 private Iterator<Map.Entry<String,String>> propertyIt;
158
159- public Scan(RowType rowType) {
160+ public Scan(Session session, RowType rowType) {
161 super(rowType);
162 propertyIt = configService.getProperties().entrySet().iterator();
163 }
164@@ -324,7 +347,7 @@
165
166 @Override
167 public GroupScan getGroupScan(MemoryAdapter adapter) {
168- return new Scan (getRowType(adapter));
169+ return new Scan (adapter.getSession(), getRowType(adapter));
170 }
171
172 @Override
173@@ -335,7 +358,7 @@
174 private class Scan extends BaseScan {
175 private final Iterator<MemoryPoolMXBean> it;
176
177- public Scan(RowType rowType) {
178+ public Scan(Session session, RowType rowType) {
179 super(rowType);
180 it = ManagementFactory.getMemoryPoolMXBeans().iterator();
181 }
182@@ -364,7 +387,7 @@
183
184 @Override
185 public GroupScan getGroupScan(MemoryAdapter adapter) {
186- return new Scan (getRowType(adapter));
187+ return new Scan (adapter.getSession(), getRowType(adapter));
188 }
189
190 @Override
191@@ -375,7 +398,7 @@
192 private class Scan extends BaseScan {
193 private final Iterator<GarbageCollectorMXBean> it;
194
195- public Scan(RowType rowType) {
196+ public Scan(Session session, RowType rowType) {
197 super(rowType);
198 it = ManagementFactory.getGarbageCollectorMXBeans().iterator();
199 }
200@@ -406,7 +429,7 @@
201
202 @Override
203 public GroupScan getGroupScan(MemoryAdapter adapter) {
204- return new Scan (getRowType(adapter));
205+ return new Scan (adapter.getSession(), getRowType(adapter));
206 }
207
208 @Override
209@@ -418,7 +441,7 @@
210 private final TapReport[] reports;
211 private int it = 0;
212
213- public Scan(RowType rowType) {
214+ public Scan(Session session, RowType rowType) {
215 super(rowType);
216 reports = getAllReports();
217 }
218@@ -447,7 +470,7 @@
219
220 @Override
221 public GroupScan getGroupScan(MemoryAdapter adapter) {
222- return new Scan (getRowType(adapter));
223+ return new Scan (adapter.getSession(), getRowType(adapter));
224 }
225
226 @Override
227@@ -459,11 +482,12 @@
228 }
229
230 private class Scan extends BaseScan {
231- final Iterator<SessionMonitor> sessions = monitor.getSessionMonitors().iterator();
232+ final Iterator<SessionMonitor> sessions;
233 Iterator<PreparedStatementMonitor> statements = null;
234
235- public Scan(RowType rowType) {
236+ public Scan(Session session, RowType rowType) {
237 super(rowType);
238+ sessions = getAccessibleSessions(session).iterator();
239 }
240
241 @Override
242@@ -497,7 +521,7 @@
243
244 @Override
245 public GroupScan getGroupScan(MemoryAdapter adapter) {
246- return new Scan (getRowType(adapter));
247+ return new Scan (adapter.getSession(), getRowType(adapter));
248 }
249
250 @Override
251@@ -509,11 +533,12 @@
252 }
253
254 private class Scan extends BaseScan {
255- final Iterator<SessionMonitor> sessions = monitor.getSessionMonitors().iterator();
256+ final Iterator<SessionMonitor> sessions;
257 Iterator<CursorMonitor> statements = null;
258
259- public Scan(RowType rowType) {
260+ public Scan(Session session, RowType rowType) {
261 super(rowType);
262+ sessions = getAccessibleSessions(session).iterator();
263 }
264
265 @Override
266
267=== modified file 'src/main/java/com/akiban/server/service/monitor/MonitorService.java'
268--- src/main/java/com/akiban/server/service/monitor/MonitorService.java 2013-03-22 20:05:57 +0000
269+++ src/main/java/com/akiban/server/service/monitor/MonitorService.java 2013-04-24 20:46:27 +0000
270@@ -17,6 +17,8 @@
271
272 package com.akiban.server.service.monitor;
273
274+import com.akiban.server.service.session.Session;
275+
276 import java.util.Collection;
277 import java.util.Map;
278
279@@ -34,14 +36,17 @@
280 int allocateSessionId();
281
282 /** Register the given session monitor. */
283- void registerSessionMonitor(SessionMonitor sessionMonitor);
284+ void registerSessionMonitor(SessionMonitor sessionMonitor, Session session);
285
286 /** Deregister the given session monitor. */
287- void deregisterSessionMonitor(SessionMonitor sessionMonitor);
288+ void deregisterSessionMonitor(SessionMonitor sessionMonitor, Session session);
289
290 /** Get the session monitor for the given session id. */
291 SessionMonitor getSessionMonitor(int sessionId);
292
293+ /** Get the session monitor for the given session. */
294+ SessionMonitor getSessionMonitor(Session session);
295+
296 /** Get all registered session monitors. */
297 Collection<SessionMonitor> getSessionMonitors();
298
299
300=== modified file 'src/main/java/com/akiban/server/service/monitor/MonitorServiceImpl.java'
301--- src/main/java/com/akiban/server/service/monitor/MonitorServiceImpl.java 2013-03-22 20:05:57 +0000
302+++ src/main/java/com/akiban/server/service/monitor/MonitorServiceImpl.java 2013-04-24 20:46:27 +0000
303@@ -21,6 +21,7 @@
304 import com.akiban.server.service.Service;
305 import com.akiban.server.service.config.ConfigurationService;
306 import com.akiban.server.service.jmx.JmxManageable;
307+import com.akiban.server.service.session.Session;
308
309 import com.google.inject.Inject;
310 import org.slf4j.Logger;
311@@ -45,6 +46,9 @@
312
313 private static final Logger logger = LoggerFactory.getLogger(MonitorServiceImpl.class);
314
315+ public static final Session.Key<SessionMonitor> SESSION_KEY =
316+ Session.Key.named("SESSION_MONITOR");
317+
318 private final ConfigurationService config;
319
320 private Map<String,ServerMonitor> servers;
321@@ -124,15 +128,17 @@
322 }
323
324 @Override
325- public void registerSessionMonitor(SessionMonitor sessionMonitor) {
326+ public void registerSessionMonitor(SessionMonitor sessionMonitor, Session session) {
327 SessionMonitor old = sessions.put(sessionMonitor.getSessionId(), sessionMonitor);
328 assert ((old == null) || (old == sessionMonitor));
329+ session.put(SESSION_KEY, sessionMonitor);
330 }
331
332 @Override
333- public void deregisterSessionMonitor(SessionMonitor sessionMonitor) {
334+ public void deregisterSessionMonitor(SessionMonitor sessionMonitor, Session session) {
335 SessionMonitor old = sessions.remove(sessionMonitor.getSessionId());
336 assert ((old == null) || (old == sessionMonitor));
337+ session.remove(SESSION_KEY);
338 }
339
340 @Override
341@@ -141,6 +147,11 @@
342 }
343
344 @Override
345+ public SessionMonitor getSessionMonitor(Session session) {
346+ return session.get(SESSION_KEY);
347+ }
348+
349+ @Override
350 public Collection<SessionMonitor> getSessionMonitors() {
351 return sessions.values();
352 }
353
354=== modified file 'src/main/java/com/akiban/server/service/security/SecurityService.java'
355--- src/main/java/com/akiban/server/service/security/SecurityService.java 2013-03-22 20:05:57 +0000
356+++ src/main/java/com/akiban/server/service/security/SecurityService.java 2013-04-24 20:46:27 +0000
357@@ -36,6 +36,7 @@
358
359 public boolean isAccessible(Session session, String schema);
360 public boolean isAccessible(HttpServletRequest request, String schema);
361+ public boolean hasRestrictedAccess(Session session);
362
363 public void addRole(String name);
364 public void deleteRole(String name);
365
366=== modified file 'src/main/java/com/akiban/server/service/security/SecurityServiceImpl.java'
367--- src/main/java/com/akiban/server/service/security/SecurityServiceImpl.java 2013-04-22 22:50:40 +0000
368+++ src/main/java/com/akiban/server/service/security/SecurityServiceImpl.java 2013-04-24 20:46:27 +0000
369@@ -481,6 +481,13 @@
370 TableName.SYS_SCHEMA.equals(schema);
371 }
372
373+ @Override
374+ public boolean hasRestrictedAccess(Session session) {
375+ User user = session.get(SESSION_KEY);
376+ if (user == null) return true; // Not authenticated = open.
377+ return user.hasRole(ADMIN_ROLE);
378+ }
379+
380 /* Service */
381
382 @Override
383
384=== modified file 'src/main/java/com/akiban/sql/embedded/JDBCConnection.java'
385--- src/main/java/com/akiban/sql/embedded/JDBCConnection.java 2013-03-22 20:05:57 +0000
386+++ src/main/java/com/akiban/sql/embedded/JDBCConnection.java 2013-04-24 20:46:27 +0000
387@@ -281,12 +281,12 @@
388
389 // Register as a result of beginning a transaction (which is implicit).
390 protected void registerSessionMonitor() {
391- reqs.monitor().registerSessionMonitor(sessionMonitor);
392+ reqs.monitor().registerSessionMonitor(sessionMonitor, session);
393 }
394
395 // Deregister when transaction is committed, rolled back, or connection closed.
396 protected void deregisterSessionMonitor() {
397- reqs.monitor().deregisterSessionMonitor(sessionMonitor);
398+ reqs.monitor().deregisterSessionMonitor(sessionMonitor, session);
399 }
400
401 protected AkServerInterface getAkServer() {
402
403=== modified file 'src/main/java/com/akiban/sql/pg/PostgresServerConnection.java'
404--- src/main/java/com/akiban/sql/pg/PostgresServerConnection.java 2013-04-19 21:33:50 +0000
405+++ src/main/java/com/akiban/sql/pg/PostgresServerConnection.java 2013-04-24 20:46:27 +0000
406@@ -133,7 +133,8 @@
407 }
408 };
409 sessionMonitor.setRemoteAddress(socket.getInetAddress().getHostAddress());
410- reqs.monitor().registerSessionMonitor(sessionMonitor);
411+ session = reqs.sessionService().createSession();
412+ reqs.monitor().registerSessionMonitor(sessionMonitor, session);
413 }
414
415 public void start() {
416@@ -328,7 +329,7 @@
417 transaction = null;
418 }
419 server.removeConnection(sessionId);
420- reqs.monitor().deregisterSessionMonitor(sessionMonitor);
421+ reqs.monitor().deregisterSessionMonitor(sessionMonitor, session);
422 }
423 }
424
425@@ -431,7 +432,6 @@
426 logger.debug("Properties: {}", clientProperties);
427 setProperties(clientProperties);
428
429- session = reqs.sessionService().createSession();
430 // TODO: Not needed right now and not a convenient time to
431 // encounter schema lock from long-running DDL.
432 // But see comment in initParser(): what if we wanted to warn
433
434=== modified file 'src/main/java/com/akiban/sql/pg/PostgresServerStatement.java'
435--- src/main/java/com/akiban/sql/pg/PostgresServerStatement.java 2013-04-04 21:44:13 +0000
436+++ src/main/java/com/akiban/sql/pg/PostgresServerStatement.java 2013-04-24 20:46:27 +0000
437@@ -34,6 +34,7 @@
438 import com.akiban.server.error.AkibanInternalException;
439 import com.akiban.server.error.ConnectionTerminatedException;
440 import com.akiban.server.error.InvalidOperationException;
441+import com.akiban.server.error.SecurityException;
442 import com.akiban.server.error.UnsupportedConfigurationException;
443 import com.akiban.sql.parser.AlterServerNode;
444
445@@ -135,6 +136,8 @@
446 }
447
448 protected void doOperation (PostgresServerSession session) throws Exception {
449+ if (!session.getSecurityService().hasRestrictedAccess(session.getSession()))
450+ throw new SecurityException("Operation not allowed");
451 PostgresServerConnection current = (PostgresServerConnection)session;
452 PostgresServer server = current.getServer();
453 Integer sessionId = statement.getSessionID();
454
455=== modified file 'src/test/java/com/akiban/sql/ServerSessionITBase.java'
456--- src/test/java/com/akiban/sql/ServerSessionITBase.java 2013-03-22 20:05:57 +0000
457+++ src/test/java/com/akiban/sql/ServerSessionITBase.java 2013-04-24 20:46:27 +0000
458@@ -114,6 +114,11 @@
459 }
460
461 @Override
462+ public boolean hasRestrictedAccess(com.akiban.server.service.session.Session session) {
463+ return true;
464+ }
465+
466+ @Override
467 public void addRole(String name) {
468 throw new UnsupportedOperationException();
469 }

Subscribers

People subscribed via source and target branches