GEODE-3974: Core function security improvement (#1310)

Author: jinmeiliao

geode-connectors/src/test/java/org/apache/geode/connectors/jdbc/internal/cli/JDBCConnectorFunctionsSecurityTest.java

@@ -77,7 +77,6 @@ public static void setupClass() {
     functionStringMap.keySet().forEach(FunctionService::registerFunction);
   }
 
-
   @Test
   @ConnectionConfiguration(user = "user", password = "user")
   public void functionRequireExpectedPermission() throws Exception {
@@ -86,7 +85,8 @@ public void functionRequireExpectedPermission() throws Exception {
       String permission = entry.getValue();
       gfsh.executeAndAssertThat("execute function --id=" + function.getId())
           .tableHasRowCount("Function Execution Result", 1)
-          .tableHasColumnWithValuesContaining("Function Execution Result", permission)
+          .tableHasRowWithValues("Function Execution Result",
+              "Exception: user not authorized for " + permission)
           .statusIsError();
     });
   }

geode-core/src/main/java/org/apache/geode/internal/cache/execute/util/FindRestEnabledServersFunction.java

@@ -15,8 +15,7 @@
 package org.apache.geode.internal.cache.execute.util;
 
 import org.apache.geode.cache.CacheClosedException;
-import org.apache.geode.cache.CacheFactory;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.internal.DistributionConfig;
 import org.apache.geode.distributed.internal.InternalDistributedSystem;
@@ -30,7 +29,7 @@
  *
  * @since GemFire 8.1
  */
-public class FindRestEnabledServersFunction extends FunctionAdapter implements InternalEntity {
+public class FindRestEnabledServersFunction implements Function, InternalEntity {
   private static final long serialVersionUID = 7851518767859544678L;
 
   /**
@@ -42,7 +41,7 @@ public class FindRestEnabledServersFunction extends FunctionAdapter implements I
 
   public void execute(FunctionContext context) {
     try {
-      InternalCache cache = (InternalCache) CacheFactory.getAnyInstance();
+      InternalCache cache = (InternalCache) context.getCache();
       DistributionConfig config = InternalDistributedSystem.getAnyInstance().getConfig();
 
       String bindAddress = RestAgent.getBindAddressForHttpService(config);

geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/AlterRuntimeConfigFunction.java

@@ -14,14 +14,16 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Set;
 
 import org.apache.logging.log4j.Logger;
 
 import org.apache.geode.cache.CacheClosedException;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.internal.DistributionConfig;
 import org.apache.geode.internal.ConfigSource;
@@ -30,8 +32,10 @@
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
-public class AlterRuntimeConfigFunction extends FunctionAdapter implements InternalEntity {
+public class AlterRuntimeConfigFunction implements Function, InternalEntity {
 
   private static final long serialVersionUID = 1L;
 
@@ -85,6 +89,11 @@ public void execute(FunctionContext context) {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_WRITE);
+  }
+
   @Override
   public String getId() {
     return AlterRuntimeConfigFunction.class.getName();

geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ChangeLogLevelFunction.java

@@ -14,8 +14,10 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
-import static org.apache.geode.distributed.ConfigurationProperties.*;
+import static org.apache.geode.distributed.ConfigurationProperties.LOG_LEVEL;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -31,6 +33,8 @@
 import org.apache.geode.internal.logging.log4j.LogLevel;
 import org.apache.geode.internal.logging.log4j.LogMarker;
 import org.apache.geode.internal.logging.log4j.LogWriterLogger;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 
 /**
@@ -72,6 +76,11 @@ public void execute(FunctionContext context) {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_WRITE);
+  }
+
   @Override
   public String getId() {
     return ChangeLogLevelFunction.ID;

geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableClientFunction.java

@@ -14,29 +14,33 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
-import org.apache.geode.distributed.internal.InternalDistributedSystem;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier;
 import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.domain.MemberResult;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /***
  * Function to close a durable client
  *
  */
-public class CloseDurableClientFunction extends FunctionAdapter implements InternalEntity {
+public class CloseDurableClientFunction implements Function, InternalEntity {
 
   private static final long serialVersionUID = 1L;
 
   @Override
   public void execute(FunctionContext context) {
     String durableClientId = (String) context.getArguments();
-    final Cache cache = CliUtil.getCacheIfExists();
+    final Cache cache = context.getCache();
     final String memberNameOrId =
         CliUtil.getMemberNameOrId(cache.getDistributedSystem().getDistributedMember());
     MemberResult memberResult = new MemberResult(memberNameOrId);
@@ -69,6 +73,11 @@ public void execute(FunctionContext context) {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY);
+  }
+
   @Override
   public String getId() {
     return CloseDurableClientFunction.class.getName();

geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CloseDurableCqFunction.java

@@ -14,29 +14,33 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.tier.sockets.CacheClientNotifier;
 import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy;
-import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.domain.MemberResult;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /***
  * Function to close a durable cq
  *
  */
-public class CloseDurableCqFunction extends FunctionAdapter implements InternalEntity {
+public class CloseDurableCqFunction implements Function, InternalEntity {
 
   private static final long serialVersionUID = 1L;
 
   @Override
   public void execute(FunctionContext context) {
 
-    final Cache cache = CliUtil.getCacheIfExists();
+    final Cache cache = context.getCache();
     final String memberNameOrId =
         CliUtil.getMemberNameOrId(cache.getDistributedSystem().getDistributedMember());
     CacheClientNotifier cacheClientNotifier = CacheClientNotifier.getInstance();
@@ -71,6 +75,11 @@ public void execute(FunctionContext context) {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY);
+  }
+
   @Override
   public String getId() {
     return CloseDurableCqFunction.class.getName();

geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/ContinuousQueryFunction.java

@@ -16,6 +16,7 @@
 
 import java.io.Serializable;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Iterator;
 
 import org.apache.geode.cache.execute.Function;
@@ -28,6 +29,8 @@
 import org.apache.geode.internal.cache.tier.sockets.CacheClientProxy;
 import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID;
 import org.apache.geode.internal.cache.tier.sockets.ServerConnection;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * @since GemFire 8.0
@@ -103,6 +106,11 @@ public void execute(FunctionContext context) {
     context.getResultSender().lastResult(null);
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_READ);
+  }
+
   @Override
   public String getId() {
     return ContinuousQueryFunction.ID;

geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateAsyncEventQueueFunction.java

@@ -14,6 +14,8 @@
  */
 package org.apache.geode.management.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Properties;
@@ -38,6 +40,8 @@
 import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
 /**
  * Function used by the 'create async-event-queue' gfsh command to create an asynchronous event
@@ -128,6 +132,11 @@ public void execute(FunctionContext context) {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DEPLOY);
+  }
+
   private Object newInstance(String className)
       throws ClassNotFoundException, IllegalAccessException, InstantiationException {
     if (Strings.isNullOrEmpty(className)) {
@@ -139,6 +148,6 @@ private Object newInstance(String className)
 
   @Override
   public String getId() {
-    return CreateDiskStoreFunction.class.getName();
+    return CreateAsyncEventQueueFunction.class.getName();
   }
 }

geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDefinedIndexesFunction.java

@@ -15,13 +15,15 @@
 package org.apache.geode.management.internal.cli.functions;
 
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.execute.ResultSender;
 import org.apache.geode.cache.query.Index;
@@ -33,8 +35,10 @@
 import org.apache.geode.management.internal.cli.domain.IndexInfo;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
-public class CreateDefinedIndexesFunction extends FunctionAdapter implements InternalEntity {
+public class CreateDefinedIndexesFunction implements Function, InternalEntity {
   private static final long serialVersionUID = 1L;
 
   @Override
@@ -122,4 +126,9 @@ public void execute(FunctionContext context) {
           .lastResult(new CliFunctionResult(memberId, exception, exceptionMessage));
     }
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_QUERY);
+  }
 }

geode-core/src/main/java/org/apache/geode/management/internal/cli/functions/CreateDiskStoreFunction.java

@@ -20,12 +20,15 @@
  * @since GemFire 8.0
  */
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.logging.log4j.Logger;
 
 import org.apache.geode.SystemFailure;
 import org.apache.geode.cache.CacheClosedException;
 import org.apache.geode.cache.DiskStoreFactory;
-import org.apache.geode.cache.execute.FunctionAdapter;
+import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.distributed.DistributedMember;
 import org.apache.geode.internal.InternalEntity;
@@ -34,8 +37,10 @@
 import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.management.internal.security.ResourcePermissions;
+import org.apache.geode.security.ResourcePermission;
 
-public class CreateDiskStoreFunction extends FunctionAdapter implements InternalEntity {
+public class CreateDiskStoreFunction implements Function, InternalEntity {
   private static final Logger logger = LogService.getLogger();
 
   private static final long serialVersionUID = 1L;
@@ -79,6 +84,11 @@ public void execute(FunctionContext context) {
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(ResourcePermissions.CLUSTER_MANAGE_DISK);
+  }
+
   @Override
   public String getId() {
     return CreateDiskStoreFunction.class.getName();