SGF-517 - Configure Authentication/Authorization with annotations.

(cherry picked from commit a9398d32b2d33eff660916e41faaeeda9e0367a4)
Signed-off-by: John Blum <jblum@pivotal.io>
This commit is contained in:
John Blum
2016-09-07 10:54:22 -07:00
parent ce08dfd39f
commit 9915562fa5
2 changed files with 238 additions and 0 deletions

View File

@@ -0,0 +1,84 @@
/*
* Copyright 2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.springframework.data.gemfire.config.annotation;
import java.util.Map;
import java.util.Properties;
import org.springframework.data.gemfire.config.annotation.support.EmbeddedServiceConfigurationSupport;
import org.springframework.data.gemfire.util.PropertiesBuilder;
/**
* The AuthConfiguration class is a Spring {@link org.springframework.context.annotation.ImportBeanDefinitionRegistrar}
* that applies additional GemFire/Geode configuration by way of GemFire/Geode System properties to configure
* GemFire/Geode Authentication and Authorization framework services.
*
* @author John Blum
* @see org.springframework.data.gemfire.config.annotation.EnableAuth
* @see org.springframework.data.gemfire.config.annotation.support.EmbeddedServiceConfigurationSupport
* @see <a href="Security">http://gemfire.docs.pivotal.io/docs-gemfire/managing/security/chapter_overview.html</a>
* @since 1.9.0
*/
public class AuthConfiguration extends EmbeddedServiceConfigurationSupport {
public static final int DEFAULT_PEER_VERIFY_MEMBER_TIMEOUT = 1000;
public static final String DEFAULT_SECURITY_LOG_LEVEL = "config";
/* (non-Javadoc) */
@Override
protected Class getAnnotationType() {
return EnableAuth.class;
}
/* (non-Javadoc) */
@Override
protected Properties toGemFireProperties(Map<String, Object> annotationAttributes) {
PropertiesBuilder gemfireProperties = PropertiesBuilder.create();
gemfireProperties.setProperty("gemfireSecurityPropertyFile", annotationAttributes.get("securityPropertiesFile"));
gemfireProperties.setProperty("security-client-accessor", annotationAttributes.get("clientAccessor"));
gemfireProperties.setProperty("security-client-accessor-pp",
annotationAttributes.get("clientAccessPostOperation"));
gemfireProperties.setProperty("security-client-auth-init",
annotationAttributes.get("clientAuthenticationInitializer"));
gemfireProperties.setProperty("security-client-authenticator", annotationAttributes.get("clientAuthenticator"));
gemfireProperties.setProperty("security-client-dhalgo",
annotationAttributes.get("clientDiffieHellmanAlgorithm"));
gemfireProperties.setProperty("security-peer-auth-init",
annotationAttributes.get("peerAuthenticationInitializer"));
gemfireProperties.setProperty("security-peer-authenticator", annotationAttributes.get("peerAuthenticator"));
gemfireProperties.setPropertyIfNotDefault("security-peer-verifymember-timeout",
annotationAttributes.get("peerVerifyMemberTimeout"), DEFAULT_PEER_VERIFY_MEMBER_TIMEOUT);
gemfireProperties.setProperty("security-log-file", annotationAttributes.get("securityLogFile"));
gemfireProperties.setPropertyIfNotDefault("security-log-level",
annotationAttributes.get("securityLogLevel"), DEFAULT_SECURITY_LOG_LEVEL);
return gemfireProperties.build();
}
}

View File

@@ -0,0 +1,154 @@
/*
* Copyright 2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.springframework.data.gemfire.config.annotation;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import com.gemstone.gemfire.security.AccessControl;
import com.gemstone.gemfire.security.AuthInitialize;
import com.gemstone.gemfire.security.Authenticator;
/**
* The EnableAuth annotation marks a Spring {@link org.springframework.context.annotation.Configuration @Configuration}
* annotated class to configure and enable GemFire/Geode's Authentication and Authorization framework services.
*
* @author John Blum
* @see com.gemstone.gemfire.security.AccessControl
* @see com.gemstone.gemfire.security.AuthInitialize
* @see com.gemstone.gemfire.security.Authenticator
* @see <a href="http://gemfire.docs.pivotal.io/docs-gemfire/latest/managing/security/authentication_overview.html">Authentication</a>
* @see <a href="http://gemfire.docs.pivotal.io/docs-gemfire/latest/managing/security/authorization_overview.html">Authorization</a>
* @since 1.9.0
*/
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Inherited
@Documented
@SuppressWarnings({ "deprecation", "unused" })
public @interface EnableAuth {
/**
* Used for authorization. Static creation method returning an {@link AccessControl} object, which determines
* authorization of client-server cache operations. This specifies the callback that should be invoked
* in the pre-operation phase, which is when the request for the operation is received from the client.
*
* Defaults to unset.
*/
String clientAccessor() default "";
/**
* Used for authorization. The callback that should be invoked in the post-operation phase, which is
* when the operation has completed on the server but before the result is sent to the client.
* The post-operation callback is also invoked for the updates that are sent from server to client
* through the notification channel.
*
* Defaults to unset.
*/
String clientAccessPostOperation() default "";
/**
* Used for authentication. Static creation method returning an {@link AuthInitialize} object,
* which obtains credentials for clients. The obtained credentials should be acceptable
* to the {@link Authenticator} specified through the {@literal security-client-authenticator} property
* on the clients.
*
* Defaults to unset.
*/
String clientAuthenticationInitializer() default "";
/**
* Used for authentication. Static creation method returning an {@link Authenticator} object,
* which is used by a server to verify the credentials of the connecting client.
*
* Defaults to unset.
*/
String clientAuthenticator() default "";
/**
* Used for authentication. For secure transmission of sensitive credentials like passwords, you can encrypt
* the credentials using the Diffie-Hellman key exchange algorithm. Do this by setting the
* {@literal security-client-dhalgo} system property on the clients to the name of a valid symmetric key cipher
* supported by the JDK.
*
* Defaults to unset.
*/
String clientDiffieHellmanAlgorithm() default "";
/**
* Used with authentication. Static creation method returning an {@link AuthInitialize} object, which obtains
* credentials for peers in a distributed system. The obtained credentials should be acceptable to the
* {@link Authenticator} specified through the {@literal security-peer-authenticator} property on the peers.
*
* Defaults to unset.
*/
String peerAuthenticationInitializer() default "";
/**
* Used with authentication. Static creation method returning an {@link Authenticator} object, which is used
* by a peer to verify the credentials of the connecting peer.
*
* Defaults to unset.
*/
String peerAuthenticator() default "";
/**
* Used with authentication. Timeout in milliseconds used by a peer to verify membership of an unknown
* authenticated peer requesting a secure connection.
*
* Defaults to {@literal 1000} milliseconds.
*/
long peerVerifyMemberTimeout() default AuthConfiguration.DEFAULT_PEER_VERIFY_MEMBER_TIMEOUT;
/**
* Used with authentication. The log file for security log messages. If not specified, the members
* regular log file is used.
*
* Defaults to unset.
*/
String securityLogFile() default "";
/**
* Used with authentication. Logging level detail for security log messages.
*
* Valid values from lowest to highest are {@literal fine}, {@literal config}, {@literal info}, {@literal warning},
* {@literal error}, {@literal severe}, and {@literal none}.
*
* Defaults to {@literal config}.
*/
String securityLogLevel() default AuthConfiguration.DEFAULT_SECURITY_LOG_LEVEL;
/**
* Used for authentication. Any custom properties needed by your {@link AuthInitialize}
* or {@link Authenticator} callbacks store in an external {@link java.util.Properties} file.
*
* Any security-related (properties that begin with {@literal security-*}) configuration properties
* that are normally configured in {@literal gemfire.properties} can be moved to a separate
* {@literal gfsecurity.properties} file. Placing these configuration settings in a separate file
* allows you to restrict access to security configuration data. This way, you can still allow read
* or write access for your {@literal gemfire.properties} file.
*
* Defaults to unset.
*/
String securityPropertiesFile() default "";
}