feat: add ingore security check api (#1784)

apache · Mar 21, 2022 · 91f1cec · 91f1cec
1 parent 14eb6cb
commit 91f1cec
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
@@ -24,6 +24,7 @@
 import java.security.Permission;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.CopyOnWriteArraySet;
 
 import org.slf4j.Logger;
 
@@ -126,6 +127,17 @@ public class HugeSecurityManager extends SecurityManager {
             ImmutableSet.of("newSecurityException")
     );
 
+    private static final Set<String> ignoreCheckedClasses = new CopyOnWriteArraySet<>();
+
+    public static void ignoreCheckedClass(String clazz) {
+        if (callFromGremlin()) {
+            throw newSecurityException(
+                  "Not allowed to add ignore check via Gremlin");
+        }
+
+        ignoreCheckedClasses.add(clazz);
+    }
+
     @Override
     public void checkPermission(Permission permission) {
         if (DENIED_PERMISSIONS.contains(permission.getName()) &&
@@ -167,7 +179,7 @@ public void checkAccess(Thread thread) {
         if (callFromGremlin() && !callFromCaffeine() &&
             !callFromAsyncTasks() && !callFromEventHubNotify() &&
             !callFromBackendThread() && !callFromBackendHbase() &&
-            !callFromRaft() && !callFromSofaRpc()) {
+            !callFromRaft() && !callFromSofaRpc() && !callFromIgnoreCheckedClass()) {
             throw newSecurityException(
                   "Not allowed to access thread via Gremlin");
         }
@@ -179,7 +191,8 @@ public void checkAccess(ThreadGroup threadGroup) {
         if (callFromGremlin() && !callFromCaffeine() &&
             !callFromAsyncTasks() && !callFromEventHubNotify() &&
             !callFromBackendThread() && !callFromBackendHbase() &&
-            !callFromRaft() && !callFromSofaRpc()) {
+            !callFromRaft() && !callFromSofaRpc() &&
+            !callFromIgnoreCheckedClass()) {
             throw newSecurityException(
                   "Not allowed to access thread group via Gremlin");
         }
@@ -475,6 +488,10 @@ private static boolean callFromNewSecurityException() {
         return callFromMethods(NEW_SECURITY_EXCEPTION);
     }
 
+    private static boolean callFromIgnoreCheckedClass() {
+        return callFromWorkerWithClass(ignoreCheckedClasses);
+    }
+
     private static boolean callFromWorkerWithClass(Set<String> classes) {
         Thread curThread = Thread.currentThread();
         if (curThread.getName().startsWith(GREMLIN_SERVER_WORKER) ||