Examples with CheckPermission com.emc.storageos.security.authorization.CheckPermission used on opensource projects

Example 1 with CheckPermission

use of com.emc.storageos.security.authorization.CheckPermission in project coprhd-controller by CoprHD.

the class ProjectService method updateQuota.

/**
 * Updates quota and available capacity before quota is exhausted
 *
 * @param id the URN of a ViPR Project.
 * @param param new values for the quota
 * @prereq none
 * @brief Update quota and available capacity
 * @return QuotaInfo Quota metrics.
 */
@PUT
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@CheckPermission(roles = { Role.TENANT_ADMIN })
@Path("/{id}/quota")
public QuotaInfo updateQuota(@PathParam("id") URI id, QuotaUpdateParam param) throws DatabaseException {
    Project project = getProjectById(id, true);
    project.setQuotaEnabled(param.getEnable());
    if (param.getEnable()) {
        long quota_gb = (param.getQuotaInGb() != null) ? param.getQuotaInGb() : project.getQuota();
        ArgValidator.checkFieldMinimum(quota_gb, 0, "quota_gb", "GB");
        // Verify that the quota of this project does not exit quota for its tenant
        TenantOrg tenant = _dbClient.queryObject(TenantOrg.class, project.getTenantOrg().getURI());
        if (tenant.getQuotaEnabled()) {
            long totalProjects = CapacityUtils.totalProjectQuota(_dbClient, tenant.getId()) - project.getQuota() + quota_gb;
            if (totalProjects > tenant.getQuota()) {
                throw APIException.badRequests.invalidParameterProjectQuotaInvalidatesTenantQuota(tenant.getQuota());
            }
        }
        project.setQuota(quota_gb);
    }
    _dbClient.persistObject(project);
    return getQuota(project);
}

Example 2 with CheckPermission

use of com.emc.storageos.security.authorization.CheckPermission in project coprhd-controller by CoprHD.

the class ProjectService method unassignVNasServersFromProject.

/**
 * Unassigns VNAS server from project.
 *
 * @param id the URN of a ViPR Project
 * @param param Assign virtual NAS server parameters
 * @prereq none
 * @brief Unassign VNAS servers from project
 * @return No data returned in response body
 * @throws BadRequestException
 */
@PUT
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("/{id}/unassign-vnas-servers")
@CheckPermission(roles = { Role.SYSTEM_ADMIN }, acls = { ACL.ALL, ACL.OWN })
public Response unassignVNasServersFromProject(@PathParam("id") URI id, VirtualNasParam param) {
    checkCompatibleVersion();
    Project project = getProjectById(id, true);
    Set<String> vNasIds = param.getVnasServers();
    if (vNasIds != null && !vNasIds.isEmpty()) {
        StringSet vnasServers = project.getAssignedVNasServers();
        if (!vnasServers.containsAll(vNasIds)) {
            throw APIException.badRequests.vNasServersNotAssociatedToProject();
        }
        if (vnasServers != null && !vnasServers.isEmpty()) {
            for (String vId : vNasIds) {
                URI vnasURI = URI.create(vId);
                VirtualNAS vnas = _permissionsHelper.getObjectById(vnasURI, VirtualNAS.class);
                ArgValidator.checkEntity(vnas, vnasURI, isIdEmbeddedInURL(vnasURI));
                if (vnasServers.contains(vId)) {
                    vnas.dissociateProject(id.toString());
                    _dbClient.updateObject(vnas);
                    project.getAssignedVNasServers().remove(vId);
                }
            }
            _dbClient.updateObject(project);
            _log.info("Successfully unassigned the VNAS servers from project : {} ", project.getLabel());
        } else {
            throw APIException.badRequests.noVNasServersAssociatedToProject(project.getLabel());
        }
    } else {
        throw APIException.badRequests.invalidEntryForProjectVNAS();
    }
    return Response.ok().build();
}

Example 3 with CheckPermission

use of com.emc.storageos.security.authorization.CheckPermission in project coprhd-controller by CoprHD.

the class FileService method export.

/**
 * Export file system.
 *
 * <p>
 * NOTE: This is an asynchronous operation.
 *
 * @param param
 *            File system export parameters
 * @param id
 *            the URN of a ViPR File system
 * @brief Create file export
 * @return Task resource representation
 * @throws InternalException
 */
@POST
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("/{id}/exports")
@CheckPermission(roles = { Role.TENANT_ADMIN }, acls = { ACL.OWN, ACL.ALL })
public TaskResourceRep export(@PathParam("id") URI id, FileSystemExportParam param) throws InternalException {
    _log.info("Export request recieved {}", id);
    // check file System
    ArgValidator.checkFieldUriType(id, FileShare.class, "id");
    ArgValidator.checkFieldValueFromEnum(param.getPermissions(), "permissions", EnumSet.allOf(FileShareExport.Permissions.class));
    _log.info("Export security type {}", param.getSecurityType());
    for (String sectype : param.getSecurityType().split(",")) {
        ArgValidator.checkFieldValueFromEnum(sectype.trim(), "type", EnumSet.allOf(FileShareExport.SecurityTypes.class));
    }
    ArgValidator.checkFieldValueFromEnum(param.getProtocol(), "protocol", EnumSet.allOf(StorageProtocol.File.class));
    validateIpInterfacesRegistered(param.getEndpoints(), _dbClient);
    FileShare fs = queryResource(id);
    String task = UUID.randomUUID().toString();
    StorageSystem device = _dbClient.queryObject(StorageSystem.class, fs.getStorageDevice());
    ArgValidator.checkEntity(fs, id, isIdEmbeddedInURL(id));
    // Check for VirtualPool whether it has NFS enabled
    VirtualPool vpool = _dbClient.queryObject(VirtualPool.class, fs.getVirtualPool());
    if (!vpool.getProtocols().contains(StorageProtocol.File.NFS.name()) && !vpool.getProtocols().contains(StorageProtocol.File.NFSv4.name())) {
        // Throw an error
        throw APIException.methodNotAllowed.vPoolDoesntSupportProtocol("Vpool doesn't support " + StorageProtocol.File.NFS.name() + " or " + StorageProtocol.File.NFSv4 + " protocol");
    }
    // locate storage port for exporting file System
    StoragePort sport = _fileScheduler.placeFileShareExport(fs, param.getProtocol(), param.getEndpoints());
    String path = fs.getPath();
    String mountPath = fs.getMountPath();
    String subDirectory = param.getSubDirectory();
    if (ArgValidator.checkSubDirName("sub_directory", param.getSubDirectory())) {
        // Add subdirectory to the path as this is a subdirectory export
        path += "/" + param.getSubDirectory();
        mountPath += "/" + param.getSubDirectory();
    }
    FSExportMap exportMap = fs.getFsExports();
    if (exportMap != null) {
        Iterator it = fs.getFsExports().keySet().iterator();
        boolean exportExists = false;
        while (it.hasNext()) {
            String fsExpKey = (String) it.next();
            FileExport fileExport = fs.getFsExports().get(fsExpKey);
            if (fileExport.getPath().equalsIgnoreCase(path)) {
                exportExists = true;
                break;
            }
        }
        if (exportExists) {
            throw APIException.badRequests.fileSystemHasExistingExport();
        }
    }
    String rootUserMapping = param.getRootUserMapping();
    if (rootUserMapping != null) {
        rootUserMapping = rootUserMapping.toLowerCase();
    }
    // check for bypassDnsCheck flag. If null then set to false
    Boolean dnsCheck = param.getBypassDnsCheck();
    if (dnsCheck == null) {
        dnsCheck = false;
    }
    FileShareExport export = new FileShareExport(param.getEndpoints(), param.getSecurityType(), param.getPermissions(), rootUserMapping, param.getProtocol(), sport.getPortGroup(), sport.getPortNetworkId(), path, mountPath, subDirectory, param.getComments(), dnsCheck);
    _log.info(String.format("FileShareExport --- FileShare id: %1$s, Clients: %2$s, StoragePort: %3$s, SecurityType: %4$s, " + "Permissions: %5$s, Root user mapping: %6$s, Protocol: %7$s, path: %8$s, mountPath: %9$s, SubDirectory: %10$s ,byPassDnsCheck: %11$s", id, export.getClients(), sport.getPortName(), export.getSecurityType(), export.getPermissions(), export.getRootUserMapping(), export.getProtocol(), export.getPath(), export.getMountPath(), export.getSubDirectory(), export.getBypassDnsCheck()));
    Operation op = _dbClient.createTaskOpStatus(FileShare.class, fs.getId(), task, ResourceOperationTypeEnum.EXPORT_FILE_SYSTEM);
    op.setDescription("Filesystem export");
    FileServiceApi fileServiceApi = getFileShareServiceImpl(fs, _dbClient);
    fileServiceApi.export(device.getId(), fs.getId(), Arrays.asList(export), task);
    auditOp(OperationTypeEnum.EXPORT_FILE_SYSTEM, true, AuditLogManager.AUDITOP_BEGIN, fs.getId().toString(), device.getId().toString(), export.getClients(), param.getSecurityType(), param.getPermissions(), param.getRootUserMapping(), param.getProtocol());
    return toTask(fs, task, op);
}

Example 4 with CheckPermission

use of com.emc.storageos.security.authorization.CheckPermission in project coprhd-controller by CoprHD.

the class FileService method stopContinuousCopies.

/**
 * Stop continuous copies.
 *
 * @prereq none
 * @param id the URN of a ViPR Source file share
 * @brief Stop the replication session between source and target file system.
 * @return TaskList
 * @throws ControllerException
 */
@POST
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("/{id}/protection/continuous-copies/stop")
@CheckPermission(roles = { Role.TENANT_ADMIN }, acls = { ACL.OWN, ACL.ALL })
public TaskList stopContinuousCopies(@PathParam("id") URI id, FileReplicationParam param) throws ControllerException {
    doMirrorOperationValidation(id, ProtectionOp.STOP.toString());
    String task = UUID.randomUUID().toString();
    FileShare sourceFileShare = queryResource(id);
    Set<URI> unassignFrom = new HashSet<>();
    unassignFrom.add(id);
    FilePolicy filepolicy = FileSystemReplicationUtils.getReplicationPolicyAppliedOnFS(sourceFileShare, _dbClient);
    Operation op = _dbClient.createTaskOpStatus(FileShare.class, id, task, ResourceOperationTypeEnum.FILE_PROTECTION_ACTION_STOP);
    op.setDescription("stop the replication link between source and target");
    FileOrchestrationController controller = getController(FileOrchestrationController.class, FileOrchestrationController.FILE_ORCHESTRATION_DEVICE);
    controller.unassignFilePolicy(filepolicy.getId(), unassignFrom, task);
    auditOp(OperationTypeEnum.STOP_FILE_MIRROR, true, "BEGIN", sourceFileShare.getId().toString());
    TaskList taskList = new TaskList();
    TaskResourceRep taskResp = toTask(sourceFileShare, task, op);
    taskList.getTaskList().add(taskResp);
    return taskList;
}

Example 5 with CheckPermission

use of com.emc.storageos.security.authorization.CheckPermission in project coprhd-controller by CoprHD.

the class FileService method createQuotaDirectory.

/**
 * Create Quota directory for a file system
 * <p>
 * NOTE: This is an asynchronous operation.
 *
 * @param id
 *            the URN of a ViPR File system
 * @param param
 *            File system Quota directory parameters
 * @brief Create file system Quota directory
 * @return Task resource representation
 * @throws InternalException
 */
@POST
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("/{id}/quota-directories")
@CheckPermission(roles = { Role.TENANT_ADMIN }, acls = { ACL.OWN, ACL.ALL })
public TaskResourceRep createQuotaDirectory(@PathParam("id") URI id, QuotaDirectoryCreateParam param) throws InternalException {
    _log.info("FileService::createQtree Request recieved {}", id);
    String origQtreeName = param.getQuotaDirName();
    ArgValidator.checkQuotaDirName(origQtreeName, "name");
    ArgValidator.checkFieldMaximum(param.getSoftLimit(), 100, "softLimit");
    ArgValidator.checkFieldMaximum(param.getNotificationLimit(), 100, "notificationLimit");
    if (param.getSoftLimit() != 0L) {
        ArgValidator.checkFieldMinimum(param.getSoftGrace(), 1L, "softGrace");
    }
    // check duplicate QuotaDirectory names for this fileshare
    checkForDuplicateName(origQtreeName, QuotaDirectory.class, id, "parent", _dbClient);
    String task = UUID.randomUUID().toString();
    ArgValidator.checkFieldUriType(id, FileShare.class, "id");
    if (param.getSecurityStyle() != null) {
        ArgValidator.checkFieldValueFromEnum(param.getSecurityStyle(), "security_style", EnumSet.allOf(QuotaDirectory.SecurityStyles.class));
    }
    // Get the FileSystem object from the URN
    FileShare fs = queryResource(id);
    ArgValidator.checkEntity(fs, id, isIdEmbeddedInURL(id));
    int fsSoftLimit = -1;
    if (null != fs.getSoftLimit()) {
        fsSoftLimit = fs.getSoftLimit().intValue();
    }
    int fsNotifiLimit = -1;
    if (null != fs.getNotificationLimit()) {
        fsNotifiLimit = fs.getNotificationLimit().intValue();
    }
    int fsGraceLimit = -1;
    if (null != fs.getSoftGracePeriod()) {
        fsGraceLimit = fs.getSoftGracePeriod().intValue();
    }
    // Create the QuotaDirectory object for the DB
    QuotaDirectory quotaDirectory = new QuotaDirectory();
    quotaDirectory.setId(URIUtil.createId(QuotaDirectory.class));
    // ICICIC - Curious !
    quotaDirectory.setParent(new NamedURI(id, origQtreeName));
    quotaDirectory.setLabel(origQtreeName);
    quotaDirectory.setOpStatus(new OpStatusMap());
    quotaDirectory.setProject(new NamedURI(fs.getProject().getURI(), origQtreeName));
    quotaDirectory.setTenant(new NamedURI(fs.getTenant().getURI(), origQtreeName));
    quotaDirectory.setSoftLimit(param.getSoftLimit() > 0 ? param.getSoftLimit() : fsSoftLimit > 0 ? fsSoftLimit : 0);
    quotaDirectory.setSoftGrace(param.getSoftGrace() > 0 ? param.getSoftGrace() : fsGraceLimit > 0 ? fsGraceLimit : 0);
    quotaDirectory.setNotificationLimit(param.getNotificationLimit() > 0 ? param.getNotificationLimit() : fsNotifiLimit > 0 ? fsNotifiLimit : 0);
    String convertedName = origQtreeName.replaceAll("[^\\dA-Za-z_]", "");
    _log.info("FileService::QuotaDirectory Original name {} and converted name {}", origQtreeName, convertedName);
    quotaDirectory.setName(convertedName);
    if (param.getOpLock() != null) {
        quotaDirectory.setOpLock(param.getOpLock());
    } else {
        quotaDirectory.setOpLock(true);
    }
    if (param.getSecurityStyle() != null) {
        quotaDirectory.setSecurityStyle(param.getSecurityStyle());
    } else {
        quotaDirectory.setSecurityStyle(SecurityStyles.parent.toString());
    }
    if (param.getSize() != null) {
        // converts the input string in format "<value>GB"
        Long quotaSize = SizeUtil.translateSize(param.getSize());
        // to bytes
        ArgValidator.checkFieldMaximum(quotaSize, fs.getCapacity(), SizeUtil.SIZE_B, "size", true);
        quotaDirectory.setSize(quotaSize);
    } else {
        quotaDirectory.setSize((long) 0);
    }
    fs.setOpStatus(new OpStatusMap());
    Operation op = new Operation();
    op.setResourceType(ResourceOperationTypeEnum.CREATE_FILE_SYSTEM_QUOTA_DIR);
    quotaDirectory.getOpStatus().createTaskStatus(task, op);
    fs.getOpStatus().createTaskStatus(task, op);
    _dbClient.createObject(quotaDirectory);
    _dbClient.persistObject(fs);
    // Create an object of type "FileShareQuotaDirectory" to be passed into the south-bound layers.
    FileShareQuotaDirectory qt = new FileShareQuotaDirectory(quotaDirectory);
    // Now get ready to make calls into the controller
    StorageSystem device = _dbClient.queryObject(StorageSystem.class, fs.getStorageDevice());
    FileController controller = getController(FileController.class, device.getSystemType());
    try {
        controller.createQuotaDirectory(device.getId(), qt, fs.getId(), task);
    } catch (InternalException e) {
        quotaDirectory.setInactive(true);
        _dbClient.persistObject(quotaDirectory);
        // should discriminate between validation problems vs. internal errors
        throw e;
    }
    auditOp(OperationTypeEnum.CREATE_FILE_SYSTEM_QUOTA_DIR, true, AuditLogManager.AUDITOP_BEGIN, quotaDirectory.getLabel(), quotaDirectory.getId().toString(), fs.getId().toString());
    fs = _dbClient.queryObject(FileShare.class, id);
    _log.debug("FileService::QuotaDirectory Before sending response, FS ID : {}, Tasks : {} ; Status {}", fs.getOpStatus().get(task), fs.getOpStatus().get(task).getStatus());
    return toTask(quotaDirectory, task, op);
}