use of com.emc.storageos.model.auth.ACLEntry in project coprhd-controller by CoprHD.
Class ApiTest, method zoneCosSetup (test fixture).
/**
 * Test fixture for the resource tests: resolves the single pre-provisioned
 * virtual array, creates one IP and one FC network in it, creates a file
 * virtual pool (NFS) and a block virtual pool (FC, thick, max 2 paths), and
 * finally grants subtenant 1 the USE privilege on both pools using the
 * system-admin client. The created ids are kept in _nh, _iptzone, _fctzone,
 * _cosFile and _cosBlock for later tests. Every step is a live REST call; only
 * the two ACL PUTs have their status asserted (200).
 */
private void zoneCosSetup() {
    // Exactly one virtual array must already exist; its id seeds everything below.
    VirtualArrayList arrays = rSTAdmin1.path("/vdc/varrays/").get(VirtualArrayList.class);
    Assert.assertEquals(1, arrays.getVirtualArrays().size());
    _nh = arrays.getVirtualArrays().get(0).getId();
    _log.info("varray: " + _nh.toString());

    // Two networks in that virtual array, one per transport type.
    String networksPath = String.format("/vdc/varrays/%s/networks", _nh);
    NetworkCreate ipNetwork = new NetworkCreate();
    ipNetwork.setTransportType("IP");
    ipNetwork.setLabel("iptz");
    _iptzone = rZAdmin.path(networksPath).post(NetworkRestRep.class, ipNetwork);
    NetworkCreate fcNetwork = new NetworkCreate();
    fcNetwork.setTransportType("FC");
    fcNetwork.setLabel("fctz");
    _fctzone = rZAdmin.path(networksPath).post(NetworkRestRep.class, fcNetwork);

    // File virtual pool speaking NFS.
    FileVirtualPoolParam filePool = new FileVirtualPoolParam();
    filePool.setName("isilon-file");
    filePool.setProtocols(new HashSet<String>());
    filePool.getProtocols().add(StorageProtocol.File.NFS.name());
    _cosFile = rZAdmin.path("/file/vpools").post(FileVirtualPoolRestRep.class, filePool);

    // Block virtual pool speaking FC, thick-provisioned, at most two paths.
    BlockVirtualPoolParam blockPool = new BlockVirtualPoolParam();
    blockPool.setName("vnx-block");
    blockPool.setProtocols(new HashSet<String>());
    blockPool.getProtocols().add(StorageProtocol.Block.FC.name());
    blockPool.setProvisionType("Thick");
    blockPool.setMaxPaths(2);
    _cosBlock = rZAdminGr.path("/block/vpools").post(BlockVirtualPoolRestRep.class, blockPool);

    // One USE grant for subtenant 1; the same change set is applied to both pools
    // by the system-admin client (rSys), so the ACL is identical on each.
    ACLEntry useGrant = new ACLEntry();
    useGrant.setTenant(subtenant1Id.toString());
    useGrant.setAces(new ArrayList<String>());
    useGrant.getAces().add("USE");
    ACLAssignmentChanges changes = new ACLAssignmentChanges();
    changes.setAdd(new ArrayList<ACLEntry>());
    changes.getAdd().add(useGrant);

    ClientResponse resp = rSys.path(String.format(_blockCosAclUrl, _cosBlock.getId().toString())).put(ClientResponse.class, changes);
    Assert.assertEquals(200, resp.getStatus());
    resp = rSys.path(String.format(_fileCosAclUrl, _cosFile.getId().toString())).put(ClientResponse.class, changes);
    Assert.assertEquals(200, resp.getStatus());
}
Class ApiTest, method projectSetup (test fixture).
/**
 * Test fixture: creates the "resourcetestproject" project in subtenant 1 (as
 * that subtenant's admin, rSTAdminGr1), remembers its id in _testProject, and
 * then assigns two project ACL entries in a single request: the
 * SUBTENANT1_USERS_GROUP group gets "all" and the SUBTENANT1_READER user gets
 * "backup". The group entry is added before the user entry, preserving the
 * original request order. The ACL POST is asserted to return 200.
 */
private void projectSetup() {
    ProjectParam projectParam = new ProjectParam("resourcetestproject");
    String projectsPath = String.format(_projectsUrlFormat, subtenant1Id.toString());
    ProjectElement created = rSTAdminGr1.path(projectsPath).post(ProjectElement.class, projectParam);
    _testProject = created.getId();

    // Group-scoped entry: every member of the subtenant users group gets "all".
    ACLEntry groupAll = new ACLEntry();
    groupAll.setGroup(SUBTENANT1_USERS_GROUP);
    groupAll.setAces(new ArrayList<String>());
    groupAll.getAces().add("all");

    // User-scoped entry: the reader account only gets "backup".
    ACLEntry readerBackup = new ACLEntry();
    readerBackup.setSubjectId(SUBTENANT1_READER);
    readerBackup.setAces(new ArrayList<String>());
    readerBackup.getAces().add("backup");

    ACLAssignmentChanges changes = new ACLAssignmentChanges();
    changes.setAdd(new ArrayList<ACLEntry>());
    changes.getAdd().add(groupAll);
    changes.getAdd().add(readerBackup);

    ClientResponse resp = rSTAdmin1.path(String.format(_projectAclUrl, _testProject.toString())).post(ClientResponse.class, changes);
    Assert.assertEquals(200, resp.getStatus());
}
Class VcenterService, method checkVcenterUsage.
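/**
 * Rejects an ACL update that would remove a tenant which is still using the
 * vCenter.
 * <p>
 * Only the tenants listed in {@code changes.getRemove()} are checked, and only
 * those that are currently present in the vCenter's ACLs; removals of tenants
 * that were never granted are ignored, and additions are never validated here.
 * A tenant counts as "in use" when
 * {@code ComputeSystemHelper.isVcenterInUseForTheTenant} says so for this
 * vCenter (presumably exports against the vCenter's datacenters, clusters or
 * hosts -- see that helper for the exact definition).
 *
 * @param vcenter the vCenter being updated.
 * @param changes new acl assignment changes for the vCenter.
 * @throws APIException (badRequests.cannotRemoveTenant) listing every tenant
 *         being removed that still uses the vCenter.
 */
private void checkVcenterUsage(Vcenter vcenter, ACLAssignmentChanges changes) {
    // Snapshot of the tenants the vCenter is currently shared with.
    List<ACLEntry> existingAclEntries = _permissionsHelper.convertToACLEntries(vcenter.getAcls());
    if (CollectionUtils.isEmpty(existingAclEntries)) {
        // Nothing is granted, so nothing can be in use by a removed tenant.
        _log.debug("vCenter {} does not have any existing acls", vcenter.getLabel());
        return;
    }
    if (CollectionUtils.isEmpty(changes.getRemove())) {
        // Only removals can strand an in-use tenant; additions need no usage check.
        _log.debug("There are not acls to remove from vCenter {}", vcenter.getLabel());
        return;
    }

    Set<URI> removingTenants = _permissionsHelper.getUsageURIsFromAclEntries(changes.getRemove());
    Set<URI> existingTenants = _permissionsHelper.getUsageURIsFromAclEntries(existingAclEntries);

    Set<String> tenantsInUse = new HashSet<String>();
    for (URI removingTenant : removingTenants) {
        // Removing a tenant that is not on the ACL is a no-op; skip the usage lookup.
        if (!existingTenants.contains(removingTenant)) {
            continue;
        }
        if (ComputeSystemHelper.isVcenterInUseForTheTenant(_dbClient, vcenter.getId(), removingTenant)) {
            TenantOrg tenant = _dbClient.queryObject(TenantOrg.class, removingTenant);
            // The tenant record may be gone (or inactive) even though its URI is
            // still on the ACL; report the URI rather than failing with an NPE on
            // tenant.getLabel(), so the request is still rejected as a bad request.
            tenantsInUse.add(tenant != null ? tenant.getLabel() : removingTenant.toString());
        }
    }
    if (!CollectionUtils.isEmpty(tenantsInUse)) {
        throw APIException.badRequests.cannotRemoveTenant("vCenter", vcenter.getLabel(), tenantsInUse);
    }
}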
Class VcenterService, method validateAclEntries.
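/**
 * Validates each ACL entry of a vCenter ACL assignment request.
 * <p>
 * An entry is rejected as a bad request when its privilege list is missing,
 * empty or holds more than one privilege; when the single privilege is
 * anything other than {@code USE} (compared case-insensitively); or when its
 * tenant does not resolve to an existing TenantOrg. vCenter ACLs are
 * tenant-scoped only: entries that carry a subjectId or group instead of a
 * tenant are not meaningful here, and because the tenant is parsed first an
 * entry with a null tenant fails in {@code URI.create} with a
 * NullPointerException (same as before; a dedicated "tenant required" error
 * would be friendlier).
 *
 * @param aclEntries acl entries to be validated; null or empty means nothing to validate.
 * @throws APIException badRequests.unsupportedNumberOfPrivileges,
 *         badRequests.unsupportedPrivilege, or the ArgValidator entity error
 *         for an unknown tenant.
 */
private void validateAclEntries(List<ACLEntry> aclEntries) {
    if (CollectionUtils.isEmpty(aclEntries)) {
        return;
    }
    for (ACLEntry aclEntry : aclEntries) {
        // Parsed once up front; every error below reports it.
        URI tenantId = URI.create(aclEntry.getTenant());

        // Only the USE privilege is allowed on a vCenter, and exactly one of it.
        // A null ace list is treated as "zero privileges" instead of an NPE.
        List<String> aces = aclEntry.getAces();
        if (aces == null || aces.size() != 1) {
            throw APIException.badRequests.unsupportedNumberOfPrivileges(tenantId, aces);
        }
        String ace = aces.get(0);
        // Constant on the left so a null ace is reported as unsupported, not an NPE.
        if (!ACL.USE.name().equalsIgnoreCase(ace)) {
            throw APIException.badRequests.unsupportedPrivilege(tenantId, ace);
        }

        // The tenant must exist (active only, per the 'true' flag).
        TenantOrg tenant = queryObject(TenantOrg.class, tenantId, true);
        ArgValidator.checkEntity(tenant, tenantId, isIdEmbeddedInURL(tenantId));
    }
}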
Class VcenterService, method verifyAuthorizedInTenantOrg.
/**
 * Ensures the calling user may view a vCenter that is shared with the given
 * tenants. The user is authorized when, for at least one non-null entry, any
 * of the following holds, checked in this order with short-circuiting:
 * the user's own tenant is the entry's tenant; the user is a system admin or
 * system monitor; the user holds TENANT_ADMIN in the entry's tenant.
 * <p>
 * NOTE(review): the system admin/monitor check lives inside the loop, so a
 * vCenter whose ACL list is empty (or contains only null entries) is
 * forbidden to everyone, system administrators included -- confirm that is
 * intended. An entry whose tenant is null reaches {@code URI.create} and
 * throws NullPointerException once the first two conditions fail.
 *
 * @param aclEntries the tenants list that shares the vCenter.
 * @throws APIException forbidden.insufficientPermissionsForUser when no
 *         entry authorizes the user.
 */
private void verifyAuthorizedInTenantOrg(List<ACLEntry> aclEntries) {
    StorageOSUser user = getUserFromContext();
    for (ACLEntry aclEntry : aclEntries) {
        if (aclEntry == null) {
            continue;
        }
        String entryTenant = aclEntry.getTenant();
        boolean ownTenant = user.getTenantId().toString().equals(entryTenant);
        if (ownTenant || isSystemAdminOrMonitorUser()
                || _permissionsHelper.userHasGivenRole(user, URI.create(entryTenant), Role.TENANT_ADMIN)) {
            // First matching entry is enough.
            return;
        }
    }
    throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
}