
Example 1 with ACLEntry

use of com.emc.storageos.model.auth.ACLEntry in project coprhd-controller by CoprHD.

the class ApiTest method zoneCosSetup.

/**
 * Test fixture for the virtual-array / virtual-pool resources used by the API tests.
 *
 * Reads the single expected varray, creates an IP and an FC network under it, creates
 * one file vpool (NFS) and one block vpool (FC, thick, 2 paths), and finally grants
 * subtenant1 the {@code USE} ACL on both vpools. The ACL assignments are issued with
 * the system client ({@code rSys}), so this also exercises the privileged ACL path;
 * both assignment calls are asserted to return HTTP 200.
 */
private void zoneCosSetup() {
    VirtualArrayList varrays = rSTAdmin1.path("/vdc/varrays/").get(VirtualArrayList.class);
    Assert.assertEquals(1, varrays.getVirtualArrays().size());
    _nh = varrays.getVirtualArrays().get(0).getId();
    _log.info("varray: " + _nh.toString());

    // Both networks hang off the same varray, so build the URL once.
    String networksUrl = String.format("/vdc/varrays/%s/networks", _nh);
    _iptzone = rZAdmin.path(networksUrl).post(NetworkRestRep.class, newNetworkCreate("IP", "iptz"));
    _fctzone = rZAdmin.path(networksUrl).post(NetworkRestRep.class, newNetworkCreate("FC", "fctz"));

    // File vpool: NFS only.
    FileVirtualPoolParam fileVpool = new FileVirtualPoolParam();
    fileVpool.setName("isilon-file");
    fileVpool.setProtocols(new HashSet<String>());
    fileVpool.getProtocols().add(StorageProtocol.File.NFS.name());
    _cosFile = rZAdmin.path("/file/vpools").post(FileVirtualPoolRestRep.class, fileVpool);

    // Block vpool: FC, thick provisioning, two paths.
    BlockVirtualPoolParam blockVpool = new BlockVirtualPoolParam();
    blockVpool.setName("vnx-block");
    blockVpool.setProtocols(new HashSet<String>());
    blockVpool.getProtocols().add(StorageProtocol.Block.FC.name());
    blockVpool.setProvisionType("Thick");
    blockVpool.setMaxPaths(2);
    _cosBlock = rZAdminGr.path("/block/vpools").post(BlockVirtualPoolRestRep.class, blockVpool);

    // Grant subtenant1 USE on both vpools; the same change set is applied to each.
    ACLEntry useEntry = new ACLEntry();
    useEntry.setTenant(subtenant1Id.toString());
    useEntry.setAces(new ArrayList<String>());
    useEntry.getAces().add("USE");
    ACLAssignmentChanges changes = new ACLAssignmentChanges();
    changes.setAdd(new ArrayList<ACLEntry>());
    changes.getAdd().add(useEntry);

    ClientResponse resp = rSys.path(String.format(_blockCosAclUrl, _cosBlock.getId().toString())).put(ClientResponse.class, changes);
    Assert.assertEquals(200, resp.getStatus());
    resp = rSys.path(String.format(_fileCosAclUrl, _cosFile.getId().toString())).put(ClientResponse.class, changes);
    Assert.assertEquals(200, resp.getStatus());
}

/** Builds a network create request with the given transport type and label. */
private static NetworkCreate newNetworkCreate(String transportType, String label) {
    NetworkCreate network = new NetworkCreate();
    network.setTransportType(transportType);
    network.setLabel(label);
    return network;
}

Example 2 with ACLEntry

use of com.emc.storageos.model.auth.ACLEntry in project coprhd-controller by CoprHD.

the class ApiTest method projectSetup.

/**
 * Test fixture for the project used by the resource tests.
 *
 * Creates "resourcetestproject" under subtenant1 and assigns two ACL entries to it:
 * the subtenant1 users group gets {@code all}, and the subtenant1 reader user gets
 * {@code backup}. The assignment is made by the subtenant admin client and is
 * asserted to return HTTP 200.
 */
private void projectSetup() {
    ProjectParam projectParam = new ProjectParam("resourcetestproject");
    String projectsUrl = String.format(_projectsUrlFormat, subtenant1Id.toString());
    ProjectElement created = rSTAdminGr1.path(projectsUrl).post(ProjectElement.class, projectParam);
    _testProject = created.getId();

    // Group entry: every member of the subtenant1 users group gets full access.
    ACLEntry groupEntry = new ACLEntry();
    groupEntry.setGroup(SUBTENANT1_USERS_GROUP);
    groupEntry.setAces(new ArrayList<String>());
    groupEntry.getAces().add("all");

    // User entry: the reader user only gets the backup privilege.
    ACLEntry readerEntry = new ACLEntry();
    readerEntry.setSubjectId(SUBTENANT1_READER);
    readerEntry.setAces(new ArrayList<String>());
    readerEntry.getAces().add("backup");

    // Group entry first, then the user entry, matching the order the server receives them.
    List<ACLEntry> additions = new ArrayList<ACLEntry>();
    additions.add(groupEntry);
    additions.add(readerEntry);
    ACLAssignmentChanges changes = new ACLAssignmentChanges();
    changes.setAdd(additions);

    String aclUrl = String.format(_projectAclUrl, _testProject.toString());
    ClientResponse resp = rSTAdmin1.path(aclUrl).post(ClientResponse.class, changes);
    Assert.assertEquals(200, resp.getStatus());
}

Example 3 with ACLEntry

use of com.emc.storageos.model.auth.ACLEntry in project coprhd-controller by CoprHD.

the class VcenterService method checkVcenterUsage.

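/**
 * Rejects an ACL update that would remove a tenant which is still using the vCenter.
 *
 * A tenant counts as "in use" when {@code ComputeSystemHelper.isVcenterInUseForTheTenant}
 * reports that the tenant has exports against the vCenter's data centers, clusters or
 * hosts. Only tenants listed in {@code changes.getRemove()} that are actually present in
 * the vCenter's current ACLs are checked; additions are not validated here, and neither is
 * the removal of a tenant that never had access (nothing to protect).
 *
 * @param vcenter the vCenter being updated.
 * @param changes new acl assignment changes for the vCenter; may be null (treated as no removals).
 * @throws APIException bad request naming every removed tenant that is still in use.
 */
private void checkVcenterUsage(Vcenter vcenter, ACLAssignmentChanges changes) {
    // Snapshot of the vCenter's current tenant ACLs.
    List<ACLEntry> existingAclEntries = _permissionsHelper.convertToACLEntries(vcenter.getAcls());
    if (CollectionUtils.isEmpty(existingAclEntries)) {
        // No tenant currently has access, so no removal can strand an export.
        _log.debug("vCenter {} does not have any existing acls", vcenter.getLabel());
        return;
    }
    // Nothing is being removed, so there is nothing to check for usage.
    if (changes == null || CollectionUtils.isEmpty(changes.getRemove())) {
        _log.debug("There are not acls to remove from vCenter {}", vcenter.getLabel());
        return;
    }

    Set<URI> existingTenants = _permissionsHelper.getUsageURIsFromAclEntries(existingAclEntries);
    Set<URI> removingTenants = _permissionsHelper.getUsageURIsFromAclEntries(changes.getRemove());
    Set<String> tenantsInUse = new HashSet<String>();
    for (URI removingTenant : removingTenants) {
        if (!existingTenants.contains(removingTenant)) {
            // Not currently shared with this tenant; the removal is a no-op.
            continue;
        }
        // Does this tenant still have exports against the vCenter's data centers / clusters / hosts?
        if (ComputeSystemHelper.isVcenterInUseForTheTenant(_dbClient, vcenter.getId(), removingTenant)) {
            TenantOrg tenant = _dbClient.queryObject(TenantOrg.class, removingTenant);
            // The tenant may have been deleted since the ACL was granted; report its URI in
            // that case instead of failing with an NPE on getLabel().
            tenantsInUse.add(tenant != null ? tenant.getLabel() : removingTenant.toString());
        }
    }
    if (!CollectionUtils.isEmpty(tenantsInUse)) {
        throw APIException.badRequests.cannotRemoveTenant("vCenter", vcenter.getLabel(), tenantsInUse);
    }
}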

Example 4 with ACLEntry

use of com.emc.storageos.model.auth.ACLEntry in project coprhd-controller by CoprHD.

the class VcenterService method validateAclEntries.

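/**
 * Validates a list of vCenter acl entries.
 *
 * An entry is rejected (bad request) when it carries anything other than exactly one
 * privilege, when that privilege is not {@code USE} (compared case-insensitively), or
 * when the tenant it names does not resolve to an existing TenantOrg. Null elements and
 * a null/empty list are accepted without error.
 *
 * NOTE(review): only {@code getTenant()} is inspected; an entry that sets a subject id or
 * group instead of a tenant is not rejected here, and a null or malformed tenant string
 * still surfaces as a runtime exception from {@code URI.create} rather than a 400 — confirm
 * whether the caller validates those before this method runs.
 *
 * @param aclEntries acl entries to be validated; may be null or empty.
 * @throws APIException bad request for an unsupported privilege count or privilege name,
 *         or the not-found/bad-request error raised by {@code ArgValidator.checkEntity}
 *         for an unknown tenant.
 */
private void validateAclEntries(List<ACLEntry> aclEntries) {
    if (CollectionUtils.isEmpty(aclEntries)) {
        return;
    }
    for (ACLEntry aclEntry : aclEntries) {
        if (aclEntry == null) {
            continue;
        }
        URI tenantId = URI.create(aclEntry.getTenant());
        List<String> aces = aclEntry.getAces();
        // For vCenter ACLs only the single USE privilege can be provided. A missing ace
        // list is treated the same as a wrong number of privileges instead of an NPE.
        if (aces == null || aces.size() != 1) {
            throw APIException.badRequests.unsupportedNumberOfPrivileges(tenantId, aces);
        }
        String ace = aces.get(0);
        if (!ACL.USE.name().equalsIgnoreCase(ace)) {
            throw APIException.badRequests.unsupportedPrivilege(tenantId, ace);
        }
        // The tenant named by the entry must be an existing TenantOrg.
        TenantOrg tenant = queryObject(TenantOrg.class, tenantId, true);
        ArgValidator.checkEntity(tenant, tenantId, isIdEmbeddedInURL(tenantId));
    }
}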

Example 5 with ACLEntry

use of com.emc.storageos.model.auth.ACLEntry in project coprhd-controller by CoprHD.

the class VcenterService method verifyAuthorizedInTenantOrg.

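/**
 * Checks that the current user may view a vCenter shared with the given tenants.
 *
 * The user is authorized when at least one acl entry names a tenant and either the user
 * belongs to that tenant, or the user holds TENANT_ADMIN in that tenant, or the user is a
 * system admin / monitor. Note that the system-admin shortcut is only reached when the
 * acl list is non-empty: with no entries at all every user, including system admins, is
 * refused — this preserves the existing behaviour; confirm whether callers can ever pass
 * an empty list.
 *
 * @param aclEntries the tenants list that shares the vCenter; null is treated as empty.
 * @throws APIException forbidden when no entry authorizes the current user.
 */
private void verifyAuthorizedInTenantOrg(List<ACLEntry> aclEntries) {
    StorageOSUser user = getUserFromContext();
    String userTenant = user.getTenantId().toString();
    boolean isUserAuthorized = false;
    if (aclEntries != null) {
        for (ACLEntry aclEntry : aclEntries) {
            if (aclEntry == null) {
                continue;
            }
            // System admins and monitors may view any shared vCenter.
            if (isSystemAdminOrMonitorUser()) {
                isUserAuthorized = true;
                break;
            }
            String entryTenant = aclEntry.getTenant();
            if (entryTenant == null) {
                // An entry without a tenant cannot authorize a tenant user; skipping it
                // avoids an NPE in URI.create below.
                continue;
            }
            if (userTenant.equals(entryTenant)
                    || _permissionsHelper.userHasGivenRole(user, URI.create(entryTenant), Role.TENANT_ADMIN)) {
                isUserAuthorized = true;
                break;
            }
        }
    }
    if (!isUserAuthorized) {
        throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
    }
}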
