use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class VolumeService method verifyUserIsAuthorizedForRequest.
/**
 * Verify the user is authorized for a volume creation request.
 *
 * @param project The reference to the Project.
 * @param vpool The reference to the Virtual Pool.
 * @param varray The reference to the Virtual Array.
 *
 * @throws APIException when the user is not authorized.
 */
private void verifyUserIsAuthorizedForRequest(Project project, VirtualPool vpool, VirtualArray varray) {
    StorageOSUser user = getUserFromContext();
    // The caller must either be a TENANT_ADMIN of the project's tenant or hold an
    // OWN or ALL ACL on the project itself.
    if (!(_permissionsHelper.userHasGivenRole(user, project.getTenantOrg().getURI(), Role.TENANT_ADMIN)
            || _permissionsHelper.userHasGivenACL(user, project.getId(), ACL.OWN, ACL.ALL))) {
        throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
    }
    // The caller's own tenant must additionally be allowed to use the requested vpool and varray.
    URI vipr_tenantId = URI.create(user.getTenantId());
    _permissionsHelper.checkTenantHasAccessToVirtualPool(vipr_tenantId, vpool);
    _permissionsHelper.checkTenantHasAccessToVirtualArray(vipr_tenantId, varray);
}
use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class ExportGroupService method createExportGroup.
/**
 * Create block export.
 * <p>
 * The block export method is used to export one or more volumes to one or more hosts. This is a required step for a host to be
 * able to access a block volume, although in some scenarios additional configuration may be required. There are three main types
 * of export group to meet the common use cases:
 * <ol>
 *
 * <li>Create an initiator type export group so that a single host can see one or more volumes. An example would be an export group
 * for a host boot LUN or a private volume that is meant to be used by only one host. The assumption in this case is that the user
 * wants the boot or private volume to be accessed via known initiators. For this type of export, the request object is expected to
 * have only initiators (i.e. no hosts or clusters). Further, the initiators are expected to belong to the same host. While an
 * initiator type export group can belong to only one host, this does not mean the host can only have the initiator type export
 * group. A host can be part of many export groups of any type. The export group type {@link ExportGroupType#Initiator} should be
 * specified in the request for this type of export.</li>
 *
 * <li>Create an export group so that one or more hosts, which are not part of a cluster, can access one or more volumes. This is the
 * use case of a shared data LUN. In this case, it is assumed that the user wants all the host's initiators that are connected to the
 * storage array (up to the maximum specified by the virtual pool) to be able to access the volume. The export group type
 * {@link ExportGroupType#Host} should be specified in the request for this type of export.</li>
 *
 * <li>Create an export group so that one or more clusters of hosts can access one or more volumes. This is the same shared data LUN
 * use case as the {@link ExportGroupType#Host} case, except that the user is managing a cluster of hosts as opposed to individual
 * hosts. In this case, the same assumption about the initiators as in the previous case is made. The export group type
 * {@link ExportGroupType#Cluster} should be specified in the request for this type of export.</li>
 * </ol>
 *
 * Note that the above discussion only mentions volumes, but mirrors and snapshots can also be used in export groups.
 *
 * <p>
 * Once a block export is created, the following incremental changes can be applied to it:
 * <ul>
 * <li>add a volume or volume snapshot to the shared storage pool</li>
 * <li>remove a volume or volume snapshot from the shared storage pool</li>
 * <li>add a new server to the cluster by adding initiators from that server to the block export</li>
 * <li>remove visibility of shared storage from a server by removing its initiators from the block export</li>
 * </ul>
 *
 * <p>
 * Similar to block storage provisioning, a block export is also created within the scope of a varray. Hence, volumes and snapshots
 * being added to a block export must belong to the same varray. Fibre Channel and iSCSI initiators must be part of SANs belonging to
 * the same varray as the block export.
 * <p>
 * For Fibre Channel initiators, SAN zones will also be created when the export group is created if the networks are discovered and:
 * <ol>
 * <li>at least one of the Network Systems can provision the VSAN or Fabric in which each endpoint exists, and</li>
 * <li>the VirtualArray has "auto_san_zoning" set to true.</li>
 * </ol>
 * Each SAN zone consists of an initiator (from the arguments) and a selected storage port. The number of zones created is
 * determined by the number of required initiator/storage-port communication paths.
 * <p>
 * NOTE: This is an asynchronous operation.
 *
 * @param param Export creation parameters
 * @brief Create block export
 * @return Block export details
 * @throws ControllerException
 */
@POST
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
public TaskResourceRep createExportGroup(ExportCreateParam param) throws ControllerException {
    // Validate the number of volumes to export
    if (param.getVolumes() != null && param.getVolumes().size() > MAX_VOLUME_COUNT) {
        throw APIException.badRequests.exceedingLimit("count", MAX_VOLUME_COUNT);
    }
    // Validate the input for the type of export
    validateCreateInputForExportType(param);
    // Reject internal (backend) block objects; only user-visible volumes may be added to a group.
    if (param.getVolumes() != null && !param.getVolumes().isEmpty()) {
        List<URI> addVolumeURIs = new ArrayList<URI>();
        for (VolumeParam volParam : param.getVolumes()) {
            addVolumeURIs.add(volParam.getId());
        }
        BlockService.validateNoInternalBlockObjects(_dbClient, addVolumeURIs, false);
        /**
         * Validate the nativeId/nativeGuid of the volumes being added to the ExportGroup
         */
        validateBlockObjectNativeId(addVolumeURIs);
    }
    // Validate the project and check the caller's permissions on it: either TENANT_ADMIN
    // of the project's tenant, or an OWN or ALL ACL on the project.
    Project project = queryObject(Project.class, param.getProject(), true);
    StorageOSUser user = getUserFromContext();
    if (!(_permissionsHelper.userHasGivenRole(user, project.getTenantOrg().getURI(), Role.TENANT_ADMIN)
            || _permissionsHelper.userHasGivenACL(user, project.getId(), ACL.OWN, ACL.ALL))) {
        throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
    }
    // Validate the varray and check that the project's tenant may use it
    VirtualArray neighborhood = _dbClient.queryObject(VirtualArray.class, param.getVarray());
    _permissionsHelper.checkTenantHasAccessToVirtualArray(project.getTenantOrg().getURI(), neighborhood);
    validateBlockSnapshotsForExportGroupCreate(param);
    // Prepare the export group object
    ExportGroup exportGroup = prepareExportGroup(project, param);
    // Validate the block object input and package it by storage system
    Map<URI, Map<URI, Integer>> storageMap = new HashMap<URI, Map<URI, Integer>>();
    Map<URI, Integer> volumeMap = validateBlockObjectsAndGetMap(param.getVolumes(), exportGroup, storageMap);
    _log.info("Computed storage map: {} volumes in {} storage systems: {}",
            new Object[] { volumeMap.size(), storageMap.size(), storageMap.keySet().toArray() });
    // Validate that there is not already an ExportGroup with the same name, project, and varray.
    // If there is, it is likely because concurrent operations were in the API at the same time
    // and another one created the ExportGroup.
    validateNotSameNameProjectAndVarray(param);
    // If an ExportPathParameters block is present and volumes are present, validate that the
    // caller has permission to use it. The parameters themselves are processed in the async task.
    ExportPathParameters pathParam = param.getExportPathParameters();
    if (pathParam != null && !volumeMap.keySet().isEmpty()) {
        // Only [RESTRICTED_]SYSTEM_ADMIN may override the Vpool export path parameters
        if ((pathParam.getMaxPaths() != null || pathParam.getMinPaths() != null || pathParam.getPathsPerInitiator() != null)
                && !_permissionsHelper.userHasGivenRole(user, null, Role.SYSTEM_ADMIN, Role.RESTRICTED_SYSTEM_ADMIN)) {
            throw APIException.forbidden.onlySystemAdminsCanOverrideVpoolPathParameters(exportGroup.getLabel());
        }
    }
    validatePortGroupWhenAddVolumesForExportGroup(volumeMap.keySet(), (pathParam != null ? pathParam.getPortGroup() : null), null);
    // COP-14028
    // Changing the return of a TaskList to return immediately while the underlying tasks are
    // being built up. Steps:
    // 1. Create a task object ahead of time and persist it for the export group
    // 2. Fire off a thread that does the scheduling (planning) of the export operation
    // 3. Return to the caller the new Task object, which is in the pending state.
    // Export groups are only created on the array when the export group has both block
    // objects and initiators; with no storage systems to touch the task is ready at once.
    String task = UUID.randomUUID().toString();
    Operation.Status status = storageMap.isEmpty() ? Operation.Status.ready : Operation.Status.pending;
    // Persist the export group to the database
    _dbClient.createObject(exportGroup);
    Operation op = initTaskStatus(exportGroup, task, status, ResourceOperationTypeEnum.CREATE_EXPORT_GROUP);
    auditOp(OperationTypeEnum.CREATE_EXPORT_GROUP, true, AuditLogManager.AUDITOP_BEGIN,
            param.getName(), neighborhood.getId().toString(), project.getId().toString());
    TaskResourceRep taskRes = toTask(exportGroup, task, op);
    // Kick off the thread that does the work
    CreateExportGroupSchedulingThread.executeApiTask(this, _asyncTaskService.getExecutorService(), _dbClient, neighborhood,
            project, exportGroup, storageMap, param.getClusters(), param.getHosts(), param.getInitiators(), volumeMap,
            param.getExportPathParameters(), task, taskRes);
    _log.info("Kicked off thread to perform export create scheduling. Returning task: " + taskRes.getId());
    return taskRes;
}
use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class ComputeVirtualPoolService method getComputeVirtualPool.
/**
 * Get all compute virtual pools
 *
 * @brief Get all compute virtual pools
 * @return ComputeVirtualPoolList representations of Compute Virtual Pools
 */
@GET
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
public ComputeVirtualPoolList getComputeVirtualPool(@DefaultValue("") @QueryParam(TENANT_ID_QUERY_PARAM) String tenantId) {
    List<URI> ids = _dbClient.queryByType(ComputeVirtualPool.class, true);
    ComputeVirtualPoolList list = new ComputeVirtualPoolList();
    // If the input tenant is not empty but the user has no access to it, an exception is thrown.
    TenantOrg tenant_input = null;
    if (!StringUtils.isEmpty(tenantId)) {
        tenant_input = getTenantIfHaveAccess(tenantId);
    }
    StorageOSUser user = getUserFromContext();
    Iterator<ComputeVirtualPool> iter = _dbClient.queryIterativeObjects(ComputeVirtualPool.class, ids);
    List<ComputeVirtualPool> vpoolObjects = new ArrayList<>();
    while (iter.hasNext()) {
        vpoolObjects.add(iter.next());
    }
    // System admins and monitors see every vpool; when a tenant was given, only the vpools
    // that tenant is allowed to use are returned.
    if (_permissionsHelper.userHasGivenRole(user, null, Role.SYSTEM_ADMIN, Role.SYSTEM_MONITOR)) {
        for (ComputeVirtualPool virtualPool : vpoolObjects) {
            if (tenant_input == null || _permissionsHelper.tenantHasUsageACL(tenant_input.getId(), virtualPool)) {
                list.getComputeVirtualPool().add(toNamedRelatedResource(virtualPool));
            }
        }
    } else {
        // Otherwise, filter to the vpools the tenant is authorized to use
        URI tenant = null;
        if (tenant_input == null) {
            tenant = URI.create(user.getTenantId());
        } else {
            tenant = tenant_input.getId();
        }
        Set<ComputeVirtualPool> vpoolSet = new HashSet<ComputeVirtualPool>();
        for (ComputeVirtualPool virtualPool : vpoolObjects) {
            if (_permissionsHelper.tenantHasUsageACL(tenant, virtualPool)) {
                vpoolSet.add(virtualPool);
            }
        }
        // If no tenant was specified in the request, also add the vpools that sub-tenants
        // of the user have access to.
        if (tenant_input == null) {
            List<URI> subtenants = _permissionsHelper.getSubtenantsWithRoles(user);
            for (ComputeVirtualPool virtualPool : vpoolObjects) {
                if (_permissionsHelper.tenantHasUsageACL(subtenants, virtualPool)) {
                    vpoolSet.add(virtualPool);
                }
            }
        }
        for (ComputeVirtualPool virtualPool : vpoolSet) {
            list.getComputeVirtualPool().add(toNamedRelatedResource(virtualPool));
        }
    }
    return list;
}
use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class WorkflowService method userHasRoles.
/**
 * Determines if the user has one of the passed roles.
 *
 * @param roles The roles to verify
 *
 * @return true if the user has one of the passed roles, else false
 */
private boolean userHasRoles(String... roles) {
    StorageOSUser user = getUserFromContext();
    Set<String> userRoles = user.getRoles();
    // Collections.disjoint (static import) is true when the two collections share no element,
    // so the user has at least one of the requested roles exactly when they are not disjoint.
    return !disjoint(userRoles, Arrays.asList(roles));
}
use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class VirtualArrayService method getVirtualArrayVirtualPool.
/**
 * Returns the id and self link for all VirtualPools associated
 * with the VirtualArray.
 *
 * @param id the URN of a ViPR VirtualArray.
 *
 * @brief List VirtualArray VirtualPools
 * @return A reference to a VirtualPoolList specifying the id and self link for the
 *         VirtualPools for the VirtualArray.
 */
@GET
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("/{id}/vpools")
@CheckPermission(roles = { Role.SYSTEM_ADMIN, Role.SYSTEM_MONITOR }, acls = { ACL.USE })
public VirtualPoolList getVirtualArrayVirtualPool(@PathParam("id") URI id, @DefaultValue("") @QueryParam(TENANT_ID_QUERY_PARAM) String tenantId) {
    TenantOrg tenant_input = getTenantIfHaveAccess(tenantId);
    VirtualPoolList cosList = new VirtualPoolList();
    URIQueryResultList resultList = new URIQueryResultList();
    _dbClient.queryByConstraint(ContainmentConstraint.Factory.getVirtualArrayVirtualPoolConstraint(id), resultList);
    // The caller does not change while iterating, so resolve the user once
    StorageOSUser user = getUserFromContext();
    Iterator<URI> cosIterator = resultList.iterator();
    while (cosIterator.hasNext()) {
        URI cosId = cosIterator.next();
        VirtualPool cos = _dbClient.queryObject(VirtualPool.class, cosId);
        if (cosList.containsVirtualPoolResource(cosId.toString())) {
            // already added, ignore
            continue;
        }
        /*
         * When the input tenant parameter is null, a user can see the vpool if they:
         * 1. are a sysadmin, sysmonitor or restricted sysadmin, or
         * 2. are mapped to a tenant that has access to it.
         * 3. A tenant admin who is not mapped to that tenant cannot see it.
         *
         * When the input tenant parameter is not null, in addition to the above conditions,
         * the specified tenant must also have usage access to the vpool.
         */
        if (_permissionsHelper.userHasGivenRole(user, null, Role.SYSTEM_ADMIN, Role.SYSTEM_MONITOR, Role.RESTRICTED_SYSTEM_ADMIN)
                || userTenantHasPermissionForVirtualPool(cosId.toString())) {
            if (tenant_input == null || _permissionsHelper.tenantHasUsageACL(tenant_input.getId(), cos)) {
                _log.debug("Adding VirtualPool");
                cosList.getVirtualPool().add(toVirtualPoolResource(cos));
            }
        }
    }
    return cosList;
}