
Example 6 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class ResourceService method isAuthorized.

/**
 * Reports whether the calling user may access the given project. Per the original note,
 * all search functions use this helper.
 *
 * <p>Access is granted when {@code userHasGivenRole} accepts the user for SYSTEM_MONITOR or
 * TENANT_ADMIN against the URI of the project's tenant, or when {@code userHasGivenACL}
 * accepts {@code ACL.ANY} on the project itself. The check fails closed: a missing
 * permissions helper or a project that cannot be loaded yields {@code false}.
 *
 * @param projectUri URI of the project being accessed
 * @return {@code true} only when one of the role or ACL checks passes
 */
protected boolean isAuthorized(URI projectUri) {
    // NOTE(review): the user is passed to the permission checks unchecked; confirm
    // getUserFromContext() cannot return null on the search paths.
    final StorageOSUser caller = getUserFromContext();
    if (_permissionsHelper == null) {
        // Fail closed: without the helper no permission can be verified.
        return false;
    }
    final Project target = _permissionsHelper.getObjectById(projectUri, Project.class);
    if (target == null) {
        // Unknown project: deny rather than guess.
        return false;
    }
    final boolean hasTenantRole = _permissionsHelper.userHasGivenRole(caller, target.getTenantOrg().getURI(), Role.SYSTEM_MONITOR, Role.TENANT_ADMIN);
    // The ACL lookup only runs when the role check did not already grant access.
    return hasTenantRole || _permissionsHelper.userHasGivenACL(caller, projectUri, ACL.ANY);
}
Also used : Project(com.emc.storageos.db.client.model.Project) StorageOSUser(com.emc.storageos.security.authentication.StorageOSUser)

Example 7 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class BlockSnapshotSessionManager method auditOp.

/**
 * Records an audit log entry for a service operation.
 *
 * <p>The entry is attributed to the user found in the security context. Only when the
 * context holds no valid user and the request is recognised as internal by
 * {@code InterNodeHMACAuthFilter} is it attributed to the root tenant and
 * {@code ResourceService.INTERNAL_DATASVC_USER} instead.
 *
 * @param opType audit event type (e.g. CREATE_VPOOL|TENANT etc.)
 * @param operationalStatus outcome of the operation; {@code true} is recorded as
 *            AUDITLOG_SUCCESS, {@code false} as AUDITLOG_FAILURE
 * @param operationStage stage of the operation: {@code null} for a synchronous operation,
 *            "BEGIN" or "END" for an asynchronous one
 * @param descparams description parameters
 */
private void auditOp(OperationTypeEnum opType, boolean operationalStatus, String operationStage, Object... descparams) {
    final URI tenantId;
    final URI username;
    if (BlockServiceUtils.hasValidUserInContext(_securityContext) || !InterNodeHMACAuthFilter.isInternalRequest(_request)) {
        // NOTE(review): this branch is also taken when there is no valid user and the request
        // is not internal; confirm getUserFromContext cannot return null in that case.
        StorageOSUser actor = BlockServiceUtils.getUserFromContext(_securityContext);
        // NOTE(review): URI.create throws IllegalArgumentException for strings that are not
        // valid URI syntax (for example, ones containing spaces); confirm tenant ids and user
        // names are always URI-safe, otherwise the audit record is never written.
        tenantId = URI.create(actor.getTenantId());
        username = URI.create(actor.getName());
    } else {
        // Internal datasvc requests carry no user context, so the record is attributed to
        // the default internal identity.
        tenantId = _permissionsHelper.getRootTenant().getId();
        username = ResourceService.INTERNAL_DATASVC_USER;
    }
    _auditLogManager.recordAuditLog(
            tenantId,
            username,
            BlockService.EVENT_SERVICE_TYPE,
            opType,
            System.currentTimeMillis(),
            operationalStatus ? AuditLogManager.AUDITLOG_SUCCESS : AuditLogManager.AUDITLOG_FAILURE,
            operationStage,
            descparams);
}
Also used : StorageOSUser(com.emc.storageos.security.authentication.StorageOSUser) NamedURI(com.emc.storageos.db.client.model.NamedURI) URI(java.net.URI) NullColumnValueGetter.isNullURI(com.emc.storageos.db.client.util.NullColumnValueGetter.isNullURI)

Example 8 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class AuthenticationResource method logout.

/**
 * Logs a user out by invalidating authentication tokens, optionally including other related
 * tokens and proxy tokens.
 *
 * <p>Without {@code username}, the caller logs themselves out: only the request's token is
 * deleted unless {@code force} is set, in which case all of the caller's tokens are deleted.
 * With {@code username}, the caller logs out another user: this requires SECURITY_ADMIN, or
 * RESTRICTED_SECURITY_ADMIN when the target is one of the local users; otherwise the request
 * is rejected with the forbidden error {@code userNotPermittedToLogoutAnotherUser}. On this
 * path all tokens of the target are deleted whether or not {@code force} is set.
 *
 * <p>A request without a user in the context is rejected with the unauthorized error
 * {@code tokenNotFoundOrInvalidTokenProvided}.
 *
 * <p>NOTE(review): this operation deletes tokens but is mapped to GET. GET requests can be
 * issued by links, prefetchers or embedded cross-site resources, so confirm that the
 * deployment protects this endpoint against cross-site requests.
 *
 * @brief User logout
 * @param force Optional query parameter, if set to true, will delete all active tokens for the user,
 *            excluding proxy tokens. Otherwise, invalidates only the token from the request.
 *            Default value: false
 * @param includeProxyTokens Optional query parameter ("proxytokens"), if set to true and combined
 *            with force, will delete all active tokens, including proxy tokens for the user.
 *            Default value: false
 * @param username Optional query parameter, if supplied, the user named by it is logged out
 *            instead of the currently logged in user (role requirements as described above)
 * @param notifyVDCs Optional query parameter ("notifyvdcs"), if set to true, other VDCs are
 *            notified of the logout unless the affected user is a local user.
 *            Default value: true
 * @return Response wrapping a LoggedOut entity that names the user who was logged out
 * @prereq none
 */
@GET
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("logout")
public Response logout(@DefaultValue("false") @QueryParam("force") boolean force, @DefaultValue("false") @QueryParam("proxytokens") boolean includeProxyTokens, @QueryParam("username") String username, @DefaultValue("true") @QueryParam("notifyvdcs") boolean notifyVDCs) {
    final StorageOSUser caller = getUserFromContext();
    if (caller == null) {
        // No authenticated user behind this request: nothing to log out.
        throw APIException.unauthorized.tokenNotFoundOrInvalidTokenProvided();
    }

    if (StringUtils.isNotBlank(username)) {
        // Logging out another user is a privileged operation.
        final boolean targetIsLocal = _localUsers.containsKey(username);
        final boolean callerIsRestrictedSecAdmin = _permissionsHelper.userHasGivenRole(caller, URI.create(caller.getTenantId()), Role.RESTRICTED_SECURITY_ADMIN);
        final boolean callerIsSecAdmin = _permissionsHelper.userHasGivenRole(caller, URI.create(caller.getTenantId()), Role.SECURITY_ADMIN);
        // A restricted security admin may only log out local users.
        final boolean permitted = callerIsSecAdmin || (targetIsLocal && callerIsRestrictedSecAdmin);
        if (!permitted) {
            throw APIException.forbidden.userNotPermittedToLogoutAnotherUser(caller.getUserName());
        }
        // Remove every token of the target user; 'force' plays no part on this path.
        _tokenManager.deleteAllTokensForUser(username, includeProxyTokens);
        if (notifyVDCs && !targetIsLocal) {
            // Only non-local users are broadcast to the other VDCs.
            tokenNotificationHelper.broadcastLogoutForce(caller.getToken(), username);
        }
        return Response.ok(new LoggedOut(username)).build();
    }

    // Self logout.
    if (force) {
        // Drop every token the caller holds.
        _tokenManager.deleteAllTokensForUser(caller.getUserName(), includeProxyTokens);
        if (notifyVDCs && !caller.isLocal()) {
            tokenNotificationHelper.broadcastLogoutForce(caller.getToken(), null);
        }
    } else {
        // Drop only the token that came with this request.
        _tokenManager.deleteToken(caller.getToken());
        if (notifyVDCs && !caller.isLocal()) {
            // VDCs holding a copy of this token must be told it is gone.
            tokenNotificationHelper.notifyExternalVDCs(caller.getToken());
        }
    }
    return Response.ok(new LoggedOut(caller.getUserName())).build();
}
Also used : StorageOSUser(com.emc.storageos.security.authentication.StorageOSUser)

Example 9 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class VirtualDataCenterService method validateVdcRoleAssignmentChange.

/**
 * Rejects a VDC role-assignment change that would leave the calling security admin without
 * the SECURITY_ADMIN role.
 *
 * <p>Callers whose name is a key of {@code _localUsers} are not checked at all. Any other
 * caller must currently hold SECURITY_ADMIN (otherwise the forbidden error
 * {@code insufficientPermissionsForUser} is thrown) and must still hold it once the roles are
 * recomputed from the changed VDC (otherwise
 * {@code securityAdminCantDropHisOwnSecurityAdminRole} is thrown).
 *
 * @param vdc vdc to be persisted with the new role change
 */
private void validateVdcRoleAssignmentChange(VirtualDataCenter vdc) {
    // NOTE(review): the principal is dereferenced without a null check; confirm the security
    // context always carries a user on this path.
    final StorageOSUser caller = (StorageOSUser) sc.getUserPrincipal();

    // Local users are exempt from this validation.
    final boolean callerIsLocal = _localUsers.keySet().contains(caller.getName());
    if (callerIsLocal) {
        return;
    }

    final boolean callerIsSecurityAdmin = caller.getRoles().contains(Role.SECURITY_ADMIN.name());
    if (!callerIsSecurityAdmin) {
        throw APIException.forbidden.insufficientPermissionsForUser(caller.getName());
    }

    // Recompute the roles on a clone so that the real principal is left untouched, starting
    // from an empty role set and populating it from the VDC as it will look after the change.
    final StorageOSUser projected = caller.clone();
    projected.setRoles(new StringSet());
    _permissionsHelper.populateZoneRoles(projected, vdc);
    // NOTE(review): the whole user object is written to the log at info level; confirm that
    // StorageOSUser.toString() does not include the authentication token.
    _log.info(projected.toString());

    final boolean keepsSecurityAdmin = projected.getRoles().contains(Role.SECURITY_ADMIN.name());
    if (!keepsSecurityAdmin) {
        throw APIException.forbidden.securityAdminCantDropHisOwnSecurityAdminRole(caller.getName());
    }
}
Also used : StorageOSUser(com.emc.storageos.security.authentication.StorageOSUser)

Example 10 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class VirtualPoolService method getVirtualPoolList.

/**
 * Lists the virtual pools of the given type that the calling user may see, optionally
 * narrowed to one tenant.
 *
 * <p>Pools are read through the db client when {@code shortVdcId} is the local VDC and through
 * the geo client otherwise. The result is then filtered:
 * <ul>
 * <li>a caller accepted by {@code userHasGivenRole} for SYSTEM_ADMIN or SYSTEM_MONITOR gets
 * every pool, or only those the requested tenant has a usage ACL on when a tenant was given;</li>
 * <li>any other caller gets the pools that the requested tenant (or, if none was given, the
 * caller's own tenant) has a usage ACL on, plus, when no tenant was given, the pools usable by
 * the sub-tenants returned by {@code getSubtenantsWithRoles}.</li>
 * </ul>
 *
 * @param type virtual pool type to list
 * @param shortVdcId short id of the VDC to query
 * @param tenantId optional tenant to narrow the list to; may be empty or {@code null}
 * @return the visible pools; an empty list when {@code tenantId} is given but
 *         {@code getTenantIfHaveAccess} returns no tenant for it
 */
protected VirtualPoolList getVirtualPoolList(VirtualPool.Type type, String shortVdcId, String tenantId) {
    URIQueryResultList localIds = new URIQueryResultList();
    VirtualPoolList result = new VirtualPoolList();

    // A tenant the caller has no access to yields an empty list instead of an error.
    TenantOrg requestedTenant = null;
    if (!StringUtils.isEmpty(tenantId)) {
        requestedTenant = getTenantIfHaveAccess(tenantId);
        if (requestedTenant == null) {
            return result;
        }
    }

    StorageOSUser caller = getUserFromContext();
    List<VirtualPool> candidates = null;
    if (_geoHelper.isLocalVdcId(shortVdcId)) {
        _log.debug("retrieving virtual pools via the dbclient");
        _dbClient.queryByConstraint(AlternateIdConstraint.Factory.getVpoolTypeVpoolConstraint(type), localIds);
        List<URI> ids = new ArrayList<URI>();
        for (URI id : localIds) {
            ids.add(id);
        }
        candidates = _dbClient.queryObject(VirtualPool.class, ids);
    } else {
        _log.debug("retrieving virtual pools via the geoclient");
        GeoServiceClient remote = _geoHelper.getClient(shortVdcId);
        try {
            // TODO: query by constraint isn't working on the geosvc, so every virtual pool is
            // fetched by type and the requested pool type is matched here instead.
            List<URI> remoteIds = Lists.newArrayList(remote.queryByType(VirtualPool.class, true));
            candidates = Lists.newArrayList();
            for (Iterator<VirtualPool> fetched = remote.queryObjects(VirtualPool.class, remoteIds); fetched.hasNext();) {
                VirtualPool pool = fetched.next();
                if (type.toString().equals(pool.getType())) {
                    candidates.add(pool);
                }
            }
        } catch (Exception ex) {
            // TODO: revisit this exception
            _log.error("error retrieving virtual pools from vdc " + shortVdcId, ex);
            throw APIException.internalServerErrors.genericApisvcError("error retrieving remote pools", ex);
        }
    }

    // NOTE(review): the tenant argument of the role check is null here; presumably that means
    // a role that is not tied to a tenant - confirm against userHasGivenRole.
    if (_permissionsHelper.userHasGivenRole(caller, null, Role.SYSTEM_ADMIN, Role.SYSTEM_MONITOR)) {
        // System admins and monitors are limited only by the tenant filter, if one was given.
        for (VirtualPool pool : candidates) {
            if (requestedTenant == null || _permissionsHelper.tenantHasUsageACL(requestedTenant.getId(), pool)) {
                result.getVirtualPool().add(toVirtualPoolResource(pool));
            }
        }
        return result;
    }

    // Everyone else only sees pools that a tenant in scope is authorized to use.
    URI scopeTenant = (requestedTenant == null) ? URI.create(caller.getTenantId()) : requestedTenant.getId();
    Set<VirtualPool> visible = new HashSet<VirtualPool>();
    for (VirtualPool pool : candidates) {
        if (_permissionsHelper.tenantHasUsageACL(scopeTenant, pool)) {
            visible.add(pool);
        }
    }
    if (requestedTenant == null) {
        // With no tenant in the request, pools usable by the caller's sub-tenants count too.
        List<URI> subtenants = _permissionsHelper.getSubtenantsWithRoles(caller);
        for (VirtualPool pool : candidates) {
            if (_permissionsHelper.tenantHasUsageACL(subtenants, pool)) {
                visible.add(pool);
            }
        }
    }
    for (VirtualPool pool : visible) {
        result.getVirtualPool().add(toVirtualPoolResource(pool));
    }
    return result;
}
Also used : ArrayList(java.util.ArrayList) GeoServiceClient(com.emc.storageos.security.geo.GeoServiceClient) VirtualPoolList(com.emc.storageos.model.vpool.VirtualPoolList) VirtualPool(com.emc.storageos.db.client.model.VirtualPool) URI(java.net.URI) URIQueryResultList(com.emc.storageos.db.client.constraint.URIQueryResultList) APIException(com.emc.storageos.svcs.errorhandling.resources.APIException) DatabaseException(com.emc.storageos.db.exceptions.DatabaseException) StorageOSUser(com.emc.storageos.security.authentication.StorageOSUser) TenantOrg(com.emc.storageos.db.client.model.TenantOrg) HashSet(java.util.HashSet)
