
Example 11 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class VirtualArrayService method getVirtualArrayList.

/**
 * Lists the VirtualArrays of a VDC that the calling user is allowed to see.
 *
 * Behaviour, in order:
 *   - the VDC id is validated; a non-local id is served through the geo client and any
 *     failure on that path is logged and surfaced as a generic internal server error;
 *   - when a tenant id is supplied but {@code getTenantIfHaveAccess} yields no tenant,
 *     an empty list is returned rather than an error;
 *   - SYSTEM_ADMIN / SYSTEM_MONITOR users get every varray, narrowed to those the
 *     supplied tenant has a usage ACL on when a tenant was given;
 *   - every other user gets the varrays usable by the supplied tenant, or, when no
 *     tenant was given, by their home tenant plus any sub-tenant they hold a role in.
 *
 * @brief List VirtualArrays in zone
 * @param shortVdcId short id of the VDC to query; how an empty value is resolved is
 *                   decided by {@code _geoHelper.isLocalVdcId}
 * @param tenantId   optional tenant URN used to filter by usage ACL
 * @return the named resources of the visible VirtualArrays
 */
@GET
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
public VirtualArrayList getVirtualArrayList(@DefaultValue("") @QueryParam(VDC_ID_QUERY_PARAM) String shortVdcId, @DefaultValue("") @QueryParam(TENANT_ID_QUERY_PARAM) String tenantId) {
    _geoHelper.verifyVdcId(shortVdcId);
    VirtualArrayList result = new VirtualArrayList();

    // Resolve the optional tenant filter first; a tenant the caller cannot use
    // short-circuits to an empty result.
    TenantOrg requestedTenant = null;
    if (!StringUtils.isEmpty(tenantId)) {
        requestedTenant = getTenantIfHaveAccess(tenantId);
        if (requestedTenant == null) {
            return result;
        }
    }

    // Collect the candidate varrays, locally or from the remote VDC.
    List<VirtualArray> candidates = Collections.emptyList();
    if (_geoHelper.isLocalVdcId(shortVdcId)) {
        _log.debug("retrieving virtual arrays via dbclient");
        final List<URI> localIds = _dbClient.queryByType(VirtualArray.class, true);
        candidates = _dbClient.queryObject(VirtualArray.class, localIds);
    } else {
        _log.debug("retrieving virtual arrays via geoclient");
        try {
            GeoServiceClient geoClient = _geoHelper.getClient(shortVdcId);
            final List<URI> remoteIds = Lists.newArrayList(geoClient.queryByType(VirtualArray.class, true));
            candidates = Lists.newArrayList(geoClient.queryObjects(VirtualArray.class, remoteIds));
        } catch (Exception ex) {
            // TODO: revisit this exception
            _log.error("error retrieving virtual arrays", ex);
            throw APIException.internalServerErrors.genericApisvcError("error retrieving virtual arrays", ex);
        }
    }

    StorageOSUser user = getUserFromContext();
    boolean systemWideReader = _permissionsHelper.userHasGivenRole(user, null, Role.SYSTEM_ADMIN, Role.SYSTEM_MONITOR);

    if (systemWideReader) {
        // Admin/monitor: everything, unless a tenant filter narrows it by usage ACL.
        for (VirtualArray candidate : candidates) {
            boolean visible = requestedTenant == null
                    || _permissionsHelper.tenantHasUsageACL(requestedTenant.getId(), candidate);
            if (visible) {
                result.getVirtualArrays().add(toNamedRelatedResource(ResourceTypeEnum.VARRAY, candidate.getId(), candidate.getLabel()));
            }
        }
        return result;
    }

    // Ordinary user: only varrays the chosen tenant (or the home tenant) may use.
    URI scopeTenant = (requestedTenant != null)
            ? requestedTenant.getId()
            : URI.create(user.getTenantId());
    Set<VirtualArray> usable = new HashSet<VirtualArray>();
    for (VirtualArray candidate : candidates) {
        if (_permissionsHelper.tenantHasUsageACL(scopeTenant, candidate)) {
            usable.add(candidate);
        }
    }
    // Without an explicit tenant, sub-tenants the user holds roles in contribute too.
    if (requestedTenant == null) {
        List<URI> subtenants = _permissionsHelper.getSubtenantsWithRoles(user);
        for (VirtualArray candidate : candidates) {
            if (_permissionsHelper.tenantHasUsageACL(subtenants, candidate)) {
                usable.add(candidate);
            }
        }
    }
    for (VirtualArray candidate : usable) {
        result.getVirtualArrays().add(toNamedRelatedResource(ResourceTypeEnum.VARRAY, candidate.getId(), candidate.getLabel()));
    }
    return result;
}

Example 12 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class VcenterDataCenterService method verifyAuthorizedSystemOrTenantOrgUser.

/**
 * Verifies that the calling user may view resources of the given tenant organization.
 *
 * System administrators and security administrators pass unconditionally; only
 * {@code isSystemAdmin()} and {@code isSecurityAdmin()} are consulted here. Everyone
 * else is handed to {@code verifyAuthorizedInTenantOrg(tenantId, user)}, which is
 * expected to reject callers that are neither members of the tenant nor tenant
 * administrators of it.
 *
 * NOTE(review): the earlier Javadoc also listed SysMonitor as an allowed role; that
 * role is not checked in this method, so confirm whether the delegate covers it.
 *
 * @param tenantId URI of the tenant organization being accessed
 */
protected void verifyAuthorizedSystemOrTenantOrgUser(URI tenantId) {
    boolean privilegedCaller = isSystemAdmin() || isSecurityAdmin();
    if (privilegedCaller) {
        return;
    }
    verifyAuthorizedInTenantOrg(tenantId, getUserFromContext());
}

Example 13 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class VcenterService method verifyAuthorizedInTenantOrg.

/**
 * Verifies that the calling user may view a vCenter shared with the given tenants.
 *
 * Walks the ACL entries and accepts the user as soon as one entry satisfies any of,
 * evaluated in this order:
 *   - the entry's tenant is the user's own tenant,
 *   - the user is a system admin or monitor,
 *   - the user holds TENANT_ADMIN in the entry's tenant.
 * Null entries are skipped. When no entry accepts the user a forbidden
 * {@code insufficientPermissionsForUser} error is thrown.
 *
 * NOTE(review): the admin/monitor check lives inside the loop, so an empty or
 * all-null {@code aclEntries} list denies everyone, system admins included —
 * confirm that is intended before relying on it.
 *
 * @param aclEntries ACL entries of the tenants that share the vCenter; must not be null
 * @throws APIException (forbidden) when no entry authorizes the user
 */
private void verifyAuthorizedInTenantOrg(List<ACLEntry> aclEntries) {
    StorageOSUser user = getUserFromContext();
    for (ACLEntry entry : aclEntries) {
        if (entry == null) {
            continue;
        }
        String entryTenant = entry.getTenant();
        if (user.getTenantId().toString().equals(entryTenant)) {
            return;
        }
        if (isSystemAdminOrMonitorUser()) {
            return;
        }
        if (_permissionsHelper.userHasGivenRole(user, URI.create(entryTenant), Role.TENANT_ADMIN)) {
            return;
        }
    }
    throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
}

Example 14 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class VcenterService method updateTaskTenant.

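/**
 * Fills in the tenant on a Task and on its API response when the task has none.
 *
 * The task is re-read from the database. When its tenant equals the null-URI sentinel
 * ({@code NullColumnValueGetter.getNullURI()}) the calling user's tenant is stored on
 * the task, the task is persisted, and the same tenant is mirrored into
 * {@code taskResourceRep} as a related resource with a {@code /tenants/<id>} self
 * link. Tasks that already carry a tenant are left untouched. A task missing from the
 * database (null from {@code queryObject}) is not handled here and would surface as a
 * NullPointerException.
 *
 * @param taskResourceRep API response to update; its id selects the Task to load
 */
private void updateTaskTenant(TaskResourceRep taskResourceRep) {
    Task task = _dbClient.queryObject(Task.class, taskResourceRep.getId());
    if (areEqual(task.getTenant(), NullColumnValueGetter.getNullURI())) {
        StorageOSUser user = getUserFromContext();
        URI userTenantUri = URI.create(user.getTenantId());
        task.setTenant(userTenantUri);
        RelatedResourceRep tenant = new RelatedResourceRep();
        tenant.setId(userTenantUri);
        tenant.setLink(new RestLinkRep("self", URI.create("/tenants/" + userTenantUri.toString())));
        taskResourceRep.setTenant(tenant);
        _dbClient.persistObject(task);
        // Pass the three values as separate arguments: handing the logger one List fills
        // only the first {} and leaves the rest of the message unformatted.
        _log.info("Update the task {} with the user's {} tenant {}", task.getId(), user.getName(), user.getTenantId());
    }
}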

Example 15 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class TaggedResource method getTenantIfHaveAccess.

/**
 * Resolves a tenant URN to its TenantOrg, enforcing that the caller may use it.
 *
 * An empty id yields {@code null}. Otherwise the tenant is looked up and passed
 * through {@code ArgValidator.checkEntity} (presumably rejecting a missing or inactive
 * entity), and must then be either the caller's home tenant or one of the sub-tenants
 * reported by {@code _permissionsHelper.getSubtenantsForUser}; any other tenant results
 * in a forbidden {@code insufficientPermissionsForUser} error.
 *
 * @param tenantId URN of a ViPR tenant, may be empty
 * @return the tenant, or {@code null} when {@code tenantId} is empty
 * @throws APIException (forbidden) when the caller has no access to the tenant
 */
protected TenantOrg getTenantIfHaveAccess(String tenantId) {
    if (StringUtils.isEmpty(tenantId)) {
        return null;
    }
    URI tenantUri = URI.create(tenantId);
    TenantOrg org = _permissionsHelper.getObjectById(tenantUri, TenantOrg.class);
    ArgValidator.checkEntity(org, tenantUri, isIdEmbeddedInURL(tenantUri), true);

    StorageOSUser user = getUserFromContext();
    String requestedId = org.getId().toString();
    // Home tenant: always allowed.
    if (requestedId.equals(user.getTenantId())) {
        return org;
    }
    // Sub-tenant in which the user holds a tenant role: allowed.
    for (String subTenantId : _permissionsHelper.getSubtenantsForUser(user)) {
        if (requestedId.equals(subTenantId)) {
            return org;
        }
    }
    throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
}
