use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class TaggedResource method getBulkResources.
/**
 * Builds the bulk representation for the requested resource ids, choosing between the
 * unfiltered and the per-user filtered query based on the caller's roles.
 *
 * <p>The unfiltered query ({@code queryBulkResourceReps}) is used when the caller holds
 * {@code Role.SYSTEM_MONITOR}, or holds {@code Role.SYSTEM_ADMIN} and the resource is
 * zone level or system-admin readable. Every other caller goes through
 * {@code queryFilteredBulkResourceReps}.
 *
 * <p>Security note: {@code isZoneLevelResource()} and {@code isSysAdminReadableResource()}
 * decide whether a system administrator skips the filtered path, so whatever they return
 * for a concrete service directly widens what that role can read in bulk.
 * NOTE(review): presumably {@code queryFilteredBulkResourceReps} applies the per-user
 * permission filter; confirm in that method.
 *
 * @param ids ids of the resources to return; more than {@code _maxBulkSize} entries is
 *            rejected with the error built by {@code APIException.badRequests.exceedingLimit}
 * @return the bulk representation produced by the selected query
 */
protected BulkRestRep getBulkResources(List<URI> ids) {
    final StorageOSUser caller = getUserFromContext();

    // Cap the request size before any lookup is done.
    if (ids.size() > _maxBulkSize) {
        throw APIException.badRequests.exceedingLimit("bulk size", _maxBulkSize);
    }

    // System monitors always get the unfiltered view.
    boolean unfiltered = _permissionsHelper.userHasGivenRole(caller, null, Role.SYSTEM_MONITOR);

    // System admins get it only for zone-level or sysadmin-readable resources.
    if (!unfiltered && (isZoneLevelResource() || isSysAdminReadableResource())) {
        unfiltered = _permissionsHelper.userHasGivenRole(caller, null, Role.SYSTEM_ADMIN);
    }

    final String resourceName = getResourceClass().getSimpleName();
    if (unfiltered) {
        _log.info("Bulk of {} for sysmonitor/sysadmin", resourceName);
        return queryBulkResourceReps(ids);
    }

    _log.info("Bulk of {} for user", resourceName);
    return queryFilteredBulkResourceReps(ids);
}
use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class TaskService method verifyUserHasAccessToTenants.
/**
 * Checks that the current user may access every tenant in {@code tenants}.
 *
 * <p>A user holding SECURITY_ADMIN, RESTRICTED_SECURITY_ADMIN, SYSTEM_ADMIN or
 * RESTRICTED_SYSTEM_ADMIN (checked with the user's own tenant id as the tenant argument)
 * passes without any per-tenant check. For everyone else each requested tenant must be
 * the user's own tenant or one of the keys returned by
 * {@code getSubtenantRolesForUser}; the system tenant is delegated to
 * {@code verifySystemAdmin()}.
 *
 * <p>The first tenant that fails the check aborts the call with the error built by
 * {@code APIException.forbidden.insufficientPermissionsForUser}.
 *
 * @param tenants tenant ids the caller asked to operate on
 */
private void verifyUserHasAccessToTenants(Collection<URI> tenants) {
    final StorageOSUser caller = getUserFromContext();

    // Privileged roles are allowed through for any tenant list.
    final boolean privileged = _permissionsHelper.userHasGivenRole(caller, URI.create(caller.getTenantId()),
            Role.SECURITY_ADMIN, Role.RESTRICTED_SECURITY_ADMIN, Role.SYSTEM_ADMIN, Role.RESTRICTED_SYSTEM_ADMIN);
    if (privileged) {
        return;
    }

    final Set<String> allowedSubtenants = _permissionsHelper.getSubtenantRolesForUser(caller).keySet();
    for (URI requested : tenants) {
        // The system tenant has its own check.
        if (requested.equals(TenantOrg.SYSTEM_TENANT)) {
            verifySystemAdmin();
            continue;
        }

        final String requestedId = requested.toString();
        if (requestedId.equals(caller.getTenantId()) || allowedSubtenants.contains(requestedId)) {
            continue;
        }

        // Neither the home tenant nor a subtenant the user has roles in.
        throw APIException.forbidden.insufficientPermissionsForUser(caller.getName());
    }
}
use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class VirtualPoolService method getCapacityForVirtualPoolAndVirtualArray.
/**
 * Returns the capacity metrics available for storage provisioning for a virtual pool and
 * virtual array pair, after checking that the caller may use the virtual array.
 *
 * <p>Metrics in the response:
 * <ul>
 * <li>usable_gb : total storage capacity</li>
 * <li>free_gb : free storage capacity</li>
 * <li>used_gb : used storage capacity</li>
 * <li>subscribed_gb : subscribed storage capacity (may be larger than usable capacity)</li>
 * <li>percent_used : percent of usable capacity which is used</li>
 * <li>percent_subscribed : percent of usable capacity which is subscribed (may be more
 * than 100)</li>
 * </ul>
 * Subscribed and percent subscribed are returned only for a block vpool.
 *
 * <p>Access rule: the caller needs {@code Role.SYSTEM_ADMIN} or {@code Role.SYSTEM_MONITOR},
 * or the caller's tenant needs a usage ACL on the virtual array. Otherwise the call fails
 * with the error built by {@code APIException.forbidden.insufficientPermissionsForUser}.
 * NOTE(review): only the virtual array is checked here; confirm that callers authorize
 * access to {@code vpool} before calling.
 *
 * @param vpool the virtual pool to report capacity for
 * @param vArrayId id of the virtual array; validated with {@code ArgValidator.checkEntity}
 * @return CapacityResponse instance
 */
protected CapacityResponse getCapacityForVirtualPoolAndVirtualArray(VirtualPool vpool, URI vArrayId) {
    final VirtualArray targetArray = _permissionsHelper.getObjectById(vArrayId, VirtualArray.class);
    ArgValidator.checkEntity(targetArray, vArrayId, isIdEmbeddedInURL(vArrayId));

    // Permission check: system roles pass, anyone else needs a usage ACL for their tenant.
    final StorageOSUser caller = getUserFromContext();
    final URI callerTenant = URI.create(caller.getTenantId());
    final boolean hasSystemRole =
            _permissionsHelper.userHasGivenRole(caller, null, Role.SYSTEM_ADMIN, Role.SYSTEM_MONITOR);
    if (!hasSystemRole && !_permissionsHelper.tenantHasUsageACL(callerTenant, targetArray)) {
        throw APIException.forbidden.insufficientPermissionsForUser(caller.getName());
    }

    return CapacityUtils.getCapacityForVirtualPoolAndVirtualArray(vpool, vArrayId, _dbClient, _coordinator);
}
use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class TypeService method getVolumeTypes.
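/**
 * Get volume types
 *
 * <p>Lists the block virtual pools that the authenticated user's tenant has a usage ACL
 * on, each reported as a volume type with an empty {@code extra_specs} map.
 *
 * <p>The tenant id in the URL is not used: visibility is decided from the tenant of the
 * user returned by {@code getUserFromContext()}, so a caller cannot widen the listing by
 * changing the path.
 *
 * @prereq none
 *
 * @param tenant_id the URN of the tenant
 * @param header request headers, passed to {@code CinderApiUtils.getCinderResponse}
 *
 * @brief List volume types
 * @return Volume types list
 */
@GET
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
public Response getVolumeTypes(@PathParam("tenant_id") URI openstack_tenant_id, @Context HttpHeaders header) {
    // Here we ignore the openstack tenant id
    _log.info("START get list of volume types");
    VolumeTypesRestResp types = new VolumeTypesRestResp();
    StorageOSUser user = getUserFromContext();
    URI tenantId = URI.create(user.getTenantId());
    List<URI> vpools = _dbClient.queryByType(VirtualPool.class, true);
    for (URI vpool : vpools) {
        VirtualPool pool = _dbClient.queryObject(VirtualPool.class, vpool);
        // The id list and the object lookup are separate queries, so the lookup can come
        // back empty; skip before touching the object (the original logged pool.getLabel()
        // ahead of its own null check and would have thrown here).
        if (pool == null) {
            _log.debug("Skipping vpool {}: not found", vpool);
            continue;
        }
        _log.debug("Looking up vpool {}", pool.getLabel());
        // Constant-first comparison so a pool without a type is skipped instead of throwing.
        if (!VirtualPool.Type.block.name().equalsIgnoreCase(pool.getType())) {
            continue;
        }
        // Only pools the caller's tenant is allowed to use are exposed.
        if (_permissionsHelper.tenantHasUsageACL(tenantId, pool)) {
            _log.debug("Adding vpool {}", pool.getLabel());
            VolumeType type = new VolumeType();
            type.id = pool.getId().toString();
            type.name = pool.getLabel();
            type.extra_specs = new HashMap<String, String>();
            types.getVolume_types().add(type);
        }
    }
    _log.info("END get list of volume types");
    return CinderApiUtils.getCinderResponse(types, header, false, CinderConstants.STATUS_OK);
}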
use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.
the class SnapshotService method verifyUserCanModifyVolume.
/**
 * Checks that the current user is allowed to modify the given volume.
 *
 * <p>The user passes when holding {@code Role.TENANT_ADMIN} on the volume's tenant, or
 * when holding the {@code ACL.OWN} or {@code ACL.ALL} ACL on the volume's project.
 * Otherwise the call fails with the error built by
 * {@code APIException.forbidden.insufficientPermissionsForUser}.
 *
 * @param vol the volume about to be modified; its project and tenant references are
 *            dereferenced without a null check
 */
protected void verifyUserCanModifyVolume(Volume vol) {
    final StorageOSUser caller = getUserFromContext();
    final URI owningProject = vol.getProject().getURI();

    // Tenant administrators of the volume's tenant may modify it.
    if (_permissionsHelper.userHasGivenRole(caller, vol.getTenant().getURI(), Role.TENANT_ADMIN)) {
        return;
    }

    // So may users with OWN or ALL on the project that holds the volume.
    if (_permissionsHelper.userHasGivenACL(caller, owningProject, ACL.OWN, ACL.ALL)) {
        return;
    }

    throw APIException.forbidden.insufficientPermissionsForUser(caller.getName());
}