
Example 1 with UserMappingAttribute

use of com.emc.storageos.security.authorization.BasePermissionsHelper.UserMappingAttribute in project coprhd-controller by CoprHD.

The class StorageOSLdapPersonAttributeDao, method getStorageOSUserAndTenants.

private UserAndTenants getStorageOSUserAndTenants(String username, ValidationFailureReason[] failureReason, URI tenantURI, List<UserMapping> usermapping) {
    BasePermissionsHelper permissionsHelper = new BasePermissionsHelper(_dbClient, false);
    final String[] userDomain = username.split("@");
    if (userDomain.length < 2) {
        _log.error("Illegal username {} missing domain", username);
        failureReason[0] = ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT;
        return null;
    }
    final String domain = userDomain[1];
    final String ldapQuery = LdapFilterUtil.getPersonFilterWithValues(_filter, username);
    if (ldapQuery == null) {
        _log.error("Null query filter from string {} for username", _filter, username);
        failureReason[0] = ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT;
        return null;
    }
    StringSet authnProviderDomains = getAuthnProviderDomains(domain);
    List<String> attrs = new ArrayList<String>();
    Map<URI, List<UserMapping>> tenantToMappingMap = permissionsHelper.getAllUserMappingsForDomain(authnProviderDomains);
    if (_searchControls.getReturningAttributes() != null) {
        Collections.addAll(attrs, _searchControls.getReturningAttributes());
    }
    if (tenantURI != null) {
        tenantToMappingMap.put(tenantURI, usermapping);
    }
    printTenantToMappingMap(tenantToMappingMap);
    // Add attributes that need to be released for tenant mapping
    for (List<UserMapping> mappings : tenantToMappingMap.values()) {
        if (mappings == null) {
            continue;
        }
        for (UserMapping mapping : mappings) {
            if (mapping.getAttributes() != null && !mapping.getAttributes().isEmpty()) {
                for (UserMappingAttribute mappingAttribute : mapping.getAttributes()) {
                    attrs.add(mappingAttribute.getKey());
                }
            }
        }
    }
    // Now get the returning attributes from the userGroup table.
    getReturningAttributesFromUserGroups(permissionsHelper, domain, attrs);
    // Create search controls with the additional attributes to return
    SearchControls dnSearchControls = new SearchControls(_searchControls.getSearchScope(), _searchControls.getCountLimit(), _searchControls.getTimeLimit(), attrs.toArray(new String[attrs.size()]), _searchControls.getReturningObjFlag(), _searchControls.getDerefLinkFlag());
    Map<String, List<String>> userMappingAttributes = new HashMap<String, List<String>>();
    StorageOSUserMapper userMapper = new StorageOSUserMapper(username, getDistinguishedNameAttribute(), userMappingAttributes);
    // Execute the query
    @SuppressWarnings("unchecked") final List<StorageOSUserDAO> storageOSUsers = safeLdapSearch(_baseDN, ldapQuery, dnSearchControls, userMapper, failureReason);
    if (null == storageOSUsers) {
        _log.error("Query for user {} failed", username);
        return null;
    }
    StorageOSUserDAO storageOSUser = null;
    try {
        storageOSUser = DataAccessUtils.requiredUniqueResult(storageOSUsers);
        if (null == storageOSUser) {
            _log.error("Query for user {} yielded no results", username);
            failureReason[0] = ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT;
            return null;
        }
    } catch (IncorrectResultSizeDataAccessException ex) {
        _log.error("Query for user {} yielded incorrect number of results.", username, ex);
        failureReason[0] = ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT;
        return null;
    }
    // If the type is AD then fetch the users tokenGroups
    if (_type == AuthnProvider.ProvidersType.ad) {
        List<String> groups = queryTokenGroups(ldapQuery, storageOSUser);
        StringBuilder groupsString = new StringBuilder("[ ");
        for (String group : groups) {
            groupsString.append(group + " ");
            storageOSUser.addGroup(group);
        }
        groupsString.append("]");
        _log.debug("User {} adding groups {}", username, groupsString);
    } else {
        if (!updateGroupsAndRootGroupsInLDAPByMemberAttribute(storageOSUser, failureReason)) {
            // null means Exception has been thrown and error logged already, empty means no group found in LDAP/AD
            _log.info("User {} is not in any AD/LDAP groups.", storageOSUser.getDistinguishedName());
        }
    }
    // Add the user's group based on the attributes.
    addUserGroupsToUserGroupList(permissionsHelper, domain, storageOSUser);
    return new UserAndTenants(storageOSUser, mapUserToTenant(authnProviderDomains, storageOSUser, userMappingAttributes, tenantToMappingMap, failureReason));
}

Example 2 with UserMappingAttribute

use of com.emc.storageos.security.authorization.BasePermissionsHelper.UserMappingAttribute in project coprhd-controller by CoprHD.

The class UserFromRequestHelper, method parseOldFormat.

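/**
 * Parses the userContext information in the "old" format
 * ({@code "user,user@domain.com;group,group2"}).
 * <p>
 * The first {@code ;}-separated section holds the user name and an optional
 * {@code key=value} attribute; the second holds a comma-delimited group list.
 * A user whose tenant cannot be resolved is placed in the root tenant.
 * Structurally malformed input (a section that splits to nothing, e.g. {@code ";"},
 * {@code ","} or a bare {@code "="}) is rejected with {@code null} instead of an
 * {@link ArrayIndexOutOfBoundsException}.
 * <p>
 * TODO: once AD integration is complete and attribute release is only
 * available through that channel, this old format should be removed. For
 * now, keeping for backwards compatibility and so that authz testing can
 * continue without AD servers.
 *
 * @param userContext raw context string; blank or malformed input yields {@code null}
 * @return a UserFromRequest pojo, or {@code null} if the context is blank or malformed
 */
private StorageOSUser parseOldFormat(String userContext) {
    if (StringUtils.isBlank(userContext)) {
        return null;
    }
    String[] userInfo = userContext.split(";");
    // A context of only separators splits to an empty array; guard before indexing
    if (userInfo.length == 0) {
        _logger.error("Malformed user context: no user section");
        return null;
    }
    String[] userAttributes = userInfo[0].split(",");
    if (userAttributes.length == 0) {
        _logger.error("Malformed user context: no user name");
        return null;
    }
    String name = userAttributes[0];
    String[] parts = name.split("@");
    String domain = parts.length > 1 ? parts[1] : "";
    URI tenant = null;
    boolean local = false;
    // isBlank already covers null, so no separate null check is needed
    if (userAttributes.length > 1 && !StringUtils.isBlank(userAttributes[1])) {
        String[] attrKV = userAttributes[1].split("=");
        // A bare "=" (non-blank, but nothing on either side) splits to an empty array
        if (attrKV.length == 0) {
            _logger.error("Malformed user context attribute: {}", userAttributes[1]);
            return null;
        }
        if (attrKV[0].equals(USERDETAILS_LOCALUSER)) {
            local = attrKV.length > 1 && Boolean.parseBoolean(attrKV[1]);
        } else {
            UserMapping mapping = new UserMapping();
            mapping.setDomain(domain);
            if (attrKV.length > 1) {
                if (attrKV[0].equalsIgnoreCase("group")) {
                    mapping.setGroups(Collections.singletonList(attrKV[1]));
                } else {
                    // NOTE(review): this attribute is built but never attached to the mapping
                    // (no setAttributes call), so lookupTenant only sees the domain. Left as
                    // found; confirm the intended behavior before wiring it in, since it
                    // changes which tenant a request-supplied context resolves to.
                    UserMappingAttribute tenantAttribute = new UserMappingAttribute();
                    tenantAttribute.setKey(attrKV[0]);
                    tenantAttribute.setValues(Collections.singletonList(attrKV[1]));
                }
                tenant = lookupTenantOrNull(mapping);
            }
        }
    } else if (!domain.isEmpty()) {
        UserMapping mapping = new UserMapping();
        mapping.setDomain(domain);
        tenant = lookupTenantOrNull(mapping);
    }
    if (null == tenant) {
        tenant = _permissionsHelper.getRootTenant().getId();
    }
    StorageOSUser user = new StorageOSUser(name, tenant.toString());
    user.setIsLocal(local);
    if (userInfo.length > 1) {
        // An empty group list simply yields no iterations
        for (String group : org.springframework.util.StringUtils.commaDelimitedListToStringArray(userInfo[1])) {
            user.addGroup(group);
        }
    }
    return user;
}

/**
 * Resolves the tenant for a user mapping, logging and returning {@code null} on a database error.
 *
 * @param mapping the mapping (domain, optional group) to look up
 * @return the tenant id, or {@code null} when the lookup fails or finds nothing
 */
private URI lookupTenantOrNull(UserMapping mapping) {
    try {
        return _permissionsHelper.lookupTenant(mapping);
    } catch (DatabaseException e) {
        _logger.error("Failed to query for tenant with attribute: {}.  Exception {} ", mapping.toString(), e);
        return null;
    }
}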

Example 3 with UserMappingAttribute

use of com.emc.storageos.security.authorization.BasePermissionsHelper.UserMappingAttribute in project coprhd-controller by CoprHD.

The class CustomAuthenticationManagerTest, method testAuthentication.

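/**
 * End-to-end authentication and tenant-mapping checks against the test AD/LDAP providers.
 * <p>
 * Every "must be rejected" validateUser case goes through
 * {@link #assertValidateUserRejected}, which catches the expected {@link APIException} and
 * lets the method continue. With the {@code thrown.expect(APIException.class)} rule the test
 * ended at the first rejection, so every scenario after it — and {@code cleanupProviders()} —
 * never ran.
 *
 * @throws Exception from the authentication manager or the database client
 */
@Test
public void testAuthentication() throws Exception {
    createADLDAPProviders();
    try {
        UsernamePasswordCredentials sanityUserCreds = new UsernamePasswordCredentials("sanity_user@sanity.local", "P@ssw0rd");
        Assert.assertNotNull(_authManager.authenticate(sanityUserCreds));
        UsernamePasswordCredentials ldapUserCreds = new UsernamePasswordCredentials("user@root.com", "password");
        Assert.assertNotNull(_authManager.authenticate(ldapUserCreds));
        // Each of the following must be rejected (unknown domain, no domain, wrong user,
        // wrong/empty/null password, empty user name)
        UsernamePasswordCredentials badDomainUserCreds = new UsernamePasswordCredentials("sanity_user@baddomain", "P@ssw0rd");
        Assert.assertNull(_authManager.authenticate(badDomainUserCreds));
        UsernamePasswordCredentials noDomainUserCreds = new UsernamePasswordCredentials("sanity_user", "P@ssw0rd");
        Assert.assertNull(_authManager.authenticate(noDomainUserCreds));
        UsernamePasswordCredentials badUserUserCreds = new UsernamePasswordCredentials("sanity_user@root.com", "P@ssw0rd");
        Assert.assertNull(_authManager.authenticate(badUserUserCreds));
        UsernamePasswordCredentials badPasswordUserCreds = new UsernamePasswordCredentials("sanity_user@sanity.local", "badpassword");
        Assert.assertNull(_authManager.authenticate(badPasswordUserCreds));
        UsernamePasswordCredentials emptyUsernameUserCreds = new UsernamePasswordCredentials("", "P@ssw0rd");
        Assert.assertNull(_authManager.authenticate(emptyUsernameUserCreds));
        UsernamePasswordCredentials emptyPasswordUserCreds = new UsernamePasswordCredentials("sanity_user@sanity.local", "");
        Assert.assertNull(_authManager.authenticate(emptyPasswordUserCreds));
        UsernamePasswordCredentials nullPasswordUserCreds = new UsernamePasswordCredentials("sanity_user@sanity.local", null);
        Assert.assertNull(_authManager.authenticate(nullPasswordUserCreds));
        // Subtenant mapped by attribute o=sales for root.com and by group "Test Group" for sanity.local
        UserMapping tenantMapping = new UserMapping();
        UserMappingAttribute tenantAttr = new UserMappingAttribute();
        tenantAttr.setKey("o");
        tenantAttr.setValues(Collections.singletonList("sales"));
        tenantMapping.setAttributes(Collections.singletonList(tenantAttr));
        tenantMapping.setDomain("root.com");
        UserMapping tenantMapping2 = new UserMapping();
        tenantMapping2.setGroups(Collections.singletonList("Test Group"));
        tenantMapping2.setDomain("sanity.local");
        StringSetMap mappings = new StringSetMap();
        mappings.put(tenantMapping.getDomain(), tenantMapping.toString());
        mappings.put(tenantMapping2.getDomain(), tenantMapping2.toString());
        _subtenantId = URIUtil.createId(TenantOrg.class);
        TenantOrg subtenant = new TenantOrg();
        subtenant.setLabel("subtenant");
        subtenant.setDescription("auth subtenant");
        subtenant.setId(_subtenantId);
        subtenant.setParentTenant(new NamedURI(_rootTenantId, "subtenant"));
        subtenant.setUserMappings(mappings);
        _dbClient.persistObject(subtenant);
        StorageOSUserDAO user = _authManager.authenticate(sanityUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        // this user has the o=sales attribute so should be in the subtenant
        user = _authManager.authenticate(ldapUserCreds);
        Assert.assertEquals(_subtenantId.toString(), user.getTenantId());
        // this user is in the group Test Group so should be in the subtenant
        UsernamePasswordCredentials groupUserCreds = new UsernamePasswordCredentials("testuser@sanity.local", "P@ssw0rd");
        user = _authManager.authenticate(groupUserCreds);
        Assert.assertEquals(_subtenantId.toString(), user.getTenantId());
        // Create the a good authConfig with whitelist values
        AuthnProvider adAuthConfig = new AuthnProvider();
        adAuthConfig.setId(URIUtil.createId(AuthnProvider.class));
        adAuthConfig.setMode("ad");
        StringSet adDomains = new StringSet();
        adDomains.add("whitelist1");
        adDomains.add("whitelist2");
        adAuthConfig.setDomains(adDomains);
        adAuthConfig.setManagerDN("CN=Administrator,CN=Users,DC=sanity,DC=local");
        adAuthConfig.setManagerPassword(_adManagerPassword);
        StringSet adUrls = new StringSet();
        adUrls.add(LDAP_SERVER_2);
        adAuthConfig.setServerUrls(adUrls);
        adAuthConfig.setSearchBase("CN=Users,DC=sanity,DC=local");
        adAuthConfig.setSearchFilter("sAMAccountName=%U");
        adAuthConfig.setGroupAttribute("CN");
        StringSet whitelistValues = new StringSet();
        whitelistValues.add("*Users*");
        whitelistValues.add("ProjectAdmins");
        adAuthConfig.setGroupWhitelistValues(whitelistValues);
        adAuthConfig.setLastModified(System.currentTimeMillis());
        _dbClient.createObject(adAuthConfig);
        reloadConfig(true);
        // Login the user the user that is in the group "Test Group" but it is not in the whitelist in
        // the auth config so the user should end up in the root tenant
        UsernamePasswordCredentials whitelist1GroupUserCreds = new UsernamePasswordCredentials("testuser@whitelist1", "P@ssw0rd");
        user = _authManager.authenticate(whitelist1GroupUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        // log the same user in to the other domain to make sure it is mapped to the same domain
        UsernamePasswordCredentials whitelist2GroupUserCreds = new UsernamePasswordCredentials("testuser@whitelist2", "P@ssw0rd");
        user = _authManager.authenticate(whitelist2GroupUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        ValidationFailureReason[] failureReason = new ValidationFailureReason[1];
        // sanity_user is a root-tenant user: valid for root, rejected for the subtenant
        _authManager.validateUser("sanity_user@sanity.local", _rootTenantId.toString(), null);
        assertValidateUserRejected("sanity_user@sanity.local", _subtenantId.toString(), null);
        _authManager.validateUser("sanity_user@sanity.local", _subtenantId.toString(), _rootTenantId.toString());
        _authManager.validateUser("user2@root.com", _rootTenantId.toString(), null);
        assertValidateUserRejected("user2@root.com", _subtenantId.toString(), null);
        _authManager.validateUser("user2@root.com", _subtenantId.toString(), _rootTenantId.toString());
        // user@root.com and testuser@sanity.local are mapped to the subtenant, so root is rejected
        _authManager.validateUser("user@root.com", _subtenantId.toString(), null);
        assertValidateUserRejected("user@root.com", _rootTenantId.toString(), null);
        _authManager.validateUser("testuser@sanity.local", _subtenantId.toString(), null);
        assertValidateUserRejected("testuser@sanity.local", _rootTenantId.toString(), null);
        // A user name without a domain is rejected for any tenant
        assertValidateUserRejected("testuser", _rootTenantId.toString(), null);
        assertValidateUserRejected("testuser", _subtenantId.toString(), null);
        Assert.assertTrue(_authManager.isGroupValid("Test Group@sanity.local", failureReason));
        Assert.assertFalse(_authManager.isGroupValid("Test Group@whitelist1", failureReason));
        Assert.assertEquals(failureReason[0], ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT);
        Assert.assertFalse(_authManager.isGroupValid("Test Group@whitelist2", failureReason));
        Assert.assertTrue(_authManager.isGroupValid("Domain Users@whitelist2", failureReason));
        Assert.assertTrue(_authManager.isGroupValid("ProjectAdmins@whitelist1", failureReason));
        Assert.assertFalse(_authManager.isGroupValid("Test Group", failureReason));
        // Create the a good authConfig with the sid group attribute
        AuthnProvider sidAuthConfig = new AuthnProvider();
        sidAuthConfig.setId(URIUtil.createId(AuthnProvider.class));
        sidAuthConfig.setMode("ad");
        StringSet sidDomains = new StringSet();
        sidDomains.add("sidtest");
        sidAuthConfig.setDomains(sidDomains);
        sidAuthConfig.setManagerDN("CN=Administrator,CN=Users,DC=sanity,DC=local");
        sidAuthConfig.setManagerPassword(_adManagerPassword);
        StringSet sidUrls = new StringSet();
        sidUrls.add(LDAP_SERVER_2);
        sidAuthConfig.setServerUrls(sidUrls);
        sidAuthConfig.setSearchBase("CN=Users,DC=sanity,DC=local");
        sidAuthConfig.setSearchFilter("sAMAccountName=%U");
        sidAuthConfig.setGroupAttribute("objectSid");
        StringSet sidWhitelistValues = new StringSet();
        // Domain users ends in -513
        sidWhitelistValues.add("*-513");
        // Test group SID
        sidWhitelistValues.add("S-1-5-21-2759885641-1951973838-595118951-1135");
        sidAuthConfig.setGroupWhitelistValues(sidWhitelistValues);
        sidAuthConfig.setLastModified(System.currentTimeMillis());
        _dbClient.createObject(sidAuthConfig);
        reloadConfig(true);
        // Create a subtenant using the sid of Domain users from '@sidtest'
        // for mapping
        UserMapping sidGroupMapping = new UserMapping();
        sidGroupMapping.setDomain("sidtest");
        sidGroupMapping.setGroups(Collections.singletonList("S-1-5-21-2759885641-1951973838-595118951-513"));
        StringSetMap sidTestMappings = new StringSetMap();
        sidTestMappings.put(sidGroupMapping.getDomain(), sidGroupMapping.toString());
        URI subtenant2Id = URIUtil.createId(TenantOrg.class);
        TenantOrg subtenant2 = new TenantOrg();
        subtenant2.setLabel("subtenant2");
        subtenant2.setDescription("auth subtenant2");
        subtenant2.setId(subtenant2Id);
        subtenant2.setParentTenant(new NamedURI(_rootTenantId, "subtenant2"));
        subtenant2.setUserMappings(sidTestMappings);
        _dbClient.persistObject(subtenant2);
        // login the sanity_user (sanity_user@sanity.local) and verify that the user is in the
        // root tenant still despite being in 'Domain Users' group because it is a different domain
        user = _authManager.authenticate(sanityUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        // Now try sanity_user@sidtest and the user should be in subtenant2
        UsernamePasswordCredentials sidTestUserCreds = new UsernamePasswordCredentials("sanity_user@sidtest", "P@ssw0rd");
        user = _authManager.authenticate(sidTestUserCreds);
        Assert.assertEquals(subtenant2Id.toString(), user.getTenantId());
        _authManager.validateUser("sanity_user@sidtest", subtenant2Id.toString(), null);
        _authManager.validateUser("testuser@sidtest", subtenant2Id.toString(), null);
        _authManager.validateUser("baduser@sidtest", subtenant2Id.toString(), null);
        // Test group
        Assert.assertTrue(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-1135@sidtest", failureReason));
        // Domain Users
        Assert.assertTrue(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-513@sidtest", failureReason));
        // non-existent group
        Assert.assertFalse(_authManager.isGroupValid("S-2-2-21-2759885641-1951973838-595118951-513@sidtest", failureReason));
        // non-whitelist group (ProjectAdmins)
        Assert.assertFalse(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-1111@sidtest", failureReason));
        // Create an config with a bad URL
        AuthnProvider ldapAuthConfig = new AuthnProvider();
        ldapAuthConfig.setId(URIUtil.createId(AuthnProvider.class));
        ldapAuthConfig.setMode("ldap");
        StringSet ldapDomains = new StringSet();
        ldapDomains.add("badurl.com");
        ldapAuthConfig.setDomains(ldapDomains);
        ldapAuthConfig.setManagerDN("cn=Manager,dc=root,dc=com");
        ldapAuthConfig.setManagerPassword("secret");
        StringSet ldapURLs = new StringSet();
        ldapURLs.add("ldap://xxx");
        ldapAuthConfig.setServerUrls(ldapURLs);
        ldapAuthConfig.setSearchBase("ou=People,dc=root,dc=com");
        ldapAuthConfig.setSearchFilter("(uid=%U)");
        _dbClient.createObject(ldapAuthConfig);
        UsernamePasswordCredentials badURLUserCreds = new UsernamePasswordCredentials("user@badurl.com", "password");
        // Check that authentication and validation operations fail
        // but do not throw connection exceptions
        user = _authManager.authenticate(badURLUserCreds);
        Assert.assertNull(user);
        assertValidateUserRejected("user@badurl.com", subtenant2Id.toString(), null);
        Assert.assertFalse(_authManager.isGroupValid("group@badurl.com", failureReason));
    } finally {
        // Runs even when an assertion fails so the providers do not leak into later tests
        cleanupProviders();
    }
}

/**
 * Asserts that validateUser rejects the user for the given tenant with an {@link APIException}.
 *
 * @param user        principal to validate
 * @param tenantId    tenant the user is validated against
 * @param altTenantId third argument of validateUser as used by the callers here (presumably an
 *                    alternate tenant id); {@code null} when not applicable
 * @throws Exception anything other than the expected APIException, propagated unchanged
 */
private void assertValidateUserRejected(String user, String tenantId, String altTenantId) throws Exception {
    try {
        _authManager.validateUser(user, tenantId, altTenantId);
        Assert.fail("Expected APIException validating " + user + " against tenant " + tenantId);
    } catch (APIException expected) {
        // the rejection is the outcome under test
    }
}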

Example 4 with UserMappingAttribute

use of com.emc.storageos.security.authorization.BasePermissionsHelper.UserMappingAttribute in project coprhd-controller by CoprHD.

The class StorageOSLdapPersonAttributeDao, method mapUserToTenant.

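/**
 * Matches the user against the user mappings of every tenant and returns the tenants whose
 * mapping matched the user's released attributes or groups.
 * <p>
 * Every match is collected; enforcing that a user resolves to one tenant only is left to the
 * caller. When nothing matches, the root (provider) tenant is added with a {@code null}
 * mapping — but only if the root tenant has no user mappings of its own, taken from the
 * override in {@code tenantToMappingMap} when present and from its stored state otherwise.
 * A root tenant restricted by a mapping therefore yields an empty result.
 *
 * @param domains               authn-provider domains to match against; an empty set yields
 *                              an empty result
 * @param storageOSUser         the directory user; its groups are matched by the name part
 *                              before {@code @}, upper-cased
 * @param attributeKeyValuesMap attribute key to the values released by the directory
 * @param tenantToMappingMap    tenant id to its user mappings; a {@code null} value is skipped
 *                              during matching and means "no mappings" for the root fallback
 * @param failureReason         out-parameter owned by the caller; not written here
 * @return tenant id to the mapping that matched it ({@code null} for the root-tenant
 *         fallback); empty when nothing matched and the root tenant is restricted
 */
private Map<URI, UserMapping> mapUserToTenant(StringSet domains, StorageOSUserDAO storageOSUser, Map<String, List<String>> attributeKeyValuesMap, Map<URI, List<UserMapping>> tenantToMappingMap, ValidationFailureReason[] failureReason) {
    Map<URI, UserMapping> tenants = new HashMap<URI, UserMapping>();
    if (CollectionUtils.isEmpty(domains)) {
        return tenants;
    }
    // Released attributes in the form UserMapping.isMatch expects
    List<UserMappingAttribute> userMappingAttributes = new ArrayList<UserMappingAttribute>();
    for (Entry<String, List<String>> attributeKeyValues : attributeKeyValuesMap.entrySet()) {
        UserMappingAttribute userMappingAttribute = new UserMappingAttribute();
        userMappingAttribute.setKey(attributeKeyValues.getKey());
        userMappingAttribute.setValues(attributeKeyValues.getValue());
        userMappingAttributes.add(userMappingAttribute);
    }
    List<String> userMappingGroups = new ArrayList<String>();
    if (null != storageOSUser.getGroups()) {
        for (String group : storageOSUser.getGroups()) {
            // Strip the domain suffix and normalise case once; the same value is matched and logged.
            // NOTE(review): default-locale upper-casing — the mapping side presumably does the same; confirm.
            String groupName = group.split("@")[0].toUpperCase();
            userMappingGroups.add(groupName);
            _log.debug("Adding user's group {} to usermapping group ", groupName);
        }
    }
    for (Entry<URI, List<UserMapping>> tenantToMappingMapEntry : tenantToMappingMap.entrySet()) {
        if (tenantToMappingMapEntry == null || tenantToMappingMapEntry.getValue() == null) {
            continue;
        }
        for (String domain : domains) {
            for (UserMapping userMapping : tenantToMappingMapEntry.getValue()) {
                if (userMapping.isMatch(domain, userMappingAttributes, userMappingGroups)) {
                    tenants.put(tenantToMappingMapEntry.getKey(), userMapping);
                }
            }
        }
    }
    // No mapping matched: fall back to the root tenant unless it is restricted by a mapping of its own
    if (tenants.isEmpty()) {
        BasePermissionsHelper permissionsHelper = new BasePermissionsHelper(_dbClient, false);
        TenantOrg rootTenant = permissionsHelper.getRootTenant();
        // Root tenant present in the parameter: its user-mapping is under modification in this
        // request, so the override decides rather than the stored state.
        if (tenantToMappingMap.containsKey(rootTenant.getId())) {
            List<UserMapping> rootUserMapping = tenantToMappingMap.get(rootTenant.getId());
            if (CollectionUtils.isEmpty(rootUserMapping)) {
                _log.debug("User {} did not match a tenant.  Assigning to root tenant since root does not have any attribute mappings", storageOSUser.getUserName());
                tenants.put(rootTenant.getId(), null);
            }
        // Root tenant not in the parameter: no change requested for it, so its stored
        // user-mapping decides whether the fallback is allowed.
        } else if (rootTenant.getUserMappings() == null || rootTenant.getUserMappings().isEmpty()) {
            _log.debug("User {} did not match a tenant.  Assigning to root tenant since root does not have any attribute mappings", storageOSUser.getUserName());
            tenants.put(rootTenant.getId(), null);
        }
    }
    return tenants;
}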
