
Example 6 with PermissionsKey

use of com.emc.storageos.security.authorization.PermissionsKey in project coprhd-controller by CoprHD.

the class BaseModelFinder method findPermissions.

/**
 * Looks up the ACL permissions {@code user} holds on objects of {@code type} within tenant
 * {@code tenantId}: first the grants keyed on the user's own SID, then those keyed on each
 * group the user belongs to.
 *
 * @param type     ACL-bearing model class whose permissions index is queried
 * @param user     the user whose SID and groups are looked up; must not be {@code null}
 * @param tenantId tenant scope of the lookup; must not be {@code null}
 * @param filterBy permission filter passed straight through to {@code client.findByPermission}
 * @return object URI mapped to the permission names found for it; empty, never {@code null},
 *         when nothing matches
 * @throws IllegalArgumentException if {@code user} or {@code tenantId} is {@code null}
 * @throws DataAccessException wrapping any {@link DatabaseException} raised by the lookup
 */
public <T extends DataObjectWithACLs> Map<URI, Set<String>> findPermissions(Class<T> type, StorageOSUser user, URI tenantId, final Set<String> filterBy) {
    if (user == null) {
        throw new IllegalArgumentException("StorageOSUser can not be null");
    }
    if (tenantId == null) {
        throw new IllegalArgumentException("Tenant URI can not be null");
    }
    final Map<URI, Set<String>> found = Maps.newHashMap();
    try {
        // Direct grants on the user's SID.
        PermissionsKey sidKey = new PermissionsKey(PermissionsKey.Type.SID, user.getName(), tenantId);
        addNonEmptyPermissions(found, client.findByPermission(type, sidKey, filterBy));
        // Grants inherited through group membership, if the principal carries any groups.
        if (user.getGroups() != null) {
            for (String groupName : user.getGroups()) {
                PermissionsKey groupKey = new PermissionsKey(PermissionsKey.Type.GROUP, groupName, tenantId);
                addNonEmptyPermissions(found, client.findByPermission(type, groupKey, filterBy));
            }
        }
    } catch (DatabaseException ex) {
        throw new DataAccessException(ex);
    }
    return found;
}

/**
 * Copies every entry of {@code source} into {@code target}, skipping a {@code null} or empty
 * lookup result.
 * NOTE(review): {@code putAll} replaces the permission set of a URI that shows up in more than
 * one lookup (the user's SID and one of its groups, say) instead of unioning the sets — confirm
 * that callers expect the last lookup to win.
 */
private static void addNonEmptyPermissions(Map<URI, Set<String>> target, Map<URI, Set<String>> source) {
    if (source != null && !source.isEmpty()) {
        target.putAll(source);
    }
}

Example 7 with PermissionsKey

use of com.emc.storageos.security.authorization.PermissionsKey in project coprhd-controller by CoprHD.

the class AclEntryForm method createPermissionKey.

/**
 * Builds the {@link PermissionsKey} this ACL entry form represents, scoped to the tenant of the
 * currently logged-in user ({@code Security.getUserInfo().getTenant()}).
 *
 * @return a GROUP key when {@code type} equals {@code RoleAssignmentType.GROUP.name()}, a SID key
 *         when it equals {@code RoleAssignmentType.USER.name()}, and {@code null} for any other
 *         or missing type
 */
public PermissionsKey createPermissionKey() {
    final String currentTenant = Security.getUserInfo().getTenant();
    if (RoleAssignmentType.GROUP.name().equals(type)) {
        return new PermissionsKey(PermissionsKey.Type.GROUP, aclName, currentTenant);
    }
    if (RoleAssignmentType.USER.name().equals(type)) {
        return new PermissionsKey(PermissionsKey.Type.SID, aclName, currentTenant);
    }
    // NOTE(review): an unrecognised type yields null rather than an error; callers must null-check.
    return null;
}

Example 8 with PermissionsKey

use of com.emc.storageos.security.authorization.PermissionsKey in project coprhd-controller by CoprHD.

the class PermissionsHelper method convertToRoleAssignments.

/**
 * Converts a {@link StringSetMap} of role assignments (permissions-key string to role names)
 * into the {@link RoleAssignmentEntry} list form used by the API.
 *
 * <p>Each map key is parsed as a {@link PermissionsKey}; a GROUP key fills the entry's group, a
 * SID key its subject id. Only roles accepted by {@code isRoleZoneLevel} (when {@code forZone})
 * or {@code isRoleTenantLevel} (otherwise) are copied, and entries left with no roles are dropped.
 *
 * @param roleAssignments the stored assignments; {@code null} or empty yields an empty list
 * @param forZone         {@code true} to keep zone-level roles, {@code false} for tenant-level ones
 * @return the converted entries, never {@code null}
 */
public ArrayList<RoleAssignmentEntry> convertToRoleAssignments(StringSetMap roleAssignments, boolean forZone) {
    final ArrayList<RoleAssignmentEntry> result = new ArrayList<RoleAssignmentEntry>();
    if (roleAssignments == null || roleAssignments.isEmpty()) {
        return result;
    }
    for (Map.Entry<String, AbstractChangeTrackingSet<String>> assignment : roleAssignments.entrySet()) {
        PermissionsKey parsedKey = new PermissionsKey();
        parsedKey.parseFromString(assignment.getKey());
        PermissionsKey.Type keyType = parsedKey.getType();

        RoleAssignmentEntry entry = new RoleAssignmentEntry();
        if (keyType.equals(PermissionsKey.Type.GROUP)) {
            entry.setGroup(parsedKey.getValue());
        } else if (keyType.equals(PermissionsKey.Type.SID)) {
            entry.setSubjectId(parsedKey.getValue());
        }
        // NOTE(review): any other key type leaves both group and subject id unset, yet the entry
        // is still emitted when it carries roles — confirm that is intended.

        for (String role : assignment.getValue()) {
            boolean wanted = forZone ? isRoleZoneLevel(role) : isRoleTenantLevel(role);
            if (wanted) {
                entry.getRoles().add(role);
            }
        }
        if (entry.getRoles().isEmpty()) {
            continue;
        }
        result.add(entry);
    }
    return result;
}

Example 9 with PermissionsKey

use of com.emc.storageos.security.authorization.PermissionsKey in project coprhd-controller by CoprHD.

the class TenantsService method clearTenantACLs.

/**
 * Clears any tenant USE ACLs associated with the provided tenant id from the indicated CF.
 *
 * <p>Objects carrying the ACL are located through a containment-permissions constraint on the
 * TENANT key string, loaded, stripped of the USE ACL for that key and written back with
 * reindexing in a single batch. Nothing is written when no object matches.
 *
 * @param clazz     CF type to clear of tenant ACLs
 * @param tenantId  the tenant id
 * @param specifier optional specifier (e.g. block or file for VirtualPools); blank means none
 */
private void clearTenantACLs(Class<? extends DataObjectWithACLs> clazz, URI tenantId, String specifier) {
    // A non-blank specifier becomes part of the key, and therefore of the ACL string removed below.
    final PermissionsKey tenantKey = StringUtils.isNotBlank(specifier)
            ? new PermissionsKey(PermissionsKey.Type.TENANT, tenantId.toString(), specifier)
            : new PermissionsKey(PermissionsKey.Type.TENANT, tenantId.toString());
    final String keyString = tenantKey.toString();

    URIQueryResultList matches = new URIQueryResultList();
    Constraint byPermission = ContainmentPermissionsConstraint.Factory.getObjsWithPermissionsConstraint(keyString, clazz);
    _dbClient.queryByConstraint(byPermission, matches);
    List<URI> matchedIds = new ArrayList<URI>();
    for (URI matchedId : matches) {
        matchedIds.add(matchedId);
    }

    Iterator<? extends DataObjectWithACLs> objects = _dbClient.queryIterativeObjects(clazz, matchedIds);
    if (objects == null || !objects.hasNext()) {
        return;
    }
    List<DataObjectWithACLs> toUpdate = new ArrayList<DataObjectWithACLs>();
    while (objects.hasNext()) {
        toUpdate.add(objects.next());
    }
    for (DataObjectWithACLs obj : toUpdate) {
        _log.info("Removing USE ACL for deleted subtenant {} from object {}", tenantId, obj.getId());
        obj.removeAcl(keyString, ACL.USE.toString());
    }
    _dbClient.updateAndReindexObject(toUpdate);
}

Example 10 with PermissionsKey

use of com.emc.storageos.security.authorization.PermissionsKey in project coprhd-controller by CoprHD.

the class TenantsService method createSubTenant.

/**
 * Create subtenant
 *
 * <p>Only the root tenant may own subtenants, and the endpoint is gated on the SECURITY_ADMIN
 * role via {@code @CheckPermission}. The request must carry a non-empty label that is unique
 * under the parent and a non-empty set of user mappings; the calling user is granted
 * TENANT_ADMIN on the new subtenant before it is persisted.
 *
 * @param param Subtenant create parameter
 * @param id the URN of a ViPR Tenant
 * @prereq An authentication provider needs to support the domain used in the mappings
 * @brief Create subtenant
 * @return Subtenant details
 * @throws APIException bad-request when the parent is not the root tenant or user mappings are
 *         missing (the label and duplicate-name validators are expected to raise the same)
 */
@POST
@Path("/{id}/subtenants")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@CheckPermission(roles = { Role.SECURITY_ADMIN })
public TenantOrgRestRep createSubTenant(@PathParam("id") URI id, TenantCreateParam param) {
    ObjectNamespace namesp = null;
    boolean namespModified = false;
    // NOTE(review): the boolean presumably requires an active tenant — confirm against getTenantById.
    TenantOrg parent = getTenantById(id, true);
    // Subtenants hang directly off the root tenant; deeper nesting is rejected.
    if (!TenantOrg.isRootTenant(parent)) {
        throw APIException.badRequests.parentTenantIsNotRoot();
    }
    // The label is mandatory and must be unique among tenants sharing this parent.
    ArgValidator.checkFieldNotEmpty(param.getLabel(), "name");
    checkForDuplicateName(param.getLabel(), TenantOrg.class, id, "parentTenant", _dbClient);
    TenantOrg subtenant = new TenantOrg();
    subtenant.setId(URIUtil.createId(TenantOrg.class));
    subtenant.setParentTenant(new NamedURI(parent.getId(), param.getLabel()));
    subtenant.setLabel(param.getLabel());
    subtenant.setDescription(param.getDescription());
    if (param.getNamespace() != null) {
        // A namespace may be bound to at most one tenant.
        checkForDuplicateNamespace(param.getNamespace());
        subtenant.setNamespace(param.getNamespace());
        // Update tenant info in respective namespace CF
        List<URI> allNamespaceURI = _dbClient.queryByType(ObjectNamespace.class, true);
        Iterator<ObjectNamespace> nsItr = _dbClient.queryIterativeObjects(ObjectNamespace.class, allNamespaceURI);
        // Only the first ObjectNamespace whose nativeId matches (case-insensitively) is bound.
        while (nsItr.hasNext()) {
            namesp = nsItr.next();
            if (subtenant.getNamespace().equalsIgnoreCase(namesp.getNativeId())) {
                namesp.setTenant(subtenant.getId());
                namesp.setMapped(true);
                // There could be exceptions ahead; update the db at end
                namespModified = true;
                break;
            }
        }
    }
    // User mappings are mandatory; they are validated before being attached to the subtenant.
    if (null == param.getUserMappings() || param.getUserMappings().isEmpty()) {
        throw APIException.badRequests.requiredParameterMissingOrEmpty("user_mappings");
    } else {
        checkUserMappingAttribute(param.getUserMappings());
        addUserMappings(subtenant, param.getUserMappings(), getUserFromContext());
    }
    // add creator as tenant admin
    // The role is stored under a SID key built without a tenant argument; presumably the tenant's
    // own role map is already tenant-scoped — confirm against PermissionsKey.
    subtenant.addRole(new PermissionsKey(PermissionsKey.Type.SID, getUserFromContext().getName()).toString(), Role.TENANT_ADMIN.toString());
    // perform user tenant check before persistent
    mapOutProviderTenantCheck(subtenant);
    // All validation is done: write the namespace binding (if any) first, then the tenant itself.
    if (namespModified) {
        _dbClient.updateObject(namesp);
    }
    _dbClient.createObject(subtenant);
    // To Do - add attributes to the set of attributes to pull from AD/LDAP
    // Audit trail for the creation, attributed to the parent tenant.
    recordOperation(OperationTypeEnum.CREATE_TENANT, parent.getId(), subtenant);
    return map(subtenant);
}
