Author: rareddy
Date: 2010-03-18 20:20:58 -0400 (Thu, 18 Mar 2010)
New Revision: 1975
Added:
trunk/client/src/main/java/org/teiid/adminapi/DataPolicy.java
trunk/client/src/main/java/org/teiid/adminapi/impl/DataPolicyMetadata.java
trunk/client/src/main/java/org/teiid/adminapi/impl/PermissionMap.java
trunk/client/src/test/java/org/teiid/adminapi/impl/TestDataPolicyMetaData.java
Removed:
trunk/client/src/main/java/com/metamatrix/platform/security/api/MetaMatrixPrincipal.java
trunk/client/src/main/java/com/metamatrix/platform/security/api/MetaMatrixPrincipalName.java
trunk/client/src/main/java/org/teiid/adminapi/AdminRoles.java
trunk/client/src/main/java/org/teiid/adminapi/DataRole.java
trunk/client/src/main/java/org/teiid/adminapi/impl/DataRoleMetadata.java
trunk/engine/src/main/java/com/metamatrix/api/exception/security/AuthorizationException.java
trunk/engine/src/main/java/com/metamatrix/api/exception/security/AuthorizationMgmtException.java
trunk/engine/src/main/java/com/metamatrix/dqp/service/AuthorizationService.java
trunk/engine/src/main/java/org/teiid/security/roles/
trunk/engine/src/main/resources/org/teiid/security/roles/
trunk/engine/src/test/java/com/metamatrix/dqp/service/FakeAuthorizationService.java
trunk/runtime/src/main/java/org/teiid/services/AuthorizationServiceImpl.java
trunk/runtime/src/test/java/com/metamatrix/platform/security/api/
Modified:
trunk/build/kit-jboss-container/deploy/teiid/teiid-jboss-beans.xml
trunk/client/src/main/java/org/teiid/adminapi/VDB.java
trunk/client/src/main/java/org/teiid/adminapi/impl/ListOverMap.java
trunk/client/src/main/java/org/teiid/adminapi/impl/VDBMetaData.java
trunk/client/src/main/resources/vdb-deployer.xsd
trunk/client/src/test/java/org/teiid/adminapi/impl/TestVDBMetaData.java
trunk/engine/src/main/java/com/metamatrix/dqp/service/SessionService.java
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java
trunk/engine/src/main/java/org/teiid/dqp/internal/process/Request.java
trunk/engine/src/main/java/org/teiid/dqp/internal/process/validator/AuthorizationValidationVisitor.java
trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java
trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java
trunk/engine/src/test/java/org/teiid/dqp/internal/process/validator/TestAuthorizationValidationVisitor.java
trunk/jboss-integration/src/main/java/org/teiid/jboss/deployers/RuntimeEngineDeployer.java
Log:
TEIID-1017: step(2) Associating data policies read from the vdb.xml file into the engine
so that they can be enforced by the Teiid runtime. This removes the old authorization
framework, as its complexity may not be required here.
Modified: trunk/build/kit-jboss-container/deploy/teiid/teiid-jboss-beans.xml
===================================================================
--- trunk/build/kit-jboss-container/deploy/teiid/teiid-jboss-beans.xml 2010-03-18 18:26:59
UTC (rev 1974)
+++ trunk/build/kit-jboss-container/deploy/teiid/teiid-jboss-beans.xml 2010-03-19 00:20:58
UTC (rev 1975)
@@ -18,12 +18,6 @@
</bind>
<!-- Teiid Services -->
- <bean name="AuthorizationService"
class="org.teiid.services.AuthorizationServiceImpl">
- <property name="VDBRepository"><inject
bean="VDBRepository"/></property>
- <!-- Turn on checking the entitlements on resources based on the roles defined
in VDB -->
- <property name="useEntitlements"
class="java.lang.Boolean">false</property>
- </bean>
-
<bean name="SessionService"
class="org.teiid.services.SessionServiceImpl">
<property name="VDBRepository"><inject
bean="VDBRepository"/></property>
<property name="securityHelper"><inject
bean="SecurityHelper"/></property>
@@ -73,7 +67,6 @@
<property name="workManager"><inject
bean="WorkManager"/></property>
<property name="XATerminator"><inject
bean="TransactionManager"
property="XATerminator"/></property>
<property name="transactionManager"><inject
bean="TransactionManager"
property="transactionManager"/></property>
- <property name="authorizationService"><inject
bean="AuthorizationService"/></property>
<property name="sessionService"><inject
bean="SessionService"/></property>
<property name="bufferService"><inject
bean="BufferService"/></property>
<property name="connectorManagerRepository"><inject
bean="ConnectorManagerRepository"/></property>
@@ -101,6 +94,8 @@
<property name="resultSetCacheMaxEntries">1024</property>
<!-- Enable Resultset Caching -->
<property name="resultSetCacheEnabled">true</property>
+ <!-- Turn on checking the entitlements on resources based on the roles defined
in VDB -->
+ <property name="useEntitlements"
class="java.lang.Boolean">false</property>
</bean>
<!-- JDBC Socket connection properties (SSL see below) -->
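Review bot: The `useEntitlements` property moved into this bean is set to `false`, so with the shipped kit configuration the data policies this revision wires into the engine are not checked at all, and the comment above it does not make that consequence clear. Suggest `<!-- Set to true to enforce the data policies (roles) defined in the VDB; when false, no permission checks are performed -->` in place of the current comment. The bean that now owns this property starts before the hunk, so which component reads the flag is not visible here.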
Deleted:
trunk/client/src/main/java/com/metamatrix/platform/security/api/MetaMatrixPrincipal.java
===================================================================
---
trunk/client/src/main/java/com/metamatrix/platform/security/api/MetaMatrixPrincipal.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/client/src/main/java/com/metamatrix/platform/security/api/MetaMatrixPrincipal.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -1,86 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-
-package com.metamatrix.platform.security.api;
-
-import java.security.Principal;
-import java.util.Set;
-
-/**
- * This interface represents an abstract notion of users, groups or applications
- * within the MetaMatrix Security Framework. MetaMatrixPrincipal is anlogous
- * to java.security.Principal, which it extends from.
- */
-public interface MetaMatrixPrincipal extends Principal, Cloneable {
-
- // JPC 07/07/2005
- // These constants were copied to com.metamtrix.admin.server package
- // (instead of moved - for dependancy reasons) so any changes
- // made here should also be made there.
- // Better yet, these should be moved there and dependanies resolved
- static final int TYPE_USER = 0;
- static final int TYPE_GROUP = 1;
- static final int TYPE_ADMIN = 2;
-
- public static final String TYPE_LABEL_USER = "User"; //$NON-NLS-1$
- public static final String TYPE_LABEL_GROUP = "Group"; //$NON-NLS-1$
- public static final String TYPE_LABEL_ADMIN = "Admin"; //$NON-NLS-1$
-
-
- // User and Group names can be no longer then this
- public static final int NAME_LEN_LIMIT = 1024;
-
- static final String[] TYPE_NAMES = new String[] {TYPE_LABEL_USER, TYPE_LABEL_GROUP,
TYPE_LABEL_ADMIN};
-
- /**
- * Get the <code>MetaMatrixPrincipalName</code> for this principal.
- * @see MetaMatrixPrincipaName.
- * @return the <code>MetaMatrixPrincipalName</code> for this principal.
- */
- MetaMatrixPrincipalName getMetaMatrixPrincipalName();
-
- /**
- * Get the type of principal
- * @return the type for this principal
- */
- int getType();
-
- /**
- * Get the String form for the type of principal
- * @return the type for this principal as a String
- */
- String getTypeLabel();
-
- /**
- * Returns the Principal for each group that this principal is a member of.
- */
- Set getGroupNames();
-
- /**
- * Return a cloned instance of this object.
- * @return the object that is the clone of this instance.
- */
- Object clone();
-}
-
-
-
Deleted:
trunk/client/src/main/java/com/metamatrix/platform/security/api/MetaMatrixPrincipalName.java
===================================================================
---
trunk/client/src/main/java/com/metamatrix/platform/security/api/MetaMatrixPrincipalName.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/client/src/main/java/com/metamatrix/platform/security/api/MetaMatrixPrincipalName.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -1,136 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-
-package com.metamatrix.platform.security.api;
-
-import java.io.Serializable;
-
-public class MetaMatrixPrincipalName implements Serializable {
- private static final long serialVersionUID = 4630832657093482302L;
- private int type;
- private String name;
-
- public MetaMatrixPrincipalName( String name, int type ) {
- if ( name == null || name.trim().length() == 0 ) {
- throw new IllegalArgumentException("illegal name " + name);
//$NON-NLS-1$
- }
- if ( name.trim().length() > MetaMatrixPrincipal.NAME_LEN_LIMIT ) {
- throw new IllegalArgumentException("name too long " + name);
//$NON-NLS-1$
- }
- if ( type < MetaMatrixPrincipal.TYPE_USER || type >
MetaMatrixPrincipal.TYPE_ADMIN ) {
- throw new IllegalArgumentException("invalid type " + type);
//$NON-NLS-1$
- }
- this.name = name;
- this.type = type;
- }
-
- protected MetaMatrixPrincipalName( MetaMatrixPrincipalName obj ) {
- if ( obj == null ) {
- throw new IllegalArgumentException("argument cannot be null");
//$NON-NLS-1$
- }
- this.type = obj.getType();
- this.name = obj.getName();
- }
-
- public boolean equals(Object obj){
- if( this == obj ){
- return true;
- }
-
- if(!(obj instanceof MetaMatrixPrincipalName)){
- return false;
- }
- MetaMatrixPrincipalName that = (MetaMatrixPrincipalName) obj;
- return this.type == that.type && this.name.compareTo(that.name) == 0;
- }
-
- /**
- * Compares this object to another. If the specified object is
- * an instance of the MetaMatrixPrincipalName class, then this
- * method compares the contents; otherwise, it throws a
- * ClassCastException (as instances are comparable only to
- * instances of the same
- * class).
- * <p>
- * Note: this method <i>is</i> consistent with
- * <code>equals()</code>, meaning
- * that
- * <code>(compareTo(x, y)==0) == (x.equals(y))</code>.
- * <p>
- * @param obj the object that this instance is to be compared to.
- * @return a negative integer, zero, or a positive integer as this object
- * is less than, equal to, or greater than the specified object, respectively.
- * @throws IllegalArgumentException if the specified object reference is null
- * @throws ClassCastException if the specified object's type prevents it
- * from being compared to this instance.
- */
- public int compareTo(Object obj) {
- MetaMatrixPrincipalName that = (MetaMatrixPrincipalName)obj; // May throw
ClassCastException
- int comp = this.name.compareTo(that.name);
- if ( comp == 0 ) {
- comp = this.type - that.type;
- }
- return comp;
- }
-
- /**
- * Get the type of principal
- * @return the type for this principal
- */
- public int getType() {
- return type;
- }
-
- /**
- * Get the String form for the type of principal.
- * @return the type for this principal as a String
- */
- public String getTypeLabel() {
- return MetaMatrixPrincipal.TYPE_NAMES[this.type];
- }
-
- /**
- * Returns the name of this principal.
- * @return the name of this principal (never null)
- */
- public String getName(){
- return name;
- }
-
- public int hashCode(){
- return name.hashCode();
- }
-
- public String toString(){
- StringBuffer sb = new StringBuffer();
- sb.append("[Name=\""); //$NON-NLS-1$
- sb.append(this.getName());
- sb.append("\" - Type=\""); //$NON-NLS-1$
- sb.append( MetaMatrixPrincipal.TYPE_NAMES[this.type] );
- sb.append("\"]"); //$NON-NLS-1$
- return sb.toString();
- }
-
-}
-
-
-
Deleted: trunk/client/src/main/java/org/teiid/adminapi/AdminRoles.java
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/AdminRoles.java 2010-03-18 18:26:59 UTC
(rev 1974)
+++ trunk/client/src/main/java/org/teiid/adminapi/AdminRoles.java 2010-03-19 00:20:58 UTC
(rev 1975)
@@ -1,79 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-
-package org.teiid.adminapi;
-
-import java.util.HashSet;
-import java.util.Set;
-
-/**
- * Static class that lists the roles allowable in the MetaMatrix system.
- *
- * <p>This class can be used to get a list of all allowable administrative role
- * names or the name of one role to assign to a principal.</p>
- * @since 4.3
- */
-public class AdminRoles {
- private static final Set roleSet;
-
- static {
- roleSet = new HashSet();
- roleSet.add(RoleName.ADMIN_SYSTEM);
- roleSet.add(RoleName.ADMIN_PRODUCT);
- roleSet.add(RoleName.ADMIN_READONLY);
- }
-
- /**
- * Get the set of static MetaMatrix administrative roles known to the system.
- * @return the <code>Set</code> of <code>String</code> role
names.
- * @since 4.3
- */
- public static Set<String> getAllRoleNames() {
- return roleSet;
- }
-
- /**
- * Determine whether an admin role exists by the given
<code>roleName</code>.
- * @param roleName the name for which to validate.
- * @return <code>true</code> iff an admin role exists with the given role
name.
- * @since 4.3
- */
- public static boolean containsRole(String roleName) {
- return roleSet.contains(roleName);
- }
-
- /**
- * Static class that defines defines the allowed administrative roles
- * for the MetaMatrix system.
- * @since 4.3
- */
- public static class RoleName {
- /** System admin role name */
- public static final String ADMIN_SYSTEM =
"Admin.SystemAdmin"; //$NON-NLS-1$
- /** Product admin role name */
- public static final String ADMIN_PRODUCT =
"Admin.ProductAdmin"; //$NON-NLS-1$
- /** Read-only admin role name */
- public static final String ADMIN_READONLY =
"Admin.ReadOnlyAdmin"; //$NON-NLS-1$
-
- public static final String ANONYMOUS = "Anonymous"; //$NON-NLS-1$
- }
-}
Copied: trunk/client/src/main/java/org/teiid/adminapi/DataPolicy.java (from rev 1974,
trunk/client/src/main/java/org/teiid/adminapi/DataRole.java)
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/DataPolicy.java
(rev 0)
+++ trunk/client/src/main/java/org/teiid/adminapi/DataPolicy.java 2010-03-19 00:20:58 UTC
(rev 1975)
@@ -0,0 +1,86 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * See the COPYRIGHT.txt file distributed with this work for information
+ * regarding copyright ownership. Some portions may be licensed
+ * to Red Hat, Inc. under one or more contributor license agreements.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301 USA.
+ */
+package org.teiid.adminapi;
+
+import java.util.List;
+
+public interface DataPolicy {
+
+ public enum PermissionType {CREATE, READ, UPDATE, DELETE};
+
+ /**
+ * Get the Name of the Data Policy
+ * @return
+ */
+ String getName();
+
+ /**
+ * Get the description of the Data Policy
+ * @return
+ */
+ String getDescription();
+
+ /**
+ * Get the List of Permissions for this Data Policy.
+ * @return
+ */
+ List<DataPermission> getPermissions();
+
+ /**
+ * Mapped Container Role names for this Data Policy
+ * @return
+ */
+ List<String> getMappedRoleNames();
+
+
+ interface DataPermission {
+ /**
+ * Get the Resource Name that Data Permission representing
+ * @return
+ */
+ String getResourceName();
+
+ /**
+ * Is "CREATE" allowed?
+ * @return
+ */
+ boolean isAllowCreate();
+
+ /**
+ * Is "SELECT" allowed?
+ * @return
+ */
+ boolean isAllowRead();
+
+ /**
+ * Is "INSERT/UPDATE" allowed?
+ * @return
+ */
+ boolean isAllowUpdate();
+
+ /**
+ * Is "DELETE" allowed?
+ * @return
+ */
+ boolean isAllowDelete();
+ }
+}
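Review bot: Every Javadoc `@return` in this interface is left empty, and the flag descriptions do not line up with the `PermissionType` names: `isAllowUpdate` is documented as `Is "INSERT/UPDATE" allowed?` while `isAllowCreate` covers CREATE, so a reader cannot tell which operation INSERT falls under. Since these flags are the contract the engine will enforce, each should state the exact operation it gates, e.g. `Is "UPDATE" allowed?` with `@return true if UPDATE is permitted on the resource`, and likewise for the other three. The trailing `;` after the `PermissionType` enum body is redundant and can be dropped.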
Property changes on: trunk/client/src/main/java/org/teiid/adminapi/DataPolicy.java
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Deleted: trunk/client/src/main/java/org/teiid/adminapi/DataRole.java
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/DataRole.java 2010-03-18 18:26:59 UTC
(rev 1974)
+++ trunk/client/src/main/java/org/teiid/adminapi/DataRole.java 2010-03-19 00:20:58 UTC
(rev 1975)
@@ -1,83 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-package org.teiid.adminapi;
-
-import java.util.List;
-
-public interface DataRole {
- /**
- * Get the Name of the Data Role
- * @return
- */
- String getName();
-
- /**
- * Get the description of the Data Role
- * @return
- */
- String getDescription();
-
- /**
- * Get the List of Permissions for this Data Role.
- * @return
- */
- List<Permission> getPermissions();
-
- /**
- * Mapped Container Role names for this Data Role
- * @return
- */
- List<String> getMappedRoleNames();
-
-
- interface Permission {
- /**
- * Get the Resource Name that Data Role representing
- * @return
- */
- String getResourceName();
-
- /**
- * Is "CREATE" allowed?
- * @return
- */
- boolean isAllowCreate();
-
- /**
- * Is "SELECT" allowed?
- * @return
- */
- boolean isAllowRead();
-
- /**
- * Is "INSERT/UPDATE" allowed?
- * @return
- */
- boolean isAllowUpdate();
-
- /**
- * Is "DELETE" allowed?
- * @return
- */
- boolean isAllowDelete();
- }
-}
Modified: trunk/client/src/main/java/org/teiid/adminapi/VDB.java
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/VDB.java 2010-03-18 18:26:59 UTC (rev
1974)
+++ trunk/client/src/main/java/org/teiid/adminapi/VDB.java 2010-03-19 00:20:58 UTC (rev
1975)
@@ -93,5 +93,5 @@
* Get the data roles defined on this VDB
* @return
*/
- public List<DataRole> getDataRoles();
+ public List<DataPolicy> getDataPolicies();
}
Copied: trunk/client/src/main/java/org/teiid/adminapi/impl/DataPolicyMetadata.java (from
rev 1974, trunk/client/src/main/java/org/teiid/adminapi/impl/DataRoleMetadata.java)
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/impl/DataPolicyMetadata.java
(rev 0)
+++ trunk/client/src/main/java/org/teiid/adminapi/impl/DataPolicyMetadata.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -0,0 +1,326 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * See the COPYRIGHT.txt file distributed with this work for information
+ * regarding copyright ownership. Some portions may be licensed
+ * to Red Hat, Inc. under one or more contributor license agreements.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301 USA.
+ */
+package org.teiid.adminapi.impl;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+import org.jboss.managed.api.annotation.ManagementObject;
+import org.jboss.managed.api.annotation.ManagementObjectID;
+import org.jboss.managed.api.annotation.ManagementProperties;
+import org.jboss.managed.api.annotation.ManagementProperty;
+import org.teiid.adminapi.DataPolicy;
+
+
+(a)XmlAccessorType(XmlAccessType.NONE)
+@XmlType(name = "", propOrder = {
+ "description",
+ "permissions",
+ "mappedRoleNames"
+})
+(a)ManagementObject(properties=ManagementProperties.EXPLICIT)
+public class DataPolicyMetadata implements DataPolicy, Serializable {
+ private static final long serialVersionUID = -4119646357275977190L;
+
+ @XmlAttribute(name = "name", required = true)
+ protected String name;
+ @XmlElement(name = "description")
+ protected String description;
+
+ @XmlElement(name = "permission")
+ protected PermissionMap permissions = new PermissionMap(new
KeyBuilder<PermissionMetaData>() {
+ private static final long serialVersionUID = -6992984146431492449L;
+ @Override
+ public String getKey(PermissionMetaData entry) {
+ return entry.getResourceName();
+ }
+ });
+
+ @XmlElement(name = "mapped-role-name")
+ protected List<String> mappedRoleNames;
+
+ @Override
+ @ManagementProperty(description="Policy Name")
+ @ManagementObjectID(type="policy")
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String value) {
+ this.name = value;
+ }
+
+ @Override
+ @ManagementProperty(description="Policy Description")
+ public String getDescription() {
+ return description;
+ }
+
+ public void setDescription(String value) {
+ this.description = value;
+ }
+
+ @Override
+ @ManagementProperty(description="Permissions in a Data Policy", managed=true)
+ public List<DataPermission> getPermissions() {
+ return new ArrayList<DataPermission>(this.permissions.getMap().values());
+ }
+
+ public void setPermissions(List<DataPermission> permissions) {
+ this.permissions.getMap().clear();
+ for (DataPermission permission:permissions) {
+ this.permissions.add((PermissionMetaData)permission);
+ }
+ }
+
+ public void addPermission(PermissionMetaData... permissions) {
+ for (PermissionMetaData permission:permissions) {
+ this.permissions.add(permission);
+ }
+ }
+
+ @Override
+ @ManagementProperty(description="Mapped Container role names mapped to this
policy")
+ public List<String> getMappedRoleNames() {
+ return mappedRoleNames;
+ }
+
+ public void setMappedRoleNames(List<String> names) {
+ this.mappedRoleNames = names;
+ }
+
+ public boolean allows(String resourceName, DataPolicy.PermissionType type) {
+ for(PermissionMetaData permission:this.permissions.getMap().values()) {
+ if (permission.getResourceName().equalsIgnoreCase(resourceName) ) {
+ return permission.allows(type);
+ }
+ }
+
+ for(PermissionMetaData permission:this.permissions.getMap().values()) {
+ if (permission.allows(resourceName, type)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+
+ @XmlAccessorType(XmlAccessType.NONE)
+ @XmlType(name = "", propOrder = {
+ "resourceName",
+ "allowCreate",
+ "allowRead",
+ "allowUpdate",
+ "allowDelete"
+ })
+ @ManagementObject(properties=ManagementProperties.EXPLICIT)
+ public static class PermissionMetaData implements DataPermission{
+
+ private static final String SEPARATOR = "."; //$NON-NLS-1$
+ public static final String RECURSIVE = "*"; //$NON-NLS-1$
+ private static final String ALL_NODES = RECURSIVE;
+ public static final String SEPARATOR_WITH_RECURSIVE = SEPARATOR + RECURSIVE;
+
+ // derived state
+ private String canonicalName; // The resource's canonical name
+ private boolean isRecursive = false; // Is this a recursive resource?
+
+ // XML based fields
+ private String resourceName;
+ @XmlElement(name = "allow-create")
+ protected Boolean allowCreate;
+ @XmlElement(name = "allow-read")
+ protected Boolean allowRead;
+ @XmlElement(name = "allow-update")
+ protected Boolean allowUpdate;
+ @XmlElement(name = "allow-delete")
+ protected Boolean allowDelete;
+
+ @Override
+ @ManagementProperty(description="Resource Name, for which permission
defined")
+ @ManagementObjectID(type="permission")
+ @XmlElement(name = "resource-name", required = true)
+ public String getResourceName() {
+ return resourceName;
+ }
+
+ public void setResourceName(String value) {
+ this.resourceName = value;
+ init(this.resourceName);
+ }
+
+ @Override
+ @ManagementProperty(description="Allows Create")
+ public boolean isAllowCreate() {
+ if (allowCreate == null) {
+ return false;
+ }
+ return allowCreate;
+ }
+
+ public void setAllowCreate(Boolean value) {
+ this.allowCreate = value;
+ }
+
+ @Override
+ @ManagementProperty(description="Allows Read")
+ public boolean isAllowRead() {
+ if (allowRead == null) {
+ return false;
+ }
+ return allowRead;
+ }
+
+ public void setAllowRead(Boolean value) {
+ this.allowRead = value;
+ }
+
+ @Override
+ @ManagementProperty(description="Allows Update")
+ public boolean isAllowUpdate() {
+ if (allowUpdate == null) {
+ return false;
+ }
+ return allowUpdate;
+ }
+
+ public void setAllowUpdate(Boolean value) {
+ this.allowUpdate = value;
+ }
+
+ @Override
+ @ManagementProperty(description="Allows Delete")
+ public boolean isAllowDelete() {
+ if (allowDelete == null) {
+ return false;
+ }
+ return allowDelete;
+ }
+
+ public void setAllowDelete(Boolean value) {
+ this.allowDelete = value;
+ }
+
+ public String getType() {
+ StringBuilder sb = new StringBuilder();
+ if (isAllowCreate()) {
+ sb.append("C");//$NON-NLS-1$
+ }
+ if (isAllowRead()) {
+ sb.append("R");//$NON-NLS-1$
+ }
+ if (isAllowUpdate()) {
+ sb.append("U");//$NON-NLS-1$
+ }
+ if (isAllowDelete()) {
+ sb.append("D");//$NON-NLS-1$
+ }
+ return sb.toString();
+ }
+
+ public boolean allows(PermissionType type) {
+ boolean allowedType = false;
+ switch (type) {
+ case CREATE:
+ allowedType = isAllowCreate();
+ break;
+ case READ:
+ allowedType = isAllowRead();
+ break;
+ case UPDATE:
+ allowedType = isAllowUpdate();
+ break;
+ case DELETE:
+ allowedType = isAllowDelete();
+ break;
+ }
+ return allowedType;
+ }
+
+ public boolean allows(String checkResource, PermissionType type) {
+ boolean allowedType = allows(type);
+ boolean allowed = false;
+
+ if (allowedType) {
+ checkResource = checkResource.toLowerCase();
+ if ( isRecursive ) {
+ if ( checkResource.startsWith(this.canonicalName) ) {
+ allowed = true;
+ }
+ } else {
+ allowed = this.canonicalName.equals(checkResource);
+
+ if (!allowed) {
+ // if this resource is a group level permission, then grant permission to
any children
+ // for ex: 'foo.x.y' has permission if 'foo.x' is defined
+ int lastSepIndex = checkResource.lastIndexOf(SEPARATOR);
+ if ( lastSepIndex > 0 && checkResource.substring(0,
lastSepIndex).equals(this.canonicalName) ) {
+ allowed = true;
+ }
+ }
+ }
+ }
+ return allowed;
+ }
+
+ /**
+ * This method is invoked by the constructors that take a string resource name,
and is
+ * to strip out any recursive or wildcard characters and return simple the name
of the
+ * node.
+ */
+ private void init( String resourceName ) {
+ // If the resource name is the ALL_NODES resource ...
+ if ( resourceName.equals(ALL_NODES) ) {
+ this.isRecursive = true;
+ this.canonicalName = ""; // resource name should be
nothing //$NON-NLS-1$
+ }
+
+ // If the resource name includes the recursive parameter ...
+ if ( resourceName.endsWith(SEPARATOR_WITH_RECURSIVE) ) {
+ isRecursive = true;
+ this.canonicalName = resourceName.substring(0, resourceName.length()-2);
+ } else if (resourceName.endsWith(RECURSIVE) ) {
+ this.isRecursive = true;
+ this.canonicalName = resourceName.substring(0, resourceName.length()-1);
+ } else {
+ this.canonicalName = resourceName;
+ }
+ this.canonicalName = this.canonicalName.toLowerCase();
+ }
+
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+ sb.append(getResourceName());
+ sb.append("["); //$NON-NLS-1$
+ sb.append(getType());
+ sb.append("]");//$NON-NLS-1$
+ return sb.toString();
+ }
+ }
+}
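Review bot: The recursive branch of `PermissionMetaData.allows(String, PermissionType)` grants by bare string prefix, so a permission on `foo.x.*` (canonical name `foo.x`) also allows `foo.xyz.t`, because `checkResource.startsWith(this.canonicalName)` does not require a separator boundary. It should match the node itself or a proper child: `if ( this.canonicalName.length() == 0 || checkResource.equals(this.canonicalName) || checkResource.startsWith(this.canonicalName + SEPARATOR) )`, where the empty canonical name covers the `*` all-nodes case that `init` produces. Both `init` and this method lower-case with the default locale; `toLowerCase(Locale.ROOT)` would keep the canonical and checked names comparable regardless of the JVM's locale. Separately, `getMappedRoleNames()` returns the field as-is, so it is `null` until `setMappedRoleNames` is called; either callers must expect that or the field should default to an empty list.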
Property changes on:
trunk/client/src/main/java/org/teiid/adminapi/impl/DataPolicyMetadata.java
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Deleted: trunk/client/src/main/java/org/teiid/adminapi/impl/DataRoleMetadata.java
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/impl/DataRoleMetadata.java 2010-03-18
18:26:59 UTC (rev 1974)
+++ trunk/client/src/main/java/org/teiid/adminapi/impl/DataRoleMetadata.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -1,204 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-package org.teiid.adminapi.impl;
-
-import java.io.Serializable;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.bind.annotation.XmlAccessType;
-import javax.xml.bind.annotation.XmlAccessorType;
-import javax.xml.bind.annotation.XmlAttribute;
-import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlType;
-
-import org.jboss.managed.api.annotation.ManagementObject;
-import org.jboss.managed.api.annotation.ManagementObjectID;
-import org.jboss.managed.api.annotation.ManagementProperties;
-import org.jboss.managed.api.annotation.ManagementProperty;
-import org.teiid.adminapi.DataRole;
-
-
-(a)XmlAccessorType(XmlAccessType.FIELD)
-@XmlType(name = "", propOrder = {
- "description",
- "permissions",
- "mappedRoleNames"
-})
-(a)ManagementObject(properties=ManagementProperties.EXPLICIT)
-public class DataRoleMetadata implements DataRole, Serializable {
- private static final long serialVersionUID = -4119646357275977190L;
-
- @XmlAttribute(name = "name", required = true)
- protected String name;
- @XmlElement(name = "description")
- protected String description;
-
- @XmlElement(name = "permission")
- protected ListOverMap<PermissionMetaData> permissions = new
ListOverMap<PermissionMetaData>(new KeyBuilder<PermissionMetaData>() {
- @Override
- public String getKey(PermissionMetaData entry) {
- return entry.getResourceName();
- }
- });
-
- @XmlElement(name = "mapped-role-name")
- protected List<String> mappedRoleNames;
-
- @Override
- @ManagementProperty(description="Role Name")
- @ManagementObjectID(type="role")
- public String getName() {
- return name;
- }
-
- public void setName(String value) {
- this.name = value;
- }
-
- @Override
- @ManagementProperty(description="Role Description")
- public String getDescription() {
- return description;
- }
-
- public void setDescription(String value) {
- this.description = value;
- }
-
- @Override
- @ManagementProperty(description="Permissions in a Data Role", managed=true)
- public List<Permission> getPermissions() {
- return new ArrayList<Permission>(this.permissions.getMap().values());
- }
-
- public void setPermissions(List<Permission> permissions) {
- this.permissions.getMap().clear();
- for (Permission permission:permissions) {
- this.permissions.getMap().put(permission.getResourceName(),
(PermissionMetaData)permission);
- }
- }
-
- public PermissionMetaData getPermission(String resourceName) {
- return this.permissions.getMap().get(resourceName);
- }
-
- public void addPermission(PermissionMetaData permission) {
- this.permissions.getMap().put(permission.getResourceName(), permission);
- }
-
- @Override
- @ManagementProperty(description="Mapped Container role names mapped to this
role")
- public List<String> getMappedRoleNames() {
- return mappedRoleNames;
- }
-
- public void setMappedRoleNames(List<String> names) {
- this.mappedRoleNames = names;
- }
-
-
- @XmlAccessorType(XmlAccessType.FIELD)
- @XmlType(name = "", propOrder = {
- "resourceName",
- "allowCreate",
- "allowRead",
- "allowUpdate",
- "allowDelete"
- })
- @ManagementObject(properties=ManagementProperties.EXPLICIT)
- public static class PermissionMetaData implements Permission{
- @XmlElement(name = "resource-name", required = true)
- protected String resourceName;
- @XmlElement(name = "allow-create")
- protected Boolean allowCreate;
- @XmlElement(name = "allow-read")
- protected Boolean allowRead;
- @XmlElement(name = "allow-update")
- protected Boolean allowUpdate;
- @XmlElement(name = "allow-delete")
- protected Boolean allowDelete;
-
- @Override
- @ManagementProperty(description="Resource Name, for which role
defined")
- @ManagementObjectID(type="permission")
- public String getResourceName() {
- return resourceName;
- }
-
- public void setResourceName(String value) {
- this.resourceName = value;
- }
-
- @Override
- @ManagementProperty(description="Allows Create")
- public boolean isAllowCreate() {
- if (allowCreate == null) {
- return false;
- }
- return allowCreate;
- }
-
- public void setAllowCreate(Boolean value) {
- this.allowCreate = value;
- }
-
- @Override
- @ManagementProperty(description="Allows Read")
- public boolean isAllowRead() {
- if (allowRead == null) {
- return false;
- }
- return allowRead;
- }
-
- public void setAllowRead(Boolean value) {
- this.allowRead = value;
- }
-
- @Override
- @ManagementProperty(description="Allows Update")
- public boolean isAllowUpdate() {
- if (allowUpdate == null) {
- return false;
- }
- return allowUpdate;
- }
-
- public void setAllowUpdate(Boolean value) {
- this.allowUpdate = value;
- }
-
- @Override
- @ManagementProperty(description="Allows Delete")
- public boolean isAllowDelete() {
- if (allowDelete == null) {
- return false;
- }
- return allowDelete;
- }
-
- public void setAllowDelete(Boolean value) {
- this.allowDelete = value;
- }
- }
-}
Modified: trunk/client/src/main/java/org/teiid/adminapi/impl/ListOverMap.java
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/impl/ListOverMap.java 2010-03-18
18:26:59 UTC (rev 1974)
+++ trunk/client/src/main/java/org/teiid/adminapi/impl/ListOverMap.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -28,12 +28,12 @@
import java.util.LinkedHashMap;
import java.util.Set;
-final class ListOverMap<E> extends AbstractList<E> implements Serializable {
+class ListOverMap<E> extends AbstractList<E> implements Serializable {
private static final long serialVersionUID = 5171741731121210240L;
- private LinkedHashMap<String, E> map = new LinkedHashMap<String, E>();
- private KeyBuilder<E> builder;
+ protected LinkedHashMap<String, E> map = new LinkedHashMap<String, E>();
+ protected KeyBuilder<E> builder;
public ListOverMap(KeyBuilder<E> builder) {
this.builder = builder;
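Review bot: Widening `map` and `builder` from private to protected hands subclasses a reference to the mutable backing map, which PermissionMap then reads directly; since both fields are assigned only at declaration and in the constructor visible here, they can be `protected final LinkedHashMap<String, E> map = new LinkedHashMap<String, E>();` and `protected final KeyBuilder<E> builder;` so a subclass cannot swap the map out from under the list, assuming no other constructor outside the hunk assigns them. The class is also no longer final, so a short Javadoc stating that subclasses must keep `map` keyed by `builder.getKey(e)` would make the contract the override relies on explicit. The rest of ListOverMap is outside the hunk.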
Added: trunk/client/src/main/java/org/teiid/adminapi/impl/PermissionMap.java
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/impl/PermissionMap.java
(rev 0)
+++ trunk/client/src/main/java/org/teiid/adminapi/impl/PermissionMap.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright (C) 2008 Red Hat, Inc.
+ * Copyright (C) 2000-2007 MetaMatrix, Inc.
+ * Licensed to Red Hat, Inc. under one or more contributor
+ * license agreements. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301 USA.
+ */
+package org.teiid.adminapi.impl;
+
+import org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData;
+
+public class PermissionMap extends ListOverMap<PermissionMetaData> {
+
+ private static final long serialVersionUID = -1170556665834875267L;
+
+ public PermissionMap(KeyBuilder<PermissionMetaData> builder) {
+ super(builder);
+ }
+
+ @Override
+ public void add(int index, PermissionMetaData element) {
+ PermissionMetaData previous = this.map.get(builder.getKey(element));
+ if (previous != null) {
+ if (element.allowCreate != null) {
+ previous.setAllowCreate(element.allowCreate);
+ }
+ if (element.allowRead != null) {
+ previous.setAllowRead(element.allowRead);
+ }
+ if (element.allowUpdate != null) {
+ previous.setAllowUpdate(element.allowUpdate);
+ }
+ if (element.allowDelete != null) {
+ previous.setAllowDelete(element.allowDelete);
+ }
+ }
+ else {
+ super.add(index, element);
+ }
+ }
+
+}
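Review bot: The merge branch in `add` silently changes the semantics for a duplicate resource key and is undocumented: a later permission's non-null flags overwrite the earlier entry's, null flags keep the earlier grant, and `index` is ignored, so a second permission element for the same resource can widen or narrow access without any error. Add a Javadoc on the override stating this, e.g. `/** Merges into the existing entry for the same key: non-null flags of {@code element} replace the previous values, null flags are left unchanged, and {@code index} is ignored; otherwise appends. */`. Keying is by `builder.getKey(element)`, while PermissionMetaData.init lower-cases the canonical resource name; if the key builder uses the raw resource name, two entries differing only in case would not merge here yet would both match during `allows` — worth confirming against the key builder, which is outside this hunk, or normalising the key before the lookup.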
Property changes on:
trunk/client/src/main/java/org/teiid/adminapi/impl/PermissionMap.java
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Modified: trunk/client/src/main/java/org/teiid/adminapi/impl/VDBMetaData.java
===================================================================
--- trunk/client/src/main/java/org/teiid/adminapi/impl/VDBMetaData.java 2010-03-18
18:26:59 UTC (rev 1974)
+++ trunk/client/src/main/java/org/teiid/adminapi/impl/VDBMetaData.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -39,7 +39,7 @@
import org.jboss.managed.api.annotation.ManagementObjectID;
import org.jboss.managed.api.annotation.ManagementProperties;
import org.jboss.managed.api.annotation.ManagementProperty;
-import org.teiid.adminapi.DataRole;
+import org.teiid.adminapi.DataPolicy;
import org.teiid.adminapi.Model;
import org.teiid.adminapi.VDB;
import org.teiid.adminapi.impl.ModelMetaData.ValidationError;
@@ -51,7 +51,7 @@
"description",
"JAXBProperties",
"models",
- "roles"
+ "dataPolicies"
})
@XmlRootElement(name = "vdb")
public class VDBMetaData extends AdminObjectImpl implements VDB {
@@ -71,10 +71,10 @@
}
});
- @XmlElement(name = "role", required = true, type = DataRoleMetadata.class)
- protected ListOverMap<DataRoleMetadata> roles = new
ListOverMap<DataRoleMetadata>(new KeyBuilder<DataRoleMetadata>() {
+ @XmlElement(name = "data-policy", required = true, type =
DataPolicyMetadata.class)
+ protected ListOverMap<DataPolicyMetadata> dataPolicies = new
ListOverMap<DataPolicyMetadata>(new KeyBuilder<DataPolicyMetadata>() {
@Override
- public String getKey(DataRoleMetadata entry) {
+ public String getKey(DataPolicyMetadata entry) {
return entry.getName();
}
});
@@ -251,27 +251,27 @@
}
@Override
- @ManagementProperty(description="Data Roles in a VDB", managed=true)
- public List<DataRole> getDataRoles(){
- return new ArrayList<DataRole>(this.roles.getMap().values());
+ @ManagementProperty(description="Data Policies in a VDB", managed=true)
+ public List<DataPolicy> getDataPolicies(){
+ return new ArrayList<DataPolicy>(this.dataPolicies.getMap().values());
}
/**
* This method is required by the Management framework to write the mappings.
- * @param roles
+ * @param policies
*/
- public void setDataRoles(List<DataRole> roles){
- this.roles.getMap().clear();
- for (DataRole role:roles) {
- this.roles.getMap().put(role.getName(), (DataRoleMetadata)role);
+ public void setDataPolicies(List<DataPolicy> policies){
+ this.dataPolicies.getMap().clear();
+ for (DataPolicy policy:policies) {
+ this.dataPolicies.getMap().put(policy.getName(), (DataPolicyMetadata)policy);
}
}
- public void addDataRole(DataRoleMetadata role){
- this.roles.getMap().put(role.getName(), role);
+ public void addDataPolicy(DataPolicyMetadata policy){
+ this.dataPolicies.getMap().put(policy.getName(), policy);
}
- public DataRoleMetadata getDataRole(String roleName) {
- return this.roles.getMap().get(roleName);
+ public DataPolicyMetadata getDataPolicy(String policyName) {
+ return this.dataPolicies.getMap().get(policyName);
}
}
Modified: trunk/client/src/main/resources/vdb-deployer.xsd
===================================================================
--- trunk/client/src/main/resources/vdb-deployer.xsd 2010-03-18 18:26:59 UTC (rev 1974)
+++ trunk/client/src/main/resources/vdb-deployer.xsd 2010-03-19 00:20:58 UTC (rev 1975)
@@ -49,7 +49,7 @@
<xs:attribute name="path"
type="xs:string"/>
</xs:complexType>
</xs:element>
- <xs:element name="role" minOccurs="0"
maxOccurs="unbounded">
+ <xs:element name="data-policy" minOccurs="0"
maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="description" type="xs:string"
minOccurs="0"/>
Added: trunk/client/src/test/java/org/teiid/adminapi/impl/TestDataPolicyMetaData.java
===================================================================
--- trunk/client/src/test/java/org/teiid/adminapi/impl/TestDataPolicyMetaData.java
(rev 0)
+++
trunk/client/src/test/java/org/teiid/adminapi/impl/TestDataPolicyMetaData.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -0,0 +1,83 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * See the COPYRIGHT.txt file distributed with this work for information
+ * regarding copyright ownership. Some portions may be licensed
+ * to Red Hat, Inc. under one or more contributor license agreements.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301 USA.
+ */
+package org.teiid.adminapi.impl;
+
+import java.util.Arrays;
+
+import org.junit.Test;
+import org.teiid.adminapi.DataPolicy.PermissionType;
+import org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData;
+import static junit.framework.Assert.*;
+
+public class TestDataPolicyMetaData {
+
+ @Test
+ public void testAllowed() {
+ DataPolicyMetadata policy = new DataPolicyMetadata();
+ policy.setName("readOnly"); //$NON-NLS-1$
+ policy.setDescription("Only has read only permissions"); //$NON-NLS-1$
+ policy.setMappedRoleNames(Arrays.asList("jack", "susan"));
//$NON-NLS-1$ //$NON-NLS-2$
+
+
+ PermissionMetaData perm1 = new PermissionMetaData();
+ perm1.setResourceName("schema.catalog.Table1"); //$NON-NLS-1$
+ perm1.setAllowRead(true);
+
+ PermissionMetaData perm2 = new PermissionMetaData();
+ perm2.setResourceName("schema.catalog.Table2"); //$NON-NLS-1$
+ perm2.setAllowRead(false);
+
+ PermissionMetaData perm3 = new PermissionMetaData();
+ perm3.setResourceName("schema.catalog.Table3.*"); //$NON-NLS-1$
+ perm3.setAllowRead(true);
+
+ PermissionMetaData perm4 = new PermissionMetaData();
+ perm4.setResourceName("schema.catalog.Table4*"); //$NON-NLS-1$
+ perm4.setAllowRead(true);
+
+ PermissionMetaData perm5 = new PermissionMetaData();
+ perm5.setResourceName("schema.catalog.Table5.column1"); //$NON-NLS-1$
+ perm5.setAllowRead(true);
+
+ policy.addPermission(perm1, perm2, perm3, perm4, perm5);
+
+
+ assertTrue(policy.allows("schema.catalog.Table1", PermissionType.READ));
//$NON-NLS-1$
+ assertFalse(policy.allows("schema.catalog.Table1", PermissionType.CREATE));
//$NON-NLS-1$
+
+ assertFalse(policy.allows("schema.catalog", PermissionType.READ));
//$NON-NLS-1$
+
+ assertFalse(policy.allows("schema.catalog.Table2.column",
PermissionType.READ)); //$NON-NLS-1$
+ assertFalse(policy.allows("schema.catalog.Table2", PermissionType.READ));
//$NON-NLS-1$
+
+ assertTrue(policy.allows("schema.catalog.Table3.column",
PermissionType.READ)); //$NON-NLS-1$
+ assertTrue(policy.allows("schema.catalog.Table3", PermissionType.READ));
//$NON-NLS-1$
+
+ assertTrue(policy.allows("schema.catalog.Table4.column",
PermissionType.READ)); //$NON-NLS-1$
+ assertTrue(policy.allows("schema.catalog.Table4", PermissionType.READ));
//$NON-NLS-1$
+ assertFalse(policy.allows("schema.catalog.Table4", PermissionType.DELETE));
//$NON-NLS-1$
+
+ assertTrue(policy.allows("schema.catalog.Table5.column1",
PermissionType.READ)); //$NON-NLS-1$
+ assertFalse(policy.allows("schema.catalog.Table5.column2",
PermissionType.READ)); //$NON-NLS-1$
+ assertFalse(policy.allows("schema.catalog.Table5", PermissionType.READ));
//$NON-NLS-1$
+ }
+}
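Review bot: The test never pins the default-deny case — a resource with no matching permission at all — nor the case-insensitive matching that PermissionMetaData.init sets up by lower-casing the canonical name; both are the security-relevant edges of `allows`. Add e.g. `assertFalse(policy.allows("schema.catalog.Table6", PermissionType.READ)); //$NON-NLS-1$` and `assertTrue(policy.allows("SCHEMA.CATALOG.TABLE1", PermissionType.READ)); //$NON-NLS-1$` (the second assumes the checked name is normalised the same way, which is outside this hunk, so adjust the expectation if it is not). Minor: `junit.framework.Assert` is the JUnit 3 class; with `org.junit.Test` the matching import is `import static org.junit.Assert.*;`.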
Property changes on:
trunk/client/src/test/java/org/teiid/adminapi/impl/TestDataPolicyMetaData.java
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Modified: trunk/client/src/test/java/org/teiid/adminapi/impl/TestVDBMetaData.java
===================================================================
--- trunk/client/src/test/java/org/teiid/adminapi/impl/TestVDBMetaData.java 2010-03-18
18:26:59 UTC (rev 1974)
+++ trunk/client/src/test/java/org/teiid/adminapi/impl/TestVDBMetaData.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -36,9 +36,9 @@
import javax.xml.validation.SchemaFactory;
import org.junit.Test;
-import org.teiid.adminapi.DataRole;
+import org.teiid.adminapi.DataPolicy;
import org.teiid.adminapi.Model;
-import org.teiid.adminapi.impl.DataRoleMetadata.PermissionMetaData;
+import org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData;
public class TestVDBMetaData {
@@ -72,7 +72,7 @@
vdb.addModel(modelTwo);
- DataRoleMetadata roleOne = new DataRoleMetadata();
+ DataPolicyMetadata roleOne = new DataPolicyMetadata();
roleOne.setName("roleOne"); //$NON-NLS-1$
roleOne.setDescription("roleOne described"); //$NON-NLS-1$
@@ -89,7 +89,7 @@
roleOne.setMappedRoleNames(Arrays.asList("ROLE1", "ROLE2"));
//$NON-NLS-1$ //$NON-NLS-2$
- vdb.addDataRole(roleOne);
+ vdb.addDataPolicy(roleOne);
SchemaFactory schemaFactory =
SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
@@ -136,24 +136,28 @@
assertTrue(vdb.getValidityErrors().contains("There is an error in VDB"));
//$NON-NLS-1$
- List<DataRole> roles = vdb.getDataRoles();
+ List<DataPolicy> roles = vdb.getDataPolicies();
assertTrue(roles.size() == 1);
- DataRoleMetadata role = vdb.getDataRole("roleOne"); //$NON-NLS-1$
+ DataPolicyMetadata role = vdb.getDataPolicy("roleOne"); //$NON-NLS-1$
assertEquals("roleOne described", role.getDescription()); //$NON-NLS-1$
assertNotNull(role.getMappedRoleNames());
assertTrue(role.getMappedRoleNames().contains("ROLE1")); //$NON-NLS-1$
assertTrue(role.getMappedRoleNames().contains("ROLE2")); //$NON-NLS-1$
- assertEquals(2, role.getPermissions().size());
- PermissionMetaData p1 = role.getPermission("myTable.T1"); //$NON-NLS-1$
+ List<DataPolicy.DataPermission> permissions = role.getPermissions();
+ assertEquals(2, permissions.size());
- assertTrue(p1.isAllowRead());
- assertFalse(p1.isAllowDelete());
-
- PermissionMetaData p2 = role.getPermission("myTable.T2"); //$NON-NLS-1$
- assertFalse(p2.isAllowRead());
- assertTrue(p2.isAllowDelete());
+ for (DataPolicy.DataPermission p: permissions) {
+ if (p.getResourceName().equalsIgnoreCase("myTable.T1")) { //$NON-NLS-1$
+ assertTrue(p.isAllowRead());
+ assertFalse(p.isAllowDelete());
+ }
+ else {
+ assertFalse(p.isAllowRead());
+ assertTrue(p.isAllowDelete());
+ }
+ }
}
}
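Review bot: In the replacement loop the `else` branch asserts T2's expectations for any permission that is not `myTable.T1`, so it no longer checks that the second permission is actually `myTable.T2`; a misnamed permission would still pass. Add `assertTrue(p.getResourceName().equalsIgnoreCase("myTable.T2")); //$NON-NLS-1$` as the first line of the `else` branch, or branch on the name explicitly. The enclosing test method starts outside the hunk.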
Deleted:
trunk/engine/src/main/java/com/metamatrix/api/exception/security/AuthorizationException.java
===================================================================
---
trunk/engine/src/main/java/com/metamatrix/api/exception/security/AuthorizationException.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/engine/src/main/java/com/metamatrix/api/exception/security/AuthorizationException.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -1,81 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-
-package com.metamatrix.api.exception.security;
-
-import com.metamatrix.admin.api.exception.security.MetaMatrixSecurityException;
-
-public class AuthorizationException extends MetaMatrixSecurityException {
- /**
- * No-Arg Constructor
- */
- public AuthorizationException( ) {
- super( );
- }
- /**
- * Constructs an instance of the exception with the specified detail message. A
detail
- * message is a String that describes this particular exception.
- * @param the detail message
- */
- public AuthorizationException(String message) {
- super(message);
- }
- /**
- * Constructs an instance of the exception with no detail message but with a
- * single exception.
- * @param e the exception that is encapsulated by this exception
- */
- public AuthorizationException(Throwable e) {
- super(e);
- }
- /**
- * Constructs an instance of the exception with the specified detail message
- * and a single exception. A detail message is a String that describes this
- * particular exception.
- * @param message the detail message
- * @param e the exception that is encapsulated by this exception
- */
- public AuthorizationException( Throwable e, String message ) {
- super(e, message);
- }
- /**
- * Construct an instance with an error code and message specified.
- *
- * @param message The error message
- * @param code The error code
- */
- public AuthorizationException( String code, String message ) {
- super( code, message );
- }
- /**
- * Construct an instance with a linked exception, and an error code and
- * message, specified.
- *
- * @param e An exception to chain to this exception
- * @param message The error message
- * @param code The error code
- */
- public AuthorizationException( Throwable e, String code, String message ) {
- super(e, code, message );
- }
-}
-
Deleted:
trunk/engine/src/main/java/com/metamatrix/api/exception/security/AuthorizationMgmtException.java
===================================================================
---
trunk/engine/src/main/java/com/metamatrix/api/exception/security/AuthorizationMgmtException.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/engine/src/main/java/com/metamatrix/api/exception/security/AuthorizationMgmtException.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -1,87 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-
-package com.metamatrix.api.exception.security;
-
-public class AuthorizationMgmtException extends AuthorizationException {
-
- /**
- * No-Arg Constructor
- */
- public AuthorizationMgmtException( ) {
- super( );
- }
- /**
- * Constructs an instance of the exception with the specified detail
- * message. A detail message is a String that describes this particular
- * exception.
- * @param the detail message
- */
- public AuthorizationMgmtException(String message) {
- super(message);
- }
-
- /**
- * Constructs an instance of the exception with no detail message but with a
- * single exception.
- * @param e the exception that is encapsulated by this exception
- */
- public AuthorizationMgmtException(Throwable e) {
- super(e);
- }
-
- /**
- * Constructs an instance of the exception with the specified detail message
- * and a single exception. A detail message is a String that describes this
- * particular exception.
- * @param e the exception that is encapsulated by this exception
- * @param message the detail message
- */
- public AuthorizationMgmtException(Throwable e, String message) {
- super(e,message);
- }
-
- /**
- * Construct an instance with an error code and message specified.
- *
- * @param message The error message
- * @param code The error code
- */
- public AuthorizationMgmtException( String code, String message ) {
- super( code, message );
- }
-
- /**
- * Construct an instance with a linked exception, and an error code and
- * message, specified.
- *
- * @param e An exception to chain to this exception
- * @param message The error message
- * @param code The error code
- */
- public AuthorizationMgmtException( Throwable e, String code, String message ) {
- super( e, code, message );
- }
-
-}
-
-
Deleted: trunk/engine/src/main/java/com/metamatrix/dqp/service/AuthorizationService.java
===================================================================
---
trunk/engine/src/main/java/com/metamatrix/dqp/service/AuthorizationService.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/engine/src/main/java/com/metamatrix/dqp/service/AuthorizationService.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -1,94 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-
-package com.metamatrix.dqp.service;
-
-import java.util.Collection;
-
-import org.teiid.security.roles.AuthorizationPolicy;
-import org.teiid.security.roles.AuthorizationRealm;
-
-import com.metamatrix.api.exception.MetaMatrixComponentException;
-import com.metamatrix.api.exception.security.AuthorizationException;
-import com.metamatrix.api.exception.security.AuthorizationMgmtException;
-import com.metamatrix.query.eval.SecurityFunctionEvaluator;
-
-/**
- * This service provides a means to check whether a connection is authorized to access
- * various data resources.
- */
-public interface AuthorizationService extends SecurityFunctionEvaluator {
-
- public static final int ACTION_READ = 0;
- public static final int ACTION_CREATE = 1;
- public static final int ACTION_UPDATE = 2;
- public static final int ACTION_DELETE = 3;
-
- public enum Context {
- QUERY,
- INSERT,
- UPDATE,
- DELETE,
- STORED_PROCEDURE;
- }
-
- public static final String ENTITELEMENTS_ENABLED =
"auth.check_entitlements"; //$NON-NLS-1$
- public static final String ADMIN_ROLES_FILE = "auth.adminRolesFile";
//$NON-NLS-1$
-
- /**
- * Determine which of a set of resources a connection does not have permission to
- * perform the specified action.
- * @param action Action connection wishes to perform
- * @param resources Resources the connection wishes to perform the action on,
Collection of String
- * @param context Auditing context
- * @return Collection Subset of resources
- * @throws MetaMatrixComponentException If an error occurs in the service while
checking resources
- */
- Collection getInaccessibleResources(int action, Collection resources, Context
context) throws MetaMatrixComponentException;
-
- /**
- * Determine whether entitlements checking is enabled on the server.
- * @return <code>true</code> iff server-side entitlements checking is
enabled.
- */
- boolean checkingEntitlements();
-
- boolean isCallerInRole(String roleName ) throws AuthorizationMgmtException;
-
- /**
- * Returns a <code>Collection</code> of
<code>AuthorizationPolicy</code>s
- * that have <code>AuthorizationPermission</code>s in the given
<code>AuthorizationRealm</code>.<br>
- * <strong>NOTE:</strong> It is the responsibility of the caller to
determine
- * which of the <code>AuthorizationPolicy</code>'s
<code>AuthorizationPermission</code>s
- * are actually in the given <code>AuthorizationRealm</code>. The
<code>AuthorizationPolicy</code>
- * may span <code>AuthorizationRealm</code>s.
- * @param caller The session token of the principal that is attempting to retrieve
the policies.
- * @param realm The realm in which to search for
<code>AuthorizationPermission</code>s.
- * @return The collection of <code>AuthorizationPolicy</code>s that have
permissions
- * in the given realm - possibly empty but never null.
- * @throws AuthorizationException if administrator does not have the authority to
perform the action.
- * @throws AuthorizationMgmtException if an error occurs in the Authorization store.
- */
- Collection<AuthorizationPolicy> getPoliciesInRealm(AuthorizationRealm realm)
- throws AuthorizationException, AuthorizationMgmtException;
-
- void updatePoliciesInRealm(AuthorizationRealm realm,
Collection<AuthorizationPolicy> policies) throws AuthorizationMgmtException;
-}
Modified: trunk/engine/src/main/java/com/metamatrix/dqp/service/SessionService.java
===================================================================
--- trunk/engine/src/main/java/com/metamatrix/dqp/service/SessionService.java 2010-03-18
18:26:59 UTC (rev 1974)
+++ trunk/engine/src/main/java/com/metamatrix/dqp/service/SessionService.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -32,7 +32,6 @@
import org.teiid.security.Credentials;
import com.metamatrix.admin.api.exception.security.InvalidSessionException;
-import com.metamatrix.api.exception.security.AuthorizationException;
import com.metamatrix.api.exception.security.SessionServiceException;
/**
@@ -90,7 +89,6 @@
* @param adminSessionID The session id identifying session of administrator
* @throws InvalidSessionException If terminatedSessionID identifies an invalid
* session
- * @throws AuthorizationException if the caller denoted by
<code>adminSessionID</code>
* does not have authority to terminate the
<code>terminatedSessionID</code> session
* @throws SessionServiceException
*/
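Review bot: Removing the `@throws AuthorizationException` line leaves its two continuation lines (`does not have authority to terminate the <code>terminatedSessionID</code> session`) dangling, so they now read as the tail of the `@throws InvalidSessionException` description. Either delete those two lines as well or, if an authorization failure still surfaces through another exception, re-document it under that type. The method declaration this Javadoc belongs to is outside the hunk, so I could not confirm which applies.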
Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java
===================================================================
---
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPConfiguration.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -38,7 +38,7 @@
public static final int DEFAULT_MAX_PROCESS_WORKERS = 16;
- private String processName = "localhost";
+ private String processName = "localhost"; //$NON-NLS-1$
private int maxThreads = DEFAULT_MAX_PROCESS_WORKERS;
private int timeSliceInMilli = DEFAULT_PROCESSOR_TIMESLICE;
private boolean processDebugAllowed;
@@ -50,6 +50,7 @@
private int codeTablesMaxRows = DEFAULT_MAX_CODE_RECORDS;
private boolean resultSetCacheEnabled = true;
private int maxResultSetCacheEntries =
DQPConfiguration.DEFAULT_MAX_RESULTSET_CACHE_ENTRIES;
+ private boolean useEntitlements = false;
@ManagementProperty (description="Name of the process that uniquely identifies this
process")
public String getProcessName() {
@@ -158,4 +159,17 @@
public void setResultSetCacheEnabled(boolean value) {
this.resultSetCacheEnabled = value;
}
+
+ /**
+ * Determine whether entitlements checking is enabled on the server.
+ * @return <code>true</code> if server-side entitlements checking is
enabled.
+ */
+ @ManagementProperty(description="Turn on checking the entitlements on resources
based on the roles defined in VDB")
+ public boolean useEntitlements() {
+ return useEntitlements;
+ }
+
+ public void setUseEntitlements(Boolean useEntitlements) {
+ this.useEntitlements = useEntitlements.booleanValue();
+ }
}
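Review bot: `setUseEntitlements(Boolean useEntitlements)` unboxes its argument with `booleanValue()`, so a null injected by the container becomes a NullPointerException instead of falling back to the field's default; a primitive parameter, `public void setUseEntitlements(boolean useEntitlements) { this.useEntitlements = useEntitlements; }`, avoids the unboxing and matches the field and getter types. The field defaults to `false`, which makes VDB data-role enforcement opt-in, and the getter's Javadoc should say so, e.g. `* Disabled by default; when false, the data roles defined in the VDB are not enforced.`. The getter is named `useEntitlements()` rather than `isUseEntitlements()`, which may matter if `@ManagementProperty` is discovered through bean-property introspection; worth confirming against the other properties in this class.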
Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java 2010-03-18
18:26:59 UTC (rev 1974)
+++ trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPCore.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -70,7 +70,6 @@
import com.metamatrix.dqp.message.RequestID;
import com.metamatrix.dqp.message.RequestMessage;
import com.metamatrix.dqp.message.ResultsMessage;
-import com.metamatrix.dqp.service.AuthorizationService;
import com.metamatrix.dqp.service.BufferService;
import com.metamatrix.dqp.service.TransactionContext;
import com.metamatrix.dqp.service.TransactionService;
@@ -176,7 +175,6 @@
private SessionAwareCache<PreparedPlan> prepPlanCache;
private SessionAwareCache<CachedResults> rsCache;
private TransactionService transactionService;
- private AuthorizationService authorizationService;
private BufferService bufferService;
private ConnectorManagerRepository connectorManagerRepository;
@@ -189,7 +187,7 @@
private Map<RequestID, RequestWorkItem> requests = new
ConcurrentHashMap<RequestID, RequestWorkItem>();
private Map<String, ClientState> clientState = Collections.synchronizedMap(new
HashMap<String, ClientState>());
private DQPContextCache contextCache;
-
+ private boolean useEntitlements = false;
/**
* perform a full shutdown and wait for 10 seconds for all threads to finish
*/
@@ -288,9 +286,9 @@
}
ClientState state = this.getClientState(workContext.getConnectionID(), true);
request.initialize(requestMsg, bufferManager,
- dataTierMgr, transactionService, authorizationService, processorDebugAllowed,
+ dataTierMgr, transactionService, processorDebugAllowed,
state.tempTableStoreImpl, workContext,
- chunkSize, connectorManagerRepository);
+ chunkSize, connectorManagerRepository, this.useEntitlements);
ResultsFuture<ResultsMessage> resultsFuture = new
ResultsFuture<ResultsMessage>();
RequestWorkItem workItem = new RequestWorkItem(this, requestMsg, request,
resultsFuture.getResultsReceiver(), requestID, workContext);
@@ -622,6 +620,7 @@
this.maxCodeTableRecords = config.getCodeTablesMaxRowsPerTable();
this.maxCodeTables = config.getCodeTablesMaxCount();
this.maxCodeRecords = config.getCodeTablesMaxRows();
+ this.useEntitlements = config.useEntitlements();
this.chunkSize = config.getLobChunkSizeInKB() * 1024;
@@ -656,10 +655,6 @@
setContextCache(service.getContextCache());
}
- public void setAuthorizationService(AuthorizationService service) {
- this.authorizationService = service;
- }
-
public void setContextCache(DQPContextCache cache) {
this.contextCache = cache;
}
@@ -805,8 +800,4 @@
public ConnectorManagerRepository getConnectorManagerRepository() {
return this.connectorManagerRepository;
}
-
- public AuthorizationService getAuthorizationService() {
- return this.authorizationService;
- }
}
\ No newline at end of file
Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java
===================================================================
---
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -23,10 +23,19 @@
package org.teiid.dqp.internal.process;
import java.io.Serializable;
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
+import org.teiid.adminapi.DataPolicy;
import org.teiid.adminapi.impl.SessionMetadata;
import org.teiid.adminapi.impl.VDBMetaData;
import org.teiid.security.SecurityHelper;
@@ -60,6 +69,7 @@
private String clientAddress;
private String clientHostname;
private SecurityHelper securityHelper;
+ private HashMap<String, DataPolicy> policies;
public DQPWorkContext() {
}
@@ -189,4 +199,52 @@
}
}
+ public HashMap<String, DataPolicy> getAllowedDataPolicies() {
+ if (this.policies == null) {
+ this.policies = new HashMap<String, DataPolicy>();
+ Set<String> userRoles = getUserRoles();
+ if (userRoles.isEmpty()) {
+ return this.policies;
+ }
+
+ // get data roles from the VDB
+ List<DataPolicy> policies = getVDB().getDataPolicies();
+
+ for (DataPolicy policy : policies) {
+ if (matchesPrincipal(userRoles, policy)) {
+ this.policies.put(policy.getName(), policy);
+ }
+ }
+ }
+ return this.policies;
+ }
+
+ private boolean matchesPrincipal(Set<String> userRoles, DataPolicy policy) {
+ List<String> roles = policy.getMappedRoleNames();
+ for (String role:roles) {
+ return userRoles.contains(role);
+ }
+ return false;
+ }
+
+ private Set<String> getUserRoles() {
+ Set<String> roles = new HashSet<String>();
+
+ if (getSubject() == null) {
+ return Collections.EMPTY_SET;
+ }
+
+ Set<Principal> principals = getSubject().getPrincipals();
+ for(Principal p: principals) {
+ // this JBoss specific, but no code level dependencies
+ if ((p instanceof Group) && p.getName().equals("Roles")){
//$NON-NLS-1$
+ Group g = (Group)p;
+ Enumeration rolesPrinciples = g.members();
+ while(rolesPrinciples.hasMoreElements()) {
+ roles.add(((Principal)rolesPrinciples.nextElement()).getName());
+ }
+ }
+ }
+ return roles;
+ }
}
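Review bot: `matchesPrincipal` returns from inside the loop on the first mapped role, so a policy mapped to several roles only matches users who hold the first entry of `getMappedRoleNames()`; a user whose role appears later in the list is silently denied that policy. The loop body should be `if (userRoles.contains(role)) { return true; }`, keeping the existing `return false;` after the loop. In `getAllowedDataPolicies` the local `policies` shadows the field `this.policies` that is being filled; renaming the local (e.g. `vdbPolicies`) would make the caching logic read correctly. The method hands out the cache map itself, so callers can mutate the per-context policy set; a comment such as `// returned map is the cached instance; callers must not modify it` would at least make that contract explicit.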
Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/Request.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/dqp/internal/process/Request.java 2010-03-18
18:26:59 UTC (rev 1974)
+++ trunk/engine/src/main/java/org/teiid/dqp/internal/process/Request.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -54,11 +54,11 @@
import com.metamatrix.dqp.message.RequestID;
import com.metamatrix.dqp.message.RequestMessage;
import com.metamatrix.dqp.message.RequestMessage.ResultsMode;
-import com.metamatrix.dqp.service.AuthorizationService;
import com.metamatrix.dqp.service.TransactionContext;
import com.metamatrix.dqp.service.TransactionService;
import com.metamatrix.dqp.service.TransactionContext.Scope;
import com.metamatrix.query.analysis.AnalysisRecord;
+import com.metamatrix.query.eval.SecurityFunctionEvaluator;
import com.metamatrix.query.metadata.QueryMetadataInterface;
import com.metamatrix.query.metadata.TempMetadataAdapter;
import com.metamatrix.query.metadata.TempMetadataStore;
@@ -109,7 +109,6 @@
private BufferManager bufferManager;
private ProcessorDataManager processorDataManager;
private TransactionService transactionService;
- private AuthorizationService authService;
private TempTableStore tempTableStore;
protected IDGenerator idGenerator = new IDGenerator();
private boolean procDebugAllowed = false;
@@ -135,17 +134,18 @@
protected Command userCommand;
protected boolean returnsUpdateCount;
+ protected boolean useEntitlements;
void initialize(RequestMessage requestMsg,
BufferManager bufferManager,
ProcessorDataManager processorDataManager,
TransactionService transactionService,
- AuthorizationService authService,
boolean procDebugAllowed,
TempTableStore tempTableStore,
DQPWorkContext workContext,
int chunckSize,
- ConnectorManagerRepository repo) {
+ ConnectorManagerRepository repo,
+ boolean useEntitlements) {
this.requestMsg = requestMsg;
this.vdbName = workContext.getVdbName();
@@ -153,7 +153,6 @@
this.bufferManager = bufferManager;
this.processorDataManager = processorDataManager;
this.transactionService = transactionService;
- this.authService = authService;
this.procDebugAllowed = procDebugAllowed;
this.tempTableStore = tempTableStore;
idGenerator.setDefaultFactory(new IntegerIDFactory());
@@ -161,6 +160,7 @@
this.requestId = workContext.getRequestID(this.requestMsg.getExecutionId());
this.chunkSize = chunckSize;
this.connectorManagerRepo = repo;
+ this.useEntitlements = useEntitlements;
}
void setMetadata(CapabilitiesFinder capabilitiesFinder, QueryMetadataInterface metadata,
Set multiSourceModels) {
@@ -253,7 +253,18 @@
context.setPlanToProcessConverter(modifier);
}
- context.setSecurityFunctionEvaluator(this.authService);
+ context.setSecurityFunctionEvaluator(new SecurityFunctionEvaluator() {
+ @Override
+ public boolean hasRole(String roleType, String roleName) throws
MetaMatrixComponentException {
+ if (isEntitled() || !useEntitlements) {
+ return true;
+ }
+ if (!DATA_ROLE.equalsIgnoreCase(roleType)) {
+ return false;
+ }
+ return workContext.getAllowedDataPolicies().containsKey(roleName);
+ }
+ });
context.setTempTableStore(tempTableStore);
context.setQueryProcessorFactory(this);
context.setMetadata(this.metadata);
@@ -553,7 +564,15 @@
}
protected void validateAccess(Command command) throws QueryValidatorException,
MetaMatrixComponentException {
- AuthorizationValidationVisitor visitor = new
AuthorizationValidationVisitor(this.authService, this.workContext.getVDB());
+ AuthorizationValidationVisitor visitor = new
AuthorizationValidationVisitor(this.workContext.getVDB(), !isEntitled() &&
this.useEntitlements, this.workContext.getAllowedDataPolicies(),
this.workContext.getUserName());
validateWithVisitor(visitor, this.metadata, command);
}
+
+ protected boolean isEntitled(){
+ if (this.workContext.getSubject() == null) {
+
LogManager.logDetail(com.metamatrix.common.log.LogConstants.CTX_AUTHORIZATION,new
Object[]{ "Automatically entitling principal", this.workContext.getUserName()});
//$NON-NLS-1$
+ return true;
+ }
+ return false;
+ }
}
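Review bot: `isEntitled()` treats a missing Subject as full entitlement, so with `useEntitlements` enabled any request whose work context carries no Subject skips both the data-role checks in `validateAccess` and the `hasRole` evaluator in the hunk above; whether a null Subject can reach this point for a real session depends on the security-helper code outside this diff, but it is a fail-open default that deserves explicit documentation. Suggested Javadoc on `isEntitled`: `/** True when the work context has no Subject; such requests bypass all data-role checks (fail-open), so the session layer must always attach a Subject when entitlements are enabled. */`. The bypass is only logged at detail level under CTX_AUTHORIZATION; recording it through the audit logging this commit adds to `getInaccessibleResources` would make it visible to operators.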
Modified:
trunk/engine/src/main/java/org/teiid/dqp/internal/process/validator/AuthorizationValidationVisitor.java
===================================================================
---
trunk/engine/src/main/java/org/teiid/dqp/internal/process/validator/AuthorizationValidationVisitor.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/engine/src/main/java/org/teiid/dqp/internal/process/validator/AuthorizationValidationVisitor.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -24,24 +24,29 @@
import java.util.ArrayList;
import java.util.Collection;
+import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
+import java.util.Set;
+import org.teiid.adminapi.DataPolicy;
+import org.teiid.adminapi.impl.DataPolicyMetadata;
import org.teiid.adminapi.impl.ModelMetaData;
import org.teiid.adminapi.impl.VDBMetaData;
import org.teiid.dqp.internal.process.DQPWorkContext;
import org.teiid.dqp.internal.process.multisource.MultiSourceElement;
+import org.teiid.logging.api.AuditMessage;
import com.metamatrix.api.exception.MetaMatrixComponentException;
import com.metamatrix.api.exception.MetaMatrixProcessingException;
import com.metamatrix.api.exception.query.QueryMetadataException;
+import com.metamatrix.common.log.LogManager;
+import com.metamatrix.core.log.MessageLevel;
import com.metamatrix.dqp.DQPPlugin;
-import com.metamatrix.dqp.service.AuthorizationService;
-import com.metamatrix.dqp.service.AuthorizationService.Context;
import com.metamatrix.query.function.FunctionLibrary;
import com.metamatrix.query.metadata.TempMetadataID;
import com.metamatrix.query.resolver.util.ResolverUtil;
@@ -60,13 +65,25 @@
import com.metamatrix.query.validator.AbstractValidationVisitor;
public class AuthorizationValidationVisitor extends AbstractValidationVisitor {
-
- private AuthorizationService authInterface;
+
+ public enum Context {
+ QUERY,
+ INSERT,
+ UPDATE,
+ DELETE,
+ STORED_PROCEDURE;
+ }
+
private VDBMetaData vdb;
+ private HashMap<String, DataPolicy> allowedPolicies;
+ private String userName;
+ private boolean useEntitlements;
- public AuthorizationValidationVisitor(AuthorizationService authInterface, VDBMetaData
vdb) {
- this.authInterface = authInterface;
+ public AuthorizationValidationVisitor(VDBMetaData vdb, boolean useEntitlements,
HashMap<String, DataPolicy> policies, String user) {
this.vdb = vdb;
+ this.allowedPolicies = policies;
+ this.userName = user;
+ this.useEntitlements = useEntitlements;
}
// ############### Visitor methods for language objects ##################
@@ -84,34 +101,24 @@
}
public void visit(Delete obj) {
- if (this.authInterface != null && this.authInterface.checkingEntitlements())
{
- validateEntitlements(obj);
- }
+ validateEntitlements(obj);
}
public void visit(Insert obj) {
- if (this.authInterface != null && this.authInterface.checkingEntitlements())
{
- validateEntitlements(obj);
- }
+ validateEntitlements(obj);
}
public void visit(Query obj) {
- if (this.authInterface != null && this.authInterface.checkingEntitlements())
{
- validateEntitlements(obj);
- }
+ validateEntitlements(obj);
}
public void visit(Update obj) {
- if (this.authInterface != null && this.authInterface.checkingEntitlements())
{
- validateEntitlements(obj);
- }
+ validateEntitlements(obj);
}
public void visit(StoredProcedure obj) {
this.validateModelVisibility(obj.getModelID(), obj.getGroup());
- if (this.authInterface != null && this.authInterface.checkingEntitlements())
{
- validateEntitlements(obj);
- }
+ validateEntitlements(obj);
}
public void visit(Function obj) {
@@ -119,13 +126,11 @@
try {
ResolverUtil.ResolvedLookup lookup = ResolverUtil.resolveLookup(obj,
this.getMetadata());
validateModelVisibility(getMetadata().getModelID(lookup.getGroup().getMetadataID()),
lookup.getGroup());
- if (this.authInterface != null &&
this.authInterface.checkingEntitlements()) {
- List<Symbol> symbols = new LinkedList<Symbol>();
- symbols.add(lookup.getGroup());
- symbols.add(lookup.getKeyElement());
- symbols.add(lookup.getReturnElement());
- validateEntitlements(symbols, AuthorizationService.ACTION_READ, Context.QUERY);
- }
+ List<Symbol> symbols = new LinkedList<Symbol>();
+ symbols.add(lookup.getGroup());
+ symbols.add(lookup.getKeyElement());
+ symbols.add(lookup.getReturnElement());
+ validateEntitlements(symbols, DataPolicy.PermissionType.READ, Context.QUERY);
} catch (MetaMatrixComponentException e) {
handleException(e, obj);
} catch (MetaMatrixProcessingException e) {
@@ -142,7 +147,7 @@
protected void validateEntitlements(Insert obj) {
validateEntitlements(
obj.getVariables(),
- AuthorizationService.ACTION_CREATE,
+ DataPolicy.PermissionType.CREATE,
Context.INSERT);
}
@@ -154,13 +159,13 @@
if (obj.getCriteria() != null) {
validateEntitlements(
ElementCollectorVisitor.getElements(obj.getCriteria(), true),
- AuthorizationService.ACTION_READ,
+ DataPolicy.PermissionType.READ,
Context.UPDATE);
}
// The variables from the changes must be checked for UPDATE entitlement
// validateEntitlements on all the variables used in the update.
- validateEntitlements(obj.getChangeList().getClauseMap().keySet(),
AuthorizationService.ACTION_UPDATE, Context.UPDATE);
+ validateEntitlements(obj.getChangeList().getClauseMap().keySet(),
DataPolicy.PermissionType.UPDATE, Context.UPDATE);
}
/**
@@ -171,14 +176,14 @@
if (obj.getCriteria() != null) {
validateEntitlements(
ElementCollectorVisitor.getElements(obj.getCriteria(), true),
- AuthorizationService.ACTION_READ,
+ DataPolicy.PermissionType.READ,
Context.DELETE);
}
// Check that all elements of group being deleted have delete permission
HashSet deleteVars = new HashSet();
deleteVars.add(obj.getGroup());
- validateEntitlements(deleteVars, AuthorizationService.ACTION_DELETE,
Context.DELETE);
+ validateEntitlements(deleteVars, DataPolicy.PermissionType.DELETE,
Context.DELETE);
}
/**
@@ -198,7 +203,7 @@
handleException(err, intoGroup);
}
validateEntitlements(intoElements,
- AuthorizationService.ACTION_CREATE,
+ DataPolicy.PermissionType.CREATE,
Context.INSERT);
}
@@ -212,7 +217,7 @@
return;
}
- validateEntitlements(entitledObjects, AuthorizationService.ACTION_READ,
Context.QUERY);
+ validateEntitlements(entitledObjects, DataPolicy.PermissionType.READ,
Context.QUERY);
}
/**
@@ -221,15 +226,15 @@
protected void validateEntitlements(StoredProcedure obj) {
List symbols = new ArrayList(1);
symbols.add(obj.getGroup());
- validateEntitlements(symbols, AuthorizationService.ACTION_READ,
Context.STORED_PROCEDURE);
+ validateEntitlements(symbols, DataPolicy.PermissionType.READ,
Context.STORED_PROCEDURE);
}
- private String getActionLabel(int actionCode) {
+ private String getActionLabel(DataPolicy.PermissionType actionCode) {
switch(actionCode) {
- case AuthorizationService.ACTION_READ: return "Read";
//$NON-NLS-1$
- case AuthorizationService.ACTION_CREATE: return "Create";
//$NON-NLS-1$
- case AuthorizationService.ACTION_UPDATE: return "Update";
//$NON-NLS-1$
- case AuthorizationService.ACTION_DELETE: return "Delete";
//$NON-NLS-1$
+ case READ: return "Read"; //$NON-NLS-1$
+ case CREATE: return "Create"; //$NON-NLS-1$
+ case UPDATE: return "Update"; //$NON-NLS-1$
+ case DELETE: return "Delete"; //$NON-NLS-1$
default: return "UNKNOWN"; //$NON-NLS-1$
}
}
@@ -241,7 +246,7 @@
* @param actionCode The actions to validate for
* @param auditContext The {@link AuthorizationService} to use when resource auditing
is done.
*/
- protected void validateEntitlements(Collection symbols, int actionCode, Context
auditContext) {
+ protected void validateEntitlements(Collection symbols, DataPolicy.PermissionType
actionCode, Context auditContext) {
Map nameToSymbolMap = new HashMap();
Iterator symbolIter = symbols.iterator();
while(symbolIter.hasNext()) {
@@ -271,25 +276,21 @@
}
if (!nameToSymbolMap.isEmpty()) {
- try {
- Collection inaccessibleResources =
this.authInterface.getInaccessibleResources(actionCode, nameToSymbolMap.keySet(),
auditContext);
- if(inaccessibleResources.size() > 0) {
- List inaccessibleSymbols = new
ArrayList(inaccessibleResources.size());
- Iterator nameIter = inaccessibleResources.iterator();
- while(nameIter.hasNext()) {
- String name = (String) nameIter.next();
- inaccessibleSymbols.add(nameToSymbolMap.get(name));
- }
-
- // CASE 2362 - do not include the names of the elements for which the
user
- // is not authorized in the exception message
-
- handleValidationError(
- DQPPlugin.Util.getString("ERR.018.005.0095", new
Object[]{DQPWorkContext.getWorkContext().getConnectionID(), getActionLabel(actionCode)}),
//$NON-NLS-1$
- inaccessibleSymbols);
+ Collection inaccessibleResources = getInaccessibleResources(actionCode,
nameToSymbolMap.keySet(), auditContext);
+ if(inaccessibleResources.size() > 0) {
+ List inaccessibleSymbols = new ArrayList(inaccessibleResources.size());
+ Iterator nameIter = inaccessibleResources.iterator();
+ while(nameIter.hasNext()) {
+ String name = (String) nameIter.next();
+ inaccessibleSymbols.add(nameToSymbolMap.get(name));
}
- } catch(MetaMatrixComponentException e) {
- handleException(e);
+
+ // CASE 2362 - do not include the names of the elements for which the
user
+ // is not authorized in the exception message
+
+ handleValidationError(
+ DQPPlugin.Util.getString("ERR.018.005.0095", new
Object[]{DQPWorkContext.getWorkContext().getConnectionID(), getActionLabel(actionCode)}),
//$NON-NLS-1$
+ inaccessibleSymbols);
}
}
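Review bot: The `@param auditContext` Javadoc kept at the top of this hunk still reads `The {@link AuthorizationService} to use when resource auditing is done`, but `AuthorizationService` is removed from this file's imports in the same commit and the parameter is now the visitor's own `Context` enum, so the link is dangling and the description is wrong; replace it with `* @param auditContext The {@link Context} in which the resources are accessed, used for audit logging.`. Dropping the `try`/`catch(MetaMatrixComponentException)` is consistent with the new `getInaccessibleResources`, which declares no checked exception.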
@@ -310,4 +311,46 @@
}
}
+
+ /**
+ * Out of resources specified, return the subset for which the specified not have
authorization to access.
+ */
+ public Set<String> getInaccessibleResources(DataPolicy.PermissionType action,
Set<String> resources, Context context) {
+
+ LogManager.logDetail(com.metamatrix.common.log.LogConstants.CTX_AUTHORIZATION,
new Object[]{"getInaccessibleResources(", this.userName, ", ",
context, ", ", resources, ")"}); //$NON-NLS-1$ //$NON-NLS-2$
//$NON-NLS-3$ //$NON-NLS-4$
+
+ if (!this.useEntitlements) {
+ return Collections.EMPTY_SET;
+ }
+
+ // Audit - request
+ AuditMessage msg = new AuditMessage(context.name(),
"getInaccessibleResources-request", this.userName, resources.toArray(new
String[resources.size()])); //$NON-NLS-1$
+ LogManager.log(MessageLevel.INFO,
com.metamatrix.common.log.LogConstants.CTX_AUDITLOGGING, msg);
+
+ HashSet<String> results = new HashSet<String>(resources);
+
+ for(DataPolicy p:this.allowedPolicies.values()) {
+ DataPolicyMetadata policy = (DataPolicyMetadata)p;
+
+ if (results.isEmpty()) {
+ break;
+ }
+
+ Iterator<String> i = results.iterator();
+ while (i.hasNext()) {
+ if (policy.allows(i.next(), action)) {
+ i.remove();
+ }
+ }
+ }
+
+ if (results.isEmpty()) {
+ msg = new AuditMessage(context.name(), "getInaccessibleResources-granted
all", this.userName, resources.toArray(new String[resources.size()])); //$NON-NLS-1$
+ LogManager.log(MessageLevel.INFO,
com.metamatrix.common.log.LogConstants.CTX_AUDITLOGGING, msg);
+ } else {
+ msg = new AuditMessage(context.name(),
"getInaccessibleResources-denied", this.userName, resources.toArray(new
String[resources.size()])); //$NON-NLS-1$
+ LogManager.log(MessageLevel.INFO,
com.metamatrix.common.log.LogConstants.CTX_AUDITLOGGING, msg);
+ }
+ return results;
+ }
}
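Review bot: Every value of `allowedPolicies` is cast to `DataPolicyMetadata` to call `allows`, although the map and the constructor are typed with the `DataPolicy` interface; any other `DataPolicy` implementation passed in would fail with a ClassCastException in the middle of an authorization check. Either type the map as `HashMap<String, DataPolicyMetadata>` or expose `allows` on `DataPolicy` (that interface is not in this diff, so which option fits cannot be judged here). The Javadoc is missing a word: `* Out of the resources specified, return the subset the current user does not have authorization to access.`. `Collections.EMPTY_SET` is a raw type; `Collections.emptySet()` yields a typed `Set<String>` without the unchecked warning. When `useEntitlements` is false the method returns before the request audit message is emitted, so no audit entry records that access was granted because enforcement is off; if that is intentional, a one-line comment saying so would help.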
Deleted:
trunk/engine/src/test/java/com/metamatrix/dqp/service/FakeAuthorizationService.java
===================================================================
---
trunk/engine/src/test/java/com/metamatrix/dqp/service/FakeAuthorizationService.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/engine/src/test/java/com/metamatrix/dqp/service/FakeAuthorizationService.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -1,157 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-
-package com.metamatrix.dqp.service;
-
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
-
-import org.teiid.security.roles.AuthorizationPolicy;
-import org.teiid.security.roles.AuthorizationRealm;
-
-import com.metamatrix.api.exception.MetaMatrixComponentException;
-import com.metamatrix.api.exception.security.AuthorizationException;
-import com.metamatrix.api.exception.security.AuthorizationMgmtException;
-
-/**
- */
-public class FakeAuthorizationService implements AuthorizationService {
-
- // Inaccessible resources
- private Set knownResources = new HashSet();
- private boolean defaultAllow;
-
- public FakeAuthorizationService(boolean defaultAllow) {
- this.defaultAllow = defaultAllow;
- }
-
- public void addResource(int action, String resource) {
- knownResources.add(new Resource(action, resource));
- }
-
- @Override
- public Collection getInaccessibleResources(int action,
- Collection resources, Context context)
- throws MetaMatrixComponentException {
- List found = new ArrayList();
-
- if (resources.isEmpty()) {
- throw new MetaMatrixComponentException("expected resources");
//$NON-NLS-1$
- }
-
- Iterator rIter = resources.iterator();
- while(rIter.hasNext()) {
- String resourceName = (String) rIter.next();
-
- Resource key = new Resource(action, resourceName);
-
- boolean foundResource = knownResources.contains(key);
- if (!foundResource && !defaultAllow) {
- found.add(resourceName);
- } else if (foundResource && defaultAllow) {
- found.add(resourceName);
- }
- }
-
- return found;
- }
-
- /**
- * Determine whether entitlements checking is enabled on the server.
- *
- * @return <code>true</code> iff server-side entitlements checking is
enabled.
- */
- public boolean checkingEntitlements() {
- return true;
- }
-
- private static class Resource {
- public int action;
- public String resource;
-
- public Resource(int action, String resource) {
- this.action = action;
- this.resource = resource;
- }
-
- public String toString() {
- return resource;
- }
-
- /**
- * @see java.lang.Object#hashCode()
- */
- public int hashCode() {
- return resource.hashCode() * action;
- }
-
- /**
- * @see java.lang.Object#equals(java.lang.Object)
- */
- public boolean equals(Object obj) {
- if (obj == this) {
- return true;
- }
-
- if (!(obj instanceof Resource)) {
- return false;
- }
-
- Resource other = (Resource)obj;
-
- return other.action == this.action
- && other.resource.equalsIgnoreCase(this.resource);
- }
- }
-
- /**
- * @see com.metamatrix.dqp.service.AuthorizationService#hasRole(java.lang.String,
java.lang.String, java.lang.String)
- */
- public boolean hasRole(String roleType,
- String roleName) throws MetaMatrixComponentException {
- return false;
- }
-
- @Override
- public boolean isCallerInRole(String roleName)
- throws AuthorizationMgmtException {
- return false;
- }
-
- @Override
- public Collection<AuthorizationPolicy> getPoliciesInRealm(
- AuthorizationRealm realm)
- throws AuthorizationException, AuthorizationMgmtException {
- return null;
- }
-
- @Override
- public void updatePoliciesInRealm(AuthorizationRealm realm,
- Collection<AuthorizationPolicy> policies)
- throws AuthorizationMgmtException {
-
- }
-}
Modified:
trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java
===================================================================
---
trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestPreparedStatement.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -251,7 +251,7 @@
ConnectorManagerRepository repo =
Mockito.mock(ConnectorManagerRepository.class);
Mockito.stub(repo.getConnectorManager(Mockito.anyString())).toReturn(new
AutoGenDataService());
- serverRequest.initialize(request,
BufferManagerFactory.getStandaloneBufferManager(), null, new FakeTransactionService(),
null, DEBUG, null, workContext, 101024,repo);
+ serverRequest.initialize(request,
BufferManagerFactory.getStandaloneBufferManager(), null, new FakeTransactionService(),
DEBUG, null, workContext, 101024,repo, false);
serverRequest.setMetadata(capFinder, metadata, null);
serverRequest.processRequest();
Modified: trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java
===================================================================
--- trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java 2010-03-18
18:26:59 UTC (rev 1974)
+++ trunk/engine/src/test/java/org/teiid/dqp/internal/process/TestRequest.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -86,7 +86,7 @@
RequestMessage message = new RequestMessage();
DQPWorkContext workContext = FakeMetadataFactory.buildWorkContext(metadata,
FakeMetadataFactory.example1VDB());
- request.initialize(message, null, null, null,null,false, null, workContext,
101024, repo);
+ request.initialize(message, null, null,null,false, null, workContext, 101024,
repo, false);
request.initMetadata();
request.validateAccess(command);
}
@@ -143,8 +143,8 @@
Mockito.stub(repo.getConnectorManager(Mockito.anyString())).toReturn(new
AutoGenDataService());
request.initialize(message, Mockito.mock(BufferManager.class),
- new FakeDataManager(), null, null, false, null, workContext,
- 101024, repo);
+ new FakeDataManager(), null, false, null, workContext,
+ 101024, repo, false);
request.processRequest();
return request;
Modified:
trunk/engine/src/test/java/org/teiid/dqp/internal/process/validator/TestAuthorizationValidationVisitor.java
===================================================================
---
trunk/engine/src/test/java/org/teiid/dqp/internal/process/validator/TestAuthorizationValidationVisitor.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/engine/src/test/java/org/teiid/dqp/internal/process/validator/TestAuthorizationValidationVisitor.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -23,22 +23,24 @@
package org.teiid.dqp.internal.process.validator;
import java.util.Arrays;
+import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import junit.framework.TestCase;
-import org.mockito.Mockito;
+import org.teiid.adminapi.DataPolicy;
+import org.teiid.adminapi.DataPolicy.PermissionType;
+import org.teiid.adminapi.impl.DataPolicyMetadata;
import org.teiid.adminapi.impl.VDBMetaData;
+import org.teiid.adminapi.impl.DataPolicyMetadata.PermissionMetaData;
import org.teiid.dqp.internal.process.Request;
import com.metamatrix.api.exception.MetaMatrixComponentException;
import com.metamatrix.api.exception.query.QueryParserException;
import com.metamatrix.api.exception.query.QueryResolverException;
import com.metamatrix.api.exception.query.QueryValidatorException;
-import com.metamatrix.dqp.service.AuthorizationService;
-import com.metamatrix.dqp.service.FakeAuthorizationService;
import com.metamatrix.query.metadata.QueryMetadataInterface;
import com.metamatrix.query.parser.QueryParser;
import com.metamatrix.query.resolver.QueryResolver;
@@ -60,71 +62,108 @@
public TestAuthorizationValidationVisitor(String name) {
super(name);
}
+
+ PermissionMetaData addResource(PermissionType type, boolean flag, String resource) {
+ PermissionMetaData p = new PermissionMetaData();
+ p.setResourceName(resource);
+ switch(type) {
+ case CREATE:
+ p.setAllowCreate(flag);
+ break;
+ case DELETE:
+ p.setAllowDelete(flag);
+ break;
+ case READ:
+ p.setAllowRead(flag);
+ break;
+ case UPDATE:
+ p.setAllowUpdate(flag);
+ break;
+ }
+ return p;
+ }
+ PermissionMetaData addResource(PermissionType type, String resource) {
+ return addResource(type, true, resource);
+ }
- private AuthorizationService exampleAuthSvc1() {
- FakeAuthorizationService svc = new FakeAuthorizationService(false);
+ private DataPolicyMetadata exampleAuthSvc1() {
+ DataPolicyMetadata svc = new DataPolicyMetadata();
+ svc.setName("test"); //$NON-NLS-1$
// pm1.g1
- svc.addResource(AuthorizationService.ACTION_DELETE, "pm1.g1");
//$NON-NLS-1$
+ svc.addPermission(addResource(PermissionType.DELETE, "pm1.g1"));
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_READ, "pm1.g1");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_READ, "pm1.g1.e1");
//$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.READ,
"pm1.g1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.READ,
"pm1.g1.e1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.READ, false,
"pm1.g1.e2")); //$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm1.g1");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm1.g1.e1");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm1.g1.e2");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm1.g1.e3");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm1.g1.e4");
//$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g1.e1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g1.e2")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g1.e3")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g1.e4")); //$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_UPDATE, "pm1.g1");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_UPDATE, "pm1.g1.e2");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_UPDATE, "pm1.g1.e3");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_UPDATE, "pm1.g1.e4");
//$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE,
"pm1.g1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE, false,
"pm1.g1.e1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE,
"pm1.g1.e2")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE,
"pm1.g1.e3")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE,
"pm1.g1.e4")); //$NON-NLS-1$
+
// pm1.g2
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm1.g2");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm1.g2.e2");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm1.g2.e3");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm1.g2.e4");
//$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g2")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE, false,
"pm1.g2.e1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g2.e2")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g2.e3")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g2.e4")); //$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_UPDATE, "pm1.g2");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_UPDATE, "pm1.g2.e2");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_UPDATE, "pm1.g2.e3");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_UPDATE, "pm1.g2.e4");
//$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE,
"pm1.g2")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE, false,
"pm1.g2.e1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE,
"pm1.g2.e2")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE,
"pm1.g2.e3")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.UPDATE,
"pm1.g2.e4")); //$NON-NLS-1$
// pm1.g4
- svc.addResource(AuthorizationService.ACTION_DELETE, "pm1.g4");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_DELETE, "pm1.g4.e1");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_DELETE, "pm1.g4.e2");
//$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.DELETE,
"pm1.g4")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.DELETE,
"pm1.g4.e1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.DELETE,
"pm1.g4.e2")); //$NON-NLS-1$
// pm1.sq2
- svc.addResource(AuthorizationService.ACTION_READ, "pm1.sq1");
//$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.READ,
"pm1.sq1")); //$NON-NLS-1$
return svc;
}
//allow by default
- private AuthorizationService exampleAuthSvc2() {
- FakeAuthorizationService svc = new FakeAuthorizationService(true);
+ private DataPolicyMetadata exampleAuthSvc2() {
+ DataPolicyMetadata svc = new DataPolicyMetadata();
+ svc.setName("test"); //$NON-NLS-1$
+
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm1.g2")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.READ, "pm1.g2"));
//$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.READ, "pm2.g1"));
//$NON-NLS-1$
- // pm2.g2
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm2.g2.e1");
//$NON-NLS-1$
+ // pm2.g2
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm2.g2.e1")); //$NON-NLS-1$
// pm3.g2
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm3.g2.e1");
//$NON-NLS-1$
- svc.addResource(AuthorizationService.ACTION_CREATE, "pm3.g2.e2");
//$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm3.g2.e1")); //$NON-NLS-1$
+ svc.addPermission(addResource(DataPolicy.PermissionType.CREATE,
"pm3.g2.e2")); //$NON-NLS-1$
return svc;
}
- private void helpTest(AuthorizationService svc, String sql, QueryMetadataInterface
metadata, String[] expectedInaccesible, VDBMetaData vdb) throws QueryParserException,
QueryResolverException, MetaMatrixComponentException {
+ private void helpTest(DataPolicyMetadata policy, String sql, QueryMetadataInterface
metadata, String[] expectedInaccesible, VDBMetaData vdb) throws QueryParserException,
QueryResolverException, MetaMatrixComponentException {
QueryParser parser = QueryParser.getQueryParser();
Command command = parser.parseCommand(sql);
QueryResolver.resolveCommand(command, metadata);
vdb.addAttchment(QueryMetadataInterface.class, metadata);
- AuthorizationValidationVisitor visitor = new AuthorizationValidationVisitor(svc,
vdb);
+ HashMap<String, DataPolicy> policies = new HashMap<String,
DataPolicy>();
+ policies.put(policy.getName(), policy);
+
+ AuthorizationValidationVisitor visitor = new AuthorizationValidationVisitor(vdb,
true, policies, "test"); //$NON-NLS-1$
ValidatorReport report = Validator.validate(command, metadata, visitor);
if(report.hasItems()) {
ValidatorFailure firstFailure = (ValidatorFailure)
report.getItems().iterator().next();
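Review bot: The `switch(type)` in the new `addResource(PermissionType, boolean, String)` helper has no `default` branch, so any `PermissionType` value not listed there yields a `PermissionMetaData` with only the resource name set, and the test would fail later with a confusing inaccessible-resource diff instead of at the point of construction; `default: throw new IllegalArgumentException("unhandled permission type: " + type);` makes the helper fail fast. The helper's name also promises more than it does — it builds and returns a permission while the caller does the `addPermission` — so `createPermission` would read better, and the hunk mixes `PermissionType.DELETE` with `DataPolicy.PermissionType.READ` for the same enum, which should be one form. The `//allow by default` comment above `exampleAuthSvc2` described the removed `FakeAuthorizationService(true)`; the expectation changes in the later hunks suggest `DataPolicyMetadata` grants only what is listed, so that comment looks stale and should be dropped or reworded. In `helpTest` the role name `"test"` now appears both in `svc.setName` and as the visitor's last constructor argument; a `private static final String ROLE = "test";` would make that coupling explicit.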
@@ -213,11 +252,11 @@
}
public void testSelectIntoTarget_e1_NotAccessible() throws Exception {
- helpTest(exampleAuthSvc2(), "SELECT e1, e2, e3, e4 INTO pm2.g2 FROM
pm2.g1", FakeMetadataFactory.example1Cached(), new String[] {"pm2.g2.e1"},
FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$
+ helpTest(exampleAuthSvc2(), "SELECT e1, e2, e3, e4 INTO pm2.g2 FROM
pm2.g1", FakeMetadataFactory.example1Cached(), new String[]
{"pm2.g2.e2","pm2.g2.e4","pm2.g2.e3"},
FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
//$NON-NLS-4$
}
public void testSelectIntoTarget_e1e2_NotAccessible() throws Exception {
- helpTest(exampleAuthSvc2(), "SELECT e1, e2, e3, e4 INTO pm3.g2 FROM
pm2.g1", FakeMetadataFactory.example1Cached(), new String[] {"pm3.g2.e1",
"pm3.g2.e2"},FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$
//$NON-NLS-3$
+ helpTest(exampleAuthSvc2(), "SELECT e1, e2, e3, e4 INTO pm3.g2 FROM
pm2.g1", FakeMetadataFactory.example1Cached(), new String[] {"pm3.g2.e4",
"pm3.g2.e3"},FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$
//$NON-NLS-3$
}
public void testTempTableSelectInto() throws Exception {
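Review bot: The new expected arrays contradict the test names: `testSelectIntoTarget_e1_NotAccessible` now asserts that `pm2.g2.e2`, `pm2.g2.e4` and `pm2.g2.e3` are the inaccessible columns, i.e. `e1` is the one column that is accessible (exampleAuthSvc2 grants CREATE on `pm2.g2.e1` only), and `testSelectIntoTarget_e1e2_NotAccessible` likewise now lists `pm3.g2.e4` and `pm3.g2.e3`. Either rename them (`testSelectIntoTarget_OnlyE1Accessible`, `testSelectIntoTarget_OnlyE1E2Accessible`) or add a one-line comment stating that the policy now grants explicitly rather than allowing by default. The same mismatch applies to `testXMLAccessible` in the following hunk, which now expects `xmltest.doc1` to be reported inaccessible.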
@@ -233,7 +272,7 @@
}
public void testXMLAccessible() throws Exception {
- helpTest(exampleAuthSvc2(), "select * from xmltest.doc1",
FakeMetadataFactory.example1Cached(), new String[] {}, FakeMetadataFactory.example1VDB());
//$NON-NLS-1$
+ helpTest(exampleAuthSvc2(), "select * from xmltest.doc1",
FakeMetadataFactory.example1Cached(), new String[] {"xmltest.doc1"},
FakeMetadataFactory.example1VDB()); //$NON-NLS-1$ //$NON-NLS-2$
}
public void testXMLInAccessible() throws Exception {
@@ -242,10 +281,8 @@
private void helpTestLookupVisibility(boolean visible) throws QueryParserException,
QueryValidatorException, MetaMatrixComponentException {
VDBMetaData vdb = FakeMetadataFactory.example1VDB();
- if (!visible) {
- vdb.getModel("pm1").setVisible(false);
- }
- AuthorizationValidationVisitor mvvv = new
AuthorizationValidationVisitor(Mockito.mock(AuthorizationService.class), vdb);
+ vdb.getModel("pm1").setVisible(visible); //$NON-NLS-1$
+ AuthorizationValidationVisitor mvvv = new AuthorizationValidationVisitor(vdb, false,
new HashMap<String, DataPolicy>(), "test"); //$NON-NLS-1$
String sql = "select lookup('pm1.g1', 'e1', 'e2',
1)"; //$NON-NLS-1$
Command command = QueryParser.getQueryParser().parseCommand(sql);
Request.validateWithVisitor(mvvv, FakeMetadataFactory.example1Cached(), command);
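Review bot: The constructor call `new AuthorizationValidationVisitor(vdb, false, new HashMap<String, DataPolicy>(), "test")` passes a bare `false` whose meaning cannot be read at the call site; `helpTest` passes `true` in the same position, so the two helpers presumably exercise the check-enabled and check-disabled paths, which is worth stating. A local named after the constructor's parameter in place of the literal, or a short `// …` comment on the argument, would do. `helpTestLookupVisibility` continues past the end of this hunk.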
Modified:
trunk/jboss-integration/src/main/java/org/teiid/jboss/deployers/RuntimeEngineDeployer.java
===================================================================
---
trunk/jboss-integration/src/main/java/org/teiid/jboss/deployers/RuntimeEngineDeployer.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/jboss-integration/src/main/java/org/teiid/jboss/deployers/RuntimeEngineDeployer.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -74,7 +74,6 @@
import com.metamatrix.core.log.MessageLevel;
import com.metamatrix.dqp.client.DQP;
import com.metamatrix.dqp.client.DQPManagement;
-import com.metamatrix.dqp.service.AuthorizationService;
import com.metamatrix.dqp.service.BufferService;
import com.metamatrix.dqp.service.SessionService;
import com.metamatrix.dqp.service.TransactionService;
@@ -216,10 +215,6 @@
this.dqpCore.setWorkManager(mgr);
}
- public void setAuthorizationService(AuthorizationService service) {
- this.dqpCore.setAuthorizationService(service);
- }
-
public void setSessionService(SessionService service) {
this.sessionService = service;
service.setDqp(this.dqpCore);
Deleted: trunk/runtime/src/main/java/org/teiid/services/AuthorizationServiceImpl.java
===================================================================
---
trunk/runtime/src/main/java/org/teiid/services/AuthorizationServiceImpl.java 2010-03-18
18:26:59 UTC (rev 1974)
+++
trunk/runtime/src/main/java/org/teiid/services/AuthorizationServiceImpl.java 2010-03-19
00:20:58 UTC (rev 1975)
@@ -1,465 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * See the COPYRIGHT.txt file distributed with this work for information
- * regarding copyright ownership. Some portions may be licensed
- * to Red Hat, Inc. under one or more contributor license agreements.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301 USA.
- */
-
-package org.teiid.services;
-
-import java.io.Serializable;
-import java.security.Principal;
-import java.security.acl.Group;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
-
-import org.jboss.managed.api.annotation.ManagementComponent;
-import org.jboss.managed.api.annotation.ManagementObject;
-import org.jboss.managed.api.annotation.ManagementProperties;
-import org.jboss.managed.api.annotation.ManagementProperty;
-import org.teiid.adminapi.AdminRoles;
-import org.teiid.adminapi.impl.VDBMetaData;
-import org.teiid.deployers.VDBRepository;
-import org.teiid.dqp.internal.process.DQPWorkContext;
-import org.teiid.logging.api.AuditMessage;
-import org.teiid.runtime.RuntimePlugin;
-import org.teiid.security.roles.AuthorizationActions;
-import org.teiid.security.roles.AuthorizationPermission;
-import org.teiid.security.roles.AuthorizationPoliciesHolder;
-import org.teiid.security.roles.AuthorizationPolicy;
-import org.teiid.security.roles.AuthorizationPolicyFactory;
-import org.teiid.security.roles.AuthorizationRealm;
-import org.teiid.security.roles.BasicAuthorizationPermission;
-import org.teiid.security.roles.BasicAuthorizationPermissionFactory;
-import org.teiid.security.roles.RolePermissionFactory;
-import org.teiid.security.roles.StandardAuthorizationActions;
-
-import com.metamatrix.admin.api.exception.security.InvalidSessionException;
-import com.metamatrix.api.exception.MetaMatrixComponentException;
-import com.metamatrix.api.exception.security.AuthorizationMgmtException;
-import com.metamatrix.common.log.LogManager;
-import com.metamatrix.core.log.MessageLevel;
-import com.metamatrix.core.util.LRUCache;
-import com.metamatrix.dqp.service.AuthorizationService;
-import com.metamatrix.platform.security.api.MetaMatrixPrincipal;
-import com.metamatrix.platform.security.api.MetaMatrixPrincipalName;
-import com.metamatrix.platform.security.api.SessionToken;
-import com.metamatrix.vdb.runtime.VDBKey;
-
-/**
- * The Authorization Service is responsible for handling requests to determine
- * whether a Principal is entitled to perform a given action on a given resource
- * or set of resources.
- * <p>
- * Administration of the Authorization policies; creating/destroying Policies,
- * adding/deleting Principals and Permissions is available to Principals that
- * have the proper administrative role.
- * </p>
- */
-@ManagementObject(componentType=@ManagementComponent(type="teiid",subtype="dqp"),
properties=ManagementProperties.EXPLICIT)
-public class AuthorizationServiceImpl implements AuthorizationService, Serializable {
-
- private static final long serialVersionUID = 5399603007837606243L;
-
- /*
- * Configuration state
- */
- private boolean useEntitlements;
-
- protected LRUCache<VDBKey, Collection<AuthorizationPolicy>> policyCache =
new LRUCache<VDBKey, Collection<AuthorizationPolicy>>();
-
- // Permission factory is reusable and thread safe
- private static final BasicAuthorizationPermissionFactory PERMISSION_FACTORY = new
BasicAuthorizationPermissionFactory();
-
- private Collection<AuthorizationPolicy> adminPolicies =
AuthorizationPolicyFactory.buildDefaultAdminPolicies();
-
- private VDBRepository vdbRepository;
-
- @Override
- public Collection getInaccessibleResources(int action, Collection resources,
com.metamatrix.dqp.service.AuthorizationService.Context context) throws
MetaMatrixComponentException {
- AuthorizationRealm realm = getRealm(DQPWorkContext.getWorkContext());
- AuthorizationActions actions = getActions(action);
- Collection permissions = createPermissions(realm, resources, actions);
- String auditContext = context.toString();
- Collection inaccessableResources = Collections.EMPTY_LIST;
- try {
- inaccessableResources = getInaccessibleResources(auditContext, permissions);
- } catch (AuthorizationMgmtException e) {
- throw new MetaMatrixComponentException(e);
- }
-
- // Convert inaccessable resources from auth permissions to string resource names
- Collection inaccessableResourceNames = Collections.EMPTY_LIST;
- if ( inaccessableResources != null && inaccessableResources.size() > 0
) {
- inaccessableResourceNames = new ArrayList();
- for ( Iterator permItr = inaccessableResources.iterator(); permItr.hasNext();
) {
- AuthorizationPermission permission = (AuthorizationPermission)
permItr.next();
- inaccessableResourceNames.add(permission.getResourceName());
- }
- }
- return inaccessableResourceNames;
- }
-
- /**
- * Of those resources specified, return the subset for which the specified account
- * does <emph>NOT</emph> have authorization to access.
- * @param caller the session token of the principal that is calling this method
- * @param contextName the name of the context for the caller (@see AuditContext)
- * @param requests the permissions that detail the resources and the desired form of
access
- * @return the subset of <code>requests</code> that the account does
<i>not</i> have access to
- * @throws InvalidSessionException if the session token for this cache is not valid
- * @throws AuthorizationMgmtException if this service is unable to locate resources
required
- * for this operation
- */
- private Collection getInaccessibleResources(String contextName, Collection requests)
throws AuthorizationMgmtException {
-
- SessionToken caller = getSession();
-
- LogManager.logDetail(com.metamatrix.common.log.LogConstants.CTX_AUTHORIZATION,
new Object[]{"getInaccessibleResources(", caller, ", ", contextName,
", ", requests, ")"}); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
//$NON-NLS-4$
-
- List<String> resources = new ArrayList<String>();
- if (requests != null && ! requests.isEmpty()) {
- Iterator permItr = requests.iterator();
- while ( permItr.hasNext() ) {
-
resources.add(((AuthorizationPermission)permItr.next()).getResourceName());
- }
- }
-
- // Audit - request
- AuditMessage msg = new AuditMessage( contextName,
"getInaccessibleResources-request", caller.getUsername(), resources.toArray(new
String[resources.size()])); //$NON-NLS-1$
- LogManager.log(MessageLevel.INFO,
com.metamatrix.common.log.LogConstants.CTX_AUDITLOGGING, msg);
-
- if (isEntitled()){
- return Collections.EMPTY_LIST;
- }
-
- Collection results = new HashSet(requests);
- Collection policies = this.getPoliciesForPrincipal(getRequestedRealm(requests));
-
- Iterator policyIter = policies.iterator();
-
- while (policyIter.hasNext() && !results.isEmpty()) {
- Iterator requestIter = results.iterator();
- AuthorizationPolicy policy = (AuthorizationPolicy) policyIter.next();
- while (requestIter.hasNext()) {
- AuthorizationPermission request = (AuthorizationPermission)
requestIter.next();
- if (policy.implies(request)) {
- requestIter.remove();
- continue;
- }
- }
- }
-
- if (results.isEmpty()) {
- msg = new AuditMessage( contextName, "getInaccessibleResources-granted
all", caller.getUsername(), resources.toArray(new String[resources.size()]));
//$NON-NLS-1$
- LogManager.log(MessageLevel.INFO,
com.metamatrix.common.log.LogConstants.CTX_AUDITLOGGING, msg);
- } else {
- msg = new AuditMessage( contextName,
"getInaccessibleResources-denied", caller.getUsername(), resources.toArray(new
String[resources.size()])); //$NON-NLS-1$
- LogManager.log(MessageLevel.INFO,
com.metamatrix.common.log.LogConstants.CTX_AUDITLOGGING, msg);
- }
- return results;
- }
-
- /**
- * Query <code>requests</code> for the
<code>AuthorizationRealm</code> in
- * which they belong.
- * @param requests
- * @return The realm in which <i>all</i> the requests in the collection
- * belong.
- * @throws AuthorizationMgmtException if the request <i>do not all</i>
- * belong to the same realm.
- */
- private static AuthorizationRealm getRequestedRealm(final Collection requests)
- throws AuthorizationMgmtException {
- AuthorizationRealm theRealm = null;
- Iterator requestItr = requests.iterator();
- while (requestItr.hasNext()) {
- AuthorizationPermission aPerm = (AuthorizationPermission) requestItr.next();
- AuthorizationRealm aRealm = aPerm.getRealm();
- if ( theRealm != null ) {
- if ( ! theRealm.equals(aRealm) ) {
- throw new
AuthorizationMgmtException(RuntimePlugin.Util.getString("AuthorizationServiceImpl.wrong_realms
")); //$NON-NLS-1$
- }
- } else {
- theRealm = aRealm;
- }
- }
- if ( theRealm == null ) {
- throw new
AuthorizationMgmtException(RuntimePlugin.Util.getString("AuthorizationServiceImpl.Authorization_Realm_is_null"));
//$NON-NLS-1$
- }
- return theRealm;
- }
-
- @Override
- public boolean hasRole(String roleType, String roleName) throws
MetaMatrixComponentException {
-
- AuthorizationRealm realm = null;
-
- if (ADMIN_ROLE.equalsIgnoreCase(roleType)) {
- realm = RolePermissionFactory.getRealm();
- } else if (DATA_ROLE.equalsIgnoreCase(roleType)){
- realm = getRealm(DQPWorkContext.getWorkContext());
- } else {
- return false;
- }
-
- try {
- return hasPolicy(realm, roleName);
- } catch (AuthorizationMgmtException err) {
- throw new MetaMatrixComponentException(err);
- }
- }
-
- private boolean matchesPrincipal(Set<MetaMatrixPrincipalName> principals,
AuthorizationPolicy policy) {
- for (MetaMatrixPrincipalName principal : principals) {
- if (policy.getPrincipals().contains(principal)) {
- return true;
- }
- }
- return false;
- }
-
- private boolean hasPolicy(AuthorizationRealm realm, String policyName) throws
AuthorizationMgmtException {
-
- if (isEntitled()) {
- return true;
- }
-
- Collection<AuthorizationPolicy> policies = getPoliciesForPrincipal(realm);
-
- HashSet applicablePolicies = new HashSet();
- applicablePolicies.add(policyName);
-
- if (realm == RolePermissionFactory.getRealm()) {
- if (AdminRoles.RoleName.ADMIN_PRODUCT.equals(policyName)) {
- applicablePolicies.add(AdminRoles.RoleName.ADMIN_SYSTEM);
- } else if (AdminRoles.RoleName.ADMIN_READONLY.equals(policyName)) {
- applicablePolicies.add(AdminRoles.RoleName.ADMIN_PRODUCT);
- applicablePolicies.add(AdminRoles.RoleName.ADMIN_SYSTEM);
- }
- }
-
- for (AuthorizationPolicy policy:policies) {
- if (applicablePolicies.contains(policy.getAuthorizationPolicyID().getDisplayName()))
{
- return true;
- }
- }
- return false;
- }
-
- /**
- * Return a collection of all policies for which this principal has authorization,
caching as needed.
- * Policies are returned for the principal and all groups in which the principal has
membership.
- * <br><strong>NOTE:</strong> This method only goes to the
authorization store when
- * <emph>none</emph> of the given principal's policies are found in
the cache.
- * @param user the user account for which access is being checked; may not be null
- * (this is not checked for, however)
- * @return All policies for which the principal is authenticated - may be empty but
never null.
- * @throws AuthorizationMgmtException if this service has trouble connecting to
services it uses.
- * @throws MetaMatrixComponentException
- */
- private Collection<AuthorizationPolicy>
getPoliciesForPrincipal(AuthorizationRealm realm)
- throws AuthorizationMgmtException {
-
- Set<AuthorizationPolicy> result = new HashSet<AuthorizationPolicy>();
- Set<MetaMatrixPrincipalName> userRoles = getUserRoles();
- if (userRoles.isEmpty()) {
- return result;
- }
-
- Collection<AuthorizationPolicy> policies = getPoliciesInRealm(realm);
-
- for (AuthorizationPolicy policy : policies) {
- if (matchesPrincipal(userRoles, policy)) {
- result.add(policy);
- continue;
- }
- }
- return result;
- }
-
-
- private Set<MetaMatrixPrincipalName> getUserRoles() {
- Set<MetaMatrixPrincipalName> roles = new
HashSet<MetaMatrixPrincipalName>();
- Set<Principal> principals =
DQPWorkContext.getWorkContext().getSubject().getPrincipals();
- for(Principal p: principals) {
- // this JBoss specific, but no code level dependencies
- if ((p instanceof Group) && p.getName().equals("Roles")){
- Group g = (Group)p;
- Enumeration rolesPrinciples = g.members();
- while(rolesPrinciples.hasMoreElements()) {
- roles.add(new
MetaMatrixPrincipalName(((Principal)rolesPrinciples.nextElement()).getName(),
MetaMatrixPrincipal.TYPE_GROUP));
- }
- }
- }
- return roles;
- }
-
- @Override
- public Collection<AuthorizationPolicy> getPoliciesInRealm(AuthorizationRealm
realm) throws AuthorizationMgmtException {
-
- Collection<AuthorizationPolicy> policies = null;
-
- VDBKey key = null;
-
- if (realm.getSubRealmName() != null) {
- // get data roles for the user
- key = new VDBKey(realm.getSuperRealmName(), realm.getSubRealmName());
- synchronized (this.policyCache) {
- policies = this.policyCache.get(key);
- if (policies == null ) {
- policies = getDataPolicies(realm);
- }
- this.policyCache.put(key, policies);
- }
- }
- else {
- // get admin roles
- policies = getAdminPolicies();
- }
- return policies;
- }
-
- private Collection<AuthorizationPolicy> getDataPolicies(AuthorizationRealm realm)
{
- Collection<AuthorizationPolicy> policies = null;
- VDBMetaData vdb = this.vdbRepository.getVDB(realm.getSuperRealmName(),
Integer.parseInt(realm.getSubRealmName()));
- AuthorizationPoliciesHolder holder =
vdb.getAttachment(AuthorizationPoliciesHolder.class);
-
- if (holder == null) {
- policies = Collections.emptyList();
- }
- else {
- policies = holder.getAuthorizationPolicies();
- //AuthorizationPolicyFactory.buildPolicies(vdb.getName(),
String.valueOf(vdb.getVersion()), vdb.getDataRoles());
- }
- return policies;
- }
-
- private Collection<AuthorizationPolicy> getAdminPolicies() {
- return adminPolicies;
- }
-
- @Override
- public void updatePoliciesInRealm(AuthorizationRealm realm,
Collection<AuthorizationPolicy> policies) throws AuthorizationMgmtException {
-
- if (realm.getSubRealmName() != null) {
- VDBKey key = new VDBKey(realm.getSuperRealmName(), realm.getSubRealmName());
- synchronized (this.policyCache) {
- policies = this.policyCache.get(key);
- if (policies != null) {
- this.policyCache.remove(key);
- }
- VDBMetaData vdb = this.vdbRepository.getVDB(realm.getSuperRealmName(),
Integer.parseInt(realm.getSubRealmName()));
- AuthorizationPoliciesHolder holder = new AuthorizationPoliciesHolder();
- holder.setAuthorizationPolicies(policies);
- vdb.addAttchment(AuthorizationPoliciesHolder.class, holder);
- //vdb.setDataRoles(AuthorizationPolicyFactory.exportPolicies(policies));
- this.policyCache.put(key, policies);
- }
- }
- else {
- // there is no admin API way to update the Admin Roles.
- this.adminPolicies = policies;
- }
- }
-
- protected boolean isEntitled(){
- if (DQPWorkContext.getWorkContext().getSubject() == null) {
-
LogManager.logDetail(com.metamatrix.common.log.LogConstants.CTX_AUTHORIZATION,new
Object[]{ "Automatically entitling principal",
DQPWorkContext.getWorkContext().getSessionToken().getUsername()}); //$NON-NLS-1$
- return true;
- }
- return false;
- }
-
- /**
- * Determine whether entitlements checking is enabled on the server.
- *
- * @return <code>true</code> iff server-side entitlements checking is
enabled.
- */
- @Override
- @ManagementProperty(description="Turn on checking the entitlements on resources
based on the roles defined in VDB", readOnly=true)
- public boolean checkingEntitlements() {
- return useEntitlements;
- }
-
-
- /**
- * Create realm based on token
- * @param token Used to find info about this session
- * @return Realm to use (based on vdb name and version)
- */
- private AuthorizationRealm getRealm(DQPWorkContext context) {
- return new AuthorizationRealm(context.getVdbName(),
String.valueOf(context.getVdbVersion()));
- }
-
- private AuthorizationActions getActions(int actionCode) {
- switch(actionCode) {
- case AuthorizationService.ACTION_READ: return
StandardAuthorizationActions.DATA_READ;
- case AuthorizationService.ACTION_CREATE: return
StandardAuthorizationActions.DATA_CREATE;
- case AuthorizationService.ACTION_UPDATE: return
StandardAuthorizationActions.DATA_UPDATE;
- case AuthorizationService.ACTION_DELETE: return
StandardAuthorizationActions.DATA_DELETE;
- default: return StandardAuthorizationActions.DATA_READ;
- }
- }
-
- /**
- * Take a list of resources (Strings) and create a list of permissions
- * suitable for sending to the authorization service.
- * @param realm Realm to use
- * @param resources Collection of String, listing resources
- * @param actions Actions to check for
- * @return Collection of BasicAuthorizationPermission
- */
- private Collection createPermissions(AuthorizationRealm realm, Collection resources,
AuthorizationActions actions) {
- List permissions = new ArrayList(resources.size());
- Iterator iter = resources.iterator();
- while(iter.hasNext()) {
- String resource = (String) iter.next();
-
- BasicAuthorizationPermission permission =
- (BasicAuthorizationPermission) PERMISSION_FACTORY.create(resource, realm,
actions);
-
- permissions.add(permission);
- }
- return permissions;
- }
-
- public void setVDBRepository(VDBRepository repo) {
- this.vdbRepository = repo;
- }
-
- public void setUseEntitlements(Boolean useEntitlements) {
- this.useEntitlements = useEntitlements.booleanValue();
- }
-
- @Override
- public boolean isCallerInRole(String roleName) throws AuthorizationMgmtException {
- LogManager.logTrace(com.metamatrix.common.log.LogConstants.CTX_AUTHORIZATION, new
Object[]{"isCallerInRole(", getSession(), roleName, ")"});
//$NON-NLS-1$ //$NON-NLS-2$
- return hasPolicy(RolePermissionFactory.getRealm(), roleName);
- }
-
- SessionToken getSession() {
- return DQPWorkContext.getWorkContext().getSessionToken();
- }
-}