2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package com.att.aaf.cadi.cass;
24 import java.util.ArrayList;
25 import java.util.HashSet;
28 import org.apache.cassandra.auth.AuthenticatedUser;
29 import org.apache.cassandra.auth.IAuthorizer;
30 import org.apache.cassandra.auth.IResource;
31 import org.apache.cassandra.auth.Permission;
32 import org.apache.cassandra.auth.PermissionDetails;
33 import org.apache.cassandra.exceptions.RequestExecutionException;
34 import org.apache.cassandra.exceptions.RequestValidationException;
35 import org.onap.aaf.cadi.Access.Level;
36 import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLur;
37 import org.onap.aaf.cadi.lur.LocalPermission;
39 public class AAFAuthorizer extends AAFBase implements IAuthorizer {
40 // Returns every permission on the resource granted to the user.
/**
 * Cassandra IAuthorizer entry point: resolves which Cassandra Permissions
 * {@code user} holds on {@code resource} by asking AAF.
 *
 * Only an AAFAuthenticatedUser is ever granted anything; any other
 * AuthenticatedUser implementation ends up with Permission.NONE (fail closed).
 * Local IDs (see cadi.properties) are resolved against the local Lur, everything
 * else against the remote AAF Lur.
 *
 * NOTE(review): {@code uname} and {@code rname} are not declared in the lines of
 * this method that are visible here. If they are instance fields rather than
 * locals, concurrent authorize() calls race on them and {@code rname} feeds the
 * permission string below, i.e. one request could be checked against another
 * request's resource name — confirm they are method-local Strings.
 *
 * @param user     the authenticated caller
 * @param resource the Cassandra resource being accessed
 * @return the permissions granted to the user on the resource
 */
public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
    // Both names are captured inline here so the same values are reused below.
    access.log(Level.DEBUG,"Authorizing",uname=user.getName(),"for",rname=resource.getName());
    Set<Permission> permissions;
    if(user instanceof AAFAuthenticatedUser) {
        AAFAuthenticatedUser aafUser = (AAFAuthenticatedUser) user;
        // Reaching authorize() means authentication already succeeded, so the
        // user is no longer anonymous whatever the permission outcome is.
        aafUser.setAnonymous(false);
        if(aafUser.isLocal()) {
            // Localized IDs: the Cassandra resource name is mapped to a local
            // permission string by swapping the leading "data" for the cluster name.
            // NOTE(review): replaceFirst() is a regex replace of the FIRST "data"
            // anywhere in the name, not only of a leading "data/" segment; a
            // keyspace or table whose own name contains "data" would be mapped to
            // the wrong permission string — confirm the resource name format.
            permissions = checkPermissions(aafUser, new LocalPermission(
                rname.replaceFirst("data", cluster_name)
            // (the closing of this call and the header of the non-local branch are
            //  not part of this excerpt)
            // Remote IDs: same mapping, then '/' separators become ':' so the name
            // matches the AAF permission instance syntax. The leading arguments of
            // this call are not in the excerpt.
            permissions = checkPermissions(
                ':'+rname.replaceFirst("data", cluster_name).replace('/', ':'));
            // Not an AAF user at all: deny everything.
            permissions = Permission.NONE;
    // NOTE(review): this fires on every authorize() call, i.e. every query;
    // INFO may be very chatty under load and also records who holds what.
    access.log(Level.INFO,"Permissions on",rname,"for",uname,':', permissions);
71 * Check only for Localized IDs (see cadi.properties)
/**
 * Permission check for Localized IDs (see cadi.properties).
 *
 * This is all-or-nothing: if the local Lur confirms that {@code aau} holds
 * {@code perm}, the user receives Permission.ALL on the resource; otherwise
 * Permission.NONE. There is no per-action granularity on the local path,
 * unlike the remote path handled by the other checkPermissions() overload.
 *
 * @param aau  the authenticated (local) user
 * @param perm the local permission derived from the Cassandra resource name
 * @return Permission.ALL when the local Lur grants the permission, else Permission.NONE
 */
private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, LocalPermission perm) {
    if(localLur.fish(aau, perm)) {
        // Unlike the remote "all" action, the local path deliberately does not
        // flag the user as super; it only returns ALL for this resource.
        // aau.setSuper(true);
        return Permission.ALL;
    // (closing brace of the if-block is not part of this excerpt)
    return Permission.NONE;
86 * Check permissions held in remote AAF
/**
 * Permission check for non-local identities against remote AAF.
 *
 * The static {@code actions} list is handed to the AAF Lur as a visitor: for
 * each AAF action the user holds on ({@code type}, {@code instance}) the Lur
 * invokes the matching Action, which records the corresponding Cassandra
 * Permission(s) in the holder. Every action in the list is eligible to fire.
 *
 * @param aau      the authenticated remote user
 * @param type     the AAF permission type to look up
 * @param instance the AAF permission instance derived from the resource name
 * @return the accumulated Cassandra permissions; Permission.NONE if no action fired
 */
private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, String type, String instance) {
    final PermHolder holder = new PermHolder(aau);
    aafLur.fishOneOf(aau, holder, type, instance, actions);
    return holder.permissions;
}
/**
 * Accumulator handed to the AAF Lur visitor: the Actions in {@code actions}
 * record the Cassandra Permissions a user holds into {@code permissions}.
 *
 * {@code permissions} starts as the shared Permission.NONE set, so an Action
 * must call {@link #mutable()} before add()-ing to it; mutable() swaps in a
 * private HashSet exactly once.
 *
 * NOTE(review): the accumulated permissions are a public mutable field; that
 * is fine while the holder never escapes checkPermissions(), which is the only
 * visible creator.
 */
private class PermHolder {
    // The user being authorized; the "all" action flips its super flag.
    private AAFAuthenticatedUser aau;
    public PermHolder(AAFAuthenticatedUser aau) {
    // (constructor body not part of this excerpt)
    // Shared immutable-by-convention NONE until mutable() replaces it.
    public Set<Permission> permissions = Permission.NONE;
    /** Replaces the shared NONE set with a private HashSet so add() is safe. */
    public void mutable() {
        if(permissions==Permission.NONE) {
            permissions = new HashSet<Permission>();
113 * This specialized List avoids extra object creation and lets the Lur run a Visitor over all applicable Perms
// Visitor actions the AAF Lur applies to a PermHolder, one per AAF action name
// (the names returned by getName() are not part of this excerpt). Built once,
// statically, and shared by every checkPermissions() call.
private static final ArrayList<AbsAAFLur.Action<PermHolder>> actions = new ArrayList<AbsAAFLur.Action<PermHolder>>();
// (the "static {" initializer header is not part of this excerpt)
    // "Everything" action: the user is flagged super and given Permission.ALL.
    // NOTE(review): setSuper(true) presumably surfaces through
    // AuthenticatedUser.isSuper(), which Cassandra treats as a bypass of
    // authorization entirely — confirm that is intended for this AAF action.
    // NOTE(review): if the Lur keeps visiting after this action, the later
    // actions call add() on Permission.ALL; if that set is immutable the
    // request would fail — confirm what exec()'s boolean return signals.
    actions.add(new AbsAAFLur.Action<PermHolder>() {
        public String getName() {
        public boolean exec(PermHolder a) {
            a.aau.setSuper(true);
            a.permissions = Permission.ALL;
    // Each of the following actions maps one AAF action to one Cassandra
    // Permission; the holder is expected to be made mutable() before add()
    // (that line is not part of this excerpt).
    actions.add(new AbsAAFLur.Action<PermHolder>() {
        public String getName() {
        public boolean exec(PermHolder ph) {
            ph.permissions.add(Permission.SELECT);
    actions.add(new AbsAAFLur.Action<PermHolder>() {
        public String getName() {
        public boolean exec(PermHolder ph) {
            ph.permissions.add(Permission.MODIFY);
    actions.add(new AbsAAFLur.Action<PermHolder>() {
        public String getName() {
        public boolean exec(PermHolder ph) {
            ph.permissions.add(Permission.CREATE);
    actions.add(new AbsAAFLur.Action<PermHolder>() {
        public String getName() {
        public boolean exec(PermHolder ph) {
            ph.permissions.add(Permission.ALTER);
    actions.add(new AbsAAFLur.Action<PermHolder>() {
        public String getName() {
        public boolean exec(PermHolder ph) {
            ph.permissions.add(Permission.DROP);
    // AUTHORIZE lets the holder run GRANT/REVOKE in CQL; note that grant() and
    // revoke() below are no-ops, so this only affects what Cassandra allows.
    actions.add(new AbsAAFLur.Action<PermHolder>() {
        public String getName() {
        public boolean exec(PermHolder ph) {
            ph.permissions.add(Permission.AUTHORIZE);
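/**
 * Cassandra GRANT hook. AAF is the system of record for permissions, so this
 * implementation changes nothing; grants must be made through the AAF CLI/API.
 *
 * The ignored request is logged together with who asked for what, so that an
 * operator reviewing the log can tell that a CQL GRANT did not take effect.
 * NOTE(review): because nothing is thrown, the CQL statement presumably still
 * reports success even though no permission changed — confirm that is the
 * intended operator experience, or throw so the caller is told explicitly.
 *
 * @param performer   the user issuing the GRANT
 * @param permissions the permissions requested
 * @param resource    the resource they were requested on
 * @param to          the role/user they were requested for
 */
public void grant(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String to) throws RequestExecutionException {
    access.log(Level.INFO, "Use AAF CLI to grant permission(s) to user/role",
            "(ignored GRANT by", performer.getName(), "of", permissions, "on", resource.getName(), "to", to, ")");
}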
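/**
 * Cassandra REVOKE hook. AAF is the system of record for permissions, so this
 * implementation changes nothing; revocations must be made through the AAF CLI/API.
 *
 * The ignored request is logged with its parameters so a later audit can see
 * that a CQL REVOKE was issued but did not remove anything in AAF.
 * NOTE(review): a REVOKE that silently does nothing is the more dangerous
 * direction — the operator may believe access was removed. Since nothing is
 * thrown, the CQL statement presumably still reports success; confirm whether
 * failing the statement would be the safer behaviour here.
 *
 * @param performer   the user issuing the REVOKE
 * @param permissions the permissions requested to be revoked
 * @param resource    the resource they apply to
 * @param from        the role/user they were to be revoked from
 */
public void revoke(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String from) throws RequestExecutionException {
    access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role",
            "(ignored REVOKE by", performer.getName(), "of", permissions, "on", resource.getName(), "from", from, ")");
}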
/**
 * Cassandra LIST PERMISSIONS hook. Permissions live in AAF, so this
 * implementation does not enumerate them; use the AAF CLI instead.
 *
 * NOTE(review): the return statement of this method is not part of this
 * excerpt. Whatever it returns, a CQL LIST PERMISSIONS will not reflect the
 * grants that authorize() actually honours, which can mislead an audit that
 * relies on Cassandra's own listing.
 *
 * @param performer   the user issuing the LIST
 * @param permissions the permissions filter requested
 * @param resource    the resource filter requested
 * @param of          the role/user filter requested
 * @return see note above; the returning line is not visible here
 */
public Set<PermissionDetails> list(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException {
    access.log(Level.INFO,"Use AAF CLI to find the list of permissions");
214 // Called prior to deleting the user with DROP USER query. Internal hook, so no permission checks are needed here.
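/**
 * Called by Cassandra before a user is removed with DROP USER. Nothing is
 * revoked here because the grants live in AAF, not in Cassandra.
 *
 * The dropped user name is included in the log so an operator can follow up
 * in AAF. NOTE(review): since the AAF grants survive the DROP, a user later
 * re-created under the same name would presumably regain the same access —
 * confirm this is acceptable or that AAF cleanup is part of the DROP procedure.
 *
 * @param droppedUser the name of the user being dropped
 */
public void revokeAll(String droppedUser) {
    access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role", droppedUser);
}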
219 // Called after a resource is removed (DROP KEYSPACE, DROP TABLE, etc.).
220 public void revokeAll(IResource droppedResource) {
221 access.log(Level.INFO,"Use AAF CLI to delete the unused permission", droppedResource.getName());