1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package com.att.cadi.aaf.cass;
\r
25 import java.util.ArrayList;
\r
26 import java.util.HashSet;
\r
27 import java.util.Set;
\r
29 import org.apache.cassandra.auth.AuthenticatedUser;
\r
30 import org.apache.cassandra.auth.IAuthorizer;
\r
31 import org.apache.cassandra.auth.IResource;
\r
32 import org.apache.cassandra.auth.Permission;
\r
33 import org.apache.cassandra.auth.PermissionDetails;
\r
34 import org.apache.cassandra.exceptions.RequestExecutionException;
\r
35 import org.apache.cassandra.exceptions.RequestValidationException;
\r
37 import com.att.cadi.Access.Level;
\r
38 import com.att.cadi.aaf.v2_0.AbsAAFLur;
\r
39 import com.att.cadi.lur.LocalPermission;
\r
41 public class AAFAuthorizer extends AAFBase implements IAuthorizer {
\r
42 // Returns every permission on the resource granted to the user.
\r
/**
 * Resolves the Cassandra permissions {@code user} holds on {@code resource}.
 *
 * Only AAF-authenticated users are looked up; any other kind of
 * {@link AuthenticatedUser} gets {@link Permission#NONE}. For an AAF user the
 * Cassandra resource name is first mapped onto this cluster (its "data" root
 * is replaced by {@code cluster_name}) and then checked either against the
 * local LUR (localized IDs) or against remote AAF permissions.
 *
 * @param user     the session's authenticated user
 * @param resource the Cassandra resource being accessed, e.g. "data/ks/table"
 * @return the permissions granted on {@code resource}
 */
public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
    // Both names are assigned inside the DEBUG log call (arguments are
    // evaluated left to right) and reused for the INFO line at the end.
    String uname, rname;
    access.log(Level.DEBUG,"Authorizing",uname=user.getName(),"for",rname=resource.getName());
    Set<Permission> permissions;
    if(user instanceof AAFAuthenticatedUser) {
        AAFAuthenticatedUser aafUser = (AAFAuthenticatedUser) user;
        // Side effect of every authorization: the AAF user is marked non-anonymous.
        aafUser.setAnonymous(false);
        if(aafUser.isLocal()) {
            // Localized ID: all-or-nothing lookup in the local LUR against the
            // cluster-scoped resource name.
            // NOTE(review): replaceFirst("data", ...) is a regex on the first
            // "data" anywhere in the name, not only on a leading "data" root.
            // That is fine while every resource name starts with "data"; if
            // other resource kinds can reach this authorizer, anchor it
            // ("^data") so a name like "roles/data_admin" is not rewritten in
            // the middle — confirm which resources Cassandra passes here.
            permissions = checkPermissions(aafUser, new LocalPermission(
                    rname.replaceFirst("data", cluster_name)
            // Remote AAF lookup: the instance is ':' + cluster + ':' + keyspace
            // (+ ':' + table), i.e. Cassandra's '/' separators become AAF's ':'.
            // NOTE(review): if cluster_name itself contains ':' or '/' the
            // instance string becomes ambiguous — validate it at configuration time.
            permissions = checkPermissions(
                    ':'+rname.replaceFirst("data", cluster_name).replace('/', ':'));
            // Not an AAF user: nothing is granted.
            permissions = Permission.NONE;
    // Every authorization decision is logged at INFO with user and resource name.
    access.log(Level.INFO,"Permissions on",rname,"for",uname,':', permissions);
\r
73 * Check only for Localized IDs (see cadi.properties)
\r
/**
 * Authorization for localized IDs (see cadi.properties): a single lookup in
 * the local LUR decides everything.
 *
 * @param aau  the AAF user being authorized
 * @param perm the cluster-scoped {@link LocalPermission} derived from the resource name
 * @return {@link Permission#ALL} when the local LUR grants {@code perm} to the
 *         user's full name, otherwise {@link Permission#NONE}; there is no
 *         per-action granularity on this path
 */
private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, LocalPermission perm) {
    final boolean granted = localLur.fish(aau.getFullName(), perm);
    // Unlike the remote "ALL" action, a local match does not mark the user as
    // super; the former aau.setSuper(true) here is commented out.
    // aau.setSuper(true);
    return granted ? Permission.ALL : Permission.NONE;
}
\r
88 * Check remoted AAF Permissions
\r
/**
 * Authorization through remote AAF permissions.
 *
 * Asks the AAF LUR which of the registered {@link #actions} the user holds for
 * the given permission type and instance; every action that is applied folds
 * its Cassandra {@link Permission} into a fresh {@link PermHolder}.
 *
 * @param aau      the AAF user being authorized
 * @param type     the AAF permission type to look up
 * @param instance the AAF permission instance (cluster/keyspace/table path in AAF form)
 * @return the accumulated permissions; {@link Permission#NONE} if no action was applied
 */
private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, String type, String instance) {
    final String id = aau.getFullName();
    // One holder per call: the static action list carries no per-call state.
    final PermHolder holder = new PermHolder(aau);
    aafLur.fishOneOf(id, holder, type, instance, actions);
    return holder.permissions;
}
\r
/**
 * Per-call accumulator handed to the AAF LUR: pairs the user being authorized
 * with the Cassandra permissions collected so far.
 *
 * NOTE(review): declared as a non-static inner class, so each instance carries
 * a reference to the enclosing AAFAuthorizer that nothing in this class uses;
 * {@code static} would do.
 */
private class PermHolder {
    // The user under authorization; the first registered action flips its super flag.
    private AAFAuthenticatedUser aau;
    public PermHolder(AAFAuthenticatedUser aau) {
    // Starts as the shared (presumably immutable) Permission.NONE; call
    // mutable() before add().
    public Set<Permission> permissions = Permission.NONE;
    /**
     * Swaps the shared {@link Permission#NONE} for a private, modifiable set.
     * The comparison is by identity, so only that exact instance is replaced.
     * NOTE(review): Permission.ALL is not handled — if it is an unmodifiable
     * set and an action assigns it before another action calls add(), that
     * add() throws; confirm the "ALL" action ends the visit.
     */
    public void mutable() {
        if(permissions==Permission.NONE) {
            permissions = new HashSet<Permission>();
\r
* This specialty List avoids extra object creation and lets the Lur run a Visitor over all appropriate Perms
\r
/**
 * AAF action → Cassandra permission mappings, built once for the class and
 * shared by every remote checkPermissions call; per-call state lives in the
 * {@link PermHolder}, not here. The list is populated in the static
 * initializer and, within this class, never modified afterwards.
 */
private static final ArrayList<AbsAAFLur.Action<PermHolder>> actions = new ArrayList<AbsAAFLur.Action<PermHolder>>();
// First action: grants everything and marks the user as super.
// NOTE(review): setSuper(true) is a side effect on the user object while a
// single resource is being authorized. If Cassandra keeps the
// AuthenticatedUser for the session and consults isSuper() on later checks,
// holding this AAF action on one resource bypasses checks on every other
// resource — confirm that scope is intended. Also confirm exec() stops the
// visit here: the actions below call add() on the holder's set, which would
// fail if it is a (presumably unmodifiable) Permission.ALL.
actions.add(new AbsAAFLur.Action<PermHolder>() {
    public String getName() {
    public boolean exec(PermHolder a) {
        a.aau.setSuper(true);
        a.permissions = Permission.ALL;
// Each remaining action maps one AAF action name to one Cassandra permission
// (presumably getName() returns the name of the permission it grants — TODO
// confirm). They add to ph.permissions, so ph.mutable() must run first or the
// shared Permission.NONE would be modified — TODO confirm each exec() does so.
actions.add(new AbsAAFLur.Action<PermHolder>() {
    public String getName() {
    public boolean exec(PermHolder ph) {
        ph.permissions.add(Permission.SELECT);
actions.add(new AbsAAFLur.Action<PermHolder>() {
    public String getName() {
    public boolean exec(PermHolder ph) {
        ph.permissions.add(Permission.MODIFY);
actions.add(new AbsAAFLur.Action<PermHolder>() {
    public String getName() {
    public boolean exec(PermHolder ph) {
        ph.permissions.add(Permission.CREATE);
actions.add(new AbsAAFLur.Action<PermHolder>() {
    public String getName() {
    public boolean exec(PermHolder ph) {
        ph.permissions.add(Permission.ALTER);
actions.add(new AbsAAFLur.Action<PermHolder>() {
    public String getName() {
    public boolean exec(PermHolder ph) {
        ph.permissions.add(Permission.DROP);
// AAF action "AUTHORIZE" → Cassandra AUTHORIZE (the right to GRANT/REVOKE).
actions.add(new AbsAAFLur.Action<PermHolder>() {
    public String getName() {
        return "AUTHORIZE";
    public boolean exec(PermHolder ph) {
        ph.permissions.add(Permission.AUTHORIZE);
\r
/**
 * GRANT is not supported: permissions are managed in AAF, not in Cassandra.
 *
 * Security note: this method only logs and returns normally, so a CQL GRANT
 * appears to succeed while nothing changes. Grant permissions to the user or
 * role with the AAF CLI instead.
 *
 * @param performer   the user issuing the statement (ignored)
 * @param permissions the permissions requested (ignored)
 * @param resource    the target resource (ignored)
 * @param to          the grantee (ignored)
 */
public void grant(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String to) throws RequestExecutionException {
    access.log(Level.INFO, "Use AAF CLI to grant permission(s) to user/role");
}
\r
/**
 * REVOKE is not supported: permissions are managed in AAF, not in Cassandra.
 *
 * Security note: this method only logs and returns normally. An operator who
 * issues REVOKE to cut off access gets no error, yet the user keeps access
 * until the permission is revoked in AAF with the AAF CLI.
 *
 * @param performer   the user issuing the statement (ignored)
 * @param permissions the permissions to revoke (ignored)
 * @param resource    the target resource (ignored)
 * @param from        the user or role losing access (ignored)
 */
public void revoke(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String from) throws RequestExecutionException {
    access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role");
}
\r
/**
 * LIST PERMISSIONS is not supported: permissions are managed in AAF, so this
 * only logs a pointer to the AAF CLI.
 *
 * NOTE(review): whatever this method returns is what CQL LIST PERMISSIONS
 * reports; if it returns null, expect a NullPointerException upstream — an
 * empty set is the safer answer. Confirm the return value.
 *
 * @param performer   the user issuing the statement (ignored)
 * @param permissions the permissions to filter on (ignored)
 * @param resource    the resource to filter on (ignored)
 * @param of          the user or role to filter on (ignored)
 */
public Set<PermissionDetails> list(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException {
    access.log(Level.INFO,"Use AAF CLI to find the list of permissions");
\r
217 // Called prior to deleting the user with DROP USER query. Internal hook, so no permission checks are needed here.
\r
/**
 * Hook for DROP USER. Nothing is revoked here: the dropped user's AAF
 * permissions remain until they are removed with the AAF CLI, so a DROP USER
 * alone does not shrink what that identity can do in AAF.
 *
 * @param droppedUser name of the user being dropped (ignored)
 */
public void revokeAll(String droppedUser) {
    access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role");
}
\r
222 // Called after a resource is removed (DROP KEYSPACE, DROP TABLE, etc.).
\r
/**
 * Hook for DROP KEYSPACE / DROP TABLE and similar. Nothing is revoked here;
 * the AAF permissions that referred to the resource stay in place (and become
 * stale) until they are deleted with the AAF CLI. Only the resource name is
 * logged.
 *
 * @param droppedResource the resource being removed
 */
public void revokeAll(IResource droppedResource) {
    access.log(Level.INFO,"Use AAF CLI to delete the unused permission", droppedResource.getName());
}
\r