1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.cadi.aaf.cass;
\r
26 import java.util.ArrayList;
\r
27 import java.util.HashSet;
\r
28 import java.util.Set;
\r
30 import org.apache.cassandra.auth.AuthenticatedUser;
\r
31 import org.apache.cassandra.auth.IAuthorizer;
\r
32 import org.apache.cassandra.auth.IResource;
\r
33 import org.apache.cassandra.auth.Permission;
\r
34 import org.apache.cassandra.auth.PermissionDetails;
\r
35 import org.apache.cassandra.exceptions.RequestExecutionException;
\r
36 import org.apache.cassandra.exceptions.RequestValidationException;
\r
38 import com.att.cadi.Access.Level;
\r
39 import com.att.cadi.aaf.v2_0.AbsAAFLur;
\r
40 import com.att.cadi.lur.LocalPermission;
\r
42 public class AAFAuthorizer extends AAFBase implements IAuthorizer {
\r
43 // Returns every permission on the resource granted to the user.
\r
44 public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
\r
45 String uname, rname;
\r
46 access.log(Level.DEBUG,"Authorizing",uname=user.getName(),"for",rname=resource.getName());
\r
48 Set<Permission> permissions;
\r
50 if(user instanceof AAFAuthenticatedUser) {
\r
51 AAFAuthenticatedUser aafUser = (AAFAuthenticatedUser) user;
\r
52 aafUser.setAnonymous(false);
\r
54 if(aafUser.isLocal()) {
\r
55 permissions = checkPermissions(aafUser, new LocalPermission(
\r
56 rname.replaceFirst("data", cluster_name)
\r
59 permissions = checkPermissions(
\r
62 ':'+rname.replaceFirst("data", cluster_name).replace('/', ':'));
\r
65 permissions = Permission.NONE;
\r
68 access.log(Level.INFO,"Permissions on",rname,"for",uname,':', permissions);
\r
74 * Check only for Localized IDs (see cadi.properties)
\r
79 private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, LocalPermission perm) {
\r
80 if(localLur.fish(aau.getFullName(), perm)) {
\r
81 // aau.setSuper(true);
\r
82 return Permission.ALL;
\r
84 return Permission.NONE;
\r
89 * Check remoted AAF Permissions
\r
95 private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, String type, String instance) {
\r
96 // Can perform ALL actions
\r
97 String fullName = aau.getFullName();
\r
98 PermHolder ph = new PermHolder(aau);
\r
99 aafLur.fishOneOf(fullName, ph,type,instance,actions);
\r
100 return ph.permissions;
\r
103 private class PermHolder {
\r
104 private AAFAuthenticatedUser aau;
\r
105 public PermHolder(AAFAuthenticatedUser aau) {
\r
108 public Set<Permission> permissions = Permission.NONE;
\r
109 public void mutable() {
\r
110 if(permissions==Permission.NONE) {
\r
111 permissions = new HashSet<Permission>();
\r
117 * This specialty List avoid extra Object Creation, and allows the Lur to do a Vistor on all appropriate Perms
\r
119 private static final ArrayList<AbsAAFLur.Action<PermHolder>> actions = new ArrayList<AbsAAFLur.Action<PermHolder>>();
\r
121 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
122 public String getName() {
\r
126 public boolean exec(PermHolder a) {
\r
127 a.aau.setSuper(true);
\r
128 a.permissions = Permission.ALL;
\r
133 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
134 public String getName() {
\r
138 public boolean exec(PermHolder ph) {
\r
140 ph.permissions.add(Permission.SELECT);
\r
144 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
145 public String getName() {
\r
149 public boolean exec(PermHolder ph) {
\r
151 ph.permissions.add(Permission.MODIFY);
\r
155 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
156 public String getName() {
\r
160 public boolean exec(PermHolder ph) {
\r
162 ph.permissions.add(Permission.CREATE);
\r
167 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
168 public String getName() {
\r
172 public boolean exec(PermHolder ph) {
\r
174 ph.permissions.add(Permission.ALTER);
\r
178 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
179 public String getName() {
\r
183 public boolean exec(PermHolder ph) {
\r
185 ph.permissions.add(Permission.DROP);
\r
189 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
190 public String getName() {
\r
191 return "AUTHORIZE";
\r
194 public boolean exec(PermHolder ph) {
\r
196 ph.permissions.add(Permission.AUTHORIZE);
\r
205 public void grant(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String to) throws RequestExecutionException {
\r
206 access.log(Level.INFO, "Use AAF CLI to grant permission(s) to user/role");
\r
209 public void revoke(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String from) throws RequestExecutionException {
\r
210 access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role");
\r
213 public Set<PermissionDetails> list(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException {
\r
214 access.log(Level.INFO,"Use AAF CLI to find the list of permissions");
\r
218 // Called prior to deleting the user with DROP USER query. Internal hook, so no permission checks are needed here.
\r
219 public void revokeAll(String droppedUser) {
\r
220 access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role");
\r
223 // Called after a resource is removed (DROP KEYSPACE, DROP TABLE, etc.).
\r
224 public void revokeAll(IResource droppedResource) {
\r
225 access.log(Level.INFO,"Use AAF CLI to delete the unused permission", droppedResource.getName());
\r