1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.cadi.aaf.cass;
\r
25 import java.util.ArrayList;
\r
26 import java.util.HashSet;
\r
27 import java.util.Set;
\r
29 import org.apache.cassandra.auth.AuthenticatedUser;
\r
30 import org.apache.cassandra.auth.IAuthorizer;
\r
31 import org.apache.cassandra.auth.IResource;
\r
32 import org.apache.cassandra.auth.Permission;
\r
33 import org.apache.cassandra.auth.PermissionDetails;
\r
34 import org.apache.cassandra.exceptions.RequestExecutionException;
\r
35 import org.apache.cassandra.exceptions.RequestValidationException;
\r
36 import org.onap.aaf.cadi.Access.Level;
\r
37 import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLur;
\r
38 import org.onap.aaf.cadi.lur.LocalPermission;
\r
40 public class AAFAuthorizer extends AAFBase implements IAuthorizer {
\r
41 // Returns every permission on the resource granted to the user.
\r
/**
 * Resolve the Cassandra permissions {@code user} holds on {@code resource}.
 * Non-AAF principals get Permission.NONE (fail closed). AAF users are checked
 * either through localLur (local IDs, see cadi.properties) or through aafLur
 * (everything else); in both cases the resource name is rewritten so that its
 * leading "data" segment becomes cluster_name before it is looked up in AAF.
 * NOTE(review): resource names are presumably Cassandra's "data/<ks>/<table>"
 * form -- confirm; nothing here validates the shape before rewriting it.
 *
 * @param user     principal to authorize (any AuthenticatedUser)
 * @param resource Cassandra resource being accessed
 * @return the granted Permission set for this resource; never null
 */
42 public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
\r
43 String uname, rname;
\r
// uname/rname are assigned inside the log call and reused below.
44 access.log(Level.DEBUG,"Authorizing",uname=user.getName(),"for",rname=resource.getName());
\r
46 Set<Permission> permissions;
\r
48 if(user instanceof AAFAuthenticatedUser) {
\r
49 AAFAuthenticatedUser aafUser = (AAFAuthenticatedUser) user;
\r
// Side effect on the user object itself: every check clears the anonymous flag.
50 aafUser.setAnonymous(false);
\r
// Local IDs: all-or-nothing check against a LocalPermission built from the resource name.
52 if(aafUser.isLocal()) {
\r
53 permissions = checkPermissions(aafUser, new LocalPermission(
\r
// NOTE(review): replaceFirst() takes a regex and the pattern is unanchored, so the
// first "data" anywhere in the name is rewritten (a keyspace such as "metadata"
// would be mangled into a different permission instance). cluster_name is also
// used as a regex replacement string, where '$' and '\' are special. Consider
// "^data" plus Matcher.quoteReplacement(cluster_name) here and on the remote path.
54 rname.replaceFirst("data", cluster_name)
\r
// Remote (non-local) IDs: ask AAF for the matching perm type/instance.
57 permissions = checkPermissions(
\r
// Instance string: leading ':' then the rewritten name with '/' turned into ':'.
60 ':'+rname.replaceFirst("data", cluster_name).replace('/', ':'));
\r
// Anything that is not an AAFAuthenticatedUser gets nothing.
63 permissions = Permission.NONE;
\r
// Every decision (user, resource, outcome) is logged at INFO on every call.
66 access.log(Level.INFO,"Permissions on",rname,"for",uname,':', permissions);
\r
72 * Check only for Localized IDs (see cadi.properties)
\r
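/**
 * Permission check for a local (cadi.properties) identity.
 * Coarse by design: if the local Lur holds {@code perm} for the user, every
 * Cassandra permission on the resource is granted; otherwise none (fail closed).
 * Unlike the remote path, this never flags the user as super.
 *
 * @param aau  user being authorized
 * @param perm LocalPermission derived from the resource name by authorize()
 * @return Permission.ALL on a match, Permission.NONE otherwise
 */
private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, LocalPermission perm) {
    // All-or-nothing: a local ID either owns the resource outright or not at all.
    boolean held = localLur.fish(aau.getFullName(), perm);
    return held ? Permission.ALL : Permission.NONE;
}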
\r
87 * Check permissions held in AAF (remote), via the AAF Lur
\r
/**
 * Permission check against remote AAF for a non-local identity.
 * The AAF Lur walks the user's perms of {@code type}/{@code instance} and runs
 * every matching Action from {@code actions}; each Action folds one Cassandra
 * Permission into the holder (the SUPER action also flags the user).
 *
 * @param aau      user being authorized
 * @param type     AAF permission type to look up
 * @param instance AAF permission instance derived from the resource name
 * @return the accumulated Permission set; Permission.NONE when nothing matched
 */
private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, String type, String instance) {
    String id = aau.getFullName();
    PermHolder holder = new PermHolder(aau);
    // Visitor-style: fishOneOf calls exec() on each Action whose name matches
    // an AAF action the user holds; the holder collects the result.
    aafLur.fishOneOf(id, holder, type, instance, actions);
    return holder.permissions;
}
\r
/**
 * Accumulator handed to aafLur.fishOneOf(): each matching Action folds a
 * Cassandra Permission into {@link #permissions} and can reach the user via
 * {@link #aau} (the SUPER action calls setSuper on it). Plain mutable holder,
 * one instance per remote check, not shared between threads.
 */
101 private class PermHolder {
\r
// User being authorized; mutated by the SUPER action.
102 private AAFAuthenticatedUser aau;
\r
103 public PermHolder(AAFAuthenticatedUser aau) {
\r
// Starts as the shared immutable Permission.NONE; call mutable() before add().
106 public Set<Permission> permissions = Permission.NONE;
\r
/**
 * Swap the shared NONE singleton for a private, writable set.
 * Identity comparison is intentional: NONE is a singleton that must never be
 * mutated. NOTE(review): only NONE is replaced -- if an earlier Action already
 * assigned Permission.ALL and a later one calls add(), the outcome depends on
 * Permission.ALL being writable and on fishOneOf() continuing past the first
 * match; confirm both before relying on accumulation.
 */
107 public void mutable() {
\r
108 if(permissions==Permission.NONE) {
\r
109 permissions = new HashSet<Permission>();
\r
115 * This specialty List avoids extra object creation and lets the Lur run a Visitor over all applicable Perms
\r
// Table of AAF action name -> Cassandra Permission, passed to aafLur.fishOneOf()
// on every remote check. It is a plain ArrayList filled during class
// initialization and presumably read concurrently by every authorize() call
// afterwards, so it must not be modified once built.
117 private static final ArrayList<AbsAAFLur.Action<PermHolder>> actions = new ArrayList<AbsAAFLur.Action<PermHolder>>();
\r
// Super-user action: the only one that touches the user object itself.
119 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
120 public String getName() {
\r
124 public boolean exec(PermHolder a) {
\r
// NOTE(review): side effect that outlives this check -- setSuper(true) stays on
// the user object; confirm what else consults that flag.
125 a.aau.setSuper(true);
\r
// Whole-set assignment, not an add(): the holder now references Permission.ALL.
126 a.permissions = Permission.ALL;
\r
// Each of the following actions adds exactly one Permission to the holder.
// add() needs a writable set (see PermHolder.mutable()); the mutable() call is
// not shown in this listing -- confirm every exec() below makes it before add().
131 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
132 public String getName() {
\r
136 public boolean exec(PermHolder ph) {
\r
138 ph.permissions.add(Permission.SELECT);
\r
142 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
143 public String getName() {
\r
147 public boolean exec(PermHolder ph) {
\r
149 ph.permissions.add(Permission.MODIFY);
\r
153 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
154 public String getName() {
\r
158 public boolean exec(PermHolder ph) {
\r
160 ph.permissions.add(Permission.CREATE);
\r
165 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
166 public String getName() {
\r
170 public boolean exec(PermHolder ph) {
\r
172 ph.permissions.add(Permission.ALTER);
\r
176 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
177 public String getName() {
\r
181 public boolean exec(PermHolder ph) {
\r
183 ph.permissions.add(Permission.DROP);
\r
// AUTHORIZE is the Cassandra permission that lets a user GRANT/REVOKE; here it
// is just another AAF action name mapped onto that Permission.
187 actions.add(new AbsAAFLur.Action<PermHolder>() {
\r
188 public String getName() {
\r
189 return "AUTHORIZE";
\r
192 public boolean exec(PermHolder ph) {
\r
194 ph.permissions.add(Permission.AUTHORIZE);
\r
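/**
 * Not supported here: Cassandra permissions are owned by AAF, so GRANT is a
 * no-op apart from an audit line. Because this returns normally, the request
 * completes without any effect as far as this authorizer is concerned; the
 * log entry is the only trace that a grant was attempted.
 *
 * @param performer   user issuing the GRANT (logged for audit)
 * @param permissions permissions that were requested
 * @param resource    target resource
 * @param to          user/role the grant was aimed at
 */
public void grant(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String to) throws RequestExecutionException {
    // Same message as before, plus who tried to grant what on which resource to
    // whom: a GRANT that silently does nothing still deserves an audit trail.
    String who = performer == null ? "" : performer.getName();
    String what = resource == null ? "" : resource.getName();
    access.log(Level.INFO, "Use AAF CLI to grant permission(s) to user/role", who, permissions, what, to);
}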
\r
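/**
 * Not supported here: REVOKE is a no-op apart from an audit line, because the
 * grants live in AAF. Since this returns normally the request completes without
 * revoking anything -- an operator cutting access during an incident must do it
 * with the AAF CLI; nothing done through CQL takes effect.
 *
 * @param performer   user issuing the REVOKE (logged for audit)
 * @param permissions permissions that were to be revoked
 * @param resource    target resource
 * @param from        user/role the revoke was aimed at
 */
public void revoke(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String from) throws RequestExecutionException {
    // Same message as before, with the attempted revoke recorded in full so the
    // missing revocation can be found and carried out in AAF.
    String who = performer == null ? "" : performer.getName();
    String what = resource == null ? "" : resource.getName();
    access.log(Level.INFO, "Use AAF CLI to revoke permission(s) for user/role", who, permissions, what, from);
}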
\r
/**
 * LIST PERMISSIONS is not served from Cassandra: the grants live in AAF and
 * only a log line is produced here. NOTE(review): the return statement is not
 * shown in this listing -- confirm it yields an empty set rather than null,
 * since callers iterate the result.
 *
 * @param performer   user issuing the LIST
 * @param permissions permission filter requested
 * @param resource    resource filter requested
 * @param of          user/role filter requested
 */
211 public Set<PermissionDetails> list(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException {
\r
212 access.log(Level.INFO,"Use AAF CLI to find the list of permissions");
\r
216 // Called prior to deleting the user with DROP USER query. Internal hook, so no permission checks are needed here.
\r
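/**
 * Cassandra hook fired before a user is dropped (DROP USER). Nothing is
 * revoked here: whatever AAF still grants to that identity stays in AAF until
 * removed with the AAF CLI, so the dropped user's permissions outlive the
 * Cassandra account.
 *
 * @param droppedUser name of the user being dropped
 */
public void revokeAll(String droppedUser) {
    // Mirror revokeAll(IResource) and name the subject, so an operator can find
    // the now-orphaned AAF grants from the log alone.
    access.log(Level.INFO, "Use AAF CLI to revoke permission(s) for user/role", droppedUser);
}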
\r
221 // Called after a resource is removed (DROP KEYSPACE, DROP TABLE, etc.).
\r
/**
 * Cassandra hook fired after a resource (keyspace, table, ...) is dropped.
 * Nothing is revoked here: AAF permissions naming the dropped resource remain
 * in AAF until deleted with the AAF CLI; this only records which resource went
 * away so an operator can clean up.
 *
 * @param droppedResource the resource that was removed
 */
public void revokeAll(IResource droppedResource) {
    String gone = droppedResource.getName();
    access.log(Level.INFO, "Use AAF CLI to delete the unused permission", gone);
}
\r