Interface AuthzResolverImplApi

All Known Implementing Classes:
- AuthzResolverImpl

public interface AuthzResolverImplApi

This interface represents AuthzResolver methods.

Author:
- Michal Prochazka

Method Summary
- void addAdmin(PerunSession sess, Facility facility, Group group): Add group of users role admin for the facility.
- void addAdmin(PerunSession sess, Facility facility, User user): Add user role admin for the facility.
- void addAdmin(PerunSession sess, Group group, Group authorizedGroup): Add group of users role admin for the group.
- void addAdmin(PerunSession sess, Group group, User user): Add user role admin for the group.
- void addAdmin(PerunSession sess, Resource resource, Group group): Add group of users role admin for the resource.
- void addAdmin(PerunSession sess, Resource resource, User user): Add user role admin for the resource.
- void addAdmin(PerunSession sess, SecurityTeam securityTeam, Group group)
- void addAdmin(PerunSession sess, SecurityTeam securityTeam, User user)
- void addAdmin(PerunSession sess, User sponsoredUser, Group group): Add group of users role admin for the sponsored user.
- void addAdmin(PerunSession sess, User sponsoredUser, User user): Add user role admin for the sponsored user.
- void addResourceRole(PerunSession sess, Group group, String role, Resource resource): Sets role to given group for given resource.
- void addResourceRole(PerunSession sess, User user, String role, Resource resource): Sets role to given user for given resource.
- void addVoRole(PerunSession sess, String role, Vo vo, Group group): Adds role for group in a VO.
- void addVoRole(PerunSession sess, String role, Vo vo, User user): Adds role for user in a VO.
- getAdminGroups(Map<String, Integer> mappingOfValues): Get all authorizedGroups for complementary object and role.
- getAdmins: Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role with specified attributes.
- getFacilitiesWhereUserIsInRoles(User user, List<String> roles): Get all Facilities where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- getGroupsWhereUserIsInRoles(User user, List<String> roles): Get all Groups where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- getMembersWhereUserIsInRoles(User user, List<String> roles): Get all Members where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- getResourcesWhereUserIsInRoles(User user, List<String> roles): Get all Resources where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- Map<String, Map<String, Map<Integer, List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(User user): Returns map of role name and map of corresponding role complementary objects (perun beans) distinguished by type.
- getRoleId: Fetch the identification of the role from the table roles in the database.
- int getRoleIdByName(String name): Get role id by its name, returns -1 if role does not exist.
- getRoles: Returns all group's roles.
- getRoles: Returns user's direct roles, can also include roles resulting from being a VALID member of authorized groups.
- getRolesObtainedFromAuthorizedGroupMemberships: Returns user's roles resulting from being a VALID member of authorized groups.
- getSecurityTeamsWhereUserIsInRoles(User user, List<String> roles): Get all SecurityTeams where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- getVoIdsForGroupInRole(PerunSession sess, Group group, String role): Gets list of VOs for which the group has the role.
- getVoIdsForUserInRole(PerunSession sess, User user, String role): Gets list of VOs for which the user has the role.
- getVosWhereUserIsInRoles(User user, List<String> roles): Get all Vos where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- boolean groupMatchesUserRolesFilter(PerunSession sess, User user, Group group, List<String> roles, List<RoleAssignmentType> types): Check if the given group passes the user's roles filter.
- boolean isGroupInRoleForVo(PerunSession session, Group group, String role, Vo vo): Checks whether the group is in role for Vo.
- boolean isUserInRoleForVo(PerunSession session, User user, String role, Vo vo): Checks whether the user is in role for Vo.
- boolean isVoAdminOrObserver(PerunSession sess, Vo vo): Returns true if the user in session is vo admin or vo observer of specific Vo.
- void loadAuthorizationComponents(): Load perun roles and policies from the configuration file perun-roles.yml.
- void makeAuthorizedGroupPerunObserver(PerunSession sess, Group authorizedGroup): Make group Perun observer.
- void makeUserCabinetAdmin(PerunSession sess, User user): Make user Cabinet manager.
- void makeUserPerunAdmin(PerunSession sess, User user): Make user perunAdmin.
- void makeUserPerunObserver(PerunSession sess, User user): Make user Perun observer.
- void removeAdmin(PerunSession sess, Facility facility, Group group): Remove group of users role admin for the facility.
- void removeAdmin(PerunSession sess, Facility facility, User user): Remove user role admin for the facility.
- void removeAdmin(PerunSession sess, Group group, Group authorizedGroup): Remove group of users role admin for the group.
- void removeAdmin(PerunSession sess, Group group, User user): Remove user role admin for the group.
- void removeAdmin(PerunSession sess, Resource resource, Group group): Remove group of users role admin for the resource.
- void removeAdmin(PerunSession sess, Resource resource, User user): Remove user role admin for the resource.
- void removeAdmin(PerunSession sess, SecurityTeam securityTeam, Group group)
- void removeAdmin(PerunSession sess, SecurityTeam securityTeam, User user)
- void removeAdmin(PerunSession sess, User sponsoredUser, Group group): Remove group of users role admin for the sponsoredUser.
- void removeAdmin(PerunSession sess, User sponsoredUser, User user): Remove user role admin for the sponsoredUser.
- void removeAllAuthzForFacility(PerunSession sess, Facility facility): Removes all authz entries for the facility.
- void removeAllAuthzForGroup(PerunSession sess, Group group): Removes all authz entries for the group.
- void removeAllAuthzForResource(PerunSession sess, Resource resource): Removes all authz entries for the resource.
- void removeAllAuthzForSecurityTeam(PerunSession sess, SecurityTeam securityTeam): Removes all authz entries for the securityTeam.
- void removeAllAuthzForService(PerunSession sess, Service service): Removes all authz entries for the service.
- void removeAllAuthzForVo(PerunSession sess, Vo vo): Removes all authz entries for the vo.
- void removeAllSponsoredUserAuthz(PerunSession sess, User sponsoredUser): Removes all authz entries for the sponsoredUser.
- void removeAllUserAuthz(PerunSession sess, User user): Removes all authz entries for the user.
- void removeCabinetAdmin(PerunSession sess, User user): Remove role Cabinet manager from user.
- void removePerunAdmin(PerunSession sess, User user): Remove role perunAdmin from user.
- void removePerunObserver(PerunSession sess, User user): Remove role Perun observer from user.
- void removePerunObserverFromAuthorizedGroup(PerunSession sess, Group authorizedGroup): Remove role Perun observer from authorizedGroup.
- void removeResourceRole(PerunSession sess, String role, Resource resource, Group group): Remove role from group for resource.
- void removeResourceRole(PerunSession sess, String role, Resource resource, User user): Remove role from user for resource.
- void removeVoRole(PerunSession sess, String role, Vo vo, Group group): Removes role from group in a VO.
- void removeVoRole(PerunSession sess, String role, Vo vo, User user): Removes role from user in a VO.
- boolean roleExists(String role): Check if the given role exists in the database.
- void setRole(PerunSession sess, Map<String, Integer> mappingOfValues, String role): Set a role according to the mapping of values.
- boolean someAdminExists(Map<String, Integer> mappingOfValues, boolean onlyDirectAdmins): Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).
- void unsetRole(PerunSession sess, Map<String, Integer> mappingOfValues, String role): Unset a role according to the mapping of values.

Method Details

addAdmin
void addAdmin(PerunSession sess, Facility facility, User user) throws AlreadyAdminException
Add user role admin for the facility.
Parameters:
- sess
- facility
- user
Throws:
- InternalErrorException
- AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Facility facility, Group group) throws AlreadyAdminException
Add group of users role admin for the facility.
Parameters:
- sess
- facility
- group
Throws:
- InternalErrorException
- AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Resource resource, User user) throws AlreadyAdminException
Add user role admin for the resource.
Parameters:
- sess
- resource
- user
Throws:
- InternalErrorException
- AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Resource resource, Group group) throws AlreadyAdminException
Add group of users role admin for the resource.
Parameters:
- sess
- resource
- group
Throws:
- InternalErrorException
- AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, User sponsoredUser, User user) throws AlreadyAdminException
Add user role admin for the sponsored user.
Parameters:
- sess
- sponsoredUser
- user
Throws:
- InternalErrorException
- AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, User sponsoredUser, Group group) throws AlreadyAdminException
Add group of users role admin for the sponsored user.
Parameters:
- sess
- sponsoredUser
- group
Throws:
- InternalErrorException
- AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Group group, User user) throws AlreadyAdminException
Add user role admin for the group.
Parameters:
- sess
- group
- user
Throws:
- InternalErrorException
- AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Group group, Group authorizedGroup) throws AlreadyAdminException
Add group of users role admin for the group.
Parameters:
- sess
- group
- authorizedGroup
Throws:
- InternalErrorException
- AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, SecurityTeam securityTeam, User user) throws AlreadyAdminException
Throws:
- AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, SecurityTeam securityTeam, Group group) throws AlreadyAdminException
Throws:
- AlreadyAdminException

addResourceRole
void addResourceRole(PerunSession sess, User user, String role, Resource resource) throws AlreadyAdminException
Sets role to given user for given resource.
Parameters:
- sess: session
- user: user
- role: role
- resource: resource
Throws:
- InternalErrorException: internal error
- AlreadyAdminException: when already in role

addResourceRole
void addResourceRole(PerunSession sess, Group group, String role, Resource resource) throws AlreadyAdminException
Sets role to given group for given resource.
Parameters:
- sess: session
- group: group
- role: role
- resource: resource
Throws:
- InternalErrorException: internal error
- AlreadyAdminException: when already in role

addVoRole
void addVoRole(PerunSession sess, String role, Vo vo, User user) throws AlreadyAdminException
Adds role for user in a VO.
Parameters:
- sess: perun session
- role: role of user in VO
- vo: virtual organization
- user: user
Throws:
- InternalErrorException
- AlreadyAdminException

addVoRole
void addVoRole(PerunSession sess, String role, Vo vo, Group group) throws AlreadyAdminException
Adds role for group in a VO.
Parameters:
- sess: perun session
- role: role of group in VO
- vo: virtual organization
- group: group
Throws:
- InternalErrorException
- AlreadyAdminException

getAdminGroups
getAdminGroups(Map<String, Integer> mappingOfValues)
Get all authorizedGroups for complementary object and role.
Parameters:
- mappingOfValues: according to which the role will be selected
Returns:
- list of authorizedGroups

getAdmins
Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role with specified attributes.
Parameters:
- mappingOfValues: from which the query will be created (keys are column names and values are their ids)
- onlyDirectAdmins: if we do not want to include also members of authorized groups
Returns:
- list of user administrators for complementary object and role with specified attributes

someAdminExists
boolean someAdminExists(Map<String, Integer> mappingOfValues, boolean onlyDirectAdmins)
Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).
Parameters:
- mappingOfValues: from which the query will be created (keys are column names and values are their ids)
- onlyDirectAdmins: if true, search only direct user administrators (if false, search both direct and indirect)
Returns:
- true if some user with required role exists, false otherwise

getFacilitiesWhereUserIsInRoles
getFacilitiesWhereUserIsInRoles(User user, List<String> roles)
Get all Facilities where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
Parameters:
- user: for whom Facilities are retrieved
- roles: for which Facilities are retrieved
Returns:
- Set of Facilities

getGroupsWhereUserIsInRoles
getGroupsWhereUserIsInRoles(User user, List<String> roles)
Get all Groups where the given user has set one of the given roles or the given user is a member of an authorized group with such roles. Method does not return subgroups of the fetched groups.
Parameters:
- user: for whom Groups are retrieved
- roles: for which Groups are retrieved
Returns:
- Set of Groups

getMembersWhereUserIsInRoles
getMembersWhereUserIsInRoles(User user, List<String> roles)
Get all Members where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
Parameters:
- user: for whom Members are retrieved
- roles: for which Members are retrieved
Returns:
- Set of Members

getResourcesWhereUserIsInRoles
getResourcesWhereUserIsInRoles(User user, List<String> roles)
Get all Resources where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
Parameters:
- user: for whom Resources are retrieved
- roles: for which Resources are retrieved
Returns:
- Set of Resources

getRoleComplementaryObjectsWithAuthorizedGroups
Map<String, Map<String, Map<Integer, List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(User user)
Returns map of role name and map of corresponding role complementary objects (perun beans) distinguished by type, together with list of authorized groups where user is member: Map<RoleName, Map<BeanName, Map<BeanID, List<Group>>>>
Parameters:
- user
Returns:
- Map<String, Map<String, Map<Integer, List<Group>>>> complementary objects with associated authorized groups

getRoleId
Fetch the identification of the role from the table roles in the database.
Returns:
- identification of the role

getRoleIdByName
int getRoleIdByName(String name)
Get role id by its name, returns -1 if role does not exist.
Parameters:
- name: name of the role
Returns:
- role id with the given name

getRoles
Returns user's direct roles, can also include roles resulting from being a VALID member of authorized groups.
Parameters:
- user
- getAuthorizedGroupBasedRoles
Returns:
- AuthzRoles object which contains all roles with perunbeans

getRoles
Returns all group's roles.
Parameters:
- group
Returns:
- AuthzRoles object which contains all roles with perunbeans

getRolesObtainedFromAuthorizedGroupMemberships
Returns user's roles resulting from being a VALID member of authorized groups.
Parameters:
- user: user
Returns:
- AuthzRoles object which contains roles with perunbeans

getSecurityTeamsWhereUserIsInRoles
getSecurityTeamsWhereUserIsInRoles(User user, List<String> roles)
Get all SecurityTeams where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
Parameters:
- user: for whom SecurityTeams are retrieved
- roles: for which SecurityTeams are retrieved
Returns:
- Set of SecurityTeams

getVoIdsForGroupInRole
getVoIdsForGroupInRole(PerunSession sess, Group group, String role)
Gets list of VOs for which the group has the role.
Parameters:
- sess: perun session
- group: group
- role: role of group
Returns:
- list of VOs for which the group has the role
Throws:
- InternalErrorException

getVoIdsForUserInRole
getVoIdsForUserInRole(PerunSession sess, User user, String role)
Gets list of VOs for which the user has the role.
Parameters:
- sess: perun session
- user: user
- role: role of user
Returns:
- list of VOs for which the user has the role
Throws:
- InternalErrorException

getVosWhereUserIsInRoles
getVosWhereUserIsInRoles(User user, List<String> roles)
Get all Vos where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
Parameters:
- user: for whom Vos are retrieved
- roles: for which Vos are retrieved
Returns:
- Set of Vos

groupMatchesUserRolesFilter
boolean groupMatchesUserRolesFilter(PerunSession sess, User user, Group group, List<String> roles, List<RoleAssignmentType> types)
Check if the given group passes the user's roles filter.
Parameters:
- sess: session
- user: user
- group: group
- roles: list of selected roles (if empty, then groups are matched by all roles)
- types: list of selected types of roles (if empty, then roles of all types are matched)
Returns:
- true if the given group passes the filter, otherwise false

isGroupInRoleForVo
boolean isGroupInRoleForVo(PerunSession session, Group group, String role, Vo vo)
Checks whether the group is in role for Vo.
Parameters:
- session: perun session
- group: group
- role: role of group
- vo: virtual organization
Returns:
- true if group is in role for VO, otherwise false

isUserInRoleForVo
boolean isUserInRoleForVo(PerunSession session, User user, String role, Vo vo)
Checks whether the user is in role for Vo.
Parameters:
- session: perun session
- user: user
- role: role of user
- vo: virtual organisation
Returns:
- true if user is in role for VO, otherwise false

isVoAdminOrObserver
boolean isVoAdminOrObserver(PerunSession sess, Vo vo)
Returns true if the user in session is vo admin or vo observer of specific Vo.
Parameters:
- sess: session
- vo: vo
Returns:
- boolean

loadAuthorizationComponents
void loadAuthorizationComponents()
Load perun roles and policies from the configuration file perun-roles.yml. Roles are loaded to the database and policies are loaded to the PerunPoliciesContainer.

makeAuthorizedGroupPerunObserver
void makeAuthorizedGroupPerunObserver(PerunSession sess, Group authorizedGroup) throws AlreadyAdminException
Make group Perun observer.
Parameters:
- sess: the perunSession
- authorizedGroup: authorizedGroup to be promoted to perunObserver
Throws:
- InternalErrorException
- AlreadyAdminException

makeUserCabinetAdmin
void makeUserCabinetAdmin(PerunSession sess, User user)
Make user Cabinet manager.
Parameters:
- sess: PerunSession
- user: User to add Cabinet manager role to
Throws:
- InternalErrorException: when implementation fails

makeUserPerunAdmin
void makeUserPerunAdmin(PerunSession sess, User user) throws AlreadyAdminException
Make user perunAdmin.
Parameters:
- sess
- user
Throws:
- InternalErrorException
- AlreadyAdminException

makeUserPerunObserver
void makeUserPerunObserver(PerunSession sess, User user) throws AlreadyAdminException
Make user Perun observer.
Parameters:
- sess: the perunSession
- user: user to be promoted to perunObserver
Throws:
- InternalErrorException
- AlreadyAdminException

removeAdmin
void removeAdmin(PerunSession sess, Facility facility, User user) throws UserNotAdminException
Remove user role admin for the facility.
Parameters:
- sess
- facility
- user
Throws:
- InternalErrorException
- UserNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Facility facility, Group group) throws GroupNotAdminException
Remove group of users role admin for the facility.
Parameters:
- sess
- facility
- group
Throws:
- InternalErrorException
- GroupNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Resource resource, User user) throws UserNotAdminException
Remove user role admin for the resource.
Parameters:
- sess
- resource
- user
Throws:
- InternalErrorException
- UserNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Resource resource, Group group) throws GroupNotAdminException
Remove group of users role admin for the resource.
Parameters:
- sess
- resource
- group
Throws:
- InternalErrorException
- GroupNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, User sponsoredUser, User user) throws UserNotAdminException
Remove user role admin for the sponsoredUser.
Parameters:
- sess
- sponsoredUser
- user
Throws:
- InternalErrorException
- UserNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, User sponsoredUser, Group group) throws GroupNotAdminException
Remove group of users role admin for the sponsoredUser.
Parameters:
- sess
- sponsoredUser
- group
Throws:
- InternalErrorException
- GroupNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Group group, User user) throws UserNotAdminException
Remove user role admin for the group.
Parameters:
- sess
- group
- user
Throws:
- InternalErrorException
- UserNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Group group, Group authorizedGroup) throws GroupNotAdminException
Remove group of users role admin for the group.
Parameters:
- sess
- group
- authorizedGroup
Throws:
- InternalErrorException
- GroupNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, SecurityTeam securityTeam, User user) throws UserNotAdminException
Throws:
- UserNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, SecurityTeam securityTeam, Group group) throws GroupNotAdminException
Throws:
- GroupNotAdminException

removeAllAuthzForFacility
void removeAllAuthzForFacility(PerunSession sess, Facility facility)
Removes all authz entries for the facility.
Parameters:
- sess
- facility
Throws:
- InternalErrorException

removeAllAuthzForGroup
void removeAllAuthzForGroup(PerunSession sess, Group group)
Removes all authz entries for the group.
Parameters:
- sess
- group
Throws:
- InternalErrorException

removeAllAuthzForResource
void removeAllAuthzForResource(PerunSession sess, Resource resource)
Removes all authz entries for the resource.
Parameters:
- sess
- resource
Throws:
- InternalErrorException

removeAllAuthzForSecurityTeam
void removeAllAuthzForSecurityTeam(PerunSession sess, SecurityTeam securityTeam)
Removes all authz entries for the securityTeam.
Parameters:
- sess
- securityTeam
Throws:
- InternalErrorException

removeAllAuthzForService
void removeAllAuthzForService(PerunSession sess, Service service)
Removes all authz entries for the service.
Parameters:
- sess
- service
Throws:
- InternalErrorException

removeAllAuthzForVo
void removeAllAuthzForVo(PerunSession sess, Vo vo)
Removes all authz entries for the vo.
Parameters:
- sess
- vo
Throws:
- InternalErrorException

removeAllSponsoredUserAuthz
void removeAllSponsoredUserAuthz(PerunSession sess, User sponsoredUser)
Removes all authz entries for the sponsoredUser.
Parameters:
- sess
- sponsoredUser
Throws:
- InternalErrorException

removeAllUserAuthz
void removeAllUserAuthz(PerunSession sess, User user)
Removes all authz entries for the user.
Parameters:
- sess
- user
Throws:
- InternalErrorException

removeCabinetAdmin
void removeCabinetAdmin(PerunSession sess, User user) throws UserNotAdminException
Remove role Cabinet manager from user.
Parameters:
- sess: PerunSession
- user: User to have the Cabinet manager role removed
Throws:
- InternalErrorException: if implementation fails
- UserNotAdminException: if user was not Cabinet admin

removePerunAdmin
void removePerunAdmin(PerunSession sess, User user) throws UserNotAdminException
Remove role perunAdmin from user.
Parameters:
- sess
- user
Throws:
- InternalErrorException
- UserNotAdminException

removePerunObserver
void removePerunObserver(PerunSession sess, User user) throws UserNotAdminException
Remove role Perun observer from user.
Parameters:
- sess
- user
Throws:
- InternalErrorException
- UserNotAdminException

removePerunObserverFromAuthorizedGroup
void removePerunObserverFromAuthorizedGroup(PerunSession sess, Group authorizedGroup) throws GroupNotAdminException
Remove role Perun observer from authorizedGroup.
Parameters:
- sess
- authorizedGroup
Throws:
- InternalErrorException
- GroupNotAdminException

removeResourceRole
void removeResourceRole(PerunSession sess, String role, Resource resource, User user) throws UserNotAdminException
Remove role from user for resource.
Parameters:
- sess: session
- role: role
- resource: resource
- user: user
Throws:
- InternalErrorException: internal error
- UserNotAdminException: user was not admin

removeResourceRole
void removeResourceRole(PerunSession sess, String role, Resource resource, Group group) throws GroupNotAdminException
Remove role from group for resource.
Parameters:
- sess: session
- role: role
- resource: resource
- group: group
Throws:
- InternalErrorException: internal error
- GroupNotAdminException: group was not admin

removeVoRole
void removeVoRole(PerunSession sess, String role, Vo vo, User user) throws UserNotAdminException
Removes role from user in a VO.
Parameters:
- sess: perun session
- role: role of user in a VO
- vo: virtual organization
- user: user
Throws:
- InternalErrorException
- UserNotAdminException

removeVoRole
void removeVoRole(PerunSession sess, String role, Vo vo, Group group) throws GroupNotAdminException
Removes role from group in a VO.
Parameters:
- sess: perun session
- role: role of group in a VO
- vo: virtual organization
- group: group
Throws:
- InternalErrorException
- GroupNotAdminException

roleExists
boolean roleExists(String role)
Check if the given role exists in the database. The check is case insensitive.
Parameters:
- role: which will be checked
Returns:
- true if role exists, false otherwise

setRole
void setRole(PerunSession sess, Map<String, Integer> mappingOfValues, String role) throws RoleAlreadySetException
Set a role according to the mapping of values.
Parameters:
- sess
- mappingOfValues: from which the query will be created (keys are column names and values are their ids)
- role: which will be set (just information for exception)
Throws:
- InternalErrorException
- RoleAlreadySetException

unsetRole
void unsetRole(PerunSession sess, Map<String, Integer> mappingOfValues, String role) throws RoleNotSetException
Unset a role according to the mapping of values.
Parameters:
- sess
- mappingOfValues: from which the query will be created (keys are column names and values are their ids)
- role: which will be unset (just information for exception)
Throws:
- InternalErrorException
- RoleNotSetException