From 62c4eb45e157d502463d797c1353802ca8e1e307 Mon Sep 17 00:00:00 2001 From: sg481n Date: Fri, 25 Aug 2017 01:57:24 -0400 Subject: Update project structure for aaf/cadi Update project structure from com.att to org.onap and add distribution management and staging plugin. Issue-id: AAF-22 Change-Id: Idf2b591139e38921ad28782a51486714a05dee92 Signed-off-by: sg481n --- .../org/onap/aaf/cadi/aaf/cass/AAFAuthorizer.java | 226 +++++++++++++++++++++ 1 file changed, 226 insertions(+) create mode 100644 cass/src/main/java/org/onap/aaf/cadi/aaf/cass/AAFAuthorizer.java (limited to 'cass/src/main/java/org/onap/aaf/cadi/aaf/cass/AAFAuthorizer.java') diff --git a/cass/src/main/java/org/onap/aaf/cadi/aaf/cass/AAFAuthorizer.java b/cass/src/main/java/org/onap/aaf/cadi/aaf/cass/AAFAuthorizer.java new file mode 100644 index 0000000..bea0e86 --- /dev/null +++ b/cass/src/main/java/org/onap/aaf/cadi/aaf/cass/AAFAuthorizer.java @@ -0,0 +1,226 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * ECOMP is a trademark and service mark of AT&T Intellectual Property. + * * + ******************************************************************************/ +package org.onap.aaf.cadi.aaf.cass; + +import java.util.ArrayList; +import java.util.HashSet; +import java.util.Set; + +import org.apache.cassandra.auth.AuthenticatedUser; +import org.apache.cassandra.auth.IAuthorizer; +import org.apache.cassandra.auth.IResource; +import org.apache.cassandra.auth.Permission; +import org.apache.cassandra.auth.PermissionDetails; +import org.apache.cassandra.exceptions.RequestExecutionException; +import org.apache.cassandra.exceptions.RequestValidationException; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLur; +import org.onap.aaf.cadi.lur.LocalPermission; + +public class AAFAuthorizer extends AAFBase implements IAuthorizer { + // Returns every permission on the resource granted to the user. + public Set authorize(AuthenticatedUser user, IResource resource) { + String uname, rname; + access.log(Level.DEBUG,"Authorizing",uname=user.getName(),"for",rname=resource.getName()); + + Set permissions; + + if(user instanceof AAFAuthenticatedUser) { + AAFAuthenticatedUser aafUser = (AAFAuthenticatedUser) user; + aafUser.setAnonymous(false); + + if(aafUser.isLocal()) { + permissions = checkPermissions(aafUser, new LocalPermission( + rname.replaceFirst("data", cluster_name) + )); + } else { + permissions = checkPermissions( + aafUser, + perm_type, + ':'+rname.replaceFirst("data", cluster_name).replace('/', ':')); + } + } else { + permissions = Permission.NONE; + } + + access.log(Level.INFO,"Permissions on",rname,"for",uname,':', permissions); + + return permissions; + } + + /** + * Check only for Localized IDs (see cadi.properties) + * @param aau + * @param perm + * @return + */ + private Set checkPermissions(AAFAuthenticatedUser aau, LocalPermission perm) { + if(localLur.fish(aau.getFullName(), perm)) { +// aau.setSuper(true); + return Permission.ALL; + } else { + return Permission.NONE; + } + } + + /** + * Check remoted AAF Permissions + * @param aau + * @param type + * @param instance + * @return + */ + private Set checkPermissions(AAFAuthenticatedUser aau, String type, String instance) { + // Can perform ALL actions + String fullName = aau.getFullName(); + PermHolder ph = new PermHolder(aau); + aafLur.fishOneOf(fullName, ph,type,instance,actions); + return ph.permissions; + } + + private class PermHolder { + private AAFAuthenticatedUser aau; + public PermHolder(AAFAuthenticatedUser aau) { + this.aau = aau; + } + public Set permissions = Permission.NONE; + public void mutable() { + if(permissions==Permission.NONE) { + permissions = new HashSet(); + } + } + }; + + /** + * This specialty List avoid extra Object Creation, and allows the Lur to do a Vistor on all appropriate Perms + */ + private static final ArrayList> actions = new ArrayList>(); + static { + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "*"; + } + + public boolean exec(PermHolder a) { + a.aau.setSuper(true); + a.permissions = Permission.ALL; + return true; + } + }); + + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "SELECT"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.SELECT); + return false; + } + }); + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "MODIFY"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.MODIFY); + return false; + } + }); + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "CREATE"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.CREATE); + return false; + } + }); + + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "ALTER"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.ALTER); + return false; + } + }); + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "DROP"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.DROP); + return false; + } + }); + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "AUTHORIZE"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.AUTHORIZE); + return false; + } + }); + + + }; + + + public void grant(AuthenticatedUser performer, Set permissions, IResource resource, String to) throws RequestExecutionException { + access.log(Level.INFO, "Use AAF CLI to grant permission(s) to user/role"); + } + + public void revoke(AuthenticatedUser performer, Set permissions, IResource resource, String from) throws RequestExecutionException { + access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role"); + } + + public Set list(AuthenticatedUser performer, Set permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException { + access.log(Level.INFO,"Use AAF CLI to find the list of permissions"); + return null; + } + + // Called prior to deleting the user with DROP USER query. Internal hook, so no permission checks are needed here. + public void revokeAll(String droppedUser) { + access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role"); + } + + // Called after a resource is removed (DROP KEYSPACE, DROP TABLE, etc.). + public void revokeAll(IResource droppedResource) { + access.log(Level.INFO,"Use AAF CLI to delete the unused permission", droppedResource.getName()); + } + +} -- cgit 1.2.3-korg