Interface AuthzResolverImplApi
- All Known Implementing Classes:
AuthzResolverImpl
public interface AuthzResolverImplApi
This interface represents AuthzResolver methods.
- Author:
- Michal Prochazka

Method Summary
- void addAdmin(PerunSession sess, Facility facility, Group group)
  Add group of users role admin for the facility
- void addAdmin(PerunSession sess, Facility facility, User user)
  Add user role admin for the facility
- void addAdmin(PerunSession sess, Group group, Group authorizedGroup)
  Add group of users role admin for the group
- void addAdmin(PerunSession sess, Group group, User user)
  Add user role admin for the group
- void addAdmin(PerunSession sess, Resource resource, Group group)
  Add group of users role admin for the resource
- void addAdmin(PerunSession sess, Resource resource, User user)
  Add user role admin for the resource
- void addAdmin(PerunSession sess, User sponsoredUser, Group group)
  Add group of users role admin for the sponsored user
- void addAdmin(PerunSession sess, User sponsoredUser, User user)
  Add user role admin for the sponsored user
- void addResourceRole(PerunSession sess, Group group, String role, Resource resource)
  Sets role to given group for given resource.
- void addResourceRole(PerunSession sess, User user, String role, Resource resource)
  Sets role to given user for given resource.
- void addVoRole(PerunSession sess, String role, Vo vo, Group group)
  Adds role for group in a VO.
- void addVoRole(PerunSession sess, String role, Vo vo, User user)
  Adds role for user in a VO.
- getAdminGroups(Map<String, Integer> mappingOfValues)
  Get all authorizedGroups for complementary object and role.
- getAdmins(Map<String, Integer> mappingOfValues, boolean onlyDirectAdmins)
  Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role with specified attributes.
- getFacilitiesWhereUserIsInRoles(User user, List<String> roles)
  Get all Facilities where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- getGroupsWhereUserIsInRoles(User user, List<String> roles)
  Get all Groups where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- getMembersWhereUserIsInRoles(User user, List<String> roles)
  Get all Members where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- getResourcesWhereUserIsInRoles(User user, List<String> roles)
  Get all Resources where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- Map<String, Map<String, Map<Integer, List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(User user)
  Returns map of role name and map of corresponding role complementary objects (perun beans) distinguished by type, together with list of authorized groups where user is member: Map<RoleName, Map<BeanName, Map<BeanID, List<Group>>>>
- getRoleId
  Fetch the identification of the role from the table roles in the database.
- int getRoleIdByName(String name)
  Get role id by its name, returns -1 if role does not exist.
- AuthzRoles getRoles(Group group)
  Returns all group's roles.
- AuthzRoles getRoles(User user, boolean getAuthorizedGroupBasedRoles)
  Returns user's direct roles, can also include roles resulting from being a VALID member of authorized groups.
- AuthzRoles getRolesObtainedFromAuthorizedGroupMemberships(User user)
  Returns user's roles resulting from being a VALID member of authorized groups.
- getVoIdsForGroupInRole(PerunSession sess, Group group, String role)
  Gets list of VOs for which the group has the role.
- getVoIdsForUserInRole(PerunSession sess, User user, String role)
  Gets list of VOs for which the user has the role.
- getVosWhereUserIsInRoles(User user, List<String> roles)
  Get all Vos where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- boolean groupMatchesUserRolesFilter(PerunSession sess, User user, Group group, List<String> roles, List<RoleAssignmentType> types)
  Check if the given group passes the user's roles filter.
- boolean isGroupInRoleForVo(PerunSession session, Group group, String role, Vo vo)
  Checks whether the group is in role for Vo.
- boolean isUserInRoleForVo(PerunSession session, User user, String role, Vo vo)
  Checks whether the user is in role for Vo.
- boolean isVoAdminOrObserver(PerunSession sess, Vo vo)
  Returns true if the user in session is vo admin or vo observer of specific Vo.
- void loadAuthorizationComponents()
  Load perun roles and policies from the configuration file perun-roles.yml.
- void makeAuthorizedGroupPerunObserver(PerunSession sess, Group authorizedGroup)
  Make group Perun observer.
- void makeUserCabinetAdmin(PerunSession sess, User user)
  Make user Cabinet manager.
- void makeUserPerunAdmin(PerunSession sess, User user)
  Make user perunAdmin.
- void makeUserPerunObserver(PerunSession sess, User user)
  Make user Perun observer.
- void removeAdmin(PerunSession sess, Facility facility, Group group)
  Remove group of users role admin for the facility
- void removeAdmin(PerunSession sess, Facility facility, User user)
  Remove user role admin for the facility
- void removeAdmin(PerunSession sess, Group group, Group authorizedGroup)
  Remove group of users role admin for the group
- void removeAdmin(PerunSession sess, Group group, User user)
  Remove user role admin for the group
- void removeAdmin(PerunSession sess, Resource resource, Group group)
  Remove group of users role admin for the resource
- void removeAdmin(PerunSession sess, Resource resource, User user)
  Remove user role admin for the resource
- void removeAdmin(PerunSession sess, User sponsoredUser, Group group)
  Remove group of users role admin for the sponsoredUser
- void removeAdmin(PerunSession sess, User sponsoredUser, User user)
  Remove user role admin for the sponsoredUser
- void removeAllAuthzForFacility(PerunSession sess, Facility facility)
  Removes all authz entries for the facility
- void removeAllAuthzForGroup(PerunSession sess, Group group)
  Removes all authz entries for the group
- void removeAllAuthzForResource(PerunSession sess, Resource resource)
  Removes all authz entries for the resource
- void removeAllAuthzForService(PerunSession sess, Service service)
  Removes all authz entries for the service
- void removeAllAuthzForVo(PerunSession sess, Vo vo)
  Removes all authz entries for the vo
- void removeAllSponsoredUserAuthz(PerunSession sess, User sponsoredUser)
  Removes all authz entries for the sponsoredUser.
- void removeAllUserAuthz(PerunSession sess, User user)
  Removes all authz entries for the user.
- void removeCabinetAdmin(PerunSession sess, User user)
  Remove role Cabinet manager from user.
- void removePerunAdmin(PerunSession sess, User user)
  Remove role perunAdmin from user.
- void removePerunObserver(PerunSession sess, User user)
  Remove role Perun observer from user.
- void removePerunObserverFromAuthorizedGroup(PerunSession sess, Group authorizedGroup)
  Remove role Perun observer from authorizedGroup.
- void removeResourceRole(PerunSession sess, String role, Resource resource, Group group)
  Remove role from group for resource.
- void removeResourceRole(PerunSession sess, String role, Resource resource, User user)
  Remove role from user for resource.
- void removeVoRole(PerunSession sess, String role, Vo vo, Group group)
  Removes role from group in a VO.
- void removeVoRole(PerunSession sess, String role, Vo vo, User user)
  Removes role from user in a VO.
- boolean roleExists(String role)
  Check if the given role exists in the database.
- void setRole(PerunSession sess, Map<String, Integer> mappingOfValues, String role)
  Set a role according to the mapping of values.
- boolean someAdminExists(Map<String, Integer> mappingOfValues, boolean onlyDirectAdmins)
  Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).
- void unsetRole(PerunSession sess, Map<String, Integer> mappingOfValues, String role)
  Unset a role according to the mapping of values.

Method Details

addAdmin
void addAdmin(PerunSession sess, Facility facility, User user)
Add user role admin for the facility
- Parameters:
  - sess
  - facility
  - user
- Throws:
  - InternalErrorException
  - AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Facility facility, Group group)
Add group of users role admin for the facility
- Parameters:
  - sess
  - facility
  - group
- Throws:
  - InternalErrorException
  - AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Resource resource, User user)
Add user role admin for the resource
- Parameters:
  - sess
  - resource
  - user
- Throws:
  - InternalErrorException
  - AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Resource resource, Group group)
Add group of users role admin for the resource
- Parameters:
  - sess
  - resource
  - group
- Throws:
  - InternalErrorException
  - AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, User sponsoredUser, User user)
Add user role admin for the sponsored user
- Parameters:
  - sess
  - sponsoredUser
  - user
- Throws:
  - InternalErrorException
  - AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, User sponsoredUser, Group group)
Add group of users role admin for the sponsored user
- Parameters:
  - sess
  - sponsoredUser
  - group
- Throws:
  - InternalErrorException
  - AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Group group, User user)
Add user role admin for the group
- Parameters:
  - sess
  - group
  - user
- Throws:
  - InternalErrorException
  - AlreadyAdminException

addAdmin
void addAdmin(PerunSession sess, Group group, Group authorizedGroup)
Add group of users role admin for the group
- Parameters:
  - sess
  - group
  - authorizedGroup
- Throws:
  - InternalErrorException
  - AlreadyAdminException

addResourceRole
void addResourceRole(PerunSession sess, User user, String role, Resource resource) throws AlreadyAdminException
Sets role to given user for given resource.
- Parameters:
  - sess - session
  - user - user
  - role - role
  - resource - resource
- Throws:
  - InternalErrorException - internal error
  - AlreadyAdminException - when already in role

addResourceRole
void addResourceRole(PerunSession sess, Group group, String role, Resource resource) throws AlreadyAdminException
Sets role to given group for given resource.
- Parameters:
  - sess - session
  - group - group
  - role - role
  - resource - resource
- Throws:
  - InternalErrorException - internal error
  - AlreadyAdminException - when already in role

addVoRole
void addVoRole(PerunSession sess, String role, Vo vo, User user)
Adds role for user in a VO.
- Parameters:
  - sess - perun session
  - role - role of user in VO
  - vo - virtual organization
  - user - user
- Throws:
  - InternalErrorException
  - AlreadyAdminException

addVoRole
void addVoRole(PerunSession sess, String role, Vo vo, Group group)
Adds role for group in a VO.
- Parameters:
  - sess - perun session
  - role - role of group in VO
  - vo - virtual organization
  - group - group
- Throws:
  - InternalErrorException
  - AlreadyAdminException

getAdminGroups
getAdminGroups(Map<String, Integer> mappingOfValues)
Get all authorizedGroups for complementary object and role.
- Parameters:
  - mappingOfValues - mapping according to which the role will be selected
- Returns:
  - list of authorizedGroups

getAdmins
getAdmins(Map<String, Integer> mappingOfValues, boolean onlyDirectAdmins)
Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role with specified attributes.
- Parameters:
  - mappingOfValues - mapping from which the query will be created (keys are column names and values are their ids)
  - onlyDirectAdmins - if true, members of authorized groups are not included
- Returns:
  - list of user administrators for complementary object and role with specified attributes.

someAdminExists
boolean someAdminExists(Map<String, Integer> mappingOfValues, boolean onlyDirectAdmins)
Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).
- Parameters:
  - mappingOfValues - mapping from which the query will be created (keys are column names and values are their ids)
  - onlyDirectAdmins - if true, search only direct user administrators (if false, search both direct and indirect)
- Returns:
  - true if some user with required role exists, false otherwise.

getFacilitiesWhereUserIsInRoles
getFacilitiesWhereUserIsInRoles(User user, List<String> roles)
Get all Facilities where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- Parameters:
  - user - user for whom Facilities are retrieved
  - roles - roles for which Facilities are retrieved
- Returns:
  - Set of Facilities

getGroupsWhereUserIsInRoles
getGroupsWhereUserIsInRoles(User user, List<String> roles)
Get all Groups where the given user has set one of the given roles or the given user is a member of an authorized group with such roles. Method does not return subgroups of the fetched groups.
- Parameters:
  - user - user for whom Groups are retrieved
  - roles - roles for which Groups are retrieved
- Returns:
  - Set of Groups

getMembersWhereUserIsInRoles
getMembersWhereUserIsInRoles(User user, List<String> roles)
Get all Members where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- Parameters:
  - user - user for whom Members are retrieved
  - roles - roles for which Members are retrieved
- Returns:
  - Set of Members

getResourcesWhereUserIsInRoles
getResourcesWhereUserIsInRoles(User user, List<String> roles)
Get all Resources where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- Parameters:
  - user - user for whom Resources are retrieved
  - roles - roles for which Resources are retrieved
- Returns:
  - Set of Resources

getRoleComplementaryObjectsWithAuthorizedGroups
Map<String, Map<String, Map<Integer, List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(User user)
Returns map of role name and map of corresponding role complementary objects (perun beans) distinguished by type, together with list of authorized groups where user is member: Map<RoleName, Map<BeanName, Map<BeanID, List<Group>>>>
- Parameters:
  - user
- Returns:
  - Map<String, Map<String, Map<Integer, List<Group>>>> complementary objects with associated authorized groups

getRoleId
Fetch the identification of the role from the table roles in the database.
- Returns:
  - identification of the role

getRoleIdByName
int getRoleIdByName(String name)
Get role id by its name, returns -1 if role does not exist.
- Parameters:
  - name - name of the role
- Returns:
  - role id with the given name

getRoles
AuthzRoles getRoles(User user, boolean getAuthorizedGroupBasedRoles)
Returns user's direct roles, can also include roles resulting from being a VALID member of authorized groups.
- Parameters:
  - user
  - getAuthorizedGroupBasedRoles
- Returns:
  - AuthzRoles object which contains all roles with perunbeans

getRoles
AuthzRoles getRoles(Group group)
Returns all group's roles.
- Parameters:
  - group
- Returns:
  - AuthzRoles object which contains all roles with perunbeans

getRolesObtainedFromAuthorizedGroupMemberships
AuthzRoles getRolesObtainedFromAuthorizedGroupMemberships(User user)
Returns user's roles resulting from being a VALID member of authorized groups.
- Parameters:
  - user - user
- Returns:
  - AuthzRoles object which contains roles with perunbeans

getVoIdsForGroupInRole
getVoIdsForGroupInRole(PerunSession sess, Group group, String role)
Gets list of VOs for which the group has the role.
- Parameters:
  - sess - perun session
  - group - group
  - role - role of group
- Returns:
  - list of VOs for which the group has the role
- Throws:
  - InternalErrorException

getVoIdsForUserInRole
getVoIdsForUserInRole(PerunSession sess, User user, String role)
Gets list of VOs for which the user has the role.
- Parameters:
  - sess - perun session
  - user - user
  - role - role of user
- Returns:
  - list of VOs for which the user has the role.
- Throws:
  - InternalErrorException

getVosWhereUserIsInRoles
getVosWhereUserIsInRoles(User user, List<String> roles)
Get all Vos where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
- Parameters:
  - user - user for whom Vos are retrieved
  - roles - roles for which Vos are retrieved
- Returns:
  - Set of Vos

groupMatchesUserRolesFilter
boolean groupMatchesUserRolesFilter(PerunSession sess, User user, Group group, List<String> roles, List<RoleAssignmentType> types)
Check if the given group passes the user's roles filter.
- Parameters:
  - sess - session
  - user - user
  - group - group
  - roles - list of selected roles (if empty, then return groups by all roles)
  - types - list of selected types of roles (if empty, then return by roles of all types)
- Returns:
  - list of groups

isGroupInRoleForVo
boolean isGroupInRoleForVo(PerunSession session, Group group, String role, Vo vo)
Checks whether the group is in role for Vo.
- Parameters:
  - session - perun session
  - group - group
  - role - role of group
  - vo - virtual organization
- Returns:
  - true if group is in role for VO, otherwise false.

isUserInRoleForVo
boolean isUserInRoleForVo(PerunSession session, User user, String role, Vo vo)
Checks whether the user is in role for Vo.
- Parameters:
  - session - perun session
  - user - user
  - role - role of user
  - vo - virtual organization
- Returns:
  - true if user is in role for VO, otherwise false.

isVoAdminOrObserver
boolean isVoAdminOrObserver(PerunSession sess, Vo vo)
Returns true if the user in session is vo admin or vo observer of specific Vo.
- Parameters:
  - sess - session
  - vo - vo
- Returns:
  - boolean

loadAuthorizationComponents
void loadAuthorizationComponents()
Load perun roles and policies from the configuration file perun-roles.yml. Roles are loaded to the database and policies are loaded to the PerunPoliciesContainer.

makeAuthorizedGroupPerunObserver
void makeAuthorizedGroupPerunObserver(PerunSession sess, Group authorizedGroup) throws AlreadyAdminException
Make group Perun observer.
- Parameters:
  - sess - the perunSession
  - authorizedGroup - authorizedGroup to be promoted to perunObserver
- Throws:
  - InternalErrorException
  - AlreadyAdminException

makeUserCabinetAdmin
void makeUserCabinetAdmin(PerunSession sess, User user)
Make user Cabinet manager.
- Parameters:
  - sess - PerunSession
  - user - User to add Cabinet manager role to.
- Throws:
  - InternalErrorException - When implementation fails

makeUserPerunAdmin
void makeUserPerunAdmin(PerunSession sess, User user)
Make user perunAdmin.
- Parameters:
  - sess
  - user
- Throws:
  - InternalErrorException
  - AlreadyAdminException

makeUserPerunObserver
void makeUserPerunObserver(PerunSession sess, User user)
Make user Perun observer.
- Parameters:
  - sess - the perunSession
  - user - user to be promoted to perunObserver
- Throws:
  - InternalErrorException
  - AlreadyAdminException

removeAdmin
void removeAdmin(PerunSession sess, Facility facility, User user)
Remove user role admin for the facility
- Parameters:
  - sess
  - facility
  - user
- Throws:
  - InternalErrorException
  - UserNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Facility facility, Group group)
Remove group of users role admin for the facility
- Parameters:
  - sess
  - facility
  - group
- Throws:
  - InternalErrorException
  - GroupNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Resource resource, User user)
Remove user role admin for the resource
- Parameters:
  - sess
  - resource
  - user
- Throws:
  - InternalErrorException
  - UserNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Resource resource, Group group)
Remove group of users role admin for the resource
- Parameters:
  - sess
  - resource
  - group
- Throws:
  - InternalErrorException
  - GroupNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, User sponsoredUser, User user)
Remove user role admin for the sponsoredUser
- Parameters:
  - sess
  - sponsoredUser
  - user
- Throws:
  - InternalErrorException
  - UserNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, User sponsoredUser, Group group)
Remove group of users role admin for the sponsoredUser
- Parameters:
  - sess
  - sponsoredUser
  - group
- Throws:
  - InternalErrorException
  - GroupNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Group group, User user)
Remove user role admin for the group
- Parameters:
  - sess
  - group
  - user
- Throws:
  - InternalErrorException
  - UserNotAdminException

removeAdmin
void removeAdmin(PerunSession sess, Group group, Group authorizedGroup) throws GroupNotAdminException
Remove group of users role admin for the group
- Parameters:
  - sess
  - group
  - authorizedGroup
- Throws:
  - InternalErrorException
  - GroupNotAdminException

removeAllAuthzForFacility
void removeAllAuthzForFacility(PerunSession sess, Facility facility)
Removes all authz entries for the facility
- Parameters:
  - sess
  - facility
- Throws:
  - InternalErrorException

removeAllAuthzForGroup
void removeAllAuthzForGroup(PerunSession sess, Group group)
Removes all authz entries for the group
- Parameters:
  - sess
  - group
- Throws:
  - InternalErrorException

removeAllAuthzForResource
void removeAllAuthzForResource(PerunSession sess, Resource resource)
Removes all authz entries for the resource
- Parameters:
  - sess
  - resource
- Throws:
  - InternalErrorException

removeAllAuthzForService
void removeAllAuthzForService(PerunSession sess, Service service)
Removes all authz entries for the service
- Parameters:
  - sess
  - service
- Throws:
  - InternalErrorException

removeAllAuthzForVo
void removeAllAuthzForVo(PerunSession sess, Vo vo)
Removes all authz entries for the vo
- Parameters:
  - sess
  - vo
- Throws:
  - InternalErrorException

removeAllSponsoredUserAuthz
void removeAllSponsoredUserAuthz(PerunSession sess, User sponsoredUser)
Removes all authz entries for the sponsoredUser.
- Parameters:
  - sess
  - sponsoredUser
- Throws:
  - InternalErrorException

removeAllUserAuthz
void removeAllUserAuthz(PerunSession sess, User user)
Removes all authz entries for the user.
- Parameters:
  - sess
  - user
- Throws:
  - InternalErrorException

removeCabinetAdmin
void removeCabinetAdmin(PerunSession sess, User user)
Remove role Cabinet manager from user.
- Parameters:
  - sess - PerunSession
  - user - User to have Cabinet manager role removed
- Throws:
  - InternalErrorException - If implementation fails
  - UserNotAdminException - If user was not Cabinet admin

removePerunAdmin
void removePerunAdmin(PerunSession sess, User user)
Remove role perunAdmin from user.
- Parameters:
  - sess
  - user
- Throws:
  - InternalErrorException
  - UserNotAdminException

removePerunObserver
void removePerunObserver(PerunSession sess, User user)
Remove role Perun observer from user.
- Parameters:
  - sess
  - user
- Throws:
  - InternalErrorException
  - UserNotAdminException

removePerunObserverFromAuthorizedGroup
void removePerunObserverFromAuthorizedGroup(PerunSession sess, Group authorizedGroup) throws GroupNotAdminException
Remove role Perun observer from authorizedGroup.
- Parameters:
  - sess
  - authorizedGroup
- Throws:
  - InternalErrorException
  - GroupNotAdminException

removeResourceRole
void removeResourceRole(PerunSession sess, String role, Resource resource, User user) throws UserNotAdminException
Remove role from user for resource.
- Parameters:
  - sess - session
  - role - role
  - resource - resource
  - user - user
- Throws:
  - InternalErrorException - internal error
  - UserNotAdminException - user was not admin

removeResourceRole
void removeResourceRole(PerunSession sess, String role, Resource resource, Group group) throws GroupNotAdminException
Remove role from group for resource.
- Parameters:
  - sess - session
  - role - role
  - resource - resource
  - group - group
- Throws:
  - InternalErrorException - internal error
  - GroupNotAdminException - group was not admin

removeVoRole
void removeVoRole(PerunSession sess, String role, Vo vo, User user)
Removes role from user in a VO.
- Parameters:
  - sess - perun session
  - role - role of user in a VO
  - vo - virtual organization
  - user - user
- Throws:
  - InternalErrorException
  - UserNotAdminException

removeVoRole
void removeVoRole(PerunSession sess, String role, Vo vo, Group group)
Removes role from group in a VO.
- Parameters:
  - sess - perun session
  - role - role of group in a VO
  - vo - virtual organization
  - group - group
- Throws:
  - InternalErrorException
  - GroupNotAdminException

roleExists
boolean roleExists(String role)
Check if the given role exists in the database. Check is case insensitive.
- Parameters:
  - role - role which will be checked
- Returns:
  - true if role exists, false otherwise.

setRole
void setRole(PerunSession sess, Map<String, Integer> mappingOfValues, String role) throws RoleAlreadySetException
Set a role according to the mapping of values.
- Parameters:
  - sess
  - mappingOfValues - mapping from which the query will be created (keys are column names and values are their ids)
  - role - role which will be set (just information for exception)
- Throws:
  - InternalErrorException
  - RoleAlreadySetException

unsetRole
void unsetRole(PerunSession sess, Map<String, Integer> mappingOfValues, String role) throws RoleNotSetException
Unset a role according to the mapping of values.
- Parameters:
  - sess
  - mappingOfValues - mapping from which the query will be created (keys are column names and values are their ids)
  - role - role which will be unset (just information for exception)
- Throws:
  - InternalErrorException
  - RoleNotSetException