org.rhq.enterprise.server.authz
Class AuthorizationManagerBean

java.lang.Object
  extended by org.rhq.enterprise.server.authz.AuthorizationManagerBean
All Implemented Interfaces:
AuthorizationManagerLocal

public class AuthorizationManagerBean
extends Object
implements AuthorizationManagerLocal

Author:
Joseph Marques

Constructor Summary
AuthorizationManagerBean()
           
 
Method Summary
 boolean canUpdateRepo(org.rhq.core.domain.auth.Subject subject, int repoId)
          Returns true if given subject is able to update given repo.
 boolean canViewAutoGroup(org.rhq.core.domain.auth.Subject subject, int parentResourceId, int resourceTypeId)
          Returns true if the current user has some role attached to this auto-group.
 boolean canViewGroup(org.rhq.core.domain.auth.Subject subject, int groupId)
          Returns true if the current user has some role attached to this group.
 boolean canViewRepo(org.rhq.core.domain.auth.Subject subject, int repoId)
          Returns true if given subject is able to view given repo.
 boolean canViewResource(org.rhq.core.domain.auth.Subject subject, int resourceId)
          Returns true if the current user has some role attached to some group that contains this resource.
 boolean canViewResources(org.rhq.core.domain.auth.Subject subject, List<Integer> resourceIds)
          Returns true if the current user has a role attached to a group that contains the specified resources.
 Set<org.rhq.core.domain.authz.Permission> getExplicitGlobalPermissions(org.rhq.core.domain.auth.Subject subject)
          Gets the set of global permissions that the current user explicitly possesses.
 Set<org.rhq.core.domain.authz.Permission> getExplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject, int groupId)
          Gets the set of permissions that the current user explicitly possesses for the specified Group.
 Set<org.rhq.core.domain.authz.Permission> getExplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject, int resourceId)
          Gets the set of permissions that the current user explicitly possesses for the specified Resource.
 Set<org.rhq.core.domain.authz.Permission> getImplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject, int groupId)
          Gets the set of permissions that the current user implicitly possesses for the specified Group.
 Set<org.rhq.core.domain.authz.Permission> getImplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject, int resourceId)
          Gets the set of permissions that the current user implicitly possesses for the specified Resource.
 boolean hasAutoGroupPermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, int parentResourceId, int resourceTypeId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified auto-group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)
 boolean hasGlobalPermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission)
          Returns true if the current user possesses the specified global permission.
 boolean hasGroupPermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, int groupId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)
 boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, Collection<Integer> resourceIds)
          Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups). NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).
 boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, int resourceId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)
 boolean isInventoryManager(org.rhq.core.domain.auth.Subject subject)
          Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism
 boolean isOverlord(org.rhq.core.domain.auth.Subject subject)
          Returns true if and only if the given subject represents the internal overlord subject.
 boolean isSystemSuperuser(org.rhq.core.domain.auth.Subject subject)
          Returns true if and only if the given subject represents either the initial superuser (e.g. rhqadmin) or the internal overlord subject.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AuthorizationManagerBean

public AuthorizationManagerBean()
Method Detail

getExplicitGlobalPermissions

public Set<org.rhq.core.domain.authz.Permission> getExplicitGlobalPermissions(org.rhq.core.domain.auth.Subject subject)
Description copied from interface: AuthorizationManagerLocal
Gets the set of global permissions that the current user explicitly possesses.

Specified by:
getExplicitGlobalPermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
Returns:
the set of global permissions that the current user possesses - never null

getExplicitGroupPermissions

public Set<org.rhq.core.domain.authz.Permission> getExplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject,
                                                                             int groupId)
Description copied from interface: AuthorizationManagerLocal
Gets the set of permissions that the current user explicitly possesses for the specified Group.

Specified by:
getExplicitGroupPermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
the set of permissions that the current user explicitly possesses for the specified Group - never null

getImplicitGroupPermissions

public Set<org.rhq.core.domain.authz.Permission> getImplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject,
                                                                             int groupId)
Description copied from interface: AuthorizationManagerLocal
Gets the set of permissions that the current user implicitly possesses for the specified Group.

Specified by:
getImplicitGroupPermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
the set of permissions that the current user implicitly possesses for the specified Group

getExplicitResourcePermissions

public Set<org.rhq.core.domain.authz.Permission> getExplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject,
                                                                                int resourceId)
Description copied from interface: AuthorizationManagerLocal
Gets the set of permissions that the current user explicitly possesses for the specified Resource.

Specified by:
getExplicitResourcePermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
the set of permissions that the current user possesses for the specified Resource - never null

getImplicitResourcePermissions

public Set<org.rhq.core.domain.authz.Permission> getImplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject,
                                                                                int resourceId)
Description copied from interface: AuthorizationManagerLocal
Gets the set of permissions that the current user implicitly possesses for the specified Resource.

Specified by:
getImplicitResourcePermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
the set of permissions that the current user implicitly possesses for the specified Resource - never null

hasGlobalPermission

public boolean hasGlobalPermission(org.rhq.core.domain.auth.Subject subject,
                                   org.rhq.core.domain.authz.Permission permission)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user possesses the specified global permission.

Specified by:
hasGlobalPermission in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
permission - a global permission (i.e. permission.getTarget() == Permission.Target.GLOBAL)
Returns:
true if the current user possesses the specified global permission

hasGroupPermission

public boolean hasGroupPermission(org.rhq.core.domain.auth.Subject subject,
                                  org.rhq.core.domain.authz.Permission permission,
                                  int groupId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)

Specified by:
hasGroupPermission in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
groupId - the id of some Group to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified group

hasResourcePermission

public boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject,
                                     org.rhq.core.domain.authz.Permission permission,
                                     int resourceId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)

Specified by:
hasResourcePermission in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
resourceId - the id of some Resource to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified resource

hasAutoGroupPermission

public boolean hasAutoGroupPermission(org.rhq.core.domain.auth.Subject subject,
                                      org.rhq.core.domain.authz.Permission permission,
                                      int parentResourceId,
                                      int resourceTypeId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user possesses either: 1) the specified resource permission for the specified auto-group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)

Specified by:
hasAutoGroupPermission in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
parentResourceId - the id of the parent resource of the auto-group to check permissions against
resourceTypeId - the id of the resource type of the auto-group to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified auto-group

canViewResource

public boolean canViewResource(org.rhq.core.domain.auth.Subject subject,
                               int resourceId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user has some role attached to some group that contains this resource.

Specified by:
canViewResource in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
true if the current user has some role attached to some group that contains this resource

canViewResources

public boolean canViewResources(org.rhq.core.domain.auth.Subject subject,
                                List<Integer> resourceIds)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user has a role attached to a group that contains the specified resources. Note that this method will return true if the resources span multiple groups, so long as the user is in one or more roles granting view permission for those groups containing the resources.

Specified by:
canViewResources in interface AuthorizationManagerLocal
Parameters:
subject - The current subject or caller
resourceIds - The resource ids against which we are checking whether the subject has access
Returns:
true only if the subject has a role attached to a group that contains all of the specified resources

canViewGroup

public boolean canViewGroup(org.rhq.core.domain.auth.Subject subject,
                            int groupId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user has some role attached to this group.

Specified by:
canViewGroup in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
true if the current user has some role attached to this group

canViewAutoGroup

public boolean canViewAutoGroup(org.rhq.core.domain.auth.Subject subject,
                                int parentResourceId,
                                int resourceTypeId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user has some role attached to this auto-group.

Specified by:
canViewAutoGroup in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
parentResourceId - the id of the parent resource filter for this auto-group
resourceTypeId - the id of the resource type filter for this auto-group
Returns:
true if the current user has some role attached to this auto-group

isInventoryManager

public boolean isInventoryManager(org.rhq.core.domain.auth.Subject subject)
Description copied from interface: AuthorizationManagerLocal
Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism

Specified by:
isInventoryManager in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
Returns:
whether this subject has full control over resources and groups

hasResourcePermission

public boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject,
                                     org.rhq.core.domain.authz.Permission permission,
                                     Collection<Integer> resourceIds)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups). NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).

Specified by:
hasResourcePermission in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
resourceIds - the ids of some Resources to check permissions against (size of collection must be <= 1000)
Returns:
true if the current user possesses the specified resource permission for all of the specified resources
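
An added example (not RHQ's own code) of a caller-side guard for the 1000-id limit noted above: it splits a larger id set into batches and denies unless every batch passes, which preserves the *all* semantics. The class name, `hasPermissionForAll`, and the `Predicate` standing in for a call to `hasResourcePermission(subject, permission, ids)` are assumptions, as is the choice to deny on an empty collection.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.function.Predicate;

public class BatchedResourcePermissionCheck {

    /** Documented ceiling on the id collection passed to hasResourcePermission. */
    static final int MAX_IDS_PER_CALL = 1000;

    /**
     * @param ids        resource ids the caller wants to act on
     * @param batchCheck hypothetical stand-in for a call such as
     *        batch -> authzManager.hasResourcePermission(subject, permission, batch)
     * @return true only if every batch of at most 1000 ids passes the check
     */
    static boolean hasPermissionForAll(Collection<Integer> ids,
                                       Predicate<Collection<Integer>> batchCheck) {
        if (ids == null || ids.isEmpty()) {
            return false; // this example's choice: nothing to authorize means deny
        }
        // De-duplicate so repeated ids do not inflate the number of batches.
        List<Integer> unique = new ArrayList<>(new LinkedHashSet<>(ids));
        for (int from = 0; from < unique.size(); from += MAX_IDS_PER_CALL) {
            int to = Math.min(from + MAX_IDS_PER_CALL, unique.size());
            // "All of the specified resources": one failed batch denies the whole request.
            if (!batchCheck.test(unique.subList(from, to))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed data: ids 1..2500; the stub check denies any batch containing id 2300.
        List<Integer> ids = new ArrayList<>();
        for (int i = 1; i <= 2500; i++) {
            ids.add(i);
        }
        Predicate<Collection<Integer>> stub = batch -> {
            if (batch.size() > MAX_IDS_PER_CALL) {
                throw new IllegalArgumentException("batch exceeds 1000 ids");
            }
            return !batch.contains(2300);
        };
        System.out.println("all 2500 ids:   " + hasPermissionForAll(ids, stub));
        System.out.println("first 2000 ids: " + hasPermissionForAll(ids.subList(0, 2000), stub));
    }
}
```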

isSystemSuperuser

public boolean isSystemSuperuser(org.rhq.core.domain.auth.Subject subject)
Description copied from interface: AuthorizationManagerLocal
Returns true if and only if the given subject represents either the initial superuser (e.g. rhqadmin) or the internal overlord subject. These are known as the "system superusers".

Specified by:
isSystemSuperuser in interface AuthorizationManagerLocal
Parameters:
subject - the subject to check
Returns:
true if the given subject is considered one of the built-in system superusers

isOverlord

public boolean isOverlord(org.rhq.core.domain.auth.Subject subject)
Description copied from interface: AuthorizationManagerLocal
Returns true if and only if the given subject represents the internal overlord subject.

Specified by:
isOverlord in interface AuthorizationManagerLocal
Parameters:
subject - the subject to check
Returns:
true if the given subject is considered the overlord subject

canUpdateRepo

public boolean canUpdateRepo(org.rhq.core.domain.auth.Subject subject,
                             int repoId)
Description copied from interface: AuthorizationManagerLocal
Returns true if given subject is able to update given repo. The subject is able to update a repo if it is owned by the subject or if the subject is a member of a role with Permission.MANAGE_REPOSITORIES.

Specified by:
canUpdateRepo in interface AuthorizationManagerLocal
Returns:
true if subject is able to update the repo, false otherwise

canViewRepo

public boolean canViewRepo(org.rhq.core.domain.auth.Subject subject,
                           int repoId)
Description copied from interface: AuthorizationManagerLocal
Returns true if given subject is able to view given repo. The subject is able to view a repo if it is public or if the subject is the owner of the repo or if the subject is a member of a role with Permission.MANAGE_REPOSITORIES.

Specified by:
canViewRepo in interface AuthorizationManagerLocal
Returns:
true if subject is able to view the repo, false otherwise


Copyright © 2008-2012 Red Hat, Inc. All Rights Reserved.