org.rhq.enterprise.server.authz
Interface AuthorizationManagerLocal

All Known Implementing Classes:
AuthorizationManagerBean

public interface AuthorizationManagerLocal

A manager that provides methods for checking the current user's JON permissions and for setting permissions on roles.

Author:
Ian Springer, Joseph Marques

Method Summary
 boolean canUpdateRepo(org.rhq.core.domain.auth.Subject subject, int repoId)
          Returns true if given subject is able to update given repo.
 boolean canViewAutoGroup(org.rhq.core.domain.auth.Subject subject, int parentResourceId, int resourceTypeId)
          Returns true if the current user has some role attached to this auto-group.
 boolean canViewGroup(org.rhq.core.domain.auth.Subject subject, int groupId)
          Returns true if the current user has some role attached to this group.
 boolean canViewRepo(org.rhq.core.domain.auth.Subject subject, int repoId)
          Returns true if given subject is able to view given repo.
 boolean canViewResource(org.rhq.core.domain.auth.Subject subject, int resourceId)
          Returns true if the current user has some role attached to some group that contains this resource.
 boolean canViewResources(org.rhq.core.domain.auth.Subject subject, List<Integer> resourceIds)
          Returns true if the current user has a role attached to a group that contains the specified resources.
 Set<org.rhq.core.domain.authz.Permission> getExplicitGlobalPermissions(org.rhq.core.domain.auth.Subject subject)
          Gets the set of global permissions that the current user explicitly possesses.
 Set<org.rhq.core.domain.authz.Permission> getExplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject, int groupId)
          Gets the set of permissions that the current user explicitly possesses for the specified Group.
 Set<org.rhq.core.domain.authz.Permission> getExplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject, int resourceId)
          Gets the set of permissions that the current user explicitly possesses for the specified Resource.
 Set<org.rhq.core.domain.authz.Permission> getImplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject, int groupId)
          Gets the set of permissions that the current user implicitly possesses for the specified Group.
 Set<org.rhq.core.domain.authz.Permission> getImplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject, int resourceId)
          Gets the set of permissions that the current user implicitly possesses for the specified Resource.
 boolean hasAutoGroupPermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, int parentResourceId, int resourceTypeId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified auto-group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)
 boolean hasGlobalPermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission)
          Returns true if the current user possesses the specified global permission.
 boolean hasGroupPermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, int groupId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)
 boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, Collection<Integer> resourceIds)
          Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups). NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).
 boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, int resourceId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)
 boolean isInventoryManager(org.rhq.core.domain.auth.Subject subject)
          Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism
 boolean isOverlord(org.rhq.core.domain.auth.Subject subject)
          Returns true if and only if the given subject represents the internal overlord subject.
 boolean isSystemSuperuser(org.rhq.core.domain.auth.Subject subject)
          Returns true if and only if the given subject represents either the initial superuser (e.g. rhqadmin) or the internal overlord subject.
 

Method Detail

canViewResource

boolean canViewResource(org.rhq.core.domain.auth.Subject subject,
                        int resourceId)
Returns true if the current user has some role attached to some group that contains this resource.

Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
true if the current user has some role attached to some group that contains this resource

canViewResources

boolean canViewResources(org.rhq.core.domain.auth.Subject subject,
                         List<Integer> resourceIds)
Returns true if the current user has a role attached to a group that contains the specified resources. Note that this method will return true if the resources span multiple groups, so long as the user is in one or more roles granting view permission for those groups containing the resources.

Parameters:
subject - The current subject or caller
resourceIds - The resource ids against which we are checking whether the subject has access
Returns:
true only if the subject has a role attached to a group that contains all of the specified resources

canViewGroup

boolean canViewGroup(org.rhq.core.domain.auth.Subject subject,
                     int groupId)
Returns true if the current user has some role attached to this group.

Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
true if the current user has some role attached to this group

canViewAutoGroup

boolean canViewAutoGroup(org.rhq.core.domain.auth.Subject subject,
                         int parentResourceId,
                         int resourceTypeId)
Returns true if the current user has some role attached to this auto-group.

Parameters:
subject - the current subject or caller
parentResourceId - the id of the parent resource filter for this auto-group
resourceTypeId - the id of the resource type filter for this auto-group
Returns:
true if the current user has some role attached to this auto-group

hasResourcePermission

boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject,
                              org.rhq.core.domain.authz.Permission permission,
                              int resourceId)
Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)

Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
resourceId - the id of some Resource to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified resource

hasResourcePermission

boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject,
                              org.rhq.core.domain.authz.Permission permission,
                              Collection<Integer> resourceIds)
Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups). NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).

Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
resourceIds - the ids of some Resources to check permissions against (size of collection must be <= 1000)
Returns:
true if the current user possesses the specified resource permission for all of the specified resources
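
Added example (not part of the RHQ source): one way for a caller holding more than 1000 resource ids to respect the limit noted above while keeping the all-or-nothing result. `ResourceAuthz`, `hasPermissionForAll` and the string subject and permission values are hypothetical stand-ins for `AuthorizationManagerLocal`, `Subject` and `Permission`; denying on an empty id list is a design choice of this example.

```java
import java.util.*;

public class BatchedPermissionCheck {
    static final int MAX_IDS = 1000; // collection size limit stated in the NOTE above

    // Hypothetical stand-in for the one AuthorizationManagerLocal method used here.
    // S and P stand in for Subject and Permission.
    interface ResourceAuthz<S, P> {
        boolean hasResourcePermission(S subject, P permission, Collection<Integer> resourceIds);
    }

    // Returns true only if every chunk of at most MAX_IDS ids is authorized.
    // Fails closed: a null subject, or a null or empty id list, is denied (example's choice).
    static <S, P> boolean hasPermissionForAll(ResourceAuthz<S, P> authz, S subject, P permission,
                                              Collection<Integer> resourceIds) {
        if (subject == null || resourceIds == null || resourceIds.isEmpty()) {
            return false;
        }
        List<Integer> ids = new ArrayList<>(new LinkedHashSet<>(resourceIds)); // drop duplicates
        for (int from = 0; from < ids.size(); from += MAX_IDS) {
            List<Integer> chunk = ids.subList(from, Math.min(from + MAX_IDS, ids.size()));
            if (!authz.hasResourcePermission(subject, permission, chunk)) {
                return false; // "all" semantics: one denied chunk denies the whole request
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed policy for the demo: "alice" holds the permission on ids 1..2500 only.
        ResourceAuthz<String, String> fake = (s, p, ids) -> {
            if (ids.size() > MAX_IDS) throw new IllegalArgumentException("more than 1000 ids");
            for (int id : ids) {
                if (!"alice".equals(s) || id < 1 || id > 2500) return false;
            }
            return true;
        };
        List<Integer> granted = new ArrayList<>();
        for (int i = 1; i <= 2500; i++) granted.add(i);
        List<Integer> mixed = new ArrayList<>(granted);
        mixed.add(9999); // constructed id outside the grant

        String perm = "SAMPLE_RESOURCE_PERMISSION"; // constructed placeholder value
        System.out.println("granted ids: " + hasPermissionForAll(fake, "alice", perm, granted));
        System.out.println("mixed ids:   " + hasPermissionForAll(fake, "alice", perm, mixed));
        System.out.println("empty list:  " + hasPermissionForAll(fake, "alice", perm, new ArrayList<Integer>()));
    }
}
```

The MANAGE_INVENTORY shortcut described above stays inside the wrapped method, so each chunk still honours it.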

hasGroupPermission

boolean hasGroupPermission(org.rhq.core.domain.auth.Subject subject,
                           org.rhq.core.domain.authz.Permission permission,
                           int groupId)
Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)

Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
groupId - the id of some Group to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified group

hasAutoGroupPermission

boolean hasAutoGroupPermission(org.rhq.core.domain.auth.Subject subject,
                               org.rhq.core.domain.authz.Permission permission,
                               int parentResourceId,
                               int resourceTypeId)
Returns true if the current user possesses either: 1) the specified resource permission for the specified auto-group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)

Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
parentResourceId - the id of the parent resource of the auto-group to check permissions against
resourceTypeId - the id of the resource type filter of the auto-group to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified auto-group

hasGlobalPermission

boolean hasGlobalPermission(org.rhq.core.domain.auth.Subject subject,
                            org.rhq.core.domain.authz.Permission permission)
Returns true if the current user possesses the specified global permission.

Parameters:
subject - the current subject or caller
permission - a global permission (i.e. permission.getTarget() == Permission.Target.GLOBAL)
Returns:
true if the current user possesses the specified global permission

getExplicitResourcePermissions

Set<org.rhq.core.domain.authz.Permission> getExplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject,
                                                                         int resourceId)
Gets the set of permissions that the current user explicitly possesses for the specified Resource.

Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
the set of permissions that the current user possesses for the specified Resource - never null

getImplicitResourcePermissions

Set<org.rhq.core.domain.authz.Permission> getImplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject,
                                                                         int resourceId)
Gets the set of permissions that the current user implicitly possesses for the specified Resource.

Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
the set of permissions that the current user implicitly possesses for the specified Resource - never null

getExplicitGroupPermissions

Set<org.rhq.core.domain.authz.Permission> getExplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject,
                                                                      int groupId)
Gets the set of permissions that the current user explicitly possesses for the specified Group.

Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
the set of permissions that the current user explicitly possesses for the specified Group - never null

getImplicitGroupPermissions

Set<org.rhq.core.domain.authz.Permission> getImplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject,
                                                                      int groupId)
Gets the set of permissions that the current user implicitly possesses for the specified Group.

Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
the set of permissions that the current user implicitly possesses for the specified Group

isInventoryManager

boolean isInventoryManager(org.rhq.core.domain.auth.Subject subject)
Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism

Parameters:
subject - the current subject or caller
Returns:
whether this subject has full control over resources and groups

getExplicitGlobalPermissions

Set<org.rhq.core.domain.authz.Permission> getExplicitGlobalPermissions(org.rhq.core.domain.auth.Subject subject)
Gets the set of global permissions that the current user explicitly possesses.

Parameters:
subject - the current subject or caller
Returns:
the set of global permissions that the current user possesses - never null

isSystemSuperuser

boolean isSystemSuperuser(org.rhq.core.domain.auth.Subject subject)
Returns true if and only if the given subject represents either the initial superuser (e.g. rhqadmin) or the internal overlord subject. These are known as the "system superusers".

Parameters:
subject - the subject to check
Returns:
true if the given subject is considered one of the built-in system superusers

isOverlord

boolean isOverlord(org.rhq.core.domain.auth.Subject subject)
Returns true if and only if the given subject represents the internal overlord subject.

Parameters:
subject - the subject to check
Returns:
true if the given subject is considered the overlord subject

canViewRepo

boolean canViewRepo(org.rhq.core.domain.auth.Subject subject,
                    int repoId)
Returns true if given subject is able to view given repo. The subject is able to view a repo if it is public or if the subject is the owner of the repo or if the subject is a member of a role with Permission.MANAGE_REPOSITORIES.

Parameters:
subject -
repoId -
Returns:
true if subject is able to view the repo, false otherwise

canUpdateRepo

boolean canUpdateRepo(org.rhq.core.domain.auth.Subject subject,
                      int repoId)
Returns true if given subject is able to update given repo. The subject is able to update a repo if it is owned by the subject or if the subject is a member of a role with Permission.MANAGE_REPOSITORIES.

Parameters:
subject -
repoId -
Returns:
true if subject is able to update the repo, false otherwise


Copyright © 2008-2012 Red Hat, Inc. All Rights Reserved.