org.rhq.enterprise.server.authz

Interface AuthorizationManagerLocal

All Known Implementing Classes:

AuthorizationManagerBean

public interface AuthorizationManagerLocal

A manager that provides methods for checking the current user's JON permissions and for setting permissions on roles.

Author:

Ian Springer, Joseph Marques

Method Summary

Methods

Modifier and Type	Method and Description
boolean	canUpdateRepo(org.rhq.core.domain.auth.Subject subject, int repoId) Returns true if given subject is able to update given repo.
boolean	canViewAutoGroup(org.rhq.core.domain.auth.Subject subject, int parentResourceId, int resourceTypeId) Returns true if the current user has some role attached to this auto-group.
boolean	canViewGroup(org.rhq.core.domain.auth.Subject subject, int groupId) Returns true if the current user has some role attached to this group.
boolean	canViewRepo(org.rhq.core.domain.auth.Subject subject, int repoId) Returns true if given subject is able to view given repo.
boolean	canViewResource(org.rhq.core.domain.auth.Subject subject, int resourceId) Returns true if the current user has some role attached to some group that contains this resource.
boolean	canViewResources(org.rhq.core.domain.auth.Subject subject, List<Integer> resourceIds) Returns true if the current user has a role attached to a group that contains the specified resources.
Set<org.rhq.core.domain.authz.Permission>	getExplicitGlobalPermissions(org.rhq.core.domain.auth.Subject subject) Gets the set of global permissions that the current user explicitly possesses.
Set<org.rhq.core.domain.authz.Permission>	getExplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject, int groupId) Gets the set of permissions that the current user explicitly possesses for the specified Group.
Set<org.rhq.core.domain.authz.Permission>	getExplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject, int resourceId) Gets the set of permissions that the current user explicitly possesses for the specified Resource.
Set<org.rhq.core.domain.authz.Permission>	getImplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject, int groupId) Gets the set of permissions that the current user implicitly possesses for the specified Group.
Set<org.rhq.core.domain.authz.Permission>	getImplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject, int resourceId) Gets the set of permissions that the current user implicitly possesses for the specified Resource.
boolean	hasAutoGroupPermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, int parentResourceId, int resourceTypeId) Returns true if the current user possesses either: 1) the specified resource permission for the specified auto-group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)
boolean	hasGlobalPermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission) Returns true if the current user possesses the specified global permission.
boolean	hasGroupPermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, int groupId) Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)
boolean	hasResourcePermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, Collection<Integer> resourceIds) Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups) NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).
boolean	hasResourcePermission(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.authz.Permission permission, int resourceId) Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)
boolean	isInventoryManager(org.rhq.core.domain.auth.Subject subject) Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism
boolean	isOverlord(org.rhq.core.domain.auth.Subject subject) Returns true if and only if the given subject represents the internal overlord subject.
boolean	isSystemSuperuser(org.rhq.core.domain.auth.Subject subject) Returns true if and only if the given subject represents either the initial superuser (e.g.

Method Detail

canViewResource

boolean canViewResource(org.rhq.core.domain.auth.Subject subject,
                      int resourceId)

Returns true if the current user has some role attached to some group that contains this resource.

Parameters:

subject - the current subject or caller

resourceId - the id of some Resource to check permissions against

Returns:

true if the current user has some role attached to some group that contains this resource

canViewResources

boolean canViewResources(org.rhq.core.domain.auth.Subject subject,
                       List<Integer> resourceIds)

Returns true if the current user has a role attached to a group that contains the specified resources. Note that this method will return true if the resources span multiple groups so long has the user is in one or more roles granting view permission for those groups containing the resources.

Parameters:

subject - The current subject or caller

resourceIds - The resource ids against which we are checking whether the subject has access

Returns:

true only if the subject has a role attached to a group that contains all of the specified resources

canViewGroup

boolean canViewGroup(org.rhq.core.domain.auth.Subject subject,
                   int groupId)

Returns true if the current user has some role attached to this group.

Parameters:

subject - the current subject or caller

groupId - the id of some Group to check permissions against

Returns:

true if the current user has some role attached to this group

canViewAutoGroup

boolean canViewAutoGroup(org.rhq.core.domain.auth.Subject subject,
                       int parentResourceId,
                       int resourceTypeId)

Returns true if the current user has some role attached to this auto-group.

Parameters:

subject - the current subject or caller

parentResourceId - the id of the parent resource filter for this auto-group

resourceTypeId - the id of the resource type filter for this auto-group

Returns:

true if the current user has some role attached to this auto-group

hasResourcePermission

boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject,
                            org.rhq.core.domain.authz.Permission permission,
                            int resourceId)

Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)

Parameters:

subject - the current subject or caller

permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)

resourceId - the id of some Resource to check permissions against

Returns:

true if the current user possesses the specified resource permission for the specified resource

hasResourcePermission

boolean hasResourcePermission(org.rhq.core.domain.auth.Subject subject,
                            org.rhq.core.domain.authz.Permission permission,
                            Collection<Integer> resourceIds)

Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups) NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).

Parameters:

subject - the current subject or caller

permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)

resourceIds - the ids of some Resources to check permissions against (size of collection must be <= 1000)

Returns:

true if the current user possesses the specified resource permission for the specified resource

hasGroupPermission

boolean hasGroupPermission(org.rhq.core.domain.auth.Subject subject,
                         org.rhq.core.domain.authz.Permission permission,
                         int groupId)

Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)

Parameters:

subject - the current subject or caller

permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)

groupId - the id of some Group to check permissions against

Returns:

true if the current user possesses the specified resource permission for the specified group

hasAutoGroupPermission

boolean hasAutoGroupPermission(org.rhq.core.domain.auth.Subject subject,
                             org.rhq.core.domain.authz.Permission permission,
                             int parentResourceId,
                             int resourceTypeId)

Returns true if the current user possesses either: 1) the specified resource permission for the specified auto-group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups)

Parameters:

subject - the current subject or caller

permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)

parentResourceId - the id of the parent resource of the auto-group to check permissions against

parentResourceId - the id of the resource type filter of the auto-group to check permissions against

Returns:

true if the current user possesses the specified resource permission for the specified auto-group

hasGlobalPermission

boolean hasGlobalPermission(org.rhq.core.domain.auth.Subject subject,
                          org.rhq.core.domain.authz.Permission permission)

Returns true if the current user possesses the specified global permission.

Parameters:

subject - the current subject or caller

permission - a global permission (i.e. permission.getTarget() == Permission.Target.GLOBAL)

Returns:

true if the current user possesses the specified global permission

getExplicitResourcePermissions

Set<org.rhq.core.domain.authz.Permission> getExplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject,
                                                                       int resourceId)

Gets the set of permissions that the current user explicitly possesses for the specified Resource.

Parameters:

subject - the current subject or caller

resourceId - the id of some Resource to check permissions against

Returns:

the set of permissions that the current user possesses for the specified Resource - never null

getImplicitResourcePermissions

Set<org.rhq.core.domain.authz.Permission> getImplicitResourcePermissions(org.rhq.core.domain.auth.Subject subject,
                                                                       int resourceId)

Gets the set of permissions that the current user implicitly possesses for the specified Resource.

Parameters:

subject - the current subject or caller

resourceId - the id of some Resource to check permissions against

Returns:

the set of permissions that the current user implicitly possesses for the specified Resource - never null

getExplicitGroupPermissions

Set<org.rhq.core.domain.authz.Permission> getExplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject,
                                                                    int groupId)

Gets the set of permissions that the current user explicitly possesses for the specified Group.

Parameters:

subject - the current subject or caller

groupId - the id of some Group to check permissions against

Returns:

the set of permissions that the current user explicitly possesses for the specified Group - never null

getImplicitGroupPermissions

Set<org.rhq.core.domain.authz.Permission> getImplicitGroupPermissions(org.rhq.core.domain.auth.Subject subject,
                                                                    int groupId)

Gets the set of permissions that the current user implicitly possesses for the specified Group.

Parameters:

subject - the current subject or caller

groupId - the id of some Group to check permissions against

Returns:

the set of permissions that the current user implicitly possesses for the specified Group

isInventoryManager

boolean isInventoryManager(org.rhq.core.domain.auth.Subject subject)

Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism

Parameters:

subject - the current subject or caller

Returns:

whether this subject has full control over resources and groups

getExplicitGlobalPermissions

Set<org.rhq.core.domain.authz.Permission> getExplicitGlobalPermissions(org.rhq.core.domain.auth.Subject subject)

Gets the set of global permissions that the current user explicitly possesses.

Parameters:

subject - the current subject or caller

Returns:

the set of global permissions that the current user possesses - never null

isSystemSuperuser

boolean isSystemSuperuser(org.rhq.core.domain.auth.Subject subject)

Returns true if and only if the given subject represents either the initial superuser (e.g. rhqadmin) or the internal overlord subject. These are what is known as the "system superusers".

Parameters:

subject - the subject to check

Returns:

true if the given subject is considered one of the built-in system superusers

isOverlord

boolean isOverlord(org.rhq.core.domain.auth.Subject subject)

Returns true if and only if the given subject represents the internal overlord subject.

Parameters:

subject - the subject to check

Returns:

true if the given subject is considered the overlord subject

canViewRepo

boolean canViewRepo(org.rhq.core.domain.auth.Subject subject,
                  int repoId)

Returns true if given subject is able to view given repo. The subject is able to view a repo if it is public or if the subject is the owner of the repo or if the subject is a member of a role with Permission.MANAGE_REPOSITORIES.

Parameters:

subject -

repoId -

Returns:

true if subject is able to view the repo, false otherwise

canUpdateRepo

boolean canUpdateRepo(org.rhq.core.domain.auth.Subject subject,
                    int repoId)

Returns true if given subject is able to update given repo. The subject is able to update a repo if it is owned by the subject or if the subject is a member of a role with Permission.MANAGE_REPOSITORIES.

Parameters:

subject -

repoId -

Returns:

true if subject is able to update the repo, false otherwise