Class AAclAuthz
- Direct Known Subclasses:
BasicAclAuthz, DirAclAuthz

Code that needs to verify access before performing an action uses checkPermission.
Here is a sample resourceACLs value for the resource certServer.UsrGrpAdminServlet:

certServer.UsrGrpAdminServlet: execute: deny (execute) user="tempAdmin"; allow (execute) group="Administrators";

To perform permission checking, code calls the authz manager's authorize() method to verify access. See AuthzMgr for a calling example. Default evaluators are used to evaluate the "group=.." or "user=.." rules. See evaluator for more info.
Field Summary
Fields (modifier and type, name):
- protected static final String ACLS_ATTR
- static final org.slf4j.Logger logger
- protected static String[] mConfigParams
- protected static String[] mExtendedPluginInfo
- protected static final String PROP_CLASS
- protected static final String PROP_EVAL
- protected static final String PROP_IMPL
Fields inherited from class org.dogtagpki.server.authorization.AuthzManager
config, engine, implName, name
Constructor Summary
- protected AAclAuthz()
Method Summary
Methods (modifier and type, method, description):
- void accessInit(String accessInfo): accessInit is for servlets that want to initialize their own authorization information before full operation.
- aclEvaluatorElements(): gets an enumeration of access evaluators.
- void addACLs(String resACLs): Parses ACL resource attributes, then updates the in-memory ACL store. Intended for use when storing ACLs in LDAP is not desired; the caller invokes it to add resource and ACL information to the memory store.
- void addACLs(…): second overload.
- AuthzToken authorize(AuthToken authToken, String resource, String operation): checks the authorization permission for the user associated with authToken on operation.
- authorize(…): second overload.
- protected boolean checkACLs(String name, String perm): Checks if the permission is granted or denied in the current execution context.
- protected boolean checkAllowEntries(AuthToken authToken, Iterable<String> nodes, String perm)
- protected void checkDenyEntries(AuthToken authToken, Iterable<String> nodes, String perm): throws EACLsException if a deny entry is matched.
- protected void checkPermission(String name, String perm): Checks if the permission is granted or denied in the current execution context.
- void checkPermission(AuthToken authToken, String name, String perm): Checks if the permission is granted or denied for the id carried in the AuthToken obtained from the authentication that precedes authorization.
- boolean evaluateACLs(AuthToken authToken, String exp)
- getAccessEvaluators(): gets the access evaluators.
- getACL(String target): Gets the individual ACL entry for the given name.
- getACLs(): Gets the ACL entries.
- String[] getConfigParams(): Returns a list of configuration parameter names.
- protected Iterable<ACLEntry> getEntries(ACLEntry.Type entryType, Iterable<String> nodes, String operation)
- getExtendedPluginInfo()
- getNodes(…)
- String[] getOrder()
- getTargetNames()
- void init(String name, String implName, AuthzManagerConfig config): Initializes.
- boolean isTypeUnique(String type): is this resource name unique.
- void registerEvaluator(String type, AccessEvaluator evaluator): Registers a new handler for the given attribute type in the expressions.
- void updateACLs(String id, String rights, String strACLs, String desc): Updates only the in-memory store.
Methods inherited from class org.dogtagpki.server.authorization.AuthzManager
getCMSEngine, getConfigStore, getImplName, getName, setCMSEngine, shutdown
Field Details
- logger: public static final org.slf4j.Logger logger
- PROP_CLASS
- PROP_IMPL
- PROP_EVAL
- ACLS_ATTR
- mExtendedPluginInfo
- mConfigParams
Constructor Details
- AAclAuthz: protected AAclAuthz()
Method Details

init
void init(String name, String implName, AuthzManagerConfig config) throws EBaseException
Initializes this authorization manager instance.
- Specified by: init in class AuthzManager
- Parameters:
  name - The name of this authorization manager instance.
  implName - The name of the authorization manager plugin.
  config - The configuration store for this authorization manager.
- Throws:
  EBaseException - If an initialization error occurred.

addACLs
void addACLs(String resACLs) throws EACLsException
Parses ACL resource attributes, then updates the in-memory ACL store. This is intended for deployments that do not store ACLs in LDAP; the caller invokes this method to add resource and ACL information to the memory store. The resACLs value has the same form as the resourceACLs attribute (resource, rights, ACL entries and description, separated by colons), for example:

resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

- Parameters:
  resACLs - same format as the resourceACLs attribute
- Throws:
  EACLsException - parsing error from parseACL

addACLs (second overload)
- Throws:
  EACLsException
accessInit
void accessInit(String accessInfo) throws EBaseException
Description copied from class: AuthzManager
accessInit is for servlets that want to initialize their own authorization information before full operation. It is supposed to be called from the authzMgrAccessInit() method of the AuthzSubsystem. The accessInfo format is determined by each individual authz manager. For example, for BasicAclAuthz the accessInfo is the resACLs value, whose format should conform to the following example:

resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties

- Specified by: accessInit in class AuthzManager
- Parameters:
  accessInfo - the access info string, in the format specified by the authorization manager
- Throws:
  EBaseException - error parsing the accessInfo
getACL
Description copied from class: AuthzManager
Gets the individual ACL entry for the given name.
- Specified by: getACL in class AuthzManager
- Parameters:
  target - The name of the ACL entry
- Returns: The ACL entry.
- Throws:
  EACLsException

getTargetNames
- Throws:
  EACLsException

getACLs
Description copied from class: AuthzManager
Gets the ACL entries.
- Specified by: getACLs in class AuthzManager
- Returns: collection of ACL entries.
- Throws:
  EACLsException

getExtendedPluginInfo

getConfigParams
String[] getConfigParams()
Returns a list of configuration parameter names. The list is passed to the configuration console so that instances of this implementation can be configured through the console.
- Specified by: getConfigParams in class AuthzManager
- Returns: String array of configuration parameter names.
registerEvaluator
void registerEvaluator(String type, AccessEvaluator evaluator)
Registers a new handler for the given attribute type in the expressions.
- Specified by: registerEvaluator in class AuthzManager
- Parameters:
  type - Type of evaluator
  evaluator - Value of evaluator
checkPermission
protected void checkPermission(String name, String perm) throws EACLsException
Checks whether the permission is granted or denied in the current execution context. If the code is marked as privileged, this method simply returns. Note that if a resource does not exist in the aclResources entry but a higher-level node does, the higher node is still evaluated: the highest-level node's ACL determines the permission. If that node contains no ACL information, evaluation passes down to the lower node. A node with no ACI in its resourceACLs is considered passed.

Example: for certServer.common.users, if the permission check for "certServer" fails, the request is considered failed and the check stops. If the check for "certServer" passes, the request is considered passed and the check stops. If "certServer" contains no ACI, "certServer.common" is checked instead. If the leaf node still contains no ACI, or no such resource exists, the request is considered passed.

If there are multiple ACIs for a resource, ALL of them are checked, and access is granted only if every one of them passes.
- Parameters:
  name - resource name
  perm - permission requested
- Throws:
  EACLsException - access permission denied
checkACLs
protected boolean checkACLs(String name, String perm) throws EACLsException
Checks whether the permission is granted or denied in the current execution context. An ACL may contain one or more ACLEntry; with multiple entries, a subject must pass ALL of the ACLEntry evaluations for permission to be granted. Negative ("deny") entries are treated differently from positive ("allow") entries: if a deny entry fails the check (the subject matches it), the permission check fails right away, whereas if an allow entry does not match, the next entry is evaluated.
- Parameters:
  name - resource name
  perm - permission requested
- Returns: true if access is allowed; false if the decision should be passed down to the next node
- Throws:
  EACLsException - if access is disallowed

checkPermission
void checkPermission(AuthToken authToken, String name, String perm) throws EACLsException
Checks whether the permission is granted or denied for the id carried in the AuthToken obtained from the authentication that precedes authorization. If the code is marked as privileged, this method simply returns. The evaluation rules are the same as for checkPermission(String, String) above: the node path is walked from the highest-level node, the first node that carries ACL information decides, a node without an ACI passes evaluation down to the next node, and a leaf with no ACI (or a resource that does not exist at all) is considered passed. With multiple ACIs on a resource, ALL of them are checked and access is granted only if every one of them passes.

Because a resource with no ACI anywhere on its path is considered passed, every protected resource needs an ACL registered for it; an unregistered resource name is not denied.
- Parameters:
  authToken - authentication token obtained from authentication
  name - resource name
  perm - permission requested
- Throws:
  EACLsException - access permission denied
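The following is an added example, not Dogtag PKI code, that models the rules documented for this class in one place: the resourceACLs line format used by the class description, addACLs and accessInit; the user= and group= default evaluators plus registerEvaluator-style registration; and the node walk of checkPermission and checkACLs. It assumes, following checkDenyEntries and checkAllowEntries, that deny entries across the whole node path are tested first and short-circuit, that a matching allow entry then grants access, and, following the checkPermission text, that a path with no entry at all for the operation is considered passed. Subject stands in for AuthToken, AccessDenied for EACLsException, and AclStore, nodes_of and parse_resource_acl are names invented here.

```python
# Added example, not Dogtag PKI code: a model of the ACL rules this page documents.
# Subject, AclStore, AccessDenied and the function names are invented for it.
import re
from collections import namedtuple

AclEntry = namedtuple("AclEntry", "kind ops expr")   # "allow"/"deny", {ops}, 'group="x"'
Acl = namedtuple("Acl", "resource rights entries desc")
Subject = namedtuple("Subject", "uid groups")       # stand-in for the AuthToken


class AccessDenied(Exception):
    """Stands in for EACLsException."""


_ENTRY_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.+)$')
_EXPR_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')


def parse_resource_acl(line):
    """Parse 'resource:rights:entries:description', the addACLs/accessInit format.

    Entries are ';'-separated; the description is everything after the third ':',
    so a ':' inside an entry expression is not supported by this model.
    """
    parts = line.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed resourceACLs line: {line!r}")
    rights = frozenset(r.strip() for r in parts[1].split(",") if r.strip())
    entries = []
    for raw in filter(None, (s.strip() for s in parts[2].split(";"))):  # skips a trailing ';'
        m = _ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        kind, ops, expr = m.groups()
        entries.append(AclEntry(kind, frozenset(o.strip() for o in ops.split(",")), expr.strip()))
    desc = parts[3].strip() if len(parts) == 4 else ""
    return Acl(parts[0].strip(), rights, entries, desc)


def nodes_of(name):
    """'certServer.common.users' -> ['certServer', 'certServer.common', 'certServer.common.users']."""
    parts = name.split(".")
    return [".".join(parts[: i + 1]) for i in range(len(parts))]


class AclStore:
    """In-memory ACL store with the default user= and group= evaluators registered."""

    def __init__(self):
        self._acls = {}
        self._evaluators = {"user": lambda s, v: s.uid == v,
                            "group": lambda s, v: v in s.groups}

    def register_evaluator(self, attr_type, fn):
        """Like registerEvaluator(): fn(subject, value) decides an 'attr_type=value' term."""
        self._evaluators[attr_type] = fn

    def add(self, line):
        """Like addACLs(): parse one resourceACLs line and store it under its resource name."""
        acl = parse_resource_acl(line)
        self._acls[acl.resource] = acl
        return acl

    def evaluate(self, subject, expr):
        m = _EXPR_RE.match(expr)
        if not m or m.group(1) not in self._evaluators:
            raise ValueError(f"no evaluator for expression {expr!r}")
        return self._evaluators[m.group(1)](subject, m.group(2))

    def _entries(self, kind, nodes, op):
        """Entries of one kind that cover op, from the root node down to the leaf."""
        for node in nodes:
            for e in (self._acls[node].entries if node in self._acls else ()):
                if e.kind == kind and op in e.ops:
                    yield e

    def check_permission(self, subject, name, op):
        """Raise AccessDenied unless subject may perform op on the named resource."""
        nodes = nodes_of(name)
        # 1. A matching deny entry anywhere on the path denies immediately.
        for e in self._entries("deny", nodes, op):
            if self.evaluate(subject, e.expr):
                raise AccessDenied(f"{subject.uid}: {op} on {name} denied by {e.expr}")
        # 2. Otherwise one matching allow entry on the path grants access.
        allow = list(self._entries("allow", nodes, op))
        if allow and not any(self.evaluate(subject, e.expr) for e in allow):
            raise AccessDenied(f"{subject.uid}: no allow entry matches {op} on {name}")
        # 3. No entry for op on the whole path is "considered passed" (see checkPermission),
        #    so a resource nobody registered an ACL for is effectively unprotected.

    def is_allowed(self, subject, name, op):
        try:
            self.check_permission(subject, name, op)
            return True
        except AccessDenied:
            return False
```

Loading the page's sample line for certServer.UsrGrpAdminServlet and asking for execute shows the deny entry winning for tempAdmin even though that account is in the Administrators group, while a sub-resource such as certServer.UsrGrpAdminServlet.sub inherits the decision from its parent node. Asking for an operation or resource name that no stored entry covers returns allowed, which is the behaviour the checkPermission text describes and the reason every protected resource must have its ACL registered.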

checkAllowEntries
protected boolean checkAllowEntries(AuthToken authToken, Iterable<String> nodes, String perm) throws EACLsException
- Throws:
  EACLsException

checkDenyEntries
protected void checkDenyEntries(AuthToken authToken, Iterable<String> nodes, String perm) throws EACLsException
Throws EACLsException if a deny entry is matched.
- Throws:
  EACLsException

getEntries
protected Iterable<ACLEntry> getEntries(ACLEntry.Type entryType, Iterable<String> nodes, String operation) throws EACLsException
- Throws:
  EACLsException

getNodes
updateACLs
void updateACLs(String id, String rights, String strACLs, String desc) throws EACLsException
This method updates only the in-memory store; classes that extend this class should also update permanent storage.
- Specified by: updateACLs in class AuthzManager
- Parameters:
  id - The name of the ACL entry (i.e., the resource id)
  rights - The allowable rights for this resource
  strACLs - The value of the ACL entry
  desc - The description for this resource
- Throws:
  EACLsException - when the update fails.
aclEvaluatorElements
Gets an enumeration of access evaluators.
- Specified by: aclEvaluatorElements in class AuthzManager
- Returns: an enumeration of access evaluators

getAccessEvaluators
Gets the access evaluators.
- Specified by: getAccessEvaluators in class AuthzManager
- Returns: handle to the access evaluators table

isTypeUnique
boolean isTypeUnique(String type) throws EACLsException
Is this resource name unique?
- Returns: true if unique; false otherwise
- Throws:
  EACLsException
authorize
public AuthzToken authorize(AuthToken authToken, String resource, String operation) throws EAuthzInternalError, EAuthzAccessDenied
Checks the authorization permission for the user associated with authToken on operation. For example, if UsrGrpAdminServlet needs to authorize the caller, it would be done in the following fashion (the call there uses a four-argument form that names the manager, "DirAclAuthz", first; this class's own method takes the remaining three arguments):

    try {
        authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
    } catch (EBaseException e) {
        logger.warn("authorize call: " + e.getMessage(), e);
    }

- Specified by: authorize in class AuthzManager
- Parameters:
  authToken - the authToken associated with a user
  resource - the protected resource name
  operation - the protected resource operation name
- Returns: authzToken
- Throws:
  EAuthzAccessDenied - If access was denied
  EAuthzInternalError - If an internal error occurred.

authorize (second overload)
- Specified by: authorize in class AuthzManager
- Throws:
  EAuthzAccessDenied

getOrder
String[] getOrder()

evaluateACLs
boolean evaluateACLs(AuthToken authToken, String exp)