common,gplazma-multimap,dcache-qos: authorize qos transition based on role

Motivation: Implement authorization of user-initiated QoS transitions based on roles, as agreed upon.

Modification: Create a new base principal, `UidRolePrincipal`, and subclass it with `QoSRolePrincipal` (where the uid is specified) and `QoSPlaceholderRolePrincipal` (where the uid must be derived from the user's `UidPrincipal`). Also add an `AdminRolePrincipal`. Map these new principals to the `multimap` plugin's `MappedPrincipals`. The admin role is specified as `admin:`, the qos role with and without a specified uid as `qos:` and `qos:<uid>`, respectively. The code is written to logical-OR these in case it may be useful to specify more than one `qos:` capability. The permissions utility in QoS has been rewritten to do this. The permission check in the `QoSAdjuster` has been removed as it was redundant.

Result: It is now possible to authorize users to have QoS transition capabilities based on the `multimap` plugin.

Target: master
Patch: https://rb.dcache.org/r/14070/
Requires-notes: yes
Acked-by: Lea
Showing 10 changed files with 497 additions and 73 deletions.
modules/common/src/main/java/org/dcache/auth/AbstractUidPrincipal.java: 115 changes (115 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,115 @@ | ||
/* | ||
COPYRIGHT STATUS: | ||
Dec 1st 2001, Fermi National Accelerator Laboratory (FNAL) documents and | ||
software are sponsored by the U.S. Department of Energy under Contract No. | ||
DE-AC02-76CH03000. Therefore, the U.S. Government retains a world-wide | ||
non-exclusive, royalty-free license to publish or reproduce these documents | ||
and software for U.S. Government purposes. All documents and software | ||
available from this server are protected under the U.S. and Foreign | ||
Copyright Laws, and FNAL reserves all rights. | ||
Distribution of the software available from this server is free of | ||
charge subject to the user following the terms of the Fermitools | ||
Software Legal Information. | ||
Redistribution and/or modification of the software shall be accompanied | ||
by the Fermitools Software Legal Information (including the copyright | ||
notice). | ||
The user is asked to feed back problems, benefits, and/or suggestions | ||
about the software to the Fermilab Software Providers. | ||
Neither the name of Fermilab, the URA, nor the names of the contributors | ||
may be used to endorse or promote products derived from this software | ||
without specific prior written permission. | ||
DISCLAIMER OF LIABILITY (BSD): | ||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | ||
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FERMILAB, | ||
OR THE URA, OR THE U.S. DEPARTMENT of ENERGY, OR CONTRIBUTORS BE LIABLE | ||
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | ||
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | ||
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | ||
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
Liabilities of the Government: | ||
This software is provided by URA, independent from its Prime Contract | ||
with the U.S. Department of Energy. URA is acting independently from | ||
the Government and in its own private capacity and is not acting on | ||
behalf of the U.S. Government, nor as its contractor nor its agent. | ||
Correspondingly, it is understood and agreed that the U.S. Government | ||
has no connection to this software and in no manner whatsoever shall | ||
be liable for nor assume any responsibility or obligation for any claim, | ||
cost, or damages arising out of or resulting from the use of the software | ||
available from this server. | ||
Export Control: | ||
All documents and software available from this server are subject to U.S. | ||
export control laws. Anyone downloading information from this server is | ||
obligated to secure any necessary Government licenses before exporting | ||
documents or software obtained from this server. | ||
*/ | ||
package org.dcache.auth; | ||
|
||
import java.io.Serializable; | ||
import java.security.Principal; | ||
|
||
/* | ||
* Base class for both UidPrincipal and UidRolePrincipal. | ||
*/ | ||
abstract class AbstractUidPrincipal implements Principal, Serializable { | ||
|
||
private static final long serialVersionUID = -8815120327854777479L; | ||
|
||
protected final long uid; | ||
|
||
protected AbstractUidPrincipal(long uid) { | ||
if (uid < 0) { | ||
throw new IllegalArgumentException("UID must be non-negative"); | ||
} | ||
this.uid = uid; | ||
} | ||
|
||
protected AbstractUidPrincipal(String uid) { | ||
this(Long.parseLong(uid)); | ||
} | ||
|
||
public long getUid() { | ||
return uid; | ||
} | ||
|
||
@Override | ||
public String getName() { | ||
return String.valueOf(getUid()); | ||
} | ||
|
||
@Override | ||
public int hashCode() { | ||
return (int) getUid(); | ||
} | ||
|
||
@Override | ||
public boolean equals(Object other) { | ||
if (this == other) { | ||
return true; | ||
} | ||
if (!(this.getClass().equals(other.getClass()))) { | ||
return false; | ||
} | ||
AbstractUidPrincipal otherUid = (AbstractUidPrincipal) other; | ||
return (otherUid.getUid() == getUid()); | ||
} | ||
|
||
@Override | ||
public String toString() { | ||
return getClass().getSimpleName() + '[' + getName() + ']'; | ||
} | ||
} |
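Review bot: `equals` at the end of this hunk dereferences `other` before checking it for null, so `principal.equals(null)` throws a `NullPointerException` instead of returning false as the `Object.equals` contract requires; replace the class comparison with `if (other == null || getClass() != other.getClass()) { return false; }`. Two smaller points: the class comment opens with `/*` rather than `/**`, so it is not picked up as Javadoc, and since subclasses are evidently allowed to override `getUid()`, it is worth a one-line comment on `equals`/`hashCode` that both are defined in terms of `getUid()` and not the `uid` field, because any override changes identity semantics for the whole hierarchy.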
modules/common/src/main/java/org/dcache/auth/AdminRolePrincipal.java: 74 changes (74 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
/* | ||
COPYRIGHT STATUS: | ||
Dec 1st 2001, Fermi National Accelerator Laboratory (FNAL) documents and | ||
software are sponsored by the U.S. Department of Energy under Contract No. | ||
DE-AC02-76CH03000. Therefore, the U.S. Government retains a world-wide | ||
non-exclusive, royalty-free license to publish or reproduce these documents | ||
and software for U.S. Government purposes. All documents and software | ||
available from this server are protected under the U.S. and Foreign | ||
Copyright Laws, and FNAL reserves all rights. | ||
Distribution of the software available from this server is free of | ||
charge subject to the user following the terms of the Fermitools | ||
Software Legal Information. | ||
Redistribution and/or modification of the software shall be accompanied | ||
by the Fermitools Software Legal Information (including the copyright | ||
notice). | ||
The user is asked to feed back problems, benefits, and/or suggestions | ||
about the software to the Fermilab Software Providers. | ||
Neither the name of Fermilab, the URA, nor the names of the contributors | ||
may be used to endorse or promote products derived from this software | ||
without specific prior written permission. | ||
DISCLAIMER OF LIABILITY (BSD): | ||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | ||
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FERMILAB, | ||
OR THE URA, OR THE U.S. DEPARTMENT of ENERGY, OR CONTRIBUTORS BE LIABLE | ||
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | ||
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | ||
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | ||
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
Liabilities of the Government: | ||
This software is provided by URA, independent from its Prime Contract | ||
with the U.S. Department of Energy. URA is acting independently from | ||
the Government and in its own private capacity and is not acting on | ||
behalf of the U.S. Government, nor as its contractor nor its agent. | ||
Correspondingly, it is understood and agreed that the U.S. Government | ||
has no connection to this software and in no manner whatsoever shall | ||
be liable for nor assume any responsibility or obligation for any claim, | ||
cost, or damages arising out of or resulting from the use of the software | ||
available from this server. | ||
Export Control: | ||
All documents and software available from this server are subject to U.S. | ||
export control laws. Anyone downloading information from this server is | ||
obligated to secure any necessary Government licenses before exporting | ||
documents or software obtained from this server. | ||
*/ | ||
package org.dcache.auth; | ||
|
||
/** | ||
* Authorizes the bearer to act as ROOT. | ||
*/ | ||
@AuthenticationOutput | ||
@AuthenticationInput | ||
public class AdminRolePrincipal extends UidRolePrincipal { | ||
|
||
private static final long serialVersionUID = 2702995170926235855L; | ||
|
||
public AdminRolePrincipal() { | ||
super(Subjects.getUid(Subjects.ROOT)); | ||
} | ||
} |
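Review bot: because `AbstractUidPrincipal.equals` compares runtime classes, an `AdminRolePrincipal` carrying the uid of `Subjects.ROOT` is never equal to a `QoSRolePrincipal` with the same uid, so "act as ROOT" only holds if the rewritten QoS permissions utility tests for `AdminRolePrincipal` explicitly rather than relying on principal equality; that utility is not part of this excerpt, so please confirm and state the intended semantics in the Javadoc. The Javadoc should also record that this is the principal the `multimap` entry `admin:` maps to, and, given the `@AuthenticationInput` annotation, which phase is expected to produce it, so that a reader of this class alone can tell where the principal is allowed to originate.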
modules/common/src/main/java/org/dcache/auth/QoSPlaceholderRolePrincipal.java: 89 changes (89 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
/* | ||
COPYRIGHT STATUS: | ||
Dec 1st 2001, Fermi National Accelerator Laboratory (FNAL) documents and | ||
software are sponsored by the U.S. Department of Energy under Contract No. | ||
DE-AC02-76CH03000. Therefore, the U.S. Government retains a world-wide | ||
non-exclusive, royalty-free license to publish or reproduce these documents | ||
and software for U.S. Government purposes. All documents and software | ||
available from this server are protected under the U.S. and Foreign | ||
Copyright Laws, and FNAL reserves all rights. | ||
Distribution of the software available from this server is free of | ||
charge subject to the user following the terms of the Fermitools | ||
Software Legal Information. | ||
Redistribution and/or modification of the software shall be accompanied | ||
by the Fermitools Software Legal Information (including the copyright | ||
notice). | ||
The user is asked to feed back problems, benefits, and/or suggestions | ||
about the software to the Fermilab Software Providers. | ||
Neither the name of Fermilab, the URA, nor the names of the contributors | ||
may be used to endorse or promote products derived from this software | ||
without specific prior written permission. | ||
DISCLAIMER OF LIABILITY (BSD): | ||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | ||
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FERMILAB, | ||
OR THE URA, OR THE U.S. DEPARTMENT of ENERGY, OR CONTRIBUTORS BE LIABLE | ||
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | ||
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | ||
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | ||
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
Liabilities of the Government: | ||
This software is provided by URA, independent from its Prime Contract | ||
with the U.S. Department of Energy. URA is acting independently from | ||
the Government and in its own private capacity and is not acting on | ||
behalf of the U.S. Government, nor as its contractor nor its agent. | ||
Correspondingly, it is understood and agreed that the U.S. Government | ||
has no connection to this software and in no manner whatsoever shall | ||
be liable for nor assume any responsibility or obligation for any claim, | ||
cost, or damages arising out of or resulting from the use of the software | ||
available from this server. | ||
Export Control: | ||
All documents and software available from this server are subject to U.S. | ||
export control laws. Anyone downloading information from this server is | ||
obligated to secure any necessary Government licenses before exporting | ||
documents or software obtained from this server. | ||
*/ | ||
package org.dcache.auth; | ||
|
||
import java.util.UUID; | ||
|
||
/** | ||
* Authorizes the user to execute QoS transitions on the files belonging to that user. | ||
* The user's uid is not specified in the construction of the principal and must | ||
* be derived from the user's actual Uid principal. The placeholder uid value | ||
* is simply an attempt to give each object a unique random value for hashing purposes | ||
* and should not be called in order to reference an actual uid. | ||
*/ | ||
@AuthenticationOutput | ||
@AuthenticationInput | ||
public class QoSPlaceholderRolePrincipal extends UidRolePrincipal { | ||
|
||
private static final long serialVersionUID = 7355594681811638281L; | ||
|
||
private static final long PLACEHOLDER_FOR_USER_UID = Long.MAX_VALUE; | ||
|
||
private final long placeholderUid; | ||
|
||
public QoSPlaceholderRolePrincipal() { | ||
super(PLACEHOLDER_FOR_USER_UID); | ||
placeholderUid = UUID.randomUUID().getLeastSignificantBits(); | ||
} | ||
|
||
public long getUid() { | ||
return placeholderUid; | ||
} | ||
} |
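Review bot: overriding `getUid()` to return a random value breaks the base-class contract in several ways: `getName()` and `toString()` now print a meaningless random number, `UUID.randomUUID().getLeastSignificantBits()` is negative about half the time even though the base constructor rejects negative uids, and the inherited `uid` field (set to `Long.MAX_VALUE` via `super(...)`) disagrees with what `getUid()` returns. Since the stated goal is only to keep instances distinct for hashing, a cleaner approach is to leave `getUid()` alone (returning `PLACEHOLDER_FOR_USER_UID`) and override `equals`/`hashCode` in this class, or, if all placeholder principals are meant to be interchangeable, to rely on the inherited class-plus-uid equality so that a Subject's principal set de-duplicates them. The override is also missing `@Override`. Whichever is chosen, the Javadoc should say plainly that callers must resolve the real uid from the Subject's `UidPrincipal` before using it in any authorization decision.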
modules/common/src/main/java/org/dcache/auth/QoSRolePrincipal.java: 79 changes (79 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
/* | ||
COPYRIGHT STATUS: | ||
Dec 1st 2001, Fermi National Accelerator Laboratory (FNAL) documents and | ||
software are sponsored by the U.S. Department of Energy under Contract No. | ||
DE-AC02-76CH03000. Therefore, the U.S. Government retains a world-wide | ||
non-exclusive, royalty-free license to publish or reproduce these documents | ||
and software for U.S. Government purposes. All documents and software | ||
available from this server are protected under the U.S. and Foreign | ||
Copyright Laws, and FNAL reserves all rights. | ||
Distribution of the software available from this server is free of | ||
charge subject to the user following the terms of the Fermitools | ||
Software Legal Information. | ||
Redistribution and/or modification of the software shall be accompanied | ||
by the Fermitools Software Legal Information (including the copyright | ||
notice). | ||
The user is asked to feed back problems, benefits, and/or suggestions | ||
about the software to the Fermilab Software Providers. | ||
Neither the name of Fermilab, the URA, nor the names of the contributors | ||
may be used to endorse or promote products derived from this software | ||
without specific prior written permission. | ||
DISCLAIMER OF LIABILITY (BSD): | ||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | ||
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FERMILAB, | ||
OR THE URA, OR THE U.S. DEPARTMENT of ENERGY, OR CONTRIBUTORS BE LIABLE | ||
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | ||
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | ||
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | ||
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
Liabilities of the Government: | ||
This software is provided by URA, independent from its Prime Contract | ||
with the U.S. Department of Energy. URA is acting independently from | ||
the Government and in its own private capacity and is not acting on | ||
behalf of the U.S. Government, nor as its contractor nor its agent. | ||
Correspondingly, it is understood and agreed that the U.S. Government | ||
has no connection to this software and in no manner whatsoever shall | ||
be liable for nor assume any responsibility or obligation for any claim, | ||
cost, or damages arising out of or resulting from the use of the software | ||
available from this server. | ||
Export Control: | ||
All documents and software available from this server are subject to U.S. | ||
export control laws. Anyone downloading information from this server is | ||
obligated to secure any necessary Government licenses before exporting | ||
documents or software obtained from this server. | ||
*/ | ||
package org.dcache.auth; | ||
|
||
/** | ||
* Authorizes the bearer to execute QoS transitions on files whose owner | ||
* is the given uid. | ||
*/ | ||
@AuthenticationOutput | ||
@AuthenticationInput | ||
public class QoSRolePrincipal extends UidRolePrincipal { | ||
|
||
private static final long serialVersionUID = 3808303034807479246L; | ||
|
||
public QoSRolePrincipal(Long uid) { | ||
super(uid); | ||
} | ||
|
||
public QoSRolePrincipal(String uid) { | ||
super(uid); | ||
} | ||
} |
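Review bot: the constructor `QoSRolePrincipal(Long uid)` takes a boxed `Long` while the superclass constructor takes `long`, so a null argument unboxes to a `NullPointerException` in `super(uid)`, and the literal call `new QoSRolePrincipal(null)` is ambiguous with the `String` overload; use `long uid` as the parameter type. It would also help to note in the Javadoc that this is the principal the `multimap` entry `qos:<uid>` maps to, that the `String` constructor exists for that mapping, and that it throws `NumberFormatException` on a malformed uid.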