/**
 * Asks the underlying authorization manager whether a user may perform an action
 * on a resource.
 *
 * <p>This wrapper adds no checks of its own; the decision is whatever the manager
 * returned by {@code getAuthorizationManager()} reports.
 *
 * @param userName   name of the user being checked
 * @param resourceId identifier of the resource
 * @param action     action the user wants to perform on the resource
 * @return the manager's answer for this user, resource and action
 * @throws UserStoreException if the underlying manager reports a failure
 */
public boolean isUserAuthorized(String userName, String resourceId, String action)
        throws UserStoreException {
    final boolean authorized =
            getAuthorizationManager().isUserAuthorized(userName, resourceId, action);
    return authorized;
}
if (!realm.getAuthorizationManager().isUserAuthorized(userRegistry.getUserName(),resourcePath, AccessControlConstants.AUTHORIZE)) { String msg = userRegistry.getUserName()+" is not allowed to authorize resource " + resourcePath; accessControlAdmin.clearRoleAuthorization(permRole, resourcePath, ActionConstants.GET); accessControlAdmin.clearRoleAuthorization(permRole, resourcePath, ActionConstants.PUT); accessControlAdmin.clearRoleAuthorization(permRole, resourcePath, ActionConstants.DELETE); accessControlAdmin.clearRoleAuthorization(permRole, resourcePath, AccessControlConstants.AUTHORIZE); accessControlAdmin.authorizeRole(permRole, resourcePath, ActionConstants.GET); notificationResponse += " READ: Allowed."; accessControlAdmin.denyRole(permRole, resourcePath, ActionConstants.GET); notificationResponse += " READ: Denied."; accessControlAdmin.authorizeRole(permRole, resourcePath, ActionConstants.PUT); notificationResponse += " WRITE: Allowed."; accessControlAdmin.denyRole(permRole, resourcePath, ActionConstants.PUT); notificationResponse += " WRITE: Denied."; accessControlAdmin.authorizeRole(permRole, resourcePath, ActionConstants.DELETE); notificationResponse += " DELETE: Allowed."; accessControlAdmin.denyRole(permRole, resourcePath, ActionConstants.DELETE); notificationResponse += " DELETE: Denied."; accessControlAdmin.authorizeRole(permRole, resourcePath, AccessControlConstants.AUTHORIZE); notificationResponse += " AUTHORIZE: Allowed.";
/**
 * Looks up the roles that are allowed to perform an action on a resource.
 *
 * <p>Pure delegation: the array comes straight from the manager returned by
 * {@code getAuthorizationManager()} and is handed back unmodified.
 *
 * @param resourceId identifier of the resource
 * @param action     action being queried
 * @return the role names reported by the underlying manager
 * @throws UserStoreException if the underlying manager reports a failure
 */
public String[] getAllowedRolesForResource(String resourceId, String action)
        throws UserStoreException {
    final String[] allowedRoles =
            getAuthorizationManager().getAllowedRolesForResource(resourceId, action);
    return allowedRoles;
}
/**
 * Populates a UI permission node according to whether the given role or user holds
 * the EXECUTE action on the node's resource path.
 *
 * <p>The role is consulted when {@code roleName} is non-null; the user is consulted
 * only when {@code roleName} is null and {@code userName} is not. When both are null
 * the node is treated as not authorized.
 *
 * @param parent         registry collection backing the node
 * @param parentNode     node to populate
 * @param registry       registry passed through to the builder helpers
 * @param tenantRegistry tenant registry passed through to the builder helpers
 * @param authMan        authorization manager used for the permission check
 * @param roleName       role to check, or null to check {@code userName} instead
 * @param userName       user to check when {@code roleName} is null
 * @throws RegistryException  propagated from the builder helpers
 * @throws UserStoreException propagated from the authorization manager or helpers
 */
private void buildUIPermissionNode(Collection parent, UIPermissionNode parentNode,
        Registry registry, Registry tenantRegistry, AuthorizationManager authMan,
        String roleName, String userName) throws RegistryException, UserStoreException {
    final boolean fullyGranted;
    if (roleName != null) {
        fullyGranted = authMan.isRoleAuthorized(
                roleName, parentNode.getResourcePath(), UserMgtConstants.EXECUTE_ACTION);
    } else if (userName != null) {
        fullyGranted = authMan.isUserAuthorized(
                userName, parentNode.getResourcePath(), UserMgtConstants.EXECUTE_ACTION);
    } else {
        // Neither principal supplied: nothing can be authorized.
        fullyGranted = false;
    }

    if (!fullyGranted) {
        // No grant at this node: let the helper decide child by child.
        buildUIPermissionNodeNotAllSelected(
                parent, parentNode, registry, tenantRegistry, authMan, roleName, userName);
        return;
    }

    // A grant at this node is shown as the whole subtree selected, without
    // re-checking the children against the authorization manager.
    buildUIPermissionNodeAllSelected(parent, parentNode, registry, tenantRegistry);
    parentNode.setSelected(true);
}
// Excerpt: makes sure the role named by the realm configuration as the admin role
// holds the EXECUTE action on the UI permission collection, granting it only when
// the check reports it is missing.
// NOTE(review): the grant is driven entirely by getAdminRoleName(); whoever can change
// that configuration value decides which role receives this permission — confirm the
// configuration source is trusted. The enclosing method and the closing brace of the
// if-block are outside this excerpt.
String adminRole = realm.getRealmConfiguration().getAdminRoleName(); AuthorizationManager authMan = realm.getAuthorizationManager(); if (!authMan.isRoleAuthorized(adminRole, CarbonConstants.UI_PERMISSION_COLLECTION, UserMgtConstants.EXECUTE_ACTION)) { authMan.authorizeRole(adminRole, CarbonConstants.UI_PERMISSION_COLLECTION, UserMgtConstants.EXECUTE_ACTION);
if (!userRealm.getAuthorizationManager().isUserAuthorized(userRegistry.getUserName(),pathToAuthorize, AccessControlConstants.AUTHORIZE)) { String msg = userRegistry.getUserName()+" is not allowed to authorize resource " + pathToAuthorize; userRealm.getAuthorizationManager().authorizeRole(roleToAuthorize, pathToAuthorize, ActionConstants.GET); notificationResponse += " READ: Allowed."; } else { userRealm.getAuthorizationManager().denyRole(roleToAuthorize, pathToAuthorize, ActionConstants.GET); notificationResponse += " READ: Denied."; userRealm.getAuthorizationManager().authorizeRole(roleToAuthorize, pathToAuthorize, ActionConstants.PUT); notificationResponse += " WRITE: Allowed."; } else { userRealm.getAuthorizationManager().denyRole(roleToAuthorize, pathToAuthorize, ActionConstants.PUT); notificationResponse += " WRITE: Denied."; userRealm.getAuthorizationManager().authorizeRole(roleToAuthorize, pathToAuthorize, ActionConstants.DELETE); notificationResponse += " DELETE: Allowed."; } else { userRealm.getAuthorizationManager().denyRole(roleToAuthorize, pathToAuthorize, ActionConstants.DELETE); notificationResponse += " DELETE: Denied."; userRealm.getAuthorizationManager().authorizeRole(roleToAuthorize, pathToAuthorize, AccessControlConstants.AUTHORIZE); notificationResponse += " AUTHORIZE: Allowed."; } else { userRealm.getAuthorizationManager().denyRole(roleToAuthorize, pathToAuthorize, AccessControlConstants.AUTHORIZE); notificationResponse += " AUTHORIZE: Denied.";
/**
 * Replaces the set of UI permissions held by a role.
 *
 * <p>The raw permission paths are first reduced with
 * {@code UserCoreUtil.optimizePermissions}, then every existing EXECUTE grant of the
 * role is cleared and the reduced paths are granted one by one.
 *
 * <p>NOTE(review): the clear and the re-grants are separate calls. If a grant fails
 * part-way, the role is presumably left with only the paths granted so far — confirm
 * whether the authorization manager provides any transactional guarantee. No check on
 * the caller's right to modify {@code roleName} is visible in this method; it is
 * assumed to be enforced by the caller — TODO confirm.
 *
 * @param roleName       role whose UI permissions are replaced
 * @param rawPermissions permission paths requested for the role
 * @throws UserAdminException wrapping any {@code UserStoreException} or
 *                            {@code CarbonException} raised while updating
 */
public static void updateRoleUIPermission(String roleName, String[] rawPermissions)
        throws UserAdminException {
    try {
        final String[] grantPaths = UserCoreUtil.optimizePermissions(rawPermissions);
        final AuthorizationManager authorizer =
                AdminServicesUtil.getUserRealm().getAuthorizationManager();

        // Drop every existing EXECUTE grant before applying the new set.
        authorizer.clearRoleActionOnAllResources(roleName, UserMgtConstants.EXECUTE_ACTION);

        for (int idx = 0; idx < grantPaths.length; idx++) {
            authorizer.authorizeRole(
                    roleName, grantPaths[idx], UserMgtConstants.EXECUTE_ACTION);
        }
    } catch (UserStoreException e) {
        // Not logged here: already logged where it was raised.
        throw new UserAdminException(e.getMessage(), e);
    } catch (CarbonException e) {
        throw new UserAdminException(e.getMessage(), e);
    }
}
/**
 * Grants a rule (action) on a target resource to a role.
 *
 * <p>The call is silently skipped when any of {@code role}, {@code target} or
 * {@code rule} is null. Only null is checked; empty strings are passed through to
 * the authorization manager.
 *
 * @param user   realm whose authorization manager performs the grant
 * @param role   role receiving the permission
 * @param target resource the permission applies to
 * @param rule   action being granted
 * @throws UserStoreException if the authorization manager reports a failure
 */
private void addPermission(UserRealm user, String role, String target, String rule)
        throws UserStoreException {
    final boolean complete = role != null && target != null && rule != null;
    if (!complete) {
        // Nothing to do without all three values.
        return;
    }

    user.getAuthorizationManager().authorizeRole(role, target, rule);

    // The grant is recorded at debug level only; role and target are written verbatim.
    if (log.isDebugEnabled()) {
        final String message =
                "Permission " + rule + " ADDED to role: " + role + " for " + target;
        log.debug(message);
    }
}
// Excerpt: revokes the invoke-service permission on one service from every role that
// currently holds it. The resource id is built as serviceGroupId + "/" + serviceName,
// the allowed roles are listed, and each role's authorization entry is cleared in turn.
// NOTE(review): the resource id is plain string concatenation; if serviceGroupId or
// serviceName can contain "/", two different services could map to the same id —
// confirm how these values are validated upstream. The body of the debug block and the
// end of the loop are outside this excerpt.
acAdmin = realm.getAuthorizationManager(); String resourceName = serviceGroupId + "/" + serviceName; String[] roles = acAdmin.getAllowedRolesForResource( resourceName, UserCoreConstants.INVOKE_SERVICE_PERMISSION); for (int i = 0; i < roles.length; i++) { acAdmin.clearRoleAuthorization(roles[i], resourceName, UserCoreConstants.INVOKE_SERVICE_PERMISSION); if (log.isDebugEnabled()) {
String[] raRoles = authorizer.getAllowedRolesForResource(path, ActionConstants.GET); for (String raRole : raRoles) { if (raRole.equals(adminRoleName)) { String[] rdRoles = authorizer.getDeniedRolesForResource(path, ActionConstants.GET); for (String rdRole : rdRoles) { if (rolePermissionMap.containsKey(rdRole)) { String[] waRoles = authorizer.getAllowedRolesForResource(path, ActionConstants.PUT); for (String waRole : waRoles) { if (waRole.equals(adminRoleName)) { String[] wdRoles = authorizer.getDeniedRolesForResource(path, ActionConstants.PUT); for (String wdRole : wdRoles) { if (rolePermissionMap.containsKey(wdRole)) { String[] daRoles = authorizer.getAllowedRolesForResource(path, ActionConstants.DELETE); for (String daRole : daRoles) { if (daRole.equals(adminRoleName)) { String[] ddRoles = authorizer.getDeniedRolesForResource(path, ActionConstants.DELETE); for (String ddRole : ddRoles) { if (rolePermissionMap.containsKey(ddRole)) { getAllowedRolesForResource(path, AccessControlConstants.AUTHORIZE); for (String aaRole : aaRoles) { if (aaRole.equals(adminRoleName)) { getDeniedRolesForResource(path, AccessControlConstants.AUTHORIZE);
// Excerpt: narrows read access on a config-registry path. GET is denied for the role
// held in everyoneRole, then GET is granted to the single user named by username.
// NOTE(review): whether the per-user grant takes precedence over the role-level deny
// depends on the AuthorizationManager implementation, which is not shown — confirm.
// The two calls are separate steps; if the second one throws, the deny has already
// been issued. The opening of the try block and the catch body are outside this excerpt.
realm.getAuthorizationManager().denyRole(everyoneRole, RegistryConstants.CONFIG_REGISTRY_BASE_PATH + path, ActionConstants.GET); realm.getAuthorizationManager().authorizeUser(username, RegistryConstants.CONFIG_REGISTRY_BASE_PATH + path, ActionConstants.GET); } catch (UserStoreException e) {
/**
 * Removes a rule (action) on a target resource from a role.
 *
 * <p>The removal is carried out by calling {@code denyRole} on the realm's
 * authorization manager, so it is recorded as a deny rather than by clearing an
 * existing entry. The call is silently skipped when any of {@code role},
 * {@code target} or {@code rule} is null.
 *
 * @param user   realm whose authorization manager performs the change
 * @param role   role losing the permission
 * @param target resource the permission applies to
 * @param rule   action being removed
 * @throws UserStoreException if the authorization manager reports a failure
 */
private void removePermission(UserRealm user, String role, String target, String rule)
        throws UserStoreException {
    final boolean complete = role != null && target != null && rule != null;
    if (!complete) {
        // Nothing to do without all three values.
        return;
    }

    user.getAuthorizationManager().denyRole(role, target, rule);

    // The change is recorded at debug level only; role and target are written verbatim.
    if (log.isDebugEnabled()) {
        final String message =
                "Permission: " + rule + " REMOVED from role: " + role + " for " + target;
        log.debug(message);
    }
}
/**
 * Clears a role's authorization entry for one action on one resource by delegating
 * to the underlying authorization manager.
 *
 * <p>NOTE(review): the {@code authorizeRole} and {@code authorizeUser} wrappers shown
 * on this page call {@code Util.checkAccess(resourceId)} before delegating; this
 * method does not. If they belong to the same class, confirm the omission is
 * intentional — clearing an entry may remove a deny as well as a grant, depending on
 * the manager's semantics.
 *
 * @param roleName   role whose entry is cleared
 * @param resourceId identifier of the resource
 * @param action     action whose entry is cleared
 * @throws UserStoreException if the underlying manager reports a failure
 */
public void clearRoleAuthorization(String roleName, String resourceId, String action)
        throws UserStoreException {
    getAuthorizationManager()
            .clearRoleAuthorization(roleName, resourceId, action);
}
/**
 * Grants a user an action on a resource.
 *
 * <p>{@code Util.checkAccess(resourceId)} runs first and the grant is delegated to
 * the underlying authorization manager only if that call returns normally.
 * Presumably the check rejects resource ids this entry point must not modify; its
 * implementation is not shown here.
 *
 * @param userName   user receiving the permission
 * @param resourceId identifier of the resource
 * @param action     action being granted
 * @throws UserStoreException if the access check or the underlying manager fails
 */
public void authorizeUser(String userName, String resourceId, String action)
        throws UserStoreException {
    // Gate on the resource id before any state is changed.
    Util.checkAccess(resourceId);

    getAuthorizationManager()
            .authorizeUser(userName, resourceId, action);
}
/**
 * Populates a UI permission node according to whether the given role or user holds
 * the EXECUTE action on the node's resource path.
 *
 * <p>The role is consulted when {@code roleName} is non-null; the user is consulted
 * only when {@code roleName} is null and {@code userName} is not. When both are null
 * the node is treated as not authorized.
 *
 * @param parent         registry collection backing the node
 * @param parentNode     node to populate
 * @param registry       registry passed through to the builder helpers
 * @param tenantRegistry tenant registry passed through to the builder helpers
 * @param authMan        authorization manager used for the permission check
 * @param roleName       role to check, or null to check {@code userName} instead
 * @param userName       user to check when {@code roleName} is null
 * @throws RegistryException  propagated from the builder helpers
 * @throws UserStoreException propagated from the authorization manager or helpers
 */
private void buildUIPermissionNode(Collection parent, UIPermissionNode parentNode,
        Registry registry, Registry tenantRegistry, AuthorizationManager authMan,
        String roleName, String userName) throws RegistryException, UserStoreException {
    final boolean fullyGranted;
    if (roleName != null) {
        fullyGranted = authMan.isRoleAuthorized(
                roleName, parentNode.getResourcePath(), UserMgtConstants.EXECUTE_ACTION);
    } else if (userName != null) {
        fullyGranted = authMan.isUserAuthorized(
                userName, parentNode.getResourcePath(), UserMgtConstants.EXECUTE_ACTION);
    } else {
        // Neither principal supplied: nothing can be authorized.
        fullyGranted = false;
    }

    if (!fullyGranted) {
        // No grant at this node: let the helper decide child by child.
        buildUIPermissionNodeNotAllSelected(
                parent, parentNode, registry, tenantRegistry, authMan, roleName, userName);
        return;
    }

    // A grant at this node is shown as the whole subtree selected, without
    // re-checking the children against the authorization manager.
    buildUIPermissionNodeAllSelected(parent, parentNode, registry, tenantRegistry);
    parentNode.setSelected(true);
}
// Excerpt: replaces a role's EXECUTE grants. Every existing EXECUTE grant of the role
// is cleared, then the role is granted EXECUTE on each path in optimizedList.
// NOTE(review): as written here the clear and the grants are separate calls; a failure
// part-way through the loop presumably leaves the role with only the paths granted so
// far — confirm whether the caller or the manager makes this atomic. The end of the
// loop is outside this excerpt.
authMan.clearRoleActionOnAllResources(roleName, UserMgtConstants.EXECUTE_ACTION); for (String path : optimizedList) { authMan.authorizeRole(roleName, path, UserMgtConstants.EXECUTE_ACTION);
/**
 * Grants a role an action on a resource.
 *
 * <p>{@code Util.checkAccess(resourceId)} runs first and the grant is delegated to
 * the underlying authorization manager only if that call returns normally.
 * Presumably the check rejects resource ids this entry point must not modify; its
 * implementation is not shown here.
 *
 * @param roleName   role receiving the permission
 * @param resourceId identifier of the resource
 * @param action     action being granted
 * @throws UserStoreException if the access check or the underlying manager fails
 */
public void authorizeRole(String roleName, String resourceId, String action)
        throws UserStoreException {
    // Gate on the resource id before any state is changed.
    Util.checkAccess(resourceId);

    getAuthorizationManager()
            .authorizeRole(roleName, resourceId, action);
}
// Excerpt: revokes the invoke-service permission on one service from every role that
// currently holds it. The resource id is built as serviceGroupId + "/" + serviceName,
// the allowed roles are listed, and each role's authorization entry is cleared in turn.
// NOTE(review): the resource id is plain string concatenation; if serviceGroupId or
// serviceName can contain "/", two different services could map to the same id —
// confirm how these values are validated upstream. The body of the debug block and the
// end of the loop are outside this excerpt.
acAdmin = realm.getAuthorizationManager(); String resourceName = serviceGroupId + "/" + serviceName; String[] roles = acAdmin.getAllowedRolesForResource( resourceName, UserCoreConstants.INVOKE_SERVICE_PERMISSION); for (int i = 0; i < roles.length; i++) { acAdmin.clearRoleAuthorization(roles[i], resourceName, UserCoreConstants.INVOKE_SERVICE_PERMISSION); if (log.isDebugEnabled()) {
// Excerpt: makes sure the role named by the realm configuration as the admin role
// holds the EXECUTE action on the UI permission collection, granting it only when
// the check reports it is missing.
// NOTE(review): the grant is driven entirely by getAdminRoleName(); whoever can change
// that configuration value decides which role receives this permission — confirm the
// configuration source is trusted. The enclosing method and the closing brace of the
// if-block are outside this excerpt.
String adminRole = realm.getRealmConfiguration().getAdminRoleName(); AuthorizationManager authMan = realm.getAuthorizationManager(); if (!authMan.isRoleAuthorized(adminRole, CarbonConstants.UI_PERMISSION_COLLECTION, UserMgtConstants.EXECUTE_ACTION)) { authMan.authorizeRole(adminRole, CarbonConstants.UI_PERMISSION_COLLECTION, UserMgtConstants.EXECUTE_ACTION);
/**
 * Denies a role an action on a resource by delegating to the underlying
 * authorization manager.
 *
 * <p>NOTE(review): the {@code authorizeRole} and {@code authorizeUser} wrappers shown
 * on this page call {@code Util.checkAccess(resourceId)} before delegating; this
 * method does not. If they belong to the same class, confirm the omission is
 * intentional, since a deny on a resource the caller should not manage can still
 * lock other principals out of it.
 *
 * @param roleName   role being denied
 * @param resourceId identifier of the resource
 * @param action     action being denied
 * @throws UserStoreException if the underlying manager reports a failure
 */
public void denyRole(String roleName, String resourceId, String action)
        throws UserStoreException {
    getAuthorizationManager()
            .denyRole(roleName, resourceId, action);
}