org.apache.ambari.server.controller.internal

Class AbstractAuthorizedResourceProvider

java.lang.Object

org.apache.ambari.server.controller.internal.BaseProvider

org.apache.ambari.server.controller.internal.AbstractResourceProvider

org.apache.ambari.server.controller.internal.AbstractAuthorizedResourceProvider

All Implemented Interfaces:

ObservableResourceProvider, ResourceProvider

Direct Known Subclasses:

AbstractControllerResourceProvider, AlertTargetResourceProvider, PrivilegeResourceProvider, RemoteClusterResourceProvider, RepositoryVersionResourceProvider, RootServiceComponentConfigurationResourceProvider, SettingResourceProvider, UserAuthenticationSourceResourceProvider, VersionDefinitionResourceProvider, ViewInstanceResourceProvider, ViewResourceProvider, ViewURLResourceProvider

public abstract class AbstractAuthorizedResourceProvider
extends AbstractResourceProvider

AbstractAuthorizedResourceProvider helps to provide an authorization layer for a resource provider.

Resource providers that need to perform authorization checks should extend ths abstract class and then override the *ResourcesAuthorized methods and set the required*Authorizations properties. For more sophisticated authorization checks, the isAuthorizedTo*Resources methods may be overwritten.

Additionally, the AuthorizationHelper.isAuthorized(ResourceType, Long, Set) or AuthorizationHelper.verifyAuthorization(ResourceType, Long, Set) methods may be called within the logic of the resource provider implementation to provide checks on particular resources.

See Also:

AuthorizationHelper

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.ambari.server.controller.internal.AbstractResourceProvider

AbstractResourceProvider.Command<T>

Field Summary

Fields inherited from class org.apache.ambari.server.controller.internal.AbstractResourceProvider

keyPropertyIds, LOG, PROPERTIES_ATTRIBUTES_REGEX

Method Summary

Modifier and Type	Method and Description
RequestStatus	createResources(Request request) Create the resources defined by the properties in the given request object.
protected RequestStatus	createResourcesAuthorized(Request request) Create the resources defined by the properties in the given request object if authorization was granted to the authenticated user.
RequestStatus	deleteResources(Request request, Predicate predicate) Delete the resources selected by the given predicate.
protected RequestStatus	deleteResourcesAuthorized(Request request, Predicate predicate) Delete the resources selected by the given predicate if the authenticated user is authorized to do so.
Set<RoleAuthorization>	getRequiredCreateAuthorizations() Gets the authorizations for which one is needed to the grant access to create resources or a particular resource.
Set<RoleAuthorization>	getRequiredDeleteAuthorizations() Gets the authorizations for which one is needed to the grant access to delete resources or a particular resource.
Set<RoleAuthorization>	getRequiredGetAuthorizations() Gets the authorizations for which one is needed to the grant access to get resources or a particular resource.
Set<RoleAuthorization>	getRequiredUpdateAuthorizations() Gets the authorizations for which one is needed to the grant access to update resources or a particular resource.
protected Long	getResourceId(Request request, Predicate predicate) Gets the identifier, relative to the the effected ResourceType that is effected by the relevant request and predicate.
Set<Resource>	getResources(Request request, Predicate predicate) Get a set of resources based on the given request and predicate information.
protected Set<Resource>	getResourcesAuthorized(Request request, Predicate predicate) Get a set of resources based on the given request and predicate information if the authenticated user is authorized to do so.
protected ResourceType	getResourceType(Request request, Predicate predicate) Gets the ResourceType that is effected by the relevant request and predicate.
protected boolean	isAuthorizedToCreateResources(org.springframework.security.core.Authentication authentication, Request request) Tests authorization to create resources.
protected boolean	isAuthorizedToDeleteResources(org.springframework.security.core.Authentication authentication, Predicate predicate) Tests authorization to delete resources.
protected boolean	isAuthorizedToGetResources(org.springframework.security.core.Authentication authentication, Request request, Predicate predicate) Tests authorization to get resources.
protected boolean	isAuthorizedToUpdateResources(org.springframework.security.core.Authentication authentication, Request request, Predicate predicate) Tests authorization to update resources Implementations should override this method to perform a more sophisticated authorization routine.
void	setRequiredCreateAuthorizations(Set<RoleAuthorization> requiredCreateAuthorizations) Sets the authorizations for which one is needed to the grant access to create resources or a particular resource.
void	setRequiredDeleteAuthorizations(Set<RoleAuthorization> requiredDeleteAuthorizations) Sets the authorizations for which one is needed to the grant access to delete resources or a particular resource.
void	setRequiredGetAuthorizations(Set<RoleAuthorization> requiredGetAuthorizations) Sets the authorizations for which one is needed to the grant access to get resources or a particular resource.
void	setRequiredUpdateAuthorizations(Set<RoleAuthorization> requiredUpdateAuthorizations) Sets the authorizations for which one is needed to the grant access to update resources or a particular resource.
RequestStatus	updateResources(Request request, Predicate predicate) Update the resources selected by the given predicate with the properties from the given request object.
protected RequestStatus	updateResourcesAuthorized(Request request, Predicate predicate) Update the resources selected by the given predicate with the properties from the given request object if the authenticated user is authorized to do so.

Methods inherited from class org.apache.ambari.server.controller.internal.AbstractResourceProvider

addObserver, createResources, getConfigurationRequests, getKeyPropertyIds, getPKPropertyIds, getPropertyMaps, getPropertyMaps, getQueryParameterValue, getRequestStatus, getRequestStatus, getRequestStatus, getResources, modifyResources, notifyCreate, notifyDelete, notifyUpdate, parseProperties, updateObservers

Methods inherited from class org.apache.ambari.server.controller.internal.BaseProvider

checkCategory, checkConfigPropertyIds, checkPropertyIds, containsArguments, getCategoryIds, getPropertyIds, getRegexEntry, getRegexGroups, getRequestPropertyIds, isPatternKey, isPropertyCategoryRequested, isPropertyEntryRequested, isPropertyRequested, setResourceProperty

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.ambari.server.controller.spi.ResourceProvider

checkPropertyIds

Method Detail

getRequiredCreateAuthorizations

public Set<RoleAuthorization> getRequiredCreateAuthorizations()

Gets the authorizations for which one is needed to the grant access to create resources or a particular resource.

A null or empty set indicates no authorization check needs to be performed.

Returns:

a set of authorizations

setRequiredCreateAuthorizations

public void setRequiredCreateAuthorizations(Set<RoleAuthorization> requiredCreateAuthorizations)

Sets the authorizations for which one is needed to the grant access to create resources or a particular resource.

A null or empty set indicates no authorization check needs to be performed.

Parameters:

requiredCreateAuthorizations - a set of authorizations

getRequiredGetAuthorizations

public Set<RoleAuthorization> getRequiredGetAuthorizations()

Gets the authorizations for which one is needed to the grant access to get resources or a particular resource.

A null or empty set indicates no authorization check needs to be performed.

Returns:

a set of authorizations

setRequiredGetAuthorizations

public void setRequiredGetAuthorizations(Set<RoleAuthorization> requiredGetAuthorizations)

Sets the authorizations for which one is needed to the grant access to get resources or a particular resource.

A null or empty set indicates no authorization check needs to be performed.

Parameters:

requiredGetAuthorizations - a set of authorizations

getRequiredUpdateAuthorizations

public Set<RoleAuthorization> getRequiredUpdateAuthorizations()

Gets the authorizations for which one is needed to the grant access to update resources or a particular resource.

A null or empty set indicates no authorization check needs to be performed.

Returns:

a set of authorizations

setRequiredUpdateAuthorizations

public void setRequiredUpdateAuthorizations(Set<RoleAuthorization> requiredUpdateAuthorizations)

Sets the authorizations for which one is needed to the grant access to update resources or a particular resource.

A null or empty set indicates no authorization check needs to be performed.

Parameters:

requiredUpdateAuthorizations - a set of authorizations

getRequiredDeleteAuthorizations

public Set<RoleAuthorization> getRequiredDeleteAuthorizations()

Gets the authorizations for which one is needed to the grant access to delete resources or a particular resource.

A null or empty set indicates no authorization check needs to be performed.

Returns:

a set of authorizations

setRequiredDeleteAuthorizations

public void setRequiredDeleteAuthorizations(Set<RoleAuthorization> requiredDeleteAuthorizations)

Sets the authorizations for which one is needed to the grant access to delete resources or a particular resource.

A null or empty set indicates no authorization check needs to be performed.

Parameters:

requiredDeleteAuthorizations - a set of authorizations

createResources

public RequestStatus createResources(Request request)
                              throws SystemException,
                                     UnsupportedPropertyException,
                                     ResourceAlreadyExistsException,
                                     NoSuchParentResourceException

Create the resources defined by the properties in the given request object.

This implementation attempts to authorize the authenticated user before performing the requested operation. If authorization fails, an AuthorizationException will be thrown.

This method may be overwritten by implementing classes to avoid performing authorization checks to create resources.

Parameters:

request - the request object which defines the set of properties for the resources to be created

Returns:

the request status

Throws:

SystemException - an internal system exception occurred

UnsupportedPropertyException - the request contains unsupported property ids

ResourceAlreadyExistsException - attempted to create a resource which already exists

NoSuchParentResourceException - a parent resource of the resource to create doesn't exist

AuthorizationException - if the authenticated user is not authorized to perform this operation

getResources

public Set<Resource> getResources(Request request,
                                  Predicate predicate)
                           throws SystemException,
                                  UnsupportedPropertyException,
                                  NoSuchResourceException,
                                  NoSuchParentResourceException

Get a set of resources based on the given request and predicate information.

Note that it is not required for this resource provider to completely filter the set of resources based on the given predicate. It may not be possible since some of the properties involved may be provided by another provider. This partial filtering is allowed because the predicate will always be applied by the calling cluster controller. The predicate is made available at this level so that some pre-filtering can be done as an optimization.

A simple implementation of a resource provider may choose to just return all of the resources of a given type and allow the calling cluster controller to filter based on the predicate.

This implementation attempts to authorize the authenticated user before performing the requested operation. If authorization fails, an AuthorizationException will be thrown.

This method may be overwritten by implementing classes to avoid performing authorization checks to get resources.

Parameters:

request - the request object which defines the desired set of properties

predicate - the predicate object which can be used to filter which resources are returned

Returns:

a set of resources based on the given request and predicate information

Throws:

SystemException - an internal system exception occurred

UnsupportedPropertyException - the request contains unsupported property ids

NoSuchResourceException - the requested resource instance doesn't exist

NoSuchParentResourceException - a parent resource of the requested resource doesn't exist

AuthorizationException - if the authenticated user is not authorized to perform this operation

updateResources

public RequestStatus updateResources(Request request,
                                     Predicate predicate)
                              throws SystemException,
                                     UnsupportedPropertyException,
                                     NoSuchResourceException,
                                     NoSuchParentResourceException

Update the resources selected by the given predicate with the properties from the given request object.

This implementation attempts to authorize the authenticated user before performing the requested operation. If authorization fails, an AuthorizationException will be thrown.

This method may be overwritten by implementing classes to avoid performing authorization checks to update resources.

Parameters:

request - the request object which defines the set of properties for the resources to be updated

predicate - the predicate object which can be used to filter which resources are updated

Returns:

the request status

Throws:

SystemException - an internal system exception occurred

UnsupportedPropertyException - the request contains unsupported property ids

NoSuchResourceException - the resource instance to be updated doesn't exist

NoSuchParentResourceException - a parent resource of the resource doesn't exist

AuthorizationException - if the authenticated user is not authorized to perform this operation

deleteResources

public RequestStatus deleteResources(Request request,
                                     Predicate predicate)
                              throws SystemException,
                                     UnsupportedPropertyException,
                                     NoSuchResourceException,
                                     NoSuchParentResourceException

Delete the resources selected by the given predicate.

This implementation attempts to authorize the authenticated user before performing the requested operation. If authorization fails, an AuthorizationException will be thrown.

This method may be overwritten by implementing classes to avoid performing authorization checks to delete resources.

Parameters:

request -

predicate - the predicate object which can be used to filter which resources are deleted

Returns:

the request status

Throws:

SystemException - an internal system exception occurred

UnsupportedPropertyException - the request contains unsupported property ids

NoSuchResourceException - the resource instance to be deleted doesn't exist

NoSuchParentResourceException - a parent resource of the resource doesn't exist

AuthorizationException - if the authenticated user is not authorized to perform this operation

createResourcesAuthorized

protected RequestStatus createResourcesAuthorized(Request request)
                                           throws SystemException,
                                                  UnsupportedPropertyException,
                                                  ResourceAlreadyExistsException,
                                                  NoSuchParentResourceException

Create the resources defined by the properties in the given request object if authorization was granted to the authenticated user.

This method must be overwritten if createResources(Request) is not overwritten.

Parameters:

request - the request object which defines the set of properties for the resources to be created

Returns:

the request status

Throws:

SystemException - an internal system exception occurred

UnsupportedPropertyException - the request contains unsupported property ids

ResourceAlreadyExistsException - attempted to create a resource which already exists

NoSuchParentResourceException - a parent resource of the resource to create doesn't exist

AuthorizationException - if the authenticated user is not authorized to perform this operation

See Also:

createResources(Request)

isAuthorizedToCreateResources

protected boolean isAuthorizedToCreateResources(org.springframework.security.core.Authentication authentication,
                                                Request request)
                                         throws SystemException

Tests authorization to create resources.

Implementations should override this method to perform a more sophisticated authorization routine.

Parameters:

authentication - the authenticated user and associated access privileges

request - the request object which defines the set of properties for the resources to be created

Returns:

true if authorized; otherwise false

Throws:

SystemException - if an internal system exception occurred

getResourcesAuthorized

protected Set<Resource> getResourcesAuthorized(Request request,
                                               Predicate predicate)
                                        throws SystemException,
                                               UnsupportedPropertyException,
                                               NoSuchResourceException,
                                               NoSuchParentResourceException

Get a set of resources based on the given request and predicate information if the authenticated user is authorized to do so.

This method must be overwritten if getResources(Request, Predicate) is not overwritten.

Parameters:

request - the request object which defines the desired set of properties

predicate - the predicate object which can be used to filter which resources are returned

Returns:

a set of resources based on the given request and predicate information

Throws:

SystemException - an internal system exception occurred

UnsupportedPropertyException - the request contains unsupported property ids

NoSuchResourceException - the requested resource instance doesn't exist

NoSuchParentResourceException - a parent resource of the requested resource doesn't exist

AuthorizationException - if the authenticated user is not authorized to perform this operation

See Also:

getResources(Request, Predicate)

isAuthorizedToGetResources

protected boolean isAuthorizedToGetResources(org.springframework.security.core.Authentication authentication,
                                             Request request,
                                             Predicate predicate)
                                      throws SystemException

Tests authorization to get resources.

Implementations should override this method to perform a more sophisticated authorization routine.

Parameters:

authentication - the authenticated user and associated access privileges

request - the request object which defines the desired set of properties

predicate - the predicate object which can be used to filter which resources are returned

Returns:

true if authorized; otherwise false

Throws:

SystemException - if an internal system exception occurred

updateResourcesAuthorized

protected RequestStatus updateResourcesAuthorized(Request request,
                                                  Predicate predicate)
                                           throws SystemException,
                                                  UnsupportedPropertyException,
                                                  NoSuchResourceException,
                                                  NoSuchParentResourceException

Update the resources selected by the given predicate with the properties from the given request object if the authenticated user is authorized to do so.

This method must be overwritten if updateResources(Request, Predicate) is not overwritten.

Parameters:

request - the request object which defines the set of properties for the resources to be updated

predicate - the predicate object which can be used to filter which resources are updated

Returns:

the request status

Throws:

SystemException - an internal system exception occurred

UnsupportedPropertyException - the request contains unsupported property ids

NoSuchResourceException - the resource instance to be updated doesn't exist

NoSuchParentResourceException - a parent resource of the resource doesn't exist

AuthorizationException - if the authenticated user is not authorized to perform this operation

See Also:

updateResources(Request, Predicate)

isAuthorizedToUpdateResources

protected boolean isAuthorizedToUpdateResources(org.springframework.security.core.Authentication authentication,
                                                Request request,
                                                Predicate predicate)
                                         throws SystemException

Tests authorization to update resources

Implementations should override this method to perform a more sophisticated authorization routine.

Parameters:

authentication - the authenticated user and associated access privileges

request - the request object which defines the desired set of properties

predicate - the predicate object which can be used to filter which resources are returned

Returns:

true if authorized; otherwise false

Throws:

SystemException - if an internal system exception occurred

deleteResourcesAuthorized

protected RequestStatus deleteResourcesAuthorized(Request request,
                                                  Predicate predicate)
                                           throws SystemException,
                                                  UnsupportedPropertyException,
                                                  NoSuchResourceException,
                                                  NoSuchParentResourceException

Delete the resources selected by the given predicate if the authenticated user is authorized to do so.

This method must be overwritten if ResourceProvider.deleteResources(Request, Predicate) is not overwritten.

Parameters:

request -

predicate - the predicate object which can be used to filter which resources are deleted

Returns:

the request status

Throws:

SystemException - an internal system exception occurred

UnsupportedPropertyException - the request contains unsupported property ids

NoSuchResourceException - the resource instance to be deleted doesn't exist

NoSuchParentResourceException - a parent resource of the resource doesn't exist

AuthorizationException - if the authenticated user is not authorized to perform this operation

See Also:

ResourceProvider.deleteResources(Request, Predicate)

isAuthorizedToDeleteResources

protected boolean isAuthorizedToDeleteResources(org.springframework.security.core.Authentication authentication,
                                                Predicate predicate)
                                         throws SystemException

Tests authorization to delete resources.

Implementations should override this method to perform a more sophisticated authorization routine.

Parameters:

authentication - the authenticated user and associated access privileges

predicate - the predicate object which can be used to filter which resources are deleted

Returns:

true if authorized; otherwise false

Throws:

SystemException - if an internal system exception occurred

getResourceType

protected ResourceType getResourceType(Request request,
                                       Predicate predicate)

Gets the ResourceType that is effected by the relevant request and predicate.

Implementations should override this method return the proper ResourceType.

Parameters:

request - the request object which defines the desired set of properties

predicate - the predicate object which can be used to indicate the filter

Returns:

a ResourceType

getResourceId

protected Long getResourceId(Request request,
                             Predicate predicate)

Gets the identifier, relative to the the effected ResourceType that is effected by the relevant request and predicate.

Implementations should override this method return the proper resource id.

Parameters:

request - the request object which defines the desired set of properties

predicate - the predicate object which can be used to indicate the filter

Returns:

a resource id; or null to indicate any or all resources of the relevant type