org.apache.ambari.server.security.authorization

Class AuthorizationHelper

java.lang.Object

org.apache.ambari.server.security.authorization.AuthorizationHelper

public class AuthorizationHelper
extends Object

Provides utility methods for authentication functionality

Constructor Summary

Constructors

Constructor and Description
AuthorizationHelper()

Method Summary

Modifier and Type	Method and Description
static void	addLoginNameAlias(String ambariUserName, String loginAlias) There are cases when users log-in with a login name that is define in LDAP and which do not correspond to the user name stored locally in ambari.
Collection<org.springframework.security.core.GrantedAuthority>	convertPrivilegesToAuthorities(Collection<PrivilegeEntity> privilegeEntities) Converts collection of RoleEntities to collection of GrantedAuthorities
static int	getAuthenticatedId() Gets the ID of the logged-in user.
static String	getAuthenticatedName() Gets the name of the logged in user.
static String	getAuthenticatedName(String defaultUsername) Gets the name of the logged-in user, if any.
static org.springframework.security.core.Authentication	getAuthentication() Retrieves the authenticated user and authorization details from the application's security context.
static List<String>	getAuthorizationNames(org.springframework.security.core.Authentication authentication) Retrieve authorization names based on the details of the authenticated user
static String	getProxyUserName() Gets the name of the logged-in proxy user, if any.
static String	getProxyUserName(org.springframework.security.core.Authentication authentication) Gets the name of the logged-in proxy user, if any.
static boolean	isAuthorized(org.springframework.security.core.Authentication authentication, ResourceType resourceType, Long resourceId, RoleAuthorization requiredAuthorization) Determines if the specified authenticated user is authorized to perform an operation on the specific resource by matching the authenticated user's authorizations with the one indicated.
static boolean	isAuthorized(org.springframework.security.core.Authentication authentication, ResourceType resourceType, Long resourceId, Set<RoleAuthorization> requiredAuthorizations) Determines if the specified authenticated user is authorized to perform an operation on the the specific resource by matching the authenticated user's authorizations with one from the provided set of authorizations.
static boolean	isAuthorized(ResourceType resourceType, Long resourceId, RoleAuthorization requiredAuthorization) Determines if the authenticated user (from application's security context) is authorized to perform an operation on the specific resource by matching the authenticated user's authorizations with the one indicated.
static boolean	isAuthorized(ResourceType resourceType, Long resourceId, Set<RoleAuthorization> requiredAuthorizations) Determines if the authenticated user (from application's security context) is authorized to perform an operation on the specific resource by matching the authenticated user's authorizations with one from the provided set of authorizations.
static String	resolveLoginAliasToUserName(String loginAlias) Looks up the provided loginAlias in the current http session and return the ambari user name that the alias is defined for.
static void	verifyAuthorization(org.springframework.security.core.Authentication authentication, ResourceType resourceType, Long resourceId, Set<RoleAuthorization> requiredAuthorizations) Determines if the specified authenticated user is authorized to perform an operation on the the specific resource by matching the authenticated user's authorizations with one from the provided set of authorizations.
static void	verifyAuthorization(ResourceType resourceType, Long resourceId, Set<RoleAuthorization> requiredAuthorizations) Determines if the authenticated user (from application's security context) is authorized to perform an operation on the the specific resource by matching the authenticated user's authorizations with one from the provided set of authorizations.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AuthorizationHelper

public AuthorizationHelper()

Method Detail

getProxyUserName

public static String getProxyUserName(org.springframework.security.core.Authentication authentication)

Gets the name of the logged-in proxy user, if any.

Parameters:

authentication -

Returns:

the name of the logged-in proxy user

getProxyUserName

public static String getProxyUserName()

Gets the name of the logged-in proxy user, if any.

Returns:

the name of the logged-in proxy user

convertPrivilegesToAuthorities

public Collection<org.springframework.security.core.GrantedAuthority> convertPrivilegesToAuthorities(Collection<PrivilegeEntity> privilegeEntities)

Converts collection of RoleEntities to collection of GrantedAuthorities

getAuthenticatedName

public static String getAuthenticatedName()

Gets the name of the logged in user. Thread-safe due to use of thread-local.

Returns:

the name of the logged in user, or null if none set.

getAuthenticatedName

public static String getAuthenticatedName(String defaultUsername)

Gets the name of the logged-in user, if any. Thread-safe due to use of thread-local.

Parameters:

defaultUsername - the value if there is no logged-in user

Returns:

the name of the logged-in user, or the default

getAuthenticatedId

public static int getAuthenticatedId()

Gets the ID of the logged-in user. Thread-safe due to use of thread-local.

Returns:

the ID of the logged-in user

isAuthorized

public static boolean isAuthorized(ResourceType resourceType,
                                   Long resourceId,
                                   RoleAuthorization requiredAuthorization)

Determines if the authenticated user (from application's security context) is authorized to perform an operation on the specific resource by matching the authenticated user's authorizations with the one indicated.

Parameters:

resourceType - a resource type being acted upon

resourceId - the privilege resource id (or adminresource.id) of the relevant resource

requiredAuthorization - the required authorization

Returns:

true if authorized; otherwise false

See Also:

isAuthorized(Authentication, ResourceType, Long, Set)

isAuthorized

public static boolean isAuthorized(ResourceType resourceType,
                                   Long resourceId,
                                   Set<RoleAuthorization> requiredAuthorizations)

Determines if the authenticated user (from application's security context) is authorized to perform an operation on the specific resource by matching the authenticated user's authorizations with one from the provided set of authorizations.

Parameters:

resourceType - a resource type being acted upon

resourceId - the privilege resource id (or adminresource.id) of the relevant resource

requiredAuthorizations - a set of requirements for which one match will allow authorization

Returns:

true if authorized; otherwise false

See Also:

isAuthorized(Authentication, ResourceType, Long, Set)

isAuthorized

public static boolean isAuthorized(org.springframework.security.core.Authentication authentication,
                                   ResourceType resourceType,
                                   Long resourceId,
                                   RoleAuthorization requiredAuthorization)

Determines if the specified authenticated user is authorized to perform an operation on the specific resource by matching the authenticated user's authorizations with the one indicated.

Parameters:

authentication - the authenticated user and associated access privileges

resourceType - a resource type being acted upon

resourceId - the privilege resource id (or adminresource.id) of the relevant resource

requiredAuthorization - the required authorization

Returns:

true if authorized; otherwise false

See Also:

isAuthorized(Authentication, ResourceType, Long, Set)

isAuthorized

public static boolean isAuthorized(org.springframework.security.core.Authentication authentication,
                                   ResourceType resourceType,
                                   Long resourceId,
                                   Set<RoleAuthorization> requiredAuthorizations)

Determines if the specified authenticated user is authorized to perform an operation on the the specific resource by matching the authenticated user's authorizations with one from the provided set of authorizations.

The specified resource type is a high-level resource such as Ambari, a cluster, or a view.

The specified resource id is the (admin)resource id referenced by a specific resource instance such as a cluster or view.

Parameters:

authentication - the authenticated user and associated access privileges

resourceType - a resource type being acted upon

resourceId - the privilege resource id (or adminresource.id) of the relevant resource

requiredAuthorizations - a set of requirements for which one match will allow authorization

Returns:

true if authorized; otherwise false

verifyAuthorization

public static void verifyAuthorization(ResourceType resourceType,
                                       Long resourceId,
                                       Set<RoleAuthorization> requiredAuthorizations)
                                throws AuthorizationException

Determines if the authenticated user (from application's security context) is authorized to perform an operation on the the specific resource by matching the authenticated user's authorizations with one from the provided set of authorizations.

If not authorized, an AuthorizationException will be thrown.

Parameters:

resourceType - a resource type being acted upon

resourceId - the privilege resource id (or adminresource.id) of the relevant resource

requiredAuthorizations - a set of requirements for which one match will allow authorization

Throws:

AuthorizationException - if authorization is not granted

See Also:

isAuthorized(ResourceType, Long, Set)

verifyAuthorization

public static void verifyAuthorization(org.springframework.security.core.Authentication authentication,
                                       ResourceType resourceType,
                                       Long resourceId,
                                       Set<RoleAuthorization> requiredAuthorizations)
                                throws AuthorizationException

Determines if the specified authenticated user is authorized to perform an operation on the the specific resource by matching the authenticated user's authorizations with one from the provided set of authorizations.

If not authorized, an AuthorizationException will be thrown.

Parameters:

authentication - the authenticated user and associated access privileges

resourceType - a resource type being acted upon

resourceId - the privilege resource id (or adminresource.id) of the relevant resource

requiredAuthorizations - a set of requirements for which one match will allow authorization

Throws:

AuthorizationException - if authorization is not granted

See Also:

isAuthorized(Authentication, ResourceType, Long, Set)

getAuthentication

public static org.springframework.security.core.Authentication getAuthentication()

Retrieves the authenticated user and authorization details from the application's security context.

Returns:

the authenticated user and associated access privileges; or null if not available

addLoginNameAlias

public static void addLoginNameAlias(String ambariUserName,
                                     String loginAlias)

There are cases when users log-in with a login name that is define in LDAP and which do not correspond to the user name stored locally in ambari. These external login names act as an alias to ambari users name. This method stores in the current http session a mapping of alias user name to local ambari user name to make possible resolving login alias to ambari user name.

Parameters:

ambariUserName - ambari user name for which the alias is to be stored in the session

loginAlias - the alias for the ambari user name.

resolveLoginAliasToUserName

public static String resolveLoginAliasToUserName(String loginAlias)

Looks up the provided loginAlias in the current http session and return the ambari user name that the alias is defined for.

Parameters:

loginAlias - the login alias to resolve to ambari user name

Returns:

the ambari user name if the alias is found otherwise returns the passed in loginAlias

getAuthorizationNames

public static List<String> getAuthorizationNames(org.springframework.security.core.Authentication authentication)

Retrieve authorization names based on the details of the authenticated user

Parameters:

authentication - the authenticated user and associated access privileges

Returns:

human readable role authorizations