X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?a=blobdiff_plain;f=opendaylight%2Fusermanager%2Fsrc%2Fmain%2Fjava%2Forg%2Fopendaylight%2Fcontroller%2Fusermanager%2Finternal%2FUserManagerImpl.java;h=e835887606273ce478ae0cdc63c534b9bab8c253;hb=9c8108faabf300747a2a5529dc7a8ef76e79c2bc;hp=69c9a1a2a615ee0c435b5fe8fccc7402e019568a;hpb=9ff610f03e7fe11a5c9e40405cf24dd3e3af8a89;p=controller.git diff --git a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java index 69c9a1a2a6..e835887606 100644 --- a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java +++ b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java @@ -83,11 +83,11 @@ public class UserManagerImpl implements IUserManager, IObjectReader, private ConcurrentMap localUserConfigList; private ConcurrentMap remoteServerConfigList; // local authorization info for remotely authenticated users - private ConcurrentMap authorizationConfList; + private ConcurrentMap authorizationConfList; private ConcurrentMap activeUsers; private ConcurrentMap authProviders; private ConcurrentMap localUserListSaveConfigEvent, - remoteServerSaveConfigEvent, authorizationSaveConfigEvent; + remoteServerSaveConfigEvent, authorizationSaveConfigEvent; private IClusterGlobalServices clusterGlobalService = null; private SecurityContextRepository securityContextRepo = new UserSecurityContextRepository(); private IContainerAuthorization containerAuthorizationClient; @@ -115,6 +115,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, return authProviders.get(name); } + @Override public Set getAAAProviderNames() { return authProviders.keySet(); } @@ -155,9 +156,9 @@ public class UserManagerImpl implements IUserManager, IObjectReader, "usermanager.authorizationSaveConfigEvent", EnumSet.of(IClusterServices.cacheMode.NON_TRANSACTIONAL)); } catch (CacheConfigException cce) { - logger.error("\nCache configuration invalid - check cache mode"); + logger.error("Cache configuration invalid - check cache mode"); } catch (CacheExistException ce) { - logger.error("\nCache already exits - destroy and recreate if needed"); + logger.debug("Skipping cache creation as already present"); } } @@ -171,43 +172,43 @@ public class UserManagerImpl implements IUserManager, IObjectReader, activeUsers = (ConcurrentMap) clusterGlobalService .getCache("usermanager.activeUsers"); if (activeUsers == null) { - logger.error("\nFailed to get cache for activeUsers"); + logger.error("Failed to get cache for activeUsers"); } localUserConfigList = (ConcurrentMap) clusterGlobalService .getCache("usermanager.localUserConfigList"); if (localUserConfigList == null) { - logger.error("\nFailed to get cache for localUserConfigList"); + logger.error("Failed to get cache for localUserConfigList"); } remoteServerConfigList = (ConcurrentMap) clusterGlobalService .getCache("usermanager.remoteServerConfigList"); if (remoteServerConfigList == null) { - logger.error("\nFailed to get cache for remoteServerConfigList"); + logger.error("Failed to get cache for remoteServerConfigList"); } authorizationConfList = (ConcurrentMap) clusterGlobalService .getCache("usermanager.authorizationConfList"); if (authorizationConfList == null) { - logger.error("\nFailed to get cache for authorizationConfList"); + logger.error("Failed to get cache for authorizationConfList"); } localUserListSaveConfigEvent = (ConcurrentMap) clusterGlobalService .getCache("usermanager.localUserSaveConfigEvent"); if (localUserListSaveConfigEvent == null) { - logger.error("\nFailed to get cache for localUserSaveConfigEvent"); + logger.error("Failed to get cache for localUserSaveConfigEvent"); } remoteServerSaveConfigEvent = (ConcurrentMap) clusterGlobalService .getCache("usermanager.remoteServerSaveConfigEvent"); if (remoteServerSaveConfigEvent == null) { - logger.error("\nFailed to get cache for remoteServerSaveConfigEvent"); + logger.error("Failed to get cache for remoteServerSaveConfigEvent"); } authorizationSaveConfigEvent = (ConcurrentMap) clusterGlobalService .getCache("usermanager.authorizationSaveConfigEvent"); if (authorizationSaveConfigEvent == null) { - logger.error("\nFailed to get cache for authorizationSaveConfigEvent"); + logger.error("Failed to get cache for authorizationSaveConfigEvent"); } } @@ -272,13 +273,13 @@ public class UserManagerImpl implements IUserManager, IObjectReader, } else if (rcResponse.getStatus() == AuthResultEnum.AUTH_REJECT) { logger.info( "Remote Authentication Rejected User: \"{}\", from Server: {}, Reason:{}", - new Object[] {userName, aaaServer.getAddress(), - rcResponse.getStatus().toString()}); + new Object[] { userName, aaaServer.getAddress(), + rcResponse.getStatus().toString() }); } else { logger.info( "Remote Authentication Failed for User: \"{}\", from Server: {}, Reason:{}", - new Object[] {userName, aaaServer.getAddress(), - rcResponse.getStatus().toString()}); + new Object[] { userName, aaaServer.getAddress(), + rcResponse.getStatus().toString() }); } } } @@ -363,7 +364,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, putUserInActiveList(userName, result); if (authorized) { logger.info("User \"{}\" authorized for the following role(s): {}", - userName, result.getUserRoles()); + userName, result.getUserRoles()); } else { logger.info("User \"{}\" Not Authorized for any role ", userName); } @@ -390,6 +391,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, activeUsers.remove(user); } + @Override public Status saveLocalUserList() { // Publish the save config event to the cluster nodes localUserListSaveConfigEvent.put(new Date().getTime(), SAVE); @@ -402,6 +404,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, localUserConfigList), usersFileName); } + @Override public Status saveAAAServerList() { // Publish the save config event to the cluster nodes remoteServerSaveConfigEvent.put(new Date().getTime(), SAVE); @@ -414,6 +417,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, remoteServerConfigList), serversFileName); } + @Override public Status saveAuthorizationList() { // Publish the save config event to the cluster nodes authorizationSaveConfigEvent.put(new Date().getTime(), SAVE); @@ -628,7 +632,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, return status; } // Trigger cluster update - localUserConfigList.put(user, targetConfigEntry); + localUserConfigList.put(user, targetConfigEntry); logger.info("Password changed for User \"{}\"", user); @@ -703,7 +707,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, String userName = ci.nextArgument(); String password = ci.nextArgument(); String role = ci.nextArgument(); - + List roles = new ArrayList(); while (role != null) { if (!role.trim().isEmpty()) { @@ -734,7 +738,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, if (target == null) { ci.println("User not found"); return; - } + } ci.println(this.removeLocalUser(target)); } @@ -815,7 +819,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, /** * Function called by the dependency manager when all the required * dependencies are satisfied - * + * */ void init() { } @@ -824,7 +828,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, * Function called by the dependency manager when at least one dependency * become unsatisfied or when the component is shutting down because for * example bundle is being stopped. - * + * */ void destroy() { } @@ -832,7 +836,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, /** * Function called by dependency manager after "init ()" is called and after * the services provided by the class are registered in the service registry - * + * */ void start() { authProviders = new ConcurrentHashMap(); @@ -855,36 +859,36 @@ public class UserManagerImpl implements IUserManager, IObjectReader, * Function called by the dependency manager before the services exported by * the component are unregistered, this will be followed by a "destroy ()" * calls - * + * */ void stop() { } @Override public List getUserRoles(String userName) { - if (userName == null) { - return new ArrayList(0); + List roles = null; + if (userName != null) { + /* + * First look in active users then in local configured users, + * finally in local authorized users + */ + if (activeUsers.containsKey(userName)) { + roles = activeUsers.get(userName).getUserRoles(); + } else if (localUserConfigList.containsKey(userName)) { + roles = localUserConfigList.get(userName).getRoles(); + } else if (authorizationConfList.containsKey(userName)) { + roles = authorizationConfList.get(userName).getRoles(); + } } - AuthenticatedUser locatedUser = activeUsers.get(userName); - return (locatedUser == null) ? new ArrayList(0) : locatedUser - .getUserRoles(); + return (roles == null) ? new ArrayList(0) : roles; } @Override public UserLevel getUserLevel(String username) { - // Returns the controller well-know user level for the passed user - List rolesNames = null; - - // First check in active users then in local configured users - if (activeUsers.containsKey(username)) { - List roles = activeUsers.get(username).getUserRoles(); - rolesNames = (roles == null || roles.isEmpty()) ? null : roles; - } else if (localUserConfigList.containsKey(username)) { - UserConfig config = localUserConfigList.get(username); - rolesNames = (config == null) ? null : config.getRoles(); - } + // Returns the highest controller user level for the passed user + List rolesNames = getUserRoles(username); - if (rolesNames == null) { + if (rolesNames.isEmpty()) { return UserLevel.NOUSER; } @@ -919,6 +923,50 @@ public class UserManagerImpl implements IUserManager, IObjectReader, return UserLevel.NOUSER; } + + @Override + public List getUserLevels(String username) { + // Returns the controller user levels for the passed user + List rolesNames = getUserRoles(username); + List levels = new ArrayList(); + + if (rolesNames.isEmpty()) { + return levels; + } + + // Check against the well known controller roles first + if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) { + levels.add(UserLevel.SYSTEMADMIN); + } + if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) { + levels.add(UserLevel.NETWORKADMIN); + } + if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) { + levels.add(UserLevel.NETWORKOPERATOR); + } + // Check if container user now + if (containerAuthorizationClient != null) { + for (String roleName : rolesNames) { + if (containerAuthorizationClient.isApplicationRole(roleName)) { + levels.add(UserLevel.CONTAINERUSER); + break; + } + } + } + // Finally check if application user + if (applicationAuthorizationClients != null) { + for (String roleName : rolesNames) { + for (IResourceAuthorization client : this.applicationAuthorizationClients) { + if (client.isApplicationRole(roleName)) { + levels.add(UserLevel.APPUSER); + break; + } + } + } + } + return levels; + } + @Override public Status saveConfiguration() { boolean success = true; @@ -958,8 +1006,9 @@ public class UserManagerImpl implements IUserManager, IObjectReader, .getPassword(), enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, user.getGrantedAuthorities(getUserLevel(username))); - } else + } else { throw new UsernameNotFoundException("User not found " + username); + } } @Override @@ -1011,13 +1060,14 @@ public class UserManagerImpl implements IUserManager, IObjectReader, .getName()))); return authentication; - } else + } else { throw new BadCredentialsException( "Username or credentials did not match"); + } } - // following are setters for use in unit testing + // Following are setters for use in unit testing void setLocalUserConfigList(ConcurrentMap ucl) { if (ucl != null) { this.localUserConfigList = ucl; @@ -1057,7 +1107,36 @@ public class UserManagerImpl implements IUserManager, IObjectReader, this.sessionMgr = sessionMgr; } + @Override public String getPassword(String username) { return localUserConfigList.get(username).getPassword(); } + + @Override + public boolean isRoleInUse(String role) { + if (role == null || role.isEmpty()) { + return false; + } + // Check against controller roles + if (role.equals(UserLevel.SYSTEMADMIN.toString()) + || role.equals(UserLevel.NETWORKADMIN.toString()) + || role.equals(UserLevel.NETWORKOPERATOR.toString())) { + return true; + } + // Check if container roles + if (containerAuthorizationClient != null) { + if (containerAuthorizationClient.isApplicationRole(role)) { + return true; + } + } + // Finally if application role + if (applicationAuthorizationClients != null) { + for (IResourceAuthorization client : this.applicationAuthorizationClients) { + if (client.isApplicationRole(role)) { + return true; + } + } + } + return false; + } }