Prevent addition/removal for well known container roles 18/2118/3
authorAlessandro Boch <aboch@cisco.com>
Wed, 23 Oct 2013 19:26:45 +0000 (12:26 -0700)
committerGerrit Code Review <gerrit@opendaylight.org>
Thu, 24 Oct 2013 18:11:48 +0000 (18:11 +0000)
- Container roles are generated automatically when a container is created.
  They are equivalent to the Controller network admin and network
  operator roles for the container sub controller. Authorization
  APIs for creating and removing roles are currently only validating
  against the Controller roles, not the sub controller roles.

Change-Id: I0ecf521a89163fedb68450fa3bc2b0d6c077977a
Signed-off-by: Alessandro Boch <aboch@cisco.com>
opendaylight/appauth/pom.xml
opendaylight/appauth/src/main/java/org/opendaylight/controller/appauth/authorization/Authorization.java

index 6f2e9ee..fa273b6 100644 (file)
                 <configuration>
                     <instructions>
                         <Import-Package>
+                            org.opendaylight.controller.containermanager,
                             org.opendaylight.controller.sal.authorization,
                             org.opendaylight.controller.sal.utils,
                             org.opendaylight.controller.usermanager,
                             org.slf4j,
                             org.apache.felix.dm,
-                             org.apache.commons.lang3.builder,
-                            org.eclipse.osgi.framework.console
                         </Import-Package>
                         <Export-Package>
                             org.opendaylight.controller.appauth,
            <artifactId>sal</artifactId>
           <version>0.5.1-SNAPSHOT</version>
         </dependency>
+        <dependency>
+         <groupId>org.opendaylight.controller</groupId>
+         <artifactId>containermanager</artifactId>
+         <version>0.5.1-SNAPSHOT</version>
+        </dependency>
         <dependency>
          <groupId>org.opendaylight.controller</groupId>
            <artifactId>usermanager</artifactId>
index fd8799f..b872f49 100644 (file)
@@ -16,6 +16,7 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.concurrent.ConcurrentMap;
 
+import org.opendaylight.controller.containermanager.IContainerAuthorization;
 import org.opendaylight.controller.sal.authorization.AppRoleLevel;
 import org.opendaylight.controller.sal.authorization.IResourceAuthorization;
 import org.opendaylight.controller.sal.authorization.Privilege;
@@ -66,6 +67,11 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
                     "Controller roles cannot be explicitely "
                             + "created in App context");
         }
+        if (isContainerRole(role)) {
+            return new Status(StatusCode.NOTALLOWED,
+                    "Container roles cannot be explicitely "
+                            + "created in App context");
+        }
         if (isRoleInUse(role)) {
             return new Status(StatusCode.CONFLICT, "Role already in use");
         }
@@ -96,7 +102,10 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
             return new Status(StatusCode.NOTALLOWED,
                     "Controller roles cannot be removed");
         }
-
+        if (isContainerRole(role)) {
+            return new Status(StatusCode.NOTALLOWED,
+                    "Container roles cannot be removed");
+        }
         return removeRoleInternal(role);
     }
 
@@ -599,6 +608,15 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
                     .equals(UserLevel.NETWORKOPERATOR.toString()));
     }
 
+    private boolean isContainerRole(String role) {
+        IContainerAuthorization containerAuth = (IContainerAuthorization) ServiceHelper.getGlobalInstance(
+                IContainerAuthorization.class, this);
+        if (containerAuth == null) {
+            return false;
+        }
+        return containerAuth.isApplicationRole(role);
+    }
+
     private boolean isRoleInUse(String role) {
         IUserManager userManager = (IUserManager) ServiceHelper
                 .getGlobalInstance(IUserManager.class, this);
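Review bot: isContainerRole returns false when ServiceHelper.getGlobalInstance yields no IContainerAuthorization, so the new guards in createRole and removeRole fail open and a container role could still be created or removed while the container manager service is absent or not yet registered; at minimum that fallthrough should be visible, e.g. `logger.warn("IContainerAuthorization service unavailable, cannot validate role {}", role);` before `return false;`, using the class's existing slf4j logger. Whether the lookup can legitimately return null at runtime is inferred from the null check itself rather than shown here. The helper also lacks a doc comment; a Javadoc such as `/** Returns true if {@code role} is a container-generated role as reported by the container manager; returns false (and so does not block the caller) when that service is unavailable. */` would make the fail-open behaviour explicit to callers. The new NOTALLOWED message in createRole copies the existing misspelling "explicitely" from the Controller-role message two lines above it.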