- Container roles are self-generated when a container is created.
They are equivalent to the Controller network admin and network
operator roles for the container sub controller. The authorization
APIs for creating and removing roles currently validate only
against the Controller roles, not the sub controller roles.
Change-Id: I0ecf521a89163fedb68450fa3bc2b0d6c077977a
Signed-off-by: Alessandro Boch <aboch@cisco.com>
<configuration>
<instructions>
<Import-Package>
<configuration>
<instructions>
<Import-Package>
+ org.opendaylight.controller.containermanager,
org.opendaylight.controller.sal.authorization,
org.opendaylight.controller.sal.utils,
org.opendaylight.controller.usermanager,
org.slf4j,
org.apache.felix.dm,
org.opendaylight.controller.sal.authorization,
org.opendaylight.controller.sal.utils,
org.opendaylight.controller.usermanager,
org.slf4j,
org.apache.felix.dm,
- org.apache.commons.lang3.builder,
- org.eclipse.osgi.framework.console
</Import-Package>
<Export-Package>
org.opendaylight.controller.appauth,
</Import-Package>
<Export-Package>
org.opendaylight.controller.appauth,
<artifactId>sal</artifactId>
<version>0.5.1-SNAPSHOT</version>
</dependency>
<artifactId>sal</artifactId>
<version>0.5.1-SNAPSHOT</version>
</dependency>
+ <dependency>
+ <groupId>org.opendaylight.controller</groupId>
+ <artifactId>containermanager</artifactId>
+ <version>0.5.1-SNAPSHOT</version>
+ </dependency>
<dependency>
<groupId>org.opendaylight.controller</groupId>
<artifactId>usermanager</artifactId>
<dependency>
<groupId>org.opendaylight.controller</groupId>
<artifactId>usermanager</artifactId>
import java.util.Set;
import java.util.concurrent.ConcurrentMap;
import java.util.Set;
import java.util.concurrent.ConcurrentMap;
+import org.opendaylight.controller.containermanager.IContainerAuthorization;
import org.opendaylight.controller.sal.authorization.AppRoleLevel;
import org.opendaylight.controller.sal.authorization.IResourceAuthorization;
import org.opendaylight.controller.sal.authorization.Privilege;
import org.opendaylight.controller.sal.authorization.AppRoleLevel;
import org.opendaylight.controller.sal.authorization.IResourceAuthorization;
import org.opendaylight.controller.sal.authorization.Privilege;
"Controller roles cannot be explicitely "
+ "created in App context");
}
"Controller roles cannot be explicitely "
+ "created in App context");
}
+ if (isContainerRole(role)) {
+ return new Status(StatusCode.NOTALLOWED,
+ "Container roles cannot be explicitely "
+ + "created in App context");
+ }
if (isRoleInUse(role)) {
return new Status(StatusCode.CONFLICT, "Role already in use");
}
if (isRoleInUse(role)) {
return new Status(StatusCode.CONFLICT, "Role already in use");
}
return new Status(StatusCode.NOTALLOWED,
"Controller roles cannot be removed");
}
return new Status(StatusCode.NOTALLOWED,
"Controller roles cannot be removed");
}
+ if (isContainerRole(role)) {
+ return new Status(StatusCode.NOTALLOWED,
+ "Container roles cannot be removed");
+ }
return removeRoleInternal(role);
}
return removeRoleInternal(role);
}
.equals(UserLevel.NETWORKOPERATOR.toString()));
}
.equals(UserLevel.NETWORKOPERATOR.toString()));
}
+ private boolean isContainerRole(String role) {
+ IContainerAuthorization containerAuth = (IContainerAuthorization) ServiceHelper.getGlobalInstance(
+ IContainerAuthorization.class, this);
+ if (containerAuth == null) {
+ return false;
+ }
+ return containerAuth.isApplicationRole(role);
+ }
+
private boolean isRoleInUse(String role) {
IUserManager userManager = (IUserManager) ServiceHelper
.getGlobalInstance(IUserManager.class, this);
private boolean isRoleInUse(String role) {
IUserManager userManager = (IUserManager) ServiceHelper
.getGlobalInstance(IUserManager.class, this);
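Review bot: The new `isContainerRole` fails open: when `ServiceHelper.getGlobalInstance(IContainerAuthorization.class, this)` returns null it answers `false`, so both new guards (role creation and role removal) let a container role name through whenever the container manager service is not registered, for example during startup or a bundle restart. For an authorization check the safer default is to refuse while the answer is unknown, e.g. `if (containerAuth == null) { return true; } // deny: cannot rule out a container role`. Better still, have the two callers return a distinct error `Status` so the message does not wrongly say the role is a container role. The null branch should also be logged so the denial can be diagnosed, and the helper deserves a short Javadoc stating what it returns when the service is absent. The create and remove methods that hold the guards start outside the visible hunks, so how they handle other failures is not shown here.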