Prevent addition/removal for well known container roles 18/2118/3
authorAlessandro Boch <aboch@cisco.com>
Wed, 23 Oct 2013 19:26:45 +0000 (12:26 -0700)
committerGerrit Code Review <gerrit@opendaylight.org>
Thu, 24 Oct 2013 18:11:48 +0000 (18:11 +0000)
- Container roles are self-generated when a container is created.
  They are equivalent to the Controller network admin and network
  operator roles for the container sub-controller. Authorization
  APIs for creating and removing roles currently validate only
  against the Controller roles, not the sub-controller roles.

Change-Id: I0ecf521a89163fedb68450fa3bc2b0d6c077977a
Signed-off-by: Alessandro Boch <aboch@cisco.com>
opendaylight/appauth/pom.xml
opendaylight/appauth/src/main/java/org/opendaylight/controller/appauth/authorization/Authorization.java

index 6f2e9ee1eb4c6ce010b368791aff8e22eaeed733..fa273b6e92eea0318176415b8b62d9e5b15d3e27 100644 (file)
                 <configuration>
                     <instructions>
                         <Import-Package>
+                            org.opendaylight.controller.containermanager,
                             org.opendaylight.controller.sal.authorization,
                             org.opendaylight.controller.sal.utils,
                             org.opendaylight.controller.usermanager,
                             org.slf4j,
                             org.apache.felix.dm,
-                             org.apache.commons.lang3.builder,
-                            org.eclipse.osgi.framework.console
                         </Import-Package>
                         <Export-Package>
                             org.opendaylight.controller.appauth,
            <artifactId>sal</artifactId>
           <version>0.5.1-SNAPSHOT</version>
         </dependency>
+        <dependency>
+         <groupId>org.opendaylight.controller</groupId>
+         <artifactId>containermanager</artifactId>
+         <version>0.5.1-SNAPSHOT</version>
+        </dependency>
         <dependency>
          <groupId>org.opendaylight.controller</groupId>
            <artifactId>usermanager</artifactId>
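--- a/opendaylight/appauth/src/main/java/org/opendaylight/controller/appauth/authorization/Authorization.java
+++ b/opendaylight/appauth/src/main/java/org/opendaylight/controller/appauth/authorization/Authorization.java
@@ -16,6 +16,7 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.concurrent.ConcurrentMap;
 
+import org.opendaylight.controller.containermanager.IContainerAuthorization;
 import org.opendaylight.controller.sal.authorization.AppRoleLevel;
 import org.opendaylight.controller.sal.authorization.IResourceAuthorization;
 import org.opendaylight.controller.sal.authorization.Privilege;
@@ -66,6 +67,11 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
                     "Controller roles cannot be explicitely "
                             + "created in App context");
         }
+        if (isContainerRole(role)) {
+            return new Status(StatusCode.NOTALLOWED,
+                    "Container roles cannot be explicitely "
+                            + "created in App context");
+        }
         if (isRoleInUse(role)) {
             return new Status(StatusCode.CONFLICT, "Role already in use");
         }
@@ -96,7 +102,10 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
             return new Status(StatusCode.NOTALLOWED,
                     "Controller roles cannot be removed");
         }
-
+        if (isContainerRole(role)) {
+            return new Status(StatusCode.NOTALLOWED,
+                    "Container roles cannot be removed");
+        }
         return removeRoleInternal(role);
     }
 
@@ -599,6 +608,15 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
                     .equals(UserLevel.NETWORKOPERATOR.toString()));
     }
 
+    private boolean isContainerRole(String role) {
+        IContainerAuthorization containerAuth = (IContainerAuthorization) ServiceHelper.getGlobalInstance(
+                IContainerAuthorization.class, this);
+        if (containerAuth == null) {
+            return false;
+        }
+        return containerAuth.isApplicationRole(role);
+    }
+
     private boolean isRoleInUse(String role) {
         IUserManager userManager = (IUserManager) ServiceHelper
                 .getGlobalInstance(IUserManager.class, this);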
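Review bot: The new `isContainerRole` helper fails open: when `ServiceHelper.getGlobalInstance(IContainerAuthorization.class, this)` returns null it answers `false`, so the guards added in createRole and removeRole silently let a reserved container role be created or removed whenever the container authorization service is not registered (presumably during startup or a bundle restart, though that timing is not visible here). An authorization guard should not degrade to "allowed" on a lookup failure; at minimum the null branch should be logged and treated as protected, e.g. `logger.warn("Container authorization service unavailable, cannot classify role {}", role); return true;`, or the two callers should return a non-success Status when the check cannot be performed. The new message on the createRole path also carries the `explicitely` typo copied from the existing Controller-role message, which is worth fixing while the line is new. Both createRole and removeRole start outside their hunks, so the surrounding control flow could not be checked.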