From: Alessandro Boch Date: Wed, 22 May 2013 00:54:03 +0000 (-0700) Subject: Enable multiple roles per user (backend) X-Git-Tag: releasepom-0.1.0~432 X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?p=controller.git;a=commitdiff_plain;h=074d2ad908fcdd5f395a8c918444b47619cc9194 Enable multiple roles per user (backend) Signed-off-by: Alessandro Boch --- diff --git a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/AuthenticatedUser.java b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/AuthenticatedUser.java index 6c6f07ca66..f66d47ea55 100644 --- a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/AuthenticatedUser.java +++ b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/AuthenticatedUser.java @@ -40,7 +40,10 @@ public class AuthenticatedUser implements Serializable { public void setRoleList(String[] roleArray) { userRoles = new ArrayList(roleArray.length); for (String role : roleArray) { - userRoles.add(role); + String target = role.trim(); + if (!target.isEmpty()) { + userRoles.add(target); + } } } diff --git a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/AuthorizationConfig.java b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/AuthorizationConfig.java index 2474eec6d9..038ccca2fc 100644 --- a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/AuthorizationConfig.java +++ b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/AuthorizationConfig.java @@ -8,6 +8,9 @@ package org.opendaylight.controller.usermanager.internal; +import java.util.ArrayList; +import java.util.List; + import org.opendaylight.controller.sal.utils.Status; /** 
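Review bot: `role.trim()` in the new loop body of setRoleList dereferences each element without a null check, so a null entry in `roleArray` raises a NullPointerException while the role list is being built. The unchanged first line already dereferences the array itself through `roleArray.length`. Skip null entries explicitly with `if (role == null) { continue; }` before the trim. A one-line Javadoc saying that names are trimmed and blank entries dropped would also help, because callers can now get back fewer roles than they passed in.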
@@ -22,22 +25,23 @@ public class AuthorizationConfig extends UserConfig { } // Constructor may be needed for autocontainer logic - public AuthorizationConfig(String user, String role) { + public AuthorizationConfig(String user, List roles) { super(); this.user = user; - this.role = role; + this.roles = (roles == null) ? new ArrayList() + : new ArrayList(roles); } @Override public Status validate() { - return (!isRoleValid().isSuccess() ? isRoleValid() : isUsernameValid()); - } - - public String getRolesData() { - return (role.replace(",", " ")); + Status status = validateUsername(); + if (status.isSuccess()) { + status = validateRoles(); + } + return status; } public String toString() { - return "AuthorizationConfig=[user: " + user + ", role: " + role + "]"; + return "AuthorizationConfig=[user: " + user + ", roles: " + roles + "]"; } } diff --git a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserConfig.java b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserConfig.java index cedae6c918..fd491fe880 100644 --- a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserConfig.java +++ b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserConfig.java @@ -9,6 +9,9 @@ package org.opendaylight.controller.usermanager.internal; import java.io.Serializable; +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -31,7 +34,7 @@ public class UserConfig implements Serializable { * configurations */ protected String user; - protected String role; + protected List roles; private String password; private static final int USERNAME_MAXLENGTH = 32; private static final int PASSWORD_MINLENGTH = 5; 
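Review bot: Changing the field from `String role` to `List roles` in a Serializable class alters the serialized form, and nothing visible in this commit handles configuration saved with the old field. The class appears to be persisted through object serialization (the tests reference saveLocalUserList and readObject). Depending on whether UserConfig pins a serialVersionUID, which this hunk does not show, previously saved entries either fail to load or load with `roles == null`, which `getRoles()` and `getRolesString()` then dereference. Consider a private `readObject` that maps a legacy `role` string to a one-element list, or document that saved user and authorization files must be regenerated on upgrade.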
@@ -42,12 +45,13 @@ public class UserConfig implements Serializable { public UserConfig() { } - public UserConfig(String user, String password, String role) { + public UserConfig(String user, String password, List roles) { this.user = user; this.password = password; - this.role = role; + this.roles = (roles == null) ? new ArrayList() + : new ArrayList(roles); } - + public String getUser() { return user; } @@ -56,8 +60,8 @@ public class UserConfig implements Serializable { return password; } - public String getRole() { - return role; + public List getRoles() { + return new ArrayList(roles); } @Override @@ -72,22 +76,21 @@ public class UserConfig implements Serializable { @Override public String toString() { - return "UserConfig[user=" + user + ", password=" + password + "]"; + return "UserConfig[user=" + user + ", password=" + password + ", roles=" + roles +"]"; } public Status validate() { - Status validCheck = new Status(StatusCode.SUCCESS, null); - validCheck = isRoleValid(); - - if (validCheck.isSuccess()) - validCheck = isUsernameValid(); - if (validCheck.isSuccess()) - validCheck = isPasswordValid(); - + Status validCheck = validateRoles(); + if (validCheck.isSuccess()) { + validCheck = validateUsername(); + } + if (validCheck.isSuccess()) { + validCheck = validatePassword(); + } return validCheck; } - protected Status isUsernameValid() { + protected Status validateUsername() { if (user == null || user.isEmpty()) { return new Status(StatusCode.BADREQUEST, "Username cannot be empty"); } @@ -101,10 +104,10 @@ public class UserConfig implements Serializable { + "characters except ./#%;?\\"); } - return new Status(StatusCode.SUCCESS, null); + return new Status(StatusCode.SUCCESS); } - private Status isPasswordValid() { + private Status validatePassword() { if (password == null || password.isEmpty()) { return new Status(StatusCode.BADREQUEST, "Password cannot be empty"); } 
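Review bot: `getRoles()` copies `roles` unconditionally, but the field is still null for any instance built with the no-argument constructor, a state that `validateRoles()` explicitly tolerates. `_umGetUsers` and `getUserLevel` both call it on stored entries, so one such entry becomes a NullPointerException there. Return an empty list in that case: `return (roles == null) ? new ArrayList() : new ArrayList(roles);`.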
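Review bot: The rewritten `toString()` still concatenates `password` into the result, now next to the full role list. Any log line or exception message that prints a UserConfig therefore exposes the cleartext credential together with the account's privileges. Drop the field from the output: `return "UserConfig[user=" + user + ", roles=" + roles + "]";`. AuthorizationConfig.toString() in this same commit already prints only user and roles.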
@@ -114,41 +117,66 @@ public class UserConfig implements Serializable { return new Status(StatusCode.BADREQUEST, "Password should have 5-256 characters"); } - return new Status(StatusCode.SUCCESS, null); + return new Status(StatusCode.SUCCESS); } - protected Status isRoleValid() { - if (role == null || role.isEmpty()) { - return new Status(StatusCode.BADREQUEST, - "Role name cannot be empty"); + protected Status validateRoles() { + if (roles == null || roles.isEmpty()) { + return new Status(StatusCode.BADREQUEST, "No role specified"); } - return new Status(StatusCode.SUCCESS, null); + return new Status(StatusCode.SUCCESS); } - public boolean update(String currentPassword, String newPassword, - String newRole) { + public Status update(String currentPassword, String newPassword, + List newRoles) { // To make any changes to a user configured profile, current password // must always be provided if (!this.password.equals(currentPassword)) { - return false; - } - if (newPassword != null) { - this.password = newPassword; + return new Status(StatusCode.BADREQUEST, + "Current password is incorrect"); } - if (newRole != null) { - this.role = newRole; + + // Create a new object with the proposed modifications + UserConfig proposed = new UserConfig(); + proposed.user = this.user; + proposed.password = (newPassword != null)? newPassword : this.password; + proposed.roles = (newRoles != null)? 
newRoles : this.roles; + + // Validate it + Status status = proposed.validate(); + if (!status.isSuccess()) { + return status; } - return true; + + // Accept the modifications + this.user = proposed.user; + this.password = proposed.password; + this.roles = new ArrayList(proposed.roles); + + return status; } public AuthResponse authenticate(String clearTextPass) { AuthResponse locResponse = new AuthResponse(); if (password.equals(clearTextPass)) { locResponse.setStatus(AuthResultEnum.AUTH_ACCEPT_LOC); - locResponse.addData(role.replace(",", " ")); + locResponse.addData(getRolesString()); } else { locResponse.setStatus(AuthResultEnum.AUTH_REJECT_LOC); } return locResponse; } + + protected String getRolesString() { + StringBuffer buffer = new StringBuffer(); + if (!roles.isEmpty()) { + Iterator iter = roles.iterator(); + buffer.append(iter.next()); + while (iter.hasNext()) { + buffer.append(" "); + buffer.append(iter.next()); + } + } + return buffer.toString(); + } } diff --git a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java index 31c773da8a..69c9a1a2a6 100644 --- a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java +++ b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java 
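Review bot: `validateRoles()` only checks that the list is non-empty, while `getRolesString()` joins the entries with a single space and UserManagerImpl turns that string back into roles with `attributes.split(" ")` (hunk at -354 of UserManagerImpl.java). An entry that is null, blank or contains whitespace does not survive that round trip as the same role: it is dropped or split into several role names, so the roles attached to the session at login can differ from what was configured. Each element should be validated, and role names with leading, trailing or embedded spaces rejected. This also covers the list passed to `update()`, since that goes through `proposed.validate()`. A possible body is below.

```java
protected Status validateRoles() {
    if (roles == null || roles.isEmpty()) {
        return new Status(StatusCode.BADREQUEST, "No role specified");
    }
    // Role names are later joined with, and split on, a single space,
    // so every entry must be one non-empty token without whitespace padding.
    for (String role : roles) {
        if (role == null || role.isEmpty()
                || !role.equals(role.trim()) || role.indexOf(' ') >= 0) {
            return new Status(StatusCode.BADREQUEST,
                    "Role name cannot be empty or contain spaces");
        }
    }
    return new Status(StatusCode.SUCCESS);
}
```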
@@ -82,13 +82,8 @@ public class UserManagerImpl implements IUserManager, IObjectReader, private static final String authFileName = ROOT + "authorization.conf"; private ConcurrentMap localUserConfigList; private ConcurrentMap remoteServerConfigList; - private ConcurrentMap authorizationConfList; // local - // authorization - // info - // for - // remotely - // authenticated - // users + // local authorization info for remotely authenticated users + private ConcurrentMap authorizationConfList; private ConcurrentMap activeUsers; private ConcurrentMap authProviders; private ConcurrentMap localUserListSaveConfigEvent, @@ -243,8 +238,10 @@ public class UserManagerImpl implements IUserManager, IObjectReader, // If startup config is not there, it's old or it was deleted, // need to add Default Admin if (!localUserConfigList.containsKey(defaultAdmin)) { + List roles = new ArrayList(1); + roles.add(defaultAdminRole); localUserConfigList.put(defaultAdmin, new UserConfig(defaultAdmin, - defaultAdminPassword, defaultAdminRole)); + defaultAdminPassword, roles)); } } @@ -253,7 +250,6 @@ public class UserManagerImpl implements IUserManager, IObjectReader, IAAAProvider aaaClient; AuthResponse rcResponse = null; AuthenticatedUser result; - String[] adminRoles = null; boolean remotelyAuthenticated = false; boolean authorizationInfoIsPresent = false; boolean authorized = false; @@ -342,7 +338,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, if (resource != null) { logger.info("Found Local Authorization Info for User: \"{}\"", userName); - attributes = resource.getRolesData(); + attributes = resource.getRolesString(); } authorizationInfoIsPresent = checkAuthorizationInfo(attributes); 
@@ -354,8 +350,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, */ if (authorizationInfoIsPresent) { // Identifying the administrative role - adminRoles = attributes.split(" "); - result.setRoleList(adminRoles); + result.setRoleList(attributes.split(" ")); authorized = true; } else { logger.info("Not able to find Authorization Info for User: \"{}\"", @@ -504,6 +499,12 @@ public class UserManagerImpl implements IUserManager, IObjectReader, return new Status(StatusCode.NOTALLOWED, msg); } localUserConfigList.remove(AAAconf.getUser()); + /* + * A user account has been removed form local database, we assume + * admin does not want this user to stay connected, in case he has + * an open session. So we clean the active list as well. + */ + removeUserFromActiveList(AAAconf.getUser()); } else { if (AAAconf.getUser().equals(UserManagerImpl.defaultAdmin)) { String msg = "Invalid Request: Default Network Admin User " @@ -621,16 +622,17 @@ public class UserManagerImpl implements IUserManager, IObjectReader, if (targetConfigEntry == null) { return new Status(StatusCode.NOTFOUND, "User not found"); } - if (false == targetConfigEntry.update(curPassword, newPassword, null)) { - return new Status(StatusCode.BADREQUEST, - "Current password is incorrect"); + Status status = targetConfigEntry + .update(curPassword, newPassword, null); + if (!status.isSuccess()) { + return status; } - localUserConfigList.put(user, targetConfigEntry); // trigger cluster - // update + // Trigger cluster update + localUserConfigList.put(user, targetConfigEntry); logger.info("Password changed for User \"{}\"", user); - return new Status(StatusCode.SUCCESS, null); + return status; } @Override 
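Review bot: The new block comment above `removeUserFromActiveList(AAAconf.getUser())` has a typo ("has been removed form local database") and explains the motive but not the effect. Suggested wording: `A user account has been removed from the local database; drop any open session as well so the deleted account cannot keep acting on it.` The enclosing method starts and ends outside this hunk.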
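Review bot: When `update()` fails, the new code in changeLocalUserPassword returns the status without logging, while the success path still logs "Password changed". Repeated attempts with a wrong current password against an account therefore leave no trace for whoever reviews the controller log. Add a line before the early return, for example `logger.warn("Password change rejected for User \"{}\": {}", user, status);`. The method signature is outside this hunk.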
@@ -701,35 +703,44 @@ public class UserManagerImpl implements IUserManager, IObjectReader, String userName = ci.nextArgument(); String password = ci.nextArgument(); String role = ci.nextArgument(); + + List roles = new ArrayList(); + while (role != null) { + if (!role.trim().isEmpty()) { + roles.add(role); + } + role = ci.nextArgument(); + } if (userName == null || userName.trim().isEmpty() || password == null - || password.trim().isEmpty() || role == null - || role.trim().isEmpty()) { + || password.trim().isEmpty() || roles == null + || roles.isEmpty()) { ci.println("Invalid Arguments"); ci.println("umAddUser "); return; } - this.addLocalUser(new UserConfig(userName, password, role)); + ci.print(this.addLocalUser(new UserConfig(userName, password, roles))); } public void _umRemUser(CommandInterpreter ci) { String userName = ci.nextArgument(); - String password = ci.nextArgument(); - String role = ci.nextArgument(); - if (userName == null || userName.trim().isEmpty() || password == null - || password.trim().isEmpty() || role == null - || role.trim().isEmpty()) { + if (userName == null || userName.trim().isEmpty()) { ci.println("Invalid Arguments"); - ci.println("umRemUser "); + ci.println("umRemUser "); return; } - this.removeLocalUser(new UserConfig(userName, password, role)); + UserConfig target = localUserConfigList.get(userName); + if (target == null) { + ci.println("User not found"); + return; + } + ci.println(this.removeLocalUser(target)); } public void _umGetUsers(CommandInterpreter ci) { for (UserConfig conf : this.getLocalUserList()) { - ci.println(conf.getUser() + " " + conf.getRole()); + ci.println(conf.getUser() + " " + conf.getRoles()); } } 
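Review bot: In `_umAddUser` the loop tests `role.trim().isEmpty()` but stores the untrimmed value with `roles.add(role)`, and the later `roles == null` test can never be true because the list is created just above. Store the trimmed name with `roles.add(role.trim());` and reduce the condition to `roles.isEmpty()`. The result is also written with `ci.print(...)` while `_umRemUser` uses `ci.println(...)`, so the add command leaves the console without a trailing newline.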
@@ -862,39 +873,47 @@ public class UserManagerImpl implements IUserManager, IObjectReader, @Override public UserLevel getUserLevel(String username) { // Returns the controller well-know user level for the passed user - String roleName = null; + List rolesNames = null; // First check in active users then in local configured users if (activeUsers.containsKey(username)) { List roles = activeUsers.get(username).getUserRoles(); - roleName = (roles == null || roles.isEmpty())? null : roles.get(0); + rolesNames = (roles == null || roles.isEmpty()) ? null : roles; } else if (localUserConfigList.containsKey(username)) { UserConfig config = localUserConfigList.get(username); - roleName = (config == null)? null : config.getRole(); + rolesNames = (config == null) ? null : config.getRoles(); } - if (roleName == null) { + if (rolesNames == null) { return UserLevel.NOUSER; } - // For now only one role per user is allowed - if (roleName.equals(UserLevel.SYSTEMADMIN.toString())) { + // Check against the well known controller roles first + if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) { return UserLevel.SYSTEMADMIN; } - if (roleName.equals(UserLevel.NETWORKADMIN.toString())) { + if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) { return UserLevel.NETWORKADMIN; } - if (roleName.equals(UserLevel.NETWORKOPERATOR.toString())) { + if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) { return UserLevel.NETWORKOPERATOR; } - if (this.containerAuthorizationClient != null - && this.containerAuthorizationClient - .isApplicationRole(roleName)) { - return UserLevel.CONTAINERUSER; + // Check if container user now + if (containerAuthorizationClient != null) { + for (String roleName : rolesNames) { + if (containerAuthorizationClient.isApplicationRole(roleName)) { + return UserLevel.CONTAINERUSER; + } + } } - for (IResourceAuthorization client : this.applicationAuthorizationClients) { - if (client.isApplicationRole(roleName)) { - return UserLevel.APPUSER; + // 
Finally check if application user + if (applicationAuthorizationClients != null) { + for (String roleName : rolesNames) { + for (IResourceAuthorization client : this.applicationAuthorizationClients) { + if (client.isApplicationRole(roleName)) { + return UserLevel.APPUSER; + } + } } } return UserLevel.NOUSER; diff --git a/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/AuthenticatedUserTest.java b/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/AuthenticatedUserTest.java index 4a379cdd2f..810500baa4 100644 --- a/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/AuthenticatedUserTest.java +++ b/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/AuthenticatedUserTest.java @@ -35,7 +35,6 @@ public class AuthenticatedUserTest { Assert.assertFalse(user.getAccessDate().isEmpty()); Assert.assertNull(user.getUserRoles()); - } @Test diff --git a/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/AuthorizationUserConfigTest.java b/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/AuthorizationUserConfigTest.java index d274da5248..7d28d23075 100644 --- a/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/AuthorizationUserConfigTest.java +++ b/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/AuthorizationUserConfigTest.java @@ -11,6 +11,9 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; +import java.util.ArrayList; +import java.util.List; + import org.junit.Test; import org.opendaylight.controller.sal.authorization.AuthResultEnum; import org.opendaylight.controller.sal.authorization.UserLevel; 
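Review bot: `getUserLevel` calls `activeUsers.containsKey(username)` and then `activeUsers.get(username).getUserRoles()` as two separate map operations. This commit adds a path (local account removal) that deletes entries from the active list, so the entry can vanish between the two calls and the second one dereferences null. Read once and test the result, assuming the map holds AuthenticatedUser values: `AuthenticatedUser active = activeUsers.get(username);` followed by `if (active != null) { ... }`. The same single-lookup shape fits the `localUserConfigList` branch, which already guards against a null `config`. A short comment stating that the highest well-known level wins when a user holds several roles would document the new precedence.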
@@ -24,61 +27,75 @@ public class AuthorizationUserConfigTest { @Test public void AuthorizationConfigTest() { AuthorizationConfig authConfig; + List roles = new ArrayList(); // test isValid - authConfig = new AuthorizationConfig(null, - UserLevel.SYSTEMADMIN.toString()); + roles.add(UserLevel.SYSTEMADMIN.toString()); + authConfig = new AuthorizationConfig(null, roles); assertFalse(authConfig.validate().isSuccess()); - authConfig = new AuthorizationConfig("admin", ""); + authConfig = new AuthorizationConfig("admin", new ArrayList()); assertFalse(authConfig.validate().isSuccess()); - authConfig = new AuthorizationConfig("admin", - UserLevel.SYSTEMADMIN.toString()); + authConfig = new AuthorizationConfig("admin", roles); assertTrue(authConfig.validate().isSuccess()); } @Test public void UserConfigTest() { UserConfig userConfig; + List roles = new ArrayList(); - userConfig = new UserConfig(null, "cisco", - UserLevel.NETWORKOPERATOR.toString()); + roles.add(UserLevel.SYSTEMADMIN.toString()); + userConfig = new UserConfig(null, "cisco", roles); assertFalse(userConfig.validate().isSuccess()); - userConfig = new UserConfig("uname", "", "cisco"); + roles.clear(); + roles.add("cisco"); + userConfig = new UserConfig("uname", "", roles); assertFalse(userConfig.validate().isSuccess()); - userConfig = new UserConfig("uname", "ciscocisco", - UserLevel.NETWORKOPERATOR.toString()); + roles.clear(); + roles.add(UserLevel.NETWORKOPERATOR.toString()); + userConfig = new UserConfig("uname", "ciscocisco", roles); assertTrue(userConfig.validate().isSuccess()); - /* currentPassword mismatch */ - assertFalse(userConfig.update("Cisco", "cisco123", - UserLevel.NETWORKOPERATOR.toString())); - - assertTrue(userConfig.update("ciscocisco", null, - UserLevel.NETWORKOPERATOR.toString())); - /* New Password = null, No change in password */ + // currentPassword mismatch + assertFalse(userConfig.update("Cisco", "cisco123", roles).isSuccess()); + + // Role change only + roles.clear(); + 
roles.add(UserLevel.NETWORKADMIN.toString()); + assertTrue(userConfig.update("ciscocisco", null, roles).isSuccess()); + + // Role change and same new password + roles.clear(); + roles.add(UserLevel.NETWORKOPERATOR.toString()); + assertTrue(userConfig.update("ciscocisco", "ciscocisco", roles) + .isSuccess()); + + // New Password = null, No change in password assertTrue(userConfig.getPassword().equals("ciscocisco")); - /* Password changed successfully, no change in user role */ - assertTrue(userConfig.update("ciscocisco", "cisco123", - UserLevel.NETWORKOPERATOR.toString())); + // Password changed successfully, no change in user role + assertTrue(userConfig.update("ciscocisco", "cisco123", roles) + .isSuccess()); assertTrue(userConfig.getPassword().equals("cisco123")); - assertTrue(userConfig.getRole().equals( + assertTrue(userConfig.getRoles().get(0).equals( UserLevel.NETWORKOPERATOR.toString())); - /* Password not changed, role changed successfully */ - assertTrue(userConfig.update("cisco123", "cisco123", - UserLevel.SYSTEMADMIN.toString())); + // Password not changed, role changed successfully + roles.clear(); + roles.add(UserLevel.SYSTEMADMIN.toString()); + assertTrue(userConfig.update("cisco123", "cisco123", roles) + .isSuccess()); assertTrue(userConfig.getPassword().equals("cisco123")); - assertTrue(userConfig.getRole() + assertTrue(userConfig.getRoles().get(0) .equals(UserLevel.SYSTEMADMIN.toString())); - /* Password and role changed successfully */ - assertTrue(userConfig.update("cisco123", "ciscocisco", - UserLevel.SYSTEMADMIN.toString())); + // Password and role changed successfully + assertTrue(userConfig.update("cisco123", "ciscocisco", roles) + .isSuccess()); assertTrue(userConfig.getPassword().equals("ciscocisco")); - assertTrue(userConfig.getRole() + assertTrue(userConfig.getRoles().get(0) .equals(UserLevel.SYSTEMADMIN.toString())); String username = userConfig.getUser(); 
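Review bot: Every list built in AuthorizationConfigTest and UserConfigTest holds exactly one role, so the behaviour this commit introduces (several roles per user) is not exercised at the UserConfig level. Add a case with two roles that checks `getRoles()` returns both in order. Add another where the list contains an empty string, to pin down what `validate()` should return for it. The comment `// New Password = null, No change in password` now follows an update that passes "ciscocisco" as the new password, and belongs next to the role-only update above it.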
@@ -91,11 +108,11 @@ public class AuthorizationUserConfigTest { assertTrue(authresp.getStatus().equals(AuthResultEnum.AUTH_REJECT_LOC)); // test equals() - userConfig = new UserConfig("uname", "ciscocisco", - UserLevel.NETWORKOPERATOR.toString()); + roles.clear(); + roles.add(UserLevel.NETWORKOPERATOR.toString()); + userConfig = new UserConfig("uname", "ciscocisco", roles); assertEquals(userConfig, userConfig); - UserConfig userConfig2 = new UserConfig("uname", "ciscocisco", - UserLevel.NETWORKOPERATOR.toString()); + UserConfig userConfig2 = new UserConfig("uname", "ciscocisco", roles); assertEquals(userConfig, userConfig2); } } diff --git a/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/UserManagerImplTest.java b/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/UserManagerImplTest.java index ec7b136039..626011bd69 100644 --- a/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/UserManagerImplTest.java +++ b/opendaylight/usermanager/src/test/java/org/opendaylight/controller/usermanager/internal/UserManagerImplTest.java @@ -1,4 +1,3 @@ - /* * Copyright (c) 2013 Cisco Systems, Inc. and others. All rights reserved. * @@ -13,7 +12,8 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; -import java.util.Date; +import java.util.ArrayList; +import java.util.List; import java.util.concurrent.ConcurrentHashMap; import org.junit.Assert; 
@@ -31,218 +31,229 @@ import org.opendaylight.controller.usermanager.IUserManager; */ public class UserManagerImplTest { - private static UserManagerImpl um; - - /** - * @throws java.lang.Exception - */ - @BeforeClass - public static void setUpBeforeClass() throws Exception { - - IUserManager userManager = (IUserManager) ServiceHelper - .getGlobalInstance(IUserManager.class, new Object()); - if (userManager instanceof UserManagerImpl) { - um = (UserManagerImpl) userManager; - } else { - um = new UserManagerImpl(); - um.setAuthProviders(new ConcurrentHashMap()); - - // mock up a remote server list with a dummy server - um.setRemoteServerConfigList(new ConcurrentHashMap() { - static final long serialVersionUID = 1L; - { - put("dummyServerConfig", new ServerConfig() { // Server config can't be empty - static final long serialVersionUID = 8645L; - - public String getAddress() { - return "1.1.1.1"; - } - - public String getSecret() { - return "secret"; - } - - public String getProtocol() { - return "IPv4"; - } - }); - } - }); - - // mock up a localUserConfigList with an admin user - um.setLocalUserConfigList(new ConcurrentHashMap() { - static final long serialVersionUID = 2L; - { - put("admin", new UserConfig("admin", "7029,7455,8165,7029,7881", - UserLevel.SYSTEMADMIN.toString())); - } - }); - // instantiate an empty activeUser collection - um.setActiveUsers(new ConcurrentHashMap()); - - } - - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#addAAAProvider(org.opendaylight.controller.usermanager.IAAAProvider)} - * . 
- */ - @Test - public void testAddAAAProvider() { - // instantiate an anonymous AAAProvider - IAAAProvider a3p = new IAAAProvider() { - - public AuthResponse authService(String userName, String password, - String server, String secretKey) { - return new AuthResponse(); - }; - - public String getName() { - return "dummyAAAProvider"; - } - }; - - um.addAAAProvider(a3p); - assertEquals(a3p, um.getAAAProvider("dummyAAAProvider")); - - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#removeAAAProvider(org.opendaylight.controller.usermanager.IAAAProvider)} - * and for for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#getAAAProvider(java.lang.String)} - * . - */ - @Test - public void testRemoveAAAProvider() { - um.removeAAAProvider(um.getAAAProvider("dummyAAAProvider")); - assertTrue(um.getAAAProviderNames().isEmpty()); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#authenticate(java.lang.String, java.lang.String)} - * . - */ - @Test - public void testAuthenticateStringString() { - UserConfig uc = new UserConfig("administrator", "admin", - UserLevel.SYSTEMADMIN.toString()); - um.addLocalUser(uc); - AuthResultEnum authResult = um.authenticate("administrator", "admin"); - assertEquals(authResult, AuthResultEnum.AUTH_ACCEPT_LOC); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#addRemoveLocalUser(org.opendaylight.controller.usermanager.internal.UserConfig, boolean)} - * . 
- */ - @Test - public void testAddRemoveLocalUser() { - UserConfig uc = new UserConfig("sysadmin", "7029,7455,8165,7029,7881", - UserLevel.SYSTEMADMIN.toString()); - um.addLocalUser(uc); - assertTrue(um.getLocalUserList().contains(uc)); - um.removeLocalUser(uc); - assertFalse(um.getLocalUserList().contains(uc)); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#changeLocalUserPassword(java.lang.String, java.lang.String, java.lang.String)} - * . - */ - @Test - public void testChangeLocalUserPassword() { - // fail("Not yet implemented"); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#userLogout(java.lang.String)} - * . - */ - @Test - public void testUserLogout() { - // fail("Not yet implemented"); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#userTimedOut(java.lang.String)} - * . - */ - @Test - public void testUserTimedOut() { - // fail("Not yet implemented"); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#authenticate(org.springframework.security.core.Authentication)} - * . - */ - @Test - public void testAuthenticateAuthentication() { - // fail("Not yet implemented"); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#saveLocalUserList()} - * . - */ - @Test - public void testSaveLocalUserList() { - // fail("Not yet implemented"); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#saveAAAServerList()} - * . - */ - @Test - public void testSaveAAAServerList() { - // fail("Not yet implemented"); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#saveAuthorizationList()} - * . 
- */ - @Test - public void testSaveAuthorizationList() { - // fail("Not yet implemented"); - } - - /** - * Test method for - * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#readObject(java.io.ObjectInputStream)} - * . - */ - @Test - public void testReadObject() { - // fail("Not yet implemented"); - } - - @Test - public void testGetUserLevel() { - um.addLocalUser(new UserConfig("Jack", "password", - UserLevel.SYSTEMADMIN.toString())); - um.authenticate("Jack", "password"); - - um.addLocalUser(new UserConfig("John", "password", - UserLevel.NETWORKOPERATOR.toString())); - // Run the check on authenticated user - Assert.assertTrue(um.getUserLevel("Jack") == UserLevel.SYSTEMADMIN); - // Run the check on configured users - Assert.assertTrue(um.getUserLevel("John") == UserLevel.NETWORKOPERATOR); - Assert.assertTrue(um.getUserLevel("Andrew") == UserLevel.NOUSER); - } + private static UserManagerImpl um; + + /** + * @throws java.lang.Exception + */ + @BeforeClass + public static void setUpBeforeClass() throws Exception { + + IUserManager userManager = (IUserManager) ServiceHelper + .getGlobalInstance(IUserManager.class, new Object()); + if (userManager instanceof UserManagerImpl) { + um = (UserManagerImpl) userManager; + } else { + um = new UserManagerImpl(); + um.setAuthProviders(new ConcurrentHashMap()); + + // mock up a remote server list with a dummy server + um.setRemoteServerConfigList(new ConcurrentHashMap() { + static final long serialVersionUID = 1L; + { + put("dummyServerConfig", new ServerConfig() { + // Server config can't be empty + static final long serialVersionUID = 8645L; + + public String getAddress() { + return "1.1.1.1"; + } + + public String getSecret() { + return "secret"; + } + + public String getProtocol() { + return "IPv4"; + } + }); + } + }); + + // mock up a localUserConfigList with an admin user + um.setLocalUserConfigList(new ConcurrentHashMap() { + static final long serialVersionUID = 2L; + { + List roles = new 
ArrayList(1); + roles.add(UserLevel.SYSTEMADMIN.toString()); + put("admin", new UserConfig("admin", + "7029,7455,8165,7029,7881", roles)); + } + }); + // instantiate an empty activeUser collection + um.setActiveUsers(new ConcurrentHashMap()); + + } + + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#addAAAProvider(org.opendaylight.controller.usermanager.IAAAProvider)} + * . + */ + @Test + public void testAddAAAProvider() { + // instantiate an anonymous AAAProvider + IAAAProvider a3p = new IAAAProvider() { + + public AuthResponse authService(String userName, String password, + String server, String secretKey) { + return new AuthResponse(); + }; + + public String getName() { + return "dummyAAAProvider"; + } + }; + + um.addAAAProvider(a3p); + assertEquals(a3p, um.getAAAProvider("dummyAAAProvider")); + + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#removeAAAProvider(org.opendaylight.controller.usermanager.IAAAProvider)} + * and for for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#getAAAProvider(java.lang.String)} + * . + */ + @Test + public void testRemoveAAAProvider() { + um.removeAAAProvider(um.getAAAProvider("dummyAAAProvider")); + assertTrue(um.getAAAProviderNames().isEmpty()); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#authenticate(java.lang.String, java.lang.String)} + * . 
+ */ + @Test + public void testAuthenticateStringString() { + List roles = new ArrayList(1); + roles.add(UserLevel.SYSTEMADMIN.toString()); + UserConfig uc = new UserConfig("administrator", "admin", roles); + um.addLocalUser(uc); + AuthResultEnum authResult = um.authenticate("administrator", "admin"); + assertEquals(authResult, AuthResultEnum.AUTH_ACCEPT_LOC); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#addRemoveLocalUser(org.opendaylight.controller.usermanager.internal.UserConfig, boolean)} + * . + */ + @Test + public void testAddRemoveLocalUser() { + List roles = new ArrayList(1); + roles.add(UserLevel.SYSTEMADMIN.toString()); + UserConfig uc = new UserConfig("sysadmin", "7029,7455,8165,7029,7881", + roles); + um.addLocalUser(uc); + assertTrue(um.getLocalUserList().contains(uc)); + um.removeLocalUser(uc); + assertFalse(um.getLocalUserList().contains(uc)); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#changeLocalUserPassword(java.lang.String, java.lang.String, java.lang.String)} + * . + */ + @Test + public void testChangeLocalUserPassword() { + // fail("Not yet implemented"); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#userLogout(java.lang.String)} + * . + */ + @Test + public void testUserLogout() { + // fail("Not yet implemented"); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#userTimedOut(java.lang.String)} + * . + */ + @Test + public void testUserTimedOut() { + // fail("Not yet implemented"); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#authenticate(org.springframework.security.core.Authentication)} + * . 
+ */ + @Test + public void testAuthenticateAuthentication() { + // fail("Not yet implemented"); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#saveLocalUserList()} + * . + */ + @Test + public void testSaveLocalUserList() { + // fail("Not yet implemented"); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#saveAAAServerList()} + * . + */ + @Test + public void testSaveAAAServerList() { + // fail("Not yet implemented"); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#saveAuthorizationList()} + * . + */ + @Test + public void testSaveAuthorizationList() { + // fail("Not yet implemented"); + } + + /** + * Test method for + * {@link org.opendaylight.controller.usermanager.internal.UserManagerImpl#readObject(java.io.ObjectInputStream)} + * . + */ + @Test + public void testReadObject() { + // fail("Not yet implemented"); + } + + @Test + public void testGetUserLevel() { + List roles = new ArrayList(2); + roles.add(UserLevel.SYSTEMADMIN.toString()); + roles.add("App1_supervisor"); + um.addLocalUser(new UserConfig("Jack", "password", roles)); + um.authenticate("Jack", "password"); + + roles.clear(); + roles.add("App2Admin"); + roles.add(UserLevel.NETWORKOPERATOR.toString()); + um.addLocalUser(new UserConfig("John", "password", roles)); + + // Run the check on authenticated user + Assert.assertTrue(um.getUserLevel("Jack") == UserLevel.SYSTEMADMIN); + // Run the check on configured users + Assert.assertTrue(um.getUserLevel("John") == UserLevel.NETWORKOPERATOR); + Assert.assertTrue(um.getUserLevel("Andrew") == UserLevel.NOUSER); + } } diff --git a/opendaylight/web/root/src/main/resources/js/open.js b/opendaylight/web/root/src/main/resources/js/open.js index dda63be90e..b82a85a74a 100644 --- a/opendaylight/web/root/src/main/resources/js/open.js +++ b/opendaylight/web/root/src/main/resources/js/open.js 
@@ -201,7 +201,7 @@ one.main.admin = { var tr = {}; var entry = []; entry.push(value['user']); - entry.push(value['role']); + entry.push(value['roles']); tr['entry'] = entry; tr['id'] = value['user']; body.push(tr); @@ -385,9 +385,11 @@ one.main.admin = { '#' + one.main.admin.id.modal.add.form.name).val(); user['password'] = $modal.find( '#' + one.main.admin.id.modal.add.form.password).val(); - user['role'] = $modal.find( + roles = new Array(); + roles[0] = $modal.find( '#' + one.main.admin.id.modal.add.form.role).find( 'option:selected').attr('value'); + user['roles'] = roles; // password check var verify = $('#'+one.main.admin.id.modal.add.form.verify).val();
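Review bot: `roles = new Array();` in the add-user handler assigns to an undeclared variable, which creates an implicit global and throws under strict mode. Declare it locally and build the array in one step: `var roles = [$modal.find('#' + one.main.admin.id.modal.add.form.role).find('option:selected').attr('value')];`. In the first hunk, `entry.push(value['roles'])` now puts an array into a table cell, so the display relies on implicit array-to-string conversion. `value['roles'].join(', ')` would make the rendering explicit.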