From 9293aee68cd3cf39a39d13b448e16b5c9872e9ca Mon Sep 17 00:00:00 2001
From: Alessandro Boch
Date: Wed, 23 Oct 2013 12:26:45 -0700
Subject: [PATCH] Prevent addition/removal for well known container roles

- Container roles are self generated when container is created. They are equivalent to the Controller network admin and network operator roles for the container sub controller. Authorization APIs for creating and removing roles are currently only validating against the Controller roles, not the sub controller roles.

Change-Id: I0ecf521a89163fedb68450fa3bc2b0d6c077977a
Signed-off-by: Alessandro Boch
---
 opendaylight/appauth/pom.xml | 8 ++++++--
 .../appauth/authorization/Authorization.java | 20 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/opendaylight/appauth/pom.xml b/opendaylight/appauth/pom.xml
index 6f2e9ee1eb..fa273b6e92 100644
--- a/opendaylight/appauth/pom.xml
+++ b/opendaylight/appauth/pom.xml
@@ -27,13 +27,12 @@
+ org.opendaylight.controller.containermanager,
org.opendaylight.controller.sal.authorization,
org.opendaylight.controller.sal.utils,
org.opendaylight.controller.usermanager,
org.slf4j,
org.apache.felix.dm,
- org.apache.commons.lang3.builder,
- org.eclipse.osgi.framework.console
org.opendaylight.controller.appauth,
@@ -53,6 +52,11 @@
sal
0.5.1-SNAPSHOT
+
+ org.opendaylight.controller
+ containermanager
+ 0.5.1-SNAPSHOT
+
org.opendaylight.controller
usermanager
diff --git a/opendaylight/appauth/src/main/java/org/opendaylight/controller/appauth/authorization/Authorization.java b/opendaylight/appauth/src/main/java/org/opendaylight/controller/appauth/authorization/Authorization.java
index fd8799f4f3..b872f49130 100644
--- a/opendaylight/appauth/src/main/java/org/opendaylight/controller/appauth/authorization/Authorization.java
+++ b/opendaylight/appauth/src/main/java/org/opendaylight/controller/appauth/authorization/Authorization.java
@@ -16,6 +16,7 @@
import java.util.Map.Entry;
import java.util.Set;
import java.util.concurrent.ConcurrentMap;
+import org.opendaylight.controller.containermanager.IContainerAuthorization;
import org.opendaylight.controller.sal.authorization.AppRoleLevel;
import org.opendaylight.controller.sal.authorization.IResourceAuthorization;
import org.opendaylight.controller.sal.authorization.Privilege;
@@ -66,6 +67,11 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
"Controller roles cannot be explicitely " + "created in App context");
}
+ if (isContainerRole(role)) {
+ return new Status(StatusCode.NOTALLOWED,
+ "Container roles cannot be explicitely "
+ + "created in App context");
+ }
if (isRoleInUse(role)) {
return new Status(StatusCode.CONFLICT, "Role already in use");
}
@@ -96,7 +102,10 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
return new Status(StatusCode.NOTALLOWED, "Controller roles cannot be removed");
}
-
+ if (isContainerRole(role)) {
+ return new Status(StatusCode.NOTALLOWED,
+ "Container roles cannot be removed");
+ }
return removeRoleInternal(role);
}
@@ -599,6 +608,15 @@ private static final Logger logger = LoggerFactory.getLogger(Authorization.class
.equals(UserLevel.NETWORKOPERATOR.toString()));
}
+ private boolean isContainerRole(String role) {
+ IContainerAuthorization containerAuth = (IContainerAuthorization) ServiceHelper.getGlobalInstance(
+ IContainerAuthorization.class, this);
+ if (containerAuth == null) {
+ return false;
+ }
+ return containerAuth.isApplicationRole(role);
+ }
+
private boolean isRoleInUse(String role) {
IUserManager userManager = (IUserManager) ServiceHelper
.getGlobalInstance(IUserManager.class, this);
-- 
2.36.6
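Review bot: The new status message in the createRole hunk, `"Container roles cannot be explicitely "`, copies the misspelling from the controller-role message just above it, and since this text is returned to API callers inside the Status it is worth getting right: `"Container roles cannot be explicitly "`. The pre-existing controller-role line carries the same typo but is context here, not part of the change. The guard itself is placed sensibly, before the isRoleInUse check, so a container-role name is refused with NOTALLOWED rather than CONFLICT. The enclosing createRole method begins and ends outside this hunk.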
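Review bot: In the new isContainerRole helper, the `if (containerAuth == null) { return false; }` branch makes both new guards fail open: whenever the IContainerAuthorization service is not registered (bundle not yet started, or stopped), a role named like a container role can again be created or removed, which is exactly the gap this commit sets out to close. Whether that is acceptable depends on the startup ordering the maintainers intend; if the service can legitimately be absent, the degraded state should at least be visible, e.g. `logger.warn("Container authorization service unavailable, cannot check whether {} is a container role", role);` before the return, and if it is expected to always be present, failing closed (return true, or surfacing an error Status from the callers) is the safer default. I am inferring from its name that isApplicationRole answers whether the string is one of the container's self-generated roles; a short Javadoc on the helper stating that, and that it answers false when the container manager is unavailable, would make the contract explicit for the two callers.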