From d388231a121e26c67a4f8c0abff447f517a6fe67 Mon Sep 17 00:00:00 2001 From: Alessandro Boch Date: Mon, 3 Jun 2013 19:19:28 -0700 Subject: [PATCH] Principal to contain all the user roles - Added IUserManager.getUserLevels() which returns all the controller levels for the passed user - Modified CustomRealm to return a principal containing all the controller roles for the passed user - Code style and format changes for the touched files Signed-off-by: Alessandro Boch --- .../security/ControllerCustomRealm.java | 20 ++-- .../controller/usermanager/IUserManager.java | 64 +++++++------ .../usermanager/internal/UserManagerImpl.java | 91 +++++++++++++++---- 3 files changed, 124 insertions(+), 51 deletions(-) diff --git a/opendaylight/security/src/main/java/org/opendaylight/controller/security/ControllerCustomRealm.java b/opendaylight/security/src/main/java/org/opendaylight/controller/security/ControllerCustomRealm.java index f2e339f0c7..a988673c7e 100644 --- a/opendaylight/security/src/main/java/org/opendaylight/controller/security/ControllerCustomRealm.java +++ b/opendaylight/security/src/main/java/org/opendaylight/controller/security/ControllerCustomRealm.java @@ -31,8 +31,9 @@ public class ControllerCustomRealm extends RealmBase { .getGlobalInstance(IUserManager.class, this); if (userManager != null) { return userManager.getPassword(username); - } else + } else { throw new RuntimeException("User Manager reference is null"); + } } @Override 
@@ -40,14 +41,14 @@ public class ControllerCustomRealm extends RealmBase { IUserManager userManager = (IUserManager) ServiceHelper .getGlobalInstance(IUserManager.class, this); if (userManager != null) { - final List levels = new ArrayList(); - UserLevel level = userManager.getUserLevel(username); - if (level == null) level = UserLevel.NOUSER; - levels.add(level.toString()); - return new GenericPrincipal(username, "", levels); - } else + List controllerRoles = new ArrayList(); + for (UserLevel level : userManager.getUserLevels(username)) { + controllerRoles.add(level.toString()); + } + return new GenericPrincipal(username, "", controllerRoles); + } else { throw new RuntimeException("User Manager reference is null"); - + } } @Override @@ -66,8 +67,9 @@ public class ControllerCustomRealm extends RealmBase { logger.error("Authentication failed for user " + username); return null; } - } else + } else { throw new RuntimeException("User Manager reference is null"); + } } } diff --git a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/IUserManager.java b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/IUserManager.java index 0ec9445b1e..ed23b5f067 100644 --- a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/IUserManager.java +++ b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/IUserManager.java @@ -28,7 +28,7 @@ public interface IUserManager extends UserDetailsService { /** * Returns the list of roles associated to the passed user name - * + * * @param userName * @return the role associated to the user name */ @@ -37,7 +37,7 @@ public interface IUserManager extends UserDetailsService { /** * Authenticate user with AAA server and return authentication and * authorization info - * + * * @param username * the username * @param password 
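Review bot: The rewritten getRoles body drops the old NOUSER fallback: when getUserLevels returns an empty list the GenericPrincipal is built with no roles at all, whereas the old code always carried at least `NOUSER`, so any check that expects a role string to be present will now see an empty set; if that is the intended behaviour, say so above the loop with `// An unknown user, or one with no controller role, gets a principal with no roles`. The for-each also assumes getUserLevels never returns null, which the new IUserManager Javadoc in this patch does not promise; either state it there or guard here. The signature of getRoles is outside the hunk.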
@@ -49,7 +49,7 @@ public interface IUserManager extends UserDetailsService { /** * Add/remove AAA server - * + * * @param configObject * {@link org.opendaylight.controller.usermanager.internal.ServerConfig} * Server Configuration @@ -60,7 +60,7 @@ public interface IUserManager extends UserDetailsService { /** * Remove AAA server - * + * * @param configObject * refer to * {@link org.opendaylight.controller.usermanager.internal.ServerConfig} @@ -72,7 +72,7 @@ public interface IUserManager extends UserDetailsService { /** * Add a local user - * + * * @param configObject * {@link org.opendaylight.controller.usermanager.internal.UserConfig} * User Configuration @@ -83,7 +83,7 @@ public interface IUserManager extends UserDetailsService { /** * Remove a local user - * + * * @param configObject * {@link org.opendaylight.controller.usermanager.internal.UserConfig} * UserConfig @@ -94,7 +94,7 @@ public interface IUserManager extends UserDetailsService { /** * Remove a local user - * + * * @param userName * the user name * @return {@link org.opendaylight.controller.sal.utils.Status} @@ -105,7 +105,7 @@ public interface IUserManager extends UserDetailsService { /** * Add the authorization information for a user that gets authenticated * remotely - * + * * @param AAAconf * {@link org.opendaylight.controller.usermanager.internal.AuthorizationConfig} * Authorization Resources @@ -117,7 +117,7 @@ public interface IUserManager extends UserDetailsService { /** * Remove the authorization information for a user that gets authenticated * remotely - * + * * @param AAAconf * {@link org.opendaylight.controller.usermanager.internal.AuthorizationConfig} * Authorization Resource @@ -128,7 +128,7 @@ public interface IUserManager extends UserDetailsService { /** * Return the list of authorization resources - * + * * @return {@link org.opendaylight.controller.usermanager.internal.AuthorizationConfig} * List of Authorization Resource */ 
@@ -136,14 +136,14 @@ public interface IUserManager extends UserDetailsService { /** * Returns a list of AAA Providers. - * + * * @return Set of provider names. */ public Set getAAAProviderNames(); /** * Change the current password for a locally configured user - * + * * @param user * the username * @param curPasssword @@ -158,7 +158,7 @@ public interface IUserManager extends UserDetailsService { /** * Return a list of AAA servers currently configured - * + * * @return {@link org.opendaylight.controller.usermanager.internal.ServerConfig} * List of ServerConfig */ @@ -166,7 +166,7 @@ public interface IUserManager extends UserDetailsService { /** * Return a list of local users - * + * * @return {@link org.opendaylight.controller.usermanager.internal.UserConfig} * List of UserConfig */ @@ -174,7 +174,7 @@ public interface IUserManager extends UserDetailsService { /** * Save the local users to disk - * + * * @return {@link org.opendaylight.controller.sal.utils.Status} * status of this action */ @@ -182,7 +182,7 @@ public interface IUserManager extends UserDetailsService { /** * Save the AAA server configurations to disk - * + * * @return {@link org.opendaylight.controller.sal.utils.Status} * status of this action */ @@ -190,7 +190,7 @@ public interface IUserManager extends UserDetailsService { /** * Save the Authorization configurations to disk - * + * * @return {@link org.opendaylight.controller.sal.utils.Status} * status code */ @@ -198,7 +198,7 @@ public interface IUserManager extends UserDetailsService { /** * Remove user profile when user logs out - * + * * @param username * the user name */ @@ -206,7 +206,7 @@ public interface IUserManager extends UserDetailsService { /** * Remove user profile when user times out - * + * * @param username * the user name */ 
@@ -214,24 +214,24 @@ public interface IUserManager extends UserDetailsService { /** * Get the list of users currently logged in - * + * * @return the list of users along with their administrative roles */ public Map> getUserLoggedIn(); /** * Get date and time user was successfully authenticated - * + * * @param user * @return Date in String format */ public String getAccessDate(String user); /** - * Returns the user level for the passed user name. It checks the roles + * Returns the highest user level for the passed user name. It checks the roles * assigned to this user and checks against the well known Controller user * roles to determines the highest user level associated with the user - * + * * @param userName * the user name * @return {@link org.opendaylight.controller.sal.authorization.UserLevel} @@ -239,9 +239,21 @@ public interface IUserManager extends UserDetailsService { */ public UserLevel getUserLevel(String userName); + /** + * Returns the list of user level for the passed user name. It checks the roles + * assigned to this user and checks against the well known Controller user + * roles to determines the corresponding list of user level associated with the user + * + * @param userName + * the user name + * @return + * the list of user level for this user + */ + public List getUserLevels(String userName); + /** * Returns the Security Context - * + * * @returns {@link org.springframework.security.web.context.SecurityContextRepository} * Security Context */ @@ -249,7 +261,7 @@ public interface IUserManager extends UserDetailsService { /** * Returns the Session Manager Interface Handler - * + * * @return {@link org.opendaylight.controller.usermanager.ISessionManager} * session manager interface handler */ @@ -257,7 +269,7 @@ public interface IUserManager extends UserDetailsService { /* non-Javadoc * Returns the password for a given user - * + * * @param username * the user name * @return password for the username 
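Review bot: The Javadoc on the new getUserLevels declaration (the `@@ -239,9 +239,21` hunk) leaves its `@return` line empty and does not state the contract callers now depend on: whether the list can be null, what is returned for an unknown user, and in what order the levels appear. The UserManagerImpl body added in this patch returns an empty list for an unknown user and adds levels from SYSTEMADMIN downwards, so the tag could read `@return the controller user levels for this user, highest level first; empty, never null, if the user is unknown or has no recognised role`. The summary sentence also needs a grammar pass: "the list of user level" to "the list of user levels" and "to determines" to "to determine".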
diff --git a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java index 69c9a1a2a6..5ddf6be6c5 100644 --- a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java +++ b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java @@ -83,11 +83,11 @@ public class UserManagerImpl implements IUserManager, IObjectReader, private ConcurrentMap localUserConfigList; private ConcurrentMap remoteServerConfigList; // local authorization info for remotely authenticated users - private ConcurrentMap authorizationConfList; + private ConcurrentMap authorizationConfList; private ConcurrentMap activeUsers; private ConcurrentMap authProviders; private ConcurrentMap localUserListSaveConfigEvent, - remoteServerSaveConfigEvent, authorizationSaveConfigEvent; + remoteServerSaveConfigEvent, authorizationSaveConfigEvent; private IClusterGlobalServices clusterGlobalService = null; private SecurityContextRepository securityContextRepo = new UserSecurityContextRepository(); private IContainerAuthorization containerAuthorizationClient; @@ -115,6 +115,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, return authProviders.get(name); } + @Override public Set getAAAProviderNames() { return authProviders.keySet(); } 
@@ -272,13 +273,13 @@ public class UserManagerImpl implements IUserManager, IObjectReader, } else if (rcResponse.getStatus() == AuthResultEnum.AUTH_REJECT) { logger.info( "Remote Authentication Rejected User: \"{}\", from Server: {}, Reason:{}", - new Object[] {userName, aaaServer.getAddress(), - rcResponse.getStatus().toString()}); + new Object[] { userName, aaaServer.getAddress(), + rcResponse.getStatus().toString() }); } else { logger.info( "Remote Authentication Failed for User: \"{}\", from Server: {}, Reason:{}", - new Object[] {userName, aaaServer.getAddress(), - rcResponse.getStatus().toString()}); + new Object[] { userName, aaaServer.getAddress(), + rcResponse.getStatus().toString() }); } } } @@ -363,7 +364,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, putUserInActiveList(userName, result); if (authorized) { logger.info("User \"{}\" authorized for the following role(s): {}", - userName, result.getUserRoles()); + userName, result.getUserRoles()); } else { logger.info("User \"{}\" Not Authorized for any role ", userName); } @@ -390,6 +391,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, activeUsers.remove(user); } + @Override public Status saveLocalUserList() { // Publish the save config event to the cluster nodes localUserListSaveConfigEvent.put(new Date().getTime(), SAVE); @@ -402,6 +404,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, localUserConfigList), usersFileName); } + @Override public Status saveAAAServerList() { // Publish the save config event to the cluster nodes remoteServerSaveConfigEvent.put(new Date().getTime(), SAVE); @@ -414,6 +417,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, remoteServerConfigList), serversFileName); } + @Override public Status saveAuthorizationList() { // Publish the save config event to the cluster nodes authorizationSaveConfigEvent.put(new Date().getTime(), SAVE); 
@@ -628,7 +632,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, return status; } // Trigger cluster update - localUserConfigList.put(user, targetConfigEntry); + localUserConfigList.put(user, targetConfigEntry); logger.info("Password changed for User \"{}\"", user); @@ -703,7 +707,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, String userName = ci.nextArgument(); String password = ci.nextArgument(); String role = ci.nextArgument(); - + List roles = new ArrayList(); while (role != null) { if (!role.trim().isEmpty()) { @@ -734,7 +738,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, if (target == null) { ci.println("User not found"); return; - } + } ci.println(this.removeLocalUser(target)); } @@ -815,7 +819,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, /** * Function called by the dependency manager when all the required * dependencies are satisfied - * + * */ void init() { } @@ -824,7 +828,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, * Function called by the dependency manager when at least one dependency * become unsatisfied or when the component is shutting down because for * example bundle is being stopped. - * + * */ void destroy() { } @@ -832,7 +836,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, /** * Function called by dependency manager after "init ()" is called and after * the services provided by the class are registered in the service registry - * + * */ void start() { authProviders = new ConcurrentHashMap(); @@ -855,7 +859,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, * Function called by the dependency manager before the services exported by * the component are unregistered, this will be followed by a "destroy ()" * calls - * + * */ void stop() { } 
@@ -919,6 +923,58 @@ public class UserManagerImpl implements IUserManager, IObjectReader, return UserLevel.NOUSER; } + + @Override + public List getUserLevels(String username) { + // Returns the controller well-know user levels for the passed user + List rolesNames = null; + List levels = new ArrayList(); + + if (activeUsers.containsKey(username)) { + List roles = activeUsers.get(username).getUserRoles(); + rolesNames = (roles == null || roles.isEmpty()) ? null : roles; + } else if (localUserConfigList.containsKey(username)) { + UserConfig config = localUserConfigList.get(username); + rolesNames = (config == null) ? null : config.getRoles(); + } + + if (rolesNames == null) { + return levels; + } + + // Check against the well known controller roles first + if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) { + levels.add(UserLevel.SYSTEMADMIN); + } + if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) { + levels.add(UserLevel.NETWORKADMIN); + } + if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) { + levels.add(UserLevel.NETWORKOPERATOR); + } + // Check if container user now + if (containerAuthorizationClient != null) { + for (String roleName : rolesNames) { + if (containerAuthorizationClient.isApplicationRole(roleName)) { + levels.add(UserLevel.CONTAINERUSER); + break; + } + } + } + // Finally check if application user + if (applicationAuthorizationClients != null) { + for (String roleName : rolesNames) { + for (IResourceAuthorization client : this.applicationAuthorizationClients) { + if (client.isApplicationRole(roleName)) { + levels.add(UserLevel.APPUSER); + break; + } + } + } + } + return levels; + } + @Override public Status saveConfiguration() { boolean success = true; 
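Review bot: In the application-user check at the end of getUserLevels the `break` only leaves the inner loop over applicationAuthorizationClients, so a user whose role list holds several application roles gets `UserLevel.APPUSER` added once per matching role and the principal built from this list carries duplicates; label the outer loop (`appUser: for (String roleName : rolesNames) {`) and use `break appUser;`, or collect into an EnumSet before copying to the list. The activeUsers lookup is also racy: activeUsers is a ConcurrentMap that other code in this file removes from (`activeUsers.remove(user)` is visible in the `@@ -390` hunk context), so between `containsKey(username)` and `activeUsers.get(username).getUserRoles()` the entry can disappear and the realm's getRoles ends in a NullPointerException; fetch once with `get` and null-check, as the localUserConfigList branch already does. The method otherwise repeats the role-matching logic of getUserLevel directly above it (whose tail `return UserLevel.NOUSER;` is in the hunk), which could instead return the first element of this list or NOUSER. The comment typo `well-know` should read `well-known`.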
@@ -958,8 +1014,9 @@ public class UserManagerImpl implements IUserManager, IObjectReader, .getPassword(), enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, user.getGrantedAuthorities(getUserLevel(username))); - } else + } else { throw new UsernameNotFoundException("User not found " + username); + } } @Override @@ -1011,9 +1068,10 @@ public class UserManagerImpl implements IUserManager, IObjectReader, .getName()))); return authentication; - } else + } else { throw new BadCredentialsException( "Username or credentials did not match"); + } } @@ -1057,6 +1115,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, this.sessionMgr = sessionMgr; } + @Override public String getPassword(String username) { return localUserConfigList.get(username).getPassword(); } -- 2.36.6