modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
| 65 +-
modules/core/domain/src/main/java/org/rhq/core/domain/criteria/ResourceGroupCriteria.java
| 10
modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LinkManager.java
| 27 +
modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupContextMenu.java
| 191 ++++---
modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupDetailView.java
| 21
modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTitleBar.java
| 12
modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTreeView.java
| 20
modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/detail/ResourceTreeView.java
| 43 -
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
| 52 +-
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/resource/group/ResourceGroupManagerBean.java
| 247 ++++++----
10 files changed, 432 insertions(+), 256 deletions(-)
New commits:
commit 77fdb652eb6ffd64f2a89800a3d9e03900b44f71
Author: Jay Shaughnessy <jshaughn(a)redhat.com>
Date: Mon Dec 20 21:50:25 2010 -0500
Group Authorization work
- enhanced AuthorizationManager to handle more group authz cases
- enhanced findResourceGroup[Composite]sByCriteria to handle more group
authz cases and to return proper resourcePermission for all cases,
for composites.
Group Context Menu work
- fixed issues in autogroup and clustergroup context menus
- added authz to the group context menus
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LinkManager.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LinkManager.java
index 4855575..e819c36 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LinkManager.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LinkManager.java
@@ -65,6 +65,15 @@ public class LinkManager {
}
}
+ public static String getAutoClusterTabLink(int autoClusterGroupId, String tabName,
String subTabName) {
+ if (GWT) {
+ return "#ResourceGroup/AutoCluster/" + autoClusterGroupId +
"/" + tabName
+ + ((null == subTabName) ? "" : ("/" + subTabName));
+ } else {
+ return "/rhq/group/inventory/view.xhtml?groupId=" +
autoClusterGroupId;
+ }
+ }
+
public static String getResourceGroupTabLink(int resourceGroupId, String tabName,
String subTabName) {
if (GWT) {
return "#ResourceGroup/" + resourceGroupId + "/" +
tabName
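Review bot: getAutoClusterTabLink is a third copy of the fragment-building logic that getResourceGroupTabLink and getAutoGroupTabLink already contain (both are added in the later LinkManager hunk on this page), differing only in the `#ResourceGroup/AutoCluster/` prefix. A private helper that takes the prefix would keep the three from drifting apart. The method has no Javadoc, and its non-GWT branch drops both tab arguments without saying so; a comment such as `// non-GWT view has no tab addressing; tabName and subTabName are ignored here` would make that explicit. A null tabName would also be concatenated as the text "null", since only subTabName is null-checked.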
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupContextMenu.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupContextMenu.java
index c6ce934..0b454bf 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupContextMenu.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupContextMenu.java
@@ -26,9 +26,6 @@ import java.util.EnumSet;
import java.util.List;
import com.google.gwt.user.client.rpc.AsyncCallback;
-import com.smartgwt.client.widgets.Window;
-import com.smartgwt.client.widgets.events.CloseClickHandler;
-import com.smartgwt.client.widgets.events.CloseClientEvent;
import com.smartgwt.client.widgets.menu.Menu;
import com.smartgwt.client.widgets.menu.MenuItem;
import com.smartgwt.client.widgets.menu.MenuItemSeparator;
@@ -36,19 +33,19 @@ import com.smartgwt.client.widgets.menu.events.ClickHandler;
import com.smartgwt.client.widgets.menu.events.MenuItemClickEvent;
import org.rhq.core.domain.configuration.PropertySimple;
-import org.rhq.core.domain.criteria.ResourceTypeCriteria;
+import org.rhq.core.domain.criteria.ResourceGroupCriteria;
import org.rhq.core.domain.dashboard.Dashboard;
import org.rhq.core.domain.dashboard.DashboardPortlet;
import org.rhq.core.domain.measurement.MeasurementDefinition;
import org.rhq.core.domain.operation.OperationDefinition;
import org.rhq.core.domain.resource.ResourceType;
import org.rhq.core.domain.resource.group.ResourceGroup;
+import org.rhq.core.domain.resource.group.composite.ResourceGroupComposite;
import org.rhq.core.domain.util.PageList;
import org.rhq.enterprise.gui.coregui.client.CoreGUI;
import org.rhq.enterprise.gui.coregui.client.LinkManager;
import
org.rhq.enterprise.gui.coregui.client.dashboard.portlets.inventory.resource.graph.GraphPortlet;
import org.rhq.enterprise.gui.coregui.client.gwt.GWTServiceLookup;
-import org.rhq.enterprise.gui.coregui.client.gwt.ResourceTypeGWTServiceAsync;
import
org.rhq.enterprise.gui.coregui.client.inventory.resource.type.ResourceTypeRepository;
import org.rhq.enterprise.gui.coregui.client.util.message.Message;
import org.rhq.enterprise.gui.coregui.client.util.selenium.LocatableMenu;
@@ -58,37 +55,70 @@ import
org.rhq.enterprise.gui.coregui.client.util.selenium.LocatableMenu;
*/
public class ResourceGroupContextMenu extends LocatableMenu {
+ private ResourceGroupComposite groupComposite;
+ private ResourceGroup group;
+ private ResourceType groupMemberType;
+
+ private boolean isAutoCluster = false;
private boolean isAutoGroup = false;
public ResourceGroupContextMenu(String locatorId) {
super(locatorId);
}
- public ResourceGroupContextMenu(String locatorId, boolean isAutoGroup) {
- super(locatorId);
- this.isAutoGroup = isAutoGroup;
- }
+ public void showContextMenu(final ResourceGroup group) {
+ // we need the group composite to access permissions for context menu authz, so
get it now
+ ResourceGroupCriteria criteria = new ResourceGroupCriteria();
+ criteria.addFilterId(group.getId());
+
+ // for autoclusters and private groups (autogroups) we need to add more criteria
+ isAutoCluster = (null != group.getClusterResourceGroup());
+ isAutoGroup = (null != group.getSubject());
+
+ if (isAutoCluster) {
+ criteria.addFilterVisible(false);
+
+ } else if (isAutoGroup) {
+ criteria.addFilterVisible(false);
+ criteria.addFilterPrivate(true);
+ }
- private ResourceType currentType;
- //private ResourceGroup group;
- private ResourceGroup currentGroup;
+
GWTServiceLookup.getResourceGroupService().findResourceGroupCompositesByCriteria(criteria,
+ new AsyncCallback<PageList<ResourceGroupComposite>>() {
+ public void onFailure(Throwable caught) {
+ CoreGUI.getErrorHandler().handleError(
+
MSG.view_group_detail_failLoadComp(String.valueOf(group.getId())), caught);
+ }
+
+ public void onSuccess(PageList<ResourceGroupComposite> result) {
+ if (result.isEmpty()) {
+ CoreGUI.getErrorHandler().handleError(
+
MSG.view_group_detail_failLoadComp(String.valueOf(group.getId())));
+ } else {
+ showContextMenu(result.get(0));
+ }
+ }
+ });
+ }
- public void showContextMenu(ResourceGroup compatibleGroup) {
- this.currentType = compatibleGroup.getResourceType();
- this.currentGroup = compatibleGroup;
+ public void showContextMenu(ResourceGroupComposite groupComposite) {
+ this.groupComposite = groupComposite;
+ group = groupComposite.getResourceGroup();
+ groupMemberType = group.getResourceType();
+ isAutoCluster = (null != group.getClusterResourceGroup());
+ isAutoGroup = (null != group.getSubject());
ResourceTypeRepository.Cache.getInstance().getResourceTypes(
- currentType.getId(),
+ groupMemberType.getId(),
EnumSet.of(ResourceTypeRepository.MetadataType.operations,
ResourceTypeRepository.MetadataType.children,
ResourceTypeRepository.MetadataType.subCategory,
ResourceTypeRepository.MetadataType.pluginConfigurationDefinition,
ResourceTypeRepository.MetadataType.resourceConfigurationDefinition),
new ResourceTypeRepository.TypeLoadedCallback() {
public void onTypesLoaded(ResourceType type) {
+ groupMemberType = type;
- currentType = type;
-
- buildResourceGroupContextMenu(currentGroup, type);
+ buildResourceGroupContextMenu(group, type);
showContextMenu();
}
});
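Review bot: showContextMenu now stores the group, its composite and the isAutoGroup/isAutoCluster flags in instance fields that are written before an asynchronous call and read later inside the callbacks (`onSuccess` and `onTypesLoaded`). If the menu is requested for a second group before the first callbacks return, `buildResourceGroupContextMenu(group, type)` would run with whichever group was stored last, so the permission-gated items could be built from a different composite than the node that was clicked. Whether that can occur depends on how callers reuse this menu instance, which the hunk does not show. Capturing the composite and group in final locals inside `showContextMenu(ResourceGroupComposite)` and passing them to the builder would remove the dependency on call ordering. The two public overloads would also benefit from a short Javadoc noting that the ResourceGroup overload makes a server round trip to obtain the permissions.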
@@ -105,87 +135,67 @@ public class ResourceGroupContextMenu extends LocatableMenu {
addItem(new MenuItemSeparator());
// plugin config
- MenuItem editPluginConfiguration = new
MenuItem(MSG.view_tabs_common_connectionSettings());
- editPluginConfiguration.addClickHandler(new ClickHandler() {
+ MenuItem pluginConfiguration = new
MenuItem(MSG.view_tabs_common_connectionSettings());
+ pluginConfiguration.addClickHandler(new ClickHandler() {
public void onClick(MenuItemClickEvent event) {
if (isAutoGroup) {
CoreGUI.goToView(LinkManager.getAutoGroupTabLink(group.getId(),
"Inventory", "ConnectionSettings"));
+ } else if (isAutoCluster) {
+ CoreGUI.goToView(LinkManager
+ .getAutoClusterTabLink(group.getId(), "Inventory",
"ConnectionSettings"));
} else {
CoreGUI.goToView(LinkManager.getResourceGroupTabLink(group.getId(),
"Inventory",
"ConnectionSettings"));
}
}
});
-
editPluginConfiguration.setEnabled(resourceType.getPluginConfigurationDefinition() !=
null);
- addItem(editPluginConfiguration);
-
- MenuItem editResourceConfiguration = new
MenuItem(MSG.view_tree_common_contextMenu_resourceConfiguration());
- editResourceConfiguration.addClickHandler(new ClickHandler() {
- public void onClick(MenuItemClickEvent event) {
- int groupId = group.getId();
- int resourceTypeId = resourceType.getId();
-
- final Window configEditor = new Window();
-
configEditor.setTitle(MSG.view_tree_common_contextMenu_editResourceConfiguration(group.getName()));
- configEditor.setWidth(800);
- configEditor.setHeight(800);
- configEditor.setIsModal(true);
- configEditor.setShowModalMask(true);
- configEditor.setCanDragResize(true);
- configEditor.setShowResizer(true);
- configEditor.centerInPage();
- configEditor.addCloseClickHandler(new CloseClickHandler() {
- public void onCloseClick(CloseClientEvent closeClientEvent) {
- configEditor.destroy();
+ pluginConfiguration.setEnabled(resourceType.getPluginConfigurationDefinition() !=
null);
+ addItem(pluginConfiguration);
+
+ MenuItem resourceConfiguration = new
MenuItem(MSG.view_tree_common_contextMenu_resourceConfiguration());
+ boolean enabled = groupComposite.getResourcePermission().isConfigureRead()
+ && resourceType.getResourceConfigurationDefinition() != null;
+ resourceConfiguration.setEnabled(enabled);
+ if (enabled) {
+ resourceConfiguration.addClickHandler(new ClickHandler() {
+ public void onClick(MenuItemClickEvent event) {
+ if (isAutoGroup) {
+ CoreGUI.goToView(LinkManager.getAutoGroupTabLink(group.getId(),
"Configuration", "Current"));
+ } else if (isAutoCluster) {
+ CoreGUI.goToView(LinkManager.getAutoClusterTabLink(group.getId(),
"Configuration", "Current"));
+ } else {
+
CoreGUI.goToView(LinkManager.getResourceGroupTabLink(group.getId(),
"Inventory",
+ "ConnectionSettings"));
}
- });
- // TODO group config editor
- // configEditor.addItem(new
ConfigurationEditor(resourceId, resourceTypeId,
- // ConfigurationEditor.ConfigType.resource));
- configEditor.show();
-
- }
- });
-
editResourceConfiguration.setEnabled(resourceType.getResourceConfigurationDefinition() !=
null);
- addItem(editResourceConfiguration);
+ }
+ });
+ }
+ addItem(resourceConfiguration);
+ // separator
addItem(new MenuItemSeparator());
// Operations Menu
MenuItem operations = new
MenuItem(MSG.view_tree_common_contextMenu_operations());
- Menu opSubMenu = new Menu();
- if (resourceType.getOperationDefinitions() != null) {
+ enabled = (groupComposite.getResourcePermission().isControl() && null !=
resourceType.getOperationDefinitions() && !resourceType
+ .getOperationDefinitions().isEmpty());
+ operations.setEnabled(enabled);
+ if (enabled) {
+ Menu opSubMenu = new Menu();
for (final OperationDefinition operationDefinition :
resourceType.getOperationDefinitions()) {
MenuItem operationItem = new
MenuItem(operationDefinition.getDisplayName());
operationItem.addClickHandler(new ClickHandler() {
public void onClick(MenuItemClickEvent event) {
-
- // TODO Group version
- // ResourceCriteria criteria = new
ResourceCriteria();
- // criteria.addFilterId(selectedResourceId);
- //
- //
GWTServiceLookup.getResourceService().findResourcesByCriteria(criteria,
- // new
AsyncCallback<PageList<Resource>>() {
- // public void onFailure(Throwable
caught) {
- // CoreGUI.getErrorHandler()
- // .handleError("Failed
to get resource to run operation", caught);
- // }
- //
- // public void
onSuccess(PageList<Resource> result) {
- // new
OperationCreateWizard(result.get(0), operationDefinition).startOperationWizard();
- // }
- // });
-
+ // TODO Group version, wizard invoke or tab nav?
}
});
opSubMenu.addItem(operationItem);
}
+ operations.setSubmenu(opSubMenu);
}
- operations.setEnabled(resourceType.getOperationDefinitions() != null
- && !resourceType.getOperationDefinitions().isEmpty());
- operations.setSubmenu(opSubMenu);
addItem(operations);
+ // Metric graph addition menu
addItem(buildMetricsMenu(resourceType));
/* TODO: We don't support group factory create
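Review bot: In the new resource-configuration click handler, the final `else` branch (plain, non-auto groups) navigates to `"Inventory", "ConnectionSettings"`, whereas the autogroup and autocluster branches go to `"Configuration", "Current"`. This looks like a copy of the plugin-configuration handler above it, so the item gated on `isConfigureRead()` opens the connection-settings view for ordinary groups. The branch should read `CoreGUI.goToView(LinkManager.getResourceGroupTabLink(group.getId(), "Configuration", "Current"));`. The enabled/disabled state set here is only a rendering decision, so the views these links open still have to be authorized on the server. buildResourceGroupContextMenu begins above this hunk.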
@@ -227,6 +237,7 @@ public class ResourceGroupContextMenu extends LocatableMenu {
*/
}
+ /*
private void loadManuallyAddServersToPlatforms(final Menu manuallyAddMenu) {
ResourceTypeGWTServiceAsync rts = GWTServiceLookup.getResourceTypeGWTService();
@@ -248,6 +259,7 @@ public class ResourceGroupContextMenu extends LocatableMenu {
}
});
}
+ */
private MenuItem buildMetricsMenu(final ResourceType type) {
MenuItem measurements = new
MenuItem(MSG.view_tree_common_contextMenu_measurements());
@@ -279,7 +291,7 @@ public class ResourceGroupContextMenu extends LocatableMenu {
DashboardPortlet p = new
DashboardPortlet(def.getDisplayName() + " "
+ MSG.view_tree_common_contextMenu_chart(),
GraphPortlet.KEY, 250);
p.getConfiguration().put(
- new
PropertySimple(GraphPortlet.CFG_RESOURCE_GROUP_ID, currentGroup.getId()));
+ new
PropertySimple(GraphPortlet.CFG_RESOURCE_GROUP_ID, group.getId()));
p.getConfiguration().put(
new
PropertySimple(GraphPortlet.CFG_DEFINITION_ID, def.getId()));
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTreeView.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTreeView.java
index de0f1ea..a056ca1 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTreeView.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTreeView.java
@@ -74,6 +74,7 @@ public class ResourceGroupTreeView extends LocatableVLayout implements
Bookmarka
private ViewId currentViewId;
private int rootGroupId;
private int selectedGroupId;
+ private String selectedNodeId;
private ResourceGroupTreeContextMenu contextMenu;
@@ -111,8 +112,9 @@ public class ResourceGroupTreeView extends LocatableVLayout implements
Bookmarka
treeGrid.addSelectionChangedHandler(new SelectionChangedHandler() {
@Override
public void onSelectionChanged(SelectionEvent selectionEvent) {
- if (selectionEvent.getState()) {
+ if (!selectionEvent.isRightButtonDown() &&
selectionEvent.getState()) {
Record selectedNode = selectionEvent.getRecord();
+ selectedNodeId = selectedNode.getAttribute("id");
com.allen_sauer.gwt.log.client.Log.info("Node selected in tree:
" + selectedNode);
ResourceType type = (ResourceType)
selectedNode.getAttributeAsObject("resourceType");
if (type != null) {
@@ -138,9 +140,15 @@ public class ResourceGroupTreeView extends LocatableVLayout
implements Bookmarka
treeGrid.addNodeContextClickHandler(new NodeContextClickHandler() {
public void onNodeContextClick(final NodeContextClickEvent event) {
- event.getNode();
+ // stop the browser right-click menu
event.cancel();
+ // don't select the node on a right click, since we're not
navigating to it
+ treeGrid.deselectRecord(event.getNode());
+ if (null != selectedNodeId) {
+ treeGrid.selectRecord(treeGrid.getTree().findById(selectedNodeId));
+ }
+
contextMenu.showContextMenu(event.getNode());
}
});
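Review bot: The re-selection in onNodeContextClick passes the result of `treeGrid.getTree().findById(selectedNodeId)` straight to `selectRecord` without checking that the node still exists. selectedNodeId is remembered from an earlier left click, so if the tree has been reloaded or the node removed since then, the lookup may return null; how selectRecord treats a null record is not visible here. A guard such as `TreeNode previous = treeGrid.getTree().findById(selectedNodeId); if (previous != null) { treeGrid.selectRecord(previous); }` would keep the right-click path safe.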
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/detail/ResourceTreeView.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/detail/ResourceTreeView.java
index b636b38..9cebc97 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/detail/ResourceTreeView.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/detail/ResourceTreeView.java
@@ -85,6 +85,7 @@ import
org.rhq.enterprise.gui.coregui.client.inventory.resource.factory.Resource
import
org.rhq.enterprise.gui.coregui.client.inventory.resource.factory.ResourceFactoryImportWizard;
import
org.rhq.enterprise.gui.coregui.client.inventory.resource.type.ResourceTypeRepository;
import org.rhq.enterprise.gui.coregui.client.util.message.Message;
+import org.rhq.enterprise.gui.coregui.client.util.selenium.LocatableMenu;
import org.rhq.enterprise.gui.coregui.client.util.selenium.LocatableVLayout;
/**
@@ -136,8 +137,8 @@ public class ResourceTreeView extends LocatableVLayout {
treeGrid.setLeaveScrollbarGap(false);
- resourceContextMenu = new Menu();
- autoGroupContextMenu = new
ResourceGroupContextMenu(extendLocatorId("autoGroupContextMenu"), true);
+ resourceContextMenu = new
LocatableMenu(extendLocatorId("resourceContextMenu"));
+ autoGroupContextMenu = new
ResourceGroupContextMenu(extendLocatorId("autoGroupContextMenu"));
treeGrid.addSelectionChangedHandler(new SelectionChangedHandler() {
public void onSelectionChanged(SelectionEvent selectionEvent) {
@@ -383,35 +384,36 @@ public class ResourceTreeView extends LocatableVLayout {
resourceContextMenu.addItem(new MenuItemSeparator());
// plugin config
- MenuItem editPluginConfiguration = new
MenuItem(MSG.view_tabs_common_connectionSettings());
- editPluginConfiguration.addClickHandler(new ClickHandler() {
+ MenuItem pluginConfiguration = new
MenuItem(MSG.view_tabs_common_connectionSettings());
+ pluginConfiguration.addClickHandler(new ClickHandler() {
public void onClick(MenuItemClickEvent event) {
CoreGUI.goToView(LinkManager.getResourceTabLink(resource.getId(),
"Inventory", "ConnectionSettings"));
}
});
-
editPluginConfiguration.setEnabled(resourceType.getPluginConfigurationDefinition() !=
null);
- resourceContextMenu.addItem(editPluginConfiguration);
+ pluginConfiguration.setEnabled(resourceType.getPluginConfigurationDefinition() !=
null);
+ resourceContextMenu.addItem(pluginConfiguration);
// resource config
- MenuItem editResourceConfiguration = new
MenuItem(MSG.view_tree_common_contextMenu_resourceConfiguration());
+ MenuItem resourceConfiguration = new
MenuItem(MSG.view_tree_common_contextMenu_resourceConfiguration());
boolean enabled = resourcePermission.isConfigureRead()
&& resourceType.getResourceConfigurationDefinition() != null;
- editResourceConfiguration.setEnabled(enabled);
+ resourceConfiguration.setEnabled(enabled);
if (enabled) {
- editResourceConfiguration.addClickHandler(new ClickHandler() {
+ resourceConfiguration.addClickHandler(new ClickHandler() {
public void onClick(MenuItemClickEvent event) {
CoreGUI.goToView(LinkManager.getResourceTabLink(resource.getId(),
"Configuration", "Current"));
}
});
}
- resourceContextMenu.addItem(editResourceConfiguration);
+ resourceContextMenu.addItem(resourceConfiguration);
// separator
resourceContextMenu.addItem(new MenuItemSeparator());
// Operations Menu
MenuItem operations = new
MenuItem(MSG.view_tree_common_contextMenu_operations());
- enabled = (resourcePermission.isControl() &&
!resourceType.getOperationDefinitions().isEmpty());
+ enabled = (resourcePermission.isControl() && null ==
resourceType.getOperationDefinitions() && !resourceType
+ .getOperationDefinitions().isEmpty());
operations.setEnabled(enabled);
if (enabled) {
Menu opSubMenu = new Menu();
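Review bot: The new null guard on the operations item is inverted: `null == resourceType.getOperationDefinitions() && !resourceType.getOperationDefinitions().isEmpty()` can never be true. When the definitions are non-null the first operand is false, so the Operations menu is always disabled. When they are null and the subject has control permission, the second operand dereferences null. The group context menu in this same commit uses the intended form, so this should be `enabled = (resourcePermission.isControl() && null != resourceType.getOperationDefinitions() && !resourceType.getOperationDefinitions().isEmpty());`.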
@@ -419,29 +421,10 @@ public class ResourceTreeView extends LocatableVLayout {
MenuItem operationItem = new
MenuItem(operationDefinition.getDisplayName());
operationItem.addClickHandler(new ClickHandler() {
public void onClick(MenuItemClickEvent event) {
- int resourceId = ((ResourceTreeNode)
treeGrid.getTree().findById(selectedNodeId)).getResource()
- .getId();
-
- ResourceCriteria criteria = new ResourceCriteria();
- criteria.addFilterId(resourceId);
-
-
GWTServiceLookup.getResourceService().findResourcesByCriteria(criteria,
- new AsyncCallback<PageList<Resource>>() {
- public void onFailure(Throwable caught) {
- CoreGUI.getErrorHandler().handleError(
-
MSG.view_tree_common_contextMenu_operations_loadFailed(), caught);
- }
-
- public void onSuccess(PageList<Resource> result) {
- new OperationCreateWizard(result.get(0),
operationDefinition)
- .startOperationWizard();
- }
- });
-
+ new OperationCreateWizard(resource,
operationDefinition).startOperationWizard();
}
});
opSubMenu.addItem(operationItem);
- // todo action
}
operations.setSubmenu(opSubMenu);
}
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
index 1da673c..d7eb82f 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
@@ -18,7 +18,6 @@
*/
package org.rhq.enterprise.server.authz;
-import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
@@ -33,7 +32,6 @@ import javax.persistence.Query;
import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Permission;
import org.rhq.core.domain.authz.Permission.Target;
-import org.rhq.core.domain.resource.Resource;
import org.rhq.core.domain.resource.group.ResourceGroup;
import org.rhq.enterprise.server.RHQConstants;
@@ -69,16 +67,35 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
@SuppressWarnings("unchecked")
public Set<Permission> getExplicitGroupPermissions(Subject subject, int
groupId) {
- Query query =
entityManager.createNamedQuery(Subject.QUERY_GET_PERMISSIONS_BY_GROUP_ID);
- query.setParameter("subject", subject);
- query.setParameter("groupId", groupId);
- List<Permission> intermediate = query.getResultList();
- Set<Permission> results = new HashSet<Permission>();
- for (Permission permission : intermediate) {
- results.add(permission);
+ Set<Permission> result = new HashSet<Permission>();
+
+ ResourceGroup group = entityManager.find(ResourceGroup.class, groupId);
+ Subject owner = group.getSubject();
+
+ if (null == owner) {
+ // role-owned group
+ Query query =
entityManager.createNamedQuery(Subject.QUERY_GET_PERMISSIONS_BY_GROUP_ID);
+ query.setParameter("subject", subject);
+ query.setParameter("groupId", groupId);
+ List<Permission> resultList = query.getResultList();
+ for (Permission permission : resultList) {
+ result.add(permission);
+ }
+
+ } else {
+ // don't let a user other than the owner do anything with this group
+ if (subject.equals(owner)) {
+ Query query =
entityManager.createNamedQuery(Subject.QUERY_GET_PERMISSIONS_BY_PRIVATE_GROUP_ID);
+ query.setParameter("subjectId", subject.getId());
+ query.setParameter("privateGroupId", groupId);
+ List<Object[]> resultList = query.getResultList();
+ for (Object[] row : resultList) {
+ result.add((Permission) row[0]);
+ }
+ }
}
- return results;
+ return result;
}
public Set<Permission> getImplicitGroupPermissions(Subject subject, int
groupId) {
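Review bot: getExplicitGroupPermissions dereferences the result of `entityManager.find(ResourceGroup.class, groupId)` without a null check, so a stale or unknown groupId surfaces as a NullPointerException from `group.getSubject()` rather than as "no permissions". For an authorization lookup it is safer to fail closed explicitly, for example `if (null == group) { return result; }` right after the find. The owner test `subject.equals(owner)` also relies on how Subject implements equals, which is not shown on this page; comparing `subject.getId()` with `owner.getId()` would make the identity check independent of that. A short Javadoc should state that a private (subject-owned) group yields permissions only for its owner.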
@@ -119,6 +136,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return (count != 0);
}
+ @SuppressWarnings("unchecked")
public boolean hasGroupPermission(Subject subject, Permission permission, int
groupId) {
if (isInventoryManager(subject)) {
return true;
@@ -142,14 +160,12 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return false;
}
- // subject-owned group, requires perm check against each group member
- Set<Resource> members = group.getExplicitResources();
- List<Integer> memberIds = new
ArrayList<Integer>(members.size());
- for (Resource member : members) {
- memberIds.add(member.getId());
- }
-
- return hasResourcePermission(owner, permission, memberIds);
+ Query query =
entityManager.createNamedQuery(Subject.QUERY_HAS_PRIVATE_GROUP_PERMISSION);
+ query.setParameter("subjectId", subject.getId());
+ query.setParameter("permission", permission);
+ query.setParameter("privateGroupId", groupId);
+ List<Object[]> resultList = query.getResultList();
+ return (!resultList.isEmpty());
}
}
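Review bot: The private-group branch of hasGroupPermission no longer checks the permission against every member through `hasResourcePermission(owner, permission, memberIds)`; it now relies on `Subject.QUERY_HAS_PRIVATE_GROUP_PERMISSION`, whose definition is not part of this page. Please confirm that the query returns rows only when the subject holds the permission on all members of the group, not on just one of them. Otherwise the change would widen what the owner of a private group is allowed to do. Because only emptiness is tested, `query.setMaxResults(1);` before `getResultList()` would avoid loading every matching row. The method begins above this hunk.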
commit bd452aa44978444ceb728ea14ba166656744f995
Author: Jay Shaughnessy <jshaughn(a)redhat.com>
Date: Mon Dec 20 12:20:32 2010 -0500
Fix longstanding bug where authz to resources could be denied if any of the
resources were available via multiple groups to the user.
diff --git a/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
b/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
index f870539..182b74b 100644
--- a/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
+++ b/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
@@ -153,12 +153,11 @@ import org.rhq.core.domain.resource.group.ResourceGroup;
+ " JOIN r.permissions p " //
+ " JOIN r.subjects s " //
+ " WHERE s.id = :subjectId and p =
:permission ) ) "),
-
@NamedQuery(name = Subject.QUERY_CAN_VIEW_RESOURCE, query = "SELECT COUNT(res)
"
+ "FROM Resource res, IN (res.implicitGroups) g, IN (g.roles) r, IN
(r.subjects) s "
+ "WHERE s = :subject AND res.id = :resourceId"),
- @NamedQuery(name = Subject.QUERY_CAN_VIEW_RESOURCES, query = "SELECT DISTINCT
COUNT(res) "
+ @NamedQuery(name = Subject.QUERY_CAN_VIEW_RESOURCES, query = "SELECT
COUNT(DISTINCT res) "
+ "FROM Resource res, IN (res.implicitGroups) g, IN (g.roles) r, IN
(r.subjects) s "
+ "WHERE s = :subject AND res.id IN (:resourceIds)"),
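Review bot: With `COUNT(DISTINCT res)`, QUERY_CAN_VIEW_RESOURCES returns at most one per viewable resource, so any caller that compares the result with the size of the `:resourceIds` list is only correct when that list has no duplicate ids. The callers are not shown on this page; if they pass a List, a repeated id would make the count smaller than the list size and deny access, which is the kind of false denial this commit sets out to fix. It would be worth de-duplicating the ids before the comparison and recording the contract in a comment, e.g. `// callers must compare against the number of distinct resource ids`.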
@@ -247,6 +246,7 @@ public class Subject implements Serializable {
public static final String QUERY_HAS_RESOURCE_PERMISSION =
"Subject.hasResourcePermission";
public static final String QUERY_HAS_AUTO_GROUP_PERMISSION =
"Subject.hasAutoGroupPermission";
+ /** This query can return more than 1 if the resource is accessible via separate
groups */
public static final String QUERY_CAN_VIEW_RESOURCE =
"Subject.canViewResource";
public static final String QUERY_CAN_VIEW_RESOURCES =
"Subject.canViewResources";
public static final String QUERY_CAN_VIEW_GROUP = "Subject.canViewGroup";
commit 45752848315ab7ddb587566059558ab77523c5f7
Author: Jay Shaughnessy <jshaughn(a)redhat.com>
Date: Fri Dec 17 17:56:12 2010 -0500
Work for autogroup and autocluster context menu rendering, navigation and
authorization.
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LinkManager.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LinkManager.java
index 46b4e41..4855575 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LinkManager.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LinkManager.java
@@ -56,6 +56,24 @@ public class LinkManager {
}
}
+ public static String getAutoGroupTabLink(int autoGroupId, String tabName, String
subTabName) {
+ if (GWT) {
+ return "#Resource/AutoGroup/" + autoGroupId + "/" +
tabName
+ + ((null == subTabName) ? "" : ("/" + subTabName));
+ } else {
+ return "/rhq/group/inventory/view.xhtml?groupId=" + autoGroupId;
+ }
+ }
+
+ public static String getResourceGroupTabLink(int resourceGroupId, String tabName,
String subTabName) {
+ if (GWT) {
+ return "#ResourceGroup/" + resourceGroupId + "/" +
tabName
+ + ((null == subTabName) ? "" : ("/" + subTabName));
+ } else {
+ return "/rhq/group/inventory/view.xhtml?groupId=" +
resourceGroupId;
+ }
+ }
+
public static String getGroupPluginConfigurationUpdateHistoryLink(int groupId) {
return getResourceGroupLink(groupId) +
"/Inventory/ConnectionSettingsHistory";
}
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupContextMenu.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupContextMenu.java
index 972ba73..c6ce934 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupContextMenu.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupContextMenu.java
@@ -45,6 +45,7 @@ import org.rhq.core.domain.resource.ResourceType;
import org.rhq.core.domain.resource.group.ResourceGroup;
import org.rhq.core.domain.util.PageList;
import org.rhq.enterprise.gui.coregui.client.CoreGUI;
+import org.rhq.enterprise.gui.coregui.client.LinkManager;
import
org.rhq.enterprise.gui.coregui.client.dashboard.portlets.inventory.resource.graph.GraphPortlet;
import org.rhq.enterprise.gui.coregui.client.gwt.GWTServiceLookup;
import org.rhq.enterprise.gui.coregui.client.gwt.ResourceTypeGWTServiceAsync;
@@ -57,10 +58,17 @@ import
org.rhq.enterprise.gui.coregui.client.util.selenium.LocatableMenu;
*/
public class ResourceGroupContextMenu extends LocatableMenu {
+ private boolean isAutoGroup = false;
+
public ResourceGroupContextMenu(String locatorId) {
super(locatorId);
}
+ public ResourceGroupContextMenu(String locatorId, boolean isAutoGroup) {
+ super(locatorId);
+ this.isAutoGroup = isAutoGroup;
+ }
+
private ResourceType currentType;
//private ResourceGroup group;
private ResourceGroup currentGroup;
@@ -84,33 +92,28 @@ public class ResourceGroupContextMenu extends LocatableMenu {
showContextMenu();
}
});
-
}
private void buildResourceGroupContextMenu(final ResourceGroup group, final
ResourceType resourceType) {
+ // name
setItems(new MenuItem(group.getName()));
+ // type name
addItem(new MenuItem("Type: " + resourceType.getName()));
+ // separator
+ addItem(new MenuItemSeparator());
+
+ // plugin config
MenuItem editPluginConfiguration = new
MenuItem(MSG.view_tabs_common_connectionSettings());
editPluginConfiguration.addClickHandler(new ClickHandler() {
public void onClick(MenuItemClickEvent event) {
- int groupId = group.getId();
- int resourceTypeId = resourceType.getId();
-
- Window configEditor = new Window();
- // configEditor.setTitle("Edit " +
group.getName() + " plugin configuration");
- configEditor.setWidth(800);
- configEditor.setHeight(800);
- configEditor.setIsModal(true);
- configEditor.setShowModalMask(true);
- configEditor.setCanDragResize(true);
- configEditor.centerInPage();
- // TODO Group config editor
- // configEditor.addItem(new
ConfigurationEditor(resourceId, resourceTypeId,
- // ConfigurationEditor.ConfigType.plugin));
- configEditor.show();
-
+ if (isAutoGroup) {
+ CoreGUI.goToView(LinkManager.getAutoGroupTabLink(group.getId(),
"Inventory", "ConnectionSettings"));
+ } else {
+ CoreGUI.goToView(LinkManager.getResourceGroupTabLink(group.getId(),
"Inventory",
+ "ConnectionSettings"));
+ }
}
});
editPluginConfiguration.setEnabled(resourceType.getPluginConfigurationDefinition() !=
null);
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupDetailView.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupDetailView.java
index 9cd3ded..8c4d6a2 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupDetailView.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupDetailView.java
@@ -280,8 +280,8 @@ public class ResourceGroupDetailView extends
AbstractTwoLevelTabSetView<Resource
private void updateInventoryTab(int groupId, Set<ResourceTypeFacet> facets) {
// Inventory tab is always visible and enabled.
- boolean canModifyMembers = (!isAutoGroup() && !isAutoCluster()
- && globalPermissions.contains(Permission.MANAGE_INVENTORY));
+ boolean canModifyMembers = (!isAutoGroup() && !isAutoCluster() &&
globalPermissions
+ .contains(Permission.MANAGE_INVENTORY));
updateSubTab(this.inventoryTab, this.inventoryMembers, new
MembersView(this.inventoryMembers
.extendLocatorId("View"), groupId, canModifyMembers), true, true);
updateSubTab(this.inventoryTab, this.inventoryConn, new
CurrentGroupPluginConfigurationView(this.inventoryConn
@@ -310,14 +310,15 @@ public class ResourceGroupDetailView extends
AbstractTwoLevelTabSetView<Resource
.extendLocatorId("View"), groupComposite), true, true);
// but alert definitions can only be created on compatible groups
boolean visible = (groupCategory == GroupCategory.COMPATIBLE);
- Canvas canvas = (visible) ? new
GroupAlertDefinitionsView(alertDef.extendLocatorId("View"),
this.groupComposite)
- : null;
+ Canvas canvas = (visible) ? new
GroupAlertDefinitionsView(alertDef.extendLocatorId("View"),
+ this.groupComposite) : null;
updateSubTab(this.alertsTab, this.alertDef, canvas, visible, true);
}
}
private void updateConfigurationTab(int groupId, GroupCategory groupCategory,
Set<ResourceTypeFacet> facets) {
- boolean visible = (groupCategory == GroupCategory.COMPATIBLE &&
facets.contains(ResourceTypeFacet.CONFIGURATION));
+ boolean visible = (groupCategory == GroupCategory.COMPATIBLE && facets
+ .contains(ResourceTypeFacet.CONFIGURATION));
Set<Permission> groupPermissions =
this.groupComposite.getResourcePermission().getPermissions();
if (updateTab(this.configurationTab, visible, visible &&
groupPermissions.contains(Permission.CONFIGURE_READ))) {
//updateSubTab(this.configurationTab, this.configCurrent, new FullHTMLPane(
@@ -331,10 +332,10 @@ public class ResourceGroupDetailView extends
AbstractTwoLevelTabSetView<Resource
}
private void updateEventsTab(ResourceGroupComposite groupComposite, GroupCategory
groupCategory,
- Set<ResourceTypeFacet> facets) {
+ Set<ResourceTypeFacet> facets) {
// allow mixed groups to show events from supporting resources
- boolean visible = (groupCategory == GroupCategory.MIXED
- || (groupCategory == GroupCategory.COMPATIBLE &&
facets.contains(ResourceTypeFacet.EVENT)));
+ boolean visible = (groupCategory == GroupCategory.MIXED || (groupCategory ==
GroupCategory.COMPATIBLE && facets
+ .contains(ResourceTypeFacet.EVENT)));
if (updateTab(this.eventsTab, visible, true)) {
updateSubTab(this.eventsTab, this.eventHistory,
EventCompositeHistoryView.get(this.eventHistory
.extendLocatorId("View"), groupComposite), true, true);
@@ -354,10 +355,10 @@ public class ResourceGroupDetailView extends
AbstractTwoLevelTabSetView<Resource
// for autoclusters and autogroups we need to add more criteria
if (isAutoCluster()) {
- criteria.addFilterVisible(null);
+ criteria.addFilterVisible(false);
} else if (isAutoGroup()) {
- criteria.addFilterVisible(null);
+ criteria.addFilterVisible(false);
criteria.addFilterPrivate(true);
}
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTitleBar.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTitleBar.java
index 3940108..042311b 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTitleBar.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTitleBar.java
@@ -113,9 +113,9 @@ public class ResourceGroupTitleBar extends LocatableVLayout {
criteria.addFilterId(this.group.getId());
// for autoclusters and autogroups we need to add more criteria
if (isAutoCluster) {
- criteria.addFilterVisible(null);
+ criteria.addFilterVisible(false);
} else if (isAutoGroup) {
- criteria.addFilterVisible(null);
+ criteria.addFilterVisible(false);
criteria.addFilterPrivate(true);
}
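Review bot: The criteria set-up for backing groups (`addFilterVisible(false)` for auto-clusters, plus `addFilterPrivate(true)` for auto-groups) is now written out twice in this file, here and in loadTags in the next hunk, and a third time in ResourceGroupDetailView. The server-side getCriteriaAuthzType in this same change set picks the authorization path from exactly these two flags, so a copy that drifts would change which groups and permissions a user gets back. A small private helper, for example `private void applyBackingGroupFilters(ResourceGroupCriteria criteria)`, called from both places in this class would keep them aligned. The enclosing method starts outside the hunk.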
@@ -200,7 +200,13 @@ public class ResourceGroupTitleBar extends LocatableVLayout {
private void loadTags(final TagEditorView tagEditorView) {
ResourceGroupCriteria criteria = new ResourceGroupCriteria();
criteria.addFilterId(group.getId());
- criteria.addFilterVisible(null); // default is only visible groups, null to
support auto-cluster-groups
+ // for autoclusters and autogroups we need to add more criteria
+ if (isAutoCluster) {
+ criteria.addFilterVisible(false);
+ } else if (isAutoGroup) {
+ criteria.addFilterVisible(false);
+ criteria.addFilterPrivate(true);
+ }
criteria.fetchTags(true);
GWTServiceLookup.getResourceGroupService().findResourceGroupsByCriteria(criteria,
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTreeView.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTreeView.java
index 0684946..de0f1ea 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTreeView.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/groups/detail/ResourceGroupTreeView.java
@@ -147,12 +147,12 @@ public class ResourceGroupTreeView extends LocatableVLayout
implements Bookmarka
}
- public void setSelectedGroup(final int groupId) {
+ public void setSelectedGroup(final int groupId, boolean isAutoCluster) {
this.selectedGroupId = groupId;
ResourceGroupCriteria criteria = new ResourceGroupCriteria();
criteria.addFilterId(groupId);
- criteria.addFilterVisible(null);
+ criteria.addFilterVisible(Boolean.valueOf(!isAutoCluster));
criteria.fetchResourceType(true);
GWTServiceLookup.getResourceGroupService().findResourceGroupsByCriteria(criteria,
@@ -422,11 +422,11 @@ public class ResourceGroupTreeView extends LocatableVLayout
implements Bookmarka
currentViewId = viewPath.getNext();
String clusterGroupIdString = currentViewId.getPath();
Integer clusterGroupId = Integer.parseInt(clusterGroupIdString);
- setSelectedGroup(clusterGroupId);
+ setSelectedGroup(clusterGroupId, true);
} else {
String groupIdString = currentViewId.getPath();
int groupId = Integer.parseInt(groupIdString);
- setSelectedGroup(groupId);
+ setSelectedGroup(groupId, false);
}
}
}
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/detail/ResourceTreeView.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/detail/ResourceTreeView.java
index a0d233d..b636b38 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/detail/ResourceTreeView.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/detail/ResourceTreeView.java
@@ -137,7 +137,7 @@ public class ResourceTreeView extends LocatableVLayout {
treeGrid.setLeaveScrollbarGap(false);
resourceContextMenu = new Menu();
- autoGroupContextMenu = new
ResourceGroupContextMenu(extendLocatorId("autoGroupContextMenu"));
+ autoGroupContextMenu = new
ResourceGroupContextMenu(extendLocatorId("autoGroupContextMenu"), true);
treeGrid.addSelectionChangedHandler(new SelectionChangedHandler() {
public void onSelectionChanged(SelectionEvent selectionEvent) {
commit e6bd91db98a6a711979d6d22cb8b221ebe532a9d
Author: Jay Shaughnessy <jshaughn(a)redhat.com>
Date: Fri Dec 17 17:55:17 2010 -0500
Group Authz work to cover role-owned (typical), subject-owned (private,
like an auto-group backing group), and auto-cluster backing groups
(role-owned, but by the root clusterResourceGroup (i.e. the recursive
compatible resource group)).
This includes work in AuthorizationManager and ResourceGroupManager. It depends on
pending work in CriteriaQueryGenerator.
diff --git a/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
b/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
index e2447cd..f870539 100644
--- a/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
+++ b/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
@@ -63,14 +63,17 @@ import org.rhq.core.domain.resource.group.ResourceGroup;
+ " WHERE s.id IN ( :ids ) " //
+ " AND s.fsystem = FALSE " //
+ " AND s.factive = TRUE"),
+
@NamedQuery(name = Subject.QUERY_FIND_ALL, query = "" //
+ "SELECT s " //
+ " FROM Subject s " //
+ " WHERE s.fsystem = false"),
+
@NamedQuery(name = Subject.QUERY_FIND_BY_NAME, query = "" //
+ "SELECT s " //
+ " FROM Subject s " //
+ " WHERE s.name = :name"),
+
@NamedQuery(name = Subject.QUERY_GET_SUBJECTS_ASSIGNED_TO_ROLE, query = ""
//
+ "SELECT s " //
+ " FROM Subject s " //
@@ -94,18 +97,41 @@ import org.rhq.core.domain.resource.group.ResourceGroup;
+ "FROM Role r JOIN r.subjects s JOIN r.permissions p "
+ "WHERE "
+ " ("
- + " r in (SELECT r2 from ResourceGroup g JOIN g.roles r2 WHERE g.id =
:groupId) "
+ + " r in (SELECT r2 from ResourceGroup g JOIN g.roles r2 WHERE g.id =
:groupId) "
+ " OR r in (SELECT r3 from ResourceGroup g JOIN g.clusterResourceGroup
crg JOIN crg.roles r3 WHERE g.id = :groupId AND crg.recursive = true) "
+ " ) " + " AND s = :subject"),
+ @NamedQuery(name = Subject.QUERY_GET_PERMISSIONS_BY_PRIVATE_GROUP_ID, query =
"" //
+ + "SELECT p, count(distinct res.id) " //
+ + " FROM ResourceGroup rg, IN (rg.explicitResources) res, IN
(res.implicitGroups) g, IN (g.roles) r, IN (r.permissions) p " //
+ + " WHERE rg.id = :privateGroupId " //
+ + " AND rg.subject.id = :subjectId " //
+ + " GROUP BY p " //
+ + " HAVING count(distinct res.id) = " //
+ + " ( SELECT count(*) " //
+ + " FROM ResourceGroup g2 JOIN g2.explicitResources res2 "
//
+ + " WHERE g2.id = :privateGroupId )"),
+
@NamedQuery(name = Subject.QUERY_HAS_GROUP_PERMISSION, query = "SELECT count(r)
"
+ "FROM Role r JOIN r.subjects s JOIN r.permissions p "
+ "WHERE "
+ " ("
- + " r in (SELECT r2 from ResourceGroup g JOIN g.roles r2 WHERE g.id =
:groupId) "
+ + " r in (SELECT r2 from ResourceGroup g JOIN g.roles r2 WHERE g.id =
:groupId) "
+ " OR r in (SELECT r3 from ResourceGroup g JOIN g.clusterResourceGroup
crg JOIN crg.roles r3 WHERE g.id = :groupId AND crg.recursive = true) "
+ " ) " + " AND s = :subject " + " AND p =
:permission"),
+ @NamedQuery(name = Subject.QUERY_HAS_PRIVATE_GROUP_PERMISSION, query = ""
//
+ + "SELECT p, count(distinct res.id) " //
+ + " FROM ResourceGroup rg, IN (rg.explicitResources) res, IN
(res.implicitGroups) g, IN (g.roles) r, IN (r.permissions) p " //
+ + " WHERE rg.id = :privateGroupId " //
+ + " AND rg.subject.id = :subjectId " //
+ + " AND p = :permission " //
+ + " GROUP BY p " //
+ + " HAVING count(distinct res.id) = " //
+ + " ( SELECT count(*) " //
+ + " FROM ResourceGroup g2 JOIN g2.explicitResources res2 "
//
+ + " WHERE g2.id = :privateGroupId )"),
+
@NamedQuery(name = Subject.QUERY_GET_PERMISSIONS_BY_RESOURCE_ID, query = "SELECT
distinct p "
+ "FROM Resource res, IN (res.implicitGroups) g, IN (g.roles) r, IN
(r.subjects) s, IN (r.permissions) p "
+ "WHERE s = :subject AND res.id = :resourceId"),
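Review bot: QUERY_GET_PERMISSIONS_BY_PRIVATE_GROUP_ID and QUERY_HAS_PRIVATE_GROUP_PERMISSION walk `res.implicitGroups`, `g.roles` and `r.permissions` without joining `r.subjects`, so as written they count permissions granted by any role attached to the member resources, not only roles the subject belongs to. The `rg.subject.id = :subjectId` condition only establishes that the subject owns the private group. The neighbouring QUERY_GET_PERMISSIONS_BY_RESOURCE_ID restricts with `IN (r.subjects) s` and `s = :subject`; the same restriction looks necessary here, for example adding `IN (r.subjects) s` to the FROM list and `AND s.id = :subjectId` to the WHERE clause of both queries. The annotation list starts and ends outside this hunk, so confirm against the full file.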
@@ -114,6 +140,7 @@ import org.rhq.core.domain.resource.group.ResourceGroup;
+ "FROM Resource res, IN (res.implicitGroups) g, IN (g.roles) r, IN
(r.subjects) s, IN (r.permissions) p "
+ "WHERE s = :subject AND res.id = :resourceId AND p = :permission"),
+ //@Deprecated
@NamedQuery(name = Subject.QUERY_HAS_AUTO_GROUP_PERMISSION, query = "" //
+ "SELECT COUNT(res.id) " //
+ " FROM Resource res " //
@@ -138,19 +165,20 @@ import org.rhq.core.domain.resource.group.ResourceGroup;
@NamedQuery(name = Subject.QUERY_CAN_VIEW_GROUP, query = "" //
+ "SELECT count(g) " //
+ " FROM ResourceGroup g " //
- + " WHERE (g.id IN (SELECT rg.id " //
- + " FROM ResourceGroup rg " //
- + " JOIN rg.roles r " //
- + " JOIN r.subjects s " //
- + " WHERE s = :subject) " //
- + " OR g.id IN (SELECT rg.id " //
- + " FROM ResourceGroup rg " //
- + " JOIN rg.clusterResourceGroup crg " //
- + " JOIN crg.roles r " //
- + " JOIN r.subjects s " //
- + " WHERE crg.recursive = true AND s = :subject)) " //
- + " AND g.id = :groupId"),
-
+ + " WHERE g.id = :groupId " //
+ + " AND ( g.subject = :subject " // private group case (autogroup
backing group)
+ + " OR g.id IN (SELECT rg.id " // role-associated group case
+ + " FROM ResourceGroup rg " //
+ + " JOIN rg.roles r " //
+ + " JOIN r.subjects s " //
+ + " WHERE s = :subject) " //
+ + " OR g.id IN (SELECT rg.id " // autocluster backing group
case
+ + " FROM ResourceGroup rg " //
+ + " JOIN rg.clusterResourceGroup crg " //
+ + " JOIN crg.roles r " //
+ + " JOIN r.subjects s " //
+ + " WHERE crg.recursive = true AND s =
:subject))"),
+ // @Deprecated
@NamedQuery(name = Subject.QUERY_CAN_VIEW_AUTO_GROUP, query = "" //
+ "SELECT COUNT(res.id) " //
+ " FROM Resource res " //
@@ -209,10 +237,13 @@ public class Subject implements Serializable {
public static final String QUERY_GET_GLOBAL_PERMISSIONS =
"Subject.getGlobalPermissions";
public static final String QUERY_GET_PERMISSIONS_BY_GROUP_ID =
"Subject.getPermissionsByGroup";
+ public static final String QUERY_GET_PERMISSIONS_BY_PRIVATE_GROUP_ID =
"Subject.getPermissionsByPrivateGroup";
public static final String QUERY_GET_PERMISSIONS_BY_RESOURCE_ID =
"Subject.getPermissionsByResource";
+ public static final String QUERY_ROLES_BY_RESOURCE_IDS =
"Subject.getRolesByResources";
public static final String QUERY_HAS_GLOBAL_PERMISSION =
"Subject.hasGlobalPermission";
public static final String QUERY_HAS_GROUP_PERMISSION =
"Subject.hasGroupPermission";
+ public static final String QUERY_HAS_PRIVATE_GROUP_PERMISSION =
"Subject.hasPrivateGroupPermission";
public static final String QUERY_HAS_RESOURCE_PERMISSION =
"Subject.hasResourcePermission";
public static final String QUERY_HAS_AUTO_GROUP_PERMISSION =
"Subject.hasAutoGroupPermission";
diff --git
a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/ResourceGroupCriteria.java
b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/ResourceGroupCriteria.java
index 09eccfc..6f99a24 100644
---
a/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/ResourceGroupCriteria.java
+++
b/modules/core/domain/src/main/java/org/rhq/core/domain/criteria/ResourceGroupCriteria.java
@@ -220,10 +220,20 @@ public class ResourceGroupCriteria extends TaggedCriteria {
return (Boolean.TRUE.equals(this.filterPrivate));
}
+ /**
+ * @param filterVisible not null. A single fetch may be for visible or invisible
groups, but not both.
+ */
public void addFilterVisible(Boolean filterVisible) {
+ if (null == filterVisible) {
+ throw new IllegalArgumentException("A single fetch may be for visible or
invisible groups, but not both.");
+ }
this.filterVisible = filterVisible;
}
+ public boolean isFilterVisible() {
+ return (Boolean.TRUE.equals(this.filterVisible));
+ }
+
public void addFilterIds(Integer... filterIds) {
this.filterIds = CriteriaUtils.getListIgnoringNulls(filterIds);
}
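Review bot: The new `isFilterVisible()` returns false both when the filter is explicitly FALSE and when the field is unset, and it has no Javadoc saying so. ResourceGroupManagerBean.getCriteriaAuthzType in this same commit maps `!criteria.isFilterVisible()` to AUTO_CLUSTER, so an unset value would silently select that authorization path; whether the field can be null depends on its initial value, which is outside this hunk. I would document it, for example `/** @return true only if the visible filter is explicitly TRUE; an unset filter also yields false */`, and add `@throws IllegalArgumentException if filterVisible is null` to the Javadoc of addFilterVisible.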
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/resource/group/ResourceGroupManagerBean.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/resource/group/ResourceGroupManagerBean.java
index 3208c7e..a6c26e2 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/resource/group/ResourceGroupManagerBean.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/resource/group/ResourceGroupManagerBean.java
@@ -27,6 +27,7 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
+import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@@ -1003,82 +1004,6 @@ public class ResourceGroupManagerBean implements
ResourceGroupManagerLocal, Reso
return (int) count;
}
- /**
- * This method adheres to all of the regular semantics of {@link Criteria}-based
queries. In other words,
- * all of the methods on the {@link Criteria} object - including paging, sorting,
filtering, fetching - will
- * work with this method. The only thing that differs is the ResultSet which,
instead of being a collection
- * of {@link ResourceGroup} objects is a collection of {@link ResourceGroupComposite}
objects.
- *
- * The extended data in the composite object, however, is treated differently:
- *
- * 1) It is always fetched
- * 2) It can not be a candidate for filtering
- * 3) It must be sorted by using the zero-based positional ordinal within the
projection
- *
- * This method offers 4 new aggregates that you can sort on. The
- *
- * explicitCount (ordinal 0) - the count of the number of children in the group
- * explicitAvail (ordinal 1) - decimal percentage representing the number of UP
children relative to the total
- * number of children in the group
- * implicitCount (ordinal 2) - the count of the number of descendents in the group
- * implicitAvail (ordinal 3) - decimal percentage representing the number of UP
descendents relative to the total
- * number of descendents in the group
- */
- public PageList<ResourceGroupComposite>
findResourceGroupCompositesByCriteria(Subject subject,
- ResourceGroupCriteria criteria) {
-
- Set<Permission> userGlobalPermissions =
authorizationManager.getExplicitGlobalPermissions(subject);
-
- String compositeProjection;
- if (userGlobalPermissions.contains(Permission.MANAGE_INVENTORY)) {
- compositeProjection = ""
- + " new
org.rhq.core.domain.resource.group.composite.ResourceGroupComposite( "
- + " ( SELECT COUNT(avail) FROM %alias%.explicitResources res JOIN
res.currentAvailability avail ) AS explicitCount," // explicit member count
- + " ( SELECT AVG(avail.availabilityType) FROM
%alias%.explicitResources res JOIN res.currentAvailability avail ) AS explicitAvail,"
// explicit member availability
- + " ( SELECT COUNT(avail) FROM %alias%.implicitResources res JOIN
res.currentAvailability avail ) AS implicitCount," // implicit member count
- + " ( SELECT AVG(avail.availabilityType) FROM
%alias%.implicitResources res JOIN res.currentAvailability avail ) AS implicitAvail,"
// implicit member availability
- + " %alias% ) "; // ResourceGroup
- } else {
- compositeProjection = ""
- + " new
org.rhq.core.domain.resource.group.composite.ResourceGroupComposite( "
- + " ( SELECT COUNT(avail) FROM %alias%.explicitResources res JOIN
res.currentAvailability avail ) AS explicitCount," // explicit member count
- + " ( SELECT AVG(avail.availabilityType) FROM
%alias%.explicitResources res JOIN res.currentAvailability avail ) AS explicitAvail,"
// explicit member availability
- + " ( SELECT COUNT(avail) FROM %alias%.implicitResources res JOIN
res.currentAvailability avail ) AS implicitCount," // implicit member count
- + " ( SELECT AVG(avail.availabilityType) FROM
%alias%.implicitResources res JOIN res.currentAvailability avail ) AS implicitAvail,"
// implicit member availability
- + " %alias%, " // ResourceGroup
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 8 ), " // MANAGE_MEASUREMENTS
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 4 ), " // MODIFY_RESOURCE
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 10 ), " // CONTROL
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 7 ), " // MANAGE_ALERTS
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 14 ), " // MANAGE_EVENTS
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 13 ), " // CONFIGURE_READ
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 11 ), " // CONFIGURE_WRITE
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 9 ), " // MANAGE_CONTENT
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 6 ), " // CREATE_CHILD_RESOURCES
- + " ( SELECT count(p) FROM %alias%.roles r JOIN r.subjects s JOIN
r.permissions p WHERE s.id = %subjectId% AND p = 5 ))"; // DELETE_RESOURCES
- compositeProjection = compositeProjection.replace("%subjectId%",
String.valueOf(subject.getId()));
- }
- compositeProjection = compositeProjection.replace("%alias%",
criteria.getAlias());
-
- CriteriaQueryGenerator generator = getCriteriaQueryGenerator(subject, criteria,
userGlobalPermissions);
- generator.alterProjection(compositeProjection);
-
- CriteriaQueryRunner<ResourceGroupComposite> queryRunner = new
CriteriaQueryRunner<ResourceGroupComposite>(
- criteria, generator, entityManager, false); // don't auto-init bags,
we're returning composites not entities
- PageList<ResourceGroupComposite> results = queryRunner.execute();
-
- for (ResourceGroupComposite composite : results) {
- ResourceGroup group = composite.getResourceGroup();
- ResourceType type = group.getResourceType();
- ResourceFacets facets = (type != null) ?
resourceTypeManager.getResourceFacets(type.getId())
- : ResourceFacets.NONE;
-
- queryRunner.initFetchFields(group); // manual field fetch for
composite-wrapped entity
- composite.setResourceFacets(facets);
- }
- return results;
- }
-
// note, resourceId and groupId can both be NULL, and so must use the numeric wrapper
classes
public PageList<ResourceGroupComposite> findResourceGroupComposites(Subject
subject, GroupCategory groupCategory,
ResourceCategory resourceCategory, String resourceTypeName, String pluginName,
String nameFilter,
@@ -1503,32 +1428,151 @@ public class ResourceGroupManagerBean implements
ResourceGroupManagerLocal, Reso
@SuppressWarnings("unchecked")
public PageList<ResourceGroup> findResourceGroupsByCriteria(Subject subject,
ResourceGroupCriteria criteria) {
- Set<Permission> globalUserPerms =
authorizationManager.getExplicitGlobalPermissions(subject);
- CriteriaQueryGenerator generator = getCriteriaQueryGenerator(subject, criteria,
globalUserPerms);
+ CriteriaAuthzType authzType = getCriteriaAuthzType(subject, criteria);
+
+ CriteriaQueryGenerator generator = getCriteriaQueryGenerator(subject, criteria,
authzType);
CriteriaQueryRunner<ResourceGroup> queryRunner = new
CriteriaQueryRunner(criteria, generator, entityManager);
+
PageList<ResourceGroup> result = queryRunner.execute();
+
return result;
}
- private CriteriaQueryGenerator getCriteriaQueryGenerator(Subject subject,
ResourceGroupCriteria criteria,
- Set<Permission> globalUserPerms) {
+ /**
+ * This method adheres to all of the regular semantics of {@link Criteria}-based
queries. In other words,
+ * all of the methods on the {@link Criteria} object - including paging, sorting,
filtering, fetching - will
+ * work with this method. The only thing that differs is the ResultSet which,
instead of being a collection
+ * of {@link ResourceGroup} objects is a collection of {@link ResourceGroupComposite}
objects.
+ *
+ * The extended data in the composite object, however, is treated differently:
+ *
+ * 1) It is always fetched
+ * 2) It can not be a candidate for filtering
+ * 3) It must be sorted by using the zero-based positional ordinal within the
projection
+ *
+ * This method offers 4 new aggregates that you can sort on. The
+ *
+ * explicitCount (ordinal 0) - the count of the number of children in the group
+ * explicitAvail (ordinal 1) - decimal percentage representing the number of UP
children relative to the total
+ * number of children in the group
+ * implicitCount (ordinal 2) - the count of the number of descendents in the group
+ * implicitAvail (ordinal 3) - decimal percentage representing the number of UP
descendents relative to the total
+ * number of descendents in the group
+ */
+ public PageList<ResourceGroupComposite>
findResourceGroupCompositesByCriteria(Subject subject,
+ ResourceGroupCriteria criteria) {
+
+ CriteriaAuthzType authzType = getCriteriaAuthzType(subject, criteria);
+
+ String compositeProjection = null;
+ switch (authzType) {
+ case NONE:
+ case SUBJECT_OWNED:
+ compositeProjection = ""
+ + " new
org.rhq.core.domain.resource.group.composite.ResourceGroupComposite( "
+ + " ( SELECT COUNT(avail) FROM %alias%.explicitResources res JOIN
res.currentAvailability avail ) AS explicitCount," // explicit member count
+ + " ( SELECT AVG(avail.availabilityType) FROM
%alias%.explicitResources res JOIN res.currentAvailability avail ) AS explicitAvail,"
// explicit member availability
+ + " ( SELECT COUNT(avail) FROM %alias%.implicitResources res JOIN
res.currentAvailability avail ) AS implicitCount," // implicit member count
+ + " ( SELECT AVG(avail.availabilityType) FROM
%alias%.implicitResources res JOIN res.currentAvailability avail ) AS implicitAvail,"
// implicit member availability
+ + " %alias% ) "; // ResourceGroup
+ break;
+ case ROLE_OWNED:
+ case AUTO_CLUSTER:
+ compositeProjection = ""
+ + " new
org.rhq.core.domain.resource.group.composite.ResourceGroupComposite( "
+ + " ( SELECT COUNT(avail) FROM %alias%.explicitResources res JOIN
res.currentAvailability avail ) AS explicitCount," // explicit member count
+ + " ( SELECT AVG(avail.availabilityType) FROM
%alias%.explicitResources res JOIN res.currentAvailability avail ) AS explicitAvail,"
// explicit member availability
+ + " ( SELECT COUNT(avail) FROM %alias%.implicitResources res JOIN
res.currentAvailability avail ) AS implicitCount," // implicit member count
+ + " ( SELECT AVG(avail.availabilityType) FROM
%alias%.implicitResources res JOIN res.currentAvailability avail ) AS implicitAvail,"
// implicit member availability
+ + " %alias%, " // ResourceGroup
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 8 ), " // MANAGE_MEASUREMENTS
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 4 ), " // MODIFY_RESOURCE
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 10 ), " // CONTROL
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 7 ), " // MANAGE_ALERTS
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 14 ), " // MANAGE_EVENTS
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 13 ), " // CONFIGURE_READ
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 11 ), " // CONFIGURE_WRITE
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 9 ), " // MANAGE_CONTENT
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 6 ), " //
CREATE_CHILD_RESOURCES
+ + " ( SELECT count(p) FROM %permAlias%.roles r JOIN r.subjects s
JOIN r.permissions p WHERE s.id = %subjectId% AND p = 5 ))"; // DELETE_RESOURCES
+ compositeProjection = compositeProjection.replace("%subjectId%",
String.valueOf(subject.getId()));
+ break;
+ default:
+ throw new IllegalStateException("Unexpected CriteriaAuthzType: " +
authzType);
+ }
+
+ String alias = criteria.getAlias();
+ compositeProjection = compositeProjection.replace("%alias%", alias);
+ String permAlias = alias + ((authzType == CriteriaAuthzType.AUTO_CLUSTER) ?
".clusterResourceGroup" : "");
+ compositeProjection = compositeProjection.replace("%permAlias%",
permAlias);
+
+ CriteriaQueryGenerator generator = getCriteriaQueryGenerator(subject, criteria,
authzType);
+ generator.alterProjection(compositeProjection);
+
+ CriteriaQueryRunner<ResourceGroupComposite> queryRunner = new
CriteriaQueryRunner<ResourceGroupComposite>(
+ criteria, generator, entityManager, false); // don't auto-init bags,
we're returning composites not entities
+ PageList<ResourceGroupComposite> results = queryRunner.execute();
+
+ results = getAuthorizedGroupComposites(subject, authzType, results);
+
+ for (ResourceGroupComposite composite : results) {
+ ResourceGroup group = composite.getResourceGroup();
+ ResourceType type = group.getResourceType();
+ ResourceFacets facets = (type != null) ?
resourceTypeManager.getResourceFacets(type.getId())
+ : ResourceFacets.NONE;
+
+ queryRunner.initFetchFields(group); // manual field fetch for
composite-wrapped entity
+ composite.setResourceFacets(facets);
+ }
+ return results;
+ }
+
+ private enum CriteriaAuthzType {
+ // inv manager / no auth required
+ NONE,
+ // standard role-subject-group auth
+ ROLE_OWNED,
+ // private group auth
+ SUBJECT_OWNED,
+ // auto cluster backing group
+ AUTO_CLUSTER
+ }
+
+ private CriteriaAuthzType getCriteriaAuthzType(Subject subject, ResourceGroupCriteria
criteria) {
+ Set<Permission> globalUserPerms =
authorizationManager.getExplicitGlobalPermissions(subject);
+
if (criteria.isSecurityManagerRequired() &&
!globalUserPerms.contains(Permission.MANAGE_SECURITY)) {
throw new PermissionException("Subject [" + subject.getName()
+ "] requires SecurityManager permission for requested query
criteria.");
}
boolean isInventoryManager =
globalUserPerms.contains(Permission.MANAGE_INVENTORY);
- boolean groupAuthzRequired = (!(criteria.isFilterPrivate() ||
isInventoryManager));
if (criteria.isInventoryManagerRequired() && !isInventoryManager) {
throw new PermissionException("Subject [" + subject.getName()
+ "] requires InventoryManager permission for requested query
criteria.");
}
- // if we're searching for private groups set the subject filter to the
current user's subjectId
+ CriteriaAuthzType result = CriteriaAuthzType.ROLE_OWNED;
+
+ if (isInventoryManager) {
+ result = CriteriaAuthzType.NONE;
+ } else if (criteria.isFilterPrivate()) {
+ result = CriteriaAuthzType.SUBJECT_OWNED;
+ } else if (!criteria.isFilterVisible()) {
+ result = CriteriaAuthzType.AUTO_CLUSTER;
+ }
+
+ return result;
+ }
+
+ private CriteriaQueryGenerator getCriteriaQueryGenerator(Subject subject,
ResourceGroupCriteria criteria,
+ CriteriaAuthzType authzType) {
+
+ // if we're searching for private groups set the subject filter to the
current user's subjectId.
// setting it here prevents the caller from spoofing a different user. This is
why the subject and
- // private filters are different. The suject filter can specifiy any use and
therefore requires
+ // private filters are different. The subject filter can specify any user and
therefore requires
// inventory manager.
if (criteria.isFilterPrivate()) {
criteria.addFilterPrivate(null);
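Review bot: getCriteriaAuthzType is now the single place that decides which authorization path a group query takes, yet it has no Javadoc and its precedence is only implicit in the if/else chain. I would add a short comment such as `// precedence: inventory manager -> NONE, private filter -> SUBJECT_OWNED, visible filter false -> AUTO_CLUSTER, otherwise ROLE_OWNED` together with a `@throws PermissionException` line for the two global-permission checks. The classification is driven by caller-supplied criteria flags, so any non-private query with the visible filter false is treated as AUTO_CLUSTER and its permission counts are read through `%alias%.clusterResourceGroup.roles`; the comment should say whether that is intended for invisible groups that are not auto-cluster backing groups. This hunk ends inside getCriteriaQueryGenerator.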
@@ -1536,7 +1580,7 @@ public class ResourceGroupManagerBean implements
ResourceGroupManagerLocal, Reso
}
CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject,
criteria);
- if (groupAuthzRequired) {
+ if (authzType != CriteriaAuthzType.NONE) {
generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.GROUP,
null,
subject.getId());
}
@@ -1544,6 +1588,41 @@ public class ResourceGroupManagerBean implements
ResourceGroupManagerLocal, Reso
return generator;
}
+ private PageList<ResourceGroupComposite> getAuthorizedGroupComposites(Subject
subject, CriteriaAuthzType authzType,
+ PageList<ResourceGroupComposite> groupComposites) {
+
+ switch (authzType) {
+ case NONE:
+ // leave resourcePermissions unset on the assumption that it will not be
checked for inv managers
+ break;
+ case ROLE_OWNED:
+ // the permissions are already set by the query projection
+ break;
+ case AUTO_CLUSTER:
+ // the permissions are already set by the query projection
+ break;
+ case SUBJECT_OWNED:
+ Iterator<ResourceGroupComposite> iterator =
groupComposites.iterator();
+ while (iterator.hasNext()) {
+ ResourceGroupComposite groupComposite = iterator.next();
+ ResourceGroup group = groupComposite.getResourceGroup();
+ Subject groupOwner = group.getSubject();
+ if (null != groupOwner) {
+ // private group, we need to set the group resource permissions since
we couldn't do it in
+ // the projection.
+ groupComposite.setResourcePermission(new
ResourcePermission(authorizationManager
+ .getExplicitGroupPermissions(groupOwner, group.getId())));
+ } else {
+ throw new IllegalStateException("Unexpected group, not subject
owned: " + groupComposite);
+ }
+ }
+ break;
+ default:
+ throw new IllegalStateException("Unexpected CriteriaAuthzType: " +
authzType);
+ }
+ return groupComposites;
+ }
+
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
@RequiredPermission(Permission.MANAGE_INVENTORY)
public void uninventoryMembers(Subject subject, int groupId) {
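Review bot: In the SUBJECT_OWNED branch of getAuthorizedGroupComposites the permissions are computed for `groupOwner`, not for the calling `subject`, and nothing in the method checks that the two are the same user. It relies on the subject filter that getCriteriaQueryGenerator forces for private queries, part of which is outside the visible hunks. A local check makes the method safe on its own, for example `if (null != groupOwner && groupOwner.getId() == subject.getId()) {`, with the existing IllegalStateException covering the mismatch. Each composite also triggers its own getExplicitGroupPermissions call, which may be worth noting in a comment for large result pages.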