modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
| 20
modules/core/domain/src/main/java/org/rhq/core/domain/authz/Permission.java
| 35
modules/core/domain/src/main/java/org/rhq/core/domain/bundle/Bundle.java
| 3
modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/PermissionsEditor.java
| 6
modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages.properties
| 1
modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_cs.properties
| 1
modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_de.properties
| 1
modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ja.properties
| 1
modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ko.properties
| 1
modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_pt.properties
| 1
modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ru.properties
| 1
modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_zh.properties
| 1
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
| 52 +
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerLocal.java
| 25
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
| 423 ++++++++--
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerRemote.java
| 20
modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
| 45 -
17 files changed, 524 insertions(+), 113 deletions(-)
New commits:
commit b36674c735aea47d668f840e4cd53560de3e80d8
Author: Jay Shaughnessy <jshaughn(a)redhat.com>
Date: Mon Jul 29 17:22:29 2013 -0400
In progress: working through the bundle remote API and adding fine-grained authz...
diff --git a/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
b/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
index 27ac704..5f86d8e 100644
--- a/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
+++ b/modules/core/domain/src/main/java/org/rhq/core/domain/auth/Subject.java
@@ -58,7 +58,7 @@ import org.rhq.core.domain.resource.group.ResourceGroup;
* @author Greg Hinkle
*/
@Entity
-@NamedQueries( {
+@NamedQueries({
@NamedQuery(name = Subject.QUERY_GET_SUBJECTS_ASSIGNED_TO_ROLE, query = ""
//
+ "SELECT s " //
@@ -139,6 +139,16 @@ import org.rhq.core.domain.resource.group.ResourceGroup;
+ " JOIN r.permissions p " //
+ " JOIN r.subjects s " //
+ " WHERE s.id = :subjectId and p =
:permission ) ) "),
+
+ @NamedQuery(name = Subject.QUERY_HAS_BUNDLE_PERMISSION, query = "SELECT COUNT(b)
"
+ + "FROM Bundle b, IN (b.bundleGroups) bg, IN (bg.roles) r, IN (r.subjects)
s, IN (r.permissions) p "
+ + "WHERE s = :subject AND b.id = :bundleId AND p = :permission"),
+
+ @NamedQuery(name = Subject.QUERY_HAS_BUNDLE_GROUP_PERMISSION, query = "SELECT
count(r) "
+ + "FROM Role r JOIN r.subjects s JOIN r.permissions p "
+ + "WHERE r in (SELECT r2 from BundleGroup bg JOIN bg.roles r2 WHERE bg.id =
:bundleGroupId) "
+ + " AND s = :subject " + " AND p = :permission"),
+
@NamedQuery(name = Subject.QUERY_CAN_VIEW_RESOURCE, query = "SELECT COUNT(res)
"
+ "FROM Resource res, IN (res.implicitGroups) g, IN (g.roles) r, IN
(r.subjects) s "
+ "WHERE s = :subject AND res.id = :resourceId"),
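Review bot: The new `Subject.QUERY_HAS_BUNDLE_GROUP_PERMISSION` is written in a different style from the `QUERY_HAS_BUNDLE_PERMISSION` added directly above it and from the neighbouring `QUERY_CAN_VIEW_RESOURCE`: it uses explicit `JOIN`s plus an `IN (subselect)` where the others use the `IN (collection)` member form, and `" AND s = :subject " + " AND p = :permission"` concatenates two adjacent literals for no reason. A single literal such as `+ "WHERE r in (SELECT r2 from BundleGroup bg JOIN bg.roles r2 WHERE bg.id = :bundleGroupId) AND s = :subject AND p = :permission"` reads like its siblings. Both queries only count role paths that explicitly carry the permission; whether a global `MANAGE_BUNDLE` should short-circuit them is for the caller in AuthorizationManagerBean, not the query, but that caller currently does not.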
@@ -228,6 +238,8 @@ public class Subject implements Serializable {
public static final String QUERY_HAS_PRIVATE_GROUP_PERMISSION =
"Subject.hasPrivateGroupPermission";
public static final String QUERY_HAS_RESOURCE_PERMISSION =
"Subject.hasResourcePermission";
public static final String QUERY_HAS_AUTO_GROUP_PERMISSION =
"Subject.hasAutoGroupPermission";
+ public static final String QUERY_HAS_BUNDLE_PERMISSION =
"Subject.hasBundlePermission";
+ public static final String QUERY_HAS_BUNDLE_GROUP_PERMISSION =
"Subject.hasBundleGroupPermission";
/** This query can return more than 1 if the resource is accessible via separate
groups */
public static final String QUERY_CAN_VIEW_RESOURCE =
"Subject.canViewResource";
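Review bot: The two new constants lack the explanatory comment that `QUERY_CAN_VIEW_RESOURCE` carries on the next line, and the same caveat applies to them: the bundle query walks Bundle → bundleGroups → roles → subjects, so it returns more than 1 when the bundle is reachable through several groups or roles, and the bundle-group query counts roles, not groups. Suggest `/** These queries count matching role paths and can return more than 1; callers test for non-zero. */` above `QUERY_HAS_BUNDLE_PERMISSION`.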
@@ -314,7 +326,8 @@ public class Subject implements Serializable {
init();
}
- public Subject(@NotNull String name, boolean factive, boolean fsystem) {
+ public Subject(@NotNull
+ String name, boolean factive, boolean fsystem) {
init();
this.name = name;
this.factive = factive;
@@ -353,7 +366,8 @@ public class Subject implements Serializable {
return this.name;
}
- public void setName(@NotNull String name) {
+ public void setName(@NotNull
+ String name) {
this.name = name;
}
diff --git a/modules/core/domain/src/main/java/org/rhq/core/domain/authz/Permission.java
b/modules/core/domain/src/main/java/org/rhq/core/domain/authz/Permission.java
index 4ca733c..77f66fc 100644
--- a/modules/core/domain/src/main/java/org/rhq/core/domain/authz/Permission.java
+++ b/modules/core/domain/src/main/java/org/rhq/core/domain/authz/Permission.java
@@ -104,10 +104,8 @@ public enum Permission {
CONFIGURE_WRITE(Target.RESOURCE), // 11
/**
- * can C/U/D provisioning bundles
+ * can perform any bundle action, assigns all other bundle permissions
*/
- // NOTE: This is a GLOBAL permission, but is defined down here so as to maintain the
ordinal indexes of the other
- // pre-existing permissions.
MANAGE_BUNDLE(Target.GLOBAL), // 12
/**
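Review bot: Dropping the `NOTE: This is a GLOBAL permission, but is defined down here so as to maintain the ordinal indexes` comment here (and the two like it in the `MANAGE_REPOSITORIES` and `VIEW_USERS` hunks below) removes the only statement of why `Target.GLOBAL` values are interleaved with resource permissions. The `// 12`, `// 15`, `// 17` ordinal markers that remain, and the fact that the new `DEPLOY_BUNDLES_TO_GROUP` is appended at the very end rather than grouped with its kind, suggest the ordering is still load-bearing, presumably because ordinals are persisted — confirm against the persistence mapping. If so, keep one class-level note in the enum's Javadoc, e.g. `Declaration order is significant: ordinals are referenced externally, so new values must be appended and existing ones never reordered.`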
@@ -124,7 +122,6 @@ public enum Permission {
/**
* Can C/U/D repositories and content sources
*/
- // NOTE: This is a GLOBAL permission but defined here to maintain the ordinal
indexes
MANAGE_REPOSITORIES(Target.GLOBAL), // 15
/**
@@ -135,7 +132,6 @@ public enum Permission {
/**
* Can view other RHQ users, except for their assigned roles
*/
- // NOTE: This is a GLOBAL permission but defined here to maintain the ordinal
indexes
VIEW_USERS(Target.GLOBAL), // 17
/**
@@ -146,54 +142,59 @@ public enum Permission {
/**
* Can create Bundle [Versions]s
* Can assign to viewable bundle groups
- * Can create global Bundle [Versions] if holding Global.VIEW_BUNDLES
+ * Can create unassigned Bundle [Versions] if holding Global.VIEW_BUNDLES
*/
CREATE_BUNDLES(Target.GLOBAL), // 19
/**
* Can delete viewable bundle [Versions]s
* Can unassign from viewable bundle groups
- * Can delete global bundles if holding Global.VIEW_BUNDLES
+ * Can delete unassigned bundles if holding Global.VIEW_BUNDLES
*/
DELETE_BUNDLES(Target.GLOBAL), // 20
/**
- * Can view any bundle, including global bundles
+ * Can view any bundle, including unassigned bundles
*/
VIEW_BUNDLES(Target.GLOBAL), // 21
/**
- * Can deploy any viewable bundle version to any viewable (deployable, compatible)
resource group
+ * Can deploy any viewable bundle version to any viewable [deployable, compatible]
resource group
*/
DEPLOY_BUNDLES(Target.GLOBAL), // 22
/**
- * Can assign viewable bundles to the bundle group
+ * Can assign viewable bundles to the bundle groups associated with the role.
* - this can be a copy from another viewable bundle group
- * - this can be a global bundle if holding Global.VIEW_BUNDLES
+ * - this can be an unassigned bundle if holding Global.VIEW_BUNDLES
*/
ASSIGN_BUNDLES_TO_GROUP(Target.BUNDLE), // 23
/**
- * Can unassign bundles from the bundle group
- * - the bundle is not deleted and becomes a global bundle if assigned to no other
bundle group
+ * Can unassign bundles assigned to bundle groups associated with the role.
+ * - the bundle is not deleted and becomes an unassigned bundle if assigned to no
other bundle group
*/
UNASSIGN_BUNDLES_FROM_GROUP(Target.BUNDLE), // 24
/**
- * Can create bundle [version]s for this bundle group
+ * Can create [implicitly assigned] bundle [version]s for bundle groups associated
with the role.
*/
CREATE_BUNDLES_IN_GROUP(Target.BUNDLE), // 25
/**
- * Can delete bundle [version]s from the bundle group
+ * Can delete assigned bundle [version]s from the bundle groups associated with the
role.
*/
DELETE_BUNDLES_FROM_GROUP(Target.BUNDLE), // 26
/**
- * Implied - Can view bundles in the bundle group
+ * Implied - Can view the bundles assigned to the bundle groups associated with the
role.
*/
- VIEW_BUNDLES_IN_GROUP(Target.BUNDLE) // 27
+ VIEW_BUNDLES_IN_GROUP(Target.BUNDLE), // 27
+
+ /**
+ * Can deploy viewable bundles to the [compatible, deployable] resource groups
associated with the role.
+ */
+ DEPLOY_BUNDLES_TO_GROUP(Target.RESOURCE) // 28
;
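Review bot: `DEPLOY_BUNDLES_TO_GROUP` is declared with `Target.RESOURCE`, yet the PermissionsEditor hunk in this commit gates the Manage-Bundle rule on `Permission.BUNDLE_ALL.contains(permission)`, and `BUNDLE_ALL` is neither shown nor updated in this diff. If that set is derived from `Target.BUNDLE`, the new value falls outside it, so the editor's deselection guard and any `BUNDLE_ALL`-based implication of `MANAGE_BUNDLE` would silently skip it. Either add the value to `BUNDLE_ALL` explicitly or document the choice on the constant, e.g. `* Target.RESOURCE: granted per resource group rather than per bundle group, so deliberately not part of BUNDLE_ALL.`, whichever is intended. The enum body continues outside the hunk.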
diff --git a/modules/core/domain/src/main/java/org/rhq/core/domain/bundle/Bundle.java
b/modules/core/domain/src/main/java/org/rhq/core/domain/bundle/Bundle.java
index 7b5499f..3a8569f 100644
--- a/modules/core/domain/src/main/java/org/rhq/core/domain/bundle/Bundle.java
+++ b/modules/core/domain/src/main/java/org/rhq/core/domain/bundle/Bundle.java
@@ -105,6 +105,9 @@ public class Bundle implements Serializable {
private List<BundleVersion> bundleVersions = new
ArrayList<BundleVersion>();
@ManyToMany(mappedBy = "bundles", fetch = FetchType.LAZY, cascade =
CascadeType.REMOVE)
+ private Set<BundleGroup> bundleGroups;
+
+ @ManyToMany(mappedBy = "bundles", fetch = FetchType.LAZY, cascade =
CascadeType.REMOVE)
private Set<Tag> tags;
public Bundle() {
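Review bot: `cascade = CascadeType.REMOVE` on the new `bundleGroups` mapping means removing a `Bundle` entity also removes every `BundleGroup` it belongs to, and `mappedBy = "bundles"` marks this as the inverse side of a many-to-many, so those groups are shared with other bundles. The attribute looks copied from the `tags` mapping below; for groups it would let a single bundle deletion wipe out the group, and with it the role scoping, for unrelated bundles. Drop the cascade: `@ManyToMany(mappedBy = "bundles", fetch = FetchType.LAZY)` and let unassignment maintain the join rows. The owning `BundleGroup.bundles` side is not in this diff, so confirm no cascade is defined there either.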
diff --git
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/PermissionsEditor.java
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/PermissionsEditor.java
index 5e80d82..77beefb 100644
---
a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/PermissionsEditor.java
+++
b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/PermissionsEditor.java
@@ -431,6 +431,7 @@ public class PermissionsEditor extends EnhancedVStack {
String permissionName = record.getAttribute(nameField);
Permission permission = Permission.valueOf(permissionName);
String permissionDisplayName =
record.getAttribute("displayName");
+
if (permission == Permission.VIEW_RESOURCE) {
String messageString =
MSG.view_adminRoles_permissions_readAccessImplied(permissionDisplayName);
handleIllegalPermissionSelection(event, messageString);
@@ -449,6 +450,11 @@ public class PermissionsEditor extends EnhancedVStack {
String messageString = MSG
.view_adminRoles_permissions_illegalDeselectionDueToCorrespondingWritePermSelection(permissionDisplayName);
handleIllegalPermissionSelection(event, messageString);
+ } else if (!authorized &&
selectedPermissions.contains(Permission.MANAGE_BUNDLE)
+ && Permission.BUNDLE_ALL.contains(permission)) {
+ String messageString = MSG
+
.view_adminRoles_permissions_illegalDeselectionDueToManageBundleSelection(permissionDisplayName);
+ handleIllegalPermissionSelection(event, messageString);
} else {
updatePermissions(authorized, permission);
diff --git
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages.properties
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages.properties
index 25f5171..5a42502 100644
---
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages.properties
+++
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages.properties
@@ -509,6 +509,7 @@ view_adminRoles_permissions_autoselecting_manageSecurity_implied =
Autoselected
view_adminRoles_permissions_bundleGroupPermissions = Bundle Group Permissions
view_adminRoles_permissions_globalPermissions = Global Permissions
view_adminRoles_permissions_illegalDeselectionDueToCorrespondingWritePermSelection = {0}
read permission cannot be deselected, unless the {0} write permission, which implies the
read permission, is deselected first.
+view_adminRoles_permissions_illegalDeselectionDueToManageBundleSelection = {0} permission
cannot be deselected, unless Manage Bundle, which implies all Bundle permissions, is
deselected first.
view_adminRoles_permissions_illegalDeselectionDueToManageInventorySelection = {0}
permission cannot be deselected, unless Manage Inventory, which implies all Resource
permissions, is deselected first.
view_adminRoles_permissions_illegalDeselectionDueToManageSecuritySelection = {0}
permission cannot be deselected, unless the Manage Security permission, which implies all
other permissions, is deselected first.
view_adminRoles_permissions_isAuthorized = Authorized?
diff --git
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_cs.properties
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_cs.properties
index 8982a54..69c8452 100644
---
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_cs.properties
+++
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_cs.properties
@@ -528,6 +528,7 @@ view_adminRoles_permissions_autoselecting_manageSecurity_implied =
Automaticky o
view_adminRoles_permissions_bundleGroupPermissions = Bundle Group Permissions
view_adminRoles_permissions_globalPermissions = Globální povolení
##view_adminRoles_permissions_illegalDeselectionDueToCorrespondingWritePermSelection =
{0} read permission cannot be deselected, unless the {0} write permission, which implies
the read permission, is deselected first.
+##view_adminRoles_permissions_illegalDeselectionDueToManageBundleSelection = {0}
permission cannot be deselected, unless Manage Bundle, which implies all Bundle
permissions, is deselected first.
##view_adminRoles_permissions_illegalDeselectionDueToManageInventorySelection = {0}
permission cannot be deselected, unless Manage Inventory, which implies all Resource
permissions, is deselected first.
##view_adminRoles_permissions_illegalDeselectionDueToManageSecuritySelection = {0}
permission cannot be deselected, unless the Manage Security permission, which implies all
other permissions, is deselected first.
view_adminRoles_permissions_isAuthorized = Autorizován?
diff --git
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_de.properties
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_de.properties
index 8b086a7..ddd4686 100644
---
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_de.properties
+++
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_de.properties
@@ -507,6 +507,7 @@ view_adminRoles_noLdap = Die LDAP-Integration ist nicht konfiguriert.
Um LDAP zu
view_adminRoles_permissions_bundleGroupPermissions = Bundle Group Permissions
view_adminRoles_permissions_globalPermissions = Globale Rechte
##view_adminRoles_permissions_illegalDeselectionDueToCorrespondingWritePermSelection =
{0} read permission cannot be deselected, unless the {0} write permission, which implies
the read permission, is deselected first.
+##view_adminRoles_permissions_illegalDeselectionDueToManageBundleSelection = {0}
permission cannot be deselected, unless Manage Bundle, which implies all Bundle
permissions, is deselected first.
##view_adminRoles_permissions_illegalDeselectionDueToManageInventorySelection = {0}
permission cannot be deselected, unless Manage Inventory, which implies all Resource
permissions, is deselected first.
##view_adminRoles_permissions_illegalDeselectionDueToManageSecuritySelection = {0}
permission cannot be deselected, unless the Manage Security permission, which implies all
other permissions, is deselected first.
view_adminRoles_permissions_isAuthorized = Berechtigt?
diff --git
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ja.properties
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ja.properties
index a78ab58..49cc7e6 100644
---
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ja.properties
+++
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ja.properties
@@ -506,6 +506,7 @@ view_adminRoles_permissions_autoselecting_manageSecurity_implied =
未選択の
view_adminRoles_permissions_bundleGroupPermissions = Bundle Group Permissions
view_adminRoles_permissions_globalPermissions = グローバル権限
view_adminRoles_permissions_illegalDeselectionDueToCorrespondingWritePermSelection = {0}
読み取り権限は選択解除できませんでした。読み取り権限を暗示する {0} 書き込み権限が最初に選択解除されなければそれはできません。
+##view_adminRoles_permissions_illegalDeselectionDueToManageBundleSelection = {0}
permission cannot be deselected, unless Manage Bundle, which implies all Bundle
permissions, is deselected first.
view_adminRoles_permissions_illegalDeselectionDueToManageInventorySelection = {0}
権限は選択解除できませんでした。他のすべてのリソースを暗示する管理インベントリが最初に選択解除されなければそれはできません。
view_adminRoles_permissions_illegalDeselectionDueToManageSecuritySelection = {0}
権限は選択解除できませんでした。他のすべての権限を暗示する管理セキュリティ権限が最初に選択解除されなければそれはできません。
view_adminRoles_permissions_isAuthorized = 権限があるか?
diff --git
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ko.properties
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ko.properties
index a00f560..89c10c0 100644
---
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ko.properties
+++
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ko.properties
@@ -457,6 +457,7 @@ view_adminRoles_noLdap = LDAP 보안 통합이 설정되지 않았습니다. LDA
view_adminRoles_permissions_bundleGroupPermissions = Bundle Group Permissions
view_adminRoles_permissions_globalPermissions = 글로벌 권한
view_adminRoles_permissions_illegalDeselectionDueToCorrespondingWritePermSelection = {0}
읽기 권한은 선택 해제 할 수 없습니다. 읽기 권한을 암시하는 {0} 쓰기 권한이 먼저 선택 해제되어야 그것은 수행할 수 있습니다.
+##view_adminRoles_permissions_illegalDeselectionDueToManageBundleSelection = {0}
permission cannot be deselected, unless Manage Bundle, which implies all Bundle
permissions, is deselected first.
view_adminRoles_permissions_illegalDeselectionDueToManageInventorySelection = {0} 권한은 선택
해제 할 수 없습니다. 다른 모든 자원을 암시하는 관리 인벤토리가 먼저 선택 해제되어야 그것은 수행할 수 있습니다.
view_adminRoles_permissions_illegalDeselectionDueToManageSecuritySelection = {0} 권한은 선택
해제 할 수 없습니다. 다른 모든 권한을 암시하는 관리 보안 권한이 먼저 선택 해제되어야 그것은 수행할 수 있습니다.
view_adminRoles_permissions_isAuthorized = 권한이 있습니까?
diff --git
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_pt.properties
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_pt.properties
index e6a7864..26546fb 100644
---
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_pt.properties
+++
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_pt.properties
@@ -511,6 +511,7 @@ view_adminRoles_permissions_autoselecting_manageSecurity_implied =
Autoselected
view_adminRoles_permissions_bundleGroupPermissions = Bundle Group Permissions
view_adminRoles_permissions_globalPermissions = Permiss\u00F5es Globais
view_adminRoles_permissions_illegalDeselectionDueToCorrespondingWritePermSelection = {0}
permiss\u00E3o de leitura n\u00E3 pode ser desmarcada, a menos que {0} permiss\u00E3o de
escrita, que implica na permiss\u00E3o de leitura, seja desmarcada primeiro.
+##view_adminRoles_permissions_illegalDeselectionDueToManageBundleSelection = {0}
permission cannot be deselected, unless Manage Bundle, which implies all Bundle
permissions, is deselected first.
view_adminRoles_permissions_illegalDeselectionDueToManageInventorySelection = {0}
permiss\u00E3o n\u00E3o pode ser desmarcada, a menos que Gerenciar Invent\u00E1rio, que
implica todas as permiss\u00F5es de Recurso, seja desmarcada primeiro.
view_adminRoles_permissions_illegalDeselectionDueToManageSecuritySelection = {0}
permiss\u00E3o n\u00E3o pode ser desmarcada, a menos que a permiss\u00E3 Gerenciar
SeguranÁa, que implica em todas outras permissıes, seja desmarcada primeiro.
view_adminRoles_permissions_isAuthorized = Autorizado?
diff --git
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ru.properties
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ru.properties
index 4f9a97e..5692d33 100644
---
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ru.properties
+++
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_ru.properties
@@ -2591,6 +2591,7 @@ view_adminRoles_permissions_autoselecting_manageSecurity_implied =
Автома
view_adminRoles_permissions_bundleGroupPermissions = Bundle Group Permissions
view_adminRoles_permissions_globalPermissions = Глобальные полномчия
view_adminRoles_permissions_illegalDeselectionDueToCorrespondingWritePermSelection = {0}
полномочия на чтение не могут быть отключены, пока предварительно {0} полномочия записи,
которые включают полномочия на чтение, не будут отключены.
+##view_adminRoles_permissions_illegalDeselectionDueToManageBundleSelection = {0}
permission cannot be deselected, unless Manage Bundle, which implies all Bundle
permissions, is deselected first.
view_adminRoles_permissions_illegalDeselectionDueToManageInventorySelection = {0}
полномочия не могут быть отключены, пока предварительно Manage Inventory, которая включает
все полномочия ресурса, не будет отключено.
view_adminRoles_permissions_illegalDeselectionDueToManageSecuritySelection = {0}
полномочия не могут быть отключены, пока предватильно Manage Security полномочие, которое
включает все другие полномочия, не будет отключено.
view_adminRoles_permissions_isAuthorized = Авторизованы?
diff --git
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_zh.properties
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_zh.properties
index 547ebd5..f126e51 100644
---
a/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_zh.properties
+++
b/modules/enterprise/gui/coregui/src/main/resources/org/rhq/enterprise/gui/coregui/client/Messages_zh.properties
@@ -500,6 +500,7 @@ view_adminRoles_noLdap = \u6ca1\u6709\u96c6\u6210LDAP\u5b89\u5168,
\u5230<a {0}>
view_adminRoles_permissions_bundleGroupPermissions = Bundle Group Permissions
view_adminRoles_permissions_globalPermissions = \u5168\u5c40\u6388\u6743
##view_adminRoles_permissions_illegalDeselectionDueToCorrespondingWritePermSelection =
{0} read permission cannot be deselected, unless the {0} write permission, which implies
the read permission, is deselected first.
+##view_adminRoles_permissions_illegalDeselectionDueToManageBundleSelection = {0}
permission cannot be deselected, unless Manage Bundle, which implies all Bundle
permissions, is deselected first.
##view_adminRoles_permissions_illegalDeselectionDueToManageInventorySelection = {0}
permission cannot be deselected, unless Manage Inventory, which implies all Resource
permissions, is deselected first.
##view_adminRoles_permissions_illegalDeselectionDueToManageSecuritySelection = {0}
permission cannot be deselected, unless the Manage Security permission, which implies all
other permissions, is deselected first.
view_adminRoles_permissions_isAuthorized = \u6388\u6743?
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
index 2fda53e..d71095f 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerBean.java
@@ -51,6 +51,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
@PersistenceContext(unitName = RHQConstants.PERSISTENCE_UNIT_NAME)
private EntityManager entityManager;
+ @Override
@SuppressWarnings("unchecked")
public Set<Permission> getExplicitGlobalPermissions(Subject subject) {
Query query =
entityManager.createNamedQuery(Subject.QUERY_GET_GLOBAL_PERMISSIONS);
@@ -66,6 +67,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return results;
}
+ @Override
@SuppressWarnings("unchecked")
public Set<Permission> getExplicitGroupPermissions(Subject subject, int
groupId) {
Set<Permission> result = new HashSet<Permission>();
@@ -99,12 +101,14 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return result;
}
+ @Override
public Set<Permission> getImplicitGroupPermissions(Subject subject, int
groupId) {
Set<Permission> permissions = isInventoryManager(subject) ?
Permission.RESOURCE_ALL
: getExplicitGroupPermissions(subject, groupId);
return permissions;
}
+ @Override
@SuppressWarnings("unchecked")
public Set<Permission> getExplicitResourcePermissions(Subject subject, int
resourceId) {
Query query =
entityManager.createNamedQuery(Subject.QUERY_GET_PERMISSIONS_BY_RESOURCE_ID);
@@ -119,12 +123,14 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return results;
}
+ @Override
public Set<Permission> getImplicitResourcePermissions(Subject subject, int
resourceId) {
Set<Permission> permissions = isInventoryManager(subject) ?
Permission.RESOURCE_ALL
: getExplicitResourcePermissions(subject, resourceId);
return permissions;
}
+ @Override
public boolean hasGlobalPermission(Subject subject, Permission permission) {
if (isOverlord(subject)) {
return true;
@@ -137,6 +143,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return (count != 0);
}
+ @Override
@SuppressWarnings("unchecked")
public boolean hasGroupPermission(Subject subject, Permission permission, int
groupId) {
if (isInventoryManager(subject)) {
@@ -170,6 +177,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
}
}
+ @Override
public boolean hasResourcePermission(Subject subject, Permission permission, int
resourceId) {
if (isInventoryManager(subject)) {
return true;
@@ -183,6 +191,31 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return (count != 0);
}
+ @SuppressWarnings("unchecked")
+ @Override
+ public boolean hasBundlePermission(Subject subject, Permission permission, int
bundleId) {
+
+ Query query =
entityManager.createNamedQuery(Subject.QUERY_HAS_BUNDLE_PERMISSION);
+ query.setParameter("subject", subject);
+ query.setParameter("permission", permission);
+ query.setParameter("bundleId", bundleId);
+ long count = (Long) query.getSingleResult();
+ return (count != 0);
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public boolean hasBundleGroupPermission(Subject subject, Permission permission, int
bundleGroupId) {
+
+ Query query =
entityManager.createNamedQuery(Subject.QUERY_HAS_BUNDLE_GROUP_PERMISSION);
+ query.setParameter("subject", subject);
+ query.setParameter("permission", permission);
+ query.setParameter("bundleGroupId", bundleGroupId);
+ long count = (Long) query.getSingleResult();
+ return (count != 0);
+ }
+
+ @Override
public boolean hasAutoGroupPermission(Subject subject, Permission permission, int
parentResourceId,
int resourceTypeId) {
if (isInventoryManager(subject)) {
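Review bot: Unlike every sibling in this class, `hasBundlePermission` and `hasBundleGroupPermission` go straight to the named query with no global short-circuit: `hasGlobalPermission` returns early for `isOverlord`, and the group/resource variants for `isInventoryManager`. The `MANAGE_BUNDLE` Javadoc changed in this commit says it `can perform any bundle action`, so a subject holding it in a role attached to no bundle group, and the overlord, will get `false` here. Add at the top of both methods `if (hasGlobalPermission(subject, Permission.MANAGE_BUNDLE)) { return true; }` (hasGlobalPermission already covers the overlord case). The `@SuppressWarnings("unchecked")` on both is unnecessary, since `(Long) query.getSingleResult()` is a checked cast. The interface Javadoc restricts `permission` to `Target.BUNDLE` and nothing enforces it here, so a non-bundle permission simply matches no role path; an `IllegalArgumentException` would make that misuse fail loudly instead of reading as a deny.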
@@ -207,6 +240,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return (baseCount == subjectCount);
}
+ @Override
public boolean canViewResource(Subject subject, int resourceId) {
if (isInventoryManager(subject)) {
return true;
@@ -219,6 +253,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return (count != 0);
}
+ @Override
public boolean canViewResources(Subject subject, List<Integer> resourceIds) {
if (isInventoryManager(subject)) {
return true;
@@ -232,6 +267,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return count == resourceIds.size();
}
+ @Override
public boolean canViewGroup(Subject subject, int groupId) {
if (isInventoryManager(subject)) {
return true;
@@ -244,6 +280,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return (count != 0);
}
+ @Override
public boolean canViewAutoGroup(Subject subject, int parentResourceId, int
resourceTypeId) {
if (isInventoryManager(subject)) {
return true;
@@ -266,10 +303,12 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return (baseCount == subjectCount);
}
+ @Override
public boolean isInventoryManager(Subject subject) {
return hasGlobalPermission(subject, Permission.MANAGE_INVENTORY);
}
+ @Override
@SuppressWarnings("unchecked")
public boolean hasResourcePermission(Subject subject, Permission permission,
Collection<Integer> resourceIds) {
if (isInventoryManager(subject)) {
@@ -284,16 +323,20 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
return results.containsAll(resourceIds);
}
+ @Override
public boolean isSystemSuperuser(Subject subject) {
// We know that our overlord is always id=1 and the rhqadmin user is always
id=2.
- return (subject != null) && ((subject.getId() == SUBJECT_ID_OVERLORD) ||
(subject.getId() == SUBJECT_ID_RHQADMIN));
+ return (subject != null)
+ && ((subject.getId() == SUBJECT_ID_OVERLORD) || (subject.getId() ==
SUBJECT_ID_RHQADMIN));
}
+ @Override
public boolean isOverlord(Subject subject) {
// We know that our overlord is always id=1.
return (subject != null) && (subject.getId() == SUBJECT_ID_OVERLORD);
}
+ @Override
public boolean canUpdateRepo(Subject subject, int repoId) {
if (hasGlobalPermission(subject, Permission.MANAGE_REPOSITORIES)) {
return true;
@@ -301,11 +344,12 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
Query q =
entityManager.createNamedQuery(Repo.QUERY_CHECK_REPO_OWNED_BY_SUBJECT_ID);
q.setParameter("repoId", repoId);
q.setParameter("subjectId", subject.getId());
-
+
Long num = (Long) q.getSingleResult();
return num > 0;
}
-
+
+ @Override
public boolean canViewRepo(Subject subject, int repoId) {
if (hasGlobalPermission(subject, Permission.MANAGE_REPOSITORIES)) {
return true;
@@ -314,7 +358,7 @@ public class AuthorizationManagerBean implements
AuthorizationManagerLocal {
Query q =
entityManager.createNamedQuery(Repo.QUERY_CHECK_REPO_VISIBLE_BY_SUBJECT_ID);
q.setParameter("repoId", repoId);
q.setParameter("subjectId", subject.getId());
-
+
Long num = (Long) q.getSingleResult();
return num > 0;
}
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerLocal.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerLocal.java
index 194e345..8872d61 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerLocal.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/authz/AuthorizationManagerLocal.java
@@ -20,7 +20,6 @@ package org.rhq.enterprise.server.authz;
import java.util.Collection;
import java.util.List;
-import java.util.Properties;
import java.util.Set;
import javax.ejb.Local;
@@ -135,6 +134,30 @@ public interface AuthorizationManagerLocal {
boolean hasAutoGroupPermission(Subject subject, Permission permission, int
parentResourceId, int resourceTypeId);
/**
+ * Returns true if the current user possesses the specified bundle permission for the
specified bundle.
+ *
+ * @param subject the current subject or caller
+ * @param permission a bundle permission (i.e. permission.getTarget() ==
Permission.Target.BUNDLE)
+ * @param bundleId the id of the bundle to check permissions against
+ *
+ * @return true if the current user possesses the specified resource permission for
the specified resource
+ */
+
+ boolean hasBundlePermission(Subject subject, Permission permission, int bundleId);
+
+ /**
+ * Returns true if the current user possesses the specified bundle permission for the
specified bundle group.
+ *
+ * @param subject the current subject or caller
+ * @param permission a bundle permission (i.e. permission.getTarget() ==
Permission.Target.BUNDLE)
+ * @param bundleGroupId the id of the bundle group to check permissions against
+ *
+ * @return true if the current user possesses the specified resource permission for
the specified resource
+ */
+
+ boolean hasBundleGroupPermission(Subject subject, Permission permission, int
bundleGroupId);
+
+ /**
* Returns true if the current user possesses the specified global permission.
*
* @param subject the current subject or caller
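Review bot: The `@return` text added for both hasBundlePermission and hasBundleGroupPermission was copied from the resource variant and still says "specified resource permission for the specified resource"; it should read `@return true if the subject possesses the specified bundle permission for the specified bundle` and `... for the specified bundle group` respectively. The new declarations also leave a blank line between the closing `*/` and the method, which the surrounding declarations in this interface do not do. Since BundleManagerBean's new check helpers combine these calls with their own explicit global-permission tests, the Javadoc should state whether a global permission such as Global.VIEW_BUNDLES is already folded into a true result or whether callers must test it separately.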
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
index 139a26e..51e59ff 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
@@ -214,12 +214,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- public void assignBundlesToBundleGroup(Subject subject, int bundleGroupId, int...
bundleIds) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
@RequiredPermission(Permission.MANAGE_BUNDLE)
public Bundle createBundle(Subject subject, String name, String description, int
bundleTypeId) throws Exception {
if (null == name || "".equals(name.trim())) {
@@ -281,7 +275,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
public BundleDeployment createBundleDeployment(Subject subject, int bundleVersionId,
int bundleDestinationId,
String description, Configuration configuration) throws Exception {
@@ -294,6 +287,8 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
throw new IllegalArgumentException("Invalid bundleDestinationId: "
+ bundleDestinationId);
}
+ checkBundleDeploymentAuthz(subject, bundleVersion.getBundle().getId(),
bundleDestination.getGroup().getId());
+
String name = getBundleDeploymentNameImpl(subject, bundleDestination,
bundleVersion, null);
return this.createBundleDeploymentImpl(subject, bundleVersion, bundleDestination,
name, description,
configuration);
@@ -326,7 +321,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
public BundleDestination createBundleDestination(Subject subject, int bundleId,
String name, String description,
String destBaseDirName, String deployDir, Integer groupId) throws Exception {
@@ -354,6 +348,8 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
ResourceGroup group = entityManager.find(ResourceGroup.class,
groups.get(0).getId());
+ checkBundleDeploymentAuthz(subject, bundle.getId(), groupId);
+
BundleDestination dest = new BundleDestination(bundle, name, group,
destBaseDirName, deployDir);
dest.setDescription(description);
entityManager.persist(dest);
@@ -561,37 +557,78 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
public BundleVersion createBundleVersionViaRecipe(Subject subject, String recipe)
throws Exception {
+ return createBundleVersionViaRecipeImpl(subject, recipe, false, 0);
+ }
+
+ @Override
+ public BundleVersion createInitialBundleVersionViaRecipe(Subject subject, int
bundleGroupId, String recipe)
+ throws Exception {
+
+ return createBundleVersionViaRecipeImpl(subject, recipe, true, bundleGroupId);
+ }
+
+ private BundleVersion createBundleVersionViaRecipeImpl(Subject subject, String
recipe,
+ boolean mustBeInitialVersion, int initialBundleGroupId) throws Exception {
+
BundleServerPluginManager manager =
BundleManagerHelper.getPluginContainer().getBundleServerPluginManager();
BundleDistributionInfo info = manager.parseRecipe(recipe);
- BundleVersion bundleVersion = createBundleVersionViaDistributionInfo(subject,
info);
+ BundleVersion bundleVersion = createBundleVersionViaDistributionInfo(subject,
info, mustBeInitialVersion,
+ initialBundleGroupId);
return bundleVersion;
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
@TransactionAttribute(TransactionAttributeType.NEVER)
public BundleVersion createBundleVersionViaFile(Subject subject, File
distributionFile) throws Exception {
+ return createBundleVersionViaFileImpl(subject, distributionFile, false, 0);
+ }
+
+ @Override
+ @TransactionAttribute(TransactionAttributeType.NEVER)
+ public BundleVersion createInitialBundleVersionViaFile(Subject subject, int
bundleGroupId, File distributionFile)
+ throws Exception {
+
+ return createBundleVersionViaFileImpl(subject, distributionFile, true,
bundleGroupId);
+ }
+
+ private BundleVersion createBundleVersionViaFileImpl(Subject subject, File
distributionFile,
+ boolean mustBeInitialVersion, int initialBundleGroupId) throws Exception {
+
BundleServerPluginManager manager =
BundleManagerHelper.getPluginContainer().getBundleServerPluginManager();
BundleDistributionInfo info =
manager.processBundleDistributionFile(distributionFile);
- BundleVersion bundleVersion = createBundleVersionViaDistributionInfo(subject,
info);
+ BundleVersion bundleVersion = createBundleVersionViaDistributionInfo(subject,
info, mustBeInitialVersion,
+ initialBundleGroupId);
return bundleVersion;
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
@TransactionAttribute(TransactionAttributeType.NEVER)
public BundleVersion createBundleVersionViaByteArray(Subject subject, byte[]
fileBytes) throws Exception {
+ return createBundleVersionViaByteArrayImpl(subject, fileBytes, false, 0);
+ }
+
+ @Override
+ @TransactionAttribute(TransactionAttributeType.NEVER)
+ public BundleVersion createInitialBundleVersionViaByteArray(Subject subject, int
bundleGroupId, byte[] fileBytes)
+ throws Exception {
+
+ return createBundleVersionViaByteArrayImpl(subject, fileBytes, true,
bundleGroupId);
+ }
+
+ private BundleVersion createBundleVersionViaByteArrayImpl(Subject subject, byte[]
fileBytes,
+ boolean mustBeInitialVersion, int bundleGroupId) throws Exception {
+
File tmpFile = File.createTempFile("bundleDistroBits",
".zip");
try {
StreamUtil.copy(new ByteArrayInputStream(fileBytes), new
FileOutputStream(tmpFile));
- BundleVersion bundleVersion = createBundleVersionViaFile(subject, tmpFile);
+ BundleVersion bundleVersion = createBundleVersionViaFileImpl(subject,
tmpFile, mustBeInitialVersion,
+ bundleGroupId);
return bundleVersion;
} finally {
if (tmpFile != null) {
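Review bot: The three new private `*Impl` helpers carry no Javadoc for `mustBeInitialVersion` and `initialBundleGroupId`, although those two values now select which authorization rule is applied further down in createBundleVersionViaDistributionInfo; a short header such as `/** @param mustBeInitialVersion when true the bundle named in the distribution must not exist yet; @param initialBundleGroupId bundle group for a newly created bundle, 0 for none */` on each would make that visible at the call sites. createBundleVersionViaByteArrayImpl also names its last parameter `bundleGroupId` while its two siblings use `initialBundleGroupId`; the names should agree. Note too that the delegating public methods lost their `@RequiredPermission(Permission.MANAGE_BUNDLE)` interceptor, so the only authorization these entry points now have is the check inside createBundleVersionViaDistributionInfo, which runs after the recipe or distribution file has already been parsed.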
@@ -601,17 +638,36 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
@TransactionAttribute(TransactionAttributeType.NEVER)
public BundleVersion createBundleVersionViaURL(Subject subject, String
distributionFileUrl) throws Exception {
+
return createBundleVersionViaURL(subject, distributionFileUrl, null, null);
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
@TransactionAttribute(TransactionAttributeType.NEVER)
public BundleVersion createBundleVersionViaURL(Subject subject, String
distributionFileUrl, String username,
String password) throws Exception {
+
+ return createBundleVersionViaURLImpl(subject, distributionFileUrl, username,
password, false, 0);
+ }
+
+ @Override
+ public BundleVersion createInitialBundleVersionViaURL(Subject subject, int
bundleGroupId, String distributionFileUrl)
+ throws Exception {
+
+ return createInitialBundleVersionViaURL(subject, bundleGroupId,
distributionFileUrl, null, null);
+ }
+
+ @Override
+ public BundleVersion createInitialBundleVersionViaURL(Subject subject, int
bundleGroupId,
+ String distributionFileUrl, String username, String password) throws Exception {
+
+ return createBundleVersionViaURLImpl(subject, distributionFileUrl, username,
password, true, bundleGroupId);
+ }
+
+ public BundleVersion createBundleVersionViaURLImpl(Subject subject, String
distributionFileUrl, String username,
+ String password, boolean mustBeInitialVersion, int initialBundleGroupId) throws
Exception {
File file = null;
try {
file = downloadFile(distributionFileUrl, username, password);
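Review bot: createBundleVersionViaURLImpl performs the download before any authorization decision is made, whereas this same commit deliberately checks authorization "prior to performing any file download" in addBundleFileViaURL; a subject with no bundle permissions at all can still make the server fetch the supplied URL here. The full check needs the bundle name from the downloaded file, but when `mustBeInitialVersion` is true the group-level rule is already known, so `if (mustBeInitialVersion) { checkCreateInitialBundleVersionAuthz(subject, initialBundleGroupId); }` can precede `downloadFile`, and the non-initial path could at least confirm the subject holds some bundle-creating permission before fetching. The method is also declared `public` without `@Override`, unlike the other `*Impl` helpers, which are `private`; it should be `private` too. Its body continues past the hunk.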
@@ -619,7 +675,7 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
log.debug("Copied [" + file.length() + "] bytes from [" +
distributionFileUrl + "] into [" + file.getPath()
+ "]");
- return createBundleVersionViaFile(subject, file);
+ return createBundleVersionViaFileImpl(subject, file, mustBeInitialVersion,
initialBundleGroupId);
} finally {
if (file != null) {
file.delete();
@@ -669,8 +725,8 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
return file;
}
- private BundleVersion createBundleVersionViaDistributionInfo(Subject subject,
BundleDistributionInfo info)
- throws Exception {
+ private BundleVersion createBundleVersionViaDistributionInfo(Subject subject,
BundleDistributionInfo info,
+ boolean mustBeInitialVersion, Integer initialBundleGroupId) throws Exception {
BundleType bundleType = bundleManager.getBundleType(subject,
info.getBundleTypeName());
String bundleName =
info.getRecipeParseResults().getBundleMetadata().getBundleName();
@@ -680,7 +736,7 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
String version =
info.getRecipeParseResults().getBundleMetadata().getBundleVersion();
String recipe = info.getRecipe();
- // first see if the bundle exists or not; if not, create one
+ // first see if the bundle exists or not
boolean createdBundle;
BundleCriteria criteria = new BundleCriteria();
criteria.setStrict(true);
@@ -689,11 +745,19 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
PageList<Bundle> bundles = bundleManager.findBundlesByCriteria(subject,
criteria);
Bundle bundle;
- if (bundles.getTotalSize() == 0) {
+ boolean isInitialVersion = (bundles.getTotalSize() == 0);
+
+ if (!isInitialVersion && mustBeInitialVersion) {
+ throw new PermissionException("This must be the initial version of a new
Bundle.");
+ }
+
+ if (isInitialVersion) {
+ checkCreateInitialBundleVersionAuthz(subject, initialBundleGroupId);
bundle = bundleManager.createBundle(subject, bundleName, bundleDescription,
bundleType.getId());
createdBundle = true;
} else {
bundle = bundles.get(0);
+ checkCreateBundleVersionAuthz(subject, bundle.getId());
createdBundle = false;
}
@@ -808,7 +872,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
public BundleFile addBundleFile(Subject subject, int bundleVersionId, String name,
String version,
Architecture architecture, InputStream fileStream) throws Exception {
@@ -826,6 +889,9 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
throw new IllegalArgumentException("Invalid bundleVersionId: " +
bundleVersionId);
}
+ // Check authorization
+ checkCreateBundleVersionAuthz(subject, bundleVersion.getBundle().getId());
+
// Create the PackageVersion the BundleFile is tied to. This implicitly creates
the
// Package for the PackageVersion.
Bundle bundle = bundleVersion.getBundle();
@@ -866,7 +932,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
public BundleFile addBundleFileViaByteArray(Subject subject, int bundleVersionId,
String name, String version,
Architecture architecture, byte[] fileBytes) throws Exception {
@@ -874,7 +939,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
public BundleFile addBundleFileViaURL(Subject subject, int bundleVersionId, String
name, String version,
Architecture architecture, String bundleFileUrl) throws Exception {
@@ -885,11 +949,17 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE)
@TransactionAttribute(TransactionAttributeType.NEVER)
public BundleFile addBundleFileViaURL(Subject subject, int bundleVersionId, String
name, String version,
Architecture architecture, String bundleFileUrl, String userName, String
password) throws Exception {
+ // Check authorization prior to performing any file download
+ BundleVersion bundleVersion = entityManager.find(BundleVersion.class,
bundleVersionId);
+ if (null == bundleVersion) {
+ throw new IllegalArgumentException("Invalid bundleVersionId: " +
bundleVersionId);
+ }
+ checkCreateBundleVersionAuthz(subject, bundleVersion.getBundle().getId());
+
File file = null;
FileInputStream fis = null;
try {
@@ -925,8 +995,11 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
throw new IllegalArgumentException("Invalid packageVersionId: " +
packageVersionId);
}
+ // Check authorization
+ checkCreateBundleVersionAuthz(subject, bundleVersion.getBundle().getId());
+
// With all the plumbing in place, create and persist the BundleFile. Tie it to
the Package if the caller
- // wants this BundleFile pinned to themost recent version.
+ // wants this BundleFile pinned to the most recent version.
BundleFile bundleFile = new BundleFile();
bundleFile.setBundleVersion(bundleVersion);
bundleFile.setPackageVersion(packageVersion);
@@ -1317,31 +1390,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE_GROUPS)
- public BundleGroup createBundleGroup(Subject subject, String name, String
description) throws Exception {
- if (null == name || "".equals(name.trim())) {
- throw new IllegalArgumentException("Invalid bundleGroupName: " +
name);
- }
-
- BundleGroupCriteria c = new BundleGroupCriteria();
- c.addFilterName(name);
- c.setStrict(true);
- if (!bundleManager.findBundleGroupsByCriteria(subject, c).isEmpty()) {
- throw new IllegalArgumentException("Invalid bundleGroupName, bundle
group already exists with name: "
- + name);
- }
-
- // create and add the required Repo. the Repo is a detached object which helps in
its eventual
- // removal.
- BundleGroup bg = new BundleGroup(name);
- bg.setDescription(description);
-
- entityManager.persist(bg);
-
- return bg;
- }
-
- @Override
@TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
@RequiredPermission(Permission.MANAGE_BUNDLE)
public BundleResourceDeployment createBundleResourceDeployment(Subject subject, int
bundleDeploymentId,
@@ -1661,14 +1709,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
return queryRunner.execute();
}
- @Override
- public PageList<BundleGroup> findBundleGroupsByCriteria(Subject subject,
BundleGroupCriteria criteria) {
- CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject,
criteria);
- CriteriaQueryRunner<BundleGroup> queryRunner = new
CriteriaQueryRunner<BundleGroup>(criteria, generator,
- entityManager);
- return queryRunner.execute();
- }
-
/**
* Fetch bundles by criteria and then filter destination on the result objects to
limit what the user can see
* @param subject Caller
@@ -1697,27 +1737,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE_GROUPS)
- public void deleteBundleGroups(Subject subject, int... bundleGroupIds) throws
Exception {
-
- for (int bundleGroupId : bundleGroupIds) {
- BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class,
bundleGroupIds);
- if (null == bundleGroup) {
- return;
- }
-
- // unassign any bundles assigned to the bundle group
- for (Bundle b : bundleGroup.getBundles()) {
- bundleGroup.removeBundle(b);
- }
- bundleGroup = entityManager.merge(bundleGroup);
-
- // now remove the bundle group
- entityManager.remove(bundleGroup);
- }
- }
-
- @Override
public PageList<BundleWithLatestVersionComposite>
findBundlesWithLatestVersionCompositesByCriteria(Subject subject,
BundleCriteria criteria) {
@@ -1862,12 +1881,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
return;
}
- @Override
- public void unassignBundlesFromBundleGroup(Subject subject, int bundleGroupId, int...
bundleIds) {
- // TODO Auto-generated method stub
-
- }
-
private void safeClose(InputStream is) {
if (null != is) {
try {
@@ -1888,4 +1901,246 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
}
+ @Override
+ public void assignBundlesToBundleGroup(Subject subject, int bundleGroupId, int[]
bundleIds) {
+ BundleGroup bundleGroup = entityManager.find(BundleGroup.class, bundleGroupId);
+ if (null == bundleGroup) {
+ throw new IllegalArgumentException("BundleGroup does not exist for
bundleGroupId [" + bundleGroupId + "]");
+ }
+
+ checkAssignBundleGroupAuthz(subject, bundleGroupId, bundleIds);
+
+ for (int bundleId : bundleIds) {
+ Bundle bundle = entityManager.find(Bundle.class, bundleId);
+ if (null == bundle) {
+ throw new IllegalArgumentException("Bundle does not exist for
bundleId [" + bundleId + "]");
+ }
+
+ bundleGroup.addBundle(bundle);
+ }
+ }
+
+ @Override
+ @RequiredPermission(Permission.MANAGE_BUNDLE_GROUPS)
+ public BundleGroup createBundleGroup(Subject subject, String name, String
description) throws Exception {
+ if (null == name || "".equals(name.trim())) {
+ throw new IllegalArgumentException("Invalid bundleGroupName: " +
name);
+ }
+
+ BundleGroupCriteria c = new BundleGroupCriteria();
+ c.addFilterName(name);
+ c.setStrict(true);
+ if (!bundleManager.findBundleGroupsByCriteria(subject, c).isEmpty()) {
+ throw new IllegalArgumentException("Invalid bundleGroupName, bundle
group already exists with name: "
+ + name);
+ }
+
+ // create and add the required Repo. the Repo is a detached object which helps in
its eventual
+ // removal.
+ BundleGroup bg = new BundleGroup(name);
+ bg.setDescription(description);
+
+ entityManager.persist(bg);
+
+ return bg;
+ }
+
+ @Override
+ @RequiredPermission(Permission.MANAGE_BUNDLE_GROUPS)
+ public void deleteBundleGroups(Subject subject, int[] bundleGroupIds) throws
Exception {
+
+ for (int bundleGroupId : bundleGroupIds) {
+ BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class,
bundleGroupIds);
+ if (null == bundleGroup) {
+ return;
+ }
+
+ // unassign any bundles assigned to the bundle group
+ for (Bundle b : bundleGroup.getBundles()) {
+ bundleGroup.removeBundle(b);
+ }
+ bundleGroup = entityManager.merge(bundleGroup);
+
+ // now remove the bundle group
+ entityManager.remove(bundleGroup);
+ }
+ }
+
+ @Override
+ public PageList<BundleGroup> findBundleGroupsByCriteria(Subject subject,
BundleGroupCriteria criteria) {
+ CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject,
criteria);
+
+ if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES))
{
+
+
generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
null,
+ subject.getId());
+ }
+
+ CriteriaQueryRunner<BundleGroup> queryRunner = new
CriteriaQueryRunner<BundleGroup>(criteria, generator,
+ entityManager);
+ return queryRunner.execute();
+ }
+
+ @Override
+ public void unassignBundlesFromBundleGroup(Subject subject, int bundleGroupId, int[]
bundleIds) {
+ // TODO Auto-generated method stub
+
+ }
+
+ /**
+ * @param subject
+ * @param bundleGroupId null or 0 for unassigned initial bundle version creation
+ * @throws PermissionException
+ */
+ private void checkCreateInitialBundleVersionAuthz(Subject subject, Integer
bundleGroupId)
+ throws PermissionException {
+ Set<Permission> globalPerms =
authorizationManager.getExplicitGlobalPermissions(subject);
+ boolean hasGlobalCreateBundles =
globalPerms.contains(Permission.CREATE_BUNDLES);
+
+ if (hasGlobalCreateBundles &&
globalPerms.contains(Permission.VIEW_BUNDLES)) {
+ return;
+ }
+
+ if (null == bundleGroupId || bundleGroupId.intValue() <= 0) {
+ String msg = "Subject [" + subject.getName()
+ + "] requires Global CREATE_BUNDLES and VIEW_BUNDLES to create
unsassigned initial bundle version.";
+ throw new PermissionException(msg);
+ }
+
+ if (hasGlobalCreateBundles) {
+ if (authorizationManager.hasBundleGroupPermission(subject,
Permission.VIEW_BUNDLES_IN_GROUP, bundleGroupId)) {
+ return;
+ }
+ } else {
+ if (authorizationManager.hasBundleGroupPermission(subject,
Permission.CREATE_BUNDLES_IN_GROUP,
+ bundleGroupId)) {
+ return;
+ }
+ }
+
+ String msg = "Subject ["
+ + subject.getName()
+ + "] requires either Global.CREATE_BUNDLES +
BundleGroup.VIEW_BUNDLES_IN_GROUP, or BundleGroup.CREATE_BUNDLES_IN_GROUP, to create or
update a bundle in bundle group ["
+ + bundleGroupId + "].";
+ throw new PermissionException(msg);
+ }
+
+ /**
+ * @param subject
+ * @param bundleId required, bundleId of bundle in which bundle version is being
created/updated
+ * @throws PermissionException
+ */
+ private void checkCreateBundleVersionAuthz(Subject subject, int bundleId) throws
PermissionException {
+
+ if (bundleId <= 0) {
+ throw new IllegalArgumentException(
+ "Must supply valid bundleId for bundle version being created.
BundleId specified [" + bundleId + "]");
+ }
+
+ Set<Permission> globalPerms =
authorizationManager.getExplicitGlobalPermissions(subject);
+ boolean hasGlobalCreateBundles =
globalPerms.contains(Permission.CREATE_BUNDLES);
+
+ if (hasGlobalCreateBundles &&
globalPerms.contains(Permission.VIEW_BUNDLES)) {
+ return;
+ }
+
+ if (hasGlobalCreateBundles) {
+ if (authorizationManager.hasBundlePermission(subject,
Permission.VIEW_BUNDLES_IN_GROUP, bundleId)) {
+ return;
+ }
+ } else {
+ if (authorizationManager.hasBundlePermission(subject,
Permission.CREATE_BUNDLES_IN_GROUP, bundleId)) {
+ return;
+ }
+ }
+
+ String msg = "Subject ["
+ + subject.getName()
+ + "] requires either Global.CREATE_BUNDLES +
BundleGroup.VIEW_BUNDLES_IN_GROUP, or BundleGroup.CREATE_BUNDLES_IN_GROUP, to create or
update a bundleVersion for bundle ["
+ + bundleId + "].";
+ throw new PermissionException(msg);
+ }
+
+ /**
+ * @param subject
+ * @param bundleGroupId an existing bundle group
+ * @param bundleIds existing bundles
+ * @throws PermissionException
+ */
+ private void checkAssignBundleGroupAuthz(Subject subject, int bundleGroupId, int[]
bundleIds)
+ throws PermissionException {
+
+ Set<Permission> globalPerms =
authorizationManager.getExplicitGlobalPermissions(subject);
+ boolean hasGlobalCreateBundles =
globalPerms.contains(Permission.CREATE_BUNDLES);
+ boolean hasGlobalViewBundles = globalPerms.contains(Permission.VIEW_BUNDLES);
+
+ if (hasGlobalCreateBundles && hasGlobalViewBundles) {
+ return;
+ }
+
+ boolean hasBundleGroupCreate = hasGlobalCreateBundles
+ || authorizationManager
+ .hasBundleGroupPermission(subject, Permission.CREATE_BUNDLES_IN_GROUP,
bundleGroupId);
+ boolean hasBundleGroupAssign = hasBundleGroupCreate
+ || authorizationManager
+ .hasBundleGroupPermission(subject, Permission.ASSIGN_BUNDLES_TO_GROUP,
bundleGroupId);
+
+ if (!hasBundleGroupAssign) {
+ String msg = "Subject ["
+ + subject.getName()
+ + "] requires one of Global.CREATE_BUNDLES,
BundleGroup.CREATE_BUNDLES_IN_GROUP, or BundleGroup.ASSIGN_BUNDLES_TO_GROUP to assign a
bundle to undle group ["
+ + bundleGroupId + "].";
+ throw new PermissionException(msg);
+ }
+
+ for (int bundleId : bundleIds) {
+ if (bundleId <= 0) {
+ throw new IllegalArgumentException("Invalid bundleId: [" +
bundleId + "]");
+ }
+
+ if (!authorizationManager.hasBundlePermission(subject,
Permission.VIEW_BUNDLES_IN_GROUP, bundleId)) {
+ String msg = "Subject [" + subject.getName()
+ + "] requires either Global.VIEW_BUNDLES or
BundleGroup.VIEW_BUNDLES_IN_GROUP to assign bundle ["
+ + bundleId + "] to bundle group [" + bundleGroupId +
"]";
+ throw new PermissionException(msg);
+ }
+ }
+
+ return;
+ }
+
+ private void checkBundleDeploymentAuthz(Subject subject, int bundleId, int
resourceGroupId)
+ throws PermissionException {
+
+ boolean hasResourceGroupView = authorizationManager.hasGroupPermission(subject,
Permission.VIEW_RESOURCE,
+ resourceGroupId);
+
+ if (!hasResourceGroupView) {
+ String msg = "Subject [" + subject.getName() + "] requires
VIEW permission on resource group ["
+ + resourceGroupId + "].";
+ throw new PermissionException(msg);
+ }
+
+ Set<Permission> globalPerms =
authorizationManager.getExplicitGlobalPermissions(subject);
+ boolean hasGlobalDeployBundles =
globalPerms.contains(Permission.DEPLOY_BUNDLES);
+ boolean hasGlobalViewBundles = globalPerms.contains(Permission.VIEW_BUNDLES);
+
+ if (hasGlobalDeployBundles && hasGlobalViewBundles) {
+ return;
+ }
+
+ boolean hasResourceGroupDeploy = hasGlobalDeployBundles
+ || authorizationManager.hasGroupPermission(subject,
Permission.DEPLOY_BUNDLES_TO_GROUP, resourceGroupId);
+ boolean hasBundleView = hasGlobalViewBundles
+ || authorizationManager.hasBundlePermission(subject,
Permission.VIEW_BUNDLES_IN_GROUP, bundleId);
+
+ if (!(hasResourceGroupDeploy && hasBundleView)) {
+ String msg = "Subject [" + subject.getName()
+ + "] requires DEPLOY permission (global or on for resource group
[" + resourceGroupId
+ + "] and VIEW permission for bundle [" + bundleId +
"]";
+ throw new PermissionException(msg);
+ }
+
+ return;
+ }
}
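Review bot: In the relocated deleteBundleGroups, `this.entityManager.find(BundleGroup.class, bundleGroupIds)` passes the whole array as the primary key instead of the loop variable, and the `return` on a miss silently abandons the remaining ids; it should be `BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class, bundleGroupId);` followed by `continue;` (or an IllegalArgumentException, as assignBundlesToBundleGroup now does). unassignBundlesFromBundleGroup is still an empty stub that reports success without doing anything; until it is implemented it should `throw new UnsupportedOperationException("unassignBundlesFromBundleGroup is not implemented");` so callers are not misled. In checkAssignBundleGroupAuthz the per-bundle loop consults only `hasBundlePermission(subject, Permission.VIEW_BUNDLES_IN_GROUP, bundleId)` even though its message promises that Global.VIEW_BUNDLES suffices; unless hasBundlePermission folds the global permission in (not visible here), guard it with the flag already computed above, `if (!hasGlobalViewBundles && !authorizationManager.hasBundlePermission(subject, Permission.VIEW_BUNDLES_IN_GROUP, bundleId))`. findBundleGroupsByCriteria reuses `AuthorizationTokenType.BUNDLE` for a BundleGroup query; if CriteriaQueryGenerator does not key that fragment on the group's bundles, confirm it is the intended token. The messages also contain the typos "unsassigned" and "undle group", and the deployment message lacks the closing parenthesis after "global or on for resource group".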
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerRemote.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerRemote.java
index cffe363..5ff63d0 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerRemote.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerRemote.java
@@ -247,8 +247,8 @@ public interface BundleManagerRemote {
* </p>
* Required Permissions: Either:
* - Global.CREATE_BUNDLES and Global.VIEW_BUNDLES
- * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
and the relevant bundle is assigned to BG
- * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG and the relevant bundle
is assigned to BG
+ * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
+ * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG
*
* @param subject user that must have proper permissions
* @param bundleGroupId identifies the bundle group that the new bundle will be
associated with; 0 if no group
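Review bot: The rewritten permission list no longer states what applies when `bundleGroupId` is 0, yet the bean's checkCreateInitialBundleVersionAuthz only allows an unassigned initial version for a subject holding both Global.CREATE_BUNDLES and Global.VIEW_BUNDLES; add a line such as ` * - When bundleGroupId is 0 (no group), only Global.CREATE_BUNDLES and Global.VIEW_BUNDLES apply` under the list. The same omission is repeated in the four later hunks of this file that carry the identical list. The methods these comments document begin outside the hunks.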
@@ -289,8 +289,8 @@ public interface BundleManagerRemote {
* </p>
* Required Permissions: Either:
* - Global.CREATE_BUNDLES and Global.VIEW_BUNDLES
- * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
and the relevant bundle is assigned to BG
- * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG and the relevant bundle
is assigned to BG
+ * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
+ * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG
*
* @param subject user that must have proper permissions
* @param bundleGroupId identifies the bundle group that the new bundle will be
associated with; 0 if no group
@@ -332,8 +332,8 @@ public interface BundleManagerRemote {
* </p>
* Required Permissions: Either:
* - Global.CREATE_BUNDLES and Global.VIEW_BUNDLES
- * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
and the relevant bundle is assigned to BG
- * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG and the relevant bundle
is assigned to BG
+ * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
+ * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG
*
* @param subject user that must have proper permissions
* @param bundleGroupId identifies the bundle group that the new bundle will be
associated with; 0 if no group
@@ -379,8 +379,8 @@ public interface BundleManagerRemote {
* </p>
* Required Permissions: Either:
* - Global.CREATE_BUNDLES and Global.VIEW_BUNDLES
- * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
and the relevant bundle is assigned to BG
- * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG and the relevant bundle
is assigned to BG
+ * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
+ * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG
*
* @param subject user that must have proper permissions
* @param bundleGroupId identifies the bundle group that the new bundle will be
associated with; 0 if no group
@@ -418,8 +418,8 @@ public interface BundleManagerRemote {
* </p>
* Required Permissions: Either:
* - Global.CREATE_BUNDLES and Global.VIEW_BUNDLES
- * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
and the relevant bundle is assigned to BG
- * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG and the relevant bundle
is assigned to BG
+ * - Global.CREATE_BUNDLES and BundleGroup.VIEW_BUNDLES_IN_GROUP for bundle group BG
+ * - BundleGroup.CREATE_BUNDLES_IN_GROUP for bundle group BG
*
* @see #createBundleVersionViaURL(org.rhq.core.domain.auth.Subject, String)
*/
commit dac01526994e7de15ef99a72768bd9a81d7b8818
Author: Jay Shaughnessy <jshaughn(a)redhat.com>
Date: Fri Jul 26 15:44:58 2013 -0400
Add new auth token for bundles
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
index ac05e20..139a26e 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/bundle/BundleManagerBean.java
@@ -214,6 +214,12 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
+ public void assignBundlesToBundleGroup(Subject subject, int bundleGroupId, int...
bundleIds) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
@RequiredPermission(Permission.MANAGE_BUNDLE)
public Bundle createBundle(Subject subject, String name, String description, int
bundleTypeId) throws Exception {
if (null == name || "".equals(name.trim())) {
@@ -257,31 +263,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE_GROUPS)
- public BundleGroup createBundleGroup(Subject subject, String name, String
description) throws Exception {
- if (null == name || "".equals(name.trim())) {
- throw new IllegalArgumentException("Invalid bundleGroupName: " +
name);
- }
-
- BundleGroupCriteria c = new BundleGroupCriteria();
- c.addFilterName(name);
- c.setStrict(true);
- if (!bundleManager.findBundleGroupsByCriteria(subject, c).isEmpty()) {
- throw new IllegalArgumentException("Invalid bundleGroupName, bundle
group already exists with name: "
- + name);
- }
-
- // create and add the required Repo. the Repo is a detached object which helps in
its eventual
- // removal.
- BundleGroup bg = new BundleGroup(name);
- bg.setDescription(description);
-
- entityManager.persist(bg);
-
- return bg;
- }
-
- @Override
@TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
@RequiredPermission(Permission.MANAGE_BUNDLE)
public BundleDeployment createBundleDeploymentInNewTrans(Subject subject, int
bundleVersionId,
@@ -1336,6 +1317,31 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
+ @RequiredPermission(Permission.MANAGE_BUNDLE_GROUPS)
+ public BundleGroup createBundleGroup(Subject subject, String name, String
description) throws Exception {
+ if (null == name || "".equals(name.trim())) {
+ throw new IllegalArgumentException("Invalid bundleGroupName: " +
name);
+ }
+
+ BundleGroupCriteria c = new BundleGroupCriteria();
+ c.addFilterName(name);
+ c.setStrict(true);
+ if (!bundleManager.findBundleGroupsByCriteria(subject, c).isEmpty()) {
+ throw new IllegalArgumentException("Invalid bundleGroupName, bundle
group already exists with name: "
+ + name);
+ }
+
+ // create and add the required Repo. the Repo is a detached object which helps in
its eventual
+ // removal.
+ BundleGroup bg = new BundleGroup(name);
+ bg.setDescription(description);
+
+ entityManager.persist(bg);
+
+ return bg;
+ }
+
+ @Override
@TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
@RequiredPermission(Permission.MANAGE_BUNDLE)
public BundleResourceDeployment createBundleResourceDeployment(Subject subject, int
bundleDeploymentId,
@@ -1642,7 +1648,15 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
@Override
public PageList<Bundle> findBundlesByCriteria(Subject subject, BundleCriteria
criteria) {
+
CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject,
criteria);
+
+ if (!authorizationManager.hasGlobalPermission(subject, Permission.VIEW_BUNDLES))
{
+
+
generator.setAuthorizationResourceFragment(CriteriaQueryGenerator.AuthorizationTokenType.BUNDLE,
null,
+ subject.getId());
+ }
+
CriteriaQueryRunner<Bundle> queryRunner = new
CriteriaQueryRunner<Bundle>(criteria, generator, entityManager);
return queryRunner.execute();
}
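Review bot: The new call passes `AuthorizationTokenType.BUNDLE` to the three-argument `setAuthorizationResourceFragment`, but the BUNDLE handling this commit adds in CriteriaQueryGenerator lives in the overload that dispatches on type (the branch calling `setAuthorizationBundleFragment(subjectId)`), and the three-argument method appears to reject token types it does not know with a "does not yet support generating queries for ... token types" exception; if that is the case, every caller of `findBundlesByCriteria` without the global `VIEW_BUNDLES` permission would get an exception rather than a narrowed result. Calling `generator.setAuthorizationBundleFragment(subject.getId());` directly would match the generator change. It is also worth a comment on this branch that bundles not assigned to any bundle group become invisible to users without the global permission under the bundleGroups/roles/subjects join, since that is a visible behaviour change for existing bundles.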
@@ -1683,6 +1697,27 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
+ @RequiredPermission(Permission.MANAGE_BUNDLE_GROUPS)
+ public void deleteBundleGroups(Subject subject, int... bundleGroupIds) throws
Exception {
+
+ for (int bundleGroupId : bundleGroupIds) {
+ BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class,
bundleGroupIds);
+ if (null == bundleGroup) {
+ return;
+ }
+
+ // unassign any bundles assigned to the bundle group
+ for (Bundle b : bundleGroup.getBundles()) {
+ bundleGroup.removeBundle(b);
+ }
+ bundleGroup = entityManager.merge(bundleGroup);
+
+ // now remove the bundle group
+ entityManager.remove(bundleGroup);
+ }
+ }
+
+ @Override
public PageList<BundleWithLatestVersionComposite>
findBundlesWithLatestVersionCompositesByCriteria(Subject subject,
BundleCriteria criteria) {
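Review bot: `entityManager.find(BundleGroup.class, bundleGroupIds)` passes the whole varargs array as the primary key instead of the loop variable `bundleGroupId`, so the lookup can never match and the delete is effectively dead; the fix is `BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class, bundleGroupId);`. The `return` on a null result also abandons the remaining ids, leaving later groups undeleted with no error, where `continue;` (or throwing for an unknown id) is what a caller passing several ids would expect. Removing bundles while iterating `bundleGroup.getBundles()` risks a ConcurrentModificationException if `removeBundle` mutates that same collection, so iterating over a copy such as `new ArrayList<Bundle>(bundleGroup.getBundles())` would be safer.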
@@ -1780,27 +1815,6 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
}
@Override
- @RequiredPermission(Permission.MANAGE_BUNDLE_GROUPS)
- public void deleteBundleGroups(Subject subject, int... bundleGroupIds) throws
Exception {
-
- for (int bundleGroupId : bundleGroupIds) {
- BundleGroup bundleGroup = this.entityManager.find(BundleGroup.class,
bundleGroupIds);
- if (null == bundleGroup) {
- return;
- }
-
- // unassign any bundles assigned to the bundle group
- for (Bundle b : bundleGroup.getBundles()) {
- bundleGroup.removeBundle(b);
- }
- bundleGroup = entityManager.merge(bundleGroup);
-
- // now remove the bundle group
- entityManager.remove(bundleGroup);
- }
- }
-
- @Override
@RequiredPermission(Permission.MANAGE_BUNDLE)
public void deleteBundleVersion(Subject subject, int bundleVersionId, boolean
deleteBundleIfEmpty) throws Exception {
BundleVersion bundleVersion = this.entityManager.find(BundleVersion.class,
bundleVersionId);
@@ -1848,6 +1862,12 @@ public class BundleManagerBean implements BundleManagerLocal,
BundleManagerRemot
return;
}
+ @Override
+ public void unassignBundlesFromBundleGroup(Subject subject, int bundleGroupId, int...
bundleIds) {
+ // TODO Auto-generated method stub
+
+ }
+
private void safeClose(InputStream is) {
if (null != is) {
try {
diff --git
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
index 574fe73..e65d9f3 100644
---
a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
+++
b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/util/CriteriaQueryGenerator.java
@@ -68,7 +68,8 @@ public final class CriteriaQueryGenerator {
public enum AuthorizationTokenType {
RESOURCE, // specifies the resource alias to join on for standard
res-group-role-subject authorization checking
- GROUP; // specifies the group alias to join on for standard group-role-subject
authorization checking
+ GROUP, // specifies the group alias to join on for standard group-role-subject
authorization checking
+ BUNDLE; // specifies the bundle alias to join on for standard
bundle-bundleGroup-role-subject authorization checking
}
private Criteria criteria;
@@ -118,10 +119,13 @@ public final class CriteriaQueryGenerator {
String defaultFragment = null;
if (type == AuthorizationTokenType.RESOURCE) {
defaultFragment = "resource";
+ setAuthorizationResourceFragment(type, defaultFragment, subjectId);
} else if (type == AuthorizationTokenType.GROUP) {
defaultFragment = "group";
+ setAuthorizationResourceFragment(type, defaultFragment, subjectId);
+ } else if (type == AuthorizationTokenType.BUNDLE) {
+ setAuthorizationBundleFragment(subjectId);
}
- setAuthorizationResourceFragment(type, defaultFragment, subjectId);
}
private String fixFilterOverride(String expression, String fieldName) {
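Review bot: With the `else if` chain rewritten this way, a token type that matches none of the three branches is now silently ignored — the previous unconditional `setAuthorizationResourceFragment(type, defaultFragment, subjectId)` call would have reported an unsupported type — so a future enum value would produce an unfiltered query instead of an error, which is fail-open for an authorization filter. A trailing `else { throw new IllegalArgumentException("unsupported authorization token type: " + type); }` keeps the fail-closed behaviour. The enclosing method starts before this hunk.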
@@ -173,9 +177,9 @@ public final class CriteriaQueryGenerator {
+ " does not yet support generating queries for '" + type +
"' token types");
}
- // If the query results are narrowed by requiredParams generate the fragment now.
It's done
+ // If the query results are narrowed by requiredPerms generate the fragment now.
It's done
// here for two reasons. First, it seems to make sense to apply this only when an
authFragment is
- // being used. Second, because ond day the query may be less brute force and may
modify or
+ // being used. Second, because one day the query may be less brute force and may
modify or
// leverage the joinFragment above. But, after extensive trying a more elegant
// query could not be constructed due to Hibernate limitations. So, for now, here
it is...
List<Permission> requiredPerms = this.criteria.getRequiredPermissions();
@@ -230,6 +234,39 @@ public final class CriteriaQueryGenerator {
return customAuthzFragment;
}
+ public void setAuthorizationBundleFragment(int subjectId) {
+ this.authorizationSubjectId = subjectId;
+
+ String fragment = "bundle";
+ String customAuthzFragment = "" //
+ + "( %aliasWithFragment%.id IN ( SELECT %innerAlias%.id " + NL //
+ + " FROM %alias% innerAlias " + NL //
+ + " JOIN %innerAlias%.bundleGroups g JOIN g.roles r
JOIN r.subjects s " + NL //
+ + " WHERE s.id = %subjectId% ) )" + NL; //
+ String aliasReplacement = criteria.getAlias() + (fragment != null ? "."
+ fragment : "");
+ String innerAliasReplacement = "innerAlias" + (fragment != null ?
"." + fragment : "");
+ customAuthzFragment = customAuthzFragment.replace("%alias%",
criteria.getAlias());
+ customAuthzFragment =
customAuthzFragment.replace("%aliasWithFragment%", aliasReplacement);
+ customAuthzFragment = customAuthzFragment.replace("%innerAlias%",
innerAliasReplacement);
+ customAuthzFragment = customAuthzFragment.replace("%subjectId%",
String.valueOf(subjectId));
+
+ // If the query results are narrowed by requiredPerms generate the fragment now.
It's done
+ // here for two reasons. First, it seems to make sense to apply this only when an
authFragment is
+ // being used. Second, because one day the query may be less brute force and may
modify or
+ // leverage the joinFragment above. But, after extensive trying a more elegant
+ // query could not be constructed due to Hibernate limitations. So, for now, here
it is...
+ List<Permission> requiredPerms = this.criteria.getRequiredPermissions();
+ if (!(null == requiredPerms || requiredPerms.isEmpty())) {
+ this.authorizationPermsFragment = "" //
+ + "( SELECT COUNT(DISTINCT p)" + NL //
+ + " FROM Subject innerSubject" + NL //
+ + " JOIN innerSubject.roles r" + NL //
+ + " JOIN r.permissions p" + NL //
+ + " WHERE innerSubject.id = " + this.authorizationSubjectId +
NL //
+ + " AND p IN ( :requiredPerms ) ) = :requiredPermsSize" +
NL;
+ }
+ }
+
public String getParameterReplacedQuery(boolean countQuery) {
String query = getQueryString(countQuery);
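Review bot: `fragment` is hard-coded to `"bundle"` in `setAuthorizationBundleFragment`, so `aliasReplacement` becomes `<alias>.bundle` and `innerAliasReplacement` becomes `innerAlias.bundle`; for a BundleCriteria whose alias already denotes the bundle entity this yields paths like `bundle.bundle.id`, and the only caller in this commit passes `null` as the fragment, which suggests the method should take a nullable `fragment` parameter like `setAuthorizationResourceFragment` does rather than fix it — please confirm against `BundleCriteria.getAlias()`. As written, both `fragment != null` ternaries are dead code. The requiredPerms block and its comment are duplicated verbatim from `setAuthorizationResourceFragment`; extracting them into a private helper such as `buildRequiredPermsFragment()` would keep the two authorization paths from drifting apart.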