org.rhq.enterprise.server.authz
Class AuthorizationManagerBean

java.lang.Object
  extended by org.rhq.enterprise.server.authz.AuthorizationManagerBean
All Implemented Interfaces:
AuthorizationManagerLocal

public class AuthorizationManagerBean
extends java.lang.Object
implements AuthorizationManagerLocal

Author:
Joseph Marques

Constructor Summary
AuthorizationManagerBean()
           
 
Method Summary
 boolean canViewGroup(Subject subject, int groupId)
          Returns true if the current user has some role attached to this group.
 boolean canViewResource(Subject subject, int resourceId)
          Returns true if the current user has some role attached to some group that contains this resource.
 java.util.Set<Permission> getExplicitGlobalPermissions(Subject subject)
          Gets the set of global permissions that the current user explicitly possesses.
 java.util.Set<Permission> getExplicitGroupPermissions(Subject subject, int groupId)
          Gets the set of permissions that the current user explicitly possesses for the specified Group.
 java.util.Set<Permission> getExplicitResourcePermissions(Subject subject, int resourceId)
          Gets the set of permissions that the current user explicitly possesses for the specified Resource.
 java.util.Set<Permission> getImplicitGroupPermissions(Subject subject, int groupId)
          Gets the set of permissions that the current user implicitly possesses for the specified Group.
 java.util.Set<Permission> getImplicitResourcePermissions(Subject subject, int resourceId)
          Gets the set of permissions that the current user implicitly possesses for the specified Resource.
 boolean hasGlobalPermission(Subject subject, Permission permission)
          Returns true if the current user possesses the specified global permission.
 boolean hasGroupPermission(Subject subject, Permission permission, int groupId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups).
 boolean hasResourcePermission(Subject subject, Permission permission, java.util.Collection<java.lang.Integer> resourceIds)
          Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups). NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).
 boolean hasResourcePermission(Subject subject, Permission permission, int resourceId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups).
 boolean isInventoryManager(Subject subject)
          Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism.
 boolean isOverlord(Subject subject)
          Returns true if and only if the given subject represents the internal overlord subject.
 boolean isSystemSuperuser(Subject subject)
          Returns true if and only if the given subject represents either the initial superuser (e.g. rhqadmin) or the internal overlord subject.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AuthorizationManagerBean

public AuthorizationManagerBean()
Method Detail

getExplicitGlobalPermissions

public java.util.Set<Permission> getExplicitGlobalPermissions(Subject subject)
Description copied from interface: AuthorizationManagerLocal
Gets the set of global permissions that the current user explicitly possesses.

Specified by:
getExplicitGlobalPermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
Returns:
the set of global permissions that the current user possesses

getExplicitGroupPermissions

public java.util.Set<Permission> getExplicitGroupPermissions(Subject subject,
                                                             int groupId)
Description copied from interface: AuthorizationManagerLocal
Gets the set of permissions that the current user explicitly possesses for the specified Group.

Specified by:
getExplicitGroupPermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
the set of permissions that the current user explicitly possesses for the specified Group

getImplicitGroupPermissions

public java.util.Set<Permission> getImplicitGroupPermissions(Subject subject,
                                                             int groupId)
Description copied from interface: AuthorizationManagerLocal
Gets the set of permissions that the current user implicitly possesses for the specified Group.

Specified by:
getImplicitGroupPermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
the set of permissions that the current user implicitly possesses for the specified Group

getExplicitResourcePermissions

public java.util.Set<Permission> getExplicitResourcePermissions(Subject subject,
                                                                int resourceId)
Description copied from interface: AuthorizationManagerLocal
Gets the set of permissions that the current user explicitly possesses for the specified Resource.

Specified by:
getExplicitResourcePermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
the set of permissions that the current user possesses for the specified Resource

getImplicitResourcePermissions

public java.util.Set<Permission> getImplicitResourcePermissions(Subject subject,
                                                                int resourceId)
Description copied from interface: AuthorizationManagerLocal
Gets the set of permissions that the current user implicitly possesses for the specified Resource.

Specified by:
getImplicitResourcePermissions in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
the set of permissions that the current user implicitly possesses for the specified Resource

hasGlobalPermission

public boolean hasGlobalPermission(Subject subject,
                                   Permission permission)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user possesses the specified global permission.

Specified by:
hasGlobalPermission in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
permission - a global permission (i.e. permission.getTarget() == Permission.Target.GLOBAL)
Returns:
true if the current user possesses the specified global permission

hasGroupPermission

public boolean hasGroupPermission(Subject subject,
                                  Permission permission,
                                  int groupId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups).

Specified by:
hasGroupPermission in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
groupId - the id of some Group to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified group

hasResourcePermission

public boolean hasResourcePermission(Subject subject,
                                     Permission permission,
                                     int resourceId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups).

Specified by:
hasResourcePermission in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
resourceId - the id of some Resource to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified resource

canViewResource

public boolean canViewResource(Subject subject,
                               int resourceId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user has some role attached to some group that contains this resource.

Specified by:
canViewResource in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
true if the current user has some role attached to some group that contains this resource

canViewGroup

public boolean canViewGroup(Subject subject,
                            int groupId)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user has some role attached to this group.

Specified by:
canViewGroup in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
true if the current user has some role attached to this group

isInventoryManager

public boolean isInventoryManager(Subject subject)
Description copied from interface: AuthorizationManagerLocal
Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism.

Specified by:
isInventoryManager in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
Returns:
whether this subject has full control over resources and groups

hasResourcePermission

public boolean hasResourcePermission(Subject subject,
                                     Permission permission,
                                     java.util.Collection<java.lang.Integer> resourceIds)
Description copied from interface: AuthorizationManagerLocal
Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups). NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).

Specified by:
hasResourcePermission in interface AuthorizationManagerLocal
Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
resourceIds - the ids of some Resources to check permissions against (size of collection must be <= 1000)
Returns:
true if the current user possesses the specified resource permission for all of the specified resources
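
The following is an added example, not code from the RHQ project: one way a caller can keep the "*all* of the specified resources" semantics when it has more than 1000 ids, by splitting them into batches and denying as soon as any batch fails. The `BatchCheck` interface, the class name and the sample data are hypothetical; in real use the lambda would delegate to `hasResourcePermission(subject, permission, ids)`.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class BatchedResourcePermissionCheck {
    /** Documented upper bound on the size of the resourceIds collection. */
    static final int MAX_IDS_PER_CALL = 1000;

    /** Hypothetical stand-in for a bound call to hasResourcePermission(subject, permission, ids). */
    interface BatchCheck {
        boolean hasPermissionOnAll(Collection<Integer> resourceIds);
    }

    /** True only if every batch passes; denies on the first failing batch. */
    static boolean hasPermissionOnAll(BatchCheck check, Collection<Integer> resourceIds) {
        if (resourceIds == null || resourceIds.isEmpty()) {
            return false; // assumption: fail closed instead of treating "no ids" as authorized
        }
        // De-duplicate so repeated ids do not inflate the number of batches.
        List<Integer> ids = new ArrayList<>(new TreeSet<>(resourceIds));
        for (int from = 0; from < ids.size(); from += MAX_IDS_PER_CALL) {
            int to = Math.min(from + MAX_IDS_PER_CALL, ids.size());
            if (!check.hasPermissionOnAll(ids.subList(from, to))) {
                return false; // one unauthorized resource denies the whole request
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample data: the caller holds the permission on ids 1..2500 only.
        Set<Integer> granted = new TreeSet<>();
        for (int i = 1; i <= 2500; i++) granted.add(i);
        // Fake checker that enforces the documented size limit like the real call would.
        BatchCheck fake = ids -> {
            if (ids.size() > MAX_IDS_PER_CALL) throw new IllegalArgumentException("too many ids");
            return granted.containsAll(ids);
        };
        List<Integer> requested = new ArrayList<>(granted);
        System.out.println("all granted ids: " + hasPermissionOnAll(fake, requested));
        requested.add(9999); // an id outside the granted set
        System.out.println("with extra id:   " + hasPermissionOnAll(fake, requested));
    }
}
```

The batches are checked in separate calls, so the combined result is not a single atomic snapshot; run the check and the guarded operation in the same transaction where that matters.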

isSystemSuperuser

public boolean isSystemSuperuser(Subject subject)
Description copied from interface: AuthorizationManagerLocal
Returns true if and only if the given subject represents either the initial superuser (e.g. rhqadmin) or the internal overlord subject. These are known as the "system superusers".

Specified by:
isSystemSuperuser in interface AuthorizationManagerLocal
Returns:
true if the given subject is considered one of the built-in system superusers

isOverlord

public boolean isOverlord(Subject subject)
Description copied from interface: AuthorizationManagerLocal
Returns true if and only if the given subject represents the internal overlord subject.

Specified by:
isOverlord in interface AuthorizationManagerLocal
Returns:
true if the given subject is considered the overlord subject


Copyright © 2008-2009 Red Hat, Inc. All Rights Reserved.