org.rhq.enterprise.server.authz
Interface AuthorizationManagerLocal

All Known Implementing Classes:
AuthorizationManagerBean

public interface AuthorizationManagerLocal

A manager that provides methods for checking the current user's JON permissions and for setting permissions on roles.

Author:
Ian Springer, Joseph Marques

Method Summary
 boolean canViewGroup(Subject subject, int groupId)
          Returns true if the current user has some role attached to this group.
 boolean canViewResource(Subject subject, int resourceId)
          Returns true if the current user has some role attached to some group that contains this resource.
 java.util.Set<Permission> getExplicitGlobalPermissions(Subject subject)
          Gets the set of global permissions that the current user explicitly possesses.
 java.util.Set<Permission> getExplicitGroupPermissions(Subject subject, int groupId)
          Gets the set of permissions that the current user explicitly possesses for the specified Group.
 java.util.Set<Permission> getExplicitResourcePermissions(Subject subject, int resourceId)
          Gets the set of permissions that the current user explicitly possesses for the specified Resource.
 java.util.Set<Permission> getImplicitGroupPermissions(Subject subject, int groupId)
          Gets the set of permissions that the current user implicitly possesses for the specified Group.
 java.util.Set<Permission> getImplicitResourcePermissions(Subject subject, int resourceId)
          Gets the set of permissions that the current user implicitly possesses for the specified Resource.
 boolean hasGlobalPermission(Subject subject, Permission permission)
          Returns true if the current user possesses the specified global permission.
 boolean hasGroupPermission(Subject subject, Permission permission, int groupId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups).
 boolean hasResourcePermission(Subject subject, Permission permission, java.util.Collection<java.lang.Integer> resourceIds)
          Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups). NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).
 boolean hasResourcePermission(Subject subject, Permission permission, int resourceId)
          Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups).
 boolean isInventoryManager(Subject subject)
          Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism.
 boolean isOverlord(Subject subject)
          Returns true if and only if the given subject represents the internal overlord subject.
 boolean isSystemSuperuser(Subject subject)
          Returns true if and only if the given subject represents either the initial superuser (e.g. rhqadmin) or the internal overlord subject.
 

Method Detail

canViewResource

boolean canViewResource(Subject subject,
                        int resourceId)
Returns true if the current user has some role attached to some group that contains this resource.

Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
true if the current user has some role attached to some group that contains this resource

canViewGroup

boolean canViewGroup(Subject subject,
                     int groupId)
Returns true if the current user has some role attached to this group.

Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
true if the current user has some role attached to this group

hasResourcePermission

boolean hasResourcePermission(Subject subject,
                              Permission permission,
                              int resourceId)
Returns true if the current user possesses either: 1) the specified resource permission for the specified resource, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups).

Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
resourceId - the id of some Resource to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified resource

hasResourcePermission

boolean hasResourcePermission(Subject subject,
                              Permission permission,
                              java.util.Collection<java.lang.Integer> resourceIds)
Returns true if the current user possesses either: 1) the specified resource permission for *all* of the specified resources, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups).

NOTE: The size of the collection must be less than or equal to 1000 (due to an Oracle limitation).

Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
resourceIds - the ids of some Resources to check permissions against (size of collection must be <= 1000)
Returns:
true if the current user possesses the specified resource permission for all of the specified resources
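
Added example (not part of the RHQ code base): one way a caller can respect the 1000-id limit when it must authorize a larger set of resources, by checking in batches and denying on the first batch that fails. ResourceAuthz is a hypothetical stand-in that mirrors only the hasResourcePermission(subject, permission, resourceIds) signature documented above; the helper name, the fake implementation and the sample ids are constructed for illustration.

```java
import java.util.*;

public class BatchedResourceCheck {
    // Stand-in for the one AuthorizationManagerLocal method used here; S and P
    // take the place of Subject and Permission so the example compiles alone.
    interface ResourceAuthz<S, P> {
        boolean hasResourcePermission(S subject, P permission, Collection<Integer> resourceIds);
    }

    static final int MAX_IDS_PER_CALL = 1000; // limit stated in the Javadoc above

    // True only if every batch passes. Because the documented check is
    // "permission on *all* ids", AND-ing the batches preserves its meaning.
    static <S, P> boolean hasPermissionOnAll(ResourceAuthz<S, P> authz, S subject,
                                             P permission, Collection<Integer> resourceIds) {
        if (resourceIds == null || resourceIds.isEmpty()) {
            return false; // assumption: fail closed rather than rely on empty-input behaviour
        }
        List<Integer> ids = new ArrayList<>(new LinkedHashSet<>(resourceIds)); // drop duplicates
        for (int from = 0; from < ids.size(); from += MAX_IDS_PER_CALL) {
            int to = Math.min(from + MAX_IDS_PER_CALL, ids.size());
            if (!authz.hasResourcePermission(subject, permission, ids.subList(from, to))) {
                return false; // deny on the first failing batch
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed data: the fake grants the permission on ids 1..2500 only.
        Set<Integer> granted = new HashSet<>();
        for (int i = 1; i <= 2500; i++) granted.add(i);
        ResourceAuthz<String, String> fake = (subject, permission, ids) -> {
            if (ids.size() > MAX_IDS_PER_CALL) throw new IllegalArgumentException("too many ids");
            return granted.containsAll(ids);
        };
        List<Integer> request = new ArrayList<>(granted);
        System.out.println(hasPermissionOnAll(fake, "alice", "SAMPLE_PERMISSION", request));
        request.add(9999); // one resource the subject has no permission on
        System.out.println(hasPermissionOnAll(fake, "alice", "SAMPLE_PERMISSION", request));
        System.out.println(hasPermissionOnAll(fake, "alice", "SAMPLE_PERMISSION", List.of()));
    }
}
```

The batches are evaluated as separate calls, so a role change between two calls can be seen by one batch and not the other; callers that need a single consistent decision should run the whole check inside one transaction.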

hasGroupPermission

boolean hasGroupPermission(Subject subject,
                           Permission permission,
                           int groupId)
Returns true if the current user possesses either: 1) the specified resource permission for the specified group, or 2) the global MANAGE_INVENTORY permission which, by definition, gives full access to the inventory (all resources and all groups).

Parameters:
subject - the current subject or caller
permission - a resource permission (i.e. permission.getTarget() == Permission.Target.RESOURCE)
groupId - the id of some Group to check permissions against
Returns:
true if the current user possesses the specified resource permission for the specified group

hasGlobalPermission

boolean hasGlobalPermission(Subject subject,
                            Permission permission)
Returns true if the current user possesses the specified global permission.

Parameters:
subject - the current subject or caller
permission - a global permission (i.e. permission.getTarget() == Permission.Target.GLOBAL)
Returns:
true if the current user possesses the specified global permission

getExplicitResourcePermissions

java.util.Set<Permission> getExplicitResourcePermissions(Subject subject,
                                                         int resourceId)
Gets the set of permissions that the current user explicitly possesses for the specified Resource.

Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
the set of permissions that the current user possesses for the specified Resource

getImplicitResourcePermissions

java.util.Set<Permission> getImplicitResourcePermissions(Subject subject,
                                                         int resourceId)
Gets the set of permissions that the current user implicitly possesses for the specified Resource.

Parameters:
subject - the current subject or caller
resourceId - the id of some Resource to check permissions against
Returns:
the set of permissions that the current user implicitly possesses for the specified Resource

getExplicitGroupPermissions

java.util.Set<Permission> getExplicitGroupPermissions(Subject subject,
                                                      int groupId)
Gets the set of permissions that the current user explicitly possesses for the specified Group.

Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
the set of permissions that the current user explicitly possesses for the specified Group

getImplicitGroupPermissions

java.util.Set<Permission> getImplicitGroupPermissions(Subject subject,
                                                      int groupId)
Gets the set of permissions that the current user implicitly possesses for the specified Group.

Parameters:
subject - the current subject or caller
groupId - the id of some Group to check permissions against
Returns:
the set of permissions that the current user implicitly possesses for the specified Group

isInventoryManager

boolean isInventoryManager(Subject subject)
Returns whether the subject can manage all resources and all groups in the system, without having to filter operations through the subject-role-group-resource authorization mechanism.

Parameters:
subject - the current subject or caller
Returns:
whether this subject has full control over resources and groups

getExplicitGlobalPermissions

java.util.Set<Permission> getExplicitGlobalPermissions(Subject subject)
Gets the set of global permissions that the current user explicitly possesses.

Parameters:
subject - the current subject or caller
Returns:
the set of global permissions that the current user possesses

isSystemSuperuser

boolean isSystemSuperuser(Subject subject)
Returns true if and only if the given subject represents either the initial superuser (e.g. rhqadmin) or the internal overlord subject. These are known as the "system superusers".

Parameters:
subject -
Returns:
true if the given subject is considered one of the built-in system superusers

isOverlord

boolean isOverlord(Subject subject)
Returns true if and only if the given subject represents the internal overlord subject.

Parameters:
subject -
Returns:
true if the given subject is considered the overlord subject


Copyright © 2008-2009 Red Hat, Inc. All Rights Reserved.