Unverified Commit 78654220 authored by Fabien Viale's avatar Fabien Viale Committed by GitHub
Browse files

Merge pull request #3787 from fviale/master

PCA permissions
parents b67f2c8d be40d471
/*
* ProActive Parallel Suite(TM):
* The Open Source library for parallel and distributed
* Workflows & Scheduling, Orchestration, Cloud Automation
* and Big Data Analysis on Enterprise Grids & Clouds.
*
* Copyright (c) 2007 - 2017 ActiveEon
* Contact: contact@activeeon.com
*
* This library is free software: you can redistribute it and/or
* modify it under the terms of the GNU Affero General Public License
* as published by the Free Software Foundation: version 3 of
* the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* If needed, contact us to obtain a release under GPL Version 2 or 3
* or a different license than the AGPL.
*/
package org.ow2.proactive.permissions;
import org.ow2.proactive.policy.ClientsPolicy;
/**
* The NotificationAdminPermission is a permission that allows managing subscriptions inside the notification service.
* @see ClientsPolicy
*/
public class PcaAdminPermission extends ClientPermission {
// This serial version uid is meant to prevent issues when restoring Resource Manager database from a previous version.
// any addition to this class (new method, field, etc) should imply to change this uid.
private static final long serialVersionUID = 1L;
}
......@@ -107,6 +107,10 @@ grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getExistingNodeSourcesList";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getCurrentUserData";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.setNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.removeNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.addNodeToken";
// AuthPermission is requires for those who would like to access any mbean
permission javax.security.auth.AuthPermission "getSubject";
......@@ -170,6 +174,7 @@ grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "
permission java.sql.SQLPermission "callAbort";
permission java.sql.SQLPermission "setSyncFactory";
permission java.sql.SQLPermission "setNetworkTimeout";
};
......@@ -179,6 +184,7 @@ grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.addNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.removeNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.setNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.setNeededNodes";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getAtMostNodes";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodes";
......@@ -238,9 +244,11 @@ grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "
// Members of "nsadmins" can create/remove node sources (according to their policies)
grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "nsadmins" {
permission org.ow2.proactive_grid_cloud_portal.common.PortalAccessPermission "rm";
permission org.ow2.proactive.permissions.PcaAdminPermission;
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.addNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.removeNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.setNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.setNeededNodes";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getAtMostNodes";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodes";
......@@ -311,6 +319,8 @@ grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "
grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "rmcoreadmins" {
permission org.ow2.proactive_grid_cloud_portal.common.PortalAccessPermission "rm";
permission org.ow2.proactive.permissions.PcaAdminPermission;
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.*";
permission org.ow2.proactive.permissions.RMCoreAllPermission;
......@@ -341,8 +351,8 @@ grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "
// Members of "scheduleradmins" can call any method of the scheduler
grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "scheduleradmins" {
permission org.ow2.proactive_grid_cloud_portal.common.PortalAccessPermission "*";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodeTokens";
permission org.ow2.proactive.permissions.PcaAdminPermission;
// Notification service administrator permission
permission org.ow2.proactive.permissions.NotificationAdminPermission;
......@@ -356,6 +366,10 @@ grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "
permission org.ow2.proactive.scheduler.permissions.ChangePolicyPermission;
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.scheduler.core.SchedulerFrontend.*";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.addNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.removeNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.setNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.setNeededNodes";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getAtMostNodes";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodes";
......@@ -442,6 +456,9 @@ grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "
permission org.ow2.proactive_grid_cloud_portal.common.PortalAccessPermission "studio,catalog-portal,workflow-automation,cloud-automation,job-analytics,job-gantt,notification-portal";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.addNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.removeNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.setNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodesList";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getAtMostNodes";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodes";
......@@ -515,6 +532,9 @@ grant principal org.ow2.proactive.authentication.principals.GroupNamePrincipal "
permission org.ow2.proactive_grid_cloud_portal.common.PortalAccessPermission "studio,scheduler,catalog-portal,workflow-automation,cloud-automation,job-analytics,job-gantt,job-planner-calendar-def,job-planner-calendar-def-workflows,job-planner-execution-planning,job-planner-gantt-chart,notification-portal";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.addNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.removeNodeToken";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.setNodeTokens";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodesList";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getAtMostNodes";
permission org.ow2.proactive.permissions.MethodCallPermission "org.ow2.proactive.resourcemanager.core.RMCore.getNodes";
......
......@@ -173,4 +173,15 @@ public interface CommonRestInterface {
@Path("permissions/notification-service/admin")
boolean checkSubscriptionAdmin(@HeaderParam("sessionid") String sessionId) throws RestException;
/**
* Check if a user has admin privilege in cloud automation service.
*
* @param sessionId id of a session
* @return true if the user has the correct rights
* @throws RestException if an error occurs or the session is invalid
*/
@GET
@Path("permissions/cloud-automation-service/admin")
boolean checkPcaAdmin(@HeaderParam("sessionid") String sessionId) throws RestException;
}
......@@ -37,6 +37,7 @@ import javax.security.auth.login.LoginException;
import org.apache.log4j.Logger;
import org.ow2.proactive.authentication.UserData;
import org.ow2.proactive.permissions.NotificationAdminPermission;
import org.ow2.proactive.permissions.PcaAdminPermission;
import org.ow2.proactive.scheduler.common.Scheduler;
import org.ow2.proactive.scheduler.common.exception.NotConnectedException;
import org.ow2.proactive.scheduler.common.exception.PermissionException;
......@@ -163,6 +164,21 @@ public class CommonRest implements CommonRestInterface {
}
}
@Override
public boolean checkPcaAdmin(String sessionId) throws NotConnectedRestException {
Scheduler scheduler = checkAccess(sessionId);
try {
return checkPermission(scheduler.getSubject(),
new PcaAdminPermission(),
"User does not have cloud automation service administrator privilege");
} catch (PermissionException e) {
return false;
} catch (NotConnectedException e) {
throw new NotConnectedRestException(YOU_ARE_NOT_CONNECTED_TO_THE_SCHEDULER_YOU_SHOULD_LOG_ON_FIRST);
}
}
/**
* the method check if the session id is valid i.e. a scheduler client is
* associated to the session id in the session map. If not, a
......
......@@ -3114,7 +3114,12 @@ public class RMCore implements ResourceManager, InitActive, RunActive {
}
if (allNodes.containsKey(nodeUrl)) {
RMNode rmNode = allNodes.get(nodeUrl);
checkNodeAdminPermission(rmNode, caller);
if (rmNode.isBusy() && rmNode.getOwner() != null && rmNode.getOwner().equals(getCurrentUser())) {
// current user has the right to add a token to reserve it for further usage
} else {
// if not, check that the request initiator is a node administrator
checkNodeAdminPermission(rmNode, caller);
}
rmNode.addToken(token);
persistUpdatedRMNodeIfRecoveryEnabled(rmNode);
......@@ -3143,7 +3148,11 @@ public class RMCore implements ResourceManager, InitActive, RunActive {
}
if (allNodes.containsKey(nodeUrl)) {
RMNode rmNode = allNodes.get(nodeUrl);
checkNodeAdminPermission(rmNode, caller);
if (rmNode.isBusy() && rmNode.getOwner() != null && rmNode.getOwner().equals(getCurrentUser())) {
// current user has the right to add a token to reserve it for further usage
} else {
checkNodeAdminPermission(rmNode, caller);
}
rmNode.removeToken(token);
persistUpdatedRMNodeIfRecoveryEnabled(rmNode);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment