List of usage examples for org.springframework.security.acls.domain.PrincipalSid (constructor PrincipalSid)
public PrincipalSid(Authentication authentication)
From source file:org.apache.kylin.rest.service.AccessService.java
/**
 * Builds the Spring Security {@link Sid} that names an ACL subject.
 *
 * <p>The same stored name is wrapped either as a user principal or as a granted
 * authority; the flag decides which, since the string alone cannot. Both Spring
 * constructors reject a blank name (Assert.hasText), so an empty {@code sid} fails here.
 *
 * @param sid         the principal name or granted-authority name as stored in the ACL
 * @param isPrincepal {@code true} for a {@link PrincipalSid}, {@code false} for a
 *                    {@link GrantedAuthoritySid}
 * @return the corresponding Sid
 */
public Sid getSid(String sid, boolean isPrincepal) {
    return isPrincepal ? new PrincipalSid(sid) : new GrantedAuthoritySid(sid);
}
From source file:org.apache.kylin.rest.service.AclService.java
/**
 * Loads the ACL stored for each identity in {@code oids} from the ACL HBase table.
 *
 * <p>Each identity maps to the row keyed by its identifier. From that row the method
 * reads the owner (a serialized {@code SidInfo}), the entries-inheriting flag and an
 * optional parent reference; a referenced parent is loaded recursively through
 * {@link #readAclById(ObjectIdentity, List)} without a sid filter, and the ACEs are
 * filled in by {@code genAces} (restricted to {@code sids} when that is non-null).
 *
 * @param oids identities whose ACLs are wanted; every one of them must have a row
 * @param sids subjects to restrict the loaded ACEs to, or {@code null} for all entries
 * @return a map from each requested identity to its ACL
 * @throws NotFoundException if any identity has no row, or an empty row, in the table
 * @throws RuntimeException  wrapping any {@link IOException} raised by HBase or by
 *                           deserialization
 */
@Override
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> oids, List<Sid> sids) throws NotFoundException {
    Map<ObjectIdentity, Acl> loaded = new HashMap<ObjectIdentity, Acl>();
    byte[] infoFamily = Bytes.toBytes(AclHBaseStorage.ACL_INFO_FAMILY);
    HTableInterface table = null;
    try {
        table = aclHBaseStorage.getTable(aclTableName);
        for (ObjectIdentity oid : oids) {
            byte[] rowKey = Bytes.toBytes(String.valueOf(oid.getIdentifier()));
            Result row = table.get(new Get(rowKey));
            if (row == null || row.isEmpty()) {
                throw new NotFoundException("Unable to find ACL information for object identity '" + oid + "'");
            }
            // Owner column: absent owner information yields a null owner Sid.
            SidInfo ownerInfo = sidSerializer
                    .deserialize(row.getValue(infoFamily, Bytes.toBytes(ACL_INFO_FAMILY_OWNER_COLUMN)));
            Sid ownerSid;
            if (ownerInfo == null) {
                ownerSid = null;
            } else if (ownerInfo.isPrincipal()) {
                ownerSid = new PrincipalSid(ownerInfo.getSid());
            } else {
                ownerSid = new GrantedAuthoritySid(ownerInfo.getSid());
            }
            // Inherit flag: a missing column is not defaulted here, the conversion fails instead.
            boolean entriesInheriting = Bytes
                    .toBoolean(row.getValue(infoFamily, Bytes.toBytes(ACL_INFO_FAMILY_ENTRY_INHERIT_COLUMN)));
            // Optional parent reference, resolved recursively with no sid filter.
            Acl parentAcl = null;
            DomainObjectInfo parentInfo = domainObjSerializer
                    .deserialize(row.getValue(infoFamily, Bytes.toBytes(ACL_INFO_FAMILY_PARENT_COLUMN)));
            if (parentInfo != null) {
                parentAcl = readAclById(new ObjectIdentityImpl(parentInfo.getType(), parentInfo.getId()), null);
            }
            AclImpl acl = new AclImpl(oid, oid.getIdentifier(), aclAuthorizationStrategy, permissionGrantingStrategy,
                    parentAcl, null, entriesInheriting, ownerSid);
            genAces(sids, row, acl);
            loaded.put(oid, acl);
        }
    } catch (IOException e) {
        throw new RuntimeException(e.getMessage(), e);
    } finally {
        IOUtils.closeQuietly(table);
    }
    return loaded;
}
From source file:org.apache.kylin.rest.service.AclService.java
/**
 * Creates an empty ACL row for {@code objectIdentity}, owned by the currently
 * authenticated principal, and returns the ACL as re-read from the table.
 *
 * <p>The row stores the identity's type, the owner as a serialized {@code SidInfo}
 * and an entries-inheriting flag of {@code true}; no ACEs are written here.
 *
 * @param objectIdentity the domain object identity to protect
 * @return the freshly stored ACL, loaded through {@code readAclById}
 * @throws AlreadyExistsException if an ACL for the identity is already stored
 * @throws RuntimeException       wrapping any {@link IOException} from HBase
 */
@Override
public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
    // Existence check: readAclById signals "absent" with NotFoundException, which is
    // the expected path for a new identity, so that exception is deliberately swallowed.
    Acl existing;
    try {
        existing = readAclById(objectIdentity);
    } catch (NotFoundException notYetStored) {
        existing = null;
    }
    if (existing != null) {
        throw new AlreadyExistsException("ACL of " + objectIdentity + " exists!");
    }
    // NOTE(review): the check above and the put below are not one atomic step; two
    // concurrent creators of the same identity could both pass the check - confirm
    // whether callers serialize this.
    // Owner comes from the security context; PrincipalSid(Authentication) asserts non-null.
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    PrincipalSid owner = new PrincipalSid(auth);
    byte[] infoFamily = Bytes.toBytes(AclHBaseStorage.ACL_INFO_FAMILY);
    HTableInterface table = null;
    try {
        table = aclHBaseStorage.getTable(aclTableName);
        Put row = new Put(Bytes.toBytes(String.valueOf(objectIdentity.getIdentifier())));
        row.add(infoFamily, Bytes.toBytes(ACL_INFO_FAMILY_TYPE_COLUMN), Bytes.toBytes(objectIdentity.getType()));
        row.add(infoFamily, Bytes.toBytes(ACL_INFO_FAMILY_OWNER_COLUMN), sidSerializer.serialize(new SidInfo(owner)));
        row.add(infoFamily, Bytes.toBytes(ACL_INFO_FAMILY_ENTRY_INHERIT_COLUMN), Bytes.toBytes(true));
        table.put(row);
        table.flushCommits();
        logger.debug("ACL of " + objectIdentity + " created successfully.");
    } catch (IOException e) {
        throw new RuntimeException(e.getMessage(), e);
    } finally {
        IOUtils.closeQuietly(table);
    }
    return (MutableAcl) readAclById(objectIdentity);
}
From source file:org.apache.kylin.rest.service.AclService.java
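/**
 * Rebuilds the ACEs of {@code acl} from the ACE column family of an ACL row.
 *
 * <p>When {@code sids} is given, only the columns named after those subjects are read
 * (the qualifier is the principal name or the granted-authority name); otherwise every
 * column of the family is read. Each stored entry becomes a granting
 * {@link AccessControlEntryImpl} whose id is its position in the rebuilt list and whose
 * permission is built from the stored mask; the list is installed with {@code setAces}.
 *
 * <p>Sids that are neither {@link PrincipalSid} nor {@link GrantedAuthoritySid} have no
 * column in this table and are skipped (previously a null qualifier reached
 * {@code Bytes.toBytes}); an entry without subject information is skipped as well,
 * which is fail-closed because every entry built here is a grant.
 *
 * @param sids   subjects to restrict the entries to, or {@code null} for all entries
 * @param result the HBase row of the ACL
 * @param acl    the ACL receiving the entries
 * @throws IOException if an entry cannot be deserialized
 */
private void genAces(List<Sid> sids, Result result, AclImpl acl)
        throws JsonParseException, JsonMappingException, IOException {
    byte[] acesFamily = Bytes.toBytes(AclHBaseStorage.ACL_ACES_FAMILY);
    List<AceInfo> aceInfos = new ArrayList<AceInfo>();
    if (sids != null) {
        // Just the entries for the requested subjects.
        for (Sid sid : sids) {
            String qualifier = sidColumnName(sid);
            if (qualifier == null) {
                continue; // no column can exist for a Sid type we do not store
            }
            AceInfo aceInfo = aceSerializer.deserialize(result.getValue(acesFamily, Bytes.toBytes(qualifier)));
            if (aceInfo != null) {
                aceInfos.add(aceInfo);
            }
        }
    } else {
        NavigableMap<byte[], byte[]> familyMap = result.getFamilyMap(acesFamily);
        // getFamilyMap yields null for an empty row; guard rather than fail.
        if (familyMap != null) {
            for (byte[] serialized : familyMap.values()) {
                AceInfo aceInfo = aceSerializer.deserialize(serialized);
                if (aceInfo != null) {
                    aceInfos.add(aceInfo);
                }
            }
        }
    }
    List<AccessControlEntry> newAces = new ArrayList<AccessControlEntry>(aceInfos.size());
    for (int i = 0; i < aceInfos.size(); i++) {
        AceInfo aceInfo = aceInfos.get(i);
        SidInfo subject = aceInfo.getSidInfo();
        if (subject == null) {
            continue; // an entry with no subject grants nothing to anyone
        }
        Sid sid = subject.isPrincipal() ? new PrincipalSid(subject.getSid())
                : new GrantedAuthoritySid(subject.getSid());
        // id = position in the list; granting = true; no success/failure auditing.
        newAces.add(new AccessControlEntryImpl(Long.valueOf(i), acl, sid,
                aclPermissionFactory.buildFromMask(aceInfo.getPermissionMask()), true, false, false));
    }
    this.setAces(acl, newAces);
}

/**
 * Column qualifier under which the ACE for {@code sid} is stored, or {@code null} when
 * {@code sid} is not a principal or granted-authority Sid.
 */
private static String sidColumnName(Sid sid) {
    if (sid instanceof PrincipalSid) {
        return ((PrincipalSid) sid).getPrincipal();
    }
    if (sid instanceof GrantedAuthoritySid) {
        return ((GrantedAuthoritySid) sid).getGrantedAuthority();
    }
    return null;
}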
From source file:org.apache.kylin.rest.service.LegacyAclService.java
/**
 * Loads the ACL stored for each identity in {@code oids} from the ACL HBase table.
 *
 * <p>For every identity the row keyed by its identifier supplies the owner (a
 * serialized {@code SidInfo}), the entries-inheriting flag and an optional parent
 * reference. A parent is resolved recursively through
 * {@link #readAclById(ObjectIdentity, List)} without a sid filter, and the ACEs are
 * added by {@code genAces}, limited to {@code sids} when that is non-null.
 *
 * @param oids identities whose ACLs are wanted; each must have a non-empty row
 * @param sids subjects to restrict the loaded ACEs to, or {@code null} for all entries
 * @return a map from each requested identity to its ACL
 * @throws NotFoundException if any identity has no row, or an empty row, in the table
 * @throws RuntimeException  wrapping any {@link IOException} from HBase or deserialization
 */
@Override
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> oids, List<Sid> sids) throws NotFoundException {
    Map<ObjectIdentity, Acl> aclsByIdentity = new HashMap<ObjectIdentity, Acl>();
    byte[] family = Bytes.toBytes(AclHBaseStorage.ACL_INFO_FAMILY);
    byte[] ownerQualifier = Bytes.toBytes(ACL_INFO_FAMILY_OWNER_COLUMN);
    byte[] inheritQualifier = Bytes.toBytes(ACL_INFO_FAMILY_ENTRY_INHERIT_COLUMN);
    byte[] parentQualifier = Bytes.toBytes(ACL_INFO_FAMILY_PARENT_COLUMN);
    Table aclTable = null;
    try {
        aclTable = aclHBaseStorage.getTable(aclTableName);
        for (ObjectIdentity oid : oids) {
            Result row = aclTable.get(new Get(Bytes.toBytes(String.valueOf(oid.getIdentifier()))));
            if (row == null || row.isEmpty()) {
                throw new NotFoundException("Unable to find ACL information for object identity '" + oid + "'");
            }
            SidInfo ownerInfo = sidSerializer.deserialize(row.getValue(family, ownerQualifier));
            // No owner information stored -> null owner.
            Sid owner = null;
            if (ownerInfo != null) {
                owner = ownerInfo.isPrincipal() ? new PrincipalSid(ownerInfo.getSid())
                        : new GrantedAuthoritySid(ownerInfo.getSid());
            }
            // The inherit column is required; a missing value is not defaulted here.
            boolean inherits = Bytes.toBoolean(row.getValue(family, inheritQualifier));
            DomainObjectInfo parentInfo = domainObjSerializer.deserialize(row.getValue(family, parentQualifier));
            Acl parent = null;
            if (parentInfo != null) {
                ObjectIdentity parentIdentity = new ObjectIdentityImpl(parentInfo.getType(), parentInfo.getId());
                parent = readAclById(parentIdentity, null);
            }
            AclImpl acl = new AclImpl(oid, oid.getIdentifier(), aclAuthorizationStrategy, permissionGrantingStrategy,
                    parent, null, inherits, owner);
            genAces(sids, row, acl);
            aclsByIdentity.put(oid, acl);
        }
    } catch (IOException e) {
        throw new RuntimeException(e.getMessage(), e);
    } finally {
        IOUtils.closeQuietly(aclTable);
    }
    return aclsByIdentity;
}
From source file:org.apache.kylin.rest.service.LegacyAclService.java
/**
 * Creates an empty ACL row for {@code objectIdentity}, owned by the currently
 * authenticated principal, and returns the ACL as re-read from the table.
 *
 * <p>The row holds the identity's type, the owner as a serialized {@code SidInfo} and
 * an entries-inheriting flag of {@code true}; ACEs are added later by other calls.
 *
 * @param objectIdentity the domain object identity to protect
 * @return the stored ACL, loaded through {@code readAclById}
 * @throws AlreadyExistsException if an ACL for the identity is already stored
 * @throws RuntimeException       wrapping any {@link IOException} from HBase
 */
@Override
public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
    Acl alreadyStored = null;
    try {
        alreadyStored = readAclById(objectIdentity);
    } catch (NotFoundException expected) {
        // No ACL yet: the normal path for a new identity, nothing to do.
    }
    if (alreadyStored != null) {
        throw new AlreadyExistsException("ACL of " + objectIdentity + " exists!");
    }
    // NOTE(review): read-then-put is not atomic; concurrent createAcl calls for the same
    // identity could both pass the check above - confirm callers serialize this.
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    PrincipalSid owner = new PrincipalSid(auth); // asserts a non-null authentication
    byte[] infoFamily = Bytes.toBytes(AclHBaseStorage.ACL_INFO_FAMILY);
    Table aclTable = null;
    try {
        aclTable = aclHBaseStorage.getTable(aclTableName);
        Put newRow = new Put(Bytes.toBytes(String.valueOf(objectIdentity.getIdentifier())));
        newRow.addColumn(infoFamily, Bytes.toBytes(ACL_INFO_FAMILY_TYPE_COLUMN),
                Bytes.toBytes(objectIdentity.getType()));
        newRow.addColumn(infoFamily, Bytes.toBytes(ACL_INFO_FAMILY_OWNER_COLUMN),
                sidSerializer.serialize(new SidInfo(owner)));
        newRow.addColumn(infoFamily, Bytes.toBytes(ACL_INFO_FAMILY_ENTRY_INHERIT_COLUMN), Bytes.toBytes(true));
        aclTable.put(newRow);
        logger.debug("ACL of " + objectIdentity + " created successfully.");
    } catch (IOException e) {
        throw new RuntimeException(e.getMessage(), e);
    } finally {
        IOUtils.closeQuietly(aclTable);
    }
    return (MutableAcl) readAclById(objectIdentity);
}
From source file:org.opennaas.core.security.acl.ACLManager.java
/**
 * Registers every configured user as a principal Sid in the ACL store.
 *
 * <p>Reads the users property file, takes the user count from the property named
 * {@code usersPropertiesUsersPrefix + usersPropertiesUsersSize}, and for each index
 * {@code 0..count-1} inserts the user named by {@code usersPropertiesUsersPrefix + index};
 * indices with no property are skipped.
 *
 * @throws IOException           if the property file cannot be read
 * @throws NumberFormatException if the size property is missing or not an integer
 */
private void initializeUsers() throws IOException, NumberFormatException {
    Properties users = getProperties(usersPropertiesFile);
    String sizeKey = usersPropertiesUsersPrefix + usersPropertiesUsersSize;
    int count = Integer.parseInt(users.getProperty(sizeKey));
    for (int index = 0; index < count; index++) {
        String userName = users.getProperty(usersPropertiesUsersPrefix + index);
        if (userName == null) {
            continue; // gap in the numbering: nothing to register
        }
        insertAclSid(index, true, new PrincipalSid(userName));
    }
}
From source file:org.opennaas.core.security.acl.ACLManager.java
/**
 * Grants {@code user} READ on the resource identified by {@code resourceId}.
 *
 * <p>The resource id is first mapped to its secure id by {@code ResourceIdToSecureId};
 * the user is wrapped as a {@link PrincipalSid}, so the permission is bound to that
 * principal name, not to a granted authority.
 *
 * @param resourceId the resource to protect
 * @param user       the principal name that receives the READ permission
 */
@Override public void secureResource(String resourceId, String user) { insertAcl(ResourceIdToSecureId(resourceId), new PrincipalSid(user), BasePermission.READ); }
From source file:org.springframework.security.acls.cassandra.CassandraMutableAclService.java
/**
 * Creates a new ACL for {@code objectIdentity} owned by the current principal and
 * returns it as loaded back through {@code readAclById}.
 *
 * <p>The new ACL object identity records the owner as a principal and starts with
 * entries-inheriting set to {@code false}. An {@code AclAlreadyExistsException} from the
 * repository is translated to Spring's {@link AlreadyExistsException}, keeping the cause.
 *
 * @param objectIdentity the domain object identity to protect; must not be null
 * @return the stored ACL, which must be a {@link MutableAcl}
 * @throws AlreadyExistsException if the repository already holds an ACL for the identity
 */
public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
    Assert.notNull(objectIdentity, "Object Identity required");
    boolean debug = LOG.isDebugEnabled();
    if (debug) {
        LOG.debug("BEGIN createAcl: objectIdentity: " + objectIdentity);
    }
    // The creator becomes the owner; ownership can be transferred later on.
    Authentication currentAuth = SecurityContextHolder.getContext().getAuthentication();
    PrincipalSid owner = new PrincipalSid(currentAuth);
    AclObjectIdentity aclIdentity = new AclObjectIdentity(objectIdentity);
    aclIdentity.setOwnerId(owner.getPrincipal());
    aclIdentity.setOwnerPrincipal(true);
    aclIdentity.setEntriesInheriting(false);
    try {
        aclRepository.saveAcl(aclIdentity);
    } catch (AclAlreadyExistsException e) {
        throw new AlreadyExistsException(e.getMessage(), e);
    }
    // Read back through the superclass path (cache registration, proper retrieval).
    Acl stored = readAclById(objectIdentity);
    Assert.isInstanceOf(MutableAcl.class, stored, "MutableAcl should be been returned");
    if (debug) {
        LOG.debug("END createAcl: acl: " + stored);
    }
    return (MutableAcl) stored;
}
From source file:ubic.gemma.security.authorization.acl.AclAdvice.java
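/**
 * Creates or updates the ACL of a persistent {@link Securable} object.
 *
 * <p>If the object already has an ACL, only its parent link is reconciled through
 * {@code maybeSetParentACL} and the existing ACL is returned; should that reconciliation
 * fail with {@link NotFoundException}, the error is logged and the ACL is repopulated as
 * if it were new. For a new ACL: unless entries are inherited from {@code parentAcl},
 * GROUP_ADMIN gets ADMINISTRATION, GROUP_AGENT gets READ, an object created by an
 * administrator that is neither a user nor a group is made readable to anonymous
 * callers, and a non-admin, non-anonymous creator gets READ and WRITE. A newly created
 * {@link User} gets READ/WRITE on itself (under the new user's own name when running as
 * admin). A {@link SingleExperimentAnalysis} always inherits from, and is owned by the
 * owner of, the analysed experiment's ACL.
 *
 * @param object    the domain object; must already be persistent (non-null id)
 * @param parentAcl the ACL to inherit from, or {@code null} if there is none
 * @return the updated ACL, or {@code null} if {@code object} has no id yet and so no
 *         ACL can be stored for it
 * @throws IllegalStateException if the security context has no authentication or no
 *                               principal
 */
private AuditableAcl addOrUpdateAcl(Securable object, Acl parentAcl) {
    if (object.getId() == null) {
        log.warn("ACLs cannot be added or updated on non-persistent object: " + object);
        return null;
    }

    ObjectIdentity oi = makeObjectIdentity(object);
    AuditableAcl acl = null;
    boolean exists = false;
    try {
        acl = (AuditableAcl) aclService.readAclById(oi); // throws exception if not found
        exists = true;
    } catch (NotFoundException nfe) {
        acl = (AuditableAcl) aclService.createAcl(oi);
    }

    if (exists) {
        /*
         * Could be findOrCreate, or could be a second pass that will let us fill in parent ACLs for
         * associated objects missed earlier in a persist cycle. E.g. BioMaterial
         */
        try {
            maybeSetParentACL(object, acl, parentAcl);
            return acl;
        } catch (NotFoundException nfe) {
            // Falls through and treats the ACL as new.
            log.error(nfe, nfe);
        }
    }

    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication == null) {
        throw new IllegalStateException("No authentication found in the security context");
    }
    Object p = authentication.getPrincipal();
    if (p == null) {
        throw new IllegalStateException("Principal was null for " + authentication);
    }
    // Reassigned below for new users and for analyses, hence the interface type.
    Sid sid = new PrincipalSid(p.toString());

    boolean isAdmin = SecurityServiceImpl.isUserAdmin();
    boolean isRunningAsAdmin = SecurityServiceImpl.isRunningAsAdmin();
    boolean isAnonymous = SecurityServiceImpl.isUserAnonymous();
    boolean objectIsAUser = User.class.isAssignableFrom(object.getClass());
    boolean objectIsAGroup = UserGroup.class.isAssignableFrom(object.getClass());

    /*
     * The only case where we absolutely disallow inheritance is for SecuredNotChild.
     */
    boolean inheritFromParent = parentAcl != null && !SecuredNotChild.class.isAssignableFrom(object.getClass());
    // && (short-circuit) instead of the former &: both operands are side-effect-free booleans,
    // so the result is identical and the form is the idiomatic one.
    boolean missingParent = parentAcl == null && SecuredChild.class.isAssignableFrom(object.getClass());
    if (missingParent) {
        // This easily happens, it's not a problem as we go back through to recheck objects.
        log.debug("Object should have a parent during ACL setup: " + object);
    }

    acl.setEntriesInheriting(inheritFromParent);

    /*
     * If we're supposed to inherit from the parent but none is provided (can easily happen), we have
     * to put in ACEs. Same goes if we're not supposed to inherit.
     */
    if (!inheritFromParent || parentAcl == null) {
        /*
         * All objects must have administration permissions on them.
         */
        if (log.isDebugEnabled()) log.debug("Making administratable by GROUP_ADMIN: " + oi);
        grant(acl, BasePermission.ADMINISTRATION,
                new GrantedAuthoritySid(new GrantedAuthorityImpl(AuthorityConstants.ADMIN_GROUP_AUTHORITY)));

        /*
         * Let agent read anything.
         */
        if (log.isDebugEnabled()) log.debug("Making readable by GROUP_AGENT: " + oi);
        grant(acl, BasePermission.READ,
                new GrantedAuthoritySid(new GrantedAuthorityImpl(AuthorityConstants.AGENT_GROUP_AUTHORITY)));

        /*
         * If admin, and the object is not a user or group, make it readable by anonymous. Users and
         * groups are never exposed this way.
         */
        boolean makeAnonymousReadable = isAdmin && !objectIsAUser && !objectIsAGroup;
        if (makeAnonymousReadable) {
            if (log.isDebugEnabled()) log.debug("Making readable by IS_AUTHENTICATED_ANONYMOUSLY: " + oi);
            grant(acl, BasePermission.READ, new GrantedAuthoritySid(
                    new GrantedAuthorityImpl(AuthorityConstants.IS_AUTHENTICATED_ANONYMOUSLY)));
        }

        /*
         * Don't add more permissions for the administrator. But whatever it is, the person who created
         * it can read/write it. User will only be anonymous if they are registering (AFAIK).
         */
        if (!isAdmin && !isAnonymous) {
            if (log.isDebugEnabled()) log.debug("Giving read/write permissions on " + oi + " to " + sid);
            grant(acl, BasePermission.READ, sid);
            // User who created something can edit it.
            grant(acl, BasePermission.WRITE, sid);
        }
    }

    /*
     * If the object is a user, make sure that user gets permissions even if the current user is not
     * the same! In fact, user creation runs with GROUP_RUN_AS_ADMIN privileges.
     */
    if (objectIsAUser) {
        User u = (User) object;
        // sid is still the PrincipalSid built above at this point.
        if (((PrincipalSid) sid).getPrincipal().equals(u.getUserName())) {
            /*
             * This case should actually never happen. "we" are the user who is creating this user.
             * We've already added the READ/WRITE permissions above.
             */
            log.warn("Somehow...a user created themselves: " + oi);
        } else {
            if (log.isDebugEnabled()) log.debug("New User: given read/write permissions on " + oi + " to " + sid);
            if (isRunningAsAdmin) {
                // Important: we expect this to normally be the case.
                sid = new PrincipalSid(u.getUserName());
            }
            // See org.springframework.security.acls.domain.AclAuthorizationStrategy.
            grant(acl, BasePermission.READ, sid);
            grant(acl, BasePermission.WRITE, sid);
        }
    }

    // Treating Analyses as special case. It'll inherit ACL from ExpressionExperiment.
    // If aclParent is passed to this method we overwrite it.
    if (SingleExperimentAnalysis.class.isAssignableFrom(object.getClass())) {
        SingleExperimentAnalysis experimentAnalysis = (SingleExperimentAnalysis) object;
        BioAssaySet bioAssaySet = experimentAnalysis.getExperimentAnalyzed();
        ObjectIdentity oi_temp = makeObjectIdentity(bioAssaySet);
        try {
            parentAcl = aclService.readAclById(oi_temp);
        } catch (NotFoundException nfe) {
            // This is possible if making an EESubSet is part of the transaction.
            parentAcl = aclService.createAcl(oi_temp);
        }
        acl.setEntriesInheriting(true);
        acl.setParent(parentAcl);
        // Owner of the experiment owns analyses even if administrator ran them.
        sid = parentAcl.getOwner();
    }

    acl.setOwner(sid); // this might be the 'user' now.

    assert !acl.equals(parentAcl);

    if (parentAcl != null && inheritFromParent) {
        if (log.isTraceEnabled()) log.trace("Setting parent to: " + parentAcl + " <--- " + acl);
        acl.setParent(parentAcl);
    }

    return (AuditableAcl) aclService.updateAcl(acl);
}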