feat(core): solve default and associated roles for attribute rights
* These changes are related only to new attribute authorization
* By default PERUNADMIN needs read and write privilege for attributes, default read roles are also PERUNOBSERVER, RPC, ENGINE
* Default roles are automatically resolved before fetching related objects to speed up the check
* Observer roles are defined in perun-roles.yml as associated read roles to admin roles
* Associated roles can read attribute if the main role can (groupobserver can read it if groupadmin can)
Johaney-s committed Feb 16, 2022
1 parent 472c814 commit 9d71412
Showing 5 changed files with 310 additions and 10 deletions.
Expand Up @@ -6,7 +6,8 @@

/**
* RoleManagementRules represents a set of rules which is used to determine principal's access rights for managing and reading a role.
* Moreover, it contains a allowed combinations of object and entity to/from which will be the role un/assigned.
* Moreover, it contains allowed combinations of object and entity to/from which will be the role un/assigned
* and related roles which can also read attribute value if the role can.
* Each object and entity also contains a mapping to the specific column in the authz table,
* so the database query can be created and executed more generally.
*
Expand All @@ -22,6 +23,8 @@
* Example entry: key: User; value: user_id
* assignedObjects is a map of objects which can be assigned with the role. Key is a object name and value is mapping to the database.
* Example entry: key: Resource; value: resource_id
* associatedReadRoles is a list of related roles which are authorized to read attribute value if the main role is authorized.
* Example list for groupadmin role - value: [GROUPOBSERVER]
*
*/
public class RoleManagementRules {
Expand All @@ -32,14 +35,16 @@ public class RoleManagementRules {
private List<Map<String, String>> privilegedRolesToRead;
private Map<String, String> entitiesToManage;
private Map<String, String> assignedObjects;
private List<String> associatedReadRoles;

public RoleManagementRules(String roleName, String primaryObject, List<Map<String, String>> privilegedRolesToManage, List<Map<String, String>> privilegedRolesToRead, Map<String, String> entitiesToManage, Map<String, String> assignedObjects) {
public RoleManagementRules(String roleName, String primaryObject, List<Map<String, String>> privilegedRolesToManage, List<Map<String, String>> privilegedRolesToRead, Map<String, String> entitiesToManage, Map<String, String> assignedObjects, List<String> associatedReadRoles) {
this.roleName = roleName;
this.primaryObject = primaryObject;
this.privilegedRolesToManage = privilegedRolesToManage;
this.privilegedRolesToRead = privilegedRolesToRead;
this.entitiesToManage = entitiesToManage;
this.assignedObjects = assignedObjects;
this.associatedReadRoles = associatedReadRoles;
}

public String getRoleName() {
Expand Down Expand Up @@ -90,6 +95,14 @@ public void setAssignedObjects(Map<String, String> assignedObjects) {
this.assignedObjects = assignedObjects;
}

public List<String> getAssociatedReadRoles() {
return associatedReadRoles;
}

public void setAssociatedReadRoles(List<String> associatedReadRoles) {
this.associatedReadRoles = associatedReadRoles;
}

@Override
public boolean equals(Object o) {
if (this == o) return true;
Expand All @@ -100,12 +113,13 @@ public boolean equals(Object o) {
Objects.equals(privilegedRolesToManage, that.privilegedRolesToManage) &&
Objects.equals(privilegedRolesToRead, that.privilegedRolesToRead) &&
Objects.equals(entitiesToManage, that.entitiesToManage) &&
Objects.equals(assignedObjects, that.assignedObjects);
Objects.equals(assignedObjects, that.assignedObjects) &&
Objects.equals(associatedReadRoles, that.associatedReadRoles);
}

@Override
public int hashCode() {
return Objects.hash(roleName, primaryObject, privilegedRolesToManage, privilegedRolesToRead, entitiesToManage, assignedObjects);
return Objects.hash(roleName, primaryObject, privilegedRolesToManage, privilegedRolesToRead, entitiesToManage, assignedObjects, associatedReadRoles);
}

@Override
Expand All @@ -117,6 +131,7 @@ public String toString() {
", privilegedRolesToRead=" + privilegedRolesToRead +
", entitiesToManage=" + entitiesToManage +
", assignedObjects=" + assignedObjects +
", associatedReadRoles=" + associatedReadRoles +
'}';
}
}
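Review bot: `getAssociatedReadRoles()` returns the internal list itself, and the constructor and `setAssociatedReadRoles` store whatever reference they receive, so any caller that mutates the returned list silently widens (or narrows) which roles may read attribute values; this follows the pattern of the existing accessors in the class, but for authorization rules a copy is cheap insurance. I would store a copy in both the constructor and the setter, `this.associatedReadRoles = associatedReadRoles == null ? new ArrayList<>() : new ArrayList<>(associatedReadRoles);`, and return `Collections.unmodifiableList(associatedReadRoles)` from the getter (the `java.util.ArrayList`/`Collections` imports are outside these hunks, so check they exist). Normalising null to an empty list also protects callers that iterate the list for a role whose YAML entry omits `associated_read_roles`. A Javadoc line on the getter would make the semantics visible at the call site, e.g. `/** Roles that may read an attribute value whenever this role may; never null. */`. The class body continues outside these hunks.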
30 changes: 30 additions & 0 deletions perun-base/src/main/resources/perun-roles.yml
Expand Up @@ -6596,6 +6596,8 @@ perun_roles_management:
privileged_roles_to_read:
- PERUNADMIN:
- PERUNOBSERVER:
associated_read_roles:
- PERUNOBSERVER

PERUNOBSERVER:
primary_object:
Expand All @@ -6607,6 +6609,7 @@ perun_roles_management:
privileged_roles_to_read:
- PERUNADMIN:
- PERUNOBSERVER:
associated_read_roles: []

AUDITCONSUMERADMIN:
primary_object:
Expand All @@ -6618,6 +6621,7 @@ perun_roles_management:
privileged_roles_to_read:
- PERUNADMIN:
- PERUNOBSERVER:
associated_read_roles: []

VOADMIN:
primary_object: Vo
Expand All @@ -6634,6 +6638,8 @@ perun_roles_management:
- PERUNOBSERVER:
- VOADMIN: Vo
- VOOBSERVER: Vo
associated_read_roles:
- VOOBSERVER

GROUPADMIN:
primary_object: Group
Expand All @@ -6654,6 +6660,8 @@ perun_roles_management:
- VOOBSERVER: Vo
- GROUPADMIN: Group
- GROUPOBSERVER: Group
associated_read_roles:
- GROUPOBSERVER

GROUPOBSERVER:
primary_object: Group
Expand All @@ -6674,13 +6682,15 @@ perun_roles_management:
- VOOBSERVER: Vo
- GROUPADMIN: Group
- GROUPOBSERVER: Group
associated_read_roles: []

SELF:
primary_object:
assign_to_objects: {}
entities_to_manage: {}
privileged_roles_to_manage: []
privileged_roles_to_read: []
associated_read_roles: []

FACILITYADMIN:
primary_object: Facility
Expand All @@ -6697,6 +6707,8 @@ perun_roles_management:
- PERUNOBSERVER:
- FACILITYADMIN: Facility
- FACILITYOBSERVER: Facility
associated_read_roles:
- FACILITYOBSERVER

FACILITYOBSERVER:
primary_object: Facility
Expand All @@ -6713,6 +6725,7 @@ perun_roles_management:
- PERUNOBSERVER:
- FACILITYADMIN: Facility
- FACILITYOBSERVER: Facility
associated_read_roles: []

TRUSTEDFACILITYADMIN:
primary_object: Vo
Expand All @@ -6729,6 +6742,7 @@ perun_roles_management:
- PERUNOBSERVER:
- VOADMIN: Vo
- VOOBSERVER: Vo
associated_read_roles: []

RESOURCEADMIN:
primary_object: Resource
Expand Down Expand Up @@ -6756,6 +6770,8 @@ perun_roles_management:
- TRUSTEDFACILITYADMIN: Vo
FACILITYOBSERVER: Facility
- VOOBSERVER: Vo
associated_read_roles:
- RESOURCEOBSERVER

RESOURCEOBSERVER:
primary_object: Resource
Expand Down Expand Up @@ -6783,6 +6799,7 @@ perun_roles_management:
- TRUSTEDFACILITYADMIN: Vo
FACILITYOBSERVER: Facility
- VOOBSERVER: Vo
associated_read_roles: []

RESOURCESELFSERVICE:
primary_object: Resource
Expand Down Expand Up @@ -6810,41 +6827,47 @@ perun_roles_management:
- TRUSTEDFACILITYADMIN: Vo
FACILITYOBSERVER: Facility
- VOOBSERVER: Vo
associated_read_roles: []

REGISTRAR:
primary_object:
assign_to_objects: {}
entities_to_manage: {}
privileged_roles_to_manage: []
privileged_roles_to_read: []
associated_read_roles: []

ENGINE:
primary_object:
assign_to_objects: {}
entities_to_manage: {}
privileged_roles_to_manage: []
privileged_roles_to_read: []
associated_read_roles: []

RPC:
primary_object:
assign_to_objects: {}
entities_to_manage: {}
privileged_roles_to_manage: []
privileged_roles_to_read: []
associated_read_roles: []

NOTIFICATIONS:
primary_object:
assign_to_objects: {}
entities_to_manage: {}
privileged_roles_to_manage: []
privileged_roles_to_read: []
associated_read_roles: []

SERVICEUSER:
primary_object:
assign_to_objects: {}
entities_to_manage: {}
privileged_roles_to_manage: []
privileged_roles_to_read: []
associated_read_roles: []

SPONSOR:
primary_object: Vo
Expand All @@ -6861,6 +6884,7 @@ perun_roles_management:
- PERUNOBSERVER:
- VOADMIN: Vo
- VOOBSERVER: Vo
associated_read_roles: []

VOOBSERVER:
primary_object: Vo
Expand All @@ -6877,6 +6901,7 @@ perun_roles_management:
- PERUNOBSERVER:
- VOADMIN: Vo
- VOOBSERVER: Vo
associated_read_roles: []

TOPGROUPCREATOR:
primary_object: Vo
Expand All @@ -6893,6 +6918,7 @@ perun_roles_management:
- PERUNOBSERVER:
- VOADMIN: Vo
- VOOBSERVER: Vo
associated_read_roles: []

SECURITYADMIN:
primary_object: SecurityTeam
Expand All @@ -6908,6 +6934,7 @@ perun_roles_management:
- PERUNADMIN:
- PERUNOBSERVER:
- SECURITYADMIN: SecurityTeam
associated_read_roles: []

CABINETADMIN:
primary_object:
Expand All @@ -6921,6 +6948,7 @@ perun_roles_management:
- PERUNADMIN:
- PERUNOBSERVER:
- CABINETADMIN:
associated_read_roles: []

MEMBERSHIP:
primary_object:
Expand All @@ -6931,12 +6959,14 @@ perun_roles_management:
entities_to_manage: {}
privileged_roles_to_manage: []
privileged_roles_to_read: []
associated_read_roles: []

UNKNOWN:
primary_object:
assign_to_objects: {}
entities_to_manage: {}
privileged_roles_to_manage: []
privileged_roles_to_read: []
associated_read_roles: []

...
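Review bot: The new `associated_read_roles` key is introduced without any comment explaining what it grants, and its first occurrence (the PERUNADMIN entry in the hunk at -6596) is where a reader first meets it. Every role entry now carries the key, with `[]` for roles that have no associated reader, which suggests the loader expects it on each entry; a role added later without it would presumably end up with a null list on the Java side, which is worth confirming against the loader since it is not in this diff. I would add a one-line comment above the first occurrence, e.g. `# associated_read_roles: roles that may read an attribute value whenever this role may; use [] when there are none`.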