org.jboss.as.controller.access.rbac

Class RunAsRoleMapper

java.lang.Object

org.jboss.as.controller.access.rbac.RunAsRoleMapper

All Implemented Interfaces:

RoleMapper

public class RunAsRoleMapper
extends Object
implements RoleMapper

A RoleMapper that allows clients to specify the roles they desire to run as. By default this RoleMapper Reads the set of roles from a request headers in the operation, allowing the client to completely control the mapping. Roles are stored as a ModelNode of type ModelType.LIST, elements of ModelType.STRING, under operation.get("operation-headers", "roles"). If no such header is found, the user is SUPERUSER. IF the list is empty, the user has no permissions. This RoleMapper can be extended to allow the ability to run as different roles to be checked.

Author:

Brian Stansberry (c) 2013 Red Hat Inc., Darran Lofthouse

Constructor Summary

Constructors

Constructor and Description
RunAsRoleMapper(RoleMapper realRoleMapper)

Method Summary

Modifier and Type	Method and Description
boolean	canRunAs(Set<String> mappedRoles, String runAsRole) Gets whether the given set of mapped roles provides a caller with the privilege to run as the given "runAsRole".
static Set<String>	getOperationHeaderRoles(org.jboss.dmr.ModelNode operation)
Set<String>	mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Action action, TargetAttribute attribute) Determine the roles available for the caller for a management operation affecting an individual attribute.
Set<String>	mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Action action, TargetResource resource) Determine the roles available for the caller for a management operation affecting an entire resource.
Set<String>	mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, JmxAction action, JmxTarget target) Determine the roles available for the caller for a JMX invocation unrelated to the management facade MBeans.
Set<String>	mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Set<String> operationHeaderRoles) Determine the roles available for the caller without reference to a particular action or target.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

RunAsRoleMapper

public RunAsRoleMapper(RoleMapper realRoleMapper)

Method Detail

mapRoles

public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity,
                            Environment callEnvironment,
                            Action action,
                            TargetAttribute attribute)

Description copied from interface: RoleMapper

Determine the roles available for the caller for a management operation affecting an individual attribute.

Specified by:

mapRoles in interface RoleMapper

Parameters:

identity - the caller identity. Cannot be null

callEnvironment - the call environment. Cannot be null

action - the action being authorized. Cannot be null

attribute - the target of the action. Cannot be null

Returns:

the roles. Will not be null, but may be an empty set

mapRoles

public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity,
                            Environment callEnvironment,
                            Action action,
                            TargetResource resource)

Description copied from interface: RoleMapper

Determine the roles available for the caller for a management operation affecting an entire resource.

Specified by:

mapRoles in interface RoleMapper

Parameters:

identity - the caller identity. Cannot be null

callEnvironment - the call environment. Cannot be null

action - the action being authorized. Cannot be null

resource - the target of the action. Cannot be null

Returns:

the roles. Will not be null, but may be an empty set

mapRoles

public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity,
                            Environment callEnvironment,
                            JmxAction action,
                            JmxTarget target)

Description copied from interface: RoleMapper

Determine the roles available for the caller for a JMX invocation unrelated to the management facade MBeans.

Specified by:

mapRoles in interface RoleMapper

Parameters:

identity - the caller identity. Cannot be null

callEnvironment - the call environment. Cannot be null

action - the action being authorized. Cannot be null

target - the target of the action. Cannot be null

Returns:

the roles. Will not be null, but may be an empty set

mapRoles

public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity,
                            Environment callEnvironment,
                            Set<String> operationHeaderRoles)

Description copied from interface: RoleMapper

Determine the roles available for the caller without reference to a particular action or target. Note that actually mapping a caller to roles without reference to a particular action or target is not required.

Specified by:

mapRoles in interface RoleMapper

Parameters:

identity - the caller identity. Cannot be null

callEnvironment - the call environment. Cannot be null

operationHeaderRoles - any roles specified as headers in the operation. May be null

Returns:

the roles. Will not be null, but may be an empty set

canRunAs

public boolean canRunAs(Set<String> mappedRoles,
                        String runAsRole)

Description copied from interface: RoleMapper

Gets whether the given set of mapped roles provides a caller with the privilege to run as the given "runAsRole".

Specified by:

canRunAs in interface RoleMapper

Parameters:

mappedRoles - a set of roles obtained from a call to one of this mapper's mapRoles methods

runAsRole - the role the caller wishes to run as

Returns:

true if running as runAsRole is allowed

getOperationHeaderRoles

public static Set<String> getOperationHeaderRoles(org.jboss.dmr.ModelNode operation)