Posted to commits@airavata.apache.org by ma...@apache.org on 2018/02/23 06:23:00 UTC
[airavata] branch group-based-auth updated (e100d6d -> b0b32f7)
This is an automated email from the ASF dual-hosted git repository.
machristie pushed a change to branch group-based-auth
in repository https://gitbox.apache.org/repos/asf/airavata.git.
from e100d6d Changed struct order in group resource profile models to workaround bug
new b99f516 Fix construction of userId from AuthzToken
add 6c1478c Fixing AIRAVATA-2621
add dc6ea56 Fixing AIRAVATA-2624 Sampede2 cluster SSH connectivity issue
add 61b9684 Validating port value before overriding
add 8d4a65e Ansible changes for Airavata Standalone Server
add bf6ef8b fixing database transaction issue in creating password credential and improving ansible scripts
add 4da2c5f fixing minor issues
add 4f429ef Updating cloning url to original airavata repo
add 5f1e81f Reverting back to https urls
add 3a2e1be Adding missing placeholder
add d6fa1cf Removing admin email value
add 7eae3f9 Moving default gateway initialization code to api server
add 9f06e0f Minor improvement
add 1f5066a Reverting back to http urls as ansible does not trust mariadb ssl certificates
add 882722c Merge branch 'ansible-standalone' of https://github.com/DImuthuUpe/airavata into DImuthuUpe-ansible-standalone
add 37b06e2 Merge branch 'DImuthuUpe-ansible-standalone' into develop
add a544455 Use 'become' to open port 22 in firewall
add 49ff096 Remove registry client from credential store
add 04724f0 Merge branch 'DImuthuUpe-ansible-standalone' into develop
add 3c3345d Setting default pga_git_branch
add cce75c8 Merge branch 'DImuthuUpe-ansible-standalone' into develop
add 5144f67 Merge remote-tracking branch 'upstream/develop' into develop
add 508b895 Improving exception handling of GfacServerHandler
add b6c2e13 Merge pull request #175 from DImuthuUpe/develop
add 4338008 Fixing incorrect assignment
add 85c222b Merge pull request #177 from DImuthuUpe/develop
new b0b32f7 Merge branch 'develop' into group-based-auth
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../api/server/handler/AiravataServerHandler.java | 55 ++++++++++++++++++
.../handlers/GroupManagerServiceHandler.java | 67 ++++++++++++----------
.../scigap/develop/group_vars/all/vars.yml | 1 +
.../scigap/develop/pga_config/scigap/vars.yml | 2 +-
.../scigap/develop/pga_config/seagrid/vars.yml | 2 +-
.../scigap/develop/pga_config/testdrive/vars.yml | 2 +-
.../scigap/dreg-production/group_vars/pga/vars.yml | 2 +-
.../group_vars/all/vars.yml | 60 +++++++++++--------
.../group_vars/pga/vars.yml | 30 +++++-----
dev-tools/ansible/inventories/standalone/hosts | 24 ++++++++
.../inventories/template/group_vars/all/vars.yml | 11 +++-
dev-tools/ansible/roles/api-orch/defaults/main.yml | 13 ++++-
dev-tools/ansible/roles/api-orch/tasks/main.yml | 12 ++--
.../templates/airavata-server.properties.j2 | 6 +-
dev-tools/ansible/roles/common/tasks/main.yml | 4 +-
.../ansible/roles/database/tasks/keycloak.yml | 2 +-
dev-tools/ansible/roles/database/tasks/main.yml | 2 +-
dev-tools/ansible/roles/env_setup/tasks/main.yml | 4 ++
dev-tools/ansible/roles/gfac/defaults/main.yml | 5 +-
.../gfac/templates/airavata-server.properties.j2 | 6 +-
dev-tools/ansible/roles/pga/defaults/main.yml | 13 ++++-
dev-tools/ansible/roles/pga/tasks/main.yml | 16 +++++-
.../default.conf => templates/default.conf.j2} | 3 +-
.../roles/pga/templates/pga-ssl-vhost.conf.j2 | 4 +-
.../ansible/roles/pga/templates/pga-vhost.conf.j2 | 2 +-
.../pga/{files/ssl.conf => templates/ssl.conf.j2} | 4 +-
dev-tools/ansible/roles/rabbitmq/tasks/main.yml | 8 +--
.../templates/airavata-server.properties.j2 | 2 +-
dev-tools/ansible/roles/zookeeper/vars/main.yml | 2 +-
.../roles/zookeeper/vars/main.yml | 2 +-
.../store/impl/util/CredentialStoreInitUtil.java | 1 +
.../org/apache/airavata/gfac/core/GFacUtils.java | 2 +-
.../airavata/gfac/server/GfacServerHandler.java | 56 +++++++++---------
.../registry-server/registry-api-service/pom.xml | 2 +-
34 files changed, 281 insertions(+), 146 deletions(-)
copy dev-tools/ansible/inventories/{scigap/production => standalone}/group_vars/all/vars.yml (71%)
copy dev-tools/ansible/inventories/{template => standalone}/group_vars/pga/vars.yml (68%)
create mode 100644 dev-tools/ansible/inventories/standalone/hosts
rename dev-tools/ansible/roles/pga/{files/default.conf => templates/default.conf.j2} (73%)
rename dev-tools/ansible/roles/pga/{files/ssl.conf => templates/ssl.conf.j2} (99%)
[airavata] 02/02: Merge branch 'develop' into group-based-auth
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
machristie pushed a commit to branch group-based-auth
in repository https://gitbox.apache.org/repos/asf/airavata.git
commit b0b32f7318cd75adb9bca6f5dc51564528a4aa61
Merge: b99f516 85c222b
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Fri Feb 23 01:22:19 2018 -0500
Merge branch 'develop' into group-based-auth
.../api/server/handler/AiravataServerHandler.java | 55 +++++++++++++++++
.../scigap/develop/group_vars/all/vars.yml | 1 +
.../scigap/develop/pga_config/scigap/vars.yml | 2 +-
.../scigap/develop/pga_config/seagrid/vars.yml | 2 +-
.../scigap/develop/pga_config/testdrive/vars.yml | 2 +-
.../scigap/dreg-production/group_vars/pga/vars.yml | 2 +-
.../group_vars/all/vars.yml | 63 +++++++++++--------
.../inventories/standalone/group_vars/pga/vars.yml | 70 ++++++++++++++++++++++
dev-tools/ansible/inventories/standalone/hosts | 24 ++++++++
.../inventories/template/group_vars/all/vars.yml | 11 +++-
dev-tools/ansible/roles/api-orch/defaults/main.yml | 13 +++-
dev-tools/ansible/roles/api-orch/tasks/main.yml | 12 ++--
.../templates/airavata-server.properties.j2 | 6 +-
dev-tools/ansible/roles/common/tasks/main.yml | 4 +-
.../ansible/roles/database/tasks/keycloak.yml | 2 +-
dev-tools/ansible/roles/database/tasks/main.yml | 2 +-
dev-tools/ansible/roles/env_setup/tasks/main.yml | 4 ++
dev-tools/ansible/roles/gfac/defaults/main.yml | 5 +-
.../gfac/templates/airavata-server.properties.j2 | 6 +-
dev-tools/ansible/roles/pga/defaults/main.yml | 13 +++-
dev-tools/ansible/roles/pga/tasks/main.yml | 16 ++++-
.../default.conf => templates/default.conf.j2} | 3 +-
.../roles/pga/templates/pga-ssl-vhost.conf.j2 | 4 +-
.../ansible/roles/pga/templates/pga-vhost.conf.j2 | 2 +-
.../pga/{files/ssl.conf => templates/ssl.conf.j2} | 4 +-
dev-tools/ansible/roles/rabbitmq/tasks/main.yml | 8 +--
.../templates/airavata-server.properties.j2 | 2 +-
dev-tools/ansible/roles/zookeeper/vars/main.yml | 2 +-
.../roles/zookeeper/vars/main.yml | 2 +-
.../store/impl/util/CredentialStoreInitUtil.java | 1 +
.../org/apache/airavata/gfac/core/GFacUtils.java | 2 +-
.../airavata/gfac/server/GfacServerHandler.java | 56 ++++++++---------
.../registry-server/registry-api-service/pom.xml | 2 +-
33 files changed, 301 insertions(+), 102 deletions(-)
[airavata] 01/02: Fix construction of userId from AuthzToken
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
machristie pushed a commit to branch group-based-auth
in repository https://gitbox.apache.org/repos/asf/airavata.git
commit b99f51636f691c0016aad3198d007395c0fe3016
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Fri Feb 23 01:19:54 2018 -0500
Fix construction of userId from AuthzToken
---
.../handlers/GroupManagerServiceHandler.java | 67 ++++++++++++----------
1 file changed, 37 insertions(+), 30 deletions(-)
diff --git a/airavata-services/profile-service/profile-service-server/src/main/java/org/apache/airavata/service/profile/handlers/GroupManagerServiceHandler.java b/airavata-services/profile-service/profile-service-server/src/main/java/org/apache/airavata/service/profile/handlers/GroupManagerServiceHandler.java
index aeca014..101c3df 100644
--- a/airavata-services/profile-service/profile-service-server/src/main/java/org/apache/airavata/service/profile/handlers/GroupManagerServiceHandler.java
+++ b/airavata-services/profile-service/profile-service-server/src/main/java/org/apache/airavata/service/profile/handlers/GroupManagerServiceHandler.java
@@ -44,10 +44,9 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
sharingUserGroup.setDescription(groupModel.getDescription());
sharingUserGroup.setGroupType(GroupType.USER_LEVEL_GROUP);
sharingUserGroup.setGroupCardinality(GroupCardinality.MULTI_USER);
- String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+ String gatewayId = getDomainId(authzToken);
sharingUserGroup.setDomainId(gatewayId);
- String username = authzToken.getClaimsMap().get(Constants.USER_NAME);
- sharingUserGroup.setOwnerId(username + "@" + gatewayId);
+ sharingUserGroup.setOwnerId(getUserId(authzToken));
String groupId = sharingClient.createGroup(sharingUserGroup);
sharingClient.addUsersToGroup(gatewayId, groupModel.getMembers(), groupId);
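Review bot: The owner id is now written in qualified form via getUserId, but the member ids from `groupModel.getMembers()` are handed to `sharingClient.addUsersToGroup` untouched two lines later; whether callers already supply them as `username@gatewayId` is not visible here, and a mismatch would silently create a group whose owner and members use different id formats. A comment at that call stating the expected member-id form, e.g. `// members are expected to already be qualified user ids (username@gatewayId), matching the owner id set above`, would make the contract explicit — confirm against the Thrift model before adding it. The enclosing createGroup method begins outside the hunk.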
@@ -74,7 +73,7 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
sharingUserGroup.setName(groupModel.getName());
sharingUserGroup.setDescription(groupModel.getDescription());
sharingUserGroup.setGroupType(GroupType.USER_LEVEL_GROUP);
- sharingUserGroup.setDomainId(authzToken.getClaimsMap().get(Constants.GATEWAY_ID));
+ sharingUserGroup.setDomainId(getDomainId(authzToken));
//adding and removal of users should be handle separately
sharingClient.updateGroup(sharingUserGroup);
@@ -96,7 +95,7 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
//TODO Validations for authorization (user must be owner or admin)
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
- sharingClient.deleteGroup(authzToken.getClaimsMap().get(Constants.GATEWAY_ID), groupId);
+ sharingClient.deleteGroup(getDomainId(authzToken), groupId);
return true;
}
catch (Exception e) {
@@ -113,7 +112,7 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
public GroupModel getGroup(AuthzToken authzToken, String groupId) throws GroupManagerServiceException, AuthorizationException, TException {
try {
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
- final String domainId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+ final String domainId = getDomainId(authzToken);
UserGroup userGroup = sharingClient.getGroup(domainId, groupId);
GroupModel groupModel = convertToGroupModel(userGroup, sharingClient);
@@ -132,7 +131,7 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
@Override
@SecurityCheck
public List<GroupModel> getGroups(AuthzToken authzToken) throws GroupManagerServiceException, AuthorizationException, TException {
- final String domainId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+ final String domainId = getDomainId(authzToken);
SharingRegistryService.Client sharingClient = null;
try {
sharingClient = getSharingRegistryServiceClient();
@@ -157,7 +156,7 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
try {
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
List<GroupModel> groupModels = new ArrayList<GroupModel>();
- final String domainId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+ final String domainId = getDomainId(authzToken);
List<UserGroup> userGroups = sharingClient.getAllMemberGroupsForUser(domainId, userName);
return convertToGroupModels(userGroups, sharingClient);
@@ -175,10 +174,10 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
public boolean addUsersToGroup(AuthzToken authzToken, List<String> userIds, String groupId) throws GroupManagerServiceException, AuthorizationException, TException {
try {
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
- String username = authzToken.getClaimsMap().get(Constants.USER_NAME);
- String domainId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
- if (!(sharingClient.hasOwnerAccess(domainId, groupId, username)
- || sharingClient.hasAdminAccess(domainId, groupId, username))) {
+ String userId = getUserId(authzToken);
+ String domainId = getDomainId(authzToken);
+ if (!(sharingClient.hasOwnerAccess(domainId, groupId, userId)
+ || sharingClient.hasAdminAccess(domainId, groupId, userId))) {
throw new GroupManagerServiceException("User does not have access to add users to the group");
}
return sharingClient.addUsersToGroup(domainId, userIds, groupId);
@@ -196,10 +195,10 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
public boolean removeUsersFromGroup(AuthzToken authzToken, List<String> userIds, String groupId) throws GroupManagerServiceException, AuthorizationException, TException {
try {
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
- String username = authzToken.getClaimsMap().get(Constants.USER_NAME);
- String domainId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
- if (!(sharingClient.hasOwnerAccess(domainId, groupId, username)
- || sharingClient.hasAdminAccess(domainId, groupId, username))) {
+ String userId = getUserId(authzToken);
+ String domainId = getDomainId(authzToken);
+ if (!(sharingClient.hasOwnerAccess(domainId, groupId, userId)
+ || sharingClient.hasAdminAccess(domainId, groupId, userId))) {
throw new GroupManagerServiceException("User does not have access to remove users to the group");
}
return sharingClient.removeUsersFromGroup(domainId, userIds, groupId);
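Review bot: The message on the exception thrown when the access check fails reads `"User does not have access to remove users to the group"`; it is a context line the commit leaves untouched, but since the surrounding check is being rewritten it is a good moment to make it `"User does not have access to remove users from the group"` so the log line matches the operation. The enclosing removeUsersFromGroup method continues outside the hunk.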
@@ -217,12 +216,12 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
public boolean transferGroupOwnership(AuthzToken authzToken, String groupId, String newOwnerId) throws GroupManagerServiceException, AuthorizationException, TException {
try{
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
- String username = authzToken.getClaimsMap().get(Constants.USER_NAME);
- String domainId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
- if (!(sharingClient.hasOwnerAccess(domainId, groupId, username))) {
+ String userId = getUserId(authzToken);
+ String domainId = getDomainId(authzToken);
+ if (!(sharingClient.hasOwnerAccess(domainId, groupId, userId))) {
throw new GroupManagerServiceException("User does not have Owner permission to transfer group ownership");
}
- return sharingClient.transferGroupOwnership(authzToken.getClaimsMap().get(Constants.GATEWAY_ID), groupId, newOwnerId);
+ return sharingClient.transferGroupOwnership(getDomainId(authzToken), groupId, newOwnerId);
}
catch (Exception e) {
String msg = "Error Transferring Group Ownership";
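Review bot: The return on the last changed line still re-reads the claim via `getDomainId(authzToken)` even though the same value was stored in `domainId` two lines earlier; reuse the local, `return sharingClient.transferGroupOwnership(domainId, groupId, newOwnerId);`. The same pattern appears in the addGroupAdmins and removeGroupAdmins hunks below, where `getDomainId(authzToken)` in the return can likewise be replaced by `domainId`. Reusing the local also makes it evident that the owner-access check and the delegated call operate on the same domain value.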
@@ -239,12 +238,12 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
public boolean addGroupAdmins(AuthzToken authzToken, String groupId, List<String> adminIds) throws GroupManagerServiceException, AuthorizationException, TException {
try {
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
- String username = authzToken.getClaimsMap().get(Constants.USER_NAME);
- String domainId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
- if (!(sharingClient.hasOwnerAccess(domainId, groupId, username))) {
+ String userId = getUserId(authzToken);
+ String domainId = getDomainId(authzToken);
+ if (!(sharingClient.hasOwnerAccess(domainId, groupId, userId))) {
throw new GroupManagerServiceException("User does not have Owner permission to add group admins");
}
- return sharingClient.addGroupAdmins(authzToken.getClaimsMap().get(Constants.GATEWAY_ID), groupId, adminIds);
+ return sharingClient.addGroupAdmins(getDomainId(authzToken), groupId, adminIds);
}
catch (Exception e) {
String msg = "Error Adding Admins to Group. Group ID: " + groupId;
@@ -260,12 +259,12 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
public boolean removeGroupAdmins(AuthzToken authzToken, String groupId, List<String> adminIds) throws GroupManagerServiceException, AuthorizationException, TException {
try {
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
- String username = authzToken.getClaimsMap().get(Constants.USER_NAME);
- String domainId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
- if (!(sharingClient.hasOwnerAccess(domainId, groupId, username))) {
+ String userId = getUserId(authzToken);
+ String domainId = getDomainId(authzToken);
+ if (!(sharingClient.hasOwnerAccess(domainId, groupId, userId))) {
throw new GroupManagerServiceException("User does not have Owner permission to remove group admins");
}
- return sharingClient.removeGroupAdmins(authzToken.getClaimsMap().get(Constants.GATEWAY_ID), groupId, adminIds);
+ return sharingClient.removeGroupAdmins(getDomainId(authzToken), groupId, adminIds);
}
catch (Exception e) {
String msg = "Error Removing Admins from the Group. Group ID: " + groupId;
@@ -281,7 +280,7 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
public boolean hasAdminAccess(AuthzToken authzToken, String groupId, String adminId) throws GroupManagerServiceException, AuthorizationException, TException {
try {
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
- return sharingClient.hasAdminAccess(authzToken.getClaimsMap().get(Constants.GATEWAY_ID), groupId, adminId);
+ return sharingClient.hasAdminAccess(getDomainId(authzToken), groupId, adminId);
}
catch (Exception e) {
String msg = "Error Checking Admin Access for the Group. Group ID: " + groupId + " Admin ID: " + adminId;
@@ -297,7 +296,7 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
public boolean hasOwnerAccess(AuthzToken authzToken, String groupId, String ownerId) throws GroupManagerServiceException, AuthorizationException, TException {
try {
SharingRegistryService.Client sharingClient = getSharingRegistryServiceClient();
- return sharingClient.hasOwnerAccess(authzToken.getClaimsMap().get(Constants.GATEWAY_ID), groupId, ownerId);
+ return sharingClient.hasOwnerAccess(getDomainId(authzToken), groupId, ownerId);
}
catch (Exception e) {
String msg = "Error Checking Owner Access for the Group. Group ID: " + groupId + " Owner ID: " + ownerId;
@@ -319,6 +318,14 @@ public class GroupManagerServiceHandler implements GroupManagerService.Iface {
}
}
+ private String getDomainId(AuthzToken authzToken) {
+ return authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+ }
+
+ private String getUserId(AuthzToken authzToken) {
+ return authzToken.getClaimsMap().get(Constants.USER_NAME) + "@" + getDomainId(authzToken);
+ }
+
private List<GroupModel> convertToGroupModels(List<UserGroup> userGroups, SharingRegistryService.Client sharingClient) throws TException {
List<GroupModel> groupModels = new ArrayList<>();
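Review bot: The new getUserId and getDomainId helpers pass missing claims straight through: `Map.get` returns null for an absent GATEWAY_ID or USER_NAME claim, so string concatenation yields an id like `null@<gateway>` or `<user>@null`, which is then used as a group owner id and fed into the hasOwnerAccess/hasAdminAccess checks instead of being rejected. Failing fast on an absent or empty claim keeps a malformed token from producing a plausible-looking id; note that getGroups calls getDomainId before its try block, so a failure there would surface unwrapped rather than as a GroupManagerServiceException. A one-line Javadoc on getUserId stating that it builds the `username@gatewayId` form the sharing registry expects would also help, since every caller now depends on that format. The convertToGroupModels method that follows continues outside the hunk.
```java
private String getDomainId(AuthzToken authzToken) {
    String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
    if (gatewayId == null || gatewayId.isEmpty()) {
        throw new IllegalArgumentException("AuthzToken is missing the GATEWAY_ID claim");
    }
    return gatewayId;
}

/** Builds the sharing-registry user id ({@code username@gatewayId}) from the token's claims. */
private String getUserId(AuthzToken authzToken) {
    String username = authzToken.getClaimsMap().get(Constants.USER_NAME);
    if (username == null || username.isEmpty()) {
        throw new IllegalArgumentException("AuthzToken is missing the USER_NAME claim");
    }
    return username + "@" + getDomainId(authzToken);
}
// … unchanged: convertToGroupModels …
```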