updated the default-xacml-policy with a new rule for the admin-read-only role, finished identifying and including all admin methods in the policy, and updated the sample client to demonstrate the latest updates to the authorization policy.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/c3652607 Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/c3652607 Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/c3652607 Branch: refs/heads/master Commit: c3652607aff77da6dc4dd6ab039ada78aa836c79 Parents: 4226a2d Author: hasinitg <[email protected]> Authored: Wed Aug 5 14:04:41 2015 +0530 Committer: hasinitg <[email protected]> Committed: Wed Aug 5 14:04:41 2015 +0530 ---------------------------------------------------------------------- .../resources/airavata-default-xacml-policy.xml | 98 +++++++++++++++++++- .../airavata/secure/sample/SecureClient.java | 18 +++- 2 files changed, 113 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata/blob/c3652607/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml ----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
index ab3208d..b0ca91e 100644
--- a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
+++ b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
@@ -23,6 +23,64 @@
 </Apply>
 </Condition>
 </Rule>
+ <Rule Effect="Permit" RuleId="admin-read-only-permit">
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?:(?!
+/airavata/addGateway|
+/airavata/deleteteway|
+/airavata/updateGateway|
+/airavata/registerApplicationModule|
+/airavata/deleteApplicationModule|
+/airavata/updateApplicationInterface|
+/airavata/deleteApplicationInterface|
+/airavata/updateApplicationDeployment|
+/airavata/registerApplicationDeployment|
+/airavata/deleteApplicationDeployment|
+/airavata/updateComputeResource|
+/airavata/registerComputeResource|
+/airavata/deleteBatchQueue|
+/airavata/updateResourceJobManager|
+/airavata/addLocalSubmissionDetails|
+/airavata/updateResourceJobManager|
+/airavaa/updateSSHJobSubmissionDetails|
+/airavata/addSSHJobSubmissionDetails|
+/airavata/updateUnicoreJobSubmissionDetails|
+/airavata/addUNICOREJobSubmissionDetails|
+/airavata/addLocalDataMovementDetails|
+/airavata/updateSCPDataMovementDetails|
+/airavata/addSCPDataMovementDetails|
+/airavata/updateGridFTPDataMovementDetails|
+/airavata/addGridFTPDataMovementDetails|
+/airavata/updateUnicoreDataMovementDetails|
+/airavata/addUnicoreDataMovementDetails|
+/airavata/deleteJobSubmissionInterface|
+/airavata/deleteDataMovementInterface|
+/airavata/deleteComputeResource|
+/airavata/updateGatewayResourceProfile|
+/airavata/registerGatewayResourceProfile|
+/airavata/addGatewayComputeResourcePreference|
+/airavata/deleteGatewayResourceProfile|
+/airavata/deleteGatewayComputeResourcePreference).)*$\r?\n?
+</AttributeValue>
+ <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_read_only</AttributeValue>
+ <AttributeDesignator AttributeId="http://wso2.org/claims/role"
+ Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ </Condition>
+ </Rule>
 <Rule Effect="Permit" RuleId="user-permit">
 <Target>
 <AnyOf>
@@ -30,6 +88,7 @@
 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?:(?!
 /airavata/addGateway|
+/airavata/getExperimentStatistics|
 /airavata/deleteteway|
 /airavata/updateGateway|
 /airavata/registerApplicationModule|
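Review bot: The new admin-read-only-permit deny list carries two misspelled action ids, `/airavata/deleteteway` and `/airavaa/updateSSHJobSubmissionDetails`; because the rule permits every action the negative lookahead does not list, the presumably intended `/airavata/deleteGateway` and `/airavata/updateSSHJobSubmissionDetails` are not excluded and the admin_read_only role would be permitted to call them — the same two misspellings appear again in the user-permit list in the hunk at -46,7. The minimum fix is the two entries `/airavata/deleteGateway|` and `/airavata/updateSSHJobSubmissionDetails|`; `/airavata/updateResourceJobManager` is also listed twice, harmless but a sign the list was assembled by hand. More generally this shape fails open: any write method added to the API later is granted to the read-only role until someone remembers to add it here, so a positive list of the read-only action ids would be the safer way to express a read-only role.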
@@ -46,7 +105,44 @@
 /airavata/getApplicationInterface|
 /airavata/getApplicationInputs|
 /airavata/getApplicationOutputs|
-/airavata/getExperimentStatistics).)*$\r?\n?
+/airavata/updateComputeResource|
+/airavata/getComputeResource|
+/airavata/registerComputeResource|
+/airavata/deleteBatchQueue|
+/airavata/getLocalJobSubmission|
+/airavata/updateResourceJobManager|
+/airavata/addLocalSubmissionDetails|
+/airavata/getSSHJobSubmission|
+/airavata/updateResourceJobManager|
+/airavata/getresourceJobManager|
+/airavaa/updateSSHJobSubmissionDetails|
+/airavata/addSSHJobSubmissionDetails|
+/airavata/getUnicoreJobSubmission|
+/airavata/updateUnicoreJobSubmissionDetails|
+/airavata/addUNICOREJobSubmissionDetails|
+/airavata/addLocalDataMovementDetails|
+/airavata/updateSCPDataMovementDetails|
+/airavata/addSCPDataMovementDetails|
+/airavata/updateGridFTPDataMovementDetails|
+/airavata/addGridFTPDataMovementDetails|
+/airavata/updateUnicoreDataMovementDetails|
+/airavata/addUnicoreDataMovementDetails|
+/airavata/getCloudJobSubmission|
+/airavata/getSCPDataMovement|
+/airavata/getGridFTPDataMovement|
+/airavata/getUnicoreDataMovement|
+/airavata/deleteJobSubmissionInterface|
+/airavata/deleteDataMovementInterface|
+/airavata/deleteComputeResource|
+/airavata/updateGatewayResourceProfile|
+/airavata/registerGatewayResourceProfile|
+/airavata/getAllGateways|
+/airavata/getGateway|
+/airavata/getAllGatewayComputeResources|
+/airavata/addGatewayComputeResourcePreference|
+/airavata/deleteGatewayResourceProfile|
+/airavata/deleteGatewayComputeResourcePreference|
+/airavata/getAvailableAppInterfaceComputeResources).)*$\r?\n?
 </AttributeValue>
 <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
http://git-wip-us.apache.org/repos/asf/airavata/blob/c3652607/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java ----------------------------------------------------------------------
diff --git a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
index 890aa99..992d17d 100644
--- a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
+++ b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
@@ -21,6 +21,7 @@ package org.apache.airavata.secure.sample;
 import org.apache.airavata.api.client.AiravataClientFactory;
+import org.apache.airavata.model.appcatalog.appdeployment.ApplicationModule;
 import org.apache.airavata.model.error.*;
 import org.apache.airavata.api.Airavata;
 import org.apache.airavata.model.security.AuthzToken;
@@ -35,6 +36,7 @@ import org.slf4j.LoggerFactory;
 import org.wso2.carbon.identity.oauth.stub.dto.OAuthConsumerAppDTO;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Scanner;
@@ -185,7 +187,8 @@ public class SecureClient {
 System.out.println("");
 System.out.println("Enter the number corresponding to the method to be invoked: ");
 System.out.println("1. getAPIVersion");
- System.out.println("2. addGateway");
+ System.out.println("2. getAllAppModules");
+ System.out.println("3. addGateway");
 String methodNumberString = scanner.next();
 int methodNumber = Integer.valueOf(methodNumberString.trim());
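Review bot: `/airavata/getresourceJobManager|` in the new user-permit deny list has a lowercase `r`; `string-regexp-match` is case-sensitive, so if the actual action id is `/airavata/getResourceJobManager` (as the neighbouring `getSSHJobSubmission` and `getLocalJobSubmission` entries suggest) this entry matches nothing and the user role keeps access to that method — confirm the exact id against the service. This list also repeats `/airavata/updateResourceJobManager` and carries the `deleteteway`/`airavaa` misspellings already flagged on the admin-read-only-permit hunk. Since every entry must be a character-exact method name for the lookahead to exclude it, and a single wrong entry silently grants the method to every matching subject, it would be worth a test that checks each listed id against the API's real method names rather than maintaining the list by hand.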
@@ -202,12 +205,23 @@ public class SecureClient {
 System.out.println("");
 System.out.println("Airavata API version: " + version);
 System.out.println("");
- } else if (methodNumber == 2) {
 System.out.println("");
 System.out.println("Enter the gateway id: ");
 String gatewayId = scanner.next().trim();
+ List<ApplicationModule> appModules= client.getAllAppModules(authzToken, gatewayId);
+ System.out.println("Output of getAllAppModuels: ");
+ for (ApplicationModule appModule : appModules) {
+ System.out.println(appModule.getAppModuleName());
+ }
+ System.out.println("");
+ System.out.println("");
+ } else if (methodNumber == 3) {
+ System.out.println("");
+ System.out.println("Enter the gateway id: ");
+ String gatewayId = scanner.next().trim();
+ Gateway gateway = new Gateway(gatewayId);
 gateway.setDomain("airavata.org");
 gateway.setEmailAddress("[email protected]");
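Review bot: The hunk shows `} else if (methodNumber == 2) {` only as a removed line with nothing replacing it on the new side, so as rendered the gateway-id prompt and the `getAllAppModules` call now sit inside the `methodNumber == 1` branch and menu option 2 (added in the hunk at -185,7) does nothing; if that is an artefact of how this page collapsed the diff, ignore it, otherwise the branch header must be restored above `System.out.println("Enter the gateway id: ");`. The output label has a typo and should read `System.out.println("Output of getAllAppModules: ");`, and `appModules= client...` wants a space before `=`. The three-line gateway-id prompt is now duplicated verbatim in the 2 and 3 branches; a small helper such as `private static String promptGatewayId(Scanner scanner)` would remove the repetition. The enclosing method starts and ends outside the hunk.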
