Initial Changes for the API to support data sharing
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/edfbbfe0 Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/edfbbfe0 Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/edfbbfe0 Branch: refs/heads/develop Commit: edfbbfe09e722bd0549b5a0c368f520679d0d927 Parents: 4766b37 Author: scnakandala <[email protected]> Authored: Thu Jul 7 02:31:41 2016 -0400 Committer: scnakandala <[email protected]> Committed: Thu Jul 7 02:31:42 2016 -0400 ---------------------------------------------------------------------- .../server/handler/AiravataServerHandler.java | 351 +- .../java/org/apache/airavata/api/Airavata.java | 42356 +++++++++-------- .../main/resources/lib/airavata/Airavata.cpp | 5557 ++- .../src/main/resources/lib/airavata/Airavata.h | 532 + .../lib/airavata/Airavata_server.skeleton.cpp | 24 + .../resources/lib/airavata/airavata_api_types.h | 1 + .../lib/airavata/airavata_data_models_types.h | 1 + .../lib/airavata/workspace_model_types.cpp | 274 +- .../lib/airavata/workspace_model_types.h | 52 +- .../resources/lib/Airavata/API/Airavata.php | 11419 +++-- .../lib/Airavata/Model/Workspace/Types.php | 197 +- .../lib/apache/airavata/api/Airavata-remote | 21 + .../lib/apache/airavata/api/Airavata.py | 6300 +-- .../resources/lib/apache/airavata/api/ttypes.py | 1 + .../lib/apache/airavata/model/ttypes.py | 1 + .../apache/airavata/model/workspace/ttypes.py | 138 +- .../apache/airavata/model/ComponentStatus.java | 2 +- .../org/apache/airavata/model/EdgeModel.java | 2 +- .../org/apache/airavata/model/NodeModel.java | 2 +- .../org/apache/airavata/model/PortModel.java | 2 +- .../apache/airavata/model/WorkflowModel.java | 2 +- .../apache/airavata/model/WorkflowStatus.java | 2 +- .../ApplicationDeploymentDescription.java | 2 +- .../appdeployment/ApplicationModule.java | 2 +- .../appcatalog/appdeployment/CommandObject.java | 2 +- .../appcatalog/appdeployment/SetEnvPaths.java | 2 +- 
.../ApplicationInterfaceDescription.java | 2 +- .../appcatalog/computeresource/BatchQueue.java | 2 +- .../computeresource/CloudJobSubmission.java | 2 +- .../ComputeResourceDescription.java | 2 +- .../computeresource/GlobusJobSubmission.java | 2 +- .../computeresource/JobSubmissionInterface.java | 2 +- .../computeresource/LOCALSubmission.java | 2 +- .../computeresource/ResourceJobManager.java | 2 +- .../computeresource/SSHJobSubmission.java | 2 +- .../computeresource/UnicoreJobSubmission.java | 2 +- .../ComputeResourcePreference.java | 2 +- .../gatewayprofile/GatewayResourceProfile.java | 2 +- .../gatewayprofile/StoragePreference.java | 2 +- .../StorageResourceDescription.java | 2 +- .../application/io/InputDataObjectType.java | 2 +- .../application/io/OutputDataObjectType.java | 2 +- .../airavata/model/commons/ErrorModel.java | 2 +- .../model/commons/ValidationResults.java | 2 +- .../airavata/model/commons/ValidatorResult.java | 2 +- .../data/movement/DataMovementInterface.java | 2 +- .../data/movement/GridFTPDataMovement.java | 2 +- .../model/data/movement/LOCALDataMovement.java | 2 +- .../model/data/movement/SCPDataMovement.java | 2 +- .../data/movement/UnicoreDataMovement.java | 2 +- .../model/data/replica/DataProductModel.java | 2 +- .../data/replica/DataReplicaLocationModel.java | 2 +- .../model/error/AiravataClientException.java | 2 +- .../model/error/AiravataSystemException.java | 2 +- .../model/error/AuthenticationException.java | 2 +- .../model/error/AuthorizationException.java | 2 +- .../error/ExperimentNotFoundException.java | 2 +- .../model/error/InvalidRequestException.java | 2 +- .../model/error/LaunchValidationException.java | 2 +- .../model/error/ProjectNotFoundException.java | 2 +- .../airavata/model/error/TimedOutException.java | 2 +- .../airavata/model/error/ValidationResults.java | 2 +- .../airavata/model/error/ValidatorResult.java | 2 +- .../model/experiment/ExperimentModel.java | 2 +- .../model/experiment/ExperimentStatistics.java | 2 +- 
.../experiment/ExperimentSummaryModel.java | 2 +- .../experiment/UserConfigurationDataModel.java | 2 +- .../org/apache/airavata/model/job/JobModel.java | 2 +- .../event/ExperimentStatusChangeEvent.java | 2 +- .../model/messaging/event/JobIdentifier.java | 2 +- .../messaging/event/JobStatusChangeEvent.java | 2 +- .../event/JobStatusChangeRequestEvent.java | 2 +- .../airavata/model/messaging/event/Message.java | 2 +- .../messaging/event/ProcessIdentifier.java | 2 +- .../event/ProcessStatusChangeEvent.java | 2 +- .../event/ProcessStatusChangeRequestEvent.java | 2 +- .../messaging/event/ProcessSubmitEvent.java | 2 +- .../messaging/event/ProcessTerminateEvent.java | 2 +- .../model/messaging/event/TaskIdentifier.java | 2 +- .../messaging/event/TaskOutputChangeEvent.java | 2 +- .../messaging/event/TaskStatusChangeEvent.java | 2 +- .../event/TaskStatusChangeRequestEvent.java | 2 +- .../airavata/model/process/ProcessModel.java | 2 +- .../ComputationalResourceSchedulingModel.java | 2 +- .../airavata/model/security/AuthzToken.java | 2 +- .../airavata/model/status/ExperimentStatus.java | 2 +- .../apache/airavata/model/status/JobStatus.java | 2 +- .../airavata/model/status/ProcessStatus.java | 2 +- .../airavata/model/status/TaskStatus.java | 2 +- .../model/task/DataStagingTaskModel.java | 2 +- .../model/task/EnvironmentSetupTaskModel.java | 2 +- .../model/task/JobSubmissionTaskModel.java | 2 +- .../airavata/model/task/MonitorTaskModel.java | 2 +- .../apache/airavata/model/task/TaskModel.java | 2 +- .../airavata/model/user/NSFDemographics.java | 2 +- .../apache/airavata/model/user/UserProfile.java | 2 +- .../airavata/model/workspace/Gateway.java | 2 +- .../apache/airavata/model/workspace/Group.java | 2 +- .../airavata/model/workspace/Notification.java | 2 +- .../airavata/model/workspace/Project.java | 143 +- .../apache/airavata/model/workspace/User.java | 620 +- .../resources/airavata-default-xacml-policy.xml | 9 +- .../airavata/grouper/GroupManagerCPI.java | 20 + 
.../airavata/grouper/GroupManagerException.java | 36 + .../airavata/grouper/GroupManagerFactory.java | 42 + .../airavata/grouper/GroupManagerImpl.java | 52 + .../utils/ThriftDataModelConversion.java | 1 + .../airavata-apis/airavata_api.thrift | 26 + .../data-models/airavata_data_models.thrift | 1 + .../workspace_model.thrift | 19 +- .../group_manager_model.thrift | 53 +- 111 files changed, 39742 insertions(+), 28671 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata/blob/edfbbfe0/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java index 1a7ee72..6ed3829 100644 --- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java +++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java 
@@ -33,6 +33,12 @@ import org.apache.airavata.credential.store.cpi.CredentialStoreService;
 import org.apache.airavata.credential.store.datamodel.PasswordCredential;
 import org.apache.airavata.credential.store.datamodel.SSHCredential;
 import org.apache.airavata.credential.store.exception.CredentialStoreException;
+import org.apache.airavata.grouper.GroupManagerCPI;
+import org.apache.airavata.grouper.GroupManagerException;
+import org.apache.airavata.grouper.GroupManagerFactory;
+import org.apache.airavata.grouper.SubjectType;
+import org.apache.airavata.grouper.permission.PermissionAction;
+import org.apache.airavata.grouper.resource.Resource;
 import org.apache.airavata.messaging.core.MessageContext;
 import org.apache.airavata.messaging.core.Publisher;
 import org.apache.airavata.messaging.core.PublisherFactory;
@@ -54,6 +60,8 @@ import org.apache.airavata.model.data.replica.DataProductModel;
 import org.apache.airavata.model.data.replica.DataReplicaLocationModel;
 import org.apache.airavata.model.error.*;
 import org.apache.airavata.model.experiment.*;
+import org.apache.airavata.model.group.ResourcePermissionType;
+import org.apache.airavata.model.group.ResourceType;
 import org.apache.airavata.model.job.JobModel;
 import org.apache.airavata.model.messaging.event.ExperimentStatusChangeEvent;
 import org.apache.airavata.model.messaging.event.MessageType;
@@ -619,6 +627,20 @@ public class AiravataServerHandler implements Airavata.Iface {
 exception.setMessage("Project does not exist in the system. Please provide a valid project ID...");
 throw exception;
 }
+
+ Project existingProject = (Project) experimentCatalog.get(ExperimentCatalogModelType.PROJECT, projectId);
+ if(!authzToken.getClaimsMap().get("userName").equals(existingProject.getOwner())
+ || !authzToken.getClaimsMap().get("gatewayId").equals(existingProject.getGatewayId())){
+ try {
+ if(!hasPermission(authzToken.getClaimsMap().get("userName")+"@"+authzToken.getClaimsMap().get("gatewayId"),
+ existingProject.getProjectID(), ResourceType.PROJECT, ResourcePermissionType.WRITE)){
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ } catch (GroupManagerException e) {
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ }
+
 experimentCatalog.update(ExperimentCatalogModelType.PROJECT, updatedProject, projectId);
 logger.debug("Airavata updated project with project Id : " + projectId );
 } catch (RegistryException e) {
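Review bot: The added owner check calls `.equals` on `authzToken.getClaimsMap().get("userName")` and `get("gatewayId")` with no null guard, so a token missing either claim fails with a NullPointerException, which the surrounding `catch (RegistryException e)` does not translate, instead of the AuthorizationException the method declares; whether @SecurityCheck already guarantees both claims is not visible here. The same inline block, varying only in the permission type and in its positive or negated form, is repeated in the hunks at +666, +717, +1053, +1243, +1298 and +1439, so the policy (owner in the same gateway, else ask grouper, else deny) now lives in seven places. A helper that validates the claims once and keeps the fail-closed handling of GroupManagerException reduces each project site to `checkProjectAccess(authzToken, existingProject, ResourcePermissionType.WRITE);`, with an analogous checkExperimentAccess over ExperimentModel for the experiment hunks. The enclosing method starts before and ends after this hunk.
```java
/**
 * Fails closed: throws unless the token's user is the project owner in the same gateway, or
 * grouper reports the requested permission for user@gateway. A token missing either claim is
 * rejected rather than dereferenced.
 */
private void checkProjectAccess(AuthzToken authzToken, Project project, ResourcePermissionType permissionType)
        throws AuthorizationException {
    String userName = authzToken.getClaimsMap().get("userName");
    String gatewayId = authzToken.getClaimsMap().get("gatewayId");
    if (userName == null || gatewayId == null) {
        throw new AuthorizationException("User does not have permission to access this resource");
    }
    if (userName.equals(project.getOwner()) && gatewayId.equals(project.getGatewayId())) {
        return;
    }
    try {
        if (!hasPermission(userName + "@" + gatewayId, project.getProjectID(), ResourceType.PROJECT, permissionType)) {
            throw new AuthorizationException("User does not have permission to access this resource");
        }
    } catch (GroupManagerException e) {
        // Grouper unavailable or resource unknown to it: deny rather than fall open.
        throw new AuthorizationException("User does not have permission to access this resource");
    }
}
```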
@@ -644,6 +666,20 @@ public class AiravataServerHandler implements Airavata.Iface {
 exception.setMessage("Project does not exist in the system. Please provide a valid project ID...");
 throw exception;
 }
+
+ Project existingProject = (Project) experimentCatalog.get(ExperimentCatalogModelType.PROJECT, projectId);
+ if(!authzToken.getClaimsMap().get("userName").equals(existingProject.getOwner())
+ || !authzToken.getClaimsMap().get("gatewayId").equals(existingProject.getGatewayId())){
+ try {
+ if(!hasPermission(authzToken.getClaimsMap().get("userName")+"@"+authzToken.getClaimsMap().get("gatewayId"),
+ existingProject.getProjectID(), ResourceType.PROJECT, ResourcePermissionType.WRITE)){
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ } catch (GroupManagerException e) {
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ }
+
 experimentCatalog.remove(ExperimentCatalogModelType.PROJECT, projectId);
 logger.debug("Airavata deleted project with project Id : " + projectId );
 return true;
@@ -681,7 +717,23 @@ public class AiravataServerHandler implements Airavata.Iface {
 throw exception;
 }
 logger.debug("Airavata retrieved project with project Id : " + projectId );
- return (Project) experimentCatalog.get(ExperimentCatalogModelType.PROJECT, projectId);
+
+ Project project = (Project) experimentCatalog.get(ExperimentCatalogModelType.PROJECT, projectId);
+ if(authzToken.getClaimsMap().get("userName").equals(project.getOwner())
+ && authzToken.getClaimsMap().get("gatewayId").equals(project.getGatewayId())){
+ return project;
+ }else{
+ try {
+ if(hasPermission(authzToken.getClaimsMap().get("userName")+"@"+authzToken.getClaimsMap().get("gatewayId"),
+ project.getProjectID(), ResourceType.PROJECT, ResourcePermissionType.READ)){
+ return project;
+ }else {
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ } catch (GroupManagerException e) {
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ }
 } catch (RegistryException e) {
 logger.error("Error while retrieving the project", e);
 ProjectNotFoundException exception = new ProjectNotFoundException();
@@ -808,14 +860,18 @@ public class AiravataServerHandler implements Airavata.Iface {
 }
 }
- //FIXME - These accessible IDs should come from grouper
 Map<String, String> temp = new HashMap();
 temp.put(Constants.FieldConstants.ProjectConstants.OWNER, userName);
 temp.put(Constants.FieldConstants.ProjectConstants.GATEWAY_ID, gatewayId);
- List<Object> allUserProjects = experimentCatalog.search(ExperimentCatalogModelType.PROJECT, temp, -1,
- 0, Constants.FieldConstants.ProjectConstants.CREATION_TIME, ResultOrderType.DESC);
- List<String> accessibleProjIds = new ArrayList<>();
- allUserProjects.stream().forEach(e->accessibleProjIds.add(((Project) e).getProjectID()));
+ final List<String> accessibleProjIds = new ArrayList<>();
+ try{
+ accessibleProjIds.addAll(getAllAccessibleResourcesForUser(userName+"@"+gatewayId, ResourceType.PROJECT, ResourcePermissionType.READ));
+ }catch (GroupManagerException ex){
+ logger.error(ex.getMessage(), ex);
+ List<Object> allUserProjects = experimentCatalog.search(ExperimentCatalogModelType.PROJECT, temp, -1,
+ 0, Constants.FieldConstants.ProjectConstants.CREATION_TIME, ResultOrderType.DESC);
+ allUserProjects.stream().forEach(e->accessibleProjIds.add(((Project) e).getProjectID()));
+ }
 List<Object> results = experimentCatalog.searchAllAccessible(ExperimentCatalogModelType.PROJECT, accessibleProjIds,
 regFilters, limit, offset, Constants.FieldConstants.ProjectConstants.CREATION_TIME, ResultOrderType.DESC);
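Review bot: With this change the accessible project IDs come only from `getAllAccessibleResourcesForUser`, and the catalog search for the user's own projects runs only when grouper throws; since in this commit a resource is registered with grouper only on its first share (initializeResourceWithGrouper is reached from shareResourceWithUsers and revokeSharingOfResourceFromUsers), a user's never-shared projects would drop out of the search whenever grouper is reachable, unless projects are registered at creation time somewhere this diff does not show. Building the list as the union of the owner search and the grouper result keeps the owner's projects in scope in both cases, and a grouper failure then degrades to owner-only results, as shown below. The experiment-search hunk at +952 has the same shape and needs the same treatment. The enclosing method starts before and ends after this hunk.
```java
// … unchanged: temp map populated with OWNER and GATEWAY_ID …
// The owner's own projects always come from the catalog; grouper only adds shared ones.
final List<String> accessibleProjIds = new ArrayList<>();
List<Object> allUserProjects = experimentCatalog.search(ExperimentCatalogModelType.PROJECT, temp, -1,
        0, Constants.FieldConstants.ProjectConstants.CREATION_TIME, ResultOrderType.DESC);
allUserProjects.stream().forEach(e -> accessibleProjIds.add(((Project) e).getProjectID()));
try {
    for (String sharedId : getAllAccessibleResourcesForUser(userName + "@" + gatewayId,
            ResourceType.PROJECT, ResourcePermissionType.READ)) {
        if (!accessibleProjIds.contains(sharedId)) {
            accessibleProjIds.add(sharedId);
        }
    }
} catch (GroupManagerException ex) {
    // Grouper unavailable: degrade to owner-only results instead of failing the search.
    logger.error(ex.getMessage(), ex);
}
// … unchanged: searchAllAccessible call …
```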
@@ -896,14 +952,19 @@ public class AiravataServerHandler implements Airavata.Iface {
 }
 }
- //FIXME - These accessible IDs should come from grouper
 Map<String, String> temp = new HashMap();
 temp.put(Constants.FieldConstants.ExperimentConstants.USER_NAME, userName);
 temp.put(Constants.FieldConstants.ExperimentConstants.GATEWAY_ID, gatewayId);
- List<Object> allUserExperiments = experimentCatalog.search(ExperimentCatalogModelType.EXPERIMENT, temp, -1,
- 0, Constants.FieldConstants.ExperimentConstants.CREATION_TIME, ResultOrderType.DESC);
- List<String> accessibleExpIds = new ArrayList<>();
- allUserExperiments.stream().forEach(e->accessibleExpIds.add(((ExperimentSummaryModel) e).getExperimentId()));
+
+ final List<String> accessibleExpIds = new ArrayList<>();
+ try{
+ accessibleExpIds.addAll(getAllAccessibleResourcesForUser(userName + "@" + gatewayId, ResourceType.EXPERIMENT, ResourcePermissionType.READ));
+ }catch (GroupManagerException ex){
+ logger.error(ex.getMessage(), ex);
+ List<Object> allUserExperiments = experimentCatalog.search(ExperimentCatalogModelType.EXPERIMENT, temp, -1,
+ 0, Constants.FieldConstants.ExperimentConstants.CREATION_TIME, ResultOrderType.DESC);
+ allUserExperiments.stream().forEach(e->accessibleExpIds.add(((ExperimentSummaryModel) e).getExperimentId()));
+ }
 List<Object> results = experimentCatalog.searchAllAccessible(ExperimentCatalogModelType.EXPERIMENT, accessibleExpIds, regFilters, limit,
@@ -992,6 +1053,20 @@ public class AiravataServerHandler implements Airavata.Iface {
 exception.setMessage("Project does not exist in the system. Please provide a valid project ID...");
 throw exception;
 }
+
+ Project project = (Project) experimentCatalog.get(ExperimentCatalogModelType.PROJECT, projectId);
+ if(!authzToken.getClaimsMap().get("userName").equals(project.getOwner())
+ || !authzToken.getClaimsMap().get("gatewayId").equals(project.getGatewayId())){
+ try {
+ if(!hasPermission(authzToken.getClaimsMap().get("userName")+"@"+authzToken.getClaimsMap().get("gatewayId"),
+ project.getProjectID(), ResourceType.PROJECT, ResourcePermissionType.READ)){
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ } catch (GroupManagerException e) {
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ }
+
 List<ExperimentModel> experiments = new ArrayList<ExperimentModel>();
 List<Object> list = experimentCatalog.get(ExperimentCatalogModelType.EXPERIMENT,
 Constants.FieldConstants.ExperimentConstants.PROJECT_ID, projectId, limit, offset,
@@ -1168,6 +1243,19 @@ public class AiravataServerHandler implements Airavata.Iface {
 throw new ExperimentNotFoundException("Requested experiment id " + experimentId + " does not exist in the system..");
 }
 ExperimentModel experimentModel = (ExperimentModel) experimentCatalog.get(ExperimentCatalogModelType.EXPERIMENT, experimentId);
+
+ if(!authzToken.getClaimsMap().get("userName").equals(experimentModel.getUserName())
+ || !authzToken.getClaimsMap().get("gatewayId").equals(experimentModel.getGatewayId())){
+ try {
+ if(! hasPermission(authzToken.getClaimsMap().get("userName")+"@"+authzToken.getClaimsMap().get("gatewayId"),
+ experimentModel.getExperimentId(), ResourceType.EXPERIMENT, ResourcePermissionType.WRITE)){
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ } catch (GroupManagerException e) {
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ }
+
 if(!(experimentModel.getExperimentStatus().getState() == ExperimentState.CREATED)){
 logger.error("Error while deleting the experiment");
 throw new ExperimentCatalogException("Experiment is not in CREATED state. Hence cannot deleted. ID:"+ experimentId);
@@ -1210,7 +1298,22 @@ public class AiravataServerHandler implements Airavata.Iface {
 @SecurityCheck
 public ExperimentModel getExperiment(AuthzToken authzToken, String airavataExperimentId) throws InvalidRequestException, ExperimentNotFoundException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
- return getExperimentInternal(airavataExperimentId);
+ ExperimentModel experimentModel = getExperimentInternal(airavataExperimentId);
+ if(authzToken.getClaimsMap().get("userName").equals(experimentModel.getUserName())
+ && authzToken.getClaimsMap().get("gatewayId").equals(experimentModel.getGatewayId())){
+ return experimentModel;
+ }else{
+ try {
+ if(hasPermission(authzToken.getClaimsMap().get("userName")+"@"+authzToken.getClaimsMap().get("gatewayId"),
+ experimentModel.getExperimentId(), ResourceType.EXPERIMENT, ResourcePermissionType.READ)){
+ return experimentModel;
+ }else {
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ } catch (GroupManagerException e) {
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ }
 }
 /**
@@ -1336,6 +1439,20 @@ public class AiravataServerHandler implements Airavata.Iface {
 logger.error(airavataExperimentId, "Update request failed, Experiment {} doesn't exist.", airavataExperimentId);
 throw new ExperimentNotFoundException("Requested experiment id " + airavataExperimentId + " does not exist in the system..");
 }
+
+ ExperimentModel experimentModel = (ExperimentModel) experimentCatalog.get(ExperimentCatalogModelType.EXPERIMENT, airavataExperimentId);
+ if(!authzToken.getClaimsMap().get("userName").equals(experimentModel.getUserName())
+ || !authzToken.getClaimsMap().get("gatewayId").equals(experimentModel.getGatewayId())){
+ try {
+ if(! hasPermission(authzToken.getClaimsMap().get("userName")+"@"+authzToken.getClaimsMap().get("gatewayId"),
+ experimentModel.getExperimentId(), ResourceType.EXPERIMENT, ResourcePermissionType.WRITE)){
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ } catch (GroupManagerException e) {
+ throw new AuthorizationException("User does not have permission to access this resource");
+ }
+ }
+
 ExperimentStatus experimentStatus = getExperimentStatusInternal(airavataExperimentId);
 if (experimentStatus != null){
 ExperimentState experimentState = experimentStatus.getState();
@@ -1370,7 +1487,13 @@ public class AiravataServerHandler implements Airavata.Iface {
 throw exception;
 }
 }
- } catch (Exception e) {
+ } catch (RegistryException e) {
+ logger.error(airavataExperimentId, "Error while updating experiment", e);
+ AiravataSystemException exception = new AiravataSystemException();
+ exception.setAiravataErrorType(AiravataErrorType.INTERNAL_ERROR);
+ exception.setMessage("Error while updating experiment. More info : " + e.getMessage());
+ throw exception;
+ } catch (AppCatalogException e) {
 logger.error(airavataExperimentId, "Error while updating experiment", e);
 AiravataSystemException exception = new AiravataSystemException();
 exception.setAiravataErrorType(AiravataErrorType.INTERNAL_ERROR);
@@ -4241,6 +4364,208 @@ public class AiravataServerHandler implements Airavata.Iface { } } + /** + * Group Manager and Data Sharing Related API methods + * + * @param authzToken + * @param resourceId + * @param resourceType + * @param userPermissionList + */ + @Override + @SecurityCheck + public boolean shareResourceWithUsers(AuthzToken authzToken, String resourceId, ResourceType resourceType, + Map<String, ResourcePermissionType> userPermissionList) throws InvalidRequestException, + AiravataClientException, AiravataSystemException, AuthorizationException, TException { + try { + if(!isResourceExistsInGrouper(resourceId, resourceType)){ + initializeResourceWithGrouper(resourceId, resourceType); + } + GroupManagerCPI groupManager = GroupManagerFactory.getGroupManager(); + for(Map.Entry<String, ResourcePermissionType> entry : userPermissionList.entrySet()){ + org.apache.airavata.grouper.resource.ResourceType gResouceType; + if(resourceType.equals(ResourceType.EXPERIMENT)){ + gResouceType = org.apache.airavata.grouper.resource.ResourceType.EXPERIMENT; + }else if(resourceType.equals(ResourceType.PROJECT)){ + gResouceType = org.apache.airavata.grouper.resource.ResourceType.PROJECT; + }else{ + //Unsupported data type + continue; + } + + if(entry.getValue().equals(ResourcePermissionType.READ)){ + groupManager.grantPermission(entry.getKey(), SubjectType.PERSON, resourceId, gResouceType, PermissionAction.READ); + }else if(entry.getValue().equals(ResourcePermissionType.WRITE)){ + groupManager.grantPermission(entry.getKey(), SubjectType.PERSON, resourceId, gResouceType, PermissionAction.WRITE); + }else{ + //Unsupported permission type + continue; + } + } + return true; + } catch (Exception e) { + String msg = "Error in sharing resource with users. 
Resource ID : " + resourceId + " Resource Type : " + resourceType.toString() ; + logger.error(msg, e); + AiravataSystemException exception = new AiravataSystemException(AiravataErrorType.INTERNAL_ERROR); + exception.setMessage(msg + " More info : " + e.getMessage()); + throw exception; + } + } + + @Override + @SecurityCheck + public boolean revokeSharingOfResourceFromUsers(AuthzToken authzToken, String resourceId, ResourceType resourceType, + Map<String, ResourcePermissionType> userPermissionList) throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException { + try { + if(!isResourceExistsInGrouper(resourceId, resourceType)){ + initializeResourceWithGrouper(resourceId, resourceType); + } + GroupManagerCPI groupManager = GroupManagerFactory.getGroupManager(); + for(Map.Entry<String, ResourcePermissionType> entry : userPermissionList.entrySet()){ + org.apache.airavata.grouper.resource.ResourceType gResouceType; + if(resourceType.equals(ResourceType.EXPERIMENT)){ + gResouceType = org.apache.airavata.grouper.resource.ResourceType.EXPERIMENT; + }else if(resourceType.equals(ResourceType.PROJECT)){ + gResouceType = org.apache.airavata.grouper.resource.ResourceType.PROJECT; + }else{ + //Unsupported data type + continue; + } + + if(entry.getValue().equals(ResourcePermissionType.READ)){ + groupManager.revokePermission(entry.getKey(), SubjectType.PERSON, resourceId, gResouceType, PermissionAction.READ); + }else if(entry.getValue().equals(ResourcePermissionType.WRITE)){ + groupManager.revokePermission(entry.getKey(), SubjectType.PERSON, resourceId, gResouceType, PermissionAction.WRITE); + }else{ + //Unsupported permission type + continue; + } + } + return true; + } catch (Exception e) { + String msg = "Error in revoking access to resouce from users. 
Resource ID : " + resourceId + " Resource Type : " + resourceType.toString() ; + logger.error(msg, e); + AiravataSystemException exception = new AiravataSystemException(AiravataErrorType.INTERNAL_ERROR); + exception.setMessage(msg + " More info : " + e.getMessage()); + throw exception; + } + } + + @Override + @SecurityCheck + public List<String> getAllAccessibleUsers(AuthzToken authzToken, String resourceId, ResourceType resourceType, ResourcePermissionType permissionType) throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException { + try { + GroupManagerCPI groupManager = GroupManagerFactory.getGroupManager(); + org.apache.airavata.grouper.resource.ResourceType gResourceType; + if(resourceType.equals(ResourceType.PROJECT)){ + gResourceType = org.apache.airavata.grouper.resource.ResourceType.PROJECT; + }else if(resourceType.equals(ResourceType.EXPERIMENT)){ + gResourceType = org.apache.airavata.grouper.resource.ResourceType.EXPERIMENT; + }else{ + throw new GroupManagerException("Unsupported Resource Type"); + } + + org.apache.airavata.grouper.permission.PermissionAction gPermissionType; + if(permissionType.equals(ResourcePermissionType.READ)){ + gPermissionType = PermissionAction.READ; + } else if (permissionType.equals(ResourcePermissionType.WRITE)){ + gPermissionType = PermissionAction.WRITE; + }else{ + throw new GroupManagerException("Unsupported Permission Type"); + } + List<String> accessibleUsers = new ArrayList<>(); + accessibleUsers.addAll(groupManager.getAllAccessibleUsers(resourceId, gResourceType, gPermissionType)); + return accessibleUsers; + } catch (GroupManagerException e) { + String msg = "Error in getting all accessible users for resource. 
Resource ID : " + resourceId + " Resource Type : " + resourceType.toString() ; + logger.error(msg, e); + AiravataSystemException exception = new AiravataSystemException(AiravataErrorType.INTERNAL_ERROR); + exception.setMessage(msg + " More info : " + e.getMessage()); + throw exception; + } + } + + private void initializeResourceWithGrouper(String resourceId, ResourceType resourceType) throws RegistryException, GroupManagerException { + ExperimentCatalog experimentCatalog = RegistryFactory.getDefaultExpCatalog(); + GroupManagerCPI groupManager = GroupManagerFactory.getGroupManager(); + if(resourceType.equals(ResourceType.PROJECT)){ + Project project = (Project) experimentCatalog.get(ExperimentCatalogModelType.PROJECT, resourceId); + + Resource projectResource = new Resource(project.getProjectID(), org.apache.airavata.grouper.resource.ResourceType.PROJECT); + projectResource.setName(project.getName()); + projectResource.setDescription(project.getDescription()); + projectResource.setOwnerId(project.getOwner()+"@"+project.getGatewayId()); + groupManager.createResource(projectResource); + + }else if(resourceType.equals(ResourceType.EXPERIMENT)){ + ExperimentModel experiment = (ExperimentModel) experimentCatalog.get(ExperimentCatalogModelType.EXPERIMENT, resourceId); + Resource experimentResource = new Resource(experiment.getExperimentId(), org.apache.airavata.grouper.resource.ResourceType.EXPERIMENT); + experimentResource.setName(experiment.getExperimentName()); + experimentResource.setDescription(experiment.getDescription()); + experimentResource.setParentResourceId(experiment.getProjectId()); + experimentResource.setOwnerId(experiment.getUserName()+"@"+experiment.getGatewayId()); + groupManager.createResource(experimentResource); + } + throw new GroupManagerException("Unsupported Resource Type"); + } + + private boolean isResourceExistsInGrouper(String resourceId, ResourceType resourceType) throws GroupManagerException { + GroupManagerCPI groupManager = 
GroupManagerFactory.getGroupManager(); + if(resourceType.equals(ResourceType.PROJECT)){ + return groupManager.isResourceRegistered(resourceId, org.apache.airavata.grouper.resource.ResourceType.PROJECT); + }else if(resourceType.equals(ResourceType.EXPERIMENT)){ + return groupManager.isResourceRegistered(resourceId, org.apache.airavata.grouper.resource.ResourceType.EXPERIMENT); + } + throw new GroupManagerException("Unsupported Resource Type"); + } + + private boolean hasPermission(String userId, String resourceId, ResourceType resourceType, ResourcePermissionType permissionType) throws GroupManagerException { + GroupManagerCPI groupManager = GroupManagerFactory.getGroupManager(); + org.apache.airavata.grouper.resource.ResourceType gResourceType; + if(resourceType.equals(ResourceType.PROJECT)){ + gResourceType = org.apache.airavata.grouper.resource.ResourceType.PROJECT; + }else if(resourceType.equals(ResourceType.EXPERIMENT)){ + gResourceType = org.apache.airavata.grouper.resource.ResourceType.EXPERIMENT; + }else{ + throw new GroupManagerException("Unsupported Resource Type"); + } + + org.apache.airavata.grouper.permission.PermissionAction gPermissionType; + if(permissionType.equals(ResourcePermissionType.READ)){ + gPermissionType = PermissionAction.READ; + } else if (permissionType.equals(ResourcePermissionType.WRITE)){ + gPermissionType = PermissionAction.WRITE; + }else{ + throw new GroupManagerException("Unsupported Permission Type"); + } + Set<String> accessibleUsers = groupManager.getAllAccessibleUsers(resourceId, gResourceType, gPermissionType); + return accessibleUsers.contains(userId); + } + + private List<String> getAllAccessibleResourcesForUser(String userId, ResourceType resourceType, ResourcePermissionType permissionType) throws GroupManagerException { + GroupManagerCPI groupManager = GroupManagerFactory.getGroupManager(); + org.apache.airavata.grouper.resource.ResourceType gResourceType; + if(resourceType.equals(ResourceType.PROJECT)){ + gResourceType = 
org.apache.airavata.grouper.resource.ResourceType.PROJECT; + }else if(resourceType.equals(ResourceType.EXPERIMENT)){ + gResourceType = org.apache.airavata.grouper.resource.ResourceType.EXPERIMENT; + }else{ + throw new GroupManagerException("Unsupported Resource Type"); + } + + org.apache.airavata.grouper.permission.PermissionAction gPermissionType; + if(permissionType.equals(ResourcePermissionType.READ)){ + gPermissionType = PermissionAction.READ; + } else if (permissionType.equals(ResourcePermissionType.WRITE)){ + gPermissionType = PermissionAction.WRITE; + }else{ + throw new GroupManagerException("Unsupported Permission Type"); + } + + List<String> allAccessibleResources = groupManager.getAccessibleResourcesForUser(userId, gResourceType, gPermissionType); + return allAccessibleResources; + } + private CredentialStoreService.Client getCredentialStoreServiceClient() throws TException, ApplicationSettingsException { final int serverPort = Integer.parseInt(ServerSettings.getCredentialStoreServerPort()); final String serverHost = ServerSettings.getCredentialStoreServerHost();
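Review bot: shareResourceWithUsers and revokeSharingOfResourceFromUsers never consult the caller's claims, so any authenticated user who passes @SecurityCheck can grant or revoke READ/WRITE on any project or experiment id, including resources they neither own nor have been granted; the read/update/delete hunks in this commit do enforce owner-or-permission, so the sharing entry points should apply the same policy before touching grouper, and the guard must sit outside the `try` because the `catch (Exception e)` there would otherwise turn an AuthorizationException into an INTERNAL_ERROR. A separate defect: initializeResourceWithGrouper falls through to `throw new GroupManagerException("Unsupported Resource Type");` after both successful branches, so the first share of any resource registers it with grouper and then fails; moving that throw into an `else` branch fixes it. The Javadoc on shareResourceWithUsers is a section banner with empty @param tags rather than a description of the method's contract, and the two sharing methods duplicate the ResourceType/PermissionAction mapping that hasPermission and getAllAccessibleUsers already contain. The rewrite below adds the ownership guard as a helper and shows where it is called.
```java
// … unchanged: shareResourceWithUsers signature …
    // Before the try: the catch (Exception e) below must not mask a denial as INTERNAL_ERROR.
    checkSharingAllowed(authzToken, resourceId, resourceType);
    try {
// … unchanged: rest of shareResourceWithUsers; revokeSharingOfResourceFromUsers gets the same call …

/**
 * Allows a sharing change only for the resource's owner (taken from the catalog, so it works before
 * the resource is registered with grouper) or a user already granted WRITE on it. Any failure to
 * establish ownership is treated as a denial.
 */
private void checkSharingAllowed(AuthzToken authzToken, String resourceId, ResourceType resourceType)
        throws AuthorizationException {
    String userName = authzToken.getClaimsMap().get("userName");
    String gatewayId = authzToken.getClaimsMap().get("gatewayId");
    if (userName == null || gatewayId == null) {
        throw new AuthorizationException("User does not have permission to share this resource");
    }
    try {
        ExperimentCatalog experimentCatalog = RegistryFactory.getDefaultExpCatalog();
        boolean isOwner;
        if (resourceType.equals(ResourceType.PROJECT)) {
            Project project = (Project) experimentCatalog.get(ExperimentCatalogModelType.PROJECT, resourceId);
            isOwner = project != null && userName.equals(project.getOwner()) && gatewayId.equals(project.getGatewayId());
        } else if (resourceType.equals(ResourceType.EXPERIMENT)) {
            ExperimentModel experiment = (ExperimentModel) experimentCatalog.get(ExperimentCatalogModelType.EXPERIMENT, resourceId);
            isOwner = experiment != null && userName.equals(experiment.getUserName()) && gatewayId.equals(experiment.getGatewayId());
        } else {
            throw new GroupManagerException("Unsupported Resource Type");
        }
        if (!isOwner && !hasPermission(userName + "@" + gatewayId, resourceId, resourceType, ResourcePermissionType.WRITE)) {
            throw new AuthorizationException("User does not have permission to share this resource");
        }
    } catch (RegistryException | GroupManagerException e) {
        logger.error("Could not verify ownership of resource " + resourceId, e);
        throw new AuthorizationException("User does not have permission to share this resource");
    }
}

private void initializeResourceWithGrouper(String resourceId, ResourceType resourceType) throws RegistryException, GroupManagerException {
    // … unchanged: catalog and group manager lookup …
    if (resourceType.equals(ResourceType.PROJECT)) {
        // … unchanged: build and create the project resource …
    } else if (resourceType.equals(ResourceType.EXPERIMENT)) {
        // … unchanged: build and create the experiment resource …
    } else {
        // Was unconditional, so it also ran after a successful createResource.
        throw new GroupManagerException("Unsupported Resource Type");
    }
}
```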
