Repository: incubator-brooklyn Updated Branches: refs/heads/master c4c615b10 -> 66226030c
Adds entitlement check to state checks Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/2bcdf649 Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/2bcdf649 Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/2bcdf649 Branch: refs/heads/master Commit: 2bcdf649b84ea0d3f46134cbf06b93b74d5e14e4 Parents: fbfd78f Author: Martin Harris <[email protected]> Authored: Thu Nov 20 09:55:51 2014 +0000 Committer: Martin Harris <[email protected]> Committed: Thu Nov 20 09:55:51 2014 +0000 ---------------------------------------------------------------------- .../java/brooklyn/management/entitlement/Entitlements.java | 9 +++++++++ .../main/java/brooklyn/rest/resources/ServerResource.java | 4 ++++ 2 files changed, 13 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/2bcdf649/core/src/main/java/brooklyn/management/entitlement/Entitlements.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/brooklyn/management/entitlement/Entitlements.java b/core/src/main/java/brooklyn/management/entitlement/Entitlements.java index 85dc6fb..d35df64 100644 --- a/core/src/main/java/brooklyn/management/entitlement/Entitlements.java +++ b/core/src/main/java/brooklyn/management/entitlement/Entitlements.java 
@@ -66,6 +66,9 @@ public class Entitlements { * secondary check required for any operation which could potentially grant root-level access */ public static EntitlementClass<Void> ROOT = new BasicEntitlementClassDefinition<Void>("root", Void.class); + /** permission to see the server status API */ + public static EntitlementClass<Void> SERVER_STATUS = new BasicEntitlementClassDefinition<Void>("server.status", Void.class); + public static enum EntitlementClassesEnum { ENTITLEMENT_SEE_ENTITY(SEE_ENTITY), ENTITLEMENT_SEE_SENSOR(SEE_SENSOR), @@ -74,6 +77,7 @@ public class Entitlements { ENTITLEMENT_DEPLOY_APPLICATION(DEPLOY_APPLICATION), ENTITLEMENT_SEE_ALL_SERVER_INFO(SEE_ALL_SERVER_INFO), ENTITLEMENT_ROOT(ROOT), + ENTITLEMENT_SERVER_STATUS(SERVER_STATUS), ; private EntitlementClass<?> entitlementClass; @@ -217,6 +221,11 @@ public class Entitlements { ); } + /** allow healthcheck */ + public static EntitlementManager serverStatusOnly() { + return FineGrainedEntitlements.allowing(SERVER_STATUS); + } + // ------------- lookup conveniences ------------- private static class PerThreadEntitlementContextHolder { http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/2bcdf649/usage/rest-server/src/main/java/brooklyn/rest/resources/ServerResource.java ---------------------------------------------------------------------- diff --git a/usage/rest-server/src/main/java/brooklyn/rest/resources/ServerResource.java b/usage/rest-server/src/main/java/brooklyn/rest/resources/ServerResource.java index 04424d4..5072850 100644 --- a/usage/rest-server/src/main/java/brooklyn/rest/resources/ServerResource.java +++ b/usage/rest-server/src/main/java/brooklyn/rest/resources/ServerResource.java 
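Review bot: The new `SERVER_STATUS` field in the first Entitlements.java hunk is `public static` but not `final`, so any code in the JVM can reassign the entitlement class that the REST checks compare against. It mirrors the existing `ROOT` declaration in the context lines, but a permission constant is better declared as `public static final EntitlementClass<Void> SERVER_STATUS = ...`. The existing entitlement managers are outside this diff. If any of them deny classes they do not recognise, callers who could read HA state before this commit will now be refused, so it is worth confirming which built-in managers are meant to grant `server.status`.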
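Review bot: The Javadoc on `serverStatusOnly()` in the third hunk, `/** allow healthcheck */`, does not say what the returned manager refuses, which is what someone wiring it to a monitoring account needs to know. The body of `FineGrainedEntitlements.allowing` is not in this diff, so whether it denies every other entitlement class should be confirmed first. If it does, I would write `/** Returns a manager that grants only {@link #SERVER_STATUS}, for health-check accounts; every other entitlement class is denied. */`.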
@@ -246,6 +246,8 @@ public class ServerResource extends AbstractBrooklynRestResource implements Serv @Override public ManagementNodeState getHighAvailabilityNodeState() { + if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS, null)) + throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation", Entitlements.getEntitlementContext().user()); return mgmt().getHighAvailabilityManager().getNodeState(); } @@ -280,6 +282,8 @@ public class ServerResource extends AbstractBrooklynRestResource implements Serv @Override public HighAvailabilitySummary getHighAvailabilityPlaneStates() { + if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS, null)) + throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation", Entitlements.getEntitlementContext().user()); ManagementPlaneSyncRecord memento = mgmt().getHighAvailabilityManager().getLastManagementPlaneSyncRecord(); if (memento==null) memento = mgmt().getHighAvailabilityManager().loadManagementPlaneSyncRecord(true); if (memento==null) return null;
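Review bot: The denial path added to `getHighAvailabilityNodeState()` calls `Entitlements.getEntitlementContext().user()` without a null check. The per-thread context holder visible in Entitlements.java suggests the context can be unset, in which case the caller would get a NullPointerException and a 500 instead of the intended authorization failure. The same two lines are repeated in `getHighAvailabilityPlaneStates()` in the second hunk, whose body continues past the hunk. I would move the check into one private helper that resolves the user name defensively and braces the `if`, so a later edit cannot separate the throw from its condition. It is also worth confirming that `WebResourceUtils.unauthorized` returns the status you intend for an authenticated user who lacks the entitlement, which would normally be 403 rather than 401.

```java
// … unchanged: @Override and signature of getHighAvailabilityNodeState() …
        checkServerStatusEntitled();
        return mgmt().getHighAvailabilityManager().getNodeState();

    /** Rejects the request unless the caller holds the SERVER_STATUS entitlement. */
    private void checkServerStatusEntitled() {
        if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS, null)) {
            EntitlementContext context = Entitlements.getEntitlementContext();
            // The context may be unset on this thread; do not let the error path itself fail.
            String user = (context == null) ? "<unknown>" : context.user();
            throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation", user);
        }
    }
// … unchanged: getHighAvailabilityPlaneStates() body after the same check …
```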
