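/**
 * Checks whether {@code userId} is a member of one of the predefined S3 groups.
 *
 * <p>Membership rules, evaluated in order:
 * <ul>
 *   <li>{@code ALL_USERS_GROUP}: everyone, including a null/empty (anonymous) id.</li>
 *   <li>{@code AUTHENTICATED_USERS_GROUP}: any non-empty id other than the "nobody" user. No check
 *       is made that the id exists in the system; the caller must only pass ids of principals it
 *       has already authenticated.</li>
 *   <li>{@code AWS_EXEC_READ}: only the aws-exec-read admin user.</li>
 *   <li>{@code EC2_BUNDLE_READ} and {@code LOGGING_GROUP}: only the system user or the system admin.</li>
 * </ul>
 *
 * <p>Privileged-user lookups are performed only for the group that needs them. If a lookup fails with
 * {@link AuthException} the user is treated as NOT a member (fail closed) and the failure is logged at
 * debug level.
 *
 * @param userId the user id to test; may be null or empty
 * @param group the S3 group to test against; null yields false
 * @return true if {@code userId} is a member of {@code group}, false otherwise
 */
public static boolean isUserMember(String userId, ObjectStorageProperties.S3_GROUP group) {
  if (group == null) {
    return false;
  }
  if (ObjectStorageProperties.S3_GROUP.ALL_USERS_GROUP.equals(group)) {
    return true;
  }
  if (ObjectStorageProperties.S3_GROUP.AUTHENTICATED_USERS_GROUP.equals(group)) {
    // Anything with a non-empty id that is not the anonymous "nobody" principal counts as authenticated.
    return !Strings.isNullOrEmpty(userId) && !userId.equals(Principals.nobodyUser().getUserId());
  }
  switch (group) {
    case AWS_EXEC_READ:
      return matchesAwsExecReadAdmin(userId, group);
    case EC2_BUNDLE_READ:
    case LOGGING_GROUP:
      // System only (or euca/admin) in ec2-bundle-read and logging.
      return matchesSystemAdmin(userId, group);
    default:
      return false;
  }
}

/**
 * Returns true if {@code userId} is the built-in system user or the looked-up system admin.
 * A failed lookup is logged and yields false so that an unresolvable account never grants membership.
 *
 * @param userId the user id to compare; null never matches
 * @param group the group being evaluated, included in the debug log for context
 */
private static boolean matchesSystemAdmin(String userId, ObjectStorageProperties.S3_GROUP group) {
  try {
    return Principals.systemUser().getUserId().equals(userId)
        || Accounts.lookupSystemAdmin().getUserId().equals(userId);
  } catch (AuthException e) {
    // Fall through to "not a member".
    LOG.debug(
        "Got auth exception trying to lookup system admin user for group membership check in " + group,
        e);
    return false;
  }
}

/**
 * Returns true if {@code userId} is the aws-exec-read admin user.
 * A failed lookup is logged and yields false so that an unresolvable account never grants membership.
 *
 * @param userId the user id to compare; null never matches
 * @param group the group being evaluated, included in the debug log for context
 */
private static boolean matchesAwsExecReadAdmin(String userId, ObjectStorageProperties.S3_GROUP group) {
  try {
    return Accounts.lookupAwsExecReadAdmin(false).getUserId().equals(userId);
  } catch (AuthException e) {
    // Fall through to "not a member".
    LOG.debug(
        "Got auth exception trying to lookup aws-exec-read admin user for group membership check in " + group,
        e);
    return false;
  }
}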
/**
 * Builds the grant list for a log-delivery target: the owner-only grants produced by
 * {@link PrivateOnlyGrantBuilder}, followed by WRITE and READ_ACP grants for the S3 logging group.
 *
 * <p>NOTE(review): the grants are appended in place, so this relies on the private-only builder
 * returning a mutable list. Access for the logging group is only as tight as the membership check
 * that resolves {@code LOGGING_GROUP} elsewhere in this class.
 *
 * @param ownerIds the owner pair the private grants are issued to
 * @return the private-only grant list extended with the two logging-group grants, in that order
 */
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
  List<Grant> grants = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);

  Grantee loggingGrantee = new Grantee();
  loggingGrantee.setGroup(new Group(ObjectStorageProperties.S3_GROUP.LOGGING_GROUP.toString()));

  // One grantee instance shared by both grants; WRITE first, then READ_ACP.
  ObjectStorageProperties.Permission[] loggingPermissions = {
      ObjectStorageProperties.Permission.WRITE, ObjectStorageProperties.Permission.READ_ACP
  };
  for (ObjectStorageProperties.Permission permission : loggingPermissions) {
    Grant grant = new Grant();
    grant.setPermission(permission.toString());
    grant.setGrantee(loggingGrantee);
    grants.add(grant);
  }
  return grants;
}