예제 #1
0
  /**
   * Processes a list by finding all canned-acls and expanding those. The returned list is a new
   * list that includes all non-canned ACL entries of the input as well as the expanded grants
   * mapped to canned-acls
   *
   * <p>CannedAcls are Grants with Grantee = "", and Permision is the canned-acl string
   *
   * @param msgAcl
   * @return
   */
  public static AccessControlList expandCannedAcl(
      @Nonnull AccessControlList msgAcl,
      @Nullable final String bucketOwnerCanonicalId,
      @Nullable final String objectOwnerCanonicalId)
      throws EucalyptusCloudException {
    if (msgAcl == null) {
      throw new IllegalArgumentException("Null list received");
    }

    AccessControlList outputList = new AccessControlList();
    if (outputList.getGrants() == null) {
      // Should be handled by constructor of ACL, but just to be sure
      outputList.setGrants(new ArrayList<Grant>());
    }
    final OwnerIdPair owners = new OwnerIdPair(bucketOwnerCanonicalId, objectOwnerCanonicalId);
    String entryValue = null;
    for (Grant msgGrant : msgAcl.getGrants()) {
      entryValue =
          msgGrant
              .getPermission(); // The OSG binding populates the canned-acl in the permission field
      try {
        if (cannedAclMap.containsKey(entryValue)) {
          outputList.getGrants().addAll(cannedAclMap.get(entryValue).apply(owners));
        } else {
          // add to output.
          outputList.getGrants().add(msgGrant);
        }
      } catch (Exception e) {
        // Failed. Stop now
        throw new EucalyptusCloudException("Failed generating the full ACL from canned ACL", e);
      }
    }
    return outputList;
  }
예제 #2
0
    @Override
    public List<Grant> apply(OwnerIdPair ownerIds) {
      ArrayList<Grant> privateGrants = new ArrayList<Grant>();
      Grant ownerFullControl = new Grant();
      Grantee owner = new Grantee();
      String displayName = "";
      String ownerCanonicalId = null;
      if (!Strings.isNullOrEmpty(ownerIds.getObjectOwnerCanonicalId())) {
        ownerCanonicalId = ownerIds.getObjectOwnerCanonicalId();
      } else {
        ownerCanonicalId = ownerIds.getBucketOwnerCanonicalId();
      }

      try {
        displayName = Accounts.lookupAccountByCanonicalId(ownerCanonicalId).getName();
      } catch (AuthException e) {
        displayName = "";
      }
      owner.setCanonicalUser(new CanonicalUser(ownerCanonicalId, displayName));
      owner.setType("CanonicalUser");
      ownerFullControl.setGrantee(owner);
      ownerFullControl.setPermission(ObjectStorageProperties.Permission.FULL_CONTROL.toString());
      privateGrants.add(ownerFullControl);
      return privateGrants;
    }
예제 #3
0
  /**
   * Checks grants and transforms grantees into canonicalId from eucalyptus account id or email
   * address
   *
   * @param acl
   * @return
   */
  public static AccessControlList scrubAcl(AccessControlList acl) {
    AccessControlList scrubbed = new AccessControlList();
    if (acl == null || acl.getGrants() == null || acl.getGrants().size() == 0) {
      return scrubbed;
    }

    String canonicalId = null;
    Grantee grantee;
    CanonicalUser canonicalUser;
    Group group;
    String email;

    for (Grant g : acl.getGrants()) {
      grantee = g.getGrantee();
      if (grantee == null) {
        continue; // skip, no grantee
      } else {
        canonicalUser = grantee.getCanonicalUser();
        group = grantee.getGroup();
        email = grantee.getEmailAddress();
      }

      canonicalId = canonicalUser == null ? null : resolveCanonicalId(canonicalUser.getID());
      if (canonicalId == null) {
        try {
          User user = Accounts.lookupUserByEmailAddress(email);
          if (user != null && user.isAccountAdmin() && user.getAccount() != null) {
            canonicalId = user.getAccount().getCanonicalId();
          }
        } catch (AuthException authEx) {
          // no-op, we'll check the group
        }
      }
      if (canonicalId == null && group != null && !Strings.isNullOrEmpty(group.getUri())) {
        ObjectStorageProperties.S3_GROUP foundGroup = AclUtils.getGroupFromUri(group.getUri());
        if (foundGroup == null) {
          throw new NoSuchElementException("URI: " + group.getUri() + " not found in group map");
        }
        // Group URI, use as canonicalId for now.
        canonicalId = group.getUri();
      }

      if (canonicalId == null) {
        throw new NoSuchElementException("No canonicalId found for grant: " + g.toString());
      } else {
        if (grantee.getCanonicalUser() == null) {
          grantee.setCanonicalUser(new CanonicalUser(canonicalId, ""));
        } else {
          grantee.getCanonicalUser().setID(canonicalId);
        }
      }
    }

    return acl;
  }
예제 #4
0
 @Override
 public List<Grant> apply(OwnerIdPair ownerIds) {
   List<Grant> grants = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
   Grantee grantee = new Grantee();
   grantee.setGroup(new Group(ObjectStorageProperties.S3_GROUP.EC2_BUNDLE_READ.toString()));
   Grant grant = new Grant();
   grant.setPermission(ObjectStorageProperties.Permission.READ.toString());
   grant.setGrantee(grantee);
   grants.add(grant);
   return grants;
 }
예제 #5
0
 @Override
 public List<Grant> apply(OwnerIdPair ownerIds) {
   List<Grant> awsExecRead = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
   Grantee execReadGroup = new Grantee();
   execReadGroup.setGroup(new Group(ObjectStorageProperties.S3_GROUP.AWS_EXEC_READ.toString()));
   Grant execReadGrant = new Grant();
   execReadGrant.setPermission(ObjectStorageProperties.Permission.READ.toString());
   execReadGrant.setGrantee(execReadGroup);
   awsExecRead.add(execReadGrant);
   return awsExecRead;
 }
예제 #6
0
 @Override
 public List<Grant> apply(OwnerIdPair ownerIds) {
   List<Grant> publicReadWrite = PublicReadGrantBuilder.INSTANCE.apply(ownerIds);
   Grantee allUsers = new Grantee();
   allUsers.setGroup(new Group(ObjectStorageProperties.S3_GROUP.ALL_USERS_GROUP.toString()));
   Grant allUsersGrant = new Grant();
   allUsersGrant.setPermission(ObjectStorageProperties.Permission.WRITE.toString());
   allUsersGrant.setGrantee(allUsers);
   publicReadWrite.add(allUsersGrant);
   return publicReadWrite;
 }
예제 #7
0
 @Override
 public List<Grant> apply(OwnerIdPair ownerIds) {
   List<Grant> authenticatedRead = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
   Grantee authenticatedUsers = new Grantee();
   authenticatedUsers.setGroup(
       new Group(ObjectStorageProperties.S3_GROUP.AUTHENTICATED_USERS_GROUP.toString()));
   Grant authUsersGrant = new Grant();
   authUsersGrant.setPermission(ObjectStorageProperties.Permission.READ.toString());
   authUsersGrant.setGrantee(authenticatedUsers);
   authenticatedRead.add(authUsersGrant);
   return authenticatedRead;
 }
예제 #8
0
    @Override
    public List<Grant> apply(OwnerIdPair ownerIds) {
      List<Grant> bucketOwnerRead = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
      String canonicalId = ownerIds.getBucketOwnerCanonicalId();
      String displayName = "";
      try {
        displayName = Accounts.lookupAccountByCanonicalId(canonicalId).getName();
      } catch (AuthException e) {
        displayName = "";
      }

      Grantee bucketOwner = new Grantee();
      bucketOwner.setCanonicalUser(new CanonicalUser(canonicalId, displayName));
      Grant bucketOwnerGrant = new Grant();
      bucketOwnerGrant.setPermission(ObjectStorageProperties.Permission.READ.toString());
      bucketOwnerGrant.setGrantee(bucketOwner);
      bucketOwnerRead.add(bucketOwnerGrant);
      return bucketOwnerRead;
    }
예제 #9
0
    @Override
    public List<Grant> apply(OwnerIdPair ownerIds) {
      List<Grant> logDeliveryWrite = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
      Grantee logGroup = new Grantee();
      logGroup.setGroup(new Group(ObjectStorageProperties.S3_GROUP.LOGGING_GROUP.toString()));

      Grant loggingWriteGrant = new Grant();
      loggingWriteGrant.setPermission(ObjectStorageProperties.Permission.WRITE.toString());
      loggingWriteGrant.setGrantee(logGroup);

      Grant loggingReadAcpGrant = new Grant();
      loggingReadAcpGrant.setPermission(ObjectStorageProperties.Permission.READ_ACP.toString());
      loggingReadAcpGrant.setGrantee(logGroup);

      logDeliveryWrite.add(loggingWriteGrant);
      logDeliveryWrite.add(loggingReadAcpGrant);
      return logDeliveryWrite;
    }