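/**
 * Expands canned ACLs found in {@code msgAcl} into explicit grants.
 *
 * <p>The result is a new list: every grant whose permission string is not a canned-ACL key is
 * copied through unchanged, and every grant whose permission string names a canned ACL (the OSG
 * binding places the canned-acl string in the permission field) is replaced by the grants the
 * matching {@code cannedAclMap} builder produces for the given owner IDs.
 *
 * <p>Only the permission string is consulted; the grantee of a canned-ACL entry is ignored rather
 * than validated to be empty.
 *
 * @param msgAcl the ACL to expand; must not be null (a null grant list is treated as empty)
 * @param bucketOwnerCanonicalId canonical ID of the bucket owner, may be null
 * @param objectOwnerCanonicalId canonical ID of the object owner, may be null
 * @return a new ACL holding the non-canned grants plus the expanded canned grants
 * @throws IllegalArgumentException if {@code msgAcl} is null
 * @throws EucalyptusCloudException if a canned-ACL builder fails
 */
public static AccessControlList expandCannedAcl(
    @Nonnull AccessControlList msgAcl,
    @Nullable final String bucketOwnerCanonicalId,
    @Nullable final String objectOwnerCanonicalId)
    throws EucalyptusCloudException {
  if (msgAcl == null) {
    throw new IllegalArgumentException("Null list received");
  }
  final AccessControlList outputList = new AccessControlList();
  if (outputList.getGrants() == null) {
    // Should be handled by the ACL constructor, but be defensive.
    outputList.setGrants(new ArrayList<Grant>());
  }
  // Fix: a null grant list previously hit a NullPointerException in the loop below;
  // treat it as an empty ACL instead.
  if (msgAcl.getGrants() == null) {
    return outputList;
  }
  final OwnerIdPair owners = new OwnerIdPair(bucketOwnerCanonicalId, objectOwnerCanonicalId);
  for (final Grant msgGrant : msgAcl.getGrants()) {
    // The OSG binding populates the canned-acl string in the permission field.
    final String entryValue = msgGrant.getPermission();
    try {
      if (cannedAclMap.containsKey(entryValue)) {
        outputList.getGrants().addAll(cannedAclMap.get(entryValue).apply(owners));
      } else {
        // Not a canned ACL: pass the grant through untouched.
        outputList.getGrants().add(msgGrant);
      }
    } catch (Exception e) {
      // Any builder failure aborts the whole expansion; never return a partial ACL.
      throw new EucalyptusCloudException("Failed generating the full ACL from canned ACL", e);
    }
  }
  return outputList;
}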
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
  // Owner of record: prefer the object owner, fall back to the bucket owner.
  final String canonicalId =
      Strings.isNullOrEmpty(ownerIds.getObjectOwnerCanonicalId())
          ? ownerIds.getBucketOwnerCanonicalId()
          : ownerIds.getObjectOwnerCanonicalId();
  // The display name is informational; an unknown account yields an empty name.
  String displayName;
  try {
    displayName = Accounts.lookupAccountByCanonicalId(canonicalId).getName();
  } catch (AuthException e) {
    displayName = "";
  }
  // NOTE(review): when both owner IDs are null/empty, canonicalId is null and the
  // FULL_CONTROL grant below carries a null grantee ID — confirm callers never do that.
  final Grantee ownerGrantee = new Grantee();
  ownerGrantee.setCanonicalUser(new CanonicalUser(canonicalId, displayName));
  ownerGrantee.setType("CanonicalUser");
  final Grant fullControl = new Grant();
  fullControl.setGrantee(ownerGrantee);
  fullControl.setPermission(ObjectStorageProperties.Permission.FULL_CONTROL.toString());
  // "private": exactly one grant, the owner with FULL_CONTROL.
  final List<Grant> grants = new ArrayList<Grant>();
  grants.add(fullControl);
  return grants;
}
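/**
 * Resolves every grantee in {@code acl} to a canonical ID, rewriting the ACL in place.
 *
 * <p>For each grant the grantee is resolved, in order, from: the canonical user ID (passed
 * through {@code resolveCanonicalId}); the e-mail address, which is only accepted when it belongs
 * to an account admin, in which case the account's canonical ID is used; and the group URI, which
 * must be a known S3 group, in which case the URI itself is used as the ID. Grants with no grantee
 * are skipped. The resolved ID is written back into the grantee's {@code CanonicalUser}.
 *
 * @param acl the ACL to scrub; may be null
 * @return an empty ACL when {@code acl} is null or has no grants, otherwise {@code acl} itself
 *     with its grantee IDs rewritten
 * @throws NoSuchElementException if a group URI is not a known group, or a grant cannot be
 *     resolved to any canonical ID
 */
public static AccessControlList scrubAcl(AccessControlList acl) {
  final AccessControlList scrubbed = new AccessControlList();
  if (acl == null || acl.getGrants() == null || acl.getGrants().isEmpty()) {
    return scrubbed;
  }
  for (final Grant g : acl.getGrants()) {
    final Grantee grantee = g.getGrantee();
    if (grantee == null) {
      continue; // nothing to resolve
    }
    final CanonicalUser canonicalUser = grantee.getCanonicalUser();
    final Group group = grantee.getGroup();
    final String email = grantee.getEmailAddress();

    // 1. Explicit canonical user ID.
    String canonicalId =
        canonicalUser == null ? null : resolveCanonicalId(canonicalUser.getID());

    // 2. E-mail address: only an account admin's address maps to the account's ID.
    //    Fix: skip the lookup when no e-mail was supplied instead of passing null
    //    into the account service.
    if (canonicalId == null && !Strings.isNullOrEmpty(email)) {
      try {
        final User user = Accounts.lookupUserByEmailAddress(email);
        if (user != null && user.isAccountAdmin() && user.getAccount() != null) {
          canonicalId = user.getAccount().getCanonicalId();
        }
      } catch (AuthException authEx) {
        // Unknown address: fall through to the group check.
      }
    }

    // 3. Group URI: must be a known S3 group; the URI doubles as the canonical ID.
    if (canonicalId == null && group != null && !Strings.isNullOrEmpty(group.getUri())) {
      final ObjectStorageProperties.S3_GROUP foundGroup =
          AclUtils.getGroupFromUri(group.getUri());
      if (foundGroup == null) {
        throw new NoSuchElementException("URI: " + group.getUri() + " not found in group map");
      }
      canonicalId = group.getUri();
    }

    // Refuse to emit a grant whose grantee could not be identified.
    if (canonicalId == null) {
      throw new NoSuchElementException("No canonicalId found for grant: " + g.toString());
    }
    if (grantee.getCanonicalUser() == null) {
      grantee.setCanonicalUser(new CanonicalUser(canonicalId, ""));
    } else {
      grantee.getCanonicalUser().setID(canonicalId);
    }
  }
  return acl;
}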
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
  // Owner FULL_CONTROL (the private set) plus READ for the EC2 bundle-read group.
  final Grant bundleRead = new Grant();
  bundleRead.setPermission(ObjectStorageProperties.Permission.READ.toString());
  final Grantee bundleReadGroup = new Grantee();
  bundleReadGroup.setGroup(
      new Group(ObjectStorageProperties.S3_GROUP.EC2_BUNDLE_READ.toString()));
  bundleRead.setGrantee(bundleReadGroup);
  final List<Grant> result = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
  result.add(bundleRead);
  return result;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
  // Owner FULL_CONTROL (the private set) plus READ for the AWS exec-read group.
  final Grant execRead = new Grant();
  execRead.setPermission(ObjectStorageProperties.Permission.READ.toString());
  final Grantee execReadGroup = new Grantee();
  execReadGroup.setGroup(new Group(ObjectStorageProperties.S3_GROUP.AWS_EXEC_READ.toString()));
  execRead.setGrantee(execReadGroup);
  final List<Grant> result = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
  result.add(execRead);
  return result;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
  // "public-read-write": everything public-read grants, plus WRITE for AllUsers.
  // This is the most permissive canned ACL — anonymous callers may write.
  final Grant anonymousWrite = new Grant();
  anonymousWrite.setPermission(ObjectStorageProperties.Permission.WRITE.toString());
  final Grantee everyone = new Grantee();
  everyone.setGroup(new Group(ObjectStorageProperties.S3_GROUP.ALL_USERS_GROUP.toString()));
  anonymousWrite.setGrantee(everyone);
  final List<Grant> result = PublicReadGrantBuilder.INSTANCE.apply(ownerIds);
  result.add(anonymousWrite);
  return result;
}
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
  // Owner FULL_CONTROL (the private set) plus READ for the AuthenticatedUsers group.
  final Grant authRead = new Grant();
  authRead.setPermission(ObjectStorageProperties.Permission.READ.toString());
  final Grantee authenticated = new Grantee();
  authenticated.setGroup(
      new Group(ObjectStorageProperties.S3_GROUP.AUTHENTICATED_USERS_GROUP.toString()));
  authRead.setGrantee(authenticated);
  final List<Grant> result = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
  result.add(authRead);
  return result;
}
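@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
  // Owner FULL_CONTROL (the private set) plus READ for the bucket owner.
  final List<Grant> result = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
  final String bucketOwnerId = ownerIds.getBucketOwnerCanonicalId();
  // The display name is informational; an unknown account yields an empty name.
  String displayName;
  try {
    displayName = Accounts.lookupAccountByCanonicalId(bucketOwnerId).getName();
  } catch (AuthException e) {
    displayName = "";
  }
  // NOTE(review): a null bucket owner ID produces a grant with a null grantee ID here;
  // confirm callers always supply it for this canned ACL.
  final Grantee bucketOwner = new Grantee();
  bucketOwner.setCanonicalUser(new CanonicalUser(bucketOwnerId, displayName));
  // Fix: tag the grantee type as PrivateOnlyGrantBuilder does; it was left unset
  // on this grant only.
  bucketOwner.setType("CanonicalUser");
  final Grant bucketOwnerRead = new Grant();
  bucketOwnerRead.setPermission(ObjectStorageProperties.Permission.READ.toString());
  bucketOwnerRead.setGrantee(bucketOwner);
  result.add(bucketOwnerRead);
  return result;
}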
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
  // Owner FULL_CONTROL (the private set) plus WRITE and READ_ACP for the logging
  // group. Both grants share a single grantee instance.
  final Grantee logDelivery = new Grantee();
  logDelivery.setGroup(new Group(ObjectStorageProperties.S3_GROUP.LOGGING_GROUP.toString()));
  final List<Grant> result = PrivateOnlyGrantBuilder.INSTANCE.apply(ownerIds);
  final ObjectStorageProperties.Permission[] logPermissions = {
    ObjectStorageProperties.Permission.WRITE, ObjectStorageProperties.Permission.READ_ACP
  };
  for (final ObjectStorageProperties.Permission permission : logPermissions) {
    final Grant grant = new Grant();
    grant.setPermission(permission.toString());
    grant.setGrantee(logDelivery);
    result.add(grant);
  }
  return result;
}