/**
 * Builds the grant list for the public-read-write canned ACL: everything the
 * public-read builder produces, plus a WRITE grant for the ALL_USERS group
 * (i.e. anonymous, unauthenticated write access).
 *
 * @param ownerIds owner ids handed through to {@link PublicReadGrantBuilder}
 * @return the public-read grant list with an ALL_USERS WRITE grant appended;
 *     the list returned by the public-read builder is extended in place
 */
@Override
public List<Grant> apply(OwnerIdPair ownerIds) {
  // Start from public-read and widen it with anonymous write access.
  List<Grant> grants = PublicReadGrantBuilder.INSTANCE.apply(ownerIds);

  Group everyone = new Group(ObjectStorageProperties.S3_GROUP.ALL_USERS_GROUP.toString());
  Grantee anonymousGrantee = new Grantee();
  anonymousGrantee.setGroup(everyone);

  Grant anonymousWrite = new Grant();
  anonymousWrite.setGrantee(anonymousGrantee);
  anonymousWrite.setPermission(ObjectStorageProperties.Permission.WRITE.toString());

  grants.add(anonymousWrite);
  return grants;
}
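/**
 * Checks whether {@code userId} is a member of one of the basic S3 groups.
 *
 * <p>This is purely a group-membership test. The caller must ensure that {@code userId} is a
 * valid ID in the system; that is outside the scope of this method. In particular, any
 * non-empty ID other than the "nobody" user is treated as a member of
 * AUTHENTICATED_USERS_GROUP without any lookup of the ID.
 *
 * <p>Membership rules:
 * <ul>
 *   <li>ALL_USERS_GROUP: every caller, including anonymous ones.</li>
 *   <li>AUTHENTICATED_USERS_GROUP: any non-empty ID other than the nobody user.</li>
 *   <li>AWS_EXEC_READ: the aws-exec-read admin user only.</li>
 *   <li>EC2_BUNDLE_READ and LOGGING_GROUP: the system user or the system admin only.</li>
 * </ul>
 *
 * <p>The account lookups needed for the admin-only groups are performed only when one of
 * those groups is being tested; an {@link AuthException} from a lookup is logged at debug
 * level and treated as "not a member".
 *
 * @param userId the user ID to test; may be null or empty (anonymous)
 * @param group the S3 group to test membership of; {@code null} yields {@code false}
 * @return {@code true} if {@code userId} is a member of {@code group}
 */
public static boolean isUserMember(String userId, ObjectStorageProperties.S3_GROUP group) {
  if (group == null) {
    return false;
  }
  if (ObjectStorageProperties.S3_GROUP.ALL_USERS_GROUP.equals(group)) {
    return true;
  }
  if (ObjectStorageProperties.S3_GROUP.AUTHENTICATED_USERS_GROUP.equals(group)) {
    // No other rule can match this group, so decide here without any account lookups.
    return !Strings.isNullOrEmpty(userId)
        && !userId.equals(Principals.nobodyUser().getUserId());
  }
  if (ObjectStorageProperties.S3_GROUP.AWS_EXEC_READ.equals(group)) {
    return isAwsExecReadAdminUser(userId);
  }
  // System only (or euca/admin) in the ec2-bundle-read and logging groups
  if (ObjectStorageProperties.S3_GROUP.EC2_BUNDLE_READ.equals(group)
      || ObjectStorageProperties.S3_GROUP.LOGGING_GROUP.equals(group)) {
    return isSystemAdminUser(userId);
  }
  return false;
}

/**
 * True if {@code userId} is the system user or the system admin account.
 * A failed admin lookup is logged at debug level and counts as "not an admin".
 */
private static boolean isSystemAdminUser(String userId) {
  try {
    // Short-circuit: the directory lookup runs only if the system user does not match.
    return Principals.systemUser().getUserId().equals(userId)
        || Accounts.lookupSystemAdmin().getUserId().equals(userId);
  } catch (AuthException e) {
    // Fall through: an unresolvable admin account never grants membership.
    LOG.debug(
        "Got auth exception trying to lookup system admin user for group membership check in ec2-bundle-read",
        e);
    return false;
  }
}

/**
 * True if {@code userId} is the aws-exec-read admin user.
 * A failed lookup is logged at debug level and counts as "not a member".
 */
private static boolean isAwsExecReadAdminUser(String userId) {
  try {
    return Accounts.lookupAwsExecReadAdmin(false).getUserId().equals(userId);
  } catch (AuthException e) {
    // Fall through: an unresolvable admin account never grants membership.
    LOG.debug(
        "Got auth exception trying to lookup aws-exec-read admin user for group membership check in ec2-bundle-read",
        e);
    return false;
  }
}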