Revision 8360
Added by Jing Tao about 11 years ago
| src/edu/ucsb/nceas/metacat/dataone/MNodeService.java | ||
|---|---|---|
| 232 | 232 |
// only admin of the MN or the CN is allowed a full delete |
| 233 | 233 |
boolean allowed = false; |
| 234 | 234 |
allowed = isAdminAuthorized(session); |
| 235 |
|
|
| 236 |
//check if it is the authoritative member node |
|
| 237 |
if(!allowed) {
|
|
| 238 |
allowed = isAuthoritativeMNodeAdmin(session, pid); |
|
| 239 |
} |
|
| 240 |
|
|
| 235 | 241 |
if (!allowed) {
|
| 236 | 242 |
throw new NotAuthorized("1320", "The provided identity does not have " + "permission to delete objects on the Node.");
|
| 237 | 243 |
} |
| src/edu/ucsb/nceas/metacat/dataone/CNodeService.java | ||
|---|---|---|
| 346 | 346 |
// check that it is CN/admin |
| 347 | 347 |
boolean allowed = isAdminAuthorized(session); |
| 348 | 348 |
|
| 349 |
// additional check if it is the authoritative node if it is not the admin |
|
| 350 |
if(!allowed) {
|
|
| 351 |
allowed = isAuthoritativeMNodeAdmin(session, pid); |
|
| 352 |
} |
|
| 353 |
|
|
| 349 | 354 |
if (!allowed) {
|
| 350 | 355 |
String msg = "The subject is not allowed to call delete() on a Coordinating Node."; |
| 351 | 356 |
logMetacat.info(msg); |
| ... | ... | |
| 397 | 402 |
// check that it is CN/admin |
| 398 | 403 |
boolean allowed = isAdminAuthorized(session); |
| 399 | 404 |
|
| 405 |
//check if it is the authoritative member node |
|
| 406 |
if(!allowed) {
|
|
| 407 |
allowed = isAuthoritativeMNodeAdmin(session, pid); |
|
| 408 |
} |
|
| 409 |
|
|
| 400 | 410 |
if (!allowed) {
|
| 401 | 411 |
String msg = "The subject is not allowed to call archive() on a Coordinating Node."; |
| 402 | 412 |
logMetacat.info(msg); |
| ... | ... | |
| 1345 | 1355 |
// are we allowed? |
| 1346 | 1356 |
boolean isAllowed = false; |
| 1347 | 1357 |
isAllowed = isAdminAuthorized(session); |
| 1358 |
|
|
| 1359 |
// additional check if it is the authoritative node if it is not the admin |
|
| 1360 |
if(!isAllowed) {
|
|
| 1361 |
isAllowed = isAuthoritativeMNodeAdmin(session, pid); |
|
| 1362 |
} |
|
| 1348 | 1363 |
|
| 1349 | 1364 |
// proceed if we're called by a CN |
| 1350 | 1365 |
if ( isAllowed ) {
|
| src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java | ||
|---|---|---|
| 715 | 715 |
return systemMetadata; |
| 716 | 716 |
} |
| 717 | 717 |
|
| 718 |
|
|
| 719 |
/** |
|
| 720 |
* Test if the specified session represents the authoritative member node for the |
|
| 721 |
* given object specified by the identifier. According the the DataONE documentation, |
|
| 722 |
* the authoritative member node has all the rights of the *rightsHolder*. |
|
| 723 |
* @param session - the Session object containing the credentials for the Subject |
|
| 724 |
* @param pid - the Identifier of the data object |
|
| 725 |
* @return true if the session represents the authoritative mn. |
|
| 726 |
* @throws ServiceFailure |
|
| 727 |
* @throws NotImplemented |
|
| 728 |
*/ |
|
| 729 |
public boolean isAuthoritativeMNodeAdmin(Session session, Identifier pid) {
|
|
| 730 |
boolean allowed = false; |
|
| 731 |
//check the parameters |
|
| 732 |
if(session == null) {
|
|
| 733 |
logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin - the session object is null and return false.");
|
|
| 734 |
return allowed; |
|
| 735 |
} else if (pid == null || pid.getValue() == null || pid.getValue().trim().equals("")) {
|
|
| 736 |
logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin - the Identifier object is null (not being specified) and return false.");
|
|
| 737 |
return allowed; |
|
| 738 |
} |
|
| 739 |
|
|
| 740 |
//Get the subject from the session |
|
| 741 |
Subject subject = session.getSubject(); |
|
| 742 |
if(subject != null) {
|
|
| 743 |
//Get the authoritative member node info from the system metadata |
|
| 744 |
SystemMetadata sysMeta = HazelcastService.getInstance().getSystemMetadataMap().get(pid); |
|
| 745 |
if(sysMeta != null) {
|
|
| 746 |
NodeReference authoritativeMNode = sysMeta.getAuthoritativeMemberNode(); |
|
| 747 |
if(authoritativeMNode != null) {
|
|
| 748 |
CNode cn = null; |
|
| 749 |
try {
|
|
| 750 |
cn = D1Client.getCN(); |
|
| 751 |
} catch (ServiceFailure e) {
|
|
| 752 |
logMetacat.error("D1NodeService.isAuthoritativeMNodeAdmin - couldn't connect to the CN since "+
|
|
| 753 |
e.getDescription()+ ". The false value will be returned for the AuthoritativeMNodeAdmin."); |
|
| 754 |
return allowed; |
|
| 755 |
} |
|
| 756 |
|
|
| 757 |
if(cn != null) {
|
|
| 758 |
List<Node> nodes = null; |
|
| 759 |
try {
|
|
| 760 |
nodes = cn.listNodes().getNodeList(); |
|
| 761 |
} catch (NotImplemented e) {
|
|
| 762 |
logMetacat.error("D1NodeService.isAuthoritativeMNodeAdmin - couldn't get the member nodes list from the CN since "+e.getDescription()+
|
|
| 763 |
". The false value will be returned for the AuthoritativeMNodeAdmin."); |
|
| 764 |
return allowed; |
|
| 765 |
} catch (ServiceFailure ee) {
|
|
| 766 |
logMetacat.error("D1NodeService.isAuthoritativeMNodeAdmin - couldn't get the member nodes list from the CN since "+ee.getDescription()+
|
|
| 767 |
". The false value will be returned for the AuthoritativeMNodeAdmin."); |
|
| 768 |
return allowed; |
|
| 769 |
} |
|
| 770 |
if(nodes != null) {
|
|
| 771 |
for(Node node : nodes) {
|
|
| 772 |
//find the authoritative node and get its subjects |
|
| 773 |
if (node.getType() == NodeType.MN && node.getIdentifier() != null && node.getIdentifier().equals(authoritativeMNode)) {
|
|
| 774 |
List<Subject> nodeSubjects = node.getSubjectList(); |
|
| 775 |
if(nodeSubjects != null) {
|
|
| 776 |
// check if the session subject is in the node subject list |
|
| 777 |
for (Subject nodeSubject : nodeSubjects) {
|
|
| 778 |
logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin(), comparing subjects: " +
|
|
| 779 |
nodeSubject.getValue() + " and " + subject.getValue()); |
|
| 780 |
if ( nodeSubject != null && nodeSubject.equals(subject) ) {
|
|
| 781 |
allowed = true; // subject of session == target node subject |
|
| 782 |
break; |
|
| 783 |
} |
|
| 784 |
} |
|
| 785 |
} |
|
| 786 |
|
|
| 787 |
} |
|
| 788 |
} |
|
| 789 |
} |
|
| 790 |
} |
|
| 791 |
} |
|
| 792 |
} |
|
| 793 |
} |
|
| 794 |
return allowed; |
|
| 795 |
} |
|
| 796 |
|
|
| 797 |
|
|
| 718 | 798 |
/** |
| 719 | 799 |
* Test if the user identified by the provided token has administrative authorization |
| 720 | 800 |
* |
| ... | ... | |
| 868 | 948 |
|
| 869 | 949 |
} |
| 870 | 950 |
|
| 951 |
// the authoritative member node of the pid always has the access as well. |
|
| 952 |
if (isAuthoritativeMNodeAdmin(session, pid)) {
|
|
| 953 |
allowed = true; |
|
| 954 |
return allowed; |
|
| 955 |
} |
|
| 956 |
|
|
| 871 | 957 |
// get the subject[s] from the session |
| 872 | 958 |
//defer to the shared util for recursively compiling the subjects |
| 873 | 959 |
Set<Subject> subjects = AuthUtils.authorizedClientSubjects(session); |
Also available in: Unified diff
Add the methond named isAuthoritativeMNodeAdmin method. It applies to both CN and MN methods.