
Revision 8360

Added by Jing Tao over 10 years ago

Add the method isAuthoritativeMNodeAdmin. It applies to both CN and MN methods.


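--- a/src/edu/ucsb/nceas/metacat/dataone/MNodeService.java
+++ b/src/edu/ucsb/nceas/metacat/dataone/MNodeService.java
@@ -232,6 +232,12 @@
     	// only admin of  the MN or the CN is allowed a full delete
         boolean allowed = false;
         allowed = isAdminAuthorized(session);
+        
+        //check if it is the authoritative member node
+        if(!allowed) {
+            allowed = isAuthoritativeMNodeAdmin(session, pid);
+        }
+        
         if (!allowed) { 
             throw new NotAuthorized("1320", "The provided identity does not have " + "permission to delete objects on the Node.");
         }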
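Review bot: The comment on line 232, `// only admin of  the MN or the CN is allowed a full delete`, no longer matches the check below it, because after this change a session whose subject is listed for the object's authoritative member node also passes. Since delete is destructive, the comment should state the full policy, for example `// MN/CN admins, or a subject listed for the pid's authoritative MN, may do a full delete`. The same staleness applies to the `// check that it is CN/admin` comments at new lines 346 and 402 and to `// proceed if we're called by a CN` at new line 1364 of CNodeService.java. It would also help later audits to log at info level when access is granted through the authoritative-node path rather than through admin rights. The enclosing method starts and ends outside the visible lines.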
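--- a/src/edu/ucsb/nceas/metacat/dataone/CNodeService.java
+++ b/src/edu/ucsb/nceas/metacat/dataone/CNodeService.java
@@ -346,6 +346,11 @@
 	  // check that it is CN/admin
 	  boolean allowed = isAdminAuthorized(session);
 	  
+	  // additional check if it is the authoritative node if it is not the admin
+      if(!allowed) {
+          allowed = isAuthoritativeMNodeAdmin(session, pid);
+      }
+	  
 	  if (!allowed) {
 		  String msg = "The subject is not allowed to call delete() on a Coordinating Node.";
 		  logMetacat.info(msg);
@@ -397,6 +402,11 @@
 	  // check that it is CN/admin
 	  boolean allowed = isAdminAuthorized(session);
 	  
+	  //check if it is the authoritative member node
+	  if(!allowed) {
+	      allowed = isAuthoritativeMNodeAdmin(session, pid);
+	  }
+	  
 	  if (!allowed) {
 		  String msg = "The subject is not allowed to call archive() on a Coordinating Node.";
 		  logMetacat.info(msg);
@@ -1345,6 +1355,11 @@
           // are we allowed?
           boolean isAllowed = false;
           isAllowed = isAdminAuthorized(session);
+          
+          // additional check if it is the authoritative node if it is not the admin
+          if(!isAllowed) {
+              isAllowed = isAuthoritativeMNodeAdmin(session, pid);
+          }
   
           // proceed if we're called by a CN
           if ( isAllowed ) {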
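Review bot: The admin-then-authoritative-node sequence is written out three times in this file (new lines 349-352, 405-408 and 1359-1362) and once more in MNodeService.java, so the authorization rule for these operations can drift apart when only one copy is edited. Each site can be reduced to one short-circuit expression, `boolean allowed = isAdminAuthorized(session) || isAuthoritativeMNodeAdmin(session, pid);`, or the pair can be wrapped in a single helper next to isAuthoritativeMNodeAdmin in D1NodeService that all four callers use. The added lines at 350-352 are also indented with spaces only, while the surrounding code uses a tab followed by spaces. The enclosing methods are not visible in these hunks, so which operation the hunk at new line 1355 guards cannot be confirmed from here.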
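--- a/src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java
+++ b/src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java
@@ -715,6 +715,86 @@
         return systemMetadata;
     }
      
+    
+    /**
+     * Test if the specified session represents the authoritative member node for the
+     * given object specified by the identifier. According the the DataONE documentation, 
+     * the authoritative member node has all the rights of the *rightsHolder*.
+     * @param session - the Session object containing the credentials for the Subject
+     * @param pid - the Identifier of the data object
+     * @return true if the session represents the authoritative mn.
+     * @throws ServiceFailure 
+     * @throws NotImplemented 
+     */
+    public boolean isAuthoritativeMNodeAdmin(Session session, Identifier pid) {
+        boolean allowed = false;
+        //check the parameters
+        if(session == null) {
+            logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin - the session object is null and return false.");
+            return allowed;
+        } else if (pid == null || pid.getValue() == null || pid.getValue().trim().equals("")) {
+            logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin - the Identifier object is null (not being specified) and return false.");
+            return allowed;
+        }
+        
+        //Get the subject from the session
+        Subject subject = session.getSubject();
+        if(subject != null) {
+            //Get the authoritative member node info from the system metadata
+            SystemMetadata sysMeta = HazelcastService.getInstance().getSystemMetadataMap().get(pid);
+            if(sysMeta != null) {
+                NodeReference authoritativeMNode = sysMeta.getAuthoritativeMemberNode();
+                if(authoritativeMNode != null) {
+                        CNode cn = null;
+                        try {
+                            cn = D1Client.getCN();
+                        } catch (ServiceFailure e) {
+                            logMetacat.error("D1NodeService.isAuthoritativeMNodeAdmin - couldn't connect to the CN since "+
+                                            e.getDescription()+ ". The false value will be returned for the AuthoritativeMNodeAdmin.");
+                            return allowed;
+                        }
+                        
+                        if(cn != null) {
+                            List<Node> nodes = null;
+                            try {
+                                nodes = cn.listNodes().getNodeList();
+                            } catch (NotImplemented e) {
+                                logMetacat.error("D1NodeService.isAuthoritativeMNodeAdmin - couldn't get the member nodes list from the CN since "+e.getDescription()+ 
+                                                ". The false value will be returned for the AuthoritativeMNodeAdmin.");
+                                return allowed;
+                            } catch (ServiceFailure ee) {
+                                logMetacat.error("D1NodeService.isAuthoritativeMNodeAdmin - couldn't get the member nodes list from the CN since "+ee.getDescription()+ 
+                                                ". The false value will be returned for the AuthoritativeMNodeAdmin.");
+                                return allowed;
+                            }
+                            if(nodes != null) {
+                                for(Node node : nodes) {
+                                    //find the authoritative node and get its subjects
+                                    if (node.getType() == NodeType.MN && node.getIdentifier() != null && node.getIdentifier().equals(authoritativeMNode)) {
+                                        List<Subject> nodeSubjects = node.getSubjectList();
+                                        if(nodeSubjects != null) {
+                                            // check if the session subject is in the node subject list
+                                            for (Subject nodeSubject : nodeSubjects) {
+                                                logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin(), comparing subjects: " +
+                                                    nodeSubject.getValue() + " and " + subject.getValue());
+                                                if ( nodeSubject != null && nodeSubject.equals(subject) ) {
+                                                    allowed = true; // subject of session == target node subject
+                                                    break;
+                                                }
+                                            }              
+                                        }
+                                      
+                                    }
+                                }
+                            }
+                        }
+                }
+            }
+        }
+        return allowed;
+    }
+    
+    
   /**
    * Test if the user identified by the provided token has administrative authorization 
    * 
@@ -868,6 +948,12 @@
         
     }
     
+    // the authoritative member node of the pid always has the access as well.
+    if (isAuthoritativeMNodeAdmin(session, pid)) {
+        allowed = true;
+        return allowed;
+    }
+    
     // get the subject[s] from the session
 	//defer to the shared util for recursively compiling the subjects	
 	Set<Subject> subjects = AuthUtils.authorizedClientSubjects(session);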
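Review bot: In isAuthoritativeMNodeAdmin the debug statement at new lines 778-779 calls `nodeSubject.getValue()` before the `nodeSubject != null` test on line 780, so a null entry in the node's subject list raises a NullPointerException inside the authorization check instead of being skipped. Put the guard first, `if (nodeSubject == null) { continue; }`, and only then log and compare. The Javadoc lists `@throws ServiceFailure` and `@throws NotImplemented`, but the method declares neither and catches both to return false, so the tags should be replaced by a sentence saying that any failure to reach the CN or list its nodes denies access. Every call also fetches the CN and its full node list, and the hunk at new line 952 places that call ahead of the local subject checks, so caching the node list for a short period is worth considering; the method enclosing that second hunk is not visible here.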
