Revision 8360
Added by Jing Tao over 10 years ago
| D1NodeService.java | ||
|---|---|---|
| 715 | 715 |
return systemMetadata; |
| 716 | 716 |
} |
| 717 | 717 |
|
| 718 |
|
|
| 719 |
/** |
|
| 720 |
* Test if the specified session represents the authoritative member node for the |
|
| 721 |
* given object specified by the identifier. According the the DataONE documentation, |
|
| 722 |
* the authoritative member node has all the rights of the *rightsHolder*. |
|
| 723 |
* @param session - the Session object containing the credentials for the Subject |
|
| 724 |
* @param pid - the Identifier of the data object |
|
| 725 |
* @return true if the session represents the authoritative mn. |
|
| 726 |
* @throws ServiceFailure |
|
| 727 |
* @throws NotImplemented |
|
| 728 |
*/ |
|
| 729 |
public boolean isAuthoritativeMNodeAdmin(Session session, Identifier pid) {
|
|
| 730 |
boolean allowed = false; |
|
| 731 |
//check the parameters |
|
| 732 |
if(session == null) {
|
|
| 733 |
logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin - the session object is null and return false.");
|
|
| 734 |
return allowed; |
|
| 735 |
} else if (pid == null || pid.getValue() == null || pid.getValue().trim().equals("")) {
|
|
| 736 |
logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin - the Identifier object is null (not being specified) and return false.");
|
|
| 737 |
return allowed; |
|
| 738 |
} |
|
| 739 |
|
|
| 740 |
//Get the subject from the session |
|
| 741 |
Subject subject = session.getSubject(); |
|
| 742 |
if(subject != null) {
|
|
| 743 |
//Get the authoritative member node info from the system metadata |
|
| 744 |
SystemMetadata sysMeta = HazelcastService.getInstance().getSystemMetadataMap().get(pid); |
|
| 745 |
if(sysMeta != null) {
|
|
| 746 |
NodeReference authoritativeMNode = sysMeta.getAuthoritativeMemberNode(); |
|
| 747 |
if(authoritativeMNode != null) {
|
|
| 748 |
CNode cn = null; |
|
| 749 |
try {
|
|
| 750 |
cn = D1Client.getCN(); |
|
| 751 |
} catch (ServiceFailure e) {
|
|
| 752 |
logMetacat.error("D1NodeService.isAuthoritativeMNodeAdmin - couldn't connect to the CN since "+
|
|
| 753 |
e.getDescription()+ ". The false value will be returned for the AuthoritativeMNodeAdmin."); |
|
| 754 |
return allowed; |
|
| 755 |
} |
|
| 756 |
|
|
| 757 |
if(cn != null) {
|
|
| 758 |
List<Node> nodes = null; |
|
| 759 |
try {
|
|
| 760 |
nodes = cn.listNodes().getNodeList(); |
|
| 761 |
} catch (NotImplemented e) {
|
|
| 762 |
logMetacat.error("D1NodeService.isAuthoritativeMNodeAdmin - couldn't get the member nodes list from the CN since "+e.getDescription()+
|
|
| 763 |
". The false value will be returned for the AuthoritativeMNodeAdmin."); |
|
| 764 |
return allowed; |
|
| 765 |
} catch (ServiceFailure ee) {
|
|
| 766 |
logMetacat.error("D1NodeService.isAuthoritativeMNodeAdmin - couldn't get the member nodes list from the CN since "+ee.getDescription()+
|
|
| 767 |
". The false value will be returned for the AuthoritativeMNodeAdmin."); |
|
| 768 |
return allowed; |
|
| 769 |
} |
|
| 770 |
if(nodes != null) {
|
|
| 771 |
for(Node node : nodes) {
|
|
| 772 |
//find the authoritative node and get its subjects |
|
| 773 |
if (node.getType() == NodeType.MN && node.getIdentifier() != null && node.getIdentifier().equals(authoritativeMNode)) {
|
|
| 774 |
List<Subject> nodeSubjects = node.getSubjectList(); |
|
| 775 |
if(nodeSubjects != null) {
|
|
| 776 |
// check if the session subject is in the node subject list |
|
| 777 |
for (Subject nodeSubject : nodeSubjects) {
|
|
| 778 |
logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin(), comparing subjects: " +
|
|
| 779 |
nodeSubject.getValue() + " and " + subject.getValue()); |
|
| 780 |
if ( nodeSubject != null && nodeSubject.equals(subject) ) {
|
|
| 781 |
allowed = true; // subject of session == target node subject |
|
| 782 |
break; |
|
| 783 |
} |
|
| 784 |
} |
|
| 785 |
} |
|
| 786 |
|
|
| 787 |
} |
|
| 788 |
} |
|
| 789 |
} |
|
| 790 |
} |
|
| 791 |
} |
|
| 792 |
} |
|
| 793 |
} |
|
| 794 |
return allowed; |
|
| 795 |
} |
|
| 796 |
|
|
| 797 |
|
|
| 718 | 798 |
/** |
| 719 | 799 |
* Test if the user identified by the provided token has administrative authorization |
| 720 | 800 |
* |
| ... | ... | |
| 868 | 948 |
|
| 869 | 949 |
} |
| 870 | 950 |
|
| 951 |
// the authoritative member node of the pid always has the access as well. |
|
| 952 |
if (isAuthoritativeMNodeAdmin(session, pid)) {
|
|
| 953 |
allowed = true; |
|
| 954 |
return allowed; |
|
| 955 |
} |
|
| 956 |
|
|
| 871 | 957 |
// get the subject[s] from the session |
| 872 | 958 |
//defer to the shared util for recursively compiling the subjects |
| 873 | 959 |
Set<Subject> subjects = AuthUtils.authorizedClientSubjects(session); |
Also available in: Unified diff
Add the methond named isAuthoritativeMNodeAdmin method. It applies to both CN and MN methods.