| 33 |
33 |
import java.util.Date;
|
| 34 |
34 |
import java.util.HashMap;
|
| 35 |
35 |
import java.util.HashSet;
|
|
36 |
import java.util.Iterator;
|
| 36 |
37 |
import java.util.List;
|
| 37 |
38 |
import java.util.Map;
|
| 38 |
39 |
import java.util.Set;
|
| ... | ... | |
| 60 |
61 |
import edu.ucsb.nceas.metacat.AccessionNumberException;
|
| 61 |
62 |
import edu.ucsb.nceas.metacat.IdentifierManager;
|
| 62 |
63 |
import edu.ucsb.nceas.metacat.McdbDocNotFoundException;
|
|
64 |
import edu.ucsb.nceas.metacat.dataone.D1NodeService;
|
| 63 |
65 |
import edu.ucsb.nceas.metacat.properties.PropertyService;
|
| 64 |
66 |
import edu.ucsb.nceas.metacat.shared.ServiceException;
|
| 65 |
67 |
import edu.ucsb.nceas.utilities.PropertyNotFoundException;
|
| ... | ... | |
| 68 |
70 |
public class SyncAccessPolicy {
|
| 69 |
71 |
|
| 70 |
72 |
private static Logger logMetacat = Logger.getLogger(SyncAccessPolicy.class);
|
|
73 |
|
|
74 |
protected static int MAXIMUM_DB_RECORD_COUNT;
|
| 71 |
75 |
|
|
76 |
static {
|
|
77 |
try {
|
|
78 |
MAXIMUM_DB_RECORD_COUNT = Integer.valueOf(PropertyService
|
|
79 |
.getProperty("database.webResultsetSize"));
|
|
80 |
} catch (Exception e) {
|
|
81 |
logMetacat.warn("Could not set MAXIMUM_DB_RECORD_COUNT", e);
|
|
82 |
}
|
|
83 |
}
|
|
84 |
|
| 72 |
85 |
/**
|
| 73 |
86 |
* Synchronize access policy (from system metadata) of d1 member node with
|
| 74 |
87 |
* the corresponding controlling node.
|
| ... | ... | |
| 106 |
119 |
|
| 107 |
120 |
CNode cn = D1Client.getCN();
|
| 108 |
121 |
|
| 109 |
|
for (int i = objList.getStart(); i <= objList.getCount(); i++) {
|
|
122 |
logMetacat.debug("start: " + objList.getStart() + "count: "
|
|
123 |
+ objList.getCount());
|
|
124 |
for (int i = objList.getStart(); i < objList.getCount(); i++) {
|
| 110 |
125 |
|
| 111 |
126 |
objInfo = objList.getObjectInfo(i);
|
| 112 |
127 |
pid = objInfo.getIdentifier();
|
|
128 |
|
|
129 |
logMetacat.debug("Getting SM for pid: " + pid.getValue() + " i: "
|
|
130 |
+ i);
|
| 113 |
131 |
try {
|
| 114 |
132 |
// Get sm, access policy for requested localId
|
| 115 |
133 |
mnSysMeta = IdentifierManager.getInstance().getSystemMetadata(
|
| ... | ... | |
| 123 |
141 |
+ pid.getValue() + e.getMessage());
|
| 124 |
142 |
}
|
| 125 |
143 |
|
|
144 |
logMetacat
|
|
145 |
.debug("Getting access policy for pid: " + pid.getValue());
|
|
146 |
|
| 126 |
147 |
mnAccessPolicy = mnSysMeta.getAccessPolicy();
|
| 127 |
|
// System.out.println("pid: " +
|
|
148 |
// logMetacat.debug("pid: " +
|
| 128 |
149 |
// mnSysMeta.getIdentifier().toString());
|
| 129 |
150 |
|
| 130 |
151 |
// Get sm, access policy for requested pid from the CN
|
| 131 |
|
// BigInteger mnSerialVersion = mnSysMeta.getSerialVersion();
|
| 132 |
152 |
|
| 133 |
153 |
try {
|
| 134 |
154 |
cnSysMeta = cn.getSystemMetadata(pid);
|
| ... | ... | |
| 136 |
156 |
logMetacat.error("Error getting system metadata for pid: "
|
| 137 |
157 |
+ pid.getValue() + " from cn: " + e.getMessage());
|
| 138 |
158 |
}
|
| 139 |
|
|
|
159 |
logMetacat.debug("Getting access policy from CN for pid: "
|
|
160 |
+ pid.getValue());
|
|
161 |
|
| 140 |
162 |
cnAccessPolicy = cnSysMeta.getAccessPolicy();
|
|
163 |
logMetacat.debug("Diffing access policies (MN,CN) for pid: "
|
|
164 |
+ pid.getValue());
|
| 141 |
165 |
|
| 142 |
|
// Compare access policy of MN and CN, and update if different
|
|
166 |
// Compare access policies of MN and CN, and update if different.
|
| 143 |
167 |
if (!isEqual(mnAccessPolicy, cnAccessPolicy)) {
|
| 144 |
168 |
try {
|
| 145 |
169 |
BigInteger serialVersion = cnSysMeta.getSerialVersion();
|
| 146 |
|
cn.setAccessPolicy(session, pid,
|
| 147 |
|
mnSysMeta.getAccessPolicy(),
|
|
170 |
logMetacat.debug("Setting access policy from CN for pid: "
|
|
171 |
+ pid.getValue() + "serial version: "
|
|
172 |
+ serialVersion.toString());
|
|
173 |
cn.setAccessPolicy(session, pid, mnAccessPolicy,
|
| 148 |
174 |
serialVersion.longValue());
|
| 149 |
|
// Add this pid to the list of pids that were successfully synced
|
|
175 |
logMetacat.debug("Successfully set access policy");
|
|
176 |
// Add this pid to the list of pids that were successfully
|
|
177 |
// synced
|
| 150 |
178 |
syncedIds.add(pid);
|
| 151 |
179 |
} catch (Exception e) {
|
| 152 |
180 |
logMetacat.error("Error setting access policy of pid: "
|
| ... | ... | |
| 154 |
182 |
}
|
| 155 |
183 |
|
| 156 |
184 |
}
|
|
185 |
logMetacat.debug("Done with pid: " + pid.getValue());
|
| 157 |
186 |
}
|
| 158 |
187 |
|
| 159 |
188 |
return syncedIds;
|
| ... | ... | |
| 240 |
269 |
ObjectFormatIdentifier objectFormatId = null;
|
| 241 |
270 |
Boolean replicaStatus = false; // return only pids for which this mn is
|
| 242 |
271 |
// authoritative
|
| 243 |
|
Integer start = null;
|
| 244 |
|
Integer count = null;
|
|
272 |
Integer start = 0;
|
|
273 |
Integer count = MAXIMUM_DB_RECORD_COUNT;
|
| 245 |
274 |
|
| 246 |
275 |
ObjectList objsToSync = IdentifierManager.getInstance()
|
| 247 |
276 |
.querySystemMetadata(startTime, endTime, objectFormatId,
|
| ... | ... | |
| 259 |
288 |
* - first access policy in the comparison
|
| 260 |
289 |
* @param ap2
|
| 261 |
290 |
* - second access policy in the comparison
|
| 262 |
|
* @return
|
|
291 |
* @return boolean - true if access policies are equivalent
|
| 263 |
292 |
*/
|
| 264 |
293 |
private boolean isEqual(AccessPolicy ap1, AccessPolicy ap2) {
|
| 265 |
294 |
|
|
295 |
// Access Policy -> Access Rule -> (Subject, Permission)
|
|
296 |
// i.e. Subject="slaughter", Permission="read,write,changePermission"
|
| 266 |
297 |
// Get the list of access rules for each access policy
|
| 267 |
298 |
List<org.dataone.service.types.v1.AccessRule> allowList1 = ap1
|
| 268 |
299 |
.getAllowList();
|
| ... | ... | |
| 274 |
305 |
|
| 275 |
306 |
// Load the permissions from the access rules into a hash of sets, i.e.,
|
| 276 |
307 |
// so that we end up with this:
|
| 277 |
|
// hash key: set of permissions
|
|
308 |
// hash key: set of permissions, i.e.
|
| 278 |
309 |
// ----------------------------
|
| 279 |
310 |
// user1: read, write
|
| 280 |
311 |
// user2: read
|
| ... | ... | |
| 282 |
313 |
// With the permissions in this structure, they can be easily compared
|
| 283 |
314 |
Set<Permission> perms = null;
|
| 284 |
315 |
// Process first access policy
|
|
316 |
// Loop through access rules of this allowList
|
| 285 |
317 |
for (org.dataone.service.types.v1.AccessRule accessRule : allowList1) {
|
| 286 |
318 |
for (Subject s : accessRule.getSubjectList()) {
|
| 287 |
319 |
if (userPerms1.containsKey(s)) {
|
| ... | ... | |
| 292 |
324 |
for (Permission p : accessRule.getPermissionList()) {
|
| 293 |
325 |
perms.add(p);
|
| 294 |
326 |
}
|
|
327 |
userPerms1.put(s, perms);
|
| 295 |
328 |
}
|
| 296 |
329 |
}
|
| 297 |
330 |
|
| ... | ... | |
| 306 |
339 |
for (Permission p : accessRule.getPermissionList()) {
|
| 307 |
340 |
perms.add(p);
|
| 308 |
341 |
}
|
|
342 |
userPerms2.put(s, perms);
|
| 309 |
343 |
}
|
| 310 |
344 |
}
|
| 311 |
345 |
|
| 312 |
346 |
// Now perform the comparison. This test assumes that the mn perms are
|
| 313 |
347 |
// more
|
| 314 |
348 |
// complete than the cn perms.
|
|
349 |
logMetacat.debug("Performing comparison of access policies");
|
| 315 |
350 |
for (Map.Entry<Subject, Set<Permission>> entry : userPerms1.entrySet()) {
|
| 316 |
351 |
// User name
|
| 317 |
352 |
Subject s1 = entry.getKey();
|
| 318 |
353 |
// Perms that the user holds
|
| 319 |
|
Set p1 = entry.getValue();
|
|
354 |
Set<Permission> p1 = entry.getValue();
|
|
355 |
logMetacat
|
|
356 |
.debug("Checking access policy of user: " + s1.getValue());
|
| 320 |
357 |
|
| 321 |
|
// Does this user in both access policies?
|
|
358 |
// Does this user exist in both access policies?
|
| 322 |
359 |
if (userPerms2.containsKey(s1)) {
|
| 323 |
|
if (!p1.equals(userPerms2.get(p1))) {
|
|
360 |
if (!p1.equals(userPerms2.get(s1))) {
|
|
361 |
logMetacat.debug("User access policies not equal");
|
| 324 |
362 |
return false;
|
| 325 |
363 |
}
|
| 326 |
364 |
} else {
|
|
365 |
logMetacat.debug("User access policy not found on CN");
|
| 327 |
366 |
return false;
|
| 328 |
367 |
}
|
| 329 |
368 |
}
|
| 330 |
369 |
|
| 331 |
370 |
// All comparisons have been passed, so the two access policies are
|
| 332 |
371 |
// equivalent
|
|
372 |
logMetacat.debug("Access policies are the same");
|
| 333 |
373 |
return true;
|
| 334 |
374 |
}
|
| 335 |
375 |
|
| ... | ... | |
| 351 |
391 |
try {
|
| 352 |
392 |
guids = new ArrayList<String>(Arrays.asList(args[0]
|
| 353 |
393 |
.split("\\s*,\\s*")));
|
| 354 |
|
System.out.println("Trying to syncing access policy for pids: "
|
|
394 |
logMetacat.debug("Trying to syncing access policy for pids: "
|
| 355 |
395 |
+ args[0]);
|
| 356 |
396 |
syncAP.sync(guids);
|
| 357 |
397 |
} catch (Exception e) {
|
Sync access policy between mn -> cn in case where metacat native ui being used to update ap on mn