/*
* RHQ Management Platform
* Copyright (C) 2005-2012 Red Hat, Inc.
* All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License, version 2, as
* published by the Free Software Foundation, and/or the GNU Lesser
* General Public License, version 2.1, also as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License and the GNU Lesser General Public License
* for more details.
*
* You should have received a copy of the GNU General Public License
* and the GNU Lesser General Public License along with this program;
* if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
package org.rhq.core.domain.authz;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;

import org.rhq.core.domain.auth.Subject;
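/**
 * An authorization permission is applied to {@link Role}s and related to {@link Subject}s that are members of those
 * Roles. Every permission has a {@link Target}: {@link Target#GLOBAL global} permissions are not tied to any
 * particular object, {@link Target#RESOURCE Resource} permissions are scoped to the resources in the role's resource
 * groups, and {@link Target#BUNDLE bundle} permissions are scoped to the bundles in the role's bundle groups.
 * <p>
 * The aggregate sets {@link #GLOBAL_ALL}, {@link #RESOURCE_ALL} and {@link #BUNDLE_ALL} are computed once from the
 * declared constants and are unmodifiable, so the permission universe used by authorization checks cannot be altered
 * at runtime.
 *
 * @author Ian Springer
 * @author Joseph Marques
 * @author Greg Hinkle
 */
public enum Permission {
    /* ========== Global Permissions ========== */

    /**
     * can C/U/D users and roles (viewing is implied for everyone)
     */
    MANAGE_SECURITY(Target.GLOBAL), // 0

    /**
     * can C/R/U/D all resources, groups and can import auto-discovered resources
     */
    MANAGE_INVENTORY(Target.GLOBAL), // 1

    /**
     * can modify the RHQ Server configuration and perform any server-related functionality
     */
    MANAGE_SETTINGS(Target.GLOBAL), // 2

    /* ========= Resource Permissions ========= */

    /**
     * can view (but not C/U/D) all aspects of this Resource except its configuration ({@link #CONFIGURE_READ} is
     * required to view that); this permission is implied just by having a Resource or Group in one's assigned Roles
     */
    VIEW_RESOURCE(Target.RESOURCE), // 3

    /**
     * can modify resource name, description, and plugin config (e.g. set principal/credentials jboss-as plugin uses to
     * access the managed JBossAS instance)
     */
    MODIFY_RESOURCE(Target.RESOURCE), // 4

    /**
     * can delete this resource (which also implies deleting all its descendant resources)
     */
    DELETE_RESOURCE(Target.RESOURCE), // 5

    /**
     * can manually create new child servers or services
     */
    CREATE_CHILD_RESOURCES(Target.RESOURCE), // 6

    /**
     * can C/U/D alert definitions (this implies {@link #MANAGE_MEASUREMENTS} and {@link #CONTROL})
     */
    MANAGE_ALERTS(Target.RESOURCE), // 7

    /**
     * can C/U/D metric schedules
     */
    MANAGE_MEASUREMENTS(Target.RESOURCE), // 8

    /**
     * can C/U/D content (package bits, software updates, etc.)
     */
    MANAGE_CONTENT(Target.RESOURCE), // 9

    /**
     * can invoke operations and delete operation history items
     */
    CONTROL(Target.RESOURCE), // 10

    /**
     * can C/U/D resource config (e.g. reconfiguring JBoss to listen for jnp on port 1199);
     * having this permission implies having {@link #CONFIGURE_READ}
     */
    CONFIGURE_WRITE(Target.RESOURCE), // 11

    /**
     * can perform any bundle action, assigns all other bundle permissions
     */
    MANAGE_BUNDLE(Target.GLOBAL), // 12

    /**
     * can view Resource configuration, but can not necessarily C/U/D unless {@link #CONFIGURE_WRITE} is also possessed
     */
    CONFIGURE_READ(Target.RESOURCE), // 13

    /**
     * can C/U/D events
     * (in the future, will also C/U/D event definitions)
     */
    MANAGE_EVENTS(Target.RESOURCE), // 14

    /**
     * Can C/U/D repositories and content sources
     */
    MANAGE_REPOSITORIES(Target.GLOBAL), // 15

    /**
     * Can C/U/D drift related entities
     */
    MANAGE_DRIFT(Target.RESOURCE), // 16

    /**
     * Can view other RHQ users, except for their assigned roles
     */
    VIEW_USERS(Target.GLOBAL), // 17

    /**
     * Can CRUD BundleGroups
     */
    MANAGE_BUNDLE_GROUPS(Target.GLOBAL), // 18

    /**
     * Can create Bundle [Versions]s
     * Can assign to viewable bundle groups
     * Can create unassigned Bundle [Versions] if holding Global.VIEW_BUNDLES
     */
    CREATE_BUNDLES(Target.GLOBAL), // 19

    /**
     * Can delete viewable bundle [Versions]s
     * Can unassign from viewable bundle groups
     * Can delete unassigned bundles if holding Global.VIEW_BUNDLES
     */
    DELETE_BUNDLES(Target.GLOBAL), // 20

    /**
     * Can view any bundle, including unassigned bundles
     */
    VIEW_BUNDLES(Target.GLOBAL), // 21

    /**
     * Can deploy any viewable bundle version to any viewable [deployable, compatible] resource group
     */
    DEPLOY_BUNDLES(Target.GLOBAL), // 22

    /**
     * Can assign viewable bundles to the bundle groups associated with the role.
     * - this can be a copy from another viewable bundle group
     * - this can be an unassigned bundle if holding Global.VIEW_BUNDLES
     */
    ASSIGN_BUNDLES_TO_GROUP(Target.BUNDLE), // 23

    /**
     * Can unassign bundles assigned to bundle groups associated with the role.
     * - the bundle is not deleted and becomes an unassigned bundle if assigned to no other bundle group
     */
    UNASSIGN_BUNDLES_FROM_GROUP(Target.BUNDLE), // 24

    /**
     * Can create [implicitly assigned] bundle [version]s for bundle groups associated with the role.
     */
    CREATE_BUNDLES_IN_GROUP(Target.BUNDLE), // 25

    /**
     * Can delete assigned bundle [version]s from the bundle groups associated with the role.
     */
    DELETE_BUNDLES_FROM_GROUP(Target.BUNDLE), // 26

    /**
     * Implied - Can view the bundles assigned to the bundle groups associated with the role.
     */
    VIEW_BUNDLES_IN_GROUP(Target.BUNDLE), // 27

    /**
     * Can deploy viewable bundles to the [compatible, deployable] resource groups associated with the role.
     */
    DEPLOY_BUNDLES_TO_GROUP(Target.RESOURCE) // 28
    ;

    /**
     * The kind of object a permission is checked against.
     */
    public enum Target {
        /** global permissions do not apply to specific resources or bundles */
        GLOBAL,
        /** resource permissions apply only to the resources in the role's resource groups */
        RESOURCE,
        /** bundle permissions apply only to the bundles in the role's bundle groups */
        BUNDLE
    }

    /** The target this permission applies to; fixed at construction and never changed afterwards. */
    private final Target target;

    /**
     * @param target the target to which the permission applies
     */
    Permission(Target target) {
        this.target = target;
    }

    /**
     * Returns the target to which the permission applies
     *
     * @return the target to which the permission applies
     */
    public Target getTarget() {
        return target;
    }

    /**
     * Every permission whose target is {@link Target#GLOBAL}. Unmodifiable; attempts to change it throw
     * {@link UnsupportedOperationException}.
     */
    public static final Set<Permission> GLOBAL_ALL;

    /**
     * Every permission whose target is {@link Target#RESOURCE}. Unmodifiable; attempts to change it throw
     * {@link UnsupportedOperationException}.
     */
    public static final Set<Permission> RESOURCE_ALL;

    /**
     * The {@link Target#GLOBAL} permissions whose constant name contains {@code "BUNDLE"} (the global bundle
     * permissions). Permissions with target {@link Target#BUNDLE} are deliberately <em>not</em> included, nor is
     * {@link #DEPLOY_BUNDLES_TO_GROUP}, whose target is {@link Target#RESOURCE}. Unmodifiable; attempts to change it
     * throw {@link UnsupportedOperationException}.
     */
    public static final Set<Permission> BUNDLE_ALL;

    static {
        // EnumSet gives a deterministic (ordinal) iteration order; the aggregates are built once, then published
        // through unmodifiable views so no caller can widen or narrow a permission universe at runtime.
        Set<Permission> global = EnumSet.noneOf(Permission.class);
        Set<Permission> resource = EnumSet.noneOf(Permission.class);
        Set<Permission> bundle = EnumSet.noneOf(Permission.class);

        for (Permission permission : Permission.values()) {
            switch (permission.getTarget()) {
            case GLOBAL:
                global.add(permission);
                // membership in BUNDLE_ALL is decided by the constant's name, so a new global bundle permission
                // must carry "BUNDLE" in its name to be aggregated here
                if (permission.name().contains("BUNDLE")) {
                    bundle.add(permission);
                }
                break;
            case RESOURCE:
                resource.add(permission);
                break;
            default:
                // bundle level perms do not need any aggregation
                break;
            }
        }

        GLOBAL_ALL = Collections.unmodifiableSet(global);
        RESOURCE_ALL = Collections.unmodifiableSet(resource);
        BUNDLE_ALL = Collections.unmodifiableSet(bundle);
    }
}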