RoleManagerRemote.java

/*
 * RHQ Management Platform
 * Copyright (C) 2005-2008 Red Hat, Inc.
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation version 2 of the License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */
package org.rhq.enterprise.server.authz;

import javax.ejb.Remote;

import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Role;
import org.rhq.core.domain.criteria.RoleCriteria;
import org.rhq.core.domain.util.PageControl;
import org.rhq.core.domain.util.PageList;

/**
 * The remote interface to the role manager, providing a restricted set of Role Management services. that provides the API to manipulate the security rules within the JON Server.
 *
 * @author Jay Shaughnessy
 */
@Remote
public interface RoleManagerRemote {

    /**
     * Returns the role with the given ID
     *
     * @param subject
     * @param roleId
     *
     * @return the role or <code>null</code> if it wasn't found
     */
    Role getRole(Subject subject, int roleId);

    /**
     * Persists the new role to the database.
     *
     * @param subject The user attempting to create the role
     * @param newRole The new role being created
     * @return The persisted role with the primary key populated
     */
    Role createRole(Subject subject, Role newRole);

    /**
     * Removes a set of roles from the database. The subjects assigned to the roles are no longer authorized with the
     * deleted roles. Groups attached to the deleted roles are left alone.
     *
     * @param subject The user attempting to delete the role
     * @param roleIds The IDs of the roles to delete
     */
    void deleteRoles(Subject subject, int[] roleIds);

    /**
     * Updates the given role including permissions. To update subjects, resource groups, ldap groups
     * or bundle groups pass a non-null value.
     *
     * @param subject The user updating the role
     * @param role The role being updated
     * @return The updated role
     */
    Role updateRole(Subject subject, Role role);

    /**
     * Get all roles assigned for a certain subject
     *
     * @param subject The logged in user's subject
     * @param subjectId The subject ID to find the associated roles for
     * @param pc PageControl
     * @return A page list of assigned
     */
    PageList<Role> findSubjectAssignedRoles(Subject subject, int subjectId, PageControl pc);

    /**
     * Get all roles eligible to be assigned to the user.
     *
     * @param subject
     * @param subjectId
     * @param pc
     * @return not null
     */
    PageList<Role> findSubjectUnassignedRoles(Subject subject, int subjectId, PageControl pc);

    /**
     * Assigns a set of roles to a subject which authorizes the subject to do anything the roles permit.
     *
     * @param subject The logged in user's subject.
     * @param subjectId the subject who is to be authorized with the given roles
     * @param roleIds   the roles to assign
     */
    void addRolesToSubject(Subject subject, int subjectId, int[] roleIds);

    /**
     * Remove particular roles from a subject. Once complete, the subject will no longer be authorized with the
     * given roles.
     *
     * @param subject The logged in user's subject.
     * @param subjectId the user that is to have the roles unassigned from it
     * @param roleIds   list of role IDs that are to be removed from user
     */
    void removeRolesFromSubject(Subject subject, int subjectId, int[] roleIds);

    /**
     * Assigns a set of subjects to a role which authorizes the subjects to do anything the role permits.
     *
     * @param subject     the user attempting to assign the roles to the subject
     * @param roleId     the role who will authorized with the given subjects
     * @param subjectIds the subjects to assign the role
     */
    void addSubjectsToRole(Subject subject, int roleId, int[] subjectIds);

    /**
     * Dissociate particular subjects from a role.
     *
     * @param subject The logged in user's subject.
     * @param roleId The role ID to dissociate the roles from
     * @param subjectIds The IDs of the subjects to remove from the specified Role
     */
    void removeSubjectsFromRole(Subject subject, int roleId, int[] subjectIds);

    /**
     * Sets the set of roles assigned to a subject. Requires SECURITY_ADMIN
     * @param subject
     * @param subjectId
     * @param roleIds
     */
    void setAssignedSubjectRoles(Subject subject, int subjectId, int[] roleIds);

    /**
     * Adds the given bundle groups to the given role.
     *
     * @param subject The logged in user's subject.
     * @param roleId
     * @param bundleGroupIds
     *
     * @since 4.9
     */
    void addBundleGroupsToRole(Subject subject, int roleId, int[] bundleGroupIds);

    /**
     * Adds the given resource groups to the given role.
     *
     * @param subject The logged in user's subject.
     * @param roleId
     * @param pendingGroupIds
     */
    void addResourceGroupsToRole(Subject subject, int roleId, int[] pendingGroupIds);

    /**
     * @param subject
     * @param bundleGroupId
     * @param roleIds
     *
     * @since 4.9
     */
    void addRolesToBundleGroup(Subject subject, int bundleGroupId, int[] roleIds);

    /**
     * @param subject
     * @param groupId
     * @param roleIds
     */
    void addRolesToResourceGroup(Subject subject, int groupId, int[] roleIds);

    /**
     * Set the specified bundle groups on the role, replacing the previous set of bundle groups.
     *
     * @param subject
     * @param roleId
     * @param bundleGroupIds
     *
     * @since 4.9
     */
    void setAssignedBundleGroups(Subject subject, int roleId, int[] bundleGroupIds);

    /**
     * Set the specified resource groups on the role, replacing the previous set of resource groups.
     *
     * @param subject
     * @param roleId
     * @param groupIds
     */
    void setAssignedResourceGroups(Subject subject, int roleId, int[] groupIds);

    /**
     * Removes the given bundle groups from the given role.
     *
     * @param subject user attempting to remove the groups from the role
     * @param roleId
     * @param bundleGroupIds
     *
     * @since 4.9
     */
    void removeBundleGroupsFromRole(Subject subject, int roleId, int[] bundleGroupIds);

    /**
     * Removes the given resource groups from the given role.
     *
     * @param subject user attempting to remove the groups from the role
     * @param roleId
     * @param groupIds
     */
    void removeResourceGroupsFromRole(Subject subject, int roleId, int[] groupIds);

    /**
     * Remove the bundle group from the specified roles.
     *
     * @param subject
     * @param bundleGroupId
     * @param roleIds
     *
     * @since 4.9
     */
    void removeRolesFromBundleGroup(Subject subject, int bundleGroupId, int[] roleIds);

    /**
     * Remove the resource group from the specified roles.
     *
     * @param subject
     * @param groupId
     * @param roleIds
     */
    void removeRolesFromResourceGroup(Subject subject, int groupId, int[] roleIds);

    /**
     * @param subject
     * @param criteria
     * @return not null
     */
    PageList<Role> findRolesByCriteria(Subject subject, RoleCriteria criteria);

}