Class RunAsRoleMapper

java.lang.Object
  org.jboss.as.controller.access.rbac.RunAsRoleMapper

All Implemented Interfaces:
  RoleMapper

public class RunAsRoleMapper extends Object implements RoleMapper

A RoleMapper that allows clients to specify the roles they desire to run as. By default this RoleMapper reads the set of roles from a request header in the operation, allowing the client to completely control the mapping. Roles are stored as a ModelNode of type ModelType.LIST, with elements of ModelType.STRING, under operation.get("operation-headers", "roles"). If no such header is found, the user is SUPERUSER. If the list is empty, the user has no permissions. This RoleMapper can be extended to allow the ability to run as different roles to be checked.

Author:
  Brian Stansberry (c) 2013 Red Hat Inc., Darran Lofthouse
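The header layout described above, as an added illustration that is not WildFly's own code: rolesFromHeader reads operation-headers/roles in the documented ModelNode shape, and filterRunAs is a hypothetical wrapper step (an assumption, not this class's implementation) showing how requested run-as roles can be checked against the caller's real roles through a canRunAs-style predicate. The sample operation, the "Operator" real role and the toy policy are constructed for the example.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.function.BiPredicate;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;

public class RunAsHeaderExample {

    // Reads operation-headers/roles as the class description lays it out: a LIST of STRING.
    // Absent header -> null (the documented SUPERUSER case); empty list -> empty set (no permissions).
    static Set<String> rolesFromHeader(ModelNode operation) {
        if (!operation.hasDefined("operation-headers", "roles")) {
            return null;
        }
        ModelNode roles = operation.get("operation-headers", "roles");
        if (roles.getType() != ModelType.LIST) throw new IllegalArgumentException("roles header must be a LIST");
        Set<String> result = new LinkedHashSet<>();
        for (ModelNode role : roles.asList()) {
            result.add(role.asString());
        }
        return result;
    }

    // Hypothetical run-as filter (assumption, not the class's code): a role requested in the
    // header is granted only if canRunAs agrees the caller's real roles may run as it.
    static Set<String> filterRunAs(Set<String> realRoles, Set<String> requested,
                                   BiPredicate<Set<String>, String> canRunAs) {
        Set<String> granted = new LinkedHashSet<>();
        for (String role : requested) {
            if (canRunAs.test(realRoles, role)) {
                granted.add(role);
            }
        }
        return granted;
    }

    public static void main(String[] args) {
        ModelNode op = new ModelNode();   // constructed sample operation carrying a roles header
        op.get("operation").set("read-resource");
        op.get("operation-headers", "roles").add("Monitor").add("Administrator");
        Set<String> requested = rolesFromHeader(op);
        Set<String> real = Set.of("Operator");   // assumed real role mapping for the caller
        // Toy policy standing in for realRoleMapper.canRunAs: an Operator may run as Monitor only.
        BiPredicate<Set<String>, String> policy =
                (roles, runAs) -> roles.contains("Operator") && runAs.equals("Monitor");
        System.out.println("granted run-as roles: " + filterRunAs(real, requested, policy));
    }
}
```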
Constructor Summary

Constructor                                  Description
RunAsRoleMapper(RoleMapper realRoleMapper)

Method Summary

Modifier and Type    Method                                                                                                          Description
boolean              canRunAs(Set<String> mappedRoles, String runAsRole)                                                             Gets whether the given set of mapped roles provides a caller with the privilege to run as the given runAsRole.
static Set<String>   getOperationHeaderRoles(org.jboss.dmr.ModelNode operation)
Set<String>          mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Set<String> operationHeaderRoles)   Determine the roles available for the caller without reference to a particular action or target.
Set<String>          mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Action action, TargetAttribute attribute)   Determine the roles available for the caller for a management operation affecting an individual attribute.
Set<String>          mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Action action, TargetResource resource)   Determine the roles available for the caller for a management operation affecting an entire resource.
Set<String>          mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, JmxAction action, JmxTarget target)   Determine the roles available for the caller for a JMX invocation unrelated to the management facade MBeans.
Constructor Detail

RunAsRoleMapper

public RunAsRoleMapper(RoleMapper realRoleMapper)
Method Detail

mapRoles

public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Action action, TargetAttribute attribute)

Description copied from interface: RoleMapper
Determine the roles available for the caller for a management operation affecting an individual attribute.

Specified by:
  mapRoles in interface RoleMapper
Parameters:
  identity - the caller identity. Cannot be null
  callEnvironment - the call environment. Cannot be null
  action - the action being authorized. Cannot be null
  attribute - the target of the action. Cannot be null
Returns:
  the roles. Will not be null, but may be an empty set
mapRoles

public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Action action, TargetResource resource)

Description copied from interface: RoleMapper
Determine the roles available for the caller for a management operation affecting an entire resource.

Specified by:
  mapRoles in interface RoleMapper
Parameters:
  identity - the caller identity. Cannot be null
  callEnvironment - the call environment. Cannot be null
  action - the action being authorized. Cannot be null
  resource - the target of the action. Cannot be null
Returns:
  the roles. Will not be null, but may be an empty set
mapRoles

public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, JmxAction action, JmxTarget target)

Description copied from interface: RoleMapper
Determine the roles available for the caller for a JMX invocation unrelated to the management facade MBeans.

Specified by:
  mapRoles in interface RoleMapper
Parameters:
  identity - the caller identity. Cannot be null
  callEnvironment - the call environment. Cannot be null
  action - the action being authorized. Cannot be null
  target - the target of the action. Cannot be null
Returns:
  the roles. Will not be null, but may be an empty set
mapRoles

public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity, Environment callEnvironment, Set<String> operationHeaderRoles)

Description copied from interface: RoleMapper
Determine the roles available for the caller without reference to a particular action or target. Note that actually mapping a caller to roles without reference to a particular action or target is not required.

Specified by:
  mapRoles in interface RoleMapper
Parameters:
  identity - the caller identity. Cannot be null
  callEnvironment - the call environment. Cannot be null
  operationHeaderRoles - any roles specified as headers in the operation. May be null
Returns:
  the roles. Will not be null, but may be an empty set
canRunAs

public boolean canRunAs(Set<String> mappedRoles, String runAsRole)

Description copied from interface: RoleMapper
Gets whether the given set of mapped roles provides a caller with the privilege to run as the given runAsRole.

Specified by:
  canRunAs in interface RoleMapper
Parameters:
  mappedRoles - a set of roles obtained from a call to one of this mapper's mapRoles methods
  runAsRole - the role the caller wishes to run as
Returns:
  true if running as runAsRole is allowed