Class RunAsRoleMapper

  • All Implemented Interfaces:
    RoleMapper

    public class RunAsRoleMapper
    extends Object
    implements RoleMapper
    A RoleMapper that allows clients to specify the roles they wish to run as. By default this RoleMapper reads the set of roles from a header in the operation, allowing the client to completely control the mapping. Roles are stored as a ModelNode of type ModelType.LIST, with elements of ModelType.STRING, under operation.get("operation-headers", "roles"). If no such header is found, the user is SUPERUSER. If the list is empty, the user has no permissions. This RoleMapper can be extended so that a client's request to run as different roles is checked rather than accepted as-is.
    Author:
    Brian Stansberry (c) 2013 Red Hat Inc., Darran Lofthouse
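The header convention in the class description, worked through as an added example that is not the project's own code: a small Java class reads operation-headers/roles from an org.jboss.dmr.ModelNode and distinguishes the three documented cases (header absent, empty list, populated list). The method name readRunAsRoles, the SUPERUSER marker string and the sample role names are assumptions of this example.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;

// Illustration of the header format described in the RunAsRoleMapper javadoc.
// This is not the WildFly implementation; names below are assumptions.
public class RunAsHeaderExample {

    // Marker for the "header absent" case, which the javadoc says leaves the
    // caller as SUPERUSER. The exact string is assumed for this example.
    static final String SUPERUSER = "SuperUser";

    // Reads operation-headers/roles, documented as a LIST of STRING.
    // Returns null when the header is missing (caller is SUPERUSER),
    // an empty set when the list is empty (caller has no permissions),
    // otherwise the roles the client asked to run as.
    static Set<String> readRunAsRoles(ModelNode operation) {
        if (!operation.hasDefined("operation-headers")
                || !operation.get("operation-headers").hasDefined("roles")) {
            return null;
        }
        ModelNode roles = operation.get("operation-headers", "roles");
        if (roles.getType() != ModelType.LIST) {
            // Malformed header: grant nothing rather than guess at intent.
            return Collections.emptySet();
        }
        Set<String> result = new LinkedHashSet<>();
        for (ModelNode role : roles.asList()) {
            result.add(role.asString());
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample operation, built the way a management client would.
        ModelNode op = new ModelNode();
        op.get("operation").set("read-resource");
        op.get("address").setEmptyList();
        System.out.println("no header:   " + readRunAsRoles(op));

        op.get("operation-headers", "roles").setEmptyList();
        System.out.println("empty list:  " + readRunAsRoles(op));

        op.get("operation-headers", "roles").add("Monitor").add("Operator");
        System.out.println("run-as list: " + readRunAsRoles(op));
    }
}
```

Because the client controls this header, a deployment depends on the realRoleMapper passed to the constructor and on canRunAs to confirm that the caller's actual roles permit the requested run-as role; this example covers only the parsing step.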
    • Constructor Detail

      • RunAsRoleMapper

        public RunAsRoleMapper(RoleMapper realRoleMapper)
    • Method Detail

      • mapRoles

        public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity,
                                    Environment callEnvironment,
                                    Action action,
                                    TargetAttribute attribute)
        Description copied from interface: RoleMapper
        Determine the roles available for the caller for a management operation affecting an individual attribute.
        Specified by:
        mapRoles in interface RoleMapper
        Parameters:
        identity - the caller identity. Cannot be null
        callEnvironment - the call environment. Cannot be null
        action - the action being authorized. Cannot be null
        attribute - the target of the action. Cannot be null
        Returns:
        the roles. Will not be null, but may be an empty set
      • mapRoles

        public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity,
                                    Environment callEnvironment,
                                    Action action,
                                    TargetResource resource)
        Description copied from interface: RoleMapper
        Determine the roles available for the caller for a management operation affecting an entire resource.
        Specified by:
        mapRoles in interface RoleMapper
        Parameters:
        identity - the caller identity. Cannot be null
        callEnvironment - the call environment. Cannot be null
        action - the action being authorized. Cannot be null
        resource - the target of the action. Cannot be null
        Returns:
        the roles. Will not be null, but may be an empty set
      • mapRoles

        public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity,
                                    Environment callEnvironment,
                                    JmxAction action,
                                    JmxTarget target)
        Description copied from interface: RoleMapper
        Determine the roles available for the caller for a JMX invocation unrelated to the management facade MBeans.
        Specified by:
        mapRoles in interface RoleMapper
        Parameters:
        identity - the caller identity. Cannot be null
        callEnvironment - the call environment. Cannot be null
        action - the action being authorized. Cannot be null
        target - the target of the action. Cannot be null
        Returns:
        the roles. Will not be null, but may be an empty set
      • mapRoles

        public Set<String> mapRoles(org.wildfly.security.auth.server.SecurityIdentity identity,
                                    Environment callEnvironment,
                                    Set<String> operationHeaderRoles)
        Description copied from interface: RoleMapper
        Determine the roles available for the caller without reference to a particular action or target. Note that actually mapping a caller to roles without reference to a particular action or target is not required.
        Specified by:
        mapRoles in interface RoleMapper
        Parameters:
        identity - the caller identity. Cannot be null
        callEnvironment - the call environment. Cannot be null
        operationHeaderRoles - any roles specified as headers in the operation. May be null
        Returns:
        the roles. Will not be null, but may be an empty set
      • canRunAs

        public boolean canRunAs(Set<String> mappedRoles,
                                String runAsRole)
        Description copied from interface: RoleMapper
        Gets whether the given set of mapped roles provides a caller with the privilege to run as the given "runAsRole".
        Specified by:
        canRunAs in interface RoleMapper
        Parameters:
        mappedRoles - a set of roles obtained from a call to one of this mapper's mapRoles methods
        runAsRole - the role the caller wishes to run as
        Returns:
        true if running as runAsRole is allowed
      • getOperationHeaderRoles

        public static Set<String> getOperationHeaderRoles(org.jboss.dmr.ModelNode operation)