PDPImpl (GRIA master 5.2 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

uk.ac.soton.itinnovation.grid.pbac2.pdp.dynamic
Class PDPImpl

java.lang.Object
  uk.ac.soton.itinnovation.grid.pbac2.pdp.dynamic.PDPImpl

All Implemented Interfaces:: PDP

Direct Known Subclasses:: PDPServiceImpl

public class PDPImpl
extends Object
implements PDP
extends Object
implements PDP

Policy Decision point implementation for PBAC2.

Field Summary

Fields inherited from interface uk.ac.soton.itinnovation.grid.pbac2.pdp.PDP
`DESTROYED_STATE, GROUP_MEMBER_ROLE, UNINITIALISED_STATE`

Constructor Summary
`PDPImpl()`

Method Summary
`void`	`addAccessControlRule(String resourceID, MatchRule rule)` Add a new match rule for a resource.
`void`	`check(String resourceID, SubjectDescription subjectDesc, String action)` Checks if the request is granted.
`void`	`deployPolicy(String resourceTypeID, String policyClassName, String modelData, String defaultVersion)` Deploy a new resource type.
`MatchRule[]`	`getAccessControlRules(String resourceID, String processRole)` Get the list of rules for membership of the given role.
`String[]`	`getAvailableSignals(String resourceID)` List the signals available given the current state of the resource.
`String`	`getDefaultVersion(String resourceTypeID)` Get the service's default policy version at the time this policy was deployed.
`String[]`	`getDeployedPolicies()` List the policies currently deployed.
`boolean`	`getHasRole(String resourceID, SubjectDescription subjectDesc, String role)` Check whether the given subject has the named role in 'resourceID'.
`String[]`	`getProcessRolesForSubject(String resourceID, SubjectDescription subjectDesc)` Get the list of roles of which this subject is a member.
`String`	`getProcessState(String resourceID)` Return the current process state of a resource.
`String[]`	`getResources(String resourceTypeID, SubjectDescription subjectDesc, String processState)` Get the list of resources in which the given subject has membership of some role.
`String`	`getResourceStatusMessage(String resourceID)` For the admin interface only.
`String`	`getResourceType(String resourceID)` Get the type of a resource.
`String`	`getStaticPolicy(String resourceTypeID)` Returns the modelData previously set using deployPolicy.
`String[]`	`getValidProcessRoles(String resourceTypeID)` List the valid process roles for this model.
`String`	`getVersion()` Returns the version of PBAC being used.
`String`	`lockAndCheck(String resourceID, SubjectDescription subjectSpec, String action)` Locks the resource and checks if the request is granted.
`String`	`lockForAdmin(String resourceID, String action)` Like lockAndCheck, but without the check.
`void`	`newProcess(String resourceTypeID, String resourceID)` Creates a new process for a given resource.
`void`	`removeAccessControlRule(String resourceID, MatchRule rule)` Remove a match rule from a resource.
`void`	`setLockTimeout(long timeout)` For debugging.
`void`	`shutdown()` Shutdown the PDP.
`String`	`signal(String resourceID, String event)` Signal an event on the resource.
`void`	`undeployPolicy(String resourceTypeID)` Undeploy a policy.
`void`	`unlock(String resourceID)` Unlocks a resource.

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

PDPImpl

public PDPImpl()

Method Detail

shutdown

public void shutdown()

Shutdown the PDP. This closes our hibernate session. It is mainly useful for unit testing.

lockAndCheck

public String lockAndCheck(String resourceID,
                           SubjectDescription subjectSpec,
                           String action)
                    throws AcquireResourceLockTimeoutException,
                           InvalidResourceIDException,
                           InvalidSubjectDescriptorException,
                           InvalidActionException,
                           NotAuthorisedException,
                           ActionCurrentlyUnavailableException,
                           ResourceTypeNotDeployedException

Description copied from interface: PDP

Locks the resource and checks if the request is granted. If the request fails, the resource is unlocked before returning.

Specified by:: lockAndCheck in interface PDP

Parameters:: resourceID - the resource in question; subjectSpec - the subject's description; action - the requested action
Returns:: the current state, which may be needed by the service operation
Throws:: AcquireResourceLockTimeoutException - if we cant get exclusive access to the resource in the timeout period; InvalidResourceIDException - if the resource ID is not recognised; InvalidSubjectDescriptorException - if the subject descriptor is invalid; InvalidActionException - if the action is not valid; NotAuthorisedException - if the user is not authorised on the action in the resource; ActionCurrentlyUnavailableException - if the user is authorised to execute the action on the resource but can't right now; ResourceTypeNotDeployedException - if the resource's type is no longer valid (undeployed)

check

public void check(String resourceID,
                  SubjectDescription subjectDesc,
                  String action)
           throws InvalidResourceIDException,
                  ResourceNotLockedException,
                  NotAuthorisedException,
                  ActionCurrentlyUnavailableException,
                  InvalidActionException,
                  InvalidSubjectDescriptorException

Description copied from interface: PDP

Checks if the request is granted. The resource must be locked.

Specified by:: check in interface PDP

Parameters:: resourceID - the resource in question; subjectDesc - the subject's description; action - the requested action
Throws:: InvalidResourceIDException - if the resource ID is not recognised; ResourceNotLockedException - if the resource is not locked; NotAuthorisedException - if the user is not authorised on the action in the resource; ActionCurrentlyUnavailableException - if the user is authorised to execute the action on the resource but can't right now; InvalidActionException - if the action is not valid; InvalidSubjectDescriptorException - if the subject descriptor is invalid

lockForAdmin

public String lockForAdmin(String resourceID,
                           String action)
                    throws AcquireResourceLockTimeoutException,
                           InvalidResourceIDException,
                           ResourceTypeNotDeployedException

Description copied from interface: PDP

Like lockAndCheck, but without the check. This is for admin interfaces. This operation is similar to lockAndCheck, except that 'action' is not checked (and need not even exist in the policy). Here, it is only used for informational purposes (for example, in log messages and in the string returned by getResourceStatusMessage).

Specified by:: lockForAdmin in interface PDP

Parameters:: resourceID - the resource to lock; action - the action which requires the resource to be locked
Throws:: AcquireResourceLockTimeoutException; InvalidResourceIDException; ResourceTypeNotDeployedException

unlock

public void unlock(String resourceID)
            throws ResourceNotLockedException,
                   InvalidResourceIDException

Description copied from interface: PDP

Unlocks a resource. If the process state is UNINITIALISED_STATE or DESTROYED_STATE, the process is destroyed.

Specified by:: unlock in interface PDP

Parameters:: resourceID - the resource in question
Throws:: ResourceNotLockedException - if the resource is not locked; InvalidResourceIDException - if the resource ID is not recognised

signal

public String signal(String resourceID,
                     String event)
              throws EventCurrentlyUnavailableException,
                     InvalidResourceIDException,
                     InvalidEventException,
                     ResourceNotLockedException

Description copied from interface: PDP

Signal an event on the resource. The process state may be updated in response to this, according to the service policy.

Specified by:: signal in interface PDP

Parameters:: resourceID - the resource in question; event - the event causing the transition
Returns:: the new state
Throws:: EventCurrentlyUnavailableException - if the event is not available in the current state; InvalidResourceIDException - if the resource ID is not recognised; InvalidEventException - if the event is not valid according to the service policy; ResourceNotLockedException - if the resource is not locked

getAvailableSignals

public String[] getAvailableSignals(String resourceID)
                             throws InvalidResourceIDException

Description copied from interface: PDP

List the signals available given the current state of the resource. The resource may or may not be locked. If not locked, other callers may change the state so that the returned list is no longer valid.

Specified by:: getAvailableSignals in interface PDP

Parameters:: resourceID - the resource in question
Returns:: a list of available events
Throws:: InvalidResourceIDException - if the resource ID is not recognised

getProcessState

public String getProcessState(String resourceID)
                       throws InvalidResourceIDException

Description copied from interface: PDP

Return the current process state of a resource. The resource does not need to be locked to use this call. However, if it is not locked then the status may change at any time, so the result should only be used for informational purposes.

Specified by:: getProcessState in interface PDP

Returns:: the process state of the resource
Throws:: InvalidResourceIDException

addAccessControlRule

public void addAccessControlRule(String resourceID,
                                 MatchRule rule)
                          throws InvalidResourceIDException,
                                 InvalidMatchRuleException,
                                 InvalidProcessRoleException,
                                 ResourceNotLockedException

Description copied from interface: PDP

Add a new match rule for a resource. The resource must be locked before a rule can be added.

Specified by:: addAccessControlRule in interface PDP

Parameters:: resourceID - the resource being protected; rule - the rule to add
Throws:: InvalidResourceIDException; InvalidMatchRuleException; InvalidProcessRoleException; ResourceNotLockedException

removeAccessControlRule

public void removeAccessControlRule(String resourceID,
                                    MatchRule rule)
                             throws InvalidMatchRuleException,
                                    ResourceNotLockedException,
                                    InvalidProcessRoleException,
                                    InvalidResourceIDException,
                                    MatchRuleNotFoundException

Description copied from interface: PDP

Remove a match rule from a resource. The resource must be locked, and the rule must match one previously added with addAccessControlRule.

Specified by:: removeAccessControlRule in interface PDP

Parameters:: resourceID - the resource being protected; rule - the rule to remove
Throws:: InvalidMatchRuleException; ResourceNotLockedException; InvalidProcessRoleException; InvalidResourceIDException; MatchRuleNotFoundException

newProcess

public void newProcess(String resourceTypeID,
                       String resourceID)
                throws ResourceIDAlreadyExistsException,
                       ResourceTypeNotDeployedException

Description copied from interface: PDP

Creates a new process for a given resource. The new resource is locked when the call returns. You must call signal() at least once before unlocking (otherwise, unlocking will remove the new process).

Specified by:: newProcess in interface PDP

Parameters:: resourceTypeID - the resource's type; resourceID - the resource ID (must not already have a PBAC process)
Throws:: ResourceIDAlreadyExistsException - if the resource is already managed by PBAC; ResourceTypeNotDeployedException - if the resourceTypeID is not currently deployed

getResourceType

public String getResourceType(String resourceID)
                       throws InvalidResourceIDException

Description copied from interface: PDP

Get the type of a resource.

Specified by:: getResourceType in interface PDP

Parameters:: resourceID - the resource to check
Returns:: the resourceTypeID passed to newProcess() when this resource was registered
Throws:: InvalidResourceIDException - if the resource does not exist

getResourceStatusMessage

public String getResourceStatusMessage(String resourceID)
                                throws InvalidResourceIDException

For the admin interface only.

Returns:: a string describing this resource's process state and locked state.
Throws:: InvalidResourceIDException

getAccessControlRules

public MatchRule[] getAccessControlRules(String resourceID,
                                         String processRole)
                                  throws InvalidResourceIDException,
                                         ResourceNotLockedException

Description copied from interface: PDP

Get the list of rules for membership of the given role.

Specified by:: getAccessControlRules in interface PDP

Parameters:: resourceID - the resource being protected; processRole - the role being queried, or null for all The resource does not need to be locked to use this call. However, if it is not locked then the status may change at any time, so the result should only be used for informational purposes.
Returns:: A set of MatchRule objects
Throws:: InvalidResourceIDException; ResourceNotLockedException

getResources

public String[] getResources(String resourceTypeID,
                             SubjectDescription subjectDesc,
                             String processState)
                      throws ResourceTypeNotDeployedException,
                             InvalidSubjectDescriptorException,
                             InvalidStateException

Description copied from interface: PDP

Get the list of resources in which the given subject has membership of some role.

Specified by:: getResources in interface PDP

Parameters:: resourceTypeID - the type of resource to match; subjectDesc - the user to query on, or null for all resources; processState - the state the resource must be in, or null to match all states
Returns:: the list of resource ID strings for which this subject has some role
Throws:: ResourceTypeNotDeployedException; InvalidSubjectDescriptorException; InvalidStateException

getProcessRolesForSubject

public String[] getProcessRolesForSubject(String resourceID,
                                          SubjectDescription subjectDesc)
                                   throws InvalidResourceIDException,
                                          ResourceNotLockedException,
                                          InvalidSubjectDescriptorException

Description copied from interface: PDP

Get the list of roles of which this subject is a member.

Specified by:: getProcessRolesForSubject in interface PDP

Parameters:: resourceID - the resource being protected; subjectDesc - the user to query on
Returns:: the list of roles which this subject can act in
Throws:: InvalidResourceIDException; ResourceNotLockedException; InvalidSubjectDescriptorException

getHasRole

public boolean getHasRole(String resourceID,
                          SubjectDescription subjectDesc,
                          String role)
                   throws InvalidResourceIDException,
                          ResourceNotLockedException,
                          InvalidSubjectDescriptorException

Description copied from interface: PDP

Check whether the given subject has the named role in 'resourceID'. This is equivalent to calling getProcessRolesForSubject() and checking whether 'role' is in the returned list, but is more efficient.

Specified by:: getHasRole in interface PDP

Returns:: true if the subject has the role
Throws:: InvalidResourceIDException; ResourceNotLockedException; InvalidSubjectDescriptorException

setLockTimeout

public void setLockTimeout(long timeout)

For debugging.

deployPolicy

public void deployPolicy(String resourceTypeID,
                         String policyClassName,
                         String modelData,
                         String defaultVersion)
                  throws ResourceTypeAlreadyDeployedException

Description copied from interface: PDP

Deploy a new resource type. The version number is used to warn the user when they need to upgrade the policy. When the service deploys its default policy OR when the user replaces it with a custom policy the SAME defaultVersion is passed. This means that the user will not be asked to upgrade. When the service is upgraded to a version with a newer default policy, the user will be prompted to upgrade.

Specified by:: deployPolicy in interface PDP

Parameters:: resourceTypeID - the name of the type; policyClassName - the Java class to handle the type (implements ServicePolicy); modelData - data to pass to the service policy constructor; defaultVersion - the version of the default policy for this version of the service
Throws:: ResourceTypeAlreadyDeployedException - if the type is already deployed

undeployPolicy

public void undeployPolicy(String resourceTypeID)
                    throws ResourceTypeNotDeployedException,
                           AcquireResourceLockTimeoutException

Description copied from interface: PDP

Undeploy a policy. This first marks the policy as disabled, so resources of this type can't be created or locked (it is not an error if the type is already disabled; it remains disabled). The policy is then undeployed if no resources of that type are locked. If any are, it throws AcquireResourceLockTimeoutException with the policy still disabled. Call again later to actually undeploy.

Specified by:: undeployPolicy in interface PDP

Parameters:: resourceTypeID - the type to undeploy
Throws:: ResourceTypeNotDeployedException - if the resource type is not currently deployed; AcquireResourceLockTimeoutException - if some resources of this type are still locked

getStaticPolicy

public String getStaticPolicy(String resourceTypeID)
                       throws ResourceTypeNotDeployedException

Description copied from interface: PDP

Returns the modelData previously set using deployPolicy.

Specified by:: getStaticPolicy in interface PDP

Returns:: the modelData for this type
Throws:: ResourceTypeNotDeployedException - if these resource type is not currently deployed

getDeployedPolicies

public String[] getDeployedPolicies()

Description copied from interface: PDP

List the policies currently deployed.

Specified by:: getDeployedPolicies in interface PDP

Returns:: an array of resource type IDs.

getValidProcessRoles

public String[] getValidProcessRoles(String resourceTypeID)
                              throws ResourceTypeNotDeployedException

Description copied from interface: PDP

List the valid process roles for this model.

Specified by:: getValidProcessRoles in interface PDP

Returns:: an array of process role names.
Throws:: ResourceTypeNotDeployedException

getVersion

public String getVersion()

Description copied from interface: PDP

Returns the version of PBAC being used.

Specified by:: getVersion in interface PDP

getDefaultVersion

public String getDefaultVersion(String resourceTypeID)
                         throws ResourceTypeNotDeployedException

Description copied from interface: PDP

Get the service's default policy version at the time this policy was deployed. If this is different to the current default policy version, the admin should be prompted to upgrade the policy.

Specified by:: getDefaultVersion in interface PDP

Parameters:: resourceTypeID - the type to check
Returns:: the version passed to PDP.deployPolicy(java.lang.String, java.lang.String, java.lang.String, java.lang.String) when the policy was deployed
Throws:: ResourceTypeNotDeployedException - if this type isn't deployed

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

uk.ac.soton.itinnovation.grid.pbac2.pdp.dynamic Class PDPImpl

PDPImpl

shutdown

lockAndCheck

check

lockForAdmin

unlock

signal

getAvailableSignals

getProcessState

addAccessControlRule

removeAccessControlRule

newProcess

getResourceType

getResourceStatusMessage

getAccessControlRules

getResources

getProcessRolesForSubject

getHasRole

setLockTimeout

deployPolicy

undeployPolicy

getStaticPolicy

getDeployedPolicies

getValidProcessRoles

getVersion

getDefaultVersion

uk.ac.soton.itinnovation.grid.pbac2.pdp.dynamic
Class PDPImpl