diff --git a/modules/common/src/main/java/org/dcache/auth/AbstractUidPrincipal.java b/modules/common/src/main/java/org/dcache/auth/AbstractIdPrincipal.java
similarity index 86%
rename from modules/common/src/main/java/org/dcache/auth/AbstractUidPrincipal.java
rename to modules/common/src/main/java/org/dcache/auth/AbstractIdPrincipal.java
index 7d4d78b87c9..1be67f8f520 100644
--- a/modules/common/src/main/java/org/dcache/auth/AbstractUidPrincipal.java
+++ b/modules/common/src/main/java/org/dcache/auth/AbstractIdPrincipal.java
@@ -65,35 +65,31 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 /*
 * Base class for both UidPrincipal and UidRolePrincipal.
 */
-abstract class AbstractUidPrincipal implements Principal, Serializable {
+abstract class AbstractIdPrincipal implements Principal, Serializable {
- private static final long serialVersionUID = -8815120327854777479L;
+ private static final long serialVersionUID = 6512883936234057609L;
- protected final long uid;
+ protected final long id;
- protected AbstractUidPrincipal(long uid) {
- if (uid < 0) {
+ protected AbstractIdPrincipal(long id) {
+ if (id < 0) {
 throw new IllegalArgumentException("UID must be non-negative");
 }
- this.uid = uid;
+ this.id = id;
 }
- protected AbstractUidPrincipal(String uid) {
- this(Long.parseLong(uid));
- }
-
- public long getUid() {
- return uid;
+ protected AbstractIdPrincipal(String id) {
+ this(Long.parseLong(id));
 }
 @Override
 public String getName() {
- return String.valueOf(getUid());
+ return String.valueOf(getId());
 }
 @Override
 public int hashCode() {
- return (int) getUid();
+ return (int) getId();
 }
 @Override
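Review bot: The argument check in the renamed constructor still throws `IllegalArgumentException("UID must be non-negative")` although the field and parameter became the generic `id` in this hunk, so any non-uid subclass fed a negative value reports a misleading message; `throw new IllegalArgumentException("ID must be non-negative: " + id);` keeps the message truthful and includes the offending value. The class comment kept as context, `Base class for both UidPrincipal and UidRolePrincipal.`, still names the class this same commit renames to `RolePrincipal` and should be updated alongside. Note also that `hashCode()` now dispatches through the overridable `getId()` rather than the stored `id`, so a subclass override (as `RolePrincipal` does elsewhere in this diff) silently changes the hashing contract of the base class — fine if intended, but worth a one-line comment on `getId()` saying so. The `equals` method and the `getId()` accessor themselves are in the next hunk.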
@@ -109,12 +105,16 @@ public boolean equals(Object other) {
 if (!(this.getClass().equals(other.getClass()))) {
 return false;
 }
- AbstractUidPrincipal otherUid = (AbstractUidPrincipal) other;
- return (otherUid.getUid() == getUid());
+ AbstractIdPrincipal otherUid = (AbstractIdPrincipal) other;
+ return (otherUid.getId() == getId());
 }
 @Override
 public String toString() {
 return getClass().getSimpleName() + '[' + getName() + ']';
 }
+
+ protected long getId() {
+ return id;
+ }
 }
diff --git a/modules/common/src/main/java/org/dcache/auth/AdminRolePrincipal.java b/modules/common/src/main/java/org/dcache/auth/AdminRolePrincipal.java
deleted file mode 100644
index 251982a37bc..00000000000
--- a/modules/common/src/main/java/org/dcache/auth/AdminRolePrincipal.java
+++ /dev/null
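Review bot: `equals()` compares `getId()` on both sides rather than the `id` field, so identity of every subclass is whatever that subclass returns from its override, while the local is still called `otherUid` — the code reads as uid equality although the class now holds a generic id. I would rename the local to match the new type, `AbstractIdPrincipal that = (AbstractIdPrincipal) other; return that.getId() == getId();`, and put a Javadoc on the new `getId()` accessor stating that overriding it redefines `equals`, `hashCode` and `getName` for the subclass. The opening lines of `equals` (null check) are outside this hunk.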
@@ -1,74 +0,0 @@ -/* -COPYRIGHT STATUS: -Dec 1st 2001, Fermi National Accelerator Laboratory (FNAL) documents and -software are sponsored by the U.S. Department of Energy under Contract No. -DE-AC02-76CH03000. Therefore, the U.S. Government retains a world-wide -non-exclusive, royalty-free license to publish or reproduce these documents -and software for U.S. Government purposes. All documents and software -available from this server are protected under the U.S. and Foreign -Copyright Laws, and FNAL reserves all rights. - -Distribution of the software available from this server is free of -charge subject to the user following the terms of the Fermitools -Software Legal Information. - -Redistribution and/or modification of the software shall be accompanied -by the Fermitools Software Legal Information (including the copyright -notice). - -The user is asked to feed back problems, benefits, and/or suggestions -about the software to the Fermilab Software Providers. - -Neither the name of Fermilab, the URA, nor the names of the contributors -may be used to endorse or promote products derived from this software -without specific prior written permission. - -DISCLAIMER OF LIABILITY (BSD): - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FERMILAB, -OR THE URA, OR THE U.S. 
DEPARTMENT of ENERGY, OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT -OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -Liabilities of the Government: - -This software is provided by URA, independent from its Prime Contract -with the U.S. Department of Energy. URA is acting independently from -the Government and in its own private capacity and is not acting on -behalf of the U.S. Government, nor as its contractor nor its agent. -Correspondingly, it is understood and agreed that the U.S. Government -has no connection to this software and in no manner whatsoever shall -be liable for nor assume any responsibility or obligation for any claim, -cost, or damages arising out of or resulting from the use of the software -available from this server. - -Export Control: - -All documents and software available from this server are subject to U.S. -export control laws. Anyone downloading information from this server is -obligated to secure any necessary Government licenses before exporting -documents or software obtained from this server. - */ -package org.dcache.auth; - -/** - * Authorizes the bearer to act as ROOT. - */ -@AuthenticationOutput -@AuthenticationInput -public class AdminRolePrincipal extends UidRolePrincipal { - - private static final long serialVersionUID = 2702995170926235855L; - - public AdminRolePrincipal() { - super(Subjects.getUid(Subjects.ROOT)); - } -} diff --git a/modules/common/src/main/java/org/dcache/auth/QoSPlaceholderRolePrincipal.java b/modules/common/src/main/java/org/dcache/auth/QoSPlaceholderRolePrincipal.java deleted file mode 100644 index 9e20e998d55..00000000000 
--- a/modules/common/src/main/java/org/dcache/auth/QoSPlaceholderRolePrincipal.java
+++ /dev/null
@@ -1,89 +0,0 @@ -/* -COPYRIGHT STATUS: -Dec 1st 2001, Fermi National Accelerator Laboratory (FNAL) documents and -software are sponsored by the U.S. Department of Energy under Contract No. -DE-AC02-76CH03000. Therefore, the U.S. Government retains a world-wide -non-exclusive, royalty-free license to publish or reproduce these documents -and software for U.S. Government purposes. All documents and software -available from this server are protected under the U.S. and Foreign -Copyright Laws, and FNAL reserves all rights. - -Distribution of the software available from this server is free of -charge subject to the user following the terms of the Fermitools -Software Legal Information. - -Redistribution and/or modification of the software shall be accompanied -by the Fermitools Software Legal Information (including the copyright -notice). - -The user is asked to feed back problems, benefits, and/or suggestions -about the software to the Fermilab Software Providers. - -Neither the name of Fermilab, the URA, nor the names of the contributors -may be used to endorse or promote products derived from this software -without specific prior written permission. - -DISCLAIMER OF LIABILITY (BSD): - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FERMILAB, -OR THE URA, OR THE U.S. 
DEPARTMENT of ENERGY, OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT -OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -Liabilities of the Government: - -This software is provided by URA, independent from its Prime Contract -with the U.S. Department of Energy. URA is acting independently from -the Government and in its own private capacity and is not acting on -behalf of the U.S. Government, nor as its contractor nor its agent. -Correspondingly, it is understood and agreed that the U.S. Government -has no connection to this software and in no manner whatsoever shall -be liable for nor assume any responsibility or obligation for any claim, -cost, or damages arising out of or resulting from the use of the software -available from this server. - -Export Control: - -All documents and software available from this server are subject to U.S. -export control laws. Anyone downloading information from this server is -obligated to secure any necessary Government licenses before exporting -documents or software obtained from this server. - */ -package org.dcache.auth; - -import java.util.UUID; - -/** - * Authorizes the user to execute QoS transitions on the files belonging to that user. - * The user's uid is not specified in the construction of the principal and must - * be derived from the user's actual Uid principal. The placeholder uid value - * is simply an attempt to give each object a unique random value for hashing purposes - * and should not be called in order to reference an actual uid. 
- */ -@AuthenticationOutput -@AuthenticationInput -public class QoSPlaceholderRolePrincipal extends UidRolePrincipal { - - private static final long serialVersionUID = 7355594681811638281L; - - private static final long PLACEHOLDER_FOR_USER_UID = Long.MAX_VALUE; - - private final long placeholderUid; - - public QoSPlaceholderRolePrincipal() { - super(PLACEHOLDER_FOR_USER_UID); - placeholderUid = UUID.randomUUID().getLeastSignificantBits(); - } - - public long getUid() { - return placeholderUid; - } -} diff --git a/modules/common/src/main/java/org/dcache/auth/QoSRolePrincipal.java b/modules/common/src/main/java/org/dcache/auth/QoSRolePrincipal.java deleted file mode 100644 index ace9495dc64..00000000000 --- a/modules/common/src/main/java/org/dcache/auth/QoSRolePrincipal.java +++ /dev/null 
@@ -1,79 +0,0 @@ -/* -COPYRIGHT STATUS: -Dec 1st 2001, Fermi National Accelerator Laboratory (FNAL) documents and -software are sponsored by the U.S. Department of Energy under Contract No. -DE-AC02-76CH03000. Therefore, the U.S. Government retains a world-wide -non-exclusive, royalty-free license to publish or reproduce these documents -and software for U.S. Government purposes. All documents and software -available from this server are protected under the U.S. and Foreign -Copyright Laws, and FNAL reserves all rights. - -Distribution of the software available from this server is free of -charge subject to the user following the terms of the Fermitools -Software Legal Information. - -Redistribution and/or modification of the software shall be accompanied -by the Fermitools Software Legal Information (including the copyright -notice). - -The user is asked to feed back problems, benefits, and/or suggestions -about the software to the Fermilab Software Providers. - -Neither the name of Fermilab, the URA, nor the names of the contributors -may be used to endorse or promote products derived from this software -without specific prior written permission. - -DISCLAIMER OF LIABILITY (BSD): - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FERMILAB, -OR THE URA, OR THE U.S. 
DEPARTMENT of ENERGY, OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT -OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -Liabilities of the Government: - -This software is provided by URA, independent from its Prime Contract -with the U.S. Department of Energy. URA is acting independently from -the Government and in its own private capacity and is not acting on -behalf of the U.S. Government, nor as its contractor nor its agent. -Correspondingly, it is understood and agreed that the U.S. Government -has no connection to this software and in no manner whatsoever shall -be liable for nor assume any responsibility or obligation for any claim, -cost, or damages arising out of or resulting from the use of the software -available from this server. - -Export Control: - -All documents and software available from this server are subject to U.S. -export control laws. Anyone downloading information from this server is -obligated to secure any necessary Government licenses before exporting -documents or software obtained from this server. - */ -package org.dcache.auth; - -/** - * Authorizes the bearer to execute QoS transitions on files whose owner - * is the given uid. - */ -@AuthenticationOutput -@AuthenticationInput -public class QoSRolePrincipal extends UidRolePrincipal { - - private static final long serialVersionUID = 3808303034807479246L; - - public QoSRolePrincipal(Long uid) { - super(uid); - } - - public QoSRolePrincipal(String uid) { - super(uid); - } -} 
diff --git a/modules/common/src/main/java/org/dcache/auth/UidRolePrincipal.java b/modules/common/src/main/java/org/dcache/auth/RolePrincipal.java
similarity index 66%
rename from modules/common/src/main/java/org/dcache/auth/UidRolePrincipal.java
rename to modules/common/src/main/java/org/dcache/auth/RolePrincipal.java
index 8aee84eaa6f..6854734c938 100644
--- a/modules/common/src/main/java/org/dcache/auth/UidRolePrincipal.java
+++ b/modules/common/src/main/java/org/dcache/auth/RolePrincipal.java
@@ -59,6 +59,13 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 */
 package org.dcache.auth;
+import com.google.common.base.Splitter;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+import java.util.UUID;
+
 /**
 * A Principal which assigns a role-based authorization with respect to a uid.
 * While this code replicates the UidPrincipal, it needs to be independent so
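Review bot: The class Javadoc left as context below the new imports still says the principal assigns authorization "with respect to a uid" and "replicates the UidPrincipal", which no longer describes a principal that carries a set of `Role` tags and only a placeholder id. I would replace the opening sentence with something like `A Principal granting one or more named roles (see Role) to its bearer; the numeric id inherited from AbstractIdPrincipal is a placeholder and carries no uid meaning.` and state the accepted input format (`comma-separated Role tags, e.g. "admin,qos-user"`). The Javadoc continues into the next hunk.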
@@ -67,15 +74,63 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 */
 @AuthenticationOutput
 @AuthenticationInput
-abstract class UidRolePrincipal extends AbstractUidPrincipal {
+public class RolePrincipal extends AbstractIdPrincipal {
+
+ private static final long serialVersionUID = -208608738074565124L;
+
+ private static final long PLACEHOLDER_ID = Long.MAX_VALUE;
+
+ private final long internalId;
+
+ public enum Role {
+ ADMIN("admin"),
+ QOS_USER("qos-user"),
+ QOS_GROUP("qos-group");
+
+ private final String tag;
+
+ Role(String tag) {
+ this.tag = tag;
+ }
+
+ public String getTag() {
+ return tag;
+ }
- private static final long serialVersionUID = 3405254609909807921L;
+ static Role fromTag(String tag) {
+ switch (tag.toUpperCase(Locale.ROOT)) {
+ case "ADMIN":
+ return ADMIN;
+ case "QOS-USER":
+ return QOS_USER;
+ case "QOS-GROUP":
+ return QOS_GROUP;
+ }
+
+ throw new IllegalArgumentException("Unrecognized role: " + tag);
+ }
+ }
+
+ private final Set roles = new HashSet<>();
+
+ public RolePrincipal(String roles) {
+ super(PLACEHOLDER_ID);
+ internalId = UUID.randomUUID().getLeastSignificantBits();
+ List parts = Splitter.on(',').splitToList(roles);
+ for (String role: parts) {
+ this.roles.add(Role.fromTag(role));
+ }
+ }
+
+ public long getId() {
+ return internalId;
+ }
- protected UidRolePrincipal(long uid) {
- super(uid);
+ public Set getRoles() {
+ return Set.copyOf(roles);
 }
- protected UidRolePrincipal(String uid) {
- super(uid);
+ public boolean hasRole(Role role) {
+ return roles.contains(role);
 }
 }
diff --git a/modules/common/src/main/java/org/dcache/auth/UidPrincipal.java b/modules/common/src/main/java/org/dcache/auth/UidPrincipal.java
index a7e5af7912f..71f99ba640d 100644
--- a/modules/common/src/main/java/org/dcache/auth/UidPrincipal.java
+++ b/modules/common/src/main/java/org/dcache/auth/UidPrincipal.java
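Review bot: `getName()` is not overridden, so it returns `String.valueOf(getId())`, and `getId()` here returns a random `UUID` bit pattern — the principal's name (what reaches logs, `toString()`, and any place dCache serialises principals as `Class:name` and rebuilds them through the `String` constructor) is therefore a meaningless number, and `new RolePrincipal(getName())` would throw `Unrecognized role`. Because the inherited `equals`/`hashCode` also use that random id, two `RolePrincipal("admin")` instances never compare equal, so a `Subject` can accumulate duplicates and role grants cannot be compared. I would derive the name and identity from the role tags (below; needs `java.util.stream.Collectors`), have `fromTag` iterate `values()` so a new `Role` cannot be forgotten in the switch, and split with `Splitter.on(',').trimResults().omitEmptyStrings()` so `admin, qos-user` is not rejected. The `@AuthenticationInput` marker was already on `AdminRolePrincipal`, but since this principal now grants admin rights it is worth re-confirming it cannot be supplied by a client.

```java
        static Role fromTag(String tag) {
            String normalised = tag.trim().toLowerCase(Locale.ROOT);
            for (Role role : values()) {
                if (role.tag.equals(normalised)) {
                    return role;
                }
            }
            throw new IllegalArgumentException("Unrecognized role: " + tag);
        }

    // … unchanged: roles field, constructor, getId, getRoles, hasRole …

    /** Comma-separated sorted role tags, so new RolePrincipal(getName()) reproduces this principal. */
    @Override
    public String getName() {
        return roles.stream().map(Role::getTag).sorted().collect(Collectors.joining(","));
    }

    @Override
    public boolean equals(Object other) {
        return other instanceof RolePrincipal && roles.equals(((RolePrincipal) other).roles);
    }

    @Override
    public int hashCode() {
        return roles.hashCode();
    }
```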
@@ -10,7 +10,7 @@
 */
 @AuthenticationOutput
 @AuthenticationInput
-public class UidPrincipal extends AbstractUidPrincipal {
+public class UidPrincipal extends AbstractIdPrincipal {
 private static final long serialVersionUID = -6614351509379265417L;
@@ -19,4 +19,8 @@ public UidPrincipal(long uid) {
 }
 public UidPrincipal(String uid) {
 super(uid);
 }
+
+ public long getUid() {
+ return getId();
+ }
 }
diff --git a/modules/common/src/test/java/org/dcache/auth/SubjectsTest.java b/modules/common/src/test/java/org/dcache/auth/SubjectsTest.java
index 7bff4e3e8cf..a1c4ab08d90 100644
--- a/modules/common/src/test/java/org/dcache/auth/SubjectsTest.java
+++ b/modules/common/src/test/java/org/dcache/auth/SubjectsTest.java
@@ -319,7 +319,8 @@ public void shouldConvertUnixNumericPrincipals() {
 assertTrue(Subjects.hasGid(dcacheSubject, GID2));
 assertEquals(Subjects.getLoginName(dcacheSubject), USERNAME1);
- assertThat("UidPrincipal not injected", dcacheSubject.getPrincipals(), hasItem(any(UidPrincipal.class)));
+ assertThat("UidPrincipal not injected", dcacheSubject.getPrincipals(), hasItem(any(
+ UidPrincipal.class)));
 assertThat("GidPrincipal not injected", dcacheSubject.getPrincipals(), hasItem(any(GidPrincipal.class)));
 assertThat("UnixNumericUserPrincipal not removed", dcacheSubject.getPrincipals(), not(hasItem(any(UnixNumericUserPrincipal.class))));
diff --git a/modules/dcache-bulk/src/main/java/org/dcache/services/bulk/BulkServiceCommands.java b/modules/dcache-bulk/src/main/java/org/dcache/services/bulk/BulkServiceCommands.java
index 73180c97ea8..339675c7d4c 100644
--- a/modules/dcache-bulk/src/main/java/org/dcache/services/bulk/BulkServiceCommands.java
+++ b/modules/dcache-bulk/src/main/java/org/dcache/services/bulk/BulkServiceCommands.java
@@ -95,7 +95,7 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 import javax.security.auth.Subject;
-import org.dcache.auth.AdminRolePrincipal;
+import org.dcache.auth.RolePrincipal;
 import org.dcache.auth.Subjects;
 import org.dcache.auth.attributes.Restriction;
 import org.dcache.auth.attributes.Restrictions;
@@ -1104,7 +1104,7 @@ class RequestSubmit implements Callable {
 public String call() {
 Subject subject = new Subject();
 Subjects.ROOT.getPrincipals().forEach(subject.getPrincipals()::add);
- subject.getPrincipals().add(new AdminRolePrincipal());
+ subject.getPrincipals().add(new RolePrincipal("admin"));
 Restriction restriction = Restrictions.none();
 BulkRequest request = new BulkRequest();
 request.setUrlPrefix("ssh://admin");
diff --git a/modules/dcache-qos/src/main/java/org/dcache/qos/services/engine/provider/ALRPStorageUnitQoSProvider.java b/modules/dcache-qos/src/main/java/org/dcache/qos/services/engine/provider/ALRPStorageUnitQoSProvider.java
index 2831e6a355e..5847bf31b32 100644
--- a/modules/dcache-qos/src/main/java/org/dcache/qos/services/engine/provider/ALRPStorageUnitQoSProvider.java
+++ b/modules/dcache-qos/src/main/java/org/dcache/qos/services/engine/provider/ALRPStorageUnitQoSProvider.java
@@ -241,8 +241,8 @@ public void handleModifiedRequirements(FileQoSRequirements newRequirements, Subj
 if (canModifyQos(subject, currentAttributes)) {
 pnfsHandler().setFileAttributes(pnfsId, modifiedAttributes);
 } else {
- throw new PermissionDeniedCacheException("User does not have permissions to set "
- + "attributes for " + newRequirements.getPnfsId());
+ throw new PermissionDeniedCacheException("User does not have permissions to modify "
+ + "QoS for " + newRequirements.getPnfsId());
 }
 }
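Review bot: `new RolePrincipal("admin")` in `RequestSubmit.call()` spells the role tag as a bare string literal at a call site; if the tag behind `Role.ADMIN` is ever changed, this admin submission path breaks at runtime (the constructor throws `Unrecognized role`) instead of at compile time. Prefer `subject.getPrincipals().add(new RolePrincipal(Role.ADMIN.getTag()));` with `import org.dcache.auth.RolePrincipal.Role;`, or add a small factory such as `RolePrincipal.of(Role...)` so internal callers never spell the tag. The rest of `call()` lies outside this hunk.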
diff --git a/modules/dcache-qos/src/main/java/org/dcache/qos/util/QoSPermissionUtils.java b/modules/dcache-qos/src/main/java/org/dcache/qos/util/QoSPermissionUtils.java
index 6c173a0070e..523757ff64a 100644
--- a/modules/dcache-qos/src/main/java/org/dcache/qos/util/QoSPermissionUtils.java
+++ b/modules/dcache-qos/src/main/java/org/dcache/qos/util/QoSPermissionUtils.java
@@ -63,9 +63,8 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 import java.util.Iterator;
 import java.util.Set;
 import javax.security.auth.Subject;
-import org.dcache.auth.AdminRolePrincipal;
-import org.dcache.auth.QoSPlaceholderRolePrincipal;
-import org.dcache.auth.QoSRolePrincipal;
+import org.dcache.auth.RolePrincipal;
+import org.dcache.auth.RolePrincipal.Role;
 import org.dcache.auth.Subjects;
 import org.dcache.vehicles.FileAttributes;
@@ -79,44 +78,34 @@ public class QoSPermissionUtils { * do not need checking. * * @param subject of the message received. - * @param attributes with OWNER defined. + * @param attributes with OWNER and OWNER_GROUP defined. */ public static boolean canModifyQos(Subject subject, FileAttributes attributes) { if (subject == null) { /* - * This is a workaround for legacy database entries before - * https://github.com/dCache/dcache-security-fixes/tree/fix/master/qos-propagate-subject-to-adjuster - * was introduced. An incompatibility was overlooked whereby - * the database could contain entries when updated by liquibase, - * thus making the new subject field null. - * - * In this case we just return false. + * with 9.2, the subject is no longer retrieved from the database. + * If it is missing from the message, do not authorize. */ return false; } - long owner = attributes.getOwner(); - Set principals = subject.getPrincipals(); - for (Iterator i = principals.iterator(); i.hasNext();) { + for (Iterator i = principals.iterator(); i.hasNext(); ) { Principal next = i.next(); - - if (next instanceof AdminRolePrincipal) { - return true; - } - - /* - * This may not be something we have immediate need for, but the OR logic here - * allows for there being multiple specifications of qos permissions - * on different uids. - */ - if (next instanceof QoSPlaceholderRolePrincipal && Subjects.getUid(subject) == owner) { - return true; - } - - if (next instanceof QoSRolePrincipal && ((QoSRolePrincipal) next).getUid() == owner) { - return true; + if (next instanceof RolePrincipal) { + RolePrincipal principal = (RolePrincipal) next; + /* + * This may not be something we have immediate need for, but the OR logic here + * allows for there being permissions based on both uid and primary gid. 
+ */
+ if (principal.hasRole(Role.ADMIN) ||
+ (principal.hasRole(Role.QOS_USER)
+ && Subjects.getUid(subject) == attributes.getOwner()) ||
+ (principal.hasRole(Role.QOS_GROUP)
+ && Subjects.getPrimaryGid(subject) == attributes.getGroup())) {
+ return true;
+ }
+ }
+ }
diff --git a/modules/gplazma2-multimap/src/main/java/org/dcache/gplazma/plugins/GplazmaMultiMapFile.java b/modules/gplazma2-multimap/src/main/java/org/dcache/gplazma/plugins/GplazmaMultiMapFile.java
index cb42ddb5ed6..8eb650db347 100644
--- a/modules/gplazma2-multimap/src/main/java/org/dcache/gplazma/plugins/GplazmaMultiMapFile.java
+++ b/modules/gplazma2-multimap/src/main/java/org/dcache/gplazma/plugins/GplazmaMultiMapFile.java
@@ -3,7 +3,6 @@
 import static org.dcache.gplazma.plugins.exceptions.GplazmaParseMapFileException.checkFormat;
 import com.google.common.base.Splitter;
-import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableMap;
 import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
@@ -22,18 +21,16 @@
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
 import javax.security.auth.kerberos.KerberosPrincipal;
-import org.dcache.auth.AdminRolePrincipal;
 import org.dcache.auth.EmailAddressPrincipal;
 import org.dcache.auth.EntitlementPrincipal;
 import org.dcache.auth.FQANPrincipal;
 import org.dcache.auth.GidPrincipal;
 import org.dcache.auth.GroupNamePrincipal;
 import org.dcache.auth.GroupPrincipal;
+import org.dcache.auth.RolePrincipal;
 import org.dcache.auth.OAuthProviderPrincipal;
 import org.dcache.auth.OidcSubjectPrincipal;
 import org.dcache.auth.OpenIdGroupPrincipal;
-import org.dcache.auth.QoSPlaceholderRolePrincipal;
-import org.dcache.auth.QoSRolePrincipal;
 import org.dcache.auth.UidPrincipal;
 import org.dcache.auth.UserNamePrincipal;
 import org.dcache.gplazma.AuthenticationException;
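Review bot: The new uid and gid checks call `Subjects.getUid(subject)` and `Subjects.getPrimaryGid(subject)`, which — if they behave like dCache's other single-value `Subjects` getters — throw when the subject carries no (or more than one) such principal, so a helper documented to answer a boolean may instead propagate an unchecked exception for a subject holding a `qos-user`/`qos-group` role but no uid or primary gid; `attributes.getGroup()` likewise now depends on every caller having fetched `OWNER_GROUP`, which the updated Javadoc requires but nothing here verifies. I would hoist owner and group out of the loop, use the predicate form (`Subjects.hasGid` is visible in SubjectsTest; I assume a matching `Subjects.hasUid` exists) so a missing principal fails closed rather than throwing, and guard the precondition at the top with a check that `OWNER_GROUP` is defined — noting that `hasGid` also matches secondary groups, so if only the primary gid may count keep `getPrimaryGid` behind an explicit "has a primary gid" guard. The closing `return false` of `canModifyQos` is outside the hunk.

```java
        long owner = attributes.getOwner();
        long group = attributes.getGroup();   // callers must have fetched OWNER_GROUP
        for (Principal next : subject.getPrincipals()) {
            if (!(next instanceof RolePrincipal)) {
                continue;
            }
            RolePrincipal principal = (RolePrincipal) next;
            // … unchanged: comment on uid/gid OR logic …
            if (principal.hasRole(Role.ADMIN)
                  || (principal.hasRole(Role.QOS_USER) && Subjects.hasUid(subject, owner))
                  || (principal.hasRole(Role.QOS_GROUP) && Subjects.hasGid(subject, group))) {
                return true;
            }
        }
```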
@@ -120,8 +117,7 @@ public PrincipalMatcher buildMatcher(String value)
 USER_NAME("username", UserNamePrincipal.class),
 ENTITLEMENT("entitlement", EntitlementPrincipal.class),
 OP("op", OAuthProviderPrincipal.class),
- ADMIN_ROLE("admin", AdminRolePrincipal.class),
- QOS_ROLE("qos", QoSRolePrincipal.class);
+ ROLES("roles", RolePrincipal.class);
 private final String label;
 private final Class groupType;
@@ -145,11 +141,6 @@ public Principal buildPrincipal(String value)
 parts.size() == 2 ? Boolean.parseBoolean(parts.get(1)) : false;
 return groupType.getConstructor(String.class, Boolean.TYPE)
 .newInstance(parts.get(0), isPrimary);
- } else if (QoSRolePrincipal.class.isAssignableFrom(groupType)
- && Strings.emptyToNull(value) == null) {
- return QoSPlaceholderRolePrincipal.class.getConstructor().newInstance();
- } else if (AdminRolePrincipal.class.isAssignableFrom(groupType)) {
- return AdminRolePrincipal.class.getConstructor().newInstance();
 } else {
 return groupType.getConstructor(String.class).newInstance(value);
 }
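Review bot: Replacing the `admin` and `qos` labels with a single `roles` label changes the on-disk multimap format: an existing `admin:` or `qos:` line in a site's gplazma multimap file will either be rejected at load time or silently ignored, depending on how the label lookup outside this hunk treats unknown labels, and in the silent case a site loses its admin grants with no error. Please make that explicit — reject unknown labels with a parse error that names the old label and points at `roles:` — and add a release note; a comment on the constant such as `// replaces the pre-9.2 "admin" and "qos" labels; value is a comma-separated list of RolePrincipal.Role tags` would help the next reader. The enum's declaration starts outside the hunk.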
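Review bot: With the two special cases removed, a `roles` value now goes through `groupType.getConstructor(String.class).newInstance(value)`, so an unknown or empty tag — which `RolePrincipal` rejects with `IllegalArgumentException("Unrecognized role: …")` — surfaces here wrapped in an `InvocationTargetException`; unless the caller outside this hunk unwraps it, the operator sees a reflection failure instead of the tag that is wrong. Consider unwrapping at the catch site, e.g. `catch (InvocationTargetException e) { /* rethrow e.getCause() as the map-file parse exception, keeping it as cause */ }`, or special-casing `RolePrincipal.class.isAssignableFrom(groupType)` and calling `new RolePrincipal(value)` directly so the message reaches the log. `buildPrincipal`'s opening lines and its `catch` clauses are outside this hunk.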