mirror of https://github.com/apache/archiva.git
Security role changes, added global repository manager that is the role for administering all repositories configuration wise, the particular repository managers now administer content _in_ their assigned repositories, observers get read access to corresponding repository (or global access to add if they get the global observer) and I also removed the archiva-edit-configuration operation since it was duplicated by the archiva-manage-configuraiton operation
git-svn-id: https://svn.apache.org/repos/asf/maven/archiva/trunk@513431 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Jesse McConnell
parent
013a962760
commit
eecc68356e
|
|
@ -36,8 +36,6 @@ public class ArchivaRoleConstants
|
|||
|
||||
public static final String GUEST_ROLE = "Guest";
|
||||
|
||||
public static final String BASE_REPOSITORY_MANAGER = "Repository Manager Base";
|
||||
|
||||
// dynamic role prefixes
|
||||
public static final String REPOSITORY_MANAGER_ROLE_PREFIX = "Repository Manager";
|
||||
|
||||
|
|
@ -66,5 +64,4 @@ public class ArchivaRoleConstants
|
|||
|
||||
public static final String OPERATION_REPOSITORY_UPLOAD = "archiva-upload-repository";
|
||||
|
||||
public static final String OPERATION_EDIT_CONFIGURATION = "archiva-edit-configuration";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,6 +25,8 @@ import org.codehaus.plexus.rbac.profile.RoleProfileException;
|
|||
/**
|
||||
* Role profile manager.
|
||||
*
|
||||
* Role Structures are laid out as documented http://docs.codehaus.org/display/MAVENUSER/Archiva+Security+Roles
|
||||
*
|
||||
* @author Brett Porter
|
||||
* @todo composition over inheritence?
|
||||
* @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfileManager" role-hint="archiva"
|
||||
|
|
@ -35,7 +37,8 @@ public class ArchivaRoleProfileManager
|
|||
public void initialize()
|
||||
throws RoleProfileException
|
||||
{
|
||||
getRole( "archiva-repository-manager-base" );
|
||||
getRole( "global-repository-manager" );
|
||||
getRole( "global-repository-observer" );
|
||||
|
||||
mergeRoleProfiles( "system-administrator", "archiva-system-administrator" );
|
||||
mergeRoleProfiles( "user-administrator", "archiva-user-administrator" );
|
||||
|
|
|
|||
|
|
@ -41,7 +41,6 @@ public class ArchivaSystemAdministratorRoleProfile
|
|||
{
|
||||
List operations = new ArrayList();
|
||||
operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
|
||||
operations.add( ArchivaRoleConstants.OPERATION_EDIT_CONFIGURATION );
|
||||
operations.add( ArchivaRoleConstants.OPERATION_MANAGE_USERS );
|
||||
operations.add( ArchivaRoleConstants.OPERATION_RUN_INDEXER );
|
||||
operations.add( ArchivaRoleConstants.OPERATION_REGENERATE_INDEX );
|
||||
|
|
|
|||
|
|
@ -1,57 +0,0 @@
|
|||
package org.apache.maven.archiva.security;
|
||||
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
import org.codehaus.plexus.rbac.profile.AbstractRoleProfile;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile"
|
||||
* role-hint="archiva-repository-manager-base"
|
||||
*/
|
||||
public class BaseRepositoryManagerRoleProfile
|
||||
extends AbstractRoleProfile
|
||||
{
|
||||
public String getRoleName()
|
||||
{
|
||||
return ArchivaRoleConstants.BASE_REPOSITORY_MANAGER;
|
||||
}
|
||||
|
||||
public List getOperations()
|
||||
{
|
||||
List operations = new ArrayList();
|
||||
|
||||
operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
|
||||
|
||||
return operations;
|
||||
}
|
||||
|
||||
public boolean isPermanent()
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
public boolean isAssignable()
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -26,7 +26,7 @@ import java.util.List;
|
|||
|
||||
/**
|
||||
* @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile"
|
||||
* role-hint="archiva-repository-administrator"
|
||||
* role-hint="global-repository-manager"
|
||||
*/
|
||||
public class GlobalRepositoryManagerRoleProfile
|
||||
extends AbstractRoleProfile
|
||||
|
|
@ -49,9 +49,21 @@ public class GlobalRepositoryManagerRoleProfile
|
|||
public List getOperations()
|
||||
{
|
||||
List operations = new ArrayList();
|
||||
operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
|
||||
operations.add( ArchivaRoleConstants.OPERATION_ADD_REPOSITORY );
|
||||
operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY );
|
||||
operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY );
|
||||
return operations;
|
||||
}
|
||||
|
||||
public List getChildRoles()
|
||||
{
|
||||
List childRoles = new ArrayList();
|
||||
childRoles.add( ArchivaRoleConstants.GLOBAL_REPOSITORY_OBSERVER_ROLE );
|
||||
return childRoles;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ import java.util.List;
|
|||
|
||||
/**
|
||||
* @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile"
|
||||
* role-hint="archiva-repository-administrator"
|
||||
* role-hint="global-repository-observer"
|
||||
*/
|
||||
public class GlobalRepositoryObserverRoleProfile
|
||||
extends AbstractRoleProfile
|
||||
|
|
@ -48,6 +48,8 @@ public class GlobalRepositoryObserverRoleProfile
|
|||
|
||||
public List getOperations()
|
||||
{
|
||||
return null;
|
||||
List operations = new ArrayList();
|
||||
operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
|
||||
return operations;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,61 +50,17 @@ public class RepositoryManagerDynamicRoleProfile
|
|||
{
|
||||
List operations = new ArrayList();
|
||||
|
||||
// I'm not sure these are appropriate roles.
|
||||
operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY );
|
||||
operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY );
|
||||
|
||||
operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
|
||||
operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
|
||||
return operations;
|
||||
}
|
||||
|
||||
|
||||
public List getChildRoles()
|
||||
{
|
||||
return Collections.singletonList( ArchivaRoleConstants.BASE_REPOSITORY_MANAGER );
|
||||
}
|
||||
|
||||
public List getDynamicChildRoles( String string )
|
||||
{
|
||||
return Collections.singletonList(
|
||||
ArchivaRoleConstants.REPOSITORY_OBSERVER_ROLE_PREFIX + ArchivaRoleConstants.DELIMITER + string );
|
||||
}
|
||||
|
||||
public boolean isAssignable()
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
public Role getRole( String resource )
|
||||
throws RoleProfileException
|
||||
{
|
||||
try
|
||||
{
|
||||
if ( rbacManager.roleExists( getRoleName( resource ) ) )
|
||||
{
|
||||
return rbacManager.getRole( getRoleName( resource ) );
|
||||
}
|
||||
else
|
||||
{
|
||||
// first time assign the role to the group administrator since they need the access
|
||||
Role newRole = generateRole( resource );
|
||||
|
||||
Role repoAdmin = rbacManager.getRole( ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );
|
||||
repoAdmin.addChildRoleName( newRole.getName() );
|
||||
rbacManager.saveRole( repoAdmin );
|
||||
|
||||
return newRole;
|
||||
}
|
||||
}
|
||||
catch ( RbacObjectNotFoundException ne )
|
||||
{
|
||||
throw new RoleProfileException( "unable to get role", ne );
|
||||
}
|
||||
catch ( RbacManagerException e )
|
||||
{
|
||||
throw new RoleProfileException( "system error with rbac manager", e );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -57,34 +57,4 @@ public class RepositoryObserverDynamicRoleProfile
|
|||
return true;
|
||||
}
|
||||
|
||||
public Role getRole( String resource )
|
||||
throws RoleProfileException
|
||||
{
|
||||
try
|
||||
{
|
||||
if ( rbacManager.roleExists( getRoleName( resource ) ) )
|
||||
{
|
||||
return rbacManager.getRole( getRoleName( resource ) );
|
||||
}
|
||||
else
|
||||
{
|
||||
// first time assign the role to the group administrator since they need the access
|
||||
Role newRole = generateRole( resource );
|
||||
|
||||
Role repoAdmin = rbacManager.getRole( ArchivaRoleConstants.GLOBAL_REPOSITORY_OBSERVER_ROLE );
|
||||
repoAdmin.addChildRoleName( newRole.getName() );
|
||||
rbacManager.saveRole( repoAdmin );
|
||||
|
||||
return newRole;
|
||||
}
|
||||
}
|
||||
catch ( RbacObjectNotFoundException ne )
|
||||
{
|
||||
throw new RoleProfileException( "unable to get role", ne );
|
||||
}
|
||||
catch ( RbacManagerException e )
|
||||
{
|
||||
throw new RoleProfileException( "system error with rbac manager", e );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -85,8 +85,22 @@
|
|||
</component>
|
||||
<component>
|
||||
<role>org.codehaus.plexus.rbac.profile.RoleProfile</role>
|
||||
<role-hint>archiva-repository-manager-base</role-hint>
|
||||
<implementation>org.apache.maven.archiva.security.BaseRepositoryManagerRoleProfile</implementation>
|
||||
<role-hint>global-repository-manager</role-hint>
|
||||
<implementation>org.apache.maven.archiva.security.GlobalRepositoryManagerRoleProfile</implementation>
|
||||
<requirements>
|
||||
<requirement>
|
||||
<role>org.codehaus.plexus.security.rbac.RBACManager</role>
|
||||
</requirement>
|
||||
<requirement>
|
||||
<role>org.codehaus.plexus.PlexusContainer</role>
|
||||
<field-name>container</field-name>
|
||||
</requirement>
|
||||
</requirements>
|
||||
</component>
|
||||
<component>
|
||||
<role>org.codehaus.plexus.rbac.profile.RoleProfile</role>
|
||||
<role-hint>global-repository-observer</role-hint>
|
||||
<implementation>org.apache.maven.archiva.security.GlobalRepositoryObserverRoleProfile</implementation>
|
||||
<requirements>
|
||||
<requirement>
|
||||
<role>org.codehaus.plexus.security.rbac.RBACManager</role>
|
||||
|
|
|
|||
|
|
@ -264,7 +264,7 @@
|
|||
<jettyEnvXml>src/jetty-env.xml</jettyEnvXml>
|
||||
<connectors>
|
||||
<connector implementation="org.mortbay.jetty.nio.SelectChannelConnector">
|
||||
<port>9091</port>
|
||||
<port>9090</port>
|
||||
<maxIdleTime>60000</maxIdleTime>
|
||||
</connector>
|
||||
</connectors>
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@
|
|||
<div>
|
||||
<div style="float: right">
|
||||
<%-- TODO replace with icons --%>
|
||||
<pss:ifAuthorized permission="archiva-edit-configuration" resource="*">
|
||||
<pss:ifAuthorized permission="archiva-manage-configuration">
|
||||
<a href="<ww:url action="configure" />">Edit Configuration</a>
|
||||
</pss:ifAuthorized>
|
||||
</div>
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
<div>
|
||||
<div style="float: right">
|
||||
<%-- TODO replace with icons --%>
|
||||
<pss:ifAuthorized permission="archiva-add-repository">
|
||||
<pss:ifAuthorized permission="archiva-manage-configuration">
|
||||
<ww:url id="addRepositoryUrl" action="addRepository" method="input"/>
|
||||
<ww:a href="%{addRepositoryUrl}">Add Repository</ww:a>
|
||||
</pss:ifAuthorized>
|
||||
|
|
@ -52,9 +52,10 @@
|
|||
<strong>There are no managed repositories configured yet.</strong>
|
||||
</c:if>
|
||||
<c:forEach items="${repositories}" var="repository" varStatus="i">
|
||||
<pss:ifAnyAuthorized permissions="archiva-edit-repository, archiva-delete-repository" resource="${repository.id}">
|
||||
|
||||
<div>
|
||||
<div style="float: right">
|
||||
<pss:ifAnyAuthorized permissions="archiva-manage-configuration">
|
||||
<ww:url id="editRepositoryUrl" action="editRepository" method="input">
|
||||
<ww:param name="repoId" value="%{'${repository.id}'}"/>
|
||||
</ww:url>
|
||||
|
|
@ -64,6 +65,7 @@
|
|||
<%-- TODO replace with icons --%>
|
||||
<ww:a href="%{editRepositoryUrl}">Edit Repository</ww:a>
|
||||
<ww:a href="%{deleteRepositoryUrl}">Delete Repository</ww:a>
|
||||
</pss:ifAnyAuthorized>
|
||||
</div>
|
||||
<h3>${repository.name}</h3>
|
||||
<table class="infoTable">
|
||||
|
|
@ -142,7 +144,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
</pss:ifAnyAuthorized>
|
||||
</c:forEach>
|
||||
</div>
|
||||
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@
|
|||
<%@ taglib prefix="ww" uri="/webwork" %>
|
||||
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
|
||||
<%@ taglib prefix="my" tagdir="/WEB-INF/tags" %>
|
||||
<%@ taglib prefix="pss" uri="/plexusSecuritySystem" %>
|
||||
|
||||
<html>
|
||||
<head>
|
||||
|
|
@ -33,10 +34,14 @@
|
|||
|
||||
<div id="contentArea">
|
||||
<div>
|
||||
|
||||
<%-- TODO replace with icons --%>
|
||||
<div style="float: right">
|
||||
<pss:ifAuthorized permission="archiva-manage-configuration">
|
||||
<a href="<ww:url action="addProxiedRepository" method="input" />">Add Repository</a>
|
||||
</pss:ifAuthorized>
|
||||
</div>
|
||||
|
||||
<h2>Proxied Repositories</h2>
|
||||
</div>
|
||||
|
||||
|
|
@ -48,10 +53,12 @@
|
|||
<div>
|
||||
<div style="float: right">
|
||||
<%-- TODO replace with icons --%>
|
||||
<pss:ifAuthorized permission="archiva-manage-configuration">
|
||||
<a href="<ww:url action="editProxiedRepository" method="input"><ww:param name="repoId" value="%{'${repository.id}'}" /></ww:url>">Edit
|
||||
Repository</a> | <a
|
||||
href="<ww:url action="deleteProxiedRepository" method="input"><ww:param name="repoId" value="%{'${repository.id}'}" /></ww:url>">Delete
|
||||
Repository</a>
|
||||
</pss:ifAuthorized>
|
||||
</div>
|
||||
<h3>${repository.name}</h3>
|
||||
<table class="infoTable">
|
||||
|
|
|
|||
Loading…
Reference in New Issue