mirror of https://github.com/apache/cloudstack.git
90 lines
3.6 KiB
Java
90 lines
3.6 KiB
Java
/**
|
|
* Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
|
|
*
|
|
* This software is licensed under the GNU General Public License v3 or later.
|
|
*
|
|
* It is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or any later version.
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*
|
|
*/
|
|
|
|
/**
|
|
*
|
|
*/
|
|
package com.cloud.acl;
|
|
|
|
import com.cloud.dc.DataCenter;
|
|
import com.cloud.domain.Domain;
|
|
import com.cloud.exception.PermissionDeniedException;
|
|
import com.cloud.offering.DiskOffering;
|
|
import com.cloud.offering.ServiceOffering;
|
|
import com.cloud.user.Account;
|
|
import com.cloud.user.User;
|
|
import com.cloud.utils.component.Adapter;
|
|
|
|
/**
|
|
* SecurityChecker checks the ownership and access control to objects within
|
|
* the management stack for users and accounts.
|
|
*/
|
|
public interface SecurityChecker extends Adapter {
|
|
|
|
public enum AccessType {
|
|
ListEntry,
|
|
ModifyEntry,
|
|
}
|
|
/**
|
|
* Checks if the account owns the object.
|
|
*
|
|
* @param account account to check against.
|
|
* @param object object that the account is trying to access.
|
|
* @return true if access allowed. false if this adapter cannot authenticate ownership.
|
|
* @throws PermissionDeniedException if this adapter is suppose to authenticate ownership and the check failed.
|
|
*/
|
|
boolean checkAccess(Account account, Domain domain) throws PermissionDeniedException;
|
|
|
|
/**
|
|
* Checks if the user belongs to an account that owns the object.
|
|
*
|
|
* @param user user to check against.
|
|
* @param object object that the account is trying to access.
|
|
* @return true if access allowed. false if this adapter cannot authenticate ownership.
|
|
* @throws PermissionDeniedException if this adapter is suppose to authenticate ownership and the check failed.
|
|
*/
|
|
boolean checkAccess(User user, Domain domain) throws PermissionDeniedException;
|
|
|
|
/**
|
|
* Checks if the account can access the object.
|
|
*
|
|
* @param caller account to check against.
|
|
* @param entity object that the account is trying to access.
|
|
* @param accessType TODO
|
|
* @return true if access allowed. false if this adapter cannot provide permission.
|
|
* @throws PermissionDeniedException if this adapter is suppose to authenticate ownership and the check failed.
|
|
*/
|
|
boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException;
|
|
|
|
/**
|
|
* Checks if the user belongs to an account that can access the object.
|
|
*
|
|
* @param user user to check against.
|
|
* @param entity object that the account is trying to access.
|
|
* @return true if access allowed. false if this adapter cannot authenticate ownership.
|
|
* @throws PermissionDeniedException if this adapter is suppose to authenticate ownership and the check failed.
|
|
*/
|
|
boolean checkAccess(User user, ControlledEntity entity) throws PermissionDeniedException;
|
|
|
|
boolean checkAccess(Account account, DataCenter zone) throws PermissionDeniedException;
|
|
|
|
public boolean checkAccess(Account account, ServiceOffering so) throws PermissionDeniedException;
|
|
|
|
boolean checkAccess(Account account, DiskOffering dof) throws PermissionDeniedException;
|
|
}
|