Alon Bar-Lev has uploaded a new change for review. Change subject: aaa: add authz namespace support ......................................................................
aaa: add authz namespace support in an environment of large network as active directory forest we need a way to query subset of the content. the namespace will enable the provider to place partitions / domains into context to allow user interface to present selector. currently user interface does not support that, so we query all namespaces at server side. Topic: AAA Change-Id: I38968ae4b61aa8d0a5120a22a17e016cbe96c5e9 Signed-off-by: Alon Bar-Lev <[email protected]>
---
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthzUtils.java
M backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java
M backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java
M backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/aaa/Authz.java
4 files changed, 53 insertions(+), 22 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/38/27538/1
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthzUtils.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthzUtils.java
index 2710942..e849181 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthzUtils.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthzUtils.java
@@ -177,28 +177,38 @@
 ) {
 Object opaque = null;
 try {
- opaque = extension.invoke(
- new ExtMap().mput(
- Base.InvokeKeys.COMMAND,
- Authz.InvokeCommands.QUERY_OPEN
- ).mput(
- input
- )
- ).get(Authz.InvokeKeys.QUERY_OPAQUE);
- List<ExtMap> result = null;
- do {
- result = extension.invoke(new ExtMap().mput(
- Base.InvokeKeys.COMMAND,
- Authz.InvokeCommands.QUERY_EXECUTE
- ).mput(
- Authz.InvokeKeys.QUERY_OPAQUE,
- opaque
+ for (String namespace : extension.getContext().<List<String>>get(Authz.ContextKeys.AVAILABLE_NAMESPACES)) {
+ opaque = extension.invoke(
+ new ExtMap().mput(
+ Base.InvokeKeys.COMMAND,
+ Authz.InvokeCommands.QUERY_OPEN
 ).mput(
- Authz.InvokeKeys.PAGE_SIZE,
- PAGE_SIZE
+ Authz.InvokeKeys.NAMESPACE,
+ namespace
+ ).mput(
+ input
 )
- ).get(Authz.InvokeKeys.QUERY_RESULT);
- } while (result != null && handler.handle(result));
+ ).get(Authz.InvokeKeys.QUERY_OPAQUE);
+ List<ExtMap> result = null;
+ do {
+ result = extension.invoke(new ExtMap().mput(
+ Base.InvokeKeys.COMMAND,
+ Authz.InvokeCommands.QUERY_EXECUTE
+ ).mput(
+ Authz.InvokeKeys.QUERY_OPAQUE,
+ opaque
+ ).mput(
+ Authz.InvokeKeys.PAGE_SIZE,
+ PAGE_SIZE
+ )
+ ).get(Authz.InvokeKeys.QUERY_RESULT);
+ } while (result != null && handler.handle(result));
+
+ // no conditional in for-in
+ if (result != null) {
+ break;
+ }
+ }
 } finally {
 extension.invoke(new ExtMap().mput(
 Base.InvokeKeys.COMMAND,
diff --git a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java
index 3e28277..482eac5 100644
--- a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java
+++ b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java
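Review bot: The query opened for each namespace is closed only for the last one: `opaque` is reassigned on every iteration of the new `for` loop, while the `finally` block that issues the close command (its body continues past the hunk) runs once after the loop, so every earlier namespace's query handle is left open on the provider side. Giving each namespace its own try/finally around open, execute and close — or closing the previous `opaque` before opening the next — keeps a single outstanding query at a time. The loop also dereferences `getContext().get(Authz.ContextKeys.AVAILABLE_NAMESPACES)` without a null check, so a third-party extension built before this key existed fails with a NullPointerException inside the for-each; `Objects.requireNonNull(namespaces, "AAA_AUTHZ_AVAILABLE_NAMESPACES not published by extension")` would give an actionable error instead. The comment `// no conditional in for-in` does not say what the condition means; `// result != null: the handler asked to stop; an exhausted namespace continues with the next one` does. The enclosing method starts before the hunk.
```java
for (String namespace : extension.getContext().<List<String>>get(Authz.ContextKeys.AVAILABLE_NAMESPACES)) {
    Object opaque = extension.invoke(
        // … unchanged: QUERY_OPEN with NAMESPACE and input …
    ).get(Authz.InvokeKeys.QUERY_OPAQUE);
    List<ExtMap> result = null;
    try {
        // … unchanged: QUERY_EXECUTE paging do/while …
    } finally {
        // … unchanged: the close invocation currently in the outer finally, issued for this namespace's opaque …
    }
    // result != null: the handler asked to stop; an exhausted namespace continues with the next one
    if (result != null) {
        break;
    }
}
```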
@@ -102,7 +102,11 @@
 configuration.get("config.query.filter.size")
 ).mput(
 Base.ContextKeys.BUILD_INTERFACE_VERSION,
- Base.INTERFACE_VERSION_CURRENT);
+ Base.INTERFACE_VERSION_CURRENT
+ ).mput(
+ Authz.ContextKeys.AVAILABLE_NAMESPACES,
+ Arrays.asList("*")
+ );
 adminUser = new ExtMap().mput(
 Authz.PrincipalRecord.NAME,
 configuration.getProperty("config.authz.user.name")
diff --git a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java
index 68dfb19..ecb7656 100644
--- a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java
+++ b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java
@@ -1,6 +1,7 @@
 package org.ovirt.engine.extensions.aaa.builtin.kerberosldap;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -204,7 +205,11 @@
 configuration.get("config.query.filter.size")
 ).mput(
 Base.ContextKeys.BUILD_INTERFACE_VERSION,
- Base.INTERFACE_VERSION_CURRENT);
+ Base.INTERFACE_VERSION_CURRENT
+ ).mput(
+ Authz.ContextKeys.AVAILABLE_NAMESPACES,
+ Arrays.asList("*")
+ );
 }
 private ExtMap mapLdapUser(LdapUser user) {
diff --git a/backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/aaa/Authz.java b/backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/aaa/Authz.java
index 7e914f8..6f085d1 100644
--- a/backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/aaa/Authz.java
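Review bot: Both built-in providers publish `Arrays.asList("*")` as their only namespace (InternalAuthz at -102 and KerberosLdapAuthz at -204), but nothing in this change defines what `"*"` means — AuthzUtils forwards the string verbatim as `Authz.InvokeKeys.NAMESPACE`, so each provider interprets it on its own and a non-built-in provider has no specification to follow. Either document the wildcard on `Authz.ContextKeys.AVAILABLE_NAMESPACES` or state that a provider with a single partition publishes that partition's real name. `Arrays.asList` returns a fixed-size list backed by the array rather than an immutable one; `Collections.singletonList("*")` keeps a consumer from altering what the provider advertised through the shared context. InternalAuthz gets no matching `import java.util.Arrays;` in this change while KerberosLdapAuthz does; presumably it is already imported there, but that is worth confirming before merge.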
+++ b/backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/aaa/Authz.java
@@ -16,6 +16,12 @@
 */
 public static class ContextKeys {
 /**
+ * Available namespaces within provider.
+ * Query can be done within the context of namespace, to avoid
+ * scanning entire network. At least one namespace must be available.
+ */
+ public static final ExtKey AVAILABLE_NAMESPACES = new ExtKey("AAA_AUTHZ_AVAILABLE_NAMESPACES", List/*<String>*/.class, "6dffa34c-955f-486a-bd35-0a272b45a711");
+ /**
 * Maximum query filter size.
 * Limit the number of entries within {@link InvokeKeys#QUERY_FILTER}.
 * No more than this may be provided.
@@ -45,6 +51,11 @@
 * @see Status
 */
 public static final ExtKey STATUS = new ExtKey("AAA_AUTHZ_STATUS", Integer.class, "566f0ba5-8329-4de1-952a-7a81e4bedd3e");
+ /**
+ * Namespace to use.
+ * @see ContextKeys#AVAILABLE_NAMESPACES
+ */
+ public static final ExtKey NAMESPACE = new ExtKey("AAA_AUTHZ_NAMESPACE", ExtUUID.class, "7e12d802-86ff-4162-baaa-d6f6fe73201e");
 /**
 * Query filter.
 * @see QueryFilterRecord
@@ -101,6 +112,7 @@
 * <p>
 * Input:
 * <ul>
+ * <li>{@link InvokeKeys#NAMESPACE}[M]</li>
 * <li>{@link InvokeKeys#QUERY_ENTITY}[M]</li>
 * <li>{@link InvokeKeys#QUERY_FILTER}[M]</li>
 * <li>{@link InvokeKeys#RESOLVE_GROUPS_RECURSIVE}[M] - resolve groups recursively.</li>
-- To view, visit http://gerrit.ovirt.org/27538 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I38968ae4b61aa8d0a5120a22a17e016cbe96c5e9 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
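Review bot: `NAMESPACE` is declared with `ExtUUID.class` (hunk -45) while `AVAILABLE_NAMESPACES` is declared as `List/*<String>*/` and the caller in AuthzUtils iterates it as `String namespace` and stores that string under `InvokeKeys.NAMESPACE`; one of the two types is wrong, and if `ExtMap.mput` validates a value against the key's declared class the server-side query fails on the first namespace. Declaring it as `new ExtKey("AAA_AUTHZ_NAMESPACE", String.class, "7e12d802-86ff-4162-baaa-d6f6fe73201e")` matches both its producer and its consumer. The Javadoc for `NAMESPACE` should also state the contract the caller relies on — that the value must be one of the entries the provider published in `ContextKeys#AVAILABLE_NAMESPACES` and that a provider rejects any other value — because once the UI passes a selector through, this key is what bounds which partitions a query may reach. Likewise the `AVAILABLE_NAMESPACES` Javadoc says "at least one namespace must be available" but not what an element looks like or whether `"*"` is a reserved wildcard, which both built-in providers assume.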
