def deassign(user, role):
"""
This command deletes the assignment of the User from the Role entities.
The command is valid if and only if the user is a member of the USERS data set, the role is a member of the ROLES data set,
and the user is assigned to the role. Any sessions that currently have this role activated will not be effected.
Successful completion includes:
User entity in USER data set has role assignment removed.
Role entity in ROLE data set has userId removed as role occupant.
required parameters:
user.uid - existing user.
role.name - existing role.
"""
utils.validate_user(user)
utils.validate_role(role)
out_user = userdao.read(user)
for constraint in out_user.role_constraints:
if constraint.name == role.name:
found = True
userdao.deassign(user, constraint)
try:
roledao.remove_member(role, user.uid)
except RbacError as e:
if e.id != global_ids.URLE_ASSIGN_NOT_EXIST:
raise RbacError(msg=e.msg, id=e.id)
else:
logger.warn('admin.deassign remove member failed because not occupant. user:'******', role:' + role.name)
if not found:
raise RbacError(msg='Role deassign failed constraint not found', id=global_ids.URLE_DEASSIGN_FAILED)
def assign(user, role):
"""
This command assigns a user to a role.
The command is valid if and only if:
The user is a member of the USERS data set
The role is a member of the ROLES data set
The user is not already assigned to the role
required parameters:
user.uid - existing user.
role.name - existing role.
"""
utils.validate_user(user)
utils.validate_role(role)
entity = roledao.read(role)
# LDAP doesn't do well with sub-string indexes which is why the role assignments are stored within two separate multi-occurring attributes on the user entry -- roles' and 'role_constraints'.
# The first, is a set of role names (only), and will be indexed for fast search.
# the second, is a set of delimited strings containing the role name (once again) plus its associated temporal values.
userdao.assign(user, entity.constraint)
# Fortress user-role assignments also keep member association on the role itself.
# The rationale for these assignments also stored on role is two-fold:
# 1. works with traditional LDAP group-based authZ mechanisms
# 2. makes role-users search query more efficient, as its stored on single entry.
roledao.add_member(entity, user.uid)
def delete_role(role):
"""
This command deletes an existing role from the RBAC database. The command is valid if and only if the role to be deleted is a member of the ROLES data set.
This command will also deassign role from all users.
required parameters:
role.name - maps to INetOrgPerson uid
"""
utils.validate_role(role)
# if role has members, deassign all.
members, constraint = roledao.get_members_constraint (role)
for member in members:
try:
userdao.deassign(User(uid=member), constraint)
logger.info('admin.delete_role:' + role.name + ', remove assign for user:'******'admin.delete_role:' + role.name + ', assign not exist for user:'******'admin.delete_role:' + role.name + ', remove grant for perm obj_name:' + perm.obj_name + ', op_name:' + perm.op_name)
# now remove the role entry.
return roledao.delete(role)
def find_roles(role):
"""
Method will return a list of type Role matching all or part of Role name, Role.name.
required parameters:
role.name - maps to existing role. May be partial name with wildcard on end - *.
return:
Role list
"""
utils.validate_role(role)
return roledao.search(role)
def read_role(role):
"""
Method reads Role entity from the role container in directory.
required parameters:
role.name - maps to existing role
return:
Role
"""
utils.validate_role(role)
return roledao.read(role)
def role_perms(role):
"""
This function returns the set of all permissions (op, obj), granted to or inherited by a given role. The function is valid if and only if the role is a member of the ROLES data set.
required parameters:
role.name - maps to existing role
return:
Perm list
"""
utils.validate_role(role)
return permdao.search_on_roles([role.name])
def assigned_users(role):
"""
This function returns the set of users assigned to a given role. The function is valid if and only if the role is a member of the ROLES data set.
required parameters:
role.name - maps to existing role
return:
String list of uids
"""
utils.validate_role(role)
return roledao.get_members(role)
def grant(perm, role):
"""
This method will add permission operation to an existing permission object which resides under ou=Permissions,ou=RBAC,dc=yourHostName,dc=com container in directory information tree.
The perm operation entity may have Role or User associations. The target Permission must not exist prior to calling.
A Fortress Permission instance exists in a hierarchical, one-many relationship between its parent and itself as stored in ldap tree: (PermObj*->Permission).
required parameters:
perm.obj_name - existing perm obj.
perm.obj_name - existing perm op.
role.name - existing role.
optional parameters:
perm.obj_id - object identifier
"""
utils.validate_role(role)
utils.validate_perm(perm)
return permdao.grant(perm, role)
def revoke(perm, role):
"""
This command revokes the permission to perform an operation on an object from the set of permissions assigned to a role.
The command is implemented by setting the access control list of the object involved.
The command is valid if and only if the pair (operation, object) represents a permission, the role is a member of the ROLES data set, and the permission is assigned to that role.
required parameters:
perm.obj_name - existing perm obj.
perm.obj_name - existing perm op.
role.name - existing role.
optional parameters:
perm.obj_id - object identifier
"""
utils.validate_role(role)
utils.validate_perm(perm)
return permdao.revoke(perm, role)
def update_role(role):
"""
Method will update a Role entity in the directory. The role must exist in role container prior to this call.
required parameters:
role.name - maps to INetOrgPerson uid
optional parameters Temporal constraints may be associated with ftUserAttrs aux object class based on:
role.props - multi-occurring name:value pairs
role.description
role.constraint.timeout - 99 - set the integer timeout that contains max time (in minutes) that entity may remain inactive.
role.constraint.beginDate - YYYYMMDD - determines date when role may be activated.
role.constraint.endDate - YYMMDD - indicates latest date role may be activated.
role.constraint.beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
role.constraint.endLockDate - YYMMDD - determines end of enforced inactive status.
role.constraint.beginTime - HHMM - determines begin hour role may be activated in user's session.
role.constraint.endTime - HHMM - determines end hour role may be activated in user's session.*
role.constraint.dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week role may be activated.
"""
utils.validate_role(role)
return roledao.update(role)
def add_role(role):
"""
This command creates a new role. The command is valid if and only if the new role is not already a member of the ROLES data set.
The ROLES data set is updated. Initially, no user or permission is assigned to the new role.
required parameters:
role.name - maps to INetOrgPerson uid
optional parameters Temporal constraints may be associated with ftUserAttrs aux object class based on:
role.props - multi-occurring name:value pairs
role.description
role.constraint.timeout - 99 - set the integer timeout that contains max time (in minutes) that entity may remain inactive.
role.constraint.beginDate - YYYYMMDD - determines date when role may be activated.
role.constraint.endDate - YYMMDD - indicates latest date role may be activated.
role.constraint.beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
role.constraint.endLockDate - YYMMDD - determines end of enforced inactive status.
role.constraint.beginTime - HHMM - determines begin hour role may be activated in user's session.
role.constraint.endTime - HHMM - determines end hour role may be activated in user's session.*
role.constraint.dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week role may be activated.
"""
utils.validate_role(role)
return roledao.create(role)