Class UserRoleDaoResource
java.lang.Object
  org.pentaho.platform.web.http.api.resources.AbstractJaxRSResource
    org.pentaho.platform.web.http.api.resources.UserRoleDaoResource

public class UserRoleDaoResource extends AbstractJaxRSResource
UserRoleDao manages Pentaho Security users and roles in the BA platform.
-
Field Summary
-
Fields inherited from class org.pentaho.platform.web.http.api.resources.AbstractJaxRSResource
acceptableMediaTypes, httpServletRequest, httpServletResponse, TEXT_HTML
-
-
Constructor Summary
Constructors
UserRoleDaoResource()
UserRoleDaoResource(org.pentaho.platform.security.policy.rolebased.IRoleAuthorizationPolicyRoleBindingDao roleBindingDao, org.pentaho.platform.api.mt.ITenantManager tenantMgr, ArrayList<String> systemRoles, String adminRole)
UserRoleDaoResource(org.pentaho.platform.security.policy.rolebased.IRoleAuthorizationPolicyRoleBindingDao roleBindingDao, org.pentaho.platform.api.mt.ITenantManager tenantMgr, ArrayList<String> systemRoles, String adminRole, UserRoleDaoService service)
-
Method Summary
Modifier and Type, Method
    Description

javax.ws.rs.core.Response assignAllRolesToUser(String tenantPath, String userName)
    Associate all roles to the selected user
javax.ws.rs.core.Response assignAllUsersToRole(String tenantPath, String roleName)
    Associates all users to a particular role
javax.ws.rs.core.Response assignRolesToUser(String userName, String roleNames)
    Appends existing roles to an existing user passed to the system through query parameters. If the user name exists but the role name is not valid, the call will return 200.
javax.ws.rs.core.Response assignUserToRole(String tenantPath, String userNames, String roleName)
    Associate list of users to the selected role
protected boolean canAdminister()
javax.ws.rs.core.Response changeUserPassword(ChangePasswordUser user)
    Allows a user to change their password.
javax.ws.rs.core.Response createRole(String roleName)
    Creates a new role that does not have any permissions assigned to it.
javax.ws.rs.core.Response createUser(User user)
    Creates a new user with the specified name and password.
javax.ws.rs.core.Response deleteRoles(String roleNames)
    Delete role(s) from the platform.
javax.ws.rs.core.Response deleteUsers(String userNames)
    Delete user(s) from the platform using a query parameter that takes a list of tab separated user names.
SystemRolesMap getRoleBindingStruct(String locale)
    Retrieves the list of roles in the platform and the mapping for operation permissions, along with a list of operation permissions.
UserListWrapper getRoleMembers(String roleName)
    Retrieves list of users for the selected role.
RoleListWrapper getRoles()
    Returns the list of roles in the platform's repository.
RoleListWrapper getRolesForUser(String user)
    Gets the roles for the given user.
protected org.pentaho.platform.api.engine.IPentahoSession getSession()
protected org.pentaho.platform.api.mt.ITenant getTenant(String tenantId)
protected org.pentaho.platform.api.engine.security.userroledao.IUserRoleDao getUserRoleDao()
    For testing
UserListWrapper getUsers()
    Returns the list of users in the platform's repository.
javax.ws.rs.core.Response removeAllRolesFromUser(String tenantPath, String userName)
    Remove all roles from the selected user
javax.ws.rs.core.Response removeAllUsersFromRole(String tenantPath, String roleName)
    Removes all users from a particular role
javax.ws.rs.core.Response removeRolesFromUser(String userName, String roleNames)
    Removes selected roles from an existing user passed to the system through query parameters.
javax.ws.rs.core.Response removeUserFromRole(String tenantPath, String userNames, String roleName)
    Remove user(s) from a particular role
javax.ws.rs.core.Response setLogicalRoles(LogicalRoleAssignments roleAssignments)
    Associate a particular role to a list of physical permissions available in the system.
javax.ws.rs.core.Response updatePassword(UserChangePasswordDTO user)
    This is an administrative tool that allows an administrator to change any user's password by passing in the username and the new password.
protected void updateRolesForCurrentSession()
-
Methods inherited from class org.pentaho.platform.web.http.api.resources.AbstractJaxRSResource
setHttpHeaders
-
-
-
-
Constructor Detail
-
UserRoleDaoResource
public UserRoleDaoResource()
-
UserRoleDaoResource
public UserRoleDaoResource(org.pentaho.platform.security.policy.rolebased.IRoleAuthorizationPolicyRoleBindingDao roleBindingDao, org.pentaho.platform.api.mt.ITenantManager tenantMgr, ArrayList<String> systemRoles, String adminRole)
-
UserRoleDaoResource
public UserRoleDaoResource(org.pentaho.platform.security.policy.rolebased.IRoleAuthorizationPolicyRoleBindingDao roleBindingDao, org.pentaho.platform.api.mt.ITenantManager tenantMgr, ArrayList<String> systemRoles, String adminRole, UserRoleDaoService service)
-
-
Method Detail
-
createUser
public javax.ws.rs.core.Response createUser(User user)
Creates a new user with the specified name and password. This request is encapsulated inside a user object that has userName and password values. The user is created without any assigned roles; roles must be assigned separately. This endpoint is only accessible to an administrative user.
Example Request:
PUT pentaho/api/userroledao/createUser
Luke password
Parameters:
user - A user is an object the system uses to pass along a userName and password in the format:
Joe password
Returns:
Response object containing the status code of the operation
-
deleteUsers
public javax.ws.rs.core.Response deleteUsers(String userNames)
Delete user(s) from the platform using a query parameter that takes a list of tab separated user names. This endpoint is only available to users with administrative privileges.
Example Request:
PUT pentaho/api/userroledao/deleteUsers?userNames=user1%09user2%09
Parameters:
userNames - (List of tab (\t) separated user names)
Returns:
Response object containing the status code of the operation
-
changeUserPassword
public javax.ws.rs.core.Response changeUserPassword(ChangePasswordUser user)
Allows a user to change their password. The information is encapsulated in a ChangePasswordUser object that contains these fields: userName, newPassword, oldPassword.
Example Request:
PUT pentaho/api/userroledao/user
Luke newPassword oldPassword
Parameters:
user - Encapsulates the fields required for a user to update their password. The object requires the name of the user whose password is being changed, the old password, and the new password. A ChangePasswordUser object can be constructed as follows:
Luke newPassword oldPassword
Returns:
Response object containing the status code of the operation
-
getUsers
public UserListWrapper getUsers() throws javax.ws.rs.WebApplicationException
Returns the list of users in the platform's repository.
Example Request:
GET pentaho/api/userroledao/users
Returns:
List of users in the platform.
Example Response:
suzy pat tiffany admin
Throws:
javax.ws.rs.WebApplicationException
-
getRolesForUser
public RoleListWrapper getRolesForUser(String user) throws Exception
Gets the roles for the given user.
Example Request:
GET pentaho/api/userroledao/userRoles?userName=suzy
Parameters:
user - The username to get the roles for.
Returns:
List containing the roles for the given user.
Example Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><roleList><roles>Power User</roles></roleList>
Throws:
Exception
-
assignRolesToUser
public javax.ws.rs.core.Response assignRolesToUser(String userName, String roleNames)
Appends existing roles to an existing user passed to the system through query parameters.
If the user name exists but the role name is not valid, the call will return 200. This means that the call itself was successful and able to find the user, but added no new roles to it. This prevents the call from failing when a single invalid role appears among a set of otherwise valid roles. This endpoint is only available to users with administrative privileges.
Example Request:
PUT pentaho/api/userroledao/assignRoleToUser?userName=admin&roleNames=power%20user%09cto%09
Parameters:
userName - The username that the list of roles will be appended to
roleNames - Role names must be associated to existing roles in a tab (\t) separated list
Returns:
Response object containing the status code of the operation
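Because a 200 from assignRoleToUser does not confirm that any role was added, a caller has to read the user's roles back and compare. The sketch below is an added example, not part of the Pentaho code base; the function names are hypothetical, the sample response is the userRoles example from this page, and exact, case-sensitive role name matching is an assumption.

```python
from urllib.parse import quote
import xml.etree.ElementTree as ET

BASE = "pentaho/api/userroledao"  # path prefix as written in the page's example requests

# Sample input: the userRoles example response shown on this page.
SAMPLE_USER_ROLES = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                     "<roleList><roles>Power User</roles></roleList>")


def tab_list(names):
    """Encode names as the page's examples do: each name followed by %09 (tab)."""
    for name in names:
        # A tab or an empty entry would silently change how the list is split.
        if "\t" in name or not name.strip():
            raise ValueError(f"invalid name for a tab separated list: {name!r}")
    return "".join(quote(name, safe="") + "%09" for name in names)


def assign_roles_request(user_name, role_names):
    """Request line for assignRoleToUser, matching the page's example format."""
    return (f"PUT {BASE}/assignRoleToUser?userName={quote(user_name, safe='')}"
            f"&roleNames={tab_list(role_names)}")


def user_roles_request(user_name):
    """Request line for the read-back call."""
    return f"GET {BASE}/userRoles?userName={quote(user_name, safe='')}"


def parse_role_list(xml_text):
    """Extract role names from a <roleList> document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "roleList":
        raise ValueError(f"unexpected root element: {root.tag}")
    return [(r.text or "").strip() for r in root.findall("roles")]


def unapplied_roles(requested, role_list_xml):
    """Roles that were requested but are absent from the read-back response.

    Assumption: role names are compared exactly (case-sensitive).
    """
    held = set(parse_role_list(role_list_xml))
    return [role for role in requested if role not in held]


if __name__ == "__main__":
    wanted = ["Power User", "cto"]
    print(assign_roles_request("suzy", wanted))
    print(user_roles_request("suzy"))
    print("not applied:", unapplied_roles(wanted, SAMPLE_USER_ROLES))
```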
-
removeRolesFromUser
public javax.ws.rs.core.Response removeRolesFromUser(String userName, String roleNames)
Removes selected roles from an existing user passed to the system through query parameters. This endpoint is only available to users with administrative privileges.
Example Request:
PUT pentaho/api/userroledao/removeRoleFromUser?userName=admin&roleNames=Business%20User%09Power%20User%09
Parameters:
userName - The username that the list of roles will be removed from.
roleNames - Role names must be associated to existing roles in a tab (\t) separated list.
Returns:
Response object containing the status code of the operation.
-
createRole
public javax.ws.rs.core.Response createRole(String roleName)
Creates a new role that does not have any permissions assigned to it. Permissions must be assigned after creating the role. This endpoint is only usable by an administrative user.
Example Request:
PUT pentaho/api/userroledao/createRole?roleName=rName
Parameters:
roleName - Name of the new role to create in the system.
Returns:
Response containing the result of the operation.
-
deleteRoles
public javax.ws.rs.core.Response deleteRoles(String roleNames)
Delete role(s) from the platform. This endpoint is only available to users with administrative privileges.
Example Request:
PUT pentaho/api/userroledao/deleteRoles?roleNames=role1%09
Parameters:
roleNames - List of tab (\t) separated role names, must be valid roles.
Returns:
Response containing the result of the operation.
-
getRoles
public RoleListWrapper getRoles() throws Exception
Returns the list of roles in the platform's repository.
Example Request:
GET pentaho/api/userroledao/roles
Returns:
List of roles in the platform.
Example Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><roleList><roles>Administrator</roles><roles>Power User</roles><roles>Report Author</roles><roles>Business Analyst</roles></roleList>
Throws:
Exception
-
getRoleMembers
public UserListWrapper getRoleMembers(String roleName) throws Exception
Retrieves list of users for the selected role. The role must be a valid role in the system. Must have administrative privileges to access this.
Example Request:
GET pentaho/api/userroledao/roleMembers?roleName=Power%20User
Parameters:
roleName - The role name to get the list of users associated with it.
Returns:
List of users for the selected role.
Example Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><userList><users>suzy</users><users>admin</users></userList>
Throws:
Exception
-
setLogicalRoles
public javax.ws.rs.core.Response setLogicalRoles(LogicalRoleAssignments roleAssignments)
Associate a particular role to a list of physical permissions available in the system. Setting the physical permissions to the roles is a way to add and delete permissions from the role. Any permissions the role had before that are not on this list will be deleted. Any permissions on this list that were not previously assigned will now be assigned.
Example Request:
PUT /pentaho/api/userroledao/roleAssignments
<systemRolesMap>
  <assignments>
    <roleName>Report Author</roleName>
    <logicalRoles>org.pentaho.scheduler.manage</logicalRoles>
    <logicalRoles>org.pentaho.repository.read</logicalRoles>
    <logicalRoles>org.pentaho.security.publish</logicalRoles>
    <logicalRoles>org.pentaho.repository.create</logicalRoles>
    <logicalRoles>org.pentaho.repository.execute</logicalRoles>
  </assignments>
</systemRolesMap>
Parameters:
roleAssignments - Built from the Request payload, an example of the role assignments exists in the example request.
Returns:
Response code determining the success of the operation.
-
getRoleBindingStruct
public SystemRolesMap getRoleBindingStruct(String locale)
Retrieves the list of roles in the platform and the mapping for operation permissions, along with a list of operation permissions. The logical role name mapping is determined by the locale. If the locale is empty, the system will use the default locale of "en".
Example Request:
GET pentaho/api/userroledao/logicalRoleMap?locale=en
Parameters:
locale - The locale parameter is optional and determines the localized role name for a physical permission in the system roles map.
Returns:
A role mapping for the current system. Each assignment contains the immutable flag; roles for immutable assignments cannot be edited. This is useful for roles such as administrator, who should never lose the administrative privilege.
Logical roles in the assignment are the physical permissions currently mapped to the role. The role name is the name of the role that can be assigned to users.
The system roles map also includes a list of all physical permissions in the system along with their localized role name. The localized role name is based on the locale passed into the call, defaulting to "en".
These are the physical permissions that can be used to create roles.
Example Response:
<systemRolesMap>
  <assignments>
    <immutable>false</immutable>
    <logicalRoles>org.pentaho.scheduler.manage</logicalRoles>
    <logicalRoles>org.pentaho.security.publish</logicalRoles>
    <logicalRoles>org.pentaho.repository.create</logicalRoles>
    <logicalRoles>org.pentaho.repository.execute</logicalRoles>
    <roleName>Power User</roleName>
  </assignments>
  <assignments>
    <immutable>true</immutable>
    <logicalRoles>org.pentaho.repository.execute</logicalRoles>
    <logicalRoles>org.pentaho.platform.dataaccess.datasource.security.manage</logicalRoles>
    <logicalRoles>org.pentaho.repository.read</logicalRoles>
    <logicalRoles>org.pentaho.repository.create</logicalRoles>
    <logicalRoles>org.pentaho.scheduler.manage</logicalRoles>
    <logicalRoles>org.pentaho.security.administerSecurity</logicalRoles>
    <logicalRoles>org.pentaho.security.publish</logicalRoles>
    <roleName>Administrator</roleName>
  </assignments>
  <localizedRoleNames>
    <localizedName>Administer Security</localizedName>
    <roleName>org.pentaho.security.administerSecurity</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
    <localizedName>Schedule Content</localizedName>
    <roleName>org.pentaho.scheduler.manage</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
    <localizedName>Read Content</localizedName>
    <roleName>org.pentaho.repository.read</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
    <localizedName>Publish Content</localizedName>
    <roleName>org.pentaho.security.publish</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
    <localizedName>Create Content</localizedName>
    <roleName>org.pentaho.repository.create</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
    <localizedName>Execute</localizedName>
    <roleName>org.pentaho.repository.execute</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
    <localizedName>Manage Data Sources</localizedName>
    <roleName>org.pentaho.platform.dataaccess.datasource.security.manage</roleName>
  </localizedRoleNames>
</systemRolesMap>
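Since roleAssignments replaces a role's whole permission list, and logicalRoleMap reports both the current list and the immutable flag, a pre-change check can diff the two documents before the PUT is sent. This is an added example, not Pentaho code: the function names are hypothetical and both XML samples are constructed (the first is trimmed from the example response above).

```python
import xml.etree.ElementTree as ET

# Permission name taken from the page's example response.
ADMIN_PERMISSION = "org.pentaho.security.administerSecurity"

# Constructed sample: trimmed from the page's logicalRoleMap example response.
CURRENT_MAP = """<systemRolesMap>
  <assignments><immutable>false</immutable>
    <logicalRoles>org.pentaho.scheduler.manage</logicalRoles>
    <logicalRoles>org.pentaho.security.publish</logicalRoles>
    <logicalRoles>org.pentaho.repository.create</logicalRoles>
    <logicalRoles>org.pentaho.repository.execute</logicalRoles>
    <roleName>Power User</roleName></assignments>
  <assignments><immutable>true</immutable>
    <logicalRoles>org.pentaho.security.administerSecurity</logicalRoles>
    <roleName>Administrator</roleName></assignments>
</systemRolesMap>"""

# Constructed sample: a roleAssignments payload about to be sent.
PROPOSED = """<systemRolesMap>
  <assignments><roleName>Power User</roleName>
    <logicalRoles>org.pentaho.repository.read</logicalRoles>
    <logicalRoles>org.pentaho.repository.execute</logicalRoles>
    <logicalRoles>org.pentaho.security.administerSecurity</logicalRoles></assignments>
  <assignments><roleName>Administrator</roleName>
    <logicalRoles>org.pentaho.repository.read</logicalRoles></assignments>
</systemRolesMap>"""


def parse_assignments(xml_text):
    """Return {roleName: (immutable, set of logicalRoles)} from a systemRolesMap."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    result = {}
    for node in root.findall("assignments"):
        name = (node.findtext("roleName") or "").strip()
        immutable = (node.findtext("immutable") or "false").strip() == "true"
        perms = {(p.text or "").strip() for p in node.findall("logicalRoles")}
        result[name] = (immutable, perms)
    return result


def plan_change(current_xml, proposed_xml):
    """Per role: what the replace would remove and add, and what needs review."""
    current = parse_assignments(current_xml)
    plan = {}
    for role, (_, wanted) in parse_assignments(proposed_xml).items():
        immutable, held = current.get(role, (False, set()))
        plan[role] = {
            "blocked": immutable,                      # immutable roles cannot be edited
            "removed": sorted(held - wanted),          # dropped by replace semantics
            "added": sorted(wanted - held),
            "grants_admin": ADMIN_PERMISSION in (wanted - held),
        }
    return plan
```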
-
assignAllRolesToUser
public javax.ws.rs.core.Response assignAllRolesToUser(String tenantPath, String userName)
Associate all roles to the selected user
Parameters:
tenantPath - (tenant path where the user exists, null or empty string assumes default tenant)
userName - (username)
Returns:
-
removeAllRolesFromUser
public javax.ws.rs.core.Response removeAllRolesFromUser(String tenantPath, String userName)
Remove all roles from the selected user
Parameters:
tenantPath - (tenant path where the user exists, null or empty string assumes default tenant)
userName - (username)
Returns:
-
assignUserToRole
public javax.ws.rs.core.Response assignUserToRole(String tenantPath, String userNames, String roleName)
Associate list of users to the selected role
Parameters:
tenantPath - (tenant path where the user exists, null or empty string assumes default tenant)
userNames - (list of tab (\t) separated user names)
roleName - (role name)
Returns:
-
removeUserFromRole
public javax.ws.rs.core.Response removeUserFromRole(String tenantPath, String userNames, String roleName)
Remove user(s) from a particular role
Parameters:
tenantPath - (tenant path where the user exists, null or empty string assumes default tenant)
userNames - (list of tab (\t) separated user names)
roleName - (role name)
Returns:
-
assignAllUsersToRole
public javax.ws.rs.core.Response assignAllUsersToRole(String tenantPath, String roleName)
Associates all users to a particular role
Parameters:
tenantPath - (tenant path where the user exists, null or empty string assumes default tenant)
roleName - (role name)
Returns:
-
removeAllUsersFromRole
public javax.ws.rs.core.Response removeAllUsersFromRole(String tenantPath, String roleName)
Removes all users from a particular role
Parameters:
tenantPath - (tenant path where the user exists, null or empty string assumes default tenant)
roleName - (role name)
Returns:
-
updatePassword
public javax.ws.rs.core.Response updatePassword(UserChangePasswordDTO user)
This is an administrative tool that allows an administrator to change any user's password by passing in the username and the new password. Additionally, the current administrator password is needed to authorize the change. The fields are encapsulated in a user object containing a userName, password and administratorPassword.
Example Request:
PUT pentaho/api/userroledao/updatePassword
Joe password administratorPassword
Parameters:
user - A user is an object the system uses to pass along a userName, password and administratorPassword in the format:
Joe password administratorPassword
Returns:
Response object containing the status code of the operation
-
getTenant
protected org.pentaho.platform.api.mt.ITenant getTenant(String tenantId) throws com.sun.jersey.api.NotFoundException
- Throws:
com.sun.jersey.api.NotFoundException
-
canAdminister
protected boolean canAdminister()
-
updateRolesForCurrentSession
protected void updateRolesForCurrentSession()
-
getSession
protected org.pentaho.platform.api.engine.IPentahoSession getSession()
-
getUserRoleDao
protected org.pentaho.platform.api.engine.security.userroledao.IUserRoleDao getUserRoleDao()
For testing
-
-