org.pentaho.platform.web.http.api.resources

Class UserRoleDaoResource

java.lang.Object

org.pentaho.platform.web.http.api.resources.AbstractJaxRSResource

org.pentaho.platform.web.http.api.resources.UserRoleDaoResource

public class UserRoleDaoResource
extends AbstractJaxRSResource

UserRoleDao manages Pentaho Security user and roles in the BA platform.

Field Summary

Fields inherited from class org.pentaho.platform.web.http.api.resources.AbstractJaxRSResource

acceptableMediaTypes, httpServletRequest, httpServletResponse, TEXT_HTML

Constructor Summary

Constructors

Constructor and Description
UserRoleDaoResource()
UserRoleDaoResource(IRoleAuthorizationPolicyRoleBindingDao roleBindingDao, ITenantManager tenantMgr, ArrayList<String> systemRoles, String adminRole)
UserRoleDaoResource(IRoleAuthorizationPolicyRoleBindingDao roleBindingDao, ITenantManager tenantMgr, ArrayList<String> systemRoles, String adminRole, UserRoleDaoService service)

Method Summary

Modifier and Type	Method and Description
javax.ws.rs.core.Response	assignAllRolesToUser(String tenantPath, String userName) Associate all roles to the selected user
javax.ws.rs.core.Response	assignAllUsersToRole(String tenantPath, String roleName) Associates all user to a particular role
javax.ws.rs.core.Response	assignRolesToUser(String userName, String roleNames) Appends existing roles to an existing user passed to the system through query parameters. If the user name exists but the role name is not valid, the call will return 200.
javax.ws.rs.core.Response	assignUserToRole(String tenantPath, String userNames, String roleName) Associate list of users to the selected role
protected boolean	canAdminister()
javax.ws.rs.core.Response	changeUserPassword(ChangePasswordUser user) Allows a user to change their password.
javax.ws.rs.core.Response	createRole(String roleName) Creates a new role that that does not have any permissions assigned to it.
javax.ws.rs.core.Response	createUser(User user) Creates a new user with the specified name and password.
javax.ws.rs.core.Response	deleteRoles(String roleNames) Delete role(s) from the platform.
javax.ws.rs.core.Response	deleteUsers(String userNames) Delete user(s) from the platform using a query parameter that takes a list of tab separated user names.
SystemRolesMap	getRoleBindingStruct(String locale) Retrieves the list of roles in the platform and the mapping for operation permissions, along with a list of operation permissions.
UserListWrapper	getRoleMembers(String roleName) Retrieves list of users for the selected role.
RoleListWrapper	getRoles() Returns the list of roles in the platform's repository.
RoleListWrapper	getRolesForUser(String user) Gets the roles for the given user.
protected IPentahoSession	getSession()
protected ITenant	getTenant(String tenantId)
protected IUserRoleDao	getUserRoleDao() For testing
UserListWrapper	getUsers() Returns the list of users in the platform's repository.
javax.ws.rs.core.Response	removeAllRolesFromUser(String tenantPath, String userName) Remove all roles from the selected user
javax.ws.rs.core.Response	removeAllUsersFromRole(String tenantPath, String roleName) Removes all users from a particular role
javax.ws.rs.core.Response	removeRolesFromUser(String userName, String roleNames) Removes selected roles from an existing user passed to the system through query parameters.
javax.ws.rs.core.Response	removeUserFromRole(String tenantPath, String userNames, String roleName) Remove user(s) from a particular role
javax.ws.rs.core.Response	setLogicalRoles(LogicalRoleAssignments roleAssignments) Associate a particular role to a list of physical permissions available in the system.
javax.ws.rs.core.Response	updatePassword(UserChangePasswordDTO user) This is an administrative tool, that allows an administrator the ability to change any users password by passing in the username and the new password.
protected void	updateRolesForCurrentSession()

Methods inherited from class org.pentaho.platform.web.http.api.resources.AbstractJaxRSResource

setHttpHeaders

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

UserRoleDaoResource

public UserRoleDaoResource()

UserRoleDaoResource

public UserRoleDaoResource(IRoleAuthorizationPolicyRoleBindingDao roleBindingDao,
                           ITenantManager tenantMgr,
                           ArrayList<String> systemRoles,
                           String adminRole)

UserRoleDaoResource

public UserRoleDaoResource(IRoleAuthorizationPolicyRoleBindingDao roleBindingDao,
                           ITenantManager tenantMgr,
                           ArrayList<String> systemRoles,
                           String adminRole,
                           UserRoleDaoService service)

Method Detail

createUser

public javax.ws.rs.core.Response createUser(User user)

Creates a new user with the specified name and password. This request is encapsulated inside a user object that has userName and password values. The user is created without any assigned roles, roles must be assigned separately. This endpoint is only accessible to an administrative user.

Example Request:
PUT pentaho/api/userroledao/createUser

 
   Luke
   password
 
 

Parameters:

user - A user is an object the system uses to pass along a userName and password in the format:

          
            Joe
            password
          
          

Returns:

Response object containing the status code of the operation

deleteUsers

public javax.ws.rs.core.Response deleteUsers(String userNames)

Delete user(s) from the platform using a query parameter that takes a list of tab separated user names. This endpoint is only available to users with administrative privledges.

Example Request:
PUT pentaho/api/userroledao/deleteUsers?userNames=user1%09user2%09

Parameters:

userNames - (List of tab (\t) separated user names)

Returns:

Response object containing the status code of the operation

changeUserPassword

public javax.ws.rs.core.Response changeUserPassword(ChangePasswordUser user)

Allows a user to change their password. The information is encapsulated in a ChangeUserPassword object that contains these fields: userName, newPassword, oldPassword.

Example Request:
PUT pentaho/api/userroledao/user

 
   Luke
   newPassword
   oldPassword
 
 

Parameters:

ChangePasswordUser - Encapsulates the fields required for a user to update their password. The object requires the name of the user whose password is being changed, the old password, and the new password. A ChangePasswordUser object can be constructed as follows: <

>
 
   Luke
   newPassword
   oldPassword
 
 

Returns:

Response object containing the status code of the operation

getUsers

public UserListWrapper getUsers()
                         throws javax.ws.rs.WebApplicationException

Returns the list of users in the platform's repository.

Example Request:
GET pentaho/api/userroledao/users

Returns:

List of users in the platform.

Example Response:

  
    suzy
    pat
    tiffany
    admin
  
 

Throws:

javax.ws.rs.WebApplicationException

getRolesForUser

public RoleListWrapper getRolesForUser(String user)
                                throws Exception

Gets the roles for the given user.

Example Request:
GET pentaho/api/userroledao/userRoles?userName=suzy

Parameters:

user - The username to get the roles for.

Returns:

List containing the roles for the given user.

Example Response:

     <?xml version="1.0" encoding="UTF-8" standalone="yes"?><roleList><roles>Power User</roles></roleList>
 

Throws:

Exception

assignRolesToUser

public javax.ws.rs.core.Response assignRolesToUser(String userName,
                                                   String roleNames)

Appends existing roles to an existing user passed to the system through query parameters.
If the user name exists but the role name is not valid, the call will return 200. This means that the call itself was successful and able to find the user, but added no new roles to it. This prevents the call from failing in the instance of a set of other valid roles, with a single invalid role among them. This endpoint is only available to users with administrative privileges.

Example Request:
PUT pentaho/api/userroledao/assignRoleToUser?userName=admin&roleNames=power%20user%09cto%09

Parameters:

userName - The username that the list of roles will be appended to

roleNames - Rolenames must be associated to existing roles in a tab (\t) separated list

Returns:

Response object containing the status code of the operation

removeRolesFromUser

public javax.ws.rs.core.Response removeRolesFromUser(String userName,
                                                     String roleNames)

Removes selected roles from an existing user passed to the system through query parameters. This endpoint is only available to users with administrative privileges.

Example Request:
PUT pentaho/api/userroledao/removeRoleFromUser?userName=admin&roleNames=Business%20User%09Power%20User%09

Parameters:

userName - The username that the list of roles will be removed from.

roleNames - Rolenames must be associated to existing roles in a tab (\t) separated list.

Returns:

Response object containing the status code of the operation.

createRole

public javax.ws.rs.core.Response createRole(String roleName)

Creates a new role that that does not have any permissions assigned to it. Permissions must be assigned after creating the role. This endpoint is only usable by an administrative user.

Example Request:
PUT pentaho/api/userroledao/createRole?roleName=rName

Parameters:

roleName - Name of the new role to create in the system.

Returns:

Response containing the result of the operation.

deleteRoles

public javax.ws.rs.core.Response deleteRoles(String roleNames)

Delete role(s) from the platform. This endpoint is only available to users with administrative privileges.

Example Request:
PUT pentaho/api/userroledao/deleteRoles?roleNames=role1%09

Parameters:

roleNames - List of tab (\t) separated role names, must be valid roles.

Returns:

Response containing the result of the operation.

getRoles

public RoleListWrapper getRoles()
                         throws Exception

Returns the list of roles in the platform's repository.

Example Request:
GET pentaho/api/userroledao/roles

Returns:

List of roles in the platform.

Example Response:

   <?xml version="1.0" encoding="UTF-8" standalone="yes"?><roleList><roles>Administrator</roles><roles>Power User</roles><roles>Report Author</roles><roles>Business Analyst</roles></roleList>>
 

Throws:

Exception

getRoleMembers

public UserListWrapper getRoleMembers(String roleName)
                               throws Exception

Retrieves list of users for the selected role. The role must be a valid role in the system. Must have administrative privileges to access this.

Example Request:
GET pentaho/api/userroledao/roleMembers?roleName=Power%20User

Parameters:

roleName - The role name to get the list of users associated with it.

Returns:

List of users for the selected role.

Example Response:

   <?xml version="1.0" encoding="UTF-8" standalone="yes"?><userList><users>suzy</users><users>admin</users></userList>
 

Throws:

Exception

setLogicalRoles

public javax.ws.rs.core.Response setLogicalRoles(LogicalRoleAssignments roleAssignments)

Associate a particular role to a list of physical permissions available in the system. Setting the physical permissions to the roles is a way to add and delete permissions from the role. Any permissions the role had before that are not on this list will be deleted. Any permissions on this list that were not previously assigned will now be assigned.

Example Request:
PUT /pentaho/api/userroledao/roleAssignments

   <systemRolesMap>
   <assignments>
   <roleName>Report Author</roleName>
   <logicalRoles>org.pentaho.scheduler.manage</logicalRoles>
   <logicalRoles>org.pentaho.repository.read</logicalRoles>
   <logicalRoles>org.pentaho.security.publish</logicalRoles>
   <logicalRoles>org.pentaho.repository.create</logicalRoles>
   <logicalRoles>org.pentaho.repository.execute</logicalRoles>
   </assignments>
   </systemRolesMap>
 

Parameters:

roleAssignments - Built from the Request payload, an example of the role assignments exists in the example request.

Returns:

Response code determining the success of the operation.

getRoleBindingStruct

public SystemRolesMap getRoleBindingStruct(String locale)

Retrieves the list of roles in the platform and the mapping for operation permissions, along with a list of operation permissions. The logical role name mapping is determined by the locale. If the locale is empty, the system will use the default locale of "en".

Example Request:
GET pentaho/api/userroledao/logicalRoleMap?locale=en

Parameters:

locale - The locale paramter is optional and determines the localized role name for a physical permission in the system roles map.

Returns:

A role mapping for the current system. Each assignment contains the immutable flag and roles for immutable assignments cannot be edited. This is useful for roles such as administrator, who should never lose the administrative privilege. Logical roles in the assignment are the physical permissions currently mapped to the role. The role name is the name of the role that can be assigned to users. The system roles map also includes a list of all physical permissions in the system along with their localized role name. The localized role name is based on the locale passed into the call, defaulting to "en". These are the physical permissions that can be used to create roles.

Example Response:

  <systemRolesMap>
  <assignments>
  <immutable>false</immutable>
  <logicalRoles>org.pentaho.scheduler.manage</logicalRoles>
  <logicalRoles>org.pentaho.security.publish</logicalRoles>
  <logicalRoles>org.pentaho.repository.create</logicalRoles>
  <logicalRoles>org.pentaho.repository.execute</logicalRoles>
  <roleName>Power User</roleName>
  </assignments>
  <assignments>
  <immutable>true</immutable>
  <logicalRoles>org.pentaho.repository.execute</logicalRoles>
  <logicalRoles>
    org.pentaho.platform.dataaccess.datasource.security.manage
  </logicalRoles>
  <logicalRoles>org.pentaho.repository.read</logicalRoles>
  <logicalRoles>org.pentaho.repository.create</logicalRoles>
  <logicalRoles>org.pentaho.scheduler.manage</logicalRoles>
  <logicalRoles>org.pentaho.security.administerSecurity</logicalRoles>
  <logicalRoles>org.pentaho.security.publish</logicalRoles>
  <roleName>Administrator</roleName>
  </assignments>
  <localizedRoleNames>
  <localizedName>Administer Security</localizedName>
  <roleName>org.pentaho.security.administerSecurity</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
  <localizedName>Schedule Content</localizedName>
  <roleName>org.pentaho.scheduler.manage</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
  <localizedName>Read Content</localizedName>
  <roleName>org.pentaho.repository.read</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
  <localizedName>Publish Content</localizedName>
  <roleName>org.pentaho.security.publish</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
  <localizedName>Create Content</localizedName>
  <roleName>org.pentaho.repository.create</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
  <localizedName>Execute</localizedName>
  <roleName>org.pentaho.repository.execute</roleName>
  </localizedRoleNames>
  <localizedRoleNames>
  <localizedName>Manage Data Sources</localizedName>
  <roleName>
  org.pentaho.platform.dataaccess.datasource.security.manage
  </roleName>
  </localizedRoleNames>
  </systemRolesMap>
 

assignAllRolesToUser

public javax.ws.rs.core.Response assignAllRolesToUser(String tenantPath,
                                                      String userName)

Associate all roles to the selected user

Parameters:

tenantPath - (tenant path where the user exist, null of empty string assumes default tenant)

userName - (username)

Returns:

removeAllRolesFromUser

public javax.ws.rs.core.Response removeAllRolesFromUser(String tenantPath,
                                                        String userName)

Remove all roles from the selected user

Parameters:

tenantPath - (tenant path where the user exist, null of empty string assumes default tenant)

userName - (username)

Returns:

assignUserToRole

public javax.ws.rs.core.Response assignUserToRole(String tenantPath,
                                                  String userNames,
                                                  String roleName)

Associate list of users to the selected role

Parameters:

tenantPath - (tenant path where the user exist, null of empty string assumes default tenant)

userNames - (list of tab (\t) separated user names

roleName - (role name)

Returns:

removeUserFromRole

public javax.ws.rs.core.Response removeUserFromRole(String tenantPath,
                                                    String userNames,
                                                    String roleName)

Remove user(s) from a particular role

Parameters:

tenantPath - (tenant path where the user exist, null of empty string assumes default tenant)

userNames - (list of tab (\t) separated user names

roleName - (role name)

Returns:

assignAllUsersToRole

public javax.ws.rs.core.Response assignAllUsersToRole(String tenantPath,
                                                      String roleName)

Associates all user to a particular role

Parameters:

tenantPath - (tenant path where the user exist, null of empty string assumes default tenant)

roleName - (role name)

Returns:

removeAllUsersFromRole

public javax.ws.rs.core.Response removeAllUsersFromRole(String tenantPath,
                                                        String roleName)

Removes all users from a particular role

Parameters:

tenantPath - (tenant path where the user exist, null of empty string assumes default tenant)

roleName - (role name)

Returns:

updatePassword

public javax.ws.rs.core.Response updatePassword(UserChangePasswordDTO user)

This is an administrative tool, that allows an administrator the ability to change any users password by passing in the username and the new password. Additionally the current administrator password is needed to authorize the change. The fields are encapsulated in a user object containing a userName, password and administratorPassword.

Example Request:
PUT pentaho/api/userroledao/updatePassword

 
   Joe
   password
   administratorPassword
 
 

Parameters:

user - A user is an object the system uses to pass along a userName, password and administratorPassword in the format:

          
            Joe
            password
            administratorPassword
          
          

Returns:

response object containing the status code of the operation

getTenant

protected ITenant getTenant(String tenantId)
                     throws com.sun.jersey.api.NotFoundException

Throws:

com.sun.jersey.api.NotFoundException

canAdminister

protected boolean canAdminister()

updateRolesForCurrentSession

protected void updateRolesForCurrentSession()

getSession

protected IPentahoSession getSession()

getUserRoleDao

protected IUserRoleDao getUserRoleDao()

For testing