Realm: allow auth instances to support multiple realms

In practice, most folks will use something like DirAclAuthz to manage their realm. Rather than requiring a new authz plugin for each realm, we allow the authz plugin to support multiple realms (as a comma separated list). For the Acl plugins in particular, we expand the authorize call to allow the caller to pass in the realm as well as the resource and operation. The resource queried would then be constructed on the fly as realm.resource Examples will be provided in the wiki page. Trac Ticket 2041
author: Ade Lee <alee@redhat.com> 2016-04-19 22:32:33 -0400
committer: Ade Lee <alee@redhat.com> 2016-04-20 17:31:17 -0400
commit: 9dc5a7829e9521ac29196515e1384f552068a649 (patch)
tree: 170fea823082cccc3d1d367ab915fdb2de9d1cb4 /base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
parent: b59d8305130e81d3e00240b5612a327c9dfc7d12 (diff)
download: pki-9dc5a7829e9521ac29196515e1384f552068a649.tar.gz
pki-9dc5a7829e9521ac29196515e1384f552068a649.tar.xz
pki-9dc5a7829e9521ac29196515e1384f552068a649.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 255d8d614..74b58b8a2 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -422,7 +422,7 @@ public class KeyService extends PKIService implements KeyResource {
 
         if (realm != null) {
             try {
-                authz.checkRealm(realm, getAuthToken(), null, "keys", "list");
+                authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.keys", "list");
             } catch (EAuthzAccessDenied e) {
                 throw new UnauthorizedException("Not authorized to list these keys", e);
             } catch (EAuthzUnknownRealm e) {
@@ -509,7 +509,7 @@ public class KeyService extends PKIService implements KeyResource {
             if (info != null) {
                 // return the first one, but first confirm that the requester has access to this key
                 try {
-                    authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "key", "read");
+                    authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "certServer.kra.key", "read");
                 } catch (EAuthzAccessDenied e) {
                     throw new UnauthorizedException("Not authorized to read this key", e);
                 } catch (EBaseException e) {
@@ -681,7 +681,7 @@ public class KeyService extends PKIService implements KeyResource {
         IKeyRecord rec = null;
         try {
             rec = repo.readKeyRecord(keyId.toBigInteger());
-            authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "key", "read");
+            authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "certServer.kra.key", "read");
             KeyInfo info = createKeyDataInfo(rec, true);
             auditRetrieveKey(ILogger.SUCCESS, null, keyId, auditInfo);
author	Ade Lee <alee@redhat.com>	2016-04-19 22:32:33 -0400
committer	Ade Lee <alee@redhat.com>	2016-04-20 17:31:17 -0400
commit	9dc5a7829e9521ac29196515e1384f552068a649 (patch)
tree	170fea823082cccc3d1d367ab915fdb2de9d1cb4 /base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
parent	b59d8305130e81d3e00240b5612a327c9dfc7d12 (diff)
download	pki-9dc5a7829e9521ac29196515e1384f552068a649.tar.gz pki-9dc5a7829e9521ac29196515e1384f552068a649.tar.xz pki-9dc5a7829e9521ac29196515e1384f552068a649.zip