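/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions Copyright [year] [name of copyright owner]".
 *
 * Copyright 2008-2010 Sun Microsystems, Inc.
 * Portions Copyright 2014-2015 ForgeRock AS.
 */
package org.opends.server.types;

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * This class implements an enumeration that defines the set of
 * privileges available in the Directory Server.
 * <p>
 * The collections handed out by {@link #getPrivilegeNames()} and
 * {@link #getDefaultRootPrivileges()} are unmodifiable: the privilege
 * registry and the default root privilege set are fixed at class
 * initialisation and cannot be altered by callers holding a reference
 * to them.
 */
@org.opends.server.types.PublicAPI(
     stability=org.opends.server.types.StabilityLevel.UNCOMMITTED,
     mayInstantiate=false,
     mayExtend=false,
     mayInvoke=true)
public enum Privilege
{
  /**
   * The privilege that provides the ability to bypass access control
   * evaluation.
   */
  BYPASS_ACL("bypass-acl"),

  /**
   * The privilege that provides the ability to bypass server
   * lockdown mode.
   */
  BYPASS_LOCKDOWN("bypass-lockdown"),

  /**
   * The privilege that provides the ability to modify access control
   * rules.
   */
  MODIFY_ACL("modify-acl"),

  /**
   * The privilege that provides the ability to read the server
   * configuration.
   */
  CONFIG_READ("config-read"),

  /**
   * The privilege that provides the ability to update the server
   * configuration.
   */
  CONFIG_WRITE("config-write"),

  /**
   * The privilege that provides the ability to perform read
   * operations via JMX.
   */
  JMX_READ("jmx-read"),

  /**
   * The privilege that provides the ability to perform write
   * operations via JMX.
   */
  JMX_WRITE("jmx-write"),

  /**
   * The privilege that provides the ability to subscribe to JMX
   * notifications.
   */
  JMX_NOTIFY("jmx-notify"),

  /**
   * The privilege that provides the ability to perform LDIF import
   * operations.
   */
  LDIF_IMPORT("ldif-import"),

  /**
   * The privilege that provides the ability to perform LDIF export
   * operations.
   */
  LDIF_EXPORT("ldif-export"),

  /**
   * The privilege that provides the ability to perform backend backup
   * operations.
   */
  BACKEND_BACKUP("backend-backup"),

  /**
   * The privilege that provides the ability to perform backend
   * restore operations.
   */
  BACKEND_RESTORE("backend-restore"),

  /**
   * The privilege that provides the ability to lockdown a server.
   */
  SERVER_LOCKDOWN("server-lockdown"),

  /**
   * The privilege that provides the ability to request a server
   * shutdown.
   */
  SERVER_SHUTDOWN("server-shutdown"),

  /**
   * The privilege that provides the ability to request a server
   * restart.
   */
  SERVER_RESTART("server-restart"),

  /**
   * The privilege that provides the ability to perform proxied
   * authorization or request an alternate authorization identity.
   */
  PROXIED_AUTH("proxied-auth"),

  /**
   * The privilege that provides the ability to terminate arbitrary
   * client connections.
   */
  DISCONNECT_CLIENT("disconnect-client"),

  /**
   * The privilege that provides the ability to cancel arbitrary
   * client requests.
   */
  CANCEL_REQUEST("cancel-request"),

  /**
   * The privilege that provides the ability to reset user passwords.
   */
  PASSWORD_RESET("password-reset"),

  /**
   * The privilege that provides the ability to participate in a
   * data synchronization environment.
   */
  DATA_SYNC("data-sync"),

  /**
   * The privilege that provides the ability to update the server
   * schema.
   */
  UPDATE_SCHEMA("update-schema"),

  /**
   * The privilege that provides the ability to change the set of
   * privileges for a user, or to change the set of privileges
   * automatically assigned to a root user.
   */
  PRIVILEGE_CHANGE("privilege-change"),

  /**
   * The privilege that provides the ability to perform an unindexed
   * search in the JE backend.
   */
  UNINDEXED_SEARCH("unindexed-search"),

  /**
   * The privilege that provides the ability to perform write
   * operations on LDAP subentries.
   */
  SUBENTRY_WRITE("subentry-write"),

  /**
   * The privilege that provides the ability to perform read
   * operations on the changelog.
   */
  CHANGELOG_READ("changelog-read");


  /** A map that will be used to hold a mapping between privilege names and enum values. */
  private static final Map<String, Privilege> PRIV_MAP = new HashMap<>();

  /**
   * Unmodifiable view of the keys of {@link #PRIV_MAP}. Returned by
   * {@link #getPrivilegeNames()} so that callers cannot remove entries
   * from the registry through the map's live key set.
   */
  private static final Set<String> PRIV_NAMES;

  /**
   * The set of privileges that will be automatically assigned to root
   * users if the root privilege set is not specified in the configuration.
   * Unmodifiable, so a caller of {@link #getDefaultRootPrivileges()} cannot
   * widen or narrow the default root privileges for the whole server.
   */
  private static final Set<Privilege> DEFAULT_ROOT_PRIV_SET;


  /** The human-readable name for this privilege. */
  private final String privilegeName;



  static
  {
    for (Privilege privilege : Privilege.values())
    {
      // Two constants sharing a name would silently shadow each other in the
      // lookup table, so fail loudly at class initialisation instead.
      Privilege previous = PRIV_MAP.put(privilege.privilegeName, privilege);
      if (previous != null)
      {
        throw new IllegalStateException("Duplicate privilege name '"
            + privilege.privilegeName + "' for " + previous.name()
            + " and " + privilege.name());
      }
    }
    PRIV_NAMES = Collections.unmodifiableSet(PRIV_MAP.keySet());

    // JMX_READ, JMX_WRITE, JMX_NOTIFY, PROXIED_AUTH and DATA_SYNC are not part
    // of the default root privilege set.
    Set<Privilege> rootPrivileges = new HashSet<>();
    Collections.addAll(rootPrivileges,
        BYPASS_ACL,
        BYPASS_LOCKDOWN,
        MODIFY_ACL,
        CONFIG_READ,
        CONFIG_WRITE,
        LDIF_IMPORT,
        LDIF_EXPORT,
        BACKEND_BACKUP,
        BACKEND_RESTORE,
        SERVER_LOCKDOWN,
        SERVER_SHUTDOWN,
        SERVER_RESTART,
        DISCONNECT_CLIENT,
        CANCEL_REQUEST,
        PASSWORD_RESET,
        UPDATE_SCHEMA,
        PRIVILEGE_CHANGE,
        UNINDEXED_SEARCH,
        SUBENTRY_WRITE,
        CHANGELOG_READ);
    DEFAULT_ROOT_PRIV_SET = Collections.unmodifiableSet(rootPrivileges);
  }



  /**
   * Creates a new privilege with the provided name.
   *
   * @param privilegeName The human-readable name for this privilege.
   */
  private Privilege(String privilegeName)
  {
    this.privilegeName = privilegeName;
  }



  /**
   * Retrieves the name for this privilege.
   *
   * @return The name for this privilege.
   */
  public String getName()
  {
    return privilegeName;
  }



  /**
   * Retrieves the privilege with the specified name.
   *
   * @param lowerPrivName The name of the privilege to retrieve,
   *                      formatted in all lowercase characters.
   *                      The lookup is exact: no case folding or
   *                      trimming is applied.
   *
   * @return The requested privilege, or {@code null} if the provided
   *         value is {@code null} or is not the name of a valid
   *         privilege.
   */
  public static Privilege privilegeForName(String lowerPrivName)
  {
    return PRIV_MAP.get(lowerPrivName);
  }



  /**
   * Retrieves the human-readable name for this privilege.
   *
   * @return The human-readable name for this privilege.
   */
  @Override
  public String toString()
  {
    return privilegeName;
  }



  /**
   * Retrieves the set of available privilege names.
   *
   * @return An unmodifiable set of the available privilege names.
   */
  public static Set<String> getPrivilegeNames()
  {
    return PRIV_NAMES;
  }



  /**
   * Retrieves the set of privileges that should be automatically
   * granted to root users if the root privilege set is not specified
   * in the configuration.
   *
   * @return An unmodifiable set of privileges that should be
   *         automatically granted to root users if the root privilege
   *         set is not specified in the configuration.
   */
  public static Set<Privilege> getDefaultRootPrivileges()
  {
    return DEFAULT_ROOT_PRIV_SET;
  }
}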