001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
010 * or http://forgerock.org/license/CDDLv1.0.html.
011 * See the License for the specific language governing permissions
012 * and limitations under the License.
013 *
014 * When distributing Covered Code, include this CDDL HEADER in each
015 * file and include the License file at legal-notices/CDDLv1_0.txt.
016 * If applicable, add the following below this CDDL HEADER, with the
017 * fields enclosed by brackets "[]" replaced with your own identifying
018 * information:
019 *      Portions Copyright [yyyy] [name of copyright owner]
020 *
021 * CDDL HEADER END
022 *
023 *
024 *      Copyright 2008-2010 Sun Microsystems, Inc.
025 *      Portions Copyright 2014-2015 ForgeRock AS
026 */
027package org.opends.server.types;
028
029import java.util.HashMap;
030import java.util.HashSet;
031import java.util.Map;
032import java.util.Set;
033
034/**
035 * This class implements an enumeration that defines the set of
036 * privileges available in the Directory Server.
037 */
038@org.opends.server.types.PublicAPI(
039     stability=org.opends.server.types.StabilityLevel.UNCOMMITTED,
040     mayInstantiate=false,
041     mayExtend=false,
042     mayInvoke=true)
043public enum Privilege
044{
045  /**
046   * The privilege that provides the ability to bypass access control
047   * evaluation.
048   */
049  BYPASS_ACL("bypass-acl"),
050
051
052
053  /**
054   * The privilege that provides the ability to bypass server
055   * lockdown mode.
056   */
057  BYPASS_LOCKDOWN("bypass-lockdown"),
058
059
060
061  /**
062   * The privilege that provides the ability to modify access control
063   * rules.
064   */
065  MODIFY_ACL("modify-acl"),
066
067
068
069  /**
070   * The privilege that provides the ability to read the server
071   * configuration.
072   */
073  CONFIG_READ("config-read"),
074
075
076
077  /**
078   * The privilege that provides the ability to update the server
079   * configuration.
080   */
081  CONFIG_WRITE("config-write"),
082
083
084
085  /**
086   * The privilege that provides the ability to perform read
087   * operations via JMX.
088   */
089  JMX_READ("jmx-read"),
090
091
092
093  /**
094   * The privilege that provides the ability to perform write
095   * operations via JMX.
096   */
097  JMX_WRITE("jmx-write"),
098
099
100
101  /**
102   * The privilege that provides the ability to subscribe to JMX
103   * notifications.
104   */
105  JMX_NOTIFY("jmx-notify"),
106
107
108
109  /**
110   * The privilege that provides the ability to perform LDIF import
111   * operations.
112   */
113  LDIF_IMPORT("ldif-import"),
114
115
116
117  /**
118   * The privilege that provides the ability to perform LDIF export
119   * operations.
120   */
121  LDIF_EXPORT("ldif-export"),
122
123
124
125  /**
126   * The privilege that provides the ability to perform backend backup
127   * operations.
128   */
129  BACKEND_BACKUP("backend-backup"),
130
131
132
133  /**
134   * The privilege that provides the ability to perform backend
135   * restore operations.
136   */
137  BACKEND_RESTORE("backend-restore"),
138
139
140
141  /**
142   * The privilege that provides the ability to lockdown a server.
143   */
144  SERVER_LOCKDOWN("server-lockdown"),
145
146
147
148  /**
149   * The privilege that provides the ability to request a server
150   * shutdown.
151   */
152  SERVER_SHUTDOWN("server-shutdown"),
153
154
155
156  /**
157   * The privilege that provides the ability to request a server
158   * restart.
159   */
160  SERVER_RESTART("server-restart"),
161
162
163
164  /**
165   * The privilege that provides the ability to perform proxied
166   * authorization or request an alternate authorization identity.
167   */
168  PROXIED_AUTH("proxied-auth"),
169
170
171
172  /**
173   * The privilege that provides the ability to terminate arbitrary
174   * client connections.
175   */
176  DISCONNECT_CLIENT("disconnect-client"),
177
178
179
180  /**
181   * The privilege that provides the ability to cancel arbitrary
182   * client requests.
183   */
184  CANCEL_REQUEST("cancel-request"),
185
186
187
188  /**
189   * The privilege that provides the ability to reset user passwords.
190   */
191  PASSWORD_RESET("password-reset"),
192
193
194
195  /**
196   * The privilege that provides the ability to participate in a
197   * data synchronization environment.
198   */
199  DATA_SYNC("data-sync"),
200
201
202
203  /**
204   * The privilege that provides the ability to update the server
205   * schema.
206   */
207  UPDATE_SCHEMA("update-schema"),
208
209
210
211  /**
212   * The privilege that provides the ability to change the set of
213   * privileges for a user, or to change the set of privileges
214   * automatically assigned to a root user.
215   */
216  PRIVILEGE_CHANGE("privilege-change"),
217
218
219
220  /**
221   * The privilege that provides the ability to perform an unindexed
222   * search in the JE backend.
223   */
224  UNINDEXED_SEARCH("unindexed-search"),
225
226
227
228  /**
229   * The privilege that provides the ability to perform write
230   * operations on LDAP subentries.
231   */
232  SUBENTRY_WRITE("subentry-write"),
233
234
235
236  /**
237   * The privilege that provides the ability to perform read
238   * operations on the changelog.
239   */
240  CHANGELOG_READ("changelog-read");
241
242
243  /** A map that will be used to hold a mapping between privilege names and enum values. */
244  private static final Map<String, Privilege> PRIV_MAP = new HashMap<>();
245
246  /**
247   * The set of privileges that will be automatically assigned to root
248   * users if the root privilege set is not specified in the configuration.
249   */
250  private static final Set<Privilege> DEFAULT_ROOT_PRIV_SET = new HashSet<>();
251
252
253  /** The human-readable name for this privilege. */
254  private final String privilegeName;
255
256
257
258  static
259  {
260    for (Privilege privilege : Privilege.values())
261    {
262      PRIV_MAP.put(privilege.privilegeName, privilege);
263    }
264
265    DEFAULT_ROOT_PRIV_SET.add(BYPASS_ACL);
266    DEFAULT_ROOT_PRIV_SET.add(BYPASS_LOCKDOWN);
267    DEFAULT_ROOT_PRIV_SET.add(MODIFY_ACL);
268    DEFAULT_ROOT_PRIV_SET.add(CONFIG_READ);
269    DEFAULT_ROOT_PRIV_SET.add(CONFIG_WRITE);
270    DEFAULT_ROOT_PRIV_SET.add(LDIF_IMPORT);
271    DEFAULT_ROOT_PRIV_SET.add(LDIF_EXPORT);
272    DEFAULT_ROOT_PRIV_SET.add(BACKEND_BACKUP);
273    DEFAULT_ROOT_PRIV_SET.add(BACKEND_RESTORE);
274    DEFAULT_ROOT_PRIV_SET.add(SERVER_LOCKDOWN);
275    DEFAULT_ROOT_PRIV_SET.add(SERVER_SHUTDOWN);
276    DEFAULT_ROOT_PRIV_SET.add(SERVER_RESTART);
277    DEFAULT_ROOT_PRIV_SET.add(DISCONNECT_CLIENT);
278    DEFAULT_ROOT_PRIV_SET.add(CANCEL_REQUEST);
279    DEFAULT_ROOT_PRIV_SET.add(PASSWORD_RESET);
280    DEFAULT_ROOT_PRIV_SET.add(UPDATE_SCHEMA);
281    DEFAULT_ROOT_PRIV_SET.add(PRIVILEGE_CHANGE);
282    DEFAULT_ROOT_PRIV_SET.add(UNINDEXED_SEARCH);
283    DEFAULT_ROOT_PRIV_SET.add(SUBENTRY_WRITE);
284    DEFAULT_ROOT_PRIV_SET.add(CHANGELOG_READ);
285  }
286
287
288
289  /**
290   * Creates a new privilege with the provided name.
291   *
292   * @param  privilegeName  The human-readable name for this policy.
293   */
294  private Privilege(String privilegeName)
295  {
296    this.privilegeName = privilegeName;
297  }
298
299
300
301  /**
302   * Retrieves the name for this privilege.
303   *
304   * @return  The name for this privilege.
305   */
306  public String getName()
307  {
308    return privilegeName;
309  }
310
311
312
313  /**
314   * Retrieves the privilege with the specified name.
315   *
316   * @param  lowerPrivName  The name of the privilege to retrieve,
317   *                        formatted in all lowercase characters.
318   *
319   * @return  The requested privilege, or {@code null} if the provided
320   *          value is not the name of a valid privilege.
321   */
322  public static Privilege privilegeForName(String lowerPrivName)
323  {
324    return PRIV_MAP.get(lowerPrivName);
325  }
326
327
328
329  /**
330   * Retrieves the human-readable name for this privilege.
331   *
332   * @return  The human-readable name for this privilege.
333   */
334  @Override
335  public String toString()
336  {
337    return privilegeName;
338  }
339
340
341
342  /**
343   * Retrieves the set of available privilege names.
344   *
345   * @return  The set of available privilege names.
346   */
347  public static Set<String> getPrivilegeNames()
348  {
349    return PRIV_MAP.keySet();
350  }
351
352
353
354  /**
355   * Retrieves the set of privileges that should be automatically
356   * granted to root users if the root privilege set is not specified
357   * in the configuration.
358   *
359   * @return  The set of privileges that should be automatically
360   *          granted to root users if the root privilege set is not
361   *          specified in the configuration.
362   */
363  public static Set<Privilege> getDefaultRootPrivileges()
364  {
365    return DEFAULT_ROOT_PRIV_SET;
366  }
367}
368