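--- a/java/com.sap.sailing.landscape/src/com/sap/sailing/landscape/impl/LandscapeServiceImpl.java
+++ b/java/com.sap.sailing.landscape/src/com/sap/sailing/landscape/impl/LandscapeServiceImpl.java
@@ -183,7 +183,7 @@ public class LandscapeServiceImpl implements LandscapeService {
 newSharedMasterInstance ? optionalMemoryTotalSizeFactorOrNull : null, optionalIgtimiRiotPort, region, release);
 final String bearerTokenUsedByReplicas = getEffectiveBearerToken(replicaReplicationBearerToken);
 final InboundReplicationConfiguration inboundMasterReplicationConfiguration = masterConfigurationBuilder.getInboundReplicationConfiguration().get();
-establishServerGroupAndTryToMakeCurrentUserItsOwnerAndMember(name, bearerTokenUsedByReplicas,
+establishServerAndServerGroupAndTryToMakeCurrentUserItsOwnerAndMember(name, bearerTokenUsedByReplicas,
 inboundMasterReplicationConfiguration.getMasterHostname(), inboundMasterReplicationConfiguration.getMasterHttpPort());
 final com.sap.sailing.landscape.procedures.StartSailingAnalyticsMasterHost.Builder<?, String> masterHostBuilder = StartSailingAnalyticsMasterHost.masterHostBuilder(masterConfigurationBuilder);
 masterHostBuilder
@@ -255,7 +255,7 @@ public class LandscapeServiceImpl implements LandscapeService {
 null, optionalIgtimiRiotPort, region, release);
 final String bearerTokenUsedByReplicas = getEffectiveBearerToken(replicaReplicationBearerToken);
 final InboundReplicationConfiguration inboundMasterReplicationConfiguration = masterConfigurationBuilder.getInboundReplicationConfiguration().get();
-establishServerGroupAndTryToMakeCurrentUserItsOwnerAndMember(replicaSetName, bearerTokenUsedByReplicas,
+establishServerAndServerGroupAndTryToMakeCurrentUserItsOwnerAndMember(replicaSetName, bearerTokenUsedByReplicas,
 inboundMasterReplicationConfiguration.getMasterHostname(), inboundMasterReplicationConfiguration.getMasterHttpPort());
 final com.sap.sailing.landscape.procedures.StartSailingAnalyticsMasterHost.Builder<?, String> masterHostBuilder = StartSailingAnalyticsMasterHost.masterHostBuilder(masterConfigurationBuilder);
 masterHostBuilder
@@ -404,7 +404,7 @@ public class LandscapeServiceImpl implements LandscapeService {
 optionalIgtimiRiotPort, region, release);
 final InboundReplicationConfiguration inboundMasterReplicationConfiguration = masterConfigurationBuilder.getInboundReplicationConfiguration().get();
 final String bearerTokenUsedByReplicas = getEffectiveBearerToken(replicaReplicationBearerToken);
-establishServerGroupAndTryToMakeCurrentUserItsOwnerAndMember(replicaSetName, bearerTokenUsedByReplicas,
+establishServerAndServerGroupAndTryToMakeCurrentUserItsOwnerAndMember(replicaSetName, bearerTokenUsedByReplicas,
 inboundMasterReplicationConfiguration.getMasterHostname(), inboundMasterReplicationConfiguration.getMasterHttpPort());
 final SailingAnalyticsProcess<String> master = deployProcessToSharedInstance(hostToDeployTo,
 masterConfigurationBuilder, optionalKeyName, privateKeyEncryptionPassphrase);
@@ -857,7 +857,7 @@ public class LandscapeServiceImpl implements LandscapeService {
 : SailingReleaseRepository.INSTANCE.getRelease(releaseNameOrNullForLatestMaster);
 }
 
-private void establishServerGroupAndTryToMakeCurrentUserItsOwnerAndMember(String serverName,
+private void establishServerAndServerGroupAndTryToMakeCurrentUserItsOwnerAndMember(String serverName,
 String bearerTokenUsedByReplicas, String securityServiceHostname,
 Integer securityServicePort)
 throws MalformedURLException, ClientProtocolException, IOException, ParseException, IllegalAccessException {
@@ -867,6 +867,7 @@ public class LandscapeServiceImpl implements LandscapeService {
 RemoteServerUtil.getBaseServerUrl(securityServiceHostname, securityServicePort==null?443:securityServicePort), bearerTokenUsedByReplicas);
 final UUID userGroupId = securityServiceServer.getUserGroupIdByName(serverGroupName);
 final UUID groupId;
+final String securityServiceServerUsername = securityServiceServer.getUsername();
 if (userGroupId != null) {
 groupId = userGroupId;
 final TypeRelativeObjectIdentifier serverGroupTypeRelativeObjectId = new TypeRelativeObjectIdentifier(userGroupId.toString());
@@ -881,7 +882,7 @@ public class LandscapeServiceImpl implements LandscapeService {
 SecuredSecurityTypes.SERVER.getPermissionForTypeRelativeIdentifier(DefaultActions.DELETE, serverGroupTypeRelativeObjectId)));
 for (final Pair<WildcardPermission, Boolean> permission : permissions) {
 if (!permission.getB()) {
-final String msg = "Subject "+securityServiceServer.getUsername()+" on server "+securityServiceHostname+
+final String msg = "Subject "+securityServiceServerUsername+" on server "+securityServiceHostname+
 " is not allowed "+permission.getA()+". Not allowing to create application replica set for "+serverName;
 logger.warning(msg);
 throw new AuthorizationException(msg);
@@ -893,12 +894,12 @@ public class LandscapeServiceImpl implements LandscapeService {
 } else {
 groupId = securityServiceServer.createUserGroupAndAddCurrentUser(serverGroupName);
 try {
-securityServiceServer.addRoleToUser(ServerAdminRole.getInstance().getId(), securityServiceServer.getUsername(),
+securityServiceServer.addRoleToUser(ServerAdminRole.getInstance().getId(), securityServiceServerUsername,
 /* qualified for server group: */ groupId, null, /* transitive */ true);
 } catch (Exception e) {
 // this didn't work, but it's not the end of the world if we cannot grant the requesting user the
 // event_manager:{group-name} role; the user may end up not having SERVER:CREATE_OBJECT...
-logger.warning("Couldn't grant role "+ServerAdminRole.getInstance().getName()+" to user "+securityServiceServer.getUsername()+": "+e.getMessage());
+logger.warning("Couldn't grant role "+ServerAdminRole.getInstance().getName()+" to user "+securityServiceServerUsername+": "+e.getMessage());
 }
 try {
 // try to set the group owner of the new group to the group itself, allowing all users with role user:{group-name} to
@@ -913,6 +914,14 @@ public class LandscapeServiceImpl implements LandscapeService {
 }
 }
 ensureGroupMembersCanReadGroup(securityServiceServer, groupId);
+final TypeRelativeObjectIdentifier serverTypeRelativeObjectId = new TypeRelativeObjectIdentifier(serverName);
+final Pair<UUID, String> serverOwningGroupIdAndUsername = securityServiceServer.getGroupAndUserOwner(SecuredSecurityTypes.SERVER, serverTypeRelativeObjectId);
+if (serverOwningGroupIdAndUsername == null || serverOwningGroupIdAndUsername.getA() == null && serverOwningGroupIdAndUsername.getB() == null) {
+logger.info("Setting ownership for SERVER object "+serverName+" to group "+serverGroupName+" and user "+securityServiceServerUsername);
+securityServiceServer.setGroupAndUserOwner(SecuredSecurityTypes.SERVER, serverTypeRelativeObjectId,
+Optional.of(SecuredSecurityTypes.SERVER.getName()+"/"+serverName),
+Optional.of(groupId), Optional.of(securityServiceServerUsername));
+}
 }
 
 private void ensureGroupMembersCanReadGroup(SailingServer securityServiceServer, UUID groupId) throws ClientProtocolException, IOException, ParseException {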
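Review bot: The ownership branch added at the end of establishServerAndServerGroupAndTryToMakeCurrentUserItsOwnerAndMember silently does nothing when the SERVER object for serverName already has an owning group or user, so a replica set created into a name that another group already owns will be governed by that group's ownership without any trace in the log; the earlier permission checks in this method only cover the server *group* object, not the SERVER object itself. The `||`/`&&` mix on the `if` also relies on precedence that reads as ambiguous, so I would parenthesize it and add an else branch: `if (serverOwningGroupIdAndUsername == null || (serverOwningGroupIdAndUsername.getA() == null && serverOwningGroupIdAndUsername.getB() == null)) {` … `} else { logger.warning("SERVER object "+serverName+" is already owned by group "+serverOwningGroupIdAndUsername.getA()+" and user "+serverOwningGroupIdAndUsername.getB()+"; leaving ownership unchanged"); }`. Whether an existing foreign ownership should instead be rejected, as the missing-permission case above is, depends on the intended semantics and is worth a comment on the branch either way. The method begins in the `@@ -857` hunk and its body between the hunks is not visible here.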