Package com.tailf.dp

Interface DpAuthorizationCallback

All Known Implementing Classes:
AuthorizationCallbackProxy

public interface DpAuthorizationCallback
We can register two authorization callbacks with ConfD's AAA subsystem. These will be invoked when the northbound agents check that a command or a data access is allowed by the AAA access rules. The callbacks can partially or completely replace the access checks done within the AAA subsystem, and they may accept or reject the access. Typically many access checks are done during the processing of commands etc., and using these callbacks can thus have a significant performance impact. Unless it is a requirement to query an external authorization mechanism, it is far better to only configure access rules in the AAA data model (see the AAA chapter in the User Guide). The callbacks will only be invoked if they are registered using Dp.registerAnnotatedCallbacks() and enabled via /confdConfig/aaa/authenticationCallback/enabled in confd.conf or /ncs-config/aaa/authentication-callback/enabled in ncs.conf respectively.
  • Field Details

  • Method Details

    • mask

      int mask()
      Mask of flags for each method that is supported by this callback:
    • checkCommandAccess

      AuthorizationResult checkCommandAccess(DpAuthorizationContext context, String[] commandTokens, AuthorizationOperCheck operation) throws DpCallbackException
      This callback is invoked for command authorization, i.e. it corresponds to the rules under /aaa/authorization/cmdrules in the AAA data model. commandTokens is a String array of tokens representing the command to be checked, corresponding to the command leaf in the cmdrule list. The operation parameter gives the operation, corresponding to the ops leaf in the cmdrule list.
      Parameters:
      context - the authorization context
      commandTokens - the command represented as an array of string tokens
      operation - AuthorizationOperCheck describing the operation type
      Returns:
      AuthorizationResult
      Throws:
      DpCallbackException
    • checkDataAccess

      Parameters:
      context - the authorization context
      kp - the data element represented by an array of ConfObject
      operation - AuthorizationOperCheck describing the operation type
      how - checking state INTERMEDIATE or FINAL
      Returns:
      AuthorizationResult
      Throws:
      DpCallbackException
    • commandFilter

      This method can be used to prevent access checks from causing invocation of a checkCommandAccess callback even though it is registered. If we do not want any filtering, this method should either not be registered or return null. For the checkCommandAccess callback, the values INTERMEDIATE and FINAL do not carry any meaning.
      Returns:
      EnumSet of AuthorizationOperCheck values
    • dataFilter

      This method can be used to prevent access checks from causing invocation of a checkDataAccess callback even though it is registered. If we do not want any filtering, this method should either not be registered or return null.
      Returns:
      EnumSet of AuthorizationOperCheck values