Package com.tailf.dp

Interface DpAuthorizationCallback

All Known Implementing Classes:
AuthorizationCallbackProxy

public interface DpAuthorizationCallback
We can register two authorization callbacks with ConfD's AAA subsystem. These will be invoked when the northbound agents check that a command or a data access is allowed by the AAA access rules. The callbacks can partially or completely replace the access checks done within the AAA subsystem, and they may accept or reject the access. Typically many access checks are done during the processing of commands, etc., so using these callbacks can have a significant performance impact. Unless it is a requirement to query an external authorization mechanism, it is far better to only configure access rules in the AAA data model (see the AAA chapter in the User Guide). The callbacks will only be invoked if they are registered using Dp.registerAnnotatedCallbacks() and enabled via /confdConfig/aaa/authenticationCallback/enabled in confd.conf or /ncs-config/aaa/authentication-callback/enabled in ncs.conf respectively.
  • Field Details

  • Method Details

    • mask

      int mask()
      Mask of flags for each method that is supported by this callback:
      Returns:
      bitmask indicating which callback methods are supported
    • checkCommandAccess

      AuthorizationResult checkCommandAccess(DpAuthorizationContext context, String[] commandTokens, AuthorizationOperCheck operation) throws DpCallbackException
      This callback is invoked for command authorization, i.e. it corresponds to the rules under /nacm/rule-list in the NACM data model. commandTokens is a String array of tokens representing the command to be checked, corresponding to the command leaf in the cmdrule list. The operation parameter gives the operation, corresponding to the ops leaf in the cmdrule list.
      Parameters:
      context - the authorization context
      commandTokens - command represented as a string of tokens
      operation - AuthorizationOperCheck describing the operation type
      Returns:
      AuthorizationResult the command access result
      Throws:
      DpCallbackException - if an error occurs during the callback
    • checkDataAccess

      This callback is invoked for data authorization, i.e. it corresponds to the rules under /nacm/rule-list in the NACM data model. The keypath parameter gives the data element path corresponding to the keypath leaf in the datarule list, and the operation parameter gives the operation type. The how parameter indicates whether the check is an intermediate or final check.
      Parameters:
      context - the authorization context
      kp - the data element represented by an array of ConfObject
      operation - AuthorizationOperCheck describing the operation type
      how - checking state INTERMEDIATE or FINAL
      Returns:
      AuthorizationResult the data access result
      Throws:
      DpCallbackException - if an error occurs during the callback
    • commandFilter

      This method can be used to prevent access checks from causing invocation of a checkCommandAccess callback even though it is registered. If we do not want any filtering, this method should not be registered or should return null. For the checkCommandAccess callback, the values INTERMEDIATE and FINAL do not carry any meaning.
      Returns:
      EnumSet of AuthorizationOperCheck values
    • dataFilter

      This method can be used to prevent access checks from causing invocation of a checkDataAccess callback even though it is registered. If we do not want any filtering, this method should not be registered or should return null.
      Returns:
      EnumSet of AuthorizationOperCheck values
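
The class description warns that many access checks are done per command and that querying an external authorization mechanism is costly. The following is an added sketch, not code from the ConfD/NCS API or this page, of decision logic that could sit behind checkCommandAccess: a short-lived cache in front of the external lookup, a cache key that keeps token boundaries, and rejection when the backend fails. The `Result` enum, the `backend` predicate, the operation strings, and the sample users and commands are stand-ins constructed for this example (Java 16+ for `record`).

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.BiPredicate;

public class CommandAuthzSketch {
    enum Result { ACCEPT, REJECT }             // stand-in, NOT com.tailf.dp.AuthorizationResult
    record Entry(Result result, long expiresAtMs) {}

    private final BiPredicate<String, String[]> backend;  // hypothetical external authorizer
    private final long ttlMs;
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    final AtomicInteger backendCalls = new AtomicInteger(); // only to show the effect of caching

    CommandAuthzSketch(BiPredicate<String, String[]> backend, long ttlMs) {
        this.backend = backend;
        this.ttlMs = ttlMs;
    }

    // Plays the role of checkCommandAccess(context, commandTokens, operation).
    Result check(String user, String[] commandTokens, String operation, long nowMs) {
        // NUL-join so {"show", "a b"} and {"show a", "b"} never share a cache key.
        String key = user + '\0' + operation + '\0' + String.join("\0", commandTokens);
        Entry hit = cache.get(key);
        if (hit != null && nowMs < hit.expiresAtMs()) return hit.result();
        try {
            backendCalls.incrementAndGet();
            Result r = backend.test(user, commandTokens) ? Result.ACCEPT : Result.REJECT;
            cache.put(key, new Entry(r, nowMs + ttlMs));  // bounded lifetime limits stale grants
            return r;
        } catch (RuntimeException e) {
            return Result.REJECT;              // backend outage: fail closed, and do not cache it
        }
    }

    public static void main(String[] args) {
        // Constructed policy: user "oper" may only run commands whose first token is "show".
        CommandAuthzSketch authz = new CommandAuthzSketch(
            (user, tokens) -> user.equals("oper") && tokens.length > 0 && tokens[0].equals("show"),
            5_000);
        String[] show = {"show", "running-config"};
        String[] restart = {"request", "system", "restart"};
        System.out.println(authz.check("oper", show, "read", 0));        // backend queried
        System.out.println(authz.check("oper", show, "read", 1_000));    // served from cache
        System.out.println(authz.check("oper", restart, "exec", 1_000)); // different key, backend queried
        System.out.println(authz.check("oper", show, "read", 6_000));    // entry expired, backend queried
        System.out.println("backend calls: " + authz.backendCalls.get());
    }
}
```

The cache lifetime is the window during which a revoked permission can still be honoured, so it should be chosen against how quickly revocations must take effect.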