hudson.security
Class AuthorizationStrategy

java.lang.Object
  hudson.model.AbstractDescribableImpl<AuthorizationStrategy>
      hudson.security.AuthorizationStrategy

All Implemented Interfaces:

ExtensionPoint, Describable<AuthorizationStrategy>

Direct Known Subclasses:

AuthorizationStrategy.Unsecured, FullControlOnceLoggedInAuthorizationStrategy, GlobalMatrixAuthorizationStrategy

public abstract class AuthorizationStrategy
extends AbstractDescribableImpl<AuthorizationStrategy>
implements ExtensionPoint

Controls authorization throughout Hudson.

Persistence

This object will be persisted along with Hudson object. Hudson by itself won't put the ACL returned from getRootACL() into the serialized object graph, so if that object contains state and needs to be persisted, it's the responsibility of AuthorizationStrategy to do so (by keeping them in an instance field.)

Re-configuration

The corresponding Describable instance will be asked to create a new AuthorizationStrategy every time the system configuration is updated. Implementations that keep more state in ACL beyond the system configuration should use Hudson.getAuthorizationStrategy() to talk to the current instance to carry over the state.

Author:

Kohsuke Kawaguchi

See Also:

SecurityRealm

Nested Class Summary

static class

AuthorizationStrategy.Unsecured

Nested classes/interfaces inherited from interface hudson.ExtensionPoint

ExtensionPoint.LegacyInstancesAreScopedToHudson

Field Summary

static DescriptorList<AuthorizationStrategy>	LIST Deprecated. since 1.286 Use all() for read access, and Extension for registration.
static AuthorizationStrategy	UNSECURED AuthorizationStrategy that implements the semantics of unsecured Hudson where everyone has full control.

Constructor Summary

AuthorizationStrategy()

Method Summary

static DescriptorExtensionList<AuthorizationStrategy,Descriptor<AuthorizationStrategy>>	all() Returns all the registered AuthorizationStrategy descriptors.
ACL	getACL(AbstractItem item) Implementation can choose to provide different ACL for different items.
ACL	getACL(AbstractProject<?,?> project) Deprecated. since 1.277 Override getACL(Job) instead.
ACL	getACL(Cloud cloud) Implementation can choose to provide different ACL for different Clouds.
ACL	getACL(Computer computer) Implementation can choose to provide different ACL for different computers.
ACL	getACL(Job<?,?> project)
ACL	getACL(Node node)
ACL	getACL(User user) Implementation can choose to provide different ACL per user.
ACL	getACL(View item) Implementation can choose to provide different ACL for different views.
abstract Collection<String>	getGroups() Returns the list of all group/role names used in this authorization strategy, and the ACL returned from the getRootACL() method.
abstract ACL	getRootACL() Returns the instance of ACL where all the other ACL instances for all the other model objects eventually delegate.

Methods inherited from class hudson.model.AbstractDescribableImpl

getDescriptor

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LIST

public static final DescriptorList<AuthorizationStrategy> LIST

Deprecated. since 1.286 Use all() for read access, and Extension for registration.

All registered SecurityRealm implementations.

UNSECURED

public static final AuthorizationStrategy UNSECURED

AuthorizationStrategy that implements the semantics of unsecured Hudson where everyone has full control.

This singleton is safe because AuthorizationStrategy.Unsecured is stateless.

Constructor Detail

AuthorizationStrategy

public AuthorizationStrategy()

Method Detail

getRootACL

public abstract ACL getRootACL()

Returns the instance of ACL where all the other ACL instances for all the other model objects eventually delegate.

IOW, this ACL will have the ultimate say on the access control.

getACL

@Deprecated
public ACL getACL(AbstractProject<?,?> project)

Deprecated. since 1.277 Override getACL(Job) instead.

getACL

public ACL getACL(Job<?,?> project)

getACL

public ACL getACL(View item)

Implementation can choose to provide different ACL for different views. This can be used as a basis for more fine-grained access control.

The default implementation returns the ACL of the ViewGroup.

Since:

1.220

getACL

public ACL getACL(AbstractItem item)

Implementation can choose to provide different ACL for different items. This can be used as a basis for more fine-grained access control.

The default implementation returns getRootACL().

Since:

1.220

getACL

public ACL getACL(User user)

Implementation can choose to provide different ACL per user. This can be used as a basis for more fine-grained access control.

The default implementation returns getRootACL().

Since:

1.221

getACL

public ACL getACL(Computer computer)

Implementation can choose to provide different ACL for different computers. This can be used as a basis for more fine-grained access control.

The default implementation delegates to getACL(Node)

Since:

1.220

getACL

public ACL getACL(Cloud cloud)

Implementation can choose to provide different ACL for different Clouds. This can be used as a basis for more fine-grained access control.

The default implementation returns getRootACL().

Since:

1.252

getACL

public ACL getACL(Node node)

getGroups

public abstract Collection<String> getGroups()

Returns the list of all group/role names used in this authorization strategy, and the ACL returned from the getRootACL() method.

This method is used by ContainerAuthentication to work around the servlet API issue that prevents us from enumerating roles that the user has.

If such enumeration is impossible, do the best to list as many as possible, then return it. In the worst case, just return an empty list. Doing so would prevent users from using role names as group names (see HUDSON-2716 for such one such report.)

Returns:

never null.

all

public static DescriptorExtensionList<AuthorizationStrategy,Descriptor<AuthorizationStrategy>> all()

Returns all the registered AuthorizationStrategy descriptors.