ONOS-1767 SM-ONOS implementation

22a363e ONOS-17767 SM-ONOS impl Change-Id: Ifca8129f2266bada68af735cf81a1d39f1ec8506

ONOS-1767 SM-ONOS implementation
22a363e ONOS-17767 SM-ONOS impl Change-Id: Ifca8129f2266bada68af735cf81a1d39f1ec8506
Changhoon Yoon · Gerrit Code Review
Commit b856b813b5a42f07fc1092781cf0f13e24ea41c0 b856b813 1 parent f28207bd
Showing 66 changed files with 978 additions and 780 deletions
cli/src/main/java/org/onosproject/cli/security/PermissionCommand.java
cli/src/main/java/org/onosproject/cli/security/PermissionApplicationNameCompleter.java → cli/src/main/java/org/onosproject/cli/security/ReviewApplicationNameCompleter.java
cli/src/main/java/org/onosproject/cli/security/ReviewCommand.java
cli/src/main/resources/OSGI-INF/blueprint/shell-config.xml
core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java
core/api/src/main/java/org/onosproject/app/ApplicationDescription.java
core/api/src/main/java/org/onosproject/app/ApplicationService.java
core/api/src/main/java/org/onosproject/app/ApplicationStore.java
core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java
core/api/src/main/java/org/onosproject/core/Application.java
core/api/src/main/java/org/onosproject/core/ApplicationRole.java
core/api/src/main/java/org/onosproject/core/DefaultApplication.java
core/api/src/main/java/org/onosproject/core/Permission.java
core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
core/api/src/main/java/org/onosproject/security/AppGuard.java
core/api/src/main/java/org/onosproject/security/AppPermission.java
core/api/src/main/java/org/onosproject/security/Permission.java
core/api/src/main/java/org/onosproject/security/SecurityAdminService.java
core/api/src/main/java/org/onosproject/security/SecurityUtil.java
core/api/src/test/java/org/onosproject/app/ApplicationAdminServiceAdapter.java
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionCommand.java deleted 100644 → 0
View file @f28207b
+++ b/cli/src/main/java/org/onosproject/cli/security/PermissionCommand.java deleted 100644 → 0
View file @f28207b
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onosproject.cli.security;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import org.apache.karaf.shell.commands.Argument;
-import org.apache.karaf.shell.commands.Command;
-import org.onosproject.app.ApplicationAdminService;
-import org.onosproject.cli.AbstractShellCommand;
-import org.onosproject.core.Application;
-import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
-
-import java.util.Set;
-import java.util.stream.Collectors;
-
-/**
- * Manages application permissions.
- */
-@Command(scope = "onos", name = "perm",
-        description = "Manages application permissions")
-public class PermissionCommand extends AbstractShellCommand {
-
-    static final String ADD = "add";
-    static final String REMOVE = "remove";
-    static final String LIST = "list";
-    static final String CLEAR = "clear";
-
-
-    @Argument(index = 0, name = "command",
-            description = "Command name (add|remove)",
-            required = true, multiValued = false)
-    String command = null;
-
-    @Argument(index = 1, name = "name", description = "Application name",
-            required = true, multiValued = false)
-    String name = null;
-
-    @Argument(index = 2, name = "permissions", description = "List of permissions",
-            required = false, multiValued = true)
-    String[] permissions = null;
-
-    @Override
-    protected void execute() {
-        ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
-        Set<Permission> newPermSet = Sets.newHashSet();
-        if (command.equals(ADD)) {
-            ApplicationId appId = applicationAdminService.getId(name);
-            if (appId == null) {
-                print("No such application: %s", name);
-                return;
-            }
-            Application app = applicationAdminService.getApplication(appId);
-
-            for (String perm : permissions) {
-                try {
-                    Permission permission = Permission.valueOf(perm);
-                    newPermSet.add(permission);
-                } catch (IllegalArgumentException e) {
-                    print("%s is not a valid permission.", perm);
-                    return;
-                }
-
-            }
-            Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
-            if (oldPermSet != null) {
-                newPermSet.addAll(oldPermSet);
-            } else {
-                newPermSet.addAll(app.permissions());
-            }
-            applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
-
-        } else if (command.equals(REMOVE)) {
-            ApplicationId appId = applicationAdminService.getId(name);
-            Application app = applicationAdminService.getApplication(appId);
-            if (appId == null) {
-                print("No such application: %s", name);
-                return;
-            }
-            Set<Permission> oldPermSet = applicationAdminService.getPermissions(appId);
-            if (oldPermSet == null) {
-                oldPermSet = app.permissions();
-            }
-            Set<String> clearPermSet = Sets.newHashSet(permissions);
-            newPermSet.addAll(oldPermSet.stream().filter(
-                    perm -> !clearPermSet.contains(perm.name().toUpperCase())).collect(Collectors.toList()));
-            applicationAdminService.setPermissions(appId, ImmutableSet.copyOf(newPermSet));
-        } else if (command.equals(CLEAR)) {
-            ApplicationId appId = applicationAdminService.getId(name);
-            if (appId == null) {
-                print("No such application: %s", name);
-                return;
-            }
-            applicationAdminService.setPermissions(appId, ImmutableSet.of());
-            print("Cleared the permission list of %s.", appId.name());
-        } else if (command.equals(LIST)) {
-            ApplicationId appId = applicationAdminService.getId(name);
-            if (appId == null) {
-                print("No such application: %s", name);
-                return;
-            }
-            Application app = applicationAdminService.getApplication(appId);
-            Set<Permission> userPermissions = applicationAdminService.getPermissions(appId);
-            Set<Permission> defaultPermissions = app.permissions();
-            print("Application Role");
-            print("\trole=%s", app.role().name());
-
-            if (defaultPermissions != null) {
-                if (!defaultPermissions.isEmpty()) {
-                    print("Default permissions (specified in app.xml)");
-                    for (Permission perm : defaultPermissions) {
-                        print("\tpermission=%s", perm.name());
-                    }
-                } else {
-                    print("(No default permissions specified in app.xml)");
-                }
-            }
-            if (userPermissions != null) {
-                if (!userPermissions.isEmpty()) {
-                    print("User permissions");
-                    for (Permission perm : userPermissions) {
-                        print("\tpermission=%s", perm.name());
-                    }
-                } else {
-                    print("(User has removed all the permissions");
-                }
-            }
-
-        }
-    }
-}
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionApplicationNameCompleter.java → cli/src/main/java/org/onosproject/cli/security/ReviewApplicationNameCompleter.java
View file @b856b81
+++ b/cli/src/main/java/org/onosproject/cli/security/PermissionApplicationNameCompleter.java → cli/src/main/java/org/onosproject/cli/security/ReviewApplicationNameCompleter.java
View file @b856b81
@@ -18,6 +18,7 @@ package org.onosproject.cli.security;
 import org.apache.karaf.shell.console.completer.StringsCompleter;
 import org.onosproject.app.ApplicationService;
+import org.onosproject.app.ApplicationState;
 import org.onosproject.cli.AbstractCompleter;
 import org.onosproject.core.Application;
@@ -25,27 +26,33 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.SortedSet;
+import static org.onosproject.app.ApplicationState.INSTALLED;
 import static org.onosproject.cli.AbstractShellCommand.get;
 /**
- * Application name completer for permission command.
+ * Application name completer for security review command.
  */
-public class PermissionApplicationNameCompleter extends AbstractCompleter {
+public class ReviewApplicationNameCompleter extends AbstractCompleter {
     @Override
     public int complete(String buffer, int cursor, List<String> candidates) {
         // Delegate string completer
         StringsCompleter delegate = new StringsCompleter();
-        // Fetch our service and feed it's offerings to the string completer
         ApplicationService service = get(ApplicationService.class);
         Iterator<Application> it = service.getApplications().iterator();
         SortedSet<String> strings = delegate.getStrings();
         while (it.hasNext()) {
             Application app = it.next();
-            strings.add(app.id().name());
+            ApplicationState state = service.getState(app.id());
+//            if (previousApps.contains(app.id().name())) {
+//                continue;
+//            }
+            if (state == INSTALLED) {
+                strings.add(app.id().name());
+            }
         }
         // Now let the completer do the work for figuring out what to offer.
         return delegate.complete(buffer, cursor, candidates);
     }
-}
+}
\ No newline at end of file
--- a/cli/src/main/java/org/onosproject/cli/security/ReviewCommand.java 0 → 100644
View file @b856b81
+++ b/cli/src/main/java/org/onosproject/cli/security/ReviewCommand.java 0 → 100644
View file @b856b81
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.cli.security;
+
+import org.apache.karaf.shell.commands.Argument;
+import org.apache.karaf.shell.commands.Command;
+import org.onosproject.app.ApplicationAdminService;
+import org.onosproject.cli.AbstractShellCommand;
+import org.onosproject.core.Application;
+import org.onosproject.core.ApplicationId;
+import org.onosproject.security.SecurityAdminService;
+import org.onosproject.security.SecurityUtil;
+
+import java.security.Permission;
+import java.util.List;
+import java.util.Map;
+
+
+/**
+ * Application security policy review commands.
+ */
+@Command(scope = "onos", name = "review",
+        description = "Application security policy review interface")
+public class ReviewCommand extends AbstractShellCommand {
+
+    @Argument(index = 0, name = "name", description = "Application name",
+            required = true, multiValued = false)
+    String name = null;
+
+    @Argument(index = 1, name = "accept", description = "Option to accept policy",
+            required = false, multiValued = false)
+    String accept = null;
+
+    @Override
+    protected void execute() {
+        ApplicationAdminService applicationAdminService = get(ApplicationAdminService.class);
+        ApplicationId appId = applicationAdminService.getId(name);
+        if (appId == null) {
+            print("No such application: %s", name);
+            return;
+        }
+        Application app = applicationAdminService.getApplication(appId);
+        SecurityAdminService smService = SecurityUtil.getSecurityService();
+        if (smService == null) {
+            print("Security Mode is disabled");
+            return;
+        }
+        if (accept == null) {
+            smService.review(appId);
+            printPolicy(smService, app);
+        } else if (accept.trim().equals("accept")) {
+            smService.acceptPolicy(appId);
+            printPolicy(smService, app);
+        } else {
+            print("Unknown command");
+        }
+    }
+
+    private void printPolicy(SecurityAdminService smService, Application app) {
+        print("\n*******************************");
+        print("       SM-ONOS APP REVIEW      ");
+        print("*******************************");
+
+        print("Application name: %s ", app.id().name());
+        print("Application role: " + app.role());
+        print("\nDeveloper specified permissions: ");
+        printMap(smService.getPrintableSpecifiedPermissions(app.id()));
+        print("\nPermissions granted: ");
+        printMap(smService.getPrintableGrantedPermissions(app.id()));
+        print("\nAdditional permissions requested on runtime (POLICY VIOLATIONS): ");
+        printMap(smService.getPrintableRequestedPermissions(app.id()));
+        print("");
+
+    }
+    private void printMap(Map<Integer, List<Permission>> assortedMap) {
+        for (Integer type : assortedMap.keySet()) {
+            switch (type) {
+                case 0:
+                    for (Permission perm: assortedMap.get(0)) {
+                        print("\t[APP PERMISSION] " + perm.getName());
+                    }
+                    break;
+                case 1:
+                    for (Permission perm: assortedMap.get(1)) {
+                        print("\t[NB-ADMIN SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
+                    }
+                    break;
+                case 2:
+                    for (Permission perm: assortedMap.get(2)) {
+                        print("\t[NB SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
+                    }
+                    break;
+                case 3:
+                    for (Permission perm: assortedMap.get(3)) {
+                        print("\t[Other SERVICE] " + perm.getName() + "(" + perm.getActions() + ")");
+                    }
+                    break;
+                case 4:
+                    for (Permission perm: assortedMap.get(4)) {
+                        print("\t[Other] " + perm.getClass().getSimpleName() +
+                                " " + perm.getName() + " (" + perm.getActions() + ")");
+                    }
+                default:
+                    break;
+            }
+        }
+    }
+}
--- a/cli/src/main/resources/OSGI-INF/blueprint/shell-config.xml
View file @b856b81
+++ b/cli/src/main/resources/OSGI-INF/blueprint/shell-config.xml
View file @b856b81
@@ -21,11 +21,9 @@
         </command>
         <command>
-            <action class="org.onosproject.cli.security.PermissionCommand"/>
+            <action class="org.onosproject.cli.security.ReviewCommand"/>
             <completers>
-                <ref component-id="permCommandCompleter"/>
+                <ref component-id="reviewAppNameCompleter"/>
-                <ref component-id="permAppNameCompleter"/>
-                <ref component-id="permNameCompleter"/>
             </completers>
         </command>
@@ -435,9 +433,7 @@
         </command>
     </command-bundle>
-    <bean id="permAppNameCompleter" class="org.onosproject.cli.security.PermissionApplicationNameCompleter"/>
+    <bean id="reviewAppNameCompleter" class="org.onosproject.cli.security.ReviewApplicationNameCompleter"/>
-    <bean id="permCommandCompleter" class="org.onosproject.cli.security.PermissionCommandCompleter"/>
-    <bean id="permNameCompleter" class="org.onosproject.cli.security.PermissionNameCompleter"/>
     <bean id="appCommandCompleter" class="org.onosproject.cli.app.ApplicationCommandCompleter"/>
     <bean id="appNameCompleter" class="org.onosproject.cli.app.ApplicationNameCompleter"/>
     <bean id="allAppNameCompleter" class="org.onosproject.cli.app.AllApplicationNamesCompleter"/>
--- a/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationAdminService.java
View file @b856b81
@@ -17,7 +17,7 @@ package org.onosproject.app;
 import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
 import java.io.InputStream;
 import java.util.Set;
--- a/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationDescription.java
View file @b856b81
@@ -16,8 +16,8 @@
 package org.onosproject.app;
 import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
 import org.onosproject.core.Version;
+import org.onosproject.security.Permission;
 import java.net.URI;
 import java.util.List;
--- a/core/api/src/main/java/org/onosproject/app/ApplicationService.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationService.java
View file @b856b81
@@ -17,8 +17,8 @@ package org.onosproject.app;
 import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
 import org.onosproject.event.ListenerService;
+import org.onosproject.security.Permission;
 import java.util.Set;
--- a/core/api/src/main/java/org/onosproject/app/ApplicationStore.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/app/ApplicationStore.java
View file @b856b81
@@ -17,7 +17,7 @@ package org.onosproject.app;
 import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
 import org.onosproject.store.Store;
 import java.io.InputStream;
--- a/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/app/DefaultApplicationDescription.java
View file @b856b81
@@ -16,8 +16,8 @@
 package org.onosproject.app;
 import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
 import org.onosproject.core.Version;
+import org.onosproject.security.Permission;
 import java.net.URI;
 import java.util.List;
--- a/core/api/src/main/java/org/onosproject/core/Application.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/core/Application.java
View file @b856b81
@@ -15,6 +15,8 @@
  */
 package org.onosproject.core;
+import org.onosproject.security.Permission;
+
 import java.net.URI;
 import java.util.List;
 import java.util.Optional;
--- a/core/api/src/main/java/org/onosproject/core/ApplicationRole.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/core/ApplicationRole.java
View file @b856b81
@@ -23,9 +23,9 @@ public enum ApplicationRole {
     ADMIN,
     /**
-     * Indicates that an application has a REGULAR role.
+     * Indicates that an application has a USER role.
      */
-    REGULAR,
+    USER,
     /**
      * Indicates that an application role has not been specified.
--- a/core/api/src/main/java/org/onosproject/core/DefaultApplication.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/core/DefaultApplication.java
View file @b856b81
@@ -15,6 +15,8 @@
  */
 package org.onosproject.core;
+import org.onosproject.security.Permission;
+
 import java.net.URI;
 import java.util.Set;
 import java.util.Optional;
--- a/core/api/src/main/java/org/onosproject/core/Permission.java deleted 100644 → 0
View file @f28207b
+++ b/core/api/src/main/java/org/onosproject/core/Permission.java deleted 100644 → 0
View file @f28207b
-/*
- * Copyright 2015 Open Networking Laboratory
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.onosproject.core;
-
-/**
- * Representation of an application permission.
- */
-public enum Permission {
-    APP_READ,
-    APP_EVENT,
-    CONFIG_READ,
-    CONFIG_WRITE,
-    CLUSTER_READ,
-    CLUSTER_WRITE,
-    CLUSTER_EVENT,
-    DEVICE_READ,
-    DEVICE_EVENT,
-    DRIVER_READ,
-    DRIVER_WRITE,
-    FLOWRULE_READ,
-    FLOWRULE_WRITE,
-    FLOWRULE_EVENT,
-    GROUP_READ,
-    GROUP_WRITE,
-    GROUP_EVENT,
-    HOST_READ,
-    HOST_WRITE,
-    HOST_EVENT,
-    INTENT_READ,
-    INTENT_WRITE,
-    INTENT_EVENT,
-    LINK_READ,
-    LINK_WRITE,
-    LINK_EVENT,
-    PACKET_READ,
-    PACKET_WRITE,
-    PACKET_EVENT,
-    STATISTIC_READ,
-    TOPOLOGY_READ,
-    TOPOLOGY_EVENT,
-    TUNNEL_READ,
-    TUNNEL_WRITE,
-    TUNNEL_EVENT,
-    STORAGE_WRITE
-}
--- a/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/net/packet/DefaultPacketContext.java
View file @b856b81
@@ -15,7 +15,6 @@
  */
 package org.onosproject.net.packet;
-import org.onosproject.core.Permission;
 import org.onosproject.net.flow.DefaultTrafficTreatment;
 import org.onosproject.net.flow.TrafficTreatment;
 import org.onosproject.net.flow.TrafficTreatment.Builder;
@@ -23,7 +22,7 @@ import org.onosproject.net.flow.TrafficTreatment.Builder;
 import java.util.concurrent.atomic.AtomicBoolean;
 import static org.onosproject.security.AppGuard.checkPermission;
-
+import static org.onosproject.security.AppPermission.Type.*;
 /**
  * Default implementation of a packet context.
@@ -57,29 +56,25 @@ public abstract class DefaultPacketContext implements PacketContext {
     @Override
     public long time() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
-
         return time;
     }
     @Override
     public InboundPacket inPacket() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
-
         return inPkt;
     }
     @Override
     public OutboundPacket outPacket() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
-
         return outPkt;
     }
     @Override
     public Builder treatmentBuilder() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
-
         return builder;
     }
@@ -88,15 +83,13 @@ public abstract class DefaultPacketContext implements PacketContext {
     @Override
     public boolean block() {
-        checkPermission(Permission.PACKET_WRITE);
+        checkPermission(PACKET_WRITE);
-
         return this.block.getAndSet(true);
     }
     @Override
     public boolean isHandled() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
-
         return this.block.get();
     }
 }
\ No newline at end of file
--- a/core/api/src/main/java/org/onosproject/security/AppGuard.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/security/AppGuard.java
View file @b856b81
@@ -16,7 +16,6 @@
 package org.onosproject.security;
-import org.onosproject.core.Permission;
 /**
  * Aids SM-ONOS to perform API-level permission checking.
@@ -30,10 +29,10 @@ public final class AppGuard {
      * Checks if the caller has the required permission only when security-mode is enabled.
      * @param permission permission to be checked
      */
-    public static void checkPermission(Permission permission) {
+    public static void checkPermission(AppPermission.Type permission) {
         SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            System.getSecurityManager().checkPermission(new AppPermission(permission.name()));
+            System.getSecurityManager().checkPermission(new AppPermission(permission));
         }
     }
 }
--- a/core/api/src/main/java/org/onosproject/security/AppPermission.java
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/security/AppPermission.java
View file @b856b81
@@ -23,12 +23,57 @@ import java.security.BasicPermission;
  */
 public class AppPermission extends BasicPermission {
+    public enum Type {
+        APP_READ,
+        APP_EVENT,
+        CONFIG_READ,
+        CONFIG_WRITE,
+        CLUSTER_READ,
+        CLUSTER_WRITE,
+        CLUSTER_EVENT,
+        DEVICE_READ,
+        DEVICE_EVENT,
+        DRIVER_READ,
+        DRIVER_WRITE,
+        FLOWRULE_READ,
+        FLOWRULE_WRITE,
+        FLOWRULE_EVENT,
+        GROUP_READ,
+        GROUP_WRITE,
+        GROUP_EVENT,
+        HOST_READ,
+        HOST_WRITE,
+        HOST_EVENT,
+        INTENT_READ,
+        INTENT_WRITE,
+        INTENT_EVENT,
+        LINK_READ,
+        LINK_WRITE,
+        LINK_EVENT,
+        PACKET_READ,
+        PACKET_WRITE,
+        PACKET_EVENT,
+        STATISTIC_READ,
+        TOPOLOGY_READ,
+        TOPOLOGY_EVENT,
+        TUNNEL_READ,
+        TUNNEL_WRITE,
+        TUNNEL_EVENT,
+        STORAGE_WRITE
+    }
+
+    protected Type type;
     /**
      * Creates new application permission using the supplied data.
      * @param name permission name
      */
     public AppPermission(String name) {
         super(name.toUpperCase(), "");
+        try {
+            type = Type.valueOf(name);
+        } catch (IllegalArgumentException e) {
+            type = null;
+        }
     }
     /**
@@ -38,6 +83,28 @@ public class AppPermission extends BasicPermission {
      */
     public AppPermission(String name, String actions) {
         super(name.toUpperCase(), actions);
+        try {
+            type = Type.valueOf(name);
+        } catch (IllegalArgumentException e) {
+            type = null;
+        }
+    }
+
+    /**
+     * Crates new application permission using the supplied data.
+     * @param type permission type
+     */
+    public AppPermission(Type type) {
+        super(type.name(), "");
+        this.type = type;
+    }
+
+    /**
+     * Returns type of permission.
+     * @return application permission type
+     */
+    public Type getType() {
+        return this.type;
     }
 }
--- a/core/api/src/main/java/org/onosproject/security/Permission.java 0 → 100644
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/security/Permission.java 0 → 100644
View file @b856b81
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+public class Permission {
+
+    protected String classname;
+    protected String name;
+    protected String actions;
+
+    public Permission(String classname, String name, String actions) {
+        this.classname = classname;
+        this.name = name;
+        if (actions == null) {
+            this.actions = "";
+        } else {
+            this.actions = actions;
+        }
+    }
+
+    public Permission(String classname, String name) {
+        this.classname = classname;
+        this.name = name;
+        this.actions = "";
+    }
+
+    public String getClassName() {
+       return classname;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public String getActions() {
+        return actions;
+    }
+
+    @Override
+    public int hashCode() {
+        return 0;
+    }
+
+    @Override
+    public boolean equals(Object thatPerm) {
+        if (this == thatPerm) {
+            return true;
+        }
+
+        if (!(thatPerm instanceof Permission)) {
+            return false;
+        }
+
+        Permission that = (Permission) thatPerm;
+        return (this.classname.equals(that.classname)) && (this.name.equals(that.name))
+                && (this.actions.equals(that.actions));
+    }
+
+    @Override
+    public String toString() {
+        return String.format("(%s, %s, %s)", classname, name, actions);
+    }
+}
--- a/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java 0 → 100644
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/security/SecurityAdminService.java 0 → 100644
View file @b856b81
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import org.onosproject.core.ApplicationId;
+
+import java.security.Permission;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Security-Mode ONOS service.
+ */
+public interface SecurityAdminService {
+
+    /**
+     * Returns true if security policy has been enforced to specified application.
+     * @param appId application identifier
+     * @return true if secured.
+     */
+    boolean isSecured(ApplicationId appId);
+
+    /**
+     * Changes SecurityModeState of specified application to REVIEWED.
+     * @param appId application identifier
+     */
+    void review(ApplicationId appId);
+
+    /**
+     * Accepts and enforces security policy to specified application.
+     * @param appId application identifier
+     */
+    void acceptPolicy(ApplicationId appId);
+
+    /**
+     * Register application to SM-ONOS subsystem.
+     * @param appId application identifier
+     */
+    void register(ApplicationId appId);
+
+    /**
+     * Returns sorted developer specified permission Map.
+     * @param appId application identifier
+     * @return Map of list of permissions sorted by permission type
+     */
+    Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId);
+
+    /**
+     * Returns sorted granted permission Map.
+     * @param appId application identifier
+     * @return Map of list of permissions sorted by permission type
+     */
+    Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId);
+
+    /**
+     * Returns sorted requested permission Map.
+     * @param appId application identifier
+     * @return Map of list of permissions sorted by permission type
+     */
+    Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId);
+
+
+}
--- a/core/api/src/main/java/org/onosproject/security/SecurityUtil.java 0 → 100644
View file @b856b81
+++ b/core/api/src/main/java/org/onosproject/security/SecurityUtil.java 0 → 100644
View file @b856b81
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security;
+
+import org.onlab.osgi.DefaultServiceDirectory;
+import org.onlab.osgi.ServiceDirectory;
+import org.onlab.osgi.ServiceNotFoundException;
+import org.onosproject.core.ApplicationId;
+
+/**
+ * Utility class to aid Security-Mode ONOS.
+ */
+public final class SecurityUtil {
+
+    protected static ServiceDirectory serviceDirectory = new DefaultServiceDirectory();
+
+    private SecurityUtil() {
+    }
+
+    public static boolean isSecurityModeEnabled() {
+        if (System.getSecurityManager() != null) {
+            try {
+                SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
+                if (securityService != null) {
+                    return true;
+                }
+            } catch (ServiceNotFoundException e) {
+                return false;
+            }
+        }
+        return false;
+    }
+
+    public static SecurityAdminService getSecurityService() {
+        if (System.getSecurityManager() != null) {
+            try {
+                SecurityAdminService securityService = serviceDirectory.get(SecurityAdminService.class);
+                if (securityService != null) {
+                    return securityService;
+                }
+            } catch (ServiceNotFoundException e) {
+                return null;
+            }
+        }
+        return null;
+    }
+
+    public static boolean isAppSecured(ApplicationId appId) {
+        SecurityAdminService service = getSecurityService();
+        if (service != null) {
+            if (!service.isSecured(appId)) {
+                System.out.println("\n*******************************");
+                System.out.println("      SM-ONOS APP WARNING      ");
+                System.out.println("*******************************");
+                System.out.println(appId.name() + " has not been secured.");
+                System.out.println("Please review before activating.");
+                return false;
+            }
+        }
+        return true;
+    }
+    public static void register(ApplicationId appId) {
+        SecurityAdminService service = getSecurityService();
+        if (service != null) {
+            service.register(appId);
+        }
+    }
+}
--- a/core/api/src/test/java/org/onosproject/app/ApplicationAdminServiceAdapter.java
View file @b856b81
+++ b/core/api/src/test/java/org/onosproject/app/ApplicationAdminServiceAdapter.java
View file @b856b81
@@ -17,7 +17,7 @@ package org.onosproject.app;
 import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
 import java.io.InputStream;
 import java.util.Set;
--- a/core/api/src/test/java/org/onosproject/app/ApplicationServiceAdapter.java
View file @b856b81
+++ b/core/api/src/test/java/org/onosproject/app/ApplicationServiceAdapter.java
View file @b856b81
@@ -17,7 +17,7 @@ package org.onosproject.app;
 import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
 import java.util.Set;
--- a/core/api/src/test/java/org/onosproject/app/ApplicationStoreAdapter.java
View file @b856b81
+++ b/core/api/src/test/java/org/onosproject/app/ApplicationStoreAdapter.java
View file @b856b81
@@ -17,7 +17,7 @@ package org.onosproject.app;
 import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
 import org.onosproject.store.AbstractStore;
 import java.io.InputStream;
--- a/core/api/src/test/java/org/onosproject/app/DefaultApplicationDescriptionTest.java
View file @b856b81
+++ b/core/api/src/test/java/org/onosproject/app/DefaultApplicationDescriptionTest.java
View file @b856b81
@@ -19,8 +19,9 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import org.junit.Test;
 import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
 import org.onosproject.core.Version;
+import org.onosproject.security.AppPermission;
+import org.onosproject.security.Permission;
 import java.net.URI;
 import java.util.List;
@@ -40,7 +41,9 @@ public class DefaultApplicationDescriptionTest {
     public static final String DESC = "Awesome application from Circus, Inc.";
     public static final String ORIGIN = "Circus";
     public static final ApplicationRole ROLE = ApplicationRole.ADMIN;
-    public static final Set<Permission> PERMS = ImmutableSet.of(Permission.FLOWRULE_WRITE, Permission.FLOWRULE_READ);
+    public static final Set<Permission> PERMS = ImmutableSet.of(
+                            new Permission(AppPermission.class.getName(), "FLOWRULE_WRITE"),
+                            new Permission(AppPermission.class.getName(), "FLOWRULE_READ"));
     public static final URI FURL = URI.create("mvn:org.foo-features/1.2a/xml/features");
     public static final List<String> FEATURES = ImmutableList.of("foo", "bar");
--- a/core/common/pom.xml
View file @b856b81
+++ b/core/common/pom.xml
View file @b856b81
@@ -33,6 +33,10 @@
     <dependencies>
         <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+        </dependency>
+        <dependency>
             <groupId>org.onosproject</groupId>
             <artifactId>onos-api</artifactId>
         </dependency>
--- a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
View file @b856b81
+++ b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
View file @b856b81
@@ -20,6 +20,7 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.io.ByteStreams;
 import com.google.common.io.Files;
 import org.apache.commons.configuration.ConfigurationException;
+import org.apache.commons.configuration.HierarchicalConfiguration;
 import org.apache.commons.configuration.XMLConfiguration;
 import org.onlab.util.Tools;
 import org.onosproject.app.ApplicationDescription;
@@ -28,9 +29,11 @@ import org.onosproject.app.ApplicationException;
 import org.onosproject.app.ApplicationStoreDelegate;
 import org.onosproject.app.DefaultApplicationDescription;
 import org.onosproject.core.ApplicationRole;
-import org.onosproject.core.Permission;
 import org.onosproject.core.Version;
+import org.onosproject.security.AppPermission;
+import org.onosproject.security.Permission;
 import org.onosproject.store.AbstractStore;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -79,7 +82,9 @@ public class ApplicationArchive
     private static final String DESCRIPTION = "description";
     private static final String ROLE = "security.role";
-    private static final String PERMISSIONS = "security.permissions.permission";
+    private static final String APP_PERMISSIONS = "security.permissions.app-perm";
+    private static final String NET_PERMISSIONS = "security.permissions.net-perm";
+    private static final String JAVA_PERMISSIONS = "security.permissions.java-perm";
     private static final String OAR = ".oar";
     private static final String APP_XML = "app.xml";
@@ -386,13 +391,25 @@ public class ApplicationArchive
     // Returns the set of Permissions specified in the app.xml file
     private ImmutableSet<Permission> getPermissions(XMLConfiguration cfg) {
         List<Permission> permissionList = new ArrayList();
-        for (Object o : cfg.getList(PERMISSIONS)) {
+
+        for (Object o : cfg.getList(APP_PERMISSIONS)) {
             String name = (String) o;
-            try {
+            permissionList.add(new Permission(AppPermission.class.getName(), name));
-                Permission perm = Permission.valueOf(name);
+        }
-                permissionList.add(perm);
+        for (Object o : cfg.getList(NET_PERMISSIONS)) {
-            } catch (IllegalArgumentException e) {
+            //TODO: TO BE FLESHED OUT WHEN NETWORK PERMISSIONS ARE SUPPORTED
-                log.debug("Unknown permission specified: %s", name);
+            break;
+        }
+
+        List<HierarchicalConfiguration> fields =
+                cfg.configurationsAt(JAVA_PERMISSIONS);
+        for (HierarchicalConfiguration sub : fields) {
+            String classname = sub.getString("classname");
+            String name = sub.getString("name");
+            String actions = sub.getString("actions");
+
+            if (classname != null && name != null) {
+                permissionList.add(new Permission(classname, name, actions));
             }
         }
         return ImmutableSet.copyOf(permissionList);
--- a/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStore.java
View file @b856b81
+++ b/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStore.java
View file @b856b81
@@ -31,7 +31,7 @@ import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
 import org.onosproject.core.ApplicationIdStore;
 import org.onosproject.core.DefaultApplication;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
 import org.slf4j.Logger;
 import java.io.InputStream;
--- a/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStoreTest.java
View file @b856b81
+++ b/core/common/src/test/java/org/onosproject/store/trivial/SimpleApplicationStoreTest.java
View file @b856b81
@@ -28,7 +28,8 @@ import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
 import org.onosproject.core.ApplicationIdStoreAdapter;
 import org.onosproject.core.DefaultApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.AppPermission;
+import org.onosproject.security.Permission;
 import java.io.File;
 import java.io.IOException;
@@ -114,7 +115,8 @@ public class SimpleApplicationStoreTest {
     @Test
     public void permissions() {
         Application app = createTestApp();
-        ImmutableSet<Permission> permissions = ImmutableSet.of(Permission.FLOWRULE_WRITE);
+        ImmutableSet<Permission> permissions =
+                ImmutableSet.of(new Permission(AppPermission.class.getName(), "FLOWRULE_WRITE"));
         store.setPermissions(app.id(), permissions);
         assertEquals("incorrect app perms", 1, store.getPermissions(app.id()).size());
         assertEquals("incorrect app state", INSTALLED, store.getState(app.id()));
--- a/core/common/src/test/resources/org/onosproject/common/app/app.xml
View file @b856b81
+++ b/core/common/src/test/resources/org/onosproject/common/app/app.xml
View file @b856b81
-<?xml version="1.0" encoding="UTF-8"?>
 <!--
   ~ Copyright 2015 Open Networking Laboratory
   ~
@@ -21,8 +20,10 @@
     <security>
         <role>ADMIN</role>
         <permissions>
-            <permission>FLOWRULE_WRITE</permission>
+            <app-perm>FLOWRULE_WRITE</app-perm>
-            <permission>FLOWRULE_READ</permission>
+            <app-perm>FLOWRULE_READ</app-perm>
         </permissions>
+
     </security>
+
 </app>
--- a/core/common/src/test/resources/org/onosproject/common/app/app.zip
View file @b856b81
+++ b/core/common/src/test/resources/org/onosproject/common/app/app.zip
View file @b856b81
--- a/core/net/src/main/java/org/onosproject/app/impl/ApplicationManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/app/impl/ApplicationManager.java
View file @b856b81
@@ -33,7 +33,8 @@ import org.onosproject.app.ApplicationStoreDelegate;
 import org.onosproject.event.AbstractListenerManager;
 import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
+import org.onosproject.security.SecurityUtil;
 import org.slf4j.Logger;
 import java.io.InputStream;
@@ -41,6 +42,7 @@ import java.util.Set;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static org.onosproject.app.ApplicationEvent.Type.*;
+import static org.onosproject.security.AppPermission.Type.*;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
@@ -87,34 +89,34 @@ public class ApplicationManager
     @Override
     public Set<Application> getApplications() {
-        checkPermission(Permission.APP_READ);
+        checkPermission(APP_READ);
         return store.getApplications();
     }
     @Override
     public ApplicationId getId(String name) {
-        checkPermission(Permission.APP_READ);
+        checkPermission(APP_READ);
         checkNotNull(name, "Name cannot be null");
         return store.getId(name);
     }
     @Override
     public Application getApplication(ApplicationId appId) {
-        checkPermission(Permission.APP_READ);
+        checkPermission(APP_READ);
         checkNotNull(appId, APP_ID_NULL);
         return store.getApplication(appId);
     }
     @Override
     public ApplicationState getState(ApplicationId appId) {
-        checkPermission(Permission.APP_READ);
+        checkPermission(APP_READ);
         checkNotNull(appId, APP_ID_NULL);
         return store.getState(appId);
     }
     @Override
     public Set<Permission> getPermissions(ApplicationId appId) {
-        checkPermission(Permission.APP_READ);
+        checkPermission(APP_READ);
         checkNotNull(appId, APP_ID_NULL);
         return store.getPermissions(appId);
     }
@@ -122,7 +124,9 @@ public class ApplicationManager
     @Override
     public Application install(InputStream appDescStream) {
         checkNotNull(appDescStream, "Application archive stream cannot be null");
-        return store.create(appDescStream);
+        Application app = store.create(appDescStream);
+        SecurityUtil.register(app.id());
+        return app;
     }
     @Override
@@ -138,6 +142,9 @@ public class ApplicationManager
     @Override
     public void activate(ApplicationId appId) {
         checkNotNull(appId, APP_ID_NULL);
+        if (!SecurityUtil.isAppSecured(appId)) {
+            return;
+        }
         store.activate(appId);
     }
--- a/core/net/src/main/java/org/onosproject/cfg/impl/ComponentConfigManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/cfg/impl/ComponentConfigManager.java
View file @b856b81
@@ -31,7 +31,6 @@ import org.onosproject.cfg.ComponentConfigService;
 import org.onosproject.cfg.ComponentConfigStore;
 import org.onosproject.cfg.ComponentConfigStoreDelegate;
 import org.onosproject.cfg.ConfigProperty;
-import org.onosproject.core.Permission;
 import org.osgi.service.cm.Configuration;
 import org.osgi.service.cm.ConfigurationAdmin;
 import org.slf4j.Logger;
@@ -50,6 +49,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
 /**
@@ -99,14 +99,14 @@ public class ComponentConfigManager implements ComponentConfigService {
     @Override
     public Set<String> getComponentNames() {
-        checkPermission(Permission.CONFIG_READ);
+        checkPermission(CONFIG_READ);
         return ImmutableSet.copyOf(properties.keySet());
     }
     @Override
     public void registerProperties(Class<?> componentClass) {
-        checkPermission(Permission.CONFIG_WRITE);
+        checkPermission(CONFIG_WRITE);
         String componentName = componentClass.getName();
         String resourceName = componentClass.getSimpleName() + RESOURCE_EXT;
@@ -130,7 +130,7 @@ public class ComponentConfigManager implements ComponentConfigService {
     @Override
     public void unregisterProperties(Class<?> componentClass, boolean clear) {
-        checkPermission(Permission.CONFIG_WRITE);
+        checkPermission(CONFIG_WRITE);
         String componentName = componentClass.getName();
         checkNotNull(componentName, COMPONENT_NULL);
@@ -148,7 +148,7 @@ public class ComponentConfigManager implements ComponentConfigService {
     @Override
     public Set<ConfigProperty> getProperties(String componentName) {
-        checkPermission(Permission.CONFIG_READ);
+        checkPermission(CONFIG_READ);
         Map<String, ConfigProperty> map = properties.get(componentName);
         return map != null ? ImmutableSet.copyOf(map.values()) : null;
@@ -156,7 +156,7 @@ public class ComponentConfigManager implements ComponentConfigService {
     @Override
     public void setProperty(String componentName, String name, String value) {
-        checkPermission(Permission.CONFIG_WRITE);
+        checkPermission(CONFIG_WRITE);
         checkNotNull(componentName, COMPONENT_NULL);
         checkNotNull(name, PROPERTY_NULL);
@@ -165,7 +165,7 @@ public class ComponentConfigManager implements ComponentConfigService {
     @Override
     public void unsetProperty(String componentName, String name) {
-        checkPermission(Permission.CONFIG_WRITE);
+        checkPermission(CONFIG_WRITE);
         checkNotNull(componentName, COMPONENT_NULL);
         checkNotNull(name, PROPERTY_NULL);
--- a/core/net/src/main/java/org/onosproject/cluster/impl/ClusterManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/cluster/impl/ClusterManager.java
View file @b856b81
@@ -34,7 +34,6 @@ import org.onosproject.cluster.ClusterStoreDelegate;
 import org.onosproject.cluster.ControllerNode;
 import org.onosproject.cluster.NodeId;
 import org.onosproject.event.AbstractListenerManager;
-import org.onosproject.core.Permission;
 import org.slf4j.Logger;
 import java.util.Set;
@@ -43,6 +42,8 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
 /**
@@ -86,26 +87,26 @@ public class ClusterManager
     @Override
     public ControllerNode getLocalNode() {
-        checkPermission(Permission.CLUSTER_READ);
+        checkPermission(CLUSTER_READ);
         return store.getLocalNode();
     }
     @Override
     public Set<ControllerNode> getNodes() {
-        checkPermission(Permission.CLUSTER_READ);
+        checkPermission(CLUSTER_READ);
         return store.getNodes();
     }
     @Override
     public ControllerNode getNode(NodeId nodeId) {
-        checkPermission(Permission.CLUSTER_READ);
+        checkPermission(CLUSTER_READ);
         checkNotNull(nodeId, INSTANCE_ID_NULL);
         return store.getNode(nodeId);
     }
     @Override
     public ControllerNode.State getState(NodeId nodeId) {
-        checkPermission(Permission.CLUSTER_READ);
+        checkPermission(CLUSTER_READ);
         checkNotNull(nodeId, INSTANCE_ID_NULL);
         return store.getState(nodeId);
     }
@@ -113,7 +114,7 @@ public class ClusterManager
     @Override
     public DateTime getLastUpdated(NodeId nodeId) {
-        checkPermission(Permission.CLUSTER_READ);
+        checkPermission(CLUSTER_READ);
         return store.getLastUpdated(nodeId);
     }
--- a/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/cluster/impl/MastershipManager.java
View file @b856b81
@@ -32,7 +32,6 @@ import org.onosproject.cluster.NodeId;
 import org.onosproject.cluster.RoleInfo;
 import org.onosproject.event.AbstractListenerManager;
 import org.onosproject.core.MetricsHelper;
-import org.onosproject.core.Permission;
 import org.onosproject.mastership.MastershipAdminService;
 import org.onosproject.mastership.MastershipEvent;
 import org.onosproject.mastership.MastershipListener;
@@ -62,6 +61,8 @@ import static org.onosproject.cluster.ControllerNode.State.ACTIVE;
 import static org.onosproject.net.MastershipRole.MASTER;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
 @Component(immediate = true)
@@ -136,7 +137,7 @@ public class MastershipManager
     @Override
     public MastershipRole getLocalRole(DeviceId deviceId) {
-        checkPermission(Permission.CLUSTER_READ);
+        checkPermission(CLUSTER_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.getRole(clusterService.getLocalNode().id(), deviceId);
@@ -144,7 +145,7 @@ public class MastershipManager
     @Override
     public CompletableFuture<Void> relinquishMastership(DeviceId deviceId) {
-        checkPermission(Permission.CLUSTER_WRITE);
+        checkPermission(CLUSTER_WRITE);
         return store.relinquishRole(localNodeId, deviceId)
                     .thenAccept(this::post)
                     .thenApply(v -> null);
@@ -152,7 +153,7 @@ public class MastershipManager
     @Override
     public CompletableFuture<MastershipRole> requestRoleFor(DeviceId deviceId) {
-        checkPermission(Permission.CLUSTER_WRITE);
+        checkPermission(CLUSTER_WRITE);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         final Context timer = startTimer(requestRoleTimer);
@@ -162,7 +163,7 @@ public class MastershipManager
     @Override
     public NodeId getMasterFor(DeviceId deviceId) {
-        checkPermission(Permission.CLUSTER_READ);
+        checkPermission(CLUSTER_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.getMaster(deviceId);
@@ -170,7 +171,7 @@ public class MastershipManager
     @Override
     public Set<DeviceId> getDevicesOf(NodeId nodeId) {
-        checkPermission(Permission.CLUSTER_READ);
+        checkPermission(CLUSTER_READ);
         checkNotNull(nodeId, NODE_ID_NULL);
         return store.getDevices(nodeId);
@@ -178,7 +179,7 @@ public class MastershipManager
     @Override
     public RoleInfo getNodesFor(DeviceId deviceId) {
-        checkPermission(Permission.CLUSTER_READ);
+        checkPermission(CLUSTER_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.getNodes(deviceId);
--- a/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/core/impl/CoreManager.java
View file @b856b81
@@ -31,7 +31,6 @@ import org.onosproject.core.ApplicationIdStore;
 import org.onosproject.core.CoreService;
 import org.onosproject.core.IdBlockStore;
 import org.onosproject.core.IdGenerator;
-import org.onosproject.core.Permission;
 import org.onosproject.core.Version;
 import org.onosproject.event.EventDeliveryService;
 import org.osgi.service.component.ComponentContext;
@@ -46,6 +45,8 @@ import java.util.Set;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
+
 /**
@@ -100,28 +101,28 @@ public class CoreManager implements CoreService {
     @Override
     public Version version() {
-        checkPermission(Permission.APP_READ);
+        checkPermission(APP_READ);
         return version;
     }
     @Override
     public Set<ApplicationId> getAppIds() {
-        checkPermission(Permission.APP_READ);
+        checkPermission(APP_READ);
         return applicationIdStore.getAppIds();
     }
     @Override
     public ApplicationId getAppId(Short id) {
-        checkPermission(Permission.APP_READ);
+        checkPermission(APP_READ);
         return applicationIdStore.getAppId(id);
     }
     @Override
     public ApplicationId getAppId(String name) {
-        checkPermission(Permission.APP_READ);
+        checkPermission(APP_READ);
         return applicationIdStore.getAppId(name);
     }
--- a/core/net/src/main/java/org/onosproject/net/device/impl/DeviceManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/device/impl/DeviceManager.java
View file @b856b81
@@ -27,7 +27,6 @@ import org.apache.felix.scr.annotations.Service;
 import org.onosproject.cluster.ClusterService;
 import org.onosproject.cluster.NodeId;
 import org.onosproject.net.provider.AbstractListenerProviderRegistry;
-import org.onosproject.core.Permission;
 import org.onosproject.net.config.NetworkConfigEvent;
 import org.onosproject.net.config.NetworkConfigListener;
 import org.onosproject.net.config.NetworkConfigService;
@@ -77,6 +76,7 @@ import static org.onlab.util.Tools.groupedThreads;
 import static org.onosproject.net.MastershipRole.*;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
 /**
@@ -151,60 +151,60 @@ public class DeviceManager
     @Override
     public int getDeviceCount() {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         return store.getDeviceCount();
     }
     @Override
     public Iterable<Device> getDevices() {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         return store.getDevices();
     }
     @Override
     public Iterable<Device> getAvailableDevices() {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         return store.getAvailableDevices();
     }
     @Override
     public Device getDevice(DeviceId deviceId) {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.getDevice(deviceId);
     }
     @Override
     public MastershipRole getRole(DeviceId deviceId) {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return mastershipService.getLocalRole(deviceId);
     }
     @Override
     public List<Port> getPorts(DeviceId deviceId) {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.getPorts(deviceId);
     }
     @Override
     public List<PortStatistics> getPortStatistics(DeviceId deviceId) {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.getPortStatistics(deviceId);
     }
     @Override
     public List<PortStatistics> getPortDeltaStatistics(DeviceId deviceId) {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.getPortDeltaStatistics(deviceId);
     }
     @Override
     public Port getPort(DeviceId deviceId, PortNumber portNumber) {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         checkNotNull(portNumber, PORT_NUMBER_NULL);
         return store.getPort(deviceId, portNumber);
@@ -212,7 +212,7 @@ public class DeviceManager
     @Override
     public boolean isAvailable(DeviceId deviceId) {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.isAvailable(deviceId);
@@ -664,7 +664,7 @@ public class DeviceManager
     @Override
     public Iterable<Device> getDevices(Type type) {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         Set<Device> results = new HashSet<>();
         Iterable<Device> devices = store.getDevices();
         if (devices != null) {
@@ -679,7 +679,7 @@ public class DeviceManager
     @Override
     public Iterable<Device> getAvailableDevices(Type type) {
-        checkPermission(Permission.DEVICE_READ);
+        checkPermission(DEVICE_READ);
         Set<Device> results = new HashSet<>();
         Iterable<Device> availableDevices = store.getAvailableDevices();
         if (availableDevices != null) {
--- a/core/net/src/main/java/org/onosproject/net/driver/impl/DriverManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/driver/impl/DriverManager.java
View file @b856b81
@@ -24,7 +24,6 @@ import org.apache.felix.scr.annotations.Deactivate;
 import org.apache.felix.scr.annotations.Reference;
 import org.apache.felix.scr.annotations.ReferenceCardinality;
 import org.apache.felix.scr.annotations.Service;
-import org.onosproject.core.Permission;
 import org.onosproject.net.Device;
 import org.onosproject.net.DeviceId;
 import org.onosproject.net.device.DeviceService;
@@ -47,6 +46,8 @@ import java.util.stream.Collectors;
 import static org.onlab.util.Tools.nullIsNotFound;
 import static org.onosproject.net.AnnotationKeys.DRIVER;
 import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
+
 /**
@@ -108,7 +109,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
     @Override
     public Set<Driver> getDrivers() {
-        checkPermission(Permission.DRIVER_READ);
+        checkPermission(DRIVER_READ);
         ImmutableSet.Builder<Driver> builder = ImmutableSet.builder();
         drivers.values().forEach(builder::add);
@@ -117,7 +118,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
     @Override
     public Set<Driver> getDrivers(Class<? extends Behaviour> withBehaviour) {
-        checkPermission(Permission.DRIVER_READ);
+        checkPermission(DRIVER_READ);
         return drivers.values().stream()
                 .filter(d -> d.hasBehaviour(withBehaviour))
@@ -126,14 +127,14 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
     @Override
     public Driver getDriver(String driverName) {
-        checkPermission(Permission.DRIVER_READ);
+        checkPermission(DRIVER_READ);
         return nullIsNotFound(drivers.get(driverName), NO_DRIVER);
     }
     @Override
     public Driver getDriver(String mfr, String hw, String sw) {
-        checkPermission(Permission.DRIVER_READ);
+        checkPermission(DRIVER_READ);
         // First attempt a literal search.
         Driver driver = driverByKey.get(key(mfr, hw, sw));
@@ -160,7 +161,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
     @Override
     public Driver getDriver(DeviceId deviceId) {
-        checkPermission(Permission.DRIVER_READ);
+        checkPermission(DRIVER_READ);
         Device device = nullIsNotFound(deviceService.getDevice(deviceId), NO_DEVICE);
         String driverName = device.annotations().value(DRIVER);
@@ -174,7 +175,7 @@ public class DriverManager extends DefaultDriverProvider implements DriverAdminS
     @Override
     public DriverHandler createHandler(DeviceId deviceId, String... credentials) {
-        checkPermission(Permission.DRIVER_WRITE);
+        checkPermission(DRIVER_WRITE);
         Driver driver = getDriver(deviceId);
         return new DefaultDriverHandler(new DefaultDriverData(driver, deviceId));
--- a/core/net/src/main/java/org/onosproject/net/flow/impl/FlowRuleManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/flow/impl/FlowRuleManager.java
View file @b856b81
@@ -36,7 +36,6 @@ import org.onosproject.net.provider.AbstractListenerProviderRegistry;
 import org.onosproject.core.ApplicationId;
 import org.onosproject.core.CoreService;
 import org.onosproject.core.IdGenerator;
-import org.onosproject.core.Permission;
 import org.onosproject.net.Device;
 import org.onosproject.net.DeviceId;
 import org.onosproject.net.device.DeviceService;
@@ -79,6 +78,8 @@ import static org.onosproject.net.flow.FlowRuleEvent.Type.RULE_ADD_REQUESTED;
 import static org.onosproject.net.flow.FlowRuleEvent.Type.RULE_REMOVE_REQUESTED;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
 /**
@@ -165,19 +166,19 @@ public class FlowRuleManager
     @Override
     public int getFlowRuleCount() {
-        checkPermission(Permission.FLOWRULE_READ);
+        checkPermission(FLOWRULE_READ);
         return store.getFlowRuleCount();
     }
     @Override
     public Iterable<FlowEntry> getFlowEntries(DeviceId deviceId) {
-        checkPermission(Permission.FLOWRULE_READ);
+        checkPermission(FLOWRULE_READ);
         return store.getFlowEntries(deviceId);
     }
     @Override
     public void applyFlowRules(FlowRule... flowRules) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
         for (int i = 0; i < flowRules.length; i++) {
@@ -188,7 +189,7 @@ public class FlowRuleManager
     @Override
     public void removeFlowRules(FlowRule... flowRules) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         FlowRuleOperations.Builder builder = FlowRuleOperations.builder();
         for (int i = 0; i < flowRules.length; i++) {
@@ -199,13 +200,13 @@ public class FlowRuleManager
     @Override
     public void removeFlowRulesById(ApplicationId id) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         removeFlowRules(Iterables.toArray(getFlowRulesById(id), FlowRule.class));
     }
     @Override
     public Iterable<FlowRule> getFlowRulesById(ApplicationId id) {
-        checkPermission(Permission.FLOWRULE_READ);
+        checkPermission(FLOWRULE_READ);
         Set<FlowRule> flowEntries = Sets.newHashSet();
         for (Device d : deviceService.getDevices()) {
@@ -220,7 +221,7 @@ public class FlowRuleManager
     @Override
     public Iterable<FlowRule> getFlowRulesByGroupId(ApplicationId appId, short groupId) {
-        checkPermission(Permission.FLOWRULE_READ);
+        checkPermission(FLOWRULE_READ);
         Set<FlowRule> matches = Sets.newHashSet();
         long toLookUp = ((long) appId.id() << 16) | groupId;
@@ -236,7 +237,7 @@ public class FlowRuleManager
     @Override
     public void apply(FlowRuleOperations ops) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         operationsService.submit(new FlowOperationsProcessor(ops));
     }
--- a/core/net/src/main/java/org/onosproject/net/flowobjective/impl/FlowObjectiveManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/flowobjective/impl/FlowObjectiveManager.java
View file @b856b81
@@ -27,7 +27,6 @@ import org.onlab.osgi.DefaultServiceDirectory;
 import org.onlab.osgi.ServiceDirectory;
 import org.onlab.util.ItemNotFoundException;
 import org.onosproject.cluster.ClusterService;
-import org.onosproject.core.Permission;
 import org.onosproject.mastership.MastershipEvent;
 import org.onosproject.mastership.MastershipListener;
 import org.onosproject.mastership.MastershipService;
@@ -62,6 +61,8 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import static java.util.concurrent.Executors.newFixedThreadPool;
 import static org.onlab.util.Tools.groupedThreads;
 import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
+
 /**
@@ -193,13 +194,13 @@ public class FlowObjectiveManager implements FlowObjectiveService {
     @Override
     public void filter(DeviceId deviceId, FilteringObjective filteringObjective) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         executorService.submit(new ObjectiveInstaller(deviceId, filteringObjective));
     }
     @Override
     public void forward(DeviceId deviceId, ForwardingObjective forwardingObjective) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         if (queueObjective(deviceId, forwardingObjective)) {
             return;
         }
@@ -208,13 +209,13 @@ public class FlowObjectiveManager implements FlowObjectiveService {
     @Override
     public void next(DeviceId deviceId, NextObjective nextObjective) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         executorService.submit(new ObjectiveInstaller(deviceId, nextObjective));
     }
     @Override
     public int allocateNextId() {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         return flowObjectiveStore.allocateNextId();
     }
--- a/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/flowobjective/impl/composition/FlowObjectiveCompositionManager.java
View file @b856b81
@@ -27,7 +27,6 @@ import org.onlab.osgi.DefaultServiceDirectory;
 import org.onlab.osgi.ServiceDirectory;
 import org.onlab.util.ItemNotFoundException;
 import org.onosproject.cluster.ClusterService;
-import org.onosproject.core.Permission;
 import org.onosproject.mastership.MastershipEvent;
 import org.onosproject.mastership.MastershipListener;
 import org.onosproject.mastership.MastershipService;
@@ -65,6 +64,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import static java.util.concurrent.Executors.newFixedThreadPool;
 import static org.onlab.util.Tools.groupedThreads;
 import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
 /**
@@ -217,7 +217,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
     @Override
     public void filter(DeviceId deviceId, FilteringObjective filteringObjective) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         List<FilteringObjective> filteringObjectives
                 = this.deviceCompositionTreeMap.get(deviceId).updateFilter(filteringObjective);
@@ -228,7 +228,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
     @Override
     public void forward(DeviceId deviceId, ForwardingObjective forwardingObjective) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         if (queueObjective(deviceId, forwardingObjective)) {
             return;
@@ -242,7 +242,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
     @Override
     public void next(DeviceId deviceId, NextObjective nextObjective) {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         List<NextObjective> nextObjectives = this.deviceCompositionTreeMap.get(deviceId).updateNext(nextObjective);
         for (NextObjective tmp : nextObjectives) {
@@ -252,7 +252,7 @@ public class FlowObjectiveCompositionManager implements FlowObjectiveService {
     @Override
     public int allocateNextId() {
-        checkPermission(Permission.FLOWRULE_WRITE);
+        checkPermission(FLOWRULE_WRITE);
         return flowObjectiveStore.allocateNextId();
     }
--- a/core/net/src/main/java/org/onosproject/net/group/impl/GroupManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/group/impl/GroupManager.java
View file @b856b81
@@ -23,7 +23,6 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
 import org.apache.felix.scr.annotations.Service;
 import org.onosproject.net.provider.AbstractListenerProviderRegistry;
 import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
 import org.onosproject.net.DeviceId;
 import org.onosproject.net.device.DeviceEvent;
 import org.onosproject.net.device.DeviceListener;
@@ -51,6 +50,8 @@ import java.util.Collections;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
 /**
@@ -96,7 +97,7 @@ public class GroupManager
      */
     @Override
     public void addGroup(GroupDescription groupDesc) {
-        checkPermission(Permission.GROUP_WRITE);
+        checkPermission(GROUP_WRITE);
         store.storeGroupDescription(groupDesc);
     }
@@ -115,7 +116,7 @@ public class GroupManager
      */
     @Override
     public Group getGroup(DeviceId deviceId, GroupKey appCookie) {
-        checkPermission(Permission.GROUP_READ);
+        checkPermission(GROUP_READ);
         return store.getGroup(deviceId, appCookie);
     }
@@ -137,7 +138,7 @@ public class GroupManager
                                   GroupBuckets buckets,
                                   GroupKey newCookie,
                                   ApplicationId appId) {
-        checkPermission(Permission.GROUP_WRITE);
+        checkPermission(GROUP_WRITE);
         store.updateGroupDescription(deviceId,
                                      oldCookie,
                                      UpdateType.ADD,
@@ -163,7 +164,7 @@ public class GroupManager
                                        GroupBuckets buckets,
                                        GroupKey newCookie,
                                        ApplicationId appId) {
-        checkPermission(Permission.GROUP_WRITE);
+        checkPermission(GROUP_WRITE);
         store.updateGroupDescription(deviceId,
                                      oldCookie,
                                      UpdateType.REMOVE,
@@ -185,7 +186,7 @@ public class GroupManager
     public void removeGroup(DeviceId deviceId,
                             GroupKey appCookie,
                             ApplicationId appId) {
-        checkPermission(Permission.GROUP_WRITE);
+        checkPermission(GROUP_WRITE);
         store.deleteGroupDescription(deviceId, appCookie);
     }
@@ -200,13 +201,13 @@ public class GroupManager
     @Override
     public Iterable<Group> getGroups(DeviceId deviceId,
                                      ApplicationId appId) {
-        checkPermission(Permission.GROUP_READ);
+        checkPermission(GROUP_READ);
         return store.getGroups(deviceId);
     }
     @Override
     public Iterable<Group> getGroups(DeviceId deviceId) {
-        checkPermission(Permission.GROUP_READ);
+        checkPermission(GROUP_READ);
         return store.getGroups(deviceId);
     }
--- a/core/net/src/main/java/org/onosproject/net/host/impl/HostManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/host/impl/HostManager.java
View file @b856b81
@@ -26,7 +26,6 @@ import org.onlab.packet.MacAddress;
 import org.onlab.packet.VlanId;
 import org.onosproject.incubator.net.intf.InterfaceService;
 import org.onosproject.net.provider.AbstractListenerProviderRegistry;
-import org.onosproject.core.Permission;
 import org.onosproject.net.config.NetworkConfigEvent;
 import org.onosproject.net.config.NetworkConfigListener;
 import org.onosproject.net.config.NetworkConfigService;
@@ -57,6 +56,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
 /**
  * Provides basic implementation of the host SB &amp; NB APIs.
@@ -118,66 +118,66 @@ public class HostManager
     @Override
     public int getHostCount() {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         return store.getHostCount();
     }
     @Override
     public Iterable<Host> getHosts() {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         return store.getHosts();
     }
     @Override
     public Host getHost(HostId hostId) {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         checkNotNull(hostId, HOST_ID_NULL);
         return store.getHost(hostId);
     }
     @Override
     public Set<Host> getHostsByVlan(VlanId vlanId) {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         return store.getHosts(vlanId);
     }
     @Override
     public Set<Host> getHostsByMac(MacAddress mac) {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         checkNotNull(mac, "MAC address cannot be null");
         return store.getHosts(mac);
     }
     @Override
     public Set<Host> getHostsByIp(IpAddress ip) {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         checkNotNull(ip, "IP address cannot be null");
         return store.getHosts(ip);
     }
     @Override
     public Set<Host> getConnectedHosts(ConnectPoint connectPoint) {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         checkNotNull(connectPoint, "Connection point cannot be null");
         return store.getConnectedHosts(connectPoint);
     }
     @Override
     public Set<Host> getConnectedHosts(DeviceId deviceId) {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         checkNotNull(deviceId, "Device ID cannot be null");
         return store.getConnectedHosts(deviceId);
     }
     @Override
     public void startMonitoringIp(IpAddress ip) {
-        checkPermission(Permission.HOST_EVENT);
+        checkPermission(HOST_EVENT);
         monitor.addMonitoringFor(ip);
     }
     @Override
     public void stopMonitoringIp(IpAddress ip) {
-        checkPermission(Permission.HOST_EVENT);
+        checkPermission(HOST_EVENT);
         monitor.stopMonitoring(ip);
     }
@@ -212,13 +212,13 @@ public class HostManager
     @Override
     public Set<PortAddresses> getAddressBindings() {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         return store.getAddressBindings();
     }
     @Override
     public Set<PortAddresses> getAddressBindingsForPort(ConnectPoint connectPoint) {
-        checkPermission(Permission.HOST_READ);
+        checkPermission(HOST_READ);
         return store.getAddressBindingsForPort(connectPoint);
     }
--- a/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/intent/impl/IntentManager.java
View file @b856b81
@@ -25,7 +25,6 @@ import org.apache.felix.scr.annotations.Service;
 import org.onosproject.event.AbstractListenerManager;
 import org.onosproject.core.CoreService;
 import org.onosproject.core.IdGenerator;
-import org.onosproject.core.Permission;
 import org.onosproject.net.flow.FlowRule;
 import org.onosproject.net.flow.FlowRuleOperations;
 import org.onosproject.net.flow.FlowRuleOperationsContext;
@@ -67,6 +66,8 @@ import static org.onosproject.net.intent.constraint.PartialFailureConstraint.int
 import static org.onosproject.net.intent.impl.phase.IntentProcessPhase.newInitialPhase;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
 /**
  * An implementation of intent service.
@@ -138,7 +139,7 @@ public class IntentManager
     @Override
     public void submit(Intent intent) {
-        checkPermission(Permission.INTENT_WRITE);
+        checkPermission(INTENT_WRITE);
         checkNotNull(intent, INTENT_NULL);
         IntentData data = new IntentData(intent, IntentState.INSTALL_REQ, null);
         store.addPending(data);
@@ -146,7 +147,7 @@ public class IntentManager
     @Override
     public void withdraw(Intent intent) {
-        checkPermission(Permission.INTENT_WRITE);
+        checkPermission(INTENT_WRITE);
         checkNotNull(intent, INTENT_NULL);
         IntentData data = new IntentData(intent, IntentState.WITHDRAW_REQ, null);
         store.addPending(data);
@@ -154,7 +155,7 @@ public class IntentManager
     @Override
     public void purge(Intent intent) {
-        checkPermission(Permission.INTENT_WRITE);
+        checkPermission(INTENT_WRITE);
         checkNotNull(intent, INTENT_NULL);
         IntentData data = new IntentData(intent, IntentState.PURGE_REQ, null);
         store.addPending(data);
@@ -162,45 +163,45 @@ public class IntentManager
     @Override
     public Intent getIntent(Key key) {
-        checkPermission(Permission.INTENT_READ);
+        checkPermission(INTENT_READ);
         return store.getIntent(key);
     }
     @Override
     public Iterable<Intent> getIntents() {
-        checkPermission(Permission.INTENT_READ);
+        checkPermission(INTENT_READ);
         return store.getIntents();
     }
     @Override
     public Iterable<IntentData> getIntentData() {
-        checkPermission(Permission.INTENT_READ);
+        checkPermission(INTENT_READ);
         return store.getIntentData(false, 0);
     }
     @Override
     public long getIntentCount() {
-        checkPermission(Permission.INTENT_READ);
+        checkPermission(INTENT_READ);
         return store.getIntentCount();
     }
     @Override
     public IntentState getIntentState(Key intentKey) {
-        checkPermission(Permission.INTENT_READ);
+        checkPermission(INTENT_READ);
         checkNotNull(intentKey, INTENT_ID_NULL);
         return store.getIntentState(intentKey);
     }
     @Override
     public List<Intent> getInstallableIntents(Key intentKey) {
-        checkPermission(Permission.INTENT_READ);
+        checkPermission(INTENT_READ);
         checkNotNull(intentKey, INTENT_ID_NULL);
         return store.getInstallableIntents(intentKey);
     }
     @Override
     public boolean isLocal(Key intentKey) {
-        checkPermission(Permission.INTENT_READ);
+        checkPermission(INTENT_READ);
         return store.isMaster(intentKey);
     }
@@ -221,7 +222,7 @@ public class IntentManager
     @Override
     public Iterable<Intent> getPending() {
-        checkPermission(Permission.INTENT_READ);
+        checkPermission(INTENT_READ);
         return store.getPending();
     }
--- a/core/net/src/main/java/org/onosproject/net/link/impl/LinkManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/link/impl/LinkManager.java
View file @b856b81
@@ -25,7 +25,6 @@ import org.apache.felix.scr.annotations.Reference;
 import org.apache.felix.scr.annotations.ReferenceCardinality;
 import org.apache.felix.scr.annotations.Service;
 import org.onosproject.net.provider.AbstractListenerProviderRegistry;
-import org.onosproject.core.Permission;
 import org.onosproject.net.config.NetworkConfigEvent;
 import org.onosproject.net.config.NetworkConfigListener;
 import org.onosproject.net.config.NetworkConfigService;
@@ -59,6 +58,7 @@ import static com.google.common.base.Preconditions.checkState;
 import static org.onosproject.net.LinkKey.linkKey;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
 /**
@@ -111,19 +111,19 @@ public class LinkManager
     @Override
     public int getLinkCount() {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         return store.getLinkCount();
     }
     @Override
     public Iterable<Link> getLinks() {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         return store.getLinks();
     }
     @Override
     public Iterable<Link> getActiveLinks() {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         return FluentIterable.from(getLinks())
                 .filter(new Predicate<Link>() {
@@ -136,7 +136,7 @@ public class LinkManager
     @Override
     public Set<Link> getDeviceLinks(DeviceId deviceId) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return Sets.union(store.getDeviceEgressLinks(deviceId),
                           store.getDeviceIngressLinks(deviceId));
@@ -144,21 +144,21 @@ public class LinkManager
     @Override
     public Set<Link> getDeviceEgressLinks(DeviceId deviceId) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.getDeviceEgressLinks(deviceId);
     }
     @Override
     public Set<Link> getDeviceIngressLinks(DeviceId deviceId) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         checkNotNull(deviceId, DEVICE_ID_NULL);
         return store.getDeviceIngressLinks(deviceId);
     }
     @Override
     public Set<Link> getLinks(ConnectPoint connectPoint) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         checkNotNull(connectPoint, CONNECT_POINT_NULL);
         return Sets.union(store.getEgressLinks(connectPoint),
                           store.getIngressLinks(connectPoint));
@@ -166,21 +166,21 @@ public class LinkManager
     @Override
     public Set<Link> getEgressLinks(ConnectPoint connectPoint) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         checkNotNull(connectPoint, CONNECT_POINT_NULL);
         return store.getEgressLinks(connectPoint);
     }
     @Override
     public Set<Link> getIngressLinks(ConnectPoint connectPoint) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         checkNotNull(connectPoint, CONNECT_POINT_NULL);
         return store.getIngressLinks(connectPoint);
     }
     @Override
     public Link getLink(ConnectPoint src, ConnectPoint dst) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         checkNotNull(src, CONNECT_POINT_NULL);
         checkNotNull(dst, CONNECT_POINT_NULL);
         return store.getLink(src, dst);
--- a/core/net/src/main/java/org/onosproject/net/packet/impl/PacketManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/packet/impl/PacketManager.java
View file @b856b81
@@ -23,7 +23,6 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
 import org.apache.felix.scr.annotations.Service;
 import org.onosproject.core.ApplicationId;
 import org.onosproject.core.CoreService;
-import org.onosproject.core.Permission;
 import org.onosproject.net.Device;
 import org.onosproject.net.device.DeviceEvent;
 import org.onosproject.net.device.DeviceListener;
@@ -63,7 +62,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import static org.onlab.util.Tools.groupedThreads;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
-
+import static org.onosproject.security.AppPermission.Type.*;
 /**
  * Provides a basic implementation of the packet SB &amp; NB APIs.
@@ -126,14 +125,14 @@ public class PacketManager
     @Override
     public void addProcessor(PacketProcessor processor, int priority) {
-        checkPermission(Permission.PACKET_EVENT);
+        checkPermission(PACKET_EVENT);
         checkNotNull(processor, "Processor cannot be null");
         processors.put(priority, processor);
     }
     @Override
     public void removeProcessor(PacketProcessor processor) {
-        checkPermission(Permission.PACKET_EVENT);
+        checkPermission(PACKET_EVENT);
         checkNotNull(processor, "Processor cannot be null");
         processors.values().remove(processor);
     }
@@ -141,7 +140,7 @@ public class PacketManager
     @Override
     public void requestPackets(TrafficSelector selector, PacketPriority priority,
                                ApplicationId appId) {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
         checkNotNull(selector, "Selector cannot be null");
         checkNotNull(appId, "Application ID cannot be null");
@@ -154,7 +153,7 @@ public class PacketManager
     @Override
     public void cancelPackets(TrafficSelector selector, PacketPriority priority,
                               ApplicationId appId) {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
         checkNotNull(selector, "Selector cannot be null");
         checkNotNull(appId, "Application ID cannot be null");
@@ -246,7 +245,7 @@ public class PacketManager
     @Override
     public void emit(OutboundPacket packet) {
-        checkPermission(Permission.PACKET_WRITE);
+        checkPermission(PACKET_WRITE);
         checkNotNull(packet, "Packet cannot be null");
         store.emit(packet);
     }
--- a/core/net/src/main/java/org/onosproject/net/proxyarp/impl/ProxyArpManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/proxyarp/impl/ProxyArpManager.java
View file @b856b81
@@ -33,7 +33,6 @@ import org.onlab.packet.VlanId;
 import org.onlab.packet.ndp.NeighborAdvertisement;
 import org.onlab.packet.ndp.NeighborDiscoveryOptions;
 import org.onlab.packet.ndp.NeighborSolicitation;
-import org.onosproject.core.Permission;
 import org.onosproject.incubator.net.intf.Interface;
 import org.onosproject.incubator.net.intf.InterfaceService;
 import org.onosproject.net.ConnectPoint;
@@ -61,6 +60,7 @@ import static org.onlab.packet.VlanId.vlanId;
 import static org.onosproject.net.HostId.hostId;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
 @Component(immediate = true)
@@ -110,7 +110,8 @@ public class ProxyArpManager implements ProxyArpService {
     @Override
     public boolean isKnown(IpAddress addr) {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
+
         checkNotNull(addr, MAC_ADDR_NULL);
         Set<Host> hosts = hostService.getHostsByIp(addr);
         return !hosts.isEmpty();
@@ -118,7 +119,8 @@ public class ProxyArpManager implements ProxyArpService {
     @Override
     public void reply(Ethernet eth, ConnectPoint inPort) {
-        checkPermission(Permission.PACKET_WRITE);
+        checkPermission(PACKET_WRITE);
+
         checkNotNull(eth, REQUEST_NULL);
         if (eth.getEtherType() == Ethernet.TYPE_ARP) {
@@ -316,7 +318,8 @@ public class ProxyArpManager implements ProxyArpService {
     @Override
     public void forward(Ethernet eth, ConnectPoint inPort) {
-        checkPermission(Permission.PACKET_WRITE);
+        checkPermission(PACKET_WRITE);
+
         checkNotNull(eth, REQUEST_NULL);
         Host h = hostService.getHost(hostId(eth.getDestinationMAC(),
@@ -333,7 +336,7 @@ public class ProxyArpManager implements ProxyArpService {
     @Override
     public boolean handlePacket(PacketContext context) {
-        checkPermission(Permission.PACKET_WRITE);
+        checkPermission(PACKET_WRITE);
         InboundPacket pkt = context.inPacket();
         Ethernet ethPkt = pkt.parsed();
--- a/core/net/src/main/java/org/onosproject/net/resource/impl/LinkResourceManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/resource/impl/LinkResourceManager.java
View file @b856b81
@@ -23,7 +23,6 @@ import org.apache.felix.scr.annotations.Reference;
 import org.apache.felix.scr.annotations.ReferenceCardinality;
 import org.apache.felix.scr.annotations.Service;
 import org.onosproject.event.AbstractListenerManager;
-import org.onosproject.core.Permission;
 import org.onosproject.net.Link;
 import org.onosproject.net.intent.IntentId;
 import org.onosproject.net.resource.ResourceAllocation;
@@ -58,6 +57,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
 /**
@@ -150,7 +150,7 @@ public class LinkResourceManager
     @Override
     public LinkResourceAllocations requestResources(LinkResourceRequest req) {
-        checkPermission(Permission.LINK_WRITE);
+        checkPermission(LINK_WRITE);
         // TODO Concatenate multiple bandwidth requests.
         // TODO Support multiple lambda resource requests.
@@ -213,7 +213,7 @@ public class LinkResourceManager
     @Override
     public void releaseResources(LinkResourceAllocations allocations) {
-        checkPermission(Permission.LINK_WRITE);
+        checkPermission(LINK_WRITE);
         final LinkResourceEvent event = store.releaseResources(allocations);
         if (event != null) {
             post(event);
@@ -223,32 +223,32 @@ public class LinkResourceManager
     @Override
     public LinkResourceAllocations updateResources(LinkResourceRequest req,
             LinkResourceAllocations oldAllocations) {
-        checkPermission(Permission.LINK_WRITE);
+        checkPermission(LINK_WRITE);
         releaseResources(oldAllocations);
          return requestResources(req);
     }
     @Override
     public Iterable<LinkResourceAllocations> getAllocations() {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         return store.getAllocations();
     }
     @Override
     public Iterable<LinkResourceAllocations> getAllocations(Link link) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         return store.getAllocations(link);
     }
     @Override
     public LinkResourceAllocations getAllocations(IntentId intentId) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         return store.getAllocations(intentId);
     }
     @Override
     public Iterable<ResourceRequest> getAvailableResources(Link link) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         Set<ResourceAllocation> freeRes = store.getFreeResources(link);
         Set<ResourceRequest> result = new HashSet<>();
@@ -274,7 +274,7 @@ public class LinkResourceManager
     @Override
     public Iterable<ResourceRequest> getAvailableResources(Link link,
             LinkResourceAllocations allocations) {
-        checkPermission(Permission.LINK_READ);
+        checkPermission(LINK_READ);
         Set<ResourceAllocation> allocatedRes = allocations.getResourceAllocation(link);
         Set<ResourceRequest> result = Sets.newHashSet(getAvailableResources(link));
--- a/core/net/src/main/java/org/onosproject/net/statistic/impl/StatisticManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/statistic/impl/StatisticManager.java
View file @b856b81
@@ -27,7 +27,6 @@ import org.apache.felix.scr.annotations.ReferenceCardinality;
 import org.apache.felix.scr.annotations.Service;
 import org.onosproject.core.ApplicationId;
 import org.onosproject.core.GroupId;
-import org.onosproject.core.Permission;
 import org.onosproject.net.ConnectPoint;
 import org.onosproject.net.Link;
 import org.onosproject.net.Path;
@@ -51,6 +50,7 @@ import java.util.Set;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static org.slf4j.LoggerFactory.getLogger;
 import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
 /**
@@ -86,14 +86,14 @@ public class StatisticManager implements StatisticService {
     @Override
     public Load load(Link link) {
-        checkPermission(Permission.STATISTIC_READ);
+        checkPermission(STATISTIC_READ);
         return load(link.src());
     }
     @Override
     public Load load(Link link, ApplicationId appId, Optional<GroupId> groupId) {
-        checkPermission(Permission.STATISTIC_READ);
+        checkPermission(STATISTIC_READ);
         Statistics stats = getStatistics(link.src());
         if (!stats.isValid()) {
@@ -114,14 +114,14 @@ public class StatisticManager implements StatisticService {
     @Override
     public Load load(ConnectPoint connectPoint) {
-        checkPermission(Permission.STATISTIC_READ);
+        checkPermission(STATISTIC_READ);
         return loadInternal(connectPoint);
     }
     @Override
     public Link max(Path path) {
-        checkPermission(Permission.STATISTIC_READ);
+        checkPermission(STATISTIC_READ);
         if (path.links().isEmpty()) {
             return null;
@@ -140,7 +140,7 @@ public class StatisticManager implements StatisticService {
     @Override
     public Link min(Path path) {
-        checkPermission(Permission.STATISTIC_READ);
+        checkPermission(STATISTIC_READ);
         if (path.links().isEmpty()) {
             return null;
@@ -159,7 +159,7 @@ public class StatisticManager implements StatisticService {
     @Override
     public FlowRule highestHitter(ConnectPoint connectPoint) {
-        checkPermission(Permission.STATISTIC_READ);
+        checkPermission(STATISTIC_READ);
         Set<FlowEntry> hitters = statisticStore.getCurrentStatistic(connectPoint);
         if (hitters.isEmpty()) {
--- a/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/topology/impl/PathManager.java
View file @b856b81
@@ -24,7 +24,6 @@ import org.apache.felix.scr.annotations.Deactivate;
 import org.apache.felix.scr.annotations.Reference;
 import org.apache.felix.scr.annotations.ReferenceCardinality;
 import org.apache.felix.scr.annotations.Service;
-import org.onosproject.core.Permission;
 import org.onosproject.net.ConnectPoint;
 import org.onosproject.net.DefaultEdgeLink;
 import org.onosproject.net.DefaultPath;
@@ -51,6 +50,7 @@ import java.util.Set;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static org.slf4j.LoggerFactory.getLogger;
 import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
 /**
@@ -88,14 +88,14 @@ public class PathManager implements PathService {
     @Override
     public Set<Path> getPaths(ElementId src, ElementId dst) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         return getPaths(src, dst, null);
     }
     @Override
     public Set<Path> getPaths(ElementId src, ElementId dst, LinkWeight weight) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(src, ELEMENT_ID_NULL);
         checkNotNull(dst, ELEMENT_ID_NULL);
--- a/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java
View file @b856b81
+++ b/core/net/src/main/java/org/onosproject/net/topology/impl/TopologyManager.java
View file @b856b81
@@ -22,7 +22,6 @@ import org.apache.felix.scr.annotations.Reference;
 import org.apache.felix.scr.annotations.ReferenceCardinality;
 import org.apache.felix.scr.annotations.Service;
 import org.onosproject.net.provider.AbstractListenerProviderRegistry;
-import org.onosproject.core.Permission;
 import org.onosproject.event.Event;
 import org.onosproject.net.ConnectPoint;
 import org.onosproject.net.DeviceId;
@@ -51,6 +50,8 @@ import java.util.Set;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static org.onosproject.security.AppGuard.checkPermission;
 import static org.slf4j.LoggerFactory.getLogger;
+import static org.onosproject.security.AppPermission.Type.*;
+
 /**
  * Provides basic implementation of the topology SB &amp; NB APIs.
@@ -91,27 +92,27 @@ public class TopologyManager
     @Override
     public Topology currentTopology() {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         return store.currentTopology();
     }
     @Override
     public boolean isLatest(Topology topology) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         return store.isLatest(topology);
     }
     @Override
     public Set<TopologyCluster> getClusters(Topology topology) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         return store.getClusters(topology);
     }
     @Override
     public TopologyCluster getCluster(Topology topology, ClusterId clusterId) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         checkNotNull(topology, CLUSTER_ID_NULL);
         return store.getCluster(topology, clusterId);
@@ -119,7 +120,7 @@ public class TopologyManager
     @Override
     public Set<DeviceId> getClusterDevices(Topology topology, TopologyCluster cluster) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         checkNotNull(topology, CLUSTER_NULL);
         return store.getClusterDevices(topology, cluster);
@@ -127,7 +128,7 @@ public class TopologyManager
     @Override
     public Set<Link> getClusterLinks(Topology topology, TopologyCluster cluster) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         checkNotNull(topology, CLUSTER_NULL);
         return store.getClusterLinks(topology, cluster);
@@ -135,14 +136,14 @@ public class TopologyManager
     @Override
     public TopologyGraph getGraph(Topology topology) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         return store.getGraph(topology);
     }
     @Override
     public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         checkNotNull(src, DEVICE_ID_NULL);
         checkNotNull(dst, DEVICE_ID_NULL);
@@ -151,7 +152,7 @@ public class TopologyManager
     @Override
     public Set<Path> getPaths(Topology topology, DeviceId src, DeviceId dst, LinkWeight weight) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         checkNotNull(src, DEVICE_ID_NULL);
@@ -162,7 +163,7 @@ public class TopologyManager
     @Override
     public boolean isInfrastructure(Topology topology, ConnectPoint connectPoint) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         checkNotNull(connectPoint, CONNECTION_POINT_NULL);
         return store.isInfrastructure(topology, connectPoint);
@@ -170,7 +171,7 @@ public class TopologyManager
     @Override
     public boolean isBroadcastPoint(Topology topology, ConnectPoint connectPoint) {
-        checkPermission(Permission.TOPOLOGY_READ);
+        checkPermission(TOPOLOGY_READ);
         checkNotNull(topology, TOPOLOGY_NULL);
         checkNotNull(connectPoint, CONNECTION_POINT_NULL);
         return store.isBroadcastPoint(topology, connectPoint);
--- a/core/security/impl/pom.xml deleted 100644 → 0
View file @f28207b
+++ b/core/security/impl/pom.xml deleted 100644 → 0
View file @f28207b
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  ~ Copyright 2015 Open Networking Laboratory
-  ~
-  ~ Licensed under the Apache License, Version 2.0 (the "License");
-  ~ you may not use this file except in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~     http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <parent>
-        <artifactId>onos-security</artifactId>
-        <groupId>org.onosproject</groupId>
-        <version>1.3.0-SNAPSHOT</version>
-        <relativePath>../pom.xml</relativePath>
-    </parent>
-    <modelVersion>4.0.0</modelVersion>
-    <packaging>bundle</packaging>
-
-    <artifactId>onos-security-impl</artifactId>
-
-    <description>Security-mode ONOS components</description>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.osgi</groupId>
-            <artifactId>org.osgi.core</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.onosproject</groupId>
-            <artifactId>onos-api</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.karaf.features</groupId>
-            <artifactId>org.apache.karaf.features.core</artifactId>
-        </dependency>
-    </dependencies>
-
-</project>
\ No newline at end of file
--- a/core/security/impl/src/main/java/org/onosproject/security/impl/PolicyBuilder.java deleted 100644 → 0
View file @f28207b
+++ b/core/security/impl/src/main/java/org/onosproject/security/impl/PolicyBuilder.java deleted 100644 → 0
View file @f28207b
--- a/core/security/impl/src/main/java/org/onosproject/security/impl/SecurityModeManager.java deleted 100644 → 0
View file @f28207b
+++ b/core/security/impl/src/main/java/org/onosproject/security/impl/SecurityModeManager.java deleted 100644 → 0
View file @f28207b
-package org.onosproject.security.impl;
-
-import org.apache.felix.scr.annotations.Component;
-import org.apache.felix.scr.annotations.Reference;
-import org.apache.felix.scr.annotations.ReferenceCardinality;
-import org.apache.felix.scr.annotations.Activate;
-import org.apache.felix.scr.annotations.Deactivate;
-import org.apache.karaf.features.BundleInfo;
-import org.apache.karaf.features.Feature;
-import org.apache.karaf.features.FeaturesService;
-
-import org.onosproject.app.ApplicationAdminService;
-import org.onosproject.app.ApplicationEvent;
-import org.onosproject.app.ApplicationListener;
-import org.onosproject.app.ApplicationState;
-import org.onosproject.core.Application;
-import org.onosproject.core.ApplicationId;
-import org.onosproject.core.Permission;
-import org.onosproject.security.AppPermission;
-import org.osgi.framework.Bundle;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.BundleEvent;
-import org.osgi.framework.BundleListener;
-import org.osgi.framework.FrameworkUtil;
-import org.osgi.framework.PackagePermission;
-import org.osgi.framework.ServicePermission;
-import org.osgi.service.log.LogEntry;
-import org.osgi.service.log.LogListener;
-import org.osgi.service.log.LogReaderService;
-import org.osgi.service.permissionadmin.PermissionInfo;
-
-import java.security.AccessControlException;
-import java.security.AllPermission;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.stream.Collectors;
-
-import org.osgi.service.permissionadmin.PermissionAdmin;
-import org.slf4j.Logger;
-
-import static org.slf4j.LoggerFactory.getLogger;
-
-/**
- * Security-Mode ONOS management implementation.
- */
-
-//TODO : implement a dedicated distributed store for SM-ONOS
-
-@Component(immediate = true)
-public class SecurityModeManager {
-
-    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
-    protected ApplicationAdminService appAdminService;
-
-    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
-    protected FeaturesService featuresService;
-
-    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
-    protected LogReaderService logReaderService;
-
-    private final Logger log = getLogger(getClass());
-
-    private SecurityBundleListener securityBundleListener = new SecurityBundleListener();
-
-    private SecurityApplicationListener securityApplicationListener = new SecurityApplicationListener();
-
-    private SecurityLogListener securityLogListener = new SecurityLogListener();
-
-    private Bundle bundle = null;
-
-    private BundleContext bundleContext = null;
-
-    private PermissionAdmin permissionAdmin = null;
-
-    private Map<String, ApplicationId> appTracker = null;
-
-    private Map<Permission, Set<String>> serviceDirectory = null;
-
-
-    @Activate
-    public void activate() {
-        if (System.getSecurityManager() == null) {
-            log.warn("J2EE security manager is disabled.");
-            deactivate();
-            return;
-        }
-        bundle = FrameworkUtil.getBundle(this.getClass());
-        bundleContext = bundle.getBundleContext();
-
-        bundleContext.addBundleListener(securityBundleListener);
-        appAdminService.addListener(securityApplicationListener);
-        logReaderService.addLogListener(securityLogListener);
-        appTracker = new ConcurrentHashMap<>();
-
-        permissionAdmin = getPermissionAdmin(bundleContext);
-        if (permissionAdmin == null) {
-            log.warn("Permission Admin not found.");
-            this.deactivate();
-            return;
-        }
-
-        serviceDirectory = PolicyBuilder.getServiceDirectory();
-
-        PermissionInfo[] allPerm = {
-                new PermissionInfo(AllPermission.class.getName(), "", ""), };
-
-        permissionAdmin.setPermissions(bundle.getLocation(), allPerm);
-        log.warn("Security-Mode Started");
-    }
-
-
-    @Deactivate
-    public void deactivate() {
-        bundleContext.removeBundleListener(securityBundleListener);
-        appAdminService.removeListener(securityApplicationListener);
-        logReaderService.removeLogListener(securityLogListener);
-        log.info("Stopped");
-
-    }
-
-    private class SecurityApplicationListener implements ApplicationListener {
-
-        @Override
-        public void event(ApplicationEvent event) {
-            //App needs to be restarted
-            if (event.type() == ApplicationEvent.Type.APP_PERMISSIONS_CHANGED) {
-                if (appAdminService.getState(event.subject().id()) == ApplicationState.ACTIVE) {
-                    appAdminService.deactivate(event.subject().id());
-                    print("Permissions updated (%s). Deactivating...",
-                            event.subject().id().name());
-                }
-            }
-        }
-    }
-
-    private class SecurityBundleListener implements BundleListener {
-
-        @Override
-        public void bundleChanged(BundleEvent event) {
-            switch (event.getType()) {
-                case BundleEvent.INSTALLED:
-                    setPermissions(event);
-                    break;
-                case BundleEvent.UNINSTALLED:
-                    clearPermissions(event);
-                    break;
-                default:
-                    break;
-            }
-        }
-    }
-
-    private void clearPermissions(BundleEvent bundleEvent) {
-        if (appTracker.containsKey(bundleEvent.getBundle().getLocation())) {
-            permissionAdmin.setPermissions(bundleEvent.getBundle().getLocation(), new PermissionInfo[]{});
-            appTracker.remove(bundleEvent.getBundle().getLocation());
-        }
-    }
-
-    // find the location of the installed bundle and enforce policy
-    private void setPermissions(BundleEvent bundleEvent) {
-        for (Application app : appAdminService.getApplications()) {
-            if (getBundleLocations(app).contains(bundleEvent.getBundle().getLocation())) {
-                String location = bundleEvent.getBundle().getLocation();
-
-                Set<org.onosproject.core.Permission> permissions =
-                        appAdminService.getPermissions(app.id());
-
-                //Permissions granted by user overrides the permissions specified in App.Xml file
-                if (permissions == null) {
-                    permissions = app.permissions();
-                }
-
-                if (permissions.isEmpty()) {
-                    print("Application %s has not been granted any permission.", app.id().name());
-                }
-
-                PermissionInfo[] perms = null;
-
-                switch (app.role()) {
-                    case ADMIN:
-                        perms = PolicyBuilder.getAdminApplicationPermissions(serviceDirectory);
-                        break;
-                    case REGULAR:
-                        perms = PolicyBuilder.getApplicationPermissions(serviceDirectory, permissions);
-                        break;
-                    case UNSPECIFIED:
-                    default:
-                        //no role has been assigned.
-                        perms = PolicyBuilder.getDefaultPerms();
-                        log.warn("Application %s has no role assigned.", app.id().name());
-                        break;
-                }
-                permissionAdmin.setPermissions(location, perms);
-                appTracker.put(location, app.id());
-                break;
-            }
-        }
-    }
-
-    //TODO: dispatch security policy violation event via distributed store
-    //immediately notify and deactivate the application upon policy violation
-    private class SecurityLogListener implements LogListener {
-        @Override
-        public void logged(LogEntry entry) {
-            if (entry != null) {
-                if (entry.getException() != null) {
-                    ApplicationId applicationId = appTracker.get(entry.getBundle().getLocation());
-                    if (applicationId != null) {
-                        if (appAdminService.getState(applicationId).equals(ApplicationState.ACTIVE)) {
-                            if (entry.getException() instanceof AccessControlException) {
-                                java.security.Permission permission =
-                                        ((AccessControlException) entry.getException()).getPermission();
-                                handleException(applicationId.name(), permission);
-                                appAdminService.deactivate(applicationId);
-                            }
-                        }
-                    }
-                }
-            }
-        }
-    }
-
-    private void handleException(String name, java.security.Permission perm) {
-        if (perm instanceof ServicePermission || perm instanceof PackagePermission) {
-            print("%s has attempted to %s %s.", name, perm.getActions(), perm.getName());
-        } else if (perm instanceof AppPermission) {
-            print("%s has attempted to call an NB API that requires %s permission.",
-                    name, perm.getName().toUpperCase());
-        } else {
-            print("%s has attempted to perform an action that requires %s", name, perm.toString());
-        }
-        print("POLICY VIOLATION: Deactivating %s.", name);
-
-    }
-    private void print(String format, Object... args) {
-        System.out.println(String.format("SM-ONOS: " + format, args));
-        log.warn(String.format(format, args));
-    }
-
-    private List<String> getBundleLocations(Application app) {
-        List<String> locations = new ArrayList();
-        for (String name : app.features()) {
-            try {
-                Feature feature = featuresService.getFeature(name);
-                locations.addAll(
-                        feature.getBundles().stream().map(BundleInfo::getLocation).collect(Collectors.toList()));
-            } catch (Exception e) {
-                return locations;
-            }
-        }
-        return locations;
-    }
-
-    private PermissionAdmin getPermissionAdmin(BundleContext context) {
-        return (PermissionAdmin) context.getService(context.getServiceReference(PermissionAdmin.class.getName()));
-    }
-
-}
--- a/core/security/pom.xml
View file @b856b81
+++ b/core/security/pom.xml
View file @b856b81
@@ -12,10 +12,46 @@
     </parent>
     <artifactId>onos-security</artifactId>
-    <packaging>pom</packaging>
+    <packaging>bundle</packaging>
-    <modules>
+
-        <module>impl</module>
+
-    </modules>
+    <description>Security-Mode ONOS project</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.compendium</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.scr.annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.onosproject</groupId>
+            <artifactId>onos-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.onosproject</groupId>
+            <artifactId>onos-core-serializers</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.karaf.features</groupId>
+            <artifactId>org.apache.karaf.features.core</artifactId>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-scr-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
-    <description>Security-mode ONOS project root</description>
 </project>
\ No newline at end of file
--- a/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java 0 → 100644
View file @b856b81
+++ b/core/security/src/main/java/org/onosproject/security/impl/DefaultPolicyBuilder.java 0 → 100644
View file @b856b81
--- a/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java 0 → 100644
View file @b856b81
+++ b/core/security/src/main/java/org/onosproject/security/impl/SecurityModeManager.java 0 → 100644
View file @b856b81
--- a/core/security/impl/src/main/java/org/onosproject/security/impl/package-info.java → core/security/src/main/java/org/onosproject/security/impl/package-info.java
View file @b856b81
+++ b/core/security/impl/src/main/java/org/onosproject/security/impl/package-info.java → core/security/src/main/java/org/onosproject/security/impl/package-info.java
View file @b856b81
--- a/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java 0 → 100644
View file @b856b81
+++ b/core/security/src/main/java/org/onosproject/security/store/DistributedSecurityModeStore.java 0 → 100644
View file @b856b81
--- a/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java 0 → 100644
View file @b856b81
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityInfo.java 0 → 100644
View file @b856b81
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.security.Permission;
+
+import java.util.Set;
+
+/**
+ * Security-Mode ONOS security policy and state representation for distributed store.
+ */
+public class SecurityInfo {
+
+    protected Set<Permission> grantedPermissions;
+    protected SecurityModeState state;
+
+    public SecurityInfo(Set<Permission> perms, SecurityModeState state) {
+        this.grantedPermissions = perms;
+        this.state = state;
+    }
+    public Set<Permission> getPermissions() {
+        return grantedPermissions;
+    }
+    public SecurityModeState getState() {
+        return state;
+    }
+}
--- a/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java 0 → 100644
View file @b856b81
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityModeEvent.java 0 → 100644
View file @b856b81
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.core.ApplicationId;
+import org.onosproject.event.AbstractEvent;
+
+/**
+ * Security-Mode ONOS notifications.
+ */
+public class SecurityModeEvent extends AbstractEvent<SecurityModeEvent.Type, ApplicationId> {
+
+    protected SecurityModeEvent(Type type, ApplicationId subject) {
+        super(type, subject);
+    }
+
+    public enum Type {
+
+        /**
+         * Signifies that security policy has been accepted.
+         */
+        POLICY_ACCEPTED,
+
+        /**
+         * Signifies that security policy has been reviewed.
+         */
+        POLICY_REVIEWED,
+
+        /**
+         * Signifies that application has violated security policy.
+         */
+        POLICY_VIOLATED,
+    }
+}
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionCommandCompleter.java → core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java
View file @b856b81
+++ b/cli/src/main/java/org/onosproject/cli/security/PermissionCommandCompleter.java → core/security/src/main/java/org/onosproject/security/store/SecurityModeListener.java
View file @b856b81
@@ -14,20 +14,12 @@
  * limitations under the License.
  */
-package org.onosproject.cli.security;
+package org.onosproject.security.store;
-import com.google.common.collect.ImmutableList;
+import org.onosproject.event.EventListener;
-import org.onosproject.cli.AbstractChoicesCompleter;
-import java.util.List;
-
-import static org.onosproject.cli.security.PermissionCommand.*;
 /**
- * Permission command completer.
+ * Security-Mode ONOS event listener.
  */
-public class PermissionCommandCompleter extends AbstractChoicesCompleter {
+public interface SecurityModeListener extends EventListener<SecurityModeEvent> {
-    @Override
-    protected List<String> choices() {
-        return ImmutableList.of(ADD, REMOVE, CLEAR, LIST);
-    }
 }
--- a/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java 0 → 100644
View file @b856b81
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityModeState.java 0 → 100644
View file @b856b81
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+/**
+ * Representation of Security-Mode ONOS application review state.
+ */
+public enum SecurityModeState {
+
+    /**
+     * Indicates that operator has accepted application security policy.
+     */
+    SECURED,
+
+    /**
+     * Indicates that application security policy has been reviewed.
+     */
+    REVIEWED,
+
+    /**
+     * Indicates that application has been installed.
+     */
+    INSTALLED,
+
+    /**
+     * Indicates that application has violated security policy.
+     */
+    POLICY_VIOLATED,
+}
--- a/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java 0 → 100644
View file @b856b81
+++ b/core/security/src/main/java/org/onosproject/security/store/SecurityModeStore.java 0 → 100644
View file @b856b81
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.security.store;
+
+import org.onosproject.core.ApplicationId;
+import org.onosproject.security.Permission;
+import org.onosproject.store.Store;
+
+import java.util.Set;
+
+/**
+ * Security-Mode ONOS distributed store service.
+ */
+public interface SecurityModeStore extends Store<SecurityModeEvent, SecurityModeStoreDelegate> {
+
+    /**
+     * Updates the local bundle-application directories.
+     * @param appId application identifier
+     * @return true if successfully registered.
+     */
+    boolean registerApplication(ApplicationId appId);
+
+    /**
+     * Removes application info from the local bundle-application directories.
+     * @param appId application identifier
+     */
+    void unregisterApplication(ApplicationId appId);
+
+    /**
+     * Returns state of the specified application.
+     * @param appId application identifier
+     * @return Security-Mode State of application
+     */
+    SecurityModeState getState(ApplicationId appId);
+
+    /**
+     * Returns bundle locations of specified application.
+     * @param appId application identifier
+     * @return set of bundle location strings
+     */
+    Set<String> getBundleLocations(ApplicationId appId);
+
+    /**
+     * Returns application identifiers that are associated with given bundle location.
+     * @param location OSGi bundle location
+     * @return set of application identifiers
+     */
+    Set<ApplicationId> getApplicationIds(String location);
+
+    /**
+     * Returns a list of permissions that have been requested by given application.
+     * @param appId application identifier
+     * @return list of permissions
+     */
+    Set<Permission> getRequestedPermissions(ApplicationId appId);
+
+    /**
+     * Returns an array of permissions that have been granted to given application.
+     * @param appId application identifier
+     * @return array of permissionInfo
+     */
+    Set<Permission> getGrantedPermissions(ApplicationId appId);
+
+    /**
+     * Request permission that is required to run given application.
+     * @param appId application identifier
+     * @param permission permission
+     */
+    void requestPermission(ApplicationId appId, Permission permission);
+
+    /**
+     * Returns true if given application has been secured.
+     * @param appId application identifier
+     * @return true indicates secured
+     */
+    boolean isSecured(ApplicationId appId);
+
+    /**
+     * Notifies SM-ONOS that operator has reviewed the policy.
+     * @param appId application identifier
+     */
+    void reviewPolicy(ApplicationId appId);
+
+    /**
+     * Accept the current security policy of given application.
+     * @param appId application identifier
+     * @param permissionSet array of PermissionInfo
+     */
+    void acceptPolicy(ApplicationId appId, Set<Permission> permissionSet);
+}
\ No newline at end of file
--- a/cli/src/main/java/org/onosproject/cli/security/PermissionNameCompleter.java → core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java
View file @b856b81
+++ b/cli/src/main/java/org/onosproject/cli/security/PermissionNameCompleter.java → core/security/src/main/java/org/onosproject/security/store/SecurityModeStoreDelegate.java
View file @b856b81
@@ -14,32 +14,12 @@
  * limitations under the License.
  */
-package org.onosproject.cli.security;
+package org.onosproject.security.store;
-import org.apache.karaf.shell.console.completer.ArgumentCompleter;
+import org.onosproject.store.StoreDelegate;
-import org.onosproject.cli.AbstractChoicesCompleter;
-import org.onosproject.core.Permission;
-
-import java.util.ArrayList;
-import java.util.List;
 /**
- * Permission Name Completer.
+ * Security-Mode distributed store delegate abstraction.
  */
-public class PermissionNameCompleter extends AbstractChoicesCompleter {
+public interface SecurityModeStoreDelegate extends StoreDelegate<SecurityModeEvent> {
-    @Override
-    protected List<String> choices() {
-        List<String> permNames = new ArrayList<>();
-
-        ArgumentCompleter.ArgumentList list = getArgumentList();
-        String cmd = list.getArguments()[1];
-        if (cmd.equals("add") || cmd.equals("remove")) {
-            for (Permission perm : Permission.values()) {
-                permNames.add(perm.name());
-            }
-        }
-        return permNames;
-    }
-
-
 }
--- a/core/store/dist/src/main/java/org/onosproject/store/app/GossipApplicationStore.java
View file @b856b81
+++ b/core/store/dist/src/main/java/org/onosproject/store/app/GossipApplicationStore.java
View file @b856b81
@@ -38,7 +38,7 @@ import org.onosproject.core.Application;
 import org.onosproject.core.ApplicationId;
 import org.onosproject.core.ApplicationIdStore;
 import org.onosproject.core.DefaultApplication;
-import org.onosproject.core.Permission;
+import org.onosproject.security.Permission;
 import org.onosproject.store.cluster.messaging.ClusterCommunicationService;
 import org.onosproject.store.cluster.messaging.MessageSubject;
 import org.onosproject.store.serializers.KryoNamespaces;
--- a/features/features.xml
View file @b856b81
+++ b/features/features.xml
View file @b856b81
@@ -135,7 +135,7 @@
         <feature>onos-api</feature>
         <!-- FIXME Release when stable (before Drake) -->
         <bundle>mvn:org.onosproject/org.apache.felix.framework.security/2.2.0.onos-SNAPSHOT</bundle>
-        <bundle>mvn:org.onosproject/onos-security-impl/@ONOS-VERSION</bundle>
+        <bundle>mvn:org.onosproject/onos-security/@ONOS-VERSION</bundle>
     </feature>
 </features>
--- a/openflow/api/src/main/java/org/onosproject/openflow/controller/DefaultOpenFlowPacketContext.java
View file @b856b81
+++ b/openflow/api/src/main/java/org/onosproject/openflow/controller/DefaultOpenFlowPacketContext.java
View file @b856b81
@@ -17,7 +17,6 @@ package org.onosproject.openflow.controller;
 import org.onlab.packet.DeserializationException;
 import org.onlab.packet.Ethernet;
-import org.onosproject.core.Permission;
 import org.projectfloodlight.openflow.protocol.OFPacketIn;
 import org.projectfloodlight.openflow.protocol.OFPacketOut;
 import org.projectfloodlight.openflow.protocol.OFVersion;
@@ -34,6 +33,7 @@ import java.util.Collections;
 import java.util.concurrent.atomic.AtomicBoolean;
 import static org.onosproject.security.AppGuard.checkPermission;
+import static org.onosproject.security.AppPermission.Type.*;
 /**
@@ -57,7 +57,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
     @Override
     public void send() {
-        checkPermission(Permission.PACKET_WRITE);
+        checkPermission(PACKET_WRITE);
         if (block() && isBuilt.get()) {
             sw.sendMsg(pktout);
@@ -97,7 +97,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
     @Override
     public Ethernet parsed() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
         try {
             return Ethernet.deserializer().deserialize(pktin.getData(), 0, pktin.getData().length);
@@ -111,7 +111,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
     @Override
     public Dpid dpid() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
         return new Dpid(sw.getId());
     }
@@ -130,7 +130,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
     @Override
     public Integer inPort() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
         return pktinInPort().getPortNumber();
     }
@@ -144,7 +144,7 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
     @Override
     public byte[] unparsed() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
         return pktin.getData().clone();
@@ -160,21 +160,21 @@ public final class DefaultOpenFlowPacketContext implements OpenFlowPacketContext
     @Override
     public boolean block() {
-        checkPermission(Permission.PACKET_WRITE);
+        checkPermission(PACKET_WRITE);
         return free.getAndSet(false);
     }
     @Override
     public boolean isHandled() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
         return !free.get();
     }
     @Override
     public boolean isBuffered() {
-        checkPermission(Permission.PACKET_READ);
+        checkPermission(PACKET_READ);
         return isBuffered;
     }