diff --git a/server/src/com/cloud/template/HypervisorTemplateAdapter.java b/server/src/com/cloud/template/HypervisorTemplateAdapter.java
index deda42aa387..96e3fcac1ea 100755
--- a/server/src/com/cloud/template/HypervisorTemplateAdapter.java
+++ b/server/src/com/cloud/template/HypervisorTemplateAdapter.java
@@ -27,6 +27,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.AclEntityType;
 import org.apache.cloudstack.api.command.user.iso.DeleteIsoCmd;
 import org.apache.cloudstack.api.command.user.iso.RegisterIsoCmd;
 import org.apache.cloudstack.api.command.user.template.DeleteTemplateCmd;
@@ -69,8 +70,10 @@ import com.cloud.storage.VMTemplateZoneVO;
 import com.cloud.storage.dao.VMTemplateZoneDao;
 import com.cloud.storage.download.DownloadMonitor;
 import com.cloud.user.Account;
+import com.cloud.utils.Pair;
 import com.cloud.utils.UriUtils;
 import com.cloud.utils.db.DB;
+import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.exception.CloudRuntimeException;
 @Local(value = TemplateAdapter.class)
@@ -399,6 +402,11 @@ public class HypervisorTemplateAdapter extends TemplateAdapterBase {
 _resourceLimitMgr.recalculateResourceCount(template.getAccountId(), account.getDomainId(), ResourceType.secondary_storage.getOrdinal());
 }
 }
+
+ // remove its related ACL permission
+ Pair tmplt = new Pair(AclEntityType.VirtualMachineTemplate, template.getId());
+ _messageBus.publish(_name, EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, PublishScope.LOCAL, tmplt);
+
 }
 return success;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
index 35f7d96d691..c3c9caaeda1 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
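Review bot: The two added lines that publish the ACL cleanup sit inside a block whose opening brace is outside the hunk, so it is not visible here whether they are gated on the template actually having been removed; if they are not, permissions are dropped on the failure path for a template that still exists, and an explicit `if (success) { ... }` around the `Pair` construction and the `_messageBus.publish(...)` call would make the intent obvious. The publish is also fire-and-forget: nothing tells this caller whether a subscriber for `EntityManager.MESSAGE_REMOVE_ENTITY_EVENT` was registered or whether it succeeded, so when the IAM plugin is absent or its handler fails the stale permission rows remain while `success` is still returned — a debug log line after the publish would at least leave a trace. As rendered here the payload is built as a raw `Pair`; if the generics were not merely stripped by the rendering, `Pair<AclEntityType, Long> tmplt = new Pair<>(AclEntityType.VirtualMachineTemplate, template.getId());` pins the payload shape the subscriber depends on. The enclosing method continues outside the hunk.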
@@ -75,6 +75,7 @@ import com.cloud.utils.Pair;
 import com.cloud.utils.component.Manager;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.DB;
+import com.cloud.utils.db.EntityManager;
 @Local(value = {AclApiService.class})
 public class AclApiServiceImpl extends ManagerBase implements AclApiService, Manager {
@@ -165,6 +166,19 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
 }
 });
+ _messageBus.subscribe(EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, new MessageSubscriber() {
+ @Override
+ public void onPublishMessage(String senderAddress, String subject, Object obj) {
+ Pair entity = (Pair)obj;
+ if (entity != null) {
+ String entityType = entity.first().toString();
+ Long entityId = entity.second();
+ s_logger.debug("MessageBus message: delete an entity: (" + entityType + "," + entityId + "), remove its related permission");
+ _iamSrv.removeAclPermissionForEntity(entityType, entityId);
+ }
+ }
+ });
+
 return super.configure(name, params);
 }
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index aad982b50e8..98aec5d91fb 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -64,6 +64,8 @@ public interface IAMService {
 AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId, String action);
+ void removeAclPermissionForEntity(final String entityType, final Long entityId);
+
 AclPolicy getResourceOwnerPolicy();
 List listPolicyPermissions(long policyId);
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 0745e621e6c..d2b173ede6b 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
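Review bot: The subscriber casts the payload unconditionally, `Pair entity = (Pair)obj;`, so any other publisher of `EntityManager.MESSAGE_REMOVE_ENTITY_EVENT` that sends a different object type becomes a ClassCastException inside the handler; replacing the null check with `if (!(obj instanceof Pair)) { s_logger.warn("unexpected payload for remove-entity event: " + obj); return; }` before the cast keeps a malformed message from aborting the publisher's code path. With a LOCAL publish the handler presumably runs on the publishing thread, so a failure inside `_iamSrv.removeAclPermissionForEntity(...)` would propagate back into the template-delete caller after the template is already gone — worth confirming the message bus's exception handling and, if it does propagate, catching and logging in the handler so the deletion still completes. `entity.first().toString()` fixes the stored entity-type key to the enum's toString() spelling; a one-line comment saying the permission rows must be keyed by that same spelling would help the next reader. The enclosing configure() starts outside the hunk.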
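Review bot: The new interface method `removeAclPermissionForEntity` carries no Javadoc, although its contract is exactly what the publisher and the DAO need to agree on: which permission rows are deleted, that it is meant to run after the entity itself is gone, and that it is a no-op when nothing matches. Suggest adding above the declaration `/** Deletes every policy permission granted on the given entity (matched by entity type and id); intended to run after the entity has been removed. No-op when no permission references it. */`. `final` on an interface method's parameters has no effect and is normally omitted there: `void removeAclPermissionForEntity(String entityType, Long entityId);`.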
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -579,6 +579,20 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
 return policy;
 }
+ @DB
+ @Override
+ public void removeAclPermissionForEntity(final String entityType, final Long entityId) {
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // remove entry from acl_entity_permission table
+ List permitList = _policyPermissionDao.listByEntity(entityType, entityId);
+ for (AclPolicyPermissionVO permit : permitList) {
+ _policyPermissionDao.remove(permit.getId());
+ }
+ }
+ });
+ }
 @DB
 @Override
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
index 53c89837ecd..2a492430098 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
@@ -16,10 +16,10 @@ // under the License.
 package org.apache.cloudstack.iam.server.dao;
 import java.util.List;
+
 import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
 import org.apache.cloudstack.iam.server.AclPolicyPermissionVO;
-
 import com.cloud.utils.db.GenericDao;
 public interface AclPolicyPermissionDao extends GenericDao {
@@ -35,4 +35,5 @@ public interface AclPolicyPermissionDao extends GenericDao listByPolicyAccessAndEntity(long policyId, String accessType, String entityType);
+ List listByEntity(String entityType, Long entityId);
 }
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
index d738e007e48..1b266168994 100644
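Review bot: The comment `// remove entry from acl_entity_permission table` does not match the DAO it annotates (`_policyPermissionDao`, which handles AclPolicyPermissionVO rows), so it reads as stale; either name the policy-permission table or drop the table name, e.g. `// drop every policy permission that references this entity`. The loop issues one `remove(permit.getId())` per matching row and never reports how many grants it deleted; since this silently revokes access, logging the count at debug level (`s_logger.debug("removed " + permitList.size() + " permissions for " + entityType + ":" + entityId);`) gives an audit trail, and if the DAO's inherited remove-by-SearchCriteria is available the loop collapses to one statement. A null `entityId` is passed straight through to `listByEntity`; depending on how the search criteria treat a null parameter that could widen the match, so `Objects.requireNonNull(entityId, "entityId")` at the top of the method is a cheap guard. The remaining hunks for AclPolicyPermissionDao in this diff are a blank-line move and the new `listByEntity` declaration, which would also benefit from a one-line Javadoc.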
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
@@ -34,6 +34,7 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase policyIdSearch;
 private SearchBuilder fullSearch;
 private SearchBuilder actionScopeSearch;
+ private SearchBuilder entitySearch;
 @Override
 public boolean configure(String name, Map params) throws ConfigurationException {
@@ -60,6 +61,11 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase listByEntity(String entityType, Long entityId) {
+ SearchCriteria sc = fullSearch.create();
+ sc.setParameters("entityType", entityType);
+ sc.setParameters("scopeId", entityId);
+ return listBy(sc);
+ }
+
 }
diff --git a/utils/src/com/cloud/utils/db/EntityManager.java b/utils/src/com/cloud/utils/db/EntityManager.java
index 0ab19fc0a9e..aed5bcbc312 100644
--- a/utils/src/com/cloud/utils/db/EntityManager.java
+++ b/utils/src/com/cloud/utils/db/EntityManager.java
@@ -70,4 +70,6 @@ public interface EntityManager {
 public List list(Class entityType);
 public void remove(Class entityType, K id);
+
+ public static final String MESSAGE_REMOVE_ENTITY_EVENT = "Message.RemoveEntity.Event";
 }
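Review bot: `listByEntity` constrains only `entityType` and `scopeId`, and `scopeId` does not mean "this entity's id" under every scope — the `scope`/`scopeId` pairing on `removeAclPermissionFromAclPolicy` in IAMService shows it is an account or domain id for account- or domain-scoped grants — so, if `fullSearch` has no scope condition or this method leaves it unset, an account- or domain-scoped permission for the same entity type whose scopeId happens to equal the deleted entity's id is deleted along with the resource-level ones. Fix by also pinning the scope, `sc.setParameters("scope", RESOURCE_SCOPE /* placeholder: the value the project uses for per-resource grants */);`, or by building a dedicated search that fixes the scope. Relatedly, the `entitySearch` builder added in the earlier hunk of this file is never initialized or used in the hunks shown — `listByEntity` reuses `fullSearch` — so either wire it up in configure() for exactly this query or drop the field. The hunk header and the method's signature are fused in this rendering, so the declared return type is not visible.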
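Review bot: The new constant is the only thing tying the publisher and the subscriber to a common payload shape, yet nothing documents that shape; a Javadoc on the field such as `/** Published after an entity is removed; the payload is a Pair of (entity type, entity id) so listeners can drop ACL permissions that reference the entity. */` records the contract where both sides will look for it. `public static final` is implicit on an interface field and is normally written as `String MESSAGE_REMOVE_ENTITY_EVENT = "Message.RemoveEntity.Event";`.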