mirror of https://github.com/apache/cloudstack.git
Changing the access checkers to work with IAM server
This commit is contained in:
Prachi Damle
parent
d374cd5a2c
commit
28b81e423e
|
|
@ -86,7 +86,7 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
|
|||
|
||||
List<AclPolicy> policies = _iamSrv.listAclPolicies(account.getAccountId());
|
||||
|
||||
boolean isAllowed = _iamSrv.isAPIAccessibleForPolicies(commandName, policies);
|
||||
boolean isAllowed = _iamSrv.isActionAllowedForPolicies(commandName, policies);
|
||||
if (!isAllowed) {
|
||||
throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,9 +25,9 @@ import javax.inject.Inject;
|
|||
import org.apache.log4j.Logger;
|
||||
|
||||
import org.apache.cloudstack.acl.api.AclApiService;
|
||||
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
|
||||
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
|
||||
import org.apache.cloudstack.iam.api.AclPolicy;
|
||||
import org.apache.cloudstack.iam.api.AclPolicyPermission;
|
||||
import org.apache.cloudstack.iam.api.IAMService;
|
||||
|
||||
import com.cloud.acl.DomainChecker;
|
||||
import com.cloud.domain.dao.DomainDao;
|
||||
|
|
@ -47,10 +47,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
|
|||
@Inject DomainDao _domainDao;
|
||||
|
||||
@Inject
|
||||
AclGroupAccountMapDao _aclGroupAccountMapDao;
|
||||
|
||||
@Inject
|
||||
AclPolicyPermissionDao _policyPermissionDao;
|
||||
IAMService _iamSrv;
|
||||
|
||||
|
||||
@Override
|
||||
|
|
@ -74,15 +71,15 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
|
|||
HashMap<AclPolicy, Boolean> policyPermissionMap = new HashMap<AclPolicy, Boolean>();
|
||||
|
||||
for (AclPolicy policy : policies) {
|
||||
List<AclPolicyPermissionVO> permissions = new ArrayList<AclPolicyPermissionVO>();
|
||||
List<AclPolicyPermission> permissions = new ArrayList<AclPolicyPermission>();
|
||||
|
||||
if (action != null) {
|
||||
permissions = _policyPermissionDao.listByPolicyActionAndEntity(policy.getId(),
|
||||
action, entityType);
|
||||
permissions = _iamSrv.listPolicyPermissionByEntityType(policy.getId(), action, entityType);
|
||||
} else {
|
||||
permissions = _policyPermissionDao.listByPolicyAccessAndEntity(policy.getId(), accessType, entityType);
|
||||
permissions = _iamSrv.listPolicyPermissionByAccessType(policy.getId(), accessType.toString(),
|
||||
entityType, action);
|
||||
}
|
||||
for (AclPolicyPermissionVO permission : permissions) {
|
||||
for (AclPolicyPermission permission : permissions) {
|
||||
if (checkPermissionScope(caller, permission.getScope(), entity)) {
|
||||
if (permission.getEntityType().equals(entityType)) {
|
||||
policyPermissionMap.put(policy, permission.getPermission().isGranted());
|
||||
|
|
@ -109,13 +106,13 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
|
|||
return false;
|
||||
}
|
||||
|
||||
private boolean checkPermissionScope(Account caller, PermissionScope scope, ControlledEntity entity) {
|
||||
private boolean checkPermissionScope(Account caller, String scope, ControlledEntity entity) {
|
||||
|
||||
if(scope.equals(PermissionScope.ACCOUNT)){
|
||||
if (scope.equals(PermissionScope.ACCOUNT.name())) {
|
||||
if(caller.getAccountId() == entity.getAccountId()){
|
||||
return true;
|
||||
}
|
||||
}else if(scope.equals(PermissionScope.DOMAIN)){
|
||||
} else if (scope.equals(PermissionScope.DOMAIN.name())) {
|
||||
if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -60,8 +60,6 @@ public interface AclApiService {
|
|||
|
||||
AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action);
|
||||
|
||||
boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
|
||||
|
||||
List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
|
||||
|
||||
/* Response Generation */
|
||||
|
|
|
|||
|
|
@ -174,7 +174,8 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
|
|||
List<AclPolicy> policies = _iamSrv.listAclPolicies(accountId);
|
||||
AclPolicyPermission curPerm = null;
|
||||
for (AclPolicy policy : policies) {
|
||||
List<AclPolicyPermission> perms = _iamSrv.listPollcyPermissionByEntityType(policy.getId(), action, entityType);
|
||||
List<AclPolicyPermission> perms = _iamSrv.listPolicyPermissionByEntityType(policy.getId(), action,
|
||||
entityType);
|
||||
if (perms == null || perms.size() == 0)
|
||||
continue;
|
||||
AclPolicyPermission perm = perms.get(0); // just pick one
|
||||
|
|
@ -190,12 +191,6 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
|
|||
}
|
||||
|
||||
|
||||
|
||||
@Override
|
||||
public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
|
||||
return _iamSrv.isAPIAccessibleForPolicies(apiName, policies);
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity) {
|
||||
|
||||
|
|
|
|||
|
|
@ -66,12 +66,14 @@ public interface IAMService {
|
|||
|
||||
List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope);
|
||||
|
||||
List<AclPolicyPermission> listPollcyPermissionByEntityType(long policyId, String action, String entityType);
|
||||
List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId, String action, String entityType);
|
||||
|
||||
boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
|
||||
boolean isActionAllowedForPolicies(String action, List<AclPolicy> policies);
|
||||
|
||||
List<Long> getGrantedEntities(long accountId, String action, String scope);
|
||||
|
||||
AclPolicy resetAclPolicy(long aclPolicyId);
|
||||
|
||||
List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId, String accessType, String entityType, String action);
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -601,9 +601,9 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
|
|||
}
|
||||
|
||||
@Override
|
||||
public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
|
||||
public boolean isActionAllowedForPolicies(String action, List<AclPolicy> policies) {
|
||||
|
||||
boolean accessible = false;
|
||||
boolean allowed = false;
|
||||
|
||||
List<Long> policyIds = new ArrayList<Long>();
|
||||
for (AclPolicy policy : policies) {
|
||||
|
|
@ -616,14 +616,15 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
|
|||
|
||||
SearchCriteria<AclPolicyPermissionVO> sc = sb.create();
|
||||
sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
|
||||
sc.setParameters("action", action);
|
||||
|
||||
List<AclPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
|
||||
|
||||
if (permissions != null && !permissions.isEmpty()) {
|
||||
accessible = true;
|
||||
allowed = true;
|
||||
}
|
||||
|
||||
return accessible;
|
||||
return allowed;
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -664,13 +665,21 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
|
|||
}
|
||||
|
||||
@Override
|
||||
public List<AclPolicyPermission> listPollcyPermissionByEntityType(long policyId, String action, String entityType) {
|
||||
public List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId, String action, String entityType) {
|
||||
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
|
||||
List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
|
||||
pl.addAll(pp);
|
||||
return pl;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId, String accessType, String entityType, String action) {
|
||||
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType, action);
|
||||
List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
|
||||
pl.addAll(pp);
|
||||
return pl;
|
||||
}
|
||||
|
||||
@Override
|
||||
public AclPolicy getResourceOwnerPolicy() {
|
||||
return _aclPolicyDao.findByName("RESOURCE_OWNER");
|
||||
|
|
|
|||
|
|
@ -33,6 +33,6 @@ public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO
|
|||
|
||||
List<AclPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType);
|
||||
|
||||
List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, String accessType, String entityType);
|
||||
List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, String accessType, String entityType, String action);
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -104,11 +104,12 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
|
|||
|
||||
@Override
|
||||
public List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType,
|
||||
String entityType) {
|
||||
String entityType, String action) {
|
||||
SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
|
||||
sc.setParameters("policyId", policyId);
|
||||
sc.setParameters("entityType", entityType);
|
||||
sc.setParameters("accessType", accessType);
|
||||
sc.setParameters("action", action);
|
||||
return listBy(sc);
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue