etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

plugins: Check access based on roleType, remove unnecessary properties.in file 

- Fix StaticRoleBasedAPIAccessChecker to check api access based on roletype
- Remove properties file which is not needed now for api discovery plugin

Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
This commit is contained in:
Rohit Yadav 2013-01-10 15:53:18 -08:00
parent 8f26e171e6
commit 345c179e77
2 changed files with 48 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
client/tomcatconf/api-discovery_commands.properties.in
View File

@ -1,23 +0,0 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# bitmap of permissions at the end of each classname, 1 = ADMIN, 2 =
# RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER
# Please standardize naming conventions to camel-case (even for acronyms).
# CloudStack API Discovery service command
listApis=15

136
plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
View File

@ -16,28 +16,23 @@
// under the License.
package org.apache.cloudstack.acl;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.util.*;
import javax.ejb.Local;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.APIAccessChecker;
import org.apache.cloudstack.acl.RoleType;
import static org.apache.cloudstack.acl.RoleType.*;
import org.apache.log4j.Logger;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.server.ManagementServer;
import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.component.AdapterBase;
import com.cloud.utils.component.ComponentLocator;
import com.cloud.utils.component.PluggableService;
import javax.ejb.Local;
import javax.naming.ConfigurationException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import static org.apache.cloudstack.acl.RoleType.*;
import org.apache.log4j.Logger;
// This is the default API access checker that grab's the user's account
// based on the account type, access is granted
@Local(value=APIAccessChecker.class)
@ -60,35 +55,29 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
}
@Override
public boolean canAccessAPI(RoleType roleType, String apiCommandName)
throws PermissionDeniedException{
public boolean canAccessAPI(RoleType roleType, String commandName)
throws PermissionDeniedException {
boolean commandExists = s_allCommands.contains(apiCommandName);
boolean commandExists = s_allCommands.contains(commandName);
boolean commandAccessible = false;
if(commandExists) {
return isCommandAvailableForAccount(roleType, apiCommandName);
if (commandExists) {
switch (roleType) {
case Admin:
commandAccessible = s_adminCommands.contains(commandName);
break;
case DomainAdmin:
commandAccessible = s_resellerCommands.contains(commandName);
break;
case ResourceAdmin:
commandAccessible = s_resourceDomainAdminCommands.contains(commandName);
break;
case User:
commandAccessible = s_userCommands.contains(commandName);
break;
}
}
return commandExists;
}
private static boolean isCommandAvailableForAccount(RoleType roleType, String commandName) {
boolean isCommandAvailable = false;
switch (roleType) {
case Admin:
isCommandAvailable = s_adminCommands.contains(commandName);
break;
case DomainAdmin:
isCommandAvailable = s_resellerCommands.contains(commandName);
break;
case ResourceAdmin:
isCommandAvailable = s_resourceDomainAdminCommands.contains(commandName);
break;
case User:
isCommandAvailable = s_userCommands.contains(commandName);
break;
}
return isCommandAvailable;
return commandExists && commandAccessible;
}
@Override
@ -100,69 +89,40 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
List<PluggableService> services = locator.getAllPluggableServices();
services.add((PluggableService) ComponentLocator.getComponent(ManagementServer.Name));
List<String> configFiles = new ArrayList<String>();
Map<String, String> configPropertiesMap = new HashMap<String, String>();
for (PluggableService service : services) {
configFiles.addAll(Arrays.asList(service.getPropertiesFiles()));
configPropertiesMap.putAll(service.getProperties());
}
processConfigFiles(configFiles);
processConfigFiles(configPropertiesMap);
return true;
}
private void processConfigFiles(List<String> configFiles) {
Properties preProcessedCommands = new Properties();
for (String configFile : configFiles) {
File commandsFile = PropertiesUtil.findConfigFile(configFile);
if (commandsFile != null) {
try {
preProcessedCommands.load(new FileInputStream(commandsFile));
} catch (FileNotFoundException fnfex) {
// in case of a file within a jar in classpath, try to open stream using url
InputStream stream = PropertiesUtil.openStreamFromURL(configFile);
if (stream != null) {
try {
preProcessedCommands.load(stream);
} catch (IOException e) {
s_logger.error("IO Exception, unable to find properties file:", fnfex);
}
} else {
s_logger.error("Unable to find properites file", fnfex);
}
} catch (IOException ioe) {
s_logger.error("IO Exception loading properties file", ioe);
}
}
}
for (Object key : preProcessedCommands.keySet()) {
String preProcessedCommand = preProcessedCommands.getProperty((String) key);
int splitIndex = preProcessedCommand.lastIndexOf(";");
// Backward compatible to old style, apiname=pkg;mask
String mask = preProcessedCommand.substring(splitIndex+1);
private void processConfigFiles(Map<String, String> config) {
for (Map.Entry<String, String> entry: config.entrySet()) {
String apiName = entry.getKey();
String roleMask = entry.getValue();
try {
short cmdPermissions = Short.parseShort(mask);
short cmdPermissions = Short.parseShort(roleMask);
if ((cmdPermissions & Admin.getValue()) != 0) {
s_adminCommands.add((String) key);
s_adminCommands.add(apiName);
}
if ((cmdPermissions & ResourceAdmin.getValue()) != 0) {
s_resourceDomainAdminCommands.add((String) key);
s_resourceDomainAdminCommands.add(apiName);
}
if ((cmdPermissions & DomainAdmin.getValue()) != 0) {
s_resellerCommands.add((String) key);
s_resellerCommands.add(apiName);
}
if ((cmdPermissions & User.getValue()) != 0) {
s_userCommands.add((String) key);
s_userCommands.add(apiName);
}
s_allCommands.addAll(s_adminCommands);
s_allCommands.addAll(s_resourceDomainAdminCommands);
s_allCommands.addAll(s_userCommands);
s_allCommands.addAll(s_resellerCommands);
} catch (NumberFormatException nfe) {
s_logger.info("Malformed command.properties permissions value, key = " + key + ", value = " + preProcessedCommand);
s_logger.info("Malformed commands.properties permissions value, for entry: " + entry.toString());
}
}
s_allCommands.addAll(s_adminCommands);
s_allCommands.addAll(s_resourceDomainAdminCommands);
s_allCommands.addAll(s_userCommands);
s_allCommands.addAll(s_resellerCommands);
}
}