From 579806440b4c1ca0107b97cd65d30494cf804a99 Mon Sep 17 00:00:00 2001
From: Prachi Damle
Date: Mon, 7 Oct 2013 14:30:15 -0700
Subject: [PATCH] Add permission flag to acl_entity_permission

---
 .../cloudstack/acl/AclEntityPermission.java   |  2 ++
 .../cloudstack/acl/AclEntityPermissionVO.java | 17 ++++++++++++++---
 .../entity/RoleBasedEntityAccessChecker.java  | 12 ++++++++++++
 .../apache/cloudstack/acl/AclServiceImpl.java |  2 +-
 setup/db/db/schema-420to430.sql               |  3 ++-
 5 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/api/src/org/apache/cloudstack/acl/AclEntityPermission.java b/api/src/org/apache/cloudstack/acl/AclEntityPermission.java
index 2716406de3f..bfe7ac96c46 100644
--- a/api/src/org/apache/cloudstack/acl/AclEntityPermission.java
+++ b/api/src/org/apache/cloudstack/acl/AclEntityPermission.java
@@ -12,4 +12,6 @@ public interface AclEntityPermission extends InternalIdentity {
     Long getEntityId();
 
     AccessType getAccessType();
+
+    boolean isAllowed();
 }
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java
index a3945163221..4e0f3c0a0cf 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java
@@ -32,7 +32,7 @@ public class AclEntityPermissionVO implements AclEntityPermission {
 
     @Column(name = "entity_id")
     private long entityId;
-
+
     @Column(name = "entity_uuid")
     private String entityUuid;
 
@@ -40,6 +40,9 @@ public class AclEntityPermissionVO implements AclEntityPermission {
     @Enumerated(value = EnumType.STRING)
     AccessType accessType;
 
+    @Column(name = "permission")
+    private boolean permission;
+
     @Column(name = GenericDao.REMOVED_COLUMN)
     private Date removed;
 
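Review bot: `isAllowed()` is added to the public `AclEntityPermission` interface without Javadoc, and the meaning of `false` (an explicit deny row, per the schema comment '1 allowed, 0 for denied' elsewhere in this commit) is not recoverable from the name alone. Suggest `/** @return {@code true} if this entry grants the access type, {@code false} if it explicitly denies it. */` above the declaration. The start of the interface is outside the hunk, so I cannot tell whether the other members follow a documented style.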
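Review bot: The new field in `AclEntityPermissionVO` is named `permission` but is exposed as `isAllowed()` and encoded in the schema as '1 allowed, 0 for denied', so a reader has to cross-reference three places to learn that `false` means explicit deny; naming it `allowed`, or adding `// true = explicit allow, false = explicit deny (acl_entity_permission.permission)` above the `@Column`, would keep the VO self-describing. Because the field is a primitive, an instance built through a no-argument constructor (the `}` context at the top of the `@@ -50,14` hunk suggests one exists) carries `false`, i.e. a deny; that is the safe default for an authorization flag but is worth stating in the same comment.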
@@ -50,14 +53,16 @@ public class AclEntityPermissionVO implements AclEntityPermission {
 
     }
 
-    public AclEntityPermissionVO(long groupId, String entityType, long entityId, String entityUuid, AccessType atype) {
+    public AclEntityPermissionVO(long groupId, String entityType, long entityId, String entityUuid, AccessType atype,
+            boolean permission) {
         aclGroupId = groupId;
         this.entityType = entityType;
         this.entityId = entityId;
         this.entityUuid = entityUuid;
         accessType = atype;
+        this.permission = permission;
     }
-
+
     @Override
     public long getId() {
         return id;
@@ -115,4 +120,10 @@ public class AclEntityPermissionVO implements AclEntityPermission {
     public Date getCreated() {
         return created;
     }
+
+    @Override
+    public boolean isAllowed() {
+        return permission;
+    }
+
 }
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index 0f83b28b44d..fa8bed103aa 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -20,11 +20,14 @@ import java.util.List;
 
 import javax.inject.Inject;
 
+import org.apache.cloudstack.acl.AclGroupAccountMapVO;
 import org.apache.cloudstack.acl.AclRole;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
+import org.apache.cloudstack.acl.dao.AclGroupDao;
 
 import com.cloud.acl.DomainChecker;
 import com.cloud.exception.PermissionDeniedException;
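Review bot: `org.apache.cloudstack.acl.dao.AclGroupDao` is imported but referenced nowhere in this commit — the diffstat's 12 insertions for `RoleBasedEntityAccessChecker.java` are fully accounted for by the three imports here and the nine lines of the `@@ -39,10` hunk — so it is a dead import and will trip any unused-import check the build runs. `AclGroupAccountMapVO` is imported but the list it is meant to type is declared raw (`List acctGroups`) in that next hunk; either declare it as `List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());` there or drop this import too.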
@@ -39,10 +42,19 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
     @Inject
     AclService _aclService;
 
+    @Inject
+    AclGroupAccountMapDao _aclGroupAccountMapDao;
+
     @Override
     public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
             throws PermissionDeniedException {
 
+        // check if explicit allow/deny is present for this entity in
+        // acl_entity_permission
+
+        List acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());
+
+
         // Is Caller RootAdmin? Yes, granted true
         if (_accountService.isRootAdmin(caller.getId())) {
             return true;
diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
index 69f9d3d5568..ecff79409fc 100644
--- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
@@ -259,7 +259,7 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
             if (entity instanceof Identity) {
                 entityUuid = ((Identity)entity).getUuid();
             }
-            perm = new AclEntityPermissionVO(aclGroupId, entityType, entityId, entityUuid, accessType);
+            perm = new AclEntityPermissionVO(aclGroupId, entityType, entityId, entityUuid, accessType, true);
             _entityPermissionDao.persist(perm);
         }
         return group;
diff --git a/setup/db/db/schema-420to430.sql b/setup/db/db/schema-420to430.sql
index 6d03a6d6958..ecc2049900f 100644
--- a/setup/db/db/schema-420to430.sql
+++ b/setup/db/db/schema-420to430.sql
@@ -362,7 +362,8 @@ CREATE TABLE `cloud`.`acl_entity_permission` (
   `entity_type` varchar(100) NOT NULL,
   `entity_id` bigint unsigned NOT NULL,
   `entity_uuid` varchar(40),
-  `access_type` varchar(40) NOT NULL,
+  `access_type` varchar(40) NOT NULL,
+  `permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied',
   `removed` datetime COMMENT 'date the permission was revoked',
   `created` datetime COMMENT 'date the permission was granted',
   PRIMARY KEY (`id`),
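Review bot: The explicit allow/deny lookup announced by the new comment in `checkAccess` is never performed: `acctGroups` is filled from `_aclGroupAccountMapDao.listByAccountId(caller.getId())` and then unused, and no line of this commit reads acl_entity_permission, so a row persisted with permission = 0 cannot influence the result and the deny semantics introduced by the schema are not enforced by this checker. Until the lookup exists I would not run a query on every access check that cannot change the outcome; at minimum move it below the root-admin short-circuit, type it as `List<AclGroupAccountMapVO> acctGroups`, and replace the comment with `// TODO: consult acl_entity_permission for an explicit allow/deny before any role-based grant`. If the remainder of the method grants on group or role membership, as the class name suggests, an explicit deny has to be evaluated before that grant, otherwise group membership silently overrides a deny row. The body of `checkAccess` continues outside the hunk.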
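Review bot: The only writer of the new flag in `AclServiceImpl` hard-codes `true`, so the service layer cannot create a deny row and the flag is effectively write-only for now; a bare boolean literal as the sixth constructor argument also tells the reader nothing at the call site. If the enclosing method (its signature is outside the hunk) is meant to grant only, say so inline, `perm = new AclEntityPermissionVO(aclGroupId, entityType, entityId, entityUuid, accessType, true /* explicit allow */);`, or expose the flag through the method's parameters when deny support is added. Passing `true` explicitly is at least consistent with the NOT NULL column, so the insert cannot fail on a missing default.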
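Review bot: The `permission` column is added by editing the `CREATE TABLE` inside the 4.2-to-4.3 upgrade script rather than by an `ALTER TABLE`, so any database on which this script has already been applied (development or test deployments tracking the branch) keeps the old table, and inserts from `AclEntityPermissionVO`, which now maps `@Column(name = "permission")`, should fail on the unknown column; if such environments exist, an idempotent `ALTER TABLE ... ADD COLUMN` is needed alongside this edit. `NOT NULL` without a `DEFAULT` is the right choice for an authorization flag, since an insert that omits it is rejected instead of silently becoming an allow. `int(1) unsigned` works, but if the rest of the schema represents booleans as `tinyint(1)` (I cannot see the convention from this hunk) the column should follow it so the ORM's boolean mapping stays uniform; the `access_type` line appears to be a whitespace-only change.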