diff --git a/api/src/org/apache/cloudstack/acl/AclProxyService.java b/api/src/org/apache/cloudstack/acl/AclProxyService.java
deleted file mode 100644
index 7f6bf2337ec..00000000000
--- a/api/src/org/apache/cloudstack/acl/AclProxyService.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package org.apache.cloudstack.acl;
-
-import java.util.List;
-
-public interface AclProxyService {
-
- List listAclGroupsByAccount(long accountId);
-
- void removeAccountFromAclGroups(long accountId);
-
- void addAccountToAclGroup(long accountId, long groupId);
-
-}
diff --git a/api/src/org/apache/cloudstack/acl/QuerySelector.java b/api/src/org/apache/cloudstack/acl/QuerySelector.java
index 75fedb39f0a..b89aa4e9ef5 100644
--- a/api/src/org/apache/cloudstack/acl/QuerySelector.java
+++ b/api/src/org/apache/cloudstack/acl/QuerySelector.java
@@ -62,4 +62,11 @@ public interface QuerySelector extends Adapter {
 */
 boolean isGrantedAll(Account caller, String action);
+ /**
+ * List of ACL group the given account belongs to
+ * @param accountId account id.
+ * @return ACL group names
+ */
+ List listAclGroupsByAccount(long accountId);
+
 }
diff --git a/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java
index 8c2b1953d1b..6ea11813145 100644
--- a/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java
@@ -24,7 +24,6 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
-import org.apache.cloudstack.acl.AclProxyService;
 import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.ResourceLimitAndCountResponse;
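Review bot: The Javadoc on the new `listAclGroupsByAccount` in QuerySelector leaves the result for an account with no groups unspecified, and AccountJoinDaoImpl hands the value straight to `accountResponse.setGroups(...)`, so implementers need to know whether `null` is permitted. The only implementation in this diff (RoleBasedEntityQuerySelector) builds a fresh list and returns it even when there are no groups, so that can be written down as the contract: `@return names of the ACL groups the account belongs to; an empty list when it belongs to none (never null)`. The summary line would also read better as `Lists the names of the ACL groups the given account belongs to.`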
@@ -48,9 +47,7 @@ public class AccountJoinDaoImpl extends GenericDaoBase impl
 private final SearchBuilder acctIdSearch;
 @Inject
- public AccountManager _accountMgr;
- @Inject
- AclProxyService _aclProxy;
+ AccountManager _acctMgr;
 protected AccountJoinDaoImpl() {
@@ -106,7 +103,7 @@ public class AccountJoinDaoImpl extends GenericDaoBase impl
 accountResponse.setObjectName("account");
 // add all the acl groups for an account
- accountResponse.setGroups(_aclProxy.listAclGroupsByAccount(account.getId()));
+ accountResponse.setGroups(_acctMgr.listAclGroupsByAccount(account.getId()));
 return accountResponse;
 }
diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java
index 84eadea96a5..46829e756fe 100755
--- a/server/src/com/cloud/user/AccountManager.java
+++ b/server/src/com/cloud/user/AccountManager.java
@@ -191,6 +191,8 @@ public interface AccountManager extends AccountService {
 */
 Account lockAccount(String accountName, Long domainId, Long accountId);
+ List listAclGroupsByAccount(Long accountId);
+
 public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event";
 public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event";
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index bd41520b544..62b496d61c3 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -40,7 +40,6 @@ import javax.naming.ConfigurationException;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.AclProxyService;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.QuerySelector;
 import org.apache.cloudstack.acl.RoleType;
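Review bot: The new `List listAclGroupsByAccount(Long accountId);` in AccountManager has no Javadoc, unlike the `lockAccount` declaration just above it, and it takes a boxed `Long` while the QuerySelector method it is delegated to in AccountManagerImpl takes a primitive `long`, so a null argument is only reported as an unboxing NullPointerException deep inside the implementation. Declaring the parameter as `long accountId` keeps the two interfaces consistent and pushes the null decision to the caller; AccountJoinDaoImpl already passes `account.getId()`, so it would not need to change. Whichever type is kept, add a short Javadoc naming the return contract, in particular that an empty list is returned when no IAM adapter is configured.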
@@ -253,8 +252,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 @Inject
 private GlobalLoadBalancerRuleDao _gslbRuleDao;
- @Inject
- QuerySelector _aclQuerySelector; // we assume that there should be one type of QuerySelector adapter
+ List _querySelectors;
 @Inject
 MessageBus _messageBus;
@@ -302,6 +300,14 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 _securityCheckers = securityCheckers;
 }
+ public List getQuerySelectors() {
+ return _querySelectors;
+ }
+
+ public void setQuerySelectors(List querySelectors) {
+ _querySelectors = querySelectors;
+ }
+
 @Override
 public boolean configure(final String name, final Map params) throws ConfigurationException {
 _systemAccount = _accountDao.findById(AccountVO.ACCOUNT_ID_SYSTEM);
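Review bot: `List _querySelectors;` on the new side carries no `@Inject`, whereas the field it replaces was injected, and nothing in this diff shows `setQuerySelectors` being invoked; unless the Spring configuration wires it explicitly (not visible here) the list stays null. That matters because the later hunk in this file returns early with no ACL filtering when the list is null or empty, so a wiring mistake degrades silently rather than failing at startup. Since the design assumes exactly one adapter, `configure()` (which follows the second hunk) is the natural place to check the list once and warn when it is empty or holds more than one entry, e.g. `if (_querySelectors == null || _querySelectors.isEmpty()) <logger>.warn("No QuerySelector adapter configured; ACL search filtering is disabled");` where `<logger>` stands for this class's log4j Logger field. The comment that used to explain the single-adapter assumption was dropped with the old field; keep it on the new one.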
@@ -2249,16 +2255,21 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 // search for policy permissions associated with caller to get all his authorized domains, accounts, and resources
 // Assumption: if a domain is in grantedDomains, then all the accounts under this domain will not be returned in "grantedAccounts". Similarly, if an account
 // is in grantedAccounts, then all the resources owned by this account will not be returned in "grantedResources".
- boolean grantedAll = _aclQuerySelector.isGrantedAll(caller, action);
+ // assume that there is only one query selector adapter
+ if (_querySelectors == null || _querySelectors.size() == 0)
+ return; // no futher filtering
+
+ QuerySelector qs = _querySelectors.get(0);
+ boolean grantedAll = qs.isGrantedAll(caller, action);
 if ( grantedAll ){
 if ( domainId != null ){
 permittedDomains.add(domainId);
 }
 } else {
- List grantedDomains = _aclQuerySelector.getAuthorizedDomains(caller, action);
- List grantedAccounts = _aclQuerySelector.getAuthorizedAccounts(caller, action);
- List grantedResources = _aclQuerySelector.getAuthorizedResources(caller, action);
+ List grantedDomains = qs.getAuthorizedDomains(caller, action);
+ List grantedAccounts = qs.getAuthorizedAccounts(caller, action);
+ List grantedResources = qs.getAuthorizedResources(caller, action);
 if (domainId != null) { // specific domain is specified
@@ -2437,4 +2448,13 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 sc.addAnd("accountId", SearchCriteria.Op.SC, aclSc);
 }
+ @Override
+ public List listAclGroupsByAccount(Long accountId) {
+ if (_querySelectors == null || _querySelectors.size() == 0)
+ return new ArrayList();
+
+ QuerySelector qs = _querySelectors.get(0);
+ return qs.listAclGroupsByAccount(accountId);
+ }
+
 }
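Review bot: The early `return; // no futher filtering` when `_querySelectors` is null or empty changes the authorization behaviour of this method silently: with no adapter wired, `permittedDomains` is left untouched (even the `domainId != null` case that the granted-all branch handles is skipped), and whether an untouched set means "see everything" or "see nothing" is decided by code outside this hunk. If it means "no restriction", a missing or misconfigured IAM plugin fails open, which at minimum deserves a log line; if it means "nothing", the `domainId` case that used to be handled is now dropped. Suggest logging at the return and using `isEmpty()`: `if (_querySelectors == null || _querySelectors.isEmpty()) { <logger>.warn("No QuerySelector adapter configured; skipping ACL filtering for action " + action); return; }` (with `<logger>` standing for the class's log4j Logger), and fixing the typo to `// no further filtering`. Only `_querySelectors.get(0)` is consulted, so any further configured adapter is ignored without notice. The enclosing method starts before and ends after this hunk.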
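Review bot: `listAclGroupsByAccount(Long accountId)` hands the boxed `accountId` to `qs.listAclGroupsByAccount(long)`, so a null argument surfaces as an unboxing NullPointerException instead of a clear message; add `Objects.requireNonNull(accountId, "accountId");` at the top, or take `long` to match QuerySelector. The null/empty check on `_querySelectors` duplicates the one in the previous hunk; a small private helper that returns the single configured selector (or null) would keep the two in step, and `isEmpty()` reads better than `size() == 0`. The method also has no Javadoc stating that it returns an empty list when no adapter is configured.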
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
index 3e76a7e50c8..8299819fddd 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
@@ -23,6 +23,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.iam.api.AclGroup;
 import org.apache.cloudstack.iam.api.AclPolicy;
 import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import org.apache.cloudstack.iam.api.IAMService;
@@ -112,4 +113,14 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
 return false;
 }
+ @Override
+ public List listAclGroupsByAccount(long accountId) {
+ List groups = _iamService.listAclGroups(accountId);
+ List groupNames = new ArrayList();
+ for (AclGroup grp : groups) {
+ groupNames.add(grp.getName());
+ }
+ return groupNames;
+ }
+
 }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
index 273c3833241..98abd133a67 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
@@ -18,7 +18,6 @@ package org.apache.cloudstack.acl.api;
 import java.util.List;
-import org.apache.cloudstack.acl.AclProxyService;
 import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.api.response.AclGroupResponse;
 import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
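Review bot: The loop `for (AclGroup grp : groups)` in the new `listAclGroupsByAccount` iterates the result of `_iamService.listAclGroups(accountId)` without a null check; whether that call can return null is not visible here, but the method sits on the path that renders account responses, so a defensive `if (groups == null) return groupNames;` before the loop (or a documented non-null contract on `IAMService.listAclGroups`) is cheap insurance. The method's return should also be documented as an empty list when the account belongs to no group, since that is what the code does and callers place the value straight into the response.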
@@ -31,7 +30,7 @@ import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
 import com.cloud.user.Account;
 import com.cloud.utils.component.PluggableService;
-public interface AclApiService extends AclProxyService, PluggableService {
+public interface AclApiService extends PluggableService {
 /* ACL group related interfaces */
 AclGroup createAclGroup(Account caller, String aclGroupName, String description);
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
index cb6ef0ce70e..d3be7471e41 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -150,15 +150,6 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
 return _iamSrv.listAclGroups(accountId);
 }
- @Override
- public List listAclGroupsByAccount(long accountId) {
- List groups = listAclGroups(accountId);
- List groupNames = new ArrayList();
- for (AclGroup grp : groups) {
- groupNames.add(grp.getName());
- }
- return groupNames;
- }
 @DB @Override
@@ -167,8 +158,7 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
 return _iamSrv.addAccountsToGroup(acctIds, groupId);
 }
- @Override
- public void removeAccountFromAclGroups(long accountId) {
+ private void removeAccountFromAclGroups(long accountId) {
 List groups = listAclGroups(accountId);
 List accts = new ArrayList();
 accts.add(accountId);
@@ -179,8 +169,7 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
 }
 }
- @Override
- public void addAccountToAclGroup(long accountId, long groupId) {
+ private void addAccountToAclGroup(long accountId, long groupId) {
 List accts = new ArrayList();
 accts.add(accountId);
 addAccountsToGroup(accts, groupId);
diff --git a/services/pom.xml b/services/pom.xml
index 81531df2e37..fb6d71de0cf 100644
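Review bot: `removeAccountFromAclGroups` and `addAccountToAclGroup` are narrowed from `@Override public` to `private` in the last two hunks of AclApiServiceImpl, but no caller inside the class is visible in this diff; now that AclProxyService is gone, if nothing in the class invokes them they are dead code and should be deleted rather than kept private. If they are still used, a one-line comment naming the internal caller would spare the next reader the same question. Both method bodies continue past their hunks.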
--- a/services/pom.xml
+++ b/services/pom.xml
@@ -27,9 +27,6 @@ 4.3.0-SNAPSHOT ../pom.xml - - install - console-proxy secondary-storage
diff --git a/setup/db/db/schema-421to430.sql b/setup/db/db/schema-421to430.sql
index 453e47f88a7..2256a51ca92 100644
--- a/setup/db/db/schema-421to430.sql
+++ b/setup/db/db/schema-421to430.sql
@@ -397,75 +397,6 @@ INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permi
 INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (2, 3, 'DomainCapability', 'Allow', Now());
 INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (3, 4, 'DomainResourceCapability', 'Allow', Now());
-CREATE OR REPLACE VIEW `cloud`.`acl_policy_view` AS
- select
- acl_policy.id id,
- acl_policy.uuid uuid,
- acl_policy.name name,
- acl_policy.description description,
- acl_policy.removed removed,
- acl_policy.created created,
- domain.id domain_id,
- domain.uuid domain_uuid,
- domain.name domain_name,
- domain.path domain_path,
- account.id account_id,
- account.uuid account_uuid,
- account.account_name account_name,
- account.type account_type,
- acl_policy_permission.action permission_action,
- acl_policy_permission.resource_type permission_entity_type,
- acl_policy_permission.scope permission_scope,
- acl_policy_permission.scope_id permission_scope_id,
- acl_policy_permission.access_type permission_access_type,
- acl_policy_permission.permission permission_allow_deny
- from
- `cloud`.`acl_policy`
- inner join
- `cloud`.`domain` ON acl_policy.domain_id = domain.id
- inner join
- `cloud`.`account` ON acl_policy.account_id = account.id
- left join
- `cloud`.`acl_policy_permission` ON acl_policy.id = acl_policy_permission.policy_id;
-
-
-CREATE OR REPLACE VIEW `cloud`.`acl_group_view` AS
- select
- acl_group.id id,
- acl_group.uuid uuid,
- acl_group.name name,
- acl_group.description description,
- acl_group.removed removed,
- acl_group.created created,
- domain.id domain_id,
- domain.uuid domain_uuid,
- domain.name domain_name,
- domain.path domain_path,
- account.id account_id,
- account.uuid account_uuid,
- account.account_name account_name,
- account.type account_type,
- member_account.id member_account_id,
- member_account.uuid member_account_uuid,
- member_account.account_name member_account_name,
- acl_policy.id policy_id,
- acl_policy.uuid policy_uuid,
- acl_policy.name policy_name
- from
- `cloud`.`acl_group`
- inner join
- `cloud`.`domain` ON acl_group.domain_id = domain.id
- inner join
- `cloud`.`account` ON acl_group.account_id = account.id
- left join
- `cloud`.`acl_group_policy_map` ON acl_group.id = acl_group_policy_map.group_id
- left join
- `cloud`.`acl_policy` ON acl_group_policy_map.policy_id = acl_policy.id
- left join
- `cloud`.`acl_group_account_map` ON acl_group.id = acl_group_account_map.group_id
- left join
- `cloud`.`account` member_account ON acl_group_account_map.account_id = member_account.id;
-
 DROP VIEW IF EXISTS `cloud`.`volume_view`;