From 6730fa2b47d165dc121c5dc9fc3e1dd42c2745f7 Mon Sep 17 00:00:00 2001 From: Min Chen Date: Mon, 9 Dec 2013 14:08:54 -0800 Subject: [PATCH] Fill in implementation of AclService.getGrantedDomains, getGrantedAccounts and getGrantedResources. --- .../org/apache/cloudstack/acl/AclService.java | 6 +- .../acl/dao/AclPolicyPermissionDao.java | 2 + .../acl/dao/AclPolicyPermissionDaoImpl.java | 50 ++++++++++++++-- .../com/cloud/user/AccountManagerImpl.java | 6 +- .../apache/cloudstack/acl/AclServiceImpl.java | 57 ++++++++++++++++--- 5 files changed, 102 insertions(+), 19 deletions(-) diff --git a/api/src/org/apache/cloudstack/acl/AclService.java b/api/src/org/apache/cloudstack/acl/AclService.java index 0c0ec69fdab..c8d8b48867b 100644 --- a/api/src/org/apache/cloudstack/acl/AclService.java +++ b/api/src/org/apache/cloudstack/acl/AclService.java @@ -57,10 +57,10 @@ public interface AclService { List getEffectivePolicies(Account caller, ControlledEntity entity); /* Visibility related interfaces */ - List getGrantedDomains(long accountId, AclEntityType entityType, String action); + List getGrantedDomains(long accountId, String action); - List getGrantedAccounts(long accountId, AclEntityType entityType, String action); + List getGrantedAccounts(long accountId, String action); - List getGrantedResources(long accountId, AclEntityType entityType, String action); + List getGrantedResources(long accountId, String action); } diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java index f3c6446e0fe..2defc1c4f0d 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java +++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java @@ -31,5 +31,7 @@ public interface AclPolicyPermissionDao extends GenericDao listGrantedByActionAndScope(long policyId, String action, PermissionScope scope); + } diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java index 11b009b30c5..fefafde4a06 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java +++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java @@ -26,28 +26,70 @@ import org.apache.cloudstack.acl.AclPolicyPermissionVO; import org.apache.cloudstack.acl.PermissionScope; import com.cloud.utils.db.GenericDaoBase; +import com.cloud.utils.db.SearchBuilder; +import com.cloud.utils.db.SearchCriteria; public class AclPolicyPermissionDaoImpl extends GenericDaoBase implements AclPolicyPermissionDao { + private SearchBuilder policyIdSearch; + private SearchBuilder fullSearch; + private SearchBuilder actionScopeSearch; @Override public boolean configure(String name, Map params) throws ConfigurationException { super.configure(name, params); + policyIdSearch = createSearchBuilder(); + policyIdSearch.and("policyId", policyIdSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ); + policyIdSearch.done(); + + fullSearch = createSearchBuilder(); + fullSearch.and("policyId", fullSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ); + fullSearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ); + fullSearch.and("scope", fullSearch.entity().getScope(), SearchCriteria.Op.EQ); + fullSearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ); + fullSearch.and("action", fullSearch.entity().getAction(), SearchCriteria.Op.EQ); + fullSearch.and("permission", fullSearch.entity().getPermission(), SearchCriteria.Op.EQ); + fullSearch.done(); + + actionScopeSearch = createSearchBuilder(); + actionScopeSearch.and("policyId", actionScopeSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ); + actionScopeSearch.and("scope", actionScopeSearch.entity().getScope(), SearchCriteria.Op.EQ); + actionScopeSearch.and("action", actionScopeSearch.entity().getAction(), SearchCriteria.Op.EQ); + actionScopeSearch.and("permission", actionScopeSearch.entity().getPermission(), SearchCriteria.Op.EQ); + actionScopeSearch.done(); + return true; } @Override public List listByPolicy(long policyId) { - // TODO Auto-generated method stub - return null; + SearchCriteria sc = policyIdSearch.create(); + sc.setParameters("policyId", policyId); + return listBy(sc); } @Override public AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) { - // TODO Auto-generated method stub - return null; + SearchCriteria sc = fullSearch.create(); + sc.setParameters("policyId", policyId); + sc.setParameters("entityType", entityType); + sc.setParameters("scope", scope); + sc.setParameters("scopeId", scopeId); + sc.setParameters("action", action); + sc.setParameters("permission", perm); + return findOneBy(sc); + } + + @Override + public List listGrantedByActionAndScope(long policyId, String action, PermissionScope scope) { + SearchCriteria sc = actionScopeSearch.create(); + sc.setParameters("policyId", policyId); + sc.setParameters("action", action); + sc.setParameters("scope", scope); + sc.setParameters("permission", Permission.Allow); + return listBy(sc); } } diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 0ddc37a09ad..3decaf06183 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -2610,9 +2610,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M // search for policy permissions associated with caller to get all his authorized domains, accounts, and resources // Assumption: if a domain is in grantedDomains, then all the accounts under this domain will not be returned in "grantedAccounts". Similarly, if an account // is in grantedAccounts, then all the resources owned by this account will not be returned in "grantedResources". - List grantedDomains = _aclService.getGrantedDomains(caller.getId(), AclEntityType.VM, action); - List grantedAccounts = _aclService.getGrantedAccounts(caller.getId(), AclEntityType.VM, action); - List grantedResources = _aclService.getGrantedResources(caller.getId(), AclEntityType.VM, action); + List grantedDomains = _aclService.getGrantedDomains(caller.getId(), action); + List grantedAccounts = _aclService.getGrantedAccounts(caller.getId(), action); + List grantedResources = _aclService.getGrantedResources(caller.getId(), action); if (domainId != null) { // specific domain is specified diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java index 9b3973364b1..1ab4efeab70 100644 --- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java +++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java @@ -678,21 +678,60 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { } @Override - public List getGrantedDomains(long accountId, AclEntityType entityType, String action) { - // TODO Auto-generated method stub - return null; + public List getGrantedDomains(long accountId, String action) { + // Get the static Policies of the Caller + List policies = listAclPolicies(accountId); + // for each policy, find granted permission with Domain scope + List domainIds = new ArrayList(); + for (AclPolicy policy : policies) { + List pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.DOMAIN); + if (pp != null) { + for (AclPolicyPermissionVO p : pp) { + if (p.getScopeId() != null) { + domainIds.add(p.getScopeId()); + } + } + } + } + return domainIds; } @Override - public List getGrantedAccounts(long accountId, AclEntityType entityType, String action) { - // TODO Auto-generated method stub - return null; + public List getGrantedAccounts(long accountId, String action) { + // Get the static Policies of the Caller + List policies = listAclPolicies(accountId); + // for each policy, find granted permission with Account scope + List accountIds = new ArrayList(); + for (AclPolicy policy : policies) { + List pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ACCOUNT); + if (pp != null) { + for (AclPolicyPermissionVO p : pp) { + if (p.getScopeId() != null) { + accountIds.add(p.getScopeId()); + } + } + } + } + return accountIds; } @Override - public List getGrantedResources(long accountId, AclEntityType entityType, String action) { - // TODO Auto-generated method stub - return null; + public List getGrantedResources(long accountId, String action) { + // Get the static Policies of the Caller + List policies = listAclPolicies(accountId); + // for each policy, find granted permission with Resource scope + List entityIds = new ArrayList(); + for (AclPolicy policy : policies) { + List pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.RESOURCE); + if (pp != null) { + for (AclPolicyPermissionVO p : pp) { + if (p.getScopeId() != null) { + entityIds.add(p.getScopeId()); + } + } + } + } + return entityIds; } }