changes to support the domain wide resources for Network

engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java

@@ -2196,6 +2196,10 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
                                 NetworkAccountVO networkAccount = _networkAccountDao.getAccountNetworkMapByNetworkId(networkFinal.getId());
                                 if (networkAccount != null)
                                     _networkAccountDao.remove(networkAccount.getId());
+                                
+                                // remove its related ACL permission
+                                Pair<AclEntityType, Long> networkMsg = new Pair<AclEntityType, Long>(AclEntityType.Network, networkFinal.getId());
+                                _messageBus.publish(_name, EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, PublishScope.LOCAL, networkMsg);
                             }
 
                             NetworkOffering ntwkOff = _entityMgr.findById(NetworkOffering.class, networkFinal.getNetworkOfferingId());

server/src/com/cloud/user/DomainManager.java

@@ -49,5 +49,6 @@ public interface DomainManager extends DomainService {
     Domain updateDomain(UpdateDomainCmd cmd);
 
     public static final String MESSAGE_ADD_DOMAIN_EVENT = "Message.AddDomain.Event";
+    public static final String MESSAGE_REMOVE_DOMAIN_EVENT = "Message.RemoveDomain.Event";
 
 }

services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java

@@ -25,6 +25,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.api.InternalIdentity;
+import org.apache.cloudstack.iam.api.AclGroup;
 import org.apache.cloudstack.iam.api.AclPolicy;
 import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import org.apache.cloudstack.iam.api.IAMService;
@@ -168,6 +169,15 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
             policies.add(_iamSrv.getResourceOwnerPolicy());
         }
 
+        List<AclGroup> groups = _iamSrv.listAclGroups(caller.getId());
+        for (AclGroup group : groups) {
+            // for each group find the grand parent groups.
+            List<AclGroup> parentGroups = _iamSrv.listParentAclGroupsOnPath(group.getPath());
+            for (AclGroup parentGroup : parentGroups) {
+                policies.addAll(_iamSrv.listRecursiveAclPoliciesByGroup(parentGroup.getId()));
+            }
+        }
+
         return policies;
     }
 }

services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java

@@ -159,6 +159,21 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
             }
         });
 
+        _messageBus.subscribe(DomainManager.MESSAGE_REMOVE_DOMAIN_EVENT, new MessageSubscriber() {
+            @Override
+            public void onPublishMessage(String senderAddress, String subject, Object obj) {
+                Long domainId = ((Long) obj);
+                if (domainId != null) {
+                    s_logger.debug("MessageBus message: Domain removed: " + domainId + ", removing the domain group");
+                    Domain domain = _domainDao.findById(domainId);
+                    List<AclGroup> groups = listDomainGroup(domain);
+                    for (AclGroup group : groups) {
+                        _iamSrv.deleteAclGroup(group.getId());
+                    }
+                }
+            }
+        });
+
         _messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new MessageSubscriber() {
             @Override
             public void onPublishMessage(String senderAddress, String subject, Object obj) {

services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java

@@ -85,4 +85,8 @@ public interface IAMService {
     List<AclPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
             String entityType);
 
+    List<AclGroup> listParentAclGroupsOnPath(String path);
+
+    List<AclPolicy> listRecursiveAclPoliciesByGroup(long groupId);
+
 }

services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java

@@ -45,6 +45,7 @@ import com.cloud.utils.db.DB;
 import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.db.Filter;
 import com.cloud.utils.db.GenericSearchBuilder;
+import com.cloud.utils.db.JoinBuilder;
 import com.cloud.utils.db.JoinBuilder.JoinType;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@@ -255,6 +256,33 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
         return new Pair<List<AclGroup>, Integer>(new ArrayList<AclGroup>(groups.first()), groups.second());
     }
 
+    @Override
+    public List<AclGroup> listParentAclGroupsOnPath(String path) {
+
+        List<String> pathList = new ArrayList<String>();
+
+        String[] parts = path.split("/");
+
+        for (String part : parts) {
+            int start = path.indexOf(part);
+            if (start > 0) {
+                String subPath = path.substring(0, start);
+                pathList.add(subPath);
+            }
+        }
+
+        SearchBuilder<AclGroupVO> sb = _aclGroupDao.createSearchBuilder();
+        sb.and("paths", sb.entity().getPath(), SearchCriteria.Op.IN);
+
+        SearchCriteria<AclGroupVO> sc = sb.create();
+        sc.setParameters("paths", pathList.toArray());
+
+        List<AclGroupVO> groups = _aclGroupDao.search(sc, null);
+
+        return new ArrayList<AclGroup>(groups);
+
+    }
+
     @DB
     @Override
     public AclPolicy createAclPolicy(final String aclPolicyName, final String description, final Long parentPolicyId) {
@@ -388,6 +416,37 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
         return policies;
     }
 
+    @SuppressWarnings("unchecked")
+    @Override
+    public List<AclPolicy> listRecursiveAclPoliciesByGroup(long groupId) {
+        List<AclGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
+        if (policyGrpMap == null || policyGrpMap.size() == 0) {
+            return new ArrayList<AclPolicy>();
+        }
+
+        List<Long> policyIds = new ArrayList<Long>();
+        for (AclGroupPolicyMapVO pg : policyGrpMap) {
+            policyIds.add(pg.getAclPolicyId());
+        }
+
+        SearchBuilder<AclPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
+        permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);
+
+        SearchBuilder<AclPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+        sb.and("ids", sb.entity().getId(), Op.IN);
+        sb.join("recursivePerm", permSb, sb.entity().getId(), permSb.entity().getAclPolicyId(),
+                JoinBuilder.JoinType.INNER);
+
+        SearchCriteria<AclPolicyVO> sc = sb.create();
+        sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
+        sc.setJoinParameters("recursivePerm", "isRecursive", true);
+
+        @SuppressWarnings("rawtypes")
+        List policies = _aclPolicyDao.customSearch(sc, null);
+
+        return policies;
+    }
+
 
     @SuppressWarnings("unchecked")
     @Override
@@ -591,7 +650,13 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
                 // remove entry from acl_entity_permission table
                 List<AclPolicyPermissionVO> permitList = _policyPermissionDao.listByEntity(entityType, entityId);
                 for (AclPolicyPermissionVO permit : permitList) {
+                    long policyId = permit.getAclPolicyId();
                     _policyPermissionDao.remove(permit.getId());
+
+                    // remove the policy of there are no other permissions
+                    if ((_policyPermissionDao.listByPolicy(policyId)).isEmpty()) {
+                        deleteAclPolicy(policyId);
+                    }
                 }
             }
         });