Add all Apis for AclRole.

This commit is contained in:
Min Chen 2013-09-26 17:48:29 -07:00
parent fce2aad23d
commit 97fd99b09a
19 changed files with 535 additions and 63 deletions


@ -445,6 +445,13 @@ public class EventTypes {
public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE";
public static final String EVENT_ACL_ROLE_CREATE = "ACLROLE.CREATE";
public static final String EVENT_ACL_ROLE_DELETE = "ACLROLE.DELETE";
public static final String EVENT_ACL_ROLE_GRANT = "ACLROLE.GRANT";
public static final String EVENT_ACL_ROLE_REVOKE = "ACLROLE.REVOKE";
public static final String EVENT_ACL_GROUP_UPDATE = "ACLGROUP.UPDATE";
static {
// TODO: need a way to force author adding event types to declare the entity details as well, with out braking
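Review bot: The five new `EVENT_ACL_*` constants sit directly above a `static` block whose own TODO says every event type should also declare its entity details, and nothing in this hunk registers the new types there. The body of that block is outside the hunk, so confirm that `EVENT_ACL_ROLE_CREATE`/`DELETE`/`GRANT`/`REVOKE` and `EVENT_ACL_GROUP_UPDATE` were added to it; otherwise the events published by the new async commands will carry no entity details.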


@ -40,24 +40,9 @@ public interface AclService {
*/
boolean deleteAclRole(long aclRoleId);
/** Lists Acl roles for a domain
* @param domainId
* @param aclRoleId
* @param aclRoleName
* @param startIndex
* @param pageSize
* @return
*/
Pair<List<? extends AclRole>, Integer> listAclRoles(Long aclRoleId, String aclRoleName,
Long domainId, Long startIndex, Long pageSize);
AclRole grantPermissionToAclRole(long aclRoleId, List<String> apiNames);
/**
* Get the acl role for the given role id.
* @param roleId
* @return AclRole
*/
AclRole getAclRole(Long roleId);
AclRole revokePermissionFromAclRole(long aclRoleId, List<String> apiNames);
AclGroup addAclRolesToGroup(List<Long> roleIds, Long groupId);
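Review bot: The new `grantPermissionToAclRole` and `revokePermissionFromAclRole` declarations have no Javadoc, while the surrounding interface methods (`deleteAclRole`, `getAclRole`) document parameters and return values. Add a short contract to each, e.g. `/** Adds the named APIs to the role's permission set and returns the role. @throws InvalidParameterValueException if no role with aclRoleId exists */`, and the mirror text for revoke; the implementation in this commit also performs an access check on the role, so state the permission-denied case as well if that is intended to be part of the contract.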


@ -523,7 +523,8 @@ public class ApiConstants {
public static final String ACL_PARENT_ROLE_NAME = "parentrolename";
public static final String ACL_ROLES = "roles";
public static final String ACL_ROLE_IDS = "roleids";
public static final String ACL_ALLOWED_APIS = "allowedapis";
public static final String ACL_APIS = "apis";
public enum HostDetails {
all, capacity, events, stats, min;
}


@ -23,22 +23,24 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "addAclRoleToAclGroup", description = "add acl role to an acl group", responseObject = AclGroupResponse.class)
public class AddAclRoleToAclGroupCmd extends BaseCmd {
public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddAclRoleToAclGroupCmd.class.getName());
private static final String s_name = "addaclroletoaclgroupresponse";
@ -101,5 +103,19 @@ public class AddAclRoleToAclGroupCmd extends BaseCmd {
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "adding acl roles to acl group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
}
}


@ -20,18 +20,21 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.DomainResponse;
import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.user.Account;
@APICommand(name = "createAclRole", responseObject = AclRoleResponse.class, description = "Creates an acl role")
public class CreateAclRoleCmd extends BaseCmd {
public class CreateAclRoleCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateAclRoleCmd.class.getName());
private static final String s_name = "createaclroleresponse";
@ -84,7 +87,7 @@ public class CreateAclRoleCmd extends BaseCmd {
@Override
public void execute() {
AclRole role = _aclService.createAclRole(domainId, name, description);
AclRole role = _entityMgr.findById(AclRole.class, getEntityId());
if (role != null) {
AclRoleResponse response = _responseGenerator.createAclRoleResponse(role);
response.setResponseName(getCommandName());
@ -94,5 +97,41 @@ public class CreateAclRoleCmd extends BaseCmd {
}
}
@Override
public void create() throws ResourceAllocationException {
AclRole result = _aclService.createAclRole(domainId, name, description);
if (result != null) {
setEntityId(result.getId());
setEntityUuid(result.getUuid());
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl role entity" + name);
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_ROLE_CREATE;
}
@Override
public String getEventDescription() {
return "creating Acl role";
}
@Override
public String getCreateEventType() {
return EventTypes.EVENT_ACL_ROLE_CREATE;
}
@Override
public String getCreateEventDescription() {
return "creating acl role";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclRole;
}
}
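Review bot: In `create()` the failure message `"Failed to create acl role entity" + name` has no separator before the role name, so it renders as `...entityfoo`; change it to `"Failed to create acl role entity " + name`. The two description overrides are also inconsistent: `getEventDescription()` returns `"creating Acl role"` and `getCreateEventDescription()` returns `"creating acl role"` — pick one casing, since both show up in the event log for the same job. The `execute()` hunk earlier in this file (the `_entityMgr.findById(AclRole.class, getEntityId())` change) belongs to a method whose body continues outside the hunk.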


@ -20,18 +20,20 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import com.cloud.event.EventTypes;
import com.cloud.user.Account;
@APICommand(name = "deleteAclRole", description = "Deletes acl role", responseObject = SuccessResponse.class)
public class DeleteAclRoleCmd extends BaseCmd {
public class DeleteAclRoleCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteAclRoleCmd.class.getName());
private static final String s_name = "deleteaclroleresponse";
@ -76,4 +78,19 @@ public class DeleteAclRoleCmd extends BaseCmd {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl role");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_ROLE_DELETE;
}
@Override
public String getEventDescription() {
return "Deleting Acl role";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclRole;
}
}


@ -0,0 +1,120 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.admin.acl;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "grantPermissionToAclRole", description = "Grant api permission to an acl role", responseObject = AclRoleResponse.class)
public class GrantPermissionToAclRoleCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(GrantPermissionToAclRoleCmd.class.getName());
private static final String s_name = "grantpermissiontoroleresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclRoleResponse.class,
required = true, description = "The ID of the acl role")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACL_APIS, type = CommandType.LIST, collectionType = CommandType.STRING, description = "comma separated list of apis granted to the acl role. ")
private List<String> apiList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<String> getApiList() {
return apiList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl role Id: " + getId());
AclRole result = _aclService.grantPermissionToAclRole(id, apiList);
if (result != null) {
AclRoleResponse response = _responseGenerator.createAclRoleResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl role " + getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_ROLE_GRANT;
}
@Override
public String getEventDescription() {
return "granting permission to acl role";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclRole;
}
}
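Review bot: `apiList` is declared without `required = true`, yet `execute()` passes it straight to `_aclService.grantPermissionToAclRole(id, apiList)`, and the service implementation in this commit iterates it with `for (String api : apiNames)`, so omitting the `apis` parameter yields a NullPointerException instead of a parameter error. Either mark the parameter `required = true` or add `if (apiList == null || apiList.isEmpty()) { throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "apis must not be empty"); }` before the service call. The same gap exists for `apiList` in RevokePermissionFromAclRoleCmd. `@ACL` on a `LIST` of `STRING` also looks misplaced — the annotation presumably targets entity-id parameters like `id` — confirm the parameter access checker tolerates it on a plain string list.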


@ -23,22 +23,24 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "removeAclRoleFromAclGroup", description = "remove acl role to an acl group", responseObject = AclGroupResponse.class)
public class RemoveAclRoleFromAclGroupCmd extends BaseCmd {
public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAclRoleFromAclGroupCmd.class.getName());
private static final String s_name = "removeaclroletoaclgroupresponse";
@ -101,5 +103,19 @@ public class RemoveAclRoleFromAclGroupCmd extends BaseCmd {
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "removing acl roles from acl group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
}
}


@ -0,0 +1,120 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.admin.acl;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "revokePermissionFromAclRole", description = "Revoke api permission from an acl role", responseObject = AclRoleResponse.class)
public class RevokePermissionFromAclRoleCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RevokePermissionFromAclRoleCmd.class.getName());
private static final String s_name = "revokepermissionfromroleresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclRoleResponse.class,
required = true, description = "The ID of the acl role")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACL_APIS, type = CommandType.LIST, collectionType = CommandType.STRING, description = "comma separated list of apis granted to the acl role. ")
private List<String> apiList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<String> getApiList() {
return apiList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl role Id: " + getId());
AclRole result = _aclService.revokePermissionFromAclRole(id, apiList);
if (result != null) {
AclRoleResponse response = _responseGenerator.createAclRoleResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to revoke permission from acl role " + getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_ROLE_REVOKE;
}
@Override
public String getEventDescription() {
return "revoking permission from acl role";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclRole;
}
}
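Review bot: The `apis` parameter description `"comma separated list of apis granted to the acl role. "` was copied from the grant command; on this command it should read `"comma separated list of apis revoked from the acl role"` (and lose the trailing space), since this string is what the API discovery output and generated docs show. Apart from the service call, the event type and those strings, this class is line-for-line identical to GrantPermissionToAclRoleCmd; a shared abstract base holding the two parameters, the accessors and `getEntityOwnerId()` would remove the duplication and keep future fixes in one place.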


@ -60,7 +60,7 @@ public class AclRoleResponse extends BaseResponse {
@Param(description = "the domain name of the acl role")
private String domainName;
@SerializedName(ApiConstants.ACL_ALLOWED_APIS)
@SerializedName(ApiConstants.ACL_APIS)
@Param(description = "allowed apis for the acl role ")
private List<String> apiList;


@ -371,10 +371,12 @@
<bean id="serviceOfferingDetailsDaoImpl" class="com.cloud.service.dao.ServiceOfferingDetailsDaoImpl"/>
<bean id="AclGroupDaoImpl" class="org.apache.cloudstack.acl.dao.AclGroupDaoImpl"/>
<bean id="AclRoleDaoImpl" class="org.apache.cloudstack.acl.dao.AclRoleDaoImpl"/>
<bean id="AclRoleJoinDaoImpl" class="com.cloud.api.query.dao.AclRoleJoinDaoImpl"/>
<bean id="AclGroupAccountMapDaoImpl" class="org.apache.cloudstack.acl.dao.AclGroupAccountMapDaoImpl"/>
<bean id="AclGroupRoleMapDaoImpl" class="org.apache.cloudstack.acl.dao.AclGroupRoleMapDaoImpl"/>
<bean id="AclApiPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclApiPermissionDaoImpl"/>
<bean id="AclEntityPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclEntityPermissionDaoImpl"/>
<!--
Checkers


@ -678,3 +678,13 @@ addLdapConfiguration=3
deleteLdapConfiguration=3
listLdapUsers=3
ldapCreateAccount=3
### Acl commands
createAclRole=7
deleteAclRole=7
listAclRoles=7
grantPermissionToAclRole=7
revokePermissionFromAclRole=7
addAclRoleToAclGroup=7
removeAclRoleFromAclGroup=7
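Review bot: `grantPermissionToAclRole=7` exposes the grant call to every admin level encoded by 7 (elsewhere in this file 7 appears to mean root, resource-domain and domain admin — confirm), but the service implementation in the AclServiceImpl hunk below only runs `_accountMgr.checkAccess(caller, null, true, role)` on the role and then persists every string in `apiNames` unchanged. Nothing verifies that the names are registered commands, nor that the caller is themselves permitted to invoke the APIs being granted, so an admin with access to a role could attach API names beyond their own level to it. Add a check in `grantPermissionToAclRole` that each name resolves to a known command and that the caller's access level covers it, rejecting with `InvalidParameterValueException` or `PermissionDeniedException` otherwise; until that exists, restricting this entry (and `revokePermissionFromAclRole`) to root admin only would be the safer default.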


@ -32,6 +32,15 @@ public class AclApiPermissionVO implements AclApiPermission {
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclApiPermissionVO() {
}
public AclApiPermissionVO(long roleid, String api) {
aclRoleId = roleid;
apiName = api;
}
@Override
public long getId() {
return id;
@ -54,4 +63,13 @@ public class AclApiPermissionVO implements AclApiPermission {
public Date getCreated() {
return created;
}
public void setAclRoleId(long aclRoleId) {
this.aclRoleId = aclRoleId;
}
public void setApiName(String apiName) {
this.apiName = apiName;
}
}


@ -28,4 +28,6 @@ public interface AclGroupRoleMapDao extends GenericDao<AclGroupRoleMapVO, Long>
List<AclGroupRoleMapVO> listByRoleId(long roleId);
AclGroupRoleMapVO findByGroupAndRole(long groupId, long roleId);
}


@ -33,6 +33,7 @@ import com.cloud.utils.db.SearchCriteria;
public class AclGroupRoleMapDaoImpl extends GenericDaoBase<AclGroupRoleMapVO, Long> implements AclGroupRoleMapDao {
private SearchBuilder<AclGroupRoleMapVO> ListByGroupId;
private SearchBuilder<AclGroupRoleMapVO> ListByRoleId;
private SearchBuilder<AclGroupRoleMapVO> findByRoleGroupId;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
@ -46,6 +47,11 @@ public class AclGroupRoleMapDaoImpl extends GenericDaoBase<AclGroupRoleMapVO, Lo
ListByRoleId.and("roleId", ListByRoleId.entity().getAclRoleId(), SearchCriteria.Op.EQ);
ListByRoleId.done();
findByRoleGroupId = createSearchBuilder();
findByRoleGroupId.and("roleId", findByRoleGroupId.entity().getAclRoleId(), SearchCriteria.Op.EQ);
findByRoleGroupId.and("groupId", findByRoleGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
findByRoleGroupId.done();
return true;
}
@ -63,4 +69,12 @@ public class AclGroupRoleMapDaoImpl extends GenericDaoBase<AclGroupRoleMapVO, Lo
return listBy(sc);
}
@Override
public AclGroupRoleMapVO findByGroupAndRole(long groupId, long roleId) {
SearchCriteria<AclGroupRoleMapVO> sc = findByRoleGroupId.create();
sc.setParameters("roleId", roleId);
sc.setParameters("groupId", groupId);
return findOneBy(sc);
}
}


@ -25,6 +25,7 @@ import java.util.Set;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupResponse;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@ -1678,6 +1679,10 @@ public class ApiDBUtils {
return _affinityGroupJoinDao.setAffinityGroupResponse(resp, group);
}
public static List<AclRoleJoinVO> newAclRoleView(AclRole role) {
return _aclRoleJoinDao.newAclRoleView(role);
}
public static AclRoleResponse newAclRoleResponse(AclRoleJoinVO role) {
return _aclRoleJoinDao.newAclRoleResponse(role);
}


@ -151,6 +151,7 @@ import org.apache.cloudstack.usage.UsageTypes;
import com.cloud.api.query.ViewResponseHelper;
import com.cloud.api.query.vo.AccountJoinVO;
import com.cloud.api.query.vo.AclRoleJoinVO;
import com.cloud.api.query.vo.AsyncJobJoinVO;
import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.api.query.vo.DataCenterJoinVO;
@ -3674,24 +3675,10 @@ public class ApiResponseHelper implements ResponseGenerator {
@Override
public AclRoleResponse createAclRoleResponse(AclRole role) {
AclRoleResponse response = new AclRoleResponse();
response.setId(role.getUuid());
response.setName(role.getName());
response.setDescription(role.getDescription());
Domain domain = _entityMgr.findById(Domain.class, role.getDomainId());
if (domain != null) {
response.setDomainId(domain.getUuid());
response.setDomainName(domain.getName());
}
if (role.getParentRoleId() != null ){
AclRole parRole = _entityMgr.findById(AclRole.class, role.getParentRoleId());
if (parRole != null) {
response.setParentRoleId(parRole.getUuid());
}
}
response.setObjectName("aclrole");
return response;
List<AclRoleJoinVO> viewRoles = ApiDBUtils.newAclRoleView(role);
List<AclRoleResponse> listRoles = ViewResponseHelper.createAclRoleResponses(viewRoles);
assert listRoles != null && listRoles.size() == 1 : "There should be one acl role returned";
return listRoles.get(0);
}
@Override
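Review bot: `createAclRoleResponse` now relies on a Java `assert` to guarantee `listRoles` has exactly one element, but assertions are disabled at runtime unless the JVM runs with `-ea`, so in production an empty view result reaches `listRoles.get(0)` and surfaces as an IndexOutOfBoundsException. Replace the assert with an explicit check, e.g. `if (listRoles == null || listRoles.size() != 1) { throw new CloudRuntimeException("Expected exactly one acl role view row for role " + role.getId()); }` (or whichever unchecked exception this class already uses for view lookups), so the failure carries the role id and is not silently dependent on JVM flags.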


@ -57,6 +57,13 @@ import org.apache.cloudstack.api.command.admin.account.DisableAccountCmd;
import org.apache.cloudstack.api.command.admin.account.EnableAccountCmd;
import org.apache.cloudstack.api.command.admin.account.LockAccountCmd;
import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
import org.apache.cloudstack.api.command.admin.acl.AddAclRoleToAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.CreateAclRoleCmd;
import org.apache.cloudstack.api.command.admin.acl.DeleteAclRoleCmd;
import org.apache.cloudstack.api.command.admin.acl.GrantPermissionToAclRoleCmd;
import org.apache.cloudstack.api.command.admin.acl.ListAclRolesCmd;
import org.apache.cloudstack.api.command.admin.acl.RemoveAclRoleFromAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.RevokePermissionFromAclRoleCmd;
import org.apache.cloudstack.api.command.admin.autoscale.CreateCounterCmd;
import org.apache.cloudstack.api.command.admin.autoscale.DeleteCounterCmd;
import org.apache.cloudstack.api.command.admin.cluster.AddClusterCmd;
@ -2853,6 +2860,13 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
cmdList.add(ReplaceNetworkACLListCmd.class);
cmdList.add(UpdateNetworkACLItemCmd.class);
cmdList.add(CleanVMReservationsCmd.class);
cmdList.add(CreateAclRoleCmd.class);
cmdList.add(DeleteAclRoleCmd.class);
cmdList.add(ListAclRolesCmd.class);
cmdList.add(GrantPermissionToAclRoleCmd.class);
cmdList.add(RevokePermissionFromAclRoleCmd.class);
cmdList.add(AddAclRoleToAclGroupCmd.class);
cmdList.add(RemoveAclRoleFromAclGroupCmd.class);
return cmdList;
}
@ -3157,7 +3171,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
}
@Override
@ActionEvent(eventType = "", eventDescription = "", async = true)
@ActionEvent(eventType = "", eventDescription = "", async = true)
public VMInstanceVO destroySystemVM(DestroySystemVmCmd cmd) {
VMInstanceVO systemVm = _vmInstanceDao.findByIdTypes(cmd.getId(), VirtualMachine.Type.ConsoleProxy, VirtualMachine.Type.SecondaryStorageVm);


@ -26,10 +26,13 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.dao.AclApiPermissionDao;
import org.apache.cloudstack.acl.dao.AclEntityPermissionDao;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclGroupDao;
import org.apache.cloudstack.acl.dao.AclGroupRoleMapDao;
import org.apache.cloudstack.acl.dao.AclRoleDao;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.user.Account;
@ -51,6 +54,9 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
@Inject
AclRoleDao _aclRoleDao;
@Inject
AclGroupDao _aclGroupDao;
@Inject
AclGroupRoleMapDao _aclGroupRoleMapDao;
@ -66,6 +72,7 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_CREATE, eventDescription = "Creating Acl Role", create = true)
public AclRole createAclRole(Long domainId, String aclRoleName, String description) {
Account caller = CallContext.current().getCallingAccount();
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
@ -90,6 +97,7 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_DELETE, eventDescription = "Deleting Acl Role")
public boolean deleteAclRole(long aclRoleId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
@ -99,12 +107,7 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
+ "; failed to delete acl role.");
}
// check permissions
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
// domain admin can only delete role for his domain
if (caller.getDomainId() != role.getDomainId()) {
throw new PermissionDeniedException("Can't delete acl role in domain " + role.getDomainId() + ", permission denied");
}
}
_accountMgr.checkAccess(caller, null, true, role);
// remove this role related entry in acl_group_role_map
List<AclGroupRoleMapVO> groupRoleMap = _aclGroupRoleMapDao.listByRoleId(role.getId());
@ -128,28 +131,124 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
return true;
}
@DB
@Override
public Pair<List<? extends AclRole>, Integer> listAclRoles(Long aclRoleId, String aclRoleName, Long domainId, Long startIndex, Long pageSize) {
// TODO Auto-generated method stub
return null;
@ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_GRANT, eventDescription = "Granting permission to Acl Role")
public AclRole grantPermissionToAclRole(long aclRoleId, List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclRoleDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to grant permission to role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
// add entries in acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm == null) {
// not there already
perm = new AclApiPermissionVO(aclRoleId, api);
_apiPermissionDao.persist(perm);
}
}
return role;
}
@DB
@Override
public AclRole getAclRole(Long roleId) {
// TODO Auto-generated method stub
return null;
@ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_REVOKE, eventDescription = "Revoking permission from Acl Role")
public AclRole revokePermissionFromAclRole(long aclRoleId, List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclRoleDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to revoke permission from role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
// add entries in acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm != null) {
// not removed yet
_apiPermissionDao.remove(perm.getId());
}
}
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding roles to acl group")
public AclGroup addAclRolesToGroup(List<Long> roleIds, Long groupId) {
// TODO Auto-generated method stub
return null;
Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add roles to acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
// add entries in acl_group_role_map table
for (Long roleId : roleIds) {
// check role permissions
AclRole role = _aclRoleDao.findById(roleId);
if ( role == null ){
throw new InvalidParameterValueException("Unable to find acl role: " + roleId
+ "; failed to add roles to acl group.");
}
_accountMgr.checkAccess(caller,null, true, role);
AclGroupRoleMapVO grMap = _aclGroupRoleMapDao.findByGroupAndRole(groupId, roleId);
if (grMap == null) {
// not there already
grMap = new AclGroupRoleMapVO(groupId, roleId);
_aclGroupRoleMapDao.persist(grMap);
}
}
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing roles from acl group")
public AclGroup removeAclRolesFromGroup(List<Long> roleIds, Long groupId) {
// TODO Auto-generated method stub
return null;
Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove roles from acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
// add entries in acl_group_role_map table
for (Long roleId : roleIds) {
// check role permissions
AclRole role = _aclRoleDao.findById(roleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + roleId
+ "; failed to add roles to acl group.");
}
_accountMgr.checkAccess(caller, null, true, role);
AclGroupRoleMapVO grMap = _aclGroupRoleMapDao.findByGroupAndRole(groupId, roleId);
if (grMap != null) {
// not removed yet
_aclGroupRoleMapDao.remove(grMap.getId());
}
}
return group;
}
@Override
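Review bot: `removeAclRolesFromGroup` reports a missing role with `"; failed to add roles to acl group."`, copied from the add path; it should read `"; failed to remove roles from acl group."`. The comments in the two removal methods are inverted the same way — `// add entries in acl_api_permission table` in `revokePermissionFromAclRole` and `// add entries in acl_group_role_map table` in `removeAclRolesFromGroup` — and should say the rows are removed. None of the four methods guards `apiNames`/`roleIds` against null before the `for` loop, so a command that omits the list parameter fails with a bare NullPointerException; an early `if (apiNames == null || apiNames.isEmpty()) { return role; }` (or an `InvalidParameterValueException` with a clear message, if an empty list is a caller error) would make the contract explicit.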