From 97fd99b09a7a82b7bd62a8ff7cfdeca5a0063c33 Mon Sep 17 00:00:00 2001
From: Min Chen
Date: Thu, 26 Sep 2013 17:48:29 -0700
Subject: [PATCH] Add all Apis for AclRole.
---
api/src/com/cloud/event/EventTypes.java | 7 +
.../org/apache/cloudstack/acl/AclService.java | 19 +--
.../apache/cloudstack/api/ApiConstants.java | 3 +-
.../admin/acl/AddAclRoleToAclGroupCmd.java | 20 ++-
.../command/admin/acl/CreateAclRoleCmd.java | 45 +++++-
.../command/admin/acl/DeleteAclRoleCmd.java | 21 ++-
.../acl/GrantPermissionToAclRoleCmd.java | 120 ++++++++++++++++
.../acl/RemoveAclRoleFromAclGroupCmd.java | 20 ++-
.../acl/RevokePermissionFromAclRoleCmd.java | 120 ++++++++++++++++
.../api/response/AclRoleResponse.java | 2 +-
client/tomcatconf/applicationContext.xml.in | 2 +
client/tomcatconf/commands.properties.in | 10 ++
.../cloudstack/acl/AclApiPermissionVO.java | 18 +++
.../acl/dao/AclGroupRoleMapDao.java | 2 +
.../acl/dao/AclGroupRoleMapDaoImpl.java | 14 ++
server/src/com/cloud/api/ApiDBUtils.java | 5 +
.../src/com/cloud/api/ApiResponseHelper.java | 23 +--
.../cloud/server/ManagementServerImpl.java | 16 ++-
.../apache/cloudstack/acl/AclServiceImpl.java | 131 +++++++++++++++---
19 files changed, 535 insertions(+), 63 deletions(-)
create mode 100644 api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclRoleCmd.java
create mode 100644 api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java
diff --git a/api/src/com/cloud/event/EventTypes.java b/api/src/com/cloud/event/EventTypes.java
index b3aa91a442a..4b98433f35c 100755
--- a/api/src/com/cloud/event/EventTypes.java
+++ b/api/src/com/cloud/event/EventTypes.java
@@ -445,6 +445,13 @@ public class EventTypes { public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE"; + public static final String EVENT_ACL_ROLE_CREATE = "ACLROLE.CREATE"; + public static final String EVENT_ACL_ROLE_DELETE = "ACLROLE.DELETE"; + public static final String EVENT_ACL_ROLE_GRANT = "ACLROLE.GRANT"; + public static final String EVENT_ACL_ROLE_REVOKE = "ACLROLE.REVOKE"; + + public static final String EVENT_ACL_GROUP_UPDATE = "ACLGROUP.UPDATE"; + static { // TODO: need a way to force author adding event types to declare the entity details as well, with out braking diff --git a/api/src/org/apache/cloudstack/acl/AclService.java b/api/src/org/apache/cloudstack/acl/AclService.java index ff4fa2956e8..a8ed501ed4b 100644 --- a/api/src/org/apache/cloudstack/acl/AclService.java +++ b/api/src/org/apache/cloudstack/acl/AclService.java @@ -40,24 +40,9 @@ public interface AclService { */ boolean deleteAclRole(long aclRoleId); - /** Lists Acl roles for a domain - * @param domainId - * @param aclRoleId - * @param aclRoleName - * @param startIndex - * @param pageSize - * @return - */ - Pair, Integer> listAclRoles(Long aclRoleId, String aclRoleName, - Long domainId, Long startIndex, Long pageSize); + AclRole grantPermissionToAclRole(long aclRoleId, List apiNames); - - /** - * Get the acl role for the given role id. - * @param roleId - * @return AclRole - */ - AclRole getAclRole(Long roleId); + AclRole revokePermissionFromAclRole(long aclRoleId, List apiNames); AclGroup addAclRolesToGroup(List roleIds, Long groupId); diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java index 7bb4276cf83..da5e3d6a555 100755 --- a/api/src/org/apache/cloudstack/api/ApiConstants.java +++ b/api/src/org/apache/cloudstack/api/ApiConstants.java 
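Review bot: The two methods added to AclService, `grantPermissionToAclRole` and `revokePermissionFromAclRole`, have no Javadoc, although the declaration just above them is documented and the hunk removes two documented methods. Because these methods change which API calls a role may make, the interface should state the contract: whether `apiNames` may be null or empty, whether names are checked against the known API commands, and what is returned on failure. A summary such as `/** Grants the given API names to the acl role and returns the updated role. */` with `@param aclRoleId`, `@param apiNames` and `@return` lines would be enough, with the matching text on the revoke method. The interface body continues outside the hunk.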
@@ -523,7 +523,8 @@ public class ApiConstants { public static final String ACL_PARENT_ROLE_NAME = "parentrolename"; public static final String ACL_ROLES = "roles"; public static final String ACL_ROLE_IDS = "roleids"; - public static final String ACL_ALLOWED_APIS = "allowedapis"; + public static final String ACL_APIS = "apis"; + public enum HostDetails { all, capacity, events, stats, min; } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/AddAclRoleToAclGroupCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/AddAclRoleToAclGroupCmd.java index f700831bd52..4a6fccaab5d 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/AddAclRoleToAclGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/AddAclRoleToAclGroupCmd.java 
@@ -23,22 +23,24 @@ import org.apache.log4j.Logger; import org.apache.cloudstack.acl.AclGroup; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.BaseAsyncCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; import org.apache.cloudstack.api.response.AclGroupResponse; import org.apache.cloudstack.api.response.AclRoleResponse; import org.apache.cloudstack.context.CallContext; +import com.cloud.event.EventTypes; import com.cloud.exception.InsufficientCapacityException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.user.Account; @APICommand(name = "addAclRoleToAclGroup", description = "add acl role to an acl group", responseObject = AclGroupResponse.class) -public class AddAclRoleToAclGroupCmd extends BaseCmd { +public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(AddAclRoleToAclGroupCmd.class.getName()); private static final String s_name = "addaclroletoaclgroupresponse"; @@ -101,5 +103,19 @@ public class AddAclRoleToAclGroupCmd extends BaseCmd { } } + @Override + public String getEventType() { + return EventTypes.EVENT_ACL_GROUP_UPDATE; + } + + @Override + public String getEventDescription() { + return "adding acl roles to acl group"; + } + + @Override + public ApiCommandJobType getInstanceType() { + return ApiCommandJobType.AclGroup; + } } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclRoleCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclRoleCmd.java index 59bc7ae4c84..0e6867acf40 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclRoleCmd.java 
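Review bot: `getEventType()` returns `EVENT_ACL_GROUP_UPDATE` here and again in RemoveAclRoleFromAclGroupCmd, so attaching a role to a group and detaching one produce the same event type and differ only in the free-text description. For an audit log of permission changes that makes filtering harder, and the description itself is a fixed string that names neither the group nor the roles. If a single type is kept, the description could carry the ids, for example `return "adding acl roles to acl group " + groupId;` where `groupId` is a placeholder for whatever field this command holds. `execute()` lies outside the hunk, so event details may already be set there. The fixed `"Deleting Acl role"` description in DeleteAclRoleCmd raises the same question.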
+++ b/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclRoleCmd.java @@ -20,18 +20,21 @@ import org.apache.log4j.Logger; import org.apache.cloudstack.acl.AclRole; import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.BaseAsyncCreateCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; import org.apache.cloudstack.api.response.AclRoleResponse; import org.apache.cloudstack.api.response.DomainResponse; +import com.cloud.event.EventTypes; +import com.cloud.exception.ResourceAllocationException; import com.cloud.user.Account; @APICommand(name = "createAclRole", responseObject = AclRoleResponse.class, description = "Creates an acl role") -public class CreateAclRoleCmd extends BaseCmd { +public class CreateAclRoleCmd extends BaseAsyncCreateCmd { public static final Logger s_logger = Logger.getLogger(CreateAclRoleCmd.class.getName()); private static final String s_name = "createaclroleresponse"; @@ -84,7 +87,7 @@ public class CreateAclRoleCmd extends BaseCmd { @Override public void execute() { - AclRole role = _aclService.createAclRole(domainId, name, description); + AclRole role = _entityMgr.findById(AclRole.class, getEntityId()); if (role != null) { AclRoleResponse response = _responseGenerator.createAclRoleResponse(role); response.setResponseName(getCommandName()); 
@@ -94,5 +97,41 @@ public class CreateAclRoleCmd extends BaseCmd { } } + @Override + public void create() throws ResourceAllocationException { + AclRole result = _aclService.createAclRole(domainId, name, description); + if (result != null) { + setEntityId(result.getId()); + setEntityUuid(result.getUuid()); + } else { + throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl role entity" + name); + } + + } + + @Override + public String getEventType() { + return EventTypes.EVENT_ACL_ROLE_CREATE; + } + + @Override + public String getEventDescription() { + return "creating Acl role"; + } + + @Override + public String getCreateEventType() { + return EventTypes.EVENT_ACL_ROLE_CREATE; + } + + @Override + public String getCreateEventDescription() { + return "creating acl role"; + } + + @Override + public ApiCommandJobType getInstanceType() { + return ApiCommandJobType.AclRole; + } } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclRoleCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclRoleCmd.java index 3f1be71454f..5a2afe13ddd 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclRoleCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclRoleCmd.java 
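Review bot: In `create()`, the failure message is built as `"Failed to create acl role entity" + name`, which runs the role name straight into the preceding word; it should read `"Failed to create acl role entity " + name`. `getEventType()` and `getCreateEventType()` both return `EVENT_ACL_ROLE_CREATE`, so if the framework records one event per phase, the create and execute phases cannot be told apart by type; that is worth confirming as intended. The two descriptions also differ only in case (`"creating Acl role"` against `"creating acl role"`) and could be made the same.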
@@ -20,18 +20,20 @@ import org.apache.log4j.Logger; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.BaseAsyncCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; import org.apache.cloudstack.api.response.AclRoleResponse; import org.apache.cloudstack.api.response.SuccessResponse; +import com.cloud.event.EventTypes; import com.cloud.user.Account; @APICommand(name = "deleteAclRole", description = "Deletes acl role", responseObject = SuccessResponse.class) -public class DeleteAclRoleCmd extends BaseCmd { +public class DeleteAclRoleCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(DeleteAclRoleCmd.class.getName()); private static final String s_name = "deleteaclroleresponse"; @@ -76,4 +78,19 @@ public class DeleteAclRoleCmd extends BaseCmd { throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl role"); } } + + @Override + public String getEventType() { + return EventTypes.EVENT_ACL_ROLE_DELETE; + } + + @Override + public String getEventDescription() { + return "Deleting Acl role"; + } + + @Override + public ApiCommandJobType getInstanceType() { + return ApiCommandJobType.AclRole; + } } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclRoleCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclRoleCmd.java new file mode 100644 index 00000000000..a93e790e29a --- /dev/null +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclRoleCmd.java 
@@ -0,0 +1,120 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +package org.apache.cloudstack.api.command.admin.acl; + +import java.util.List; + +import org.apache.log4j.Logger; + +import org.apache.cloudstack.acl.AclRole; +import org.apache.cloudstack.api.ACL; +import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiCommandJobType; +import org.apache.cloudstack.api.ApiConstants; +import org.apache.cloudstack.api.ApiErrorCode; +import org.apache.cloudstack.api.BaseAsyncCmd; +import org.apache.cloudstack.api.Parameter; +import org.apache.cloudstack.api.ServerApiException; +import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.context.CallContext; + +import com.cloud.event.EventTypes; +import com.cloud.exception.InsufficientCapacityException; +import com.cloud.exception.ResourceUnavailableException; +import com.cloud.user.Account; + + +@APICommand(name = "grantPermissionToAclRole", description = "Grant api permission to an acl role", responseObject = AclRoleResponse.class) +public class GrantPermissionToAclRoleCmd extends BaseAsyncCmd { + public static final Logger s_logger = Logger.getLogger(GrantPermissionToAclRoleCmd.class.getName()); + private static 
final String s_name = "grantpermissiontoroleresponse"; + + ///////////////////////////////////////////////////// + //////////////// API parameters ///////////////////// + ///////////////////////////////////////////////////// + + + @ACL + @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclRoleResponse.class, + required = true, description = "The ID of the acl role") + private Long id; + + @ACL + @Parameter(name = ApiConstants.ACL_APIS, type = CommandType.LIST, collectionType = CommandType.STRING, description = "comma separated list of apis granted to the acl role. ") + private List apiList; + + + ///////////////////////////////////////////////////// + /////////////////// Accessors /////////////////////// + ///////////////////////////////////////////////////// + + + public Long getId() { + return id; + } + + + public List getApiList() { + return apiList; + } + + ///////////////////////////////////////////////////// + /////////////// API Implementation/////////////////// + ///////////////////////////////////////////////////// + + + @Override + public String getCommandName() { + return s_name; + } + + + @Override + public long getEntityOwnerId() { + return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked + } + + @Override + public void execute() throws ResourceUnavailableException, + InsufficientCapacityException, ServerApiException { + CallContext.current().setEventDetails("Acl role Id: " + getId()); + AclRole result = _aclService.grantPermissionToAclRole(id, apiList); + if (result != null) { + AclRoleResponse response = _responseGenerator.createAclRoleResponse(result); + response.setResponseName(getCommandName()); + setResponseObject(response); + } else { + throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl role " + getId()); + } + } + + @Override + public String getEventType() { + return EventTypes.EVENT_ACL_ROLE_GRANT; + } + + @Override + 
public String getEventDescription() { + return "granting permission to acl role"; + } + + @Override + public ApiCommandJobType getInstanceType() { + return ApiCommandJobType.AclRole; + } + +} diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclRoleFromAclGroupCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclRoleFromAclGroupCmd.java index 11ea8c260ff..b06bb46381f 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclRoleFromAclGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclRoleFromAclGroupCmd.java @@ -23,22 +23,24 @@ import org.apache.log4j.Logger; import org.apache.cloudstack.acl.AclGroup; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.BaseAsyncCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; import org.apache.cloudstack.api.response.AclGroupResponse; import org.apache.cloudstack.api.response.AclRoleResponse; import org.apache.cloudstack.context.CallContext; +import com.cloud.event.EventTypes; import com.cloud.exception.InsufficientCapacityException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.user.Account; @APICommand(name = "removeAclRoleFromAclGroup", description = "remove acl role to an acl group", responseObject = AclGroupResponse.class) -public class RemoveAclRoleFromAclGroupCmd extends BaseCmd { +public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(RemoveAclRoleFromAclGroupCmd.class.getName()); private static final String s_name = "removeaclroletoaclgroupresponse"; 
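Review bot: The `apis` parameter of GrantPermissionToAclRoleCmd is declared without `required = true`, and `execute()` hands `apiList` to `_aclService.grantPermissionToAclRole(id, apiList)` with no null or empty check, so a request that omits it reaches the service with a null list. Adding `required = true` to that `@Parameter`, as the `id` parameter already has, would reject such requests at the API layer. For the audit trail, the event details record only the role id; `CallContext.current().setEventDetails("Acl role Id: " + getId() + ", apis: " + getApiList());` would also record which permissions were changed. `s_name` is `"grantpermissiontoroleresponse"`, whereas the other commands in this patch use the lowercased command name plus `response`, which would give `"grantpermissiontoaclroleresponse"`. RevokePermissionFromAclRoleCmd, added further down, has the same three points.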
@@ -101,5 +103,19 @@ public class RemoveAclRoleFromAclGroupCmd extends BaseCmd { } } + @Override + public String getEventType() { + return EventTypes.EVENT_ACL_GROUP_UPDATE; + } + + @Override + public String getEventDescription() { + return "removing acl roles from acl group"; + } + + @Override + public ApiCommandJobType getInstanceType() { + return ApiCommandJobType.AclGroup; + } } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java new file mode 100644 index 00000000000..68db1181203 --- /dev/null +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java 
@@ -0,0 +1,120 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. +package org.apache.cloudstack.api.command.admin.acl; + +import java.util.List; + +import org.apache.log4j.Logger; + +import org.apache.cloudstack.acl.AclRole; +import org.apache.cloudstack.api.ACL; +import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiCommandJobType; +import org.apache.cloudstack.api.ApiConstants; +import org.apache.cloudstack.api.ApiErrorCode; +import org.apache.cloudstack.api.BaseAsyncCmd; +import org.apache.cloudstack.api.Parameter; +import org.apache.cloudstack.api.ServerApiException; +import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.context.CallContext; + +import com.cloud.event.EventTypes; +import com.cloud.exception.InsufficientCapacityException; +import com.cloud.exception.ResourceUnavailableException; +import com.cloud.user.Account; + + +@APICommand(name = "revokePermissionFromAclRole", description = "Revoke api permission from an acl role", responseObject = AclRoleResponse.class) +public class RevokePermissionFromAclRoleCmd extends BaseAsyncCmd { + public static final Logger s_logger = Logger.getLogger(RevokePermissionFromAclRoleCmd.class.getName()); + 
private static final String s_name = "revokepermissionfromroleresponse"; + + ///////////////////////////////////////////////////// + //////////////// API parameters ///////////////////// + ///////////////////////////////////////////////////// + + + @ACL + @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclRoleResponse.class, + required = true, description = "The ID of the acl role") + private Long id; + + @ACL + @Parameter(name = ApiConstants.ACL_APIS, type = CommandType.LIST, collectionType = CommandType.STRING, description = "comma separated list of apis granted to the acl role. ") + private List apiList; + + + ///////////////////////////////////////////////////// + /////////////////// Accessors /////////////////////// + ///////////////////////////////////////////////////// + + + public Long getId() { + return id; + } + + + public List getApiList() { + return apiList; + } + + ///////////////////////////////////////////////////// + /////////////// API Implementation/////////////////// + ///////////////////////////////////////////////////// + + + @Override + public String getCommandName() { + return s_name; + } + + + @Override + public long getEntityOwnerId() { + return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked + } + + @Override + public void execute() throws ResourceUnavailableException, + InsufficientCapacityException, ServerApiException { + CallContext.current().setEventDetails("Acl role Id: " + getId()); + AclRole result = _aclService.revokePermissionFromAclRole(id, apiList); + if (result != null) { + AclRoleResponse response = _responseGenerator.createAclRoleResponse(result); + response.setResponseName(getCommandName()); + setResponseObject(response); + } else { + throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to revoke permission from acl role " + getId()); + } + } + + @Override + public String getEventType() { + return 
EventTypes.EVENT_ACL_ROLE_REVOKE; + } + + @Override + public String getEventDescription() { + return "revoking permission from acl role"; + } + + @Override + public ApiCommandJobType getInstanceType() { + return ApiCommandJobType.AclRole; + } + +} diff --git a/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java b/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java index 527261fd779..68a9a598a92 100644 --- a/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java +++ b/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java @@ -60,7 +60,7 @@ public class AclRoleResponse extends BaseResponse { @Param(description = "the domain name of the acl role") private String domainName; - @SerializedName(ApiConstants.ACL_ALLOWED_APIS) + @SerializedName(ApiConstants.ACL_APIS) @Param(description = "allowed apis for the acl role ") private List apiList; diff --git a/client/tomcatconf/applicationContext.xml.in b/client/tomcatconf/applicationContext.xml.in index 96b09516276..78aa661248a 100644 --- a/client/tomcatconf/applicationContext.xml.in +++ b/client/tomcatconf/applicationContext.xml.in @@ -371,10 +371,12 @@ + +
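Review bot: The `apis` parameter description in RevokePermissionFromAclRoleCmd still reads `"comma separated list of apis granted to the acl role. "`, copied from the grant command, so anything generated from the annotation would describe a revoke as a grant. It should say what the call does, for example `description = "comma separated list of apis to revoke from the acl role"`. It would also help for the description or the class Javadoc to say what happens when a listed API was never granted to the role, since the service behaviour is not visible in this file.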