etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix API build error based on new DB schema, now only 

RoleBasedEntityAccessChecker needs to be fixed.
This commit is contained in:
Min Chen 2013-12-06 15:09:00 -08:00
parent c3f480e9b9
commit a416f6c3c3
37 changed files with 752 additions and 1362 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
api/src/com/cloud/event/EventTypes.java
View File

@ -449,10 +449,10 @@ public class EventTypes {
public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE";
public static final String EVENT_ACL_ROLE_CREATE = "ACLROLE.CREATE";
public static final String EVENT_ACL_ROLE_DELETE = "ACLROLE.DELETE";
public static final String EVENT_ACL_ROLE_GRANT = "ACLROLE.GRANT";
public static final String EVENT_ACL_ROLE_REVOKE = "ACLROLE.REVOKE";
public static final String EVENT_ACL_POLICY_CREATE = "ACLPOLICY.CREATE";
public static final String EVENT_ACL_POLICY_DELETE = "ACLPOLICY.DELETE";
public static final String EVENT_ACL_POLICY_GRANT = "ACLPOLICY.GRANT";
public static final String EVENT_ACL_POLICY_REVOKE = "ACLPOLICY.REVOKE";
public static final String EVENT_ACL_GROUP_UPDATE = "ACLGROUP.UPDATE";
public static final String EVENT_ACL_GROUP_CREATE = "ACLGROUP.CREATE";

66
api/src/org/apache/cloudstack/acl/AclService.java
View File

@ -18,77 +18,45 @@ package org.apache.cloudstack.acl;
import java.util.List;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import com.cloud.user.Account;
import com.cloud.utils.Pair;
public interface AclService {
/**
* Creates an acl role for the given domain.
*
* @param domainId
* @param name
* @param description
* @return AclRole
*/
/* ACL group related interfaces */
AclGroup createAclGroup(Account caller, String aclGroupName, String description);
AclRole createAclRole(Long domainId, String aclRoleName, String description, Long parentRoleId);
boolean deleteAclGroup(Long aclGroupId);
/**
* Delete an acl role.
*
* @param aclRoleId
*/
boolean deleteAclRole(long aclRoleId);
AclRole grantApiPermissionToAclRole(long aclRoleId, List<String> apiNames);
AclRole revokeApiPermissionFromAclRole(long aclRoleId, List<String> apiNames);
AclGroup addAclRolesToGroup(List<Long> roleIds, Long groupId);
AclGroup removeAclRolesFromGroup(List<Long> roleIds, Long groupId);
List<AclGroup> listAclGroups(long accountId);
AclGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
AclGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
AclGroup grantEntityPermissionToAclGroup(long aclGroupId, String entityType, long entityId, AccessType accessType);
/* ACL Policy related interfaces */
AclPolicy createAclPolicy(Account caller, String aclPolicyName, String description, Long parentPolicyId);
AclGroup revokeEntityPermissionFromAclGroup(long aclGroupId, String entityType, long entityId, AccessType accessType);
boolean deleteAclPolicy(long aclPolicyId);
/**
* Creates an acl group for the given domain.
*
* @param domainId
* @param name
* @param description
* @return AclGroup
*/
List<AclPolicy> listAclPolicies(long accountId);
AclGroup createAclGroup(Long domainId, String aclGroupName, String description);
AclGroup attachAclPoliciesToGroup(List<Long> roleIds, Long groupId);
/**
* Delete an acl group.
*
* @param aclGroupId
*/
boolean deleteAclGroup(Long aclGroupId);
AclGroup removeAclPoliciesFromGroup(List<Long> roleIds, Long groupId);
List<AclRole> getAclRoles(long accountId);
AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm);
List<AclGroup> getAclGroups(long accountId);
AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);
AclRolePermission getAclRolePermission(long accountId, String entityType, AccessType accessType);
AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action);
Pair<List<Long>, List<Long>> getAclEntityPermission(long accountId, String entityType, AccessType accessType);
boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
boolean isAPIAccessibleForRoles(String apiName, List<AclRole> roles);
List<AclRole> getEffectiveRoles(Account caller, ControlledEntity entity);
List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
/* Visibility related interfaces */
List<Long> getGrantedDomains(long accountId, AclEntityType entityType, String action);
List<Long> getGrantedAccounts(long accountId, AclEntityType entityType, String action);

2
api/src/org/apache/cloudstack/api/ApiCommandJobType.java
View File

@ -50,6 +50,6 @@ public enum ApiCommandJobType {
AffinityGroup,
InternalLbVm,
DedicatedGuestVlanRange,
AclRole,
AclPolicy,
AclGroup
}

7
api/src/org/apache/cloudstack/api/ApiConstants.java
View File

@ -524,10 +524,9 @@ public class ApiConstants {
public static final String SERVICE_STATE = "servicestate";
public static final String ACL_ACCOUNT_IDS = "accountids";
public static final String ACL_MEMBER_ACCOUNTS = "memberaccounts";
public static final String ACL_PARENT_ROLE_ID = "parentroleid";
public static final String ACL_PARENT_ROLE_NAME = "parentrolename";
public static final String ACL_ROLES = "roles";
public static final String ACL_ROLE_IDS = "roleids";
public static final String ACL_PARENT_POLICY_ID = "parentpolicyid";
public static final String ACL_PARENT_POLICY_NAME = "parentpolicyname";
public static final String ACL_POLICY_IDS = "policyids";
public static final String ACL_POLICIES = "policies";
public static final String ACL_APIS = "apis";
public static final String ACL_GROUPS = "groups";

6
api/src/org/apache/cloudstack/api/ResponseGenerator.java
View File

@ -23,7 +23,7 @@ import java.util.List;
import java.util.Map;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupResponse;
import org.apache.cloudstack.api.ApiConstants.HostDetails;
@ -32,7 +32,7 @@ import org.apache.cloudstack.api.ResponseObject.ResponseView;
import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.ApplicationLoadBalancerResponse;
import org.apache.cloudstack.api.response.AsyncJobResponse;
import org.apache.cloudstack.api.response.AutoScalePolicyResponse;
@ -455,7 +455,7 @@ public interface ResponseGenerator {
IsolationMethodResponse createIsolationMethodResponse(IsolationType method);
AclRoleResponse createAclRoleResponse(AclRole role);
AclPolicyResponse createAclPolicyResponse(AclPolicy policy);
AclGroupResponse createAclGroupResponse(AclGroup group);

67
api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclGroupCmd.java → api/src/org/apache/cloudstack/api/command/admin/acl/AddAclPermissionToAclPolicyCmd.java
View File

@ -16,11 +16,11 @@
// under the License.
package org.apache.cloudstack.api.command.admin.acl;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -29,7 +29,7 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
@ -38,10 +38,10 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "revokePermissionFromAclGroup", description = "revoke entity permission from an acl group", responseObject = AclGroupResponse.class)
public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RevokePermissionFromAclGroupCmd.class.getName());
private static final String s_name = "revokepermissiontoaclgroupresponse";
@APICommand(name = "addAclPermissionToAclPolicy", description = "Add Acl permission to an acl policy", responseObject = AclPolicyResponse.class)
public class AddAclPermissionToAclPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddAclPermissionToAclPolicyCmd.class.getName());
private static final String s_name = "addaclpermissiontoaclpolicyresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
@ -49,18 +49,23 @@ public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd {
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class,
required = true, description = "The ID of the acl group")
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclPolicyResponse.class,
required = true, description = "The ID of the acl policy")
private Long id;
@Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = true, description = "entity class simple name.")
@Parameter(name = ApiConstants.ACL_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
private String action;
@Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
private String entityType;
@Parameter(name = ApiConstants.ENTITY_ID, type = CommandType.UUID, required = true, description = "The ID of the entity")
private Long entityId;
@Parameter(name = ApiConstants.ACL_SCOPE, type = CommandType.STRING,
required = false, description = "acl permission scope")
private String scope;
@Parameter(name = ApiConstants.ACL_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id")
private Long scopeId;
@Parameter(name = ApiConstants.ACCESS_TYPE, type = CommandType.STRING, required = true, description = "access type for the entity")
private String accessType;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
@ -71,16 +76,21 @@ public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd {
return id;
}
public String getAction() {
return action;
}
public String getEntityType() {
return entityType;
}
public Long getEntityId() {
return entityId;
public String getScope() {
return scope;
}
public AccessType getAccessType() {
return AccessType.valueOf(accessType);
public Long getScopeId() {
return scopeId;
}
@ -88,6 +98,8 @@ public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd {
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
@ -102,30 +114,31 @@ public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd {
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.revokeEntityPermissionFromAclGroup(id, entityType, entityId, getAccessType());
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
CallContext.current().setEventDetails("Acl policy Id: " + getId());
// Only explicit ALLOW is supported for this release, no explicit deny
AclPolicy result = _aclService.addAclPermissionToAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action, Permission.Allow);
if (result != null) {
AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl group");
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl policy " + getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_GRANT;
return EventTypes.EVENT_ACL_POLICY_GRANT;
}
@Override
public String getEventDescription() {
return "granting permission to acl group";
return "granting permission to acl policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
return ApiCommandJobType.AclPolicy;
}
}

20
api/src/org/apache/cloudstack/api/command/admin/acl/AddAclRoleToAclGroupCmd.java → api/src/org/apache/cloudstack/api/command/admin/acl/AttachAclPolicyToAclGroupCmd.java
View File

@ -30,7 +30,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
@ -39,10 +39,10 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "addAclRoleToAclGroup", description = "add acl role to an acl group", responseObject = AclGroupResponse.class)
public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddAclRoleToAclGroupCmd.class.getName());
private static final String s_name = "addaclroletoaclgroupresponse";
@APICommand(name = "attachAclPolicyToAclGroup", description = "attach acl policy to an acl group", responseObject = AclGroupResponse.class)
public class AttachAclPolicyToAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AttachAclPolicyToAclGroupCmd.class.getName());
private static final String s_name = "attachaclpolicytoaclgroupresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
@ -55,8 +55,8 @@ public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd {
private Long id;
@ACL
@Parameter(name = ApiConstants.ACL_ROLES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclRoleResponse.class, description = "comma separated list of acl role id that are going to be applied to the acl group.")
private List<Long> roleIdList;
@Parameter(name = ApiConstants.ACL_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclPolicyResponse.class, description = "comma separated list of acl policy id that are going to be applied to the acl group.")
private List<Long> policyIdList;
/////////////////////////////////////////////////////
@ -69,8 +69,8 @@ public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd {
}
public List<Long> getRoleIdList() {
return roleIdList;
public List<Long> getPolicyIdList() {
return policyIdList;
}
/////////////////////////////////////////////////////
@ -93,7 +93,7 @@ public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd {
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.addAclRolesToGroup(roleIdList, id);
AclGroup result = _aclService.attachAclPoliciesToGroup(policyIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
response.setResponseName(getCommandName());

30
api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java
View File

@ -44,6 +44,9 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the acl group. Must be used with domainId.")
private String accountName;
@Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the acl group", entityType = DomainResponse.class)
private Long domainId;
@ -58,6 +61,9 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
// ///////////////// Accessors ///////////////////////
// ///////////////////////////////////////////////////
public String getAccountName() {
return accountName;
}
public String getDescription() {
return description;
@ -76,6 +82,7 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
@ -84,19 +91,29 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
@Override
public long getEntityOwnerId() {
Account account = CallContext.current().getCallingAccount();
if ((account == null) || _accountService.isAdmin(account.getType())) {
if ((domainId != null) && (accountName != null)) {
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
if (userAccount != null) {
return userAccount.getId();
}
}
}
if (account != null) {
return account.getId();
}
return Account.ACCOUNT_ID_SYSTEM;
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
// command to SYSTEM so ERROR events
// are tracked
}
@Override
public void execute() {
AclGroup role = _entityMgr.findById(AclGroup.class, getEntityId());
if (role != null) {
AclGroupResponse response = _responseGenerator.createAclGroupResponse(role);
AclGroup grp = _entityMgr.findById(AclGroup.class, getEntityId());
if (grp != null) {
AclGroupResponse response = _responseGenerator.createAclGroupResponse(grp);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
@ -106,7 +123,8 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
@Override
public void create() throws ResourceAllocationException {
AclGroup result = _aclService.createAclGroup(domainId, name, description);
Account account = CallContext.current().getCallingAccount();
AclGroup result = _aclService.createAclGroup(account, name, description);
if (result != null) {
setEntityId(result.getId());
setEntityUuid(result.getUuid());

74
api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclRoleCmd.java → api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclPolicyCmd.java
View File

@ -18,7 +18,7 @@ package org.apache.cloudstack.api.command.admin.acl;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -27,41 +27,48 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.DomainResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.user.Account;
@APICommand(name = "createAclRole", responseObject = AclRoleResponse.class, description = "Creates an acl role")
public class CreateAclRoleCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateAclRoleCmd.class.getName());
@APICommand(name = "createAclPolicy", responseObject = AclPolicyResponse.class, description = "Creates an acl policy")
public class CreateAclPolicyCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateAclPolicyCmd.class.getName());
private static final String s_name = "createaclroleresponse";
private static final String s_name = "createaclpolicyresponse";
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the acl role", entityType = DomainResponse.class)
@Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the acl policy. Must be used with domainId.")
private String accountName;
@Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the acl policy", entityType = DomainResponse.class)
private Long domainId;
@Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the acl role")
@Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the acl policy")
private String description;
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the acl group")
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the acl policy")
private String name;
@ACL
@Parameter(name = ApiConstants.ACL_PARENT_ROLE_ID, type = CommandType.UUID, description = "The ID of parent acl role.", entityType = AclRoleResponse.class)
private Long parentRoleId;
@Parameter(name = ApiConstants.ACL_PARENT_POLICY_ID, type = CommandType.UUID, description = "The ID of parent acl policy.", entityType = AclPolicyResponse.class)
private Long parentPolicyId;
// ///////////////////////////////////////////////////
// ///////////////// Accessors ///////////////////////
// ///////////////////////////////////////////////////
public String getAccountName() {
return accountName;
}
public String getDescription() {
return description;
@ -75,8 +82,8 @@ public class CreateAclRoleCmd extends BaseAsyncCreateCmd {
return name;
}
public Long getParentRoleId() {
return parentRoleId;
public Long getParentPolicyId() {
return parentPolicyId;
}
// ///////////////////////////////////////////////////
@ -90,56 +97,73 @@ public class CreateAclRoleCmd extends BaseAsyncCreateCmd {
@Override
public long getEntityOwnerId() {
return CallContext.current().getCallingAccount().getId();
Account account = CallContext.current().getCallingAccount();
if ((account == null) || _accountService.isAdmin(account.getType())) {
if ((domainId != null) && (accountName != null)) {
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
if (userAccount != null) {
return userAccount.getId();
}
}
}
if (account != null) {
return account.getId();
}
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
// command to SYSTEM so ERROR events
// are tracked
}
@Override
public void execute() {
AclRole role = _entityMgr.findById(AclRole.class, getEntityId());
if (role != null) {
AclRoleResponse response = _responseGenerator.createAclRoleResponse(role);
AclPolicy policy = _entityMgr.findById(AclPolicy.class, getEntityId());
if (policy != null) {
AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(policy);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl role:" + name);
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl policy:" + name);
}
}
@Override
public void create() throws ResourceAllocationException {
AclRole result = _aclService.createAclRole(domainId, name, description, parentRoleId);
Account account = CallContext.current().getCallingAccount();
AclPolicy result = _aclService.createAclPolicy(account, name, description, parentPolicyId);
if (result != null) {
setEntityId(result.getId());
setEntityUuid(result.getUuid());
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl role entity" + name);
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl policy entity" + name);
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_ROLE_CREATE;
return EventTypes.EVENT_ACL_POLICY_CREATE;
}
@Override
public String getEventDescription() {
return "creating Acl role";
return "creating Acl policy";
}
@Override
public String getCreateEventType() {
return EventTypes.EVENT_ACL_ROLE_CREATE;
return EventTypes.EVENT_ACL_POLICY_CREATE;
}
@Override
public String getCreateEventDescription() {
return "creating acl role";
return "creating acl policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclRole;
return ApiCommandJobType.AclPolicy;
}
}

20
api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclRoleCmd.java → api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclPolicyCmd.java
View File

@ -26,23 +26,23 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import com.cloud.event.EventTypes;
import com.cloud.user.Account;
@APICommand(name = "deleteAclRole", description = "Deletes acl role", responseObject = SuccessResponse.class)
public class DeleteAclRoleCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteAclRoleCmd.class.getName());
private static final String s_name = "deleteaclroleresponse";
@APICommand(name = "deleteAclPolicy", description = "Deletes acl policy", responseObject = SuccessResponse.class)
public class DeleteAclPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteAclPolicyCmd.class.getName());
private static final String s_name = "deleteaclpolicyresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl role.", required = true, entityType = AclRoleResponse.class)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl role.", required = true, entityType = AclPolicyResponse.class)
private Long id;
@ -70,18 +70,18 @@ public class DeleteAclRoleCmd extends BaseAsyncCmd {
@Override
public void execute(){
boolean result = _aclService.deleteAclRole(id);
boolean result = _aclService.deleteAclPolicy(id);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl role");
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl policy");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_ROLE_DELETE;
return EventTypes.EVENT_ACL_POLICY_DELETE;
}
@Override
@ -91,6 +91,6 @@ public class DeleteAclRoleCmd extends BaseAsyncCmd {
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclRole;
return ApiCommandJobType.AclPolicy;
}
}

120
api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclRoleCmd.java
View File

@ -1,120 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.admin.acl;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "grantPermissionToAclRole", description = "Grant api permission to an acl role", responseObject = AclRoleResponse.class)
public class GrantPermissionToAclRoleCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(GrantPermissionToAclRoleCmd.class.getName());
private static final String s_name = "grantpermissiontoroleresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclRoleResponse.class,
required = true, description = "The ID of the acl role")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACL_APIS, type = CommandType.LIST, collectionType = CommandType.STRING, description = "comma separated list of apis granted to the acl role. ")
private List<String> apiList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<String> getApiList() {
return apiList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl role Id: " + getId());
AclRole result = _aclService.grantApiPermissionToAclRole(id, apiList);
if (result != null) {
AclRoleResponse response = _responseGenerator.createAclRoleResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl role " + getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_ROLE_GRANT;
}
@Override
public String getEventDescription() {
return "granting permission to acl role";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclRole;
}
}

24
api/src/org/apache/cloudstack/api/command/admin/acl/ListAclRolesCmd.java → api/src/org/apache/cloudstack/api/command/admin/acl/ListAclPoliciesCmd.java
View File

@ -23,32 +23,32 @@ import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.ListResponse;
@APICommand(name = "listAclRoles", description = "Lists acl roles", responseObject = AclRoleResponse.class)
public class ListAclRolesCmd extends BaseListDomainResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListAclRolesCmd.class.getName());
@APICommand(name = "listAclPolicies", description = "Lists acl policies", responseObject = AclPolicyResponse.class)
public class ListAclPoliciesCmd extends BaseListDomainResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListAclPoliciesCmd.class.getName());
private static final String s_name = "listaclrolesresponse";
private static final String s_name = "listaclpoliciesresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists acl roles by name")
private String aclRoleName;
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists acl policies by name")
private String aclPolicyName;
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the acl role by the id provided", entityType = AclRoleResponse.class)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the acl policy by the id provided", entityType = AclPolicyResponse.class)
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public String getAclRoleName() {
return aclRoleName;
public String getAclPolicyName() {
return aclPolicyName;
}
@ -68,7 +68,7 @@ public class ListAclRolesCmd extends BaseListDomainResourcesCmd {
@Override
public void execute(){
ListResponse<AclRoleResponse> response = _queryService.listAclRoles(id, aclRoleName, getDomainId(),
ListResponse<AclPolicyResponse> response = _queryService.listAclPolicies(id, aclPolicyName, getDomainId(),
getStartIndex(), getPageSizeVal());
response.setResponseName(getCommandName());
setResponseObject(response);
@ -77,6 +77,6 @@ public class ListAclRolesCmd extends BaseListDomainResourcesCmd {
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclRole;
return ApiCommandJobType.AclPolicy;
}
}

64
api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclGroupCmd.java → api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclPermissionFromAclPolicyCmd.java
View File

@ -16,11 +16,10 @@
// under the License.
package org.apache.cloudstack.api.command.admin.acl;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -29,7 +28,7 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
@ -38,10 +37,10 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "grantPermissionToAclGroup", description = "grant entity permission to an acl group", responseObject = AclGroupResponse.class)
public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(GrantPermissionToAclGroupCmd.class.getName());
private static final String s_name = "grantpermissiontoaclgroupresponse";
@APICommand(name = "removeAclPermissionFromAclPolicy", description = "Remove acl permission from an acl policy", responseObject = AclPolicyResponse.class)
public class RemoveAclPermissionFromAclPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAclPermissionFromAclPolicyCmd.class.getName());
private static final String s_name = "removeaclpermissionfromaclpolicyresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
@ -49,18 +48,23 @@ public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd {
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class,
required = true, description = "The ID of the acl group")
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclPolicyResponse.class,
required = true, description = "The ID of the acl policy")
private Long id;
@Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = true, description = "entity class simple name.")
@Parameter(name = ApiConstants.ACL_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
private String action;
@Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
private String entityType;
@Parameter(name = ApiConstants.ENTITY_ID, type = CommandType.UUID, required = true, description = "The ID of the entity")
private Long entityId;
@Parameter(name = ApiConstants.ACL_SCOPE, type = CommandType.STRING,
required = false, description = "acl permission scope")
private String scope;
@Parameter(name = ApiConstants.ACL_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id")
private Long scopeId;
@Parameter(name = ApiConstants.ACCESS_TYPE, type = CommandType.STRING, required = true, description = "access type for the entity")
private String accessType;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
@ -71,16 +75,21 @@ public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd {
return id;
}
public String getAction() {
return action;
}
public String getEntityType() {
return entityType;
}
public Long getEntityId() {
return entityId;
public String getScope() {
return scope;
}
public AccessType getAccessType() {
return AccessType.valueOf(accessType);
public Long getScopeId() {
return scopeId;
}
@ -88,6 +97,7 @@ public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd {
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
@ -102,30 +112,30 @@ public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd {
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.grantEntityPermissionToAclGroup(id, entityType, entityId, getAccessType());
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
CallContext.current().setEventDetails("Acl policy Id: " + getId());
AclPolicy result = _aclService.removeAclPermissionFromAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action);
if (result != null) {
AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl group");
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove permission from acl policy " + getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_GRANT;
return EventTypes.EVENT_ACL_POLICY_REVOKE;
}
@Override
public String getEventDescription() {
return "granting permission to acl group";
return "removing permission from acl policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
return ApiCommandJobType.AclPolicy;
}
}

18
api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclRoleFromAclGroupCmd.java → api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclPolicyFromAclGroupCmd.java
View File

@ -30,7 +30,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
@ -39,10 +39,10 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "removeAclRoleFromAclGroup", description = "remove acl role to an acl group", responseObject = AclGroupResponse.class)
public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAclRoleFromAclGroupCmd.class.getName());
private static final String s_name = "removeaclroletoaclgroupresponse";
@APICommand(name = "removeAclPolicyFromAclGroup", description = "remove acl policy from an acl group", responseObject = AclGroupResponse.class)
public class RemoveAclPolicyFromAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAclPolicyFromAclGroupCmd.class.getName());
private static final String s_name = "removeaclpolicyfromaclgroupresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
@ -55,8 +55,8 @@ public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd {
private Long id;
@ACL
@Parameter(name = ApiConstants.ACL_ROLES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclRoleResponse.class, description = "comma separated list of acl role id that are going to be applied to the acl group.")
private List<Long> roleIdList;
@Parameter(name = ApiConstants.ACL_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclPolicyResponse.class, description = "comma separated list of acl policy id that are going to be applied to the acl group.")
private List<Long> policyIdList;
/////////////////////////////////////////////////////
@ -70,7 +70,7 @@ public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd {
public List<Long> getRoleIdList() {
return roleIdList;
return policyIdList;
}
/////////////////////////////////////////////////////
@ -93,7 +93,7 @@ public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd {
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.removeAclRolesFromGroup(roleIdList, id);
AclGroup result = _aclService.removeAclPoliciesFromGroup(policyIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
response.setResponseName(getCommandName());

120
api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java
View File

@ -1,120 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.admin.acl;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "revokePermissionFromAclRole", description = "Revoke api permission from an acl role", responseObject = AclRoleResponse.class)
public class RevokePermissionFromAclRoleCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RevokePermissionFromAclRoleCmd.class.getName());
private static final String s_name = "revokepermissionfromroleresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclRoleResponse.class,
required = true, description = "The ID of the acl role")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACL_APIS, type = CommandType.LIST, collectionType = CommandType.STRING, description = "comma separated list of apis granted to the acl role. ")
private List<String> apiList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<String> getApiList() {
return apiList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl role Id: " + getId());
AclRole result = _aclService.revokeApiPermissionFromAclRole(id, apiList);
if (result != null) {
AclRoleResponse response = _responseGenerator.createAclRoleResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to revoke permission from acl role " + getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_ROLE_REVOKE;
}
@Override
public String getEventDescription() {
return "revoking permission from acl role";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclRole;
}
}

112
api/src/org/apache/cloudstack/api/response/AclEntityPermissionResponse.java
View File

@ -1,112 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.response;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import com.cloud.serializer.Param;
public class AclEntityPermissionResponse extends BaseResponse {
@SerializedName(ApiConstants.GROUP_ID)
@Param(description = "the ID of the acl group")
private String groupId;
@SerializedName(ApiConstants.ENTITY_TYPE)
@Param(description = "the entity type of this permission")
private String entityType;
@SerializedName(ApiConstants.ENTITY_ID)
@Param(description = "the uuid of the entity involved in this permission")
private String entityId;
@SerializedName(ApiConstants.ACCESS_TYPE)
@Param(description = "access type involved in this permission")
private String accessType;
public String getGroupId() {
return groupId;
}
public void setGroupId(String groupId) {
this.groupId = groupId;
}
public String getEntityType() {
return entityType;
}
public void setEntityType(String entityType) {
this.entityType = entityType;
}
public String getEntityId() {
return entityId;
}
public void setEntityId(String entityId) {
this.entityId = entityId;
}
public String getAccessType() {
return accessType;
}
public void setAccessType(String accessType) {
this.accessType = accessType;
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((entityType == null) ? 0 : entityType.hashCode());
result = prime * result + ((entityId == null) ? 0 : entityId.hashCode());
result = prime * result + ((accessType == null) ? 0 : accessType.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (getClass() != obj.getClass())
return false;
AclEntityPermissionResponse other = (AclEntityPermissionResponse) obj;
if (entityType == null) {
if (other.entityType != null)
return false;
} else if (!entityType.equals(other.entityType)) {
return false;
} else if ((entityId == null && other.entityId != null) || !entityId.equals(other.entityId)) {
return false;
} else if ((accessType == null && other.accessType != null) || !accessType.equals(other.accessType)) {
return false;
}
return true;
}
}

134
api/src/org/apache/cloudstack/api/response/AclRoleResponse.java
View File

@ -1,134 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.response;
import java.util.ArrayList;
import java.util.List;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import org.apache.cloudstack.api.EntityReference;
import com.cloud.serializer.Param;
@SuppressWarnings("unused")
@EntityReference(value = AclRole.class)
public class AclRoleResponse extends BaseResponse {
@SerializedName(ApiConstants.ID)
@Param(description = "the ID of the acl role")
private String id;
@SerializedName(ApiConstants.NAME)
@Param(description = "the name of the acl role")
private String name;
@SerializedName(ApiConstants.DESCRIPTION)
@Param(description = "the description of the acl role")
private String description;
@SerializedName(ApiConstants.DOMAIN_ID)
@Param(description = "the domain ID of the acl role")
private String domainId;
@SerializedName(ApiConstants.DOMAIN)
@Param(description = "the domain name of the acl role")
private String domainName;
@SerializedName(ApiConstants.ACL_APIS)
@Param(description = "allowed apis for the acl role ")
private List<String> apiList;
public AclRoleResponse() {
apiList = new ArrayList<String>();
}
@Override
public String getObjectId() {
return getId();
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public void setName(String name) {
this.name = name;
}
public void setDescription(String description) {
this.description = description;
}
public void setDomainId(String domainId) {
this.domainId = domainId;
}
public void setDomainName(String domainName) {
this.domainName = domainName;
}
public List<String> getApiList() {
return apiList;
}
public void setApiList(List<String> apiList) {
this.apiList = apiList;
}
public void addApi(String api) {
apiList.add(api);
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((id == null) ? 0 : id.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (getClass() != obj.getClass())
return false;
AclRoleResponse other = (AclRoleResponse) obj;
if (id == null) {
if (other.id != null)
return false;
} else if (!id.equals(other.id))
return false;
return true;
}
}

4
api/src/org/apache/cloudstack/query/QueryService.java
View File

@ -45,7 +45,7 @@ import org.apache.cloudstack.api.command.user.volume.ListVolumesCmd;
import org.apache.cloudstack.api.command.user.zone.ListZonesByCmd;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.AsyncJobResponse;
import org.apache.cloudstack.api.response.DiskOfferingResponse;
import org.apache.cloudstack.api.response.DomainRouterResponse;
@ -127,7 +127,7 @@ public interface QueryService {
ListResponse<DomainRouterResponse> searchForInternalLbVms(ListInternalLBVMsCmd cmd);
public ListResponse<AclRoleResponse> listAclRoles(Long aclRoleId, String aclRoleName,
public ListResponse<AclPolicyResponse> listAclPolicies(Long aclPolicyId, String aclPolicyName,
Long domainId, Long startIndex, Long pageSize);
public ListResponse<AclGroupResponse> listAclGroups(Long aclGroupId, String aclGroupName,

4
engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java
View File

@ -96,6 +96,10 @@ public class AclGroupVO implements AclGroup {
return accountId;
}
public void setAccountId(long accountId) {
this.accountId = accountId;
}
@Override
public String getUuid() {
return uuid;

4
engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java
View File

@ -97,6 +97,10 @@ public class AclPolicyPermissionVO implements AclPolicyPermission {
}
public void setAclPolicyId(long aclPolicyId) {
this.aclPolicyId = aclPolicyId;
}
@Override
public String getEntityType() {
return entityType;

4
engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java
View File

@ -121,6 +121,10 @@ public class AclPolicyVO implements AclPolicy {
return accountId;
}
public void setAccountId(long accountId) {
this.accountId = accountId;
}
public AclPolicy.PolicyType getPolicyType() {
return policyType;
}

9
engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
View File

@ -17,10 +17,19 @@
package org.apache.cloudstack.acl.dao;
import java.util.List;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.PermissionScope;
import com.cloud.utils.db.GenericDao;
public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO, Long> {
List<AclPolicyPermissionVO> listByPolicy(long policyId);
AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm);
}

18
engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
View File

@ -16,21 +16,20 @@
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.PermissionScope;
import com.cloud.utils.db.GenericDaoBase;
public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissionVO, Long> implements
AclPolicyPermissionDao {
public AclPolicyPermissionDaoImpl()
{
}
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
@ -39,5 +38,16 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
return true;
}
@Override
public List<AclPolicyPermissionVO> listByPolicy(long policyId) {
// TODO Auto-generated method stub
return null;
}
@Override
public AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) {
// TODO Auto-generated method stub
return null;
}
}

4
plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
View File

@ -54,10 +54,10 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null");
}
List<AclRole> roles = _aclService.getAclRoles(account.getAccountId());
List<AclRole> roles = _aclService.listAclPolicies(account.getAccountId());
boolean isAllowed = _aclService.isAPIAccessibleForRoles(commandName, roles);
boolean isAllowed = _aclService.isAPIAccessibleForPolicies(commandName, roles);
if (!isAllowed) {
throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
}

2
plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
View File

@ -106,7 +106,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
}
// get all Roles of this caller w.r.t the entity
List<AclRole> roles = _aclService.getEffectiveRoles(caller, entity);
List<AclRole> roles = _aclService.getEffectivePolicies(caller, entity);
HashMap<AclRole, Boolean> rolePermissionMap = new HashMap<AclRole, Boolean>();
for (AclRole role : roles) {

26
server/src/com/cloud/api/ApiDBUtils.java
View File

@ -26,7 +26,7 @@ import javax.annotation.PostConstruct;
import javax.inject.Inject;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupResponse;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@ -36,7 +36,7 @@ import org.apache.cloudstack.api.ApiConstants.VMDetails;
import org.apache.cloudstack.api.ResponseObject.ResponseView;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.AsyncJobResponse;
import org.apache.cloudstack.api.response.DiskOfferingResponse;
import org.apache.cloudstack.api.response.DomainRouterResponse;
@ -70,7 +70,7 @@ import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
import com.cloud.api.query.dao.AccountJoinDao;
import com.cloud.api.query.dao.AclGroupJoinDao;
import com.cloud.api.query.dao.AclRoleJoinDao;
import com.cloud.api.query.dao.AclPolicyJoinDao;
import com.cloud.api.query.dao.AffinityGroupJoinDao;
import com.cloud.api.query.dao.AsyncJobJoinDao;
import com.cloud.api.query.dao.DataCenterJoinDao;
@ -92,7 +92,7 @@ import com.cloud.api.query.dao.UserVmJoinDao;
import com.cloud.api.query.dao.VolumeJoinDao;
import com.cloud.api.query.vo.AccountJoinVO;
import com.cloud.api.query.vo.AclGroupJoinVO;
import com.cloud.api.query.vo.AclRoleJoinVO;
import com.cloud.api.query.vo.AclPolicyJoinVO;
import com.cloud.api.query.vo.AffinityGroupJoinVO;
import com.cloud.api.query.vo.AsyncJobJoinVO;
import com.cloud.api.query.vo.DataCenterJoinVO;
@ -411,7 +411,7 @@ public class ApiDBUtils {
static GlobalLoadBalancingRulesService _gslbService;
static NetworkACLDao _networkACLDao;
static AccountService _accountService;
static AclRoleJoinDao _aclRoleJoinDao;
static AclPolicyJoinDao _aclPolicyJoinDao;
static AclGroupJoinDao _aclGroupJoinDao;
static ResourceMetaDataService _resourceDetailsService;
@ -527,7 +527,7 @@ public class ApiDBUtils {
@Inject private ServiceOfferingDetailsDao serviceOfferingDetailsDao;
@Inject private AccountService accountService;
@Inject
private AclRoleJoinDao aclRoleJoinDao;
private AclPolicyJoinDao aclPolicyJoinDao;
@Inject
private AclGroupJoinDao aclGroupJoinDao;
@Inject private ConfigurationManager configMgr;
@ -643,7 +643,7 @@ public class ApiDBUtils {
_statsCollector = StatsCollector.getInstance();
_networkACLDao = networkACLDao;
_accountService = accountService;
_aclRoleJoinDao = aclRoleJoinDao;
_aclPolicyJoinDao = aclPolicyJoinDao;
_aclGroupJoinDao = aclGroupJoinDao;
_resourceDetailsService = resourceDetailsService;
}
@ -1698,16 +1698,16 @@ public class ApiDBUtils {
return _affinityGroupJoinDao.setAffinityGroupResponse(resp, group);
}
public static List<AclRoleJoinVO> newAclRoleView(AclRole role) {
return _aclRoleJoinDao.newAclRoleView(role);
public static List<AclPolicyJoinVO> newAclPolicyView(AclPolicy policy) {
return _aclPolicyJoinDao.newAclPolicyView(policy);
}
public static AclRoleResponse newAclRoleResponse(AclRoleJoinVO role) {
return _aclRoleJoinDao.newAclRoleResponse(role);
public static AclPolicyResponse newAclPolicyResponse(AclPolicyJoinVO policy) {
return _aclPolicyJoinDao.newAclPolicyResponse(policy);
}
public static AclRoleResponse fillAclRoleDetails(AclRoleResponse resp, AclRoleJoinVO role) {
return _aclRoleJoinDao.setAclRoleResponse(resp, role);
public static AclPolicyResponse fillAclPolicyDetails(AclPolicyResponse resp, AclPolicyJoinVO policy) {
return _aclPolicyJoinDao.setAclPolicyResponse(resp, policy);
}
public static List<AclGroupJoinVO> newAclGroupView(AclGroup group) {

16
server/src/com/cloud/api/ApiResponseHelper.java
View File

@ -34,7 +34,7 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.affinity.AffinityGroup;
@ -46,7 +46,7 @@ import org.apache.cloudstack.api.ResponseObject.ResponseView;
import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.ApplicationLoadBalancerInstanceResponse;
import org.apache.cloudstack.api.response.ApplicationLoadBalancerResponse;
import org.apache.cloudstack.api.response.ApplicationLoadBalancerRuleResponse;
@ -155,7 +155,7 @@ import org.apache.cloudstack.usage.UsageTypes;
import com.cloud.api.query.ViewResponseHelper;
import com.cloud.api.query.vo.AccountJoinVO;
import com.cloud.api.query.vo.AclGroupJoinVO;
import com.cloud.api.query.vo.AclRoleJoinVO;
import com.cloud.api.query.vo.AclPolicyJoinVO;
import com.cloud.api.query.vo.AsyncJobJoinVO;
import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.api.query.vo.DataCenterJoinVO;
@ -3709,11 +3709,11 @@ public class ApiResponseHelper implements ResponseGenerator {
}
@Override
public AclRoleResponse createAclRoleResponse(AclRole role) {
List<AclRoleJoinVO> viewRoles = ApiDBUtils.newAclRoleView(role);
List<AclRoleResponse> listRoles = ViewResponseHelper.createAclRoleResponses(viewRoles);
assert listRoles != null && listRoles.size() == 1 : "There should be one acl role returned";
return listRoles.get(0);
public AclPolicyResponse createAclPolicyResponse(AclPolicy policy) {
List<AclPolicyJoinVO> viewPolicies = ApiDBUtils.newAclPolicyView(policy);
List<AclPolicyResponse> listPolicies = ViewResponseHelper.createAclPolicyResponses(viewPolicies);
assert listPolicies != null && listPolicies.size() == 1 : "There should be one acl policy returned";
return listPolicies.get(0);
}
@Override

67
server/src/com/cloud/api/ApiServer.java
View File

@ -51,14 +51,44 @@ import javax.naming.ConfigurationException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.ConnectionClosedException;
import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.HttpServerConnection;
import org.apache.http.HttpStatus;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.entity.BasicHttpEntity;
import org.apache.http.impl.DefaultHttpResponseFactory;
import org.apache.http.impl.DefaultHttpServerConnection;
import org.apache.http.impl.NoConnectionReuseStrategy;
import org.apache.http.impl.SocketHttpServerConnection;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.CoreConnectionPNames;
import org.apache.http.params.CoreProtocolPNames;
import org.apache.http.params.HttpParams;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.BasicHttpProcessor;
import org.apache.http.protocol.HttpContext;
import org.apache.http.protocol.HttpRequestHandler;
import org.apache.http.protocol.HttpRequestHandlerRegistry;
import org.apache.http.protocol.HttpService;
import org.apache.http.protocol.ResponseConnControl;
import org.apache.http.protocol.ResponseContent;
import org.apache.http.protocol.ResponseDate;
import org.apache.http.protocol.ResponseServer;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.APIChecker;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.affinity.AffinityGroupVMMapVO;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
@ -96,36 +126,6 @@ import org.apache.cloudstack.framework.jobs.AsyncJob;
import org.apache.cloudstack.framework.jobs.AsyncJobManager;
import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.ConnectionClosedException;
import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.HttpServerConnection;
import org.apache.http.HttpStatus;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.entity.BasicHttpEntity;
import org.apache.http.impl.DefaultHttpResponseFactory;
import org.apache.http.impl.DefaultHttpServerConnection;
import org.apache.http.impl.NoConnectionReuseStrategy;
import org.apache.http.impl.SocketHttpServerConnection;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.CoreConnectionPNames;
import org.apache.http.params.CoreProtocolPNames;
import org.apache.http.params.HttpParams;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.BasicHttpProcessor;
import org.apache.http.protocol.HttpContext;
import org.apache.http.protocol.HttpRequestHandler;
import org.apache.http.protocol.HttpRequestHandlerRegistry;
import org.apache.http.protocol.HttpService;
import org.apache.http.protocol.ResponseConnControl;
import org.apache.http.protocol.ResponseContent;
import org.apache.http.protocol.ResponseDate;
import org.apache.http.protocol.ResponseServer;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import com.cloud.api.response.ApiResponseSerializer;
import com.cloud.configuration.Config;
@ -1017,7 +1017,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
}
}
private Class<?> getCmdClass(String cmdName) {
@Override
public Class<?> getCmdClass(String cmdName) {
List<Class<?>> cmdList = _apiNameCmdClassMap.get(cmdName);
if (cmdList == null || cmdList.size() == 0)
return null;

2
server/src/com/cloud/api/ApiServerService.java
View File

@ -35,4 +35,6 @@ public interface ApiServerService {
public String getSerializedApiError(ServerApiException ex, Map<String, Object[]> apiCommandParams, String responseType);
public String handleRequest(Map params, String responseType, StringBuffer auditTrailSb) throws ServerApiException;
public Class<?> getCmdClass(String cmdName);
}

68
server/src/com/cloud/api/query/QueryManagerImpl.java
View File

@ -30,7 +30,7 @@ import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclService;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.dao.AclGroupDao;
@ -71,7 +71,7 @@ import org.apache.cloudstack.api.command.user.volume.ListVolumesCmd;
import org.apache.cloudstack.api.command.user.zone.ListZonesByCmd;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.AsyncJobResponse;
import org.apache.cloudstack.api.response.DiskOfferingResponse;
import org.apache.cloudstack.api.response.DomainRouterResponse;
@ -100,7 +100,7 @@ import org.apache.cloudstack.query.QueryService;
import com.cloud.api.query.dao.AccountJoinDao;
import com.cloud.api.query.dao.AclGroupJoinDao;
import com.cloud.api.query.dao.AclRoleJoinDao;
import com.cloud.api.query.dao.AclPolicyJoinDao;
import com.cloud.api.query.dao.AffinityGroupJoinDao;
import com.cloud.api.query.dao.AsyncJobJoinDao;
import com.cloud.api.query.dao.DataCenterJoinDao;
@ -122,6 +122,7 @@ import com.cloud.api.query.dao.UserVmJoinDao;
import com.cloud.api.query.dao.VolumeJoinDao;
import com.cloud.api.query.vo.AccountJoinVO;
import com.cloud.api.query.vo.AclGroupJoinVO;
import com.cloud.api.query.vo.AclPolicyJoinVO;
import com.cloud.api.query.vo.AclRoleJoinVO;
import com.cloud.api.query.vo.AffinityGroupJoinVO;
import com.cloud.api.query.vo.AsyncJobJoinVO;
@ -350,10 +351,10 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
AffinityGroupDomainMapDao _affinityGroupDomainMapDao;
@Inject
AclRoleJoinDao _aclRoleJoinDao;
AclPolicyJoinDao _aclPolicyJoinDao;
@Inject
AclPolicyDao _aclRoleDao;
AclPolicyDao _aclPolicyDao;
@Inject
AclGroupJoinDao _aclGroupJoinDao;
@ -3308,28 +3309,29 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
@Override
public ListResponse<AclRoleResponse> listAclRoles(Long aclRoleId, String aclRoleName, Long domainId, Long startIndex, Long pageSize) {
Pair<List<AclRoleJoinVO>, Integer> result = listAclRolesInternal(aclRoleId, aclRoleName, domainId, true, true, startIndex, pageSize);
ListResponse<AclRoleResponse> response = new ListResponse<AclRoleResponse>();
public ListResponse<AclPolicyResponse> listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex, Long pageSize) {
Pair<List<AclPolicyJoinVO>, Integer> result = listAclPoliciesInternal(aclPolicyId, aclPolicyName, domainId, true, true, startIndex, pageSize);
ListResponse<AclPolicyResponse> response = new ListResponse<AclPolicyResponse>();
List<AclRoleResponse> roleResponses = ViewResponseHelper.createAclRoleResponses(result.first());
List<AclPolicyResponse> roleResponses = ViewResponseHelper.createAclPolicyResponses(result.first());
response.setResponses(roleResponses, result.second());
return response;
}
private Pair<List<AclRoleJoinVO>, Integer> listAclRolesInternal(Long aclRoleId, String aclRoleName, Long domainId, boolean isRecursive, boolean listAll, Long startIndex,
private Pair<List<AclPolicyJoinVO>, Integer> listAclPoliciesInternal(Long aclPolicyId, String aclPolicyName, Long domainId, boolean isRecursive, boolean listAll,
Long startIndex,
Long pageSize) {
Account caller = CallContext.current().getCallingAccount();
Boolean listForDomain = false;
if (aclRoleId != null) {
AclRole role = _aclRoleDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role by id " + aclRoleId);
if (aclPolicyId != null) {
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy by id " + aclPolicyId);
}
_accountMgr.checkAccess(caller, null, true, role);
_accountMgr.checkAccess(caller, null, true, policy);
}
if (domainId != null) {
@ -3340,17 +3342,17 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
_accountMgr.checkAccess(caller, domain);
if (aclRoleName != null) {
AclRole role = _aclRoleDao.findByName(domainId, aclRoleName);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role by name " + aclRoleName
if (aclPolicyName != null) {
AclPolicy policy = _aclPolicyDao.findByName(domainId, aclPolicyName);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy by name " + aclPolicyName
+ " in domain " + domainId);
}
_accountMgr.checkAccess(caller, null, true, role);
_accountMgr.checkAccess(caller, null, true, policy);
}
}
if (aclRoleId == null) {
if (aclPolicyId == null) {
if (_accountMgr.isAdmin(caller.getType()) && listAll && domainId == null) {
listForDomain = true;
isRecursive = true;
@ -3365,7 +3367,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Filter searchFilter = new Filter(AclRoleJoinVO.class, "id", true, startIndex, pageSize);
SearchBuilder<AclRoleJoinVO> sb = _aclRoleJoinDao.createSearchBuilder();
SearchBuilder<AclPolicyJoinVO> sb = _aclPolicyJoinDao.createSearchBuilder();
sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct ids
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
@ -3376,14 +3378,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("path", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
}
SearchCriteria<AclRoleJoinVO> sc = sb.create();
SearchCriteria<AclPolicyJoinVO> sc = sb.create();
if (aclRoleName != null) {
sc.setParameters("name", aclRoleName);
if (aclPolicyName != null) {
sc.setParameters("name", aclPolicyName);
}
if (aclRoleId != null) {
sc.setParameters("id", aclRoleId);
if (aclPolicyId != null) {
sc.setParameters("id", aclPolicyId);
}
if (listForDomain) {
@ -3396,21 +3398,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
// search role details by ids
Pair<List<AclRoleJoinVO>, Integer> uniqueRolePair = _aclRoleJoinDao.searchAndCount(sc, searchFilter);
// search policy details by ids
Pair<List<AclPolicyJoinVO>, Integer> uniqueRolePair = _aclPolicyJoinDao.searchAndCount(sc, searchFilter);
Integer count = uniqueRolePair.second();
if (count.intValue() == 0) {
// empty result
return uniqueRolePair;
}
List<AclRoleJoinVO> uniqueRoles = uniqueRolePair.first();
List<AclPolicyJoinVO> uniqueRoles = uniqueRolePair.first();
Long[] vrIds = new Long[uniqueRoles.size()];
int i = 0;
for (AclRoleJoinVO v : uniqueRoles) {
for (AclPolicyJoinVO v : uniqueRoles) {
vrIds[i++] = v.getId();
}
List<AclRoleJoinVO> vrs = _aclRoleJoinDao.searchByIds(vrIds);
return new Pair<List<AclRoleJoinVO>, Integer>(vrs, count);
List<AclPolicyJoinVO> vrs = _aclPolicyJoinDao.searchByIds(vrIds);
return new Pair<List<AclPolicyJoinVO>, Integer>(vrs, count);
}
@Override

20
server/src/com/cloud/api/query/ViewResponseHelper.java
View File

@ -29,7 +29,7 @@ import org.apache.cloudstack.api.ApiConstants.VMDetails;
import org.apache.cloudstack.api.ResponseObject.ResponseView;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.AsyncJobResponse;
import org.apache.cloudstack.api.response.DiskOfferingResponse;
import org.apache.cloudstack.api.response.DomainRouterResponse;
@ -55,7 +55,7 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.api.ApiDBUtils;
import com.cloud.api.query.vo.AccountJoinVO;
import com.cloud.api.query.vo.AclGroupJoinVO;
import com.cloud.api.query.vo.AclRoleJoinVO;
import com.cloud.api.query.vo.AclPolicyJoinVO;
import com.cloud.api.query.vo.AffinityGroupJoinVO;
import com.cloud.api.query.vo.AsyncJobJoinVO;
import com.cloud.api.query.vo.DataCenterJoinVO;
@ -445,20 +445,20 @@ public class ViewResponseHelper {
return new ArrayList<AffinityGroupResponse>(vrDataList.values());
}
public static List<AclRoleResponse> createAclRoleResponses(List<AclRoleJoinVO> roles) {
Hashtable<Long, AclRoleResponse> vrDataList = new Hashtable<Long, AclRoleResponse>();
for (AclRoleJoinVO vr : roles) {
AclRoleResponse vrData = vrDataList.get(vr.getId());
public static List<AclPolicyResponse> createAclPolicyResponses(List<AclPolicyJoinVO> policies) {
Hashtable<Long, AclPolicyResponse> vrDataList = new Hashtable<Long, AclPolicyResponse>();
for (AclPolicyJoinVO vr : policies) {
AclPolicyResponse vrData = vrDataList.get(vr.getId());
if (vrData == null) {
// first time encountering this Acl role
vrData = ApiDBUtils.newAclRoleResponse(vr);
// first time encountering this Acl policy
vrData = ApiDBUtils.newAclPolicyResponse(vr);
} else {
// update vms
vrData = ApiDBUtils.fillAclRoleDetails(vrData, vr);
vrData = ApiDBUtils.fillAclPolicyDetails(vrData, vr);
}
vrDataList.put(vr.getId(), vrData);
}
return new ArrayList<AclRoleResponse>(vrDataList.values());
return new ArrayList<AclPolicyResponse>(vrDataList.values());
}
public static List<AclGroupResponse> createAclGroupResponses(List<AclGroupJoinVO> groups) {

2
server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
View File

@ -37,7 +37,7 @@ import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
@Local(value = {AclRoleJoinDao.class})
@Local(value = {AclPolicyJoinDao.class})
public class AclPolicyJoinDaoImpl extends GenericDaoBase<AclPolicyJoinVO, Long> implements AclPolicyJoinDao {
public static final Logger s_logger = Logger.getLogger(AclPolicyJoinDaoImpl.class);

36
server/src/com/cloud/api/query/dao/AclRoleJoinDao.java
View File

@ -1,36 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.query.dao;
import java.util.List;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.api.response.AclRoleResponse;
import com.cloud.api.query.vo.AclRoleJoinVO;
import com.cloud.utils.db.GenericDao;
public interface AclRoleJoinDao extends GenericDao<AclRoleJoinVO, Long> {
AclRoleResponse newAclRoleResponse(AclRoleJoinVO role);
AclRoleResponse setAclRoleResponse(AclRoleResponse response, AclRoleJoinVO os);
List<AclRoleJoinVO> newAclRoleView(AclRole role);
List<AclRoleJoinVO> searchByIds(Long... ids);
}

145
server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java
View File

@ -1,145 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.query.dao;
import java.util.ArrayList;
import java.util.List;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import com.cloud.api.query.vo.AclRoleJoinVO;
import com.cloud.user.AccountManager;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
@Local(value = {AclRoleJoinDao.class})
public class AclRoleJoinDaoImpl extends GenericDaoBase<AclRoleJoinVO, Long> implements AclRoleJoinDao {
public static final Logger s_logger = Logger.getLogger(AclRoleJoinDaoImpl.class);
private final SearchBuilder<AclRoleJoinVO> roleIdSearch;
private final SearchBuilder<AclRoleJoinVO> roleSearch;
@Inject
public AccountManager _accountMgr;
@Inject
public ConfigurationDao _configDao;
protected AclRoleJoinDaoImpl() {
roleSearch = createSearchBuilder();
roleSearch.and("idIN", roleSearch.entity().getId(), SearchCriteria.Op.IN);
roleSearch.done();
roleIdSearch = createSearchBuilder();
roleIdSearch.and("id", roleIdSearch.entity().getId(), SearchCriteria.Op.EQ);
roleIdSearch.done();
_count = "select count(distinct id) from acl_role_view WHERE ";
}
@Override
public AclRoleResponse newAclRoleResponse(AclRoleJoinVO role) {
AclRoleResponse response = new AclRoleResponse();
response.setId(role.getUuid());
response.setName(role.getName());
response.setDescription(role.getDescription());
response.setDomainId(role.getDomainUuid());
response.setDomainName(role.getName());
if (role.getApiName() != null) {
response.addApi(role.getApiName());
}
response.setObjectName("aclrole");
return response;
}
@Override
public AclRoleResponse setAclRoleResponse(AclRoleResponse response, AclRoleJoinVO role) {
if (role.getApiName() != null) {
response.addApi(role.getApiName());
}
return response;
}
@Override
public List<AclRoleJoinVO> newAclRoleView(AclRole role) {
SearchCriteria<AclRoleJoinVO> sc = roleIdSearch.create();
sc.setParameters("id", role.getId());
return searchIncludingRemoved(sc, null, null, false);
}
@Override
public List<AclRoleJoinVO> searchByIds(Long... roleIds) {
// set detail batch query size
int DETAILS_BATCH_SIZE = 2000;
String batchCfg = _configDao.getValue("detail.batch.query.size");
if (batchCfg != null) {
DETAILS_BATCH_SIZE = Integer.parseInt(batchCfg);
}
// query details by batches
List<AclRoleJoinVO> uvList = new ArrayList<AclRoleJoinVO>();
// query details by batches
int curr_index = 0;
if (roleIds.length > DETAILS_BATCH_SIZE) {
while ((curr_index + DETAILS_BATCH_SIZE) <= roleIds.length) {
Long[] ids = new Long[DETAILS_BATCH_SIZE];
for (int k = 0, j = curr_index; j < curr_index + DETAILS_BATCH_SIZE; j++, k++) {
ids[k] = roleIds[j];
}
SearchCriteria<AclRoleJoinVO> sc = roleSearch.create();
sc.setParameters("idIN", ids);
List<AclRoleJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
if (vms != null) {
uvList.addAll(vms);
}
curr_index += DETAILS_BATCH_SIZE;
}
}
if (curr_index < roleIds.length) {
int batch_size = (roleIds.length - curr_index);
// set the ids value
Long[] ids = new Long[batch_size];
for (int k = 0, j = curr_index; j < curr_index + batch_size; j++, k++) {
ids[k] = roleIds[j];
}
SearchCriteria<AclRoleJoinVO> sc = roleSearch.create();
sc.setParameters("idIN", ids);
List<AclRoleJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
if (vms != null) {
uvList.addAll(vms);
}
}
return uvList;
}
}

32
server/src/com/cloud/server/ManagementServerImpl.java
View File

@ -58,19 +58,17 @@ import org.apache.cloudstack.api.command.admin.account.EnableAccountCmd;
import org.apache.cloudstack.api.command.admin.account.LockAccountCmd;
import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
import org.apache.cloudstack.api.command.admin.acl.AddAccountToAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.AddAclRoleToAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.AddAclPermissionToAclPolicyCmd;
import org.apache.cloudstack.api.command.admin.acl.AttachAclPolicyToAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.CreateAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.CreateAclRoleCmd;
import org.apache.cloudstack.api.command.admin.acl.CreateAclPolicyCmd;
import org.apache.cloudstack.api.command.admin.acl.DeleteAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.DeleteAclRoleCmd;
import org.apache.cloudstack.api.command.admin.acl.GrantPermissionToAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.GrantPermissionToAclRoleCmd;
import org.apache.cloudstack.api.command.admin.acl.DeleteAclPolicyCmd;
import org.apache.cloudstack.api.command.admin.acl.ListAclGroupsCmd;
import org.apache.cloudstack.api.command.admin.acl.ListAclRolesCmd;
import org.apache.cloudstack.api.command.admin.acl.ListAclPoliciesCmd;
import org.apache.cloudstack.api.command.admin.acl.RemoveAccountFromAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.RemoveAclRoleFromAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.RevokePermissionFromAclGroupCmd;
import org.apache.cloudstack.api.command.admin.acl.RevokePermissionFromAclRoleCmd;
import org.apache.cloudstack.api.command.admin.acl.RemoveAclPermissionFromAclPolicyCmd;
import org.apache.cloudstack.api.command.admin.acl.RemoveAclPolicyFromAclGroupCmd;
import org.apache.cloudstack.api.command.admin.autoscale.CreateCounterCmd;
import org.apache.cloudstack.api.command.admin.autoscale.DeleteCounterCmd;
import org.apache.cloudstack.api.command.admin.cluster.AddClusterCmd;
@ -2882,20 +2880,18 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
cmdList.add(ReplaceNetworkACLListCmd.class);
cmdList.add(UpdateNetworkACLItemCmd.class);
cmdList.add(CleanVMReservationsCmd.class);
cmdList.add(CreateAclRoleCmd.class);
cmdList.add(DeleteAclRoleCmd.class);
cmdList.add(ListAclRolesCmd.class);
cmdList.add(GrantPermissionToAclRoleCmd.class);
cmdList.add(RevokePermissionFromAclRoleCmd.class);
cmdList.add(AddAclRoleToAclGroupCmd.class);
cmdList.add(RemoveAclRoleFromAclGroupCmd.class);
cmdList.add(CreateAclPolicyCmd.class);
cmdList.add(DeleteAclPolicyCmd.class);
cmdList.add(ListAclPoliciesCmd.class);
cmdList.add(AddAclPermissionToAclPolicyCmd.class);
cmdList.add(RemoveAclPermissionFromAclPolicyCmd.class);
cmdList.add(AttachAclPolicyToAclGroupCmd.class);
cmdList.add(RemoveAclPolicyFromAclGroupCmd.class);
cmdList.add(CreateAclGroupCmd.class);
cmdList.add(DeleteAclGroupCmd.class);
cmdList.add(ListAclGroupsCmd.class);
cmdList.add(AddAccountToAclGroupCmd.class);
cmdList.add(RemoveAccountFromAclGroupCmd.class);
cmdList.add(GrantPermissionToAclGroupCmd.class);
cmdList.add(RevokePermissionFromAclGroupCmd.class);
return cmdList;
}

28
server/src/com/cloud/user/AccountManagerImpl.java
View File

@ -42,7 +42,7 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.AclGroupAccountMapVO;
import org.apache.cloudstack.acl.AclRolePermission;
import org.apache.cloudstack.acl.AclPolicyPermission;
import org.apache.cloudstack.acl.AclService;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.PermissionScope;
@ -50,7 +50,7 @@ import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclRolePermissionDao;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
@ -264,7 +264,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
private AclService _aclService;
@Inject
private AclRolePermissionDao _aclRolePermissionDao;
private AclPolicyPermissionDao _aclPolicyPermissionDao;
@Inject
public com.cloud.region.ha.GlobalLoadBalancingRulesService _gslbService;
@ -2391,17 +2391,19 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
} else {
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
// get caller role permission on VM List
AclRolePermission rolePerm = _aclService.getAclRolePermission(caller.getId(), AclEntityType.VM.toString(), AccessType.ListEntry);
if (rolePerm == null) {
//TODO: this method needs to pass the entity type instead of current hard-code to VM for now. Also, api action name
// should be passed in caller context.
AclPolicyPermission policyPerm = _aclService.getAclPolicyPermission(caller.getId(), AclEntityType.VM.toString(), "listVirtualMachine");
if (policyPerm == null) {
// no list entry permission
throw new PermissionDeniedException("Caller has no role permission assigned to list VM");
throw new PermissionDeniedException("Caller has no policy permission assigned to list VM");
}
if (permittedAccounts.isEmpty()) {
// no account name is specified
if (rolePerm.getScope() == PermissionScope.ACCOUNT || !listAll) {
if (policyPerm.getScope() == PermissionScope.ACCOUNT || !listAll) {
// only resource owner can see it, only match account
permittedAccounts.add(caller.getId());
} else if (rolePerm.getScope() == PermissionScope.DOMAIN) {
} else if (policyPerm.getScope() == PermissionScope.DOMAIN) {
// match domain tree based on cmd.isRecursive flag or not
domainIdRecursiveListProject.first(caller.getDomainId());
}
@ -2649,20 +2651,20 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (isRecursive) {
for (int i = 0; i < permittedDomains.size(); i++) {
Domain domain = _domainDao.findById(permittedDomains.get(i));
aclSc.addOr("domainPath" + i, SearchCriteria.Op.LIKE, domain.getPath() + "%");
aclSc.addOr("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
}
} else {
aclSc.addOr("domainIdIN", SearchCriteria.Op.IN, permittedDomains.toArray());
aclSc.addOr("domainId", SearchCriteria.Op.IN, permittedDomains.toArray());
}
}
if (!permittedAccounts.isEmpty()) {
aclSc.addOr("accountIdIN", SearchCriteria.Op.IN, permittedAccounts.toArray());
aclSc.addOr("accountId", SearchCriteria.Op.IN, permittedAccounts.toArray());
}
if (!permittedResources.isEmpty()) {
aclSc.addOr("idIn", SearchCriteria.Op.IN, permittedResources.toArray());
aclSc.addOr("id", SearchCriteria.Op.IN, permittedResources.toArray());
}
sc.addAnd("accountIdIn", SearchCriteria.Op.SC, aclSc);
sc.addAnd("accountId", SearchCriteria.Op.SC, aclSc);
}
}

731
server/src/org/apache/cloudstack/acl/AclServiceImpl.java
View File

@ -18,15 +18,14 @@ package org.apache.cloudstack.acl;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclApiPermissionDao;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
@ -34,9 +33,10 @@ import org.apache.cloudstack.acl.dao.AclGroupDao;
import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao;
import org.apache.cloudstack.acl.dao.AclPolicyDao;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.context.CallContext;
import com.cloud.api.ApiServerService;
import com.cloud.domain.Domain;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
@ -49,7 +49,6 @@ import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.dao.AccountDao;
import com.cloud.uservm.UserVm;
import com.cloud.utils.Pair;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
@ -77,7 +76,7 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
AccountDao _accountDao;
@Inject
AclPolicyDao _aclRoleDao;
AclPolicyDao _aclPolicyDao;
@Inject
AclGroupDao _aclGroupDao;
@ -97,6 +96,9 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
@Inject
AclPolicyPermissionDao _policyPermissionDao;
@Inject
ApiServerService _apiServer;
public static HashMap<String, Class> entityClassMap = new HashMap<String, Class>();
@ -110,306 +112,88 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_CREATE, eventDescription = "Creating Acl Role", create = true)
public AclRole createAclRole(Long domainId, final String aclRoleName, final String description, final Long parentRoleId) {
Account caller = CallContext.current().getCallingAccount();
if (domainId == null) {
domainId = caller.getDomainId();
}
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true)
public AclGroup createAclGroup(Account caller, String aclGroupName, String description) {
Long domainId = caller.getDomainId();
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
// domain admin can only create role for his domain
if (caller.getDomainId() != domainId.longValue()) {
throw new PermissionDeniedException("Can't create acl role in domain " + domainId + ", permission denied");
throw new PermissionDeniedException("Can't create acl group in domain " + domainId + ", permission denied");
}
}
// check if the role is already existing
AclRole ro = _aclRoleDao.findByName(domainId, aclRoleName);
if (ro != null) {
AclGroup grp = _aclGroupDao.findByName(domainId, aclGroupName);
if (grp != null) {
throw new InvalidParameterValueException(
"Unable to create acl role with name " + aclRoleName
"Unable to create acl group with name " + aclGroupName
+ " already exisits for domain " + domainId);
}
AclGroupVO rvo = new AclGroupVO(aclGroupName, description);
rvo.setAccountId(caller.getAccountId());
rvo.setDomainId(domainId);
final long domain_id = domainId;
AclRole role = Transaction.execute(new TransactionCallback<AclRole>() {
@Override
public AclRole doInTransaction(TransactionStatus status) {
AclRoleVO rvo = new AclRoleVO(aclRoleName, description);
rvo.setDomainId(domain_id);
AclRole role = _aclRoleDao.persist(rvo);
if (parentRoleId != null) {
// copy parent role permissions
List<AclRolePermissionVO> perms = _policyPermissionDao.listByRole(parentRoleId);
if (perms != null) {
for (AclRolePermissionVO perm : perms) {
perm.setAclRoleId(role.getId());
_policyPermissionDao.persist(perm);
}
}
}
return role;
}
});
return role;
return _aclGroupDao.persist(rvo);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_DELETE, eventDescription = "Deleting Acl Role")
public boolean deleteAclRole(final long aclRoleId) {
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group")
public boolean deleteAclGroup(final Long aclGroupId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
final AclRole role = _aclRoleDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to delete acl role.");
final AclGroup grp = _aclGroupDao.findById(aclGroupId);
if (grp == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId
+ "; failed to delete acl group.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
_accountMgr.checkAccess(caller, null, true, grp);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this role related entry in acl_group_role_map
List<AclGroupRoleMapVO> groupRoleMap = _aclGroupPolicyMapDao.listByRoleId(role.getId());
if (groupRoleMap != null) {
for (AclGroupRoleMapVO gr : groupRoleMap) {
// remove this group related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this role related entry in acl_api_permission table
List<AclApiPermissionVO> roleApiMap = _apiPermissionDao.listByRoleId(role.getId());
if (roleApiMap != null) {
for (AclApiPermissionVO roleApi : roleApiMap) {
_apiPermissionDao.remove(roleApi.getId());
// remove this group related entry in acl_group_account table
List<AclGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
if (groupAcctMap != null) {
for (AclGroupAccountMapVO grpAcct : groupAcctMap) {
_aclGroupAccountMapDao.remove(grpAcct.getId());
}
}
// remove this role from acl_role table
_aclRoleDao.remove(aclRoleId);
// remove this group from acl_group table
_aclGroupDao.remove(aclGroupId);
}
});
return true;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_GRANT, eventDescription = "Granting permission to Acl Role")
public AclRole grantApiPermissionToAclRole(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclRoleDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to grant permission to role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
public List<AclGroup> listAclGroups(long accountId) {
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm == null) {
// not there already
perm = new AclApiPermissionVO(aclRoleId, api);
_apiPermissionDao.persist(perm);
}
}
}
});
return role;
GenericSearchBuilder<AclGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
groupSB.selectFields(groupSB.entity().getAclGroupId());
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
SearchCriteria<Long> groupSc = groupSB.create();
}
List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_REVOKE, eventDescription = "Revoking permission from Acl Role")
public AclRole revokeApiPermissionFromAclRole(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclRoleDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to revoke permission from role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
SearchBuilder<AclGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclGroupVO> sc = sb.create();
sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
List<AclGroupVO> groups = _aclGroupDao.search(sc, null);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm != null) {
// not removed yet
_apiPermissionDao.remove(perm.getId());
}
}
}
});
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_GRANT, eventDescription = "Granting entity permission to Acl Group")
public AclGroup grantEntityPermissionToAclGroup(long aclGroupId, String entityType, long entityId, AccessType accessType) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(aclGroupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId
+ "; failed to grant permission to group.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, group);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission granting is not supported yet");
}
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, entityId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + entityId);
}
_accountMgr.checkAccess(caller,null, true, entity);
// add entry in acl_entity_permission table
AclEntityPermissionVO perm = _entityPermissionDao.findByGroupAndEntity(aclGroupId, entityType, entityId, accessType);
if (perm == null) {
// not there already
String entityUuid = String.valueOf(entityId);
if (entity instanceof Identity) {
entityUuid = ((Identity)entity).getUuid();
}
perm = new AclEntityPermissionVO(aclGroupId, entityType, entityId, entityUuid, accessType, true);
_entityPermissionDao.persist(perm);
}
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_REVOKE, eventDescription = "Revoking entity permission from Acl Group")
public AclGroup revokeEntityPermissionFromAclGroup(long aclGroupId, String entityType, long entityId, AccessType accessType) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(aclGroupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId
+ "; failed to revoke permission from group.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, group);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission revoke is not supported yet");
}
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, entityId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + entityId);
}
_accountMgr.checkAccess(caller, null, true, entity);
// remove entry from acl_entity_permission table
AclEntityPermissionVO perm = _entityPermissionDao.findByGroupAndEntity(aclGroupId, entityType, entityId, accessType);
if (perm != null) {
// not removed yet
_entityPermissionDao.remove(perm.getId());
}
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding roles to acl group")
public AclGroup addAclRolesToGroup(final List<Long> roleIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add roles to acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_role_map table
for (Long roleId : roleIds) {
// check role permissions
AclRole role = _aclRoleDao.findById(roleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + roleId
+ "; failed to add roles to acl group.");
}
_accountMgr.checkAccess(caller, null, true, role);
AclGroupRoleMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndRole(groupId, roleId);
if (grMap == null) {
// not there already
grMap = new AclGroupRoleMapVO(groupId, roleId);
_aclGroupPolicyMapDao.persist(grMap);
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing roles from acl group")
public AclGroup removeAclRolesFromGroup(final List<Long> roleIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove roles from acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_role_map table
for (Long roleId : roleIds) {
// check role permissions
AclRole role = _aclRoleDao.findById(roleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + roleId
+ "; failed to add roles to acl group.");
}
_accountMgr.checkAccess(caller, null, true, role);
AclGroupRoleMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndRole(groupId, roleId);
if (grMap != null) {
// not removed yet
_aclGroupPolicyMapDao.remove(grMap.getId());
}
}
}
});
return group;
return new ArrayList<AclGroup>(groups);
}
@DB
@ -491,104 +275,350 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true)
public AclGroup createAclGroup(Long domainId, String aclGroupName, String description) {
Account caller = CallContext.current().getCallingAccount();
if (domainId == null) {
domainId = caller.getDomainId(); // use caller's domain id
}
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_CREATE, eventDescription = "Creating Acl Policy", create = true)
public AclPolicy createAclPolicy(Account caller, final String aclPolicyName, final String description, final Long parentPolicyId) {
Long domainId = caller.getDomainId();
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
// domain admin can only create role for his domain
if (caller.getDomainId() != domainId.longValue()) {
throw new PermissionDeniedException("Can't create acl group in domain " + domainId + ", permission denied");
throw new PermissionDeniedException("Can't create acl role in domain " + domainId + ", permission denied");
}
}
// check if the role is already existing
AclGroup grp = _aclGroupDao.findByName(domainId, aclGroupName);
if (grp != null) {
AclPolicy ro = _aclPolicyDao.findByName(domainId, aclPolicyName);
if (ro != null) {
throw new InvalidParameterValueException(
"Unable to create acl group with name " + aclGroupName
"Unable to create acl policy with name " + aclPolicyName
+ " already exisits for domain " + domainId);
}
AclGroupVO rvo = new AclGroupVO(aclGroupName, description);
rvo.setDomainId(domainId);
return _aclGroupDao.persist(rvo);
final long account_id = caller.getAccountId();
final long domain_id = domainId;
AclPolicy role = Transaction.execute(new TransactionCallback<AclPolicy>() {
@Override
public AclPolicy doInTransaction(TransactionStatus status) {
AclPolicyVO rvo = new AclPolicyVO(aclPolicyName, description);
rvo.setAccountId(account_id);
rvo.setDomainId(domain_id);
AclPolicy role = _aclPolicyDao.persist(rvo);
if (parentPolicyId != null) {
// copy parent role permissions
List<AclPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
if (perms != null) {
for (AclPolicyPermissionVO perm : perms) {
perm.setAclPolicyId(role.getId());
_policyPermissionDao.persist(perm);
}
}
}
return role;
}
});
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group")
public boolean deleteAclGroup(final Long aclGroupId) {
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_DELETE, eventDescription = "Deleting Acl Policy")
public boolean deleteAclPolicy(final long aclPolicyId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
final AclGroup grp = _aclGroupDao.findById(aclGroupId);
if (grp == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId
+ "; failed to delete acl group.");
// get the Acl Policy entity
final AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to delete acl policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, grp);
_accountMgr.checkAccess(caller, null, true, policy);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this group related entry in acl_group_role_map
List<AclGroupRoleMapVO> groupRoleMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
if (groupRoleMap != null) {
for (AclGroupRoleMapVO gr : groupRoleMap) {
// remove this role related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this group related entry in acl_group_account table
List<AclGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
if (groupAcctMap != null) {
for (AclGroupAccountMapVO grpAcct : groupAcctMap) {
_aclGroupAccountMapDao.remove(grpAcct.getId());
// remove this policy related entry in acl_policy_permission table
List<AclPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
if (policyPermMap != null) {
for (AclPolicyPermissionVO policyPerm : policyPermMap) {
_policyPermissionDao.remove(policyPerm.getId());
}
}
// remove this group from acl_group table
_aclGroupDao.remove(aclGroupId);
// remove this role from acl_role table
_aclPolicyDao.remove(aclPolicyId);
}
});
return true;
}
@Override
public List<AclRole> getAclRoles(long accountId) {
public List<AclPolicy> listAclPolicies(long accountId) {
// static roles of the account
SearchBuilder<AclGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
GenericSearchBuilder<AclGroupRoleMapVO, Long> roleSB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
roleSB.selectFields(roleSB.entity().getAclRoleId());
roleSB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), roleSB.entity().getAclGroupId(),
GenericSearchBuilder<AclGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
policySB.selectFields(policySB.entity().getAclPolicyId());
policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
JoinType.INNER);
roleSB.done();
SearchCriteria<Long> roleSc = roleSB.create();
roleSc.setJoinParameters("accountgroupjoin", "account", accountId);
policySB.done();
SearchCriteria<Long> policySc = policySB.create();
policySc.setJoinParameters("accountgroupjoin", "account", accountId);
List<Long> roleIds = _aclGroupPolicyMapDao.customSearch(roleSc, null);
List<Long> roleIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
SearchBuilder<AclRoleVO> sb = _aclRoleDao.createSearchBuilder();
SearchBuilder<AclPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclRoleVO> sc = sb.create();
SearchCriteria<AclPolicyVO> sc = sb.create();
sc.setParameters("ids", roleIds.toArray(new Object[roleIds.size()]));
List<AclRoleVO> roles = _aclRoleDao.customSearch(sc, null);
List<AclPolicyVO> policies = _aclPolicyDao.customSearch(sc, null);
return new ArrayList<AclRole>(roles);
return new ArrayList<AclPolicy>(policies);
}
@DB
@Override
public AclRolePermission getAclRolePermission(long accountId, String entityType, AccessType accessType) {
List<AclRole> roles = getAclRoles(accountId);
AclRolePermission curPerm = null;
for (AclRole role : roles) {
AclRolePermission perm = _policyPermissionDao.findByRoleEntityAndPermission(role.getId(), entityType, accessType, true);
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Attaching policy to acl group")
public AclGroup attachAclPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add roles to acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long policyId : policyIds) {
// check policy permissions
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
_accountMgr.checkAccess(caller, null, true, policy);
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap == null) {
// not there already
grMap = new AclGroupPolicyMapVO(groupId, policyId);
_aclGroupPolicyMapDao.persist(grMap);
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing policies from acl group")
public AclGroup removeAclPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove roles from acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_role_map table
for (Long policyId : policyIds) {
// check policy permissions
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
_accountMgr.checkAccess(caller, null, true, policy);
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap != null) {
// not removed yet
_aclGroupPolicyMapDao.remove(grMap.getId());
}
}
}
});
return group;
}
/*
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting permission to Acl Role")
public AclP addAclPermissionToAclPolicy(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclPolicyDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to grant permission to role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm == null) {
// not there already
perm = new AclApiPermissionVO(aclRoleId, api);
_apiPermissionDao.persist(perm);
}
}
}
});
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking permission from Acl Role")
public AclRole revokeApiPermissionFromAclRole(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclPolicyDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to revoke permission from role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm != null) {
// not removed yet
_apiPermissionDao.remove(perm.getId());
}
}
}
});
return role;
}
*/
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting acl permission to Acl Policy")
public AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to add permission to policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission granting is not supported yet");
}
if (scope == PermissionScope.RESOURCE && scopeId != null) {
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId);
}
_accountMgr.checkAccess(caller, null, true, entity);
}
// add entry in acl_policy_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, perm);
if (permit == null) {
// not there already
Class<?> cmdClass = _apiServer.getCmdClass(action);
AccessType accessType = null;
if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
accessType = AccessType.ListEntry;
}
permit = new AclPolicyPermissionVO(aclPolicyId, action, entityType, accessType,
scope, scopeId, perm);
_policyPermissionDao.persist(permit);
}
return policy;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking acl permission from Acl Policy")
public AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to revoke permission from policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission revoke is not supported yet");
}
if (scope == PermissionScope.RESOURCE && scopeId != null) {
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId);
}
_accountMgr.checkAccess(caller, null, true, entity);
}
// remove entry from acl_entity_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, null);
if (permit != null) {
// not removed yet
_policyPermissionDao.remove(permit.getId());
}
return policy;
}
@Override
public AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action) {
List<AclPolicy> roles = listAclPolicies(accountId);
AclPolicyPermission curPerm = null;
for (AclPolicy role : roles) {
AclPolicyPermissionVO perm = _policyPermissionDao.findByPolicyAndEntity(role.getId(), entityType, null, null, action, Permission.Allow);
if (perm == null)
continue;
if (curPerm == null) {
@ -602,66 +632,27 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
return curPerm;
}
@Override
public List<AclGroup> getAclGroups(long accountId) {
GenericSearchBuilder<AclGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
groupSB.selectFields(groupSB.entity().getAclGroupId());
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
SearchCriteria<Long> groupSc = groupSB.create();
List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
SearchBuilder<AclGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclGroupVO> sc = sb.create();
sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
List<AclGroupVO> groups = _aclGroupDao.search(sc, null);
return new ArrayList<AclGroup>(groups);
}
@Override
public Pair<List<Long>, List<Long>> getAclEntityPermission(long accountId, String entityType, AccessType accessType) {
List<AclGroup> groups = getAclGroups(accountId);
if (groups == null || groups.size() == 0) {
return new Pair<List<Long>, List<Long>>(new ArrayList<Long>(), new ArrayList<Long>());
}
Set<Long> allowedIds = new HashSet<Long>();
Set<Long> deniedIds = new HashSet<Long>();
for (AclGroup grp : groups) {
// get allowed id and denied list for each group
List<Long> allowedIdList = _entityPermissionDao.findEntityIdByGroupAndPermission(grp.getId(), entityType, accessType, true);
if (allowedIdList != null) {
allowedIds.addAll(allowedIdList);
}
List<Long> deniedIdList = _entityPermissionDao.findEntityIdByGroupAndPermission(grp.getId(), entityType, accessType, false);
if (deniedIdList != null) {
deniedIds.addAll(deniedIdList);
}
}
return new Pair<List<Long>, List<Long>>(new ArrayList<Long>(allowedIds), new ArrayList<Long>(deniedIds))
;
}
@Override
public boolean isAPIAccessibleForRoles(String apiName, List<AclRole> roles) {
public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
boolean accessible = false;
List<Long> roleIds = new ArrayList<Long>();
for (AclRole role : roles) {
roleIds.add(role.getId());
List<Long> policyIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
policyIds.add(policy.getId());
}
SearchBuilder<AclApiPermissionVO> sb = _apiPermissionDao.createSearchBuilder();
sb.and("apiName", sb.entity().getApiName(), Op.EQ);
sb.and("roleId", sb.entity().getAclRoleId(), Op.IN);
SearchBuilder<AclPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("action", sb.entity().getAction(), Op.EQ);
sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
sb.and("entityType", sb.entity().getEntityType(), Op.NULL);
SearchCriteria<AclApiPermissionVO> sc = sb.create();
sc.setParameters("roleId", roleIds.toArray(new Object[roleIds.size()]));
SearchCriteria<AclPolicyPermissionVO> sc = sb.create();
sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
List<AclApiPermissionVO> permissions = _apiPermissionDao.customSearch(sc, null);
List<AclPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
if (permissions != null && !permissions.isEmpty()) {
accessible = true;
@ -671,19 +662,19 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
}
@Override
public List<AclRole> getEffectiveRoles(Account caller, ControlledEntity entity) {
public List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity) {
// Get the static Roles of the Caller
List<AclRole> roles = getAclRoles(caller.getId());
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(caller.getId());
// add any dynamic roles w.r.t the entity
if (caller.getId() == entity.getAccountId()) {
// The caller owns the entity
AclRole owner = _aclRoleDao.findByName(Domain.ROOT_DOMAIN, "RESOURCE_OWNER");
roles.add(owner);
AclPolicy owner = _aclPolicyDao.findByName(Domain.ROOT_DOMAIN, "RESOURCE_OWNER");
policies.add(owner);
}
return roles;
return policies;
}
@Override