diff --git a/api/src/com/cloud/event/EventTypes.java b/api/src/com/cloud/event/EventTypes.java index 0406c3e852d..0ccea7459ff 100755 --- a/api/src/com/cloud/event/EventTypes.java +++ b/api/src/com/cloud/event/EventTypes.java @@ -449,10 +449,10 @@ public class EventTypes { public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE"; - public static final String EVENT_ACL_ROLE_CREATE = "ACLROLE.CREATE"; - public static final String EVENT_ACL_ROLE_DELETE = "ACLROLE.DELETE"; - public static final String EVENT_ACL_ROLE_GRANT = "ACLROLE.GRANT"; - public static final String EVENT_ACL_ROLE_REVOKE = "ACLROLE.REVOKE"; + public static final String EVENT_ACL_POLICY_CREATE = "ACLPOLICY.CREATE"; + public static final String EVENT_ACL_POLICY_DELETE = "ACLPOLICY.DELETE"; + public static final String EVENT_ACL_POLICY_GRANT = "ACLPOLICY.GRANT"; + public static final String EVENT_ACL_POLICY_REVOKE = "ACLPOLICY.REVOKE"; public static final String EVENT_ACL_GROUP_UPDATE = "ACLGROUP.UPDATE"; public static final String EVENT_ACL_GROUP_CREATE = "ACLGROUP.CREATE"; diff --git a/api/src/org/apache/cloudstack/acl/AclService.java b/api/src/org/apache/cloudstack/acl/AclService.java index dbdcf0bdce5..0c0ec69fdab 100644 --- a/api/src/org/apache/cloudstack/acl/AclService.java +++ b/api/src/org/apache/cloudstack/acl/AclService.java @@ -18,77 +18,45 @@ package org.apache.cloudstack.acl; import java.util.List; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.acl.AclPolicyPermission.Permission; import com.cloud.user.Account; -import com.cloud.utils.Pair; public interface AclService { - /** - * Creates an acl role for the given domain. - * - * @param domainId - * @param name - * @param description - * @return AclRole - */ + /* ACL group related interfaces */ + AclGroup createAclGroup(Account caller, String aclGroupName, String description); - AclRole createAclRole(Long domainId, String aclRoleName, String description, Long parentRoleId); + boolean deleteAclGroup(Long aclGroupId); - /** - * Delete an acl role. - * - * @param aclRoleId - */ - boolean deleteAclRole(long aclRoleId); - - AclRole grantApiPermissionToAclRole(long aclRoleId, List apiNames); - - AclRole revokeApiPermissionFromAclRole(long aclRoleId, List apiNames); - - AclGroup addAclRolesToGroup(List roleIds, Long groupId); - - AclGroup removeAclRolesFromGroup(List roleIds, Long groupId); + List listAclGroups(long accountId); AclGroup addAccountsToGroup(List acctIds, Long groupId); AclGroup removeAccountsFromGroup(List acctIds, Long groupId); - AclGroup grantEntityPermissionToAclGroup(long aclGroupId, String entityType, long entityId, AccessType accessType); + /* ACL Policy related interfaces */ + AclPolicy createAclPolicy(Account caller, String aclPolicyName, String description, Long parentPolicyId); - AclGroup revokeEntityPermissionFromAclGroup(long aclGroupId, String entityType, long entityId, AccessType accessType); + boolean deleteAclPolicy(long aclPolicyId); - /** - * Creates an acl group for the given domain. - * - * @param domainId - * @param name - * @param description - * @return AclGroup - */ + List listAclPolicies(long accountId); - AclGroup createAclGroup(Long domainId, String aclGroupName, String description); + AclGroup attachAclPoliciesToGroup(List roleIds, Long groupId); - /** - * Delete an acl group. - * - * @param aclGroupId - */ - boolean deleteAclGroup(Long aclGroupId); + AclGroup removeAclPoliciesFromGroup(List roleIds, Long groupId); - List getAclRoles(long accountId); + AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm); - List getAclGroups(long accountId); + AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action); - AclRolePermission getAclRolePermission(long accountId, String entityType, AccessType accessType); + AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action); - Pair, List> getAclEntityPermission(long accountId, String entityType, AccessType accessType); + boolean isAPIAccessibleForPolicies(String apiName, List policies); - boolean isAPIAccessibleForRoles(String apiName, List roles); - - List getEffectiveRoles(Account caller, ControlledEntity entity); + List getEffectivePolicies(Account caller, ControlledEntity entity); + /* Visibility related interfaces */ List getGrantedDomains(long accountId, AclEntityType entityType, String action); List getGrantedAccounts(long accountId, AclEntityType entityType, String action); diff --git a/api/src/org/apache/cloudstack/api/ApiCommandJobType.java b/api/src/org/apache/cloudstack/api/ApiCommandJobType.java index 6f9ac2dbf33..0e79e660cad 100644 --- a/api/src/org/apache/cloudstack/api/ApiCommandJobType.java +++ b/api/src/org/apache/cloudstack/api/ApiCommandJobType.java @@ -50,6 +50,6 @@ public enum ApiCommandJobType { AffinityGroup, InternalLbVm, DedicatedGuestVlanRange, - AclRole, + AclPolicy, AclGroup } \ No newline at end of file diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java index 0d1878d3aa7..50a2bfd65ac 100755 --- a/api/src/org/apache/cloudstack/api/ApiConstants.java +++ b/api/src/org/apache/cloudstack/api/ApiConstants.java @@ -524,10 +524,9 @@ public class ApiConstants { public static final String SERVICE_STATE = "servicestate"; public static final String ACL_ACCOUNT_IDS = "accountids"; public static final String ACL_MEMBER_ACCOUNTS = "memberaccounts"; - public static final String ACL_PARENT_ROLE_ID = "parentroleid"; - public static final String ACL_PARENT_ROLE_NAME = "parentrolename"; - public static final String ACL_ROLES = "roles"; - public static final String ACL_ROLE_IDS = "roleids"; + public static final String ACL_PARENT_POLICY_ID = "parentpolicyid"; + public static final String ACL_PARENT_POLICY_NAME = "parentpolicyname"; + public static final String ACL_POLICY_IDS = "policyids"; public static final String ACL_POLICIES = "policies"; public static final String ACL_APIS = "apis"; public static final String ACL_GROUPS = "groups"; diff --git a/api/src/org/apache/cloudstack/api/ResponseGenerator.java b/api/src/org/apache/cloudstack/api/ResponseGenerator.java index f70f6caaf22..4b222d2f0a3 100644 --- a/api/src/org/apache/cloudstack/api/ResponseGenerator.java +++ b/api/src/org/apache/cloudstack/api/ResponseGenerator.java @@ -23,7 +23,7 @@ import java.util.List; import java.util.Map; import org.apache.cloudstack.acl.AclGroup; -import org.apache.cloudstack.acl.AclRole; +import org.apache.cloudstack.acl.AclPolicy; import org.apache.cloudstack.affinity.AffinityGroup; import org.apache.cloudstack.affinity.AffinityGroupResponse; import org.apache.cloudstack.api.ApiConstants.HostDetails; @@ -32,7 +32,7 @@ import org.apache.cloudstack.api.ResponseObject.ResponseView; import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd; import org.apache.cloudstack.api.response.AccountResponse; import org.apache.cloudstack.api.response.AclGroupResponse; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.api.response.ApplicationLoadBalancerResponse; import org.apache.cloudstack.api.response.AsyncJobResponse; import org.apache.cloudstack.api.response.AutoScalePolicyResponse; @@ -455,7 +455,7 @@ public interface ResponseGenerator { IsolationMethodResponse createIsolationMethodResponse(IsolationType method); - AclRoleResponse createAclRoleResponse(AclRole role); + AclPolicyResponse createAclPolicyResponse(AclPolicy policy); AclGroupResponse createAclGroupResponse(AclGroup group); diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclGroupCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/AddAclPermissionToAclPolicyCmd.java similarity index 59% rename from api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclGroupCmd.java rename to api/src/org/apache/cloudstack/api/command/admin/acl/AddAclPermissionToAclPolicyCmd.java index b9a75d732eb..6a634bef349 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/AddAclPermissionToAclPolicyCmd.java @@ -16,11 +16,11 @@ // under the License. package org.apache.cloudstack.api.command.admin.acl; - import org.apache.log4j.Logger; -import org.apache.cloudstack.acl.AclGroup; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.acl.AclPolicy; +import org.apache.cloudstack.acl.AclPolicyPermission.Permission; +import org.apache.cloudstack.acl.PermissionScope; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; @@ -29,7 +29,7 @@ import org.apache.cloudstack.api.ApiErrorCode; import org.apache.cloudstack.api.BaseAsyncCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AclGroupResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.context.CallContext; import com.cloud.event.EventTypes; @@ -38,10 +38,10 @@ import com.cloud.exception.ResourceUnavailableException; import com.cloud.user.Account; -@APICommand(name = "revokePermissionFromAclGroup", description = "revoke entity permission from an acl group", responseObject = AclGroupResponse.class) -public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(RevokePermissionFromAclGroupCmd.class.getName()); - private static final String s_name = "revokepermissiontoaclgroupresponse"; +@APICommand(name = "addAclPermissionToAclPolicy", description = "Add Acl permission to an acl policy", responseObject = AclPolicyResponse.class) +public class AddAclPermissionToAclPolicyCmd extends BaseAsyncCmd { + public static final Logger s_logger = Logger.getLogger(AddAclPermissionToAclPolicyCmd.class.getName()); + private static final String s_name = "addaclpermissiontoaclpolicyresponse"; ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// @@ -49,18 +49,23 @@ public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd { @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class, - required = true, description = "The ID of the acl group") + @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclPolicyResponse.class, + required = true, description = "The ID of the acl policy") private Long id; - @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = true, description = "entity class simple name.") + @Parameter(name = ApiConstants.ACL_ACTION, type = CommandType.STRING, required = true, description = "action api name.") + private String action; + + @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.") private String entityType; - @Parameter(name = ApiConstants.ENTITY_ID, type = CommandType.UUID, required = true, description = "The ID of the entity") - private Long entityId; + @Parameter(name = ApiConstants.ACL_SCOPE, type = CommandType.STRING, + required = false, description = "acl permission scope") + private String scope; + + @Parameter(name = ApiConstants.ACL_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id") + private Long scopeId; - @Parameter(name = ApiConstants.ACCESS_TYPE, type = CommandType.STRING, required = true, description = "access type for the entity") - private String accessType; ///////////////////////////////////////////////////// /////////////////// Accessors /////////////////////// @@ -71,16 +76,21 @@ public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd { return id; } + + public String getAction() { + return action; + } + public String getEntityType() { return entityType; } - public Long getEntityId() { - return entityId; + public String getScope() { + return scope; } - public AccessType getAccessType() { - return AccessType.valueOf(accessType); + public Long getScopeId() { + return scopeId; } @@ -88,6 +98,8 @@ public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd { /////////////// API Implementation/////////////////// ///////////////////////////////////////////////////// + + @Override public String getCommandName() { return s_name; @@ -102,30 +114,31 @@ public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd { @Override public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("Acl group Id: " + getId()); - AclGroup result = _aclService.revokeEntityPermissionFromAclGroup(id, entityType, entityId, getAccessType()); - if (result != null){ - AclGroupResponse response = _responseGenerator.createAclGroupResponse(result); + CallContext.current().setEventDetails("Acl policy Id: " + getId()); + // Only explicit ALLOW is supported for this release, no explicit deny + AclPolicy result = _aclService.addAclPermissionToAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action, Permission.Allow); + if (result != null) { + AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(result); response.setResponseName(getCommandName()); setResponseObject(response); } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl group"); + throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl policy " + getId()); } } @Override public String getEventType() { - return EventTypes.EVENT_ACL_GROUP_GRANT; + return EventTypes.EVENT_ACL_POLICY_GRANT; } @Override public String getEventDescription() { - return "granting permission to acl group"; + return "granting permission to acl policy"; } @Override public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.AclGroup; + return ApiCommandJobType.AclPolicy; } } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/AddAclRoleToAclGroupCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/AttachAclPolicyToAclGroupCmd.java similarity index 80% rename from api/src/org/apache/cloudstack/api/command/admin/acl/AddAclRoleToAclGroupCmd.java rename to api/src/org/apache/cloudstack/api/command/admin/acl/AttachAclPolicyToAclGroupCmd.java index 4a6fccaab5d..33cb59f24e8 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/AddAclRoleToAclGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/AttachAclPolicyToAclGroupCmd.java @@ -30,7 +30,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; import org.apache.cloudstack.api.response.AclGroupResponse; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.context.CallContext; import com.cloud.event.EventTypes; @@ -39,10 +39,10 @@ import com.cloud.exception.ResourceUnavailableException; import com.cloud.user.Account; -@APICommand(name = "addAclRoleToAclGroup", description = "add acl role to an acl group", responseObject = AclGroupResponse.class) -public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(AddAclRoleToAclGroupCmd.class.getName()); - private static final String s_name = "addaclroletoaclgroupresponse"; +@APICommand(name = "attachAclPolicyToAclGroup", description = "attach acl policy to an acl group", responseObject = AclGroupResponse.class) +public class AttachAclPolicyToAclGroupCmd extends BaseAsyncCmd { + public static final Logger s_logger = Logger.getLogger(AttachAclPolicyToAclGroupCmd.class.getName()); + private static final String s_name = "attachaclpolicytoaclgroupresponse"; ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// @@ -55,8 +55,8 @@ public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd { private Long id; @ACL - @Parameter(name = ApiConstants.ACL_ROLES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclRoleResponse.class, description = "comma separated list of acl role id that are going to be applied to the acl group.") - private List roleIdList; + @Parameter(name = ApiConstants.ACL_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclPolicyResponse.class, description = "comma separated list of acl policy id that are going to be applied to the acl group.") + private List policyIdList; ///////////////////////////////////////////////////// @@ -69,8 +69,8 @@ public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd { } - public List getRoleIdList() { - return roleIdList; + public List getPolicyIdList() { + return policyIdList; } ///////////////////////////////////////////////////// @@ -93,7 +93,7 @@ public class AddAclRoleToAclGroupCmd extends BaseAsyncCmd { public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException { CallContext.current().setEventDetails("Acl group Id: " + getId()); - AclGroup result = _aclService.addAclRolesToGroup(roleIdList, id); + AclGroup result = _aclService.attachAclPoliciesToGroup(policyIdList, id); if (result != null){ AclGroupResponse response = _responseGenerator.createAclGroupResponse(result); response.setResponseName(getCommandName()); diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java index 2f100c3b1b6..d6d965fcc96 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java @@ -44,6 +44,9 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd { // ////////////// API parameters ///////////////////// // /////////////////////////////////////////////////// + @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the acl group. Must be used with domainId.") + private String accountName; + @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the acl group", entityType = DomainResponse.class) private Long domainId; @@ -58,6 +61,9 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd { // ///////////////// Accessors /////////////////////// // /////////////////////////////////////////////////// + public String getAccountName() { + return accountName; + } public String getDescription() { return description; @@ -76,6 +82,7 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd { // ///////////// API Implementation/////////////////// // /////////////////////////////////////////////////// + @Override public String getCommandName() { return s_name; @@ -84,19 +91,29 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); + if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((domainId != null) && (accountName != null)) { + Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); + if (userAccount != null) { + return userAccount.getId(); + } + } + } + if (account != null) { return account.getId(); } - return Account.ACCOUNT_ID_SYSTEM; - + return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this + // command to SYSTEM so ERROR events + // are tracked } @Override public void execute() { - AclGroup role = _entityMgr.findById(AclGroup.class, getEntityId()); - if (role != null) { - AclGroupResponse response = _responseGenerator.createAclGroupResponse(role); + AclGroup grp = _entityMgr.findById(AclGroup.class, getEntityId()); + if (grp != null) { + AclGroupResponse response = _responseGenerator.createAclGroupResponse(grp); response.setResponseName(getCommandName()); setResponseObject(response); } else { @@ -106,7 +123,8 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd { @Override public void create() throws ResourceAllocationException { - AclGroup result = _aclService.createAclGroup(domainId, name, description); + Account account = CallContext.current().getCallingAccount(); + AclGroup result = _aclService.createAclGroup(account, name, description); if (result != null) { setEntityId(result.getId()); setEntityUuid(result.getUuid()); diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclRoleCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclPolicyCmd.java similarity index 57% rename from api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclRoleCmd.java rename to api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclPolicyCmd.java index 5663ac52a49..b423dabec00 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclRoleCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclPolicyCmd.java @@ -18,7 +18,7 @@ package org.apache.cloudstack.api.command.admin.acl; import org.apache.log4j.Logger; -import org.apache.cloudstack.acl.AclRole; +import org.apache.cloudstack.acl.AclPolicy; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; @@ -27,41 +27,48 @@ import org.apache.cloudstack.api.ApiErrorCode; import org.apache.cloudstack.api.BaseAsyncCreateCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.api.response.DomainResponse; import org.apache.cloudstack.context.CallContext; import com.cloud.event.EventTypes; import com.cloud.exception.ResourceAllocationException; +import com.cloud.user.Account; -@APICommand(name = "createAclRole", responseObject = AclRoleResponse.class, description = "Creates an acl role") -public class CreateAclRoleCmd extends BaseAsyncCreateCmd { - public static final Logger s_logger = Logger.getLogger(CreateAclRoleCmd.class.getName()); +@APICommand(name = "createAclPolicy", responseObject = AclPolicyResponse.class, description = "Creates an acl policy") +public class CreateAclPolicyCmd extends BaseAsyncCreateCmd { + public static final Logger s_logger = Logger.getLogger(CreateAclPolicyCmd.class.getName()); - private static final String s_name = "createaclroleresponse"; + private static final String s_name = "createaclpolicyresponse"; // /////////////////////////////////////////////////// // ////////////// API parameters ///////////////////// // /////////////////////////////////////////////////// - @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the acl role", entityType = DomainResponse.class) + @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the acl policy. Must be used with domainId.") + private String accountName; + + @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the acl policy", entityType = DomainResponse.class) private Long domainId; - @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the acl role") + @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the acl policy") private String description; - @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the acl group") + @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the acl policy") private String name; @ACL - @Parameter(name = ApiConstants.ACL_PARENT_ROLE_ID, type = CommandType.UUID, description = "The ID of parent acl role.", entityType = AclRoleResponse.class) - private Long parentRoleId; + @Parameter(name = ApiConstants.ACL_PARENT_POLICY_ID, type = CommandType.UUID, description = "The ID of parent acl policy.", entityType = AclPolicyResponse.class) + private Long parentPolicyId; // /////////////////////////////////////////////////// // ///////////////// Accessors /////////////////////// // /////////////////////////////////////////////////// + public String getAccountName() { + return accountName; + } public String getDescription() { return description; @@ -75,8 +82,8 @@ public class CreateAclRoleCmd extends BaseAsyncCreateCmd { return name; } - public Long getParentRoleId() { - return parentRoleId; + public Long getParentPolicyId() { + return parentPolicyId; } // /////////////////////////////////////////////////// @@ -90,56 +97,73 @@ public class CreateAclRoleCmd extends BaseAsyncCreateCmd { @Override public long getEntityOwnerId() { - return CallContext.current().getCallingAccount().getId(); + Account account = CallContext.current().getCallingAccount(); + if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((domainId != null) && (accountName != null)) { + Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); + if (userAccount != null) { + return userAccount.getId(); + } + } + } + + if (account != null) { + return account.getId(); + } + + return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this + // command to SYSTEM so ERROR events + // are tracked } @Override public void execute() { - AclRole role = _entityMgr.findById(AclRole.class, getEntityId()); - if (role != null) { - AclRoleResponse response = _responseGenerator.createAclRoleResponse(role); + AclPolicy policy = _entityMgr.findById(AclPolicy.class, getEntityId()); + if (policy != null) { + AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(policy); response.setResponseName(getCommandName()); setResponseObject(response); } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl role:" + name); + throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl policy:" + name); } } @Override public void create() throws ResourceAllocationException { - AclRole result = _aclService.createAclRole(domainId, name, description, parentRoleId); + Account account = CallContext.current().getCallingAccount(); + AclPolicy result = _aclService.createAclPolicy(account, name, description, parentPolicyId); if (result != null) { setEntityId(result.getId()); setEntityUuid(result.getUuid()); } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl role entity" + name); + throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl policy entity" + name); } } @Override public String getEventType() { - return EventTypes.EVENT_ACL_ROLE_CREATE; + return EventTypes.EVENT_ACL_POLICY_CREATE; } @Override public String getEventDescription() { - return "creating Acl role"; + return "creating Acl policy"; } @Override public String getCreateEventType() { - return EventTypes.EVENT_ACL_ROLE_CREATE; + return EventTypes.EVENT_ACL_POLICY_CREATE; } @Override public String getCreateEventDescription() { - return "creating acl role"; + return "creating acl policy"; } @Override public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.AclRole; + return ApiCommandJobType.AclPolicy; } } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclRoleCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclPolicyCmd.java similarity index 83% rename from api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclRoleCmd.java rename to api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclPolicyCmd.java index 5a2afe13ddd..d7216fa46ed 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclRoleCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/DeleteAclPolicyCmd.java @@ -26,23 +26,23 @@ import org.apache.cloudstack.api.ApiErrorCode; import org.apache.cloudstack.api.BaseAsyncCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.api.response.SuccessResponse; import com.cloud.event.EventTypes; import com.cloud.user.Account; -@APICommand(name = "deleteAclRole", description = "Deletes acl role", responseObject = SuccessResponse.class) -public class DeleteAclRoleCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(DeleteAclRoleCmd.class.getName()); - private static final String s_name = "deleteaclroleresponse"; +@APICommand(name = "deleteAclPolicy", description = "Deletes acl policy", responseObject = SuccessResponse.class) +public class DeleteAclPolicyCmd extends BaseAsyncCmd { + public static final Logger s_logger = Logger.getLogger(DeleteAclPolicyCmd.class.getName()); + private static final String s_name = "deleteaclpolicyresponse"; ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl role.", required = true, entityType = AclRoleResponse.class) + @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl role.", required = true, entityType = AclPolicyResponse.class) private Long id; @@ -70,18 +70,18 @@ public class DeleteAclRoleCmd extends BaseAsyncCmd { @Override public void execute(){ - boolean result = _aclService.deleteAclRole(id); + boolean result = _aclService.deleteAclPolicy(id); if (result) { SuccessResponse response = new SuccessResponse(getCommandName()); setResponseObject(response); } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl role"); + throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl policy"); } } @Override public String getEventType() { - return EventTypes.EVENT_ACL_ROLE_DELETE; + return EventTypes.EVENT_ACL_POLICY_DELETE; } @Override @@ -91,6 +91,6 @@ public class DeleteAclRoleCmd extends BaseAsyncCmd { @Override public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.AclRole; + return ApiCommandJobType.AclPolicy; } } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclRoleCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclRoleCmd.java deleted file mode 100644 index c0c00833aec..00000000000 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclRoleCmd.java +++ /dev/null @@ -1,120 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.admin.acl; - -import java.util.List; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.acl.AclRole; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AclRoleResponse; -import org.apache.cloudstack.context.CallContext; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "grantPermissionToAclRole", description = "Grant api permission to an acl role", responseObject = AclRoleResponse.class) -public class GrantPermissionToAclRoleCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(GrantPermissionToAclRoleCmd.class.getName()); - private static final String s_name = "grantpermissiontoroleresponse"; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclRoleResponse.class, - required = true, description = "The ID of the acl role") - private Long id; - - @ACL - @Parameter(name = ApiConstants.ACL_APIS, type = CommandType.LIST, collectionType = CommandType.STRING, description = "comma separated list of apis granted to the acl role. ") - private List apiList; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public List getApiList() { - return apiList; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("Acl role Id: " + getId()); - AclRole result = _aclService.grantApiPermissionToAclRole(id, apiList); - if (result != null) { - AclRoleResponse response = _responseGenerator.createAclRoleResponse(result); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl role " + getId()); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_ACL_ROLE_GRANT; - } - - @Override - public String getEventDescription() { - return "granting permission to acl role"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.AclRole; - } - -} diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/ListAclRolesCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/ListAclPoliciesCmd.java similarity index 75% rename from api/src/org/apache/cloudstack/api/command/admin/acl/ListAclRolesCmd.java rename to api/src/org/apache/cloudstack/api/command/admin/acl/ListAclPoliciesCmd.java index e9ebf78fad5..7c9cdbe47d7 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/ListAclRolesCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/ListAclPoliciesCmd.java @@ -23,32 +23,32 @@ import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.BaseListDomainResourcesCmd; import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.api.response.ListResponse; -@APICommand(name = "listAclRoles", description = "Lists acl roles", responseObject = AclRoleResponse.class) -public class ListAclRolesCmd extends BaseListDomainResourcesCmd { - public static final Logger s_logger = Logger.getLogger(ListAclRolesCmd.class.getName()); +@APICommand(name = "listAclPolicies", description = "Lists acl policies", responseObject = AclPolicyResponse.class) +public class ListAclPoliciesCmd extends BaseListDomainResourcesCmd { + public static final Logger s_logger = Logger.getLogger(ListAclPoliciesCmd.class.getName()); - private static final String s_name = "listaclrolesresponse"; + private static final String s_name = "listaclpoliciesresponse"; ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// - @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists acl roles by name") - private String aclRoleName; + @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists acl policies by name") + private String aclPolicyName; - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the acl role by the id provided", entityType = AclRoleResponse.class) + @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the acl policy by the id provided", entityType = AclPolicyResponse.class) private Long id; ///////////////////////////////////////////////////// /////////////////// Accessors /////////////////////// ///////////////////////////////////////////////////// - public String getAclRoleName() { - return aclRoleName; + public String getAclPolicyName() { + return aclPolicyName; } @@ -68,7 +68,7 @@ public class ListAclRolesCmd extends BaseListDomainResourcesCmd { @Override public void execute(){ - ListResponse response = _queryService.listAclRoles(id, aclRoleName, getDomainId(), + ListResponse response = _queryService.listAclPolicies(id, aclPolicyName, getDomainId(), getStartIndex(), getPageSizeVal()); response.setResponseName(getCommandName()); setResponseObject(response); @@ -77,6 +77,6 @@ public class ListAclRolesCmd extends BaseListDomainResourcesCmd { @Override public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.AclRole; + return ApiCommandJobType.AclPolicy; } } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclGroupCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclPermissionFromAclPolicyCmd.java similarity index 61% rename from api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclGroupCmd.java rename to api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclPermissionFromAclPolicyCmd.java index 9fefa75e4b0..84d35301545 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/GrantPermissionToAclGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclPermissionFromAclPolicyCmd.java @@ -16,11 +16,10 @@ // under the License. package org.apache.cloudstack.api.command.admin.acl; - import org.apache.log4j.Logger; -import org.apache.cloudstack.acl.AclGroup; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.acl.AclPolicy; +import org.apache.cloudstack.acl.PermissionScope; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; @@ -29,7 +28,7 @@ import org.apache.cloudstack.api.ApiErrorCode; import org.apache.cloudstack.api.BaseAsyncCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AclGroupResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.context.CallContext; import com.cloud.event.EventTypes; @@ -38,10 +37,10 @@ import com.cloud.exception.ResourceUnavailableException; import com.cloud.user.Account; -@APICommand(name = "grantPermissionToAclGroup", description = "grant entity permission to an acl group", responseObject = AclGroupResponse.class) -public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(GrantPermissionToAclGroupCmd.class.getName()); - private static final String s_name = "grantpermissiontoaclgroupresponse"; +@APICommand(name = "removeAclPermissionFromAclPolicy", description = "Remove acl permission from an acl policy", responseObject = AclPolicyResponse.class) +public class RemoveAclPermissionFromAclPolicyCmd extends BaseAsyncCmd { + public static final Logger s_logger = Logger.getLogger(RemoveAclPermissionFromAclPolicyCmd.class.getName()); + private static final String s_name = "removeaclpermissionfromaclpolicyresponse"; ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// @@ -49,18 +48,23 @@ public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd { @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class, - required = true, description = "The ID of the acl group") + @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclPolicyResponse.class, + required = true, description = "The ID of the acl policy") private Long id; - @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = true, description = "entity class simple name.") + @Parameter(name = ApiConstants.ACL_ACTION, type = CommandType.STRING, required = true, description = "action api name.") + private String action; + + @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.") private String entityType; - @Parameter(name = ApiConstants.ENTITY_ID, type = CommandType.UUID, required = true, description = "The ID of the entity") - private Long entityId; + @Parameter(name = ApiConstants.ACL_SCOPE, type = CommandType.STRING, + required = false, description = "acl permission scope") + private String scope; + + @Parameter(name = ApiConstants.ACL_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id") + private Long scopeId; - @Parameter(name = ApiConstants.ACCESS_TYPE, type = CommandType.STRING, required = true, description = "access type for the entity") - private String accessType; ///////////////////////////////////////////////////// /////////////////// Accessors /////////////////////// @@ -71,16 +75,21 @@ public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd { return id; } + + public String getAction() { + return action; + } + public String getEntityType() { return entityType; } - public Long getEntityId() { - return entityId; + public String getScope() { + return scope; } - public AccessType getAccessType() { - return AccessType.valueOf(accessType); + public Long getScopeId() { + return scopeId; } @@ -88,6 +97,7 @@ public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd { /////////////// API Implementation/////////////////// ///////////////////////////////////////////////////// + @Override public String getCommandName() { return s_name; @@ -102,30 +112,30 @@ public class GrantPermissionToAclGroupCmd extends BaseAsyncCmd { @Override public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("Acl group Id: " + getId()); - AclGroup result = _aclService.grantEntityPermissionToAclGroup(id, entityType, entityId, getAccessType()); - if (result != null){ - AclGroupResponse response = _responseGenerator.createAclGroupResponse(result); + CallContext.current().setEventDetails("Acl policy Id: " + getId()); + AclPolicy result = _aclService.removeAclPermissionFromAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action); + if (result != null) { + AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(result); response.setResponseName(getCommandName()); setResponseObject(response); } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl group"); + throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove permission from acl policy " + getId()); } } @Override public String getEventType() { - return EventTypes.EVENT_ACL_GROUP_GRANT; + return EventTypes.EVENT_ACL_POLICY_REVOKE; } @Override public String getEventDescription() { - return "granting permission to acl group"; + return "removing permission from acl policy"; } @Override public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.AclGroup; + return ApiCommandJobType.AclPolicy; } } diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclRoleFromAclGroupCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclPolicyFromAclGroupCmd.java similarity index 82% rename from api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclRoleFromAclGroupCmd.java rename to api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclPolicyFromAclGroupCmd.java index b06bb46381f..4b92a1e209a 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclRoleFromAclGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/acl/RemoveAclPolicyFromAclGroupCmd.java @@ -30,7 +30,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; import org.apache.cloudstack.api.response.AclGroupResponse; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.context.CallContext; import com.cloud.event.EventTypes; @@ -39,10 +39,10 @@ import com.cloud.exception.ResourceUnavailableException; import com.cloud.user.Account; -@APICommand(name = "removeAclRoleFromAclGroup", description = "remove acl role to an acl group", responseObject = AclGroupResponse.class) -public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(RemoveAclRoleFromAclGroupCmd.class.getName()); - private static final String s_name = "removeaclroletoaclgroupresponse"; +@APICommand(name = "removeAclPolicyFromAclGroup", description = "remove acl policy from an acl group", responseObject = AclGroupResponse.class) +public class RemoveAclPolicyFromAclGroupCmd extends BaseAsyncCmd { + public static final Logger s_logger = Logger.getLogger(RemoveAclPolicyFromAclGroupCmd.class.getName()); + private static final String s_name = "removeaclpolicyfromaclgroupresponse"; ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// @@ -55,8 +55,8 @@ public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd { private Long id; @ACL - @Parameter(name = ApiConstants.ACL_ROLES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclRoleResponse.class, description = "comma separated list of acl role id that are going to be applied to the acl group.") - private List roleIdList; + @Parameter(name = ApiConstants.ACL_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclPolicyResponse.class, description = "comma separated list of acl policy id that are going to be applied to the acl group.") + private List policyIdList; ///////////////////////////////////////////////////// @@ -70,7 +70,7 @@ public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd { public List getRoleIdList() { - return roleIdList; + return policyIdList; } ///////////////////////////////////////////////////// @@ -93,7 +93,7 @@ public class RemoveAclRoleFromAclGroupCmd extends BaseAsyncCmd { public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException { CallContext.current().setEventDetails("Acl group Id: " + getId()); - AclGroup result = _aclService.removeAclRolesFromGroup(roleIdList, id); + AclGroup result = _aclService.removeAclPoliciesFromGroup(policyIdList, id); if (result != null){ AclGroupResponse response = _responseGenerator.createAclGroupResponse(result); response.setResponseName(getCommandName()); diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java deleted file mode 100644 index 4576b765580..00000000000 --- a/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java +++ /dev/null @@ -1,120 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.admin.acl; - -import java.util.List; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.acl.AclRole; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AclRoleResponse; -import org.apache.cloudstack.context.CallContext; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "revokePermissionFromAclRole", description = "Revoke api permission from an acl role", responseObject = AclRoleResponse.class) -public class RevokePermissionFromAclRoleCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(RevokePermissionFromAclRoleCmd.class.getName()); - private static final String s_name = "revokepermissionfromroleresponse"; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclRoleResponse.class, - required = true, description = "The ID of the acl role") - private Long id; - - @ACL - @Parameter(name = ApiConstants.ACL_APIS, type = CommandType.LIST, collectionType = CommandType.STRING, description = "comma separated list of apis granted to the acl role. ") - private List apiList; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public List getApiList() { - return apiList; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("Acl role Id: " + getId()); - AclRole result = _aclService.revokeApiPermissionFromAclRole(id, apiList); - if (result != null) { - AclRoleResponse response = _responseGenerator.createAclRoleResponse(result); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to revoke permission from acl role " + getId()); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_ACL_ROLE_REVOKE; - } - - @Override - public String getEventDescription() { - return "revoking permission from acl role"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.AclRole; - } - -} diff --git a/api/src/org/apache/cloudstack/api/response/AclEntityPermissionResponse.java b/api/src/org/apache/cloudstack/api/response/AclEntityPermissionResponse.java deleted file mode 100644 index da3b4b20899..00000000000 --- a/api/src/org/apache/cloudstack/api/response/AclEntityPermissionResponse.java +++ /dev/null @@ -1,112 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.response; - -import com.google.gson.annotations.SerializedName; - -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseResponse; - -import com.cloud.serializer.Param; - -public class AclEntityPermissionResponse extends BaseResponse { - - @SerializedName(ApiConstants.GROUP_ID) - @Param(description = "the ID of the acl group") - private String groupId; - - @SerializedName(ApiConstants.ENTITY_TYPE) - @Param(description = "the entity type of this permission") - private String entityType; - - @SerializedName(ApiConstants.ENTITY_ID) - @Param(description = "the uuid of the entity involved in this permission") - private String entityId; - - @SerializedName(ApiConstants.ACCESS_TYPE) - @Param(description = "access type involved in this permission") - private String accessType; - - - - public String getGroupId() { - return groupId; - } - - public void setGroupId(String groupId) { - this.groupId = groupId; - } - - public String getEntityType() { - return entityType; - } - - public void setEntityType(String entityType) { - this.entityType = entityType; - } - - public String getEntityId() { - return entityId; - } - - public void setEntityId(String entityId) { - this.entityId = entityId; - } - - public String getAccessType() { - return accessType; - } - - public void setAccessType(String accessType) { - this.accessType = accessType; - } - - @Override - public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result + ((entityType == null) ? 0 : entityType.hashCode()); - result = prime * result + ((entityId == null) ? 0 : entityId.hashCode()); - result = prime * result + ((accessType == null) ? 0 : accessType.hashCode()); - return result; - } - - @Override - public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - AclEntityPermissionResponse other = (AclEntityPermissionResponse) obj; - if (entityType == null) { - if (other.entityType != null) - return false; - } else if (!entityType.equals(other.entityType)) { - return false; - } else if ((entityId == null && other.entityId != null) || !entityId.equals(other.entityId)) { - return false; - } else if ((accessType == null && other.accessType != null) || !accessType.equals(other.accessType)) { - return false; - } - return true; - } - - - -} diff --git a/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java b/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java deleted file mode 100644 index 2056d350db4..00000000000 --- a/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java +++ /dev/null @@ -1,134 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.response; - -import java.util.ArrayList; -import java.util.List; - -import com.google.gson.annotations.SerializedName; - -import org.apache.cloudstack.acl.AclRole; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseResponse; -import org.apache.cloudstack.api.EntityReference; - -import com.cloud.serializer.Param; - -@SuppressWarnings("unused") -@EntityReference(value = AclRole.class) -public class AclRoleResponse extends BaseResponse { - - @SerializedName(ApiConstants.ID) - @Param(description = "the ID of the acl role") - private String id; - - @SerializedName(ApiConstants.NAME) - @Param(description = "the name of the acl role") - private String name; - - @SerializedName(ApiConstants.DESCRIPTION) - @Param(description = "the description of the acl role") - private String description; - - @SerializedName(ApiConstants.DOMAIN_ID) - @Param(description = "the domain ID of the acl role") - private String domainId; - - @SerializedName(ApiConstants.DOMAIN) - @Param(description = "the domain name of the acl role") - private String domainName; - - @SerializedName(ApiConstants.ACL_APIS) - @Param(description = "allowed apis for the acl role ") - private List apiList; - - public AclRoleResponse() { - apiList = new ArrayList(); - } - - @Override - public String getObjectId() { - return getId(); - } - - - public String getId() { - return id; - } - - public void setId(String id) { - this.id = id; - } - - - public void setName(String name) { - this.name = name; - } - - public void setDescription(String description) { - this.description = description; - } - - - public void setDomainId(String domainId) { - this.domainId = domainId; - } - - public void setDomainName(String domainName) { - this.domainName = domainName; - } - - public List getApiList() { - return apiList; - } - - public void setApiList(List apiList) { - this.apiList = apiList; - } - - public void addApi(String api) { - apiList.add(api); - } - - @Override - public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result + ((id == null) ? 0 : id.hashCode()); - return result; - } - - @Override - public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - AclRoleResponse other = (AclRoleResponse) obj; - if (id == null) { - if (other.id != null) - return false; - } else if (!id.equals(other.id)) - return false; - return true; - } - - - -} diff --git a/api/src/org/apache/cloudstack/query/QueryService.java b/api/src/org/apache/cloudstack/query/QueryService.java index bbbb3fe9dd8..00df62e96ca 100644 --- a/api/src/org/apache/cloudstack/query/QueryService.java +++ b/api/src/org/apache/cloudstack/query/QueryService.java @@ -45,7 +45,7 @@ import org.apache.cloudstack.api.command.user.volume.ListVolumesCmd; import org.apache.cloudstack.api.command.user.zone.ListZonesByCmd; import org.apache.cloudstack.api.response.AccountResponse; import org.apache.cloudstack.api.response.AclGroupResponse; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.api.response.AsyncJobResponse; import org.apache.cloudstack.api.response.DiskOfferingResponse; import org.apache.cloudstack.api.response.DomainRouterResponse; @@ -127,7 +127,7 @@ public interface QueryService { ListResponse searchForInternalLbVms(ListInternalLBVMsCmd cmd); - public ListResponse listAclRoles(Long aclRoleId, String aclRoleName, + public ListResponse listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex, Long pageSize); public ListResponse listAclGroups(Long aclGroupId, String aclGroupName, diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java index 6570557bca3..e86e710ab1c 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java +++ b/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java @@ -96,6 +96,10 @@ public class AclGroupVO implements AclGroup { return accountId; } + public void setAccountId(long accountId) { + this.accountId = accountId; + } + @Override public String getUuid() { return uuid; diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java index 0b23b0bc944..0d93b4f7b36 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java +++ b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java @@ -97,6 +97,10 @@ public class AclPolicyPermissionVO implements AclPolicyPermission { } + public void setAclPolicyId(long aclPolicyId) { + this.aclPolicyId = aclPolicyId; + } + @Override public String getEntityType() { return entityType; diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java index 24b98882d4b..521001610bb 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java +++ b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java @@ -121,6 +121,10 @@ public class AclPolicyVO implements AclPolicy { return accountId; } + public void setAccountId(long accountId) { + this.accountId = accountId; + } + public AclPolicy.PolicyType getPolicyType() { return policyType; } diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java index f8d3cb5c220..f3c6446e0fe 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java +++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java @@ -17,10 +17,19 @@ package org.apache.cloudstack.acl.dao; +import java.util.List; + +import org.apache.cloudstack.acl.AclPolicyPermission.Permission; import org.apache.cloudstack.acl.AclPolicyPermissionVO; +import org.apache.cloudstack.acl.PermissionScope; import com.cloud.utils.db.GenericDao; public interface AclPolicyPermissionDao extends GenericDao { + List listByPolicy(long policyId); + + AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm); + + } diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java index 1160d30c959..11b009b30c5 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java +++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java @@ -16,21 +16,20 @@ // under the License. package org.apache.cloudstack.acl.dao; +import java.util.List; import java.util.Map; import javax.naming.ConfigurationException; +import org.apache.cloudstack.acl.AclPolicyPermission.Permission; import org.apache.cloudstack.acl.AclPolicyPermissionVO; +import org.apache.cloudstack.acl.PermissionScope; import com.cloud.utils.db.GenericDaoBase; public class AclPolicyPermissionDaoImpl extends GenericDaoBase implements AclPolicyPermissionDao { - public AclPolicyPermissionDaoImpl() - { - - } @Override public boolean configure(String name, Map params) throws ConfigurationException { @@ -39,5 +38,16 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase listByPolicy(long policyId) { + // TODO Auto-generated method stub + return null; + } + + @Override + public AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) { + // TODO Auto-generated method stub + return null; + } } diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java index 027ff580128..f43194aeecc 100644 --- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java +++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java @@ -54,10 +54,10 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null"); } - List roles = _aclService.getAclRoles(account.getAccountId()); + List roles = _aclService.listAclPolicies(account.getAccountId()); - boolean isAllowed = _aclService.isAPIAccessibleForRoles(commandName, roles); + boolean isAllowed = _aclService.isAPIAccessibleForPolicies(commandName, roles); if (!isAllowed) { throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName); } diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java index 5a0abf5de17..6d1fe019ad0 100644 --- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java +++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java @@ -106,7 +106,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur } // get all Roles of this caller w.r.t the entity - List roles = _aclService.getEffectiveRoles(caller, entity); + List roles = _aclService.getEffectivePolicies(caller, entity); HashMap rolePermissionMap = new HashMap(); for (AclRole role : roles) { diff --git a/server/src/com/cloud/api/ApiDBUtils.java b/server/src/com/cloud/api/ApiDBUtils.java index 3ae7142c571..f6e7cd8b57d 100755 --- a/server/src/com/cloud/api/ApiDBUtils.java +++ b/server/src/com/cloud/api/ApiDBUtils.java @@ -26,7 +26,7 @@ import javax.annotation.PostConstruct; import javax.inject.Inject; import org.apache.cloudstack.acl.AclGroup; -import org.apache.cloudstack.acl.AclRole; +import org.apache.cloudstack.acl.AclPolicy; import org.apache.cloudstack.affinity.AffinityGroup; import org.apache.cloudstack.affinity.AffinityGroupResponse; import org.apache.cloudstack.affinity.dao.AffinityGroupDao; @@ -36,7 +36,7 @@ import org.apache.cloudstack.api.ApiConstants.VMDetails; import org.apache.cloudstack.api.ResponseObject.ResponseView; import org.apache.cloudstack.api.response.AccountResponse; import org.apache.cloudstack.api.response.AclGroupResponse; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.api.response.AsyncJobResponse; import org.apache.cloudstack.api.response.DiskOfferingResponse; import org.apache.cloudstack.api.response.DomainRouterResponse; @@ -70,7 +70,7 @@ import org.apache.cloudstack.storage.datastore.db.StoragePoolVO; import com.cloud.api.query.dao.AccountJoinDao; import com.cloud.api.query.dao.AclGroupJoinDao; -import com.cloud.api.query.dao.AclRoleJoinDao; +import com.cloud.api.query.dao.AclPolicyJoinDao; import com.cloud.api.query.dao.AffinityGroupJoinDao; import com.cloud.api.query.dao.AsyncJobJoinDao; import com.cloud.api.query.dao.DataCenterJoinDao; @@ -92,7 +92,7 @@ import com.cloud.api.query.dao.UserVmJoinDao; import com.cloud.api.query.dao.VolumeJoinDao; import com.cloud.api.query.vo.AccountJoinVO; import com.cloud.api.query.vo.AclGroupJoinVO; -import com.cloud.api.query.vo.AclRoleJoinVO; +import com.cloud.api.query.vo.AclPolicyJoinVO; import com.cloud.api.query.vo.AffinityGroupJoinVO; import com.cloud.api.query.vo.AsyncJobJoinVO; import com.cloud.api.query.vo.DataCenterJoinVO; @@ -411,7 +411,7 @@ public class ApiDBUtils { static GlobalLoadBalancingRulesService _gslbService; static NetworkACLDao _networkACLDao; static AccountService _accountService; - static AclRoleJoinDao _aclRoleJoinDao; + static AclPolicyJoinDao _aclPolicyJoinDao; static AclGroupJoinDao _aclGroupJoinDao; static ResourceMetaDataService _resourceDetailsService; @@ -527,7 +527,7 @@ public class ApiDBUtils { @Inject private ServiceOfferingDetailsDao serviceOfferingDetailsDao; @Inject private AccountService accountService; @Inject - private AclRoleJoinDao aclRoleJoinDao; + private AclPolicyJoinDao aclPolicyJoinDao; @Inject private AclGroupJoinDao aclGroupJoinDao; @Inject private ConfigurationManager configMgr; @@ -643,7 +643,7 @@ public class ApiDBUtils { _statsCollector = StatsCollector.getInstance(); _networkACLDao = networkACLDao; _accountService = accountService; - _aclRoleJoinDao = aclRoleJoinDao; + _aclPolicyJoinDao = aclPolicyJoinDao; _aclGroupJoinDao = aclGroupJoinDao; _resourceDetailsService = resourceDetailsService; } @@ -1698,16 +1698,16 @@ public class ApiDBUtils { return _affinityGroupJoinDao.setAffinityGroupResponse(resp, group); } - public static List newAclRoleView(AclRole role) { - return _aclRoleJoinDao.newAclRoleView(role); + public static List newAclPolicyView(AclPolicy policy) { + return _aclPolicyJoinDao.newAclPolicyView(policy); } - public static AclRoleResponse newAclRoleResponse(AclRoleJoinVO role) { - return _aclRoleJoinDao.newAclRoleResponse(role); + public static AclPolicyResponse newAclPolicyResponse(AclPolicyJoinVO policy) { + return _aclPolicyJoinDao.newAclPolicyResponse(policy); } - public static AclRoleResponse fillAclRoleDetails(AclRoleResponse resp, AclRoleJoinVO role) { - return _aclRoleJoinDao.setAclRoleResponse(resp, role); + public static AclPolicyResponse fillAclPolicyDetails(AclPolicyResponse resp, AclPolicyJoinVO policy) { + return _aclPolicyJoinDao.setAclPolicyResponse(resp, policy); } public static List newAclGroupView(AclGroup group) { diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index 16f3c65ecd4..271c7d946df 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -34,7 +34,7 @@ import javax.inject.Inject; import org.apache.log4j.Logger; import org.apache.cloudstack.acl.AclGroup; -import org.apache.cloudstack.acl.AclRole; +import org.apache.cloudstack.acl.AclPolicy; import org.apache.cloudstack.acl.ControlledEntity; import org.apache.cloudstack.acl.ControlledEntity.ACLType; import org.apache.cloudstack.affinity.AffinityGroup; @@ -46,7 +46,7 @@ import org.apache.cloudstack.api.ResponseObject.ResponseView; import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd; import org.apache.cloudstack.api.response.AccountResponse; import org.apache.cloudstack.api.response.AclGroupResponse; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.api.response.ApplicationLoadBalancerInstanceResponse; import org.apache.cloudstack.api.response.ApplicationLoadBalancerResponse; import org.apache.cloudstack.api.response.ApplicationLoadBalancerRuleResponse; @@ -155,7 +155,7 @@ import org.apache.cloudstack.usage.UsageTypes; import com.cloud.api.query.ViewResponseHelper; import com.cloud.api.query.vo.AccountJoinVO; import com.cloud.api.query.vo.AclGroupJoinVO; -import com.cloud.api.query.vo.AclRoleJoinVO; +import com.cloud.api.query.vo.AclPolicyJoinVO; import com.cloud.api.query.vo.AsyncJobJoinVO; import com.cloud.api.query.vo.ControlledViewEntity; import com.cloud.api.query.vo.DataCenterJoinVO; @@ -3709,11 +3709,11 @@ public class ApiResponseHelper implements ResponseGenerator { } @Override - public AclRoleResponse createAclRoleResponse(AclRole role) { - List viewRoles = ApiDBUtils.newAclRoleView(role); - List listRoles = ViewResponseHelper.createAclRoleResponses(viewRoles); - assert listRoles != null && listRoles.size() == 1 : "There should be one acl role returned"; - return listRoles.get(0); + public AclPolicyResponse createAclPolicyResponse(AclPolicy policy) { + List viewPolicies = ApiDBUtils.newAclPolicyView(policy); + List listPolicies = ViewResponseHelper.createAclPolicyResponses(viewPolicies); + assert listPolicies != null && listPolicies.size() == 1 : "There should be one acl policy returned"; + return listPolicies.get(0); } @Override diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java index 5b0d7ccb6b5..672ad129832 100755 --- a/server/src/com/cloud/api/ApiServer.java +++ b/server/src/com/cloud/api/ApiServer.java @@ -51,14 +51,44 @@ import javax.naming.ConfigurationException; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import org.apache.commons.codec.binary.Base64; +import org.apache.http.ConnectionClosedException; +import org.apache.http.HttpException; +import org.apache.http.HttpRequest; +import org.apache.http.HttpResponse; +import org.apache.http.HttpServerConnection; +import org.apache.http.HttpStatus; +import org.apache.http.NameValuePair; +import org.apache.http.client.utils.URLEncodedUtils; +import org.apache.http.entity.BasicHttpEntity; +import org.apache.http.impl.DefaultHttpResponseFactory; +import org.apache.http.impl.DefaultHttpServerConnection; +import org.apache.http.impl.NoConnectionReuseStrategy; +import org.apache.http.impl.SocketHttpServerConnection; +import org.apache.http.params.BasicHttpParams; +import org.apache.http.params.CoreConnectionPNames; +import org.apache.http.params.CoreProtocolPNames; +import org.apache.http.params.HttpParams; +import org.apache.http.protocol.BasicHttpContext; +import org.apache.http.protocol.BasicHttpProcessor; +import org.apache.http.protocol.HttpContext; +import org.apache.http.protocol.HttpRequestHandler; +import org.apache.http.protocol.HttpRequestHandlerRegistry; +import org.apache.http.protocol.HttpService; +import org.apache.http.protocol.ResponseConnControl; +import org.apache.http.protocol.ResponseContent; +import org.apache.http.protocol.ResponseDate; +import org.apache.http.protocol.ResponseServer; +import org.apache.log4j.Logger; +import org.springframework.stereotype.Component; + import org.apache.cloudstack.acl.APIChecker; +import org.apache.cloudstack.acl.AclPolicyPermission.Permission; import org.apache.cloudstack.acl.AclPolicyPermissionVO; import org.apache.cloudstack.acl.PermissionScope; import org.apache.cloudstack.acl.RoleType; -import org.apache.cloudstack.acl.AclPolicyPermission.Permission; import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao; -import org.apache.cloudstack.affinity.AffinityGroupVMMapVO; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiErrorCode; import org.apache.cloudstack.api.BaseAsyncCmd; @@ -96,36 +126,6 @@ import org.apache.cloudstack.framework.jobs.AsyncJob; import org.apache.cloudstack.framework.jobs.AsyncJobManager; import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO; import org.apache.cloudstack.managed.context.ManagedContextRunnable; -import org.apache.commons.codec.binary.Base64; -import org.apache.http.ConnectionClosedException; -import org.apache.http.HttpException; -import org.apache.http.HttpRequest; -import org.apache.http.HttpResponse; -import org.apache.http.HttpServerConnection; -import org.apache.http.HttpStatus; -import org.apache.http.NameValuePair; -import org.apache.http.client.utils.URLEncodedUtils; -import org.apache.http.entity.BasicHttpEntity; -import org.apache.http.impl.DefaultHttpResponseFactory; -import org.apache.http.impl.DefaultHttpServerConnection; -import org.apache.http.impl.NoConnectionReuseStrategy; -import org.apache.http.impl.SocketHttpServerConnection; -import org.apache.http.params.BasicHttpParams; -import org.apache.http.params.CoreConnectionPNames; -import org.apache.http.params.CoreProtocolPNames; -import org.apache.http.params.HttpParams; -import org.apache.http.protocol.BasicHttpContext; -import org.apache.http.protocol.BasicHttpProcessor; -import org.apache.http.protocol.HttpContext; -import org.apache.http.protocol.HttpRequestHandler; -import org.apache.http.protocol.HttpRequestHandlerRegistry; -import org.apache.http.protocol.HttpService; -import org.apache.http.protocol.ResponseConnControl; -import org.apache.http.protocol.ResponseContent; -import org.apache.http.protocol.ResponseDate; -import org.apache.http.protocol.ResponseServer; -import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; import com.cloud.api.response.ApiResponseSerializer; import com.cloud.configuration.Config; @@ -1017,7 +1017,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer } } - private Class getCmdClass(String cmdName) { + @Override + public Class getCmdClass(String cmdName) { List> cmdList = _apiNameCmdClassMap.get(cmdName); if (cmdList == null || cmdList.size() == 0) return null; diff --git a/server/src/com/cloud/api/ApiServerService.java b/server/src/com/cloud/api/ApiServerService.java index dac81c665c4..4a4ae1e350e 100644 --- a/server/src/com/cloud/api/ApiServerService.java +++ b/server/src/com/cloud/api/ApiServerService.java @@ -35,4 +35,6 @@ public interface ApiServerService { public String getSerializedApiError(ServerApiException ex, Map apiCommandParams, String responseType); public String handleRequest(Map params, String responseType, StringBuffer auditTrailSb) throws ServerApiException; + + public Class getCmdClass(String cmdName); } diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index 8eff952f711..4a3e882e208 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -30,7 +30,7 @@ import org.apache.log4j.Logger; import org.springframework.stereotype.Component; import org.apache.cloudstack.acl.AclGroup; -import org.apache.cloudstack.acl.AclRole; +import org.apache.cloudstack.acl.AclPolicy; import org.apache.cloudstack.acl.AclService; import org.apache.cloudstack.acl.ControlledEntity.ACLType; import org.apache.cloudstack.acl.dao.AclGroupDao; @@ -71,7 +71,7 @@ import org.apache.cloudstack.api.command.user.volume.ListVolumesCmd; import org.apache.cloudstack.api.command.user.zone.ListZonesByCmd; import org.apache.cloudstack.api.response.AccountResponse; import org.apache.cloudstack.api.response.AclGroupResponse; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.api.response.AsyncJobResponse; import org.apache.cloudstack.api.response.DiskOfferingResponse; import org.apache.cloudstack.api.response.DomainRouterResponse; @@ -100,7 +100,7 @@ import org.apache.cloudstack.query.QueryService; import com.cloud.api.query.dao.AccountJoinDao; import com.cloud.api.query.dao.AclGroupJoinDao; -import com.cloud.api.query.dao.AclRoleJoinDao; +import com.cloud.api.query.dao.AclPolicyJoinDao; import com.cloud.api.query.dao.AffinityGroupJoinDao; import com.cloud.api.query.dao.AsyncJobJoinDao; import com.cloud.api.query.dao.DataCenterJoinDao; @@ -122,6 +122,7 @@ import com.cloud.api.query.dao.UserVmJoinDao; import com.cloud.api.query.dao.VolumeJoinDao; import com.cloud.api.query.vo.AccountJoinVO; import com.cloud.api.query.vo.AclGroupJoinVO; +import com.cloud.api.query.vo.AclPolicyJoinVO; import com.cloud.api.query.vo.AclRoleJoinVO; import com.cloud.api.query.vo.AffinityGroupJoinVO; import com.cloud.api.query.vo.AsyncJobJoinVO; @@ -350,10 +351,10 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { AffinityGroupDomainMapDao _affinityGroupDomainMapDao; @Inject - AclRoleJoinDao _aclRoleJoinDao; + AclPolicyJoinDao _aclPolicyJoinDao; @Inject - AclPolicyDao _aclRoleDao; + AclPolicyDao _aclPolicyDao; @Inject AclGroupJoinDao _aclGroupJoinDao; @@ -3308,28 +3309,29 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { } @Override - public ListResponse listAclRoles(Long aclRoleId, String aclRoleName, Long domainId, Long startIndex, Long pageSize) { - Pair, Integer> result = listAclRolesInternal(aclRoleId, aclRoleName, domainId, true, true, startIndex, pageSize); - ListResponse response = new ListResponse(); + public ListResponse listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex, Long pageSize) { + Pair, Integer> result = listAclPoliciesInternal(aclPolicyId, aclPolicyName, domainId, true, true, startIndex, pageSize); + ListResponse response = new ListResponse(); - List roleResponses = ViewResponseHelper.createAclRoleResponses(result.first()); + List roleResponses = ViewResponseHelper.createAclPolicyResponses(result.first()); response.setResponses(roleResponses, result.second()); return response; } - private Pair, Integer> listAclRolesInternal(Long aclRoleId, String aclRoleName, Long domainId, boolean isRecursive, boolean listAll, Long startIndex, + private Pair, Integer> listAclPoliciesInternal(Long aclPolicyId, String aclPolicyName, Long domainId, boolean isRecursive, boolean listAll, + Long startIndex, Long pageSize) { Account caller = CallContext.current().getCallingAccount(); Boolean listForDomain = false; - if (aclRoleId != null) { - AclRole role = _aclRoleDao.findById(aclRoleId); - if (role == null) { - throw new InvalidParameterValueException("Unable to find acl role by id " + aclRoleId); + if (aclPolicyId != null) { + AclPolicy policy = _aclPolicyDao.findById(aclPolicyId); + if (policy == null) { + throw new InvalidParameterValueException("Unable to find acl policy by id " + aclPolicyId); } - _accountMgr.checkAccess(caller, null, true, role); + _accountMgr.checkAccess(caller, null, true, policy); } if (domainId != null) { @@ -3340,17 +3342,17 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { _accountMgr.checkAccess(caller, domain); - if (aclRoleName != null) { - AclRole role = _aclRoleDao.findByName(domainId, aclRoleName); - if (role == null) { - throw new InvalidParameterValueException("Unable to find acl role by name " + aclRoleName + if (aclPolicyName != null) { + AclPolicy policy = _aclPolicyDao.findByName(domainId, aclPolicyName); + if (policy == null) { + throw new InvalidParameterValueException("Unable to find acl policy by name " + aclPolicyName + " in domain " + domainId); } - _accountMgr.checkAccess(caller, null, true, role); + _accountMgr.checkAccess(caller, null, true, policy); } } - if (aclRoleId == null) { + if (aclPolicyId == null) { if (_accountMgr.isAdmin(caller.getType()) && listAll && domainId == null) { listForDomain = true; isRecursive = true; @@ -3365,7 +3367,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { Filter searchFilter = new Filter(AclRoleJoinVO.class, "id", true, startIndex, pageSize); - SearchBuilder sb = _aclRoleJoinDao.createSearchBuilder(); + SearchBuilder sb = _aclPolicyJoinDao.createSearchBuilder(); sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct ids sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ); @@ -3376,14 +3378,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { sb.and("path", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE); } - SearchCriteria sc = sb.create(); + SearchCriteria sc = sb.create(); - if (aclRoleName != null) { - sc.setParameters("name", aclRoleName); + if (aclPolicyName != null) { + sc.setParameters("name", aclPolicyName); } - if (aclRoleId != null) { - sc.setParameters("id", aclRoleId); + if (aclPolicyId != null) { + sc.setParameters("id", aclPolicyId); } if (listForDomain) { @@ -3396,21 +3398,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { } - // search role details by ids - Pair, Integer> uniqueRolePair = _aclRoleJoinDao.searchAndCount(sc, searchFilter); + // search policy details by ids + Pair, Integer> uniqueRolePair = _aclPolicyJoinDao.searchAndCount(sc, searchFilter); Integer count = uniqueRolePair.second(); if (count.intValue() == 0) { // empty result return uniqueRolePair; } - List uniqueRoles = uniqueRolePair.first(); + List uniqueRoles = uniqueRolePair.first(); Long[] vrIds = new Long[uniqueRoles.size()]; int i = 0; - for (AclRoleJoinVO v : uniqueRoles) { + for (AclPolicyJoinVO v : uniqueRoles) { vrIds[i++] = v.getId(); } - List vrs = _aclRoleJoinDao.searchByIds(vrIds); - return new Pair, Integer>(vrs, count); + List vrs = _aclPolicyJoinDao.searchByIds(vrIds); + return new Pair, Integer>(vrs, count); } @Override diff --git a/server/src/com/cloud/api/query/ViewResponseHelper.java b/server/src/com/cloud/api/query/ViewResponseHelper.java index 7f5168c04c7..cfb097e1b7b 100644 --- a/server/src/com/cloud/api/query/ViewResponseHelper.java +++ b/server/src/com/cloud/api/query/ViewResponseHelper.java @@ -29,7 +29,7 @@ import org.apache.cloudstack.api.ApiConstants.VMDetails; import org.apache.cloudstack.api.ResponseObject.ResponseView; import org.apache.cloudstack.api.response.AccountResponse; import org.apache.cloudstack.api.response.AclGroupResponse; -import org.apache.cloudstack.api.response.AclRoleResponse; +import org.apache.cloudstack.api.response.AclPolicyResponse; import org.apache.cloudstack.api.response.AsyncJobResponse; import org.apache.cloudstack.api.response.DiskOfferingResponse; import org.apache.cloudstack.api.response.DomainRouterResponse; @@ -55,7 +55,7 @@ import org.apache.cloudstack.context.CallContext; import com.cloud.api.ApiDBUtils; import com.cloud.api.query.vo.AccountJoinVO; import com.cloud.api.query.vo.AclGroupJoinVO; -import com.cloud.api.query.vo.AclRoleJoinVO; +import com.cloud.api.query.vo.AclPolicyJoinVO; import com.cloud.api.query.vo.AffinityGroupJoinVO; import com.cloud.api.query.vo.AsyncJobJoinVO; import com.cloud.api.query.vo.DataCenterJoinVO; @@ -445,20 +445,20 @@ public class ViewResponseHelper { return new ArrayList(vrDataList.values()); } - public static List createAclRoleResponses(List roles) { - Hashtable vrDataList = new Hashtable(); - for (AclRoleJoinVO vr : roles) { - AclRoleResponse vrData = vrDataList.get(vr.getId()); + public static List createAclPolicyResponses(List policies) { + Hashtable vrDataList = new Hashtable(); + for (AclPolicyJoinVO vr : policies) { + AclPolicyResponse vrData = vrDataList.get(vr.getId()); if (vrData == null) { - // first time encountering this Acl role - vrData = ApiDBUtils.newAclRoleResponse(vr); + // first time encountering this Acl policy + vrData = ApiDBUtils.newAclPolicyResponse(vr); } else { // update vms - vrData = ApiDBUtils.fillAclRoleDetails(vrData, vr); + vrData = ApiDBUtils.fillAclPolicyDetails(vrData, vr); } vrDataList.put(vr.getId(), vrData); } - return new ArrayList(vrDataList.values()); + return new ArrayList(vrDataList.values()); } public static List createAclGroupResponses(List groups) { diff --git a/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java index 216a9e05617..7929c3a7b8d 100644 --- a/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java +++ b/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java @@ -37,7 +37,7 @@ import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; @Component -@Local(value = {AclRoleJoinDao.class}) +@Local(value = {AclPolicyJoinDao.class}) public class AclPolicyJoinDaoImpl extends GenericDaoBase implements AclPolicyJoinDao { public static final Logger s_logger = Logger.getLogger(AclPolicyJoinDaoImpl.class); diff --git a/server/src/com/cloud/api/query/dao/AclRoleJoinDao.java b/server/src/com/cloud/api/query/dao/AclRoleJoinDao.java deleted file mode 100644 index e35e66cbfba..00000000000 --- a/server/src/com/cloud/api/query/dao/AclRoleJoinDao.java +++ /dev/null @@ -1,36 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package com.cloud.api.query.dao; - -import java.util.List; - -import org.apache.cloudstack.acl.AclRole; -import org.apache.cloudstack.api.response.AclRoleResponse; - -import com.cloud.api.query.vo.AclRoleJoinVO; -import com.cloud.utils.db.GenericDao; - -public interface AclRoleJoinDao extends GenericDao { - - AclRoleResponse newAclRoleResponse(AclRoleJoinVO role); - - AclRoleResponse setAclRoleResponse(AclRoleResponse response, AclRoleJoinVO os); - - List newAclRoleView(AclRole role); - - List searchByIds(Long... ids); -} diff --git a/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java deleted file mode 100644 index 416cb0f0a85..00000000000 --- a/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java +++ /dev/null @@ -1,145 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package com.cloud.api.query.dao; - -import java.util.ArrayList; -import java.util.List; - -import javax.ejb.Local; -import javax.inject.Inject; - -import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; - -import org.apache.cloudstack.acl.AclRole; -import org.apache.cloudstack.api.response.AclRoleResponse; -import org.apache.cloudstack.framework.config.dao.ConfigurationDao; - -import com.cloud.api.query.vo.AclRoleJoinVO; -import com.cloud.user.AccountManager; -import com.cloud.utils.db.GenericDaoBase; -import com.cloud.utils.db.SearchBuilder; -import com.cloud.utils.db.SearchCriteria; - -@Component -@Local(value = {AclRoleJoinDao.class}) -public class AclRoleJoinDaoImpl extends GenericDaoBase implements AclRoleJoinDao { - public static final Logger s_logger = Logger.getLogger(AclRoleJoinDaoImpl.class); - - - private final SearchBuilder roleIdSearch; - private final SearchBuilder roleSearch; - @Inject - public AccountManager _accountMgr; - @Inject - public ConfigurationDao _configDao; - - protected AclRoleJoinDaoImpl() { - - roleSearch = createSearchBuilder(); - roleSearch.and("idIN", roleSearch.entity().getId(), SearchCriteria.Op.IN); - roleSearch.done(); - - roleIdSearch = createSearchBuilder(); - roleIdSearch.and("id", roleIdSearch.entity().getId(), SearchCriteria.Op.EQ); - roleIdSearch.done(); - - _count = "select count(distinct id) from acl_role_view WHERE "; - } - - - - @Override - public AclRoleResponse newAclRoleResponse(AclRoleJoinVO role) { - - AclRoleResponse response = new AclRoleResponse(); - response.setId(role.getUuid()); - response.setName(role.getName()); - response.setDescription(role.getDescription()); - response.setDomainId(role.getDomainUuid()); - response.setDomainName(role.getName()); - if (role.getApiName() != null) { - response.addApi(role.getApiName()); - } - - response.setObjectName("aclrole"); - - - return response; - } - - @Override - public AclRoleResponse setAclRoleResponse(AclRoleResponse response, AclRoleJoinVO role) { - if (role.getApiName() != null) { - response.addApi(role.getApiName()); - } - return response; - } - - @Override - public List newAclRoleView(AclRole role) { - SearchCriteria sc = roleIdSearch.create(); - sc.setParameters("id", role.getId()); - return searchIncludingRemoved(sc, null, null, false); - - } - - @Override - public List searchByIds(Long... roleIds) { - // set detail batch query size - int DETAILS_BATCH_SIZE = 2000; - String batchCfg = _configDao.getValue("detail.batch.query.size"); - if (batchCfg != null) { - DETAILS_BATCH_SIZE = Integer.parseInt(batchCfg); - } - // query details by batches - List uvList = new ArrayList(); - // query details by batches - int curr_index = 0; - if (roleIds.length > DETAILS_BATCH_SIZE) { - while ((curr_index + DETAILS_BATCH_SIZE) <= roleIds.length) { - Long[] ids = new Long[DETAILS_BATCH_SIZE]; - for (int k = 0, j = curr_index; j < curr_index + DETAILS_BATCH_SIZE; j++, k++) { - ids[k] = roleIds[j]; - } - SearchCriteria sc = roleSearch.create(); - sc.setParameters("idIN", ids); - List vms = searchIncludingRemoved(sc, null, null, false); - if (vms != null) { - uvList.addAll(vms); - } - curr_index += DETAILS_BATCH_SIZE; - } - } - if (curr_index < roleIds.length) { - int batch_size = (roleIds.length - curr_index); - // set the ids value - Long[] ids = new Long[batch_size]; - for (int k = 0, j = curr_index; j < curr_index + batch_size; j++, k++) { - ids[k] = roleIds[j]; - } - SearchCriteria sc = roleSearch.create(); - sc.setParameters("idIN", ids); - List vms = searchIncludingRemoved(sc, null, null, false); - if (vms != null) { - uvList.addAll(vms); - } - } - return uvList; - } - -} diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java index 2c960ffec5c..12de4bdd650 100755 --- a/server/src/com/cloud/server/ManagementServerImpl.java +++ b/server/src/com/cloud/server/ManagementServerImpl.java @@ -58,19 +58,17 @@ import org.apache.cloudstack.api.command.admin.account.EnableAccountCmd; import org.apache.cloudstack.api.command.admin.account.LockAccountCmd; import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd; import org.apache.cloudstack.api.command.admin.acl.AddAccountToAclGroupCmd; -import org.apache.cloudstack.api.command.admin.acl.AddAclRoleToAclGroupCmd; +import org.apache.cloudstack.api.command.admin.acl.AddAclPermissionToAclPolicyCmd; +import org.apache.cloudstack.api.command.admin.acl.AttachAclPolicyToAclGroupCmd; import org.apache.cloudstack.api.command.admin.acl.CreateAclGroupCmd; -import org.apache.cloudstack.api.command.admin.acl.CreateAclRoleCmd; +import org.apache.cloudstack.api.command.admin.acl.CreateAclPolicyCmd; import org.apache.cloudstack.api.command.admin.acl.DeleteAclGroupCmd; -import org.apache.cloudstack.api.command.admin.acl.DeleteAclRoleCmd; -import org.apache.cloudstack.api.command.admin.acl.GrantPermissionToAclGroupCmd; -import org.apache.cloudstack.api.command.admin.acl.GrantPermissionToAclRoleCmd; +import org.apache.cloudstack.api.command.admin.acl.DeleteAclPolicyCmd; import org.apache.cloudstack.api.command.admin.acl.ListAclGroupsCmd; -import org.apache.cloudstack.api.command.admin.acl.ListAclRolesCmd; +import org.apache.cloudstack.api.command.admin.acl.ListAclPoliciesCmd; import org.apache.cloudstack.api.command.admin.acl.RemoveAccountFromAclGroupCmd; -import org.apache.cloudstack.api.command.admin.acl.RemoveAclRoleFromAclGroupCmd; -import org.apache.cloudstack.api.command.admin.acl.RevokePermissionFromAclGroupCmd; -import org.apache.cloudstack.api.command.admin.acl.RevokePermissionFromAclRoleCmd; +import org.apache.cloudstack.api.command.admin.acl.RemoveAclPermissionFromAclPolicyCmd; +import org.apache.cloudstack.api.command.admin.acl.RemoveAclPolicyFromAclGroupCmd; import org.apache.cloudstack.api.command.admin.autoscale.CreateCounterCmd; import org.apache.cloudstack.api.command.admin.autoscale.DeleteCounterCmd; import org.apache.cloudstack.api.command.admin.cluster.AddClusterCmd; @@ -2882,20 +2880,18 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe cmdList.add(ReplaceNetworkACLListCmd.class); cmdList.add(UpdateNetworkACLItemCmd.class); cmdList.add(CleanVMReservationsCmd.class); - cmdList.add(CreateAclRoleCmd.class); - cmdList.add(DeleteAclRoleCmd.class); - cmdList.add(ListAclRolesCmd.class); - cmdList.add(GrantPermissionToAclRoleCmd.class); - cmdList.add(RevokePermissionFromAclRoleCmd.class); - cmdList.add(AddAclRoleToAclGroupCmd.class); - cmdList.add(RemoveAclRoleFromAclGroupCmd.class); + cmdList.add(CreateAclPolicyCmd.class); + cmdList.add(DeleteAclPolicyCmd.class); + cmdList.add(ListAclPoliciesCmd.class); + cmdList.add(AddAclPermissionToAclPolicyCmd.class); + cmdList.add(RemoveAclPermissionFromAclPolicyCmd.class); + cmdList.add(AttachAclPolicyToAclGroupCmd.class); + cmdList.add(RemoveAclPolicyFromAclGroupCmd.class); cmdList.add(CreateAclGroupCmd.class); cmdList.add(DeleteAclGroupCmd.class); cmdList.add(ListAclGroupsCmd.class); cmdList.add(AddAccountToAclGroupCmd.class); cmdList.add(RemoveAccountFromAclGroupCmd.class); - cmdList.add(GrantPermissionToAclGroupCmd.class); - cmdList.add(RevokePermissionFromAclGroupCmd.class); return cmdList; } diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 1e32aefec30..0ddc37a09ad 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -42,7 +42,7 @@ import org.apache.log4j.Logger; import org.apache.cloudstack.acl.AclEntityType; import org.apache.cloudstack.acl.AclGroupAccountMapVO; -import org.apache.cloudstack.acl.AclRolePermission; +import org.apache.cloudstack.acl.AclPolicyPermission; import org.apache.cloudstack.acl.AclService; import org.apache.cloudstack.acl.ControlledEntity; import org.apache.cloudstack.acl.PermissionScope; @@ -50,7 +50,7 @@ import org.apache.cloudstack.acl.RoleType; import org.apache.cloudstack.acl.SecurityChecker; import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao; -import org.apache.cloudstack.acl.dao.AclRolePermissionDao; +import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao; import org.apache.cloudstack.affinity.AffinityGroup; import org.apache.cloudstack.affinity.dao.AffinityGroupDao; import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd; @@ -264,7 +264,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M private AclService _aclService; @Inject - private AclRolePermissionDao _aclRolePermissionDao; + private AclPolicyPermissionDao _aclPolicyPermissionDao; @Inject public com.cloud.region.ha.GlobalLoadBalancingRulesService _gslbService; @@ -2391,17 +2391,19 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } else { domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources); // get caller role permission on VM List - AclRolePermission rolePerm = _aclService.getAclRolePermission(caller.getId(), AclEntityType.VM.toString(), AccessType.ListEntry); - if (rolePerm == null) { + //TODO: this method needs to pass the entity type instead of current hard-code to VM for now. Also, api action name + // should be passed in caller context. + AclPolicyPermission policyPerm = _aclService.getAclPolicyPermission(caller.getId(), AclEntityType.VM.toString(), "listVirtualMachine"); + if (policyPerm == null) { // no list entry permission - throw new PermissionDeniedException("Caller has no role permission assigned to list VM"); + throw new PermissionDeniedException("Caller has no policy permission assigned to list VM"); } if (permittedAccounts.isEmpty()) { // no account name is specified - if (rolePerm.getScope() == PermissionScope.ACCOUNT || !listAll) { + if (policyPerm.getScope() == PermissionScope.ACCOUNT || !listAll) { // only resource owner can see it, only match account permittedAccounts.add(caller.getId()); - } else if (rolePerm.getScope() == PermissionScope.DOMAIN) { + } else if (policyPerm.getScope() == PermissionScope.DOMAIN) { // match domain tree based on cmd.isRecursive flag or not domainIdRecursiveListProject.first(caller.getDomainId()); } @@ -2649,20 +2651,20 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M if (isRecursive) { for (int i = 0; i < permittedDomains.size(); i++) { Domain domain = _domainDao.findById(permittedDomains.get(i)); - aclSc.addOr("domainPath" + i, SearchCriteria.Op.LIKE, domain.getPath() + "%"); + aclSc.addOr("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%"); } } else { - aclSc.addOr("domainIdIN", SearchCriteria.Op.IN, permittedDomains.toArray()); + aclSc.addOr("domainId", SearchCriteria.Op.IN, permittedDomains.toArray()); } } if (!permittedAccounts.isEmpty()) { - aclSc.addOr("accountIdIN", SearchCriteria.Op.IN, permittedAccounts.toArray()); + aclSc.addOr("accountId", SearchCriteria.Op.IN, permittedAccounts.toArray()); } if (!permittedResources.isEmpty()) { - aclSc.addOr("idIn", SearchCriteria.Op.IN, permittedResources.toArray()); + aclSc.addOr("id", SearchCriteria.Op.IN, permittedResources.toArray()); } - sc.addAnd("accountIdIn", SearchCriteria.Op.SC, aclSc); + sc.addAnd("accountId", SearchCriteria.Op.SC, aclSc); } } diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java index 3e952f48389..9b3973364b1 100644 --- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java +++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java @@ -18,15 +18,14 @@ package org.apache.cloudstack.acl; import java.util.ArrayList; import java.util.HashMap; -import java.util.HashSet; import java.util.List; -import java.util.Set; import javax.ejb.Local; import javax.inject.Inject; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.AclPolicyPermission.Permission; import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.acl.dao.AclApiPermissionDao; import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao; @@ -34,9 +33,10 @@ import org.apache.cloudstack.acl.dao.AclGroupDao; import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao; import org.apache.cloudstack.acl.dao.AclPolicyDao; import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao; -import org.apache.cloudstack.api.Identity; +import org.apache.cloudstack.api.BaseListCmd; import org.apache.cloudstack.context.CallContext; +import com.cloud.api.ApiServerService; import com.cloud.domain.Domain; import com.cloud.event.ActionEvent; import com.cloud.event.EventTypes; @@ -49,7 +49,6 @@ import com.cloud.user.Account; import com.cloud.user.AccountManager; import com.cloud.user.dao.AccountDao; import com.cloud.uservm.UserVm; -import com.cloud.utils.Pair; import com.cloud.utils.component.Manager; import com.cloud.utils.component.ManagerBase; import com.cloud.utils.db.DB; @@ -77,7 +76,7 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { AccountDao _accountDao; @Inject - AclPolicyDao _aclRoleDao; + AclPolicyDao _aclPolicyDao; @Inject AclGroupDao _aclGroupDao; @@ -97,6 +96,9 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { @Inject AclPolicyPermissionDao _policyPermissionDao; + @Inject + ApiServerService _apiServer; + public static HashMap entityClassMap = new HashMap(); @@ -110,306 +112,88 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { @DB @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_CREATE, eventDescription = "Creating Acl Role", create = true) - public AclRole createAclRole(Long domainId, final String aclRoleName, final String description, final Long parentRoleId) { - Account caller = CallContext.current().getCallingAccount(); - if (domainId == null) { - domainId = caller.getDomainId(); - } + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true) + public AclGroup createAclGroup(Account caller, String aclGroupName, String description) { + Long domainId = caller.getDomainId(); + if (!_accountMgr.isRootAdmin(caller.getAccountId())) { // domain admin can only create role for his domain if (caller.getDomainId() != domainId.longValue()) { - throw new PermissionDeniedException("Can't create acl role in domain " + domainId + ", permission denied"); + throw new PermissionDeniedException("Can't create acl group in domain " + domainId + ", permission denied"); } } // check if the role is already existing - AclRole ro = _aclRoleDao.findByName(domainId, aclRoleName); - if (ro != null) { + AclGroup grp = _aclGroupDao.findByName(domainId, aclGroupName); + if (grp != null) { throw new InvalidParameterValueException( - "Unable to create acl role with name " + aclRoleName + "Unable to create acl group with name " + aclGroupName + " already exisits for domain " + domainId); } + AclGroupVO rvo = new AclGroupVO(aclGroupName, description); + rvo.setAccountId(caller.getAccountId()); + rvo.setDomainId(domainId); - final long domain_id = domainId; - AclRole role = Transaction.execute(new TransactionCallback() { - @Override - public AclRole doInTransaction(TransactionStatus status) { - AclRoleVO rvo = new AclRoleVO(aclRoleName, description); - rvo.setDomainId(domain_id); - AclRole role = _aclRoleDao.persist(rvo); - if (parentRoleId != null) { - // copy parent role permissions - List perms = _policyPermissionDao.listByRole(parentRoleId); - if (perms != null) { - for (AclRolePermissionVO perm : perms) { - perm.setAclRoleId(role.getId()); - _policyPermissionDao.persist(perm); - } - } - } - return role; - } - }); - - - return role; + return _aclGroupDao.persist(rvo); } @DB @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_DELETE, eventDescription = "Deleting Acl Role") - public boolean deleteAclRole(final long aclRoleId) { + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group") + public boolean deleteAclGroup(final Long aclGroupId) { Account caller = CallContext.current().getCallingAccount(); // get the Acl Role entity - final AclRole role = _aclRoleDao.findById(aclRoleId); - if (role == null) { - throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId - + "; failed to delete acl role."); + final AclGroup grp = _aclGroupDao.findById(aclGroupId); + if (grp == null) { + throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId + + "; failed to delete acl group."); } // check permissions - _accountMgr.checkAccess(caller, null, true, role); + _accountMgr.checkAccess(caller, null, true, grp); Transaction.execute(new TransactionCallbackNoReturn() { @Override public void doInTransactionWithoutResult(TransactionStatus status) { - // remove this role related entry in acl_group_role_map - List groupRoleMap = _aclGroupPolicyMapDao.listByRoleId(role.getId()); - if (groupRoleMap != null) { - for (AclGroupRoleMapVO gr : groupRoleMap) { + // remove this group related entry in acl_group_role_map + List groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId()); + if (groupPolicyMap != null) { + for (AclGroupPolicyMapVO gr : groupPolicyMap) { _aclGroupPolicyMapDao.remove(gr.getId()); } } - // remove this role related entry in acl_api_permission table - List roleApiMap = _apiPermissionDao.listByRoleId(role.getId()); - if (roleApiMap != null) { - for (AclApiPermissionVO roleApi : roleApiMap) { - _apiPermissionDao.remove(roleApi.getId()); + // remove this group related entry in acl_group_account table + List groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId()); + if (groupAcctMap != null) { + for (AclGroupAccountMapVO grpAcct : groupAcctMap) { + _aclGroupAccountMapDao.remove(grpAcct.getId()); } } - // remove this role from acl_role table - _aclRoleDao.remove(aclRoleId); + // remove this group from acl_group table + _aclGroupDao.remove(aclGroupId); } }); return true; } - - @DB @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_GRANT, eventDescription = "Granting permission to Acl Role") - public AclRole grantApiPermissionToAclRole(final long aclRoleId, final List apiNames) { - Account caller = CallContext.current().getCallingAccount(); - // get the Acl Role entity - AclRole role = _aclRoleDao.findById(aclRoleId); - if (role == null) { - throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId - + "; failed to grant permission to role."); - } - // check permissions - _accountMgr.checkAccess(caller, null, true, role); + public List listAclGroups(long accountId) { - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // add entries in acl_api_permission table - for (String api : apiNames) { - AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api); - if (perm == null) { - // not there already - perm = new AclApiPermissionVO(aclRoleId, api); - _apiPermissionDao.persist(perm); - } - } - } - }); - - return role; + GenericSearchBuilder groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class); + groupSB.selectFields(groupSB.entity().getAclGroupId()); + groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ); + SearchCriteria groupSc = groupSB.create(); - } + List groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null); - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_ROLE_REVOKE, eventDescription = "Revoking permission from Acl Role") - public AclRole revokeApiPermissionFromAclRole(final long aclRoleId, final List apiNames) { - Account caller = CallContext.current().getCallingAccount(); - // get the Acl Role entity - AclRole role = _aclRoleDao.findById(aclRoleId); - if (role == null) { - throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId - + "; failed to revoke permission from role."); - } - // check permissions - _accountMgr.checkAccess(caller, null, true, role); + SearchBuilder sb = _aclGroupDao.createSearchBuilder(); + sb.and("ids", sb.entity().getId(), Op.IN); + SearchCriteria sc = sb.create(); + sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()])); + List groups = _aclGroupDao.search(sc, null); - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // remove entries from acl_api_permission table - for (String api : apiNames) { - AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api); - if (perm != null) { - // not removed yet - _apiPermissionDao.remove(perm.getId()); - } - } - } - }); - return role; - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_GRANT, eventDescription = "Granting entity permission to Acl Group") - public AclGroup grantEntityPermissionToAclGroup(long aclGroupId, String entityType, long entityId, AccessType accessType) { - Account caller = CallContext.current().getCallingAccount(); - // get the Acl Group entity - AclGroup group = _aclGroupDao.findById(aclGroupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId - + "; failed to grant permission to group."); - } - // check permissions - _accountMgr.checkAccess(caller, null, true, group); - - // get the entity and check permission - Class entityClass = entityClassMap.get(entityType); - if (entityClass == null) { - throw new InvalidParameterValueException("Entity type " + entityType + " permission granting is not supported yet"); - } - ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, entityId); - if (entity == null) { - throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + entityId); - } - _accountMgr.checkAccess(caller,null, true, entity); - - // add entry in acl_entity_permission table - AclEntityPermissionVO perm = _entityPermissionDao.findByGroupAndEntity(aclGroupId, entityType, entityId, accessType); - if (perm == null) { - // not there already - String entityUuid = String.valueOf(entityId); - if (entity instanceof Identity) { - entityUuid = ((Identity)entity).getUuid(); - } - perm = new AclEntityPermissionVO(aclGroupId, entityType, entityId, entityUuid, accessType, true); - _entityPermissionDao.persist(perm); - } - return group; - - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_REVOKE, eventDescription = "Revoking entity permission from Acl Group") - public AclGroup revokeEntityPermissionFromAclGroup(long aclGroupId, String entityType, long entityId, AccessType accessType) { - Account caller = CallContext.current().getCallingAccount(); - // get the Acl Group entity - AclGroup group = _aclGroupDao.findById(aclGroupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId - + "; failed to revoke permission from group."); - } - // check permissions - _accountMgr.checkAccess(caller, null, true, group); - - // get the entity and check permission - Class entityClass = entityClassMap.get(entityType); - if (entityClass == null) { - throw new InvalidParameterValueException("Entity type " + entityType + " permission revoke is not supported yet"); - } - ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, entityId); - if (entity == null) { - throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + entityId); - } - _accountMgr.checkAccess(caller, null, true, entity); - - // remove entry from acl_entity_permission table - AclEntityPermissionVO perm = _entityPermissionDao.findByGroupAndEntity(aclGroupId, entityType, entityId, accessType); - if (perm != null) { - // not removed yet - _entityPermissionDao.remove(perm.getId()); - } - return group; - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding roles to acl group") - public AclGroup addAclRolesToGroup(final List roleIds, final Long groupId) { - final Account caller = CallContext.current().getCallingAccount(); - // get the Acl Group entity - AclGroup group = _aclGroupDao.findById(groupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + groupId - + "; failed to add roles to acl group."); - } - // check group permissions - _accountMgr.checkAccess(caller, null, true, group); - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // add entries in acl_group_role_map table - for (Long roleId : roleIds) { - // check role permissions - AclRole role = _aclRoleDao.findById(roleId); - if (role == null) { - throw new InvalidParameterValueException("Unable to find acl role: " + roleId - + "; failed to add roles to acl group."); - } - _accountMgr.checkAccess(caller, null, true, role); - - AclGroupRoleMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndRole(groupId, roleId); - if (grMap == null) { - // not there already - grMap = new AclGroupRoleMapVO(groupId, roleId); - _aclGroupPolicyMapDao.persist(grMap); - } - } - } - }); - - return group; - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing roles from acl group") - public AclGroup removeAclRolesFromGroup(final List roleIds, final Long groupId) { - final Account caller = CallContext.current().getCallingAccount(); - // get the Acl Group entity - AclGroup group = _aclGroupDao.findById(groupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + groupId - + "; failed to remove roles from acl group."); - } - // check group permissions - _accountMgr.checkAccess(caller, null, true, group); - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // add entries in acl_group_role_map table - for (Long roleId : roleIds) { - // check role permissions - AclRole role = _aclRoleDao.findById(roleId); - if (role == null) { - throw new InvalidParameterValueException("Unable to find acl role: " + roleId - + "; failed to add roles to acl group."); - } - _accountMgr.checkAccess(caller, null, true, role); - - AclGroupRoleMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndRole(groupId, roleId); - if (grMap != null) { - // not removed yet - _aclGroupPolicyMapDao.remove(grMap.getId()); - } - } - } - }); - return group; + return new ArrayList(groups); } @DB @@ -491,104 +275,350 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { @DB @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true) - public AclGroup createAclGroup(Long domainId, String aclGroupName, String description) { - Account caller = CallContext.current().getCallingAccount(); - if (domainId == null) { - domainId = caller.getDomainId(); // use caller's domain id - } + @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_CREATE, eventDescription = "Creating Acl Policy", create = true) + public AclPolicy createAclPolicy(Account caller, final String aclPolicyName, final String description, final Long parentPolicyId) { + Long domainId = caller.getDomainId(); + if (!_accountMgr.isRootAdmin(caller.getAccountId())) { // domain admin can only create role for his domain if (caller.getDomainId() != domainId.longValue()) { - throw new PermissionDeniedException("Can't create acl group in domain " + domainId + ", permission denied"); + throw new PermissionDeniedException("Can't create acl role in domain " + domainId + ", permission denied"); } } // check if the role is already existing - AclGroup grp = _aclGroupDao.findByName(domainId, aclGroupName); - if (grp != null) { + AclPolicy ro = _aclPolicyDao.findByName(domainId, aclPolicyName); + if (ro != null) { throw new InvalidParameterValueException( - "Unable to create acl group with name " + aclGroupName + "Unable to create acl policy with name " + aclPolicyName + " already exisits for domain " + domainId); } - AclGroupVO rvo = new AclGroupVO(aclGroupName, description); - rvo.setDomainId(domainId); - return _aclGroupDao.persist(rvo); + final long account_id = caller.getAccountId(); + final long domain_id = domainId; + AclPolicy role = Transaction.execute(new TransactionCallback() { + @Override + public AclPolicy doInTransaction(TransactionStatus status) { + AclPolicyVO rvo = new AclPolicyVO(aclPolicyName, description); + rvo.setAccountId(account_id); + rvo.setDomainId(domain_id); + AclPolicy role = _aclPolicyDao.persist(rvo); + if (parentPolicyId != null) { + // copy parent role permissions + List perms = _policyPermissionDao.listByPolicy(parentPolicyId); + if (perms != null) { + for (AclPolicyPermissionVO perm : perms) { + perm.setAclPolicyId(role.getId()); + _policyPermissionDao.persist(perm); + } + } + } + return role; + } + }); + + + return role; } @DB @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group") - public boolean deleteAclGroup(final Long aclGroupId) { + @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_DELETE, eventDescription = "Deleting Acl Policy") + public boolean deleteAclPolicy(final long aclPolicyId) { Account caller = CallContext.current().getCallingAccount(); - // get the Acl Role entity - final AclGroup grp = _aclGroupDao.findById(aclGroupId); - if (grp == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId - + "; failed to delete acl group."); + // get the Acl Policy entity + final AclPolicy policy = _aclPolicyDao.findById(aclPolicyId); + if (policy == null) { + throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId + + "; failed to delete acl policy."); } // check permissions - _accountMgr.checkAccess(caller, null, true, grp); + _accountMgr.checkAccess(caller, null, true, policy); Transaction.execute(new TransactionCallbackNoReturn() { @Override public void doInTransactionWithoutResult(TransactionStatus status) { - // remove this group related entry in acl_group_role_map - List groupRoleMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId()); - if (groupRoleMap != null) { - for (AclGroupRoleMapVO gr : groupRoleMap) { + // remove this role related entry in acl_group_role_map + List groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId()); + if (groupPolicyMap != null) { + for (AclGroupPolicyMapVO gr : groupPolicyMap) { _aclGroupPolicyMapDao.remove(gr.getId()); } } - // remove this group related entry in acl_group_account table - List groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId()); - if (groupAcctMap != null) { - for (AclGroupAccountMapVO grpAcct : groupAcctMap) { - _aclGroupAccountMapDao.remove(grpAcct.getId()); + // remove this policy related entry in acl_policy_permission table + List policyPermMap = _policyPermissionDao.listByPolicy(policy.getId()); + if (policyPermMap != null) { + for (AclPolicyPermissionVO policyPerm : policyPermMap) { + _policyPermissionDao.remove(policyPerm.getId()); } } - // remove this group from acl_group table - _aclGroupDao.remove(aclGroupId); + // remove this role from acl_role table + _aclPolicyDao.remove(aclPolicyId); } }); return true; } + @Override - public List getAclRoles(long accountId) { + public List listAclPolicies(long accountId) { // static roles of the account SearchBuilder groupSB = _aclGroupAccountMapDao.createSearchBuilder(); groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ); - GenericSearchBuilder roleSB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class); - roleSB.selectFields(roleSB.entity().getAclRoleId()); - roleSB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), roleSB.entity().getAclGroupId(), + GenericSearchBuilder policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class); + policySB.selectFields(policySB.entity().getAclPolicyId()); + policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(), JoinType.INNER); - roleSB.done(); - SearchCriteria roleSc = roleSB.create(); - roleSc.setJoinParameters("accountgroupjoin", "account", accountId); + policySB.done(); + SearchCriteria policySc = policySB.create(); + policySc.setJoinParameters("accountgroupjoin", "account", accountId); - List roleIds = _aclGroupPolicyMapDao.customSearch(roleSc, null); + List roleIds = _aclGroupPolicyMapDao.customSearch(policySc, null); - SearchBuilder sb = _aclRoleDao.createSearchBuilder(); + SearchBuilder sb = _aclPolicyDao.createSearchBuilder(); sb.and("ids", sb.entity().getId(), Op.IN); - SearchCriteria sc = sb.create(); + SearchCriteria sc = sb.create(); sc.setParameters("ids", roleIds.toArray(new Object[roleIds.size()])); - List roles = _aclRoleDao.customSearch(sc, null); + List policies = _aclPolicyDao.customSearch(sc, null); - return new ArrayList(roles); + return new ArrayList(policies); } + @DB @Override - public AclRolePermission getAclRolePermission(long accountId, String entityType, AccessType accessType) { - List roles = getAclRoles(accountId); - AclRolePermission curPerm = null; - for (AclRole role : roles) { - AclRolePermission perm = _policyPermissionDao.findByRoleEntityAndPermission(role.getId(), entityType, accessType, true); + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Attaching policy to acl group") + public AclGroup attachAclPoliciesToGroup(final List policyIds, final Long groupId) { + final Account caller = CallContext.current().getCallingAccount(); + // get the Acl Group entity + AclGroup group = _aclGroupDao.findById(groupId); + if (group == null) { + throw new InvalidParameterValueException("Unable to find acl group: " + groupId + + "; failed to add roles to acl group."); + } + // check group permissions + _accountMgr.checkAccess(caller, null, true, group); + + Transaction.execute(new TransactionCallbackNoReturn() { + @Override + public void doInTransactionWithoutResult(TransactionStatus status) { + // add entries in acl_group_policy_map table + for (Long policyId : policyIds) { + // check policy permissions + AclPolicy policy = _aclPolicyDao.findById(policyId); + if (policy == null) { + throw new InvalidParameterValueException("Unable to find acl policy: " + policyId + + "; failed to add policies to acl group."); + } + _accountMgr.checkAccess(caller, null, true, policy); + + AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId); + if (grMap == null) { + // not there already + grMap = new AclGroupPolicyMapVO(groupId, policyId); + _aclGroupPolicyMapDao.persist(grMap); + } + } + } + }); + + return group; + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing policies from acl group") + public AclGroup removeAclPoliciesFromGroup(final List policyIds, final Long groupId) { + final Account caller = CallContext.current().getCallingAccount(); + // get the Acl Group entity + AclGroup group = _aclGroupDao.findById(groupId); + if (group == null) { + throw new InvalidParameterValueException("Unable to find acl group: " + groupId + + "; failed to remove roles from acl group."); + } + // check group permissions + _accountMgr.checkAccess(caller, null, true, group); + + Transaction.execute(new TransactionCallbackNoReturn() { + @Override + public void doInTransactionWithoutResult(TransactionStatus status) { + // add entries in acl_group_role_map table + for (Long policyId : policyIds) { + // check policy permissions + AclPolicy policy = _aclPolicyDao.findById(policyId); + if (policy == null) { + throw new InvalidParameterValueException("Unable to find acl policy: " + policyId + + "; failed to add policies to acl group."); + } + _accountMgr.checkAccess(caller, null, true, policy); + + AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId); + if (grMap != null) { + // not removed yet + _aclGroupPolicyMapDao.remove(grMap.getId()); + } + } + } + }); + return group; + } + + /* + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting permission to Acl Role") + public AclP addAclPermissionToAclPolicy(final long aclRoleId, final List apiNames) { + Account caller = CallContext.current().getCallingAccount(); + // get the Acl Role entity + AclRole role = _aclPolicyDao.findById(aclRoleId); + if (role == null) { + throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId + + "; failed to grant permission to role."); + } + // check permissions + _accountMgr.checkAccess(caller, null, true, role); + + Transaction.execute(new TransactionCallbackNoReturn() { + @Override + public void doInTransactionWithoutResult(TransactionStatus status) { + // add entries in acl_api_permission table + for (String api : apiNames) { + AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api); + if (perm == null) { + // not there already + perm = new AclApiPermissionVO(aclRoleId, api); + _apiPermissionDao.persist(perm); + } + } + } + }); + + return role; + + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking permission from Acl Role") + public AclRole revokeApiPermissionFromAclRole(final long aclRoleId, final List apiNames) { + Account caller = CallContext.current().getCallingAccount(); + // get the Acl Role entity + AclRole role = _aclPolicyDao.findById(aclRoleId); + if (role == null) { + throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId + + "; failed to revoke permission from role."); + } + // check permissions + _accountMgr.checkAccess(caller, null, true, role); + + Transaction.execute(new TransactionCallbackNoReturn() { + @Override + public void doInTransactionWithoutResult(TransactionStatus status) { + // remove entries from acl_api_permission table + for (String api : apiNames) { + AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api); + if (perm != null) { + // not removed yet + _apiPermissionDao.remove(perm.getId()); + } + } + } + }); + return role; + } + */ + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting acl permission to Acl Policy") + public AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) { + Account caller = CallContext.current().getCallingAccount(); + // get the Acl Policy entity + AclPolicy policy = _aclPolicyDao.findById(aclPolicyId); + if (policy == null) { + throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId + + "; failed to add permission to policy."); + } + // check permissions + _accountMgr.checkAccess(caller, null, true, policy); + + // get the entity and check permission + Class entityClass = entityClassMap.get(entityType); + if (entityClass == null) { + throw new InvalidParameterValueException("Entity type " + entityType + " permission granting is not supported yet"); + } + if (scope == PermissionScope.RESOURCE && scopeId != null) { + ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId); + if (entity == null) { + throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId); + } + _accountMgr.checkAccess(caller, null, true, entity); + } + + // add entry in acl_policy_permission table + AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, perm); + if (permit == null) { + // not there already + Class cmdClass = _apiServer.getCmdClass(action); + AccessType accessType = null; + if (BaseListCmd.class.isAssignableFrom(cmdClass)) { + accessType = AccessType.ListEntry; + } + permit = new AclPolicyPermissionVO(aclPolicyId, action, entityType, accessType, + scope, scopeId, perm); + _policyPermissionDao.persist(permit); + } + return policy; + + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking acl permission from Acl Policy") + public AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) { + Account caller = CallContext.current().getCallingAccount(); + // get the Acl Policy entity + AclPolicy policy = _aclPolicyDao.findById(aclPolicyId); + if (policy == null) { + throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId + + "; failed to revoke permission from policy."); + } + // check permissions + _accountMgr.checkAccess(caller, null, true, policy); + + // get the entity and check permission + Class entityClass = entityClassMap.get(entityType); + if (entityClass == null) { + throw new InvalidParameterValueException("Entity type " + entityType + " permission revoke is not supported yet"); + } + if (scope == PermissionScope.RESOURCE && scopeId != null) { + ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId); + if (entity == null) { + throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId); + } + _accountMgr.checkAccess(caller, null, true, entity); + } + + // remove entry from acl_entity_permission table + AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, null); + if (permit != null) { + // not removed yet + _policyPermissionDao.remove(permit.getId()); + } + return policy; + } + + + + @Override + public AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action) { + List roles = listAclPolicies(accountId); + AclPolicyPermission curPerm = null; + for (AclPolicy role : roles) { + AclPolicyPermissionVO perm = _policyPermissionDao.findByPolicyAndEntity(role.getId(), entityType, null, null, action, Permission.Allow); if (perm == null) continue; if (curPerm == null) { @@ -602,66 +632,27 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { return curPerm; } - @Override - public List getAclGroups(long accountId) { - GenericSearchBuilder groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class); - groupSB.selectFields(groupSB.entity().getAclGroupId()); - groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ); - SearchCriteria groupSc = groupSB.create(); - - List groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null); - - SearchBuilder sb = _aclGroupDao.createSearchBuilder(); - sb.and("ids", sb.entity().getId(), Op.IN); - SearchCriteria sc = sb.create(); - sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()])); - List groups = _aclGroupDao.search(sc, null); - - return new ArrayList(groups); - } @Override - public Pair, List> getAclEntityPermission(long accountId, String entityType, AccessType accessType) { - List groups = getAclGroups(accountId); - if (groups == null || groups.size() == 0) { - return new Pair, List>(new ArrayList(), new ArrayList()); - } - Set allowedIds = new HashSet(); - Set deniedIds = new HashSet(); - for (AclGroup grp : groups) { - // get allowed id and denied list for each group - List allowedIdList = _entityPermissionDao.findEntityIdByGroupAndPermission(grp.getId(), entityType, accessType, true); - if (allowedIdList != null) { - allowedIds.addAll(allowedIdList); - } - List deniedIdList = _entityPermissionDao.findEntityIdByGroupAndPermission(grp.getId(), entityType, accessType, false); - if (deniedIdList != null) { - deniedIds.addAll(deniedIdList); - } - } - return new Pair, List>(new ArrayList(allowedIds), new ArrayList(deniedIds)) - ; - } - - @Override - public boolean isAPIAccessibleForRoles(String apiName, List roles) { + public boolean isAPIAccessibleForPolicies(String apiName, List policies) { boolean accessible = false; - List roleIds = new ArrayList(); - for (AclRole role : roles) { - roleIds.add(role.getId()); + List policyIds = new ArrayList(); + for (AclPolicy policy : policies) { + policyIds.add(policy.getId()); } - SearchBuilder sb = _apiPermissionDao.createSearchBuilder(); - sb.and("apiName", sb.entity().getApiName(), Op.EQ); - sb.and("roleId", sb.entity().getAclRoleId(), Op.IN); + SearchBuilder sb = _policyPermissionDao.createSearchBuilder(); + sb.and("action", sb.entity().getAction(), Op.EQ); + sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN); + sb.and("entityType", sb.entity().getEntityType(), Op.NULL); - SearchCriteria sc = sb.create(); - sc.setParameters("roleId", roleIds.toArray(new Object[roleIds.size()])); + SearchCriteria sc = sb.create(); + sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()])); - List permissions = _apiPermissionDao.customSearch(sc, null); + List permissions = _policyPermissionDao.customSearch(sc, null); if (permissions != null && !permissions.isEmpty()) { accessible = true; @@ -671,19 +662,19 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { } @Override - public List getEffectiveRoles(Account caller, ControlledEntity entity) { + public List getEffectivePolicies(Account caller, ControlledEntity entity) { - // Get the static Roles of the Caller - List roles = getAclRoles(caller.getId()); + // Get the static Policies of the Caller + List policies = listAclPolicies(caller.getId()); // add any dynamic roles w.r.t the entity if (caller.getId() == entity.getAccountId()) { // The caller owns the entity - AclRole owner = _aclRoleDao.findByName(Domain.ROOT_DOMAIN, "RESOURCE_OWNER"); - roles.add(owner); + AclPolicy owner = _aclPolicyDao.findByName(Domain.ROOT_DOMAIN, "RESOURCE_OWNER"); + policies.add(owner); } - return roles; + return policies; } @Override