From b2ba6c05b4b9d1d1b15f704e454a710e3ed5a325 Mon Sep 17 00:00:00 2001 
From: Prachi Damle Date: Wed, 19 Feb 2014 17:08:58 -0800 Subject: [PATCH] Renaming plugin packages to 'iam' instead of 'acl' --- .../{acl => iam}/AddAccountToAclGroupCmd.java | 6 +- .../AddAclPermissionToAclPolicyCmd.java | 6 +- .../AttachAclPolicyToAccountCmd.java | 6 +- .../AttachAclPolicyToAclGroupCmd.java | 8 +- .../{acl => iam}/CreateAclGroupCmd.java | 6 +- .../{acl => iam}/CreateAclPolicyCmd.java | 6 +- .../{acl => iam}/DeleteAclGroupCmd.java | 6 +- .../{acl => iam}/DeleteAclPolicyCmd.java | 6 +- .../{acl => iam}/ListAclGroupsCmd.java | 6 +- .../{acl => iam}/ListAclPoliciesCmd.java | 6 +- .../RemoveAccountFromAclGroupCmd.java | 6 +- .../RemoveAclPermissionFromAclPolicyCmd.java | 6 +- .../RemoveAclPolicyFromAccountCmd.java | 8 +- .../RemoveAclPolicyFromAclGroupCmd.java | 8 +- .../{acl => iam}/AclGroupResponse.java | 2 +- .../{acl => iam}/AclPermissionResponse.java | 10 +- .../{acl => iam}/AclPolicyResponse.java | 2 +- .../{acl/api => iam}/AclApiService.java | 168 +- .../{acl/api => iam}/AclApiServiceImpl.java | 1378 ++++++++--------- .../RoleBasedAPIAccessChecker.java | 14 +- .../RoleBasedEntityAccessChecker.java | 5 +- .../RoleBasedEntityQuerySelector.java | 4 +- .../cloudstack/acl/AclApiServiceTest.java | 18 +- 23 files changed, 850 insertions(+), 841 deletions(-) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/AddAccountToAclGroupCmd.java (96%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/AddAclPermissionToAclPolicyCmd.java (96%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/AttachAclPolicyToAccountCmd.java (96%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/AttachAclPolicyToAclGroupCmd.java (95%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/CreateAclGroupCmd.java (97%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/CreateAclPolicyCmd.java (97%) rename 
services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/DeleteAclGroupCmd.java (95%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/DeleteAclPolicyCmd.java (95%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/ListAclGroupsCmd.java (94%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/ListAclPoliciesCmd.java (94%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/RemoveAccountFromAclGroupCmd.java (96%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/RemoveAclPermissionFromAclPolicyCmd.java (96%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/RemoveAclPolicyFromAccountCmd.java (94%) rename services/iam/plugin/src/org/apache/cloudstack/api/command/{acl => iam}/RemoveAclPolicyFromAclGroupCmd.java (95%) rename services/iam/plugin/src/org/apache/cloudstack/api/response/{acl => iam}/AclGroupResponse.java (99%) rename services/iam/plugin/src/org/apache/cloudstack/api/response/{acl => iam}/AclPermissionResponse.java (94%) rename services/iam/plugin/src/org/apache/cloudstack/api/response/{acl => iam}/AclPolicyResponse.java (98%) rename services/iam/plugin/src/org/apache/cloudstack/{acl/api => iam}/AclApiService.java (93%) rename services/iam/plugin/src/org/apache/cloudstack/{acl/api => iam}/AclApiServiceImpl.java (92%) rename services/iam/plugin/src/org/apache/cloudstack/{acl => iam}/RoleBasedAPIAccessChecker.java (95%) rename services/iam/plugin/src/org/apache/cloudstack/{acl => iam}/RoleBasedEntityAccessChecker.java (97%) rename services/iam/plugin/src/org/apache/cloudstack/{acl => iam}/RoleBasedEntityQuerySelector.java (97%) 
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AddAccountToAclGroupCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddAccountToAclGroupCmd.java
similarity index 96%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AddAccountToAclGroupCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddAccountToAclGroupCmd.java
index f951e5dd07f..b63f6355046 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AddAccountToAclGroupCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddAccountToAclGroupCmd.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import java.util.List;
@@ -22,7 +22,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -32,7 +32,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclGroup;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AddAclPermissionToAclPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddAclPermissionToAclPolicyCmd.java
similarity index 96%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AddAclPermissionToAclPolicyCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddAclPermissionToAclPolicyCmd.java
index 9b047fd0202..e0ecb50ac64 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AddAclPermissionToAclPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddAclPermissionToAclPolicyCmd.java
@@ -14,14 +14,14 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import javax.inject.Inject;
 import org.apache.log4j.Logger;
 import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -30,7 +30,7 @@ import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclPolicy;
 import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AttachAclPolicyToAccountCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AttachAclPolicyToAccountCmd.java
similarity index 96%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AttachAclPolicyToAccountCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AttachAclPolicyToAccountCmd.java
index 2b0b0a97f9a..c16f8bd9caf 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AttachAclPolicyToAccountCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AttachAclPolicyToAccountCmd.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import java.util.List;
@@ -22,7 +22,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -32,7 +32,7 @@ import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import com.cloud.event.EventTypes;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AttachAclPolicyToAclGroupCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AttachAclPolicyToAclGroupCmd.java
similarity index 95%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AttachAclPolicyToAclGroupCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AttachAclPolicyToAclGroupCmd.java
index 294642b10f9..cd2a3d568b6 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/AttachAclPolicyToAclGroupCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AttachAclPolicyToAclGroupCmd.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import java.util.List;
@@ -22,7 +22,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -31,8 +31,8 @@ import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclGroup;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/CreateAclGroupCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateAclGroupCmd.java
similarity index 97%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/CreateAclGroupCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateAclGroupCmd.java
index 2364f0fd511..3805c9f273b 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/CreateAclGroupCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateAclGroupCmd.java
@@ -14,13 +14,13 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
@@ -29,7 +29,7 @@ import org.apache.cloudstack.api.BaseAsyncCreateCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclGroup;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/CreateAclPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateAclPolicyCmd.java
similarity index 97%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/CreateAclPolicyCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateAclPolicyCmd.java
index 9cc282a39f0..3bddc35a120 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/CreateAclPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateAclPolicyCmd.java
@@ -14,13 +14,13 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -30,7 +30,7 @@ import org.apache.cloudstack.api.BaseAsyncCreateCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclPolicy;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/DeleteAclGroupCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/DeleteAclGroupCmd.java
similarity index 95%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/DeleteAclGroupCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/DeleteAclGroupCmd.java
index 447342e25fd..38f13f4d48d 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/DeleteAclGroupCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/DeleteAclGroupCmd.java
@@ -14,13 +14,13 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -30,7 +30,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
 import com.cloud.event.EventTypes;
 import com.cloud.user.Account;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/DeleteAclPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/DeleteAclPolicyCmd.java
similarity index 95%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/DeleteAclPolicyCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/DeleteAclPolicyCmd.java
index 7977ad03081..c9fc9ba51cc 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/DeleteAclPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/DeleteAclPolicyCmd.java
@@ -14,13 +14,13 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -30,7 +30,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 import com.cloud.event.EventTypes;
 import com.cloud.user.Account;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/ListAclGroupsCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/ListAclGroupsCmd.java
similarity index 94%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/ListAclGroupsCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/ListAclGroupsCmd.java
index d626a4c24fe..2e724932907 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/ListAclGroupsCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/ListAclGroupsCmd.java
@@ -14,20 +14,20 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
 @APICommand(name = "listAclGroups", description = "Lists acl groups", responseObject = AclGroupResponse.class)
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/ListAclPoliciesCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/ListAclPoliciesCmd.java
similarity index 94%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/ListAclPoliciesCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/ListAclPoliciesCmd.java
index d4866dd939f..b5b2d8d01e4 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/ListAclPoliciesCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/ListAclPoliciesCmd.java
@@ -14,20 +14,20 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 @APICommand(name = "listAclPolicies", description = "Lists acl policies", responseObject = AclPolicyResponse.class)
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAccountFromAclGroupCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAccountFromAclGroupCmd.java
similarity index 96%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAccountFromAclGroupCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAccountFromAclGroupCmd.java
index ab03f84b49e..a370e0a490b 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAccountFromAclGroupCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAccountFromAclGroupCmd.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import java.util.List;
@@ -22,7 +22,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -32,7 +32,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclGroup;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAclPermissionFromAclPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAclPermissionFromAclPolicyCmd.java
similarity index 96%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAclPermissionFromAclPolicyCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAclPermissionFromAclPolicyCmd.java
index f9e54b08a67..9236ef16561 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAclPermissionFromAclPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAclPermissionFromAclPolicyCmd.java
@@ -14,14 +14,14 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import javax.inject.Inject;
 import org.apache.log4j.Logger;
 import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -30,7 +30,7 @@ import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclPolicy;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAclPolicyFromAccountCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAclPolicyFromAccountCmd.java
similarity index 94%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAclPolicyFromAccountCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAclPolicyFromAccountCmd.java
index fb632823ff3..bf2c4933047 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAclPolicyFromAccountCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAclPolicyFromAccountCmd.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import java.util.List;
@@ -22,7 +22,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -31,8 +31,8 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import com.cloud.event.EventTypes;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAclPolicyFromAclGroupCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAclPolicyFromAclGroupCmd.java
similarity index 95%
rename from services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAclPolicyFromAclGroupCmd.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAclPolicyFromAclGroupCmd.java
index ecf709def99..88dfa7bd778 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/acl/RemoveAclPolicyFromAclGroupCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveAclPolicyFromAclGroupCmd.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.command.acl;
+package org.apache.cloudstack.api.command.iam;
 import java.util.List;
@@ -22,7 +22,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.iam.AclApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -31,8 +31,8 @@ import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclGroup;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/response/acl/AclGroupResponse.java b/services/iam/plugin/src/org/apache/cloudstack/api/response/iam/AclGroupResponse.java
similarity index 99%
rename from services/iam/plugin/src/org/apache/cloudstack/api/response/acl/AclGroupResponse.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/response/iam/AclGroupResponse.java
index 1cc3f6a704c..8c4adc1cc39 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/response/acl/AclGroupResponse.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/response/iam/AclGroupResponse.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.response.acl;
+package org.apache.cloudstack.api.response.iam;
 import java.util.LinkedHashSet;
 import java.util.Set;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/response/acl/AclPermissionResponse.java b/services/iam/plugin/src/org/apache/cloudstack/api/response/iam/AclPermissionResponse.java
similarity index 94%
rename from services/iam/plugin/src/org/apache/cloudstack/api/response/acl/AclPermissionResponse.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/response/iam/AclPermissionResponse.java
index f44144caab5..68b4df9c496 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/response/acl/AclPermissionResponse.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/response/iam/AclPermissionResponse.java
@@ -14,11 +14,11 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.response.acl;
+package org.apache.cloudstack.api.response.iam;
 import com.google.gson.annotations.SerializedName;
-import org.apache.cloudstack.acl.AclEntityType;
+import org.apache.cloudstack.acl.IAMEntityType;
 import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
@@ -34,7 +34,7 @@ public class AclPermissionResponse extends BaseResponse {
 @SerializedName(ApiConstants.ENTITY_TYPE)
 @Param(description = "the entity type of this permission")
- private AclEntityType entityType;
+ private IAMEntityType entityType;
 @SerializedName(ApiConstants.ACL_SCOPE)
 @Param(description = "scope of this permission")
@@ -48,11 +48,11 @@ public class AclPermissionResponse extends BaseResponse {
 @Param(description = "allow or deny of this permission")
 private AclPolicyPermission.Permission permission;
- public AclEntityType getEntityType() {
+ public IAMEntityType getEntityType() {
 return entityType;
 }
- public void setEntityType(AclEntityType entityType) {
+ public void setEntityType(IAMEntityType entityType) {
 this.entityType = entityType;
 }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/response/acl/AclPolicyResponse.java b/services/iam/plugin/src/org/apache/cloudstack/api/response/iam/AclPolicyResponse.java
similarity index 98%
rename from services/iam/plugin/src/org/apache/cloudstack/api/response/acl/AclPolicyResponse.java
rename to services/iam/plugin/src/org/apache/cloudstack/api/response/iam/AclPolicyResponse.java
index 76651d8b018..12d90deaa94 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/response/acl/AclPolicyResponse.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/response/iam/AclPolicyResponse.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.api.response.acl;
+package org.apache.cloudstack.api.response.iam;
 import java.util.LinkedHashSet;
 import java.util.Set;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java b/services/iam/plugin/src/org/apache/cloudstack/iam/AclApiService.java
similarity index 93%
rename from services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
rename to services/iam/plugin/src/org/apache/cloudstack/iam/AclApiService.java
index 18064d8a5c6..0cb1e228b85 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/AclApiService.java
@@ -1,84 +1,84 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.api;
-
-import java.util.List;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
-import org.apache.cloudstack.iam.api.AclGroup;
-import org.apache.cloudstack.iam.api.AclPolicy;
-import org.apache.cloudstack.iam.api.AclPolicyPermission;
-import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
-
-import com.cloud.user.Account;
-import com.cloud.utils.component.PluggableService;
-
-public interface AclApiService extends PluggableService {
-
- /* ACL group related interfaces */
- AclGroup createAclGroup(Account caller, String aclGroupName, String description);
-
- boolean deleteAclGroup(Long aclGroupId);
-
- List listAclGroups(long accountId);
-
- AclGroup addAccountsToGroup(List acctIds, Long groupId);
-
- AclGroup removeAccountsFromGroup(List acctIds, Long groupId);
-
- /* ACL Policy related interfaces */
- AclPolicy createAclPolicy(Account caller, String aclPolicyName, String description, Long parentPolicyId);
-
- boolean deleteAclPolicy(long aclPolicyId);
-
- List listAclPolicies(long accountId);
-
- AclGroup attachAclPoliciesToGroup(List policyIds, Long groupId);
-
- AclGroup removeAclPoliciesFromGroup(List policyIds, Long groupId);
-
- void attachAclPolicyToAccounts(Long policyId, List accountIds);
-
- void removeAclPolicyFromAccounts(Long policyId, List accountIds);
-
- AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId,
- String action, Permission perm, Boolean recursive);
-
- AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);
-
- AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action);
-
- /* Utility routine to grant/revoke invidivual resource to list of accounts */
- void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds);
-
- void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds);
-
- /* Response Generation */
- AclPolicyResponse createAclPolicyResponse(AclPolicy policy);
-
- AclGroupResponse createAclGroupResponse(AclGroup group);
-
- ListResponse listAclGroups(Long aclGroupId, String aclGroupName,
- Long domainId, Long startIndex, Long pageSize);
-
- ListResponse listAclPolicies(Long aclPolicyId, String aclPolicyName,
- Long domainId, Long startIndex, Long pageSize);
-}
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam;
+
+import java.util.List;
+
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
+import org.apache.cloudstack.iam.api.AclGroup;
+import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
+import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
+
+import com.cloud.user.Account;
+import com.cloud.utils.component.PluggableService;
+
+public interface AclApiService extends PluggableService {
+
+ /* ACL group related interfaces */
+ AclGroup createAclGroup(Account caller, String aclGroupName, String description);
+
+ boolean deleteAclGroup(Long aclGroupId);
+
+ List listAclGroups(long accountId);
+
+ AclGroup addAccountsToGroup(List acctIds, Long groupId);
+
+ AclGroup removeAccountsFromGroup(List acctIds, Long groupId);
+
+ /* ACL Policy related interfaces */
+ AclPolicy createAclPolicy(Account caller, String aclPolicyName, String description, Long parentPolicyId);
+
+ boolean deleteAclPolicy(long aclPolicyId);
+
+ List listAclPolicies(long accountId);
+
+ AclGroup attachAclPoliciesToGroup(List policyIds, Long groupId);
+
+ AclGroup removeAclPoliciesFromGroup(List policyIds, Long groupId);
+
+ void attachAclPolicyToAccounts(Long policyId, List accountIds);
+
+ void removeAclPolicyFromAccounts(Long policyId, List accountIds);
+
+ AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId,
+ String action, Permission perm, Boolean recursive);
+
+ AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);
+
+ AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action);
+
+ /* Utility routine to grant/revoke invidivual resource to list of accounts */
+ void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds);
+
+ void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds);
+
+ /* Response Generation */
+ AclPolicyResponse createAclPolicyResponse(AclPolicy policy);
+
+ AclGroupResponse createAclGroupResponse(AclGroup group);
+
+ ListResponse listAclGroups(Long aclGroupId, String aclGroupName,
+ Long domainId, Long startIndex, Long pageSize);
+
+ ListResponse listAclPolicies(Long aclPolicyId, String aclPolicyName,
+ Long domainId, Long startIndex, Long pageSize);
+}
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/AclApiServiceImpl.java
similarity index 92%
rename from services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
rename to services/iam/plugin/src/org/apache/cloudstack/iam/AclApiServiceImpl.java
index a8fd2c5b217..996f8d4de3f 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/AclApiServiceImpl.java
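Review bot: All 84 lines of `AclApiService` show as removed and re-added although the only textual differences between the two sides are the `package` declaration and the two `api.response.iam` imports; that pattern usually means the line endings changed during the move, which hides the real change from review and from `git blame` (the `@@ -1,690 +1,690 @@` hunk for `AclApiServiceImpl` that follows looks the same). If line endings are being normalized, doing it in its own commit, or once via `.gitattributes`, keeps this rename a pure rename. Since every implementation and caller is touched anyway, this is also the cheapest moment to fix the misspelled interface methods `grantEntityPermissioinToAccounts` / `revokeEntityPermissioinFromAccounts` (and "invidivual" in the comment above them) to `grantEntityPermissionToAccounts` / `revokeEntityPermissionFromAccounts`. The interface still carries no Javadoc; for an access-control API it should state per method whether the implementation authorizes the caller itself or expects the API layer to have done so, e.g. on `deleteAclGroup(Long aclGroupId)`: `/** Deletes the group; performs no caller authorization, the command layer must check that the caller may manage this group. */` — nothing in the signatures conveys this, and the old-side implementation further down appears to delegate such calls straight to `_iamSrv`.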
@@ -1,690 +1,690 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.acl.api; - -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -import javax.ejb.Local; -import javax.inject.Inject; -import javax.naming.ConfigurationException; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.acl.AclEntityType; -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseListCmd; -import org.apache.cloudstack.api.command.acl.AddAccountToAclGroupCmd; -import org.apache.cloudstack.api.command.acl.AddAclPermissionToAclPolicyCmd; -import org.apache.cloudstack.api.command.acl.AttachAclPolicyToAccountCmd; -import org.apache.cloudstack.api.command.acl.AttachAclPolicyToAclGroupCmd; -import org.apache.cloudstack.api.command.acl.CreateAclGroupCmd; -import org.apache.cloudstack.api.command.acl.CreateAclPolicyCmd; -import org.apache.cloudstack.api.command.acl.DeleteAclGroupCmd; -import org.apache.cloudstack.api.command.acl.DeleteAclPolicyCmd; -import 
org.apache.cloudstack.api.command.acl.ListAclGroupsCmd; -import org.apache.cloudstack.api.command.acl.ListAclPoliciesCmd; -import org.apache.cloudstack.api.command.acl.RemoveAccountFromAclGroupCmd; -import org.apache.cloudstack.api.command.acl.RemoveAclPermissionFromAclPolicyCmd; -import org.apache.cloudstack.api.command.acl.RemoveAclPolicyFromAccountCmd; -import org.apache.cloudstack.api.command.acl.RemoveAclPolicyFromAclGroupCmd; -import org.apache.cloudstack.api.response.ListResponse; -import org.apache.cloudstack.api.response.acl.AclGroupResponse; -import org.apache.cloudstack.api.response.acl.AclPermissionResponse; -import org.apache.cloudstack.api.response.acl.AclPolicyResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.framework.messagebus.MessageBus; -import org.apache.cloudstack.framework.messagebus.MessageSubscriber; -import org.apache.cloudstack.iam.api.AclGroup; -import org.apache.cloudstack.iam.api.AclPolicy; -import org.apache.cloudstack.iam.api.AclPolicyPermission; -import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission; -import org.apache.cloudstack.iam.api.IAMService; - -import com.cloud.api.ApiServerService; -import com.cloud.domain.Domain; -import com.cloud.domain.DomainVO; -import com.cloud.domain.dao.DomainDao; -import com.cloud.event.ActionEvent; -import com.cloud.event.EventTypes; -import com.cloud.exception.InvalidParameterValueException; -import com.cloud.template.TemplateManager; -import com.cloud.user.Account; -import com.cloud.user.AccountManager; -import com.cloud.user.AccountVO; -import com.cloud.user.DomainManager; -import com.cloud.user.dao.AccountDao; -import com.cloud.utils.Pair; -import com.cloud.utils.component.Manager; -import com.cloud.utils.component.ManagerBase; -import com.cloud.utils.db.DB; -import com.cloud.utils.db.EntityManager; - -@Local(value = {AclApiService.class}) -public class AclApiServiceImpl extends ManagerBase implements AclApiService, Manager { - - public 
static final Logger s_logger = Logger.getLogger(AclApiServiceImpl.class); - private String _name; - - @Inject - ApiServerService _apiServer; - - @Inject - IAMService _iamSrv; - - @Inject - DomainDao _domainDao; - - @Inject - AccountDao _accountDao; - - @Inject - AccountManager _accountMgr; - - @Inject - MessageBus _messageBus; - - @Override - public boolean configure(final String name, final Map params) throws ConfigurationException { - _messageBus.subscribe(AccountManager.MESSAGE_ADD_ACCOUNT_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - HashMap acctGroupMap = (HashMap) obj; - for (Long accountId : acctGroupMap.keySet()) { - Long groupId = acctGroupMap.get(accountId); - s_logger.debug("MessageBus message: new Account Added: " + accountId + ", adding it to groupId :" - + groupId); - addAccountToAclGroup(accountId, groupId); - // add it to domain group too - AccountVO account = _accountDao.findById(accountId); - Domain domain = _domainDao.findById(account.getDomainId()); - if (domain != null) { - List domainGroups = listDomainGroup(domain); - - if (domainGroups != null) { - for (AclGroup group : domainGroups) { - addAccountToAclGroup(accountId, new Long(group.getId())); - } - } - } - } - } - }); - - _messageBus.subscribe(AccountManager.MESSAGE_REMOVE_ACCOUNT_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long accountId = ((Long) obj); - if (accountId != null) { - s_logger.debug("MessageBus message: Account removed: " + accountId - + ", releasing the group associations"); - removeAccountFromAclGroups(accountId); - } - } - }); - - _messageBus.subscribe(DomainManager.MESSAGE_ADD_DOMAIN_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long domainId = ((Long) obj); - if (domainId != null) { - s_logger.debug("MessageBus message: 
new Domain created: " + domainId + ", creating a new group"); - Domain domain = _domainDao.findById(domainId); - _iamSrv.createAclGroup("DomainGrp-" + domain.getUuid(), "Domain group", domain.getPath()); - } - } - }); - - _messageBus.subscribe(DomainManager.MESSAGE_REMOVE_DOMAIN_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long domainId = ((Long) obj); - if (domainId != null) { - s_logger.debug("MessageBus message: Domain removed: " + domainId + ", removing the domain group"); - Domain domain = _domainDao.findById(domainId); - List groups = listDomainGroup(domain); - for (AclGroup group : groups) { - _iamSrv.deleteAclGroup(group.getId()); - } - } - } - }); - - _messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long templateId = (Long)obj; - if (templateId != null) { - s_logger.debug("MessageBus message: new public template registered: " + templateId + ", grant permission to domain admin and normal user policies"); - _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), AclEntityType.VirtualMachineTemplate.toString(), - PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), AclEntityType.VirtualMachineTemplate.toString(), - PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - } - } - }); - - _messageBus.subscribe(TemplateManager.MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long templateId = (Long)obj; - if (templateId != null) { - s_logger.debug("MessageBus message: 
reset template permission: " + templateId); - resetTemplatePermission(templateId); - } - } - }); - - _messageBus.subscribe(EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Pair entity = (Pair)obj; - if (entity != null) { - String entityType = entity.first().toString(); - Long entityId = entity.second(); - s_logger.debug("MessageBus message: delete an entity: (" + entityType + "," + entityId + "), remove its related permission"); - _iamSrv.removeAclPermissionForEntity(entityType, entityId); - } - } - }); - +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. 
+package org.apache.cloudstack.iam; - _messageBus.subscribe(EntityManager.MESSAGE_GRANT_ENTITY_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Map permit = (Map)obj; - if (permit != null) { - String entityType = (String)permit.get(ApiConstants.ENTITY_TYPE); - Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID); - AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE); - String action = (String)permit.get(ApiConstants.ACL_ACTION); - List acctIds = (List)permit.get(ApiConstants.ACCOUNTS); - s_logger.debug("MessageBus message: grant accounts permission to an entity: (" + entityType + "," + entityId + ")"); - grantEntityPermissioinToAccounts(entityType, entityId, accessType, action, acctIds); - } - } - }); - - _messageBus.subscribe(EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Map permit = (Map)obj; - if (permit != null) { - String entityType = (String)permit.get(ApiConstants.ENTITY_TYPE); - Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID); - AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE); - String action = (String)permit.get(ApiConstants.ACL_ACTION); - List acctIds = (List)permit.get(ApiConstants.ACCOUNTS); - s_logger.debug("MessageBus message: revoke from accounts permission to an entity: (" + entityType + "," + entityId + ")"); - revokeEntityPermissioinFromAccounts(entityType, entityId, accessType, action, acctIds); - } - } - }); - - _messageBus.subscribe(EntityManager.MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Map params = (Map) obj; - if (params != null) { - addDomainWideResourceAccess(params); - } - } - }); - - return super.configure(name, params); - } - - private void 
addDomainWideResourceAccess(Map params) { - - AclEntityType entityType = (AclEntityType)params.get(ApiConstants.ENTITY_TYPE); - Long entityId = (Long) params.get(ApiConstants.ENTITY_ID); - Long domainId = (Long) params.get(ApiConstants.DOMAIN_ID); - Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS); - - if (entityType == AclEntityType.Network) { - createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.toString(), - entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive); - } else if (entityType == AclEntityType.AffinityGroup) { - createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.toString(), - entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive); - } - - } - - private void createPolicyAndAddToDomainGroup(String policyName, String description, String entityType, - Long entityId, String action, AccessType accessType, Long domainId, Boolean recursive) { - - Domain domain = _domainDao.findById(domainId); - if (domain != null) { - AclPolicy policy = _iamSrv.createAclPolicy(policyName, description, null, domain.getPath()); - _iamSrv.addAclPermissionToAclPolicy(policy.getId(), entityType, PermissionScope.RESOURCE.toString(), - entityId, action, accessType.toString(), Permission.Allow, recursive); - List policyList = new ArrayList(); - policyList.add(new Long(policy.getId())); - - List domainGroups = listDomainGroup(domain); - if (domainGroups != null) { - for (AclGroup group : domainGroups) { - _iamSrv.attachAclPoliciesToGroup(policyList, group.getId()); - } - } - } - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true) - public AclGroup createAclGroup(Account caller, String aclGroupName, String description) { - Long domainId = caller.getDomainId(); - Domain callerDomain = _domainDao.findById(domainId); - if (callerDomain == null) 
{ - throw new InvalidParameterValueException("Caller does not have a domain"); - } - return _iamSrv.createAclGroup(aclGroupName, description, callerDomain.getPath()); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group") - public boolean deleteAclGroup(final Long aclGroupId) { - return _iamSrv.deleteAclGroup(aclGroupId); - } - - @Override - public List listAclGroups(long accountId) { - return _iamSrv.listAclGroups(accountId); - } - - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding accounts to acl group") - public AclGroup addAccountsToGroup(final List acctIds, final Long groupId) { - return _iamSrv.addAccountsToGroup(acctIds, groupId); - } - - - private void removeAccountFromAclGroups(long accountId) { - List groups = listAclGroups(accountId); - List accts = new ArrayList(); - accts.add(accountId); - if (groups != null) { - for (AclGroup grp : groups) { - removeAccountsFromGroup(accts, grp.getId()); - } - } - } - - private void addAccountToAclGroup(long accountId, long groupId) { - List accts = new ArrayList(); - accts.add(accountId); - addAccountsToGroup(accts, groupId); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing accounts from acl group") - public AclGroup removeAccountsFromGroup(final List acctIds, final Long groupId) { - return _iamSrv.removeAccountsFromGroup(acctIds, groupId); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_CREATE, eventDescription = "Creating Acl Policy", create = true) - public AclPolicy createAclPolicy(Account caller, final String aclPolicyName, final String description, final Long parentPolicyId) { - Long domainId = caller.getDomainId(); - Domain callerDomain = _domainDao.findById(domainId); - if (callerDomain == null) { - throw new InvalidParameterValueException("Caller does not have a domain"); - } - return 
_iamSrv.createAclPolicy(aclPolicyName, description, parentPolicyId, callerDomain.getPath()); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_DELETE, eventDescription = "Deleting Acl Policy") - public boolean deleteAclPolicy(final long aclPolicyId) { - return _iamSrv.deleteAclPolicy(aclPolicyId); - } - - - @Override - public List listAclPolicies(long accountId) { - return _iamSrv.listAclPolicies(accountId); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Attaching policy to acl group") - public AclGroup attachAclPoliciesToGroup(final List policyIds, final Long groupId) { - return _iamSrv.attachAclPoliciesToGroup(policyIds, groupId); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing policies from acl group") - public AclGroup removeAclPoliciesFromGroup(final List policyIds, final Long groupId) { - return _iamSrv.removeAclPoliciesFromGroup(policyIds, groupId); - } - - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_ACCOUNT_POLICY_UPDATE, eventDescription = "Attaching policy to accounts") - public void attachAclPolicyToAccounts(final Long policyId, final List accountIds) { - _iamSrv.attachAclPolicyToAccounts(policyId, accountIds); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_ACCOUNT_POLICY_UPDATE, eventDescription = "Removing policy from accounts") - public void removeAclPolicyFromAccounts(final Long policyId, final List accountIds) { - _iamSrv.removeAclPolicyFromAccounts(policyId, accountIds); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting acl permission to Acl Policy") - public AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, - Long scopeId, String action, Permission perm, Boolean recursive) { - Class cmdClass = _apiServer.getCmdClass(action); - AccessType 
accessType = null; - if (BaseListCmd.class.isAssignableFrom(cmdClass)) { - accessType = AccessType.UseEntry; - } - return _iamSrv.addAclPermissionToAclPolicy(aclPolicyId, entityType, scope.toString(), scopeId, action, - accessType.toString(), perm, recursive); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking acl permission from Acl Policy") - public AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) { - return _iamSrv.removeAclPermissionFromAclPolicy(aclPolicyId, entityType, scope.toString(), scopeId, action); - } - - @Override - public AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action) { - List policies = _iamSrv.listAclPolicies(accountId); - AclPolicyPermission curPerm = null; - for (AclPolicy policy : policies) { - List perms = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action, - entityType); - if (perms == null || perms.size() == 0) - continue; - AclPolicyPermission perm = perms.get(0); // just pick one - if (curPerm == null) { - curPerm = perm; - } else if (PermissionScope.valueOf(perm.getScope()).greaterThan(PermissionScope.valueOf(curPerm.getScope()))) { - // pick the more relaxed allowed permission - curPerm = perm; - } - } - - return curPerm; - } - - - @Override - public AclPolicyResponse createAclPolicyResponse(AclPolicy policy) { - AclPolicyResponse response = new AclPolicyResponse(); - response.setId(policy.getUuid()); - response.setName(policy.getName()); - response.setDescription(policy.getDescription()); - String domainPath = policy.getPath(); - if (domainPath != null) { - DomainVO domain = _domainDao.findDomainByPath(domainPath); - if (domain != null) { - response.setDomainId(domain.getUuid()); - response.setDomainName(domain.getName()); - } - } - long accountId = policy.getAccountId(); - AccountVO owner = _accountDao.findById(accountId); - if 
(owner != null) { - response.setAccountName(owner.getAccountName()); - } - // find permissions associated with this policy - List permissions = _iamSrv.listPolicyPermissions(policy.getId()); - if (permissions != null && permissions.size() > 0) { - for (AclPolicyPermission permission : permissions) { - AclPermissionResponse perm = new AclPermissionResponse(); - perm.setAction(permission.getAction()); - if (permission.getEntityType() != null) { - perm.setEntityType(AclEntityType.valueOf(permission.getEntityType())); - } - if (permission.getScope() != null) { - perm.setScope(PermissionScope.valueOf(permission.getScope())); - } - perm.setScopeId(permission.getScopeId()); - perm.setPermission(permission.getPermission()); - response.addPermission(perm); - } - } - response.setObjectName("aclpolicy"); - return response; - } - - @Override - public AclGroupResponse createAclGroupResponse(AclGroup group) { - AclGroupResponse response = new AclGroupResponse(); - response.setId(group.getUuid()); - response.setName(group.getName()); - response.setDescription(group.getDescription()); - String domainPath = group.getPath(); - if (domainPath != null) { - DomainVO domain = _domainDao.findDomainByPath(domainPath); - if (domain != null) { - response.setDomainId(domain.getUuid()); - response.setDomainName(domain.getName()); - } - } - long accountId = group.getAccountId(); - AccountVO owner = _accountDao.findById(accountId); - if (owner != null) { - response.setAccountName(owner.getAccountName()); - } - // find all the members in this group - List members = _iamSrv.listAccountsByGroup(group.getId()); - if (members != null && members.size() > 0) { - for (Long member : members) { - AccountVO mem = _accountDao.findById(member); - if (mem != null) { - response.addMemberAccount(mem.getAccountName()); - } - } - } - - // find all the policies attached to this group - List policies = _iamSrv.listAclPoliciesByGroup(group.getId()); - if (policies != null && policies.size() > 0) { - for (AclPolicy 
policy : policies) { - response.addPolicy(policy.getName()); - } - } - - response.setObjectName("aclgroup"); - return response; - - } - - public List listDomainGroup(Domain domain) { - - if (domain != null) { - String domainPath = domain.getPath(); - // search for groups - Pair, Integer> result = _iamSrv.listAclGroups(null, "DomainGrp-" + domain.getUuid(), - domainPath, null, null); - return result.first(); - } - return new ArrayList(); - - } - - @Override - public ListResponse listAclGroups(Long aclGroupId, String aclGroupName, Long domainId, Long startIndex, Long pageSize) { - // acl check - Account caller = CallContext.current().getCallingAccount(); - - Domain domain = null; - if (domainId != null) { - domain = _domainDao.findById(domainId); - if (domain == null) { - throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist"); - } - - _accountMgr.checkAccess(caller, domain); - } else { - domain = _domainDao.findById(caller.getDomainId()); - } - String domainPath = domain.getPath(); - // search for groups - Pair, Integer> result = _iamSrv.listAclGroups(aclGroupId, aclGroupName, domainPath, startIndex, pageSize); - // generate group response - ListResponse response = new ListResponse(); - List groupResponses = new ArrayList(); - for (AclGroup group : result.first()) { - AclGroupResponse resp = createAclGroupResponse(group); - groupResponses.add(resp); - } - response.setResponses(groupResponses, result.second()); - return response; - } - - @Override - public ListResponse listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex, - Long pageSize) { - // acl check - Account caller = CallContext.current().getCallingAccount(); - - Domain domain = null; - if (domainId != null) { - domain = _domainDao.findById(domainId); - if (domain == null) { - throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist"); - } - - _accountMgr.checkAccess(caller, domain); - } else { - domain = 
_domainDao.findById(caller.getDomainId()); - } - String domainPath = domain.getPath(); - // search for policies - Pair, Integer> result = _iamSrv.listAclPolicies(aclPolicyId, aclPolicyName, domainPath, startIndex, pageSize); - // generate policy response - ListResponse response = new ListResponse(); - List policyResponses = new ArrayList(); - for (AclPolicy policy : result.first()) { - AclPolicyResponse resp = createAclPolicyResponse(policy); - policyResponses.add(resp); - } - response.setResponses(policyResponses, result.second()); - return response; - } - - @Override - public void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds) { - // check if there is already a policy with only this permission added to it - AclPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action); - if (policy == null) { - // not found, just create a policy with resource grant permission - Account caller = CallContext.current().getCallingAccount(); - String aclPolicyName = "policyGrant" + entityType + entityId; - String description = "Policy to grant permission to " + entityType + entityId; - policy = createAclPolicy(caller, aclPolicyName, description, null); - // add permission to this policy - addAclPermissionToAclPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action, Permission.Allow, false); - } - // attach this policy to list of accounts if not attached already - Long policyId = policy.getId(); - for (Long acctId : accountIds) { - if (!isPolicyAttachedToAccount(policyId, acctId)) { - attachAclPolicyToAccounts(policyId, Collections.singletonList(acctId)); - } - } - } - - @Override - public void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds) { - // there should already a policy with only this permission added to it, this call is mainly used - AclPolicy policy = 
_iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action); - if (policy == null) { - s_logger.warn("Cannot find a policy associated with this entity permissioin to be revoked, just return"); - return; - } - // detach this policy from list of accounts if not detached already - Long policyId = policy.getId(); - for (Long acctId : accountIds) { - if (isPolicyAttachedToAccount(policyId, acctId)) { - removeAclPolicyFromAccounts(policyId, Collections.singletonList(acctId)); - } - } - - } - - private boolean isPolicyAttachedToAccount(Long policyId, Long accountId) { - List pList = listAclPolicies(accountId); - for (AclPolicy p : pList) { - if (p.getId() == policyId.longValue()) { - return true; - } - } - return false; - } - - private void resetTemplatePermission(Long templateId){ - // reset template will change template to private, so we need to remove its permission for domain admin and normal user group - _iamSrv.removeAclPermissionFromAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), AclEntityType.VirtualMachineTemplate.toString(), - PermissionScope.RESOURCE.toString(), templateId, "listTemplates"); - _iamSrv.removeAclPermissionFromAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), AclEntityType.VirtualMachineTemplate.toString(), - PermissionScope.RESOURCE.toString(), templateId, "listTemplates"); - // check if there is a policy with only UseEntry permission for this template added - AclPolicy policy = _iamSrv.getResourceGrantPolicy(AclEntityType.VirtualMachineTemplate.toString(), templateId, AccessType.UseEntry.toString(), "listTemplates"); - if ( policy == null ){ - s_logger.info("No policy found for this template grant: " + templateId + ", no detach to be done"); - return; - } - // delete the policy, which should detach it from groups and accounts - _iamSrv.deleteAclPolicy(policy.getId()); - - } - - @Override - public List> getCommands() { - List> cmdList = new ArrayList>(); - cmdList.add(CreateAclPolicyCmd.class); - 
cmdList.add(DeleteAclPolicyCmd.class); - cmdList.add(ListAclPoliciesCmd.class); - cmdList.add(AddAclPermissionToAclPolicyCmd.class); - cmdList.add(RemoveAclPermissionFromAclPolicyCmd.class); - cmdList.add(AttachAclPolicyToAclGroupCmd.class); - cmdList.add(RemoveAclPolicyFromAclGroupCmd.class); - cmdList.add(CreateAclGroupCmd.class); - cmdList.add(DeleteAclGroupCmd.class); - cmdList.add(ListAclGroupsCmd.class); - cmdList.add(AddAccountToAclGroupCmd.class); - cmdList.add(RemoveAccountFromAclGroupCmd.class); - cmdList.add(AttachAclPolicyToAccountCmd.class); - cmdList.add(RemoveAclPolicyFromAccountCmd.class); - return cmdList; - } -} +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.ejb.Local; +import javax.inject.Inject; +import javax.naming.ConfigurationException; + +import org.apache.log4j.Logger; + +import org.apache.cloudstack.acl.IAMEntityType; +import org.apache.cloudstack.acl.PermissionScope; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ApiConstants; +import org.apache.cloudstack.api.BaseListCmd; +import org.apache.cloudstack.api.command.iam.AddAccountToAclGroupCmd; +import org.apache.cloudstack.api.command.iam.AddAclPermissionToAclPolicyCmd; +import org.apache.cloudstack.api.command.iam.AttachAclPolicyToAccountCmd; +import org.apache.cloudstack.api.command.iam.AttachAclPolicyToAclGroupCmd; +import org.apache.cloudstack.api.command.iam.CreateAclGroupCmd; +import org.apache.cloudstack.api.command.iam.CreateAclPolicyCmd; +import org.apache.cloudstack.api.command.iam.DeleteAclGroupCmd; +import org.apache.cloudstack.api.command.iam.DeleteAclPolicyCmd; +import org.apache.cloudstack.api.command.iam.ListAclGroupsCmd; +import org.apache.cloudstack.api.command.iam.ListAclPoliciesCmd; +import org.apache.cloudstack.api.command.iam.RemoveAccountFromAclGroupCmd; +import 
org.apache.cloudstack.api.command.iam.RemoveAclPermissionFromAclPolicyCmd; +import org.apache.cloudstack.api.command.iam.RemoveAclPolicyFromAccountCmd; +import org.apache.cloudstack.api.command.iam.RemoveAclPolicyFromAclGroupCmd; +import org.apache.cloudstack.api.response.ListResponse; +import org.apache.cloudstack.api.response.iam.AclGroupResponse; +import org.apache.cloudstack.api.response.iam.AclPermissionResponse; +import org.apache.cloudstack.api.response.iam.AclPolicyResponse; +import org.apache.cloudstack.context.CallContext; +import org.apache.cloudstack.framework.messagebus.MessageBus; +import org.apache.cloudstack.framework.messagebus.MessageSubscriber; +import org.apache.cloudstack.iam.api.AclGroup; +import org.apache.cloudstack.iam.api.AclPolicy; +import org.apache.cloudstack.iam.api.AclPolicyPermission; +import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission; +import org.apache.cloudstack.iam.api.IAMService; + +import com.cloud.api.ApiServerService; +import com.cloud.domain.Domain; +import com.cloud.domain.DomainVO; +import com.cloud.domain.dao.DomainDao; +import com.cloud.event.ActionEvent; +import com.cloud.event.EventTypes; +import com.cloud.exception.InvalidParameterValueException; +import com.cloud.template.TemplateManager; +import com.cloud.user.Account; +import com.cloud.user.AccountManager; +import com.cloud.user.AccountVO; +import com.cloud.user.DomainManager; +import com.cloud.user.dao.AccountDao; +import com.cloud.utils.Pair; +import com.cloud.utils.component.Manager; +import com.cloud.utils.component.ManagerBase; +import com.cloud.utils.db.DB; +import com.cloud.utils.db.EntityManager; + +@Local(value = {AclApiService.class}) +public class AclApiServiceImpl extends ManagerBase implements AclApiService, Manager { + + public static final Logger s_logger = Logger.getLogger(AclApiServiceImpl.class); + private String _name; + + @Inject + ApiServerService _apiServer; + + @Inject + IAMService _iamSrv; + + @Inject + DomainDao 
_domainDao; + + @Inject + AccountDao _accountDao; + + @Inject + AccountManager _accountMgr; + + @Inject + MessageBus _messageBus; + + @Override + public boolean configure(final String name, final Map params) throws ConfigurationException { + _messageBus.subscribe(AccountManager.MESSAGE_ADD_ACCOUNT_EVENT, new MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + HashMap acctGroupMap = (HashMap) obj; + for (Long accountId : acctGroupMap.keySet()) { + Long groupId = acctGroupMap.get(accountId); + s_logger.debug("MessageBus message: new Account Added: " + accountId + ", adding it to groupId :" + + groupId); + addAccountToAclGroup(accountId, groupId); + // add it to domain group too + AccountVO account = _accountDao.findById(accountId); + Domain domain = _domainDao.findById(account.getDomainId()); + if (domain != null) { + List domainGroups = listDomainGroup(domain); + + if (domainGroups != null) { + for (AclGroup group : domainGroups) { + addAccountToAclGroup(accountId, new Long(group.getId())); + } + } + } + } + } + }); + + _messageBus.subscribe(AccountManager.MESSAGE_REMOVE_ACCOUNT_EVENT, new MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + Long accountId = ((Long) obj); + if (accountId != null) { + s_logger.debug("MessageBus message: Account removed: " + accountId + + ", releasing the group associations"); + removeAccountFromAclGroups(accountId); + } + } + }); + + _messageBus.subscribe(DomainManager.MESSAGE_ADD_DOMAIN_EVENT, new MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + Long domainId = ((Long) obj); + if (domainId != null) { + s_logger.debug("MessageBus message: new Domain created: " + domainId + ", creating a new group"); + Domain domain = _domainDao.findById(domainId); + _iamSrv.createAclGroup("DomainGrp-" + domain.getUuid(), "Domain group", 
domain.getPath()); + } + } + }); + + _messageBus.subscribe(DomainManager.MESSAGE_REMOVE_DOMAIN_EVENT, new MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + Long domainId = ((Long) obj); + if (domainId != null) { + s_logger.debug("MessageBus message: Domain removed: " + domainId + ", removing the domain group"); + Domain domain = _domainDao.findById(domainId); + List groups = listDomainGroup(domain); + for (AclGroup group : groups) { + _iamSrv.deleteAclGroup(group.getId()); + } + } + } + }); + + _messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + Long templateId = (Long)obj; + if (templateId != null) { + s_logger.debug("MessageBus message: new public template registered: " + templateId + ", grant permission to domain admin and normal user policies"); + _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), IAMEntityType.VirtualMachineTemplate.toString(), + PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); + _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), IAMEntityType.VirtualMachineTemplate.toString(), + PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); + } + } + }); + + _messageBus.subscribe(TemplateManager.MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT, new MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + Long templateId = (Long)obj; + if (templateId != null) { + s_logger.debug("MessageBus message: reset template permission: " + templateId); + resetTemplatePermission(templateId); + } + } + }); + + _messageBus.subscribe(EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, new 
MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + Pair entity = (Pair)obj; + if (entity != null) { + String entityType = entity.first().toString(); + Long entityId = entity.second(); + s_logger.debug("MessageBus message: delete an entity: (" + entityType + "," + entityId + "), remove its related permission"); + _iamSrv.removeAclPermissionForEntity(entityType, entityId); + } + } + }); + + + _messageBus.subscribe(EntityManager.MESSAGE_GRANT_ENTITY_EVENT, new MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + Map permit = (Map)obj; + if (permit != null) { + String entityType = (String)permit.get(ApiConstants.ENTITY_TYPE); + Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID); + AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE); + String action = (String)permit.get(ApiConstants.ACL_ACTION); + List acctIds = (List)permit.get(ApiConstants.ACCOUNTS); + s_logger.debug("MessageBus message: grant accounts permission to an entity: (" + entityType + "," + entityId + ")"); + grantEntityPermissioinToAccounts(entityType, entityId, accessType, action, acctIds); + } + } + }); + + _messageBus.subscribe(EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, new MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + Map permit = (Map)obj; + if (permit != null) { + String entityType = (String)permit.get(ApiConstants.ENTITY_TYPE); + Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID); + AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE); + String action = (String)permit.get(ApiConstants.ACL_ACTION); + List acctIds = (List)permit.get(ApiConstants.ACCOUNTS); + s_logger.debug("MessageBus message: revoke from accounts permission to an entity: (" + entityType + "," + entityId + ")"); + revokeEntityPermissioinFromAccounts(entityType, entityId, 
accessType, action, acctIds); + } + } + }); + + _messageBus.subscribe(EntityManager.MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT, new MessageSubscriber() { + @Override + public void onPublishMessage(String senderAddress, String subject, Object obj) { + Map params = (Map) obj; + if (params != null) { + addDomainWideResourceAccess(params); + } + } + }); + + return super.configure(name, params); + } + + private void addDomainWideResourceAccess(Map params) { + + IAMEntityType entityType = (IAMEntityType)params.get(ApiConstants.ENTITY_TYPE); + Long entityId = (Long) params.get(ApiConstants.ENTITY_ID); + Long domainId = (Long) params.get(ApiConstants.DOMAIN_ID); + Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS); + + if (entityType == IAMEntityType.Network) { + createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.toString(), + entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive); + } else if (entityType == IAMEntityType.AffinityGroup) { + createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.toString(), + entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive); + } + + } + + private void createPolicyAndAddToDomainGroup(String policyName, String description, String entityType, + Long entityId, String action, AccessType accessType, Long domainId, Boolean recursive) { + + Domain domain = _domainDao.findById(domainId); + if (domain != null) { + AclPolicy policy = _iamSrv.createAclPolicy(policyName, description, null, domain.getPath()); + _iamSrv.addAclPermissionToAclPolicy(policy.getId(), entityType, PermissionScope.RESOURCE.toString(), + entityId, action, accessType.toString(), Permission.Allow, recursive); + List policyList = new ArrayList(); + policyList.add(new Long(policy.getId())); + + List domainGroups = listDomainGroup(domain); + if (domainGroups != null) { + for (AclGroup group : domainGroups) { + 
_iamSrv.attachAclPoliciesToGroup(policyList, group.getId()); + } + } + } + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true) + public AclGroup createAclGroup(Account caller, String aclGroupName, String description) { + Long domainId = caller.getDomainId(); + Domain callerDomain = _domainDao.findById(domainId); + if (callerDomain == null) { + throw new InvalidParameterValueException("Caller does not have a domain"); + } + return _iamSrv.createAclGroup(aclGroupName, description, callerDomain.getPath()); + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group") + public boolean deleteAclGroup(final Long aclGroupId) { + return _iamSrv.deleteAclGroup(aclGroupId); + } + + @Override + public List listAclGroups(long accountId) { + return _iamSrv.listAclGroups(accountId); + } + + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding accounts to acl group") + public AclGroup addAccountsToGroup(final List acctIds, final Long groupId) { + return _iamSrv.addAccountsToGroup(acctIds, groupId); + } + + + private void removeAccountFromAclGroups(long accountId) { + List groups = listAclGroups(accountId); + List accts = new ArrayList(); + accts.add(accountId); + if (groups != null) { + for (AclGroup grp : groups) { + removeAccountsFromGroup(accts, grp.getId()); + } + } + } + + private void addAccountToAclGroup(long accountId, long groupId) { + List accts = new ArrayList(); + accts.add(accountId); + addAccountsToGroup(accts, groupId); + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing accounts from acl group") + public AclGroup removeAccountsFromGroup(final List acctIds, final Long groupId) { + return _iamSrv.removeAccountsFromGroup(acctIds, groupId); + } + + @DB + @Override + @ActionEvent(eventType = 
EventTypes.EVENT_ACL_POLICY_CREATE, eventDescription = "Creating Acl Policy", create = true) + public AclPolicy createAclPolicy(Account caller, final String aclPolicyName, final String description, final Long parentPolicyId) { + Long domainId = caller.getDomainId(); + Domain callerDomain = _domainDao.findById(domainId); + if (callerDomain == null) { + throw new InvalidParameterValueException("Caller does not have a domain"); + } + return _iamSrv.createAclPolicy(aclPolicyName, description, parentPolicyId, callerDomain.getPath()); + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_DELETE, eventDescription = "Deleting Acl Policy") + public boolean deleteAclPolicy(final long aclPolicyId) { + return _iamSrv.deleteAclPolicy(aclPolicyId); + } + + + @Override + public List listAclPolicies(long accountId) { + return _iamSrv.listAclPolicies(accountId); + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Attaching policy to acl group") + public AclGroup attachAclPoliciesToGroup(final List policyIds, final Long groupId) { + return _iamSrv.attachAclPoliciesToGroup(policyIds, groupId); + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing policies from acl group") + public AclGroup removeAclPoliciesFromGroup(final List policyIds, final Long groupId) { + return _iamSrv.removeAclPoliciesFromGroup(policyIds, groupId); + } + + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_ACCOUNT_POLICY_UPDATE, eventDescription = "Attaching policy to accounts") + public void attachAclPolicyToAccounts(final Long policyId, final List accountIds) { + _iamSrv.attachAclPolicyToAccounts(policyId, accountIds); + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_ACCOUNT_POLICY_UPDATE, eventDescription = "Removing policy from accounts") + public void removeAclPolicyFromAccounts(final Long policyId, final List accountIds) { + 
_iamSrv.removeAclPolicyFromAccounts(policyId, accountIds); + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting acl permission to Acl Policy") + public AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, + Long scopeId, String action, Permission perm, Boolean recursive) { + Class cmdClass = _apiServer.getCmdClass(action); + AccessType accessType = null; + if (BaseListCmd.class.isAssignableFrom(cmdClass)) { + accessType = AccessType.UseEntry; + } + return _iamSrv.addAclPermissionToAclPolicy(aclPolicyId, entityType, scope.toString(), scopeId, action, + accessType.toString(), perm, recursive); + } + + @DB + @Override + @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking acl permission from Acl Policy") + public AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) { + return _iamSrv.removeAclPermissionFromAclPolicy(aclPolicyId, entityType, scope.toString(), scopeId, action); + } + + @Override + public AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action) { + List policies = _iamSrv.listAclPolicies(accountId); + AclPolicyPermission curPerm = null; + for (AclPolicy policy : policies) { + List perms = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action, + entityType); + if (perms == null || perms.size() == 0) + continue; + AclPolicyPermission perm = perms.get(0); // just pick one + if (curPerm == null) { + curPerm = perm; + } else if (PermissionScope.valueOf(perm.getScope()).greaterThan(PermissionScope.valueOf(curPerm.getScope()))) { + // pick the more relaxed allowed permission + curPerm = perm; + } + } + + return curPerm; + } + + + @Override + public AclPolicyResponse createAclPolicyResponse(AclPolicy policy) { + AclPolicyResponse response = new AclPolicyResponse(); + 
response.setId(policy.getUuid()); + response.setName(policy.getName()); + response.setDescription(policy.getDescription()); + String domainPath = policy.getPath(); + if (domainPath != null) { + DomainVO domain = _domainDao.findDomainByPath(domainPath); + if (domain != null) { + response.setDomainId(domain.getUuid()); + response.setDomainName(domain.getName()); + } + } + long accountId = policy.getAccountId(); + AccountVO owner = _accountDao.findById(accountId); + if (owner != null) { + response.setAccountName(owner.getAccountName()); + } + // find permissions associated with this policy + List permissions = _iamSrv.listPolicyPermissions(policy.getId()); + if (permissions != null && permissions.size() > 0) { + for (AclPolicyPermission permission : permissions) { + AclPermissionResponse perm = new AclPermissionResponse(); + perm.setAction(permission.getAction()); + if (permission.getEntityType() != null) { + perm.setEntityType(IAMEntityType.valueOf(permission.getEntityType())); + } + if (permission.getScope() != null) { + perm.setScope(PermissionScope.valueOf(permission.getScope())); + } + perm.setScopeId(permission.getScopeId()); + perm.setPermission(permission.getPermission()); + response.addPermission(perm); + } + } + response.setObjectName("aclpolicy"); + return response; + } + + @Override + public AclGroupResponse createAclGroupResponse(AclGroup group) { + AclGroupResponse response = new AclGroupResponse(); + response.setId(group.getUuid()); + response.setName(group.getName()); + response.setDescription(group.getDescription()); + String domainPath = group.getPath(); + if (domainPath != null) { + DomainVO domain = _domainDao.findDomainByPath(domainPath); + if (domain != null) { + response.setDomainId(domain.getUuid()); + response.setDomainName(domain.getName()); + } + } + long accountId = group.getAccountId(); + AccountVO owner = _accountDao.findById(accountId); + if (owner != null) { + response.setAccountName(owner.getAccountName()); + } + // find all the 
members in this group + List members = _iamSrv.listAccountsByGroup(group.getId()); + if (members != null && members.size() > 0) { + for (Long member : members) { + AccountVO mem = _accountDao.findById(member); + if (mem != null) { + response.addMemberAccount(mem.getAccountName()); + } + } + } + + // find all the policies attached to this group + List policies = _iamSrv.listAclPoliciesByGroup(group.getId()); + if (policies != null && policies.size() > 0) { + for (AclPolicy policy : policies) { + response.addPolicy(policy.getName()); + } + } + + response.setObjectName("aclgroup"); + return response; + + } + + public List listDomainGroup(Domain domain) { + + if (domain != null) { + String domainPath = domain.getPath(); + // search for groups + Pair, Integer> result = _iamSrv.listAclGroups(null, "DomainGrp-" + domain.getUuid(), + domainPath, null, null); + return result.first(); + } + return new ArrayList(); + + } + + @Override + public ListResponse listAclGroups(Long aclGroupId, String aclGroupName, Long domainId, Long startIndex, Long pageSize) { + // acl check + Account caller = CallContext.current().getCallingAccount(); + + Domain domain = null; + if (domainId != null) { + domain = _domainDao.findById(domainId); + if (domain == null) { + throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist"); + } + + _accountMgr.checkAccess(caller, domain); + } else { + domain = _domainDao.findById(caller.getDomainId()); + } + String domainPath = domain.getPath(); + // search for groups + Pair, Integer> result = _iamSrv.listAclGroups(aclGroupId, aclGroupName, domainPath, startIndex, pageSize); + // generate group response + ListResponse response = new ListResponse(); + List groupResponses = new ArrayList(); + for (AclGroup group : result.first()) { + AclGroupResponse resp = createAclGroupResponse(group); + groupResponses.add(resp); + } + response.setResponses(groupResponses, result.second()); + return response; + } + + @Override + public ListResponse 
listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex, + Long pageSize) { + // acl check + Account caller = CallContext.current().getCallingAccount(); + + Domain domain = null; + if (domainId != null) { + domain = _domainDao.findById(domainId); + if (domain == null) { + throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist"); + } + + _accountMgr.checkAccess(caller, domain); + } else { + domain = _domainDao.findById(caller.getDomainId()); + } + String domainPath = domain.getPath(); + // search for policies + Pair, Integer> result = _iamSrv.listAclPolicies(aclPolicyId, aclPolicyName, domainPath, startIndex, pageSize); + // generate policy response + ListResponse response = new ListResponse(); + List policyResponses = new ArrayList(); + for (AclPolicy policy : result.first()) { + AclPolicyResponse resp = createAclPolicyResponse(policy); + policyResponses.add(resp); + } + response.setResponses(policyResponses, result.second()); + return response; + } + + @Override + public void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds) { + // check if there is already a policy with only this permission added to it + AclPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action); + if (policy == null) { + // not found, just create a policy with resource grant permission + Account caller = CallContext.current().getCallingAccount(); + String aclPolicyName = "policyGrant" + entityType + entityId; + String description = "Policy to grant permission to " + entityType + entityId; + policy = createAclPolicy(caller, aclPolicyName, description, null); + // add permission to this policy + addAclPermissionToAclPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action, Permission.Allow, false); + } + // attach this policy to list of accounts if not attached already + Long policyId = policy.getId(); + 
for (Long acctId : accountIds) { + if (!isPolicyAttachedToAccount(policyId, acctId)) { + attachAclPolicyToAccounts(policyId, Collections.singletonList(acctId)); + } + } + } + + @Override + public void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds) { + // there should already a policy with only this permission added to it, this call is mainly used + AclPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action); + if (policy == null) { + s_logger.warn("Cannot find a policy associated with this entity permissioin to be revoked, just return"); + return; + } + // detach this policy from list of accounts if not detached already + Long policyId = policy.getId(); + for (Long acctId : accountIds) { + if (isPolicyAttachedToAccount(policyId, acctId)) { + removeAclPolicyFromAccounts(policyId, Collections.singletonList(acctId)); + } + } + + } + + private boolean isPolicyAttachedToAccount(Long policyId, Long accountId) { + List pList = listAclPolicies(accountId); + for (AclPolicy p : pList) { + if (p.getId() == policyId.longValue()) { + return true; + } + } + return false; + } + + private void resetTemplatePermission(Long templateId){ + // reset template will change template to private, so we need to remove its permission for domain admin and normal user group + _iamSrv.removeAclPermissionFromAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), IAMEntityType.VirtualMachineTemplate.toString(), + PermissionScope.RESOURCE.toString(), templateId, "listTemplates"); + _iamSrv.removeAclPermissionFromAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), IAMEntityType.VirtualMachineTemplate.toString(), + PermissionScope.RESOURCE.toString(), templateId, "listTemplates"); + // check if there is a policy with only UseEntry permission for this template added + AclPolicy policy = _iamSrv.getResourceGrantPolicy(IAMEntityType.VirtualMachineTemplate.toString(), templateId, 
AccessType.UseEntry.toString(), "listTemplates");
+ if ( policy == null ){
+ s_logger.info("No policy found for this template grant: " + templateId + ", no detach to be done");
+ return;
+ }
+ // delete the policy, which should detach it from groups and accounts
+ _iamSrv.deleteAclPolicy(policy.getId());
+
+ }
+
+ @Override
+ public List> getCommands() {
+ List> cmdList = new ArrayList>();
+ cmdList.add(CreateAclPolicyCmd.class);
+ cmdList.add(DeleteAclPolicyCmd.class);
+ cmdList.add(ListAclPoliciesCmd.class);
+ cmdList.add(AddAclPermissionToAclPolicyCmd.class);
+ cmdList.add(RemoveAclPermissionFromAclPolicyCmd.class);
+ cmdList.add(AttachAclPolicyToAclGroupCmd.class);
+ cmdList.add(RemoveAclPolicyFromAclGroupCmd.class);
+ cmdList.add(CreateAclGroupCmd.class);
+ cmdList.add(DeleteAclGroupCmd.class);
+ cmdList.add(ListAclGroupsCmd.class);
+ cmdList.add(AddAccountToAclGroupCmd.class);
+ cmdList.add(RemoveAccountFromAclGroupCmd.class);
+ cmdList.add(AttachAclPolicyToAccountCmd.class);
+ cmdList.add(RemoveAclPolicyFromAccountCmd.class);
+ return cmdList;
+ }
+}
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
similarity index 95%
rename from services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
rename to services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
index 01e3d752726..448e45fc101 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.acl;
+package org.apache.cloudstack.iam;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -28,6 +28,10 @@ import javax.naming.ConfigurationException;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.IAMEntityType;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.BaseAsyncCreateCmd;
@@ -129,9 +133,9 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 // add permissions for public templates
 List pTmplts = _templateDao.listByPublic();
 for (VMTemplateVO tmpl : pTmplts){
- _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), AclEntityType.VirtualMachineTemplate.toString(),
+ _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), IAMEntityType.VirtualMachineTemplate.toString(),
 PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), AclEntityType.VirtualMachineTemplate.toString(),
+ _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), IAMEntityType.VirtualMachineTemplate.toString(),
 PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
 }
@@ -214,7 +218,7 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 private void addDefaultAclPolicyPermission(String apiName, Class cmdClass, RoleType role) {
 AccessType accessType = null;
- AclEntityType[] entityTypes = null;
+ IAMEntityType[] entityTypes = null;
 if (cmdClass != null) {
 BaseCmd cmdObj;
 try {
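Review bot: The two new lines in the `@@ -129,9 +133,9 @@` hunk still compute the target policy id arithmetically, `new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1)` and `new Long(Account.ACCOUNT_TYPE_NORMAL + 1)`, so the `listTemplates` grant on every public template appears to go to whichever policy row carries that id rather than to a policy resolved for that role; the rename leaves this coupling in place. The same pattern recurs on the new side of AclApiServiceImpl (the public-template subscriber in configure and resetTemplatePermission), so it is worth fixing in one place. A named constant, e.g. `private static final long DOMAIN_ADMIN_DEFAULT_POLICY_ID = Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1;` with a comment stating where that id ordering is guaranteed, or a lookup of the default policy by role through IAMService, would make the assumption visible and checkable. The enclosing method of this hunk starts and ends outside the hunk.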
@@ -258,7 +262,7 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 _iamSrv.addAclPermissionToAclPolicy(policyId, null, permissionScope.toString(), new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false);
 } else {
- for (AclEntityType entityType : entityTypes) {
+ for (IAMEntityType entityType : entityTypes) {
 _iamSrv.addAclPermissionToAclPolicy(policyId, entityType.toString(), permissionScope.toString(), new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false);
 }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
similarity index 97%
rename from services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
rename to services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index 65249a6e608..5420f840fe2 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.acl;
+package org.apache.cloudstack.iam;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -24,6 +24,9 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.iam.api.AclGroup;
 import org.apache.cloudstack.iam.api.AclPolicy;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
similarity index 97%
rename from services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
rename to services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
index 7b8715fd992..4cec0d9acd9 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
@@ -14,7 +14,7 @@
 // KIND, either express or implied. See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package org.apache.cloudstack.acl;
+package org.apache.cloudstack.iam;
 import java.util.ArrayList;
 import java.util.List;
@@ -23,6 +23,8 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.QuerySelector;
 import org.apache.cloudstack.iam.api.AclGroup;
 import org.apache.cloudstack.iam.api.AclPolicy;
 import org.apache.cloudstack.iam.api.AclPolicyPermission;
diff --git a/services/iam/plugin/test/org/apache/cloudstack/acl/AclApiServiceTest.java b/services/iam/plugin/test/org/apache/cloudstack/acl/AclApiServiceTest.java
index 02b73316aa0..daf5b64f133 100644
--- a/services/iam/plugin/test/org/apache/cloudstack/acl/AclApiServiceTest.java
+++ b/services/iam/plugin/test/org/apache/cloudstack/acl/AclApiServiceTest.java
@@ -35,13 +35,13 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.support.AnnotationConfigContextLoader;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.acl.api.AclApiService;
-import org.apache.cloudstack.acl.api.AclApiServiceImpl;
+import org.apache.cloudstack.iam.AclApiService;
+import org.apache.cloudstack.iam.AclApiServiceImpl;
 import org.apache.cloudstack.api.command.user.vm.ListVMsCmd;
 import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.acl.AclGroupResponse;
-import org.apache.cloudstack.api.response.acl.AclPermissionResponse;
-import org.apache.cloudstack.api.response.acl.AclPolicyResponse;
+import org.apache.cloudstack.api.response.iam.AclGroupResponse;
+import org.apache.cloudstack.api.response.iam.AclPermissionResponse;
+import org.apache.cloudstack.api.response.iam.AclPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.messagebus.MessageBus;
 import org.apache.cloudstack.iam.api.AclGroup;
@@ -273,12 +273,12 @@ public class AclApiServiceTest {
 Class clz = ListVMsCmd.class;
 when(_apiServer.getCmdClass("listVirtualMachines")).thenReturn(clz);
 when(
- _iamSrv.addAclPermissionToAclPolicy(policyId, AclEntityType.VirtualMachine.toString(), PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines",
+ _iamSrv.addAclPermissionToAclPolicy(policyId, IAMEntityType.VirtualMachine.toString(), PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines",
 AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy);
- _aclSrv.addAclPermissionToAclPolicy(policyId, AclEntityType.VirtualMachine.toString(), PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false);
+ _aclSrv.addAclPermissionToAclPolicy(policyId, IAMEntityType.VirtualMachine.toString(), PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false);
 Pair, Integer> policyList = new Pair, Integer>(policies, 1);
 List policyPerms = new ArrayList();
- AclPolicyPermission perm = new AclPolicyPermissionVO(policyId, "listVirtualMachines", AclEntityType.VirtualMachine.toString(), AccessType.UseEntry.toString(),
+ AclPolicyPermission perm = new AclPolicyPermissionVO(policyId, "listVirtualMachines", IAMEntityType.VirtualMachine.toString(), AccessType.UseEntry.toString(),
 PermissionScope.RESOURCE.toString(), resId, Permission.Allow, false);
 policyPerms.add(perm);
@@ -294,7 +294,7 @@ public class AclApiServiceTest {
 //remove permission from policy
 policyPerms.remove(perm);
- _aclSrv.removeAclPermissionFromAclPolicy(policyId, AclEntityType.VirtualMachine.toString(), PermissionScope.RESOURCE, resId, "listVirtualMachines");
+ _aclSrv.removeAclPermissionFromAclPolicy(policyId, IAMEntityType.VirtualMachine.toString(), PermissionScope.RESOURCE, resId, "listVirtualMachines");
 policyResp = _aclSrv.listAclPolicies(null, "policy1", callerDomainId, 0L, 20L);
 assertTrue("No. of response items should be one", policyResp.getCount() == 1);
 resp = policyResp.getResponses().get(0);