CLOUDSTACK-6533: IAM - Templates - Public templates do not have

permissions to be used by ROOT group.
2014-04-29 11:48:45 -07:00 · 2014-04-29 11:48:45 -07:00 · b42ad3ccaa
parent 4f45c972c3
commit b42ad3ccaa
2 changed files with 6 additions and 1 deletions
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
@ -257,7 +257,10 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
            public void onPublishMessage(String senderAddress, String subject, Object obj) {
                Long templateId = (Long)obj;
                if (templateId != null) {
-                    s_logger.debug("MessageBus message: new public template registered: " + templateId + ", grant permission to domain admin and normal user policies");
+                    s_logger.debug("MessageBus message: new public template registered: " + templateId
+                            + ", grant permission to default root admin, domain admin and normal user policies");
+                    _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
+                            PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
                    _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
                            PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
                    _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
@ -132,6 +132,8 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
        // add permissions for public templates
        List<VMTemplateVO> pTmplts = _templateDao.listByPublic();
        for (VMTemplateVO tmpl : pTmplts){
+            _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
+                    PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
            _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
                    PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
            _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),