More changes to support 'readOnly' access

api/src/org/apache/cloudstack/api/ApiConstants.java

@@ -591,7 +591,7 @@ public class ApiConstants {
     public static final String VGPUTYPE = "vgputype";
     public static final String REMAININGCAPACITY = "remainingcapacity";
     public static final String DISTRIBUTED_VPC_ROUTER = "distributedvpcrouter";
-    public static final String READ_ONLY = "readOnly";
+    public static final String READ_ONLY = "readonly";
 
 
     public enum HostDetails {

server/src/com/cloud/acl/DomainChecker.java

@@ -328,6 +328,17 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
     @Override
     public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
             throws PermissionDeniedException {
+
+        if (action != null && ("SystemCapability".equals(action))) {
+            if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+                return true;
+            }
+
+        } else if (action != null && ("DomainCapability".equals(action))) {
+            if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+                return true;
+            }
+        }
         return checkAccess(caller, entity, accessType);
     }
 }

services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java

@@ -29,7 +29,6 @@ import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.BaseCmd.CommandType;
 import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.IAMApiService;

services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java

@@ -721,7 +721,8 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
             String description = "Policy to grant permission to " + entityType + entityId;
             policy = createIAMPolicy(caller, aclPolicyName, description, null);
             // add permission to this policy
-            addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action, Permission.Allow, false);
+            addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action,
+                    Permission.Allow, false, false);
         }
         // attach this policy to list of accounts if not attached already
         Long policyId = policy.getId();

services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java

@@ -295,8 +295,8 @@ public class IAMApiServiceTest {
                 _iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
                         PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines",
                         AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy);
-        _aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
-                PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false);
+        _aclSrv.addIAMPermissionToIAMPolicy(policyId, IAMEntityType.VirtualMachine.toString(),
+                PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false, false);
         Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
         List<IAMPolicyPermission> policyPerms = new ArrayList<IAMPolicyPermission>();
         IAMPolicyPermission perm = new IAMPolicyPermissionVO(policyId, "listVirtualMachines",