diff --git a/engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml b/engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
index 0d2dedbdb5d..2974615ff48 100644
--- a/engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
+++ b/engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
@@ -319,13 +319,10 @@
-
-
+
+
-
-
-
-
+
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
index a64abfdcbf9..e78cc852007 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
@@ -22,6 +22,7 @@ import java.util.List;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.utils.db.GenericDao;
@@ -35,4 +36,6 @@ public interface AclPolicyPermissionDao extends GenericDao listByPolicyActionAndEntity(long policyId, String action, String entityType);
+ List listByPolicyAccessAndEntity(long id, AccessType accessType, String entityType);
+
}
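Review bot: The new interface method names its first parameter `id`, while the sibling `listByPolicyActionAndEntity` on the previous line and the implementation in AclPolicyPermissionDaoImpl both call it `policyId`; the declaration should read `List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, AccessType accessType, String entityType);`. A one-line Javadoc would also help, since this is the query the role-based checker now falls back to when no action is supplied: `/** Lists the permission rows of one policy that match the given access type and entity type. */`.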
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
index fc7b0a9128f..fc19ed73bc3 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
@@ -24,6 +24,7 @@ import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
@@ -51,6 +52,7 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase listByPolicyAccessAndEntity(long policyId, AccessType accessType,
+ String entityType) {
+ SearchCriteria sc = fullSearch.create();
+ sc.setParameters("policyId", policyId);
+ sc.setParameters("entityType", entityType);
+ sc.setParameters("accessType", accessType);
+ return listBy(sc);
+ }
+
}
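Review bot: `listByPolicyAccessAndEntity` sets an `accessType` parameter on `fullSearch`, but the builder that defines `fullSearch` is outside this hunk and nothing here shows an `accessType` condition being added to it. As far as I recall, CloudStack's SearchCriteria only checks a parameter name against the declared conditions with an `assert`, so with assertions off an undeclared filter is silently dropped and the query returns every permission for the policy and entity type regardless of access type — the checker consuming this list would then match permissions meant for other access types. Please confirm the constructor contains a condition like `fullSearch.and("accessType", fullSearch.entity().getAccessType(), Op.EQ);` and, if `fullSearch` is shared with `listByPolicyActionAndEntity`, that leaving the `action` parameter unset here is intended. A null `accessType` is also passed straight through to `setParameters`; rejecting it up front with `Objects.requireNonNull(accessType, "accessType")` keeps an authorization query from depending on how a null is rendered into SQL.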
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index 129c0019b6e..c057bc02a91 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -16,6 +16,7 @@
// under the License.
package org.apache.cloudstack.acl.entity;
+import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
@@ -78,8 +79,14 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
HashMap policyPermissionMap = new HashMap();
for (AclPolicy policy : policies) {
- List permissions = _policyPermissionDao.listByPolicyActionAndEntity(policy.getId(),
+ List permissions = new ArrayList();
+
+ if (action != null) {
+ permissions = _policyPermissionDao.listByPolicyActionAndEntity(policy.getId(),
action, entityType);
+ } else {
+ permissions = _policyPermissionDao.listByPolicyAccessAndEntity(policy.getId(), accessType, entityType);
+ }
for (AclPolicyPermissionVO permission : permissions) {
if (checkPermissionScope(caller, permission.getScope(), entity)) {
if (permission.getEntityType().equals(entityType)) {
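Review bot: When both `action` and `accessType` are null, the new else branch still calls `listByPolicyAccessAndEntity` with a null access type, so the result of the access check depends on how SearchCriteria renders a null parameter rather than on an explicit decision; an authorization checker should fail closed here, e.g. `if (action == null && accessType == null) { throw new IllegalArgumentException("action or accessType is required"); }` before the policy loop (or return false, whichever matches the method's contract — the signature is outside this hunk). The `new ArrayList()` assigned on the first added line is dead, since both branches reassign `permissions`; `List<AclPolicyPermissionVO> permissions;` is enough. The enclosing method starts before and ends after this hunk.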
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 882a5b1fe12..95e13a580fd 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -389,16 +389,17 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
}
_aclPermissionDao.persist(apiPermission);
}
- }
+ } else {
- for (AclEntityType entityType : entityTypes) {
- apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, entityType.toString(), null,
- permissionScope, new Long(-1), Permission.Allow);
- if (apiPermission != null) {
- if (isReadCommand) {
- apiPermission.setAccessType(AccessType.ListEntry);
+ for (AclEntityType entityType : entityTypes) {
+ apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, entityType.toString(), null,
+ permissionScope, new Long(-1), Permission.Allow);
+ if (apiPermission != null) {
+ if (isReadCommand) {
+ apiPermission.setAccessType(AccessType.ListEntry);
+ }
+ _aclPermissionDao.persist(apiPermission);
}
- _aclPermissionDao.persist(apiPermission);
}
}
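Review bot: The `if (apiPermission != null)` guard in the moved loop is always true because it directly follows `new AclPolicyPermissionVO(...)`, so it only obscures the intent; drop it and persist unconditionally. Persisting `role.ordinal() + 1` as the policy id ties database identity to the declaration order of the enum, so a reordered or inserted constant silently re-points existing permissions to a different policy; this predates the change, but since the loop is being rewritten, an explicit role-to-policy-id lookup (or an id field on the enum) would be safer. `new Long(-1)` should be `Long.valueOf(-1L)` — the boxed constructor is a needless allocation and deprecated on current JDKs. The condition whose `else` branch this loop has become starts outside the hunk, so I cannot tell whether skipping the loop in the `if` case is intended.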
diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
index f8ea1e6518d..3581ef07303 100644
--- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
@@ -90,8 +90,8 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
@Inject
AclGroupAccountMapDao _aclGroupAccountMapDao;
- @Inject
- AclApiPermissionDao _apiPermissionDao;
+ // @Inject
+ // AclApiPermissionDao _apiPermissionDao;
@Inject
AclPolicyPermissionDao _policyPermissionDao;
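Review bot: Commented-out code should be removed rather than kept: if `_apiPermissionDao` is no longer used, delete the two lines and the now-unused `AclApiPermissionDao` import instead of leaving `// @Inject` / `// AclApiPermissionDao _apiPermissionDao;` behind; if it is still needed somewhere, the injection should stay. Version control already preserves the history.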
diff --git a/setup/db/db/schema-421to430.sql b/setup/db/db/schema-421to430.sql
index ef0745817de..53e52b26def 100644
--- a/setup/db/db/schema-421to430.sql
+++ b/setup/db/db/schema-421to430.sql
@@ -360,7 +360,7 @@ CREATE TABLE `acl_policy_permission` (
`policy_id` bigint(20) unsigned NOT NULL,
`action` varchar(100) NOT NULL,
`resource_type` varchar(100) DEFAULT NULL,
- `scope_id` bigint(20) unsigned,
+ `scope_id` bigint(20) DEFAULT NULL,
`scope` varchar(40) DEFAULT NULL,
`access_type` varchar(40) DEFAULT NULL,
`permission` varchar(40) NOT NULL COMMENT 'Allow or Deny',
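Review bot: Dropping `unsigned` from `scope_id` is presumably what lets ApiServer persist the `-1` it now passes for this column, but nothing in the schema records that `-1` is a sentinel; a column comment such as `` `scope_id` bigint(20) DEFAULT NULL COMMENT 'scope instance id; -1 when not bound to a specific instance', `` would make that explicit (confirm the meaning of -1 against AclPolicyPermissionVO before wording it). Because this is an upgrade script, editing the CREATE TABLE in place does not change the column on any database where the script has already run; if that matters, a separate ALTER TABLE step is needed as well.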