etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move ACL response class into iam plugin, also fix AclAPiService to 

invoke IAMService method to hide internal IAM schema.
This commit is contained in:
Min Chen 2013-12-27 17:17:35 -08:00
parent 08122c9adb
commit d9be7bb968
21 changed files with 673 additions and 513 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
View File

@ -21,13 +21,11 @@ import java.util.List;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.cloudstack.acl.APIChecker;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.iam.api.AclPolicy;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.user.Account;
import com.cloud.user.AccountService;

11
services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
View File

@ -22,23 +22,18 @@ import java.util.List;
import javax.inject.Inject;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.api.AclPolicy;
import com.cloud.acl.DomainChecker;
import com.cloud.domain.dao.DomainDao;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.user.Account;
import com.cloud.user.AccountService;
import com.cloud.vm.VirtualMachine;
public class RoleBasedEntityAccessChecker extends DomainChecker implements SecurityChecker {

20
services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
View File

@ -18,12 +18,15 @@ package org.apache.cloudstack.acl.api;
import java.util.List;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclPolicyPermission;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.iam.api.AclGroup;
import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.api.AclPolicyPermission;
import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
import com.cloud.user.Account;
@ -61,5 +64,14 @@ public interface AclApiService {
List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
/* Response Generation */
AclPolicyResponse createAclPolicyResponse(AclPolicy policy);
AclGroupResponse createAclGroupResponse(AclGroup group);
ListResponse<AclGroupResponse> listAclGroups(Long aclGroupId, String aclGroupName,
Long domainId, Long startIndex, Long pageSize);
ListResponse<AclPolicyResponse> listAclPolicies(Long aclPolicyId, String aclPolicyName,
Long domainId, Long startIndex, Long pageSize);
}

521
services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
View File

@ -16,7 +16,6 @@
// under the License.
package org.apache.cloudstack.acl.api;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
@ -25,53 +24,33 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.AclGroupAccountMapVO;
import org.apache.cloudstack.acl.AclGroupPolicyMapVO;
import org.apache.cloudstack.acl.AclGroupVO;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclPolicyPermission;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.AclPolicyVO;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclGroupDao;
import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao;
import org.apache.cloudstack.acl.dao.AclPolicyDao;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.iam.api.AclGroup;
import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.api.AclPolicyPermission;
import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService;
import com.cloud.api.ApiServerService;
import com.cloud.domain.Domain;
import com.cloud.domain.dao.DomainDao;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.storage.Snapshot;
import com.cloud.storage.Volume;
import com.cloud.template.VirtualMachineTemplate;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.dao.AccountDao;
import com.cloud.uservm.UserVm;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.GenericSearchBuilder;
import com.cloud.utils.db.JoinBuilder.JoinType;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.TransactionCallbackNoReturn;
import com.cloud.utils.db.TransactionStatus;
@Local(value = {AclApiService.class})
public class AclApiServiceImpl extends ManagerBase implements AclApiService, Manager {
@ -79,36 +58,15 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
public static final Logger s_logger = Logger.getLogger(AclApiServiceImpl.class);
private String _name;
@Inject
AccountManager _accountMgr;
@Inject
AccountDao _accountDao;
@Inject
AclPolicyDao _aclPolicyDao;
@Inject
AclGroupDao _aclGroupDao;
@Inject
EntityManager _entityMgr;
@Inject
AclGroupPolicyMapDao _aclGroupPolicyMapDao;
@Inject
AclGroupAccountMapDao _aclGroupAccountMapDao;
// @Inject
// AclApiPermissionDao _apiPermissionDao;
@Inject
AclPolicyPermissionDao _policyPermissionDao;
@Inject
ApiServerService _apiServer;
@Inject
IAMService _iamSrv;
@Inject
DomainDao _domainDao;
public static HashMap<String, Class> entityClassMap = new HashMap<String, Class>();
@ -125,355 +83,71 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true)
public AclGroup createAclGroup(Account caller, String aclGroupName, String description) {
Long domainId = caller.getDomainId();
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
// domain admin can only create role for his domain
if (caller.getDomainId() != domainId.longValue()) {
throw new PermissionDeniedException("Can't create acl group in domain " + domainId + ", permission denied");
}
Domain callerDomain = _domainDao.findById(domainId);
if (callerDomain == null) {
throw new InvalidParameterValueException("Caller does not have a domain");
}
// check if the role is already existing
AclGroup grp = _aclGroupDao.findByName(domainId, aclGroupName);
if (grp != null) {
throw new InvalidParameterValueException(
"Unable to create acl group with name " + aclGroupName
+ " already exisits for domain " + domainId);
}
AclGroupVO rvo = new AclGroupVO(aclGroupName, description);
rvo.setAccountId(caller.getAccountId());
rvo.setDomainId(domainId);
return _aclGroupDao.persist(rvo);
return _iamSrv.createAclGroup(aclGroupName, description, callerDomain.getPath());
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group")
public boolean deleteAclGroup(final Long aclGroupId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
final AclGroup grp = _aclGroupDao.findById(aclGroupId);
if (grp == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId
+ "; failed to delete acl group.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, grp);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this group related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this group related entry in acl_group_account table
List<AclGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
if (groupAcctMap != null) {
for (AclGroupAccountMapVO grpAcct : groupAcctMap) {
_aclGroupAccountMapDao.remove(grpAcct.getId());
}
}
// remove this group from acl_group table
_aclGroupDao.remove(aclGroupId);
}
});
return true;
return _iamSrv.deleteAclGroup(aclGroupId);
}
@Override
public List<AclGroup> listAclGroups(long accountId) {
GenericSearchBuilder<AclGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
groupSB.selectFields(groupSB.entity().getAclGroupId());
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
SearchCriteria<Long> groupSc = groupSB.create();
List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
SearchBuilder<AclGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclGroupVO> sc = sb.create();
sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
List<AclGroupVO> groups = _aclGroupDao.search(sc, null);
return new ArrayList<AclGroup>(groups);
return _iamSrv.listAclGroups(accountId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding accounts to acl group")
public AclGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add accounts to acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_account_map table
for (Long acctId : acctIds) {
// check account permissions
Account account = _accountDao.findById(acctId);
if (account == null) {
throw new InvalidParameterValueException("Unable to find account: " + acctId
+ "; failed to add account to acl group.");
}
_accountMgr.checkAccess(caller, null, true, account);
AclGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap == null) {
// not there already
grMap = new AclGroupAccountMapVO(groupId, acctId);
_aclGroupAccountMapDao.persist(grMap);
}
}
}
});
return group;
return _iamSrv.addAccountsToGroup(acctIds, groupId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing accounts from acl group")
public AclGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove accounts from acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_group_account_map table
for (Long acctId : acctIds) {
// check account permissions
Account account = _accountDao.findById(acctId);
if (account == null) {
throw new InvalidParameterValueException("Unable to find account: " + acctId
+ "; failed to add account to acl group.");
}
_accountMgr.checkAccess(caller, null, true, account);
AclGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap != null) {
// not removed yet
_aclGroupAccountMapDao.remove(grMap.getId());
}
}
}
});
return group;
return _iamSrv.removeAccountsFromGroup(acctIds, groupId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_CREATE, eventDescription = "Creating Acl Policy", create = true)
public AclPolicy createAclPolicy(Account caller, final String aclPolicyName, final String description, final Long parentPolicyId) {
Long domainId = caller.getDomainId();
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
// domain admin can only create role for his domain
if (caller.getDomainId() != domainId.longValue()) {
throw new PermissionDeniedException("Can't create acl role in domain " + domainId + ", permission denied");
}
}
// check if the role is already existing
AclPolicy ro = _aclPolicyDao.findByName(domainId, aclPolicyName);
if (ro != null) {
throw new InvalidParameterValueException(
"Unable to create acl policy with name " + aclPolicyName
+ " already exisits for domain " + domainId);
}
final long account_id = caller.getAccountId();
final long domain_id = domainId;
AclPolicy role = Transaction.execute(new TransactionCallback<AclPolicy>() {
@Override
public AclPolicy doInTransaction(TransactionStatus status) {
AclPolicyVO rvo = new AclPolicyVO(aclPolicyName, description);
rvo.setAccountId(account_id);
rvo.setDomainId(domain_id);
AclPolicy role = _aclPolicyDao.persist(rvo);
if (parentPolicyId != null) {
// copy parent role permissions
List<AclPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
if (perms != null) {
for (AclPolicyPermissionVO perm : perms) {
perm.setAclPolicyId(role.getId());
_policyPermissionDao.persist(perm);
}
}
}
return role;
}
});
return role;
return _iamSrv.createAclPolicy(aclPolicyName, description, parentPolicyId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_DELETE, eventDescription = "Deleting Acl Policy")
public boolean deleteAclPolicy(final long aclPolicyId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
final AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to delete acl policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this role related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this policy related entry in acl_policy_permission table
List<AclPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
if (policyPermMap != null) {
for (AclPolicyPermissionVO policyPerm : policyPermMap) {
_policyPermissionDao.remove(policyPerm.getId());
}
}
// remove this role from acl_role table
_aclPolicyDao.remove(aclPolicyId);
}
});
return true;
return _iamSrv.deleteAclPolicy(aclPolicyId);
}
@Override
public List<AclPolicy> listAclPolicies(long accountId) {
// static policies of the account
SearchBuilder<AclGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
GenericSearchBuilder<AclGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
policySB.selectFields(policySB.entity().getAclPolicyId());
policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
JoinType.INNER);
policySB.done();
SearchCriteria<Long> policySc = policySB.create();
policySc.setJoinParameters("accountgroupjoin", "account", accountId);
List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
SearchBuilder<AclPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
List<AclPolicyVO> policies = _aclPolicyDao.customSearch(sc, null);
return new ArrayList<AclPolicy>(policies);
return _iamSrv.listAclPolicies(accountId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Attaching policy to acl group")
public AclGroup attachAclPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add roles to acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long policyId : policyIds) {
// check policy permissions
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
_accountMgr.checkAccess(caller, null, true, policy);
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap == null) {
// not there already
grMap = new AclGroupPolicyMapVO(groupId, policyId);
_aclGroupPolicyMapDao.persist(grMap);
}
}
}
});
return group;
return _iamSrv.attachAclPoliciesToGroup(policyIds, groupId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing policies from acl group")
public AclGroup removeAclPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove roles from acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_role_map table
for (Long policyId : policyIds) {
// check policy permissions
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
_accountMgr.checkAccess(caller, null, true, policy);
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap != null) {
// not removed yet
_aclGroupPolicyMapDao.remove(grMap.getId());
}
}
}
});
return group;
return _iamSrv.removeAclPoliciesFromGroup(policyIds, groupId);
}
/*
@ -545,95 +219,33 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting acl permission to Acl Policy")
public AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to add permission to policy.");
Class<?> cmdClass = _apiServer.getCmdClass(action);
AccessType accessType = null;
if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
accessType = AccessType.ListEntry;
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission granting is not supported yet");
}
if (scope == PermissionScope.RESOURCE && scopeId != null) {
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId);
}
_accountMgr.checkAccess(caller, null, true, entity);
}
// add entry in acl_policy_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, perm);
if (permit == null) {
// not there already
Class<?> cmdClass = _apiServer.getCmdClass(action);
AccessType accessType = null;
if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
accessType = AccessType.ListEntry;
}
permit = new AclPolicyPermissionVO(aclPolicyId, action, entityType, accessType,
scope, scopeId, perm);
_policyPermissionDao.persist(permit);
}
return policy;
return _iamSrv.addAclPermissionToAclPolicy(aclPolicyId, entityType, scope.toString(), scopeId, action, accessType.toString(), perm);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking acl permission from Acl Policy")
public AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to revoke permission from policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission revoke is not supported yet");
}
if (scope == PermissionScope.RESOURCE && scopeId != null) {
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId);
}
_accountMgr.checkAccess(caller, null, true, entity);
}
// remove entry from acl_entity_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, null);
if (permit != null) {
// not removed yet
_policyPermissionDao.remove(permit.getId());
}
return policy;
return _iamSrv.removeAclPermissionFromAclPolicy(aclPolicyId, entityType, scope.toString(), scopeId, action);
}
@Override
public AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action) {
List<AclPolicy> roles = listAclPolicies(accountId);
List<AclPolicy> policies = _iamSrv.listAclPolicies(accountId);
AclPolicyPermission curPerm = null;
for (AclPolicy role : roles) {
AclPolicyPermissionVO perm = _policyPermissionDao.findByPolicyAndEntity(role.getId(), entityType, null, null, action, Permission.Allow);
if (perm == null)
for (AclPolicy policy : policies) {
List<AclPolicyPermission> perms = _iamSrv.listPollcyPermissionByEntityType(policy.getId(), action, entityType);
if (perms == null || perms.size() == 0)
continue;
AclPolicyPermission perm = perms.get(0); // just pick one
if (curPerm == null) {
curPerm = perm;
} else if (perm.getScope().greaterThan(curPerm.getScope())) {
} else if (PermissionScope.valueOf(perm.getScope()).greaterThan(PermissionScope.valueOf(curPerm.getScope()))) {
// pick the more relaxed allowed permission
curPerm = perm;
}
@ -646,44 +258,47 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
@Override
public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
boolean accessible = false;
List<Long> policyIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
policyIds.add(policy.getId());
}
SearchBuilder<AclPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("action", sb.entity().getAction(), Op.EQ);
sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
SearchCriteria<AclPolicyPermissionVO> sc = sb.create();
sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
List<AclPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
if (permissions != null && !permissions.isEmpty()) {
accessible = true;
}
return accessible;
return _iamSrv.isAPIAccessibleForPolicies(apiName, policies);
}
@Override
public List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(caller.getId());
List<AclPolicy> policies = _iamSrv.listAclPolicies(caller.getId());
// add any dynamic policies w.r.t the entity
if (caller.getId() == entity.getAccountId()) {
// The caller owns the entity
AclPolicy owner = _aclPolicyDao.findByName(Domain.ROOT_DOMAIN, "RESOURCE_OWNER");
policies.add(owner);
policies.add(_iamSrv.getResourceOwnerPolicy());
}
return policies;
}
@Override
public AclPolicyResponse createAclPolicyResponse(AclPolicy policy) {
// TODO Auto-generated method stub
return null;
}
@Override
public AclGroupResponse createAclGroupResponse(AclGroup group) {
// TODO Auto-generated method stub
return null;
}
@Override
public ListResponse<org.apache.cloudstack.acl.api.response.AclGroupResponse> listAclGroups(Long aclGroupId, String aclGroupName, Long domainId, Long startIndex, Long pageSize) {
// TODO Auto-generated method stub
return null;
}
@Override
public ListResponse<org.apache.cloudstack.acl.api.response.AclPolicyResponse> listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex,
Long pageSize) {
// TODO Auto-generated method stub
return null;
}
}

14
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/AddAccountToAclGroupCmd.java
View File

@ -18,9 +18,12 @@ package org.apache.cloudstack.acl.api.command;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -30,8 +33,8 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.AclGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
@ -44,6 +47,9 @@ public class AddAccountToAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddAccountToAclGroupCmd.class.getName());
private static final String s_name = "addaccounttoaclgroupresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -93,9 +99,9 @@ public class AddAccountToAclGroupCmd extends BaseAsyncCmd {
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.addAccountsToGroup(accountIdList, id);
AclGroup result = _aclApiSrv.addAccountsToGroup(accountIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
AclGroupResponse response = _aclApiSrv.createAclGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {

16
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/AddAclPermissionToAclPolicyCmd.java
View File

@ -16,11 +16,13 @@
// under the License.
package org.apache.cloudstack.acl.api.command;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -29,8 +31,9 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
@ -43,6 +46,9 @@ public class AddAclPermissionToAclPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddAclPermissionToAclPolicyCmd.class.getName());
private static final String s_name = "addaclpermissiontoaclpolicyresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -116,9 +122,9 @@ public class AddAclPermissionToAclPolicyCmd extends BaseAsyncCmd {
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl policy Id: " + getId());
// Only explicit ALLOW is supported for this release, no explicit deny
AclPolicy result = _aclService.addAclPermissionToAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action, Permission.Allow);
AclPolicy result = _aclApiSrv.addAclPermissionToAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action, Permission.Allow);
if (result != null) {
AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(result);
AclPolicyResponse response = _aclApiSrv.createAclPolicyResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {

16
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/AttachAclPolicyToAclGroupCmd.java
View File

@ -18,9 +18,13 @@ package org.apache.cloudstack.acl.api.command;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -29,9 +33,8 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.AclGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
@ -44,6 +47,9 @@ public class AttachAclPolicyToAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AttachAclPolicyToAclGroupCmd.class.getName());
private static final String s_name = "attachaclpolicytoaclgroupresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -93,9 +99,9 @@ public class AttachAclPolicyToAclGroupCmd extends BaseAsyncCmd {
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.attachAclPoliciesToGroup(policyIdList, id);
AclGroup result = _aclApiSrv.attachAclPoliciesToGroup(policyIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
AclGroupResponse response = _aclApiSrv.createAclGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {

14
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/CreateAclGroupCmd.java
View File

@ -16,9 +16,12 @@
// under the License.
package org.apache.cloudstack.acl.api.command;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@ -26,9 +29,9 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.DomainResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.AclGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
@ -40,6 +43,9 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
private static final String s_name = "createaclgroupresponse";
@Inject
public AclApiService _aclApiSrv;
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@ -113,7 +119,7 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
public void execute() {
AclGroup grp = _entityMgr.findById(AclGroup.class, getEntityId());
if (grp != null) {
AclGroupResponse response = _responseGenerator.createAclGroupResponse(grp);
AclGroupResponse response = _aclApiSrv.createAclGroupResponse(grp);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
@ -124,7 +130,7 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
@Override
public void create() throws ResourceAllocationException {
Account account = CallContext.current().getCallingAccount();
AclGroup result = _aclService.createAclGroup(account, name, description);
AclGroup result = _aclApiSrv.createAclGroup(account, name, description);
if (result != null) {
setEntityId(result.getId());
setEntityUuid(result.getUuid());

14
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/CreateAclPolicyCmd.java
View File

@ -16,9 +16,12 @@
// under the License.
package org.apache.cloudstack.acl.api.command;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -27,9 +30,9 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.DomainResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.AclPolicy;
import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
@ -41,6 +44,9 @@ public class CreateAclPolicyCmd extends BaseAsyncCreateCmd {
private static final String s_name = "createaclpolicyresponse";
@Inject
public AclApiService _aclApiSrv;
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@ -120,7 +126,7 @@ public class CreateAclPolicyCmd extends BaseAsyncCreateCmd {
public void execute() {
AclPolicy policy = _entityMgr.findById(AclPolicy.class, getEntityId());
if (policy != null) {
AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(policy);
AclPolicyResponse response = _aclApiSrv.createAclPolicyResponse(policy);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
@ -131,7 +137,7 @@ public class CreateAclPolicyCmd extends BaseAsyncCreateCmd {
@Override
public void create() throws ResourceAllocationException {
Account account = CallContext.current().getCallingAccount();
AclPolicy result = _aclService.createAclPolicy(account, name, description, parentPolicyId);
AclPolicy result = _aclApiSrv.createAclPolicy(account, name, description, parentPolicyId);
if (result != null) {
setEntityId(result.getId());
setEntityUuid(result.getUuid());

10
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/DeleteAclGroupCmd.java
View File

@ -16,8 +16,12 @@
// under the License.
package org.apache.cloudstack.acl.api.command;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -26,7 +30,6 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import com.cloud.event.EventTypes;
@ -37,6 +40,9 @@ public class DeleteAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteAclGroupCmd.class.getName());
private static final String s_name = "deleteaclgroupresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -70,7 +76,7 @@ public class DeleteAclGroupCmd extends BaseAsyncCmd {
@Override
public void execute(){
boolean result = _aclService.deleteAclGroup(id);
boolean result = _aclApiSrv.deleteAclGroup(id);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
setResponseObject(response);

10
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/DeleteAclPolicyCmd.java
View File

@ -16,8 +16,12 @@
// under the License.
package org.apache.cloudstack.acl.api.command;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -26,7 +30,6 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import com.cloud.event.EventTypes;
@ -37,6 +40,9 @@ public class DeleteAclPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteAclPolicyCmd.class.getName());
private static final String s_name = "deleteaclpolicyresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -70,7 +76,7 @@ public class DeleteAclPolicyCmd extends BaseAsyncCmd {
@Override
public void execute(){
boolean result = _aclService.deleteAclPolicy(id);
boolean result = _aclApiSrv.deleteAclPolicy(id);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
setResponseObject(response);

10
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/ListAclGroupsCmd.java
View File

@ -16,14 +16,17 @@
// under the License.
package org.apache.cloudstack.acl.api.command;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.ListResponse;
@ -33,6 +36,9 @@ public class ListAclGroupsCmd extends BaseListDomainResourcesCmd {
private static final String s_name = "listaclgroupsresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -68,7 +74,7 @@ public class ListAclGroupsCmd extends BaseListDomainResourcesCmd {
@Override
public void execute(){
ListResponse<AclGroupResponse> response = _queryService.listAclGroups(id, aclGroupName, getDomainId(),
ListResponse<AclGroupResponse> response = _aclApiSrv.listAclGroups(id, aclGroupName, getDomainId(),
getStartIndex(), getPageSizeVal());
response.setResponseName(getCommandName());
setResponseObject(response);

10
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/ListAclPoliciesCmd.java
View File

@ -16,14 +16,17 @@
// under the License.
package org.apache.cloudstack.acl.api.command;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.ListResponse;
@ -33,6 +36,9 @@ public class ListAclPoliciesCmd extends BaseListDomainResourcesCmd {
private static final String s_name = "listaclpoliciesresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -68,7 +74,7 @@ public class ListAclPoliciesCmd extends BaseListDomainResourcesCmd {
@Override
public void execute(){
ListResponse<AclPolicyResponse> response = _queryService.listAclPolicies(id, aclPolicyName, getDomainId(),
ListResponse<AclPolicyResponse> response = _aclApiSrv.listAclPolicies(id, aclPolicyName, getDomainId(),
getStartIndex(), getPageSizeVal());
response.setResponseName(getCommandName());
setResponseObject(response);

14
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/RemoveAccountFromAclGroupCmd.java
View File

@ -18,9 +18,12 @@ package org.apache.cloudstack.acl.api.command;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -30,8 +33,8 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.AclGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
@ -44,6 +47,9 @@ public class RemoveAccountFromAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAccountFromAclGroupCmd.class.getName());
private static final String s_name = "removeaccountfromaclgroupresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -93,9 +99,9 @@ public class RemoveAccountFromAclGroupCmd extends BaseAsyncCmd {
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.removeAccountsFromGroup(accountIdList, id);
AclGroup result = _aclApiSrv.removeAccountsFromGroup(accountIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
AclGroupResponse response = _aclApiSrv.createAclGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {

14
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/RemoveAclPermissionFromAclPolicyCmd.java
View File

@ -16,10 +16,13 @@
// under the License.
package org.apache.cloudstack.acl.api.command;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -28,8 +31,8 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.AclPolicy;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
@ -42,6 +45,9 @@ public class RemoveAclPermissionFromAclPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAclPermissionFromAclPolicyCmd.class.getName());
private static final String s_name = "removeaclpermissionfromaclpolicyresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -113,9 +119,9 @@ public class RemoveAclPermissionFromAclPolicyCmd extends BaseAsyncCmd {
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl policy Id: " + getId());
AclPolicy result = _aclService.removeAclPermissionFromAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action);
AclPolicy result = _aclApiSrv.removeAclPermissionFromAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action);
if (result != null) {
AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(result);
AclPolicyResponse response = _aclApiSrv.createAclPolicyResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {

16
services/iam/plugin/src/org/apache/cloudstack/acl/api/command/RemoveAclPolicyFromAclGroupCmd.java
View File

@ -18,9 +18,13 @@ package org.apache.cloudstack.acl.api.command;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.api.AclApiService;
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -29,9 +33,8 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.AclGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
@ -44,6 +47,9 @@ public class RemoveAclPolicyFromAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAclPolicyFromAclGroupCmd.class.getName());
private static final String s_name = "removeaclpolicyfromaclgroupresponse";
@Inject
public AclApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ -93,9 +99,9 @@ public class RemoveAclPolicyFromAclGroupCmd extends BaseAsyncCmd {
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.removeAclPoliciesFromGroup(policyIdList, id);
AclGroup result = _aclApiSrv.removeAclPoliciesFromGroup(policyIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
AclGroupResponse response = _aclApiSrv.createAclGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {

169
services/iam/plugin/src/org/apache/cloudstack/acl/api/response/AclGroupResponse.java Normal file
View File

@ -0,0 +1,169 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.api.response;
import java.util.LinkedHashSet;
import java.util.Set;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import org.apache.cloudstack.api.EntityReference;
import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
import com.cloud.serializer.Param;
@SuppressWarnings("unused")
@EntityReference(value = AclGroup.class)
public class AclGroupResponse extends BaseResponse implements ControlledViewEntityResponse {
@SerializedName(ApiConstants.ID)
@Param(description = "the ID of the acl group")
private String id;
@SerializedName(ApiConstants.NAME)
@Param(description = "the name of the acl group")
private String name;
@SerializedName(ApiConstants.DESCRIPTION)
@Param(description = "the description of the acl group")
private String description;
@SerializedName(ApiConstants.DOMAIN_ID)
@Param(description = "the domain ID of the acl group")
private String domainId;
@SerializedName(ApiConstants.DOMAIN)
@Param(description = "the domain name of the acl role")
private String domainName;
@SerializedName(ApiConstants.ACCOUNT)
@Param(description = "the account owning the policy")
private String accountName;
@SerializedName(ApiConstants.ACL_MEMBER_ACCOUNTS)
@Param(description = "account names assigned to this acl group ")
private Set<String> accountNameList;
@SerializedName(ApiConstants.ACL_POLICIES)
@Param(description = "acl policies attached to this acl group ")
private Set<String> policyNameList;
public AclGroupResponse() {
accountNameList = new LinkedHashSet<String>();
policyNameList = new LinkedHashSet<String>();
}
@Override
public String getObjectId() {
return getId();
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public void setName(String name) {
this.name = name;
}
public void setDescription(String description) {
this.description = description;
}
@Override
public void setDomainId(String domainId) {
this.domainId = domainId;
}
@Override
public void setDomainName(String domainName) {
this.domainName = domainName;
}
@Override
public void setAccountName(String accountName) {
this.accountName = accountName;
}
@Override
public void setProjectId(String projectId) {
// TODO Auto-generated method stub
}
@Override
public void setProjectName(String projectName) {
// TODO Auto-generated method stub
}
public void setMemberAccounts(Set<String> accts) {
accountNameList = accts;
}
public void addMemberAccount(String acct) {
accountNameList.add(acct);
}
public void setPolicyList(Set<String> policies) {
policyNameList = policies;
}
public void addPolicy(String policy) {
policyNameList.add(policy);
}
public Set<String> getPolicyList() {
return policyNameList;
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((id == null) ? 0 : id.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (getClass() != obj.getClass())
return false;
AclGroupResponse other = (AclGroupResponse)obj;
if (id == null) {
if (other.id != null)
return false;
} else if (!id.equals(other.id))
return false;
return true;
}
}

125
services/iam/plugin/src/org/apache/cloudstack/acl/api/response/AclPermissionResponse.java Normal file
View File

@ -0,0 +1,125 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.api.response;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.AclPolicyPermission;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import com.cloud.serializer.Param;
public class AclPermissionResponse extends BaseResponse {
@SerializedName(ApiConstants.ACL_ACTION)
@Param(description = "action of this permission")
private String action;
@SerializedName(ApiConstants.ENTITY_TYPE)
@Param(description = "the entity type of this permission")
private AclEntityType entityType;
@SerializedName(ApiConstants.ACL_SCOPE)
@Param(description = "scope of this permission")
private PermissionScope scope;
@SerializedName(ApiConstants.ACL_SCOPE_ID)
@Param(description = "scope id of this permission")
private Long scopeId;
@SerializedName(ApiConstants.ACL_ALLOW_DENY)
@Param(description = "allow or deny of this permission")
private AclPolicyPermission.Permission permission;
public AclEntityType getEntityType() {
return entityType;
}
public void setEntityType(AclEntityType entityType) {
this.entityType = entityType;
}
public String getAction() {
return action;
}
public void setAction(String action) {
this.action = action;
}
public PermissionScope getScope() {
return scope;
}
public void setScope(PermissionScope scope) {
this.scope = scope;
}
public Long getScopeId() {
return scopeId;
}
public void setScopeId(Long scopeId) {
this.scopeId = scopeId;
}
public AclPolicyPermission.Permission getPermission() {
return permission;
}
public void setPermission(AclPolicyPermission.Permission permission) {
this.permission = permission;
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((action == null) ? 0 : action.hashCode());
result = prime * result + ((entityType == null) ? 0 : entityType.hashCode());
result = prime * result + ((scope == null) ? 0 : scope.hashCode());
result = prime * result + ((scopeId == null) ? 0 : scopeId.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (getClass() != obj.getClass())
return false;
AclPermissionResponse other = (AclPermissionResponse) obj;
if ((entityType == null && other.entityType != null) || !entityType.equals(other.entityType)) {
return false;
} else if ((action == null && other.action != null) || !action.equals(other.action)) {
return false;
} else if ((scope == null && other.scope != null) || !scope.equals(other.scope)) {
return false;
} else if ((scopeId == null && other.scopeId != null) || !scopeId.equals(other.scopeId)) {
return false;
}
return true;
}
}

157
services/iam/plugin/src/org/apache/cloudstack/acl/api/response/AclPolicyResponse.java Normal file
View File

@ -0,0 +1,157 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.api.response;
import java.util.LinkedHashSet;
import java.util.Set;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import org.apache.cloudstack.api.EntityReference;
import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
import com.cloud.serializer.Param;
@SuppressWarnings("unused")
@EntityReference(value = AclPolicy.class)
public class AclPolicyResponse extends BaseResponse implements ControlledViewEntityResponse {
@SerializedName(ApiConstants.ID)
@Param(description = "the ID of the acl policy")
private String id;
@SerializedName(ApiConstants.NAME)
@Param(description = "the name of the acl policy")
private String name;
@SerializedName(ApiConstants.DESCRIPTION)
@Param(description = "the description of the acl policy")
private String description;
@SerializedName(ApiConstants.DOMAIN_ID)
@Param(description = "the domain ID of the acl policy")
private String domainId;
@SerializedName(ApiConstants.DOMAIN)
@Param(description = "the domain name of the acl policy")
private String domainName;
@SerializedName(ApiConstants.ACCOUNT)
@Param(description = "the account owning the policy")
private String accountName;
@SerializedName(ApiConstants.ACL_PERMISSIONS)
@Param(description = "set of permissions for the acl policy")
private Set<AclPermissionResponse> permissionList;
public AclPolicyResponse() {
permissionList = new LinkedHashSet<AclPermissionResponse>();
}
@Override
public String getObjectId() {
return getId();
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public void setName(String name) {
this.name = name;
}
public void setDescription(String description) {
this.description = description;
}
@Override
public void setDomainId(String domainId) {
this.domainId = domainId;
}
@Override
public void setDomainName(String domainName) {
this.domainName = domainName;
}
public Set<AclPermissionResponse> getPermissionList() {
return permissionList;
}
public void setPermissionList(Set<AclPermissionResponse> perms) {
permissionList = perms;
}
public void addPermission(AclPermissionResponse perm) {
permissionList.add(perm);
}
@Override
public void setAccountName(String accountName) {
this.accountName = accountName;
}
@Override
public void setProjectId(String projectId) {
// TODO Auto-generated method stub
}
@Override
public void setProjectName(String projectName) {
// TODO Auto-generated method stub
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((id == null) ? 0 : id.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (getClass() != obj.getClass())
return false;
AclPolicyResponse other = (AclPolicyResponse) obj;
if (id == null) {
if (other.id != null)
return false;
} else if (!id.equals(other.id))
return false;
return true;
}
}

4
services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
View File

@ -50,8 +50,12 @@ public interface IAMService {
AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
String action);
AclPolicy getResourceOwnerPolicy();
List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope);
List<AclPolicyPermission> listPollcyPermissionByEntityType(long policyId, String action, String entityType);
boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
List<Long> getGrantedEntities(long accountId, String action, String scope);

13
services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
View File

@ -535,4 +535,17 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
return pl;
}
@Override
public List<AclPolicyPermission> listPollcyPermissionByEntityType(long policyId, String action, String entityType) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
pl.addAll(pp);
return pl;
}
@Override
public AclPolicy getResourceOwnerPolicy() {
return _aclPolicyDao.findByName("RESOURCE_OWNER");
}
}