mirror of https://github.com/apache/cloudstack.git
server: optimize account creation by pre-loading the role permissions
This commit is contained in:
Wei Zhou
parent
1a251c8b78
commit
e5848acdd0
|
|
@ -19,6 +19,7 @@ package org.apache.cloudstack.acl;
|
|||
import com.cloud.exception.PermissionDeniedException;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.User;
|
||||
import com.cloud.utils.Pair;
|
||||
import com.cloud.utils.component.Adapter;
|
||||
|
||||
import java.util.List;
|
||||
|
|
@ -43,4 +44,7 @@ public interface APIChecker extends Adapter {
|
|||
*/
|
||||
List<String> getApisAllowedToUser(Role role, User user, List<String> apiNames) throws PermissionDeniedException;
|
||||
boolean isEnabled();
|
||||
|
||||
Pair<Role, List<RolePermission>> getRolePermissions(long roleId);
|
||||
boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -107,7 +107,8 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
|
|||
return accountService.getAccount(accountId);
|
||||
}
|
||||
|
||||
protected Pair<Role, List<RolePermission>> getRolePermissions(long roleId) {
|
||||
@Override
|
||||
public Pair<Role, List<RolePermission>> getRolePermissions(long roleId) {
|
||||
final Role accountRole = roleService.findRole(roleId);
|
||||
if (accountRole == null || accountRole.getId() < 1L) {
|
||||
return new Pair<>(null, null);
|
||||
|
|
@ -149,7 +150,7 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
|
|||
throw new PermissionDeniedException(String.format("Account role for user id [%s] cannot be found.", user.getUuid()));
|
||||
}
|
||||
if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId()) {
|
||||
logger.info("Account for user id {} is Root Admin or Domain Admin, all APIs are allowed.", user.getUuid());
|
||||
logger.info("Account for user id {} is Root Admin, all APIs are allowed.", user.getUuid());
|
||||
return true;
|
||||
}
|
||||
List<RolePermission> allPermissions = roleAndPermissions.second();
|
||||
|
|
@ -180,6 +181,25 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
|
|||
throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account %s.", commandName, account));
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) {
|
||||
if (accountRole == null) {
|
||||
throw new PermissionDeniedException(String.format("The account [%s] has role null or unknown.", account));
|
||||
}
|
||||
|
||||
if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId()) {
|
||||
if (logger.isTraceEnabled()) {
|
||||
logger.trace(String.format("Account [%s] is Root Admin, all APIs are allowed.", account));
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
if (checkApiPermissionByRole(accountRole, commandName, allPermissions)) {
|
||||
return true;
|
||||
}
|
||||
throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account %s.", commandName, account));
|
||||
}
|
||||
|
||||
/**
|
||||
* Only one strategy should be used between StaticRoleBasedAPIAccessChecker and DynamicRoleBasedAPIAccessChecker
|
||||
* Default behavior is to use the Dynamic version. The StaticRoleBasedAPIAccessChecker is the legacy version.
|
||||
|
|
|
|||
|
|
@ -21,8 +21,8 @@ import java.util.Map;
|
|||
|
||||
import javax.inject.Inject;
|
||||
import javax.naming.ConfigurationException;
|
||||
import org.apache.cloudstack.acl.RolePermissionEntity.Permission;
|
||||
|
||||
import org.apache.cloudstack.acl.RolePermissionEntity.Permission;
|
||||
import org.apache.cloudstack.context.CallContext;
|
||||
|
||||
import com.cloud.exception.PermissionDeniedException;
|
||||
|
|
@ -33,6 +33,7 @@ import com.cloud.projects.dao.ProjectAccountDao;
|
|||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountService;
|
||||
import com.cloud.user.User;
|
||||
import com.cloud.utils.Pair;
|
||||
import com.cloud.utils.component.AdapterBase;
|
||||
import com.cloud.utils.component.PluggableService;
|
||||
|
||||
|
|
@ -195,4 +196,14 @@ public class ProjectRoleBasedApiAccessChecker extends AdapterBase implements AP
|
|||
public void setServices(List<PluggableService> services) {
|
||||
this.services = services;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Pair<Role, List<RolePermission>> getRolePermissions(long roleId) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,6 +33,7 @@ import com.cloud.exception.PermissionDeniedException;
|
|||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountService;
|
||||
import com.cloud.user.User;
|
||||
import com.cloud.utils.Pair;
|
||||
import com.cloud.utils.PropertiesUtil;
|
||||
import com.cloud.utils.component.AdapterBase;
|
||||
import com.cloud.utils.component.PluggableService;
|
||||
|
|
@ -200,4 +201,13 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
|
|||
this.commandPropertyFiles = commandPropertyFiles;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Pair<Role, List<RolePermission>> getRolePermissions(long roleId) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ import net.sf.ehcache.Cache;
|
|||
import net.sf.ehcache.CacheManager;
|
||||
|
||||
import org.apache.cloudstack.acl.Role;
|
||||
import org.apache.cloudstack.acl.RolePermission;
|
||||
import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
|
|
@ -42,6 +43,7 @@ import com.cloud.exception.RequestLimitException;
|
|||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountService;
|
||||
import com.cloud.user.User;
|
||||
import com.cloud.utils.Pair;
|
||||
import com.cloud.utils.component.AdapterBase;
|
||||
|
||||
@Component
|
||||
|
|
@ -256,4 +258,14 @@ public class ApiRateLimitServiceImpl extends AdapterBase implements APIChecker,
|
|||
this.enabled = enabled;
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public Pair<Role, List<RolePermission>> getRolePermissions(long roleId) {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,6 +47,7 @@ import org.apache.cloudstack.acl.ControlledEntity;
|
|||
import org.apache.cloudstack.acl.InfrastructureEntity;
|
||||
import org.apache.cloudstack.acl.QuerySelector;
|
||||
import org.apache.cloudstack.acl.Role;
|
||||
import org.apache.cloudstack.acl.RolePermission;
|
||||
import org.apache.cloudstack.acl.RoleService;
|
||||
import org.apache.cloudstack.acl.RoleType;
|
||||
import org.apache.cloudstack.acl.SecurityChecker;
|
||||
|
|
@ -1431,29 +1432,35 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
|||
requested.getUuid(),
|
||||
requested.getRoleId()));
|
||||
}
|
||||
if (caller.getRoleId().equals(requested.getRoleId())) {
|
||||
return;
|
||||
}
|
||||
List<APIChecker> apiCheckers = getEnabledApiCheckers();
|
||||
for (APIChecker apiChecker : apiCheckers) {
|
||||
checkApiAccess(apiChecker, caller, requested);
|
||||
}
|
||||
}
|
||||
|
||||
private void checkApiAccess(APIChecker apiChecker, Account caller, Account requested) throws PermissionDeniedException {
|
||||
Pair<Role, List<RolePermission>> roleAndPermissionsForCaller = apiChecker.getRolePermissions(caller.getRoleId());
|
||||
Pair<Role, List<RolePermission>> roleAndPermissionsForRequested = apiChecker.getRolePermissions(requested.getRoleId());
|
||||
for (String command : apiNameList) {
|
||||
try {
|
||||
checkApiAccess(apiCheckers, requested, command);
|
||||
} catch (PermissionDeniedException pde) {
|
||||
if (logger.isTraceEnabled()) {
|
||||
logger.trace(String.format(
|
||||
"Checking for permission to \"%s\" is irrelevant as it is not requested for %s [%s]",
|
||||
command,
|
||||
requested.getAccountName(),
|
||||
requested.getUuid()
|
||||
)
|
||||
);
|
||||
if (roleAndPermissionsForRequested == null) {
|
||||
apiChecker.checkAccess(caller, command);
|
||||
} else {
|
||||
apiChecker.checkAccess(caller, command, roleAndPermissionsForRequested.first(), roleAndPermissionsForRequested.second());
|
||||
}
|
||||
} catch (PermissionDeniedException pde) {
|
||||
continue;
|
||||
}
|
||||
// so requested can, now make sure caller can as well
|
||||
try {
|
||||
if (logger.isTraceEnabled()) {
|
||||
logger.trace(String.format("permission to \"%s\" is requested",
|
||||
command));
|
||||
if (roleAndPermissionsForCaller == null) {
|
||||
apiChecker.checkAccess(caller, command);
|
||||
} else {
|
||||
apiChecker.checkAccess(caller, command, roleAndPermissionsForCaller.first(), roleAndPermissionsForCaller.second());
|
||||
}
|
||||
checkApiAccess(apiCheckers, caller, command);
|
||||
} catch (PermissionDeniedException pde) {
|
||||
String msg = String.format("User of Account %s and domain %s can not create an account with access to more privileges they have themself.",
|
||||
caller, _domainMgr.getDomain(caller.getDomainId()));
|
||||
|
|
|
|||
Loading…
Reference in New Issue