diff --git a/api/src/org/apache/cloudstack/acl/PermissionScope.java b/api/src/org/apache/cloudstack/acl/PermissionScope.java
index a895535e52f..03dbc107f0b 100644
--- a/api/src/org/apache/cloudstack/acl/PermissionScope.java
+++ b/api/src/org/apache/cloudstack/acl/PermissionScope.java
@@ -4,7 +4,7 @@ public enum PermissionScope {
 RESOURCE(0),
 ACCOUNT(1),
 DOMAIN(2),
- REGION(3);
+ REGION(3), ALL(4);
 private int _scale;
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
index 1bcecabdd61..ef8cfc48d47 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
@@ -71,7 +71,15 @@ public class AclPermissionVO implements AclPermission {
 }
-
+ public AclPermissionVO(String action, String entityType, AccessType accessType, PermissionScope scope,
+ Long scopeId, Permission permission) {
+ this.action = action;
+ this.entityType = entityType;
+ this.accessType = accessType;
+ this.scope = scope;
+ this.scopeId = scopeId;
+ this.permission = permission;
+ }
 @Override
 public long getId() {
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java
new file mode 100644
index 00000000000..d24b0445166
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java
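Review bot: The new `ALL(4)` constant in PermissionScope carries no comment stating what it spans beyond `REGION(3)`, and this commit immediately uses it as the scope granted to every Admin-authorized API in ApiServer, so the breadth of that grant should be spelled out at the declaration. If `_scale` is meant to order scopes by breadth, a trailing comment such as `ALL(4); // broader than REGION: not bounded by region, domain or account; used for admin-wide API grants` would make both the ordering and the intent explicit. The rest of the enum body, including how `_scale` is read, lies outside the hunk.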
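Review bot: The new six-argument AclPermissionVO constructor stores every argument unchecked and nothing documents which of them may be null, yet the only caller in this commit (ApiServer) passes null for `entityType`, `accessType` and `scopeId`. A short Javadoc naming the nullable parameters, plus `this.action = Objects.requireNonNull(action, "action");` and `this.scope = Objects.requireNonNull(scope, "scope");`, would make a malformed permission fail at construction instead of presumably being persisted as a row with null action or scope. Whether the class's other constructors initialise additional fields (a uuid, for instance) that this one leaves unset cannot be told from the hunk; the surrounding class continues outside it.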
@@ -0,0 +1,24 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import org.apache.cloudstack.acl.AclPermissionVO;
+import com.cloud.utils.db.GenericDao;
+
+public interface AclPermissionDao extends GenericDao {
+
+}
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java
new file mode 100644
index 00000000000..1b5f63ecb86
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java
@@ -0,0 +1,41 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.acl.AclPermissionVO;
+import com.cloud.utils.db.GenericDaoBase;
+
+public class AclPermissionDaoImpl extends GenericDaoBase implements AclPermissionDao {
+
+ public AclPermissionDaoImpl()
+ {
+
+ }
+
+ @Override
+ public boolean configure(String name, Map params) throws ConfigurationException {
+ super.configure(name, params);
+
+ return true;
+ }
+
+
+}
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDao.java
new file mode 100644
index 00000000000..0b18e363060
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDao.java
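Review bot: `configure` in AclPermissionDaoImpl discards the boolean returned by `super.configure(name, params)` and unconditionally returns true, so a base-class configuration that reports failure would still be announced as success to the container; `return super.configure(name, params);` preserves the superclass's answer. AclPolicyPermissionMapDaoImpl in this same commit has the identical override and should get the same change. The empty public constructors in both classes add nothing over the implicit default constructor and can be removed.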
@@ -0,0 +1,25 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import org.apache.cloudstack.acl.AclPolicyPermissionMapVO;
+
+import com.cloud.utils.db.GenericDao;
+
+public interface AclPolicyPermissionMapDao extends GenericDao {
+
+}
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDaoImpl.java
new file mode 100644
index 00000000000..fe4579d3cf9
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDaoImpl.java
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.acl.AclPolicyPermissionMapVO;
+
+import com.cloud.utils.db.GenericDaoBase;
+
+public class AclPolicyPermissionMapDaoImpl extends GenericDaoBase implements
+ AclPolicyPermissionMapDao {
+
+ public AclPolicyPermissionMapDaoImpl()
+ {
+
+ }
+
+ @Override
+ public boolean configure(String name, Map params) throws ConfigurationException {
+ super.configure(name, params);
+
+ return true;
+ }
+
+
+}
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 0ed6a683409..1dfbd4511a1 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -52,6 +52,14 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.AclPermissionVO;
+import org.apache.cloudstack.acl.AclPolicyPermissionMapVO;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.AclPermission.Permission;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.dao.AclPermissionDao;
+import org.apache.cloudstack.acl.dao.AclPolicyPermissionMapDao;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
@@ -171,6 +179,10 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
 List _pluggableServices;
 List _apiAccessCheckers;
+ @Inject
+ private AclPermissionDao _aclPermissionDao;
+ @Inject
+ private AclPolicyPermissionMapDao _aclPolicyPermissionMapDao;
 @Inject
 protected ApiAsyncJobDispatcher _asyncDispatcher;
@@ -233,6 +245,51 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
 _apiNameCmdClassMap.put(apiName, apiCmdList);
 }
 apiCmdList.add(cmdClass);
+
+ boolean isReadCommand = false;
+ BaseCmd cmdObj;
+ try {
+ cmdObj = (BaseCmd) cmdClass.newInstance();
+ if (cmdObj instanceof BaseListCmd) {
+ isReadCommand = true;
+ }
+ } catch (Exception e) {
+ }
+
+ for (RoleType role : at.authorized()) {
+ AclPermissionVO apiPermission = null;
+ switch (role) {
+ case User:
+ apiPermission = new AclPermissionVO(apiName, null, null, PermissionScope.ACCOUNT, null,
+ Permission.Allow);
+ break;
+
+ case Admin:
+ apiPermission = new AclPermissionVO(apiName, null, null, PermissionScope.ALL, null,
+ Permission.Allow);
+ break;
+
+ case DomainAdmin:
+ apiPermission = new AclPermissionVO(apiName, null, null, PermissionScope.DOMAIN, null,
+ Permission.Allow);
+ break;
+
+ case ResourceAdmin:
+ apiPermission = new AclPermissionVO(apiName, null, null, PermissionScope.DOMAIN, null,
+ Permission.Allow);
+ break;
+ }
+
+ if (apiPermission != null) {
+ if (isReadCommand) {
+ apiPermission.setAccessType(AccessType.ListEntry);
+ }
+ _aclPermissionDao.persist(apiPermission);
+ AclPolicyPermissionMapVO policyPermMapEntry = new AclPolicyPermissionMapVO(role.ordinal() + 1,
+ apiPermission.getId());
+ _aclPolicyPermissionMapDao.persist(policyPermMapEntry);
+ }
+ }
 }
 encodeApiResponse = Boolean.valueOf(_configDao.getValue(Config.EncodeApiResponse.key()));
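Review bot: The read-command probe at the top of the added block instantiates every registered API command class through `cmdClass.newInstance()` and swallows whatever it throws in an empty `catch (Exception e)`, so a command whose constructor fails is silently classified as a non-list command and the failure is never logged; the same answer is available without instantiation as `boolean isReadCommand = BaseListCmd.class.isAssignableFrom(cmdClass);`, which removes the try/catch and the `cmdObj` local entirely. Further down, `role.ordinal() + 1` is used as the policy id passed to AclPolicyPermissionMapVO, which ties persisted ACL policy rows to the declaration order of `RoleType` — inserting or reordering a constant would silently move every API grant to a different policy — so an explicit role-to-policy lookup (an EnumMap, or an id field on RoleType) is the safer key. This block also sits inside the command-registration loop, which appears to run on every start, and nothing visible here guards against persisting the same permission and mapping rows again on each restart; worth confirming the DAO or schema deduplicates. The enclosing method and the `at` annotation variable begin outside the hunk.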