This feature allows root administrators to define new roles and associate API
permissions to them.
A limited form of role-based access control for the CloudStack management server
API is provided through a properties file, commands.properties, embedded in the
WAR distribution. Therefore, customizing API permissions requires unpacking the
distribution and modifying this file consistently on all servers. The old system
also does not permit the specification of additional roles.
FS:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack
DB-Backed Dynamic Role Based API Access Checker for CloudStack brings following
changes, features and use-cases:
- Moves the API access definitions from commands.properties to the mgmt server DB
- Allows defining custom roles (such as a read-only ROOT admin) beyond the
  current set of four (4) roles
- All roles will resolve to one of the four known roles types (Admin, Resource
  Admin, Domain Admin and User) which maintains this association by requiring
  all new defined roles to specify a role type.
- Allows changes to roles and API permissions per role at runtime including
  additions or removal of roles and/or modifications of permissions, without
  the need of restarting management server(s)
Upgrade/installation notes:
- The feature will be enabled by default for new installations, existing
  deployments will continue to use the older static role based api access
  checker with an option to enable this feature
- During fresh installation or upgrade, the upgrade paths will add four default
  roles based on the four default role types
- For ease of migration, at the time of upgrade commands.properties will be used
  to add existing set of permissions to the default roles. cloud.account
  will have a new role_id column which will be populated based on default roles
  as well
Dynamic-roles migration tool: scripts/util/migrate-dynamicroles.py
- Allows admins to migrate to the dynamic role based checker at a future date
- Performs a harder one-way migrate and update
- Migrates rules from existing commands.properties file into db and deprecates it
- Enables an internal hidden switch to enable dynamic role based checker feature
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
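The migration this commit message describes, as an added sketch (not the project's scripts/util/migrate-dynamicroles.py or any CloudStack code): static commands.properties entries are expanded into per-role allow rules, and a custom read-only admin role is then defined against a role type. It assumes the commands.properties bitmask convention of 1 = Admin, 2 = Resource Admin, 4 = Domain Admin, 8 = User, and a default-deny check; all function names and the sample entries are constructed for illustration.

```python
# Added illustration; migrate(), add_custom_role(), is_allowed() are hypothetical names.
# Assumed bitmask convention: 1=Admin, 2=Resource Admin, 4=Domain Admin, 8=User.
ROLE_TYPE_BITS = {"Admin": 1, "ResourceAdmin": 2, "DomainAdmin": 4, "User": 8}

# Constructed sample in commands.properties form (apiName=bitmask), not the shipped file.
SAMPLE_PROPERTIES = """\
# constructed sample
listVirtualMachines=15
createAccount=7
listHosts=3
addHost=1
brokenEntry=notanumber
"""

def migrate(properties_text):
    """Expand each bitmask into allow rules for the four default roles."""
    roles = {n: {"type": n, "allow": set()} for n in ROLE_TYPE_BITS}
    skipped = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        api, _, mask = (part.strip() for part in line.partition("="))
        if not mask.isdigit():
            skipped.append(api)  # report it; never guess a permission
            continue
        for name, bit in ROLE_TYPE_BITS.items():
            if int(mask) & bit:
                roles[name]["allow"].add(api)
    return roles, skipped

def add_custom_role(roles, name, role_type, apis):
    """A new role must resolve to one of the four known role types."""
    if role_type not in ROLE_TYPE_BITS:
        raise ValueError("unknown role type: " + role_type)
    if name in roles:
        raise ValueError("role already exists: " + name)
    roles[name] = {"type": role_type, "allow": set(apis)}

def is_allowed(roles, role_name, api):
    """Default deny: an unknown role or an unlisted API is refused."""
    role = roles.get(role_name)
    return role is not None and api in role["allow"]
```

Entries that fail to parse are returned in `skipped` so an operator can review them before switching checkers, rather than being silently granted or dropped.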
- Removed regex-based search/replace of sensitive data on API response introduced as part of commit b0c6d47347
- Added new response serializer to skip sensitive data from getting logged based on annotation present in response object fields
- Added new parameter 'isSensitive' to @Param for marking a field as sensitive in response objects
This removes extra whitespaces from the JSON serialized response.
After the fix, tested to work with:
- Present UI
- CloudMonkey
- Old buggy json parsers
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 921ad057de)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
API discovery plugin will return embedded entities for marvin to
discover and generate its API classes.
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
This is part 1 of list API refactoring. Commands covered:
listVmsCmd, listRoutersCmd Response covered:
UserVmResponse, DomainRouterResponse. DB views created:
user_vm_view, domain_router_view.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Refactor VPN and VM APIs to admin and user pkgs
- Names space, org.apache.cloudstack
- Fix refactored apis in commands*.in
- Fix comments etc.
- Expand tabs, remove trailing whitespace
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
Description:
Incorrectly removed part of the XML serializer that serialized
the IdentityProxy object in normal responses, when putting in
support for serialization of lists of IdentityProxy objects in
exception responses as part of the code changes put in for bug
13217, resulting in this bug. Putting it back in place.
Description:
Modified the IdentityTypeAdapter's custom serializer to
identify whether this is an exception response that is being
serialized, by checking if the idFieldName is set. If so,
serialize both uuid and the uuidProperty (for eg, zoneId and
"zoneId" (string)) and pass back the json representation of that.
Modified XML serializer also to build a list of uuids+fieldnames.
Introduced a new field "cserrorcode" in ExceptionResponse. This
refers to an error code that can be according to the specific
Exception being thrown. This will be serialized as usual. There
shouldn't be any need to do a db lookup for conversion for these
error codes.
Description:
Modify Exception handling to enable addition of multiple
uuids in a single exception thrown by API functions. Both
XML and JSON outputs will store all uuids and Fieldnames.
This will make it easier to provide more information when
an exception occurs - for example, a zone id, a cluster id,
host id, and then a specific property id.
Description:
Added a field name for the db id in the IdentityProxy class, and
modified setProxyObject() to take an additional id name parameter.
This will let us know the name of the uuid that we are returning.
E.g.- domainId, zoneId, etc. The client can view this field in
the json/xml output. Modified the JSON/XML serialization routines
to append this new parameter to the serialized output for Exception
Responses.
Description:
1) Put in an IdentityProxy object in the ExceptionResponse class.
This allows us to copy over the IdentityProxy object contained
in the exception caught by handlerequest() when thrown by the
command's execute() method, into the Response object that is
prepared to return an exception response to the calling API
invocation.
2) Modified the GSON serialization method to convert the entire
exception object into JSON format and not just the error text.
3) Modify the updateDomain API to populate the exception it throws
upon detecting a duplicate domain to include the tablename and
domain db id in the exception's IdentityProxy object.
NOTE:
1) We can modify the base exception classes and the ExceptionResponse
class to contain a list of IdentityProxy objects rather than a
single one.
2) We will need to modify all commands such that wherever applicable
(wherever a db id is involved), they populate the IdentityProxy
object(s) before throwing an exception.
Description:
1) Adding two new classes, CloudException and RunTimeCloudException.
The former extends Exception and the latter RunTimeException.
These will be used by classes that formerly directly extended
Exception and RuntimeException. These two classes have an attribute
of type IdentityProxy to enable exceptions to fill in db ids in separate
attribute fields rather than in a string. Doing so will allow the
serialization module (GSON for JSON and other for XML) to kick in
and convert this db id to a uuid in ApiServer.java just before the
JSON/XML responses are sent out.
2) Moving IdentityProxy.java from api/ to utils/ since
both CloudException and RuntimeCloudException refer to it.
3) Changing references to IdentityProxy class from api/ to utils/.
4) While rebasing to master, a new file was added, merging
api/src/com/cloud/api/response/IsoVmResponse.java to this diff.