19eb06bd3e
version to 4.4.1 on remaining modules
2014-07-26 20:35:31 +02:00
6ba541afb7
Disable IAM feature from 4.4 release.
...
Conflicts:
test/integration/smoke/test_vm_iam.py
2014-05-21 13:49:11 +02:00
42e547cf02
CLOUDSTACK-6617: [Automation] detach / resize volume test cases failing
...
with permission error.
2014-05-13 11:34:29 +02:00
89e0e63253
CLOUDSTACK-6600: fix a bug in IAM cache in constructing cache key.
2014-05-13 11:21:22 +02:00
ad8d26958c
CLOUDSTACK-6600:IAM Security checker needs to have cache to improve
...
checkAccess performance.
2014-05-13 11:19:23 +02:00
c32b7ab7c8
CLOUDSTACK-6517: IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have " UseEntry" permission for IpAddress.
...
Changes:
- IAM was applying ordering on accessTypes. Thus if an account had Operate, he got USe access as well. So even if IAM schema did not have 'UseEntry" permission for IpAddress, some other 'OperateEntry' permission on IpAddress was letting this operation go through.
- Fixed IAM to NOT do ordering of access types anymore. IAm will perform strict accessType check only.
- This fix is needed so that admin does not get permission to USE resources from other account just becase he has OPERATE access on those resources due to some other APIs.
- However due to this fix, we break backwards compatibilty with CS 4.3.
- CS 4.3 allowed root admin to do the createPF operation for a user by passing in networkId of the user.
- Same was the case for domain admins within their domains
- Why this worked was due to CS 4.3 simply returning true for root admin/domain admin
- So to maintain backwards compatibilty, we are adding the logic to return "true" for root admin and domain admin just like CS 4.3.
- Exception is: For Network, AffinityGroup and Templates, we still call IAM even for root admin/domain admin, since thats what CS 4.3 did. Just for these 3 resource_types, it used to perform access checks even for root admin/domain admin.
2014-05-01 08:36:39 +02:00
504bd0377d
CLOUDSTACK-6533: IAM - Templates - Public templates do not have
...
permissions to be used by ROOT group.
2014-04-30 10:38:55 +02:00
0233bc88ba
CLOUDSTACK-6458: IAM - When a domain is deleted , the group created for this domian is not removed.
...
Changes:
- When domain is deleted, IAM service will not find it unless it selects using 'removed' column
2014-04-25 21:57:41 +02:00
2bba381a63
CLOUDSTACK-6501:IAM - DomainAdmin - When listVirtualMachines is used
...
with listall=true and account and domainId , Vms owned by the account
account is not listed.
2014-04-25 21:27:13 +02:00
52f40433b9
CLOUDSTACK-6474: IAM - Not able to list shared networks that is created with scope="all"
...
Changes:
- On startup the root domain group should be created
- Also the SYSTEM and Root Admin accounts should be added to that group
- This will make sure that the root domain shared network's policy gets attached to the root domain group
2014-04-23 09:41:43 +02:00
48c9b46328
CLOUDSTACK-6349: IAM - No error message presented to the user , when invalid password is provided.
...
- AccountManager now works using accountId instead of accountType in following methods too:
- isResourceDomainAdmin()
- isAdmin()
2014-04-16 11:26:57 -07:00
ba55002132
CLOUDSTACK-6428:IAM - Domain Admin - When his sub-domainId is passed to
...
the listVirtualMachine command, Vms from all the domains are being
listed.
2014-04-16 10:10:45 -07:00
ffd877595d
Fix RoleBasedQuerySelector to handle new listAll semantics. If
...
listAll=true, show all resources that caller (or impersonater) has
ListEntry access type; otherwise, show all resources that caller (or
impersonater) has UseEntry access type.
2014-04-04 18:44:59 -07:00
8ddf0a42b7
CLOUDSTACK-6330 [Automation] createRemoteAccessVpn call fails with access permission error
...
- Correcting the EntityType for PublicIpAddress entity
- Adding the EntityType in the @APICommand for *IPAddrCmds
2014-04-03 23:07:10 -07:00
f2ab2c10b8
All BaseAsyncCreateCmd commands will also be grouped into "OperateEntry" accesstype
2014-04-03 23:07:07 -07:00
4367d1406b
Change AccountManagerImpl.checkAccess to invoke SecurityChecker
...
interface that takes multiple controlled entities.
2014-04-01 17:31:56 -07:00
a8a0e84b88
Split the Root Admin policy to allow 'ListEntry' access for listing resources for scope 'all', but 'UseEntry' access only within Account scope
...
Same with Domain Admin policy
2014-04-01 16:01:36 -07:00
9962cf1706
SecurityChecker can accept multiple ControlledEntity
2014-04-01 12:06:13 -07:00
412af7c2e6
RoleBasedEntityAccessChecker should skip Project resources. IAM does not support Projects yet.
2014-03-28 18:54:19 -07:00
a5b9814f7a
Fixes to ensure Network entity checkAccess invokes the IAM service
2014-03-24 17:09:43 -07:00
0cc6b303e0
IAMEntityType change in the test after merge
2014-03-19 11:31:23 -07:00
b3e22191cb
More changes to support 'readOnly' access
...
Conflicts:
api/src/org/apache/cloudstack/api/ApiConstants.java
2014-03-19 11:31:06 -07:00
a919f740d0
Adding support for 'readOnly' access. AccessType.ListEntry introduced.
...
Conflicts:
api/src/org/apache/cloudstack/api/ApiConstants.java
2014-03-19 11:30:22 -07:00
ae6b9a0829
Remove IAMEntityType to use existing VO interface class to annotate
...
entityType.
2014-03-17 16:59:19 -07:00
d9696b26e1
After merge, fix isRootAdmin() calls to use accountId instead of type
2014-03-13 13:28:40 -07:00
f2d4b4d60e
Use IAMService to populate group-account association for system/admin
...
account to solve unit test failure.
2014-03-11 16:31:03 -07:00
b554d4ac1f
Fix issues found through FindBugs.
2014-03-11 11:49:48 -07:00
1c85af3193
A production/QA Setup does not populate the admin and SYSTEM accounts during database setup. So IAM plugin needs to insert the necessary group <-> account map in the DB during startup
2014-03-10 17:30:00 -07:00
748c090b29
Fix unapproved licens issue.
2014-03-10 11:27:10 -07:00
056d21e14b
Fix bugs found from marvin test.
2014-03-04 11:16:45 -08:00
61b47850f2
Bug fix identified by marvin test.
2014-03-03 17:26:16 -08:00
e5d722654a
Rename IAMEntityType.AclGroup and AclPolicy.
2014-03-02 16:06:29 -08:00
7e4c3b0e92
Pass UUID for scopeId in addIAMPermissionToIAMPolicyCmd and
...
removeIAMPermissionFromIAMPolicyCmd.
2014-03-02 15:56:02 -08:00
9f47466fea
Fix some issues in renaming iam api, also fix marvin library.
2014-02-26 17:30:34 -08:00
45a96e4e4c
renaming Acl to IAM in module.properties for the plugin
2014-02-25 17:02:41 -08:00
6309887800
iam/server changes: Rename Acl to IAM
2014-02-25 16:43:25 -08:00
187f9cd0a2
iam/plugin: Rename Acl to IAM everywhere
2014-02-25 16:43:23 -08:00
b2ba6c05b4
Renaming plugin packages to 'iam' instead if 'acl'
2014-02-25 16:43:20 -08:00
26e92af62d
Rename IAM api and response package name so that they are following
...
convention used by ApiXmlDocWriter.
2014-02-18 16:08:06 -08:00
586ee74000
Clean up SecurityChecker.AccessType and modify code to use them
...
consistently.
2014-02-14 11:23:05 -08:00
4b75fa806a
Fix a NPE bug in listAclPolicies.
2014-02-13 17:57:49 -08:00
5bfc75cac9
Fix test build failure.
2014-02-13 11:21:07 -08:00
5854c0bbeb
Fix Path cannot be null error in creating ACL Policy.
2014-02-11 22:45:57 -08:00
97ec3f6628
Fix an AclEntityType cast bug.
2014-02-11 22:26:52 -08:00
63e42d3c47
Handle scopeId=-1 properly, which indicates current caller domain or
...
account.
2014-02-07 15:56:03 -08:00
7c0170e3e9
Hook up IAM update for updateTemplatePermission api.
2014-02-05 16:04:13 -08:00
022b9b8f80
Add access for domain wide createAffinityGroup
2014-02-03 18:14:56 -08:00
a6d07c873c
Changes to QuerySelector to list the parent group resources with recursive = true access
2014-02-03 17:49:33 -08:00
939b15169c
changes to support the domain wide resources for Network
2014-02-03 17:34:03 -08:00
d12422bf68
Add policies to domain group for CreateNetwork usecase for a domain wide shared network
2014-01-29 23:56:25 -08:00
Daan Hoogland
Min Chen
Prachi Damle