Posted to commits@cloudstack.apache.org by pr...@apache.org on 2014/01/24 03:18:23 UTC
[1/2] git commit: updated refs/heads/rbac to af14699
Updated Branches:
refs/heads/rbac 39c0a302b -> af14699c4
- Adding OperateEntry during loading of commands
- Replace ListEntry By OperateEntry
- ApiDispatcher should pass on the API name
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/96a64b93
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/96a64b93
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/96a64b93
Branch: refs/heads/rbac
Commit: 96a64b933eb8ef651d5c106b70dba59ae4f2fa96
Parents: 39c0a30
Author: Prachi Damle <pr...@cloud.com>
Authored: Thu Jan 23 17:50:59 2014 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu Jan 23 17:50:59 2014 -0800
----------------------------------------------------------------------
api/src/com/cloud/user/AccountService.java | 3 ++
.../apache/cloudstack/acl/SecurityChecker.java | 3 +-
server/src/com/cloud/api/ApiDispatcher.java | 12 ++---
.../src/com/cloud/user/AccountManagerImpl.java | 7 ++-
.../acl/RoleBasedAPIAccessChecker.java | 10 ++--
.../acl/RoleBasedEntityAccessChecker.java | 55 +++++++++++++++-----
.../cloudstack/iam/api/AclPolicyPermission.java | 1 +
.../apache/cloudstack/iam/api/IAMService.java | 5 +-
.../cloudstack/iam/server/IAMServiceImpl.java | 8 +--
.../iam/server/dao/AclPolicyPermissionDao.java | 2 +-
.../server/dao/AclPolicyPermissionDaoImpl.java | 3 +-
11 files changed, 75 insertions(+), 34 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/api/src/com/cloud/user/AccountService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index 2afaa64..37f6105 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -108,6 +108,9 @@ public interface AccountService {
void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException;
+ void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
+ ControlledEntity... entities) throws PermissionDeniedException;
+
//TO be implemented, to check accessibility for an entity owned by domain
void checkAccess(Account account, AccessType accessType, boolean sameOwner, PartOf... entities) throws PermissionDeniedException;
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/api/src/org/apache/cloudstack/acl/SecurityChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
index 80fc14b..3fdcfed 100644
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@@ -36,7 +36,8 @@ public interface SecurityChecker extends Adapter {
ModifyProject,
UseNetwork,
DeleteEntry,
- OperateEntry
+ OperateEntry,
+ UseEntry
}
/**
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/server/src/com/cloud/api/ApiDispatcher.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiDispatcher.java b/server/src/com/cloud/api/ApiDispatcher.java
index 9f4f766..751706d 100755
--- a/server/src/com/cloud/api/ApiDispatcher.java
+++ b/server/src/com/cloud/api/ApiDispatcher.java
@@ -40,6 +40,7 @@ import org.apache.cloudstack.acl.InfrastructureEntity;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
@@ -107,19 +108,14 @@ public class ApiDispatcher {
private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess) {
Account caller = CallContext.current().getCallingAccount();
- Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId());
- if (cmd instanceof BaseAsyncCreateCmd) {
- //check that caller can access the owner account.
- _accountMgr.checkAccess(caller, null, true, owner);
- }
+ APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
+ String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
if (!entitiesToAccess.isEmpty()) {
- //check that caller can access the owner account.
- _accountMgr.checkAccess(caller, null, true, owner);
for (Object entity : entitiesToAccess.keySet()) {
if (entity instanceof ControlledEntity) {
- _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity)entity);
+ _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), false, apiName, (ControlledEntity) entity);
} else if (entity instanceof InfrastructureEntity) {
//FIXME: Move this code in adapter, remove code from Account manager
}
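Review bot: With both `_accountMgr.checkAccess(caller, null, true, owner)` calls removed, doAccessChecks no longer verifies that the caller may act on the account returned by `cmd.getEntityOwnerId()`, and a `BaseAsyncCreateCmd` with an empty `entitiesToAccess` map now passes through this method with no check at all. Nothing visible in this commit replaces that owner check, so unless it is enforced elsewhere, a create command could name an owner account the caller has no rights over. The per-entity call also switches `sameOwner` from `true` to `false`, and `apiName` is `null` whenever the command class lacks `@APICommand`, so the checkers then match on access type only. A comment such as `// owner access for create commands is checked in <placeholder: location>` would record where the check now lives. The method body continues outside the hunk.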
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index f89e629..2771859 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -447,6 +447,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
+ checkAccess(caller, accessType, sameOwner, null, entities);
+ }
+
+ @Override
+ public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) {
//check for the same owner
Long ownerId = null;
ControlledEntity prevEntity = null;
@@ -492,7 +497,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
boolean granted = false;
for (SecurityChecker checker : _securityCheckers) {
- if (checker.checkAccess(caller, entity, accessType)) {
+ if (checker.checkAccess(caller, entity, accessType, apiName)) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index acd1457..fc39e10 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -30,9 +30,11 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService;
@@ -205,7 +207,9 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
try {
cmdObj = (BaseCmd) cmdClass.newInstance();
if (cmdObj instanceof BaseListCmd) {
- accessType = AccessType.ListEntry;
+ accessType = AccessType.UseEntry;
+ } else if (!(cmdObj instanceof BaseAsyncCreateCmd)) {
+ accessType = AccessType.OperateEntry;
}
} catch (Exception e) {
throw new CloudRuntimeException(String.format(
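Review bot: The new `else if` leaves `accessType` at its initial value for `BaseAsyncCreateCmd` subclasses, and that value is declared outside this hunk; the later `(accessType == null) ? null : accessType.toString()` suggests it is null, so create commands appear to be stored with no access type. A comment above the branch, e.g. `// list commands -> UseEntry, create commands -> no access type, everything else -> OperateEntry`, would make the mapping explicit. Permission rows already persisted with the string `ListEntry` would presumably stop matching the `UseEntry` default that RoleBasedEntityAccessChecker now applies, so confirm the default policies are regenerated on this branch. The enclosing method starts and ends outside the hunk.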
@@ -238,11 +242,11 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
if (entityTypes == null || entityTypes.length == 0) {
- _iamSrv.addAclPermissionToAclPolicy(policyId, null, permissionScope.toString(), new Long(-1),
+ _iamSrv.addAclPermissionToAclPolicy(policyId, null, permissionScope.toString(), new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow);
} else {
for (AclEntityType entityType : entityTypes) {
- _iamSrv.addAclPermissionToAclPolicy(policyId, entityType.toString(), permissionScope.toString(), new Long(-1),
+ _iamSrv.addAclPermissionToAclPolicy(policyId, entityType.toString(), permissionScope.toString(), new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow);
}
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
index e2b149b..4802456 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@@ -24,6 +24,7 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.api.AclPolicyPermission;
import org.apache.cloudstack.iam.api.IAMService;
@@ -71,7 +72,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
String entityType = entity.getEntityType().toString();
if (accessType == null) {
- accessType = AccessType.ListEntry;
+ accessType = AccessType.UseEntry;
}
// get all Policies of this caller w.r.t the entity
@@ -82,13 +83,21 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
List<AclPolicyPermission> permissions = new ArrayList<AclPolicyPermission>();
if (action != null) {
- permissions = _iamSrv.listPolicyPermissionByEntityType(policy.getId(), action, entityType);
+ permissions = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action, entityType);
+ if (permissions.isEmpty()) {
+ if (accessType != null) {
+ permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
+ accessType.toString(), entityType));
+ }
+ }
} else {
- permissions = _iamSrv.listPolicyPermissionByAccessType(policy.getId(), accessType.toString(),
- entityType, action);
+ if (accessType != null) {
+ permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
+ accessType.toString(), entityType));
+ }
}
for (AclPolicyPermission permission : permissions) {
- if (checkPermissionScope(caller, permission.getScope(), entity)) {
+ if (checkPermissionScope(caller, permission.getScope(), permission.getScopeId(), entity)) {
if (permission.getEntityType().equals(entityType)) {
policyPermissionMap.put(policy, permission.getPermission().isGranted());
break;
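Review bot: The fallback added under `if (permissions.isEmpty())` widens what a policy grants: when a policy has no row for the requested `action`, any row with the same access type and entity type is accepted, and because `listByPolicyAccessAndEntity` no longer filters on action (see the AclPolicyPermissionDaoImpl hunk), a permission recorded for one API can authorize a different API with the same access type. If that is intended, say so in a comment, e.g. `// no API-specific rule: fall back to the access-type rule for this entity type`; if not, restrict the fallback to rows whose action is null. `permissions.isEmpty()` is also called on the service result without the null check that AclApiServiceImpl applies (`perms == null || perms.size() == 0`). The `accessType != null` guards look redundant, because the previous hunk defaults `accessType` to `UseEntry`. The enclosing method starts and ends outside the hunk.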
@@ -114,18 +123,38 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
return false;
}
- private boolean checkPermissionScope(Account caller, String scope, ControlledEntity entity) {
+ private boolean checkPermissionScope(Account caller, String scope, Long scopeId, ControlledEntity entity) {
- if (scope.equals(PermissionScope.ACCOUNT.name())) {
- if(caller.getAccountId() == entity.getAccountId()){
- return true;
+ if(scopeId != null && !scopeId.equals(new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))){
+ //scopeId is set
+ if (scope.equals(PermissionScope.ACCOUNT.name())) {
+ if(scopeId == entity.getAccountId()){
+ return true;
+ }
+ } else if (scope.equals(PermissionScope.DOMAIN.name())) {
+ if (_domainDao.isChildDomain(scopeId, entity.getDomainId())) {
+ return true;
+ }
+ } else if (scope.equals(PermissionScope.RESOURCE.name())) {
+ if (entity instanceof InternalIdentity) {
+ InternalIdentity entityWithId = (InternalIdentity) entity;
+ if(scopeId.equals(entityWithId.getId())){
+ return true;
+ }
+ }
}
- } else if (scope.equals(PermissionScope.DOMAIN.name())) {
- if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
- return true;
+ } else if (scopeId == null || scopeId.equals(new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))) {
+ if (scope.equals(PermissionScope.ACCOUNT.name())) {
+ if(caller.getAccountId() == entity.getAccountId()){
+ return true;
+ }
+ } else if (scope.equals(PermissionScope.DOMAIN.name())) {
+ if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
+ return true;
+ }
}
}
-
+
return false;
}
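Review bot: The two branches of checkPermissionScope repeat the same ACCOUNT and DOMAIN comparisons and differ only in which id they compare against, and the `else if` condition is the exact negation of the `if`, so a future edit can easily change one copy and miss the other in an authorization path. `scopeId == entity.getAccountId()` compares a boxed `Long` with what is presumably a primitive `long`; that works through unboxing but is inconsistent with the `scopeId.equals(...)` used for RESOURCE, and would become a reference comparison if the getter ever returned `Long`. `scope.equals(...)` also throws on a null scope, whereas putting the constant first denies instead. Resolving the effective id once keeps the same decisions with one comparison per scope, as sketched below (assumes `getAccountId()`, `getDomainId()` and `getId()` return `long`, which this diff does not show).

```java
private boolean checkPermissionScope(Account caller, String scope, Long scopeId, ControlledEntity entity) {
    // A missing scopeId or the sentinel value means "evaluate against the calling account/domain".
    boolean currentCaller = scopeId == null
            || scopeId.longValue() == AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER;

    if (PermissionScope.ACCOUNT.name().equals(scope)) {
        long accountId = currentCaller ? caller.getAccountId() : scopeId.longValue();
        return accountId == entity.getAccountId();
    }
    if (PermissionScope.DOMAIN.name().equals(scope)) {
        long domainId = currentCaller ? caller.getDomainId() : scopeId.longValue();
        return _domainDao.isChildDomain(domainId, entity.getDomainId());
    }
    // RESOURCE scope only makes sense with an explicit id; anything else is denied.
    if (!currentCaller && PermissionScope.RESOURCE.name().equals(scope) && entity instanceof InternalIdentity) {
        return scopeId.longValue() == ((InternalIdentity) entity).getId();
    }
    return false;
}
```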
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java b/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java
index 38e5d05..f0352bc 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java
@@ -49,4 +49,5 @@ public interface AclPolicyPermission {
long getId();
+ public static final long PERMISSION_SCOPE_ID_CURRENT_CALLER = -1;
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 2d303d1..90dbb57 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -66,7 +66,7 @@ public interface IAMService {
List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope);
- List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId, String action, String entityType);
+ List<AclPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action, String entityType);
boolean isActionAllowedForPolicies(String action, List<AclPolicy> policies);
@@ -74,6 +74,7 @@ public interface IAMService {
AclPolicy resetAclPolicy(long aclPolicyId);
- List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId, String accessType, String entityType, String action);
+ List<AclPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
+ String entityType);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 6eb3223..8a070dd 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -670,7 +670,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
@SuppressWarnings("unchecked")
@Override
- public List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId, String action, String entityType) {
+ public List<AclPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action,
+ String entityType) {
@SuppressWarnings("rawtypes")
List pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
return pp;
@@ -678,9 +679,10 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
@SuppressWarnings("unchecked")
@Override
- public List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId, String accessType, String entityType, String action) {
+ public List<AclPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
+ String entityType) {
@SuppressWarnings("rawtypes")
- List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType, action);
+ List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType);
return pp;
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
index 5abadf9..53c8983 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
@@ -33,6 +33,6 @@ public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO
List<AclPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType);
- List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, String accessType, String entityType, String action);
+ List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType, String entityType);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
index b014cb4..d738e00 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
@@ -104,12 +104,11 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
@Override
public List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType,
- String entityType, String action) {
+ String entityType) {
SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("accessType", accessType);
- sc.setParameters("action", action);
return listBy(sc);
}
[2/2] git commit: updated refs/heads/rbac to af14699
Posted by pr...@apache.org.
fixing the build _ AffinityGroup command changes
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/af14699c
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/af14699c
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/af14699c
Branch: refs/heads/rbac
Commit: af14699c4c8b742efbba9a80f43cd9d9f32bb559
Parents: 96a64b9
Author: Prachi Damle <pr...@cloud.com>
Authored: Thu Jan 23 18:17:43 2014 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu Jan 23 18:17:43 2014 -0800
----------------------------------------------------------------------
.../command/user/affinitygroup/CreateAffinityGroupCmd.java | 3 ++-
.../command/user/affinitygroup/DeleteAffinityGroupCmd.java | 3 ++-
.../api/command/user/affinitygroup/ListAffinityGroupsCmd.java | 3 ++-
.../network/contrail/management/MockAccountManager.java | 7 +++++++
server/test/com/cloud/user/MockAccountManagerImpl.java | 7 +++++++
.../apache/cloudstack/acl/RoleBasedEntityAccessChecker.java | 1 -
.../src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java | 2 +-
7 files changed, 21 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/af14699c/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java
index a3f3c09..a79e9fd 100644
--- a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.user.affinitygroup;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupResponse;
import org.apache.cloudstack.api.APICommand;
@@ -34,7 +35,7 @@ import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.user.Account;
-@APICommand(name = "createAffinityGroup", responseObject = AffinityGroupResponse.class, description = "Creates an affinity/anti-affinity group")
+@APICommand(name = "createAffinityGroup", responseObject = AffinityGroupResponse.class, description = "Creates an affinity/anti-affinity group", entityType = { AclEntityType.AffinityGroup })
public class CreateAffinityGroupCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateAffinityGroupCmd.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/af14699c/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java
index 74b207a..0bbe247 100644
--- a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.user.affinitygroup;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.affinity.AffinityGroupResponse;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@@ -34,7 +35,7 @@ import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.user.Account;
-@APICommand(name = "deleteAffinityGroup", description = "Deletes affinity group", responseObject = SuccessResponse.class)
+@APICommand(name = "deleteAffinityGroup", description = "Deletes affinity group", responseObject = SuccessResponse.class, entityType = { AclEntityType.AffinityGroup })
public class DeleteAffinityGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteAffinityGroupCmd.class.getName());
private static final String s_name = "deleteaffinitygroupresponse";
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/af14699c/api/src/org/apache/cloudstack/api/command/user/affinitygroup/ListAffinityGroupsCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/ListAffinityGroupsCmd.java b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/ListAffinityGroupsCmd.java
index 0761a64..262ecc7 100644
--- a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/ListAffinityGroupsCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/ListAffinityGroupsCmd.java
@@ -17,6 +17,7 @@
package org.apache.cloudstack.api.command.user.affinitygroup;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.affinity.AffinityGroupResponse;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@@ -26,7 +27,7 @@ import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.UserVmResponse;
-@APICommand(name = "listAffinityGroups", description = "Lists affinity groups", responseObject = AffinityGroupResponse.class)
+@APICommand(name = "listAffinityGroups", description = "Lists affinity groups", responseObject = AffinityGroupResponse.class, entityType = { AclEntityType.AffinityGroup })
public class ListAffinityGroupsCmd extends BaseListAccountResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListAffinityGroupsCmd.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/af14699c/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index 04cdc7c..67dd406 100644
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -372,4 +372,11 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
}
+ @Override
+ public void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
+ ControlledEntity... entities) throws PermissionDeniedException {
+ // TODO Auto-generated method stub
+
+ }
+
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/af14699c/server/test/com/cloud/user/MockAccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index f0986aa..fa786bf 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -344,4 +344,11 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
return null;
}
+ @Override
+ public void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
+ ControlledEntity... entities) throws PermissionDeniedException {
+ // TODO Auto-generated method stub
+
+ }
+
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/af14699c/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
index 4802456..acbf8d3 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@@ -154,7 +154,6 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
}
}
}
-
return false;
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/af14699c/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
index d3be747..7651548 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -241,7 +241,7 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
List<AclPolicy> policies = _iamSrv.listAclPolicies(accountId);
AclPolicyPermission curPerm = null;
for (AclPolicy policy : policies) {
- List<AclPolicyPermission> perms = _iamSrv.listPolicyPermissionByEntityType(policy.getId(), action,
+ List<AclPolicyPermission> perms = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action,
entityType);
if (perms == null || perms.size() == 0)
continue;