Posted to commits@cloudstack.apache.org by pr...@apache.org on 2014/01/22 23:03:02 UTC
[1/2] git commit: updated refs/heads/rbac to 39c0a30
Updated Branches:
refs/heads/rbac 33cd1ab92 -> 39c0a302b
Correcting the "security.checkers.order" to include the class name for RoleBasedEntityAccessChecker
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/935c3e60
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/935c3e60
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/935c3e60
Branch: refs/heads/rbac
Commit: 935c3e60fc1224e2e9892abaf398768b8e169245
Parents: 33cd1ab
Author: Prachi Damle <pr...@cloud.com>
Authored: Tue Jan 21 16:13:14 2014 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Wed Jan 22 13:59:57 2014 -0800
----------------------------------------------------------------------
.../META-INF/cloudstack/core/spring-core-registry-core-context.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/935c3e60/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
----------------------------------------------------------------------
diff --git a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
index f2d2681..0f58d7d 100644
--- a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
+++ b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
@@ -46,7 +46,7 @@
<property name="orderConfigKey" value="security.checkers.order" />
<property name="excludeKey" value="security.checkers.exclude" />
<property name="orderConfigDefault"
- value="roleBasedEntityAccessChecker,AffinityGroupAccessChecker,DomainChecker" />
+ value="RoleBasedEntityAccessChecker,AffinityGroupAccessChecker,DomainChecker" />
</bean>
<bean id="resourceDiscoverersRegistry"
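Review bot: The value on the new line at L33 is only meaningful if every comma-separated entry matches the name a checker registers under, and nothing in this file states that contract; a case mismatch like the one being fixed here changes the security-checker chain without any compile-time signal. Presumably the registry matches entries by name and silently ignores those that match nothing, which is worth confirming against the registry implementation. Consider an XML comment above `orderConfigDefault`: `<!-- names must match each checker's registered name exactly (case-sensitive); order defines the checking sequence -->`.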
[2/2] git commit: updated refs/heads/rbac to 39c0a30
Posted by pr...@apache.org.
Fix isRootAdmin and isDomainAdmin to return true or false even when the permission is denied by IAM
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/39c0a302
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/39c0a302
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/39c0a302
Branch: refs/heads/rbac
Commit: 39c0a302b4601a29c34f2b39e98180cd433ab8d4
Parents: 935c3e6
Author: Prachi Damle <pr...@cloud.com>
Authored: Wed Jan 22 13:58:34 2014 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Wed Jan 22 13:59:59 2014 -0800
----------------------------------------------------------------------
.../src/com/cloud/user/AccountManagerImpl.java | 24 +++++++++++++-------
.../acl/RoleBasedAPIAccessChecker.java | 9 ++++++++
setup/db/db/schema-430to440.sql | 4 ----
3 files changed, 25 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/39c0a302/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 9b9a4b8..f89e629 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -368,11 +368,15 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public boolean isRootAdmin(long accountId) {
AccountVO acct = _accountDao.findById(accountId);
for (SecurityChecker checker : _securityCheckers) {
- if (checker.checkAccess(acct, null, null, "SystemCapability")) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ try {
+ if (checker.checkAccess(acct, null, null, "SystemCapability")) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ }
+ return true;
}
- return true;
+ } catch (PermissionDeniedException ex) {
+ return false;
}
}
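Review bot: The new catch at L77 drops the exception and the identity of the checker that denied access, so a deny from IAM leaves no trace in the debug log even though the grant path at L72 does; the same applies to the isDomainAdmin hunk at L96. Returning false from inside the loop is fail-closed, which is the right outcome, but it also stops consulting later checkers in `_securityCheckers`, and that should be stated since it differs from a plain false return which continues the loop. I would change the catch to `} catch (PermissionDeniedException ex) { if (s_logger.isDebugEnabled()) { s_logger.debug("Root Access denied to " + acct + " by " + checker.getName()); } return false; }` and add the comment `// a deny from any checker is final; later checkers are not consulted`. Note that `acct` is whatever `_accountDao.findById` returned and is passed to checkAccess without a null check, but that is pre-existing and outside this change. isRootAdmin's body continues past the end of the hunk.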
@@ -383,11 +387,15 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public boolean isDomainAdmin(long accountId) {
AccountVO acct = _accountDao.findById(accountId);
for (SecurityChecker checker : _securityCheckers) {
- if (checker.checkAccess(acct, null, null, "DomainCapability")) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ try {
+ if (checker.checkAccess(acct, null, null, "DomainCapability")) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ }
+ return true;
}
- return true;
+ } catch (PermissionDeniedException ex) {
+ return false;
}
}
return false;
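Review bot: The added debug line at L91 in isDomainAdmin still says "Root Access granted", which was copied from isRootAdmin and will make the log claim a root grant when only the domain-admin capability was checked; anyone reading these logs during an investigation will be misled. Change it to `s_logger.debug("Domain Admin Access granted to " + acct + " by " + checker.getName());`. The corresponding line in the isRootAdmin hunk (L72) is correct as written.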
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/39c0a302/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index 67b6f46..acd1457 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -111,6 +111,15 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
}
}
+ // add the system-domain capability
+
+ _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), null, null, null,
+ "SystemCapability", null, Permission.Allow);
+ _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), null, null, null,
+ "DomainCapability", null, Permission.Allow);
+ _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1), null, null, null,
+ "DomainResourceCapability", null, Permission.Allow);
+
for (PluggableService service : _services) {
for (Class<?> cmdClass : service.getCommands()) {
APICommand command = cmdClass.getAnnotation(APICommand.class);
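Review bot: The policy ids at L112, L114 and L116 are derived as `Account.ACCOUNT_TYPE_* + 1`, which silently couples these grants to the ids of the seeded policy rows (the SQL this commit removes used the literal ids 2, 3 and 4); if the seed order ever changes, a capability such as "SystemCapability" would be attached to the wrong policy with no error. At minimum add a comment stating the assumption, e.g. `// policy ids are seeded as (account type + 1): admin=2, domain admin=3, resource domain admin=4 - keep in sync with the schema seed`, and prefer `Long.valueOf(Account.ACCOUNT_TYPE_ADMIN + 1)` over the deprecated `new Long(...)` boxing on all three lines. This code also appears to run on every initialization rather than once at schema upgrade time as the removed `INSERT IGNORE` did, so it is worth confirming that `addAclPermissionToAclPolicy` is idempotent and does not accumulate duplicate permission rows across restarts. The blank `+` line at L111 directly after the comment is a style nit. The enclosing method starts before this hunk.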
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/39c0a302/setup/db/db/schema-430to440.sql
----------------------------------------------------------------------
diff --git a/setup/db/db/schema-430to440.sql b/setup/db/db/schema-430to440.sql
index 7cf569a..5cd54af 100644
--- a/setup/db/db/schema-430to440.sql
+++ b/setup/db/db/schema-430to440.sql
@@ -538,7 +538,3 @@ INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values
INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values(4, 4, Now());
INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values(5, 5, Now());
-INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (1, 2, 'SystemCapability', 'Allow', Now());
-INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (2, 3, 'DomainCapability', 'Allow', Now());
-INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (3, 4, 'DomainResourceCapability', 'Allow', Now());
-