Posted to commits@cloudstack.apache.org by ra...@apache.org on 2018/09/11 16:06:26 UTC
[cloudstack] branch master updated: Remove 'iam' projects (#2817)
This is an automated email from the ASF dual-hosted git repository.
rafael pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/master by this push:
new 56f9185 Remove 'iam' projects (#2817)
56f9185 is described below
commit 56f918583df279963fbe14866ae11d3d5599bb1e
Author: Khosrow Moossavi <kh...@gmail.com>
AuthorDate: Tue Sep 11 12:06:20 2018 -0400
Remove 'iam' projects (#2817)
* Remove 'iam' projects
* Drop corresponding tables
---
api/src/main/java/com/cloud/event/EventTypes.java | 13 -
.../apache/cloudstack/api/ApiCommandJobType.java | 2 -
.../org/apache/cloudstack/api/ApiConstants.java | 14 +-
.../META-INF/db/schema-41110to41200-cleanup.sql | 9 +-
.../com/cloud/template/TemplateManagerImpl.java | 2 -
services/iam/plugin/pom.xml | 59 --
.../api/command/iam/AddAccountToIAMGroupCmd.java | 127 ---
.../iam/AddIAMPermissionToIAMPolicyCmd.java | 159 ----
.../command/iam/AttachIAMPolicyToAccountCmd.java | 122 ---
.../command/iam/AttachIAMPolicyToIAMGroupCmd.java | 127 ---
.../api/command/iam/CreateIAMGroupCmd.java | 168 ----
.../api/command/iam/CreateIAMPolicyCmd.java | 175 ----
.../api/command/iam/DeleteIAMGroupCmd.java | 102 ---
.../api/command/iam/DeleteIAMPolicyCmd.java | 102 ---
.../api/command/iam/ListIAMGroupsCmd.java | 88 --
.../api/command/iam/ListIAMPoliciesCmd.java | 88 --
.../command/iam/RemoveAccountFromIAMGroupCmd.java | 127 ---
.../iam/RemoveIAMPermissionFromIAMPolicyCmd.java | 148 ----
.../command/iam/RemoveIAMPolicyFromAccountCmd.java | 122 ---
.../iam/RemoveIAMPolicyFromIAMGroupCmd.java | 127 ---
.../api/response/iam/IAMGroupResponse.java | 193 -----
.../api/response/iam/IAMPermissionResponse.java | 124 ---
.../api/response/iam/IAMPolicyResponse.java | 177 ----
.../org/apache/cloudstack/iam/IAMApiService.java | 87 --
.../apache/cloudstack/iam/IAMApiServiceImpl.java | 825 -------------------
.../cloudstack/iam/RoleBasedAPIAccessChecker.java | 287 -------
.../iam/RoleBasedEntityAccessChecker.java | 329 --------
.../iam/RoleBasedEntityQuerySelector.java | 188 -----
.../iam-access-checkers/module.properties | 18 -
.../spring-iam-access-checkers-context.xml | 35 -
.../cloudstack/iam/test/IAMApiServiceTest.java | 385 ---------
.../iam/plugin/src/test/resources/db.properties | 73 --
services/iam/pom.xml | 59 --
services/iam/server/pom.xml | 57 --
.../org/apache/cloudstack/iam/api/IAMGroup.java | 37 -
.../org/apache/cloudstack/iam/api/IAMPolicy.java | 41 -
.../cloudstack/iam/api/IAMPolicyPermission.java | 53 --
.../org/apache/cloudstack/iam/api/IAMService.java | 99 ---
.../iam/server/IAMAccountPolicyMapVO.java | 77 --
.../iam/server/IAMGroupAccountMapVO.java | 78 --
.../cloudstack/iam/server/IAMGroupPolicyMapVO.java | 79 --
.../apache/cloudstack/iam/server/IAMGroupVO.java | 122 ---
.../iam/server/IAMPolicyPermissionVO.java | 181 -----
.../apache/cloudstack/iam/server/IAMPolicyVO.java | 138 ----
.../cloudstack/iam/server/IAMServiceImpl.java | 904 ---------------------
.../iam/server/dao/IAMAccountPolicyMapDao.java | 33 -
.../iam/server/dao/IAMAccountPolicyMapDaoImpl.java | 77 --
.../iam/server/dao/IAMGroupAccountMapDao.java | 40 -
.../iam/server/dao/IAMGroupAccountMapDaoImpl.java | 119 ---
.../cloudstack/iam/server/dao/IAMGroupDao.java | 28 -
.../cloudstack/iam/server/dao/IAMGroupDaoImpl.java | 59 --
.../iam/server/dao/IAMGroupPolicyMapDao.java | 33 -
.../iam/server/dao/IAMGroupPolicyMapDaoImpl.java | 77 --
.../cloudstack/iam/server/dao/IAMPolicyDao.java | 28 -
.../iam/server/dao/IAMPolicyDaoImpl.java | 57 --
.../iam/server/dao/IAMPolicyPermissionDao.java | 39 -
.../iam/server/dao/IAMPolicyPermissionDaoImpl.java | 130 ---
.../cloudstack/core/spring-iam-server-context.xml | 47 --
.../apache/cloudstack/iam/IAMServiceUnitTest.java | 211 -----
.../iam/server/src/test/resources/db.properties | 73 --
tools/apidoc/gen_toc.py | 1 -
tools/build/build_asf.sh | 3 -
tools/build/setnextversion.sh | 3 -
tools/marvin/marvin/lib/base.py | 133 ---
64 files changed, 9 insertions(+), 7709 deletions(-)
diff --git a/api/src/main/java/com/cloud/event/EventTypes.java b/api/src/main/java/com/cloud/event/EventTypes.java
index 907b93e..318dc4b 100644
--- a/api/src/main/java/com/cloud/event/EventTypes.java
+++ b/api/src/main/java/com/cloud/event/EventTypes.java
@@ -531,19 +531,6 @@ public class EventTypes {
public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE";
- // IAM events
- public static final String EVENT_IAM_POLICY_CREATE = "IAMPOLICY.CREATE";
- public static final String EVENT_IAM_POLICY_DELETE = "IAMPOLICY.DELETE";
- public static final String EVENT_IAM_POLICY_GRANT = "IAMPOLICY.GRANT";
- public static final String EVENT_IAM_POLICY_REVOKE = "IAMPOLICY.REVOKE";
-
- public static final String EVENT_IAM_GROUP_UPDATE = "IAMGROUP.UPDATE";
- public static final String EVENT_IAM_GROUP_CREATE = "IAMGROUP.CREATE";
- public static final String EVENT_IAM_GROUP_DELETE = "IAMGROUP.DELETE";
- public static final String EVENT_IAM_GROUP_GRANT = "IAMGROUP.GRANT";
- public static final String EVENT_IAM_GROUP_REVOKE = "IAMGROUP.REVOKE";
- public static final String EVENT_IAM_ACCOUNT_POLICY_UPDATE = "IAMACCOUNTPOLICY.UPDATE";
-
// Object store migration
public static final String EVENT_MIGRATE_PREPARE_SECONDARY_STORAGE = "MIGRATE.PREPARE.SS";
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java b/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java
index ead6ce1..b95831b 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java
@@ -50,8 +50,6 @@ public enum ApiCommandJobType {
AffinityGroup,
InternalLbVm,
DedicatedGuestVlanRange,
- IAMPolicy,
- IAMGroup,
GuestOs,
GuestOsMapping,
Network
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
index f03ddc7..b7779cb 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
@@ -652,19 +652,7 @@ public class ApiConstants {
public static final String MAX_CONNECTIONS = "maxconnections";
public static final String SERVICE_STATE = "servicestate";
- public static final String IAM_ACCOUNT_IDS = "accountids";
- public static final String IAM_MEMBER_ACCOUNTS = "memberaccounts";
- public static final String IAM_PARENT_POLICY_ID = "parentpolicyid";
- public static final String IAM_PARENT_POLICY_NAME = "parentpolicyname";
- public static final String IAM_POLICY_IDS = "policyids";
- public static final String IAM_POLICIES = "policies";
- public static final String IAM_APIS = "apis";
public static final String IAM_GROUPS = "groups";
- public static final String IAM_PERMISSIONS = "permission";
- public static final String IAM_ACTION = "action";
- public static final String IAM_SCOPE = "scope";
- public static final String IAM_SCOPE_ID = "scopeid";
- public static final String IAM_ALLOW_DENY = "permission";
public static final String ENTITY_TYPE = "entitytype";
public static final String ENTITY_ID = "entityid";
public static final String EXTERNAL_ID = "externalid";
@@ -737,4 +725,4 @@ public class ApiConstants {
public enum DomainDetails {
all, resource, min;
}
-}
\ No newline at end of file
+}
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql b/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql
index a72b33f..76f6901 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql
@@ -17,4 +17,11 @@
--;
-- Schema upgrade cleanup from 4.11.1.0 to 4.12.0.0
---;
\ No newline at end of file
+--;
+
+DROP TABLE IF EXISTS `cloud`.`iam_account_policy_map`;
+DROP TABLE IF EXISTS `cloud`.`iam_group_account_map`;
+DROP TABLE IF EXISTS `cloud`.`iam_group_policy_map`;
+DROP TABLE IF EXISTS `cloud`.`iam_group`;
+DROP TABLE IF EXISTS `cloud`.`iam_policy_permission`;
+DROP TABLE IF EXISTS `cloud`.`iam_policy`;
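Review bot: The six DROP TABLE statements discard the IAM policy, group and membership data unconditionally, and the cleanup header above them gives an operator no warning that authorization data is being destroyed during the upgrade; add a comment before the first drop, e.g. `-- Tables of the removed 'iam' plugin (services/iam). Irreversible: export any policy/group data you still need before running the 4.11.1 -> 4.12 cleanup.` The drop order (the three *_map tables first, then iam_group, iam_policy_permission, iam_policy) looks consistent with foreign keys pointing from the map tables to their parents, but that is inferred from the names rather than from constraints visible in this hunk. Since the plugin's access checkers are deleted in the same commit, any access that was granted only through these tables ends with the upgrade, which is worth stating in the release notes as well.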
diff --git a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
index 7076a66..dc57a8a 100755
--- a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
@@ -1546,7 +1546,6 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class);
permit.put(ApiConstants.ENTITY_ID, id);
permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry);
- permit.put(ApiConstants.IAM_ACTION, "listTemplates");
permit.put(ApiConstants.ACCOUNTS, accountIds);
_messageBus.publish(_name, EntityManager.MESSAGE_GRANT_ENTITY_EVENT, PublishScope.LOCAL, permit);
} else if ("remove".equalsIgnoreCase(operation)) {
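Review bot: With the IAM_ACTION entry gone, the permit map published on `_messageBus.publish(_name, EntityManager.MESSAGE_GRANT_ENTITY_EVENT, PublishScope.LOCAL, permit);` carries only ENTITY_TYPE, ENTITY_ID, ACCESS_TYPE and ACCOUNTS, and if the deleted RoleBasedEntityAccessChecker was its only subscriber the publish is now an event with no consumer; I cannot confirm that from the hunk. Either drop the permit map and publish together with the plugin, or add a comment naming the remaining subscriber and the payload contract, e.g. `// Published for entity-access subscribers; payload keys: ENTITY_TYPE, ENTITY_ID, ACCESS_TYPE, ACCOUNTS`. The same applies to the revoke branch in the next hunk. The enclosing method starts and ends outside the hunk.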
@@ -1563,7 +1562,6 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class);
permit.put(ApiConstants.ENTITY_ID, id);
permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry);
- permit.put(ApiConstants.IAM_ACTION, "listTemplates");
permit.put(ApiConstants.ACCOUNTS, accountIds);
_messageBus.publish(_name, EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, PublishScope.LOCAL, permit);
} else if ("reset".equalsIgnoreCase(operation)) {
diff --git a/services/iam/plugin/pom.xml b/services/iam/plugin/pom.xml
deleted file mode 100644
index 1ea101d..0000000
--- a/services/iam/plugin/pom.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <artifactId>cloud-plugin-iam</artifactId>
- <name>Apache CloudStack IAM - Plugin</name>
- <parent>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloudstack-service-iam</artifactId>
- <version>4.12.0.0-SNAPSHOT</version>
- <relativePath>../pom.xml</relativePath>
- </parent>
- <dependencies>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-engine-schema</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-server</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-iam</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- <type>test-jar</type>
- <scope>test</scope>
- </dependency>
- </dependencies>
-</project>
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java
deleted file mode 100644
index bea3fc9..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java
+++ /dev/null
@@ -1,127 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "addAccountToIAMGroup", description = "add account to an iam group", responseObject = IAMGroupResponse.class)
-public class AddAccountToIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(AddAccountToIAMGroupCmd.class.getName());
- private static final String s_name = "addaccounttoiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the iam group.")
- private List<Long> accountIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getAccountIdList() {
- return accountIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM group Id: " + getId());
- IAMGroup result = _iamApiSrv.addAccountsToGroup(accountIdList, id);
- if (result != null){
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add accounts to iam group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "adding accounts to iam group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
deleted file mode 100644
index d69f3d0..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
+++ /dev/null
@@ -1,159 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "addIAMPermissionToIAMPolicy", description = "Add IAM permission to an iam policy", responseObject = IAMPolicyResponse.class)
-public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(AddIAMPermissionToIAMPolicyCmd.class.getName());
- private static final String s_name = "addiampermissiontoiampolicyresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
- required = true, description = "The ID of the iam policy")
- private Long id;
-
- @Parameter(name = ApiConstants.IAM_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
- private String action;
-
- @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
- private String entityType;
-
- @Parameter(name = ApiConstants.IAM_SCOPE, type = CommandType.STRING,
- required = false, description = "iam permission scope")
- private String scope;
-
- @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The UUID of the permission scope id")
- private String scopeId;
-
- @Parameter(name = ApiConstants.READ_ONLY, type = CommandType.BOOLEAN, required = false, description = "Read Only access is added; Only applicable when action = List/Read api name")
- private Boolean readOnly;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public String getAction() {
- return action;
- }
-
- public String getEntityType() {
- return entityType;
- }
-
- public String getScope() {
- return scope;
- }
-
- public Long getScopeId() {
- // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID.
- return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
- }
-
- public Boolean isReadOnly() {
- return (readOnly != null) ? readOnly : false;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM policy Id: " + getId());
- // Only explicit ALLOW is supported for this release, no explicit deny
- IAMPolicy result = _iamApiSrv.addIAMPermissionToIAMPolicy(id, entityType, PermissionScope.valueOf(scope),
- getScopeId(), action, Permission.Allow, false, isReadOnly());
- if (result != null) {
- IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to iam policy "
- + getId());
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_POLICY_GRANT;
- }
-
- @Override
- public String getEventDescription() {
- return "granting permission to iam policy";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java
deleted file mode 100644
index fc174cf..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java
+++ /dev/null
@@ -1,122 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "attachIAMPolicyToAccount", description = "attach iam policy to accounts", responseObject = SuccessResponse.class)
-public class AttachIAMPolicyToAccountCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(AttachIAMPolicyToAccountCmd.class.getName());
- private static final String s_name = "attachiampolicytoaccountresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
- required = true, description = "The ID of the iam policy")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that the policy will attach to.")
- private List<Long> accountIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getAccountIdList() {
- return accountIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM policy Id: " + getId());
- _iamApiSrv.attachIAMPolicyToAccounts(id, accountIdList);
- SuccessResponse response = new SuccessResponse();
- response.setResponseName(getCommandName());
- setResponseObject(response);
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "adding IAM policy to accounts";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.Account;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java
deleted file mode 100644
index 1705c4a..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java
+++ /dev/null
@@ -1,127 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "attachIAMPolicyToIAMGroup", description = "attach iam policy to an iam group", responseObject = IAMGroupResponse.class)
-public class AttachIAMPolicyToIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(AttachIAMPolicyToIAMGroupCmd.class.getName());
- private static final String s_name = "attachiampolicytoiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.IAM_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = IAMPolicyResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.")
- private List<Long> policyIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getPolicyIdList() {
- return policyIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM group Id: " + getId());
- IAMGroup result = _iamApiSrv.attachIAMPoliciesToGroup(policyIdList, id);
- if (result != null){
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to iam group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "adding iam roles to iam group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java
deleted file mode 100644
index 93940e8..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java
+++ /dev/null
@@ -1,168 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCreateCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.ResourceAllocationException;
-import com.cloud.user.Account;
-
-@APICommand(name = "createIAMGroup", responseObject = IAMGroupResponse.class, description = "Creates an IAM group")
-public class CreateIAMGroupCmd extends BaseAsyncCreateCmd {
- public static final Logger s_logger = Logger.getLogger(CreateIAMGroupCmd.class.getName());
-
- private static final String s_name = "createiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- // ///////////////////////////////////////////////////
- // ////////////// API parameters /////////////////////
- // ///////////////////////////////////////////////////
-
- @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the iam group. Must be used with domainId.")
- private String accountName;
-
- @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the iam group", entityType = DomainResponse.class)
- private Long domainId;
-
- @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the iam group")
- private String description;
-
- @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the iam group")
- private String name;
-
-
- // ///////////////////////////////////////////////////
- // ///////////////// Accessors ///////////////////////
- // ///////////////////////////////////////////////////
-
- public String getAccountName() {
- return accountName;
- }
-
- public String getDescription() {
- return description;
- }
-
- public Long getDomainId() {
- return domainId;
- }
-
- public String getName() {
- return name;
- }
-
-
- // ///////////////////////////////////////////////////
- // ///////////// API Implementation///////////////////
- // ///////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public long getEntityOwnerId() {
- Account account = CallContext.current().getCallingAccount();
- if ((account == null) || _accountService.isAdmin(account.getId())) {
- if ((domainId != null) && (accountName != null)) {
- Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
- if (userAccount != null) {
- return userAccount.getId();
- }
- }
- }
-
- if (account != null) {
- return account.getId();
- }
-
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
- // command to SYSTEM so ERROR events
- // are tracked
- }
-
- @Override
- public void execute() {
- IAMGroup grp = _entityMgr.findById(IAMGroup.class, getEntityId());
- if (grp != null) {
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(grp);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam group:" + name);
- }
- }
-
- @Override
- public void create() throws ResourceAllocationException {
- Account account = CallContext.current().getCallingAccount();
- IAMGroup result = _iamApiSrv.createIAMGroup(account, name, description);
- if (result != null) {
- setEntityId(result.getId());
- setEntityUuid(result.getUuid());
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam group entity" + name);
- }
-
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_CREATE;
- }
-
- @Override
- public String getEventDescription() {
- return "creating IAM group";
- }
-
- @Override
- public String getCreateEventType() {
- return EventTypes.EVENT_IAM_GROUP_CREATE;
- }
-
- @Override
- public String getCreateEventDescription() {
- return "creating IAM group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java
deleted file mode 100644
index 7ebab67..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java
+++ /dev/null
@@ -1,175 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCreateCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.ResourceAllocationException;
-import com.cloud.user.Account;
-
-@APICommand(name = "createIAMPolicy", responseObject = IAMPolicyResponse.class, description = "Creates an iam policy")
-public class CreateIAMPolicyCmd extends BaseAsyncCreateCmd {
- public static final Logger s_logger = Logger.getLogger(CreateIAMPolicyCmd.class.getName());
-
- private static final String s_name = "createiampolicyresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- // ///////////////////////////////////////////////////
- // ////////////// API parameters /////////////////////
- // ///////////////////////////////////////////////////
-
- @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the iam policy. Must be used with domainId.")
- private String accountName;
-
- @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the iam policy", entityType = DomainResponse.class)
- private Long domainId;
-
- @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the iam policy")
- private String description;
-
- @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the iam policy")
- private String name;
-
- @ACL
- @Parameter(name = ApiConstants.IAM_PARENT_POLICY_ID, type = CommandType.UUID, description = "The ID of parent iam policy.", entityType = IAMPolicyResponse.class)
- private Long parentPolicyId;
-
-
- // ///////////////////////////////////////////////////
- // ///////////////// Accessors ///////////////////////
- // ///////////////////////////////////////////////////
-
- public String getAccountName() {
- return accountName;
- }
-
- public String getDescription() {
- return description;
- }
-
- public Long getDomainId() {
- return domainId;
- }
-
- public String getName() {
- return name;
- }
-
- public Long getParentPolicyId() {
- return parentPolicyId;
- }
-
- // ///////////////////////////////////////////////////
- // ///////////// API Implementation///////////////////
- // ///////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public long getEntityOwnerId() {
- Account account = CallContext.current().getCallingAccount();
- if ((account == null) || _accountService.isAdmin(account.getId())) {
- if ((domainId != null) && (accountName != null)) {
- Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
- if (userAccount != null) {
- return userAccount.getId();
- }
- }
- }
-
- if (account != null) {
- return account.getId();
- }
-
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
- // command to SYSTEM so ERROR events
- // are tracked
- }
-
- @Override
- public void execute() {
- IAMPolicy policy = _entityMgr.findById(IAMPolicy.class, getEntityId());
- if (policy != null) {
- IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(policy);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam policy:" + name);
- }
- }
-
- @Override
- public void create() throws ResourceAllocationException {
- Account account = CallContext.current().getCallingAccount();
- IAMPolicy result = _iamApiSrv.createIAMPolicy(account, name, description, parentPolicyId);
- if (result != null) {
- setEntityId(result.getId());
- setEntityUuid(result.getUuid());
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam policy entity" + name);
- }
-
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_POLICY_CREATE;
- }
-
- @Override
- public String getEventDescription() {
- return "creating IAM policy";
- }
-
- @Override
- public String getCreateEventType() {
- return EventTypes.EVENT_IAM_POLICY_CREATE;
- }
-
- @Override
- public String getCreateEventDescription() {
- return "creating IAM policy";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java
deleted file mode 100644
index 60b1e24..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java
+++ /dev/null
@@ -1,102 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.iam.IAMApiService;
-
-import com.cloud.event.EventTypes;
-import com.cloud.user.Account;
-
-@APICommand(name = "deleteIAMGroup", description = "Deletes acl group", responseObject = SuccessResponse.class)
-public class DeleteIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(DeleteIAMGroupCmd.class.getName());
- private static final String s_name = "deleteaclgroupresponse";
-
- @Inject
- public IAMApiService _aclApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl group.", required = true, entityType = IAMGroupResponse.class)
- private Long id;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
- public Long getId() {
- return id;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM;
- }
-
- @Override
- public void execute(){
- boolean result = _aclApiSrv.deleteIAMGroup(id);
- if (result) {
- SuccessResponse response = new SuccessResponse(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_DELETE;
- }
-
- @Override
- public String getEventDescription() {
- return "Deleting Acl group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java
deleted file mode 100644
index 037f4cd..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java
+++ /dev/null
@@ -1,102 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-
-import com.cloud.event.EventTypes;
-import com.cloud.user.Account;
-
-@APICommand(name = "deleteIAMPolicy", description = "Deletes iam policy", responseObject = SuccessResponse.class)
-public class DeleteIAMPolicyCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(DeleteIAMPolicyCmd.class.getName());
- private static final String s_name = "deleteiampolicyresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the iam policy.", required = true, entityType = IAMPolicyResponse.class)
- private Long id;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
- public Long getId() {
- return id;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM;
- }
-
- @Override
- public void execute(){
- boolean result = _iamApiSrv.deleteIAMPolicy(id);
- if (result) {
- SuccessResponse response = new SuccessResponse(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete iam policy");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_POLICY_DELETE;
- }
-
- @Override
- public String getEventDescription() {
- return "Deleting IAM policy";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java
deleted file mode 100644
index ece87fa..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java
+++ /dev/null
@@ -1,88 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-
-
-@APICommand(name = "listIAMGroups", description = "Lists iam groups", responseObject = IAMGroupResponse.class)
-public class ListIAMGroupsCmd extends BaseListDomainResourcesCmd {
- public static final Logger s_logger = Logger.getLogger(ListIAMGroupsCmd.class.getName());
-
- private static final String s_name = "listiamgroupsresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
- @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists iam groups by name")
- private String iamGroupName;
-
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the iam group by the id provided", entityType = IAMGroupResponse.class)
- private Long id;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
- public String getIAMGroupName() {
- return iamGroupName;
- }
-
-
- public Long getId(){
- return id;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public void execute(){
-
- ListResponse<IAMGroupResponse> response = _iamApiSrv.listIAMGroups(id, iamGroupName, getDomainId(),
- getStartIndex(), getPageSizeVal());
- response.setResponseName(getCommandName());
- setResponseObject(response);
-
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java
deleted file mode 100644
index 096cc3b..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java
+++ /dev/null
@@ -1,88 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-
-
-@APICommand(name = "listIAMPolicies", description = "Lists IAM policies", responseObject = IAMPolicyResponse.class)
-public class ListIAMPoliciesCmd extends BaseListDomainResourcesCmd {
- public static final Logger s_logger = Logger.getLogger(ListIAMPoliciesCmd.class.getName());
-
- private static final String s_name = "listiampoliciesresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
- @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists iam policies by name")
- private String iamPolicyName;
-
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the iam policy by the id provided", entityType = IAMPolicyResponse.class)
- private Long id;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
- public String getIAMPolicyName() {
- return iamPolicyName;
- }
-
-
- public Long getId(){
- return id;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public void execute(){
-
- ListResponse<IAMPolicyResponse> response = _iamApiSrv.listIAMPolicies(id, iamPolicyName, getDomainId(),
- getStartIndex(), getPageSizeVal());
- response.setResponseName(getCommandName());
- setResponseObject(response);
-
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java
deleted file mode 100644
index 5ff5039..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java
+++ /dev/null
@@ -1,127 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "removeAccountFromIAMGroup", description = "remove accounts from an iam group", responseObject = IAMGroupResponse.class)
-public class RemoveAccountFromIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(RemoveAccountFromIAMGroupCmd.class.getName());
- private static final String s_name = "removeaccountfromiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the iam group.")
- private List<Long> accountIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getAccountIdList() {
- return accountIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM group Id: " + getId());
- IAMGroup result = _iamApiSrv.removeAccountsFromGroup(accountIdList, id);
- if (result != null){
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove accounts from iam group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "removing accounts from iam group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java
deleted file mode 100644
index bf065a0..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java
+++ /dev/null
@@ -1,148 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "removeIAMPermissionFromIAMPolicy", description = "Remove iam permission from an iam policy", responseObject = IAMPolicyResponse.class)
-public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(RemoveIAMPermissionFromIAMPolicyCmd.class.getName());
- private static final String s_name = "removeiampermissionfromiampolicyresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
- required = true, description = "The ID of the iam policy")
- private Long id;
-
- @Parameter(name = ApiConstants.IAM_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
- private String action;
-
- @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
- private String entityType;
-
- @Parameter(name = ApiConstants.IAM_SCOPE, type = CommandType.STRING,
- required = false, description = "iam permission scope")
- private String scope;
-
- @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The ID of the permission scope id")
- private String scopeId;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public String getAction() {
- return action;
- }
-
- public String getEntityType() {
- return entityType;
- }
-
- public String getScope() {
- return scope;
- }
-
- public Long getScopeId() {
- // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID.
- return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
- }
-
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM policy Id: " + getId());
- IAMPolicy result = _iamApiSrv.removeIAMPermissionFromIAMPolicy(id, entityType, PermissionScope.valueOf(scope), getScopeId(), action);
- if (result != null) {
- IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove permission from iam policy " + getId());
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_POLICY_REVOKE;
- }
-
- @Override
- public String getEventDescription() {
- return "removing permission from iam policy";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java
deleted file mode 100644
index 48c2a73..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java
+++ /dev/null
@@ -1,122 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.IAMApiService;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "removeIAMPolicyFromAccount", description = "remove iam policy from accounts", responseObject = SuccessResponse.class)
-public class RemoveIAMPolicyFromAccountCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(RemoveIAMPolicyFromAccountCmd.class.getName());
- private static final String s_name = "removeiampolicyfromaccountresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.")
- private List<Long> accountIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getAccountIdList() {
- return accountIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM policy Id: " + getId());
- _iamApiSrv.removeIAMPolicyFromAccounts(id, accountIdList);
- SuccessResponse response = new SuccessResponse();
- response.setResponseName(getCommandName());
- setResponseObject(response);
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "removing iam policy from accounts";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.Account;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java
deleted file mode 100644
index a99143d..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java
+++ /dev/null
@@ -1,127 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "removeIAMPolicyFromIAMGroup", description = "remove iam policy from an iam group", responseObject = IAMGroupResponse.class)
-public class RemoveIAMPolicyFromIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(RemoveIAMPolicyFromIAMGroupCmd.class.getName());
- private static final String s_name = "removeiampolicyfromiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.IAM_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = IAMPolicyResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.")
- private List<Long> policyIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getRoleIdList() {
- return policyIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM group Id: " + getId());
- IAMGroup result = _iamApiSrv.removeIAMPoliciesFromGroup(policyIdList, id);
- if (result != null){
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to iam group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "removing IAM roles from IAM group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java
deleted file mode 100644
index af28d53..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java
+++ /dev/null
@@ -1,193 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.response.iam;
-
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import com.google.gson.annotations.SerializedName;
-
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseResponse;
-import org.apache.cloudstack.api.EntityReference;
-import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.serializer.Param;
-
-@SuppressWarnings("unused")
-@EntityReference(value = IAMGroup.class)
-public class IAMGroupResponse extends BaseResponse implements ControlledViewEntityResponse {
-
- @SerializedName(ApiConstants.ID)
- @Param(description = "the ID of the iam group")
- private String id;
-
- @SerializedName(ApiConstants.NAME)
- @Param(description = "the name of the iam group")
- private String name;
-
- @SerializedName(ApiConstants.DESCRIPTION)
- @Param(description = "the description of the iam group")
- private String description;
-
- @SerializedName(ApiConstants.DOMAIN_ID)
- @Param(description = "the domain ID of the iam group")
- private String domainId;
-
- @SerializedName(ApiConstants.DOMAIN)
- @Param(description = "the domain name of the iam role")
- private String domainName;
-
- @SerializedName(ApiConstants.ACCOUNT)
- @Param(description = "the account owning the policy")
- private String accountName;
-
- @SerializedName(ApiConstants.IAM_MEMBER_ACCOUNTS)
- @Param(description = "account names assigned to this iam group ")
- private Set<String> accountNameList;
-
- @SerializedName(ApiConstants.IAM_POLICIES)
- @Param(description = "iam policies attached to this iam group ")
- private Set<String> policyNameList;
-
- public IAMGroupResponse() {
- accountNameList = new LinkedHashSet<String>();
- policyNameList = new LinkedHashSet<String>();
- }
-
- @Override
- public String getObjectId() {
- return getId();
- }
-
-
- public String getId() {
- return id;
- }
-
- public void setId(String id) {
- this.id = id;
- }
-
-
- public void setName(String name) {
- this.name = name;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- @Override
- public void setDomainId(String domainId) {
- this.domainId = domainId;
- }
-
- @Override
- public void setDomainName(String domainName) {
- this.domainName = domainName;
- }
-
- @Override
- public void setAccountName(String accountName) {
- this.accountName = accountName;
-
- }
-
- @Override
- public void setProjectId(String projectId) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void setProjectName(String projectName) {
- // TODO Auto-generated method stub
-
- }
-
- public String getName() {
- return name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public String getDomainId() {
- return domainId;
- }
-
- public String getDomainName() {
- return domainName;
- }
-
- public String getAccountName() {
- return accountName;
- }
-
- public Set<String> getAccountNameList() {
- return accountNameList;
- }
-
- public void setMemberAccounts(Set<String> accts) {
- accountNameList = accts;
- }
-
- public void addMemberAccount(String acct) {
- accountNameList.add(acct);
- }
-
- public void setPolicyList(Set<String> policies) {
- policyNameList = policies;
- }
-
- public void addPolicy(String policy) {
- policyNameList.add(policy);
- }
-
- public Set<String> getPolicyList() {
- return policyNameList;
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((id == null) ? 0 : id.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj)
- return true;
- if (obj == null)
- return false;
- if (getClass() != obj.getClass())
- return false;
- IAMGroupResponse other = (IAMGroupResponse)obj;
- if (id == null) {
- if (other.id != null)
- return false;
- } else if (!id.equals(other.id))
- return false;
- return true;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java
deleted file mode 100644
index 046e1f4..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java
+++ /dev/null
@@ -1,124 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.response.iam;
-
-import com.google.gson.annotations.SerializedName;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseResponse;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-
-import com.cloud.serializer.Param;
-
-public class IAMPermissionResponse extends BaseResponse {
-
- @SerializedName(ApiConstants.IAM_ACTION)
- @Param(description = "action of this permission")
- private String action;
-
- @SerializedName(ApiConstants.ENTITY_TYPE)
- @Param(description = "the entity type of this permission")
- private String entityType;
-
- @SerializedName(ApiConstants.IAM_SCOPE)
- @Param(description = "scope of this permission")
- private PermissionScope scope;
-
- @SerializedName(ApiConstants.IAM_SCOPE_ID)
- @Param(description = "scope id of this permission")
- private Long scopeId;
-
- @SerializedName(ApiConstants.IAM_ALLOW_DENY)
- @Param(description = "allow or deny of this permission")
- private IAMPolicyPermission.Permission permission;
-
- public String getEntityType() {
- return entityType;
- }
-
- public void setEntityType(String entityType) {
- this.entityType = entityType;
- }
-
- public String getAction() {
- return action;
- }
-
- public void setAction(String action) {
- this.action = action;
- }
-
- public PermissionScope getScope() {
- return scope;
- }
-
- public void setScope(PermissionScope scope) {
- this.scope = scope;
- }
-
- public Long getScopeId() {
- return scopeId;
- }
-
- public void setScopeId(Long scopeId) {
- this.scopeId = scopeId;
- }
-
- public IAMPolicyPermission.Permission getPermission() {
- return permission;
- }
-
- public void setPermission(IAMPolicyPermission.Permission permission) {
- this.permission = permission;
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((action == null) ? 0 : action.hashCode());
- result = prime * result + ((entityType == null) ? 0 : entityType.hashCode());
- result = prime * result + ((scope == null) ? 0 : scope.hashCode());
- result = prime * result + ((scopeId == null) ? 0 : scopeId.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj)
- return true;
- if (obj == null)
- return false;
- if (getClass() != obj.getClass())
- return false;
- IAMPermissionResponse other = (IAMPermissionResponse) obj;
- if ((entityType == null && other.entityType != null) || (entityType != null && !entityType.equals(other.entityType))) {
- return false;
- } else if ((action == null && other.action != null) || (action != null && !action.equals(other.action))) {
- return false;
- } else if ((scope == null && other.scope != null) || (scope != null && !scope.equals(other.scope))) {
- return false;
- } else if ((scopeId == null && other.scopeId != null) || (scopeId != null && !scopeId.equals(other.scopeId))) {
- return false;
- }
- return true;
- }
-
-
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java
deleted file mode 100644
index dc29369..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java
+++ /dev/null
@@ -1,177 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.response.iam;
-
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import com.google.gson.annotations.SerializedName;
-
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseResponse;
-import org.apache.cloudstack.api.EntityReference;
-import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-
-import com.cloud.serializer.Param;
-
-@SuppressWarnings("unused")
-@EntityReference(value = IAMPolicy.class)
-public class IAMPolicyResponse extends BaseResponse implements ControlledViewEntityResponse {
-
- @SerializedName(ApiConstants.ID)
- @Param(description = "the ID of the iam policy")
- private String id;
-
- @SerializedName(ApiConstants.NAME)
- @Param(description = "the name of the iam policy")
- private String name;
-
- @SerializedName(ApiConstants.DESCRIPTION)
- @Param(description = "the description of the iam policy")
- private String description;
-
- @SerializedName(ApiConstants.DOMAIN_ID)
- @Param(description = "the domain ID of the iam policy")
- private String domainId;
-
- @SerializedName(ApiConstants.DOMAIN)
- @Param(description = "the domain name of the iam policy")
- private String domainName;
-
- @SerializedName(ApiConstants.ACCOUNT)
- @Param(description = "the account owning the policy")
- private String accountName;
-
- @SerializedName(ApiConstants.IAM_PERMISSIONS)
- @Param(description = "set of permissions for the iam policy")
- private Set<IAMPermissionResponse> permissionList;
-
- public IAMPolicyResponse() {
- permissionList = new LinkedHashSet<IAMPermissionResponse>();
- }
-
- @Override
- public String getObjectId() {
- return getId();
- }
-
-
- public String getId() {
- return id;
- }
-
- public void setId(String id) {
- this.id = id;
- }
-
-
- public void setName(String name) {
- this.name = name;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- @Override
- public void setDomainId(String domainId) {
- this.domainId = domainId;
- }
-
- @Override
- public void setDomainName(String domainName) {
- this.domainName = domainName;
- }
-
- public Set<IAMPermissionResponse> getPermissionList() {
- return permissionList;
- }
-
- public void setPermissionList(Set<IAMPermissionResponse> perms) {
- permissionList = perms;
- }
-
- public void addPermission(IAMPermissionResponse perm) {
- permissionList.add(perm);
- }
-
- @Override
- public void setAccountName(String accountName) {
- this.accountName = accountName;
- }
-
- @Override
- public void setProjectId(String projectId) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void setProjectName(String projectName) {
- // TODO Auto-generated method stub
-
- }
-
- public String getName() {
- return name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public String getDomainId() {
- return domainId;
- }
-
- public String getDomainName() {
- return domainName;
- }
-
- public String getAccountName() {
- return accountName;
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((id == null) ? 0 : id.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj)
- return true;
- if (obj == null)
- return false;
- if (getClass() != obj.getClass())
- return false;
- IAMPolicyResponse other = (IAMPolicyResponse) obj;
- if (id == null) {
- if (other.id != null)
- return false;
- } else if (!id.equals(other.id))
- return false;
- return true;
- }
-
-
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java
deleted file mode 100644
index 6735d48..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java
+++ /dev/null
@@ -1,87 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.List;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-
-import com.cloud.user.Account;
-import com.cloud.utils.component.PluggableService;
-
-public interface IAMApiService extends PluggableService {
-
- /* ACL group related interfaces */
- IAMGroup createIAMGroup(Account caller, String iamGroupName, String description);
-
- boolean deleteIAMGroup(Long iamGroupId);
-
- List<IAMGroup> listIAMGroups(long accountId);
-
- IAMGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
-
- IAMGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
-
- /* IAM Policy related interfaces */
- IAMPolicy createIAMPolicy(Account caller, String iamPolicyName, String description, Long parentPolicyId);
-
- boolean deleteIAMPolicy(long iamPolicyId);
-
- List<IAMPolicy> listIAMPolicies(long accountId);
-
- IAMGroup attachIAMPoliciesToGroup(List<Long> policyIds, Long groupId);
-
- IAMGroup removeIAMPoliciesFromGroup(List<Long> policyIds, Long groupId);
-
- void attachIAMPolicyToAccounts(Long policyId, List<Long> accountIds);
-
- void removeIAMPolicyFromAccounts(Long policyId, List<Long> accountIds);
-
- IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId,
- String action, Permission perm, Boolean recursive, Boolean readOnly);
-
- IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);
-
- IAMPolicyPermission getIAMPolicyPermission(long accountId, String entityType, String action);
-
- /* Utility routine to grant/revoke invidivual resource to list of accounts */
- void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds);
-
- void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds);
-
- /* Response Generation */
- IAMPolicyResponse createIAMPolicyResponse(IAMPolicy policy);
-
- IAMGroupResponse createIAMGroupResponse(IAMGroup group);
-
- ListResponse<IAMGroupResponse> listIAMGroups(Long iamGroupId, String iamGroupName,
- Long domainId, Long startIndex, Long pageSize);
-
- ListResponse<IAMPolicyResponse> listIAMPolicies(Long iamPolicyId, String iamPolicyName,
- Long domainId, Long startIndex, Long pageSize);
-
- // Convert passed scope uuid to internal scope long id
- Long getPermissionScopeId(String scope, String entityType, String scopeId);
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java
deleted file mode 100644
index b0dc383..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ /dev/null
@@ -1,825 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import org.apache.log4j.Logger;
-import org.bouncycastle.util.IPAddress;
-
-import com.amazonaws.auth.policy.Condition;
-import com.amazonaws.services.ec2.model.SecurityGroup;
-import com.amazonaws.services.ec2.model.Snapshot;
-import com.amazonaws.services.ec2.model.Volume;
-import com.amazonaws.services.ec2.model.Vpc;
-import com.amazonaws.services.elasticache.model.Event;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.affinity.AffinityGroup;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseListCmd;
-import org.apache.cloudstack.api.InternalIdentity;
-import org.apache.cloudstack.api.command.iam.AddAccountToIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.AddIAMPermissionToIAMPolicyCmd;
-import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToAccountCmd;
-import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.CreateIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.CreateIAMPolicyCmd;
-import org.apache.cloudstack.api.command.iam.DeleteIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.DeleteIAMPolicyCmd;
-import org.apache.cloudstack.api.command.iam.ListIAMGroupsCmd;
-import org.apache.cloudstack.api.command.iam.ListIAMPoliciesCmd;
-import org.apache.cloudstack.api.command.iam.RemoveAccountFromIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.RemoveIAMPermissionFromIAMPolicyCmd;
-import org.apache.cloudstack.api.command.iam.RemoveIAMPolicyFromAccountCmd;
-import org.apache.cloudstack.api.command.iam.RemoveIAMPolicyFromIAMGroupCmd;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPermissionResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.framework.jobs.AsyncJob;
-import org.apache.cloudstack.framework.messagebus.MessageBus;
-import org.apache.cloudstack.framework.messagebus.MessageSubscriber;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.api.IAMService;
-
-import com.cloud.api.ApiServerService;
-import com.cloud.domain.Domain;
-import com.cloud.domain.DomainVO;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.event.ActionEvent;
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.network.IpAddress;
-import com.cloud.network.MonitoringService;
-import com.cloud.network.Network;
-import com.cloud.network.RemoteAccessVpn;
-import com.cloud.network.Site2SiteCustomerGateway;
-import com.cloud.network.Site2SiteVpnConnection;
-import com.cloud.network.Site2SiteVpnGateway;
-import com.cloud.network.UserIpv6Address;
-import com.cloud.network.VpnUser;
-import com.cloud.network.as.AutoScalePolicy;
-import com.cloud.network.as.AutoScaleVmGroup;
-import com.cloud.network.as.AutoScaleVmProfile;
-import com.cloud.network.lb.SslCert;
-import com.cloud.network.rules.FirewallRule;
-import com.cloud.network.rules.PortForwardingRule;
-import com.cloud.network.vpc.StaticRoute;
-import com.cloud.network.vpc.VpcGateway;
-import com.cloud.projects.ProjectInvitation;
-import com.cloud.region.ha.GlobalLoadBalancerRule;
-import com.cloud.server.ResourceTag;
-import com.cloud.template.TemplateManager;
-import com.cloud.template.VirtualMachineTemplate;
-import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
-import com.cloud.user.AccountVO;
-import com.cloud.user.DomainManager;
-import com.cloud.user.SSHKeyPair;
-import com.cloud.user.dao.AccountDao;
-import com.cloud.utils.Pair;
-import com.cloud.utils.component.Manager;
-import com.cloud.utils.component.ManagerBase;
-import com.cloud.utils.db.DB;
-import com.cloud.utils.db.EntityManager;
-import com.cloud.vm.InstanceGroup;
-import com.cloud.vm.NicIpAlias;
-import com.cloud.vm.NicSecondaryIp;
-import com.cloud.vm.VirtualMachine;
-import com.cloud.vm.snapshot.VMSnapshot;
-
-public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Manager {
-
- public static final Logger s_logger = Logger.getLogger(IAMApiServiceImpl.class);
- private String _name;
-
- @Inject
- ApiServerService _apiServer;
-
- @Inject
- IAMService _iamSrv;
-
- @Inject
- DomainDao _domainDao;
-
- @Inject
- AccountDao _accountDao;
-
- @Inject
- AccountManager _accountMgr;
-
- @Inject
- MessageBus _messageBus;
-
- @Inject
- EntityManager _entityMgr;
-
- private static final Map<String, Class<?>> s_typeMap = new HashMap<String, Class<?>>();
- static {
- s_typeMap.put(VirtualMachine.class.getSimpleName(), VirtualMachine.class);
- s_typeMap.put(Volume.class.getSimpleName(), Volume.class);
- s_typeMap.put(ResourceTag.class.getSimpleName(), ResourceTag.class);
- s_typeMap.put(Account.class.getSimpleName(), Account.class);
- s_typeMap.put(AffinityGroup.class.getSimpleName(), AffinityGroup.class);
- s_typeMap.put(AutoScalePolicy.class.getSimpleName(), AutoScalePolicy.class);
- s_typeMap.put(AutoScaleVmProfile.class.getSimpleName(), AutoScaleVmProfile.class);
- s_typeMap.put(AutoScaleVmGroup.class.getSimpleName(), AutoScaleVmGroup.class);
- s_typeMap.put(Condition.class.getSimpleName(), Condition.class);
- s_typeMap.put(Vpc.class.getSimpleName(), Vpc.class);
- s_typeMap.put(VpcGateway.class.getSimpleName(), VpcGateway.class);
- s_typeMap.put(VpnUser.class.getSimpleName(), VpnUser.class);
- s_typeMap.put(VMSnapshot.class.getSimpleName(), VMSnapshot.class);
- s_typeMap.put(VirtualMachineTemplate.class.getSimpleName(), VirtualMachineTemplate.class);
- s_typeMap.put(UserIpv6Address.class.getSimpleName(), UserIpv6Address.class);
- s_typeMap.put(StaticRoute.class.getSimpleName(), StaticRoute.class);
- s_typeMap.put(SSHKeyPair.class.getSimpleName(), SSHKeyPair.class);
- s_typeMap.put(Snapshot.class.getSimpleName(), Snapshot.class);
- s_typeMap.put(Site2SiteVpnGateway.class.getSimpleName(), Site2SiteVpnGateway.class);
- s_typeMap.put(Site2SiteCustomerGateway.class.getSimpleName(), Site2SiteCustomerGateway.class);
- s_typeMap.put(Site2SiteVpnConnection.class.getSimpleName(), Site2SiteVpnConnection.class);
- s_typeMap.put(SecurityGroup.class.getSimpleName(), SecurityGroup.class);
- s_typeMap.put(RemoteAccessVpn.class.getSimpleName(), RemoteAccessVpn.class);
- s_typeMap.put(ProjectInvitation.class.getSimpleName(), ProjectInvitation.class);
- s_typeMap.put(NicSecondaryIp.class.getSimpleName(), NicSecondaryIp.class);
- s_typeMap.put(NicIpAlias.class.getSimpleName(), NicIpAlias.class);
- s_typeMap.put(Network.class.getSimpleName(), Network.class);
- s_typeMap.put(IpAddress.class.getSimpleName(), IPAddress.class);
- s_typeMap.put(InstanceGroup.class.getSimpleName(), InstanceGroup.class);
- s_typeMap.put(GlobalLoadBalancerRule.class.getSimpleName(), GlobalLoadBalancerRule.class);
- s_typeMap.put(FirewallRule.class.getSimpleName(), FirewallRule.class);
- s_typeMap.put(PortForwardingRule.class.getSimpleName(), PortForwardingRule.class);
- s_typeMap.put(Event.class.getSimpleName(), Event.class);
- s_typeMap.put(AsyncJob.class.getSimpleName(), AsyncJob.class);
- s_typeMap.put(IAMGroup.class.getSimpleName(), IAMGroup.class);
- s_typeMap.put(IAMPolicy.class.getSimpleName(), IAMPolicy.class);
- s_typeMap.put(MonitoringService.class.getSimpleName(), MonitoringService.class);
- s_typeMap.put(SslCert.class.getSimpleName(), SslCert.class);
- }
-
- @Override
- public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
-
- _messageBus.subscribe(AccountManager.MESSAGE_ADD_ACCOUNT_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- HashMap<Long, Long> acctGroupMap = (HashMap<Long, Long>) obj;
- for (Long accountId : acctGroupMap.keySet()) {
- Long groupId = acctGroupMap.get(accountId);
- s_logger.debug("MessageBus message: new Account Added: " + accountId + ", adding it to groupId :"
- + groupId);
- addAccountToIAMGroup(accountId, groupId);
- // add it to domain group too
- AccountVO account = _accountDao.findById(accountId);
- Domain domain = _domainDao.findById(account.getDomainId());
- if (domain != null) {
- List<IAMGroup> domainGroups = listDomainGroup(domain);
-
- if (domainGroups != null) {
- for (IAMGroup group : domainGroups) {
- addAccountToIAMGroup(accountId, new Long(group.getId()));
- }
- }
- }
- }
- }
- });
-
- _messageBus.subscribe(AccountManager.MESSAGE_REMOVE_ACCOUNT_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long accountId = ((Long) obj);
- if (accountId != null) {
- s_logger.debug("MessageBus message: Account removed: " + accountId
- + ", releasing the group associations");
- removeAccountFromIAMGroups(accountId);
- }
- }
- });
-
- _messageBus.subscribe(DomainManager.MESSAGE_ADD_DOMAIN_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long domainId = ((Long) obj);
- if (domainId != null) {
- s_logger.debug("MessageBus message: new Domain created: " + domainId + ", creating a new group");
- Domain domain = _domainDao.findById(domainId);
- _iamSrv.createIAMGroup("DomainGrp-" + domain.getUuid(), "Domain group", domain.getPath());
- }
- }
- });
-
- _messageBus.subscribe(DomainManager.MESSAGE_REMOVE_DOMAIN_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long domainId = ((Long) obj);
- if (domainId != null) {
- s_logger.debug("MessageBus message: Domain removed: " + domainId + ", removing the domain group");
- Domain domain = _domainDao.findById(domainId);
- List<IAMGroup> groups = listDomainGroup(domain);
- for (IAMGroup group : groups) {
- _iamSrv.deleteIAMGroup(group.getId());
- }
- }
- }
- });
-
- _messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long templateId = (Long)obj;
- if (templateId != null) {
- s_logger.debug("MessageBus message: new public template registered: " + templateId
- + ", grant permission to default root admin, domain admin and normal user policies");
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- }
- }
- });
-
- _messageBus.subscribe(TemplateManager.MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long templateId = (Long)obj;
- if (templateId != null) {
- s_logger.debug("MessageBus message: reset template permission: " + templateId);
- resetTemplatePermission(templateId);
- }
- }
- });
-
- _messageBus.subscribe(EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Pair<Class<?>, Long> entity = (Pair<Class<?>, Long>)obj;
- if (entity != null) {
- String entityType = entity.first().getSimpleName();
- Long entityId = entity.second();
- s_logger.debug("MessageBus message: delete an entity: (" + entityType + "," + entityId + "), remove its related permission");
- _iamSrv.removeIAMPermissionForEntity(entityType, entityId);
- }
- }
- });
-
-
- _messageBus.subscribe(EntityManager.MESSAGE_GRANT_ENTITY_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Map<String, Object> permit = (Map<String, Object>)obj;
- if (permit != null) {
- Class<?> entityType = (Class<?>)permit.get(ApiConstants.ENTITY_TYPE);
- Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID);
- AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE);
- String action = (String)permit.get(ApiConstants.IAM_ACTION);
- List<Long> acctIds = (List<Long>)permit.get(ApiConstants.ACCOUNTS);
- s_logger.debug("MessageBus message: grant accounts permission to an entity: (" + entityType + "," + entityId + ")");
- grantEntityPermissioinToAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds);
- }
- }
- });
-
- _messageBus.subscribe(EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Map<String, Object> permit = (Map<String, Object>)obj;
- if (permit != null) {
- Class<?> entityType = (Class<?>)permit.get(ApiConstants.ENTITY_TYPE);
- Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID);
- AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE);
- String action = (String)permit.get(ApiConstants.IAM_ACTION);
- List<Long> acctIds = (List<Long>)permit.get(ApiConstants.ACCOUNTS);
- s_logger.debug("MessageBus message: revoke from accounts permission to an entity: (" + entityType + "," + entityId + ")");
- revokeEntityPermissioinFromAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds);
- }
- }
- });
-
- _messageBus.subscribe(EntityManager.MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Map<String, Object> params = (Map<String, Object>) obj;
- if (params != null) {
- addDomainWideResourceAccess(params);
- }
- }
- });
-
- return super.configure(name, params);
- }
-
- @Override
- public boolean start() {
- s_logger.info("Populating IAM group and account association for default accounts...");
-
- // populate group <-> account association if not present for CS admin
- // and system accounts
- populateIAMGroupAdminAccountMap();
-
- return true;
- }
-
- private void populateIAMGroupAdminAccountMap() {
- List<Long> sysAccts = new ArrayList<Long>();
- sysAccts.add(Account.ACCOUNT_ID_SYSTEM);
- sysAccts.add(Account.ACCOUNT_ID_SYSTEM + 1);
- _iamSrv.addAccountsToGroup(sysAccts, new Long(Account.ACCOUNT_TYPE_ADMIN + 1));
- }
-
- private void addDomainWideResourceAccess(Map<String, Object> params) {
-
- Class<?> entityType = (Class<?>)params.get(ApiConstants.ENTITY_TYPE);
- Long entityId = (Long) params.get(ApiConstants.ENTITY_ID);
- Long domainId = (Long) params.get(ApiConstants.DOMAIN_ID);
- Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS);
-
- if (entityType == Network.class) {
- createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.toString(),
- entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive);
- } else if (entityType == AffinityGroup.class) {
- createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.toString(),
- entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive);
- }
-
- }
-
- private void createPolicyAndAddToDomainGroup(String policyName, String description, String entityType,
- Long entityId, String action, AccessType accessType, Long domainId, Boolean recursive) {
-
- Domain domain = _domainDao.findById(domainId);
- if (domain != null) {
- IAMPolicy policy = _iamSrv.createIAMPolicy(policyName, description, null, domain.getPath());
- _iamSrv.addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE.toString(),
- entityId, action, accessType.toString(), Permission.Allow, recursive);
- List<Long> policyList = new ArrayList<Long>();
- policyList.add(new Long(policy.getId()));
-
- List<IAMGroup> domainGroups = listDomainGroup(domain);
- if (domainGroups != null) {
- for (IAMGroup group : domainGroups) {
- _iamSrv.attachIAMPoliciesToGroup(policyList, group.getId());
- }
- }
- }
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true)
- public IAMGroup createIAMGroup(Account caller, String iamGroupName, String description) {
- Long domainId = caller.getDomainId();
- Domain callerDomain = _domainDao.findById(domainId);
- if (callerDomain == null) {
- throw new InvalidParameterValueException("Caller does not have a domain");
- }
- return _iamSrv.createIAMGroup(iamGroupName, description, callerDomain.getPath());
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_DELETE, eventDescription = "Deleting Acl Group")
- public boolean deleteIAMGroup(final Long iamGroupId) {
- return _iamSrv.deleteIAMGroup(iamGroupId);
- }
-
- @Override
- public List<IAMGroup> listIAMGroups(long accountId) {
- return _iamSrv.listIAMGroups(accountId);
- }
-
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Adding accounts to acl group")
- public IAMGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
- return _iamSrv.addAccountsToGroup(acctIds, groupId);
- }
-
-
- private void removeAccountFromIAMGroups(long accountId) {
- List<IAMGroup> groups = listIAMGroups(accountId);
- List<Long> accts = new ArrayList<Long>();
- accts.add(accountId);
- if (groups != null) {
- for (IAMGroup grp : groups) {
- removeAccountsFromGroup(accts, grp.getId());
- }
- }
- }
-
- private void addAccountToIAMGroup(long accountId, long groupId) {
- List<Long> accts = new ArrayList<Long>();
- accts.add(accountId);
- addAccountsToGroup(accts, groupId);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Removing accounts from acl group")
- public IAMGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
- return _iamSrv.removeAccountsFromGroup(acctIds, groupId);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_CREATE, eventDescription = "Creating IAM Policy", create = true)
- public IAMPolicy createIAMPolicy(Account caller, final String iamPolicyName, final String description, final Long parentPolicyId) {
- Long domainId = caller.getDomainId();
- Domain callerDomain = _domainDao.findById(domainId);
- if (callerDomain == null) {
- throw new InvalidParameterValueException("Caller does not have a domain");
- }
- return _iamSrv.createIAMPolicy(iamPolicyName, description, parentPolicyId, callerDomain.getPath());
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_DELETE, eventDescription = "Deleting IAM Policy")
- public boolean deleteIAMPolicy(final long iamPolicyId) {
- return _iamSrv.deleteIAMPolicy(iamPolicyId);
- }
-
-
- @Override
- public List<IAMPolicy> listIAMPolicies(long accountId) {
- return _iamSrv.listIAMPolicies(accountId);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Attaching policy to acl group")
- public IAMGroup attachIAMPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
- return _iamSrv.attachIAMPoliciesToGroup(policyIds, groupId);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Removing policies from acl group")
- public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
- return _iamSrv.removeIAMPoliciesFromGroup(policyIds, groupId);
- }
-
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE, eventDescription = "Attaching policy to accounts")
- public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> accountIds) {
- _iamSrv.attachIAMPolicyToAccounts(policyId, accountIds);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE, eventDescription = "Removing policy from accounts")
- public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> accountIds) {
- _iamSrv.removeIAMPolicyFromAccounts(policyId, accountIds);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_GRANT, eventDescription = "Granting acl permission to IAM Policy")
- public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope,
- Long scopeId, String action, Permission perm, Boolean recursive, Boolean readOnly) {
- Class<?> cmdClass = _apiServer.getCmdClass(action);
- AccessType accessType = null;
- if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
- if (readOnly) {
- accessType = AccessType.ListEntry;
- } else {
- accessType = AccessType.UseEntry;
- }
- } else {
- accessType = AccessType.OperateEntry;
- }
- String accessTypeStr = (accessType != null) ? accessType.toString() : null;
- return _iamSrv.addIAMPermissionToIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action,
- accessTypeStr, perm, recursive);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_REVOKE, eventDescription = "Revoking acl permission from IAM Policy")
- public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) {
- return _iamSrv.removeIAMPermissionFromIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action);
- }
-
- @Override
- public IAMPolicyPermission getIAMPolicyPermission(long accountId, String entityType, String action) {
- List<IAMPolicy> policies = _iamSrv.listIAMPolicies(accountId);
- IAMPolicyPermission curPerm = null;
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> perms = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action,
- entityType);
- if (perms == null || perms.size() == 0)
- continue;
- IAMPolicyPermission perm = perms.get(0); // just pick one
- if (curPerm == null) {
- curPerm = perm;
- } else if (PermissionScope.valueOf(perm.getScope()).greaterThan(PermissionScope.valueOf(curPerm.getScope()))) {
- // pick the more relaxed allowed permission
- curPerm = perm;
- }
- }
-
- return curPerm;
- }
-
-
- @Override
- public IAMPolicyResponse createIAMPolicyResponse(IAMPolicy policy) {
- IAMPolicyResponse response = new IAMPolicyResponse();
- response.setId(policy.getUuid());
- response.setName(policy.getName());
- response.setDescription(policy.getDescription());
- String domainPath = policy.getPath();
- if (domainPath != null) {
- DomainVO domain = _domainDao.findDomainByPath(domainPath);
- if (domain != null) {
- response.setDomainId(domain.getUuid());
- response.setDomainName(domain.getName());
- }
- }
- long accountId = policy.getAccountId();
- AccountVO owner = _accountDao.findById(accountId);
- if (owner != null) {
- response.setAccountName(owner.getAccountName());
- }
- // find permissions associated with this policy
- List<IAMPolicyPermission> permissions = _iamSrv.listPolicyPermissions(policy.getId());
- if (permissions != null && permissions.size() > 0) {
- for (IAMPolicyPermission permission : permissions) {
- IAMPermissionResponse perm = new IAMPermissionResponse();
- perm.setAction(permission.getAction());
- if (permission.getEntityType() != null) {
- perm.setEntityType(permission.getEntityType());
- }
- if (permission.getScope() != null) {
- perm.setScope(PermissionScope.valueOf(permission.getScope()));
- }
- perm.setScopeId(permission.getScopeId());
- perm.setPermission(permission.getPermission());
- response.addPermission(perm);
- }
- }
- response.setObjectName("aclpolicy");
- return response;
- }
-
- @Override
- public IAMGroupResponse createIAMGroupResponse(IAMGroup group) {
- IAMGroupResponse response = new IAMGroupResponse();
- response.setId(group.getUuid());
- response.setName(group.getName());
- response.setDescription(group.getDescription());
- String domainPath = group.getPath();
- if (domainPath != null) {
- DomainVO domain = _domainDao.findDomainByPath(domainPath);
- if (domain != null) {
- response.setDomainId(domain.getUuid());
- response.setDomainName(domain.getName());
- }
- }
- long accountId = group.getAccountId();
- AccountVO owner = _accountDao.findById(accountId);
- if (owner != null) {
- response.setAccountName(owner.getAccountName());
- }
- // find all the members in this group
- List<Long> members = _iamSrv.listAccountsByGroup(group.getId());
- if (members != null && members.size() > 0) {
- for (Long member : members) {
- AccountVO mem = _accountDao.findById(member);
- if (mem != null) {
- response.addMemberAccount(mem.getAccountName());
- }
- }
- }
-
- // find all the policies attached to this group
- List<IAMPolicy> policies = _iamSrv.listIAMPoliciesByGroup(group.getId());
- if (policies != null && policies.size() > 0) {
- for (IAMPolicy policy : policies) {
- response.addPolicy(policy.getName());
- }
- }
-
- response.setObjectName("aclgroup");
- return response;
-
- }
-
- public List<IAMGroup> listDomainGroup(Domain domain) {
-
- if (domain != null) {
- String domainPath = domain.getPath();
- // search for groups
- Pair<List<IAMGroup>, Integer> result = _iamSrv.listIAMGroups(null, "DomainGrp-" + domain.getUuid(),
- domainPath, null, null);
- return result.first();
- }
- return new ArrayList<IAMGroup>();
-
- }
-
- @Override
- public ListResponse<IAMGroupResponse> listIAMGroups(Long iamGroupId, String iamGroupName, Long domainId, Long startIndex, Long pageSize) {
- // acl check
- Account caller = CallContext.current().getCallingAccount();
-
- Domain domain = null;
- if (domainId != null) {
- domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
- }
-
- _accountMgr.checkAccess(caller, domain);
- } else {
- domain = _domainDao.findById(caller.getDomainId());
- }
- String domainPath = domain.getPath();
- // search for groups
- Pair<List<IAMGroup>, Integer> result = _iamSrv.listIAMGroups(iamGroupId, iamGroupName, domainPath, startIndex, pageSize);
- // generate group response
- ListResponse<IAMGroupResponse> response = new ListResponse<IAMGroupResponse>();
- List<IAMGroupResponse> groupResponses = new ArrayList<IAMGroupResponse>();
- for (IAMGroup group : result.first()) {
- IAMGroupResponse resp = createIAMGroupResponse(group);
- groupResponses.add(resp);
- }
- response.setResponses(groupResponses, result.second());
- return response;
- }
-
- @Override
- public ListResponse<IAMPolicyResponse> listIAMPolicies(Long iamPolicyId, String iamPolicyName, Long domainId, Long startIndex,
- Long pageSize) {
- // acl check
- Account caller = CallContext.current().getCallingAccount();
-
- Domain domain = null;
- if (domainId != null) {
- domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
- }
-
- _accountMgr.checkAccess(caller, domain);
- } else {
- domain = _domainDao.findById(caller.getDomainId());
- }
- String domainPath = domain.getPath();
- // search for policies
- Pair<List<IAMPolicy>, Integer> result = _iamSrv.listIAMPolicies(iamPolicyId, iamPolicyName, domainPath, startIndex, pageSize);
- // generate policy response
- ListResponse<IAMPolicyResponse> response = new ListResponse<IAMPolicyResponse>();
- List<IAMPolicyResponse> policyResponses = new ArrayList<IAMPolicyResponse>();
- for (IAMPolicy policy : result.first()) {
- IAMPolicyResponse resp = createIAMPolicyResponse(policy);
- policyResponses.add(resp);
- }
- response.setResponses(policyResponses, result.second());
- return response;
- }
-
- @Override
- public void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds) {
- // check if there is already a policy with only this permission added to it
- IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action);
- if (policy == null) {
- // not found, just create a policy with resource grant permission
- Account caller = CallContext.current().getCallingAccount();
- String aclPolicyName = "policyGrant" + entityType + entityId;
- String description = "Policy to grant permission to " + entityType + entityId;
- policy = createIAMPolicy(caller, aclPolicyName, description, null);
- // add permission to this policy
- addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action,
- Permission.Allow, false, false);
- }
- // attach this policy to list of accounts if not attached already
- Long policyId = policy.getId();
- for (Long acctId : accountIds) {
- if (!isPolicyAttachedToAccount(policyId, acctId)) {
- attachIAMPolicyToAccounts(policyId, Collections.singletonList(acctId));
- }
- }
- }
-
- @Override
- public void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds) {
- // there should already a policy with only this permission added to it, this call is mainly used
- IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action);
- if (policy == null) {
- s_logger.warn("Cannot find a policy associated with this entity permissioin to be revoked, just return");
- return;
- }
- // detach this policy from list of accounts if not detached already
- Long policyId = policy.getId();
- for (Long acctId : accountIds) {
- if (isPolicyAttachedToAccount(policyId, acctId)) {
- removeIAMPolicyFromAccounts(policyId, Collections.singletonList(acctId));
- }
- }
-
- }
-
- private boolean isPolicyAttachedToAccount(Long policyId, Long accountId) {
- List<IAMPolicy> pList = listIAMPolicies(accountId);
- for (IAMPolicy p : pList) {
- if (p.getId() == policyId.longValue()) {
- return true;
- }
- }
- return false;
- }
-
- private void resetTemplatePermission(Long templateId){
- // reset template will change template to private, so we need to remove its permission for domain admin and normal user group
- _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates");
- _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates");
- // check if there is a policy with only UseEntry permission for this template added
- IAMPolicy policy = _iamSrv.getResourceGrantPolicy(VirtualMachineTemplate.class.getSimpleName(), templateId, AccessType.UseEntry.toString(), "listTemplates");
- if ( policy == null ){
- s_logger.info("No policy found for this template grant: " + templateId + ", no detach to be done");
- return;
- }
- // delete the policy, which should detach it from groups and accounts
- _iamSrv.deleteIAMPolicy(policy.getId());
-
- }
-
- @Override
- public Long getPermissionScopeId(String scope, String entityType, String scopeId) {
- if (scopeId.equals("-1")) {
- return -1L;
- }
- PermissionScope permScope = PermissionScope.valueOf(scope);
- InternalIdentity entity = null;
- switch (permScope) {
- case DOMAIN:
- entity = _domainDao.findByUuid(scopeId);
- break;
- case ACCOUNT:
- entity = _accountDao.findByUuid(scopeId);
- break;
- case RESOURCE:
- Class<?> clazz = s_typeMap.get(entityType);
- entity = (InternalIdentity)_entityMgr.findByUuid(clazz, scopeId);
- }
-
- if (entity != null) {
- return entity.getId();
- }
- throw new InvalidParameterValueException("Unable to find scopeId " + scopeId + " with scope " + scope + " and type " + entityType);
- }
-
- @Override
- public List<Class<?>> getCommands() {
- List<Class<?>> cmdList = new ArrayList<Class<?>>();
- cmdList.add(CreateIAMPolicyCmd.class);
- cmdList.add(DeleteIAMPolicyCmd.class);
- cmdList.add(ListIAMPoliciesCmd.class);
- cmdList.add(AddIAMPermissionToIAMPolicyCmd.class);
- cmdList.add(RemoveIAMPermissionFromIAMPolicyCmd.class);
- cmdList.add(AttachIAMPolicyToIAMGroupCmd.class);
- cmdList.add(RemoveIAMPolicyFromIAMGroupCmd.class);
- cmdList.add(CreateIAMGroupCmd.class);
- cmdList.add(DeleteIAMGroupCmd.class);
- cmdList.add(ListIAMGroupsCmd.class);
- cmdList.add(AddAccountToIAMGroupCmd.class);
- cmdList.add(RemoveAccountFromIAMGroupCmd.class);
- cmdList.add(AttachIAMPolicyToAccountCmd.class);
- cmdList.add(RemoveIAMPolicyFromAccountCmd.class);
- return cmdList;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
deleted file mode 100644
index 3072b77..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
+++ /dev/null
@@ -1,287 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.APIChecker;
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.BaseCmd;
-import org.apache.cloudstack.api.BaseListCmd;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.api.IAMService;
-
-import com.cloud.api.ApiServerService;
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.storage.VMTemplateVO;
-import com.cloud.storage.dao.VMTemplateDao;
-import com.cloud.template.VirtualMachineTemplate;
-import com.cloud.user.Account;
-import com.cloud.user.AccountService;
-import com.cloud.user.User;
-import com.cloud.utils.PropertiesUtil;
-import com.cloud.utils.component.AdapterBase;
-import com.cloud.utils.component.PluggableService;
-import com.cloud.utils.exception.CloudRuntimeException;
-
-//This is the Role Based API access checker that grab's the account's roles
-//based on the set of roles, access is granted if any of the role has access to the api
-public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
-
- protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class);
-
- @Inject
- AccountService _accountService;
- @Inject
- ApiServerService _apiServer;
- @Inject
- IAMService _iamSrv;
- @Inject
- VMTemplateDao _templateDao;
-
- Set<String> commandsPropertiesOverrides = new HashSet<String>();
- Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
-
- List<PluggableService> _services;
-
- protected RoleBasedAPIAccessChecker() {
- super();
- for (RoleType roleType : RoleType.values()) {
- commandsPropertiesRoleBasedApisMap.put(roleType, new HashSet<String>());
- }
- }
-
- @Override
- public boolean checkAccess(User user, String commandName) throws PermissionDeniedException {
- Account account = _accountService.getAccount(user.getAccountId());
- if (account == null) {
- throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId()
- + "is null");
- }
-
- List<IAMPolicy> policies = _iamSrv.listIAMPolicies(account.getAccountId());
-
- boolean isAllowed = _iamSrv.isActionAllowedForPolicies(commandName, policies);
- if (!isAllowed) {
- throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
- }
- return isAllowed;
- }
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- processMapping(PropertiesUtil.processConfigFile(new String[] { "commands.properties" }));
- return true;
- }
-
- @Override
- public boolean start() {
-
- // drop all default policy api permissions - we reload them every time
- // to include any changes done to the @APICommand or
- // commands.properties.
-
- for (RoleType role : RoleType.values()) {
- Long policyId = getDefaultPolicyId(role);
- if (policyId != null) {
- _iamSrv.resetIAMPolicy(policyId);
- }
- }
-
- // add the system-domain capability
-
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), null, null, null,
- "SystemCapability", null, Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), null, null, null,
- "DomainCapability", null, Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1), null, null, null,
- "DomainResourceCapability", null, Permission.Allow, false);
-
- // add permissions for public templates
- List<VMTemplateVO> pTmplts = _templateDao.listByPublic();
- for (VMTemplateVO tmpl : pTmplts){
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- }
-
- for (PluggableService service : _services) {
- for (Class<?> cmdClass : service.getCommands()) {
- APICommand command = cmdClass.getAnnotation(APICommand.class);
- if (!commandsPropertiesOverrides.contains(command.name())) {
- for (RoleType role : command.authorized()) {
- addDefaultAclPolicyPermission(command.name(), cmdClass, role);
- }
- }
- }
- }
-
- // read commands.properties and load api acl permissions -
- // commands.properties overrides any @APICommand authorization
-
- for (String apiName : commandsPropertiesOverrides) {
- Class<?> cmdClass = _apiServer.getCmdClass(apiName);
- for (RoleType role : RoleType.values()) {
- if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) {
- // insert permission for this role for this api
- addDefaultAclPolicyPermission(apiName, cmdClass, role);
- }
- }
- }
-
- return super.start();
- }
-
- private Long getDefaultPolicyId(RoleType role) {
- Long policyId = null;
- switch (role) {
- case User:
- policyId = new Long(Account.ACCOUNT_TYPE_NORMAL + 1);
- break;
-
- case Admin:
- policyId = new Long(Account.ACCOUNT_TYPE_ADMIN + 1);
- break;
-
- case DomainAdmin:
- policyId = new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1);
- break;
-
- case ResourceAdmin:
- policyId = new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1);
- break;
- }
-
- return policyId;
- }
-
- private void processMapping(Map<String, String> configMap) {
- for (Map.Entry<String, String> entry : configMap.entrySet()) {
- String apiName = entry.getKey();
- String roleMask = entry.getValue();
- commandsPropertiesOverrides.add(apiName);
- try {
- short cmdPermissions = Short.parseShort(roleMask);
- for (RoleType roleType : RoleType.values()) {
- if ((cmdPermissions & roleType.getMask()) != 0)
- commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName);
- }
- } catch (NumberFormatException nfe) {
- s_logger.info("Malformed key=value pair for entry: " + entry.toString());
- }
- }
- }
-
- public List<PluggableService> getServices() {
- return _services;
- }
-
- @Inject
- public void setServices(List<PluggableService> services) {
- _services = services;
- }
-
- private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType role) {
- AccessType accessType = null;
- Class<?>[] entityTypes = null;
-
- PermissionScope permissionScope = PermissionScope.ACCOUNT;
- Long policyId = getDefaultPolicyId(role);
- switch (role) {
- case User:
- permissionScope = PermissionScope.ACCOUNT;
- break;
-
- case Admin:
- permissionScope = PermissionScope.ALL;
- break;
-
- case DomainAdmin:
- permissionScope = PermissionScope.DOMAIN;
- break;
-
- case ResourceAdmin:
- permissionScope = PermissionScope.DOMAIN;
- break;
- }
-
- boolean addAccountScopedUseEntry = false;
-
- if (cmdClass != null) {
- BaseCmd cmdObj;
- try {
- cmdObj = (BaseCmd) cmdClass.newInstance();
- if (cmdObj instanceof BaseListCmd) {
- if (permissionScope == PermissionScope.ACCOUNT) {
- accessType = AccessType.UseEntry;
- } else {
- accessType = AccessType.ListEntry;
- addAccountScopedUseEntry = true;
- }
- } else {
- accessType = AccessType.OperateEntry;
- }
- } catch (Exception e) {
- throw new CloudRuntimeException(String.format(
- "%s is claimed as an API command, but it cannot be instantiated", cmdClass.getName()));
- }
-
- APICommand at = cmdClass.getAnnotation(APICommand.class);
- entityTypes = at.entityType();
- }
-
- if (entityTypes == null || entityTypes.length == 0) {
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, permissionScope.toString(), new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
- apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false);
- if (addAccountScopedUseEntry) {
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, PermissionScope.ACCOUNT.toString(), new Long(
- IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, AccessType.UseEntry.toString(), Permission.Allow, false);
- }
- } else {
- for (Class<?> entityType : entityTypes) {
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(), permissionScope.toString(), new Long(
- IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
- apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false);
- if (addAccountScopedUseEntry) {
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(), PermissionScope.ACCOUNT.toString(), new Long(
- IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, AccessType.UseEntry.toString(), Permission.Allow, false);
- }
- }
- }
-
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
deleted file mode 100644
index ce9d975..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ /dev/null
@@ -1,329 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.ControlledEntity;
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.InternalIdentity;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMService;
-
-import com.cloud.acl.DomainChecker;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.user.Account;
-import com.cloud.user.AccountService;
-
-public class RoleBasedEntityAccessChecker extends DomainChecker implements SecurityChecker {
-
- private static final Logger s_logger = Logger.getLogger(RoleBasedEntityAccessChecker.class.getName());
-
- @Inject
- AccountService _accountService;
-
- @Inject DomainDao _domainDao;
-
- @Inject
- IAMService _iamSrv;
-
-
- @Override
- public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
- throws PermissionDeniedException {
- return checkAccess(caller, entity, accessType, null);
- }
-
- private String buildAccessCacheKey(Account caller, ControlledEntity entity, AccessType accessType, String action) {
- StringBuffer key = new StringBuffer();
- key.append(caller.getAccountId());
- key.append("-");
- String entityType = null;
- if (entity != null && entity.getEntityType() != null) {
- entityType = entity.getEntityType().getSimpleName();
- if (entity instanceof InternalIdentity) {
- entityType += ((InternalIdentity)entity).getId();
- }
- }
- key.append(entityType != null ? entityType : "null");
- key.append("-");
- key.append(accessType != null ? accessType.toString() : "null");
- key.append("-");
- key.append(action != null ? action : "null");
- return key.toString();
- }
-
- @Override
- public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
- throws PermissionDeniedException {
-
- if (caller == null) {
- throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!");
- }
-
- if (entity == null && action == null) {
- throw new InvalidParameterValueException("Entity and action cannot be both NULL in checkAccess!");
- }
-
- // check IAM cache first
- String accessKey = buildAccessCacheKey(caller, entity, accessType, action);
- CheckAccessResult allowDeny = (CheckAccessResult)_iamSrv.getFromIAMCache(accessKey);
- if (allowDeny != null) {
- s_logger.debug("IAM access check for " + accessKey + " from cache: " + allowDeny.isAllow());
- if (allowDeny.isAllow()) {
- return true;
- } else {
- if (allowDeny.getDenyMsg() != null) {
- throw new PermissionDeniedException(allowDeny.getDenyMsg());
- } else {
- return false;
- }
- }
- }
-
- if (entity == null && action != null) {
- // check if caller can do this action
- List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());
-
- boolean isAllowed = _iamSrv.isActionAllowedForPolicies(action, policies);
- if (!isAllowed) {
- String msg = "The action '" + action + "' not allowed for account " + caller;
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
- throw new PermissionDeniedException(msg);
- }
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
- return true;
- }
-
-
- // if a Project entity, skip
- Account entityAccount = _accountService.getAccount(entity.getAccountId());
- if (entityAccount != null && entityAccount.getType() == Account.ACCOUNT_TYPE_PROJECT) {
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
- return false;
- }
-
- String entityType = null;
- if (entity.getEntityType() != null) {
- entityType = entity.getEntityType().getSimpleName();
- }
-
- if (accessType == null) {
- accessType = AccessType.UseEntry;
- }
-
- // get all Policies of this caller by considering recursive domain group policy
- List<IAMPolicy> policies = getEffectivePolicies(caller);
- HashMap<IAMPolicy, Boolean> policyPermissionMap = new HashMap<IAMPolicy, Boolean>();
-
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> permissions = new ArrayList<IAMPolicyPermission>();
-
- if (action != null) {
- permissions = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action, entityType);
- if (permissions.isEmpty()) {
- if (accessType != null) {
- for (AccessType type : AccessType.values()) {
- if (type.ordinal() >= accessType.ordinal()) {
- permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
- type.toString(), entityType));
- }
- }
- }
- }
- } else {
- if (accessType != null) {
- for (AccessType type : AccessType.values()) {
- if (type.ordinal() >= accessType.ordinal()) {
- permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
- type.toString(), entityType));
- }
- }
- }
- }
- for (IAMPolicyPermission permission : permissions) {
- if (checkPermissionScope(caller, permission.getScope(), permission.getScopeId(), entity)) {
- if (permission.getEntityType().equals(entityType)) {
- policyPermissionMap.put(policy, permission.getPermission().isGranted());
- break;
- } else if (permission.getEntityType().equals("*")) {
- policyPermissionMap.put(policy, permission.getPermission().isGranted());
- }
- }
- }
- if (policyPermissionMap.containsKey(policy) && policyPermissionMap.get(policy)) {
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
- return true;
- }
- }
-
- if (!policies.isEmpty()) { // Since we reach this point, none of the
- // roles granted access
-
- String msg = "Account " + caller + " does not have permission to access resource " + entity
- + " for access type: " + accessType;
- if (s_logger.isDebugEnabled()) {
- s_logger.debug(msg);
- }
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
- throw new PermissionDeniedException(msg);
- }
-
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
- return false;
- }
-
- @Override
- public boolean checkAccess(Account caller, AccessType accessType, String action, ControlledEntity... entities)
- throws PermissionDeniedException {
-
- // operate access on multiple entities?
- if (accessType != null && accessType == AccessType.OperateEntry) {
- // In this case caller MUST own n-1 entities.
-
- for (ControlledEntity entity : entities) {
- checkAccess(caller, entity, accessType, action);
-
- boolean otherEntitiesAccess = true;
-
- for (ControlledEntity otherEntity : entities) {
- if (otherEntity.getAccountId() == caller.getAccountId()
- || (checkAccess(caller, otherEntity, accessType, action) && otherEntity.getAccountId() == entity
- .getAccountId())) {
- continue;
- } else {
- otherEntitiesAccess = false;
- break;
- }
- }
-
- if (otherEntitiesAccess) {
- return true;
- }
- }
-
- throw new PermissionDeniedException(caller
- + " does not have permission to perform this operation on these resources");
-
- } else {
- for (ControlledEntity entity : entities) {
- if (!checkAccess(caller, entity, accessType, action)) {
- return false;
- }
- }
- return true;
- }
- }
-
- private boolean checkPermissionScope(Account caller, String scope, Long scopeId, ControlledEntity entity) {
-
- if(scopeId != null && !scopeId.equals(new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))){
- //scopeId is set
- if (scope.equals(PermissionScope.ACCOUNT.name())) {
- if(scopeId == entity.getAccountId()){
- return true;
- }
- } else if (scope.equals(PermissionScope.DOMAIN.name())) {
- if (_domainDao.isChildDomain(scopeId, entity.getDomainId())) {
- return true;
- }
- } else if (scope.equals(PermissionScope.RESOURCE.name())) {
- if (entity instanceof InternalIdentity) {
- InternalIdentity entityWithId = (InternalIdentity) entity;
- if(scopeId.equals(entityWithId.getId())){
- return true;
- }
- }
- }
- } else if (scopeId == null || scopeId.equals(new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))) {
- if (scope.equals(PermissionScope.ACCOUNT.name())) {
- if(caller.getAccountId() == entity.getAccountId()){
- return true;
- }
- } else if (scope.equals(PermissionScope.DOMAIN.name())) {
- if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
- return true;
- }
- }
- }
- return false;
- }
-
- private List<IAMPolicy> getEffectivePolicies(Account caller) {
-
- List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getId());
-
- List<IAMGroup> groups = _iamSrv.listIAMGroups(caller.getId());
- for (IAMGroup group : groups) {
- // for each group find the grand parent groups.
- List<IAMGroup> parentGroups = _iamSrv.listParentIAMGroups(group.getId());
- for (IAMGroup parentGroup : parentGroups) {
- policies.addAll(_iamSrv.listRecursiveIAMPoliciesByGroup(parentGroup.getId()));
- }
- }
-
- return policies;
- }
-
- private class CheckAccessResult {
- boolean allow;
- String denyMsg;
-
- public CheckAccessResult(boolean aw) {
- this(aw, null);
- }
-
- public CheckAccessResult(String msg) {
- this(false, msg);
- }
-
- public CheckAccessResult(boolean aw, String msg) {
- allow = aw;
- denyMsg = msg;
- }
-
- public boolean isAllow() {
- return allow;
- }
-
- public void setAllow(boolean aw) {
- allow = aw;
- }
-
-
- public String getDenyMsg() {
- return denyMsg;
- }
-
- public void setDenyMsg(String denyMsg) {
- this.denyMsg = denyMsg;
- }
-
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
deleted file mode 100644
index a9be17a..0000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
+++ /dev/null
@@ -1,188 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.QuerySelector;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMService;
-
-import com.cloud.domain.DomainVO;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.user.Account;
-import com.cloud.utils.component.AdapterBase;
-
-public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
-
- private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
-
- @Inject
- IAMService _iamService;
- @Inject
- DomainDao _domainDao;
-
- @Override
- public List<Long> getAuthorizedDomains(Account caller, String action, AccessType accessType) {
- long accountId = caller.getAccountId();
- if (accessType == null) {
- accessType = AccessType.UseEntry; // default always show resources authorized to use
- }
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
- // for each policy, find granted permission with Domain scope
- List<Long> domainIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
- pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
- PermissionScope.DOMAIN.toString(), accessType.toString()));
-
- if (pp != null) {
- for (IAMPolicyPermission p : pp) {
- if (p.getScopeId() != null) {
- Long domainId = null;
- if (p.getScopeId().longValue() == -1) {
- domainId = caller.getDomainId();
- //domainIds.add(caller.getDomainId());
- } else {
- domainId = p.getScopeId();
- //domainIds.add(p.getScopeId());
- }
- //domainIds.add(domainId);
- // add all the domain children from this domain (including this domain itself). Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that
- // the whole domain tree is granted access.
- DomainVO domain = _domainDao.findById(domainId);
- List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath());
- if (childDomains != null && childDomains.size() > 0) {
- domainIds.addAll(childDomains);
- }
-
- }
- }
- }
- }
- return domainIds;
- }
-
- @Override
- public List<Long> getAuthorizedAccounts(Account caller, String action, AccessType accessType) {
- long accountId = caller.getAccountId();
- if (accessType == null) {
- accessType = AccessType.UseEntry; // default always show resources authorized to use
- }
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
- // for each policy, find granted permission with Account scope
- List<Long> accountIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
- pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
- PermissionScope.ACCOUNT.toString(), accessType.toString()));
-
- if (pp != null) {
- for (IAMPolicyPermission p : pp) {
- if (p.getScopeId() != null) {
- if (p.getScopeId().longValue() == -1) {
- accountIds.add(caller.getId());
- } else {
- accountIds.add(p.getScopeId());
- }
- }
- }
- }
- }
- return accountIds;
- }
-
- @Override
- public List<Long> getAuthorizedResources(Account caller, String action, AccessType accessType) {
- long accountId = caller.getAccountId();
- if (accessType == null) {
- accessType = AccessType.UseEntry; // default always show resources authorized to use
- }
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
-
- // add the policies that grant recursive access
- List<IAMGroup> groups = _iamService.listIAMGroups(caller.getId());
- for (IAMGroup group : groups) {
- // for each group find the grand parent groups.
- List<IAMGroup> parentGroups = _iamService.listParentIAMGroups(group.getId());
- for (IAMGroup parentGroup : parentGroups) {
- policies.addAll(_iamService.listRecursiveIAMPoliciesByGroup(parentGroup.getId()));
- }
- }
-
- // for each policy, find granted permission with Resource scope
- List<Long> entityIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
- pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
- PermissionScope.RESOURCE.toString(), accessType.toString()));
-
- if (pp != null) {
- for (IAMPolicyPermission p : pp) {
- if (p.getScopeId() != null) {
- entityIds.add(p.getScopeId());
- }
- }
- }
- }
- return entityIds;
- }
-
- @Override
- public boolean isGrantedAll(Account caller, String action, AccessType accessType) {
- long accountId = caller.getAccountId();
- if (accessType == null) {
- accessType = AccessType.UseEntry; // default always show resources authorized to use
- }
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
- // for each policy, find granted permission with ALL scope
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
- pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ALL.toString(),
- accessType.toString()));
- if (pp != null && pp.size() > 0) {
- return true;
- }
- }
- return false;
- }
-
- @Override
- public List<String> listAclGroupsByAccount(long accountId) {
- List<IAMGroup> groups = _iamService.listIAMGroups(accountId);
- List<String> groupNames = new ArrayList<String>();
- for (IAMGroup grp : groups) {
- groupNames.add(grp.getName());
- }
- return groupNames;
- }
-
-}
-
diff --git a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties b/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties
deleted file mode 100644
index c87480d..0000000
--- a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties
+++ /dev/null
@@ -1,18 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-name=iam-access-checkers
-parent=api
\ No newline at end of file
diff --git a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml b/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml
deleted file mode 100644
index 87e8c94..0000000
--- a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:aop="http://www.springframework.org/schema/aop"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context.xsd"
- >
-
- <bean id="RoleBasedAPIAccessChecker" class="org.apache.cloudstack.iam.RoleBasedAPIAccessChecker" />
- <bean id="RoleBasedEntityAccessChecker" class="org.apache.cloudstack.iam.RoleBasedEntityAccessChecker" />
- <bean id="RoleBasedEntityQuerySelector" class="org.apache.cloudstack.iam.RoleBasedEntityQuerySelector" />
- <bean id="IAMApiServiceImpl" class="org.apache.cloudstack.iam.IAMApiServiceImpl" />
-
-</beans>
diff --git a/services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java b/services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
deleted file mode 100644
index 84e1e56..0000000
--- a/services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
+++ /dev/null
@@ -1,385 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.test;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.doNothing;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.UUID;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mockito;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.ComponentScan.Filter;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.FilterType;
-import org.springframework.core.type.classreading.MetadataReader;
-import org.springframework.core.type.classreading.MetadataReaderFactory;
-import org.springframework.core.type.filter.TypeFilter;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-import org.springframework.test.context.support.AnnotationConfigContextLoader;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.command.user.vm.ListVMsCmd;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPermissionResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.framework.messagebus.MessageBus;
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.iam.IAMApiServiceImpl;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.api.IAMService;
-import org.apache.cloudstack.iam.server.IAMGroupVO;
-import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO;
-import org.apache.cloudstack.iam.server.IAMPolicyVO;
-import org.apache.cloudstack.test.utils.SpringUtils;
-
-import com.cloud.api.ApiServerService;
-import com.cloud.domain.DomainVO;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.network.dao.NetworkDomainDao;
-import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
-import com.cloud.user.AccountVO;
-import com.cloud.user.UserVO;
-import com.cloud.user.dao.AccountDao;
-import com.cloud.utils.Pair;
-import com.cloud.utils.component.ComponentContext;
-import com.cloud.utils.db.EntityManager;
-import com.cloud.vm.VirtualMachine;
-
-@RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
-public class IAMApiServiceTest {
-
- @Inject
- IAMService _iamSrv;
-
- @Inject
- DomainDao _domainDao;
-
- @Inject
- IAMApiService _aclSrv;
-
- @Inject
- AccountManager _accountMgr;
-
- @Inject
- AccountDao _accountDao;
-
- @Inject
- ApiServerService _apiServer;
-
- private static Account caller;
- private static Long callerId;
- private static String callerAccountName = "tester";
- private static Long callerDomainId = 3L;
- private static String callerDomainPath = "/root/testdomain";
- private static DomainVO callerDomain;
-
- @BeforeClass
- public static void setUpClass() throws ConfigurationException {
- }
-
- @Before
- public void setUp() {
- ComponentContext.initComponentsLifeCycle();
- caller = new AccountVO(callerAccountName, callerDomainId, null, Account.ACCOUNT_TYPE_ADMIN, UUID.randomUUID().toString());
- callerId = caller.getId();
- callerDomain = new DomainVO();
- callerDomain.setPath(callerDomainPath);
- UserVO user = new UserVO(1, "testuser", "password", "firstname", "lastName", "email", "timezone", UUID.randomUUID().toString());
- CallContext.register(user, caller);
-
- when(_domainDao.findById(callerDomainId)).thenReturn(callerDomain);
- doNothing().when(_accountMgr).checkAccess(caller, callerDomain);
- }
-
- @Test
- public void createIAMGroupTest() {
- IAMGroup group = new IAMGroupVO("group1", "tester group1");
- List<IAMGroup> groups = new ArrayList<IAMGroup>();
- groups.add(group);
- Pair<List<IAMGroup>, Integer> grpList = new Pair<List<IAMGroup>, Integer>(groups, 1);
- when(_iamSrv.createIAMGroup("group1", "tester group1", callerDomainPath)).thenReturn(group);
- when(_iamSrv.listIAMGroups(null, null, callerDomainPath, 0L, 20L)).thenReturn(grpList);
-
- IAMGroup createdGrp = _aclSrv.createIAMGroup(caller, "group1", "tester group1");
- assertNotNull("IAM group 'group1' failed to create ", createdGrp);
- ListResponse<IAMGroupResponse> grpResp = _aclSrv.listIAMGroups(null, null, callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- IAMGroupResponse resp = grpResp.getResponses().get(0);
- assertEquals("Error in created group name", "group1", resp.getName());
- }
-
- @Test
- public void deleteIAMGroupTest() {
- when(_iamSrv.deleteIAMGroup(1L)).thenReturn(true);
- assertTrue("failed to delete acl group 1", _aclSrv.deleteIAMGroup(1L));
- }
-
- @Test
- public void listIAMGroupTest() {
- IAMGroup group = new IAMGroupVO("group1", "tester group1");
- List<IAMGroup> groups = new ArrayList<IAMGroup>();
- groups.add(group);
- when(_iamSrv.listIAMGroups(callerId)).thenReturn(groups);
- List<IAMGroup> grps = _aclSrv.listIAMGroups(callerId);
- assertTrue(grps != null && grps.size() == 1);
- IAMGroup grp = grps.get(0);
- assertEquals("Error to retrieve group", "group1", grp.getName());
- }
-
- @Test
- public void addRemoveAccountToGroupTest() {
- IAMGroup group = new IAMGroupVO("group1", "tester group1");
- List<IAMGroup> groups = new ArrayList<IAMGroup>();
- groups.add(group);
- Long groupId = group.getId();
- List<Long> acctIds = new ArrayList<Long>();
- AccountVO acct1 = new AccountVO(100L);
- acct1.setAccountName("account1");
- AccountVO acct2 = new AccountVO(200L);
- acct2.setAccountName("account2");
- acctIds.add(acct1.getId());
- acctIds.add(acct2.getId());
- when(_accountDao.findById(acct1.getId())).thenReturn(acct1);
- when(_accountDao.findById(acct2.getId())).thenReturn(acct2);
- when(_iamSrv.addAccountsToGroup(acctIds, groupId)).thenReturn(group);
- when(_iamSrv.listAccountsByGroup(groupId)).thenReturn(acctIds);
- Pair<List<IAMGroup>, Integer> grpList = new Pair<List<IAMGroup>, Integer>(groups, 1);
- when(_iamSrv.listIAMGroups(null, "group1", callerDomainPath, 0L, 20L)).thenReturn(grpList);
- _aclSrv.addAccountsToGroup(acctIds, groupId);
- ListResponse<IAMGroupResponse> grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- IAMGroupResponse resp = grpResp.getResponses().get(0);
- Set<String> acctNames = resp.getAccountNameList();
- assertEquals("There should be 2 accounts in the group", 2, acctNames.size());
- assertTrue("account1 should be assigned to the group", acctNames.contains("account1"));
- assertTrue("account2 should be assigned to the group", acctNames.contains("account2"));
- // remove "account2" from group1
- acctIds.remove(1);
- List<Long> rmAccts = new ArrayList<Long>();
- rmAccts.add(acct2.getId());
- when(_iamSrv.removeAccountsFromGroup(rmAccts, groupId)).thenReturn(group);
- _aclSrv.removeAccountsFromGroup(acctIds, groupId);
- grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- resp = grpResp.getResponses().get(0);
- acctNames = resp.getAccountNameList();
- assertEquals("There should be 1 accounts in the group", 1, acctNames.size());
- assertFalse("account2 should not belong to the group anymore", acctNames.contains("account2"));
- }
-
- @Test
- public void createIAMPolicyTest() {
- IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
- List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
- policies.add(policy);
- Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
- when(_iamSrv.createIAMPolicy("policy1", "tester policy1", null, callerDomainPath)).thenReturn(policy);
- when(_iamSrv.listIAMPolicies(null, null, callerDomainPath, 0L, 20L)).thenReturn(policyList);
-
- IAMPolicy createdPolicy = _aclSrv.createIAMPolicy(caller, "policy1", "tester policy1", null);
- assertNotNull("IAM policy 'policy1' failed to create ", createdPolicy);
- ListResponse<IAMPolicyResponse> policyResp = _aclSrv.listIAMPolicies(null, null, callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", policyResp.getCount() == 1);
- IAMPolicyResponse resp = policyResp.getResponses().get(0);
- assertEquals("Error in created group name", "policy1", resp.getName());
- }
-
- @Test
- public void deleteIAMPolicyTest() {
- when(_iamSrv.deleteIAMPolicy(1L)).thenReturn(true);
- assertTrue("failed to delete acl policy 1", _aclSrv.deleteIAMPolicy(1L));
- }
-
- @Test
- public void listIAMPolicyTest() {
- IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
- List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
- policies.add(policy);
- when(_iamSrv.listIAMPolicies(callerId)).thenReturn(policies);
- List<IAMPolicy> polys = _aclSrv.listIAMPolicies(callerId);
- assertTrue(polys != null && polys.size() == 1);
- IAMPolicy p = polys.get(0);
- assertEquals("Error to retrieve group", "policy1", p.getName());
- }
-
- @Test
- public void addRemovePolicyToGroupTest() {
- IAMGroup group = new IAMGroupVO("group1", "tester group1");
- List<IAMGroup> groups = new ArrayList<IAMGroup>();
- groups.add(group);
- Long groupId = group.getId();
- List<Long> policyIds = new ArrayList<Long>();
- policyIds.add(100L);
- policyIds.add(200L);
- IAMPolicy policy1 = new IAMPolicyVO("policy1", "my first policy");
- IAMPolicy policy2 = new IAMPolicyVO("policy2", "my second policy");
- List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
- policies.add(policy1);
- policies.add(policy2);
- when(_iamSrv.attachIAMPoliciesToGroup(policyIds, groupId)).thenReturn(group);
- when(_iamSrv.listIAMPoliciesByGroup(groupId)).thenReturn(policies);
- Pair<List<IAMGroup>, Integer> grpList = new Pair<List<IAMGroup>, Integer>(groups, 1);
- when(_iamSrv.listIAMGroups(null, "group1", callerDomainPath, 0L, 20L)).thenReturn(grpList);
- _aclSrv.attachIAMPoliciesToGroup(policyIds, groupId);
- ListResponse<IAMGroupResponse> grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- IAMGroupResponse resp = grpResp.getResponses().get(0);
- Set<String> policyNames = resp.getPolicyList();
- assertEquals("There should be 2 policies in the group", 2, policyNames.size());
- assertTrue("policy1 should be assigned to the group", policyNames.contains("policy1"));
- assertTrue("policy2 should be assigned to the group", policyNames.contains("policy2"));
- // remove "policy2" from group1
- policyIds.remove(1);
- policies.remove(policy2);
- when(_iamSrv.removeIAMPoliciesFromGroup(policyIds, groupId)).thenReturn(group);
- _aclSrv.removeIAMPoliciesFromGroup(policyIds, groupId);
- grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- resp = grpResp.getResponses().get(0);
- policyNames = resp.getPolicyList();
- assertEquals("There should be 1 policy attached to the group", 1, policyNames.size());
- assertFalse("policy2 should not belong to the group anymore", policyNames.contains("policy2"));
- }
-
- @Test
- public void addRemovePermissionToPolicyTest() {
- IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
- List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
- policies.add(policy);
- Long policyId = policy.getId();
- Long resId = 200L;
- Class clz = ListVMsCmd.class;
- when(_apiServer.getCmdClass("listVirtualMachines")).thenReturn(clz);
- when(
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines",
- AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy);
- _aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
- PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false, false);
- Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
- List<IAMPolicyPermission> policyPerms = new ArrayList<IAMPolicyPermission>();
- IAMPolicyPermission perm = new IAMPolicyPermissionVO(policyId, "listVirtualMachines",
- VirtualMachine.class.getSimpleName(), AccessType.UseEntry.toString(),
- PermissionScope.RESOURCE.toString(),
- resId, Permission.Allow, false);
- policyPerms.add(perm);
- when(_iamSrv.listIAMPolicies(null, "policy1", callerDomainPath, 0L, 20L)).thenReturn(policyList);
- when(_iamSrv.listPolicyPermissions(policyId)).thenReturn(policyPerms);
- ListResponse<IAMPolicyResponse> policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", policyResp.getCount() == 1);
- IAMPolicyResponse resp = policyResp.getResponses().get(0);
- Set<IAMPermissionResponse> permList = resp.getPermissionList();
- assertTrue("Permission list should not be empty", permList != null && permList.size() > 0);
- IAMPermissionResponse permResp = permList.iterator().next();
- assertEquals("There should be one permission for listVirtualMachines", "listVirtualMachines", permResp.getAction());
-
- //remove permission from policy
- policyPerms.remove(perm);
- _aclSrv.removeIAMPermissionFromIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
- PermissionScope.RESOURCE, resId, "listVirtualMachines");
- policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", policyResp.getCount() == 1);
- resp = policyResp.getResponses().get(0);
- permList = resp.getPermissionList();
- assertTrue("Permission list should be empty", permList != null && permList.size() == 0);
- }
-
- @After
- public void tearDown() {
- }
-
- @Configuration
- @ComponentScan(basePackageClasses = {IAMApiServiceImpl.class}, includeFilters = {@Filter(value = TestConfiguration.Library.class, type = FilterType.CUSTOM)}, useDefaultFilters = false)
- public static class TestConfiguration extends SpringUtils.CloudStackTestConfiguration {
-
- @Bean
- public DomainDao domainDao() {
- return Mockito.mock(DomainDao.class);
- }
-
- @Bean
- public IAMService iamService() {
- return Mockito.mock(IAMService.class);
- }
-
- @Bean
- public AccountDao accountDao() {
- return Mockito.mock(AccountDao.class);
- }
-
- @Bean
- public NetworkDomainDao networkDomainDao() {
- return Mockito.mock(NetworkDomainDao.class);
- }
-
- @Bean
- public AccountManager accountManager() {
- return Mockito.mock(AccountManager.class);
- }
-
- @Bean
- public MessageBus messageBus() {
- return Mockito.mock(MessageBus.class);
- }
-
- @Bean
- public EntityManager entityMgr() {
- return Mockito.mock(EntityManager.class);
- }
-
- @Bean
- public ApiServerService apiServerService() {
- return Mockito.mock(ApiServerService.class);
- }
-
- public static class Library implements TypeFilter {
-
- @Override
- public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException {
- ComponentScan cs = TestConfiguration.class.getAnnotation(ComponentScan.class);
- return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs);
- }
- }
- }
-}
diff --git a/services/iam/plugin/src/test/resources/db.properties b/services/iam/plugin/src/test/resources/db.properties
deleted file mode 100644
index fc2fb33..0000000
--- a/services/iam/plugin/src/test/resources/db.properties
+++ /dev/null
@@ -1,73 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-
-# management server clustering parameters, change cluster.node.IP to the machine IP address
-# in which the management server is running
-cluster.node.IP=127.0.0.1
-cluster.servlet.port=9090
-region.id=1
-
-# CloudStack database settings
-db.cloud.username=cloud
-db.cloud.password=cloud
-db.root.password=
-db.cloud.host=localhost
-db.cloud.driver=jdbc:mysql
-db.cloud.port=3306
-db.cloud.name=cloud
-
-# CloudStack database tuning parameters
-db.cloud.maxActive=250
-db.cloud.maxIdle=30
-db.cloud.maxWait=10000
-db.cloud.autoReconnect=true
-db.cloud.validationQuery=SELECT 1
-db.cloud.testOnBorrow=true
-db.cloud.testWhileIdle=true
-db.cloud.timeBetweenEvictionRunsMillis=40000
-db.cloud.minEvictableIdleTimeMillis=240000
-db.cloud.poolPreparedStatements=false
-db.cloud.url.params=prepStmtCacheSize=517&cachePrepStmts=true&prepStmtCacheSqlLimit=4096
-
-# usage database settings
-db.usage.username=cloud
-db.usage.password=cloud
-db.usage.host=localhost
-# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
-db.usage.driver=jdbc:mysql
-db.usage.port=3306
-db.usage.name=cloud_usage
-
-# usage database tuning parameters
-db.usage.maxActive=100
-db.usage.maxIdle=30
-db.usage.maxWait=10000
-db.usage.autoReconnect=true
-
-# Simulator database settings
-db.simulator.username=cloud
-db.simulator.password=cloud
-db.simulator.host=localhost
-# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
-db.simulator.driver=jdbc:mysql
-db.simulator.port=3306
-db.simulator.name=simulator
-db.simulator.maxActive=250
-db.simulator.maxIdle=30
-db.simulator.maxWait=10000
-db.simulator.autoReconnect=true
diff --git a/services/iam/pom.xml b/services/iam/pom.xml
deleted file mode 100644
index 2d0baed..0000000
--- a/services/iam/pom.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <artifactId>cloudstack-service-iam</artifactId>
- <name>Apache CloudStack IAM Service</name>
- <packaging>pom</packaging>
- <parent>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloudstack-services</artifactId>
- <version>4.7.0-SNAPSHOT</version>
- <relativePath>../pom.xml</relativePath>
- </parent>
- <build>
- <defaultGoal>install</defaultGoal>
- </build>
- <modules>
- <module>plugin</module>
- <module>server</module>
- </modules>
-<!--
- <dependencies>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-utils</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- <type>test-jar</type>
- <scope>test</scope>
- </dependency>
- </dependencies>
--->
-</project>
diff --git a/services/iam/server/pom.xml b/services/iam/server/pom.xml
deleted file mode 100644
index 15840a8..0000000
--- a/services/iam/server/pom.xml
+++ /dev/null
@@ -1,57 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <artifactId>cloud-iam</artifactId>
- <name>Apache CloudStack IAM - Server</name>
- <parent>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloudstack-service-iam</artifactId>
- <version>4.12.0.0-SNAPSHOT</version>
- <relativePath>../pom.xml</relativePath>
- </parent>
- <dependencies>
- <dependency>
- <groupId>commons-io</groupId>
- <artifactId>commons-io</artifactId>
- </dependency>
- <dependency>
- <groupId>net.sf.ehcache</groupId>
- <artifactId>ehcache-core</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-utils</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- <type>test-jar</type>
- <scope>test</scope>
- </dependency>
- </dependencies>
-</project>
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java
deleted file mode 100644
index 868d0a0..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java
+++ /dev/null
@@ -1,37 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.api;
-
-import org.apache.cloudstack.api.Identity;
-import org.apache.cloudstack.api.InternalIdentity;
-
-public interface IAMGroup extends InternalIdentity, Identity {
-
- String getName();
-
- String getDescription();
-
- @Override
- long getId();
-
- @Override
- String getUuid();
-
- String getPath();
-
- long getAccountId();
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java
deleted file mode 100644
index e6daeb1..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java
+++ /dev/null
@@ -1,41 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.api;
-
-import org.apache.cloudstack.api.Identity;
-import org.apache.cloudstack.api.InternalIdentity;
-
-public interface IAMPolicy extends InternalIdentity, Identity {
-
- String getName();
-
- String getDescription();
-
- public enum PolicyType {
- Static, Dynamic
- }
-
- @Override
- long getId();
-
- @Override
- String getUuid();
-
- String getPath();
-
- long getAccountId();
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
deleted file mode 100644
index b91086f..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
+++ /dev/null
@@ -1,53 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.api;
-
-
-public interface IAMPolicyPermission {
-
- String getAction();
-
- long getAclPolicyId();
-
- String getEntityType();
-
- String getAccessType();
-
- String getScope();
-
- Long getScopeId();
-
- Permission getPermission();
-
- public enum Permission {
- Allow(true), Deny(false);
-
- boolean result;
-
- Permission(boolean result) {
- this.result = result;
- }
-
- public boolean isGranted() {
- return result;
- }
- }
-
- long getId();
-
- public static final long PERMISSION_SCOPE_ID_CURRENT_CALLER = -1;
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java
deleted file mode 100644
index 3a470ee..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java
+++ /dev/null
@@ -1,99 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.api;
-
-import java.util.List;
-
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-
-import com.cloud.utils.Pair;
-
-public interface IAMService {
-
- /* IAM group related interfaces */
- IAMGroup createIAMGroup(String iamGroupName, String description, String path);
-
- boolean deleteIAMGroup(Long iamGroupId);
-
- List<IAMGroup> listIAMGroups(long accountId);
-
- IAMGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
-
- IAMGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
-
- List<Long> listAccountsByGroup(long groupId);
-
- Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize);
-
- /* IAM Policy related interfaces */
- IAMPolicy createIAMPolicy(String iamPolicyName, String description, Long parentPolicyId, String path);
-
- boolean deleteIAMPolicy(long iamPolicyId);
-
- List<IAMPolicy> listIAMPolicies(long accountId);
-
- List<IAMPolicy> listIAMPoliciesByGroup(long groupId);
-
- Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize);
-
- IAMGroup attachIAMPoliciesToGroup(List<Long> policyIds, Long groupId);
-
- IAMGroup removeIAMPoliciesFromGroup(List<Long> policyIds, Long groupId);
-
- void attachIAMPolicyToAccounts(Long policyId, List<Long> acctIds);
-
- void removeIAMPolicyFromAccounts(Long policyId, List<Long> acctIds);
-
- IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
- String action, String accessType, Permission perm, Boolean recursive);
-
- IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
- String action);
-
- void removeIAMPermissionForEntity(final String entityType, final Long entityId);
-
- IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action);
-
- IAMPolicy getResourceOwnerPolicy();
-
- List<IAMPolicyPermission> listPolicyPermissions(long policyId);
-
- List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope, String accessType);
-
- List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action, String entityType);
-
- boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies);
-
- List<Long> getGrantedEntities(long accountId, String action, String scope);
-
- IAMPolicy resetIAMPolicy(long iamPolicyId);
-
- List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
- String entityType);
-
- List<IAMGroup> listParentIAMGroups(long groupId);
-
- List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId);
-
- /* Interface used for cache IAM checkAccess result */
- void addToIAMCache(Object accessKey, Object allowDeny);
-
- Object getFromIAMCache(Object accessKey);
-
- void invalidateIAMCache();
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
deleted file mode 100644
index 18f085a..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
+++ /dev/null
@@ -1,77 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_account_policy_map"))
-public class IAMAccountPolicyMapVO {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private Long id;
-
- @Column(name = "account_id")
- private long accountId;
-
- @Column(name = "policy_id")
- private long iamPolicyId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMAccountPolicyMapVO() {
- }
-
- public IAMAccountPolicyMapVO(long accountId, long iamPolicyId) {
- this.accountId = accountId;
- this.iamPolicyId = iamPolicyId;
- }
-
- public long getId() {
- return id;
- }
-
- public long getAccountId() {
- return accountId;
- }
-
- public long getIamPolicyId() {
- return iamPolicyId;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
deleted file mode 100644
index dac7d35..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
+++ /dev/null
@@ -1,78 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_group_account_map"))
-public class IAMGroupAccountMapVO {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private Long id;
-
- @Column(name = "group_id")
- private long aclGroupId;
-
- @Column(name = "account_id")
- private long accountId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMGroupAccountMapVO() {
- }
-
- public IAMGroupAccountMapVO(long aclGroupId, long accountId) {
- this.aclGroupId = aclGroupId;
- this.accountId = accountId;
- }
-
- public long getId() {
- return id;
- }
-
- public long getAclGroupId() {
- return aclGroupId;
- }
-
-
- public long getAccountId() {
- return accountId;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
deleted file mode 100644
index 946d1f7..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
+++ /dev/null
@@ -1,79 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_group_policy_map"))
-public class IAMGroupPolicyMapVO {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private Long id;
-
- @Column(name = "group_id")
- private long aclGroupId;
-
- @Column(name = "policy_id")
- private long aclPolicyId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMGroupPolicyMapVO() {
- }
-
- public IAMGroupPolicyMapVO(long aclGroupId, long aclPolicyId) {
- this.aclGroupId = aclGroupId;
- this.aclPolicyId = aclPolicyId;
- }
-
- public long getId() {
- return id;
- }
-
- public long getAclGroupId() {
- return aclGroupId;
- }
-
-
- public long getAclPolicyId() {
- return aclPolicyId;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java
deleted file mode 100644
index 80edb89..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java
+++ /dev/null
@@ -1,122 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-import java.util.UUID;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_group"))
-public class IAMGroupVO implements IAMGroup {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private long id;
-
- @Column(name = "name")
- private String name;
-
- @Column(name = "description")
- private String description;
-
- @Column(name = "uuid")
- private String uuid;
-
- @Column(name = "path")
- private String path;
-
- @Column(name = "account_id")
- private long accountId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMGroupVO() {
- uuid = UUID.randomUUID().toString();
- }
-
- public IAMGroupVO(String name, String description) {
- this.name = name;
- this.description = description;
- uuid = UUID.randomUUID().toString();
- path = "/";
- }
-
- @Override
- public long getId() {
- return id;
- }
-
- @Override
- public String getName() {
- return name;
- }
-
- @Override
- public String getDescription() {
- return description;
- }
-
- @Override
- public String getPath() {
- return path;
- }
-
- public void setPath(String path) {
- this.path = path;
- }
-
- @Override
- public long getAccountId() {
- return accountId;
- }
-
- public void setAccountId(long acctId) {
- accountId = acctId;
- }
-
- @Override
- public String getUuid() {
- return uuid;
- }
-
- public void setUuid(String uuid) {
- this.uuid = uuid;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
deleted file mode 100644
index 13d6b81..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
+++ /dev/null
@@ -1,181 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_policy_permission"))
-public class IAMPolicyPermissionVO implements IAMPolicyPermission {
-
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private long id;
-
- @Column(name = "policy_id")
- private long aclPolicyId;
-
- @Column(name = "action")
- private String action;
-
- @Column(name = "resource_type")
- private String entityType;
-
- @Column(name = "access_type")
- private String accessType;
-
- @Column(name = "scope")
- private String scope;
-
- @Column(name = "scope_id")
- private Long scopeId;
-
- @Column(name = "permission")
- @Enumerated(value = EnumType.STRING)
- private Permission permission;
-
- @Column(name = "recursive")
- private Boolean recursive;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMPolicyPermissionVO() {
-
- }
-
- public IAMPolicyPermissionVO(long aclPolicyId, String action, String entityType, String accessType, String scope,
- Long scopeId, Permission permission, Boolean recursive) {
- this.aclPolicyId = aclPolicyId;
- this.action = action;
- this.entityType = entityType;
- this.accessType = accessType;
- this.scope = scope;
- this.scopeId = scopeId;
- this.permission = permission;
- this.recursive = recursive;
- }
-
- @Override
- public long getId() {
- return id;
- }
-
- @Override
- public long getAclPolicyId() {
- return aclPolicyId;
- }
-
-
- public void setAclPolicyId(long aclPolicyId) {
- this.aclPolicyId = aclPolicyId;
- }
-
- @Override
- public String getEntityType() {
- return entityType;
- }
-
- @Override
- public String getAccessType() {
- return accessType;
- }
-
-
- public void setEntityType(String entityType) {
- this.entityType = entityType;
- }
-
- public void setAccessType(String accessType) {
- this.accessType = accessType;
- }
-
- @Override
- public String getScope() {
- return scope;
- }
-
- public void setScope(String scope) {
- this.scope = scope;
- }
-
-
- @Override
- public String getAction() {
- return action;
- }
-
- @Override
- public Long getScopeId() {
- // TODO
- // handle special -1 scopeId, current caller domain, account
- /*
- * if ( scopeId < 0 ){ Account caller =
- * CallContext.current().getCallingAccount(); if ( scope ==
- * PermissionScope.DOMAIN){ return caller.getDomainId(); } else if
- * (scope == PermissionScope.ACCOUNT) { return caller.getAccountId(); }
- * }
- */
- return scopeId;
- }
-
- @Override
- public Permission getPermission() {
- return permission;
- }
-
- public void setAction(String action) {
- this.action = action;
- }
-
- public void setScopeId(Long scopeId) {
- this.scopeId = scopeId;
- }
-
- public void setPermission(Permission permission) {
- this.permission = permission;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-
- public Boolean isRecursive() {
- return recursive;
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java
deleted file mode 100644
index 25ebd01..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java
+++ /dev/null
@@ -1,138 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-import java.util.UUID;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import org.apache.cloudstack.iam.api.IAMPolicy;
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_policy"))
-public class IAMPolicyVO implements IAMPolicy {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private long id;
-
- @Column(name = "name")
- private String name;
-
- @Column(name = "description")
- private String description;
-
- @Column(name = "uuid")
- private String uuid;
-
- @Column(name = "path")
- private String path;
-
- @Column(name = "account_id")
- private long accountId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- @Column(name = "policy_type")
- @Enumerated(value = EnumType.STRING)
- private IAMPolicy.PolicyType policyType;
-
- public IAMPolicyVO() {
- uuid = UUID.randomUUID().toString();
- }
-
- public IAMPolicyVO(String name, String description) {
- this.name = name;
- this.description = description;
- uuid = UUID.randomUUID().toString();
- policyType = IAMPolicy.PolicyType.Static;
- }
-
- @Override
- public long getId() {
- return id;
- }
-
- @Override
- public String getName() {
- return name;
- }
-
- @Override
- public String getDescription() {
- return description;
- }
-
-
- @Override
- public String getUuid() {
- return uuid;
- }
-
- public void setUuid(String uuid) {
- this.uuid = uuid;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-
- @Override
- public String getPath() {
- return path;
- }
-
- public void setPath(String path) {
- this.path = path;
- }
-
- @Override
- public long getAccountId() {
- return accountId;
- }
-
- public void setAccountId(long accountId) {
- this.accountId = accountId;
- }
-
- public IAMPolicy.PolicyType getPolicyType() {
- return policyType;
- }
-
- public void setPolicyType(IAMPolicy.PolicyType policyType) {
- this.policyType = policyType;
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java
deleted file mode 100644
index 4ae694b..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ /dev/null
@@ -1,904 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import net.sf.ehcache.Cache;
-import net.sf.ehcache.CacheManager;
-import net.sf.ehcache.Element;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.api.IAMService;
-import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
-import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
-
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.utils.NumbersUtil;
-import com.cloud.utils.Pair;
-import com.cloud.utils.component.Manager;
-import com.cloud.utils.component.ManagerBase;
-import com.cloud.utils.db.DB;
-import com.cloud.utils.db.EntityManager;
-import com.cloud.utils.db.Filter;
-import com.cloud.utils.db.GenericSearchBuilder;
-import com.cloud.utils.db.JoinBuilder;
-import com.cloud.utils.db.JoinBuilder.JoinType;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-import com.cloud.utils.db.SearchCriteria.Op;
-import com.cloud.utils.db.Transaction;
-import com.cloud.utils.db.TransactionCallback;
-import com.cloud.utils.db.TransactionCallbackNoReturn;
-import com.cloud.utils.db.TransactionStatus;
-
-public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
-
- public static final Logger s_logger = Logger.getLogger(IAMServiceImpl.class);
- private String _name;
-
- @Inject
- IAMPolicyDao _aclPolicyDao;
-
- @Inject
- IAMGroupDao _aclGroupDao;
-
- @Inject
- EntityManager _entityMgr;
-
- @Inject
- IAMGroupPolicyMapDao _aclGroupPolicyMapDao;
-
- @Inject
- IAMAccountPolicyMapDao _aclAccountPolicyMapDao;
-
- @Inject
- IAMGroupAccountMapDao _aclGroupAccountMapDao;
-
- @Inject
- IAMPolicyPermissionDao _policyPermissionDao;
-
- private Cache _iamCache;
-
- private void createIAMCache(final Map<String, ? extends Object> params) {
- final String value = (String)params.get("cache.size");
-
- if (value != null) {
- final CacheManager cm = CacheManager.create();
- final int maxElements = NumbersUtil.parseInt(value, 0);
- final int live = NumbersUtil.parseInt((String)params.get("cache.time.to.live"), 300);
- final int idle = NumbersUtil.parseInt((String)params.get("cache.time.to.idle"), 300);
- _iamCache = new Cache(getName(), maxElements, false, live == -1, live == -1 ? Integer.MAX_VALUE : live, idle);
- cm.addCache(_iamCache);
- s_logger.info("IAM Cache created: " + _iamCache.toString());
- } else {
- _iamCache = null;
- }
- }
-
- @Override
- public void addToIAMCache(Object accessKey, Object allowDeny) {
- if (_iamCache != null) {
- try {
- s_logger.debug("Put IAM access check for " + accessKey + " in cache");
- _iamCache.put(new Element(accessKey, allowDeny));
- } catch (final Exception e) {
- s_logger.debug("Can't put " + accessKey + " to IAM cache", e);
- }
- }
- }
-
- @Override
- public void invalidateIAMCache() {
- //This may need to use event bus to publish to other MS, but event bus now is missing this functionality to handle PublishScope.GLOBAL
- if (_iamCache != null) {
- s_logger.debug("Invalidate IAM cache");
- _iamCache.removeAll();
- }
- }
-
- @Override
- public Object getFromIAMCache(Object accessKey) {
- if (_iamCache != null) {
- final Element element = _iamCache.get(accessKey);
- return element == null ? null : element.getObjectValue();
- }
- return null;
- }
-
- @Override
- public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
- boolean result = super.configure(name, params);
- // create IAM cache
- createIAMCache(params);
- return result;
- }
-
- @DB
- @Override
- public IAMGroup createIAMGroup(String iamGroupName, String description, String path) {
- // check if the group is already existing
- IAMGroup grp = _aclGroupDao.findByName(path, iamGroupName);
- if (grp != null) {
- throw new InvalidParameterValueException(
- "Unable to create acl group with name " + iamGroupName
- + " already exists for path " + path);
- }
- IAMGroupVO rvo = new IAMGroupVO(iamGroupName, description);
- rvo.setPath(path);
-
- return _aclGroupDao.persist(rvo);
- }
-
- @DB
- @Override
- public boolean deleteIAMGroup(final Long iamGroupId) {
- // get the Acl Group entity
- final IAMGroup grp = _aclGroupDao.findById(iamGroupId);
- if (grp == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + iamGroupId
- + "; failed to delete acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove this group related entry in acl_group_policy_map
- List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
- if (groupPolicyMap != null) {
- for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
- _aclGroupPolicyMapDao.remove(gr.getId());
- }
- }
-
- // remove this group related entry in acl_group_account table
- List<IAMGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
- if (groupAcctMap != null) {
- for (IAMGroupAccountMapVO grpAcct : groupAcctMap) {
- _aclGroupAccountMapDao.remove(grpAcct.getId());
- }
- }
-
- // remove this group from acl_group table
- _aclGroupDao.remove(iamGroupId);
- }
- });
-
- invalidateIAMCache();
- return true;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMGroup> listIAMGroups(long accountId) {
-
- GenericSearchBuilder<IAMGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
- groupSB.selectFields(groupSB.entity().getAclGroupId());
- groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
- SearchCriteria<Long> groupSc = groupSB.create();
- groupSc.setParameters("account", accountId);
-
- List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
-
- if (groupIds == null || groupIds.isEmpty()) {
- return new ArrayList<IAMGroup>();
- }
- SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
- sb.and("ids", sb.entity().getId(), Op.IN);
- SearchCriteria<IAMGroupVO> sc = sb.create();
- sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
- @SuppressWarnings("rawtypes")
- List groups = _aclGroupDao.search(sc, null);
- return groups;
- }
-
- @DB
- @Override
- public IAMGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
- // get the Acl Group entity
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + groupId
- + "; failed to add accounts to acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_account_map table
- for (Long acctId : acctIds) {
- // check account permissions
- IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
- if (grMap == null) {
- // not there already
- grMap = new IAMGroupAccountMapVO(groupId, acctId);
- _aclGroupAccountMapDao.persist(grMap);
- }
- }
- }
- });
-
- invalidateIAMCache();
- return group;
- }
-
- @DB
- @Override
- public IAMGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
- // get the Acl Group entity
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + groupId
- + "; failed to remove accounts from acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove entries from acl_group_account_map table
- for (Long acctId : acctIds) {
- IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
- if (grMap != null) {
- // not removed yet
- _aclGroupAccountMapDao.remove(grMap.getId());
- }
- }
- }
- });
-
- invalidateIAMCache();
- return group;
- }
-
- @Override
- public List<Long> listAccountsByGroup(long groupId) {
- List<IAMGroupAccountMapVO> grpAcctMap = _aclGroupAccountMapDao.listByGroupId(groupId);
- if (grpAcctMap == null || grpAcctMap.size() == 0) {
- return new ArrayList<Long>();
- }
-
- List<Long> accts = new ArrayList<Long>();
- for (IAMGroupAccountMapVO grpAcct : grpAcctMap) {
- accts.add(grpAcct.getAccountId());
- }
- return accts;
- }
-
- @Override
- public Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize) {
- if (iamGroupId != null) {
- IAMGroup group = _aclGroupDao.findById(iamGroupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group by id " + iamGroupId);
- }
- }
-
- Filter searchFilter = new Filter(IAMGroupVO.class, "id", true, startIndex, pageSize);
-
- SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
- sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
- sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
- sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
-
- SearchCriteria<IAMGroupVO> sc = sb.create();
-
- if (iamGroupName != null) {
- sc.setParameters("name", iamGroupName);
- }
-
- if (iamGroupId != null) {
- sc.setParameters("id", iamGroupId);
- }
-
- sc.setParameters("path", path + "%");
-
- Pair<List<IAMGroupVO>, Integer> groups = _aclGroupDao.searchAndCount(sc, searchFilter);
- return new Pair<List<IAMGroup>, Integer>(new ArrayList<IAMGroup>(groups.first()), groups.second());
- }
-
- @Override
- public List<IAMGroup> listParentIAMGroups(long groupId) {
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group by id " + groupId);
- }
-
- String path = group.getPath();
- List<String> pathList = new ArrayList<String>();
-
- String[] parts = path.split("/");
-
- for (String part : parts) {
- int start = path.indexOf(part);
- if (start > 0) {
- String subPath = path.substring(0, start);
- pathList.add(subPath);
- }
- }
-
- if (pathList.isEmpty()) {
- return new ArrayList<IAMGroup>();
- }
-
- SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
- sb.and("paths", sb.entity().getPath(), SearchCriteria.Op.IN);
-
- SearchCriteria<IAMGroupVO> sc = sb.create();
- sc.setParameters("paths", pathList.toArray());
-
- List<IAMGroupVO> groups = _aclGroupDao.search(sc, null);
-
- return new ArrayList<IAMGroup>(groups);
-
- }
-
- @DB
- @Override
- public IAMPolicy createIAMPolicy(final String iamPolicyName, final String description, final Long parentPolicyId, final String path) {
-
- // check if the policy is already existing
- IAMPolicy ro = _aclPolicyDao.findByName(iamPolicyName);
- if (ro != null) {
- throw new InvalidParameterValueException(
- "Unable to create acl policy with name " + iamPolicyName
- + " already exists");
- }
-
- IAMPolicy role = Transaction.execute(new TransactionCallback<IAMPolicy>() {
- @Override
- public IAMPolicy doInTransaction(TransactionStatus status) {
- IAMPolicyVO rvo = new IAMPolicyVO(iamPolicyName, description);
- rvo.setPath(path);
-
- IAMPolicy role = _aclPolicyDao.persist(rvo);
- if (parentPolicyId != null) {
- // copy parent role permissions
- List<IAMPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
- if (perms != null) {
- for (IAMPolicyPermissionVO perm : perms) {
- perm.setAclPolicyId(role.getId());
- _policyPermissionDao.persist(perm);
- }
- }
- }
- return role;
- }
- });
-
-
- return role;
- }
-
- @DB
- @Override
- public boolean deleteIAMPolicy(final long iamPolicyId) {
- // get the Acl Policy entity
- final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
- + "; failed to delete acl policy.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove this policy related entry in acl_group_policy_map
- List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
- if (groupPolicyMap != null) {
- for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
- _aclGroupPolicyMapDao.remove(gr.getId());
- }
- }
-
- // remove this policy related entry in acl_account_policy_map table
- List<IAMAccountPolicyMapVO> policyAcctMap = _aclAccountPolicyMapDao.listByPolicyId(policy.getId());
- if (policyAcctMap != null) {
- for (IAMAccountPolicyMapVO policyAcct : policyAcctMap) {
- _aclAccountPolicyMapDao.remove(policyAcct.getId());
- }
- }
-
- // remove this policy related entry in acl_policy_permission table
- List<IAMPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
- if (policyPermMap != null) {
- for (IAMPolicyPermissionVO policyPerm : policyPermMap) {
- _policyPermissionDao.remove(policyPerm.getId());
- }
- }
-
- // remove this role from acl_role table
- _aclPolicyDao.remove(iamPolicyId);
- }
- });
-
- invalidateIAMCache();
-
- return true;
- }
-
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicy> listIAMPolicies(long accountId) {
-
- // static policies of the account
- SearchBuilder<IAMGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
- groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
-
- GenericSearchBuilder<IAMGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
- policySB.selectFields(policySB.entity().getAclPolicyId());
- policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
- JoinType.INNER);
- policySB.done();
- SearchCriteria<Long> policySc = policySB.create();
- policySc.setJoinParameters("accountgroupjoin", "account", accountId);
-
- List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
- // add policies directly attached to the account
- List<IAMAccountPolicyMapVO> acctPolicies = _aclAccountPolicyMapDao.listByAccountId(accountId);
- for (IAMAccountPolicyMapVO p : acctPolicies) {
- policyIds.add(p.getIamPolicyId());
- }
- if (policyIds.size() == 0) {
- return new ArrayList<IAMPolicy>();
- }
- SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
- sb.and("ids", sb.entity().getId(), Op.IN);
- SearchCriteria<IAMPolicyVO> sc = sb.create();
- sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
- @SuppressWarnings("rawtypes")
- List policies = _aclPolicyDao.customSearch(sc, null);
-
- return policies;
-
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicy> listIAMPoliciesByGroup(long groupId) {
- List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
- if (policyGrpMap == null || policyGrpMap.size() == 0) {
- return new ArrayList<IAMPolicy>();
- }
-
- List<Long> policyIds = new ArrayList<Long>();
- for (IAMGroupPolicyMapVO pg : policyGrpMap) {
- policyIds.add(pg.getAclPolicyId());
- }
-
- SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
- sb.and("ids", sb.entity().getId(), Op.IN);
- SearchCriteria<IAMPolicyVO> sc = sb.create();
- sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
- @SuppressWarnings("rawtypes")
- List policies = _aclPolicyDao.customSearch(sc, null);
-
- return policies;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId) {
- List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
- if (policyGrpMap == null || policyGrpMap.size() == 0) {
- return new ArrayList<IAMPolicy>();
- }
-
- List<Long> policyIds = new ArrayList<Long>();
- for (IAMGroupPolicyMapVO pg : policyGrpMap) {
- policyIds.add(pg.getAclPolicyId());
- }
-
- SearchBuilder<IAMPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
- permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);
-
- SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
- sb.and("ids", sb.entity().getId(), Op.IN);
- sb.join("recursivePerm", permSb, sb.entity().getId(), permSb.entity().getAclPolicyId(),
- JoinBuilder.JoinType.INNER);
-
- SearchCriteria<IAMPolicyVO> sc = sb.create();
- sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
- sc.setJoinParameters("recursivePerm", "isRecursive", true);
-
- @SuppressWarnings("rawtypes")
- List policies = _aclPolicyDao.customSearch(sc, null);
-
- return policies;
- }
-
-
- @SuppressWarnings("unchecked")
- @Override
- public Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize) {
-
- if (iamPolicyId != null) {
- IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy by id " + iamPolicyId);
- }
- }
-
- Filter searchFilter = new Filter(IAMPolicyVO.class, "id", true, startIndex, pageSize);
-
- SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
- sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
- sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
- sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
-
- SearchCriteria<IAMPolicyVO> sc = sb.create();
-
- if (iamPolicyName != null) {
- sc.setParameters("name", iamPolicyName);
- }
-
- if (iamPolicyId != null) {
- sc.setParameters("id", iamPolicyId);
- }
-
- sc.setParameters("path", path + "%");
-
- Pair<List<IAMPolicyVO>, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter);
- @SuppressWarnings("rawtypes")
- List policyList = policies.first();
- return new Pair<List<IAMPolicy>, Integer>(policyList, policies.second());
- }
-
- @DB
- @Override
- public IAMGroup attachIAMPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
- // get the Acl Group entity
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + groupId
- + "; failed to add roles to acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_policy_map table
- for (Long policyId : policyIds) {
- IAMPolicy policy = _aclPolicyDao.findById(policyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
- + "; failed to add policies to acl group.");
- }
-
- IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
- if (grMap == null) {
- // not there already
- grMap = new IAMGroupPolicyMapVO(groupId, policyId);
- _aclGroupPolicyMapDao.persist(grMap);
- }
- }
- }
- });
-
- invalidateIAMCache();
- return group;
- }
-
- @DB
- @Override
- public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
- // get the Acl Group entity
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + groupId
- + "; failed to remove roles from acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_role_map table
- for (Long policyId : policyIds) {
- IAMPolicy policy = _aclPolicyDao.findById(policyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
- + "; failed to add policies to acl group.");
- }
-
- IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
- if (grMap != null) {
- // not removed yet
- _aclGroupPolicyMapDao.remove(grMap.getId());
- }
- }
- }
- });
-
- invalidateIAMCache();
- return group;
- }
-
-
- @Override
- public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> acctIds) {
- IAMPolicy policy = _aclPolicyDao.findById(policyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
- + "; failed to add policy to account.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_policy_map table
- for (Long acctId : acctIds) {
- IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
- if (acctMap == null) {
- // not there already
- acctMap = new IAMAccountPolicyMapVO(acctId, policyId);
- _aclAccountPolicyMapDao.persist(acctMap);
- }
- }
- }
- });
-
- invalidateIAMCache();
- }
-
- @Override
- public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> acctIds) {
- IAMPolicy policy = _aclPolicyDao.findById(policyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
- + "; failed to add policy to account.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_policy_map table
- for (Long acctId : acctIds) {
- IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
- if (acctMap != null) {
- // exists
- _aclAccountPolicyMapDao.remove(acctMap.getId());
- }
- }
- }
- });
-
- invalidateIAMCache();
- }
-
- @DB
- @Override
- public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
- String action, String accessType, Permission perm, Boolean recursive) {
- // get the Acl Policy entity
- IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
- + "; failed to add permission to policy.");
- }
-
- // add entry in acl_policy_permission table
- IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope,
- scopeId, action, perm, accessType);
- if (permit == null) {
- // not there already
- permit = new IAMPolicyPermissionVO(iamPolicyId, action, entityType, accessType, scope, scopeId, perm,
- recursive);
- _policyPermissionDao.persist(permit);
- }
-
- invalidateIAMCache();
- return policy;
-
- }
-
- @DB
- @Override
- public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
- String action) {
- // get the Acl Policy entity
- IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
- + "; failed to revoke permission from policy.");
- }
- // remove entry from acl_entity_permission table
- IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope,
- scopeId, action, Permission.Allow, null);
- if (permit != null) {
- // not removed yet
- _policyPermissionDao.remove(permit.getId());
- }
-
- invalidateIAMCache();
- return policy;
- }
-
- @DB
- @Override
- public void removeIAMPermissionForEntity(final String entityType, final Long entityId) {
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove entry from acl_entity_permission table
- List<IAMPolicyPermissionVO> permitList = _policyPermissionDao.listByEntity(entityType, entityId);
- for (IAMPolicyPermissionVO permit : permitList) {
- long policyId = permit.getAclPolicyId();
- _policyPermissionDao.remove(permit.getId());
-
- // remove the policy if there are no other permissions
- if ((_policyPermissionDao.listByPolicy(policyId)).isEmpty()) {
- deleteIAMPolicy(policyId);
- }
- }
- }
- });
-
- invalidateIAMCache();
- }
-
- @DB
- @Override
- public IAMPolicy resetIAMPolicy(long iamPolicyId) {
- // get the Acl Policy entity
- IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
- + "; failed to reset the policy.");
- }
-
- SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
- sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
- sb.done();
- SearchCriteria<IAMPolicyPermissionVO> permissionSC = sb.create();
- permissionSC.setParameters("policyId", iamPolicyId);
- _policyPermissionDao.expunge(permissionSC);
-
- invalidateIAMCache();
- return policy;
- }
-
- @Override
- public boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies) {
-
- boolean allowed = false;
-
- if (policies == null || policies.size() == 0) {
- return allowed;
- }
-
- List<Long> policyIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- policyIds.add(policy.getId());
- }
-
- SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
- sb.and("action", sb.entity().getAction(), Op.EQ);
- sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
-
- SearchCriteria<IAMPolicyPermissionVO> sc = sb.create();
- sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
- sc.setParameters("action", action);
-
- List<IAMPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
-
- if (permissions != null && !permissions.isEmpty()) {
- allowed = true;
- }
-
- return allowed;
- }
-
-
- @Override
- public List<Long> getGrantedEntities(long accountId, String action, String scope) {
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = listIAMPolicies(accountId);
- // for each policy, find granted permission within the given scope
- List<Long> entityIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyActionAndScope(policy.getId(), action,
- scope, null);
- if (pp != null) {
- for (IAMPolicyPermissionVO p : pp) {
- if (p.getScopeId() != null) {
- entityIds.add(p.getScopeId());
- }
- }
- }
- }
- return entityIds;
- }
-
- @Override
- @SuppressWarnings("unchecked")
- public List<IAMPolicyPermission> listPolicyPermissions(long policyId) {
- @SuppressWarnings("rawtypes")
- List pp = _policyPermissionDao.listByPolicy(policyId);
- return pp;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope,
- String accessType) {
- @SuppressWarnings("rawtypes")
- List pp = _policyPermissionDao.listByPolicyActionAndScope(policyId, action, scope, accessType);
- return pp;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action,
- String entityType) {
- @SuppressWarnings("rawtypes")
- List pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
- return pp;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
- String entityType) {
- @SuppressWarnings("rawtypes")
- List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType);
- return pp;
- }
-
- @Override
- public IAMPolicy getResourceOwnerPolicy() {
- return _aclPolicyDao.findByName("RESOURCE_OWNER");
- }
-
- // search for policy with only one resource grant permission
- @Override
- public IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action) {
- List<IAMPolicyVO> policyList = _aclPolicyDao.listAll();
- for (IAMPolicyVO policy : policyList) {
- List<IAMPolicyPermission> pp = listPolicyPermissions(policy.getId());
- if (pp != null && pp.size() == 1) {
- // resource grant policy should only have one ACL permission assigned
- IAMPolicyPermission permit = pp.get(0);
- if (permit.getEntityType().equals(entityType) && permit.getScope().equals(PermissionScope.RESOURCE.toString())
- && permit.getScopeId().longValue() == entityId.longValue()) {
- if (accessType != null && permit.getAccessType().equals(accessType)) {
- return policy;
- } else if (action != null && permit.getAction().equals(action)) {
- return policy;
- }
- }
- }
- }
- return null;
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
deleted file mode 100644
index 0162589..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-
-import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMAccountPolicyMapDao extends GenericDao<IAMAccountPolicyMapVO, Long> {
-
- List<IAMAccountPolicyMapVO> listByAccountId(long acctId);
-
- List<IAMAccountPolicyMapVO> listByPolicyId(long policyId);
-
- IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId);
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
deleted file mode 100644
index d74e86f..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
+++ /dev/null
@@ -1,77 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-public class IAMAccountPolicyMapDaoImpl extends GenericDaoBase<IAMAccountPolicyMapVO, Long> implements IAMAccountPolicyMapDao {
-
- private SearchBuilder<IAMAccountPolicyMapVO> ListByAccountId;
- private SearchBuilder<IAMAccountPolicyMapVO> ListByPolicyId;
- private SearchBuilder<IAMAccountPolicyMapVO> findByPolicyAccountId;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- ListByAccountId = createSearchBuilder();
- ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
- ListByAccountId.done();
-
- ListByPolicyId = createSearchBuilder();
- ListByPolicyId.and("policyId", ListByPolicyId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
- ListByPolicyId.done();
-
- findByPolicyAccountId = createSearchBuilder();
- findByPolicyAccountId.and("policyId", findByPolicyAccountId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
- findByPolicyAccountId.and("accountId", findByPolicyAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
- findByPolicyAccountId.done();
-
- return true;
- }
-
- @Override
- public List<IAMAccountPolicyMapVO> listByAccountId(long acctId) {
- SearchCriteria<IAMAccountPolicyMapVO> sc = ListByAccountId.create();
- sc.setParameters("accountId", acctId);
- return listBy(sc);
- }
-
- @Override
- public List<IAMAccountPolicyMapVO> listByPolicyId(long policyId) {
- SearchCriteria<IAMAccountPolicyMapVO> sc = ListByPolicyId.create();
- sc.setParameters("policyId", policyId);
- return listBy(sc);
- }
-
- @Override
- public IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId) {
- SearchCriteria<IAMAccountPolicyMapVO> sc = findByPolicyAccountId.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("accountId", acctId);
- return findOneBy(sc);
- }
-}
\ No newline at end of file
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
deleted file mode 100644
index a94dbaa..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-
-import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMGroupAccountMapDao extends GenericDao<IAMGroupAccountMapVO, Long> {
-
- List<IAMGroupAccountMapVO> listByGroupId(long groupId);
-
- List<IAMGroupAccountMapVO> listByAccountId(long accountId);
-
- IAMGroupAccountMapVO findAccountInAdminGroup(long accountId);
-
- IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
-
- void removeAccountFromGroups(long accountId);
-
- IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
-
- IAMGroupAccountMapVO findAccountInUserGroup(long accountId);
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
deleted file mode 100644
index 4bb5d1a..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
+++ /dev/null
@@ -1,119 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
-
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-@Component
-public class IAMGroupAccountMapDaoImpl extends GenericDaoBase<IAMGroupAccountMapVO, Long> implements IAMGroupAccountMapDao {
- private SearchBuilder<IAMGroupAccountMapVO> ListByGroupId;
- private SearchBuilder<IAMGroupAccountMapVO> ListByAccountId;
- private SearchBuilder<IAMGroupAccountMapVO> _findByAccountAndGroupId;
-
- public static final Logger s_logger = Logger.getLogger(IAMGroupAccountMapDaoImpl.class.getName());
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- ListByGroupId = createSearchBuilder();
- ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
- ListByGroupId.done();
-
- ListByAccountId = createSearchBuilder();
- ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
- ListByAccountId.done();
-
- _findByAccountAndGroupId = createSearchBuilder();
- _findByAccountAndGroupId
- .and("groupId", _findByAccountAndGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
- _findByAccountAndGroupId.and("accountId", _findByAccountAndGroupId.entity().getAccountId(),
- SearchCriteria.Op.EQ);
- _findByAccountAndGroupId.done();
-
- return true;
- }
-
- @Override
- public List<IAMGroupAccountMapVO> listByGroupId(long groupId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = ListByGroupId.create();
- sc.setParameters("groupId", groupId);
- return listBy(sc);
- }
-
- @Override
- public List<IAMGroupAccountMapVO> listByAccountId(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
- sc.setParameters("accountId", accountId);
- return listBy(sc);
- }
-
- @Override
- public IAMGroupAccountMapVO findAccountInAdminGroup(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
- sc.setParameters("accountId", accountId);
- sc.setParameters("groupId", 2);
- return findOneBy(sc);
- }
-
- @Override
- public IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
- sc.setParameters("accountId", accountId);
- sc.setParameters("groupId", 3);
- return findOneBy(sc);
- }
-
- @Override
- public IAMGroupAccountMapVO findAccountInUserGroup(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
- sc.setParameters("accountId", accountId);
- sc.setParameters("groupId", 1);
- return findOneBy(sc);
- }
-
- @Override
- public IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
- sc.setParameters("accountId", acctId);
- sc.setParameters("groupId", groupId);
- return findOneBy(sc);
- }
-
- @Override
- public void removeAccountFromGroups(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
- sc.setParameters("accountId", accountId);
-
- int rowsRemoved = remove(sc);
- if (rowsRemoved > 0) {
- s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
- }
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
deleted file mode 100644
index 54408a6..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
+++ /dev/null
@@ -1,28 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.server.IAMGroupVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMGroupDao extends GenericDao<IAMGroupVO, Long> {
-
- IAMGroup findByName(String path, String groupName);
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
deleted file mode 100644
index 45be0b3..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
+++ /dev/null
@@ -1,59 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.server.IAMGroupVO;
-import org.springframework.stereotype.Component;
-
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-@Component
-public class IAMGroupDaoImpl extends GenericDaoBase<IAMGroupVO, Long> implements IAMGroupDao {
- private SearchBuilder<IAMGroupVO> nameSearch;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- nameSearch = createSearchBuilder();
- nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
- nameSearch.and("path", nameSearch.entity().getPath(), SearchCriteria.Op.EQ);
- nameSearch.done();
-
-
- return true;
- }
-
- @Override
- public IAMGroup findByName(String path, String name) {
- SearchCriteria<IAMGroupVO> sc = nameSearch.create();
- sc.setParameters("name", name);
- if (path != null) {
- sc.setParameters("path", path);
- }
- return findOneBy(sc);
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java
deleted file mode 100644
index 3f5f232..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-
-import org.apache.cloudstack.iam.server.IAMGroupPolicyMapVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMGroupPolicyMapDao extends GenericDao<IAMGroupPolicyMapVO, Long> {
-
- List<IAMGroupPolicyMapVO> listByGroupId(long groupId);
-
- List<IAMGroupPolicyMapVO> listByPolicyId(long policyId);
-
- IAMGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId);
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java
deleted file mode 100644
index ac42f04..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java
+++ /dev/null
@@ -1,77 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.server.IAMGroupPolicyMapVO;
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-public class IAMGroupPolicyMapDaoImpl extends GenericDaoBase<IAMGroupPolicyMapVO, Long> implements IAMGroupPolicyMapDao {
-
- private SearchBuilder<IAMGroupPolicyMapVO> ListByGroupId;
- private SearchBuilder<IAMGroupPolicyMapVO> ListByPolicyId;
- private SearchBuilder<IAMGroupPolicyMapVO> findByPolicyGroupId;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- ListByGroupId = createSearchBuilder();
- ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
- ListByGroupId.done();
-
- ListByPolicyId = createSearchBuilder();
- ListByPolicyId.and("policyId", ListByPolicyId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- ListByPolicyId.done();
-
- findByPolicyGroupId = createSearchBuilder();
- findByPolicyGroupId.and("policyId", findByPolicyGroupId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- findByPolicyGroupId.and("groupId", findByPolicyGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
- findByPolicyGroupId.done();
-
- return true;
- }
-
- @Override
- public List<IAMGroupPolicyMapVO> listByGroupId(long groupId) {
- SearchCriteria<IAMGroupPolicyMapVO> sc = ListByGroupId.create();
- sc.setParameters("groupId", groupId);
- return listBy(sc);
- }
-
- @Override
- public List<IAMGroupPolicyMapVO> listByPolicyId(long policyId) {
- SearchCriteria<IAMGroupPolicyMapVO> sc = ListByPolicyId.create();
- sc.setParameters("policyId", policyId);
- return listBy(sc);
- }
-
- @Override
- public IAMGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId) {
- SearchCriteria<IAMGroupPolicyMapVO> sc = findByPolicyGroupId.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("groupId", groupId);
- return findOneBy(sc);
- }
-}
\ No newline at end of file
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java
deleted file mode 100644
index ace7d85..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java
+++ /dev/null
@@ -1,28 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.server.IAMPolicyVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMPolicyDao extends GenericDao<IAMPolicyVO, Long> {
-
- IAMPolicy findByName(String policyName);
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java
deleted file mode 100644
index 293cf6f..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java
+++ /dev/null
@@ -1,57 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.server.IAMPolicyVO;
-import org.springframework.stereotype.Component;
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-@Component
-public class IAMPolicyDaoImpl extends GenericDaoBase<IAMPolicyVO, Long> implements IAMPolicyDao {
- private SearchBuilder<IAMPolicyVO> nameSearch;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- nameSearch = createSearchBuilder();
- nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
- // nameSearch.and("domainId", nameSearch.entity().getDomainId(),
- // SearchCriteria.Op.EQ);
- nameSearch.done();
-
-
- return true;
- }
-
- @Override
- public IAMPolicy findByName(String name) {
- SearchCriteria<IAMPolicyVO> sc = nameSearch.create();
- sc.setParameters("name", name);
-
- return findOneBy(sc);
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java
deleted file mode 100644
index ebb4916..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java
+++ /dev/null
@@ -1,39 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-import java.util.List;
-
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMPolicyPermissionDao extends GenericDao<IAMPolicyPermissionVO, Long> {
-
- List<IAMPolicyPermissionVO> listByPolicy(long policyId);
-
- IAMPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId,
- String action, Permission perm, String accessType);
-
- List<IAMPolicyPermissionVO> listByPolicyActionAndScope(long policyId, String action, String scope, String accessType);
-
- List<IAMPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType);
-
- List<IAMPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType, String entityType);
-
- List<IAMPolicyPermissionVO> listByEntity(String entityType, Long entityId);
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java
deleted file mode 100644
index 44b77d1..0000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java
+++ /dev/null
@@ -1,130 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO;
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-public class IAMPolicyPermissionDaoImpl extends GenericDaoBase<IAMPolicyPermissionVO, Long> implements
- IAMPolicyPermissionDao {
-
- private SearchBuilder<IAMPolicyPermissionVO> policyIdSearch;
- private SearchBuilder<IAMPolicyPermissionVO> fullSearch;
- private SearchBuilder<IAMPolicyPermissionVO> entitySearch;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- policyIdSearch = createSearchBuilder();
- policyIdSearch.and("policyId", policyIdSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- policyIdSearch.done();
-
- fullSearch = createSearchBuilder();
- fullSearch.and("policyId", fullSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- fullSearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ);
- fullSearch.and("scope", fullSearch.entity().getScope(), SearchCriteria.Op.EQ);
- fullSearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ);
- fullSearch.and("action", fullSearch.entity().getAction(), SearchCriteria.Op.EQ);
- fullSearch.and("permission", fullSearch.entity().getPermission(), SearchCriteria.Op.EQ);
- fullSearch.and("accessType", fullSearch.entity().getAccessType(), SearchCriteria.Op.EQ);
- fullSearch.done();
-
- entitySearch = createSearchBuilder();
- entitySearch.and("entityType", entitySearch.entity().getEntityType(), SearchCriteria.Op.EQ);
- entitySearch.and("scopeId", entitySearch.entity().getScopeId(), SearchCriteria.Op.EQ);
- entitySearch.done();
-
- return true;
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByPolicy(long policyId) {
- SearchCriteria<IAMPolicyPermissionVO> sc = policyIdSearch.create();
- sc.setParameters("policyId", policyId);
- return listBy(sc);
- }
-
- @Override
- public IAMPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId,
- String action, Permission perm, String accessType) {
- SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("entityType", entityType);
- sc.setParameters("scope", scope);
- sc.setParameters("scopeId", scopeId);
- sc.setParameters("action", action);
- sc.setParameters("permission", perm);
- if (accessType != null) {
- // accessType can be optional, used mainly in list apis with
- // ListEntry and UseEntry distinction
- sc.setParameters("accessType", accessType);
- }
- return findOneBy(sc);
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByPolicyActionAndScope(long policyId, String action, String scope, String accessType) {
- SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("action", action);
- sc.setParameters("scope", scope);
- sc.setParameters("permission", Permission.Allow);
- if ( accessType != null ){
- // accessType can be optional, used mainly in list apis with ListEntry and UseEntry distinction
- sc.setParameters("accessType", accessType);
- }
- return listBy(sc);
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType) {
- SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("entityType", entityType);
- sc.setParameters("action", action);
- return listBy(sc);
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType,
- String entityType) {
- SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("entityType", entityType);
- sc.setParameters("accessType", accessType);
- return listBy(sc);
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByEntity(String entityType, Long entityId) {
- SearchCriteria<IAMPolicyPermissionVO> sc = entitySearch.create();
- sc.setParameters("entityType", entityType);
- sc.setParameters("scopeId", entityId);
- return listBy(sc);
- }
-
-}
diff --git a/services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml b/services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
deleted file mode 100644
index 1c79836..0000000
--- a/services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
+++ /dev/null
@@ -1,47 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:aop="http://www.springframework.org/schema/aop"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context.xsd"
- >
-
- <bean id="IAMGroupDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupDaoImpl" />
- <bean id="IAMPolicyDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyDaoImpl" />
- <bean id="IAMGroupAccountMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDaoImpl" />
- <bean id="IAMGroupPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDaoImpl" />
- <bean id="IAMPolicyPermissionDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDaoImpl" />
- <bean id="IAMAccountPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDaoImpl" />
-
-
- <bean id="IAMServiceImpl" class="org.apache.cloudstack.iam.server.IAMServiceImpl" >
- <property name="configParams">
- <map>
- <entry key="cache.size" value="5000" />
- <entry key="cache.time.to.live" value="300" />
- </map>
- </property>
- </bean>
-
-</beans>
diff --git a/services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java b/services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java
deleted file mode 100644
index 53cfc71..0000000
--- a/services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java
+++ /dev/null
@@ -1,211 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import static org.junit.Assert.assertNotNull;
-import static org.mockito.Matchers.eq;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mockito;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.ComponentScan.Filter;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.FilterType;
-import org.springframework.core.type.classreading.MetadataReader;
-import org.springframework.core.type.classreading.MetadataReaderFactory;
-import org.springframework.core.type.filter.TypeFilter;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-import org.springframework.test.context.support.AnnotationConfigContextLoader;
-
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMService;
-import org.apache.cloudstack.iam.server.IAMGroupVO;
-import org.apache.cloudstack.iam.server.IAMPolicyVO;
-import org.apache.cloudstack.iam.server.IAMServiceImpl;
-import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
-import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
-import org.apache.cloudstack.test.utils.SpringUtils;
-
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.utils.component.ComponentContext;
-import com.cloud.utils.db.EntityManager;
-import com.cloud.utils.db.SearchCriteria;
-
-@RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
-public class IAMServiceUnitTest {
-
- @Inject
- IAMService _iamService;
-
- @Inject
- IAMPolicyDao _aclPolicyDao;
-
- @Inject
- IAMGroupDao _aclGroupDao;
-
- @Inject
- EntityManager _entityMgr;
-
- @Inject
- IAMGroupPolicyMapDao _aclGroupPolicyMapDao;
-
- @Inject
- IAMGroupAccountMapDao _aclGroupAccountMapDao;
-
- @Inject
- IAMPolicyPermissionDao _policyPermissionDao;
-
- @BeforeClass
- public static void setUpClass() throws ConfigurationException {
- }
-
- @Before
- public void setUp() {
- ComponentContext.initComponentsLifeCycle();
- IAMGroupVO group = new IAMGroupVO("group1", "my first group");
- Mockito.when(_aclGroupDao.persist(Mockito.any(IAMGroupVO.class))).thenReturn(group);
- List<IAMGroupVO> groups = new ArrayList<IAMGroupVO>();
- groups.add(group);
- when(_aclGroupDao.search(Mockito.any(SearchCriteria.class), Mockito.any(com.cloud.utils.db.Filter.class)))
- .thenReturn(groups);
-
- IAMPolicyVO policy = new IAMPolicyVO("policy1", "my first policy");
- Mockito.when(_aclPolicyDao.persist(Mockito.any(IAMPolicyVO.class))).thenReturn(policy);
-
- }
-
- @After
- public void tearDown() {
- }
-
- @Test(expected = InvalidParameterValueException.class)
- public void createAclGroupTest() {
- IAMGroup group = _iamService.createIAMGroup("group1", "my first group", "/root/mydomain");
- assertNotNull("Acl group 'group1' failed to create ", group);
-
- IAMGroupVO group2 = new IAMGroupVO("group1", "my second group");
- when(_aclGroupDao.findByName(eq("/root/mydomain"), eq("group1"))).thenReturn(group2);
-
- IAMGroup group3 = _iamService.createIAMGroup("group1", "my first group", "/root/mydomain");
- }
-
- @Test(expected = InvalidParameterValueException.class)
- public void deleteAclGroupInvalidIdTest() {
- when(_aclGroupDao.findById(20L)).thenReturn(null);
- _iamService.deleteIAMGroup(20L);
- }
-
- @Test
- public void accountGroupMaptest() {
- // create group
- IAMGroupVO group = new IAMGroupVO("group1", "my first group");
-
- // add account to group
- List<Long> accountIds = new ArrayList<Long>();
- accountIds.add(100L);
- when(_aclGroupDao.findById(20L)).thenReturn(group);
- _iamService.addAccountsToGroup(accountIds, 20L);
-
- _iamService.removeAccountsFromGroup(accountIds, 20L);
- }
-
- @Test(expected = InvalidParameterValueException.class)
- public void createAclPolicyTest() {
- IAMPolicy policy = _iamService.createIAMPolicy("policy1", "my first policy", null, "/root/mydomain");
- assertNotNull("Acl policy 'policy1' failed to create ", policy);
-
- IAMPolicyVO rvo = new IAMPolicyVO("policy2", "second policy");
- when(_aclPolicyDao.findByName(eq("policy2"))).thenReturn(rvo);
-
- _iamService.createIAMPolicy("policy2", "second policy", null, "/root/mydomain");
- }
-
- @Test(expected = InvalidParameterValueException.class)
- public void deleteAclPolicyInvalidIdTest() {
- when(_aclPolicyDao.findById(34L)).thenReturn(null);
- _iamService.deleteIAMPolicy(34L);
- }
-
- @Configuration
- @ComponentScan(basePackageClasses = {IAMServiceImpl.class}, includeFilters = {@Filter(value = TestConfiguration.Library.class, type = FilterType.CUSTOM)}, useDefaultFilters = false)
- public static class TestConfiguration extends SpringUtils.CloudStackTestConfiguration {
-
- @Bean
- public IAMPolicyDao aclPolicyDao() {
- return Mockito.mock(IAMPolicyDao.class);
- }
-
- @Bean
- public IAMGroupDao aclGroupDao() {
- return Mockito.mock(IAMGroupDao.class);
- }
-
- @Bean
- public EntityManager entityManager() {
- return Mockito.mock(EntityManager.class);
- }
-
- @Bean
- public IAMGroupPolicyMapDao aclGroupPolicyMapDao() {
- return Mockito.mock(IAMGroupPolicyMapDao.class);
- }
-
- @Bean
- public IAMGroupAccountMapDao aclGroupAccountMapDao() {
- return Mockito.mock(IAMGroupAccountMapDao.class);
- }
-
- @Bean
- public IAMAccountPolicyMapDao aclAccountPolicyMapDao() {
- return Mockito.mock(IAMAccountPolicyMapDao.class);
- }
-
- @Bean
- public IAMPolicyPermissionDao aclPolicyPermissionDao() {
- return Mockito.mock(IAMPolicyPermissionDao.class);
- }
-
- public static class Library implements TypeFilter {
-
- @Override
- public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException {
- ComponentScan cs = TestConfiguration.class.getAnnotation(ComponentScan.class);
- return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs);
- }
- }
- }
-}
diff --git a/services/iam/server/src/test/resources/db.properties b/services/iam/server/src/test/resources/db.properties
deleted file mode 100644
index a672d63..0000000
--- a/services/iam/server/src/test/resources/db.properties
+++ /dev/null
@@ -1,73 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-
-# management server clustering parameters, change cluster.node.IP to the machine IP address
-# in which the management server(Tomcat) is running
-cluster.node.IP=127.0.0.1
-cluster.servlet.port=9090
-region.id=1
-
-# CloudStack database settings
-db.cloud.username=cloud
-db.cloud.password=cloud
-db.root.password=
-db.cloud.host=localhost
-db.cloud.driver=jdbc:mysql
-db.cloud.port=3306
-db.cloud.name=cloud
-
-# CloudStack database tuning parameters
-db.cloud.maxActive=250
-db.cloud.maxIdle=30
-db.cloud.maxWait=10000
-db.cloud.autoReconnect=true
-db.cloud.validationQuery=SELECT 1
-db.cloud.testOnBorrow=true
-db.cloud.testWhileIdle=true
-db.cloud.timeBetweenEvictionRunsMillis=40000
-db.cloud.minEvictableIdleTimeMillis=240000
-db.cloud.poolPreparedStatements=false
-db.cloud.url.params=prepStmtCacheSize=517&cachePrepStmts=true&prepStmtCacheSqlLimit=4096
-
-# usage database settings
-db.usage.username=cloud
-db.usage.password=cloud
-db.usage.host=localhost
-# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
-db.usage.driver=jdbc:mysql
-db.usage.port=3306
-db.usage.name=cloud_usage
-
-# usage database tuning parameters
-db.usage.maxActive=100
-db.usage.maxIdle=30
-db.usage.maxWait=10000
-db.usage.autoReconnect=true
-
-# Simulator database settings
-db.simulator.username=cloud
-db.simulator.password=cloud
-db.simulator.host=localhost
-# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
-db.simulator.driver=jdbc:mysql
-db.simulator.port=3306
-db.simulator.name=simulator
-db.simulator.maxActive=250
-db.simulator.maxIdle=30
-db.simulator.maxWait=10000
-db.simulator.autoReconnect=true
diff --git a/tools/apidoc/gen_toc.py b/tools/apidoc/gen_toc.py
index f45f030..3bf52a3 100644
--- a/tools/apidoc/gen_toc.py
+++ b/tools/apidoc/gen_toc.py
@@ -169,7 +169,6 @@ known_categories = {
'Ucs' : 'UCS',
'CacheStores' : 'Cache Stores',
'CacheStore' : 'Cache Store',
- 'IAM' : 'IAM',
'OvsElement' : 'Ovs Element',
'StratosphereSsp' : ' Stratosphere SSP',
'Metrics' : 'Metrics',
diff --git a/tools/build/build_asf.sh b/tools/build/build_asf.sh
index ecccb95..7530be5 100755
--- a/tools/build/build_asf.sh
+++ b/tools/build/build_asf.sh
@@ -100,9 +100,6 @@ perl -pi -e "s/-SNAPSHOT//" tools/apidoc/pom.xml
perl -pi -e "s/-SNAPSHOT//" build/replace.properties
perl -pi -e "s/-SNAPSHOT//" tools/marvin/setup.py
perl -pi -e "s/-SNAPSHOT//" tools/marvin/marvin/deployAndRun.py
-perl -pi -e "s/-SNAPSHOT//" services/iam/plugin/pom.xml
-perl -pi -e "s/-SNAPSHOT//" services/iam/pom.xm
-perl -pi -e "s/-SNAPSHOT//" services/iam/server/pom.xml
perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile
perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile.marvin
perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile.centos6
diff --git a/tools/build/setnextversion.sh b/tools/build/setnextversion.sh
index 2f9c980..3b31ea9 100755
--- a/tools/build/setnextversion.sh
+++ b/tools/build/setnextversion.sh
@@ -131,9 +131,6 @@ echo "setting new version numbers"
mvn versions:set -DnewVersion=$version -P vmware -P developer -P systemvm -P simulator -Dnoredist versions:commit
perl -pi -e "s/$currentversion/$version/" debian/changelog
-perl -pi -e "s/$currentversion/$version/" services/iam/plugin/pom.xml
-perl -pi -e "s/$currentversion/$version/" services/iam/pom.xml
-perl -pi -e "s/$currentversion/$version/" services/iam/server/pom.xml
perl -pi -e "s/$currentversion/$version/" tools/apidoc/pom.xml
perl -pi -e "s/$currentversion/$version/" tools/checkstyle/pom.xml
perl -pi -e "s/$currentversion/$version/" tools/marvin/setup.py
diff --git a/tools/marvin/marvin/lib/base.py b/tools/marvin/marvin/lib/base.py
index fdfed77..c4d8783 100755
--- a/tools/marvin/marvin/lib/base.py
+++ b/tools/marvin/marvin/lib/base.py
@@ -5096,139 +5096,6 @@ class NIC:
cmd.listall = True
return(apiclient.listNics(cmd))
-class IAMGroup:
- def __init__(self, items):
- self.__dict__.update(items)
-
- @classmethod
- def create(cls, apiclient, iam_grp, account=None, domainid=None):
- cmd = createIAMGroup.createIAMGroupCmd()
- cmd.name = iam_grp['name']
- cmd.description = iam_grp['description']
- if account:
- cmd.account = account
- if domainid:
- cmd.domainid = domainid
- return IAMGroup(apiclient.createIAMGroup(cmd).__dict__)
-
- def update(self, apiclient):
- pass
-
- def delete(self, apiclient):
- cmd = deleteIAMGroup.deleteIAMGroupCmd()
- cmd.id = self.id
- return apiclient.deleteIAMGroup(cmd)
-
- @classmethod
- def list(cls, apiclient, **kwargs):
- cmd = listIAMGroups.listIAMGroupsCmd()
- [setattr(cmd, k, v) for k, v in kwargs.items()]
- if 'account' in kwargs.keys() and 'domainid' in kwargs.keys():
- cmd.listall = True
- return apiclient.listIAMGroups(cmd)
-
- def addAccount(self, apiclient, accts):
- """Add accounts to iam group"""
- cmd = addAccountToIAMGroup.addAccountToIAMGroupCmd()
- cmd.id = self.id
- cmd.accounts = [str(acct.id) for acct in accts]
- apiclient.addAccountToIAMGroup(cmd)
- return
-
- def removeAccount(self, apiclient, accts):
- """ Remove accounts from iam group"""
- cmd = removeAccountFromIAMGroup.removeAccountFromIAMGroupCmd()
- cmd.id = self.id
- cmd.accounts = [str(acct.id) for acct in accts]
- apiclient.removeAccountFromIAMGroup(cmd)
- return
-
- def attachPolicy(self, apiclient, policies):
- """Add policies to iam group"""
- cmd = attachIAMPolicyToIAMGroup.attachIAMPolicyToIAMGroupCmd()
- cmd.id = self.id
- cmd.policies = [str(policy.id) for policy in policies]
- apiclient.attachIAMPolicyToIAMGroup(cmd)
- return
-
- def detachPolicy(self, apiclient, policies):
- """Remove policies from iam group"""
- cmd = removeIAMPolicyFromIAMGroup.removeIAMPolicyFromIAMGroupCmd()
- cmd.id = self.id
- cmd.policies = [str(policy.id) for policy in policies]
- apiclient.removeIAMPolicyFromIAMGroup(cmd)
- return
-
-class IAMPolicy:
- def __init__(self, items):
- self.__dict__.update(items)
-
- @classmethod
- def create(cls, apiclient, iam_policy, account=None, domainid=None):
- cmd = createIAMPolicy.createIAMPolicyCmd()
- cmd.name = iam_policy['name']
- cmd.description = iam_policy['description']
- if account:
- cmd.account = account
- if domainid:
- cmd.domainid = domainid
- return IAMPolicy(apiclient.createIAMPolicy(cmd).__dict__)
-
- def update(self, apiclient):
- pass
-
- def delete(self, apiclient):
- cmd = deleteIAMPolicy.deleteIAMPolicyCmd()
- cmd.id = self.id
- return apiclient.deleteIAMPolicy(cmd)
-
- @classmethod
- def list(cls, apiclient, **kwargs):
- cmd = listIAMPolicies.listIAMPoliciesCmd()
- [setattr(cmd, k, v) for k, v in kwargs.items()]
- if 'account' in kwargs.keys() and 'domainid' in kwargs.keys():
- cmd.listall = True
- return apiclient.listIAMPoliciesCmd(cmd)
-
- def addPermission(self, apiclient, permission):
- """Add permission to iam policy"""
- cmd = addIAMPermissionToIAMPolicy.addIAMPermissionToIAMPolicyCmd()
- cmd.id = self.id
- cmd.action = permission['action']
- cmd.entitytype = permission['entitytype']
- cmd.scope = permission['scope']
- cmd.scopeid = permission['scopeid']
- apiclient.addIAMPermissionToIAMPolicy(cmd)
- return
-
- def removePermission(self, apiclient, permission):
- """Remove permission from iam policy"""
- cmd = removeIAMPermissionFromIAMPolicy.\
- removeIAMPermissionFromIAMPolicyCmd()
- cmd.id = self.id
- cmd.action = permission['action']
- cmd.entitytype = permission['entitytype']
- cmd.scope = permission['scope']
- cmd.scopeid = permission['scopeid']
- apiclient.removeIAMPermissionFromIAMPolicy(cmd)
- return
-
- def attachAccount(self, apiclient, accts):
- """Attach iam policy to accounts"""
- cmd = attachIAMPolicyToAccount.attachIAMPolicyToAccountCmd()
- cmd.id = self.id
- cmd.accounts = [str(acct.id) for acct in accts]
- apiclient.attachIAMPolicyToAccount(cmd)
- return
-
- def detachAccount(self, apiclient, accts):
- """Detach iam policy from accounts"""
- cmd = removeIAMPolicyFromAccount.removeIAMPolicyFromAccountCmd()
- cmd.id = self.id
- cmd.accounts = [str(acct.id) for acct in accts]
- apiclient.removeIAMPolicyFromAccount(cmd)
- return
-
class SimulatorMock:
"""Manage simulator mock lifecycle"""
def __init__(self, items):