You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2018/09/11 16:06:22 UTC
[GitHub] rafaelweingartner closed pull request #2817: Remove 'iam' projects
rafaelweingartner closed pull request #2817: Remove 'iam' projects
URL: https://github.com/apache/cloudstack/pull/2817
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/api/src/main/java/com/cloud/event/EventTypes.java b/api/src/main/java/com/cloud/event/EventTypes.java
index 907b93eca10..318dc4bc305 100644
--- a/api/src/main/java/com/cloud/event/EventTypes.java
+++ b/api/src/main/java/com/cloud/event/EventTypes.java
@@ -531,19 +531,6 @@
public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE";
- // IAM events
- public static final String EVENT_IAM_POLICY_CREATE = "IAMPOLICY.CREATE";
- public static final String EVENT_IAM_POLICY_DELETE = "IAMPOLICY.DELETE";
- public static final String EVENT_IAM_POLICY_GRANT = "IAMPOLICY.GRANT";
- public static final String EVENT_IAM_POLICY_REVOKE = "IAMPOLICY.REVOKE";
-
- public static final String EVENT_IAM_GROUP_UPDATE = "IAMGROUP.UPDATE";
- public static final String EVENT_IAM_GROUP_CREATE = "IAMGROUP.CREATE";
- public static final String EVENT_IAM_GROUP_DELETE = "IAMGROUP.DELETE";
- public static final String EVENT_IAM_GROUP_GRANT = "IAMGROUP.GRANT";
- public static final String EVENT_IAM_GROUP_REVOKE = "IAMGROUP.REVOKE";
- public static final String EVENT_IAM_ACCOUNT_POLICY_UPDATE = "IAMACCOUNTPOLICY.UPDATE";
-
// Object store migration
public static final String EVENT_MIGRATE_PREPARE_SECONDARY_STORAGE = "MIGRATE.PREPARE.SS";
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java b/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java
index ead6ce1eede..b95831b3d20 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java
@@ -50,8 +50,6 @@
AffinityGroup,
InternalLbVm,
DedicatedGuestVlanRange,
- IAMPolicy,
- IAMGroup,
GuestOs,
GuestOsMapping,
Network
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
index f03ddc7465c..b7779cb2a8d 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
@@ -652,19 +652,7 @@
public static final String MAX_CONNECTIONS = "maxconnections";
public static final String SERVICE_STATE = "servicestate";
- public static final String IAM_ACCOUNT_IDS = "accountids";
- public static final String IAM_MEMBER_ACCOUNTS = "memberaccounts";
- public static final String IAM_PARENT_POLICY_ID = "parentpolicyid";
- public static final String IAM_PARENT_POLICY_NAME = "parentpolicyname";
- public static final String IAM_POLICY_IDS = "policyids";
- public static final String IAM_POLICIES = "policies";
- public static final String IAM_APIS = "apis";
public static final String IAM_GROUPS = "groups";
- public static final String IAM_PERMISSIONS = "permission";
- public static final String IAM_ACTION = "action";
- public static final String IAM_SCOPE = "scope";
- public static final String IAM_SCOPE_ID = "scopeid";
- public static final String IAM_ALLOW_DENY = "permission";
public static final String ENTITY_TYPE = "entitytype";
public static final String ENTITY_ID = "entityid";
public static final String EXTERNAL_ID = "externalid";
@@ -737,4 +725,4 @@
public enum DomainDetails {
all, resource, min;
}
-}
\ No newline at end of file
+}
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql b/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql
index a72b33ffece..76f69015f45 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql
@@ -17,4 +17,11 @@
--;
-- Schema upgrade cleanup from 4.11.1.0 to 4.12.0.0
---;
\ No newline at end of file
+--;
+
+DROP TABLE IF EXISTS `cloud`.`iam_account_policy_map`;
+DROP TABLE IF EXISTS `cloud`.`iam_group_account_map`;
+DROP TABLE IF EXISTS `cloud`.`iam_group_policy_map`;
+DROP TABLE IF EXISTS `cloud`.`iam_group`;
+DROP TABLE IF EXISTS `cloud`.`iam_policy_permission`;
+DROP TABLE IF EXISTS `cloud`.`iam_policy`;
diff --git a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
index 7076a669d7f..dc57a8a9ef3 100755
--- a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
@@ -1546,7 +1546,6 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class);
permit.put(ApiConstants.ENTITY_ID, id);
permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry);
- permit.put(ApiConstants.IAM_ACTION, "listTemplates");
permit.put(ApiConstants.ACCOUNTS, accountIds);
_messageBus.publish(_name, EntityManager.MESSAGE_GRANT_ENTITY_EVENT, PublishScope.LOCAL, permit);
} else if ("remove".equalsIgnoreCase(operation)) {
@@ -1563,7 +1562,6 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class);
permit.put(ApiConstants.ENTITY_ID, id);
permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry);
- permit.put(ApiConstants.IAM_ACTION, "listTemplates");
permit.put(ApiConstants.ACCOUNTS, accountIds);
_messageBus.publish(_name, EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, PublishScope.LOCAL, permit);
} else if ("reset".equalsIgnoreCase(operation)) {
diff --git a/services/iam/plugin/pom.xml b/services/iam/plugin/pom.xml
deleted file mode 100644
index 1ea101d8c54..00000000000
--- a/services/iam/plugin/pom.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <artifactId>cloud-plugin-iam</artifactId>
- <name>Apache CloudStack IAM - Plugin</name>
- <parent>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloudstack-service-iam</artifactId>
- <version>4.12.0.0-SNAPSHOT</version>
- <relativePath>../pom.xml</relativePath>
- </parent>
- <dependencies>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-engine-schema</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-server</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-iam</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- <type>test-jar</type>
- <scope>test</scope>
- </dependency>
- </dependencies>
-</project>
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java
deleted file mode 100644
index bea3fc97d10..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java
+++ /dev/null
@@ -1,127 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "addAccountToIAMGroup", description = "add account to an iam group", responseObject = IAMGroupResponse.class)
-public class AddAccountToIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(AddAccountToIAMGroupCmd.class.getName());
- private static final String s_name = "addaccounttoiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the iam group.")
- private List<Long> accountIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getAccountIdList() {
- return accountIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM group Id: " + getId());
- IAMGroup result = _iamApiSrv.addAccountsToGroup(accountIdList, id);
- if (result != null){
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add accounts to iam group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "adding accounts to iam group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
deleted file mode 100644
index d69f3d0a0b9..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
+++ /dev/null
@@ -1,159 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "addIAMPermissionToIAMPolicy", description = "Add IAM permission to an iam policy", responseObject = IAMPolicyResponse.class)
-public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(AddIAMPermissionToIAMPolicyCmd.class.getName());
- private static final String s_name = "addiampermissiontoiampolicyresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
- required = true, description = "The ID of the iam policy")
- private Long id;
-
- @Parameter(name = ApiConstants.IAM_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
- private String action;
-
- @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
- private String entityType;
-
- @Parameter(name = ApiConstants.IAM_SCOPE, type = CommandType.STRING,
- required = false, description = "iam permission scope")
- private String scope;
-
- @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The UUID of the permission scope id")
- private String scopeId;
-
- @Parameter(name = ApiConstants.READ_ONLY, type = CommandType.BOOLEAN, required = false, description = "Read Only access is added; Only applicable when action = List/Read api name")
- private Boolean readOnly;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public String getAction() {
- return action;
- }
-
- public String getEntityType() {
- return entityType;
- }
-
- public String getScope() {
- return scope;
- }
-
- public Long getScopeId() {
- // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID.
- return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
- }
-
- public Boolean isReadOnly() {
- return (readOnly != null) ? readOnly : false;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM policy Id: " + getId());
- // Only explicit ALLOW is supported for this release, no explicit deny
- IAMPolicy result = _iamApiSrv.addIAMPermissionToIAMPolicy(id, entityType, PermissionScope.valueOf(scope),
- getScopeId(), action, Permission.Allow, false, isReadOnly());
- if (result != null) {
- IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to iam policy "
- + getId());
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_POLICY_GRANT;
- }
-
- @Override
- public String getEventDescription() {
- return "granting permission to iam policy";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java
deleted file mode 100644
index fc174cf1594..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java
+++ /dev/null
@@ -1,122 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "attachIAMPolicyToAccount", description = "attach iam policy to accounts", responseObject = SuccessResponse.class)
-public class AttachIAMPolicyToAccountCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(AttachIAMPolicyToAccountCmd.class.getName());
- private static final String s_name = "attachiampolicytoaccountresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
- required = true, description = "The ID of the iam policy")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that the policy will attach to.")
- private List<Long> accountIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getAccountIdList() {
- return accountIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM policy Id: " + getId());
- _iamApiSrv.attachIAMPolicyToAccounts(id, accountIdList);
- SuccessResponse response = new SuccessResponse();
- response.setResponseName(getCommandName());
- setResponseObject(response);
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "adding IAM policy to accounts";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.Account;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java
deleted file mode 100644
index 1705c4a91c3..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java
+++ /dev/null
@@ -1,127 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "attachIAMPolicyToIAMGroup", description = "attach iam policy to an iam group", responseObject = IAMGroupResponse.class)
-public class AttachIAMPolicyToIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(AttachIAMPolicyToIAMGroupCmd.class.getName());
- private static final String s_name = "attachiampolicytoiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.IAM_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = IAMPolicyResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.")
- private List<Long> policyIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getPolicyIdList() {
- return policyIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM group Id: " + getId());
- IAMGroup result = _iamApiSrv.attachIAMPoliciesToGroup(policyIdList, id);
- if (result != null){
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to iam group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "adding iam roles to iam group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java
deleted file mode 100644
index 93940e810cd..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java
+++ /dev/null
@@ -1,168 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCreateCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.ResourceAllocationException;
-import com.cloud.user.Account;
-
-@APICommand(name = "createIAMGroup", responseObject = IAMGroupResponse.class, description = "Creates an IAM group")
-public class CreateIAMGroupCmd extends BaseAsyncCreateCmd {
- public static final Logger s_logger = Logger.getLogger(CreateIAMGroupCmd.class.getName());
-
- private static final String s_name = "createiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- // ///////////////////////////////////////////////////
- // ////////////// API parameters /////////////////////
- // ///////////////////////////////////////////////////
-
- @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the iam group. Must be used with domainId.")
- private String accountName;
-
- @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the iam group", entityType = DomainResponse.class)
- private Long domainId;
-
- @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the iam group")
- private String description;
-
- @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the iam group")
- private String name;
-
-
- // ///////////////////////////////////////////////////
- // ///////////////// Accessors ///////////////////////
- // ///////////////////////////////////////////////////
-
- public String getAccountName() {
- return accountName;
- }
-
- public String getDescription() {
- return description;
- }
-
- public Long getDomainId() {
- return domainId;
- }
-
- public String getName() {
- return name;
- }
-
-
- // ///////////////////////////////////////////////////
- // ///////////// API Implementation///////////////////
- // ///////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public long getEntityOwnerId() {
- Account account = CallContext.current().getCallingAccount();
- if ((account == null) || _accountService.isAdmin(account.getId())) {
- if ((domainId != null) && (accountName != null)) {
- Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
- if (userAccount != null) {
- return userAccount.getId();
- }
- }
- }
-
- if (account != null) {
- return account.getId();
- }
-
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
- // command to SYSTEM so ERROR events
- // are tracked
- }
-
- @Override
- public void execute() {
- IAMGroup grp = _entityMgr.findById(IAMGroup.class, getEntityId());
- if (grp != null) {
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(grp);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam group:" + name);
- }
- }
-
- @Override
- public void create() throws ResourceAllocationException {
- Account account = CallContext.current().getCallingAccount();
- IAMGroup result = _iamApiSrv.createIAMGroup(account, name, description);
- if (result != null) {
- setEntityId(result.getId());
- setEntityUuid(result.getUuid());
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam group entity" + name);
- }
-
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_CREATE;
- }
-
- @Override
- public String getEventDescription() {
- return "creating IAM group";
- }
-
- @Override
- public String getCreateEventType() {
- return EventTypes.EVENT_IAM_GROUP_CREATE;
- }
-
- @Override
- public String getCreateEventDescription() {
- return "creating IAM group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java
deleted file mode 100644
index 7ebab6735a7..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java
+++ /dev/null
@@ -1,175 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCreateCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.ResourceAllocationException;
-import com.cloud.user.Account;
-
-@APICommand(name = "createIAMPolicy", responseObject = IAMPolicyResponse.class, description = "Creates an iam policy")
-public class CreateIAMPolicyCmd extends BaseAsyncCreateCmd {
- public static final Logger s_logger = Logger.getLogger(CreateIAMPolicyCmd.class.getName());
-
- private static final String s_name = "createiampolicyresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- // ///////////////////////////////////////////////////
- // ////////////// API parameters /////////////////////
- // ///////////////////////////////////////////////////
-
- @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the iam policy. Must be used with domainId.")
- private String accountName;
-
- @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the iam policy", entityType = DomainResponse.class)
- private Long domainId;
-
- @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the iam policy")
- private String description;
-
- @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the iam policy")
- private String name;
-
- @ACL
- @Parameter(name = ApiConstants.IAM_PARENT_POLICY_ID, type = CommandType.UUID, description = "The ID of parent iam policy.", entityType = IAMPolicyResponse.class)
- private Long parentPolicyId;
-
-
- // ///////////////////////////////////////////////////
- // ///////////////// Accessors ///////////////////////
- // ///////////////////////////////////////////////////
-
- public String getAccountName() {
- return accountName;
- }
-
- public String getDescription() {
- return description;
- }
-
- public Long getDomainId() {
- return domainId;
- }
-
- public String getName() {
- return name;
- }
-
- public Long getParentPolicyId() {
- return parentPolicyId;
- }
-
- // ///////////////////////////////////////////////////
- // ///////////// API Implementation///////////////////
- // ///////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public long getEntityOwnerId() {
- Account account = CallContext.current().getCallingAccount();
- if ((account == null) || _accountService.isAdmin(account.getId())) {
- if ((domainId != null) && (accountName != null)) {
- Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
- if (userAccount != null) {
- return userAccount.getId();
- }
- }
- }
-
- if (account != null) {
- return account.getId();
- }
-
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
- // command to SYSTEM so ERROR events
- // are tracked
- }
-
- @Override
- public void execute() {
- IAMPolicy policy = _entityMgr.findById(IAMPolicy.class, getEntityId());
- if (policy != null) {
- IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(policy);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam policy:" + name);
- }
- }
-
- @Override
- public void create() throws ResourceAllocationException {
- Account account = CallContext.current().getCallingAccount();
- IAMPolicy result = _iamApiSrv.createIAMPolicy(account, name, description, parentPolicyId);
- if (result != null) {
- setEntityId(result.getId());
- setEntityUuid(result.getUuid());
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam policy entity" + name);
- }
-
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_POLICY_CREATE;
- }
-
- @Override
- public String getEventDescription() {
- return "creating IAM policy";
- }
-
- @Override
- public String getCreateEventType() {
- return EventTypes.EVENT_IAM_POLICY_CREATE;
- }
-
- @Override
- public String getCreateEventDescription() {
- return "creating IAM policy";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java
deleted file mode 100644
index 60b1e24fecb..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java
+++ /dev/null
@@ -1,102 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.iam.IAMApiService;
-
-import com.cloud.event.EventTypes;
-import com.cloud.user.Account;
-
-@APICommand(name = "deleteIAMGroup", description = "Deletes acl group", responseObject = SuccessResponse.class)
-public class DeleteIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(DeleteIAMGroupCmd.class.getName());
- private static final String s_name = "deleteaclgroupresponse";
-
- @Inject
- public IAMApiService _aclApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl group.", required = true, entityType = IAMGroupResponse.class)
- private Long id;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
- public Long getId() {
- return id;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM;
- }
-
- @Override
- public void execute(){
- boolean result = _aclApiSrv.deleteIAMGroup(id);
- if (result) {
- SuccessResponse response = new SuccessResponse(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_DELETE;
- }
-
- @Override
- public String getEventDescription() {
- return "Deleting Acl group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java
deleted file mode 100644
index 037f4cd5991..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java
+++ /dev/null
@@ -1,102 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-
-import com.cloud.event.EventTypes;
-import com.cloud.user.Account;
-
-@APICommand(name = "deleteIAMPolicy", description = "Deletes iam policy", responseObject = SuccessResponse.class)
-public class DeleteIAMPolicyCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(DeleteIAMPolicyCmd.class.getName());
- private static final String s_name = "deleteiampolicyresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the iam policy.", required = true, entityType = IAMPolicyResponse.class)
- private Long id;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
- public Long getId() {
- return id;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM;
- }
-
- @Override
- public void execute(){
- boolean result = _iamApiSrv.deleteIAMPolicy(id);
- if (result) {
- SuccessResponse response = new SuccessResponse(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete iam policy");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_POLICY_DELETE;
- }
-
- @Override
- public String getEventDescription() {
- return "Deleting IAM policy";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java
deleted file mode 100644
index ece87fa3379..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java
+++ /dev/null
@@ -1,88 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-
-
-@APICommand(name = "listIAMGroups", description = "Lists iam groups", responseObject = IAMGroupResponse.class)
-public class ListIAMGroupsCmd extends BaseListDomainResourcesCmd {
- public static final Logger s_logger = Logger.getLogger(ListIAMGroupsCmd.class.getName());
-
- private static final String s_name = "listiamgroupsresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
- @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists iam groups by name")
- private String iamGroupName;
-
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the iam group by the id provided", entityType = IAMGroupResponse.class)
- private Long id;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
- public String getIAMGroupName() {
- return iamGroupName;
- }
-
-
- public Long getId(){
- return id;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public void execute(){
-
- ListResponse<IAMGroupResponse> response = _iamApiSrv.listIAMGroups(id, iamGroupName, getDomainId(),
- getStartIndex(), getPageSizeVal());
- response.setResponseName(getCommandName());
- setResponseObject(response);
-
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java
deleted file mode 100644
index 096cc3b4ce8..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java
+++ /dev/null
@@ -1,88 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-
-
-@APICommand(name = "listIAMPolicies", description = "Lists IAM policies", responseObject = IAMPolicyResponse.class)
-public class ListIAMPoliciesCmd extends BaseListDomainResourcesCmd {
- public static final Logger s_logger = Logger.getLogger(ListIAMPoliciesCmd.class.getName());
-
- private static final String s_name = "listiampoliciesresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
- @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists iam policies by name")
- private String iamPolicyName;
-
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the iam policy by the id provided", entityType = IAMPolicyResponse.class)
- private Long id;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
- public String getIAMPolicyName() {
- return iamPolicyName;
- }
-
-
- public Long getId(){
- return id;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
- @Override
- public void execute(){
-
- ListResponse<IAMPolicyResponse> response = _iamApiSrv.listIAMPolicies(id, iamPolicyName, getDomainId(),
- getStartIndex(), getPageSizeVal());
- response.setResponseName(getCommandName());
- setResponseObject(response);
-
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java
deleted file mode 100644
index 5ff5039c7b0..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java
+++ /dev/null
@@ -1,127 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "removeAccountFromIAMGroup", description = "remove accounts from an iam group", responseObject = IAMGroupResponse.class)
-public class RemoveAccountFromIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(RemoveAccountFromIAMGroupCmd.class.getName());
- private static final String s_name = "removeaccountfromiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the iam group.")
- private List<Long> accountIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getAccountIdList() {
- return accountIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM group Id: " + getId());
- IAMGroup result = _iamApiSrv.removeAccountsFromGroup(accountIdList, id);
- if (result != null){
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove accounts from iam group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "removing accounts from iam group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java
deleted file mode 100644
index bf065a01a50..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java
+++ /dev/null
@@ -1,148 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "removeIAMPermissionFromIAMPolicy", description = "Remove iam permission from an iam policy", responseObject = IAMPolicyResponse.class)
-public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(RemoveIAMPermissionFromIAMPolicyCmd.class.getName());
- private static final String s_name = "removeiampermissionfromiampolicyresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
- required = true, description = "The ID of the iam policy")
- private Long id;
-
- @Parameter(name = ApiConstants.IAM_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
- private String action;
-
- @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
- private String entityType;
-
- @Parameter(name = ApiConstants.IAM_SCOPE, type = CommandType.STRING,
- required = false, description = "iam permission scope")
- private String scope;
-
- @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The ID of the permission scope id")
- private String scopeId;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public String getAction() {
- return action;
- }
-
- public String getEntityType() {
- return entityType;
- }
-
- public String getScope() {
- return scope;
- }
-
- public Long getScopeId() {
- // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID.
- return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
- }
-
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM policy Id: " + getId());
- IAMPolicy result = _iamApiSrv.removeIAMPermissionFromIAMPolicy(id, entityType, PermissionScope.valueOf(scope), getScopeId(), action);
- if (result != null) {
- IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove permission from iam policy " + getId());
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_POLICY_REVOKE;
- }
-
- @Override
- public String getEventDescription() {
- return "removing permission from iam policy";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMPolicy;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java
deleted file mode 100644
index 48c2a7386b9..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java
+++ /dev/null
@@ -1,122 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.SuccessResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.IAMApiService;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "removeIAMPolicyFromAccount", description = "remove iam policy from accounts", responseObject = SuccessResponse.class)
-public class RemoveIAMPolicyFromAccountCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(RemoveIAMPolicyFromAccountCmd.class.getName());
- private static final String s_name = "removeiampolicyfromaccountresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.")
- private List<Long> accountIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getAccountIdList() {
- return accountIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM policy Id: " + getId());
- _iamApiSrv.removeIAMPolicyFromAccounts(id, accountIdList);
- SuccessResponse response = new SuccessResponse();
- response.setResponseName(getCommandName());
- setResponseObject(response);
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "removing iam policy from accounts";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.Account;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java
deleted file mode 100644
index a99143d9f56..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java
+++ /dev/null
@@ -1,127 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.iam;
-
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "removeIAMPolicyFromIAMGroup", description = "remove iam policy from an iam group", responseObject = IAMGroupResponse.class)
-public class RemoveIAMPolicyFromIAMGroupCmd extends BaseAsyncCmd {
- public static final Logger s_logger = Logger.getLogger(RemoveIAMPolicyFromIAMGroupCmd.class.getName());
- private static final String s_name = "removeiampolicyfromiamgroupresponse";
-
- @Inject
- public IAMApiService _iamApiSrv;
-
- /////////////////////////////////////////////////////
- //////////////// API parameters /////////////////////
- /////////////////////////////////////////////////////
-
-
- @ACL
- @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
- required = true, description = "The ID of the iam group")
- private Long id;
-
- @ACL
- @Parameter(name = ApiConstants.IAM_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = IAMPolicyResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.")
- private List<Long> policyIdList;
-
-
- /////////////////////////////////////////////////////
- /////////////////// Accessors ///////////////////////
- /////////////////////////////////////////////////////
-
-
- public Long getId() {
- return id;
- }
-
-
- public List<Long> getRoleIdList() {
- return policyIdList;
- }
-
- /////////////////////////////////////////////////////
- /////////////// API Implementation///////////////////
- /////////////////////////////////////////////////////
-
-
- @Override
- public String getCommandName() {
- return s_name;
- }
-
-
- @Override
- public long getEntityOwnerId() {
- return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
- }
-
- @Override
- public void execute() throws ResourceUnavailableException,
- InsufficientCapacityException, ServerApiException {
- CallContext.current().setEventDetails("IAM group Id: " + getId());
- IAMGroup result = _iamApiSrv.removeIAMPoliciesFromGroup(policyIdList, id);
- if (result != null){
- IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
- response.setResponseName(getCommandName());
- setResponseObject(response);
- } else {
- throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to iam group");
- }
- }
-
- @Override
- public String getEventType() {
- return EventTypes.EVENT_IAM_GROUP_UPDATE;
- }
-
- @Override
- public String getEventDescription() {
- return "removing IAM roles from IAM group";
- }
-
- @Override
- public ApiCommandJobType getInstanceType() {
- return ApiCommandJobType.IAMGroup;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java
deleted file mode 100644
index af28d53ff3c..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java
+++ /dev/null
@@ -1,193 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.response.iam;
-
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import com.google.gson.annotations.SerializedName;
-
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseResponse;
-import org.apache.cloudstack.api.EntityReference;
-import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.serializer.Param;
-
-@SuppressWarnings("unused")
-@EntityReference(value = IAMGroup.class)
-public class IAMGroupResponse extends BaseResponse implements ControlledViewEntityResponse {
-
- @SerializedName(ApiConstants.ID)
- @Param(description = "the ID of the iam group")
- private String id;
-
- @SerializedName(ApiConstants.NAME)
- @Param(description = "the name of the iam group")
- private String name;
-
- @SerializedName(ApiConstants.DESCRIPTION)
- @Param(description = "the description of the iam group")
- private String description;
-
- @SerializedName(ApiConstants.DOMAIN_ID)
- @Param(description = "the domain ID of the iam group")
- private String domainId;
-
- @SerializedName(ApiConstants.DOMAIN)
- @Param(description = "the domain name of the iam role")
- private String domainName;
-
- @SerializedName(ApiConstants.ACCOUNT)
- @Param(description = "the account owning the policy")
- private String accountName;
-
- @SerializedName(ApiConstants.IAM_MEMBER_ACCOUNTS)
- @Param(description = "account names assigned to this iam group ")
- private Set<String> accountNameList;
-
- @SerializedName(ApiConstants.IAM_POLICIES)
- @Param(description = "iam policies attached to this iam group ")
- private Set<String> policyNameList;
-
- public IAMGroupResponse() {
- accountNameList = new LinkedHashSet<String>();
- policyNameList = new LinkedHashSet<String>();
- }
-
- @Override
- public String getObjectId() {
- return getId();
- }
-
-
- public String getId() {
- return id;
- }
-
- public void setId(String id) {
- this.id = id;
- }
-
-
- public void setName(String name) {
- this.name = name;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- @Override
- public void setDomainId(String domainId) {
- this.domainId = domainId;
- }
-
- @Override
- public void setDomainName(String domainName) {
- this.domainName = domainName;
- }
-
- @Override
- public void setAccountName(String accountName) {
- this.accountName = accountName;
-
- }
-
- @Override
- public void setProjectId(String projectId) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void setProjectName(String projectName) {
- // TODO Auto-generated method stub
-
- }
-
- public String getName() {
- return name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public String getDomainId() {
- return domainId;
- }
-
- public String getDomainName() {
- return domainName;
- }
-
- public String getAccountName() {
- return accountName;
- }
-
- public Set<String> getAccountNameList() {
- return accountNameList;
- }
-
- public void setMemberAccounts(Set<String> accts) {
- accountNameList = accts;
- }
-
- public void addMemberAccount(String acct) {
- accountNameList.add(acct);
- }
-
- public void setPolicyList(Set<String> policies) {
- policyNameList = policies;
- }
-
- public void addPolicy(String policy) {
- policyNameList.add(policy);
- }
-
- public Set<String> getPolicyList() {
- return policyNameList;
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((id == null) ? 0 : id.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj)
- return true;
- if (obj == null)
- return false;
- if (getClass() != obj.getClass())
- return false;
- IAMGroupResponse other = (IAMGroupResponse)obj;
- if (id == null) {
- if (other.id != null)
- return false;
- } else if (!id.equals(other.id))
- return false;
- return true;
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java
deleted file mode 100644
index 046e1f4d34c..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java
+++ /dev/null
@@ -1,124 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.response.iam;
-
-import com.google.gson.annotations.SerializedName;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseResponse;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-
-import com.cloud.serializer.Param;
-
-public class IAMPermissionResponse extends BaseResponse {
-
- @SerializedName(ApiConstants.IAM_ACTION)
- @Param(description = "action of this permission")
- private String action;
-
- @SerializedName(ApiConstants.ENTITY_TYPE)
- @Param(description = "the entity type of this permission")
- private String entityType;
-
- @SerializedName(ApiConstants.IAM_SCOPE)
- @Param(description = "scope of this permission")
- private PermissionScope scope;
-
- @SerializedName(ApiConstants.IAM_SCOPE_ID)
- @Param(description = "scope id of this permission")
- private Long scopeId;
-
- @SerializedName(ApiConstants.IAM_ALLOW_DENY)
- @Param(description = "allow or deny of this permission")
- private IAMPolicyPermission.Permission permission;
-
- public String getEntityType() {
- return entityType;
- }
-
- public void setEntityType(String entityType) {
- this.entityType = entityType;
- }
-
- public String getAction() {
- return action;
- }
-
- public void setAction(String action) {
- this.action = action;
- }
-
- public PermissionScope getScope() {
- return scope;
- }
-
- public void setScope(PermissionScope scope) {
- this.scope = scope;
- }
-
- public Long getScopeId() {
- return scopeId;
- }
-
- public void setScopeId(Long scopeId) {
- this.scopeId = scopeId;
- }
-
- public IAMPolicyPermission.Permission getPermission() {
- return permission;
- }
-
- public void setPermission(IAMPolicyPermission.Permission permission) {
- this.permission = permission;
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((action == null) ? 0 : action.hashCode());
- result = prime * result + ((entityType == null) ? 0 : entityType.hashCode());
- result = prime * result + ((scope == null) ? 0 : scope.hashCode());
- result = prime * result + ((scopeId == null) ? 0 : scopeId.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj)
- return true;
- if (obj == null)
- return false;
- if (getClass() != obj.getClass())
- return false;
- IAMPermissionResponse other = (IAMPermissionResponse) obj;
- if ((entityType == null && other.entityType != null) || (entityType != null && !entityType.equals(other.entityType))) {
- return false;
- } else if ((action == null && other.action != null) || (action != null && !action.equals(other.action))) {
- return false;
- } else if ((scope == null && other.scope != null) || (scope != null && !scope.equals(other.scope))) {
- return false;
- } else if ((scopeId == null && other.scopeId != null) || (scopeId != null && !scopeId.equals(other.scopeId))) {
- return false;
- }
- return true;
- }
-
-
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java
deleted file mode 100644
index dc29369a39c..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java
+++ /dev/null
@@ -1,177 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.response.iam;
-
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import com.google.gson.annotations.SerializedName;
-
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseResponse;
-import org.apache.cloudstack.api.EntityReference;
-import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-
-import com.cloud.serializer.Param;
-
-@SuppressWarnings("unused")
-@EntityReference(value = IAMPolicy.class)
-public class IAMPolicyResponse extends BaseResponse implements ControlledViewEntityResponse {
-
- @SerializedName(ApiConstants.ID)
- @Param(description = "the ID of the iam policy")
- private String id;
-
- @SerializedName(ApiConstants.NAME)
- @Param(description = "the name of the iam policy")
- private String name;
-
- @SerializedName(ApiConstants.DESCRIPTION)
- @Param(description = "the description of the iam policy")
- private String description;
-
- @SerializedName(ApiConstants.DOMAIN_ID)
- @Param(description = "the domain ID of the iam policy")
- private String domainId;
-
- @SerializedName(ApiConstants.DOMAIN)
- @Param(description = "the domain name of the iam policy")
- private String domainName;
-
- @SerializedName(ApiConstants.ACCOUNT)
- @Param(description = "the account owning the policy")
- private String accountName;
-
- @SerializedName(ApiConstants.IAM_PERMISSIONS)
- @Param(description = "set of permissions for the iam policy")
- private Set<IAMPermissionResponse> permissionList;
-
- public IAMPolicyResponse() {
- permissionList = new LinkedHashSet<IAMPermissionResponse>();
- }
-
- @Override
- public String getObjectId() {
- return getId();
- }
-
-
- public String getId() {
- return id;
- }
-
- public void setId(String id) {
- this.id = id;
- }
-
-
- public void setName(String name) {
- this.name = name;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- @Override
- public void setDomainId(String domainId) {
- this.domainId = domainId;
- }
-
- @Override
- public void setDomainName(String domainName) {
- this.domainName = domainName;
- }
-
- public Set<IAMPermissionResponse> getPermissionList() {
- return permissionList;
- }
-
- public void setPermissionList(Set<IAMPermissionResponse> perms) {
- permissionList = perms;
- }
-
- public void addPermission(IAMPermissionResponse perm) {
- permissionList.add(perm);
- }
-
- @Override
- public void setAccountName(String accountName) {
- this.accountName = accountName;
- }
-
- @Override
- public void setProjectId(String projectId) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void setProjectName(String projectName) {
- // TODO Auto-generated method stub
-
- }
-
- public String getName() {
- return name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public String getDomainId() {
- return domainId;
- }
-
- public String getDomainName() {
- return domainName;
- }
-
- public String getAccountName() {
- return accountName;
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((id == null) ? 0 : id.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj)
- return true;
- if (obj == null)
- return false;
- if (getClass() != obj.getClass())
- return false;
- IAMPolicyResponse other = (IAMPolicyResponse) obj;
- if (id == null) {
- if (other.id != null)
- return false;
- } else if (!id.equals(other.id))
- return false;
- return true;
- }
-
-
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java
deleted file mode 100644
index 6735d4804d1..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java
+++ /dev/null
@@ -1,87 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.List;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-
-import com.cloud.user.Account;
-import com.cloud.utils.component.PluggableService;
-
-public interface IAMApiService extends PluggableService {
-
- /* ACL group related interfaces */
- IAMGroup createIAMGroup(Account caller, String iamGroupName, String description);
-
- boolean deleteIAMGroup(Long iamGroupId);
-
- List<IAMGroup> listIAMGroups(long accountId);
-
- IAMGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
-
- IAMGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
-
- /* IAM Policy related interfaces */
- IAMPolicy createIAMPolicy(Account caller, String iamPolicyName, String description, Long parentPolicyId);
-
- boolean deleteIAMPolicy(long iamPolicyId);
-
- List<IAMPolicy> listIAMPolicies(long accountId);
-
- IAMGroup attachIAMPoliciesToGroup(List<Long> policyIds, Long groupId);
-
- IAMGroup removeIAMPoliciesFromGroup(List<Long> policyIds, Long groupId);
-
- void attachIAMPolicyToAccounts(Long policyId, List<Long> accountIds);
-
- void removeIAMPolicyFromAccounts(Long policyId, List<Long> accountIds);
-
- IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId,
- String action, Permission perm, Boolean recursive, Boolean readOnly);
-
- IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);
-
- IAMPolicyPermission getIAMPolicyPermission(long accountId, String entityType, String action);
-
- /* Utility routine to grant/revoke invidivual resource to list of accounts */
- void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds);
-
- void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds);
-
- /* Response Generation */
- IAMPolicyResponse createIAMPolicyResponse(IAMPolicy policy);
-
- IAMGroupResponse createIAMGroupResponse(IAMGroup group);
-
- ListResponse<IAMGroupResponse> listIAMGroups(Long iamGroupId, String iamGroupName,
- Long domainId, Long startIndex, Long pageSize);
-
- ListResponse<IAMPolicyResponse> listIAMPolicies(Long iamPolicyId, String iamPolicyName,
- Long domainId, Long startIndex, Long pageSize);
-
- // Convert passed scope uuid to internal scope long id
- Long getPermissionScopeId(String scope, String entityType, String scopeId);
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java
deleted file mode 100644
index b0dc3839ade..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ /dev/null
@@ -1,825 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import org.apache.log4j.Logger;
-import org.bouncycastle.util.IPAddress;
-
-import com.amazonaws.auth.policy.Condition;
-import com.amazonaws.services.ec2.model.SecurityGroup;
-import com.amazonaws.services.ec2.model.Snapshot;
-import com.amazonaws.services.ec2.model.Volume;
-import com.amazonaws.services.ec2.model.Vpc;
-import com.amazonaws.services.elasticache.model.Event;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.affinity.AffinityGroup;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseListCmd;
-import org.apache.cloudstack.api.InternalIdentity;
-import org.apache.cloudstack.api.command.iam.AddAccountToIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.AddIAMPermissionToIAMPolicyCmd;
-import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToAccountCmd;
-import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.CreateIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.CreateIAMPolicyCmd;
-import org.apache.cloudstack.api.command.iam.DeleteIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.DeleteIAMPolicyCmd;
-import org.apache.cloudstack.api.command.iam.ListIAMGroupsCmd;
-import org.apache.cloudstack.api.command.iam.ListIAMPoliciesCmd;
-import org.apache.cloudstack.api.command.iam.RemoveAccountFromIAMGroupCmd;
-import org.apache.cloudstack.api.command.iam.RemoveIAMPermissionFromIAMPolicyCmd;
-import org.apache.cloudstack.api.command.iam.RemoveIAMPolicyFromAccountCmd;
-import org.apache.cloudstack.api.command.iam.RemoveIAMPolicyFromIAMGroupCmd;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPermissionResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.framework.jobs.AsyncJob;
-import org.apache.cloudstack.framework.messagebus.MessageBus;
-import org.apache.cloudstack.framework.messagebus.MessageSubscriber;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.api.IAMService;
-
-import com.cloud.api.ApiServerService;
-import com.cloud.domain.Domain;
-import com.cloud.domain.DomainVO;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.event.ActionEvent;
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.network.IpAddress;
-import com.cloud.network.MonitoringService;
-import com.cloud.network.Network;
-import com.cloud.network.RemoteAccessVpn;
-import com.cloud.network.Site2SiteCustomerGateway;
-import com.cloud.network.Site2SiteVpnConnection;
-import com.cloud.network.Site2SiteVpnGateway;
-import com.cloud.network.UserIpv6Address;
-import com.cloud.network.VpnUser;
-import com.cloud.network.as.AutoScalePolicy;
-import com.cloud.network.as.AutoScaleVmGroup;
-import com.cloud.network.as.AutoScaleVmProfile;
-import com.cloud.network.lb.SslCert;
-import com.cloud.network.rules.FirewallRule;
-import com.cloud.network.rules.PortForwardingRule;
-import com.cloud.network.vpc.StaticRoute;
-import com.cloud.network.vpc.VpcGateway;
-import com.cloud.projects.ProjectInvitation;
-import com.cloud.region.ha.GlobalLoadBalancerRule;
-import com.cloud.server.ResourceTag;
-import com.cloud.template.TemplateManager;
-import com.cloud.template.VirtualMachineTemplate;
-import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
-import com.cloud.user.AccountVO;
-import com.cloud.user.DomainManager;
-import com.cloud.user.SSHKeyPair;
-import com.cloud.user.dao.AccountDao;
-import com.cloud.utils.Pair;
-import com.cloud.utils.component.Manager;
-import com.cloud.utils.component.ManagerBase;
-import com.cloud.utils.db.DB;
-import com.cloud.utils.db.EntityManager;
-import com.cloud.vm.InstanceGroup;
-import com.cloud.vm.NicIpAlias;
-import com.cloud.vm.NicSecondaryIp;
-import com.cloud.vm.VirtualMachine;
-import com.cloud.vm.snapshot.VMSnapshot;
-
-public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Manager {
-
- public static final Logger s_logger = Logger.getLogger(IAMApiServiceImpl.class);
- private String _name;
-
- @Inject
- ApiServerService _apiServer;
-
- @Inject
- IAMService _iamSrv;
-
- @Inject
- DomainDao _domainDao;
-
- @Inject
- AccountDao _accountDao;
-
- @Inject
- AccountManager _accountMgr;
-
- @Inject
- MessageBus _messageBus;
-
- @Inject
- EntityManager _entityMgr;
-
- private static final Map<String, Class<?>> s_typeMap = new HashMap<String, Class<?>>();
- static {
- s_typeMap.put(VirtualMachine.class.getSimpleName(), VirtualMachine.class);
- s_typeMap.put(Volume.class.getSimpleName(), Volume.class);
- s_typeMap.put(ResourceTag.class.getSimpleName(), ResourceTag.class);
- s_typeMap.put(Account.class.getSimpleName(), Account.class);
- s_typeMap.put(AffinityGroup.class.getSimpleName(), AffinityGroup.class);
- s_typeMap.put(AutoScalePolicy.class.getSimpleName(), AutoScalePolicy.class);
- s_typeMap.put(AutoScaleVmProfile.class.getSimpleName(), AutoScaleVmProfile.class);
- s_typeMap.put(AutoScaleVmGroup.class.getSimpleName(), AutoScaleVmGroup.class);
- s_typeMap.put(Condition.class.getSimpleName(), Condition.class);
- s_typeMap.put(Vpc.class.getSimpleName(), Vpc.class);
- s_typeMap.put(VpcGateway.class.getSimpleName(), VpcGateway.class);
- s_typeMap.put(VpnUser.class.getSimpleName(), VpnUser.class);
- s_typeMap.put(VMSnapshot.class.getSimpleName(), VMSnapshot.class);
- s_typeMap.put(VirtualMachineTemplate.class.getSimpleName(), VirtualMachineTemplate.class);
- s_typeMap.put(UserIpv6Address.class.getSimpleName(), UserIpv6Address.class);
- s_typeMap.put(StaticRoute.class.getSimpleName(), StaticRoute.class);
- s_typeMap.put(SSHKeyPair.class.getSimpleName(), SSHKeyPair.class);
- s_typeMap.put(Snapshot.class.getSimpleName(), Snapshot.class);
- s_typeMap.put(Site2SiteVpnGateway.class.getSimpleName(), Site2SiteVpnGateway.class);
- s_typeMap.put(Site2SiteCustomerGateway.class.getSimpleName(), Site2SiteCustomerGateway.class);
- s_typeMap.put(Site2SiteVpnConnection.class.getSimpleName(), Site2SiteVpnConnection.class);
- s_typeMap.put(SecurityGroup.class.getSimpleName(), SecurityGroup.class);
- s_typeMap.put(RemoteAccessVpn.class.getSimpleName(), RemoteAccessVpn.class);
- s_typeMap.put(ProjectInvitation.class.getSimpleName(), ProjectInvitation.class);
- s_typeMap.put(NicSecondaryIp.class.getSimpleName(), NicSecondaryIp.class);
- s_typeMap.put(NicIpAlias.class.getSimpleName(), NicIpAlias.class);
- s_typeMap.put(Network.class.getSimpleName(), Network.class);
- s_typeMap.put(IpAddress.class.getSimpleName(), IPAddress.class);
- s_typeMap.put(InstanceGroup.class.getSimpleName(), InstanceGroup.class);
- s_typeMap.put(GlobalLoadBalancerRule.class.getSimpleName(), GlobalLoadBalancerRule.class);
- s_typeMap.put(FirewallRule.class.getSimpleName(), FirewallRule.class);
- s_typeMap.put(PortForwardingRule.class.getSimpleName(), PortForwardingRule.class);
- s_typeMap.put(Event.class.getSimpleName(), Event.class);
- s_typeMap.put(AsyncJob.class.getSimpleName(), AsyncJob.class);
- s_typeMap.put(IAMGroup.class.getSimpleName(), IAMGroup.class);
- s_typeMap.put(IAMPolicy.class.getSimpleName(), IAMPolicy.class);
- s_typeMap.put(MonitoringService.class.getSimpleName(), MonitoringService.class);
- s_typeMap.put(SslCert.class.getSimpleName(), SslCert.class);
- }
-
- @Override
- public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
-
- _messageBus.subscribe(AccountManager.MESSAGE_ADD_ACCOUNT_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- HashMap<Long, Long> acctGroupMap = (HashMap<Long, Long>) obj;
- for (Long accountId : acctGroupMap.keySet()) {
- Long groupId = acctGroupMap.get(accountId);
- s_logger.debug("MessageBus message: new Account Added: " + accountId + ", adding it to groupId :"
- + groupId);
- addAccountToIAMGroup(accountId, groupId);
- // add it to domain group too
- AccountVO account = _accountDao.findById(accountId);
- Domain domain = _domainDao.findById(account.getDomainId());
- if (domain != null) {
- List<IAMGroup> domainGroups = listDomainGroup(domain);
-
- if (domainGroups != null) {
- for (IAMGroup group : domainGroups) {
- addAccountToIAMGroup(accountId, new Long(group.getId()));
- }
- }
- }
- }
- }
- });
-
- _messageBus.subscribe(AccountManager.MESSAGE_REMOVE_ACCOUNT_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long accountId = ((Long) obj);
- if (accountId != null) {
- s_logger.debug("MessageBus message: Account removed: " + accountId
- + ", releasing the group associations");
- removeAccountFromIAMGroups(accountId);
- }
- }
- });
-
- _messageBus.subscribe(DomainManager.MESSAGE_ADD_DOMAIN_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long domainId = ((Long) obj);
- if (domainId != null) {
- s_logger.debug("MessageBus message: new Domain created: " + domainId + ", creating a new group");
- Domain domain = _domainDao.findById(domainId);
- _iamSrv.createIAMGroup("DomainGrp-" + domain.getUuid(), "Domain group", domain.getPath());
- }
- }
- });
-
- _messageBus.subscribe(DomainManager.MESSAGE_REMOVE_DOMAIN_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long domainId = ((Long) obj);
- if (domainId != null) {
- s_logger.debug("MessageBus message: Domain removed: " + domainId + ", removing the domain group");
- Domain domain = _domainDao.findById(domainId);
- List<IAMGroup> groups = listDomainGroup(domain);
- for (IAMGroup group : groups) {
- _iamSrv.deleteIAMGroup(group.getId());
- }
- }
- }
- });
-
- _messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long templateId = (Long)obj;
- if (templateId != null) {
- s_logger.debug("MessageBus message: new public template registered: " + templateId
- + ", grant permission to default root admin, domain admin and normal user policies");
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- }
- }
- });
-
- _messageBus.subscribe(TemplateManager.MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Long templateId = (Long)obj;
- if (templateId != null) {
- s_logger.debug("MessageBus message: reset template permission: " + templateId);
- resetTemplatePermission(templateId);
- }
- }
- });
-
- _messageBus.subscribe(EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Pair<Class<?>, Long> entity = (Pair<Class<?>, Long>)obj;
- if (entity != null) {
- String entityType = entity.first().getSimpleName();
- Long entityId = entity.second();
- s_logger.debug("MessageBus message: delete an entity: (" + entityType + "," + entityId + "), remove its related permission");
- _iamSrv.removeIAMPermissionForEntity(entityType, entityId);
- }
- }
- });
-
-
- _messageBus.subscribe(EntityManager.MESSAGE_GRANT_ENTITY_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Map<String, Object> permit = (Map<String, Object>)obj;
- if (permit != null) {
- Class<?> entityType = (Class<?>)permit.get(ApiConstants.ENTITY_TYPE);
- Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID);
- AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE);
- String action = (String)permit.get(ApiConstants.IAM_ACTION);
- List<Long> acctIds = (List<Long>)permit.get(ApiConstants.ACCOUNTS);
- s_logger.debug("MessageBus message: grant accounts permission to an entity: (" + entityType + "," + entityId + ")");
- grantEntityPermissioinToAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds);
- }
- }
- });
-
- _messageBus.subscribe(EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Map<String, Object> permit = (Map<String, Object>)obj;
- if (permit != null) {
- Class<?> entityType = (Class<?>)permit.get(ApiConstants.ENTITY_TYPE);
- Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID);
- AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE);
- String action = (String)permit.get(ApiConstants.IAM_ACTION);
- List<Long> acctIds = (List<Long>)permit.get(ApiConstants.ACCOUNTS);
- s_logger.debug("MessageBus message: revoke from accounts permission to an entity: (" + entityType + "," + entityId + ")");
- revokeEntityPermissioinFromAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds);
- }
- }
- });
-
- _messageBus.subscribe(EntityManager.MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT, new MessageSubscriber() {
- @Override
- public void onPublishMessage(String senderAddress, String subject, Object obj) {
- Map<String, Object> params = (Map<String, Object>) obj;
- if (params != null) {
- addDomainWideResourceAccess(params);
- }
- }
- });
-
- return super.configure(name, params);
- }
-
- @Override
- public boolean start() {
- s_logger.info("Populating IAM group and account association for default accounts...");
-
- // populate group <-> account association if not present for CS admin
- // and system accounts
- populateIAMGroupAdminAccountMap();
-
- return true;
- }
-
- private void populateIAMGroupAdminAccountMap() {
- List<Long> sysAccts = new ArrayList<Long>();
- sysAccts.add(Account.ACCOUNT_ID_SYSTEM);
- sysAccts.add(Account.ACCOUNT_ID_SYSTEM + 1);
- _iamSrv.addAccountsToGroup(sysAccts, new Long(Account.ACCOUNT_TYPE_ADMIN + 1));
- }
-
- private void addDomainWideResourceAccess(Map<String, Object> params) {
-
- Class<?> entityType = (Class<?>)params.get(ApiConstants.ENTITY_TYPE);
- Long entityId = (Long) params.get(ApiConstants.ENTITY_ID);
- Long domainId = (Long) params.get(ApiConstants.DOMAIN_ID);
- Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS);
-
- if (entityType == Network.class) {
- createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.toString(),
- entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive);
- } else if (entityType == AffinityGroup.class) {
- createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.toString(),
- entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive);
- }
-
- }
-
- private void createPolicyAndAddToDomainGroup(String policyName, String description, String entityType,
- Long entityId, String action, AccessType accessType, Long domainId, Boolean recursive) {
-
- Domain domain = _domainDao.findById(domainId);
- if (domain != null) {
- IAMPolicy policy = _iamSrv.createIAMPolicy(policyName, description, null, domain.getPath());
- _iamSrv.addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE.toString(),
- entityId, action, accessType.toString(), Permission.Allow, recursive);
- List<Long> policyList = new ArrayList<Long>();
- policyList.add(new Long(policy.getId()));
-
- List<IAMGroup> domainGroups = listDomainGroup(domain);
- if (domainGroups != null) {
- for (IAMGroup group : domainGroups) {
- _iamSrv.attachIAMPoliciesToGroup(policyList, group.getId());
- }
- }
- }
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true)
- public IAMGroup createIAMGroup(Account caller, String iamGroupName, String description) {
- Long domainId = caller.getDomainId();
- Domain callerDomain = _domainDao.findById(domainId);
- if (callerDomain == null) {
- throw new InvalidParameterValueException("Caller does not have a domain");
- }
- return _iamSrv.createIAMGroup(iamGroupName, description, callerDomain.getPath());
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_DELETE, eventDescription = "Deleting Acl Group")
- public boolean deleteIAMGroup(final Long iamGroupId) {
- return _iamSrv.deleteIAMGroup(iamGroupId);
- }
-
- @Override
- public List<IAMGroup> listIAMGroups(long accountId) {
- return _iamSrv.listIAMGroups(accountId);
- }
-
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Adding accounts to acl group")
- public IAMGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
- return _iamSrv.addAccountsToGroup(acctIds, groupId);
- }
-
-
- private void removeAccountFromIAMGroups(long accountId) {
- List<IAMGroup> groups = listIAMGroups(accountId);
- List<Long> accts = new ArrayList<Long>();
- accts.add(accountId);
- if (groups != null) {
- for (IAMGroup grp : groups) {
- removeAccountsFromGroup(accts, grp.getId());
- }
- }
- }
-
- private void addAccountToIAMGroup(long accountId, long groupId) {
- List<Long> accts = new ArrayList<Long>();
- accts.add(accountId);
- addAccountsToGroup(accts, groupId);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Removing accounts from acl group")
- public IAMGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
- return _iamSrv.removeAccountsFromGroup(acctIds, groupId);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_CREATE, eventDescription = "Creating IAM Policy", create = true)
- public IAMPolicy createIAMPolicy(Account caller, final String iamPolicyName, final String description, final Long parentPolicyId) {
- Long domainId = caller.getDomainId();
- Domain callerDomain = _domainDao.findById(domainId);
- if (callerDomain == null) {
- throw new InvalidParameterValueException("Caller does not have a domain");
- }
- return _iamSrv.createIAMPolicy(iamPolicyName, description, parentPolicyId, callerDomain.getPath());
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_DELETE, eventDescription = "Deleting IAM Policy")
- public boolean deleteIAMPolicy(final long iamPolicyId) {
- return _iamSrv.deleteIAMPolicy(iamPolicyId);
- }
-
-
- @Override
- public List<IAMPolicy> listIAMPolicies(long accountId) {
- return _iamSrv.listIAMPolicies(accountId);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Attaching policy to acl group")
- public IAMGroup attachIAMPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
- return _iamSrv.attachIAMPoliciesToGroup(policyIds, groupId);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Removing policies from acl group")
- public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
- return _iamSrv.removeIAMPoliciesFromGroup(policyIds, groupId);
- }
-
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE, eventDescription = "Attaching policy to accounts")
- public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> accountIds) {
- _iamSrv.attachIAMPolicyToAccounts(policyId, accountIds);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE, eventDescription = "Removing policy from accounts")
- public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> accountIds) {
- _iamSrv.removeIAMPolicyFromAccounts(policyId, accountIds);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_GRANT, eventDescription = "Granting acl permission to IAM Policy")
- public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope,
- Long scopeId, String action, Permission perm, Boolean recursive, Boolean readOnly) {
- Class<?> cmdClass = _apiServer.getCmdClass(action);
- AccessType accessType = null;
- if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
- if (readOnly) {
- accessType = AccessType.ListEntry;
- } else {
- accessType = AccessType.UseEntry;
- }
- } else {
- accessType = AccessType.OperateEntry;
- }
- String accessTypeStr = (accessType != null) ? accessType.toString() : null;
- return _iamSrv.addIAMPermissionToIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action,
- accessTypeStr, perm, recursive);
- }
-
- @DB
- @Override
- @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_REVOKE, eventDescription = "Revoking acl permission from IAM Policy")
- public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) {
- return _iamSrv.removeIAMPermissionFromIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action);
- }
-
- @Override
- public IAMPolicyPermission getIAMPolicyPermission(long accountId, String entityType, String action) {
- List<IAMPolicy> policies = _iamSrv.listIAMPolicies(accountId);
- IAMPolicyPermission curPerm = null;
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> perms = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action,
- entityType);
- if (perms == null || perms.size() == 0)
- continue;
- IAMPolicyPermission perm = perms.get(0); // just pick one
- if (curPerm == null) {
- curPerm = perm;
- } else if (PermissionScope.valueOf(perm.getScope()).greaterThan(PermissionScope.valueOf(curPerm.getScope()))) {
- // pick the more relaxed allowed permission
- curPerm = perm;
- }
- }
-
- return curPerm;
- }
-
-
- @Override
- public IAMPolicyResponse createIAMPolicyResponse(IAMPolicy policy) {
- IAMPolicyResponse response = new IAMPolicyResponse();
- response.setId(policy.getUuid());
- response.setName(policy.getName());
- response.setDescription(policy.getDescription());
- String domainPath = policy.getPath();
- if (domainPath != null) {
- DomainVO domain = _domainDao.findDomainByPath(domainPath);
- if (domain != null) {
- response.setDomainId(domain.getUuid());
- response.setDomainName(domain.getName());
- }
- }
- long accountId = policy.getAccountId();
- AccountVO owner = _accountDao.findById(accountId);
- if (owner != null) {
- response.setAccountName(owner.getAccountName());
- }
- // find permissions associated with this policy
- List<IAMPolicyPermission> permissions = _iamSrv.listPolicyPermissions(policy.getId());
- if (permissions != null && permissions.size() > 0) {
- for (IAMPolicyPermission permission : permissions) {
- IAMPermissionResponse perm = new IAMPermissionResponse();
- perm.setAction(permission.getAction());
- if (permission.getEntityType() != null) {
- perm.setEntityType(permission.getEntityType());
- }
- if (permission.getScope() != null) {
- perm.setScope(PermissionScope.valueOf(permission.getScope()));
- }
- perm.setScopeId(permission.getScopeId());
- perm.setPermission(permission.getPermission());
- response.addPermission(perm);
- }
- }
- response.setObjectName("aclpolicy");
- return response;
- }
-
- @Override
- public IAMGroupResponse createIAMGroupResponse(IAMGroup group) {
- IAMGroupResponse response = new IAMGroupResponse();
- response.setId(group.getUuid());
- response.setName(group.getName());
- response.setDescription(group.getDescription());
- String domainPath = group.getPath();
- if (domainPath != null) {
- DomainVO domain = _domainDao.findDomainByPath(domainPath);
- if (domain != null) {
- response.setDomainId(domain.getUuid());
- response.setDomainName(domain.getName());
- }
- }
- long accountId = group.getAccountId();
- AccountVO owner = _accountDao.findById(accountId);
- if (owner != null) {
- response.setAccountName(owner.getAccountName());
- }
- // find all the members in this group
- List<Long> members = _iamSrv.listAccountsByGroup(group.getId());
- if (members != null && members.size() > 0) {
- for (Long member : members) {
- AccountVO mem = _accountDao.findById(member);
- if (mem != null) {
- response.addMemberAccount(mem.getAccountName());
- }
- }
- }
-
- // find all the policies attached to this group
- List<IAMPolicy> policies = _iamSrv.listIAMPoliciesByGroup(group.getId());
- if (policies != null && policies.size() > 0) {
- for (IAMPolicy policy : policies) {
- response.addPolicy(policy.getName());
- }
- }
-
- response.setObjectName("aclgroup");
- return response;
-
- }
-
- public List<IAMGroup> listDomainGroup(Domain domain) {
-
- if (domain != null) {
- String domainPath = domain.getPath();
- // search for groups
- Pair<List<IAMGroup>, Integer> result = _iamSrv.listIAMGroups(null, "DomainGrp-" + domain.getUuid(),
- domainPath, null, null);
- return result.first();
- }
- return new ArrayList<IAMGroup>();
-
- }
-
- @Override
- public ListResponse<IAMGroupResponse> listIAMGroups(Long iamGroupId, String iamGroupName, Long domainId, Long startIndex, Long pageSize) {
- // acl check
- Account caller = CallContext.current().getCallingAccount();
-
- Domain domain = null;
- if (domainId != null) {
- domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
- }
-
- _accountMgr.checkAccess(caller, domain);
- } else {
- domain = _domainDao.findById(caller.getDomainId());
- }
- String domainPath = domain.getPath();
- // search for groups
- Pair<List<IAMGroup>, Integer> result = _iamSrv.listIAMGroups(iamGroupId, iamGroupName, domainPath, startIndex, pageSize);
- // generate group response
- ListResponse<IAMGroupResponse> response = new ListResponse<IAMGroupResponse>();
- List<IAMGroupResponse> groupResponses = new ArrayList<IAMGroupResponse>();
- for (IAMGroup group : result.first()) {
- IAMGroupResponse resp = createIAMGroupResponse(group);
- groupResponses.add(resp);
- }
- response.setResponses(groupResponses, result.second());
- return response;
- }
-
- @Override
- public ListResponse<IAMPolicyResponse> listIAMPolicies(Long iamPolicyId, String iamPolicyName, Long domainId, Long startIndex,
- Long pageSize) {
- // acl check
- Account caller = CallContext.current().getCallingAccount();
-
- Domain domain = null;
- if (domainId != null) {
- domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
- }
-
- _accountMgr.checkAccess(caller, domain);
- } else {
- domain = _domainDao.findById(caller.getDomainId());
- }
- String domainPath = domain.getPath();
- // search for policies
- Pair<List<IAMPolicy>, Integer> result = _iamSrv.listIAMPolicies(iamPolicyId, iamPolicyName, domainPath, startIndex, pageSize);
- // generate policy response
- ListResponse<IAMPolicyResponse> response = new ListResponse<IAMPolicyResponse>();
- List<IAMPolicyResponse> policyResponses = new ArrayList<IAMPolicyResponse>();
- for (IAMPolicy policy : result.first()) {
- IAMPolicyResponse resp = createIAMPolicyResponse(policy);
- policyResponses.add(resp);
- }
- response.setResponses(policyResponses, result.second());
- return response;
- }
-
- @Override
- public void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds) {
- // check if there is already a policy with only this permission added to it
- IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action);
- if (policy == null) {
- // not found, just create a policy with resource grant permission
- Account caller = CallContext.current().getCallingAccount();
- String aclPolicyName = "policyGrant" + entityType + entityId;
- String description = "Policy to grant permission to " + entityType + entityId;
- policy = createIAMPolicy(caller, aclPolicyName, description, null);
- // add permission to this policy
- addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action,
- Permission.Allow, false, false);
- }
- // attach this policy to list of accounts if not attached already
- Long policyId = policy.getId();
- for (Long acctId : accountIds) {
- if (!isPolicyAttachedToAccount(policyId, acctId)) {
- attachIAMPolicyToAccounts(policyId, Collections.singletonList(acctId));
- }
- }
- }
-
- @Override
- public void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds) {
- // there should already a policy with only this permission added to it, this call is mainly used
- IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action);
- if (policy == null) {
- s_logger.warn("Cannot find a policy associated with this entity permissioin to be revoked, just return");
- return;
- }
- // detach this policy from list of accounts if not detached already
- Long policyId = policy.getId();
- for (Long acctId : accountIds) {
- if (isPolicyAttachedToAccount(policyId, acctId)) {
- removeIAMPolicyFromAccounts(policyId, Collections.singletonList(acctId));
- }
- }
-
- }
-
- private boolean isPolicyAttachedToAccount(Long policyId, Long accountId) {
- List<IAMPolicy> pList = listIAMPolicies(accountId);
- for (IAMPolicy p : pList) {
- if (p.getId() == policyId.longValue()) {
- return true;
- }
- }
- return false;
- }
-
- private void resetTemplatePermission(Long templateId){
- // reset template will change template to private, so we need to remove its permission for domain admin and normal user group
- _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates");
- _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), templateId, "listTemplates");
- // check if there is a policy with only UseEntry permission for this template added
- IAMPolicy policy = _iamSrv.getResourceGrantPolicy(VirtualMachineTemplate.class.getSimpleName(), templateId, AccessType.UseEntry.toString(), "listTemplates");
- if ( policy == null ){
- s_logger.info("No policy found for this template grant: " + templateId + ", no detach to be done");
- return;
- }
- // delete the policy, which should detach it from groups and accounts
- _iamSrv.deleteIAMPolicy(policy.getId());
-
- }
-
- @Override
- public Long getPermissionScopeId(String scope, String entityType, String scopeId) {
- if (scopeId.equals("-1")) {
- return -1L;
- }
- PermissionScope permScope = PermissionScope.valueOf(scope);
- InternalIdentity entity = null;
- switch (permScope) {
- case DOMAIN:
- entity = _domainDao.findByUuid(scopeId);
- break;
- case ACCOUNT:
- entity = _accountDao.findByUuid(scopeId);
- break;
- case RESOURCE:
- Class<?> clazz = s_typeMap.get(entityType);
- entity = (InternalIdentity)_entityMgr.findByUuid(clazz, scopeId);
- }
-
- if (entity != null) {
- return entity.getId();
- }
- throw new InvalidParameterValueException("Unable to find scopeId " + scopeId + " with scope " + scope + " and type " + entityType);
- }
-
- @Override
- public List<Class<?>> getCommands() {
- List<Class<?>> cmdList = new ArrayList<Class<?>>();
- cmdList.add(CreateIAMPolicyCmd.class);
- cmdList.add(DeleteIAMPolicyCmd.class);
- cmdList.add(ListIAMPoliciesCmd.class);
- cmdList.add(AddIAMPermissionToIAMPolicyCmd.class);
- cmdList.add(RemoveIAMPermissionFromIAMPolicyCmd.class);
- cmdList.add(AttachIAMPolicyToIAMGroupCmd.class);
- cmdList.add(RemoveIAMPolicyFromIAMGroupCmd.class);
- cmdList.add(CreateIAMGroupCmd.class);
- cmdList.add(DeleteIAMGroupCmd.class);
- cmdList.add(ListIAMGroupsCmd.class);
- cmdList.add(AddAccountToIAMGroupCmd.class);
- cmdList.add(RemoveAccountFromIAMGroupCmd.class);
- cmdList.add(AttachIAMPolicyToAccountCmd.class);
- cmdList.add(RemoveIAMPolicyFromAccountCmd.class);
- return cmdList;
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
deleted file mode 100644
index 3072b77a5cd..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
+++ /dev/null
@@ -1,287 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.APIChecker;
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.BaseCmd;
-import org.apache.cloudstack.api.BaseListCmd;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.api.IAMService;
-
-import com.cloud.api.ApiServerService;
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.storage.VMTemplateVO;
-import com.cloud.storage.dao.VMTemplateDao;
-import com.cloud.template.VirtualMachineTemplate;
-import com.cloud.user.Account;
-import com.cloud.user.AccountService;
-import com.cloud.user.User;
-import com.cloud.utils.PropertiesUtil;
-import com.cloud.utils.component.AdapterBase;
-import com.cloud.utils.component.PluggableService;
-import com.cloud.utils.exception.CloudRuntimeException;
-
-//This is the Role Based API access checker that grab's the account's roles
-//based on the set of roles, access is granted if any of the role has access to the api
-public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
-
- protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class);
-
- @Inject
- AccountService _accountService;
- @Inject
- ApiServerService _apiServer;
- @Inject
- IAMService _iamSrv;
- @Inject
- VMTemplateDao _templateDao;
-
- Set<String> commandsPropertiesOverrides = new HashSet<String>();
- Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
-
- List<PluggableService> _services;
-
- protected RoleBasedAPIAccessChecker() {
- super();
- for (RoleType roleType : RoleType.values()) {
- commandsPropertiesRoleBasedApisMap.put(roleType, new HashSet<String>());
- }
- }
-
- @Override
- public boolean checkAccess(User user, String commandName) throws PermissionDeniedException {
- Account account = _accountService.getAccount(user.getAccountId());
- if (account == null) {
- throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId()
- + "is null");
- }
-
- List<IAMPolicy> policies = _iamSrv.listIAMPolicies(account.getAccountId());
-
- boolean isAllowed = _iamSrv.isActionAllowedForPolicies(commandName, policies);
- if (!isAllowed) {
- throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
- }
- return isAllowed;
- }
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- processMapping(PropertiesUtil.processConfigFile(new String[] { "commands.properties" }));
- return true;
- }
-
- @Override
- public boolean start() {
-
- // drop all default policy api permissions - we reload them every time
- // to include any changes done to the @APICommand or
- // commands.properties.
-
- for (RoleType role : RoleType.values()) {
- Long policyId = getDefaultPolicyId(role);
- if (policyId != null) {
- _iamSrv.resetIAMPolicy(policyId);
- }
- }
-
- // add the system-domain capability
-
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), null, null, null,
- "SystemCapability", null, Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), null, null, null,
- "DomainCapability", null, Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1), null, null, null,
- "DomainResourceCapability", null, Permission.Allow, false);
-
- // add permissions for public templates
- List<VMTemplateVO> pTmplts = _templateDao.listByPublic();
- for (VMTemplateVO tmpl : pTmplts){
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
- }
-
- for (PluggableService service : _services) {
- for (Class<?> cmdClass : service.getCommands()) {
- APICommand command = cmdClass.getAnnotation(APICommand.class);
- if (!commandsPropertiesOverrides.contains(command.name())) {
- for (RoleType role : command.authorized()) {
- addDefaultAclPolicyPermission(command.name(), cmdClass, role);
- }
- }
- }
- }
-
- // read commands.properties and load api acl permissions -
- // commands.properties overrides any @APICommand authorization
-
- for (String apiName : commandsPropertiesOverrides) {
- Class<?> cmdClass = _apiServer.getCmdClass(apiName);
- for (RoleType role : RoleType.values()) {
- if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) {
- // insert permission for this role for this api
- addDefaultAclPolicyPermission(apiName, cmdClass, role);
- }
- }
- }
-
- return super.start();
- }
-
- private Long getDefaultPolicyId(RoleType role) {
- Long policyId = null;
- switch (role) {
- case User:
- policyId = new Long(Account.ACCOUNT_TYPE_NORMAL + 1);
- break;
-
- case Admin:
- policyId = new Long(Account.ACCOUNT_TYPE_ADMIN + 1);
- break;
-
- case DomainAdmin:
- policyId = new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1);
- break;
-
- case ResourceAdmin:
- policyId = new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1);
- break;
- }
-
- return policyId;
- }
-
- private void processMapping(Map<String, String> configMap) {
- for (Map.Entry<String, String> entry : configMap.entrySet()) {
- String apiName = entry.getKey();
- String roleMask = entry.getValue();
- commandsPropertiesOverrides.add(apiName);
- try {
- short cmdPermissions = Short.parseShort(roleMask);
- for (RoleType roleType : RoleType.values()) {
- if ((cmdPermissions & roleType.getMask()) != 0)
- commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName);
- }
- } catch (NumberFormatException nfe) {
- s_logger.info("Malformed key=value pair for entry: " + entry.toString());
- }
- }
- }
-
- public List<PluggableService> getServices() {
- return _services;
- }
-
- @Inject
- public void setServices(List<PluggableService> services) {
- _services = services;
- }
-
- private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType role) {
- AccessType accessType = null;
- Class<?>[] entityTypes = null;
-
- PermissionScope permissionScope = PermissionScope.ACCOUNT;
- Long policyId = getDefaultPolicyId(role);
- switch (role) {
- case User:
- permissionScope = PermissionScope.ACCOUNT;
- break;
-
- case Admin:
- permissionScope = PermissionScope.ALL;
- break;
-
- case DomainAdmin:
- permissionScope = PermissionScope.DOMAIN;
- break;
-
- case ResourceAdmin:
- permissionScope = PermissionScope.DOMAIN;
- break;
- }
-
- boolean addAccountScopedUseEntry = false;
-
- if (cmdClass != null) {
- BaseCmd cmdObj;
- try {
- cmdObj = (BaseCmd) cmdClass.newInstance();
- if (cmdObj instanceof BaseListCmd) {
- if (permissionScope == PermissionScope.ACCOUNT) {
- accessType = AccessType.UseEntry;
- } else {
- accessType = AccessType.ListEntry;
- addAccountScopedUseEntry = true;
- }
- } else {
- accessType = AccessType.OperateEntry;
- }
- } catch (Exception e) {
- throw new CloudRuntimeException(String.format(
- "%s is claimed as an API command, but it cannot be instantiated", cmdClass.getName()));
- }
-
- APICommand at = cmdClass.getAnnotation(APICommand.class);
- entityTypes = at.entityType();
- }
-
- if (entityTypes == null || entityTypes.length == 0) {
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, permissionScope.toString(), new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
- apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false);
- if (addAccountScopedUseEntry) {
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, PermissionScope.ACCOUNT.toString(), new Long(
- IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, AccessType.UseEntry.toString(), Permission.Allow, false);
- }
- } else {
- for (Class<?> entityType : entityTypes) {
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(), permissionScope.toString(), new Long(
- IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
- apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false);
- if (addAccountScopedUseEntry) {
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(), PermissionScope.ACCOUNT.toString(), new Long(
- IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, AccessType.UseEntry.toString(), Permission.Allow, false);
- }
- }
- }
-
- }
-
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
deleted file mode 100644
index ce9d9755aef..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ /dev/null
@@ -1,329 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.ControlledEntity;
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.InternalIdentity;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMService;
-
-import com.cloud.acl.DomainChecker;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.user.Account;
-import com.cloud.user.AccountService;
-
-public class RoleBasedEntityAccessChecker extends DomainChecker implements SecurityChecker {
-
- private static final Logger s_logger = Logger.getLogger(RoleBasedEntityAccessChecker.class.getName());
-
- @Inject
- AccountService _accountService;
-
- @Inject DomainDao _domainDao;
-
- @Inject
- IAMService _iamSrv;
-
-
- @Override
- public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
- throws PermissionDeniedException {
- return checkAccess(caller, entity, accessType, null);
- }
-
- private String buildAccessCacheKey(Account caller, ControlledEntity entity, AccessType accessType, String action) {
- StringBuffer key = new StringBuffer();
- key.append(caller.getAccountId());
- key.append("-");
- String entityType = null;
- if (entity != null && entity.getEntityType() != null) {
- entityType = entity.getEntityType().getSimpleName();
- if (entity instanceof InternalIdentity) {
- entityType += ((InternalIdentity)entity).getId();
- }
- }
- key.append(entityType != null ? entityType : "null");
- key.append("-");
- key.append(accessType != null ? accessType.toString() : "null");
- key.append("-");
- key.append(action != null ? action : "null");
- return key.toString();
- }
-
- @Override
- public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
- throws PermissionDeniedException {
-
- if (caller == null) {
- throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!");
- }
-
- if (entity == null && action == null) {
- throw new InvalidParameterValueException("Entity and action cannot be both NULL in checkAccess!");
- }
-
- // check IAM cache first
- String accessKey = buildAccessCacheKey(caller, entity, accessType, action);
- CheckAccessResult allowDeny = (CheckAccessResult)_iamSrv.getFromIAMCache(accessKey);
- if (allowDeny != null) {
- s_logger.debug("IAM access check for " + accessKey + " from cache: " + allowDeny.isAllow());
- if (allowDeny.isAllow()) {
- return true;
- } else {
- if (allowDeny.getDenyMsg() != null) {
- throw new PermissionDeniedException(allowDeny.getDenyMsg());
- } else {
- return false;
- }
- }
- }
-
- if (entity == null && action != null) {
- // check if caller can do this action
- List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());
-
- boolean isAllowed = _iamSrv.isActionAllowedForPolicies(action, policies);
- if (!isAllowed) {
- String msg = "The action '" + action + "' not allowed for account " + caller;
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
- throw new PermissionDeniedException(msg);
- }
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
- return true;
- }
-
-
- // if a Project entity, skip
- Account entityAccount = _accountService.getAccount(entity.getAccountId());
- if (entityAccount != null && entityAccount.getType() == Account.ACCOUNT_TYPE_PROJECT) {
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
- return false;
- }
-
- String entityType = null;
- if (entity.getEntityType() != null) {
- entityType = entity.getEntityType().getSimpleName();
- }
-
- if (accessType == null) {
- accessType = AccessType.UseEntry;
- }
-
- // get all Policies of this caller by considering recursive domain group policy
- List<IAMPolicy> policies = getEffectivePolicies(caller);
- HashMap<IAMPolicy, Boolean> policyPermissionMap = new HashMap<IAMPolicy, Boolean>();
-
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> permissions = new ArrayList<IAMPolicyPermission>();
-
- if (action != null) {
- permissions = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action, entityType);
- if (permissions.isEmpty()) {
- if (accessType != null) {
- for (AccessType type : AccessType.values()) {
- if (type.ordinal() >= accessType.ordinal()) {
- permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
- type.toString(), entityType));
- }
- }
- }
- }
- } else {
- if (accessType != null) {
- for (AccessType type : AccessType.values()) {
- if (type.ordinal() >= accessType.ordinal()) {
- permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
- type.toString(), entityType));
- }
- }
- }
- }
- for (IAMPolicyPermission permission : permissions) {
- if (checkPermissionScope(caller, permission.getScope(), permission.getScopeId(), entity)) {
- if (permission.getEntityType().equals(entityType)) {
- policyPermissionMap.put(policy, permission.getPermission().isGranted());
- break;
- } else if (permission.getEntityType().equals("*")) {
- policyPermissionMap.put(policy, permission.getPermission().isGranted());
- }
- }
- }
- if (policyPermissionMap.containsKey(policy) && policyPermissionMap.get(policy)) {
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
- return true;
- }
- }
-
- if (!policies.isEmpty()) { // Since we reach this point, none of the
- // roles granted access
-
- String msg = "Account " + caller + " does not have permission to access resource " + entity
- + " for access type: " + accessType;
- if (s_logger.isDebugEnabled()) {
- s_logger.debug(msg);
- }
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
- throw new PermissionDeniedException(msg);
- }
-
- _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
- return false;
- }
-
- @Override
- public boolean checkAccess(Account caller, AccessType accessType, String action, ControlledEntity... entities)
- throws PermissionDeniedException {
-
- // operate access on multiple entities?
- if (accessType != null && accessType == AccessType.OperateEntry) {
- // In this case caller MUST own n-1 entities.
-
- for (ControlledEntity entity : entities) {
- checkAccess(caller, entity, accessType, action);
-
- boolean otherEntitiesAccess = true;
-
- for (ControlledEntity otherEntity : entities) {
- if (otherEntity.getAccountId() == caller.getAccountId()
- || (checkAccess(caller, otherEntity, accessType, action) && otherEntity.getAccountId() == entity
- .getAccountId())) {
- continue;
- } else {
- otherEntitiesAccess = false;
- break;
- }
- }
-
- if (otherEntitiesAccess) {
- return true;
- }
- }
-
- throw new PermissionDeniedException(caller
- + " does not have permission to perform this operation on these resources");
-
- } else {
- for (ControlledEntity entity : entities) {
- if (!checkAccess(caller, entity, accessType, action)) {
- return false;
- }
- }
- return true;
- }
- }
-
- private boolean checkPermissionScope(Account caller, String scope, Long scopeId, ControlledEntity entity) {
-
- if(scopeId != null && !scopeId.equals(new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))){
- //scopeId is set
- if (scope.equals(PermissionScope.ACCOUNT.name())) {
- if(scopeId == entity.getAccountId()){
- return true;
- }
- } else if (scope.equals(PermissionScope.DOMAIN.name())) {
- if (_domainDao.isChildDomain(scopeId, entity.getDomainId())) {
- return true;
- }
- } else if (scope.equals(PermissionScope.RESOURCE.name())) {
- if (entity instanceof InternalIdentity) {
- InternalIdentity entityWithId = (InternalIdentity) entity;
- if(scopeId.equals(entityWithId.getId())){
- return true;
- }
- }
- }
- } else if (scopeId == null || scopeId.equals(new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))) {
- if (scope.equals(PermissionScope.ACCOUNT.name())) {
- if(caller.getAccountId() == entity.getAccountId()){
- return true;
- }
- } else if (scope.equals(PermissionScope.DOMAIN.name())) {
- if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
- return true;
- }
- }
- }
- return false;
- }
-
- private List<IAMPolicy> getEffectivePolicies(Account caller) {
-
- List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getId());
-
- List<IAMGroup> groups = _iamSrv.listIAMGroups(caller.getId());
- for (IAMGroup group : groups) {
- // for each group find the grand parent groups.
- List<IAMGroup> parentGroups = _iamSrv.listParentIAMGroups(group.getId());
- for (IAMGroup parentGroup : parentGroups) {
- policies.addAll(_iamSrv.listRecursiveIAMPoliciesByGroup(parentGroup.getId()));
- }
- }
-
- return policies;
- }
-
- private class CheckAccessResult {
- boolean allow;
- String denyMsg;
-
- public CheckAccessResult(boolean aw) {
- this(aw, null);
- }
-
- public CheckAccessResult(String msg) {
- this(false, msg);
- }
-
- public CheckAccessResult(boolean aw, String msg) {
- allow = aw;
- denyMsg = msg;
- }
-
- public boolean isAllow() {
- return allow;
- }
-
- public void setAllow(boolean aw) {
- allow = aw;
- }
-
-
- public String getDenyMsg() {
- return denyMsg;
- }
-
- public void setDenyMsg(String denyMsg) {
- this.denyMsg = denyMsg;
- }
-
- }
-}
diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
deleted file mode 100644
index a9be17a1cd4..00000000000
--- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
+++ /dev/null
@@ -1,188 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.QuerySelector;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMService;
-
-import com.cloud.domain.DomainVO;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.user.Account;
-import com.cloud.utils.component.AdapterBase;
-
-public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
-
- private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
-
- @Inject
- IAMService _iamService;
- @Inject
- DomainDao _domainDao;
-
- @Override
- public List<Long> getAuthorizedDomains(Account caller, String action, AccessType accessType) {
- long accountId = caller.getAccountId();
- if (accessType == null) {
- accessType = AccessType.UseEntry; // default always show resources authorized to use
- }
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
- // for each policy, find granted permission with Domain scope
- List<Long> domainIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
- pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
- PermissionScope.DOMAIN.toString(), accessType.toString()));
-
- if (pp != null) {
- for (IAMPolicyPermission p : pp) {
- if (p.getScopeId() != null) {
- Long domainId = null;
- if (p.getScopeId().longValue() == -1) {
- domainId = caller.getDomainId();
- //domainIds.add(caller.getDomainId());
- } else {
- domainId = p.getScopeId();
- //domainIds.add(p.getScopeId());
- }
- //domainIds.add(domainId);
- // add all the domain children from this domain (including this domain itself). Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that
- // the whole domain tree is granted access.
- DomainVO domain = _domainDao.findById(domainId);
- List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath());
- if (childDomains != null && childDomains.size() > 0) {
- domainIds.addAll(childDomains);
- }
-
- }
- }
- }
- }
- return domainIds;
- }
-
- @Override
- public List<Long> getAuthorizedAccounts(Account caller, String action, AccessType accessType) {
- long accountId = caller.getAccountId();
- if (accessType == null) {
- accessType = AccessType.UseEntry; // default always show resources authorized to use
- }
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
- // for each policy, find granted permission with Account scope
- List<Long> accountIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
- pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
- PermissionScope.ACCOUNT.toString(), accessType.toString()));
-
- if (pp != null) {
- for (IAMPolicyPermission p : pp) {
- if (p.getScopeId() != null) {
- if (p.getScopeId().longValue() == -1) {
- accountIds.add(caller.getId());
- } else {
- accountIds.add(p.getScopeId());
- }
- }
- }
- }
- }
- return accountIds;
- }
-
- @Override
- public List<Long> getAuthorizedResources(Account caller, String action, AccessType accessType) {
- long accountId = caller.getAccountId();
- if (accessType == null) {
- accessType = AccessType.UseEntry; // default always show resources authorized to use
- }
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
-
- // add the policies that grant recursive access
- List<IAMGroup> groups = _iamService.listIAMGroups(caller.getId());
- for (IAMGroup group : groups) {
- // for each group find the grand parent groups.
- List<IAMGroup> parentGroups = _iamService.listParentIAMGroups(group.getId());
- for (IAMGroup parentGroup : parentGroups) {
- policies.addAll(_iamService.listRecursiveIAMPoliciesByGroup(parentGroup.getId()));
- }
- }
-
- // for each policy, find granted permission with Resource scope
- List<Long> entityIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
- pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
- PermissionScope.RESOURCE.toString(), accessType.toString()));
-
- if (pp != null) {
- for (IAMPolicyPermission p : pp) {
- if (p.getScopeId() != null) {
- entityIds.add(p.getScopeId());
- }
- }
- }
- }
- return entityIds;
- }
-
- @Override
- public boolean isGrantedAll(Account caller, String action, AccessType accessType) {
- long accountId = caller.getAccountId();
- if (accessType == null) {
- accessType = AccessType.UseEntry; // default always show resources authorized to use
- }
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
- // for each policy, find granted permission with ALL scope
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
- pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ALL.toString(),
- accessType.toString()));
- if (pp != null && pp.size() > 0) {
- return true;
- }
- }
- return false;
- }
-
- @Override
- public List<String> listAclGroupsByAccount(long accountId) {
- List<IAMGroup> groups = _iamService.listIAMGroups(accountId);
- List<String> groupNames = new ArrayList<String>();
- for (IAMGroup grp : groups) {
- groupNames.add(grp.getName());
- }
- return groupNames;
- }
-
-}
-
diff --git a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties b/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties
deleted file mode 100644
index c87480d47b5..00000000000
--- a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties
+++ /dev/null
@@ -1,18 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-name=iam-access-checkers
-parent=api
\ No newline at end of file
diff --git a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml b/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml
deleted file mode 100644
index 87e8c941814..00000000000
--- a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:aop="http://www.springframework.org/schema/aop"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context.xsd"
- >
-
- <bean id="RoleBasedAPIAccessChecker" class="org.apache.cloudstack.iam.RoleBasedAPIAccessChecker" />
- <bean id="RoleBasedEntityAccessChecker" class="org.apache.cloudstack.iam.RoleBasedEntityAccessChecker" />
- <bean id="RoleBasedEntityQuerySelector" class="org.apache.cloudstack.iam.RoleBasedEntityQuerySelector" />
- <bean id="IAMApiServiceImpl" class="org.apache.cloudstack.iam.IAMApiServiceImpl" />
-
-</beans>
diff --git a/services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java b/services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
deleted file mode 100644
index 84e1e56255c..00000000000
--- a/services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
+++ /dev/null
@@ -1,385 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.test;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.doNothing;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.UUID;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mockito;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.ComponentScan.Filter;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.FilterType;
-import org.springframework.core.type.classreading.MetadataReader;
-import org.springframework.core.type.classreading.MetadataReaderFactory;
-import org.springframework.core.type.filter.TypeFilter;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-import org.springframework.test.context.support.AnnotationConfigContextLoader;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.command.user.vm.ListVMsCmd;
-import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
-import org.apache.cloudstack.api.response.iam.IAMPermissionResponse;
-import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.framework.messagebus.MessageBus;
-import org.apache.cloudstack.iam.IAMApiService;
-import org.apache.cloudstack.iam.IAMApiServiceImpl;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.api.IAMService;
-import org.apache.cloudstack.iam.server.IAMGroupVO;
-import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO;
-import org.apache.cloudstack.iam.server.IAMPolicyVO;
-import org.apache.cloudstack.test.utils.SpringUtils;
-
-import com.cloud.api.ApiServerService;
-import com.cloud.domain.DomainVO;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.network.dao.NetworkDomainDao;
-import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
-import com.cloud.user.AccountVO;
-import com.cloud.user.UserVO;
-import com.cloud.user.dao.AccountDao;
-import com.cloud.utils.Pair;
-import com.cloud.utils.component.ComponentContext;
-import com.cloud.utils.db.EntityManager;
-import com.cloud.vm.VirtualMachine;
-
-@RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
-public class IAMApiServiceTest {
-
- @Inject
- IAMService _iamSrv;
-
- @Inject
- DomainDao _domainDao;
-
- @Inject
- IAMApiService _aclSrv;
-
- @Inject
- AccountManager _accountMgr;
-
- @Inject
- AccountDao _accountDao;
-
- @Inject
- ApiServerService _apiServer;
-
- private static Account caller;
- private static Long callerId;
- private static String callerAccountName = "tester";
- private static Long callerDomainId = 3L;
- private static String callerDomainPath = "/root/testdomain";
- private static DomainVO callerDomain;
-
- @BeforeClass
- public static void setUpClass() throws ConfigurationException {
- }
-
- @Before
- public void setUp() {
- ComponentContext.initComponentsLifeCycle();
- caller = new AccountVO(callerAccountName, callerDomainId, null, Account.ACCOUNT_TYPE_ADMIN, UUID.randomUUID().toString());
- callerId = caller.getId();
- callerDomain = new DomainVO();
- callerDomain.setPath(callerDomainPath);
- UserVO user = new UserVO(1, "testuser", "password", "firstname", "lastName", "email", "timezone", UUID.randomUUID().toString());
- CallContext.register(user, caller);
-
- when(_domainDao.findById(callerDomainId)).thenReturn(callerDomain);
- doNothing().when(_accountMgr).checkAccess(caller, callerDomain);
- }
-
- @Test
- public void createIAMGroupTest() {
- IAMGroup group = new IAMGroupVO("group1", "tester group1");
- List<IAMGroup> groups = new ArrayList<IAMGroup>();
- groups.add(group);
- Pair<List<IAMGroup>, Integer> grpList = new Pair<List<IAMGroup>, Integer>(groups, 1);
- when(_iamSrv.createIAMGroup("group1", "tester group1", callerDomainPath)).thenReturn(group);
- when(_iamSrv.listIAMGroups(null, null, callerDomainPath, 0L, 20L)).thenReturn(grpList);
-
- IAMGroup createdGrp = _aclSrv.createIAMGroup(caller, "group1", "tester group1");
- assertNotNull("IAM group 'group1' failed to create ", createdGrp);
- ListResponse<IAMGroupResponse> grpResp = _aclSrv.listIAMGroups(null, null, callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- IAMGroupResponse resp = grpResp.getResponses().get(0);
- assertEquals("Error in created group name", "group1", resp.getName());
- }
-
- @Test
- public void deleteIAMGroupTest() {
- when(_iamSrv.deleteIAMGroup(1L)).thenReturn(true);
- assertTrue("failed to delete acl group 1", _aclSrv.deleteIAMGroup(1L));
- }
-
- @Test
- public void listIAMGroupTest() {
- IAMGroup group = new IAMGroupVO("group1", "tester group1");
- List<IAMGroup> groups = new ArrayList<IAMGroup>();
- groups.add(group);
- when(_iamSrv.listIAMGroups(callerId)).thenReturn(groups);
- List<IAMGroup> grps = _aclSrv.listIAMGroups(callerId);
- assertTrue(grps != null && grps.size() == 1);
- IAMGroup grp = grps.get(0);
- assertEquals("Error to retrieve group", "group1", grp.getName());
- }
-
- @Test
- public void addRemoveAccountToGroupTest() {
- IAMGroup group = new IAMGroupVO("group1", "tester group1");
- List<IAMGroup> groups = new ArrayList<IAMGroup>();
- groups.add(group);
- Long groupId = group.getId();
- List<Long> acctIds = new ArrayList<Long>();
- AccountVO acct1 = new AccountVO(100L);
- acct1.setAccountName("account1");
- AccountVO acct2 = new AccountVO(200L);
- acct2.setAccountName("account2");
- acctIds.add(acct1.getId());
- acctIds.add(acct2.getId());
- when(_accountDao.findById(acct1.getId())).thenReturn(acct1);
- when(_accountDao.findById(acct2.getId())).thenReturn(acct2);
- when(_iamSrv.addAccountsToGroup(acctIds, groupId)).thenReturn(group);
- when(_iamSrv.listAccountsByGroup(groupId)).thenReturn(acctIds);
- Pair<List<IAMGroup>, Integer> grpList = new Pair<List<IAMGroup>, Integer>(groups, 1);
- when(_iamSrv.listIAMGroups(null, "group1", callerDomainPath, 0L, 20L)).thenReturn(grpList);
- _aclSrv.addAccountsToGroup(acctIds, groupId);
- ListResponse<IAMGroupResponse> grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- IAMGroupResponse resp = grpResp.getResponses().get(0);
- Set<String> acctNames = resp.getAccountNameList();
- assertEquals("There should be 2 accounts in the group", 2, acctNames.size());
- assertTrue("account1 should be assigned to the group", acctNames.contains("account1"));
- assertTrue("account2 should be assigned to the group", acctNames.contains("account2"));
- // remove "account2" from group1
- acctIds.remove(1);
- List<Long> rmAccts = new ArrayList<Long>();
- rmAccts.add(acct2.getId());
- when(_iamSrv.removeAccountsFromGroup(rmAccts, groupId)).thenReturn(group);
- _aclSrv.removeAccountsFromGroup(acctIds, groupId);
- grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- resp = grpResp.getResponses().get(0);
- acctNames = resp.getAccountNameList();
- assertEquals("There should be 1 accounts in the group", 1, acctNames.size());
- assertFalse("account2 should not belong to the group anymore", acctNames.contains("account2"));
- }
-
- @Test
- public void createIAMPolicyTest() {
- IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
- List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
- policies.add(policy);
- Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
- when(_iamSrv.createIAMPolicy("policy1", "tester policy1", null, callerDomainPath)).thenReturn(policy);
- when(_iamSrv.listIAMPolicies(null, null, callerDomainPath, 0L, 20L)).thenReturn(policyList);
-
- IAMPolicy createdPolicy = _aclSrv.createIAMPolicy(caller, "policy1", "tester policy1", null);
- assertNotNull("IAM policy 'policy1' failed to create ", createdPolicy);
- ListResponse<IAMPolicyResponse> policyResp = _aclSrv.listIAMPolicies(null, null, callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", policyResp.getCount() == 1);
- IAMPolicyResponse resp = policyResp.getResponses().get(0);
- assertEquals("Error in created group name", "policy1", resp.getName());
- }
-
- @Test
- public void deleteIAMPolicyTest() {
- when(_iamSrv.deleteIAMPolicy(1L)).thenReturn(true);
- assertTrue("failed to delete acl policy 1", _aclSrv.deleteIAMPolicy(1L));
- }
-
- @Test
- public void listIAMPolicyTest() {
- IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
- List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
- policies.add(policy);
- when(_iamSrv.listIAMPolicies(callerId)).thenReturn(policies);
- List<IAMPolicy> polys = _aclSrv.listIAMPolicies(callerId);
- assertTrue(polys != null && polys.size() == 1);
- IAMPolicy p = polys.get(0);
- assertEquals("Error to retrieve group", "policy1", p.getName());
- }
-
- @Test
- public void addRemovePolicyToGroupTest() {
- IAMGroup group = new IAMGroupVO("group1", "tester group1");
- List<IAMGroup> groups = new ArrayList<IAMGroup>();
- groups.add(group);
- Long groupId = group.getId();
- List<Long> policyIds = new ArrayList<Long>();
- policyIds.add(100L);
- policyIds.add(200L);
- IAMPolicy policy1 = new IAMPolicyVO("policy1", "my first policy");
- IAMPolicy policy2 = new IAMPolicyVO("policy2", "my second policy");
- List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
- policies.add(policy1);
- policies.add(policy2);
- when(_iamSrv.attachIAMPoliciesToGroup(policyIds, groupId)).thenReturn(group);
- when(_iamSrv.listIAMPoliciesByGroup(groupId)).thenReturn(policies);
- Pair<List<IAMGroup>, Integer> grpList = new Pair<List<IAMGroup>, Integer>(groups, 1);
- when(_iamSrv.listIAMGroups(null, "group1", callerDomainPath, 0L, 20L)).thenReturn(grpList);
- _aclSrv.attachIAMPoliciesToGroup(policyIds, groupId);
- ListResponse<IAMGroupResponse> grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- IAMGroupResponse resp = grpResp.getResponses().get(0);
- Set<String> policyNames = resp.getPolicyList();
- assertEquals("There should be 2 policies in the group", 2, policyNames.size());
- assertTrue("policy1 should be assigned to the group", policyNames.contains("policy1"));
- assertTrue("policy2 should be assigned to the group", policyNames.contains("policy2"));
- // remove "policy2" from group1
- policyIds.remove(1);
- policies.remove(policy2);
- when(_iamSrv.removeIAMPoliciesFromGroup(policyIds, groupId)).thenReturn(group);
- _aclSrv.removeIAMPoliciesFromGroup(policyIds, groupId);
- grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", grpResp.getCount() == 1);
- resp = grpResp.getResponses().get(0);
- policyNames = resp.getPolicyList();
- assertEquals("There should be 1 policy attached to the group", 1, policyNames.size());
- assertFalse("policy2 should not belong to the group anymore", policyNames.contains("policy2"));
- }
-
- @Test
- public void addRemovePermissionToPolicyTest() {
- IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
- List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
- policies.add(policy);
- Long policyId = policy.getId();
- Long resId = 200L;
- Class clz = ListVMsCmd.class;
- when(_apiServer.getCmdClass("listVirtualMachines")).thenReturn(clz);
- when(
- _iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
- PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines",
- AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy);
- _aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
- PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false, false);
- Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
- List<IAMPolicyPermission> policyPerms = new ArrayList<IAMPolicyPermission>();
- IAMPolicyPermission perm = new IAMPolicyPermissionVO(policyId, "listVirtualMachines",
- VirtualMachine.class.getSimpleName(), AccessType.UseEntry.toString(),
- PermissionScope.RESOURCE.toString(),
- resId, Permission.Allow, false);
- policyPerms.add(perm);
- when(_iamSrv.listIAMPolicies(null, "policy1", callerDomainPath, 0L, 20L)).thenReturn(policyList);
- when(_iamSrv.listPolicyPermissions(policyId)).thenReturn(policyPerms);
- ListResponse<IAMPolicyResponse> policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", policyResp.getCount() == 1);
- IAMPolicyResponse resp = policyResp.getResponses().get(0);
- Set<IAMPermissionResponse> permList = resp.getPermissionList();
- assertTrue("Permission list should not be empty", permList != null && permList.size() > 0);
- IAMPermissionResponse permResp = permList.iterator().next();
- assertEquals("There should be one permission for listVirtualMachines", "listVirtualMachines", permResp.getAction());
-
- //remove permission from policy
- policyPerms.remove(perm);
- _aclSrv.removeIAMPermissionFromIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
- PermissionScope.RESOURCE, resId, "listVirtualMachines");
- policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L);
- assertTrue("No. of response items should be one", policyResp.getCount() == 1);
- resp = policyResp.getResponses().get(0);
- permList = resp.getPermissionList();
- assertTrue("Permission list should be empty", permList != null && permList.size() == 0);
- }
-
- @After
- public void tearDown() {
- }
-
- @Configuration
- @ComponentScan(basePackageClasses = {IAMApiServiceImpl.class}, includeFilters = {@Filter(value = TestConfiguration.Library.class, type = FilterType.CUSTOM)}, useDefaultFilters = false)
- public static class TestConfiguration extends SpringUtils.CloudStackTestConfiguration {
-
- @Bean
- public DomainDao domainDao() {
- return Mockito.mock(DomainDao.class);
- }
-
- @Bean
- public IAMService iamService() {
- return Mockito.mock(IAMService.class);
- }
-
- @Bean
- public AccountDao accountDao() {
- return Mockito.mock(AccountDao.class);
- }
-
- @Bean
- public NetworkDomainDao networkDomainDao() {
- return Mockito.mock(NetworkDomainDao.class);
- }
-
- @Bean
- public AccountManager accountManager() {
- return Mockito.mock(AccountManager.class);
- }
-
- @Bean
- public MessageBus messageBus() {
- return Mockito.mock(MessageBus.class);
- }
-
- @Bean
- public EntityManager entityMgr() {
- return Mockito.mock(EntityManager.class);
- }
-
- @Bean
- public ApiServerService apiServerService() {
- return Mockito.mock(ApiServerService.class);
- }
-
- public static class Library implements TypeFilter {
-
- @Override
- public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException {
- ComponentScan cs = TestConfiguration.class.getAnnotation(ComponentScan.class);
- return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs);
- }
- }
- }
-}
diff --git a/services/iam/plugin/src/test/resources/db.properties b/services/iam/plugin/src/test/resources/db.properties
deleted file mode 100644
index fc2fb33669c..00000000000
--- a/services/iam/plugin/src/test/resources/db.properties
+++ /dev/null
@@ -1,73 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-
-# management server clustering parameters, change cluster.node.IP to the machine IP address
-# in which the management server is running
-cluster.node.IP=127.0.0.1
-cluster.servlet.port=9090
-region.id=1
-
-# CloudStack database settings
-db.cloud.username=cloud
-db.cloud.password=cloud
-db.root.password=
-db.cloud.host=localhost
-db.cloud.driver=jdbc:mysql
-db.cloud.port=3306
-db.cloud.name=cloud
-
-# CloudStack database tuning parameters
-db.cloud.maxActive=250
-db.cloud.maxIdle=30
-db.cloud.maxWait=10000
-db.cloud.autoReconnect=true
-db.cloud.validationQuery=SELECT 1
-db.cloud.testOnBorrow=true
-db.cloud.testWhileIdle=true
-db.cloud.timeBetweenEvictionRunsMillis=40000
-db.cloud.minEvictableIdleTimeMillis=240000
-db.cloud.poolPreparedStatements=false
-db.cloud.url.params=prepStmtCacheSize=517&cachePrepStmts=true&prepStmtCacheSqlLimit=4096
-
-# usage database settings
-db.usage.username=cloud
-db.usage.password=cloud
-db.usage.host=localhost
-# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
-db.usage.driver=jdbc:mysql
-db.usage.port=3306
-db.usage.name=cloud_usage
-
-# usage database tuning parameters
-db.usage.maxActive=100
-db.usage.maxIdle=30
-db.usage.maxWait=10000
-db.usage.autoReconnect=true
-
-# Simulator database settings
-db.simulator.username=cloud
-db.simulator.password=cloud
-db.simulator.host=localhost
-# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
-db.simulator.driver=jdbc:mysql
-db.simulator.port=3306
-db.simulator.name=simulator
-db.simulator.maxActive=250
-db.simulator.maxIdle=30
-db.simulator.maxWait=10000
-db.simulator.autoReconnect=true
diff --git a/services/iam/pom.xml b/services/iam/pom.xml
deleted file mode 100644
index 2d0baedce1c..00000000000
--- a/services/iam/pom.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <artifactId>cloudstack-service-iam</artifactId>
- <name>Apache CloudStack IAM Service</name>
- <packaging>pom</packaging>
- <parent>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloudstack-services</artifactId>
- <version>4.7.0-SNAPSHOT</version>
- <relativePath>../pom.xml</relativePath>
- </parent>
- <build>
- <defaultGoal>install</defaultGoal>
- </build>
- <modules>
- <module>plugin</module>
- <module>server</module>
- </modules>
-<!--
- <dependencies>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-utils</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- <type>test-jar</type>
- <scope>test</scope>
- </dependency>
- </dependencies>
--->
-</project>
diff --git a/services/iam/server/pom.xml b/services/iam/server/pom.xml
deleted file mode 100644
index 15840a8c31b..00000000000
--- a/services/iam/server/pom.xml
+++ /dev/null
@@ -1,57 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <artifactId>cloud-iam</artifactId>
- <name>Apache CloudStack IAM - Server</name>
- <parent>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloudstack-service-iam</artifactId>
- <version>4.12.0.0-SNAPSHOT</version>
- <relativePath>../pom.xml</relativePath>
- </parent>
- <dependencies>
- <dependency>
- <groupId>commons-io</groupId>
- <artifactId>commons-io</artifactId>
- </dependency>
- <dependency>
- <groupId>net.sf.ehcache</groupId>
- <artifactId>ehcache-core</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-utils</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-api</artifactId>
- <version>${project.version}</version>
- <type>test-jar</type>
- <scope>test</scope>
- </dependency>
- </dependencies>
-</project>
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java
deleted file mode 100644
index 868d0a0d449..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java
+++ /dev/null
@@ -1,37 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.api;
-
-import org.apache.cloudstack.api.Identity;
-import org.apache.cloudstack.api.InternalIdentity;
-
-public interface IAMGroup extends InternalIdentity, Identity {
-
- String getName();
-
- String getDescription();
-
- @Override
- long getId();
-
- @Override
- String getUuid();
-
- String getPath();
-
- long getAccountId();
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java
deleted file mode 100644
index e6daeb11c68..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java
+++ /dev/null
@@ -1,41 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.api;
-
-import org.apache.cloudstack.api.Identity;
-import org.apache.cloudstack.api.InternalIdentity;
-
-public interface IAMPolicy extends InternalIdentity, Identity {
-
- String getName();
-
- String getDescription();
-
- public enum PolicyType {
- Static, Dynamic
- }
-
- @Override
- long getId();
-
- @Override
- String getUuid();
-
- String getPath();
-
- long getAccountId();
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
deleted file mode 100644
index b91086fc869..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
+++ /dev/null
@@ -1,53 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.api;
-
-
-public interface IAMPolicyPermission {
-
- String getAction();
-
- long getAclPolicyId();
-
- String getEntityType();
-
- String getAccessType();
-
- String getScope();
-
- Long getScopeId();
-
- Permission getPermission();
-
- public enum Permission {
- Allow(true), Deny(false);
-
- boolean result;
-
- Permission(boolean result) {
- this.result = result;
- }
-
- public boolean isGranted() {
- return result;
- }
- }
-
- long getId();
-
- public static final long PERMISSION_SCOPE_ID_CURRENT_CALLER = -1;
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java
deleted file mode 100644
index 3a470ee677f..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java
+++ /dev/null
@@ -1,99 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.api;
-
-import java.util.List;
-
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-
-import com.cloud.utils.Pair;
-
-public interface IAMService {
-
- /* IAM group related interfaces */
- IAMGroup createIAMGroup(String iamGroupName, String description, String path);
-
- boolean deleteIAMGroup(Long iamGroupId);
-
- List<IAMGroup> listIAMGroups(long accountId);
-
- IAMGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
-
- IAMGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
-
- List<Long> listAccountsByGroup(long groupId);
-
- Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize);
-
- /* IAM Policy related interfaces */
- IAMPolicy createIAMPolicy(String iamPolicyName, String description, Long parentPolicyId, String path);
-
- boolean deleteIAMPolicy(long iamPolicyId);
-
- List<IAMPolicy> listIAMPolicies(long accountId);
-
- List<IAMPolicy> listIAMPoliciesByGroup(long groupId);
-
- Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize);
-
- IAMGroup attachIAMPoliciesToGroup(List<Long> policyIds, Long groupId);
-
- IAMGroup removeIAMPoliciesFromGroup(List<Long> policyIds, Long groupId);
-
- void attachIAMPolicyToAccounts(Long policyId, List<Long> acctIds);
-
- void removeIAMPolicyFromAccounts(Long policyId, List<Long> acctIds);
-
- IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
- String action, String accessType, Permission perm, Boolean recursive);
-
- IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
- String action);
-
- void removeIAMPermissionForEntity(final String entityType, final Long entityId);
-
- IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action);
-
- IAMPolicy getResourceOwnerPolicy();
-
- List<IAMPolicyPermission> listPolicyPermissions(long policyId);
-
- List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope, String accessType);
-
- List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action, String entityType);
-
- boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies);
-
- List<Long> getGrantedEntities(long accountId, String action, String scope);
-
- IAMPolicy resetIAMPolicy(long iamPolicyId);
-
- List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
- String entityType);
-
- List<IAMGroup> listParentIAMGroups(long groupId);
-
- List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId);
-
- /* Interface used for cache IAM checkAccess result */
- void addToIAMCache(Object accessKey, Object allowDeny);
-
- Object getFromIAMCache(Object accessKey);
-
- void invalidateIAMCache();
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
deleted file mode 100644
index 18f085a28fd..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
+++ /dev/null
@@ -1,77 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_account_policy_map"))
-public class IAMAccountPolicyMapVO {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private Long id;
-
- @Column(name = "account_id")
- private long accountId;
-
- @Column(name = "policy_id")
- private long iamPolicyId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMAccountPolicyMapVO() {
- }
-
- public IAMAccountPolicyMapVO(long accountId, long iamPolicyId) {
- this.accountId = accountId;
- this.iamPolicyId = iamPolicyId;
- }
-
- public long getId() {
- return id;
- }
-
- public long getAccountId() {
- return accountId;
- }
-
- public long getIamPolicyId() {
- return iamPolicyId;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
deleted file mode 100644
index dac7d35ef67..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
+++ /dev/null
@@ -1,78 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_group_account_map"))
-public class IAMGroupAccountMapVO {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private Long id;
-
- @Column(name = "group_id")
- private long aclGroupId;
-
- @Column(name = "account_id")
- private long accountId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMGroupAccountMapVO() {
- }
-
- public IAMGroupAccountMapVO(long aclGroupId, long accountId) {
- this.aclGroupId = aclGroupId;
- this.accountId = accountId;
- }
-
- public long getId() {
- return id;
- }
-
- public long getAclGroupId() {
- return aclGroupId;
- }
-
-
- public long getAccountId() {
- return accountId;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
deleted file mode 100644
index 946d1f796a2..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
+++ /dev/null
@@ -1,79 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_group_policy_map"))
-public class IAMGroupPolicyMapVO {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private Long id;
-
- @Column(name = "group_id")
- private long aclGroupId;
-
- @Column(name = "policy_id")
- private long aclPolicyId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMGroupPolicyMapVO() {
- }
-
- public IAMGroupPolicyMapVO(long aclGroupId, long aclPolicyId) {
- this.aclGroupId = aclGroupId;
- this.aclPolicyId = aclPolicyId;
- }
-
- public long getId() {
- return id;
- }
-
- public long getAclGroupId() {
- return aclGroupId;
- }
-
-
- public long getAclPolicyId() {
- return aclPolicyId;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java
deleted file mode 100644
index 80edb8977a7..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java
+++ /dev/null
@@ -1,122 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-import java.util.UUID;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import org.apache.cloudstack.iam.api.IAMGroup;
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_group"))
-public class IAMGroupVO implements IAMGroup {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private long id;
-
- @Column(name = "name")
- private String name;
-
- @Column(name = "description")
- private String description;
-
- @Column(name = "uuid")
- private String uuid;
-
- @Column(name = "path")
- private String path;
-
- @Column(name = "account_id")
- private long accountId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMGroupVO() {
- uuid = UUID.randomUUID().toString();
- }
-
- public IAMGroupVO(String name, String description) {
- this.name = name;
- this.description = description;
- uuid = UUID.randomUUID().toString();
- path = "/";
- }
-
- @Override
- public long getId() {
- return id;
- }
-
- @Override
- public String getName() {
- return name;
- }
-
- @Override
- public String getDescription() {
- return description;
- }
-
- @Override
- public String getPath() {
- return path;
- }
-
- public void setPath(String path) {
- this.path = path;
- }
-
- @Override
- public long getAccountId() {
- return accountId;
- }
-
- public void setAccountId(long acctId) {
- accountId = acctId;
- }
-
- @Override
- public String getUuid() {
- return uuid;
- }
-
- public void setUuid(String uuid) {
- this.uuid = uuid;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
deleted file mode 100644
index 13d6b814e53..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
+++ /dev/null
@@ -1,181 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_policy_permission"))
-public class IAMPolicyPermissionVO implements IAMPolicyPermission {
-
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private long id;
-
- @Column(name = "policy_id")
- private long aclPolicyId;
-
- @Column(name = "action")
- private String action;
-
- @Column(name = "resource_type")
- private String entityType;
-
- @Column(name = "access_type")
- private String accessType;
-
- @Column(name = "scope")
- private String scope;
-
- @Column(name = "scope_id")
- private Long scopeId;
-
- @Column(name = "permission")
- @Enumerated(value = EnumType.STRING)
- private Permission permission;
-
- @Column(name = "recursive")
- private Boolean recursive;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public IAMPolicyPermissionVO() {
-
- }
-
- public IAMPolicyPermissionVO(long aclPolicyId, String action, String entityType, String accessType, String scope,
- Long scopeId, Permission permission, Boolean recursive) {
- this.aclPolicyId = aclPolicyId;
- this.action = action;
- this.entityType = entityType;
- this.accessType = accessType;
- this.scope = scope;
- this.scopeId = scopeId;
- this.permission = permission;
- this.recursive = recursive;
- }
-
- @Override
- public long getId() {
- return id;
- }
-
- @Override
- public long getAclPolicyId() {
- return aclPolicyId;
- }
-
-
- public void setAclPolicyId(long aclPolicyId) {
- this.aclPolicyId = aclPolicyId;
- }
-
- @Override
- public String getEntityType() {
- return entityType;
- }
-
- @Override
- public String getAccessType() {
- return accessType;
- }
-
-
- public void setEntityType(String entityType) {
- this.entityType = entityType;
- }
-
- public void setAccessType(String accessType) {
- this.accessType = accessType;
- }
-
- @Override
- public String getScope() {
- return scope;
- }
-
- public void setScope(String scope) {
- this.scope = scope;
- }
-
-
- @Override
- public String getAction() {
- return action;
- }
-
- @Override
- public Long getScopeId() {
- // TODO
- // handle special -1 scopeId, current caller domain, account
- /*
- * if ( scopeId < 0 ){ Account caller =
- * CallContext.current().getCallingAccount(); if ( scope ==
- * PermissionScope.DOMAIN){ return caller.getDomainId(); } else if
- * (scope == PermissionScope.ACCOUNT) { return caller.getAccountId(); }
- * }
- */
- return scopeId;
- }
-
- @Override
- public Permission getPermission() {
- return permission;
- }
-
- public void setAction(String action) {
- this.action = action;
- }
-
- public void setScopeId(Long scopeId) {
- this.scopeId = scopeId;
- }
-
- public void setPermission(Permission permission) {
- this.permission = permission;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-
- public Boolean isRecursive() {
- return recursive;
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java
deleted file mode 100644
index 25ebd011f39..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java
+++ /dev/null
@@ -1,138 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.Date;
-import java.util.UUID;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import org.apache.cloudstack.iam.api.IAMPolicy;
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("iam_policy"))
-public class IAMPolicyVO implements IAMPolicy {
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private long id;
-
- @Column(name = "name")
- private String name;
-
- @Column(name = "description")
- private String description;
-
- @Column(name = "uuid")
- private String uuid;
-
- @Column(name = "path")
- private String path;
-
- @Column(name = "account_id")
- private long accountId;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- @Column(name = "policy_type")
- @Enumerated(value = EnumType.STRING)
- private IAMPolicy.PolicyType policyType;
-
- public IAMPolicyVO() {
- uuid = UUID.randomUUID().toString();
- }
-
- public IAMPolicyVO(String name, String description) {
- this.name = name;
- this.description = description;
- uuid = UUID.randomUUID().toString();
- policyType = IAMPolicy.PolicyType.Static;
- }
-
- @Override
- public long getId() {
- return id;
- }
-
- @Override
- public String getName() {
- return name;
- }
-
- @Override
- public String getDescription() {
- return description;
- }
-
-
- @Override
- public String getUuid() {
- return uuid;
- }
-
- public void setUuid(String uuid) {
- this.uuid = uuid;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-
- @Override
- public String getPath() {
- return path;
- }
-
- public void setPath(String path) {
- this.path = path;
- }
-
- @Override
- public long getAccountId() {
- return accountId;
- }
-
- public void setAccountId(long accountId) {
- this.accountId = accountId;
- }
-
- public IAMPolicy.PolicyType getPolicyType() {
- return policyType;
- }
-
- public void setPolicyType(IAMPolicy.PolicyType policyType) {
- this.policyType = policyType;
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java
deleted file mode 100644
index 4ae694b50ff..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ /dev/null
@@ -1,904 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import net.sf.ehcache.Cache;
-import net.sf.ehcache.CacheManager;
-import net.sf.ehcache.Element;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission;
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.api.IAMService;
-import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
-import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
-
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.utils.NumbersUtil;
-import com.cloud.utils.Pair;
-import com.cloud.utils.component.Manager;
-import com.cloud.utils.component.ManagerBase;
-import com.cloud.utils.db.DB;
-import com.cloud.utils.db.EntityManager;
-import com.cloud.utils.db.Filter;
-import com.cloud.utils.db.GenericSearchBuilder;
-import com.cloud.utils.db.JoinBuilder;
-import com.cloud.utils.db.JoinBuilder.JoinType;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-import com.cloud.utils.db.SearchCriteria.Op;
-import com.cloud.utils.db.Transaction;
-import com.cloud.utils.db.TransactionCallback;
-import com.cloud.utils.db.TransactionCallbackNoReturn;
-import com.cloud.utils.db.TransactionStatus;
-
-public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
-
- public static final Logger s_logger = Logger.getLogger(IAMServiceImpl.class);
- private String _name;
-
- @Inject
- IAMPolicyDao _aclPolicyDao;
-
- @Inject
- IAMGroupDao _aclGroupDao;
-
- @Inject
- EntityManager _entityMgr;
-
- @Inject
- IAMGroupPolicyMapDao _aclGroupPolicyMapDao;
-
- @Inject
- IAMAccountPolicyMapDao _aclAccountPolicyMapDao;
-
- @Inject
- IAMGroupAccountMapDao _aclGroupAccountMapDao;
-
- @Inject
- IAMPolicyPermissionDao _policyPermissionDao;
-
- private Cache _iamCache;
-
- private void createIAMCache(final Map<String, ? extends Object> params) {
- final String value = (String)params.get("cache.size");
-
- if (value != null) {
- final CacheManager cm = CacheManager.create();
- final int maxElements = NumbersUtil.parseInt(value, 0);
- final int live = NumbersUtil.parseInt((String)params.get("cache.time.to.live"), 300);
- final int idle = NumbersUtil.parseInt((String)params.get("cache.time.to.idle"), 300);
- _iamCache = new Cache(getName(), maxElements, false, live == -1, live == -1 ? Integer.MAX_VALUE : live, idle);
- cm.addCache(_iamCache);
- s_logger.info("IAM Cache created: " + _iamCache.toString());
- } else {
- _iamCache = null;
- }
- }
-
- @Override
- public void addToIAMCache(Object accessKey, Object allowDeny) {
- if (_iamCache != null) {
- try {
- s_logger.debug("Put IAM access check for " + accessKey + " in cache");
- _iamCache.put(new Element(accessKey, allowDeny));
- } catch (final Exception e) {
- s_logger.debug("Can't put " + accessKey + " to IAM cache", e);
- }
- }
- }
-
- @Override
- public void invalidateIAMCache() {
- //This may need to use event bus to publish to other MS, but event bus now is missing this functionality to handle PublishScope.GLOBAL
- if (_iamCache != null) {
- s_logger.debug("Invalidate IAM cache");
- _iamCache.removeAll();
- }
- }
-
- @Override
- public Object getFromIAMCache(Object accessKey) {
- if (_iamCache != null) {
- final Element element = _iamCache.get(accessKey);
- return element == null ? null : element.getObjectValue();
- }
- return null;
- }
-
- @Override
- public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
- boolean result = super.configure(name, params);
- // create IAM cache
- createIAMCache(params);
- return result;
- }
-
- @DB
- @Override
- public IAMGroup createIAMGroup(String iamGroupName, String description, String path) {
- // check if the group is already existing
- IAMGroup grp = _aclGroupDao.findByName(path, iamGroupName);
- if (grp != null) {
- throw new InvalidParameterValueException(
- "Unable to create acl group with name " + iamGroupName
- + " already exists for path " + path);
- }
- IAMGroupVO rvo = new IAMGroupVO(iamGroupName, description);
- rvo.setPath(path);
-
- return _aclGroupDao.persist(rvo);
- }
-
- @DB
- @Override
- public boolean deleteIAMGroup(final Long iamGroupId) {
- // get the Acl Group entity
- final IAMGroup grp = _aclGroupDao.findById(iamGroupId);
- if (grp == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + iamGroupId
- + "; failed to delete acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove this group related entry in acl_group_policy_map
- List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
- if (groupPolicyMap != null) {
- for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
- _aclGroupPolicyMapDao.remove(gr.getId());
- }
- }
-
- // remove this group related entry in acl_group_account table
- List<IAMGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
- if (groupAcctMap != null) {
- for (IAMGroupAccountMapVO grpAcct : groupAcctMap) {
- _aclGroupAccountMapDao.remove(grpAcct.getId());
- }
- }
-
- // remove this group from acl_group table
- _aclGroupDao.remove(iamGroupId);
- }
- });
-
- invalidateIAMCache();
- return true;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMGroup> listIAMGroups(long accountId) {
-
- GenericSearchBuilder<IAMGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
- groupSB.selectFields(groupSB.entity().getAclGroupId());
- groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
- SearchCriteria<Long> groupSc = groupSB.create();
- groupSc.setParameters("account", accountId);
-
- List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
-
- if (groupIds == null || groupIds.isEmpty()) {
- return new ArrayList<IAMGroup>();
- }
- SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
- sb.and("ids", sb.entity().getId(), Op.IN);
- SearchCriteria<IAMGroupVO> sc = sb.create();
- sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
- @SuppressWarnings("rawtypes")
- List groups = _aclGroupDao.search(sc, null);
- return groups;
- }
-
- @DB
- @Override
- public IAMGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
- // get the Acl Group entity
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + groupId
- + "; failed to add accounts to acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_account_map table
- for (Long acctId : acctIds) {
- // check account permissions
- IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
- if (grMap == null) {
- // not there already
- grMap = new IAMGroupAccountMapVO(groupId, acctId);
- _aclGroupAccountMapDao.persist(grMap);
- }
- }
- }
- });
-
- invalidateIAMCache();
- return group;
- }
-
- @DB
- @Override
- public IAMGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
- // get the Acl Group entity
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + groupId
- + "; failed to remove accounts from acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove entries from acl_group_account_map table
- for (Long acctId : acctIds) {
- IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
- if (grMap != null) {
- // not removed yet
- _aclGroupAccountMapDao.remove(grMap.getId());
- }
- }
- }
- });
-
- invalidateIAMCache();
- return group;
- }
-
- @Override
- public List<Long> listAccountsByGroup(long groupId) {
- List<IAMGroupAccountMapVO> grpAcctMap = _aclGroupAccountMapDao.listByGroupId(groupId);
- if (grpAcctMap == null || grpAcctMap.size() == 0) {
- return new ArrayList<Long>();
- }
-
- List<Long> accts = new ArrayList<Long>();
- for (IAMGroupAccountMapVO grpAcct : grpAcctMap) {
- accts.add(grpAcct.getAccountId());
- }
- return accts;
- }
-
- @Override
- public Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize) {
- if (iamGroupId != null) {
- IAMGroup group = _aclGroupDao.findById(iamGroupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group by id " + iamGroupId);
- }
- }
-
- Filter searchFilter = new Filter(IAMGroupVO.class, "id", true, startIndex, pageSize);
-
- SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
- sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
- sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
- sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
-
- SearchCriteria<IAMGroupVO> sc = sb.create();
-
- if (iamGroupName != null) {
- sc.setParameters("name", iamGroupName);
- }
-
- if (iamGroupId != null) {
- sc.setParameters("id", iamGroupId);
- }
-
- sc.setParameters("path", path + "%");
-
- Pair<List<IAMGroupVO>, Integer> groups = _aclGroupDao.searchAndCount(sc, searchFilter);
- return new Pair<List<IAMGroup>, Integer>(new ArrayList<IAMGroup>(groups.first()), groups.second());
- }
-
- @Override
- public List<IAMGroup> listParentIAMGroups(long groupId) {
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group by id " + groupId);
- }
-
- String path = group.getPath();
- List<String> pathList = new ArrayList<String>();
-
- String[] parts = path.split("/");
-
- for (String part : parts) {
- int start = path.indexOf(part);
- if (start > 0) {
- String subPath = path.substring(0, start);
- pathList.add(subPath);
- }
- }
-
- if (pathList.isEmpty()) {
- return new ArrayList<IAMGroup>();
- }
-
- SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
- sb.and("paths", sb.entity().getPath(), SearchCriteria.Op.IN);
-
- SearchCriteria<IAMGroupVO> sc = sb.create();
- sc.setParameters("paths", pathList.toArray());
-
- List<IAMGroupVO> groups = _aclGroupDao.search(sc, null);
-
- return new ArrayList<IAMGroup>(groups);
-
- }
-
- @DB
- @Override
- public IAMPolicy createIAMPolicy(final String iamPolicyName, final String description, final Long parentPolicyId, final String path) {
-
- // check if the policy is already existing
- IAMPolicy ro = _aclPolicyDao.findByName(iamPolicyName);
- if (ro != null) {
- throw new InvalidParameterValueException(
- "Unable to create acl policy with name " + iamPolicyName
- + " already exists");
- }
-
- IAMPolicy role = Transaction.execute(new TransactionCallback<IAMPolicy>() {
- @Override
- public IAMPolicy doInTransaction(TransactionStatus status) {
- IAMPolicyVO rvo = new IAMPolicyVO(iamPolicyName, description);
- rvo.setPath(path);
-
- IAMPolicy role = _aclPolicyDao.persist(rvo);
- if (parentPolicyId != null) {
- // copy parent role permissions
- List<IAMPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
- if (perms != null) {
- for (IAMPolicyPermissionVO perm : perms) {
- perm.setAclPolicyId(role.getId());
- _policyPermissionDao.persist(perm);
- }
- }
- }
- return role;
- }
- });
-
-
- return role;
- }
-
- @DB
- @Override
- public boolean deleteIAMPolicy(final long iamPolicyId) {
- // get the Acl Policy entity
- final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
- + "; failed to delete acl policy.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove this policy related entry in acl_group_policy_map
- List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
- if (groupPolicyMap != null) {
- for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
- _aclGroupPolicyMapDao.remove(gr.getId());
- }
- }
-
- // remove this policy related entry in acl_account_policy_map table
- List<IAMAccountPolicyMapVO> policyAcctMap = _aclAccountPolicyMapDao.listByPolicyId(policy.getId());
- if (policyAcctMap != null) {
- for (IAMAccountPolicyMapVO policyAcct : policyAcctMap) {
- _aclAccountPolicyMapDao.remove(policyAcct.getId());
- }
- }
-
- // remove this policy related entry in acl_policy_permission table
- List<IAMPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
- if (policyPermMap != null) {
- for (IAMPolicyPermissionVO policyPerm : policyPermMap) {
- _policyPermissionDao.remove(policyPerm.getId());
- }
- }
-
- // remove this role from acl_role table
- _aclPolicyDao.remove(iamPolicyId);
- }
- });
-
- invalidateIAMCache();
-
- return true;
- }
-
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicy> listIAMPolicies(long accountId) {
-
- // static policies of the account
- SearchBuilder<IAMGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
- groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
-
- GenericSearchBuilder<IAMGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
- policySB.selectFields(policySB.entity().getAclPolicyId());
- policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
- JoinType.INNER);
- policySB.done();
- SearchCriteria<Long> policySc = policySB.create();
- policySc.setJoinParameters("accountgroupjoin", "account", accountId);
-
- List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
- // add policies directly attached to the account
- List<IAMAccountPolicyMapVO> acctPolicies = _aclAccountPolicyMapDao.listByAccountId(accountId);
- for (IAMAccountPolicyMapVO p : acctPolicies) {
- policyIds.add(p.getIamPolicyId());
- }
- if (policyIds.size() == 0) {
- return new ArrayList<IAMPolicy>();
- }
- SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
- sb.and("ids", sb.entity().getId(), Op.IN);
- SearchCriteria<IAMPolicyVO> sc = sb.create();
- sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
- @SuppressWarnings("rawtypes")
- List policies = _aclPolicyDao.customSearch(sc, null);
-
- return policies;
-
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicy> listIAMPoliciesByGroup(long groupId) {
- List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
- if (policyGrpMap == null || policyGrpMap.size() == 0) {
- return new ArrayList<IAMPolicy>();
- }
-
- List<Long> policyIds = new ArrayList<Long>();
- for (IAMGroupPolicyMapVO pg : policyGrpMap) {
- policyIds.add(pg.getAclPolicyId());
- }
-
- SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
- sb.and("ids", sb.entity().getId(), Op.IN);
- SearchCriteria<IAMPolicyVO> sc = sb.create();
- sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
- @SuppressWarnings("rawtypes")
- List policies = _aclPolicyDao.customSearch(sc, null);
-
- return policies;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId) {
- List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
- if (policyGrpMap == null || policyGrpMap.size() == 0) {
- return new ArrayList<IAMPolicy>();
- }
-
- List<Long> policyIds = new ArrayList<Long>();
- for (IAMGroupPolicyMapVO pg : policyGrpMap) {
- policyIds.add(pg.getAclPolicyId());
- }
-
- SearchBuilder<IAMPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
- permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);
-
- SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
- sb.and("ids", sb.entity().getId(), Op.IN);
- sb.join("recursivePerm", permSb, sb.entity().getId(), permSb.entity().getAclPolicyId(),
- JoinBuilder.JoinType.INNER);
-
- SearchCriteria<IAMPolicyVO> sc = sb.create();
- sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
- sc.setJoinParameters("recursivePerm", "isRecursive", true);
-
- @SuppressWarnings("rawtypes")
- List policies = _aclPolicyDao.customSearch(sc, null);
-
- return policies;
- }
-
-
- @SuppressWarnings("unchecked")
- @Override
- public Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize) {
-
- if (iamPolicyId != null) {
- IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy by id " + iamPolicyId);
- }
- }
-
- Filter searchFilter = new Filter(IAMPolicyVO.class, "id", true, startIndex, pageSize);
-
- SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
- sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
- sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
- sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
-
- SearchCriteria<IAMPolicyVO> sc = sb.create();
-
- if (iamPolicyName != null) {
- sc.setParameters("name", iamPolicyName);
- }
-
- if (iamPolicyId != null) {
- sc.setParameters("id", iamPolicyId);
- }
-
- sc.setParameters("path", path + "%");
-
- Pair<List<IAMPolicyVO>, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter);
- @SuppressWarnings("rawtypes")
- List policyList = policies.first();
- return new Pair<List<IAMPolicy>, Integer>(policyList, policies.second());
- }
-
- @DB
- @Override
- public IAMGroup attachIAMPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
- // get the Acl Group entity
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + groupId
- + "; failed to add roles to acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_policy_map table
- for (Long policyId : policyIds) {
- IAMPolicy policy = _aclPolicyDao.findById(policyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
- + "; failed to add policies to acl group.");
- }
-
- IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
- if (grMap == null) {
- // not there already
- grMap = new IAMGroupPolicyMapVO(groupId, policyId);
- _aclGroupPolicyMapDao.persist(grMap);
- }
- }
- }
- });
-
- invalidateIAMCache();
- return group;
- }
-
- @DB
- @Override
- public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
- // get the Acl Group entity
- IAMGroup group = _aclGroupDao.findById(groupId);
- if (group == null) {
- throw new InvalidParameterValueException("Unable to find acl group: " + groupId
- + "; failed to remove roles from acl group.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_role_map table
- for (Long policyId : policyIds) {
- IAMPolicy policy = _aclPolicyDao.findById(policyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
- + "; failed to add policies to acl group.");
- }
-
- IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
- if (grMap != null) {
- // not removed yet
- _aclGroupPolicyMapDao.remove(grMap.getId());
- }
- }
- }
- });
-
- invalidateIAMCache();
- return group;
- }
-
-
- @Override
- public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> acctIds) {
- IAMPolicy policy = _aclPolicyDao.findById(policyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
- + "; failed to add policy to account.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_policy_map table
- for (Long acctId : acctIds) {
- IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
- if (acctMap == null) {
- // not there already
- acctMap = new IAMAccountPolicyMapVO(acctId, policyId);
- _aclAccountPolicyMapDao.persist(acctMap);
- }
- }
- }
- });
-
- invalidateIAMCache();
- }
-
- @Override
- public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> acctIds) {
- IAMPolicy policy = _aclPolicyDao.findById(policyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
- + "; failed to add policy to account.");
- }
-
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // add entries in acl_group_policy_map table
- for (Long acctId : acctIds) {
- IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
- if (acctMap != null) {
- // exists
- _aclAccountPolicyMapDao.remove(acctMap.getId());
- }
- }
- }
- });
-
- invalidateIAMCache();
- }
-
- @DB
- @Override
- public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
- String action, String accessType, Permission perm, Boolean recursive) {
- // get the Acl Policy entity
- IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
- + "; failed to add permission to policy.");
- }
-
- // add entry in acl_policy_permission table
- IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope,
- scopeId, action, perm, accessType);
- if (permit == null) {
- // not there already
- permit = new IAMPolicyPermissionVO(iamPolicyId, action, entityType, accessType, scope, scopeId, perm,
- recursive);
- _policyPermissionDao.persist(permit);
- }
-
- invalidateIAMCache();
- return policy;
-
- }
-
- @DB
- @Override
- public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
- String action) {
- // get the Acl Policy entity
- IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
- + "; failed to revoke permission from policy.");
- }
- // remove entry from acl_entity_permission table
- IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope,
- scopeId, action, Permission.Allow, null);
- if (permit != null) {
- // not removed yet
- _policyPermissionDao.remove(permit.getId());
- }
-
- invalidateIAMCache();
- return policy;
- }
-
- @DB
- @Override
- public void removeIAMPermissionForEntity(final String entityType, final Long entityId) {
- Transaction.execute(new TransactionCallbackNoReturn() {
- @Override
- public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove entry from acl_entity_permission table
- List<IAMPolicyPermissionVO> permitList = _policyPermissionDao.listByEntity(entityType, entityId);
- for (IAMPolicyPermissionVO permit : permitList) {
- long policyId = permit.getAclPolicyId();
- _policyPermissionDao.remove(permit.getId());
-
- // remove the policy if there are no other permissions
- if ((_policyPermissionDao.listByPolicy(policyId)).isEmpty()) {
- deleteIAMPolicy(policyId);
- }
- }
- }
- });
-
- invalidateIAMCache();
- }
-
- @DB
- @Override
- public IAMPolicy resetIAMPolicy(long iamPolicyId) {
- // get the Acl Policy entity
- IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
- if (policy == null) {
- throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
- + "; failed to reset the policy.");
- }
-
- SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
- sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
- sb.done();
- SearchCriteria<IAMPolicyPermissionVO> permissionSC = sb.create();
- permissionSC.setParameters("policyId", iamPolicyId);
- _policyPermissionDao.expunge(permissionSC);
-
- invalidateIAMCache();
- return policy;
- }
-
- @Override
- public boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies) {
-
- boolean allowed = false;
-
- if (policies == null || policies.size() == 0) {
- return allowed;
- }
-
- List<Long> policyIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- policyIds.add(policy.getId());
- }
-
- SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
- sb.and("action", sb.entity().getAction(), Op.EQ);
- sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
-
- SearchCriteria<IAMPolicyPermissionVO> sc = sb.create();
- sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
- sc.setParameters("action", action);
-
- List<IAMPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
-
- if (permissions != null && !permissions.isEmpty()) {
- allowed = true;
- }
-
- return allowed;
- }
-
-
- @Override
- public List<Long> getGrantedEntities(long accountId, String action, String scope) {
- // Get the static Policies of the Caller
- List<IAMPolicy> policies = listIAMPolicies(accountId);
- // for each policy, find granted permission within the given scope
- List<Long> entityIds = new ArrayList<Long>();
- for (IAMPolicy policy : policies) {
- List<IAMPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyActionAndScope(policy.getId(), action,
- scope, null);
- if (pp != null) {
- for (IAMPolicyPermissionVO p : pp) {
- if (p.getScopeId() != null) {
- entityIds.add(p.getScopeId());
- }
- }
- }
- }
- return entityIds;
- }
-
- @Override
- @SuppressWarnings("unchecked")
- public List<IAMPolicyPermission> listPolicyPermissions(long policyId) {
- @SuppressWarnings("rawtypes")
- List pp = _policyPermissionDao.listByPolicy(policyId);
- return pp;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope,
- String accessType) {
- @SuppressWarnings("rawtypes")
- List pp = _policyPermissionDao.listByPolicyActionAndScope(policyId, action, scope, accessType);
- return pp;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action,
- String entityType) {
- @SuppressWarnings("rawtypes")
- List pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
- return pp;
- }
-
- @SuppressWarnings("unchecked")
- @Override
- public List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
- String entityType) {
- @SuppressWarnings("rawtypes")
- List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType);
- return pp;
- }
-
- @Override
- public IAMPolicy getResourceOwnerPolicy() {
- return _aclPolicyDao.findByName("RESOURCE_OWNER");
- }
-
- // search for policy with only one resource grant permission
- @Override
- public IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action) {
- List<IAMPolicyVO> policyList = _aclPolicyDao.listAll();
- for (IAMPolicyVO policy : policyList) {
- List<IAMPolicyPermission> pp = listPolicyPermissions(policy.getId());
- if (pp != null && pp.size() == 1) {
- // resource grant policy should only have one ACL permission assigned
- IAMPolicyPermission permit = pp.get(0);
- if (permit.getEntityType().equals(entityType) && permit.getScope().equals(PermissionScope.RESOURCE.toString())
- && permit.getScopeId().longValue() == entityId.longValue()) {
- if (accessType != null && permit.getAccessType().equals(accessType)) {
- return policy;
- } else if (action != null && permit.getAction().equals(action)) {
- return policy;
- }
- }
- }
- }
- return null;
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
deleted file mode 100644
index 0162589e35b..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-
-import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMAccountPolicyMapDao extends GenericDao<IAMAccountPolicyMapVO, Long> {
-
- List<IAMAccountPolicyMapVO> listByAccountId(long acctId);
-
- List<IAMAccountPolicyMapVO> listByPolicyId(long policyId);
-
- IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId);
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
deleted file mode 100644
index d74e86f2db6..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
+++ /dev/null
@@ -1,77 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-public class IAMAccountPolicyMapDaoImpl extends GenericDaoBase<IAMAccountPolicyMapVO, Long> implements IAMAccountPolicyMapDao {
-
- private SearchBuilder<IAMAccountPolicyMapVO> ListByAccountId;
- private SearchBuilder<IAMAccountPolicyMapVO> ListByPolicyId;
- private SearchBuilder<IAMAccountPolicyMapVO> findByPolicyAccountId;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- ListByAccountId = createSearchBuilder();
- ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
- ListByAccountId.done();
-
- ListByPolicyId = createSearchBuilder();
- ListByPolicyId.and("policyId", ListByPolicyId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
- ListByPolicyId.done();
-
- findByPolicyAccountId = createSearchBuilder();
- findByPolicyAccountId.and("policyId", findByPolicyAccountId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
- findByPolicyAccountId.and("accountId", findByPolicyAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
- findByPolicyAccountId.done();
-
- return true;
- }
-
- @Override
- public List<IAMAccountPolicyMapVO> listByAccountId(long acctId) {
- SearchCriteria<IAMAccountPolicyMapVO> sc = ListByAccountId.create();
- sc.setParameters("accountId", acctId);
- return listBy(sc);
- }
-
- @Override
- public List<IAMAccountPolicyMapVO> listByPolicyId(long policyId) {
- SearchCriteria<IAMAccountPolicyMapVO> sc = ListByPolicyId.create();
- sc.setParameters("policyId", policyId);
- return listBy(sc);
- }
-
- @Override
- public IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId) {
- SearchCriteria<IAMAccountPolicyMapVO> sc = findByPolicyAccountId.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("accountId", acctId);
- return findOneBy(sc);
- }
-}
\ No newline at end of file
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
deleted file mode 100644
index a94dbaae9c7..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-
-import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMGroupAccountMapDao extends GenericDao<IAMGroupAccountMapVO, Long> {
-
- List<IAMGroupAccountMapVO> listByGroupId(long groupId);
-
- List<IAMGroupAccountMapVO> listByAccountId(long accountId);
-
- IAMGroupAccountMapVO findAccountInAdminGroup(long accountId);
-
- IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
-
- void removeAccountFromGroups(long accountId);
-
- IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
-
- IAMGroupAccountMapVO findAccountInUserGroup(long accountId);
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
deleted file mode 100644
index 4bb5d1a59fb..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
+++ /dev/null
@@ -1,119 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
-
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-@Component
-public class IAMGroupAccountMapDaoImpl extends GenericDaoBase<IAMGroupAccountMapVO, Long> implements IAMGroupAccountMapDao {
- private SearchBuilder<IAMGroupAccountMapVO> ListByGroupId;
- private SearchBuilder<IAMGroupAccountMapVO> ListByAccountId;
- private SearchBuilder<IAMGroupAccountMapVO> _findByAccountAndGroupId;
-
- public static final Logger s_logger = Logger.getLogger(IAMGroupAccountMapDaoImpl.class.getName());
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- ListByGroupId = createSearchBuilder();
- ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
- ListByGroupId.done();
-
- ListByAccountId = createSearchBuilder();
- ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
- ListByAccountId.done();
-
- _findByAccountAndGroupId = createSearchBuilder();
- _findByAccountAndGroupId
- .and("groupId", _findByAccountAndGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
- _findByAccountAndGroupId.and("accountId", _findByAccountAndGroupId.entity().getAccountId(),
- SearchCriteria.Op.EQ);
- _findByAccountAndGroupId.done();
-
- return true;
- }
-
- @Override
- public List<IAMGroupAccountMapVO> listByGroupId(long groupId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = ListByGroupId.create();
- sc.setParameters("groupId", groupId);
- return listBy(sc);
- }
-
- @Override
- public List<IAMGroupAccountMapVO> listByAccountId(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
- sc.setParameters("accountId", accountId);
- return listBy(sc);
- }
-
- @Override
- public IAMGroupAccountMapVO findAccountInAdminGroup(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
- sc.setParameters("accountId", accountId);
- sc.setParameters("groupId", 2);
- return findOneBy(sc);
- }
-
- @Override
- public IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
- sc.setParameters("accountId", accountId);
- sc.setParameters("groupId", 3);
- return findOneBy(sc);
- }
-
- @Override
- public IAMGroupAccountMapVO findAccountInUserGroup(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
- sc.setParameters("accountId", accountId);
- sc.setParameters("groupId", 1);
- return findOneBy(sc);
- }
-
- @Override
- public IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
- sc.setParameters("accountId", acctId);
- sc.setParameters("groupId", groupId);
- return findOneBy(sc);
- }
-
- @Override
- public void removeAccountFromGroups(long accountId) {
- SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
- sc.setParameters("accountId", accountId);
-
- int rowsRemoved = remove(sc);
- if (rowsRemoved > 0) {
- s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
- }
- }
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
deleted file mode 100644
index 54408a6d390..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
+++ /dev/null
@@ -1,28 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.server.IAMGroupVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMGroupDao extends GenericDao<IAMGroupVO, Long> {
-
- IAMGroup findByName(String path, String groupName);
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
deleted file mode 100644
index 45be0b3f21c..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
+++ /dev/null
@@ -1,59 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.server.IAMGroupVO;
-import org.springframework.stereotype.Component;
-
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-@Component
-public class IAMGroupDaoImpl extends GenericDaoBase<IAMGroupVO, Long> implements IAMGroupDao {
- private SearchBuilder<IAMGroupVO> nameSearch;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- nameSearch = createSearchBuilder();
- nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
- nameSearch.and("path", nameSearch.entity().getPath(), SearchCriteria.Op.EQ);
- nameSearch.done();
-
-
- return true;
- }
-
- @Override
- public IAMGroup findByName(String path, String name) {
- SearchCriteria<IAMGroupVO> sc = nameSearch.create();
- sc.setParameters("name", name);
- if (path != null) {
- sc.setParameters("path", path);
- }
- return findOneBy(sc);
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java
deleted file mode 100644
index 3f5f232e7d3..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-
-import org.apache.cloudstack.iam.server.IAMGroupPolicyMapVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMGroupPolicyMapDao extends GenericDao<IAMGroupPolicyMapVO, Long> {
-
- List<IAMGroupPolicyMapVO> listByGroupId(long groupId);
-
- List<IAMGroupPolicyMapVO> listByPolicyId(long policyId);
-
- IAMGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId);
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java
deleted file mode 100644
index ac42f04a119..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java
+++ /dev/null
@@ -1,77 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.server.IAMGroupPolicyMapVO;
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-public class IAMGroupPolicyMapDaoImpl extends GenericDaoBase<IAMGroupPolicyMapVO, Long> implements IAMGroupPolicyMapDao {
-
- private SearchBuilder<IAMGroupPolicyMapVO> ListByGroupId;
- private SearchBuilder<IAMGroupPolicyMapVO> ListByPolicyId;
- private SearchBuilder<IAMGroupPolicyMapVO> findByPolicyGroupId;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- ListByGroupId = createSearchBuilder();
- ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
- ListByGroupId.done();
-
- ListByPolicyId = createSearchBuilder();
- ListByPolicyId.and("policyId", ListByPolicyId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- ListByPolicyId.done();
-
- findByPolicyGroupId = createSearchBuilder();
- findByPolicyGroupId.and("policyId", findByPolicyGroupId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- findByPolicyGroupId.and("groupId", findByPolicyGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
- findByPolicyGroupId.done();
-
- return true;
- }
-
- @Override
- public List<IAMGroupPolicyMapVO> listByGroupId(long groupId) {
- SearchCriteria<IAMGroupPolicyMapVO> sc = ListByGroupId.create();
- sc.setParameters("groupId", groupId);
- return listBy(sc);
- }
-
- @Override
- public List<IAMGroupPolicyMapVO> listByPolicyId(long policyId) {
- SearchCriteria<IAMGroupPolicyMapVO> sc = ListByPolicyId.create();
- sc.setParameters("policyId", policyId);
- return listBy(sc);
- }
-
- @Override
- public IAMGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId) {
- SearchCriteria<IAMGroupPolicyMapVO> sc = findByPolicyGroupId.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("groupId", groupId);
- return findOneBy(sc);
- }
-}
\ No newline at end of file
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java
deleted file mode 100644
index ace7d8585ac..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java
+++ /dev/null
@@ -1,28 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.server.IAMPolicyVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMPolicyDao extends GenericDao<IAMPolicyVO, Long> {
-
- IAMPolicy findByName(String policyName);
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java
deleted file mode 100644
index 293cf6f59ee..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java
+++ /dev/null
@@ -1,57 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.server.IAMPolicyVO;
-import org.springframework.stereotype.Component;
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-@Component
-public class IAMPolicyDaoImpl extends GenericDaoBase<IAMPolicyVO, Long> implements IAMPolicyDao {
- private SearchBuilder<IAMPolicyVO> nameSearch;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- nameSearch = createSearchBuilder();
- nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
- // nameSearch.and("domainId", nameSearch.entity().getDomainId(),
- // SearchCriteria.Op.EQ);
- nameSearch.done();
-
-
- return true;
- }
-
- @Override
- public IAMPolicy findByName(String name) {
- SearchCriteria<IAMPolicyVO> sc = nameSearch.create();
- sc.setParameters("name", name);
-
- return findOneBy(sc);
- }
-
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java
deleted file mode 100644
index ebb4916470d..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java
+++ /dev/null
@@ -1,39 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-import java.util.List;
-
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO;
-
-import com.cloud.utils.db.GenericDao;
-
-public interface IAMPolicyPermissionDao extends GenericDao<IAMPolicyPermissionVO, Long> {
-
- List<IAMPolicyPermissionVO> listByPolicy(long policyId);
-
- IAMPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId,
- String action, Permission perm, String accessType);
-
- List<IAMPolicyPermissionVO> listByPolicyActionAndScope(long policyId, String action, String scope, String accessType);
-
- List<IAMPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType);
-
- List<IAMPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType, String entityType);
-
- List<IAMPolicyPermissionVO> listByEntity(String entityType, Long entityId);
-}
diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java
deleted file mode 100644
index 44b77d1163e..00000000000
--- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java
+++ /dev/null
@@ -1,130 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam.server.dao;
-
-import java.util.List;
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
-import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO;
-
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-public class IAMPolicyPermissionDaoImpl extends GenericDaoBase<IAMPolicyPermissionVO, Long> implements
- IAMPolicyPermissionDao {
-
- private SearchBuilder<IAMPolicyPermissionVO> policyIdSearch;
- private SearchBuilder<IAMPolicyPermissionVO> fullSearch;
- private SearchBuilder<IAMPolicyPermissionVO> entitySearch;
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- policyIdSearch = createSearchBuilder();
- policyIdSearch.and("policyId", policyIdSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- policyIdSearch.done();
-
- fullSearch = createSearchBuilder();
- fullSearch.and("policyId", fullSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- fullSearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ);
- fullSearch.and("scope", fullSearch.entity().getScope(), SearchCriteria.Op.EQ);
- fullSearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ);
- fullSearch.and("action", fullSearch.entity().getAction(), SearchCriteria.Op.EQ);
- fullSearch.and("permission", fullSearch.entity().getPermission(), SearchCriteria.Op.EQ);
- fullSearch.and("accessType", fullSearch.entity().getAccessType(), SearchCriteria.Op.EQ);
- fullSearch.done();
-
- entitySearch = createSearchBuilder();
- entitySearch.and("entityType", entitySearch.entity().getEntityType(), SearchCriteria.Op.EQ);
- entitySearch.and("scopeId", entitySearch.entity().getScopeId(), SearchCriteria.Op.EQ);
- entitySearch.done();
-
- return true;
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByPolicy(long policyId) {
- SearchCriteria<IAMPolicyPermissionVO> sc = policyIdSearch.create();
- sc.setParameters("policyId", policyId);
- return listBy(sc);
- }
-
- @Override
- public IAMPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId,
- String action, Permission perm, String accessType) {
- SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("entityType", entityType);
- sc.setParameters("scope", scope);
- sc.setParameters("scopeId", scopeId);
- sc.setParameters("action", action);
- sc.setParameters("permission", perm);
- if (accessType != null) {
- // accessType can be optional, used mainly in list apis with
- // ListEntry and UseEntry distinction
- sc.setParameters("accessType", accessType);
- }
- return findOneBy(sc);
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByPolicyActionAndScope(long policyId, String action, String scope, String accessType) {
- SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("action", action);
- sc.setParameters("scope", scope);
- sc.setParameters("permission", Permission.Allow);
- if ( accessType != null ){
- // accessType can be optional, used mainly in list apis with ListEntry and UseEntry distinction
- sc.setParameters("accessType", accessType);
- }
- return listBy(sc);
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType) {
- SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("entityType", entityType);
- sc.setParameters("action", action);
- return listBy(sc);
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType,
- String entityType) {
- SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
- sc.setParameters("policyId", policyId);
- sc.setParameters("entityType", entityType);
- sc.setParameters("accessType", accessType);
- return listBy(sc);
- }
-
- @Override
- public List<IAMPolicyPermissionVO> listByEntity(String entityType, Long entityId) {
- SearchCriteria<IAMPolicyPermissionVO> sc = entitySearch.create();
- sc.setParameters("entityType", entityType);
- sc.setParameters("scopeId", entityId);
- return listBy(sc);
- }
-
-}
diff --git a/services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml b/services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
deleted file mode 100644
index 1c7983608dd..00000000000
--- a/services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
+++ /dev/null
@@ -1,47 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:aop="http://www.springframework.org/schema/aop"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context.xsd"
- >
-
- <bean id="IAMGroupDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupDaoImpl" />
- <bean id="IAMPolicyDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyDaoImpl" />
- <bean id="IAMGroupAccountMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDaoImpl" />
- <bean id="IAMGroupPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDaoImpl" />
- <bean id="IAMPolicyPermissionDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDaoImpl" />
- <bean id="IAMAccountPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDaoImpl" />
-
-
- <bean id="IAMServiceImpl" class="org.apache.cloudstack.iam.server.IAMServiceImpl" >
- <property name="configParams">
- <map>
- <entry key="cache.size" value="5000" />
- <entry key="cache.time.to.live" value="300" />
- </map>
- </property>
- </bean>
-
-</beans>
diff --git a/services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java b/services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java
deleted file mode 100644
index 53cfc71f936..00000000000
--- a/services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java
+++ /dev/null
@@ -1,211 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.iam;
-
-import static org.junit.Assert.assertNotNull;
-import static org.mockito.Matchers.eq;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mockito;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.ComponentScan.Filter;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.FilterType;
-import org.springframework.core.type.classreading.MetadataReader;
-import org.springframework.core.type.classreading.MetadataReaderFactory;
-import org.springframework.core.type.filter.TypeFilter;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-import org.springframework.test.context.support.AnnotationConfigContextLoader;
-
-import org.apache.cloudstack.iam.api.IAMGroup;
-import org.apache.cloudstack.iam.api.IAMPolicy;
-import org.apache.cloudstack.iam.api.IAMService;
-import org.apache.cloudstack.iam.server.IAMGroupVO;
-import org.apache.cloudstack.iam.server.IAMPolicyVO;
-import org.apache.cloudstack.iam.server.IAMServiceImpl;
-import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupDao;
-import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao;
-import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
-import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
-import org.apache.cloudstack.test.utils.SpringUtils;
-
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.utils.component.ComponentContext;
-import com.cloud.utils.db.EntityManager;
-import com.cloud.utils.db.SearchCriteria;
-
-@RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
-public class IAMServiceUnitTest {
-
- @Inject
- IAMService _iamService;
-
- @Inject
- IAMPolicyDao _aclPolicyDao;
-
- @Inject
- IAMGroupDao _aclGroupDao;
-
- @Inject
- EntityManager _entityMgr;
-
- @Inject
- IAMGroupPolicyMapDao _aclGroupPolicyMapDao;
-
- @Inject
- IAMGroupAccountMapDao _aclGroupAccountMapDao;
-
- @Inject
- IAMPolicyPermissionDao _policyPermissionDao;
-
- @BeforeClass
- public static void setUpClass() throws ConfigurationException {
- }
-
- @Before
- public void setUp() {
- ComponentContext.initComponentsLifeCycle();
- IAMGroupVO group = new IAMGroupVO("group1", "my first group");
- Mockito.when(_aclGroupDao.persist(Mockito.any(IAMGroupVO.class))).thenReturn(group);
- List<IAMGroupVO> groups = new ArrayList<IAMGroupVO>();
- groups.add(group);
- when(_aclGroupDao.search(Mockito.any(SearchCriteria.class), Mockito.any(com.cloud.utils.db.Filter.class)))
- .thenReturn(groups);
-
- IAMPolicyVO policy = new IAMPolicyVO("policy1", "my first policy");
- Mockito.when(_aclPolicyDao.persist(Mockito.any(IAMPolicyVO.class))).thenReturn(policy);
-
- }
-
- @After
- public void tearDown() {
- }
-
- @Test(expected = InvalidParameterValueException.class)
- public void createAclGroupTest() {
- IAMGroup group = _iamService.createIAMGroup("group1", "my first group", "/root/mydomain");
- assertNotNull("Acl group 'group1' failed to create ", group);
-
- IAMGroupVO group2 = new IAMGroupVO("group1", "my second group");
- when(_aclGroupDao.findByName(eq("/root/mydomain"), eq("group1"))).thenReturn(group2);
-
- IAMGroup group3 = _iamService.createIAMGroup("group1", "my first group", "/root/mydomain");
- }
-
- @Test(expected = InvalidParameterValueException.class)
- public void deleteAclGroupInvalidIdTest() {
- when(_aclGroupDao.findById(20L)).thenReturn(null);
- _iamService.deleteIAMGroup(20L);
- }
-
- @Test
- public void accountGroupMaptest() {
- // create group
- IAMGroupVO group = new IAMGroupVO("group1", "my first group");
-
- // add account to group
- List<Long> accountIds = new ArrayList<Long>();
- accountIds.add(100L);
- when(_aclGroupDao.findById(20L)).thenReturn(group);
- _iamService.addAccountsToGroup(accountIds, 20L);
-
- _iamService.removeAccountsFromGroup(accountIds, 20L);
- }
-
- @Test(expected = InvalidParameterValueException.class)
- public void createAclPolicyTest() {
- IAMPolicy policy = _iamService.createIAMPolicy("policy1", "my first policy", null, "/root/mydomain");
- assertNotNull("Acl policy 'policy1' failed to create ", policy);
-
- IAMPolicyVO rvo = new IAMPolicyVO("policy2", "second policy");
- when(_aclPolicyDao.findByName(eq("policy2"))).thenReturn(rvo);
-
- _iamService.createIAMPolicy("policy2", "second policy", null, "/root/mydomain");
- }
-
- @Test(expected = InvalidParameterValueException.class)
- public void deleteAclPolicyInvalidIdTest() {
- when(_aclPolicyDao.findById(34L)).thenReturn(null);
- _iamService.deleteIAMPolicy(34L);
- }
-
- @Configuration
- @ComponentScan(basePackageClasses = {IAMServiceImpl.class}, includeFilters = {@Filter(value = TestConfiguration.Library.class, type = FilterType.CUSTOM)}, useDefaultFilters = false)
- public static class TestConfiguration extends SpringUtils.CloudStackTestConfiguration {
-
- @Bean
- public IAMPolicyDao aclPolicyDao() {
- return Mockito.mock(IAMPolicyDao.class);
- }
-
- @Bean
- public IAMGroupDao aclGroupDao() {
- return Mockito.mock(IAMGroupDao.class);
- }
-
- @Bean
- public EntityManager entityManager() {
- return Mockito.mock(EntityManager.class);
- }
-
- @Bean
- public IAMGroupPolicyMapDao aclGroupPolicyMapDao() {
- return Mockito.mock(IAMGroupPolicyMapDao.class);
- }
-
- @Bean
- public IAMGroupAccountMapDao aclGroupAccountMapDao() {
- return Mockito.mock(IAMGroupAccountMapDao.class);
- }
-
- @Bean
- public IAMAccountPolicyMapDao aclAccountPolicyMapDao() {
- return Mockito.mock(IAMAccountPolicyMapDao.class);
- }
-
- @Bean
- public IAMPolicyPermissionDao aclPolicyPermissionDao() {
- return Mockito.mock(IAMPolicyPermissionDao.class);
- }
-
- public static class Library implements TypeFilter {
-
- @Override
- public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException {
- ComponentScan cs = TestConfiguration.class.getAnnotation(ComponentScan.class);
- return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs);
- }
- }
- }
-}
diff --git a/services/iam/server/src/test/resources/db.properties b/services/iam/server/src/test/resources/db.properties
deleted file mode 100644
index a672d63f799..00000000000
--- a/services/iam/server/src/test/resources/db.properties
+++ /dev/null
@@ -1,73 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-
-# management server clustering parameters, change cluster.node.IP to the machine IP address
-# in which the management server(Tomcat) is running
-cluster.node.IP=127.0.0.1
-cluster.servlet.port=9090
-region.id=1
-
-# CloudStack database settings
-db.cloud.username=cloud
-db.cloud.password=cloud
-db.root.password=
-db.cloud.host=localhost
-db.cloud.driver=jdbc:mysql
-db.cloud.port=3306
-db.cloud.name=cloud
-
-# CloudStack database tuning parameters
-db.cloud.maxActive=250
-db.cloud.maxIdle=30
-db.cloud.maxWait=10000
-db.cloud.autoReconnect=true
-db.cloud.validationQuery=SELECT 1
-db.cloud.testOnBorrow=true
-db.cloud.testWhileIdle=true
-db.cloud.timeBetweenEvictionRunsMillis=40000
-db.cloud.minEvictableIdleTimeMillis=240000
-db.cloud.poolPreparedStatements=false
-db.cloud.url.params=prepStmtCacheSize=517&cachePrepStmts=true&prepStmtCacheSqlLimit=4096
-
-# usage database settings
-db.usage.username=cloud
-db.usage.password=cloud
-db.usage.host=localhost
-# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
-db.usage.driver=jdbc:mysql
-db.usage.port=3306
-db.usage.name=cloud_usage
-
-# usage database tuning parameters
-db.usage.maxActive=100
-db.usage.maxIdle=30
-db.usage.maxWait=10000
-db.usage.autoReconnect=true
-
-# Simulator database settings
-db.simulator.username=cloud
-db.simulator.password=cloud
-db.simulator.host=localhost
-# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
-db.simulator.driver=jdbc:mysql
-db.simulator.port=3306
-db.simulator.name=simulator
-db.simulator.maxActive=250
-db.simulator.maxIdle=30
-db.simulator.maxWait=10000
-db.simulator.autoReconnect=true
diff --git a/tools/apidoc/gen_toc.py b/tools/apidoc/gen_toc.py
index f45f030ac40..3bf52a36a46 100644
--- a/tools/apidoc/gen_toc.py
+++ b/tools/apidoc/gen_toc.py
@@ -169,7 +169,6 @@
'Ucs' : 'UCS',
'CacheStores' : 'Cache Stores',
'CacheStore' : 'Cache Store',
- 'IAM' : 'IAM',
'OvsElement' : 'Ovs Element',
'StratosphereSsp' : ' Stratosphere SSP',
'Metrics' : 'Metrics',
diff --git a/tools/build/build_asf.sh b/tools/build/build_asf.sh
index ecccb959226..7530be58860 100755
--- a/tools/build/build_asf.sh
+++ b/tools/build/build_asf.sh
@@ -100,9 +100,6 @@ perl -pi -e "s/-SNAPSHOT//" tools/apidoc/pom.xml
perl -pi -e "s/-SNAPSHOT//" build/replace.properties
perl -pi -e "s/-SNAPSHOT//" tools/marvin/setup.py
perl -pi -e "s/-SNAPSHOT//" tools/marvin/marvin/deployAndRun.py
-perl -pi -e "s/-SNAPSHOT//" services/iam/plugin/pom.xml
-perl -pi -e "s/-SNAPSHOT//" services/iam/pom.xm
-perl -pi -e "s/-SNAPSHOT//" services/iam/server/pom.xml
perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile
perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile.marvin
perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile.centos6
diff --git a/tools/build/setnextversion.sh b/tools/build/setnextversion.sh
index 2f9c980b1e3..3b31ea915e7 100755
--- a/tools/build/setnextversion.sh
+++ b/tools/build/setnextversion.sh
@@ -131,9 +131,6 @@ echo "setting new version numbers"
mvn versions:set -DnewVersion=$version -P vmware -P developer -P systemvm -P simulator -Dnoredist versions:commit
perl -pi -e "s/$currentversion/$version/" debian/changelog
-perl -pi -e "s/$currentversion/$version/" services/iam/plugin/pom.xml
-perl -pi -e "s/$currentversion/$version/" services/iam/pom.xml
-perl -pi -e "s/$currentversion/$version/" services/iam/server/pom.xml
perl -pi -e "s/$currentversion/$version/" tools/apidoc/pom.xml
perl -pi -e "s/$currentversion/$version/" tools/checkstyle/pom.xml
perl -pi -e "s/$currentversion/$version/" tools/marvin/setup.py
diff --git a/tools/marvin/marvin/lib/base.py b/tools/marvin/marvin/lib/base.py
index fdfed774f84..c4d8783b6de 100755
--- a/tools/marvin/marvin/lib/base.py
+++ b/tools/marvin/marvin/lib/base.py
@@ -5096,139 +5096,6 @@ def list(cls, apiclient, **kwargs):
cmd.listall = True
return(apiclient.listNics(cmd))
-class IAMGroup:
- def __init__(self, items):
- self.__dict__.update(items)
-
- @classmethod
- def create(cls, apiclient, iam_grp, account=None, domainid=None):
- cmd = createIAMGroup.createIAMGroupCmd()
- cmd.name = iam_grp['name']
- cmd.description = iam_grp['description']
- if account:
- cmd.account = account
- if domainid:
- cmd.domainid = domainid
- return IAMGroup(apiclient.createIAMGroup(cmd).__dict__)
-
- def update(self, apiclient):
- pass
-
- def delete(self, apiclient):
- cmd = deleteIAMGroup.deleteIAMGroupCmd()
- cmd.id = self.id
- return apiclient.deleteIAMGroup(cmd)
-
- @classmethod
- def list(cls, apiclient, **kwargs):
- cmd = listIAMGroups.listIAMGroupsCmd()
- [setattr(cmd, k, v) for k, v in kwargs.items()]
- if 'account' in kwargs.keys() and 'domainid' in kwargs.keys():
- cmd.listall = True
- return apiclient.listIAMGroups(cmd)
-
- def addAccount(self, apiclient, accts):
- """Add accounts to iam group"""
- cmd = addAccountToIAMGroup.addAccountToIAMGroupCmd()
- cmd.id = self.id
- cmd.accounts = [str(acct.id) for acct in accts]
- apiclient.addAccountToIAMGroup(cmd)
- return
-
- def removeAccount(self, apiclient, accts):
- """ Remove accounts from iam group"""
- cmd = removeAccountFromIAMGroup.removeAccountFromIAMGroupCmd()
- cmd.id = self.id
- cmd.accounts = [str(acct.id) for acct in accts]
- apiclient.removeAccountFromIAMGroup(cmd)
- return
-
- def attachPolicy(self, apiclient, policies):
- """Add policies to iam group"""
- cmd = attachIAMPolicyToIAMGroup.attachIAMPolicyToIAMGroupCmd()
- cmd.id = self.id
- cmd.policies = [str(policy.id) for policy in policies]
- apiclient.attachIAMPolicyToIAMGroup(cmd)
- return
-
- def detachPolicy(self, apiclient, policies):
- """Remove policies from iam group"""
- cmd = removeIAMPolicyFromIAMGroup.removeIAMPolicyFromIAMGroupCmd()
- cmd.id = self.id
- cmd.policies = [str(policy.id) for policy in policies]
- apiclient.removeIAMPolicyFromIAMGroup(cmd)
- return
-
-class IAMPolicy:
- def __init__(self, items):
- self.__dict__.update(items)
-
- @classmethod
- def create(cls, apiclient, iam_policy, account=None, domainid=None):
- cmd = createIAMPolicy.createIAMPolicyCmd()
- cmd.name = iam_policy['name']
- cmd.description = iam_policy['description']
- if account:
- cmd.account = account
- if domainid:
- cmd.domainid = domainid
- return IAMPolicy(apiclient.createIAMPolicy(cmd).__dict__)
-
- def update(self, apiclient):
- pass
-
- def delete(self, apiclient):
- cmd = deleteIAMPolicy.deleteIAMPolicyCmd()
- cmd.id = self.id
- return apiclient.deleteIAMPolicy(cmd)
-
- @classmethod
- def list(cls, apiclient, **kwargs):
- cmd = listIAMPolicies.listIAMPoliciesCmd()
- [setattr(cmd, k, v) for k, v in kwargs.items()]
- if 'account' in kwargs.keys() and 'domainid' in kwargs.keys():
- cmd.listall = True
- return apiclient.listIAMPoliciesCmd(cmd)
-
- def addPermission(self, apiclient, permission):
- """Add permission to iam policy"""
- cmd = addIAMPermissionToIAMPolicy.addIAMPermissionToIAMPolicyCmd()
- cmd.id = self.id
- cmd.action = permission['action']
- cmd.entitytype = permission['entitytype']
- cmd.scope = permission['scope']
- cmd.scopeid = permission['scopeid']
- apiclient.addIAMPermissionToIAMPolicy(cmd)
- return
-
- def removePermission(self, apiclient, permission):
- """Remove permission from iam policy"""
- cmd = removeIAMPermissionFromIAMPolicy.\
- removeIAMPermissionFromIAMPolicyCmd()
- cmd.id = self.id
- cmd.action = permission['action']
- cmd.entitytype = permission['entitytype']
- cmd.scope = permission['scope']
- cmd.scopeid = permission['scopeid']
- apiclient.removeIAMPermissionFromIAMPolicy(cmd)
- return
-
- def attachAccount(self, apiclient, accts):
- """Attach iam policy to accounts"""
- cmd = attachIAMPolicyToAccount.attachIAMPolicyToAccountCmd()
- cmd.id = self.id
- cmd.accounts = [str(acct.id) for acct in accts]
- apiclient.attachIAMPolicyToAccount(cmd)
- return
-
- def detachAccount(self, apiclient, accts):
- """Detach iam policy from accounts"""
- cmd = removeIAMPolicyFromAccount.removeIAMPolicyFromAccountCmd()
- cmd.id = self.id
- cmd.accounts = [str(acct.id) for acct in accts]
- apiclient.removeIAMPolicyFromAccount(cmd)
- return
-
class SimulatorMock:
"""Manage simulator mock lifecycle"""
def __init__(self, items):
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services