You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by mc...@apache.org on 2013/01/12 00:51:03 UTC
[10/32] git commit: plugins: Check access based on roleType,
remove unnecessary properties.in file
plugins: Check access based on roleType, remove unnecessary properties.in file
- Fix StaticRoleBasedAPIAccessChecker to check api access based on roletype
- Remove properties file which is not needed now for api discovery plugin
Signed-off-by: Rohit Yadav <bh...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/345c179e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/345c179e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/345c179e
Branch: refs/heads/api_limit
Commit: 345c179e77dce7ba471f6846fac785bd34bda294
Parents: 8f26e17
Author: Rohit Yadav <bh...@apache.org>
Authored: Thu Jan 10 15:53:18 2013 -0800
Committer: Rohit Yadav <bh...@apache.org>
Committed: Thu Jan 10 15:55:02 2013 -0800
----------------------------------------------------------------------
.../api-discovery_commands.properties.in | 23 ---
.../acl/StaticRoleBasedAPIAccessChecker.java | 138 +++++---------
2 files changed, 49 insertions(+), 112 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/345c179e/client/tomcatconf/api-discovery_commands.properties.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/api-discovery_commands.properties.in b/client/tomcatconf/api-discovery_commands.properties.in
deleted file mode 100644
index 49ddfde..0000000
--- a/client/tomcatconf/api-discovery_commands.properties.in
+++ /dev/null
@@ -1,23 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# bitmap of permissions at the end of each classname, 1 = ADMIN, 2 =
-# RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER
-# Please standardize naming conventions to camel-case (even for acronyms).
-
-# CloudStack API Discovery service command
-listApis=15
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/345c179e/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index 43ca403..689540a 100644
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -16,28 +16,23 @@
// under the License.
package org.apache.cloudstack.acl;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.*;
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.server.ManagementServer;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.ComponentLocator;
+import com.cloud.utils.component.PluggableService;
import javax.ejb.Local;
import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
-import org.apache.cloudstack.acl.APIAccessChecker;
-import org.apache.cloudstack.acl.RoleType;
import static org.apache.cloudstack.acl.RoleType.*;
import org.apache.log4j.Logger;
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.server.ManagementServer;
-import com.cloud.utils.PropertiesUtil;
-import com.cloud.utils.component.AdapterBase;
-import com.cloud.utils.component.ComponentLocator;
-import com.cloud.utils.component.PluggableService;
-
// This is the default API access checker that grab's the user's account
// based on the account type, access is granted
@Local(value=APIAccessChecker.class)
@@ -60,35 +55,29 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
}
@Override
- public boolean canAccessAPI(RoleType roleType, String apiCommandName)
- throws PermissionDeniedException{
-
- boolean commandExists = s_allCommands.contains(apiCommandName);
-
- if(commandExists) {
- return isCommandAvailableForAccount(roleType, apiCommandName);
- }
-
- return commandExists;
- }
-
- private static boolean isCommandAvailableForAccount(RoleType roleType, String commandName) {
- boolean isCommandAvailable = false;
- switch (roleType) {
- case Admin:
- isCommandAvailable = s_adminCommands.contains(commandName);
- break;
- case DomainAdmin:
- isCommandAvailable = s_resellerCommands.contains(commandName);
- break;
- case ResourceAdmin:
- isCommandAvailable = s_resourceDomainAdminCommands.contains(commandName);
- break;
- case User:
- isCommandAvailable = s_userCommands.contains(commandName);
- break;
+ public boolean canAccessAPI(RoleType roleType, String commandName)
+ throws PermissionDeniedException {
+
+ boolean commandExists = s_allCommands.contains(commandName);
+ boolean commandAccessible = false;
+
+ if (commandExists) {
+ switch (roleType) {
+ case Admin:
+ commandAccessible = s_adminCommands.contains(commandName);
+ break;
+ case DomainAdmin:
+ commandAccessible = s_resellerCommands.contains(commandName);
+ break;
+ case ResourceAdmin:
+ commandAccessible = s_resourceDomainAdminCommands.contains(commandName);
+ break;
+ case User:
+ commandAccessible = s_userCommands.contains(commandName);
+ break;
+ }
}
- return isCommandAvailable;
+ return commandExists && commandAccessible;
}
@Override
@@ -100,69 +89,40 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
List<PluggableService> services = locator.getAllPluggableServices();
services.add((PluggableService) ComponentLocator.getComponent(ManagementServer.Name));
- List<String> configFiles = new ArrayList<String>();
+ Map<String, String> configPropertiesMap = new HashMap<String, String>();
for (PluggableService service : services) {
- configFiles.addAll(Arrays.asList(service.getPropertiesFiles()));
+ configPropertiesMap.putAll(service.getProperties());
}
- processConfigFiles(configFiles);
+ processConfigFiles(configPropertiesMap);
return true;
}
- private void processConfigFiles(List<String> configFiles) {
- Properties preProcessedCommands = new Properties();
-
- for (String configFile : configFiles) {
- File commandsFile = PropertiesUtil.findConfigFile(configFile);
- if (commandsFile != null) {
- try {
- preProcessedCommands.load(new FileInputStream(commandsFile));
- } catch (FileNotFoundException fnfex) {
- // in case of a file within a jar in classpath, try to open stream using url
- InputStream stream = PropertiesUtil.openStreamFromURL(configFile);
- if (stream != null) {
- try {
- preProcessedCommands.load(stream);
- } catch (IOException e) {
- s_logger.error("IO Exception, unable to find properties file:", fnfex);
- }
- } else {
- s_logger.error("Unable to find properites file", fnfex);
- }
- } catch (IOException ioe) {
- s_logger.error("IO Exception loading properties file", ioe);
- }
- }
- }
-
- for (Object key : preProcessedCommands.keySet()) {
- String preProcessedCommand = preProcessedCommands.getProperty((String) key);
- int splitIndex = preProcessedCommand.lastIndexOf(";");
- // Backward compatible to old style, apiname=pkg;mask
- String mask = preProcessedCommand.substring(splitIndex+1);
-
+ private void processConfigFiles(Map<String, String> config) {
+ for (Map.Entry<String, String> entry: config.entrySet()) {
+ String apiName = entry.getKey();
+ String roleMask = entry.getValue();
try {
- short cmdPermissions = Short.parseShort(mask);
+ short cmdPermissions = Short.parseShort(roleMask);
if ((cmdPermissions & Admin.getValue()) != 0) {
- s_adminCommands.add((String) key);
+ s_adminCommands.add(apiName);
}
if ((cmdPermissions & ResourceAdmin.getValue()) != 0) {
- s_resourceDomainAdminCommands.add((String) key);
+ s_resourceDomainAdminCommands.add(apiName);
}
if ((cmdPermissions & DomainAdmin.getValue()) != 0) {
- s_resellerCommands.add((String) key);
+ s_resellerCommands.add(apiName);
}
if ((cmdPermissions & User.getValue()) != 0) {
- s_userCommands.add((String) key);
+ s_userCommands.add(apiName);
}
- s_allCommands.addAll(s_adminCommands);
- s_allCommands.addAll(s_resourceDomainAdminCommands);
- s_allCommands.addAll(s_userCommands);
- s_allCommands.addAll(s_resellerCommands);
} catch (NumberFormatException nfe) {
- s_logger.info("Malformed command.properties permissions value, key = " + key + ", value = " + preProcessedCommand);
+ s_logger.info("Malformed commands.properties permissions value, for entry: " + entry.toString());
}
}
+ s_allCommands.addAll(s_adminCommands);
+ s_allCommands.addAll(s_resourceDomainAdminCommands);
+ s_allCommands.addAll(s_userCommands);
+ s_allCommands.addAll(s_resellerCommands);
}
-
}