You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by bh...@apache.org on 2013/01/10 20:49:58 UTC
[2/2] git commit: APIAccessChecker: Make it check based on role type
and not user
Updated Branches:
refs/heads/master 1b8e17255 -> 62a42723f
APIAccessChecker: Make it check based on role type and not user
Signed-off-by: Rohit Yadav <bh...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/62a42723
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/62a42723
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/62a42723
Branch: refs/heads/master
Commit: 62a42723f995279fcaa4a63d9b0be061d32c66ca
Parents: c6d9877
Author: Rohit Yadav <bh...@apache.org>
Authored: Thu Jan 10 11:49:15 2013 -0800
Committer: Rohit Yadav <bh...@apache.org>
Committed: Thu Jan 10 11:49:15 2013 -0800
----------------------------------------------------------------------
.../apache/cloudstack/acl/APIAccessChecker.java | 7 +-
.../acl/StaticRoleBasedAPIAccessChecker.java | 84 ++++++---------
server/src/com/cloud/api/ApiServer.java | 33 ++++++-
3 files changed, 69 insertions(+), 55 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/62a42723/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java b/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
index 3194bd1..a5c656d 100644
--- a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
+++ b/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
@@ -16,11 +16,8 @@
// under the License.
package org.apache.cloudstack.acl;
-import java.util.Properties;
-
+import org.apache.cloudstack.acl.RoleType;
import com.cloud.exception.PermissionDeniedException;
-import com.cloud.user.Account;
-import com.cloud.user.User;
import com.cloud.utils.component.Adapter;
/**
@@ -28,5 +25,5 @@ import com.cloud.utils.component.Adapter;
*/
public interface APIAccessChecker extends Adapter {
// Interface for checking access to an API for an user
- boolean canAccessAPI(User user, String apiCommandName) throws PermissionDeniedException;
+ boolean canAccessAPI(RoleType roleType, String apiCommandName) throws PermissionDeniedException;
}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/62a42723/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index d39f87f..43ca403 100644
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -27,80 +27,66 @@ import javax.ejb.Local;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.APIAccessChecker;
+import org.apache.cloudstack.acl.RoleType;
+import static org.apache.cloudstack.acl.RoleType.*;
import org.apache.log4j.Logger;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.server.ManagementServer;
-import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
-import com.cloud.user.User;
import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.component.AdapterBase;
import com.cloud.utils.component.ComponentLocator;
-import com.cloud.utils.component.Inject;
import com.cloud.utils.component.PluggableService;
-/*
- * This is the default API access checker that grab's the user's account
- * based on the account type, access is granted referring to commands in all *.properties files.
- */
-
+// This is the default API access checker that grab's the user's account
+// based on the account type, access is granted
@Local(value=APIAccessChecker.class)
public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIAccessChecker {
protected static final Logger s_logger = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
- public static final short ADMIN_COMMAND = 1;
- public static final short DOMAIN_ADMIN_COMMAND = 4;
- public static final short RESOURCE_DOMAIN_ADMIN_COMMAND = 2;
- public static final short USER_COMMAND = 8;
- private static List<String> s_userCommands = null;
- private static List<String> s_resellerCommands = null; // AKA domain-admin
- private static List<String> s_adminCommands = null;
- private static List<String> s_resourceDomainAdminCommands = null;
- private static List<String> s_allCommands = null;
-
- protected @Inject AccountManager _accountMgr;
+ private static Set<String> s_userCommands = null;
+ private static Set<String> s_resellerCommands = null; // AKA domain-admin
+ private static Set<String> s_adminCommands = null;
+ private static Set<String> s_resourceDomainAdminCommands = null;
+ private static Set<String> s_allCommands = null;
protected StaticRoleBasedAPIAccessChecker() {
super();
- s_allCommands = new ArrayList<String>();
- s_userCommands = new ArrayList<String>();
- s_resellerCommands = new ArrayList<String>();
- s_adminCommands = new ArrayList<String>();
- s_resourceDomainAdminCommands = new ArrayList<String>();
+ s_allCommands = new HashSet<String>();
+ s_userCommands = new HashSet<String>();
+ s_resellerCommands = new HashSet<String>();
+ s_adminCommands = new HashSet<String>();
+ s_resourceDomainAdminCommands = new HashSet<String>();
}
@Override
- public boolean canAccessAPI(User user, String apiCommandName)
+ public boolean canAccessAPI(RoleType roleType, String apiCommandName)
throws PermissionDeniedException{
boolean commandExists = s_allCommands.contains(apiCommandName);
- if(commandExists && user != null){
- Long accountId = user.getAccountId();
- Account userAccount = _accountMgr.getAccount(accountId);
- short accountType = userAccount.getType();
- return isCommandAvailableForAccount(accountType, apiCommandName);
+ if(commandExists) {
+ return isCommandAvailableForAccount(roleType, apiCommandName);
}
return commandExists;
}
- private static boolean isCommandAvailableForAccount(short accountType, String commandName) {
+ private static boolean isCommandAvailableForAccount(RoleType roleType, String commandName) {
boolean isCommandAvailable = false;
- switch (accountType) {
- case Account.ACCOUNT_TYPE_ADMIN:
- isCommandAvailable = s_adminCommands.contains(commandName);
- break;
- case Account.ACCOUNT_TYPE_DOMAIN_ADMIN:
- isCommandAvailable = s_resellerCommands.contains(commandName);
- break;
- case Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN:
- isCommandAvailable = s_resourceDomainAdminCommands.contains(commandName);
- break;
- case Account.ACCOUNT_TYPE_NORMAL:
- isCommandAvailable = s_userCommands.contains(commandName);
- break;
+ switch (roleType) {
+ case Admin:
+ isCommandAvailable = s_adminCommands.contains(commandName);
+ break;
+ case DomainAdmin:
+ isCommandAvailable = s_resellerCommands.contains(commandName);
+ break;
+ case ResourceAdmin:
+ isCommandAvailable = s_resourceDomainAdminCommands.contains(commandName);
+ break;
+ case User:
+ isCommandAvailable = s_userCommands.contains(commandName);
+ break;
}
return isCommandAvailable;
}
@@ -157,16 +143,16 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
try {
short cmdPermissions = Short.parseShort(mask);
- if ((cmdPermissions & ADMIN_COMMAND) != 0) {
+ if ((cmdPermissions & Admin.getValue()) != 0) {
s_adminCommands.add((String) key);
}
- if ((cmdPermissions & RESOURCE_DOMAIN_ADMIN_COMMAND) != 0) {
+ if ((cmdPermissions & ResourceAdmin.getValue()) != 0) {
s_resourceDomainAdminCommands.add((String) key);
}
- if ((cmdPermissions & DOMAIN_ADMIN_COMMAND) != 0) {
+ if ((cmdPermissions & DomainAdmin.getValue()) != 0) {
s_resellerCommands.add((String) key);
}
- if ((cmdPermissions & USER_COMMAND) != 0) {
+ if ((cmdPermissions & User.getValue()) != 0) {
s_userCommands.add((String) key);
}
s_allCommands.addAll(s_adminCommands);
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/62a42723/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 17a2b29..1c1e8ca 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -53,6 +53,7 @@ import javax.servlet.http.HttpSession;
import com.cloud.utils.ReflectUtil;
import org.apache.cloudstack.acl.APIAccessChecker;
import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.*;
import org.apache.cloudstack.api.command.user.account.ListAccountsCmd;
import org.apache.cloudstack.api.command.user.account.ListProjectAccountsCmd;
@@ -790,9 +791,39 @@ public class ApiServer implements HttpRequestHandler {
}
private boolean isCommandAvailable(User user, String commandName) {
+ if (user == null) {
+ return false;
+ }
+
+ Account account = _accountMgr.getAccount(user.getAccountId());
+ if (account == null) {
+ return false;
+ }
+
+ RoleType roleType = RoleType.Unknown;
+ short accountType = account.getType();
+
+ // Account type to role type translation
+ switch (accountType) {
+ case Account.ACCOUNT_TYPE_ADMIN:
+ roleType = RoleType.Admin;
+ break;
+ case Account.ACCOUNT_TYPE_DOMAIN_ADMIN:
+ roleType = RoleType.DomainAdmin;
+ break;
+ case Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN:
+ roleType = RoleType.ResourceAdmin;
+ break;
+ case Account.ACCOUNT_TYPE_NORMAL:
+ roleType = RoleType.User;
+ break;
+ default:
+ return false;
+ }
+
for (APIAccessChecker apiChecker : _apiAccessCheckers) {
// Fail the checking if any checker fails to verify
- if (!apiChecker.canAccessAPI(user, commandName))
+ if (!apiChecker.canAccessAPI(roleType, commandName))
return false;
}
return true;