You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by hu...@apache.org on 2013/01/15 09:21:20 UTC
[4/26] git commit: APIChecker: Make interface generic,
pass user and not just role
APIChecker: Make interface generic, pass user and not just role
Signed-off-by: Rohit Yadav <bh...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/896e505d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/896e505d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/896e505d
Branch: refs/heads/cloud-agent-with-openvswitch
Commit: 896e505da6de08e723b339e748064de10d250c8c
Parents: 9139949
Author: Rohit Yadav <bh...@apache.org>
Authored: Mon Jan 14 15:06:46 2013 -0800
Committer: Rohit Yadav <bh...@apache.org>
Committed: Mon Jan 14 15:08:45 2013 -0800
----------------------------------------------------------------------
api/src/org/apache/cloudstack/acl/APIChecker.java | 4 ++--
.../acl/StaticRoleBasedAPIAccessChecker.java | 12 +++++++++++-
server/src/com/cloud/api/ApiServer.java | 4 +---
3 files changed, 14 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/896e505d/api/src/org/apache/cloudstack/acl/APIChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/APIChecker.java b/api/src/org/apache/cloudstack/acl/APIChecker.java
index b14dfe1..9e5c6c6 100644
--- a/api/src/org/apache/cloudstack/acl/APIChecker.java
+++ b/api/src/org/apache/cloudstack/acl/APIChecker.java
@@ -17,11 +17,11 @@
package org.apache.cloudstack.acl;
import com.cloud.exception.PermissionDeniedException;
-import org.apache.cloudstack.acl.RoleType;
+import com.cloud.user.User;
import com.cloud.utils.component.Adapter;
// APIChecker checks the ownership and access control to API requests
public interface APIChecker extends Adapter {
// Interface for checking access for a role using apiname
- boolean checkAccess(RoleType roleType, String apiCommandName) throws PermissionDeniedException;
+ boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/896e505d/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index affd69e..55db288 100644
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -18,6 +18,9 @@ package org.apache.cloudstack.acl;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.server.ManagementServer;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
import com.cloud.utils.component.AdapterBase;
import com.cloud.utils.component.ComponentLocator;
import com.cloud.utils.component.PluggableService;
@@ -42,6 +45,8 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC
private static Map<RoleType, Set<String>> s_roleBasedApisMap =
new HashMap<RoleType, Set<String>>();
+ private static AccountService s_accountService;
+
protected StaticRoleBasedAPIAccessChecker() {
super();
for (RoleType roleType: RoleType.values())
@@ -49,8 +54,10 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC
}
@Override
- public boolean checkAccess(RoleType roleType, String commandName)
+ public boolean checkAccess(User user, String commandName)
throws PermissionDeniedException {
+ Account account = s_accountService.getAccount(user.getAccountId());
+ RoleType roleType = s_accountService.getRoleType(account);
boolean isAllowed = s_roleBasedApisMap.get(roleType).contains(commandName);
if (!isAllowed) {
throw new PermissionDeniedException("The API does not exist or is blacklisted. Role type=" + roleType.toString() + " is not allowed to request the api: " + commandName);
@@ -64,6 +71,9 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIC
// Read command properties files to build the static map per role.
ComponentLocator locator = ComponentLocator.getLocator(ManagementServer.Name);
+
+ s_accountService = locator.getManager(AccountService.class);
+
List<PluggableService> services = locator.getAllPluggableServices();
services.add((PluggableService) ComponentLocator.getComponent(ManagementServer.Name));
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/896e505d/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 03462e4..c8511b2 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -785,11 +785,9 @@ public class ApiServer implements HttpRequestHandler {
throw new PermissionDeniedException("User is null for role based API access check for command" + commandName);
}
- Account account = _accountMgr.getAccount(user.getAccountId());
- RoleType roleType = _accountMgr.getRoleType(account);
for (APIChecker apiChecker : _apiAccessCheckers) {
// Fail the checking if any checker fails to verify
- if (!apiChecker.checkAccess(roleType, commandName))
+ if (!apiChecker.checkAccess(user, commandName))
return false;
}
return true;