Posted to commits@cloudstack.apache.org by mc...@apache.org on 2013/12/27 04:54:23 UTC

git commit: updated refs/heads/rbac to c950651

Updated Branches:
  refs/heads/rbac e28009553 -> c950651fe


Use IAMService to implement QuerySelector adapter.

Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/c950651f
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/c950651f
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/c950651f

Branch: refs/heads/rbac
Commit: c950651fe27a1742b5d2271f821e302581e4975b
Parents: e280095
Author: Min Chen <mi...@citrix.com>
Authored: Thu Dec 26 19:53:49 2013 -0800
Committer: Min Chen <mi...@citrix.com>
Committed: Thu Dec 26 19:53:49 2013 -0800

----------------------------------------------------------------------
 .../org/apache/cloudstack/acl/QueryChecker.java |  58 -----------
 .../apache/cloudstack/acl/QuerySelector.java    |  58 +++++++++++
 .../acl/entity/RoleBasedEntityQueryChecker.java |  51 ---------
 .../entity/RoleBasedEntityQuerySelector.java    |  51 +++++++++
 services/iam/plugin/pom.xml                     |   7 +-
 .../org/apache/cloudstack/acl/AclService.java   |   6 --
 .../apache/cloudstack/acl/AclServiceImpl.java   |  58 -----------
 .../acl/entity/RoleBasedEntityQueryChecker.java |  51 ---------
 .../entity/RoleBasedEntityQuerySelector.java    | 103 +++++++++++++++++++
 .../apache/cloudstack/iam/api/IAMService.java   |   3 +
 .../cloudstack/iam/server/IAMServiceImpl.java   |  10 +-
 11 files changed, 230 insertions(+), 226 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/api/src/org/apache/cloudstack/acl/QueryChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/QueryChecker.java b/api/src/org/apache/cloudstack/acl/QueryChecker.java
deleted file mode 100644
index e8e9cf3..0000000
--- a/api/src/org/apache/cloudstack/acl/QueryChecker.java
+++ /dev/null
@@ -1,58 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl;
-
-import java.util.List;
-
-import com.cloud.user.Account;
-import com.cloud.utils.component.Adapter;
-
-/**
- * QueryChecker returns granted access at domain, account or resource level.
- */
-public interface QueryChecker extends Adapter {
-
-    /**
-    * List granted domains for the caller, given a specific entity type.
-    *
-    * @param caller account to check against.
-    * @param entityType entity type
-    * @return list of domain Ids granted to the caller account.
-    */
-    List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType);
-
-    /**
-    * List granted accounts for the caller, given a specific entity type.
-    *
-    * @param caller account to check against.
-    * @param entityType entity type
-    * @return list of domain Ids granted to the caller account.
-    */
-    List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType);
-
-
-    /**
-    * List granted resources for the caller, given a specific entity type.
-    *
-    * @param caller account to check against.
-    * @param entityType entity type
-    * @return list of domain Ids granted to the caller account.
-    */
-    List<Long> getAuthorizedResources(Account caller, AclEntityType entityType);
-
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/api/src/org/apache/cloudstack/acl/QuerySelector.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/QuerySelector.java b/api/src/org/apache/cloudstack/acl/QuerySelector.java
new file mode 100644
index 0000000..56bf982
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/QuerySelector.java
@@ -0,0 +1,58 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import java.util.List;
+
+import com.cloud.user.Account;
+import com.cloud.utils.component.Adapter;
+
+/**
+ * QueryChecker returns granted access at domain, account or resource level.
+ */
+public interface QuerySelector extends Adapter {
+
+    /**
+    * List granted domains for the caller, given a specific action.
+    *
+    * @param caller account to check against.
+    * @param action action
+    * @return list of domain Ids granted to the caller account.
+    */
+    List<Long> getAuthorizedDomains(Account caller, String action);
+
+    /**
+    * List granted accounts for the caller, given a specific action.
+    *
+    * @param caller account to check against.
+    * @param action action.
+    * @return list of domain Ids granted to the caller account.
+    */
+    List<Long> getAuthorizedAccounts(Account caller, String action);
+
+
+    /**
+    * List granted resources for the caller, given a specific action.
+    *
+    * @param caller account to check against.
+    * @param action action.
+    * @return list of domain Ids granted to the caller account.
+    */
+    List<Long> getAuthorizedResources(Account caller, String action);
+
+
+}
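Review bot: The class Javadoc on the new interface still reads `QueryChecker returns granted access at domain, account or resource level.`, and the `@return` tags on getAuthorizedAccounts and getAuthorizedResources both say `list of domain Ids granted to the caller account.`, carried over from getAuthorizedDomains. Suggest `* QuerySelector returns granted access at domain, account or resource level.` for the summary and `@return list of account Ids granted to the caller account.` / `@return list of resource Ids granted to the caller account.` for the two methods. The contract should also state whether an implementation may return null or must return an empty list when nothing is granted, since the two implementations added in this commit disagree on that point.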

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
deleted file mode 100644
index 7ddc8fd..0000000
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
+++ /dev/null
@@ -1,51 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.entity;
-
-import java.util.List;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.AclEntityType;
-import org.apache.cloudstack.acl.QueryChecker;
-
-import com.cloud.user.Account;
-import com.cloud.utils.component.AdapterBase;
-
-public class RoleBasedEntityQueryChecker extends AdapterBase implements QueryChecker {
-
-    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQueryChecker.class.getName());
-
-    @Override
-    public List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-    @Override
-    public List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-    @Override
-    public List<Long> getAuthorizedResources(Account caller, AclEntityType entityType) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
new file mode 100644
index 0000000..3deea5c
--- /dev/null
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
@@ -0,0 +1,51 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.entity;
+
+import java.util.List;
+
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.QuerySelector;
+
+import com.cloud.user.Account;
+import com.cloud.utils.component.AdapterBase;
+
+public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
+
+    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
+
+    @Override
+    public List<Long> getAuthorizedDomains(Account caller, String action) {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public List<Long> getAuthorizedAccounts(Account caller, String action) {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public List<Long> getAuthorizedResources(Account caller, String action) {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+
+}
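Review bot: All three methods in this file are still generated stubs that `return null;`, while the class with the identical fully qualified name added under services/iam/plugin in the same commit returns populated or empty lists; a caller iterating the result from this adapter gets a NullPointerException, and an authorization query whose "nothing granted" answer is null rather than an empty list is easy for a caller that only tests for null to misread as unrestricted. If this copy is meant to stay, `return Collections.emptyList();` (with `import java.util.Collections;`) is the safer placeholder; if it is superseded by the services/iam/plugin version it should be removed rather than shipped as a second class with the same package and name. The `s_logger` field is also unused here.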

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/services/iam/plugin/pom.xml
----------------------------------------------------------------------
diff --git a/services/iam/plugin/pom.xml b/services/iam/plugin/pom.xml
index f58cc47..e674100 100644
--- a/services/iam/plugin/pom.xml
+++ b/services/iam/plugin/pom.xml
@@ -41,6 +41,11 @@
       <groupId>org.apache.cloudstack</groupId>
       <artifactId>cloud-server</artifactId>
       <version>${project.version}</version>    
-    </dependency>         
+    </dependency>  
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-iam</artifactId>
+      <version>${project.version}</version>    
+    </dependency>            
   </dependencies> 
 </project>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java b/services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java
index c8d8b48..889a0d3 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java
@@ -56,11 +56,5 @@ public interface AclService {
 
     List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
 
-    /* Visibility related interfaces */
-    List<Long> getGrantedDomains(long accountId, String action);
-
-    List<Long> getGrantedAccounts(long accountId, String action);
-
-    List<Long> getGrantedResources(long accountId, String action);
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java
index 3581ef0..628672e 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java
@@ -27,7 +27,6 @@ import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.acl.dao.AclApiPermissionDao;
 import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
 import org.apache.cloudstack.acl.dao.AclGroupDao;
 import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao;
@@ -676,61 +675,4 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
         return policies;
     }
 
-    @Override
-    public List<Long> getGrantedDomains(long accountId, String action) {
-        // Get the static Policies of the Caller
-        List<AclPolicy> policies = listAclPolicies(accountId);
-        // for each policy, find granted permission with Domain scope
-        List<Long> domainIds = new ArrayList<Long>();
-        for (AclPolicy policy : policies) {
-            List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.DOMAIN);
-            if (pp != null) {
-                for (AclPolicyPermissionVO p : pp) {
-                    if (p.getScopeId() != null) {
-                        domainIds.add(p.getScopeId());
-                    }
-                }
-            }
-        }
-        return domainIds;
-    }
-
-    @Override
-    public List<Long> getGrantedAccounts(long accountId, String action) {
-        // Get the static Policies of the Caller
-        List<AclPolicy> policies = listAclPolicies(accountId);
-        // for each policy, find granted permission with Account scope
-        List<Long> accountIds = new ArrayList<Long>();
-        for (AclPolicy policy : policies) {
-            List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ACCOUNT);
-            if (pp != null) {
-                for (AclPolicyPermissionVO p : pp) {
-                    if (p.getScopeId() != null) {
-                        accountIds.add(p.getScopeId());
-                    }
-                }
-            }
-        }
-        return accountIds;
-    }
-
-    @Override
-    public List<Long> getGrantedResources(long accountId, String action) {
-        // Get the static Policies of the Caller
-        List<AclPolicy> policies = listAclPolicies(accountId);
-        // for each policy, find granted permission with Resource scope
-        List<Long> entityIds = new ArrayList<Long>();
-        for (AclPolicy policy : policies) {
-            List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.RESOURCE);
-            if (pp != null) {
-                for (AclPolicyPermissionVO p : pp) {
-                    if (p.getScopeId() != null) {
-                        entityIds.add(p.getScopeId());
-                    }
-                }
-            }
-        }
-        return entityIds;
-    }
-
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
deleted file mode 100644
index 7ddc8fd..0000000
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
+++ /dev/null
@@ -1,51 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.entity;
-
-import java.util.List;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.AclEntityType;
-import org.apache.cloudstack.acl.QueryChecker;
-
-import com.cloud.user.Account;
-import com.cloud.utils.component.AdapterBase;
-
-public class RoleBasedEntityQueryChecker extends AdapterBase implements QueryChecker {
-
-    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQueryChecker.class.getName());
-
-    @Override
-    public List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-    @Override
-    public List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-    @Override
-    public List<Long> getAuthorizedResources(Account caller, AclEntityType entityType) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
new file mode 100644
index 0000000..bf84a34
--- /dev/null
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
@@ -0,0 +1,103 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.entity;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.inject.Inject;
+
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.QuerySelector;
+import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
+import org.apache.cloudstack.iam.api.IAMService;
+
+import com.cloud.user.Account;
+import com.cloud.utils.component.AdapterBase;
+
+public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
+
+    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
+
+    @Inject
+    IAMService _iamService;
+
+    @Override
+    public List<Long> getAuthorizedDomains(Account caller, String action) {
+        long accountId = caller.getAccountId();
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
+        // for each policy, find granted permission with Domain scope
+        List<Long> domainIds = new ArrayList<Long>();
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.DOMAIN.toString());
+            if (pp != null) {
+                for (AclPolicyPermission p : pp) {
+                    if (p.getScopeId() != null) {
+                        domainIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return domainIds;
+    }
+
+    @Override
+    public List<Long> getAuthorizedAccounts(Account caller, String action) {
+        long accountId = caller.getAccountId();
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
+        // for each policy, find granted permission with Account scope
+        List<Long> accountIds = new ArrayList<Long>();
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ACCOUNT.toString());
+            if (pp != null) {
+                for (AclPolicyPermission p : pp) {
+                    if (p.getScopeId() != null) {
+                        accountIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return accountIds;
+    }
+
+    @Override
+    public List<Long> getAuthorizedResources(Account caller, String action) {
+        long accountId = caller.getAccountId();
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
+        // for each policy, find granted permission with Resource scope
+        List<Long> entityIds = new ArrayList<Long>();
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.RESOURCE.toString());
+            if (pp != null) {
+                for (AclPolicyPermission p : pp) {
+                    if (p.getScopeId() != null) {
+                        entityIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return entityIds;
+    }
+
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 0532abb..9695efd 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -50,8 +50,11 @@ public interface IAMService {
     AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
             String action);
 
+    List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope);
+
     boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
 
     List<Long> getGrantedEntities(long accountId, String action, String scope);
 
+
 }
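Review bot: `listPolicyPermissionsByScope` is added to the public IAMService interface without a comment saying what `scope` accepts or what is returned when the policy grants nothing for the action; the only caller in this commit passes `PermissionScope.X.toString()` and then guards the result against null, so both points are currently left to guesswork. A Javadoc above the declaration should state that `scope` is the name of a PermissionScope value, that the result holds the permissions of `policyId` granting `action` at that scope, and that an empty list (not null) means no grant, matching the implementation in this commit which always builds a fresh list.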

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c950651f/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 3ec32e3..fa7c922 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -24,8 +24,10 @@ import javax.inject.Inject;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclGroup;
 import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
 import org.apache.cloudstack.iam.api.IAMService;
 import org.apache.cloudstack.iam.server.dao.AclGroupAccountMapDao;
@@ -33,7 +35,6 @@ import org.apache.cloudstack.iam.server.dao.AclGroupDao;
 import org.apache.cloudstack.iam.server.dao.AclGroupPolicyMapDao;
 import org.apache.cloudstack.iam.server.dao.AclPolicyDao;
 import org.apache.cloudstack.iam.server.dao.AclPolicyPermissionDao;
-import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
@@ -539,5 +540,12 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
         return entityIds;
     }
 
+    @Override
+    public List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope) {
+        List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policyId, action, scope);
+        List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
+        pl.addAll(pp);
+        return pl;
+    }
 
 }
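Review bot: `pl.addAll(pp)` throws NullPointerException if `_policyPermissionDao.listGrantedByActionAndScope` returns null, while the only caller added in this commit (RoleBasedEntityQuerySelector) null-checks the result of this method instead, so the guard sits one layer too high. Either guard here, `if (pp != null) { pl.addAll(pp); }`, or confirm the DAO never returns null and drop the caller-side checks. Copying into a fresh list is good, since it keeps the VO list from being handed across the service boundary. The `scope` string is forwarded to the DAO as-is; that is fine for the enum-derived caller in this commit, but the interface accepts any String, so any later external caller should be validated at this point.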