Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/03/06 23:07:24 UTC
[41/50] [abbrv] git commit: updated refs/heads/rbac to 48e08fe
CLOUDSTACK-5920: Add some interface methods and constants required by
IAM.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/793becf5
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/793becf5
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/793becf5
Branch: refs/heads/rbac
Commit: 793becf524520c62fd5df35b22128db13347f6c9
Parents: d0ae4d9
Author: Min Chen <mi...@citrix.com>
Authored: Tue Mar 4 17:34:50 2014 -0800
Committer: Min Chen <mi...@citrix.com>
Committed: Wed Mar 5 09:40:55 2014 -0800
----------------------------------------------------------------------
api/src/com/cloud/event/EventTypes.java | 13 ++++
.../apache/cloudstack/acl/PermissionScope.java | 25 +++++++
.../apache/cloudstack/acl/QuerySelector.java | 72 ++++++++++++++++++++
.../apache/cloudstack/acl/SecurityChecker.java | 22 +++++-
.../org/apache/cloudstack/api/APICommand.java | 3 +
.../cloudstack/api/ApiCommandJobType.java | 4 +-
.../org/apache/cloudstack/api/ApiConstants.java | 18 +++++
.../src/com/cloud/template/TemplateManager.java | 3 +
server/src/com/cloud/acl/DomainChecker.java | 6 ++
server/src/com/cloud/api/ApiServer.java | 3 +-
server/src/com/cloud/api/ApiServerService.java | 2 +
server/src/com/cloud/user/AccountManager.java | 4 ++
server/src/com/cloud/user/DomainManager.java | 3 +
utils/src/com/cloud/utils/db/EntityManager.java | 6 ++
14 files changed, 181 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/com/cloud/event/EventTypes.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/event/EventTypes.java b/api/src/com/cloud/event/EventTypes.java
index 7dd8772..ec54ea1 100755
--- a/api/src/com/cloud/event/EventTypes.java
+++ b/api/src/com/cloud/event/EventTypes.java
@@ -455,6 +455,19 @@ public class EventTypes {
public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE";
+ // IAM events
+ public static final String EVENT_IAM_POLICY_CREATE = "IAMPOLICY.CREATE";
+ public static final String EVENT_IAM_POLICY_DELETE = "IAMPOLICY.DELETE";
+ public static final String EVENT_IAM_POLICY_GRANT = "IAMPOLICY.GRANT";
+ public static final String EVENT_IAM_POLICY_REVOKE = "IAMPOLICY.REVOKE";
+
+ public static final String EVENT_IAM_GROUP_UPDATE = "IAMGROUP.UPDATE";
+ public static final String EVENT_IAM_GROUP_CREATE = "IAMGROUP.CREATE";
+ public static final String EVENT_IAM_GROUP_DELETE = "IAMGROUP.DELETE";
+ public static final String EVENT_IAM_GROUP_GRANT = "IAMGROUP.GRANT";
+ public static final String EVENT_IAM_GROUP_REVOKE = "IAMGROUP.REVOKE";
+ public static final String EVENT_IAM_ACCOUNT_POLICY_UPDATE = "IAMACCOUNTPOLICY.UPDATE";
+
// Object store migration
public static final String EVENT_MIGRATE_PREPARE_SECONDARY_STORAGE = "MIGRATE.PREPARE.SS";
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/acl/PermissionScope.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/PermissionScope.java b/api/src/org/apache/cloudstack/acl/PermissionScope.java
new file mode 100644
index 0000000..03dbc10
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/PermissionScope.java
@@ -0,0 +1,25 @@
+package org.apache.cloudstack.acl;
+
+public enum PermissionScope {
+ RESOURCE(0),
+ ACCOUNT(1),
+ DOMAIN(2),
+ REGION(3), ALL(4);
+
+ private int _scale;
+
+ private PermissionScope(int scale) {
+ _scale = scale;
+ }
+
+ public int getScale() {
+ return _scale;
+ }
+
+ public boolean greaterThan(PermissionScope s) {
+ if (_scale > s.getScale())
+ return true;
+ else
+ return false;
+ }
+}
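Review bot: The new PermissionScope.java has no Apache license header, unlike QuerySelector.java added in the same commit, so the RAT check will flag it; the same header block belongs above `package org.apache.cloudstack.acl;`. In greaterThan the if/else around a boolean condition can collapse to `return _scale > s.getScale();`, and because `s` is dereferenced unconditionally a null argument throws NullPointerException — either say so in Javadoc or guard with `Objects.requireNonNull(s, "s");`. The enum itself carries no comment; a one-liner such as `/** Scope at which an IAM permission applies; the scale value orders scopes and is what greaterThan compares. */` would make the purpose of the numeric scale explicit (the exact meaning of each scope is not visible here, so the author should fill that in).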
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/acl/QuerySelector.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/QuerySelector.java b/api/src/org/apache/cloudstack/acl/QuerySelector.java
new file mode 100644
index 0000000..b89aa4e
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/QuerySelector.java
@@ -0,0 +1,72 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import java.util.List;
+
+import com.cloud.user.Account;
+import com.cloud.utils.component.Adapter;
+
+/**
+ * QueryChecker returns granted access at domain, account or resource level.
+ */
+public interface QuerySelector extends Adapter {
+
+ /**
+ * List granted domains for the caller, given a specific action.
+ *
+ * @param caller account to check against.
+ * @param action action
+ * @return list of domain Ids granted to the caller account.
+ */
+ List<Long> getAuthorizedDomains(Account caller, String action);
+
+ /**
+ * List granted accounts for the caller, given a specific action.
+ *
+ * @param caller account to check against.
+ * @param action action.
+ * @return list of domain Ids granted to the caller account.
+ */
+ List<Long> getAuthorizedAccounts(Account caller, String action);
+
+
+ /**
+ * List granted resources for the caller, given a specific action.
+ *
+ * @param caller account to check against.
+ * @param action action.
+ * @return list of domain Ids granted to the caller account.
+ */
+ List<Long> getAuthorizedResources(Account caller, String action);
+
+ /**
+ * Check if this account is associated with a policy with scope of ALL
+ * @param caller account to check
+ * @param action action.
+ * @return true if this account is attached with a policy for the given action of ALL scope.
+ */
+ boolean isGrantedAll(Account caller, String action);
+
+ /**
+ * List of ACL group the given account belongs to
+ * @param accountId account id.
+ * @return ACL group names
+ */
+ List<String> listAclGroupsByAccount(long accountId);
+
+}
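Review bot: The Javadoc on getAuthorizedAccounts and getAuthorizedResources still says `@return list of domain Ids granted to the caller account.`, copied from getAuthorizedDomains; they should read `@return list of account Ids granted to the caller account.` and `@return list of resource Ids granted to the caller account.` respectively. The type-level comment names `QueryChecker` while the interface is `QuerySelector`. The `action` parameter is described only as `action`; if it is the API name, as the new SecurityChecker overload in this commit suggests, say so with `@param action name of the API being invoked`, and for listAclGroupsByAccount state what is returned when the account belongs to no group (an empty list rather than null would be the expected contract).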
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/acl/SecurityChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
index ab3f7c5..aab88fe 100644
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@@ -31,7 +31,7 @@ import com.cloud.utils.component.Adapter;
public interface SecurityChecker extends Adapter {
public enum AccessType {
- ListEntry, ModifyEntry, ModifyProject, UseNetwork
+ ListEntry, ModifyEntry, ModifyProject, UseNetwork, OperateEntry, UseEntry
}
/**
@@ -76,6 +76,26 @@ public interface SecurityChecker extends Adapter {
boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException;
/**
+ * Checks if the account can access the object.
+ *
+ * @param caller
+ * account to check against.
+ * @param entity
+ * object that the account is trying to access.
+ * @param accessType
+ * TODO
+ * @param action
+ * name of the API
+ * @return true if access allowed. false if this adapter cannot provide
+ * permission.
+ * @throws PermissionDeniedException
+ * if this adapter is suppose to authenticate ownership and the
+ * check failed.
+ */
+ boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException;
+
+
+ /**
* Checks if the user belongs to an account that can access the object.
*
* @param user
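Review bot: The Javadoc for the new four-argument checkAccess leaves `@param accessType TODO` in place, and that placeholder is what ships in the public API; replace it with a description such as `@param accessType type of access being requested on the entity (see AccessType)`. The relationship between `accessType` and `action` is also unstated — whether an adapter is expected to authorize on the API name, on the access type, or both — and since every SecurityChecker implementation must now provide this overload, that contract belongs in the Javadoc. The two new AccessType values OperateEntry and UseEntry in the earlier hunk are added without a comment distinguishing them from ModifyEntry and UseNetwork; a short comment per value would help implementors. The copied phrase `is suppose to authenticate ownership` should read `is supposed to`.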
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/api/APICommand.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/APICommand.java b/api/src/org/apache/cloudstack/api/APICommand.java
index f0b46a4..6211afc 100644
--- a/api/src/org/apache/cloudstack/api/APICommand.java
+++ b/api/src/org/apache/cloudstack/api/APICommand.java
@@ -22,6 +22,7 @@ import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
+import org.apache.cloudstack.acl.IAMEntityType;
import org.apache.cloudstack.acl.RoleType;
@Retention(RetentionPolicy.RUNTIME)
@@ -44,4 +45,6 @@ public @interface APICommand {
boolean responseHasSensitiveInfo() default true;
RoleType[] authorized() default {};
+
+ IAMEntityType[] entityType() default {};
}
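Review bot: The new annotation element `entityType()` has no Javadoc, although it becomes part of the contract of every annotated command class; add a comment stating what consumes the element and how the empty default is treated, along the lines of `/** IAM entity types this command operates on; consumed by the IAM access checks. Empty means <behaviour for the default — to be stated by the author>. */`. The import of `org.apache.cloudstack.acl.IAMEntityType` in the first hunk refers to a type that is not among the files in this commit's diffstat, so it compiles only if the type already exists on the rbac branch; worth confirming.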
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/api/ApiCommandJobType.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ApiCommandJobType.java b/api/src/org/apache/cloudstack/api/ApiCommandJobType.java
index 3067af8..f27f001 100644
--- a/api/src/org/apache/cloudstack/api/ApiCommandJobType.java
+++ b/api/src/org/apache/cloudstack/api/ApiCommandJobType.java
@@ -49,5 +49,7 @@ public enum ApiCommandJobType {
LoadBalancerRule,
AffinityGroup,
InternalLbVm,
- DedicatedGuestVlanRange
+ DedicatedGuestVlanRange,
+ IAMPolicy,
+ IAMGroup
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/api/src/org/apache/cloudstack/api/ApiConstants.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java
index 7b7f9ca..14df653 100755
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@@ -544,6 +544,24 @@ public class ApiConstants {
public static final String ROUTING = "isrouting";
public static final String MAX_CONNECTIONS = "maxconnections";
public static final String SERVICE_STATE = "servicestate";
+
+ public static final String IAM_ACCOUNT_IDS = "accountids";
+ public static final String IAM_MEMBER_ACCOUNTS = "memberaccounts";
+ public static final String IAM_PARENT_POLICY_ID = "parentpolicyid";
+ public static final String IAM_PARENT_POLICY_NAME = "parentpolicyname";
+ public static final String IAM_POLICY_IDS = "policyids";
+ public static final String IAM_POLICIES = "policies";
+ public static final String IAM_APIS = "apis";
+ public static final String IAM_GROUPS = "groups";
+ public static final String IAM_PERMISSIONS = "permission";
+ public static final String IAM_ACTION = "action";
+ public static final String IAM_SCOPE = "scope";
+ public static final String IAM_SCOPE_ID = "scopeid";
+ public static final String IAM_ALLOW_DENY = "permission";
+ public static final String ENTITY_TYPE = "entitytype";
+ public static final String ENTITY_ID = "entityid";
+ public static final String ACCESS_TYPE = "accesstype";
+
public static final String RESOURCE_DETAILS = "resourcedetails";
public static final String EXPUNGE = "expunge";
public static final String FOR_DISPLAY = "fordisplay";
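Review bot: `IAM_PERMISSIONS` and `IAM_ALLOW_DENY` both map to the same wire name `"permission"`, so two differently named API parameters cannot be distinguished when both appear in a request; either one value is a typo or one constant is redundant and should be removed. If IAM_PERMISSIONS is meant to carry a list, `"permissions"` would also match the plural naming of the neighbouring IAM_POLICIES and IAM_GROUPS. The three entries ENTITY_TYPE, ENTITY_ID and ACCESS_TYPE drop the IAM_ prefix used by the rest of the group; if that is deliberate because they are shared with non-IAM commands, a one-line comment above them would say so.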
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/engine/components-api/src/com/cloud/template/TemplateManager.java
----------------------------------------------------------------------
diff --git a/engine/components-api/src/com/cloud/template/TemplateManager.java b/engine/components-api/src/com/cloud/template/TemplateManager.java
index 0557a29..5987ac0 100755
--- a/engine/components-api/src/com/cloud/template/TemplateManager.java
+++ b/engine/components-api/src/com/cloud/template/TemplateManager.java
@@ -122,4 +122,7 @@ public interface TemplateManager {
*/
void prepareIsoForVmProfile(VirtualMachineProfile profile);
+ public static final String MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT = "Message.RegisterPublicTemplate.Event";
+ public static final String MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT = "Message.ResetTemplatePermission.Event";
+
}
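Review bot: Constants declared inside an interface are implicitly `public static final`, so the modifiers on MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT and MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT are redundant; the same applies to the message constants added to AccountManager, DomainManager and EntityManager in this commit. None of these constants says who publishes the message or what object accompanies it, which subscribers need to know; a comment per constant of the form `// Published by <publisher> after <event>; message body is <payload type>` (values to be supplied by the author, they are not visible here) would close that gap. Placing `MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT` on the utils-level EntityManager pulls a domain concept into a generic persistence interface; that may be intentional on this branch but deserves a comment explaining why it lives there.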
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/acl/DomainChecker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index 31b273f..f8acceb 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -319,4 +319,10 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
return false;
}
+
+ @Override
+ public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
+ throws PermissionDeniedException {
+ return checkAccess(caller, entity, accessType);
+ }
}
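Review bot: The new action-aware checkAccess overload discards `action` and delegates to the three-argument form, so DomainChecker grants or denies purely on the caller/entity relationship regardless of which API is being invoked; if that is intended for this adapter, state it so nobody assumes action-level authorization happens here, e.g. `// DomainChecker does not evaluate the API action; only the ownership/domain relationship is checked.`. Callers that rely on the action being consulted need a different SecurityChecker adapter, which is worth noting in the interface Javadoc as well. The enclosing class continues outside the hunk.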
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 3df599e..05fe6e8 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -891,7 +891,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
}
}
- private Class<?> getCmdClass(String cmdName) {
+ @Override
+ public Class<?> getCmdClass(String cmdName) {
return s_apiNameCmdClassMap.get(cmdName);
}
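Review bot: `getCmdClass` is widened from private to public and exposed through ApiServerService, but neither the method here nor the new interface declaration in ApiServerService.java documents the contract; the visible body returns `s_apiNameCmdClassMap.get(cmdName)`, which yields null for an unknown command name, so add `/** Returns the command class registered for the given API name, or null if no command is registered under that name. */` on both and make sure the new external callers handle the null. The map is presumably the static API-name registry built at startup, but its population is outside the hunk. The enclosing class continues outside the hunk.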
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/api/ApiServerService.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServerService.java b/server/src/com/cloud/api/ApiServerService.java
index 8e078c6..bf0ba23 100644
--- a/server/src/com/cloud/api/ApiServerService.java
+++ b/server/src/com/cloud/api/ApiServerService.java
@@ -41,4 +41,6 @@ public interface ApiServerService {
public String getSerializedApiError(ServerApiException ex, Map<String, Object[]> apiCommandParams, String responseType);
public String handleRequest(Map params, String responseType, StringBuffer auditTrailSb) throws ServerApiException;
+
+ public Class<?> getCmdClass(String cmdName);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/user/AccountManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java
index 1f191fc..983caf1 100755
--- a/server/src/com/cloud/user/AccountManager.java
+++ b/server/src/com/cloud/user/AccountManager.java
@@ -188,4 +188,8 @@ public interface AccountManager extends AccountService {
* @return account object
*/
Account lockAccount(String accountName, Long domainId, Long accountId);
+
+ public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event";
+
+ public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event";
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/server/src/com/cloud/user/DomainManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/DomainManager.java b/server/src/com/cloud/user/DomainManager.java
index 41d9d34..f72b18a 100644
--- a/server/src/com/cloud/user/DomainManager.java
+++ b/server/src/com/cloud/user/DomainManager.java
@@ -47,4 +47,7 @@ public interface DomainManager extends DomainService {
* @return Domain object if the command succeeded
*/
Domain updateDomain(UpdateDomainCmd cmd);
+
+ public static final String MESSAGE_ADD_DOMAIN_EVENT = "Message.AddDomain.Event";
+ public static final String MESSAGE_REMOVE_DOMAIN_EVENT = "Message.RemoveDomain.Event";
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/793becf5/utils/src/com/cloud/utils/db/EntityManager.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/db/EntityManager.java b/utils/src/com/cloud/utils/db/EntityManager.java
index 7612a75..8f4e385 100644
--- a/utils/src/com/cloud/utils/db/EntityManager.java
+++ b/utils/src/com/cloud/utils/db/EntityManager.java
@@ -75,4 +75,10 @@ public interface EntityManager {
public <T, K extends Serializable> void remove(Class<T> entityType, K id);
public <T, K extends Serializable> T findByIdIncludingRemoved(Class<T> entityType, K id);
+
+ public static final String MESSAGE_REMOVE_ENTITY_EVENT = "Message.RemoveEntity.Event";
+
+ public static final String MESSAGE_GRANT_ENTITY_EVENT = "Message.GrantEntity.Event";
+ public static final String MESSAGE_REVOKE_ENTITY_EVENT = "Message.RevokeEntity.Event";
+ public static final String MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT = "Message.AddDomainWideEntity.Event";
}