
git commit: updated refs/heads/rbac to 28b81e4

Updated Branches:
  refs/heads/rbac d374cd5a2 -> 28b81e423


Changing the access checkers to work with IAM server


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/28b81e42
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/28b81e42
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/28b81e42

Branch: refs/heads/rbac
Commit: 28b81e423ec3cad3da7aecf39d6dc092945aaf69
Parents: d374cd5
Author: Prachi Damle <pr...@cloud.com>
Authored: Sun Jan 5 21:40:50 2014 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Sun Jan 5 21:41:39 2014 -0800

----------------------------------------------------------------------
 .../acl/RoleBasedAPIAccessChecker.java          |  2 +-
 .../acl/RoleBasedEntityAccessChecker.java       | 25 +++++++++-----------
 .../cloudstack/acl/api/AclApiService.java       |  2 --
 .../cloudstack/acl/api/AclApiServiceImpl.java   |  9 ++-----
 .../apache/cloudstack/iam/api/IAMService.java   |  6 +++--
 .../cloudstack/iam/server/IAMServiceImpl.java   | 19 +++++++++++----
 .../iam/server/dao/AclPolicyPermissionDao.java  |  2 +-
 .../server/dao/AclPolicyPermissionDaoImpl.java  |  3 ++-
 8 files changed, 35 insertions(+), 33 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index 1586c52..d193c94 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -86,7 +86,7 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 
         List<AclPolicy> policies = _iamSrv.listAclPolicies(account.getAccountId());
 
-        boolean isAllowed = _iamSrv.isAPIAccessibleForPolicies(commandName, policies);
+        boolean isAllowed = _iamSrv.isActionAllowedForPolicies(commandName, policies);
         if (!isAllowed) {
             throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
         }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
index fa74604..e180000 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@@ -25,9 +25,9 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.api.AclApiService;
-import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
-import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
 import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
+import org.apache.cloudstack.iam.api.IAMService;
 
 import com.cloud.acl.DomainChecker;
 import com.cloud.domain.dao.DomainDao;
@@ -47,10 +47,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
     @Inject DomainDao _domainDao;
 
     @Inject
-    AclGroupAccountMapDao _aclGroupAccountMapDao;
-
-    @Inject
-    AclPolicyPermissionDao _policyPermissionDao;
+    IAMService _iamSrv;
 
 
     @Override
@@ -74,15 +71,15 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
         HashMap<AclPolicy, Boolean> policyPermissionMap = new HashMap<AclPolicy, Boolean>();
 
         for (AclPolicy policy : policies) {
-            List<AclPolicyPermissionVO> permissions = new ArrayList<AclPolicyPermissionVO>();
+            List<AclPolicyPermission> permissions = new ArrayList<AclPolicyPermission>();
 
             if (action != null) {
-                permissions = _policyPermissionDao.listByPolicyActionAndEntity(policy.getId(),
-                    action, entityType);
+                permissions = _iamSrv.listPolicyPermissionByEntityType(policy.getId(), action, entityType);
             } else {
-                permissions = _policyPermissionDao.listByPolicyAccessAndEntity(policy.getId(), accessType, entityType);
+                permissions = _iamSrv.listPolicyPermissionByAccessType(policy.getId(), accessType.toString(),
+                        entityType, action);
             }
-            for (AclPolicyPermissionVO permission : permissions) {
+            for (AclPolicyPermission permission : permissions) {
                 if (checkPermissionScope(caller, permission.getScope(), entity)) {
                     if (permission.getEntityType().equals(entityType)) {
                         policyPermissionMap.put(policy, permission.getPermission().isGranted());
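Review bot: In the `else` branch the new call `_iamSrv.listPolicyPermissionByAccessType(policy.getId(), accessType.toString(), entityType, action)` passes `action`, which is necessarily null on that path because the branch is only reached when `action != null` is false. The DAO method this commit extends (AclPolicyPermissionDaoImpl.listByPolicyAccessAndEntity) forwards it unconditionally as `sc.setParameters("action", action)`, so the outcome depends on how a null search parameter is rendered: an `action = NULL` condition matches no row and every access-type check would deny, while an `IS NULL` rendering silently drops any permission row that does name an action. Make the intent explicit rather than relying on that, for example by skipping the action condition in the DAO when `action == null`, or by documenting at the call site that access-type permissions are expected to carry no action, e.g. `// action is null here: access-type rows are matched without an action filter`. The enclosing method starts and ends outside the hunk.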
@@ -109,13 +106,13 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
         return false;
     }
 
-    private boolean checkPermissionScope(Account caller, PermissionScope scope, ControlledEntity entity) {
+    private boolean checkPermissionScope(Account caller, String scope, ControlledEntity entity) {
         
-        if(scope.equals(PermissionScope.ACCOUNT)){
+        if (scope.equals(PermissionScope.ACCOUNT.name())) {
             if(caller.getAccountId() == entity.getAccountId()){
                 return true;
             }
-        }else if(scope.equals(PermissionScope.DOMAIN)){
+        } else if (scope.equals(PermissionScope.DOMAIN.name())) {
             if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
                 return true;
             }
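Review bot: With `scope` now a plain `String`, `scope.equals(PermissionScope.ACCOUNT.name())` throws a NullPointerException if a permission row carries a null scope, whereas the rest of the method is written to fall through to a deny; reversing the comparison to `PermissionScope.ACCOUNT.name().equals(scope)` and `PermissionScope.DOMAIN.name().equals(scope)` keeps a null scope on the fall-through path. A scope value matching neither constant (for instance a differently cased variant stored by another writer) also falls through, which is the safe default but deserves a comment such as `// unknown or null scope: fall through and deny`. The method's tail, including that final return, lies outside the hunk.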

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
index 344e59c..12ecf8b 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
@@ -60,8 +60,6 @@ public interface AclApiService {
 
     AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action);
 
-    boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
-
     List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
 
     /* Response Generation */

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
index 02d015c..b117d0c 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -174,7 +174,8 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
         List<AclPolicy> policies = _iamSrv.listAclPolicies(accountId);
         AclPolicyPermission curPerm = null;
         for (AclPolicy policy : policies) {
-            List<AclPolicyPermission> perms = _iamSrv.listPollcyPermissionByEntityType(policy.getId(), action, entityType);
+            List<AclPolicyPermission> perms = _iamSrv.listPolicyPermissionByEntityType(policy.getId(), action,
+                    entityType);
             if (perms == null || perms.size() == 0)
                 continue;
             AclPolicyPermission perm = perms.get(0); // just pick one
@@ -190,12 +191,6 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
     }
 
 
-
-    @Override
-    public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
-        return _iamSrv.isAPIAccessibleForPolicies(apiName, policies);
-    }
-
     @Override
     public List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity) {
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index f85803b..2d303d1 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -66,12 +66,14 @@ public interface IAMService {
 
     List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope);
 
-    List<AclPolicyPermission> listPollcyPermissionByEntityType(long policyId, String action, String entityType);
+    List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId, String action, String entityType);
 
-    boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
+    boolean isActionAllowedForPolicies(String action, List<AclPolicy> policies);
 
     List<Long> getGrantedEntities(long accountId, String action, String scope);
 
     AclPolicy resetAclPolicy(long aclPolicyId);
 
+    List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId, String accessType, String entityType, String action);
+
 }
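Review bot: The renamed `isActionAllowedForPolicies` and the new `listPolicyPermissionByAccessType` have no Javadoc, and the rename is not just cosmetic: the implementation in this commit now also filters by `action`, so callers migrating from `isAPIAccessibleForPolicies` should be told that the result is "some permission row exists for these policies and this action". The new method's parameter order `(long policyId, String accessType, String entityType, String action)` also differs from the neighbouring `listPolicyPermissionByEntityType(long policyId, String action, String entityType)`, which invites argument swaps between two same-typed String parameters; a Javadoc `@param` line for each of the four parameters, stating that `action` may be null when matching by access type if that is intended, would make the contract checkable at call sites.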

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 3696bb9..e6fcdcd 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -601,9 +601,9 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
     }
 
     @Override
-    public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
+    public boolean isActionAllowedForPolicies(String action, List<AclPolicy> policies) {
 
-        boolean accessible = false;
+        boolean allowed = false;
 
         List<Long> policyIds = new ArrayList<Long>();
         for (AclPolicy policy : policies) {
@@ -616,14 +616,15 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
 
         SearchCriteria<AclPolicyPermissionVO> sc = sb.create();
         sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
+        sc.setParameters("action", action);
 
         List<AclPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
 
         if (permissions != null && !permissions.isEmpty()) {
-            accessible = true;
+            allowed = true;
         }
 
-        return accessible;
+        return allowed;
     }
 
 
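Review bot: `allowed` becomes true whenever the search returns any row for the policy ids and `action`, but nothing visible here inspects the row's permission value, even though `AclPolicyPermission` exposes an allow/deny flag (`getPermission().isGranted()` is read in RoleBasedEntityAccessChecker in this same commit and the VO list is assignable to that interface in listPolicyPermissionByEntityType); unless the search builder created above the hunk already restricts to granted rows, a Deny permission for `action` would still make the API accessible. Consider deciding on the rows themselves: `for (AclPolicyPermissionVO p : permissions) {`, `    if (p.getPermission().isGranted()) { allowed = true; break; }`, `}`. The added `sc.setParameters("action", action)` also assumes the builder defines an `action` condition, which cannot be confirmed from the hunk; the method's signature is in the preceding hunk and the builder construction lies between the two.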
@@ -664,7 +665,7 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
     }
 
     @Override
-    public List<AclPolicyPermission> listPollcyPermissionByEntityType(long policyId, String action, String entityType) {
+    public List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId, String action, String entityType) {
         List<AclPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
         List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
         pl.addAll(pp);
@@ -672,6 +673,14 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
     }
 
     @Override
+    public List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId, String accessType, String entityType, String action) {
+        List<AclPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType, action);
+        List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
+        pl.addAll(pp);
+        return pl;
+    }
+    
+    @Override
     public AclPolicy getResourceOwnerPolicy() {
         return _aclPolicyDao.findByName("RESOURCE_OWNER");
     }
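Review bot: `listPolicyPermissionByAccessType` repeats the copy-into-interface-list pattern of `listPolicyPermissionByEntityType` line for line; the three-line body collapses to `return new ArrayList<AclPolicyPermission>(_policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType, action));`, and the blank line after the method carries trailing whitespace. The method also lacks a Javadoc summary stating what is matched when `action` is null, which is how the new access checker in this commit calls it.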

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
index f2da895..5abadf9 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
@@ -33,6 +33,6 @@ public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO
 
     List<AclPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType);
 
-    List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, String accessType, String entityType);
+    List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, String accessType, String entityType, String action);
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
index d738e00..b014cb4 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
@@ -104,11 +104,12 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
 
     @Override
     public List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType,
-            String entityType) {
+            String entityType, String action) {
         SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
         sc.setParameters("policyId", policyId);
         sc.setParameters("entityType", entityType);
         sc.setParameters("accessType", accessType);
+        sc.setParameters("action", action);
         return listBy(sc);
     }