Posted to commits@cloudstack.apache.org by pr...@apache.org on 2014/01/03 19:51:41 UTC
[1/2] git commit: updated refs/heads/rbac to 04a0d12
Updated Branches:
refs/heads/rbac dd8dcd949 -> 04a0d12a6
Moved the loading of commands.properties to the IAM plugin
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e5b4a1d8
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e5b4a1d8
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e5b4a1d8
Branch: refs/heads/rbac
Commit: e5b4a1d86923e86812519421b64084672d5a9f26
Parents: dd8dcd9
Author: Prachi Damle <pr...@cloud.com>
Authored: Fri Dec 27 23:01:10 2013 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu Jan 2 18:39:18 2014 -0800
----------------------------------------------------------------------
server/src/com/cloud/api/ApiServer.java | 144 ---------------
.../acl/RoleBasedAPIAccessChecker.java | 179 +++++++++++++++++--
services/iam/pom.xml | 20 +++
services/iam/server/pom.xml | 12 --
.../apache/cloudstack/iam/api/IAMService.java | 1 +
.../cloudstack/iam/server/IAMServiceImpl.java | 20 +++
.../cloudstack/iam/IAMServiceUnitTest.java | 1 -
7 files changed, 207 insertions(+), 170 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 95e13a5..e4bbf32 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -190,10 +190,6 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
private static final DateFormat _dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ");
private static Map<String, List<Class<?>>> _apiNameCmdClassMap = new HashMap<String, List<Class<?>>>();
- private static Set<String> commandsPropertiesOverrides = new HashSet<String>();
- private static Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
-
-
private static ExecutorService _executor = new ThreadPoolExecutor(10, 150, 60, TimeUnit.SECONDS, new LinkedBlockingQueue<Runnable>(), new NamedThreadFactory("ApiServer"));
public ApiServer() {
@@ -201,7 +197,6 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- processMapping(PropertiesUtil.processConfigFile(new String[] { "commands.properties" }));
return true;
}
@@ -238,39 +233,6 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
}
}
- // drop all default policy api permissions - we reload them every time
- // to include any chanegs done to the @APICommand or
- // commands.properties.
- SearchBuilder<AclPolicyPermissionVO> sb = _aclPermissionDao.createSearchBuilder();
- sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
- sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
- sb.done();
-
- SearchCriteria<AclPolicyPermissionVO> permissionSC = sb.create();
-
- for (RoleType role : RoleType.values()) {
- permissionSC.setParameters("policyId", role.ordinal() + 1);
- switch (role) {
- case User:
- permissionSC.setParameters("scope", PermissionScope.ACCOUNT.toString());
- break;
-
- case Admin:
- permissionSC.setParameters("scope", PermissionScope.ALL.toString());
- break;
-
- case DomainAdmin:
- permissionSC.setParameters("scope", PermissionScope.DOMAIN.toString());
- break;
-
- case ResourceAdmin:
- permissionSC.setParameters("scope", PermissionScope.DOMAIN.toString());
- break;
- }
- _aclPermissionDao.expunge(permissionSC);
-
- }
-
for(Class<?> cmdClass: cmdClasses) {
APICommand at = cmdClass.getAnnotation(APICommand.class);
if (at == null) {
@@ -283,28 +245,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
_apiNameCmdClassMap.put(apiName, apiCmdList);
}
apiCmdList.add(cmdClass);
-
- if (!commandsPropertiesOverrides.contains(apiName)) {
- for (RoleType role : at.authorized()) {
- addDefaultAclPolicyPermission(apiName, cmdClass, role);
- }
- }
- }
-
- // read commands.properties and load api acl permissions -
- // commands.properties overrides any @APICommand authorization
-
- for (String apiName : commandsPropertiesOverrides) {
- Class<?> cmdClass = getCmdClass(apiName);
- for (RoleType role : RoleType.values()) {
- if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) {
- // insert permission for this role for this api
- addDefaultAclPolicyPermission(apiName, cmdClass, role);
- }
- }
}
-
encodeApiResponse = Boolean.valueOf(_configDao.getValue(Config.EncodeApiResponse.key()));
String jsonType = _configDao.getValue(Config.JavaScriptDefaultContentType.key());
if (jsonType != null) {
@@ -319,92 +261,6 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
return true;
}
- private void processMapping(Map<String, String> configMap) {
- for (RoleType roleType : RoleType.values()) {
- commandsPropertiesRoleBasedApisMap.put(roleType, new HashSet<String>());
- }
-
- for (Map.Entry<String, String> entry : configMap.entrySet()) {
- String apiName = entry.getKey();
- String roleMask = entry.getValue();
- commandsPropertiesOverrides.add(apiName);
- try {
- short cmdPermissions = Short.parseShort(roleMask);
- for (RoleType roleType : RoleType.values()) {
- if ((cmdPermissions & roleType.getValue()) != 0)
- commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName);
- }
- } catch (NumberFormatException nfe) {
- s_logger.info("Malformed key=value pair for entry: " + entry.toString());
- }
- }
- }
-
- private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType role) {
-
- boolean isReadCommand = false;
- AclEntityType[] entityTypes = null;
- if (cmdClass != null) {
- BaseCmd cmdObj;
- try {
- cmdObj = (BaseCmd) cmdClass.newInstance();
- if (cmdObj instanceof BaseListCmd) {
- isReadCommand = true;
- }
- } catch (Exception e) {
- throw new CloudRuntimeException(String.format(
- "%s is claimed as an API command, but it cannot be instantiated", cmdClass.getName()));
- }
-
- APICommand at = cmdClass.getAnnotation(APICommand.class);
- entityTypes = at.entityType();
- }
-
- AclPolicyPermissionVO apiPermission = null;
- PermissionScope permissionScope = PermissionScope.ACCOUNT;
- switch (role) {
- case User:
- permissionScope = PermissionScope.ACCOUNT;
- break;
-
- case Admin:
- permissionScope = PermissionScope.ALL;
- break;
-
- case DomainAdmin:
- permissionScope = PermissionScope.DOMAIN;
- break;
-
- case ResourceAdmin:
- permissionScope = PermissionScope.DOMAIN;
- break;
- }
-
- if (entityTypes == null || entityTypes.length == 0) {
- apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, null, null, permissionScope,
- new Long(-1), Permission.Allow);
- if (apiPermission != null) {
- if (isReadCommand) {
- apiPermission.setAccessType(AccessType.ListEntry);
- }
- _aclPermissionDao.persist(apiPermission);
- }
- } else {
-
- for (AclEntityType entityType : entityTypes) {
- apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, entityType.toString(), null,
- permissionScope, new Long(-1), Permission.Allow);
- if (apiPermission != null) {
- if (isReadCommand) {
- apiPermission.setAccessType(AccessType.ListEntry);
- }
- _aclPermissionDao.persist(apiPermission);
- }
- }
- }
-
- }
-
// NOTE: handle() only handles over the wire (OTW) requests from integration.api.port 8096
// If integration api port is not configured, actual OTW requests will be received by ApiServlet
@SuppressWarnings({ "unchecked", "rawtypes" })
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index f133f37..1586c52 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -16,52 +16,205 @@
// under the License.
package org.apache.cloudstack.acl;
+import java.util.HashMap;
+import java.util.HashSet;
import java.util.List;
+import java.util.Map;
+import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
+import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.AclEntityType;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
+import org.apache.cloudstack.iam.api.IAMService;
+import com.cloud.api.ApiServerService;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.user.Account;
import com.cloud.user.AccountService;
import com.cloud.user.User;
+import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.cloud.utils.exception.CloudRuntimeException;
-// This is the Role Based API access checker that grab's the account's roles
-// based on the set of roles, access is granted if any of the role has access to the api
+//This is the Role Based API access checker that grab's the account's roles
+//based on the set of roles, access is granted if any of the role has access to the api
@Local(value=APIChecker.class)
public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class);
- @Inject AccountService _accountService;
- @Inject AclApiService _aclService;
+ @Inject
+ AccountService _accountService;
+ @Inject
+ ApiServerService _apiServer;
+ @Inject
+ IAMService _iamSrv;
+
+ Set<String> commandsPropertiesOverrides = new HashSet<String>();
+ Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
+
+ List<PluggableService> _services;
protected RoleBasedAPIAccessChecker() {
super();
- }
+ for (RoleType roleType : RoleType.values()) {
+ commandsPropertiesRoleBasedApisMap.put(roleType, new HashSet<String>());
+ }
+ }
@Override
- public boolean checkAccess(User user, String commandName)
- throws PermissionDeniedException {
+ public boolean checkAccess(User user, String commandName) throws PermissionDeniedException {
Account account = _accountService.getAccount(user.getAccountId());
if (account == null) {
- throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null");
+ throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId()
+ + "is null");
}
- List<AclPolicy> policies = _aclService.listAclPolicies(account.getAccountId());
-
+ List<AclPolicy> policies = _iamSrv.listAclPolicies(account.getAccountId());
- boolean isAllowed = _aclService.isAPIAccessibleForPolicies(commandName, policies);
+ boolean isAllowed = _iamSrv.isAPIAccessibleForPolicies(commandName, policies);
if (!isAllowed) {
throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
}
return isAllowed;
- }
+ }
+
+ @Override
+ public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+ super.configure(name, params);
+
+ processMapping(PropertiesUtil.processConfigFile(new String[] { "commands.properties" }));
+ return true;
+ }
+
+ @Override
+ public boolean start() {
+
+ // drop all default policy api permissions - we reload them every time
+ // to include any changes done to the @APICommand or
+ // commands.properties.
+
+ for (RoleType role : RoleType.values()) {
+ _iamSrv.resetAclPolicy(role.ordinal() + 1);
+ }
+
+ for (PluggableService service : _services) {
+ for (Class<?> cmdClass : service.getCommands()) {
+ APICommand command = cmdClass.getAnnotation(APICommand.class);
+ if (!commandsPropertiesOverrides.contains(command.name())) {
+ for (RoleType role : command.authorized()) {
+ addDefaultAclPolicyPermission(command.name(), cmdClass, role);
+ }
+ }
+ }
+ }
+
+ // read commands.properties and load api acl permissions -
+ // commands.properties overrides any @APICommand authorization
+
+ for (String apiName : commandsPropertiesOverrides) {
+ Class<?> cmdClass = _apiServer.getCmdClass(apiName);
+ for (RoleType role : RoleType.values()) {
+ if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) {
+ // insert permission for this role for this api
+ addDefaultAclPolicyPermission(apiName, cmdClass, role);
+ }
+ }
+ }
+
+ return super.start();
+ }
+
+ private void processMapping(Map<String, String> configMap) {
+ for (Map.Entry<String, String> entry : configMap.entrySet()) {
+ String apiName = entry.getKey();
+ String roleMask = entry.getValue();
+ commandsPropertiesOverrides.add(apiName);
+ try {
+ short cmdPermissions = Short.parseShort(roleMask);
+ for (RoleType roleType : RoleType.values()) {
+ if ((cmdPermissions & roleType.getValue()) != 0)
+ commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName);
+ }
+ } catch (NumberFormatException nfe) {
+ s_logger.info("Malformed key=value pair for entry: " + entry.toString());
+ }
+ }
+ }
+
+ public List<PluggableService> getServices() {
+ return _services;
+ }
+
+ @Inject
+ public void setServices(List<PluggableService> _services) {
+ this._services = _services;
+ }
+
+ private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType role) {
+
+ AccessType accessType = null;
+ AclEntityType[] entityTypes = null;
+ if (cmdClass != null) {
+ BaseCmd cmdObj;
+ try {
+ cmdObj = (BaseCmd) cmdClass.newInstance();
+ if (cmdObj instanceof BaseListCmd) {
+ accessType = AccessType.ListEntry;
+ }
+ } catch (Exception e) {
+ throw new CloudRuntimeException(String.format(
+ "%s is claimed as an API command, but it cannot be instantiated", cmdClass.getName()));
+ }
+
+ APICommand at = cmdClass.getAnnotation(APICommand.class);
+ entityTypes = at.entityType();
+ }
+
+ PermissionScope permissionScope = PermissionScope.ACCOUNT;
+ switch (role) {
+ case User:
+ permissionScope = PermissionScope.ACCOUNT;
+ break;
+
+ case Admin:
+ permissionScope = PermissionScope.ALL;
+ break;
+
+ case DomainAdmin:
+ permissionScope = PermissionScope.DOMAIN;
+ break;
+
+ case ResourceAdmin:
+ permissionScope = PermissionScope.DOMAIN;
+ break;
+ }
+
+
+ if (entityTypes == null || entityTypes.length == 0) {
+ _iamSrv.addAclPermissionToAclPolicy(new Long(role.ordinal()) + 1, null, permissionScope.toString(), new Long(-1),
+ apiName, accessType.toString(), Permission.Allow);
+ } else {
+ for (AclEntityType entityType : entityTypes) {
+ _iamSrv.addAclPermissionToAclPolicy(new Long(role.ordinal()) + 1, entityType.toString(), permissionScope.toString(), new Long(-1),
+ apiName, accessType.toString(), Permission.Allow);
+ }
+ }
+
+ }
}
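Review bot: `accessType.toString()` in both `addAclPermissionToAclPolicy` calls at the end of `addDefaultAclPolicyPermission` dereferences a variable that is still null for every command that is not a `BaseListCmd` (and whenever `cmdClass` is null), so `start()` would throw a NullPointerException on the first non-list API. Because `start()` calls `resetAclPolicy` for every role before reloading, that failure would leave the default role policies empty or half-populated instead of in their previous state. Compute the argument null-safely first, e.g. `String accessTypeName = (accessType == null) ? null : accessType.toString();`, assuming `addAclPermissionToAclPolicy` accepts a null access type the way the removed ApiServer code left it unset for non-list commands. `start()` also calls `command.name()` without the `at == null` guard that ApiServer's loop applies after `getAnnotation(APICommand.class)`, so a class lacking `@APICommand` would fail the same way.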
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/pom.xml
----------------------------------------------------------------------
diff --git a/services/iam/pom.xml b/services/iam/pom.xml
index babb9c8..ea5c05a 100644
--- a/services/iam/pom.xml
+++ b/services/iam/pom.xml
@@ -34,4 +34,24 @@
<module>plugin</module>
<module>server</module>
</modules>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloud-api</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloud-utils</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloud-api</artifactId>
+ <version>${project.version}</version>
+ <type>test-jar</type>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
</project>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/server/pom.xml
----------------------------------------------------------------------
diff --git a/services/iam/server/pom.xml b/services/iam/server/pom.xml
index cf6dcf2..bc3a698 100644
--- a/services/iam/server/pom.xml
+++ b/services/iam/server/pom.xml
@@ -28,18 +28,6 @@
</parent>
<dependencies>
<dependency>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </dependency>
- <dependency>
- <groupId>com.google.code.gson</groupId>
- <artifactId>gson</artifactId>
- </dependency>
- <dependency>
- <groupId>commons-codec</groupId>
- <artifactId>commons-codec</artifactId>
- </dependency>
- <dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-utils</artifactId>
<version>${project.version}</version>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 355e8cf..f85803b 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -72,5 +72,6 @@ public interface IAMService {
List<Long> getGrantedEntities(long accountId, String action, String scope);
+ AclPolicy resetAclPolicy(long aclPolicyId);
}
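Review bot: `resetAclPolicy` is added to the interface with no Javadoc, although the implementation in IAMServiceImpl expunges the policy's permission rows and throws `InvalidParameterValueException` for an unknown id. A caller reading only the interface cannot tell that the method is destructive. Add a Javadoc along the lines of `/** Removes the permissions attached to the given policy and returns the policy; throws InvalidParameterValueException if no policy has this id. */`.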
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 5695996..3696bb9 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -579,6 +579,26 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
+ @DB
+ @Override
+ public AclPolicy resetAclPolicy(long aclPolicyId) {
+ // get the Acl Policy entity
+ AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ + "; failed to reset the policy.");
+ }
+
+ SearchBuilder<AclPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
+ sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
+ sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
+ sb.done();
+ SearchCriteria<AclPolicyPermissionVO> permissionSC = sb.create();
+ permissionSC.setParameters("policyId", aclPolicyId);
+ _policyPermissionDao.expunge(permissionSC);
+
+ return policy;
+ }
@Override
public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
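Review bot: In `resetAclPolicy` the search builder declares a `scope` condition, but `setParameters` only ever supplies `policyId`. Whether the DAO drops an unset condition or binds it as null is not visible here; in the second case the expunge would match nothing, and stale Allow permissions would survive a reload that was meant to tighten them. The removed ApiServer code set a scope per role, so either pass the scope in or delete the `sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);` line so the query states exactly what it deletes.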
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java
----------------------------------------------------------------------
diff --git a/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java b/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java
index 121f60d..437b0ea 100644
--- a/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java
+++ b/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java
@@ -17,7 +17,6 @@
package org.apache.cloudstack.iam;
import static org.junit.Assert.assertNotNull;
-import static org.mockito.Matchers.anyLong;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.when;
[2/2] git commit: updated refs/heads/rbac to 04a0d12
Posted by pr...@apache.org.
Adding @ACL annotation to Volume commands
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/04a0d12a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/04a0d12a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/04a0d12a
Branch: refs/heads/rbac
Commit: 04a0d12a68d705d271ab0f200e45300ad5e8c751
Parents: e5b4a1d
Author: Prachi Damle <pr...@cloud.com>
Authored: Thu Jan 2 18:37:26 2014 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu Jan 2 18:39:20 2014 -0800
----------------------------------------------------------------------
.../cloudstack/api/command/user/volume/AttachVolumeCmd.java | 3 +++
.../cloudstack/api/command/user/volume/DeleteVolumeCmd.java | 3 +++
.../cloudstack/api/command/user/volume/DetachVolumeCmd.java | 3 +++
.../cloudstack/api/command/user/volume/ExtractVolumeCmd.java | 3 +++
.../apache/cloudstack/api/command/user/volume/ListVolumesCmd.java | 3 +++
.../cloudstack/api/command/user/volume/ResizeVolumeCmd.java | 3 +++
.../cloudstack/api/command/user/volume/UpdateVolumeCmd.java | 3 +++
7 files changed, 21 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/04a0d12a/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
index eb864ba..8203db6 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
@@ -15,6 +15,8 @@
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.volume;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.log4j.Logger;
@@ -60,6 +62,7 @@ public class AttachVolumeCmd extends BaseAsyncCmd {
required=true, description="the ID of the disk volume")
private Long id;
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name=ApiConstants.VIRTUAL_MACHINE_ID, type=CommandType.UUID, entityType=UserVmResponse.class,
required=true, description=" the ID of the virtual machine")
private Long virtualMachineId;
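Review bot: The new `@ACL(accessType = AccessType.OperateEntry)` lands on `virtualMachineId`, while the volume `id` field just above it shows only the tail of its `@Parameter`; its annotations start outside the hunk, so it cannot be confirmed here that the volume is covered too. Attaching touches two entities, and the caller should need operate access to both the volume and the VM. If `id` has no `@ACL` yet, add `@ACL(accessType = AccessType.OperateEntry)` above its `@Parameter`, as the other volume commands in this commit do.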
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/04a0d12a/api/src/org/apache/cloudstack/api/command/user/volume/DeleteVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/DeleteVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/DeleteVolumeCmd.java
index 73cc827..8061ac5 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/DeleteVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/DeleteVolumeCmd.java
@@ -15,6 +15,8 @@
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.volume;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
@@ -41,6 +43,7 @@ public class DeleteVolumeCmd extends BaseCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType=VolumeResponse.class,
required=true, description="The ID of the disk volume")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/04a0d12a/api/src/org/apache/cloudstack/api/command/user/volume/DetachVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/DetachVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/DetachVolumeCmd.java
index fc68fe1..f02037f 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/DetachVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/DetachVolumeCmd.java
@@ -15,6 +15,8 @@
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.volume;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.log4j.Logger;
@@ -44,6 +46,7 @@ public class DetachVolumeCmd extends BaseAsyncCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType=VolumeResponse.class,
description="the ID of the disk volume")
private Long id;
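Review bot: `@ACL` is attached to an `id` parameter that is not marked `required=true`, and the same holds for the `id` fields in ResizeVolumeCmd and UpdateVolumeCmd further down. If the check is driven by the annotated field's value, a request that omits `id` gives it nothing to check. Whether these commands can locate the volume through other parameters is not visible in the hunk. Confirm how the `@ACL` processing treats a null field, and record the outcome next to the annotation, e.g. `// NOTE: id is optional; the ACL check applies only when it is supplied`.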
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/04a0d12a/api/src/org/apache/cloudstack/api/command/user/volume/ExtractVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/ExtractVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/ExtractVolumeCmd.java
index 08116fc..336e51b 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/ExtractVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/ExtractVolumeCmd.java
@@ -15,6 +15,8 @@
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.volume;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import java.net.URISyntaxException;
@@ -48,6 +50,7 @@ public class ExtractVolumeCmd extends BaseAsyncCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType=VolumeResponse.class,
required=true, description="the ID of the volume")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/04a0d12a/api/src/org/apache/cloudstack/api/command/user/volume/ListVolumesCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/ListVolumesCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/ListVolumesCmd.java
index 900cd75..e012b36 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/ListVolumesCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/ListVolumesCmd.java
@@ -15,6 +15,8 @@
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.volume;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.log4j.Logger;
@@ -49,6 +51,7 @@ public class ListVolumesCmd extends BaseListTaggedResourcesCmd {
description="list volumes on specified host")
private Long hostId;
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType=VolumeResponse.class,
description="the ID of the disk volume")
private Long id;
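Review bot: `ListVolumesCmd` is a list command, yet its `id` filter is annotated with `AccessType.OperateEntry`, the same level this commit uses for delete, resize and attach. RoleBasedAPIAccessChecker in the preceding commit assigns `AccessType.ListEntry` to `BaseListCmd` subclasses, so, assuming this command's base class derives from `BaseListCmd`, the two levels disagree for the same API. If read access is what is intended, this should be `@ACL(accessType = AccessType.ListEntry)`; otherwise add a comment explaining why listing by id needs operate rights.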
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/04a0d12a/api/src/org/apache/cloudstack/api/command/user/volume/ResizeVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/ResizeVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/ResizeVolumeCmd.java
index 85bf433..c9ab4d0 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/ResizeVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/ResizeVolumeCmd.java
@@ -15,6 +15,8 @@
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.volume;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.log4j.Logger;
@@ -49,6 +51,7 @@ public class ResizeVolumeCmd extends BaseAsyncCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name=ApiConstants.ID, entityType=VolumeResponse.class, type=CommandType.UUID, description="the ID of the disk volume")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/04a0d12a/api/src/org/apache/cloudstack/api/command/user/volume/UpdateVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/UpdateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/UpdateVolumeCmd.java
index 859ad8a..829d369 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/UpdateVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/UpdateVolumeCmd.java
@@ -15,6 +15,8 @@
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.volume;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.log4j.Logger;
@@ -43,6 +45,7 @@ public class UpdateVolumeCmd extends BaseAsyncCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType=VolumeResponse.class, description="the ID of the disk volume")
private Long id;