Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/03/03 01:15:24 UTC
[2/3] git commit: updated refs/heads/rbac to e5d7226
Pass UUID for scopeId in addIAMPermissionToIAMPolicyCmd and
removeIAMPermissionFromIAMPolicyCmd.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7e4c3b0e
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7e4c3b0e
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7e4c3b0e
Branch: refs/heads/rbac
Commit: 7e4c3b0e92e32d9c3221fcac4b74efd9a0b7fd29
Parents: ae9be65
Author: Min Chen <mi...@citrix.com>
Authored: Sun Mar 2 15:56:02 2014 -0800
Committer: Min Chen <mi...@citrix.com>
Committed: Sun Mar 2 15:56:02 2014 -0800
----------------------------------------------------------------------
.../iam/AddIAMPermissionToIAMPolicyCmd.java | 15 ++-
.../RemoveIAMPermissionFromIAMPolicyCmd.java | 11 +-
.../apache/cloudstack/iam/IAMApiService.java | 3 +
.../cloudstack/iam/IAMApiServiceImpl.java | 110 +++++++++++++++++++
.../cloudstack/iam/test/IAMApiServiceTest.java | 10 +-
5 files changed, 136 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
index 86afd10..a66390a 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
@@ -21,7 +21,6 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@@ -32,6 +31,7 @@ import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
@@ -39,6 +39,7 @@ import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
+import com.cloud.utils.db.EntityManager;
@APICommand(name = "addIAMPermissionToIAMPolicy", description = "Add IAM permission to an iam policy", responseObject = IAMPolicyResponse.class)
@@ -48,6 +49,8 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
@Inject
public IAMApiService _iamApiSrv;
+ @Inject
+ public EntityManager _entityMgr;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
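Review bot: The injected `_entityMgr` added here has no use anywhere in the visible hunks of this file; the UUID-to-id conversion is delegated to `_iamApiSrv.getPermissionScopeId(...)` further down. Unless it is used in a part of the class outside this diff, the field and its `EntityManager` import can be dropped, so the command does not carry an unused dependency on the persistence layer. The enclosing class continues outside the hunk.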
@@ -69,8 +72,8 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
required = false, description = "iam permission scope")
private String scope;
- @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id")
- private Long scopeId;
+ @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.UUID, required = false, description = "The UUID of the permission scope id")
+ private String scopeId;
/////////////////////////////////////////////////////
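Review bot: The two parallel commands now disagree on how the same parameter is declared: here `scopeId` is a `String` field annotated `type = CommandType.UUID`, while `RemoveIAMPermissionFromIAMPolicyCmd` (same hunk position in the second file) uses `type = CommandType.STRING` and keeps the old description "The ID of the permission scope id". I would expect the dispatcher's UUID handling to resolve the value to an internal id based on the annotation's `entityType`, which this parameter does not declare, so a UUID-typed `String` field looks fragile — please confirm against the parameter processing code. Since the conversion is done explicitly in `getScopeId()`, the consistent option is to declare both as `type = CommandType.STRING` and use the same description in both, e.g. `description = "The UUID of the permission scope id"`.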
@@ -96,10 +99,10 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
}
public Long getScopeId() {
- return scopeId;
+ // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID.
+ return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
}
-
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
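Review bot: `getScopeId()` now forwards `scope` and `scopeId` straight into `_iamApiSrv.getPermissionScopeId(...)`, but both parameters are declared `required = false`; the implementation added later in this commit calls `scopeId.equals("-1")` and `PermissionScope.valueOf(scope)`, so a request without a scope id fails with a NullPointerException where the old code returned `null`. Restore the previous behaviour for an absent value with a guard before the call: `if (scopeId == null) { return null; }`. The same applies to `getScopeId()` in `RemoveIAMPermissionFromIAMPolicyCmd` in the second file. The comment would read better as a Javadoc on the method, e.g. "Resolves the scopeId UUID supplied by the caller to the entity's internal id; returns null when no scope id was passed."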
@@ -123,7 +126,7 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
CallContext.current().setEventDetails("IAM policy Id: " + getId());
// Only explicit ALLOW is supported for this release, no explicit deny
IAMPolicy result = _iamApiSrv.addIAMPermissionToIAMPolicy(id, entityType, PermissionScope.valueOf(scope),
- scopeId, action, Permission.Allow, false);
+ getScopeId(), action, Permission.Allow, false);
if (result != null) {
IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
response.setResponseName(getCommandName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java
index db04ef7..bf065a0 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java
@@ -21,7 +21,6 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@@ -32,6 +31,7 @@ import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.iam.api.IAMPolicy;
import com.cloud.event.EventTypes;
@@ -68,8 +68,8 @@ public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd {
required = false, description = "iam permission scope")
private String scope;
- @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id")
- private Long scopeId;
+ @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The ID of the permission scope id")
+ private String scopeId;
/////////////////////////////////////////////////////
@@ -95,7 +95,8 @@ public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd {
}
public Long getScopeId() {
- return scopeId;
+ // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID.
+ return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
}
@@ -119,7 +120,7 @@ public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd {
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("IAM policy Id: " + getId());
- IAMPolicy result = _iamApiSrv.removeIAMPermissionFromIAMPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action);
+ IAMPolicy result = _iamApiSrv.removeIAMPermissionFromIAMPolicy(id, entityType, PermissionScope.valueOf(scope), getScopeId(), action);
if (result != null) {
IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
response.setResponseName(getCommandName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
index b9e680a..bb8f03b 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
@@ -81,4 +81,7 @@ public interface IAMApiService extends PluggableService {
ListResponse<IAMPolicyResponse> listIAMPolicies(Long iamPolicyId, String iamPolicyName,
Long domainId, Long startIndex, Long pageSize);
+
+ // Convert passed scope uuid to internal scope long id
+ Long getPermissionScopeId(String scope, String entityType, String scopeId);
}
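Review bot: The new interface method carries only a one-line comment; callers need to know the contract, since the implementation in this commit treats the literal `"-1"` as a sentinel returned unchanged, expects `scope` to be a `PermissionScope` name and `entityType` an entity type name, and throws `InvalidParameterValueException` when the UUID does not resolve. Replace the comment with a Javadoc stating those three points plus `@param` for the three arguments and `@return` for the internal id, so implementers and the two command classes agree on the null and sentinel handling.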
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
index 393fe0e..945f48e 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
@@ -31,8 +31,10 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.IAMEntityType;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.affinity.AffinityGroupVO;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListCmd;
+import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.api.command.iam.AddAccountToIAMGroupCmd;
import org.apache.cloudstack.api.command.iam.AddIAMPermissionToIAMPolicyCmd;
import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToAccountCmd;
@@ -52,6 +54,7 @@ import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.api.response.iam.IAMPermissionResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
import org.apache.cloudstack.framework.messagebus.MessageBus;
import org.apache.cloudstack.framework.messagebus.MessageSubscriber;
import org.apache.cloudstack.iam.api.IAMGroup;
@@ -59,6 +62,9 @@ import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService;
+import org.apache.cloudstack.iam.server.IAMGroupVO;
+import org.apache.cloudstack.iam.server.IAMPolicyVO;
+import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleVO;
import com.cloud.api.ApiServerService;
import com.cloud.domain.Domain;
@@ -66,18 +72,50 @@ import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
+import com.cloud.event.EventVO;
import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.network.UserIpv6AddressVO;
+import com.cloud.network.VpnUserVO;
+import com.cloud.network.as.AutoScalePolicyVO;
+import com.cloud.network.as.AutoScaleVmGroupVO;
+import com.cloud.network.as.AutoScaleVmProfileVO;
+import com.cloud.network.as.ConditionVO;
+import com.cloud.network.dao.IPAddressVO;
+import com.cloud.network.dao.MonitoringServiceVO;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.RemoteAccessVpnVO;
+import com.cloud.network.dao.Site2SiteCustomerGatewayVO;
+import com.cloud.network.dao.Site2SiteVpnConnectionVO;
+import com.cloud.network.dao.Site2SiteVpnGatewayVO;
+import com.cloud.network.dao.SslCertVO;
+import com.cloud.network.rules.FirewallRuleVO;
+import com.cloud.network.rules.PortForwardingRuleVO;
+import com.cloud.network.security.SecurityGroupVO;
+import com.cloud.network.vpc.StaticRouteVO;
+import com.cloud.network.vpc.VpcGatewayVO;
+import com.cloud.network.vpc.VpcVO;
+import com.cloud.projects.ProjectInvitationVO;
+import com.cloud.storage.SnapshotVO;
+import com.cloud.storage.VMTemplateVO;
+import com.cloud.storage.VolumeVO;
+import com.cloud.tags.ResourceTagVO;
import com.cloud.template.TemplateManager;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.DomainManager;
+import com.cloud.user.SSHKeyPairVO;
import com.cloud.user.dao.AccountDao;
import com.cloud.utils.Pair;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
+import com.cloud.vm.InstanceGroupVO;
+import com.cloud.vm.UserVmVO;
+import com.cloud.vm.dao.NicIpAliasVO;
+import com.cloud.vm.dao.NicSecondaryIpVO;
+import com.cloud.vm.snapshot.VMSnapshotVO;
@Local(value = {IAMApiService.class})
public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Manager {
@@ -103,6 +141,53 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
@Inject
MessageBus _messageBus;
+ @Inject
+ EntityManager _entityMgr;
+
+ private static final Map<IAMEntityType, Class<?>> s_typeMap = new HashMap<IAMEntityType, Class<?>>();
+ static {
+ s_typeMap.put(IAMEntityType.VirtualMachine, UserVmVO.class);
+ s_typeMap.put(IAMEntityType.Volume, VolumeVO.class);
+ s_typeMap.put(IAMEntityType.ResourceTag, ResourceTagVO.class);
+ s_typeMap.put(IAMEntityType.Account, AccountVO.class);
+ s_typeMap.put(IAMEntityType.AffinityGroup, AffinityGroupVO.class);
+ s_typeMap.put(IAMEntityType.AutoScalePolicy, AutoScalePolicyVO.class);
+ s_typeMap.put(IAMEntityType.AutoScaleVmProfile, AutoScaleVmProfileVO.class);
+ s_typeMap.put(IAMEntityType.AutoScaleVmGroup, AutoScaleVmGroupVO.class);
+ s_typeMap.put(IAMEntityType.Condition, ConditionVO.class);
+ s_typeMap.put(IAMEntityType.Vpc, VpcVO.class);
+ s_typeMap.put(IAMEntityType.VpcGateway, VpcGatewayVO.class);
+ s_typeMap.put(IAMEntityType.PrivateGateway, RemoteAccessVpnVO.class);
+ s_typeMap.put(IAMEntityType.VpnUser, VpnUserVO.class);
+ s_typeMap.put(IAMEntityType.VMSnapshot, VMSnapshotVO.class);
+ s_typeMap.put(IAMEntityType.VirtualMachineTemplate, VMTemplateVO.class);
+ s_typeMap.put(IAMEntityType.UserIpv6Address, UserIpv6AddressVO.class);
+ s_typeMap.put(IAMEntityType.StaticRoute, StaticRouteVO.class);
+ s_typeMap.put(IAMEntityType.SSHKeyPair, SSHKeyPairVO.class);
+ s_typeMap.put(IAMEntityType.Snapshot, SnapshotVO.class);
+ s_typeMap.put(IAMEntityType.Site2SiteVpnGateway, Site2SiteVpnGatewayVO.class);
+ s_typeMap.put(IAMEntityType.Site2SiteCustomerGateway, Site2SiteCustomerGatewayVO.class);
+ s_typeMap.put(IAMEntityType.Site2SiteVpnConnection, Site2SiteVpnConnectionVO.class);
+ s_typeMap.put(IAMEntityType.SecurityGroup, SecurityGroupVO.class);
+ s_typeMap.put(IAMEntityType.RemoteAccessVpn, RemoteAccessVpnVO.class);
+ s_typeMap.put(IAMEntityType.PublicIpAddress, IPAddressVO.class);
+ s_typeMap.put(IAMEntityType.ProjectInvitation, ProjectInvitationVO.class);
+ s_typeMap.put(IAMEntityType.NicSecondaryIp, NicSecondaryIpVO.class);
+ s_typeMap.put(IAMEntityType.NicIpAlias, NicIpAliasVO.class);
+ s_typeMap.put(IAMEntityType.Network, NetworkVO.class);
+ s_typeMap.put(IAMEntityType.IpAddress, IPAddressVO.class);
+ s_typeMap.put(IAMEntityType.InstanceGroup, InstanceGroupVO.class);
+ s_typeMap.put(IAMEntityType.GlobalLoadBalancerRule, GlobalLoadBalancerRuleVO.class);
+ s_typeMap.put(IAMEntityType.FirewallRule, FirewallRuleVO.class);
+ s_typeMap.put(IAMEntityType.PortForwardingRule, PortForwardingRuleVO.class);
+ s_typeMap.put(IAMEntityType.Event, EventVO.class);
+ s_typeMap.put(IAMEntityType.AsyncJob, AsyncJobVO.class);
+ s_typeMap.put(IAMEntityType.AclGroup, IAMGroupVO.class);
+ s_typeMap.put(IAMEntityType.AclPolicy, IAMPolicyVO.class);
+ s_typeMap.put(IAMEntityType.MonitorService, MonitoringServiceVO.class);
+ s_typeMap.put(IAMEntityType.SSLCert, SslCertVO.class);
+ }
+
@Override
public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
_messageBus.subscribe(AccountManager.MESSAGE_ADD_ACCOUNT_EVENT, new MessageSubscriber() {
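Review bot: `s_typeMap.put(IAMEntityType.PrivateGateway, RemoteAccessVpnVO.class)` looks like a copy-paste slip: `RemoteAccessVpnVO` is mapped again for `IAMEntityType.RemoteAccessVpn` a few lines below, and a private gateway is not a remote-access VPN; the intended VO (presumably the one also used for `VpcGateway`) should be confirmed. Since the keys are enum constants, the table is better declared as `private static final Map<IAMEntityType, Class<?>> s_typeMap = new EnumMap<IAMEntityType, Class<?>>(IAMEntityType.class);` and, being shared mutable static state, wrapped with `Collections.unmodifiableMap` after the static initializer. The table is keyed by `IAMEntityType`, which matters for the `get(entityType)` call in the later hunk of this file.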
@@ -669,6 +754,31 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
}
@Override
+ public Long getPermissionScopeId(String scope, String entityType, String scopeId) {
+ if (scopeId.equals("-1")) {
+ return -1L;
+ }
+ PermissionScope permScope = PermissionScope.valueOf(scope);
+ InternalIdentity entity = null;
+ switch (permScope) {
+ case DOMAIN:
+ entity = _domainDao.findByUuid(scopeId);
+ break;
+ case ACCOUNT:
+ entity = _accountDao.findByUuid(scopeId);
+ break;
+ case RESOURCE:
+ Class<?> clazz = s_typeMap.get(entityType);
+ entity = (InternalIdentity)_entityMgr.findByUuid(clazz, scopeId);
+ }
+
+ if (entity != null) {
+ return entity.getId();
+ }
+ throw new InvalidParameterValueException("Unable to find scopeId " + scopeId + " with scope " + scope + " and type " + entityType);
+ }
+
+ @Override
public List<Class<?>> getCommands() {
List<Class<?>> cmdList = new ArrayList<Class<?>>();
cmdList.add(CreateIAMPolicyCmd.class);
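Review bot: In the `RESOURCE` case `s_typeMap.get(entityType)` is called with the `String` parameter, but the map added earlier in this file is keyed by `IAMEntityType`; `Map.get(Object)` compiles, yet a `String` never equals an enum constant, so `clazz` is always `null` and every resource-scoped permission ends in the `InvalidParameterValueException` (or an NPE inside `_entityMgr.findByUuid`). The key has to be converted first, and the unsupported-type case reported explicitly rather than falling through as "not found". The method also dereferences `scopeId` before any null check, although both command parameters are optional, and `switch` has no `default` or trailing `break`. Nothing in this hunk checks that the caller is allowed to reference the resolved domain, account or resource; I assume `addIAMPermissionToIAMPolicy` does that, but it is worth confirming since this method turns any caller-supplied UUID into an internal id.
```java
public Long getPermissionScopeId(String scope, String entityType, String scopeId) {
    if (scopeId == null) {
        return null; // optional parameter not supplied; keeps the pre-change behaviour of the commands
    }
    if ("-1".equals(scopeId)) {
        return -1L;
    }
    // … unchanged: PermissionScope.valueOf, DOMAIN and ACCOUNT cases …
    case RESOURCE:
        // s_typeMap is keyed by IAMEntityType; looking it up with the raw String never matches
        IAMEntityType type = IAMEntityType.valueOf(entityType);
        Class<?> clazz = s_typeMap.get(type);
        if (clazz == null) {
            throw new InvalidParameterValueException("Unsupported entity type " + entityType + " for scope " + scope);
        }
        entity = (InternalIdentity) _entityMgr.findByUuid(clazz, scopeId);
        break;
    default:
        throw new InvalidParameterValueException("Unsupported permission scope " + scope);
    // … unchanged: null check on entity and the not-found InvalidParameterValueException …
```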
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
index 4b376ce..dc5c168 100644
--- a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
+++ b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
@@ -37,8 +37,6 @@ import org.springframework.test.context.support.AnnotationConfigContextLoader;
import org.apache.cloudstack.acl.IAMEntityType;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.iam.IAMApiServiceImpl;
-import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.command.user.vm.ListVMsCmd;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
@@ -46,6 +44,8 @@ import org.apache.cloudstack.api.response.iam.IAMPermissionResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.framework.messagebus.MessageBus;
+import org.apache.cloudstack.iam.IAMApiService;
+import org.apache.cloudstack.iam.IAMApiServiceImpl;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
@@ -67,6 +67,7 @@ import com.cloud.user.UserVO;
import com.cloud.user.dao.AccountDao;
import com.cloud.utils.Pair;
import com.cloud.utils.component.ComponentContext;
+import com.cloud.utils.db.EntityManager;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
@@ -347,6 +348,11 @@ public class IAMApiServiceTest {
}
@Bean
+ public EntityManager entityMgr() {
+ return Mockito.mock(EntityManager.class);
+ }
+
+ @Bean
public ApiServerService apiServerService() {
return Mockito.mock(ApiServerService.class);
}
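Review bot: The only test-side change is the `EntityManager` mock bean; nothing exercises the new `IAMApiServiceImpl.getPermissionScopeId`, so the `RESOURCE` branch (where the map lookup is done with a `String` key) and the `"-1"` sentinel go unverified. A test that stubs `entityMgr().findByUuid(UserVmVO.class, "<uuid>")` and asserts the returned id, plus one asserting `InvalidParameterValueException` for an unknown UUID, would have caught the lookup issue. The test class continues outside the hunk.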