Posted to commits@cloudstack.apache.org by pr...@apache.org on 2014/03/19 19:45:39 UTC
[1/3] git commit: updated refs/heads/4.4 to 0cc6b30
Repository: cloudstack
Updated Branches:
refs/heads/4.4 7ff49cb88 -> 0cc6b303e
Adding support for 'readOnly' access. AccessType.ListEntry introduced.
Conflicts:
api/src/org/apache/cloudstack/api/ApiConstants.java
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a919f740
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a919f740
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a919f740
Branch: refs/heads/4.4
Commit: a919f740d0ef71fc69f2a02a77f387cc391c2c23
Parents: 7ff49cb
Author: Prachi Damle <pr...@cloud.com>
Authored: Fri Mar 14 16:44:34 2014 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Wed Mar 19 11:30:22 2014 -0700
----------------------------------------------------------------------
api/src/org/apache/cloudstack/acl/SecurityChecker.java | 3 ++-
api/src/org/apache/cloudstack/api/ApiConstants.java | 2 ++
.../api/command/iam/AddIAMPermissionToIAMPolicyCmd.java | 10 +++++++++-
.../src/org/apache/cloudstack/iam/IAMApiService.java | 2 +-
.../src/org/apache/cloudstack/iam/IAMApiServiceImpl.java | 11 +++++++++--
5 files changed, 23 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a919f740/api/src/org/apache/cloudstack/acl/SecurityChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
index 614f604..8ca34d0 100644
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@@ -33,7 +33,8 @@ public interface SecurityChecker extends Adapter {
public enum AccessType {
ModifyProject,
OperateEntry,
- UseEntry
+ UseEntry,
+ ListEntry
}
/**
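Review bot: `ListEntry` is added without any comment, and nothing in the enum says how it differs from `UseEntry`; since these values drive authorization decisions, each deserves a one-line description, for example `// ListEntry: read-only access granted through list/read APIs` (wording to be confirmed by the author). Existing `SecurityChecker` implementations that branch on `AccessType` are not part of this commit, so it is worth checking that none of them treats an unrecognised value as permitted.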
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a919f740/api/src/org/apache/cloudstack/api/ApiConstants.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java
index 6142a0d..aa7c2d4 100755
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@@ -594,6 +594,8 @@ public class ApiConstants {
public static final String SUPPORTS_REGION_LEVEL_VPC = "supportsregionLevelvpc";
public static final String SUPPORTS_STRECHED_L2_SUBNET = "supportsstrechedl2subnet";
public static final String REGION_LEVEL_VPC = "regionlevelvpc";
+ public static final String READ_ONLY = "readOnly";
+
public enum HostDetails {
all, capacity, events, stats, min;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a919f740/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
index d37cc3c..e7c5650 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
@@ -29,6 +29,7 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.BaseCmd.CommandType;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.IAMApiService;
@@ -72,6 +73,9 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
@Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The UUID of the permission scope id")
private String scopeId;
+ @Parameter(name = ApiConstants.READ_ONLY, type = CommandType.BOOLEAN, required = false, description = "Read Only access is added; Only applicable when action = List/Read api name")
+ private Boolean readOnly;
+
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
@@ -100,6 +104,10 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
}
+ public Boolean isReadOnly() {
+ return (readOnly != null) ? readOnly : false;
+ }
+
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@@ -123,7 +131,7 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
CallContext.current().setEventDetails("IAM policy Id: " + getId());
// Only explicit ALLOW is supported for this release, no explicit deny
IAMPolicy result = _iamApiSrv.addIAMPermissionToIAMPolicy(id, entityType, PermissionScope.valueOf(scope),
- getScopeId(), action, Permission.Allow, false);
+ getScopeId(), action, Permission.Allow, false, isReadOnly());
if (result != null) {
IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
response.setResponseName(getCommandName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a919f740/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
index bb8f03b..6735d48 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
@@ -60,7 +60,7 @@ public interface IAMApiService extends PluggableService {
void removeIAMPolicyFromAccounts(Long policyId, List<Long> accountIds);
IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId,
- String action, Permission perm, Boolean recursive);
+ String action, Permission perm, Boolean recursive, Boolean readOnly);
IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a919f740/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
index e128cf1..467caed 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
@@ -40,6 +40,7 @@ import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.api.command.iam.AddAccountToIAMGroupCmd;
@@ -506,11 +507,17 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_GRANT, eventDescription = "Granting acl permission to IAM Policy")
public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope,
- Long scopeId, String action, Permission perm, Boolean recursive) {
+ Long scopeId, String action, Permission perm, Boolean recursive, Boolean readOnly) {
Class<?> cmdClass = _apiServer.getCmdClass(action);
AccessType accessType = null;
if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
- accessType = AccessType.UseEntry;
+ if (readOnly) {
+ accessType = AccessType.ListEntry;
+ } else {
+ accessType = AccessType.UseEntry;
+ }
+ } else if (!(BaseAsyncCreateCmd.class.isAssignableFrom(cmdClass))) {
+ accessType = AccessType.OperateEntry;
}
String accessTypeStr = (accessType != null) ? accessType.toString() : null;
return _iamSrv.addIAMPermissionToIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action,
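Review bot: The `readOnly` flag is honoured only inside the `BaseListCmd` branch, so a request that sets it for any other action is silently stored with `AccessType.OperateEntry` (or with no access type for create commands) instead of being rejected; on a permission-granting API the operator can then believe a read-only grant was made when a broader one was recorded. Consider failing the call when `readOnly` is true and `cmdClass` is not a list command. Separately, `if (readOnly)` unboxes a `Boolean` parameter and throws a NullPointerException if any caller passes null; `if (Boolean.TRUE.equals(readOnly))` avoids that. The new `else if` also changes the stored access type for every non-list, non-create action from null to `OperateEntry`, which the commit message does not mention and is worth confirming against existing policies. The method body continues past the end of this hunk.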
[3/3] git commit: updated refs/heads/4.4 to 0cc6b30
Posted by pr...@apache.org.
IAMEntityType change in the test after merge
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/0cc6b303
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/0cc6b303
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/0cc6b303
Branch: refs/heads/4.4
Commit: 0cc6b303e099d8a3fe3e143e4e5f71a3e4ca29fb
Parents: b3e2219
Author: Prachi Damle <pr...@cloud.com>
Authored: Wed Mar 19 10:59:45 2014 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Wed Mar 19 11:31:23 2014 -0700
----------------------------------------------------------------------
.../test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0cc6b303/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
index 1f09720..84e1e56 100644
--- a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
+++ b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
@@ -295,7 +295,7 @@ public class IAMApiServiceTest {
_iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines",
AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy);
- _aclSrv.addIAMPermissionToIAMPolicy(policyId, IAMEntityType.VirtualMachine.toString(),
+ _aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false, false);
Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
List<IAMPolicyPermission> policyPerms = new ArrayList<IAMPolicyPermission>();
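Review bot: This test still stubs `AccessType.UseEntry.toString()` and passes `false` for the new `readOnly` argument, so the `ListEntry` mapping introduced in this series is never exercised. A second case that passes `true` for `readOnly` with `"listVirtualMachines"` and expects `AccessType.ListEntry.toString()` on the `_iamSrv` call would pin the new behaviour. The same applies to the earlier version of this hunk in commit b3e22191. The test method starts and ends outside the hunk.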
[2/3] git commit: updated refs/heads/4.4 to 0cc6b30
Posted by pr...@apache.org.
More changes to support 'readOnly' access
Conflicts:
api/src/org/apache/cloudstack/api/ApiConstants.java
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/b3e22191
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/b3e22191
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/b3e22191
Branch: refs/heads/4.4
Commit: b3e22191cb53145abd064d09264407b7e000c49f
Parents: a919f74
Author: Prachi Damle <pr...@cloud.com>
Authored: Tue Mar 18 17:04:27 2014 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Wed Mar 19 11:31:06 2014 -0700
----------------------------------------------------------------------
api/src/org/apache/cloudstack/api/ApiConstants.java | 2 +-
server/src/com/cloud/acl/DomainChecker.java | 11 +++++++++++
.../api/command/iam/AddIAMPermissionToIAMPolicyCmd.java | 1 -
.../src/org/apache/cloudstack/iam/IAMApiServiceImpl.java | 3 ++-
.../apache/cloudstack/iam/test/IAMApiServiceTest.java | 4 ++--
5 files changed, 16 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b3e22191/api/src/org/apache/cloudstack/api/ApiConstants.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java
index aa7c2d4..cc2c93b 100755
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@@ -594,7 +594,7 @@ public class ApiConstants {
public static final String SUPPORTS_REGION_LEVEL_VPC = "supportsregionLevelvpc";
public static final String SUPPORTS_STRECHED_L2_SUBNET = "supportsstrechedl2subnet";
public static final String REGION_LEVEL_VPC = "regionlevelvpc";
- public static final String READ_ONLY = "readOnly";
+ public static final String READ_ONLY = "readonly";
public enum HostDetails {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b3e22191/server/src/com/cloud/acl/DomainChecker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index cb6921d..ea129f7 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -328,6 +328,17 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
throws PermissionDeniedException {
+
+ if (action != null && ("SystemCapability".equals(action))) {
+ if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+ return true;
+ }
+
+ } else if (action != null && ("DomainCapability".equals(action))) {
+ if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ return true;
+ }
+ }
return checkAccess(caller, entity, accessType);
}
}
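Review bot: Both new branches return true before `entity` and `accessType` are looked at, so for `"DomainCapability"` any caller of type `ACCOUNT_TYPE_DOMAIN_ADMIN` is allowed regardless of which domain the entity belongs to. Unless every caller that passes this action has already scoped the entity to the caller's domain (not visible in this hunk), the branch should confirm that the entity's domain is the caller's domain or a child of it before returning true. The `action != null &&` guards are redundant because `"SystemCapability".equals(action)` is already null-safe, and the two action names would be safer as shared constants than as string literals repeated here and wherever the action is passed in. A short comment stating why these two actions bypass the normal check would help the next reviewer of this access-control path.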
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b3e22191/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
index e7c5650..d69f3d0 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
@@ -29,7 +29,6 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.BaseCmd.CommandType;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.IAMApiService;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b3e22191/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
index 467caed..5d35ee2 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
@@ -721,7 +721,8 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
String description = "Policy to grant permission to " + entityType + entityId;
policy = createIAMPolicy(caller, aclPolicyName, description, null);
// add permission to this policy
- addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action, Permission.Allow, false);
+ addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action,
+ Permission.Allow, false, false);
}
// attach this policy to list of accounts if not attached already
Long policyId = policy.getId();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b3e22191/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
index 49c4c9f..1f09720 100644
--- a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
+++ b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
@@ -295,8 +295,8 @@ public class IAMApiServiceTest {
_iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines",
AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy);
- _aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
- PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false);
+ _aclSrv.addIAMPermissionToIAMPolicy(policyId, IAMEntityType.VirtualMachine.toString(),
+ PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false, false);
Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
List<IAMPolicyPermission> policyPerms = new ArrayList<IAMPolicyPermission>();
IAMPolicyPermission perm = new IAMPolicyPermissionVO(policyId, "listVirtualMachines",