Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/03/06 23:07:26 UTC
[43/50] [abbrv] git commit: updated refs/heads/rbac to 48e08fe
CLOUDSTACK-5920: IAM service server.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/adb29b21
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/adb29b21
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/adb29b21
Branch: refs/heads/rbac
Commit: adb29b21402d4b446471c2d2741e09cd7b2106aa
Parents: 793becf
Author: Min Chen <mi...@citrix.com>
Authored: Tue Mar 4 17:51:17 2014 -0800
Committer: Min Chen <mi...@citrix.com>
Committed: Wed Mar 5 09:40:55 2014 -0800
----------------------------------------------------------------------
services/iam/server/pom.xml | 52 ++
.../core/spring-iam-server-context.xml | 40 +
.../org/apache/cloudstack/iam/api/IAMGroup.java | 37 +
.../apache/cloudstack/iam/api/IAMPolicy.java | 41 +
.../cloudstack/iam/api/IAMPolicyPermission.java | 53 ++
.../apache/cloudstack/iam/api/IAMService.java | 92 +++
.../iam/server/IAMAccountPolicyMapVO.java | 77 ++
.../iam/server/IAMGroupAccountMapVO.java | 78 ++
.../iam/server/IAMGroupPolicyMapVO.java | 79 ++
.../cloudstack/iam/server/IAMGroupVO.java | 122 +++
.../iam/server/IAMPolicyPermissionVO.java | 181 ++++
.../cloudstack/iam/server/IAMPolicyVO.java | 138 ++++
.../cloudstack/iam/server/IAMServiceImpl.java | 815 +++++++++++++++++++
.../iam/server/dao/IAMAccountPolicyMapDao.java | 17 +
.../server/dao/IAMAccountPolicyMapDaoImpl.java | 61 ++
.../iam/server/dao/IAMGroupAccountMapDao.java | 40 +
.../server/dao/IAMGroupAccountMapDaoImpl.java | 119 +++
.../cloudstack/iam/server/dao/IAMGroupDao.java | 28 +
.../iam/server/dao/IAMGroupDaoImpl.java | 59 ++
.../iam/server/dao/IAMGroupPolicyMapDao.java | 16 +
.../server/dao/IAMGroupPolicyMapDaoImpl.java | 61 ++
.../cloudstack/iam/server/dao/IAMPolicyDao.java | 28 +
.../iam/server/dao/IAMPolicyDaoImpl.java | 57 ++
.../iam/server/dao/IAMPolicyPermissionDao.java | 39 +
.../server/dao/IAMPolicyPermissionDaoImpl.java | 129 +++
.../cloudstack/iam/IAMServiceUnitTest.java | 211 +++++
.../iam/server/test/resources/db.properties | 75 ++
27 files changed, 2745 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/pom.xml
----------------------------------------------------------------------
diff --git a/services/iam/server/pom.xml b/services/iam/server/pom.xml
new file mode 100644
index 0000000..bed8811
--- /dev/null
+++ b/services/iam/server/pom.xml
@@ -0,0 +1,52 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>cloud-iam</artifactId>
+ <name>Apache CloudStack IAM - Server</name>
+ <parent>
+ <groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloudstack-service-iam</artifactId>
+ <version>4.4.0-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloud-utils</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloud-api</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloud-api</artifactId>
+ <version>${project.version}</version>
+ <type>test-jar</type>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
----------------------------------------------------------------------
diff --git a/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml b/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
new file mode 100644
index 0000000..c9f383f
--- /dev/null
+++ b/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
@@ -0,0 +1,40 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:aop="http://www.springframework.org/schema/aop"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+ http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-3.0.xsd"
+ >
+
+ <bean id="IAMGroupDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupDaoImpl" />
+ <bean id="IAMPolicyDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyDaoImpl" />
+ <bean id="IAMGroupAccountMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDaoImpl" />
+ <bean id="IAMGroupPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDaoImpl" />
+ <bean id="IAMPolicyPermissionDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDaoImpl" />
+ <bean id="IAMAccountPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDaoImpl" />
+
+
+ <bean id="IAMServiceImpl" class="org.apache.cloudstack.iam.server.IAMServiceImpl" />
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/api/IAMGroup.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMGroup.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMGroup.java
new file mode 100644
index 0000000..868d0a0
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMGroup.java
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.api;
+
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface IAMGroup extends InternalIdentity, Identity {
+
+ String getName();
+
+ String getDescription();
+
+ @Override
+ long getId();
+
+ @Override
+ String getUuid();
+
+ String getPath();
+
+ long getAccountId();
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicy.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicy.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicy.java
new file mode 100644
index 0000000..e6daeb1
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicy.java
@@ -0,0 +1,41 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.api;
+
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface IAMPolicy extends InternalIdentity, Identity {
+
+ String getName();
+
+ String getDescription();
+
+ public enum PolicyType {
+ Static, Dynamic
+ }
+
+ @Override
+ long getId();
+
+ @Override
+ String getUuid();
+
+ String getPath();
+
+ long getAccountId();
+}
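Review bot: The `PolicyType` enum is declared inside the `IAMPolicy` interface but no accessor on the interface returns it, so a caller holding an `IAMPolicy` cannot tell a Static policy from a Dynamic one without casting to the server-side VO. Add `PolicyType getPolicyType();` beside the other accessors, with a one-sentence Javadoc on the enum saying what distinguishes the two values, because the names alone do not. The rest of the interface carries no Javadoc either; `getPath()` and `getAccountId()` in particular deserve a sentence each, since the same names appear on IAMGroup and presumably carry the same meaning.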
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicyPermission.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
new file mode 100644
index 0000000..b91086f
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
@@ -0,0 +1,53 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.api;
+
+
+public interface IAMPolicyPermission {
+
+ String getAction();
+
+ long getAclPolicyId();
+
+ String getEntityType();
+
+ String getAccessType();
+
+ String getScope();
+
+ Long getScopeId();
+
+ Permission getPermission();
+
+ public enum Permission {
+ Allow(true), Deny(false);
+
+ boolean result;
+
+ Permission(boolean result) {
+ this.result = result;
+ }
+
+ public boolean isGranted() {
+ return result;
+ }
+ }
+
+ long getId();
+
+ public static final long PERMISSION_SCOPE_ID_CURRENT_CALLER = -1;
+}
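Review bot: The `result` field of the `Permission` enum is package-private and mutable, so any class in `org.apache.cloudstack.iam.api` can reassign `Allow.result` or `Deny.result` and silently change what `isGranted()` reports for every permission in the process, because enum constants are shared singletons. Declare it `private final boolean result;`. The `PERMISSION_SCOPE_ID_CURRENT_CALLER = -1` sentinel is also introduced here without any comment; a Javadoc such as `/** Sentinel scope id standing for the current caller's own scope; must be resolved by the evaluating service before it is compared with a real entity id. */` would tell implementers who is responsible for substituting it.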
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
new file mode 100644
index 0000000..74a0885
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -0,0 +1,92 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.api;
+
+import java.util.List;
+
+import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
+
+import com.cloud.utils.Pair;
+
+public interface IAMService {
+
+ /* IAM group related interfaces */
+ IAMGroup createIAMGroup(String iamGroupName, String description, String path);
+
+ boolean deleteIAMGroup(Long iamGroupId);
+
+ List<IAMGroup> listIAMGroups(long accountId);
+
+ IAMGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
+
+ IAMGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
+
+ List<Long> listAccountsByGroup(long groupId);
+
+ Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize);
+
+ /* IAM Policy related interfaces */
+ IAMPolicy createIAMPolicy(String iamPolicyName, String description, Long parentPolicyId, String path);
+
+ boolean deleteIAMPolicy(long iamPolicyId);
+
+ List<IAMPolicy> listIAMPolicies(long accountId);
+
+ List<IAMPolicy> listIAMPoliciesByGroup(long groupId);
+
+ Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize);
+
+ IAMGroup attachIAMPoliciesToGroup(List<Long> policyIds, Long groupId);
+
+ IAMGroup removeIAMPoliciesFromGroup(List<Long> policyIds, Long groupId);
+
+ void attachIAMPolicyToAccounts(Long policyId, List<Long> acctIds);
+
+ void removeIAMPolicyFromAccounts(Long policyId, List<Long> acctIds);
+
+ IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
+ String action, String accessType, Permission perm, Boolean recursive);
+
+ IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
+ String action);
+
+ void removeIAMPermissionForEntity(final String entityType, final Long entityId);
+
+ IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action);
+
+ IAMPolicy getResourceOwnerPolicy();
+
+ List<IAMPolicyPermission> listPolicyPermissions(long policyId);
+
+ List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope);
+
+ List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action, String entityType);
+
+ boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies);
+
+ List<Long> getGrantedEntities(long accountId, String action, String scope);
+
+ IAMPolicy resetIAMPolicy(long iamPolicyId);
+
+ List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
+ String entityType);
+
+ List<IAMGroup> listParentIAMGroups(long groupId);
+
+ List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId);
+
+}
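Review bot: `isActionAllowedForPolicies(String action, List<IAMPolicy> policies)` is the authorization decision point of this interface, yet its contract is undocumented: nothing states whether a Deny permission in one policy overrides an Allow in another, or what the result is for an empty or null policy list. Implementers and the API layer that will gate requests on it need that spelled out; add a Javadoc of the form `/** Returns true only if the given policies grant {@code action}; states whether Deny takes precedence over Allow and that an empty list yields false. */`, adjusted to whatever IAMServiceImpl actually does. The same gap applies to `getGrantedEntities` and `getResourceGrantPolicy`. The id parameters also alternate between `long` and `Long` (`deleteIAMGroup(Long)` versus `deleteIAMPolicy(long)`); pick one so null handling is consistent across the interface.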
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
new file mode 100644
index 0000000..18f085a
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
@@ -0,0 +1,77 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_account_policy_map"))
+public class IAMAccountPolicyMapVO {
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private Long id;
+
+ @Column(name = "account_id")
+ private long accountId;
+
+ @Column(name = "policy_id")
+ private long iamPolicyId;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public IAMAccountPolicyMapVO() {
+ }
+
+ public IAMAccountPolicyMapVO(long accountId, long iamPolicyId) {
+ this.accountId = accountId;
+ this.iamPolicyId = iamPolicyId;
+ }
+
+ public long getId() {
+ return id;
+ }
+
+ public long getAccountId() {
+ return accountId;
+ }
+
+ public long getIamPolicyId() {
+ return iamPolicyId;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+}
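Review bot: `getId()` declares a `long` return but the backing field is `Long`, so calling it on an instance that has not yet been persisted (the id is only assigned by `@GeneratedValue`) unboxes null and throws NullPointerException. Either store `private long id;` as IAMGroupVO does, or return `Long`; the same mismatch is in IAMGroupAccountMapVO and IAMGroupPolicyMapVO. None of these map entities say what the two ids link; a one-line class Javadoc such as `/** Join row linking an account to an IAM policy. */` would help the next reader.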
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
new file mode 100644
index 0000000..dac7d35
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
@@ -0,0 +1,78 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_group_account_map"))
+public class IAMGroupAccountMapVO {
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private Long id;
+
+ @Column(name = "group_id")
+ private long aclGroupId;
+
+ @Column(name = "account_id")
+ private long accountId;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public IAMGroupAccountMapVO() {
+ }
+
+ public IAMGroupAccountMapVO(long aclGroupId, long accountId) {
+ this.aclGroupId = aclGroupId;
+ this.accountId = accountId;
+ }
+
+ public long getId() {
+ return id;
+ }
+
+ public long getAclGroupId() {
+ return aclGroupId;
+ }
+
+
+ public long getAccountId() {
+ return accountId;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
new file mode 100644
index 0000000..946d1f7
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
@@ -0,0 +1,79 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_group_policy_map"))
+public class IAMGroupPolicyMapVO {
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private Long id;
+
+ @Column(name = "group_id")
+ private long aclGroupId;
+
+ @Column(name = "policy_id")
+ private long aclPolicyId;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public IAMGroupPolicyMapVO() {
+ }
+
+ public IAMGroupPolicyMapVO(long aclGroupId, long aclPolicyId) {
+ this.aclGroupId = aclGroupId;
+ this.aclPolicyId = aclPolicyId;
+ }
+
+ public long getId() {
+ return id;
+ }
+
+ public long getAclGroupId() {
+ return aclGroupId;
+ }
+
+
+ public long getAclPolicyId() {
+ return aclPolicyId;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupVO.java
new file mode 100644
index 0000000..80edb89
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupVO.java
@@ -0,0 +1,122 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+import java.util.UUID;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.iam.api.IAMGroup;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_group"))
+public class IAMGroupVO implements IAMGroup {
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private long id;
+
+ @Column(name = "name")
+ private String name;
+
+ @Column(name = "description")
+ private String description;
+
+ @Column(name = "uuid")
+ private String uuid;
+
+ @Column(name = "path")
+ private String path;
+
+ @Column(name = "account_id")
+ private long accountId;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public IAMGroupVO() {
+ uuid = UUID.randomUUID().toString();
+ }
+
+ public IAMGroupVO(String name, String description) {
+ this.name = name;
+ this.description = description;
+ uuid = UUID.randomUUID().toString();
+ path = "/";
+ }
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public String getDescription() {
+ return description;
+ }
+
+ @Override
+ public String getPath() {
+ return path;
+ }
+
+ public void setPath(String path) {
+ this.path = path;
+ }
+
+ @Override
+ public long getAccountId() {
+ return accountId;
+ }
+
+ public void setAccountId(long acctId) {
+ accountId = acctId;
+ }
+
+ @Override
+ public String getUuid() {
+ return uuid;
+ }
+
+ public void setUuid(String uuid) {
+ this.uuid = uuid;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+}
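Review bot: `setUuid` lets the random identifier assigned in both constructors be replaced after construction, and nothing documents when that is legitimate; since `uuid` is the externally visible handle of the group (it is what `Identity.getUuid()` exposes), assigning a caller-supplied value there would let two groups share a handle or let a caller pick one. If the setter exists only for persistence or test use, say so with `/** For persistence and test use only; never assign an externally supplied value. */`, otherwise drop it. The two constructors also initialize `path` differently (the no-arg one leaves it null, the other sets "/"); document or unify the default.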
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
new file mode 100644
index 0000000..13d6b81
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
@@ -0,0 +1,181 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.iam.api.IAMPolicyPermission;
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_policy_permission"))
+public class IAMPolicyPermissionVO implements IAMPolicyPermission {
+
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private long id;
+
+ @Column(name = "policy_id")
+ private long aclPolicyId;
+
+ @Column(name = "action")
+ private String action;
+
+ @Column(name = "resource_type")
+ private String entityType;
+
+ @Column(name = "access_type")
+ private String accessType;
+
+ @Column(name = "scope")
+ private String scope;
+
+ @Column(name = "scope_id")
+ private Long scopeId;
+
+ @Column(name = "permission")
+ @Enumerated(value = EnumType.STRING)
+ private Permission permission;
+
+ @Column(name = "recursive")
+ private Boolean recursive;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public IAMPolicyPermissionVO() {
+
+ }
+
+ public IAMPolicyPermissionVO(long aclPolicyId, String action, String entityType, String accessType, String scope,
+ Long scopeId, Permission permission, Boolean recursive) {
+ this.aclPolicyId = aclPolicyId;
+ this.action = action;
+ this.entityType = entityType;
+ this.accessType = accessType;
+ this.scope = scope;
+ this.scopeId = scopeId;
+ this.permission = permission;
+ this.recursive = recursive;
+ }
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+ @Override
+ public long getAclPolicyId() {
+ return aclPolicyId;
+ }
+
+
+ public void setAclPolicyId(long aclPolicyId) {
+ this.aclPolicyId = aclPolicyId;
+ }
+
+ @Override
+ public String getEntityType() {
+ return entityType;
+ }
+
+ @Override
+ public String getAccessType() {
+ return accessType;
+ }
+
+
+ public void setEntityType(String entityType) {
+ this.entityType = entityType;
+ }
+
+ public void setAccessType(String accessType) {
+ this.accessType = accessType;
+ }
+
+ @Override
+ public String getScope() {
+ return scope;
+ }
+
+ public void setScope(String scope) {
+ this.scope = scope;
+ }
+
+
+ @Override
+ public String getAction() {
+ return action;
+ }
+
+ @Override
+ public Long getScopeId() {
+ // TODO
+ // handle special -1 scopeId, current caller domain, account
+ /*
+ * if ( scopeId < 0 ){ Account caller =
+ * CallContext.current().getCallingAccount(); if ( scope ==
+ * PermissionScope.DOMAIN){ return caller.getDomainId(); } else if
+ * (scope == PermissionScope.ACCOUNT) { return caller.getAccountId(); }
+ * }
+ */
+ return scopeId;
+ }
+
+ @Override
+ public Permission getPermission() {
+ return permission;
+ }
+
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public void setScopeId(Long scopeId) {
+ this.scopeId = scopeId;
+ }
+
+ public void setPermission(Permission permission) {
+ this.permission = permission;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+
+ public Boolean isRecursive() {
+ return recursive;
+ }
+
+}
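Review bot: `getScopeId()` returns the stored value verbatim, including the `PERMISSION_SCOPE_ID_CURRENT_CALLER` sentinel, while the commented-out block under the TODO shows an intended resolution against the calling account; until that is decided, the entity-layer contract should be explicit so the service layer knows it must substitute the sentinel before comparing against real ids. Replace the dead code with a Javadoc: `/** Returns the raw scope id; PERMISSION_SCOPE_ID_CURRENT_CALLER is not resolved here and must be mapped to the caller's domain or account by the evaluating service. */` — commented-out code tends to be mistaken for behavior. `isRecursive()` also returns a nullable `Boolean` that the constructor accepts as-is, so a caller that unboxes it will NPE on a row created with `recursive == null`; either default it to `Boolean.FALSE` in the constructor or document the null case.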
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyVO.java
new file mode 100644
index 0000000..25ebd01
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyVO.java
@@ -0,0 +1,138 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+import java.util.UUID;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.iam.api.IAMPolicy;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_policy"))
+public class IAMPolicyVO implements IAMPolicy {
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private long id;
+
+ @Column(name = "name")
+ private String name;
+
+ @Column(name = "description")
+ private String description;
+
+ @Column(name = "uuid")
+ private String uuid;
+
+ @Column(name = "path")
+ private String path;
+
+ @Column(name = "account_id")
+ private long accountId;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ @Column(name = "policy_type")
+ @Enumerated(value = EnumType.STRING)
+ private IAMPolicy.PolicyType policyType;
+
+ public IAMPolicyVO() {
+ uuid = UUID.randomUUID().toString();
+ }
+
+ public IAMPolicyVO(String name, String description) {
+ this.name = name;
+ this.description = description;
+ uuid = UUID.randomUUID().toString();
+ policyType = IAMPolicy.PolicyType.Static;
+ }
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public String getDescription() {
+ return description;
+ }
+
+
+ @Override
+ public String getUuid() {
+ return uuid;
+ }
+
+ public void setUuid(String uuid) {
+ this.uuid = uuid;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+
+ @Override
+ public String getPath() {
+ return path;
+ }
+
+ public void setPath(String path) {
+ this.path = path;
+ }
+
+ @Override
+ public long getAccountId() {
+ return accountId;
+ }
+
+ public void setAccountId(long accountId) {
+ this.accountId = accountId;
+ }
+
+ public IAMPolicy.PolicyType getPolicyType() {
+ return policyType;
+ }
+
+ public void setPolicyType(IAMPolicy.PolicyType policyType) {
+ this.policyType = policyType;
+ }
+
+}
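Review bot: The two constructors leave IAMPolicyVO in different states — the no-arg one leaves `policyType` null while the (name, description) one sets it to `IAMPolicy.PolicyType.Static` — and nothing documents which callers are expected to use which, so a class-level Javadoc stating that the no-arg constructor exists for the ORM and that policies default to Static would prevent surprise nulls in `getPolicyType()`. The redundant parentheses in `@Table(name = ("iam_policy"))` should be dropped to match the other entities in this commit, i.e. `@Table(name = "iam_policy")`. The `path` field is used as a LIKE prefix by the service's list methods, so its expected format (leading/trailing slash) is worth stating in a comment on the field.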
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
new file mode 100644
index 0000000..097d84f
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -0,0 +1,815 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.iam.api.IAMGroup;
+import org.apache.cloudstack.iam.api.IAMPolicy;
+import org.apache.cloudstack.iam.api.IAMPolicyPermission;
+import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
+import org.apache.cloudstack.iam.api.IAMService;
+import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao;
+import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao;
+import org.apache.cloudstack.iam.server.dao.IAMGroupDao;
+import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao;
+import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
+import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.utils.Pair;
+import com.cloud.utils.component.Manager;
+import com.cloud.utils.component.ManagerBase;
+import com.cloud.utils.db.DB;
+import com.cloud.utils.db.EntityManager;
+import com.cloud.utils.db.Filter;
+import com.cloud.utils.db.GenericSearchBuilder;
+import com.cloud.utils.db.JoinBuilder;
+import com.cloud.utils.db.JoinBuilder.JoinType;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.SearchCriteria.Op;
+import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallback;
+import com.cloud.utils.db.TransactionCallbackNoReturn;
+import com.cloud.utils.db.TransactionStatus;
+
+@Local(value = {IAMService.class})
+public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
+
+ public static final Logger s_logger = Logger.getLogger(IAMServiceImpl.class);
+ private String _name;
+
+ @Inject
+ IAMPolicyDao _aclPolicyDao;
+
+ @Inject
+ IAMGroupDao _aclGroupDao;
+
+ @Inject
+ EntityManager _entityMgr;
+
+ @Inject
+ IAMGroupPolicyMapDao _aclGroupPolicyMapDao;
+
+ @Inject
+ IAMAccountPolicyMapDao _aclAccountPolicyMapDao;
+
+ @Inject
+ IAMGroupAccountMapDao _aclGroupAccountMapDao;
+
+ @Inject
+ IAMPolicyPermissionDao _policyPermissionDao;
+
+ @DB
+ @Override
+ public IAMGroup createIAMGroup(String iamGroupName, String description, String path) {
+ // check if the group is already existing
+ IAMGroup grp = _aclGroupDao.findByName(path, iamGroupName);
+ if (grp != null) {
+ throw new InvalidParameterValueException(
+ "Unable to create acl group with name " + iamGroupName
+ + " already exisits for path " + path);
+ }
+ IAMGroupVO rvo = new IAMGroupVO(iamGroupName, description);
+ rvo.setPath(path);
+
+ return _aclGroupDao.persist(rvo);
+ }
+
+ @DB
+ @Override
+ public boolean deleteIAMGroup(final Long iamGroupId) {
+ // get the Acl Group entity
+ final IAMGroup grp = _aclGroupDao.findById(iamGroupId);
+ if (grp == null) {
+ throw new InvalidParameterValueException("Unable to find acl group: " + iamGroupId
+ + "; failed to delete acl group.");
+ }
+
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // remove this group related entry in acl_group_role_map
+ List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
+ if (groupPolicyMap != null) {
+ for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
+ _aclGroupPolicyMapDao.remove(gr.getId());
+ }
+ }
+
+ // remove this group related entry in acl_group_account table
+ List<IAMGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
+ if (groupAcctMap != null) {
+ for (IAMGroupAccountMapVO grpAcct : groupAcctMap) {
+ _aclGroupAccountMapDao.remove(grpAcct.getId());
+ }
+ }
+
+ // remove this group from acl_group table
+ _aclGroupDao.remove(iamGroupId);
+ }
+ });
+
+ return true;
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public List<IAMGroup> listIAMGroups(long accountId) {
+
+ GenericSearchBuilder<IAMGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
+ groupSB.selectFields(groupSB.entity().getAclGroupId());
+ groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
+ SearchCriteria<Long> groupSc = groupSB.create();
+ groupSc.setParameters("account", accountId);
+
+ List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
+
+ SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
+ sb.and("ids", sb.entity().getId(), Op.IN);
+ SearchCriteria<IAMGroupVO> sc = sb.create();
+ sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
+ @SuppressWarnings("rawtypes")
+ List groups = _aclGroupDao.search(sc, null);
+ return groups;
+ }
+
+ @DB
+ @Override
+ public IAMGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
+ // get the Acl Group entity
+ IAMGroup group = _aclGroupDao.findById(groupId);
+ if (group == null) {
+ throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ + "; failed to add accounts to acl group.");
+ }
+
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // add entries in acl_group_account_map table
+ for (Long acctId : acctIds) {
+ // check account permissions
+ IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
+ if (grMap == null) {
+ // not there already
+ grMap = new IAMGroupAccountMapVO(groupId, acctId);
+ _aclGroupAccountMapDao.persist(grMap);
+ }
+ }
+ }
+ });
+ return group;
+ }
+
+ @DB
+ @Override
+ public IAMGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
+ // get the Acl Group entity
+ IAMGroup group = _aclGroupDao.findById(groupId);
+ if (group == null) {
+ throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ + "; failed to remove accounts from acl group.");
+ }
+
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // remove entries from acl_group_account_map table
+ for (Long acctId : acctIds) {
+ IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
+ if (grMap != null) {
+ // not removed yet
+ _aclGroupAccountMapDao.remove(grMap.getId());
+ }
+ }
+ }
+ });
+ return group;
+ }
+
+ @Override
+ public List<Long> listAccountsByGroup(long groupId) {
+ List<IAMGroupAccountMapVO> grpAcctMap = _aclGroupAccountMapDao.listByGroupId(groupId);
+ if (grpAcctMap == null || grpAcctMap.size() == 0) {
+ return new ArrayList<Long>();
+ }
+
+ List<Long> accts = new ArrayList<Long>();
+ for (IAMGroupAccountMapVO grpAcct : grpAcctMap) {
+ accts.add(grpAcct.getAccountId());
+ }
+ return accts;
+ }
+
+ @Override
+ public Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize) {
+ if (iamGroupId != null) {
+ IAMGroup group = _aclGroupDao.findById(iamGroupId);
+ if (group == null) {
+ throw new InvalidParameterValueException("Unable to find acl group by id " + iamGroupId);
+ }
+ }
+
+ Filter searchFilter = new Filter(IAMGroupVO.class, "id", true, startIndex, pageSize);
+
+ SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
+ sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
+ sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
+ sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
+
+ SearchCriteria<IAMGroupVO> sc = sb.create();
+
+ if (iamGroupName != null) {
+ sc.setParameters("name", iamGroupName);
+ }
+
+ if (iamGroupId != null) {
+ sc.setParameters("id", iamGroupId);
+ }
+
+ sc.setParameters("path", path + "%");
+
+ Pair<List<IAMGroupVO>, Integer> groups = _aclGroupDao.searchAndCount(sc, searchFilter);
+ return new Pair<List<IAMGroup>, Integer>(new ArrayList<IAMGroup>(groups.first()), groups.second());
+ }
+
+ @Override
+ public List<IAMGroup> listParentIAMGroups(long groupId) {
+ IAMGroup group = _aclGroupDao.findById(groupId);
+ if (group == null) {
+ throw new InvalidParameterValueException("Unable to find acl group by id " + groupId);
+ }
+
+ String path = group.getPath();
+ List<String> pathList = new ArrayList<String>();
+
+ String[] parts = path.split("/");
+
+ for (String part : parts) {
+ int start = path.indexOf(part);
+ if (start > 0) {
+ String subPath = path.substring(0, start);
+ pathList.add(subPath);
+ }
+ }
+
+ if (pathList.isEmpty()) {
+ return new ArrayList<IAMGroup>();
+ }
+
+ SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
+ sb.and("paths", sb.entity().getPath(), SearchCriteria.Op.IN);
+
+ SearchCriteria<IAMGroupVO> sc = sb.create();
+ sc.setParameters("paths", pathList.toArray());
+
+ List<IAMGroupVO> groups = _aclGroupDao.search(sc, null);
+
+ return new ArrayList<IAMGroup>(groups);
+
+ }
+
+ @DB
+ @Override
+ public IAMPolicy createIAMPolicy(final String iamPolicyName, final String description, final Long parentPolicyId, final String path) {
+
+ // check if the policy is already existing
+ IAMPolicy ro = _aclPolicyDao.findByName(iamPolicyName);
+ if (ro != null) {
+ throw new InvalidParameterValueException(
+ "Unable to create acl policy with name " + iamPolicyName
+ + " already exisits");
+ }
+
+ IAMPolicy role = Transaction.execute(new TransactionCallback<IAMPolicy>() {
+ @Override
+ public IAMPolicy doInTransaction(TransactionStatus status) {
+ IAMPolicyVO rvo = new IAMPolicyVO(iamPolicyName, description);
+ rvo.setPath(path);
+
+ IAMPolicy role = _aclPolicyDao.persist(rvo);
+ if (parentPolicyId != null) {
+ // copy parent role permissions
+ List<IAMPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
+ if (perms != null) {
+ for (IAMPolicyPermissionVO perm : perms) {
+ perm.setAclPolicyId(role.getId());
+ _policyPermissionDao.persist(perm);
+ }
+ }
+ }
+ return role;
+ }
+ });
+
+
+ return role;
+ }
+
+ @DB
+ @Override
+ public boolean deleteIAMPolicy(final long iamPolicyId) {
+ // get the Acl Policy entity
+ final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ + "; failed to delete acl policy.");
+ }
+
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // remove this role related entry in acl_group_role_map
+ List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
+ if (groupPolicyMap != null) {
+ for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
+ _aclGroupPolicyMapDao.remove(gr.getId());
+ }
+ }
+
+ // remove this policy related entry in acl_account_policy_map table
+ List<IAMAccountPolicyMapVO> policyAcctMap = _aclAccountPolicyMapDao.listByPolicyId(policy.getId());
+ if (policyAcctMap != null) {
+ for (IAMAccountPolicyMapVO policyAcct : policyAcctMap) {
+ _aclAccountPolicyMapDao.remove(policyAcct.getId());
+ }
+ }
+
+ // remove this policy related entry in acl_policy_permission table
+ List<IAMPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
+ if (policyPermMap != null) {
+ for (IAMPolicyPermissionVO policyPerm : policyPermMap) {
+ _policyPermissionDao.remove(policyPerm.getId());
+ }
+ }
+
+ // remove this role from acl_role table
+ _aclPolicyDao.remove(iamPolicyId);
+ }
+ });
+
+ return true;
+ }
+
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public List<IAMPolicy> listIAMPolicies(long accountId) {
+
+ // static policies of the account
+ SearchBuilder<IAMGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
+ groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
+
+ GenericSearchBuilder<IAMGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
+ policySB.selectFields(policySB.entity().getAclPolicyId());
+ policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
+ JoinType.INNER);
+ policySB.done();
+ SearchCriteria<Long> policySc = policySB.create();
+ policySc.setJoinParameters("accountgroupjoin", "account", accountId);
+
+ List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
+ // add policies directly attached to the account
+ List<IAMAccountPolicyMapVO> acctPolicies = _aclAccountPolicyMapDao.listByAccountId(accountId);
+ for (IAMAccountPolicyMapVO p : acctPolicies) {
+ policyIds.add(p.getIamPolicyId());
+ }
+ if (policyIds.size() == 0) {
+ return new ArrayList<IAMPolicy>();
+ }
+ SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+ sb.and("ids", sb.entity().getId(), Op.IN);
+ SearchCriteria<IAMPolicyVO> sc = sb.create();
+ sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
+ @SuppressWarnings("rawtypes")
+ List policies = _aclPolicyDao.customSearch(sc, null);
+
+ return policies;
+
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public List<IAMPolicy> listIAMPoliciesByGroup(long groupId) {
+ List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
+ if (policyGrpMap == null || policyGrpMap.size() == 0) {
+ return new ArrayList<IAMPolicy>();
+ }
+
+ List<Long> policyIds = new ArrayList<Long>();
+ for (IAMGroupPolicyMapVO pg : policyGrpMap) {
+ policyIds.add(pg.getAclPolicyId());
+ }
+
+ SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+ sb.and("ids", sb.entity().getId(), Op.IN);
+ SearchCriteria<IAMPolicyVO> sc = sb.create();
+ sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
+ @SuppressWarnings("rawtypes")
+ List policies = _aclPolicyDao.customSearch(sc, null);
+
+ return policies;
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId) {
+ List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
+ if (policyGrpMap == null || policyGrpMap.size() == 0) {
+ return new ArrayList<IAMPolicy>();
+ }
+
+ List<Long> policyIds = new ArrayList<Long>();
+ for (IAMGroupPolicyMapVO pg : policyGrpMap) {
+ policyIds.add(pg.getAclPolicyId());
+ }
+
+ SearchBuilder<IAMPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
+ permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);
+
+ SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+ sb.and("ids", sb.entity().getId(), Op.IN);
+ sb.join("recursivePerm", permSb, sb.entity().getId(), permSb.entity().getAclPolicyId(),
+ JoinBuilder.JoinType.INNER);
+
+ SearchCriteria<IAMPolicyVO> sc = sb.create();
+ sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
+ sc.setJoinParameters("recursivePerm", "isRecursive", true);
+
+ @SuppressWarnings("rawtypes")
+ List policies = _aclPolicyDao.customSearch(sc, null);
+
+ return policies;
+ }
+
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize) {
+
+ if (iamPolicyId != null) {
+ IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy by id " + iamPolicyId);
+ }
+ }
+
+ Filter searchFilter = new Filter(IAMPolicyVO.class, "id", true, startIndex, pageSize);
+
+ SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+ sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
+ sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
+ sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
+
+ SearchCriteria<IAMPolicyVO> sc = sb.create();
+
+ if (iamPolicyName != null) {
+ sc.setParameters("name", iamPolicyName);
+ }
+
+ if (iamPolicyId != null) {
+ sc.setParameters("id", iamPolicyId);
+ }
+
+ sc.setParameters("path", path + "%");
+
+ Pair<List<IAMPolicyVO>, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter);
+ @SuppressWarnings("rawtypes")
+ List policyList = policies.first();
+ return new Pair<List<IAMPolicy>, Integer>(policyList, policies.second());
+ }
+
+ @DB
+ @Override
+ public IAMGroup attachIAMPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
+ // get the Acl Group entity
+ IAMGroup group = _aclGroupDao.findById(groupId);
+ if (group == null) {
+ throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ + "; failed to add roles to acl group.");
+ }
+
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // add entries in acl_group_policy_map table
+ for (Long policyId : policyIds) {
+ IAMPolicy policy = _aclPolicyDao.findById(policyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ + "; failed to add policies to acl group.");
+ }
+
+ IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
+ if (grMap == null) {
+ // not there already
+ grMap = new IAMGroupPolicyMapVO(groupId, policyId);
+ _aclGroupPolicyMapDao.persist(grMap);
+ }
+ }
+ }
+ });
+
+ return group;
+ }
+
+ @DB
+ @Override
+ public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
+ // get the Acl Group entity
+ IAMGroup group = _aclGroupDao.findById(groupId);
+ if (group == null) {
+ throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ + "; failed to remove roles from acl group.");
+ }
+
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // add entries in acl_group_role_map table
+ for (Long policyId : policyIds) {
+ IAMPolicy policy = _aclPolicyDao.findById(policyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ + "; failed to add policies to acl group.");
+ }
+
+ IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
+ if (grMap != null) {
+ // not removed yet
+ _aclGroupPolicyMapDao.remove(grMap.getId());
+ }
+ }
+ }
+ });
+ return group;
+ }
+
+
+ @Override
+ public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> acctIds) {
+ IAMPolicy policy = _aclPolicyDao.findById(policyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ + "; failed to add policy to account.");
+ }
+
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // add entries in acl_group_policy_map table
+ for (Long acctId : acctIds) {
+ IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
+ if (acctMap == null) {
+ // not there already
+ acctMap = new IAMAccountPolicyMapVO(acctId, policyId);
+ _aclAccountPolicyMapDao.persist(acctMap);
+ }
+ }
+ }
+ });
+ }
+
+ @Override
+ public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> acctIds) {
+ IAMPolicy policy = _aclPolicyDao.findById(policyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ + "; failed to add policy to account.");
+ }
+
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // add entries in acl_group_policy_map table
+ for (Long acctId : acctIds) {
+ IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
+ if (acctMap != null) {
+ // exists
+ _aclAccountPolicyMapDao.remove(acctMap.getId());
+ }
+ }
+ }
+ });
+ }
+
+ @DB
+ @Override
+ public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
+ String action, String accessType, Permission perm, Boolean recursive) {
+ // get the Acl Policy entity
+ IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ + "; failed to add permission to policy.");
+ }
+
+ // add entry in acl_policy_permission table
+ IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope, scopeId, action, perm);
+ if (permit == null) {
+ // not there already
+ permit = new IAMPolicyPermissionVO(iamPolicyId, action, entityType, accessType, scope, scopeId, perm,
+ recursive);
+ _policyPermissionDao.persist(permit);
+ }
+ return policy;
+
+ }
+
+ @DB
+ @Override
+ public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
+ String action) {
+ // get the Acl Policy entity
+ IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ + "; failed to revoke permission from policy.");
+ }
+ // remove entry from acl_entity_permission table
+ IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope, scopeId, action, Permission.Allow);
+ if (permit != null) {
+ // not removed yet
+ _policyPermissionDao.remove(permit.getId());
+ }
+ return policy;
+ }
+
+ @DB
+ @Override
+ public void removeIAMPermissionForEntity(final String entityType, final Long entityId) {
+ Transaction.execute(new TransactionCallbackNoReturn() {
+ @Override
+ public void doInTransactionWithoutResult(TransactionStatus status) {
+ // remove entry from acl_entity_permission table
+ List<IAMPolicyPermissionVO> permitList = _policyPermissionDao.listByEntity(entityType, entityId);
+ for (IAMPolicyPermissionVO permit : permitList) {
+ long policyId = permit.getAclPolicyId();
+ _policyPermissionDao.remove(permit.getId());
+
+ // remove the policy if there are no other permissions
+ if ((_policyPermissionDao.listByPolicy(policyId)).isEmpty()) {
+ deleteIAMPolicy(policyId);
+ }
+ }
+ }
+ });
+ }
+
+ @DB
+ @Override
+ public IAMPolicy resetIAMPolicy(long iamPolicyId) {
+ // get the Acl Policy entity
+ IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+ if (policy == null) {
+ throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ + "; failed to reset the policy.");
+ }
+
+ SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
+ sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
+ sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
+ sb.done();
+ SearchCriteria<IAMPolicyPermissionVO> permissionSC = sb.create();
+ permissionSC.setParameters("policyId", iamPolicyId);
+ _policyPermissionDao.expunge(permissionSC);
+
+ return policy;
+ }
+
+ @Override
+ public boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies) {
+
+ boolean allowed = false;
+
+ if (policies == null || policies.size() == 0) {
+ return allowed;
+ }
+
+ List<Long> policyIds = new ArrayList<Long>();
+ for (IAMPolicy policy : policies) {
+ policyIds.add(policy.getId());
+ }
+
+ SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
+ sb.and("action", sb.entity().getAction(), Op.EQ);
+ sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
+
+ SearchCriteria<IAMPolicyPermissionVO> sc = sb.create();
+ sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
+ sc.setParameters("action", action);
+
+ List<IAMPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
+
+ if (permissions != null && !permissions.isEmpty()) {
+ allowed = true;
+ }
+
+ return allowed;
+ }
+
+
+ @Override
+ public List<Long> getGrantedEntities(long accountId, String action, String scope) {
+ // Get the static Policies of the Caller
+ List<IAMPolicy> policies = listIAMPolicies(accountId);
+ // for each policy, find granted permission within the given scope
+ List<Long> entityIds = new ArrayList<Long>();
+ for (IAMPolicy policy : policies) {
+ List<IAMPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action,
+ scope);
+ if (pp != null) {
+ for (IAMPolicyPermissionVO p : pp) {
+ if (p.getScopeId() != null) {
+ entityIds.add(p.getScopeId());
+ }
+ }
+ }
+ }
+ return entityIds;
+ }
+
+ @Override
+ @SuppressWarnings("unchecked")
+ public List<IAMPolicyPermission> listPolicyPermissions(long policyId) {
+ @SuppressWarnings("rawtypes")
+ List pp = _policyPermissionDao.listByPolicy(policyId);
+ return pp;
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope) {
+ @SuppressWarnings("rawtypes")
+ List pp = _policyPermissionDao.listGrantedByActionAndScope(policyId, action, scope);
+ return pp;
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action,
+ String entityType) {
+ @SuppressWarnings("rawtypes")
+ List pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
+ return pp;
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
+ String entityType) {
+ @SuppressWarnings("rawtypes")
+ List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType);
+ return pp;
+ }
+
+ @Override
+ public IAMPolicy getResourceOwnerPolicy() {
+ return _aclPolicyDao.findByName("RESOURCE_OWNER");
+ }
+
+ // search for policy with only one resource grant permission
+ @Override
+ public IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action) {
+ List<IAMPolicyVO> policyList = _aclPolicyDao.listAll();
+ for (IAMPolicyVO policy : policyList){
+ List<IAMPolicyPermission> pp = listPolicyPermissions(policy.getId());
+ if ( pp != null && pp.size() == 1){
+ // resource grant policy should only have one ACL permission assigned
+ IAMPolicyPermission permit = pp.get(0);
+ if ( permit.getEntityType().equals(entityType) && permit.getScope().equals(PermissionScope.RESOURCE.toString()) && permit.getScopeId().longValue() == entityId.longValue()){
+ if (accessType != null && permit.getAccessType().equals(accessType)){
+ return policy;
+ } else if (action != null && permit.getAction().equals(action)) {
+ return policy;
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+}
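Review bot: isActionAllowedForPolicies returns true whenever any permission row for the action exists under one of the given policies, without constraining the `permission` column, so a Deny entry is reported as an allow; add `sb.and("permission", sb.entity().getPermission(), Op.EQ);` to the builder and `sc.setParameters("permission", Permission.Allow);` before the search. removeIAMPermissionFromIAMPolicy has the mirror problem: its lookup hard-codes `Permission.Allow`, so a Deny permission can never be revoked through it, and the signature should take the Permission to remove. listParentIAMGroups derives parent paths with `path.indexOf(part)`, which finds the first occurrence of a segment's text anywhere in the path (for `/ab/b/c` the segment `b` yields `/a`), producing wrong or duplicate parent paths and therefore wrong inherited groups; walking the '/' positions instead, as below, reproduces the intended `/`, `/a/`, `/a/b/` prefixes. In createIAMPolicy the parent's permission VOs are re-persisted with their original ids still set, so if `persist()` honours an existing id this re-points the parent's rows at the new policy rather than copying them — worth confirming against GenericDaoBase; the unset `scope` condition in resetIAMPolicy is dead code and should be removed or parameterised.
```java
        String path = group.getPath();
        List<String> pathList = new ArrayList<String>();
        // every '/' that is not the final character closes a parent prefix ("/", "/a/", "/a/b/")
        for (int i = path.indexOf('/'); i >= 0; i = path.indexOf('/', i + 1)) {
            if (i + 1 < path.length()) {
                pathList.add(path.substring(0, i + 1));
            }
        }
        // … unchanged: IN-search over pathList and result conversion …
```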
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
new file mode 100644
index 0000000..4caf659
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
@@ -0,0 +1,17 @@
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.List;
+
+import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
+
+import com.cloud.utils.db.GenericDao;
+
+public interface IAMAccountPolicyMapDao extends GenericDao<IAMAccountPolicyMapVO, Long> {
+
+ List<IAMAccountPolicyMapVO> listByAccountId(long acctId);
+
+ List<IAMAccountPolicyMapVO> listByPolicyId(long policyId);
+
+ IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId);
+
+}
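Review bot: This file has no ASF license header, while the sibling DAO interfaces added in the same commit (IAMGroupAccountMapDao.java, IAMGroupDao.java) carry it; the same applies to IAMAccountPolicyMapDaoImpl.java. The interface also has no Javadoc, and the one contract callers most need is the miss case: the implementation uses findOneBy, so `findByAccountAndPolicy` presumably yields null when no mapping exists. Suggested: `/** Returns the mapping row for the given account and policy, or null if the account has no such policy attached. */`.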
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
new file mode 100644
index 0000000..3ecca3b
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
@@ -0,0 +1,61 @@
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
+
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+public class IAMAccountPolicyMapDaoImpl extends GenericDaoBase<IAMAccountPolicyMapVO, Long> implements IAMAccountPolicyMapDao {
+
+ private SearchBuilder<IAMAccountPolicyMapVO> ListByAccountId;
+ private SearchBuilder<IAMAccountPolicyMapVO> ListByPolicyId;
+ private SearchBuilder<IAMAccountPolicyMapVO> findByPolicyAccountId;
+
+ @Override
+ public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+ super.configure(name, params);
+
+ ListByAccountId = createSearchBuilder();
+ ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
+ ListByAccountId.done();
+
+ ListByPolicyId = createSearchBuilder();
+ ListByPolicyId.and("policyId", ListByPolicyId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
+ ListByPolicyId.done();
+
+ findByPolicyAccountId = createSearchBuilder();
+ findByPolicyAccountId.and("policyId", findByPolicyAccountId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
+ findByPolicyAccountId.and("accountId", findByPolicyAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
+ findByPolicyAccountId.done();
+
+ return true;
+ }
+
+ @Override
+ public List<IAMAccountPolicyMapVO> listByAccountId(long acctId) {
+ SearchCriteria<IAMAccountPolicyMapVO> sc = ListByAccountId.create();
+ sc.setParameters("accountId", acctId);
+ return listBy(sc);
+ }
+
+ @Override
+ public List<IAMAccountPolicyMapVO> listByPolicyId(long policyId) {
+ SearchCriteria<IAMAccountPolicyMapVO> sc = ListByPolicyId.create();
+ sc.setParameters("policyId", policyId);
+ return listBy(sc);
+ }
+
+ @Override
+ public IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId) {
+ SearchCriteria<IAMAccountPolicyMapVO> sc = findByPolicyAccountId.create();
+ sc.setParameters("policyId", policyId);
+ sc.setParameters("accountId", acctId);
+ return findOneBy(sc);
+ }
+}
\ No newline at end of file
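Review bot: The class declaration lacks the `@Component` annotation that IAMGroupAccountMapDaoImpl and IAMGroupDaoImpl in this commit carry; unless the bean is declared in spring-iam-server-context.xml (in the diffstat but not visible here), IAMServiceImpl's injection of this DAO will fail at startup rather than at compile time. The search-builder fields `ListByAccountId` and `ListByPolicyId` are capitalized like type names while the third one is `findByPolicyAccountId`; rename to `_listByAccountId`, `_listByPolicyId`, `_findByPolicyAccountId` to match the underscore convention used by IAMGroupAccountMapDaoImpl. The file also ends without a trailing newline.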
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
new file mode 100644
index 0000000..a94dbaa
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
@@ -0,0 +1,40 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.List;
+
+import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
+
+import com.cloud.utils.db.GenericDao;
+
+public interface IAMGroupAccountMapDao extends GenericDao<IAMGroupAccountMapVO, Long> {
+
+ List<IAMGroupAccountMapVO> listByGroupId(long groupId);
+
+ List<IAMGroupAccountMapVO> listByAccountId(long accountId);
+
+ IAMGroupAccountMapVO findAccountInAdminGroup(long accountId);
+
+ IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
+
+ void removeAccountFromGroups(long accountId);
+
+ IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
+
+ IAMGroupAccountMapVO findAccountInUserGroup(long accountId);
+}
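Review bot: The three finders `findAccountInAdminGroup`, `findAccountInDomainAdminGroup` and `findAccountInUserGroup` bake the meaning of specific built-in groups into the DAO contract but say nothing about what they return when the account is not a member; the implementation uses findOneBy, so null is the likely answer and callers doing privilege checks need that stated. Suggested Javadoc on each, e.g. `/** @return the membership row, or null if the account is not in the built-in admin group */`. Consider also grouping the three together and ordering them user, domain admin, admin so the privilege tiers read in order.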
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
new file mode 100644
index 0000000..4bb5d1a
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
@@ -0,0 +1,119 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
+
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+@Component
+public class IAMGroupAccountMapDaoImpl extends GenericDaoBase<IAMGroupAccountMapVO, Long> implements IAMGroupAccountMapDao {
+ private SearchBuilder<IAMGroupAccountMapVO> ListByGroupId;
+ private SearchBuilder<IAMGroupAccountMapVO> ListByAccountId;
+ private SearchBuilder<IAMGroupAccountMapVO> _findByAccountAndGroupId;
+
+ public static final Logger s_logger = Logger.getLogger(IAMGroupAccountMapDaoImpl.class.getName());
+
+ @Override
+ public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+ super.configure(name, params);
+
+ ListByGroupId = createSearchBuilder();
+ ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
+ ListByGroupId.done();
+
+ ListByAccountId = createSearchBuilder();
+ ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
+ ListByAccountId.done();
+
+ _findByAccountAndGroupId = createSearchBuilder();
+ _findByAccountAndGroupId
+ .and("groupId", _findByAccountAndGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
+ _findByAccountAndGroupId.and("accountId", _findByAccountAndGroupId.entity().getAccountId(),
+ SearchCriteria.Op.EQ);
+ _findByAccountAndGroupId.done();
+
+ return true;
+ }
+
+ @Override
+ public List<IAMGroupAccountMapVO> listByGroupId(long groupId) {
+ SearchCriteria<IAMGroupAccountMapVO> sc = ListByGroupId.create();
+ sc.setParameters("groupId", groupId);
+ return listBy(sc);
+ }
+
+ @Override
+ public List<IAMGroupAccountMapVO> listByAccountId(long accountId) {
+ SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
+ sc.setParameters("accountId", accountId);
+ return listBy(sc);
+ }
+
+ @Override
+ public IAMGroupAccountMapVO findAccountInAdminGroup(long accountId) {
+ SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+ sc.setParameters("accountId", accountId);
+ sc.setParameters("groupId", 2);
+ return findOneBy(sc);
+ }
+
+ @Override
+ public IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
+ SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+ sc.setParameters("accountId", accountId);
+ sc.setParameters("groupId", 3);
+ return findOneBy(sc);
+ }
+
+ @Override
+ public IAMGroupAccountMapVO findAccountInUserGroup(long accountId) {
+ SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+ sc.setParameters("accountId", accountId);
+ sc.setParameters("groupId", 1);
+ return findOneBy(sc);
+ }
+
+ @Override
+ public IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
+ SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+ sc.setParameters("accountId", acctId);
+ sc.setParameters("groupId", groupId);
+ return findOneBy(sc);
+ }
+
+ @Override
+ public void removeAccountFromGroups(long accountId) {
+ SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
+ sc.setParameters("accountId", accountId);
+
+ int rowsRemoved = remove(sc);
+ if (rowsRemoved > 0) {
+ s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
+ }
+ }
+}
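Review bot: The built-in group ids are hard-coded as bare literals `2`, `3` and `1` in findAccountInAdminGroup, findAccountInDomainAdminGroup and findAccountInUserGroup (lines 2186, 2194, 2202); these values decide which privilege tier an account is treated as belonging to, so a change in seeding order or a re-created group would silently misclassify accounts with no compiler or reviewer visibility. Declare them once with names that make the mapping auditable, `private static final long USER_GROUP_ID = 1;`, `private static final long ADMIN_GROUP_ID = 2;`, `private static final long DOMAIN_ADMIN_GROUP_ID = 3;`, and pass those in the three setParameters calls (or better, look the ids up by group name via IAMGroupDao so the DAO is not coupled to seed data). `s_logger` is `public static final` but only used inside the class; make it `private`. The `ListByGroupId`/`ListByAccountId` fields are capitalized like types while `_findByAccountAndGroupId` follows the underscore convention; pick one.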
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
new file mode 100644
index 0000000..54408a6
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
@@ -0,0 +1,28 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server.dao;
+
+import org.apache.cloudstack.iam.api.IAMGroup;
+import org.apache.cloudstack.iam.server.IAMGroupVO;
+
+import com.cloud.utils.db.GenericDao;
+
+public interface IAMGroupDao extends GenericDao<IAMGroupVO, Long> {
+
+ IAMGroup findByName(String path, String groupName);
+
+}
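Review bot: The parameter is named `groupName` here but `name` in IAMGroupDaoImpl.findByName; align the two so the interface reads the same as its implementation. The contract around `path` is also undocumented: the implementation skips the path parameter when it is null, which changes what the lookup means, and `findOneBy` suggests a null result on a miss. Suggested Javadoc: `/** Finds the group with the given name under the given path; a null path is not constrained by the implementation. Returns null if no group matches. */`.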
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
new file mode 100644
index 0000000..45be0b3
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
@@ -0,0 +1,59 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.iam.api.IAMGroup;
+import org.apache.cloudstack.iam.server.IAMGroupVO;
+import org.springframework.stereotype.Component;
+
+
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+@Component
+public class IAMGroupDaoImpl extends GenericDaoBase<IAMGroupVO, Long> implements IAMGroupDao {
+ private SearchBuilder<IAMGroupVO> nameSearch;
+
+ @Override
+ public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+ super.configure(name, params);
+
+ nameSearch = createSearchBuilder();
+ nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
+ nameSearch.and("path", nameSearch.entity().getPath(), SearchCriteria.Op.EQ);
+ nameSearch.done();
+
+
+ return true;
+ }
+
+ @Override
+ public IAMGroup findByName(String path, String name) {
+ SearchCriteria<IAMGroupVO> sc = nameSearch.create();
+ sc.setParameters("name", name);
+ if (path != null) {
+ sc.setParameters("path", path);
+ }
+ return findOneBy(sc);
+ }
+
+}
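Review bot: In findByName, when `path` is null the `path` condition on the search criteria is left without a parameter (lines 2321–2323); if SearchCriteria drops conditions with no parameter set, as this DAO framework appears to, the query degrades to a name-only lookup across all domain paths and findOneBy returns an arbitrary match, so a group of the same name created under a different domain path could be resolved in place of the intended one. Either reject the ambiguous call, `Objects.requireNonNull(path, "path");` at the top of the method, or give the name-only lookup its own search builder and document that it is intentionally path-agnostic. The double blank line at 2312–2313 and the `name` vs `groupName` parameter mismatch with IAMGroupDao are style nits.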