You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by pr...@apache.org on 2013/11/26 02:03:05 UTC
[2/2] git commit: updated refs/heads/rbac to cf69731
Suring startup load the API permissions from commands.properties and @APICommand annotations
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/cf69731a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/cf69731a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/cf69731a
Branch: refs/heads/rbac
Commit: cf69731a5229e0037ef69b59368c2db6417c9896
Parents: f231cec
Author: Prachi Damle <pr...@cloud.com>
Authored: Mon Nov 25 17:01:56 2013 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Mon Nov 25 17:01:56 2013 -0800
----------------------------------------------------------------------
.../apache/cloudstack/acl/AclPermission.java | 41 -----
.../cloudstack/acl/AclPolicyPermission.java | 43 +++++
.../api/response/AclPermissionResponse.java | 8 +-
.../spring-engine-schema-core-daos-context.xml | 3 +-
.../apache/cloudstack/acl/AclPermissionVO.java | 153 ----------------
.../cloudstack/acl/AclPolicyPermissionVO.java | 163 +++++++++++++++++
.../cloudstack/acl/dao/AclPermissionDao.java | 24 ---
.../acl/dao/AclPermissionDaoImpl.java | 41 -----
.../acl/dao/AclPolicyPermissionDao.java | 26 +++
.../acl/dao/AclPolicyPermissionDaoImpl.java | 43 +++++
server/src/com/cloud/api/ApiServer.java | 176 ++++++++++++++-----
.../com/cloud/api/query/vo/AclPolicyJoinVO.java | 6 +-
setup/db/db/schema-421to430.sql | 43 ++---
13 files changed, 428 insertions(+), 342 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/api/src/org/apache/cloudstack/acl/AclPermission.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/AclPermission.java b/api/src/org/apache/cloudstack/acl/AclPermission.java
deleted file mode 100644
index aff1503..0000000
--- a/api/src/org/apache/cloudstack/acl/AclPermission.java
+++ /dev/null
@@ -1,41 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl;
-
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.InternalIdentity;
-
-public interface AclPermission extends InternalIdentity {
-
- String getAction();
-
- String getEntityType();
-
- AccessType getAccessType();
-
- PermissionScope getScope();
-
- Long getScopeId();
-
- Permission getPermission();
-
- public enum Permission {
- Allow,
- Deny
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/api/src/org/apache/cloudstack/acl/AclPolicyPermission.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/AclPolicyPermission.java b/api/src/org/apache/cloudstack/acl/AclPolicyPermission.java
new file mode 100644
index 0000000..02d557e
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/AclPolicyPermission.java
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface AclPolicyPermission extends InternalIdentity {
+
+ String getAction();
+
+ long getAclPolicyId();
+
+ String getEntityType();
+
+ AccessType getAccessType();
+
+ PermissionScope getScope();
+
+ Long getScopeId();
+
+ Permission getPermission();
+
+ public enum Permission {
+ Allow,
+ Deny
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/api/src/org/apache/cloudstack/api/response/AclPermissionResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/AclPermissionResponse.java b/api/src/org/apache/cloudstack/api/response/AclPermissionResponse.java
index 9329b24..ad928dc 100644
--- a/api/src/org/apache/cloudstack/api/response/AclPermissionResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/AclPermissionResponse.java
@@ -19,7 +19,7 @@ package org.apache.cloudstack.api.response;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.acl.AclEntityType;
-import org.apache.cloudstack.acl.AclPermission;
+import org.apache.cloudstack.acl.AclPolicyPermission;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
@@ -46,7 +46,7 @@ public class AclPermissionResponse extends BaseResponse {
@SerializedName(ApiConstants.ACL_ALLOW_DENY)
@Param(description = "allow or deny of this permission")
- private AclPermission.Permission permission;
+ private AclPolicyPermission.Permission permission;
public AclEntityType getEntityType() {
return entityType;
@@ -80,11 +80,11 @@ public class AclPermissionResponse extends BaseResponse {
this.scopeId = scopeId;
}
- public AclPermission.Permission getPermission() {
+ public AclPolicyPermission.Permission getPermission() {
return permission;
}
- public void setPermission(AclPermission.Permission permission) {
+ public void setPermission(AclPolicyPermission.Permission permission) {
this.permission = permission;
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
----------------------------------------------------------------------
diff --git a/engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml b/engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
index 24da230..0d2dedb 100644
--- a/engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
+++ b/engine/schema/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
@@ -325,7 +325,8 @@
<bean id="AclGroupRoleMapDaoImpl" class="org.apache.cloudstack.acl.dao.AclGroupRoleMapDaoImpl"/>
<bean id="AclApiPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclApiPermissionDaoImpl"/>
<bean id="AclEntityPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclEntityPermissionDaoImpl"/>
- <bean id="AclRolePermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclRolePermissionDaoImpl"/>
+ <bean id="AclRolePermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclRolePermissionDaoImpl"/>
+ <bean id="AclPolicyPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclPolicyPermissionDaoImpl"/>
<bean id="databaseIntegrityChecker" class="com.cloud.upgrade.DatabaseIntegrityChecker" />
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
deleted file mode 100644
index ef8cfc4..0000000
--- a/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
+++ /dev/null
@@ -1,153 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl;
-
-import java.util.Date;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.EnumType;
-import javax.persistence.Enumerated;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-
-import com.cloud.utils.db.GenericDao;
-
-@Entity
-@Table(name = ("acl_permission"))
-public class AclPermissionVO implements AclPermission {
-
- @Id
- @GeneratedValue(strategy = GenerationType.IDENTITY)
- @Column(name = "id")
- private long id;
-
- @Column(name = "action")
- private String action;
-
- @Column(name = "resource_type")
- private String entityType;
-
- @Column(name = "access_type")
- @Enumerated(value = EnumType.STRING)
- private AccessType accessType;
-
- @Column(name = "scope")
- @Enumerated(value = EnumType.STRING)
- private PermissionScope scope;
-
- @Column(name = "scope_id")
- private Long scopeId;
-
- @Column(name = "permission")
- @Enumerated(value = EnumType.STRING)
- private Permission permission;
-
- @Column(name = GenericDao.REMOVED_COLUMN)
- private Date removed;
-
- @Column(name = GenericDao.CREATED_COLUMN)
- private Date created;
-
- public AclPermissionVO() {
-
- }
-
- public AclPermissionVO(String action, String entityType, AccessType accessType, PermissionScope scope,
- Long scopeId, Permission permission) {
- this.action = action;
- this.entityType = entityType;
- this.accessType = accessType;
- this.scope = scope;
- this.scopeId = scopeId;
- this.permission = permission;
- }
-
- @Override
- public long getId() {
- return id;
- }
-
-
- @Override
- public String getEntityType() {
- return entityType;
- }
-
- @Override
- public AccessType getAccessType() {
- return accessType;
- }
-
-
- public void setEntityType(String entityType) {
- this.entityType = entityType;
- }
-
- public void setAccessType(AccessType accessType) {
- this.accessType = accessType;
- }
-
- @Override
- public PermissionScope getScope() {
- return scope;
- }
-
- public void setScope(PermissionScope scope) {
- this.scope = scope;
- }
-
-
- @Override
- public String getAction() {
- return action;
- }
-
- @Override
- public Long getScopeId() {
- return scopeId;
- }
-
- @Override
- public Permission getPermission() {
- return permission;
- }
-
- public void setAction(String action) {
- this.action = action;
- }
-
- public void setScopeId(Long scopeId) {
- this.scopeId = scopeId;
- }
-
- public void setPermission(Permission permission) {
- this.permission = permission;
- }
-
- public Date getRemoved() {
- return removed;
- }
-
- public Date getCreated() {
- return created;
- }
-}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java
new file mode 100644
index 0000000..0b23b0b
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java
@@ -0,0 +1,163 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("acl_policy_permission"))
+public class AclPolicyPermissionVO implements AclPolicyPermission {
+
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private long id;
+
+ @Column(name = "policy_id")
+ private long aclPolicyId;
+
+ @Column(name = "action")
+ private String action;
+
+ @Column(name = "resource_type")
+ private String entityType;
+
+ @Column(name = "access_type")
+ @Enumerated(value = EnumType.STRING)
+ private AccessType accessType;
+
+ @Column(name = "scope")
+ @Enumerated(value = EnumType.STRING)
+ private PermissionScope scope;
+
+ @Column(name = "scope_id")
+ private Long scopeId;
+
+ @Column(name = "permission")
+ @Enumerated(value = EnumType.STRING)
+ private Permission permission;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public AclPolicyPermissionVO() {
+
+ }
+
+ public AclPolicyPermissionVO(long aclPolicyId, String action, String entityType, AccessType accessType,
+ PermissionScope scope,
+ Long scopeId, Permission permission) {
+ this.aclPolicyId = aclPolicyId;
+ this.action = action;
+ this.entityType = entityType;
+ this.accessType = accessType;
+ this.scope = scope;
+ this.scopeId = scopeId;
+ this.permission = permission;
+ }
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+ @Override
+ public long getAclPolicyId() {
+ return aclPolicyId;
+ }
+
+
+ @Override
+ public String getEntityType() {
+ return entityType;
+ }
+
+ @Override
+ public AccessType getAccessType() {
+ return accessType;
+ }
+
+
+ public void setEntityType(String entityType) {
+ this.entityType = entityType;
+ }
+
+ public void setAccessType(AccessType accessType) {
+ this.accessType = accessType;
+ }
+
+ @Override
+ public PermissionScope getScope() {
+ return scope;
+ }
+
+ public void setScope(PermissionScope scope) {
+ this.scope = scope;
+ }
+
+
+ @Override
+ public String getAction() {
+ return action;
+ }
+
+ @Override
+ public Long getScopeId() {
+ return scopeId;
+ }
+
+ @Override
+ public Permission getPermission() {
+ return permission;
+ }
+
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public void setScopeId(Long scopeId) {
+ this.scopeId = scopeId;
+ }
+
+ public void setPermission(Permission permission) {
+ this.permission = permission;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java
deleted file mode 100644
index d24b044..0000000
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java
+++ /dev/null
@@ -1,24 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.dao;
-
-import org.apache.cloudstack.acl.AclPermissionVO;
-import com.cloud.utils.db.GenericDao;
-
-public interface AclPermissionDao extends GenericDao<AclPermissionVO, Long> {
-
-}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java
deleted file mode 100644
index 1b5f63e..0000000
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java
+++ /dev/null
@@ -1,41 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.dao;
-
-import java.util.Map;
-
-import javax.naming.ConfigurationException;
-
-import org.apache.cloudstack.acl.AclPermissionVO;
-import com.cloud.utils.db.GenericDaoBase;
-
-public class AclPermissionDaoImpl extends GenericDaoBase<AclPermissionVO, Long> implements AclPermissionDao {
-
- public AclPermissionDaoImpl()
- {
-
- }
-
- @Override
- public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
- super.configure(name, params);
-
- return true;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
new file mode 100644
index 0000000..f8d3cb5
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
@@ -0,0 +1,26 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+
+import org.apache.cloudstack.acl.AclPolicyPermissionVO;
+
+import com.cloud.utils.db.GenericDao;
+
+public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO, Long> {
+
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
new file mode 100644
index 0000000..1160d30
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.acl.AclPolicyPermissionVO;
+
+import com.cloud.utils.db.GenericDaoBase;
+
+public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissionVO, Long> implements
+ AclPolicyPermissionDao {
+
+ public AclPolicyPermissionDaoImpl()
+ {
+
+ }
+
+ @Override
+ public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+ super.configure(name, params);
+
+ return true;
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 1dfbd45..5b0d7cc 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -52,14 +52,13 @@ import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.cloudstack.acl.APIChecker;
-import org.apache.cloudstack.acl.AclPermissionVO;
-import org.apache.cloudstack.acl.AclPolicyPermissionMapVO;
+import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.AclPermission.Permission;
+import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.acl.dao.AclPermissionDao;
-import org.apache.cloudstack.acl.dao.AclPolicyPermissionMapDao;
+import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
+import org.apache.cloudstack.affinity.AffinityGroupVMMapVO;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
@@ -149,12 +148,14 @@ import com.cloud.user.UserAccount;
import com.cloud.user.UserVO;
import com.cloud.utils.NumbersUtil;
import com.cloud.utils.Pair;
+import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.StringUtils;
import com.cloud.utils.component.ComponentContext;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.component.PluggableService;
import com.cloud.utils.concurrency.NamedThreadFactory;
import com.cloud.utils.db.EntityManager;
+import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.TransactionLegacy;
import com.cloud.utils.exception.CloudRuntimeException;
@@ -180,9 +181,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
List<PluggableService> _pluggableServices;
List<APIChecker> _apiAccessCheckers;
@Inject
- private AclPermissionDao _aclPermissionDao;
- @Inject
- private AclPolicyPermissionMapDao _aclPolicyPermissionMapDao;
+ private AclPolicyPermissionDao _aclPermissionDao;
@Inject
protected ApiAsyncJobDispatcher _asyncDispatcher;
@@ -190,6 +189,10 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
private static final DateFormat _dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ");
private static Map<String, List<Class<?>>> _apiNameCmdClassMap = new HashMap<String, List<Class<?>>>();
+ private static Set<String> commandsPropertiesOverrides = new HashSet<String>();
+ private static Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
+
+
private static ExecutorService _executor = new ThreadPoolExecutor(10, 150, 60, TimeUnit.SECONDS, new LinkedBlockingQueue<Runnable>(), new NamedThreadFactory("ApiServer"));
public ApiServer() {
@@ -197,6 +200,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+ processMapping(PropertiesUtil.processConfigFile(new String[] { "commands.properties" }));
return true;
}
@@ -233,6 +237,40 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
}
}
+ // drop all default policy api permissions - we reload them every time
+ // to include any chanegs done to the @APICommand or
+ // commands.properties.
+ SearchBuilder<AclPolicyPermissionVO> sb = _aclPermissionDao.createSearchBuilder();
+ sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
+ sb.and("resourceType", sb.entity().getEntityType(), SearchCriteria.Op.NULL);
+ sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
+ sb.done();
+
+ SearchCriteria<AclPolicyPermissionVO> permissionSC = sb.create();
+
+ for (RoleType role : RoleType.values()) {
+ permissionSC.setParameters("policyId", role.ordinal() + 1);
+ switch (role) {
+ case User:
+ permissionSC.setParameters("scope", PermissionScope.ACCOUNT.toString());
+ break;
+
+ case Admin:
+ permissionSC.setParameters("scope", PermissionScope.ALL.toString());
+ break;
+
+ case DomainAdmin:
+ permissionSC.setParameters("scope", PermissionScope.DOMAIN.toString());
+ break;
+
+ case ResourceAdmin:
+ permissionSC.setParameters("scope", PermissionScope.DOMAIN.toString());
+ break;
+ }
+ _aclPermissionDao.expunge(permissionSC);
+
+ }
+
for(Class<?> cmdClass: cmdClasses) {
APICommand at = cmdClass.getAnnotation(APICommand.class);
if (at == null) {
@@ -246,52 +284,27 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
}
apiCmdList.add(cmdClass);
- boolean isReadCommand = false;
- BaseCmd cmdObj;
- try {
- cmdObj = (BaseCmd) cmdClass.newInstance();
- if (cmdObj instanceof BaseListCmd) {
- isReadCommand = true;
+ if (!commandsPropertiesOverrides.contains(apiName)) {
+ for (RoleType role : at.authorized()) {
+ addDefaultAclPolicyPermission(apiName, cmdClass, role);
}
- } catch (Exception e) {
}
+ }
- for (RoleType role : at.authorized()) {
- AclPermissionVO apiPermission = null;
- switch (role) {
- case User:
- apiPermission = new AclPermissionVO(apiName, null, null, PermissionScope.ACCOUNT, null,
- Permission.Allow);
- break;
-
- case Admin:
- apiPermission = new AclPermissionVO(apiName, null, null, PermissionScope.ALL, null,
- Permission.Allow);
- break;
-
- case DomainAdmin:
- apiPermission = new AclPermissionVO(apiName, null, null, PermissionScope.DOMAIN, null,
- Permission.Allow);
- break;
-
- case ResourceAdmin:
- apiPermission = new AclPermissionVO(apiName, null, null, PermissionScope.DOMAIN, null,
- Permission.Allow);
- break;
- }
+ // read commands.properties and load api acl permissions -
+ // commands.properties overrides any @APICommand authorization
- if (apiPermission != null) {
- if (isReadCommand) {
- apiPermission.setAccessType(AccessType.ListEntry);
- }
- _aclPermissionDao.persist(apiPermission);
- AclPolicyPermissionMapVO policyPermMapEntry = new AclPolicyPermissionMapVO(role.ordinal() + 1,
- apiPermission.getId());
- _aclPolicyPermissionMapDao.persist(policyPermMapEntry);
+ for (String apiName : commandsPropertiesOverrides) {
+ Class<?> cmdClass = getCmdClass(apiName);
+ for (RoleType role : RoleType.values()) {
+ if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) {
+ // insert permission for this role for this api
+ addDefaultAclPolicyPermission(apiName, cmdClass, role);
}
}
}
+
encodeApiResponse = Boolean.valueOf(_configDao.getValue(Config.EncodeApiResponse.key()));
String jsonType = _configDao.getValue(Config.JavaScriptDefaultContentType.key());
if (jsonType != null) {
@@ -306,6 +319,74 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
return true;
}
+ private void processMapping(Map<String, String> configMap) {
+ for (RoleType roleType : RoleType.values()) {
+ commandsPropertiesRoleBasedApisMap.put(roleType, new HashSet<String>());
+ }
+
+ for (Map.Entry<String, String> entry : configMap.entrySet()) {
+ String apiName = entry.getKey();
+ String roleMask = entry.getValue();
+ commandsPropertiesOverrides.add(apiName);
+ try {
+ short cmdPermissions = Short.parseShort(roleMask);
+ for (RoleType roleType : RoleType.values()) {
+ if ((cmdPermissions & roleType.getValue()) != 0)
+ commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName);
+ }
+ } catch (NumberFormatException nfe) {
+ s_logger.info("Malformed key=value pair for entry: " + entry.toString());
+ }
+ }
+ }
+
+ private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType role) {
+
+ boolean isReadCommand = false;
+ if (cmdClass != null) {
+ BaseCmd cmdObj;
+ try {
+ cmdObj = (BaseCmd) cmdClass.newInstance();
+ if (cmdObj instanceof BaseListCmd) {
+ isReadCommand = true;
+ }
+ } catch (Exception e) {
+ throw new CloudRuntimeException(String.format(
+ "%s is claimed as an API command, but it cannot be instantiated", cmdClass.getName()));
+ }
+ }
+
+ AclPolicyPermissionVO apiPermission = null;
+ switch (role) {
+ case User:
+ apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, null, null, PermissionScope.ACCOUNT,
+ null, Permission.Allow);
+ break;
+
+ case Admin:
+ apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, null, null, PermissionScope.ALL,
+ null, Permission.Allow);
+ break;
+
+ case DomainAdmin:
+ apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, null, null, PermissionScope.DOMAIN,
+ null, Permission.Allow);
+ break;
+
+ case ResourceAdmin:
+ apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, null, null, PermissionScope.DOMAIN,
+ null, Permission.Allow);
+ break;
+ }
+
+ if (apiPermission != null) {
+ if (isReadCommand) {
+ apiPermission.setAccessType(AccessType.ListEntry);
+ }
+ _aclPermissionDao.persist(apiPermission);
+ }
+ }
+
// NOTE: handle() only handles over the wire (OTW) requests from integration.api.port 8096
// If integration api port is not configured, actual OTW requests will be received by ApiServlet
@SuppressWarnings({ "unchecked", "rawtypes" })
@@ -945,7 +1026,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
else {
// determine the cmd class based on calling context
ResponseView view = ResponseView.Restricted;
- if (_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
+ if (CallContext.current() != null
+ && _accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
view = ResponseView.Full;
}
for (Class<?> cmdClass : cmdList) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/server/src/com/cloud/api/query/vo/AclPolicyJoinVO.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/vo/AclPolicyJoinVO.java b/server/src/com/cloud/api/query/vo/AclPolicyJoinVO.java
index a94ef01..3f6eff0 100644
--- a/server/src/com/cloud/api/query/vo/AclPolicyJoinVO.java
+++ b/server/src/com/cloud/api/query/vo/AclPolicyJoinVO.java
@@ -28,7 +28,7 @@ import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.acl.AclEntityType;
-import org.apache.cloudstack.acl.AclPermission;
+import org.apache.cloudstack.acl.AclPolicyPermission;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@@ -95,7 +95,7 @@ public class AclPolicyJoinVO extends BaseViewVO implements ControlledViewEntity
@Column(name = "permission_allow_deny")
@Enumerated(value = EnumType.STRING)
- private AclPermission.Permission permissionAllowDeny;
+ private AclPolicyPermission.Permission permissionAllowDeny;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@@ -206,7 +206,7 @@ public class AclPolicyJoinVO extends BaseViewVO implements ControlledViewEntity
return permissionAccessType;
}
- public AclPermission.Permission getPermissionAllowDeny() {
+ public AclPolicyPermission.Permission getPermissionAllowDeny() {
return permissionAllowDeny;
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/cf69731a/setup/db/db/schema-421to430.sql
----------------------------------------------------------------------
diff --git a/setup/db/db/schema-421to430.sql b/setup/db/db/schema-421to430.sql
index 7d78c9e..01c2daf 100644
--- a/setup/db/db/schema-421to430.sql
+++ b/setup/db/db/schema-421to430.sql
@@ -355,32 +355,23 @@ CREATE TABLE `acl_group_policy_map` (
CONSTRAINT `fk_acl_group_policy_map__policy_id` FOREIGN KEY (`policy_id`) REFERENCES `acl_policy` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-CREATE TABLE `acl_permission` (
+CREATE TABLE `acl_policy_permission` (
`id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
+ `policy_id` bigint(20) unsigned NOT NULL,
`action` varchar(100) NOT NULL,
- `resource_type` varchar(100) NOT NULL,
- `scope_id` bigint(20) unsigned NOT NULL,
+ `resource_type` varchar(100) DEFAULT NULL,
+ `scope_id` bigint(20) unsigned,
`scope` varchar(40) DEFAULT NULL,
- `access_type` varchar(40) NOT NULL,
+ `access_type` varchar(40) DEFAULT NULL,
`permission` varchar(40) NOT NULL COMMENT 'Allow or Deny',
`removed` datetime DEFAULT NULL COMMENT 'date the permission was revoked',
`created` datetime DEFAULT NULL COMMENT 'date the permission was granted',
PRIMARY KEY (`id`),
- UNIQUE KEY `id` (`id`)
+ UNIQUE KEY `id` (`id`),
+ KEY `fk_acl_policy_permission__policy_id` (`policy_id`),
+ CONSTRAINT `fk_acl_policy_permission__policy_id` FOREIGN KEY (`policy_id`) REFERENCES `acl_policy` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
-CREATE TABLE `acl_policy_permission_map` (
- `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
- `policy_id` bigint(20) unsigned NOT NULL,
- `permission_id` bigint(20) unsigned NOT NULL,
- `removed` datetime DEFAULT NULL COMMENT 'date the permission was removed from the policy',
- `created` datetime DEFAULT NULL COMMENT 'date the permission was added to the policy',
- PRIMARY KEY (`id`),
- KEY `fk_acl_policy_permission_map__policy_id` (`policy_id`),
- KEY `fk_acl_policy_permission_map__permission_id` (`permission_id`),
- CONSTRAINT `fk_acl_policy_permission_map__policy_id` FOREIGN KEY (`policy_id`) REFERENCES `acl_policy` (`id`) ON DELETE CASCADE,
- CONSTRAINT `fk_acl_policy_permission_map__permission_id` FOREIGN KEY (`permission_id`) REFERENCES `acl_permission` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8;
INSERT IGNORE INTO `cloud`.`acl_policy` (id, name, description, uuid, domain_id, account_id, created, policy_type) VALUES (1, 'NORMAL', 'Domain user role', UUID(), 1, 1, Now(), 'Static');
INSERT IGNORE INTO `cloud`.`acl_policy` (id, name, description, uuid, domain_id, account_id, created, policy_type) VALUES (2, 'ADMIN', 'Root admin role', UUID(), 1, 1, Now(), 'Static');
@@ -412,12 +403,12 @@ CREATE OR REPLACE VIEW `cloud`.`acl_policy_view` AS
account.uuid account_uuid,
account.account_name account_name,
account.type account_type,
- acl_permission.action permission_action,
- acl_permission.resource_type permission_entity_type,
- acl_permission.scope permission_scope,
- acl_permission.scope_id permission_scope_id,
- acl_permission.access_type permission_access_type,
- acl_permission.permission permission_allow_deny
+ acl_policy_permission.action permission_action,
+ acl_policy_permission.resource_type permission_entity_type,
+ acl_policy_permission.scope permission_scope,
+ acl_policy_permission.scope_id permission_scope_id,
+ acl_policy_permission.access_type permission_access_type,
+ acl_policy_permission.permission permission_allow_deny
from
`cloud`.`acl_policy`
inner join
@@ -425,9 +416,7 @@ CREATE OR REPLACE VIEW `cloud`.`acl_policy_view` AS
inner join
`cloud`.`account` ON acl_policy.account_id = account.id
left join
- `cloud`.`acl_policy_permission_map` ON acl_policy.id = acl_policy_permission_map.policy_id
- left join
- `cloud`.`acl_permission` ON acl_permission.id = acl_policy_permission_map.permission_id;
+ `cloud`.`acl_policy_permission` ON acl_policy.id = acl_policy_permission.policy_id;
CREATE OR REPLACE VIEW `cloud`.`acl_group_view` AS
@@ -463,8 +452,6 @@ CREATE OR REPLACE VIEW `cloud`.`acl_group_view` AS
left join
`cloud`.`acl_policy` ON acl_group_policy_map.policy_id = acl_policy.id
left join
- `cloud`.`acl_policy_permission_map` ON acl_group.id = acl_policy_permission_map.policy_id
- left join
`cloud`.`acl_group_account_map` ON acl_group.id = acl_group_account_map.group_id
left join
`cloud`.`account` member_account ON acl_group_account_map.account_id = member_account.id;