Posted to commits@cloudstack.apache.org by pr...@apache.org on 2013/10/10 09:49:38 UTC
[3/6] git commit: updated refs/heads/rbac to 5c7db71
RoleBasedEntityAccessChecker logic now performs checkAccess for VM entity
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7d1ba650
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7d1ba650
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7d1ba650
Branch: refs/heads/rbac
Commit: 7d1ba6505d83a61f30e86b5037a3a5645cc35c6b
Parents: 0b1aaf5
Author: Prachi Damle <pr...@cloud.com>
Authored: Wed Oct 9 15:21:27 2013 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu Oct 10 00:43:59 2013 -0700
----------------------------------------------------------------------
.../entity/RoleBasedEntityAccessChecker.java | 96 +++++++++-----------
1 file changed, 45 insertions(+), 51 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7d1ba650/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index 5be8836..6031d92 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -16,6 +16,7 @@
// under the License.
package org.apache.cloudstack.acl.entity;
+import java.util.HashMap;
import java.util.List;
import javax.inject.Inject;
@@ -39,6 +40,7 @@ import org.apache.log4j.Logger;
import com.cloud.acl.DomainChecker;
import com.cloud.api.ApiDispatcher;
import com.cloud.exception.PermissionDeniedException;
+import com.cloud.template.VirtualMachineTemplate;
import com.cloud.user.Account;
import com.cloud.user.AccountService;
import com.cloud.vm.VirtualMachine;
@@ -64,75 +66,67 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
throws PermissionDeniedException {
+ if (entity instanceof VirtualMachine) {
- String entityType = AclEntityType.VM.toString();
+ String entityType = AclEntityType.VM.toString();
- // check if explicit allow/deny is present for this entity in
- // acl_entity_permission
+ // check if explicit allow/deny is present for this entity in
+ // acl_entity_permission
- if (entity instanceof InternalIdentity) {
- InternalIdentity entityWithId = (InternalIdentity) entity;
+ if (entity instanceof InternalIdentity) {
+ InternalIdentity entityWithId = (InternalIdentity) entity;
- List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());
+ List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());
- for (AclGroupAccountMapVO groupMapping : acctGroups) {
- AclEntityPermissionVO entityPermission = _entityPermissionDao.findByGroupAndEntity(
- groupMapping.getAclGroupId(), entityType, entityWithId.getId(), accessType);
+ for (AclGroupAccountMapVO groupMapping : acctGroups) {
+ AclEntityPermissionVO entityPermission = _entityPermissionDao.findByGroupAndEntity(
+ groupMapping.getAclGroupId(), entityType, entityWithId.getId(), accessType);
- if (entityPermission != null) {
- if (entityPermission.isAllowed()) {
- return true;
- } else {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Account " + caller + " does not have permission to access resource "
- + entity + " for access type: " + accessType);
+ if (entityPermission != null) {
+ if (entityPermission.isAllowed()) {
+ return true;
+ } else {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Account " + caller + " does not have permission to access resource "
+ + entity + " for access type: " + accessType);
+ }
+ throw new PermissionDeniedException(caller
+ + " does not have permission to access resource " + entity);
}
- throw new PermissionDeniedException(caller + " does not have permission to access resource "
- + entity);
}
}
}
- }
-
- // Is Caller RootAdmin? Yes, granted true
- if (_accountService.isRootAdmin(caller.getId())) {
- return true;
- }
- // Is Caller Owner of the entity? Yes, granted true
- if (caller.getId() == entity.getAccountId()) {
- return true;
- }
-
- // get all Roles of this caller w.r.t the entity
- List<AclRole> roles = _aclService.getEffectiveRoles(caller, entity);
-
- for (AclRole role : roles) {
- AclRolePermissionVO permission = _rolePermissionDao.findByRoleAndEntity(role.getId(), entityType,
- accessType);
- boolean operationAllowedForAll = true;
- if (permission.getEntityType().equals(entityType)) {
- if (permission.isAllowed()) {
- return true;
- } else {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Account " + caller + " does not have permission to access resource " + entity
- + " for access type: " + accessType);
+ // get all Roles of this caller w.r.t the entity
+ List<AclRole> roles = _aclService.getEffectiveRoles(caller, entity);
+ HashMap<AclRole, Boolean> rolePermissionMap = new HashMap<AclRole, Boolean>();
+
+ for (AclRole role : roles) {
+ List<AclRolePermissionVO> permissions = _rolePermissionDao.listByRoleAndEntity(role.getId(),
+ entityType, accessType);
+ for (AclRolePermissionVO permission : permissions) {
+ if (permission.getEntityType().equals(entityType)) {
+ rolePermissionMap.put(role, permission.isAllowed());
+ break;
+ } else if (permission.getEntityType().equals("*")) {
+ rolePermissionMap.put(role, permission.isAllowed());
}
- throw new PermissionDeniedException(caller + " does not have permission to access resource "
- + entity);
}
- } else if (permission.getEntityType().equals("*")) {
- if (permission.isAllowed()) {
- operationAllowedForAll = true;
- } else {
- operationAllowedForAll = false;
+ if (rolePermissionMap.containsKey(role) && rolePermissionMap.get(role)) {
+ return true;
}
}
+ if (!roles.isEmpty()) { // Since we reach this point, none of the
+ // roles granted access
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Account " + caller + " does not have permission to access resource " + entity
+ + " for access type: " + accessType);
+ }
+ throw new PermissionDeniedException(caller + " does not have permission to access resource " + entity);
+ }
}
-
return false;
}
}
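Review bot: The group loop over `acctGroups` still decides on the first group that has an `AclEntityPermissionVO` row, so for a caller whose groups carry conflicting allow and deny rows on the same VM the outcome depends on the order `listByAccountId` returns them (unless that order is guaranteed somewhere not visible here). The new role loop follows a different rule again: any role that allows returns `true`, even when another role holds an explicit deny. An access check should have one stated precedence; if an explicit deny is meant to win, examine every group before returning, as sketched below, and state the rule chosen for the role loop in a comment such as `// allow in any role overrides a deny in another role`.

```java
boolean entityAllowed = false;
for (AclGroupAccountMapVO groupMapping : acctGroups) {
    // … unchanged: findByGroupAndEntity lookup into entityPermission …
    if (entityPermission == null) {
        continue;
    }
    if (!entityPermission.isAllowed()) {
        // … unchanged: debug log and throw PermissionDeniedException …
    }
    // remember the allow, but keep scanning so a deny in a later group still wins
    entityAllowed = true;
}
if (entityAllowed) {
    return true;
}
```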