Posted to commits@cloudstack.apache.org by mc...@apache.org on 2013/12/09 23:09:11 UTC

git commit: updated refs/heads/rbac to 6730fa2

Updated Branches:
  refs/heads/rbac 288a81180 -> 6730fa2b4


Fill in implementation of AclService.getGrantedDomains,
getGrantedAccounts and getGrantedResources.

Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6730fa2b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6730fa2b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6730fa2b

Branch: refs/heads/rbac
Commit: 6730fa2b47d165dc121c5dc9fc3e1dd42c2745f7
Parents: 288a811
Author: Min Chen <mi...@citrix.com>
Authored: Mon Dec 9 14:08:54 2013 -0800
Committer: Min Chen <mi...@citrix.com>
Committed: Mon Dec 9 14:08:54 2013 -0800

----------------------------------------------------------------------
 .../org/apache/cloudstack/acl/AclService.java   |  6 +--
 .../acl/dao/AclPolicyPermissionDao.java         |  2 +
 .../acl/dao/AclPolicyPermissionDaoImpl.java     | 50 +++++++++++++++--
 .../src/com/cloud/user/AccountManagerImpl.java  |  6 +--
 .../apache/cloudstack/acl/AclServiceImpl.java   | 57 ++++++++++++++++----
 5 files changed, 102 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/api/src/org/apache/cloudstack/acl/AclService.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/AclService.java b/api/src/org/apache/cloudstack/acl/AclService.java
index 0c0ec69..c8d8b48 100644
--- a/api/src/org/apache/cloudstack/acl/AclService.java
+++ b/api/src/org/apache/cloudstack/acl/AclService.java
@@ -57,10 +57,10 @@ public interface AclService {
     List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
 
     /* Visibility related interfaces */
-    List<Long> getGrantedDomains(long accountId, AclEntityType entityType, String action);
+    List<Long> getGrantedDomains(long accountId, String action);
 
-    List<Long> getGrantedAccounts(long accountId, AclEntityType entityType, String action);
+    List<Long> getGrantedAccounts(long accountId, String action);
 
-    List<Long> getGrantedResources(long accountId, AclEntityType entityType, String action);
+    List<Long> getGrantedResources(long accountId, String action);
 
 }
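Review bot: The three visibility methods carry no Javadoc, and with `entityType` removed the signature no longer says which permission rows are considered. Judging from the AclServiceImpl hunk in this commit, each returns the scope ids of Allow entries for `action` across the account's policies, and an empty list rather than null when there are none. I would state that on the interface, e.g. `/** Returns ids of domains on which the account's policies hold an Allow entry for {@code action}, regardless of entity type; empty if none. */`, with matching comments on getGrantedAccounts and getGrantedResources.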

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
index f3c6446..2defc1c 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
@@ -31,5 +31,7 @@ public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO
 
     AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm);
 
+    List<AclPolicyPermissionVO> listGrantedByActionAndScope(long policyId, String action, PermissionScope scope);
+
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
index 11b009b..fefafde 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
@@ -26,28 +26,70 @@ import org.apache.cloudstack.acl.AclPolicyPermissionVO;
 import org.apache.cloudstack.acl.PermissionScope;
 
 import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
 
 public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissionVO, Long> implements
         AclPolicyPermissionDao {
 
+    private SearchBuilder<AclPolicyPermissionVO> policyIdSearch;
+    private SearchBuilder<AclPolicyPermissionVO> fullSearch;
+    private SearchBuilder<AclPolicyPermissionVO> actionScopeSearch;
 
     @Override
     public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
         super.configure(name, params);
 
+        policyIdSearch = createSearchBuilder();
+        policyIdSearch.and("policyId", policyIdSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
+        policyIdSearch.done();
+
+        fullSearch = createSearchBuilder();
+        fullSearch.and("policyId", fullSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
+        fullSearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ);
+        fullSearch.and("scope", fullSearch.entity().getScope(), SearchCriteria.Op.EQ);
+        fullSearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ);
+        fullSearch.and("action", fullSearch.entity().getAction(), SearchCriteria.Op.EQ);
+        fullSearch.and("permission", fullSearch.entity().getPermission(), SearchCriteria.Op.EQ);
+        fullSearch.done();
+
+        actionScopeSearch = createSearchBuilder();
+        actionScopeSearch.and("policyId", actionScopeSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
+        actionScopeSearch.and("scope", actionScopeSearch.entity().getScope(), SearchCriteria.Op.EQ);
+        actionScopeSearch.and("action", actionScopeSearch.entity().getAction(), SearchCriteria.Op.EQ);
+        actionScopeSearch.and("permission", actionScopeSearch.entity().getPermission(), SearchCriteria.Op.EQ);
+        actionScopeSearch.done();
+
         return true;
     }
 
     @Override
     public List<AclPolicyPermissionVO> listByPolicy(long policyId) {
-        // TODO Auto-generated method stub
-        return null;
+        SearchCriteria<AclPolicyPermissionVO> sc = policyIdSearch.create();
+        sc.setParameters("policyId", policyId);
+        return listBy(sc);
     }
 
     @Override
     public AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) {
-        // TODO Auto-generated method stub
-        return null;
+        SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
+        sc.setParameters("policyId", policyId);
+        sc.setParameters("entityType", entityType);
+        sc.setParameters("scope", scope);
+        sc.setParameters("scopeId", scopeId);
+        sc.setParameters("action", action);
+        sc.setParameters("permission", perm);
+        return findOneBy(sc);
+    }
+
+    @Override
+    public List<AclPolicyPermissionVO> listGrantedByActionAndScope(long policyId, String action, PermissionScope scope) {
+        SearchCriteria<AclPolicyPermissionVO> sc = actionScopeSearch.create();
+        sc.setParameters("policyId", policyId);
+        sc.setParameters("action", action);
+        sc.setParameters("scope", scope);
+        sc.setParameters("permission", Permission.Allow);
+        return listBy(sc);
     }
 
 }
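Review bot: `actionScopeSearch` filters on policyId, scope, action and permission but not on entityType, so `listGrantedByActionAndScope` returns Allow rows for every entity type that shares the action string. That is harmless only if action names are unique per entity type, which nothing in this hunk establishes. If it is intended, say so above the builder: `// entityType deliberately omitted: action names are assumed unique across entity types`. The method also hard-codes `Permission.Allow`, so a Deny row for the same action and scope in another policy does not subtract from the result. If Deny is meant to override Allow, that has to be handled by the caller and is worth a line in the method's Javadoc.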

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 0ddc37a..3decaf0 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2610,9 +2610,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             // search for policy permissions associated with caller to get all his authorized domains, accounts, and resources
             // Assumption: if a domain is in grantedDomains, then all the accounts under this domain will not be returned in "grantedAccounts". Similarly, if an account
             // is in grantedAccounts, then all the resources owned by this account will not be returned in "grantedResources".
-            List<Long> grantedDomains = _aclService.getGrantedDomains(caller.getId(), AclEntityType.VM, action);
-            List<Long> grantedAccounts = _aclService.getGrantedAccounts(caller.getId(), AclEntityType.VM, action);
-            List<Long> grantedResources = _aclService.getGrantedResources(caller.getId(), AclEntityType.VM, action);
+            List<Long> grantedDomains = _aclService.getGrantedDomains(caller.getId(), action);
+            List<Long> grantedAccounts = _aclService.getGrantedAccounts(caller.getId(), action);
+            List<Long> grantedResources = _aclService.getGrantedResources(caller.getId(), action);
 
             if (domainId != null) {
                 // specific domain is specified
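Review bot: The assumption in the comment above these calls is not enforced by the implementations added in AclServiceImpl in this commit. It says accounts under a granted domain are absent from grantedAccounts, and likewise resources under a granted account. The new methods return every scope id found on Allow rows as stored, so overlapping grants can appear in more than one list. Either the comment should be reworded, e.g. `// NOTE: AclService does not remove overlaps between the three lists; the query below must tolerate them`, or the lists should be reduced here before use. The enclosing method starts and ends outside the hunk, so how the lists are consumed is not visible.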

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
index 9b39733..1ab4efe 100644
--- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
@@ -678,21 +678,60 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
     }
 
     @Override
-    public List<Long> getGrantedDomains(long accountId, AclEntityType entityType, String action) {
-        // TODO Auto-generated method stub
-        return null;
+    public List<Long> getGrantedDomains(long accountId, String action) {
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = listAclPolicies(accountId);
+        // for each policy, find granted permission with Domain scope
+        List<Long> domainIds = new ArrayList<Long>();
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.DOMAIN);
+            if (pp != null) {
+                for (AclPolicyPermissionVO p : pp) {
+                    if (p.getScopeId() != null) {
+                        domainIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return domainIds;
     }
 
     @Override
-    public List<Long> getGrantedAccounts(long accountId, AclEntityType entityType, String action) {
-        // TODO Auto-generated method stub
-        return null;
+    public List<Long> getGrantedAccounts(long accountId, String action) {
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = listAclPolicies(accountId);
+        // for each policy, find granted permission with Account scope
+        List<Long> accountIds = new ArrayList<Long>();
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ACCOUNT);
+            if (pp != null) {
+                for (AclPolicyPermissionVO p : pp) {
+                    if (p.getScopeId() != null) {
+                        accountIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return accountIds;
     }
 
     @Override
-    public List<Long> getGrantedResources(long accountId, AclEntityType entityType, String action) {
-        // TODO Auto-generated method stub
-        return null;
+    public List<Long> getGrantedResources(long accountId, String action) {
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = listAclPolicies(accountId);
+        // for each policy, find granted permission with Resource scope
+        List<Long> entityIds = new ArrayList<Long>();
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.RESOURCE);
+            if (pp != null) {
+                for (AclPolicyPermissionVO p : pp) {
+                    if (p.getScopeId() != null) {
+                        entityIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return entityIds;
     }
 
 }
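Review bot: getGrantedDomains, getGrantedAccounts and getGrantedResources are the same loop written three times, differing only in the PermissionScope constant. Any later change to how grants are resolved (for example honouring Deny entries) would have to be made in three places and can drift. I would move the loop into one private helper and have the three methods delegate to it, as below. The helper also skips scope ids already collected, since two policies granting the same scope would otherwise yield duplicates. It also guards the result of listAclPolicies, which the current code dereferences unchecked while null-checking the DAO result. Whether either case can occur is not visible in this hunk.

```java
    @Override
    public List<Long> getGrantedDomains(long accountId, String action) {
        return getGrantedScopeIds(accountId, action, PermissionScope.DOMAIN);
    }

    // … getGrantedAccounts and getGrantedResources delegate the same way with PermissionScope.ACCOUNT and PermissionScope.RESOURCE …

    /**
     * Collects the scope ids of all Allow entries for the given action and scope
     * across the policies returned by listAclPolicies(accountId).
     */
    private List<Long> getGrantedScopeIds(long accountId, String action, PermissionScope scope) {
        List<Long> scopeIds = new ArrayList<Long>();
        List<AclPolicy> policies = listAclPolicies(accountId);
        if (policies == null) {
            return scopeIds;
        }
        for (AclPolicy policy : policies) {
            List<AclPolicyPermissionVO> granted = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, scope);
            if (granted == null) {
                continue;
            }
            for (AclPolicyPermissionVO permission : granted) {
                Long scopeId = permission.getScopeId();
                // skip entries without a scope id and ids already granted by another policy
                if (scopeId != null && !scopeIds.contains(scopeId)) {
                    scopeIds.add(scopeId);
                }
            }
        }
        return scopeIds;
    }
```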