Posted to commits@cloudstack.apache.org by mc...@apache.org on 2013/11/21 02:37:59 UTC
git commit: updated refs/heads/rbac to 7ed0301
Updated Branches:
refs/heads/rbac e0d2423f0 -> 7ed030115
Updated DB schema and DAO layer classes according to new FS.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7ed03011
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7ed03011
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7ed03011
Branch: refs/heads/rbac
Commit: 7ed030115e144a3a44d327957132f760461e28c6
Parents: e0d2423
Author: Min Chen <mi...@citrix.com>
Authored: Wed Nov 20 17:31:03 2013 -0800
Committer: Min Chen <mi...@citrix.com>
Committed: Wed Nov 20 17:32:09 2013 -0800
----------------------------------------------------------------------
api/src/org/apache/cloudstack/acl/AclGroup.java | 4 +-
.../apache/cloudstack/acl/AclPermission.java | 41 ++++
.../org/apache/cloudstack/acl/AclPolicy.java | 31 +++
.../apache/cloudstack/acl/PermissionScope.java | 1 +
.../org/apache/cloudstack/api/ApiConstants.java | 6 +
.../command/admin/acl/CreateAclGroupCmd.java | 9 +-
.../api/response/AclGroupResponse.java | 65 +++---
.../api/response/AclPermissionResponse.java | 125 +++++++++++
.../api/response/AclPolicyResponse.java | 156 ++++++++++++++
.../com/cloud/upgrade/dao/Upgrade421to430.java | 18 +-
.../cloudstack/acl/AclGroupPolicyMapVO.java | 81 +++++++
.../org/apache/cloudstack/acl/AclGroupVO.java | 8 +
.../apache/cloudstack/acl/AclPermissionVO.java | 145 +++++++++++++
.../acl/AclPolicyPermissionMapVO.java | 81 +++++++
.../org/apache/cloudstack/acl/AclPolicyVO.java | 132 ++++++++++++
.../api/query/dao/AclGroupJoinDaoImpl.java | 42 +---
.../cloud/api/query/dao/AclPolicyJoinDao.java | 37 ++++
.../api/query/dao/AclPolicyJoinDaoImpl.java | 157 ++++++++++++++
.../com/cloud/api/query/vo/AclGroupJoinVO.java | 117 +++++++---
.../com/cloud/api/query/vo/AclPolicyJoinVO.java | 213 +++++++++++++++++++
setup/db/db/schema-421to430.sql | 183 +++++-----------
21 files changed, 1426 insertions(+), 226 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/api/src/org/apache/cloudstack/acl/AclGroup.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/AclGroup.java b/api/src/org/apache/cloudstack/acl/AclGroup.java
index f822e4c..9fac792 100644
--- a/api/src/org/apache/cloudstack/acl/AclGroup.java
+++ b/api/src/org/apache/cloudstack/acl/AclGroup.java
@@ -19,9 +19,7 @@ package org.apache.cloudstack.acl;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.api.InternalIdentity;
-import com.cloud.domain.PartOf;
-
-public interface AclGroup extends PartOf, InternalIdentity, Identity {
+public interface AclGroup extends ControlledEntity, InternalIdentity, Identity {
String getName();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/api/src/org/apache/cloudstack/acl/AclPermission.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/AclPermission.java b/api/src/org/apache/cloudstack/acl/AclPermission.java
new file mode 100644
index 0000000..aff1503
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/AclPermission.java
@@ -0,0 +1,41 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface AclPermission extends InternalIdentity {
+
+ String getAction();
+
+ String getEntityType();
+
+ AccessType getAccessType();
+
+ PermissionScope getScope();
+
+ Long getScopeId();
+
+ Permission getPermission();
+
+ public enum Permission {
+ Allow,
+ Deny
+ }
+
+}
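Review bot: The new interface carries no documentation on the two points an authorization checker will depend on: what `getScopeId()` returning null means, and how an `Allow` and a `Deny` that both match the same action/entity/scope are resolved. Callers outside this file will turn these getters into access decisions, so the contract should be stated here rather than left to each implementation. A Javadoc on `getScopeId()` along the lines of `/** Id of the entity the scope refers to; null when the permission is not bound to one — confirm intended meaning. */` and one on `Permission` saying whether conflicts are resolved by the checker or are not allowed to exist would pin it down.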
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/api/src/org/apache/cloudstack/acl/AclPolicy.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/AclPolicy.java b/api/src/org/apache/cloudstack/acl/AclPolicy.java
new file mode 100644
index 0000000..6800f5b
--- /dev/null
+++ b/api/src/org/apache/cloudstack/acl/AclPolicy.java
@@ -0,0 +1,31 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface AclPolicy extends ControlledEntity, InternalIdentity, Identity {
+
+ String getName();
+
+ String getDescription();
+
+ public enum PolicyType {
+ Static, Dynamic
+ }
+}
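Review bot: `PolicyType` is declared inside the interface but no accessor exposes it, so a consumer holding an `AclPolicy` cannot tell a `Static` policy from a `Dynamic` one; either add `PolicyType getPolicyType();` next to `getDescription()` or drop the enum until it is used. If `AclPolicyVO` (listed in the diffstat but not shown here) maps a policy-type column, the getter belongs on this interface so the distinction is visible at the API layer. A one-line Javadoc on the enum stating what separates the two kinds would also help, since the names alone do not say.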
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/api/src/org/apache/cloudstack/acl/PermissionScope.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/PermissionScope.java b/api/src/org/apache/cloudstack/acl/PermissionScope.java
index 5e72747..a895535 100644
--- a/api/src/org/apache/cloudstack/acl/PermissionScope.java
+++ b/api/src/org/apache/cloudstack/acl/PermissionScope.java
@@ -1,6 +1,7 @@
package org.apache.cloudstack.acl;
public enum PermissionScope {
+ RESOURCE(0),
ACCOUNT(1),
DOMAIN(2),
REGION(3);
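Review bot: Prepending `RESOURCE(0)` shifts the `ordinal()` of `ACCOUNT`, `DOMAIN` and `REGION` by one, so any place that persists, serializes or compares this enum by ordinal rather than by name or the explicit number would silently change the scope of existing permissions after upgrade. `AclPermissionVO` in this commit maps `scope` with `EnumType.STRING`, so that table is unaffected; it is worth confirming no other column or switch relies on ordinal before the rbac branch merges. The constructor that takes the int lies outside the hunk.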
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/api/src/org/apache/cloudstack/api/ApiConstants.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java
index d887910..0d1878d 100755
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@@ -523,13 +523,19 @@ public class ApiConstants {
public static final String MAX_CONNECTIONS = "maxconnections";
public static final String SERVICE_STATE = "servicestate";
public static final String ACL_ACCOUNT_IDS = "accountids";
+ public static final String ACL_MEMBER_ACCOUNTS = "memberaccounts";
public static final String ACL_PARENT_ROLE_ID = "parentroleid";
public static final String ACL_PARENT_ROLE_NAME = "parentrolename";
public static final String ACL_ROLES = "roles";
public static final String ACL_ROLE_IDS = "roleids";
+ public static final String ACL_POLICIES = "policies";
public static final String ACL_APIS = "apis";
public static final String ACL_GROUPS = "groups";
public static final String ACL_PERMISSIONS = "permission";
+ public static final String ACL_ACTION = "action";
+ public static final String ACL_SCOPE = "scope";
+ public static final String ACL_SCOPE_ID = "scopeid";
+ public static final String ACL_ALLOW_DENY = "permission";
public static final String ENTITY_TYPE = "entitytype";
public static final String ENTITY_ID = "entityid";
public static final String ACCESS_TYPE = "accesstype";
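Review bot: `ACL_ALLOW_DENY` is defined as `"permission"`, the same wire name already carried by `ACL_PERMISSIONS` three lines above, so two distinct API fields now share one name. In this commit `AclPolicyResponse` serializes its permission set under `ACL_PERMISSIONS` and each nested `AclPermissionResponse` serializes its Allow/Deny value under `ACL_ALLOW_DENY`, producing a `permission` list whose elements each contain a `permission` string; a client or API-doc generator keyed on the name cannot tell them apart. Giving the new constant its own value (for example `public static final String ACL_ALLOW_DENY = "allowdeny";`, a constructed name) or pluralizing the list constant avoids the clash.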
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java
index 11f6c39..2f100c3 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/acl/CreateAclGroupCmd.java
@@ -32,6 +32,7 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
+import com.cloud.user.Account;
@APICommand(name = "createAclGroup", responseObject = AclGroupResponse.class, description = "Creates an acl group")
public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
@@ -82,7 +83,13 @@ public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
@Override
public long getEntityOwnerId() {
- return CallContext.current().getCallingAccount().getId();
+ Account account = CallContext.current().getCallingAccount();
+ if (account != null) {
+ return account.getId();
+ }
+
+ return Account.ACCOUNT_ID_SYSTEM;
+
}
@Override
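Review bot: The new null branch makes a group created without a calling account owned by `Account.ACCOUNT_ID_SYSTEM`, which silently attributes an ACL object to the most privileged account instead of failing. If `CallContext.current().getCallingAccount()` can genuinely be null for an API call, an unowned group is an error condition and should throw (for example `throw new IllegalStateException("No calling account in context");` or the project's usual exception type) rather than default; if it cannot be null, the branch is dead and the original one-liner was clearer. Either way a comment stating why system ownership is the intended fallback would help the next reader.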
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/api/src/org/apache/cloudstack/api/response/AclGroupResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/AclGroupResponse.java b/api/src/org/apache/cloudstack/api/response/AclGroupResponse.java
index e531504..b0c54e8 100644
--- a/api/src/org/apache/cloudstack/api/response/AclGroupResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/AclGroupResponse.java
@@ -30,7 +30,7 @@ import com.cloud.serializer.Param;
@SuppressWarnings("unused")
@EntityReference(value = AclGroup.class)
-public class AclGroupResponse extends BaseResponse {
+public class AclGroupResponse extends BaseResponse implements ControlledViewEntityResponse {
@SerializedName(ApiConstants.ID)
@Param(description = "the ID of the acl group")
@@ -52,22 +52,21 @@ public class AclGroupResponse extends BaseResponse {
@Param(description = "the domain name of the acl role")
private String domainName;
- @SerializedName(ApiConstants.ACL_ACCOUNT_IDS)
- @Param(description = "account Ids assigned to this acl group ")
- private Set<String> accountIdList;
+ @SerializedName(ApiConstants.ACCOUNT)
+ @Param(description = "the account owning the policy")
+ private String accountName;
- @SerializedName(ApiConstants.ACL_ROLES)
- @Param(description = "acl roles granted to this acl group ")
- private Set<AclRoleResponse> roleList;
+ @SerializedName(ApiConstants.ACL_MEMBER_ACCOUNTS)
+ @Param(description = "account names assigned to this acl group ")
+ private Set<String> accountNameList;
- @SerializedName(ApiConstants.ACL_PERMISSIONS)
- @Param(description = "permissions granted to this acl group ")
- private Set<AclEntityPermissionResponse> permList;
+ @SerializedName(ApiConstants.ACL_POLICIES)
+ @Param(description = "acl policies attached to this acl group ")
+ private Set<String> policyNameList;
public AclGroupResponse() {
- accountIdList = new LinkedHashSet<String>();
- roleList = new LinkedHashSet<AclRoleResponse>();
- permList = new LinkedHashSet<AclEntityPermissionResponse>();
+ accountNameList = new LinkedHashSet<String>();
+ policyNameList = new LinkedHashSet<String>();
}
@Override
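Review bot: The `@Param` description on the new `accountName` field reads "the account owning the policy", but this is the group response, so the generated API documentation will describe the wrong entity; change it to `@Param(description = "the account owning the acl group")`. The same sentence appears in `AclPolicyResponse` in this commit, where it is correct.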
@@ -93,44 +92,52 @@ public class AclGroupResponse extends BaseResponse {
this.description = description;
}
+ @Override
public void setDomainId(String domainId) {
this.domainId = domainId;
}
+ @Override
public void setDomainName(String domainName) {
this.domainName = domainName;
}
- public void setAccountIdList(Set<String> acctIdList) {
- accountIdList = acctIdList;
+ @Override
+ public void setAccountName(String accountName) {
+ this.accountName = accountName;
+
}
- public void addAccountId(String acctId) {
- accountIdList.add(acctId);
+ @Override
+ public void setProjectId(String projectId) {
+ // TODO Auto-generated method stub
+
}
- public void setRoleList(Set<AclRoleResponse> roles) {
- roleList = roles;
+ @Override
+ public void setProjectName(String projectName) {
+ // TODO Auto-generated method stub
+
}
- public void addRole(AclRoleResponse role) {
- roleList.add(role);
+ public void setMemberAccounts(Set<String> accts) {
+ accountNameList = accts;
}
- public Set<AclRoleResponse> getRoleList() {
- return roleList;
+ public void addMemberAccount(String acct) {
+ accountNameList.add(acct);
}
- public Set<AclEntityPermissionResponse> getPermissionList() {
- return permList;
+ public void setPolicyList(Set<String> policies) {
+ policyNameList = policies;
}
- public void setPermissionList(Set<AclEntityPermissionResponse> perms) {
- permList = perms;
+ public void addPolicy(String policy) {
+ policyNameList.add(policy);
}
- public void addPermission(AclEntityPermissionResponse perm) {
- permList.add(perm);
+ public Set<String> getPolicyList() {
+ return policyNameList;
}
@Override
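Review bot: `setProjectId` and `setProjectName` are empty auto-generated stubs, so project information handed to this `ControlledViewEntityResponse` is dropped without trace and the `// TODO Auto-generated method stub` comments ship as-is; `AclPolicyResponse` in this commit has the same two stubs. If projects are intentionally not modelled for ACL groups and policies, replace the TODO with a comment saying so, e.g. `// ACL groups are not project-scoped; project fields are intentionally ignored.`; otherwise add the fields and serialize them like `accountName`. `getPolicyList()` also hands out the internal `LinkedHashSet`, so a caller can mutate the response after it is built; `return Collections.unmodifiableSet(policyNameList);` (needing a `java.util.Collections` import) would close that, provided no caller relies on mutating it — the class continues outside the hunk.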
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/api/src/org/apache/cloudstack/api/response/AclPermissionResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/AclPermissionResponse.java b/api/src/org/apache/cloudstack/api/response/AclPermissionResponse.java
new file mode 100644
index 0000000..9329b24
--- /dev/null
+++ b/api/src/org/apache/cloudstack/api/response/AclPermissionResponse.java
@@ -0,0 +1,125 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.response;
+
+import com.google.gson.annotations.SerializedName;
+
+import org.apache.cloudstack.acl.AclEntityType;
+import org.apache.cloudstack.acl.AclPermission;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseResponse;
+
+import com.cloud.serializer.Param;
+
+public class AclPermissionResponse extends BaseResponse {
+
+ @SerializedName(ApiConstants.ACL_ACTION)
+ @Param(description = "action of this permission")
+ private String action;
+
+ @SerializedName(ApiConstants.ENTITY_TYPE)
+ @Param(description = "the entity type of this permission")
+ private AclEntityType entityType;
+
+ @SerializedName(ApiConstants.ACL_SCOPE)
+ @Param(description = "scope of this permission")
+ private PermissionScope scope;
+
+ @SerializedName(ApiConstants.ACL_SCOPE_ID)
+ @Param(description = "scope id of this permission")
+ private Long scopeId;
+
+ @SerializedName(ApiConstants.ACL_ALLOW_DENY)
+ @Param(description = "allow or deny of this permission")
+ private AclPermission.Permission permission;
+
+ public AclEntityType getEntityType() {
+ return entityType;
+ }
+
+ public void setEntityType(AclEntityType entityType) {
+ this.entityType = entityType;
+ }
+
+ public String getAction() {
+ return action;
+ }
+
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public PermissionScope getScope() {
+ return scope;
+ }
+
+ public void setScope(PermissionScope scope) {
+ this.scope = scope;
+ }
+
+ public Long getScopeId() {
+ return scopeId;
+ }
+
+ public void setScopeId(Long scopeId) {
+ this.scopeId = scopeId;
+ }
+
+ public AclPermission.Permission getPermission() {
+ return permission;
+ }
+
+ public void setPermission(AclPermission.Permission permission) {
+ this.permission = permission;
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((action == null) ? 0 : action.hashCode());
+ result = prime * result + ((entityType == null) ? 0 : entityType.hashCode());
+ result = prime * result + ((scope == null) ? 0 : scope.hashCode());
+ result = prime * result + ((scopeId == null) ? 0 : scopeId.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj)
+ return true;
+ if (obj == null)
+ return false;
+ if (getClass() != obj.getClass())
+ return false;
+ AclPermissionResponse other = (AclPermissionResponse) obj;
+ if ((entityType == null && other.entityType != null) || !entityType.equals(other.entityType)) {
+ return false;
+ } else if ((action == null && other.action != null) || !action.equals(other.action)) {
+ return false;
+ } else if ((scope == null && other.scope != null) || !scope.equals(other.scope)) {
+ return false;
+ } else if ((scopeId == null && other.scopeId != null) || !scopeId.equals(other.scopeId)) {
+ return false;
+ }
+ return true;
+ }
+
+
+
+}
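Review bot: `equals()` dereferences a null field: when both `entityType` values are null the first clause of `(entityType == null && other.entityType != null) || !entityType.equals(other.entityType)` is false and `entityType.equals(...)` throws `NullPointerException`; the `action`, `scope` and `scopeId` clauses have the same shape, and `scopeId` is a nullable `Long` by design. `permission` is also left out of both `equals()` and `hashCode()`, so an `Allow` and a `Deny` for the same action/entity/scope compare equal and the second one added to `AclPolicyResponse`'s `LinkedHashSet` is silently dropped from the API output — a client reading the policy would not see the Deny, unless de-duplicating on the key alone is intended. Rewriting both methods with `java.util.Objects` (which needs an import) fixes both points:
```java
// … unchanged: fields, getters and setters …

@Override
public int hashCode() {
    return Objects.hash(action, entityType, scope, scopeId, permission);
}

@Override
public boolean equals(Object obj) {
    if (this == obj) {
        return true;
    }
    if (obj == null || getClass() != obj.getClass()) {
        return false;
    }
    AclPermissionResponse other = (AclPermissionResponse) obj;
    return Objects.equals(entityType, other.entityType)
        && Objects.equals(action, other.action)
        && Objects.equals(scope, other.scope)
        && Objects.equals(scopeId, other.scopeId)
        && Objects.equals(permission, other.permission);
}
```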
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/api/src/org/apache/cloudstack/api/response/AclPolicyResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/AclPolicyResponse.java b/api/src/org/apache/cloudstack/api/response/AclPolicyResponse.java
new file mode 100644
index 0000000..6527fa4
--- /dev/null
+++ b/api/src/org/apache/cloudstack/api/response/AclPolicyResponse.java
@@ -0,0 +1,156 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.response;
+
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import com.google.gson.annotations.SerializedName;
+
+import org.apache.cloudstack.acl.AclPolicy;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.EntityReference;
+
+import com.cloud.serializer.Param;
+
+@SuppressWarnings("unused")
+@EntityReference(value = AclPolicy.class)
+public class AclPolicyResponse extends BaseResponse implements ControlledViewEntityResponse {
+
+ @SerializedName(ApiConstants.ID)
+ @Param(description = "the ID of the acl policy")
+ private String id;
+
+ @SerializedName(ApiConstants.NAME)
+ @Param(description = "the name of the acl policy")
+ private String name;
+
+ @SerializedName(ApiConstants.DESCRIPTION)
+ @Param(description = "the description of the acl policy")
+ private String description;
+
+ @SerializedName(ApiConstants.DOMAIN_ID)
+ @Param(description = "the domain ID of the acl policy")
+ private String domainId;
+
+ @SerializedName(ApiConstants.DOMAIN)
+ @Param(description = "the domain name of the acl policy")
+ private String domainName;
+
+ @SerializedName(ApiConstants.ACCOUNT)
+ @Param(description = "the account owning the policy")
+ private String accountName;
+
+ @SerializedName(ApiConstants.ACL_PERMISSIONS)
+ @Param(description = "set of permissions for the acl policy")
+ private Set<AclPermissionResponse> permissionList;
+
+ public AclPolicyResponse() {
+ permissionList = new LinkedHashSet<AclPermissionResponse>();
+ }
+
+ @Override
+ public String getObjectId() {
+ return getId();
+ }
+
+
+ public String getId() {
+ return id;
+ }
+
+ public void setId(String id) {
+ this.id = id;
+ }
+
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public void setDescription(String description) {
+ this.description = description;
+ }
+
+ @Override
+ public void setDomainId(String domainId) {
+ this.domainId = domainId;
+ }
+
+ @Override
+ public void setDomainName(String domainName) {
+ this.domainName = domainName;
+ }
+
+ public Set<AclPermissionResponse> getPermissionList() {
+ return permissionList;
+ }
+
+ public void setPermissionList(Set<AclPermissionResponse> perms) {
+ permissionList = perms;
+ }
+
+ public void addPermission(AclPermissionResponse perm) {
+ permissionList.add(perm);
+ }
+
+ @Override
+ public void setAccountName(String accountName) {
+ this.accountName = accountName;
+ }
+
+ @Override
+ public void setProjectId(String projectId) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void setProjectName(String projectName) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((id == null) ? 0 : id.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj)
+ return true;
+ if (obj == null)
+ return false;
+ if (getClass() != obj.getClass())
+ return false;
+ AclPolicyResponse other = (AclPolicyResponse) obj;
+ if (id == null) {
+ if (other.id != null)
+ return false;
+ } else if (!id.equals(other.id))
+ return false;
+ return true;
+ }
+
+
+
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
index 791297c..94a0c91 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade421to430.java
@@ -63,8 +63,8 @@ public class Upgrade421to430 implements DbUpgrade {
@Override
public void performDataMigration(Connection conn) {
populateACLGroupAccountMap(conn);
- populateACLGroupRoleMap(conn);
- populateACLRoleBasedAPIPermission(conn);
+ populateACLGroupPolicyMap(conn);
+ //populateACLRoleBasedAPIPermission(conn);
}
// populate acl_group_account_map table for existing accounts
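Review bot: The call to `populateACLRoleBasedAPIPermission(conn)` is commented out rather than removed, and the method itself is kept (it still appears at the bottom of this file section), so the 4.2.1 upgrade now creates the group-to-policy mapping but seeds no permission rows for those policies unless something outside this chunk does. How a policy with no permissions is evaluated is not visible here, so upgraded installations may end up with default policies that are effectively empty. If the step is intentionally deferred, replace the commented-out line with a comment naming what will seed them, e.g. `// API permissions for default policies are populated by <follow-up change> — TODO`, and delete the dead method; if it is not intentional, the call should stay.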
@@ -112,23 +112,23 @@ public class Upgrade421to430 implements DbUpgrade {
s_logger.debug("Completed populate acl_group_account_map for existing accounts.");
}
- // populate acl_group_role_map table for existing accounts
- private void populateACLGroupRoleMap(Connection conn) {
+ // populate acl_group_policy_map table for existing accounts
+ private void populateACLGroupPolicyMap(Connection conn) {
PreparedStatement sqlInsert = null;
ResultSet rs = null;
- s_logger.debug("Populating acl_group_role_map table for default groups and roles...");
+ s_logger.debug("Populating acl_group_policy_map table for default groups and policies...");
try {
sqlInsert = conn
- .prepareStatement("INSERT INTO `cloud`.`acl_group_role_map` (group_id, role_id, created) values(?, ?, Now())");
+ .prepareStatement("INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values(?, ?, Now())");
for (int i = 1; i < 6; i++) {
- // insert entry in acl_group_role_map table, 1 to 1 mapping for default group and role
+ // insert entry in acl_group_policy_map table, 1 to 1 mapping for default group and policy
sqlInsert.setLong(1, i);
sqlInsert.setLong(2, i);
sqlInsert.executeUpdate();
}
} catch (SQLException e) {
- String msg = "Unable to populate acl_group_role_map for default groups and roles." + e.getMessage();
+ String msg = "Unable to populate acl_group_policy_map for default groups and policies." + e.getMessage();
s_logger.error(msg);
throw new CloudRuntimeException(msg, e);
} finally {
@@ -143,7 +143,7 @@ public class Upgrade421to430 implements DbUpgrade {
} catch (SQLException e) {
}
}
- s_logger.debug("Completed populate acl_group_role_map for existing accounts.");
+ s_logger.debug("Completed populate acl_group_policy_map for existing accounts.");
}
private void populateACLRoleBasedAPIPermission(Connection conn) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/engine/schema/src/org/apache/cloudstack/acl/AclGroupPolicyMapVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclGroupPolicyMapVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclGroupPolicyMapVO.java
new file mode 100644
index 0000000..984d482
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclGroupPolicyMapVO.java
@@ -0,0 +1,81 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.api.InternalIdentity;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("acl_group_policy_map"))
+public class AclGroupPolicyMapVO implements InternalIdentity {
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private Long id;
+
+ @Column(name = "group_id")
+ private long aclGroupId;
+
+ @Column(name = "policy_id")
+ private long aclPolicyId;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public AclGroupPolicyMapVO() {
+ }
+
+ public AclGroupPolicyMapVO(long aclGroupId, long aclPolicyId) {
+ this.aclGroupId = aclGroupId;
+ this.aclPolicyId = aclPolicyId;
+ }
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+ public long getAclGroupId() {
+ return aclGroupId;
+ }
+
+
+ public long getAclPolicyId() {
+ return aclPolicyId;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+}
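Review bot: `id` is declared `private Long id;` but `getId()` returns the primitive `long`, so calling `getId()` on an instance that has not been persisted yet (neither constructor sets it) auto-unboxes null and throws `NullPointerException`; `AclPolicyPermissionMapVO` in this commit has the same pair. Declaring the field as `private long id;`, as `AclPermissionVO` in this commit does, removes the trap.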
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java
index 45e22eb..6570557 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java
@@ -48,6 +48,9 @@ public class AclGroupVO implements AclGroup {
@Column(name = "domain_id")
private long domainId;
+ @Column(name = "account_id")
+ private long accountId;
+
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@@ -89,6 +92,11 @@ public class AclGroupVO implements AclGroup {
}
@Override
+ public long getAccountId() {
+ return accountId;
+ }
+
+ @Override
public String getUuid() {
return uuid;
}
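Review bot: `getAccountId()` now satisfies `ControlledEntity`, which means the group's owner account feeds the same access checks as any other owned resource, but nothing in these hunks sets `accountId`: there is no constructor change and no setter, so how an existing or newly created group acquires its owner is not visible here. Because the field is a primitive `long`, a row whose new `account_id` column is left unset would presumably present an owner of 0 to the checker rather than an absent value; a comment on the field stating where it is populated and what the schema default is would make the contract reviewable. The rest of the class is outside the hunks.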
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
new file mode 100644
index 0000000..1bcecab
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
@@ -0,0 +1,145 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("acl_permission"))
+public class AclPermissionVO implements AclPermission {
+
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private long id;
+
+ @Column(name = "action")
+ private String action;
+
+ @Column(name = "resource_type")
+ private String entityType;
+
+ @Column(name = "access_type")
+ @Enumerated(value = EnumType.STRING)
+ private AccessType accessType;
+
+ @Column(name = "scope")
+ @Enumerated(value = EnumType.STRING)
+ private PermissionScope scope;
+
+ @Column(name = "scope_id")
+ private Long scopeId;
+
+ @Column(name = "permission")
+ @Enumerated(value = EnumType.STRING)
+ private Permission permission;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public AclPermissionVO() {
+
+ }
+
+
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+
+ @Override
+ public String getEntityType() {
+ return entityType;
+ }
+
+ @Override
+ public AccessType getAccessType() {
+ return accessType;
+ }
+
+
+ public void setEntityType(String entityType) {
+ this.entityType = entityType;
+ }
+
+ public void setAccessType(AccessType accessType) {
+ this.accessType = accessType;
+ }
+
+ @Override
+ public PermissionScope getScope() {
+ return scope;
+ }
+
+ public void setScope(PermissionScope scope) {
+ this.scope = scope;
+ }
+
+
+ @Override
+ public String getAction() {
+ return action;
+ }
+
+ @Override
+ public Long getScopeId() {
+ return scopeId;
+ }
+
+ @Override
+ public Permission getPermission() {
+ return permission;
+ }
+
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public void setScopeId(Long scopeId) {
+ this.scopeId = scopeId;
+ }
+
+ public void setPermission(Permission permission) {
+ this.permission = permission;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+}
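Review bot: `entityType` is persisted as a free-form `String` (column `resource_type`), while the API-side `AclPermissionResponse` in this commit types the same field as the `AclEntityType` enum, so a conversion has to happen somewhere not shown here and an unrecognised value in the column would presumably surface there as a runtime failure. Since `AclPermission.getEntityType()` is declared to return `String`, the cheaper fix is to state in that interface's Javadoc which strings are valid; the alternative is mapping the column here with `@Enumerated(value = EnumType.STRING)` and `AclEntityType`, as `scope` and `permission` already are, which would change the interface. The `resource_type` column versus `entityType` field naming is worth a one-line comment as well, e.g. `// column is named resource_type; the API exposes it as entitytype`.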
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionMapVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionMapVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionMapVO.java
new file mode 100644
index 0000000..7ffecbf
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionMapVO.java
@@ -0,0 +1,81 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.api.InternalIdentity;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("acl_policy_permission_map"))
+public class AclPolicyPermissionMapVO implements InternalIdentity {
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private Long id;
+
+ @Column(name = "policy_id")
+ private long aclPolicyId;
+
+ @Column(name = "permission_id")
+ private long aclPermissionId;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public AclPolicyPermissionMapVO() {
+ }
+
+ public AclPolicyPermissionMapVO(long aclPolicyId, long aclPermissionId) {
+ this.aclPolicyId = aclPolicyId;
+ this.aclPermissionId = aclPermissionId;
+ }
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+
+ public long getAclPolicyId() {
+ return aclPolicyId;
+ }
+
+ public long getAclPermissionId() {
+ return aclPermissionId;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+}
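Review bot: `getId()` returns the primitive `long` but the backing `@Id` field is declared `private Long id;`, so calling `getId()` on an instance that has been constructed but not yet persisted auto-unboxes `null` and throws a `NullPointerException`. The other entities in this commit (`AclPolicyVO`, `AclPolicyJoinVO`) declare the id as a primitive; this class should match: `private long id;`. A one-line Javadoc would also help readers who land on this row type from the DAO layer, e.g. `/** Join row binding one acl_permission to the acl_policy that contains it (table acl_policy_permission_map). */`.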
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java
new file mode 100644
index 0000000..24b9888
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java
@@ -0,0 +1,132 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import java.util.Date;
+import java.util.UUID;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("acl_policy"))
+public class AclPolicyVO implements AclPolicy {
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private long id;
+
+ @Column(name = "name")
+ private String name;
+
+ @Column(name = "description")
+ private String description;
+
+ @Column(name = "uuid")
+ private String uuid;
+
+ @Column(name = "domain_id")
+ private long domainId;
+
+ @Column(name = "account_id")
+ private long accountId;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ @Column(name = "policy_type")
+ @Enumerated(value = EnumType.STRING)
+ private AclPolicy.PolicyType policyType;
+
+ public AclPolicyVO() {
+ uuid = UUID.randomUUID().toString();
+ }
+
+ public AclPolicyVO(String name, String description) {
+ this.name = name;
+ this.description = description;
+ uuid = UUID.randomUUID().toString();
+ policyType = AclPolicy.PolicyType.Static;
+ }
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public String getDescription() {
+ return description;
+ }
+
+
+ @Override
+ public String getUuid() {
+ return uuid;
+ }
+
+ public void setUuid(String uuid) {
+ this.uuid = uuid;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+
+ @Override
+ public long getDomainId() {
+ return domainId;
+ }
+
+ public void setDomainId(long domainId) {
+ this.domainId = domainId;
+ }
+
+ @Override
+ public long getAccountId() {
+ return accountId;
+ }
+
+ public AclPolicy.PolicyType getPolicyType() {
+ return policyType;
+ }
+
+ public void setPolicyType(AclPolicy.PolicyType policyType) {
+ this.policyType = policyType;
+ }
+
+}
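Review bot: Neither constructor initialises `domainId` or `accountId`, and there is no `setAccountId`, so a policy built with `new AclPolicyVO(name, description)` is persisted with `account_id = 0` against a column the schema hunk in this commit declares `account_id bigint unsigned NOT NULL`; since the owning account is what access checks on the policy will be keyed on, the constructor should take both, e.g. `public AclPolicyVO(String name, String description, long domainId, long accountId)`, or at least a `setAccountId(long)` should be added next to `setDomainId`. The two constructors also disagree on `policyType`: the two-argument one sets `PolicyType.Static` while the no-argument one leaves it `null`, so in-memory instances differ from the column default `'Static'`; set the same default in both. `setUuid` lets a caller replace the generated UUID; if that exists only for restoring an already-persisted value, a comment should say so, e.g. `// only for re-hydrating a stored uuid; new policies keep the random one`.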
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/server/src/com/cloud/api/query/dao/AclGroupJoinDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclGroupJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AclGroupJoinDaoImpl.java
index a1ffad2..355f561 100644
--- a/server/src/com/cloud/api/query/dao/AclGroupJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/AclGroupJoinDaoImpl.java
@@ -30,9 +30,7 @@ import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.AclGroupAccountMapVO;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
-import org.apache.cloudstack.api.response.AclEntityPermissionResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclRoleResponse;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import com.cloud.api.query.vo.AclGroupJoinVO;
@@ -80,46 +78,28 @@ public class AclGroupJoinDaoImpl extends GenericDaoBase<AclGroupJoinVO, Long> im
response.setDescription(group.getDescription());
response.setDomainId(group.getDomainUuid());
response.setDomainName(group.getName());
- if (group.getAccountId() > 0) {
- response.addAccountId(group.getAccountUuid());
+ response.setAccountName(group.getAccountName());
+ if (group.getMemberAccountId() > 0) {
+ response.addMemberAccount(group.getMemberAccountName());
}
- if (group.getRoleId() > 0) {
- AclRoleResponse roleResp = new AclRoleResponse();
- roleResp.setId(group.getRoleUuid());
- roleResp.setName(group.getRoleName());
- response.addRole(roleResp);
- }
- if (group.getEntityId() > 0) {
- AclEntityPermissionResponse permResp = new AclEntityPermissionResponse();
- permResp.setEntityId(group.getEntityUuid());
- permResp.setEntityType(group.getEntityType());
- permResp.setAccessType(group.getAccessType().toString());
- response.addPermission(permResp);
+ if (group.getPolicyId() > 0) {
+ response.addPolicy(group.getPolicyName());
}
+
response.setObjectName("aclgroup");
-
return response;
}
@Override
public AclGroupResponse setAclGroupResponse(AclGroupResponse response, AclGroupJoinVO group) {
- if (group.getAccountId() > 0) {
- response.addAccountId(group.getAccountUuid());
+ if (group.getMemberAccountId() > 0) {
+ response.addMemberAccount(group.getMemberAccountName());
}
- if (group.getRoleId() > 0) {
- AclRoleResponse roleResp = new AclRoleResponse();
- roleResp.setId(group.getRoleUuid());
- roleResp.setName(group.getRoleName());
- response.addRole(roleResp);
- }
- if (group.getEntityId() > 0) {
- AclEntityPermissionResponse permResp = new AclEntityPermissionResponse();
- permResp.setEntityId(group.getEntityUuid());
- permResp.setEntityType(group.getEntityType());
- permResp.setAccessType(group.getAccessType().toString());
- response.addPermission(permResp);
+ if (group.getPolicyId() > 0) {
+ response.addPolicy(group.getPolicyName());
}
+
return response;
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/server/src/com/cloud/api/query/dao/AclPolicyJoinDao.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclPolicyJoinDao.java b/server/src/com/cloud/api/query/dao/AclPolicyJoinDao.java
new file mode 100644
index 0000000..8f00464
--- /dev/null
+++ b/server/src/com/cloud/api/query/dao/AclPolicyJoinDao.java
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.query.dao;
+
+import java.util.List;
+
+import org.apache.cloudstack.acl.AclPolicy;
+import org.apache.cloudstack.api.response.AclPolicyResponse;
+
+import com.cloud.api.query.vo.AclPolicyJoinVO;
+import com.cloud.utils.db.GenericDao;
+
+
+public interface AclPolicyJoinDao extends GenericDao<AclPolicyJoinVO, Long> {
+
+ AclPolicyResponse newAclPolicyResponse(AclPolicyJoinVO role);
+
+ AclPolicyResponse setAclPolicyResponse(AclPolicyResponse response, AclPolicyJoinVO os);
+
+ List<AclPolicyJoinVO> newAclPolicyView(AclPolicy role);
+
+ List<AclPolicyJoinVO> searchByIds(Long... ids);
+}
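Review bot: The parameter names in this new interface still carry the old role vocabulary and a copy-paste leftover: `newAclPolicyResponse(AclPolicyJoinVO role)`, `newAclPolicyView(AclPolicy role)` and `setAclPolicyResponse(AclPolicyResponse response, AclPolicyJoinVO os)`. All three should be `policy`, matching the parameter names used in `AclPolicyJoinDaoImpl`, since these are the names IDEs and Javadoc show to callers. A short Javadoc on `searchByIds` stating that it reads `acl_policy_view` in batches and includes removed rows would document what the implementation actually does.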
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
new file mode 100644
index 0000000..216a9e0
--- /dev/null
+++ b/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
@@ -0,0 +1,157 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.query.dao;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
+import org.apache.cloudstack.acl.AclPolicy;
+import org.apache.cloudstack.api.response.AclPermissionResponse;
+import org.apache.cloudstack.api.response.AclPolicyResponse;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+
+import com.cloud.api.query.vo.AclPolicyJoinVO;
+import com.cloud.user.AccountManager;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+@Component
+@Local(value = {AclRoleJoinDao.class})
+public class AclPolicyJoinDaoImpl extends GenericDaoBase<AclPolicyJoinVO, Long> implements AclPolicyJoinDao {
+ public static final Logger s_logger = Logger.getLogger(AclPolicyJoinDaoImpl.class);
+
+
+ private final SearchBuilder<AclPolicyJoinVO> policyIdSearch;
+ private final SearchBuilder<AclPolicyJoinVO> policySearch;
+ @Inject
+ public AccountManager _accountMgr;
+ @Inject
+ public ConfigurationDao _configDao;
+
+ protected AclPolicyJoinDaoImpl() {
+
+ policySearch = createSearchBuilder();
+ policySearch.and("idIN", policySearch.entity().getId(), SearchCriteria.Op.IN);
+ policySearch.done();
+
+ policyIdSearch = createSearchBuilder();
+ policyIdSearch.and("id", policyIdSearch.entity().getId(), SearchCriteria.Op.EQ);
+ policyIdSearch.done();
+
+ _count = "select count(distinct id) from acl_policy_view WHERE ";
+ }
+
+
+
+ @Override
+ public AclPolicyResponse newAclPolicyResponse(AclPolicyJoinVO policy) {
+
+ AclPolicyResponse response = new AclPolicyResponse();
+ response.setId(policy.getUuid());
+ response.setName(policy.getName());
+ response.setDescription(policy.getDescription());
+ response.setDomainId(policy.getDomainUuid());
+ response.setDomainName(policy.getName());
+ response.setAccountName(policy.getAccountName());
+ if (policy.getPermissionAction() != null) {
+ AclPermissionResponse perm = new AclPermissionResponse();
+ perm.setAction(policy.getPermissionAction());
+ perm.setEntityType(policy.getPermissionEntityType());
+ perm.setScope(policy.getPermissionScope());
+ perm.setScopeId(policy.getPermissionScopeId());
+ perm.setPermission(policy.getPermissionAllowDeny());
+ response.addPermission(perm);
+ }
+
+ response.setObjectName("aclpolicy");
+ return response;
+ }
+
+ @Override
+ public AclPolicyResponse setAclPolicyResponse(AclPolicyResponse response, AclPolicyJoinVO policy) {
+ if (policy.getPermissionAction() != null) {
+ AclPermissionResponse perm = new AclPermissionResponse();
+ perm.setAction(policy.getPermissionAction());
+ perm.setEntityType(policy.getPermissionEntityType());
+ perm.setScope(policy.getPermissionScope());
+ perm.setScopeId(policy.getPermissionScopeId());
+ perm.setPermission(policy.getPermissionAllowDeny());
+ response.addPermission(perm);
+ }
+ return response;
+ }
+
+ @Override
+ public List<AclPolicyJoinVO> newAclPolicyView(AclPolicy policy) {
+ SearchCriteria<AclPolicyJoinVO> sc = policyIdSearch.create();
+ sc.setParameters("id", policy.getId());
+ return searchIncludingRemoved(sc, null, null, false);
+
+ }
+
+ @Override
+ public List<AclPolicyJoinVO> searchByIds(Long... policyIds) {
+ // set detail batch query size
+ int DETAILS_BATCH_SIZE = 2000;
+ String batchCfg = _configDao.getValue("detail.batch.query.size");
+ if (batchCfg != null) {
+ DETAILS_BATCH_SIZE = Integer.parseInt(batchCfg);
+ }
+ // query details by batches
+ List<AclPolicyJoinVO> uvList = new ArrayList<AclPolicyJoinVO>();
+ // query details by batches
+ int curr_index = 0;
+ if (policyIds.length > DETAILS_BATCH_SIZE) {
+ while ((curr_index + DETAILS_BATCH_SIZE) <= policyIds.length) {
+ Long[] ids = new Long[DETAILS_BATCH_SIZE];
+ for (int k = 0, j = curr_index; j < curr_index + DETAILS_BATCH_SIZE; j++, k++) {
+ ids[k] = policyIds[j];
+ }
+ SearchCriteria<AclPolicyJoinVO> sc = policySearch.create();
+ sc.setParameters("idIN", ids);
+ List<AclPolicyJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
+ if (vms != null) {
+ uvList.addAll(vms);
+ }
+ curr_index += DETAILS_BATCH_SIZE;
+ }
+ }
+ if (curr_index < policyIds.length) {
+ int batch_size = (policyIds.length - curr_index);
+ // set the ids value
+ Long[] ids = new Long[batch_size];
+ for (int k = 0, j = curr_index; j < curr_index + batch_size; j++, k++) {
+ ids[k] = policyIds[j];
+ }
+ SearchCriteria<AclPolicyJoinVO> sc = policySearch.create();
+ sc.setParameters("idIN", ids);
+ List<AclPolicyJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
+ if (vms != null) {
+ uvList.addAll(vms);
+ }
+ }
+ return uvList;
+ }
+
+}
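Review bot: The `@Local(value = {AclRoleJoinDao.class})` annotation on `AclPolicyJoinDaoImpl` names the old role DAO interface while the class implements `AclPolicyJoinDao`; it should read `@Local(value = {AclPolicyJoinDao.class})`, otherwise the bean is advertised under the wrong interface, one this commit appears to be retiring. In `newAclPolicyResponse`, `response.setDomainName(policy.getName())` copies the policy name into the domain-name field; it should be `response.setDomainName(policy.getDomainName());` (the same slip is visible as a context line in the `AclGroupJoinDaoImpl` hunk, `response.setDomainName(group.getName())`). The permission-to-response mapping is duplicated verbatim in `newAclPolicyResponse` and `setAclPolicyResponse`; a private helper taking `(AclPolicyResponse, AclPolicyJoinVO)` would keep them in step, and would be the one place to add `permissionAccessType`, which the view exposes but neither method copies. In `searchByIds`, `Integer.parseInt(batchCfg)` on the `detail.batch.query.size` value is unguarded, so a non-numeric setting turns every policy listing into a `NumberFormatException`; the locals `DETAILS_BATCH_SIZE` and `curr_index` should also follow `lowerCamelCase`.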
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/server/src/com/cloud/api/query/vo/AclGroupJoinVO.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/vo/AclGroupJoinVO.java b/server/src/com/cloud/api/query/vo/AclGroupJoinVO.java
index 5d67e34..de73061 100644
--- a/server/src/com/cloud/api/query/vo/AclGroupJoinVO.java
+++ b/server/src/com/cloud/api/query/vo/AclGroupJoinVO.java
@@ -27,13 +27,14 @@ import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
+import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_group_view"))
-public class AclGroupJoinVO extends BaseViewVO {
+public class AclGroupJoinVO extends BaseViewVO implements ControlledViewEntity {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
@@ -66,14 +67,14 @@ public class AclGroupJoinVO extends BaseViewVO {
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
- @Column(name = "role_id")
- private long roleId;
+ @Column(name = "policy_id")
+ private long policyId;
- @Column(name = "role_uuid")
- private String roleUuid;
+ @Column(name = "policy_uuid")
+ private String policyUuid;
- @Column(name = "role_name")
- private String roleName;
+ @Column(name = "policy_name")
+ private String policyName;
@Column(name = "account_id")
private long accountId;
@@ -84,18 +85,34 @@ public class AclGroupJoinVO extends BaseViewVO {
@Column(name = "account_name")
private String accountName;
- @Column(name = "entity_type")
- private String entityType;
+ @Column(name = "account_type")
+ private short accountType;
- @Column(name = "entity_id")
- private long entityId;
+ @Column(name = "member_account_id")
+ private long memberAccountId;
- @Column(name = "entity_uuid")
- private String entityUuid;
+ @Column(name = "member_account_uuid")
+ private String memberAccountUuid;
- @Column(name = "access_type")
+ @Column(name = "member_account_name")
+ private String memberAccountName;
+
+ @Column(name = "permission_action")
+ private String permissionAction;
+
+ @Column(name = "permission_entity_type")
+ private String permissionEntityType;
+
+ @Column(name = "permission_scope_id")
+ private long permissionScopeId;
+
+ @Column(name = "permission_scope_type")
@Enumerated(value = EnumType.STRING)
- AccessType accessType;
+ PermissionScope permissionScope;
+
+ @Column(name = "permission_access_type")
+ @Enumerated(value = EnumType.STRING)
+ AccessType permissionAccessType;
public AclGroupJoinVO() {
}
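Review bot: `permissionScopeId` is declared as the primitive `long` here while the same column is `Long permissionScopeId` in `AclPolicyJoinVO` and `Long scopeId` in `AclPermissionVO`; a view row for a group that has no permission attached will most likely carry NULL in `permission_scope_id`, and hydrating NULL into a primitive fails, so this should be `private Long permissionScopeId;`. Likewise `permissionEntityType` is a `String` here but an `AclEntityType` enum in `AclPolicyJoinVO`; the two view VOs read the same kind of column and should agree on the type. The enum fields `permissionScope` and `permissionAccessType` are package-private while every other field is `private`; add `private` to both.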
@@ -114,22 +131,27 @@ public class AclGroupJoinVO extends BaseViewVO {
return description;
}
+ @Override
public String getUuid() {
return uuid;
}
+ @Override
public long getDomainId() {
return domainId;
}
+ @Override
public String getDomainUuid() {
return domainUuid;
}
+ @Override
public String getDomainName() {
return domainName;
}
+ @Override
public String getDomainPath() {
return domainPath;
}
@@ -143,44 +165,81 @@ public class AclGroupJoinVO extends BaseViewVO {
return created;
}
- public long getRoleId() {
- return roleId;
+ public long getPolicyId() {
+ return policyId;
}
- public String getRoleUuid() {
- return roleUuid;
+ public String getPolicyUuid() {
+ return policyUuid;
}
- public String getRoleName() {
- return roleName;
+ public String getPolicyName() {
+ return policyName;
}
+ @Override
public long getAccountId() {
return accountId;
}
+ @Override
public String getAccountUuid() {
return accountUuid;
}
+ @Override
public String getAccountName() {
return accountName;
}
- public String getEntityType() {
- return entityType;
+ @Override
+ public short getAccountType() {
+ return accountType;
+ }
+
+ @Override
+ public String getProjectUuid() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getProjectName() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public long getMemberAccountId() {
+ return memberAccountId;
+ }
+
+ public String getMemberAccountUuid() {
+ return memberAccountUuid;
+ }
+
+ public String getMemberAccountName() {
+ return memberAccountName;
+ }
+
+ public String getPermissionAction() {
+ return permissionAction;
+ }
+
+ public String getPermissionEntityType() {
+ return permissionEntityType;
}
- public long getEntityId() {
- return entityId;
+ public long getPermissionScopeId() {
+ return permissionScopeId;
}
- public String getEntityUuid() {
- return entityUuid;
+ public PermissionScope getPermissionScope() {
+ return permissionScope;
}
- public AccessType getAccessType() {
- return accessType;
+ public AccessType getPermissionAccessType() {
+ return permissionAccessType;
}
+
}
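Review bot: `getProjectUuid()` and `getProjectName()` are left as auto-generated stubs returning `null` under a `// TODO Auto-generated method stub` comment, and the same two stubs appear in the new `AclPolicyJoinVO`. If consumers of `ControlledViewEntity` use these to decide project ownership, a silent `null` is a poor default for an access-control type; either the view should expose project columns, or the methods should state the intent, e.g. replace the TODO with `// acl groups are account/domain scoped and never project owned`. The class header of `AclGroupJoinVO` is outside this hunk.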
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/server/src/com/cloud/api/query/vo/AclPolicyJoinVO.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/vo/AclPolicyJoinVO.java b/server/src/com/cloud/api/query/vo/AclPolicyJoinVO.java
new file mode 100644
index 0000000..a94ef01
--- /dev/null
+++ b/server/src/com/cloud/api/query/vo/AclPolicyJoinVO.java
@@ -0,0 +1,213 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.query.vo;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.acl.AclEntityType;
+import org.apache.cloudstack.acl.AclPermission;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("acl_policy_view"))
+public class AclPolicyJoinVO extends BaseViewVO implements ControlledViewEntity {
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id")
+ private long id;
+
+ @Column(name = "name")
+ private String name;
+
+ @Column(name = "description")
+ private String description;
+
+ @Column(name = "uuid")
+ private String uuid;
+
+ @Column(name = "domain_id")
+ private long domainId;
+
+ @Column(name = "domain_uuid")
+ private String domainUuid;
+
+ @Column(name = "domain_name")
+ private String domainName;
+
+ @Column(name = "domain_path")
+ private String domainPath;
+
+ @Column(name = "account_id")
+ private long accountId;
+
+ @Column(name = "account_uuid")
+ private String accountUuid;
+
+ @Column(name = "account_name")
+ private String accountName;
+
+ @Column(name = "account_type")
+ private short accountType;
+
+ @Column(name = "permission_action")
+ private String permissionAction;
+
+ @Column(name = "permission_entity_type")
+ @Enumerated(value = EnumType.STRING)
+ private AclEntityType permissionEntityType;
+
+ @Column(name = "permission_scope_id")
+ private Long permissionScopeId;
+
+ @Column(name = "permission_scope_type")
+ @Enumerated(value = EnumType.STRING)
+ private PermissionScope permissionScope;
+
+ @Column(name = "permission_access_type")
+ @Enumerated(value = EnumType.STRING)
+ private AccessType permissionAccessType;
+
+ @Column(name = "permission_allow_deny")
+ @Enumerated(value = EnumType.STRING)
+ private AclPermission.Permission permissionAllowDeny;
+
+ @Column(name = GenericDao.REMOVED_COLUMN)
+ private Date removed;
+
+ @Column(name = GenericDao.CREATED_COLUMN)
+ private Date created;
+
+ public AclPolicyJoinVO() {
+ }
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+
+ public String getName() {
+ return name;
+ }
+
+ public String getDescription() {
+ return description;
+ }
+
+ @Override
+ public String getUuid() {
+ return uuid;
+ }
+
+ @Override
+ public long getDomainId() {
+ return domainId;
+ }
+
+ @Override
+ public String getDomainUuid() {
+ return domainUuid;
+ }
+
+ @Override
+ public String getDomainName() {
+ return domainName;
+ }
+
+ @Override
+ public String getDomainPath() {
+ return domainPath;
+ }
+
+ @Override
+ public long getAccountId() {
+ return accountId;
+ }
+
+ @Override
+ public String getAccountUuid() {
+ return accountUuid;
+ }
+
+ @Override
+ public String getAccountName() {
+ return accountName;
+ }
+
+ @Override
+ public short getAccountType() {
+ return accountType;
+ }
+
+ @Override
+ public String getProjectUuid() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getProjectName() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public Date getRemoved() {
+ return removed;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+
+
+ public String getPermissionAction() {
+ return permissionAction;
+ }
+
+ public AclEntityType getPermissionEntityType() {
+ return permissionEntityType;
+ }
+
+ public Long getPermissionScopeId() {
+ return permissionScopeId;
+ }
+
+ public PermissionScope getPermissionScope() {
+ return permissionScope;
+ }
+
+ public AccessType getPermissionAccessType() {
+ return permissionAccessType;
+ }
+
+ public AclPermission.Permission getPermissionAllowDeny() {
+ return permissionAllowDeny;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ed03011/setup/db/db/schema-421to430.sql
----------------------------------------------------------------------
diff --git a/setup/db/db/schema-421to430.sql b/setup/db/db/schema-421to430.sql
index b09e729..7d78c9e 100644
--- a/setup/db/db/schema-421to430.sql
+++ b/setup/db/db/schema-421to430.sql
@@ -325,31 +325,6 @@ CREATE TABLE `cloud`.`acl_group_account_map` (
CONSTRAINT `fk_acl_group_vm_map__account_id` FOREIGN KEY(`account_id`) REFERENCES `account` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-CREATE TABLE `cloud`.`acl_role` (
- `id` bigint unsigned NOT NULL UNIQUE auto_increment,
- `name` varchar(255) NOT NULL,
- `description` varchar(255) default NULL,
- `uuid` varchar(40),
- `domain_id` bigint unsigned NOT NULL,
- `removed` datetime COMMENT 'date the role was removed',
- `created` datetime COMMENT 'date the role was created',
- `role_type` varchar(64) DEFAULT 'Static' COMMENT 'Static or Dynamic',
- PRIMARY KEY (`id`),
- INDEX `i_acl_role__removed`(`removed`),
- CONSTRAINT `uc_acl_role__uuid` UNIQUE (`uuid`)
-) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
-
-
-CREATE TABLE `cloud`.`acl_group_role_map` (
- `id` bigint unsigned NOT NULL auto_increment,
- `group_id` bigint unsigned NOT NULL,
- `role_id` bigint unsigned NOT NULL,
- `removed` datetime COMMENT 'date the role was revoked from the group',
- `created` datetime COMMENT 'date the role was granted to the group',
- PRIMARY KEY (`id`),
- CONSTRAINT `fk_acl_group_role_map__group_id` FOREIGN KEY(`group_id`) REFERENCES `acl_group` (`id`) ON DELETE CASCADE,
- CONSTRAINT `fk_acl_group_role_map__role_id` FOREIGN KEY(`role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `acl_policy` (
`id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
@@ -360,10 +335,11 @@ CREATE TABLE `acl_policy` (
`account_id` bigint unsigned NOT NULL,
`removed` datetime DEFAULT NULL COMMENT 'date the role was removed',
`created` datetime DEFAULT NULL COMMENT 'date the role was created',
+ `policy_type` varchar(64) DEFAULT 'Static' COMMENT 'Static or Dynamic',
PRIMARY KEY (`id`),
UNIQUE KEY `id` (`id`),
- UNIQUE KEY `uc_acl_role__uuid` (`uuid`),
- KEY `i_acl_role__removed` (`removed`)
+ UNIQUE KEY `uc_acl_policy__uuid` (`uuid`),
+ KEY `i_acl_policy__removed` (`removed`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
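Review bot: The new `policy_type varchar(64) DEFAULT 'Static' COMMENT 'Static or Dynamic'` column accepts any string, while the Java side reads it through `@Enumerated(EnumType.STRING)` into `AclPolicy.PolicyType`, so a value outside the enum set is rejected on read rather than on write; `ENUM('Static','Dynamic') NOT NULL DEFAULT 'Static'` would enforce the documented domain at the database. The same applies to the `permission varchar(40) NOT NULL COMMENT 'Allow or Deny'` column in the `acl_permission` hunk below. The surviving comments on `removed`/`created` in `acl_policy` still read "date the role was removed/created"; they should say policy now that `acl_role` is dropped.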
CREATE TABLE `acl_group_policy_map` (
@@ -386,7 +362,7 @@ CREATE TABLE `acl_permission` (
`scope_id` bigint(20) unsigned NOT NULL,
`scope` varchar(40) DEFAULT NULL,
`access_type` varchar(40) NOT NULL,
- `permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied',
+ `permission` varchar(40) NOT NULL COMMENT 'Allow or Deny',
`removed` datetime DEFAULT NULL COMMENT 'date the permission was revoked',
`created` datetime DEFAULT NULL COMMENT 'date the permission was granted',
PRIMARY KEY (`id`),
@@ -406,100 +382,55 @@ CREATE TABLE `acl_policy_permission_map` (
CONSTRAINT `fk_acl_policy_permission_map__permission_id` FOREIGN KEY (`permission_id`) REFERENCES `acl_permission` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8;
-INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created, role_type) VALUES (1, 'NORMAL', 'Domain user role', UUID(), 1, Now(), 'Static');
-INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created, role_type) VALUES (2, 'ADMIN', 'Root admin role', UUID(), 1, Now(), 'Static');
-INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created, role_type) VALUES (3, 'DOMAIN_ADMIN', 'Domain admin role', UUID(), 1, Now(), 'Static');
-INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created, role_type) VALUES (4, 'RESOURCE_DOMAIN_ADMIN', 'Resource domain admin role', UUID(), 1, Now(), 'Static');
-INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created, role_type) VALUES (5, 'READ_ONLY_ADMIN', 'Read only admin role', UUID(), 1, Now(), 'Static');
-INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created, role_type) VALUES (6, 'RESOURCE_OWNER', 'Resource owner role', UUID(), 1, Now(), 'Dynamic');
-
-INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (1, 'NORMAL', 'Domain user group', UUID(), 1, Now());
-INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (2, 'ADMIN', 'Root admin group', UUID(), 1, Now());
-INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (3, 'DOMAIN_ADMIN', 'Domain admin group', UUID(), 1, Now());
-INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (4, 'RESOURCE_DOMAIN_ADMIN', 'Resource domain admin group', UUID(), 1, Now());
-INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (5, 'READ_ONLY_ADMIN', 'Read only admin group', UUID(), 1, Now());
+INSERT IGNORE INTO `cloud`.`acl_policy` (id, name, description, uuid, domain_id, account_id, created, policy_type) VALUES (1, 'NORMAL', 'Domain user role', UUID(), 1, 1, Now(), 'Static');
+INSERT IGNORE INTO `cloud`.`acl_policy` (id, name, description, uuid, domain_id, account_id, created, policy_type) VALUES (2, 'ADMIN', 'Root admin role', UUID(), 1, 1, Now(), 'Static');
+INSERT IGNORE INTO `cloud`.`acl_policy` (id, name, description, uuid, domain_id, account_id, created, policy_type) VALUES (3, 'DOMAIN_ADMIN', 'Domain admin role', UUID(), 1, 1, Now(), 'Static');
+INSERT IGNORE INTO `cloud`.`acl_policy` (id, name, description, uuid, domain_id, account_id, created, policy_type) VALUES (4, 'RESOURCE_DOMAIN_ADMIN', 'Resource domain admin role', UUID(), 1, 1, Now(), 'Static');
+INSERT IGNORE INTO `cloud`.`acl_policy` (id, name, description, uuid, domain_id, account_id, created, policy_type) VALUES (5, 'READ_ONLY_ADMIN', 'Read only admin role', UUID(), 1, 1, Now(), 'Static');
+INSERT IGNORE INTO `cloud`.`acl_policy` (id, name, description, uuid, domain_id, account_id, created, policy_type) VALUES (6, 'RESOURCE_OWNER', 'Resource owner role', UUID(), 1, 1, Now(), 'Dynamic');
-CREATE TABLE `cloud`.`acl_api_permission` (
- `id` bigint unsigned NOT NULL UNIQUE auto_increment,
- `role_id` bigint unsigned NOT NULL,
- `api` varchar(255) NOT NULL,
- `removed` datetime COMMENT 'date the permission was revoked',
- `created` datetime COMMENT 'date the permission was granted',
- PRIMARY KEY (`id`),
- CONSTRAINT `fk_acl_api_permission__role_id` FOREIGN KEY(`role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-CREATE TABLE `cloud`.`acl_entity_permission` (
- `id` bigint unsigned NOT NULL UNIQUE auto_increment,
- `group_id` bigint unsigned NOT NULL,
- `entity_type` varchar(100) NOT NULL,
- `entity_id` bigint unsigned NOT NULL,
- `entity_uuid` varchar(40),
- `access_type` varchar(40) NOT NULL,
- `permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied',
- `removed` datetime COMMENT 'date the permission was revoked',
- `created` datetime COMMENT 'date the permission was granted',
- PRIMARY KEY (`id`),
- CONSTRAINT `fk_acl_entity_permission__group_id` FOREIGN KEY(`group_id`) REFERENCES `acl_group` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, account_id, created) VALUES (1, 'NORMAL', 'Domain user group', UUID(), 1, 1, Now());
+INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, account_id, created) VALUES (2, 'ADMIN', 'Root admin group', UUID(), 1, 1, Now());
+INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, account_id, created) VALUES (3, 'DOMAIN_ADMIN', 'Domain admin group', UUID(), 1, 1, Now());
+INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, account_id, created) VALUES (4, 'RESOURCE_DOMAIN_ADMIN', 'Resource domain admin group', UUID(), 1, 1, Now());
+INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, account_id, created) VALUES (5, 'READ_ONLY_ADMIN', 'Read only admin group', UUID(), 1, 1, Now());
-CREATE TABLE `cloud`.`acl_role_permission` (
- `id` bigint unsigned NOT NULL UNIQUE auto_increment,
- `role_id` bigint unsigned NOT NULL,
- `entity_type` varchar(100) NOT NULL,
- `access_type` varchar(40) NOT NULL,
- `scope` varchar(100) NOT NULL,
- `permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied',
- PRIMARY KEY (`id`),
- CONSTRAINT `fk_acl_role_permission___role_id` FOREIGN KEY(`role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'CreateEntry', 'ACCOUNT', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ListEntry', 'ACCOUNT', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ModifyEntry', 'ACCOUNT', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'DeleteEntry', 'ACCOUNT', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'OperateEntry', 'ACCOUNT', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'CreateEntry', 'DOMAIN', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ListEntry', 'DOMAIN', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ModifyEntry', 'DOMAIN', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'DeleteEntry', 'DOMAIN', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'OperateEntry', 'DOMAIN', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (2, '*', 'CreateEntry', 'REGION', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (2, '*', 'ListEntry', 'REGION', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (2, '*', 'ModifyEntry', 'REGION', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (2, '*', 'DeleteEntry', 'REGION', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (2, '*', 'OperateEntry', 'REGION', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'CreateEntry', 'ACCOUNT', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ListEntry', 'ACCOUNT', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ModifyEntry', 'ACCOUNT', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'DeleteEntry', 'ACCOUNT', 1);
-INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'OperateEntry', 'ACCOUNT', 1);
-
-DROP VIEW IF EXISTS `cloud`.`acl_role_view`;
-CREATE VIEW `cloud`.`acl_role_view` AS
+CREATE OR REPLACE VIEW `cloud`.`acl_policy_view` AS
select
- acl_role.id id,
- acl_role.uuid uuid,
- acl_role.name name,
- acl_role.description description,
- acl_role.removed removed,
- acl_role.created created,
+ acl_policy.id id,
+ acl_policy.uuid uuid,
+ acl_policy.name name,
+ acl_policy.description description,
+ acl_policy.removed removed,
+ acl_policy.created created,
domain.id domain_id,
domain.uuid domain_uuid,
domain.name domain_name,
domain.path domain_path,
- acl_api_permission.api api_name
+ account.id account_id,
+ account.uuid account_uuid,
+ account.account_name account_name,
+ account.type account_type,
+ acl_permission.action permission_action,
+ acl_permission.resource_type permission_entity_type,
+ acl_permission.scope permission_scope,
+ acl_permission.scope_id permission_scope_id,
+ acl_permission.access_type permission_access_type,
+ acl_permission.permission permission_allow_deny
from
- `cloud`.`acl_role`
+ `cloud`.`acl_policy`
inner join
- `cloud`.`domain` ON acl_role.domain_id = domain.id
+ `cloud`.`domain` ON acl_policy.domain_id = domain.id
+ inner join
+ `cloud`.`account` ON acl_policy.account_id = account.id
left join
- `cloud`.`acl_api_permission` ON acl_role.id = acl_api_permission.role_id;
-
-
-DROP VIEW IF EXISTS `cloud`.`acl_group_view`;
-CREATE VIEW `cloud`.`acl_group_view` AS
+ `cloud`.`acl_policy_permission_map` ON acl_policy.id = acl_policy_permission_map.policy_id
+ left join
+ `cloud`.`acl_permission` ON acl_permission.id = acl_policy_permission_map.permission_id;
+
+
+CREATE OR REPLACE VIEW `cloud`.`acl_group_view` AS
select
acl_group.id id,
acl_group.uuid uuid,
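Review bot: `acl_policy_view` left-joins `acl_permission` but neither filters on nor exposes `acl_permission.removed` (the column exists per the earlier hunk), while it does expose `acl_policy.removed`; a consumer of this view can therefore filter out removed policies but cannot distinguish a revoked permission from an active one, and any policy listing built on it will show revoked permissions as still attached. Either restrict the join, `` `cloud`.`acl_permission` ON acl_permission.id = acl_policy_permission_map.permission_id AND acl_permission.removed IS NULL; ``, or add `acl_permission.removed permission_removed` to the select list so the DAO can filter. Whether `acl_policy_permission_map` also carries a `removed` column is not visible here (its definition starts before this hunk), so the same check may be needed on that join. Note also that this hunk deletes the old seed grants for the built-in roles without inserting equivalent `acl_permission`/`acl_policy_permission_map` rows, so the six seeded policies start with no permissions; if that is meant to be populated elsewhere (e.g. the upgrade class), a comment saying so above the `acl_policy` inserts would help the next reader.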
@@ -511,30 +442,34 @@ CREATE VIEW `cloud`.`acl_group_view` AS
domain.uuid domain_uuid,
domain.name domain_name,
domain.path domain_path,
- acl_role.id role_id,
- acl_role.uuid role_uuid,
- acl_role.name role_name,
account.id account_id,
account.uuid account_uuid,
- account.account_name account_name,
- acl_entity_permission.entity_id entity_id,
- acl_entity_permission.entity_uuid entity_uuid,
- acl_entity_permission.entity_type entity_type,
- acl_entity_permission.access_type access_type
+ account.account_name account_name,
+ account.type account_type,
+ member_account.id member_account_id,
+ member_account.uuid member_account_uuid,
+ member_account.account_name member_account_name,
+ acl_policy.id policy_id,
+ acl_policy.uuid policy_uuid,
+ acl_policy.name policy_name
from
`cloud`.`acl_group`
inner join
`cloud`.`domain` ON acl_group.domain_id = domain.id
+ inner join
+ `cloud`.`account` ON acl_group.account_id = account.id
left join
- `cloud`.`acl_group_role_map` on acl_group.id = acl_group_role_map.group_id
+ `cloud`.`acl_group_policy_map` ON acl_group.id = acl_group_policy_map.group_id
left join
- `cloud`.`acl_role` on acl_group_role_map.role_id = acl_role.id
+ `cloud`.`acl_policy` ON acl_group_policy_map.policy_id = acl_policy.id
left join
- `cloud`.`acl_group_account_map` ON acl_group.id = acl_group_account_map.group_id
+ `cloud`.`acl_policy_permission_map` ON acl_group.id = acl_policy_permission_map.policy_id
left join
- `cloud`.`account` ON acl_group_account_map.account_id = account.id
+ `cloud`.`acl_group_account_map` ON acl_group.id = acl_group_account_map.group_id
left join
- `cloud`.`acl_entity_permission` ON acl_group.id = acl_entity_permission.group_id;
+ `cloud`.`account` member_account ON acl_group_account_map.account_id = member_account.id;
+
+
DROP VIEW IF EXISTS `cloud`.`volume_view`;
CREATE VIEW `cloud`.`volume_view` AS
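Review bot: In `acl_group_view` the join `` `cloud`.`acl_policy_permission_map` ON acl_group.id = acl_policy_permission_map.policy_id `` compares a group id with a policy id, and nothing from that table (or from `acl_permission`) appears in the select list, so the join contributes no columns; its only effect is that whenever a group's numeric id happens to equal a `policy_id` present in the map, the group's rows are multiplied once per matching permission mapping, producing duplicate group rows in whatever the join DAO builds from this view. The policy view joins the same table on `acl_policy.id`, which is presumably what was intended, but since no permission columns are selected here the simplest fix is to delete the two lines `left join` / `` `cloud`.`acl_policy_permission_map` ON acl_group.id = acl_policy_permission_map.policy_id `` altogether. The `acl_group_policy_map` and `acl_group_account_map` joins carry no `removed IS NULL` condition; the old `acl_group_role_map` had a `removed` column, so if the new map tables keep one (their definitions are not visible in this hunk) revoked memberships and policy assignments would still surface through the view.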