Posted to commits@cloudstack.apache.org by pr...@apache.org on 2013/10/10 09:49:39 UTC
[4/6] git commit: updated refs/heads/rbac to 5c7db71
Tested ACL for StartVmCmd using the new RoleBasedEntityAccessChecker
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/ec4fa61a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/ec4fa61a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/ec4fa61a
Branch: refs/heads/rbac
Commit: ec4fa61ae30cccac3f4bc3cff9cb3b31ab1818ea
Parents: 7d1ba65
Author: Prachi Damle <pr...@cloud.com>
Authored: Thu Oct 10 00:39:31 2013 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu Oct 10 00:46:06 2013 -0700
----------------------------------------------------------------------
.../cloudstack/acl/AclRolePermission.java | 2 ++
.../api/command/user/vm/StartVMCmd.java | 3 ++
client/pom.xml | 5 +++
client/tomcatconf/applicationContext.xml.in | 1 +
client/tomcatconf/componentContext.xml.in | 1 +
client/tomcatconf/nonossComponentContext.xml.in | 1 +
.../tomcatconf/simulatorComponentContext.xml.in | 1 +
.../cloudstack/acl/AclRolePermissionVO.java | 9 +++++
.../entity/RoleBasedEntityAccessChecker.java | 35 +++++++++++++++++---
9 files changed, 53 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/api/src/org/apache/cloudstack/acl/AclRolePermission.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/AclRolePermission.java b/api/src/org/apache/cloudstack/acl/AclRolePermission.java
index 69259e2..0c0c0de 100644
--- a/api/src/org/apache/cloudstack/acl/AclRolePermission.java
+++ b/api/src/org/apache/cloudstack/acl/AclRolePermission.java
@@ -30,4 +30,6 @@ public interface AclRolePermission extends InternalIdentity {
PermissionScope getScope();
boolean isAllowed();
+
+ PermissionScope getScope();
}
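Review bot: As rendered, the added `PermissionScope getScope();` duplicates the context line directly above it, which already declares the same method; if that line really is in the pre-image, javac rejects the second declaration as a duplicate method, so the interface should be checked before merging (this mail rendering drops leading whitespace, so the context line may have been altered in transit). The new method also lacks Javadoc; something like `/** The {@link PermissionScope} within which this role permission applies. */` would tell implementors what to return.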
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
index 8441ac6..e971ff2 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
@@ -16,6 +16,8 @@
// under the License.
package org.apache.cloudstack.api.command.user.vm;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -50,6 +52,7 @@ public class StartVMCmd extends BaseAsyncCmd {
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType=UserVmResponse.class,
required = true, description = "The ID of the virtual machine")
private Long id;
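Review bot: `@ACL(accessType = AccessType.OperateEntry)` on `id` only has effect if the dispatcher resolves the annotation for UUID parameters before `execute()` runs, and nothing in this diff shows that path; the commit title says the ACL was tested, but the diffstat lists no test class, so a unit test that drives StartVMCmd through the new checker with a caller outside the VM's account would pin the behaviour. The StartVMCmd class body continues outside this hunk.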
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/pom.xml
----------------------------------------------------------------------
diff --git a/client/pom.xml b/client/pom.xml
index f441601..99a3c3e 100644
--- a/client/pom.xml
+++ b/client/pom.xml
@@ -36,6 +36,11 @@
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloud-plugin-acl-role-based-access-checkers</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-plugin-dedicated-resources</artifactId>
<version>${project.version}</version>
</dependency>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/tomcatconf/applicationContext.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/applicationContext.xml.in b/client/tomcatconf/applicationContext.xml.in
index 1095e0a..da242b3 100644
--- a/client/tomcatconf/applicationContext.xml.in
+++ b/client/tomcatconf/applicationContext.xml.in
@@ -389,6 +389,7 @@
<bean id="databaseIntegrityChecker" class="com.cloud.upgrade.DatabaseIntegrityChecker" />
<bean id="domainChecker" class="com.cloud.acl.DomainChecker" />
<bean id="affinityGroupAccessChecker" class="com.cloud.acl.AffinityGroupAccessChecker" />
+ <bean id="roleBasedEntityAccessChecker" class="org.apache.cloudstack.acl.entity.RoleBasedEntityAccessChecker" />
<!--
Authenticators
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/tomcatconf/componentContext.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/componentContext.xml.in b/client/tomcatconf/componentContext.xml.in
index 315c95b..28b8d92 100644
--- a/client/tomcatconf/componentContext.xml.in
+++ b/client/tomcatconf/componentContext.xml.in
@@ -146,6 +146,7 @@
<bean id="securityCheckers" class="com.cloud.utils.component.AdapterList">
<property name="Adapters">
<list>
+ <ref bean="roleBasedEntityAccessChecker"/>
<ref bean="affinityGroupAccessChecker"/>
<ref bean="domainChecker"/>
</list>
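Review bot: `roleBasedEntityAccessChecker` is inserted ahead of `affinityGroupAccessChecker` and `domainChecker`, which changes checker precedence for every entity check; whether an earlier result short-circuits the later checkers depends on how `securityCheckers` is iterated, which this diff does not show, so the intended ordering should be recorded next to the ref, e.g. `<!-- order matters: the role-based ACL checker is consulted before the affinity-group and domain checkers -->`. The same insert appears in nonossComponentContext.xml.in and simulatorComponentContext.xml.in and the note applies there too.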
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/tomcatconf/nonossComponentContext.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/nonossComponentContext.xml.in b/client/tomcatconf/nonossComponentContext.xml.in
index 0502bbc..187b63d 100644
--- a/client/tomcatconf/nonossComponentContext.xml.in
+++ b/client/tomcatconf/nonossComponentContext.xml.in
@@ -243,6 +243,7 @@
<bean id="securityCheckers" class="com.cloud.utils.component.AdapterList">
<property name="Adapters">
<list>
+ <ref bean="roleBasedEntityAccessChecker"/>
<ref bean="affinityGroupAccessChecker"/>
<ref bean="domainChecker"/>
</list>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/tomcatconf/simulatorComponentContext.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/simulatorComponentContext.xml.in b/client/tomcatconf/simulatorComponentContext.xml.in
index 82ff433..ef480b0 100644
--- a/client/tomcatconf/simulatorComponentContext.xml.in
+++ b/client/tomcatconf/simulatorComponentContext.xml.in
@@ -93,6 +93,7 @@
<bean id="securityCheckers" class="com.cloud.utils.component.AdapterList">
<property name="Adapters">
<list>
+ <ref bean="roleBasedEntityAccessChecker"/>
<ref bean="affinityGroupAccessChecker"/>
<ref bean="domainChecker"/>
</list>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java
index b0fb230..bb993d0 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java
@@ -53,6 +53,7 @@ public class AclRolePermissionVO implements AclRolePermission {
@Column(name = "permission")
private boolean allowed;
+
public AclRolePermissionVO() {
}
@@ -114,4 +115,12 @@ public class AclRolePermissionVO implements AclRolePermission {
this.allowed = allowed;
}
+ @Override
+ public PermissionScope getScope() {
+ return scope;
+ }
+
+ public void setScope(PermissionScope scope) {
+ this.scope = scope;
+ }
}
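Review bot: `getScope()` returns a `scope` field that this diff does not add, so the field and its `@Column` mapping must already exist in AclRolePermissionVO — worth confirming, since the diffstat's 9 insertions are fully accounted for by the visible hunks. The new accessor pair has no documentation; `/** Scope within which this permission row applies; see {@link PermissionScope}. */` on the getter would match the intent of the checker that consumes it.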
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index 6031d92..5a0abf5 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -28,6 +28,7 @@ import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.acl.AclRolePermissionVO;
import org.apache.cloudstack.acl.AclService;
import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclEntityPermissionDao;
@@ -39,6 +40,7 @@ import org.apache.log4j.Logger;
import com.cloud.acl.DomainChecker;
import com.cloud.api.ApiDispatcher;
+import com.cloud.domain.dao.DomainDao;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.template.VirtualMachineTemplate;
import com.cloud.user.Account;
@@ -53,6 +55,8 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
AccountService _accountService;
@Inject
AclService _aclService;
+
+ @Inject DomainDao _domainDao;
@Inject
AclGroupAccountMapDao _aclGroupAccountMapDao;
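Review bot: `@Inject DomainDao _domainDao;` puts the annotation and the field on one line, while every neighbouring injected field places `@Inject` on its own line; for consistency write it as `@Inject` on one line and `DomainDao _domainDao;` on the next, and drop the extra blank line above it.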
@@ -70,6 +74,10 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
String entityType = AclEntityType.VM.toString();
+ if (accessType == null) {
+ accessType = AccessType.ListEntry;
+ }
+
// check if explicit allow/deny is present for this entity in
// acl_entity_permission
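Review bot: Defaulting a null `accessType` to `AccessType.ListEntry` silently substitutes a specific permission level for callers that pass none, and the choice is not explained; a comment such as `// no access type supplied: evaluate as a ListEntry check rather than rejecting the call` would record the intent so a later reader does not assume it is an oversight. The enclosing method starts and ends outside this hunk.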
@@ -105,11 +113,13 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
List<AclRolePermissionVO> permissions = _rolePermissionDao.listByRoleAndEntity(role.getId(),
entityType, accessType);
for (AclRolePermissionVO permission : permissions) {
- if (permission.getEntityType().equals(entityType)) {
- rolePermissionMap.put(role, permission.isAllowed());
- break;
- } else if (permission.getEntityType().equals("*")) {
- rolePermissionMap.put(role, permission.isAllowed());
+ if (checkPermissionScope(caller, permission.getScope(), entity)) {
+ if (permission.getEntityType().equals(entityType)) {
+ rolePermissionMap.put(role, permission.isAllowed());
+ break;
+ } else if (permission.getEntityType().equals("*")) {
+ rolePermissionMap.put(role, permission.isAllowed());
+ }
}
}
if (rolePermissionMap.containsKey(role) && rolePermissionMap.get(role)) {
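Review bot: `checkPermissionScope(caller, permission.getScope(), entity)` passes the scope straight through, and the helper added in the last hunk of this file dereferences it with `scope.equals(...)`, so a role-permission row with no scope throws a NullPointerException out of the check instead of being treated as not applicable. A guard at the top of checkPermissionScope, `if (scope == null) { return false; }`, keeps the fail-closed behaviour that method already has for unrecognised scopes. The loop belongs to a method that starts and ends outside this hunk.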
@@ -129,4 +139,19 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
return false;
}
+
+ private boolean checkPermissionScope(Account caller, PermissionScope scope, ControlledEntity entity) {
+
+ if(scope.equals(PermissionScope.ACCOUNT)){
+ if(caller.getAccountId() == entity.getAccountId()){
+ return true;
+ }
+ }else if(scope.equals(PermissionScope.DOMAIN)){
+ if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
+ return true;
+ }
+ }
+
+ return false;
+ }
}
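Review bot: `caller.getAccountId() == entity.getAccountId()` is only correct if both getters return primitive `long`; if either returns a boxed `Long`, `==` compares references and equal ids can fail the check, in which case the comparison should become `Objects.equals(caller.getAccountId(), entity.getAccountId())`. The method returns false for any scope other than ACCOUNT and DOMAIN, which is a sensible fail-closed choice but deserves a comment, e.g. `// any other scope is not matched here and therefore never grants access`. A one-line header stating that the method decides only whether a permission row applies to this caller/entity pair, not whether access is allowed, would also help the next reader.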