You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by pr...@apache.org on 2014/03/05 03:15:11 UTC
git commit: updated refs/heads/rbac to 695d689
Repository: cloudstack
Updated Branches:
refs/heads/rbac 690c5d4d2 -> 695d689de
Adding annotations for more admin APIs
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/695d689d
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/695d689d
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/695d689d
Branch: refs/heads/rbac
Commit: 695d689de5e3caeaf047dcfc39dffb71daae9a82
Parents: 690c5d4
Author: Prachi Damle <pr...@cloud.com>
Authored: Tue Mar 4 18:14:05 2014 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Tue Mar 4 18:14:05 2014 -0800
----------------------------------------------------------------------
.../api/command/admin/account/CreateAccountCmd.java | 3 ++-
.../api/command/admin/account/DeleteAccountCmd.java | 7 +++++--
.../command/admin/account/DisableAccountCmd.java | 6 +++++-
.../api/command/admin/account/EnableAccountCmd.java | 6 +++++-
.../api/command/admin/account/LockAccountCmd.java | 3 ++-
.../api/command/admin/account/UpdateAccountCmd.java | 7 +++++--
.../admin/internallb/ListInternalLBVMsCmd.java | 3 ++-
.../admin/internallb/StartInternalLBVMCmd.java | 7 +++++--
.../admin/internallb/StopInternalLBVMCmd.java | 7 +++++--
server/src/com/cloud/user/AccountManagerImpl.java | 16 ++++++++--------
10 files changed, 44 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java
index 6a76644..a2399cf 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java
@@ -21,6 +21,7 @@ import java.util.Map;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.IAMEntityType;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@@ -35,7 +36,7 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.user.Account;
import com.cloud.user.UserAccount;
-@APICommand(name = "createAccount", description = "Creates an account", responseObject = AccountResponse.class)
+@APICommand(name = "createAccount", description = "Creates an account", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account })
public class CreateAccountCmd extends BaseCmd {
public static final Logger s_logger = Logger.getLogger(CreateAccountCmd.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/api/src/org/apache/cloudstack/api/command/admin/account/DeleteAccountCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/DeleteAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/DeleteAccountCmd.java
index 7c1b206..f1547a4 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/account/DeleteAccountCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/account/DeleteAccountCmd.java
@@ -20,6 +20,9 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.IAMEntityType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -36,7 +39,7 @@ import com.cloud.event.EventTypes;
import com.cloud.user.Account;
import com.cloud.user.User;
-@APICommand(name = "deleteAccount", description = "Deletes a account, and all users associated with this account", responseObject = SuccessResponse.class)
+@APICommand(name = "deleteAccount", description = "Deletes a account, and all users associated with this account", responseObject = SuccessResponse.class, entityType = { IAMEntityType.Account })
public class DeleteAccountCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteAccountCmd.class.getName());
private static final String s_name = "deleteaccountresponse";
@@ -44,7 +47,7 @@ public class DeleteAccountCmd extends BaseAsyncCmd {
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
-
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AccountResponse.class, required = true, description = "Account id")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/api/src/org/apache/cloudstack/api/command/admin/account/DisableAccountCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/DisableAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/DisableAccountCmd.java
index bc6bfa5..028481c 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/account/DisableAccountCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/account/DisableAccountCmd.java
@@ -20,6 +20,9 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.IAMEntityType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -38,7 +41,7 @@ import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
-@APICommand(name = "disableAccount", description = "Disables an account", responseObject = AccountResponse.class)
+@APICommand(name = "disableAccount", description = "Disables an account", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account })
public class DisableAccountCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DisableAccountCmd.class.getName());
private static final String s_name = "disableaccountresponse";
@@ -46,6 +49,7 @@ public class DisableAccountCmd extends BaseAsyncCmd {
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "Account id")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/api/src/org/apache/cloudstack/api/command/admin/account/EnableAccountCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/EnableAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/EnableAccountCmd.java
index 8f97d23..9e38d3a 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/account/EnableAccountCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/account/EnableAccountCmd.java
@@ -20,6 +20,9 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.IAMEntityType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@@ -33,7 +36,7 @@ import org.apache.cloudstack.region.RegionService;
import com.cloud.user.Account;
-@APICommand(name = "enableAccount", description = "Enables an account", responseObject = AccountResponse.class)
+@APICommand(name = "enableAccount", description = "Enables an account", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account })
public class EnableAccountCmd extends BaseCmd {
public static final Logger s_logger = Logger.getLogger(EnableAccountCmd.class.getName());
private static final String s_name = "enableaccountresponse";
@@ -41,6 +44,7 @@ public class EnableAccountCmd extends BaseCmd {
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "Account id")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/api/src/org/apache/cloudstack/api/command/admin/account/LockAccountCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/LockAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/LockAccountCmd.java
index 93ec1be..ddc1628 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/account/LockAccountCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/account/LockAccountCmd.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.admin.account;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.IAMEntityType;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseCmd;
@@ -27,7 +28,7 @@ import org.apache.cloudstack.api.response.DomainResponse;
import com.cloud.user.Account;
-@APICommand(name = "lockAccount", description = "Locks an account", responseObject = AccountResponse.class)
+@APICommand(name = "lockAccount", description = "Locks an account", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account })
public class LockAccountCmd extends BaseCmd {
public static final Logger s_logger = Logger.getLogger(LockAccountCmd.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/api/src/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java
index f5038d5..d423848 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java
@@ -23,6 +23,9 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.IAMEntityType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@@ -36,7 +39,7 @@ import org.apache.cloudstack.region.RegionService;
import com.cloud.user.Account;
-@APICommand(name = "updateAccount", description = "Updates account information for the authenticated user", responseObject = AccountResponse.class)
+@APICommand(name = "updateAccount", description = "Updates account information for the authenticated user", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account })
public class UpdateAccountCmd extends BaseCmd {
public static final Logger s_logger = Logger.getLogger(UpdateAccountCmd.class.getName());
private static final String s_name = "updateaccountresponse";
@@ -44,7 +47,7 @@ public class UpdateAccountCmd extends BaseCmd {
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
-
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "Account id")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/api/src/org/apache/cloudstack/api/command/admin/internallb/ListInternalLBVMsCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/internallb/ListInternalLBVMsCmd.java b/api/src/org/apache/cloudstack/api/command/admin/internallb/ListInternalLBVMsCmd.java
index 0e01be1..1cec188 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/internallb/ListInternalLBVMsCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/internallb/ListInternalLBVMsCmd.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.admin.internallb;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.IAMEntityType;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -34,7 +35,7 @@ import org.apache.cloudstack.api.response.ZoneResponse;
import com.cloud.network.router.VirtualRouter.Role;
-@APICommand(name = "listInternalLoadBalancerVMs", description = "List internal LB VMs.", responseObject = DomainRouterResponse.class)
+@APICommand(name = "listInternalLoadBalancerVMs", description = "List internal LB VMs.", responseObject = DomainRouterResponse.class, entityType = { IAMEntityType.VirtualMachine })
public class ListInternalLBVMsCmd extends BaseListProjectAndAccountResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListInternalLBVMsCmd.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/api/src/org/apache/cloudstack/api/command/admin/internallb/StartInternalLBVMCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/internallb/StartInternalLBVMCmd.java b/api/src/org/apache/cloudstack/api/command/admin/internallb/StartInternalLBVMCmd.java
index 56dcb4f..b747c30 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/internallb/StartInternalLBVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/internallb/StartInternalLBVMCmd.java
@@ -18,6 +18,9 @@ package org.apache.cloudstack.api.command.admin.internallb;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.IAMEntityType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -36,7 +39,7 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.router.VirtualRouter;
import com.cloud.network.router.VirtualRouter.Role;
-@APICommand(name = "startInternalLoadBalancerVM", responseObject = DomainRouterResponse.class, description = "Starts an existing internal lb vm.")
+@APICommand(name = "startInternalLoadBalancerVM", responseObject = DomainRouterResponse.class, description = "Starts an existing internal lb vm.", entityType = { IAMEntityType.VirtualMachine })
public class StartInternalLBVMCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(StartInternalLBVMCmd.class.getName());
private static final String s_name = "startinternallbvmresponse";
@@ -44,7 +47,7 @@ public class StartInternalLBVMCmd extends BaseAsyncCmd {
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
-
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = DomainRouterResponse.class, required = true, description = "the ID of the internal lb vm")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/api/src/org/apache/cloudstack/api/command/admin/internallb/StopInternalLBVMCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/internallb/StopInternalLBVMCmd.java b/api/src/org/apache/cloudstack/api/command/admin/internallb/StopInternalLBVMCmd.java
index 9da4db0..f8a8b7b 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/internallb/StopInternalLBVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/internallb/StopInternalLBVMCmd.java
@@ -18,6 +18,9 @@ package org.apache.cloudstack.api.command.admin.internallb;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.IAMEntityType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -35,7 +38,7 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.router.VirtualRouter;
import com.cloud.network.router.VirtualRouter.Role;
-@APICommand(name = "stopInternalLoadBalancerVM", description = "Stops an Internal LB vm.", responseObject = DomainRouterResponse.class)
+@APICommand(name = "stopInternalLoadBalancerVM", description = "Stops an Internal LB vm.", responseObject = DomainRouterResponse.class, entityType = { IAMEntityType.VirtualMachine })
public class StopInternalLBVMCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(StopInternalLBVMCmd.class.getName());
private static final String s_name = "stopinternallbvmresponse";
@@ -43,7 +46,7 @@ public class StopInternalLBVMCmd extends BaseAsyncCmd {
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
-
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = DomainRouterResponse.class, required = true, description = "the ID of the internal lb vm")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/695d689d/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 8f4d3ab..d5e4afc 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -1106,7 +1106,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed");
}
- checkAccess(CallContext.current().getCallingAccount(), null, true, account);
+ checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
if (firstName != null) {
if (firstName.isEmpty()) {
@@ -1220,7 +1220,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("User id : " + userId + " is a system user, disabling is not allowed");
}
- checkAccess(caller, null, true, account);
+ checkAccess(caller, AccessType.OperateEntry, true, account);
boolean success = doSetUserStatus(userId, State.disabled);
if (success) {
@@ -1258,7 +1258,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("User id : " + userId + " is a system user, enabling is not allowed");
}
- checkAccess(caller, null, true, account);
+ checkAccess(caller, AccessType.OperateEntry, true, account);
boolean success = Transaction.execute(new TransactionCallback<Boolean>() {
@Override
@@ -1307,7 +1307,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("user id : " + userId + " is a system user, locking is not allowed");
}
- checkAccess(caller, null, true, account);
+ checkAccess(caller, AccessType.OperateEntry, true, account);
// make sure the account is enabled too
// if the user is either locked already or disabled already, don't change state...only lock currently enabled
@@ -1416,7 +1416,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// Check if user performing the action is allowed to modify this account
Account caller = CallContext.current().getCallingAccount();
- checkAccess(caller, null, true, account);
+ checkAccess(caller, AccessType.OperateEntry, true, account);
boolean success = enableAccount(account.getId());
if (success) {
@@ -1450,7 +1450,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("Account id : " + accountId + " is a system account, lock is not allowed");
}
- checkAccess(caller, null, true, account);
+ checkAccess(caller, AccessType.OperateEntry, true, account);
if (lockAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@@ -1480,7 +1480,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("Account id : " + accountId + " is a system account, disable is not allowed");
}
- checkAccess(caller, null, true, account);
+ checkAccess(caller, AccessType.OperateEntry, true, account);
if (disableAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@@ -1599,7 +1599,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("The user is default and can't be removed");
}
- checkAccess(CallContext.current().getCallingAccount(), null, true, account);
+ checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
CallContext.current().putContextParameter(User.class, user.getUuid());
return _userDao.remove(id);
}