Posted to commits@cloudstack.apache.org by pr...@apache.org on 2014/02/04 02:50:05 UTC
[1/2] git commit: updated refs/heads/rbac to a6d07c8
Updated Branches:
refs/heads/rbac 09eed3705 -> a6d07c873
Changes to support domain-wide resources for Network
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/939b1516
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/939b1516
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/939b1516
Branch: refs/heads/rbac
Commit: 939b15169c512c2149d412204930c89976db2ba5
Parents: 09eed37
Author: Prachi Damle <pr...@cloud.com>
Authored: Mon Feb 3 17:34:03 2014 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Mon Feb 3 17:34:03 2014 -0800
----------------------------------------------------------------------
.../orchestration/NetworkOrchestrator.java | 4 ++
server/src/com/cloud/user/DomainManager.java | 1 +
.../acl/RoleBasedEntityAccessChecker.java | 10 +++
.../cloudstack/acl/api/AclApiServiceImpl.java | 15 +++++
.../apache/cloudstack/iam/api/IAMService.java | 4 ++
.../cloudstack/iam/server/IAMServiceImpl.java | 65 ++++++++++++++++++++
6 files changed, 99 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/939b1516/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
----------------------------------------------------------------------
diff --git a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index 8857c00..de22e9d 100755
--- a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -2196,6 +2196,10 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
NetworkAccountVO networkAccount = _networkAccountDao.getAccountNetworkMapByNetworkId(networkFinal.getId());
if (networkAccount != null)
_networkAccountDao.remove(networkAccount.getId());
+
+ // remove its related ACL permission
+ Pair<AclEntityType, Long> networkMsg = new Pair<AclEntityType, Long>(AclEntityType.Network, networkFinal.getId());
+ _messageBus.publish(_name, EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, PublishScope.LOCAL, networkMsg);
}
NetworkOffering ntwkOff = _entityMgr.findById(NetworkOffering.class, networkFinal.getNetworkOfferingId());
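Review bot: The ACL cleanup on the line `_messageBus.publish(_name, EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, PublishScope.LOCAL, networkMsg);` fires before the surrounding network removal has finished, since the NetworkOffering lookup that follows it is still part of the same method; if a later step fails, the network's ACL permissions are already gone while the network itself remains. If the enclosing method runs inside a transaction that can roll back, the message should be published after it commits, or the subscriber that consumes it should tolerate an entity that still exists. The enclosing method starts and ends outside this hunk, so where the removal actually completes cannot be seen here.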
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/939b1516/server/src/com/cloud/user/DomainManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/DomainManager.java b/server/src/com/cloud/user/DomainManager.java
index 27c837d..592ab81 100644
--- a/server/src/com/cloud/user/DomainManager.java
+++ b/server/src/com/cloud/user/DomainManager.java
@@ -49,5 +49,6 @@ public interface DomainManager extends DomainService {
Domain updateDomain(UpdateDomainCmd cmd);
public static final String MESSAGE_ADD_DOMAIN_EVENT = "Message.AddDomain.Event";
+ public static final String MESSAGE_REMOVE_DOMAIN_EVENT = "Message.RemoveDomain.Event";
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/939b1516/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
index acbf8d3..1b915d5a 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@@ -25,6 +25,7 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.InternalIdentity;
+import org.apache.cloudstack.iam.api.AclGroup;
import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.api.AclPolicyPermission;
import org.apache.cloudstack.iam.api.IAMService;
@@ -168,6 +169,15 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
policies.add(_iamSrv.getResourceOwnerPolicy());
}
+ List<AclGroup> groups = _iamSrv.listAclGroups(caller.getId());
+ for (AclGroup group : groups) {
+ // for each group find the grand parent groups.
+ List<AclGroup> parentGroups = _iamSrv.listParentAclGroupsOnPath(group.getPath());
+ for (AclGroup parentGroup : parentGroups) {
+ policies.addAll(_iamSrv.listRecursiveAclPoliciesByGroup(parentGroup.getId()));
+ }
+ }
+
return policies;
}
}
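Review bot: `policies.addAll(_iamSrv.listRecursiveAclPoliciesByGroup(parentGroup.getId()));` adds the same policy once per path by which it is reached, so a caller in two groups under a common ancestor gets duplicate entries in `policies`, and every permission lookup done on that list afterwards is repeated per duplicate. Collect ancestor ids into a set first, or skip policies whose id is already present, before returning. Because this list decides what the caller may access, the rule being implemented should also be stated where the loop begins: `// policies of ancestor groups apply here only through permissions flagged recursive (see listRecursiveAclPoliciesByGroup)`. The enclosing method starts outside this hunk.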
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/939b1516/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
index 892a7bb..9b8e57f 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -159,6 +159,21 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
}
});
+ _messageBus.subscribe(DomainManager.MESSAGE_REMOVE_DOMAIN_EVENT, new MessageSubscriber() {
+ @Override
+ public void onPublishMessage(String senderAddress, String subject, Object obj) {
+ Long domainId = ((Long) obj);
+ if (domainId != null) {
+ s_logger.debug("MessageBus message: Domain removed: " + domainId + ", removing the domain group");
+ Domain domain = _domainDao.findById(domainId);
+ List<AclGroup> groups = listDomainGroup(domain);
+ for (AclGroup group : groups) {
+ _iamSrv.deleteAclGroup(group.getId());
+ }
+ }
+ }
+ });
+
_messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
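Review bot: `Domain domain = _domainDao.findById(domainId);` runs after the domain has been removed, so `domain` can be null here and `listDomainGroup(domain)` would then fail with a NullPointerException inside the message-bus callback; whether findById still returns a soft-deleted row cannot be seen from this hunk. Guard it before the listing: `if (domain == null) { s_logger.warn("Domain " + domainId + " not found, cannot remove its acl groups"); return; }`. The unchecked `(Long) obj` cast has the same failure mode on an unexpected payload and only protects against null, not against a different type. The enclosing method continues outside this hunk.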
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/939b1516/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 694abd5..2679aaa 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -85,4 +85,8 @@ public interface IAMService {
List<AclPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
String entityType);
+ List<AclGroup> listParentAclGroupsOnPath(String path);
+
+ List<AclPolicy> listRecursiveAclPoliciesByGroup(long groupId);
+
}
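Review bot: The two new interface methods `listParentAclGroupsOnPath` and `listRecursiveAclPoliciesByGroup` carry no Javadoc, and both are consumed by authorization code, so their contract needs to be written down. On the first, state that `path` is a group's own path and that the result is the groups found at every strict ancestor prefix of it, excluding the group itself; on the second, state that only the given group's policies that hold at least one permission with `isRecursive` set are returned, and what an unknown group id yields. The same applies after the rename to `listParentAclGroups(long groupId)` in the second commit's IAMService hunk.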
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/939b1516/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 1dbfaef..d6cf8cdb 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -45,6 +45,7 @@ import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.Filter;
import com.cloud.utils.db.GenericSearchBuilder;
+import com.cloud.utils.db.JoinBuilder;
import com.cloud.utils.db.JoinBuilder.JoinType;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@@ -255,6 +256,33 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
return new Pair<List<AclGroup>, Integer>(new ArrayList<AclGroup>(groups.first()), groups.second());
}
+ @Override
+ public List<AclGroup> listParentAclGroupsOnPath(String path) {
+
+ List<String> pathList = new ArrayList<String>();
+
+ String[] parts = path.split("/");
+
+ for (String part : parts) {
+ int start = path.indexOf(part);
+ if (start > 0) {
+ String subPath = path.substring(0, start);
+ pathList.add(subPath);
+ }
+ }
+
+ SearchBuilder<AclGroupVO> sb = _aclGroupDao.createSearchBuilder();
+ sb.and("paths", sb.entity().getPath(), SearchCriteria.Op.IN);
+
+ SearchCriteria<AclGroupVO> sc = sb.create();
+ sc.setParameters("paths", pathList.toArray());
+
+ List<AclGroupVO> groups = _aclGroupDao.search(sc, null);
+
+ return new ArrayList<AclGroup>(groups);
+
+ }
+
@DB
@Override
public AclPolicy createAclPolicy(final String aclPolicyName, final String description, final Long parentPolicyId) {
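Review bot: `int start = path.indexOf(part);` locates the first occurrence of the segment text anywhere in `path`, not the segment's own position, so a path whose segments repeat or where one segment's text already appears earlier (ids such as `11` followed by `1`) produces wrong or duplicate prefixes, and since this list drives which ancestor groups' recursive policies are consulted, the wrong groups would be checked. Walking the path by cumulative offset, as below, yields the same prefixes as the current code for well-formed paths and is correct for the others. When the group sits at the root, `pathList` stays empty and an empty parameter array is handed to `SearchCriteria.Op.IN`; returning early for that case is safer than relying on the DAO's handling of an empty IN, which cannot be seen here. The same loop survives the rename in the second commit's IAMServiceImpl hunk.
```java
public List<AclGroup> listParentAclGroupsOnPath(String path) {
    List<String> pathList = new ArrayList<String>();
    String[] parts = path.split("/");
    // walk by offset so each prefix ends at this segment's own position,
    // not at the first occurrence of its text somewhere in the path
    int offset = 0;
    for (String part : parts) {
        if (offset > 0) {
            pathList.add(path.substring(0, offset));
        }
        offset += part.length() + 1; // the segment plus its separator
    }
    if (pathList.isEmpty()) {
        return new ArrayList<AclGroup>(); // root group: no ancestors
    }
    // … unchanged: search _aclGroupDao with "paths" IN pathList …
}
```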
@@ -388,6 +416,37 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
return policies;
}
+ @SuppressWarnings("unchecked")
+ @Override
+ public List<AclPolicy> listRecursiveAclPoliciesByGroup(long groupId) {
+ List<AclGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
+ if (policyGrpMap == null || policyGrpMap.size() == 0) {
+ return new ArrayList<AclPolicy>();
+ }
+
+ List<Long> policyIds = new ArrayList<Long>();
+ for (AclGroupPolicyMapVO pg : policyGrpMap) {
+ policyIds.add(pg.getAclPolicyId());
+ }
+
+ SearchBuilder<AclPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
+ permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);
+
+ SearchBuilder<AclPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+ sb.and("ids", sb.entity().getId(), Op.IN);
+ sb.join("recursivePerm", permSb, sb.entity().getId(), permSb.entity().getAclPolicyId(),
+ JoinBuilder.JoinType.INNER);
+
+ SearchCriteria<AclPolicyVO> sc = sb.create();
+ sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
+ sc.setJoinParameters("recursivePerm", "isRecursive", true);
+
+ @SuppressWarnings("rawtypes")
+ List policies = _aclPolicyDao.customSearch(sc, null);
+
+ return policies;
+ }
+
@SuppressWarnings("unchecked")
@Override
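Review bot: `List policies = _aclPolicyDao.customSearch(sc, null);` is a raw type covered by `@SuppressWarnings("rawtypes")` plus a method-level `@SuppressWarnings("unchecked")`, whereas the `new ArrayList<AclGroup>(groups.first())` return in the earlier hunk of this file converts the VO list explicitly; as far as I know customSearch is generic in the VO type, so `List<AclPolicyVO> policies = _aclPolicyDao.customSearch(sc, null); return new ArrayList<AclPolicy>(policies);` removes both suppressions. `policyGrpMap == null || policyGrpMap.size() == 0` reads better as `policyGrpMap == null || policyGrpMap.isEmpty()`, and the two new methods should spell the operator the same way (`SearchCriteria.Op.IN` in the first, bare `Op.IN` here). The join on `permSb` is what restricts the result to recursive permissions, which deserves a one-line comment above `sb.join(...)` since the method name alone does not say so.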
@@ -591,7 +650,13 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
// remove entry from acl_entity_permission table
List<AclPolicyPermissionVO> permitList = _policyPermissionDao.listByEntity(entityType, entityId);
for (AclPolicyPermissionVO permit : permitList) {
+ long policyId = permit.getAclPolicyId();
_policyPermissionDao.remove(permit.getId());
+
+ // remove the policy of there are no other permissions
+ if ((_policyPermissionDao.listByPolicy(policyId)).isEmpty()) {
+ deleteAclPolicy(policyId);
+ }
}
}
});
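Review bot: `deleteAclPolicy(policyId);` removes an entire policy as a side effect of an entity-removal message whenever that entity held the policy's last permission, presumably also detaching it from the groups or accounts it was bound to; an administrator who created a policy and is still populating it would lose it when an unrelated resource is deleted. That fails closed, so it does not widen access, but it should either be documented as intended on the policy API or be limited to policies this code created for the entity. The comment on the line before it reads `// remove the policy of there are no other permissions` where `if` is meant. Whether deleteAclPolicy refuses default or system policies cannot be seen here, and the enclosing subscriber starts outside this hunk.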
[2/2] git commit: updated refs/heads/rbac to a6d07c8
Posted by pr...@apache.org.
Changes to QuerySelector to list the parent-group resources with recursive = true access
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a6d07c87
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a6d07c87
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a6d07c87
Branch: refs/heads/rbac
Commit: a6d07c873cac5eb16c5de7ae29f2912a7501ac6a
Parents: 939b151
Author: Prachi Damle <pr...@cloud.com>
Authored: Mon Feb 3 17:49:33 2014 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Mon Feb 3 17:49:33 2014 -0800
----------------------------------------------------------------------
.../engine/orchestration/NetworkOrchestrator.java | 2 +-
.../cloudstack/acl/RoleBasedEntityAccessChecker.java | 2 +-
.../cloudstack/acl/RoleBasedEntityQuerySelector.java | 11 +++++++++++
.../src/org/apache/cloudstack/iam/api/IAMService.java | 2 +-
.../org/apache/cloudstack/iam/server/IAMServiceImpl.java | 7 ++++++-
5 files changed, 20 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a6d07c87/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
----------------------------------------------------------------------
diff --git a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index de22e9d..1ea8d2e 100755
--- a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -2196,7 +2196,7 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
NetworkAccountVO networkAccount = _networkAccountDao.getAccountNetworkMapByNetworkId(networkFinal.getId());
if (networkAccount != null)
_networkAccountDao.remove(networkAccount.getId());
-
+
// remove its related ACL permission
Pair<AclEntityType, Long> networkMsg = new Pair<AclEntityType, Long>(AclEntityType.Network, networkFinal.getId());
_messageBus.publish(_name, EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, PublishScope.LOCAL, networkMsg);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a6d07c87/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
index 1b915d5a..65249a6 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@@ -172,7 +172,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
List<AclGroup> groups = _iamSrv.listAclGroups(caller.getId());
for (AclGroup group : groups) {
// for each group find the grand parent groups.
- List<AclGroup> parentGroups = _iamSrv.listParentAclGroupsOnPath(group.getPath());
+ List<AclGroup> parentGroups = _iamSrv.listParentAclGroups(group.getId());
for (AclGroup parentGroup : parentGroups) {
policies.addAll(_iamSrv.listRecursiveAclPoliciesByGroup(parentGroup.getId()));
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a6d07c87/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
index 8299819..8ff81ed 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
@@ -83,6 +83,17 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
long accountId = caller.getAccountId();
// Get the static Policies of the Caller
List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
+
+ // add the policies that grant recursive access
+ List<AclGroup> groups = _iamService.listAclGroups(caller.getId());
+ for (AclGroup group : groups) {
+ // for each group find the grand parent groups.
+ List<AclGroup> parentGroups = _iamService.listParentAclGroups(group.getId());
+ for (AclGroup parentGroup : parentGroups) {
+ policies.addAll(_iamService.listRecursiveAclPoliciesByGroup(parentGroup.getId()));
+ }
+ }
+
// for each policy, find granted permission with Resource scope
List<Long> entityIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
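Review bot: The loop from `List<AclGroup> groups = _iamService.listAclGroups(caller.getId());` down to the inner `policies.addAll(...)` is a verbatim copy of the one in RoleBasedEntityAccessChecker in this same commit; one decides access to a single entity and the other decides what listings show, so any later drift between them makes the two disagree, and both belong behind a single IAMService method (for example a `listRecursiveAclPoliciesForAccount`) that each caller uses. As written it also appends to the list returned by `_iamService.listAclPolicies(accountId)`, which is only safe if that method returns a fresh mutable list, and it adds a policy once per ancestor path it is reached through. The enclosing method starts and ends outside this hunk.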
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a6d07c87/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 2679aaa..2b26e72 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -85,7 +85,7 @@ public interface IAMService {
List<AclPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
String entityType);
- List<AclGroup> listParentAclGroupsOnPath(String path);
+ List<AclGroup> listParentAclGroups(long groupId);
List<AclPolicy> listRecursiveAclPoliciesByGroup(long groupId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a6d07c87/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index d6cf8cdb..e4e048d 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -257,8 +257,13 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
@Override
- public List<AclGroup> listParentAclGroupsOnPath(String path) {
+ public List<AclGroup> listParentAclGroups(long groupId) {
+ AclGroup group = _aclGroupDao.findById(groupId);
+ if (group == null) {
+ throw new InvalidParameterValueException("Unable to find acl group by id " + groupId);
+ }
+ String path = group.getPath();
List<String> pathList = new ArrayList<String>();
String[] parts = path.split("/");
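Review bot: `String path = group.getPath();` is consumed straight away by `path.split("/")` with no null check, so a group stored without a path would surface as a NullPointerException rather than the InvalidParameterValueException the lookup just above throws; whether the path column is non-null cannot be seen here. If it can be null, `if (path == null) { return new ArrayList<AclGroup>(); }` keeps the behaviour of a group with no ancestors. The prefix computation continues outside this hunk and, since the diff does not touch it, presumably still uses the indexOf-based scan raised on the first commit's version of this method.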