cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prachida...@apache.org
Subject [3/6] git commit: updated refs/heads/rbac to 5c7db71
Date Thu, 10 Oct 2013 07:49:38 GMT
RoleBasedEntityAccessChecker logic now performs checkAccess for VM entity


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7d1ba650
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7d1ba650
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7d1ba650

Branch: refs/heads/rbac
Commit: 7d1ba6505d83a61f30e86b5037a3a5645cc35c6b
Parents: 0b1aaf5
Author: Prachi Damle <prachi@cloud.com>
Authored: Wed Oct 9 15:21:27 2013 -0700
Committer: Prachi Damle <prachi@cloud.com>
Committed: Thu Oct 10 00:43:59 2013 -0700

----------------------------------------------------------------------
 .../entity/RoleBasedEntityAccessChecker.java    | 96 +++++++++-----------
 1 file changed, 45 insertions(+), 51 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7d1ba650/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index 5be8836..6031d92 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.acl.entity;
 
+import java.util.HashMap;
 import java.util.List;
 
 import javax.inject.Inject;
@@ -39,6 +40,7 @@ import org.apache.log4j.Logger;
 import com.cloud.acl.DomainChecker;
 import com.cloud.api.ApiDispatcher;
 import com.cloud.exception.PermissionDeniedException;
+import com.cloud.template.VirtualMachineTemplate;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.vm.VirtualMachine;
@@ -64,75 +66,67 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
     @Override
     public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
             throws PermissionDeniedException {
+        if (entity instanceof VirtualMachine) {
 
-        String entityType = AclEntityType.VM.toString();
+            String entityType = AclEntityType.VM.toString();
 
-        // check if explicit allow/deny is present for this entity in
-        // acl_entity_permission
+            // check if explicit allow/deny is present for this entity in
+            // acl_entity_permission
 
-        if (entity instanceof InternalIdentity) {
-            InternalIdentity entityWithId = (InternalIdentity) entity;
+            if (entity instanceof InternalIdentity) {
+                InternalIdentity entityWithId = (InternalIdentity) entity;
 
-            List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());
+                List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());
 
-            for (AclGroupAccountMapVO groupMapping : acctGroups) {
-                AclEntityPermissionVO entityPermission = _entityPermissionDao.findByGroupAndEntity(
-                        groupMapping.getAclGroupId(), entityType, entityWithId.getId(), accessType);
+                for (AclGroupAccountMapVO groupMapping : acctGroups) {
+                    AclEntityPermissionVO entityPermission = _entityPermissionDao.findByGroupAndEntity(
+                            groupMapping.getAclGroupId(), entityType, entityWithId.getId(),
accessType);
 
-                if (entityPermission != null) {
-                    if (entityPermission.isAllowed()) {
-                        return true;
-                    } else {
-                        if (s_logger.isDebugEnabled()) {
-                            s_logger.debug("Account " + caller + " does not have permission
to access resource "
-                                    + entity + " for access type: " + accessType);
+                    if (entityPermission != null) {
+                        if (entityPermission.isAllowed()) {
+                            return true;
+                        } else {
+                            if (s_logger.isDebugEnabled()) {
+                                s_logger.debug("Account " + caller + " does not have permission
to access resource "
+                                        + entity + " for access type: " + accessType);
+                            }
+                            throw new PermissionDeniedException(caller
+                                    + " does not have permission to access resource " + entity);
                         }
-                        throw new PermissionDeniedException(caller + " does not have permission
to access resource "
-                                + entity);
                     }
                 }
             }
-        }
-
-        // Is Caller RootAdmin? Yes, granted true
-        if (_accountService.isRootAdmin(caller.getId())) {
-            return true;
-        }
-        // Is Caller Owner of the entity? Yes, granted true
-        if (caller.getId() == entity.getAccountId()) {
-            return true;
-        }
-
-        // get all Roles of this caller w.r.t the entity
-        List<AclRole> roles = _aclService.getEffectiveRoles(caller, entity);
-
-        for (AclRole role : roles) {
-            AclRolePermissionVO permission = _rolePermissionDao.findByRoleAndEntity(role.getId(),
entityType,
-                    accessType);
-            boolean operationAllowedForAll = true;
 
-            if (permission.getEntityType().equals(entityType)) {
-                if (permission.isAllowed()) {
-                    return true;
-                } else {
-                    if (s_logger.isDebugEnabled()) {
-                        s_logger.debug("Account " + caller + " does not have permission to
access resource " + entity
-                                + " for access type: " + accessType);
+            // get all Roles of this caller w.r.t the entity
+            List<AclRole> roles = _aclService.getEffectiveRoles(caller, entity);
+            HashMap<AclRole, Boolean> rolePermissionMap = new HashMap<AclRole, Boolean>();
+
+            for (AclRole role : roles) {
+                List<AclRolePermissionVO> permissions = _rolePermissionDao.listByRoleAndEntity(role.getId(),
+                        entityType, accessType);
+                for (AclRolePermissionVO permission : permissions) {
+                    if (permission.getEntityType().equals(entityType)) {
+                        rolePermissionMap.put(role, permission.isAllowed());
+                        break;
+                    } else if (permission.getEntityType().equals("*")) {
+                        rolePermissionMap.put(role, permission.isAllowed());
                     }
-                    throw new PermissionDeniedException(caller + " does not have permission
to access resource "
-                            + entity);
                 }
-            } else if (permission.getEntityType().equals("*")) {
-                if (permission.isAllowed()) {
-                    operationAllowedForAll = true;
-                } else {
-                    operationAllowedForAll = false;
+                if (rolePermissionMap.containsKey(role) && rolePermissionMap.get(role))
{
+                    return true;
                 }
             }
 
+            if (!roles.isEmpty()) { // Since we reach this point, none of the
+                                    // roles granted access
+                if (s_logger.isDebugEnabled()) {
+                    s_logger.debug("Account " + caller + " does not have permission to access
resource " + entity
+                            + " for access type: " + accessType);
+                }
+                throw new PermissionDeniedException(caller + " does not have permission to
access resource " + entity);
+            }
         }
 
-
         return false;
     }
 }


Mime
View raw message