cloudstack-commits mailing list archives

From prachida...@apache.org
Subject [3/3] git commit: updated refs/heads/rbac to 5798064
Date Mon, 07 Oct 2013 21:31:50 GMT
Add permission flag to acl_entity_permission


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/57980644
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/57980644
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/57980644

Branch: refs/heads/rbac
Commit: 579806440b4c1ca0107b97cd65d30494cf804a99
Parents: 385dfc2
Author: Prachi Damle <prachi@cloud.com>
Authored: Mon Oct 7 14:30:15 2013 -0700
Committer: Prachi Damle <prachi@cloud.com>
Committed: Mon Oct 7 14:30:15 2013 -0700

----------------------------------------------------------------------
 .../apache/cloudstack/acl/AclEntityPermission.java |  2 ++
 .../cloudstack/acl/AclEntityPermissionVO.java      | 17 ++++++++++++++---
 .../acl/entity/RoleBasedEntityAccessChecker.java   | 12 ++++++++++++
 .../org/apache/cloudstack/acl/AclServiceImpl.java  |  2 +-
 setup/db/db/schema-420to430.sql                    |  3 ++-
 5 files changed, 31 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/57980644/api/src/org/apache/cloudstack/acl/AclEntityPermission.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/AclEntityPermission.java b/api/src/org/apache/cloudstack/acl/AclEntityPermission.java
index 2716406..bfe7ac9 100644
--- a/api/src/org/apache/cloudstack/acl/AclEntityPermission.java
+++ b/api/src/org/apache/cloudstack/acl/AclEntityPermission.java
@@ -12,4 +12,6 @@ public interface AclEntityPermission extends InternalIdentity {
     Long getEntityId();
 
     AccessType getAccessType();
+
+    boolean isAllowed();
 }
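Review bot: `isAllowed()` is added to the interface without saying what `false` means or how it relates to the absence of an entry, which matters because callers will base authorization decisions on it. I would add a Javadoc such as `/** @return true if this entry explicitly grants the access type on the entity, false if it explicitly denies it */`. If the intended model is that a missing entry is neither an allow nor a deny, that should be stated there too. The interface declaration starts outside the hunk.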

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/57980644/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java
index a394516..4e0f3c0 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclEntityPermissionVO.java
@@ -32,7 +32,7 @@ public class AclEntityPermissionVO implements AclEntityPermission {
 
     @Column(name = "entity_id")
     private long entityId;
-    
+
     @Column(name = "entity_uuid")
     private String entityUuid;
 
@@ -40,6 +40,9 @@ public class AclEntityPermissionVO implements AclEntityPermission {
     @Enumerated(value = EnumType.STRING)
     AccessType accessType;
 
+    @Column(name = "permission")
+    private boolean permission;
+
     @Column(name = GenericDao.REMOVED_COLUMN)
     private Date removed;
 
@@ -50,14 +53,16 @@ public class AclEntityPermissionVO implements AclEntityPermission {
 
     }
 
-    public AclEntityPermissionVO(long groupId, String entityType, long entityId, String entityUuid,
AccessType atype) {
+    public AclEntityPermissionVO(long groupId, String entityType, long entityId, String entityUuid,
AccessType atype,
+            boolean permission) {
         aclGroupId = groupId;
         this.entityType = entityType;
         this.entityId = entityId;
         this.entityUuid = entityUuid;
         accessType = atype;
+        this.permission = permission;
     }
-    
+
     @Override
     public long getId() {
         return id;
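Review bot: The new trailing `boolean permission` parameter turns an allow/deny decision into a bare positional literal at call sites; the call in AclServiceImpl (`..., accessType, true)`) reads as an unexplained flag, and a mistaken `true` there silently records a grant. At minimum the constructor should document it with `@param permission true to allow, false to deny`; named constants or a small allow/deny enum would make call sites self-describing. The field added in the previous hunk is called `permission` while its accessor is `isAllowed()`, so naming the field `allowed` (keeping `@Column(name = "permission")`) would make the two consistent. The class body continues outside this hunk.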
@@ -115,4 +120,10 @@ public class AclEntityPermissionVO implements AclEntityPermission {
     public Date getCreated() {
         return created;
     }
+
+    @Override
+    public boolean isAllowed() {
+        return permission;
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/57980644/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index 0f83b28..fa8bed1 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -20,11 +20,14 @@ import java.util.List;
 
 import javax.inject.Inject;
 
+import org.apache.cloudstack.acl.AclGroupAccountMapVO;
 import org.apache.cloudstack.acl.AclRole;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
+import org.apache.cloudstack.acl.dao.AclGroupDao;
 
 import com.cloud.acl.DomainChecker;
 import com.cloud.exception.PermissionDeniedException;
@@ -39,10 +42,19 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
     @Inject
     AclService _aclService;
 
+    @Inject
+    AclGroupAccountMapDao _aclGroupAccountMapDao;
+
     @Override
     public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
             throws PermissionDeniedException {
 
+        // check if explicit allow/deny is present for this entity in
+        // acl_entity_permission
+
+        List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());
+
+
         // Is Caller RootAdmin? Yes, granted true
         if (_accountService.isRootAdmin(caller.getId())) {
             return true;
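Review bot: The added `acctGroups` lookup in `checkAccess` is never read in the lines shown, so the explicit allow/deny check announced by the comment is not performed here. Unless the rest of the method (outside this hunk) consults it, a row stored with `permission = 0` has no effect on the access decision. The query also runs before the root-admin short-circuit, so every call pays a DAO round trip, including those that return `true` immediately. Until the check is implemented I would drop the lookup or move it below the root-admin test, and mark the gap with `// TODO: explicit deny entries in acl_entity_permission are not enforced yet`. The `AclGroupDao` import added in the previous hunk is likewise unused in the visible code.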

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/57980644/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
index 69f9d3d..ecff794 100644
--- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
@@ -259,7 +259,7 @@ public class AclServiceImpl extends ManagerBase implements AclService,
Manager {
             if (entity instanceof Identity) {
                 entityUuid = ((Identity)entity).getUuid();
             }
-            perm = new AclEntityPermissionVO(aclGroupId, entityType, entityId, entityUuid,
accessType);
+            perm = new AclEntityPermissionVO(aclGroupId, entityType, entityId, entityUuid,
accessType, true);
             _entityPermissionDao.persist(perm);
         }
         return group;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/57980644/setup/db/db/schema-420to430.sql
----------------------------------------------------------------------
diff --git a/setup/db/db/schema-420to430.sql b/setup/db/db/schema-420to430.sql
index 6d03a6d..ecc2049 100644
--- a/setup/db/db/schema-420to430.sql
+++ b/setup/db/db/schema-420to430.sql
@@ -362,7 +362,8 @@ CREATE TABLE `cloud`.`acl_entity_permission` (
   `entity_type` varchar(100) NOT NULL,
   `entity_id` bigint unsigned NOT NULL,
   `entity_uuid` varchar(40),  
-  `access_type` varchar(40) NOT NULL,  
+  `access_type` varchar(40) NOT NULL,
+  `permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied',
   `removed` datetime COMMENT 'date the permission was revoked',
   `created` datetime COMMENT 'date the permission was granted',   
   PRIMARY KEY  (`id`),

