cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prachida...@apache.org
Subject [4/6] git commit: updated refs/heads/rbac to 5c7db71
Date Thu, 10 Oct 2013 07:49:39 GMT
Tested ACL for StartVmCmd using the new RoleBasedEntityAccessChecker


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/ec4fa61a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/ec4fa61a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/ec4fa61a

Branch: refs/heads/rbac
Commit: ec4fa61ae30cccac3f4bc3cff9cb3b31ab1818ea
Parents: 7d1ba65
Author: Prachi Damle <prachi@cloud.com>
Authored: Thu Oct 10 00:39:31 2013 -0700
Committer: Prachi Damle <prachi@cloud.com>
Committed: Thu Oct 10 00:46:06 2013 -0700

----------------------------------------------------------------------
 .../cloudstack/acl/AclRolePermission.java       |  2 ++
 .../api/command/user/vm/StartVMCmd.java         |  3 ++
 client/pom.xml                                  |  5 +++
 client/tomcatconf/applicationContext.xml.in     |  1 +
 client/tomcatconf/componentContext.xml.in       |  1 +
 client/tomcatconf/nonossComponentContext.xml.in |  1 +
 .../tomcatconf/simulatorComponentContext.xml.in |  1 +
 .../cloudstack/acl/AclRolePermissionVO.java     |  9 +++++
 .../entity/RoleBasedEntityAccessChecker.java    | 35 +++++++++++++++++---
 9 files changed, 53 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/api/src/org/apache/cloudstack/acl/AclRolePermission.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/AclRolePermission.java b/api/src/org/apache/cloudstack/acl/AclRolePermission.java
index 69259e2..0c0c0de 100644
--- a/api/src/org/apache/cloudstack/acl/AclRolePermission.java
+++ b/api/src/org/apache/cloudstack/acl/AclRolePermission.java
@@ -30,4 +30,6 @@ public interface AclRolePermission extends InternalIdentity {
     PermissionScope getScope();
 
     boolean isAllowed();
+
+    PermissionScope getScope();
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
index 8441ac6..e971ff2 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vm/StartVMCmd.java
@@ -16,6 +16,8 @@
 // under the License.
 package org.apache.cloudstack.api.command.user.vm;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
@@ -50,6 +52,7 @@ public class StartVMCmd extends BaseAsyncCmd {
     // ////////////// API parameters /////////////////////
     // ///////////////////////////////////////////////////
 
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType=UserVmResponse.class,
             required = true, description = "The ID of the virtual machine")
     private Long id;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/pom.xml
----------------------------------------------------------------------
diff --git a/client/pom.xml b/client/pom.xml
index f441601..99a3c3e 100644
--- a/client/pom.xml
+++ b/client/pom.xml
@@ -36,6 +36,11 @@
     </dependency>
     <dependency>
       <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-plugin-acl-role-based-access-checkers</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
       <artifactId>cloud-plugin-dedicated-resources</artifactId>
       <version>${project.version}</version>
     </dependency>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/tomcatconf/applicationContext.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/applicationContext.xml.in b/client/tomcatconf/applicationContext.xml.in
index 1095e0a..da242b3 100644
--- a/client/tomcatconf/applicationContext.xml.in
+++ b/client/tomcatconf/applicationContext.xml.in
@@ -389,6 +389,7 @@
   <bean id="databaseIntegrityChecker" class="com.cloud.upgrade.DatabaseIntegrityChecker"
/>
   <bean id="domainChecker" class="com.cloud.acl.DomainChecker" />
   <bean id="affinityGroupAccessChecker" class="com.cloud.acl.AffinityGroupAccessChecker"
/>
+  <bean id="roleBasedEntityAccessChecker" class="org.apache.cloudstack.acl.entity.RoleBasedEntityAccessChecker"
/>
   
   <!--
     Authenticators

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/tomcatconf/componentContext.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/componentContext.xml.in b/client/tomcatconf/componentContext.xml.in
index 315c95b..28b8d92 100644
--- a/client/tomcatconf/componentContext.xml.in
+++ b/client/tomcatconf/componentContext.xml.in
@@ -146,6 +146,7 @@
   <bean id="securityCheckers" class="com.cloud.utils.component.AdapterList">
     <property name="Adapters">
       <list>
+      	  <ref bean="roleBasedEntityAccessChecker"/>
 		  <ref bean="affinityGroupAccessChecker"/>
           <ref bean="domainChecker"/>
       </list>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/tomcatconf/nonossComponentContext.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/nonossComponentContext.xml.in b/client/tomcatconf/nonossComponentContext.xml.in
index 0502bbc..187b63d 100644
--- a/client/tomcatconf/nonossComponentContext.xml.in
+++ b/client/tomcatconf/nonossComponentContext.xml.in
@@ -243,6 +243,7 @@
   <bean id="securityCheckers" class="com.cloud.utils.component.AdapterList">
     <property name="Adapters">
       <list>
+	      <ref bean="roleBasedEntityAccessChecker"/>
 	      <ref bean="affinityGroupAccessChecker"/>
           <ref bean="domainChecker"/>
       </list>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/client/tomcatconf/simulatorComponentContext.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/simulatorComponentContext.xml.in b/client/tomcatconf/simulatorComponentContext.xml.in
index 82ff433..ef480b0 100644
--- a/client/tomcatconf/simulatorComponentContext.xml.in
+++ b/client/tomcatconf/simulatorComponentContext.xml.in
@@ -93,6 +93,7 @@
   <bean id="securityCheckers" class="com.cloud.utils.component.AdapterList">
     <property name="Adapters">
       <list>
+        <ref bean="roleBasedEntityAccessChecker"/>
 	    <ref bean="affinityGroupAccessChecker"/>
         <ref bean="domainChecker"/>
       </list>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java
index b0fb230..bb993d0 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclRolePermissionVO.java
@@ -53,6 +53,7 @@ public class AclRolePermissionVO implements AclRolePermission {
     @Column(name = "permission")
     private boolean allowed;
 
+
     public AclRolePermissionVO() {
 
     }
@@ -114,4 +115,12 @@ public class AclRolePermissionVO implements AclRolePermission {
         this.allowed = allowed;
     }
 
+    @Override
+    public PermissionScope getScope() {
+        return scope;
+    }
+
+    public void setScope(PermissionScope scope) {
+        this.scope = scope;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ec4fa61a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index 6031d92..5a0abf5 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -28,6 +28,7 @@ import org.apache.cloudstack.acl.AclRole;
 import org.apache.cloudstack.acl.AclRolePermissionVO;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.acl.dao.AclEntityPermissionDao;
@@ -39,6 +40,7 @@ import org.apache.log4j.Logger;
 
 import com.cloud.acl.DomainChecker;
 import com.cloud.api.ApiDispatcher;
+import com.cloud.domain.dao.DomainDao;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.template.VirtualMachineTemplate;
 import com.cloud.user.Account;
@@ -53,6 +55,8 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
     AccountService _accountService;
     @Inject
     AclService _aclService;
+    
+    @Inject DomainDao _domainDao;
 
     @Inject
     AclGroupAccountMapDao _aclGroupAccountMapDao;
@@ -70,6 +74,10 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
 
             String entityType = AclEntityType.VM.toString();
 
+            if (accessType == null) {
+                accessType = AccessType.ListEntry;
+            }
+
             // check if explicit allow/deny is present for this entity in
             // acl_entity_permission
 
@@ -105,11 +113,13 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
                 List<AclRolePermissionVO> permissions = _rolePermissionDao.listByRoleAndEntity(role.getId(),
                         entityType, accessType);
                 for (AclRolePermissionVO permission : permissions) {
-                    if (permission.getEntityType().equals(entityType)) {
-                        rolePermissionMap.put(role, permission.isAllowed());
-                        break;
-                    } else if (permission.getEntityType().equals("*")) {
-                        rolePermissionMap.put(role, permission.isAllowed());
+                    if (checkPermissionScope(caller, permission.getScope(), entity)) {
+                        if (permission.getEntityType().equals(entityType)) {
+                            rolePermissionMap.put(role, permission.isAllowed());
+                            break;
+                        } else if (permission.getEntityType().equals("*")) {
+                            rolePermissionMap.put(role, permission.isAllowed());
+                        }
                     }
                 }
                 if (rolePermissionMap.containsKey(role) && rolePermissionMap.get(role))
{
@@ -129,4 +139,19 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
 
         return false;
     }
+
+    private boolean checkPermissionScope(Account caller, PermissionScope scope, ControlledEntity
entity) {
+        
+        if(scope.equals(PermissionScope.ACCOUNT)){
+            if(caller.getAccountId() == entity.getAccountId()){
+                return true;
+            }
+        }else if(scope.equals(PermissionScope.DOMAIN)){
+            if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
+                return true;
+            }
+        }
+        
+        return false;
+    }
 }


Mime
View raw message