cloudstack-commits mailing list archives

From prachida...@apache.org
Subject [1/3] git commit: updated refs/heads/rbac to 5798064
Date Mon, 07 Oct 2013 21:31:48 GMT
Updated Branches:
  refs/heads/rbac ddd4f8091 -> 579806440


APIChecker helper methods implemented


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/2bbe6f59
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/2bbe6f59
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/2bbe6f59

Branch: refs/heads/rbac
Commit: 2bbe6f59376a96022f873d11066874d5cb802552
Parents: ddd4f80
Author: Prachi Damle <prachi@cloud.com>
Authored: Thu Oct 3 13:28:19 2013 -0700
Committer: Prachi Damle <prachi@cloud.com>
Committed: Mon Oct 7 12:33:24 2013 -0700

----------------------------------------------------------------------
 .../acl/api/RoleBasedAPIAccessChecker.java      | 11 +---
 .../apache/cloudstack/acl/AclServiceImpl.java   | 53 ++++++++++++++++++--
 2 files changed, 51 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/2bbe6f59/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
index 18fcdf9..027ff58 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
@@ -16,15 +16,10 @@
 // under the License.
 package org.apache.cloudstack.acl.api;
 
-import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Map;
-import java.util.Set;
 
 import javax.ejb.Local;
 import javax.inject.Inject;
-import javax.naming.ConfigurationException;
 
 import org.apache.cloudstack.acl.APIChecker;
 import org.apache.cloudstack.acl.AclRole;
@@ -35,12 +30,10 @@ import com.cloud.exception.PermissionDeniedException;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
-import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.component.AdapterBase;
-import com.cloud.utils.component.PluggableService;
 
-// This is the default API access checker that grab's the user's account
-// based on the account type, access is granted
+// This is the Role Based API access checker that grab's the  account's roles
+// based on the set of roles, access is granted if any of the role has access to the api
 @Local(value=APIChecker.class)
 public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/2bbe6f59/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
index c8fc54c..69f9d3d 100644
--- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.acl;
 
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 
@@ -49,6 +50,11 @@ import com.cloud.utils.component.Manager;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.DB;
 import com.cloud.utils.db.EntityManager;
+import com.cloud.utils.db.GenericSearchBuilder;
+import com.cloud.utils.db.JoinBuilder.JoinType;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.SearchCriteria.Op;
 import com.cloud.utils.db.Transaction;
 
 @Local(value = {AclService.class})
@@ -507,14 +513,53 @@ public class AclServiceImpl extends ManagerBase implements AclService,
Manager {
 
     @Override
     public List<AclRole> getAclRoles(long accountId) {
-        // TODO Auto-generated method stub
-        return null;
+
+        SearchBuilder<AclGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
+        groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
+
+        GenericSearchBuilder<AclGroupRoleMapVO, Long> roleSB = _aclGroupRoleMapDao.createSearchBuilder(Long.class);
+        roleSB.selectField(roleSB.entity().getAclRoleId());
+        roleSB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), roleSB.entity().getAclGroupId(),
+                JoinType.INNER);
+        roleSB.done();
+        SearchCriteria<Long> roleSc = roleSB.create();
+        roleSc.setJoinParameters("accountgroupjoin", "account", accountId);
+
+        List<Long> roleIds = _aclGroupRoleMapDao.customSearch(roleSc, null);
+
+        SearchBuilder<AclRoleVO> sb = _aclRoleDao.createSearchBuilder();
+        sb.and("ids", sb.entity().getId(), Op.IN);
+        SearchCriteria<AclRoleVO> sc = sb.create();
+        sc.setParameters("ids", roleIds.toArray(new Object[roleIds.size()]));
+        List<AclRoleVO> roles = _aclRoleDao.customSearch(sc, null);
+
+        return new ArrayList<AclRole>(roles);
     }
 
     @Override
     public boolean isAPIAccessibleForRoles(String apiName, List<AclRole> roles) {
-        // TODO Auto-generated method stub
-        return false;
+
+        boolean accessible = false;
+
+        List<Long> roleIds = new ArrayList<Long>();
+        for (AclRole role : roles) {
+            roleIds.add(role.getId());
+        }
+
+        SearchBuilder<AclApiPermissionVO> sb = _apiPermissionDao.createSearchBuilder();
+        sb.and("apiName", sb.entity().getApiName(), Op.EQ);
+        sb.and("roleId", sb.entity().getAclRoleId(), Op.IN);
+
+        SearchCriteria<AclApiPermissionVO> sc = sb.create();
+        sc.setParameters("roleId", roleIds.toArray(new Object[roleIds.size()]));
+
+        List<AclApiPermissionVO> permissions = _apiPermissionDao.customSearch(sc, null);
+
+        if (permissions != null && !permissions.isEmpty()) {
+            accessible = true;
+        }
+
+        return accessible;
     }
 
 }
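Review bot: `isAPIAccessibleForRoles` never binds the `apiName` condition: `sb.and("apiName", ..., Op.EQ)` is declared, but only `roleId` is passed to `sc.setParameters`, and the `apiName` argument is not used anywhere else in the method. If the search framework omits conditions that have no bound parameter (worth confirming against `SearchCriteria`), the query matches any permission row for these roles, so the check grants every API to an account whose roles hold at least one permission. Add `sc.setParameters("apiName", apiName);` before the `customSearch` call. Both new methods also hand a possibly empty id list to an `Op.IN` condition; fail closed with `if (roles == null || roles.isEmpty()) return false;` here, and return an empty list from `getAclRoles` when `roleIds` is empty, rather than depending on how an empty IN is rendered. A unit test asserting that a role permitted for one API is denied a different API would pin the intended behaviour.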

