From prachida...@apache.org
Subject [1/6] git commit: updated refs/heads/rbac to 5c7db71
Date Thu, 10 Oct 2013 07:49:36 GMT
Updated Branches:
  refs/heads/rbac 2b4703b6e -> 5c7db71bb


SecurityChecker checking against the acl_entity_permission table


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7ebb9728
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7ebb9728
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7ebb9728

Branch: refs/heads/rbac
Commit: 7ebb972885e7dc5714f376168425f3c25aec065e
Parents: 2b4703b
Author: Prachi Damle <prachi@cloud.com>
Authored: Mon Oct 7 16:29:49 2013 -0700
Committer: Prachi Damle <prachi@cloud.com>
Committed: Thu Oct 10 00:41:11 2013 -0700

----------------------------------------------------------------------
 .../entity/RoleBasedEntityAccessChecker.java    | 37 ++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ebb9728/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index fa8bed1..21ced06 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -20,16 +20,21 @@ import java.util.List;
 
 import javax.inject.Inject;
 
+import org.apache.cloudstack.acl.AclEntityPermissionVO;
 import org.apache.cloudstack.acl.AclGroupAccountMapVO;
 import org.apache.cloudstack.acl.AclRole;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.dao.AclEntityPermissionDao;
 import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
 import org.apache.cloudstack.acl.dao.AclGroupDao;
+import org.apache.cloudstack.api.InternalIdentity;
+import org.apache.log4j.Logger;
 
 import com.cloud.acl.DomainChecker;
+import com.cloud.api.ApiDispatcher;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
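Review bot: `com.cloud.api.ApiDispatcher` is added to the imports here but nothing in the visible hunks references it, so it is an unused import that a checkstyle-style build rule would flag and that suggests the edit is incomplete — either drop it or wire it in if it was intended for resolving the entity type used by the new permission lookup. The other imports added in this hunk (`AclEntityPermissionVO`, `AclEntityPermissionDao`, `InternalIdentity`, `Logger`) are all used by the later hunks.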
@@ -37,6 +42,8 @@ import com.cloud.vm.VirtualMachine;
 
 public class RoleBasedEntityAccessChecker extends DomainChecker implements SecurityChecker
{
 
+    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityAccessChecker.class.getName());
+
     @Inject
     AccountService _accountService;
     @Inject
@@ -45,15 +52,41 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
     @Inject
     AclGroupAccountMapDao _aclGroupAccountMapDao;
 
+    @Inject
+    AclEntityPermissionDao _entityPermissionDao;
+
     @Override
     public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
             throws PermissionDeniedException {
 
+        String entityType = "";
+
         // check if explicit allow/deny is present for this entity in
         // acl_entity_permission
 
-        List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());
-
+        if (entity instanceof InternalIdentity) {
+            InternalIdentity entityWithId = (InternalIdentity) entity;
+
+            List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());
+
+            for (AclGroupAccountMapVO groupMapping : acctGroups) {
+                AclEntityPermissionVO entityPermission = _entityPermissionDao.findByGroupAndEntity(
+                        groupMapping.getAclGroupId(), entityType, entityWithId.getId(), accessType);
+
+                if (entityPermission != null) {
+                    if (entityPermission.isAllowed()) {
+                        return true;
+                    } else {
+                        if (s_logger.isDebugEnabled()) {
+                            s_logger.debug("Account " + caller + " does not have permission
to access resource "
+                                    + entity + " for access type: " + accessType);
+                        }
+                        throw new PermissionDeniedException(caller + " does not have permission
to access resource "
+                                + entity);
+                    }
+                }
+            }
+        }
 
         // Is Caller RootAdmin? Yes, granted true
         if (_accountService.isRootAdmin(caller.getId())) {
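Review bot: `entityType` is set to `""` on the first added line of the method body and never reassigned, so every `findByGroupAndEntity` call in the loop queries acl_entity_permission with an empty entity type; unless the DAO treats an empty type as a wildcard (not visible here), no explicit allow or deny row can ever match and the whole new block silently falls through to the root-admin and domain checks. Resolve the type from `entity` before the lookup, and fail closed rather than querying with a blank value. Separately, the loop returns `true` on the first group whose row is allowed, so an explicit deny in another of the caller's groups is honoured only if that group happens to be returned first by `listByAccountId`; since the purpose of the check is to enforce deny rows, scan all of the caller's groups and let a deny win before granting. The method body continues past the end of the hunk (the root-admin branch is cut off), so the rewrite below ends where the hunk does.
```java
        // … unchanged: method signature …
        // The type must be resolved before the lookup; "" never matches a stored row.
        String entityType = entity.getClass().getSimpleName(); // TODO(review): confirm this matches the entity_type values stored in acl_entity_permission

        if (entity instanceof InternalIdentity) {
            InternalIdentity entityWithId = (InternalIdentity) entity;
            List<AclGroupAccountMapVO> acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId());

            boolean explicitAllow = false;
            for (AclGroupAccountMapVO groupMapping : acctGroups) {
                AclEntityPermissionVO entityPermission = _entityPermissionDao.findByGroupAndEntity(
                        groupMapping.getAclGroupId(), entityType, entityWithId.getId(), accessType);
                if (entityPermission == null) {
                    continue;
                }
                if (!entityPermission.isAllowed()) {
                    // An explicit deny in any of the caller's groups wins over an allow in another.
                    if (s_logger.isDebugEnabled()) {
                        s_logger.debug("Account " + caller + " does not have permission to access resource "
                                + entity + " for access type: " + accessType);
                    }
                    throw new PermissionDeniedException(caller + " does not have permission to access resource "
                            + entity);
                }
                explicitAllow = true;
            }
            if (explicitAllow) {
                return true;
            }
        }
        // … unchanged: root-admin and domain checks …
```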

