Return-Path: X-Original-To: apmail-cloudstack-commits-archive@www.apache.org Delivered-To: apmail-cloudstack-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6425410917 for ; Thu, 10 Oct 2013 07:49:49 +0000 (UTC) Received: (qmail 77077 invoked by uid 500); 10 Oct 2013 07:49:41 -0000 Delivered-To: apmail-cloudstack-commits-archive@cloudstack.apache.org Received: (qmail 76981 invoked by uid 500); 10 Oct 2013 07:49:40 -0000 Mailing-List: contact commits-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list commits@cloudstack.apache.org Received: (qmail 76926 invoked by uid 99); 10 Oct 2013 07:49:37 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Oct 2013 07:49:37 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 2E29C913CBA; Thu, 10 Oct 2013 07:49:37 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: prachidamle@apache.org To: commits@cloudstack.apache.org Date: Thu, 10 Oct 2013 07:49:38 -0000 Message-Id: <51c723d7bf3140259c5facae6164b8ec@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [3/6] git commit: updated refs/heads/rbac to 5c7db71 RoleBasedEntityAccessChecker logic now performs checkAccess for VM entity Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7d1ba650 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7d1ba650 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7d1ba650 Branch: refs/heads/rbac Commit: 7d1ba6505d83a61f30e86b5037a3a5645cc35c6b Parents: 0b1aaf5 Author: Prachi Damle Authored: Wed Oct 9 15:21:27 2013 -0700 Committer: Prachi Damle Committed: Thu Oct 10 00:43:59 2013 -0700 ---------------------------------------------------------------------- .../entity/RoleBasedEntityAccessChecker.java | 96 +++++++++----------- 1 file changed, 45 insertions(+), 51 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7d1ba650/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java ---------------------------------------------------------------------- diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java index 5be8836..6031d92 100644 --- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java +++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java 
@@ -16,6 +16,7 @@ // under the License. package org.apache.cloudstack.acl.entity; +import java.util.HashMap; import java.util.List; import javax.inject.Inject; @@ -39,6 +40,7 @@ import org.apache.log4j.Logger; import com.cloud.acl.DomainChecker; import com.cloud.api.ApiDispatcher; import com.cloud.exception.PermissionDeniedException; +import com.cloud.template.VirtualMachineTemplate; import com.cloud.user.Account; import com.cloud.user.AccountService; import com.cloud.vm.VirtualMachine; 
@@ -64,75 +66,67 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur @Override public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException { + if (entity instanceof VirtualMachine) { - String entityType = AclEntityType.VM.toString(); + String entityType = AclEntityType.VM.toString(); - // check if explicit allow/deny is present for this entity in - // acl_entity_permission + // check if explicit allow/deny is present for this entity in + // acl_entity_permission - if (entity instanceof InternalIdentity) { - InternalIdentity entityWithId = (InternalIdentity) entity; + if (entity instanceof InternalIdentity) { + InternalIdentity entityWithId = (InternalIdentity) entity; - List acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId()); + List acctGroups = _aclGroupAccountMapDao.listByAccountId(caller.getId()); - for (AclGroupAccountMapVO groupMapping : acctGroups) { - AclEntityPermissionVO entityPermission = _entityPermissionDao.findByGroupAndEntity( - groupMapping.getAclGroupId(), entityType, entityWithId.getId(), accessType); + for (AclGroupAccountMapVO groupMapping : acctGroups) { + AclEntityPermissionVO entityPermission = _entityPermissionDao.findByGroupAndEntity( + groupMapping.getAclGroupId(), entityType, entityWithId.getId(), accessType); - if (entityPermission != null) { - if (entityPermission.isAllowed()) { - return true; - } else { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Account " + caller + " does not have permission to access resource " - + entity + " for access type: " + accessType); + if (entityPermission != null) { + if (entityPermission.isAllowed()) { + return true; + } else { + if (s_logger.isDebugEnabled()) { + s_logger.debug("Account " + caller + " does not have permission to access resource " + + entity + " for access type: " + accessType); + } + throw new PermissionDeniedException(caller + + " does not have permission to access 
resource " + entity); } - throw new PermissionDeniedException(caller + " does not have permission to access resource " - + entity); } } } - } - - // Is Caller RootAdmin? Yes, granted true - if (_accountService.isRootAdmin(caller.getId())) { - return true; - } - // Is Caller Owner of the entity? Yes, granted true - if (caller.getId() == entity.getAccountId()) { - return true; - } - - // get all Roles of this caller w.r.t the entity - List roles = _aclService.getEffectiveRoles(caller, entity); - - for (AclRole role : roles) { - AclRolePermissionVO permission = _rolePermissionDao.findByRoleAndEntity(role.getId(), entityType, - accessType); - boolean operationAllowedForAll = true; - if (permission.getEntityType().equals(entityType)) { - if (permission.isAllowed()) { - return true; - } else { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Account " + caller + " does not have permission to access resource " + entity - + " for access type: " + accessType); + // get all Roles of this caller w.r.t the entity + List roles = _aclService.getEffectiveRoles(caller, entity); + HashMap rolePermissionMap = new HashMap(); + + for (AclRole role : roles) { + List permissions = _rolePermissionDao.listByRoleAndEntity(role.getId(), + entityType, accessType); + for (AclRolePermissionVO permission : permissions) { + if (permission.getEntityType().equals(entityType)) { + rolePermissionMap.put(role, permission.isAllowed()); + break; + } else if (permission.getEntityType().equals("*")) { + rolePermissionMap.put(role, permission.isAllowed()); } - throw new PermissionDeniedException(caller + " does not have permission to access resource " - + entity); } - } else if (permission.getEntityType().equals("*")) { - if (permission.isAllowed()) { - operationAllowedForAll = true; - } else { - operationAllowedForAll = false; + if (rolePermissionMap.containsKey(role) && rolePermissionMap.get(role)) { + return true; } } + if (!roles.isEmpty()) { // Since we reach this point, none of the + // roles 
granted access + if (s_logger.isDebugEnabled()) { + s_logger.debug("Account " + caller + " does not have permission to access resource " + entity + + " for access type: " + accessType); + } + throw new PermissionDeniedException(caller + " does not have permission to access resource " + entity); + } } - return false; } }
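Review bot: The `if (!roles.isEmpty())` branch near the end of checkAccess throws PermissionDeniedException whenever the caller has at least one effective role, even when none of those roles has a permission row for this entity type and access type — `rolePermissionMap` stays empty in that case, so the code cannot distinguish "no applicable rule" from an explicit deny. Because an allow already returns true inside the loop, every entry still in the map at that point is a deny, so `if (!rolePermissionMap.isEmpty()) { // at least one role explicitly denies, none allows` states the intended condition and lets a role with no matching rule fall through like a caller with no roles does, instead of a hard denial. This matters more now that the root-admin and owner shortcuts are gone from this method: if the aggregating caller treats a thrown exception as final but a false return as "consult the next checker" (inferred, not visible here), an owner whose role merely lacks a VM rule would be locked out. Separately, the `VirtualMachineTemplate` import added in the first hunk does not appear to be referenced by the new code in this diff.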