cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mc...@apache.org
Subject [2/3] Fix API build error based on new DB schema, now only RoleBasedEntityAccessChecker needs to be fixed.
Date Fri, 06 Dec 2013 23:10:07 GMT
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclGroupCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclGroupCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclGroupCmd.java
deleted file mode 100644
index b9a75d7..0000000
--- a/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclGroupCmd.java
+++ /dev/null
@@ -1,131 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.admin.acl;
-
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.AclGroup;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.context.CallContext;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "revokePermissionFromAclGroup", description = "revoke entity permission from an acl group", responseObject = AclGroupResponse.class)
-public class RevokePermissionFromAclGroupCmd extends BaseAsyncCmd {
-    public static final Logger s_logger = Logger.getLogger(RevokePermissionFromAclGroupCmd.class.getName());
-    private static final String s_name = "revokepermissiontoaclgroupresponse";
-
-    /////////////////////////////////////////////////////
-    //////////////// API parameters /////////////////////
-    /////////////////////////////////////////////////////
-
-
-    @ACL
-    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class,
-            required = true, description = "The ID of the acl group")
-    private Long id;
-
-    @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = true, description = "entity class simple name.")
-    private String entityType;
-
-    @Parameter(name = ApiConstants.ENTITY_ID, type = CommandType.UUID, required = true, description = "The ID of the entity")
-    private Long entityId;
-
-    @Parameter(name = ApiConstants.ACCESS_TYPE, type = CommandType.STRING, required = true, description = "access type for the entity")
-    private String accessType;
-
-    /////////////////////////////////////////////////////
-    /////////////////// Accessors ///////////////////////
-    /////////////////////////////////////////////////////
-
-
-    public Long getId() {
-        return id;
-    }
-
-    public String getEntityType() {
-        return entityType;
-    }
-
-    public Long getEntityId() {
-        return entityId;
-    }
-
-    public AccessType getAccessType() {
-        return AccessType.valueOf(accessType);
-    }
-
-
-    /////////////////////////////////////////////////////
-    /////////////// API Implementation///////////////////
-    /////////////////////////////////////////////////////
-
-    @Override
-    public String getCommandName() {
-        return s_name;
-    }
-
-
-    @Override
-    public long getEntityOwnerId() {
-        return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
-    }
-
-    @Override
-    public void execute() throws ResourceUnavailableException,
-            InsufficientCapacityException, ServerApiException {
-        CallContext.current().setEventDetails("Acl group Id: " + getId());
-        AclGroup result = _aclService.revokeEntityPermissionFromAclGroup(id, entityType, entityId, getAccessType());
-        if (result != null){
-            AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
-            response.setResponseName(getCommandName());
-            setResponseObject(response);
-        } else {
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl group");
-        }
-    }
-
-    @Override
-    public String getEventType() {
-        return EventTypes.EVENT_ACL_GROUP_GRANT;
-    }
-
-    @Override
-    public String getEventDescription() {
-        return "granting permission to acl group";
-    }
-
-    @Override
-    public ApiCommandJobType getInstanceType() {
-        return ApiCommandJobType.AclGroup;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java b/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java
deleted file mode 100644
index 4576b76..0000000
--- a/api/src/org/apache/cloudstack/api/command/admin/acl/RevokePermissionFromAclRoleCmd.java
+++ /dev/null
@@ -1,120 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.admin.acl;
-
-import java.util.List;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.AclRole;
-import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiCommandJobType;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseAsyncCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.AclRoleResponse;
-import org.apache.cloudstack.context.CallContext;
-
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InsufficientCapacityException;
-import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.user.Account;
-
-
-@APICommand(name = "revokePermissionFromAclRole", description = "Revoke api permission from an acl role", responseObject = AclRoleResponse.class)
-public class RevokePermissionFromAclRoleCmd extends BaseAsyncCmd {
-    public static final Logger s_logger = Logger.getLogger(RevokePermissionFromAclRoleCmd.class.getName());
-    private static final String s_name = "revokepermissionfromroleresponse";
-
-    /////////////////////////////////////////////////////
-    //////////////// API parameters /////////////////////
-    /////////////////////////////////////////////////////
-
-
-    @ACL
-    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclRoleResponse.class,
-            required = true, description = "The ID of the acl role")
-    private Long id;
-
-    @ACL
-    @Parameter(name = ApiConstants.ACL_APIS, type = CommandType.LIST, collectionType = CommandType.STRING, description = "comma separated list of apis granted to the acl role. ")
-    private List<String> apiList;
-
-
-    /////////////////////////////////////////////////////
-    /////////////////// Accessors ///////////////////////
-    /////////////////////////////////////////////////////
-
-
-    public Long getId() {
-        return id;
-    }
-
-
-    public List<String> getApiList() {
-        return apiList;
-    }
-
-    /////////////////////////////////////////////////////
-    /////////////// API Implementation///////////////////
-    /////////////////////////////////////////////////////
-
-
-    @Override
-    public String getCommandName() {
-        return s_name;
-    }
-
-
-    @Override
-    public long getEntityOwnerId() {
-        return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
-    }
-
-    @Override
-    public void execute() throws ResourceUnavailableException,
-            InsufficientCapacityException, ServerApiException {
-        CallContext.current().setEventDetails("Acl role Id: " + getId());
-        AclRole result = _aclService.revokeApiPermissionFromAclRole(id, apiList);
-        if (result != null) {
-            AclRoleResponse response = _responseGenerator.createAclRoleResponse(result);
-            response.setResponseName(getCommandName());
-            setResponseObject(response);
-        } else {
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to revoke permission from acl role " + getId());
-        }
-    }
-
-    @Override
-    public String getEventType() {
-        return EventTypes.EVENT_ACL_ROLE_REVOKE;
-    }
-
-    @Override
-    public String getEventDescription() {
-        return "revoking permission from acl role";
-    }
-
-    @Override
-    public ApiCommandJobType getInstanceType() {
-        return ApiCommandJobType.AclRole;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/api/src/org/apache/cloudstack/api/response/AclEntityPermissionResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/AclEntityPermissionResponse.java b/api/src/org/apache/cloudstack/api/response/AclEntityPermissionResponse.java
deleted file mode 100644
index da3b4b2..0000000
--- a/api/src/org/apache/cloudstack/api/response/AclEntityPermissionResponse.java
+++ /dev/null
@@ -1,112 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.response;
-
-import com.google.gson.annotations.SerializedName;
-
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseResponse;
-
-import com.cloud.serializer.Param;
-
-public class AclEntityPermissionResponse extends BaseResponse {
-
-    @SerializedName(ApiConstants.GROUP_ID)
-    @Param(description = "the ID of the acl group")
-    private String groupId;
-
-    @SerializedName(ApiConstants.ENTITY_TYPE)
-    @Param(description = "the entity type of this permission")
-    private String entityType;
-
-    @SerializedName(ApiConstants.ENTITY_ID)
-    @Param(description = "the uuid of the entity involved in this permission")
-    private String entityId;
-
-    @SerializedName(ApiConstants.ACCESS_TYPE)
-    @Param(description = "access type involved in this permission")
-    private String accessType;
-
-
-
-    public String getGroupId() {
-        return groupId;
-    }
-
-    public void setGroupId(String groupId) {
-        this.groupId = groupId;
-    }
-
-    public String getEntityType() {
-        return entityType;
-    }
-
-    public void setEntityType(String entityType) {
-        this.entityType = entityType;
-    }
-
-    public String getEntityId() {
-        return entityId;
-    }
-
-    public void setEntityId(String entityId) {
-        this.entityId = entityId;
-    }
-
-    public String getAccessType() {
-        return accessType;
-    }
-
-    public void setAccessType(String accessType) {
-        this.accessType = accessType;
-    }
-
-    @Override
-    public int hashCode() {
-        final int prime = 31;
-        int result = 1;
-        result = prime * result + ((entityType == null) ? 0 : entityType.hashCode());
-        result = prime * result + ((entityId == null) ? 0 : entityId.hashCode());
-        result = prime * result + ((accessType == null) ? 0 : accessType.hashCode());
-        return result;
-    }
-
-    @Override
-    public boolean equals(Object obj) {
-        if (this == obj)
-            return true;
-        if (obj == null)
-            return false;
-        if (getClass() != obj.getClass())
-            return false;
-        AclEntityPermissionResponse other = (AclEntityPermissionResponse) obj;
-        if (entityType == null) {
-            if (other.entityType != null)
-                return false;
-        } else if (!entityType.equals(other.entityType)) {
-            return false;
-        } else if ((entityId == null && other.entityId != null) || !entityId.equals(other.entityId)) {
-            return false;
-        } else if ((accessType == null && other.accessType != null) || !accessType.equals(other.accessType)) {
-            return false;
-        }
-        return true;
-    }
-
-
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java b/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java
deleted file mode 100644
index 2056d35..0000000
--- a/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java
+++ /dev/null
@@ -1,134 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.response;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import com.google.gson.annotations.SerializedName;
-
-import org.apache.cloudstack.acl.AclRole;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseResponse;
-import org.apache.cloudstack.api.EntityReference;
-
-import com.cloud.serializer.Param;
-
-@SuppressWarnings("unused")
-@EntityReference(value = AclRole.class)
-public class AclRoleResponse extends BaseResponse {
-
-    @SerializedName(ApiConstants.ID)
-    @Param(description = "the ID of the acl role")
-    private String id;
-
-    @SerializedName(ApiConstants.NAME)
-    @Param(description = "the name of the acl role")
-    private String name;
-
-    @SerializedName(ApiConstants.DESCRIPTION)
-    @Param(description = "the description of the acl role")
-    private String description;
-
-    @SerializedName(ApiConstants.DOMAIN_ID)
-    @Param(description = "the domain ID of the acl role")
-    private String domainId;
-
-    @SerializedName(ApiConstants.DOMAIN)
-    @Param(description = "the domain name of the acl role")
-    private String domainName;
-
-    @SerializedName(ApiConstants.ACL_APIS)
-    @Param(description = "allowed apis for the acl role ")
-    private List<String> apiList;
-
-    public AclRoleResponse() {
-        apiList = new ArrayList<String>();
-    }
-
-    @Override
-    public String getObjectId() {
-        return getId();
-    }
-
-
-    public String getId() {
-        return id;
-     }
-
-    public void setId(String id) {
-        this.id = id;
-    }
-
-
-    public void setName(String name) {
-        this.name = name;
-    }
-
-    public void setDescription(String description) {
-        this.description = description;
-    }
-
-
-    public void setDomainId(String domainId) {
-        this.domainId = domainId;
-    }
-
-    public void setDomainName(String domainName) {
-        this.domainName = domainName;
-    }
-
-    public List<String> getApiList() {
-        return apiList;
-    }
-
-    public void setApiList(List<String> apiList) {
-        this.apiList = apiList;
-    }
-
-    public void addApi(String api) {
-        apiList.add(api);
-    }
-
-    @Override
-    public int hashCode() {
-        final int prime = 31;
-        int result = 1;
-        result = prime * result + ((id == null) ? 0 : id.hashCode());
-        return result;
-    }
-
-    @Override
-    public boolean equals(Object obj) {
-        if (this == obj)
-            return true;
-        if (obj == null)
-            return false;
-        if (getClass() != obj.getClass())
-            return false;
-        AclRoleResponse other = (AclRoleResponse) obj;
-        if (id == null) {
-            if (other.id != null)
-                return false;
-        } else if (!id.equals(other.id))
-            return false;
-        return true;
-    }
-
-
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/api/src/org/apache/cloudstack/query/QueryService.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/query/QueryService.java b/api/src/org/apache/cloudstack/query/QueryService.java
index bbbb3fe..00df62e 100644
--- a/api/src/org/apache/cloudstack/query/QueryService.java
+++ b/api/src/org/apache/cloudstack/query/QueryService.java
@@ -45,7 +45,7 @@ import org.apache.cloudstack.api.command.user.volume.ListVolumesCmd;
 import org.apache.cloudstack.api.command.user.zone.ListZonesByCmd;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclRoleResponse;
+import org.apache.cloudstack.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.response.AsyncJobResponse;
 import org.apache.cloudstack.api.response.DiskOfferingResponse;
 import org.apache.cloudstack.api.response.DomainRouterResponse;
@@ -127,7 +127,7 @@ public interface QueryService {
 
     ListResponse<DomainRouterResponse> searchForInternalLbVms(ListInternalLBVMsCmd cmd);
 
-    public ListResponse<AclRoleResponse> listAclRoles(Long aclRoleId, String aclRoleName,
+    public ListResponse<AclPolicyResponse> listAclPolicies(Long aclPolicyId, String aclPolicyName,
             Long domainId, Long startIndex, Long pageSize);
 
     public ListResponse<AclGroupResponse> listAclGroups(Long aclGroupId, String aclGroupName,

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java
index 6570557..e86e710 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclGroupVO.java
@@ -96,6 +96,10 @@ public class AclGroupVO implements AclGroup {
         return accountId;
     }
 
+    public void setAccountId(long accountId) {
+        this.accountId = accountId;
+    }
+
     @Override
     public String getUuid() {
     	return uuid;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java
index 0b23b0b..0d93b4f 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyPermissionVO.java
@@ -97,6 +97,10 @@ public class AclPolicyPermissionVO implements AclPolicyPermission {
     }
 
 
+    public void setAclPolicyId(long aclPolicyId) {
+        this.aclPolicyId = aclPolicyId;
+    }
+
     @Override
     public String getEntityType() {
         return entityType;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java
index 24b9888..5210016 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclPolicyVO.java
@@ -121,6 +121,10 @@ public class AclPolicyVO implements AclPolicy {
         return accountId;
     }
 
+    public void setAccountId(long accountId) {
+        this.accountId = accountId;
+    }
+
     public AclPolicy.PolicyType getPolicyType() {
         return policyType;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
index f8d3cb5..f3c6446 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java
@@ -17,10 +17,19 @@
 package org.apache.cloudstack.acl.dao;
 
 
+import java.util.List;
+
+import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
 import org.apache.cloudstack.acl.AclPolicyPermissionVO;
+import org.apache.cloudstack.acl.PermissionScope;
 
 import com.cloud.utils.db.GenericDao;
 
 public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO, Long> {
 
+    List<AclPolicyPermissionVO> listByPolicy(long policyId);
+
+    AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm);
+
+
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
index 1160d30..11b009b 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java
@@ -16,21 +16,20 @@
 // under the License.
 package org.apache.cloudstack.acl.dao;
 
+import java.util.List;
 import java.util.Map;
 
 import javax.naming.ConfigurationException;
 
+import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
 import org.apache.cloudstack.acl.AclPolicyPermissionVO;
+import org.apache.cloudstack.acl.PermissionScope;
 
 import com.cloud.utils.db.GenericDaoBase;
 
 public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissionVO, Long> implements
         AclPolicyPermissionDao {
 
-    public AclPolicyPermissionDaoImpl()
-    {
-
-    }
 
     @Override
     public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
@@ -39,5 +38,16 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
         return true;
     }
 
+    @Override
+    public List<AclPolicyPermissionVO> listByPolicy(long policyId) {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) {
+        // TODO Auto-generated method stub
+        return null;
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
index 027ff58..f43194a 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
@@ -54,10 +54,10 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
             throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null");
         }
 
-        List<AclRole> roles = _aclService.getAclRoles(account.getAccountId());
+        List<AclRole> roles = _aclService.listAclPolicies(account.getAccountId());
 
 
-        boolean isAllowed = _aclService.isAPIAccessibleForRoles(commandName, roles);
+        boolean isAllowed = _aclService.isAPIAccessibleForPolicies(commandName, roles);
         if (!isAllowed) {
             throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
         }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
index 5a0abf5..6d1fe01 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
@@ -106,7 +106,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
             }
 
             // get all Roles of this caller w.r.t the entity
-            List<AclRole> roles = _aclService.getEffectiveRoles(caller, entity);
+            List<AclRole> roles = _aclService.getEffectivePolicies(caller, entity);
             HashMap<AclRole, Boolean> rolePermissionMap = new HashMap<AclRole, Boolean>();
 
             for (AclRole role : roles) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/api/ApiDBUtils.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiDBUtils.java b/server/src/com/cloud/api/ApiDBUtils.java
index 3ae7142..f6e7cd8 100755
--- a/server/src/com/cloud/api/ApiDBUtils.java
+++ b/server/src/com/cloud/api/ApiDBUtils.java
@@ -26,7 +26,7 @@ import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 
 import org.apache.cloudstack.acl.AclGroup;
-import org.apache.cloudstack.acl.AclRole;
+import org.apache.cloudstack.acl.AclPolicy;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
 import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@@ -36,7 +36,7 @@ import org.apache.cloudstack.api.ApiConstants.VMDetails;
 import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclRoleResponse;
+import org.apache.cloudstack.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.response.AsyncJobResponse;
 import org.apache.cloudstack.api.response.DiskOfferingResponse;
 import org.apache.cloudstack.api.response.DomainRouterResponse;
@@ -70,7 +70,7 @@ import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
 
 import com.cloud.api.query.dao.AccountJoinDao;
 import com.cloud.api.query.dao.AclGroupJoinDao;
-import com.cloud.api.query.dao.AclRoleJoinDao;
+import com.cloud.api.query.dao.AclPolicyJoinDao;
 import com.cloud.api.query.dao.AffinityGroupJoinDao;
 import com.cloud.api.query.dao.AsyncJobJoinDao;
 import com.cloud.api.query.dao.DataCenterJoinDao;
@@ -92,7 +92,7 @@ import com.cloud.api.query.dao.UserVmJoinDao;
 import com.cloud.api.query.dao.VolumeJoinDao;
 import com.cloud.api.query.vo.AccountJoinVO;
 import com.cloud.api.query.vo.AclGroupJoinVO;
-import com.cloud.api.query.vo.AclRoleJoinVO;
+import com.cloud.api.query.vo.AclPolicyJoinVO;
 import com.cloud.api.query.vo.AffinityGroupJoinVO;
 import com.cloud.api.query.vo.AsyncJobJoinVO;
 import com.cloud.api.query.vo.DataCenterJoinVO;
@@ -411,7 +411,7 @@ public class ApiDBUtils {
     static GlobalLoadBalancingRulesService _gslbService;
     static NetworkACLDao _networkACLDao;
     static AccountService _accountService;
-    static AclRoleJoinDao _aclRoleJoinDao;
+    static AclPolicyJoinDao _aclPolicyJoinDao;
     static AclGroupJoinDao _aclGroupJoinDao;
     static ResourceMetaDataService _resourceDetailsService;
 
@@ -527,7 +527,7 @@ public class ApiDBUtils {
     @Inject private ServiceOfferingDetailsDao serviceOfferingDetailsDao;
     @Inject private AccountService accountService;
     @Inject
-    private AclRoleJoinDao aclRoleJoinDao;
+    private AclPolicyJoinDao aclPolicyJoinDao;
     @Inject
     private AclGroupJoinDao aclGroupJoinDao;
     @Inject private ConfigurationManager configMgr;
@@ -643,7 +643,7 @@ public class ApiDBUtils {
         _statsCollector = StatsCollector.getInstance();
         _networkACLDao = networkACLDao;
         _accountService = accountService;
-        _aclRoleJoinDao = aclRoleJoinDao;
+        _aclPolicyJoinDao = aclPolicyJoinDao;
         _aclGroupJoinDao = aclGroupJoinDao;
         _resourceDetailsService = resourceDetailsService;
     }
@@ -1698,16 +1698,16 @@ public class ApiDBUtils {
         return _affinityGroupJoinDao.setAffinityGroupResponse(resp, group);
     }
 
-    public static List<AclRoleJoinVO> newAclRoleView(AclRole role) {
-        return _aclRoleJoinDao.newAclRoleView(role);
+    public static List<AclPolicyJoinVO> newAclPolicyView(AclPolicy policy) {
+        return _aclPolicyJoinDao.newAclPolicyView(policy);
     }
 
-    public static AclRoleResponse newAclRoleResponse(AclRoleJoinVO role) {
-        return _aclRoleJoinDao.newAclRoleResponse(role);
+    public static AclPolicyResponse newAclPolicyResponse(AclPolicyJoinVO policy) {
+        return _aclPolicyJoinDao.newAclPolicyResponse(policy);
     }
 
-    public static AclRoleResponse fillAclRoleDetails(AclRoleResponse resp, AclRoleJoinVO role) {
-        return _aclRoleJoinDao.setAclRoleResponse(resp, role);
+    public static AclPolicyResponse fillAclPolicyDetails(AclPolicyResponse resp, AclPolicyJoinVO policy) {
+        return _aclPolicyJoinDao.setAclPolicyResponse(resp, policy);
     }
 
     public static List<AclGroupJoinVO> newAclGroupView(AclGroup group) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index 16f3c65..271c7d9 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -34,7 +34,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.AclGroup;
-import org.apache.cloudstack.acl.AclRole;
+import org.apache.cloudstack.acl.AclPolicy;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.affinity.AffinityGroup;
@@ -46,7 +46,7 @@ import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclRoleResponse;
+import org.apache.cloudstack.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.response.ApplicationLoadBalancerInstanceResponse;
 import org.apache.cloudstack.api.response.ApplicationLoadBalancerResponse;
 import org.apache.cloudstack.api.response.ApplicationLoadBalancerRuleResponse;
@@ -155,7 +155,7 @@ import org.apache.cloudstack.usage.UsageTypes;
 import com.cloud.api.query.ViewResponseHelper;
 import com.cloud.api.query.vo.AccountJoinVO;
 import com.cloud.api.query.vo.AclGroupJoinVO;
-import com.cloud.api.query.vo.AclRoleJoinVO;
+import com.cloud.api.query.vo.AclPolicyJoinVO;
 import com.cloud.api.query.vo.AsyncJobJoinVO;
 import com.cloud.api.query.vo.ControlledViewEntity;
 import com.cloud.api.query.vo.DataCenterJoinVO;
@@ -3709,11 +3709,11 @@ public class ApiResponseHelper implements ResponseGenerator {
     }
 
     @Override
-    public AclRoleResponse createAclRoleResponse(AclRole role) {
-        List<AclRoleJoinVO> viewRoles = ApiDBUtils.newAclRoleView(role);
-        List<AclRoleResponse> listRoles = ViewResponseHelper.createAclRoleResponses(viewRoles);
-        assert listRoles != null && listRoles.size() == 1 : "There should be one acl role returned";
-        return listRoles.get(0);
+    public AclPolicyResponse createAclPolicyResponse(AclPolicy policy) {
+        List<AclPolicyJoinVO> viewPolicies = ApiDBUtils.newAclPolicyView(policy);
+        List<AclPolicyResponse> listPolicies = ViewResponseHelper.createAclPolicyResponses(viewPolicies);
+        assert listPolicies != null && listPolicies.size() == 1 : "There should be one acl policy returned";
+        return listPolicies.get(0);
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 5b0d7cc..672ad12 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -51,14 +51,44 @@ import javax.naming.ConfigurationException;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.codec.binary.Base64;
+import org.apache.http.ConnectionClosedException;
+import org.apache.http.HttpException;
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpResponse;
+import org.apache.http.HttpServerConnection;
+import org.apache.http.HttpStatus;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.utils.URLEncodedUtils;
+import org.apache.http.entity.BasicHttpEntity;
+import org.apache.http.impl.DefaultHttpResponseFactory;
+import org.apache.http.impl.DefaultHttpServerConnection;
+import org.apache.http.impl.NoConnectionReuseStrategy;
+import org.apache.http.impl.SocketHttpServerConnection;
+import org.apache.http.params.BasicHttpParams;
+import org.apache.http.params.CoreConnectionPNames;
+import org.apache.http.params.CoreProtocolPNames;
+import org.apache.http.params.HttpParams;
+import org.apache.http.protocol.BasicHttpContext;
+import org.apache.http.protocol.BasicHttpProcessor;
+import org.apache.http.protocol.HttpContext;
+import org.apache.http.protocol.HttpRequestHandler;
+import org.apache.http.protocol.HttpRequestHandlerRegistry;
+import org.apache.http.protocol.HttpService;
+import org.apache.http.protocol.ResponseConnControl;
+import org.apache.http.protocol.ResponseContent;
+import org.apache.http.protocol.ResponseDate;
+import org.apache.http.protocol.ResponseServer;
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
 import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
 import org.apache.cloudstack.acl.AclPolicyPermissionVO;
 import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
-import org.apache.cloudstack.affinity.AffinityGroupVMMapVO;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
@@ -96,36 +126,6 @@ import org.apache.cloudstack.framework.jobs.AsyncJob;
 import org.apache.cloudstack.framework.jobs.AsyncJobManager;
 import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.http.ConnectionClosedException;
-import org.apache.http.HttpException;
-import org.apache.http.HttpRequest;
-import org.apache.http.HttpResponse;
-import org.apache.http.HttpServerConnection;
-import org.apache.http.HttpStatus;
-import org.apache.http.NameValuePair;
-import org.apache.http.client.utils.URLEncodedUtils;
-import org.apache.http.entity.BasicHttpEntity;
-import org.apache.http.impl.DefaultHttpResponseFactory;
-import org.apache.http.impl.DefaultHttpServerConnection;
-import org.apache.http.impl.NoConnectionReuseStrategy;
-import org.apache.http.impl.SocketHttpServerConnection;
-import org.apache.http.params.BasicHttpParams;
-import org.apache.http.params.CoreConnectionPNames;
-import org.apache.http.params.CoreProtocolPNames;
-import org.apache.http.params.HttpParams;
-import org.apache.http.protocol.BasicHttpContext;
-import org.apache.http.protocol.BasicHttpProcessor;
-import org.apache.http.protocol.HttpContext;
-import org.apache.http.protocol.HttpRequestHandler;
-import org.apache.http.protocol.HttpRequestHandlerRegistry;
-import org.apache.http.protocol.HttpService;
-import org.apache.http.protocol.ResponseConnControl;
-import org.apache.http.protocol.ResponseContent;
-import org.apache.http.protocol.ResponseDate;
-import org.apache.http.protocol.ResponseServer;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
 
 import com.cloud.api.response.ApiResponseSerializer;
 import com.cloud.configuration.Config;
@@ -1017,7 +1017,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
         }
     }
 
-    private Class<?> getCmdClass(String cmdName) {
+    @Override
+    public Class<?> getCmdClass(String cmdName) {
         List<Class<?>> cmdList = _apiNameCmdClassMap.get(cmdName);
         if (cmdList == null || cmdList.size() == 0)
             return null;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/api/ApiServerService.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServerService.java b/server/src/com/cloud/api/ApiServerService.java
index dac81c6..4a4ae1e 100644
--- a/server/src/com/cloud/api/ApiServerService.java
+++ b/server/src/com/cloud/api/ApiServerService.java
@@ -35,4 +35,6 @@ public interface ApiServerService {
     public String getSerializedApiError(ServerApiException ex, Map<String, Object[]> apiCommandParams, String responseType);
 
     public String handleRequest(Map params, String responseType, StringBuffer auditTrailSb) throws ServerApiException;
+
+    public Class<?> getCmdClass(String cmdName);
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 8eff952..4a3e882 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -30,7 +30,7 @@ import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
 
 import org.apache.cloudstack.acl.AclGroup;
-import org.apache.cloudstack.acl.AclRole;
+import org.apache.cloudstack.acl.AclPolicy;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.dao.AclGroupDao;
@@ -71,7 +71,7 @@ import org.apache.cloudstack.api.command.user.volume.ListVolumesCmd;
 import org.apache.cloudstack.api.command.user.zone.ListZonesByCmd;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclRoleResponse;
+import org.apache.cloudstack.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.response.AsyncJobResponse;
 import org.apache.cloudstack.api.response.DiskOfferingResponse;
 import org.apache.cloudstack.api.response.DomainRouterResponse;
@@ -100,7 +100,7 @@ import org.apache.cloudstack.query.QueryService;
 
 import com.cloud.api.query.dao.AccountJoinDao;
 import com.cloud.api.query.dao.AclGroupJoinDao;
-import com.cloud.api.query.dao.AclRoleJoinDao;
+import com.cloud.api.query.dao.AclPolicyJoinDao;
 import com.cloud.api.query.dao.AffinityGroupJoinDao;
 import com.cloud.api.query.dao.AsyncJobJoinDao;
 import com.cloud.api.query.dao.DataCenterJoinDao;
@@ -122,6 +122,7 @@ import com.cloud.api.query.dao.UserVmJoinDao;
 import com.cloud.api.query.dao.VolumeJoinDao;
 import com.cloud.api.query.vo.AccountJoinVO;
 import com.cloud.api.query.vo.AclGroupJoinVO;
+import com.cloud.api.query.vo.AclPolicyJoinVO;
 import com.cloud.api.query.vo.AclRoleJoinVO;
 import com.cloud.api.query.vo.AffinityGroupJoinVO;
 import com.cloud.api.query.vo.AsyncJobJoinVO;
@@ -350,10 +351,10 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
     AffinityGroupDomainMapDao _affinityGroupDomainMapDao;
 
     @Inject
-    AclRoleJoinDao _aclRoleJoinDao;
+    AclPolicyJoinDao _aclPolicyJoinDao;
 
     @Inject
-    AclPolicyDao _aclRoleDao;
+    AclPolicyDao _aclPolicyDao;
 
     @Inject
     AclGroupJoinDao _aclGroupJoinDao;
@@ -3308,28 +3309,29 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
     }
 
     @Override
-    public ListResponse<AclRoleResponse> listAclRoles(Long aclRoleId, String aclRoleName, Long domainId, Long startIndex, Long pageSize) {
-        Pair<List<AclRoleJoinVO>, Integer> result = listAclRolesInternal(aclRoleId, aclRoleName, domainId, true, true, startIndex, pageSize);
-        ListResponse<AclRoleResponse> response = new ListResponse<AclRoleResponse>();
+    public ListResponse<AclPolicyResponse> listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex, Long pageSize) {
+        Pair<List<AclPolicyJoinVO>, Integer> result = listAclPoliciesInternal(aclPolicyId, aclPolicyName, domainId, true, true, startIndex, pageSize);
+        ListResponse<AclPolicyResponse> response = new ListResponse<AclPolicyResponse>();
 
-        List<AclRoleResponse> roleResponses = ViewResponseHelper.createAclRoleResponses(result.first());
+        List<AclPolicyResponse> roleResponses = ViewResponseHelper.createAclPolicyResponses(result.first());
         response.setResponses(roleResponses, result.second());
         return response;
     }
 
-    private Pair<List<AclRoleJoinVO>, Integer> listAclRolesInternal(Long aclRoleId, String aclRoleName, Long domainId, boolean isRecursive, boolean listAll, Long startIndex,
+    private Pair<List<AclPolicyJoinVO>, Integer> listAclPoliciesInternal(Long aclPolicyId, String aclPolicyName, Long domainId, boolean isRecursive, boolean listAll,
+            Long startIndex,
             Long pageSize) {
 
         Account caller = CallContext.current().getCallingAccount();
         Boolean listForDomain = false;
 
-        if (aclRoleId != null) {
-            AclRole role = _aclRoleDao.findById(aclRoleId);
-            if (role == null) {
-                throw new InvalidParameterValueException("Unable to find acl role by id " + aclRoleId);
+        if (aclPolicyId != null) {
+            AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
+            if (policy == null) {
+                throw new InvalidParameterValueException("Unable to find acl policy by id " + aclPolicyId);
             }
 
-            _accountMgr.checkAccess(caller, null, true, role);
+            _accountMgr.checkAccess(caller, null, true, policy);
         }
 
         if (domainId != null) {
@@ -3340,17 +3342,17 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
 
             _accountMgr.checkAccess(caller, domain);
 
-            if (aclRoleName != null) {
-                AclRole role = _aclRoleDao.findByName(domainId, aclRoleName);
-                if (role == null) {
-                    throw new InvalidParameterValueException("Unable to find acl role by name " + aclRoleName
+            if (aclPolicyName != null) {
+                AclPolicy policy = _aclPolicyDao.findByName(domainId, aclPolicyName);
+                if (policy == null) {
+                    throw new InvalidParameterValueException("Unable to find acl policy by name " + aclPolicyName
                             + " in domain " + domainId);
                 }
-                _accountMgr.checkAccess(caller, null, true, role);
+                _accountMgr.checkAccess(caller, null, true, policy);
             }
         }
 
-        if (aclRoleId == null) {
+        if (aclPolicyId == null) {
             if (_accountMgr.isAdmin(caller.getType()) && listAll && domainId == null) {
                 listForDomain = true;
                 isRecursive = true;
@@ -3365,7 +3367,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         Filter searchFilter = new Filter(AclRoleJoinVO.class, "id", true, startIndex, pageSize);
 
 
-        SearchBuilder<AclRoleJoinVO> sb = _aclRoleJoinDao.createSearchBuilder();
+        SearchBuilder<AclPolicyJoinVO> sb = _aclPolicyJoinDao.createSearchBuilder();
         sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct ids
 
         sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
@@ -3376,14 +3378,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             sb.and("path", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
         }
 
-        SearchCriteria<AclRoleJoinVO> sc = sb.create();
+        SearchCriteria<AclPolicyJoinVO> sc = sb.create();
 
-        if (aclRoleName != null) {
-            sc.setParameters("name", aclRoleName);
+        if (aclPolicyName != null) {
+            sc.setParameters("name", aclPolicyName);
         }
 
-        if (aclRoleId != null) {
-            sc.setParameters("id", aclRoleId);
+        if (aclPolicyId != null) {
+            sc.setParameters("id", aclPolicyId);
         }
 
         if (listForDomain) {
@@ -3396,21 +3398,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         }
 
 
-        // search role details by ids
-        Pair<List<AclRoleJoinVO>, Integer> uniqueRolePair = _aclRoleJoinDao.searchAndCount(sc, searchFilter);
+        // search policy details by ids
+        Pair<List<AclPolicyJoinVO>, Integer> uniqueRolePair = _aclPolicyJoinDao.searchAndCount(sc, searchFilter);
         Integer count = uniqueRolePair.second();
         if (count.intValue() == 0) {
             // empty result
             return uniqueRolePair;
         }
-        List<AclRoleJoinVO> uniqueRoles = uniqueRolePair.first();
+        List<AclPolicyJoinVO> uniqueRoles = uniqueRolePair.first();
         Long[] vrIds = new Long[uniqueRoles.size()];
         int i = 0;
-        for (AclRoleJoinVO v : uniqueRoles) {
+        for (AclPolicyJoinVO v : uniqueRoles) {
             vrIds[i++] = v.getId();
         }
-        List<AclRoleJoinVO> vrs = _aclRoleJoinDao.searchByIds(vrIds);
-        return new Pair<List<AclRoleJoinVO>, Integer>(vrs, count);
+        List<AclPolicyJoinVO> vrs = _aclPolicyJoinDao.searchByIds(vrIds);
+        return new Pair<List<AclPolicyJoinVO>, Integer>(vrs, count);
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/api/query/ViewResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/ViewResponseHelper.java b/server/src/com/cloud/api/query/ViewResponseHelper.java
index 7f5168c..cfb097e 100644
--- a/server/src/com/cloud/api/query/ViewResponseHelper.java
+++ b/server/src/com/cloud/api/query/ViewResponseHelper.java
@@ -29,7 +29,7 @@ import org.apache.cloudstack.api.ApiConstants.VMDetails;
 import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclRoleResponse;
+import org.apache.cloudstack.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.response.AsyncJobResponse;
 import org.apache.cloudstack.api.response.DiskOfferingResponse;
 import org.apache.cloudstack.api.response.DomainRouterResponse;
@@ -55,7 +55,7 @@ import org.apache.cloudstack.context.CallContext;
 import com.cloud.api.ApiDBUtils;
 import com.cloud.api.query.vo.AccountJoinVO;
 import com.cloud.api.query.vo.AclGroupJoinVO;
-import com.cloud.api.query.vo.AclRoleJoinVO;
+import com.cloud.api.query.vo.AclPolicyJoinVO;
 import com.cloud.api.query.vo.AffinityGroupJoinVO;
 import com.cloud.api.query.vo.AsyncJobJoinVO;
 import com.cloud.api.query.vo.DataCenterJoinVO;
@@ -445,20 +445,20 @@ public class ViewResponseHelper {
         return new ArrayList<AffinityGroupResponse>(vrDataList.values());
     }
 
-    public static List<AclRoleResponse> createAclRoleResponses(List<AclRoleJoinVO> roles) {
-        Hashtable<Long, AclRoleResponse> vrDataList = new Hashtable<Long, AclRoleResponse>();
-        for (AclRoleJoinVO vr : roles) {
-            AclRoleResponse vrData = vrDataList.get(vr.getId());
+    public static List<AclPolicyResponse> createAclPolicyResponses(List<AclPolicyJoinVO> policies) {
+        Hashtable<Long, AclPolicyResponse> vrDataList = new Hashtable<Long, AclPolicyResponse>();
+        for (AclPolicyJoinVO vr : policies) {
+            AclPolicyResponse vrData = vrDataList.get(vr.getId());
             if (vrData == null) {
-                // first time encountering this Acl role
-                vrData = ApiDBUtils.newAclRoleResponse(vr);
+                // first time encountering this Acl policy
+                vrData = ApiDBUtils.newAclPolicyResponse(vr);
             } else {
                 // update vms
-                vrData = ApiDBUtils.fillAclRoleDetails(vrData, vr);
+                vrData = ApiDBUtils.fillAclPolicyDetails(vrData, vr);
             }
             vrDataList.put(vr.getId(), vrData);
         }
-        return new ArrayList<AclRoleResponse>(vrDataList.values());
+        return new ArrayList<AclPolicyResponse>(vrDataList.values());
     }
 
     public static List<AclGroupResponse> createAclGroupResponses(List<AclGroupJoinVO> groups) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
index 216a9e0..7929c3a 100644
--- a/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
@@ -37,7 +37,7 @@ import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
 
 @Component
-@Local(value = {AclRoleJoinDao.class})
+@Local(value = {AclPolicyJoinDao.class})
 public class AclPolicyJoinDaoImpl extends GenericDaoBase<AclPolicyJoinVO, Long> implements AclPolicyJoinDao {
     public static final Logger s_logger = Logger.getLogger(AclPolicyJoinDaoImpl.class);
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/api/query/dao/AclRoleJoinDao.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclRoleJoinDao.java b/server/src/com/cloud/api/query/dao/AclRoleJoinDao.java
deleted file mode 100644
index e35e66c..0000000
--- a/server/src/com/cloud/api/query/dao/AclRoleJoinDao.java
+++ /dev/null
@@ -1,36 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.api.query.dao;
-
-import java.util.List;
-
-import org.apache.cloudstack.acl.AclRole;
-import org.apache.cloudstack.api.response.AclRoleResponse;
-
-import com.cloud.api.query.vo.AclRoleJoinVO;
-import com.cloud.utils.db.GenericDao;
-
-public interface AclRoleJoinDao extends GenericDao<AclRoleJoinVO, Long> {
-
-    AclRoleResponse newAclRoleResponse(AclRoleJoinVO role);
-
-    AclRoleResponse setAclRoleResponse(AclRoleResponse response, AclRoleJoinVO os);
-
-    List<AclRoleJoinVO> newAclRoleView(AclRole role);
-
-    List<AclRoleJoinVO> searchByIds(Long... ids);
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java
deleted file mode 100644
index 416cb0f..0000000
--- a/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java
+++ /dev/null
@@ -1,145 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.api.query.dao;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.ejb.Local;
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
-
-import org.apache.cloudstack.acl.AclRole;
-import org.apache.cloudstack.api.response.AclRoleResponse;
-import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-
-import com.cloud.api.query.vo.AclRoleJoinVO;
-import com.cloud.user.AccountManager;
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-@Component
-@Local(value = {AclRoleJoinDao.class})
-public class AclRoleJoinDaoImpl extends GenericDaoBase<AclRoleJoinVO, Long> implements AclRoleJoinDao {
-    public static final Logger s_logger = Logger.getLogger(AclRoleJoinDaoImpl.class);
-
-
-    private final SearchBuilder<AclRoleJoinVO> roleIdSearch;
-    private final SearchBuilder<AclRoleJoinVO> roleSearch;
-    @Inject
-    public AccountManager _accountMgr;
-    @Inject
-    public ConfigurationDao _configDao;
-
-    protected AclRoleJoinDaoImpl() {
-
-        roleSearch = createSearchBuilder();
-        roleSearch.and("idIN", roleSearch.entity().getId(), SearchCriteria.Op.IN);
-        roleSearch.done();
-
-        roleIdSearch = createSearchBuilder();
-        roleIdSearch.and("id", roleIdSearch.entity().getId(), SearchCriteria.Op.EQ);
-        roleIdSearch.done();
-
-        _count = "select count(distinct id) from acl_role_view WHERE ";
-    }
-
-
-
-    @Override
-    public AclRoleResponse newAclRoleResponse(AclRoleJoinVO role) {
-
-        AclRoleResponse response = new AclRoleResponse();
-        response.setId(role.getUuid());
-        response.setName(role.getName());
-        response.setDescription(role.getDescription());
-        response.setDomainId(role.getDomainUuid());
-        response.setDomainName(role.getName());
-        if (role.getApiName() != null) {
-            response.addApi(role.getApiName());
-        }
-
-        response.setObjectName("aclrole");
-        
-
-        return response;
-    }
-
-    @Override
-    public AclRoleResponse setAclRoleResponse(AclRoleResponse response, AclRoleJoinVO role) {
-        if (role.getApiName() != null) {
-            response.addApi(role.getApiName());
-        }
-        return response;
-    }
-
-    @Override
-    public List<AclRoleJoinVO> newAclRoleView(AclRole role) {
-        SearchCriteria<AclRoleJoinVO> sc = roleIdSearch.create();
-        sc.setParameters("id", role.getId());
-        return searchIncludingRemoved(sc, null, null, false);
-
-    }
-
-    @Override
-    public List<AclRoleJoinVO> searchByIds(Long... roleIds) {
-        // set detail batch query size
-        int DETAILS_BATCH_SIZE = 2000;
-        String batchCfg = _configDao.getValue("detail.batch.query.size");
-        if (batchCfg != null) {
-            DETAILS_BATCH_SIZE = Integer.parseInt(batchCfg);
-        }
-        // query details by batches
-        List<AclRoleJoinVO> uvList = new ArrayList<AclRoleJoinVO>();
-        // query details by batches
-        int curr_index = 0;
-        if (roleIds.length > DETAILS_BATCH_SIZE) {
-            while ((curr_index + DETAILS_BATCH_SIZE) <= roleIds.length) {
-                Long[] ids = new Long[DETAILS_BATCH_SIZE];
-                for (int k = 0, j = curr_index; j < curr_index + DETAILS_BATCH_SIZE; j++, k++) {
-                    ids[k] = roleIds[j];
-                }
-                SearchCriteria<AclRoleJoinVO> sc = roleSearch.create();
-                sc.setParameters("idIN", ids);
-                List<AclRoleJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
-                if (vms != null) {
-                    uvList.addAll(vms);
-                }
-                curr_index += DETAILS_BATCH_SIZE;
-            }
-        }
-        if (curr_index < roleIds.length) {
-            int batch_size = (roleIds.length - curr_index);
-            // set the ids value
-            Long[] ids = new Long[batch_size];
-            for (int k = 0, j = curr_index; j < curr_index + batch_size; j++, k++) {
-                ids[k] = roleIds[j];
-            }
-            SearchCriteria<AclRoleJoinVO> sc = roleSearch.create();
-            sc.setParameters("idIN", ids);
-            List<AclRoleJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
-            if (vms != null) {
-                uvList.addAll(vms);
-            }
-        }
-        return uvList;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/server/ManagementServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index 2c960ff..12de4bd 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -58,19 +58,17 @@ import org.apache.cloudstack.api.command.admin.account.EnableAccountCmd;
 import org.apache.cloudstack.api.command.admin.account.LockAccountCmd;
 import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
 import org.apache.cloudstack.api.command.admin.acl.AddAccountToAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.AddAclRoleToAclGroupCmd;
+import org.apache.cloudstack.api.command.admin.acl.AddAclPermissionToAclPolicyCmd;
+import org.apache.cloudstack.api.command.admin.acl.AttachAclPolicyToAclGroupCmd;
 import org.apache.cloudstack.api.command.admin.acl.CreateAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.CreateAclRoleCmd;
+import org.apache.cloudstack.api.command.admin.acl.CreateAclPolicyCmd;
 import org.apache.cloudstack.api.command.admin.acl.DeleteAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.DeleteAclRoleCmd;
-import org.apache.cloudstack.api.command.admin.acl.GrantPermissionToAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.GrantPermissionToAclRoleCmd;
+import org.apache.cloudstack.api.command.admin.acl.DeleteAclPolicyCmd;
 import org.apache.cloudstack.api.command.admin.acl.ListAclGroupsCmd;
-import org.apache.cloudstack.api.command.admin.acl.ListAclRolesCmd;
+import org.apache.cloudstack.api.command.admin.acl.ListAclPoliciesCmd;
 import org.apache.cloudstack.api.command.admin.acl.RemoveAccountFromAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.RemoveAclRoleFromAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.RevokePermissionFromAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.RevokePermissionFromAclRoleCmd;
+import org.apache.cloudstack.api.command.admin.acl.RemoveAclPermissionFromAclPolicyCmd;
+import org.apache.cloudstack.api.command.admin.acl.RemoveAclPolicyFromAclGroupCmd;
 import org.apache.cloudstack.api.command.admin.autoscale.CreateCounterCmd;
 import org.apache.cloudstack.api.command.admin.autoscale.DeleteCounterCmd;
 import org.apache.cloudstack.api.command.admin.cluster.AddClusterCmd;
@@ -2882,20 +2880,18 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(ReplaceNetworkACLListCmd.class);
         cmdList.add(UpdateNetworkACLItemCmd.class);
         cmdList.add(CleanVMReservationsCmd.class);
-        cmdList.add(CreateAclRoleCmd.class);
-        cmdList.add(DeleteAclRoleCmd.class);
-        cmdList.add(ListAclRolesCmd.class);
-        cmdList.add(GrantPermissionToAclRoleCmd.class);
-        cmdList.add(RevokePermissionFromAclRoleCmd.class);
-        cmdList.add(AddAclRoleToAclGroupCmd.class);
-        cmdList.add(RemoveAclRoleFromAclGroupCmd.class);
+        cmdList.add(CreateAclPolicyCmd.class);
+        cmdList.add(DeleteAclPolicyCmd.class);
+        cmdList.add(ListAclPoliciesCmd.class);
+        cmdList.add(AddAclPermissionToAclPolicyCmd.class);
+        cmdList.add(RemoveAclPermissionFromAclPolicyCmd.class);
+        cmdList.add(AttachAclPolicyToAclGroupCmd.class);
+        cmdList.add(RemoveAclPolicyFromAclGroupCmd.class);
         cmdList.add(CreateAclGroupCmd.class);
         cmdList.add(DeleteAclGroupCmd.class);
         cmdList.add(ListAclGroupsCmd.class);
         cmdList.add(AddAccountToAclGroupCmd.class);
         cmdList.add(RemoveAccountFromAclGroupCmd.class);
-        cmdList.add(GrantPermissionToAclGroupCmd.class);
-        cmdList.add(RevokePermissionFromAclGroupCmd.class);
         return cmdList;
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a416f6c3/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 1e32aef..0ddc37a 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -42,7 +42,7 @@ import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.AclEntityType;
 import org.apache.cloudstack.acl.AclGroupAccountMapVO;
-import org.apache.cloudstack.acl.AclRolePermission;
+import org.apache.cloudstack.acl.AclPolicyPermission;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.PermissionScope;
@@ -50,7 +50,7 @@ import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
-import org.apache.cloudstack.acl.dao.AclRolePermissionDao;
+import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
 import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
@@ -264,7 +264,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     private AclService _aclService;
 
     @Inject
-    private AclRolePermissionDao _aclRolePermissionDao;
+    private AclPolicyPermissionDao _aclPolicyPermissionDao;
 
     @Inject
     public com.cloud.region.ha.GlobalLoadBalancingRulesService _gslbService;
@@ -2391,17 +2391,19 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         } else {
             domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
             // get caller role permission on VM List
-            AclRolePermission rolePerm = _aclService.getAclRolePermission(caller.getId(), AclEntityType.VM.toString(), AccessType.ListEntry);
-            if (rolePerm == null) {
+            //TODO: this method needs to pass the entity type instead of current hard-code to VM for now. Also, api action name
+            // should be passed in caller context.
+            AclPolicyPermission policyPerm = _aclService.getAclPolicyPermission(caller.getId(), AclEntityType.VM.toString(), "listVirtualMachine");
+            if (policyPerm == null) {
                 // no list entry permission
-                throw new PermissionDeniedException("Caller has no role permission assigned to list VM");
+                throw new PermissionDeniedException("Caller has no policy permission assigned to list VM");
             }
             if (permittedAccounts.isEmpty()) {
                 // no account name is specified
-                if (rolePerm.getScope() == PermissionScope.ACCOUNT || !listAll) {
+                if (policyPerm.getScope() == PermissionScope.ACCOUNT || !listAll) {
                     // only resource owner can see it, only match account
                     permittedAccounts.add(caller.getId());
-                } else if (rolePerm.getScope() == PermissionScope.DOMAIN) {
+                } else if (policyPerm.getScope() == PermissionScope.DOMAIN) {
                     // match domain tree based on cmd.isRecursive flag or not
                     domainIdRecursiveListProject.first(caller.getDomainId());
                 }
@@ -2649,20 +2651,20 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             if (isRecursive) {
                 for (int i = 0; i < permittedDomains.size(); i++) {
                     Domain domain = _domainDao.findById(permittedDomains.get(i));
-                    aclSc.addOr("domainPath" + i, SearchCriteria.Op.LIKE, domain.getPath() + "%");
+                    aclSc.addOr("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
                 }
             } else {
-                aclSc.addOr("domainIdIN", SearchCriteria.Op.IN, permittedDomains.toArray());
+                aclSc.addOr("domainId", SearchCriteria.Op.IN, permittedDomains.toArray());
             }
         }
         if (!permittedAccounts.isEmpty()) {
-            aclSc.addOr("accountIdIN", SearchCriteria.Op.IN, permittedAccounts.toArray());
+            aclSc.addOr("accountId", SearchCriteria.Op.IN, permittedAccounts.toArray());
         }
         if (!permittedResources.isEmpty()) {
-            aclSc.addOr("idIn", SearchCriteria.Op.IN, permittedResources.toArray());
+            aclSc.addOr("id", SearchCriteria.Op.IN, permittedResources.toArray());
         }
 
-        sc.addAnd("accountIdIn", SearchCriteria.Op.SC, aclSc);
+        sc.addAnd("accountId", SearchCriteria.Op.SC, aclSc);
     }
 
 }


Mime
View raw message