cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mc...@apache.org
Subject [1/2] Remove old APIs and old security checker plugins. Also use QuerySelector adapater in ACL search routine.
Date Fri, 10 Jan 2014 23:02:44 GMT
Updated Branches:
  refs/heads/rbac e6238baa3 -> e42a262f6


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/plugins/acl/role-based-access-checkers/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml b/plugins/acl/role-based-access-checkers/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml
deleted file mode 100644
index 78b233d..0000000
--- a/plugins/acl/role-based-access-checkers/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xmlns:context="http://www.springframework.org/schema/context"
-       xmlns:aop="http://www.springframework.org/schema/aop"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans
-                      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-                      http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
-                      http://www.springframework.org/schema/context
-                      http://www.springframework.org/schema/context/spring-context-3.0.xsd"
-                      >                     
-
-    <bean id="RoleBasedEntityAccessChecker" class="org.apache.cloudstack.acl.entity.RoleBasedEntityAccessChecker" />
-
-</beans>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
deleted file mode 100644
index 23f25ca..0000000
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
+++ /dev/null
@@ -1,68 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.api;
-
-import java.util.List;
-
-import javax.ejb.Local;
-import javax.inject.Inject;
-
-import org.apache.cloudstack.acl.APIChecker;
-import org.apache.cloudstack.acl.AclPolicy;
-import org.apache.cloudstack.acl.AclRole;
-import org.apache.cloudstack.acl.AclService;
-import org.apache.log4j.Logger;
-
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.user.Account;
-import com.cloud.user.AccountService;
-import com.cloud.user.User;
-import com.cloud.utils.component.AdapterBase;
-
-// This is the Role Based API access checker that grab's the  account's roles
-// based on the set of roles, access is granted if any of the role has access to the api
-@Local(value=APIChecker.class)
-public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
-
-    protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class);
-
-    @Inject AccountService _accountService;
-    @Inject AclService _aclService;
-
-    protected RoleBasedAPIAccessChecker() {
-        super();
-    }
-
-    @Override
-    public boolean checkAccess(User user, String commandName)
-            throws PermissionDeniedException {
-        Account account = _accountService.getAccount(user.getAccountId());
-        if (account == null) {
-            throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null");
-        }
-
-        List<AclPolicy> policies = _aclService.listAclPolicies(account.getAccountId());
-
-
-        boolean isAllowed = _aclService.isAPIAccessibleForPolicies(commandName, policies);
-        if (!isAllowed) {
-            throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
-        }
-        return isAllowed;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
deleted file mode 100644
index c057bc0..0000000
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java
+++ /dev/null
@@ -1,131 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.entity;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.cloudstack.acl.AclPolicy;
-import org.apache.cloudstack.acl.AclPolicyPermissionVO;
-import org.apache.cloudstack.acl.AclService;
-import org.apache.cloudstack.acl.ControlledEntity;
-import org.apache.cloudstack.acl.AclEntityType;
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
-import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
-import org.apache.log4j.Logger;
-
-import com.cloud.acl.DomainChecker;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.user.Account;
-import com.cloud.user.AccountService;
-import com.cloud.vm.VirtualMachine;
-
-public class RoleBasedEntityAccessChecker extends DomainChecker implements SecurityChecker {
-
-    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityAccessChecker.class.getName());
-
-    @Inject
-    AccountService _accountService;
-    @Inject
-    AclService _aclService;
-    
-    @Inject DomainDao _domainDao;
-
-    @Inject
-    AclGroupAccountMapDao _aclGroupAccountMapDao;
-
-    @Inject
-    AclPolicyPermissionDao _policyPermissionDao;
-
-
-    @Override
-    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
-            throws PermissionDeniedException {
-        return checkAccess(caller, entity, accessType, null);
-    }
-
-    @Override
-    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
-            throws PermissionDeniedException {
-
-        String entityType = entity.getEntityType().toString();
-
-        if (accessType == null) {
-            accessType = AccessType.ListEntry;
-        }
-
-        // get all Policies of this caller w.r.t the entity
-        List<AclPolicy> policies = _aclService.getEffectivePolicies(caller, entity);
-        HashMap<AclPolicy, Boolean> policyPermissionMap = new HashMap<AclPolicy, Boolean>();
-
-        for (AclPolicy policy : policies) {
-            List<AclPolicyPermissionVO> permissions = new ArrayList<AclPolicyPermissionVO>();
-
-            if (action != null) {
-                permissions = _policyPermissionDao.listByPolicyActionAndEntity(policy.getId(),
-                    action, entityType);
-            } else {
-                permissions = _policyPermissionDao.listByPolicyAccessAndEntity(policy.getId(), accessType, entityType);
-            }
-            for (AclPolicyPermissionVO permission : permissions) {
-                if (checkPermissionScope(caller, permission.getScope(), entity)) {
-                    if (permission.getEntityType().equals(entityType)) {
-                        policyPermissionMap.put(policy, permission.getPermission().isGranted());
-                        break;
-                    } else if (permission.getEntityType().equals("*")) {
-                        policyPermissionMap.put(policy, permission.getPermission().isGranted());
-                    }
-                }
-            }
-            if (policyPermissionMap.containsKey(policy) && policyPermissionMap.get(policy)) {
-                return true;
-            }
-        }
-
-        if (!policies.isEmpty()) { // Since we reach this point, none of the
-                                   // roles granted access
-            if (s_logger.isDebugEnabled()) {
-                s_logger.debug("Account " + caller + " does not have permission to access resource " + entity
-                        + " for access type: " + accessType);
-            }
-            throw new PermissionDeniedException(caller + " does not have permission to access resource " + entity);
-        }
-
-        return false;
-    }
-
-    private boolean checkPermissionScope(Account caller, PermissionScope scope, ControlledEntity entity) {
-        
-        if(scope.equals(PermissionScope.ACCOUNT)){
-            if(caller.getAccountId() == entity.getAccountId()){
-                return true;
-            }
-        }else if(scope.equals(PermissionScope.DOMAIN)){
-            if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
-                return true;
-            }
-        }
-        
-        return false;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
deleted file mode 100644
index 3deea5c..0000000
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
+++ /dev/null
@@ -1,51 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.entity;
-
-import java.util.List;
-
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.QuerySelector;
-
-import com.cloud.user.Account;
-import com.cloud.utils.component.AdapterBase;
-
-public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
-
-    private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
-
-    @Override
-    public List<Long> getAuthorizedDomains(Account caller, String action) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-    @Override
-    public List<Long> getAuthorizedAccounts(Account caller, String action) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-    @Override
-    public List<Long> getAuthorizedResources(Account caller, String action) {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/api/ApiDBUtils.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiDBUtils.java b/server/src/com/cloud/api/ApiDBUtils.java
index 5b894fb..7a7b84a 100755
--- a/server/src/com/cloud/api/ApiDBUtils.java
+++ b/server/src/com/cloud/api/ApiDBUtils.java
@@ -25,8 +25,6 @@ import java.util.Set;
 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 
-import org.apache.cloudstack.acl.AclGroup;
-import org.apache.cloudstack.acl.AclPolicy;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
 import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@@ -35,8 +33,6 @@ import org.apache.cloudstack.api.ApiConstants.HostDetails;
 import org.apache.cloudstack.api.ApiConstants.VMDetails;
 import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.response.AsyncJobResponse;
 import org.apache.cloudstack.api.response.DiskOfferingResponse;
 import org.apache.cloudstack.api.response.DomainRouterResponse;
@@ -69,8 +65,6 @@ import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
 
 import com.cloud.api.query.dao.AccountJoinDao;
-import com.cloud.api.query.dao.AclGroupJoinDao;
-import com.cloud.api.query.dao.AclPolicyJoinDao;
 import com.cloud.api.query.dao.AffinityGroupJoinDao;
 import com.cloud.api.query.dao.AsyncJobJoinDao;
 import com.cloud.api.query.dao.DataCenterJoinDao;
@@ -91,8 +85,6 @@ import com.cloud.api.query.dao.UserAccountJoinDao;
 import com.cloud.api.query.dao.UserVmJoinDao;
 import com.cloud.api.query.dao.VolumeJoinDao;
 import com.cloud.api.query.vo.AccountJoinVO;
-import com.cloud.api.query.vo.AclGroupJoinVO;
-import com.cloud.api.query.vo.AclPolicyJoinVO;
 import com.cloud.api.query.vo.AffinityGroupJoinVO;
 import com.cloud.api.query.vo.AsyncJobJoinVO;
 import com.cloud.api.query.vo.DataCenterJoinVO;
@@ -411,8 +403,6 @@ public class ApiDBUtils {
     static GlobalLoadBalancingRulesService _gslbService;
     static NetworkACLDao _networkACLDao;
     static AccountService _accountService;
-    static AclPolicyJoinDao _aclPolicyJoinDao;
-    static AclGroupJoinDao _aclGroupJoinDao;
     static ResourceMetaDataService _resourceDetailsService;
 
     @Inject
@@ -526,10 +516,6 @@ public class ApiDBUtils {
     @Inject private NetworkACLDao networkACLDao;
     @Inject private ServiceOfferingDetailsDao serviceOfferingDetailsDao;
     @Inject private AccountService accountService;
-    @Inject
-    private AclPolicyJoinDao aclPolicyJoinDao;
-    @Inject
-    private AclGroupJoinDao aclGroupJoinDao;
     @Inject private ConfigurationManager configMgr;
     @Inject private DataCenterDetailsDao zoneDetailsDao;
     @Inject private  ResourceMetaDataService resourceDetailsService;
@@ -643,8 +629,6 @@ public class ApiDBUtils {
         _statsCollector = StatsCollector.getInstance();
         _networkACLDao = networkACLDao;
         _accountService = accountService;
-        _aclPolicyJoinDao = aclPolicyJoinDao;
-        _aclGroupJoinDao = aclGroupJoinDao;
         _resourceDetailsService = resourceDetailsService;
     }
 
@@ -1520,9 +1504,6 @@ public class ApiDBUtils {
         return _userAccountJoinDao.searchByAccountId(accountId);
     }
 
-    public static List<AclGroupJoinVO> findAclGroupByAccountId(long accountId) {
-        return _aclGroupJoinDao.findAclGroupsByAccount(accountId);
-    }
 
     public static ProjectAccountResponse newProjectAccountResponse(ProjectAccountJoinVO proj) {
         return _projectAccountJoinDao.newProjectAccountResponse(proj);
@@ -1698,29 +1679,6 @@ public class ApiDBUtils {
         return _affinityGroupJoinDao.setAffinityGroupResponse(resp, group);
     }
 
-    public static List<AclPolicyJoinVO> newAclPolicyView(AclPolicy policy) {
-        return _aclPolicyJoinDao.newAclPolicyView(policy);
-    }
-
-    public static AclPolicyResponse newAclPolicyResponse(AclPolicyJoinVO policy) {
-        return _aclPolicyJoinDao.newAclPolicyResponse(policy);
-    }
-
-    public static AclPolicyResponse fillAclPolicyDetails(AclPolicyResponse resp, AclPolicyJoinVO policy) {
-        return _aclPolicyJoinDao.setAclPolicyResponse(resp, policy);
-    }
-
-    public static List<AclGroupJoinVO> newAclGroupView(AclGroup group) {
-        return _aclGroupJoinDao.newAclGroupView(group);
-    }
-
-    public static AclGroupResponse newAclGroupResponse(AclGroupJoinVO group) {
-        return _aclGroupJoinDao.newAclGroupResponse(group);
-    }
-
-    public static AclGroupResponse fillAclGroupDetails(AclGroupResponse resp, AclGroupJoinVO group) {
-        return _aclGroupJoinDao.setAclGroupResponse(resp, group);
-    }
 
     public static List<? extends LoadBalancer> listSiteLoadBalancers(long gslbRuleId) {
         return _gslbService.listSiteLoadBalancers(gslbRuleId);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index b3f42f8..1a999ac 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -33,8 +33,6 @@ import javax.inject.Inject;
 
 import org.apache.log4j.Logger;
 
-import org.apache.cloudstack.acl.AclGroup;
-import org.apache.cloudstack.acl.AclPolicy;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.affinity.AffinityGroup;
@@ -45,8 +43,6 @@ import org.apache.cloudstack.api.ResponseGenerator;
 import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd;
 import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.response.ApplicationLoadBalancerInstanceResponse;
 import org.apache.cloudstack.api.response.ApplicationLoadBalancerResponse;
 import org.apache.cloudstack.api.response.ApplicationLoadBalancerRuleResponse;
@@ -154,8 +150,6 @@ import org.apache.cloudstack.usage.UsageTypes;
 
 import com.cloud.api.query.ViewResponseHelper;
 import com.cloud.api.query.vo.AccountJoinVO;
-import com.cloud.api.query.vo.AclGroupJoinVO;
-import com.cloud.api.query.vo.AclPolicyJoinVO;
 import com.cloud.api.query.vo.AsyncJobJoinVO;
 import com.cloud.api.query.vo.ControlledViewEntity;
 import com.cloud.api.query.vo.DataCenterJoinVO;
@@ -3707,22 +3701,6 @@ public class ApiResponseHelper implements ResponseGenerator {
         }
     }
 
-    @Override
-    public AclPolicyResponse createAclPolicyResponse(AclPolicy policy) {
-        List<AclPolicyJoinVO> viewPolicies = ApiDBUtils.newAclPolicyView(policy);
-        List<AclPolicyResponse> listPolicies = ViewResponseHelper.createAclPolicyResponses(viewPolicies);
-        assert listPolicies != null && listPolicies.size() == 1 : "There should be one acl policy returned";
-        return listPolicies.get(0);
-    }
-
-    @Override
-    public AclGroupResponse createAclGroupResponse(AclGroup group) {
-        List<AclGroupJoinVO> viewGroups = ApiDBUtils.newAclGroupView(group);
-        List<AclGroupResponse> listGroups = ViewResponseHelper.createAclGroupResponses(viewGroups);
-        assert listGroups != null && listGroups.size() == 1 : "There should be one acl role returned";
-        return listGroups.get(0);
-    }
-
 
     @Override
     public PortableIpRangeResponse createPortableIPRangeResponse(PortableIpRange ipRange) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index b807f4a..fd1804a 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -29,12 +29,7 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
 
-import org.apache.cloudstack.acl.AclGroup;
-import org.apache.cloudstack.acl.AclPolicy;
-import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
-import org.apache.cloudstack.acl.dao.AclGroupDao;
-import org.apache.cloudstack.acl.dao.AclPolicyDao;
 import org.apache.cloudstack.affinity.AffinityGroupDomainMapVO;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
 import org.apache.cloudstack.affinity.AffinityGroupVMMapVO;
@@ -74,8 +69,6 @@ import org.apache.cloudstack.api.command.user.volume.ListResourceDetailsCmd;
 import org.apache.cloudstack.api.command.user.volume.ListVolumesCmd;
 import org.apache.cloudstack.api.command.user.zone.ListZonesCmd;
 import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.response.AsyncJobResponse;
 import org.apache.cloudstack.api.response.DiskOfferingResponse;
 import org.apache.cloudstack.api.response.DomainRouterResponse;
@@ -103,8 +96,6 @@ import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.query.QueryService;
 
 import com.cloud.api.query.dao.AccountJoinDao;
-import com.cloud.api.query.dao.AclGroupJoinDao;
-import com.cloud.api.query.dao.AclPolicyJoinDao;
 import com.cloud.api.query.dao.AffinityGroupJoinDao;
 import com.cloud.api.query.dao.AsyncJobJoinDao;
 import com.cloud.api.query.dao.DataCenterJoinDao;
@@ -125,9 +116,6 @@ import com.cloud.api.query.dao.UserAccountJoinDao;
 import com.cloud.api.query.dao.UserVmJoinDao;
 import com.cloud.api.query.dao.VolumeJoinDao;
 import com.cloud.api.query.vo.AccountJoinVO;
-import com.cloud.api.query.vo.AclGroupJoinVO;
-import com.cloud.api.query.vo.AclPolicyJoinVO;
-import com.cloud.api.query.vo.AclRoleJoinVO;
 import com.cloud.api.query.vo.AffinityGroupJoinVO;
 import com.cloud.api.query.vo.AsyncJobJoinVO;
 import com.cloud.api.query.vo.DataCenterJoinVO;
@@ -218,8 +206,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
 
     public static final Logger s_logger = Logger.getLogger(QueryManagerImpl.class);
 
-    // public static ViewResponseHelper _responseGenerator;
-
     @Inject
     private AccountManager _accountMgr;
 
@@ -354,20 +340,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
     @Inject
     AffinityGroupDomainMapDao _affinityGroupDomainMapDao;
 
-    @Inject
-    AclPolicyJoinDao _aclPolicyJoinDao;
-
-    @Inject
-    AclPolicyDao _aclPolicyDao;
-
-    @Inject
-    AclGroupJoinDao _aclGroupJoinDao;
-
-    @Inject
-    AclGroupDao _aclGroupDao;
-
-    @Inject
-    AclService _aclService;
     
     @Inject NetworkDetailsDao _networkDetailsDao;
     
@@ -3334,214 +3306,4 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         return resourceDetailResponse;
     }
 
-    @Override
-    public ListResponse<AclPolicyResponse> listAclPolicies(Long aclPolicyId, String aclPolicyName, Long domainId, Long startIndex, Long pageSize) {
-        Pair<List<AclPolicyJoinVO>, Integer> result = listAclPoliciesInternal(aclPolicyId, aclPolicyName, domainId, true, true, startIndex, pageSize);
-        ListResponse<AclPolicyResponse> response = new ListResponse<AclPolicyResponse>();
-
-        List<AclPolicyResponse> roleResponses = ViewResponseHelper.createAclPolicyResponses(result.first());
-        response.setResponses(roleResponses, result.second());
-        return response;
-    }
-
-    private Pair<List<AclPolicyJoinVO>, Integer> listAclPoliciesInternal(Long aclPolicyId, String aclPolicyName, Long domainId, boolean isRecursive, boolean listAll,
-            Long startIndex,
-            Long pageSize) {
-
-        Account caller = CallContext.current().getCallingAccount();
-        Boolean listForDomain = false;
-
-        if (aclPolicyId != null) {
-            AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
-            if (policy == null) {
-                throw new InvalidParameterValueException("Unable to find acl policy by id " + aclPolicyId);
-            }
-
-            _accountMgr.checkAccess(caller, null, true, policy);
-        }
-
-        if (domainId != null) {
-            Domain domain = _domainDao.findById(domainId);
-            if (domain == null) {
-                throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
-            }
-
-            _accountMgr.checkAccess(caller, domain);
-
-            if (aclPolicyName != null) {
-                AclPolicy policy = _aclPolicyDao.findByName(domainId, aclPolicyName);
-                if (policy == null) {
-                    throw new InvalidParameterValueException("Unable to find acl policy by name " + aclPolicyName
-                            + " in domain " + domainId);
-                }
-                _accountMgr.checkAccess(caller, null, true, policy);
-            }
-        }
-
-        if (aclPolicyId == null) {
-            if (_accountMgr.isAdmin(caller.getType()) && listAll && domainId == null) {
-                listForDomain = true;
-                isRecursive = true;
-                if (domainId == null) {
-                    domainId = caller.getDomainId();
-                }
-            } else if (_accountMgr.isAdmin(caller.getType()) && domainId != null) {
-                listForDomain = true;
-            }
-        }
-
-        Filter searchFilter = new Filter(AclRoleJoinVO.class, "id", true, startIndex, pageSize);
-
-
-        SearchBuilder<AclPolicyJoinVO> sb = _aclPolicyJoinDao.createSearchBuilder();
-        sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct ids
-
-        sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
-        sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
-        sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
-
-        if (listForDomain && isRecursive) {
-            sb.and("path", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
-        }
-
-        SearchCriteria<AclPolicyJoinVO> sc = sb.create();
-
-        if (aclPolicyName != null) {
-            sc.setParameters("name", aclPolicyName);
-        }
-
-        if (aclPolicyId != null) {
-            sc.setParameters("id", aclPolicyId);
-        }
-
-        if (listForDomain) {
-            if (isRecursive) {
-                Domain domain = _domainDao.findById(domainId);
-                sc.setParameters("path", domain.getPath() + "%");
-            } else {
-                sc.setParameters("domainId", domainId);
-            }
-        }
-
-
-        // search policy details by ids
-        Pair<List<AclPolicyJoinVO>, Integer> uniqueRolePair = _aclPolicyJoinDao.searchAndCount(sc, searchFilter);
-        Integer count = uniqueRolePair.second();
-        if (count.intValue() == 0) {
-            // empty result
-            return uniqueRolePair;
-        }
-        List<AclPolicyJoinVO> uniqueRoles = uniqueRolePair.first();
-        Long[] vrIds = new Long[uniqueRoles.size()];
-        int i = 0;
-        for (AclPolicyJoinVO v : uniqueRoles) {
-            vrIds[i++] = v.getId();
-        }
-        List<AclPolicyJoinVO> vrs = _aclPolicyJoinDao.searchByIds(vrIds);
-        return new Pair<List<AclPolicyJoinVO>, Integer>(vrs, count);
-    }
-
-    @Override
-    public ListResponse<AclGroupResponse> listAclGroups(Long aclGroupId, String aclGroupName, Long domainId, Long startIndex, Long pageSize) {
-        Pair<List<AclGroupJoinVO>, Integer> result = listAclGroupsInternal(aclGroupId, aclGroupName, domainId, true, true, startIndex, pageSize);
-        ListResponse<AclGroupResponse> response = new ListResponse<AclGroupResponse>();
-
-        List<AclGroupResponse> groupResponses = ViewResponseHelper.createAclGroupResponses(result.first());
-        response.setResponses(groupResponses, result.second());
-        return response;
-    }
-
-    private Pair<List<AclGroupJoinVO>, Integer> listAclGroupsInternal(Long aclGroupId, String aclGroupName, Long domainId, boolean isRecursive, boolean listAll, Long startIndex,
-            Long pageSize) {
-
-        Account caller = CallContext.current().getCallingAccount();
-        Boolean listForDomain = false;
-
-        if (aclGroupId != null) {
-            AclGroup group = _aclGroupDao.findById(aclGroupId);
-            if (group == null) {
-                throw new InvalidParameterValueException("Unable to find acl group by id " + aclGroupId);
-            }
-
-            _accountMgr.checkAccess(caller, null, true, group);
-        }
-
-        if (domainId != null) {
-            Domain domain = _domainDao.findById(domainId);
-            if (domain == null) {
-                throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
-            }
-
-            _accountMgr.checkAccess(caller, domain);
-
-            if (aclGroupName != null) {
-                AclGroup group = _aclGroupDao.findByName(domainId, aclGroupName);
-                if (group == null) {
-                    throw new InvalidParameterValueException("Unable to find acl group by name " + aclGroupName
-                            + " in domain " + domainId);
-                }
-                _accountMgr.checkAccess(caller, null, true, group);
-            }
-        }
-
-        if (aclGroupId == null) {
-            if (_accountMgr.isAdmin(caller.getType()) && listAll && domainId == null) {
-                listForDomain = true;
-                isRecursive = true;
-                if (domainId == null) {
-                    domainId = caller.getDomainId();
-                }
-            } else if (_accountMgr.isAdmin(caller.getType()) && domainId != null) {
-                listForDomain = true;
-            }
-        }
-
-        Filter searchFilter = new Filter(AclGroupJoinVO.class, "id", true, startIndex, pageSize);
-
-        SearchBuilder<AclGroupJoinVO> sb = _aclGroupJoinDao.createSearchBuilder();
-        sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct ids
-
-        sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
-        sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
-        sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
-
-        if (listForDomain && isRecursive) {
-            sb.and("path", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
-        }
-
-        SearchCriteria<AclGroupJoinVO> sc = sb.create();
-
-        if (aclGroupName != null) {
-            sc.setParameters("name", aclGroupName);
-        }
-
-        if (aclGroupId != null) {
-            sc.setParameters("id", aclGroupId);
-        }
-
-        if (listForDomain) {
-            if (isRecursive) {
-                Domain domain = _domainDao.findById(domainId);
-                sc.setParameters("path", domain.getPath() + "%");
-            } else {
-                sc.setParameters("domainId", domainId);
-            }
-        }
-
-        // search group details by ids
-        Pair<List<AclGroupJoinVO>, Integer> uniqueGroupPair = _aclGroupJoinDao.searchAndCount(sc, searchFilter);
-        Integer count = uniqueGroupPair.second();
-        if (count.intValue() == 0) {
-            // empty result
-            return uniqueGroupPair;
-        }
-        List<AclGroupJoinVO> uniqueGroups = uniqueGroupPair.first();
-        Long[] vrIds = new Long[uniqueGroups.size()];
-        int i = 0;
-        for (AclGroupJoinVO v : uniqueGroups) {
-            vrIds[i++] = v.getId();
-        }
-        List<AclGroupJoinVO> vrs = _aclGroupJoinDao.searchByIds(vrIds);
-        return new Pair<List<AclGroupJoinVO>, Integer>(vrs, count);
-    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/api/query/ViewResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/ViewResponseHelper.java b/server/src/com/cloud/api/query/ViewResponseHelper.java
index 478cbfb..3a35c96 100644
--- a/server/src/com/cloud/api/query/ViewResponseHelper.java
+++ b/server/src/com/cloud/api/query/ViewResponseHelper.java
@@ -28,8 +28,6 @@ import org.apache.cloudstack.api.ApiConstants.HostDetails;
 import org.apache.cloudstack.api.ApiConstants.VMDetails;
 import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.api.response.AclPolicyResponse;
 import org.apache.cloudstack.api.response.AsyncJobResponse;
 import org.apache.cloudstack.api.response.DiskOfferingResponse;
 import org.apache.cloudstack.api.response.DomainRouterResponse;
@@ -54,8 +52,6 @@ import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.api.ApiDBUtils;
 import com.cloud.api.query.vo.AccountJoinVO;
-import com.cloud.api.query.vo.AclGroupJoinVO;
-import com.cloud.api.query.vo.AclPolicyJoinVO;
 import com.cloud.api.query.vo.AffinityGroupJoinVO;
 import com.cloud.api.query.vo.AsyncJobJoinVO;
 import com.cloud.api.query.vo.DataCenterJoinVO;
@@ -444,36 +440,4 @@ public class ViewResponseHelper {
         }
         return new ArrayList<AffinityGroupResponse>(vrDataList.values());
     }
-
-    public static List<AclPolicyResponse> createAclPolicyResponses(List<AclPolicyJoinVO> policies) {
-        Hashtable<Long, AclPolicyResponse> vrDataList = new Hashtable<Long, AclPolicyResponse>();
-        for (AclPolicyJoinVO vr : policies) {
-            AclPolicyResponse vrData = vrDataList.get(vr.getId());
-            if (vrData == null) {
-                // first time encountering this Acl policy
-                vrData = ApiDBUtils.newAclPolicyResponse(vr);
-            } else {
-                // update vms
-                vrData = ApiDBUtils.fillAclPolicyDetails(vrData, vr);
-            }
-            vrDataList.put(vr.getId(), vrData);
-        }
-        return new ArrayList<AclPolicyResponse>(vrDataList.values());
-    }
-
-    public static List<AclGroupResponse> createAclGroupResponses(List<AclGroupJoinVO> groups) {
-        Hashtable<Long, AclGroupResponse> vrDataList = new Hashtable<Long, AclGroupResponse>();
-        for (AclGroupJoinVO vr : groups) {
-            AclGroupResponse vrData = vrDataList.get(vr.getId());
-            if (vrData == null) {
-                // first time encountering this Acl role
-                vrData = ApiDBUtils.newAclGroupResponse(vr);
-            } else {
-                // update vms
-                vrData = ApiDBUtils.fillAclGroupDetails(vrData, vr);
-            }
-            vrDataList.put(vr.getId(), vrData);
-        }
-        return new ArrayList<AclGroupResponse>(vrDataList.values());
-    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java
index da13bad..8c2b195 100644
--- a/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java
@@ -24,16 +24,15 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
 
+import org.apache.cloudstack.acl.AclProxyService;
 import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.AclGroupResponse;
 import org.apache.cloudstack.api.response.ResourceLimitAndCountResponse;
 import org.apache.cloudstack.api.response.UserResponse;
 
 import com.cloud.api.ApiDBUtils;
 import com.cloud.api.query.ViewResponseHelper;
 import com.cloud.api.query.vo.AccountJoinVO;
-import com.cloud.api.query.vo.AclGroupJoinVO;
 import com.cloud.api.query.vo.UserAccountJoinVO;
 import com.cloud.configuration.Resource.ResourceType;
 import com.cloud.user.Account;
@@ -50,6 +49,8 @@ public class AccountJoinDaoImpl extends GenericDaoBase<AccountJoinVO, Long> impl
     private final SearchBuilder<AccountJoinVO> acctIdSearch;
     @Inject
     public AccountManager _accountMgr;
+    @Inject
+    AclProxyService _aclProxy;
 
     protected AccountJoinDaoImpl() {
 
@@ -105,9 +106,7 @@ public class AccountJoinDaoImpl extends GenericDaoBase<AccountJoinVO, Long> impl
         accountResponse.setObjectName("account");
         
         // add all the acl groups for an account
-        List<AclGroupJoinVO> groupsForAccount = ApiDBUtils.findAclGroupByAccountId(account.getId());
-        List<AclGroupResponse> groupResponses = ViewResponseHelper.createAclGroupResponses(groupsForAccount);
-        accountResponse.setGroups(groupResponses);
+        accountResponse.setGroups(_aclProxy.listAclGroupsByAccount(account.getId()));
 
         return accountResponse;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/api/query/dao/AclGroupJoinDao.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclGroupJoinDao.java b/server/src/com/cloud/api/query/dao/AclGroupJoinDao.java
deleted file mode 100644
index ccebf21..0000000
--- a/server/src/com/cloud/api/query/dao/AclGroupJoinDao.java
+++ /dev/null
@@ -1,38 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.api.query.dao;
-
-import java.util.List;
-
-import org.apache.cloudstack.acl.AclGroup;
-import org.apache.cloudstack.api.response.AclGroupResponse;
-
-import com.cloud.api.query.vo.AclGroupJoinVO;
-import com.cloud.utils.db.GenericDao;
-
-public interface AclGroupJoinDao extends GenericDao<AclGroupJoinVO, Long> {
-
-    AclGroupResponse newAclGroupResponse(AclGroupJoinVO group);
-
-    AclGroupResponse setAclGroupResponse(AclGroupResponse response, AclGroupJoinVO os);
-
-    List<AclGroupJoinVO> newAclGroupView(AclGroup group);
-
-    List<AclGroupJoinVO> searchByIds(Long... ids);
-
-    List<AclGroupJoinVO> findAclGroupsByAccount(long accountId);
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/api/query/dao/AclGroupJoinDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclGroupJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AclGroupJoinDaoImpl.java
deleted file mode 100644
index 355f561..0000000
--- a/server/src/com/cloud/api/query/dao/AclGroupJoinDaoImpl.java
+++ /dev/null
@@ -1,173 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.api.query.dao;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import javax.ejb.Local;
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
-
-import org.apache.cloudstack.acl.AclGroup;
-import org.apache.cloudstack.acl.AclGroupAccountMapVO;
-import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
-import org.apache.cloudstack.api.response.AclGroupResponse;
-import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-
-import com.cloud.api.query.vo.AclGroupJoinVO;
-import com.cloud.user.AccountManager;
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-@Component
-@Local(value = {AclGroupJoinDao.class})
-public class AclGroupJoinDaoImpl extends GenericDaoBase<AclGroupJoinVO, Long> implements AclGroupJoinDao {
-    public static final Logger s_logger = Logger.getLogger(AclGroupJoinDaoImpl.class);
-
-
-    private final SearchBuilder<AclGroupJoinVO> grpIdSearch;
-    private final SearchBuilder<AclGroupJoinVO> grpSearch;
-    @Inject
-    public AccountManager _accountMgr;
-    @Inject
-    public ConfigurationDao _configDao;
-    @Inject
-    public AclGroupAccountMapDao _grpAccountDao;
-
-    protected AclGroupJoinDaoImpl() {
-
-        grpSearch = createSearchBuilder();
-        grpSearch.and("idIN", grpSearch.entity().getId(), SearchCriteria.Op.IN);
-        grpSearch.done();
-
-        grpIdSearch = createSearchBuilder();
-        grpIdSearch.and("id", grpIdSearch.entity().getId(), SearchCriteria.Op.EQ);
-        grpIdSearch.done();
-
-        _count = "select count(distinct id) from acl_group_view WHERE ";
-    }
-
-
-
-    @Override
-    public AclGroupResponse newAclGroupResponse(AclGroupJoinVO group) {
-
-        AclGroupResponse response = new AclGroupResponse();
-        response.setId(group.getUuid());
-        response.setName(group.getName());
-        response.setDescription(group.getDescription());
-        response.setDomainId(group.getDomainUuid());
-        response.setDomainName(group.getName());
-        response.setAccountName(group.getAccountName());
-        if (group.getMemberAccountId() > 0) {
-            response.addMemberAccount(group.getMemberAccountName());
-        }
-        if (group.getPolicyId() > 0) {
-            response.addPolicy(group.getPolicyName());
-        }
-
-        response.setObjectName("aclgroup");
-
-        return response;
-    }
-
-    @Override
-    public AclGroupResponse setAclGroupResponse(AclGroupResponse response, AclGroupJoinVO group) {
-        if (group.getMemberAccountId() > 0) {
-            response.addMemberAccount(group.getMemberAccountName());
-        }
-        if (group.getPolicyId() > 0) {
-            response.addPolicy(group.getPolicyName());
-        }
-
-        return response;
-    }
-
-    @Override
-    public List<AclGroupJoinVO> newAclGroupView(AclGroup group) {
-        SearchCriteria<AclGroupJoinVO> sc = grpIdSearch.create();
-        sc.setParameters("id", group.getId());
-        return searchIncludingRemoved(sc, null, null, false);
-
-    }
-
-    @Override
-    public List<AclGroupJoinVO> searchByIds(Long... grpIds) {
-        // set detail batch query size
-        int DETAILS_BATCH_SIZE = 2000;
-        String batchCfg = _configDao.getValue("detail.batch.query.size");
-        if (batchCfg != null) {
-            DETAILS_BATCH_SIZE = Integer.parseInt(batchCfg);
-        }
-        // query details by batches
-        List<AclGroupJoinVO> uvList = new ArrayList<AclGroupJoinVO>();
-        // query details by batches
-        int curr_index = 0;
-        if (grpIds.length > DETAILS_BATCH_SIZE) {
-            while ((curr_index + DETAILS_BATCH_SIZE) <= grpIds.length) {
-                Long[] ids = new Long[DETAILS_BATCH_SIZE];
-                for (int k = 0, j = curr_index; j < curr_index + DETAILS_BATCH_SIZE; j++, k++) {
-                    ids[k] = grpIds[j];
-                }
-                SearchCriteria<AclGroupJoinVO> sc = grpSearch.create();
-                sc.setParameters("idIN", ids);
-                List<AclGroupJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
-                if (vms != null) {
-                    uvList.addAll(vms);
-                }
-                curr_index += DETAILS_BATCH_SIZE;
-            }
-        }
-        if (curr_index < grpIds.length) {
-            int batch_size = (grpIds.length - curr_index);
-            // set the ids value
-            Long[] ids = new Long[batch_size];
-            for (int k = 0, j = curr_index; j < curr_index + batch_size; j++, k++) {
-                ids[k] = grpIds[j];
-            }
-            SearchCriteria<AclGroupJoinVO> sc = grpSearch.create();
-            sc.setParameters("idIN", ids);
-            List<AclGroupJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
-            if (vms != null) {
-                uvList.addAll(vms);
-            }
-        }
-        return uvList;
-    }
-
-    @Override
-    public List<AclGroupJoinVO> findAclGroupsByAccount(long accountId) {
-        List<AclGroupAccountMapVO> grpMap = _grpAccountDao.listByAccountId(accountId);
-        if (grpMap != null && grpMap.size() > 0) {
-            Set<Long> grpList = new HashSet<Long>();
-            for (AclGroupAccountMapVO m : grpMap) {
-                grpList.add(m.getAclGroupId());
-            }
-            return searchByIds(grpList.toArray(new Long[grpList.size()]));
-        }
-        else{
-            return null;
-        }
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/api/query/dao/AclPolicyJoinDao.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclPolicyJoinDao.java b/server/src/com/cloud/api/query/dao/AclPolicyJoinDao.java
deleted file mode 100644
index 8f00464..0000000
--- a/server/src/com/cloud/api/query/dao/AclPolicyJoinDao.java
+++ /dev/null
@@ -1,37 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.api.query.dao;
-
-import java.util.List;
-
-import org.apache.cloudstack.acl.AclPolicy;
-import org.apache.cloudstack.api.response.AclPolicyResponse;
-
-import com.cloud.api.query.vo.AclPolicyJoinVO;
-import com.cloud.utils.db.GenericDao;
-
-
-public interface AclPolicyJoinDao extends GenericDao<AclPolicyJoinVO, Long> {
-
-    AclPolicyResponse newAclPolicyResponse(AclPolicyJoinVO role);
-
-    AclPolicyResponse setAclPolicyResponse(AclPolicyResponse response, AclPolicyJoinVO os);
-
-    List<AclPolicyJoinVO> newAclPolicyView(AclPolicy role);
-
-    List<AclPolicyJoinVO> searchByIds(Long... ids);
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
deleted file mode 100644
index 7929c3a..0000000
--- a/server/src/com/cloud/api/query/dao/AclPolicyJoinDaoImpl.java
+++ /dev/null
@@ -1,157 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.api.query.dao;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.ejb.Local;
-import javax.inject.Inject;
-
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
-
-import org.apache.cloudstack.acl.AclPolicy;
-import org.apache.cloudstack.api.response.AclPermissionResponse;
-import org.apache.cloudstack.api.response.AclPolicyResponse;
-import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-
-import com.cloud.api.query.vo.AclPolicyJoinVO;
-import com.cloud.user.AccountManager;
-import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
-import com.cloud.utils.db.SearchCriteria;
-
-@Component
-@Local(value = {AclPolicyJoinDao.class})
-public class AclPolicyJoinDaoImpl extends GenericDaoBase<AclPolicyJoinVO, Long> implements AclPolicyJoinDao {
-    public static final Logger s_logger = Logger.getLogger(AclPolicyJoinDaoImpl.class);
-
-
-    private final SearchBuilder<AclPolicyJoinVO> policyIdSearch;
-    private final SearchBuilder<AclPolicyJoinVO> policySearch;
-    @Inject
-    public AccountManager _accountMgr;
-    @Inject
-    public ConfigurationDao _configDao;
-
-    protected AclPolicyJoinDaoImpl() {
-
-        policySearch = createSearchBuilder();
-        policySearch.and("idIN", policySearch.entity().getId(), SearchCriteria.Op.IN);
-        policySearch.done();
-
-        policyIdSearch = createSearchBuilder();
-        policyIdSearch.and("id", policyIdSearch.entity().getId(), SearchCriteria.Op.EQ);
-        policyIdSearch.done();
-
-        _count = "select count(distinct id) from acl_policy_view WHERE ";
-    }
-
-
-
-    @Override
-    public AclPolicyResponse newAclPolicyResponse(AclPolicyJoinVO policy) {
-
-        AclPolicyResponse response = new AclPolicyResponse();
-        response.setId(policy.getUuid());
-        response.setName(policy.getName());
-        response.setDescription(policy.getDescription());
-        response.setDomainId(policy.getDomainUuid());
-        response.setDomainName(policy.getName());
-        response.setAccountName(policy.getAccountName());
-        if (policy.getPermissionAction() != null) {
-            AclPermissionResponse perm = new AclPermissionResponse();
-            perm.setAction(policy.getPermissionAction());
-            perm.setEntityType(policy.getPermissionEntityType());
-            perm.setScope(policy.getPermissionScope());
-            perm.setScopeId(policy.getPermissionScopeId());
-            perm.setPermission(policy.getPermissionAllowDeny());
-            response.addPermission(perm);
-        }
-
-        response.setObjectName("aclpolicy");
-        return response;
-    }
-
-    @Override
-    public AclPolicyResponse setAclPolicyResponse(AclPolicyResponse response, AclPolicyJoinVO policy) {
-        if (policy.getPermissionAction() != null) {
-            AclPermissionResponse perm = new AclPermissionResponse();
-            perm.setAction(policy.getPermissionAction());
-            perm.setEntityType(policy.getPermissionEntityType());
-            perm.setScope(policy.getPermissionScope());
-            perm.setScopeId(policy.getPermissionScopeId());
-            perm.setPermission(policy.getPermissionAllowDeny());
-            response.addPermission(perm);
-        }
-        return response;
-    }
-
-    @Override
-    public List<AclPolicyJoinVO> newAclPolicyView(AclPolicy policy) {
-        SearchCriteria<AclPolicyJoinVO> sc = policyIdSearch.create();
-        sc.setParameters("id", policy.getId());
-        return searchIncludingRemoved(sc, null, null, false);
-
-    }
-
-    @Override
-    public List<AclPolicyJoinVO> searchByIds(Long... policyIds) {
-        // set detail batch query size
-        int DETAILS_BATCH_SIZE = 2000;
-        String batchCfg = _configDao.getValue("detail.batch.query.size");
-        if (batchCfg != null) {
-            DETAILS_BATCH_SIZE = Integer.parseInt(batchCfg);
-        }
-        // query details by batches
-        List<AclPolicyJoinVO> uvList = new ArrayList<AclPolicyJoinVO>();
-        // query details by batches
-        int curr_index = 0;
-        if (policyIds.length > DETAILS_BATCH_SIZE) {
-            while ((curr_index + DETAILS_BATCH_SIZE) <= policyIds.length) {
-                Long[] ids = new Long[DETAILS_BATCH_SIZE];
-                for (int k = 0, j = curr_index; j < curr_index + DETAILS_BATCH_SIZE; j++, k++) {
-                    ids[k] = policyIds[j];
-                }
-                SearchCriteria<AclPolicyJoinVO> sc = policySearch.create();
-                sc.setParameters("idIN", ids);
-                List<AclPolicyJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
-                if (vms != null) {
-                    uvList.addAll(vms);
-                }
-                curr_index += DETAILS_BATCH_SIZE;
-            }
-        }
-        if (curr_index < policyIds.length) {
-            int batch_size = (policyIds.length - curr_index);
-            // set the ids value
-            Long[] ids = new Long[batch_size];
-            for (int k = 0, j = curr_index; j < curr_index + batch_size; j++, k++) {
-                ids[k] = policyIds[j];
-            }
-            SearchCriteria<AclPolicyJoinVO> sc = policySearch.create();
-            sc.setParameters("idIN", ids);
-            List<AclPolicyJoinVO> vms = searchIncludingRemoved(sc, null, null, false);
-            if (vms != null) {
-                uvList.addAll(vms);
-            }
-        }
-        return uvList;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/server/ManagementServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index d2caf67..22e72b4 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -57,18 +57,6 @@ import org.apache.cloudstack.api.command.admin.account.DisableAccountCmd;
 import org.apache.cloudstack.api.command.admin.account.EnableAccountCmd;
 import org.apache.cloudstack.api.command.admin.account.LockAccountCmd;
 import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
-import org.apache.cloudstack.api.command.admin.acl.AddAccountToAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.AddAclPermissionToAclPolicyCmd;
-import org.apache.cloudstack.api.command.admin.acl.AttachAclPolicyToAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.CreateAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.CreateAclPolicyCmd;
-import org.apache.cloudstack.api.command.admin.acl.DeleteAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.DeleteAclPolicyCmd;
-import org.apache.cloudstack.api.command.admin.acl.ListAclGroupsCmd;
-import org.apache.cloudstack.api.command.admin.acl.ListAclPoliciesCmd;
-import org.apache.cloudstack.api.command.admin.acl.RemoveAccountFromAclGroupCmd;
-import org.apache.cloudstack.api.command.admin.acl.RemoveAclPermissionFromAclPolicyCmd;
-import org.apache.cloudstack.api.command.admin.acl.RemoveAclPolicyFromAclGroupCmd;
 import org.apache.cloudstack.api.command.admin.autoscale.CreateCounterCmd;
 import org.apache.cloudstack.api.command.admin.autoscale.DeleteCounterCmd;
 import org.apache.cloudstack.api.command.admin.cluster.AddClusterCmd;
@@ -2880,18 +2868,6 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(ReplaceNetworkACLListCmd.class);
         cmdList.add(UpdateNetworkACLItemCmd.class);
         cmdList.add(CleanVMReservationsCmd.class);
-        cmdList.add(CreateAclPolicyCmd.class);
-        cmdList.add(DeleteAclPolicyCmd.class);
-        cmdList.add(ListAclPoliciesCmd.class);
-        cmdList.add(AddAclPermissionToAclPolicyCmd.class);
-        cmdList.add(RemoveAclPermissionFromAclPolicyCmd.class);
-        cmdList.add(AttachAclPolicyToAclGroupCmd.class);
-        cmdList.add(RemoveAclPolicyFromAclGroupCmd.class);
-        cmdList.add(CreateAclGroupCmd.class);
-        cmdList.add(DeleteAclGroupCmd.class);
-        cmdList.add(ListAclGroupsCmd.class);
-        cmdList.add(AddAccountToAclGroupCmd.class);
-        cmdList.add(RemoveAccountFromAclGroupCmd.class);
         return cmdList;
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index adabec6..15d0c55 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -46,6 +46,7 @@ import org.apache.cloudstack.acl.AclPolicyPermission;
 import org.apache.cloudstack.acl.AclService;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.QuerySelector;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@@ -263,6 +264,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     private AclService _aclService;
 
     @Inject
+    QuerySelector _aclQuerySelector;  // we assume that there should be one type of QuerySelector adapter
+
+    @Inject
     private AclPolicyPermissionDao _aclPolicyPermissionDao;
 
     @Inject
@@ -2490,16 +2494,16 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             // search for policy permissions associated with caller to get all his authorized domains, accounts, and resources
             // Assumption: if a domain is in grantedDomains, then all the accounts under this domain will not be returned in "grantedAccounts". Similarly, if an account
             // is in grantedAccounts, then all the resources owned by this account will not be returned in "grantedResources".
-            boolean grantedAll = _aclService.isGrantedAll(caller.getId(), action);
+            boolean grantedAll = _aclQuerySelector.isGrantedAll(caller, action);
             if ( grantedAll ){
                 if ( domainId != null ){
                     permittedDomains.add(domainId);
                 }
             }
             else {
-                List<Long> grantedDomains = _aclService.getGrantedDomains(caller.getId(), action);
-                List<Long> grantedAccounts = _aclService.getGrantedAccounts(caller.getId(), action);
-                List<Long> grantedResources = _aclService.getGrantedResources(caller.getId(), action);
+                List<Long> grantedDomains = _aclQuerySelector.getAuthorizedDomains(caller, action);
+                List<Long> grantedAccounts = _aclQuerySelector.getAuthorizedAccounts(caller, action);
+                List<Long> grantedResources = _aclQuerySelector.getAuthorizedResources(caller, action);
 
                 if (domainId != null) {
                     // specific domain is specified

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/services/iam/plugin/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml
----------------------------------------------------------------------
diff --git a/services/iam/plugin/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml b/services/iam/plugin/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml
index 78b233d..66f5253 100644
--- a/services/iam/plugin/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml
+++ b/services/iam/plugin/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml
@@ -27,6 +27,8 @@
                       http://www.springframework.org/schema/context/spring-context-3.0.xsd"
                       >                     
 
-    <bean id="RoleBasedEntityAccessChecker" class="org.apache.cloudstack.acl.entity.RoleBasedEntityAccessChecker" />
+    <bean id="RoleBasedAPIAccessChecker" class="org.apache.cloudstack.acl.RoleBasedAPIAccessChecker" />
+    <bean id="RoleBasedEntityAccessChecker" class="org.apache.cloudstack.acl.RoleBasedEntityAccessChecker" />
+    <bean id="RoleBasedEntityQuerySelector" class="org.apache.cloudstack.acl.RoleBasedEntityQuerySelector" />
 
 </beans>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
index e32b2d1..3e76a7e 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java
@@ -23,8 +23,6 @@ import javax.inject.Inject;
 
 import org.apache.log4j.Logger;
 
-import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.acl.QuerySelector;
 import org.apache.cloudstack.iam.api.AclPolicy;
 import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import org.apache.cloudstack.iam.api.IAMService;
@@ -99,5 +97,19 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
         return entityIds;
     }
 
+    @Override
+    public boolean isGrantedAll(Account caller, String action) {
+        long accountId = caller.getAccountId();
+        // Get the static Policies of the Caller
+        List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
+        // for each policy, find granted permission with ALL scope
+        for (AclPolicy policy : policies) {
+            List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ALL.toString());
+            if (pp != null && pp.size() > 0) {
+                return true;
+            }
+        }
+        return false;
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
index 3d7bb3c..273c383 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.acl.api;
 
 import java.util.List;
 
+import org.apache.cloudstack.acl.AclProxyService;
 import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.api.response.AclGroupResponse;
 import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
@@ -28,8 +29,9 @@ import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
 
 import com.cloud.user.Account;
+import com.cloud.utils.component.PluggableService;
 
-public interface AclApiService {
+public interface AclApiService extends AclProxyService, PluggableService {
 
     /* ACL group related interfaces */
     AclGroup createAclGroup(Account caller, String aclGroupName, String description);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e42a262f/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
index 3fca5d5..8a1d70f 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -27,6 +27,18 @@ import org.apache.log4j.Logger;
 import org.apache.cloudstack.acl.AclEntityType;
 import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.api.command.AddAccountToAclGroupCmd;
+import org.apache.cloudstack.acl.api.command.AddAclPermissionToAclPolicyCmd;
+import org.apache.cloudstack.acl.api.command.AttachAclPolicyToAclGroupCmd;
+import org.apache.cloudstack.acl.api.command.CreateAclGroupCmd;
+import org.apache.cloudstack.acl.api.command.CreateAclPolicyCmd;
+import org.apache.cloudstack.acl.api.command.DeleteAclGroupCmd;
+import org.apache.cloudstack.acl.api.command.DeleteAclPolicyCmd;
+import org.apache.cloudstack.acl.api.command.ListAclGroupsCmd;
+import org.apache.cloudstack.acl.api.command.ListAclPoliciesCmd;
+import org.apache.cloudstack.acl.api.command.RemoveAccountFromAclGroupCmd;
+import org.apache.cloudstack.acl.api.command.RemoveAclPermissionFromAclPolicyCmd;
+import org.apache.cloudstack.acl.api.command.RemoveAclPolicyFromAclGroupCmd;
 import org.apache.cloudstack.acl.api.response.AclGroupResponse;
 import org.apache.cloudstack.acl.api.response.AclPermissionResponse;
 import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
@@ -100,6 +112,16 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
         return _iamSrv.listAclGroups(accountId);
     }
 
+    @Override
+    public List<String> listAclGroupsByAccount(long accountId) {
+        List<AclGroup> groups = listAclGroups(accountId);
+        List<String> groupNames = new ArrayList<String>();
+        for (AclGroup grp : groups) {
+            groupNames.add(grp.getName());
+        }
+        return groupNames;
+    }
+
     @DB
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding accounts to acl group")
@@ -330,4 +352,21 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
         return response;
     }
 
+    @Override
+    public List<Class<?>> getCommands() {
+        List<Class<?>> cmdList = new ArrayList<Class<?>>();
+        cmdList.add(CreateAclPolicyCmd.class);
+        cmdList.add(DeleteAclPolicyCmd.class);
+        cmdList.add(ListAclPoliciesCmd.class);
+        cmdList.add(AddAclPermissionToAclPolicyCmd.class);
+        cmdList.add(RemoveAclPermissionFromAclPolicyCmd.class);
+        cmdList.add(AttachAclPolicyToAclGroupCmd.class);
+        cmdList.add(RemoveAclPolicyFromAclGroupCmd.class);
+        cmdList.add(CreateAclGroupCmd.class);
+        cmdList.add(DeleteAclGroupCmd.class);
+        cmdList.add(ListAclGroupsCmd.class);
+        cmdList.add(AddAccountToAclGroupCmd.class);
+        cmdList.add(RemoveAccountFromAclGroupCmd.class);
+        return cmdList;
+    }
 }


Mime
View raw message