cloudstack-commits mailing list archives

From mc...@apache.org
Subject git commit: updated refs/heads/rbac to 72812cd
Date Wed, 29 Jan 2014 01:42:27 GMT
Updated Branches:
  refs/heads/rbac 748dc1541 -> 72812cdf2


Grant public template permission to domain admin and normal user policy.

Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/72812cdf
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/72812cdf
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/72812cdf

Branch: refs/heads/rbac
Commit: 72812cdf22b1f76f96b1e94e018b9b634dd70678
Parents: 748dc15
Author: Min Chen <min.chen@citrix.com>
Authored: Tue Jan 28 17:41:27 2014 -0800
Committer: Min Chen <min.chen@citrix.com>
Committed: Tue Jan 28 17:41:27 2014 -0800

----------------------------------------------------------------------
 .../src/com/cloud/template/TemplateManager.java      |  1 +
 .../cloud/template/HypervisorTemplateAdapter.java    |  8 ++++++++
 .../cloudstack/acl/RoleBasedAPIAccessChecker.java    | 13 +++++++++++++
 .../apache/cloudstack/acl/api/AclApiServiceImpl.java | 15 +++++++++++++++
 4 files changed, 37 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/72812cdf/engine/components-api/src/com/cloud/template/TemplateManager.java
----------------------------------------------------------------------
diff --git a/engine/components-api/src/com/cloud/template/TemplateManager.java b/engine/components-api/src/com/cloud/template/TemplateManager.java
index 0a07f6b..7cb53cf 100755
--- a/engine/components-api/src/com/cloud/template/TemplateManager.java
+++ b/engine/components-api/src/com/cloud/template/TemplateManager.java
@@ -113,4 +113,5 @@ public interface TemplateManager {
 
     TemplateInfo prepareIso(long isoId, long dcId);
 
+    public static final String MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT = "Message.RegisterPublicTemplate.Event";
 }
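Review bot: The new constant does not document what payload subscribers receive, yet the subscriber added in AclApiServiceImpl later in this commit casts the message object straight to `Long`. A Javadoc line such as `/** Published after a public template is registered; payload is the template id as a Long. */` would pin that contract for future publishers. As a style point, `public static final` is redundant on an interface field.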

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/72812cdf/server/src/com/cloud/template/HypervisorTemplateAdapter.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/HypervisorTemplateAdapter.java b/server/src/com/cloud/template/HypervisorTemplateAdapter.java
index 25e79db..deda42a 100755
--- a/server/src/com/cloud/template/HypervisorTemplateAdapter.java
+++ b/server/src/com/cloud/template/HypervisorTemplateAdapter.java
@@ -44,6 +44,8 @@ import org.apache.cloudstack.framework.async.AsyncCallFuture;
 import org.apache.cloudstack.framework.async.AsyncCallbackDispatcher;
 import org.apache.cloudstack.framework.async.AsyncCompletionCallback;
 import org.apache.cloudstack.framework.async.AsyncRpcContext;
+import org.apache.cloudstack.framework.messagebus.MessageBus;
+import org.apache.cloudstack.framework.messagebus.PublishScope;
 import org.apache.cloudstack.storage.datastore.db.TemplateDataStoreVO;
 import org.apache.cloudstack.storage.image.datastore.ImageStoreEntity;
 
@@ -95,6 +97,8 @@ public class HypervisorTemplateAdapter extends TemplateAdapterBase {
     EndPointSelector _epSelector;
     @Inject
     DataCenterDao _dcDao;
+    @Inject
+    MessageBus _messageBus;
 
     @Override
     public String getName() {
@@ -267,6 +271,10 @@ public class HypervisorTemplateAdapter extends TemplateAdapterBase {
         TemplateInfo template = context.template;
         if (result.isSuccess()) {
             VMTemplateVO tmplt = _tmpltDao.findById(template.getId());
+            // need to grant permission for public templates
+            if (tmplt.isPublicTemplate()) {
+                _messageBus.publish(_name, TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT,
PublishScope.LOCAL, tmplt.getId());
+            }
             long accountId = tmplt.getAccountId();
             if (template.getSize() != null) {
                 // publish usage event
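Review bot: The grant is published only on this create-success path, so the IAM entries reflect a template's visibility at registration time, and nothing visible in this commit updates them afterwards. A template that is later made private or deleted would apparently keep its `Allow` entries in the domain-admin and normal-user policies. One that is made public later would get no entry until the startup pass in RoleBasedAPIAccessChecker runs again. Consider publishing a matching event from the permission-update and delete paths so the subscriber can revoke, and extend the comment to say so, e.g. `// grants listTemplates via IAM subscriber; revocation on unpublish/delete must be handled separately`. The enclosing callback starts and ends outside this hunk.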

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/72812cdf/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index fc39e10..5a32298 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -40,6 +40,8 @@ import org.apache.cloudstack.iam.api.IAMService;
 
 import com.cloud.api.ApiServerService;
 import com.cloud.exception.PermissionDeniedException;
+import com.cloud.storage.VMTemplateVO;
+import com.cloud.storage.dao.VMTemplateDao;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
@@ -61,6 +63,8 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
     ApiServerService _apiServer;
     @Inject
     IAMService _iamSrv;
+    @Inject
+    VMTemplateDao _templateDao;
 
     Set<String> commandsPropertiesOverrides = new HashSet<String>();
     Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap = new HashMap<RoleType,
Set<String>>();
@@ -122,6 +126,15 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements
APIChecker
         _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
+ 1), null, null, null,
                 "DomainResourceCapability", null, Permission.Allow);
 
+        // add permissions for public templates
+        List<VMTemplateVO> pTmplts = _templateDao.listByPublic();
+        for (VMTemplateVO tmpl : pTmplts){
+            _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN
+ 1), AclEntityType.VirtualMachineTemplate.toString(),
+                    PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(),
Permission.Allow);
+            _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1),
AclEntityType.VirtualMachineTemplate.toString(),
+                    PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(),
Permission.Allow);
+        }
+
         for (PluggableService service : _services) {
             for (Class<?> cmdClass : service.getCommands()) {
                 APICommand command = cmdClass.getAnnotation(APICommand.class);
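Review bot: The added loop re-adds two `Allow` entries for every public template each time this method runs. Whether `addAclPermissionToAclPolicy` de-duplicates is not visible here, and if it does not, every restart adds duplicate rows to the policy permissions. The target policy is addressed as `new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1)`, which assumes policy ids track the account-type constants. A named constant or a lookup by policy name would make a grant landing on the wrong policy much harder. The same pair of calls is repeated in AclApiServiceImpl, so a single shared helper, for example `grantPublicTemplateAccess(long templateId)`, would keep the startup and event paths in step. The enclosing method begins and continues outside the hunk.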

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/72812cdf/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
index d50f4f2..35f7d96 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -65,6 +65,7 @@ import com.cloud.domain.dao.DomainDao;
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.template.TemplateManager;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.AccountVO;
@@ -150,6 +151,20 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService,
Man
             }
         });
 
+        _messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new
MessageSubscriber() {
+            @Override
+            public void onPublishMessage(String senderAddress, String subject, Object obj)
{
+                Long templateId = (Long)obj;
+                if (templateId != null) {
+                    s_logger.debug("MessageBus message: new public template registered: "
+ templateId + ", grant permission to domain admin and normal user policies");
+                    _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN
+ 1), AclEntityType.VirtualMachineTemplate.toString(),
+                            PermissionScope.RESOURCE.toString(), templateId, "listTemplates",
AccessType.UseEntry.toString(), Permission.Allow);
+                    _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL
+ 1), AclEntityType.VirtualMachineTemplate.toString(),
+                            PermissionScope.RESOURCE.toString(), templateId, "listTemplates",
AccessType.UseEntry.toString(), Permission.Allow);
+                }
+            }
+        });
+
         return super.configure(name, params);
     }
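Review bot: `Long templateId = (Long)obj;` trusts every publisher on this subject to send a `Long`, so any other payload type throws `ClassCastException` inside the bus callback instead of being rejected cleanly. A guard such as `if (!(obj instanceof Long)) { s_logger.warn("unexpected payload on " + subject); return; }` before the cast would handle that. The two grants are also issued back to back with no error handling, so if the first call throws, the normal-user policy is left without its entry and nothing visible here retries. Because this handler changes authorization state, logging the grant at info rather than debug would leave a usable audit trail.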
 

