cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prachida...@apache.org
Subject git commit: updated refs/heads/rbac to 28b81e4
Date Mon, 06 Jan 2014 05:44:19 GMT
Updated Branches:
  refs/heads/rbac d374cd5a2 -> 28b81e423


Changing the access checkers to work with IAM server


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/28b81e42
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/28b81e42
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/28b81e42

Branch: refs/heads/rbac
Commit: 28b81e423ec3cad3da7aecf39d6dc092945aaf69
Parents: d374cd5
Author: Prachi Damle <prachi@cloud.com>
Authored: Sun Jan 5 21:40:50 2014 -0800
Committer: Prachi Damle <prachi@cloud.com>
Committed: Sun Jan 5 21:41:39 2014 -0800

----------------------------------------------------------------------
 .../acl/RoleBasedAPIAccessChecker.java          |  2 +-
 .../acl/RoleBasedEntityAccessChecker.java       | 25 +++++++++-----------
 .../cloudstack/acl/api/AclApiService.java       |  2 --
 .../cloudstack/acl/api/AclApiServiceImpl.java   |  9 ++-----
 .../apache/cloudstack/iam/api/IAMService.java   |  6 +++--
 .../cloudstack/iam/server/IAMServiceImpl.java   | 19 +++++++++++----
 .../iam/server/dao/AclPolicyPermissionDao.java  |  2 +-
 .../server/dao/AclPolicyPermissionDaoImpl.java  |  3 ++-
 8 files changed, 35 insertions(+), 33 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index 1586c52..d193c94 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -86,7 +86,7 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 
         List<AclPolicy> policies = _iamSrv.listAclPolicies(account.getAccountId());
 
-        boolean isAllowed = _iamSrv.isAPIAccessibleForPolicies(commandName, policies);
+        boolean isAllowed = _iamSrv.isActionAllowedForPolicies(commandName, policies);
         if (!isAllowed) {
             throw new PermissionDeniedException("The API does not exist or is blacklisted.
api: " + commandName);
         }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
index fa74604..e180000 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@@ -25,9 +25,9 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.api.AclApiService;
-import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
-import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
 import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
+import org.apache.cloudstack.iam.api.IAMService;
 
 import com.cloud.acl.DomainChecker;
 import com.cloud.domain.dao.DomainDao;
@@ -47,10 +47,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
     @Inject DomainDao _domainDao;
 
     @Inject
-    AclGroupAccountMapDao _aclGroupAccountMapDao;
-
-    @Inject
-    AclPolicyPermissionDao _policyPermissionDao;
+    IAMService _iamSrv;
 
 
     @Override
@@ -74,15 +71,15 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
         HashMap<AclPolicy, Boolean> policyPermissionMap = new HashMap<AclPolicy,
Boolean>();
 
         for (AclPolicy policy : policies) {
-            List<AclPolicyPermissionVO> permissions = new ArrayList<AclPolicyPermissionVO>();
+            List<AclPolicyPermission> permissions = new ArrayList<AclPolicyPermission>();
 
             if (action != null) {
-                permissions = _policyPermissionDao.listByPolicyActionAndEntity(policy.getId(),
-                    action, entityType);
+                permissions = _iamSrv.listPolicyPermissionByEntityType(policy.getId(), action,
entityType);
             } else {
-                permissions = _policyPermissionDao.listByPolicyAccessAndEntity(policy.getId(),
accessType, entityType);
+                permissions = _iamSrv.listPolicyPermissionByAccessType(policy.getId(), accessType.toString(),
+                        entityType, action);
             }
-            for (AclPolicyPermissionVO permission : permissions) {
+            for (AclPolicyPermission permission : permissions) {
                 if (checkPermissionScope(caller, permission.getScope(), entity)) {
                     if (permission.getEntityType().equals(entityType)) {
                         policyPermissionMap.put(policy, permission.getPermission().isGranted());
@@ -109,13 +106,13 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
         return false;
     }
 
-    private boolean checkPermissionScope(Account caller, PermissionScope scope, ControlledEntity
entity) {
+    private boolean checkPermissionScope(Account caller, String scope, ControlledEntity entity)
{
         
-        if(scope.equals(PermissionScope.ACCOUNT)){
+        if (scope.equals(PermissionScope.ACCOUNT.name())) {
             if(caller.getAccountId() == entity.getAccountId()){
                 return true;
             }
-        }else if(scope.equals(PermissionScope.DOMAIN)){
+        } else if (scope.equals(PermissionScope.DOMAIN.name())) {
             if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
                 return true;
             }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
index 344e59c..12ecf8b 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
@@ -60,8 +60,6 @@ public interface AclApiService {
 
     AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String
action);
 
-    boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
-
     List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
 
     /* Response Generation */

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
index 02d015c..b117d0c 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -174,7 +174,8 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService,
Man
         List<AclPolicy> policies = _iamSrv.listAclPolicies(accountId);
         AclPolicyPermission curPerm = null;
         for (AclPolicy policy : policies) {
-            List<AclPolicyPermission> perms = _iamSrv.listPollcyPermissionByEntityType(policy.getId(),
action, entityType);
+            List<AclPolicyPermission> perms = _iamSrv.listPolicyPermissionByEntityType(policy.getId(),
action,
+                    entityType);
             if (perms == null || perms.size() == 0)
                 continue;
             AclPolicyPermission perm = perms.get(0); // just pick one
@@ -190,12 +191,6 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService,
Man
     }
 
 
-
-    @Override
-    public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies)
{
-        return _iamSrv.isAPIAccessibleForPolicies(apiName, policies);
-    }
-
     @Override
     public List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity)
{
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index f85803b..2d303d1 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -66,12 +66,14 @@ public interface IAMService {
 
     List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action,
String scope);
 
-    List<AclPolicyPermission> listPollcyPermissionByEntityType(long policyId, String
action, String entityType);
+    List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId, String
action, String entityType);
 
-    boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
+    boolean isActionAllowedForPolicies(String action, List<AclPolicy> policies);
 
     List<Long> getGrantedEntities(long accountId, String action, String scope);
 
     AclPolicy resetAclPolicy(long aclPolicyId);
 
+    List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId, String
accessType, String entityType, String action);
+
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 3696bb9..e6fcdcd 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -601,9 +601,9 @@ public class IAMServiceImpl extends ManagerBase implements IAMService,
Manager {
     }
 
     @Override
-    public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies)
{
+    public boolean isActionAllowedForPolicies(String action, List<AclPolicy> policies)
{
 
-        boolean accessible = false;
+        boolean allowed = false;
 
         List<Long> policyIds = new ArrayList<Long>();
         for (AclPolicy policy : policies) {
@@ -616,14 +616,15 @@ public class IAMServiceImpl extends ManagerBase implements IAMService,
Manager {
 
         SearchCriteria<AclPolicyPermissionVO> sc = sb.create();
         sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
+        sc.setParameters("action", action);
 
         List<AclPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc,
null);
 
         if (permissions != null && !permissions.isEmpty()) {
-            accessible = true;
+            allowed = true;
         }
 
-        return accessible;
+        return allowed;
     }
 
 
@@ -664,7 +665,7 @@ public class IAMServiceImpl extends ManagerBase implements IAMService,
Manager {
     }
 
     @Override
-    public List<AclPolicyPermission> listPollcyPermissionByEntityType(long policyId,
String action, String entityType) {
+    public List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId,
String action, String entityType) {
         List<AclPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId,
action, entityType);
         List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
         pl.addAll(pp);
@@ -672,6 +673,14 @@ public class IAMServiceImpl extends ManagerBase implements IAMService,
Manager {
     }
 
     @Override
+    public List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId,
String accessType, String entityType, String action) {
+        List<AclPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId,
accessType, entityType, action);
+        List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
+        pl.addAll(pp);
+        return pl;
+    }
+    
+    @Override
     public AclPolicy getResourceOwnerPolicy() {
         return _aclPolicyDao.findByName("RESOURCE_OWNER");
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
index f2da895..5abadf9 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
@@ -33,6 +33,6 @@ public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO
 
     List<AclPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action,
String entityType);
 
-    List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, String accessType,
String entityType);
+    List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, String accessType,
String entityType, String action);
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/28b81e42/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
index d738e00..b014cb4 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
@@ -104,11 +104,12 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
 
     @Override
     public List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String
accessType,
-            String entityType) {
+            String entityType, String action) {
         SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
         sc.setParameters("policyId", policyId);
         sc.setParameters("entityType", entityType);
         sc.setParameters("accessType", accessType);
+        sc.setParameters("action", action);
         return listBy(sc);
     }
 


Mime
View raw message