cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prachida...@apache.org
Subject [1/2] git commit: updated refs/heads/rbac to af14699
Date Fri, 24 Jan 2014 02:18:23 GMT
Updated Branches:
  refs/heads/rbac 39c0a302b -> af14699c4


- Adding OperateEntry during loading of commands

- Replace ListEntry By OperateEntry
- ApiDispatcher should pass on the API name


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/96a64b93
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/96a64b93
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/96a64b93

Branch: refs/heads/rbac
Commit: 96a64b933eb8ef651d5c106b70dba59ae4f2fa96
Parents: 39c0a30
Author: Prachi Damle <prachi@cloud.com>
Authored: Thu Jan 23 17:50:59 2014 -0800
Committer: Prachi Damle <prachi@cloud.com>
Committed: Thu Jan 23 17:50:59 2014 -0800

----------------------------------------------------------------------
 api/src/com/cloud/user/AccountService.java      |  3 ++
 .../apache/cloudstack/acl/SecurityChecker.java  |  3 +-
 server/src/com/cloud/api/ApiDispatcher.java     | 12 ++---
 .../src/com/cloud/user/AccountManagerImpl.java  |  7 ++-
 .../acl/RoleBasedAPIAccessChecker.java          | 10 ++--
 .../acl/RoleBasedEntityAccessChecker.java       | 55 +++++++++++++++-----
 .../cloudstack/iam/api/AclPolicyPermission.java |  1 +
 .../apache/cloudstack/iam/api/IAMService.java   |  5 +-
 .../cloudstack/iam/server/IAMServiceImpl.java   |  8 +--
 .../iam/server/dao/AclPolicyPermissionDao.java  |  2 +-
 .../server/dao/AclPolicyPermissionDaoImpl.java  |  3 +-
 11 files changed, 75 insertions(+), 34 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/api/src/com/cloud/user/AccountService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index 2afaa64..37f6105 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -108,6 +108,9 @@ public interface AccountService {
 
     void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity...
entities) throws PermissionDeniedException;
 
+    void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
+            ControlledEntity... entities) throws PermissionDeniedException;
+
     //TO be implemented, to check accessibility for an entity owned by domain
     void checkAccess(Account account, AccessType accessType, boolean sameOwner, PartOf...
entities) throws PermissionDeniedException;
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/api/src/org/apache/cloudstack/acl/SecurityChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
index 80fc14b..3fdcfed 100644
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@@ -36,7 +36,8 @@ public interface SecurityChecker extends Adapter {
         ModifyProject,
         UseNetwork,
         DeleteEntry,
-        OperateEntry
+        OperateEntry,
+        UseEntry
     }
 
     /**

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/server/src/com/cloud/api/ApiDispatcher.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiDispatcher.java b/server/src/com/cloud/api/ApiDispatcher.java
index 9f4f766..751706d 100755
--- a/server/src/com/cloud/api/ApiDispatcher.java
+++ b/server/src/com/cloud/api/ApiDispatcher.java
@@ -40,6 +40,7 @@ import org.apache.cloudstack.acl.InfrastructureEntity;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
@@ -107,19 +108,14 @@ public class ApiDispatcher {
 
     private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess)
{
         Account caller = CallContext.current().getCallingAccount();
-        Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId());
 
-        if (cmd instanceof BaseAsyncCreateCmd) {
-            //check that caller can access the owner account.
-            _accountMgr.checkAccess(caller, null, true, owner);
-        }
+        APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
+        String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
 
         if (!entitiesToAccess.isEmpty()) {
-            //check that caller can access the owner account.
-            _accountMgr.checkAccess(caller, null, true, owner);
             for (Object entity : entitiesToAccess.keySet()) {
                 if (entity instanceof ControlledEntity) {
-                    _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity)entity);
+                    _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), false,
apiName, (ControlledEntity) entity);
                 } else if (entity instanceof InfrastructureEntity) {
                     //FIXME: Move this code in adapter, remove code from Account manager
                 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index f89e629..2771859 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -447,6 +447,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
 
     @Override
     public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity...
entities) {
+        checkAccess(caller, accessType, sameOwner, null, entities);
+    }
+
+    @Override
+    public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, String
apiName, ControlledEntity... entities) {
         //check for the same owner
         Long ownerId = null;
         ControlledEntity prevEntity = null;
@@ -492,7 +497,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
             }
             boolean granted = false;
             for (SecurityChecker checker : _securityCheckers) {
-                if (checker.checkAccess(caller, entity, accessType)) {
+                if (checker.checkAccess(caller, entity, accessType, apiName)) {
                     if (s_logger.isDebugEnabled()) {
                         s_logger.debug("Access to " + entity + " granted to " + caller +
" by " + checker.getName());
                     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index acd1457..fc39e10 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -30,9 +30,11 @@ import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.BaseAsyncCreateCmd;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.BaseListCmd;
 import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
 import org.apache.cloudstack.iam.api.IAMService;
 
@@ -205,7 +207,9 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements
APIChecker
             try {
                 cmdObj = (BaseCmd) cmdClass.newInstance();
                 if (cmdObj instanceof BaseListCmd) {
-                    accessType = AccessType.ListEntry;
+                    accessType = AccessType.UseEntry;
+                } else if (!(cmdObj instanceof BaseAsyncCreateCmd)) {
+                    accessType = AccessType.OperateEntry;
                 }
             } catch (Exception e) {
                 throw new CloudRuntimeException(String.format(
@@ -238,11 +242,11 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements
APIChecker
 
 
         if (entityTypes == null || entityTypes.length == 0) {
-            _iamSrv.addAclPermissionToAclPolicy(policyId, null, permissionScope.toString(),
new Long(-1),
+            _iamSrv.addAclPermissionToAclPolicy(policyId, null, permissionScope.toString(),
new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
                     apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow);
         } else {
             for (AclEntityType entityType : entityTypes) {
-                _iamSrv.addAclPermissionToAclPolicy(policyId, entityType.toString(), permissionScope.toString(),
new Long(-1),
+                _iamSrv.addAclPermissionToAclPolicy(policyId, entityType.toString(), permissionScope.toString(),
new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
                         apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow);
             }
          }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
index e2b149b..4802456 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@@ -24,6 +24,7 @@ import javax.inject.Inject;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.iam.api.AclPolicy;
 import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import org.apache.cloudstack.iam.api.IAMService;
@@ -71,7 +72,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
         String entityType = entity.getEntityType().toString();
 
         if (accessType == null) {
-            accessType = AccessType.ListEntry;
+            accessType = AccessType.UseEntry;
         }
 
         // get all Policies of this caller w.r.t the entity
@@ -82,13 +83,21 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
             List<AclPolicyPermission> permissions = new ArrayList<AclPolicyPermission>();
 
             if (action != null) {
-                permissions = _iamSrv.listPolicyPermissionByEntityType(policy.getId(), action,
entityType);
+                permissions = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(),
action, entityType);
+                if (permissions.isEmpty()) {
+                    if (accessType != null) {
+                        permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
+                                accessType.toString(), entityType));
+                    }
+                }
             } else {
-                permissions = _iamSrv.listPolicyPermissionByAccessType(policy.getId(), accessType.toString(),
-                        entityType, action);
+                if (accessType != null) {
+                    permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
+                            accessType.toString(), entityType));
+                }
             }
             for (AclPolicyPermission permission : permissions) {
-                if (checkPermissionScope(caller, permission.getScope(), entity)) {
+                if (checkPermissionScope(caller, permission.getScope(), permission.getScopeId(),
entity)) {
                     if (permission.getEntityType().equals(entityType)) {
                         policyPermissionMap.put(policy, permission.getPermission().isGranted());
                         break;
@@ -114,18 +123,38 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
         return false;
     }
 
-    private boolean checkPermissionScope(Account caller, String scope, ControlledEntity entity)
{
+    private boolean checkPermissionScope(Account caller, String scope, Long scopeId, ControlledEntity
entity) {
 
-        if (scope.equals(PermissionScope.ACCOUNT.name())) {
-            if(caller.getAccountId() == entity.getAccountId()){
-                return true;
+        if(scopeId != null && !scopeId.equals(new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))){
+            //scopeId is set
+            if (scope.equals(PermissionScope.ACCOUNT.name())) {
+                if(scopeId == entity.getAccountId()){
+                    return true;
+                }
+            } else if (scope.equals(PermissionScope.DOMAIN.name())) {
+                if (_domainDao.isChildDomain(scopeId, entity.getDomainId())) {
+                    return true;
+                }
+            } else if (scope.equals(PermissionScope.RESOURCE.name())) {
+                if (entity instanceof InternalIdentity) {
+                    InternalIdentity entityWithId = (InternalIdentity) entity;
+                    if(scopeId.equals(entityWithId.getId())){
+                        return true;
+                    }
+                }
             }
-        } else if (scope.equals(PermissionScope.DOMAIN.name())) {
-            if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
-                return true;
+        } else if (scopeId == null || scopeId.equals(new Long(AclPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER)))
{
+            if (scope.equals(PermissionScope.ACCOUNT.name())) {
+                if(caller.getAccountId() == entity.getAccountId()){
+                    return true;
+                }
+            } else if (scope.equals(PermissionScope.DOMAIN.name())) {
+                if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId()))
{
+                    return true;
+                }
             }
         }
-
+        
         return false;
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java
b/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java
index 38e5d05..f0352bc 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java
@@ -49,4 +49,5 @@ public interface AclPolicyPermission {
 
     long getId();
 
+    public static final long PERMISSION_SCOPE_ID_CURRENT_CALLER = -1;
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 2d303d1..90dbb57 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -66,7 +66,7 @@ public interface IAMService {
 
     List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action,
String scope);
 
-    List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId, String
action, String entityType);
+    List<AclPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId,
String action, String entityType);
 
     boolean isActionAllowedForPolicies(String action, List<AclPolicy> policies);
 
@@ -74,6 +74,7 @@ public interface IAMService {
 
     AclPolicy resetAclPolicy(long aclPolicyId);
 
-    List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId, String
accessType, String entityType, String action);
+    List<AclPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId,
String accessType,
+            String entityType);
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 6eb3223..8a070dd 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -670,7 +670,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService,
Manager {
 
     @SuppressWarnings("unchecked")
     @Override
-    public List<AclPolicyPermission> listPolicyPermissionByEntityType(long policyId,
String action, String entityType) {
+    public List<AclPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId,
String action,
+            String entityType) {
         @SuppressWarnings("rawtypes")
         List pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
         return pp;
@@ -678,9 +679,10 @@ public class IAMServiceImpl extends ManagerBase implements IAMService,
Manager {
 
     @SuppressWarnings("unchecked")
     @Override
-    public List<AclPolicyPermission> listPolicyPermissionByAccessType(long policyId,
String accessType, String entityType, String action) {
+    public List<AclPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId,
String accessType,
+            String entityType) {
         @SuppressWarnings("rawtypes")
-        List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType,
entityType, action);
+        List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType,
entityType);
         return pp;
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
index 5abadf9..53c8983 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
@@ -33,6 +33,6 @@ public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO
 
     List<AclPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action,
String entityType);
 
-    List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, String accessType,
String entityType, String action);
+    List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType,
String entityType);
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96a64b93/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
index b014cb4..d738e00 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
@@ -104,12 +104,11 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
 
     @Override
     public List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String
accessType,
-            String entityType, String action) {
+            String entityType) {
         SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
         sc.setParameters("policyId", policyId);
         sc.setParameters("entityType", entityType);
         sc.setParameters("accessType", accessType);
-        sc.setParameters("action", action);
         return listBy(sc);
     }
 


Mime
View raw message