From prachida...@apache.org
Subject [1/2] git commit: updated refs/heads/rbac to f1ecd9e
Date Sat, 11 Jan 2014 09:14:02 GMT
Updated Branches:
  refs/heads/rbac 4bb31c204 -> f1ecd9ed3


RootAdmin and DomainAdmin access check via IAM


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6cd121fe
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6cd121fe
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6cd121fe

Branch: refs/heads/rbac
Commit: 6cd121fe7b5a38641cb9f8b1df10dab564aa31f8
Parents: 4bb31c2
Author: Prachi Damle <prachi@cloud.com>
Authored: Fri Jan 10 17:06:10 2014 -0800
Committer: Prachi Damle <prachi@cloud.com>
Committed: Fri Jan 10 17:06:10 2014 -0800

----------------------------------------------------------------------
 .../src/com/cloud/user/AccountManagerImpl.java   | 19 +++++++++++++++----
 .../acl/RoleBasedEntityAccessChecker.java        | 11 +++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6cd121fe/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 22dd4ed..1701464 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -360,17 +360,28 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
     @Override
     public boolean isRootAdmin(long accountId) {
         AccountVO acct = _accountDao.findById(accountId);
-        if (acct != null && acct.getType() == Account.ACCOUNT_TYPE_ADMIN) {
-            return true;
+        for (SecurityChecker checker : _securityCheckers) {
+            if (checker.checkAccess(acct, null, null, "SystemCapability")) {
+                if (s_logger.isDebugEnabled()) {
+                    s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                }
+                return true;
+            }
         }
+
         return false;
     }
 
     @Override
     public boolean isDomainAdmin(long accountId) {
         AccountVO acct = _accountDao.findById(accountId);
-        if (acct != null && acct.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
{
-            return true;
+        for (SecurityChecker checker : _securityCheckers) {
+            if (checker.checkAccess(acct, null, null, "DomainCapability")) {
+                if (s_logger.isDebugEnabled()) {
+                    s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                }
+                return true;
+            }
         }
         return false;
     }
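Review bot: The `acct != null` guard carried by the removed lines is gone from both isRootAdmin and isDomainAdmin, yet `_accountDao.findById` can still return null and `acct` is then handed straight to `checker.checkAccess(acct, null, null, ...)`; the RoleBasedEntityAccessChecker hunk below calls `caller.getAccountId()` on that argument, so an unknown account id now ends in a NullPointerException instead of `false`. Add `if (acct == null) { return false; }` before each loop. The debug message in isDomainAdmin is a copy of the one in isRootAdmin and logs `"Root Access granted to "` for a domain-admin grant; make it `"Domain Admin Access granted to " + acct + " by " + checker.getName()`. The action names `"SystemCapability"` and `"DomainCapability"` are free-form strings that the checker matches by value; a shared constant would keep the two sides from drifting.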

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6cd121fe/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
index 040a3e5..85e7278 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@@ -57,6 +57,17 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements
Secur
     public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType,
String action)
             throws PermissionDeniedException {
 
+        if (entity == null && action != null) {
+            // check if caller can do this action
+            List<AclPolicy> policies = _iamSrv.listAclPolicies(caller.getAccountId());
+
+            boolean isAllowed = _iamSrv.isActionAllowedForPolicies(action, policies);
+            if (!isAllowed) {
+                throw new PermissionDeniedException("The action '" + action + "' not allowed
for account " + caller);
+            }
+            return true;
+        }
+
         String entityType = entity.getEntityType().toString();
 
         if (accessType == null) {
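Review bot: The new branch signals a deny by throwing PermissionDeniedException rather than returning false, so a caller that iterates several SecurityCheckers — as isRootAdmin and isDomainAdmin now do in the companion AccountManagerImpl hunk — stops at the first checker that does not grant the capability instead of consulting the next one or returning `false` for an ordinary account. If a thrown exception is the intended contract for "action not allowed", state it in the method's Javadoc (`@throws PermissionDeniedException if the caller holds no policy allowing {@code action}`); otherwise `return false;` in place of the throw lets the caller treat the outcome as a boolean. The inline comment `// check if caller can do this action` would be clearer as `// entity-less call: authorize the action itself against the caller's ACL policies`. The method body continues outside the hunk.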

