From prachida...@apache.org
Subject [1/2] git commit: updated refs/heads/rbac to 04a0d12
Date Fri, 03 Jan 2014 18:51:41 GMT
Updated Branches:
  refs/heads/rbac dd8dcd949 -> 04a0d12a6


Moved the loading of commands.properties to the IAM plugin


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e5b4a1d8
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e5b4a1d8
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e5b4a1d8

Branch: refs/heads/rbac
Commit: e5b4a1d86923e86812519421b64084672d5a9f26
Parents: dd8dcd9
Author: Prachi Damle <prachi@cloud.com>
Authored: Fri Dec 27 23:01:10 2013 -0800
Committer: Prachi Damle <prachi@cloud.com>
Committed: Thu Jan 2 18:39:18 2014 -0800

----------------------------------------------------------------------
 server/src/com/cloud/api/ApiServer.java         | 144 ---------------
 .../acl/RoleBasedAPIAccessChecker.java          | 179 +++++++++++++++++--
 services/iam/pom.xml                            |  20 +++
 services/iam/server/pom.xml                     |  12 --
 .../apache/cloudstack/iam/api/IAMService.java   |   1 +
 .../cloudstack/iam/server/IAMServiceImpl.java   |  20 +++
 .../cloudstack/iam/IAMServiceUnitTest.java      |   1 -
 7 files changed, 207 insertions(+), 170 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 95e13a5..e4bbf32 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -190,10 +190,6 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler,
ApiSer
     private static final DateFormat _dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ");
     private static Map<String, List<Class<?>>> _apiNameCmdClassMap = new
HashMap<String, List<Class<?>>>();
 
-    private static Set<String> commandsPropertiesOverrides = new HashSet<String>();
-    private static Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap
= new HashMap<RoleType, Set<String>>();
-
-
     private static ExecutorService _executor = new ThreadPoolExecutor(10, 150, 60, TimeUnit.SECONDS,
new LinkedBlockingQueue<Runnable>(), new NamedThreadFactory("ApiServer"));
 
     public ApiServer() {
@@ -201,7 +197,6 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler,
ApiSer
 
     @Override
     public boolean configure(String name, Map<String, Object> params) throws ConfigurationException
{
-        processMapping(PropertiesUtil.processConfigFile(new String[] { "commands.properties"
}));
         return true;
     }
 
@@ -238,39 +233,6 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler,
ApiSer
             }
         }
 
-        // drop all default policy api permissions - we reload them every time
-        // to include any chanegs done to the @APICommand or
-        // commands.properties.
-        SearchBuilder<AclPolicyPermissionVO> sb = _aclPermissionDao.createSearchBuilder();
-        sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
-        sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
-        sb.done();
-
-        SearchCriteria<AclPolicyPermissionVO> permissionSC = sb.create();
-
-        for (RoleType role : RoleType.values()) {
-            permissionSC.setParameters("policyId", role.ordinal() + 1);
-            switch (role) {
-            case User:
-                permissionSC.setParameters("scope", PermissionScope.ACCOUNT.toString());
-                break;
-
-            case Admin:
-                permissionSC.setParameters("scope", PermissionScope.ALL.toString());
-                break;
-
-            case DomainAdmin:
-                permissionSC.setParameters("scope", PermissionScope.DOMAIN.toString());
-                break;
-
-            case ResourceAdmin:
-                permissionSC.setParameters("scope", PermissionScope.DOMAIN.toString());
-                break;
-            }
-            _aclPermissionDao.expunge(permissionSC);
-
-        }
-
         for(Class<?> cmdClass: cmdClasses) {
             APICommand at = cmdClass.getAnnotation(APICommand.class);
             if (at == null) {
@@ -283,28 +245,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler,
ApiSer
                 _apiNameCmdClassMap.put(apiName, apiCmdList);
             }
             apiCmdList.add(cmdClass);
-
-            if (!commandsPropertiesOverrides.contains(apiName)) {
-                for (RoleType role : at.authorized()) {
-                    addDefaultAclPolicyPermission(apiName, cmdClass, role);
-                }
-            }
-        }
-
-        // read commands.properties and load api acl permissions -
-        // commands.properties overrides any @APICommand authorization
-
-        for (String apiName : commandsPropertiesOverrides) {
-            Class<?> cmdClass = getCmdClass(apiName);
-            for (RoleType role : RoleType.values()) {
-                if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) {
-                    // insert permission for this role for this api
-                    addDefaultAclPolicyPermission(apiName, cmdClass, role);
-                }
-            }
         }
 
-
         encodeApiResponse = Boolean.valueOf(_configDao.getValue(Config.EncodeApiResponse.key()));
         String jsonType = _configDao.getValue(Config.JavaScriptDefaultContentType.key());
         if (jsonType != null) {
@@ -319,92 +261,6 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler,
ApiSer
         return true;
     }
 
-    private void processMapping(Map<String, String> configMap) {
-        for (RoleType roleType : RoleType.values()) {
-            commandsPropertiesRoleBasedApisMap.put(roleType, new HashSet<String>());
-        }
-
-        for (Map.Entry<String, String> entry : configMap.entrySet()) {
-            String apiName = entry.getKey();
-            String roleMask = entry.getValue();
-            commandsPropertiesOverrides.add(apiName);
-            try {
-                short cmdPermissions = Short.parseShort(roleMask);
-                for (RoleType roleType : RoleType.values()) {
-                    if ((cmdPermissions & roleType.getValue()) != 0)
-                        commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName);
-                }
-            } catch (NumberFormatException nfe) {
-                s_logger.info("Malformed key=value pair for entry: " + entry.toString());
-            }
-        }
-    }
-
-    private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType
role) {
-
-        boolean isReadCommand = false;
-        AclEntityType[] entityTypes = null;
-        if (cmdClass != null) {
-            BaseCmd cmdObj;
-            try {
-                cmdObj = (BaseCmd) cmdClass.newInstance();
-                if (cmdObj instanceof BaseListCmd) {
-                    isReadCommand = true;
-                }
-            } catch (Exception e) {
-                throw new CloudRuntimeException(String.format(
-                        "%s is claimed as an API command, but it cannot be instantiated",
cmdClass.getName()));
-            }
-
-            APICommand at = cmdClass.getAnnotation(APICommand.class);
-            entityTypes = at.entityType();
-        }
-
-        AclPolicyPermissionVO apiPermission = null;
-        PermissionScope permissionScope = PermissionScope.ACCOUNT;
-        switch (role) {
-        case User:
-            permissionScope = PermissionScope.ACCOUNT;
-            break;
-
-        case Admin:
-            permissionScope = PermissionScope.ALL;
-            break;
-
-        case DomainAdmin:
-            permissionScope = PermissionScope.DOMAIN;
-            break;
-
-        case ResourceAdmin:
-            permissionScope = PermissionScope.DOMAIN;
-            break;
-        }
-
-        if (entityTypes == null || entityTypes.length == 0) {
-            apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, null,
null, permissionScope,
-                    new Long(-1), Permission.Allow);
-            if (apiPermission != null) {
-                if (isReadCommand) {
-                    apiPermission.setAccessType(AccessType.ListEntry);
-                }
-                _aclPermissionDao.persist(apiPermission);
-            }
-        } else {
-
-            for (AclEntityType entityType : entityTypes) {
-                apiPermission = new AclPolicyPermissionVO(role.ordinal() + 1, apiName, entityType.toString(),
null,
-                        permissionScope, new Long(-1), Permission.Allow);
-                if (apiPermission != null) {
-                    if (isReadCommand) {
-                        apiPermission.setAccessType(AccessType.ListEntry);
-                    }
-                    _aclPermissionDao.persist(apiPermission);
-                }
-            }
-        }
-
-    }
-
     // NOTE: handle() only handles over the wire (OTW) requests from integration.api.port
8096
     // If integration api port is not configured, actual OTW requests will be received by
ApiServlet
     @SuppressWarnings({ "unchecked", "rawtypes" })

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index f133f37..1586c52 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -16,52 +16,205 @@
 // under the License.
 package org.apache.cloudstack.acl;
 
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
 
 import javax.ejb.Local;
 import javax.inject.Inject;
+import javax.naming.ConfigurationException;
 
 import org.apache.log4j.Logger;
 
-import org.apache.cloudstack.acl.api.AclApiService;
+import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.AclEntityType;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.BaseListCmd;
 import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
+import org.apache.cloudstack.iam.api.IAMService;
 
+import com.cloud.api.ApiServerService;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
+import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.cloud.utils.exception.CloudRuntimeException;
 
-// This is the Role Based API access checker that grab's the  account's roles
-// based on the set of roles, access is granted if any of the role has access to the api
+//This is the Role Based API access checker that grab's the  account's roles
+//based on the set of roles, access is granted if any of the role has access to the api
 @Local(value=APIChecker.class)
 public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
 
     protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class);
 
-    @Inject AccountService _accountService;
-    @Inject AclApiService _aclService;
+    @Inject
+    AccountService _accountService;
+    @Inject
+    ApiServerService _apiServer;
+    @Inject
+    IAMService _iamSrv;
+
+    Set<String> commandsPropertiesOverrides = new HashSet<String>();
+    Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap = new HashMap<RoleType,
Set<String>>();
+
+    List<PluggableService> _services;
 
     protected RoleBasedAPIAccessChecker() {
         super();
-    }
+        for (RoleType roleType : RoleType.values()) {
+            commandsPropertiesRoleBasedApisMap.put(roleType, new HashSet<String>());
+        }
+     }
 
     @Override
-    public boolean checkAccess(User user, String commandName)
-            throws PermissionDeniedException {
+    public boolean checkAccess(User user, String commandName) throws PermissionDeniedException
{
         Account account = _accountService.getAccount(user.getAccountId());
         if (account == null) {
-            throw new PermissionDeniedException("The account id=" + user.getAccountId() +
"for user id=" + user.getId() + "is null");
+            throw new PermissionDeniedException("The account id=" + user.getAccountId() +
"for user id=" + user.getId()
+                    + "is null");
         }
 
-        List<AclPolicy> policies = _aclService.listAclPolicies(account.getAccountId());
-
+        List<AclPolicy> policies = _iamSrv.listAclPolicies(account.getAccountId());
 
-        boolean isAllowed = _aclService.isAPIAccessibleForPolicies(commandName, policies);
+        boolean isAllowed = _iamSrv.isAPIAccessibleForPolicies(commandName, policies);
         if (!isAllowed) {
             throw new PermissionDeniedException("The API does not exist or is blacklisted.
api: " + commandName);
         }
         return isAllowed;
-    }
+     }
+
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException
{
+        super.configure(name, params);
+
+        processMapping(PropertiesUtil.processConfigFile(new String[] { "commands.properties"
}));
+        return true;
+     }
+
+    @Override
+    public boolean start() {
+
+        // drop all default policy api permissions - we reload them every time
+        // to include any changes done to the @APICommand or
+        // commands.properties.
+
+        for (RoleType role : RoleType.values()) {
+            _iamSrv.resetAclPolicy(role.ordinal() + 1);
+         }
+
+        for (PluggableService service : _services) {
+            for (Class<?> cmdClass : service.getCommands()) {
+                APICommand command = cmdClass.getAnnotation(APICommand.class);
+                if (!commandsPropertiesOverrides.contains(command.name())) {
+                    for (RoleType role : command.authorized()) {
+                        addDefaultAclPolicyPermission(command.name(), cmdClass, role);
+                    }
+                 }
+             }
+         }
+
+        // read commands.properties and load api acl permissions -
+        // commands.properties overrides any @APICommand authorization
+
+        for (String apiName : commandsPropertiesOverrides) {
+            Class<?> cmdClass = _apiServer.getCmdClass(apiName);
+            for (RoleType role : RoleType.values()) {
+                if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) {
+                    // insert permission for this role for this api
+                    addDefaultAclPolicyPermission(apiName, cmdClass, role);
+                }
+             }
+         }
+
+        return super.start();
+     }
+
+    private void processMapping(Map<String, String> configMap) {
+        for (Map.Entry<String, String> entry : configMap.entrySet()) {
+            String apiName = entry.getKey();
+            String roleMask = entry.getValue();
+            commandsPropertiesOverrides.add(apiName);
+            try {
+                short cmdPermissions = Short.parseShort(roleMask);
+                for (RoleType roleType : RoleType.values()) {
+                    if ((cmdPermissions & roleType.getValue()) != 0)
+                        commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName);
+                }
+            } catch (NumberFormatException nfe) {
+                s_logger.info("Malformed key=value pair for entry: " + entry.toString());
+             }
+         }
+     }
+
+    public List<PluggableService> getServices() {
+        return _services;
+     }
+
+    @Inject
+    public void setServices(List<PluggableService> _services) {
+        this._services = _services;
+     }
+
+    private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType
role) {
+
+        AccessType accessType = null;
+        AclEntityType[] entityTypes = null;
+        if (cmdClass != null) {
+            BaseCmd cmdObj;
+            try {
+                cmdObj = (BaseCmd) cmdClass.newInstance();
+                if (cmdObj instanceof BaseListCmd) {
+                    accessType = AccessType.ListEntry;
+                }
+            } catch (Exception e) {
+                throw new CloudRuntimeException(String.format(
+                        "%s is claimed as an API command, but it cannot be instantiated",
cmdClass.getName()));
+             }
+
+            APICommand at = cmdClass.getAnnotation(APICommand.class);
+            entityTypes = at.entityType();
+        }
+
+        PermissionScope permissionScope = PermissionScope.ACCOUNT;
+        switch (role) {
+        case User:
+            permissionScope = PermissionScope.ACCOUNT;
+            break;
+
+        case Admin:
+            permissionScope = PermissionScope.ALL;
+            break;
+
+        case DomainAdmin:
+            permissionScope = PermissionScope.DOMAIN;
+            break;
+
+        case ResourceAdmin:
+            permissionScope = PermissionScope.DOMAIN;
+            break;
+         }
+
+       
+        if (entityTypes == null || entityTypes.length == 0) {
+            _iamSrv.addAclPermissionToAclPolicy(new Long(role.ordinal()) + 1, null, permissionScope.toString(),
new Long(-1),
+                    apiName, accessType.toString(), Permission.Allow);
+        } else {
+            for (AclEntityType entityType : entityTypes) {
+                _iamSrv.addAclPermissionToAclPolicy(new Long(role.ordinal()) + 1, entityType.toString(),
permissionScope.toString(), new Long(-1),
+                        apiName, accessType.toString(), Permission.Allow);
+            }
+         }
+
+     }
 
 }
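Review bot: `accessType` in addDefaultAclPolicyPermission stays null for every command that is not a BaseListCmd, and whenever cmdClass is null, so both `accessType.toString()` arguments will throw a NullPointerException. Because start() has already called resetAclPolicy for every role by that point, a failure here would leave the default role policies empty or only partly loaded. Compute the value once with a guard, e.g. `String accessTypeStr = (accessType == null) ? null : accessType.toString();`, and pass `accessTypeStr` to both addAclPermissionToAclPolicy calls; this assumes that method accepts a null access type, which is not visible here. The service loop in start() also calls `command.name()` without the `at == null` check that the ApiServer loop performs, so a command class lacking @APICommand would fail the same way.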

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/pom.xml
----------------------------------------------------------------------
diff --git a/services/iam/pom.xml b/services/iam/pom.xml
index babb9c8..ea5c05a 100644
--- a/services/iam/pom.xml
+++ b/services/iam/pom.xml
@@ -34,4 +34,24 @@
     <module>plugin</module>
     <module>server</module>
   </modules>
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-api</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-utils</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-api</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>      
+    </dependency>	
+  </dependencies>
+  
 </project>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/server/pom.xml
----------------------------------------------------------------------
diff --git a/services/iam/server/pom.xml b/services/iam/server/pom.xml
index cf6dcf2..bc3a698 100644
--- a/services/iam/server/pom.xml
+++ b/services/iam/server/pom.xml
@@ -28,18 +28,6 @@
   </parent>
   <dependencies>
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.google.code.gson</groupId>
-      <artifactId>gson</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>commons-codec</groupId>
-      <artifactId>commons-codec</artifactId>
-    </dependency>
-    <dependency>
       <groupId>org.apache.cloudstack</groupId>
       <artifactId>cloud-utils</artifactId>
       <version>${project.version}</version>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 355e8cf..f85803b 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -72,5 +72,6 @@ public interface IAMService {
 
     List<Long> getGrantedEntities(long accountId, String action, String scope);
 
+    AclPolicy resetAclPolicy(long aclPolicyId);
 
 }
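Review bot: The new `resetAclPolicy` declaration has no Javadoc, and callers need to know that it deletes permissions rather than only looking the policy up. Suggest a short comment such as `/** Deletes the permissions attached to the given policy and returns the policy; throws InvalidParameterValueException when the policy id is unknown. */`, which matches what IAMServiceImpl does in this commit.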

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 5695996..3696bb9 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -579,6 +579,26 @@ public class IAMServiceImpl extends ManagerBase implements IAMService,
Manager {
     }
 
 
+    @DB
+    @Override
+    public AclPolicy resetAclPolicy(long aclPolicyId) {
+        // get the Acl Policy entity
+        AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
+        if (policy == null) {
+            throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+                    + "; failed to reset the policy.");
+        }
+
+        SearchBuilder<AclPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
+        sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
+        sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
+        sb.done();
+        SearchCriteria<AclPolicyPermissionVO> permissionSC = sb.create();
+        permissionSC.setParameters("policyId", aclPolicyId);
+        _policyPermissionDao.expunge(permissionSC);
+
+        return policy;
+    }
 
     @Override
     public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies)
{
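Review bot: The search built in resetAclPolicy declares a `scope` condition, but only `policyId` is ever bound with setParameters, so what gets deleted depends on how SearchCriteria treats an unbound condition. If it is ignored, the expunge removes every permission of the policy regardless of scope, which is broader than the per-role scope filter in the code removed from ApiServer. If it is not ignored, the reset may match nothing and stale permissions would survive a restart. Drop the `sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);` line if clearing the whole policy is intended, and state that in a comment such as `// removes all permissions of this policy, whatever their scope`.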

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e5b4a1d8/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java
----------------------------------------------------------------------
diff --git a/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java b/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java
index 121f60d..437b0ea 100644
--- a/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java
+++ b/services/iam/server/test/org/apache/cloudstack/iam/IAMServiceUnitTest.java
@@ -17,7 +17,6 @@
 package org.apache.cloudstack.iam;
 
 import static org.junit.Assert.assertNotNull;
-import static org.mockito.Matchers.anyLong;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.when;
 

