cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mlsoren...@apache.org
Subject [06/50] [abbrv] git commit: updated refs/heads/resize-root to 0eb9967
Date Sat, 08 Mar 2014 00:22:39 GMT
CLOUDSTACK-5920: IAM service server.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/adb29b21
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/adb29b21
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/adb29b21

Branch: refs/heads/resize-root
Commit: adb29b21402d4b446471c2d2741e09cd7b2106aa
Parents: 793becf
Author: Min Chen <min.chen@citrix.com>
Authored: Tue Mar 4 17:51:17 2014 -0800
Committer: Min Chen <min.chen@citrix.com>
Committed: Wed Mar 5 09:40:55 2014 -0800

----------------------------------------------------------------------
 services/iam/server/pom.xml                     |  52 ++
 .../core/spring-iam-server-context.xml          |  40 +
 .../org/apache/cloudstack/iam/api/IAMGroup.java |  37 +
 .../apache/cloudstack/iam/api/IAMPolicy.java    |  41 +
 .../cloudstack/iam/api/IAMPolicyPermission.java |  53 ++
 .../apache/cloudstack/iam/api/IAMService.java   |  92 +++
 .../iam/server/IAMAccountPolicyMapVO.java       |  77 ++
 .../iam/server/IAMGroupAccountMapVO.java        |  78 ++
 .../iam/server/IAMGroupPolicyMapVO.java         |  79 ++
 .../cloudstack/iam/server/IAMGroupVO.java       | 122 +++
 .../iam/server/IAMPolicyPermissionVO.java       | 181 ++++
 .../cloudstack/iam/server/IAMPolicyVO.java      | 138 ++++
 .../cloudstack/iam/server/IAMServiceImpl.java   | 815 +++++++++++++++++++
 .../iam/server/dao/IAMAccountPolicyMapDao.java  |  17 +
 .../server/dao/IAMAccountPolicyMapDaoImpl.java  |  61 ++
 .../iam/server/dao/IAMGroupAccountMapDao.java   |  40 +
 .../server/dao/IAMGroupAccountMapDaoImpl.java   | 119 +++
 .../cloudstack/iam/server/dao/IAMGroupDao.java  |  28 +
 .../iam/server/dao/IAMGroupDaoImpl.java         |  59 ++
 .../iam/server/dao/IAMGroupPolicyMapDao.java    |  16 +
 .../server/dao/IAMGroupPolicyMapDaoImpl.java    |  61 ++
 .../cloudstack/iam/server/dao/IAMPolicyDao.java |  28 +
 .../iam/server/dao/IAMPolicyDaoImpl.java        |  57 ++
 .../iam/server/dao/IAMPolicyPermissionDao.java  |  39 +
 .../server/dao/IAMPolicyPermissionDaoImpl.java  | 129 +++
 .../cloudstack/iam/IAMServiceUnitTest.java      | 211 +++++
 .../iam/server/test/resources/db.properties     |  75 ++
 27 files changed, 2745 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/pom.xml
----------------------------------------------------------------------
diff --git a/services/iam/server/pom.xml b/services/iam/server/pom.xml
new file mode 100644
index 0000000..bed8811
--- /dev/null
+++ b/services/iam/server/pom.xml
@@ -0,0 +1,52 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>cloud-iam</artifactId>
+  <name>Apache CloudStack IAM - Server</name>
+  <parent>
+    <groupId>org.apache.cloudstack</groupId>
+    <artifactId>cloudstack-service-iam</artifactId>
+    <version>4.4.0-SNAPSHOT</version>
+    <relativePath>../pom.xml</relativePath>
+  </parent>
+  <dependencies>
+	<dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-utils</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+	<dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-api</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-api</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>      
+    </dependency>       
+  </dependencies>
+</project>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
----------------------------------------------------------------------
diff --git a/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml b/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
new file mode 100644
index 0000000..c9f383f
--- /dev/null
+++ b/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
@@ -0,0 +1,40 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:aop="http://www.springframework.org/schema/aop"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+                      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+                      http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
+                      http://www.springframework.org/schema/context
+                      http://www.springframework.org/schema/context/spring-context-3.0.xsd"
+                      >                     
+
+    <bean id="IAMGroupDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupDaoImpl" />
+    <bean id="IAMPolicyDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyDaoImpl" />    
+    <bean id="IAMGroupAccountMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDaoImpl" />
+    <bean id="IAMGroupPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDaoImpl" />    
+    <bean id="IAMPolicyPermissionDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDaoImpl" />
+    <bean id="IAMAccountPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDaoImpl" />    
+
+        
+    <bean id="IAMServiceImpl" class="org.apache.cloudstack.iam.server.IAMServiceImpl" />
+
+</beans>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/api/IAMGroup.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMGroup.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMGroup.java
new file mode 100644
index 0000000..868d0a0
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMGroup.java
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.api;
+
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface IAMGroup extends InternalIdentity, Identity {
+
+    String getName();
+
+    String getDescription();
+
+    @Override
+    long getId();
+
+    @Override
+    String getUuid();
+
+    String getPath();
+
+    long getAccountId();
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicy.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicy.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicy.java
new file mode 100644
index 0000000..e6daeb1
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicy.java
@@ -0,0 +1,41 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.api;
+
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface IAMPolicy extends InternalIdentity, Identity {
+
+    String getName();
+
+    String getDescription();
+
+    public enum PolicyType {
+        Static, Dynamic
+    }
+
+    @Override
+    long getId();
+
+    @Override
+    String getUuid();
+
+    String getPath();
+
+    long getAccountId();
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicyPermission.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
new file mode 100644
index 0000000..b91086f
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
@@ -0,0 +1,53 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.api;
+
+
+public interface IAMPolicyPermission {
+
+    String getAction();
+
+    long getAclPolicyId();
+
+    String getEntityType();
+
+    String getAccessType();
+
+    String getScope();
+
+    Long getScopeId();
+
+    Permission getPermission();
+
+    public enum Permission {
+        Allow(true), Deny(false);
+
+        boolean result;
+
+        Permission(boolean result) {
+            this.result = result;
+        }
+
+        public boolean isGranted() {
+            return result;
+        }
+    }
+
+    long getId();
+
+    public static final long PERMISSION_SCOPE_ID_CURRENT_CALLER = -1;
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
new file mode 100644
index 0000000..74a0885
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -0,0 +1,92 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.api;
+
+import java.util.List;
+
+import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
+
+import com.cloud.utils.Pair;
+
+public interface IAMService {
+
+    /* IAM group related interfaces */
+    IAMGroup createIAMGroup(String iamGroupName, String description, String path);
+
+    boolean deleteIAMGroup(Long iamGroupId);
+
+    List<IAMGroup> listIAMGroups(long accountId);
+
+    IAMGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
+
+    IAMGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
+
+    List<Long> listAccountsByGroup(long groupId);
+
+    Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize);
+
+    /* IAM Policy related interfaces */
+    IAMPolicy createIAMPolicy(String iamPolicyName, String description, Long parentPolicyId, String path);
+
+    boolean deleteIAMPolicy(long iamPolicyId);
+
+    List<IAMPolicy> listIAMPolicies(long accountId);
+
+    List<IAMPolicy> listIAMPoliciesByGroup(long groupId);
+
+    Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize);
+
+    IAMGroup attachIAMPoliciesToGroup(List<Long> policyIds, Long groupId);
+
+    IAMGroup removeIAMPoliciesFromGroup(List<Long> policyIds, Long groupId);
+
+    void attachIAMPolicyToAccounts(Long policyId, List<Long> acctIds);
+
+    void removeIAMPolicyFromAccounts(Long policyId, List<Long> acctIds);
+
+    IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
+            String action, String accessType, Permission perm, Boolean recursive);
+
+    IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
+            String action);
+
+    void removeIAMPermissionForEntity(final String entityType, final Long entityId);
+
+    IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action);
+
+    IAMPolicy getResourceOwnerPolicy();
+
+    List<IAMPolicyPermission> listPolicyPermissions(long policyId);
+
+    List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope);
+
+    List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action, String entityType);
+
+    boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies);
+
+    List<Long> getGrantedEntities(long accountId, String action, String scope);
+
+    IAMPolicy resetIAMPolicy(long iamPolicyId);
+
+    List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
+            String entityType);
+
+    List<IAMGroup> listParentIAMGroups(long groupId);
+
+    List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId);
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
new file mode 100644
index 0000000..18f085a
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
@@ -0,0 +1,77 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_account_policy_map"))
+public class IAMAccountPolicyMapVO {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private Long id;
+
+    @Column(name = "account_id")
+    private long accountId;
+
+    @Column(name = "policy_id")
+    private long iamPolicyId;
+
+    @Column(name = GenericDao.REMOVED_COLUMN)
+    private Date removed;
+
+    @Column(name = GenericDao.CREATED_COLUMN)
+    private Date created;
+
+    public IAMAccountPolicyMapVO() {
+    }
+
+    public IAMAccountPolicyMapVO(long accountId, long iamPolicyId) {
+        this.accountId = accountId;
+        this.iamPolicyId = iamPolicyId;
+    }
+
+    public long getId() {
+        return id;
+    }
+
+    public long getAccountId() {
+        return accountId;
+    }
+
+    public long getIamPolicyId() {
+        return iamPolicyId;
+    }
+
+    public Date getRemoved() {
+        return removed;
+    }
+
+    public Date getCreated() {
+        return created;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
new file mode 100644
index 0000000..dac7d35
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
@@ -0,0 +1,78 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_group_account_map"))
+public class IAMGroupAccountMapVO {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private Long id;
+
+    @Column(name = "group_id")
+    private long aclGroupId;
+
+    @Column(name = "account_id")
+    private long accountId;
+
+    @Column(name = GenericDao.REMOVED_COLUMN)
+    private Date removed;
+
+    @Column(name = GenericDao.CREATED_COLUMN)
+    private Date created;
+
+    public IAMGroupAccountMapVO() {
+    }
+
+    public IAMGroupAccountMapVO(long aclGroupId, long accountId) {
+        this.aclGroupId = aclGroupId;
+        this.accountId = accountId;
+    }
+
+    public long getId() {
+        return id;
+    }
+
+    public long getAclGroupId() {
+        return aclGroupId;
+    }
+
+
+    public long getAccountId() {
+        return accountId;
+    }
+
+    public Date getRemoved() {
+        return removed;
+    }
+
+    public Date getCreated() {
+        return created;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
new file mode 100644
index 0000000..946d1f7
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
@@ -0,0 +1,79 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_group_policy_map"))
+public class IAMGroupPolicyMapVO {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private Long id;
+
+    @Column(name = "group_id")
+    private long aclGroupId;
+
+    @Column(name = "policy_id")
+    private long aclPolicyId;
+
+    @Column(name = GenericDao.REMOVED_COLUMN)
+    private Date removed;
+
+    @Column(name = GenericDao.CREATED_COLUMN)
+    private Date created;
+
+    public IAMGroupPolicyMapVO() {
+    }
+
+    public IAMGroupPolicyMapVO(long aclGroupId, long aclPolicyId) {
+        this.aclGroupId = aclGroupId;
+        this.aclPolicyId = aclPolicyId;
+    }
+
+    public long getId() {
+        return id;
+    }
+
+    public long getAclGroupId() {
+        return aclGroupId;
+    }
+
+
+    public long getAclPolicyId() {
+        return aclPolicyId;
+    }
+
+    public Date getRemoved() {
+        return removed;
+    }
+
+    public Date getCreated() {
+        return created;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupVO.java
new file mode 100644
index 0000000..80edb89
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMGroupVO.java
@@ -0,0 +1,122 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+import java.util.UUID;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.iam.api.IAMGroup;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_group"))
+public class IAMGroupVO implements IAMGroup {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private long id;
+
+    @Column(name = "name")
+    private String name;
+
+    @Column(name = "description")
+    private String description;
+
+    @Column(name = "uuid")
+    private String uuid;
+
+    @Column(name = "path")
+    private String path;
+
+    @Column(name = "account_id")
+    private long accountId;
+
+    @Column(name = GenericDao.REMOVED_COLUMN)
+    private Date removed;
+
+    @Column(name = GenericDao.CREATED_COLUMN)
+    private Date created;
+
+    public IAMGroupVO() {
+        uuid = UUID.randomUUID().toString();
+    }
+
+    public IAMGroupVO(String name, String description) {
+        this.name = name;
+        this.description = description;
+        uuid = UUID.randomUUID().toString();
+        path = "/";
+    }
+
+    @Override
+    public long getId() {
+        return id;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public String getDescription() {
+        return description;
+    }
+
+    @Override
+    public String getPath() {
+        return path;
+    }
+
+    public void setPath(String path) {
+        this.path = path;
+    }
+
+    @Override
+    public long getAccountId() {
+        return accountId;
+    }
+
+    public void setAccountId(long acctId) {
+        accountId = acctId;
+    }
+
+    @Override
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    public Date getRemoved() {
+        return removed;
+    }
+
+    public Date getCreated() {
+        return created;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
new file mode 100644
index 0000000..13d6b81
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
@@ -0,0 +1,181 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.iam.api.IAMPolicyPermission;
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_policy_permission"))
+public class IAMPolicyPermissionVO implements IAMPolicyPermission {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private long id;
+
+    @Column(name = "policy_id")
+    private long aclPolicyId;
+
+    @Column(name = "action")
+    private String action;
+
+    @Column(name = "resource_type")
+    private String entityType;
+
+    @Column(name = "access_type")
+    private String accessType;
+
+    @Column(name = "scope")
+    private String scope;
+
+    @Column(name = "scope_id")
+    private Long scopeId;
+
+    @Column(name = "permission")
+    @Enumerated(value = EnumType.STRING)
+    private Permission permission;
+
+    @Column(name = "recursive")
+    private Boolean recursive;
+
+    @Column(name = GenericDao.REMOVED_COLUMN)
+    private Date removed;
+
+    @Column(name = GenericDao.CREATED_COLUMN)
+    private Date created;
+
+    public IAMPolicyPermissionVO() {
+
+    }
+
+    public IAMPolicyPermissionVO(long aclPolicyId, String action, String entityType, String accessType, String scope,
+            Long scopeId, Permission permission, Boolean recursive) {
+        this.aclPolicyId = aclPolicyId;
+        this.action = action;
+        this.entityType = entityType;
+        this.accessType = accessType;
+        this.scope = scope;
+        this.scopeId = scopeId;
+        this.permission = permission;
+        this.recursive = recursive;
+    }
+
+    @Override
+    public long getId() {
+        return id;
+    }
+
+    @Override
+    public long getAclPolicyId() {
+        return aclPolicyId;
+    }
+
+
+    public void setAclPolicyId(long aclPolicyId) {
+        this.aclPolicyId = aclPolicyId;
+    }
+
+    @Override
+    public String getEntityType() {
+        return entityType;
+    }
+
+    @Override
+    public String getAccessType() {
+        return accessType;
+    }
+
+
+    public void setEntityType(String entityType) {
+        this.entityType = entityType;
+    }
+
+    public void setAccessType(String accessType) {
+        this.accessType = accessType;
+    }
+
+    @Override
+    public String getScope() {
+        return scope;
+    }
+
+    public void setScope(String scope) {
+        this.scope = scope;
+    }
+
+
+    @Override
+    public String getAction() {
+        return action;
+    }
+
+    @Override
+    public Long getScopeId() {
+        // TODO
+        // handle special -1 scopeId, current caller domain, account
+        /*
+         * if ( scopeId < 0 ){ Account caller =
+         * CallContext.current().getCallingAccount(); if ( scope ==
+         * PermissionScope.DOMAIN){ return caller.getDomainId(); } else if
+         * (scope == PermissionScope.ACCOUNT) { return caller.getAccountId(); }
+         * }
+         */
+        return scopeId;
+    }
+
+    @Override
+    public Permission getPermission() {
+        return permission;
+    }
+
+    public void setAction(String action) {
+        this.action = action;
+    }
+
+    public void setScopeId(Long scopeId) {
+        this.scopeId = scopeId;
+    }
+
+    public void setPermission(Permission permission) {
+        this.permission = permission;
+    }
+
+    public Date getRemoved() {
+        return removed;
+    }
+
+    public Date getCreated() {
+        return created;
+    }
+
+    public Boolean isRecursive() {
+        return recursive;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyVO.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyVO.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyVO.java
new file mode 100644
index 0000000..25ebd01
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMPolicyVO.java
@@ -0,0 +1,138 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.Date;
+import java.util.UUID;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.iam.api.IAMPolicy;
+
+import com.cloud.utils.db.GenericDao;
+
+@Entity
+@Table(name = ("iam_policy"))
+public class IAMPolicyVO implements IAMPolicy {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private long id;
+
+    @Column(name = "name")
+    private String name;
+
+    @Column(name = "description")
+    private String description;
+
+    @Column(name = "uuid")
+    private String uuid;
+
+    @Column(name = "path")
+    private String path;
+
+    @Column(name = "account_id")
+    private long accountId;
+
+    @Column(name = GenericDao.REMOVED_COLUMN)
+    private Date removed;
+
+    @Column(name = GenericDao.CREATED_COLUMN)
+    private Date created;
+
+    @Column(name = "policy_type")
+    @Enumerated(value = EnumType.STRING)
+    private IAMPolicy.PolicyType policyType;
+
+    public IAMPolicyVO() {
+        uuid = UUID.randomUUID().toString();
+    }
+
+    public IAMPolicyVO(String name, String description) {
+        this.name = name;
+        this.description = description;
+        uuid = UUID.randomUUID().toString();
+        policyType = IAMPolicy.PolicyType.Static;
+    }
+
+    @Override
+    public long getId() {
+        return id;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public String getDescription() {
+        return description;
+    }
+
+
+    @Override
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    public Date getRemoved() {
+        return removed;
+    }
+
+    public Date getCreated() {
+        return created;
+    }
+
+    @Override
+    public String getPath() {
+        return path;
+    }
+
+    public void setPath(String path) {
+        this.path = path;
+    }
+
+    @Override
+    public long getAccountId() {
+        return accountId;
+    }
+
+    public void setAccountId(long accountId) {
+        this.accountId = accountId;
+    }
+
+    public IAMPolicy.PolicyType getPolicyType() {
+        return policyType;
+    }
+
+    public void setPolicyType(IAMPolicy.PolicyType policyType) {
+        this.policyType = policyType;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
new file mode 100644
index 0000000..097d84f
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -0,0 +1,815 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.iam.api.IAMGroup;
+import org.apache.cloudstack.iam.api.IAMPolicy;
+import org.apache.cloudstack.iam.api.IAMPolicyPermission;
+import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
+import org.apache.cloudstack.iam.api.IAMService;
+import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao;
+import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao;
+import org.apache.cloudstack.iam.server.dao.IAMGroupDao;
+import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao;
+import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
+import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.utils.Pair;
+import com.cloud.utils.component.Manager;
+import com.cloud.utils.component.ManagerBase;
+import com.cloud.utils.db.DB;
+import com.cloud.utils.db.EntityManager;
+import com.cloud.utils.db.Filter;
+import com.cloud.utils.db.GenericSearchBuilder;
+import com.cloud.utils.db.JoinBuilder;
+import com.cloud.utils.db.JoinBuilder.JoinType;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.SearchCriteria.Op;
+import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallback;
+import com.cloud.utils.db.TransactionCallbackNoReturn;
+import com.cloud.utils.db.TransactionStatus;
+
+@Local(value = {IAMService.class})
+public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
+
+    public static final Logger s_logger = Logger.getLogger(IAMServiceImpl.class);
+    private String _name;
+
+    @Inject
+    IAMPolicyDao _aclPolicyDao;
+
+    @Inject
+    IAMGroupDao _aclGroupDao;
+
+    @Inject
+    EntityManager _entityMgr;
+
+    @Inject
+    IAMGroupPolicyMapDao _aclGroupPolicyMapDao;
+
+    @Inject
+    IAMAccountPolicyMapDao _aclAccountPolicyMapDao;
+
+    @Inject
+    IAMGroupAccountMapDao _aclGroupAccountMapDao;
+
+    @Inject
+    IAMPolicyPermissionDao _policyPermissionDao;
+
+    @DB
+    @Override
+    public IAMGroup createIAMGroup(String iamGroupName, String description, String path) {
+        // check if the group is already existing
+        IAMGroup grp = _aclGroupDao.findByName(path, iamGroupName);
+        if (grp != null) {
+            throw new InvalidParameterValueException(
+                    "Unable to create acl group with name " + iamGroupName
+                    + " already exisits for path " + path);
+        }
+        IAMGroupVO rvo = new IAMGroupVO(iamGroupName, description);
+        rvo.setPath(path);
+
+        return _aclGroupDao.persist(rvo);
+    }
+
+    @DB
+    @Override
+    public boolean deleteIAMGroup(final Long iamGroupId) {
+        // get the Acl Group entity
+        final IAMGroup grp = _aclGroupDao.findById(iamGroupId);
+        if (grp == null) {
+            throw new InvalidParameterValueException("Unable to find acl group: " + iamGroupId
+                    + "; failed to delete acl group.");
+        }
+
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // remove this group related entry in acl_group_role_map
+                List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
+                if (groupPolicyMap != null) {
+                    for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
+                        _aclGroupPolicyMapDao.remove(gr.getId());
+                    }
+                }
+
+                // remove this group related entry in acl_group_account table
+                List<IAMGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
+                if (groupAcctMap != null) {
+                    for (IAMGroupAccountMapVO grpAcct : groupAcctMap) {
+                        _aclGroupAccountMapDao.remove(grpAcct.getId());
+                    }
+                }
+
+                // remove this group from acl_group table
+                _aclGroupDao.remove(iamGroupId);
+            }
+        });
+
+        return true;
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public List<IAMGroup> listIAMGroups(long accountId) {
+
+        GenericSearchBuilder<IAMGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
+        groupSB.selectFields(groupSB.entity().getAclGroupId());
+        groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
+        SearchCriteria<Long> groupSc = groupSB.create();
+        groupSc.setParameters("account", accountId);
+
+        List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
+
+        SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
+        sb.and("ids", sb.entity().getId(), Op.IN);
+        SearchCriteria<IAMGroupVO> sc = sb.create();
+        sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
+        @SuppressWarnings("rawtypes")
+        List groups = _aclGroupDao.search(sc, null);
+        return groups;
+    }
+
+    @DB
+    @Override
+    public IAMGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
+        // get the Acl Group entity
+        IAMGroup group = _aclGroupDao.findById(groupId);
+        if (group == null) {
+            throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+                    + "; failed to add accounts to acl group.");
+        }
+
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // add entries in acl_group_account_map table
+                for (Long acctId : acctIds) {
+                    // check account permissions
+                    IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
+                    if (grMap == null) {
+                        // not there already
+                        grMap = new IAMGroupAccountMapVO(groupId, acctId);
+                        _aclGroupAccountMapDao.persist(grMap);
+                    }
+                }
+            }
+        });
+        return group;
+    }
+
+    @DB
+    @Override
+    public IAMGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
+        // get the Acl Group entity
+        IAMGroup group = _aclGroupDao.findById(groupId);
+        if (group == null) {
+            throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+                    + "; failed to remove accounts from acl group.");
+        }
+
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // remove entries from acl_group_account_map table
+                for (Long acctId : acctIds) {
+                    IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
+                    if (grMap != null) {
+                        // not removed yet
+                        _aclGroupAccountMapDao.remove(grMap.getId());
+                    }
+                }
+            }
+        });
+        return group;
+    }
+
+    @Override
+    public List<Long> listAccountsByGroup(long groupId) {
+        List<IAMGroupAccountMapVO> grpAcctMap = _aclGroupAccountMapDao.listByGroupId(groupId);
+        if (grpAcctMap == null || grpAcctMap.size() == 0) {
+            return new ArrayList<Long>();
+        }
+
+        List<Long> accts = new ArrayList<Long>();
+        for (IAMGroupAccountMapVO grpAcct : grpAcctMap) {
+            accts.add(grpAcct.getAccountId());
+        }
+        return accts;
+    }
+
+    @Override
+    public Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize) {
+        if (iamGroupId != null) {
+            IAMGroup group = _aclGroupDao.findById(iamGroupId);
+            if (group == null) {
+                throw new InvalidParameterValueException("Unable to find acl group by id " + iamGroupId);
+            }
+        }
+
+        Filter searchFilter = new Filter(IAMGroupVO.class, "id", true, startIndex, pageSize);
+
+        SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
+        sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
+        sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
+        sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
+
+        SearchCriteria<IAMGroupVO> sc = sb.create();
+
+        if (iamGroupName != null) {
+            sc.setParameters("name", iamGroupName);
+        }
+
+        if (iamGroupId != null) {
+            sc.setParameters("id", iamGroupId);
+        }
+
+        sc.setParameters("path", path + "%");
+
+        Pair<List<IAMGroupVO>, Integer> groups = _aclGroupDao.searchAndCount(sc, searchFilter);
+        return new Pair<List<IAMGroup>, Integer>(new ArrayList<IAMGroup>(groups.first()), groups.second());
+    }
+
+    @Override
+    public List<IAMGroup> listParentIAMGroups(long groupId) {
+        IAMGroup group = _aclGroupDao.findById(groupId);
+        if (group == null) {
+            throw new InvalidParameterValueException("Unable to find acl group by id " + groupId);
+        }
+
+        String path = group.getPath();
+        List<String> pathList = new ArrayList<String>();
+
+        String[] parts = path.split("/");
+
+        for (String part : parts) {
+            int start = path.indexOf(part);
+            if (start > 0) {
+                String subPath = path.substring(0, start);
+                pathList.add(subPath);
+            }
+        }
+
+        if (pathList.isEmpty()) {
+            return new ArrayList<IAMGroup>();
+        }
+
+        SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
+        sb.and("paths", sb.entity().getPath(), SearchCriteria.Op.IN);
+
+        SearchCriteria<IAMGroupVO> sc = sb.create();
+        sc.setParameters("paths", pathList.toArray());
+
+        List<IAMGroupVO> groups = _aclGroupDao.search(sc, null);
+
+        return new ArrayList<IAMGroup>(groups);
+
+    }
+
+    @DB
+    @Override
+    public IAMPolicy createIAMPolicy(final String iamPolicyName, final String description, final Long parentPolicyId, final String path) {
+
+        // check if the policy is already existing
+        IAMPolicy ro = _aclPolicyDao.findByName(iamPolicyName);
+        if (ro != null) {
+            throw new InvalidParameterValueException(
+                    "Unable to create acl policy with name " + iamPolicyName
+                    + " already exisits");
+        }
+
+        IAMPolicy role = Transaction.execute(new TransactionCallback<IAMPolicy>() {
+            @Override
+            public IAMPolicy doInTransaction(TransactionStatus status) {
+                IAMPolicyVO rvo = new IAMPolicyVO(iamPolicyName, description);
+                rvo.setPath(path);
+
+                IAMPolicy role = _aclPolicyDao.persist(rvo);
+                if (parentPolicyId != null) {
+                    // copy parent role permissions
+                    List<IAMPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
+                    if (perms != null) {
+                        for (IAMPolicyPermissionVO perm : perms) {
+                            perm.setAclPolicyId(role.getId());
+                            _policyPermissionDao.persist(perm);
+                        }
+                    }
+                }
+                return role;
+            }
+        });
+
+
+        return role;
+    }
+
+    @DB
+    @Override
+    public boolean deleteIAMPolicy(final long iamPolicyId) {
+        // get the Acl Policy entity
+        final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+        if (policy == null) {
+            throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+                    + "; failed to delete acl policy.");
+        }
+
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // remove this role related entry in acl_group_role_map
+                List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
+                if (groupPolicyMap != null) {
+                    for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
+                        _aclGroupPolicyMapDao.remove(gr.getId());
+                    }
+                }
+
+                // remove this policy related entry in acl_account_policy_map table
+                List<IAMAccountPolicyMapVO> policyAcctMap = _aclAccountPolicyMapDao.listByPolicyId(policy.getId());
+                if (policyAcctMap != null) {
+                    for (IAMAccountPolicyMapVO policyAcct : policyAcctMap) {
+                        _aclAccountPolicyMapDao.remove(policyAcct.getId());
+                    }
+                }
+
+                // remove this policy related entry in acl_policy_permission table
+                List<IAMPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
+                if (policyPermMap != null) {
+                    for (IAMPolicyPermissionVO policyPerm : policyPermMap) {
+                        _policyPermissionDao.remove(policyPerm.getId());
+                    }
+                }
+
+                // remove this role from acl_role table
+                _aclPolicyDao.remove(iamPolicyId);
+            }
+        });
+
+        return true;
+    }
+
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public List<IAMPolicy> listIAMPolicies(long accountId) {
+
+        // static policies of the account
+        SearchBuilder<IAMGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
+        groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
+
+        GenericSearchBuilder<IAMGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
+        policySB.selectFields(policySB.entity().getAclPolicyId());
+        policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
+                JoinType.INNER);
+        policySB.done();
+        SearchCriteria<Long> policySc = policySB.create();
+        policySc.setJoinParameters("accountgroupjoin", "account", accountId);
+
+        List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
+        // add policies directly attached to the account
+        List<IAMAccountPolicyMapVO> acctPolicies = _aclAccountPolicyMapDao.listByAccountId(accountId);
+        for (IAMAccountPolicyMapVO p : acctPolicies) {
+            policyIds.add(p.getIamPolicyId());
+        }
+        if (policyIds.size() == 0) {
+            return new ArrayList<IAMPolicy>();
+        }
+        SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+        sb.and("ids", sb.entity().getId(), Op.IN);
+        SearchCriteria<IAMPolicyVO> sc = sb.create();
+        sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
+        @SuppressWarnings("rawtypes")
+        List policies = _aclPolicyDao.customSearch(sc, null);
+
+        return policies;
+
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public List<IAMPolicy> listIAMPoliciesByGroup(long groupId) {
+        List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
+        if (policyGrpMap == null || policyGrpMap.size() == 0) {
+            return new ArrayList<IAMPolicy>();
+        }
+
+        List<Long> policyIds = new ArrayList<Long>();
+        for (IAMGroupPolicyMapVO pg : policyGrpMap) {
+            policyIds.add(pg.getAclPolicyId());
+        }
+
+        SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+        sb.and("ids", sb.entity().getId(), Op.IN);
+        SearchCriteria<IAMPolicyVO> sc = sb.create();
+        sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
+        @SuppressWarnings("rawtypes")
+        List policies = _aclPolicyDao.customSearch(sc, null);
+
+        return policies;
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId) {
+        List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
+        if (policyGrpMap == null || policyGrpMap.size() == 0) {
+            return new ArrayList<IAMPolicy>();
+        }
+
+        List<Long> policyIds = new ArrayList<Long>();
+        for (IAMGroupPolicyMapVO pg : policyGrpMap) {
+            policyIds.add(pg.getAclPolicyId());
+        }
+
+        SearchBuilder<IAMPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
+        permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);
+
+        SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+        sb.and("ids", sb.entity().getId(), Op.IN);
+        sb.join("recursivePerm", permSb, sb.entity().getId(), permSb.entity().getAclPolicyId(),
+                JoinBuilder.JoinType.INNER);
+
+        SearchCriteria<IAMPolicyVO> sc = sb.create();
+        sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
+        sc.setJoinParameters("recursivePerm", "isRecursive", true);
+
+        @SuppressWarnings("rawtypes")
+        List policies = _aclPolicyDao.customSearch(sc, null);
+
+        return policies;
+    }
+
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize) {
+
+        if (iamPolicyId != null) {
+            IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+            if (policy == null) {
+                throw new InvalidParameterValueException("Unable to find acl policy by id " + iamPolicyId);
+            }
+        }
+
+        Filter searchFilter = new Filter(IAMPolicyVO.class, "id", true, startIndex, pageSize);
+
+        SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
+        sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
+        sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
+        sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
+
+        SearchCriteria<IAMPolicyVO> sc = sb.create();
+
+        if (iamPolicyName != null) {
+            sc.setParameters("name", iamPolicyName);
+        }
+
+        if (iamPolicyId != null) {
+            sc.setParameters("id", iamPolicyId);
+        }
+
+        sc.setParameters("path", path + "%");
+
+        Pair<List<IAMPolicyVO>, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter);
+        @SuppressWarnings("rawtypes")
+        List policyList = policies.first();
+        return new Pair<List<IAMPolicy>, Integer>(policyList, policies.second());
+    }
+
+    @DB
+    @Override
+    public IAMGroup attachIAMPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
+        // get the Acl Group entity
+        IAMGroup group = _aclGroupDao.findById(groupId);
+        if (group == null) {
+            throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+                    + "; failed to add roles to acl group.");
+        }
+
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // add entries in acl_group_policy_map table
+                for (Long policyId : policyIds) {
+                    IAMPolicy policy = _aclPolicyDao.findById(policyId);
+                    if (policy == null) {
+                        throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+                                + "; failed to add policies to acl group.");
+                    }
+
+                    IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
+                    if (grMap == null) {
+                        // not there already
+                        grMap = new IAMGroupPolicyMapVO(groupId, policyId);
+                        _aclGroupPolicyMapDao.persist(grMap);
+                    }
+                }
+            }
+        });
+
+        return group;
+    }
+
+    @DB
+    @Override
+    public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
+        // get the Acl Group entity
+        IAMGroup group = _aclGroupDao.findById(groupId);
+        if (group == null) {
+            throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+                    + "; failed to remove roles from acl group.");
+        }
+
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // add entries in acl_group_role_map table
+                for (Long policyId : policyIds) {
+                    IAMPolicy policy = _aclPolicyDao.findById(policyId);
+                    if (policy == null) {
+                        throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+                                + "; failed to add policies to acl group.");
+                    }
+
+                    IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
+                    if (grMap != null) {
+                        // not removed yet
+                        _aclGroupPolicyMapDao.remove(grMap.getId());
+                    }
+                }
+            }
+        });
+        return group;
+    }
+
+
+    @Override
+    public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> acctIds) {
+        IAMPolicy policy = _aclPolicyDao.findById(policyId);
+        if (policy == null) {
+            throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+                    + "; failed to add policy to account.");
+        }
+
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // add entries in acl_group_policy_map table
+                for (Long acctId : acctIds) {
+                    IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
+                    if (acctMap == null) {
+                        // not there already
+                        acctMap = new IAMAccountPolicyMapVO(acctId, policyId);
+                        _aclAccountPolicyMapDao.persist(acctMap);
+                    }
+                }
+            }
+        });
+    }
+
+    @Override
+    public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> acctIds) {
+        IAMPolicy policy = _aclPolicyDao.findById(policyId);
+        if (policy == null) {
+            throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+                    + "; failed to add policy to account.");
+        }
+
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // add entries in acl_group_policy_map table
+                for (Long acctId : acctIds) {
+                    IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
+                    if (acctMap != null) {
+                        // exists
+                        _aclAccountPolicyMapDao.remove(acctMap.getId());
+                    }
+                }
+            }
+        });
+    }
+
+    @DB
+    @Override
+    public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
+            String action, String accessType, Permission perm, Boolean recursive) {
+        // get the Acl Policy entity
+        IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+        if (policy == null) {
+            throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+                    + "; failed to add permission to policy.");
+        }
+
+        // add entry in acl_policy_permission table
+        IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope, scopeId, action, perm);
+        if (permit == null) {
+            // not there already
+            permit = new IAMPolicyPermissionVO(iamPolicyId, action, entityType, accessType, scope, scopeId, perm,
+                    recursive);
+            _policyPermissionDao.persist(permit);
+        }
+        return policy;
+
+    }
+
+    @DB
+    @Override
+    public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
+            String action) {
+        // get the Acl Policy entity
+        IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+        if (policy == null) {
+            throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+                    + "; failed to revoke permission from policy.");
+        }
+        // remove entry from acl_entity_permission table
+        IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope, scopeId, action, Permission.Allow);
+        if (permit != null) {
+            // not removed yet
+            _policyPermissionDao.remove(permit.getId());
+        }
+        return policy;
+    }
+
+    @DB
+    @Override
+    public void removeIAMPermissionForEntity(final String entityType, final Long entityId) {
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // remove entry from acl_entity_permission table
+                List<IAMPolicyPermissionVO> permitList = _policyPermissionDao.listByEntity(entityType, entityId);
+                for (IAMPolicyPermissionVO permit : permitList) {
+                    long policyId = permit.getAclPolicyId();
+                    _policyPermissionDao.remove(permit.getId());
+
+                    // remove the policy if there are no other permissions
+                    if ((_policyPermissionDao.listByPolicy(policyId)).isEmpty()) {
+                        deleteIAMPolicy(policyId);
+                    }
+                }
+            }
+        });
+    }
+
+    @DB
+    @Override
+    public IAMPolicy resetIAMPolicy(long iamPolicyId) {
+        // get the Acl Policy entity
+        IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
+        if (policy == null) {
+            throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+                    + "; failed to reset the policy.");
+        }
+
+        SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
+        sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
+        sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
+        sb.done();
+        SearchCriteria<IAMPolicyPermissionVO> permissionSC = sb.create();
+        permissionSC.setParameters("policyId", iamPolicyId);
+        _policyPermissionDao.expunge(permissionSC);
+
+        return policy;
+    }
+
+    @Override
+    public boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies) {
+
+        boolean allowed = false;
+
+        if (policies == null || policies.size() == 0) {
+            return allowed;
+        }
+
+        List<Long> policyIds = new ArrayList<Long>();
+        for (IAMPolicy policy : policies) {
+            policyIds.add(policy.getId());
+        }
+
+        SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
+        sb.and("action", sb.entity().getAction(), Op.EQ);
+        sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
+
+        SearchCriteria<IAMPolicyPermissionVO> sc = sb.create();
+        sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
+        sc.setParameters("action", action);
+
+        List<IAMPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
+
+        if (permissions != null && !permissions.isEmpty()) {
+            allowed = true;
+        }
+
+        return allowed;
+    }
+
+
+    @Override
+    public List<Long> getGrantedEntities(long accountId, String action, String scope) {
+        // Get the static Policies of the Caller
+        List<IAMPolicy> policies = listIAMPolicies(accountId);
+        // for each policy, find granted permission within the given scope
+        List<Long> entityIds = new ArrayList<Long>();
+        for (IAMPolicy policy : policies) {
+            List<IAMPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action,
+                    scope);
+            if (pp != null) {
+                for (IAMPolicyPermissionVO p : pp) {
+                    if (p.getScopeId() != null) {
+                        entityIds.add(p.getScopeId());
+                    }
+                }
+            }
+        }
+        return entityIds;
+    }
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public List<IAMPolicyPermission> listPolicyPermissions(long policyId) {
+        @SuppressWarnings("rawtypes")
+        List pp = _policyPermissionDao.listByPolicy(policyId);
+        return pp;
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope) {
+        @SuppressWarnings("rawtypes")
+        List pp = _policyPermissionDao.listGrantedByActionAndScope(policyId, action, scope);
+        return pp;
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action,
+            String entityType) {
+        @SuppressWarnings("rawtypes")
+        List pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
+        return pp;
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
+            String entityType) {
+        @SuppressWarnings("rawtypes")
+        List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType);
+        return pp;
+    }
+
+    @Override
+    public IAMPolicy getResourceOwnerPolicy() {
+        return _aclPolicyDao.findByName("RESOURCE_OWNER");
+    }
+
+    // search for policy with only one resource grant permission
+    @Override
+    public IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action) {
+        List<IAMPolicyVO> policyList = _aclPolicyDao.listAll();
+        for (IAMPolicyVO policy : policyList){
+            List<IAMPolicyPermission> pp = listPolicyPermissions(policy.getId());
+            if ( pp != null && pp.size() == 1){
+                // resource grant policy should only have one ACL permission assigned
+                IAMPolicyPermission permit = pp.get(0);
+                if ( permit.getEntityType().equals(entityType) && permit.getScope().equals(PermissionScope.RESOURCE.toString()) && permit.getScopeId().longValue() == entityId.longValue()){
+                    if (accessType != null && permit.getAccessType().equals(accessType)){
+                        return policy;
+                    } else if (action != null && permit.getAction().equals(action)) {
+                        return policy;
+                    }
+                }
+            }
+        }
+        return null;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
new file mode 100644
index 0000000..4caf659
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
@@ -0,0 +1,17 @@
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.List;
+
+import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
+
+import com.cloud.utils.db.GenericDao;
+
+public interface IAMAccountPolicyMapDao extends GenericDao<IAMAccountPolicyMapVO, Long> {
+
+    List<IAMAccountPolicyMapVO> listByAccountId(long acctId);
+
+    List<IAMAccountPolicyMapVO> listByPolicyId(long policyId);
+
+    IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId);
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
new file mode 100644
index 0000000..3ecca3b
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
@@ -0,0 +1,61 @@
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
+
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+public class IAMAccountPolicyMapDaoImpl extends GenericDaoBase<IAMAccountPolicyMapVO, Long> implements IAMAccountPolicyMapDao {
+
+    private SearchBuilder<IAMAccountPolicyMapVO> ListByAccountId;
+    private SearchBuilder<IAMAccountPolicyMapVO> ListByPolicyId;
+    private SearchBuilder<IAMAccountPolicyMapVO> findByPolicyAccountId;
+
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+        super.configure(name, params);
+
+        ListByAccountId = createSearchBuilder();
+        ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
+        ListByAccountId.done();
+
+        ListByPolicyId = createSearchBuilder();
+        ListByPolicyId.and("policyId", ListByPolicyId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
+        ListByPolicyId.done();
+
+        findByPolicyAccountId = createSearchBuilder();
+        findByPolicyAccountId.and("policyId", findByPolicyAccountId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
+        findByPolicyAccountId.and("accountId", findByPolicyAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
+        findByPolicyAccountId.done();
+
+        return true;
+    }
+
+    @Override
+    public List<IAMAccountPolicyMapVO> listByAccountId(long acctId) {
+        SearchCriteria<IAMAccountPolicyMapVO> sc = ListByAccountId.create();
+        sc.setParameters("accountId", acctId);
+        return listBy(sc);
+    }
+
+    @Override
+    public List<IAMAccountPolicyMapVO> listByPolicyId(long policyId) {
+        SearchCriteria<IAMAccountPolicyMapVO> sc = ListByPolicyId.create();
+        sc.setParameters("policyId", policyId);
+        return listBy(sc);
+    }
+
+    @Override
+    public IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId) {
+        SearchCriteria<IAMAccountPolicyMapVO> sc = findByPolicyAccountId.create();
+        sc.setParameters("policyId", policyId);
+        sc.setParameters("accountId", acctId);
+        return findOneBy(sc);
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
new file mode 100644
index 0000000..a94dbaa
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
@@ -0,0 +1,40 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.List;
+
+import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
+
+import com.cloud.utils.db.GenericDao;
+
+public interface IAMGroupAccountMapDao extends GenericDao<IAMGroupAccountMapVO, Long> {
+
+    List<IAMGroupAccountMapVO> listByGroupId(long groupId);
+
+    List<IAMGroupAccountMapVO> listByAccountId(long accountId);
+
+    IAMGroupAccountMapVO findAccountInAdminGroup(long accountId);
+
+    IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
+
+    void removeAccountFromGroups(long accountId);
+
+    IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
+
+    IAMGroupAccountMapVO findAccountInUserGroup(long accountId);
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
new file mode 100644
index 0000000..4bb5d1a
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
@@ -0,0 +1,119 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
+
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+@Component
+public class IAMGroupAccountMapDaoImpl extends GenericDaoBase<IAMGroupAccountMapVO, Long> implements IAMGroupAccountMapDao {
+    private SearchBuilder<IAMGroupAccountMapVO> ListByGroupId;
+    private SearchBuilder<IAMGroupAccountMapVO> ListByAccountId;
+    private SearchBuilder<IAMGroupAccountMapVO> _findByAccountAndGroupId;
+
+    public static final Logger s_logger = Logger.getLogger(IAMGroupAccountMapDaoImpl.class.getName());
+
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+        super.configure(name, params);
+
+        ListByGroupId = createSearchBuilder();
+        ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
+        ListByGroupId.done();
+
+        ListByAccountId = createSearchBuilder();
+        ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
+        ListByAccountId.done();
+
+        _findByAccountAndGroupId = createSearchBuilder();
+        _findByAccountAndGroupId
+                .and("groupId", _findByAccountAndGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
+        _findByAccountAndGroupId.and("accountId", _findByAccountAndGroupId.entity().getAccountId(),
+                SearchCriteria.Op.EQ);
+        _findByAccountAndGroupId.done();
+
+        return true;
+    }
+
+    @Override
+    public List<IAMGroupAccountMapVO> listByGroupId(long groupId) {
+        SearchCriteria<IAMGroupAccountMapVO> sc = ListByGroupId.create();
+        sc.setParameters("groupId", groupId);
+        return listBy(sc);
+    }
+
+    @Override
+    public List<IAMGroupAccountMapVO> listByAccountId(long accountId) {
+        SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
+        sc.setParameters("accountId", accountId);
+        return listBy(sc);
+    }
+
+    @Override
+    public IAMGroupAccountMapVO findAccountInAdminGroup(long accountId) {
+        SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+        sc.setParameters("accountId", accountId);
+        sc.setParameters("groupId", 2);
+        return findOneBy(sc);
+    }
+
+    @Override
+    public IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
+        SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+        sc.setParameters("accountId", accountId);
+        sc.setParameters("groupId", 3);
+        return findOneBy(sc);
+    }
+
+    @Override
+    public IAMGroupAccountMapVO findAccountInUserGroup(long accountId) {
+        SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+        sc.setParameters("accountId", accountId);
+        sc.setParameters("groupId", 1);
+        return findOneBy(sc);
+    }
+
+    @Override
+    public IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
+        SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+        sc.setParameters("accountId", acctId);
+        sc.setParameters("groupId", groupId);
+        return findOneBy(sc);
+    }
+
+    @Override
+    public void removeAccountFromGroups(long accountId) {
+        SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
+        sc.setParameters("accountId", accountId);
+
+        int rowsRemoved = remove(sc);
+        if (rowsRemoved > 0) {
+            s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
new file mode 100644
index 0000000..54408a6
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
@@ -0,0 +1,28 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server.dao;
+
+import org.apache.cloudstack.iam.api.IAMGroup;
+import org.apache.cloudstack.iam.server.IAMGroupVO;
+
+import com.cloud.utils.db.GenericDao;
+
+public interface IAMGroupDao extends GenericDao<IAMGroupVO, Long> {
+
+    IAMGroup findByName(String path, String groupName);
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/adb29b21/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
new file mode 100644
index 0000000..45be0b3
--- /dev/null
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
@@ -0,0 +1,59 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.iam.server.dao;
+
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.iam.api.IAMGroup;
+import org.apache.cloudstack.iam.server.IAMGroupVO;
+import org.springframework.stereotype.Component;
+
+
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+@Component
+public class IAMGroupDaoImpl extends GenericDaoBase<IAMGroupVO, Long> implements IAMGroupDao {
+    private SearchBuilder<IAMGroupVO> nameSearch;
+
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+        super.configure(name, params);
+
+        nameSearch = createSearchBuilder();
+        nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
+        nameSearch.and("path", nameSearch.entity().getPath(), SearchCriteria.Op.EQ);
+        nameSearch.done();
+
+
+        return true;
+    }
+
+    @Override
+    public IAMGroup findByName(String path, String name) {
+        SearchCriteria<IAMGroupVO> sc = nameSearch.create();
+        sc.setParameters("name", name);
+        if (path != null) {
+            sc.setParameters("path", path);
+        }
+        return findOneBy(sc);
+    }
+
+}


Mime
View raw message