From mc...@apache.org
Subject [5/6] git commit: updated refs/heads/master to 94ebc90
Date Fri, 04 Apr 2014 23:47:41 GMT
Split the Root Admin policy to allow 'ListEntry' access for listing resources for scope 'all',
but 'UseEntry' access only within Account scope

Same with Domain Admin policy


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/df302bdb
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/df302bdb
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/df302bdb

Branch: refs/heads/master
Commit: df302bdb3e99feb3d55832d295f38363ad25151e
Parents: a509f94
Author: Prachi Damle <prachi@cloud.com>
Authored: Tue Apr 1 16:01:36 2014 -0700
Committer: Min Chen <min.chen@citrix.com>
Committed: Fri Apr 4 16:38:29 2014 -0700

----------------------------------------------------------------------
 .../iam/RoleBasedAPIAccessChecker.java          | 49 +++++++++++++-------
 1 file changed, 32 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/df302bdb/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
index 9964d48..b7f672c 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
@@ -218,23 +218,6 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements
APIChecker
     private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType
role) {
         AccessType accessType = null;
         Class<?>[] entityTypes = null;
-        if (cmdClass != null) {
-            BaseCmd cmdObj;
-            try {
-                cmdObj = (BaseCmd) cmdClass.newInstance();
-                if (cmdObj instanceof BaseListCmd) {
-                    accessType = AccessType.UseEntry;
-                } else if (!(cmdObj instanceof BaseAsyncCreateCmd)) {
-                    accessType = AccessType.OperateEntry;
-                }
-            } catch (Exception e) {
-                throw new CloudRuntimeException(String.format(
-                        "%s is claimed as an API command, but it cannot be instantiated",
cmdClass.getName()));
-             }
-
-            APICommand at = cmdClass.getAnnotation(APICommand.class);
-            entityTypes = at.entityType();
-        }
 
         PermissionScope permissionScope = PermissionScope.ACCOUNT;
         Long policyId = getDefaultPolicyId(role);
@@ -256,15 +239,47 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements
APIChecker
             break;
          }
 
+        boolean addAccountScopedUseEntry = false;
+
+        if (cmdClass != null) {
+            BaseCmd cmdObj;
+            try {
+                cmdObj = (BaseCmd) cmdClass.newInstance();
+                if (cmdObj instanceof BaseListCmd) {
+                    if (permissionScope == PermissionScope.ACCOUNT) {
+                        accessType = AccessType.UseEntry;
+                    } else {
+                        accessType = AccessType.ListEntry;
+                        addAccountScopedUseEntry = true;
+                    }
+                } else if (!(cmdObj instanceof BaseAsyncCreateCmd)) {
+                    accessType = AccessType.OperateEntry;
+                }
+            } catch (Exception e) {
+                throw new CloudRuntimeException(String.format(
+                        "%s is claimed as an API command, but it cannot be instantiated",
cmdClass.getName()));
+            }
+
+            APICommand at = cmdClass.getAnnotation(APICommand.class);
+            entityTypes = at.entityType();
+        }
 
         if (entityTypes == null || entityTypes.length == 0) {
             _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, permissionScope.toString(),
new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
                     apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow,
false);
+            if (addAccountScopedUseEntry) {
+                _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, PermissionScope.ACCOUNT.toString(),
new Long(
+                        IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName,
AccessType.UseEntry.toString(), Permission.Allow, false);
+            }
         } else {
             for (Class<?> entityType : entityTypes) {
                 _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(),
permissionScope.toString(), new Long(
                         IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
                         apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow,
false);
+                if (addAccountScopedUseEntry) {
+                    _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(),
PermissionScope.ACCOUNT.toString(), new Long(
+                            IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName,
AccessType.UseEntry.toString(), Permission.Allow, false);
+                }
             }
          }
 

