cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8562) User Definable Roles
Date Fri, 22 Apr 2016 14:09:13 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15253993#comment-15253993
] 

ASF GitHub Bot commented on CLOUDSTACK-8562:
--------------------------------------------

Github user jburwell commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1489#discussion_r60743961
  
    --- Diff: server/src/org/apache/cloudstack/acl/RoleManagerImpl.java ---
    @@ -0,0 +1,273 @@
    +// Licensed to the Apache Software Foundation (ASF) under one
    +// or more contributor license agreements.  See the NOTICE file
    +// distributed with this work for additional information
    +// regarding copyright ownership.  The ASF licenses this file
    +// to you under the Apache License, Version 2.0 (the
    +// "License"); you may not use this file except in compliance
    +// with the License.  You may obtain a copy of the License at
    +//
    +//   http://www.apache.org/licenses/LICENSE-2.0
    +//
    +// Unless required by applicable law or agreed to in writing,
    +// software distributed under the License is distributed on an
    +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    +// KIND, either express or implied.  See the License for the
    +// specific language governing permissions and limitations
    +// under the License.
    +package org.apache.cloudstack.acl;
    +
    +import com.cloud.event.ActionEvent;
    +import com.cloud.event.EventTypes;
    +import com.cloud.exception.PermissionDeniedException;
    +import com.cloud.user.Account;
    +import com.cloud.user.dao.AccountDao;
    +import com.cloud.utils.PropertiesUtil;
    +import com.cloud.utils.component.ManagerBase;
    +import com.cloud.utils.component.PluggableService;
    +import com.cloud.utils.db.Transaction;
    +import com.cloud.utils.db.TransactionCallback;
    +import com.cloud.utils.db.TransactionStatus;
    +import com.google.common.base.Strings;
    +import org.apache.cloudstack.acl.dao.RoleDao;
    +import org.apache.cloudstack.acl.dao.RolePermissionsDao;
    +import org.apache.cloudstack.api.ApiErrorCode;
    +import org.apache.cloudstack.api.ServerApiException;
    +import org.apache.cloudstack.api.command.admin.acl.CreateRoleCmd;
    +import org.apache.cloudstack.api.command.admin.acl.CreateRolePermissionCmd;
    +import org.apache.cloudstack.api.command.admin.acl.DeleteRoleCmd;
    +import org.apache.cloudstack.api.command.admin.acl.DeleteRolePermissionCmd;
    +import org.apache.cloudstack.api.command.admin.acl.ListRolePermissionsCmd;
    +import org.apache.cloudstack.api.command.admin.acl.ListRolesCmd;
    +import org.apache.cloudstack.api.command.admin.acl.UpdateRoleCmd;
    +import org.apache.cloudstack.api.command.admin.acl.UpdateRolePermissionCmd;
    +import org.apache.cloudstack.context.CallContext;
    +import org.apache.cloudstack.framework.config.ConfigKey;
    +import org.apache.cloudstack.framework.config.Configurable;
    +
    +import javax.ejb.Local;
    +import javax.inject.Inject;
    +import java.io.File;
    +import java.util.ArrayList;
    +import java.util.List;
    +
    +@Local(value = {RoleService.class})
    +public class RoleManagerImpl extends ManagerBase implements RoleService, Configurable,
PluggableService {
    +    @Inject
    +    private AccountDao accountDao;
    +    @Inject
    +    private RoleDao roleDao;
    +    @Inject
    +    private RolePermissionsDao rolePermissionsDao;
    +
    +    private void checkCallerAccess() {
    +        if (!isEnabled()) {
    +            throw new PermissionDeniedException("Dynamic api checker is not enabled,
aborting role operation");
    +        }
    +        Account caller = CallContext.current().getCallingAccount();
    +        if (caller == null || caller.getRoleId() == null) {
    +            throw new PermissionDeniedException("Restricted API called by an invalid
user account");
    +        }
    +        Role callerRole = findRole(caller.getRoleId());
    +        if (callerRole == null || callerRole.getRoleType() != RoleType.Admin) {
    +            throw new PermissionDeniedException("Restricted API called by an user account
of non-Admin role type");
    +        }
    +    }
    +
    +    @Override
    +    public boolean isEnabled() {
    +        File apiCmdFile = PropertiesUtil.findConfigFile(PropertiesUtil.getDefaultApiCommandsFileName());
    +        return RoleService.EnableDynamicApiChecker.value() && (apiCmdFile ==
null || !apiCmdFile.exists());
    +    }
    +
    +    @Override
    +    public Role findRole(final Long id) {
    +        if (id == null || id < 1L) {
    +            return null;
    +        }
    +        return roleDao.findById(id);
    +    }
    +
    +    @Override
    +    public RolePermission findRolePermission(final Long id) {
    +        if (id == null) {
    +            return null;
    +        }
    +        return rolePermissionsDao.findById(id);
    +    }
    +
    +    @Override
    +    @ActionEvent(eventType = EventTypes.EVENT_ROLE_CREATE, eventDescription = "creating
Role")
    +    public Role createRole(final String name, final RoleType roleType, final String description)
{
    +        checkCallerAccess();
    +        if (roleType == null || roleType == RoleType.Unknown) {
    +            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Invalid role type
provided");
    +        }
    +        return Transaction.execute(new TransactionCallback<RoleVO>() {
    +            @Override
    +            public RoleVO doInTransaction(TransactionStatus status) {
    +                return roleDao.persist(new RoleVO(name, roleType, description));
    +            }
    +        });
    +    }
    +
    +    @Override
    +    @ActionEvent(eventType = EventTypes.EVENT_ROLE_UPDATE, eventDescription = "updating
Role")
    +    public boolean updateRole(final Role role, final String name, final RoleType roleType,
final String description) {
    +        checkCallerAccess();
    +        if (role == null) {
    +            return false;
    +        }
    +        if (roleType != null && roleType == RoleType.Unknown) {
    +            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unknown is not a
valid role type");
    +        }
    +        RoleVO roleVO = (RoleVO) role;
    +        if (!Strings.isNullOrEmpty(name)) {
    +            roleVO.setName(name);
    +        }
    +        if (roleType != null) {
    +            if (role.getId() <= RoleType.User.getId()) {
    +                throw new PermissionDeniedException("The role type of default roles cannot
be changed");
    +            }
    +            List<? extends Account> accounts = accountDao.findAccountsByRole(role.getId());
    +            if (accounts == null || accounts.isEmpty()) {
    +                roleVO.setRoleType(roleType);
    +            } else {
    +                throw new PermissionDeniedException("Found accounts that have role in
use, won't allow to change role type");
    +            }
    +        }
    +        if (!Strings.isNullOrEmpty(description)) {
    +            roleVO.setDescription(description);
    +        }
    +        return roleDao.update(role.getId(), roleVO);
    +    }
    +
    +    @Override
    +    @ActionEvent(eventType = EventTypes.EVENT_ROLE_DELETE, eventDescription = "deleting
Role")
    +    public boolean deleteRole(final Role role) {
    +        checkCallerAccess();
    +        if (role == null) {
    +            return false;
    +        }
    +        if (role.getId() <= RoleType.User.getId()) {
    +            throw new PermissionDeniedException("Default roles cannot be deleted");
    +        }
    +        List<? extends Account> accounts = accountDao.findAccountsByRole(role.getId());
    +        if (accounts == null || accounts.size() == 0) {
    +            return Transaction.execute(new TransactionCallback<Boolean>() {
    +                @Override
    +                public Boolean doInTransaction(TransactionStatus status) {
    +                    List<? extends RolePermission> rolePermissions = rolePermissionsDao.findAllByRoleId(role.getId());
    +                    if (rolePermissions != null && !rolePermissions.isEmpty())
{
    +                        for (RolePermission rolePermission : rolePermissions) {
    +                            rolePermissionsDao.remove(rolePermission.getId());
    +                        }
    +                    }
    +                    return roleDao.remove(role.getId());
    +                }
    +            });
    +        }
    +        throw new PermissionDeniedException("Found accounts that have role in use, won't
allow to delete role");
    +    }
    +
    +    @Override
    +    @ActionEvent(eventType = EventTypes.EVENT_ROLE_PERMISSION_CREATE, eventDescription
= "creating Role Permission")
    +    public RolePermission createRolePermission(final Role role, final Rule rule, final
RolePermission.Permission permission, final String description) {
    +        checkCallerAccess();
    +        return Transaction.execute(new TransactionCallback<RolePermissionVO>()
{
    +            @Override
    +            public RolePermissionVO doInTransaction(TransactionStatus status) {
    +                return rolePermissionsDao.persist(new RolePermissionVO(role.getId(),
rule.toString(), permission, description));
    +            }
    +        });
    +    }
    +
    +    @Override
    +    @ActionEvent(eventType = EventTypes.EVENT_ROLE_PERMISSION_UPDATE, eventDescription
= "updating Role Permission")
    +    public boolean updateRolePermission(final RolePermission rolePermission, final Rule
rule, final RolePermission.Permission permission, final String description) {
    +        checkCallerAccess();
    +        if (rolePermission == null) {
    +            return false;
    +        }
    +        RolePermissionVO rolePermissionVO = (RolePermissionVO) rolePermission;
    +        if (rule != null) {
    +            rolePermissionVO.setRule(rule.toString());
    +        }
    +        if (permission != null) {
    +            rolePermissionVO.setPermission(permission);
    +        }
    +        if (!Strings.isNullOrEmpty(description)) {
    +            rolePermissionVO.setDescription(description);
    +        }
    +        return rolePermissionsDao.update(rolePermission.getId(), rolePermissionVO);
    +    }
    +
    +    @Override
    +    @ActionEvent(eventType = EventTypes.EVENT_ROLE_PERMISSION_DELETE, eventDescription
= "deleting Role Permission")
    +    public boolean deleteRolePermission(final RolePermission rolePermission) {
    +        checkCallerAccess();
    +        return rolePermission != null && rolePermissionsDao.remove(rolePermission.getId());
    +    }
    +
    +    private List<Role> toRoleList(final List<? extends Role> roles) {
    --- End diff --
    
    Have you considered this method to a common utility method?


> User Definable Roles
> --------------------
>
>                 Key: CLOUDSTACK-8562
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
>             Project: CloudStack
>          Issue Type: New Feature
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>            Reporter: Paul Angus
>            Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message