incubator-cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bhais...@apache.org
Subject git commit: APIChecker: Make interface generic, pass user and not just role
Date Mon, 14 Jan 2013 23:08:59 GMT
Updated Branches:
  refs/heads/master 9139949d9 -> 896e505da


APIChecker: Make interface generic, pass user and not just role

Signed-off-by: Rohit Yadav <bhaisaab@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/896e505d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/896e505d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/896e505d

Branch: refs/heads/master
Commit: 896e505da6de08e723b339e748064de10d250c8c
Parents: 9139949
Author: Rohit Yadav <bhaisaab@apache.org>
Authored: Mon Jan 14 15:06:46 2013 -0800
Committer: Rohit Yadav <bhaisaab@apache.org>
Committed: Mon Jan 14 15:08:45 2013 -0800

----------------------------------------------------------------------
 api/src/org/apache/cloudstack/acl/APIChecker.java  |    4 ++--
 .../acl/StaticRoleBasedAPIAccessChecker.java       |   12 +++++++++++-
 server/src/com/cloud/api/ApiServer.java            |    4 +---
 3 files changed, 14 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/896e505d/api/src/org/apache/cloudstack/acl/APIChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/APIChecker.java b/api/src/org/apache/cloudstack/acl/APIChecker.java
index b14dfe1..9e5c6c6 100644
--- a/api/src/org/apache/cloudstack/acl/APIChecker.java
+++ b/api/src/org/apache/cloudstack/acl/APIChecker.java
@@ -17,11 +17,11 @@
 package org.apache.cloudstack.acl;
 
 import com.cloud.exception.PermissionDeniedException;
-import org.apache.cloudstack.acl.RoleType;
+import com.cloud.user.User;
 import com.cloud.utils.component.Adapter;
 
 // APIChecker checks the ownership and access control to API requests
 public interface APIChecker extends Adapter {
     // Interface for checking access for a role using apiname
-    boolean checkAccess(RoleType roleType, String apiCommandName) throws PermissionDeniedException;
+    boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
 }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/896e505d/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index affd69e..55db288 100644
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -18,6 +18,9 @@ package org.apache.cloudstack.acl;
 
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.server.ManagementServer;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
 import com.cloud.utils.component.AdapterBase;
 import com.cloud.utils.component.ComponentLocator;
 import com.cloud.utils.component.PluggableService;
@@ -42,6 +45,8 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements
APIC
     private static Map<RoleType, Set<String>> s_roleBasedApisMap =
             new HashMap<RoleType, Set<String>>();
 
+    private static AccountService s_accountService;
+
     protected StaticRoleBasedAPIAccessChecker() {
         super();
         for (RoleType roleType: RoleType.values())
@@ -49,8 +54,10 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements
APIC
     }
 
     @Override
-    public boolean checkAccess(RoleType roleType, String commandName)
+    public boolean checkAccess(User user, String commandName)
             throws PermissionDeniedException {
+        Account account = s_accountService.getAccount(user.getAccountId());
+        RoleType roleType = s_accountService.getRoleType(account);
         boolean isAllowed = s_roleBasedApisMap.get(roleType).contains(commandName);
         if (!isAllowed) {
             throw new PermissionDeniedException("The API does not exist or is blacklisted.
Role type=" + roleType.toString() + " is not allowed to request the api: " + commandName);
@@ -64,6 +71,9 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements
APIC
 
         // Read command properties files to build the static map per role.
         ComponentLocator locator = ComponentLocator.getLocator(ManagementServer.Name);
+
+        s_accountService = locator.getManager(AccountService.class);
+
         List<PluggableService> services = locator.getAllPluggableServices();
         services.add((PluggableService) ComponentLocator.getComponent(ManagementServer.Name));
 

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/896e505d/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 03462e4..c8511b2 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -785,11 +785,9 @@ public class ApiServer implements HttpRequestHandler {
             throw new PermissionDeniedException("User is null for role based API access check
for command" + commandName);
         }
 
-        Account account = _accountMgr.getAccount(user.getAccountId());
-        RoleType roleType = _accountMgr.getRoleType(account);
         for (APIChecker apiChecker : _apiAccessCheckers) {
             // Fail the checking if any checker fails to verify
-            if (!apiChecker.checkAccess(roleType, commandName))
+            if (!apiChecker.checkAccess(user, commandName))
                 return false;
         }
         return true;


Mime
View raw message