Updated Branches: refs/heads/rbac bb271926f -> 8c15e6165
Created plugin for RoleBased Checkers Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8c15e616 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8c15e616 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8c15e616 Branch: refs/heads/rbac Commit: 8c15e61653cb5f9c074923fc02789bc4a7585839 Parents: bb27192 Author: Prachi Damle <[email protected]> Authored: Tue Oct 1 18:16:06 2013 -0700 Committer: Prachi Damle <[email protected]> Committed: Tue Oct 1 18:16:06 2013 -0700 ---------------------------------------------------------------------- plugins/acl/role-based-access-checkers/pom.xml | 32 +++++++++ .../acl/api/RoleBasedAPIAccessChecker.java | 74 ++++++++++++++++++++ 2 files changed, 106 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8c15e616/plugins/acl/role-based-access-checkers/pom.xml ----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/pom.xml b/plugins/acl/role-based-access-checkers/pom.xml
new file mode 100644
index 0000000..06cee20
--- /dev/null
+++ b/plugins/acl/role-based-access-checkers/pom.xml
@@ -0,0 +1,32 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
+ http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>cloud-plugin-acl-role-based-access-checkers</artifactId>
+ <name>Apache CloudStack Plugin - ACL Role Based Access Checkers</name>
+ <parent>
+ <groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloudstack-plugins</artifactId>
+ <version>4.3.0-SNAPSHOT</version>
+ <relativePath>../../pom.xml</relativePath>
+ </parent>
+</project>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8c15e616/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java ----------------------------------------------------------------------
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
new file mode 100644
index 0000000..18fcdf9
--- /dev/null
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java 
@@ -0,0 +1,74 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.api;
+
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.AclRole;
+import org.apache.cloudstack.acl.AclService;
+import org.apache.log4j.Logger;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.PropertiesUtil;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+
+// This is the default API access checker that grab's the user's account
+// based on the account type, access is granted
+@Local(value=APIChecker.class)
+public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
+
+ protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class);
+
+ @Inject AccountService _accountService;
+ @Inject AclService _aclService;
+
+ protected RoleBasedAPIAccessChecker() {
+ super();
+ }
+
+ @Override
+ public boolean checkAccess(User user, String commandName)
+ throws PermissionDeniedException {
+ Account account = _accountService.getAccount(user.getAccountId());
+ if (account == null) {
+ throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null");
+ }
+
+ List<AclRole> roles = _aclService.getAclRoles(account.getAccountId());
+
+
+ boolean isAllowed = _aclService.isAPIAccessibleForRoles(commandName, roles);
+ if (!isAllowed) {
+ throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
+ }
+ return isAllowed;
+ }
+
+}
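Review bot: `checkAccess` hands whatever `_aclService.getAclRoles(...)` returns straight to `isAPIAccessibleForRoles` with no null/empty guard, so an account that has no roles is denied only if that service happens to treat a null or empty list as "not allowed" — nothing in this hunk shows that, and an access checker should fail closed on its own: add `if (roles == null || roles.isEmpty()) { throw new PermissionDeniedException("No roles found for account id=" + account.getAccountId() + "; api: " + commandName); }` before the allow check. The class comment ("grab's the user's account based on the account type, access is granted") describes account-type checking, but the code decides on ACL roles and the method never returns false — it returns true or throws — so I'd replace it with `// API access checker: resolves the caller's account to its ACL roles and throws PermissionDeniedException unless commandName is permitted for one of them; never returns false.` The message on the null-account branch concatenates without separators (`"...id=" + id + "for user id=" + ... + "is null"`), producing text like `id=5for user id=7is null`; add the leading spaces to `" for user id="` and `" is null"`. Finally, `HashMap`, `HashSet`, `Map`, `Set`, `ConfigurationException`, `PropertiesUtil` and `PluggableService` are imported but never used in this file.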
