Updated Branches:
  refs/heads/rbac 015d06e7f -> cf69731a5

Loading api permissions from commands.properties during startup


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f231cec5
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f231cec5
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f231cec5

Branch: refs/heads/rbac
Commit: f231cec5b7a5f75d4b74cc04a98db1462f97f548
Parents: 015d06e
Author: Prachi Damle <[email protected]>
Authored: Mon Nov 25 10:58:45 2013 -0800
Committer: Prachi Damle <[email protected]>
Committed: Mon Nov 25 10:59:12 2013 -0800

----------------------------------------------------------------------
 .../apache/cloudstack/acl/PermissionScope.java  |  2 +-
 .../apache/cloudstack/acl/AclPermissionVO.java  | 10 +++-
 .../cloudstack/acl/dao/AclPermissionDao.java    | 24 +++++++++
 .../acl/dao/AclPermissionDaoImpl.java           | 41 ++++++++++++++
 .../acl/dao/AclPolicyPermissionMapDao.java      | 25 +++++++++
 .../acl/dao/AclPolicyPermissionMapDaoImpl.java  | 43 +++++++++++++++
 server/src/com/cloud/api/ApiServer.java         | 57 ++++++++++++++++++++
 7 files changed, 200 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f231cec5/api/src/org/apache/cloudstack/acl/PermissionScope.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/PermissionScope.java 
b/api/src/org/apache/cloudstack/acl/PermissionScope.java
index a895535..03dbc10 100644
--- a/api/src/org/apache/cloudstack/acl/PermissionScope.java
+++ b/api/src/org/apache/cloudstack/acl/PermissionScope.java
@@ -4,7 +4,7 @@ public enum PermissionScope {
     RESOURCE(0),
     ACCOUNT(1),
     DOMAIN(2),
-    REGION(3);
+ REGION(3), ALL(4);
 
     private int _scale;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f231cec5/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java 
b/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
index 1bcecab..ef8cfc4 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclPermissionVO.java
@@ -71,7 +71,15 @@ public class AclPermissionVO implements AclPermission {
 
     }
 
-
+    public AclPermissionVO(String action, String entityType, AccessType 
accessType, PermissionScope scope,
+            Long scopeId, Permission permission) {
+        this.action = action;
+        this.entityType = entityType;
+        this.accessType = accessType;
+        this.scope = scope;
+        this.scopeId = scopeId;
+        this.permission = permission;
+    }
 
     @Override
     public long getId() {
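Review bot: The new six-argument constructor has no Javadoc and does not say which arguments may be null, yet the only caller visible in this commit (the ApiServer hunk) passes null for `entityType`, `accessType` and `scopeId`. A short comment such as `/** Creates a permission for {@code action}; entityType, accessType and scopeId may be null for an API-level grant. */` would make that contract explicit. Since these rows drive access decisions, consider rejecting a null `action`, `scope` or `permission` here if those are never meant to be absent. The class body starts and ends outside this hunk, so existing validation elsewhere cannot be ruled out.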

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f231cec5/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java
----------------------------------------------------------------------
diff --git 
a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java 
b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java
new file mode 100644
index 0000000..d24b044
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDao.java
@@ -0,0 +1,24 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import org.apache.cloudstack.acl.AclPermissionVO;
+import com.cloud.utils.db.GenericDao;
+
+public interface AclPermissionDao extends GenericDao<AclPermissionVO, Long> {
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f231cec5/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java
----------------------------------------------------------------------
diff --git 
a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java 
b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java
new file mode 100644
index 0000000..1b5f63e
--- /dev/null
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPermissionDaoImpl.java
@@ -0,0 +1,41 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.acl.AclPermissionVO;
+import com.cloud.utils.db.GenericDaoBase;
+
+public class AclPermissionDaoImpl extends GenericDaoBase<AclPermissionVO, 
Long> implements AclPermissionDao {
+
+    public AclPermissionDaoImpl()
+    {
+
+    }
+
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws 
ConfigurationException {
+        super.configure(name, params);
+
+        return true;
+    }
+
+
+}
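Review bot: `configure` discards the result of `super.configure(name, params)` and always returns true, so if the base class signals a failure through its return value that failure is hidden. Either write `return super.configure(name, params);` or drop the override, since it adds nothing to the inherited behaviour. The empty public constructor is redundant for the same reason. AclPolicyPermissionMapDaoImpl, added later in this commit, has the same `configure` body and the same applies there.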

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f231cec5/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDao.java
----------------------------------------------------------------------
diff --git 
a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDao.java
 
b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDao.java
new file mode 100644
index 0000000..0b18e36
--- /dev/null
+++ 
b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDao.java
@@ -0,0 +1,25 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import org.apache.cloudstack.acl.AclPolicyPermissionMapVO;
+
+import com.cloud.utils.db.GenericDao;
+
+public interface AclPolicyPermissionMapDao extends 
GenericDao<AclPolicyPermissionMapVO, Long> {
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f231cec5/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDaoImpl.java
----------------------------------------------------------------------
diff --git 
a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDaoImpl.java
 
b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDaoImpl.java
new file mode 100644
index 0000000..fe4579d
--- /dev/null
+++ 
b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionMapDaoImpl.java
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import java.util.Map;
+
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.acl.AclPolicyPermissionMapVO;
+
+import com.cloud.utils.db.GenericDaoBase;
+
+public class AclPolicyPermissionMapDaoImpl extends 
GenericDaoBase<AclPolicyPermissionMapVO, Long> implements
+        AclPolicyPermissionMapDao {
+
+    public AclPolicyPermissionMapDaoImpl()
+    {
+
+    }
+
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws 
ConfigurationException {
+        super.configure(name, params);
+
+        return true;
+    }
+
+
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f231cec5/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java 
b/server/src/com/cloud/api/ApiServer.java
index 0ed6a68..1dfbd45 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -52,6 +52,14 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.AclPermissionVO;
+import org.apache.cloudstack.acl.AclPolicyPermissionMapVO;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.AclPermission.Permission;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.dao.AclPermissionDao;
+import org.apache.cloudstack.acl.dao.AclPolicyPermissionMapDao;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
@@ -171,6 +179,10 @@ public class ApiServer extends ManagerBase implements 
HttpRequestHandler, ApiSer
 
     List<PluggableService> _pluggableServices;
     List<APIChecker> _apiAccessCheckers;
+    @Inject
+    private AclPermissionDao _aclPermissionDao;
+    @Inject
+    private AclPolicyPermissionMapDao _aclPolicyPermissionMapDao;
 
     @Inject
     protected ApiAsyncJobDispatcher _asyncDispatcher;
@@ -233,6 +245,51 @@ public class ApiServer extends ManagerBase implements 
HttpRequestHandler, ApiSer
                 _apiNameCmdClassMap.put(apiName, apiCmdList);
             }
             apiCmdList.add(cmdClass);
+
+            boolean isReadCommand = false;
+            BaseCmd cmdObj;
+            try {
+                cmdObj = (BaseCmd) cmdClass.newInstance();
+                if (cmdObj instanceof BaseListCmd) {
+                    isReadCommand = true;
+                }
+            } catch (Exception e) {
+            }
+
+            for (RoleType role : at.authorized()) {
+                AclPermissionVO apiPermission = null;
+                switch (role) {
+                case User:
+                    apiPermission = new AclPermissionVO(apiName, null, null, 
PermissionScope.ACCOUNT, null,
+                            Permission.Allow);
+                    break;
+
+                case Admin:
+                    apiPermission = new AclPermissionVO(apiName, null, null, 
PermissionScope.ALL, null,
+                            Permission.Allow);
+                    break;
+
+                case DomainAdmin:
+                    apiPermission = new AclPermissionVO(apiName, null, null, 
PermissionScope.DOMAIN, null,
+                            Permission.Allow);
+                    break;
+
+                case ResourceAdmin:
+                    apiPermission = new AclPermissionVO(apiName, null, null, 
PermissionScope.DOMAIN, null,
+                            Permission.Allow);
+                    break;
+                }
+
+                if (apiPermission != null) {
+                    if (isReadCommand) {
+                        apiPermission.setAccessType(AccessType.ListEntry);
+                    }
+                    _aclPermissionDao.persist(apiPermission);
+                    AclPolicyPermissionMapVO policyPermMapEntry = new 
AclPolicyPermissionMapVO(role.ordinal() + 1,
+                            apiPermission.getId());
+                    _aclPolicyPermissionMapDao.persist(policyPermMapEntry);
+                }
+            }
         }
 
         encodeApiResponse = 
Boolean.valueOf(_configDao.getValue(Config.EncodeApiResponse.key()));
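Review bot: The empty `catch (Exception e) {}` around `cmdClass.newInstance()` silently leaves `isReadCommand` false, so a list command whose constructor fails is persisted as a plain Allow without `AccessType.ListEntry`; no instance is needed at all, since `boolean isReadCommand = BaseListCmd.class.isAssignableFrom(cmdClass);` gives the same answer without running constructor code. The policy id passed to `AclPolicyPermissionMapVO` is `role.ordinal() + 1`, which ties authorization data to the declaration order of `RoleType`; reordering or inserting a role would attach every API permission to a different policy, so an explicit role-to-policy-id mapping is safer. Nothing in the hunk checks for an existing row before the two `persist` calls, so each management-server start appears to insert the full permission set again; confirm the tables are reset elsewhere or add a lookup first. The two persists are not visibly wrapped in one transaction, and the `switch` has no `default`, so a `RoleType` without a case is skipped without a log line. The enclosing method starts and ends outside the hunk.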
