Updated Branches: refs/heads/rbac 288a81180 -> 6730fa2b4
Fill in implementation of AclService.getGrantedDomains, getGrantedAccounts and getGrantedResources. Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6730fa2b Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6730fa2b Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6730fa2b Branch: refs/heads/rbac Commit: 6730fa2b47d165dc121c5dc9fc3e1dd42c2745f7 Parents: 288a811 Author: Min Chen <[email protected]> Authored: Mon Dec 9 14:08:54 2013 -0800 Committer: Min Chen <[email protected]> Committed: Mon Dec 9 14:08:54 2013 -0800 ---------------------------------------------------------------------- .../org/apache/cloudstack/acl/AclService.java | 6 +-- .../acl/dao/AclPolicyPermissionDao.java | 2 + .../acl/dao/AclPolicyPermissionDaoImpl.java | 50 +++++++++++++++-- .../src/com/cloud/user/AccountManagerImpl.java | 6 +-- .../apache/cloudstack/acl/AclServiceImpl.java | 57 ++++++++++++++++---- 5 files changed, 102 insertions(+), 19 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/api/src/org/apache/cloudstack/acl/AclService.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/acl/AclService.java b/api/src/org/apache/cloudstack/acl/AclService.java index 0c0ec69..c8d8b48 100644 --- a/api/src/org/apache/cloudstack/acl/AclService.java +++ b/api/src/org/apache/cloudstack/acl/AclService.java 
@@ -57,10 +57,10 @@ public interface AclService { List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity); /* Visibility related interfaces */ - List<Long> getGrantedDomains(long accountId, AclEntityType entityType, String action); + List<Long> getGrantedDomains(long accountId, String action); - List<Long> getGrantedAccounts(long accountId, AclEntityType entityType, String action); + List<Long> getGrantedAccounts(long accountId, String action); - List<Long> getGrantedResources(long accountId, AclEntityType entityType, String action); + List<Long> getGrantedResources(long accountId, String action); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java ---------------------------------------------------------------------- diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java index f3c6446..2defc1c 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java +++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDao.java @@ -31,5 +31,7 @@ public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm); + List<AclPolicyPermissionVO> listGrantedByActionAndScope(long policyId, String action, PermissionScope scope); + } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java ---------------------------------------------------------------------- diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java index 11b009b..fefafde 100644 
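Review bot: With `entityType` removed from `getGrantedDomains`, `getGrantedAccounts` and `getGrantedResources`, grants are selected by the `action` string alone, and the interface says nothing about what that implies. If an action name can apply to more than one entity type (not visible in this hunk), a grant made for one type would widen visibility for another, so the contract should state that action names are entity-specific. The methods also changed from returning `null` stubs to returning lists, which deserves a Javadoc such as `/** Returns the ids of the domains in which the account is allowed to perform the given action; never null, empty when nothing is granted. */` on each method, with the scope adjusted for accounts and resources.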
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java +++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclPolicyPermissionDaoImpl.java 
@@ -26,28 +26,70 @@ import org.apache.cloudstack.acl.AclPolicyPermissionVO; import org.apache.cloudstack.acl.PermissionScope; import com.cloud.utils.db.GenericDaoBase; +import com.cloud.utils.db.SearchBuilder; +import com.cloud.utils.db.SearchCriteria; public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissionVO, Long> implements AclPolicyPermissionDao { + private SearchBuilder<AclPolicyPermissionVO> policyIdSearch; + private SearchBuilder<AclPolicyPermissionVO> fullSearch; + private SearchBuilder<AclPolicyPermissionVO> actionScopeSearch; @Override public boolean configure(String name, Map<String, Object> params) throws ConfigurationException { super.configure(name, params); + policyIdSearch = createSearchBuilder(); + policyIdSearch.and("policyId", policyIdSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ); + policyIdSearch.done(); + + fullSearch = createSearchBuilder(); + fullSearch.and("policyId", fullSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ); + fullSearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ); + fullSearch.and("scope", fullSearch.entity().getScope(), SearchCriteria.Op.EQ); + fullSearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ); + fullSearch.and("action", fullSearch.entity().getAction(), SearchCriteria.Op.EQ); + fullSearch.and("permission", fullSearch.entity().getPermission(), SearchCriteria.Op.EQ); + fullSearch.done(); + + actionScopeSearch = createSearchBuilder(); + actionScopeSearch.and("policyId", actionScopeSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ); + actionScopeSearch.and("scope", actionScopeSearch.entity().getScope(), SearchCriteria.Op.EQ); + actionScopeSearch.and("action", actionScopeSearch.entity().getAction(), SearchCriteria.Op.EQ); + actionScopeSearch.and("permission", actionScopeSearch.entity().getPermission(), SearchCriteria.Op.EQ); + actionScopeSearch.done(); + return true; } @Override public List<AclPolicyPermissionVO> 
listByPolicy(long policyId) { - // TODO Auto-generated method stub - return null; + SearchCriteria<AclPolicyPermissionVO> sc = policyIdSearch.create(); + sc.setParameters("policyId", policyId); + return listBy(sc); } @Override public AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) { - // TODO Auto-generated method stub - return null; + SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create(); + sc.setParameters("policyId", policyId); + sc.setParameters("entityType", entityType); + sc.setParameters("scope", scope); + sc.setParameters("scopeId", scopeId); + sc.setParameters("action", action); + sc.setParameters("permission", perm); + return findOneBy(sc); + } + + @Override + public List<AclPolicyPermissionVO> listGrantedByActionAndScope(long policyId, String action, PermissionScope scope) { + SearchCriteria<AclPolicyPermissionVO> sc = actionScopeSearch.create(); + sc.setParameters("policyId", policyId); + sc.setParameters("action", action); + sc.setParameters("scope", scope); + sc.setParameters("permission", Permission.Allow); + return listBy(sc); } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/server/src/com/cloud/user/AccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 0ddc37a..3decaf0 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java 
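Review bot: `findByPolicyAndEntity` takes a nullable `Long scopeId` but binds it to a condition built with `SearchCriteria.Op.EQ`, so a lookup for a permission without a scope id is likely to match no row, since SQL equality against NULL is never true. How `GenericDaoBase` binds a null parameter is not visible here, so this should be confirmed. The `p.getScopeId() != null` guards added in AclServiceImpl in this same commit suggest that such rows exist. If callers use this method to detect an existing permission before granting or to locate one for removal, a miss would leave duplicate or unremovable grants. Consider selecting a second search built with `SearchCriteria.Op.NULL` on `scopeId` when `scopeId == null`, and add a comment on `actionScopeSearch` noting that it deliberately ignores `entityType` and `scopeId`.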
@@ -2610,9 +2610,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M // search for policy permissions associated with caller to get all his authorized domains, accounts, and resources // Assumption: if a domain is in grantedDomains, then all the accounts under this domain will not be returned in "grantedAccounts". Similarly, if an account // is in grantedAccounts, then all the resources owned by this account will not be returned in "grantedResources". - List<Long> grantedDomains = _aclService.getGrantedDomains(caller.getId(), AclEntityType.VM, action); - List<Long> grantedAccounts = _aclService.getGrantedAccounts(caller.getId(), AclEntityType.VM, action); - List<Long> grantedResources = _aclService.getGrantedResources(caller.getId(), AclEntityType.VM, action); + List<Long> grantedDomains = _aclService.getGrantedDomains(caller.getId(), action); + List<Long> grantedAccounts = _aclService.getGrantedAccounts(caller.getId(), action); + List<Long> grantedResources = _aclService.getGrantedResources(caller.getId(), action); if (domainId != null) { // specific domain is specified http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6730fa2b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java ---------------------------------------------------------------------- diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java index 9b39733..1ab4efe 100644 --- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java +++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java 
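Review bot: The assumption in the comment above these three calls is not enforced by the implementations this commit adds in AclServiceImpl. The comment says accounts under a granted domain are never returned in `grantedAccounts` and resources of a granted account are never returned in `grantedResources`, but each method collects the scope ids of its own scope independently, so the lists can overlap. If the query construction further down relies on them being disjoint, that needs an explicit filter; otherwise reword the comment, e.g. `// The three lists are computed independently and may overlap; callers must treat them as a union.` Each call also repeats the policy lookup for `caller.getId()`. The enclosing method starts and ends outside the hunk.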
@@ -678,21 +678,60 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { } @Override - public List<Long> getGrantedDomains(long accountId, AclEntityType entityType, String action) { - // TODO Auto-generated method stub - return null; + public List<Long> getGrantedDomains(long accountId, String action) { + // Get the static Policies of the Caller + List<AclPolicy> policies = listAclPolicies(accountId); + // for each policy, find granted permission with Domain scope + List<Long> domainIds = new ArrayList<Long>(); + for (AclPolicy policy : policies) { + List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.DOMAIN); + if (pp != null) { + for (AclPolicyPermissionVO p : pp) { + if (p.getScopeId() != null) { + domainIds.add(p.getScopeId()); + } + } + } + } + return domainIds; } @Override - public List<Long> getGrantedAccounts(long accountId, AclEntityType entityType, String action) { - // TODO Auto-generated method stub - return null; + public List<Long> getGrantedAccounts(long accountId, String action) { + // Get the static Policies of the Caller + List<AclPolicy> policies = listAclPolicies(accountId); + // for each policy, find granted permission with Account scope + List<Long> accountIds = new ArrayList<Long>(); + for (AclPolicy policy : policies) { + List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ACCOUNT); + if (pp != null) { + for (AclPolicyPermissionVO p : pp) { + if (p.getScopeId() != null) { + accountIds.add(p.getScopeId()); + } + } + } + } + return accountIds; } @Override - public List<Long> getGrantedResources(long accountId, AclEntityType entityType, String action) { - // TODO Auto-generated method stub - return null; + public List<Long> getGrantedResources(long accountId, String action) { + // Get the static Policies of the Caller + List<AclPolicy> policies = listAclPolicies(accountId); + 
// for each policy, find granted permission with Resource scope + List<Long> entityIds = new ArrayList<Long>(); + for (AclPolicy policy : policies) { + List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.RESOURCE); + if (pp != null) { + for (AclPolicyPermissionVO p : pp) { + if (p.getScopeId() != null) { + entityIds.add(p.getScopeId()); + } + } + } + } + return entityIds; } }
