Repository: cloudstack Updated Branches: refs/heads/master dadaf8586 -> ae1d6a771
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ae1d6a77/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java index 69f669c..e128cf1 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java +++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java @@ -27,11 +27,18 @@ import javax.inject.Inject; import javax.naming.ConfigurationException; import org.apache.log4j.Logger; +import org.bouncycastle.util.IPAddress; + +import com.amazonaws.auth.policy.Condition; +import com.amazonaws.services.ec2.model.SecurityGroup; +import com.amazonaws.services.ec2.model.Snapshot; +import com.amazonaws.services.ec2.model.Volume; +import com.amazonaws.services.ec2.model.Vpc; +import com.amazonaws.services.elasticache.model.Event; -import org.apache.cloudstack.acl.IAMEntityType; import org.apache.cloudstack.acl.PermissionScope; import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.affinity.AffinityGroupVO; +import org.apache.cloudstack.affinity.AffinityGroup; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.BaseListCmd; import org.apache.cloudstack.api.InternalIdentity; @@ -54,7 +61,7 @@ import org.apache.cloudstack.api.response.iam.IAMGroupResponse; import org.apache.cloudstack.api.response.iam.IAMPermissionResponse; import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO; +import org.apache.cloudstack.framework.jobs.AsyncJob; import org.apache.cloudstack.framework.messagebus.MessageBus; import org.apache.cloudstack.framework.messagebus.MessageSubscriber; import org.apache.cloudstack.iam.api.IAMGroup; @@ -62,9 +69,6 @@ import org.apache.cloudstack.iam.api.IAMPolicy; import org.apache.cloudstack.iam.api.IAMPolicyPermission; import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; import org.apache.cloudstack.iam.api.IAMService; -import org.apache.cloudstack.iam.server.IAMGroupVO; -import org.apache.cloudstack.iam.server.IAMPolicyVO; -import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleVO; import com.cloud.api.ApiServerService; import com.cloud.domain.Domain; @@ -72,50 +76,45 @@ import com.cloud.domain.DomainVO; import com.cloud.domain.dao.DomainDao; import com.cloud.event.ActionEvent; import com.cloud.event.EventTypes; -import com.cloud.event.EventVO; import com.cloud.exception.InvalidParameterValueException; -import com.cloud.network.UserIpv6AddressVO; -import com.cloud.network.VpnUserVO; -import com.cloud.network.as.AutoScalePolicyVO; -import com.cloud.network.as.AutoScaleVmGroupVO; -import com.cloud.network.as.AutoScaleVmProfileVO; -import com.cloud.network.as.ConditionVO; -import com.cloud.network.dao.IPAddressVO; -import com.cloud.network.dao.MonitoringServiceVO; -import com.cloud.network.dao.NetworkVO; -import com.cloud.network.dao.RemoteAccessVpnVO; -import com.cloud.network.dao.Site2SiteCustomerGatewayVO; -import com.cloud.network.dao.Site2SiteVpnConnectionVO; -import com.cloud.network.dao.Site2SiteVpnGatewayVO; -import com.cloud.network.dao.SslCertVO; -import com.cloud.network.rules.FirewallRuleVO; -import com.cloud.network.rules.PortForwardingRuleVO; -import com.cloud.network.security.SecurityGroupVO; -import com.cloud.network.vpc.StaticRouteVO; -import com.cloud.network.vpc.VpcGatewayVO; -import com.cloud.network.vpc.VpcVO; -import com.cloud.projects.ProjectInvitationVO; -import com.cloud.storage.SnapshotVO; -import com.cloud.storage.VMTemplateVO; -import com.cloud.storage.VolumeVO; -import com.cloud.tags.ResourceTagVO; +import com.cloud.network.IpAddress; +import com.cloud.network.MonitoringService; +import com.cloud.network.Network; +import com.cloud.network.RemoteAccessVpn; +import com.cloud.network.Site2SiteCustomerGateway; +import com.cloud.network.Site2SiteVpnConnection; +import com.cloud.network.Site2SiteVpnGateway; +import com.cloud.network.UserIpv6Address; +import com.cloud.network.VpnUser; +import com.cloud.network.as.AutoScalePolicy; +import com.cloud.network.as.AutoScaleVmGroup; +import com.cloud.network.as.AutoScaleVmProfile; +import com.cloud.network.lb.SslCert; +import com.cloud.network.rules.FirewallRule; +import com.cloud.network.rules.PortForwardingRule; +import com.cloud.network.vpc.StaticRoute; +import com.cloud.network.vpc.VpcGateway; +import com.cloud.projects.ProjectInvitation; +import com.cloud.region.ha.GlobalLoadBalancerRule; +import com.cloud.server.ResourceTag; import com.cloud.template.TemplateManager; +import com.cloud.template.VirtualMachineTemplate; import com.cloud.user.Account; import com.cloud.user.AccountManager; import com.cloud.user.AccountVO; import com.cloud.user.DomainManager; -import com.cloud.user.SSHKeyPairVO; +import com.cloud.user.SSHKeyPair; import com.cloud.user.dao.AccountDao; import com.cloud.utils.Pair; import com.cloud.utils.component.Manager; import com.cloud.utils.component.ManagerBase; import com.cloud.utils.db.DB; import com.cloud.utils.db.EntityManager; -import com.cloud.vm.InstanceGroupVO; -import com.cloud.vm.VMInstanceVO; -import com.cloud.vm.dao.NicIpAliasVO; -import com.cloud.vm.dao.NicSecondaryIpVO; -import com.cloud.vm.snapshot.VMSnapshotVO; +import com.cloud.vm.InstanceGroup; +import com.cloud.vm.NicIpAlias; +import com.cloud.vm.NicSecondaryIp; +import com.cloud.vm.VirtualMachine; +import com.cloud.vm.snapshot.VMSnapshot; @Local(value = {IAMApiService.class}) public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Manager { @@ -144,48 +143,46 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man @Inject EntityManager _entityMgr; - private static final Map<IAMEntityType, Class<?>> s_typeMap = new HashMap<IAMEntityType, Class<?>>(); + private static final Map<String, Class<?>> s_typeMap = new HashMap<String, Class<?>>(); static { - s_typeMap.put(IAMEntityType.VirtualMachine, VMInstanceVO.class); - s_typeMap.put(IAMEntityType.Volume, VolumeVO.class); - s_typeMap.put(IAMEntityType.ResourceTag, ResourceTagVO.class); - s_typeMap.put(IAMEntityType.Account, AccountVO.class); - s_typeMap.put(IAMEntityType.AffinityGroup, AffinityGroupVO.class); - s_typeMap.put(IAMEntityType.AutoScalePolicy, AutoScalePolicyVO.class); - s_typeMap.put(IAMEntityType.AutoScaleVmProfile, AutoScaleVmProfileVO.class); - s_typeMap.put(IAMEntityType.AutoScaleVmGroup, AutoScaleVmGroupVO.class); - s_typeMap.put(IAMEntityType.Condition, ConditionVO.class); - s_typeMap.put(IAMEntityType.Vpc, VpcVO.class); - s_typeMap.put(IAMEntityType.VpcGateway, VpcGatewayVO.class); - s_typeMap.put(IAMEntityType.PrivateGateway, RemoteAccessVpnVO.class); - s_typeMap.put(IAMEntityType.VpnUser, VpnUserVO.class); - s_typeMap.put(IAMEntityType.VMSnapshot, VMSnapshotVO.class); - s_typeMap.put(IAMEntityType.VirtualMachineTemplate, VMTemplateVO.class); - s_typeMap.put(IAMEntityType.UserIpv6Address, UserIpv6AddressVO.class); - s_typeMap.put(IAMEntityType.StaticRoute, StaticRouteVO.class); - s_typeMap.put(IAMEntityType.SSHKeyPair, SSHKeyPairVO.class); - s_typeMap.put(IAMEntityType.Snapshot, SnapshotVO.class); - s_typeMap.put(IAMEntityType.Site2SiteVpnGateway, Site2SiteVpnGatewayVO.class); - s_typeMap.put(IAMEntityType.Site2SiteCustomerGateway, Site2SiteCustomerGatewayVO.class); - s_typeMap.put(IAMEntityType.Site2SiteVpnConnection, Site2SiteVpnConnectionVO.class); - s_typeMap.put(IAMEntityType.SecurityGroup, SecurityGroupVO.class); - s_typeMap.put(IAMEntityType.RemoteAccessVpn, RemoteAccessVpnVO.class); - s_typeMap.put(IAMEntityType.PublicIpAddress, IPAddressVO.class); - s_typeMap.put(IAMEntityType.ProjectInvitation, ProjectInvitationVO.class); - s_typeMap.put(IAMEntityType.NicSecondaryIp, NicSecondaryIpVO.class); - s_typeMap.put(IAMEntityType.NicIpAlias, NicIpAliasVO.class); - s_typeMap.put(IAMEntityType.Network, NetworkVO.class); - s_typeMap.put(IAMEntityType.IpAddress, IPAddressVO.class); - s_typeMap.put(IAMEntityType.InstanceGroup, InstanceGroupVO.class); - s_typeMap.put(IAMEntityType.GlobalLoadBalancerRule, GlobalLoadBalancerRuleVO.class); - s_typeMap.put(IAMEntityType.FirewallRule, FirewallRuleVO.class); - s_typeMap.put(IAMEntityType.PortForwardingRule, PortForwardingRuleVO.class); - s_typeMap.put(IAMEntityType.Event, EventVO.class); - s_typeMap.put(IAMEntityType.AsyncJob, AsyncJobVO.class); - s_typeMap.put(IAMEntityType.IAMGroup, IAMGroupVO.class); - s_typeMap.put(IAMEntityType.IAMPolicy, IAMPolicyVO.class); - s_typeMap.put(IAMEntityType.MonitorService, MonitoringServiceVO.class); - s_typeMap.put(IAMEntityType.SSLCert, SslCertVO.class); + s_typeMap.put(VirtualMachine.class.getSimpleName(), VirtualMachine.class); + s_typeMap.put(Volume.class.getSimpleName(), Volume.class); + s_typeMap.put(ResourceTag.class.getSimpleName(), ResourceTag.class); + s_typeMap.put(Account.class.getSimpleName(), Account.class); + s_typeMap.put(AffinityGroup.class.getSimpleName(), AffinityGroup.class); + s_typeMap.put(AutoScalePolicy.class.getSimpleName(), AutoScalePolicy.class); + s_typeMap.put(AutoScaleVmProfile.class.getSimpleName(), AutoScaleVmProfile.class); + s_typeMap.put(AutoScaleVmGroup.class.getSimpleName(), AutoScaleVmGroup.class); + s_typeMap.put(Condition.class.getSimpleName(), Condition.class); + s_typeMap.put(Vpc.class.getSimpleName(), Vpc.class); + s_typeMap.put(VpcGateway.class.getSimpleName(), VpcGateway.class); + s_typeMap.put(VpnUser.class.getSimpleName(), VpnUser.class); + s_typeMap.put(VMSnapshot.class.getSimpleName(), VMSnapshot.class); + s_typeMap.put(VirtualMachineTemplate.class.getSimpleName(), VirtualMachineTemplate.class); + s_typeMap.put(UserIpv6Address.class.getSimpleName(), UserIpv6Address.class); + s_typeMap.put(StaticRoute.class.getSimpleName(), StaticRoute.class); + s_typeMap.put(SSHKeyPair.class.getSimpleName(), SSHKeyPair.class); + s_typeMap.put(Snapshot.class.getSimpleName(), Snapshot.class); + s_typeMap.put(Site2SiteVpnGateway.class.getSimpleName(), Site2SiteVpnGateway.class); + s_typeMap.put(Site2SiteCustomerGateway.class.getSimpleName(), Site2SiteCustomerGateway.class); + s_typeMap.put(Site2SiteVpnConnection.class.getSimpleName(), Site2SiteVpnConnection.class); + s_typeMap.put(SecurityGroup.class.getSimpleName(), SecurityGroup.class); + s_typeMap.put(RemoteAccessVpn.class.getSimpleName(), RemoteAccessVpn.class); + s_typeMap.put(ProjectInvitation.class.getSimpleName(), ProjectInvitation.class); + s_typeMap.put(NicSecondaryIp.class.getSimpleName(), NicSecondaryIp.class); + s_typeMap.put(NicIpAlias.class.getSimpleName(), NicIpAlias.class); + s_typeMap.put(Network.class.getSimpleName(), Network.class); + s_typeMap.put(IpAddress.class.getSimpleName(), IPAddress.class); + s_typeMap.put(InstanceGroup.class.getSimpleName(), InstanceGroup.class); + s_typeMap.put(GlobalLoadBalancerRule.class.getSimpleName(), GlobalLoadBalancerRule.class); + s_typeMap.put(FirewallRule.class.getSimpleName(), FirewallRule.class); + s_typeMap.put(PortForwardingRule.class.getSimpleName(), PortForwardingRule.class); + s_typeMap.put(Event.class.getSimpleName(), Event.class); + s_typeMap.put(AsyncJob.class.getSimpleName(), AsyncJob.class); + s_typeMap.put(IAMGroup.class.getSimpleName(), IAMGroup.class); + s_typeMap.put(IAMPolicy.class.getSimpleName(), IAMPolicy.class); + s_typeMap.put(MonitoringService.class.getSimpleName(), MonitoringService.class); + s_typeMap.put(SslCert.class.getSimpleName(), SslCert.class); } @Override @@ -261,9 +258,9 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man Long templateId = (Long)obj; if (templateId != null) { s_logger.debug("MessageBus message: new public template registered: " + templateId + ", grant permission to domain admin and normal user policies"); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), IAMEntityType.VirtualMachineTemplate.toString(), + _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), IAMEntityType.VirtualMachineTemplate.toString(), + _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(), PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); } } @@ -283,9 +280,9 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man _messageBus.subscribe(EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, new MessageSubscriber() { @Override public void onPublishMessage(String senderAddress, String subject, Object obj) { - Pair<IAMEntityType, Long> entity = (Pair<IAMEntityType, Long>)obj; + Pair<Class<?>, Long> entity = (Pair<Class<?>, Long>)obj; if (entity != null) { - String entityType = entity.first().toString(); + String entityType = entity.first().getSimpleName(); Long entityId = entity.second(); s_logger.debug("MessageBus message: delete an entity: (" + entityType + "," + entityId + "), remove its related permission"); _iamSrv.removeIAMPermissionForEntity(entityType, entityId); @@ -299,13 +296,13 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man public void onPublishMessage(String senderAddress, String subject, Object obj) { Map<String, Object> permit = (Map<String, Object>)obj; if (permit != null) { - String entityType = (String)permit.get(ApiConstants.ENTITY_TYPE); + Class<?> entityType = (Class<?>)permit.get(ApiConstants.ENTITY_TYPE); Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID); AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE); String action = (String)permit.get(ApiConstants.IAM_ACTION); List<Long> acctIds = (List<Long>)permit.get(ApiConstants.ACCOUNTS); s_logger.debug("MessageBus message: grant accounts permission to an entity: (" + entityType + "," + entityId + ")"); - grantEntityPermissioinToAccounts(entityType, entityId, accessType, action, acctIds); + grantEntityPermissioinToAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds); } } }); @@ -315,13 +312,13 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man public void onPublishMessage(String senderAddress, String subject, Object obj) { Map<String, Object> permit = (Map<String, Object>)obj; if (permit != null) { - String entityType = (String)permit.get(ApiConstants.ENTITY_TYPE); + Class<?> entityType = (Class<?>)permit.get(ApiConstants.ENTITY_TYPE); Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID); AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE); String action = (String)permit.get(ApiConstants.IAM_ACTION); List<Long> acctIds = (List<Long>)permit.get(ApiConstants.ACCOUNTS); s_logger.debug("MessageBus message: revoke from accounts permission to an entity: (" + entityType + "," + entityId + ")"); - revokeEntityPermissioinFromAccounts(entityType, entityId, accessType, action, acctIds); + revokeEntityPermissioinFromAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds); } } }); @@ -359,15 +356,15 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man private void addDomainWideResourceAccess(Map<String, Object> params) { - IAMEntityType entityType = (IAMEntityType)params.get(ApiConstants.ENTITY_TYPE); + Class<?> entityType = (Class<?>)params.get(ApiConstants.ENTITY_TYPE); Long entityId = (Long) params.get(ApiConstants.ENTITY_ID); Long domainId = (Long) params.get(ApiConstants.DOMAIN_ID); Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS); - if (entityType == IAMEntityType.Network) { + if (entityType == Network.class) { createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.toString(), entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive); - } else if (entityType == IAMEntityType.AffinityGroup) { + } else if (entityType == AffinityGroup.class) { createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.toString(), entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive); } @@ -575,7 +572,7 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man IAMPermissionResponse perm = new IAMPermissionResponse(); perm.setAction(permission.getAction()); if (permission.getEntityType() != null) { - perm.setEntityType(IAMEntityType.valueOf(permission.getEntityType())); + perm.setEntityType(permission.getEntityType()); } if (permission.getScope() != null) { perm.setScope(PermissionScope.valueOf(permission.getScope())); @@ -758,12 +755,12 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man private void resetTemplatePermission(Long templateId){ // reset template will change template to private, so we need to remove its permission for domain admin and normal user group - _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), IAMEntityType.VirtualMachineTemplate.toString(), + _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), PermissionScope.RESOURCE.toString(), templateId, "listTemplates"); - _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), IAMEntityType.VirtualMachineTemplate.toString(), + _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(), PermissionScope.RESOURCE.toString(), templateId, "listTemplates"); // check if there is a policy with only UseEntry permission for this template added - IAMPolicy policy = _iamSrv.getResourceGrantPolicy(IAMEntityType.VirtualMachineTemplate.toString(), templateId, AccessType.UseEntry.toString(), "listTemplates"); + IAMPolicy policy = _iamSrv.getResourceGrantPolicy(VirtualMachineTemplate.class.getSimpleName(), templateId, AccessType.UseEntry.toString(), "listTemplates"); if ( policy == null ){ s_logger.info("No policy found for this template grant: " + templateId + ", no detach to be done"); return; @@ -788,7 +785,7 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man entity = _accountDao.findByUuid(scopeId); break; case RESOURCE: - Class<?> clazz = s_typeMap.get(IAMEntityType.valueOf(entityType)); + Class<?> clazz = s_typeMap.get(entityType); entity = (InternalIdentity)_entityMgr.findByUuid(clazz, scopeId); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ae1d6a77/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java index fb75db3..1afe5e8 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java +++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java @@ -29,7 +29,6 @@ import javax.naming.ConfigurationException; import org.apache.log4j.Logger; import org.apache.cloudstack.acl.APIChecker; -import org.apache.cloudstack.acl.IAMEntityType; import org.apache.cloudstack.acl.PermissionScope; import org.apache.cloudstack.acl.RoleType; import org.apache.cloudstack.acl.SecurityChecker.AccessType; @@ -46,6 +45,7 @@ import com.cloud.api.ApiServerService; import com.cloud.exception.PermissionDeniedException; import com.cloud.storage.VMTemplateVO; import com.cloud.storage.dao.VMTemplateDao; +import com.cloud.template.VirtualMachineTemplate; import com.cloud.user.Account; import com.cloud.user.AccountService; import com.cloud.user.User; @@ -133,9 +133,9 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker // add permissions for public templates List<VMTemplateVO> pTmplts = _templateDao.listByPublic(); for (VMTemplateVO tmpl : pTmplts){ - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), IAMEntityType.VirtualMachineTemplate.toString(), + _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), IAMEntityType.VirtualMachineTemplate.toString(), + _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(), PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); } @@ -218,7 +218,7 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType role) { AccessType accessType = null; - IAMEntityType[] entityTypes = null; + Class<?>[] entityTypes = null; if (cmdClass != null) { BaseCmd cmdObj; try { @@ -262,8 +262,9 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, permissionScope.toString(), new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false); } else { - for (IAMEntityType entityType : entityTypes) { - _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.toString(), permissionScope.toString(), new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), + for (Class<?> entityType : entityTypes) { + _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(), permissionScope.toString(), new Long( + IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false); } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ae1d6a77/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java index 3fe854a..3ab3749 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java +++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java @@ -83,7 +83,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur String entityType = null; if (entity.getEntityType() != null) { - entityType = entity.getEntityType().toString(); + entityType = entity.getEntityType().getSimpleName(); } if (accessType == null) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ae1d6a77/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java index b825ab2..49c4c9f 100644 --- a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java +++ b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java @@ -50,7 +50,6 @@ import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.springframework.test.context.support.AnnotationConfigContextLoader; -import org.apache.cloudstack.acl.IAMEntityType; import org.apache.cloudstack.acl.PermissionScope; import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.command.user.vm.ListVMsCmd; @@ -84,6 +83,7 @@ import com.cloud.user.dao.AccountDao; import com.cloud.utils.Pair; import com.cloud.utils.component.ComponentContext; import com.cloud.utils.db.EntityManager; +import com.cloud.vm.VirtualMachine; @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration(loader = AnnotationConfigContextLoader.class) @@ -292,15 +292,15 @@ public class IAMApiServiceTest { Class clz = ListVMsCmd.class; when(_apiServer.getCmdClass("listVirtualMachines")).thenReturn(clz); when( - _iamSrv.addIAMPermissionToIAMPolicy(policyId, IAMEntityType.VirtualMachine.toString(), + _iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines", AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy); - _aclSrv.addIAMPermissionToIAMPolicy(policyId, IAMEntityType.VirtualMachine.toString(), + _aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false); Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1); List<IAMPolicyPermission> policyPerms = new ArrayList<IAMPolicyPermission>(); IAMPolicyPermission perm = new IAMPolicyPermissionVO(policyId, "listVirtualMachines", - IAMEntityType.VirtualMachine.toString(), AccessType.UseEntry.toString(), + VirtualMachine.class.getSimpleName(), AccessType.UseEntry.toString(), PermissionScope.RESOURCE.toString(), resId, Permission.Allow, false); policyPerms.add(perm); @@ -316,7 +316,7 @@ public class IAMApiServiceTest { //remove permission from policy policyPerms.remove(perm); - _aclSrv.removeIAMPermissionFromIAMPolicy(policyId, IAMEntityType.VirtualMachine.toString(), + _aclSrv.removeIAMPermissionFromIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), PermissionScope.RESOURCE, resId, "listVirtualMachines"); policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L); assertTrue("No. of response items should be one", policyResp.getCount() == 1);
