rhtyd commented on a change in pull request #4071:
URL: https://github.com/apache/cloudstack/pull/4071#discussion_r439285700
##########
File path:
engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade41400to41500.java
##########
@@ -235,6 +238,267 @@ private void updateSystemVmTemplates(final Connection
conn) {
LOG.debug("Updating System Vm Template IDs Complete");
}
+ private void addRolePermissionsForNewReadOnlyAndSupportRoles(final
Connection conn) {
+ addRolePermissionsForReadOnlyAdmin(conn);
+ addRolePermissionsForReadOnlyUser(conn);
+ addRolePermissionsForAdminSupport(conn);
+ addRolePermissionsForUserSupport(conn);
+ }
+
+ private void addRolePermissionsForReadOnlyAdmin(final Connection conn) {
+ LOG.debug("Adding role permissions for new read-only admin role");
+ try {
+ PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM
`cloud`.`roles` WHERE name = 'Read-Only Admin (Default)' AND is_default = 1");
+ ResultSet rs = pstmt.executeQuery();
+ if (rs.next()) {
+ long readOnlyAdminRoleId = rs.getLong(1);
+ int readOnlyAdminSortOrder = 0;
+ List<String> insertSqlForReadOnlyAdminRolePermissions = new
ArrayList<String>();
+ insertSqlForReadOnlyAdminRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'list*', 'ALLOW', ?) ON DUPLICATE KEY UPDATE
rule=rule");
+ insertSqlForReadOnlyAdminRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'getUploadParamsFor*', 'DENY', ?) ON DUPLICATE
KEY UPDATE rule=rule");
+ insertSqlForReadOnlyAdminRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'get*', 'ALLOW', ?) ON DUPLICATE KEY UPDATE
rule=rule");
+ insertSqlForReadOnlyAdminRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'cloudianIsEnabled', 'ALLOW', ?) ON DUPLICATE
KEY UPDATE rule=rule");
+ insertSqlForReadOnlyAdminRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'quotaIsEnabled', 'ALLOW', ?) ON DUPLICATE KEY
UPDATE rule=rule");
+ insertSqlForReadOnlyAdminRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'quotaTariffList', 'ALLOW', ?) ON DUPLICATE
KEY UPDATE rule=rule");
+ insertSqlForReadOnlyAdminRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'quotaSummary', 'ALLOW', ?) ON DUPLICATE KEY
UPDATE rule=rule");
+ insertSqlForReadOnlyAdminRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, '*', 'DENY', ?) ON DUPLICATE KEY UPDATE
rule=rule");
+
+ for(String insertSqlForReadOnlyAdmin :
insertSqlForReadOnlyAdminRolePermissions) {
+ pstmt = conn.prepareStatement(insertSqlForReadOnlyAdmin);
+ pstmt.setLong(1, readOnlyAdminRoleId);
+ pstmt.setLong(2, readOnlyAdminSortOrder++);
+ pstmt.executeUpdate();
+ }
+ }
+
+ if (rs != null && !rs.isClosed()) {
+ rs.close();
+ }
+ if (pstmt != null && !pstmt.isClosed()) {
+ pstmt.close();
+ }
+ LOG.debug("Successfully added role permissions for new read-only
admin role");
+ } catch (final SQLException e) {
+ LOG.error("Exception while adding role permissions for read-only
admin role: " + e.getMessage());
+ throw new CloudRuntimeException("Exception while adding role
permissions for read-only admin role: " + e.getMessage(), e);
+ }
+ }
+
+ private void addRolePermissionsForReadOnlyUser(final Connection conn) {
+ LOG.debug("Adding role permissions for new read-only user role");
+ try {
+ PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM
`cloud`.`roles` WHERE name = 'Read-Only User (Default)' AND is_default = 1");
+ ResultSet rs = pstmt.executeQuery();
+ if (rs.next()) {
+ long readOnlyUserRoleId = rs.getLong(1);
+ int readOnlyUserSortOrder = 0;
+
+ pstmt = conn.prepareStatement("SELECT rule FROM
`cloud`.`role_permissions` WHERE role_id = 4 AND permission = 'ALLOW' AND rule
LIKE 'list%' ORDER BY sort_order");
+ ResultSet rsRolePermissions = pstmt.executeQuery();
+
+ while (rsRolePermissions.next()) {
+ String rule = rsRolePermissions.getString(1);
+ pstmt = conn.prepareStatement("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, ?, 'ALLOW', ?) ON DUPLICATE KEY UPDATE
rule=rule");
+ pstmt.setLong(1, readOnlyUserRoleId);
+ pstmt.setString(2, rule);
+ pstmt.setLong(3, readOnlyUserSortOrder++);
+ pstmt.executeUpdate();
+ }
+
+ pstmt = conn.prepareStatement("SELECT rule FROM
`cloud`.`role_permissions` WHERE role_id = 4 AND permission = 'ALLOW' AND rule
LIKE 'get%' AND rule NOT LIKE 'getUploadParamsFor%' ORDER BY sort_order");
+ rsRolePermissions = pstmt.executeQuery();
+
+ while (rsRolePermissions.next()) {
+ String rule = rsRolePermissions.getString(1);
+ pstmt = conn.prepareStatement("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, ?, 'ALLOW', ?) ON DUPLICATE KEY UPDATE
rule=rule");
+ pstmt.setLong(1, readOnlyUserRoleId);
+ pstmt.setString(2, rule);
+ pstmt.setLong(3, readOnlyUserSortOrder++);
+ pstmt.executeUpdate();
+ }
+
+ List<String> insertSqlForReadOnlyUserRolePermissions = new
ArrayList<String>();
+ insertSqlForReadOnlyUserRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'cloudianIsEnabled', 'ALLOW', ?) ON DUPLICATE
KEY UPDATE rule=rule");
+ insertSqlForReadOnlyUserRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'quotaIsEnabled', 'ALLOW', ?) ON DUPLICATE KEY
UPDATE rule=rule");
+ insertSqlForReadOnlyUserRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'quotaTariffList', 'ALLOW', ?) ON DUPLICATE
KEY UPDATE rule=rule");
+ insertSqlForReadOnlyUserRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'quotaSummary', 'ALLOW', ?) ON DUPLICATE KEY
UPDATE rule=rule");
+ insertSqlForReadOnlyUserRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, '*', 'DENY', ?) ON DUPLICATE KEY UPDATE
rule=rule");
+
+ for(String insertSqlForReadOnlyUser :
insertSqlForReadOnlyUserRolePermissions) {
+ pstmt = conn.prepareStatement(insertSqlForReadOnlyUser);
+ pstmt.setLong(1, readOnlyUserRoleId);
+ pstmt.setLong(2, readOnlyUserSortOrder++);
+ pstmt.executeUpdate();
+ }
+
+ if (rsRolePermissions != null &&
!rsRolePermissions.isClosed()) {
+ rsRolePermissions.close();
+ }
+ }
+
+ if (rs != null && !rs.isClosed()) {
+ rs.close();
+ }
+ if (pstmt != null && !pstmt.isClosed()) {
+ pstmt.close();
+ }
+ LOG.debug("Successfully added role permissions for new read-only
user role");
+ } catch (final SQLException e) {
+ LOG.error("Exception while adding role permissions for read-only
user role: " + e.getMessage());
+ throw new CloudRuntimeException("Exception while adding role
permissions for read-only user role: " + e.getMessage(), e);
+ }
+ }
+
+ private void addRolePermissionsForAdminSupport(final Connection conn) {
+ LOG.debug("Adding role permissions for new admin support role");
+ try {
+ PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM
`cloud`.`roles` WHERE name = 'Admin-Support (Default)' AND is_default = 1");
+ ResultSet rs = pstmt.executeQuery();
+ if (rs.next()) {
+ long adminSupportRoleId = rs.getLong(1);
+ int adminSupportSortOrder = 0;
+
+ pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`roles`
WHERE name = 'Read-Only Admin (Default)' AND is_default = 1");
+ ResultSet rsReadOnlyAdmin = pstmt.executeQuery();
+ if (rsReadOnlyAdmin.next()) {
+ long readOnlyAdminRoleId = rsReadOnlyAdmin.getLong(1);
+ pstmt = conn.prepareStatement("SELECT rule FROM
`cloud`.`role_permissions` WHERE role_id = ? AND permission = 'ALLOW' ORDER BY
sort_order");
+ pstmt.setLong(1, readOnlyAdminRoleId);
+ ResultSet rsRolePermissions = pstmt.executeQuery();
+
+ while (rsRolePermissions.next()) {
+ String rule = rsRolePermissions.getString(1);
+ pstmt = conn.prepareStatement("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, ?, 'ALLOW', ?) ON DUPLICATE KEY UPDATE
rule=rule");
+ pstmt.setLong(1, adminSupportRoleId);
+ pstmt.setString(2, rule);
+ pstmt.setLong(3, adminSupportSortOrder++);
+ pstmt.executeUpdate();
+ }
+
+ List<String> insertSqlForAdminSupportRolePermissions = new
ArrayList<String>();
+ insertSqlForAdminSupportRolePermissions.add("INSERT INTO
`cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`,
`sort_order`) VALUES (UUID(), ?, 'prepareHostForMaintenance', 'ALLOW', ?) ON
DUPLICATE KEY UPDATE rule=rule");
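Review bot: Copying only `permission = 'ALLOW'` rows from the Read-Only Admin role (the `SELECT rule FROM ... WHERE role_id = ? AND permission = 'ALLOW' ORDER BY sort_order` statement in addRolePermissionsForAdminSupport) silently drops the `getUploadParamsFor*` DENY that this same hunk inserts ahead of the `get*` ALLOW for that role, so Admin-Support ends up with `get*` allowed and no preceding deny; if permissions are evaluated first-match in sort_order, as the deliberate ordering of the inserted rows implies, the derived role becomes wider than its source. The same ALLOW-only filter is applied to the `role_id = 4` selects in addRolePermissionsForReadOnlyUser, where the source role id is additionally hard-coded instead of being looked up by name as the other methods do. Copy the permission column together with the rule: `SELECT rule, permission FROM cloud.role_permissions WHERE role_id = ? ORDER BY sort_order`, insert with `VALUES (UUID(), ?, ?, ?, ?)` and bind `pstmt.setString(3, rsRolePermissions.getString(2))` with sort_order moved to index 4. Separately, every `pstmt = conn.prepareStatement(...)` inside the while/for loops discards the previous PreparedStatement without closing it (only the last one reaches the `pstmt.close()` at the end) and nothing is closed on the SQLException path, which a try-with-resources per statement would fix. addRolePermissionsForAdminSupport continues past the end of the hunk, so a DENY may be appended later, but it would sort after the copied `get*` ALLOW and still be shadowed.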
Review comment:
nit - Could be made less verbose by looping over the API strings and adding
each string to the collection/list. Same for other parts of the code.