Moti Asayag has uploaded a new change for review. Change subject: engine: Add alternate permission subjects list ......................................................................
engine: Add alternate permission subjects list
The patch extends the CommandBase authorization to define a secondary list of permissions. By default the secondary list is not defined. However, by overriding it, a command provides another set of permissions subjects to be examined. The authorization is considered as succeeded if any of the lists passes the permissions check.
Change-Id: I32e60540308c6bf6495b472608e307dc695edd11
Signed-off-by: Moti Asayag <masa...@redhat.com>
---
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java
1 file changed, 32 insertions(+), 8 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/47/9847/1
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java
index 20bd121..01a63f6 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java
@@ -22,12 +22,12 @@
 import org.ovirt.engine.core.bll.interfaces.BackendInternal;
 import org.ovirt.engine.core.bll.job.ExecutionContext;
 import org.ovirt.engine.core.bll.job.ExecutionHandler;
+import org.ovirt.engine.core.bll.quota.InvalidQuotaParametersException;
 import org.ovirt.engine.core.bll.quota.QuotaConsumptionParameter;
-import org.ovirt.engine.core.bll.quota.QuotaStorageDependent;
-import org.ovirt.engine.core.bll.quota.QuotaVdsDependent;
 import org.ovirt.engine.core.bll.quota.QuotaConsumptionParametersWrapper;
 import org.ovirt.engine.core.bll.quota.QuotaManager;
-import org.ovirt.engine.core.bll.quota.InvalidQuotaParametersException;
+import org.ovirt.engine.core.bll.quota.QuotaStorageDependent;
+import org.ovirt.engine.core.bll.quota.QuotaVdsDependent;
 import org.ovirt.engine.core.bll.session.SessionDataContainer;
 import org.ovirt.engine.core.bll.tasks.AsyncTaskUtils;
 import org.ovirt.engine.core.bll.tasks.SPMAsyncTaskHandler;
@@ -832,11 +832,12 @@
 return false;
 }
- // Get identifiers and types of the objects whose permissions have to be
- // checked:
+ // Get identifiers and types of the objects whose permissions have to be checked
 final List<PermissionSubject> permSubjects = getPermissionCheckSubjects();
+ final List<PermissionSubject> alternatePermSubjects = getAlternatePermissionCheckSubjects();
- if (permSubjects == null || permSubjects.isEmpty()) {
+ if (permSubjects == null || permSubjects.isEmpty()
+ || alternatePermSubjects != null && alternatePermSubjects.isEmpty()) {
 if (log.isDebugEnabled()) {
 log.debugFormat("The set of objects to check is null or empty for action {0}.", getActionType());
 }
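Review bot: The widened guard `if (permSubjects == null || permSubjects.isEmpty() || alternatePermSubjects != null && alternatePermSubjects.isEmpty())` in the second hunk mixes `||` and `&&` without parentheses and gives no hint why an explicitly empty alternate list rejects the whole command; the reason appears to be that the per-subject loop later in this change returns true when it has nothing to iterate, so an empty list would otherwise be granted vacuously, which makes this guard load-bearing for authorization. Parenthesize the last term as `|| (alternatePermSubjects != null && alternatePermSubjects.isEmpty())` and put `// An empty alternate list must not pass vacuously, so treat it as a denial` above it. The debug message "null or empty" on the following line now also fires for the empty-alternate case and should name which list was empty. The enclosing method begins before the hunk and the branch's return statement lies past it.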
@@ -847,6 +848,21 @@
 if (isQuotaDependant()) {
 addQuotaPermissionSubject(permSubjects);
 }
+
+ // If we are here then we should check the permissions are granted
+ return checkPermissions(permSubjects) || checkAlternatePermissions(alternatePermSubjects);
+ }
+
+ private boolean checkAlternatePermissions(final List<PermissionSubject> permSubjects) {
+ if (checkPermissions(permSubjects)) {
+ getReturnValue().getCanDoActionMessages().clear();
+ setActionMessageParameters();
+ return true;
+ }
+ return false;
+ }
+
+ private boolean checkPermissions(final List<PermissionSubject> permSubjects) {
 for (PermissionSubject permSubject : permSubjects) {
 final Guid objectId = permSubject.getObjectId();
@@ -875,8 +891,6 @@
 return false;
 }
 }
-
- // If we are here then we should grant the permission:
 return true;
 }
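Review bot: `checkAlternatePermissions(alternatePermSubjects)` runs whenever the primary check fails, and with the default `getAlternatePermissionCheckSubjects()` returning null it hands null to `checkPermissions`, whose `for (PermissionSubject permSubject : permSubjects)` then throws a NullPointerException — so every ordinary command that is denied authorization now dies with an exception instead of returning false with its CanDoAction messages. Make `checkPermissions` fail closed on its own input by starting it with `if (permSubjects == null || permSubjects.isEmpty()) { return false; }`; that also stops an empty list from being granted by the `return true` after the loop and removes the dependence on the caller's guard. Separately, `addQuotaPermissionSubject(permSubjects)` at the top of the hunk only enriches the primary list, so a command that is authorized through the alternate list is never checked for the quota permission; if the alternate path is meant to be subject to the same quota requirement, the quota subject has to be added to that list as well. The enclosing method starts before the hunk and the body of `checkPermissions` continues past it.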
@@ -1527,6 +1541,16 @@
 public abstract List<PermissionSubject> getPermissionCheckSubjects();
 /**
+ * An alternative entities collection to {@link #getPermissionCheckSubjects()} which the user should have the
+ * required permissions for in order to pass authorization check of the command.
+ *
+ * @return Map of GUIDs to Object types
+ */
+ public List<PermissionSubject> getAlternatePermissionCheckSubjects(){
+ return null;
+ }
+
+ /**
 * Returns the properties which used to populate the job message. The default properties resolving will use
 * {@link #getPermissionCheckSubjects()} to get the entities associated with the command. The property key is the
 * type of the entity by {@code VdcObjectType.name()} and the value is the name of the entity or the entity
--
To view, visit http://gerrit.ovirt.org/9847 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I32e60540308c6bf6495b472608e307dc695edd11 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Moti Asayag <masa...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
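Review bot: The Javadoc on `getAlternatePermissionCheckSubjects()` says `@return Map of GUIDs to Object types`, but the method returns `List<PermissionSubject>`, and it leaves out the contract an overriding command has to respect: null (the default) means there is no alternate list, whereas an empty list is rejected by the guard added earlier in this change. Replace the tag with `@return the alternate permission subjects, or {@code null} when the command has no alternate list; an empty list is treated as a failed authorization` and add a sentence saying the alternate list is only consulted after the primary subjects fail the check. Minor style point: `getAlternatePermissionCheckSubjects(){` is missing the space before the brace that the new private methods in this change use.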