Remove ACL permission for a particular entity when it is deleted. The

hook is currently only done for deleteTemplateCmd.
2025-11-02 20:02:29 +01:00 · 2014-01-28 18:17:01 -08:00 · 2014-01-28 18:17:01 -08:00 · 0063b60701
commit 0063b60701
parent 72812cdf22
7 changed files with 56 additions and 1 deletions
--- a/server/src/com/cloud/template/HypervisorTemplateAdapter.java
+++ b/server/src/com/cloud/template/HypervisorTemplateAdapter.java
@ -27,6 +27,7 @@ import javax.inject.Inject;

 import org.apache.log4j.Logger;

+import org.apache.cloudstack.acl.AclEntityType;
 import org.apache.cloudstack.api.command.user.iso.DeleteIsoCmd;
 import org.apache.cloudstack.api.command.user.iso.RegisterIsoCmd;
 import org.apache.cloudstack.api.command.user.template.DeleteTemplateCmd;
@ -69,8 +70,10 @@ import com.cloud.storage.VMTemplateZoneVO;
 import com.cloud.storage.dao.VMTemplateZoneDao;
 import com.cloud.storage.download.DownloadMonitor;
 import com.cloud.user.Account;
+import com.cloud.utils.Pair;
 import com.cloud.utils.UriUtils;
 import com.cloud.utils.db.DB;
+import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.exception.CloudRuntimeException;

@Local(value = TemplateAdapter.class)
@ -399,6 +402,11 @@ public class HypervisorTemplateAdapter extends TemplateAdapterBase {
                    _resourceLimitMgr.recalculateResourceCount(template.getAccountId(), account.getDomainId(), ResourceType.secondary_storage.getOrdinal());
                }
            }
+
+            // remove its related ACL permission
+            Pair<AclEntityType, Long> tmplt = new Pair<AclEntityType, Long>(AclEntityType.VirtualMachineTemplate, template.getId());
+            _messageBus.publish(_name, EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, PublishScope.LOCAL, tmplt);
+
        }
        return success;

--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@ -75,6 +75,7 @@ import com.cloud.utils.Pair;
 import com.cloud.utils.component.Manager;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.DB;
+import com.cloud.utils.db.EntityManager;

@Local(value = {AclApiService.class})
 public class AclApiServiceImpl extends ManagerBase implements AclApiService, Manager {
@ -165,6 +166,19 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
            }
        });

+        _messageBus.subscribe(EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, new MessageSubscriber() {
+            @Override
+            public void onPublishMessage(String senderAddress, String subject, Object obj) {
+                Pair<AclEntityType, Long> entity = (Pair<AclEntityType, Long>)obj;
+                if (entity != null) {
+                    String entityType = entity.first().toString();
+                    Long entityId = entity.second();
+                    s_logger.debug("MessageBus message: delete an entity: (" + entityType + "," + entityId + "), remove its related permission");
+                    _iamSrv.removeAclPermissionForEntity(entityType, entityId);
+                }
+            }
+        });
+
        return super.configure(name, params);
    }

--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@ -64,6 +64,8 @@ public interface IAMService {
    AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
            String action);

+    void removeAclPermissionForEntity(final String entityType, final Long entityId);
+
    AclPolicy getResourceOwnerPolicy();

    List<AclPolicyPermission> listPolicyPermissions(long policyId);
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@ -579,6 +579,20 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
        return policy;
    }

+    @DB
+    @Override
+    public void removeAclPermissionForEntity(final String entityType, final Long entityId) {
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                // remove entry from acl_entity_permission table
+                List<AclPolicyPermissionVO> permitList = _policyPermissionDao.listByEntity(entityType, entityId);
+                for (AclPolicyPermissionVO permit : permitList) {
+                    _policyPermissionDao.remove(permit.getId());
+                }
+            }
+        });
+    }

    @DB
    @Override
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java
@ -16,10 +16,10 @@
 // under the License.
 package org.apache.cloudstack.iam.server.dao;
 import java.util.List;
+
 import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
 import org.apache.cloudstack.iam.server.AclPolicyPermissionVO;

-
 import com.cloud.utils.db.GenericDao;

 public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO, Long> {
@ -35,4 +35,5 @@ public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO

    List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType, String entityType);

+    List<AclPolicyPermissionVO> listByEntity(String entityType, Long entityId);
 }
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java
@ -34,6 +34,7 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
    private SearchBuilder<AclPolicyPermissionVO> policyIdSearch;
    private SearchBuilder<AclPolicyPermissionVO> fullSearch;
    private SearchBuilder<AclPolicyPermissionVO> actionScopeSearch;
+    private SearchBuilder<AclPolicyPermissionVO> entitySearch;

    @Override
    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
@ -60,6 +61,11 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
        actionScopeSearch.and("permission", actionScopeSearch.entity().getPermission(), SearchCriteria.Op.EQ);
        actionScopeSearch.done();

+        entitySearch = createSearchBuilder();
+        entitySearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ);
+        entitySearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ);
+        entitySearch.done();
+
        return true;
    }

@ -112,4 +118,12 @@ public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissi
        return listBy(sc);
    }

+    @Override
+    public List<AclPolicyPermissionVO> listByEntity(String entityType, Long entityId) {
+        SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
+        sc.setParameters("entityType", entityType);
+        sc.setParameters("scopeId", entityId);
+        return listBy(sc);
+    }
+
 }
--- a/utils/src/com/cloud/utils/db/EntityManager.java
+++ b/utils/src/com/cloud/utils/db/EntityManager.java
@ -70,4 +70,6 @@ public interface EntityManager {
    public <T> List<? extends T> list(Class<T> entityType);

    public <T, K extends Serializable> void remove(Class<T> entityType, K id);
+
+    public static final String MESSAGE_REMOVE_ENTITY_EVENT = "Message.RemoveEntity.Event";
 }