apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-12-17 02:53:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

APIAccessChecker: Refactor and simply plugin implementation using better data structures

Browse Source 
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
This commit is contained in:
Rohit Yadav 2013-01-10 17:21:58 -08:00
parent e63e352508
commit 18bdc58ceb
2 changed files with 14 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
api/src/org/apache/cloudstack/acl/APIAccessChecker.java
View File

@ -17,7 +17,6 @@
package org.apache.cloudstack.acl; package org.apache.cloudstack.acl;
import org.apache.cloudstack.acl.RoleType; import org.apache.cloudstack.acl.RoleType;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.utils.component.Adapter; import com.cloud.utils.component.Adapter;
/** /**
@ -25,5 +24,5 @@ import com.cloud.utils.component.Adapter;
*/ */
public interface APIAccessChecker extends Adapter { public interface APIAccessChecker extends Adapter {
// Interface for checking access to an API for an user // Interface for checking access to an API for an user
boolean canAccessAPI(RoleType roleType, String apiCommandName) throws PermissionDeniedException; boolean canAccessAPI(RoleType roleType, String apiCommandName);
} }

64
plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
View File

@ -16,7 +16,6 @@
// under the License. // under the License.
package org.apache.cloudstack.acl; package org.apache.cloudstack.acl;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.server.ManagementServer; import com.cloud.server.ManagementServer;
import com.cloud.utils.component.AdapterBase; import com.cloud.utils.component.AdapterBase;
import com.cloud.utils.component.ComponentLocator; import com.cloud.utils.component.ComponentLocator;
@ -39,45 +38,20 @@ import org.apache.log4j.Logger;
public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIAccessChecker { public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIAccessChecker {
protected static final Logger s_logger = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class); protected static final Logger s_logger = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
private static Set<String> s_userCommands = null;
private static Set<String> s_resellerCommands = null; // AKA domain-admin private static Map<RoleType, Set<String>> s_roleBasedApisMap =
private static Set<String> s_adminCommands = null; new HashMap<RoleType, Set<String>>();
private static Set<String> s_resourceDomainAdminCommands = null;
private static Set<String> s_allCommands = null;
protected StaticRoleBasedAPIAccessChecker() { protected StaticRoleBasedAPIAccessChecker() {
super(); super();
s_allCommands = new HashSet<String>(); for (RoleType roleType: RoleType.values()) {
s_userCommands = new HashSet<String>(); s_roleBasedApisMap.put(roleType, new HashSet<String>());
s_resellerCommands = new HashSet<String>(); }
s_adminCommands = new HashSet<String>();
s_resourceDomainAdminCommands = new HashSet<String>();
} }
@Override @Override
public boolean canAccessAPI(RoleType roleType, String commandName) public boolean canAccessAPI(RoleType roleType, String commandName) {
throws PermissionDeniedException { return s_roleBasedApisMap.get(roleType).contains(commandName);
boolean commandExists = s_allCommands.contains(commandName);
boolean commandAccessible = false;
if (commandExists) {
switch (roleType) {
case Admin:
commandAccessible = s_adminCommands.contains(commandName);
break;
case DomainAdmin:
commandAccessible = s_resellerCommands.contains(commandName);
break;
case ResourceAdmin:
commandAccessible = s_resourceDomainAdminCommands.contains(commandName);
break;
case User:
commandAccessible = s_userCommands.contains(commandName);
break;
}
}
return commandExists && commandAccessible;
} }
@Override @Override
@ -98,31 +72,19 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
return true; return true;
} }
private void processConfigFiles(Map<String, String> config) { private void processConfigFiles(Map<String, String> configMap) {
for (Map.Entry<String, String> entry: config.entrySet()) { for (Map.Entry<String, String> entry: configMap.entrySet()) {
String apiName = entry.getKey(); String apiName = entry.getKey();
String roleMask = entry.getValue(); String roleMask = entry.getValue();
try { try {
short cmdPermissions = Short.parseShort(roleMask); short cmdPermissions = Short.parseShort(roleMask);
if ((cmdPermissions & Admin.getValue()) != 0) { for (RoleType roleType: RoleType.values()) {
s_adminCommands.add(apiName); if ((cmdPermissions & roleType.getValue()) != 0)
} s_roleBasedApisMap.get(roleType).add(apiName);
if ((cmdPermissions & ResourceAdmin.getValue()) != 0) {
s_resourceDomainAdminCommands.add(apiName);
}
if ((cmdPermissions & DomainAdmin.getValue()) != 0) {
s_resellerCommands.add(apiName);
}
if ((cmdPermissions & User.getValue()) != 0) {
s_userCommands.add(apiName);
} }
} catch (NumberFormatException nfe) { } catch (NumberFormatException nfe) {
s_logger.info("Malformed commands.properties permissions value, for entry: " + entry.toString()); s_logger.info("Malformed commands.properties permissions value, for entry: " + entry.toString());
} }
} }
s_allCommands.addAll(s_adminCommands);
s_allCommands.addAll(s_resourceDomainAdminCommands);
s_allCommands.addAll(s_userCommands);
s_allCommands.addAll(s_resellerCommands);
} }
} }