Remove VO and DAO from cloud-engine-schema.

Min Chen 2014-01-10 15:56:22 -08:00
parent 723f6c48eb
commit 43f0f901dd
38 changed files with 59 additions and 3018 deletions


@ -1,11 +0,0 @@
package org.apache.cloudstack.acl;
import org.apache.cloudstack.api.InternalIdentity;
public interface AclApiPermission extends InternalIdentity {
Long getAclRoleId();
String getApiName();
}


@ -1,17 +0,0 @@
package org.apache.cloudstack.acl;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.InternalIdentity;
public interface AclEntityPermission extends InternalIdentity {
Long getAclGroupId();
String getEntityType();
Long getEntityId();
AccessType getAccessType();
boolean isAllowed();
}


@ -1,27 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.api.InternalIdentity;
public interface AclGroup extends ControlledEntity, InternalIdentity, Identity {
String getName();
String getDescription();
}


@ -1,31 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.api.InternalIdentity;
public interface AclPolicy extends ControlledEntity, InternalIdentity, Identity {
String getName();
String getDescription();
public enum PolicyType {
Static, Dynamic
}
}


@ -1,52 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.InternalIdentity;
public interface AclPolicyPermission extends InternalIdentity {
String getAction();
long getAclPolicyId();
String getEntityType();
AccessType getAccessType();
PermissionScope getScope();
Long getScopeId();
Permission getPermission();
public enum Permission {
Allow(true), Deny(false);
boolean result;
Permission(boolean result) {
this.result = result;
}
public boolean isGranted() {
return result;
}
}
}


@ -6,4 +6,8 @@ public interface AclProxyService {
List<String> listAclGroupsByAccount(long accountId);
void removeAccountFromAclGroups(long accountId);
void addAccountToAclGroup(long accountId, long groupId);
}
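Review bot: `removeAccountFromAclGroups(long accountId)` and `addAccountToAclGroup(long accountId, long groupId)` change ACL group membership from bare ids and take no caller argument, and nothing visible in the interface says where the authorization check for that change is made. The +/- markers are lost in this rendering, so it is an assumption that these two declarations are among the lines the hunk adds; the header only shows the hunk growing from 4 to 8 lines. If they are new, each should carry a Javadoc that states the contract, for example `/** Adds the account to the given ACL group. Access control: <checked here | must be checked by the caller>. */`, with the placeholder filled in from the implementation. The interface starts above the hunk, so any class-level documentation it already has is not visible here.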


@ -1,35 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.api.InternalIdentity;
import com.cloud.domain.PartOf;
public interface AclRole extends PartOf, InternalIdentity, Identity {
String getName();
String getDescription();
// Long getParentRoleId();
public enum RoleType {
Static, Dynamic
}
}


@ -1,34 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.InternalIdentity;
public interface AclRolePermission extends InternalIdentity {
Long getAclRoleId();
String getEntityType();
AccessType getAccessType();
PermissionScope getScope();
boolean isAllowed();
}


@ -1,68 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import java.util.List;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import com.cloud.user.Account;
public interface AclService {
/* ACL group related interfaces */
AclGroup createAclGroup(Account caller, String aclGroupName, String description);
boolean deleteAclGroup(Long aclGroupId);
List<AclGroup> listAclGroups(long accountId);
AclGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
AclGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
/* ACL Policy related interfaces */
AclPolicy createAclPolicy(Account caller, String aclPolicyName, String description, Long parentPolicyId);
boolean deleteAclPolicy(long aclPolicyId);
List<AclPolicy> listAclPolicies(long accountId);
AclGroup attachAclPoliciesToGroup(List<Long> roleIds, Long groupId);
AclGroup removeAclPoliciesFromGroup(List<Long> roleIds, Long groupId);
AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm);
AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);
AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action);
boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
/* Visibility related interfaces */
boolean isGrantedAll(long accountId, String action);
List<Long> getGrantedDomains(long accountId, String action);
List<Long> getGrantedAccounts(long accountId, String action);
List<Long> getGrantedResources(long accountId, String action);
}


@ -1,33 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
//metadata - consists of default dynamic roles in CS + any custom roles added by user
public interface Role {
public static final short ROOT_ADMIN = 0;
public static final short DOMAIN_ADMIN = 1;
public static final short DOMAIN_USER = 2;
public static final short OWNER = 3;
public static final short PARENT_DOMAIN_ADMIN = 4;
public static final short PARENT_DOMAIN_USER = 5;
public static final short CHILD_DOMAIN_ADMIN = 6;
public static final short CHILD_DOMAIN_USER = 7;
public long getId();
public short getRoleType();
}


@ -28,7 +28,6 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclService;
import org.apache.cloudstack.affinity.AffinityGroupService;
import org.apache.cloudstack.network.element.InternalLoadBalancerElementService;
import org.apache.cloudstack.network.lb.ApplicationLoadBalancerService;
@ -147,8 +146,6 @@ public abstract class BaseCmd {
@Inject public ApplicationLoadBalancerService _newLbSvc;
@Inject public ApplicationLoadBalancerService _appLbService;
@Inject public AffinityGroupService _affinityGroupService;
@Inject
public AclService _aclService;
@Inject public InternalLoadBalancerElementService _internalLbElementSvc;
@Inject public InternalLoadBalancerVMService _internalLbSvc;
@Inject public NetworkModel _ntwkModel;


@ -1,75 +0,0 @@
package org.apache.cloudstack.acl;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_api_permission"))
public class AclApiPermissionVO implements AclApiPermission {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "role_id")
private long aclRoleId;
@Column(name = "api")
private String apiName;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclApiPermissionVO() {
}
public AclApiPermissionVO(long roleid, String api) {
aclRoleId = roleid;
apiName = api;
}
@Override
public long getId() {
return id;
}
@Override
public Long getAclRoleId() {
return aclRoleId;
}
@Override
public String getApiName() {
return apiName;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
public void setAclRoleId(long aclRoleId) {
this.aclRoleId = aclRoleId;
}
public void setApiName(String apiName) {
this.apiName = apiName;
}
}


@ -1,81 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.api.InternalIdentity;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_group_account_map"))
public class AclGroupAccountMapVO implements InternalIdentity {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private Long id;
@Column(name = "group_id")
private long aclGroupId;
@Column(name = "account_id")
private long accountId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclGroupAccountMapVO() {
}
public AclGroupAccountMapVO(long aclGroupId, long accountId) {
this.aclGroupId = aclGroupId;
this.accountId = accountId;
}
@Override
public long getId() {
return id;
}
public long getAclGroupId() {
return aclGroupId;
}
public long getAccountId() {
return accountId;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}


@ -1,81 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.api.InternalIdentity;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_group_policy_map"))
public class AclGroupPolicyMapVO implements InternalIdentity {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private Long id;
@Column(name = "group_id")
private long aclGroupId;
@Column(name = "policy_id")
private long aclPolicyId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclGroupPolicyMapVO() {
}
public AclGroupPolicyMapVO(long aclGroupId, long aclPolicyId) {
this.aclGroupId = aclGroupId;
this.aclPolicyId = aclPolicyId;
}
@Override
public long getId() {
return id;
}
public long getAclGroupId() {
return aclGroupId;
}
public long getAclPolicyId() {
return aclPolicyId;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}


@ -1,124 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import java.util.Date;
import java.util.UUID;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_group"))
public class AclGroupVO implements AclGroup {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "uuid")
private String uuid;
@Column(name = "domain_id")
private long domainId;
@Column(name = "account_id")
private long accountId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclGroupVO() {
uuid = UUID.randomUUID().toString();
}
public AclGroupVO(String name, String description) {
this.name = name;
this.description = description;
uuid = UUID.randomUUID().toString();
}
@Override
public long getId() {
return id;
}
@Override
public String getName() {
return name;
}
@Override
public String getDescription() {
return description;
}
@Override
public long getDomainId() {
return domainId;
}
public void setDomainId(long domainId) {
this.domainId = domainId;
}
@Override
public long getAccountId() {
return accountId;
}
public void setAccountId(long accountId) {
this.accountId = accountId;
}
@Override
public String getUuid() {
return uuid;
}
public void setUuid(String uuid) {
this.uuid = uuid;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
@Override
public AclEntityType getEntityType() {
return AclEntityType.AclGroup;
}
}


@ -1,178 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.context.CallContext;
import com.cloud.user.Account;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_policy_permission"))
public class AclPolicyPermissionVO implements AclPolicyPermission {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "policy_id")
private long aclPolicyId;
@Column(name = "action")
private String action;
@Column(name = "resource_type")
private String entityType;
@Column(name = "access_type")
@Enumerated(value = EnumType.STRING)
private AccessType accessType;
@Column(name = "scope")
@Enumerated(value = EnumType.STRING)
private PermissionScope scope;
@Column(name = "scope_id")
private Long scopeId;
@Column(name = "permission")
@Enumerated(value = EnumType.STRING)
private Permission permission;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclPolicyPermissionVO() {
}
public AclPolicyPermissionVO(long aclPolicyId, String action, String entityType, AccessType accessType,
PermissionScope scope,
Long scopeId, Permission permission) {
this.aclPolicyId = aclPolicyId;
this.action = action;
this.entityType = entityType;
this.accessType = accessType;
this.scope = scope;
this.scopeId = scopeId;
this.permission = permission;
}
@Override
public long getId() {
return id;
}
@Override
public long getAclPolicyId() {
return aclPolicyId;
}
public void setAclPolicyId(long aclPolicyId) {
this.aclPolicyId = aclPolicyId;
}
@Override
public String getEntityType() {
return entityType;
}
@Override
public AccessType getAccessType() {
return accessType;
}
public void setEntityType(String entityType) {
this.entityType = entityType;
}
public void setAccessType(AccessType accessType) {
this.accessType = accessType;
}
@Override
public PermissionScope getScope() {
return scope;
}
public void setScope(PermissionScope scope) {
this.scope = scope;
}
@Override
public String getAction() {
return action;
}
@Override
public Long getScopeId() {
// handle special -1 scopeId, current caller domain, account
if ( scopeId < 0 ){
Account caller = CallContext.current().getCallingAccount();
if ( scope == PermissionScope.DOMAIN){
return caller.getDomainId();
} else if (scope == PermissionScope.ACCOUNT) {
return caller.getAccountId();
}
}
return scopeId;
}
@Override
public Permission getPermission() {
return permission;
}
public void setAction(String action) {
this.action = action;
}
public void setScopeId(Long scopeId) {
this.scopeId = scopeId;
}
public void setPermission(Permission permission) {
this.permission = permission;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}


@ -1,141 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import java.util.Date;
import java.util.UUID;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_policy"))
public class AclPolicyVO implements AclPolicy {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "uuid")
private String uuid;
@Column(name = "domain_id")
private long domainId;
@Column(name = "account_id")
private long accountId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
@Column(name = "policy_type")
@Enumerated(value = EnumType.STRING)
private AclPolicy.PolicyType policyType;
public AclPolicyVO() {
uuid = UUID.randomUUID().toString();
}
public AclPolicyVO(String name, String description) {
this.name = name;
this.description = description;
uuid = UUID.randomUUID().toString();
policyType = AclPolicy.PolicyType.Static;
}
@Override
public long getId() {
return id;
}
@Override
public String getName() {
return name;
}
@Override
public String getDescription() {
return description;
}
@Override
public String getUuid() {
return uuid;
}
public void setUuid(String uuid) {
this.uuid = uuid;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
@Override
public long getDomainId() {
return domainId;
}
public void setDomainId(long domainId) {
this.domainId = domainId;
}
@Override
public long getAccountId() {
return accountId;
}
public void setAccountId(long accountId) {
this.accountId = accountId;
}
public AclPolicy.PolicyType getPolicyType() {
return policyType;
}
public void setPolicyType(AclPolicy.PolicyType policyType) {
this.policyType = policyType;
}
@Override
public AclEntityType getEntityType() {
return AclEntityType.AclPolicy;
}
}


@ -1,31 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.List;
import org.apache.cloudstack.acl.AclApiPermissionVO;
import com.cloud.utils.db.GenericDao;
public interface AclApiPermissionDao extends GenericDao<AclApiPermissionVO, Long> {
List<AclApiPermissionVO> listByRoleId(long roleId);
AclApiPermissionVO findByRoleAndApi(long roleId, String api);
}


@ -1,68 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.AclApiPermissionVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class AclApiPermissionDaoImpl extends GenericDaoBase<AclApiPermissionVO, Long> implements AclApiPermissionDao {
private SearchBuilder<AclApiPermissionVO> findByRoleApi;
private SearchBuilder<AclApiPermissionVO> ListByRoleId;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
findByRoleApi = createSearchBuilder();
findByRoleApi.and("roleId", findByRoleApi.entity().getAclRoleId(), SearchCriteria.Op.EQ);
findByRoleApi.and("api", findByRoleApi.entity().getApiName(), SearchCriteria.Op.EQ);
findByRoleApi.done();
ListByRoleId = createSearchBuilder();
ListByRoleId.and("roleId", ListByRoleId.entity().getAclRoleId(), SearchCriteria.Op.EQ);
ListByRoleId.done();
return true;
}
@Override
public AclApiPermissionVO findByRoleAndApi(long roleId, String api) {
SearchCriteria<AclApiPermissionVO> sc = findByRoleApi.create();
sc.setParameters("roleId", roleId);
sc.setParameters("api", api);
return findOneBy(sc);
}
@Override
public List<AclApiPermissionVO> listByRoleId(long roleId) {
SearchCriteria<AclApiPermissionVO> sc = ListByRoleId.create();
sc.setParameters("roleId", roleId);
return listBy(sc);
}
}


@ -1,40 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.List;
import org.apache.cloudstack.acl.AclGroupAccountMapVO;
import com.cloud.utils.db.GenericDao;
public interface AclGroupAccountMapDao extends GenericDao<AclGroupAccountMapVO, Long> {
List<AclGroupAccountMapVO> listByGroupId(long groupId);
List<AclGroupAccountMapVO> listByAccountId(long accountId);
AclGroupAccountMapVO findAccountInAdminGroup(long accountId);
AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
void removeAccountFromGroups(long accountId);
AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
AclGroupAccountMapVO findAccountInUserGroup(long accountId);
}


@ -1,119 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.AclGroupAccountMapVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class AclGroupAccountMapDaoImpl extends GenericDaoBase<AclGroupAccountMapVO, Long> implements AclGroupAccountMapDao {
private SearchBuilder<AclGroupAccountMapVO> ListByGroupId;
private SearchBuilder<AclGroupAccountMapVO> ListByAccountId;
private SearchBuilder<AclGroupAccountMapVO> _findByAccountAndGroupId;
public static final Logger s_logger = Logger.getLogger(AclGroupAccountMapDaoImpl.class.getName());
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
ListByGroupId = createSearchBuilder();
ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
ListByGroupId.done();
ListByAccountId = createSearchBuilder();
ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
ListByAccountId.done();
_findByAccountAndGroupId = createSearchBuilder();
_findByAccountAndGroupId
.and("groupId", _findByAccountAndGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
_findByAccountAndGroupId.and("accountId", _findByAccountAndGroupId.entity().getAccountId(),
SearchCriteria.Op.EQ);
_findByAccountAndGroupId.done();
return true;
}
@Override
public List<AclGroupAccountMapVO> listByGroupId(long groupId) {
SearchCriteria<AclGroupAccountMapVO> sc = ListByGroupId.create();
sc.setParameters("groupId", groupId);
return listBy(sc);
}
@Override
public List<AclGroupAccountMapVO> listByAccountId(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = ListByAccountId.create();
sc.setParameters("accountId", accountId);
return listBy(sc);
}
@Override
public AclGroupAccountMapVO findAccountInAdminGroup(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 2);
return findOneBy(sc);
}
@Override
public AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 3);
return findOneBy(sc);
}
@Override
public AclGroupAccountMapVO findAccountInUserGroup(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 1);
return findOneBy(sc);
}
@Override
public AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", acctId);
sc.setParameters("groupId", groupId);
return findOneBy(sc);
}
@Override
public void removeAccountFromGroups(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = ListByAccountId.create();
sc.setParameters("accountId", accountId);
int rowsRemoved = remove(sc);
if (rowsRemoved > 0) {
s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
}
}
}


@ -1,28 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.AclGroupVO;
import com.cloud.utils.db.GenericDao;
public interface AclGroupDao extends GenericDao<AclGroupVO, Long> {
AclGroup findByName(Long domainId, String groupName);
}


@ -1,59 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.acl.AclGroupVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class AclGroupDaoImpl extends GenericDaoBase<AclGroupVO, Long> implements AclGroupDao {
private SearchBuilder<AclGroupVO> nameSearch;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
nameSearch = createSearchBuilder();
nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
nameSearch.and("domainId", nameSearch.entity().getDomainId(), SearchCriteria.Op.EQ);
nameSearch.done();
return true;
}
@Override
public AclGroup findByName(Long domainId, String name) {
SearchCriteria<AclGroupVO> sc = nameSearch.create();
sc.setParameters("name", name);
if (domainId != null) {
sc.setParameters("domainId", domainId);
}
return findOneBy(sc);
}
}


@ -1,17 +0,0 @@
package org.apache.cloudstack.acl.dao;
import java.util.List;
import org.apache.cloudstack.acl.AclGroupPolicyMapVO;
import com.cloud.utils.db.GenericDao;
public interface AclGroupPolicyMapDao extends GenericDao<AclGroupPolicyMapVO, Long> {
List<AclGroupPolicyMapVO> listByGroupId(long groupId);
List<AclGroupPolicyMapVO> listByPolicyId(long policyId);
AclGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId);
}


@ -1,61 +0,0 @@
package org.apache.cloudstack.acl.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.AclGroupPolicyMapVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
public class AclGroupPolicyMapDaoImpl extends GenericDaoBase<AclGroupPolicyMapVO, Long> implements AclGroupPolicyMapDao {
private SearchBuilder<AclGroupPolicyMapVO> ListByGroupId;
private SearchBuilder<AclGroupPolicyMapVO> ListByPolicyId;
private SearchBuilder<AclGroupPolicyMapVO> findByPolicyGroupId;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
ListByGroupId = createSearchBuilder();
ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
ListByGroupId.done();
ListByPolicyId = createSearchBuilder();
ListByPolicyId.and("policyId", ListByPolicyId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
ListByPolicyId.done();
findByPolicyGroupId = createSearchBuilder();
findByPolicyGroupId.and("policyId", findByPolicyGroupId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
findByPolicyGroupId.and("groupId", findByPolicyGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
findByPolicyGroupId.done();
return true;
}
@Override
public List<AclGroupPolicyMapVO> listByGroupId(long groupId) {
SearchCriteria<AclGroupPolicyMapVO> sc = ListByGroupId.create();
sc.setParameters("groupId", groupId);
return listBy(sc);
}
@Override
public List<AclGroupPolicyMapVO> listByPolicyId(long policyId) {
SearchCriteria<AclGroupPolicyMapVO> sc = ListByPolicyId.create();
sc.setParameters("policyId", policyId);
return listBy(sc);
}
@Override
public AclGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId) {
SearchCriteria<AclGroupPolicyMapVO> sc = findByPolicyGroupId.create();
sc.setParameters("policyId", policyId);
sc.setParameters("groupId", groupId);
return findOneBy(sc);
}
}


@ -1,28 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclPolicyVO;
import com.cloud.utils.db.GenericDao;
public interface AclPolicyDao extends GenericDao<AclPolicyVO, Long> {
AclPolicy findByName(Long domainId, String policyName);
}


@ -1,59 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclPolicyVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class AclPolicyDaoImpl extends GenericDaoBase<AclPolicyVO, Long> implements AclPolicyDao {
private SearchBuilder<AclPolicyVO> nameSearch;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
nameSearch = createSearchBuilder();
nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
nameSearch.and("domainId", nameSearch.entity().getDomainId(), SearchCriteria.Op.EQ);
nameSearch.done();
return true;
}
@Override
public AclPolicy findByName(Long domainId, String name) {
SearchCriteria<AclPolicyVO> sc = nameSearch.create();
sc.setParameters("name", name);
if (domainId != null) {
sc.setParameters("domainId", domainId);
}
return findOneBy(sc);
}
}


@ -1,41 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.List;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.utils.db.GenericDao;
public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO, Long> {
List<AclPolicyPermissionVO> listByPolicy(long policyId);
AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm);
List<AclPolicyPermissionVO> listGrantedByActionAndScope(long policyId, String action, PermissionScope scope);
List<AclPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType);
List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, AccessType accessType, String entityType);
}


@ -1,116 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissionVO, Long> implements
AclPolicyPermissionDao {
private SearchBuilder<AclPolicyPermissionVO> policyIdSearch;
private SearchBuilder<AclPolicyPermissionVO> fullSearch;
private SearchBuilder<AclPolicyPermissionVO> actionScopeSearch;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
policyIdSearch = createSearchBuilder();
policyIdSearch.and("policyId", policyIdSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
policyIdSearch.done();
fullSearch = createSearchBuilder();
fullSearch.and("policyId", fullSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
fullSearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ);
fullSearch.and("scope", fullSearch.entity().getScope(), SearchCriteria.Op.EQ);
fullSearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ);
fullSearch.and("action", fullSearch.entity().getAction(), SearchCriteria.Op.EQ);
fullSearch.and("permission", fullSearch.entity().getPermission(), SearchCriteria.Op.EQ);
fullSearch.and("accessType", fullSearch.entity().getAccessType(), SearchCriteria.Op.EQ);
fullSearch.done();
actionScopeSearch = createSearchBuilder();
actionScopeSearch.and("policyId", actionScopeSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
actionScopeSearch.and("scope", actionScopeSearch.entity().getScope(), SearchCriteria.Op.EQ);
actionScopeSearch.and("action", actionScopeSearch.entity().getAction(), SearchCriteria.Op.EQ);
actionScopeSearch.and("permission", actionScopeSearch.entity().getPermission(), SearchCriteria.Op.EQ);
actionScopeSearch.done();
return true;
}
@Override
public List<AclPolicyPermissionVO> listByPolicy(long policyId) {
SearchCriteria<AclPolicyPermissionVO> sc = policyIdSearch.create();
sc.setParameters("policyId", policyId);
return listBy(sc);
}
@Override
public AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) {
SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("scope", scope);
sc.setParameters("scopeId", scopeId);
sc.setParameters("action", action);
sc.setParameters("permission", perm);
return findOneBy(sc);
}
@Override
public List<AclPolicyPermissionVO> listGrantedByActionAndScope(long policyId, String action, PermissionScope scope) {
SearchCriteria<AclPolicyPermissionVO> sc = actionScopeSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("action", action);
sc.setParameters("scope", scope);
sc.setParameters("permission", Permission.Allow);
return listBy(sc);
}
@Override
public List<AclPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType) {
SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("action", action);
return listBy(sc);
}
@Override
public List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, AccessType accessType,
String entityType) {
SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("accessType", accessType);
return listBy(sc);
}
}


@ -83,13 +83,6 @@ import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.APIChecker;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
@ -149,14 +142,12 @@ import com.cloud.user.UserAccount;
import com.cloud.user.UserVO;
import com.cloud.utils.NumbersUtil;
import com.cloud.utils.Pair;
import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.StringUtils;
import com.cloud.utils.component.ComponentContext;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.component.PluggableService;
import com.cloud.utils.concurrency.NamedThreadFactory;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.TransactionLegacy;
import com.cloud.utils.exception.CloudRuntimeException;
@ -181,8 +172,6 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
List<PluggableService> _pluggableServices;
List<APIChecker> _apiAccessCheckers;
@Inject
private AclPolicyPermissionDao _aclPermissionDao;
@Inject
protected ApiAsyncJobDispatcher _asyncDispatcher;


@ -1,214 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.query.vo;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_group_view"))
public class AclGroupJoinVO extends BaseViewVO implements ControlledViewEntity {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "uuid")
private String uuid;
@Column(name = "domain_id")
private long domainId;
@Column(name = "domain_uuid")
private String domainUuid;
@Column(name = "domain_name")
private String domainName;
@Column(name = "domain_path")
private String domainPath;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
@Column(name = "policy_id")
private long policyId;
@Column(name = "policy_uuid")
private String policyUuid;
@Column(name = "policy_name")
private String policyName;
@Column(name = "account_id")
private long accountId;
@Column(name = "account_uuid")
private String accountUuid;
@Column(name = "account_name")
private String accountName;
@Column(name = "account_type")
private short accountType;
@Column(name = "member_account_id")
private long memberAccountId;
@Column(name = "member_account_uuid")
private String memberAccountUuid;
@Column(name = "member_account_name")
private String memberAccountName;
public AclGroupJoinVO() {
}
@Override
public long getId() {
return id;
}
public String getName() {
return name;
}
public String getDescription() {
return description;
}
@Override
public String getUuid() {
return uuid;
}
@Override
public long getDomainId() {
return domainId;
}
@Override
public String getDomainUuid() {
return domainUuid;
}
@Override
public String getDomainName() {
return domainName;
}
@Override
public String getDomainPath() {
return domainPath;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
public long getPolicyId() {
return policyId;
}
public String getPolicyUuid() {
return policyUuid;
}
public String getPolicyName() {
return policyName;
}
@Override
public long getAccountId() {
return accountId;
}
@Override
public String getAccountUuid() {
return accountUuid;
}
@Override
public String getAccountName() {
return accountName;
}
@Override
public short getAccountType() {
return accountType;
}
@Override
public String getProjectUuid() {
// TODO Auto-generated method stub
return null;
}
@Override
public String getProjectName() {
// TODO Auto-generated method stub
return null;
}
public long getMemberAccountId() {
return memberAccountId;
}
public String getMemberAccountUuid() {
return memberAccountUuid;
}
public String getMemberAccountName() {
return memberAccountName;
}
@Override
public AclEntityType getEntityType() {
return AclEntityType.AclGroup;
}
}


@ -1,218 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.query.vo;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.AclPolicyPermission;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_policy_view"))
public class AclPolicyJoinVO extends BaseViewVO implements ControlledViewEntity {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "uuid")
private String uuid;
@Column(name = "domain_id")
private long domainId;
@Column(name = "domain_uuid")
private String domainUuid;
@Column(name = "domain_name")
private String domainName;
@Column(name = "domain_path")
private String domainPath;
@Column(name = "account_id")
private long accountId;
@Column(name = "account_uuid")
private String accountUuid;
@Column(name = "account_name")
private String accountName;
@Column(name = "account_type")
private short accountType;
@Column(name = "permission_action")
private String permissionAction;
@Column(name = "permission_entity_type")
@Enumerated(value = EnumType.STRING)
private AclEntityType permissionEntityType;
@Column(name = "permission_scope_id")
private Long permissionScopeId;
@Column(name = "permission_scope_type")
@Enumerated(value = EnumType.STRING)
private PermissionScope permissionScope;
@Column(name = "permission_access_type")
@Enumerated(value = EnumType.STRING)
private AccessType permissionAccessType;
@Column(name = "permission_allow_deny")
@Enumerated(value = EnumType.STRING)
private AclPolicyPermission.Permission permissionAllowDeny;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclPolicyJoinVO() {
}
@Override
public long getId() {
return id;
}
public String getName() {
return name;
}
public String getDescription() {
return description;
}
@Override
public String getUuid() {
return uuid;
}
@Override
public long getDomainId() {
return domainId;
}
@Override
public String getDomainUuid() {
return domainUuid;
}
@Override
public String getDomainName() {
return domainName;
}
@Override
public String getDomainPath() {
return domainPath;
}
@Override
public long getAccountId() {
return accountId;
}
@Override
public String getAccountUuid() {
return accountUuid;
}
@Override
public String getAccountName() {
return accountName;
}
@Override
public short getAccountType() {
return accountType;
}
@Override
public String getProjectUuid() {
// TODO Auto-generated method stub
return null;
}
@Override
public String getProjectName() {
// TODO Auto-generated method stub
return null;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
public String getPermissionAction() {
return permissionAction;
}
public AclEntityType getPermissionEntityType() {
return permissionEntityType;
}
public Long getPermissionScopeId() {
return permissionScopeId;
}
public PermissionScope getPermissionScope() {
return permissionScope;
}
public AccessType getPermissionAccessType() {
return permissionAccessType;
}
public AclPolicyPermission.Permission getPermissionAllowDeny() {
return permissionAllowDeny;
}
@Override
public AclEntityType getEntityType() {
return AclEntityType.AclPolicy;
}
}


@ -1,117 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.query.vo;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_role_view"))
public class AclRoleJoinVO extends BaseViewVO {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "uuid")
private String uuid;
@Column(name = "domain_id")
private long domainId;
@Column(name = "domain_uuid")
private String domainUuid;
@Column(name = "domain_name")
private String domainName;
@Column(name = "domain_path")
private String domainPath;
@Column(name = "api_name")
private String apiName;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclRoleJoinVO() {
}
@Override
public long getId() {
return id;
}
public String getName() {
return name;
}
public String getDescription() {
return description;
}
public String getUuid() {
return uuid;
}
public long getDomainId() {
return domainId;
}
public String getDomainUuid() {
return domainUuid;
}
public String getDomainName() {
return domainName;
}
public String getDomainPath() {
return domainPath;
}
public String getApiName() {
return apiName;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}


@ -40,18 +40,12 @@ import javax.naming.ConfigurationException;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.AclGroupAccountMapVO;
import org.apache.cloudstack.acl.AclPolicyPermission;
import org.apache.cloudstack.acl.AclService;
import org.apache.cloudstack.acl.AclProxyService;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.QuerySelector;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
@ -258,16 +252,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
private GlobalLoadBalancerRuleDao _gslbRuleDao;
@Inject
private AclGroupAccountMapDao _aclGroupAccountDao;
@Inject
private AclService _aclService;
private AclProxyService _aclProxy;
@Inject
QuerySelector _aclQuerySelector; // we assume that there should be one type of QuerySelector adapter
@Inject
private AclPolicyPermissionDao _aclPolicyPermissionDao;
@Inject
public com.cloud.region.ha.GlobalLoadBalancingRulesService _gslbService;
@ -370,9 +359,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
public boolean isRootAdmin(long accountId) {
// refer to account_group_map and check if account is in Root 'Admin' group
AclGroupAccountMapVO rootAdminGroupMember = _aclGroupAccountDao.findAccountInAdminGroup(accountId);
if (rootAdminGroupMember != null) {
AccountVO acct = _accountDao.findById(accountId);
if (acct != null && acct.getType() == Account.ACCOUNT_TYPE_ADMIN) {
return true;
}
return false;
@ -380,9 +368,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
public boolean isDomainAdmin(long accountId) {
// refer to account_group_map and check if account is in Domain 'Admin' group
AclGroupAccountMapVO domainAdminGroupMember = _aclGroupAccountDao.findAccountInDomainAdminGroup(accountId);
if (domainAdminGroupMember != null) {
AccountVO acct = _accountDao.findById(accountId);
if (acct != null && acct.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
return true;
}
return false;
@ -390,9 +377,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
public boolean isNormalUser(long accountId) {
// refer to account_group_map and check if account is in 'User' group
AclGroupAccountMapVO user = _aclGroupAccountDao.findAccountInUserGroup(accountId);
if (user != null) {
AccountVO acct = _accountDao.findById(accountId);
if (acct != null && acct.getType() == Account.ACCOUNT_TYPE_NORMAL) {
return true;
}
return false;
@ -638,7 +624,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
_projectAccountDao.removeAccountFromProjects(accountId);
//delete the account from group
_aclGroupAccountDao.removeAccountFromGroups(accountId);
_aclProxy.removeAccountFromAclGroups(accountId);
// delete all vm groups belonging to accont
List<InstanceGroupVO> groups = _vmGroupDao.listByAccountId(accountId);
@ -991,8 +977,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// create correct account and group association based on accountType
if (accountType != Account.ACCOUNT_TYPE_PROJECT) {
AclGroupAccountMapVO grpAcct = new AclGroupAccountMapVO(accountType + 1, accountId);
_aclGroupAccountDao.persist(grpAcct);
_aclProxy.addAccountToAclGroup(accountId, accountType + 1);
}
return new Pair<Long, Account>(user.getId(), account);
@ -2343,11 +2328,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
checkAccess(caller, domain);
}
if (id != null) {
// look for an individual entity, no other permission criteria are needed
return;
}
if (accountName != null) {
if (projectId != null) {
throw new InvalidParameterValueException("Account and projectId can't be specified together");
@ -2365,7 +2345,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (userAccount != null) {
checkAccess(caller, null, false, userAccount);
//check permissions
// check permissions
permittedAccounts.add(userAccount.getId());
} else {
throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
@ -2376,7 +2356,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (projectId != null) {
if (!forProjectInvitation) {
if (projectId.longValue() == -1) {
if (isNormalUser(caller.getId())) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
} else {
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
@ -2393,27 +2373,33 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
}
} else {
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
// get caller role permission on VM List
//TODO: this method needs to pass the entity type instead of current hard-code to VM for now. Also, api action name
// should be passed in caller context.
AclPolicyPermission policyPerm = _aclService.getAclPolicyPermission(caller.getId(),
AclEntityType.VirtualMachine.toString(), "listVirtualMachine");
if (policyPerm == null) {
// no list entry permission
throw new PermissionDeniedException("Caller has no policy permission assigned to list VM");
if (id == null) {
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
}
if (permittedAccounts.isEmpty()) {
// no account name is specified
if (policyPerm.getScope() == PermissionScope.ACCOUNT || !listAll) {
// only resource owner can see it, only match account
if (permittedAccounts.isEmpty() && domainId == null) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
permittedAccounts.add(caller.getId());
} else if (!listAll) {
if (id == null) {
permittedAccounts.add(caller.getId());
} else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
domainIdRecursiveListProject.first(caller.getDomainId());
domainIdRecursiveListProject.second(true);
}
} else if (domainId == null) {
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
domainIdRecursiveListProject.first(caller.getDomainId());
domainIdRecursiveListProject.second(true);
}
}
} else if (domainId != null) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
permittedAccounts.add(caller.getId());
} else if (policyPerm.getScope() == PermissionScope.DOMAIN) {
// match domain tree based on cmd.isRecursive flag or not
domainIdRecursiveListProject.first(caller.getDomainId());
}
}
}
}
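Review bot: In the last hunk the `listAll` branch scopes the query to the caller's domain only when `caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN`, so any caller that is neither a normal user nor a domain admin leaves this branch with no account or domain restriction, not just the root admin. The `!listAll` branch just above it uses the deny-by-default form `caller.getType() != Account.ACCOUNT_TYPE_ADMIN`, and the same test here would make the unrestricted case an explicit allowance for root admin instead of a fall-through: `} else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {` in place of `} else if (domainId == null) {` and its nested `if`. The `domainId == null` test is redundant in any case, because the enclosing `if` already requires it. The method begins outside the hunk, so whether a later check narrows the scope cannot be seen from here.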


@ -1,750 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclGroupDao;
import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao;
import org.apache.cloudstack.acl.dao.AclPolicyDao;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.context.CallContext;
import com.cloud.api.ApiServerService;
import com.cloud.domain.Domain;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.storage.Snapshot;
import com.cloud.storage.Volume;
import com.cloud.template.VirtualMachineTemplate;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.dao.AccountDao;
import com.cloud.uservm.UserVm;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.GenericSearchBuilder;
import com.cloud.utils.db.JoinBuilder.JoinType;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.TransactionCallbackNoReturn;
import com.cloud.utils.db.TransactionStatus;
@Local(value = {AclService.class})
public class AclServiceImpl extends ManagerBase implements AclService, Manager {
public static final Logger s_logger = Logger.getLogger(AclServiceImpl.class);
private String _name;
@Inject
AccountManager _accountMgr;
@Inject
AccountDao _accountDao;
@Inject
AclPolicyDao _aclPolicyDao;
@Inject
AclGroupDao _aclGroupDao;
@Inject
EntityManager _entityMgr;
@Inject
AclGroupPolicyMapDao _aclGroupPolicyMapDao;
@Inject
AclGroupAccountMapDao _aclGroupAccountMapDao;
// @Inject
// AclApiPermissionDao _apiPermissionDao;
@Inject
AclPolicyPermissionDao _policyPermissionDao;
@Inject
ApiServerService _apiServer;
public static HashMap<String, Class> entityClassMap = new HashMap<String, Class>();
static {
entityClassMap.put("VirtualMachine", UserVm.class);
entityClassMap.put("Volume", Volume.class);
entityClassMap.put("Template", VirtualMachineTemplate.class);
entityClassMap.put("Snapshot", Snapshot.class);
// To be filled in later depending on the entity permission grant scope
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true)
public AclGroup createAclGroup(Account caller, String aclGroupName, String description) {
Long domainId = caller.getDomainId();
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
// domain admin can only create role for his domain
if (caller.getDomainId() != domainId.longValue()) {
throw new PermissionDeniedException("Can't create acl group in domain " + domainId + ", permission denied");
}
}
// check if the role is already existing
AclGroup grp = _aclGroupDao.findByName(domainId, aclGroupName);
if (grp != null) {
throw new InvalidParameterValueException(
"Unable to create acl group with name " + aclGroupName
+ " already exisits for domain " + domainId);
}
AclGroupVO rvo = new AclGroupVO(aclGroupName, description);
rvo.setAccountId(caller.getAccountId());
rvo.setDomainId(domainId);
return _aclGroupDao.persist(rvo);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group")
public boolean deleteAclGroup(final Long aclGroupId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
final AclGroup grp = _aclGroupDao.findById(aclGroupId);
if (grp == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId
+ "; failed to delete acl group.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, grp);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this group related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this group related entry in acl_group_account table
List<AclGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
if (groupAcctMap != null) {
for (AclGroupAccountMapVO grpAcct : groupAcctMap) {
_aclGroupAccountMapDao.remove(grpAcct.getId());
}
}
// remove this group from acl_group table
_aclGroupDao.remove(aclGroupId);
}
});
return true;
}
@Override
public List<AclGroup> listAclGroups(long accountId) {
GenericSearchBuilder<AclGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
groupSB.selectFields(groupSB.entity().getAclGroupId());
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
SearchCriteria<Long> groupSc = groupSB.create();
List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
SearchBuilder<AclGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclGroupVO> sc = sb.create();
sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
List<AclGroupVO> groups = _aclGroupDao.search(sc, null);
return new ArrayList<AclGroup>(groups);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding accounts to acl group")
public AclGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add accounts to acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_account_map table
for (Long acctId : acctIds) {
// check account permissions
Account account = _accountDao.findById(acctId);
if (account == null) {
throw new InvalidParameterValueException("Unable to find account: " + acctId
+ "; failed to add account to acl group.");
}
_accountMgr.checkAccess(caller, null, true, account);
AclGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap == null) {
// not there already
grMap = new AclGroupAccountMapVO(groupId, acctId);
_aclGroupAccountMapDao.persist(grMap);
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing accounts from acl group")
public AclGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove accounts from acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_group_account_map table
for (Long acctId : acctIds) {
// check account permissions
Account account = _accountDao.findById(acctId);
if (account == null) {
throw new InvalidParameterValueException("Unable to find account: " + acctId
+ "; failed to add account to acl group.");
}
_accountMgr.checkAccess(caller, null, true, account);
AclGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap != null) {
// not removed yet
_aclGroupAccountMapDao.remove(grMap.getId());
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_CREATE, eventDescription = "Creating Acl Policy", create = true)
public AclPolicy createAclPolicy(Account caller, final String aclPolicyName, final String description, final Long parentPolicyId) {
Long domainId = caller.getDomainId();
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
// domain admin can only create role for his domain
if (caller.getDomainId() != domainId.longValue()) {
throw new PermissionDeniedException("Can't create acl role in domain " + domainId + ", permission denied");
}
}
// check if the role is already existing
AclPolicy ro = _aclPolicyDao.findByName(domainId, aclPolicyName);
if (ro != null) {
throw new InvalidParameterValueException(
"Unable to create acl policy with name " + aclPolicyName
+ " already exisits for domain " + domainId);
}
final long account_id = caller.getAccountId();
final long domain_id = domainId;
AclPolicy role = Transaction.execute(new TransactionCallback<AclPolicy>() {
@Override
public AclPolicy doInTransaction(TransactionStatus status) {
AclPolicyVO rvo = new AclPolicyVO(aclPolicyName, description);
rvo.setAccountId(account_id);
rvo.setDomainId(domain_id);
AclPolicy role = _aclPolicyDao.persist(rvo);
if (parentPolicyId != null) {
// copy parent role permissions
List<AclPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
if (perms != null) {
for (AclPolicyPermissionVO perm : perms) {
perm.setAclPolicyId(role.getId());
_policyPermissionDao.persist(perm);
}
}
}
return role;
}
});
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_DELETE, eventDescription = "Deleting Acl Policy")
public boolean deleteAclPolicy(final long aclPolicyId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
final AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to delete acl policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this role related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this policy related entry in acl_policy_permission table
List<AclPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
if (policyPermMap != null) {
for (AclPolicyPermissionVO policyPerm : policyPermMap) {
_policyPermissionDao.remove(policyPerm.getId());
}
}
// remove this role from acl_role table
_aclPolicyDao.remove(aclPolicyId);
}
});
return true;
}
@Override
public List<AclPolicy> listAclPolicies(long accountId) {
// static policies of the account
SearchBuilder<AclGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
GenericSearchBuilder<AclGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
policySB.selectFields(policySB.entity().getAclPolicyId());
policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
JoinType.INNER);
policySB.done();
SearchCriteria<Long> policySc = policySB.create();
policySc.setJoinParameters("accountgroupjoin", "account", accountId);
List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
SearchBuilder<AclPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
List<AclPolicyVO> policies = _aclPolicyDao.customSearch(sc, null);
return new ArrayList<AclPolicy>(policies);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Attaching policy to acl group")
public AclGroup attachAclPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add roles to acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long policyId : policyIds) {
// check policy permissions
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
_accountMgr.checkAccess(caller, null, true, policy);
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap == null) {
// not there already
grMap = new AclGroupPolicyMapVO(groupId, policyId);
_aclGroupPolicyMapDao.persist(grMap);
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing policies from acl group")
public AclGroup removeAclPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove roles from acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_role_map table
for (Long policyId : policyIds) {
// check policy permissions
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
_accountMgr.checkAccess(caller, null, true, policy);
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap != null) {
// not removed yet
_aclGroupPolicyMapDao.remove(grMap.getId());
}
}
}
});
return group;
}
/*
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting permission to Acl Role")
public AclP addAclPermissionToAclPolicy(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclPolicyDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to grant permission to role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm == null) {
// not there already
perm = new AclApiPermissionVO(aclRoleId, api);
_apiPermissionDao.persist(perm);
}
}
}
});
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking permission from Acl Role")
public AclRole revokeApiPermissionFromAclRole(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclPolicyDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to revoke permission from role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm != null) {
// not removed yet
_apiPermissionDao.remove(perm.getId());
}
}
}
});
return role;
}
*/
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting acl permission to Acl Policy")
public AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to add permission to policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission granting is not supported yet");
}
if (scope == PermissionScope.RESOURCE && scopeId != null) {
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId);
}
_accountMgr.checkAccess(caller, null, true, entity);
}
// add entry in acl_policy_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, perm);
if (permit == null) {
// not there already
Class<?> cmdClass = _apiServer.getCmdClass(action);
AccessType accessType = null;
if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
accessType = AccessType.ListEntry;
}
permit = new AclPolicyPermissionVO(aclPolicyId, action, entityType, accessType,
scope, scopeId, perm);
_policyPermissionDao.persist(permit);
}
return policy;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking acl permission from Acl Policy")
public AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to revoke permission from policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission revoke is not supported yet");
}
if (scope == PermissionScope.RESOURCE && scopeId != null) {
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId);
}
_accountMgr.checkAccess(caller, null, true, entity);
}
// remove entry from acl_entity_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, null);
if (permit != null) {
// not removed yet
_policyPermissionDao.remove(permit.getId());
}
return policy;
}
@Override
public AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action) {
List<AclPolicy> roles = listAclPolicies(accountId);
AclPolicyPermission curPerm = null;
for (AclPolicy role : roles) {
AclPolicyPermissionVO perm = _policyPermissionDao.findByPolicyAndEntity(role.getId(), entityType, null, null, action, Permission.Allow);
if (perm == null)
continue;
if (curPerm == null) {
curPerm = perm;
} else if (perm.getScope().greaterThan(curPerm.getScope())) {
// pick the more relaxed allowed permission
curPerm = perm;
}
}
return curPerm;
}
@Override
public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
boolean accessible = false;
List<Long> policyIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
policyIds.add(policy.getId());
}
SearchBuilder<AclPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("action", sb.entity().getAction(), Op.EQ);
sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
SearchCriteria<AclPolicyPermissionVO> sc = sb.create();
sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
List<AclPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
if (permissions != null && !permissions.isEmpty()) {
accessible = true;
}
return accessible;
}
@Override
public List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(caller.getId());
// add any dynamic policies w.r.t the entity
if (caller.getId() == entity.getAccountId()) {
// The caller owns the entity
AclPolicy owner = _aclPolicyDao.findByName(Domain.ROOT_DOMAIN, "RESOURCE_OWNER");
policies.add(owner);
}
return policies;
}
@Override
public List<Long> getGrantedDomains(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Domain scope
List<Long> domainIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.DOMAIN);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
domainIds.add(p.getScopeId());
}
}
}
}
return domainIds;
}
@Override
public List<Long> getGrantedAccounts(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Account scope
List<Long> accountIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ACCOUNT);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
accountIds.add(p.getScopeId());
}
}
}
}
return accountIds;
}
@Override
public List<Long> getGrantedResources(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Resource scope
List<Long> entityIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.RESOURCE);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
entityIds.add(p.getScopeId());
}
}
}
}
return entityIds;
}
@Override
public boolean isGrantedAll(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Domain scope
List<Long> domainIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ALL);
if (pp != null && pp.size() > 0) {
return true;
}
}
return false;
}
}


@ -129,6 +129,25 @@ public class AclApiServiceImpl extends ManagerBase implements AclApiService, Man
return _iamSrv.addAccountsToGroup(acctIds, groupId);
}
@Override
public void removeAccountFromAclGroups(long accountId) {
List<AclGroup> groups = listAclGroups(accountId);
List<Long> accts = new ArrayList<Long>();
accts.add(accountId);
if (groups != null) {
for (AclGroup grp : groups) {
removeAccountsFromGroup(accts, grp.getId());
}
}
}
@Override
public void addAccountToAclGroup(long accountId, long groupId) {
List<Long> accts = new ArrayList<Long>();
accts.add(accountId);
addAccountsToGroup(accts, groupId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing accounts from acl group")
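Review bot: `removeAccountFromAclGroups` removes the memberships one group at a time through `removeAccountsFromGroup`, so an exception on any group leaves the account attached to the remaining groups while the account cleanup that calls it has already started. The `AclServiceImpl.removeAccountsFromGroup` deleted by this commit ran `checkAccess` for the calling account on both the group and each account; if the version in this class does the same (its body is outside the hunk), a cleanup started by a caller without access to one of the groups would stop part-way and leave stale memberships. Consider running the loop in one transaction or delegating to a single IAM-service call that removes all memberships for the account. Both new methods would also benefit from a short Javadoc, e.g. `/** Removes accountId from every ACL group it belongs to; used during account cleanup. */`.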


@ -21,11 +21,11 @@ import java.util.Set;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import org.apache.cloudstack.api.EntityReference;
import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
import org.apache.cloudstack.iam.api.AclGroup;
import com.cloud.serializer.Param;


@ -21,11 +21,11 @@ import java.util.Set;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import org.apache.cloudstack.api.EntityReference;
import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
import org.apache.cloudstack.iam.api.AclPolicy;
import com.cloud.serializer.Param;