apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-12-16 10:32:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove 'iam' projects (#2817)

Browse Source 
* Remove 'iam' projects

* Drop corresponding tables
This commit is contained in:
Khosrow Moossavi 2018-09-11 12:06:20 -04:00 committed by Rafael Weingärtner
parent fbf488497f
commit 56f918583d
64 changed files with 9 additions and 7709 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
api/src/main/java/com/cloud/event/EventTypes.java
View File

@ -531,19 +531,6 @@ public class EventTypes {
public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE";
// IAM events
public static final String EVENT_IAM_POLICY_CREATE = "IAMPOLICY.CREATE";
public static final String EVENT_IAM_POLICY_DELETE = "IAMPOLICY.DELETE";
public static final String EVENT_IAM_POLICY_GRANT = "IAMPOLICY.GRANT";
public static final String EVENT_IAM_POLICY_REVOKE = "IAMPOLICY.REVOKE";
public static final String EVENT_IAM_GROUP_UPDATE = "IAMGROUP.UPDATE";
public static final String EVENT_IAM_GROUP_CREATE = "IAMGROUP.CREATE";
public static final String EVENT_IAM_GROUP_DELETE = "IAMGROUP.DELETE";
public static final String EVENT_IAM_GROUP_GRANT = "IAMGROUP.GRANT";
public static final String EVENT_IAM_GROUP_REVOKE = "IAMGROUP.REVOKE";
public static final String EVENT_IAM_ACCOUNT_POLICY_UPDATE = "IAMACCOUNTPOLICY.UPDATE";
// Object store migration
public static final String EVENT_MIGRATE_PREPARE_SECONDARY_STORAGE = "MIGRATE.PREPARE.SS";

2
api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java
View File

@ -50,8 +50,6 @@ public enum ApiCommandJobType {
AffinityGroup,
InternalLbVm,
DedicatedGuestVlanRange,
IAMPolicy,
IAMGroup,
GuestOs,
GuestOsMapping,
Network

14
api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
View File

@ -652,19 +652,7 @@ public class ApiConstants {
public static final String MAX_CONNECTIONS = "maxconnections";
public static final String SERVICE_STATE = "servicestate";
public static final String IAM_ACCOUNT_IDS = "accountids";
public static final String IAM_MEMBER_ACCOUNTS = "memberaccounts";
public static final String IAM_PARENT_POLICY_ID = "parentpolicyid";
public static final String IAM_PARENT_POLICY_NAME = "parentpolicyname";
public static final String IAM_POLICY_IDS = "policyids";
public static final String IAM_POLICIES = "policies";
public static final String IAM_APIS = "apis";
public static final String IAM_GROUPS = "groups";
public static final String IAM_PERMISSIONS = "permission";
public static final String IAM_ACTION = "action";
public static final String IAM_SCOPE = "scope";
public static final String IAM_SCOPE_ID = "scopeid";
public static final String IAM_ALLOW_DENY = "permission";
public static final String ENTITY_TYPE = "entitytype";
public static final String ENTITY_ID = "entityid";
public static final String EXTERNAL_ID = "externalid";
@ -737,4 +725,4 @@ public class ApiConstants {
public enum DomainDetails {
all, resource, min;
}
}
}

9
engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql
View File

@ -17,4 +17,11 @@
--;
-- Schema upgrade cleanup from 4.11.1.0 to 4.12.0.0
--;
--;
DROP TABLE IF EXISTS `cloud`.`iam_account_policy_map`;
DROP TABLE IF EXISTS `cloud`.`iam_group_account_map`;
DROP TABLE IF EXISTS `cloud`.`iam_group_policy_map`;
DROP TABLE IF EXISTS `cloud`.`iam_group`;
DROP TABLE IF EXISTS `cloud`.`iam_policy_permission`;
DROP TABLE IF EXISTS `cloud`.`iam_policy`;

2
server/src/main/java/com/cloud/template/TemplateManagerImpl.java
View File

@ -1546,7 +1546,6 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class);
permit.put(ApiConstants.ENTITY_ID, id);
permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry);
permit.put(ApiConstants.IAM_ACTION, "listTemplates");
permit.put(ApiConstants.ACCOUNTS, accountIds);
_messageBus.publish(_name, EntityManager.MESSAGE_GRANT_ENTITY_EVENT, PublishScope.LOCAL, permit);
} else if ("remove".equalsIgnoreCase(operation)) {
@ -1563,7 +1562,6 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class);
permit.put(ApiConstants.ENTITY_ID, id);
permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry);
permit.put(ApiConstants.IAM_ACTION, "listTemplates");
permit.put(ApiConstants.ACCOUNTS, accountIds);
_messageBus.publish(_name, EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, PublishScope.LOCAL, permit);
} else if ("reset".equalsIgnoreCase(operation)) {

59
services/iam/plugin/pom.xml
View File

@ -1,59 +0,0 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>cloud-plugin-iam</artifactId>
<name>Apache CloudStack IAM - Plugin</name>
<parent>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloudstack-service-iam</artifactId>
<version>4.12.0.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<dependencies>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-api</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-engine-schema</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-server</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-iam</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-api</artifactId>
<version>${project.version}</version>
<type>test-jar</type>
<scope>test</scope>
</dependency>
</dependencies>
</project>

127
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java
View File

@ -1,127 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.IAMGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "addAccountToIAMGroup", description = "add account to an iam group", responseObject = IAMGroupResponse.class)
public class AddAccountToIAMGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddAccountToIAMGroupCmd.class.getName());
private static final String s_name = "addaccounttoiamgroupresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
required = true, description = "The ID of the iam group")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the iam group.")
private List<Long> accountIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getAccountIdList() {
return accountIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("IAM group Id: " + getId());
IAMGroup result = _iamApiSrv.addAccountsToGroup(accountIdList, id);
if (result != null){
IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add accounts to iam group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "adding accounts to iam group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMGroup;
}
}

159
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
View File

@ -1,159 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "addIAMPermissionToIAMPolicy", description = "Add IAM permission to an iam policy", responseObject = IAMPolicyResponse.class)
public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddIAMPermissionToIAMPolicyCmd.class.getName());
private static final String s_name = "addiampermissiontoiampolicyresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
required = true, description = "The ID of the iam policy")
private Long id;
@Parameter(name = ApiConstants.IAM_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
private String action;
@Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
private String entityType;
@Parameter(name = ApiConstants.IAM_SCOPE, type = CommandType.STRING,
required = false, description = "iam permission scope")
private String scope;
@Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The UUID of the permission scope id")
private String scopeId;
@Parameter(name = ApiConstants.READ_ONLY, type = CommandType.BOOLEAN, required = false, description = "Read Only access is added; Only applicable when action = List/Read api name")
private Boolean readOnly;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public String getAction() {
return action;
}
public String getEntityType() {
return entityType;
}
public String getScope() {
return scope;
}
public Long getScopeId() {
// here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID.
return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
}
public Boolean isReadOnly() {
return (readOnly != null) ? readOnly : false;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("IAM policy Id: " + getId());
// Only explicit ALLOW is supported for this release, no explicit deny
IAMPolicy result = _iamApiSrv.addIAMPermissionToIAMPolicy(id, entityType, PermissionScope.valueOf(scope),
getScopeId(), action, Permission.Allow, false, isReadOnly());
if (result != null) {
IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to iam policy "
+ getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_POLICY_GRANT;
}
@Override
public String getEventDescription() {
return "granting permission to iam policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMPolicy;
}
}

122
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java
View File

@ -1,122 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "attachIAMPolicyToAccount", description = "attach iam policy to accounts", responseObject = SuccessResponse.class)
public class AttachIAMPolicyToAccountCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AttachIAMPolicyToAccountCmd.class.getName());
private static final String s_name = "attachiampolicytoaccountresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
required = true, description = "The ID of the iam policy")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that the policy will attach to.")
private List<Long> accountIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getAccountIdList() {
return accountIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("IAM policy Id: " + getId());
_iamApiSrv.attachIAMPolicyToAccounts(id, accountIdList);
SuccessResponse response = new SuccessResponse();
response.setResponseName(getCommandName());
setResponseObject(response);
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE;
}
@Override
public String getEventDescription() {
return "adding IAM policy to accounts";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.Account;
}
}

127
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java
View File

@ -1,127 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.IAMGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "attachIAMPolicyToIAMGroup", description = "attach iam policy to an iam group", responseObject = IAMGroupResponse.class)
public class AttachIAMPolicyToIAMGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AttachIAMPolicyToIAMGroupCmd.class.getName());
private static final String s_name = "attachiampolicytoiamgroupresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
required = true, description = "The ID of the iam group")
private Long id;
@ACL
@Parameter(name = ApiConstants.IAM_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = IAMPolicyResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.")
private List<Long> policyIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getPolicyIdList() {
return policyIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("IAM group Id: " + getId());
IAMGroup result = _iamApiSrv.attachIAMPoliciesToGroup(policyIdList, id);
if (result != null){
IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to iam group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "adding iam roles to iam group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMGroup;
}
}

168
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java
View File

@ -1,168 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.DomainResponse;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.IAMGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.user.Account;
@APICommand(name = "createIAMGroup", responseObject = IAMGroupResponse.class, description = "Creates an IAM group")
public class CreateIAMGroupCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateIAMGroupCmd.class.getName());
private static final String s_name = "createiamgroupresponse";
@Inject
public IAMApiService _iamApiSrv;
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the iam group. Must be used with domainId.")
private String accountName;
@Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the iam group", entityType = DomainResponse.class)
private Long domainId;
@Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the iam group")
private String description;
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the iam group")
private String name;
// ///////////////////////////////////////////////////
// ///////////////// Accessors ///////////////////////
// ///////////////////////////////////////////////////
public String getAccountName() {
return accountName;
}
public String getDescription() {
return description;
}
public Long getDomainId() {
return domainId;
}
public String getName() {
return name;
}
// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
Account account = CallContext.current().getCallingAccount();
if ((account == null) || _accountService.isAdmin(account.getId())) {
if ((domainId != null) && (accountName != null)) {
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
if (userAccount != null) {
return userAccount.getId();
}
}
}
if (account != null) {
return account.getId();
}
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
// command to SYSTEM so ERROR events
// are tracked
}
@Override
public void execute() {
IAMGroup grp = _entityMgr.findById(IAMGroup.class, getEntityId());
if (grp != null) {
IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(grp);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam group:" + name);
}
}
@Override
public void create() throws ResourceAllocationException {
Account account = CallContext.current().getCallingAccount();
IAMGroup result = _iamApiSrv.createIAMGroup(account, name, description);
if (result != null) {
setEntityId(result.getId());
setEntityUuid(result.getUuid());
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam group entity" + name);
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_GROUP_CREATE;
}
@Override
public String getEventDescription() {
return "creating IAM group";
}
@Override
public String getCreateEventType() {
return EventTypes.EVENT_IAM_GROUP_CREATE;
}
@Override
public String getCreateEventDescription() {
return "creating IAM group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMGroup;
}
}

175
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java
View File

@ -1,175 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.DomainResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.IAMPolicy;
import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.user.Account;
@APICommand(name = "createIAMPolicy", responseObject = IAMPolicyResponse.class, description = "Creates an iam policy")
public class CreateIAMPolicyCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateIAMPolicyCmd.class.getName());
private static final String s_name = "createiampolicyresponse";
@Inject
public IAMApiService _iamApiSrv;
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the iam policy. Must be used with domainId.")
private String accountName;
@Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the iam policy", entityType = DomainResponse.class)
private Long domainId;
@Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the iam policy")
private String description;
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the iam policy")
private String name;
@ACL
@Parameter(name = ApiConstants.IAM_PARENT_POLICY_ID, type = CommandType.UUID, description = "The ID of parent iam policy.", entityType = IAMPolicyResponse.class)
private Long parentPolicyId;
// ///////////////////////////////////////////////////
// ///////////////// Accessors ///////////////////////
// ///////////////////////////////////////////////////
public String getAccountName() {
return accountName;
}
public String getDescription() {
return description;
}
public Long getDomainId() {
return domainId;
}
public String getName() {
return name;
}
public Long getParentPolicyId() {
return parentPolicyId;
}
// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
Account account = CallContext.current().getCallingAccount();
if ((account == null) || _accountService.isAdmin(account.getId())) {
if ((domainId != null) && (accountName != null)) {
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
if (userAccount != null) {
return userAccount.getId();
}
}
}
if (account != null) {
return account.getId();
}
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
// command to SYSTEM so ERROR events
// are tracked
}
@Override
public void execute() {
IAMPolicy policy = _entityMgr.findById(IAMPolicy.class, getEntityId());
if (policy != null) {
IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(policy);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam policy:" + name);
}
}
@Override
public void create() throws ResourceAllocationException {
Account account = CallContext.current().getCallingAccount();
IAMPolicy result = _iamApiSrv.createIAMPolicy(account, name, description, parentPolicyId);
if (result != null) {
setEntityId(result.getId());
setEntityUuid(result.getUuid());
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam policy entity" + name);
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_POLICY_CREATE;
}
@Override
public String getEventDescription() {
return "creating IAM policy";
}
@Override
public String getCreateEventType() {
return EventTypes.EVENT_IAM_POLICY_CREATE;
}
@Override
public String getCreateEventDescription() {
return "creating IAM policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMPolicy;
}
}

102
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java
View File

@ -1,102 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.SuccessResponse;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.iam.IAMApiService;
import com.cloud.event.EventTypes;
import com.cloud.user.Account;
@APICommand(name = "deleteIAMGroup", description = "Deletes acl group", responseObject = SuccessResponse.class)
public class DeleteIAMGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteIAMGroupCmd.class.getName());
private static final String s_name = "deleteaclgroupresponse";
@Inject
public IAMApiService _aclApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl group.", required = true, entityType = IAMGroupResponse.class)
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM;
}
@Override
public void execute(){
boolean result = _aclApiSrv.deleteIAMGroup(id);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_GROUP_DELETE;
}
@Override
public String getEventDescription() {
return "Deleting Acl group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMGroup;
}
}

102
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java
View File

@ -1,102 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.SuccessResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import com.cloud.event.EventTypes;
import com.cloud.user.Account;
@APICommand(name = "deleteIAMPolicy", description = "Deletes iam policy", responseObject = SuccessResponse.class)
public class DeleteIAMPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteIAMPolicyCmd.class.getName());
private static final String s_name = "deleteiampolicyresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the iam policy.", required = true, entityType = IAMPolicyResponse.class)
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM;
}
@Override
public void execute(){
boolean result = _iamApiSrv.deleteIAMPolicy(id);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete iam policy");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_POLICY_DELETE;
}
@Override
public String getEventDescription() {
return "Deleting IAM policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMPolicy;
}
}

88
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java
View File

@ -1,88 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
@APICommand(name = "listIAMGroups", description = "Lists iam groups", responseObject = IAMGroupResponse.class)
public class ListIAMGroupsCmd extends BaseListDomainResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListIAMGroupsCmd.class.getName());
private static final String s_name = "listiamgroupsresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists iam groups by name")
private String iamGroupName;
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the iam group by the id provided", entityType = IAMGroupResponse.class)
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public String getIAMGroupName() {
return iamGroupName;
}
public Long getId(){
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public void execute(){
ListResponse<IAMGroupResponse> response = _iamApiSrv.listIAMGroups(id, iamGroupName, getDomainId(),
getStartIndex(), getPageSizeVal());
response.setResponseName(getCommandName());
setResponseObject(response);
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMGroup;
}
}

88
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java
View File

@ -1,88 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
@APICommand(name = "listIAMPolicies", description = "Lists IAM policies", responseObject = IAMPolicyResponse.class)
public class ListIAMPoliciesCmd extends BaseListDomainResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListIAMPoliciesCmd.class.getName());
private static final String s_name = "listiampoliciesresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists iam policies by name")
private String iamPolicyName;
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the iam policy by the id provided", entityType = IAMPolicyResponse.class)
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public String getIAMPolicyName() {
return iamPolicyName;
}
public Long getId(){
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public void execute(){
ListResponse<IAMPolicyResponse> response = _iamApiSrv.listIAMPolicies(id, iamPolicyName, getDomainId(),
getStartIndex(), getPageSizeVal());
response.setResponseName(getCommandName());
setResponseObject(response);
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMPolicy;
}
}

127
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java
View File

@ -1,127 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.IAMGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "removeAccountFromIAMGroup", description = "remove accounts from an iam group", responseObject = IAMGroupResponse.class)
public class RemoveAccountFromIAMGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAccountFromIAMGroupCmd.class.getName());
private static final String s_name = "removeaccountfromiamgroupresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
required = true, description = "The ID of the iam group")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the iam group.")
private List<Long> accountIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getAccountIdList() {
return accountIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("IAM group Id: " + getId());
IAMGroup result = _iamApiSrv.removeAccountsFromGroup(accountIdList, id);
if (result != null){
IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove accounts from iam group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "removing accounts from iam group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMGroup;
}
}

148
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java
View File

@ -1,148 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.iam.api.IAMPolicy;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "removeIAMPermissionFromIAMPolicy", description = "Remove iam permission from an iam policy", responseObject = IAMPolicyResponse.class)
public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveIAMPermissionFromIAMPolicyCmd.class.getName());
private static final String s_name = "removeiampermissionfromiampolicyresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
required = true, description = "The ID of the iam policy")
private Long id;
@Parameter(name = ApiConstants.IAM_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
private String action;
@Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
private String entityType;
@Parameter(name = ApiConstants.IAM_SCOPE, type = CommandType.STRING,
required = false, description = "iam permission scope")
private String scope;
@Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The ID of the permission scope id")
private String scopeId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public String getAction() {
return action;
}
public String getEntityType() {
return entityType;
}
public String getScope() {
return scope;
}
public Long getScopeId() {
// here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID.
return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("IAM policy Id: " + getId());
IAMPolicy result = _iamApiSrv.removeIAMPermissionFromIAMPolicy(id, entityType, PermissionScope.valueOf(scope), getScopeId(), action);
if (result != null) {
IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove permission from iam policy " + getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_POLICY_REVOKE;
}
@Override
public String getEventDescription() {
return "removing permission from iam policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMPolicy;
}
}

122
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java
View File

@ -1,122 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.IAMApiService;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "removeIAMPolicyFromAccount", description = "remove iam policy from accounts", responseObject = SuccessResponse.class)
public class RemoveIAMPolicyFromAccountCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveIAMPolicyFromAccountCmd.class.getName());
private static final String s_name = "removeiampolicyfromaccountresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class,
required = true, description = "The ID of the iam group")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.")
private List<Long> accountIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getAccountIdList() {
return accountIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("IAM policy Id: " + getId());
_iamApiSrv.removeIAMPolicyFromAccounts(id, accountIdList);
SuccessResponse response = new SuccessResponse();
response.setResponseName(getCommandName());
setResponseObject(response);
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE;
}
@Override
public String getEventDescription() {
return "removing iam policy from accounts";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.Account;
}
}

127
services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java
View File

@ -1,127 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.iam;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.IAMGroup;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "removeIAMPolicyFromIAMGroup", description = "remove iam policy from an iam group", responseObject = IAMGroupResponse.class)
public class RemoveIAMPolicyFromIAMGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveIAMPolicyFromIAMGroupCmd.class.getName());
private static final String s_name = "removeiampolicyfromiamgroupresponse";
@Inject
public IAMApiService _iamApiSrv;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class,
required = true, description = "The ID of the iam group")
private Long id;
@ACL
@Parameter(name = ApiConstants.IAM_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = IAMPolicyResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.")
private List<Long> policyIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getRoleIdList() {
return policyIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("IAM group Id: " + getId());
IAMGroup result = _iamApiSrv.removeIAMPoliciesFromGroup(policyIdList, id);
if (result != null){
IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to iam group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_IAM_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "removing IAM roles from IAM group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.IAMGroup;
}
}

193
services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java
View File

@ -1,193 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.response.iam;
import java.util.LinkedHashSet;
import java.util.Set;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import org.apache.cloudstack.api.EntityReference;
import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
import org.apache.cloudstack.iam.api.IAMGroup;
import com.cloud.serializer.Param;
@SuppressWarnings("unused")
@EntityReference(value = IAMGroup.class)
public class IAMGroupResponse extends BaseResponse implements ControlledViewEntityResponse {
@SerializedName(ApiConstants.ID)
@Param(description = "the ID of the iam group")
private String id;
@SerializedName(ApiConstants.NAME)
@Param(description = "the name of the iam group")
private String name;
@SerializedName(ApiConstants.DESCRIPTION)
@Param(description = "the description of the iam group")
private String description;
@SerializedName(ApiConstants.DOMAIN_ID)
@Param(description = "the domain ID of the iam group")
private String domainId;
@SerializedName(ApiConstants.DOMAIN)
@Param(description = "the domain name of the iam role")
private String domainName;
@SerializedName(ApiConstants.ACCOUNT)
@Param(description = "the account owning the policy")
private String accountName;
@SerializedName(ApiConstants.IAM_MEMBER_ACCOUNTS)
@Param(description = "account names assigned to this iam group ")
private Set<String> accountNameList;
@SerializedName(ApiConstants.IAM_POLICIES)
@Param(description = "iam policies attached to this iam group ")
private Set<String> policyNameList;
public IAMGroupResponse() {
accountNameList = new LinkedHashSet<String>();
policyNameList = new LinkedHashSet<String>();
}
@Override
public String getObjectId() {
return getId();
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public void setName(String name) {
this.name = name;
}
public void setDescription(String description) {
this.description = description;
}
@Override
public void setDomainId(String domainId) {
this.domainId = domainId;
}
@Override
public void setDomainName(String domainName) {
this.domainName = domainName;
}
@Override
public void setAccountName(String accountName) {
this.accountName = accountName;
}
@Override
public void setProjectId(String projectId) {
// TODO Auto-generated method stub
}
@Override
public void setProjectName(String projectName) {
// TODO Auto-generated method stub
}
public String getName() {
return name;
}
public String getDescription() {
return description;
}
public String getDomainId() {
return domainId;
}
public String getDomainName() {
return domainName;
}
public String getAccountName() {
return accountName;
}
public Set<String> getAccountNameList() {
return accountNameList;
}
public void setMemberAccounts(Set<String> accts) {
accountNameList = accts;
}
public void addMemberAccount(String acct) {
accountNameList.add(acct);
}
public void setPolicyList(Set<String> policies) {
policyNameList = policies;
}
public void addPolicy(String policy) {
policyNameList.add(policy);
}
public Set<String> getPolicyList() {
return policyNameList;
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((id == null) ? 0 : id.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (getClass() != obj.getClass())
return false;
IAMGroupResponse other = (IAMGroupResponse)obj;
if (id == null) {
if (other.id != null)
return false;
} else if (!id.equals(other.id))
return false;
return true;
}
}

124
services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java
View File

@ -1,124 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.response.iam;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import com.cloud.serializer.Param;
public class IAMPermissionResponse extends BaseResponse {
@SerializedName(ApiConstants.IAM_ACTION)
@Param(description = "action of this permission")
private String action;
@SerializedName(ApiConstants.ENTITY_TYPE)
@Param(description = "the entity type of this permission")
private String entityType;
@SerializedName(ApiConstants.IAM_SCOPE)
@Param(description = "scope of this permission")
private PermissionScope scope;
@SerializedName(ApiConstants.IAM_SCOPE_ID)
@Param(description = "scope id of this permission")
private Long scopeId;
@SerializedName(ApiConstants.IAM_ALLOW_DENY)
@Param(description = "allow or deny of this permission")
private IAMPolicyPermission.Permission permission;
public String getEntityType() {
return entityType;
}
public void setEntityType(String entityType) {
this.entityType = entityType;
}
public String getAction() {
return action;
}
public void setAction(String action) {
this.action = action;
}
public PermissionScope getScope() {
return scope;
}
public void setScope(PermissionScope scope) {
this.scope = scope;
}
public Long getScopeId() {
return scopeId;
}
public void setScopeId(Long scopeId) {
this.scopeId = scopeId;
}
public IAMPolicyPermission.Permission getPermission() {
return permission;
}
public void setPermission(IAMPolicyPermission.Permission permission) {
this.permission = permission;
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((action == null) ? 0 : action.hashCode());
result = prime * result + ((entityType == null) ? 0 : entityType.hashCode());
result = prime * result + ((scope == null) ? 0 : scope.hashCode());
result = prime * result + ((scopeId == null) ? 0 : scopeId.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (getClass() != obj.getClass())
return false;
IAMPermissionResponse other = (IAMPermissionResponse) obj;
if ((entityType == null && other.entityType != null) || (entityType != null && !entityType.equals(other.entityType))) {
return false;
} else if ((action == null && other.action != null) || (action != null && !action.equals(other.action))) {
return false;
} else if ((scope == null && other.scope != null) || (scope != null && !scope.equals(other.scope))) {
return false;
} else if ((scopeId == null && other.scopeId != null) || (scopeId != null && !scopeId.equals(other.scopeId))) {
return false;
}
return true;
}
}

177
services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java
View File

@ -1,177 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.response.iam;
import java.util.LinkedHashSet;
import java.util.Set;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import org.apache.cloudstack.api.EntityReference;
import org.apache.cloudstack.api.response.ControlledViewEntityResponse;
import org.apache.cloudstack.iam.api.IAMPolicy;
import com.cloud.serializer.Param;
@SuppressWarnings("unused")
@EntityReference(value = IAMPolicy.class)
public class IAMPolicyResponse extends BaseResponse implements ControlledViewEntityResponse {
@SerializedName(ApiConstants.ID)
@Param(description = "the ID of the iam policy")
private String id;
@SerializedName(ApiConstants.NAME)
@Param(description = "the name of the iam policy")
private String name;
@SerializedName(ApiConstants.DESCRIPTION)
@Param(description = "the description of the iam policy")
private String description;
@SerializedName(ApiConstants.DOMAIN_ID)
@Param(description = "the domain ID of the iam policy")
private String domainId;
@SerializedName(ApiConstants.DOMAIN)
@Param(description = "the domain name of the iam policy")
private String domainName;
@SerializedName(ApiConstants.ACCOUNT)
@Param(description = "the account owning the policy")
private String accountName;
@SerializedName(ApiConstants.IAM_PERMISSIONS)
@Param(description = "set of permissions for the iam policy")
private Set<IAMPermissionResponse> permissionList;
public IAMPolicyResponse() {
permissionList = new LinkedHashSet<IAMPermissionResponse>();
}
@Override
public String getObjectId() {
return getId();
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public void setName(String name) {
this.name = name;
}
public void setDescription(String description) {
this.description = description;
}
@Override
public void setDomainId(String domainId) {
this.domainId = domainId;
}
@Override
public void setDomainName(String domainName) {
this.domainName = domainName;
}
public Set<IAMPermissionResponse> getPermissionList() {
return permissionList;
}
public void setPermissionList(Set<IAMPermissionResponse> perms) {
permissionList = perms;
}
public void addPermission(IAMPermissionResponse perm) {
permissionList.add(perm);
}
@Override
public void setAccountName(String accountName) {
this.accountName = accountName;
}
@Override
public void setProjectId(String projectId) {
// TODO Auto-generated method stub
}
@Override
public void setProjectName(String projectName) {
// TODO Auto-generated method stub
}
public String getName() {
return name;
}
public String getDescription() {
return description;
}
public String getDomainId() {
return domainId;
}
public String getDomainName() {
return domainName;
}
public String getAccountName() {
return accountName;
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((id == null) ? 0 : id.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (getClass() != obj.getClass())
return false;
IAMPolicyResponse other = (IAMPolicyResponse) obj;
if (id == null) {
if (other.id != null)
return false;
} else if (!id.equals(other.id))
return false;
return true;
}
}

87
services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java
View File

@ -1,87 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam;
import java.util.List;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import com.cloud.user.Account;
import com.cloud.utils.component.PluggableService;
public interface IAMApiService extends PluggableService {
/* ACL group related interfaces */
IAMGroup createIAMGroup(Account caller, String iamGroupName, String description);
boolean deleteIAMGroup(Long iamGroupId);
List<IAMGroup> listIAMGroups(long accountId);
IAMGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
IAMGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
/* IAM Policy related interfaces */
IAMPolicy createIAMPolicy(Account caller, String iamPolicyName, String description, Long parentPolicyId);
boolean deleteIAMPolicy(long iamPolicyId);
List<IAMPolicy> listIAMPolicies(long accountId);
IAMGroup attachIAMPoliciesToGroup(List<Long> policyIds, Long groupId);
IAMGroup removeIAMPoliciesFromGroup(List<Long> policyIds, Long groupId);
void attachIAMPolicyToAccounts(Long policyId, List<Long> accountIds);
void removeIAMPolicyFromAccounts(Long policyId, List<Long> accountIds);
IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId,
String action, Permission perm, Boolean recursive, Boolean readOnly);
IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);
IAMPolicyPermission getIAMPolicyPermission(long accountId, String entityType, String action);
/* Utility routine to grant/revoke invidivual resource to list of accounts */
void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds);
void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds);
/* Response Generation */
IAMPolicyResponse createIAMPolicyResponse(IAMPolicy policy);
IAMGroupResponse createIAMGroupResponse(IAMGroup group);
ListResponse<IAMGroupResponse> listIAMGroups(Long iamGroupId, String iamGroupName,
Long domainId, Long startIndex, Long pageSize);
ListResponse<IAMPolicyResponse> listIAMPolicies(Long iamPolicyId, String iamPolicyName,
Long domainId, Long startIndex, Long pageSize);
// Convert passed scope uuid to internal scope long id
Long getPermissionScopeId(String scope, String entityType, String scopeId);
}

825
services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java
View File

@ -1,825 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.bouncycastle.util.IPAddress;
import com.amazonaws.auth.policy.Condition;
import com.amazonaws.services.ec2.model.SecurityGroup;
import com.amazonaws.services.ec2.model.Snapshot;
import com.amazonaws.services.ec2.model.Volume;
import com.amazonaws.services.ec2.model.Vpc;
import com.amazonaws.services.elasticache.model.Event;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.api.command.iam.AddAccountToIAMGroupCmd;
import org.apache.cloudstack.api.command.iam.AddIAMPermissionToIAMPolicyCmd;
import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToAccountCmd;
import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToIAMGroupCmd;
import org.apache.cloudstack.api.command.iam.CreateIAMGroupCmd;
import org.apache.cloudstack.api.command.iam.CreateIAMPolicyCmd;
import org.apache.cloudstack.api.command.iam.DeleteIAMGroupCmd;
import org.apache.cloudstack.api.command.iam.DeleteIAMPolicyCmd;
import org.apache.cloudstack.api.command.iam.ListIAMGroupsCmd;
import org.apache.cloudstack.api.command.iam.ListIAMPoliciesCmd;
import org.apache.cloudstack.api.command.iam.RemoveAccountFromIAMGroupCmd;
import org.apache.cloudstack.api.command.iam.RemoveIAMPermissionFromIAMPolicyCmd;
import org.apache.cloudstack.api.command.iam.RemoveIAMPolicyFromAccountCmd;
import org.apache.cloudstack.api.command.iam.RemoveIAMPolicyFromIAMGroupCmd;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.api.response.iam.IAMPermissionResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.framework.jobs.AsyncJob;
import org.apache.cloudstack.framework.messagebus.MessageBus;
import org.apache.cloudstack.framework.messagebus.MessageSubscriber;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService;
import com.cloud.api.ApiServerService;
import com.cloud.domain.Domain;
import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.network.IpAddress;
import com.cloud.network.MonitoringService;
import com.cloud.network.Network;
import com.cloud.network.RemoteAccessVpn;
import com.cloud.network.Site2SiteCustomerGateway;
import com.cloud.network.Site2SiteVpnConnection;
import com.cloud.network.Site2SiteVpnGateway;
import com.cloud.network.UserIpv6Address;
import com.cloud.network.VpnUser;
import com.cloud.network.as.AutoScalePolicy;
import com.cloud.network.as.AutoScaleVmGroup;
import com.cloud.network.as.AutoScaleVmProfile;
import com.cloud.network.lb.SslCert;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.PortForwardingRule;
import com.cloud.network.vpc.StaticRoute;
import com.cloud.network.vpc.VpcGateway;
import com.cloud.projects.ProjectInvitation;
import com.cloud.region.ha.GlobalLoadBalancerRule;
import com.cloud.server.ResourceTag;
import com.cloud.template.TemplateManager;
import com.cloud.template.VirtualMachineTemplate;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.DomainManager;
import com.cloud.user.SSHKeyPair;
import com.cloud.user.dao.AccountDao;
import com.cloud.utils.Pair;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
import com.cloud.vm.InstanceGroup;
import com.cloud.vm.NicIpAlias;
import com.cloud.vm.NicSecondaryIp;
import com.cloud.vm.VirtualMachine;
import com.cloud.vm.snapshot.VMSnapshot;
public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Manager {
public static final Logger s_logger = Logger.getLogger(IAMApiServiceImpl.class);
private String _name;
@Inject
ApiServerService _apiServer;
@Inject
IAMService _iamSrv;
@Inject
DomainDao _domainDao;
@Inject
AccountDao _accountDao;
@Inject
AccountManager _accountMgr;
@Inject
MessageBus _messageBus;
@Inject
EntityManager _entityMgr;
private static final Map<String, Class<?>> s_typeMap = new HashMap<String, Class<?>>();
static {
s_typeMap.put(VirtualMachine.class.getSimpleName(), VirtualMachine.class);
s_typeMap.put(Volume.class.getSimpleName(), Volume.class);
s_typeMap.put(ResourceTag.class.getSimpleName(), ResourceTag.class);
s_typeMap.put(Account.class.getSimpleName(), Account.class);
s_typeMap.put(AffinityGroup.class.getSimpleName(), AffinityGroup.class);
s_typeMap.put(AutoScalePolicy.class.getSimpleName(), AutoScalePolicy.class);
s_typeMap.put(AutoScaleVmProfile.class.getSimpleName(), AutoScaleVmProfile.class);
s_typeMap.put(AutoScaleVmGroup.class.getSimpleName(), AutoScaleVmGroup.class);
s_typeMap.put(Condition.class.getSimpleName(), Condition.class);
s_typeMap.put(Vpc.class.getSimpleName(), Vpc.class);
s_typeMap.put(VpcGateway.class.getSimpleName(), VpcGateway.class);
s_typeMap.put(VpnUser.class.getSimpleName(), VpnUser.class);
s_typeMap.put(VMSnapshot.class.getSimpleName(), VMSnapshot.class);
s_typeMap.put(VirtualMachineTemplate.class.getSimpleName(), VirtualMachineTemplate.class);
s_typeMap.put(UserIpv6Address.class.getSimpleName(), UserIpv6Address.class);
s_typeMap.put(StaticRoute.class.getSimpleName(), StaticRoute.class);
s_typeMap.put(SSHKeyPair.class.getSimpleName(), SSHKeyPair.class);
s_typeMap.put(Snapshot.class.getSimpleName(), Snapshot.class);
s_typeMap.put(Site2SiteVpnGateway.class.getSimpleName(), Site2SiteVpnGateway.class);
s_typeMap.put(Site2SiteCustomerGateway.class.getSimpleName(), Site2SiteCustomerGateway.class);
s_typeMap.put(Site2SiteVpnConnection.class.getSimpleName(), Site2SiteVpnConnection.class);
s_typeMap.put(SecurityGroup.class.getSimpleName(), SecurityGroup.class);
s_typeMap.put(RemoteAccessVpn.class.getSimpleName(), RemoteAccessVpn.class);
s_typeMap.put(ProjectInvitation.class.getSimpleName(), ProjectInvitation.class);
s_typeMap.put(NicSecondaryIp.class.getSimpleName(), NicSecondaryIp.class);
s_typeMap.put(NicIpAlias.class.getSimpleName(), NicIpAlias.class);
s_typeMap.put(Network.class.getSimpleName(), Network.class);
s_typeMap.put(IpAddress.class.getSimpleName(), IPAddress.class);
s_typeMap.put(InstanceGroup.class.getSimpleName(), InstanceGroup.class);
s_typeMap.put(GlobalLoadBalancerRule.class.getSimpleName(), GlobalLoadBalancerRule.class);
s_typeMap.put(FirewallRule.class.getSimpleName(), FirewallRule.class);
s_typeMap.put(PortForwardingRule.class.getSimpleName(), PortForwardingRule.class);
s_typeMap.put(Event.class.getSimpleName(), Event.class);
s_typeMap.put(AsyncJob.class.getSimpleName(), AsyncJob.class);
s_typeMap.put(IAMGroup.class.getSimpleName(), IAMGroup.class);
s_typeMap.put(IAMPolicy.class.getSimpleName(), IAMPolicy.class);
s_typeMap.put(MonitoringService.class.getSimpleName(), MonitoringService.class);
s_typeMap.put(SslCert.class.getSimpleName(), SslCert.class);
}
@Override
public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
_messageBus.subscribe(AccountManager.MESSAGE_ADD_ACCOUNT_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
HashMap<Long, Long> acctGroupMap = (HashMap<Long, Long>) obj;
for (Long accountId : acctGroupMap.keySet()) {
Long groupId = acctGroupMap.get(accountId);
s_logger.debug("MessageBus message: new Account Added: " + accountId + ", adding it to groupId :"
+ groupId);
addAccountToIAMGroup(accountId, groupId);
// add it to domain group too
AccountVO account = _accountDao.findById(accountId);
Domain domain = _domainDao.findById(account.getDomainId());
if (domain != null) {
List<IAMGroup> domainGroups = listDomainGroup(domain);
if (domainGroups != null) {
for (IAMGroup group : domainGroups) {
addAccountToIAMGroup(accountId, new Long(group.getId()));
}
}
}
}
}
});
_messageBus.subscribe(AccountManager.MESSAGE_REMOVE_ACCOUNT_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Long accountId = ((Long) obj);
if (accountId != null) {
s_logger.debug("MessageBus message: Account removed: " + accountId
+ ", releasing the group associations");
removeAccountFromIAMGroups(accountId);
}
}
});
_messageBus.subscribe(DomainManager.MESSAGE_ADD_DOMAIN_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Long domainId = ((Long) obj);
if (domainId != null) {
s_logger.debug("MessageBus message: new Domain created: " + domainId + ", creating a new group");
Domain domain = _domainDao.findById(domainId);
_iamSrv.createIAMGroup("DomainGrp-" + domain.getUuid(), "Domain group", domain.getPath());
}
}
});
_messageBus.subscribe(DomainManager.MESSAGE_REMOVE_DOMAIN_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Long domainId = ((Long) obj);
if (domainId != null) {
s_logger.debug("MessageBus message: Domain removed: " + domainId + ", removing the domain group");
Domain domain = _domainDao.findById(domainId);
List<IAMGroup> groups = listDomainGroup(domain);
for (IAMGroup group : groups) {
_iamSrv.deleteIAMGroup(group.getId());
}
}
}
});
_messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Long templateId = (Long)obj;
if (templateId != null) {
s_logger.debug("MessageBus message: new public template registered: " + templateId
+ ", grant permission to default root admin, domain admin and normal user policies");
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
}
}
});
_messageBus.subscribe(TemplateManager.MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Long templateId = (Long)obj;
if (templateId != null) {
s_logger.debug("MessageBus message: reset template permission: " + templateId);
resetTemplatePermission(templateId);
}
}
});
_messageBus.subscribe(EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Pair<Class<?>, Long> entity = (Pair<Class<?>, Long>)obj;
if (entity != null) {
String entityType = entity.first().getSimpleName();
Long entityId = entity.second();
s_logger.debug("MessageBus message: delete an entity: (" + entityType + "," + entityId + "), remove its related permission");
_iamSrv.removeIAMPermissionForEntity(entityType, entityId);
}
}
});
_messageBus.subscribe(EntityManager.MESSAGE_GRANT_ENTITY_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Map<String, Object> permit = (Map<String, Object>)obj;
if (permit != null) {
Class<?> entityType = (Class<?>)permit.get(ApiConstants.ENTITY_TYPE);
Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID);
AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE);
String action = (String)permit.get(ApiConstants.IAM_ACTION);
List<Long> acctIds = (List<Long>)permit.get(ApiConstants.ACCOUNTS);
s_logger.debug("MessageBus message: grant accounts permission to an entity: (" + entityType + "," + entityId + ")");
grantEntityPermissioinToAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds);
}
}
});
_messageBus.subscribe(EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Map<String, Object> permit = (Map<String, Object>)obj;
if (permit != null) {
Class<?> entityType = (Class<?>)permit.get(ApiConstants.ENTITY_TYPE);
Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID);
AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE);
String action = (String)permit.get(ApiConstants.IAM_ACTION);
List<Long> acctIds = (List<Long>)permit.get(ApiConstants.ACCOUNTS);
s_logger.debug("MessageBus message: revoke from accounts permission to an entity: (" + entityType + "," + entityId + ")");
revokeEntityPermissioinFromAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds);
}
}
});
_messageBus.subscribe(EntityManager.MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT, new MessageSubscriber() {
@Override
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Map<String, Object> params = (Map<String, Object>) obj;
if (params != null) {
addDomainWideResourceAccess(params);
}
}
});
return super.configure(name, params);
}
@Override
public boolean start() {
s_logger.info("Populating IAM group and account association for default accounts...");
// populate group <-> account association if not present for CS admin
// and system accounts
populateIAMGroupAdminAccountMap();
return true;
}
private void populateIAMGroupAdminAccountMap() {
List<Long> sysAccts = new ArrayList<Long>();
sysAccts.add(Account.ACCOUNT_ID_SYSTEM);
sysAccts.add(Account.ACCOUNT_ID_SYSTEM + 1);
_iamSrv.addAccountsToGroup(sysAccts, new Long(Account.ACCOUNT_TYPE_ADMIN + 1));
}
private void addDomainWideResourceAccess(Map<String, Object> params) {
Class<?> entityType = (Class<?>)params.get(ApiConstants.ENTITY_TYPE);
Long entityId = (Long) params.get(ApiConstants.ENTITY_ID);
Long domainId = (Long) params.get(ApiConstants.DOMAIN_ID);
Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS);
if (entityType == Network.class) {
createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.toString(),
entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive);
} else if (entityType == AffinityGroup.class) {
createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.toString(),
entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive);
}
}
private void createPolicyAndAddToDomainGroup(String policyName, String description, String entityType,
Long entityId, String action, AccessType accessType, Long domainId, Boolean recursive) {
Domain domain = _domainDao.findById(domainId);
if (domain != null) {
IAMPolicy policy = _iamSrv.createIAMPolicy(policyName, description, null, domain.getPath());
_iamSrv.addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE.toString(),
entityId, action, accessType.toString(), Permission.Allow, recursive);
List<Long> policyList = new ArrayList<Long>();
policyList.add(new Long(policy.getId()));
List<IAMGroup> domainGroups = listDomainGroup(domain);
if (domainGroups != null) {
for (IAMGroup group : domainGroups) {
_iamSrv.attachIAMPoliciesToGroup(policyList, group.getId());
}
}
}
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true)
public IAMGroup createIAMGroup(Account caller, String iamGroupName, String description) {
Long domainId = caller.getDomainId();
Domain callerDomain = _domainDao.findById(domainId);
if (callerDomain == null) {
throw new InvalidParameterValueException("Caller does not have a domain");
}
return _iamSrv.createIAMGroup(iamGroupName, description, callerDomain.getPath());
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_DELETE, eventDescription = "Deleting Acl Group")
public boolean deleteIAMGroup(final Long iamGroupId) {
return _iamSrv.deleteIAMGroup(iamGroupId);
}
@Override
public List<IAMGroup> listIAMGroups(long accountId) {
return _iamSrv.listIAMGroups(accountId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Adding accounts to acl group")
public IAMGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
return _iamSrv.addAccountsToGroup(acctIds, groupId);
}
private void removeAccountFromIAMGroups(long accountId) {
List<IAMGroup> groups = listIAMGroups(accountId);
List<Long> accts = new ArrayList<Long>();
accts.add(accountId);
if (groups != null) {
for (IAMGroup grp : groups) {
removeAccountsFromGroup(accts, grp.getId());
}
}
}
private void addAccountToIAMGroup(long accountId, long groupId) {
List<Long> accts = new ArrayList<Long>();
accts.add(accountId);
addAccountsToGroup(accts, groupId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Removing accounts from acl group")
public IAMGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
return _iamSrv.removeAccountsFromGroup(acctIds, groupId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_CREATE, eventDescription = "Creating IAM Policy", create = true)
public IAMPolicy createIAMPolicy(Account caller, final String iamPolicyName, final String description, final Long parentPolicyId) {
Long domainId = caller.getDomainId();
Domain callerDomain = _domainDao.findById(domainId);
if (callerDomain == null) {
throw new InvalidParameterValueException("Caller does not have a domain");
}
return _iamSrv.createIAMPolicy(iamPolicyName, description, parentPolicyId, callerDomain.getPath());
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_DELETE, eventDescription = "Deleting IAM Policy")
public boolean deleteIAMPolicy(final long iamPolicyId) {
return _iamSrv.deleteIAMPolicy(iamPolicyId);
}
@Override
public List<IAMPolicy> listIAMPolicies(long accountId) {
return _iamSrv.listIAMPolicies(accountId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Attaching policy to acl group")
public IAMGroup attachIAMPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
return _iamSrv.attachIAMPoliciesToGroup(policyIds, groupId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Removing policies from acl group")
public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
return _iamSrv.removeIAMPoliciesFromGroup(policyIds, groupId);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE, eventDescription = "Attaching policy to accounts")
public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> accountIds) {
_iamSrv.attachIAMPolicyToAccounts(policyId, accountIds);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE, eventDescription = "Removing policy from accounts")
public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> accountIds) {
_iamSrv.removeIAMPolicyFromAccounts(policyId, accountIds);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_GRANT, eventDescription = "Granting acl permission to IAM Policy")
public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope,
Long scopeId, String action, Permission perm, Boolean recursive, Boolean readOnly) {
Class<?> cmdClass = _apiServer.getCmdClass(action);
AccessType accessType = null;
if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
if (readOnly) {
accessType = AccessType.ListEntry;
} else {
accessType = AccessType.UseEntry;
}
} else {
accessType = AccessType.OperateEntry;
}
String accessTypeStr = (accessType != null) ? accessType.toString() : null;
return _iamSrv.addIAMPermissionToIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action,
accessTypeStr, perm, recursive);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_REVOKE, eventDescription = "Revoking acl permission from IAM Policy")
public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) {
return _iamSrv.removeIAMPermissionFromIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action);
}
@Override
public IAMPolicyPermission getIAMPolicyPermission(long accountId, String entityType, String action) {
List<IAMPolicy> policies = _iamSrv.listIAMPolicies(accountId);
IAMPolicyPermission curPerm = null;
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> perms = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action,
entityType);
if (perms == null || perms.size() == 0)
continue;
IAMPolicyPermission perm = perms.get(0); // just pick one
if (curPerm == null) {
curPerm = perm;
} else if (PermissionScope.valueOf(perm.getScope()).greaterThan(PermissionScope.valueOf(curPerm.getScope()))) {
// pick the more relaxed allowed permission
curPerm = perm;
}
}
return curPerm;
}
@Override
public IAMPolicyResponse createIAMPolicyResponse(IAMPolicy policy) {
IAMPolicyResponse response = new IAMPolicyResponse();
response.setId(policy.getUuid());
response.setName(policy.getName());
response.setDescription(policy.getDescription());
String domainPath = policy.getPath();
if (domainPath != null) {
DomainVO domain = _domainDao.findDomainByPath(domainPath);
if (domain != null) {
response.setDomainId(domain.getUuid());
response.setDomainName(domain.getName());
}
}
long accountId = policy.getAccountId();
AccountVO owner = _accountDao.findById(accountId);
if (owner != null) {
response.setAccountName(owner.getAccountName());
}
// find permissions associated with this policy
List<IAMPolicyPermission> permissions = _iamSrv.listPolicyPermissions(policy.getId());
if (permissions != null && permissions.size() > 0) {
for (IAMPolicyPermission permission : permissions) {
IAMPermissionResponse perm = new IAMPermissionResponse();
perm.setAction(permission.getAction());
if (permission.getEntityType() != null) {
perm.setEntityType(permission.getEntityType());
}
if (permission.getScope() != null) {
perm.setScope(PermissionScope.valueOf(permission.getScope()));
}
perm.setScopeId(permission.getScopeId());
perm.setPermission(permission.getPermission());
response.addPermission(perm);
}
}
response.setObjectName("aclpolicy");
return response;
}
@Override
public IAMGroupResponse createIAMGroupResponse(IAMGroup group) {
IAMGroupResponse response = new IAMGroupResponse();
response.setId(group.getUuid());
response.setName(group.getName());
response.setDescription(group.getDescription());
String domainPath = group.getPath();
if (domainPath != null) {
DomainVO domain = _domainDao.findDomainByPath(domainPath);
if (domain != null) {
response.setDomainId(domain.getUuid());
response.setDomainName(domain.getName());
}
}
long accountId = group.getAccountId();
AccountVO owner = _accountDao.findById(accountId);
if (owner != null) {
response.setAccountName(owner.getAccountName());
}
// find all the members in this group
List<Long> members = _iamSrv.listAccountsByGroup(group.getId());
if (members != null && members.size() > 0) {
for (Long member : members) {
AccountVO mem = _accountDao.findById(member);
if (mem != null) {
response.addMemberAccount(mem.getAccountName());
}
}
}
// find all the policies attached to this group
List<IAMPolicy> policies = _iamSrv.listIAMPoliciesByGroup(group.getId());
if (policies != null && policies.size() > 0) {
for (IAMPolicy policy : policies) {
response.addPolicy(policy.getName());
}
}
response.setObjectName("aclgroup");
return response;
}
public List<IAMGroup> listDomainGroup(Domain domain) {
if (domain != null) {
String domainPath = domain.getPath();
// search for groups
Pair<List<IAMGroup>, Integer> result = _iamSrv.listIAMGroups(null, "DomainGrp-" + domain.getUuid(),
domainPath, null, null);
return result.first();
}
return new ArrayList<IAMGroup>();
}
@Override
public ListResponse<IAMGroupResponse> listIAMGroups(Long iamGroupId, String iamGroupName, Long domainId, Long startIndex, Long pageSize) {
// acl check
Account caller = CallContext.current().getCallingAccount();
Domain domain = null;
if (domainId != null) {
domain = _domainDao.findById(domainId);
if (domain == null) {
throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
}
_accountMgr.checkAccess(caller, domain);
} else {
domain = _domainDao.findById(caller.getDomainId());
}
String domainPath = domain.getPath();
// search for groups
Pair<List<IAMGroup>, Integer> result = _iamSrv.listIAMGroups(iamGroupId, iamGroupName, domainPath, startIndex, pageSize);
// generate group response
ListResponse<IAMGroupResponse> response = new ListResponse<IAMGroupResponse>();
List<IAMGroupResponse> groupResponses = new ArrayList<IAMGroupResponse>();
for (IAMGroup group : result.first()) {
IAMGroupResponse resp = createIAMGroupResponse(group);
groupResponses.add(resp);
}
response.setResponses(groupResponses, result.second());
return response;
}
@Override
public ListResponse<IAMPolicyResponse> listIAMPolicies(Long iamPolicyId, String iamPolicyName, Long domainId, Long startIndex,
Long pageSize) {
// acl check
Account caller = CallContext.current().getCallingAccount();
Domain domain = null;
if (domainId != null) {
domain = _domainDao.findById(domainId);
if (domain == null) {
throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
}
_accountMgr.checkAccess(caller, domain);
} else {
domain = _domainDao.findById(caller.getDomainId());
}
String domainPath = domain.getPath();
// search for policies
Pair<List<IAMPolicy>, Integer> result = _iamSrv.listIAMPolicies(iamPolicyId, iamPolicyName, domainPath, startIndex, pageSize);
// generate policy response
ListResponse<IAMPolicyResponse> response = new ListResponse<IAMPolicyResponse>();
List<IAMPolicyResponse> policyResponses = new ArrayList<IAMPolicyResponse>();
for (IAMPolicy policy : result.first()) {
IAMPolicyResponse resp = createIAMPolicyResponse(policy);
policyResponses.add(resp);
}
response.setResponses(policyResponses, result.second());
return response;
}
@Override
public void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds) {
// check if there is already a policy with only this permission added to it
IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action);
if (policy == null) {
// not found, just create a policy with resource grant permission
Account caller = CallContext.current().getCallingAccount();
String aclPolicyName = "policyGrant" + entityType + entityId;
String description = "Policy to grant permission to " + entityType + entityId;
policy = createIAMPolicy(caller, aclPolicyName, description, null);
// add permission to this policy
addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action,
Permission.Allow, false, false);
}
// attach this policy to list of accounts if not attached already
Long policyId = policy.getId();
for (Long acctId : accountIds) {
if (!isPolicyAttachedToAccount(policyId, acctId)) {
attachIAMPolicyToAccounts(policyId, Collections.singletonList(acctId));
}
}
}
@Override
public void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds) {
// there should already a policy with only this permission added to it, this call is mainly used
IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action);
if (policy == null) {
s_logger.warn("Cannot find a policy associated with this entity permissioin to be revoked, just return");
return;
}
// detach this policy from list of accounts if not detached already
Long policyId = policy.getId();
for (Long acctId : accountIds) {
if (isPolicyAttachedToAccount(policyId, acctId)) {
removeIAMPolicyFromAccounts(policyId, Collections.singletonList(acctId));
}
}
}
private boolean isPolicyAttachedToAccount(Long policyId, Long accountId) {
List<IAMPolicy> pList = listIAMPolicies(accountId);
for (IAMPolicy p : pList) {
if (p.getId() == policyId.longValue()) {
return true;
}
}
return false;
}
private void resetTemplatePermission(Long templateId){
// reset template will change template to private, so we need to remove its permission for domain admin and normal user group
_iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), templateId, "listTemplates");
_iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), templateId, "listTemplates");
// check if there is a policy with only UseEntry permission for this template added
IAMPolicy policy = _iamSrv.getResourceGrantPolicy(VirtualMachineTemplate.class.getSimpleName(), templateId, AccessType.UseEntry.toString(), "listTemplates");
if ( policy == null ){
s_logger.info("No policy found for this template grant: " + templateId + ", no detach to be done");
return;
}
// delete the policy, which should detach it from groups and accounts
_iamSrv.deleteIAMPolicy(policy.getId());
}
@Override
public Long getPermissionScopeId(String scope, String entityType, String scopeId) {
if (scopeId.equals("-1")) {
return -1L;
}
PermissionScope permScope = PermissionScope.valueOf(scope);
InternalIdentity entity = null;
switch (permScope) {
case DOMAIN:
entity = _domainDao.findByUuid(scopeId);
break;
case ACCOUNT:
entity = _accountDao.findByUuid(scopeId);
break;
case RESOURCE:
Class<?> clazz = s_typeMap.get(entityType);
entity = (InternalIdentity)_entityMgr.findByUuid(clazz, scopeId);
}
if (entity != null) {
return entity.getId();
}
throw new InvalidParameterValueException("Unable to find scopeId " + scopeId + " with scope " + scope + " and type " + entityType);
}
@Override
public List<Class<?>> getCommands() {
List<Class<?>> cmdList = new ArrayList<Class<?>>();
cmdList.add(CreateIAMPolicyCmd.class);
cmdList.add(DeleteIAMPolicyCmd.class);
cmdList.add(ListIAMPoliciesCmd.class);
cmdList.add(AddIAMPermissionToIAMPolicyCmd.class);
cmdList.add(RemoveIAMPermissionFromIAMPolicyCmd.class);
cmdList.add(AttachIAMPolicyToIAMGroupCmd.class);
cmdList.add(RemoveIAMPolicyFromIAMGroupCmd.class);
cmdList.add(CreateIAMGroupCmd.class);
cmdList.add(DeleteIAMGroupCmd.class);
cmdList.add(ListIAMGroupsCmd.class);
cmdList.add(AddAccountToIAMGroupCmd.class);
cmdList.add(RemoveAccountFromIAMGroupCmd.class);
cmdList.add(AttachIAMPolicyToAccountCmd.class);
cmdList.add(RemoveIAMPolicyFromAccountCmd.class);
return cmdList;
}
}

287
services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
View File

@ -1,287 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.APIChecker;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService;
import com.cloud.api.ApiServerService;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.storage.VMTemplateVO;
import com.cloud.storage.dao.VMTemplateDao;
import com.cloud.template.VirtualMachineTemplate;
import com.cloud.user.Account;
import com.cloud.user.AccountService;
import com.cloud.user.User;
import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.component.AdapterBase;
import com.cloud.utils.component.PluggableService;
import com.cloud.utils.exception.CloudRuntimeException;
//This is the Role Based API access checker that grab's the account's roles
//based on the set of roles, access is granted if any of the role has access to the api
public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class);
@Inject
AccountService _accountService;
@Inject
ApiServerService _apiServer;
@Inject
IAMService _iamSrv;
@Inject
VMTemplateDao _templateDao;
Set<String> commandsPropertiesOverrides = new HashSet<String>();
Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
List<PluggableService> _services;
protected RoleBasedAPIAccessChecker() {
super();
for (RoleType roleType : RoleType.values()) {
commandsPropertiesRoleBasedApisMap.put(roleType, new HashSet<String>());
}
}
@Override
public boolean checkAccess(User user, String commandName) throws PermissionDeniedException {
Account account = _accountService.getAccount(user.getAccountId());
if (account == null) {
throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId()
+ "is null");
}
List<IAMPolicy> policies = _iamSrv.listIAMPolicies(account.getAccountId());
boolean isAllowed = _iamSrv.isActionAllowedForPolicies(commandName, policies);
if (!isAllowed) {
throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
}
return isAllowed;
}
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
processMapping(PropertiesUtil.processConfigFile(new String[] { "commands.properties" }));
return true;
}
@Override
public boolean start() {
// drop all default policy api permissions - we reload them every time
// to include any changes done to the @APICommand or
// commands.properties.
for (RoleType role : RoleType.values()) {
Long policyId = getDefaultPolicyId(role);
if (policyId != null) {
_iamSrv.resetIAMPolicy(policyId);
}
}
// add the system-domain capability
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), null, null, null,
"SystemCapability", null, Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), null, null, null,
"DomainCapability", null, Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1), null, null, null,
"DomainResourceCapability", null, Permission.Allow, false);
// add permissions for public templates
List<VMTemplateVO> pTmplts = _templateDao.listByPublic();
for (VMTemplateVO tmpl : pTmplts){
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
}
for (PluggableService service : _services) {
for (Class<?> cmdClass : service.getCommands()) {
APICommand command = cmdClass.getAnnotation(APICommand.class);
if (!commandsPropertiesOverrides.contains(command.name())) {
for (RoleType role : command.authorized()) {
addDefaultAclPolicyPermission(command.name(), cmdClass, role);
}
}
}
}
// read commands.properties and load api acl permissions -
// commands.properties overrides any @APICommand authorization
for (String apiName : commandsPropertiesOverrides) {
Class<?> cmdClass = _apiServer.getCmdClass(apiName);
for (RoleType role : RoleType.values()) {
if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) {
// insert permission for this role for this api
addDefaultAclPolicyPermission(apiName, cmdClass, role);
}
}
}
return super.start();
}
private Long getDefaultPolicyId(RoleType role) {
Long policyId = null;
switch (role) {
case User:
policyId = new Long(Account.ACCOUNT_TYPE_NORMAL + 1);
break;
case Admin:
policyId = new Long(Account.ACCOUNT_TYPE_ADMIN + 1);
break;
case DomainAdmin:
policyId = new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1);
break;
case ResourceAdmin:
policyId = new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1);
break;
}
return policyId;
}
private void processMapping(Map<String, String> configMap) {
for (Map.Entry<String, String> entry : configMap.entrySet()) {
String apiName = entry.getKey();
String roleMask = entry.getValue();
commandsPropertiesOverrides.add(apiName);
try {
short cmdPermissions = Short.parseShort(roleMask);
for (RoleType roleType : RoleType.values()) {
if ((cmdPermissions & roleType.getMask()) != 0)
commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName);
}
} catch (NumberFormatException nfe) {
s_logger.info("Malformed key=value pair for entry: " + entry.toString());
}
}
}
public List<PluggableService> getServices() {
return _services;
}
@Inject
public void setServices(List<PluggableService> services) {
_services = services;
}
private void addDefaultAclPolicyPermission(String apiName, Class<?> cmdClass, RoleType role) {
AccessType accessType = null;
Class<?>[] entityTypes = null;
PermissionScope permissionScope = PermissionScope.ACCOUNT;
Long policyId = getDefaultPolicyId(role);
switch (role) {
case User:
permissionScope = PermissionScope.ACCOUNT;
break;
case Admin:
permissionScope = PermissionScope.ALL;
break;
case DomainAdmin:
permissionScope = PermissionScope.DOMAIN;
break;
case ResourceAdmin:
permissionScope = PermissionScope.DOMAIN;
break;
}
boolean addAccountScopedUseEntry = false;
if (cmdClass != null) {
BaseCmd cmdObj;
try {
cmdObj = (BaseCmd) cmdClass.newInstance();
if (cmdObj instanceof BaseListCmd) {
if (permissionScope == PermissionScope.ACCOUNT) {
accessType = AccessType.UseEntry;
} else {
accessType = AccessType.ListEntry;
addAccountScopedUseEntry = true;
}
} else {
accessType = AccessType.OperateEntry;
}
} catch (Exception e) {
throw new CloudRuntimeException(String.format(
"%s is claimed as an API command, but it cannot be instantiated", cmdClass.getName()));
}
APICommand at = cmdClass.getAnnotation(APICommand.class);
entityTypes = at.entityType();
}
if (entityTypes == null || entityTypes.length == 0) {
_iamSrv.addIAMPermissionToIAMPolicy(policyId, null, permissionScope.toString(), new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false);
if (addAccountScopedUseEntry) {
_iamSrv.addIAMPermissionToIAMPolicy(policyId, null, PermissionScope.ACCOUNT.toString(), new Long(
IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, AccessType.UseEntry.toString(), Permission.Allow, false);
}
} else {
for (Class<?> entityType : entityTypes) {
_iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(), permissionScope.toString(), new Long(
IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false);
if (addAccountScopedUseEntry) {
_iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(), PermissionScope.ACCOUNT.toString(), new Long(
IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, AccessType.UseEntry.toString(), Permission.Allow, false);
}
}
}
}
}

329
services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
View File

@ -1,329 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMService;
import com.cloud.acl.DomainChecker;
import com.cloud.domain.dao.DomainDao;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.user.Account;
import com.cloud.user.AccountService;
public class RoleBasedEntityAccessChecker extends DomainChecker implements SecurityChecker {
private static final Logger s_logger = Logger.getLogger(RoleBasedEntityAccessChecker.class.getName());
@Inject
AccountService _accountService;
@Inject DomainDao _domainDao;
@Inject
IAMService _iamSrv;
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
throws PermissionDeniedException {
return checkAccess(caller, entity, accessType, null);
}
private String buildAccessCacheKey(Account caller, ControlledEntity entity, AccessType accessType, String action) {
StringBuffer key = new StringBuffer();
key.append(caller.getAccountId());
key.append("-");
String entityType = null;
if (entity != null && entity.getEntityType() != null) {
entityType = entity.getEntityType().getSimpleName();
if (entity instanceof InternalIdentity) {
entityType += ((InternalIdentity)entity).getId();
}
}
key.append(entityType != null ? entityType : "null");
key.append("-");
key.append(accessType != null ? accessType.toString() : "null");
key.append("-");
key.append(action != null ? action : "null");
return key.toString();
}
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
throws PermissionDeniedException {
if (caller == null) {
throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!");
}
if (entity == null && action == null) {
throw new InvalidParameterValueException("Entity and action cannot be both NULL in checkAccess!");
}
// check IAM cache first
String accessKey = buildAccessCacheKey(caller, entity, accessType, action);
CheckAccessResult allowDeny = (CheckAccessResult)_iamSrv.getFromIAMCache(accessKey);
if (allowDeny != null) {
s_logger.debug("IAM access check for " + accessKey + " from cache: " + allowDeny.isAllow());
if (allowDeny.isAllow()) {
return true;
} else {
if (allowDeny.getDenyMsg() != null) {
throw new PermissionDeniedException(allowDeny.getDenyMsg());
} else {
return false;
}
}
}
if (entity == null && action != null) {
// check if caller can do this action
List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());
boolean isAllowed = _iamSrv.isActionAllowedForPolicies(action, policies);
if (!isAllowed) {
String msg = "The action '" + action + "' not allowed for account " + caller;
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
throw new PermissionDeniedException(msg);
}
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
return true;
}
// if a Project entity, skip
Account entityAccount = _accountService.getAccount(entity.getAccountId());
if (entityAccount != null && entityAccount.getType() == Account.ACCOUNT_TYPE_PROJECT) {
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
return false;
}
String entityType = null;
if (entity.getEntityType() != null) {
entityType = entity.getEntityType().getSimpleName();
}
if (accessType == null) {
accessType = AccessType.UseEntry;
}
// get all Policies of this caller by considering recursive domain group policy
List<IAMPolicy> policies = getEffectivePolicies(caller);
HashMap<IAMPolicy, Boolean> policyPermissionMap = new HashMap<IAMPolicy, Boolean>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> permissions = new ArrayList<IAMPolicyPermission>();
if (action != null) {
permissions = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action, entityType);
if (permissions.isEmpty()) {
if (accessType != null) {
for (AccessType type : AccessType.values()) {
if (type.ordinal() >= accessType.ordinal()) {
permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
type.toString(), entityType));
}
}
}
}
} else {
if (accessType != null) {
for (AccessType type : AccessType.values()) {
if (type.ordinal() >= accessType.ordinal()) {
permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(),
type.toString(), entityType));
}
}
}
}
for (IAMPolicyPermission permission : permissions) {
if (checkPermissionScope(caller, permission.getScope(), permission.getScopeId(), entity)) {
if (permission.getEntityType().equals(entityType)) {
policyPermissionMap.put(policy, permission.getPermission().isGranted());
break;
} else if (permission.getEntityType().equals("*")) {
policyPermissionMap.put(policy, permission.getPermission().isGranted());
}
}
}
if (policyPermissionMap.containsKey(policy) && policyPermissionMap.get(policy)) {
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
return true;
}
}
if (!policies.isEmpty()) { // Since we reach this point, none of the
// roles granted access
String msg = "Account " + caller + " does not have permission to access resource " + entity
+ " for access type: " + accessType;
if (s_logger.isDebugEnabled()) {
s_logger.debug(msg);
}
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
throw new PermissionDeniedException(msg);
}
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
return false;
}
@Override
public boolean checkAccess(Account caller, AccessType accessType, String action, ControlledEntity... entities)
throws PermissionDeniedException {
// operate access on multiple entities?
if (accessType != null && accessType == AccessType.OperateEntry) {
// In this case caller MUST own n-1 entities.
for (ControlledEntity entity : entities) {
checkAccess(caller, entity, accessType, action);
boolean otherEntitiesAccess = true;
for (ControlledEntity otherEntity : entities) {
if (otherEntity.getAccountId() == caller.getAccountId()
|| (checkAccess(caller, otherEntity, accessType, action) && otherEntity.getAccountId() == entity
.getAccountId())) {
continue;
} else {
otherEntitiesAccess = false;
break;
}
}
if (otherEntitiesAccess) {
return true;
}
}
throw new PermissionDeniedException(caller
+ " does not have permission to perform this operation on these resources");
} else {
for (ControlledEntity entity : entities) {
if (!checkAccess(caller, entity, accessType, action)) {
return false;
}
}
return true;
}
}
private boolean checkPermissionScope(Account caller, String scope, Long scopeId, ControlledEntity entity) {
if(scopeId != null && !scopeId.equals(new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))){
//scopeId is set
if (scope.equals(PermissionScope.ACCOUNT.name())) {
if(scopeId == entity.getAccountId()){
return true;
}
} else if (scope.equals(PermissionScope.DOMAIN.name())) {
if (_domainDao.isChildDomain(scopeId, entity.getDomainId())) {
return true;
}
} else if (scope.equals(PermissionScope.RESOURCE.name())) {
if (entity instanceof InternalIdentity) {
InternalIdentity entityWithId = (InternalIdentity) entity;
if(scopeId.equals(entityWithId.getId())){
return true;
}
}
}
} else if (scopeId == null || scopeId.equals(new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))) {
if (scope.equals(PermissionScope.ACCOUNT.name())) {
if(caller.getAccountId() == entity.getAccountId()){
return true;
}
} else if (scope.equals(PermissionScope.DOMAIN.name())) {
if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
return true;
}
}
}
return false;
}
private List<IAMPolicy> getEffectivePolicies(Account caller) {
List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getId());
List<IAMGroup> groups = _iamSrv.listIAMGroups(caller.getId());
for (IAMGroup group : groups) {
// for each group find the grand parent groups.
List<IAMGroup> parentGroups = _iamSrv.listParentIAMGroups(group.getId());
for (IAMGroup parentGroup : parentGroups) {
policies.addAll(_iamSrv.listRecursiveIAMPoliciesByGroup(parentGroup.getId()));
}
}
return policies;
}
private class CheckAccessResult {
boolean allow;
String denyMsg;
public CheckAccessResult(boolean aw) {
this(aw, null);
}
public CheckAccessResult(String msg) {
this(false, msg);
}
public CheckAccessResult(boolean aw, String msg) {
allow = aw;
denyMsg = msg;
}
public boolean isAllow() {
return allow;
}
public void setAllow(boolean aw) {
allow = aw;
}
public String getDenyMsg() {
return denyMsg;
}
public void setDenyMsg(String denyMsg) {
this.denyMsg = denyMsg;
}
}
}

188
services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
View File

@ -1,188 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam;
import java.util.ArrayList;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.QuerySelector;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMService;
import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao;
import com.cloud.user.Account;
import com.cloud.utils.component.AdapterBase;
public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
@Inject
IAMService _iamService;
@Inject
DomainDao _domainDao;
@Override
public List<Long> getAuthorizedDomains(Account caller, String action, AccessType accessType) {
long accountId = caller.getAccountId();
if (accessType == null) {
accessType = AccessType.UseEntry; // default always show resources authorized to use
}
// Get the static Policies of the Caller
List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
// for each policy, find granted permission with Domain scope
List<Long> domainIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
PermissionScope.DOMAIN.toString(), accessType.toString()));
if (pp != null) {
for (IAMPolicyPermission p : pp) {
if (p.getScopeId() != null) {
Long domainId = null;
if (p.getScopeId().longValue() == -1) {
domainId = caller.getDomainId();
//domainIds.add(caller.getDomainId());
} else {
domainId = p.getScopeId();
//domainIds.add(p.getScopeId());
}
//domainIds.add(domainId);
// add all the domain children from this domain (including this domain itself). Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that
// the whole domain tree is granted access.
DomainVO domain = _domainDao.findById(domainId);
List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath());
if (childDomains != null && childDomains.size() > 0) {
domainIds.addAll(childDomains);
}
}
}
}
}
return domainIds;
}
@Override
public List<Long> getAuthorizedAccounts(Account caller, String action, AccessType accessType) {
long accountId = caller.getAccountId();
if (accessType == null) {
accessType = AccessType.UseEntry; // default always show resources authorized to use
}
// Get the static Policies of the Caller
List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
// for each policy, find granted permission with Account scope
List<Long> accountIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
PermissionScope.ACCOUNT.toString(), accessType.toString()));
if (pp != null) {
for (IAMPolicyPermission p : pp) {
if (p.getScopeId() != null) {
if (p.getScopeId().longValue() == -1) {
accountIds.add(caller.getId());
} else {
accountIds.add(p.getScopeId());
}
}
}
}
}
return accountIds;
}
@Override
public List<Long> getAuthorizedResources(Account caller, String action, AccessType accessType) {
long accountId = caller.getAccountId();
if (accessType == null) {
accessType = AccessType.UseEntry; // default always show resources authorized to use
}
// Get the static Policies of the Caller
List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
// add the policies that grant recursive access
List<IAMGroup> groups = _iamService.listIAMGroups(caller.getId());
for (IAMGroup group : groups) {
// for each group find the grand parent groups.
List<IAMGroup> parentGroups = _iamService.listParentIAMGroups(group.getId());
for (IAMGroup parentGroup : parentGroups) {
policies.addAll(_iamService.listRecursiveIAMPoliciesByGroup(parentGroup.getId()));
}
}
// for each policy, find granted permission with Resource scope
List<Long> entityIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action,
PermissionScope.RESOURCE.toString(), accessType.toString()));
if (pp != null) {
for (IAMPolicyPermission p : pp) {
if (p.getScopeId() != null) {
entityIds.add(p.getScopeId());
}
}
}
}
return entityIds;
}
@Override
public boolean isGrantedAll(Account caller, String action, AccessType accessType) {
long accountId = caller.getAccountId();
if (accessType == null) {
accessType = AccessType.UseEntry; // default always show resources authorized to use
}
// Get the static Policies of the Caller
List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
// for each policy, find granted permission with ALL scope
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ALL.toString(),
accessType.toString()));
if (pp != null && pp.size() > 0) {
return true;
}
}
return false;
}
@Override
public List<String> listAclGroupsByAccount(long accountId) {
List<IAMGroup> groups = _iamService.listIAMGroups(accountId);
List<String> groupNames = new ArrayList<String>();
for (IAMGroup grp : groups) {
groupNames.add(grp.getName());
}
return groupNames;
}
}

18
services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties
View File

@ -1,18 +0,0 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
name=iam-access-checkers
parent=api

35
services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml
View File

@ -1,35 +0,0 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd"
>
<bean id="RoleBasedAPIAccessChecker" class="org.apache.cloudstack.iam.RoleBasedAPIAccessChecker" />
<bean id="RoleBasedEntityAccessChecker" class="org.apache.cloudstack.iam.RoleBasedEntityAccessChecker" />
<bean id="RoleBasedEntityQuerySelector" class="org.apache.cloudstack.iam.RoleBasedEntityQuerySelector" />
<bean id="IAMApiServiceImpl" class="org.apache.cloudstack.iam.IAMApiServiceImpl" />
</beans>

385
services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
View File

@ -1,385 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.doNothing;
import static org.mockito.Mockito.when;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.junit.After;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mockito;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.ComponentScan.Filter;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.FilterType;
import org.springframework.core.type.classreading.MetadataReader;
import org.springframework.core.type.classreading.MetadataReaderFactory;
import org.springframework.core.type.filter.TypeFilter;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.support.AnnotationConfigContextLoader;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.vm.ListVMsCmd;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.iam.IAMGroupResponse;
import org.apache.cloudstack.api.response.iam.IAMPermissionResponse;
import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.framework.messagebus.MessageBus;
import org.apache.cloudstack.iam.IAMApiService;
import org.apache.cloudstack.iam.IAMApiServiceImpl;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService;
import org.apache.cloudstack.iam.server.IAMGroupVO;
import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO;
import org.apache.cloudstack.iam.server.IAMPolicyVO;
import org.apache.cloudstack.test.utils.SpringUtils;
import com.cloud.api.ApiServerService;
import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao;
import com.cloud.network.dao.NetworkDomainDao;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.UserVO;
import com.cloud.user.dao.AccountDao;
import com.cloud.utils.Pair;
import com.cloud.utils.component.ComponentContext;
import com.cloud.utils.db.EntityManager;
import com.cloud.vm.VirtualMachine;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
public class IAMApiServiceTest {
@Inject
IAMService _iamSrv;
@Inject
DomainDao _domainDao;
@Inject
IAMApiService _aclSrv;
@Inject
AccountManager _accountMgr;
@Inject
AccountDao _accountDao;
@Inject
ApiServerService _apiServer;
private static Account caller;
private static Long callerId;
private static String callerAccountName = "tester";
private static Long callerDomainId = 3L;
private static String callerDomainPath = "/root/testdomain";
private static DomainVO callerDomain;
@BeforeClass
public static void setUpClass() throws ConfigurationException {
}
@Before
public void setUp() {
ComponentContext.initComponentsLifeCycle();
caller = new AccountVO(callerAccountName, callerDomainId, null, Account.ACCOUNT_TYPE_ADMIN, UUID.randomUUID().toString());
callerId = caller.getId();
callerDomain = new DomainVO();
callerDomain.setPath(callerDomainPath);
UserVO user = new UserVO(1, "testuser", "password", "firstname", "lastName", "email", "timezone", UUID.randomUUID().toString());
CallContext.register(user, caller);
when(_domainDao.findById(callerDomainId)).thenReturn(callerDomain);
doNothing().when(_accountMgr).checkAccess(caller, callerDomain);
}
@Test
public void createIAMGroupTest() {
IAMGroup group = new IAMGroupVO("group1", "tester group1");
List<IAMGroup> groups = new ArrayList<IAMGroup>();
groups.add(group);
Pair<List<IAMGroup>, Integer> grpList = new Pair<List<IAMGroup>, Integer>(groups, 1);
when(_iamSrv.createIAMGroup("group1", "tester group1", callerDomainPath)).thenReturn(group);
when(_iamSrv.listIAMGroups(null, null, callerDomainPath, 0L, 20L)).thenReturn(grpList);
IAMGroup createdGrp = _aclSrv.createIAMGroup(caller, "group1", "tester group1");
assertNotNull("IAM group 'group1' failed to create ", createdGrp);
ListResponse<IAMGroupResponse> grpResp = _aclSrv.listIAMGroups(null, null, callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", grpResp.getCount() == 1);
IAMGroupResponse resp = grpResp.getResponses().get(0);
assertEquals("Error in created group name", "group1", resp.getName());
}
@Test
public void deleteIAMGroupTest() {
when(_iamSrv.deleteIAMGroup(1L)).thenReturn(true);
assertTrue("failed to delete acl group 1", _aclSrv.deleteIAMGroup(1L));
}
@Test
public void listIAMGroupTest() {
IAMGroup group = new IAMGroupVO("group1", "tester group1");
List<IAMGroup> groups = new ArrayList<IAMGroup>();
groups.add(group);
when(_iamSrv.listIAMGroups(callerId)).thenReturn(groups);
List<IAMGroup> grps = _aclSrv.listIAMGroups(callerId);
assertTrue(grps != null && grps.size() == 1);
IAMGroup grp = grps.get(0);
assertEquals("Error to retrieve group", "group1", grp.getName());
}
@Test
public void addRemoveAccountToGroupTest() {
IAMGroup group = new IAMGroupVO("group1", "tester group1");
List<IAMGroup> groups = new ArrayList<IAMGroup>();
groups.add(group);
Long groupId = group.getId();
List<Long> acctIds = new ArrayList<Long>();
AccountVO acct1 = new AccountVO(100L);
acct1.setAccountName("account1");
AccountVO acct2 = new AccountVO(200L);
acct2.setAccountName("account2");
acctIds.add(acct1.getId());
acctIds.add(acct2.getId());
when(_accountDao.findById(acct1.getId())).thenReturn(acct1);
when(_accountDao.findById(acct2.getId())).thenReturn(acct2);
when(_iamSrv.addAccountsToGroup(acctIds, groupId)).thenReturn(group);
when(_iamSrv.listAccountsByGroup(groupId)).thenReturn(acctIds);
Pair<List<IAMGroup>, Integer> grpList = new Pair<List<IAMGroup>, Integer>(groups, 1);
when(_iamSrv.listIAMGroups(null, "group1", callerDomainPath, 0L, 20L)).thenReturn(grpList);
_aclSrv.addAccountsToGroup(acctIds, groupId);
ListResponse<IAMGroupResponse> grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", grpResp.getCount() == 1);
IAMGroupResponse resp = grpResp.getResponses().get(0);
Set<String> acctNames = resp.getAccountNameList();
assertEquals("There should be 2 accounts in the group", 2, acctNames.size());
assertTrue("account1 should be assigned to the group", acctNames.contains("account1"));
assertTrue("account2 should be assigned to the group", acctNames.contains("account2"));
// remove "account2" from group1
acctIds.remove(1);
List<Long> rmAccts = new ArrayList<Long>();
rmAccts.add(acct2.getId());
when(_iamSrv.removeAccountsFromGroup(rmAccts, groupId)).thenReturn(group);
_aclSrv.removeAccountsFromGroup(acctIds, groupId);
grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", grpResp.getCount() == 1);
resp = grpResp.getResponses().get(0);
acctNames = resp.getAccountNameList();
assertEquals("There should be 1 accounts in the group", 1, acctNames.size());
assertFalse("account2 should not belong to the group anymore", acctNames.contains("account2"));
}
@Test
public void createIAMPolicyTest() {
IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
policies.add(policy);
Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
when(_iamSrv.createIAMPolicy("policy1", "tester policy1", null, callerDomainPath)).thenReturn(policy);
when(_iamSrv.listIAMPolicies(null, null, callerDomainPath, 0L, 20L)).thenReturn(policyList);
IAMPolicy createdPolicy = _aclSrv.createIAMPolicy(caller, "policy1", "tester policy1", null);
assertNotNull("IAM policy 'policy1' failed to create ", createdPolicy);
ListResponse<IAMPolicyResponse> policyResp = _aclSrv.listIAMPolicies(null, null, callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", policyResp.getCount() == 1);
IAMPolicyResponse resp = policyResp.getResponses().get(0);
assertEquals("Error in created group name", "policy1", resp.getName());
}
@Test
public void deleteIAMPolicyTest() {
when(_iamSrv.deleteIAMPolicy(1L)).thenReturn(true);
assertTrue("failed to delete acl policy 1", _aclSrv.deleteIAMPolicy(1L));
}
@Test
public void listIAMPolicyTest() {
IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
policies.add(policy);
when(_iamSrv.listIAMPolicies(callerId)).thenReturn(policies);
List<IAMPolicy> polys = _aclSrv.listIAMPolicies(callerId);
assertTrue(polys != null && polys.size() == 1);
IAMPolicy p = polys.get(0);
assertEquals("Error to retrieve group", "policy1", p.getName());
}
@Test
public void addRemovePolicyToGroupTest() {
IAMGroup group = new IAMGroupVO("group1", "tester group1");
List<IAMGroup> groups = new ArrayList<IAMGroup>();
groups.add(group);
Long groupId = group.getId();
List<Long> policyIds = new ArrayList<Long>();
policyIds.add(100L);
policyIds.add(200L);
IAMPolicy policy1 = new IAMPolicyVO("policy1", "my first policy");
IAMPolicy policy2 = new IAMPolicyVO("policy2", "my second policy");
List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
policies.add(policy1);
policies.add(policy2);
when(_iamSrv.attachIAMPoliciesToGroup(policyIds, groupId)).thenReturn(group);
when(_iamSrv.listIAMPoliciesByGroup(groupId)).thenReturn(policies);
Pair<List<IAMGroup>, Integer> grpList = new Pair<List<IAMGroup>, Integer>(groups, 1);
when(_iamSrv.listIAMGroups(null, "group1", callerDomainPath, 0L, 20L)).thenReturn(grpList);
_aclSrv.attachIAMPoliciesToGroup(policyIds, groupId);
ListResponse<IAMGroupResponse> grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", grpResp.getCount() == 1);
IAMGroupResponse resp = grpResp.getResponses().get(0);
Set<String> policyNames = resp.getPolicyList();
assertEquals("There should be 2 policies in the group", 2, policyNames.size());
assertTrue("policy1 should be assigned to the group", policyNames.contains("policy1"));
assertTrue("policy2 should be assigned to the group", policyNames.contains("policy2"));
// remove "policy2" from group1
policyIds.remove(1);
policies.remove(policy2);
when(_iamSrv.removeIAMPoliciesFromGroup(policyIds, groupId)).thenReturn(group);
_aclSrv.removeIAMPoliciesFromGroup(policyIds, groupId);
grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", grpResp.getCount() == 1);
resp = grpResp.getResponses().get(0);
policyNames = resp.getPolicyList();
assertEquals("There should be 1 policy attached to the group", 1, policyNames.size());
assertFalse("policy2 should not belong to the group anymore", policyNames.contains("policy2"));
}
@Test
public void addRemovePermissionToPolicyTest() {
IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
policies.add(policy);
Long policyId = policy.getId();
Long resId = 200L;
Class clz = ListVMsCmd.class;
when(_apiServer.getCmdClass("listVirtualMachines")).thenReturn(clz);
when(
_iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines",
AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy);
_aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false, false);
Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
List<IAMPolicyPermission> policyPerms = new ArrayList<IAMPolicyPermission>();
IAMPolicyPermission perm = new IAMPolicyPermissionVO(policyId, "listVirtualMachines",
VirtualMachine.class.getSimpleName(), AccessType.UseEntry.toString(),
PermissionScope.RESOURCE.toString(),
resId, Permission.Allow, false);
policyPerms.add(perm);
when(_iamSrv.listIAMPolicies(null, "policy1", callerDomainPath, 0L, 20L)).thenReturn(policyList);
when(_iamSrv.listPolicyPermissions(policyId)).thenReturn(policyPerms);
ListResponse<IAMPolicyResponse> policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", policyResp.getCount() == 1);
IAMPolicyResponse resp = policyResp.getResponses().get(0);
Set<IAMPermissionResponse> permList = resp.getPermissionList();
assertTrue("Permission list should not be empty", permList != null && permList.size() > 0);
IAMPermissionResponse permResp = permList.iterator().next();
assertEquals("There should be one permission for listVirtualMachines", "listVirtualMachines", permResp.getAction());
//remove permission from policy
policyPerms.remove(perm);
_aclSrv.removeIAMPermissionFromIAMPolicy(policyId, VirtualMachine.class.getSimpleName(),
PermissionScope.RESOURCE, resId, "listVirtualMachines");
policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", policyResp.getCount() == 1);
resp = policyResp.getResponses().get(0);
permList = resp.getPermissionList();
assertTrue("Permission list should be empty", permList != null && permList.size() == 0);
}
@After
public void tearDown() {
}
@Configuration
@ComponentScan(basePackageClasses = {IAMApiServiceImpl.class}, includeFilters = {@Filter(value = TestConfiguration.Library.class, type = FilterType.CUSTOM)}, useDefaultFilters = false)
public static class TestConfiguration extends SpringUtils.CloudStackTestConfiguration {
@Bean
public DomainDao domainDao() {
return Mockito.mock(DomainDao.class);
}
@Bean
public IAMService iamService() {
return Mockito.mock(IAMService.class);
}
@Bean
public AccountDao accountDao() {
return Mockito.mock(AccountDao.class);
}
@Bean
public NetworkDomainDao networkDomainDao() {
return Mockito.mock(NetworkDomainDao.class);
}
@Bean
public AccountManager accountManager() {
return Mockito.mock(AccountManager.class);
}
@Bean
public MessageBus messageBus() {
return Mockito.mock(MessageBus.class);
}
@Bean
public EntityManager entityMgr() {
return Mockito.mock(EntityManager.class);
}
@Bean
public ApiServerService apiServerService() {
return Mockito.mock(ApiServerService.class);
}
public static class Library implements TypeFilter {
@Override
public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException {
ComponentScan cs = TestConfiguration.class.getAnnotation(ComponentScan.class);
return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs);
}
}
}
}

73
services/iam/plugin/src/test/resources/db.properties
View File

@ -1,73 +0,0 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# management server clustering parameters, change cluster.node.IP to the machine IP address
# in which the management server is running
cluster.node.IP=127.0.0.1
cluster.servlet.port=9090
region.id=1
# CloudStack database settings
db.cloud.username=cloud
db.cloud.password=cloud
db.root.password=
db.cloud.host=localhost
db.cloud.driver=jdbc:mysql
db.cloud.port=3306
db.cloud.name=cloud
# CloudStack database tuning parameters
db.cloud.maxActive=250
db.cloud.maxIdle=30
db.cloud.maxWait=10000
db.cloud.autoReconnect=true
db.cloud.validationQuery=SELECT 1
db.cloud.testOnBorrow=true
db.cloud.testWhileIdle=true
db.cloud.timeBetweenEvictionRunsMillis=40000
db.cloud.minEvictableIdleTimeMillis=240000
db.cloud.poolPreparedStatements=false
db.cloud.url.params=prepStmtCacheSize=517&cachePrepStmts=true&prepStmtCacheSqlLimit=4096
# usage database settings
db.usage.username=cloud
db.usage.password=cloud
db.usage.host=localhost
# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
db.usage.driver=jdbc:mysql
db.usage.port=3306
db.usage.name=cloud_usage
# usage database tuning parameters
db.usage.maxActive=100
db.usage.maxIdle=30
db.usage.maxWait=10000
db.usage.autoReconnect=true
# Simulator database settings
db.simulator.username=cloud
db.simulator.password=cloud
db.simulator.host=localhost
# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
db.simulator.driver=jdbc:mysql
db.simulator.port=3306
db.simulator.name=simulator
db.simulator.maxActive=250
db.simulator.maxIdle=30
db.simulator.maxWait=10000
db.simulator.autoReconnect=true

59
services/iam/pom.xml
View File

@ -1,59 +0,0 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>cloudstack-service-iam</artifactId>
<name>Apache CloudStack IAM Service</name>
<packaging>pom</packaging>
<parent>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloudstack-services</artifactId>
<version>4.7.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<build>
<defaultGoal>install</defaultGoal>
</build>
<modules>
<module>plugin</module>
<module>server</module>
</modules>
<!--
<dependencies>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-api</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-utils</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-api</artifactId>
<version>${project.version}</version>
<type>test-jar</type>
<scope>test</scope>
</dependency>
</dependencies>
-->
</project>

57
services/iam/server/pom.xml
View File

@ -1,57 +0,0 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>cloud-iam</artifactId>
<name>Apache CloudStack IAM - Server</name>
<parent>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloudstack-service-iam</artifactId>
<version>4.12.0.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<dependencies>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</dependency>
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache-core</artifactId>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-utils</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-api</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-api</artifactId>
<version>${project.version}</version>
<type>test-jar</type>
<scope>test</scope>
</dependency>
</dependencies>
</project>

37
services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java
View File

@ -1,37 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.api.InternalIdentity;
public interface IAMGroup extends InternalIdentity, Identity {
String getName();
String getDescription();
@Override
long getId();
@Override
String getUuid();
String getPath();
long getAccountId();
}

41
services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java
View File

@ -1,41 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.api.InternalIdentity;
public interface IAMPolicy extends InternalIdentity, Identity {
String getName();
String getDescription();
public enum PolicyType {
Static, Dynamic
}
@Override
long getId();
@Override
String getUuid();
String getPath();
long getAccountId();
}

53
services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java
View File

@ -1,53 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api;
public interface IAMPolicyPermission {
String getAction();
long getAclPolicyId();
String getEntityType();
String getAccessType();
String getScope();
Long getScopeId();
Permission getPermission();
public enum Permission {
Allow(true), Deny(false);
boolean result;
Permission(boolean result) {
this.result = result;
}
public boolean isGranted() {
return result;
}
}
long getId();
public static final long PERMISSION_SCOPE_ID_CURRENT_CALLER = -1;
}

99
services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java
View File

@ -1,99 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api;
import java.util.List;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import com.cloud.utils.Pair;
public interface IAMService {
/* IAM group related interfaces */
IAMGroup createIAMGroup(String iamGroupName, String description, String path);
boolean deleteIAMGroup(Long iamGroupId);
List<IAMGroup> listIAMGroups(long accountId);
IAMGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
IAMGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
List<Long> listAccountsByGroup(long groupId);
Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize);
/* IAM Policy related interfaces */
IAMPolicy createIAMPolicy(String iamPolicyName, String description, Long parentPolicyId, String path);
boolean deleteIAMPolicy(long iamPolicyId);
List<IAMPolicy> listIAMPolicies(long accountId);
List<IAMPolicy> listIAMPoliciesByGroup(long groupId);
Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize);
IAMGroup attachIAMPoliciesToGroup(List<Long> policyIds, Long groupId);
IAMGroup removeIAMPoliciesFromGroup(List<Long> policyIds, Long groupId);
void attachIAMPolicyToAccounts(Long policyId, List<Long> acctIds);
void removeIAMPolicyFromAccounts(Long policyId, List<Long> acctIds);
IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
String action, String accessType, Permission perm, Boolean recursive);
IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
String action);
void removeIAMPermissionForEntity(final String entityType, final Long entityId);
IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action);
IAMPolicy getResourceOwnerPolicy();
List<IAMPolicyPermission> listPolicyPermissions(long policyId);
List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope, String accessType);
List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action, String entityType);
boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies);
List<Long> getGrantedEntities(long accountId, String action, String scope);
IAMPolicy resetIAMPolicy(long iamPolicyId);
List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
String entityType);
List<IAMGroup> listParentIAMGroups(long groupId);
List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId);
/* Interface used for cache IAM checkAccess result */
void addToIAMCache(Object accessKey, Object allowDeny);
Object getFromIAMCache(Object accessKey);
void invalidateIAMCache();
}

77
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java
View File

@ -1,77 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("iam_account_policy_map"))
public class IAMAccountPolicyMapVO {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private Long id;
@Column(name = "account_id")
private long accountId;
@Column(name = "policy_id")
private long iamPolicyId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public IAMAccountPolicyMapVO() {
}
public IAMAccountPolicyMapVO(long accountId, long iamPolicyId) {
this.accountId = accountId;
this.iamPolicyId = iamPolicyId;
}
public long getId() {
return id;
}
public long getAccountId() {
return accountId;
}
public long getIamPolicyId() {
return iamPolicyId;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}

78
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java
View File

@ -1,78 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("iam_group_account_map"))
public class IAMGroupAccountMapVO {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private Long id;
@Column(name = "group_id")
private long aclGroupId;
@Column(name = "account_id")
private long accountId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public IAMGroupAccountMapVO() {
}
public IAMGroupAccountMapVO(long aclGroupId, long accountId) {
this.aclGroupId = aclGroupId;
this.accountId = accountId;
}
public long getId() {
return id;
}
public long getAclGroupId() {
return aclGroupId;
}
public long getAccountId() {
return accountId;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}

79
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java
View File

@ -1,79 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("iam_group_policy_map"))
public class IAMGroupPolicyMapVO {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private Long id;
@Column(name = "group_id")
private long aclGroupId;
@Column(name = "policy_id")
private long aclPolicyId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public IAMGroupPolicyMapVO() {
}
public IAMGroupPolicyMapVO(long aclGroupId, long aclPolicyId) {
this.aclGroupId = aclGroupId;
this.aclPolicyId = aclPolicyId;
}
public long getId() {
return id;
}
public long getAclGroupId() {
return aclGroupId;
}
public long getAclPolicyId() {
return aclPolicyId;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}

122
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java
View File

@ -1,122 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import java.util.UUID;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.iam.api.IAMGroup;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("iam_group"))
public class IAMGroupVO implements IAMGroup {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "uuid")
private String uuid;
@Column(name = "path")
private String path;
@Column(name = "account_id")
private long accountId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public IAMGroupVO() {
uuid = UUID.randomUUID().toString();
}
public IAMGroupVO(String name, String description) {
this.name = name;
this.description = description;
uuid = UUID.randomUUID().toString();
path = "/";
}
@Override
public long getId() {
return id;
}
@Override
public String getName() {
return name;
}
@Override
public String getDescription() {
return description;
}
@Override
public String getPath() {
return path;
}
public void setPath(String path) {
this.path = path;
}
@Override
public long getAccountId() {
return accountId;
}
public void setAccountId(long acctId) {
accountId = acctId;
}
@Override
public String getUuid() {
return uuid;
}
public void setUuid(String uuid) {
this.uuid = uuid;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}

181
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java
View File

@ -1,181 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("iam_policy_permission"))
public class IAMPolicyPermissionVO implements IAMPolicyPermission {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "policy_id")
private long aclPolicyId;
@Column(name = "action")
private String action;
@Column(name = "resource_type")
private String entityType;
@Column(name = "access_type")
private String accessType;
@Column(name = "scope")
private String scope;
@Column(name = "scope_id")
private Long scopeId;
@Column(name = "permission")
@Enumerated(value = EnumType.STRING)
private Permission permission;
@Column(name = "recursive")
private Boolean recursive;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public IAMPolicyPermissionVO() {
}
public IAMPolicyPermissionVO(long aclPolicyId, String action, String entityType, String accessType, String scope,
Long scopeId, Permission permission, Boolean recursive) {
this.aclPolicyId = aclPolicyId;
this.action = action;
this.entityType = entityType;
this.accessType = accessType;
this.scope = scope;
this.scopeId = scopeId;
this.permission = permission;
this.recursive = recursive;
}
@Override
public long getId() {
return id;
}
@Override
public long getAclPolicyId() {
return aclPolicyId;
}
public void setAclPolicyId(long aclPolicyId) {
this.aclPolicyId = aclPolicyId;
}
@Override
public String getEntityType() {
return entityType;
}
@Override
public String getAccessType() {
return accessType;
}
public void setEntityType(String entityType) {
this.entityType = entityType;
}
public void setAccessType(String accessType) {
this.accessType = accessType;
}
@Override
public String getScope() {
return scope;
}
public void setScope(String scope) {
this.scope = scope;
}
@Override
public String getAction() {
return action;
}
@Override
public Long getScopeId() {
// TODO
// handle special -1 scopeId, current caller domain, account
/*
* if ( scopeId < 0 ){ Account caller =
* CallContext.current().getCallingAccount(); if ( scope ==
* PermissionScope.DOMAIN){ return caller.getDomainId(); } else if
* (scope == PermissionScope.ACCOUNT) { return caller.getAccountId(); }
* }
*/
return scopeId;
}
@Override
public Permission getPermission() {
return permission;
}
public void setAction(String action) {
this.action = action;
}
public void setScopeId(Long scopeId) {
this.scopeId = scopeId;
}
public void setPermission(Permission permission) {
this.permission = permission;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
public Boolean isRecursive() {
return recursive;
}
}

138
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java
View File

@ -1,138 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import java.util.UUID;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.iam.api.IAMPolicy;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("iam_policy"))
public class IAMPolicyVO implements IAMPolicy {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "uuid")
private String uuid;
@Column(name = "path")
private String path;
@Column(name = "account_id")
private long accountId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
@Column(name = "policy_type")
@Enumerated(value = EnumType.STRING)
private IAMPolicy.PolicyType policyType;
public IAMPolicyVO() {
uuid = UUID.randomUUID().toString();
}
public IAMPolicyVO(String name, String description) {
this.name = name;
this.description = description;
uuid = UUID.randomUUID().toString();
policyType = IAMPolicy.PolicyType.Static;
}
@Override
public long getId() {
return id;
}
@Override
public String getName() {
return name;
}
@Override
public String getDescription() {
return description;
}
@Override
public String getUuid() {
return uuid;
}
public void setUuid(String uuid) {
this.uuid = uuid;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
@Override
public String getPath() {
return path;
}
public void setPath(String path) {
this.path = path;
}
@Override
public long getAccountId() {
return accountId;
}
public void setAccountId(long accountId) {
this.accountId = accountId;
}
public IAMPolicy.PolicyType getPolicyType() {
return policyType;
}
public void setPolicyType(IAMPolicy.PolicyType policyType) {
this.policyType = policyType;
}
}

904
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java
View File

@ -1,904 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
import net.sf.ehcache.Element;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMPolicyPermission;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService;
import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao;
import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao;
import org.apache.cloudstack.iam.server.dao.IAMGroupDao;
import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao;
import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.utils.NumbersUtil;
import com.cloud.utils.Pair;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.Filter;
import com.cloud.utils.db.GenericSearchBuilder;
import com.cloud.utils.db.JoinBuilder;
import com.cloud.utils.db.JoinBuilder.JoinType;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.TransactionCallbackNoReturn;
import com.cloud.utils.db.TransactionStatus;
public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
public static final Logger s_logger = Logger.getLogger(IAMServiceImpl.class);
private String _name;
@Inject
IAMPolicyDao _aclPolicyDao;
@Inject
IAMGroupDao _aclGroupDao;
@Inject
EntityManager _entityMgr;
@Inject
IAMGroupPolicyMapDao _aclGroupPolicyMapDao;
@Inject
IAMAccountPolicyMapDao _aclAccountPolicyMapDao;
@Inject
IAMGroupAccountMapDao _aclGroupAccountMapDao;
@Inject
IAMPolicyPermissionDao _policyPermissionDao;
private Cache _iamCache;
private void createIAMCache(final Map<String, ? extends Object> params) {
final String value = (String)params.get("cache.size");
if (value != null) {
final CacheManager cm = CacheManager.create();
final int maxElements = NumbersUtil.parseInt(value, 0);
final int live = NumbersUtil.parseInt((String)params.get("cache.time.to.live"), 300);
final int idle = NumbersUtil.parseInt((String)params.get("cache.time.to.idle"), 300);
_iamCache = new Cache(getName(), maxElements, false, live == -1, live == -1 ? Integer.MAX_VALUE : live, idle);
cm.addCache(_iamCache);
s_logger.info("IAM Cache created: " + _iamCache.toString());
} else {
_iamCache = null;
}
}
@Override
public void addToIAMCache(Object accessKey, Object allowDeny) {
if (_iamCache != null) {
try {
s_logger.debug("Put IAM access check for " + accessKey + " in cache");
_iamCache.put(new Element(accessKey, allowDeny));
} catch (final Exception e) {
s_logger.debug("Can't put " + accessKey + " to IAM cache", e);
}
}
}
@Override
public void invalidateIAMCache() {
//This may need to use event bus to publish to other MS, but event bus now is missing this functionality to handle PublishScope.GLOBAL
if (_iamCache != null) {
s_logger.debug("Invalidate IAM cache");
_iamCache.removeAll();
}
}
@Override
public Object getFromIAMCache(Object accessKey) {
if (_iamCache != null) {
final Element element = _iamCache.get(accessKey);
return element == null ? null : element.getObjectValue();
}
return null;
}
@Override
public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
boolean result = super.configure(name, params);
// create IAM cache
createIAMCache(params);
return result;
}
@DB
@Override
public IAMGroup createIAMGroup(String iamGroupName, String description, String path) {
// check if the group is already existing
IAMGroup grp = _aclGroupDao.findByName(path, iamGroupName);
if (grp != null) {
throw new InvalidParameterValueException(
"Unable to create acl group with name " + iamGroupName
+ " already exists for path " + path);
}
IAMGroupVO rvo = new IAMGroupVO(iamGroupName, description);
rvo.setPath(path);
return _aclGroupDao.persist(rvo);
}
@DB
@Override
public boolean deleteIAMGroup(final Long iamGroupId) {
// get the Acl Group entity
final IAMGroup grp = _aclGroupDao.findById(iamGroupId);
if (grp == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + iamGroupId
+ "; failed to delete acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this group related entry in acl_group_policy_map
List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
if (groupPolicyMap != null) {
for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this group related entry in acl_group_account table
List<IAMGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
if (groupAcctMap != null) {
for (IAMGroupAccountMapVO grpAcct : groupAcctMap) {
_aclGroupAccountMapDao.remove(grpAcct.getId());
}
}
// remove this group from acl_group table
_aclGroupDao.remove(iamGroupId);
}
});
invalidateIAMCache();
return true;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMGroup> listIAMGroups(long accountId) {
GenericSearchBuilder<IAMGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
groupSB.selectFields(groupSB.entity().getAclGroupId());
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
SearchCriteria<Long> groupSc = groupSB.create();
groupSc.setParameters("account", accountId);
List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
if (groupIds == null || groupIds.isEmpty()) {
return new ArrayList<IAMGroup>();
}
SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<IAMGroupVO> sc = sb.create();
sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
@SuppressWarnings("rawtypes")
List groups = _aclGroupDao.search(sc, null);
return groups;
}
@DB
@Override
public IAMGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
// get the Acl Group entity
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add accounts to acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_account_map table
for (Long acctId : acctIds) {
// check account permissions
IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap == null) {
// not there already
grMap = new IAMGroupAccountMapVO(groupId, acctId);
_aclGroupAccountMapDao.persist(grMap);
}
}
}
});
invalidateIAMCache();
return group;
}
@DB
@Override
public IAMGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
// get the Acl Group entity
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove accounts from acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_group_account_map table
for (Long acctId : acctIds) {
IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap != null) {
// not removed yet
_aclGroupAccountMapDao.remove(grMap.getId());
}
}
}
});
invalidateIAMCache();
return group;
}
@Override
public List<Long> listAccountsByGroup(long groupId) {
List<IAMGroupAccountMapVO> grpAcctMap = _aclGroupAccountMapDao.listByGroupId(groupId);
if (grpAcctMap == null || grpAcctMap.size() == 0) {
return new ArrayList<Long>();
}
List<Long> accts = new ArrayList<Long>();
for (IAMGroupAccountMapVO grpAcct : grpAcctMap) {
accts.add(grpAcct.getAccountId());
}
return accts;
}
@Override
public Pair<List<IAMGroup>, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize) {
if (iamGroupId != null) {
IAMGroup group = _aclGroupDao.findById(iamGroupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group by id " + iamGroupId);
}
}
Filter searchFilter = new Filter(IAMGroupVO.class, "id", true, startIndex, pageSize);
SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<IAMGroupVO> sc = sb.create();
if (iamGroupName != null) {
sc.setParameters("name", iamGroupName);
}
if (iamGroupId != null) {
sc.setParameters("id", iamGroupId);
}
sc.setParameters("path", path + "%");
Pair<List<IAMGroupVO>, Integer> groups = _aclGroupDao.searchAndCount(sc, searchFilter);
return new Pair<List<IAMGroup>, Integer>(new ArrayList<IAMGroup>(groups.first()), groups.second());
}
@Override
public List<IAMGroup> listParentIAMGroups(long groupId) {
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group by id " + groupId);
}
String path = group.getPath();
List<String> pathList = new ArrayList<String>();
String[] parts = path.split("/");
for (String part : parts) {
int start = path.indexOf(part);
if (start > 0) {
String subPath = path.substring(0, start);
pathList.add(subPath);
}
}
if (pathList.isEmpty()) {
return new ArrayList<IAMGroup>();
}
SearchBuilder<IAMGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("paths", sb.entity().getPath(), SearchCriteria.Op.IN);
SearchCriteria<IAMGroupVO> sc = sb.create();
sc.setParameters("paths", pathList.toArray());
List<IAMGroupVO> groups = _aclGroupDao.search(sc, null);
return new ArrayList<IAMGroup>(groups);
}
@DB
@Override
public IAMPolicy createIAMPolicy(final String iamPolicyName, final String description, final Long parentPolicyId, final String path) {
// check if the policy is already existing
IAMPolicy ro = _aclPolicyDao.findByName(iamPolicyName);
if (ro != null) {
throw new InvalidParameterValueException(
"Unable to create acl policy with name " + iamPolicyName
+ " already exists");
}
IAMPolicy role = Transaction.execute(new TransactionCallback<IAMPolicy>() {
@Override
public IAMPolicy doInTransaction(TransactionStatus status) {
IAMPolicyVO rvo = new IAMPolicyVO(iamPolicyName, description);
rvo.setPath(path);
IAMPolicy role = _aclPolicyDao.persist(rvo);
if (parentPolicyId != null) {
// copy parent role permissions
List<IAMPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
if (perms != null) {
for (IAMPolicyPermissionVO perm : perms) {
perm.setAclPolicyId(role.getId());
_policyPermissionDao.persist(perm);
}
}
}
return role;
}
});
return role;
}
@DB
@Override
public boolean deleteIAMPolicy(final long iamPolicyId) {
// get the Acl Policy entity
final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ "; failed to delete acl policy.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this policy related entry in acl_group_policy_map
List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
if (groupPolicyMap != null) {
for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this policy related entry in acl_account_policy_map table
List<IAMAccountPolicyMapVO> policyAcctMap = _aclAccountPolicyMapDao.listByPolicyId(policy.getId());
if (policyAcctMap != null) {
for (IAMAccountPolicyMapVO policyAcct : policyAcctMap) {
_aclAccountPolicyMapDao.remove(policyAcct.getId());
}
}
// remove this policy related entry in acl_policy_permission table
List<IAMPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
if (policyPermMap != null) {
for (IAMPolicyPermissionVO policyPerm : policyPermMap) {
_policyPermissionDao.remove(policyPerm.getId());
}
}
// remove this role from acl_role table
_aclPolicyDao.remove(iamPolicyId);
}
});
invalidateIAMCache();
return true;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicy> listIAMPolicies(long accountId) {
// static policies of the account
SearchBuilder<IAMGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
GenericSearchBuilder<IAMGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
policySB.selectFields(policySB.entity().getAclPolicyId());
policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
JoinType.INNER);
policySB.done();
SearchCriteria<Long> policySc = policySB.create();
policySc.setJoinParameters("accountgroupjoin", "account", accountId);
List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
// add policies directly attached to the account
List<IAMAccountPolicyMapVO> acctPolicies = _aclAccountPolicyMapDao.listByAccountId(accountId);
for (IAMAccountPolicyMapVO p : acctPolicies) {
policyIds.add(p.getIamPolicyId());
}
if (policyIds.size() == 0) {
return new ArrayList<IAMPolicy>();
}
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<IAMPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
@SuppressWarnings("rawtypes")
List policies = _aclPolicyDao.customSearch(sc, null);
return policies;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicy> listIAMPoliciesByGroup(long groupId) {
List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
if (policyGrpMap == null || policyGrpMap.size() == 0) {
return new ArrayList<IAMPolicy>();
}
List<Long> policyIds = new ArrayList<Long>();
for (IAMGroupPolicyMapVO pg : policyGrpMap) {
policyIds.add(pg.getAclPolicyId());
}
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<IAMPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
@SuppressWarnings("rawtypes")
List policies = _aclPolicyDao.customSearch(sc, null);
return policies;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId) {
List<IAMGroupPolicyMapVO> policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId);
if (policyGrpMap == null || policyGrpMap.size() == 0) {
return new ArrayList<IAMPolicy>();
}
List<Long> policyIds = new ArrayList<Long>();
for (IAMGroupPolicyMapVO pg : policyGrpMap) {
policyIds.add(pg.getAclPolicyId());
}
SearchBuilder<IAMPolicyPermissionVO> permSb = _policyPermissionDao.createSearchBuilder();
permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ);
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
sb.join("recursivePerm", permSb, sb.entity().getId(), permSb.entity().getAclPolicyId(),
JoinBuilder.JoinType.INNER);
SearchCriteria<IAMPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
sc.setJoinParameters("recursivePerm", "isRecursive", true);
@SuppressWarnings("rawtypes")
List policies = _aclPolicyDao.customSearch(sc, null);
return policies;
}
@SuppressWarnings("unchecked")
@Override
public Pair<List<IAMPolicy>, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize) {
if (iamPolicyId != null) {
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy by id " + iamPolicyId);
}
}
Filter searchFilter = new Filter(IAMPolicyVO.class, "id", true, startIndex, pageSize);
SearchBuilder<IAMPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<IAMPolicyVO> sc = sb.create();
if (iamPolicyName != null) {
sc.setParameters("name", iamPolicyName);
}
if (iamPolicyId != null) {
sc.setParameters("id", iamPolicyId);
}
sc.setParameters("path", path + "%");
Pair<List<IAMPolicyVO>, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter);
@SuppressWarnings("rawtypes")
List policyList = policies.first();
return new Pair<List<IAMPolicy>, Integer>(policyList, policies.second());
}
@DB
@Override
public IAMGroup attachIAMPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
// get the Acl Group entity
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add roles to acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long policyId : policyIds) {
IAMPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap == null) {
// not there already
grMap = new IAMGroupPolicyMapVO(groupId, policyId);
_aclGroupPolicyMapDao.persist(grMap);
}
}
}
});
invalidateIAMCache();
return group;
}
@DB
@Override
public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
// get the Acl Group entity
IAMGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove roles from acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_role_map table
for (Long policyId : policyIds) {
IAMPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap != null) {
// not removed yet
_aclGroupPolicyMapDao.remove(grMap.getId());
}
}
}
});
invalidateIAMCache();
return group;
}
@Override
public void attachIAMPolicyToAccounts(final Long policyId, final List<Long> acctIds) {
IAMPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policy to account.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long acctId : acctIds) {
IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
if (acctMap == null) {
// not there already
acctMap = new IAMAccountPolicyMapVO(acctId, policyId);
_aclAccountPolicyMapDao.persist(acctMap);
}
}
}
});
invalidateIAMCache();
}
@Override
public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> acctIds) {
IAMPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policy to account.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long acctId : acctIds) {
IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
if (acctMap != null) {
// exists
_aclAccountPolicyMapDao.remove(acctMap.getId());
}
}
}
});
invalidateIAMCache();
}
@DB
@Override
public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
String action, String accessType, Permission perm, Boolean recursive) {
// get the Acl Policy entity
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ "; failed to add permission to policy.");
}
// add entry in acl_policy_permission table
IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope,
scopeId, action, perm, accessType);
if (permit == null) {
// not there already
permit = new IAMPolicyPermissionVO(iamPolicyId, action, entityType, accessType, scope, scopeId, perm,
recursive);
_policyPermissionDao.persist(permit);
}
invalidateIAMCache();
return policy;
}
@DB
@Override
public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId,
String action) {
// get the Acl Policy entity
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ "; failed to revoke permission from policy.");
}
// remove entry from acl_entity_permission table
IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope,
scopeId, action, Permission.Allow, null);
if (permit != null) {
// not removed yet
_policyPermissionDao.remove(permit.getId());
}
invalidateIAMCache();
return policy;
}
@DB
@Override
public void removeIAMPermissionForEntity(final String entityType, final Long entityId) {
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entry from acl_entity_permission table
List<IAMPolicyPermissionVO> permitList = _policyPermissionDao.listByEntity(entityType, entityId);
for (IAMPolicyPermissionVO permit : permitList) {
long policyId = permit.getAclPolicyId();
_policyPermissionDao.remove(permit.getId());
// remove the policy if there are no other permissions
if ((_policyPermissionDao.listByPolicy(policyId)).isEmpty()) {
deleteIAMPolicy(policyId);
}
}
}
});
invalidateIAMCache();
}
@DB
@Override
public IAMPolicy resetIAMPolicy(long iamPolicyId) {
// get the Acl Policy entity
IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId
+ "; failed to reset the policy.");
}
SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ);
sb.done();
SearchCriteria<IAMPolicyPermissionVO> permissionSC = sb.create();
permissionSC.setParameters("policyId", iamPolicyId);
_policyPermissionDao.expunge(permissionSC);
invalidateIAMCache();
return policy;
}
@Override
public boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies) {
boolean allowed = false;
if (policies == null || policies.size() == 0) {
return allowed;
}
List<Long> policyIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
policyIds.add(policy.getId());
}
SearchBuilder<IAMPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("action", sb.entity().getAction(), Op.EQ);
sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
SearchCriteria<IAMPolicyPermissionVO> sc = sb.create();
sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
sc.setParameters("action", action);
List<IAMPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
if (permissions != null && !permissions.isEmpty()) {
allowed = true;
}
return allowed;
}
@Override
public List<Long> getGrantedEntities(long accountId, String action, String scope) {
// Get the static Policies of the Caller
List<IAMPolicy> policies = listIAMPolicies(accountId);
// for each policy, find granted permission within the given scope
List<Long> entityIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermissionVO> pp = _policyPermissionDao.listByPolicyActionAndScope(policy.getId(), action,
scope, null);
if (pp != null) {
for (IAMPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
entityIds.add(p.getScopeId());
}
}
}
}
return entityIds;
}
@Override
@SuppressWarnings("unchecked")
public List<IAMPolicyPermission> listPolicyPermissions(long policyId) {
@SuppressWarnings("rawtypes")
List pp = _policyPermissionDao.listByPolicy(policyId);
return pp;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope,
String accessType) {
@SuppressWarnings("rawtypes")
List pp = _policyPermissionDao.listByPolicyActionAndScope(policyId, action, scope, accessType);
return pp;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicyPermission> listPolicyPermissionByActionAndEntity(long policyId, String action,
String entityType) {
@SuppressWarnings("rawtypes")
List pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType);
return pp;
}
@SuppressWarnings("unchecked")
@Override
public List<IAMPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
String entityType) {
@SuppressWarnings("rawtypes")
List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType);
return pp;
}
@Override
public IAMPolicy getResourceOwnerPolicy() {
return _aclPolicyDao.findByName("RESOURCE_OWNER");
}
// search for policy with only one resource grant permission
@Override
public IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action) {
List<IAMPolicyVO> policyList = _aclPolicyDao.listAll();
for (IAMPolicyVO policy : policyList) {
List<IAMPolicyPermission> pp = listPolicyPermissions(policy.getId());
if (pp != null && pp.size() == 1) {
// resource grant policy should only have one ACL permission assigned
IAMPolicyPermission permit = pp.get(0);
if (permit.getEntityType().equals(entityType) && permit.getScope().equals(PermissionScope.RESOURCE.toString())
&& permit.getScopeId().longValue() == entityId.longValue()) {
if (accessType != null && permit.getAccessType().equals(accessType)) {
return policy;
} else if (action != null && permit.getAction().equals(action)) {
return policy;
}
}
}
}
return null;
}
}

33
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java
View File

@ -1,33 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
import com.cloud.utils.db.GenericDao;
public interface IAMAccountPolicyMapDao extends GenericDao<IAMAccountPolicyMapVO, Long> {
List<IAMAccountPolicyMapVO> listByAccountId(long acctId);
List<IAMAccountPolicyMapVO> listByPolicyId(long policyId);
IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId);
}

77
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java
View File

@ -1,77 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
public class IAMAccountPolicyMapDaoImpl extends GenericDaoBase<IAMAccountPolicyMapVO, Long> implements IAMAccountPolicyMapDao {
private SearchBuilder<IAMAccountPolicyMapVO> ListByAccountId;
private SearchBuilder<IAMAccountPolicyMapVO> ListByPolicyId;
private SearchBuilder<IAMAccountPolicyMapVO> findByPolicyAccountId;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
ListByAccountId = createSearchBuilder();
ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
ListByAccountId.done();
ListByPolicyId = createSearchBuilder();
ListByPolicyId.and("policyId", ListByPolicyId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
ListByPolicyId.done();
findByPolicyAccountId = createSearchBuilder();
findByPolicyAccountId.and("policyId", findByPolicyAccountId.entity().getIamPolicyId(), SearchCriteria.Op.EQ);
findByPolicyAccountId.and("accountId", findByPolicyAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
findByPolicyAccountId.done();
return true;
}
@Override
public List<IAMAccountPolicyMapVO> listByAccountId(long acctId) {
SearchCriteria<IAMAccountPolicyMapVO> sc = ListByAccountId.create();
sc.setParameters("accountId", acctId);
return listBy(sc);
}
@Override
public List<IAMAccountPolicyMapVO> listByPolicyId(long policyId) {
SearchCriteria<IAMAccountPolicyMapVO> sc = ListByPolicyId.create();
sc.setParameters("policyId", policyId);
return listBy(sc);
}
@Override
public IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId) {
SearchCriteria<IAMAccountPolicyMapVO> sc = findByPolicyAccountId.create();
sc.setParameters("policyId", policyId);
sc.setParameters("accountId", acctId);
return findOneBy(sc);
}
}

40
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java
View File

@ -1,40 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
import com.cloud.utils.db.GenericDao;
public interface IAMGroupAccountMapDao extends GenericDao<IAMGroupAccountMapVO, Long> {
List<IAMGroupAccountMapVO> listByGroupId(long groupId);
List<IAMGroupAccountMapVO> listByAccountId(long accountId);
IAMGroupAccountMapVO findAccountInAdminGroup(long accountId);
IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
void removeAccountFromGroups(long accountId);
IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
IAMGroupAccountMapVO findAccountInUserGroup(long accountId);
}

119
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java
View File

@ -1,119 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class IAMGroupAccountMapDaoImpl extends GenericDaoBase<IAMGroupAccountMapVO, Long> implements IAMGroupAccountMapDao {
private SearchBuilder<IAMGroupAccountMapVO> ListByGroupId;
private SearchBuilder<IAMGroupAccountMapVO> ListByAccountId;
private SearchBuilder<IAMGroupAccountMapVO> _findByAccountAndGroupId;
public static final Logger s_logger = Logger.getLogger(IAMGroupAccountMapDaoImpl.class.getName());
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
ListByGroupId = createSearchBuilder();
ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
ListByGroupId.done();
ListByAccountId = createSearchBuilder();
ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
ListByAccountId.done();
_findByAccountAndGroupId = createSearchBuilder();
_findByAccountAndGroupId
.and("groupId", _findByAccountAndGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
_findByAccountAndGroupId.and("accountId", _findByAccountAndGroupId.entity().getAccountId(),
SearchCriteria.Op.EQ);
_findByAccountAndGroupId.done();
return true;
}
@Override
public List<IAMGroupAccountMapVO> listByGroupId(long groupId) {
SearchCriteria<IAMGroupAccountMapVO> sc = ListByGroupId.create();
sc.setParameters("groupId", groupId);
return listBy(sc);
}
@Override
public List<IAMGroupAccountMapVO> listByAccountId(long accountId) {
SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
sc.setParameters("accountId", accountId);
return listBy(sc);
}
@Override
public IAMGroupAccountMapVO findAccountInAdminGroup(long accountId) {
SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 2);
return findOneBy(sc);
}
@Override
public IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 3);
return findOneBy(sc);
}
@Override
public IAMGroupAccountMapVO findAccountInUserGroup(long accountId) {
SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 1);
return findOneBy(sc);
}
@Override
public IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
SearchCriteria<IAMGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", acctId);
sc.setParameters("groupId", groupId);
return findOneBy(sc);
}
@Override
public void removeAccountFromGroups(long accountId) {
SearchCriteria<IAMGroupAccountMapVO> sc = ListByAccountId.create();
sc.setParameters("accountId", accountId);
int rowsRemoved = remove(sc);
if (rowsRemoved > 0) {
s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
}
}
}

28
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java
View File

@ -1,28 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.server.IAMGroupVO;
import com.cloud.utils.db.GenericDao;
public interface IAMGroupDao extends GenericDao<IAMGroupVO, Long> {
IAMGroup findByName(String path, String groupName);
}

59
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java
View File

@ -1,59 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.server.IAMGroupVO;
import org.springframework.stereotype.Component;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class IAMGroupDaoImpl extends GenericDaoBase<IAMGroupVO, Long> implements IAMGroupDao {
private SearchBuilder<IAMGroupVO> nameSearch;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
nameSearch = createSearchBuilder();
nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
nameSearch.and("path", nameSearch.entity().getPath(), SearchCriteria.Op.EQ);
nameSearch.done();
return true;
}
@Override
public IAMGroup findByName(String path, String name) {
SearchCriteria<IAMGroupVO> sc = nameSearch.create();
sc.setParameters("name", name);
if (path != null) {
sc.setParameters("path", path);
}
return findOneBy(sc);
}
}

33
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java
View File

@ -1,33 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import org.apache.cloudstack.iam.server.IAMGroupPolicyMapVO;
import com.cloud.utils.db.GenericDao;
public interface IAMGroupPolicyMapDao extends GenericDao<IAMGroupPolicyMapVO, Long> {
List<IAMGroupPolicyMapVO> listByGroupId(long groupId);
List<IAMGroupPolicyMapVO> listByPolicyId(long policyId);
IAMGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId);
}

77
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java
View File

@ -1,77 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.server.IAMGroupPolicyMapVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
public class IAMGroupPolicyMapDaoImpl extends GenericDaoBase<IAMGroupPolicyMapVO, Long> implements IAMGroupPolicyMapDao {
private SearchBuilder<IAMGroupPolicyMapVO> ListByGroupId;
private SearchBuilder<IAMGroupPolicyMapVO> ListByPolicyId;
private SearchBuilder<IAMGroupPolicyMapVO> findByPolicyGroupId;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
ListByGroupId = createSearchBuilder();
ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
ListByGroupId.done();
ListByPolicyId = createSearchBuilder();
ListByPolicyId.and("policyId", ListByPolicyId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
ListByPolicyId.done();
findByPolicyGroupId = createSearchBuilder();
findByPolicyGroupId.and("policyId", findByPolicyGroupId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
findByPolicyGroupId.and("groupId", findByPolicyGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
findByPolicyGroupId.done();
return true;
}
@Override
public List<IAMGroupPolicyMapVO> listByGroupId(long groupId) {
SearchCriteria<IAMGroupPolicyMapVO> sc = ListByGroupId.create();
sc.setParameters("groupId", groupId);
return listBy(sc);
}
@Override
public List<IAMGroupPolicyMapVO> listByPolicyId(long policyId) {
SearchCriteria<IAMGroupPolicyMapVO> sc = ListByPolicyId.create();
sc.setParameters("policyId", policyId);
return listBy(sc);
}
@Override
public IAMGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId) {
SearchCriteria<IAMGroupPolicyMapVO> sc = findByPolicyGroupId.create();
sc.setParameters("policyId", policyId);
sc.setParameters("groupId", groupId);
return findOneBy(sc);
}
}

28
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java
View File

@ -1,28 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.server.IAMPolicyVO;
import com.cloud.utils.db.GenericDao;
public interface IAMPolicyDao extends GenericDao<IAMPolicyVO, Long> {
IAMPolicy findByName(String policyName);
}

57
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java
View File

@ -1,57 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.server.IAMPolicyVO;
import org.springframework.stereotype.Component;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class IAMPolicyDaoImpl extends GenericDaoBase<IAMPolicyVO, Long> implements IAMPolicyDao {
private SearchBuilder<IAMPolicyVO> nameSearch;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
nameSearch = createSearchBuilder();
nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
// nameSearch.and("domainId", nameSearch.entity().getDomainId(),
// SearchCriteria.Op.EQ);
nameSearch.done();
return true;
}
@Override
public IAMPolicy findByName(String name) {
SearchCriteria<IAMPolicyVO> sc = nameSearch.create();
sc.setParameters("name", name);
return findOneBy(sc);
}
}

39
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java
View File

@ -1,39 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO;
import com.cloud.utils.db.GenericDao;
public interface IAMPolicyPermissionDao extends GenericDao<IAMPolicyPermissionVO, Long> {
List<IAMPolicyPermissionVO> listByPolicy(long policyId);
IAMPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId,
String action, Permission perm, String accessType);
List<IAMPolicyPermissionVO> listByPolicyActionAndScope(long policyId, String action, String scope, String accessType);
List<IAMPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType);
List<IAMPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType, String entityType);
List<IAMPolicyPermissionVO> listByEntity(String entityType, Long entityId);
}

130
services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java
View File

@ -1,130 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
public class IAMPolicyPermissionDaoImpl extends GenericDaoBase<IAMPolicyPermissionVO, Long> implements
IAMPolicyPermissionDao {
private SearchBuilder<IAMPolicyPermissionVO> policyIdSearch;
private SearchBuilder<IAMPolicyPermissionVO> fullSearch;
private SearchBuilder<IAMPolicyPermissionVO> entitySearch;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
policyIdSearch = createSearchBuilder();
policyIdSearch.and("policyId", policyIdSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
policyIdSearch.done();
fullSearch = createSearchBuilder();
fullSearch.and("policyId", fullSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
fullSearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ);
fullSearch.and("scope", fullSearch.entity().getScope(), SearchCriteria.Op.EQ);
fullSearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ);
fullSearch.and("action", fullSearch.entity().getAction(), SearchCriteria.Op.EQ);
fullSearch.and("permission", fullSearch.entity().getPermission(), SearchCriteria.Op.EQ);
fullSearch.and("accessType", fullSearch.entity().getAccessType(), SearchCriteria.Op.EQ);
fullSearch.done();
entitySearch = createSearchBuilder();
entitySearch.and("entityType", entitySearch.entity().getEntityType(), SearchCriteria.Op.EQ);
entitySearch.and("scopeId", entitySearch.entity().getScopeId(), SearchCriteria.Op.EQ);
entitySearch.done();
return true;
}
@Override
public List<IAMPolicyPermissionVO> listByPolicy(long policyId) {
SearchCriteria<IAMPolicyPermissionVO> sc = policyIdSearch.create();
sc.setParameters("policyId", policyId);
return listBy(sc);
}
@Override
public IAMPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId,
String action, Permission perm, String accessType) {
SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("scope", scope);
sc.setParameters("scopeId", scopeId);
sc.setParameters("action", action);
sc.setParameters("permission", perm);
if (accessType != null) {
// accessType can be optional, used mainly in list apis with
// ListEntry and UseEntry distinction
sc.setParameters("accessType", accessType);
}
return findOneBy(sc);
}
@Override
public List<IAMPolicyPermissionVO> listByPolicyActionAndScope(long policyId, String action, String scope, String accessType) {
SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("action", action);
sc.setParameters("scope", scope);
sc.setParameters("permission", Permission.Allow);
if ( accessType != null ){
// accessType can be optional, used mainly in list apis with ListEntry and UseEntry distinction
sc.setParameters("accessType", accessType);
}
return listBy(sc);
}
@Override
public List<IAMPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType) {
SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("action", action);
return listBy(sc);
}
@Override
public List<IAMPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType,
String entityType) {
SearchCriteria<IAMPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("accessType", accessType);
return listBy(sc);
}
@Override
public List<IAMPolicyPermissionVO> listByEntity(String entityType, Long entityId) {
SearchCriteria<IAMPolicyPermissionVO> sc = entitySearch.create();
sc.setParameters("entityType", entityType);
sc.setParameters("scopeId", entityId);
return listBy(sc);
}
}

47
services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
View File

@ -1,47 +0,0 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd"
>
<bean id="IAMGroupDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupDaoImpl" />
<bean id="IAMPolicyDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyDaoImpl" />
<bean id="IAMGroupAccountMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDaoImpl" />
<bean id="IAMGroupPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDaoImpl" />
<bean id="IAMPolicyPermissionDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDaoImpl" />
<bean id="IAMAccountPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDaoImpl" />
<bean id="IAMServiceImpl" class="org.apache.cloudstack.iam.server.IAMServiceImpl" >
<property name="configParams">
<map>
<entry key="cache.size" value="5000" />
<entry key="cache.time.to.live" value="300" />
</map>
</property>
</bean>
</beans>

211
services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java
View File

@ -1,211 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam;
import static org.junit.Assert.assertNotNull;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.when;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.junit.After;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mockito;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.ComponentScan.Filter;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.FilterType;
import org.springframework.core.type.classreading.MetadataReader;
import org.springframework.core.type.classreading.MetadataReaderFactory;
import org.springframework.core.type.filter.TypeFilter;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.support.AnnotationConfigContextLoader;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
import org.apache.cloudstack.iam.api.IAMService;
import org.apache.cloudstack.iam.server.IAMGroupVO;
import org.apache.cloudstack.iam.server.IAMPolicyVO;
import org.apache.cloudstack.iam.server.IAMServiceImpl;
import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao;
import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao;
import org.apache.cloudstack.iam.server.dao.IAMGroupDao;
import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao;
import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
import org.apache.cloudstack.test.utils.SpringUtils;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.utils.component.ComponentContext;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.SearchCriteria;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
public class IAMServiceUnitTest {
@Inject
IAMService _iamService;
@Inject
IAMPolicyDao _aclPolicyDao;
@Inject
IAMGroupDao _aclGroupDao;
@Inject
EntityManager _entityMgr;
@Inject
IAMGroupPolicyMapDao _aclGroupPolicyMapDao;
@Inject
IAMGroupAccountMapDao _aclGroupAccountMapDao;
@Inject
IAMPolicyPermissionDao _policyPermissionDao;
@BeforeClass
public static void setUpClass() throws ConfigurationException {
}
@Before
public void setUp() {
ComponentContext.initComponentsLifeCycle();
IAMGroupVO group = new IAMGroupVO("group1", "my first group");
Mockito.when(_aclGroupDao.persist(Mockito.any(IAMGroupVO.class))).thenReturn(group);
List<IAMGroupVO> groups = new ArrayList<IAMGroupVO>();
groups.add(group);
when(_aclGroupDao.search(Mockito.any(SearchCriteria.class), Mockito.any(com.cloud.utils.db.Filter.class)))
.thenReturn(groups);
IAMPolicyVO policy = new IAMPolicyVO("policy1", "my first policy");
Mockito.when(_aclPolicyDao.persist(Mockito.any(IAMPolicyVO.class))).thenReturn(policy);
}
@After
public void tearDown() {
}
@Test(expected = InvalidParameterValueException.class)
public void createAclGroupTest() {
IAMGroup group = _iamService.createIAMGroup("group1", "my first group", "/root/mydomain");
assertNotNull("Acl group 'group1' failed to create ", group);
IAMGroupVO group2 = new IAMGroupVO("group1", "my second group");
when(_aclGroupDao.findByName(eq("/root/mydomain"), eq("group1"))).thenReturn(group2);
IAMGroup group3 = _iamService.createIAMGroup("group1", "my first group", "/root/mydomain");
}
@Test(expected = InvalidParameterValueException.class)
public void deleteAclGroupInvalidIdTest() {
when(_aclGroupDao.findById(20L)).thenReturn(null);
_iamService.deleteIAMGroup(20L);
}
@Test
public void accountGroupMaptest() {
// create group
IAMGroupVO group = new IAMGroupVO("group1", "my first group");
// add account to group
List<Long> accountIds = new ArrayList<Long>();
accountIds.add(100L);
when(_aclGroupDao.findById(20L)).thenReturn(group);
_iamService.addAccountsToGroup(accountIds, 20L);
_iamService.removeAccountsFromGroup(accountIds, 20L);
}
@Test(expected = InvalidParameterValueException.class)
public void createAclPolicyTest() {
IAMPolicy policy = _iamService.createIAMPolicy("policy1", "my first policy", null, "/root/mydomain");
assertNotNull("Acl policy 'policy1' failed to create ", policy);
IAMPolicyVO rvo = new IAMPolicyVO("policy2", "second policy");
when(_aclPolicyDao.findByName(eq("policy2"))).thenReturn(rvo);
_iamService.createIAMPolicy("policy2", "second policy", null, "/root/mydomain");
}
@Test(expected = InvalidParameterValueException.class)
public void deleteAclPolicyInvalidIdTest() {
when(_aclPolicyDao.findById(34L)).thenReturn(null);
_iamService.deleteIAMPolicy(34L);
}
@Configuration
@ComponentScan(basePackageClasses = {IAMServiceImpl.class}, includeFilters = {@Filter(value = TestConfiguration.Library.class, type = FilterType.CUSTOM)}, useDefaultFilters = false)
public static class TestConfiguration extends SpringUtils.CloudStackTestConfiguration {
@Bean
public IAMPolicyDao aclPolicyDao() {
return Mockito.mock(IAMPolicyDao.class);
}
@Bean
public IAMGroupDao aclGroupDao() {
return Mockito.mock(IAMGroupDao.class);
}
@Bean
public EntityManager entityManager() {
return Mockito.mock(EntityManager.class);
}
@Bean
public IAMGroupPolicyMapDao aclGroupPolicyMapDao() {
return Mockito.mock(IAMGroupPolicyMapDao.class);
}
@Bean
public IAMGroupAccountMapDao aclGroupAccountMapDao() {
return Mockito.mock(IAMGroupAccountMapDao.class);
}
@Bean
public IAMAccountPolicyMapDao aclAccountPolicyMapDao() {
return Mockito.mock(IAMAccountPolicyMapDao.class);
}
@Bean
public IAMPolicyPermissionDao aclPolicyPermissionDao() {
return Mockito.mock(IAMPolicyPermissionDao.class);
}
public static class Library implements TypeFilter {
@Override
public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException {
ComponentScan cs = TestConfiguration.class.getAnnotation(ComponentScan.class);
return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs);
}
}
}
}

73
services/iam/server/src/test/resources/db.properties
View File

@ -1,73 +0,0 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# management server clustering parameters, change cluster.node.IP to the machine IP address
# in which the management server(Tomcat) is running
cluster.node.IP=127.0.0.1
cluster.servlet.port=9090
region.id=1
# CloudStack database settings
db.cloud.username=cloud
db.cloud.password=cloud
db.root.password=
db.cloud.host=localhost
db.cloud.driver=jdbc:mysql
db.cloud.port=3306
db.cloud.name=cloud
# CloudStack database tuning parameters
db.cloud.maxActive=250
db.cloud.maxIdle=30
db.cloud.maxWait=10000
db.cloud.autoReconnect=true
db.cloud.validationQuery=SELECT 1
db.cloud.testOnBorrow=true
db.cloud.testWhileIdle=true
db.cloud.timeBetweenEvictionRunsMillis=40000
db.cloud.minEvictableIdleTimeMillis=240000
db.cloud.poolPreparedStatements=false
db.cloud.url.params=prepStmtCacheSize=517&cachePrepStmts=true&prepStmtCacheSqlLimit=4096
# usage database settings
db.usage.username=cloud
db.usage.password=cloud
db.usage.host=localhost
# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
db.usage.driver=jdbc:mysql
db.usage.port=3306
db.usage.name=cloud_usage
# usage database tuning parameters
db.usage.maxActive=100
db.usage.maxIdle=30
db.usage.maxWait=10000
db.usage.autoReconnect=true
# Simulator database settings
db.simulator.username=cloud
db.simulator.password=cloud
db.simulator.host=localhost
# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work
db.simulator.driver=jdbc:mysql
db.simulator.port=3306
db.simulator.name=simulator
db.simulator.maxActive=250
db.simulator.maxIdle=30
db.simulator.maxWait=10000
db.simulator.autoReconnect=true

1
tools/apidoc/gen_toc.py
View File

@ -169,7 +169,6 @@ known_categories = {
'Ucs' : 'UCS',
'CacheStores' : 'Cache Stores',
'CacheStore' : 'Cache Store',
'IAM' : 'IAM',
'OvsElement' : 'Ovs Element',
'StratosphereSsp' : ' Stratosphere SSP',
'Metrics' : 'Metrics',

3
tools/build/build_asf.sh
View File

@ -100,9 +100,6 @@ perl -pi -e "s/-SNAPSHOT//" tools/apidoc/pom.xml
perl -pi -e "s/-SNAPSHOT//" build/replace.properties
perl -pi -e "s/-SNAPSHOT//" tools/marvin/setup.py
perl -pi -e "s/-SNAPSHOT//" tools/marvin/marvin/deployAndRun.py
perl -pi -e "s/-SNAPSHOT//" services/iam/plugin/pom.xml
perl -pi -e "s/-SNAPSHOT//" services/iam/pom.xm
perl -pi -e "s/-SNAPSHOT//" services/iam/server/pom.xml
perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile
perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile.marvin
perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile.centos6

3
tools/build/setnextversion.sh
View File

@ -131,9 +131,6 @@ echo "setting new version numbers"
mvn versions:set -DnewVersion=$version -P vmware -P developer -P systemvm -P simulator -Dnoredist versions:commit
perl -pi -e "s/$currentversion/$version/" debian/changelog
perl -pi -e "s/$currentversion/$version/" services/iam/plugin/pom.xml
perl -pi -e "s/$currentversion/$version/" services/iam/pom.xml
perl -pi -e "s/$currentversion/$version/" services/iam/server/pom.xml
perl -pi -e "s/$currentversion/$version/" tools/apidoc/pom.xml
perl -pi -e "s/$currentversion/$version/" tools/checkstyle/pom.xml
perl -pi -e "s/$currentversion/$version/" tools/marvin/setup.py

133
tools/marvin/marvin/lib/base.py
View File

@ -5096,139 +5096,6 @@ class NIC:
cmd.listall = True
return(apiclient.listNics(cmd))
class IAMGroup:
def __init__(self, items):
self.__dict__.update(items)
@classmethod
def create(cls, apiclient, iam_grp, account=None, domainid=None):
cmd = createIAMGroup.createIAMGroupCmd()
cmd.name = iam_grp['name']
cmd.description = iam_grp['description']
if account:
cmd.account = account
if domainid:
cmd.domainid = domainid
return IAMGroup(apiclient.createIAMGroup(cmd).__dict__)
def update(self, apiclient):
pass
def delete(self, apiclient):
cmd = deleteIAMGroup.deleteIAMGroupCmd()
cmd.id = self.id
return apiclient.deleteIAMGroup(cmd)
@classmethod
def list(cls, apiclient, **kwargs):
cmd = listIAMGroups.listIAMGroupsCmd()
[setattr(cmd, k, v) for k, v in kwargs.items()]
if 'account' in kwargs.keys() and 'domainid' in kwargs.keys():
cmd.listall = True
return apiclient.listIAMGroups(cmd)
def addAccount(self, apiclient, accts):
"""Add accounts to iam group"""
cmd = addAccountToIAMGroup.addAccountToIAMGroupCmd()
cmd.id = self.id
cmd.accounts = [str(acct.id) for acct in accts]
apiclient.addAccountToIAMGroup(cmd)
return
def removeAccount(self, apiclient, accts):
""" Remove accounts from iam group"""
cmd = removeAccountFromIAMGroup.removeAccountFromIAMGroupCmd()
cmd.id = self.id
cmd.accounts = [str(acct.id) for acct in accts]
apiclient.removeAccountFromIAMGroup(cmd)
return
def attachPolicy(self, apiclient, policies):
"""Add policies to iam group"""
cmd = attachIAMPolicyToIAMGroup.attachIAMPolicyToIAMGroupCmd()
cmd.id = self.id
cmd.policies = [str(policy.id) for policy in policies]
apiclient.attachIAMPolicyToIAMGroup(cmd)
return
def detachPolicy(self, apiclient, policies):
"""Remove policies from iam group"""
cmd = removeIAMPolicyFromIAMGroup.removeIAMPolicyFromIAMGroupCmd()
cmd.id = self.id
cmd.policies = [str(policy.id) for policy in policies]
apiclient.removeIAMPolicyFromIAMGroup(cmd)
return
class IAMPolicy:
def __init__(self, items):
self.__dict__.update(items)
@classmethod
def create(cls, apiclient, iam_policy, account=None, domainid=None):
cmd = createIAMPolicy.createIAMPolicyCmd()
cmd.name = iam_policy['name']
cmd.description = iam_policy['description']
if account:
cmd.account = account
if domainid:
cmd.domainid = domainid
return IAMPolicy(apiclient.createIAMPolicy(cmd).__dict__)
def update(self, apiclient):
pass
def delete(self, apiclient):
cmd = deleteIAMPolicy.deleteIAMPolicyCmd()
cmd.id = self.id
return apiclient.deleteIAMPolicy(cmd)
@classmethod
def list(cls, apiclient, **kwargs):
cmd = listIAMPolicies.listIAMPoliciesCmd()
[setattr(cmd, k, v) for k, v in kwargs.items()]
if 'account' in kwargs.keys() and 'domainid' in kwargs.keys():
cmd.listall = True
return apiclient.listIAMPoliciesCmd(cmd)
def addPermission(self, apiclient, permission):
"""Add permission to iam policy"""
cmd = addIAMPermissionToIAMPolicy.addIAMPermissionToIAMPolicyCmd()
cmd.id = self.id
cmd.action = permission['action']
cmd.entitytype = permission['entitytype']
cmd.scope = permission['scope']
cmd.scopeid = permission['scopeid']
apiclient.addIAMPermissionToIAMPolicy(cmd)
return
def removePermission(self, apiclient, permission):
"""Remove permission from iam policy"""
cmd = removeIAMPermissionFromIAMPolicy.\
removeIAMPermissionFromIAMPolicyCmd()
cmd.id = self.id
cmd.action = permission['action']
cmd.entitytype = permission['entitytype']
cmd.scope = permission['scope']
cmd.scopeid = permission['scopeid']
apiclient.removeIAMPermissionFromIAMPolicy(cmd)
return
def attachAccount(self, apiclient, accts):
"""Attach iam policy to accounts"""
cmd = attachIAMPolicyToAccount.attachIAMPolicyToAccountCmd()
cmd.id = self.id
cmd.accounts = [str(acct.id) for acct in accts]
apiclient.attachIAMPolicyToAccount(cmd)
return
def detachAccount(self, apiclient, accts):
"""Detach iam policy from accounts"""
cmd = removeIAMPolicyFromAccount.removeIAMPolicyFromAccountCmd()
cmd.id = self.id
cmd.accounts = [str(acct.id) for acct in accts]
apiclient.removeIAMPolicyFromAccount(cmd)
return
class SimulatorMock:
"""Manage simulator mock lifecycle"""
def __init__(self, items):