From 56f918583df279963fbe14866ae11d3d5599bb1e Mon Sep 17 00:00:00 2001 From: Khosrow Moossavi Date: Tue, 11 Sep 2018 12:06:20 -0400 Subject: [PATCH] Remove 'iam' projects (#2817) * Remove 'iam' projects * Drop corresponding tables --- .../main/java/com/cloud/event/EventTypes.java | 13 - .../cloudstack/api/ApiCommandJobType.java | 2 - .../apache/cloudstack/api/ApiConstants.java | 14 +- .../db/schema-41110to41200-cleanup.sql | 9 +- .../cloud/template/TemplateManagerImpl.java | 2 - services/iam/plugin/pom.xml | 59 -- .../command/iam/AddAccountToIAMGroupCmd.java | 127 --- .../iam/AddIAMPermissionToIAMPolicyCmd.java | 159 --- .../iam/AttachIAMPolicyToAccountCmd.java | 122 --- .../iam/AttachIAMPolicyToIAMGroupCmd.java | 127 --- .../api/command/iam/CreateIAMGroupCmd.java | 168 ---- .../api/command/iam/CreateIAMPolicyCmd.java | 175 ---- .../api/command/iam/DeleteIAMGroupCmd.java | 102 -- .../api/command/iam/DeleteIAMPolicyCmd.java | 102 -- .../api/command/iam/ListIAMGroupsCmd.java | 88 -- .../api/command/iam/ListIAMPoliciesCmd.java | 88 -- .../iam/RemoveAccountFromIAMGroupCmd.java | 127 --- .../RemoveIAMPermissionFromIAMPolicyCmd.java | 148 --- .../iam/RemoveIAMPolicyFromAccountCmd.java | 122 --- .../iam/RemoveIAMPolicyFromIAMGroupCmd.java | 127 --- .../api/response/iam/IAMGroupResponse.java | 193 ---- .../response/iam/IAMPermissionResponse.java | 124 --- .../api/response/iam/IAMPolicyResponse.java | 177 ---- .../apache/cloudstack/iam/IAMApiService.java | 87 -- .../cloudstack/iam/IAMApiServiceImpl.java | 825 ---------------- .../iam/RoleBasedAPIAccessChecker.java | 287 ------ .../iam/RoleBasedEntityAccessChecker.java | 329 ------- .../iam/RoleBasedEntityQuerySelector.java | 188 ---- .../iam-access-checkers/module.properties | 18 - .../spring-iam-access-checkers-context.xml | 35 - .../iam/test/IAMApiServiceTest.java | 385 -------- .../plugin/src/test/resources/db.properties | 73 -- services/iam/pom.xml | 59 -- services/iam/server/pom.xml | 57 -- .../apache/cloudstack/iam/api/IAMGroup.java | 37 - .../apache/cloudstack/iam/api/IAMPolicy.java | 41 - .../iam/api/IAMPolicyPermission.java | 53 - .../apache/cloudstack/iam/api/IAMService.java | 99 -- .../iam/server/IAMAccountPolicyMapVO.java | 77 -- .../iam/server/IAMGroupAccountMapVO.java | 78 -- .../iam/server/IAMGroupPolicyMapVO.java | 79 -- .../cloudstack/iam/server/IAMGroupVO.java | 122 --- .../iam/server/IAMPolicyPermissionVO.java | 181 ---- .../cloudstack/iam/server/IAMPolicyVO.java | 138 --- .../cloudstack/iam/server/IAMServiceImpl.java | 904 ------------------ .../server/dao/IAMAccountPolicyMapDao.java | 33 - .../dao/IAMAccountPolicyMapDaoImpl.java | 77 -- .../iam/server/dao/IAMGroupAccountMapDao.java | 40 - .../server/dao/IAMGroupAccountMapDaoImpl.java | 119 --- .../iam/server/dao/IAMGroupDao.java | 28 - .../iam/server/dao/IAMGroupDaoImpl.java | 59 -- .../iam/server/dao/IAMGroupPolicyMapDao.java | 33 - .../server/dao/IAMGroupPolicyMapDaoImpl.java | 77 -- .../iam/server/dao/IAMPolicyDao.java | 28 - .../iam/server/dao/IAMPolicyDaoImpl.java | 57 -- .../server/dao/IAMPolicyPermissionDao.java | 39 - .../dao/IAMPolicyPermissionDaoImpl.java | 130 --- .../core/spring-iam-server-context.xml | 47 - .../cloudstack/iam/IAMServiceUnitTest.java | 211 ---- .../server/src/test/resources/db.properties | 73 -- tools/apidoc/gen_toc.py | 1 - tools/build/build_asf.sh | 3 - tools/build/setnextversion.sh | 3 - tools/marvin/marvin/lib/base.py | 133 --- 64 files changed, 9 insertions(+), 7709 deletions(-) delete mode 100644 services/iam/plugin/pom.xml delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java delete mode 100644 services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java delete mode 100644 services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties delete mode 100644 services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml delete mode 100644 services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java delete mode 100644 services/iam/plugin/src/test/resources/db.properties delete mode 100644 services/iam/pom.xml delete mode 100644 services/iam/server/pom.xml delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java delete mode 100644 services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java delete mode 100644 services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml delete mode 100644 services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java delete mode 100644 services/iam/server/src/test/resources/db.properties diff --git a/api/src/main/java/com/cloud/event/EventTypes.java b/api/src/main/java/com/cloud/event/EventTypes.java index 907b93eca10..318dc4bc305 100644 --- a/api/src/main/java/com/cloud/event/EventTypes.java +++ b/api/src/main/java/com/cloud/event/EventTypes.java @@ -531,19 +531,6 @@ public class EventTypes { public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE"; - // IAM events - public static final String EVENT_IAM_POLICY_CREATE = "IAMPOLICY.CREATE"; - public static final String EVENT_IAM_POLICY_DELETE = "IAMPOLICY.DELETE"; - public static final String EVENT_IAM_POLICY_GRANT = "IAMPOLICY.GRANT"; - public static final String EVENT_IAM_POLICY_REVOKE = "IAMPOLICY.REVOKE"; - - public static final String EVENT_IAM_GROUP_UPDATE = "IAMGROUP.UPDATE"; - public static final String EVENT_IAM_GROUP_CREATE = "IAMGROUP.CREATE"; - public static final String EVENT_IAM_GROUP_DELETE = "IAMGROUP.DELETE"; - public static final String EVENT_IAM_GROUP_GRANT = "IAMGROUP.GRANT"; - public static final String EVENT_IAM_GROUP_REVOKE = "IAMGROUP.REVOKE"; - public static final String EVENT_IAM_ACCOUNT_POLICY_UPDATE = "IAMACCOUNTPOLICY.UPDATE"; - // Object store migration public static final String EVENT_MIGRATE_PREPARE_SECONDARY_STORAGE = "MIGRATE.PREPARE.SS"; diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java b/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java index ead6ce1eede..b95831b3d20 100644 --- a/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java +++ b/api/src/main/java/org/apache/cloudstack/api/ApiCommandJobType.java @@ -50,8 +50,6 @@ public enum ApiCommandJobType { AffinityGroup, InternalLbVm, DedicatedGuestVlanRange, - IAMPolicy, - IAMGroup, GuestOs, GuestOsMapping, Network diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java index f03ddc7465c..b7779cb2a8d 100644 --- a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java +++ b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java @@ -652,19 +652,7 @@ public class ApiConstants { public static final String MAX_CONNECTIONS = "maxconnections"; public static final String SERVICE_STATE = "servicestate"; - public static final String IAM_ACCOUNT_IDS = "accountids"; - public static final String IAM_MEMBER_ACCOUNTS = "memberaccounts"; - public static final String IAM_PARENT_POLICY_ID = "parentpolicyid"; - public static final String IAM_PARENT_POLICY_NAME = "parentpolicyname"; - public static final String IAM_POLICY_IDS = "policyids"; - public static final String IAM_POLICIES = "policies"; - public static final String IAM_APIS = "apis"; public static final String IAM_GROUPS = "groups"; - public static final String IAM_PERMISSIONS = "permission"; - public static final String IAM_ACTION = "action"; - public static final String IAM_SCOPE = "scope"; - public static final String IAM_SCOPE_ID = "scopeid"; - public static final String IAM_ALLOW_DENY = "permission"; public static final String ENTITY_TYPE = "entitytype"; public static final String ENTITY_ID = "entityid"; public static final String EXTERNAL_ID = "externalid"; @@ -737,4 +725,4 @@ public class ApiConstants { public enum DomainDetails { all, resource, min; } -} \ No newline at end of file +} diff --git a/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql b/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql index a72b33ffece..76f69015f45 100644 --- a/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql +++ b/engine/schema/src/main/resources/META-INF/db/schema-41110to41200-cleanup.sql @@ -17,4 +17,11 @@ --; -- Schema upgrade cleanup from 4.11.1.0 to 4.12.0.0 ---; \ No newline at end of file +--; + +DROP TABLE IF EXISTS `cloud`.`iam_account_policy_map`; +DROP TABLE IF EXISTS `cloud`.`iam_group_account_map`; +DROP TABLE IF EXISTS `cloud`.`iam_group_policy_map`; +DROP TABLE IF EXISTS `cloud`.`iam_group`; +DROP TABLE IF EXISTS `cloud`.`iam_policy_permission`; +DROP TABLE IF EXISTS `cloud`.`iam_policy`; diff --git a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java index 7076a669d7f..dc57a8a9ef3 100755 --- a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java +++ b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java @@ -1546,7 +1546,6 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class); permit.put(ApiConstants.ENTITY_ID, id); permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry); - permit.put(ApiConstants.IAM_ACTION, "listTemplates"); permit.put(ApiConstants.ACCOUNTS, accountIds); _messageBus.publish(_name, EntityManager.MESSAGE_GRANT_ENTITY_EVENT, PublishScope.LOCAL, permit); } else if ("remove".equalsIgnoreCase(operation)) { @@ -1563,7 +1562,6 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class); permit.put(ApiConstants.ENTITY_ID, id); permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry); - permit.put(ApiConstants.IAM_ACTION, "listTemplates"); permit.put(ApiConstants.ACCOUNTS, accountIds); _messageBus.publish(_name, EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, PublishScope.LOCAL, permit); } else if ("reset".equalsIgnoreCase(operation)) { diff --git a/services/iam/plugin/pom.xml b/services/iam/plugin/pom.xml deleted file mode 100644 index 1ea101d8c54..00000000000 --- a/services/iam/plugin/pom.xml +++ /dev/null @@ -1,59 +0,0 @@ - - - 4.0.0 - cloud-plugin-iam - Apache CloudStack IAM - Plugin - - org.apache.cloudstack - cloudstack-service-iam - 4.12.0.0-SNAPSHOT - ../pom.xml - - - - org.apache.cloudstack - cloud-api - ${project.version} - - - org.apache.cloudstack - cloud-engine-schema - ${project.version} - - - org.apache.cloudstack - cloud-server - ${project.version} - - - org.apache.cloudstack - cloud-iam - ${project.version} - - - org.apache.cloudstack - cloud-api - ${project.version} - test-jar - test - - - diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java deleted file mode 100644 index bea3fc97d10..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddAccountToIAMGroupCmd.java +++ /dev/null @@ -1,127 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import java.util.List; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AccountResponse; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.iam.api.IAMGroup; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "addAccountToIAMGroup", description = "add account to an iam group", responseObject = IAMGroupResponse.class) -public class AddAccountToIAMGroupCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(AddAccountToIAMGroupCmd.class.getName()); - private static final String s_name = "addaccounttoiamgroupresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class, - required = true, description = "The ID of the iam group") - private Long id; - - @ACL - @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the iam group.") - private List accountIdList; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public List getAccountIdList() { - return accountIdList; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("IAM group Id: " + getId()); - IAMGroup result = _iamApiSrv.addAccountsToGroup(accountIdList, id); - if (result != null){ - IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add accounts to iam group"); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_GROUP_UPDATE; - } - - @Override - public String getEventDescription() { - return "adding accounts to iam group"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMGroup; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java deleted file mode 100644 index d69f3d0a0b9..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java +++ /dev/null @@ -1,159 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "addIAMPermissionToIAMPolicy", description = "Add IAM permission to an iam policy", responseObject = IAMPolicyResponse.class) -public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(AddIAMPermissionToIAMPolicyCmd.class.getName()); - private static final String s_name = "addiampermissiontoiampolicyresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class, - required = true, description = "The ID of the iam policy") - private Long id; - - @Parameter(name = ApiConstants.IAM_ACTION, type = CommandType.STRING, required = true, description = "action api name.") - private String action; - - @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.") - private String entityType; - - @Parameter(name = ApiConstants.IAM_SCOPE, type = CommandType.STRING, - required = false, description = "iam permission scope") - private String scope; - - @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The UUID of the permission scope id") - private String scopeId; - - @Parameter(name = ApiConstants.READ_ONLY, type = CommandType.BOOLEAN, required = false, description = "Read Only access is added; Only applicable when action = List/Read api name") - private Boolean readOnly; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public String getAction() { - return action; - } - - public String getEntityType() { - return entityType; - } - - public String getScope() { - return scope; - } - - public Long getScopeId() { - // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID. - return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId); - } - - public Boolean isReadOnly() { - return (readOnly != null) ? readOnly : false; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("IAM policy Id: " + getId()); - // Only explicit ALLOW is supported for this release, no explicit deny - IAMPolicy result = _iamApiSrv.addIAMPermissionToIAMPolicy(id, entityType, PermissionScope.valueOf(scope), - getScopeId(), action, Permission.Allow, false, isReadOnly()); - if (result != null) { - IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to iam policy " - + getId()); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_POLICY_GRANT; - } - - @Override - public String getEventDescription() { - return "granting permission to iam policy"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMPolicy; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java deleted file mode 100644 index fc174cf1594..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToAccountCmd.java +++ /dev/null @@ -1,122 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import java.util.List; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AccountResponse; -import org.apache.cloudstack.api.response.SuccessResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.context.CallContext; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "attachIAMPolicyToAccount", description = "attach iam policy to accounts", responseObject = SuccessResponse.class) -public class AttachIAMPolicyToAccountCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(AttachIAMPolicyToAccountCmd.class.getName()); - private static final String s_name = "attachiampolicytoaccountresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class, - required = true, description = "The ID of the iam policy") - private Long id; - - @ACL - @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that the policy will attach to.") - private List accountIdList; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public List getAccountIdList() { - return accountIdList; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("IAM policy Id: " + getId()); - _iamApiSrv.attachIAMPolicyToAccounts(id, accountIdList); - SuccessResponse response = new SuccessResponse(); - response.setResponseName(getCommandName()); - setResponseObject(response); - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE; - } - - @Override - public String getEventDescription() { - return "adding IAM policy to accounts"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.Account; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java deleted file mode 100644 index 1705c4a91c3..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/AttachIAMPolicyToIAMGroupCmd.java +++ /dev/null @@ -1,127 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import java.util.List; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.iam.api.IAMGroup; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "attachIAMPolicyToIAMGroup", description = "attach iam policy to an iam group", responseObject = IAMGroupResponse.class) -public class AttachIAMPolicyToIAMGroupCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(AttachIAMPolicyToIAMGroupCmd.class.getName()); - private static final String s_name = "attachiampolicytoiamgroupresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class, - required = true, description = "The ID of the iam group") - private Long id; - - @ACL - @Parameter(name = ApiConstants.IAM_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = IAMPolicyResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.") - private List policyIdList; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public List getPolicyIdList() { - return policyIdList; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("IAM group Id: " + getId()); - IAMGroup result = _iamApiSrv.attachIAMPoliciesToGroup(policyIdList, id); - if (result != null){ - IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to iam group"); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_GROUP_UPDATE; - } - - @Override - public String getEventDescription() { - return "adding iam roles to iam group"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMGroup; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java deleted file mode 100644 index 93940e810cd..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java +++ /dev/null @@ -1,168 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCreateCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.DomainResponse; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.iam.api.IAMGroup; - -import com.cloud.event.EventTypes; -import com.cloud.exception.ResourceAllocationException; -import com.cloud.user.Account; - -@APICommand(name = "createIAMGroup", responseObject = IAMGroupResponse.class, description = "Creates an IAM group") -public class CreateIAMGroupCmd extends BaseAsyncCreateCmd { - public static final Logger s_logger = Logger.getLogger(CreateIAMGroupCmd.class.getName()); - - private static final String s_name = "createiamgroupresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - // /////////////////////////////////////////////////// - // ////////////// API parameters ///////////////////// - // /////////////////////////////////////////////////// - - @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the iam group. Must be used with domainId.") - private String accountName; - - @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the iam group", entityType = DomainResponse.class) - private Long domainId; - - @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the iam group") - private String description; - - @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the iam group") - private String name; - - - // /////////////////////////////////////////////////// - // ///////////////// Accessors /////////////////////// - // /////////////////////////////////////////////////// - - public String getAccountName() { - return accountName; - } - - public String getDescription() { - return description; - } - - public Long getDomainId() { - return domainId; - } - - public String getName() { - return name; - } - - - // /////////////////////////////////////////////////// - // ///////////// API Implementation/////////////////// - // /////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - @Override - public long getEntityOwnerId() { - Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getId())) { - if ((domainId != null) && (accountName != null)) { - Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); - if (userAccount != null) { - return userAccount.getId(); - } - } - } - - if (account != null) { - return account.getId(); - } - - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this - // command to SYSTEM so ERROR events - // are tracked - } - - @Override - public void execute() { - IAMGroup grp = _entityMgr.findById(IAMGroup.class, getEntityId()); - if (grp != null) { - IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(grp); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam group:" + name); - } - } - - @Override - public void create() throws ResourceAllocationException { - Account account = CallContext.current().getCallingAccount(); - IAMGroup result = _iamApiSrv.createIAMGroup(account, name, description); - if (result != null) { - setEntityId(result.getId()); - setEntityUuid(result.getUuid()); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam group entity" + name); - } - - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_GROUP_CREATE; - } - - @Override - public String getEventDescription() { - return "creating IAM group"; - } - - @Override - public String getCreateEventType() { - return EventTypes.EVENT_IAM_GROUP_CREATE; - } - - @Override - public String getCreateEventDescription() { - return "creating IAM group"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMGroup; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java deleted file mode 100644 index 7ebab6735a7..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java +++ /dev/null @@ -1,175 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCreateCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.DomainResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.iam.api.IAMPolicy; - -import com.cloud.event.EventTypes; -import com.cloud.exception.ResourceAllocationException; -import com.cloud.user.Account; - -@APICommand(name = "createIAMPolicy", responseObject = IAMPolicyResponse.class, description = "Creates an iam policy") -public class CreateIAMPolicyCmd extends BaseAsyncCreateCmd { - public static final Logger s_logger = Logger.getLogger(CreateIAMPolicyCmd.class.getName()); - - private static final String s_name = "createiampolicyresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - // /////////////////////////////////////////////////// - // ////////////// API parameters ///////////////////// - // /////////////////////////////////////////////////// - - @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the iam policy. Must be used with domainId.") - private String accountName; - - @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the iam policy", entityType = DomainResponse.class) - private Long domainId; - - @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the iam policy") - private String description; - - @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the iam policy") - private String name; - - @ACL - @Parameter(name = ApiConstants.IAM_PARENT_POLICY_ID, type = CommandType.UUID, description = "The ID of parent iam policy.", entityType = IAMPolicyResponse.class) - private Long parentPolicyId; - - - // /////////////////////////////////////////////////// - // ///////////////// Accessors /////////////////////// - // /////////////////////////////////////////////////// - - public String getAccountName() { - return accountName; - } - - public String getDescription() { - return description; - } - - public Long getDomainId() { - return domainId; - } - - public String getName() { - return name; - } - - public Long getParentPolicyId() { - return parentPolicyId; - } - - // /////////////////////////////////////////////////// - // ///////////// API Implementation/////////////////// - // /////////////////////////////////////////////////// - - @Override - public String getCommandName() { - return s_name; - } - - @Override - public long getEntityOwnerId() { - Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getId())) { - if ((domainId != null) && (accountName != null)) { - Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); - if (userAccount != null) { - return userAccount.getId(); - } - } - } - - if (account != null) { - return account.getId(); - } - - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this - // command to SYSTEM so ERROR events - // are tracked - } - - @Override - public void execute() { - IAMPolicy policy = _entityMgr.findById(IAMPolicy.class, getEntityId()); - if (policy != null) { - IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(policy); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam policy:" + name); - } - } - - @Override - public void create() throws ResourceAllocationException { - Account account = CallContext.current().getCallingAccount(); - IAMPolicy result = _iamApiSrv.createIAMPolicy(account, name, description, parentPolicyId); - if (result != null) { - setEntityId(result.getId()); - setEntityUuid(result.getUuid()); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create iam policy entity" + name); - } - - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_POLICY_CREATE; - } - - @Override - public String getEventDescription() { - return "creating IAM policy"; - } - - @Override - public String getCreateEventType() { - return EventTypes.EVENT_IAM_POLICY_CREATE; - } - - @Override - public String getCreateEventDescription() { - return "creating IAM policy"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMPolicy; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java deleted file mode 100644 index 60b1e24fecb..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMGroupCmd.java +++ /dev/null @@ -1,102 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.SuccessResponse; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; -import org.apache.cloudstack.iam.IAMApiService; - -import com.cloud.event.EventTypes; -import com.cloud.user.Account; - -@APICommand(name = "deleteIAMGroup", description = "Deletes acl group", responseObject = SuccessResponse.class) -public class DeleteIAMGroupCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(DeleteIAMGroupCmd.class.getName()); - private static final String s_name = "deleteaclgroupresponse"; - - @Inject - public IAMApiService _aclApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl group.", required = true, entityType = IAMGroupResponse.class) - private Long id; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - public Long getId() { - return id; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - @Override - public String getCommandName() { - return s_name; - } - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; - } - - @Override - public void execute(){ - boolean result = _aclApiSrv.deleteIAMGroup(id); - if (result) { - SuccessResponse response = new SuccessResponse(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl group"); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_GROUP_DELETE; - } - - @Override - public String getEventDescription() { - return "Deleting Acl group"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMGroup; - } -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java deleted file mode 100644 index 037f4cd5991..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/DeleteIAMPolicyCmd.java +++ /dev/null @@ -1,102 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.SuccessResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; - -import com.cloud.event.EventTypes; -import com.cloud.user.Account; - -@APICommand(name = "deleteIAMPolicy", description = "Deletes iam policy", responseObject = SuccessResponse.class) -public class DeleteIAMPolicyCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(DeleteIAMPolicyCmd.class.getName()); - private static final String s_name = "deleteiampolicyresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the iam policy.", required = true, entityType = IAMPolicyResponse.class) - private Long id; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - public Long getId() { - return id; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - @Override - public String getCommandName() { - return s_name; - } - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; - } - - @Override - public void execute(){ - boolean result = _iamApiSrv.deleteIAMPolicy(id); - if (result) { - SuccessResponse response = new SuccessResponse(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete iam policy"); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_POLICY_DELETE; - } - - @Override - public String getEventDescription() { - return "Deleting IAM policy"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMPolicy; - } -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java deleted file mode 100644 index ece87fa3379..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMGroupsCmd.java +++ /dev/null @@ -1,88 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseListDomainResourcesCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.response.ListResponse; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; - - -@APICommand(name = "listIAMGroups", description = "Lists iam groups", responseObject = IAMGroupResponse.class) -public class ListIAMGroupsCmd extends BaseListDomainResourcesCmd { - public static final Logger s_logger = Logger.getLogger(ListIAMGroupsCmd.class.getName()); - - private static final String s_name = "listiamgroupsresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists iam groups by name") - private String iamGroupName; - - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the iam group by the id provided", entityType = IAMGroupResponse.class) - private Long id; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - public String getIAMGroupName() { - return iamGroupName; - } - - - public Long getId(){ - return id; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - @Override - public String getCommandName() { - return s_name; - } - - @Override - public void execute(){ - - ListResponse response = _iamApiSrv.listIAMGroups(id, iamGroupName, getDomainId(), - getStartIndex(), getPageSizeVal()); - response.setResponseName(getCommandName()); - setResponseObject(response); - - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMGroup; - } -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java deleted file mode 100644 index 096cc3b4ce8..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/ListIAMPoliciesCmd.java +++ /dev/null @@ -1,88 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseListDomainResourcesCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.response.ListResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; - - -@APICommand(name = "listIAMPolicies", description = "Lists IAM policies", responseObject = IAMPolicyResponse.class) -public class ListIAMPoliciesCmd extends BaseListDomainResourcesCmd { - public static final Logger s_logger = Logger.getLogger(ListIAMPoliciesCmd.class.getName()); - - private static final String s_name = "listiampoliciesresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists iam policies by name") - private String iamPolicyName; - - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the iam policy by the id provided", entityType = IAMPolicyResponse.class) - private Long id; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - public String getIAMPolicyName() { - return iamPolicyName; - } - - - public Long getId(){ - return id; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - @Override - public String getCommandName() { - return s_name; - } - - @Override - public void execute(){ - - ListResponse response = _iamApiSrv.listIAMPolicies(id, iamPolicyName, getDomainId(), - getStartIndex(), getPageSizeVal()); - response.setResponseName(getCommandName()); - setResponseObject(response); - - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMPolicy; - } -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java deleted file mode 100644 index 5ff5039c7b0..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveAccountFromIAMGroupCmd.java +++ /dev/null @@ -1,127 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import java.util.List; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AccountResponse; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.iam.api.IAMGroup; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "removeAccountFromIAMGroup", description = "remove accounts from an iam group", responseObject = IAMGroupResponse.class) -public class RemoveAccountFromIAMGroupCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(RemoveAccountFromIAMGroupCmd.class.getName()); - private static final String s_name = "removeaccountfromiamgroupresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class, - required = true, description = "The ID of the iam group") - private Long id; - - @ACL - @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the iam group.") - private List accountIdList; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public List getAccountIdList() { - return accountIdList; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("IAM group Id: " + getId()); - IAMGroup result = _iamApiSrv.removeAccountsFromGroup(accountIdList, id); - if (result != null){ - IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove accounts from iam group"); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_GROUP_UPDATE; - } - - @Override - public String getEventDescription() { - return "removing accounts from iam group"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMGroup; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java deleted file mode 100644 index bf065a01a50..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java +++ /dev/null @@ -1,148 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.iam.api.IAMPolicy; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "removeIAMPermissionFromIAMPolicy", description = "Remove iam permission from an iam policy", responseObject = IAMPolicyResponse.class) -public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(RemoveIAMPermissionFromIAMPolicyCmd.class.getName()); - private static final String s_name = "removeiampermissionfromiampolicyresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class, - required = true, description = "The ID of the iam policy") - private Long id; - - @Parameter(name = ApiConstants.IAM_ACTION, type = CommandType.STRING, required = true, description = "action api name.") - private String action; - - @Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.") - private String entityType; - - @Parameter(name = ApiConstants.IAM_SCOPE, type = CommandType.STRING, - required = false, description = "iam permission scope") - private String scope; - - @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The ID of the permission scope id") - private String scopeId; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public String getAction() { - return action; - } - - public String getEntityType() { - return entityType; - } - - public String getScope() { - return scope; - } - - public Long getScopeId() { - // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID. - return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId); - } - - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("IAM policy Id: " + getId()); - IAMPolicy result = _iamApiSrv.removeIAMPermissionFromIAMPolicy(id, entityType, PermissionScope.valueOf(scope), getScopeId(), action); - if (result != null) { - IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove permission from iam policy " + getId()); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_POLICY_REVOKE; - } - - @Override - public String getEventDescription() { - return "removing permission from iam policy"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMPolicy; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java deleted file mode 100644 index 48c2a7386b9..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromAccountCmd.java +++ /dev/null @@ -1,122 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import java.util.List; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.AccountResponse; -import org.apache.cloudstack.api.response.SuccessResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.iam.IAMApiService; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "removeIAMPolicyFromAccount", description = "remove iam policy from accounts", responseObject = SuccessResponse.class) -public class RemoveIAMPolicyFromAccountCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(RemoveIAMPolicyFromAccountCmd.class.getName()); - private static final String s_name = "removeiampolicyfromaccountresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMPolicyResponse.class, - required = true, description = "The ID of the iam group") - private Long id; - - @ACL - @Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.") - private List accountIdList; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public List getAccountIdList() { - return accountIdList; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("IAM policy Id: " + getId()); - _iamApiSrv.removeIAMPolicyFromAccounts(id, accountIdList); - SuccessResponse response = new SuccessResponse(); - response.setResponseName(getCommandName()); - setResponseObject(response); - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE; - } - - @Override - public String getEventDescription() { - return "removing iam policy from accounts"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.Account; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java deleted file mode 100644 index a99143d9f56..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/command/iam/RemoveIAMPolicyFromIAMGroupCmd.java +++ /dev/null @@ -1,127 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.command.iam; - -import java.util.List; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.ApiCommandJobType; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.ApiErrorCode; -import org.apache.cloudstack.api.BaseAsyncCmd; -import org.apache.cloudstack.api.Parameter; -import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.iam.api.IAMGroup; - -import com.cloud.event.EventTypes; -import com.cloud.exception.InsufficientCapacityException; -import com.cloud.exception.ResourceUnavailableException; -import com.cloud.user.Account; - - -@APICommand(name = "removeIAMPolicyFromIAMGroup", description = "remove iam policy from an iam group", responseObject = IAMGroupResponse.class) -public class RemoveIAMPolicyFromIAMGroupCmd extends BaseAsyncCmd { - public static final Logger s_logger = Logger.getLogger(RemoveIAMPolicyFromIAMGroupCmd.class.getName()); - private static final String s_name = "removeiampolicyfromiamgroupresponse"; - - @Inject - public IAMApiService _iamApiSrv; - - ///////////////////////////////////////////////////// - //////////////// API parameters ///////////////////// - ///////////////////////////////////////////////////// - - - @ACL - @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = IAMGroupResponse.class, - required = true, description = "The ID of the iam group") - private Long id; - - @ACL - @Parameter(name = ApiConstants.IAM_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = IAMPolicyResponse.class, description = "comma separated list of iam policy id that are going to be applied to the iam group.") - private List policyIdList; - - - ///////////////////////////////////////////////////// - /////////////////// Accessors /////////////////////// - ///////////////////////////////////////////////////// - - - public Long getId() { - return id; - } - - - public List getRoleIdList() { - return policyIdList; - } - - ///////////////////////////////////////////////////// - /////////////// API Implementation/////////////////// - ///////////////////////////////////////////////////// - - - @Override - public String getCommandName() { - return s_name; - } - - - @Override - public long getEntityOwnerId() { - return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked - } - - @Override - public void execute() throws ResourceUnavailableException, - InsufficientCapacityException, ServerApiException { - CallContext.current().setEventDetails("IAM group Id: " + getId()); - IAMGroup result = _iamApiSrv.removeIAMPoliciesFromGroup(policyIdList, id); - if (result != null){ - IAMGroupResponse response = _iamApiSrv.createIAMGroupResponse(result); - response.setResponseName(getCommandName()); - setResponseObject(response); - } else { - throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to iam group"); - } - } - - @Override - public String getEventType() { - return EventTypes.EVENT_IAM_GROUP_UPDATE; - } - - @Override - public String getEventDescription() { - return "removing IAM roles from IAM group"; - } - - @Override - public ApiCommandJobType getInstanceType() { - return ApiCommandJobType.IAMGroup; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java deleted file mode 100644 index af28d53ff3c..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMGroupResponse.java +++ /dev/null @@ -1,193 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.response.iam; - -import java.util.LinkedHashSet; -import java.util.Set; - -import com.google.gson.annotations.SerializedName; - -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseResponse; -import org.apache.cloudstack.api.EntityReference; -import org.apache.cloudstack.api.response.ControlledViewEntityResponse; -import org.apache.cloudstack.iam.api.IAMGroup; - -import com.cloud.serializer.Param; - -@SuppressWarnings("unused") -@EntityReference(value = IAMGroup.class) -public class IAMGroupResponse extends BaseResponse implements ControlledViewEntityResponse { - - @SerializedName(ApiConstants.ID) - @Param(description = "the ID of the iam group") - private String id; - - @SerializedName(ApiConstants.NAME) - @Param(description = "the name of the iam group") - private String name; - - @SerializedName(ApiConstants.DESCRIPTION) - @Param(description = "the description of the iam group") - private String description; - - @SerializedName(ApiConstants.DOMAIN_ID) - @Param(description = "the domain ID of the iam group") - private String domainId; - - @SerializedName(ApiConstants.DOMAIN) - @Param(description = "the domain name of the iam role") - private String domainName; - - @SerializedName(ApiConstants.ACCOUNT) - @Param(description = "the account owning the policy") - private String accountName; - - @SerializedName(ApiConstants.IAM_MEMBER_ACCOUNTS) - @Param(description = "account names assigned to this iam group ") - private Set accountNameList; - - @SerializedName(ApiConstants.IAM_POLICIES) - @Param(description = "iam policies attached to this iam group ") - private Set policyNameList; - - public IAMGroupResponse() { - accountNameList = new LinkedHashSet(); - policyNameList = new LinkedHashSet(); - } - - @Override - public String getObjectId() { - return getId(); - } - - - public String getId() { - return id; - } - - public void setId(String id) { - this.id = id; - } - - - public void setName(String name) { - this.name = name; - } - - public void setDescription(String description) { - this.description = description; - } - - @Override - public void setDomainId(String domainId) { - this.domainId = domainId; - } - - @Override - public void setDomainName(String domainName) { - this.domainName = domainName; - } - - @Override - public void setAccountName(String accountName) { - this.accountName = accountName; - - } - - @Override - public void setProjectId(String projectId) { - // TODO Auto-generated method stub - - } - - @Override - public void setProjectName(String projectName) { - // TODO Auto-generated method stub - - } - - public String getName() { - return name; - } - - public String getDescription() { - return description; - } - - public String getDomainId() { - return domainId; - } - - public String getDomainName() { - return domainName; - } - - public String getAccountName() { - return accountName; - } - - public Set getAccountNameList() { - return accountNameList; - } - - public void setMemberAccounts(Set accts) { - accountNameList = accts; - } - - public void addMemberAccount(String acct) { - accountNameList.add(acct); - } - - public void setPolicyList(Set policies) { - policyNameList = policies; - } - - public void addPolicy(String policy) { - policyNameList.add(policy); - } - - public Set getPolicyList() { - return policyNameList; - } - - @Override - public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result + ((id == null) ? 0 : id.hashCode()); - return result; - } - - @Override - public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - IAMGroupResponse other = (IAMGroupResponse)obj; - if (id == null) { - if (other.id != null) - return false; - } else if (!id.equals(other.id)) - return false; - return true; - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java deleted file mode 100644 index 046e1f4d34c..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPermissionResponse.java +++ /dev/null @@ -1,124 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.response.iam; - -import com.google.gson.annotations.SerializedName; - -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseResponse; -import org.apache.cloudstack.iam.api.IAMPolicyPermission; - -import com.cloud.serializer.Param; - -public class IAMPermissionResponse extends BaseResponse { - - @SerializedName(ApiConstants.IAM_ACTION) - @Param(description = "action of this permission") - private String action; - - @SerializedName(ApiConstants.ENTITY_TYPE) - @Param(description = "the entity type of this permission") - private String entityType; - - @SerializedName(ApiConstants.IAM_SCOPE) - @Param(description = "scope of this permission") - private PermissionScope scope; - - @SerializedName(ApiConstants.IAM_SCOPE_ID) - @Param(description = "scope id of this permission") - private Long scopeId; - - @SerializedName(ApiConstants.IAM_ALLOW_DENY) - @Param(description = "allow or deny of this permission") - private IAMPolicyPermission.Permission permission; - - public String getEntityType() { - return entityType; - } - - public void setEntityType(String entityType) { - this.entityType = entityType; - } - - public String getAction() { - return action; - } - - public void setAction(String action) { - this.action = action; - } - - public PermissionScope getScope() { - return scope; - } - - public void setScope(PermissionScope scope) { - this.scope = scope; - } - - public Long getScopeId() { - return scopeId; - } - - public void setScopeId(Long scopeId) { - this.scopeId = scopeId; - } - - public IAMPolicyPermission.Permission getPermission() { - return permission; - } - - public void setPermission(IAMPolicyPermission.Permission permission) { - this.permission = permission; - } - - @Override - public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result + ((action == null) ? 0 : action.hashCode()); - result = prime * result + ((entityType == null) ? 0 : entityType.hashCode()); - result = prime * result + ((scope == null) ? 0 : scope.hashCode()); - result = prime * result + ((scopeId == null) ? 0 : scopeId.hashCode()); - return result; - } - - @Override - public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - IAMPermissionResponse other = (IAMPermissionResponse) obj; - if ((entityType == null && other.entityType != null) || (entityType != null && !entityType.equals(other.entityType))) { - return false; - } else if ((action == null && other.action != null) || (action != null && !action.equals(other.action))) { - return false; - } else if ((scope == null && other.scope != null) || (scope != null && !scope.equals(other.scope))) { - return false; - } else if ((scopeId == null && other.scopeId != null) || (scopeId != null && !scopeId.equals(other.scopeId))) { - return false; - } - return true; - } - - - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java deleted file mode 100644 index dc29369a39c..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/api/response/iam/IAMPolicyResponse.java +++ /dev/null @@ -1,177 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.api.response.iam; - -import java.util.LinkedHashSet; -import java.util.Set; - -import com.google.gson.annotations.SerializedName; - -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseResponse; -import org.apache.cloudstack.api.EntityReference; -import org.apache.cloudstack.api.response.ControlledViewEntityResponse; -import org.apache.cloudstack.iam.api.IAMPolicy; - -import com.cloud.serializer.Param; - -@SuppressWarnings("unused") -@EntityReference(value = IAMPolicy.class) -public class IAMPolicyResponse extends BaseResponse implements ControlledViewEntityResponse { - - @SerializedName(ApiConstants.ID) - @Param(description = "the ID of the iam policy") - private String id; - - @SerializedName(ApiConstants.NAME) - @Param(description = "the name of the iam policy") - private String name; - - @SerializedName(ApiConstants.DESCRIPTION) - @Param(description = "the description of the iam policy") - private String description; - - @SerializedName(ApiConstants.DOMAIN_ID) - @Param(description = "the domain ID of the iam policy") - private String domainId; - - @SerializedName(ApiConstants.DOMAIN) - @Param(description = "the domain name of the iam policy") - private String domainName; - - @SerializedName(ApiConstants.ACCOUNT) - @Param(description = "the account owning the policy") - private String accountName; - - @SerializedName(ApiConstants.IAM_PERMISSIONS) - @Param(description = "set of permissions for the iam policy") - private Set permissionList; - - public IAMPolicyResponse() { - permissionList = new LinkedHashSet(); - } - - @Override - public String getObjectId() { - return getId(); - } - - - public String getId() { - return id; - } - - public void setId(String id) { - this.id = id; - } - - - public void setName(String name) { - this.name = name; - } - - public void setDescription(String description) { - this.description = description; - } - - @Override - public void setDomainId(String domainId) { - this.domainId = domainId; - } - - @Override - public void setDomainName(String domainName) { - this.domainName = domainName; - } - - public Set getPermissionList() { - return permissionList; - } - - public void setPermissionList(Set perms) { - permissionList = perms; - } - - public void addPermission(IAMPermissionResponse perm) { - permissionList.add(perm); - } - - @Override - public void setAccountName(String accountName) { - this.accountName = accountName; - } - - @Override - public void setProjectId(String projectId) { - // TODO Auto-generated method stub - - } - - @Override - public void setProjectName(String projectName) { - // TODO Auto-generated method stub - - } - - public String getName() { - return name; - } - - public String getDescription() { - return description; - } - - public String getDomainId() { - return domainId; - } - - public String getDomainName() { - return domainName; - } - - public String getAccountName() { - return accountName; - } - - @Override - public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result + ((id == null) ? 0 : id.hashCode()); - return result; - } - - @Override - public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - IAMPolicyResponse other = (IAMPolicyResponse) obj; - if (id == null) { - if (other.id != null) - return false; - } else if (!id.equals(other.id)) - return false; - return true; - } - - - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java deleted file mode 100644 index 6735d4804d1..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiService.java +++ /dev/null @@ -1,87 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam; - -import java.util.List; - -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.api.response.ListResponse; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.iam.api.IAMGroup; -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.api.IAMPolicyPermission; -import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; - -import com.cloud.user.Account; -import com.cloud.utils.component.PluggableService; - -public interface IAMApiService extends PluggableService { - - /* ACL group related interfaces */ - IAMGroup createIAMGroup(Account caller, String iamGroupName, String description); - - boolean deleteIAMGroup(Long iamGroupId); - - List listIAMGroups(long accountId); - - IAMGroup addAccountsToGroup(List acctIds, Long groupId); - - IAMGroup removeAccountsFromGroup(List acctIds, Long groupId); - - /* IAM Policy related interfaces */ - IAMPolicy createIAMPolicy(Account caller, String iamPolicyName, String description, Long parentPolicyId); - - boolean deleteIAMPolicy(long iamPolicyId); - - List listIAMPolicies(long accountId); - - IAMGroup attachIAMPoliciesToGroup(List policyIds, Long groupId); - - IAMGroup removeIAMPoliciesFromGroup(List policyIds, Long groupId); - - void attachIAMPolicyToAccounts(Long policyId, List accountIds); - - void removeIAMPolicyFromAccounts(Long policyId, List accountIds); - - IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, - String action, Permission perm, Boolean recursive, Boolean readOnly); - - IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action); - - IAMPolicyPermission getIAMPolicyPermission(long accountId, String entityType, String action); - - /* Utility routine to grant/revoke invidivual resource to list of accounts */ - void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds); - - void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds); - - /* Response Generation */ - IAMPolicyResponse createIAMPolicyResponse(IAMPolicy policy); - - IAMGroupResponse createIAMGroupResponse(IAMGroup group); - - ListResponse listIAMGroups(Long iamGroupId, String iamGroupName, - Long domainId, Long startIndex, Long pageSize); - - ListResponse listIAMPolicies(Long iamPolicyId, String iamPolicyName, - Long domainId, Long startIndex, Long pageSize); - - // Convert passed scope uuid to internal scope long id - Long getPermissionScopeId(String scope, String entityType, String scopeId); -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java deleted file mode 100644 index b0dc3839ade..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/IAMApiServiceImpl.java +++ /dev/null @@ -1,825 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam; - -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -import javax.inject.Inject; -import javax.naming.ConfigurationException; - -import org.apache.log4j.Logger; -import org.bouncycastle.util.IPAddress; - -import com.amazonaws.auth.policy.Condition; -import com.amazonaws.services.ec2.model.SecurityGroup; -import com.amazonaws.services.ec2.model.Snapshot; -import com.amazonaws.services.ec2.model.Volume; -import com.amazonaws.services.ec2.model.Vpc; -import com.amazonaws.services.elasticache.model.Event; - -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.affinity.AffinityGroup; -import org.apache.cloudstack.api.ApiConstants; -import org.apache.cloudstack.api.BaseListCmd; -import org.apache.cloudstack.api.InternalIdentity; -import org.apache.cloudstack.api.command.iam.AddAccountToIAMGroupCmd; -import org.apache.cloudstack.api.command.iam.AddIAMPermissionToIAMPolicyCmd; -import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToAccountCmd; -import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToIAMGroupCmd; -import org.apache.cloudstack.api.command.iam.CreateIAMGroupCmd; -import org.apache.cloudstack.api.command.iam.CreateIAMPolicyCmd; -import org.apache.cloudstack.api.command.iam.DeleteIAMGroupCmd; -import org.apache.cloudstack.api.command.iam.DeleteIAMPolicyCmd; -import org.apache.cloudstack.api.command.iam.ListIAMGroupsCmd; -import org.apache.cloudstack.api.command.iam.ListIAMPoliciesCmd; -import org.apache.cloudstack.api.command.iam.RemoveAccountFromIAMGroupCmd; -import org.apache.cloudstack.api.command.iam.RemoveIAMPermissionFromIAMPolicyCmd; -import org.apache.cloudstack.api.command.iam.RemoveIAMPolicyFromAccountCmd; -import org.apache.cloudstack.api.command.iam.RemoveIAMPolicyFromIAMGroupCmd; -import org.apache.cloudstack.api.response.ListResponse; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; -import org.apache.cloudstack.api.response.iam.IAMPermissionResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.framework.jobs.AsyncJob; -import org.apache.cloudstack.framework.messagebus.MessageBus; -import org.apache.cloudstack.framework.messagebus.MessageSubscriber; -import org.apache.cloudstack.iam.api.IAMGroup; -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.api.IAMPolicyPermission; -import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; -import org.apache.cloudstack.iam.api.IAMService; - -import com.cloud.api.ApiServerService; -import com.cloud.domain.Domain; -import com.cloud.domain.DomainVO; -import com.cloud.domain.dao.DomainDao; -import com.cloud.event.ActionEvent; -import com.cloud.event.EventTypes; -import com.cloud.exception.InvalidParameterValueException; -import com.cloud.network.IpAddress; -import com.cloud.network.MonitoringService; -import com.cloud.network.Network; -import com.cloud.network.RemoteAccessVpn; -import com.cloud.network.Site2SiteCustomerGateway; -import com.cloud.network.Site2SiteVpnConnection; -import com.cloud.network.Site2SiteVpnGateway; -import com.cloud.network.UserIpv6Address; -import com.cloud.network.VpnUser; -import com.cloud.network.as.AutoScalePolicy; -import com.cloud.network.as.AutoScaleVmGroup; -import com.cloud.network.as.AutoScaleVmProfile; -import com.cloud.network.lb.SslCert; -import com.cloud.network.rules.FirewallRule; -import com.cloud.network.rules.PortForwardingRule; -import com.cloud.network.vpc.StaticRoute; -import com.cloud.network.vpc.VpcGateway; -import com.cloud.projects.ProjectInvitation; -import com.cloud.region.ha.GlobalLoadBalancerRule; -import com.cloud.server.ResourceTag; -import com.cloud.template.TemplateManager; -import com.cloud.template.VirtualMachineTemplate; -import com.cloud.user.Account; -import com.cloud.user.AccountManager; -import com.cloud.user.AccountVO; -import com.cloud.user.DomainManager; -import com.cloud.user.SSHKeyPair; -import com.cloud.user.dao.AccountDao; -import com.cloud.utils.Pair; -import com.cloud.utils.component.Manager; -import com.cloud.utils.component.ManagerBase; -import com.cloud.utils.db.DB; -import com.cloud.utils.db.EntityManager; -import com.cloud.vm.InstanceGroup; -import com.cloud.vm.NicIpAlias; -import com.cloud.vm.NicSecondaryIp; -import com.cloud.vm.VirtualMachine; -import com.cloud.vm.snapshot.VMSnapshot; - -public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Manager { - - public static final Logger s_logger = Logger.getLogger(IAMApiServiceImpl.class); - private String _name; - - @Inject - ApiServerService _apiServer; - - @Inject - IAMService _iamSrv; - - @Inject - DomainDao _domainDao; - - @Inject - AccountDao _accountDao; - - @Inject - AccountManager _accountMgr; - - @Inject - MessageBus _messageBus; - - @Inject - EntityManager _entityMgr; - - private static final Map> s_typeMap = new HashMap>(); - static { - s_typeMap.put(VirtualMachine.class.getSimpleName(), VirtualMachine.class); - s_typeMap.put(Volume.class.getSimpleName(), Volume.class); - s_typeMap.put(ResourceTag.class.getSimpleName(), ResourceTag.class); - s_typeMap.put(Account.class.getSimpleName(), Account.class); - s_typeMap.put(AffinityGroup.class.getSimpleName(), AffinityGroup.class); - s_typeMap.put(AutoScalePolicy.class.getSimpleName(), AutoScalePolicy.class); - s_typeMap.put(AutoScaleVmProfile.class.getSimpleName(), AutoScaleVmProfile.class); - s_typeMap.put(AutoScaleVmGroup.class.getSimpleName(), AutoScaleVmGroup.class); - s_typeMap.put(Condition.class.getSimpleName(), Condition.class); - s_typeMap.put(Vpc.class.getSimpleName(), Vpc.class); - s_typeMap.put(VpcGateway.class.getSimpleName(), VpcGateway.class); - s_typeMap.put(VpnUser.class.getSimpleName(), VpnUser.class); - s_typeMap.put(VMSnapshot.class.getSimpleName(), VMSnapshot.class); - s_typeMap.put(VirtualMachineTemplate.class.getSimpleName(), VirtualMachineTemplate.class); - s_typeMap.put(UserIpv6Address.class.getSimpleName(), UserIpv6Address.class); - s_typeMap.put(StaticRoute.class.getSimpleName(), StaticRoute.class); - s_typeMap.put(SSHKeyPair.class.getSimpleName(), SSHKeyPair.class); - s_typeMap.put(Snapshot.class.getSimpleName(), Snapshot.class); - s_typeMap.put(Site2SiteVpnGateway.class.getSimpleName(), Site2SiteVpnGateway.class); - s_typeMap.put(Site2SiteCustomerGateway.class.getSimpleName(), Site2SiteCustomerGateway.class); - s_typeMap.put(Site2SiteVpnConnection.class.getSimpleName(), Site2SiteVpnConnection.class); - s_typeMap.put(SecurityGroup.class.getSimpleName(), SecurityGroup.class); - s_typeMap.put(RemoteAccessVpn.class.getSimpleName(), RemoteAccessVpn.class); - s_typeMap.put(ProjectInvitation.class.getSimpleName(), ProjectInvitation.class); - s_typeMap.put(NicSecondaryIp.class.getSimpleName(), NicSecondaryIp.class); - s_typeMap.put(NicIpAlias.class.getSimpleName(), NicIpAlias.class); - s_typeMap.put(Network.class.getSimpleName(), Network.class); - s_typeMap.put(IpAddress.class.getSimpleName(), IPAddress.class); - s_typeMap.put(InstanceGroup.class.getSimpleName(), InstanceGroup.class); - s_typeMap.put(GlobalLoadBalancerRule.class.getSimpleName(), GlobalLoadBalancerRule.class); - s_typeMap.put(FirewallRule.class.getSimpleName(), FirewallRule.class); - s_typeMap.put(PortForwardingRule.class.getSimpleName(), PortForwardingRule.class); - s_typeMap.put(Event.class.getSimpleName(), Event.class); - s_typeMap.put(AsyncJob.class.getSimpleName(), AsyncJob.class); - s_typeMap.put(IAMGroup.class.getSimpleName(), IAMGroup.class); - s_typeMap.put(IAMPolicy.class.getSimpleName(), IAMPolicy.class); - s_typeMap.put(MonitoringService.class.getSimpleName(), MonitoringService.class); - s_typeMap.put(SslCert.class.getSimpleName(), SslCert.class); - } - - @Override - public boolean configure(final String name, final Map params) throws ConfigurationException { - - _messageBus.subscribe(AccountManager.MESSAGE_ADD_ACCOUNT_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - HashMap acctGroupMap = (HashMap) obj; - for (Long accountId : acctGroupMap.keySet()) { - Long groupId = acctGroupMap.get(accountId); - s_logger.debug("MessageBus message: new Account Added: " + accountId + ", adding it to groupId :" - + groupId); - addAccountToIAMGroup(accountId, groupId); - // add it to domain group too - AccountVO account = _accountDao.findById(accountId); - Domain domain = _domainDao.findById(account.getDomainId()); - if (domain != null) { - List domainGroups = listDomainGroup(domain); - - if (domainGroups != null) { - for (IAMGroup group : domainGroups) { - addAccountToIAMGroup(accountId, new Long(group.getId())); - } - } - } - } - } - }); - - _messageBus.subscribe(AccountManager.MESSAGE_REMOVE_ACCOUNT_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long accountId = ((Long) obj); - if (accountId != null) { - s_logger.debug("MessageBus message: Account removed: " + accountId - + ", releasing the group associations"); - removeAccountFromIAMGroups(accountId); - } - } - }); - - _messageBus.subscribe(DomainManager.MESSAGE_ADD_DOMAIN_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long domainId = ((Long) obj); - if (domainId != null) { - s_logger.debug("MessageBus message: new Domain created: " + domainId + ", creating a new group"); - Domain domain = _domainDao.findById(domainId); - _iamSrv.createIAMGroup("DomainGrp-" + domain.getUuid(), "Domain group", domain.getPath()); - } - } - }); - - _messageBus.subscribe(DomainManager.MESSAGE_REMOVE_DOMAIN_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long domainId = ((Long) obj); - if (domainId != null) { - s_logger.debug("MessageBus message: Domain removed: " + domainId + ", removing the domain group"); - Domain domain = _domainDao.findById(domainId); - List groups = listDomainGroup(domain); - for (IAMGroup group : groups) { - _iamSrv.deleteIAMGroup(group.getId()); - } - } - } - }); - - _messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long templateId = (Long)obj; - if (templateId != null) { - s_logger.debug("MessageBus message: new public template registered: " + templateId - + ", grant permission to default root admin, domain admin and normal user policies"); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), - PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), - PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(), - PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - } - } - }); - - _messageBus.subscribe(TemplateManager.MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Long templateId = (Long)obj; - if (templateId != null) { - s_logger.debug("MessageBus message: reset template permission: " + templateId); - resetTemplatePermission(templateId); - } - } - }); - - _messageBus.subscribe(EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Pair, Long> entity = (Pair, Long>)obj; - if (entity != null) { - String entityType = entity.first().getSimpleName(); - Long entityId = entity.second(); - s_logger.debug("MessageBus message: delete an entity: (" + entityType + "," + entityId + "), remove its related permission"); - _iamSrv.removeIAMPermissionForEntity(entityType, entityId); - } - } - }); - - - _messageBus.subscribe(EntityManager.MESSAGE_GRANT_ENTITY_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Map permit = (Map)obj; - if (permit != null) { - Class entityType = (Class)permit.get(ApiConstants.ENTITY_TYPE); - Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID); - AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE); - String action = (String)permit.get(ApiConstants.IAM_ACTION); - List acctIds = (List)permit.get(ApiConstants.ACCOUNTS); - s_logger.debug("MessageBus message: grant accounts permission to an entity: (" + entityType + "," + entityId + ")"); - grantEntityPermissioinToAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds); - } - } - }); - - _messageBus.subscribe(EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Map permit = (Map)obj; - if (permit != null) { - Class entityType = (Class)permit.get(ApiConstants.ENTITY_TYPE); - Long entityId = (Long)permit.get(ApiConstants.ENTITY_ID); - AccessType accessType = (AccessType)permit.get(ApiConstants.ACCESS_TYPE); - String action = (String)permit.get(ApiConstants.IAM_ACTION); - List acctIds = (List)permit.get(ApiConstants.ACCOUNTS); - s_logger.debug("MessageBus message: revoke from accounts permission to an entity: (" + entityType + "," + entityId + ")"); - revokeEntityPermissioinFromAccounts(entityType.getSimpleName(), entityId, accessType, action, acctIds); - } - } - }); - - _messageBus.subscribe(EntityManager.MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT, new MessageSubscriber() { - @Override - public void onPublishMessage(String senderAddress, String subject, Object obj) { - Map params = (Map) obj; - if (params != null) { - addDomainWideResourceAccess(params); - } - } - }); - - return super.configure(name, params); - } - - @Override - public boolean start() { - s_logger.info("Populating IAM group and account association for default accounts..."); - - // populate group <-> account association if not present for CS admin - // and system accounts - populateIAMGroupAdminAccountMap(); - - return true; - } - - private void populateIAMGroupAdminAccountMap() { - List sysAccts = new ArrayList(); - sysAccts.add(Account.ACCOUNT_ID_SYSTEM); - sysAccts.add(Account.ACCOUNT_ID_SYSTEM + 1); - _iamSrv.addAccountsToGroup(sysAccts, new Long(Account.ACCOUNT_TYPE_ADMIN + 1)); - } - - private void addDomainWideResourceAccess(Map params) { - - Class entityType = (Class)params.get(ApiConstants.ENTITY_TYPE); - Long entityId = (Long) params.get(ApiConstants.ENTITY_ID); - Long domainId = (Long) params.get(ApiConstants.DOMAIN_ID); - Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS); - - if (entityType == Network.class) { - createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.toString(), - entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive); - } else if (entityType == AffinityGroup.class) { - createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.toString(), - entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive); - } - - } - - private void createPolicyAndAddToDomainGroup(String policyName, String description, String entityType, - Long entityId, String action, AccessType accessType, Long domainId, Boolean recursive) { - - Domain domain = _domainDao.findById(domainId); - if (domain != null) { - IAMPolicy policy = _iamSrv.createIAMPolicy(policyName, description, null, domain.getPath()); - _iamSrv.addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE.toString(), - entityId, action, accessType.toString(), Permission.Allow, recursive); - List policyList = new ArrayList(); - policyList.add(new Long(policy.getId())); - - List domainGroups = listDomainGroup(domain); - if (domainGroups != null) { - for (IAMGroup group : domainGroups) { - _iamSrv.attachIAMPoliciesToGroup(policyList, group.getId()); - } - } - } - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true) - public IAMGroup createIAMGroup(Account caller, String iamGroupName, String description) { - Long domainId = caller.getDomainId(); - Domain callerDomain = _domainDao.findById(domainId); - if (callerDomain == null) { - throw new InvalidParameterValueException("Caller does not have a domain"); - } - return _iamSrv.createIAMGroup(iamGroupName, description, callerDomain.getPath()); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_DELETE, eventDescription = "Deleting Acl Group") - public boolean deleteIAMGroup(final Long iamGroupId) { - return _iamSrv.deleteIAMGroup(iamGroupId); - } - - @Override - public List listIAMGroups(long accountId) { - return _iamSrv.listIAMGroups(accountId); - } - - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Adding accounts to acl group") - public IAMGroup addAccountsToGroup(final List acctIds, final Long groupId) { - return _iamSrv.addAccountsToGroup(acctIds, groupId); - } - - - private void removeAccountFromIAMGroups(long accountId) { - List groups = listIAMGroups(accountId); - List accts = new ArrayList(); - accts.add(accountId); - if (groups != null) { - for (IAMGroup grp : groups) { - removeAccountsFromGroup(accts, grp.getId()); - } - } - } - - private void addAccountToIAMGroup(long accountId, long groupId) { - List accts = new ArrayList(); - accts.add(accountId); - addAccountsToGroup(accts, groupId); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Removing accounts from acl group") - public IAMGroup removeAccountsFromGroup(final List acctIds, final Long groupId) { - return _iamSrv.removeAccountsFromGroup(acctIds, groupId); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_CREATE, eventDescription = "Creating IAM Policy", create = true) - public IAMPolicy createIAMPolicy(Account caller, final String iamPolicyName, final String description, final Long parentPolicyId) { - Long domainId = caller.getDomainId(); - Domain callerDomain = _domainDao.findById(domainId); - if (callerDomain == null) { - throw new InvalidParameterValueException("Caller does not have a domain"); - } - return _iamSrv.createIAMPolicy(iamPolicyName, description, parentPolicyId, callerDomain.getPath()); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_DELETE, eventDescription = "Deleting IAM Policy") - public boolean deleteIAMPolicy(final long iamPolicyId) { - return _iamSrv.deleteIAMPolicy(iamPolicyId); - } - - - @Override - public List listIAMPolicies(long accountId) { - return _iamSrv.listIAMPolicies(accountId); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Attaching policy to acl group") - public IAMGroup attachIAMPoliciesToGroup(final List policyIds, final Long groupId) { - return _iamSrv.attachIAMPoliciesToGroup(policyIds, groupId); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_GROUP_UPDATE, eventDescription = "Removing policies from acl group") - public IAMGroup removeIAMPoliciesFromGroup(final List policyIds, final Long groupId) { - return _iamSrv.removeIAMPoliciesFromGroup(policyIds, groupId); - } - - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE, eventDescription = "Attaching policy to accounts") - public void attachIAMPolicyToAccounts(final Long policyId, final List accountIds) { - _iamSrv.attachIAMPolicyToAccounts(policyId, accountIds); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_ACCOUNT_POLICY_UPDATE, eventDescription = "Removing policy from accounts") - public void removeIAMPolicyFromAccounts(final Long policyId, final List accountIds) { - _iamSrv.removeIAMPolicyFromAccounts(policyId, accountIds); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_GRANT, eventDescription = "Granting acl permission to IAM Policy") - public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, - Long scopeId, String action, Permission perm, Boolean recursive, Boolean readOnly) { - Class cmdClass = _apiServer.getCmdClass(action); - AccessType accessType = null; - if (BaseListCmd.class.isAssignableFrom(cmdClass)) { - if (readOnly) { - accessType = AccessType.ListEntry; - } else { - accessType = AccessType.UseEntry; - } - } else { - accessType = AccessType.OperateEntry; - } - String accessTypeStr = (accessType != null) ? accessType.toString() : null; - return _iamSrv.addIAMPermissionToIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action, - accessTypeStr, perm, recursive); - } - - @DB - @Override - @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_REVOKE, eventDescription = "Revoking acl permission from IAM Policy") - public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) { - return _iamSrv.removeIAMPermissionFromIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action); - } - - @Override - public IAMPolicyPermission getIAMPolicyPermission(long accountId, String entityType, String action) { - List policies = _iamSrv.listIAMPolicies(accountId); - IAMPolicyPermission curPerm = null; - for (IAMPolicy policy : policies) { - List perms = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action, - entityType); - if (perms == null || perms.size() == 0) - continue; - IAMPolicyPermission perm = perms.get(0); // just pick one - if (curPerm == null) { - curPerm = perm; - } else if (PermissionScope.valueOf(perm.getScope()).greaterThan(PermissionScope.valueOf(curPerm.getScope()))) { - // pick the more relaxed allowed permission - curPerm = perm; - } - } - - return curPerm; - } - - - @Override - public IAMPolicyResponse createIAMPolicyResponse(IAMPolicy policy) { - IAMPolicyResponse response = new IAMPolicyResponse(); - response.setId(policy.getUuid()); - response.setName(policy.getName()); - response.setDescription(policy.getDescription()); - String domainPath = policy.getPath(); - if (domainPath != null) { - DomainVO domain = _domainDao.findDomainByPath(domainPath); - if (domain != null) { - response.setDomainId(domain.getUuid()); - response.setDomainName(domain.getName()); - } - } - long accountId = policy.getAccountId(); - AccountVO owner = _accountDao.findById(accountId); - if (owner != null) { - response.setAccountName(owner.getAccountName()); - } - // find permissions associated with this policy - List permissions = _iamSrv.listPolicyPermissions(policy.getId()); - if (permissions != null && permissions.size() > 0) { - for (IAMPolicyPermission permission : permissions) { - IAMPermissionResponse perm = new IAMPermissionResponse(); - perm.setAction(permission.getAction()); - if (permission.getEntityType() != null) { - perm.setEntityType(permission.getEntityType()); - } - if (permission.getScope() != null) { - perm.setScope(PermissionScope.valueOf(permission.getScope())); - } - perm.setScopeId(permission.getScopeId()); - perm.setPermission(permission.getPermission()); - response.addPermission(perm); - } - } - response.setObjectName("aclpolicy"); - return response; - } - - @Override - public IAMGroupResponse createIAMGroupResponse(IAMGroup group) { - IAMGroupResponse response = new IAMGroupResponse(); - response.setId(group.getUuid()); - response.setName(group.getName()); - response.setDescription(group.getDescription()); - String domainPath = group.getPath(); - if (domainPath != null) { - DomainVO domain = _domainDao.findDomainByPath(domainPath); - if (domain != null) { - response.setDomainId(domain.getUuid()); - response.setDomainName(domain.getName()); - } - } - long accountId = group.getAccountId(); - AccountVO owner = _accountDao.findById(accountId); - if (owner != null) { - response.setAccountName(owner.getAccountName()); - } - // find all the members in this group - List members = _iamSrv.listAccountsByGroup(group.getId()); - if (members != null && members.size() > 0) { - for (Long member : members) { - AccountVO mem = _accountDao.findById(member); - if (mem != null) { - response.addMemberAccount(mem.getAccountName()); - } - } - } - - // find all the policies attached to this group - List policies = _iamSrv.listIAMPoliciesByGroup(group.getId()); - if (policies != null && policies.size() > 0) { - for (IAMPolicy policy : policies) { - response.addPolicy(policy.getName()); - } - } - - response.setObjectName("aclgroup"); - return response; - - } - - public List listDomainGroup(Domain domain) { - - if (domain != null) { - String domainPath = domain.getPath(); - // search for groups - Pair, Integer> result = _iamSrv.listIAMGroups(null, "DomainGrp-" + domain.getUuid(), - domainPath, null, null); - return result.first(); - } - return new ArrayList(); - - } - - @Override - public ListResponse listIAMGroups(Long iamGroupId, String iamGroupName, Long domainId, Long startIndex, Long pageSize) { - // acl check - Account caller = CallContext.current().getCallingAccount(); - - Domain domain = null; - if (domainId != null) { - domain = _domainDao.findById(domainId); - if (domain == null) { - throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist"); - } - - _accountMgr.checkAccess(caller, domain); - } else { - domain = _domainDao.findById(caller.getDomainId()); - } - String domainPath = domain.getPath(); - // search for groups - Pair, Integer> result = _iamSrv.listIAMGroups(iamGroupId, iamGroupName, domainPath, startIndex, pageSize); - // generate group response - ListResponse response = new ListResponse(); - List groupResponses = new ArrayList(); - for (IAMGroup group : result.first()) { - IAMGroupResponse resp = createIAMGroupResponse(group); - groupResponses.add(resp); - } - response.setResponses(groupResponses, result.second()); - return response; - } - - @Override - public ListResponse listIAMPolicies(Long iamPolicyId, String iamPolicyName, Long domainId, Long startIndex, - Long pageSize) { - // acl check - Account caller = CallContext.current().getCallingAccount(); - - Domain domain = null; - if (domainId != null) { - domain = _domainDao.findById(domainId); - if (domain == null) { - throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist"); - } - - _accountMgr.checkAccess(caller, domain); - } else { - domain = _domainDao.findById(caller.getDomainId()); - } - String domainPath = domain.getPath(); - // search for policies - Pair, Integer> result = _iamSrv.listIAMPolicies(iamPolicyId, iamPolicyName, domainPath, startIndex, pageSize); - // generate policy response - ListResponse response = new ListResponse(); - List policyResponses = new ArrayList(); - for (IAMPolicy policy : result.first()) { - IAMPolicyResponse resp = createIAMPolicyResponse(policy); - policyResponses.add(resp); - } - response.setResponses(policyResponses, result.second()); - return response; - } - - @Override - public void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds) { - // check if there is already a policy with only this permission added to it - IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action); - if (policy == null) { - // not found, just create a policy with resource grant permission - Account caller = CallContext.current().getCallingAccount(); - String aclPolicyName = "policyGrant" + entityType + entityId; - String description = "Policy to grant permission to " + entityType + entityId; - policy = createIAMPolicy(caller, aclPolicyName, description, null); - // add permission to this policy - addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action, - Permission.Allow, false, false); - } - // attach this policy to list of accounts if not attached already - Long policyId = policy.getId(); - for (Long acctId : accountIds) { - if (!isPolicyAttachedToAccount(policyId, acctId)) { - attachIAMPolicyToAccounts(policyId, Collections.singletonList(acctId)); - } - } - } - - @Override - public void revokeEntityPermissioinFromAccounts(String entityType, Long entityId, AccessType accessType, String action, List accountIds) { - // there should already a policy with only this permission added to it, this call is mainly used - IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action); - if (policy == null) { - s_logger.warn("Cannot find a policy associated with this entity permissioin to be revoked, just return"); - return; - } - // detach this policy from list of accounts if not detached already - Long policyId = policy.getId(); - for (Long acctId : accountIds) { - if (isPolicyAttachedToAccount(policyId, acctId)) { - removeIAMPolicyFromAccounts(policyId, Collections.singletonList(acctId)); - } - } - - } - - private boolean isPolicyAttachedToAccount(Long policyId, Long accountId) { - List pList = listIAMPolicies(accountId); - for (IAMPolicy p : pList) { - if (p.getId() == policyId.longValue()) { - return true; - } - } - return false; - } - - private void resetTemplatePermission(Long templateId){ - // reset template will change template to private, so we need to remove its permission for domain admin and normal user group - _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), - PermissionScope.RESOURCE.toString(), templateId, "listTemplates"); - _iamSrv.removeIAMPermissionFromIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(), - PermissionScope.RESOURCE.toString(), templateId, "listTemplates"); - // check if there is a policy with only UseEntry permission for this template added - IAMPolicy policy = _iamSrv.getResourceGrantPolicy(VirtualMachineTemplate.class.getSimpleName(), templateId, AccessType.UseEntry.toString(), "listTemplates"); - if ( policy == null ){ - s_logger.info("No policy found for this template grant: " + templateId + ", no detach to be done"); - return; - } - // delete the policy, which should detach it from groups and accounts - _iamSrv.deleteIAMPolicy(policy.getId()); - - } - - @Override - public Long getPermissionScopeId(String scope, String entityType, String scopeId) { - if (scopeId.equals("-1")) { - return -1L; - } - PermissionScope permScope = PermissionScope.valueOf(scope); - InternalIdentity entity = null; - switch (permScope) { - case DOMAIN: - entity = _domainDao.findByUuid(scopeId); - break; - case ACCOUNT: - entity = _accountDao.findByUuid(scopeId); - break; - case RESOURCE: - Class clazz = s_typeMap.get(entityType); - entity = (InternalIdentity)_entityMgr.findByUuid(clazz, scopeId); - } - - if (entity != null) { - return entity.getId(); - } - throw new InvalidParameterValueException("Unable to find scopeId " + scopeId + " with scope " + scope + " and type " + entityType); - } - - @Override - public List> getCommands() { - List> cmdList = new ArrayList>(); - cmdList.add(CreateIAMPolicyCmd.class); - cmdList.add(DeleteIAMPolicyCmd.class); - cmdList.add(ListIAMPoliciesCmd.class); - cmdList.add(AddIAMPermissionToIAMPolicyCmd.class); - cmdList.add(RemoveIAMPermissionFromIAMPolicyCmd.class); - cmdList.add(AttachIAMPolicyToIAMGroupCmd.class); - cmdList.add(RemoveIAMPolicyFromIAMGroupCmd.class); - cmdList.add(CreateIAMGroupCmd.class); - cmdList.add(DeleteIAMGroupCmd.class); - cmdList.add(ListIAMGroupsCmd.class); - cmdList.add(AddAccountToIAMGroupCmd.class); - cmdList.add(RemoveAccountFromIAMGroupCmd.class); - cmdList.add(AttachIAMPolicyToAccountCmd.class); - cmdList.add(RemoveIAMPolicyFromAccountCmd.class); - return cmdList; - } -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java deleted file mode 100644 index 3072b77a5cd..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java +++ /dev/null @@ -1,287 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam; - -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import javax.inject.Inject; -import javax.naming.ConfigurationException; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.acl.APIChecker; -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.acl.RoleType; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.api.APICommand; -import org.apache.cloudstack.api.BaseCmd; -import org.apache.cloudstack.api.BaseListCmd; -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.api.IAMPolicyPermission; -import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; -import org.apache.cloudstack.iam.api.IAMService; - -import com.cloud.api.ApiServerService; -import com.cloud.exception.PermissionDeniedException; -import com.cloud.storage.VMTemplateVO; -import com.cloud.storage.dao.VMTemplateDao; -import com.cloud.template.VirtualMachineTemplate; -import com.cloud.user.Account; -import com.cloud.user.AccountService; -import com.cloud.user.User; -import com.cloud.utils.PropertiesUtil; -import com.cloud.utils.component.AdapterBase; -import com.cloud.utils.component.PluggableService; -import com.cloud.utils.exception.CloudRuntimeException; - -//This is the Role Based API access checker that grab's the account's roles -//based on the set of roles, access is granted if any of the role has access to the api -public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker { - - protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class); - - @Inject - AccountService _accountService; - @Inject - ApiServerService _apiServer; - @Inject - IAMService _iamSrv; - @Inject - VMTemplateDao _templateDao; - - Set commandsPropertiesOverrides = new HashSet(); - Map> commandsPropertiesRoleBasedApisMap = new HashMap>(); - - List _services; - - protected RoleBasedAPIAccessChecker() { - super(); - for (RoleType roleType : RoleType.values()) { - commandsPropertiesRoleBasedApisMap.put(roleType, new HashSet()); - } - } - - @Override - public boolean checkAccess(User user, String commandName) throws PermissionDeniedException { - Account account = _accountService.getAccount(user.getAccountId()); - if (account == null) { - throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() - + "is null"); - } - - List policies = _iamSrv.listIAMPolicies(account.getAccountId()); - - boolean isAllowed = _iamSrv.isActionAllowedForPolicies(commandName, policies); - if (!isAllowed) { - throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName); - } - return isAllowed; - } - - @Override - public boolean configure(String name, Map params) throws ConfigurationException { - super.configure(name, params); - - processMapping(PropertiesUtil.processConfigFile(new String[] { "commands.properties" })); - return true; - } - - @Override - public boolean start() { - - // drop all default policy api permissions - we reload them every time - // to include any changes done to the @APICommand or - // commands.properties. - - for (RoleType role : RoleType.values()) { - Long policyId = getDefaultPolicyId(role); - if (policyId != null) { - _iamSrv.resetIAMPolicy(policyId); - } - } - - // add the system-domain capability - - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), null, null, null, - "SystemCapability", null, Permission.Allow, false); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), null, null, null, - "DomainCapability", null, Permission.Allow, false); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1), null, null, null, - "DomainResourceCapability", null, Permission.Allow, false); - - // add permissions for public templates - List pTmplts = _templateDao.listByPublic(); - for (VMTemplateVO tmpl : pTmplts){ - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), - PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(), - PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(), - PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false); - } - - for (PluggableService service : _services) { - for (Class cmdClass : service.getCommands()) { - APICommand command = cmdClass.getAnnotation(APICommand.class); - if (!commandsPropertiesOverrides.contains(command.name())) { - for (RoleType role : command.authorized()) { - addDefaultAclPolicyPermission(command.name(), cmdClass, role); - } - } - } - } - - // read commands.properties and load api acl permissions - - // commands.properties overrides any @APICommand authorization - - for (String apiName : commandsPropertiesOverrides) { - Class cmdClass = _apiServer.getCmdClass(apiName); - for (RoleType role : RoleType.values()) { - if (commandsPropertiesRoleBasedApisMap.get(role).contains(apiName)) { - // insert permission for this role for this api - addDefaultAclPolicyPermission(apiName, cmdClass, role); - } - } - } - - return super.start(); - } - - private Long getDefaultPolicyId(RoleType role) { - Long policyId = null; - switch (role) { - case User: - policyId = new Long(Account.ACCOUNT_TYPE_NORMAL + 1); - break; - - case Admin: - policyId = new Long(Account.ACCOUNT_TYPE_ADMIN + 1); - break; - - case DomainAdmin: - policyId = new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1); - break; - - case ResourceAdmin: - policyId = new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1); - break; - } - - return policyId; - } - - private void processMapping(Map configMap) { - for (Map.Entry entry : configMap.entrySet()) { - String apiName = entry.getKey(); - String roleMask = entry.getValue(); - commandsPropertiesOverrides.add(apiName); - try { - short cmdPermissions = Short.parseShort(roleMask); - for (RoleType roleType : RoleType.values()) { - if ((cmdPermissions & roleType.getMask()) != 0) - commandsPropertiesRoleBasedApisMap.get(roleType).add(apiName); - } - } catch (NumberFormatException nfe) { - s_logger.info("Malformed key=value pair for entry: " + entry.toString()); - } - } - } - - public List getServices() { - return _services; - } - - @Inject - public void setServices(List services) { - _services = services; - } - - private void addDefaultAclPolicyPermission(String apiName, Class cmdClass, RoleType role) { - AccessType accessType = null; - Class[] entityTypes = null; - - PermissionScope permissionScope = PermissionScope.ACCOUNT; - Long policyId = getDefaultPolicyId(role); - switch (role) { - case User: - permissionScope = PermissionScope.ACCOUNT; - break; - - case Admin: - permissionScope = PermissionScope.ALL; - break; - - case DomainAdmin: - permissionScope = PermissionScope.DOMAIN; - break; - - case ResourceAdmin: - permissionScope = PermissionScope.DOMAIN; - break; - } - - boolean addAccountScopedUseEntry = false; - - if (cmdClass != null) { - BaseCmd cmdObj; - try { - cmdObj = (BaseCmd) cmdClass.newInstance(); - if (cmdObj instanceof BaseListCmd) { - if (permissionScope == PermissionScope.ACCOUNT) { - accessType = AccessType.UseEntry; - } else { - accessType = AccessType.ListEntry; - addAccountScopedUseEntry = true; - } - } else { - accessType = AccessType.OperateEntry; - } - } catch (Exception e) { - throw new CloudRuntimeException(String.format( - "%s is claimed as an API command, but it cannot be instantiated", cmdClass.getName())); - } - - APICommand at = cmdClass.getAnnotation(APICommand.class); - entityTypes = at.entityType(); - } - - if (entityTypes == null || entityTypes.length == 0) { - _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, permissionScope.toString(), new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), - apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false); - if (addAccountScopedUseEntry) { - _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, PermissionScope.ACCOUNT.toString(), new Long( - IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, AccessType.UseEntry.toString(), Permission.Allow, false); - } - } else { - for (Class entityType : entityTypes) { - _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(), permissionScope.toString(), new Long( - IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), - apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow, false); - if (addAccountScopedUseEntry) { - _iamSrv.addIAMPermissionToIAMPolicy(policyId, entityType.getSimpleName(), PermissionScope.ACCOUNT.toString(), new Long( - IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, AccessType.UseEntry.toString(), Permission.Allow, false); - } - } - } - - } - -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java deleted file mode 100644 index ce9d9755aef..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java +++ /dev/null @@ -1,329 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam; - -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.acl.ControlledEntity; -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.acl.SecurityChecker; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.api.InternalIdentity; -import org.apache.cloudstack.iam.api.IAMGroup; -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.api.IAMPolicyPermission; -import org.apache.cloudstack.iam.api.IAMService; - -import com.cloud.acl.DomainChecker; -import com.cloud.domain.dao.DomainDao; -import com.cloud.exception.InvalidParameterValueException; -import com.cloud.exception.PermissionDeniedException; -import com.cloud.user.Account; -import com.cloud.user.AccountService; - -public class RoleBasedEntityAccessChecker extends DomainChecker implements SecurityChecker { - - private static final Logger s_logger = Logger.getLogger(RoleBasedEntityAccessChecker.class.getName()); - - @Inject - AccountService _accountService; - - @Inject DomainDao _domainDao; - - @Inject - IAMService _iamSrv; - - - @Override - public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) - throws PermissionDeniedException { - return checkAccess(caller, entity, accessType, null); - } - - private String buildAccessCacheKey(Account caller, ControlledEntity entity, AccessType accessType, String action) { - StringBuffer key = new StringBuffer(); - key.append(caller.getAccountId()); - key.append("-"); - String entityType = null; - if (entity != null && entity.getEntityType() != null) { - entityType = entity.getEntityType().getSimpleName(); - if (entity instanceof InternalIdentity) { - entityType += ((InternalIdentity)entity).getId(); - } - } - key.append(entityType != null ? entityType : "null"); - key.append("-"); - key.append(accessType != null ? accessType.toString() : "null"); - key.append("-"); - key.append(action != null ? action : "null"); - return key.toString(); - } - - @Override - public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) - throws PermissionDeniedException { - - if (caller == null) { - throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!"); - } - - if (entity == null && action == null) { - throw new InvalidParameterValueException("Entity and action cannot be both NULL in checkAccess!"); - } - - // check IAM cache first - String accessKey = buildAccessCacheKey(caller, entity, accessType, action); - CheckAccessResult allowDeny = (CheckAccessResult)_iamSrv.getFromIAMCache(accessKey); - if (allowDeny != null) { - s_logger.debug("IAM access check for " + accessKey + " from cache: " + allowDeny.isAllow()); - if (allowDeny.isAllow()) { - return true; - } else { - if (allowDeny.getDenyMsg() != null) { - throw new PermissionDeniedException(allowDeny.getDenyMsg()); - } else { - return false; - } - } - } - - if (entity == null && action != null) { - // check if caller can do this action - List policies = _iamSrv.listIAMPolicies(caller.getAccountId()); - - boolean isAllowed = _iamSrv.isActionAllowedForPolicies(action, policies); - if (!isAllowed) { - String msg = "The action '" + action + "' not allowed for account " + caller; - _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg)); - throw new PermissionDeniedException(msg); - } - _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true)); - return true; - } - - - // if a Project entity, skip - Account entityAccount = _accountService.getAccount(entity.getAccountId()); - if (entityAccount != null && entityAccount.getType() == Account.ACCOUNT_TYPE_PROJECT) { - _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false)); - return false; - } - - String entityType = null; - if (entity.getEntityType() != null) { - entityType = entity.getEntityType().getSimpleName(); - } - - if (accessType == null) { - accessType = AccessType.UseEntry; - } - - // get all Policies of this caller by considering recursive domain group policy - List policies = getEffectivePolicies(caller); - HashMap policyPermissionMap = new HashMap(); - - for (IAMPolicy policy : policies) { - List permissions = new ArrayList(); - - if (action != null) { - permissions = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action, entityType); - if (permissions.isEmpty()) { - if (accessType != null) { - for (AccessType type : AccessType.values()) { - if (type.ordinal() >= accessType.ordinal()) { - permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(), - type.toString(), entityType)); - } - } - } - } - } else { - if (accessType != null) { - for (AccessType type : AccessType.values()) { - if (type.ordinal() >= accessType.ordinal()) { - permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(), - type.toString(), entityType)); - } - } - } - } - for (IAMPolicyPermission permission : permissions) { - if (checkPermissionScope(caller, permission.getScope(), permission.getScopeId(), entity)) { - if (permission.getEntityType().equals(entityType)) { - policyPermissionMap.put(policy, permission.getPermission().isGranted()); - break; - } else if (permission.getEntityType().equals("*")) { - policyPermissionMap.put(policy, permission.getPermission().isGranted()); - } - } - } - if (policyPermissionMap.containsKey(policy) && policyPermissionMap.get(policy)) { - _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true)); - return true; - } - } - - if (!policies.isEmpty()) { // Since we reach this point, none of the - // roles granted access - - String msg = "Account " + caller + " does not have permission to access resource " + entity - + " for access type: " + accessType; - if (s_logger.isDebugEnabled()) { - s_logger.debug(msg); - } - _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg)); - throw new PermissionDeniedException(msg); - } - - _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false)); - return false; - } - - @Override - public boolean checkAccess(Account caller, AccessType accessType, String action, ControlledEntity... entities) - throws PermissionDeniedException { - - // operate access on multiple entities? - if (accessType != null && accessType == AccessType.OperateEntry) { - // In this case caller MUST own n-1 entities. - - for (ControlledEntity entity : entities) { - checkAccess(caller, entity, accessType, action); - - boolean otherEntitiesAccess = true; - - for (ControlledEntity otherEntity : entities) { - if (otherEntity.getAccountId() == caller.getAccountId() - || (checkAccess(caller, otherEntity, accessType, action) && otherEntity.getAccountId() == entity - .getAccountId())) { - continue; - } else { - otherEntitiesAccess = false; - break; - } - } - - if (otherEntitiesAccess) { - return true; - } - } - - throw new PermissionDeniedException(caller - + " does not have permission to perform this operation on these resources"); - - } else { - for (ControlledEntity entity : entities) { - if (!checkAccess(caller, entity, accessType, action)) { - return false; - } - } - return true; - } - } - - private boolean checkPermissionScope(Account caller, String scope, Long scopeId, ControlledEntity entity) { - - if(scopeId != null && !scopeId.equals(new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))){ - //scopeId is set - if (scope.equals(PermissionScope.ACCOUNT.name())) { - if(scopeId == entity.getAccountId()){ - return true; - } - } else if (scope.equals(PermissionScope.DOMAIN.name())) { - if (_domainDao.isChildDomain(scopeId, entity.getDomainId())) { - return true; - } - } else if (scope.equals(PermissionScope.RESOURCE.name())) { - if (entity instanceof InternalIdentity) { - InternalIdentity entityWithId = (InternalIdentity) entity; - if(scopeId.equals(entityWithId.getId())){ - return true; - } - } - } - } else if (scopeId == null || scopeId.equals(new Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER))) { - if (scope.equals(PermissionScope.ACCOUNT.name())) { - if(caller.getAccountId() == entity.getAccountId()){ - return true; - } - } else if (scope.equals(PermissionScope.DOMAIN.name())) { - if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) { - return true; - } - } - } - return false; - } - - private List getEffectivePolicies(Account caller) { - - List policies = _iamSrv.listIAMPolicies(caller.getId()); - - List groups = _iamSrv.listIAMGroups(caller.getId()); - for (IAMGroup group : groups) { - // for each group find the grand parent groups. - List parentGroups = _iamSrv.listParentIAMGroups(group.getId()); - for (IAMGroup parentGroup : parentGroups) { - policies.addAll(_iamSrv.listRecursiveIAMPoliciesByGroup(parentGroup.getId())); - } - } - - return policies; - } - - private class CheckAccessResult { - boolean allow; - String denyMsg; - - public CheckAccessResult(boolean aw) { - this(aw, null); - } - - public CheckAccessResult(String msg) { - this(false, msg); - } - - public CheckAccessResult(boolean aw, String msg) { - allow = aw; - denyMsg = msg; - } - - public boolean isAllow() { - return allow; - } - - public void setAllow(boolean aw) { - allow = aw; - } - - - public String getDenyMsg() { - return denyMsg; - } - - public void setDenyMsg(String denyMsg) { - this.denyMsg = denyMsg; - } - - } -} diff --git a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java deleted file mode 100644 index a9be17a1cd4..00000000000 --- a/services/iam/plugin/src/main/java/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java +++ /dev/null @@ -1,188 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam; - -import java.util.ArrayList; -import java.util.List; - -import javax.inject.Inject; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.acl.QuerySelector; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.iam.api.IAMGroup; -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.api.IAMPolicyPermission; -import org.apache.cloudstack.iam.api.IAMService; - -import com.cloud.domain.DomainVO; -import com.cloud.domain.dao.DomainDao; -import com.cloud.user.Account; -import com.cloud.utils.component.AdapterBase; - -public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector { - - private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName()); - - @Inject - IAMService _iamService; - @Inject - DomainDao _domainDao; - - @Override - public List getAuthorizedDomains(Account caller, String action, AccessType accessType) { - long accountId = caller.getAccountId(); - if (accessType == null) { - accessType = AccessType.UseEntry; // default always show resources authorized to use - } - // Get the static Policies of the Caller - List policies = _iamService.listIAMPolicies(accountId); - // for each policy, find granted permission with Domain scope - List domainIds = new ArrayList(); - for (IAMPolicy policy : policies) { - List pp = new ArrayList(); - pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, - PermissionScope.DOMAIN.toString(), accessType.toString())); - - if (pp != null) { - for (IAMPolicyPermission p : pp) { - if (p.getScopeId() != null) { - Long domainId = null; - if (p.getScopeId().longValue() == -1) { - domainId = caller.getDomainId(); - //domainIds.add(caller.getDomainId()); - } else { - domainId = p.getScopeId(); - //domainIds.add(p.getScopeId()); - } - //domainIds.add(domainId); - // add all the domain children from this domain (including this domain itself). Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that - // the whole domain tree is granted access. - DomainVO domain = _domainDao.findById(domainId); - List childDomains = _domainDao.getDomainChildrenIds(domain.getPath()); - if (childDomains != null && childDomains.size() > 0) { - domainIds.addAll(childDomains); - } - - } - } - } - } - return domainIds; - } - - @Override - public List getAuthorizedAccounts(Account caller, String action, AccessType accessType) { - long accountId = caller.getAccountId(); - if (accessType == null) { - accessType = AccessType.UseEntry; // default always show resources authorized to use - } - // Get the static Policies of the Caller - List policies = _iamService.listIAMPolicies(accountId); - // for each policy, find granted permission with Account scope - List accountIds = new ArrayList(); - for (IAMPolicy policy : policies) { - List pp = new ArrayList(); - pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, - PermissionScope.ACCOUNT.toString(), accessType.toString())); - - if (pp != null) { - for (IAMPolicyPermission p : pp) { - if (p.getScopeId() != null) { - if (p.getScopeId().longValue() == -1) { - accountIds.add(caller.getId()); - } else { - accountIds.add(p.getScopeId()); - } - } - } - } - } - return accountIds; - } - - @Override - public List getAuthorizedResources(Account caller, String action, AccessType accessType) { - long accountId = caller.getAccountId(); - if (accessType == null) { - accessType = AccessType.UseEntry; // default always show resources authorized to use - } - // Get the static Policies of the Caller - List policies = _iamService.listIAMPolicies(accountId); - - // add the policies that grant recursive access - List groups = _iamService.listIAMGroups(caller.getId()); - for (IAMGroup group : groups) { - // for each group find the grand parent groups. - List parentGroups = _iamService.listParentIAMGroups(group.getId()); - for (IAMGroup parentGroup : parentGroups) { - policies.addAll(_iamService.listRecursiveIAMPoliciesByGroup(parentGroup.getId())); - } - } - - // for each policy, find granted permission with Resource scope - List entityIds = new ArrayList(); - for (IAMPolicy policy : policies) { - List pp = new ArrayList(); - pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, - PermissionScope.RESOURCE.toString(), accessType.toString())); - - if (pp != null) { - for (IAMPolicyPermission p : pp) { - if (p.getScopeId() != null) { - entityIds.add(p.getScopeId()); - } - } - } - } - return entityIds; - } - - @Override - public boolean isGrantedAll(Account caller, String action, AccessType accessType) { - long accountId = caller.getAccountId(); - if (accessType == null) { - accessType = AccessType.UseEntry; // default always show resources authorized to use - } - // Get the static Policies of the Caller - List policies = _iamService.listIAMPolicies(accountId); - // for each policy, find granted permission with ALL scope - for (IAMPolicy policy : policies) { - List pp = new ArrayList(); - pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ALL.toString(), - accessType.toString())); - if (pp != null && pp.size() > 0) { - return true; - } - } - return false; - } - - @Override - public List listAclGroupsByAccount(long accountId) { - List groups = _iamService.listIAMGroups(accountId); - List groupNames = new ArrayList(); - for (IAMGroup grp : groups) { - groupNames.add(grp.getName()); - } - return groupNames; - } - -} - diff --git a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties b/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties deleted file mode 100644 index c87480d47b5..00000000000 --- a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/module.properties +++ /dev/null @@ -1,18 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -name=iam-access-checkers -parent=api \ No newline at end of file diff --git a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml b/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml deleted file mode 100644 index 87e8c941814..00000000000 --- a/services/iam/plugin/src/main/resources/META-INF/cloudstack/iam-access-checkers/spring-iam-access-checkers-context.xml +++ /dev/null @@ -1,35 +0,0 @@ - - - - - - - - - diff --git a/services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java b/services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java deleted file mode 100644 index 84e1e56255c..00000000000 --- a/services/iam/plugin/src/test/java/org/apache/cloudstack/iam/test/IAMApiServiceTest.java +++ /dev/null @@ -1,385 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.test; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertTrue; -import static org.mockito.Mockito.doNothing; -import static org.mockito.Mockito.when; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.List; -import java.util.Set; -import java.util.UUID; - -import javax.inject.Inject; -import javax.naming.ConfigurationException; - -import org.junit.After; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.mockito.Mockito; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.ComponentScan; -import org.springframework.context.annotation.ComponentScan.Filter; -import org.springframework.context.annotation.Configuration; -import org.springframework.context.annotation.FilterType; -import org.springframework.core.type.classreading.MetadataReader; -import org.springframework.core.type.classreading.MetadataReaderFactory; -import org.springframework.core.type.filter.TypeFilter; -import org.springframework.test.context.ContextConfiguration; -import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; -import org.springframework.test.context.support.AnnotationConfigContextLoader; - -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.api.command.user.vm.ListVMsCmd; -import org.apache.cloudstack.api.response.ListResponse; -import org.apache.cloudstack.api.response.iam.IAMGroupResponse; -import org.apache.cloudstack.api.response.iam.IAMPermissionResponse; -import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; -import org.apache.cloudstack.context.CallContext; -import org.apache.cloudstack.framework.messagebus.MessageBus; -import org.apache.cloudstack.iam.IAMApiService; -import org.apache.cloudstack.iam.IAMApiServiceImpl; -import org.apache.cloudstack.iam.api.IAMGroup; -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.api.IAMPolicyPermission; -import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; -import org.apache.cloudstack.iam.api.IAMService; -import org.apache.cloudstack.iam.server.IAMGroupVO; -import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO; -import org.apache.cloudstack.iam.server.IAMPolicyVO; -import org.apache.cloudstack.test.utils.SpringUtils; - -import com.cloud.api.ApiServerService; -import com.cloud.domain.DomainVO; -import com.cloud.domain.dao.DomainDao; -import com.cloud.network.dao.NetworkDomainDao; -import com.cloud.user.Account; -import com.cloud.user.AccountManager; -import com.cloud.user.AccountVO; -import com.cloud.user.UserVO; -import com.cloud.user.dao.AccountDao; -import com.cloud.utils.Pair; -import com.cloud.utils.component.ComponentContext; -import com.cloud.utils.db.EntityManager; -import com.cloud.vm.VirtualMachine; - -@RunWith(SpringJUnit4ClassRunner.class) -@ContextConfiguration(loader = AnnotationConfigContextLoader.class) -public class IAMApiServiceTest { - - @Inject - IAMService _iamSrv; - - @Inject - DomainDao _domainDao; - - @Inject - IAMApiService _aclSrv; - - @Inject - AccountManager _accountMgr; - - @Inject - AccountDao _accountDao; - - @Inject - ApiServerService _apiServer; - - private static Account caller; - private static Long callerId; - private static String callerAccountName = "tester"; - private static Long callerDomainId = 3L; - private static String callerDomainPath = "/root/testdomain"; - private static DomainVO callerDomain; - - @BeforeClass - public static void setUpClass() throws ConfigurationException { - } - - @Before - public void setUp() { - ComponentContext.initComponentsLifeCycle(); - caller = new AccountVO(callerAccountName, callerDomainId, null, Account.ACCOUNT_TYPE_ADMIN, UUID.randomUUID().toString()); - callerId = caller.getId(); - callerDomain = new DomainVO(); - callerDomain.setPath(callerDomainPath); - UserVO user = new UserVO(1, "testuser", "password", "firstname", "lastName", "email", "timezone", UUID.randomUUID().toString()); - CallContext.register(user, caller); - - when(_domainDao.findById(callerDomainId)).thenReturn(callerDomain); - doNothing().when(_accountMgr).checkAccess(caller, callerDomain); - } - - @Test - public void createIAMGroupTest() { - IAMGroup group = new IAMGroupVO("group1", "tester group1"); - List groups = new ArrayList(); - groups.add(group); - Pair, Integer> grpList = new Pair, Integer>(groups, 1); - when(_iamSrv.createIAMGroup("group1", "tester group1", callerDomainPath)).thenReturn(group); - when(_iamSrv.listIAMGroups(null, null, callerDomainPath, 0L, 20L)).thenReturn(grpList); - - IAMGroup createdGrp = _aclSrv.createIAMGroup(caller, "group1", "tester group1"); - assertNotNull("IAM group 'group1' failed to create ", createdGrp); - ListResponse grpResp = _aclSrv.listIAMGroups(null, null, callerDomainId, 0L, 20L); - assertTrue("No. of response items should be one", grpResp.getCount() == 1); - IAMGroupResponse resp = grpResp.getResponses().get(0); - assertEquals("Error in created group name", "group1", resp.getName()); - } - - @Test - public void deleteIAMGroupTest() { - when(_iamSrv.deleteIAMGroup(1L)).thenReturn(true); - assertTrue("failed to delete acl group 1", _aclSrv.deleteIAMGroup(1L)); - } - - @Test - public void listIAMGroupTest() { - IAMGroup group = new IAMGroupVO("group1", "tester group1"); - List groups = new ArrayList(); - groups.add(group); - when(_iamSrv.listIAMGroups(callerId)).thenReturn(groups); - List grps = _aclSrv.listIAMGroups(callerId); - assertTrue(grps != null && grps.size() == 1); - IAMGroup grp = grps.get(0); - assertEquals("Error to retrieve group", "group1", grp.getName()); - } - - @Test - public void addRemoveAccountToGroupTest() { - IAMGroup group = new IAMGroupVO("group1", "tester group1"); - List groups = new ArrayList(); - groups.add(group); - Long groupId = group.getId(); - List acctIds = new ArrayList(); - AccountVO acct1 = new AccountVO(100L); - acct1.setAccountName("account1"); - AccountVO acct2 = new AccountVO(200L); - acct2.setAccountName("account2"); - acctIds.add(acct1.getId()); - acctIds.add(acct2.getId()); - when(_accountDao.findById(acct1.getId())).thenReturn(acct1); - when(_accountDao.findById(acct2.getId())).thenReturn(acct2); - when(_iamSrv.addAccountsToGroup(acctIds, groupId)).thenReturn(group); - when(_iamSrv.listAccountsByGroup(groupId)).thenReturn(acctIds); - Pair, Integer> grpList = new Pair, Integer>(groups, 1); - when(_iamSrv.listIAMGroups(null, "group1", callerDomainPath, 0L, 20L)).thenReturn(grpList); - _aclSrv.addAccountsToGroup(acctIds, groupId); - ListResponse grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L); - assertTrue("No. of response items should be one", grpResp.getCount() == 1); - IAMGroupResponse resp = grpResp.getResponses().get(0); - Set acctNames = resp.getAccountNameList(); - assertEquals("There should be 2 accounts in the group", 2, acctNames.size()); - assertTrue("account1 should be assigned to the group", acctNames.contains("account1")); - assertTrue("account2 should be assigned to the group", acctNames.contains("account2")); - // remove "account2" from group1 - acctIds.remove(1); - List rmAccts = new ArrayList(); - rmAccts.add(acct2.getId()); - when(_iamSrv.removeAccountsFromGroup(rmAccts, groupId)).thenReturn(group); - _aclSrv.removeAccountsFromGroup(acctIds, groupId); - grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L); - assertTrue("No. of response items should be one", grpResp.getCount() == 1); - resp = grpResp.getResponses().get(0); - acctNames = resp.getAccountNameList(); - assertEquals("There should be 1 accounts in the group", 1, acctNames.size()); - assertFalse("account2 should not belong to the group anymore", acctNames.contains("account2")); - } - - @Test - public void createIAMPolicyTest() { - IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1"); - List policies = new ArrayList(); - policies.add(policy); - Pair, Integer> policyList = new Pair, Integer>(policies, 1); - when(_iamSrv.createIAMPolicy("policy1", "tester policy1", null, callerDomainPath)).thenReturn(policy); - when(_iamSrv.listIAMPolicies(null, null, callerDomainPath, 0L, 20L)).thenReturn(policyList); - - IAMPolicy createdPolicy = _aclSrv.createIAMPolicy(caller, "policy1", "tester policy1", null); - assertNotNull("IAM policy 'policy1' failed to create ", createdPolicy); - ListResponse policyResp = _aclSrv.listIAMPolicies(null, null, callerDomainId, 0L, 20L); - assertTrue("No. of response items should be one", policyResp.getCount() == 1); - IAMPolicyResponse resp = policyResp.getResponses().get(0); - assertEquals("Error in created group name", "policy1", resp.getName()); - } - - @Test - public void deleteIAMPolicyTest() { - when(_iamSrv.deleteIAMPolicy(1L)).thenReturn(true); - assertTrue("failed to delete acl policy 1", _aclSrv.deleteIAMPolicy(1L)); - } - - @Test - public void listIAMPolicyTest() { - IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1"); - List policies = new ArrayList(); - policies.add(policy); - when(_iamSrv.listIAMPolicies(callerId)).thenReturn(policies); - List polys = _aclSrv.listIAMPolicies(callerId); - assertTrue(polys != null && polys.size() == 1); - IAMPolicy p = polys.get(0); - assertEquals("Error to retrieve group", "policy1", p.getName()); - } - - @Test - public void addRemovePolicyToGroupTest() { - IAMGroup group = new IAMGroupVO("group1", "tester group1"); - List groups = new ArrayList(); - groups.add(group); - Long groupId = group.getId(); - List policyIds = new ArrayList(); - policyIds.add(100L); - policyIds.add(200L); - IAMPolicy policy1 = new IAMPolicyVO("policy1", "my first policy"); - IAMPolicy policy2 = new IAMPolicyVO("policy2", "my second policy"); - List policies = new ArrayList(); - policies.add(policy1); - policies.add(policy2); - when(_iamSrv.attachIAMPoliciesToGroup(policyIds, groupId)).thenReturn(group); - when(_iamSrv.listIAMPoliciesByGroup(groupId)).thenReturn(policies); - Pair, Integer> grpList = new Pair, Integer>(groups, 1); - when(_iamSrv.listIAMGroups(null, "group1", callerDomainPath, 0L, 20L)).thenReturn(grpList); - _aclSrv.attachIAMPoliciesToGroup(policyIds, groupId); - ListResponse grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L); - assertTrue("No. of response items should be one", grpResp.getCount() == 1); - IAMGroupResponse resp = grpResp.getResponses().get(0); - Set policyNames = resp.getPolicyList(); - assertEquals("There should be 2 policies in the group", 2, policyNames.size()); - assertTrue("policy1 should be assigned to the group", policyNames.contains("policy1")); - assertTrue("policy2 should be assigned to the group", policyNames.contains("policy2")); - // remove "policy2" from group1 - policyIds.remove(1); - policies.remove(policy2); - when(_iamSrv.removeIAMPoliciesFromGroup(policyIds, groupId)).thenReturn(group); - _aclSrv.removeIAMPoliciesFromGroup(policyIds, groupId); - grpResp = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L); - assertTrue("No. of response items should be one", grpResp.getCount() == 1); - resp = grpResp.getResponses().get(0); - policyNames = resp.getPolicyList(); - assertEquals("There should be 1 policy attached to the group", 1, policyNames.size()); - assertFalse("policy2 should not belong to the group anymore", policyNames.contains("policy2")); - } - - @Test - public void addRemovePermissionToPolicyTest() { - IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1"); - List policies = new ArrayList(); - policies.add(policy); - Long policyId = policy.getId(); - Long resId = 200L; - Class clz = ListVMsCmd.class; - when(_apiServer.getCmdClass("listVirtualMachines")).thenReturn(clz); - when( - _iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), - PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines", - AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy); - _aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), - PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false, false); - Pair, Integer> policyList = new Pair, Integer>(policies, 1); - List policyPerms = new ArrayList(); - IAMPolicyPermission perm = new IAMPolicyPermissionVO(policyId, "listVirtualMachines", - VirtualMachine.class.getSimpleName(), AccessType.UseEntry.toString(), - PermissionScope.RESOURCE.toString(), - resId, Permission.Allow, false); - policyPerms.add(perm); - when(_iamSrv.listIAMPolicies(null, "policy1", callerDomainPath, 0L, 20L)).thenReturn(policyList); - when(_iamSrv.listPolicyPermissions(policyId)).thenReturn(policyPerms); - ListResponse policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L); - assertTrue("No. of response items should be one", policyResp.getCount() == 1); - IAMPolicyResponse resp = policyResp.getResponses().get(0); - Set permList = resp.getPermissionList(); - assertTrue("Permission list should not be empty", permList != null && permList.size() > 0); - IAMPermissionResponse permResp = permList.iterator().next(); - assertEquals("There should be one permission for listVirtualMachines", "listVirtualMachines", permResp.getAction()); - - //remove permission from policy - policyPerms.remove(perm); - _aclSrv.removeIAMPermissionFromIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), - PermissionScope.RESOURCE, resId, "listVirtualMachines"); - policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L); - assertTrue("No. of response items should be one", policyResp.getCount() == 1); - resp = policyResp.getResponses().get(0); - permList = resp.getPermissionList(); - assertTrue("Permission list should be empty", permList != null && permList.size() == 0); - } - - @After - public void tearDown() { - } - - @Configuration - @ComponentScan(basePackageClasses = {IAMApiServiceImpl.class}, includeFilters = {@Filter(value = TestConfiguration.Library.class, type = FilterType.CUSTOM)}, useDefaultFilters = false) - public static class TestConfiguration extends SpringUtils.CloudStackTestConfiguration { - - @Bean - public DomainDao domainDao() { - return Mockito.mock(DomainDao.class); - } - - @Bean - public IAMService iamService() { - return Mockito.mock(IAMService.class); - } - - @Bean - public AccountDao accountDao() { - return Mockito.mock(AccountDao.class); - } - - @Bean - public NetworkDomainDao networkDomainDao() { - return Mockito.mock(NetworkDomainDao.class); - } - - @Bean - public AccountManager accountManager() { - return Mockito.mock(AccountManager.class); - } - - @Bean - public MessageBus messageBus() { - return Mockito.mock(MessageBus.class); - } - - @Bean - public EntityManager entityMgr() { - return Mockito.mock(EntityManager.class); - } - - @Bean - public ApiServerService apiServerService() { - return Mockito.mock(ApiServerService.class); - } - - public static class Library implements TypeFilter { - - @Override - public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException { - ComponentScan cs = TestConfiguration.class.getAnnotation(ComponentScan.class); - return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs); - } - } - } -} diff --git a/services/iam/plugin/src/test/resources/db.properties b/services/iam/plugin/src/test/resources/db.properties deleted file mode 100644 index fc2fb33669c..00000000000 --- a/services/iam/plugin/src/test/resources/db.properties +++ /dev/null @@ -1,73 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - - -# management server clustering parameters, change cluster.node.IP to the machine IP address -# in which the management server is running -cluster.node.IP=127.0.0.1 -cluster.servlet.port=9090 -region.id=1 - -# CloudStack database settings -db.cloud.username=cloud -db.cloud.password=cloud -db.root.password= -db.cloud.host=localhost -db.cloud.driver=jdbc:mysql -db.cloud.port=3306 -db.cloud.name=cloud - -# CloudStack database tuning parameters -db.cloud.maxActive=250 -db.cloud.maxIdle=30 -db.cloud.maxWait=10000 -db.cloud.autoReconnect=true -db.cloud.validationQuery=SELECT 1 -db.cloud.testOnBorrow=true -db.cloud.testWhileIdle=true -db.cloud.timeBetweenEvictionRunsMillis=40000 -db.cloud.minEvictableIdleTimeMillis=240000 -db.cloud.poolPreparedStatements=false -db.cloud.url.params=prepStmtCacheSize=517&cachePrepStmts=true&prepStmtCacheSqlLimit=4096 - -# usage database settings -db.usage.username=cloud -db.usage.password=cloud -db.usage.host=localhost -# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work -db.usage.driver=jdbc:mysql -db.usage.port=3306 -db.usage.name=cloud_usage - -# usage database tuning parameters -db.usage.maxActive=100 -db.usage.maxIdle=30 -db.usage.maxWait=10000 -db.usage.autoReconnect=true - -# Simulator database settings -db.simulator.username=cloud -db.simulator.password=cloud -db.simulator.host=localhost -# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work -db.simulator.driver=jdbc:mysql -db.simulator.port=3306 -db.simulator.name=simulator -db.simulator.maxActive=250 -db.simulator.maxIdle=30 -db.simulator.maxWait=10000 -db.simulator.autoReconnect=true diff --git a/services/iam/pom.xml b/services/iam/pom.xml deleted file mode 100644 index 2d0baedce1c..00000000000 --- a/services/iam/pom.xml +++ /dev/null @@ -1,59 +0,0 @@ - - - 4.0.0 - cloudstack-service-iam - Apache CloudStack IAM Service - pom - - org.apache.cloudstack - cloudstack-services - 4.7.0-SNAPSHOT - ../pom.xml - - - install - - - plugin - server - - - diff --git a/services/iam/server/pom.xml b/services/iam/server/pom.xml deleted file mode 100644 index 15840a8c31b..00000000000 --- a/services/iam/server/pom.xml +++ /dev/null @@ -1,57 +0,0 @@ - - - 4.0.0 - cloud-iam - Apache CloudStack IAM - Server - - org.apache.cloudstack - cloudstack-service-iam - 4.12.0.0-SNAPSHOT - ../pom.xml - - - - commons-io - commons-io - - - net.sf.ehcache - ehcache-core - - - org.apache.cloudstack - cloud-utils - ${project.version} - - - org.apache.cloudstack - cloud-api - ${project.version} - - - org.apache.cloudstack - cloud-api - ${project.version} - test-jar - test - - - diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java deleted file mode 100644 index 868d0a0d449..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMGroup.java +++ /dev/null @@ -1,37 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.api; - -import org.apache.cloudstack.api.Identity; -import org.apache.cloudstack.api.InternalIdentity; - -public interface IAMGroup extends InternalIdentity, Identity { - - String getName(); - - String getDescription(); - - @Override - long getId(); - - @Override - String getUuid(); - - String getPath(); - - long getAccountId(); -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java deleted file mode 100644 index e6daeb11c68..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicy.java +++ /dev/null @@ -1,41 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.api; - -import org.apache.cloudstack.api.Identity; -import org.apache.cloudstack.api.InternalIdentity; - -public interface IAMPolicy extends InternalIdentity, Identity { - - String getName(); - - String getDescription(); - - public enum PolicyType { - Static, Dynamic - } - - @Override - long getId(); - - @Override - String getUuid(); - - String getPath(); - - long getAccountId(); -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java deleted file mode 100644 index b91086fc869..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMPolicyPermission.java +++ /dev/null @@ -1,53 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.api; - - -public interface IAMPolicyPermission { - - String getAction(); - - long getAclPolicyId(); - - String getEntityType(); - - String getAccessType(); - - String getScope(); - - Long getScopeId(); - - Permission getPermission(); - - public enum Permission { - Allow(true), Deny(false); - - boolean result; - - Permission(boolean result) { - this.result = result; - } - - public boolean isGranted() { - return result; - } - } - - long getId(); - - public static final long PERMISSION_SCOPE_ID_CURRENT_CALLER = -1; -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java deleted file mode 100644 index 3a470ee677f..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/api/IAMService.java +++ /dev/null @@ -1,99 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.api; - -import java.util.List; - -import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; - -import com.cloud.utils.Pair; - -public interface IAMService { - - /* IAM group related interfaces */ - IAMGroup createIAMGroup(String iamGroupName, String description, String path); - - boolean deleteIAMGroup(Long iamGroupId); - - List listIAMGroups(long accountId); - - IAMGroup addAccountsToGroup(List acctIds, Long groupId); - - IAMGroup removeAccountsFromGroup(List acctIds, Long groupId); - - List listAccountsByGroup(long groupId); - - Pair, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize); - - /* IAM Policy related interfaces */ - IAMPolicy createIAMPolicy(String iamPolicyName, String description, Long parentPolicyId, String path); - - boolean deleteIAMPolicy(long iamPolicyId); - - List listIAMPolicies(long accountId); - - List listIAMPoliciesByGroup(long groupId); - - Pair, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize); - - IAMGroup attachIAMPoliciesToGroup(List policyIds, Long groupId); - - IAMGroup removeIAMPoliciesFromGroup(List policyIds, Long groupId); - - void attachIAMPolicyToAccounts(Long policyId, List acctIds); - - void removeIAMPolicyFromAccounts(Long policyId, List acctIds); - - IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId, - String action, String accessType, Permission perm, Boolean recursive); - - IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId, - String action); - - void removeIAMPermissionForEntity(final String entityType, final Long entityId); - - IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action); - - IAMPolicy getResourceOwnerPolicy(); - - List listPolicyPermissions(long policyId); - - List listPolicyPermissionsByScope(long policyId, String action, String scope, String accessType); - - List listPolicyPermissionByActionAndEntity(long policyId, String action, String entityType); - - boolean isActionAllowedForPolicies(String action, List policies); - - List getGrantedEntities(long accountId, String action, String scope); - - IAMPolicy resetIAMPolicy(long iamPolicyId); - - List listPolicyPermissionByAccessAndEntity(long policyId, String accessType, - String entityType); - - List listParentIAMGroups(long groupId); - - List listRecursiveIAMPoliciesByGroup(long groupId); - - /* Interface used for cache IAM checkAccess result */ - void addToIAMCache(Object accessKey, Object allowDeny); - - Object getFromIAMCache(Object accessKey); - - void invalidateIAMCache(); - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java deleted file mode 100644 index 18f085a28fd..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMAccountPolicyMapVO.java +++ /dev/null @@ -1,77 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server; - -import java.util.Date; - -import javax.persistence.Column; -import javax.persistence.Entity; -import javax.persistence.GeneratedValue; -import javax.persistence.GenerationType; -import javax.persistence.Id; -import javax.persistence.Table; - -import com.cloud.utils.db.GenericDao; - -@Entity -@Table(name = ("iam_account_policy_map")) -public class IAMAccountPolicyMapVO { - @Id - @GeneratedValue(strategy = GenerationType.IDENTITY) - @Column(name = "id") - private Long id; - - @Column(name = "account_id") - private long accountId; - - @Column(name = "policy_id") - private long iamPolicyId; - - @Column(name = GenericDao.REMOVED_COLUMN) - private Date removed; - - @Column(name = GenericDao.CREATED_COLUMN) - private Date created; - - public IAMAccountPolicyMapVO() { - } - - public IAMAccountPolicyMapVO(long accountId, long iamPolicyId) { - this.accountId = accountId; - this.iamPolicyId = iamPolicyId; - } - - public long getId() { - return id; - } - - public long getAccountId() { - return accountId; - } - - public long getIamPolicyId() { - return iamPolicyId; - } - - public Date getRemoved() { - return removed; - } - - public Date getCreated() { - return created; - } -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java deleted file mode 100644 index dac7d35ef67..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupAccountMapVO.java +++ /dev/null @@ -1,78 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server; - -import java.util.Date; - -import javax.persistence.Column; -import javax.persistence.Entity; -import javax.persistence.GeneratedValue; -import javax.persistence.GenerationType; -import javax.persistence.Id; -import javax.persistence.Table; - -import com.cloud.utils.db.GenericDao; - -@Entity -@Table(name = ("iam_group_account_map")) -public class IAMGroupAccountMapVO { - @Id - @GeneratedValue(strategy = GenerationType.IDENTITY) - @Column(name = "id") - private Long id; - - @Column(name = "group_id") - private long aclGroupId; - - @Column(name = "account_id") - private long accountId; - - @Column(name = GenericDao.REMOVED_COLUMN) - private Date removed; - - @Column(name = GenericDao.CREATED_COLUMN) - private Date created; - - public IAMGroupAccountMapVO() { - } - - public IAMGroupAccountMapVO(long aclGroupId, long accountId) { - this.aclGroupId = aclGroupId; - this.accountId = accountId; - } - - public long getId() { - return id; - } - - public long getAclGroupId() { - return aclGroupId; - } - - - public long getAccountId() { - return accountId; - } - - public Date getRemoved() { - return removed; - } - - public Date getCreated() { - return created; - } -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java deleted file mode 100644 index 946d1f796a2..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupPolicyMapVO.java +++ /dev/null @@ -1,79 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server; - -import java.util.Date; - -import javax.persistence.Column; -import javax.persistence.Entity; -import javax.persistence.GeneratedValue; -import javax.persistence.GenerationType; -import javax.persistence.Id; -import javax.persistence.Table; - - -import com.cloud.utils.db.GenericDao; - -@Entity -@Table(name = ("iam_group_policy_map")) -public class IAMGroupPolicyMapVO { - @Id - @GeneratedValue(strategy = GenerationType.IDENTITY) - @Column(name = "id") - private Long id; - - @Column(name = "group_id") - private long aclGroupId; - - @Column(name = "policy_id") - private long aclPolicyId; - - @Column(name = GenericDao.REMOVED_COLUMN) - private Date removed; - - @Column(name = GenericDao.CREATED_COLUMN) - private Date created; - - public IAMGroupPolicyMapVO() { - } - - public IAMGroupPolicyMapVO(long aclGroupId, long aclPolicyId) { - this.aclGroupId = aclGroupId; - this.aclPolicyId = aclPolicyId; - } - - public long getId() { - return id; - } - - public long getAclGroupId() { - return aclGroupId; - } - - - public long getAclPolicyId() { - return aclPolicyId; - } - - public Date getRemoved() { - return removed; - } - - public Date getCreated() { - return created; - } -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java deleted file mode 100644 index 80edb8977a7..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMGroupVO.java +++ /dev/null @@ -1,122 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server; - -import java.util.Date; -import java.util.UUID; - -import javax.persistence.Column; -import javax.persistence.Entity; -import javax.persistence.GeneratedValue; -import javax.persistence.GenerationType; -import javax.persistence.Id; -import javax.persistence.Table; - -import org.apache.cloudstack.iam.api.IAMGroup; - -import com.cloud.utils.db.GenericDao; - -@Entity -@Table(name = ("iam_group")) -public class IAMGroupVO implements IAMGroup { - @Id - @GeneratedValue(strategy = GenerationType.IDENTITY) - @Column(name = "id") - private long id; - - @Column(name = "name") - private String name; - - @Column(name = "description") - private String description; - - @Column(name = "uuid") - private String uuid; - - @Column(name = "path") - private String path; - - @Column(name = "account_id") - private long accountId; - - @Column(name = GenericDao.REMOVED_COLUMN) - private Date removed; - - @Column(name = GenericDao.CREATED_COLUMN) - private Date created; - - public IAMGroupVO() { - uuid = UUID.randomUUID().toString(); - } - - public IAMGroupVO(String name, String description) { - this.name = name; - this.description = description; - uuid = UUID.randomUUID().toString(); - path = "/"; - } - - @Override - public long getId() { - return id; - } - - @Override - public String getName() { - return name; - } - - @Override - public String getDescription() { - return description; - } - - @Override - public String getPath() { - return path; - } - - public void setPath(String path) { - this.path = path; - } - - @Override - public long getAccountId() { - return accountId; - } - - public void setAccountId(long acctId) { - accountId = acctId; - } - - @Override - public String getUuid() { - return uuid; - } - - public void setUuid(String uuid) { - this.uuid = uuid; - } - - public Date getRemoved() { - return removed; - } - - public Date getCreated() { - return created; - } -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java deleted file mode 100644 index 13d6b814e53..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyPermissionVO.java +++ /dev/null @@ -1,181 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server; - -import java.util.Date; - -import javax.persistence.Column; -import javax.persistence.Entity; -import javax.persistence.EnumType; -import javax.persistence.Enumerated; -import javax.persistence.GeneratedValue; -import javax.persistence.GenerationType; -import javax.persistence.Id; -import javax.persistence.Table; - -import org.apache.cloudstack.iam.api.IAMPolicyPermission; -import com.cloud.utils.db.GenericDao; - -@Entity -@Table(name = ("iam_policy_permission")) -public class IAMPolicyPermissionVO implements IAMPolicyPermission { - - @Id - @GeneratedValue(strategy = GenerationType.IDENTITY) - @Column(name = "id") - private long id; - - @Column(name = "policy_id") - private long aclPolicyId; - - @Column(name = "action") - private String action; - - @Column(name = "resource_type") - private String entityType; - - @Column(name = "access_type") - private String accessType; - - @Column(name = "scope") - private String scope; - - @Column(name = "scope_id") - private Long scopeId; - - @Column(name = "permission") - @Enumerated(value = EnumType.STRING) - private Permission permission; - - @Column(name = "recursive") - private Boolean recursive; - - @Column(name = GenericDao.REMOVED_COLUMN) - private Date removed; - - @Column(name = GenericDao.CREATED_COLUMN) - private Date created; - - public IAMPolicyPermissionVO() { - - } - - public IAMPolicyPermissionVO(long aclPolicyId, String action, String entityType, String accessType, String scope, - Long scopeId, Permission permission, Boolean recursive) { - this.aclPolicyId = aclPolicyId; - this.action = action; - this.entityType = entityType; - this.accessType = accessType; - this.scope = scope; - this.scopeId = scopeId; - this.permission = permission; - this.recursive = recursive; - } - - @Override - public long getId() { - return id; - } - - @Override - public long getAclPolicyId() { - return aclPolicyId; - } - - - public void setAclPolicyId(long aclPolicyId) { - this.aclPolicyId = aclPolicyId; - } - - @Override - public String getEntityType() { - return entityType; - } - - @Override - public String getAccessType() { - return accessType; - } - - - public void setEntityType(String entityType) { - this.entityType = entityType; - } - - public void setAccessType(String accessType) { - this.accessType = accessType; - } - - @Override - public String getScope() { - return scope; - } - - public void setScope(String scope) { - this.scope = scope; - } - - - @Override - public String getAction() { - return action; - } - - @Override - public Long getScopeId() { - // TODO - // handle special -1 scopeId, current caller domain, account - /* - * if ( scopeId < 0 ){ Account caller = - * CallContext.current().getCallingAccount(); if ( scope == - * PermissionScope.DOMAIN){ return caller.getDomainId(); } else if - * (scope == PermissionScope.ACCOUNT) { return caller.getAccountId(); } - * } - */ - return scopeId; - } - - @Override - public Permission getPermission() { - return permission; - } - - public void setAction(String action) { - this.action = action; - } - - public void setScopeId(Long scopeId) { - this.scopeId = scopeId; - } - - public void setPermission(Permission permission) { - this.permission = permission; - } - - public Date getRemoved() { - return removed; - } - - public Date getCreated() { - return created; - } - - public Boolean isRecursive() { - return recursive; - } - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java deleted file mode 100644 index 25ebd011f39..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMPolicyVO.java +++ /dev/null @@ -1,138 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server; - -import java.util.Date; -import java.util.UUID; - -import javax.persistence.Column; -import javax.persistence.Entity; -import javax.persistence.EnumType; -import javax.persistence.Enumerated; -import javax.persistence.GeneratedValue; -import javax.persistence.GenerationType; -import javax.persistence.Id; -import javax.persistence.Table; - -import org.apache.cloudstack.iam.api.IAMPolicy; - -import com.cloud.utils.db.GenericDao; - -@Entity -@Table(name = ("iam_policy")) -public class IAMPolicyVO implements IAMPolicy { - @Id - @GeneratedValue(strategy = GenerationType.IDENTITY) - @Column(name = "id") - private long id; - - @Column(name = "name") - private String name; - - @Column(name = "description") - private String description; - - @Column(name = "uuid") - private String uuid; - - @Column(name = "path") - private String path; - - @Column(name = "account_id") - private long accountId; - - @Column(name = GenericDao.REMOVED_COLUMN) - private Date removed; - - @Column(name = GenericDao.CREATED_COLUMN) - private Date created; - - @Column(name = "policy_type") - @Enumerated(value = EnumType.STRING) - private IAMPolicy.PolicyType policyType; - - public IAMPolicyVO() { - uuid = UUID.randomUUID().toString(); - } - - public IAMPolicyVO(String name, String description) { - this.name = name; - this.description = description; - uuid = UUID.randomUUID().toString(); - policyType = IAMPolicy.PolicyType.Static; - } - - @Override - public long getId() { - return id; - } - - @Override - public String getName() { - return name; - } - - @Override - public String getDescription() { - return description; - } - - - @Override - public String getUuid() { - return uuid; - } - - public void setUuid(String uuid) { - this.uuid = uuid; - } - - public Date getRemoved() { - return removed; - } - - public Date getCreated() { - return created; - } - - @Override - public String getPath() { - return path; - } - - public void setPath(String path) { - this.path = path; - } - - @Override - public long getAccountId() { - return accountId; - } - - public void setAccountId(long accountId) { - this.accountId = accountId; - } - - public IAMPolicy.PolicyType getPolicyType() { - return policyType; - } - - public void setPolicyType(IAMPolicy.PolicyType policyType) { - this.policyType = policyType; - } - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java deleted file mode 100644 index 4ae694b50ff..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/IAMServiceImpl.java +++ /dev/null @@ -1,904 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server; - -import java.util.ArrayList; -import java.util.List; -import java.util.Map; - -import javax.inject.Inject; -import javax.naming.ConfigurationException; - -import net.sf.ehcache.Cache; -import net.sf.ehcache.CacheManager; -import net.sf.ehcache.Element; - -import org.apache.log4j.Logger; - -import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.iam.api.IAMGroup; -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.api.IAMPolicyPermission; -import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; -import org.apache.cloudstack.iam.api.IAMService; -import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao; -import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao; -import org.apache.cloudstack.iam.server.dao.IAMGroupDao; -import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao; -import org.apache.cloudstack.iam.server.dao.IAMPolicyDao; -import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao; - -import com.cloud.exception.InvalidParameterValueException; -import com.cloud.utils.NumbersUtil; -import com.cloud.utils.Pair; -import com.cloud.utils.component.Manager; -import com.cloud.utils.component.ManagerBase; -import com.cloud.utils.db.DB; -import com.cloud.utils.db.EntityManager; -import com.cloud.utils.db.Filter; -import com.cloud.utils.db.GenericSearchBuilder; -import com.cloud.utils.db.JoinBuilder; -import com.cloud.utils.db.JoinBuilder.JoinType; -import com.cloud.utils.db.SearchBuilder; -import com.cloud.utils.db.SearchCriteria; -import com.cloud.utils.db.SearchCriteria.Op; -import com.cloud.utils.db.Transaction; -import com.cloud.utils.db.TransactionCallback; -import com.cloud.utils.db.TransactionCallbackNoReturn; -import com.cloud.utils.db.TransactionStatus; - -public class IAMServiceImpl extends ManagerBase implements IAMService, Manager { - - public static final Logger s_logger = Logger.getLogger(IAMServiceImpl.class); - private String _name; - - @Inject - IAMPolicyDao _aclPolicyDao; - - @Inject - IAMGroupDao _aclGroupDao; - - @Inject - EntityManager _entityMgr; - - @Inject - IAMGroupPolicyMapDao _aclGroupPolicyMapDao; - - @Inject - IAMAccountPolicyMapDao _aclAccountPolicyMapDao; - - @Inject - IAMGroupAccountMapDao _aclGroupAccountMapDao; - - @Inject - IAMPolicyPermissionDao _policyPermissionDao; - - private Cache _iamCache; - - private void createIAMCache(final Map params) { - final String value = (String)params.get("cache.size"); - - if (value != null) { - final CacheManager cm = CacheManager.create(); - final int maxElements = NumbersUtil.parseInt(value, 0); - final int live = NumbersUtil.parseInt((String)params.get("cache.time.to.live"), 300); - final int idle = NumbersUtil.parseInt((String)params.get("cache.time.to.idle"), 300); - _iamCache = new Cache(getName(), maxElements, false, live == -1, live == -1 ? Integer.MAX_VALUE : live, idle); - cm.addCache(_iamCache); - s_logger.info("IAM Cache created: " + _iamCache.toString()); - } else { - _iamCache = null; - } - } - - @Override - public void addToIAMCache(Object accessKey, Object allowDeny) { - if (_iamCache != null) { - try { - s_logger.debug("Put IAM access check for " + accessKey + " in cache"); - _iamCache.put(new Element(accessKey, allowDeny)); - } catch (final Exception e) { - s_logger.debug("Can't put " + accessKey + " to IAM cache", e); - } - } - } - - @Override - public void invalidateIAMCache() { - //This may need to use event bus to publish to other MS, but event bus now is missing this functionality to handle PublishScope.GLOBAL - if (_iamCache != null) { - s_logger.debug("Invalidate IAM cache"); - _iamCache.removeAll(); - } - } - - @Override - public Object getFromIAMCache(Object accessKey) { - if (_iamCache != null) { - final Element element = _iamCache.get(accessKey); - return element == null ? null : element.getObjectValue(); - } - return null; - } - - @Override - public boolean configure(final String name, final Map params) throws ConfigurationException { - boolean result = super.configure(name, params); - // create IAM cache - createIAMCache(params); - return result; - } - - @DB - @Override - public IAMGroup createIAMGroup(String iamGroupName, String description, String path) { - // check if the group is already existing - IAMGroup grp = _aclGroupDao.findByName(path, iamGroupName); - if (grp != null) { - throw new InvalidParameterValueException( - "Unable to create acl group with name " + iamGroupName - + " already exists for path " + path); - } - IAMGroupVO rvo = new IAMGroupVO(iamGroupName, description); - rvo.setPath(path); - - return _aclGroupDao.persist(rvo); - } - - @DB - @Override - public boolean deleteIAMGroup(final Long iamGroupId) { - // get the Acl Group entity - final IAMGroup grp = _aclGroupDao.findById(iamGroupId); - if (grp == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + iamGroupId - + "; failed to delete acl group."); - } - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // remove this group related entry in acl_group_policy_map - List groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId()); - if (groupPolicyMap != null) { - for (IAMGroupPolicyMapVO gr : groupPolicyMap) { - _aclGroupPolicyMapDao.remove(gr.getId()); - } - } - - // remove this group related entry in acl_group_account table - List groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId()); - if (groupAcctMap != null) { - for (IAMGroupAccountMapVO grpAcct : groupAcctMap) { - _aclGroupAccountMapDao.remove(grpAcct.getId()); - } - } - - // remove this group from acl_group table - _aclGroupDao.remove(iamGroupId); - } - }); - - invalidateIAMCache(); - return true; - } - - @SuppressWarnings("unchecked") - @Override - public List listIAMGroups(long accountId) { - - GenericSearchBuilder groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class); - groupSB.selectFields(groupSB.entity().getAclGroupId()); - groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ); - SearchCriteria groupSc = groupSB.create(); - groupSc.setParameters("account", accountId); - - List groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null); - - if (groupIds == null || groupIds.isEmpty()) { - return new ArrayList(); - } - SearchBuilder sb = _aclGroupDao.createSearchBuilder(); - sb.and("ids", sb.entity().getId(), Op.IN); - SearchCriteria sc = sb.create(); - sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()])); - @SuppressWarnings("rawtypes") - List groups = _aclGroupDao.search(sc, null); - return groups; - } - - @DB - @Override - public IAMGroup addAccountsToGroup(final List acctIds, final Long groupId) { - // get the Acl Group entity - IAMGroup group = _aclGroupDao.findById(groupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + groupId - + "; failed to add accounts to acl group."); - } - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // add entries in acl_group_account_map table - for (Long acctId : acctIds) { - // check account permissions - IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId); - if (grMap == null) { - // not there already - grMap = new IAMGroupAccountMapVO(groupId, acctId); - _aclGroupAccountMapDao.persist(grMap); - } - } - } - }); - - invalidateIAMCache(); - return group; - } - - @DB - @Override - public IAMGroup removeAccountsFromGroup(final List acctIds, final Long groupId) { - // get the Acl Group entity - IAMGroup group = _aclGroupDao.findById(groupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + groupId - + "; failed to remove accounts from acl group."); - } - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // remove entries from acl_group_account_map table - for (Long acctId : acctIds) { - IAMGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId); - if (grMap != null) { - // not removed yet - _aclGroupAccountMapDao.remove(grMap.getId()); - } - } - } - }); - - invalidateIAMCache(); - return group; - } - - @Override - public List listAccountsByGroup(long groupId) { - List grpAcctMap = _aclGroupAccountMapDao.listByGroupId(groupId); - if (grpAcctMap == null || grpAcctMap.size() == 0) { - return new ArrayList(); - } - - List accts = new ArrayList(); - for (IAMGroupAccountMapVO grpAcct : grpAcctMap) { - accts.add(grpAcct.getAccountId()); - } - return accts; - } - - @Override - public Pair, Integer> listIAMGroups(Long iamGroupId, String iamGroupName, String path, Long startIndex, Long pageSize) { - if (iamGroupId != null) { - IAMGroup group = _aclGroupDao.findById(iamGroupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group by id " + iamGroupId); - } - } - - Filter searchFilter = new Filter(IAMGroupVO.class, "id", true, startIndex, pageSize); - - SearchBuilder sb = _aclGroupDao.createSearchBuilder(); - sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ); - sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE); - sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); - - SearchCriteria sc = sb.create(); - - if (iamGroupName != null) { - sc.setParameters("name", iamGroupName); - } - - if (iamGroupId != null) { - sc.setParameters("id", iamGroupId); - } - - sc.setParameters("path", path + "%"); - - Pair, Integer> groups = _aclGroupDao.searchAndCount(sc, searchFilter); - return new Pair, Integer>(new ArrayList(groups.first()), groups.second()); - } - - @Override - public List listParentIAMGroups(long groupId) { - IAMGroup group = _aclGroupDao.findById(groupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group by id " + groupId); - } - - String path = group.getPath(); - List pathList = new ArrayList(); - - String[] parts = path.split("/"); - - for (String part : parts) { - int start = path.indexOf(part); - if (start > 0) { - String subPath = path.substring(0, start); - pathList.add(subPath); - } - } - - if (pathList.isEmpty()) { - return new ArrayList(); - } - - SearchBuilder sb = _aclGroupDao.createSearchBuilder(); - sb.and("paths", sb.entity().getPath(), SearchCriteria.Op.IN); - - SearchCriteria sc = sb.create(); - sc.setParameters("paths", pathList.toArray()); - - List groups = _aclGroupDao.search(sc, null); - - return new ArrayList(groups); - - } - - @DB - @Override - public IAMPolicy createIAMPolicy(final String iamPolicyName, final String description, final Long parentPolicyId, final String path) { - - // check if the policy is already existing - IAMPolicy ro = _aclPolicyDao.findByName(iamPolicyName); - if (ro != null) { - throw new InvalidParameterValueException( - "Unable to create acl policy with name " + iamPolicyName - + " already exists"); - } - - IAMPolicy role = Transaction.execute(new TransactionCallback() { - @Override - public IAMPolicy doInTransaction(TransactionStatus status) { - IAMPolicyVO rvo = new IAMPolicyVO(iamPolicyName, description); - rvo.setPath(path); - - IAMPolicy role = _aclPolicyDao.persist(rvo); - if (parentPolicyId != null) { - // copy parent role permissions - List perms = _policyPermissionDao.listByPolicy(parentPolicyId); - if (perms != null) { - for (IAMPolicyPermissionVO perm : perms) { - perm.setAclPolicyId(role.getId()); - _policyPermissionDao.persist(perm); - } - } - } - return role; - } - }); - - - return role; - } - - @DB - @Override - public boolean deleteIAMPolicy(final long iamPolicyId) { - // get the Acl Policy entity - final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId); - if (policy == null) { - throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId - + "; failed to delete acl policy."); - } - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // remove this policy related entry in acl_group_policy_map - List groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId()); - if (groupPolicyMap != null) { - for (IAMGroupPolicyMapVO gr : groupPolicyMap) { - _aclGroupPolicyMapDao.remove(gr.getId()); - } - } - - // remove this policy related entry in acl_account_policy_map table - List policyAcctMap = _aclAccountPolicyMapDao.listByPolicyId(policy.getId()); - if (policyAcctMap != null) { - for (IAMAccountPolicyMapVO policyAcct : policyAcctMap) { - _aclAccountPolicyMapDao.remove(policyAcct.getId()); - } - } - - // remove this policy related entry in acl_policy_permission table - List policyPermMap = _policyPermissionDao.listByPolicy(policy.getId()); - if (policyPermMap != null) { - for (IAMPolicyPermissionVO policyPerm : policyPermMap) { - _policyPermissionDao.remove(policyPerm.getId()); - } - } - - // remove this role from acl_role table - _aclPolicyDao.remove(iamPolicyId); - } - }); - - invalidateIAMCache(); - - return true; - } - - - @SuppressWarnings("unchecked") - @Override - public List listIAMPolicies(long accountId) { - - // static policies of the account - SearchBuilder groupSB = _aclGroupAccountMapDao.createSearchBuilder(); - groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ); - - GenericSearchBuilder policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class); - policySB.selectFields(policySB.entity().getAclPolicyId()); - policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(), - JoinType.INNER); - policySB.done(); - SearchCriteria policySc = policySB.create(); - policySc.setJoinParameters("accountgroupjoin", "account", accountId); - - List policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null); - // add policies directly attached to the account - List acctPolicies = _aclAccountPolicyMapDao.listByAccountId(accountId); - for (IAMAccountPolicyMapVO p : acctPolicies) { - policyIds.add(p.getIamPolicyId()); - } - if (policyIds.size() == 0) { - return new ArrayList(); - } - SearchBuilder sb = _aclPolicyDao.createSearchBuilder(); - sb.and("ids", sb.entity().getId(), Op.IN); - SearchCriteria sc = sb.create(); - sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()])); - @SuppressWarnings("rawtypes") - List policies = _aclPolicyDao.customSearch(sc, null); - - return policies; - - } - - @SuppressWarnings("unchecked") - @Override - public List listIAMPoliciesByGroup(long groupId) { - List policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId); - if (policyGrpMap == null || policyGrpMap.size() == 0) { - return new ArrayList(); - } - - List policyIds = new ArrayList(); - for (IAMGroupPolicyMapVO pg : policyGrpMap) { - policyIds.add(pg.getAclPolicyId()); - } - - SearchBuilder sb = _aclPolicyDao.createSearchBuilder(); - sb.and("ids", sb.entity().getId(), Op.IN); - SearchCriteria sc = sb.create(); - sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()])); - @SuppressWarnings("rawtypes") - List policies = _aclPolicyDao.customSearch(sc, null); - - return policies; - } - - @SuppressWarnings("unchecked") - @Override - public List listRecursiveIAMPoliciesByGroup(long groupId) { - List policyGrpMap = _aclGroupPolicyMapDao.listByGroupId(groupId); - if (policyGrpMap == null || policyGrpMap.size() == 0) { - return new ArrayList(); - } - - List policyIds = new ArrayList(); - for (IAMGroupPolicyMapVO pg : policyGrpMap) { - policyIds.add(pg.getAclPolicyId()); - } - - SearchBuilder permSb = _policyPermissionDao.createSearchBuilder(); - permSb.and("isRecursive", permSb.entity().isRecursive(), Op.EQ); - - SearchBuilder sb = _aclPolicyDao.createSearchBuilder(); - sb.and("ids", sb.entity().getId(), Op.IN); - sb.join("recursivePerm", permSb, sb.entity().getId(), permSb.entity().getAclPolicyId(), - JoinBuilder.JoinType.INNER); - - SearchCriteria sc = sb.create(); - sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()])); - sc.setJoinParameters("recursivePerm", "isRecursive", true); - - @SuppressWarnings("rawtypes") - List policies = _aclPolicyDao.customSearch(sc, null); - - return policies; - } - - - @SuppressWarnings("unchecked") - @Override - public Pair, Integer> listIAMPolicies(Long iamPolicyId, String iamPolicyName, String path, Long startIndex, Long pageSize) { - - if (iamPolicyId != null) { - IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId); - if (policy == null) { - throw new InvalidParameterValueException("Unable to find acl policy by id " + iamPolicyId); - } - } - - Filter searchFilter = new Filter(IAMPolicyVO.class, "id", true, startIndex, pageSize); - - SearchBuilder sb = _aclPolicyDao.createSearchBuilder(); - sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ); - sb.and("path", sb.entity().getPath(), SearchCriteria.Op.LIKE); - sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); - - SearchCriteria sc = sb.create(); - - if (iamPolicyName != null) { - sc.setParameters("name", iamPolicyName); - } - - if (iamPolicyId != null) { - sc.setParameters("id", iamPolicyId); - } - - sc.setParameters("path", path + "%"); - - Pair, Integer> policies = _aclPolicyDao.searchAndCount(sc, searchFilter); - @SuppressWarnings("rawtypes") - List policyList = policies.first(); - return new Pair, Integer>(policyList, policies.second()); - } - - @DB - @Override - public IAMGroup attachIAMPoliciesToGroup(final List policyIds, final Long groupId) { - // get the Acl Group entity - IAMGroup group = _aclGroupDao.findById(groupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + groupId - + "; failed to add roles to acl group."); - } - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // add entries in acl_group_policy_map table - for (Long policyId : policyIds) { - IAMPolicy policy = _aclPolicyDao.findById(policyId); - if (policy == null) { - throw new InvalidParameterValueException("Unable to find acl policy: " + policyId - + "; failed to add policies to acl group."); - } - - IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId); - if (grMap == null) { - // not there already - grMap = new IAMGroupPolicyMapVO(groupId, policyId); - _aclGroupPolicyMapDao.persist(grMap); - } - } - } - }); - - invalidateIAMCache(); - return group; - } - - @DB - @Override - public IAMGroup removeIAMPoliciesFromGroup(final List policyIds, final Long groupId) { - // get the Acl Group entity - IAMGroup group = _aclGroupDao.findById(groupId); - if (group == null) { - throw new InvalidParameterValueException("Unable to find acl group: " + groupId - + "; failed to remove roles from acl group."); - } - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // add entries in acl_group_role_map table - for (Long policyId : policyIds) { - IAMPolicy policy = _aclPolicyDao.findById(policyId); - if (policy == null) { - throw new InvalidParameterValueException("Unable to find acl policy: " + policyId - + "; failed to add policies to acl group."); - } - - IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId); - if (grMap != null) { - // not removed yet - _aclGroupPolicyMapDao.remove(grMap.getId()); - } - } - } - }); - - invalidateIAMCache(); - return group; - } - - - @Override - public void attachIAMPolicyToAccounts(final Long policyId, final List acctIds) { - IAMPolicy policy = _aclPolicyDao.findById(policyId); - if (policy == null) { - throw new InvalidParameterValueException("Unable to find acl policy: " + policyId - + "; failed to add policy to account."); - } - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // add entries in acl_group_policy_map table - for (Long acctId : acctIds) { - IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId); - if (acctMap == null) { - // not there already - acctMap = new IAMAccountPolicyMapVO(acctId, policyId); - _aclAccountPolicyMapDao.persist(acctMap); - } - } - } - }); - - invalidateIAMCache(); - } - - @Override - public void removeIAMPolicyFromAccounts(final Long policyId, final List acctIds) { - IAMPolicy policy = _aclPolicyDao.findById(policyId); - if (policy == null) { - throw new InvalidParameterValueException("Unable to find acl policy: " + policyId - + "; failed to add policy to account."); - } - - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // add entries in acl_group_policy_map table - for (Long acctId : acctIds) { - IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId); - if (acctMap != null) { - // exists - _aclAccountPolicyMapDao.remove(acctMap.getId()); - } - } - } - }); - - invalidateIAMCache(); - } - - @DB - @Override - public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId, - String action, String accessType, Permission perm, Boolean recursive) { - // get the Acl Policy entity - IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId); - if (policy == null) { - throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId - + "; failed to add permission to policy."); - } - - // add entry in acl_policy_permission table - IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope, - scopeId, action, perm, accessType); - if (permit == null) { - // not there already - permit = new IAMPolicyPermissionVO(iamPolicyId, action, entityType, accessType, scope, scopeId, perm, - recursive); - _policyPermissionDao.persist(permit); - } - - invalidateIAMCache(); - return policy; - - } - - @DB - @Override - public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId, - String action) { - // get the Acl Policy entity - IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId); - if (policy == null) { - throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId - + "; failed to revoke permission from policy."); - } - // remove entry from acl_entity_permission table - IAMPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope, - scopeId, action, Permission.Allow, null); - if (permit != null) { - // not removed yet - _policyPermissionDao.remove(permit.getId()); - } - - invalidateIAMCache(); - return policy; - } - - @DB - @Override - public void removeIAMPermissionForEntity(final String entityType, final Long entityId) { - Transaction.execute(new TransactionCallbackNoReturn() { - @Override - public void doInTransactionWithoutResult(TransactionStatus status) { - // remove entry from acl_entity_permission table - List permitList = _policyPermissionDao.listByEntity(entityType, entityId); - for (IAMPolicyPermissionVO permit : permitList) { - long policyId = permit.getAclPolicyId(); - _policyPermissionDao.remove(permit.getId()); - - // remove the policy if there are no other permissions - if ((_policyPermissionDao.listByPolicy(policyId)).isEmpty()) { - deleteIAMPolicy(policyId); - } - } - } - }); - - invalidateIAMCache(); - } - - @DB - @Override - public IAMPolicy resetIAMPolicy(long iamPolicyId) { - // get the Acl Policy entity - IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId); - if (policy == null) { - throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId - + "; failed to reset the policy."); - } - - SearchBuilder sb = _policyPermissionDao.createSearchBuilder(); - sb.and("policyId", sb.entity().getAclPolicyId(), SearchCriteria.Op.EQ); - sb.and("scope", sb.entity().getScope(), SearchCriteria.Op.EQ); - sb.done(); - SearchCriteria permissionSC = sb.create(); - permissionSC.setParameters("policyId", iamPolicyId); - _policyPermissionDao.expunge(permissionSC); - - invalidateIAMCache(); - return policy; - } - - @Override - public boolean isActionAllowedForPolicies(String action, List policies) { - - boolean allowed = false; - - if (policies == null || policies.size() == 0) { - return allowed; - } - - List policyIds = new ArrayList(); - for (IAMPolicy policy : policies) { - policyIds.add(policy.getId()); - } - - SearchBuilder sb = _policyPermissionDao.createSearchBuilder(); - sb.and("action", sb.entity().getAction(), Op.EQ); - sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN); - - SearchCriteria sc = sb.create(); - sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()])); - sc.setParameters("action", action); - - List permissions = _policyPermissionDao.customSearch(sc, null); - - if (permissions != null && !permissions.isEmpty()) { - allowed = true; - } - - return allowed; - } - - - @Override - public List getGrantedEntities(long accountId, String action, String scope) { - // Get the static Policies of the Caller - List policies = listIAMPolicies(accountId); - // for each policy, find granted permission within the given scope - List entityIds = new ArrayList(); - for (IAMPolicy policy : policies) { - List pp = _policyPermissionDao.listByPolicyActionAndScope(policy.getId(), action, - scope, null); - if (pp != null) { - for (IAMPolicyPermissionVO p : pp) { - if (p.getScopeId() != null) { - entityIds.add(p.getScopeId()); - } - } - } - } - return entityIds; - } - - @Override - @SuppressWarnings("unchecked") - public List listPolicyPermissions(long policyId) { - @SuppressWarnings("rawtypes") - List pp = _policyPermissionDao.listByPolicy(policyId); - return pp; - } - - @SuppressWarnings("unchecked") - @Override - public List listPolicyPermissionsByScope(long policyId, String action, String scope, - String accessType) { - @SuppressWarnings("rawtypes") - List pp = _policyPermissionDao.listByPolicyActionAndScope(policyId, action, scope, accessType); - return pp; - } - - @SuppressWarnings("unchecked") - @Override - public List listPolicyPermissionByActionAndEntity(long policyId, String action, - String entityType) { - @SuppressWarnings("rawtypes") - List pp = _policyPermissionDao.listByPolicyActionAndEntity(policyId, action, entityType); - return pp; - } - - @SuppressWarnings("unchecked") - @Override - public List listPolicyPermissionByAccessAndEntity(long policyId, String accessType, - String entityType) { - @SuppressWarnings("rawtypes") - List pp = _policyPermissionDao.listByPolicyAccessAndEntity(policyId, accessType, entityType); - return pp; - } - - @Override - public IAMPolicy getResourceOwnerPolicy() { - return _aclPolicyDao.findByName("RESOURCE_OWNER"); - } - - // search for policy with only one resource grant permission - @Override - public IAMPolicy getResourceGrantPolicy(String entityType, Long entityId, String accessType, String action) { - List policyList = _aclPolicyDao.listAll(); - for (IAMPolicyVO policy : policyList) { - List pp = listPolicyPermissions(policy.getId()); - if (pp != null && pp.size() == 1) { - // resource grant policy should only have one ACL permission assigned - IAMPolicyPermission permit = pp.get(0); - if (permit.getEntityType().equals(entityType) && permit.getScope().equals(PermissionScope.RESOURCE.toString()) - && permit.getScopeId().longValue() == entityId.longValue()) { - if (accessType != null && permit.getAccessType().equals(accessType)) { - return policy; - } else if (action != null && permit.getAction().equals(action)) { - return policy; - } - } - } - } - return null; - } - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java deleted file mode 100644 index 0162589e35b..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDao.java +++ /dev/null @@ -1,33 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import java.util.List; - -import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO; - -import com.cloud.utils.db.GenericDao; - -public interface IAMAccountPolicyMapDao extends GenericDao { - - List listByAccountId(long acctId); - - List listByPolicyId(long policyId); - - IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId); - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java deleted file mode 100644 index d74e86f2db6..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMAccountPolicyMapDaoImpl.java +++ /dev/null @@ -1,77 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import java.util.List; -import java.util.Map; - -import javax.naming.ConfigurationException; - -import org.apache.cloudstack.iam.server.IAMAccountPolicyMapVO; - -import com.cloud.utils.db.GenericDaoBase; -import com.cloud.utils.db.SearchBuilder; -import com.cloud.utils.db.SearchCriteria; - -public class IAMAccountPolicyMapDaoImpl extends GenericDaoBase implements IAMAccountPolicyMapDao { - - private SearchBuilder ListByAccountId; - private SearchBuilder ListByPolicyId; - private SearchBuilder findByPolicyAccountId; - - @Override - public boolean configure(String name, Map params) throws ConfigurationException { - super.configure(name, params); - - ListByAccountId = createSearchBuilder(); - ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ); - ListByAccountId.done(); - - ListByPolicyId = createSearchBuilder(); - ListByPolicyId.and("policyId", ListByPolicyId.entity().getIamPolicyId(), SearchCriteria.Op.EQ); - ListByPolicyId.done(); - - findByPolicyAccountId = createSearchBuilder(); - findByPolicyAccountId.and("policyId", findByPolicyAccountId.entity().getIamPolicyId(), SearchCriteria.Op.EQ); - findByPolicyAccountId.and("accountId", findByPolicyAccountId.entity().getAccountId(), SearchCriteria.Op.EQ); - findByPolicyAccountId.done(); - - return true; - } - - @Override - public List listByAccountId(long acctId) { - SearchCriteria sc = ListByAccountId.create(); - sc.setParameters("accountId", acctId); - return listBy(sc); - } - - @Override - public List listByPolicyId(long policyId) { - SearchCriteria sc = ListByPolicyId.create(); - sc.setParameters("policyId", policyId); - return listBy(sc); - } - - @Override - public IAMAccountPolicyMapVO findByAccountAndPolicy(long acctId, long policyId) { - SearchCriteria sc = findByPolicyAccountId.create(); - sc.setParameters("policyId", policyId); - sc.setParameters("accountId", acctId); - return findOneBy(sc); - } -} \ No newline at end of file diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java deleted file mode 100644 index a94dbaae9c7..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDao.java +++ /dev/null @@ -1,40 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import java.util.List; - -import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO; - -import com.cloud.utils.db.GenericDao; - -public interface IAMGroupAccountMapDao extends GenericDao { - - List listByGroupId(long groupId); - - List listByAccountId(long accountId); - - IAMGroupAccountMapVO findAccountInAdminGroup(long accountId); - - IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId); - - void removeAccountFromGroups(long accountId); - - IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId); - - IAMGroupAccountMapVO findAccountInUserGroup(long accountId); -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java deleted file mode 100644 index 4bb5d1a59fb..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupAccountMapDaoImpl.java +++ /dev/null @@ -1,119 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import java.util.List; -import java.util.Map; - -import javax.naming.ConfigurationException; - -import org.apache.cloudstack.iam.server.IAMGroupAccountMapVO; -import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; - - -import com.cloud.utils.db.GenericDaoBase; -import com.cloud.utils.db.SearchBuilder; -import com.cloud.utils.db.SearchCriteria; - -@Component -public class IAMGroupAccountMapDaoImpl extends GenericDaoBase implements IAMGroupAccountMapDao { - private SearchBuilder ListByGroupId; - private SearchBuilder ListByAccountId; - private SearchBuilder _findByAccountAndGroupId; - - public static final Logger s_logger = Logger.getLogger(IAMGroupAccountMapDaoImpl.class.getName()); - - @Override - public boolean configure(String name, Map params) throws ConfigurationException { - super.configure(name, params); - - ListByGroupId = createSearchBuilder(); - ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ); - ListByGroupId.done(); - - ListByAccountId = createSearchBuilder(); - ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ); - ListByAccountId.done(); - - _findByAccountAndGroupId = createSearchBuilder(); - _findByAccountAndGroupId - .and("groupId", _findByAccountAndGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ); - _findByAccountAndGroupId.and("accountId", _findByAccountAndGroupId.entity().getAccountId(), - SearchCriteria.Op.EQ); - _findByAccountAndGroupId.done(); - - return true; - } - - @Override - public List listByGroupId(long groupId) { - SearchCriteria sc = ListByGroupId.create(); - sc.setParameters("groupId", groupId); - return listBy(sc); - } - - @Override - public List listByAccountId(long accountId) { - SearchCriteria sc = ListByAccountId.create(); - sc.setParameters("accountId", accountId); - return listBy(sc); - } - - @Override - public IAMGroupAccountMapVO findAccountInAdminGroup(long accountId) { - SearchCriteria sc = _findByAccountAndGroupId.create(); - sc.setParameters("accountId", accountId); - sc.setParameters("groupId", 2); - return findOneBy(sc); - } - - @Override - public IAMGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) { - SearchCriteria sc = _findByAccountAndGroupId.create(); - sc.setParameters("accountId", accountId); - sc.setParameters("groupId", 3); - return findOneBy(sc); - } - - @Override - public IAMGroupAccountMapVO findAccountInUserGroup(long accountId) { - SearchCriteria sc = _findByAccountAndGroupId.create(); - sc.setParameters("accountId", accountId); - sc.setParameters("groupId", 1); - return findOneBy(sc); - } - - @Override - public IAMGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) { - SearchCriteria sc = _findByAccountAndGroupId.create(); - sc.setParameters("accountId", acctId); - sc.setParameters("groupId", groupId); - return findOneBy(sc); - } - - @Override - public void removeAccountFromGroups(long accountId) { - SearchCriteria sc = ListByAccountId.create(); - sc.setParameters("accountId", accountId); - - int rowsRemoved = remove(sc); - if (rowsRemoved > 0) { - s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups"); - } - } -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java deleted file mode 100644 index 54408a6d390..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDao.java +++ /dev/null @@ -1,28 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import org.apache.cloudstack.iam.api.IAMGroup; -import org.apache.cloudstack.iam.server.IAMGroupVO; - -import com.cloud.utils.db.GenericDao; - -public interface IAMGroupDao extends GenericDao { - - IAMGroup findByName(String path, String groupName); - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java deleted file mode 100644 index 45be0b3f21c..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupDaoImpl.java +++ /dev/null @@ -1,59 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import java.util.Map; - -import javax.naming.ConfigurationException; - -import org.apache.cloudstack.iam.api.IAMGroup; -import org.apache.cloudstack.iam.server.IAMGroupVO; -import org.springframework.stereotype.Component; - - -import com.cloud.utils.db.GenericDaoBase; -import com.cloud.utils.db.SearchBuilder; -import com.cloud.utils.db.SearchCriteria; - -@Component -public class IAMGroupDaoImpl extends GenericDaoBase implements IAMGroupDao { - private SearchBuilder nameSearch; - - @Override - public boolean configure(String name, Map params) throws ConfigurationException { - super.configure(name, params); - - nameSearch = createSearchBuilder(); - nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ); - nameSearch.and("path", nameSearch.entity().getPath(), SearchCriteria.Op.EQ); - nameSearch.done(); - - - return true; - } - - @Override - public IAMGroup findByName(String path, String name) { - SearchCriteria sc = nameSearch.create(); - sc.setParameters("name", name); - if (path != null) { - sc.setParameters("path", path); - } - return findOneBy(sc); - } - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java deleted file mode 100644 index 3f5f232e7d3..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDao.java +++ /dev/null @@ -1,33 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import java.util.List; - -import org.apache.cloudstack.iam.server.IAMGroupPolicyMapVO; - -import com.cloud.utils.db.GenericDao; - -public interface IAMGroupPolicyMapDao extends GenericDao { - - List listByGroupId(long groupId); - - List listByPolicyId(long policyId); - - IAMGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId); - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java deleted file mode 100644 index ac42f04a119..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMGroupPolicyMapDaoImpl.java +++ /dev/null @@ -1,77 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import java.util.List; -import java.util.Map; - -import javax.naming.ConfigurationException; - -import org.apache.cloudstack.iam.server.IAMGroupPolicyMapVO; - -import com.cloud.utils.db.GenericDaoBase; -import com.cloud.utils.db.SearchBuilder; -import com.cloud.utils.db.SearchCriteria; - -public class IAMGroupPolicyMapDaoImpl extends GenericDaoBase implements IAMGroupPolicyMapDao { - - private SearchBuilder ListByGroupId; - private SearchBuilder ListByPolicyId; - private SearchBuilder findByPolicyGroupId; - - @Override - public boolean configure(String name, Map params) throws ConfigurationException { - super.configure(name, params); - - ListByGroupId = createSearchBuilder(); - ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ); - ListByGroupId.done(); - - ListByPolicyId = createSearchBuilder(); - ListByPolicyId.and("policyId", ListByPolicyId.entity().getAclPolicyId(), SearchCriteria.Op.EQ); - ListByPolicyId.done(); - - findByPolicyGroupId = createSearchBuilder(); - findByPolicyGroupId.and("policyId", findByPolicyGroupId.entity().getAclPolicyId(), SearchCriteria.Op.EQ); - findByPolicyGroupId.and("groupId", findByPolicyGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ); - findByPolicyGroupId.done(); - - return true; - } - - @Override - public List listByGroupId(long groupId) { - SearchCriteria sc = ListByGroupId.create(); - sc.setParameters("groupId", groupId); - return listBy(sc); - } - - @Override - public List listByPolicyId(long policyId) { - SearchCriteria sc = ListByPolicyId.create(); - sc.setParameters("policyId", policyId); - return listBy(sc); - } - - @Override - public IAMGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId) { - SearchCriteria sc = findByPolicyGroupId.create(); - sc.setParameters("policyId", policyId); - sc.setParameters("groupId", groupId); - return findOneBy(sc); - } -} \ No newline at end of file diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java deleted file mode 100644 index ace7d8585ac..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDao.java +++ /dev/null @@ -1,28 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.server.IAMPolicyVO; - -import com.cloud.utils.db.GenericDao; - -public interface IAMPolicyDao extends GenericDao { - - IAMPolicy findByName(String policyName); - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java deleted file mode 100644 index 293cf6f59ee..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyDaoImpl.java +++ /dev/null @@ -1,57 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import java.util.Map; - -import javax.naming.ConfigurationException; - -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.server.IAMPolicyVO; -import org.springframework.stereotype.Component; - -import com.cloud.utils.db.GenericDaoBase; -import com.cloud.utils.db.SearchBuilder; -import com.cloud.utils.db.SearchCriteria; - -@Component -public class IAMPolicyDaoImpl extends GenericDaoBase implements IAMPolicyDao { - private SearchBuilder nameSearch; - - @Override - public boolean configure(String name, Map params) throws ConfigurationException { - super.configure(name, params); - - nameSearch = createSearchBuilder(); - nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ); - // nameSearch.and("domainId", nameSearch.entity().getDomainId(), - // SearchCriteria.Op.EQ); - nameSearch.done(); - - - return true; - } - - @Override - public IAMPolicy findByName(String name) { - SearchCriteria sc = nameSearch.create(); - sc.setParameters("name", name); - - return findOneBy(sc); - } - -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java deleted file mode 100644 index ebb4916470d..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDao.java +++ /dev/null @@ -1,39 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; -import java.util.List; - -import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; -import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO; - -import com.cloud.utils.db.GenericDao; - -public interface IAMPolicyPermissionDao extends GenericDao { - - List listByPolicy(long policyId); - - IAMPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId, - String action, Permission perm, String accessType); - - List listByPolicyActionAndScope(long policyId, String action, String scope, String accessType); - - List listByPolicyActionAndEntity(long policyId, String action, String entityType); - - List listByPolicyAccessAndEntity(long policyId, String accessType, String entityType); - - List listByEntity(String entityType, Long entityId); -} diff --git a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java b/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java deleted file mode 100644 index 44b77d1163e..00000000000 --- a/services/iam/server/src/main/java/org/apache/cloudstack/iam/server/dao/IAMPolicyPermissionDaoImpl.java +++ /dev/null @@ -1,130 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam.server.dao; - -import java.util.List; -import java.util.Map; - -import javax.naming.ConfigurationException; - -import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; -import org.apache.cloudstack.iam.server.IAMPolicyPermissionVO; - -import com.cloud.utils.db.GenericDaoBase; -import com.cloud.utils.db.SearchBuilder; -import com.cloud.utils.db.SearchCriteria; - -public class IAMPolicyPermissionDaoImpl extends GenericDaoBase implements - IAMPolicyPermissionDao { - - private SearchBuilder policyIdSearch; - private SearchBuilder fullSearch; - private SearchBuilder entitySearch; - - @Override - public boolean configure(String name, Map params) throws ConfigurationException { - super.configure(name, params); - - policyIdSearch = createSearchBuilder(); - policyIdSearch.and("policyId", policyIdSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ); - policyIdSearch.done(); - - fullSearch = createSearchBuilder(); - fullSearch.and("policyId", fullSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ); - fullSearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ); - fullSearch.and("scope", fullSearch.entity().getScope(), SearchCriteria.Op.EQ); - fullSearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ); - fullSearch.and("action", fullSearch.entity().getAction(), SearchCriteria.Op.EQ); - fullSearch.and("permission", fullSearch.entity().getPermission(), SearchCriteria.Op.EQ); - fullSearch.and("accessType", fullSearch.entity().getAccessType(), SearchCriteria.Op.EQ); - fullSearch.done(); - - entitySearch = createSearchBuilder(); - entitySearch.and("entityType", entitySearch.entity().getEntityType(), SearchCriteria.Op.EQ); - entitySearch.and("scopeId", entitySearch.entity().getScopeId(), SearchCriteria.Op.EQ); - entitySearch.done(); - - return true; - } - - @Override - public List listByPolicy(long policyId) { - SearchCriteria sc = policyIdSearch.create(); - sc.setParameters("policyId", policyId); - return listBy(sc); - } - - @Override - public IAMPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId, - String action, Permission perm, String accessType) { - SearchCriteria sc = fullSearch.create(); - sc.setParameters("policyId", policyId); - sc.setParameters("entityType", entityType); - sc.setParameters("scope", scope); - sc.setParameters("scopeId", scopeId); - sc.setParameters("action", action); - sc.setParameters("permission", perm); - if (accessType != null) { - // accessType can be optional, used mainly in list apis with - // ListEntry and UseEntry distinction - sc.setParameters("accessType", accessType); - } - return findOneBy(sc); - } - - @Override - public List listByPolicyActionAndScope(long policyId, String action, String scope, String accessType) { - SearchCriteria sc = fullSearch.create(); - sc.setParameters("policyId", policyId); - sc.setParameters("action", action); - sc.setParameters("scope", scope); - sc.setParameters("permission", Permission.Allow); - if ( accessType != null ){ - // accessType can be optional, used mainly in list apis with ListEntry and UseEntry distinction - sc.setParameters("accessType", accessType); - } - return listBy(sc); - } - - @Override - public List listByPolicyActionAndEntity(long policyId, String action, String entityType) { - SearchCriteria sc = fullSearch.create(); - sc.setParameters("policyId", policyId); - sc.setParameters("entityType", entityType); - sc.setParameters("action", action); - return listBy(sc); - } - - @Override - public List listByPolicyAccessAndEntity(long policyId, String accessType, - String entityType) { - SearchCriteria sc = fullSearch.create(); - sc.setParameters("policyId", policyId); - sc.setParameters("entityType", entityType); - sc.setParameters("accessType", accessType); - return listBy(sc); - } - - @Override - public List listByEntity(String entityType, Long entityId) { - SearchCriteria sc = entitySearch.create(); - sc.setParameters("entityType", entityType); - sc.setParameters("scopeId", entityId); - return listBy(sc); - } - -} diff --git a/services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml b/services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml deleted file mode 100644 index 1c7983608dd..00000000000 --- a/services/iam/server/src/main/resources/META-INF/cloudstack/core/spring-iam-server-context.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - diff --git a/services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java b/services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java deleted file mode 100644 index 53cfc71f936..00000000000 --- a/services/iam/server/src/test/java/org/apache/cloudstack/iam/IAMServiceUnitTest.java +++ /dev/null @@ -1,211 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. -package org.apache.cloudstack.iam; - -import static org.junit.Assert.assertNotNull; -import static org.mockito.Matchers.eq; -import static org.mockito.Mockito.when; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.List; - -import javax.inject.Inject; -import javax.naming.ConfigurationException; - -import org.junit.After; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.mockito.Mockito; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.ComponentScan; -import org.springframework.context.annotation.ComponentScan.Filter; -import org.springframework.context.annotation.Configuration; -import org.springframework.context.annotation.FilterType; -import org.springframework.core.type.classreading.MetadataReader; -import org.springframework.core.type.classreading.MetadataReaderFactory; -import org.springframework.core.type.filter.TypeFilter; -import org.springframework.test.context.ContextConfiguration; -import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; -import org.springframework.test.context.support.AnnotationConfigContextLoader; - -import org.apache.cloudstack.iam.api.IAMGroup; -import org.apache.cloudstack.iam.api.IAMPolicy; -import org.apache.cloudstack.iam.api.IAMService; -import org.apache.cloudstack.iam.server.IAMGroupVO; -import org.apache.cloudstack.iam.server.IAMPolicyVO; -import org.apache.cloudstack.iam.server.IAMServiceImpl; -import org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDao; -import org.apache.cloudstack.iam.server.dao.IAMGroupAccountMapDao; -import org.apache.cloudstack.iam.server.dao.IAMGroupDao; -import org.apache.cloudstack.iam.server.dao.IAMGroupPolicyMapDao; -import org.apache.cloudstack.iam.server.dao.IAMPolicyDao; -import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao; -import org.apache.cloudstack.test.utils.SpringUtils; - -import com.cloud.exception.InvalidParameterValueException; -import com.cloud.utils.component.ComponentContext; -import com.cloud.utils.db.EntityManager; -import com.cloud.utils.db.SearchCriteria; - -@RunWith(SpringJUnit4ClassRunner.class) -@ContextConfiguration(loader = AnnotationConfigContextLoader.class) -public class IAMServiceUnitTest { - - @Inject - IAMService _iamService; - - @Inject - IAMPolicyDao _aclPolicyDao; - - @Inject - IAMGroupDao _aclGroupDao; - - @Inject - EntityManager _entityMgr; - - @Inject - IAMGroupPolicyMapDao _aclGroupPolicyMapDao; - - @Inject - IAMGroupAccountMapDao _aclGroupAccountMapDao; - - @Inject - IAMPolicyPermissionDao _policyPermissionDao; - - @BeforeClass - public static void setUpClass() throws ConfigurationException { - } - - @Before - public void setUp() { - ComponentContext.initComponentsLifeCycle(); - IAMGroupVO group = new IAMGroupVO("group1", "my first group"); - Mockito.when(_aclGroupDao.persist(Mockito.any(IAMGroupVO.class))).thenReturn(group); - List groups = new ArrayList(); - groups.add(group); - when(_aclGroupDao.search(Mockito.any(SearchCriteria.class), Mockito.any(com.cloud.utils.db.Filter.class))) - .thenReturn(groups); - - IAMPolicyVO policy = new IAMPolicyVO("policy1", "my first policy"); - Mockito.when(_aclPolicyDao.persist(Mockito.any(IAMPolicyVO.class))).thenReturn(policy); - - } - - @After - public void tearDown() { - } - - @Test(expected = InvalidParameterValueException.class) - public void createAclGroupTest() { - IAMGroup group = _iamService.createIAMGroup("group1", "my first group", "/root/mydomain"); - assertNotNull("Acl group 'group1' failed to create ", group); - - IAMGroupVO group2 = new IAMGroupVO("group1", "my second group"); - when(_aclGroupDao.findByName(eq("/root/mydomain"), eq("group1"))).thenReturn(group2); - - IAMGroup group3 = _iamService.createIAMGroup("group1", "my first group", "/root/mydomain"); - } - - @Test(expected = InvalidParameterValueException.class) - public void deleteAclGroupInvalidIdTest() { - when(_aclGroupDao.findById(20L)).thenReturn(null); - _iamService.deleteIAMGroup(20L); - } - - @Test - public void accountGroupMaptest() { - // create group - IAMGroupVO group = new IAMGroupVO("group1", "my first group"); - - // add account to group - List accountIds = new ArrayList(); - accountIds.add(100L); - when(_aclGroupDao.findById(20L)).thenReturn(group); - _iamService.addAccountsToGroup(accountIds, 20L); - - _iamService.removeAccountsFromGroup(accountIds, 20L); - } - - @Test(expected = InvalidParameterValueException.class) - public void createAclPolicyTest() { - IAMPolicy policy = _iamService.createIAMPolicy("policy1", "my first policy", null, "/root/mydomain"); - assertNotNull("Acl policy 'policy1' failed to create ", policy); - - IAMPolicyVO rvo = new IAMPolicyVO("policy2", "second policy"); - when(_aclPolicyDao.findByName(eq("policy2"))).thenReturn(rvo); - - _iamService.createIAMPolicy("policy2", "second policy", null, "/root/mydomain"); - } - - @Test(expected = InvalidParameterValueException.class) - public void deleteAclPolicyInvalidIdTest() { - when(_aclPolicyDao.findById(34L)).thenReturn(null); - _iamService.deleteIAMPolicy(34L); - } - - @Configuration - @ComponentScan(basePackageClasses = {IAMServiceImpl.class}, includeFilters = {@Filter(value = TestConfiguration.Library.class, type = FilterType.CUSTOM)}, useDefaultFilters = false) - public static class TestConfiguration extends SpringUtils.CloudStackTestConfiguration { - - @Bean - public IAMPolicyDao aclPolicyDao() { - return Mockito.mock(IAMPolicyDao.class); - } - - @Bean - public IAMGroupDao aclGroupDao() { - return Mockito.mock(IAMGroupDao.class); - } - - @Bean - public EntityManager entityManager() { - return Mockito.mock(EntityManager.class); - } - - @Bean - public IAMGroupPolicyMapDao aclGroupPolicyMapDao() { - return Mockito.mock(IAMGroupPolicyMapDao.class); - } - - @Bean - public IAMGroupAccountMapDao aclGroupAccountMapDao() { - return Mockito.mock(IAMGroupAccountMapDao.class); - } - - @Bean - public IAMAccountPolicyMapDao aclAccountPolicyMapDao() { - return Mockito.mock(IAMAccountPolicyMapDao.class); - } - - @Bean - public IAMPolicyPermissionDao aclPolicyPermissionDao() { - return Mockito.mock(IAMPolicyPermissionDao.class); - } - - public static class Library implements TypeFilter { - - @Override - public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException { - ComponentScan cs = TestConfiguration.class.getAnnotation(ComponentScan.class); - return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs); - } - } - } -} diff --git a/services/iam/server/src/test/resources/db.properties b/services/iam/server/src/test/resources/db.properties deleted file mode 100644 index a672d63f799..00000000000 --- a/services/iam/server/src/test/resources/db.properties +++ /dev/null @@ -1,73 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - - -# management server clustering parameters, change cluster.node.IP to the machine IP address -# in which the management server(Tomcat) is running -cluster.node.IP=127.0.0.1 -cluster.servlet.port=9090 -region.id=1 - -# CloudStack database settings -db.cloud.username=cloud -db.cloud.password=cloud -db.root.password= -db.cloud.host=localhost -db.cloud.driver=jdbc:mysql -db.cloud.port=3306 -db.cloud.name=cloud - -# CloudStack database tuning parameters -db.cloud.maxActive=250 -db.cloud.maxIdle=30 -db.cloud.maxWait=10000 -db.cloud.autoReconnect=true -db.cloud.validationQuery=SELECT 1 -db.cloud.testOnBorrow=true -db.cloud.testWhileIdle=true -db.cloud.timeBetweenEvictionRunsMillis=40000 -db.cloud.minEvictableIdleTimeMillis=240000 -db.cloud.poolPreparedStatements=false -db.cloud.url.params=prepStmtCacheSize=517&cachePrepStmts=true&prepStmtCacheSqlLimit=4096 - -# usage database settings -db.usage.username=cloud -db.usage.password=cloud -db.usage.host=localhost -# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work -db.usage.driver=jdbc:mysql -db.usage.port=3306 -db.usage.name=cloud_usage - -# usage database tuning parameters -db.usage.maxActive=100 -db.usage.maxIdle=30 -db.usage.maxWait=10000 -db.usage.autoReconnect=true - -# Simulator database settings -db.simulator.username=cloud -db.simulator.password=cloud -db.simulator.host=localhost -# It's not guaranteed that using a different DB provider than the one from the regular cloud DB will work -db.simulator.driver=jdbc:mysql -db.simulator.port=3306 -db.simulator.name=simulator -db.simulator.maxActive=250 -db.simulator.maxIdle=30 -db.simulator.maxWait=10000 -db.simulator.autoReconnect=true diff --git a/tools/apidoc/gen_toc.py b/tools/apidoc/gen_toc.py index f45f030ac40..3bf52a36a46 100644 --- a/tools/apidoc/gen_toc.py +++ b/tools/apidoc/gen_toc.py @@ -169,7 +169,6 @@ known_categories = { 'Ucs' : 'UCS', 'CacheStores' : 'Cache Stores', 'CacheStore' : 'Cache Store', - 'IAM' : 'IAM', 'OvsElement' : 'Ovs Element', 'StratosphereSsp' : ' Stratosphere SSP', 'Metrics' : 'Metrics', diff --git a/tools/build/build_asf.sh b/tools/build/build_asf.sh index ecccb959226..7530be58860 100755 --- a/tools/build/build_asf.sh +++ b/tools/build/build_asf.sh @@ -100,9 +100,6 @@ perl -pi -e "s/-SNAPSHOT//" tools/apidoc/pom.xml perl -pi -e "s/-SNAPSHOT//" build/replace.properties perl -pi -e "s/-SNAPSHOT//" tools/marvin/setup.py perl -pi -e "s/-SNAPSHOT//" tools/marvin/marvin/deployAndRun.py -perl -pi -e "s/-SNAPSHOT//" services/iam/plugin/pom.xml -perl -pi -e "s/-SNAPSHOT//" services/iam/pom.xm -perl -pi -e "s/-SNAPSHOT//" services/iam/server/pom.xml perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile.marvin perl -pi -e "s/-SNAPSHOT//" tools/docker/Dockerfile.centos6 diff --git a/tools/build/setnextversion.sh b/tools/build/setnextversion.sh index 2f9c980b1e3..3b31ea915e7 100755 --- a/tools/build/setnextversion.sh +++ b/tools/build/setnextversion.sh @@ -131,9 +131,6 @@ echo "setting new version numbers" mvn versions:set -DnewVersion=$version -P vmware -P developer -P systemvm -P simulator -Dnoredist versions:commit perl -pi -e "s/$currentversion/$version/" debian/changelog -perl -pi -e "s/$currentversion/$version/" services/iam/plugin/pom.xml -perl -pi -e "s/$currentversion/$version/" services/iam/pom.xml -perl -pi -e "s/$currentversion/$version/" services/iam/server/pom.xml perl -pi -e "s/$currentversion/$version/" tools/apidoc/pom.xml perl -pi -e "s/$currentversion/$version/" tools/checkstyle/pom.xml perl -pi -e "s/$currentversion/$version/" tools/marvin/setup.py diff --git a/tools/marvin/marvin/lib/base.py b/tools/marvin/marvin/lib/base.py index fdfed774f84..c4d8783b6de 100755 --- a/tools/marvin/marvin/lib/base.py +++ b/tools/marvin/marvin/lib/base.py @@ -5096,139 +5096,6 @@ class NIC: cmd.listall = True return(apiclient.listNics(cmd)) -class IAMGroup: - def __init__(self, items): - self.__dict__.update(items) - - @classmethod - def create(cls, apiclient, iam_grp, account=None, domainid=None): - cmd = createIAMGroup.createIAMGroupCmd() - cmd.name = iam_grp['name'] - cmd.description = iam_grp['description'] - if account: - cmd.account = account - if domainid: - cmd.domainid = domainid - return IAMGroup(apiclient.createIAMGroup(cmd).__dict__) - - def update(self, apiclient): - pass - - def delete(self, apiclient): - cmd = deleteIAMGroup.deleteIAMGroupCmd() - cmd.id = self.id - return apiclient.deleteIAMGroup(cmd) - - @classmethod - def list(cls, apiclient, **kwargs): - cmd = listIAMGroups.listIAMGroupsCmd() - [setattr(cmd, k, v) for k, v in kwargs.items()] - if 'account' in kwargs.keys() and 'domainid' in kwargs.keys(): - cmd.listall = True - return apiclient.listIAMGroups(cmd) - - def addAccount(self, apiclient, accts): - """Add accounts to iam group""" - cmd = addAccountToIAMGroup.addAccountToIAMGroupCmd() - cmd.id = self.id - cmd.accounts = [str(acct.id) for acct in accts] - apiclient.addAccountToIAMGroup(cmd) - return - - def removeAccount(self, apiclient, accts): - """ Remove accounts from iam group""" - cmd = removeAccountFromIAMGroup.removeAccountFromIAMGroupCmd() - cmd.id = self.id - cmd.accounts = [str(acct.id) for acct in accts] - apiclient.removeAccountFromIAMGroup(cmd) - return - - def attachPolicy(self, apiclient, policies): - """Add policies to iam group""" - cmd = attachIAMPolicyToIAMGroup.attachIAMPolicyToIAMGroupCmd() - cmd.id = self.id - cmd.policies = [str(policy.id) for policy in policies] - apiclient.attachIAMPolicyToIAMGroup(cmd) - return - - def detachPolicy(self, apiclient, policies): - """Remove policies from iam group""" - cmd = removeIAMPolicyFromIAMGroup.removeIAMPolicyFromIAMGroupCmd() - cmd.id = self.id - cmd.policies = [str(policy.id) for policy in policies] - apiclient.removeIAMPolicyFromIAMGroup(cmd) - return - -class IAMPolicy: - def __init__(self, items): - self.__dict__.update(items) - - @classmethod - def create(cls, apiclient, iam_policy, account=None, domainid=None): - cmd = createIAMPolicy.createIAMPolicyCmd() - cmd.name = iam_policy['name'] - cmd.description = iam_policy['description'] - if account: - cmd.account = account - if domainid: - cmd.domainid = domainid - return IAMPolicy(apiclient.createIAMPolicy(cmd).__dict__) - - def update(self, apiclient): - pass - - def delete(self, apiclient): - cmd = deleteIAMPolicy.deleteIAMPolicyCmd() - cmd.id = self.id - return apiclient.deleteIAMPolicy(cmd) - - @classmethod - def list(cls, apiclient, **kwargs): - cmd = listIAMPolicies.listIAMPoliciesCmd() - [setattr(cmd, k, v) for k, v in kwargs.items()] - if 'account' in kwargs.keys() and 'domainid' in kwargs.keys(): - cmd.listall = True - return apiclient.listIAMPoliciesCmd(cmd) - - def addPermission(self, apiclient, permission): - """Add permission to iam policy""" - cmd = addIAMPermissionToIAMPolicy.addIAMPermissionToIAMPolicyCmd() - cmd.id = self.id - cmd.action = permission['action'] - cmd.entitytype = permission['entitytype'] - cmd.scope = permission['scope'] - cmd.scopeid = permission['scopeid'] - apiclient.addIAMPermissionToIAMPolicy(cmd) - return - - def removePermission(self, apiclient, permission): - """Remove permission from iam policy""" - cmd = removeIAMPermissionFromIAMPolicy.\ - removeIAMPermissionFromIAMPolicyCmd() - cmd.id = self.id - cmd.action = permission['action'] - cmd.entitytype = permission['entitytype'] - cmd.scope = permission['scope'] - cmd.scopeid = permission['scopeid'] - apiclient.removeIAMPermissionFromIAMPolicy(cmd) - return - - def attachAccount(self, apiclient, accts): - """Attach iam policy to accounts""" - cmd = attachIAMPolicyToAccount.attachIAMPolicyToAccountCmd() - cmd.id = self.id - cmd.accounts = [str(acct.id) for acct in accts] - apiclient.attachIAMPolicyToAccount(cmd) - return - - def detachAccount(self, apiclient, accts): - """Detach iam policy from accounts""" - cmd = removeIAMPolicyFromAccount.removeIAMPolicyFromAccountCmd() - cmd.id = self.id - cmd.accounts = [str(acct.id) for acct in accts] - apiclient.removeIAMPolicyFromAccount(cmd) - return - class SimulatorMock: """Manage simulator mock lifecycle""" def __init__(self, items):