apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

APIAccessChecker: Make it check based on role type and not user

Browse Source 
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
This commit is contained in:
Rohit Yadav 2013-01-10 11:49:15 -08:00
parent c6d9877d64
commit 62a42723f9
3 changed files with 69 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
api/src/org/apache/cloudstack/acl/APIAccessChecker.java
View File

@ -16,11 +16,8 @@
// under the License.
package org.apache.cloudstack.acl;
import java.util.Properties;
import org.apache.cloudstack.acl.RoleType;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.user.Account;
import com.cloud.user.User;
import com.cloud.utils.component.Adapter;
/**
@ -28,5 +25,5 @@ import com.cloud.utils.component.Adapter;
*/
public interface APIAccessChecker extends Adapter {
// Interface for checking access to an API for an user
boolean canAccessAPI(User user, String apiCommandName) throws PermissionDeniedException;
boolean canAccessAPI(RoleType roleType, String apiCommandName) throws PermissionDeniedException;
}

68
plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
View File

@ -27,78 +27,64 @@ import javax.ejb.Local;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.APIAccessChecker;
import org.apache.cloudstack.acl.RoleType;
import static org.apache.cloudstack.acl.RoleType.*;
import org.apache.log4j.Logger;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.server.ManagementServer;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.User;
import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.component.AdapterBase;
import com.cloud.utils.component.ComponentLocator;
import com.cloud.utils.component.Inject;
import com.cloud.utils.component.PluggableService;
/*
* This is the default API access checker that grab's the user's account
* based on the account type, access is granted referring to commands in all *.properties files.
*/
// This is the default API access checker that grab's the user's account
// based on the account type, access is granted
@Local(value=APIAccessChecker.class)
public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIAccessChecker {
protected static final Logger s_logger = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
public static final short ADMIN_COMMAND = 1;
public static final short DOMAIN_ADMIN_COMMAND = 4;
public static final short RESOURCE_DOMAIN_ADMIN_COMMAND = 2;
public static final short USER_COMMAND = 8;
private static List<String> s_userCommands = null;
private static List<String> s_resellerCommands = null; // AKA domain-admin
private static List<String> s_adminCommands = null;
private static List<String> s_resourceDomainAdminCommands = null;
private static List<String> s_allCommands = null;
protected @Inject AccountManager _accountMgr;
private static Set<String> s_userCommands = null;
private static Set<String> s_resellerCommands = null; // AKA domain-admin
private static Set<String> s_adminCommands = null;
private static Set<String> s_resourceDomainAdminCommands = null;
private static Set<String> s_allCommands = null;
protected StaticRoleBasedAPIAccessChecker() {
super();
s_allCommands = new ArrayList<String>();
s_userCommands = new ArrayList<String>();
s_resellerCommands = new ArrayList<String>();
s_adminCommands = new ArrayList<String>();
s_resourceDomainAdminCommands = new ArrayList<String>();
s_allCommands = new HashSet<String>();
s_userCommands = new HashSet<String>();
s_resellerCommands = new HashSet<String>();
s_adminCommands = new HashSet<String>();
s_resourceDomainAdminCommands = new HashSet<String>();
}
@Override
public boolean canAccessAPI(User user, String apiCommandName)
public boolean canAccessAPI(RoleType roleType, String apiCommandName)
throws PermissionDeniedException{
boolean commandExists = s_allCommands.contains(apiCommandName);
if(commandExists && user != null){
Long accountId = user.getAccountId();
Account userAccount = _accountMgr.getAccount(accountId);
short accountType = userAccount.getType();
return isCommandAvailableForAccount(accountType, apiCommandName);
if(commandExists) {
return isCommandAvailableForAccount(roleType, apiCommandName);
}
return commandExists;
}
private static boolean isCommandAvailableForAccount(short accountType, String commandName) {
private static boolean isCommandAvailableForAccount(RoleType roleType, String commandName) {
boolean isCommandAvailable = false;
switch (accountType) {
case Account.ACCOUNT_TYPE_ADMIN:
switch (roleType) {
case Admin:
isCommandAvailable = s_adminCommands.contains(commandName);
break;
case Account.ACCOUNT_TYPE_DOMAIN_ADMIN:
case DomainAdmin:
isCommandAvailable = s_resellerCommands.contains(commandName);
break;
case Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN:
case ResourceAdmin:
isCommandAvailable = s_resourceDomainAdminCommands.contains(commandName);
break;
case Account.ACCOUNT_TYPE_NORMAL:
case User:
isCommandAvailable = s_userCommands.contains(commandName);
break;
}
@ -157,16 +143,16 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
try {
short cmdPermissions = Short.parseShort(mask);
if ((cmdPermissions & ADMIN_COMMAND) != 0) {
if ((cmdPermissions & Admin.getValue()) != 0) {
s_adminCommands.add((String) key);
}
if ((cmdPermissions & RESOURCE_DOMAIN_ADMIN_COMMAND) != 0) {
if ((cmdPermissions & ResourceAdmin.getValue()) != 0) {
s_resourceDomainAdminCommands.add((String) key);
}
if ((cmdPermissions & DOMAIN_ADMIN_COMMAND) != 0) {
if ((cmdPermissions & DomainAdmin.getValue()) != 0) {
s_resellerCommands.add((String) key);
}
if ((cmdPermissions & USER_COMMAND) != 0) {
if ((cmdPermissions & User.getValue()) != 0) {
s_userCommands.add((String) key);
}
s_allCommands.addAll(s_adminCommands);

33
server/src/com/cloud/api/ApiServer.java
View File

@ -53,6 +53,7 @@ import javax.servlet.http.HttpSession;
import com.cloud.utils.ReflectUtil;
import org.apache.cloudstack.acl.APIAccessChecker;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.*;
import org.apache.cloudstack.api.command.user.account.ListAccountsCmd;
import org.apache.cloudstack.api.command.user.account.ListProjectAccountsCmd;
@ -790,9 +791,39 @@ public class ApiServer implements HttpRequestHandler {
}
private boolean isCommandAvailable(User user, String commandName) {
if (user == null) {
return false;
}
Account account = _accountMgr.getAccount(user.getAccountId());
if (account == null) {
return false;
}
RoleType roleType = RoleType.Unknown;
short accountType = account.getType();
// Account type to role type translation
switch (accountType) {
case Account.ACCOUNT_TYPE_ADMIN:
roleType = RoleType.Admin;
break;
case Account.ACCOUNT_TYPE_DOMAIN_ADMIN:
roleType = RoleType.DomainAdmin;
break;
case Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN:
roleType = RoleType.ResourceAdmin;
break;
case Account.ACCOUNT_TYPE_NORMAL:
roleType = RoleType.User;
break;
default:
return false;
}
for (APIAccessChecker apiChecker : _apiAccessCheckers) {
// Fail the checking if any checker fails to verify
if (!apiChecker.canAccessAPI(user, commandName))
if (!apiChecker.canAccessAPI(roleType, commandName))
return false;
}
return true;