diff --git a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java b/api/src/org/apache/cloudstack/acl/APIChecker.java
similarity index 72%
rename from api/src/org/apache/cloudstack/acl/APIAccessChecker.java
rename to api/src/org/apache/cloudstack/acl/APIChecker.java
index 1645fa2c832..61dd7de75cb 100644
--- a/api/src/org/apache/cloudstack/acl/APIAccessChecker.java
+++ b/api/src/org/apache/cloudstack/acl/APIChecker.java
@@ -19,10 +19,10 @@ package org.apache.cloudstack.acl;
import org.apache.cloudstack.acl.RoleType;
import com.cloud.utils.component.Adapter;
-/**
- * APIAccessChecker checks the ownership and access control to API requests
- */
-public interface APIAccessChecker extends Adapter {
- // Interface for checking access to an API for an user
- boolean canAccessAPI(RoleType roleType, String apiCommandName);
+// APIChecker checks the ownership and access control to API requests
+public interface APIChecker extends Adapter {
+ // Interface for checking access for a role using apiname
+ boolean checkAccess(RoleType roleType, String apiCommandName);
+ // Interface for checking existence of an api by name
+ boolean checkExistence(String apiCommandName);
}
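Review bot: Neither `checkAccess` nor `checkExistence` states its contract, and the type-level Javadoc was downgraded to a `//` comment, so it will no longer appear in generated documentation. Implementations of this interface are authorization plugins, so each method should carry Javadoc saying what it returns for a command name the checker does not know. The Javadoc for `checkExistence` should also say that it ignores the caller's role and is not an access decision, for example `/** Returns true if this checker knows the API name; says nothing about whether any role may call it. */`.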
diff --git a/client/tomcatconf/components.xml.in b/client/tomcatconf/components.xml.in
index b779c860cc2..bb39839c820 100755
--- a/client/tomcatconf/components.xml.in
+++ b/client/tomcatconf/components.xml.in
@@ -53,7 +53,7 @@ under the License.
true
-
+
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index d6bf3f63c74..740fbbc6456 100644
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -29,13 +29,12 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
-import static org.apache.cloudstack.acl.RoleType.*;
import org.apache.log4j.Logger;
// This is the default API access checker that grab's the user's account
// based on the account type, access is granted
-@Local(value=APIAccessChecker.class)
-public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIAccessChecker {
+@Local(value=APIChecker.class)
+public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
protected static final Logger s_logger = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
@@ -50,10 +49,19 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
}
@Override
- public boolean canAccessAPI(RoleType roleType, String commandName) {
+ public boolean checkAccess(RoleType roleType, String commandName) {
return s_roleBasedApisMap.get(roleType).contains(commandName);
}
+ @Override
+ public boolean checkExistence(String apiName) {
+ for (RoleType roleType: RoleType.values()) {
+ if (s_roleBasedApisMap.get(roleType).contains(apiName))
+ return true;
+ }
+ return false;
+ }
+
@Override
public boolean configure(String name, Map params) throws ConfigurationException {
super.configure(name, params);
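Review bot: `checkExistence` calls `s_roleBasedApisMap.get(roleType).contains(apiName)` for every value of `RoleType.values()`, so a role with no entry in the map raises a NullPointerException instead of giving a yes/no answer; `checkAccess` has the same dereference. The map is populated outside this hunk, so every role may already be guaranteed an entry, but nothing visible here enforces it. Suggest holding the lookup in a local and treating a missing entry as "not listed", e.g. `if (apis != null && apis.contains(apiName)) return true;`, with the equivalent deny-on-null in `checkAccess`. The `configure` method at the end of the hunk continues outside it.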
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index be3c08716cc..7663e8e724a 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -51,8 +51,7 @@ import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.cloud.utils.ReflectUtil;
-import org.apache.cloudstack.acl.APIAccessChecker;
-import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.APIChecker;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.*;
import org.apache.cloudstack.api.command.user.account.ListAccountsCmd;
@@ -146,8 +145,8 @@ public class ApiServer implements HttpRequestHandler {
@Inject private DomainManager _domainMgr = null;
@Inject private AsyncJobManager _asyncMgr = null;
- @Inject(adapter = APIAccessChecker.class)
- protected Adapters _apiAccessCheckers;
+ @Inject(adapter = APIChecker.class)
+ protected Adapters _apiAccessCheckers;
private Account _systemAccount = null;
private User _systemUser = null;
@@ -558,7 +557,7 @@ public class ApiServer implements HttpRequestHandler {
return true;
} else {
// check against every available command to see if the command exists or not
- if (!isCommandAvailable(null, commandName) && !commandName.equals("login") && !commandName.equals("logout")) {
+ if (!doesCommandExist(commandName) && !commandName.equals("login") && !commandName.equals("logout")) {
s_logger.debug("The given command:" + commandName + " does not exist or it is not available for user with id:" + userId);
throw new ServerApiException(BaseCmd.UNSUPPORTED_ACTION_ERROR, "The given command does not exist or it is not available for user");
}
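Review bot: The guard on the changed line is now much weaker than before. `isCommandAvailable(null, commandName)` always returned false for a null user, so only `login` and `logout` passed this branch, whereas `doesCommandExist(commandName)` lets every known command name continue. Whether the per-role check is still applied to those requests depends on code after this block, which is outside the hunk, so that should be confirmed as part of this change. If it is, a comment on the new line such as `// existence only; role-based access is enforced separately` would record the intent. The log and exception text still say "not available for user", which no longer matches an existence-only test.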
@@ -790,17 +789,25 @@ public class ApiServer implements HttpRequestHandler {
return true;
}
- private boolean isCommandAvailable(User user, String commandName)
- throws PermissionDeniedException {
+ private boolean doesCommandExist(String apiName) {
+ for (APIChecker apiChecker : _apiAccessCheckers) {
+ // If any checker has api info on the command, return true
+ if (apiChecker.checkExistence(apiName))
+ return true;
+ }
+ return false;
+ }
+
+ private boolean isCommandAvailable(User user, String commandName) {
if (user == null) {
return false;
}
Account account = _accountMgr.getAccount(user.getAccountId());
RoleType roleType = _accountMgr.getRoleType(account);
- for (APIAccessChecker apiChecker : _apiAccessCheckers) {
+ for (APIChecker apiChecker : _apiAccessCheckers) {
// Fail the checking if any checker fails to verify
- if (!apiChecker.canAccessAPI(roleType, commandName))
+ if (!apiChecker.checkAccess(roleType, commandName))
return false;
}
return true;
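Review bot: `isCommandAvailable` falls through to `return true` when `_apiAccessCheckers` yields no elements, so a deployment with no checker loaded would allow every command for every role, while `doesCommandExist` returns false in that same case. Authorization should fail closed: add `boolean checked = false;` before the loop, set `checked = true;` inside it, and end with `return checked;`. It is also worth documenting on both methods that existence is satisfied by any checker while access requires all of them. With the static role-based checker in this commit, a checker that does not list a command denies it. The closing brace of `isCommandAvailable` is outside the hunk.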