CLOUDSTACK-5920: Add some interface methods and constants required by

IAM.
2025-10-26 08:42:29 +01:00 · 2014-03-04 17:34:50 -08:00 · 2014-03-04 17:34:50 -08:00 · 793becf524
commit 793becf524
parent d0ae4d9a9f
14 changed files with 181 additions and 3 deletions
--- a/api/src/com/cloud/event/EventTypes.java
+++ b/api/src/com/cloud/event/EventTypes.java
@ -455,6 +455,19 @@ public class EventTypes {

    public static final String EVENT_UCS_ASSOCIATED_PROFILE = "UCS.ASSOCIATEPROFILE";

+    // IAM events
+    public static final String EVENT_IAM_POLICY_CREATE = "IAMPOLICY.CREATE";
+    public static final String EVENT_IAM_POLICY_DELETE = "IAMPOLICY.DELETE";
+    public static final String EVENT_IAM_POLICY_GRANT = "IAMPOLICY.GRANT";
+    public static final String EVENT_IAM_POLICY_REVOKE = "IAMPOLICY.REVOKE";
+
+    public static final String EVENT_IAM_GROUP_UPDATE = "IAMGROUP.UPDATE";
+    public static final String EVENT_IAM_GROUP_CREATE = "IAMGROUP.CREATE";
+    public static final String EVENT_IAM_GROUP_DELETE = "IAMGROUP.DELETE";
+    public static final String EVENT_IAM_GROUP_GRANT = "IAMGROUP.GRANT";
+    public static final String EVENT_IAM_GROUP_REVOKE = "IAMGROUP.REVOKE";
+    public static final String EVENT_IAM_ACCOUNT_POLICY_UPDATE = "IAMACCOUNTPOLICY.UPDATE";
+
    // Object store migration
    public static final String EVENT_MIGRATE_PREPARE_SECONDARY_STORAGE = "MIGRATE.PREPARE.SS";

--- a/api/src/org/apache/cloudstack/acl/PermissionScope.java
+++ b/api/src/org/apache/cloudstack/acl/PermissionScope.java
@ -0,0 +1,25 @@
+package org.apache.cloudstack.acl;
+
+public enum PermissionScope {
+    RESOURCE(0),
+    ACCOUNT(1),
+    DOMAIN(2),
+ REGION(3), ALL(4);
+
+    private int _scale;
+
+    private PermissionScope(int scale) {
+        _scale = scale;
+    }
+
+    public int getScale() {
+        return _scale;
+    }
+
+    public boolean greaterThan(PermissionScope s) {
+        if (_scale > s.getScale())
+            return true;
+        else
+            return false;
+    }
+}
--- a/api/src/org/apache/cloudstack/acl/QuerySelector.java
+++ b/api/src/org/apache/cloudstack/acl/QuerySelector.java
@ -0,0 +1,72 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import java.util.List;
+
+import com.cloud.user.Account;
+import com.cloud.utils.component.Adapter;
+
+/**
+ * QueryChecker returns granted access at domain, account or resource level.
+ */
+public interface QuerySelector extends Adapter {
+
+    /**
+    * List granted domains for the caller, given a specific action.
+    *
+    * @param caller account to check against.
+    * @param action action
+    * @return list of domain Ids granted to the caller account.
+    */
+    List<Long> getAuthorizedDomains(Account caller, String action);
+
+    /**
+    * List granted accounts for the caller, given a specific action.
+    *
+    * @param caller account to check against.
+    * @param action action.
+    * @return list of domain Ids granted to the caller account.
+    */
+    List<Long> getAuthorizedAccounts(Account caller, String action);
+
+
+    /**
+    * List granted resources for the caller, given a specific action.
+    *
+    * @param caller account to check against.
+    * @param action action.
+    * @return list of domain Ids granted to the caller account.
+    */
+    List<Long> getAuthorizedResources(Account caller, String action);
+
+    /**
+     * Check if this account is associated with a policy with scope of ALL
+     * @param caller account to check
+     * @param action action.
+     * @return true if this account is attached with a policy for the given action of ALL scope.
+     */
+    boolean isGrantedAll(Account caller, String action);
+
+    /**
+     * List of ACL group the given account belongs to
+     * @param accountId account id.
+     * @return ACL group names
+     */
+    List<String> listAclGroupsByAccount(long accountId);
+
+}
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@ -31,7 +31,7 @@ import com.cloud.utils.component.Adapter;
 public interface SecurityChecker extends Adapter {

    public enum AccessType {
-        ListEntry, ModifyEntry, ModifyProject, UseNetwork
+        ListEntry, ModifyEntry, ModifyProject, UseNetwork, OperateEntry, UseEntry
    }

    /**
@ -75,6 +75,26 @@ public interface SecurityChecker extends Adapter {
     */
    boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException;

+    /**
+     * Checks if the account can access the object.
+     *
+     * @param caller
+     *            account to check against.
+     * @param entity
+     *            object that the account is trying to access.
+     * @param accessType
+     *            TODO
+     * @param action
+     *            name of the API
+     * @return true if access allowed. false if this adapter cannot provide
+     *         permission.
+     * @throws PermissionDeniedException
+     *             if this adapter is suppose to authenticate ownership and the
+     *             check failed.
+     */
+    boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException;
+
+
    /**
     * Checks if the user belongs to an account that can access the object.
     *
--- a/api/src/org/apache/cloudstack/api/APICommand.java
+++ b/api/src/org/apache/cloudstack/api/APICommand.java
@ -22,6 +22,7 @@ import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;

+import org.apache.cloudstack.acl.IAMEntityType;
 import org.apache.cloudstack.acl.RoleType;

@Retention(RetentionPolicy.RUNTIME)
@ -44,4 +45,6 @@ public @interface APICommand {
    boolean responseHasSensitiveInfo() default true;

    RoleType[] authorized() default {};
+
+    IAMEntityType[] entityType() default {};
 }
--- a/api/src/org/apache/cloudstack/api/ApiCommandJobType.java
+++ b/api/src/org/apache/cloudstack/api/ApiCommandJobType.java
@ -49,5 +49,7 @@ public enum ApiCommandJobType {
    LoadBalancerRule,
    AffinityGroup,
    InternalLbVm,
-    DedicatedGuestVlanRange
+    DedicatedGuestVlanRange,
+    IAMPolicy,
+    IAMGroup
 }
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@ -544,6 +544,24 @@ public class ApiConstants {
    public static final String ROUTING = "isrouting";
    public static final String MAX_CONNECTIONS = "maxconnections";
    public static final String SERVICE_STATE = "servicestate";
+
+    public static final String IAM_ACCOUNT_IDS = "accountids";
+    public static final String IAM_MEMBER_ACCOUNTS = "memberaccounts";
+    public static final String IAM_PARENT_POLICY_ID = "parentpolicyid";
+    public static final String IAM_PARENT_POLICY_NAME = "parentpolicyname";
+    public static final String IAM_POLICY_IDS = "policyids";
+    public static final String IAM_POLICIES = "policies";
+    public static final String IAM_APIS = "apis";
+    public static final String IAM_GROUPS = "groups";
+    public static final String IAM_PERMISSIONS = "permission";
+    public static final String IAM_ACTION = "action";
+    public static final String IAM_SCOPE = "scope";
+    public static final String IAM_SCOPE_ID = "scopeid";
+    public static final String IAM_ALLOW_DENY = "permission";
+    public static final String ENTITY_TYPE = "entitytype";
+    public static final String ENTITY_ID = "entityid";
+    public static final String ACCESS_TYPE = "accesstype";
+
    public static final String RESOURCE_DETAILS = "resourcedetails";
    public static final String EXPUNGE = "expunge";
    public static final String FOR_DISPLAY = "fordisplay";
--- a/engine/components-api/src/com/cloud/template/TemplateManager.java
+++ b/engine/components-api/src/com/cloud/template/TemplateManager.java
@ -122,4 +122,7 @@ public interface TemplateManager {
     */
    void prepareIsoForVmProfile(VirtualMachineProfile profile);

+    public static final String MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT = "Message.RegisterPublicTemplate.Event";
+    public static final String MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT = "Message.ResetTemplatePermission.Event";
+
 }
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@ -319,4 +319,10 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
        }
        return false;
    }
+
+    @Override
+    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
+            throws PermissionDeniedException {
+        return checkAccess(caller, entity, accessType);
+    }
 }
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@ -891,7 +891,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
        }
    }

-    private Class<?> getCmdClass(String cmdName) {
+    @Override
+    public Class<?> getCmdClass(String cmdName) {
        return s_apiNameCmdClassMap.get(cmdName);
    }

--- a/server/src/com/cloud/api/ApiServerService.java
+++ b/server/src/com/cloud/api/ApiServerService.java
@ -41,4 +41,6 @@ public interface ApiServerService {
    public String getSerializedApiError(ServerApiException ex, Map<String, Object[]> apiCommandParams, String responseType);

    public String handleRequest(Map params, String responseType, StringBuffer auditTrailSb) throws ServerApiException;
+
+    public Class<?> getCmdClass(String cmdName);
 }
--- a/server/src/com/cloud/user/AccountManager.java
+++ b/server/src/com/cloud/user/AccountManager.java
@ -188,4 +188,8 @@ public interface AccountManager extends AccountService {
     * @return account object
     */
    Account lockAccount(String accountName, Long domainId, Long accountId);
+
+    public static final String MESSAGE_ADD_ACCOUNT_EVENT = "Message.AddAccount.Event";
+
+    public static final String MESSAGE_REMOVE_ACCOUNT_EVENT = "Message.RemoveAccount.Event";
 }
--- a/server/src/com/cloud/user/DomainManager.java
+++ b/server/src/com/cloud/user/DomainManager.java
@ -47,4 +47,7 @@ public interface DomainManager extends DomainService {
     * @return Domain object if the command succeeded
     */
    Domain updateDomain(UpdateDomainCmd cmd);
+
+    public static final String MESSAGE_ADD_DOMAIN_EVENT = "Message.AddDomain.Event";
+    public static final String MESSAGE_REMOVE_DOMAIN_EVENT = "Message.RemoveDomain.Event";
 }
--- a/utils/src/com/cloud/utils/db/EntityManager.java
+++ b/utils/src/com/cloud/utils/db/EntityManager.java
@ -75,4 +75,10 @@ public interface EntityManager {
    public <T, K extends Serializable> void remove(Class<T> entityType, K id);

    public <T, K extends Serializable> T findByIdIncludingRemoved(Class<T> entityType, K id);
+
+    public static final String MESSAGE_REMOVE_ENTITY_EVENT = "Message.RemoveEntity.Event";
+
+    public static final String MESSAGE_GRANT_ENTITY_EVENT = "Message.GrantEntity.Event";
+    public static final String MESSAGE_REVOKE_ENTITY_EVENT = "Message.RevokeEntity.Event";
+    public static final String MESSAGE_ADD_DOMAIN_WIDE_ENTITY_EVENT = "Message.AddDomainWideEntity.Event";
 }