Changes to QuerySelector to list the parent group resources with recursive = true access

engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java

@@ -2196,7 +2196,7 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
                                 NetworkAccountVO networkAccount = _networkAccountDao.getAccountNetworkMapByNetworkId(networkFinal.getId());
                                 if (networkAccount != null)
                                     _networkAccountDao.remove(networkAccount.getId());
-                                
+
                                 // remove its related ACL permission
                                 Pair<AclEntityType, Long> networkMsg = new Pair<AclEntityType, Long>(AclEntityType.Network, networkFinal.getId());
                                 _messageBus.publish(_name, EntityManager.MESSAGE_REMOVE_ENTITY_EVENT, PublishScope.LOCAL, networkMsg);

services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java

@@ -172,7 +172,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
         List<AclGroup> groups = _iamSrv.listAclGroups(caller.getId());
         for (AclGroup group : groups) {
             // for each group find the grand parent groups.
-            List<AclGroup> parentGroups = _iamSrv.listParentAclGroupsOnPath(group.getPath());
+            List<AclGroup> parentGroups = _iamSrv.listParentAclGroups(group.getId());
             for (AclGroup parentGroup : parentGroups) {
                 policies.addAll(_iamSrv.listRecursiveAclPoliciesByGroup(parentGroup.getId()));
             }

services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityQuerySelector.java

@@ -83,6 +83,17 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe
         long accountId = caller.getAccountId();
         // Get the static Policies of the Caller
         List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
+
+        // add the policies that grant recursive access
+        List<AclGroup> groups = _iamService.listAclGroups(caller.getId());
+        for (AclGroup group : groups) {
+            // for each group find the grand parent groups.
+            List<AclGroup> parentGroups = _iamService.listParentAclGroups(group.getId());
+            for (AclGroup parentGroup : parentGroups) {
+                policies.addAll(_iamService.listRecursiveAclPoliciesByGroup(parentGroup.getId()));
+            }
+        }
+
         // for each policy, find granted permission with Resource scope
         List<Long> entityIds = new ArrayList<Long>();
         for (AclPolicy policy : policies) {

services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java

@@ -85,7 +85,7 @@ public interface IAMService {
     List<AclPolicyPermission> listPolicyPermissionByAccessAndEntity(long policyId, String accessType,
             String entityType);
 
-    List<AclGroup> listParentAclGroupsOnPath(String path);
+    List<AclGroup> listParentAclGroups(long groupId);
 
     List<AclPolicy> listRecursiveAclPoliciesByGroup(long groupId);
 

services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java

@@ -257,8 +257,13 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
     }
 
     @Override
-    public List<AclGroup> listParentAclGroupsOnPath(String path) {
+    public List<AclGroup> listParentAclGroups(long groupId) {
+        AclGroup group = _aclGroupDao.findById(groupId);
+        if (group == null) {
+            throw new InvalidParameterValueException("Unable to find acl group by id " + groupId);
+        }
 
+        String path = group.getPath();
         List<String> pathList = new ArrayList<String>();
 
         String[] parts = path.split("/");