Add Scope to acl_role_permission, remove parent_role_id from acl_role

table, and create PermissionScope and AclEntityType enum types.
This commit is contained in:
Min Chen 2013-10-07 16:09:26 -07:00
parent 4499a7bfa0
commit b87b9e5c64
13 changed files with 69 additions and 62 deletions


@ -0,0 +1,6 @@
package org.apache.cloudstack.acl;
public enum AclEntityType {
// currently supported entity, to be added one by one after we support acl on the entity
VM;
}


@ -27,5 +27,5 @@ public interface AclRole extends PartOf, InternalIdentity, Identity {
String getDescription();
Long getParentRoleId();
// Long getParentRoleId();
}
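Review bot: The commented-out `// Long getParentRoleId();` kept in the `AclRole` interface should be removed outright rather than left as a comment; the backing `parent_role_id` column and the `AclRoleVO` field are gone in this same commit, so a dead declaration in the public API only invites someone to uncomment it later. Git history already records the removal. If the intent is to explain why, a short note such as `// parent-role inheritance was replaced by copying the parent's permissions at role creation` carries more information than dead code.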


@ -0,0 +1,7 @@
package org.apache.cloudstack.acl;
public enum PermissionScope {
ACCOUNT,
DOMAIN,
REGION;
}


@ -36,7 +36,7 @@ public interface SecurityChecker extends Adapter {
ModifyProject,
UseNetwork,
DeleteEntry,
OperationOnEntry
OperateEntry
}
/**


@ -44,14 +44,6 @@ public class AclRoleResponse extends BaseResponse {
@Param(description = "the description of the acl role")
private String description;
@SerializedName(ApiConstants.ACL_PARENT_ROLE_ID)
@Param(description = "parent role id that this acl role is inherited from ")
private String parentRoleId;
@SerializedName(ApiConstants.ACL_PARENT_ROLE_NAME)
@Param(description = "parent role name that this acl role is inherited from ")
private String parentRoleName;
@SerializedName(ApiConstants.DOMAIN_ID)
@Param(description = "the domain ID of the acl role")
private String domainId;
@ -91,13 +83,6 @@ public class AclRoleResponse extends BaseResponse {
this.description = description;
}
public void setParentRoleId(String parentId) {
parentRoleId = parentId;
}
public void setParentRoleName(String parentRoleName) {
this.parentRoleName = parentRoleName;
}
public void setDomainId(String domainId) {
this.domainId = domainId;


@ -377,6 +377,7 @@
<bean id="AclGroupRoleMapDaoImpl" class="org.apache.cloudstack.acl.dao.AclGroupRoleMapDaoImpl"/>
<bean id="AclApiPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclApiPermissionDaoImpl"/>
<bean id="AclEntityPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclEntityPermissionDaoImpl"/>
<bean id="AclRolePermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclRolePermissionDaoImpl"/>
<bean id="AclServiceImpl" class="org.apache.cloudstack.acl.AclServiceImpl"/>


@ -45,8 +45,6 @@ public class AclRoleVO implements AclRole {
@Column(name = "uuid")
private String uuid;
@Column(name = "parent_role_id")
private Long parentRoleId;
@Column(name = "domain_id")
private long domainId;
@ -100,15 +98,6 @@ public class AclRoleVO implements AclRole {
return created;
}
@Override
public Long getParentRoleId() {
return parentRoleId;
}
public void setParentRoleId(long parentRoleId) {
this.parentRoleId = parentRoleId;
}
@Override
public long getDomainId() {
return domainId;


@ -16,6 +16,8 @@
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.List;
import org.apache.cloudstack.acl.AclRolePermissionVO;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@ -25,4 +27,6 @@ public interface AclRolePermissionDao extends GenericDao<AclRolePermissionVO, Lo
AclRolePermissionVO findByRoleAndEntity(long roleId, String entityType, AccessType accessType);
List<AclRolePermissionVO> findByRole(long roleId);
}


@ -16,6 +16,7 @@
// under the License.
package org.apache.cloudstack.acl.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
@ -59,4 +60,12 @@ public class AclRolePermissionDaoImpl extends GenericDaoBase<AclRolePermissionVO
sc.setParameters("accessType", accessType);
return findOneBy(sc);
}
@Override
public List<AclRolePermissionVO> findByRole(long roleId) {
SearchCriteria<AclRolePermissionVO> sc = findByRoleEntity.create();
sc.setParameters("roleId", roleId);
return listBy(sc);
}
}
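Review bot: `findByRole` reuses the `findByRoleEntity` search builder but sets only the `roleId` parameter, while the sibling `findByRoleAndEntity` above it also sets `accessType` on the same builder; whether the unset conditions are dropped from the generated WHERE clause or turned into a failing/empty query depends on the DAO framework, and the builder itself is declared outside this hunk. Because `AclServiceImpl` uses this lookup to copy a parent role's permissions into a new role, an empty result would silently produce a role with no permissions at all. A dedicated builder that carries only the role-id condition makes the contract explicit and removes that dependency; alternatively a Javadoc line on the interface method, `/** Returns every permission row of the given role, regardless of entity type, access type or scope. */`, would at least pin the intended semantics.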


@ -70,8 +70,6 @@ public class AclRoleJoinDaoImpl extends GenericDaoBase<AclRoleJoinVO, Long> impl
response.setId(role.getUuid());
response.setName(role.getName());
response.setDescription(role.getDescription());
response.setParentRoleId(role.getParentRoleUuid());
response.setParentRoleName(role.getParentRoleName());
response.setDomainId(role.getDomainUuid());
response.setDomainName(role.getName());
if (role.getApiName() != null) {


@ -44,15 +44,6 @@ public class AclRoleJoinVO extends BaseViewVO {
@Column(name = "uuid")
private String uuid;
@Column(name = "parent_role_id")
private Long parentRoleId;
@Column(name = "parent_role_uuid")
private String parentRoleUuid;
@Column(name = "parent_role_name")
private String parentRoleName;
@Column(name = "domain_id")
private long domainId;
@ -99,10 +90,6 @@ public class AclRoleJoinVO extends BaseViewVO {
return uuid;
}
public Long getParentRoleId() {
return parentRoleId;
}
public long getDomainId() {
return domainId;
}
@ -131,12 +118,4 @@ public class AclRoleJoinVO extends BaseViewVO {
return created;
}
public String getParentRoleUuid() {
return parentRoleUuid;
}
public String getParentRoleName() {
return parentRoleName;
}
}


@ -32,6 +32,7 @@ import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclGroupDao;
import org.apache.cloudstack.acl.dao.AclGroupRoleMapDao;
import org.apache.cloudstack.acl.dao.AclRoleDao;
import org.apache.cloudstack.acl.dao.AclRolePermissionDao;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.context.CallContext;
@ -87,6 +88,9 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
@Inject
AclApiPermissionDao _apiPermissionDao;
@Inject
AclRolePermissionDao _rolePermissionDao;
@Inject
AclEntityPermissionDao _entityPermissionDao;
@ -118,14 +122,27 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
"Unable to create acl role with name " + aclRoleName
+ " already exisits for domain " + domainId);
}
Transaction txn = Transaction.currentTxn();
txn.start();
AclRoleVO rvo = new AclRoleVO(aclRoleName, description);
if (domainId != null) {
rvo.setDomainId(domainId);
}
AclRole role = _aclRoleDao.persist(rvo);
if (parentRoleId != null) {
rvo.setParentRoleId(parentRoleId);
// copy parent role permissions
List<AclRolePermissionVO> perms = _rolePermissionDao.findByRole(parentRoleId);
if (perms != null) {
for (AclRolePermissionVO perm : perms) {
perm.setAclRoleId(role.getId());
_rolePermissionDao.persist(perm);
}
}
}
return _aclRoleDao.persist(rvo);
txn.commit();
return role;
}
@DB
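Review bot: The parent-permission copy persists the very `AclRolePermissionVO` objects returned by `_rolePermissionDao.findByRole(parentRoleId)` after changing only their role id, so each one still carries the primary key of the parent's row; unless `persist` ignores a preset id, the insert either collides with the existing key or, if treated as an update, moves the parent's permissions to the new role instead of copying them — in both cases the effective rights of one of the two roles are not what the caller expects. Build a fresh `AclRolePermissionVO` per parent permission (entity type, access type, scope, permission value) with `role.getId()` and leave the fetched objects untouched; nothing in this hunk checks that the caller is itself allowed to grant the parent role's permission set, so if that check lives elsewhere a comment pointing to it would help. The transaction is started with `txn.start()` and only committed on the success path; if the enclosing `@DB` handling does not roll back an uncommitted transaction on an exception, a failure inside the loop leaves a half-populated role, so a try/finally with a rollback is safer. `createAclRole`'s signature and the start of its body, including any annotation on it, are outside the hunk.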


@ -312,14 +312,12 @@ CREATE TABLE `cloud`.`acl_role` (
`name` varchar(255) NOT NULL,
`description` varchar(255) default NULL,
`uuid` varchar(40),
`parent_role_id` bigint unsigned DEFAULT 0,
`domain_id` bigint unsigned NOT NULL,
`removed` datetime COMMENT 'date the role was removed',
`created` datetime COMMENT 'date the role was created',
PRIMARY KEY (`id`),
INDEX `i_acl_role__removed`(`removed`),
CONSTRAINT `uc_acl_role__uuid` UNIQUE (`uuid`),
CONSTRAINT `fk_acl_role__parent_role_id` FOREIGN KEY(`parent_role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE
CONSTRAINT `uc_acl_role__uuid` UNIQUE (`uuid`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
CREATE TABLE `cloud`.`acl_group_role_map` (
@ -334,11 +332,12 @@ CREATE TABLE `cloud`.`acl_group_role_map` (
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (1,'NORMAL', 'Domain user role', UUID(), 1, Now());
INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (1, 'NORMAL', 'Domain user role', UUID(), 1, Now());
INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (2, 'ADMIN', 'Root admin role', UUID(), 1, Now());
INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (3, 'DOMAIN_ADMIN', 'Domain admin role', UUID(), 1, Now());
INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (4, 'RESOURCE_DOMAIN_ADMIN', 'Resource domain admin role', UUID(), 1, Now());
INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (5, 'READ_ONLY_ADMIN', 'Read only admin role', UUID(), 1, Now());
INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (6, 'RESOURCE_OWNER', 'Resource owner role', UUID(), -1, Now());
INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (1, 'NORMAL', 'Domain user group', UUID(), 1, Now());
INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (2, 'ADMIN', 'Root admin group', UUID(), 1, Now());
@ -375,11 +374,29 @@ CREATE TABLE `cloud`.`acl_role_permission` (
`role_id` bigint unsigned NOT NULL,
`entity_type` varchar(100) NOT NULL,
`access_type` varchar(40) NOT NULL,
`scope` varchar(100) NOT NULL,
`permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied',
PRIMARY KEY (`id`),
CONSTRAINT `fk_acl_role_permission___role_id` FOREIGN KEY(`role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'CreateEntry', 'ACCOUNT', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ListEntry', 'ACCOUNT', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ModifyEntry', 'ACCOUNT', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'DeleteEntry', 'ACCOUNT', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'OperateEntry', 'ACCOUNT', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'CreateEntry', 'DOMAIN', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ListEntry', 'DOMAIN', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ModifyEntry', 'DOMAIN', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'DeleteEntry', 'DOMAIN', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'OperateEntry', 'DOMAIN', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'CreateEntry', 'REGION', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ListEntry', 'REGION', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ModifyEntry', 'REGION', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'DeleteEntry', 'REGION', 1);
INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'OperateEntry', 'REGION', 1);
DROP VIEW IF EXISTS `cloud`.`acl_role_view`;
CREATE VIEW `cloud`.`acl_role_view` AS
select
@ -387,9 +404,6 @@ CREATE VIEW `cloud`.`acl_role_view` AS
acl_role.uuid uuid,
acl_role.name name,
acl_role.description description,
parent_role.id parent_role_id,
parent_role.uuid parent_role_uuid,
parent_role.name parent_role_name,
acl_role.removed removed,
acl_role.created created,
domain.id domain_id,
@ -402,8 +416,6 @@ CREATE VIEW `cloud`.`acl_role_view` AS
inner join
`cloud`.`domain` ON acl_role.domain_id = domain.id
left join
`cloud`.`acl_role` parent_role on parent_role.id = acl_role.parent_role_id
left join
`cloud`.`acl_api_permission` ON acl_role.id = acl_api_permission.role_id;
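Review bot: The seed rows for `acl_role_permission` give role 1 (`NORMAL`, the domain user role) wildcard `'*'` entity permissions for every access type at `REGION` scope, while role 3 (`DOMAIN_ADMIN`) gets `DOMAIN` and role 6 (`RESOURCE_OWNER`) gets `ACCOUNT`; if `REGION` is the widest scope, as the order of `PermissionScope` (ACCOUNT, DOMAIN, REGION) suggests, an ordinary user is seeded with broader rights than a domain admin, which looks like the role ids are swapped — confirm the intended role/scope mapping before this becomes default data. Separately, the `RESOURCE_OWNER` row inserts `-1` into `domain_id`, which is declared `bigint unsigned NOT NULL`; MySQL rejects that in strict mode and clamps it to 0 otherwise, and since `acl_role_view` inner-joins `domain` on that column the role would also be invisible in the view (the +/- side of that line is not recoverable from the rendering, so it may predate this commit). The new `scope` column is `NOT NULL` with no default, which is fine for a fresh schema but needs a default or a backfill if this script is ever run against existing `acl_role_permission` rows.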