diff --git a/api/src/org/apache/cloudstack/acl/AclEntityType.java b/api/src/org/apache/cloudstack/acl/AclEntityType.java new file mode 100644 index 00000000000..1ce3a70dd8f --- /dev/null +++ b/api/src/org/apache/cloudstack/acl/AclEntityType.java @@ -0,0 +1,6 @@ +package org.apache.cloudstack.acl; + +public enum AclEntityType { + // currently supported entity, to be added one by one after we support acl on the entity + VM; +} diff --git a/api/src/org/apache/cloudstack/acl/AclRole.java b/api/src/org/apache/cloudstack/acl/AclRole.java index 0aaed719b0a..33248799a5b 100644 --- a/api/src/org/apache/cloudstack/acl/AclRole.java +++ b/api/src/org/apache/cloudstack/acl/AclRole.java @@ -27,5 +27,5 @@ public interface AclRole extends PartOf, InternalIdentity, Identity { String getDescription(); - Long getParentRoleId(); + // Long getParentRoleId(); } diff --git a/api/src/org/apache/cloudstack/acl/PermissionScope.java b/api/src/org/apache/cloudstack/acl/PermissionScope.java new file mode 100644 index 00000000000..f33e4c3a389 --- /dev/null +++ b/api/src/org/apache/cloudstack/acl/PermissionScope.java @@ -0,0 +1,7 @@ +package org.apache.cloudstack.acl; + +public enum PermissionScope { + ACCOUNT, + DOMAIN, + REGION; +} diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java index 9943f6b2c59..4348255a3ab 100644 --- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java +++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java @@ -36,7 +36,7 @@ public interface SecurityChecker extends Adapter { ModifyProject, UseNetwork, DeleteEntry, - OperationOnEntry + OperateEntry } /** diff --git a/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java b/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java index 68a9a598a92..2056d350db4 100644 --- a/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java +++ b/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java 
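Review bot: `AclEntityType` carries only an inline comment and no Javadoc, so a reader cannot tell whether its constant names must match the `entity_type` strings stored in `acl_role_permission`; the schema-420to430.sql hunk in this same diff seeds `'*'` there, which no constant here represents. The same documentation gap applies to `PermissionScope` in the next hunk, whose ACCOUNT/DOMAIN/REGION values are persisted as plain strings in the new `scope` column. I would add a type-level Javadoc to each, e.g. `/** Entity types on which ACL permissions are enforced; constant names are persisted verbatim in acl_role_permission.entity_type. */` for `AclEntityType` and one sentence per scope value for `PermissionScope`, and state explicitly how the `'*'` wildcard in the seed data relates to the enum.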
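Review bot: `getParentRoleId()` is commented out rather than removed from the public `AclRole` interface, leaving dead text; the `AclRoleVO` override is deleted in this same commit, so the declaration should be deleted too. Replace `// Long getParentRoleId();` with nothing, or, if role inheritance is expected to return later, say so in the interface Javadoc instead of keeping commented-out code.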
@@ -44,14 +44,6 @@ public class AclRoleResponse extends BaseResponse { @Param(description = "the description of the acl role") private String description; - @SerializedName(ApiConstants.ACL_PARENT_ROLE_ID) - @Param(description = "parent role id that this acl role is inherited from ") - private String parentRoleId; - - @SerializedName(ApiConstants.ACL_PARENT_ROLE_NAME) - @Param(description = "parent role name that this acl role is inherited from ") - private String parentRoleName; - @SerializedName(ApiConstants.DOMAIN_ID) @Param(description = "the domain ID of the acl role") private String domainId; @@ -91,13 +83,6 @@ public class AclRoleResponse extends BaseResponse { this.description = description; } - public void setParentRoleId(String parentId) { - parentRoleId = parentId; - } - - public void setParentRoleName(String parentRoleName) { - this.parentRoleName = parentRoleName; - } public void setDomainId(String domainId) { this.domainId = domainId; diff --git a/client/tomcatconf/applicationContext.xml.in b/client/tomcatconf/applicationContext.xml.in index e88bc72ea3c..1095e0a578c 100644 --- a/client/tomcatconf/applicationContext.xml.in +++ b/client/tomcatconf/applicationContext.xml.in @@ -377,6 +377,7 @@ + diff --git a/engine/schema/src/org/apache/cloudstack/acl/AclRoleVO.java b/engine/schema/src/org/apache/cloudstack/acl/AclRoleVO.java index 34ff57c8494..767fdfeddaf 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/AclRoleVO.java +++ b/engine/schema/src/org/apache/cloudstack/acl/AclRoleVO.java @@ -45,8 +45,6 @@ public class AclRoleVO implements AclRole { @Column(name = "uuid") private String uuid; - @Column(name = "parent_role_id") - private Long parentRoleId; @Column(name = "domain_id") private long domainId; 
@@ -100,15 +98,6 @@ public class AclRoleVO implements AclRole { return created; } - @Override - public Long getParentRoleId() { - return parentRoleId; - } - - public void setParentRoleId(long parentRoleId) { - this.parentRoleId = parentRoleId; - } - @Override public long getDomainId() { return domainId; diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDao.java index 74d491dc600..64da36cc581 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDao.java +++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDao.java @@ -16,6 +16,8 @@ // under the License. package org.apache.cloudstack.acl.dao; +import java.util.List; + import org.apache.cloudstack.acl.AclRolePermissionVO; import org.apache.cloudstack.acl.SecurityChecker.AccessType; @@ -25,4 +27,6 @@ public interface AclRolePermissionDao extends GenericDao findByRole(long roleId); + } diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDaoImpl.java index c7141f8057f..73a0aac6522 100644 --- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDaoImpl.java +++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDaoImpl.java @@ -16,6 +16,7 @@ // under the License. package org.apache.cloudstack.acl.dao; +import java.util.List; import java.util.Map; import javax.naming.ConfigurationException; @@ -59,4 +60,12 @@ public class AclRolePermissionDaoImpl extends GenericDaoBase findByRole(long roleId) { + SearchCriteria sc = findByRoleEntity.create(); + sc.setParameters("roleId", roleId); + return listBy(sc); + } + } diff --git a/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java index a5a3cb8c11a..416cb0f0a85 100644 --- a/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java 
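Review bot: the new `findByRole(long roleId)` on `AclRolePermissionDao` has no Javadoc, and because `AclServiceImpl.createAclRole` copies permissions from this list, callers need to know whether an unknown role yields an empty list or null (the caller in this diff null-checks the result). I would add `/** Lists every acl_role_permission row attached to the given role id; returns an empty list when the role has none. */` once that matches the implementation.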
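Review bot: `findByRole` in `AclRolePermissionDaoImpl` relies on a `findByRoleEntity` search builder that is declared and configured outside this hunk, so the hunk alone does not show that it binds a `"roleId"` parameter or that `done()` was called before `create()`; if that builder was written for a different lookup (its name suggests it also filters on an entity), `setParameters("roleId", …)` leaves the other condition unbound and the query may return nothing or fail at runtime. A dedicated builder prepared in the DAO's constructor or `configure()` would make the method self-contained, along the lines of `SearchBuilder<AclRolePermissionVO> sb = createSearchBuilder(); sb.and("roleId", sb.entity().getAclRoleId(), SearchCriteria.Op.EQ); sb.done();` — assuming the getter that pairs with the `setAclRoleId` used in `AclServiceImpl` exists under that name.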
+++ b/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java @@ -70,8 +70,6 @@ public class AclRoleJoinDaoImpl extends GenericDaoBase impl response.setId(role.getUuid()); response.setName(role.getName()); response.setDescription(role.getDescription()); - response.setParentRoleId(role.getParentRoleUuid()); - response.setParentRoleName(role.getParentRoleName()); response.setDomainId(role.getDomainUuid()); response.setDomainName(role.getName()); if (role.getApiName() != null) { diff --git a/server/src/com/cloud/api/query/vo/AclRoleJoinVO.java b/server/src/com/cloud/api/query/vo/AclRoleJoinVO.java index 52895847b9b..97809ef3537 100644 --- a/server/src/com/cloud/api/query/vo/AclRoleJoinVO.java +++ b/server/src/com/cloud/api/query/vo/AclRoleJoinVO.java @@ -44,15 +44,6 @@ public class AclRoleJoinVO extends BaseViewVO { @Column(name = "uuid") private String uuid; - @Column(name = "parent_role_id") - private Long parentRoleId; - - @Column(name = "parent_role_uuid") - private String parentRoleUuid; - - @Column(name = "parent_role_name") - private String parentRoleName; - @Column(name = "domain_id") private long domainId; @@ -99,10 +90,6 @@ public class AclRoleJoinVO extends BaseViewVO { return uuid; } - public Long getParentRoleId() { - return parentRoleId; - } - public long getDomainId() { return domainId; } @@ -131,12 +118,4 @@ public class AclRoleJoinVO extends BaseViewVO { return created; } - public String getParentRoleUuid() { - return parentRoleUuid; - } - - public String getParentRoleName() { - return parentRoleName; - } - } diff --git a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java index ecff79409fc..1ae8825a33d 100644 --- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java +++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java 
@@ -32,6 +32,7 @@ import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao; import org.apache.cloudstack.acl.dao.AclGroupDao; import org.apache.cloudstack.acl.dao.AclGroupRoleMapDao; import org.apache.cloudstack.acl.dao.AclRoleDao; +import org.apache.cloudstack.acl.dao.AclRolePermissionDao; import org.apache.cloudstack.api.Identity; import org.apache.cloudstack.context.CallContext; @@ -87,6 +88,9 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { @Inject AclApiPermissionDao _apiPermissionDao; + @Inject + AclRolePermissionDao _rolePermissionDao; + @Inject AclEntityPermissionDao _entityPermissionDao; @@ -118,14 +122,27 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager { "Unable to create acl role with name " + aclRoleName + " already exisits for domain " + domainId); } + + Transaction txn = Transaction.currentTxn(); + txn.start(); AclRoleVO rvo = new AclRoleVO(aclRoleName, description); if (domainId != null) { rvo.setDomainId(domainId); } + AclRole role = _aclRoleDao.persist(rvo); if (parentRoleId != null) { - rvo.setParentRoleId(parentRoleId); + // copy parent role permissions + List perms = _rolePermissionDao.findByRole(parentRoleId); + if (perms != null) { + for (AclRolePermissionVO perm : perms) { + perm.setAclRoleId(role.getId()); + _rolePermissionDao.persist(perm); + } + } } - return _aclRoleDao.persist(rvo); + txn.commit(); + + return role; } @DB diff --git a/setup/db/db/schema-420to430.sql b/setup/db/db/schema-420to430.sql index ecc2049900f..25e0054770e 100644 --- a/setup/db/db/schema-420to430.sql +++ b/setup/db/db/schema-420to430.sql 
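Review bot: the permission-copy block added to `createAclRole` (the -118 hunk) takes `parentRoleId` straight from the caller and copies every `acl_role_permission` row of that role into the new one, yet the only check visible before it is the duplicate-name check; nothing in the hunk confirms that the caller is entitled to inherit the parent role (for example that it belongs to the caller's own domain), so a caller allowed to create roles could obtain a copy of a more privileged role's permission set — the method's signature and any earlier access check lie outside the hunk, so this may already be covered and should be confirmed. The loop also re-persists the loaded `AclRolePermissionVO` instances after changing their role id; unless `persist()` ignores a pre-set primary key, this collides with or overwrites the parent's rows, so construct a fresh VO per copied permission instead. Finally, `txn.start()` has no `try`/`finally`, so an exception from `findByRole` or `persist` leaves the transaction open unless the `@DB` interceptor rolls it back; wrapping the block as `try { … txn.commit(); } finally { txn.close(); }` makes the intended handling explicit.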
@@ -312,14 +312,12 @@ CREATE TABLE `cloud`.`acl_role` ( `name` varchar(255) NOT NULL, `description` varchar(255) default NULL, `uuid` varchar(40), - `parent_role_id` bigint unsigned DEFAULT 0, `domain_id` bigint unsigned NOT NULL, `removed` datetime COMMENT 'date the role was removed', `created` datetime COMMENT 'date the role was created', PRIMARY KEY (`id`), INDEX `i_acl_role__removed`(`removed`), - CONSTRAINT `uc_acl_role__uuid` UNIQUE (`uuid`), - CONSTRAINT `fk_acl_role__parent_role_id` FOREIGN KEY(`parent_role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE + CONSTRAINT `uc_acl_role__uuid` UNIQUE (`uuid`) ) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8; CREATE TABLE `cloud`.`acl_group_role_map` ( 
@@ -334,11 +332,12 @@ CREATE TABLE `cloud`.`acl_group_role_map` ( ) ENGINE=InnoDB DEFAULT CHARSET=utf8; -INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (1,'NORMAL', 'Domain user role', UUID(), 1, Now()); +INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (1, 'NORMAL', 'Domain user role', UUID(), 1, Now()); INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (2, 'ADMIN', 'Root admin role', UUID(), 1, Now()); INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (3, 'DOMAIN_ADMIN', 'Domain admin role', UUID(), 1, Now()); INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (4, 'RESOURCE_DOMAIN_ADMIN', 'Resource domain admin role', UUID(), 1, Now()); INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (5, 'READ_ONLY_ADMIN', 'Read only admin role', UUID(), 1, Now()); +INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (6, 'RESOURCE_OWNER', 'Resource owner role', UUID(), -1, Now()); INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (1, 'NORMAL', 'Domain user group', UUID(), 1, Now()); INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (2, 'ADMIN', 'Root admin group', UUID(), 1, Now()); 
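Review bot: the new RESOURCE_OWNER seed inserts `domain_id` = -1, but `acl_role.domain_id` is declared `bigint unsigned NOT NULL` in the preceding hunk, so MySQL rejects the value in strict mode and, under `INSERT IGNORE` in non-strict mode, clamps it to 0 with a warning; either way the row never holds -1, and because `acl_role_view` inner-joins `domain` on `acl_role.domain_id`, the role becomes invisible through the view. If the role is meant to be domain-independent, either make `domain_id` nullable and insert NULL (changing the view's join to `left join`), or assign it to domain 1 like the other built-in roles and record the intent in a comment.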
@@ -375,11 +374,29 @@ CREATE TABLE `cloud`.`acl_role_permission` ( `role_id` bigint unsigned NOT NULL, `entity_type` varchar(100) NOT NULL, `access_type` varchar(40) NOT NULL, + `scope` varchar(100) NOT NULL, `permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied', PRIMARY KEY (`id`), CONSTRAINT `fk_acl_role_permission___role_id` FOREIGN KEY(`role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'CreateEntry', 'ACCOUNT', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ListEntry', 'ACCOUNT', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ModifyEntry', 'ACCOUNT', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'DeleteEntry', 'ACCOUNT', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'OperateEntry', 'ACCOUNT', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'CreateEntry', 'DOMAIN', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ListEntry', 'DOMAIN', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ModifyEntry', 'DOMAIN', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'DeleteEntry', 'DOMAIN', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'OperateEntry', 'DOMAIN', 1); +INSERT IGNORE INTO 
`cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'CreateEntry', 'REGION', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ListEntry', 'REGION', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ModifyEntry', 'REGION', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'DeleteEntry', 'REGION', 1); +INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'OperateEntry', 'REGION', 1); + DROP VIEW IF EXISTS `cloud`.`acl_role_view`; CREATE VIEW `cloud`.`acl_role_view` AS select @@ -387,9 +404,6 @@ CREATE VIEW `cloud`.`acl_role_view` AS acl_role.uuid uuid, acl_role.name name, acl_role.description description, - parent_role.id parent_role_id, - parent_role.uuid parent_role_uuid, - parent_role.name parent_role_name, acl_role.removed removed, acl_role.created created, domain.id domain_id, @@ -402,8 +416,6 @@ CREATE VIEW `cloud`.`acl_role_view` AS inner join `cloud`.`domain` ON acl_role.domain_id = domain.id left join - `cloud`.`acl_role` parent_role on parent_role.id = acl_role.parent_role_id - left join `cloud`.`acl_api_permission` ON acl_role.id = acl_api_permission.role_id;
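Review bot: the seeded `acl_role_permission` rows grant role 1 (NORMAL, described as the domain user role) `'*'` on every access type at REGION scope, which is broader than what role 3 (DOMAIN_ADMIN) receives at DOMAIN scope and role 6 (RESOURCE_OWNER) at ACCOUNT scope; if `scope` bounds how far a permission reaches, the ordinary user role ends up the most privileged of the three, which looks inverted and should be confirmed before it ships as default authorization data. Two smaller points in the same hunk: `INSERT IGNORE` only deduplicates on a key conflict and the table has no unique key over (role_id, entity_type, access_type, scope), so re-running the upgrade appends duplicate rows — a `UNIQUE` constraint on that tuple, e.g. `CONSTRAINT \`uc_acl_role_permission__role_entity_access_scope\` UNIQUE (\`role_id\`, \`entity_type\`, \`access_type\`, \`scope\`)`, fixes it; and `'*'` is stored in `entity_type` although `AclEntityType` (first hunk of this diff) defines only `VM`, so whatever reads the column back must handle the wildcard explicitly rather than via `valueOf`.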