Add Scope to acl_role_permission, remove parent_role_id from acl_role

table, and create PermissionScope and AclEntityType enum types.
2025-10-26 08:42:29 +01:00 · 2013-10-07 16:09:26 -07:00 · 2013-10-07 16:09:26 -07:00 · b87b9e5c64
commit b87b9e5c64
parent 4499a7bfa0
13 changed files with 69 additions and 62 deletions
--- a/api/src/org/apache/cloudstack/acl/AclEntityType.java
+++ b/api/src/org/apache/cloudstack/acl/AclEntityType.java
@ -0,0 +1,6 @@
 package org.apache.cloudstack.acl;
 public enum AclEntityType {
    // currently supported entity, to be added one by one after we support acl on the entity
    VM;
 }
--- a/api/src/org/apache/cloudstack/acl/AclRole.java
+++ b/api/src/org/apache/cloudstack/acl/AclRole.java
@ -27,5 +27,5 @@ public interface AclRole extends PartOf, InternalIdentity, Identity {
    String getDescription();
-    Long getParentRoleId();
+    // Long getParentRoleId();
 }
--- a/api/src/org/apache/cloudstack/acl/PermissionScope.java
+++ b/api/src/org/apache/cloudstack/acl/PermissionScope.java
@ -0,0 +1,7 @@
 package org.apache.cloudstack.acl;
 public enum PermissionScope {
    ACCOUNT,
    DOMAIN,
    REGION;
 }
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@ -36,7 +36,7 @@ public interface SecurityChecker extends Adapter {
        ModifyProject,
        UseNetwork,
        DeleteEntry,
-        OperationOnEntry
+        OperateEntry
    }
    /**
--- a/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/AclRoleResponse.java
@ -44,14 +44,6 @@ public class AclRoleResponse extends BaseResponse {
    @Param(description = "the description of the acl role")
    private String description;
    @SerializedName(ApiConstants.ACL_PARENT_ROLE_ID)
    @Param(description = "parent role id that this acl role is inherited from ")
    private String parentRoleId;
    @SerializedName(ApiConstants.ACL_PARENT_ROLE_NAME)
    @Param(description = "parent role name that this acl role is inherited from ")
    private String parentRoleName;
    @SerializedName(ApiConstants.DOMAIN_ID)
    @Param(description = "the domain ID of the acl role")
    private String domainId;
@ -91,13 +83,6 @@ public class AclRoleResponse extends BaseResponse {
        this.description = description;
    }
    public void setParentRoleId(String parentId) {
        parentRoleId = parentId;
    }
    public void setParentRoleName(String parentRoleName) {
        this.parentRoleName = parentRoleName;
    }
    public void setDomainId(String domainId) {
        this.domainId = domainId;
--- a/client/tomcatconf/applicationContext.xml.in
+++ b/client/tomcatconf/applicationContext.xml.in
@ -377,6 +377,7 @@
  <bean id="AclGroupRoleMapDaoImpl" class="org.apache.cloudstack.acl.dao.AclGroupRoleMapDaoImpl"/> 
  <bean id="AclApiPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclApiPermissionDaoImpl"/>
  <bean id="AclEntityPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclEntityPermissionDaoImpl"/>  
  <bean id="AclRolePermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclRolePermissionDaoImpl"/>  
  <bean id="AclServiceImpl" class="org.apache.cloudstack.acl.AclServiceImpl"/>      
--- a/engine/schema/src/org/apache/cloudstack/acl/AclRoleVO.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/AclRoleVO.java
@ -45,8 +45,6 @@ public class AclRoleVO implements AclRole {
    @Column(name = "uuid")
    private String uuid;
    @Column(name = "parent_role_id")
    private Long parentRoleId;
    @Column(name = "domain_id")
    private long domainId;
@ -100,15 +98,6 @@ public class AclRoleVO implements AclRole {
        return created;
    }
    @Override
    public Long getParentRoleId() {
        return parentRoleId;
    }
    public void setParentRoleId(long parentRoleId) {
        this.parentRoleId = parentRoleId;
    }
    @Override
    public long getDomainId() {
        return domainId;
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDao.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDao.java
@ -16,6 +16,8 @@
 // under the License.
 package org.apache.cloudstack.acl.dao;
 import java.util.List;
 import org.apache.cloudstack.acl.AclRolePermissionVO;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@ -25,4 +27,6 @@ public interface AclRolePermissionDao extends GenericDao<AclRolePermissionVO, Lo
    AclRolePermissionVO findByRoleAndEntity(long roleId, String entityType, AccessType accessType);
    List<AclRolePermissionVO> findByRole(long roleId);
 }
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDaoImpl.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDaoImpl.java
@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.acl.dao;
 import java.util.List;
 import java.util.Map;
 import javax.naming.ConfigurationException;
@ -59,4 +60,12 @@ public class AclRolePermissionDaoImpl extends GenericDaoBase<AclRolePermissionVO
        sc.setParameters("accessType", accessType);
        return findOneBy(sc);
    }
    @Override
    public List<AclRolePermissionVO> findByRole(long roleId) {
        SearchCriteria<AclRolePermissionVO> sc = findByRoleEntity.create();
        sc.setParameters("roleId", roleId);
        return listBy(sc);
    }
 }
--- a/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java
@ -70,8 +70,6 @@ public class AclRoleJoinDaoImpl extends GenericDaoBase<AclRoleJoinVO, Long> impl
        response.setId(role.getUuid());
        response.setName(role.getName());
        response.setDescription(role.getDescription());
        response.setParentRoleId(role.getParentRoleUuid());
        response.setParentRoleName(role.getParentRoleName());
        response.setDomainId(role.getDomainUuid());
        response.setDomainName(role.getName());
        if (role.getApiName() != null) {
--- a/server/src/com/cloud/api/query/vo/AclRoleJoinVO.java
+++ b/server/src/com/cloud/api/query/vo/AclRoleJoinVO.java
@ -44,15 +44,6 @@ public class AclRoleJoinVO extends BaseViewVO {
    @Column(name = "uuid")
    private String uuid;
    @Column(name = "parent_role_id")
    private Long parentRoleId;
    @Column(name = "parent_role_uuid")
    private String parentRoleUuid;
    @Column(name = "parent_role_name")
    private String parentRoleName;
    @Column(name = "domain_id")
    private long domainId;
@ -99,10 +90,6 @@ public class AclRoleJoinVO extends BaseViewVO {
        return uuid;
    }
    public Long getParentRoleId() {
        return parentRoleId;
    }
    public long getDomainId() {
        return domainId;
    }
@ -131,12 +118,4 @@ public class AclRoleJoinVO extends BaseViewVO {
        return created;
    }
    public String getParentRoleUuid() {
        return parentRoleUuid;
    }
    public String getParentRoleName() {
        return parentRoleName;
    }
 }
--- a/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/server/src/org/apache/cloudstack/acl/AclServiceImpl.java
@ -32,6 +32,7 @@ import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
 import org.apache.cloudstack.acl.dao.AclGroupDao;
 import org.apache.cloudstack.acl.dao.AclGroupRoleMapDao;
 import org.apache.cloudstack.acl.dao.AclRoleDao;
 import org.apache.cloudstack.acl.dao.AclRolePermissionDao;
 import org.apache.cloudstack.api.Identity;
 import org.apache.cloudstack.context.CallContext;
@ -87,6 +88,9 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
    @Inject
    AclApiPermissionDao _apiPermissionDao;
    @Inject
    AclRolePermissionDao _rolePermissionDao;
    @Inject
    AclEntityPermissionDao _entityPermissionDao;
@ -118,14 +122,27 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
                    "Unable to create acl role with name " + aclRoleName
                            + " already exisits for domain " + domainId);
        }
        Transaction txn = Transaction.currentTxn();
        txn.start();
        AclRoleVO rvo = new AclRoleVO(aclRoleName, description);
        if (domainId != null) {
            rvo.setDomainId(domainId);
        }
        AclRole role = _aclRoleDao.persist(rvo);
        if (parentRoleId != null) {
-            rvo.setParentRoleId(parentRoleId);
+            // copy parent role permissions
            List<AclRolePermissionVO> perms = _rolePermissionDao.findByRole(parentRoleId);
            if (perms != null) {
                for (AclRolePermissionVO perm : perms) {
                    perm.setAclRoleId(role.getId());
                    _rolePermissionDao.persist(perm);
                }
-        return _aclRoleDao.persist(rvo);
+            }
        }
        txn.commit();
        return role;
    }
    @DB
--- a/setup/db/db/schema-420to430.sql
+++ b/setup/db/db/schema-420to430.sql
@ -312,14 +312,12 @@ CREATE TABLE `cloud`.`acl_role` (
  `name` varchar(255) NOT NULL,
  `description` varchar(255) default NULL,  
  `uuid` varchar(40),
  `parent_role_id` bigint unsigned DEFAULT 0,
  `domain_id` bigint unsigned NOT NULL,  
  `removed` datetime COMMENT 'date the role was removed',
  `created` datetime COMMENT 'date the role was created',
  PRIMARY KEY  (`id`),
  INDEX `i_acl_role__removed`(`removed`),
-  CONSTRAINT `uc_acl_role__uuid` UNIQUE (`uuid`),  
+  CONSTRAINT `uc_acl_role__uuid` UNIQUE (`uuid`)  
  CONSTRAINT `fk_acl_role__parent_role_id` FOREIGN KEY(`parent_role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE  
 ) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
 CREATE TABLE `cloud`.`acl_group_role_map` (
@ -339,6 +337,7 @@ INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, c
 INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (3, 'DOMAIN_ADMIN', 'Domain admin role', UUID(), 1, Now());
 INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (4, 'RESOURCE_DOMAIN_ADMIN', 'Resource domain admin role', UUID(), 1, Now());
 INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (5, 'READ_ONLY_ADMIN', 'Read only admin role', UUID(), 1, Now());
 INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (6, 'RESOURCE_OWNER', 'Resource owner role', UUID(), -1, Now());
 INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (1, 'NORMAL', 'Domain user group', UUID(), 1, Now());
 INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (2, 'ADMIN', 'Root admin group', UUID(), 1, Now());
@ -375,11 +374,29 @@ CREATE TABLE `cloud`.`acl_role_permission` (
  `role_id` bigint unsigned NOT NULL,
  `entity_type` varchar(100) NOT NULL,
  `access_type` varchar(40) NOT NULL,
  `scope` varchar(100) NOT NULL,
  `permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied',
  PRIMARY KEY  (`id`),
  CONSTRAINT `fk_acl_role_permission___role_id` FOREIGN KEY(`role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'CreateEntry', 'ACCOUNT', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ListEntry', 'ACCOUNT', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ModifyEntry', 'ACCOUNT', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'DeleteEntry', 'ACCOUNT', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'OperateEntry', 'ACCOUNT', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'CreateEntry', 'DOMAIN', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ListEntry', 'DOMAIN', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ModifyEntry', 'DOMAIN', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'DeleteEntry', 'DOMAIN', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'OperateEntry', 'DOMAIN', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'CreateEntry', 'REGION', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ListEntry', 'REGION', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ModifyEntry', 'REGION', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'DeleteEntry', 'REGION', 1);
 INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'OperateEntry', 'REGION', 1);
 DROP VIEW IF EXISTS `cloud`.`acl_role_view`;
 CREATE VIEW `cloud`.`acl_role_view` AS
    select 
@ -387,9 +404,6 @@ CREATE VIEW `cloud`.`acl_role_view` AS
        acl_role.uuid uuid,        
        acl_role.name name,
        acl_role.description description,
        parent_role.id parent_role_id,
        parent_role.uuid parent_role_uuid,
        parent_role.name parent_role_name,
        acl_role.removed removed,
        acl_role.created created,
        domain.id domain_id,
@ -402,8 +416,6 @@ CREATE VIEW `cloud`.`acl_role_view` AS
            inner join
        `cloud`.`domain` ON acl_role.domain_id = domain.id
            left join
        `cloud`.`acl_role` parent_role on parent_role.id = acl_role.parent_role_id    
            left join
        `cloud`.`acl_api_permission` ON acl_role.id = acl_api_permission.role_id;