Add Scope to acl_role_permission, remove parent_role_id from acl_role

table, and create PermissionScope and AclEntityType enum types.

api/src/org/apache/cloudstack/acl/AclEntityType.java

@@ -0,0 +1,6 @@
+package org.apache.cloudstack.acl;
+
+public enum AclEntityType {
+    // currently supported entity, to be added one by one after we support acl on the entity
+    VM;
+}

api/src/org/apache/cloudstack/acl/AclRole.java

@@ -27,5 +27,5 @@ public interface AclRole extends PartOf, InternalIdentity, Identity {
 
     String getDescription();
 
-    Long getParentRoleId();
+    // Long getParentRoleId();
 }

api/src/org/apache/cloudstack/acl/PermissionScope.java

@@ -0,0 +1,7 @@
+package org.apache.cloudstack.acl;
+
+public enum PermissionScope {
+    ACCOUNT,
+    DOMAIN,
+    REGION;
+}

api/src/org/apache/cloudstack/acl/SecurityChecker.java

@@ -36,7 +36,7 @@ public interface SecurityChecker extends Adapter {
         ModifyProject,
         UseNetwork,
         DeleteEntry,
-        OperationOnEntry
+        OperateEntry
     }
 
     /**

api/src/org/apache/cloudstack/api/response/AclRoleResponse.java

@@ -44,14 +44,6 @@ public class AclRoleResponse extends BaseResponse {
     @Param(description = "the description of the acl role")
     private String description;
 
-    @SerializedName(ApiConstants.ACL_PARENT_ROLE_ID)
-    @Param(description = "parent role id that this acl role is inherited from ")
-    private String parentRoleId;
-
-    @SerializedName(ApiConstants.ACL_PARENT_ROLE_NAME)
-    @Param(description = "parent role name that this acl role is inherited from ")
-    private String parentRoleName;
-
     @SerializedName(ApiConstants.DOMAIN_ID)
     @Param(description = "the domain ID of the acl role")
     private String domainId;
@@ -91,13 +83,6 @@ public class AclRoleResponse extends BaseResponse {
         this.description = description;
     }
 
-    public void setParentRoleId(String parentId) {
-        parentRoleId = parentId;
-    }
-
-    public void setParentRoleName(String parentRoleName) {
-        this.parentRoleName = parentRoleName;
-    }
 
     public void setDomainId(String domainId) {
         this.domainId = domainId;

client/tomcatconf/applicationContext.xml.in

@@ -377,6 +377,7 @@
   <bean id="AclGroupRoleMapDaoImpl" class="org.apache.cloudstack.acl.dao.AclGroupRoleMapDaoImpl"/> 
   <bean id="AclApiPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclApiPermissionDaoImpl"/>
   <bean id="AclEntityPermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclEntityPermissionDaoImpl"/>  
+  <bean id="AclRolePermissionDaoImpl" class="org.apache.cloudstack.acl.dao.AclRolePermissionDaoImpl"/>  
   <bean id="AclServiceImpl" class="org.apache.cloudstack.acl.AclServiceImpl"/>      
   
    

engine/schema/src/org/apache/cloudstack/acl/AclRoleVO.java

@@ -45,8 +45,6 @@ public class AclRoleVO implements AclRole {
     @Column(name = "uuid")
     private String uuid;
 
-    @Column(name = "parent_role_id")
-    private Long parentRoleId;
 
     @Column(name = "domain_id")
     private long domainId;
@@ -100,15 +98,6 @@ public class AclRoleVO implements AclRole {
         return created;
     }
 
-    @Override
-    public Long getParentRoleId() {
-        return parentRoleId;
-    }
-
-    public void setParentRoleId(long parentRoleId) {
-        this.parentRoleId = parentRoleId;
-    }
-
     @Override
     public long getDomainId() {
         return domainId;

engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDao.java

@@ -16,6 +16,8 @@
 // under the License.
 package org.apache.cloudstack.acl.dao;
 
+import java.util.List;
+
 import org.apache.cloudstack.acl.AclRolePermissionVO;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 
@@ -25,4 +27,6 @@ public interface AclRolePermissionDao extends GenericDao<AclRolePermissionVO, Lo
 
     AclRolePermissionVO findByRoleAndEntity(long roleId, String entityType, AccessType accessType);
 
+    List<AclRolePermissionVO> findByRole(long roleId);
+
 }

engine/schema/src/org/apache/cloudstack/acl/dao/AclRolePermissionDaoImpl.java

@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.acl.dao;
 
+import java.util.List;
 import java.util.Map;
 
 import javax.naming.ConfigurationException;
@@ -59,4 +60,12 @@ public class AclRolePermissionDaoImpl extends GenericDaoBase<AclRolePermissionVO
         sc.setParameters("accessType", accessType);
         return findOneBy(sc);
     }
+
+    @Override
+    public List<AclRolePermissionVO> findByRole(long roleId) {
+        SearchCriteria<AclRolePermissionVO> sc = findByRoleEntity.create();
+        sc.setParameters("roleId", roleId);
+        return listBy(sc);
+    }
+
 }

server/src/com/cloud/api/query/dao/AclRoleJoinDaoImpl.java

@@ -70,8 +70,6 @@ public class AclRoleJoinDaoImpl extends GenericDaoBase<AclRoleJoinVO, Long> impl
         response.setId(role.getUuid());
         response.setName(role.getName());
         response.setDescription(role.getDescription());
-        response.setParentRoleId(role.getParentRoleUuid());
-        response.setParentRoleName(role.getParentRoleName());
         response.setDomainId(role.getDomainUuid());
         response.setDomainName(role.getName());
         if (role.getApiName() != null) {

server/src/com/cloud/api/query/vo/AclRoleJoinVO.java

@@ -44,15 +44,6 @@ public class AclRoleJoinVO extends BaseViewVO {
     @Column(name = "uuid")
     private String uuid;
 
-    @Column(name = "parent_role_id")
-    private Long parentRoleId;
-
-    @Column(name = "parent_role_uuid")
-    private String parentRoleUuid;
-
-    @Column(name = "parent_role_name")
-    private String parentRoleName;
-
     @Column(name = "domain_id")
     private long domainId;
 
@@ -99,10 +90,6 @@ public class AclRoleJoinVO extends BaseViewVO {
         return uuid;
     }
 
-    public Long getParentRoleId() {
-        return parentRoleId;
-    }
-
     public long getDomainId() {
         return domainId;
     }
@@ -131,12 +118,4 @@ public class AclRoleJoinVO extends BaseViewVO {
         return created;
     }
 
-    public String getParentRoleUuid() {
-        return parentRoleUuid;
-    }
-
-    public String getParentRoleName() {
-        return parentRoleName;
-    }
-
 }

server/src/org/apache/cloudstack/acl/AclServiceImpl.java

@@ -32,6 +32,7 @@ import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
 import org.apache.cloudstack.acl.dao.AclGroupDao;
 import org.apache.cloudstack.acl.dao.AclGroupRoleMapDao;
 import org.apache.cloudstack.acl.dao.AclRoleDao;
+import org.apache.cloudstack.acl.dao.AclRolePermissionDao;
 import org.apache.cloudstack.api.Identity;
 import org.apache.cloudstack.context.CallContext;
 
@@ -87,6 +88,9 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
     @Inject
     AclApiPermissionDao _apiPermissionDao;
 
+    @Inject
+    AclRolePermissionDao _rolePermissionDao;
+
     @Inject
     AclEntityPermissionDao _entityPermissionDao;
 
@@ -118,14 +122,27 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
                     "Unable to create acl role with name " + aclRoleName
                             + " already exisits for domain " + domainId);
         }
+
+        Transaction txn = Transaction.currentTxn();
+        txn.start();
         AclRoleVO rvo = new AclRoleVO(aclRoleName, description);
         if (domainId != null) {
             rvo.setDomainId(domainId);
         }
+        AclRole role = _aclRoleDao.persist(rvo);
         if (parentRoleId != null) {
-            rvo.setParentRoleId(parentRoleId);
+            // copy parent role permissions
+            List<AclRolePermissionVO> perms = _rolePermissionDao.findByRole(parentRoleId);
+            if (perms != null) {
+                for (AclRolePermissionVO perm : perms) {
+                    perm.setAclRoleId(role.getId());
+                    _rolePermissionDao.persist(perm);
+                }
+            }
         }
-        return _aclRoleDao.persist(rvo);
+        txn.commit();
+
+        return role;
     }
 
     @DB

setup/db/db/schema-420to430.sql

@@ -312,14 +312,12 @@ CREATE TABLE `cloud`.`acl_role` (
   `name` varchar(255) NOT NULL,
   `description` varchar(255) default NULL,  
   `uuid` varchar(40),
-  `parent_role_id` bigint unsigned DEFAULT 0,
   `domain_id` bigint unsigned NOT NULL,  
   `removed` datetime COMMENT 'date the role was removed',
   `created` datetime COMMENT 'date the role was created',
   PRIMARY KEY  (`id`),
   INDEX `i_acl_role__removed`(`removed`),
-  CONSTRAINT `uc_acl_role__uuid` UNIQUE (`uuid`),  
+  CONSTRAINT `uc_acl_role__uuid` UNIQUE (`uuid`)  
-  CONSTRAINT `fk_acl_role__parent_role_id` FOREIGN KEY(`parent_role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE  
 ) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
 
 CREATE TABLE `cloud`.`acl_group_role_map` (
@@ -334,11 +332,12 @@ CREATE TABLE `cloud`.`acl_group_role_map` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;        
 
 
-INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (1,'NORMAL', 'Domain user role', UUID(), 1, Now());
+INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (1, 'NORMAL', 'Domain user role', UUID(), 1, Now());
 INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (2, 'ADMIN', 'Root admin role', UUID(), 1, Now());
 INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (3, 'DOMAIN_ADMIN', 'Domain admin role', UUID(), 1, Now());
 INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (4, 'RESOURCE_DOMAIN_ADMIN', 'Resource domain admin role', UUID(), 1, Now());
 INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (5, 'READ_ONLY_ADMIN', 'Read only admin role', UUID(), 1, Now());
+INSERT IGNORE INTO `cloud`.`acl_role` (id, name, description, uuid, domain_id, created) VALUES (6, 'RESOURCE_OWNER', 'Resource owner role', UUID(), -1, Now());
 
 INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (1, 'NORMAL', 'Domain user group', UUID(), 1, Now());
 INSERT IGNORE INTO `cloud`.`acl_group` (id, name, description, uuid, domain_id, created) VALUES (2, 'ADMIN', 'Root admin group', UUID(), 1, Now());
@@ -375,11 +374,29 @@ CREATE TABLE `cloud`.`acl_role_permission` (
   `role_id` bigint unsigned NOT NULL,
   `entity_type` varchar(100) NOT NULL,
   `access_type` varchar(40) NOT NULL,
+  `scope` varchar(100) NOT NULL,
   `permission` int(1) unsigned NOT NULL COMMENT '1 allowed, 0 for denied',
   PRIMARY KEY  (`id`),
   CONSTRAINT `fk_acl_role_permission___role_id` FOREIGN KEY(`role_id`) REFERENCES `acl_role` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
+
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'CreateEntry', 'ACCOUNT', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ListEntry', 'ACCOUNT', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'ModifyEntry', 'ACCOUNT', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'DeleteEntry', 'ACCOUNT', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (6, '*', 'OperateEntry', 'ACCOUNT', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'CreateEntry', 'DOMAIN', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ListEntry', 'DOMAIN', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'ModifyEntry', 'DOMAIN', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'DeleteEntry', 'DOMAIN', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (3, '*', 'OperateEntry', 'DOMAIN', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'CreateEntry', 'REGION', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ListEntry', 'REGION', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'ModifyEntry', 'REGION', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'DeleteEntry', 'REGION', 1);
+INSERT IGNORE INTO `cloud`.`acl_role_permission` (role_id, entity_type, access_type, scope, permission) VALUES (1, '*', 'OperateEntry', 'REGION', 1);
+
 DROP VIEW IF EXISTS `cloud`.`acl_role_view`;
 CREATE VIEW `cloud`.`acl_role_view` AS
     select 
@@ -387,9 +404,6 @@ CREATE VIEW `cloud`.`acl_role_view` AS
         acl_role.uuid uuid,        
         acl_role.name name,
         acl_role.description description,
-        parent_role.id parent_role_id,
-        parent_role.uuid parent_role_uuid,
-        parent_role.name parent_role_name,
         acl_role.removed removed,
         acl_role.created created,
         domain.id domain_id,
@@ -402,8 +416,6 @@ CREATE VIEW `cloud`.`acl_role_view` AS
             inner join
         `cloud`.`domain` ON acl_role.domain_id = domain.id
             left join
-        `cloud`.`acl_role` parent_role on parent_role.id = acl_role.parent_role_id    
-            left join
         `cloud`.`acl_api_permission` ON acl_role.id = acl_api_permission.role_id;