diff --git a/api/src/org/apache/cloudstack/acl/QueryChecker.java b/api/src/org/apache/cloudstack/acl/QuerySelector.java
similarity index 69%
rename from api/src/org/apache/cloudstack/acl/QueryChecker.java
rename to api/src/org/apache/cloudstack/acl/QuerySelector.java
index e8e9cf3aa08..56bf982774c 100644
--- a/api/src/org/apache/cloudstack/acl/QueryChecker.java
+++ b/api/src/org/apache/cloudstack/acl/QuerySelector.java
@@ -24,35 +24,35 @@ import com.cloud.utils.component.Adapter;
 /**
 * QueryChecker returns granted access at domain, account or resource level.
 */
-public interface QueryChecker extends Adapter {
+public interface QuerySelector extends Adapter {
 /**
- * List granted domains for the caller, given a specific entity type.
+ * List granted domains for the caller, given a specific action.
 *
 * @param caller account to check against.
- * @param entityType entity type
+ * @param action action
 * @return list of domain Ids granted to the caller account.
 */
- List getAuthorizedDomains(Account caller, AclEntityType entityType);
+ List getAuthorizedDomains(Account caller, String action);
 /**
- * List granted accounts for the caller, given a specific entity type.
+ * List granted accounts for the caller, given a specific action.
 *
 * @param caller account to check against.
- * @param entityType entity type
+ * @param action action.
 * @return list of domain Ids granted to the caller account.
 */
- List getAuthorizedAccounts(Account caller, AclEntityType entityType);
+ List getAuthorizedAccounts(Account caller, String action);
 /**
- * List granted resources for the caller, given a specific entity type.
+ * List granted resources for the caller, given a specific action.
 *
 * @param caller account to check against.
- * @param entityType entity type
+ * @param action action.
 * @return list of domain Ids granted to the caller account.
 */
- List getAuthorizedResources(Account caller, AclEntityType entityType);
+ List getAuthorizedResources(Account caller, String action);
 }
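Review bot: The Javadoc in this hunk was not updated with the rename or the new parameter: the type comment still reads `* QueryChecker returns granted access at domain, account or resource level.`, and the `@return` on `getAuthorizedAccounts` and `getAuthorizedResources` still says `list of domain Ids granted to the caller account.`, which is wrong for both. I would change them to `* QuerySelector returns the domains, accounts or resources on which the caller has been granted a given action.`, `@return list of account Ids granted to the caller account.` and `@return list of resource Ids granted to the caller account.`. The `@param action action` tags say nothing; from the other hunks `action` appears to be the name of the operation being authorized (the old parameter was an entity type, so the meaning has changed), but that is inferred, and the authors should state exactly which string is expected, because a free-form `String` gets no compile-time check and a misspelled action will presumably match no permission and silently select nothing.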
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
similarity index 72%
rename from plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
rename to plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
index 7ddc8fdeaa5..3deea5c05b7 100644
--- a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
@@ -20,32 +20,32 @@ import java.util.List;
 import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.AclEntityType;
-import org.apache.cloudstack.acl.QueryChecker;
+import org.apache.cloudstack.acl.QuerySelector;
 import com.cloud.user.Account;
 import com.cloud.utils.component.AdapterBase;
-public class RoleBasedEntityQueryChecker extends AdapterBase implements QueryChecker {
+public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
- private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQueryChecker.class.getName());
+ private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
 @Override
- public List getAuthorizedDomains(Account caller, AclEntityType entityType) {
+ public List getAuthorizedDomains(Account caller, String action) {
 // TODO Auto-generated method stub
 return null;
 }
 @Override
- public List getAuthorizedAccounts(Account caller, AclEntityType entityType) {
+ public List getAuthorizedAccounts(Account caller, String action) {
 // TODO Auto-generated method stub
 return null;
 }
 @Override
- public List getAuthorizedResources(Account caller, AclEntityType entityType) {
+ public List getAuthorizedResources(Account caller, String action) {
 // TODO Auto-generated method stub
 return null;
 }
+
 }
diff --git a/services/iam/plugin/pom.xml b/services/iam/plugin/pom.xml
index f58cc478e8a..e674100b39f 100644
--- a/services/iam/plugin/pom.xml
+++ b/services/iam/plugin/pom.xml
@@ -41,6 +41,11 @@ org.apache.cloudstack cloud-server ${project.version} - + + + org.apache.cloudstack + cloud-iam + ${project.version} +
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java b/services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java
index c8d8b48867b..889a0d3b783 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java
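Review bot: After this rename the plugins module and `services/iam/plugin` both declare `org.apache.cloudstack.acl.entity.RoleBasedEntityQuerySelector` (compare the `rename to` path above with the `new file` path further down in this commit), and this copy still returns `null` from all three `// TODO Auto-generated method stub` bodies. If both jars reach the management-server classpath, which class a `QuerySelector` lookup binds to depends on classloader order, so the visibility query would either work or blow up with a NullPointerException on the caller's first iteration depending on packaging — an authorization component should fail closed and deterministically. I would delete this stub outright, since the real implementation is added in the same commit; if it must stay, return `Collections.emptyList()` from each method with a comment stating that this selector grants nothing, and drop the unused `s_logger`.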
@@ -56,11 +56,5 @@ public interface AclService {
 List getEffectivePolicies(Account caller, ControlledEntity entity);
- /* Visibility related interfaces */
- List getGrantedDomains(long accountId, String action);
-
- List getGrantedAccounts(long accountId, String action);
-
- List getGrantedResources(long accountId, String action);
 }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java
index 3581ef07303..628672e90ae 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java
@@ -27,7 +27,6 @@ import org.apache.log4j.Logger;
 import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.acl.dao.AclApiPermissionDao;
 import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
 import org.apache.cloudstack.acl.dao.AclGroupDao;
 import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao;
@@ -676,61 +675,4 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
 return policies;
 }
- @Override
- public List getGrantedDomains(long accountId, String action) {
- // Get the static Policies of the Caller
- List policies = listAclPolicies(accountId);
- // for each policy, find granted permission with Domain scope
- List domainIds = new ArrayList();
- for (AclPolicy policy : policies) {
- List pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.DOMAIN);
- if (pp != null) {
- for (AclPolicyPermissionVO p : pp) {
- if (p.getScopeId() != null) {
- domainIds.add(p.getScopeId());
- }
- }
- }
- }
- return domainIds;
- }
-
- @Override
- public List getGrantedAccounts(long accountId, String action) {
- // Get the static Policies of the Caller
- List policies = listAclPolicies(accountId);
- // for each policy, find granted permission with Account scope
- List accountIds = new ArrayList();
- for (AclPolicy policy : policies) {
- List pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ACCOUNT);
- if (pp != null) {
- for (AclPolicyPermissionVO p : pp) {
- if (p.getScopeId() != null) {
- accountIds.add(p.getScopeId());
- }
- }
- }
- }
- return accountIds;
- }
-
- @Override
- public List getGrantedResources(long accountId, String action) {
- // Get the static Policies of the Caller
- List policies = listAclPolicies(accountId);
- // for each policy, find granted permission with Resource scope
- List entityIds = new ArrayList();
- for (AclPolicy policy : policies) {
- List pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.RESOURCE);
- if (pp != null) {
- for (AclPolicyPermissionVO p : pp) {
- if (p.getScopeId() != null) {
- entityIds.add(p.getScopeId());
- }
- }
- }
- }
- return entityIds;
- }
- }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
deleted file mode 100644
index 7ddc8fdeaa5..00000000000
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java
+++ /dev/null
@@ -1,51 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.acl.entity;
-import java.util.List;
-import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.AclEntityType;
-import org.apache.cloudstack.acl.QueryChecker;
-import com.cloud.user.Account;
-import com.cloud.utils.component.AdapterBase;
-public class RoleBasedEntityQueryChecker extends AdapterBase implements QueryChecker {
- private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQueryChecker.class.getName());
- @Override
- public List getAuthorizedDomains(Account caller, AclEntityType entityType) {
- // TODO Auto-generated method stub
- return null;
- }
- @Override
- public List getAuthorizedAccounts(Account caller, AclEntityType entityType) {
- // TODO Auto-generated method stub
- return null;
- }
- @Override
- public List getAuthorizedResources(Account caller, AclEntityType entityType) {
- // TODO Auto-generated method stub
- return null;
- }
- }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
new file mode 100644
index 00000000000..bf84a3460d3
--- /dev/null
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQuerySelector.java
@@ -0,0 +1,103 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.entity;
+import java.util.ArrayList;
+import java.util.List;
+import javax.inject.Inject;
+import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.PermissionScope;
+import org.apache.cloudstack.acl.QuerySelector;
+import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
+import org.apache.cloudstack.iam.api.IAMService;
+import com.cloud.user.Account;
+import com.cloud.utils.component.AdapterBase;
+public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
+ private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
+ @Inject
+ IAMService _iamService;
+ @Override
+ public List getAuthorizedDomains(Account caller, String action) {
+ long accountId = caller.getAccountId();
+ // Get the static Policies of the Caller
+ List policies = _iamService.listAclPolicies(accountId);
+ // for each policy, find granted permission with Domain scope
+ List domainIds = new ArrayList();
+ for (AclPolicy policy : policies) {
+ List pp =
_iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.DOMAIN.toString());
+ if (pp != null) {
+ for (AclPolicyPermission p : pp) {
+ if (p.getScopeId() != null) {
+ domainIds.add(p.getScopeId());
+ }
+ }
+ }
+ }
+ return domainIds;
+ }
+ @Override
+ public List getAuthorizedAccounts(Account caller, String action) {
+ long accountId = caller.getAccountId();
+ // Get the static Policies of the Caller
+ List policies = _iamService.listAclPolicies(accountId);
+ // for each policy, find granted permission with Account scope
+ List accountIds = new ArrayList();
+ for (AclPolicy policy : policies) {
+ List pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ACCOUNT.toString());
+ if (pp != null) {
+ for (AclPolicyPermission p : pp) {
+ if (p.getScopeId() != null) {
+ accountIds.add(p.getScopeId());
+ }
+ }
+ }
+ }
+ return accountIds;
+ }
+ @Override
+ public List getAuthorizedResources(Account caller, String action) {
+ long accountId = caller.getAccountId();
+ // Get the static Policies of the Caller
+ List policies = _iamService.listAclPolicies(accountId);
+ // for each policy, find granted permission with Resource scope
+ List entityIds = new ArrayList();
+ for (AclPolicy policy : policies) {
+ List pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.RESOURCE.toString());
+ if (pp != null) {
+ for (AclPolicyPermission p : pp) {
+ if (p.getScopeId() != null) {
+ entityIds.add(p.getScopeId());
+ }
+ }
+ }
+ }
+ return entityIds;
+ }
+
+ }
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 0532abb7863..9695efda200 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
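Review bot: `getAuthorizedDomains`, `getAuthorizedAccounts` and `getAuthorizedResources` in the new `RoleBasedEntityQuerySelector` are the same loop copied three times with only the `PermissionScope` constant changing, and each can return the same scope id several times when more than one of the caller's policies grants it, leaving de-duplication to whoever turns the list into a query filter. I would fold them into one private helper keyed on the scope, collect into a `LinkedHashSet` (importing `java.util.Set` and `java.util.LinkedHashSet`) before returning a `List`, and tolerate a null policy list the way the loop already tolerates a null permission list, since the `for` over `policies` would otherwise throw. `s_logger` is unused and the class has no Javadoc; because `listPolicyPermissionsByScope` is backed by `listGrantedByActionAndScope` in the IAMServiceImpl hunk, the class comment should say that only grants are collected and that deny entries, if the policy model has them (the `Permission` import in IAMServiceImpl hints at an allow/deny enum, which this diff does not show), are not subtracted here. Generic type arguments appear to have been stripped from this listing, so the `Long` element type below is inferred from the `Long scopeId` parameter in the IAMService signature.
```java
// … unchanged: license header, package, imports, class header, s_logger, _iamService …

    @Override
    public List<Long> getAuthorizedDomains(Account caller, String action) {
        return getAuthorizedScopeIds(caller, action, PermissionScope.DOMAIN);
    }

    @Override
    public List<Long> getAuthorizedAccounts(Account caller, String action) {
        return getAuthorizedScopeIds(caller, action, PermissionScope.ACCOUNT);
    }

    @Override
    public List<Long> getAuthorizedResources(Account caller, String action) {
        return getAuthorizedScopeIds(caller, action, PermissionScope.RESOURCE);
    }

    /**
     * Collects the scope ids of every permission that grants {@code action} at
     * {@code scope} across the caller's static policies. Only grants are consulted;
     * ids are de-duplicated, keeping the order in which they were first granted.
     * Returns an empty list (never null) when the caller has no policies or no grants.
     */
    private List<Long> getAuthorizedScopeIds(Account caller, String action, PermissionScope scope) {
        List<AclPolicy> policies = _iamService.listAclPolicies(caller.getAccountId());
        Set<Long> ids = new LinkedHashSet<Long>();
        if (policies != null) {
            for (AclPolicy policy : policies) {
                List<AclPolicyPermission> pp =
                        _iamService.listPolicyPermissionsByScope(policy.getId(), action, scope.toString());
                if (pp == null) {
                    continue;
                }
                for (AclPolicyPermission p : pp) {
                    // a permission without a scope id carries nothing this selector can filter on
                    if (p.getScopeId() != null) {
                        ids.add(p.getScopeId());
                    }
                }
            }
        }
        return new ArrayList<Long>(ids);
    }
```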
@@ -50,8 +50,11 @@ public interface IAMService {
 AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId, String action);
+ List listPolicyPermissionsByScope(long policyId, String action, String scope);
+
 boolean isAPIAccessibleForPolicies(String apiName, List policies);
 List getGrantedEntities(long accountId, String action, String scope);
+
 }
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index 3ec32e34a7e..fa7c9222ccc 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -24,8 +24,10 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.api.AclGroup;
 import org.apache.cloudstack.iam.api.AclPolicy;
+import org.apache.cloudstack.iam.api.AclPolicyPermission;
 import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
 import org.apache.cloudstack.iam.api.IAMService;
 import org.apache.cloudstack.iam.server.dao.AclGroupAccountMapDao;
@@ -33,7 +35,6 @@ import org.apache.cloudstack.iam.server.dao.AclGroupDao;
 import org.apache.cloudstack.iam.server.dao.AclGroupPolicyMapDao;
 import org.apache.cloudstack.iam.server.dao.AclPolicyDao;
 import org.apache.cloudstack.iam.server.dao.AclPolicyPermissionDao;
-import org.apache.cloudstack.context.CallContext;
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
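Review bot: The new `listPolicyPermissionsByScope` declaration on `IAMService` carries no Javadoc, and its name understates what it does: the implementation added in this commit delegates to `listGrantedByActionAndScope`, so callers receive only the permissions that grant `action` at `scope`, not every permission at that scope. I would add above it `/** Lists the permissions of {@code policyId} that grant {@code action} at {@code scope}; never returns null. */` — the null part is a contract worth pinning here, because the implementation as written throws if the DAO returns null while the only caller in this commit null-checks the result. `scope` is a free-form `String` although every caller in this commit passes `PermissionScope.X.toString()`; naming the accepted values in the Javadoc at least makes that coupling visible, since a misspelled scope would presumably match nothing and silently narrow the result rather than fail.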
@@ -539,5 +540,12 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
 return entityIds;
 }
+ @Override
+ public List listPolicyPermissionsByScope(long policyId, String action, String scope) {
+ List pp = _policyPermissionDao.listGrantedByActionAndScope(policyId, action, scope);
+ List pl = new ArrayList();
+ pl.addAll(pp);
+ return pl;
+ }
 }
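Review bot: `listPolicyPermissionsByScope` throws a NullPointerException at `pl.addAll(pp)` if `_policyPermissionDao.listGrantedByActionAndScope` returns null, while the one caller added in this commit (`RoleBasedEntityQuerySelector`) null-checks the result — one side is wrong about the DAO's contract, and an unchecked exception inside an authorization-scoping call is the worse failure. I would guard it with `if (pp != null) { pl.addAll(pp); }` and document on the interface that the method never returns null, so callers can drop their checks. The copy appears to exist only to widen the DAO's VO list to the `AclPolicyPermission` interface type (type arguments look stripped in this listing, so that is inferred); a one-line comment such as `// copy to widen the DAO's VO list to the API interface type` would save the next reader from wondering why the list is not returned directly. The `return entityIds;` context at the top of the hunk belongs to a method that starts outside it.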