Use IAMService to implement QuerySelector adapter.

This commit is contained in:
Min Chen 2013-12-26 19:53:49 -08:00
parent e280095536
commit c950651fe2
9 changed files with 138 additions and 134 deletions


@ -24,35 +24,35 @@ import com.cloud.utils.component.Adapter;
/** /**
* QueryChecker returns granted access at domain, account or resource level. * QueryChecker returns granted access at domain, account or resource level.
*/ */
public interface QueryChecker extends Adapter { public interface QuerySelector extends Adapter {
/** /**
* List granted domains for the caller, given a specific entity type. * List granted domains for the caller, given a specific action.
* *
* @param caller account to check against. * @param caller account to check against.
* @param entityType entity type * @param action action
* @return list of domain Ids granted to the caller account. * @return list of domain Ids granted to the caller account.
*/ */
List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType); List<Long> getAuthorizedDomains(Account caller, String action);
/** /**
* List granted accounts for the caller, given a specific entity type. * List granted accounts for the caller, given a specific action.
* *
* @param caller account to check against. * @param caller account to check against.
* @param entityType entity type * @param action action.
* @return list of domain Ids granted to the caller account. * @return list of domain Ids granted to the caller account.
*/ */
List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType); List<Long> getAuthorizedAccounts(Account caller, String action);
/** /**
* List granted resources for the caller, given a specific entity type. * List granted resources for the caller, given a specific action.
* *
* @param caller account to check against. * @param caller account to check against.
* @param entityType entity type * @param action action.
* @return list of domain Ids granted to the caller account. * @return list of domain Ids granted to the caller account.
*/ */
List<Long> getAuthorizedResources(Account caller, AclEntityType entityType); List<Long> getAuthorizedResources(Account caller, String action);
} }
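Review bot: The interface is renamed to QuerySelector but its class-level Javadoc still opens with `QueryChecker returns granted access at domain, account or resource level.`; it should read `QuerySelector returns granted access at domain, account or resource level.`. The `@return` tags on getAuthorizedAccounts and getAuthorizedResources also still say `list of domain Ids granted to the caller account` although those methods return account and resource ids; suggest `@return list of account Ids granted to the caller account.` and `@return list of resource Ids granted to the caller account.`. The new `@param action action` tags say nothing an implementer can use; since the adapter in this commit passes the value straight to IAMService.listPolicyPermissionsByScope, the tag should at least say it is the action string that policy permissions are keyed by.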


@ -20,32 +20,32 @@ import java.util.List;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclEntityType; import org.apache.cloudstack.acl.QuerySelector;
import org.apache.cloudstack.acl.QueryChecker;
import com.cloud.user.Account; import com.cloud.user.Account;
import com.cloud.utils.component.AdapterBase; import com.cloud.utils.component.AdapterBase;
public class RoleBasedEntityQueryChecker extends AdapterBase implements QueryChecker { public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQueryChecker.class.getName()); private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
@Override @Override
public List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType) { public List<Long> getAuthorizedDomains(Account caller, String action) {
// TODO Auto-generated method stub // TODO Auto-generated method stub
return null; return null;
} }
@Override @Override
public List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType) { public List<Long> getAuthorizedAccounts(Account caller, String action) {
// TODO Auto-generated method stub // TODO Auto-generated method stub
return null; return null;
} }
@Override @Override
public List<Long> getAuthorizedResources(Account caller, AclEntityType entityType) { public List<Long> getAuthorizedResources(Account caller, String action) {
// TODO Auto-generated method stub // TODO Auto-generated method stub
return null; return null;
} }
} }


@ -41,6 +41,11 @@
<groupId>org.apache.cloudstack</groupId> <groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-server</artifactId> <artifactId>cloud-server</artifactId>
<version>${project.version}</version> <version>${project.version}</version>
</dependency> </dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-iam</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies> </dependencies>
</project> </project>


@ -56,11 +56,5 @@ public interface AclService {
List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity); List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
/* Visibility related interfaces */
List<Long> getGrantedDomains(long accountId, String action);
List<Long> getGrantedAccounts(long accountId, String action);
List<Long> getGrantedResources(long accountId, String action);
} }


@ -27,7 +27,6 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission; import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclApiPermissionDao;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao; import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclGroupDao; import org.apache.cloudstack.acl.dao.AclGroupDao;
import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao; import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao;
@ -676,61 +675,4 @@ public class AclServiceImpl extends ManagerBase implements AclService, Manager {
return policies; return policies;
} }
@Override
public List<Long> getGrantedDomains(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Domain scope
List<Long> domainIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.DOMAIN);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
domainIds.add(p.getScopeId());
}
}
}
}
return domainIds;
}
@Override
public List<Long> getGrantedAccounts(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Account scope
List<Long> accountIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ACCOUNT);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
accountIds.add(p.getScopeId());
}
}
}
}
return accountIds;
}
@Override
public List<Long> getGrantedResources(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Resource scope
List<Long> entityIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.RESOURCE);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
entityIds.add(p.getScopeId());
}
}
}
}
return entityIds;
}
} }


@ -1,51 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.entity;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.QueryChecker;
import com.cloud.user.Account;
import com.cloud.utils.component.AdapterBase;
public class RoleBasedEntityQueryChecker extends AdapterBase implements QueryChecker {
private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQueryChecker.class.getName());
@Override
public List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType) {
// TODO Auto-generated method stub
return null;
}
@Override
public List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType) {
// TODO Auto-generated method stub
return null;
}
@Override
public List<Long> getAuthorizedResources(Account caller, AclEntityType entityType) {
// TODO Auto-generated method stub
return null;
}
}


@ -0,0 +1,103 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.entity;
import java.util.ArrayList;
import java.util.List;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.QuerySelector;
import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.api.AclPolicyPermission;
import org.apache.cloudstack.iam.api.IAMService;
import com.cloud.user.Account;
import com.cloud.utils.component.AdapterBase;
public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySelector {
private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQuerySelector.class.getName());
@Inject
IAMService _iamService;
@Override
public List<Long> getAuthorizedDomains(Account caller, String action) {
long accountId = caller.getAccountId();
// Get the static Policies of the Caller
List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
// for each policy, find granted permission with Domain scope
List<Long> domainIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.DOMAIN.toString());
if (pp != null) {
for (AclPolicyPermission p : pp) {
if (p.getScopeId() != null) {
domainIds.add(p.getScopeId());
}
}
}
}
return domainIds;
}
@Override
public List<Long> getAuthorizedAccounts(Account caller, String action) {
long accountId = caller.getAccountId();
// Get the static Policies of the Caller
List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
// for each policy, find granted permission with Account scope
List<Long> accountIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ACCOUNT.toString());
if (pp != null) {
for (AclPolicyPermission p : pp) {
if (p.getScopeId() != null) {
accountIds.add(p.getScopeId());
}
}
}
}
return accountIds;
}
@Override
public List<Long> getAuthorizedResources(Account caller, String action) {
long accountId = caller.getAccountId();
// Get the static Policies of the Caller
List<AclPolicy> policies = _iamService.listAclPolicies(accountId);
// for each policy, find granted permission with Resource scope
List<Long> entityIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermission> pp = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.RESOURCE.toString());
if (pp != null) {
for (AclPolicyPermission p : pp) {
if (p.getScopeId() != null) {
entityIds.add(p.getScopeId());
}
}
}
}
return entityIds;
}
}


@ -50,8 +50,11 @@ public interface IAMService {
AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId, AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
String action); String action);
List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope);
boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies); boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
List<Long> getGrantedEntities(long accountId, String action, String scope); List<Long> getGrantedEntities(long accountId, String action, String scope);
} }
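Review bot: `listPolicyPermissionsByScope` is added to the public IAMService interface without Javadoc, so callers cannot tell what `scope` accepts (the adapter in this commit passes `PermissionScope.X.toString()`) or whether a missing match yields an empty list or null; the adapter null-checks the result while the implementation in IAMServiceImpl never returns null, which is exactly the ambiguity a doc comment would settle. Suggest adding above the declaration: `/** Lists the granted permissions of policy {@code policyId} for {@code action} at {@code scope} (a PermissionScope name). Never returns null; an empty list means no matching grant. */`, and making the implementation honor that. The interface continues outside the hunk.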


@ -24,8 +24,10 @@ import javax.inject.Inject;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.iam.api.AclGroup; import org.apache.cloudstack.iam.api.AclGroup;
import org.apache.cloudstack.iam.api.AclPolicy; import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.api.AclPolicyPermission;
import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission; import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService; import org.apache.cloudstack.iam.api.IAMService;
import org.apache.cloudstack.iam.server.dao.AclGroupAccountMapDao; import org.apache.cloudstack.iam.server.dao.AclGroupAccountMapDao;
@ -33,7 +35,6 @@ import org.apache.cloudstack.iam.server.dao.AclGroupDao;
import org.apache.cloudstack.iam.server.dao.AclGroupPolicyMapDao; import org.apache.cloudstack.iam.server.dao.AclGroupPolicyMapDao;
import org.apache.cloudstack.iam.server.dao.AclPolicyDao; import org.apache.cloudstack.iam.server.dao.AclPolicyDao;
import org.apache.cloudstack.iam.server.dao.AclPolicyPermissionDao; import org.apache.cloudstack.iam.server.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.ActionEvent; import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes; import com.cloud.event.EventTypes;
@ -539,5 +540,12 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
return entityIds; return entityIds;
} }
@Override
public List<AclPolicyPermission> listPolicyPermissionsByScope(long policyId, String action, String scope) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policyId, action, scope);
List<AclPolicyPermission> pl = new ArrayList<AclPolicyPermission>();
pl.addAll(pp);
return pl;
}
} }
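Review bot: `pl.addAll(pp)` in listPolicyPermissionsByScope dereferences the DAO result without a null check, while the only caller added in this commit (RoleBasedEntityQuerySelector) checks this method's return value for null, so one side is inconsistent with the DAO's contract, which is not visible here. If `listGrantedByActionAndScope` can return null, `return pp == null ? new ArrayList<AclPolicyPermission>() : new ArrayList<AclPolicyPermission>(pp);` keeps the method total and lets the caller drop its check; if it cannot, the caller's check is dead code and the body collapses to `return new ArrayList<AclPolicyPermission>(pp);`. The class and its imports continue outside the hunk.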