Adding support for 'readOnly' access. AccessType.ListEntry introduced.

2025-11-02 20:02:29 +01:00 · 2014-03-14 16:44:34 -07:00 · 2014-03-14 16:44:34 -07:00 · e09f97aa63
commit e09f97aa63
parent 289ac0465c
5 changed files with 22 additions and 5 deletions
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@ -33,7 +33,8 @@ public interface SecurityChecker extends Adapter {
    public enum AccessType {
        ModifyProject,
        OperateEntry,
-        UseEntry
+        UseEntry,
+        ListEntry
    }

    /**
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@ -591,6 +591,7 @@ public class ApiConstants {
    public static final String VGPUTYPE = "vgputype";
    public static final String REMAININGCAPACITY = "remainingcapacity";
    public static final String DISTRIBUTED_VPC_ROUTER = "distributedvpcrouter";
+    public static final String READ_ONLY = "readOnly";


    public enum HostDetails {
--- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java
@ -29,6 +29,7 @@ import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.BaseCmd.CommandType;
 import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.iam.IAMApiService;
@ -72,6 +73,9 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
    @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The UUID of the permission scope id")
    private String scopeId;

+    @Parameter(name = ApiConstants.READ_ONLY, type = CommandType.BOOLEAN, required = false, description = "Read Only access is added; Only applicable when action = List/Read api name")
+    private Boolean readOnly;
+

    /////////////////////////////////////////////////////
    /////////////////// Accessors ///////////////////////
@ -100,6 +104,10 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
        return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
    }

+    public Boolean isReadOnly() {
+        return (readOnly != null) ? readOnly : false;
+    }
+
    /////////////////////////////////////////////////////
    /////////////// API Implementation///////////////////
    /////////////////////////////////////////////////////
@ -123,7 +131,7 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
        CallContext.current().setEventDetails("IAM policy Id: " + getId());
        // Only explicit ALLOW is supported for this release, no explicit deny
        IAMPolicy result = _iamApiSrv.addIAMPermissionToIAMPolicy(id, entityType, PermissionScope.valueOf(scope),
-                getScopeId(), action, Permission.Allow, false);
+                getScopeId(), action, Permission.Allow, false, isReadOnly());
        if (result != null) {
            IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
            response.setResponseName(getCommandName());
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
@ -60,7 +60,7 @@ public interface IAMApiService extends PluggableService {
    void removeIAMPolicyFromAccounts(Long policyId, List<Long> accountIds);

    IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId,
-            String action, Permission perm, Boolean recursive);
+            String action, Permission perm, Boolean recursive, Boolean readOnly);

    IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);

--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
@ -40,6 +40,7 @@ import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseAsyncCreateCmd;
 import org.apache.cloudstack.api.BaseListCmd;
 import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.api.command.iam.AddAccountToIAMGroupCmd;
@ -506,11 +507,17 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
    @Override
    @ActionEvent(eventType = EventTypes.EVENT_IAM_POLICY_GRANT, eventDescription = "Granting acl permission to IAM Policy")
    public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, PermissionScope scope,
-            Long scopeId, String action, Permission perm, Boolean recursive) {
+            Long scopeId, String action, Permission perm, Boolean recursive, Boolean readOnly) {
        Class<?> cmdClass = _apiServer.getCmdClass(action);
        AccessType accessType = null;
        if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
-            accessType = AccessType.UseEntry;
+            if (readOnly) {
+                accessType = AccessType.ListEntry;
+            } else {
+                accessType = AccessType.UseEntry;
+            }
+        } else if (!(BaseAsyncCreateCmd.class.isAssignableFrom(cmdClass))) {
+            accessType = AccessType.OperateEntry;
        }
        String accessTypeStr = (accessType != null) ? accessType.toString() : null;
        return _iamSrv.addIAMPermissionToIAMPolicy(iamPolicyId, entityType, scope.toString(), scopeId, action,