Rohit Yadav
4347776ac6
CLOUDSTACK-8562: DB-Backed Dynamic Role Based API Access Checker
This feature allows root administrators to define new roles and associate API
permissions to them.
A limited form of role-based access control for the CloudStack management server
API is provided through a properties file, commands.properties, embedded in the
WAR distribution. Therefore, customizing API permissions requires unpacking the
distribution and modifying this file consistently on all servers. The old system
also does not permit the specification of additional roles.
FS:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack
DB-Backed Dynamic Role Based API Access Checker for CloudStack brings the following
changes, features and use-cases:
- Moves the API access definitions from commands.properties to the mgmt server DB
- Allows defining custom roles (such as a read-only ROOT admin) beyond the
current set of four (4) roles
- All roles will resolve to one of the four known roles types (Admin, Resource
Admin, Domain Admin and User) which maintains this association by requiring
all new defined roles to specify a role type.
- Allows changes to roles and API permissions per role at runtime including additions or
removal of roles and/or modifications of permissions, without the need
of restarting management server(s)
Upgrade/installation notes:
- The feature will be enabled by default for new installations; existing
deployments will continue to use the older static role based API access checker
with an option to enable this feature
- During fresh installation or upgrade, the upgrade paths will add four default
roles based on the four default role types
- For ease of migration, at the time of upgrade commands.properties will be used
to add the existing set of permissions to the default roles. cloud.account
will have a new role_id column which will be populated based on default roles
as well
Dynamic-roles migration tool: scripts/util/migrate-dynamicroles.py
- Allows admins to migrate to the dynamic role based checker at a future date
- Performs a harder one-way migrate and update
- Migrates rules from existing commands.properties file into db and deprecates it
- Enables an internal hidden switch to enable dynamic role based checker feature
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-05-11 09:45:19 +05:30
Wei Zhou
37301ed454
CLOUDSTACK-8958: add dedicated ips to domain (account for now)
2015-11-16 10:17:40 +01:00
Rajani Karuturi
3ff7bf771d
CLOUDSTACK-8816: fixed missing resource uuid in delete network cmd
*events before*
| management-server.AsyncJobEvent.submit.None.*
| cloudstack-events | 7 |
{"cmdInfo":"{\"id\":\"edf0a16b-54cd-442e-b644-4af933f34229\",\"response\":\"json\",\"ctxDetails\":\"{\\\"interface
com.cloud.network.Network\\\":\\\"edf0a16b-54cd-442e-b644-4af933f34229\\\"}\",\"cmdEventType\":\"NETWORK.DELETE\",\"ctxUserId\":\"2\",\"httpmethod\":\"GET\",\"_\":\"1444805881664\",\"uuid\":\"edf0a16b-54cd-442e-b644-4af933f34229\",\"ctxAccountId\":\"2\",\"ctxStartEventId\":\"1378\"}","instanceType":"None","jobId":"f7cbf481-49d0-423b-8661-5d3d678f4b96","status":"IN_PROGRESS","processStatus":"0","commandEventType":"NETWORK.DELETE","resultCode":"0","command":"org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd","account":"bd73dc2e-35c0-11e5-b094-d4ae52cb9af0","user":"bd7ea748-35c0-11e5-b094-d4ae52cb9af0"}
| 736 | string | True | |
management-server.AsyncJobEvent.complete.None.* | cloudstack-events | 6
|
{"cmdInfo":"{\"id\":\"edf0a16b-54cd-442e-b644-4af933f34229\",\"response\":\"json\",\"ctxDetails\":\"{\\\"interface
com.cloud.network.Network\\\":\\\"edf0a16b-54cd-442e-b644-4af933f34229\\\"}\",\"cmdEventType\":\"NETWORK.DELETE\",\"ctxUserId\":\"2\",\"httpmethod\":\"GET\",\"_\":\"1444805881664\",\"uuid\":\"edf0a16b-54cd-442e-b644-4af933f34229\",\"ctxAccountId\":\"2\",\"ctxStartEventId\":\"1378\"}","instanceType":"None","jobId":"f7cbf481-49d0-423b-8661-5d3d678f4b96","status":"FAILED","processStatus":"0","commandEventType":"NETWORK.DELETE","resultCode":"530","command":"org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd","jobResult":"org.apache.cloudstack.api.response.ExceptionResponse/null/{\"uuidList\":[],\"errorcode\":530,\"errortext\":\"Failed
to delete
network\"}","account":"bd73dc2e-35c0-11e5-b094-d4ae52cb9af0","user":"bd7ea748-35c0-11e5-b094-d4ae52cb9af0"}
| 884 | string | True |
*events after*
|
management-server.AsyncJobEvent.submit.Network.5eccaece-a789-4b93-99c2-8b731ab6e328
| cloudstack-events | 1 |
{"cmdInfo":"{\"id\":\"5eccaece-a789-4b93-99c2-8b731ab6e328\",\"response\":\"json\",\"ctxDetails\":\"{\\\"interface
com.cloud.network.Network\\\":\\\"5eccaece-a789-4b93-99c2-8b731ab6e328\\\"}\",\"cmdEventType\":\"NETWORK.DELETE\",\"ctxUserId\":\"2\",\"httpmethod\":\"GET\",\"_\":\"1444814151636\",\"uuid\":\"5eccaece-a789-4b93-99c2-8b731ab6e328\",\"ctxAccountId\":\"2\",\"ctxStartEventId\":\"1424\"}","instanceType":"Network","instanceUuid":"5eccaece-a789-4b93-99c2-8b731ab6e328","jobId":"d2cd4b27-acbd-4e56-867f-fe67ebde8261","status":"IN_PROGRESS","processStatus":"0","commandEventType":"NETWORK.DELETE","resultCode":"0","command":"org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd","account":"bd73dc2e-35c0-11e5-b094-d4ae52cb9af0","user":"bd7ea748-35c0-11e5-b094-d4ae52cb9af0"}
| 793 | string | False |
|
management-server.AsyncJobEvent.complete.Network.5eccaece-a789-4b93-99c2-8b731ab6e328
| cloudstack-events | 0 |
{"cmdInfo":"{\"id\":\"5eccaece-a789-4b93-99c2-8b731ab6e328\",\"response\":\"json\",\"ctxDetails\":\"{\\\"interface
com.cloud.network.Network\\\":\\\"5eccaece-a789-4b93-99c2-8b731ab6e328\\\"}\",\"cmdEventType\":\"NETWORK.DELETE\",\"ctxUserId\":\"2\",\"httpmethod\":\"GET\",\"_\":\"1444814151636\",\"uuid\":\"5eccaece-a789-4b93-99c2-8b731ab6e328\",\"ctxAccountId\":\"2\",\"ctxStartEventId\":\"1424\"}","instanceType":"Network","instanceUuid":"5eccaece-a789-4b93-99c2-8b731ab6e328","jobId":"d2cd4b27-acbd-4e56-867f-fe67ebde8261","status":"SUCCEEDED","processStatus":"0","commandEventType":"NETWORK.DELETE","resultCode":"0","command":"org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd","jobResult":"org.apache.cloudstack.api.response.SuccessResponse/null/{\"success\":true}","account":"bd73dc2e-35c0-11e5-b094-d4ae52cb9af0","user":"bd7ea748-35c0-11e5-b094-d4ae52cb9af0"}
| 880 | string | False |
2015-10-26 09:15:33 +05:30
Rajani Karuturi
ec03473c23
CLOUDSTACK-8816: fixed missing resource uuid in destroy vm event
*event before*
| management-server.AsyncJobEvent.complete.VirtualMachine.*
| cloudstack-events | 2 |
{"cmdInfo":"{\"response\":\"json\",\"id\":\"ba45d114-9844-4123-8dc6-7ae46d10581a\",\"ctxDetails\":\"{\\\"interface
com.cloud.vm.VirtualMachine\\\":\\\"ba45d114-9844-4123-8dc6-7ae46d10581a\\\"}\",\"cmdEventType\":\"VM.DESTROY\",\"ctxUserId\":\"2\",\"httpmethod\":\"GET\",\"_\":\"1444812001047\",\"uuid\":\"ba45d114-9844-4123-8dc6-7ae46d10581a\",\"ctxAccountId\":\"2\",\"expunge\":\"true\",\"ctxStartEventId\":\"1395\"}","instanceType":"VirtualMachine","jobId":"b46faa05-7b3a-4dbf-a78d-fbc7c66c3ce3","status":"SUCCEEDED","processStatus":"0","commandEventType":"VM.DESTROY","resultCode":"0","command":"org.apache.cloudstack.api.command.admin.vm.DestroyVMCmdByAdmin","jobResult":"org.apache.cloudstack.api.response.UserVmResponse/null/{\"securitygroup\":[],\"nic\":[],\"tags\":[],\"affinitygroup\":[]}","account":"bd73dc2e-35c0-11e5-b094-d4ae52cb9af0","user":"bd7ea748-35c0-11e5-b094-d4ae52cb9af0"}
| 894 | string | True |
*event after*
|
management-server.AsyncJobEvent.complete.VirtualMachine.22e3bf71-91c8-4b18-a57e-af02d79dbb58
| cloudstack-events | 0 |
{"cmdInfo":"{\"response\":\"json\",\"id\":\"22e3bf71-91c8-4b18-a57e-af02d79dbb58\",\"ctxDetails\":\"{\\\"interface
com.cloud.vm.VirtualMachine\\\":\\\"22e3bf71-91c8-4b18-a57e-af02d79dbb58\\\"}\",\"cmdEventType\":\"VM.DESTROY\",\"ctxUserId\":\"2\",\"httpmethod\":\"GET\",\"_\":\"1444813240169\",\"uuid\":\"22e3bf71-91c8-4b18-a57e-af02d79dbb58\",\"ctxAccountId\":\"2\",\"expunge\":\"true\",\"ctxStartEventId\":\"1418\"}","instanceType":"VirtualMachine","instanceUuid":"22e3bf71-91c8-4b18-a57e-af02d79dbb58","jobId":"256ca2e7-de05-4b33-b32a-aa8567f05160","status":"SUCCEEDED","processStatus":"0","commandEventType":"VM.DESTROY","resultCode":"0","command":"org.apache.cloudstack.api.command.admin.vm.DestroyVMCmdByAdmin","jobResult":"org.apache.cloudstack.api.response.UserVmResponse/null/{\"securitygroup\":[],\"nic\":[],\"tags\":[],\"affinitygroup\":[]}","account":"bd73dc2e-35c0-11e5-b094-d4ae52cb9af0","user":"bd7ea748-35c0-11e5-b094-d4ae52cb9af0"}
| 948 | string | False |
2015-10-26 09:15:32 +05:30
Rajani Karuturi
04554ddd24
Cloudstack-8816: Fixed missing resource uuid in delete snapshot events
*event before*
| management-server.AsyncJobEvent.complete.Snapshot.*
| cloudstack-events | 26 |
{"cmdInfo":"{\"id\":\"2ebabd8f-0b34-4461-8071-0917c231ca49\",\"response\":\"json\",\"ctxDetails\":\"{\\\"interface
com.cloud.storage.Snapshot\\\":\\\"2ebabd8f-0b34-4461-8071-0917c231ca49\\\"}\",\"cmdEventType\":\"SNAPSHOT.DELETE\",\"ctxUserId\":\"2\",\"httpmethod\":\"GET\",\"_\":\"1444803845320\",\"uuid\":\"2ebabd8f-0b34-4461-8071-0917c231ca49\",\"ctxAccountId\":\"2\",\"ctxStartEventId\":\"1345\"}","instanceType":"Snapshot","jobId":"fab1feaf-3b4f-4158-b332-a78e43fee5e0","status":"SUCCEEDED","processStatus":"0","commandEventType":"SNAPSHOT.DELETE","resultCode":"0","command":"org.apache.cloudstack.api.command.user.snapshot.DeleteSnapshotCmd","jobResult":"org.apache.cloudstack.api.response.SuccessResponse/null/{\"success\":true}","account":"bd73dc2e-35c0-11e5-b094-d4ae52cb9af0","user":"bd7ea748-35c0-11e5-b094-d4ae52cb9af0"}
*After*
|
management-server.AsyncJobEvent.complete.Snapshot.f25ad748-2fe3-4911-b40c-4698425c8a2f
| cloudstack-events | 0 |
{"cmdInfo":"{\"id\":\"f25ad748-2fe3-4911-b40c-4698425c8a2f\",\"response\":\"json\",\"ctxDetails\":\"{\\\"interface
com.cloud.storage.Snapshot\\\":\\\"f25ad748-2fe3-4911-b40c-4698425c8a2f\\\"}\",\"cmdEventType\":\"SNAPSHOT.DELETE\",\"ctxUserId\":\"2\",\"httpmethod\":\"GET\",\"_\":\"1444806612980\",\"uuid\":\"f25ad748-2fe3-4911-b40c-4698425c8a2f\",\"ctxAccountId\":\"2\",\"ctxStartEventId\":\"1388\"}","instanceType":"Snapshot","instanceUuid":"f25ad748-2fe3-4911-b40c-4698425c8a2f","jobId":"69849909-9082-481c-b8ee-9ddc1608fe8d","status":"SUCCEEDED","processStatus":"0","commandEventType":"SNAPSHOT.DELETE","resultCode":"0","command":"org.apache.cloudstack.api.command.user.snapshot.DeleteSnapshotCmd","jobResult":"org.apache.cloudstack.api.response.SuccessResponse/null/{\"success\":true}","account":"bd73dc2e-35c0-11e5-b094-d4ae52cb9af0","user":"bd7ea748-35c0-11e5-b094-d4ae52cb9af0"}
| 886 | string | True |
2015-10-26 09:15:32 +05:30
Laszlo Hornyak
a81b59e2a4
Revert "some unused fields deleted"
This reverts commit 31db58f7204ac8bb434599ff51d794640718845c.
2014-12-03 18:09:49 +01:00
Wei Zhou
c25d4fdea2
CLOUDSTACK-7847: Separate ListDomains cmd to use two different views
2014-12-03 12:33:57 +01:00
Wei Zhou
0407fb334f
CLOUDSTACK-7847: add max.domain.* in global setting and display domain resources in listDomainsCmd response
2014-12-02 11:52:10 +01:00
Min Chen
4e7af26c9f
CLOUDSTACK-7981: listVirtualMachine is too slow in case of duplicate
resource tags due to joining user_vm_details to user_vm_view.
2014-11-26 17:23:07 -08:00
Laszlo Hornyak
31db58f720
some unused fields deleted
Signed-off-by: Laszlo Hornyak <laszlo.hornyak@gmail.com>
2014-11-23 19:49:04 +01:00
Laszlo Hornyak
3577423da9
removed executable flags from java classes
Signed-off-by: Laszlo Hornyak <laszlo.hornyak@gmail.com>
2014-11-23 19:49:01 +01:00
seif
59ea2e2960
Added the listHostTags API command
2014-08-17 20:38:46 -06:00
seif
67ca2557f9
Changes for a new API command to list the storage tags
2014-08-07 17:46:06 -06:00
Alena Prokharchyk
887f027a9a
CLOUDSTACK-6907: listVolumes - make a decision whether to set service or disk offering in the response, based on the DiskOfferingVO type entry, not the volume Type
2014-06-12 16:25:04 -07:00
Murali Reddy
965346cad1
CLOUDSTACK-6712: NPE in findJobInstanceUuid() in ApiDBUtils
2014-05-20 10:26:12 +05:30
Sanjay Tripathi
35cd61c463
CLOUDSTACK-6649: CS is not giving the system-wide capacity for GPU resource.
2014-05-14 15:05:28 +05:30
Tanner Danzey
601827e6b3
CLOUDSTACK-5907, CLOUDSTACK-6396: KVM/RBD & KVM/CLVM volumes mistakenly shown as OVM, disables snapshotting
modified: server/src/com/cloud/api/ApiDBUtils.java
Signed-off-by: Daan Hoogland <daan@onecht.net>
2014-05-05 15:15:25 +02:00
Prachi Damle
9514c9e045
CLOUDSTACK-6349: IAM - No error message presented to the user, when
invalid password is provided.
- AccountManager now works using accountId instead of accountType in
following methods too:
- isResourceDomainAdmin()
- isAdmin()
2014-04-28 11:10:50 -07:00
Alena Prokharchyk
9c4d20cb68
Revert "Return isolation methods as a part of listPhysicalNetworks call"
This reverts commit 316f23ed5fe7ae77e1054add368b2c05dfeef331.
2014-04-22 18:06:46 -07:00
Alena Prokharchyk
316f23ed5f
Return isolation methods as a part of listPhysicalNetworks call
2014-04-22 14:57:04 -07:00
Murali Reddy
2b51207510
persist fact that network can span multiple zones, if network offering
has strechedL2Subnet capability and return the zones in which
network spans in the network response object
2014-03-20 17:01:33 +05:30
Min Chen
99bdc8d875
Merge branch 'master' into rbac.
2014-03-13 11:05:03 -07:00
Sanjay Tripathi
c7d31fe288
CLOUDSTACK-4760 : Enabling GPU support for XenServer.
CLOUDSTACK-4762 : Enabling VGPU support for XenServer.
This feature is to enable the GPU-passthrough and vGPU functionality.
With the help of this feature, admins/users will be able to leverage
the GPU graphics unit power by deploying a virtual machine with GPU or
vGPU support or by changing the service offering of an existing VM
at any later point of time. These GPU/vGPU enabled VMs are able to run
graphical applications.
For now, this feature is only supported with XenServer hypervisor but
can be extended to add the support of other hypervisors.
2014-03-11 15:44:51 +05:30
Min Chen
929fbabaa2
Merge branch 'master' into rbac.
2014-01-17 14:37:08 -08:00
Alex Huang
68b8891c62
Removed all remnants of the IdentityService. Created the KeysManager to move the management
of keys out of management server
2014-01-14 13:11:35 -08:00
Min Chen
e42a262f6c
Remove old APIs and old security checker plugins. Also use QuerySelector
adapter in ACL search routine.
2014-01-10 14:54:31 -08:00
Alex Huang
ae8560b195
Moved security out into its own jar. Will be adding more to it. Fixed a few white space issues brought up by checkstyle in eclipse.
2014-01-09 16:12:25 -08:00
Devdeep Singh
e59420c514
CLOUDSTACK-5691: Fix for attaching an uploaded volume to instance running
on hyperv. There were multiple issues here. Upload volume was actually
failing because the post download check for vhd on the cifs share was
unsuccessful. Also the agent code wasn't parsing the volume path correctly.
Fixed it too.
2014-01-03 16:55:28 +05:30
Min Chen
d2922b9254
Separate ListAccounts cmd to use two different views.
2013-12-12 17:52:45 -08:00
Min Chen
312ff76f69
Separate listZones cmd to use two different views, also renamed previous
listZonesByCmd to listZonesCmd.
2013-12-12 17:40:30 -08:00
Alex Huang
be5e5cc641
All Checkstyle problems corrected
2013-12-12 12:26:07 -08:00
Min Chen
8f21eca922
Separate Template/ISO related APIs to use two different views.
2013-12-10 12:23:39 -08:00
Min Chen
a416f6c3c3
Fix API build error based on new DB schema, now only
RoleBasedEntityAccessChecker needs to be fixed.
2013-12-06 15:09:00 -08:00
Min Chen
015d06e7fc
Separate all volume related APIs to two Cmd classes based on two
response views.
2013-11-22 18:48:20 -08:00
Alex Huang
d620df2bdd
Reformatted all of the code.
2013-11-21 06:15:26 -08:00
Alex Huang
8d62744681
Reformat all source code. Added checkstyle to check the source code
2013-11-20 07:26:53 -08:00
Min Chen
ce3638bb03
Merge branch 'master' into rbac.
2013-11-04 15:49:29 -08:00
Min Chen
2ef4d5200c
Merge branch 'master' into rbac.
2013-10-31 17:16:33 -07:00
Wei Zhou
5109498783
CLOUDSTACK-4830: allow create account and user by domain admin
(cherry picked from commit 0d12e3eb9d4fb0166fc553da7366f4da786daa14)
2013-10-31 11:36:54 +01:00
Alena Prokharchyk
591dcd1d1c
ResourceDetails: added "display" field to a bunch of VOs - determines whether the detail should be returned to the regular user
2013-10-29 09:18:11 -07:00
Alena Prokharchyk
2cac1aaa0f
Moved ResourceDao and ResourceDaoBase to cloud-engine-schema/org/apache/cloudstack (used to be mistakenly placed under com/cloud/cloud)
2013-10-28 15:03:57 -07:00
Alena Prokharchyk
5caeab782d
ResourceDetails -
1) added createDetail to ResourceDetailDao interface to provide generic way of creating resourceDetail DB objects
2) added resource details support for firewall rules
2013-10-28 14:45:52 -07:00
Alena Prokharchyk
300f626d42
Renamed ResourceDetailDaoImpl to ResourceDetailDaoBase
2013-10-25 14:21:20 -07:00
Alena Prokharchyk
0fb4d9d5a2
Made all resource details DAOs (nic_details, user_vm_details, template_details, volume_details, service_offering_details) extend from the same base class as although details are being stored in diff tables, those tables have the same structure and same accessors.
2013-10-25 10:56:19 -07:00
Alena Prokharchyk
24725f8e21
ResourceDetails:
1) Added support for Zone resource details
2) Renamed DcDetailsDao to DataCenterDetailsDao to follow the CS name convention for DataCenter related classes
2013-10-24 15:54:49 -07:00
Alena Prokharchyk
2bb716efd8
ResourceMetaData (Resource details) fixes:
* changed name for TaggedResourceType enum to ResourceObjectType as this enum is used both by ResourceMetaData and ResourceTags code
* enhanced the enum with extra fields resourceTagsSupport (boolean) and metadataSupport identifying if the resource supports tags and/or metadata.
* cleanup unused @Inject objects from the ResourceMetaDataManager
2013-10-23 17:39:16 -07:00
Alena Prokharchyk
818e6f98fd
CLOUDSTACK-4874: added resource tags to the Service offering object. Tags can be created by using createTag API command; you can list service offerings by tags when passing the "resourceTag" parameter to the listServiceOfferings call
2013-10-15 17:08:55 -07:00
Min Chen
f59e47b263
Clean up ListVMsCmd implementation to not use the Criteria class.
2013-10-08 15:11:56 -07:00
Min Chen
440f03e548
Revert "Fix a listAccount regression due to root admin role refactoring."
This reverts commit d79cb380e1d42e40d2f76e6f2a265786a7fa100d.
2013-10-07 12:00:38 -07:00
Min Chen
d79cb380e1
Fix a listAccount regression due to root admin role refactoring.
2013-10-07 11:53:38 -07:00