Updated Branches: refs/heads/rbac 0ce176c0d -> b44413616
Adding the correct policyIds for the command permission loading Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/b4441361 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/b4441361 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/b4441361 Branch: refs/heads/rbac Commit: b444136166066afa3a118f0d7ead6550e971446e Parents: 0ce176c Author: Prachi Damle <pra...@cloud.com> Authored: Fri Jan 17 16:55:32 2014 -0800 Committer: Prachi Damle <pra...@cloud.com> Committed: Fri Jan 17 16:55:32 2014 -0800 ---------------------------------------------------------------------- .../acl/RoleBasedAPIAccessChecker.java | 31 ++++++++++++++++++-- 1 file changed, 28 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b4441361/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java ----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index c81c31a..11110b2 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -105,7 +105,8 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 // commands.properties.
 for (RoleType role : RoleType.values()) {
- _iamSrv.resetAclPolicy(role.ordinal() + 1);
+ Long policyId = getDefaultPolicyId(role);
+ _iamSrv.resetAclPolicy(policyId);
 }
 for (PluggableService service : _services) {
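Review bot: `policyId` can be null at `_iamSrv.resetAclPolicy(policyId)`: the loop walks every `RoleType.values()`, while `getDefaultPolicyId` (added in the next hunk) maps only User, Admin, DomainAdmin and ResourceAdmin and has no `default` branch. If `RoleType` declares any other constant, the reset is called with a null id, and the same unchecked value is passed to `addAclPermissionToAclPolicy` in the last hunk, so the outcome depends on how the IAM service treats a null policy. Since this code loads the default permission set, an unmapped role should be skipped or rejected explicitly, e.g. `if (policyId == null) { continue; }` with a log line, or a `default:` in the helper that throws `IllegalArgumentException`. The enclosing method starts and ends outside the hunk.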
@@ -135,6 +136,29 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 return super.start();
 }
+ private Long getDefaultPolicyId(RoleType role) {
+ Long policyId = null;
+ switch (role) {
+ case User:
+ policyId = new Long(Account.ACCOUNT_TYPE_NORMAL + 1);
+ break;
+
+ case Admin:
+ policyId = new Long(Account.ACCOUNT_TYPE_ADMIN + 1);
+ break;
+
+ case DomainAdmin:
+ policyId = new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1);
+ break;
+
+ case ResourceAdmin:
+ policyId = new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1);
+ break;
+ }
+
+ return policyId;
+ }
+
 private void processMapping(Map<String, String> configMap) {
 for (Map.Entry<String, String> entry : configMap.entrySet()) {
 String apiName = entry.getKey();
@@ -182,6 +206,7 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 }
 PermissionScope permissionScope = PermissionScope.ACCOUNT;
+ Long policyId = getDefaultPolicyId(role);
 switch (role) {
 case User:
 permissionScope = PermissionScope.ACCOUNT;
@@ -202,11 +227,11 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 if (entityTypes == null || entityTypes.length == 0) {
- _iamSrv.addAclPermissionToAclPolicy(new Long(role.ordinal()) + 1, null, permissionScope.toString(), new Long(-1),
+ _iamSrv.addAclPermissionToAclPolicy(policyId, null, permissionScope.toString(), new Long(-1),
 apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow);
 } else {
 for (AclEntityType entityType : entityTypes) {
- _iamSrv.addAclPermissionToAclPolicy(new Long(role.ordinal()) + 1, entityType.toString(), permissionScope.toString(), new Long(-1),
+ _iamSrv.addAclPermissionToAclPolicy(policyId, entityType.toString(), permissionScope.toString(), new Long(-1),
 apiName, (accessType == null) ? null : accessType.toString(), Permission.Allow);
 }
 }
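Review bot: The `+ 1` in each branch of `getDefaultPolicyId` is undocumented: the policy id is derived from an `Account.ACCOUNT_TYPE_*` constant, presumably because the default policies are seeded with ids equal to account type plus one, but nothing visible states that contract. I would add a Javadoc such as `/** Returns the id of the default IAM policy for the role; assumes default policies are seeded with id = account type + 1. */` so a change to the seed data or the constants is not silently mis-mapped onto another role's policy. As a style point, `Long.valueOf(...)` is preferable to `new Long(...)` in the four assignments.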