Pass UUID for scopeId in addIAMPermissionToIAMPolicyCmd and removeIAMPermissionFromIAMPolicyCmd.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7e4c3b0e Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7e4c3b0e Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7e4c3b0e Branch: refs/heads/rbac Commit: 7e4c3b0e92e32d9c3221fcac4b74efd9a0b7fd29 Parents: ae9be65 Author: Min Chen <min.c...@citrix.com> Authored: Sun Mar 2 15:56:02 2014 -0800 Committer: Min Chen <min.c...@citrix.com> Committed: Sun Mar 2 15:56:02 2014 -0800 ---------------------------------------------------------------------- .../iam/AddIAMPermissionToIAMPolicyCmd.java | 15 ++- .../RemoveIAMPermissionFromIAMPolicyCmd.java | 11 +- .../apache/cloudstack/iam/IAMApiService.java | 3 + .../cloudstack/iam/IAMApiServiceImpl.java | 110 +++++++++++++++++++ .../cloudstack/iam/test/IAMApiServiceTest.java | 10 +- 5 files changed, 136 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java index 86afd10..a66390a 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java +++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/AddIAMPermissionToIAMPolicyCmd.java @@ -21,7 +21,6 @@ import javax.inject.Inject; import org.apache.log4j.Logger; import org.apache.cloudstack.acl.PermissionScope; -import org.apache.cloudstack.iam.IAMApiService; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; 
@@ -32,6 +31,7 @@ import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.iam.IAMApiService;
 import org.apache.cloudstack.iam.api.IAMPolicy;
 import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
@@ -39,6 +39,7 @@ import com.cloud.event.EventTypes;
 import com.cloud.exception.InsufficientCapacityException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.user.Account;
+import com.cloud.utils.db.EntityManager;
 @APICommand(name = "addIAMPermissionToIAMPolicy", description = "Add IAM permission to an iam policy", responseObject = IAMPolicyResponse.class)
@@ -48,6 +49,8 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
 @Inject public IAMApiService _iamApiSrv;
+ @Inject
+ public EntityManager _entityMgr;
 /////////////////////////////////////////////////////
 //////////////// API parameters /////////////////////
@@ -69,8 +72,8 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd {
 required = false, description = "iam permission scope")
 private String scope;
- @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id")
- private Long scopeId;
+ @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.UUID, required = false, description = "The UUID of the permission scope id")
+ private String scopeId;
 /////////////////////////////////////////////////////
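Review bot: The new `scopeId` field in AddIAMPermissionToIAMPolicyCmd is declared `type = CommandType.UUID` on a `String` field, while the parallel field in RemoveIAMPermissionFromIAMPolicyCmd in the same commit uses `CommandType.STRING`. As far as I recall, the CloudStack dispatcher resolves UUID-typed parameters into an internal `Long` via the annotation's entity type before setting the field, which would not fit a `String`; since the conversion is now done explicitly in `getScopeId()`, `type = CommandType.STRING` looks like the intended declaration here as well — confirm against the parameter processing code. The newly injected `_entityMgr` is not referenced in any visible hunk of this class; drop it unless a follow-up needs it. The two commands' descriptions also disagree (`"The UUID of the permission scope id"` here vs `"The ID of the permission scope id"` in the Remove cmd); the UUID wording is the accurate one now.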
@@ -96,10 +99,10 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd { } public Long getScopeId() { - return scopeId; + // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID. + return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId); } - ///////////////////////////////////////////////////// /////////////// API Implementation/////////////////// ///////////////////////////////////////////////////// @@ -123,7 +126,7 @@ public class AddIAMPermissionToIAMPolicyCmd extends BaseAsyncCmd { CallContext.current().setEventDetails("IAM policy Id: " + getId()); // Only explicit ALLOW is supported for this release, no explicit deny IAMPolicy result = _iamApiSrv.addIAMPermissionToIAMPolicy(id, entityType, PermissionScope.valueOf(scope), - scopeId, action, Permission.Allow, false); + getScopeId(), action, Permission.Allow, false); if (result != null) { IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result); response.setResponseName(getCommandName()); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java index db04ef7..bf065a0 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java +++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/RemoveIAMPermissionFromIAMPolicyCmd.java 
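Review bot: `getScopeId()` now forwards an optional parameter into a lookup that dereferences it: the field is `required = false`, `execute()` calls `getScopeId()` unconditionally, and the first statement of `IAMApiServiceImpl.getPermissionScopeId` is `scopeId.equals("-1")`, so an omitted scopeId becomes an NPE where the old code passed `null` through to the service. The same applies to `RemoveIAMPermissionFromIAMPolicyCmd.getScopeId()` and its `execute()`. Guarding in the getter, `return scopeId == null ? null : _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);`, keeps the previous contract for callers; `scope` is optional too, but `PermissionScope.valueOf(scope)` already rejected null in `execute()` before this change. The comment reads better as `// Resolve the caller-supplied scope UUID to the internal numeric id the IAM service stores.`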
@@ -21,7 +21,6 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
 import org.apache.cloudstack.acl.PermissionScope;
-import org.apache.cloudstack.iam.IAMApiService;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -32,6 +31,7 @@ import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.iam.IAMPolicyResponse;
 import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.iam.IAMApiService;
 import org.apache.cloudstack.iam.api.IAMPolicy;
 import com.cloud.event.EventTypes;
@@ -68,8 +68,8 @@ public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd {
 required = false, description = "iam permission scope")
 private String scope;
- @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id")
- private Long scopeId;
+ @Parameter(name = ApiConstants.IAM_SCOPE_ID, type = CommandType.STRING, required = false, description = "The ID of the permission scope id")
+ private String scopeId;
 /////////////////////////////////////////////////////
@@ -95,7 +95,8 @@ public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd {
 }
 public Long getScopeId() {
- return scopeId;
+ // here we will convert the passed String UUID to Long ID since internally we store it as entity internal ID.
+ return _iamApiSrv.getPermissionScopeId(scope, entityType, scopeId);
 }
@@ -119,7 +120,7 @@ public class RemoveIAMPermissionFromIAMPolicyCmd extends BaseAsyncCmd {
 public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException {
 CallContext.current().setEventDetails("IAM policy Id: " + getId());
- IAMPolicy result = _iamApiSrv.removeIAMPermissionFromIAMPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action);
+ IAMPolicy result = _iamApiSrv.removeIAMPermissionFromIAMPolicy(id, entityType, PermissionScope.valueOf(scope), getScopeId(), action);
 if (result != null) {
 IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
 response.setResponseName(getCommandName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
index b9e680a..bb8f03b 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiService.java
@@ -81,4 +81,7 @@ public interface IAMApiService extends PluggableService {
 ListResponse<IAMPolicyResponse> listIAMPolicies(Long iamPolicyId, String iamPolicyName, Long domainId, Long startIndex, Long pageSize);
+
+ // Convert passed scope uuid to internal scope long id
+ Long getPermissionScopeId(String scope, String entityType, String scopeId);
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
index 393fe0e..945f48e 100644
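Review bot: The comment on the new interface method, `// Convert passed scope uuid to internal scope long id`, omits the parts of the contract a caller has to know, all of which are visible in the implementation hunk: the literal `"-1"` is returned as `-1L` without a lookup, `entityType` is only consulted for `RESOURCE` scope, and an id that cannot be resolved raises `InvalidParameterValueException`. Since this is a public service interface, turn it into Javadoc with `@param scope`, `@param entityType`, `@param scopeId`, `@return` and `@throws InvalidParameterValueException` lines stating those three points, and say whether a null `scopeId` is allowed (the implementation currently does not tolerate one).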
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java +++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java @@ -31,8 +31,10 @@ import org.apache.log4j.Logger; import org.apache.cloudstack.acl.IAMEntityType; import org.apache.cloudstack.acl.PermissionScope; import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.affinity.AffinityGroupVO; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.BaseListCmd; +import org.apache.cloudstack.api.InternalIdentity; import org.apache.cloudstack.api.command.iam.AddAccountToIAMGroupCmd; import org.apache.cloudstack.api.command.iam.AddIAMPermissionToIAMPolicyCmd; import org.apache.cloudstack.api.command.iam.AttachIAMPolicyToAccountCmd; @@ -52,6 +54,7 @@ import org.apache.cloudstack.api.response.iam.IAMGroupResponse; import org.apache.cloudstack.api.response.iam.IAMPermissionResponse; import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; import org.apache.cloudstack.context.CallContext; +import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO; import org.apache.cloudstack.framework.messagebus.MessageBus; import org.apache.cloudstack.framework.messagebus.MessageSubscriber; import org.apache.cloudstack.iam.api.IAMGroup; @@ -59,6 +62,9 @@ import org.apache.cloudstack.iam.api.IAMPolicy; import org.apache.cloudstack.iam.api.IAMPolicyPermission; import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission; import org.apache.cloudstack.iam.api.IAMService; +import org.apache.cloudstack.iam.server.IAMGroupVO; +import org.apache.cloudstack.iam.server.IAMPolicyVO; +import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleVO; import com.cloud.api.ApiServerService; import com.cloud.domain.Domain; 
@@ -66,18 +72,50 @@ import com.cloud.domain.DomainVO; import com.cloud.domain.dao.DomainDao; import com.cloud.event.ActionEvent; import com.cloud.event.EventTypes; +import com.cloud.event.EventVO; import com.cloud.exception.InvalidParameterValueException; +import com.cloud.network.UserIpv6AddressVO; +import com.cloud.network.VpnUserVO; +import com.cloud.network.as.AutoScalePolicyVO; +import com.cloud.network.as.AutoScaleVmGroupVO; +import com.cloud.network.as.AutoScaleVmProfileVO; +import com.cloud.network.as.ConditionVO; +import com.cloud.network.dao.IPAddressVO; +import com.cloud.network.dao.MonitoringServiceVO; +import com.cloud.network.dao.NetworkVO; +import com.cloud.network.dao.RemoteAccessVpnVO; +import com.cloud.network.dao.Site2SiteCustomerGatewayVO; +import com.cloud.network.dao.Site2SiteVpnConnectionVO; +import com.cloud.network.dao.Site2SiteVpnGatewayVO; +import com.cloud.network.dao.SslCertVO; +import com.cloud.network.rules.FirewallRuleVO; +import com.cloud.network.rules.PortForwardingRuleVO; +import com.cloud.network.security.SecurityGroupVO; +import com.cloud.network.vpc.StaticRouteVO; +import com.cloud.network.vpc.VpcGatewayVO; +import com.cloud.network.vpc.VpcVO; +import com.cloud.projects.ProjectInvitationVO; +import com.cloud.storage.SnapshotVO; +import com.cloud.storage.VMTemplateVO; +import com.cloud.storage.VolumeVO; +import com.cloud.tags.ResourceTagVO; import com.cloud.template.TemplateManager; import com.cloud.user.Account; import com.cloud.user.AccountManager; import com.cloud.user.AccountVO; import com.cloud.user.DomainManager; +import com.cloud.user.SSHKeyPairVO; import com.cloud.user.dao.AccountDao; import com.cloud.utils.Pair; import com.cloud.utils.component.Manager; import com.cloud.utils.component.ManagerBase; import com.cloud.utils.db.DB; import com.cloud.utils.db.EntityManager; +import com.cloud.vm.InstanceGroupVO; +import com.cloud.vm.UserVmVO; +import com.cloud.vm.dao.NicIpAliasVO; +import com.cloud.vm.dao.NicSecondaryIpVO; 
+import com.cloud.vm.snapshot.VMSnapshotVO; @Local(value = {IAMApiService.class}) public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Manager { 
@@ -103,6 +141,53 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man @Inject MessageBus _messageBus; + @Inject + EntityManager _entityMgr; + + private static final Map<IAMEntityType, Class<?>> s_typeMap = new HashMap<IAMEntityType, Class<?>>(); + static { + s_typeMap.put(IAMEntityType.VirtualMachine, UserVmVO.class); + s_typeMap.put(IAMEntityType.Volume, VolumeVO.class); + s_typeMap.put(IAMEntityType.ResourceTag, ResourceTagVO.class); + s_typeMap.put(IAMEntityType.Account, AccountVO.class); + s_typeMap.put(IAMEntityType.AffinityGroup, AffinityGroupVO.class); + s_typeMap.put(IAMEntityType.AutoScalePolicy, AutoScalePolicyVO.class); + s_typeMap.put(IAMEntityType.AutoScaleVmProfile, AutoScaleVmProfileVO.class); + s_typeMap.put(IAMEntityType.AutoScaleVmGroup, AutoScaleVmGroupVO.class); + s_typeMap.put(IAMEntityType.Condition, ConditionVO.class); + s_typeMap.put(IAMEntityType.Vpc, VpcVO.class); + s_typeMap.put(IAMEntityType.VpcGateway, VpcGatewayVO.class); + s_typeMap.put(IAMEntityType.PrivateGateway, RemoteAccessVpnVO.class); + s_typeMap.put(IAMEntityType.VpnUser, VpnUserVO.class); + s_typeMap.put(IAMEntityType.VMSnapshot, VMSnapshotVO.class); + s_typeMap.put(IAMEntityType.VirtualMachineTemplate, VMTemplateVO.class); + s_typeMap.put(IAMEntityType.UserIpv6Address, UserIpv6AddressVO.class); + s_typeMap.put(IAMEntityType.StaticRoute, StaticRouteVO.class); + s_typeMap.put(IAMEntityType.SSHKeyPair, SSHKeyPairVO.class); + s_typeMap.put(IAMEntityType.Snapshot, SnapshotVO.class); + s_typeMap.put(IAMEntityType.Site2SiteVpnGateway, Site2SiteVpnGatewayVO.class); + s_typeMap.put(IAMEntityType.Site2SiteCustomerGateway, Site2SiteCustomerGatewayVO.class); + s_typeMap.put(IAMEntityType.Site2SiteVpnConnection, Site2SiteVpnConnectionVO.class); + s_typeMap.put(IAMEntityType.SecurityGroup, SecurityGroupVO.class); + s_typeMap.put(IAMEntityType.RemoteAccessVpn, RemoteAccessVpnVO.class); + s_typeMap.put(IAMEntityType.PublicIpAddress, IPAddressVO.class); + 
s_typeMap.put(IAMEntityType.ProjectInvitation, ProjectInvitationVO.class); + s_typeMap.put(IAMEntityType.NicSecondaryIp, NicSecondaryIpVO.class); + s_typeMap.put(IAMEntityType.NicIpAlias, NicIpAliasVO.class); + s_typeMap.put(IAMEntityType.Network, NetworkVO.class); + s_typeMap.put(IAMEntityType.IpAddress, IPAddressVO.class); + s_typeMap.put(IAMEntityType.InstanceGroup, InstanceGroupVO.class); + s_typeMap.put(IAMEntityType.GlobalLoadBalancerRule, GlobalLoadBalancerRuleVO.class); + s_typeMap.put(IAMEntityType.FirewallRule, FirewallRuleVO.class); + s_typeMap.put(IAMEntityType.PortForwardingRule, PortForwardingRuleVO.class); + s_typeMap.put(IAMEntityType.Event, EventVO.class); + s_typeMap.put(IAMEntityType.AsyncJob, AsyncJobVO.class); + s_typeMap.put(IAMEntityType.AclGroup, IAMGroupVO.class); + s_typeMap.put(IAMEntityType.AclPolicy, IAMPolicyVO.class); + s_typeMap.put(IAMEntityType.MonitorService, MonitoringServiceVO.class); + s_typeMap.put(IAMEntityType.SSLCert, SslCertVO.class); + } + @Override public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException { _messageBus.subscribe(AccountManager.MESSAGE_ADD_ACCOUNT_EVENT, new MessageSubscriber() { 
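Review bot: `s_typeMap.put(IAMEntityType.PrivateGateway, RemoteAccessVpnVO.class);` looks like a copy/paste slip — `RemoteAccessVpn` is mapped to the same VO a few lines further down, while a private gateway is presumably backed by `VpcGatewayVO` (already imported and used for `VpcGateway`); confirm which VO class a PrivateGateway resolves through, because a wrong class here makes every lookup for that type fail. The map is a mutable static `HashMap` that is only ever read after the static initializer; keying an `EnumMap<IAMEntityType, Class<?>>` and wrapping it in `Collections.unmodifiableMap` documents that and prevents accidental mutation (a `java.util.Collections` import would be needed if the file lacks one). Note also that the map is keyed by the enum, not by its name, which the lookup in `getPermissionScopeId` later in this file has to respect. The enclosing class continues outside the hunk.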
@@ -669,6 +754,31 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
 }
 @Override
+ public Long getPermissionScopeId(String scope, String entityType, String scopeId) {
+ if (scopeId.equals("-1")) {
+ return -1L;
+ }
+ PermissionScope permScope = PermissionScope.valueOf(scope);
+ InternalIdentity entity = null;
+ switch (permScope) {
+ case DOMAIN:
+ entity = _domainDao.findByUuid(scopeId);
+ break;
+ case ACCOUNT:
+ entity = _accountDao.findByUuid(scopeId);
+ break;
+ case RESOURCE:
+ Class<?> clazz = s_typeMap.get(entityType);
+ entity = (InternalIdentity)_entityMgr.findByUuid(clazz, scopeId);
+ }
+
+ if (entity != null) {
+ return entity.getId();
+ }
+ throw new InvalidParameterValueException("Unable to find scopeId " + scopeId + " with scope " + scope + " and type " + entityType);
+ }
+
+ @Override
 public List<Class<?>> getCommands() {
 List<Class<?>> cmdList = new ArrayList<Class<?>>();
 cmdList.add(CreateIAMPolicyCmd.class);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e4c3b0e/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
index 4b376ce..dc5c168 100644
--- a/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
+++ b/services/iam/plugin/test/org/apache/cloudstack/iam/test/IAMApiServiceTest.java
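Review bot: `s_typeMap.get(entityType)` in the `RESOURCE` branch passes a `String` to a map keyed by `IAMEntityType`; `Map.get(Object)` compiles but can never match, so `clazz` is always null and every RESOURCE-scoped request goes to `_entityMgr.findByUuid(null, scopeId)` and, at best, ends in the generic `InvalidParameterValueException`. The lookup needs `IAMEntityType.valueOf(entityType)` plus null checks on the type and on the map result, and the `switch` needs a `default` branch so a `PermissionScope` value that is not DOMAIN/ACCOUNT/RESOURCE fails explicitly instead of silently leaving `entity` null; `"-1".equals(scopeId)` is the null-safe form of the sentinel test since the parameter is optional at the API layer. Separately, this method resolves any caller-supplied UUID — a domain, an account, or any of the roughly forty resource VOs in `s_typeMap` — to an internal id with no check that the caller is allowed to reference that entity; unless the command layer already checks access to the scope entity (the visible cmd hunks do not), an access check on the resolved entity, e.g. through the injected AccountManager's checkAccess with the appropriate `AccessType`, belongs here before the id is returned, otherwise the found/not-found distinction also lets a caller probe whether arbitrary UUIDs exist.
```java
public Long getPermissionScopeId(String scope, String entityType, String scopeId) {
    if ("-1".equals(scopeId)) {
        return -1L;
    }
    PermissionScope permScope = PermissionScope.valueOf(scope);
    InternalIdentity entity = null;
    switch (permScope) {
    // … unchanged: DOMAIN and ACCOUNT cases …
    case RESOURCE:
        if (entityType == null) {
            throw new InvalidParameterValueException("entityType is required for RESOURCE scope");
        }
        // the map is keyed by the enum, so the API string must be converted first
        Class<?> clazz = s_typeMap.get(IAMEntityType.valueOf(entityType));
        if (clazz == null) {
            throw new InvalidParameterValueException("No entity class registered for type " + entityType);
        }
        entity = (InternalIdentity)_entityMgr.findByUuid(clazz, scopeId);
        break;
    default:
        throw new InvalidParameterValueException("Unsupported permission scope " + scope);
    }
    // … unchanged: null check on entity, getId(), InvalidParameterValueException …
}
```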
@@ -37,8 +37,6 @@ import org.springframework.test.context.support.AnnotationConfigContextLoader; import org.apache.cloudstack.acl.IAMEntityType; import org.apache.cloudstack.acl.PermissionScope; import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.iam.IAMApiServiceImpl; -import org.apache.cloudstack.iam.IAMApiService; import org.apache.cloudstack.api.command.user.vm.ListVMsCmd; import org.apache.cloudstack.api.response.ListResponse; import org.apache.cloudstack.api.response.iam.IAMGroupResponse; @@ -46,6 +44,8 @@ import org.apache.cloudstack.api.response.iam.IAMPermissionResponse; import org.apache.cloudstack.api.response.iam.IAMPolicyResponse; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.framework.messagebus.MessageBus; +import org.apache.cloudstack.iam.IAMApiService; +import org.apache.cloudstack.iam.IAMApiServiceImpl; import org.apache.cloudstack.iam.api.IAMGroup; import org.apache.cloudstack.iam.api.IAMPolicy; import org.apache.cloudstack.iam.api.IAMPolicyPermission; @@ -67,6 +67,7 @@ import com.cloud.user.UserVO; import com.cloud.user.dao.AccountDao; import com.cloud.utils.Pair; import com.cloud.utils.component.ComponentContext; +import com.cloud.utils.db.EntityManager; @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration(loader = AnnotationConfigContextLoader.class) @@ -347,6 +348,11 @@ public class IAMApiServiceTest { } @Bean + public EntityManager entityMgr() { + return Mockito.mock(EntityManager.class); + } + + @Bean public ApiServerService apiServerService() { return Mockito.mock(ApiServerService.class); }
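Review bot: The commit adds `getPermissionScopeId` but no test exercises it; the only change to IAMApiServiceTest is the `entityMgr()` bean, and a Mockito mock `EntityManager` returns null from `findByUuid` by default, so a RESOURCE-scope call would only ever reach the `InvalidParameterValueException` path. A test that stubs the mocked DAOs and entity manager to return an entity with a known id for each of the DOMAIN, ACCOUNT and RESOURCE scopes, plus one case for the `"-1"` sentinel and one for an unknown UUID, would cover the new branches. Whether the DAO mocks needed for DOMAIN/ACCOUNT already exist in this configuration is not visible in the hunk.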