Repository: cloudstack
Updated Branches:
  refs/heads/4.4 b917184fd -> a8a0e84b8


Split the Root Admin policy to allow 'ListEntry' access for listing resources 
for scope 'all', but 'UseEntry' access only within Account scope

Same with Domain Admin policy


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a8a0e84b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a8a0e84b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a8a0e84b

Branch: refs/heads/4.4
Commit: a8a0e84b88b2635d3603a663925f1571c3d86b9d
Parents: b917184
Author: Prachi Damle <pra...@cloud.com>
Authored: Tue Apr 1 16:01:36 2014 -0700
Committer: Prachi Damle <pra...@cloud.com>
Committed: Tue Apr 1 16:01:36 2014 -0700

----------------------------------------------------------------------
 .../iam/RoleBasedAPIAccessChecker.java          | 49 +++++++++++++-------
 1 file changed, 32 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a8a0e84b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git 
a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
 
b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
index 9964d48..b7f672c 100644
--- 
a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
+++ 
b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
@@ -218,23 +218,6 @@ public class RoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker
     private void addDefaultAclPolicyPermission(String apiName, Class<?> 
cmdClass, RoleType role) {
         AccessType accessType = null;
         Class<?>[] entityTypes = null;
-        if (cmdClass != null) {
-            BaseCmd cmdObj;
-            try {
-                cmdObj = (BaseCmd) cmdClass.newInstance();
-                if (cmdObj instanceof BaseListCmd) {
-                    accessType = AccessType.UseEntry;
-                } else if (!(cmdObj instanceof BaseAsyncCreateCmd)) {
-                    accessType = AccessType.OperateEntry;
-                }
-            } catch (Exception e) {
-                throw new CloudRuntimeException(String.format(
-                        "%s is claimed as an API command, but it cannot be 
instantiated", cmdClass.getName()));
-             }
-
-            APICommand at = cmdClass.getAnnotation(APICommand.class);
-            entityTypes = at.entityType();
-        }
 
         PermissionScope permissionScope = PermissionScope.ACCOUNT;
         Long policyId = getDefaultPolicyId(role);
@@ -256,15 +239,47 @@ public class RoleBasedAPIAccessChecker extends 
AdapterBase implements APIChecker
             break;
          }
 
+        boolean addAccountScopedUseEntry = false;
+
+        if (cmdClass != null) {
+            BaseCmd cmdObj;
+            try {
+                cmdObj = (BaseCmd) cmdClass.newInstance();
+                if (cmdObj instanceof BaseListCmd) {
+                    if (permissionScope == PermissionScope.ACCOUNT) {
+                        accessType = AccessType.UseEntry;
+                    } else {
+                        accessType = AccessType.ListEntry;
+                        addAccountScopedUseEntry = true;
+                    }
+                } else if (!(cmdObj instanceof BaseAsyncCreateCmd)) {
+                    accessType = AccessType.OperateEntry;
+                }
+            } catch (Exception e) {
+                throw new CloudRuntimeException(String.format(
+                        "%s is claimed as an API command, but it cannot be 
instantiated", cmdClass.getName()));
+            }
+
+            APICommand at = cmdClass.getAnnotation(APICommand.class);
+            entityTypes = at.entityType();
+        }
 
         if (entityTypes == null || entityTypes.length == 0) {
             _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, 
permissionScope.toString(), new 
Long(IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
                     apiName, (accessType == null) ? null : 
accessType.toString(), Permission.Allow, false);
+            if (addAccountScopedUseEntry) {
+                _iamSrv.addIAMPermissionToIAMPolicy(policyId, null, 
PermissionScope.ACCOUNT.toString(), new Long(
+                        
IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, 
AccessType.UseEntry.toString(), Permission.Allow, false);
+            }
         } else {
             for (Class<?> entityType : entityTypes) {
                 _iamSrv.addIAMPermissionToIAMPolicy(policyId, 
entityType.getSimpleName(), permissionScope.toString(), new Long(
                         
IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER),
                         apiName, (accessType == null) ? null : 
accessType.toString(), Permission.Allow, false);
+                if (addAccountScopedUseEntry) {
+                    _iamSrv.addIAMPermissionToIAMPolicy(policyId, 
entityType.getSimpleName(), PermissionScope.ACCOUNT.toString(), new Long(
+                            
IAMPolicyPermission.PERMISSION_SCOPE_ID_CURRENT_CALLER), apiName, 
AccessType.UseEntry.toString(), Permission.Allow, false);
+                }
             }
          }
 
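Review bot: `cmdClass.getAnnotation(APICommand.class)` is dereferenced on the following line (`at.entityType()`) without a null check, so a command class lacking the annotation would fail here with a bare NullPointerException instead of an error naming the class; a guard such as `if (at == null) { throw new CloudRuntimeException(cmdClass.getName() + " has no @APICommand annotation"); }` would make that failure explicit. The relocated `catch (Exception e)` also discards `e`; passing it as the cause, `new CloudRuntimeException(String.format(...), e)`, keeps the underlying instantiation failure visible in the logs. In the list-command branch the `else` applies to every scope other than ACCOUNT, and the reason a wide `ListEntry` grant is paired with an account-scoped `UseEntry` grant is stated only in the commit message, so a short comment above `addAccountScopedUseEntry` would keep that authorization intent next to the code. The method begins before this hunk and continues after it.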
