Repository: cloudstack Updated Branches: refs/heads/4.4 4ca65496c -> 504bd0377
CLOUDSTACK-6533: IAM - Templates - Public templates do not have permissions to be used by ROOT group. Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/504bd037 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/504bd037 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/504bd037 Branch: refs/heads/4.4 Commit: 504bd0377d8053a911f9823e06ce288af057446b Parents: 4ca6549 Author: Min Chen <min.c...@citrix.com> Authored: Tue Apr 29 11:48:45 2014 -0700 Committer: Daan Hoogland <d...@onecht.net> Committed: Wed Apr 30 10:38:55 2014 +0200 ---------------------------------------------------------------------- .../plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java | 5 ++++- .../org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/504bd037/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java ----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
index f9f76c1..b4c2d4d 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
@@ -257,7 +257,10 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
 public void onPublishMessage(String senderAddress, String subject, Object obj) {
 Long templateId = (Long)obj;
 if (templateId != null) {
- s_logger.debug("MessageBus message: new public template registered: " + templateId + ", grant permission to domain admin and normal user policies");
+ s_logger.debug("MessageBus message: new public template registered: " + templateId
+ + ", grant permission to default root admin, domain admin and normal user policies");
+ _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
+ PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
 _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
 PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
 _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/504bd037/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java ----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
index fe71912..3a3ba4d 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
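Review bot: In onPublishMessage (IAMApiServiceImpl.java) the added grant selects the root-admin policy as `new Long(Account.ACCOUNT_TYPE_ADMIN + 1)`, so which policy receives the Allow entry depends on an undocumented convention that a default policy's id equals the account type plus one; nothing in the hunk shows where that is enforced. The two existing calls rely on the same convention, and the same three-call list is repeated in RoleBasedAPIAccessChecker, which makes it easy for one policy to be missing from one copy. I would put a comment above the new call, for example `// default policy ids are account type + 1 (root admin, domain admin, normal user); keep this list in sync with RoleBasedAPIAccessChecker`, and write `Long.valueOf(...)` instead of `new Long(...)`. The method body continues outside the hunk.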
@@ -132,6 +132,8 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 // add permissions for public templates
 List<VMTemplateVO> pTmplts = _templateDao.listByPublic();
 for (VMTemplateVO tmpl : pTmplts){
+ _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
+ PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
 _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
 PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
 _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
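Review bot: The added call in the public-template loop of RoleBasedAPIAccessChecker runs once per template every time this block executes, and the hunk does not show whether `addIAMPermissionToIAMPolicy` ignores a permission that already exists. If it does not, repeated runs would leave duplicate Allow entries on the root-admin policy, and a later revoke that removes a single entry would not actually withdraw access. This is worth confirming and stating in the comment above the loop, e.g. `// idempotent: re-adding an existing permission is a no-op` if that holds, or guarding the call if it does not. The loop and its enclosing method continue outside the hunk.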