
Commit 72812cd

committed
Grant public template permission to domain admin and normal user policy.
1 parent 748dc15 commit 72812cd

4 files changed

Lines changed: 37 additions & 0 deletions


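--- a/engine/components-api/src/com/cloud/template/TemplateManager.java
+++ b/engine/components-api/src/com/cloud/template/TemplateManager.java
@@ -113,4 +113,5 @@ public interface TemplateManager {
 
 TemplateInfo prepareIso(long isoId, long dcId);
 
+public static final String MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT = "Message.RegisterPublicTemplate.Event";
 }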
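Review bot: The new constant documents neither who publishes this subject nor what the payload is, yet the subscriber added in AclApiServiceImpl casts the payload straight to Long, so that contract belongs here. Add a Javadoc such as `/** Message-bus subject published after a public template has been registered; the payload is the new template's id as a {@link Long}. */`. On an interface the `public static final` modifiers are implicit and can be dropped.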

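--- a/server/src/com/cloud/template/HypervisorTemplateAdapter.java
+++ b/server/src/com/cloud/template/HypervisorTemplateAdapter.java
@@ -44,6 +44,8 @@
 import org.apache.cloudstack.framework.async.AsyncCallbackDispatcher;
 import org.apache.cloudstack.framework.async.AsyncCompletionCallback;
 import org.apache.cloudstack.framework.async.AsyncRpcContext;
+import org.apache.cloudstack.framework.messagebus.MessageBus;
+import org.apache.cloudstack.framework.messagebus.PublishScope;
 import org.apache.cloudstack.storage.datastore.db.TemplateDataStoreVO;
 import org.apache.cloudstack.storage.image.datastore.ImageStoreEntity;
 
@@ -95,6 +97,8 @@ public class HypervisorTemplateAdapter extends TemplateAdapterBase {
 EndPointSelector _epSelector;
 @Inject
 DataCenterDao _dcDao;
+@Inject
+MessageBus _messageBus;
 
 @Override
 public String getName() {
@@ -267,6 +271,10 @@ protected Void createTemplateAsyncCallBack(AsyncCallbackDispatcher<HypervisorTem
 TemplateInfo template = context.template;
 if (result.isSuccess()) {
 VMTemplateVO tmplt = _tmpltDao.findById(template.getId());
+// need to grant permission for public templates
+if (tmplt.isPublicTemplate()) {
+_messageBus.publish(_name, TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, PublishScope.LOCAL, tmplt.getId());
+}
 long accountId = tmplt.getAccountId();
 if (template.getSize() != null) {
 // publish usage event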
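Review bot: The comment `// need to grant permission for public templates` does not say that nothing is granted here — the actual grant is done by whichever subscriber handles the subject (on this page, the IAM plugin in AclApiServiceImpl), and only in-process because the scope is PublishScope.LOCAL. Suggest `// Public templates must be listable by every account; notify the IAM plugin (local scope only) so it can grant its domain-admin and normal-user policies access to this template id.` The event fires only on successful creation, so a template whose public flag is changed afterwards, if such a path exists, would not be covered by this hook. createTemplateAsyncCallBack starts and ends outside the hunk.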

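--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -40,6 +40,8 @@
 
 import com.cloud.api.ApiServerService;
 import com.cloud.exception.PermissionDeniedException;
+import com.cloud.storage.VMTemplateVO;
+import com.cloud.storage.dao.VMTemplateDao;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
@@ -61,6 +63,8 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
 ApiServerService _apiServer;
 @Inject
 IAMService _iamSrv;
+@Inject
+VMTemplateDao _templateDao;
 
 Set<String> commandsPropertiesOverrides = new HashSet<String>();
 Map<RoleType, Set<String>> commandsPropertiesRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
@@ -122,6 +126,15 @@ public boolean start() {
 _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1), null, null, null,
 "DomainResourceCapability", null, Permission.Allow);
 
+// add permissions for public templates
+List<VMTemplateVO> pTmplts = _templateDao.listByPublic();
+for (VMTemplateVO tmpl : pTmplts){
+_iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), AclEntityType.VirtualMachineTemplate.toString(),
+PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow);
+_iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), AclEntityType.VirtualMachineTemplate.toString(),
+PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow);
+}
+
 for (PluggableService service : _services) {
 for (Class<?> cmdClass : service.getCommands()) {
 APICommand command = cmdClass.getAnnotation(APICommand.class);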
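Review bot: The loop in start() re-issues two addAclPermissionToAclPolicy calls for every public template on each management-server start with no visible check that the permission already exists; unless that method deduplicates (not visible here), every restart adds duplicate permission rows, and with many public templates it is one DB write per template per policy on the startup path. Consider having the IAM service skip existing entries or checking before inserting. The same two calls are repeated verbatim in the subscriber added in AclApiServiceImpl; one helper on the IAM side that takes a template id and grants both policies would keep the boot-time and event-time paths from drifting. The brace in `for (VMTemplateVO tmpl : pTmplts){` wants a space before it. start() continues outside the hunk.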

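--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -65,6 +65,7 @@
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.template.TemplateManager;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.AccountVO;
@@ -150,6 +151,20 @@ public void onPublishMessage(String senderAddress, String subject, Object obj) {
 }
 });
 
+_messageBus.subscribe(TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, new MessageSubscriber() {
+@Override
+public void onPublishMessage(String senderAddress, String subject, Object obj) {
+Long templateId = (Long)obj;
+if (templateId != null) {
+s_logger.debug("MessageBus message: new public template registered: " + templateId + ", grant permission to domain admin and normal user policies");
+_iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), AclEntityType.VirtualMachineTemplate.toString(),
+PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow);
+_iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), AclEntityType.VirtualMachineTemplate.toString(),
+PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow);
+}
+}
+});
+
 return super.configure(name, params);
 }
 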
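Review bot: `Long templateId = (Long)obj;` throws ClassCastException inside the subscriber if a publisher ever sends a different payload type, and the null check on the following line only covers the null case. Replace the cast and check with `if (!(obj instanceof Long)) { s_logger.warn("Ignoring unexpected payload for public template event: " + obj); return; }` followed by `Long templateId = (Long) obj;`. The subscriber only ever adds permissions; nothing on this page removes them when a template later stops being public, so the grant to the domain-admin and normal-user policies would persist — if that transition exists, a matching revoke path is needed. The enclosing configure() starts outside the hunk.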
