
Commit 748dc15

committed
Support attaching policy to account.
1 parent 91317dc commit 748dc15

14 files changed

Lines changed: 489 additions & 46 deletions


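--- a/api/src/com/cloud/event/EventTypes.java
+++ b/api/src/com/cloud/event/EventTypes.java
@@ -459,6 +459,7 @@ public class EventTypes {
 public static final String EVENT_ACL_GROUP_DELETE = "ACLGROUP.DELETE";
 public static final String EVENT_ACL_GROUP_GRANT = "ACLGROUP.GRANT";
 public static final String EVENT_ACL_GROUP_REVOKE = "ACLGROUP.REVOKE";
+public static final String EVENT_ACL_ACCOUNT_POLICY_UPDATE = "ACLACCOUNTPOLICY.UPDATE";
 
 // Object store migration
 public static final String EVENT_MIGRATE_PREPARE_SECONDARY_STORAGE = "MIGRATE.PREPARE.SS";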
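Review bot: A single `EVENT_ACL_ACCOUNT_POLICY_UPDATE` type serves both attaching and removing a policy (it is the value of both `@ActionEvent` annotations and both `getEventType()` methods added elsewhere in this commit), so anyone filtering the event log by type cannot tell a permission grant from a revocation. The neighbouring group constants keep `EVENT_ACL_GROUP_GRANT` and `EVENT_ACL_GROUP_REVOKE` apart; separate constants here, for example `EVENT_ACL_ACCOUNT_POLICY_ATTACH` and `EVENT_ACL_ACCOUNT_POLICY_REMOVE` (names are only a suggestion), would keep the audit trail equally precise. The EventTypes class body continues outside the hunk.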

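--- a/client/tomcatconf/commands.properties.in
+++ b/client/tomcatconf/commands.properties.in
@@ -718,6 +718,8 @@ addAccountToAclGroup=1
 removeAccountFromAclGroup=1
 attachAclPolicyToAclGroup=1
 removeAclPolicyFromAclGroup=1
+attachAclPolicyToAccount=1
+removeAclPolicyFromAccount=1
 
 #### juniper-contrail commands
 createServiceInstance=1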

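--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiService.java
@@ -50,9 +50,13 @@ public interface AclApiService extends PluggableService {
 
 List<AclPolicy> listAclPolicies(long accountId);
 
-AclGroup attachAclPoliciesToGroup(List<Long> roleIds, Long groupId);
+AclGroup attachAclPoliciesToGroup(List<Long> policyIds, Long groupId);
 
-AclGroup removeAclPoliciesFromGroup(List<Long> roleIds, Long groupId);
+AclGroup removeAclPoliciesFromGroup(List<Long> policyIds, Long groupId);
+
+void attachAclPolicyToAccounts(Long policyId, List<Long> accountIds);
+
+void removeAclPolicyFromAccounts(Long policyId, List<Long> accountIds);
 
 AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm);
 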

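--- a/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/api/AclApiServiceImpl.java
@@ -32,6 +32,7 @@
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.acl.api.command.AddAccountToAclGroupCmd;
 import org.apache.cloudstack.acl.api.command.AddAclPermissionToAclPolicyCmd;
+import org.apache.cloudstack.acl.api.command.AttachAclPolicyToAccountCmd;
 import org.apache.cloudstack.acl.api.command.AttachAclPolicyToAclGroupCmd;
 import org.apache.cloudstack.acl.api.command.CreateAclGroupCmd;
 import org.apache.cloudstack.acl.api.command.CreateAclPolicyCmd;
@@ -41,6 +42,7 @@
 import org.apache.cloudstack.acl.api.command.ListAclPoliciesCmd;
 import org.apache.cloudstack.acl.api.command.RemoveAccountFromAclGroupCmd;
 import org.apache.cloudstack.acl.api.command.RemoveAclPermissionFromAclPolicyCmd;
+import org.apache.cloudstack.acl.api.command.RemoveAclPolicyFromAccountCmd;
 import org.apache.cloudstack.acl.api.command.RemoveAclPolicyFromAclGroupCmd;
 import org.apache.cloudstack.acl.api.response.AclGroupResponse;
 import org.apache.cloudstack.acl.api.response.AclPermissionResponse;
@@ -243,6 +245,20 @@ public AclGroup removeAclPoliciesFromGroup(final List<Long> policyIds, final Lon
 }
 
 
+@DB
+@Override
+@ActionEvent(eventType = EventTypes.EVENT_ACL_ACCOUNT_POLICY_UPDATE, eventDescription = "Attaching policy to accounts")
+public void attachAclPolicyToAccounts(final Long policyId, final List<Long> accountIds) {
+_iamSrv.attachAclPolicyToAccounts(policyId, accountIds);
+}
+
+@DB
+@Override
+@ActionEvent(eventType = EventTypes.EVENT_ACL_ACCOUNT_POLICY_UPDATE, eventDescription = "Removing policy from accounts")
+public void removeAclPolicyFromAccounts(final Long policyId, final List<Long> accountIds) {
+_iamSrv.removeAclPolicyFromAccounts(policyId, accountIds);
+}
+
 @DB
 @Override
 @ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting acl permission to Acl Policy")
@@ -439,6 +455,8 @@ public List<Class<?>> getCommands() {
 cmdList.add(ListAclGroupsCmd.class);
 cmdList.add(AddAccountToAclGroupCmd.class);
 cmdList.add(RemoveAccountFromAclGroupCmd.class);
+cmdList.add(AttachAclPolicyToAccountCmd.class);
+cmdList.add(RemoveAclPolicyFromAccountCmd.class);
 return cmdList;
 }
 }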
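Review bot: `attachAclPolicyToAccounts` and `removeAclPolicyFromAccounts` hand `policyId` and `accountIds` straight to `_iamSrv` with no check, visible in these hunks, that the caller may manage the policy or the target accounts, and with no handling of a null or empty `accountIds`. Attaching a policy grants permissions, so if the other methods of this class validate the caller (their bodies are outside the hunks shown), these two should do the same before delegating; otherwise the role mask in commands.properties is the only gate. The `@ActionEvent` descriptions are static strings, so the recorded event names the affected accounts only if the command sets event details. I would also add a Javadoc comment to each method stating who may call it and what happens for ids that do not exist.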
Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,122 @@
1+
// Licensed to the Apache Software Foundation (ASF) under one
2+
// or more contributor license agreements. See the NOTICE file
3+
// distributed with this work for additional information
4+
// regarding copyright ownership. The ASF licenses this file
5+
// to you under the Apache License, Version 2.0 (the
6+
// "License"); you may not use this file except in compliance
7+
// with the License. You may obtain a copy of the License at
8+
//
9+
// http://www.apache.org/licenses/LICENSE-2.0
10+
//
11+
// Unless required by applicable law or agreed to in writing,
12+
// software distributed under the License is distributed on an
13+
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14+
// KIND, either express or implied. See the License for the
15+
// specific language governing permissions and limitations
16+
// under the License.
17+
package org.apache.cloudstack.acl.api.command;
18+
19+
import java.util.List;
20+
21+
import javax.inject.Inject;
22+
23+
import org.apache.log4j.Logger;
24+
25+
import org.apache.cloudstack.acl.api.AclApiService;
26+
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
27+
import org.apache.cloudstack.api.ACL;
28+
import org.apache.cloudstack.api.APICommand;
29+
import org.apache.cloudstack.api.ApiCommandJobType;
30+
import org.apache.cloudstack.api.ApiConstants;
31+
import org.apache.cloudstack.api.BaseAsyncCmd;
32+
import org.apache.cloudstack.api.Parameter;
33+
import org.apache.cloudstack.api.ServerApiException;
34+
import org.apache.cloudstack.api.response.AccountResponse;
35+
import org.apache.cloudstack.api.response.SuccessResponse;
36+
import org.apache.cloudstack.context.CallContext;
37+
38+
import com.cloud.event.EventTypes;
39+
import com.cloud.exception.InsufficientCapacityException;
40+
import com.cloud.exception.ResourceUnavailableException;
41+
import com.cloud.user.Account;
42+
43+
44+
@APICommand(name = "attachAclPolicyToAccount", description = "attach acl policy to accounts", responseObject = SuccessResponse.class)
45+
public class AttachAclPolicyToAccountCmd extends BaseAsyncCmd {
46+
public static final Logger s_logger = Logger.getLogger(AttachAclPolicyToAccountCmd.class.getName());
47+
private static final String s_name = "attachaclpolicytoaccountresponse";
48+
49+
@Inject
50+
public AclApiService _aclApiSrv;
51+
52+
/////////////////////////////////////////////////////
53+
//////////////// API parameters /////////////////////
54+
/////////////////////////////////////////////////////
55+
56+
57+
@ACL
58+
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclPolicyResponse.class,
59+
required = true, description = "The ID of the acl policy")
60+
private Long id;
61+
62+
@ACL
63+
@Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that the policy will attach to.")
64+
private List<Long> accountIdList;
65+
66+
67+
/////////////////////////////////////////////////////
68+
/////////////////// Accessors ///////////////////////
69+
/////////////////////////////////////////////////////
70+
71+
72+
public Long getId() {
73+
return id;
74+
}
75+
76+
77+
public List<Long> getAccountIdList() {
78+
return accountIdList;
79+
}
80+
81+
/////////////////////////////////////////////////////
82+
/////////////// API Implementation///////////////////
83+
/////////////////////////////////////////////////////
84+
85+
86+
@Override
87+
public String getCommandName() {
88+
return s_name;
89+
}
90+
91+
92+
@Override
93+
public long getEntityOwnerId() {
94+
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
95+
}
96+
97+
@Override
98+
public void execute() throws ResourceUnavailableException,
99+
InsufficientCapacityException, ServerApiException {
100+
CallContext.current().setEventDetails("Acl policy Id: " + getId());
101+
_aclApiSrv.attachAclPolicyToAccounts(id, accountIdList);
102+
SuccessResponse response = new SuccessResponse();
103+
response.setResponseName(getCommandName());
104+
setResponseObject(response);
105+
}
106+
107+
@Override
108+
public String getEventType() {
109+
return EventTypes.EVENT_ACL_ACCOUNT_POLICY_UPDATE;
110+
}
111+
112+
@Override
113+
public String getEventDescription() {
114+
return "adding acl policy to accounts";
115+
}
116+
117+
@Override
118+
public ApiCommandJobType getInstanceType() {
119+
return ApiCommandJobType.Account;
120+
}
121+
122+
}
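Review bot: The `accounts` parameter is not marked `required = true`, so `execute()` can pass a null `accountIdList` to `attachAclPolicyToAccounts`; add `required = true` to its `@Parameter`, or reject an empty list in `execute()`. The event details record only the policy id, so the audit entry for a permission grant does not say which accounts received it; `CallContext.current().setEventDetails("Acl policy Id: " + getId() + "; account Ids: " + getAccountIdList());` would close that gap. `getEntityOwnerId()` returns `Account.ACCOUNT_ID_SYSTEM`, which leaves any owner-based access check without an account to compare against; that is presumably intended for an admin-only command, but it deserves a comment saying so. `_aclApiSrv` and `s_logger` have no visible reason to be `public` and could be `private`.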
Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,122 @@
1+
// Licensed to the Apache Software Foundation (ASF) under one
2+
// or more contributor license agreements. See the NOTICE file
3+
// distributed with this work for additional information
4+
// regarding copyright ownership. The ASF licenses this file
5+
// to you under the Apache License, Version 2.0 (the
6+
// "License"); you may not use this file except in compliance
7+
// with the License. You may obtain a copy of the License at
8+
//
9+
// http://www.apache.org/licenses/LICENSE-2.0
10+
//
11+
// Unless required by applicable law or agreed to in writing,
12+
// software distributed under the License is distributed on an
13+
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14+
// KIND, either express or implied. See the License for the
15+
// specific language governing permissions and limitations
16+
// under the License.
17+
package org.apache.cloudstack.acl.api.command;
18+
19+
import java.util.List;
20+
21+
import javax.inject.Inject;
22+
23+
import org.apache.log4j.Logger;
24+
25+
import org.apache.cloudstack.acl.api.AclApiService;
26+
import org.apache.cloudstack.acl.api.response.AclGroupResponse;
27+
import org.apache.cloudstack.acl.api.response.AclPolicyResponse;
28+
import org.apache.cloudstack.api.ACL;
29+
import org.apache.cloudstack.api.APICommand;
30+
import org.apache.cloudstack.api.ApiCommandJobType;
31+
import org.apache.cloudstack.api.ApiConstants;
32+
import org.apache.cloudstack.api.BaseAsyncCmd;
33+
import org.apache.cloudstack.api.Parameter;
34+
import org.apache.cloudstack.api.ServerApiException;
35+
import org.apache.cloudstack.api.response.SuccessResponse;
36+
import org.apache.cloudstack.context.CallContext;
37+
38+
import com.cloud.event.EventTypes;
39+
import com.cloud.exception.InsufficientCapacityException;
40+
import com.cloud.exception.ResourceUnavailableException;
41+
import com.cloud.user.Account;
42+
43+
44+
@APICommand(name = "removeAclPolicyFromAccount", description = "remove acl policy from accounts", responseObject = SuccessResponse.class)
45+
public class RemoveAclPolicyFromAccountCmd extends BaseAsyncCmd {
46+
public static final Logger s_logger = Logger.getLogger(RemoveAclPolicyFromAccountCmd.class.getName());
47+
private static final String s_name = "removeaclpolicyfromaccountresponse";
48+
49+
@Inject
50+
public AclApiService _aclApiSrv;
51+
52+
/////////////////////////////////////////////////////
53+
//////////////// API parameters /////////////////////
54+
/////////////////////////////////////////////////////
55+
56+
57+
@ACL
58+
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class,
59+
required = true, description = "The ID of the acl group")
60+
private Long id;
61+
62+
@ACL
63+
@Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclPolicyResponse.class, description = "comma separated list of acl policy id that are going to be applied to the acl group.")
64+
private List<Long> accountIdList;
65+
66+
67+
/////////////////////////////////////////////////////
68+
/////////////////// Accessors ///////////////////////
69+
/////////////////////////////////////////////////////
70+
71+
72+
public Long getId() {
73+
return id;
74+
}
75+
76+
77+
public List<Long> getAccountIdList() {
78+
return accountIdList;
79+
}
80+
81+
/////////////////////////////////////////////////////
82+
/////////////// API Implementation///////////////////
83+
/////////////////////////////////////////////////////
84+
85+
86+
@Override
87+
public String getCommandName() {
88+
return s_name;
89+
}
90+
91+
92+
@Override
93+
public long getEntityOwnerId() {
94+
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
95+
}
96+
97+
@Override
98+
public void execute() throws ResourceUnavailableException,
99+
InsufficientCapacityException, ServerApiException {
100+
CallContext.current().setEventDetails("Acl policy Id: " + getId());
101+
_aclApiSrv.removeAclPolicyFromAccounts(id, accountIdList);
102+
SuccessResponse response = new SuccessResponse();
103+
response.setResponseName(getCommandName());
104+
setResponseObject(response);
105+
}
106+
107+
@Override
108+
public String getEventType() {
109+
return EventTypes.EVENT_ACL_ACCOUNT_POLICY_UPDATE;
110+
}
111+
112+
@Override
113+
public String getEventDescription() {
114+
return "removing acl policy from accounts";
115+
}
116+
117+
@Override
118+
public ApiCommandJobType getInstanceType() {
119+
return ApiCommandJobType.Account;
120+
}
121+
122+
}
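Review bot: The two `@Parameter` annotations look copied from the group command and name the wrong entities: `id` is declared with `entityType = AclGroupResponse.class` and described as "The ID of the acl group", and `accounts` with `entityType = AclPolicyResponse.class`, yet `execute()` passes them to `removeAclPolicyFromAccounts(id, accountIdList)` as a policy id and a list of account ids. If the API layer resolves UUIDs through `entityType`, as the annotations in AttachAclPolicyToAccountCmd suggest, a policy UUID would be looked up as a group and account UUIDs as policies, so the call either fails or acts on unrelated rows. Use `entityType = AclPolicyResponse.class` with `description = "The ID of the acl policy"` on `id`, and `entityType = AccountResponse.class` with a matching description on `accounts`, importing `AccountResponse` and dropping the then unused `AclGroupResponse` import. As in the attach command, `accounts` is not `required = true` and the event details omit the account ids.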

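--- a/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
+++ b/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
@@ -32,6 +32,8 @@
 <bean id="AclGroupAccountMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.AclGroupAccountMapDaoImpl" />
 <bean id="AclGroupPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.AclGroupPolicyMapDaoImpl" />
 <bean id="AclPolicyPermissionDaoImpl" class="org.apache.cloudstack.iam.server.dao.AclPolicyPermissionDaoImpl" />
+<bean id="AclAccountPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.AclAccountPolicyMapDaoImpl" />
+
 
 <bean id="IAMServiceImpl" class="org.apache.cloudstack.iam.server.IAMServiceImpl" />
 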

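--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -54,6 +54,10 @@ public interface IAMService {
 
 AclGroup removeAclPoliciesFromGroup(List<Long> policyIds, Long groupId);
 
+void attachAclPolicyToAccounts(Long policyId, List<Long> acctIds);
+
+void removeAclPolicyFromAccounts(Long policyId, List<Long> acctIds);
+
 AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
 String action, String accessType, Permission perm);
 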
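Review bot: The two new methods carry no Javadoc, and the signatures do not tell a caller what it needs to know: whether ids that do not exist, or policy/account pairs that are already attached, are ignored or rejected, and whether a null `acctIds` is allowed. I would add a one-line summary such as `/** Attaches one policy directly to each listed account. */` plus `@param` lines that state the null and unknown-id behaviour. The parameter is spelled `acctIds` here but `accountIds` in `AclApiService`; using one spelling makes the delegation easier to follow. The implementation of these methods is not among the hunks shown, so the actual behaviour cannot be confirmed from here.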
