
Example 1 with IAMPolicy

use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.

the class IAMApiServiceImpl method createIAMGroupResponse.

@Override
public IAMGroupResponse createIAMGroupResponse(IAMGroup group) {
    // Build the API view of an IAM group: identity, owning domain and
    // account, the names of member accounts, and the names of attached
    // policies. Lookups that resolve to nothing simply leave the
    // corresponding response fields unset.
    IAMGroupResponse resp = new IAMGroupResponse();
    resp.setId(group.getUuid());
    resp.setName(group.getName());
    resp.setDescription(group.getDescription());

    // The owning domain is resolved from the group's path; a group without a
    // path, or whose path no longer matches a domain, gets no domain fields.
    String path = group.getPath();
    DomainVO domain = (path == null) ? null : _domainDao.findDomainByPath(path);
    if (domain != null) {
        resp.setDomainId(domain.getUuid());
        resp.setDomainName(domain.getName());
    }

    // Owner account name, omitted when the account cannot be found.
    AccountVO ownerAccount = _accountDao.findById(group.getAccountId());
    if (ownerAccount != null) {
        resp.setAccountName(ownerAccount.getAccountName());
    }

    // Member accounts: only accounts that still resolve are listed by name.
    List<Long> memberIds = _iamSrv.listAccountsByGroup(group.getId());
    if (memberIds != null) {
        for (Long memberId : memberIds) {
            AccountVO memberAccount = _accountDao.findById(memberId);
            if (memberAccount != null) {
                resp.addMemberAccount(memberAccount.getAccountName());
            }
        }
    }

    // Policies attached to the group, exposed by name only.
    List<IAMPolicy> attached = _iamSrv.listIAMPoliciesByGroup(group.getId());
    if (attached != null) {
        for (IAMPolicy attachedPolicy : attached) {
            resp.addPolicy(attachedPolicy.getName());
        }
    }

    resp.setObjectName("aclgroup");
    return resp;
}

Example 2 with IAMPolicy

use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.

the class RoleBasedEntityQuerySelector method getAuthorizedDomains.

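@Override
public List<Long> getAuthorizedDomains(Account caller, String action, AccessType accessType) {
    // Resolve the domain ids the caller is authorized to act on for
    // {@code action}: every DOMAIN-scoped permission granted by one of the
    // caller's static policies expands to that domain plus its whole subtree.
    //
    // The returned list may contain duplicates when several policies grant
    // overlapping domain trees; callers needing set semantics must dedupe.
    long accountId = caller.getAccountId();
    if (accessType == null) {
        // default always show resources authorized to use
        accessType = AccessType.UseEntry;
    }
    List<Long> domainIds = new ArrayList<Long>();
    // Get the static Policies of the Caller
    List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
    if (policies == null) {
        // no policies at all means nothing is authorized
        return domainIds;
    }
    // for each policy, find granted permission with Domain scope
    for (IAMPolicy policy : policies) {
        List<IAMPolicyPermission> perms = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.DOMAIN.toString(), accessType.toString());
        if (perms == null) {
            continue;
        }
        for (IAMPolicyPermission p : perms) {
            Long scopeId = p.getScopeId();
            if (scopeId == null) {
                continue;
            }
            // scope id -1 is the sentinel for "the caller's own domain"
            Long domainId = (scopeId.longValue() == -1) ? caller.getDomainId() : scopeId;
            DomainVO domain = _domainDao.findById(domainId);
            if (domain == null) {
                // A permission pointing at an unknown (e.g. since-deleted) domain
                // used to NPE here and abort the whole listing; treat it as
                // granting nothing instead (fail closed) and keep going.
                continue;
            }
            // add all the domain children from this domain (including this domain itself). Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that
            // the whole domain tree is granted access.
            List<Long> subtree = _domainDao.getDomainChildrenIds(domain.getPath());
            if (subtree != null) {
                domainIds.addAll(subtree);
            }
        }
    }
    return domainIds;
}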

Example 3 with IAMPolicy

use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.

the class IAMApiServiceTest method addRemovePolicyToGroupTest.

@Test
public void addRemovePolicyToGroupTest() {
    // Attach two policies to a group, list the group, then detach one policy
    // and list again, checking the policy names the group response reports.
    IAMGroup group = new IAMGroupVO("group1", "tester group1");
    Long groupId = group.getId();
    List<IAMGroup> groupList = new ArrayList<IAMGroup>();
    groupList.add(group);

    IAMPolicy firstPolicy = new IAMPolicyVO("policy1", "my first policy");
    IAMPolicy secondPolicy = new IAMPolicyVO("policy2", "my second policy");
    List<IAMPolicy> attached = new ArrayList<IAMPolicy>();
    attached.add(firstPolicy);
    attached.add(secondPolicy);
    // policy ids the API layer hands to the IAM service
    List<Long> policyIds = new ArrayList<Long>();
    policyIds.add(100L);
    policyIds.add(200L);

    // The stubs return the very same mutable lists, so the detach step below
    // simulates the service's state change by mutating them in place.
    when(_iamSrv.attachIAMPoliciesToGroup(policyIds, groupId)).thenReturn(group);
    when(_iamSrv.listIAMPoliciesByGroup(groupId)).thenReturn(attached);
    when(_iamSrv.listIAMGroups(null, "group1", callerDomainPath, 0L, 20L)).thenReturn(new Pair<List<IAMGroup>, Integer>(groupList, 1));

    _aclSrv.attachIAMPoliciesToGroup(policyIds, groupId);
    ListResponse<IAMGroupResponse> listed = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
    assertTrue("No. of response items should be one", listed.getCount() == 1);
    Set<String> policyNames = listed.getResponses().get(0).getPolicyList();
    assertEquals("There should be 2 policies in the group", 2, policyNames.size());
    assertTrue("policy1 should be assigned to the group", policyNames.contains("policy1"));
    assertTrue("policy2 should be assigned to the group", policyNames.contains("policy2"));

    // remove "policy2" from group1. Remove by value: a bare int literal would
    // select the List.remove(int index) overload instead.
    policyIds.remove(Long.valueOf(200L));
    attached.remove(secondPolicy);
    when(_iamSrv.removeIAMPoliciesFromGroup(policyIds, groupId)).thenReturn(group);
    _aclSrv.removeIAMPoliciesFromGroup(policyIds, groupId);

    listed = _aclSrv.listIAMGroups(null, "group1", callerDomainId, 0L, 20L);
    assertTrue("No. of response items should be one", listed.getCount() == 1);
    policyNames = listed.getResponses().get(0).getPolicyList();
    assertEquals("There should be 1 policy attached to the group", 1, policyNames.size());
    assertFalse("policy2 should not belong to the group anymore", policyNames.contains("policy2"));
}

Example 4 with IAMPolicy

use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.

the class IAMApiServiceTest method createIAMPolicyTest.

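@Test
public void createIAMPolicyTest() {
    // Create a policy through the API layer and verify it is reported, by
    // name, when policies are listed for the caller's domain.
    IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
    List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
    policies.add(policy);
    Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
    // The stubs are keyed on callerDomainPath while the API calls pass
    // callerDomainId; presumably the API service resolves id -> path (set up
    // outside this method).
    when(_iamSrv.createIAMPolicy("policy1", "tester policy1", null, callerDomainPath)).thenReturn(policy);
    when(_iamSrv.listIAMPolicies(null, null, callerDomainPath, 0L, 20L)).thenReturn(policyList);
    IAMPolicy createdPolicy = _aclSrv.createIAMPolicy(caller, "policy1", "tester policy1", null);
    assertNotNull("IAM policy 'policy1' failed to create ", createdPolicy);
    ListResponse<IAMPolicyResponse> policyResp = _aclSrv.listIAMPolicies(null, null, callerDomainId, 0L, 20L);
    assertTrue("No. of response items should be one", policyResp.getCount() == 1);
    IAMPolicyResponse resp = policyResp.getResponses().get(0);
    // The failure message used to say "group name"; this assertion is about
    // the created policy's name.
    assertEquals("Error in created policy name", "policy1", resp.getName());
}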

Example 5 with IAMPolicy

use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.

the class IAMServiceImpl method deleteIAMPolicy.

@DB
@Override
public boolean deleteIAMPolicy(final long iamPolicyId) {
    // Delete a policy together with every row that references it (group
    // attachments, account attachments, and the permissions it grants). All
    // deletions run inside one transaction so a partial cleanup cannot
    // persist and leave dangling references.
    //
    // NOTE(review): no caller-permission check is done here; presumably it is
    // enforced by the API layer before this is reached - confirm.
    final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
    if (policy == null) {
        throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId + "; failed to delete acl policy.");
    }
    final long policyId = policy.getId();
    Transaction.execute(new TransactionCallbackNoReturn() {

        @Override
        public void doInTransactionWithoutResult(TransactionStatus status) {
            // group -> policy attachments (acl_group_policy_map)
            List<IAMGroupPolicyMapVO> groupLinks = _aclGroupPolicyMapDao.listByPolicyId(policyId);
            if (groupLinks != null) {
                for (IAMGroupPolicyMapVO link : groupLinks) {
                    _aclGroupPolicyMapDao.remove(link.getId());
                }
            }
            // account -> policy attachments (acl_account_policy_map)
            List<IAMAccountPolicyMapVO> accountLinks = _aclAccountPolicyMapDao.listByPolicyId(policyId);
            if (accountLinks != null) {
                for (IAMAccountPolicyMapVO link : accountLinks) {
                    _aclAccountPolicyMapDao.remove(link.getId());
                }
            }
            // the permissions this policy grants (acl_policy_permission)
            List<IAMPolicyPermissionVO> grants = _policyPermissionDao.listByPolicy(policyId);
            if (grants != null) {
                for (IAMPolicyPermissionVO grant : grants) {
                    _policyPermissionDao.remove(grant.getId());
                }
            }
            // finally the policy row itself
            _aclPolicyDao.remove(iamPolicyId);
        }
    });
    // presumably drops cached IAM lookups so grants derived from the deleted
    // policy are not served from cache - verify against invalidateIAMCache()
    invalidateIAMCache();
    return true;
}
