use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
the class IAMServiceImpl method addIAMPermissionToIAMPolicy.
@DB
@Override
public IAMPolicy addIAMPermissionToIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId, String action, String accessType, Permission perm, Boolean recursive) {
    // Resolve the target policy first; an unknown id is a caller error.
    final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
    if (policy == null) {
        throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId + "; failed to add permission to policy.");
    }

    // Only insert a permission row when an identical one is not already present,
    // so repeated grants do not pile up duplicate rows.
    // NOTE(review): the lookup and the insert are two separate statements, so
    // concurrent grants of the same tuple can still both insert — confirm whether
    // a unique constraint on acl_policy_permission backs this check.
    final IAMPolicyPermissionVO existing = _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope, scopeId, action, perm, accessType);
    if (existing == null) {
        final IAMPolicyPermissionVO created = new IAMPolicyPermissionVO(iamPolicyId, action, entityType, accessType, scope, scopeId, perm, recursive);
        _policyPermissionDao.persist(created);
    }

    // Cached authorization results may predate this grant; drop them.
    invalidateIAMCache();
    return policy;
}
use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
the class IAMServiceImpl method removeIAMPoliciesFromGroup.
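/**
 * Detaches the given policies from an IAM group.
 *
 * Every policy id is validated inside the transaction; an unknown policy id
 * aborts the batch with an exception. Policies that are not currently mapped
 * to the group are skipped.
 *
 * @param policyIds ids of the policies to detach from the group
 * @param groupId   id of the group to detach them from
 * @return the group entity the policies were detached from
 * @throws InvalidParameterValueException if the group or any listed policy does not exist
 */
@DB
@Override
public IAMGroup removeIAMPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
    // resolve the group first; an unknown group is a caller error
    final IAMGroup group = _aclGroupDao.findById(groupId);
    if (group == null) {
        throw new InvalidParameterValueException("Unable to find acl group: " + groupId + "; failed to remove roles from acl group.");
    }
    Transaction.execute(new TransactionCallbackNoReturn() {
        @Override
        public void doInTransactionWithoutResult(TransactionStatus status) {
            // delete the group->policy mapping row for each requested policy
            for (Long policyId : policyIds) {
                IAMPolicy policy = _aclPolicyDao.findById(policyId);
                if (policy == null) {
                    // this is the removal path; the message used to say "add"
                    throw new InvalidParameterValueException("Unable to find acl policy: " + policyId + "; failed to remove policies from acl group.");
                }
                IAMGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
                if (grMap != null) {
                    // mapping still present; a policy already detached is simply skipped
                    _aclGroupPolicyMapDao.remove(grMap.getId());
                }
            }
        }
    });
    // cached authorization decisions may still reference the removed mappings
    invalidateIAMCache();
    return group;
}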
use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
the class IAMServiceImpl method createIAMPolicy.
@DB
@Override
public IAMPolicy createIAMPolicy(final String iamPolicyName, final String description, final Long parentPolicyId, final String path) {
    // reject duplicate names up front; the name is the lookup key used here
    final IAMPolicy existing = _aclPolicyDao.findByName(iamPolicyName);
    if (existing != null) {
        throw new InvalidParameterValueException("Unable to create acl policy with name " + iamPolicyName + " already exists");
    }
    // NOTE(review): the name check above runs outside the transaction below, so
    // two concurrent creates with the same name can both pass it — confirm that
    // a unique constraint on the name column backs this check.
    return Transaction.execute(new TransactionCallback<IAMPolicy>() {
        @Override
        public IAMPolicy doInTransaction(TransactionStatus status) {
            final IAMPolicyVO policyVo = new IAMPolicyVO(iamPolicyName, description);
            policyVo.setPath(path);
            final IAMPolicy created = _aclPolicyDao.persist(policyVo);
            if (parentPolicyId == null) {
                return created;
            }
            // inherit the parent's permissions
            final List<IAMPolicyPermissionVO> parentPerms = _policyPermissionDao.listByPolicy(parentPolicyId);
            if (parentPerms != null) {
                for (IAMPolicyPermissionVO perm : parentPerms) {
                    // NOTE(review): this re-points the parent's own loaded VO at the new
                    // policy and persists it; whether persist() inserts a copy or rewrites
                    // the parent's row depends on the DAO's persist semantics — confirm.
                    perm.setAclPolicyId(created.getId());
                    _policyPermissionDao.persist(perm);
                }
            }
            return created;
        }
    });
}
use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
the class IAMServiceImpl method isActionAllowedForPolicies.
@Override
public boolean isActionAllowedForPolicies(String action, List<IAMPolicy> policies) {
    // with no policies there is nothing that could grant the action
    if (policies == null || policies.isEmpty()) {
        return false;
    }
    List<Long> policyIds = new ArrayList<Long>(policies.size());
    for (IAMPolicy candidate : policies) {
        policyIds.add(candidate.getId());
    }
    // one query: does any permission row for this action belong to one of the policies?
    SearchBuilder<IAMPolicyPermissionVO> builder = _policyPermissionDao.createSearchBuilder();
    builder.and("action", builder.entity().getAction(), Op.EQ);
    builder.and("policyId", builder.entity().getAclPolicyId(), Op.IN);
    SearchCriteria<IAMPolicyPermissionVO> criteria = builder.create();
    criteria.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
    criteria.setParameters("action", action);
    List<IAMPolicyPermissionVO> matches = _policyPermissionDao.customSearch(criteria, null);
    // NOTE(review): the search filters only on action and policy id; the row's
    // Permission value (the `perm` passed to IAMPolicyPermissionVO elsewhere in
    // this class) is not consulted, so a row of any permission kind counts as
    // "allowed" here — confirm that is the intended decision.
    return matches != null && !matches.isEmpty();
}
use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
the class RoleBasedEntityQuerySelector method getAuthorizedAccounts.
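/**
 * Lists the account ids the caller is authorized for under the given action,
 * derived from the Account-scoped permissions of the caller's IAM policies.
 *
 * A permission whose scope id is -1 is mapped to the caller's own id; any
 * other non-null scope id is returned as-is. A null accessType defaults to
 * {@code AccessType.UseEntry}.
 *
 * @param caller     the account whose policies are consulted
 * @param action     the action being authorized
 * @param accessType the access type to match, or null for UseEntry
 * @return the account ids granted by Account-scoped permissions; empty when
 *         the caller has no policies or no matching permissions
 */
@Override
public List<Long> getAuthorizedAccounts(Account caller, String action, AccessType accessType) {
    long accountId = caller.getAccountId();
    if (accessType == null) {
        // default always show resources authorized to use
        accessType = AccessType.UseEntry;
    }
    List<Long> accountIds = new ArrayList<Long>();
    // Get the static Policies of the Caller
    List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
    if (policies == null) {
        // no policies: nothing can be granted
        return accountIds;
    }
    // for each policy, collect the account ids granted with Account scope
    for (IAMPolicy policy : policies) {
        List<IAMPolicyPermission> perms = _iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ACCOUNT.toString(), accessType.toString());
        if (perms == null) {
            // guard the service result itself; the previous null check tested a
            // freshly created list and could never fire
            continue;
        }
        for (IAMPolicyPermission p : perms) {
            Long scopeId = p.getScopeId();
            if (scopeId == null) {
                continue;
            }
            if (scopeId.longValue() == -1) {
                // -1 stands for the caller's own account rather than a concrete id
                accountIds.add(caller.getId());
            } else {
                accountIds.add(scopeId);
            }
        }
    }
    return accountIds;
}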