use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
Class IAMServiceImpl, method removeIAMPermissionFromIAMPolicy:
/**
 * Revokes an explicit ALLOW permission from an IAM policy.
 *
 * <p>Looks up the policy, then looks for a matching ALLOW permission row for the given
 * entity type / scope / scope id / action and removes it when present. The IAM cache is
 * invalidated whether or not a row was actually removed.
 *
 * @param iamPolicyId id of the policy the permission is revoked from
 * @param entityType  entity type the permission refers to
 * @param scope       permission scope, as a string
 * @param scopeId     id within the scope (may be {@code null}, passed through to the DAO)
 * @param action      API action the permission covers
 * @return the policy the permission was revoked from
 * @throws InvalidParameterValueException if no policy with {@code iamPolicyId} exists
 */
@DB
@Override
public IAMPolicy removeIAMPermissionFromIAMPolicy(long iamPolicyId, String entityType, String scope, Long scopeId, String action) {
    final IAMPolicy policy = _aclPolicyDao.findById(iamPolicyId);
    if (policy == null) {
        throw new InvalidParameterValueException("Unable to find acl policy: " + iamPolicyId + "; failed to revoke permission from policy.");
    }
    // Only Permission.Allow rows are matched here; the meaning of the trailing null
    // argument is not visible in this class — check the DAO before relying on it.
    final IAMPolicyPermissionVO existing =
            _policyPermissionDao.findByPolicyAndEntity(iamPolicyId, entityType, scope, scopeId, action, Permission.Allow, null);
    final boolean stillGranted = existing != null;
    if (stillGranted) {
        _policyPermissionDao.remove(existing.getId());
    }
    invalidateIAMCache();
    return policy;
}
use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
Class IAMServiceImpl, method removeIAMPolicyFromAccounts:
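/**
 * Detaches an IAM policy from each of the given accounts.
 *
 * <p>For every account that currently has a mapping row to this policy, the row is removed
 * inside a single transaction; accounts without a mapping are skipped. The IAM cache is
 * invalidated afterwards.
 *
 * @param policyId id of the policy to detach
 * @param acctIds  accounts to detach the policy from; {@code null} or empty means nothing to do
 * @throws InvalidParameterValueException if no policy with {@code policyId} exists
 */
@Override
public void removeIAMPolicyFromAccounts(final Long policyId, final List<Long> acctIds) {
    IAMPolicy policy = _aclPolicyDao.findById(policyId);
    if (policy == null) {
        // message previously read "failed to add policy to account", which misdescribed this call
        throw new InvalidParameterValueException("Unable to find acl policy: " + policyId + "; failed to remove policy from account.");
    }
    // Skip the transaction when there is nothing to detach (a null list used to NPE in the loop).
    if (acctIds != null && !acctIds.isEmpty()) {
        Transaction.execute(new TransactionCallbackNoReturn() {
            @Override
            public void doInTransactionWithoutResult(TransactionStatus status) {
                // drop the account <-> policy mapping rows that currently exist
                for (Long acctId : acctIds) {
                    IAMAccountPolicyMapVO acctMap = _aclAccountPolicyMapDao.findByAccountAndPolicy(acctId, policyId);
                    if (acctMap != null) {
                        _aclAccountPolicyMapDao.remove(acctMap.getId());
                    }
                }
            }
        });
    }
    invalidateIAMCache();
}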
use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
Class IAMApiServiceImpl, method resetTemplatePermission:
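/**
 * Reverts a template's sharing permissions when the template is reset to private.
 *
 * <p>Removes the {@code listTemplates} resource permission for this template from the two
 * policies addressed by {@code Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1} and
 * {@code Account.ACCOUNT_TYPE_NORMAL + 1}, then deletes the per-template grant policy
 * (the one carrying only a {@code UseEntry} permission) if one exists. Deleting that policy
 * is what detaches it from groups and accounts.
 *
 * <p>NOTE(review): the policy ids are derived as account type + 1; this assumes the default
 * policies were created with exactly those ids — confirm against the default-policy bootstrap.
 *
 * @param templateId id of the template being reset
 */
private void resetTemplatePermission(Long templateId) {
    final String entityType = VirtualMachineTemplate.class.getSimpleName();
    final String resourceScope = PermissionScope.RESOURCE.toString();
    final String action = "listTemplates";
    // Reset makes the template private, so the listTemplates grant is pulled from the
    // domain-admin and normal-user policies. Long.valueOf replaces the deprecated new Long(...).
    _iamSrv.removeIAMPermissionFromIAMPolicy(Long.valueOf(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), entityType, resourceScope, templateId, action);
    _iamSrv.removeIAMPermissionFromIAMPolicy(Long.valueOf(Account.ACCOUNT_TYPE_NORMAL + 1), entityType, resourceScope, templateId, action);
    // Is there a grant policy that holds only the UseEntry permission for this template?
    IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, templateId, AccessType.UseEntry.toString(), action);
    if (policy == null) {
        s_logger.info("No policy found for this template grant: " + templateId + ", no detach to be done");
        return;
    }
    // Deleting the policy detaches it from groups and accounts as a side effect.
    _iamSrv.deleteIAMPolicy(policy.getId());
}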
use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
Class IAMApiServiceImpl, method grantEntityPermissioinToAccounts:
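/**
 * Grants {@code action} on one resource to a list of accounts via a per-resource grant policy.
 *
 * <p>The grant policy is looked up with {@code _iamSrv.getResourceGrantPolicy}. When none exists,
 * a policy named {@code "policyGrant" + entityType + entityId} is created on behalf of the
 * calling account and a single ALLOW permission with {@code PermissionScope.RESOURCE} is added
 * to it. The policy is then attached to every account in {@code accountIds} that does not already
 * have it.
 *
 * <p>NOTE(review): the lookup-then-create sequence is not atomic, so two concurrent grants for the
 * same resource could each create a policy — confirm whether the service guards against this.
 * No authorization check on the caller is performed in this method; presumably the API command
 * layer enforces it — verify.
 *
 * @param entityType type name of the resource
 * @param entityId   id of the resource
 * @param accessType access type the grant represents (its string form is used for the lookup)
 * @param action     API action being granted
 * @param accountIds accounts to attach the grant policy to; {@code null} is treated as empty
 */
@Override
public void grantEntityPermissioinToAccounts(String entityType, Long entityId, AccessType accessType, String action, List<Long> accountIds) {
    IAMPolicy policy = _iamSrv.getResourceGrantPolicy(entityType, entityId, accessType.toString(), action);
    if (policy == null) {
        Account caller = CallContext.current().getCallingAccount();
        String aclPolicyName = "policyGrant" + entityType + entityId;
        String description = "Policy to grant permission to " + entityType + entityId;
        policy = createIAMPolicy(caller, aclPolicyName, description, null);
        // A fresh grant policy carries exactly one permission: ALLOW this action on this resource.
        addIAMPermissionToIAMPolicy(policy.getId(), entityType, PermissionScope.RESOURCE, entityId, action, Permission.Allow, false, false);
    }
    if (accountIds == null) {
        // Nothing to attach; the loop below used to dereference a null list.
        return;
    }
    Long policyId = policy.getId();
    for (Long acctId : accountIds) {
        // attach once per account; skip those that already carry the policy
        if (!isPolicyAttachedToAccount(policyId, acctId)) {
            attachIAMPolicyToAccounts(policyId, Collections.singletonList(acctId));
        }
    }
}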
use of org.apache.cloudstack.iam.api.IAMPolicy in project cloudstack by apache.
Class AddIAMPermissionToIAMPolicyCmd, method execute:
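/**
 * Adds an explicit ALLOW permission to the IAM policy identified by this command's id.
 *
 * <p>The caller-supplied {@code scope} is converted to a {@link PermissionScope} before the
 * service call; an unrecognised or missing scope is reported as a parameter error instead of
 * escaping as an uncaught {@code IllegalArgumentException}/{@code NullPointerException} from
 * {@code valueOf}. Only ALLOW is supported for this release; there is no explicit DENY.
 *
 * @throws ServerApiException with {@code PARAM_ERROR} for an invalid scope, or
 *         {@code INTERNAL_ERROR} when the service returns no policy
 */
@Override
public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException {
    CallContext.current().setEventDetails("IAM policy Id: " + getId());
    // scope comes from the API request: validate it here so a bad value is a 4xx-style
    // parameter error rather than an unhandled exception
    if (scope == null) {
        throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Missing permission scope for iam policy " + getId());
    }
    final PermissionScope permissionScope;
    try {
        permissionScope = PermissionScope.valueOf(scope);
    } catch (IllegalArgumentException e) {
        throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Invalid permission scope '" + scope + "' for iam policy " + getId());
    }
    // Only explicit ALLOW is supported for this release, no explicit deny
    IAMPolicy result = _iamApiSrv.addIAMPermissionToIAMPolicy(id, entityType, permissionScope, getScopeId(), action, Permission.Allow, false, isReadOnly());
    if (result == null) {
        throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to iam policy " + getId());
    }
    IAMPolicyResponse response = _iamApiSrv.createIAMPolicyResponse(result);
    response.setResponseName(getCommandName());
    setResponseObject(response);
}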