Example 1 with IAMPolicyPermission
use of org.apache.cloudstack.iam.api.IAMPolicyPermission in project cloudstack by apache.
the class RoleBasedEntityQuerySelector method getAuthorizedDomains.
@Override
public List<Long> getAuthorizedDomains(Account caller, String action, AccessType accessType) {
long accountId = caller.getAccountId();
if (accessType == null) {
// default always show resources authorized to use
accessType = AccessType.UseEntry;
}
// Get the static Policies of the Caller
List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
// for each policy, find granted permission with Domain scope
List<Long> domainIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.DOMAIN.toString(), accessType.toString()));
if (pp != null) {
for (IAMPolicyPermission p : pp) {
if (p.getScopeId() != null) {
Long domainId = null;
if (p.getScopeId().longValue() == -1) {
domainId = caller.getDomainId();
//domainIds.add(caller.getDomainId());
} else {
domainId = p.getScopeId();
//domainIds.add(p.getScopeId());
}
//domainIds.add(domainId);
// add all the domain children from this domain (including this domain itself). Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that
// the whole domain tree is granted access.
DomainVO domain = _domainDao.findById(domainId);
List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath());
if (childDomains != null && childDomains.size() > 0) {
domainIds.addAll(childDomains);
}
}
}
}
}
return domainIds;
}
Also used :
DomainVO(com.cloud.domain.DomainVO)
IAMPolicyPermission(org.apache.cloudstack.iam.api.IAMPolicyPermission)
IAMPolicy(org.apache.cloudstack.iam.api.IAMPolicy)
ArrayList(java.util.ArrayList)
Example 2 with IAMPolicyPermission
use of org.apache.cloudstack.iam.api.IAMPolicyPermission in project cloudstack by apache.
the class RoleBasedEntityAccessChecker method checkAccess.
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException {
if (caller == null) {
throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!");
}
if (entity == null && action == null) {
throw new InvalidParameterValueException("Entity and action cannot be both NULL in checkAccess!");
}
// check IAM cache first
String accessKey = buildAccessCacheKey(caller, entity, accessType, action);
CheckAccessResult allowDeny = (CheckAccessResult) _iamSrv.getFromIAMCache(accessKey);
if (allowDeny != null) {
s_logger.debug("IAM access check for " + accessKey + " from cache: " + allowDeny.isAllow());
if (allowDeny.isAllow()) {
return true;
} else {
if (allowDeny.getDenyMsg() != null) {
throw new PermissionDeniedException(allowDeny.getDenyMsg());
} else {
return false;
}
}
}
if (entity == null && action != null) {
// check if caller can do this action
List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());
boolean isAllowed = _iamSrv.isActionAllowedForPolicies(action, policies);
if (!isAllowed) {
String msg = "The action '" + action + "' not allowed for account " + caller;
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
throw new PermissionDeniedException(msg);
}
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
return true;
}
// if a Project entity, skip
Account entityAccount = _accountService.getAccount(entity.getAccountId());
if (entityAccount != null && entityAccount.getType() == Account.ACCOUNT_TYPE_PROJECT) {
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
return false;
}
String entityType = null;
if (entity.getEntityType() != null) {
entityType = entity.getEntityType().getSimpleName();
}
if (accessType == null) {
accessType = AccessType.UseEntry;
}
// get all Policies of this caller by considering recursive domain group policy
List<IAMPolicy> policies = getEffectivePolicies(caller);
HashMap<IAMPolicy, Boolean> policyPermissionMap = new HashMap<IAMPolicy, Boolean>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> permissions = new ArrayList<IAMPolicyPermission>();
if (action != null) {
permissions = _iamSrv.listPolicyPermissionByActionAndEntity(policy.getId(), action, entityType);
if (permissions.isEmpty()) {
if (accessType != null) {
for (AccessType type : AccessType.values()) {
if (type.ordinal() >= accessType.ordinal()) {
permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(), type.toString(), entityType));
}
}
}
}
} else {
if (accessType != null) {
for (AccessType type : AccessType.values()) {
if (type.ordinal() >= accessType.ordinal()) {
permissions.addAll(_iamSrv.listPolicyPermissionByAccessAndEntity(policy.getId(), type.toString(), entityType));
}
}
}
}
for (IAMPolicyPermission permission : permissions) {
if (checkPermissionScope(caller, permission.getScope(), permission.getScopeId(), entity)) {
if (permission.getEntityType().equals(entityType)) {
policyPermissionMap.put(policy, permission.getPermission().isGranted());
break;
} else if (permission.getEntityType().equals("*")) {
policyPermissionMap.put(policy, permission.getPermission().isGranted());
}
}
}
if (policyPermissionMap.containsKey(policy) && policyPermissionMap.get(policy)) {
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
return true;
}
}
if (!policies.isEmpty()) {
// Since we reach this point, none of the
// roles granted access
String msg = "Account " + caller + " does not have permission to access resource " + entity + " for access type: " + accessType;
if (s_logger.isDebugEnabled()) {
s_logger.debug(msg);
}
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
throw new PermissionDeniedException(msg);
}
_iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
return false;
}
Also used :
Account(com.cloud.user.Account)
IAMPolicy(org.apache.cloudstack.iam.api.IAMPolicy)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
IAMPolicyPermission(org.apache.cloudstack.iam.api.IAMPolicyPermission)
InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException)
PermissionDeniedException(com.cloud.exception.PermissionDeniedException)
AccessType(org.apache.cloudstack.acl.SecurityChecker.AccessType)
Example 3 with IAMPolicyPermission
use of org.apache.cloudstack.iam.api.IAMPolicyPermission in project cloudstack by apache.
the class RoleBasedEntityQuerySelector method getAuthorizedResources.
@Override
public List<Long> getAuthorizedResources(Account caller, String action, AccessType accessType) {
long accountId = caller.getAccountId();
if (accessType == null) {
// default always show resources authorized to use
accessType = AccessType.UseEntry;
}
// Get the static Policies of the Caller
List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
// add the policies that grant recursive access
List<IAMGroup> groups = _iamService.listIAMGroups(caller.getId());
for (IAMGroup group : groups) {
// for each group find the grand parent groups.
List<IAMGroup> parentGroups = _iamService.listParentIAMGroups(group.getId());
for (IAMGroup parentGroup : parentGroups) {
policies.addAll(_iamService.listRecursiveIAMPoliciesByGroup(parentGroup.getId()));
}
}
// for each policy, find granted permission with Resource scope
List<Long> entityIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.RESOURCE.toString(), accessType.toString()));
if (pp != null) {
for (IAMPolicyPermission p : pp) {
if (p.getScopeId() != null) {
entityIds.add(p.getScopeId());
}
}
}
}
return entityIds;
}
Also used :
IAMGroup(org.apache.cloudstack.iam.api.IAMGroup)
IAMPolicyPermission(org.apache.cloudstack.iam.api.IAMPolicyPermission)
IAMPolicy(org.apache.cloudstack.iam.api.IAMPolicy)
ArrayList(java.util.ArrayList)
Example 4 with IAMPolicyPermission
use of org.apache.cloudstack.iam.api.IAMPolicyPermission in project cloudstack by apache.
the class RoleBasedEntityQuerySelector method getAuthorizedAccounts.
@Override
public List<Long> getAuthorizedAccounts(Account caller, String action, AccessType accessType) {
long accountId = caller.getAccountId();
if (accessType == null) {
// default always show resources authorized to use
accessType = AccessType.UseEntry;
}
// Get the static Policies of the Caller
List<IAMPolicy> policies = _iamService.listIAMPolicies(accountId);
// for each policy, find granted permission with Account scope
List<Long> accountIds = new ArrayList<Long>();
for (IAMPolicy policy : policies) {
List<IAMPolicyPermission> pp = new ArrayList<IAMPolicyPermission>();
pp.addAll(_iamService.listPolicyPermissionsByScope(policy.getId(), action, PermissionScope.ACCOUNT.toString(), accessType.toString()));
if (pp != null) {
for (IAMPolicyPermission p : pp) {
if (p.getScopeId() != null) {
if (p.getScopeId().longValue() == -1) {
accountIds.add(caller.getId());
} else {
accountIds.add(p.getScopeId());
}
}
}
}
}
return accountIds;
}
Also used :
IAMPolicyPermission(org.apache.cloudstack.iam.api.IAMPolicyPermission)
IAMPolicy(org.apache.cloudstack.iam.api.IAMPolicy)
ArrayList(java.util.ArrayList)
Example 5 with IAMPolicyPermission
use of org.apache.cloudstack.iam.api.IAMPolicyPermission in project cloudstack by apache.
the class IAMApiServiceTest method addRemovePermissionToPolicyTest.
@Test
public void addRemovePermissionToPolicyTest() {
IAMPolicy policy = new IAMPolicyVO("policy1", "tester policy1");
List<IAMPolicy> policies = new ArrayList<IAMPolicy>();
policies.add(policy);
Long policyId = policy.getId();
Long resId = 200L;
Class clz = ListVMsCmd.class;
when(_apiServer.getCmdClass("listVirtualMachines")).thenReturn(clz);
when(_iamSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), PermissionScope.RESOURCE.toString(), resId, "listVirtualMachines", AccessType.UseEntry.toString(), Permission.Allow, false)).thenReturn(policy);
_aclSrv.addIAMPermissionToIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), PermissionScope.RESOURCE, resId, "listVirtualMachines", Permission.Allow, false, false);
Pair<List<IAMPolicy>, Integer> policyList = new Pair<List<IAMPolicy>, Integer>(policies, 1);
List<IAMPolicyPermission> policyPerms = new ArrayList<IAMPolicyPermission>();
IAMPolicyPermission perm = new IAMPolicyPermissionVO(policyId, "listVirtualMachines", VirtualMachine.class.getSimpleName(), AccessType.UseEntry.toString(), PermissionScope.RESOURCE.toString(), resId, Permission.Allow, false);
policyPerms.add(perm);
when(_iamSrv.listIAMPolicies(null, "policy1", callerDomainPath, 0L, 20L)).thenReturn(policyList);
when(_iamSrv.listPolicyPermissions(policyId)).thenReturn(policyPerms);
ListResponse<IAMPolicyResponse> policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", policyResp.getCount() == 1);
IAMPolicyResponse resp = policyResp.getResponses().get(0);
Set<IAMPermissionResponse> permList = resp.getPermissionList();
assertTrue("Permission list should not be empty", permList != null && permList.size() > 0);
IAMPermissionResponse permResp = permList.iterator().next();
assertEquals("There should be one permission for listVirtualMachines", "listVirtualMachines", permResp.getAction());
//remove permission from policy
policyPerms.remove(perm);
_aclSrv.removeIAMPermissionFromIAMPolicy(policyId, VirtualMachine.class.getSimpleName(), PermissionScope.RESOURCE, resId, "listVirtualMachines");
policyResp = _aclSrv.listIAMPolicies(null, "policy1", callerDomainId, 0L, 20L);
assertTrue("No. of response items should be one", policyResp.getCount() == 1);
resp = policyResp.getResponses().get(0);
permList = resp.getPermissionList();
assertTrue("Permission list should be empty", permList != null && permList.size() == 0);
}
Also used :
IAMPolicy(org.apache.cloudstack.iam.api.IAMPolicy)
IAMPolicyVO(org.apache.cloudstack.iam.server.IAMPolicyVO)
ArrayList(java.util.ArrayList)
IAMPolicyPermissionVO(org.apache.cloudstack.iam.server.IAMPolicyPermissionVO)
IAMPolicyResponse(org.apache.cloudstack.api.response.iam.IAMPolicyResponse)
ListVMsCmd(org.apache.cloudstack.api.command.user.vm.ListVMsCmd)
IAMPolicyPermission(org.apache.cloudstack.iam.api.IAMPolicyPermission)
IAMPermissionResponse(org.apache.cloudstack.api.response.iam.IAMPermissionResponse)
BeforeClass(org.junit.BeforeClass)
List(java.util.List)
ArrayList(java.util.ArrayList)
VirtualMachine(com.cloud.vm.VirtualMachine)
Pair(com.cloud.utils.Pair)
Test(org.junit.Test)
Aggregations
IAMPolicyPermission (org.apache.cloudstack.iam.api.IAMPolicyPermission)8
IAMPolicy (org.apache.cloudstack.iam.api.IAMPolicy)7
ArrayList (java.util.ArrayList)6
DomainVO (com.cloud.domain.DomainVO)2
IAMPermissionResponse (org.apache.cloudstack.api.response.iam.IAMPermissionResponse)2
IAMPolicyResponse (org.apache.cloudstack.api.response.iam.IAMPolicyResponse)2
InvalidParameterValueException (com.cloud.exception.InvalidParameterValueException)1
PermissionDeniedException (com.cloud.exception.PermissionDeniedException)1
Account (com.cloud.user.Account)1
AccountVO (com.cloud.user.AccountVO)1
Pair (com.cloud.utils.Pair)1
VirtualMachine (com.cloud.vm.VirtualMachine)1
HashMap (java.util.HashMap)1
List (java.util.List)1
AccessType (org.apache.cloudstack.acl.SecurityChecker.AccessType)1
ListVMsCmd (org.apache.cloudstack.api.command.user.vm.ListVMsCmd)1
IAMGroup (org.apache.cloudstack.iam.api.IAMGroup)1
IAMPolicyPermissionVO (org.apache.cloudstack.iam.server.IAMPolicyPermissionVO)1
IAMPolicyVO (org.apache.cloudstack.iam.server.IAMPolicyVO)1
BeforeClass (org.junit.BeforeClass)1
