Merge pull request #14 from shapeblue/dynamicrbac-4.5

Make role permissions orderable

Author: John Burwell

api/src/org/apache/cloudstack/acl/RolePermission.java

@@ -27,4 +27,5 @@ enum Permission {ALLOW, DENY}
     Rule getRule();
     Permission getPermission();
     String getDescription();
+    long getSortOrder();
 }

api/src/org/apache/cloudstack/acl/RoleService.java

@@ -34,8 +34,16 @@ public interface RoleService {
     boolean deleteRole(final Role role);
 
     RolePermission findRolePermission(final Long id);
+    RolePermission findRolePermissionByUuid(final String uuid);
+
     RolePermission createRolePermission(final Role role, final Rule rule, final RolePermission.Permission permission, final String description);
-    boolean updateRolePermission(final RolePermission rolePermission, final Rule rule, final RolePermission.Permission permission, final String description);
+    /**
+     * updateRolePermission updates the order/position of an role permission
+     * The list of role permissions is treated and consumed as an ordered linked list
+     * @param rolePermission The role permission that needs to be re-ordered
+     * @param parentRolePermission The parent role permission after which the role permission should be placed
+     */
+    boolean updateRolePermission(final RolePermission rolePermission, final RolePermission parentRolePermission);
     boolean deleteRolePermission(final RolePermission rolePermission);
 
     List<Role> listRoles();

api/src/org/apache/cloudstack/api/ApiConstants.java

@@ -190,6 +190,7 @@ public class ApiConstants {
     public static final String PORTAL = "portal";
     public static final String PORTABLE_IP_ADDRESS = "portableipaddress";
     public static final String PORT_FORWARDING_SERVICE_ID = "portforwardingserviceid";
+    public static final String PARENT = "parent";
     public static final String PRIVATE_INTERFACE = "privateinterface";
     public static final String PRIVATE_IP = "privateip";
     public static final String PRIVATE_PORT = "privateport";

api/src/org/apache/cloudstack/api/command/admin/acl/UpdateRolePermissionCmd.java

@@ -18,22 +18,20 @@
 package org.apache.cloudstack.api.command.admin.acl;
 
 import com.cloud.user.Account;
-import com.google.common.base.Strings;
 import org.apache.cloudstack.acl.RolePermission;
 import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.Rule;
 import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiArgValidator;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.ApiArgValidator;
 import org.apache.cloudstack.api.response.RolePermissionResponse;
 import org.apache.cloudstack.api.response.SuccessResponse;
 import org.apache.cloudstack.context.CallContext;
 
-@APICommand(name = UpdateRolePermissionCmd.APINAME, description = "Updates a role permission", responseObject = SuccessResponse.class,
+@APICommand(name = UpdateRolePermissionCmd.APINAME, description = "Updates a role permission order", responseObject = SuccessResponse.class,
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false,
         since = "4.9.0",
         authorized = {RoleType.Admin})
@@ -46,39 +44,30 @@ public class UpdateRolePermissionCmd extends BaseCmd {
 
     @Parameter(name = ApiConstants.ID, type = CommandType.UUID, required = true, entityType = RolePermissionResponse.class,
             description = "ID of the role permission", validations = {ApiArgValidator.PositiveNumber})
-    private Long rolePermissionId;
-
-    @Parameter(name = ApiConstants.RULE, type = CommandType.STRING, required = true,
-            description = "The name of the API or wildcard rule such as list*", validations = {ApiArgValidator.NotNullOrEmpty})
-    private String rule;
+    private Long ruleId;
 
-    @Parameter(name = ApiConstants.PERMISSION, type = CommandType.STRING, required = true, description = "The rule permission, allow or deny. Default: deny.")
-    private String permission;
-
-    @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "The description of the role permission")
-    private String description;
+    @Parameter(name = ApiConstants.PARENT, type = CommandType.STRING, required = true, entityType = RolePermissionResponse.class,
+            description = "The parent role permission uuid, use 0 to move this rule at the top of the list", validations = {ApiArgValidator.NotNullOrEmpty})
+    private String parentRuleUuid;
 
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
 
-    public Long getRolePermissionId() {
-        return rolePermissionId;
+    public Long getRuleId() {
+        return ruleId;
     }
 
-    public Rule getRule() {
-        return new Rule(rule);
-    }
-
-    public RolePermission.Permission getPermission() {
-        if (Strings.isNullOrEmpty(permission)) {
+    public RolePermission getParentRolePermission() {
+        // A null or 0 previous id means this rule is moved to the top of the list
+        if (parentRuleUuid.equals("0")) {
             return null;
         }
-        return RolePermission.Permission.valueOf(permission.toUpperCase());
-    }
-
-    public String getDescription() {
-        return description;
+        final RolePermission parentRolePermission = roleService.findRolePermissionByUuid(parentRuleUuid);
+        if (parentRolePermission == null) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Invalid parent role permission id provided");
+        }
+        return parentRolePermission;
     }
 
     /////////////////////////////////////////////////////
@@ -97,12 +86,12 @@ public long getEntityOwnerId() {
 
     @Override
     public void execute() {
-        RolePermission rolePermission = roleService.findRolePermission(getRolePermissionId());
+        final RolePermission rolePermission = roleService.findRolePermission(getRuleId());
         if (rolePermission == null) {
             throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Invalid role permission id provided");
         }
-        CallContext.current().setEventDetails("Role permission id: " + rolePermission.getId() + ", rule:" + getRule() + ", permission: " + getPermission() + ", description: " + getDescription());
-        boolean result = roleService.updateRolePermission(rolePermission, getRule(), getPermission(), getDescription());
+        CallContext.current().setEventDetails("Role permission id: " + rolePermission.getId() + ", parent role permission uuid:" + parentRuleUuid);
+        boolean result = roleService.updateRolePermission(rolePermission, getParentRolePermission());
         SuccessResponse response = new SuccessResponse(getCommandName());
         response.setSuccess(result);
         setResponseObject(response);

engine/schema/src/com/cloud/upgrade/dao/Upgrade452to453.java

@@ -62,68 +62,21 @@ public File[] getPrepareScripts() {
 
     @Override
     public void performDataMigration(Connection conn) {
-        setupRolesAndPermissionsForDynamicRBAC(conn);
+        setupRolesAndPermissionsForDynamicChecker(conn);
     }
 
-    private void createDefaultRole(final Connection conn, final Long id, final String name, final RoleType roleType) {
-        final String insertSql = String.format("INSERT INTO `cloud`.`roles` (`id`, `uuid`, `name`, `role_type`, `description`) values (%d, UUID(), '%s', '%s', 'Default %s role');",
-                id, name, roleType.name(), roleType.name().toLowerCase());
-        try ( PreparedStatement updatePstmt = conn.prepareStatement(insertSql) ) {
-            updatePstmt.executeUpdate();
-        } catch (SQLException e) {
-            throw new CloudRuntimeException("Unable to create default role with id: " + id + " name: " + name, e);
-        }
-    }
-
-    private void createRoleMapping(final Connection conn, final Long roleId, final String apiName) {
-        final String insertSql = String.format("INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`) values (UUID(), %d, '%s', 'ALLOW') ON DUPLICATE KEY UPDATE rule=rule;",
-                roleId, apiName);
-        try ( PreparedStatement updatePstmt = conn.prepareStatement(insertSql)) {
-            updatePstmt.executeUpdate();
-        } catch (SQLException ignored) {
-            s_logger.debug("Unable to insert mapping for role id:" + roleId + " apiName: " + apiName);
-        }
-    }
-
-    private void addRoleColumnAndMigrateAccountTable(final Connection conn, final RoleType[] roleTypes) {
-        // Add role_id column to account table
-        final String alterTableSql = "ALTER TABLE `cloud`.`account` ADD COLUMN `role_id` bigint(20) unsigned COMMENT 'role id for this account' AFTER `type`, " +
-                "ADD KEY `fk_account__role_id` (`role_id`), " +
-                "ADD CONSTRAINT `fk_account__role_id` FOREIGN KEY (`role_id`) REFERENCES `roles` (`id`);";
-        try (PreparedStatement pstmt = conn.prepareStatement(alterTableSql)) {
-            pstmt.executeUpdate();
-            s_logger.info("Altered cloud.account table and added column role_id");
-        } catch (SQLException e) {
-            if (e.getMessage().contains("role_id")) {
-                s_logger.warn("cloud.account table already has the role_id column, skipping altering table and migration of accounts");
-                return;
-            } else {
-                throw new CloudRuntimeException("Unable to create column quota_calculated in table cloud_usage.cloud_usage", e);
-            }
-        }
-        // Migrate existing account to one of default roles based on account type
-        migrateAccountsToDefaultRoles(conn, roleTypes);
-    }
-
-    private void migrateAccountsToDefaultRoles(final Connection conn, final RoleType[] roleTypes) {
-        // Migrate existing accounts to default roles based on account type
-        try (PreparedStatement selectStatement = conn.prepareStatement("SELECT `id`, `type` FROM `cloud`.`account`;");
-             ResultSet selectResultSet = selectStatement.executeQuery()) {
+    private void migrateAccountsToDefaultRoles(final Connection conn) {
+        try (final PreparedStatement selectStatement = conn.prepareStatement("SELECT `id`, `type` FROM `cloud`.`account`;");
+             final ResultSet selectResultSet = selectStatement.executeQuery()) {
             while (selectResultSet.next()) {
-                Long accountId = selectResultSet.getLong(1);
-                Short accountType = selectResultSet.getShort(2);
-                Long roleId = null;
-                for (RoleType roleType : roleTypes) {
-                    if (roleType.getAccountType() == accountType) {
-                        roleId = roleType.getId();
-                        break;
-                    }
-                }
-                // Skip is account type does not match any of the default roles
-                if (roleId == null) {
+                final Long accountId = selectResultSet.getLong(1);
+                final Short accountType = selectResultSet.getShort(2);
+                final Long roleId = RoleType.getByAccountType(accountType).getId();
+                if (roleId < 1L || roleId > 4L) {
+                    s_logger.warn("Skipping role ID migration due to invalid role_id resolved for account id=" + accountId);
                     continue;
                 }
-                try (PreparedStatement updateStatement = conn.prepareStatement("UPDATE `cloud`.`account` SET role_id = ? WHERE id = ?;")) {
+                try (final PreparedStatement updateStatement = conn.prepareStatement("UPDATE `cloud`.`account` SET account.role_id = ? WHERE account.id = ? ;")) {
                     updateStatement.setLong(1, roleId);
                     updateStatement.setLong(2, accountId);
                     updateStatement.executeUpdate();
@@ -138,33 +91,25 @@ private void migrateAccountsToDefaultRoles(final Connection conn, final RoleType
         s_logger.debug("Done migrating existing accounts to use one of default roles based on account type");
     }
 
-    private void setupRolesAndPermissionsForDynamicRBAC(final Connection conn) {
-        // If there are existing roles, avoid resetting data
-        try (PreparedStatement selectStatement = conn.prepareStatement("SELECT * FROM `cloud`.`roles`")) {
-            ResultSet resultSet = selectStatement.executeQuery();
-            if (resultSet != null && resultSet.next()) {
-                resultSet.close();
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug("Found existing roles. Skipping migration of commands.properties to dynamic roles table.");
-                }
+    private void setupRolesAndPermissionsForDynamicChecker(final Connection conn) {
+        final String alterTableSql = "ALTER TABLE `cloud`.`account` " +
+                "ADD COLUMN `role_id` bigint(20) unsigned COMMENT 'role id for this account' AFTER `type`, " +
+                "ADD KEY `fk_account__role_id` (`role_id`), " +
+                "ADD CONSTRAINT `fk_account__role_id` FOREIGN KEY (`role_id`) REFERENCES `roles` (`id`);";
+        try (final PreparedStatement pstmt = conn.prepareStatement(alterTableSql)) {
+            pstmt.executeUpdate();
+        } catch (SQLException e) {
+            if (e.getMessage().contains("role_id")) {
+                s_logger.warn("cloud.account table already has the role_id column, skipping altering table and migration of accounts");
                 return;
+            } else {
+                throw new CloudRuntimeException("Unable to create column quota_calculated in table cloud_usage.cloud_usage", e);
             }
-        } catch (SQLException e) {
-            s_logger.error("Unable to find existing roles, if you need to add default roles please add them manually. Giving up!");
-            return;
-        }
-
-        // Add default roles
-        RoleType[] roleTypes = new RoleType[] {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User};
-        for (RoleType roleType: roleTypes) {
-            createDefaultRole(conn, roleType.getId(), roleType.name(), roleType);
         }
 
-        // Add role_id column to account and map existing accounts to default roles
-        addRoleColumnAndMigrateAccountTable(conn, roleTypes);
+        migrateAccountsToDefaultRoles(conn);
 
-        // Add default set of role-api mapping when commands.properties file is not found
-        Map<String, String> apiMap = PropertiesUtil.processConfigFile(new String[] { PropertiesUtil.getDefaultApiCommandsFileName() });
+        final Map<String, String> apiMap = PropertiesUtil.processConfigFile(new String[] { PropertiesUtil.getDefaultApiCommandsFileName() });
         if (apiMap == null || apiMap.isEmpty()) {
             if (s_logger.isDebugEnabled()) {
                 s_logger.debug("The commands.properties file and default role permissions were not found. " +
@@ -175,33 +120,12 @@ private void setupRolesAndPermissionsForDynamicRBAC(final Connection conn) {
                 s_logger.error("Unable to find default role-api mapping sql file, please configure api per role manually");
                 return;
             }
-            try(FileReader reader = new FileReader(new File(script));) {
+            try(final FileReader reader = new FileReader(new File(script))) {
                 ScriptRunner runner = new ScriptRunner(conn, false, true);
                 runner.runScript(reader);
             } catch (SQLException | IOException e) {
                 s_logger.error("Unable to insert default api-role mappings from file: " + script + ". Please configure api per role manually, giving up!", e);
             }
-        } else {
-            // If commands.properties file exists, use it to create the mappings
-            for (RoleType roleType : roleTypes) {
-                // Allow all for root admin
-                if (roleType == RoleType.Admin) {
-                    createRoleMapping(conn, roleType.getId(), "*");
-                    continue;
-                }
-                for (Map.Entry<String, String> entry : apiMap.entrySet()) {
-                    String apiName = entry.getKey();
-                    String roleMask = entry.getValue();
-                    try {
-                        short cmdPermissions = Short.parseShort(roleMask);
-                        if ((cmdPermissions & roleType.getMask()) != 0) {
-                            createRoleMapping(conn, roleType.getId(), apiName);
-                        }
-                    } catch (NumberFormatException nfe) {
-                        s_logger.info("Malformed key=value pair for entry: " + entry.toString());
-                    }
-                }
-            }
         }
     }
 

engine/schema/src/org/apache/cloudstack/acl/RolePermissionVO.java

@@ -51,6 +51,9 @@ public class RolePermissionVO implements RolePermission {
     @Column(name = "description")
     private String description;
 
+    @Column(name = "sort_order")
+    private long sortOrder = 0;
+
     public RolePermissionVO() {
         this.uuid = UUID.randomUUID().toString();
     }
@@ -106,4 +109,12 @@ public String getDescription() {
     public void setDescription(String description) {
         this.description = description;
     }
+
+    public long getSortOrder() {
+        return sortOrder;
+    }
+
+    public void setSortOrder(long sortOrder) {
+        this.sortOrder = sortOrder;
+    }
 }

engine/schema/src/org/apache/cloudstack/acl/dao/RolePermissionsDao.java

@@ -23,5 +23,32 @@
 import java.util.List;
 
 public interface RolePermissionsDao extends GenericDao<RolePermissionVO, Long> {
-    List<RolePermissionVO> findAllByRoleId(Long roleId);
+    /**
+     * Adds a new role permission at the end of the list of role permissions
+     * @param item the new role permission
+     * @return returns persisted role permission
+     */
+    RolePermissionVO persist(final RolePermissionVO item);
+
+    /**
+     * Moves an existing role permission under a given parent role permission
+     * @param item an existing role permission
+     * @param parentId the new parent ID after move for the role permission
+     * @return returns true on success
+     */
+    boolean update(final RolePermissionVO item, final RolePermissionVO parent);
+
+    /**
+     * Removes an existing role permission and updates the ordered linked-list of role's permissions list
+     * @param id the ID of the role permission to be removed
+     * @return returns true on success
+     */
+    boolean remove(Long id);
+
+    /**
+     * Returns ordered linked-list of role permission for a given role
+     * @param roleId the ID of the role
+     * @return returns list of role permissions
+     */
+    List<RolePermissionVO> findAllByRoleIdSorted(Long roleId);
 }