Yair Zaslavsky has uploaded a new change for review. Change subject: engine: Adding Manipulate provider action group ......................................................................
engine: Adding Manipulate provider action group Adding a manipulate-provider action group and a Provider Manager role for permission handling of providers. Because manipulating providers was previously associated with the action group for creating a DC, the upgrade script must create permissions for all objects that have a permission with create DC on them. Change-Id: I360db0b3168331ca0c67335679bfc825461e5091 
Signed-off-by: Yair Zaslavsky <yzasl...@redhat.com> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/AddProviderCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCetificateCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/RemoveProviderCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/TestProviderConnectivityCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/UpdateProviderCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/AddSubnetToProviderCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/RemoveSubnetFromProviderCommand.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java M backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java M frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java M frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java M frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java M frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties A packaging/dbscripts/upgrade/03_06_0580_add_manipulate_provider_role.sql 16 files changed, 76 insertions(+), 13 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/94/35494/1 
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/AddProviderCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/AddProviderCommand.java
index 84ef462..f32563b 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/AddProviderCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/AddProviderCommand.java
@@ -56,7 +56,7 @@
 public List<PermissionSubject> getPermissionCheckSubjects() { return Collections.singletonList(new PermissionSubject(Guid.SYSTEM, VdcObjectType.System,
- ActionGroup.CREATE_STORAGE_POOL));
+ ActionGroup.MANIPULATE_PROVIDERS));
 } @Override
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java
index ecaf4e0..e389cbf 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCertificateChainCommand.java
@@ -53,7 +53,7 @@
 // Need to revisit that when designing the permission scheme for providers return Collections.singletonList(new PermissionSubject(Guid.SYSTEM, VdcObjectType.System,
- ActionGroup.CREATE_STORAGE_POOL));
+ ActionGroup.MANIPULATE_PROVIDERS));
 } private void saveChainToTrustStore(List<? extends Certificate> chain) {
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCetificateCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCetificateCommand.java
index d6338da..5c9e71e 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCetificateCommand.java
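Review bot: The context comment `// Need to revisit that when designing the permission scheme for providers` above the return in ImportProviderCertificateChainCommand (and the identical one in the ImportProviderCetificateCommand hunk) is stale now that the check names `ActionGroup.MANIPULATE_PROVIDERS`; it should be dropped or replaced. The subject remains `Guid.SYSTEM` / `VdcObjectType.System`, so as far as these hunks show the group is only honoured as a system-level grant; if that is intended, say so in its place, e.g. `// Checked on the System object: provider permissions are not scoped per provider`. The enclosing method starts outside the hunk.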
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/ImportProviderCetificateCommand.java
@@ -71,7 +71,7 @@
 // Need to revisit that when designing the permission scheme for providers return Collections.singletonList(new PermissionSubject(Guid.SYSTEM, VdcObjectType.System,
- ActionGroup.CREATE_STORAGE_POOL));
+ ActionGroup.MANIPULATE_PROVIDERS));
 } private void saveCertificateToTrustStore(final Certificate cert) {
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/RemoveProviderCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/RemoveProviderCommand.java
index ec721e6..5566aad 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/RemoveProviderCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/RemoveProviderCommand.java
@@ -69,7 +69,7 @@
 public List<PermissionSubject> getPermissionCheckSubjects() { return Collections.singletonList(new PermissionSubject(Guid.SYSTEM, VdcObjectType.System,
- ActionGroup.CREATE_STORAGE_POOL));
+ ActionGroup.MANIPULATE_PROVIDERS));
 } @Override
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/TestProviderConnectivityCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/TestProviderConnectivityCommand.java
index d9a481d..319ba17 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/TestProviderConnectivityCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/TestProviderConnectivityCommand.java
@@ -41,7 +41,7 @@
 public List<PermissionSubject> getPermissionCheckSubjects() { return Collections.singletonList(new PermissionSubject(Guid.SYSTEM, VdcObjectType.System,
- ActionGroup.CREATE_STORAGE_POOL));
+ ActionGroup.MANIPULATE_PROVIDERS));
 } }
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/UpdateProviderCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/UpdateProviderCommand.java
index 6352748..90a58bf 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/UpdateProviderCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/UpdateProviderCommand.java
@@ -73,7 +73,7 @@
 public List<PermissionSubject> getPermissionCheckSubjects() { return Collections.singletonList(new PermissionSubject(Guid.SYSTEM, VdcObjectType.System,
- ActionGroup.CREATE_STORAGE_POOL));
+ ActionGroup.MANIPULATE_PROVIDERS));
 } @Override
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/AddSubnetToProviderCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/AddSubnetToProviderCommand.java
index a622507..5e15d3a 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/AddSubnetToProviderCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/AddSubnetToProviderCommand.java
@@ -93,7 +93,7 @@
 public List<PermissionSubject> getPermissionCheckSubjects() { return Collections.singletonList(new PermissionSubject(Guid.SYSTEM, VdcObjectType.System,
- ActionGroup.CREATE_STORAGE_POOL));
+ ActionGroup.MANIPULATE_PROVIDERS));
 } @Override
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/RemoveSubnetFromProviderCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/RemoveSubnetFromProviderCommand.java
index 0a2c8b8..737679c 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/RemoveSubnetFromProviderCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/provider/network/RemoveSubnetFromProviderCommand.java
@@ -83,6 +83,6 @@
 public List<PermissionSubject> getPermissionCheckSubjects() { return Collections.singletonList(new PermissionSubject(Guid.SYSTEM, VdcObjectType.System,
- ActionGroup.CREATE_STORAGE_POOL));
+ ActionGroup.MANIPULATE_PROVIDERS));
 } }
diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java
index 4fd3d76..f8d3a78 100644
--- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java
+++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java
@@ -310,9 +310,9 @@
 AddExternalEvent(1500, ActionGroup.INJECT_EXTERNAL_EVENTS, QuotaDependency.NONE), // Providers
- AddProvider(1600, false, QuotaDependency.NONE),
- UpdateProvider(1601, false, QuotaDependency.NONE),
- RemoveProvider(1602, false, QuotaDependency.NONE),
+ AddProvider(1600, ActionGroup.MANIPULATE_PROVIDERS, false, QuotaDependency.NONE),
+ UpdateProvider(1601, ActionGroup.MANIPULATE_PROVIDERS, false, QuotaDependency.NONE),
+ RemoveProvider(1602, ActionGroup.MANIPULATE_PROVIDERS, false, QuotaDependency.NONE),
 TestProviderConnectivity(1603, false, QuotaDependency.NONE), ImportProviderCertificateChain(1604, false, QuotaDependency.NONE), AddNetworkOnProvider(1605, ActionGroup.CREATE_STORAGE_POOL_NETWORK, false, QuotaDependency.NONE),
diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java
index ea9bb44..c17d527 100644
--- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java
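Review bot: In the VdcActionType hunk, `TestProviderConnectivity(1603, ...)` and `ImportProviderCertificateChain(1604, ...)` stay without an action group in the context lines, although the TestProviderConnectivityCommand and ImportProviderCertificateChainCommand hunks of this same change now enforce `ActionGroup.MANIPULATE_PROVIDERS`. If the enum's action group is consumed anywhere besides the commands' own `getPermissionCheckSubjects()` (action filtering in the UI or REST layer, presumably), those two entries will disagree with the enforced check. Give them the same second argument, e.g. `TestProviderConnectivity(1603, ActionGroup.MANIPULATE_PROVIDERS, false, QuotaDependency.NONE),`. The certificate-import and subnet actions lie outside this hunk and should be checked for the same gap.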
+++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java
@@ -143,7 +143,9 @@
 CREATE_MAC_POOL(1660, RoleType.ADMIN, true, ApplicationMode.VirtOnly), EDIT_MAC_POOL(1661, RoleType.ADMIN, true, ApplicationMode.VirtOnly), DELETE_MAC_POOL(1662, RoleType.ADMIN, true, ApplicationMode.VirtOnly),
- CONFIGURE_MAC_POOL(1663, RoleType.ADMIN, true, ApplicationMode.VirtOnly);
+ CONFIGURE_MAC_POOL(1663, RoleType.ADMIN, true, ApplicationMode.VirtOnly),
+
+ MANIPULATE_PROVIDERS(1700, RoleType.ADMIN, true, ApplicationMode.AllModes);
 private int id;
diff --git a/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java b/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java
index 6ea1c7e..b74e931 100644
--- a/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java
+++ b/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java
@@ -118,6 +118,7 @@
 AUDIT_LOG_MANAGEMENT, // affinity groups CRUD commands MANIPULATE_AFFINITY_GROUPS,
+ MANIPULATE_PROVIDER,
 // Mac Pool action groups CREATE_MAC_POOL,
diff --git a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java
index 85653f6..aa1f3b3 100644
--- a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java
+++ b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java
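Review bot: The REST permit added in the PermitType hunk is spelled `MANIPULATE_PROVIDER`, while the engine action group added in ActionGroup.java is `MANIPULATE_PROVIDERS`. If the REST layer pairs permits with action groups by name (the mapper is not visible here), the new group would not resolve and could not be listed or assigned through the API; rename the entry to `MANIPULATE_PROVIDERS,`. It also lands under the `// affinity groups CRUD commands` comment, so it should get its own heading such as `// provider action groups`.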
@@ -78,7 +78,9 @@
 createVmRoleTree(), createVmPoolRoleTree(), createDiskRoleTree(),
- createMacPoolRoleTree() });
+ createMacPoolRoleTree(),
+ createProivderRoleTree()
+ });
 // nothing to filter if (!ApplicationModeHelper.getUiMode().equals(ApplicationMode.AllModes)) {
@@ -87,6 +89,14 @@
 return tree; }
+ private static RoleNode createProivderRoleTree() {
+ return new RoleNode(getConstants().macPoolTree(), new RoleNode[] {
+ new RoleNode(getConstants().basicOperationsRoleTree(), new RoleNode[] {
+ new RoleNode(ActionGroup.MANIPULATE_ROLES, getConstants().allowToManipulateProvider())
+ })
+ });
+ }
+
 protected static RoleNode createMacPoolRoleTree() { return new RoleNode(getConstants().macPoolTree(), new RoleNode[]{ new RoleNode(getConstants().basicOperationsRoleTree(), new RoleNode[]{
diff --git a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java
index bdcbbc8..e21dbf1 100644
--- a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java
+++ b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java
@@ -199,6 +199,8 @@
 String ActionGroup___DELETE_NETWORK_VNIC_PROFILE(); String ActionGroup___MANIPULATE_AFFINITY_GROUPS();
+
+ String ActionGroup___MANIPULATE_PROVIDERS();
 // Gluster action groups String ActionGroup___CREATE_GLUSTER_VOLUME();
diff --git a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java
index fde7b44..c2d00ec 100644
--- a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java
+++ b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java
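Review bot: The leaf node in `createProivderRoleTree()` (second RoleTreeView hunk) is bound to `ActionGroup.MANIPULATE_ROLES`, not to the `MANIPULATE_PROVIDERS` group this change introduces, so ticking the provider entry in the role editor would grant the right to manipulate roles, an unintended privilege grant, while MANIPULATE_PROVIDERS itself stays unassignable from this tree. The line should read `new RoleNode(ActionGroup.MANIPULATE_PROVIDERS, getConstants().allowToManipulateProvider())`. The root node also reuses `getConstants().macPoolTree()` as its title, so the section would be labelled as the MAC pool tree; it needs a title constant of its own, and none is added in the UIConstants hunk. The method name is misspelled (`createProivderRoleTree`) at both the definition and the call in the first hunk, and it is `private` where the sibling `createMacPoolRoleTree()` is `protected`.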
@@ -2426,6 +2426,9 @@
 @DefaultStringValue("Configure") String allowToUseMacPoolTooltip();
+ @DefaultStringValue("Configure")
+ String allowToManipulateProvider();
+
 @DefaultStringValue("The following volumes were found not to be of the suggested replica-3 type : \n") String optimiseForVirtStoreWarning();
diff --git a/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties b/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
index 4289f4b..b41f9f0 100644
--- a/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
+++ b/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
@@ -100,6 +100,7 @@
 ActionGroup___MANIPULATE_GLUSTER_HOOK=Manipulate Gluster Hook ActionGroup___MANIPULATE_GLUSTER_SERVICE=Manipulate Service ActionGroup___MANIPULATE_AFFINITY_GROUPS=Manipulate Affinity Groups
+ActionGroup___MANIPULATE_PROVIDERS=Manipulate External Providers
 ActionGroup___CREATE_MAC_POOL=Create ActionGroup___EDIT_MAC_POOL=Edit Settings ActionGroup___DELETE_MAC_POOL=Delete
diff --git a/packaging/dbscripts/upgrade/03_06_0580_add_manipulate_provider_role.sql b/packaging/dbscripts/upgrade/03_06_0580_add_manipulate_provider_role.sql
new file mode 100644
index 0000000..40f4d0f
--- /dev/null
+++ b/packaging/dbscripts/upgrade/03_06_0580_add_manipulate_provider_role.sql
@@ -0,0 +1,44 @@
+Create or replace FUNCTION __temp_add_manipulate_provider_action_group()
+RETURNS VOID
+ AS $procedure$
+ DECLARE
+ v_SUPER_USER_ID UUID;
+ v_DATA_CENTER_ADMIN_ID UUID;
+ v_MANIPULATE_PROVIDER_ACTION_GROUP_ID INTEGER;
+ v_PROVIDER_MANAGER_ROLE_ID UUID;
+ v_CREATE_STORAGE_POOL_ACTION_GROUP_ID INTEGER;
+
+BEGIN
+ v_SUPER_USER_ID := '00000000-0000-0000-0000-000000000001';
+ v_DATA_CENTER_ADMIN_ID := 'DEF00002-0000-0000-0000-DEF000000002';
+ v_MANIPULATE_PROVIDER_ACTION_GROUP_ID = 1700;
+ v_CREATE_STORAGE_POOL_ACTION_GROUP_ID = 700;
+ v_PROVIDER_MANAGER_ROLE_ID := 'DEF00011-0000-0000-0000-DEF000001616';
+
+INSERT INTO roles_groups (role_id, action_group_id) VALUES (V_SUPER_USER_ID, V_MANIPULATE_PROVIDER_ACTION_GROUP_ID);
+INSERT INTO roles_groups (role_id, action_group_id) VALUES (V_DATA_CENTER_ADMIN_ID, V_MANIPULATE_PROVIDER_ACTION_GROUP_ID);
+INSERT INTO roles(id, name, description, is_readonly, role_type, allows_viewing_children, app_mode)
+SELECT v_PROVIDER_MANAGER_ROLE_ID, 'ProviderManager', 'Provider Manager', true, 1, true, 255
+ WHERE NOT EXISTS (
+ SELECT id FROM roles
+ WHERE id = v_PROVIDER_MANAGER_ROLE_ID
+ );
+INSERT INTO roles_groups (role_id, action_group_id) VALUES (v_PROVIDER_MANAGER_ROLE_ID, V_MANIPULATE_PROVIDER_ACTION_GROUP_ID);
+
+
+--As the role for manipulating providers have changed, we must give
+--Permissions to those who are assigned with CREATE_SOTRAGE_POOL_ID
+--to be able to manipulate providers as well
+INSERT INTO permissions (id, role_id, ad_element_id, object_id, object_type_id)
+ SELECT uuid_generate_v1(), v_PROVIDER_MANAGER_ROLE_ID, ad_element_id, object_id, object_type_id from permissions
+ WHERE role_id IN (
+ SELECT role_id FROM roles_groups where action_group_id = v_CREATE_STORAGE_POOL_ACTION_GROUP_ID
+ );
+
+END; $procedure$
+
+LANGUAGE plpgsql;
+
+select __temp_add_manipulate_provider_action_group();
+drop function __temp_add_manipulate_provider_action_group();
+
-- To view, visit http://gerrit.ovirt.org/35494
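Review bot: The permission back-fill at the end of the function grants more rows than it needs to and can create duplicates. It copies a ProviderManager permission for every existing permission whose role contains action group 700, with no de-duplication, so a principal holding two such roles on the same object gets two rows. Holders of the SuperUser and DataCenterAdmin roles, which receive group 1700 directly a few lines earlier, get a redundant extra grant if those roles contain group 700, which seems likely. The three `INSERT INTO roles_groups` statements are also unguarded, unlike the `INSERT INTO roles` between them, so the script is only partly re-runnable. A guarded form is sketched below; the combined roles_groups insert has to run after the role row is created. The comment above the back-fill misspells the group as `CREATE_SOTRAGE_POOL_ID`, and the assignments mix `:=` and `=`.

```sql
-- … unchanged: declarations, assignments and the guarded INSERT INTO roles …
INSERT INTO roles_groups (role_id, action_group_id)
SELECT r.role_id, v_MANIPULATE_PROVIDER_ACTION_GROUP_ID
  FROM (VALUES (v_SUPER_USER_ID), (v_DATA_CENTER_ADMIN_ID), (v_PROVIDER_MANAGER_ROLE_ID)) AS r(role_id)
 WHERE NOT EXISTS (
       SELECT 1 FROM roles_groups rg
        WHERE rg.role_id = r.role_id
          AND rg.action_group_id = v_MANIPULATE_PROVIDER_ACTION_GROUP_ID);

-- Back-fill only principals that would otherwise lose provider access,
-- one row per (principal, object).
INSERT INTO permissions (id, role_id, ad_element_id, object_id, object_type_id)
SELECT uuid_generate_v1(), v_PROVIDER_MANAGER_ROLE_ID, p.ad_element_id, p.object_id, p.object_type_id
  FROM (SELECT DISTINCT ad_element_id, object_id, object_type_id
          FROM permissions
         WHERE role_id IN (SELECT role_id FROM roles_groups
                            WHERE action_group_id = v_CREATE_STORAGE_POOL_ACTION_GROUP_ID)
           AND role_id NOT IN (v_SUPER_USER_ID, v_DATA_CENTER_ADMIN_ID)) AS p;
-- … unchanged: END, LANGUAGE clause, call and drop of the temporary function …
```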
Gerrit-MessageType: newchange Gerrit-Change-Id: I360db0b3168331ca0c67335679bfc825461e5091 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com>