Gilad Chaplik has uploaded a new change for review. Change subject: engine: back-compat for disk profiles ......................................................................
engine: back-compat for disk profiles Adding a second disk profile to a storage domain forces the user to specify a disk profile, which breaks backward compatibility for clients that never set one. This patch solves it by selecting a disk profile from the disk profiles the user is permitted to attach. * Adds an 'attach disk profile' role. * Adds an 'everyone' permission on that role to all disk profiles. * User query fetches only the disk profiles the user has permission on. * Already attached disk profiles (without permissions) are still shown in the UI. * Specific error message for disk profile authorization failures (instead of the generic one). Change-Id: Ie1910a086e46cbbf8eb2e40a6e6f185a2c5fa3aa Bug-Url: https://bugzilla.redhat.com/1160846 
Signed-off-by: Gilad Chaplik <gchap...@redhat.com> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddDiskCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommonVmPoolWithVmsCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmTemplateCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/MoveOrCopyDiskCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RegisterDiskCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmDiskCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/lsm/LiveMigrateVmDisksCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/AddDiskProfileCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/DiskProfileHelper.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java M backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties M backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java M backend/manager/modules/dal/src/test/resources/fixtures.xml M backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java M backend/manager/modules/restapi/types/src/main/java/org/ovirt/engine/api/restapi/types/PermitMapper.java M 
frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java M frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java M frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java M frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java M frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties M frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties M frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties M packaging/dbscripts/create_views.sql M packaging/dbscripts/disk_profiles_sp.sql A packaging/dbscripts/upgrade/03_05_1220_attach_disk_profile_permission.sql 30 files changed, 234 insertions(+), 39 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/17/36817/1 diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddDiskCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddDiskCommand.java index 814fb9d..2f74cac 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddDiskCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddDiskCommand.java @@ -605,7 +605,7 @@ protected boolean setAndValidateDiskProfiles() { return validate(DiskProfileHelper.setAndValidateDiskProfiles(Collections.singletonMap(getDiskImageInfo(), - getStorageDomainId()), getStoragePool().getcompatibility_version())); + getStorageDomainId()), getStoragePool().getcompatibility_version(), getCurrentUser())); } @Override 
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java index 0f7ce8c..999c8d8 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java @@ -647,7 +647,7 @@ map.put(diskImage, diskImage.getStorageIds().get(0)); } return validate(DiskProfileHelper.setAndValidateDiskProfiles(map, - getStoragePool().getcompatibility_version())); + getStoragePool().getcompatibility_version(), getCurrentUser())); } return true; } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java index 8a1c35f..a722a04 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java @@ -455,7 +455,7 @@ map.put(diskImage, diskImage.getStorageIds().get(0)); } return validate(DiskProfileHelper.setAndValidateDiskProfiles(map, - getStoragePool().getcompatibility_version())); + getStoragePool().getcompatibility_version(), getCurrentUser())); } return true; } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommonVmPoolWithVmsCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommonVmPoolWithVmsCommand.java index 63dd741..ecb90ee 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommonVmPoolWithVmsCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommonVmPoolWithVmsCommand.java 
@@ -416,7 +416,7 @@ map.put(diskImage, diskImage.getStorageIds().get(0)); } return validate(DiskProfileHelper.setAndValidateDiskProfiles(map, - getStoragePool().getcompatibility_version())); + getStoragePool().getcompatibility_version(), getCurrentUser())); } return true; } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmCommand.java index 8f0593f..60cd702 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmCommand.java @@ -1340,7 +1340,7 @@ } } return validate(DiskProfileHelper.setAndValidateDiskProfiles(map, - getStoragePool().getcompatibility_version())); + getStoragePool().getcompatibility_version(), getCurrentUser())); } return true; } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmTemplateCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmTemplateCommand.java index 26c88d0..271c180 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmTemplateCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ImportVmTemplateCommand.java @@ -553,7 +553,7 @@ map.put(diskImage, imageToDestinationDomainMap.get(diskImage.getId())); } return validate(DiskProfileHelper.setAndValidateDiskProfiles(map, - getStoragePool().getcompatibility_version())); + getStoragePool().getcompatibility_version(), getCurrentUser())); } return true; } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/MoveOrCopyDiskCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/MoveOrCopyDiskCommand.java index c4da09c..904f254 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/MoveOrCopyDiskCommand.java 
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/MoveOrCopyDiskCommand.java @@ -404,7 +404,7 @@ protected boolean setAndValidateDiskProfiles() { getImage().setDiskProfileId(getParameters().getDiskProfileId()); return validate(DiskProfileHelper.setAndValidateDiskProfiles(Collections.singletonMap(getImage(), - getParameters().getStorageDomainId()), getStoragePool().getcompatibility_version())); + getParameters().getStorageDomainId()), getStoragePool().getcompatibility_version(), getCurrentUser())); } @Override diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java index 41dcb5d..6dcfcc5 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java @@ -26,7 +26,8 @@ INSTANCE_OPERATOR(new Guid("DEF00012-0000-0000-0000-DEF000000012")), TAG_ADMIN(new Guid("DEF00011-0000-0000-0000-DEF000000013")), BOOKMARK_ADMIN(new Guid("DEF00011-0000-0000-0000-DEF000000014")), - EVENT_NOTIFICATION_ADMIN(new Guid("DEF00011-0000-0000-0000-DEF000000015")); + EVENT_NOTIFICATION_ADMIN(new Guid("DEF00011-0000-0000-0000-DEF000000015")), + DISK_PROFILE_USER(new Guid("DEF00020-0000-0000-0000-ABC000000010")); private Guid id; diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RegisterDiskCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RegisterDiskCommand.java index 7257437..2eedecf 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RegisterDiskCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RegisterDiskCommand.java 
@@ -93,7 +93,9 @@ protected boolean setAndValidateDiskProfiles() { return validate(DiskProfileHelper.setAndValidateDiskProfiles(Collections.singletonMap(getParameters().getDiskImage(), - getStorageDomainId()), getStoragePool().getcompatibility_version())); + getStorageDomainId()), + getStoragePool().getcompatibility_version(), + getCurrentUser())); } @Override diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmDiskCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmDiskCommand.java index 238da5b..68c8ff4 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmDiskCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/UpdateVmDiskCommand.java @@ -586,10 +586,15 @@ protected boolean setAndValidateDiskProfiles() { if (isDiskImage()) { DiskImage diskImage = (DiskImage) getNewDisk(); + // when disk profile isn't updated, skip check. + if (diskImage.getDiskProfileId() != null + && diskImage.getDiskProfileId().equals(((DiskImage) getOldDisk()).getDiskProfileId())) { + return true; + } Map<DiskImage, Guid> map = new HashMap<>(); map.put(diskImage, diskImage.getStorageIds().get(0)); return validate(DiskProfileHelper.setAndValidateDiskProfiles(map, - getStoragePool().getcompatibility_version())); + getStoragePool().getcompatibility_version(), getCurrentUser())); } return true; } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/lsm/LiveMigrateVmDisksCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/lsm/LiveMigrateVmDisksCommand.java index 7ac2fc7..5b6b4d5 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/lsm/LiveMigrateVmDisksCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/lsm/LiveMigrateVmDisksCommand.java 
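Review bot: The new early return in UpdateVmDiskCommand.setAndValidateDiskProfiles only covers a new disk that names the same profile id as the old one; if the update path lets the new disk arrive with a null profile id (a client that simply omits the field), DiskProfileHelper treats the disk as unassigned and assigns the first profile the user may attach, silently moving the disk off its current profile. Carrying the old value forward before the comparison makes "omitted" mean "unchanged": `if (diskImage.getDiskProfileId() == null) { diskImage.setDiskProfileId(((DiskImage) getOldDisk()).getDiskProfileId()); }` placed ahead of the existing equality check, so a legacy disk with no profile still falls through to the permitted-profile selection. The cast of getOldDisk() to DiskImage is guarded only by isDiskImage() on the new disk; presumably the disk type cannot change on update, but a short comment stating that assumption would help. The method ends inside the hunk; its callers are outside.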
@@ -265,7 +265,7 @@ map.put(diskImage, diskImage.getStorageIds().get(0)); } return validate(DiskProfileHelper.setAndValidateDiskProfiles(map, - getStoragePool().getcompatibility_version())); + getStoragePool().getcompatibility_version(), getCurrentUser())); } @Override diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/AddDiskProfileCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/AddDiskProfileCommand.java index c4eb735..94ef72b 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/AddDiskProfileCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/AddDiskProfileCommand.java @@ -3,10 +3,13 @@ import java.util.Collections; import java.util.List; +import org.ovirt.engine.core.bll.MultiLevelAdministrationHandler; +import org.ovirt.engine.core.bll.PredefinedRoles; import org.ovirt.engine.core.bll.utils.PermissionSubject; import org.ovirt.engine.core.common.AuditLogType; import org.ovirt.engine.core.common.VdcObjectType; import org.ovirt.engine.core.common.action.DiskProfileParameters; +import org.ovirt.engine.core.common.businessentities.Permissions; import org.ovirt.engine.core.common.businessentities.profiles.DiskProfile; import org.ovirt.engine.core.common.errors.VdcBllMessages; import org.ovirt.engine.core.dao.profiles.ProfilesDao; @@ -45,4 +48,17 @@ public AuditLogType getAuditLogTypeValue() { return getSucceeded() ? AuditLogType.USER_ADDED_DISK_PROFILE : AuditLogType.USER_FAILED_TO_ADD_DISK_PROFILE; } + + @Override + protected void executeCommand() { + super.executeCommand(); + addPermission(); + } + + private void addPermission() { + MultiLevelAdministrationHandler.addPermission(new Permissions(MultiLevelAdministrationHandler.EVERYONE_OBJECT_ID, + PredefinedRoles.DISK_PROFILE_USER.getId(), + getProfileId(), + VdcObjectType.DiskProfile)); + } } 
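Review bot: addPermission() runs unconditionally after super.executeCommand(), so a profile insert that did not succeed still writes an Everyone/DISK_PROFILE_USER permission row for getProfileId(); guard it with `if (getSucceeded()) { addPermission(); }`. Granting Everyone on every new profile is the backward-compatibility choice the description explains, but it also means the new ATTACH_DISK_PROFILE check restricts nothing until an administrator removes that grant per profile, so a comment on addPermission() such as `// Backward compat: every new profile is attachable by everyone until an admin revokes this grant` would stop the next reader from treating it as an oversight. If disk profiles are also created outside this command (for example a default profile on storage-domain creation), that path would not receive the grant and users would be unable to attach it; worth confirming. The class continues outside the hunk.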
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/DiskProfileHelper.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/DiskProfileHelper.java index 0d5337c..3acbcf4 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/DiskProfileHelper.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/profiles/DiskProfileHelper.java @@ -1,18 +1,24 @@ package org.ovirt.engine.core.bll.profiles; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Map.Entry; +import java.util.Set; import org.ovirt.engine.core.bll.ValidationResult; import org.ovirt.engine.core.common.FeatureSupported; +import org.ovirt.engine.core.common.VdcObjectType; +import org.ovirt.engine.core.common.businessentities.ActionGroup; import org.ovirt.engine.core.common.businessentities.DiskImage; +import org.ovirt.engine.core.common.businessentities.aaa.DbUser; import org.ovirt.engine.core.common.businessentities.profiles.DiskProfile; import org.ovirt.engine.core.common.errors.VdcBllMessages; import org.ovirt.engine.core.compat.Guid; import org.ovirt.engine.core.compat.Version; import org.ovirt.engine.core.dal.dbbroker.DbFacade; +import org.ovirt.engine.core.dao.PermissionDAO; import org.ovirt.engine.core.dao.profiles.DiskProfileDao; public class DiskProfileHelper { 
@@ -29,31 +35,39 @@ return profile; } - public static ValidationResult setAndValidateDiskProfiles(Map<DiskImage, Guid> map, Version version) { + public static ValidationResult setAndValidateDiskProfiles(Map<DiskImage, Guid> map, Version version, DbUser user) { if (map == null || !FeatureSupported.storageQoS(version)) { return ValidationResult.VALID; } Map<Guid, List<DiskProfile>> storageDiskProfilesMap = new HashMap<>(); + // caching disk profile ids that was already checked. + Set<Guid> permittedDiskProfilesIds = new HashSet<>(); for (Entry<DiskImage, Guid> entry : map.entrySet()) { DiskImage diskImage = entry.getKey(); Guid storageDomainId = entry.getValue(); - if (diskImage.getDiskProfileId() == null && storageDomainId != null) { // set disk profile if there's only 1 for SD. + if (diskImage.getDiskProfileId() == null && storageDomainId != null) { List<DiskProfile> diskProfilesList = storageDiskProfilesMap.get(storageDomainId); if (diskProfilesList == null) { diskProfilesList = getDiskProfileDao().getAllForStorageDomain(storageDomainId); storageDiskProfilesMap.put(storageDomainId, diskProfilesList); } - if (diskProfilesList.size() == 1) { - diskImage.setDiskProfileId(diskProfilesList.get(0).getId()); - } else { - return new ValidationResult(VdcBllMessages.ACTION_TYPE_DISK_PROFILE_EMPTY); + // Set Disk Profile according to permissions + if (!updateDiskProfileForBackwardCompatibility(diskImage, + diskProfilesList, + permittedDiskProfilesIds, + user)) { + return new ValidationResult(VdcBllMessages.USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE); } } else { + DiskProfile diskProfile = getDiskProfileDao().get(diskImage.getDiskProfileId()); ValidationResult result = - new DiskProfileValidator(getDiskProfileDao().get(diskImage.getDiskProfileId())).isParentEntityValid(storageDomainId); + new DiskProfileValidator(diskProfile).isParentEntityValid(storageDomainId); if (result != ValidationResult.VALID) { return result; + } + if (!isDiskProfilePermitted(diskProfile, 
permittedDiskProfilesIds, user)) { + return new ValidationResult(VdcBllMessages.USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE); } } } @@ -61,7 +75,35 @@ return ValidationResult.VALID; } + private static boolean updateDiskProfileForBackwardCompatibility(DiskImage diskImage, + List<DiskProfile> diskProfilesList, + Set<Guid> permittedDiskProfilesIds, + DbUser user) { + for (DiskProfile diskProfile : diskProfilesList) { + if (isDiskProfilePermitted(diskProfile, permittedDiskProfilesIds, user)) { + permittedDiskProfilesIds.add(diskProfile.getId()); + diskImage.setDiskProfileId(diskProfile.getId()); + return true; + } + } + return false; + } + + private static boolean isDiskProfilePermitted(DiskProfile diskProfile, + Set<Guid> permittedDiskProfilesIds, + DbUser user) { + return permittedDiskProfilesIds.contains(diskProfile.getId()) + || getPermissionDAO().getEntityPermissions(user.getId(), + ActionGroup.ATTACH_DISK_PROFILE, + diskProfile.getId(), + VdcObjectType.DiskProfile) != null; + } + private static DiskProfileDao getDiskProfileDao() { return DbFacade.getInstance().getDiskProfileDao(); } + + private static PermissionDAO getPermissionDAO() { + return DbFacade.getInstance().getPermissionDao(); + } } diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java index 6c4275d..c0758b8 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java 
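Review bot: updateDiskProfileForBackwardCompatibility assigns the first entry of getAllForStorageDomain() that the user may attach, so when a user holds the permission on several profiles of one domain the profile silently chosen depends on the DAO's row order, which nothing visible here guarantees; ordering the candidates (for example by name) or stating the tie-break in a comment would make the assignment reproducible. Since the auto-selection is now driven by the caller's permissions rather than by the domain having exactly one profile, a comment above the call such as `// no profile given: pick the first profile on this domain the user holds ATTACH_DISK_PROFILE on` would document the new contract. In the else branch the profile is fetched before the validator runs; if get() returns null for an unknown id, isDiskProfilePermitted would dereference it unless DiskProfileValidator rejects a null profile first, which is not visible in this hunk. The method's closing lines fall in the next hunk.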
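Review bot: isDiskProfilePermitted calls user.getId() without a null check, and setAndValidateDiskProfiles is now reached from every disk-creating command with getCurrentUser(); if any of those flows runs without a bound user (internal execution), this becomes a NullPointerException instead of a clean validation failure. The permittedDiskProfilesIds cache is also only filled by updateDiskProfileForBackwardCompatibility, so the explicit-profile path in the caller re-queries permissions for every disk that names the same profile. Folding both into the helper keeps the callers unchanged; failing closed on a missing user is the safer default, though if internal commands legitimately arrive without a user those callers should skip the check explicitly rather than rely on this.
```java
    private static boolean isDiskProfilePermitted(DiskProfile diskProfile,
            Set<Guid> permittedDiskProfilesIds,
            DbUser user) {
        if (permittedDiskProfilesIds.contains(diskProfile.getId())) {
            return true;
        }
        // No caller identity: fail closed instead of throwing; callers that run
        // without a user should skip this validation explicitly.
        if (user == null) {
            return false;
        }
        boolean permitted = getPermissionDAO().getEntityPermissions(user.getId(),
                ActionGroup.ATTACH_DISK_PROFILE,
                diskProfile.getId(),
                VdcObjectType.DiskProfile) != null;
        if (permitted) {
            // remember the grant so other disks naming the same profile skip the DB round-trip
            permittedDiskProfilesIds.add(diskProfile.getId());
        }
        return permitted;
    }
```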
@@ -137,8 +137,8 @@ // disk profiles CONFIGURE_STORAGE_DISK_PROFILE(1560, RoleType.ADMIN, true, ApplicationMode.VirtOnly), CREATE_STORAGE_DISK_PROFILE(1561, RoleType.ADMIN, true, ApplicationMode.VirtOnly), - DELETE_STORAGE_DISK_PROFILE(1562, RoleType.ADMIN, true, ApplicationMode.VirtOnly); - + DELETE_STORAGE_DISK_PROFILE(1562, RoleType.ADMIN, true, ApplicationMode.VirtOnly), + ATTACH_DISK_PROFILE(1563, RoleType.USER, true, ApplicationMode.VirtOnly); private int id; private RoleType roleType; diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java index fa0e199..64e13a8 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java @@ -1045,6 +1045,7 @@ ACTION_TYPE_CPU_PROFILE_NOT_MATCH_CLUSTER(ErrorType.BAD_PARAMETERS), ACTION_TYPE_CANNOT_REMOVE_LAST_CPU_PROFILE_IN_CLUSTER(ErrorType.NOT_SUPPORTED), ACTION_TYPE_CANNOT_REMOVE_LAST_DISK_PROFILE_IN_STORAGE_DOMAIN(ErrorType.NOT_SUPPORTED), + USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE(ErrorType.NO_PERMISSION), // Affinity Groups AFFINITY_GROUP_NAME_TOO_LONG(ErrorType.BAD_PARAMETERS), diff --git a/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties b/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties index b7ded7b..2a3b3af 100644 --- a/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties +++ b/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties 
@@ -1169,6 +1169,7 @@ ACTION_TYPE_CPU_PROFILE_NOT_MATCH_CLUSTER=Cannot ${action} ${type}. CPU Profile doesn't match provided Cluster. ACTION_TYPE_CANNOT_REMOVE_LAST_CPU_PROFILE_IN_CLUSTER=Cannot ${action} ${type}. Cannot remove last CPU profile in Cluster. ACTION_TYPE_CANNOT_REMOVE_LAST_DISK_PROFILE_IN_STORAGE_DOMAIN=Cannot ${action} ${type}. Cannot remove last Disk profile in Storage Domain. +USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE=Cannot ${action} ${type}. The user doesn't have permissions to attach Disk Profile to the Disk. # cluster policy errors ACTION_TYPE_FAILED_CLUSTER_POLICY_PARAMETERS_INVALID=Cannot ${action} ${type}. Parameters are invalid. diff --git a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java index 713caa2..8a381ae 100644 --- a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java +++ b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleDAOTest.java @@ -18,7 +18,7 @@ private static final String GROUP_IDS = "26df4393-659b-4b8a-b0f6-3ee94d32e82f,08963ba9-b1c8-498d-989f-75cf8142eab7"; private static final Guid USER_ID = new Guid("9bf7c640-b620-456f-a550-0348f366544b"); private static final Guid OTHER_USER_ID = new Guid("9bf7c640-b620-456f-a550-0348f366544a"); - private static final int ROLE_COUNT = 5; + private static final int ROLE_COUNT = 6; private RoleDAO dao; private Role existingRole; diff --git a/backend/manager/modules/dal/src/test/resources/fixtures.xml b/backend/manager/modules/dal/src/test/resources/fixtures.xml index 2e416dd..3fd8918 100644 --- a/backend/manager/modules/dal/src/test/resources/fixtures.xml +++ b/backend/manager/modules/dal/src/test/resources/fixtures.xml 
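Review bot: The only test change in RoleDAOTest is the ROLE_COUNT bump, which confirms the fixture role is loaded but exercises nothing of the new behaviour; neither the permission-driven selection in DiskProfileHelper.setAndValidateDiskProfiles nor the Everyone grant written by AddDiskProfileCommand is covered. A DAO-level case calling getEntityPermissions(USER_ID, ActionGroup.ATTACH_DISK_PROFILE, <profile id>, VdcObjectType.DiskProfile) against the two permission rows added to fixtures.xml (object type 29, presumably DiskProfile), plus a negative case for OTHER_USER_ID, would at least pin the authorization query the helper depends on. The test class continues outside the hunk.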
@@ -4738,6 +4738,15 @@ <value>true</value> <value>1</value> </row> + <row> + <value>def00020-0000-0000-0000-abc000000010</value> + <value>profile_user_role</value> + <null /> + <value>0</value> + <value>2</value> + <value>true</value> + <value>1</value> + </row> </table> <table name="roles_groups"> @@ -4895,6 +4904,20 @@ <value>1b26a52b-b60f-44cb-9f46-3ef333b04a37</value> <value>19</value> </row> + <row> + <value>2d2f2522-afd2-4964-a3b1-001cca295e47</value> + <value>def00020-0000-0000-0000-abc000000010</value> + <value>9bf7c640-b620-456f-a550-0348f366544b</value> + <value>fd81f1e1-785b-4579-ab75-1419ebb87052</value> + <value>29</value> + </row> + <row> + <value>2d2f2522-afd2-4964-a3b1-001cca295e48</value> + <value>def00020-0000-0000-0000-abc000000010</value> + <value>9bf7c640-b620-456f-a550-0348f366544b</value> + <value>a667da39-27b0-47ec-a5fa-d4293a62b222</value> + <value>29</value> + </row> </table> <table name="event_map"> diff --git a/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java b/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java index 01e9dc4..47d0b04 100644 --- a/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java +++ b/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java @@ -120,7 +120,8 @@ // disk profile CONFIGURE_STORAGE_DISK_PROFILE, CREATE_STORAGE_DISK_PROFILE, - DELETE_STORAGE_DISK_PROFILE; + DELETE_STORAGE_DISK_PROFILE, + ATTACH_DISK_PROFILE; public String value() { diff --git a/backend/manager/modules/restapi/types/src/main/java/org/ovirt/engine/api/restapi/types/PermitMapper.java b/backend/manager/modules/restapi/types/src/main/java/org/ovirt/engine/api/restapi/types/PermitMapper.java index 6796250..5885918 100644 
--- a/backend/manager/modules/restapi/types/src/main/java/org/ovirt/engine/api/restapi/types/PermitMapper.java +++ b/backend/manager/modules/restapi/types/src/main/java/org/ovirt/engine/api/restapi/types/PermitMapper.java @@ -198,6 +198,8 @@ return PermitType.CONFIGURE_STORAGE_DISK_PROFILE; case DELETE_STORAGE_DISK_PROFILE: return PermitType.DELETE_STORAGE_DISK_PROFILE; + case ATTACH_DISK_PROFILE: + return PermitType.ATTACH_DISK_PROFILE; default: return null; } @@ -360,6 +362,8 @@ return ActionGroup.CONFIGURE_STORAGE_DISK_PROFILE; case DELETE_STORAGE_DISK_PROFILE: return ActionGroup.DELETE_STORAGE_DISK_PROFILE; + case ATTACH_DISK_PROFILE: + return ActionGroup.ATTACH_DISK_PROFILE; default: return null; } diff --git a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java index ef89427..5e80c26 100644 --- a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java +++ b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java @@ -3156,6 +3156,9 @@ @DefaultStringValue("Cannot ${action} ${type}. Cannot remove last Disk profile in Storage Domain.") String ACTION_TYPE_CANNOT_REMOVE_LAST_DISK_PROFILE_IN_STORAGE_DOMAIN(); + @DefaultStringValue("Cannot ${action} ${type}. The user doesn't have permissions to attach Disk Profile to the Disk.") + String USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE(); + @DefaultStringValue("Cannot ${action}. New disk size cannot be smaller than the current.") String ACTION_TYPE_FAILED_REQUESTED_DISK_SIZE_IS_TOO_SMALL(); diff --git a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java index f801756..a7c6c05 100644 
--- a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java +++ b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java 
@@ -88,21 +88,29 @@ protected static RoleNode createDiskRoleTree() { return new RoleNode(getConstants().diskRoleTree(), - new RoleNode[] { new RoleNode(getConstants().provisioningOperationsRoleTree(), - getConstants().notePermissionsContainingOperationsRoleTreeTooltip(), - new RoleNode[] { - new RoleNode(ActionGroup.CREATE_DISK, getConstants().allowToCreateDiskRoleTreeTooltip()), - new RoleNode(ActionGroup.DELETE_DISK, getConstants().allowToDeleteDiskRoleTreeTooltip()), - new RoleNode(ActionGroup.CONFIGURE_DISK_STORAGE, - getConstants().allowToMoveDiskToAnotherStorageDomainRoleTreeTooltip()), - new RoleNode(ActionGroup.ATTACH_DISK, - getConstants().allowToAttachDiskToVmRoleTreeTooltip()), - new RoleNode(ActionGroup.EDIT_DISK_PROPERTIES, - getConstants().allowToChangePropertiesOfTheDiskRoleTreeTooltip()), - new RoleNode(ActionGroup.CONFIGURE_SCSI_GENERIC_IO, - getConstants().allowToChangeSGIORoleTreeTooltip()), - new RoleNode(ActionGroup.ACCESS_IMAGE_STORAGE, - getConstants().allowAccessImageDomainRoleTreeTooltip()) }) }); + new RoleNode[] { + new RoleNode(getConstants().provisioningOperationsRoleTree(), + getConstants().notePermissionsContainingOperationsRoleTreeTooltip(), + new RoleNode[] { + new RoleNode(ActionGroup.CREATE_DISK, + getConstants().allowToCreateDiskRoleTreeTooltip()), + new RoleNode(ActionGroup.DELETE_DISK, + getConstants().allowToDeleteDiskRoleTreeTooltip()), + new RoleNode(ActionGroup.CONFIGURE_DISK_STORAGE, + getConstants().allowToMoveDiskToAnotherStorageDomainRoleTreeTooltip()), + new RoleNode(ActionGroup.ATTACH_DISK, + getConstants().allowToAttachDiskToVmRoleTreeTooltip()), + new RoleNode(ActionGroup.EDIT_DISK_PROPERTIES, + getConstants().allowToChangePropertiesOfTheDiskRoleTreeTooltip()), + new RoleNode(ActionGroup.CONFIGURE_SCSI_GENERIC_IO, + getConstants().allowToChangeSGIORoleTreeTooltip()), + new RoleNode(ActionGroup.ACCESS_IMAGE_STORAGE, + getConstants().allowAccessImageDomainRoleTreeTooltip()) }), + new 
RoleNode(getConstants().attachDiskProfileRoleTree(), + getConstants().notePermissionsContainingDiskProfileOperationsRoleTreeTooltip(), + new RoleNode[] { + new RoleNode(ActionGroup.ATTACH_DISK_PROFILE, + getConstants().allowToAttachDiskProfileToDiskRoleTreeTooltip()) }) }); } protected static RoleNode createVmPoolRoleTree() { diff --git a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java index a948793..1b391ad 100644 --- a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java +++ b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java @@ -214,6 +214,8 @@ String ActionGroup___DELETE_STORAGE_DISK_PROFILE(); + String ActionGroup___ATTACH_DISK_PROFILE(); + String EventNotificationEntity___Host(); String EventNotificationEntity___VdsGroup(); diff --git a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java index bf7f134..9e7add3 100644 --- a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java +++ b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/UIConstants.java @@ -1330,6 +1330,9 @@ @DefaultStringValue("Allow to access image domain") String allowAccessImageDomainRoleTreeTooltip(); + @DefaultStringValue("Allow to attach Disk Profile to a Disk") + String allowToAttachDiskProfile(); + @DefaultStringValue("No") String noAlerts(); 
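Review bot: `allowToAttachDiskProfile()` added in this UIConstants hunk carries the same default string as `allowToAttachDiskProfileToDiskRoleTreeTooltip()` added in the next hunk, and RoleTreeView references only the latter, so the new constant appears unused in this change; drop it, or if it is intended for another screen, give it a distinct purpose comment. Duplicate UI strings tend to drift apart once translated. The interface continues outside the hunk.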
@@ -1525,6 +1528,15 @@
 @DefaultStringValue("VM Pool")
 String vmPoolRoleTree();
+ @DefaultStringValue("Disk Profile")
+ String attachDiskProfileRoleTree();
+
+ @DefaultStringValue("Note: Permissions containing these operations should be associated with Disk Profile or Storage Domain Object (or above)")
+ String notePermissionsContainingDiskProfileOperationsRoleTreeTooltip();
+
+ @DefaultStringValue("Allow to attach Disk Profile to a Disk")
+ String allowToAttachDiskProfileToDiskRoleTreeTooltip();
+
 // Error
 @DefaultStringValue("This Network does not exist in the Cluster")
 String thisNetworkDoesNotExistInTheClusterErr();
diff --git a/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties b/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
index 19e6151..2ce4bce 100644
--- a/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
+++ b/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
@@ -102,6 +102,7 @@
 ActionGroup___CONFIGURE_STORAGE_DISK_PROFILE=Manipulate Disk Profiles
 ActionGroup___CREATE_STORAGE_DISK_PROFILE=Create Disk Profiles
 ActionGroup___DELETE_STORAGE_DISK_PROFILE=Delete Disk Profiles
+ActionGroup___ATTACH_DISK_PROFILE=Attach Disk Profile
 EventNotificationEntity___Host=General Host Events:
 EventNotificationEntity___VdsGroup=Cluster Events:
 EventNotificationEntity___VirtHost=Virt Host Events:
diff --git a/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties b/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
index 21d77f7..46dcf2b 100644
--- a/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
+++ b/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
@@ -1066,4 +1066,5 @@
 CPU_TYPE_UNSUPPORTED_FOR_THE_GUEST_OS=The guest OS doesn't support the following CPUs: ${unsupportedCpus}. Its possible to change the cluster cpu or set a different one per VM
 BALLOON_REQUESTED_ON_NOT_SUPPORTED_ARCH=Cannot ${action} ${type}. Balloon is not supported on '${clusterArch}' architecture.
+USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE=Cannot ${action} ${type}. The user doesn't have permissions to attach Disk Profile to the Disk.
diff --git a/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties b/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
index f5b07b0..41f3644 100644
--- a/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
+++ b/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
@@ -1138,6 +1138,7 @@
 ACTION_TYPE_CPU_PROFILE_NOT_MATCH_CLUSTER=Cannot ${action} ${type}. CPU Profile doesn't match provided Cluster.
 ACTION_TYPE_CANNOT_REMOVE_LAST_CPU_PROFILE_IN_CLUSTER=Cannot ${action} ${type}. Cannot remove last CPU profile in Cluster.
 ACTION_TYPE_CANNOT_REMOVE_LAST_DISK_PROFILE_IN_STORAGE_DOMAIN=Cannot ${action} ${type}. Cannot remove last Disk profile in Storage Domain.
+USER_NOT_AUTHORIZED_TO_ATTACH_DISK_PROFILE=Cannot ${action} ${type}. The user doesn't have permissions to attach Disk Profile to the Disk.
 # cluster policy errors
 ACTION_TYPE_FAILED_CLUSTER_POLICY_PARAMETERS_INVALID=Cannot ${action} ${type}. Parameters are invalid.
diff --git a/packaging/dbscripts/create_views.sql b/packaging/dbscripts/create_views.sql
index 2532d62..e63f5c1 100644
--- a/packaging/dbscripts/create_views.sql
+++ b/packaging/dbscripts/create_views.sql
@@ -1701,6 +1701,20 @@
 FROM user_network_permissions_view_base
 NATURAL JOIN user_flat_groups;
+-- Permissions on disk profiles
+-- The user has permissions on the disk profile directly
+CREATE OR REPLACE VIEW user_disk_profile_permissions_view_base (entity_id, granted_id)
+AS
+SELECT object_id, ad_element_id
+FROM internal_permissions_view
+WHERE object_type_id = 29 AND role_type = 2;
+
+CREATE OR REPLACE VIEW user_disk_profile_permissions_view (entity_id, user_id)
+AS
+SELECT DISTINCT entity_id, user_id
+FROM user_disk_profile_permissions_view_base
+NATURAL JOIN user_flat_groups;
+
 CREATE OR REPLACE VIEW gluster_volumes_view
 AS
 SELECT gluster_volumes.*,
diff --git a/packaging/dbscripts/disk_profiles_sp.sql b/packaging/dbscripts/disk_profiles_sp.sql
index 59331ec..e5f3f09 100644
--- a/packaging/dbscripts/disk_profiles_sp.sql
+++ b/packaging/dbscripts/disk_profiles_sp.sql
@@ -87,8 +87,8 @@
 FROM disk_profiles
 WHERE storage_domain_id = v_storage_domain_id
 AND (NOT v_is_filtered OR EXISTS (SELECT 1
- FROM user_storage_domain_permissions_view
- WHERE user_id = v_user_id AND entity_id = v_storage_domain_id));
+ FROM user_disk_profile_permissions_view
+ WHERE user_id = v_user_id AND entity_id = disk_profiles.id));
 END; $procedure$
 LANGUAGE plpgsql;
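Review bot: `user_disk_profile_permissions_view_base` only picks up grants made directly on the disk profile object (`object_type_id = 29`), while the role-tree tooltip added in this same change tells admins the permission may be given on the Disk Profile or on the Storage Domain "(or above)"; a user holding `DiskProfileUser` on the storage domain produces no row here. Either add branches that resolve grants through `disk_profiles.storage_domain_id` and the higher levels, the way the neighbouring `user_network_permissions_view_base` presumably does (its definition sits above the hunk), or correct the tooltip so the documented grant location is one the filtered query honours. The two bare literals also deserve a comment, e.g. `WHERE object_type_id = 29 -- disk profile object type` and `AND role_type = 2 -- user role`, mirroring the `-- disk profile object id` label the upgrade script in this change already uses.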
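Review bot: The filtered branch of this function now rests entirely on a row in `user_disk_profile_permissions_view`, and the previous storage-domain check is removed rather than kept as an alternative, so a user whose only grant is on the storage domain stops seeing any profile here — a tightening for existing deployments that the commit message does not mention. If that is intended, a comment above the EXISTS such as `-- visibility is per profile: the upgrade script's Everyone grant on each existing profile is what keeps old behaviour` would save the next reader a trip to the view definition; if not, keeping the old `user_storage_domain_permissions_view` EXISTS as an OR alternative restores it. Note that profiles with no grant at all are invisible to the filtered caller even when already attached; the commit message says those are handled in the UI, which this query cannot see. The enclosing function starts outside the hunk.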
@@ -0,0 +1,57 @@
+Create or replace FUNCTION __temp_set_disk_profiles_permissions()
+RETURNS VOID
+ AS $procedure$
+ DECLARE
+ v_DISK_PROFILE_USER_ID UUID;
+
+BEGIN
+ v_DISK_PROFILE_USER_ID := 'DEF00020-0000-0000-0000-ABC000000010';
+
+ -- Add disk_profile_user role
+ INSERT INTO roles(id,name,description,is_readonly,role_type, app_mode) SELECT v_DISK_PROFILE_USER_ID, 'DiskProfileUser', 'Disk Profile User', true, 2, 1
+ WHERE NOT EXISTS (SELECT id,name,description,is_readonly,role_type
+ FROM roles
+ WHERE id = v_DISK_PROFILE_USER_ID
+ AND name='DiskProfileUser'
+ AND description='Disk Profile User'
+ AND is_readonly=true
+ AND role_type=2
+ AND app_mode=1);
+
+ -- Add 'Attach disk profile' action group to roles:
+ -- newly created disk profile user
+ PERFORM fn_db_add_action_group_to_role(v_DISK_PROFILE_USER_ID, 1563);
+
+ -- Add action group to each role that contains CRUD action groups on disk profile
+ -- 1560- CONFIGURE_STORAGE_DISK_PROFILE, 1561- CREATE_STORAGE_DISK_PROFILE, 1562- DELETE_STORAGE_DISK_PROFILE
+ INSERT INTO roles_groups (role_id, action_group_id)
+ SELECT DISTINCT role_id, 1563
+ FROM roles_groups a
+ WHERE NOT EXISTS (SELECT 1
+ FROM roles_groups b
+ WHERE b.role_id = a.role_id
+ AND b.action_group_id = 1563)
+ AND EXISTS (SELECT 1
+ FROM roles_groups b
+ WHERE b.role_id = a.role_id
+ AND (b.action_group_id = 1560 OR b.action_group_id = 1561 OR b.action_group_id = 1562));
+
+ -- Add permission EVERYONE on DiskProfileUser role on each disk profile.
+ INSERT INTO permissions(id,
+ role_id,
+ ad_element_id,
+ object_id,
+ object_type_id)
+ SELECT uuid_generate_v1(),
+ v_DISK_PROFILE_USER_ID,
+ 'EEE00000-0000-0000-0000-123456789EEE', -- Everyone
+ disk_profiles.id,
+ 29 -- disk profile object id
+ FROM disk_profiles;
+
+END; $procedure$
+LANGUAGE plpgsql;
+
+SELECT __temp_set_disk_profiles_permissions();
+DROP function __temp_set_disk_profiles_permissions();
+
-- 
To view, visit http://gerrit.ovirt.org/36817
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie1910a086e46cbbf8eb2e40a6e6f185a2c5fa3aa
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.5
Gerrit-Owner: Gilad Chaplik <gchap...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
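Review bot: The `INSERT INTO permissions ... FROM disk_profiles` at the end of the function has no existence guard, unlike the roles insert above it, so running `__temp_set_disk_profiles_permissions()` a second time (or on a database where some profile already carries this grant) adds another Everyone row per disk profile under a fresh `uuid_generate_v1()`; the rewrite below makes it idempotent on (role_id, ad_element_id, object_id, object_type_id). The roles guard has the opposite weakness: it matches on every column, so a pre-existing row with the same id but a different description would hit the primary key instead of being skipped — matching on `id` alone is the safer check. Since this grants Everyone the attach permission on every existing profile, it deliberately widens who can attach a profile (and its QoS) to a disk; a comment stating that admins must remove the grant from profiles they meant to keep restricted would make the trade-off explicit in the migration.
```sql
    -- Add permission EVERYONE on DiskProfileUser role on each disk profile
    -- (guarded so re-running the upgrade does not duplicate the grant).
    INSERT INTO permissions(id, role_id, ad_element_id, object_id, object_type_id)
    SELECT uuid_generate_v1(),
           v_DISK_PROFILE_USER_ID,
           'EEE00000-0000-0000-0000-123456789EEE', -- Everyone
           dp.id,
           29 -- disk profile object id
    FROM disk_profiles dp
    WHERE NOT EXISTS (SELECT 1
                      FROM permissions p
                      WHERE p.role_id = v_DISK_PROFILE_USER_ID
                        AND p.ad_element_id = 'EEE00000-0000-0000-0000-123456789EEE'
                        AND p.object_id = dp.id
                        AND p.object_type_id = 29);
```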