Moti Asayag has uploaded a new change for review. Change subject: engine: Update roles to support Network permissions ......................................................................
engine: Update roles to support Network permissions
The patch introduces a new role for network users: NetworkUser which provides the user the permissions for attaching a network to its VM. In addition, the upgrade script contains the roles and permissions updates as described on the feature page:
1. Separate CONFIGURE_STORAGE_POOL_NETWORK to three roles:
1.1. CREATE_STORAGE_POOL_NETWORK
1.2. DELETE_STORAGE_POOL_NETWORK
1.3. CONFIGURE_STORAGE_POOL_NETWORK - acts as EDIT action group
2. Associate ASSIGN_CLUSTER_NETWORK action group with SUPER_USER, DATA_CENTER_ADMIN and NETWORK_ADMIN.
3. Update Network Admin role
4. Grant 'NetworkUser' permission to 'everyone' for all of the networks.
Change-Id: I5b1d13c7578e6c5fcbf0852cb63b1f6bc51a511d
Signed-off-by: Moti Asayag <masa...@redhat.com>
---
A backend/manager/dbscripts/upgrade/03_02_0020_add_permissions_on_networks.sql
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java
2 files changed, 153 insertions(+), 1 deletion(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/39/9539/1
diff --git a/backend/manager/dbscripts/upgrade/03_02_0020_add_permissions_on_networks.sql b/backend/manager/dbscripts/upgrade/03_02_0020_add_permissions_on_networks.sql
new file mode 100644
index 0000000..cc3118a
--- /dev/null
+++ b/backend/manager/dbscripts/upgrade/03_02_0020_add_permissions_on_networks.sql
@@ -0,0 +1,151 @@
+-- Update existing roles with action groups and introduce new networks role
+
+-- Helper method for adding an action group to a role if doesn't exist
+CREATE OR REPLACE FUNCTION __temp_add_action_group_to_role_03_02_0020(v_role_id UUID, v_action_group_id INTEGER)
+RETURNS VOID
+AS $procedure$
+BEGIN
+ INSERT INTO roles_groups(role_id,action_group_id)
+ SELECT v_role_id, v_action_group_id
+ WHERE NOT EXISTS (SELECT 1
+ FROM roles_groups
+ WHERE role_id = v_role_id
+ AND action_group_id = v_action_group_id);
+RETURN;
+END; $procedure$
+LANGUAGE plpgsql;
+
+Create or replace FUNCTION __temp_insert_predefined_roles_03_02_0020()
+RETURNS VOID
+ AS $procedure$
+ DECLARE
+ v_SUPER_USER_ID_0001 UUID;
+ v_DATA_CENTER_ADMIN_ID UUID;
+ v_NETWORK_ADMIN_ID UUID;
+ v_NETWORK_USER_ID UUID;
+ v_everyone_object_id UUID;
+
+BEGIN
+ v_SUPER_USER_ID_0001 := '00000000-0000-0000-0000-000000000001';
+ v_DATA_CENTER_ADMIN_ID := 'DEF00002-0000-0000-0000-DEF000000002';
+ v_NETWORK_ADMIN_ID := 'DEF00005-0000-0000-0000-DEF000000005';
+ v_NETWORK_USER_ID := 'DEF0000A-0000-0000-0000-DEF000000010';
+
+
+------------------------------------------------
+--- Update existing roles with new Action Groups
+------------------------------------------------
+-- Add ActionGroup 704 (CREATE_STORAGE_POOL_NETWORK) to any role which contains ActionGroup 703 (CONFIGURE_STORAGE_POOL_NETWORK)
+INSERT INTO roles_groups (role_id, action_group_id)
+SELECT DISTINCT role_id, 704
+FROM roles_groups a
+WHERE NOT EXISTS (SELECT 1
+ FROM roles_groups b
+ WHERE b.role_id = a.role_id
+ AND b.action_group_id = 704)
+AND EXISTS (SELECT 1
+ FROM roles_groups b
+ WHERE b.role_id = a.role_id
+ AND b.action_group_id = 703);
+
+-- Add ActionGroup 705 (DELETE_STORAGE_POOL_NETWORK) to any role which contains ActionGroup 703 (CONFIGURE_STORAGE_POOL_NETWORK)
+INSERT INTO roles_groups (role_id, action_group_id)
+SELECT DISTINCT role_id, 705
+FROM roles_groups a
+WHERE NOT EXISTS (SELECT 1
+ FROM roles_groups b
+ WHERE b.role_id = a.role_id
+ AND b.action_group_id = 705)
+AND EXISTS (SELECT 1
+ FROM roles_groups b
+ WHERE b.role_id = a.role_id
+ AND b.action_group_id = 703);
+
+-------------------------
+--- Update SuperUser role
+-------------------------
+
+-- Add ASSIGN_CLUSTER_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_SUPER_USER_ID_0001, 404);
+
+--------------------------------
+-- UPDATE DATA_CENTER_ADMIN role
+--------------------------------
+
+-- Add ASSIGN_CLUSTER_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_DATA_CENTER_ADMIN_ID, 404);
+
+----------------------------
+-- UPDATE NETWORK_ADMIN role
+----------------------------
+
+-- Add ASSIGN_CLUSTER_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_NETWORK_ADMIN_ID, 404);
+
+-- Add PORT_MIRRORING
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_NETWORK_ADMIN_ID, 1200);
+
+-- Add CONFIGURE_STORAGE_POOL_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_NETWORK_ADMIN_ID ,703);
+
+-- Add CREATE_STORAGE_POOL_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_NETWORK_ADMIN_ID ,704);
+
+-- Add DELETE_STORAGE_POOL_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_NETWORK_ADMIN_ID ,705);
+
+-- Add CONFIGURE_VM_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_NETWORK_ADMIN_ID ,9);
+
+-- Add CONFIGURE_TEMPLATE_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_NETWORK_ADMIN_ID ,204);
+
+-- Delete MANIPUTLATE_HOST
+DELETE FROM roles_groups WHERE role_id = v_NETWORK_ADMIN_ID AND action_group_id = 103;
+
+------------------------
+-- ADD NETWORK_USER role
+------------------------
+DELETE FROM roles_groups WHERE role_id = v_NETWORK_USER_ID;
+INSERT INTO roles(id,name,description,is_readonly,role_type) SELECT v_NETWORK_USER_ID, 'NetworkUser', 'Network User', true, 2
+WHERE NOT EXISTS (SELECT id,name,description,is_readonly,role_type
+ FROM roles
+ WHERE id = v_NETWORK_USER_ID
+ AND name='NetworkUser'
+ AND description='Network User'
+ AND is_readonly=true
+ AND role_type=2);
+
+-- Add CONFIGURE_VM_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_NETWORK_USER_ID, 9);
+
+-- Add CONFIGURE_TEMPLATE_NETWORK
+PERFORM __temp_add_action_group_to_role_03_02_0020(v_NETWORK_USER_ID, 204);
+
+-------------------------------------------------------
+-- Grant NetworkUser role to 'everyone' on all networks
+-------------------------------------------------------
+v_everyone_object_id := getGlobalIds('everyone');
+
+INSERT INTO permissions (id,
+ role_id,
+ ad_element_id,
+ object_id,
+ object_type_id)
+ (SELECT uuid_generate_v1(),
+ v_NETWORK_USER_ID,
+ v_everyone_object_id,
+ id,
+ 20
+ FROM network);
+
+ RETURN;
+END; $procedure$
+LANGUAGE plpgsql;
+
+SELECT __temp_insert_predefined_roles_03_02_0020();
+DROP function __temp_insert_predefined_roles_03_02_0020();
+DROP function __temp_add_action_group_to_role_03_02_0020(UUID, INTEGER);
+
+
+
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java
index e698f49..ab11a46 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/PredefinedRoles.java
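Review bot: The `INSERT INTO permissions ... FROM network` at the end of `__temp_insert_predefined_roles_03_02_0020` is the only insert in this script without a NOT EXISTS guard, so re-running the upgrade, or running it where an equivalent 'everyone' grant already exists on a network, duplicates the permission row for every network; it should be filtered against existing rows the same way the helper filters `roles_groups`, as below. Since this grant hands every user CONFIGURE_VM_NETWORK and CONFIGURE_TEMPLATE_NETWORK on every network present at upgrade time, including networks an administrator may deliberately have left unshared, the script deserves a comment stating that effect, e.g. `-- NOTE: this is a blanket grant; networks meant to stay restricted must have this permission removed after upgrade`. The NOT EXISTS on the `roles` insert matches on all five columns, so an existing row with id `DEF0000A-0000-0000-0000-DEF000000010` that differs in any attribute would presumably make the insert fail on the id key; `WHERE NOT EXISTS (SELECT 1 FROM roles WHERE id = v_NETWORK_USER_ID)` is the safer guard. `getGlobalIds('everyone')` is defined outside this patch, so whether it can return NULL (which would write a NULL `ad_element_id`) is worth confirming before merge.
```sql
-- … unchanged: everything before the 'everyone' grant …
INSERT INTO permissions (id, role_id, ad_element_id, object_id, object_type_id)
SELECT uuid_generate_v1(), v_NETWORK_USER_ID, v_everyone_object_id, n.id, 20
FROM network n
WHERE NOT EXISTS (SELECT 1
                  FROM permissions p
                  WHERE p.role_id = v_NETWORK_USER_ID
                    AND p.ad_element_id = v_everyone_object_id
                    AND p.object_id = n.id
                    AND p.object_type_id = 20);
-- … unchanged: RETURN, function footer, SELECT/DROP statements …
```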
@@ -20,7 +20,8 @@
DISK_CREATOR(new Guid("DEF0000A-0000-0000-0000-DEF00000000C")),
VM_CREATOR(new Guid("DEF0000A-0000-0000-0000-DEF00000000D")),
TEMPLATE_CREATOR(new Guid("DEF0000A-0000-0000-0000-DEF00000000E")),
- TEMPLATE_OWNER(new Guid("DEF0000A-0000-0000-0000-DEF00000000F"));
+ TEMPLATE_OWNER(new Guid("DEF0000A-0000-0000-0000-DEF00000000F")),
+ NETWORK_USER(new Guid("DEF0000A-0000-0000-0000-DEF000000010"));
private Guid id;
-- To view, visit http://gerrit.ovirt.org/9539
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I5b1d13c7578e6c5fcbf0852cb63b1f6bc51a511d
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Moti Asayag <masa...@redhat.com>
_______________________________________________
Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches