Versions Compared

Old Version 61

changes.mady.by.user Prachi Damle

Saved on

compared with

New Version 62

changes.mady.by.user Prachi Damle

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Lets consider the StartVM API is being called by a user and run through the access control usecases for various out-of-box policiesusecase.

The StartVMCmd will contain an annotation on the field that needs to be checked for access:

Code Block
@APICommand(name = "startVirtualMachine", responseObject = UserVmResponse.class, description = "Starts a virtual machine.")
public class StartVMCmd extends BaseAsyncCmd {
    public static final Logger s_logger = Logger.getLogger(StartVMCmd.class.getName());

    private static final String s_name = "startvirtualmachineresponse";

    // ///////////////////////////////////////////////////
    // ////////////// API parameters /////////////////////
    // ///////////////////////////////////////////////////

    *@ACL(action="startVirtualMachine")*
    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType=UserVmResponse.class,
            required = true, description = "The ID of the virtual machine")
    private Long id;

Thus following will happen if the above regular Regular user 'domainUserA' calls this command for his own VM:

API access check

The APIlayer will call the APICheckers to see if the user is allowed to invoke this API. The PolicyBasedAccessChecker :: checkAccess(user, apiName) will check following:

...

  • The PolicyBasedAccessChecker figures allows the 'startVirtualMachine' access to this VM Id if any of the account's policy allows it for this VM.
  • In this case, since this is a regular user , if and the user is the owner of the VM, then he is granted access using policy Id 6.