  • As illustrated in the above access flow, the access checks get invoked when the resource Ids in the API Cmd are annotated.
  • Thus we will have to edit all existing API Cmds and add the relevant @ACL annotation on the primary resource Ids the command operates on.
  • For any other resources that the command works with, the current access checks placed in the service layer will invoke the SecurityChecker.
  • These current access checks pass the AccessType wherever needed, but mostly pass null. Our SecurityChecker will interpret null as a 'Read' access. In the 'acl_permission' schema, all List* APIs will be marked as 'Read' AccessType entries to facilitate this access check.

Custom Group and Policy

Consider the following example:

A Domain admin wants to create a 'Service Desk' group for his domain and give the group 'read only' access to all VMs and Volumes within the Domain.

Steps:

  • createAclGroup('Service Desk', 'Service Desk group', $domainId of the admin)
  • createAclPolicy('Read Only Access', 'read only access to domain resources', $domainId of the admin)
  • createAclPermission('ListVirtualMachine', 'Allow', 'Domain', $domainId, 'VirtualMachine')
  • createAclPermission('ListVolumes', 'Allow', 'Domain', $domainId, 'Volume')
  • addAclPermissionToAclPolicy(UUID of the 'Read Only Access' policy, List<String> permissionIds of above permissions)
  • attachAclPolicyToAclGroup(groupId, policyId)
  • addAccountToAclGroup(groupId, List<String> accountIds)
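The steps above, together with the null-as-'Read' rule described earlier, modelled as an added example (an in-memory sketch, not CloudStack code). The class and function names, the default-deny behaviour and the precedence of an explicit 'Deny' are assumptions of this sketch.

```python
# Added illustration: a simplified in-memory model, not the project's implementation.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    action: str            # API command name, e.g. 'ListVirtualMachine'
    effect: str            # 'Allow' or 'Deny'
    scope: str             # 'Domain' in the page's example
    scope_id: str
    entity_type: str
    access_type: str = "Read"   # the page marks all List* APIs as 'Read'

@dataclass
class Policy:
    name: str
    permissions: list = field(default_factory=list)

@dataclass
class Group:
    name: str
    domain_id: str
    policies: list = field(default_factory=list)
    accounts: set = field(default_factory=set)

def build_service_desk(domain_id, account_ids):
    """Mirror the page's seven steps: group, policy, permissions, then the links."""
    policy = Policy("Read Only Access", [
        Permission("ListVirtualMachine", "Allow", "Domain", domain_id, "VirtualMachine"),
        Permission("ListVolumes", "Allow", "Domain", domain_id, "Volume"),
    ])
    return Group("Service Desk", domain_id, [policy], set(account_ids))

def check_access(groups, account_id, entity_type, entity_domain_id, access_type=None):
    """Default deny. A null AccessType is read as 'Read', as the page describes."""
    want = ("Domain", entity_domain_id, entity_type, access_type or "Read")
    allowed = False
    for group in groups:
        if account_id not in group.accounts:
            continue
        for policy in group.policies:
            for p in policy.permissions:
                if (p.scope, p.scope_id, p.entity_type, p.access_type) != want:
                    continue
                if p.effect == "Deny":   # assumption: an explicit Deny wins
                    return False
                allowed = True
    return allowed
```

A caller that passes null for the AccessType gets the same answer as one that passes 'Read', so a group holding only List* permissions cannot satisfy any check that names another access type.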