Page History
...
Besides SecurityChecker and APIChecker interface, IAM plugin will also implement another QueryChecker QuerySelector interface to allow CloudStack to do proper row filter in ListAPI based on caller's policy. In this phase, we only support explicitly grant permission, not deny permission.
| Code Block |
|---|
/** * QueryCheckerQuerySelector returns granted domain, or account or resources for caller. */ public interface QueryCheckerQuerySelector extends Adapter { ... /** * List granted domains for the caller, given a specific entity type. * * @param caller account to check against. * @param entityType entity type * @return list of domain Ids granted to the caller account. */ List<Long> getAuthorizedDomains(Account caller, String entityType); /** * List granted accounts for the caller, given a specific entity type. * * @param caller account to check against. * @param entityType entity type * @return list of domain Ids granted to the caller account. */ List<Long> getAuthorizedAccounts(Account caller, String entityType); /** * List granted resources for the caller, given a specific entity type. * * @param caller account to check against. * @param entityType entity type * @return list of domain Ids granted to the caller account. */ List<Long> getAuthorizedResources(Account caller, String entityType); /** * Check if this account is associated with a policy with scope of ALL * @param caller account to check * @param action action. * @return true if this account is attached with a policy for the given action of ALL scope. */ boolean isGrantedAll(Account caller, String action); /** * List of ACL group the given account belongs to * @param accountId account id. * @return ACL group names */ List<String> listAclGroupsByAccount(long accountId); |
By invoking these QuerySelector By invoking these QueryChecker APIs, CloudStack API engine can pre-construct proper SQL where clause to achieve proper row filter for accessibility control.
...
Overview
Content Tools
Apps