Signed-off-by: Scott Seago <[email protected]>
---
 src/app/controllers/provider_controller.rb         |    6 +++---
 src/app/models/privilege.rb                        |   13 +++++++++----
 src/db/migrate/20091008153046_create_privileges.rb |    2 +-
 src/db/migrate/20091008153058_create_roles.rb      |   17 +++++++++++++++--
 4 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/src/app/controllers/provider_controller.rb 
b/src/app/controllers/provider_controller.rb
index b7e10a5..53056f5 100644
--- a/src/app/controllers/provider_controller.rb
+++ b/src/app/controllers/provider_controller.rb
@@ -52,16 +52,16 @@ class ProviderController < ApplicationController
 
   def accounts
      @provider = Provider.find(params[:id])
-     require_privilege(Privilege::PROVIDER_VIEW, @provider)
+     require_privilege(Privilege::ACCOUNT_VIEW, @provider)
   end
 
   def new_account
      @provider = Provider.find(params[:id])
-     require_privilege(Privilege::PROVIDER_VIEW, @provider)
+     require_privilege(Privilege::ACCOUNT_MODIFY, @provider)
   end
 
   def create_account
-     require_privilege(Privilege::PROVIDER_MODIFY)
+     require_privilege(Privilege::ACCOUNT_MODIFY)
      @acct = CloudAccount.find_or_create(params[:account])
      @provider = Provider.find(params[:account][:provider_id])
      @provider.cloud_accounts << @acct
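Review bot: In `create_account` the new check `require_privilege(Privilege::ACCOUNT_MODIFY)` is not scoped to any provider, whereas `accounts` and `new_account` pass `@provider`, and the privilege.rb comment in this same patch says importing an account needs ACCOUNT_MODIFY on the provider. The target provider is read from `params[:account][:provider_id]` only after the check and after `CloudAccount.find_or_create`, so a caller holding ACCOUNT_MODIFY elsewhere may be able to attach an account to a provider they have no rights on (this depends on how `require_privilege` treats a missing object, which is not visible here). Consider loading the provider first, `@provider = Provider.find(params[:account][:provider_id])`, then `require_privilege(Privilege::ACCOUNT_MODIFY, @provider)`, and only then calling `CloudAccount.find_or_create`. The body of `create_account` continues past the end of the hunk.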
diff --git a/src/app/models/privilege.rb b/src/app/models/privilege.rb
index e314930..69f22b9 100644
--- a/src/app/models/privilege.rb
+++ b/src/app/models/privilege.rb
@@ -43,10 +43,15 @@ class Privilege < ActiveRecord::Base
   STATS_VIEW        = "stats_view"        # can view monitoring data for
                                           # instances
 
-  # account privileges normally checked at the provider level, although
-  # account-specific overrides could be a future enhancement.
+  # to create(i.e. import) an account on a provider (but not added to
+  # a pool) needs ACCOUNT_MODIFY on the provider.
+  # to add a new provider account (i.e. import) to a pool needs
+  # ACCOUNT_ADD on  the pool
+  # to add an existing provider account to a pool needs ACCOUNT_ADD
+  # on the pool _and_ ACCOUNT_ADD on the account.
   ACCOUNT_MODIFY    = "account_modify"    # can create or modify cloud accounts
-  ACCOUNT_VIEW      = "account_view"      # can create or modify cloud accounts
+  ACCOUNT_VIEW      = "account_view"      # can view cloud accounts
+  ACCOUNT_ADD       = "account_add"       # can add an account to a pool
 
   # pool privileges normally checked at the provider level
   # (and at the account level for choosing which accounts are visible on the
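Review bot: `ACCOUNT_ADD` is introduced and its rules are spelled out in the comment above it, but no `require_privilege` call in this patch checks it; the only controller changes use ACCOUNT_VIEW and ACCOUNT_MODIFY. If the pool-side checks land in a later change, say so here so the comment is not read as describing enforced behaviour, e.g. `# NOTE: ACCOUNT_ADD is not yet checked by any controller action`. The Privilege class starts and ends outside this hunk.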
@@ -76,7 +81,7 @@ class Privilege < ActiveRecord::Base
   FULL_PRIVILEGE_LIST = [PERM_SET, PERM_VIEW,
                          INSTANCE_MODIFY, INSTANCE_CONTROL, INSTANCE_VIEW,
                          STATS_VIEW,
-                         ACCOUNT_MODIFY, ACCOUNT_VIEW,
+                         ACCOUNT_MODIFY, ACCOUNT_ADD, ACCOUNT_VIEW,
                          POOL_MODIFY, POOL_VIEW,
                          QUOTA_MODIFY, QUOTA_VIEW,
                          PROVIDER_MODIFY, PROVIDER_VIEW,
diff --git a/src/db/migrate/20091008153046_create_privileges.rb 
b/src/db/migrate/20091008153046_create_privileges.rb
index 74932b0..12d94c6 100644
--- a/src/db/migrate/20091008153046_create_privileges.rb
+++ b/src/db/migrate/20091008153046_create_privileges.rb
@@ -30,7 +30,7 @@ class CreatePrivileges < ActiveRecord::Migration
     privileges = ["set_perms", "view_perms",
                   "instance_modify", "instance_control", "instance_view",
                   "stats_view",
-                  "account_modify", "account_view",
+                  "account_modify", "account_add", "account_view",
                   "pool_modify", "pool_view",
                   "quota_modify", "quota_view",
                   "provider_modify", "provider_view",
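Review bot: Adding `"account_add"` by editing the existing migration 20091008153046_create_privileges.rb only affects databases built from scratch; an installation that has already run this migration will not get the new privilege row, because Rails does not re-run an applied migration. The same applies to the role changes in 20091008153058_create_roles.rb later in this patch. A new migration that inserts the privilege and adjusts the roles would keep existing deployments consistent with `Privilege::FULL_PRIVILEGE_LIST`; otherwise the change should document that a database reset is required. The privilege names are also repeated here as string literals rather than taken from the model constants, so the two lists can drift. The migration's method body starts and ends outside the hunk.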
diff --git a/src/db/migrate/20091008153058_create_roles.rb 
b/src/db/migrate/20091008153058_create_roles.rb
index 44c360d..d7776d3 100644
--- a/src/db/migrate/20091008153058_create_roles.rb
+++ b/src/db/migrate/20091008153058_create_roles.rb
@@ -63,7 +63,7 @@ class CreateRoles < ActiveRecord::Migration
                                   "quota_view",
                                   "set_perms",
                                   "view_perms",
-                                  "account_modify"]},
+                                  "account_add"]},
              "Pool Creator" =>
                  {:role_scope => "Provider",
                   :privileges => ["provider_view",
@@ -78,19 +78,31 @@ class CreateRoles < ActiveRecord::Migration
                                   "quota_view",
                                   "quota_modify",
                                   "account_view",
+                                  "account_add",
                                   "account_modify",
                                   "set_perms",
                                   "view_perms"]},
+             "Provider Administrator" =>
+                 {:role_scope => "Provider",
+                  :privileges => ["provider_modify",
+                                  "provider_view",
+                                  "account_modify",
+                                  "account_view"]},
              "Account Administrator" =>
                  {:role_scope => "CloudAccount",
                   :privileges => ["set_perms",
                                   "view_perms",
                                   "account_view",
+                                  "account_add",
                                   "account_modify"]},
              "Account User" =>
                  {:role_scope => "CloudAccount",
+                  :privileges => ["account_view",
+                                  "account_add"]},
+             "Account Viewer" =>
+                 {:role_scope => "CloudAccount",
                   :privileges => ["account_view"]},
-             "Provider Administrator" =>
+             "Provider Creator" =>
                  {:role_scope => "BasePortalObject",
                   :privileges => ["provider_modify",
                                   "provider_view"]},
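Review bot: Two role names keep their label but change meaning in this hunk: `"Account User"` now grants `account_add` in addition to `account_view`, and `"Provider Administrator"` moves from `BasePortalObject` scope to `Provider` scope with `account_modify` added, while the old definitions reappear as `"Account Viewer"` and `"Provider Creator"`. Anything that assigns these roles by name (seed data, fixtures or admin tooling not shown here) would then grant a different privilege set without any visible change at the call site, so those references should be checked. A short comment per role would make the intent explicit, e.g. `# Account User: may view the account and add it to a pool; use Account Viewer for read-only`. The roles hash starts and ends outside the hunk.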
@@ -99,6 +111,7 @@ class CreateRoles < ActiveRecord::Migration
                   :privileges => ["provider_modify",
                                   "provider_view",
                                   "account_modify",
+                                  "account_add",
                                   "account_view",
                                   "user_modify",
                                   "user_view",
-- 
1.6.2.5
