Shahar Havivi has uploaded a new change for review. Change subject: RFE: Add Granular permissions for VM operations ......................................................................
RFE: Add Granular permissions for VM operations
VM_BASIC_OPERATIONS aggregates the following permissions: REBOOT_VM, STOP_VM, SHUT_DOWN_VM, PAUSE_VM, HIBERNATE_VM, RUN_VM. This RFE remove VM_BASIC_OPERATIONS and instead add this new operations.
Change-Id: I3ae2d6ad2ebc6c8e0948abe1c413362f4e3dbda7
Bug-Url: https://bugzilla.redhat.com/1084117
Signed-off-by: Shahar Havivi <[email protected]>
---
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java
M backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java
M backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleGroupMapDAOTest.java
M backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java
M frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java
M frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java
M frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
A packaging/dbscripts/upgrade/03_06_0520_INSERT_GRANULAR_VM_ROLES.sql
9 files changed, 78 insertions(+), 14 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/06/35206/1
diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java
index e99a0ee..80090ce 100644
--- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java
+++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/VdcActionType.java
@@ -12,14 +12,15 @@
 AddVmFromScratch(3, ActionGroup.CREATE_VM, QuotaDependency.BOTH),
 RemoveVm(4, ActionGroup.DELETE_VM, QuotaDependency.STORAGE),
 UpdateVm(5, ActionGroup.EDIT_VM_PROPERTIES, QuotaDependency.VDS_GROUP),
- RebootVm(6, ActionGroup.VM_BASIC_OPERATIONS, QuotaDependency.NONE),
- StopVm(7, ActionGroup.VM_BASIC_OPERATIONS, QuotaDependency.BOTH),
- ShutdownVm(8, ActionGroup.VM_BASIC_OPERATIONS, QuotaDependency.VDS_GROUP),
+ RebootVm(6, ActionGroup.REBOOT_VM, QuotaDependency.NONE),
+ StopVm(7, ActionGroup.STOP_VM, QuotaDependency.BOTH),
+ ShutdownVm(8, ActionGroup.SHUT_DOWN_VM, QuotaDependency.VDS_GROUP),
 ChangeDisk(9, ActionGroup.CHANGE_VM_CD, QuotaDependency.NONE),
+ //TODO: what about pausevm???
 PauseVm(10, QuotaDependency.NONE),
- HibernateVm(11, ActionGroup.VM_BASIC_OPERATIONS, QuotaDependency.NONE),
- RunVm(12, ActionGroup.VM_BASIC_OPERATIONS, QuotaDependency.VDS_GROUP),
- RunVmOnce(13, ActionGroup.VM_BASIC_OPERATIONS, QuotaDependency.BOTH),
+ HibernateVm(11, ActionGroup.HIBERNATE_VM, QuotaDependency.NONE),
+ RunVm(12, ActionGroup.RUN_VM, QuotaDependency.VDS_GROUP),
+ RunVmOnce(13, ActionGroup.RUN_VM, QuotaDependency.BOTH),
 MigrateVm(14, ActionGroup.MIGRATE_VM, QuotaDependency.NONE),
 InternalMigrateVm(15, QuotaDependency.NONE),
 MigrateVmToServer(16, ActionGroup.MIGRATE_VM, QuotaDependency.NONE),
diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java
index ea9bb44..cba52e6 100644
--- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java
+++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/businessentities/ActionGroup.java
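Review bot: `PauseVm(10, QuotaDependency.NONE)` in VdcActionType.java is still declared without an action group, so the new `PAUSE_VM` permission that this change adds in ActionGroup.java, PermitType.java, RoleTreeView.java and the upgrade script is granted and displayed but, as far as this hunk shows, never checked when the action runs. An administrator who removes PAUSE_VM from a role would reasonably expect pausing to be denied. The TODO should be resolved before merging, either by binding the action, `PauseVm(10, ActionGroup.PAUSE_VM, QuotaDependency.NONE),`, or by leaving PAUSE_VM out of this change until it is enforced. How the two-argument constructor authorises an action is outside the hunk and should be confirmed.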
@@ -9,7 +9,12 @@
 CREATE_VM(1, RoleType.USER, false, ApplicationMode.VirtOnly),
 DELETE_VM(2, RoleType.USER, true, ApplicationMode.VirtOnly),
 EDIT_VM_PROPERTIES(3, RoleType.USER, true, ApplicationMode.VirtOnly),
- VM_BASIC_OPERATIONS(4, RoleType.USER, true, ApplicationMode.VirtOnly),
+ REBOOT_VM(17, RoleType.USER, true, ApplicationMode.VirtOnly),
+ STOP_VM(18, RoleType.USER, true, ApplicationMode.VirtOnly),
+ SHUT_DOWN_VM(19, RoleType.USER, true, ApplicationMode.VirtOnly),
+ PAUSE_VM(20, RoleType.USER, true, ApplicationMode.VirtOnly),
+ HIBERNATE_VM(21, RoleType.USER, true, ApplicationMode.VirtOnly),
+ RUN_VM(22, RoleType.USER, true, ApplicationMode.VirtOnly),
 CHANGE_VM_CD(5, RoleType.USER, true, ApplicationMode.VirtOnly),
 MIGRATE_VM(6, RoleType.USER, true, ApplicationMode.VirtOnly),
diff --git a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java
index 26adf2c..4097ecd 100644
--- a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java
+++ b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java
@@ -537,7 +537,7 @@ public void testGetEntityPermissions() {
 // Should not return null since the user has the relevant permission
 assertNotNull(dao.getEntityPermissions(DIRECTORY_ELEMENT_ID_WITH_BASIC_PERMISSIONS,
- ActionGroup.VM_BASIC_OPERATIONS,
+ ActionGroup.RUN_VM,
 VM_TEMPLATE_ENTITY_ID, VdcObjectType.VM));
@@ -553,7 +553,7 @@
 // Should not return null since the user has the relevant permission
 assertNotNull(dao.getEntityPermissionsForUserAndGroups(Guid.newGuid(), DIRECTORY_ELEMENT_ID_WITH_BASIC_PERMISSIONS.toString(),
- ActionGroup.VM_BASIC_OPERATIONS,
+ ActionGroup.RUN_VM,
 VM_TEMPLATE_ENTITY_ID, VdcObjectType.VM, false));
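Review bot: The ids 17 to 22 in ActionGroup.java end up in `roles_groups.action_group_id` (the upgrade script in this change writes them), yet nothing at the declaration says that the numbers are persisted or that 4 is now retired. A later addition that reuses 4 would silently attach a new permission to any role row that still carries the old value. I would add a comment above the new constants, for example `// ids are stored in roles_groups.action_group_id; 4 (VM_BASIC_OPERATIONS) is retired, never reuse it`. Whether 17 to 22 are unused cannot be checked here, because the rest of the enum is outside the hunk.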
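Review bot: Both assertions in PermissionDAOTest now expect the fixture role to hold `ActionGroup.RUN_VM`, but the file list of this change contains no test-fixture update, so unless the fixture data already maps that role to id 22 these `assertNotNull` calls will presumably fail. The same dependency applies to `getByActionGroupAndRole(ActionGroup.RUN_VM, EXISTING_ROLE_ID)` in RoleGroupMapDAOTest. Only RUN_VM is exercised; a negative case, where a role holding STOP_VM but not RUN_VM gets null for RUN_VM, would show that the split permissions are really independent. Neither hunk shows a whole test method.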
diff --git a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleGroupMapDAOTest.java b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleGroupMapDAOTest.java
index 6396786..9085d9f 100644
--- a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleGroupMapDAOTest.java
+++ b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/RoleGroupMapDAOTest.java
@@ -25,7 +25,7 @@
 dao = dbFacade.getRoleGroupMapDao();
- existingRoleGroupMap = dao.getByActionGroupAndRole(ActionGroup.VM_BASIC_OPERATIONS, EXISTING_ROLE_ID);
+ existingRoleGroupMap = dao.getByActionGroupAndRole(ActionGroup.RUN_VM, EXISTING_ROLE_ID);
 actionGroup = ActionGroup.CONNECT_TO_VM;
 newRoleGroupMap = new RoleGroupMap(actionGroup, EXISTING_ROLE_ID);
diff --git a/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java b/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java
index 6ea1c7e..eb7eeb7 100644
--- a/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java
+++ b/backend/manager/modules/restapi/interface/definition/src/main/java/org/ovirt/engine/api/model/PermitType.java
@@ -22,7 +22,12 @@
 CREATE_VM,
 DELETE_VM,
 EDIT_VM_PROPERTIES,
- VM_BASIC_OPERATIONS,
+ REBOOT_VM,
+ STOP_VM,
+ SHUT_DOWN_VM,
+ PAUSE_VM,
+ HIBERNATE_VM,
+ RUN_VM,
 CHANGE_VM_CD,
 MIGRATE_VM,
 CONNECT_TO_VM,
diff --git a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java
index 85653f6..3fc244a 100644
--- a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java
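Review bot: Removing `VM_BASIC_OPERATIONS` from `PermitType` changes the REST model, so a client that creates or reads roles using that permit name will presumably stop working after the upgrade, and the commit message does not mention this. If the old name has to keep working, keep the constant as a deprecated alias and expand it to the six new permits where permits are mapped to action groups (that code is not visible here). Otherwise the break should be stated in the commit message and the API notes. The enum continues outside the hunk.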
+++ b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/configure/roles_ui/RoleTreeView.java
@@ -137,7 +137,17 @@
 return new RoleNode(getConstants().vmRoleTree(), new RoleNode[] { new RoleNode(getConstants().basicOperationsRoleTree(), new RoleNode[] {
- new RoleNode(ActionGroup.VM_BASIC_OPERATIONS,
+ new RoleNode(ActionGroup.REBOOT_VM,
+ getConstants().allowBasicVmOperationsRoleTreeTooltip()),
+ new RoleNode(ActionGroup.STOP_VM,
+ getConstants().allowBasicVmOperationsRoleTreeTooltip()),
+ new RoleNode(ActionGroup.SHUT_DOWN_VM,
+ getConstants().allowBasicVmOperationsRoleTreeTooltip()),
+ new RoleNode(ActionGroup.PAUSE_VM,
+ getConstants().allowBasicVmOperationsRoleTreeTooltip()),
+ new RoleNode(ActionGroup.HIBERNATE_VM,
+ getConstants().allowBasicVmOperationsRoleTreeTooltip()),
+ new RoleNode(ActionGroup.RUN_VM,
 getConstants().allowBasicVmOperationsRoleTreeTooltip()),
 new RoleNode(ActionGroup.CHANGE_VM_CD,
 getConstants().allowToAttachCdToTheVmRoleTreeTooltip()),
diff --git a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java
index bdcbbc8..f32a888 100644
--- a/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java
+++ b/frontend/webadmin/modules/uicompat/src/main/java/org/ovirt/engine/ui/uicompat/LocalizedEnums.java
@@ -134,7 +134,17 @@
 String ActionGroup___CONFIGURE_VM_STORAGE();
- String ActionGroup___VM_BASIC_OPERATIONS();
+ String ActionGroup___REBOOT_VM();
+
+ String ActionGroup___STOP_VM();
+
+ String ActionGroup___SHUT_DOWN_VM();
+
+ String ActionGroup___PAUSE_VM();
+
+ String ActionGroup___HIBERNATE_VM();
+
+ String ActionGroup___RUN_VM();
 String ActionGroup___CHANGE_VM_CD();
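Review bot: All six new nodes in RoleTreeView.java reuse `allowBasicVmOperationsRoleTreeTooltip()`, so the role editor shows the same generic text for reboot, stop, shut down, pause, hibernate and run, which gives the person assigning permissions no help in telling them apart. Each node should get its own tooltip constant describing the single operation it allows. The `PAUSE_VM` node is also offered here while `PauseVm` in VdcActionType.java still has no action group, so ticking or clearing it may have no effect. The enclosing method starts and ends outside the hunk.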
diff --git a/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties b/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
index 4289f4b..f68dbba 100644
--- a/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
+++ b/frontend/webadmin/modules/uicompat/src/main/resources/org/ovirt/engine/ui/uicompat/LocalizedEnums.properties
@@ -62,7 +62,12 @@
 ActionGroup___IMPORT_EXPORT_VM=Import/Export
 ActionGroup___CONFIGURE_VM_NETWORK=Assign vNIC Profile to VM
 ActionGroup___CONFIGURE_VM_STORAGE=Edit Storage
-ActionGroup___VM_BASIC_OPERATIONS=Basic Operations
+ActionGroup___REBOOT_VM=Reebot VM
+ActionGroup___STOP_VM=Stop VM
+ActionGroup___SHUT_DOWN_VM=Shut Down VM
+ActionGroup___PAUSE_VM=Pause VM
+ActionGroup___HIBERNATE_VM=Hibernate VM
+ActionGroup___RUN_VM=Run VM
 ActionGroup___CHANGE_VM_CD=Change CD
 ActionGroup___CONNECT_TO_VM=Remote Log In
 ActionGroup___RECONNECT_TO_VM=Override opened console session
diff --git a/packaging/dbscripts/upgrade/03_06_0520_INSERT_GRANULAR_VM_ROLES.sql b/packaging/dbscripts/upgrade/03_06_0520_INSERT_GRANULAR_VM_ROLES.sql
new file mode 100644
index 0000000..a5369c3
--- /dev/null
+++ b/packaging/dbscripts/upgrade/03_06_0520_INSERT_GRANULAR_VM_ROLES.sql
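Review bot: `ActionGroup___REBOOT_VM=Reebot VM` in LocalizedEnums.properties misspells the label that users see for this permission; it should read `ActionGroup___REBOOT_VM=Reboot VM`. The other five new labels match their constants.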
@@ -0,0 +1,28 @@
+-- We change the VM permission to be more granular,
+-- instead of grouping the reboot, stop, shut down, hibernate, run and run-once
+-- into basic operation each is now a role group
+CREATE OR REPLACE FUNCTION update_vm_basic_roles()
+RETURNS void
+AS $procedure$
+DECLARE
+ v_cur CURSOR FOR SELECT * FROM roles_groups WHERE action_group_id = 4; -- 4=VM_BASIC_OPERATIONS
+ v_record roles_groups%ROWTYPE;
+BEGIN
+ OPEN v_cur;
+ LOOP
+ FETCH v_cur INTO v_record;
+ EXIT WHEN NOT FOUND;
+ insert into roles_groups (role_id, action_group_id) values (v_record.role_id, 17); -- 17=REBOOT_VM
+ insert into roles_groups (role_id, action_group_id) values (v_record.role_id, 18); -- 18=STOP_VM
+ insert into roles_groups (role_id, action_group_id) values (v_record.role_id, 19); -- 19=SHUT_DOWN_VM
+ insert into roles_groups (role_id, action_group_id) values (v_record.role_id, 20); -- 20=PAUSE_VM
+ insert into roles_groups (role_id, action_group_id) values (v_record.role_id, 21); -- 21=HIBERNATE_VM
+ insert into roles_groups (role_id, action_group_id) values (v_record.role_id, 22); -- 22=RUN_VM
+ END LOOP;
+ CLOSE v_cur;
+END; $procedure$
+LANGUAGE plpgsql;
+
+SELECT * from update_vm_basic_roles();
+DROP FUNCTION update_vm_basic_roles();
+
--
To view, visit http://gerrit.ovirt.org/35206
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3ae2d6ad2ebc6c8e0948abe1c413362f4e3dbda7
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Shahar Havivi <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
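Review bot: The upgrade script copies every role that holds action group 4 to the six new ids but never removes the old rows, so `roles_groups` keeps references to an id that ActionGroup.java no longer defines; whether the engine tolerates an unknown id when it loads roles is not visible here. The inserts are also unconditional, so a second run, or a role that already holds one of 17 to 22, produces duplicate rows or a key violation depending on the table's constraints. A single set-based statement guarded by `NOT EXISTS`, followed by a delete of the id-4 rows, avoids both and makes the cursor unnecessary. The header comment should be corrected as well: it lists run-once and omits pause, while the code inserts 20=PAUSE_VM and there is no run-once group.

```sql
-- body of update_vm_basic_roles(), replacing the cursor loop
INSERT INTO roles_groups (role_id, action_group_id)
SELECT rg.role_id, g.id
FROM roles_groups rg
CROSS JOIN (VALUES (17), (18), (19), (20), (21), (22)) AS g(id)
WHERE rg.action_group_id = 4 -- 4=VM_BASIC_OPERATIONS
  AND NOT EXISTS (SELECT 1 FROM roles_groups x
                  WHERE x.role_id = rg.role_id
                    AND x.action_group_id = g.id);

DELETE FROM roles_groups WHERE action_group_id = 4;
```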
