Ravi Nori has uploaded a new change for review. Change subject: core : Modify MLA to use engine session info ......................................................................
core : Modify MLA to use engine session info Modify MLA queries to use engine session table with id instead of the user_flat_groups view Change-Id: I28f3853166fe635941e65ea2461f7ecda20f4a2a Bug-Url: https://bugzilla.redhat.com/1092744 
Signed-off-by: Ravi Nori <[email protected]> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddQuotaCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQuery.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQuery.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/QueriesCommandBase.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/SessionDataContainer.java M backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AbstractUserQueryTest.java M backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQueryTest.java M backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQueryTest.java M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAO.java M backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAODbFacadeImpl.java M backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/BaseDAOTestCase.java M backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java M backend/manager/modules/dal/src/test/resources/fixtures.xml M packaging/dbscripts/multi_level_administration_sp.sql A packaging/dbscripts/upgrade/03_06_0570_add_engine_session_user_flat_groups.sql 18 files changed, 149 insertions(+), 57 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/62/35362/1 
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddQuotaCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddQuotaCommand.java
index 0004696..699160f 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddQuotaCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddQuotaCommand.java
@@ -118,6 +118,7 @@
List<Permissions> vmPermissions = getDbFacade().getPermissionDao().getAllForEntity(getParameters().getQuotaId(),
getCurrentUser().getId(),
+ getSessionId(),
false);
for (Permissions vmPermission : vmPermissions) {
permissionsToAdd.addPermission(vmPermission.getad_element_id(),
vmPermission.getrole_id(),
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java
index b25a036..44486e9 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java
@@ -1226,7 +1226,7 @@
private void copyTemplatePermissions(UniquePermissionsSet permissionsToAdd) {
PermissionDAO dao = getDbFacade().getPermissionDao();
- List<Permissions> templatePermissions = dao.getAllForEntity(getVmTemplateId(), getCurrentUser().getId(), false);
+ List<Permissions> templatePermissions = dao.getAllForEntity(getVmTemplateId(), getCurrentUser().getId(), getSessionId(), false);
for (Permissions templatePermission : templatePermissions) {
boolean templateOwnerRole = templatePermission.getrole_id().equals(PredefinedRoles.TEMPLATE_OWNER.getId());
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java
index 46ca248..c07bdac 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmTemplateCommand.java
@@ -844,7 +844,7 @@
PermissionDAO dao = getDbFacade().getPermissionDao();
- List<Permissions> vmPermissions = dao.getAllForEntity(getVmId(), getCurrentUser().getId(), false);
+ List<Permissions> vmPermissions = dao.getAllForEntity(getVmId(), getCurrentUser().getId(), getSessionId(), false);
for (Permissions vmPermission : vmPermissions) {
permissionsToAdd.addPermission(vmPermission.getad_element_id(),
vmPermission.getrole_id(),
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java
index 4345e51..7619199 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java
@@ -2308,4 +2308,12 @@
protected MacPoolManagerStrategy getMacPool() {
return MacPoolPerDcSingleton.getInstance().poolForDataCenter(getStoragePoolId());
}
+
+ protected String getSessionId() {
+ String sessionId = null;
+ if (getContext() != null && getContext().getEngineContext() != null) {
+ sessionId = getContext().getEngineContext().getSessionId();
+ }
+ return sessionId;
+ }
}
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQuery.java
index 3acdd12..0687511 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQuery.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQuery.java
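Review bot: `getSessionId()` in CommandBase returns null whenever a command runs without an engine context, and PermissionDAODbFacadeImpl turns that null into the -1 sequence id, so a filtered permission lookup issued from such a command silently returns no rows instead of failing loudly; the new method carries no Javadoc saying so. The three command call sites in this change (AddQuotaCommand, AddVmCommand, AddVmTemplateCommand) all pass `isFiltered=false`, so they are unaffected today, but the next caller that passes `true` will not be. A Javadoc such as `/** Engine session id of the invoking user, or null when the command has no engine context (internal/async execution); a null id makes session-scoped permission filtering fail closed. */` would make the contract explicit. Whether internal commands actually run with a null context cannot be confirmed from this hunk.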
@@ -14,6 +14,7 @@
getDbFacade().getPermissionDao().getAllForAdElement
(getParameters().getId(),
getUserID(),
+ getEngineSessionId(),
getParameters().isFiltered()));
}
}
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQuery.java
index 8b1b1c7..6bd3f99 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQuery.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQuery.java
@@ -19,11 +19,12 @@
PermissionDAO dao = getDbFacade().getPermissionDao();
List<Permissions> perms;
if (getParameters().getDirectOnly()) {
- perms = dao.getAllForEntity(objectId, getUserID(), getParameters().isFiltered(), getParameters().getAllUsersWithPermission());
+ perms = dao.getAllForEntity(objectId, getUserID(), getEngineSessionId(), getParameters().isFiltered(), getParameters().getAllUsersWithPermission());
} else {
perms = dao.getTreeForEntity(objectId,
getParameters().getVdcObjectType(),
getUserID(),
+ getEngineSessionId(),
getParameters().isFiltered());
}
getQueryReturnValue().setReturnValue(perms);
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/QueriesCommandBase.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/QueriesCommandBase.java
index c35290b..7fe5302 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/QueriesCommandBase.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/QueriesCommandBase.java
@@ -184,6 +184,10 @@
return user.getId();
}
+ protected String getEngineSessionId() {
+ return engineContext.getSessionId();
+ }
+
protected DbFacade getDbFacade() {
return DbFacade.getInstance();
}
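Review bot: `getEngineSessionId()` in QueriesCommandBase dereferences `engineContext` with no null guard, unlike the `getSessionId()` helper added to CommandBase in the same change, which checks both the context and the engine context before calling `getSessionId()`. If a query can be constructed with a null engine context (the field's initialisation is outside this hunk), GetPermissionsForObjectQuery and GetPermissionsByAdElementIdQuery will now throw before reaching the DAO rather than falling into the fail-closed path the DAO provides for a null id. Either mirror the guard, `return engineContext == null ? null : engineContext.getSessionId();`, or add a comment stating that queries always carry an engine context so the asymmetry is deliberate.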
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/SessionDataContainer.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/SessionDataContainer.java
index 24ad054..8521fb2 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/SessionDataContainer.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/SessionDataContainer.java
@@ -103,15 +103,15 @@
engineSession.setUserId(user.getId());
engineSession.setUserName(user.getLoginName());
engineSession.setGroupIds(user.getGroupIds());
- engineSession.setRoleIds(getSystemRolesForUser(user.getId(), user.isAdmin() ? false : true));
+ engineSession.setRoleIds(getSystemRolesForUser(user.getId(), sessionId, user.isAdmin() ? false : true));
getDbFacade().getEngineSessionDao().save(engineSession);
}
}
- private List<Guid> getSystemRolesForUser(Guid userId, boolean isFiltered) {
+ private List<Guid> getSystemRolesForUser(Guid userId, String sessionId, boolean isFiltered) {
List<Guid> systemRoles = new ArrayList<>();
for (Permissions p :
- DbFacade.getInstance().getPermissionDao().getAllForEntity(Guid.SYSTEM, userId, isFiltered)) {
+ DbFacade.getInstance().getPermissionDao().getAllForEntity(Guid.SYSTEM, userId, sessionId, isFiltered)) {
systemRoles.add(p.getrole_id());
}
diff --git a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AbstractUserQueryTest.java b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AbstractUserQueryTest.java
index b636989..d2e65af 100644
--- a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AbstractUserQueryTest.java
+++ b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AbstractUserQueryTest.java
@@ -18,6 +18,7 @@
private DbUser user;
private Guid userID;
+ protected final String UNPRIVILEGED_USER_SESSION_ID = "9ee57fd0-6f67-11e4-9e67-3c970e14c386";
@Before
@Override
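Review bot: `getSystemRolesForUser(user.getId(), sessionId, ...)` is evaluated before `getDbFacade().getEngineSessionDao().save(engineSession)` on the next line, yet the DAO resolves `sessionId` through `getEngineSessionDao().getBySessionId(...)` and falls back to sequence id -1 when no row exists. For a non-admin user (`isFiltered == true`) the `u.id = v_engine_session_seq_id` predicate in GetUserPermissionsByEntityId then matches nothing, so the session is stored with an empty role list — unless the session row was already persisted earlier in this method, whose start is outside the hunk. Saving the session first and then computing and updating its roles, or deriving the system roles from `user.getGroupIds()` without the session lookup, would remove the dependency on a row that does not exist yet. A unit test that creates a session for a non-admin user holding a system-level permission and asserts the stored `roleIds` is non-empty would pin this.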
diff --git a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQueryTest.java b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQueryTest.java
index 7a67521..dd6510e 100644
--- a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQueryTest.java
+++ b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsByAdElementIdQueryTest.java
@@ -32,7 +32,7 @@
// Mock the DAOs
PermissionDAO permissionDAOMock = mock(PermissionDAO.class);
when(permissionDAOMock.getAllForAdElement
- (adElementGuid, getUser().getId(), getQueryParameters().isFiltered())).
+ (adElementGuid, getUser().getId(), getQuery().getEngineSessionId(), getQueryParameters().isFiltered())).
thenReturn(Collections.singletonList(expected));
when(getDbFacadeMockInstance().getPermissionDao()).thenReturn(permissionDAOMock);
diff --git a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQueryTest.java b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQueryTest.java
index 5f7fa64..0e6c030 100644
--- a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQueryTest.java
+++ b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetPermissionsForObjectQueryTest.java
@@ -38,7 +38,7 @@
@Test
public void testExecuteQueryWithDirectOnly() {
PermissionDAO permissionDAOMock = mock(PermissionDAO.class);
- when(permissionDAOMock.getAllForEntity(objectID, getUser().getId(), getQueryParameters().isFiltered(), false)).thenReturn(mockedPermissions);
+ when(permissionDAOMock.getAllForEntity(objectID, getUser().getId(), UNPRIVILEGED_USER_SESSION_ID, getQueryParameters().isFiltered(), false)).thenReturn(mockedPermissions);
when(getDbFacadeMockInstance().getPermissionDao()).thenReturn(permissionDAOMock);
assertQueryDAOCall(true);
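Review bot: In GetPermissionsByAdElementIdQueryTest the stub argument `getQuery().getEngineSessionId()` invokes the real method on the query under test to build the matcher, whereas GetPermissionsForObjectQueryTest in the same change stubs it with `when(getQuery().getEngineSessionId()).thenReturn(UNPRIVILEGED_USER_SESSION_ID)` and passes the constant. If the test query's engine context is not populated (its setup is outside this hunk), the real call either throws or yields null, and a null-only matcher hides that the production code passes a real session id. Using the constant from AbstractUserQueryTest here too, `(adElementGuid, getUser().getId(), UNPRIVILEGED_USER_SESSION_ID, getQueryParameters().isFiltered())` together with the same `thenReturn` stub before `executeQueryCommand()`, keeps the two tests consistent and makes the expected value visible.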
@@ -53,6 +53,7 @@
when(permissionDAOMock.getTreeForEntity(objectID,
type,
getUser().getId(),
+ UNPRIVILEGED_USER_SESSION_ID,
getQueryParameters().isFiltered())).thenReturn(mockedPermissions);
when(getDbFacadeMockInstance().getPermissionDao()).thenReturn(permissionDAOMock);
@@ -62,6 +63,7 @@
private void assertQueryDAOCall(boolean isDirectOnly) {
when(getQueryParameters().getObjectId()).thenReturn(objectID);
when(getQueryParameters().getDirectOnly()).thenReturn(isDirectOnly);
+ when(getQuery().getEngineSessionId()).thenReturn(UNPRIVILEGED_USER_SESSION_ID);
getQuery().executeQueryCommand();
diff --git a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAO.java b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAO.java
index 62c5dd3..5423ebf 100644
--- a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAO.java
+++ b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAO.java
@@ -71,7 +71,7 @@
* Whether the results should be filtered according to the user's permissions
* @return the list of permissions
*/
- List<Permissions> getAllForAdElement(Guid id, Guid userID, boolean isFiltered);
+ List<Permissions> getAllForAdElement(Guid id, Guid userID, String engineSessionSeqId, boolean isFiltered);
/**
* Gets all permissions for the specified AD element only, excluding permissions of groups that it is in.
@@ -133,18 +133,18 @@
* Whether the results should be filtered according to the user's permissions
* @return the list of permissions
*/
- List<Permissions> getAllForEntity(Guid id, Guid userID, boolean isFiltered);
+ List<Permissions> getAllForEntity(Guid id, Guid userID, String engineSessionSeqId, boolean isFiltered);
- public List<Permissions> getAllForEntity(Guid id, Guid userID, boolean isFiltered, boolean allUsersWithPermission);
+ public List<Permissions> getAllForEntity(Guid id, Guid userID, String engineSessionSeqId, boolean isFiltered, boolean allUsersWithPermission);
- List<Permissions> getAllForEntity(Guid id, Guid userID, boolean isFiltered, boolean allUsersWithPermission, int appMode);
+ List<Permissions> getAllForEntity(Guid id, Guid userID, String engineSessionSeqId, boolean isFiltered, boolean allUsersWithPermission, int appMode);
List<Permissions> getTreeForEntity(Guid id, VdcObjectType type);
- List<Permissions> getTreeForEntity(Guid id, VdcObjectType type, Guid userID, boolean isFiltered);
+ List<Permissions> getTreeForEntity(Guid id, VdcObjectType type, Guid userID, String engineSessionSeqId, boolean isFiltered);
- List<Permissions> getTreeForEntity(Guid id, VdcObjectType type, Guid userID, boolean isFiltered, int appMode);
+ List<Permissions> getTreeForEntity(Guid id, VdcObjectType type, Guid userID, String engineSessionSeqId, boolean isFiltered, int appMode);
Guid getEntityPermissions(Guid adElementId, ActionGroup actionGroup, Guid objectId, VdcObjectType vdcObjectType);
diff --git a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAODbFacadeImpl.java b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAODbFacadeImpl.java
index f68d14e..f3532f3 100644
--- a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAODbFacadeImpl.java
+++ b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/PermissionDAODbFacadeImpl.java
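Review bot: The Javadoc directly above the changed `getAllForEntity` signature still ends with `@return the list of permissions` after documenting only `isFiltered`, so the new `engineSessionSeqId` parameter is undocumented on every one of the six changed declarations; the name is also misleading, because the implementation receives the string engine session id and only afterwards looks up the numeric sequence id. Suggest renaming the parameter to `engineSessionId` throughout the interface and adding `@param engineSessionId the caller's engine session id; when null or not found, a filtered lookup (isFiltered == true) returns no permissions` to each Javadoc. The same applies to `getAllForAdElement` in the previous hunk.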
@@ -7,11 +7,13 @@
import org.apache.commons.lang.NotImplementedException;
import org.ovirt.engine.core.common.VdcObjectType;
import org.ovirt.engine.core.common.businessentities.ActionGroup;
+import org.ovirt.engine.core.common.businessentities.EngineSession;
import org.ovirt.engine.core.common.businessentities.Permissions;
import org.ovirt.engine.core.common.businessentities.RoleType;
import org.ovirt.engine.core.common.config.Config;
import org.ovirt.engine.core.common.config.ConfigValues;
import org.ovirt.engine.core.compat.Guid;
+import org.ovirt.engine.core.dal.dbbroker.DbFacade;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
@@ -64,18 +66,30 @@
parameterSource);
}
- @Override
- public List<Permissions> getAllForAdElement(Guid id) {
- return getAllForAdElement(id, null, false);
+ private long getEngineSessionId(String engineSessionId) {
+ long id = -1;
+ if (engineSessionId != null) {
+ EngineSession engineSession = DbFacade.getInstance().getEngineSessionDao().getBySessionId(engineSessionId);
+ if (engineSession != null) {
+ id = engineSession.getId();
+ }
+ }
+ return id;
}
@Override
- public List<Permissions> getAllForAdElement(Guid id, Guid userID, boolean isFiltered) {
+ public List<Permissions> getAllForAdElement(Guid id) {
+ return getAllForAdElement(id, null, null, false);
+ }
+
+ @Override
+ public List<Permissions> getAllForAdElement(Guid id, Guid userID, String engineSessionSeqId, boolean isFiltered) {
int appMode = Config.<Integer> getValue(ConfigValues.ApplicationMode);
MapSqlParameterSource parameterSource = getCustomMapSqlParameterSource()
.addValue("ad_element_id", id).
addValue("user_id", userID).
+ addValue("engine_session_seq_id", getEngineSessionId(engineSessionSeqId)).
addValue("is_filtered", isFiltered).
addValue("app_mode", appMode);
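Review bot: `getEngineSessionId` adds a second database round trip through the `DbFacade.getInstance()` singleton on every permission query, couples PermissionDAODbFacadeImpl to EngineSessionDAO, and returns a `long` that is bound to a parameter declared `INTEGER` in multi_level_administration_sp.sql; the -1 sentinel that makes an unknown session fail closed is undocumented. SessionDataContainer already holds the EngineSession when it calls into this DAO, so resolving the numeric id once in the BLL and passing a `Long` down would remove the extra query and keep the session token (a bearer credential) out of the DAO layer and its parameter maps. If the string must stay in the interface, at least put `// null or unknown session -> -1, which matches no engine_sessions row, so filtered queries return nothing` above the helper and align the Java and SQL parameter types. Whether the call handler converts the long for the INTEGER parameter cannot be confirmed from this hunk.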
@@ -128,24 +142,27 @@
@Override
public List<Permissions> getAllForEntity(Guid id) {
- return getAllForEntity(id, null, false);
+ return getAllForEntity(id, null, null, false);
}
@Override
- public List<Permissions> getAllForEntity(Guid id, Guid userID, boolean isFiltered) {
- return getAllForEntity(id, userID, isFiltered, false);
+ public List<Permissions> getAllForEntity(Guid id, Guid userID, String engineSessionId, boolean isFiltered) {
+ return getAllForEntity(id, userID, engineSessionId, isFiltered, false);
}
@Override
- public List<Permissions> getAllForEntity(Guid id, Guid userID, boolean isFiltered, boolean allUsersWithPermission) {
+ public List<Permissions> getAllForEntity(Guid id, Guid userID, String engineSessionId, boolean isFiltered, boolean allUsersWithPermission) {
int appMode = Config.<Integer> getValue(ConfigValues.ApplicationMode);
- return getAllForEntity(id, userID, isFiltered, allUsersWithPermission, appMode);
+ return getAllForEntity(id, userID, engineSessionId, isFiltered, allUsersWithPermission, appMode);
}
@Override
- public List<Permissions> getAllForEntity(Guid id, Guid userID, boolean isFiltered, boolean allUsersWithPermission, int appMode) {
+ public List<Permissions> getAllForEntity(Guid id, Guid userID, String engineSessionSeqId, boolean isFiltered, boolean allUsersWithPermission, int appMode) {
MapSqlParameterSource parameterSource = getCustomMapSqlParameterSource()
- .addValue("id", id).addValue("user_id", userID).addValue("is_filtered", isFiltered)
+ .addValue("id", id)
+ .addValue("user_id", userID)
+ .addValue("engine_session_seq_id", getEngineSessionId(engineSessionSeqId))
+ .addValue("is_filtered", isFiltered)
.addValue("app_mode", appMode);
String functionName = "GetPermissionsByEntityId";
if (allUsersWithPermission) {
@@ -158,22 +175,23 @@
@Override
public List<Permissions> getTreeForEntity(Guid id, VdcObjectType type) {
- return getTreeForEntity(id, type, null, false);
+ return getTreeForEntity(id, type, null, null, false);
}
@Override
- public List<Permissions> getTreeForEntity(Guid id, VdcObjectType type, Guid userID, boolean isFiltered) {
+ public List<Permissions> getTreeForEntity(Guid id, VdcObjectType type, Guid userID, String engineSessionSeqId, boolean isFiltered) {
int appMode = Config.<Integer> getValue(ConfigValues.ApplicationMode);
- return getTreeForEntity(id, type, userID, isFiltered, appMode);
+ return getTreeForEntity(id, type, userID, engineSessionSeqId, isFiltered, appMode);
}
@Override
- public List<Permissions> getTreeForEntity(Guid id, VdcObjectType type, Guid userID, boolean isFiltered, int appMode) {
+ public List<Permissions> getTreeForEntity(Guid id, VdcObjectType type, Guid userID, String engineSessionSeqId, boolean isFiltered, int appMode) {
MapSqlParameterSource parameterSource = getCustomMapSqlParameterSource()
.addValue("id", id)
.addValue("object_type_id", type.getValue())
.addValue("user_id", userID)
+ .addValue("engine_session_seq_id", getEngineSessionId(engineSessionSeqId))
.addValue("is_filtered", isFiltered)
.addValue("app_mode", appMode);
return getCallsHandler().executeReadList("GetPermissionsTreeByEntityId",
diff --git a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/BaseDAOTestCase.java b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/BaseDAOTestCase.java
index 6c79a52..633131a 100644
--- a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/BaseDAOTestCase.java
+++ b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/BaseDAOTestCase.java
@@ -44,7 +44,9 @@
@Transactional
public abstract class BaseDAOTestCase {
protected static final Guid PRIVILEGED_USER_ID = new Guid("9bf7c640-b620-456f-a550-0348f366544b");
+ protected static final String PRIVILEGED_USER_SESSION_ID = "c6f975b2-6f67-11e4-8455-3c970e14c386";
protected static final Guid UNPRIVILEGED_USER_ID = new Guid("9bf7c640-b620-456f-a550-0348f366544a");
+ protected static final String UNPRIVILEGED_USER_SESSION_ID = "9ee57fd0-6f67-11e4-9e67-3c970e14c386";
protected static DbFacade dbFacade;
private static Object dataFactory;
diff --git a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java
index 26adf2c..3ef53e2 100644
--- a/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java
+++ b/backend/manager/modules/dal/src/test/java/org/ovirt/engine/core/dao/PermissionDAOTest.java
@@ -156,7 +156,7 @@
*/
@Test
public void testGetAllForAdElementFilteredWithPermissions() {
- List<Permissions> result = dao.getAllForAdElement(AD_ELEMENT_ID, PRIVILEGED_USER_ID, true);
+ List<Permissions> result = dao.getAllForAdElement(AD_ELEMENT_ID, PRIVILEGED_USER_ID, PRIVILEGED_USER_SESSION_ID, true);
assertValidGetByAdElement(result);
}
@@ -166,7 +166,7 @@
*/
@Test
public void testGetAllForAdElementFilteredWithNoPermissions() {
- List<Permissions> result = dao.getAllForAdElement(AD_ELEMENT_ID, UNPRIVILEGED_USER_ID, true);
+ List<Permissions> result = dao.getAllForAdElement(AD_ELEMENT_ID, UNPRIVILEGED_USER_ID, UNPRIVILEGED_USER_SESSION_ID, true);
assertInvalidGetPermissionList(result);
}
@@ -227,7 +227,7 @@
*/
@Test
public void testGetAllForEntityFilteredWithPermissions() {
- List<Permissions> result = dao.getAllForEntity(VM_ENTITY_ID, PRIVILEGED_USER_ID, true);
+ List<Permissions> result = dao.getAllForEntity(VM_ENTITY_ID, PRIVILEGED_USER_ID, PRIVILEGED_USER_SESSION_ID, true);
assertGetAllForEntityResult(result);
}
@@ -237,7 +237,7 @@
*/
@Test
public void testGetAllForEntityFilteredWithNoPermissionsFilteringDisabled() {
- List<Permissions> result = dao.getAllForEntity(VM_ENTITY_ID, UNPRIVILEGED_USER_ID, false);
+ List<Permissions> result = dao.getAllForEntity(VM_ENTITY_ID, UNPRIVILEGED_USER_ID, UNPRIVILEGED_USER_SESSION_ID, false);
assertGetAllForEntityResult(result);
}
@@ -247,14 +247,14 @@
*/
@Test
public void testGetAllForEntityFilteredWithNoPermissions() {
- List<Permissions> result = dao.getAllForEntity(VM_ENTITY_ID, UNPRIVILEGED_USER_ID, true);
+ List<Permissions> result = dao.getAllForEntity(VM_ENTITY_ID, UNPRIVILEGED_USER_ID, UNPRIVILEGED_USER_SESSION_ID, true);
assertInvalidGetPermissionList(result);
}
@Test
public void testGetAllUsersWithPermissionsOnEntity() {
- List<Permissions> result = dao.getAllForEntity(VM_ENTITY_ID, PRIVILEGED_USER_ID, true, true);
+ List<Permissions> result = dao.getAllForEntity(VM_ENTITY_ID, PRIVILEGED_USER_ID, PRIVILEGED_USER_SESSION_ID, true, true);
assertNotNull(result);
assertEquals(2, result.size());
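Review bot: Every updated test passes a session id that exists in the fixtures, so the fail-closed path introduced in PermissionDAODbFacadeImpl — a null or unknown session id mapping to sequence id -1 — has no coverage, and a later change that made a missing session fall back to the unfiltered result would go unnoticed. Add a case such as `List<Permissions> result = dao.getAllForEntity(VM_ENTITY_ID, PRIVILEGED_USER_ID, "00000000-0000-0000-0000-000000000000", true);` followed by `assertInvalidGetPermissionList(result);`, and a sibling passing `null` for the session id. The same two cases are worth adding for `getAllForAdElement` and `getTreeForEntity`, which go through the same helper.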
@@ -451,29 +451,29 @@
@Test
public void testGetTreeForEntityWithRoleTypeFilteredWithPermissions() {
- baseTestGetTreeForEntityFiltered(STORAGE_ENTITY_ID, VdcObjectType.Storage, PRIVILEGED_USER_ID, true);
+ baseTestGetTreeForEntityFiltered(STORAGE_ENTITY_ID, VdcObjectType.Storage, PRIVILEGED_USER_ID, PRIVILEGED_USER_SESSION_ID, true);
}
@Test
public void testGetTreeForEntityWithRoleTypeFilteredWithNoPermissionsCheckDisabled() {
- baseTestGetTreeForEntityFiltered(STORAGE_ENTITY_ID, VdcObjectType.Storage, UNPRIVILEGED_USER_ID, false);
+ baseTestGetTreeForEntityFiltered(STORAGE_ENTITY_ID, VdcObjectType.Storage, UNPRIVILEGED_USER_ID, UNPRIVILEGED_USER_SESSION_ID, false);
}
@Test
public void testGetTreeForEntityWithRoleTypeFilteredWithNoPermissions() {
List<Permissions> result =
- dao.getTreeForEntity(STORAGE_ENTITY_ID, VdcObjectType.Storage, UNPRIVILEGED_USER_ID, true);
+ dao.getTreeForEntity(STORAGE_ENTITY_ID, VdcObjectType.Storage, UNPRIVILEGED_USER_ID, UNPRIVILEGED_USER_SESSION_ID, true);
assertInvalidGetPermissionList(result);
}
@Test
public void testGetTreeForEntityWithAppMode() {
- List<Permissions> result = dao.getTreeForEntity(STORAGE_ENTITY_ID, VdcObjectType.Storage, PRIVILEGED_USER_ID, true, ApplicationMode.AllModes.getValue());
+ List<Permissions> result = dao.getTreeForEntity(STORAGE_ENTITY_ID, VdcObjectType.Storage, PRIVILEGED_USER_ID, PRIVILEGED_USER_SESSION_ID, true, ApplicationMode.AllModes.getValue());
assertEquals(1, result.size());
- List<Permissions> result2 = dao.getTreeForEntity(STORAGE_ENTITY_ID, VdcObjectType.Storage, PRIVILEGED_USER_ID, true, ApplicationMode.VirtOnly.getValue());
+ List<Permissions> result2 = dao.getTreeForEntity(STORAGE_ENTITY_ID, VdcObjectType.Storage, PRIVILEGED_USER_ID, PRIVILEGED_USER_SESSION_ID, true, ApplicationMode.VirtOnly.getValue());
assertEquals(1, result2.size());
- List<Permissions> result3 = dao.getTreeForEntity(STORAGE_ENTITY_ID, VdcObjectType.Storage, PRIVILEGED_USER_ID, true,
ApplicationMode.GlusterOnly.getValue());
+ List<Permissions> result3 = dao.getTreeForEntity(STORAGE_ENTITY_ID, VdcObjectType.Storage, PRIVILEGED_USER_ID, PRIVILEGED_USER_SESSION_ID, true, ApplicationMode.GlusterOnly.getValue());
assertEquals(1, result3.size());
}
/**
@@ -499,9 +499,10 @@
private void baseTestGetTreeForEntityFiltered(Guid entityID,
VdcObjectType objectType,
Guid userID,
+ String sessionId,
boolean isFiltered,
Guid... alternativeObjectIds) {
- List<Permissions> result = dao.getTreeForEntity(entityID, objectType, userID, isFiltered);
+ List<Permissions> result = dao.getTreeForEntity(entityID, objectType, userID, sessionId, isFiltered);
assertGetTreeForEntityResult(entityID, result, alternativeObjectIds);
}
diff --git a/backend/manager/modules/dal/src/test/resources/fixtures.xml b/backend/manager/modules/dal/src/test/resources/fixtures.xml
index e92c476..56c3873 100644
--- a/backend/manager/modules/dal/src/test/resources/fixtures.xml
+++ b/backend/manager/modules/dal/src/test/resources/fixtures.xml
@@ -4775,6 +4775,28 @@
</row>
</table>
+ <table name="engine_sessions">
+ <column>id</column>
+ <column>engine_session_id</column>
+ <column>user_id</column>
+ <column>user_name</column>
+ <column>group_ids</column>
+ <row>
+ <value>1</value>
+ <value>9ee57fd0-6f67-11e4-9e67-3c970e14c386</value>
+ <value>9bf7c640-b620-456f-a550-0348f366544a</value>
+ <value>userportal2</value>
+ <value>35487601-05ef-43b0-932d-8663ea4c9495,fa63c7e0-d9d4-492f-9e4e-6ed8c4719364</value>
+ </row>
+ <row>
+ <value>2</value>
+ <value>c6f975b2-6f67-11e4-8455-3c970e14c386</value>
+ <value>9bf7c640-b620-456f-a550-0348f366544b</value>
+ <value>userportal3</value>
+ <value>26df4393-659b-4b8a-b0f6-3ee94d32e82f,08963ba9-b1c8-498d-989f-75cf8142eab7</value>
+ </row>
+ </table>
+
<table name="users">
<column>user_id</column>
<column>external_id</column>
diff --git a/packaging/dbscripts/multi_level_administration_sp.sql b/packaging/dbscripts/multi_level_administration_sp.sql
index e6a4c94..c857e1d 100644
--- a/packaging/dbscripts/multi_level_administration_sp.sql
+++ b/packaging/dbscripts/multi_level_administration_sp.sql
@@ -102,7 +102,7 @@
LANGUAGE plpgsql;
-Create or replace FUNCTION GetPermissionsByAdElementId(v_ad_element_id UUID, v_user_id UUID, v_is_filtered BOOLEAN, v_app_mode INTEGER)
+Create or replace FUNCTION GetPermissionsByAdElementId(v_ad_element_id UUID, v_user_id UUID, v_engine_session_seq_id INTEGER, v_is_filtered BOOLEAN, v_app_mode INTEGER)
RETURNS SETOF permissions_view STABLE
AS $procedure$
BEGIN
@@ -110,7 +110,7 @@
FROM permissions_view
WHERE (permissions_view.app_mode & v_app_mode) > 0 AND (permissions_view.ad_element_id = v_ad_element_id
- OR ad_element_id IN (SELECT * FROM getUserAndGroupsById(v_ad_element_id)))
+ OR ad_element_id IN (SELECT * FROM getSessionUserAndGroupsById(v_ad_element_id, v_engine_session_seq_id)))
AND (NOT v_is_filtered OR EXISTS (SELECT 1
FROM user_permissions_permissions_view
WHERE user_id = v_user_id));
END; $procedure$
@@ -455,7 +455,7 @@
-Create or replace FUNCTION GetPermissionsByEntityId(v_id UUID, v_user_id UUID, v_is_filtered BOOLEAN, v_app_mode INTEGER)
+Create or replace FUNCTION GetPermissionsByEntityId(v_id UUID, v_user_id UUID, v_engine_session_seq_id INTEGER, v_is_filtered BOOLEAN, v_app_mode INTEGER)
RETURNS SETOF permissions_view STABLE
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
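Review bot: In GetPermissionsByAdElementId the new call `getSessionUserAndGroupsById(v_ad_element_id, v_engine_session_seq_id)` looks for `engine_sessions` rows whose `user_id` is the queried AD element, but `v_engine_session_seq_id` identifies the caller's session, i.e. `v_user_id`. When an administrator asks for another user's permissions the two differ, the join inside the new function matches nothing, and the result shrinks to permissions granted directly to that user and to Everyone — the group-inherited rows that `getUserAndGroupsById(v_ad_element_id)` used to return disappear. If the queried element's groups are still meant to be expanded, keep `getUserAndGroupsById(v_ad_element_id)` here (or add a variant that does not need a session); if only the caller's session snapshot is intended, call `getSessionUserAndGroupsById(v_user_id, v_engine_session_seq_id)` and say so in a comment above the query. A DAO test that queries a different AD element id with PRIVILEGED_USER_SESSION_ID would show which behaviour the change actually has.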
@@ -466,12 +466,12 @@
WHERE (permissions_view.app_mode & v_app_mode) > 0 AND
object_id = v_id
AND (NOT v_is_filtered OR EXISTS (SELECT 1
- FROM GetUserPermissionsByEntityId(v_id, v_user_id, v_is_filtered)));
+ FROM GetUserPermissionsByEntityId(v_id, v_user_id, v_engine_session_seq_id, v_is_filtered)));
END; $procedure$
LANGUAGE plpgsql;
-Create or replace FUNCTION GetAllUsersWithPermissionsOnEntityByEntityId(v_id UUID, v_user_id UUID, v_is_filtered BOOLEAN, v_app_mode INTEGER)
+Create or replace FUNCTION GetAllUsersWithPermissionsOnEntityByEntityId(v_id UUID, v_user_id UUID, v_engine_session_seq_id INTEGER, v_is_filtered BOOLEAN, v_app_mode INTEGER)
RETURNS SETOF permissions_view STABLE
AS $procedure$
BEGIN
@@ -480,13 +480,13 @@
WHERE (permissions_view.app_mode & v_app_mode) > 0 AND
object_id = v_id
AND (NOT v_is_filtered OR EXISTS (SELECT 1
- FROM GetAllUsersWithPermissionsByEntityId(v_id, v_user_id, v_is_filtered)));
+ FROM GetAllUsersWithPermissionsByEntityId(v_id, v_user_id, v_engine_session_seq_id, v_is_filtered)));
END; $procedure$
LANGUAGE plpgsql;
-Create or replace FUNCTION GetUserPermissionsByEntityId(v_id UUID, v_user_id UUID, v_is_filtered BOOLEAN)
+Create or replace FUNCTION GetUserPermissionsByEntityId(v_id UUID, v_user_id UUID, v_engine_session_seq_id INTEGER, v_is_filtered BOOLEAN)
RETURNS SETOF permissions_view STABLE
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
@@ -496,15 +496,16 @@
FROM permissions_view p
WHERE object_id = v_id
AND (NOT v_is_filtered OR EXISTS (SELECT 1
- FROM user_flat_groups u
+ FROM engine_session_user_flat_groups u
WHERE p.ad_element_id = u.granted_id
- AND u.user_id = v_user_id));
+ AND u.user_id = v_user_id
+ AND u.id = v_engine_session_seq_id));
END; $procedure$
LANGUAGE plpgsql;
-Create or replace FUNCTION GetAllUsersWithPermissionsByEntityId(v_id UUID, v_user_id UUID, v_is_filtered BOOLEAN)
+Create or replace FUNCTION GetAllUsersWithPermissionsByEntityId(v_id UUID, v_user_id UUID, v_engine_session_seq_id INTEGER, v_is_filtered BOOLEAN)
RETURNS SETOF permissions_view STABLE
AS $procedure$
declare r_type int4;
@@ -515,9 +516,10 @@
FROM permissions_view p
WHERE object_id in (select id from fn_get_entity_parents(v_id, r_type))
AND (NOT v_is_filtered OR EXISTS (SELECT 1
- FROM user_flat_groups u
+ FROM engine_session_user_flat_groups u
WHERE p.ad_element_id = u.granted_id
- AND u.user_id = v_user_id));
+ AND u.user_id = v_user_id
+ AND u.id = v_engine_session_seq_id));
END LOOP;
return;
END; $procedure$
@@ -558,7 +560,7 @@
Create or replace FUNCTION GetPermissionsTreeByEntityId
-(v_id UUID, v_object_type_id INTEGER, v_user_id UUID, v_is_filtered BOOLEAN, v_app_mode INTEGER)
+(v_id UUID, v_object_type_id INTEGER, v_user_id UUID, v_engine_session_seq_id INTEGER, v_is_filtered BOOLEAN, v_app_mode INTEGER)
RETURNS SETOF permissions_view STABLE
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
@@ -569,9 +571,10 @@
WHERE (p.app_mode & v_app_mode) > 0 AND
object_id in(select id from fn_get_entity_parents(v_id,v_object_type_id))
AND (NOT v_is_filtered OR EXISTS (SELECT 1
- FROM user_flat_groups u
+ FROM engine_session_user_flat_groups u
WHERE p.ad_element_id = u.granted_id
- AND u.user_id = v_user_id));
+ AND u.user_id = v_user_id
+ AND u.id = v_engine_session_seq_id));
END; $procedure$
LANGUAGE plpgsql;
diff --git a/packaging/dbscripts/upgrade/03_06_0570_add_engine_session_user_flat_groups.sql b/packaging/dbscripts/upgrade/03_06_0570_add_engine_session_user_flat_groups.sql
new file mode 100644
index 0000000..9d4adf0
--- /dev/null
+++ b/packaging/dbscripts/upgrade/03_06_0570_add_engine_session_user_flat_groups.sql
@@ -0,0 +1,28 @@
+-- Flatten all the objects a user can get permissions on them
+CREATE OR REPLACE VIEW engine_session_user_flat_groups
+AS
+SELECT id AS id, user_id AS user_id, fnSplitterUuid(engine_sessions.group_ids) AS granted_id
+FROM engine_sessions
+UNION ALL
+-- The user itself
+SELECT id, user_id, user_id FROM engine_sessions
+UNION ALL
+-- user is also member of 'Everyone'
+SELECT id, user_id, 'EEE00000-0000-0000-0000-123456789EEE'
+FROM engine_sessions;
+
+CREATE OR REPLACE FUNCTION getSessionUserAndGroupsById(v_user_id UUID, v_id INTEGER)
+RETURNS SETOF idUuidType STABLE
+ AS $function$
+BEGIN
+ RETURN QUERY
+ select ad_groups.ID from ad_groups,engine_sessions where engine_sessions.user_id = v_user_id
+ and engine_sessions.id = v_id
+ and ad_groups.id in(select * from fnsplitteruuid(engine_sessions.group_ids))
+ UNION
+ select v_user_id
+ UNION
+ -- user is also member of 'Everyone'
+ select 'EEE00000-0000-0000-0000-123456789EEE';
+END; $function$
+LANGUAGE plpgsql;
--
To view, visit http://gerrit.ovirt.org/35362
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I28f3853166fe635941e65ea2461f7ecda20f4a2a
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
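Review bot: The view `engine_session_user_flat_groups` grants through every id in `engine_sessions.group_ids`, while `getSessionUserAndGroupsById` in the same file additionally requires the id to exist in `ad_groups`, so the two lookups disagree on a group that is in the session snapshot but absent from `ad_groups`; one should be aligned with the other, or a comment should explain why the entity-filtering path is looser than the AD-element path. Because both now read membership from the `group_ids` stored on the session row rather than from `user_flat_groups`, a group removal in the directory no longer affects permission filtering until that session ends — assuming `group_ids` is written only at session creation, which this change does not show — and that consequence belongs in the commit message and in a header comment on the view, since it changes when a revocation takes effect. Placing the function in an upgrade script rather than next to the other MLA functions in multi_level_administration_sp.sql is also unusual if, as for the rest of dbscripts, the *_sp.sql files are the ones regenerated on every upgrade. Finally, `v_id INTEGER` should match the declared type of `engine_sessions.id`, which the Java side reads as a `long`.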
