Signed-off-by: Scott Seago <sseago(a)redhat.com>
---
src/app/controllers/provider_controller.rb | 6 +++---
src/app/models/privilege.rb | 13 +++++++++----
src/db/migrate/20091008153046_create_privileges.rb | 2 +-
src/db/migrate/20091008153058_create_roles.rb | 17 +++++++++++++++--
4 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/src/app/controllers/provider_controller.rb b/src/app/controllers/provider_controller.rb
index b7e10a5..53056f5 100644
--- a/src/app/controllers/provider_controller.rb
+++ b/src/app/controllers/provider_controller.rb
@@ -52,16 +52,16 @@ class ProviderController < ApplicationController
def accounts
@provider = Provider.find(params[:id])
- require_privilege(Privilege::PROVIDER_VIEW, @provider)
+ require_privilege(Privilege::ACCOUNT_VIEW, @provider)
end
def new_account
@provider = Provider.find(params[:id])
- require_privilege(Privilege::PROVIDER_VIEW, @provider)
+ require_privilege(Privilege::ACCOUNT_MODIFY, @provider)
end
def create_account
- require_privilege(Privilege::PROVIDER_MODIFY)
+ require_privilege(Privilege::ACCOUNT_MODIFY)
@acct = CloudAccount.find_or_create(params[:account])
@provider = Provider.find(params[:account][:provider_id])
@provider.cloud_accounts << @acct
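Review bot: The replaced check in create_account, `require_privilege(Privilege::ACCOUNT_MODIFY)`, is not scoped to the provider the account is being imported into, while new_account checks the same privilege against @provider; the provider is only looked up two lines later from params[:account][:provider_id], after the account has already been created. How require_privilege treats a missing target object is not visible in this hunk, but if it falls back to a global check, a caller holding ACCOUNT_MODIFY on one provider could pass it while targeting another. Consider doing the lookup first and checking against it: `@provider = Provider.find(params[:account][:provider_id])` followed by `require_privilege(Privilege::ACCOUNT_MODIFY, @provider)` before `CloudAccount.find_or_create` runs. create_account's body continues past the end of the hunk.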
diff --git a/src/app/models/privilege.rb b/src/app/models/privilege.rb
index e314930..69f22b9 100644
--- a/src/app/models/privilege.rb
+++ b/src/app/models/privilege.rb
@@ -43,10 +43,15 @@ class Privilege < ActiveRecord::Base
STATS_VIEW = "stats_view" # can view monitoring data for
# instances
- # account privileges normally checked at the provider level, although
- # account-specific overrides could be a future enhancement.
+ # to create(i.e. import) an account on a provider (but not added to
+ # a pool) needs ACCOUNT_MODIFY on the provider.
+ # to add a new provider account (i.e. import) to a pool needs
+ # ACCOUNT_ADD on the pool
+ # to add an existing provider account to a pool needs ACCOUNT_ADD
+ # on the pool _and_ ACCOUNT_ADD on the account.
ACCOUNT_MODIFY = "account_modify" # can create or modify cloud accounts
- ACCOUNT_VIEW = "account_view" # can create or modify cloud accounts
+ ACCOUNT_VIEW = "account_view" # can view cloud accounts
+ ACCOUNT_ADD = "account_add" # can add an account to a pool
# pool privileges normally checked at the provider level
# (and at the account level for choosing which accounts are visible on the
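Review bot: The inline comment on the new constant, `ACCOUNT_ADD = "account_add" # can add an account to a pool`, understates what the block comment above it specifies: for an existing account the privilege is checked on the pool and on the account. A reader scanning the constants will only see the short form, so I would make it `# can add an account to a pool (checked on the pool, and also on the account when it already exists)`. The first sentence of the block comment also lacks a subject; `# Creating (i.e. importing) an account on a provider without adding it to a pool needs ACCOUNT_MODIFY on the provider.` reads more clearly.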
@@ -76,7 +81,7 @@ class Privilege < ActiveRecord::Base
FULL_PRIVILEGE_LIST = [PERM_SET, PERM_VIEW,
INSTANCE_MODIFY, INSTANCE_CONTROL, INSTANCE_VIEW,
STATS_VIEW,
- ACCOUNT_MODIFY, ACCOUNT_VIEW,
+ ACCOUNT_MODIFY, ACCOUNT_ADD, ACCOUNT_VIEW,
POOL_MODIFY, POOL_VIEW,
QUOTA_MODIFY, QUOTA_VIEW,
PROVIDER_MODIFY, PROVIDER_VIEW,
diff --git a/src/db/migrate/20091008153046_create_privileges.rb b/src/db/migrate/20091008153046_create_privileges.rb
index 74932b0..12d94c6 100644
--- a/src/db/migrate/20091008153046_create_privileges.rb
+++ b/src/db/migrate/20091008153046_create_privileges.rb
@@ -30,7 +30,7 @@ class CreatePrivileges < ActiveRecord::Migration
privileges = ["set_perms", "view_perms",
"instance_modify", "instance_control", "instance_view",
"stats_view",
- "account_modify", "account_view",
+ "account_modify", "account_add", "account_view",
"pool_modify", "pool_view",
"quota_modify", "quota_view",
"provider_modify", "provider_view",
diff --git a/src/db/migrate/20091008153058_create_roles.rb b/src/db/migrate/20091008153058_create_roles.rb
index 44c360d..d7776d3 100644
--- a/src/db/migrate/20091008153058_create_roles.rb
+++ b/src/db/migrate/20091008153058_create_roles.rb
@@ -63,7 +63,7 @@ class CreateRoles < ActiveRecord::Migration
"quota_view",
"set_perms",
"view_perms",
- "account_modify"]},
+ "account_add"]},
"Pool Creator" =>
{:role_scope => "Provider",
:privileges => ["provider_view",
@@ -78,19 +78,31 @@ class CreateRoles < ActiveRecord::Migration
"quota_view",
"quota_modify",
"account_view",
+ "account_add",
"account_modify",
"set_perms",
"view_perms"]},
+ "Provider Administrator" =>
+ {:role_scope => "Provider",
+ :privileges => ["provider_modify",
+ "provider_view",
+ "account_modify",
+ "account_view"]},
"Account Administrator" =>
{:role_scope => "CloudAccount",
:privileges => ["set_perms",
"view_perms",
"account_view",
+ "account_add",
"account_modify"]},
"Account User" =>
{:role_scope => "CloudAccount",
+ :privileges => ["account_view",
+ "account_add"]},
+ "Account Viewer" =>
+ {:role_scope => "CloudAccount",
:privileges => ["account_view"]},
- "Provider Administrator" =>
+ "Provider Creator" =>
{:role_scope => "BasePortalObject",
:privileges => ["provider_modify",
"provider_view"]},
@@ -99,6 +111,7 @@ class CreateRoles < ActiveRecord::Migration
:privileges => ["provider_modify",
"provider_view",
"account_modify",
+ "account_add",
"account_view",
"user_modify",
"user_view",
--
1.6.2.5