Signed-off-by: Scott Seago sseago@redhat.com --- src/app/controllers/provider_controller.rb | 6 +++--- src/app/models/privilege.rb | 13 +++++++++---- src/db/migrate/20091008153046_create_privileges.rb | 2 +- src/db/migrate/20091008153058_create_roles.rb | 17 +++++++++++++++-- 4 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/src/app/controllers/provider_controller.rb b/src/app/controllers/provider_controller.rb
index b7e10a5..53056f5 100644
--- a/src/app/controllers/provider_controller.rb
+++ b/src/app/controllers/provider_controller.rb
@@ -52,16 +52,16 @@ class ProviderController < ApplicationController
def accounts
@provider = Provider.find(params[:id])
- require_privilege(Privilege::PROVIDER_VIEW, @provider)
+ require_privilege(Privilege::ACCOUNT_VIEW, @provider)
end
def new_account
@provider = Provider.find(params[:id])
- require_privilege(Privilege::PROVIDER_VIEW, @provider)
+ require_privilege(Privilege::ACCOUNT_MODIFY, @provider)
end
def create_account
- require_privilege(Privilege::PROVIDER_MODIFY)
+ require_privilege(Privilege::ACCOUNT_MODIFY)
@acct = CloudAccount.find_or_create(params[:account])
@provider = Provider.find(params[:account][:provider_id])
@provider.cloud_accounts << @acct
diff --git a/src/app/models/privilege.rb b/src/app/models/privilege.rb
index e314930..69f22b9 100644
--- a/src/app/models/privilege.rb
+++ b/src/app/models/privilege.rb
@@ -43,10 +43,15 @@ class Privilege < ActiveRecord::Base
STATS_VIEW = "stats_view" # can view monitoring data for
# instances
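Review bot: In `create_account` the new check `require_privilege(Privilege::ACCOUNT_MODIFY)` is made without a target object, while `accounts` and `new_account` in the same hunk check against `@provider`. The provider is only looked up from `params[:account][:provider_id]` after the check, so the privilege is not tied to the provider the account gets attached to; how `require_privilege` treats a missing object is not visible here, but either a global check or a denial for provider-scoped roles would disagree with the rule stated in privilege.rb that importing an account needs ACCOUNT_MODIFY on the provider. Load the provider first and scope the check, `@provider = Provider.find(params[:account][:provider_id])` followed by `require_privilege(Privilege::ACCOUNT_MODIFY, @provider)`, before `CloudAccount.find_or_create` runs. The body of `create_account` continues outside the hunk.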
- # account privileges normally checked at the provider level, although
- # account-specific overrides could be a future enhancement.
+ # to create(i.e. import) an account on a provider (but not added to
+ # a pool) needs ACCOUNT_MODIFY on the provider.
+ # to add a new provider account (i.e. import) to a pool needs
+ # ACCOUNT_ADD on the pool
+ # to add an existing provider account to a pool needs ACCOUNT_ADD
+ # on the pool _and_ ACCOUNT_ADD on the account.
ACCOUNT_MODIFY = "account_modify" # can create or modify cloud accounts
- ACCOUNT_VIEW = "account_view" # can create or modify cloud accounts
+ ACCOUNT_VIEW = "account_view" # can view cloud accounts
+ ACCOUNT_ADD = "account_add" # can add an account to a pool
# pool privileges normally checked at the provider level # (and at the account level for choosing which accounts are visible on the @@ -76,7 +81,7 @@ class Privilege < ActiveRecord::Base FULL_PRIVILEGE_LIST = [PERM_SET, PERM_VIEW, INSTANCE_MODIFY, INSTANCE_CONTROL, INSTANCE_VIEW, STATS_VIEW, - ACCOUNT_MODIFY, ACCOUNT_VIEW, + ACCOUNT_MODIFY, ACCOUNT_ADD, ACCOUNT_VIEW, POOL_MODIFY, POOL_VIEW, QUOTA_MODIFY, QUOTA_VIEW, PROVIDER_MODIFY, PROVIDER_VIEW, diff --git a/src/db/migrate/20091008153046_create_privileges.rb b/src/db/migrate/20091008153046_create_privileges.rb index 74932b0..12d94c6 100644 --- a/src/db/migrate/20091008153046_create_privileges.rb +++ b/src/db/migrate/20091008153046_create_privileges.rb @@ -30,7 +30,7 @@ class CreatePrivileges < ActiveRecord::Migration privileges = ["set_perms", "view_perms", "instance_modify", "instance_control", "instance_view", "stats_view", - "account_modify", "account_view", + "account_modify", "account_add", "account_view", "pool_modify", "pool_view", "quota_modify", "quota_view", "provider_modify", "provider_view", diff --git a/src/db/migrate/20091008153058_create_roles.rb b/src/db/migrate/20091008153058_create_roles.rb index 44c360d..d7776d3 100644 --- a/src/db/migrate/20091008153058_create_roles.rb +++ b/src/db/migrate/20091008153058_create_roles.rb @@ -63,7 +63,7 @@ class CreateRoles < ActiveRecord::Migration "quota_view", "set_perms", "view_perms", - "account_modify"]}, + "account_add"]}, "Pool Creator" => {:role_scope => "Provider", :privileges => ["provider_view", 
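Review bot: The new comment block above `ACCOUNT_ADD` states where the privilege must be held (on the pool, and also on the account when an existing account is added), but no hunk in this patch adds a `require_privilege(Privilege::ACCOUNT_ADD, ...)` call, so the rule is documented here without being enforced by anything visible. If enforcement lands in a later patch, say so in the comment, for example `# NOTE: ACCOUNT_ADD is not yet checked by any controller`. Otherwise the roles that create_roles.rb switches from account_modify to account_add hold a privilege that nothing tests. The block would also read more clearly as one entry per operation, each naming the privilege and the object it is checked on.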
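Review bot: `"account_add"` is introduced by editing the existing migration 20091008153046_create_privileges.rb, and a database that has already run that migration will not run it again. Such an installation would presumably end up with `Privilege::ACCOUNT_ADD` in the model's FULL_PRIVILEGE_LIST but no seeded privilege for it. The same applies to the role changes in 20091008153058_create_roles.rb (both hunks), where roles are renamed and given different privilege sets. If any deployed database exists, a new migration that inserts the privilege and updates the role mappings is the safer route; if the schema is still rebuilt from scratch at this stage, a one-line comment at the top of the migration saying so would prevent surprises later.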
@@ -78,19 +78,31 @@ class CreateRoles < ActiveRecord::Migration "quota_view", "quota_modify", "account_view", + "account_add", "account_modify", "set_perms", "view_perms"]}, + "Provider Administrator" => + {:role_scope => "Provider", + :privileges => ["provider_modify", + "provider_view", + "account_modify", + "account_view"]}, "Account Administrator" => {:role_scope => "CloudAccount", :privileges => ["set_perms", "view_perms", "account_view", + "account_add", "account_modify"]}, "Account User" => {:role_scope => "CloudAccount", + :privileges => ["account_view", + "account_add"]}, + "Account Viewer" => + {:role_scope => "CloudAccount", :privileges => ["account_view"]}, - "Provider Administrator" => + "Provider Creator" => {:role_scope => "BasePortalObject", :privileges => ["provider_modify", "provider_view"]}, @@ -99,6 +111,7 @@ class CreateRoles < ActiveRecord::Migration :privileges => ["provider_modify", "provider_view", "account_modify", + "account_add", "account_view", "user_modify", "user_view",
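Review bot: The role names "Provider Administrator" and "Account User" keep their names in this hunk but change meaning. "Provider Administrator" moves from a BasePortalObject-scoped role with provider_modify/provider_view to a Provider-scoped role that also carries account_modify and account_view, with the old definition renamed "Provider Creator". "Account User" gains account_add, and the previous view-only set becomes the new "Account Viewer". Anything that refers to these roles by name (seed data, fixtures, existing permission assignments) would silently grant a different privilege set; whether such references exist is not visible from this hunk. Consider introducing the new roles under new names and leaving the existing names with their old privileges, or add a comment above each renamed entry, such as `# was "Provider Administrator" before the account privilege split`, so a reviewer of role assignments can trace the change.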
On Tue, Mar 16, 2010 at 12:25:36PM -0400, Scott Seago wrote:
Signed-off-by: Scott Seago sseago@redhat.com
src/app/controllers/provider_controller.rb | 6 +++--- src/app/models/privilege.rb | 13 +++++++++---- src/db/migrate/20091008153046_create_privileges.rb | 2 +- src/db/migrate/20091008153058_create_roles.rb | 17 +++++++++++++++-- 4 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/src/app/controllers/provider_controller.rb b/src/app/controllers/provider_controller.rb index b7e10a5..53056f5 100644 --- a/src/app/controllers/provider_controller.rb +++ b/src/app/controllers/provider_controller.rb @@ -52,16 +52,16 @@ class ProviderController < ApplicationController
def accounts @provider = Provider.find(params[:id])
require_privilege(Privilege::PROVIDER_VIEW, @provider)
require_privilege(Privilege::ACCOUNT_VIEW, @provider)
end
def new_account @provider = Provider.find(params[:id])
require_privilege(Privilege::PROVIDER_VIEW, @provider)
require_privilege(Privilege::ACCOUNT_MODIFY, @provider)
end
def create_account
require_privilege(Privilege::PROVIDER_MODIFY)
require_privilege(Privilege::ACCOUNT_MODIFY) @acct = CloudAccount.find_or_create(params[:account]) @provider = Provider.find(params[:account][:provider_id]) @provider.cloud_accounts << @acct
diff --git a/src/app/models/privilege.rb b/src/app/models/privilege.rb index e314930..69f22b9 100644 --- a/src/app/models/privilege.rb +++ b/src/app/models/privilege.rb @@ -43,10 +43,15 @@ class Privilege < ActiveRecord::Base STATS_VIEW = "stats_view" # can view monitoring data for # instances
- # account privileges normally checked at the provider level, although
- # account-specific overrides could be a future enhancement.
- # to create(i.e. import) an account on a provider (but not added to
- # a pool) needs ACCOUNT_MODIFY on the provider.
- # to add a new provider account (i.e. import) to a pool needs
- # ACCOUNT_ADD on the pool
- # to add an existing provider account to a pool needs ACCOUNT_ADD
- # on the pool _and_ ACCOUNT_ADD on the account. ACCOUNT_MODIFY = "account_modify" # can create or modify cloud accounts
- ACCOUNT_VIEW = "account_view" # can create or modify cloud accounts
ACCOUNT_VIEW = "account_view" # can view cloud accounts
ACCOUNT_ADD = "account_add" # can add an account to a pool
# pool privileges normally checked at the provider level # (and at the account level for choosing which accounts are visible on the
@@ -76,7 +81,7 @@ class Privilege < ActiveRecord::Base FULL_PRIVILEGE_LIST = [PERM_SET, PERM_VIEW, INSTANCE_MODIFY, INSTANCE_CONTROL, INSTANCE_VIEW, STATS_VIEW,
ACCOUNT_MODIFY, ACCOUNT_VIEW,
ACCOUNT_MODIFY, ACCOUNT_ADD, ACCOUNT_VIEW, POOL_MODIFY, POOL_VIEW, QUOTA_MODIFY, QUOTA_VIEW, PROVIDER_MODIFY, PROVIDER_VIEW,
diff --git a/src/db/migrate/20091008153046_create_privileges.rb b/src/db/migrate/20091008153046_create_privileges.rb index 74932b0..12d94c6 100644 --- a/src/db/migrate/20091008153046_create_privileges.rb +++ b/src/db/migrate/20091008153046_create_privileges.rb @@ -30,7 +30,7 @@ class CreatePrivileges < ActiveRecord::Migration privileges = ["set_perms", "view_perms", "instance_modify", "instance_control", "instance_view", "stats_view",
"account_modify", "account_view",
"account_modify", "account_add", "account_view", "pool_modify", "pool_view", "quota_modify", "quota_view", "provider_modify", "provider_view",
diff --git a/src/db/migrate/20091008153058_create_roles.rb b/src/db/migrate/20091008153058_create_roles.rb index 44c360d..d7776d3 100644 --- a/src/db/migrate/20091008153058_create_roles.rb +++ b/src/db/migrate/20091008153058_create_roles.rb @@ -63,7 +63,7 @@ class CreateRoles < ActiveRecord::Migration "quota_view", "set_perms", "view_perms",
"account_modify"]},
"account_add"]}, "Pool Creator" => {:role_scope => "Provider", :privileges => ["provider_view",
@@ -78,19 +78,31 @@ class CreateRoles < ActiveRecord::Migration "quota_view", "quota_modify", "account_view",
"account_add", "account_modify", "set_perms", "view_perms"]},
"Provider Administrator" =>
{:role_scope => "Provider",
:privileges => ["provider_modify",
"provider_view",
"account_modify",
"account_view"]}, "Account Administrator" => {:role_scope => "CloudAccount", :privileges => ["set_perms", "view_perms", "account_view",
"account_add", "account_modify"]}, "Account User" => {:role_scope => "CloudAccount",
:privileges => ["account_view",
"account_add"]},
"Account Viewer" =>
{:role_scope => "CloudAccount", :privileges => ["account_view"]},
"Provider Administrator" =>
"Provider Creator" => {:role_scope => "BasePortalObject", :privileges => ["provider_modify", "provider_view"]},
@@ -99,6 +111,7 @@ class CreateRoles < ActiveRecord::Migration :privileges => ["provider_modify", "provider_view", "account_modify",
"account_add", "account_view", "user_modify", "user_view",
-- 1.6.2.5
ACK to this. Please push!
Steve.