<feature>[identity]: introduce resource-viewer roles

* Add resource-viewer roles for supporting to query
  all resources;
* Change multiple permission checks from
  “Administrator/Synchronization Call Detection Only
  to the broade
  “Full Resource Read Access / Read-Only API” detection.

Resolves: ZSV-11447

Change-Id: I6d666a686e776b70617474617767676175626d67

Author: Zhang Wenhao

header/src/main/java/org/zstack/header/RBACInfo.java

@@ -32,6 +32,11 @@ public void roles() {
                 .actions("org.zstack.header.**")
                 .build();
 
+        roleBuilder()
+                .name("resource-viewer")
+                .uuid(AccountConstant.ALL_RESOURCES_READABLE_ROLE_UUID)
+                .build();
+
         roleBuilder()
                 .name("sod-system-administrator")
                 .uuid(AccountConstant.SOD_SYSTEM_ADMIN_ROLE_UUID)

header/src/main/java/org/zstack/header/identity/AccountConstant.java

@@ -41,6 +41,12 @@ public interface AccountConstant {
     String OTHER_ROLE_UUID = "80315b1f85314917826b182bf6def552";
     String LEGACY_ROLE_UUID = "85cfac2138494b2db6501881e1e68045";
 
+    /**
+     * Allow querying all resources.
+     * Querying audit data is not allowed
+     */
+    String ALL_RESOURCES_READABLE_ROLE_UUID = "8550153cd5474c79850566787fe0f055";
+
     // for: Separation of Duties
     String SOD_SYSTEM_ADMIN_ROLE_UUID = "8550125df53c54edb33d1b8ae83ded55";
     String SOD_SECURITY_ADMIN_ROLE_UUID = "855013d87cf55944b4a6c6ae729b3f55";

header/src/main/java/org/zstack/header/message/APIMessage.java

@@ -223,6 +223,17 @@ private static void validateValue(String[] validValues, String value, String fie
         }
     }
 
+    public static boolean isReadOnlyApi(Class<?> apiClass) {
+        // TODO: will add RestRequest.readOnly()
+        // Note: APIGenerateSshKeyPairMsg is not a read-only api, but it is a sync api
+        if (apiClass.getSimpleName().equals("APIGenerateSshKeyPairMsg")
+                || apiClass.getSimpleName().equals("APIBatchSyncVolumeSizeMsg")
+                || apiClass.getSimpleName().equals("APICheckElaborationContentMsg")) {
+            return false;
+        }
+        return APISyncCallMessage.class.isAssignableFrom(apiClass);
+    }
+
     public String getOperator() {
         return null;
     }

identity/src/main/java/org/zstack/identity/Account.java

@@ -5,6 +5,7 @@
 import org.zstack.header.identity.role.RoleAccountRefVO;
 import org.zstack.header.identity.role.RoleAccountRefVO_;
 
+import static org.zstack.header.identity.AccountConstant.ALL_RESOURCES_READABLE_ROLE_UUID;
 import static org.zstack.header.identity.AccountConstant.SOD_AUDITOR_ROLE_UUID;
 import static org.zstack.header.identity.AccountConstant.SOD_SYSTEM_ADMIN_ROLE_UUID;
 
@@ -40,6 +41,21 @@ static boolean isAdmin(String accountUuid) {
         return AccountConstant.isAdmin(accountUuid);
     }
 
+    static boolean isAllResourcesReadable(SessionInventory session) {
+        return isAllResourcesReadable(session.getAccountUuid());
+    }
+
+    static boolean isAllResourcesReadable(String accountUuid) {
+        if (isAdminPermission(accountUuid)) {
+            return true;
+        }
+
+        return Q.New(RoleAccountRefVO.class)
+                    .eq(RoleAccountRefVO_.accountUuid, accountUuid)
+                    .eq(RoleAccountRefVO_.roleUuid, ALL_RESOURCES_READABLE_ROLE_UUID)
+                    .isExists();
+    }
+
     static boolean supportToQueryAuditsFromAllAccounts(SessionInventory session) {
         return supportToQueryAuditsFromAllAccounts(session.getAccountUuid());
     }

identity/src/main/java/org/zstack/identity/AccountSubQueryExtension.java

@@ -13,7 +13,7 @@ public class AccountSubQueryExtension extends AbstractMysqlQuerySubQueryExtensio
 
     @Override
     public String makeSubquery(APIQueryMessage msg, Class inventoryClass) {
-        if (Account.isAdminPermission(msg.getSession()))  {
+        if (Account.isAllResourcesReadable(msg.getSession()))  {
             return null;
         }
 

identity/src/main/java/org/zstack/identity/rbac/RBACAPIRequestChecker.java

@@ -76,6 +76,14 @@ public void check(APIMessage message) {
                     apiClass.getName()));
         }
 
+        if (APIMessage.isReadOnlyApi(apiClass) && Account.isAllResourcesReadable(session)) {
+            // exclude audits / event api
+            if (!"APIGetAuditDataMsg".equals(apiClass.getSimpleName())
+                    && !"APIGetEventDataMsg".equals(apiClass.getSimpleName())) {
+                return;
+            }
+        }
+
         if (!check()) {
             permissionDenied();
         }

identity/src/main/java/org/zstack/identity/rbac/RBACResourceRequestChecker.java

@@ -10,7 +10,6 @@
 import org.zstack.header.message.APIMessage;
 import org.zstack.header.message.APIParam;
 import org.zstack.header.message.APIResourceScope;
-import org.zstack.header.message.APISyncCallMessage;
 import org.zstack.header.tag.SystemTagVO;
 import org.zstack.header.tag.SystemTagVO_;
 import org.zstack.header.vo.ResourceVO;
@@ -107,7 +106,7 @@ private void checkOperationTarget(APIMessage.FieldParam param) {
                     return;
                 }
 
-                if (message instanceof APISyncCallMessage) {
+                if (APIMessage.isReadOnlyApi(message.getClass())) {
                     // no check to read api
                     return;
                 }