You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/05/02 01:04:29 UTC
[01/10] git commit: updated refs/heads/master to 134a799
Repository: cloudstack
Updated Branches:
refs/heads/master 4f45c972c -> 134a7998c
CLOUDSTACK-6532:Affinity Groups - As admin user, not able to list all
affinity groups available for regular users by passing account and
domainId paramater. This is to revert IAM way of implementing
listAffinityGroupsCmd, will bring it back when we have implemented real
impersonation.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5521581b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5521581b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5521581b
Branch: refs/heads/master
Commit: 5521581b6ec5c2e9efc2718838501903d81059df
Parents: b42ad3c
Author: Min Chen <mi...@citrix.com>
Authored: Tue Apr 29 18:08:00 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:27 2014 -0700
----------------------------------------------------------------------
.../com/cloud/api/query/QueryManagerImpl.java | 159 ++++++++++++++++++-
1 file changed, 157 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5521581b/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 41b134f..16c68b1 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -3489,6 +3489,161 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (vmId != null) {
UserVmVO userVM = _userVmDao.findById(vmId);
if (userVM == null) {
+ throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance "
+ + vmId + "; instance not found.");
+ }
+ _accountMgr.checkAccess(caller, null, true, userVM);
+ return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
+ }
+
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+ domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts,
+ domainIdRecursiveListProject, listAll, true);
+ domainId = domainIdRecursiveListProject.first();
+ isRecursive = domainIdRecursiveListProject.second();
+ ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+
+ Filter searchFilter = new Filter(AffinityGroupJoinVO.class, "id", true, startIndex, pageSize);
+ SearchCriteria<AffinityGroupJoinVO> sc = buildAffinityGroupSearchCriteria(domainId, isRecursive,
+ permittedAccounts, listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword);
+
+ Pair<List<AffinityGroupJoinVO>, Integer> uniqueGroupsPair = _affinityGroupJoinDao.searchAndCount(sc,
+ searchFilter);
+ // search group details by ids
+ List<AffinityGroupJoinVO> vrs = new ArrayList<AffinityGroupJoinVO>();
+ Integer count = uniqueGroupsPair.second();
+ if (count.intValue() != 0) {
+ List<AffinityGroupJoinVO> uniqueGroups = uniqueGroupsPair.first();
+ Long[] vrIds = new Long[uniqueGroups.size()];
+ int i = 0;
+ for (AffinityGroupJoinVO v : uniqueGroups) {
+ vrIds[i++] = v.getId();
+ }
+ vrs = _affinityGroupJoinDao.searchByIds(vrIds);
+ }
+
+ if (!permittedAccounts.isEmpty()) {
+ // add domain level affinity groups
+ if (domainId != null) {
+ SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(null, isRecursive,
+ new ArrayList<Long>(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName,
+ affinityGroupType, keyword);
+ vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId));
+ } else {
+
+ for (Long permAcctId : permittedAccounts) {
+ Account permittedAcct = _accountDao.findById(permAcctId);
+ SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(
+ null, isRecursive, new ArrayList<Long>(),
+ listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword);
+
+ vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, permittedAcct.getDomainId()));
+ }
+ }
+ } else if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
+ // list all domain level affinity groups for the domain admin case
+ SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(null, isRecursive,
+ new ArrayList<Long>(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName,
+ affinityGroupType, keyword);
+ vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId));
+ }
+
+ return new Pair<List<AffinityGroupJoinVO>, Integer>(vrs, vrs.size());
+
+ }
+
+ private void buildAffinityGroupViewSearchBuilder(SearchBuilder<AffinityGroupJoinVO> sb, Long domainId,
+ boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+
+ sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
+ sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
+
+ if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
+ // if accountId isn't specified, we can do a domain match for the
+ // admin case if isRecursive is true
+ sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+ }
+
+ if (listProjectResourcesCriteria != null) {
+ if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+ sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
+ } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+ sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+ }
+ }
+
+ }
+
+ private void buildAffinityGroupViewSearchCriteria(SearchCriteria<AffinityGroupJoinVO> sc,
+ Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+
+ if (listProjectResourcesCriteria != null) {
+ sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT);
+ }
+
+ if (!permittedAccounts.isEmpty()) {
+ sc.setParameters("accountIdIN", permittedAccounts.toArray());
+ } else if (domainId != null) {
+ DomainVO domain = _domainDao.findById(domainId);
+ if (isRecursive) {
+ sc.setParameters("domainPath", domain.getPath() + "%");
+ } else {
+ sc.setParameters("domainId", domainId);
+ }
+ }
+ }
+
+ private SearchCriteria<AffinityGroupJoinVO> buildAffinityGroupSearchCriteria(Long domainId, boolean isRecursive,
+ List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria,
+ Long affinityGroupId, String affinityGroupName, String affinityGroupType, String keyword) {
+
+ SearchBuilder<AffinityGroupJoinVO> groupSearch = _affinityGroupJoinDao.createSearchBuilder();
+ buildAffinityGroupViewSearchBuilder(groupSearch, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
+
+ groupSearch.select(null, Func.DISTINCT, groupSearch.entity().getId()); // select
+ // distinct
+
+ SearchCriteria<AffinityGroupJoinVO> sc = groupSearch.create();
+ buildAffinityGroupViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
+
+ if (affinityGroupId != null) {
+ sc.addAnd("id", SearchCriteria.Op.EQ, affinityGroupId);
+ }
+
+ if (affinityGroupName != null) {
+ sc.addAnd("name", SearchCriteria.Op.EQ, affinityGroupName);
+ }
+
+ if (affinityGroupType != null) {
+ sc.addAnd("type", SearchCriteria.Op.EQ, affinityGroupType);
+ }
+
+ if (keyword != null) {
+ SearchCriteria<AffinityGroupJoinVO> ssc = _affinityGroupJoinDao.createSearchCriteria();
+ ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
+ ssc.addOr("type", SearchCriteria.Op.LIKE, "%" + keyword + "%");
+
+ sc.addAnd("name", SearchCriteria.Op.SC, ssc);
+ }
+
+ return sc;
+ }
+
+ public Pair<List<AffinityGroupJoinVO>, Integer> listAffinityGroupsInternalIAM(Long affinityGroupId,
+ String affinityGroupName, String affinityGroupType, Long vmId, String accountName, Long domainId,
+ boolean isRecursive, boolean listAll, Long startIndex, Long pageSize, String keyword) {
+
+ Account caller = CallContext.current().getCallingAccount();
+
+ caller.getAccountId();
+
+ if (vmId != null) {
+ UserVmVO userVM = _userVmDao.findById(vmId);
+ if (userVM == null) {
throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
}
_accountMgr.checkAccess(caller, null, userVM);
@@ -3507,7 +3662,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(AffinityGroupJoinVO.class, "id", true, startIndex, pageSize);
- SearchCriteria<AffinityGroupJoinVO> sc = buildAffinityGroupSearchCriteria(isRecursive,
+ SearchCriteria<AffinityGroupJoinVO> sc = buildAffinityGroupSearchCriteriaIAM(isRecursive,
permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword);
Pair<List<AffinityGroupJoinVO>, Integer> uniqueGroupsPair = _affinityGroupJoinDao.searchAndCount(sc, searchFilter);
@@ -3556,7 +3711,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
- private SearchCriteria<AffinityGroupJoinVO> buildAffinityGroupSearchCriteria(boolean isRecursive,
+ private SearchCriteria<AffinityGroupJoinVO> buildAffinityGroupSearchCriteriaIAM(boolean isRecursive,
List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria,
Long affinityGroupId, String affinityGroupName, String affinityGroupType, String keyword) {
[10/10] git commit: updated refs/heads/master to 134a799
Posted by mc...@apache.org.
CLOUDSTACK-6556: Deploy VM failing with error "does
not have permission to access resource Ntwk".
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/134a7998
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/134a7998
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/134a7998
Branch: refs/heads/master
Commit: 134a7998ce8eac7373532be2102e185fabefce0f
Parents: d7c5382
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 1 15:07:36 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:29 2014 -0700
----------------------------------------------------------------------
server/src/com/cloud/vm/UserVmManagerImpl.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/134a7998/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index de66b15..3d262b7 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2394,7 +2394,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
// Perform account permission check
if (network.getAclType() == ACLType.Account) {
- _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
}
networkList.add(network);
}
[05/10] git commit: updated refs/heads/master to 134a799
Posted by mc...@apache.org.
CLOUDSTACK-6513: Optimize code by removing deprecated utility to
QueryManagerImpl as private method just used for listTemplates and
listAffinityGroups to avoid misuse by new list APIs.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a9072a66
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a9072a66
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a9072a66
Branch: refs/heads/master
Commit: a9072a66121df40867b2f6886a01f5adcefceab9
Parents: 5521581
Author: Min Chen <mi...@citrix.com>
Authored: Tue Apr 29 18:33:10 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:28 2014 -0700
----------------------------------------------------------------------
.../contrail/management/MockAccountManager.java | 6 --
.../com/cloud/api/query/QueryManagerImpl.java | 92 +++++++++++++++++++-
server/src/com/cloud/user/AccountManager.java | 5 --
.../src/com/cloud/user/AccountManagerImpl.java | 87 ------------------
.../com/cloud/user/MockAccountManagerImpl.java | 7 --
5 files changed, 89 insertions(+), 108 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a9072a66/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index 3517cc9..e12a4bf 100644
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -388,11 +388,5 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
}
- @Override
- public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long> permittedAccounts,
- Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation) {
- // TODO Auto-generated method stub
-
- }
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a9072a66/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 16c68b1..9c31f47 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -3081,6 +3081,92 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
+ // This method should only be used for keeping old listTemplates and listAffinityGroups behavior, PLEASE DON'T USE IT FOR USE LIST APIs
+ private void buildTemplateAffinityGroupSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long>
+ permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
+ boolean listAll, boolean forProjectInvitation) {
+ Long domainId = domainIdRecursiveListProject.first();
+ if (domainId != null) {
+ Domain domain = _domainDao.findById(domainId);
+ if (domain == null) {
+ throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
+ }
+ // check permissions
+ _accountMgr.checkAccess(caller, domain);
+ }
+
+ if (accountName != null) {
+ if (projectId != null) {
+ throw new InvalidParameterValueException("Account and projectId can't be specified together");
+ }
+
+ Account userAccount = null;
+ Domain domain = null;
+ if (domainId != null) {
+ userAccount = _accountDao.findActiveAccount(accountName, domainId);
+ domain = _domainDao.findById(domainId);
+ } else {
+ userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
+ domain = _domainDao.findById(caller.getDomainId());
+ }
+
+ if (userAccount != null) {
+ _accountMgr.checkAccess(caller, null, false, userAccount);
+ // check permissions
+ permittedAccounts.add(userAccount.getId());
+ } else {
+ throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
+ }
+ }
+
+ // set project information
+ if (projectId != null) {
+ if (!forProjectInvitation) {
+ if (projectId.longValue() == -1) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
+ } else {
+ domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
+ }
+ } else {
+ Project project = _projectMgr.getProject(projectId);
+ if (project == null) {
+ throw new InvalidParameterValueException("Unable to find project by id " + projectId);
+ }
+ if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
+ throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
+ }
+ permittedAccounts.add(project.getProjectAccountId());
+ }
+ }
+ } else {
+ if (id == null) {
+ domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
+ }
+ if (permittedAccounts.isEmpty() && domainId == null) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ permittedAccounts.add(caller.getId());
+ } else if (!listAll) {
+ if (id == null) {
+ permittedAccounts.add(caller.getId());
+ } else if (!_accountMgr.isRootAdmin(caller.getId())) {
+ domainIdRecursiveListProject.first(caller.getDomainId());
+ domainIdRecursiveListProject.second(true);
+ }
+ } else if (domainId == null) {
+ if (_accountMgr.isDomainAdmin(caller.getId())) {
+ domainIdRecursiveListProject.first(caller.getDomainId());
+ domainIdRecursiveListProject.second(true);
+ }
+ }
+ } else if (domainId != null) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ permittedAccounts.add(caller.getId());
+ }
+ }
+ }
+ }
+
private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(ListTemplatesCmd cmd) {
TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter());
Long id = cmd.getId();
@@ -3100,7 +3186,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> permittedAccountIds = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
+ buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
domainIdRecursiveListProject, listAll, false);
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
List<Account> permittedAccounts = new ArrayList<Account>();
@@ -3412,7 +3498,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> permittedAccountIds = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
+ buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
domainIdRecursiveListProject, listAll, false);
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
List<Account> permittedAccounts = new ArrayList<Account>();
@@ -3499,7 +3585,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> permittedAccounts = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts,
+ buildTemplateAffinityGroupSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts,
domainIdRecursiveListProject, listAll, true);
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a9072a66/server/src/com/cloud/user/AccountManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java
index 748be2b2c..03bf842 100755
--- a/server/src/com/cloud/user/AccountManager.java
+++ b/server/src/com/cloud/user/AccountManager.java
@@ -102,11 +102,6 @@ public interface AccountManager extends AccountService {
List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria);
- // deprecated methods that should only be used in listTemplates due to backwards compatibility of templateFilter.
- void buildACLSearchParameters(Account caller, Long id,
- String accountName, Long projectId, List<Long> permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll,
- boolean forProjectInvitation);
-
/**
* Deletes a user by userId
*
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a9072a66/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 32e28f7..266a9ec 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2176,93 +2176,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
return _userAccountDao.getUserByApiKey(apiKey);
}
- // NOTE: This method should only be used in listTemplates call, all other list calls should use the new buildACLSearchParameters which takes
- // "action" as extra parameter and uses new IAM model.
- @Override
- public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long>
- permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
- boolean listAll, boolean forProjectInvitation) {
- Long domainId = domainIdRecursiveListProject.first();
- if (domainId != null) {
- Domain domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
- }
- // check permissions
- checkAccess(caller, domain);
- }
-
- if (accountName != null) {
- if (projectId != null) {
- throw new InvalidParameterValueException("Account and projectId can't be specified together");
- }
-
- Account userAccount = null;
- Domain domain = null;
- if (domainId != null) {
- userAccount = _accountDao.findActiveAccount(accountName, domainId);
- domain = _domainDao.findById(domainId);
- } else {
- userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
- domain = _domainDao.findById(caller.getDomainId());
- }
-
- if (userAccount != null) {
- checkAccess(caller, null, false, userAccount);
- // check permissions
- permittedAccounts.add(userAccount.getId());
- } else {
- throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
- }
- }
-
- // set project information
- if (projectId != null) {
- if (!forProjectInvitation) {
- if (projectId.longValue() == -1) {
- if (isNormalUser(caller.getId())) {
- permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
- } else {
- domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
- }
- } else {
- Project project = _projectMgr.getProject(projectId);
- if (project == null) {
- throw new InvalidParameterValueException("Unable to find project by id " + projectId);
- }
- if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
- throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
- }
- permittedAccounts.add(project.getProjectAccountId());
- }
- }
- } else {
- if (id == null) {
- domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
- }
- if (permittedAccounts.isEmpty() && domainId == null) {
- if (isNormalUser(caller.getId())) {
- permittedAccounts.add(caller.getId());
- } else if (!listAll) {
- if (id == null) {
- permittedAccounts.add(caller.getId());
- } else if (!isRootAdmin(caller.getId())) {
- domainIdRecursiveListProject.first(caller.getDomainId());
- domainIdRecursiveListProject.second(true);
- }
- } else if (domainId == null) {
- if (isDomainAdmin(caller.getId())) {
- domainIdRecursiveListProject.first(caller.getDomainId());
- domainIdRecursiveListProject.second(true);
- }
- }
- } else if (domainId != null) {
- if (isNormalUser(caller.getId())) {
- permittedAccounts.add(caller.getId());
- }
- }
- }
- }
@Override
public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long> permittedDomains, List<Long> permittedAccounts,
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a9072a66/server/test/com/cloud/user/MockAccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index 81ee1a4..4a7d4eb 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -364,11 +364,4 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
}
- @Override
- public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long> permittedAccounts,
- Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation) {
- // TODO Auto-generated method stub
-
- }
-
}
[02/10] git commit: updated refs/heads/master to 134a799
Posted by mc...@apache.org.
CLOUDSTACK-6533: IAM - Templates - Public templates do not have
permissions to be used by ROOT group.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/b42ad3cc
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/b42ad3cc
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/b42ad3cc
Branch: refs/heads/master
Commit: b42ad3ccaafa68810e8162d97ffa2a3187189ffa
Parents: 4f45c97
Author: Min Chen <mi...@citrix.com>
Authored: Tue Apr 29 11:48:45 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:27 2014 -0700
----------------------------------------------------------------------
.../plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java | 5 ++++-
.../org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b42ad3cc/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
index c73aa3f..bf8b2e4 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
@@ -257,7 +257,10 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
public void onPublishMessage(String senderAddress, String subject, Object obj) {
Long templateId = (Long)obj;
if (templateId != null) {
- s_logger.debug("MessageBus message: new public template registered: " + templateId + ", grant permission to domain admin and normal user policies");
+ s_logger.debug("MessageBus message: new public template registered: " + templateId
+ + ", grant permission to default root admin, domain admin and normal user policies");
+ _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
+ PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), templateId, "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b42ad3cc/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
index fe71912..3a3ba4d 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedAPIAccessChecker.java
@@ -132,6 +132,8 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
// add permissions for public templates
List<VMTemplateVO> pTmplts = _templateDao.listByPublic();
for (VMTemplateVO tmpl : pTmplts){
+ _iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
+ PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), VirtualMachineTemplate.class.getSimpleName(),
PermissionScope.RESOURCE.toString(), tmpl.getId(), "listTemplates", AccessType.UseEntry.toString(), Permission.Allow, false);
_iamSrv.addIAMPermissionToIAMPolicy(new Long(Account.ACCOUNT_TYPE_NORMAL + 1), VirtualMachineTemplate.class.getSimpleName(),
[09/10] git commit: updated refs/heads/master to 134a799
Posted by mc...@apache.org.
CLOUDSTACK-6502:Remove trailing whitespaces.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/1b78a1c8
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/1b78a1c8
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/1b78a1c8
Branch: refs/heads/master
Commit: 1b78a1c87de42aa3d96e58c30e36fa7b5663da9d
Parents: 2521fd4
Author: Min Chen <mi...@citrix.com>
Authored: Wed Apr 30 10:20:12 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:28 2014 -0700
----------------------------------------------------------------------
tools/marvin/marvin/lib/base.py | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/1b78a1c8/tools/marvin/marvin/lib/base.py
----------------------------------------------------------------------
diff --git a/tools/marvin/marvin/lib/base.py b/tools/marvin/marvin/lib/base.py
index 9606532..966e8dc 100755
--- a/tools/marvin/marvin/lib/base.py
+++ b/tools/marvin/marvin/lib/base.py
@@ -3937,15 +3937,15 @@ class IAMGroup:
def list(cls, apiclient, **kwargs):
cmd = listIAMGroups.listIAMGroupsCmd()
[setattr(cmd, k, v) for k, v in kwargs.items()]
- return apiclient.listIAMGroups(cmd)
-
+ return apiclient.listIAMGroups(cmd)
+
def addAccount(self, apiclient, accts):
"""Add accounts to iam group"""
cmd = addAccountToIAMGroup.addAccountToIAMGroupCmd()
cmd.id = self.id
cmd.accounts = [str(acct.id) for acct in accts]
apiclient.addAccountToIAMGroup(cmd)
- return
+ return
def removeAccount(self, apiclient, accts):
""" Remove accounts from iam group"""
@@ -3953,24 +3953,24 @@ class IAMGroup:
cmd.id = self.id
cmd.accounts = [str(acct.id) for acct in accts]
apiclient.removeAccountFromIAMGroup(cmd)
- return
-
+ return
+
def attachPolicy(self, apiclient, policies):
"""Add policies to iam group"""
cmd = attachIAMPolicyToIAMGroup.attachIAMPolicyToIAMGroupCmd()
cmd.id = self.id
cmd.policies = [str(policy.id) for policy in policies]
apiclient.attachIAMPolicyToIAMGroup(cmd)
- return
-
+ return
+
def detachPolicy(self, apiclient, policies):
"""Remove policies from iam group"""
cmd = removeIAMPolicyFromIAMGroup.removeIAMPolicyFromIAMGroupCmd()
cmd.id = self.id
cmd.policies = [str(policy.id) for policy in policies]
apiclient.removeIAMPolicyFromIAMGroup(cmd)
- return
-
+ return
+
class IAMPolicy:
def __init__(self, items):
self.__dict__.update(items)
@@ -3998,7 +3998,7 @@ class IAMPolicy:
def list(cls, apiclient, **kwargs):
cmd = listIAMPolicies.listIAMPoliciesCmd()
[setattr(cmd, k, v) for k, v in kwargs.items()]
- return apiclient.listIAMPolicies(cmd)
+ return apiclient.listIAMPolicies(cmd)
def addPermission(self, apiclient, permission):
"""Add permission to iam policy"""
@@ -4009,7 +4009,7 @@ class IAMPolicy:
cmd.scope = permission['scope']
cmd.scopeid = permission['scopeid']
apiclient.addIAMPermissionToIAMPolicy(cmd)
- return
+ return
def removePermission(self, apiclient, permission):
"""Remove permission from iam policy"""
@@ -4020,16 +4020,16 @@ class IAMPolicy:
cmd.scope = permission['scope']
cmd.scopeid = permission['scopeid']
apiclient.removeIAMPermissionFromIAMPolicy(cmd)
- return
-
+ return
+
def attachAccount(self, apiclient, accts):
"""Attach iam policy to accounts"""
cmd = attachIAMPolicyToAccount.attachIAMPolicyToAccountCmd()
cmd.id = self.id
cmd.accounts = [str(acct.id) for acct in accts]
apiclient.attachIAMPolicyToAccount(cmd)
- return
-
+ return
+
def detachAccount(self, apiclient, accts):
"""Detach iam policy from accounts"""
cmd = removeIAMPolicyFromAccount.removeIAMPolicyFromAccountCmd()
[03/10] git commit: updated refs/heads/master to 134a799
Posted by mc...@apache.org.
CLOUDSTACK-6556: [Automation] Deploy VM failing with error "does not
have permission to access resource Ntwk".
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/95e9db2f
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/95e9db2f
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/95e9db2f
Branch: refs/heads/master
Commit: 95e9db2f91451e7b88458baf5b599fc19e2c29b2
Parents: 09c9f8d
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 1 15:45:52 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:28 2014 -0700
----------------------------------------------------------------------
server/src/com/cloud/vm/UserVmManagerImpl.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/95e9db2f/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 642879f..de66b15 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2682,7 +2682,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// Perform account permission check on network
- _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
IpAddresses requestedIpPair = null;
if (requestedIps != null && !requestedIps.isEmpty()) {
requestedIpPair = requestedIps.get(network.getId());
[08/10] git commit: updated refs/heads/master to 134a799
Posted by mc...@apache.org.
CLOUDSTACK-6443: [Automation] Two Test Cases failed on "test_volumes.py"
- AttributeError: VirtualMachine instance has no attribute 'hostid'.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/09c9f8df
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/09c9f8df
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/09c9f8df
Branch: refs/heads/master
Commit: 09c9f8dfbd6a18fbb4672d7ff8bd651c110b0cb7
Parents: 1b78a1c
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 1 10:05:16 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:28 2014 -0700
----------------------------------------------------------------------
.../apache/cloudstack/api/command/admin/vm/DeployVMCmdByAdmin.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/09c9f8df/api/src/org/apache/cloudstack/api/command/admin/vm/DeployVMCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/DeployVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/DeployVMCmdByAdmin.java
index 99fec6b..77aa20f 100755
--- a/api/src/org/apache/cloudstack/api/command/admin/vm/DeployVMCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/vm/DeployVMCmdByAdmin.java
@@ -68,7 +68,7 @@ public class DeployVMCmdByAdmin extends DeployVMCmd {
}
if (result != null) {
- UserVmResponse response = _responseGenerator.createUserVmResponse(ResponseView.Restricted, "virtualmachine", result).get(0);
+ UserVmResponse response = _responseGenerator.createUserVmResponse(ResponseView.Full, "virtualmachine", result).get(0);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
[07/10] git commit: updated refs/heads/master to 134a799
Posted by mc...@apache.org.
CLOUDSTACK-6535: IAM:MS:API createVMSnapshot doesn't preserve access
rights.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/d7c5382c
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/d7c5382c
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/d7c5382c
Branch: refs/heads/master
Commit: d7c5382c58a87b68d356696349828ef44fdf80e2
Parents: 95e9db2
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 1 12:12:52 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:28 2014 -0700
----------------------------------------------------------------------
.../api/command/admin/vm/AddNicToVMCmdByAdmin.java | 3 ++-
.../command/admin/volume/CreateVolumeCmdByAdmin.java | 5 ++++-
.../api/command/user/volume/CreateVolumeCmd.java | 7 +++++--
.../src/com/cloud/api/dispatch/ParamProcessWorker.java | 12 ++++++++++++
4 files changed, 23 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d7c5382c/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
index ee6d0e7..3dd22c1 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
@@ -31,8 +31,9 @@ import org.apache.cloudstack.api.response.UserVmResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.uservm.UserVm;
+import com.cloud.vm.VirtualMachine;
-@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full,
+@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, entityType = {VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
public class AddNicToVMCmdByAdmin extends AddNicToVMCmd {
public static final Logger s_logger = Logger.getLogger(AddNicToVMCmdByAdmin.class);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d7c5382c/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java
index 5df7481..8ff3993 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java
@@ -28,8 +28,11 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.storage.Snapshot;
import com.cloud.storage.Volume;
+import com.cloud.vm.VirtualMachine;
-@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Full)
+@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Full, entityType = {
+ Volume.class, VirtualMachine.class},
+ requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class CreateVolumeCmdByAdmin extends CreateVolumeCmd {
public static final Logger s_logger = Logger.getLogger(CreateVolumeCmdByAdmin.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d7c5382c/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
index 0fa540c..90c1a16 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
@@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.volume;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@@ -42,8 +43,10 @@ import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.storage.Snapshot;
import com.cloud.storage.Volume;
+import com.cloud.vm.VirtualMachine;
-@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Restricted, entityType = {Volume.class},
+@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Restricted, entityType = {
+ Volume.class, VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
public static final Logger s_logger = Logger.getLogger(CreateVolumeCmd.class.getName());
@@ -103,7 +106,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
@Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin})
private Boolean displayVolume;
- @ACL
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
type = CommandType.UUID,
entityType = UserVmResponse.class,
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d7c5382c/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
index 2fd7721..d862660 100644
--- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -42,6 +42,7 @@ import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.BaseCmd.CommandType;
import org.apache.cloudstack.api.EntityReference;
@@ -227,6 +228,17 @@ public class ParamProcessWorker implements DispatchWorker {
owner = caller;
}
+ if (cmd instanceof BaseAsyncCreateCmd) {
+ if (owner.getId() != caller.getId()) {
+ // mimic impersonation either by passing (account, domainId) or through derived owner from other api parameters
+ // in this case, we should check access using the owner
+ _accountMgr.checkAccess(caller, null, owner);
+ }
+ } else {
+ // check access using the caller for other operational cmds
+ owner = caller;
+ }
+
APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
[04/10] git commit: updated refs/heads/master to 134a799
Posted by mc...@apache.org.
CLOUDSTACK-6513: templateFilter=shared should not show self-owned
template.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/db9aee45
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/db9aee45
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/db9aee45
Branch: refs/heads/master
Commit: db9aee45170ac0b5d637e09ffbd7422a533aa380
Parents: a9072a6
Author: Min Chen <mi...@citrix.com>
Authored: Tue Apr 29 19:02:57 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:28 2014 -0700
----------------------------------------------------------------------
server/src/com/cloud/api/query/QueryManagerImpl.java | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/db9aee45/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 9c31f47..8047ea6 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -3346,10 +3346,11 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sc.addAnd("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
}
} else if (templateFilter == TemplateFilter.sharedexecutable || templateFilter == TemplateFilter.shared) {
- SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
- scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
- scc.addOr("sharedAccountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
- sc.addAnd("accountId", SearchCriteria.Op.SC, scc);
+ sc.addAnd("sharedAccountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
+// SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+// scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
+// scc.addOr("sharedAccountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
+// sc.addAnd("accountId", SearchCriteria.Op.SC, scc);
} else if (templateFilter == TemplateFilter.executable) {
SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true);
[06/10] git commit: updated refs/heads/master to 134a799
Posted by mc...@apache.org.
CLOUDSTACK-6513: remove commented code.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/2521fd48
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/2521fd48
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/2521fd48
Branch: refs/heads/master
Commit: 2521fd482b74f8050c574a95bd3afa389e7650de
Parents: db9aee4
Author: Min Chen <mi...@citrix.com>
Authored: Wed Apr 30 10:03:06 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 1 15:57:28 2014 -0700
----------------------------------------------------------------------
server/src/com/cloud/api/query/QueryManagerImpl.java | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/2521fd48/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 8047ea6..8e020fc 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -3346,11 +3346,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sc.addAnd("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
}
} else if (templateFilter == TemplateFilter.sharedexecutable || templateFilter == TemplateFilter.shared) {
+ // only show templates shared by others
sc.addAnd("sharedAccountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
-// SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
-// scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
-// scc.addOr("sharedAccountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
-// sc.addAnd("accountId", SearchCriteria.Op.SC, scc);
} else if (templateFilter == TemplateFilter.executable) {
SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true);