Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/05/20 01:28:41 UTC
[6/7] Disable IAM feature from 4.4 release.
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index a2437b8..e675e83 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -478,9 +478,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
private Pair<List<EventJoinVO>, Integer> searchForEventsInternal(ListEventsCmd cmd) {
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Long id = cmd.getId();
String type = cmd.getType();
@@ -493,14 +491,16 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, cmd.listAll(), false, "listEvents");
- //Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
+ domainIdRecursiveListProject, cmd.listAll(), false);
+ Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(EventJoinVO.class, "createDate", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<EventJoinVO> sb = _eventJoinDao.createSearchBuilder();
+ _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("levelL", sb.entity().getLevel(), SearchCriteria.Op.LIKE);
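Review bot: The authorization scoping for listEvents is now split into two calls that have to stay paired, and nothing in the code says so: `buildACLViewSearchBuilder(sb, ...)` must run before `sb.create()`, and `buildACLViewSearchCriteria(sc, ...)` in the next hunk must run after it with the same `domainId`, `isRecursive`, `permittedAccounts` and `listProjectResourcesCriteria`. If a later edit drops or reorders one of them, the listing would presumably run with missing or unbound ACL conditions, which is an access-control regression rather than a visible failure. I would add a comment at the builder call such as `// ACL scoping, part 1 of 2: must be matched by buildACLViewSearchCriteria(sc, ...) after sb.create()`. The same pairing is introduced in the listTags, instance-group, security-group, router and project-invitation hunks below, so the comment applies there as well. searchForEventsInternal starts in the previous hunk and continues outside this one.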
@@ -516,9 +516,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("archived", sb.entity().getArchived(), SearchCriteria.Op.EQ);
SearchCriteria<EventJoinVO> sc = sb.create();
- SearchCriteria<EventJoinVO> aclSc = _eventJoinDao.createSearchCriteria();
- // building ACL search criteria
- _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ // building ACL condition
+ _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
// For end users display only enabled events
if (!_accountMgr.isRootAdmin(caller.getId())) {
@@ -597,9 +597,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
private Pair<List<ResourceTagJoinVO>, Integer> listTagsInternal(ListTagsCmd cmd) {
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
String key = cmd.getKey();
String value = cmd.getValue();
String resourceId = cmd.getResourceId();
@@ -610,14 +608,16 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject =
new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, listAll, false, "listTags");
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
+ domainIdRecursiveListProject, listAll, false);
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(ResourceTagJoinVO.class, "resourceType", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<ResourceTagJoinVO> sb = _resourceTagJoinDao.createSearchBuilder();
+ _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
sb.and("key", sb.entity().getKey(), SearchCriteria.Op.EQ);
sb.and("value", sb.entity().getValue(), SearchCriteria.Op.EQ);
@@ -633,9 +633,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// now set the SC criteria...
SearchCriteria<ResourceTagJoinVO> sc = sb.create();
- SearchCriteria<ResourceTagJoinVO> aclSc = _resourceTagJoinDao.createSearchCriteria();
- // building ACL search criteria
- _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
if (key != null) {
sc.setParameters("key", key);
@@ -677,29 +676,28 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
String keyword = cmd.getKeyword();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, cmd.listAll(), false, "listInstanceGroups");
- // Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
+ domainIdRecursiveListProject, cmd.listAll(), false);
+ Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(InstanceGroupJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<InstanceGroupJoinVO> sb = _vmGroupJoinDao.createSearchBuilder();
+ _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE);
SearchCriteria<InstanceGroupJoinVO> sc = sb.create();
- SearchCriteria<InstanceGroupJoinVO> aclSc = _vmGroupJoinDao.createSearchCriteria();
- // building ACL search criteria
- _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
if (keyword != null) {
@@ -996,9 +994,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
String securityGroup = cmd.getSecurityGroupName();
Long id = cmd.getId();
Object keyword = cmd.getKeyword();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Map<String, String> tags = cmd.getTags();
if (instanceId != null) {
@@ -1006,14 +1002,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (userVM == null) {
throw new InvalidParameterValueException("Unable to list network groups for virtual machine instance " + instanceId + "; instance not found.");
}
- _accountMgr.checkAccess(caller, null, userVM);
+ _accountMgr.checkAccess(caller, null, true, userVM);
return listSecurityGroupRulesByVM(instanceId.longValue(), cmd.getStartIndex(), cmd.getPageSizeVal());
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, cmd.listAll(), false, "listSecurityGroups");
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
+ domainIdRecursiveListProject, cmd.listAll(), false);
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
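Review bot: The new `_accountMgr.checkAccess(caller, null, true, userVM);` passes an unnamed boolean next to a null access type, so a reader cannot tell from the call site which authorization rule is being enforced before the VM's security group rules are returned. The parameter's meaning is not visible in this hunk; if it is the same-owner flag, annotate the arguments, e.g. `_accountMgr.checkAccess(caller, null /* accessType */, true /* sameOwner */, userVM);`, and say in a short comment why same-owner checking is wanted on this read path. The same call shape is added twice in searchForAccountsInternal and once in the vmInstance check further down, and those sites would benefit from the same annotation. The enclosing method starts and ends outside this hunk.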
@@ -1022,13 +1018,15 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
SearchBuilder<SecurityGroupJoinVO> sb = _securityGroupJoinDao.createSearchBuilder();
sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct
// ids
+ _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
+
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
SearchCriteria<SecurityGroupJoinVO> sc = sb.create();
- SearchCriteria<SecurityGroupJoinVO> aclSc = _securityGroupJoinDao.createSearchCriteria();
- // building ACL search criteria
- _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -1120,19 +1118,12 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Long podId, Long clusterId, Long hostId, String keyword, Long networkId, Long vpcId, Boolean forVpc, String role, String version) {
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- String action = "listRouters";
- if (cmd instanceof ListInternalLBVMsCmd) {
- action = "listInternalLoadBalancerVMs";
- }
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, cmd.listAll(), false, action);
-
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
+ domainIdRecursiveListProject, cmd.listAll(), false);
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
@@ -1145,6 +1136,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// number of
// records with
// pagination
+ _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
sb.and("name", sb.entity().getInstanceName(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -1171,9 +1164,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
SearchCriteria<DomainRouterJoinVO> sc = sb.create();
- SearchCriteria<DomainRouterJoinVO> aclSc = _routerJoinDao.createSearchCriteria();
- // building ACL search criteria
- _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<DomainRouterJoinVO> ssc = _routerJoinDao.createSearchCriteria();
@@ -1406,21 +1398,20 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
boolean listAll = cmd.listAll();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, listAll, true, "listProjectInvitations");
- //domainId = domainIdRecursiveListProject.first();
-
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts,
+ domainIdRecursiveListProject, listAll, true);
+ domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(ProjectInvitationJoinVO.class, "id", true, startIndex, pageSizeVal);
SearchBuilder<ProjectInvitationJoinVO> sb = _projectInvitationJoinDao.createSearchBuilder();
+ _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
sb.and("projectId", sb.entity().getProjectId(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), SearchCriteria.Op.EQ);
@@ -1428,9 +1419,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<ProjectInvitationJoinVO> sc = sb.create();
- SearchCriteria<ProjectInvitationJoinVO> aclSc = _projectInvitationJoinDao.createSearchCriteria();
- // building ACL search criteria
- _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
+ listProjectResourcesCriteria);
if (projectId != null) {
sc.setParameters("projectId", projectId);
@@ -1835,19 +1825,53 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
private Pair<List<AccountJoinVO>, Integer> searchForAccountsInternal(ListAccountsCmd cmd) {
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
- List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
-
- boolean listAll = cmd.listAll();
- Long id = cmd.getId();
+ Long domainId = cmd.getDomainId();
+ Long accountId = cmd.getId();
String accountName = cmd.getSearchName();
- Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
- cmd.getDomainId(), cmd.isRecursive(), null);
- // ListAccountsCmd is not BaseListAccountResourcesCmd, so no (domainId, accountName) combination
- _accountMgr.buildACLSearchParameters(caller, id, null, null, permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, listAll, false, "listAccounts");
- Boolean isRecursive = domainIdRecursiveListProject.second();
+ boolean isRecursive = cmd.isRecursive();
+ boolean listAll = cmd.listAll();
+ Boolean listForDomain = false;
+
+ if (accountId != null) {
+ Account account = _accountDao.findById(accountId);
+ if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+ throw new InvalidParameterValueException("Unable to find account by id " + accountId);
+ }
+
+ _accountMgr.checkAccess(caller, null, true, account);
+ }
+
+ if (domainId != null) {
+ Domain domain = _domainDao.findById(domainId);
+ if (domain == null) {
+ throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
+ }
+
+ _accountMgr.checkAccess(caller, domain);
+
+ if (accountName != null) {
+ Account account = _accountDao.findActiveAccount(accountName, domainId);
+ if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+ throw new InvalidParameterValueException("Unable to find account by name " + accountName
+ + " in domain " + domainId);
+ }
+ _accountMgr.checkAccess(caller, null, true, account);
+ }
+ }
+
+ if (accountId == null) {
+ if (_accountMgr.isAdmin(caller.getId()) && listAll && domainId == null) {
+ listForDomain = true;
+ isRecursive = true;
+ if (domainId == null) {
+ domainId = caller.getDomainId();
+ }
+ } else if (_accountMgr.isAdmin(caller.getId()) && domainId != null) {
+ listForDomain = true;
+ } else {
+ accountId = caller.getAccountId();
+ }
+ }
Filter searchFilter = new Filter(AccountJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
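Review bot: In the `listAll` branch the inner `if (domainId == null)` can never be false, because the enclosing condition already requires `domainId == null`; the assignment can be unconditional: `domainId = caller.getDomainId();`. `Boolean listForDomain = false;` is only ever used as a primitive flag and should be `boolean listForDomain = false;`, which also avoids unboxing in the later `if (listForDomain && isRecursive)`. Since this block now hand-codes which accounts a caller may list instead of delegating to the shared ACL helper, a short comment above `if (accountId == null)` naming the three cases (admin with listAll and no domain, admin with an explicit domain, everyone else limited to their own account) would make the authorization intent reviewable. searchForAccountsInternal continues outside this hunk.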
@@ -1858,6 +1882,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
SearchBuilder<AccountJoinVO> sb = _accountJoinDao.createSearchBuilder();
sb.and("accountName", sb.entity().getAccountName(), SearchCriteria.Op.EQ);
+ sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("type", sb.entity().getType(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), SearchCriteria.Op.EQ);
@@ -1865,32 +1890,12 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("typeNEQ", sb.entity().getType(), SearchCriteria.Op.NEQ);
sb.and("idNEQ", sb.entity().getId(), SearchCriteria.Op.NEQ);
- SearchCriteria<AccountJoinVO> sc = sb.create();
- SearchCriteria<AccountJoinVO> aclSc = _accountJoinDao.createSearchCriteria();
- // building ACL search criteria. Here we cannot use the common accountMgr.buildACLViewSearchCriteria because
- // 1) AccountJoinVO does not have accountId field, permittedAccounts correspond to list of resource ids.
- // 2) AccountJoinVO use type not accountType field to indicate its type
- if (!permittedDomains.isEmpty() || !permittedAccounts.isEmpty() || !permittedResources.isEmpty()) {
- if (!permittedDomains.isEmpty()) {
- if (isRecursive) {
- for (int i = 0; i < permittedDomains.size(); i++) {
- Domain domain = _domainDao.findById(permittedDomains.get(i));
- aclSc.addOr("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
- }
- } else {
- aclSc.addOr("domainId", SearchCriteria.Op.IN, permittedDomains.toArray());
- }
- }
- if (!permittedAccounts.isEmpty()) {
- aclSc.addOr("id", SearchCriteria.Op.IN, permittedAccounts.toArray());
- }
- if (!permittedResources.isEmpty()) {
- aclSc.addOr("id", SearchCriteria.Op.IN, permittedResources.toArray());
- }
-
- sc.addAnd("id", SearchCriteria.Op.SC, aclSc);
+ if (listForDomain && isRecursive) {
+ sb.and("path", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
}
+ SearchCriteria<AccountJoinVO> sc = sb.create();
+
sc.setParameters("idNEQ", Account.ACCOUNT_ID_SYSTEM);
if (keyword != null) {
@@ -1917,10 +1922,19 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
// don't return account of type project to the end user
- sc.setParameters("typeNEQ", Account.ACCOUNT_TYPE_PROJECT);
+ sc.setParameters("typeNEQ", 5);
- if (id != null) {
- sc.setParameters("id", id);
+ if (accountId != null) {
+ sc.setParameters("id", accountId);
+ }
+
+ if (listForDomain) {
+ if (isRecursive) {
+ Domain domain = _domainDao.findById(domainId);
+ sc.setParameters("path", domain.getPath() + "%");
+ } else {
+ sc.setParameters("domainId", domainId);
+ }
}
return _accountJoinDao.searchAndCount(sc, searchFilter);
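Review bot: `sc.setParameters("typeNEQ", 5);` replaces the named constant with a bare literal, so the filter that keeps project accounts out of the listing now depends on a number whose meaning only the comment above hints at. If `Account.ACCOUNT_TYPE_PROJECT` is still available on this branch, keep `sc.setParameters("typeNEQ", Account.ACCOUNT_TYPE_PROJECT);`; otherwise introduce a local named constant for it. Separately, in the recursive branch `_domainDao.findById(domainId)` is dereferenced without a null check. The earlier hunk validates the domain only when the id came from the command, not when it was defaulted from `caller.getDomainId()`, so a guard such as `if (domain == null) { throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist"); }` or a comment on why it cannot be null would help. The method starts outside this hunk.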
@@ -1939,20 +1953,17 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject,
- cmd.listAll(), false, "listAsyncJobs");
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), null, permittedAccounts,
+ domainIdRecursiveListProject, cmd.listAll(), false);
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(AsyncJobJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
- /*
SearchBuilder<AsyncJobJoinVO> sb = _jobJoinDao.createSearchBuilder();
sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
boolean accountJoinIsDone = false;
@@ -1976,7 +1987,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
}
-
+ Object keyword = cmd.getKeyword();
+ Object startDate = cmd.getStartDate();
SearchCriteria<AsyncJobJoinVO> sc = sb.create();
if (listProjectResourcesCriteria != null) {
@@ -1993,17 +2005,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sc.setParameters("domainId", domainId);
}
}
- */
-
- Object keyword = cmd.getKeyword();
- Object startDate = cmd.getStartDate();
-
- // populate the search criteria with the values passed in
- SearchCriteria<AsyncJobJoinVO> sc = _jobJoinDao.createSearchCriteria();
- SearchCriteria<AsyncJobJoinVO> aclSc = _jobJoinDao.createSearchCriteria();
-
- // building ACL search criteria
- _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
sc.addAnd("cmd", SearchCriteria.Op.LIKE, "%" + keyword + "%");
@@ -2466,7 +2467,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
throw ex;
}
- _accountMgr.checkAccess(caller, null, vmInstance);
+ _accountMgr.checkAccess(caller, null, true, vmInstance);
ServiceOfferingVO offering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
sc.addAnd("id", SearchCriteria.Op.NEQ, offering.getId());
@@ -2806,366 +2807,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
return response;
}
- // Temporarily disable this method which used IAM model to do template list
- private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternalIAM(ListTemplatesCmd cmd) {
- TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter());
- Long id = cmd.getId();
- Map<String, String> tags = cmd.getTags();
- boolean showRemovedTmpl = cmd.getShowRemoved();
- Account caller = CallContext.current().getCallingAccount();
-
- // TODO: listAll flag has some conflicts with TemplateFilter parameter
- boolean listAll = false;
- if (templateFilter != null && templateFilter == TemplateFilter.all) {
- if (_accountMgr.isNormalUser(caller.getId())) {
- throw new InvalidParameterValueException("Filter " + TemplateFilter.all
- + " can be specified by admin only");
- }
- listAll = true;
- }
-
- List<Long> permittedDomains = new ArrayList<Long>();
- List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
-
- Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
- cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, listAll, false, "listTemplates");
-
- Boolean isRecursive = domainIdRecursiveListProject.second();
- ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
-
- boolean showDomr = ((templateFilter != TemplateFilter.selfexecutable) && (templateFilter != TemplateFilter.featured));
- HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
-
- return searchForTemplatesInternalIAM(id, cmd.getTemplateName(), cmd.getKeyword(), templateFilter, false, null,
- cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType, showDomr,
- cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources, isRecursive, caller, listProjectResourcesCriteria, tags, showRemovedTmpl);
- }
-
- // Temporarily disable this method which used IAM model to do template list
- private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternalIAM(Long templateId, String name,
- String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable, Long pageSize,
- Long startIndex, Long zoneId, HypervisorType hyperType, boolean showDomr, boolean onlyReady,
- List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources, boolean isRecursive, Account caller,
- ListProjectResourcesCriteria listProjectResourcesCriteria,
- Map<String, String> tags, boolean showRemovedTmpl) {
-
- // check if zone is configured, if not, just return empty list
- List<HypervisorType> hypers = null;
- if (!isIso) {
- hypers = _resourceMgr.listAvailHypervisorInZone(null, null);
- if (hypers == null || hypers.isEmpty()) {
- return new Pair<List<TemplateJoinVO>, Integer>(new ArrayList<TemplateJoinVO>(), 0);
- }
- }
-
- VMTemplateVO template = null;
-
- Boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm"));
- isAscending = (isAscending == null ? true : isAscending);
- Filter searchFilter = new Filter(TemplateJoinVO.class, "sortKey", isAscending, startIndex, pageSize);
-
- SearchBuilder<TemplateJoinVO> sb = _templateJoinDao.createSearchBuilder();
- sb.select(null, Func.DISTINCT, sb.entity().getTempZonePair()); // select distinct (templateId, zoneId) pair
- SearchCriteria<TemplateJoinVO> sc = sb.create();
-
- // verify templateId parameter and specially handle it
- if (templateId != null) {
- template = _templateDao.findByIdIncludingRemoved(templateId); // Done for backward compatibility - Bug-5221
- if (template == null) {
- throw new InvalidParameterValueException("Please specify a valid template ID.");
- }// If ISO requested then it should be ISO.
- if (isIso && template.getFormat() != ImageFormat.ISO) {
- s_logger.error("Template Id " + templateId + " is not an ISO");
- InvalidParameterValueException ex = new InvalidParameterValueException("Specified Template Id is not an ISO");
- ex.addProxyObject(template.getUuid(), "templateId");
- throw ex;
- }// If ISO not requested then it shouldn't be an ISO.
- if (!isIso && template.getFormat() == ImageFormat.ISO) {
- s_logger.error("Incorrect format of the template id " + templateId);
- InvalidParameterValueException ex = new InvalidParameterValueException("Incorrect format " + template.getFormat() + " of the specified template id");
- ex.addProxyObject(template.getUuid(), "templateId");
- throw ex;
- }
-
- // if template is not public, perform permission check here
- if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) {
- Account owner = _accountMgr.getAccount(template.getAccountId());
- _accountMgr.checkAccess(caller, null, owner);
- }
-
- // if templateId is specified, then we will just use the id to
- // search and ignore other query parameters
- sc.addAnd("id", SearchCriteria.Op.EQ, templateId);
- } else {
- if (!isIso) {
- // add hypervisor criteria for template case
- if (hypers != null && !hypers.isEmpty()) {
- String[] relatedHypers = new String[hypers.size()];
- for (int i = 0; i < hypers.size(); i++) {
- relatedHypers[i] = hypers.get(i).toString();
- }
- sc.addAnd("hypervisorType", SearchCriteria.Op.IN, relatedHypers);
- }
- }
-
- // control different template filters
- DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
- if (templateFilter == TemplateFilter.featured || templateFilter == TemplateFilter.community) {
- sc.addAnd("publicTemplate", SearchCriteria.Op.EQ, true);
- if (templateFilter == TemplateFilter.featured) {
- sc.addAnd("featured", SearchCriteria.Op.EQ, true);
- } else {
- sc.addAnd("featured", SearchCriteria.Op.EQ, false);
- }
-
- /* We don't need this any more to check domain id, based on CLOUDSTACK-5987
- // for public templates, we should get all public templates from all domains in the system
- // get all parent domain ID's all the way till root domain
- List<Long> domainTree = new ArrayList<Long>();
- DomainVO domainTreeNode = _domainDao.findById(Domain.ROOT_DOMAIN); // fix for CLOUDSTACK-5987
- domainTree.add(domainTreeNode.getId());
-
- // get all child domain ID's under root
- List<DomainVO> allChildDomains = _domainDao.findAllChildren(domainTreeNode.getPath(), domainTreeNode.getId());
- for (DomainVO childDomain : allChildDomains) {
- domainTree.add(childDomain.getId());
- }
-
- SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
- scc.addOr("domainId", SearchCriteria.Op.IN, domainTree.toArray());
- scc.addOr("domainId", SearchCriteria.Op.NULL);
- sc.addAnd("domainId", SearchCriteria.Op.SC, scc);
- */
- } else if (templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable) {
- if (permittedDomains.contains(caller.getDomainId())) {
- // this caller acts like a domain admin
-
- sc.addAnd("domainPath", SearchCriteria.Op.LIKE, callerDomain.getPath() + "%");
- } else {
- // only display templates owned by caller for resource owner only
- sc.addAnd("accountId", SearchCriteria.Op.EQ, caller.getAccountId());
- }
- } else if (templateFilter == TemplateFilter.sharedexecutable || templateFilter == TemplateFilter.shared) {
- // exclude the caller, only include those granted and not owned by self
- permittedDomains.remove(caller.getDomainId());
- permittedAccounts.remove(caller.getAccountId());
- for (Long tid : permittedResources) {
- // remove it if it is owned by the caller
- VMTemplateVO tmpl = _templateDao.findById(tid);
- if (tmpl != null && tmpl.getAccountId() == caller.getAccountId()) {
- permittedResources.remove(tid);
- }
- }
- // building ACL search criteria
- SearchCriteria<TemplateJoinVO> aclSc = _templateJoinDao.createSearchCriteria();
- _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
- } else if (templateFilter == TemplateFilter.executable) {
- // public template + self template
- SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
- scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true);
- // plus self owned templates or domain tree templates for domain admin
- if (permittedDomains.contains(caller.getDomainId())) {
- // this caller acts like a domain admin
- sc.addOr("domainPath", SearchCriteria.Op.LIKE, callerDomain.getPath() + "%");
- } else {
- // only display templates owned by caller for resource owner only
- sc.addOr("accountId", SearchCriteria.Op.EQ, caller.getAccountId());
- }
- sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc);
- }
-
- // add tags criteria
- if (tags != null && !tags.isEmpty()) {
- SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
- for (String key : tags.keySet()) {
- SearchCriteria<TemplateJoinVO> scTag = _templateJoinDao.createSearchCriteria();
- scTag.addAnd("tagKey", SearchCriteria.Op.EQ, key);
- scTag.addAnd("tagValue", SearchCriteria.Op.EQ, tags.get(key));
- if (isIso) {
- scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.ISO);
- } else {
- scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.Template);
- }
- scc.addOr("tagKey", SearchCriteria.Op.SC, scTag);
- }
- sc.addAnd("tagKey", SearchCriteria.Op.SC, scc);
- }
-
- // other criteria
-
- if (keyword != null) {
- sc.addAnd("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
- } else if (name != null) {
- sc.addAnd("name", SearchCriteria.Op.EQ, name);
- }
-
- if (isIso) {
- sc.addAnd("format", SearchCriteria.Op.EQ, "ISO");
-
- } else {
- sc.addAnd("format", SearchCriteria.Op.NEQ, "ISO");
- }
-
- if (!hyperType.equals(HypervisorType.None)) {
- sc.addAnd("hypervisorType", SearchCriteria.Op.EQ, hyperType);
- }
-
- if (bootable != null) {
- sc.addAnd("bootable", SearchCriteria.Op.EQ, bootable);
- }
-
- if (onlyReady) {
- SearchCriteria<TemplateJoinVO> readySc = _templateJoinDao.createSearchCriteria();
- readySc.addOr("state", SearchCriteria.Op.EQ, TemplateState.Ready);
- readySc.addOr("format", SearchCriteria.Op.EQ, ImageFormat.BAREMETAL);
- SearchCriteria<TemplateJoinVO> isoPerhostSc = _templateJoinDao.createSearchCriteria();
- isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO);
- isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST);
- readySc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc);
- sc.addAnd("state", SearchCriteria.Op.SC, readySc);
- }
-
- if (!showDomr) {
- // excluding system template
- sc.addAnd("templateType", SearchCriteria.Op.NEQ, Storage.TemplateType.SYSTEM);
- }
- }
-
- if (zoneId != null) {
- SearchCriteria<TemplateJoinVO> zoneSc = _templateJoinDao.createSearchCriteria();
- zoneSc.addOr("dataCenterId", SearchCriteria.Op.EQ, zoneId);
- zoneSc.addOr("dataStoreScope", SearchCriteria.Op.EQ, ScopeType.REGION);
- // handle the case where xs-tools.iso and vmware-tools.iso do not
- // have data_center information in template_view
- SearchCriteria<TemplateJoinVO> isoPerhostSc = _templateJoinDao.createSearchCriteria();
- isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO);
- isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST);
- zoneSc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc);
- sc.addAnd("dataCenterId", SearchCriteria.Op.SC, zoneSc);
- }
-
- // don't return removed template, this should not be needed since we
- // changed annotation for removed field in TemplateJoinVO.
- // sc.addAnd("removed", SearchCriteria.Op.NULL);
-
- // search unique templates and find details by Ids
- Pair<List<TemplateJoinVO>, Integer> uniqueTmplPair = null;
- if(showRemovedTmpl){
- uniqueTmplPair = _templateJoinDao.searchIncludingRemovedAndCount(sc, searchFilter);
- } else {
- sc.addAnd("templateState", SearchCriteria.Op.EQ, State.Active);
- uniqueTmplPair = _templateJoinDao.searchAndCount(sc, searchFilter);
- }
-
- Integer count = uniqueTmplPair.second();
- if (count.intValue() == 0) {
- // empty result
- return uniqueTmplPair;
- }
- List<TemplateJoinVO> uniqueTmpls = uniqueTmplPair.first();
- String[] tzIds = new String[uniqueTmpls.size()];
- int i = 0;
- for (TemplateJoinVO v : uniqueTmpls) {
- tzIds[i++] = v.getTempZonePair();
- }
- List<TemplateJoinVO> vrs = _templateJoinDao.searchByTemplateZonePair(showRemovedTmpl, tzIds);
- return new Pair<List<TemplateJoinVO>, Integer>(vrs, count);
-
- // TODO: revisit the special logic for iso search in
- // VMTemplateDaoImpl.searchForTemplates and understand why we need to
- // specially handle ISO. The original logic is very twisted and no idea
- // about what the code was doing.
-
- }
-
- // This method should only be used for keeping old listTemplates and listAffinityGroups behavior, PLEASE DON'T USE IT FOR USE LIST APIs
- private void buildTemplateAffinityGroupSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long>
- permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
- boolean listAll, boolean forProjectInvitation) {
- Long domainId = domainIdRecursiveListProject.first();
- if (domainId != null) {
- Domain domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
- }
- // check permissions
- _accountMgr.checkAccess(caller, domain);
- }
-
- if (accountName != null) {
- if (projectId != null) {
- throw new InvalidParameterValueException("Account and projectId can't be specified together");
- }
-
- Account userAccount = null;
- Domain domain = null;
- if (domainId != null) {
- userAccount = _accountDao.findActiveAccount(accountName, domainId);
- domain = _domainDao.findById(domainId);
- } else {
- userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
- domain = _domainDao.findById(caller.getDomainId());
- }
-
- if (userAccount != null) {
- _accountMgr.checkAccess(caller, null, userAccount);
- // check permissions
- permittedAccounts.add(userAccount.getId());
- } else {
- throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
- }
- }
-
- // set project information
- if (projectId != null) {
- if (!forProjectInvitation) {
- if (projectId.longValue() == -1) {
- if (_accountMgr.isNormalUser(caller.getId())) {
- permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
- } else {
- domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
- }
- } else {
- Project project = _projectMgr.getProject(projectId);
- if (project == null) {
- throw new InvalidParameterValueException("Unable to find project by id " + projectId);
- }
- if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
- throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
- }
- permittedAccounts.add(project.getProjectAccountId());
- }
- }
- } else {
- if (id == null) {
- domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
- }
- if (permittedAccounts.isEmpty() && domainId == null) {
- if (_accountMgr.isNormalUser(caller.getId())) {
- permittedAccounts.add(caller.getId());
- } else if (!listAll) {
- if (id == null) {
- permittedAccounts.add(caller.getId());
- } else if (!_accountMgr.isRootAdmin(caller.getId())) {
- domainIdRecursiveListProject.first(caller.getDomainId());
- domainIdRecursiveListProject.second(true);
- }
- } else if (domainId == null) {
- if (_accountMgr.isDomainAdmin(caller.getId())) {
- domainIdRecursiveListProject.first(caller.getDomainId());
- domainIdRecursiveListProject.second(true);
- }
- }
- } else if (domainId != null) {
- if (_accountMgr.isNormalUser(caller.getId())) {
- permittedAccounts.add(caller.getId());
- }
- }
- }
- }
private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(ListTemplatesCmd cmd) {
TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter());
@@ -3186,7 +2827,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> permittedAccountIds = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
domainIdRecursiveListProject, listAll, false);
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
List<Account> permittedAccounts = new ArrayList<Account>();
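Review bot: Nothing at this call site records that `_accountMgr.buildACLSearchParameters` produces the same permitted-account set as the private helper it replaces, and that helper was explicitly marked as existing only to keep the old listTemplates and listAffinityGroups behaviour. The removed rules (a normal user is limited to `caller.getId()`, a domain admin with listAll gets a recursive search of the caller's domain, project id -1 is special-cased) decide whose templates a caller can list, so any divergence in the shared builder would change visibility silently; its body is not visible here, so this is a question rather than a finding. I would add a comment above the call such as `// ACL scoping must match the pre-IAM listTemplates rules (normal user -> own account only)` and back it with a test for a normal user passing a foreign domainId. The same substitution appears in the ISO hunk at -3496 and the affinity-group hunk at -3576, and the enclosing method continues outside this hunk.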
@@ -3251,7 +2892,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// if template is not public, perform permission check here
if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
Account owner = _accountMgr.getAccount(template.getAccountId());
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, true, owner);
}
// if templateId is specified, then we will just use the id to
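Review bot: The new third argument to `checkAccess` is a bare boolean whose meaning cannot be read at the call site: it is `true` here, while other calls in this commit pass `false` (for example with `ipOwner` and with `AccessType.UseEntry` in IpAddressManagerImpl and NetworkServiceImpl). The flag presumably selects how strictly ownership is compared, so a wrong value would be an authorization change that is easy to miss in review. I would add a short comment at each call, e.g. `// true: caller must belong to the same account as the owner` (wording to be confirmed against the AccountManager Javadoc), or pass named constants instead of literals. The `if` block around this line continues outside the hunk.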
@@ -3263,7 +2904,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (!permittedAccounts.isEmpty()) {
domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());
} else {
- domain = _domainDao.findById(DomainVO.ROOT_DOMAIN);
+ domain = _domainDao.findById(Domain.ROOT_DOMAIN);
}
// List<HypervisorType> hypers = null;
@@ -3496,7 +3137,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> permittedAccountIds = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
domainIdRecursiveListProject, listAll, false);
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
List<Account> permittedAccounts = new ArrayList<Account>();
@@ -3511,43 +3152,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
cmd.listInReadyState(), permittedAccounts, caller, listProjectResourcesCriteria, tags, showRemovedISO);
}
- private Pair<List<TemplateJoinVO>, Integer> searchForIsosInternalIAM(ListIsosCmd cmd) {
- TemplateFilter isoFilter = TemplateFilter.valueOf(cmd.getIsoFilter());
- Long id = cmd.getId();
- Map<String, String> tags = cmd.getTags();
- boolean showRemovedISO = cmd.getShowRemoved();
- Account caller = CallContext.current().getCallingAccount();
-
- boolean listAll = false;
- if (isoFilter != null && isoFilter == TemplateFilter.all) {
- if (_accountMgr.isNormalUser(caller.getId())) {
- throw new InvalidParameterValueException("Filter " + TemplateFilter.all
- + " can be specified by admin only");
- }
- listAll = true;
- }
-
- List<Long> permittedDomains = new ArrayList<Long>();
- List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
-
- Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
- cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, cmd.listAll(), false, "listIsos");
- Boolean isRecursive = domainIdRecursiveListProject.second();
- ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
-// List<Account> permittedAccounts = new ArrayList<Account>();
-// for (Long accountId : permittedAccountIds) {
-// permittedAccounts.add(_accountMgr.getAccount(accountId));
-// }
-
- HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
-
- return searchForTemplatesInternalIAM(cmd.getId(), cmd.getIsoName(), cmd.getKeyword(), isoFilter, true,
- cmd.isBootable(), cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType, true,
- cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources, isRecursive, caller, listProjectResourcesCriteria, tags, showRemovedISO);
- }
@Override
public ListResponse<AffinityGroupResponse> listAffinityGroups(Long affinityGroupId, String affinityGroupName,
@@ -3576,14 +3180,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance "
+ vmId + "; instance not found.");
}
- _accountMgr.checkAccess(caller, null, userVM);
+ _accountMgr.checkAccess(caller, null, true, userVM);
return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
}
List<Long> permittedAccounts = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
domainId, isRecursive, null);
- buildTemplateAffinityGroupSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts,
+ _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts,
domainIdRecursiveListProject, listAll, true);
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
@@ -3717,121 +3321,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
return sc;
}
- public Pair<List<AffinityGroupJoinVO>, Integer> listAffinityGroupsInternalIAM(Long affinityGroupId,
- String affinityGroupName, String affinityGroupType, Long vmId, String accountName, Long domainId,
- boolean isRecursive, boolean listAll, Long startIndex, Long pageSize, String keyword) {
-
- Account caller = CallContext.current().getCallingAccount();
-
- caller.getAccountId();
-
- if (vmId != null) {
- UserVmVO userVM = _userVmDao.findById(vmId);
- if (userVM == null) {
- throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
- }
- _accountMgr.checkAccess(caller, null, userVM);
- return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
- }
-
- List<Long> permittedDomains = new ArrayList<Long>();
- List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
- Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
- domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, listAll, true, "listAffinityGroups");
- //domainId = domainIdRecursiveListProject.first();
- isRecursive = domainIdRecursiveListProject.second();
- ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
-
- Filter searchFilter = new Filter(AffinityGroupJoinVO.class, "id", true, startIndex, pageSize);
- SearchCriteria<AffinityGroupJoinVO> sc = buildAffinityGroupSearchCriteriaIAM(isRecursive,
- permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword);
-
- Pair<List<AffinityGroupJoinVO>, Integer> uniqueGroupsPair = _affinityGroupJoinDao.searchAndCount(sc, searchFilter);
- // search group details by ids
- List<AffinityGroupJoinVO> vrs = new ArrayList<AffinityGroupJoinVO>();
- Integer count = uniqueGroupsPair.second();
- if (count.intValue() != 0) {
- List<AffinityGroupJoinVO> uniqueGroups = uniqueGroupsPair.first();
- Long[] vrIds = new Long[uniqueGroups.size()];
- int i = 0;
- for (AffinityGroupJoinVO v : uniqueGroups) {
- vrIds[i++] = v.getId();
- }
- vrs = _affinityGroupJoinDao.searchByIds(vrIds);
- }
-
- /* TODO: confirm with Prachi if we still need this complicated logic with new ACL model
- if (!permittedAccounts.isEmpty()) {
- // add domain level affinity groups
- if (domainId != null) {
- SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(null, isRecursive,
- new ArrayList<Long>(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName,
- affinityGroupType, keyword);
- vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId));
- } else {
-
- for (Long permAcctId : permittedAccounts) {
- Account permittedAcct = _accountDao.findById(permAcctId);
- SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(
- null, isRecursive, new ArrayList<Long>(),
- listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword);
-
- vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, permittedAcct.getDomainId()));
- }
- }
- } else if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
- // list all domain level affinity groups for the domain admin case
- SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(null, isRecursive,
- new ArrayList<Long>(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName,
- affinityGroupType, keyword);
- vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId));
- }
- */
-
- return new Pair<List<AffinityGroupJoinVO>, Integer>(vrs, vrs.size());
-
- }
-
- private SearchCriteria<AffinityGroupJoinVO> buildAffinityGroupSearchCriteriaIAM(boolean isRecursive,
- List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria,
- Long affinityGroupId, String affinityGroupName, String affinityGroupType, String keyword) {
-
- SearchBuilder<AffinityGroupJoinVO> groupSearch = _affinityGroupJoinDao.createSearchBuilder();
- groupSearch.select(null, Func.DISTINCT, groupSearch.entity().getId()); // select
- // distinct
-
- SearchCriteria<AffinityGroupJoinVO> sc = groupSearch.create();
- SearchCriteria<AffinityGroupJoinVO> aclSc = _affinityGroupJoinDao.createSearchCriteria();
- // building ACL search criteria
- _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
-
- if (affinityGroupId != null) {
- sc.addAnd("id", SearchCriteria.Op.EQ, affinityGroupId);
- }
-
- if (affinityGroupName != null) {
- sc.addAnd("name", SearchCriteria.Op.EQ, affinityGroupName);
- }
-
- if (affinityGroupType != null) {
- sc.addAnd("type", SearchCriteria.Op.EQ, affinityGroupType);
- }
-
- if (keyword != null) {
- SearchCriteria<AffinityGroupJoinVO> ssc = _affinityGroupJoinDao.createSearchCriteria();
- ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
- ssc.addOr("type", SearchCriteria.Op.LIKE, "%" + keyword + "%");
-
- sc.addAnd("name", SearchCriteria.Op.SC, ssc);
- }
-
- return sc;
-
- }
-
private Pair<List<AffinityGroupJoinVO>, Integer> listAffinityGroupsByVM(long vmId, long pageInd, long pageSize) {
Filter sf = new Filter(SecurityGroupVMMapVO.class, null, true, pageInd, pageSize);
Pair<List<AffinityGroupVMMapVO>, Integer> agVmMappingPair = _affinityGroupVMMapDao.listByInstanceId(vmId, sf);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index 231b5e1..3f79a76 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -39,7 +39,6 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupService;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@@ -4328,7 +4327,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
throw new InvalidParameterValueException("Can't update system networks");
}
- _accountMgr.checkAccess(caller, AccessType.ListEntry, network);
+ _accountMgr.checkAccess(caller, null, true, network);
List<Long> offeringIds = _networkModel.listNetworkOfferingsForUpgrade(networkId);
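Review bot: This call replaces the explicit `AccessType.ListEntry` with a `null` access type, which changes what the access checkers are asked rather than just adapting to a new signature. The hunk does not show whether `null` is treated as a stricter, equal or weaker check than `ListEntry` for a network, and the check guards the lookup of upgrade offerings for a caller-supplied `networkId`. I would state the intent next to the call, e.g. `// null access type: default owner/domain check (was ListEntry under IAM)`, once that is confirmed against the checker implementation. The enclosing method starts and ends outside the hunk.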
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/IpAddressManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/IpAddressManagerImpl.java b/server/src/com/cloud/network/IpAddressManagerImpl.java
index 746221f..9b1f9bd 100644
--- a/server/src/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/com/cloud/network/IpAddressManagerImpl.java
@@ -29,8 +29,6 @@ import java.util.UUID;
import javax.inject.Inject;
-import org.apache.log4j.Logger;
-
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.context.CallContext;
@@ -42,6 +40,7 @@ import org.apache.cloudstack.region.PortableIp;
import org.apache.cloudstack.region.PortableIpDao;
import org.apache.cloudstack.region.PortableIpVO;
import org.apache.cloudstack.region.Region;
+import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.alert.AlertManager;
@@ -410,7 +409,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
Account caller = CallContext.current().getCallingAccount();
long callerUserId = CallContext.current().getCallingUserId();
// check permissions
- _accountMgr.checkAccess(caller, null, ipOwner);
+ _accountMgr.checkAccess(caller, null, false, ipOwner);
DataCenter zone = _entityMgr.findById(DataCenter.class, zoneId);
@@ -1165,14 +1164,15 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
if (zone.getNetworkType() == NetworkType.Advanced) {
if (network.getGuestType() == Network.GuestType.Shared) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
+ network);
} else {
throw new InvalidParameterValueException("IP can be associated with guest network of 'shared' type only if "
+ "network services Source Nat, Static Nat, Port Forwarding, Load balancing, firewall are enabled in the network");
}
}
} else {
- _accountMgr.checkAccess(caller, null, ipToAssoc);
+ _accountMgr.checkAccess(caller, null, true, ipToAssoc);
}
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
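Review bot: The two new `checkAccess` calls in this hunk name the authorization subject differently: the shared-network branch re-reads `CallContext.current().getCallingAccount()`, while the `else` branch uses the local `caller`. If `caller` is that same account (its declaration is outside the hunk), using it in both places makes it obvious that one subject is being checked and removes the wrapped line: `_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);`. The hunk at -1319 contains the same pair of calls.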
@@ -1187,7 +1187,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
Network network = _networksDao.findById(networkId);
if (network != null) {
- _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network);
} else {
s_logger.debug("Unable to find ip address by id: " + ipId);
return null;
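Review bot: The debug message in the `else` branch reports a missing IP address, but that branch is taken when `_networksDao.findById(networkId)` returned null. Anyone tracing a failed association from the logs would look for the wrong object; I would change it to `s_logger.debug("Unable to find network by id: " + networkId);`. The method also returns `null` here without an exception, so the log line is the only trace of the failure that this hunk shows.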
@@ -1319,10 +1319,11 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
if (zone.getNetworkType() == NetworkType.Advanced) {
if (network.getGuestType() == Network.GuestType.Shared) {
assert (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId()));
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
+ network);
}
} else {
- _accountMgr.checkAccess(caller, null, ipToAssoc);
+ _accountMgr.checkAccess(caller, null, true, ipToAssoc);
}
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
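Review bot: The shared-network precondition in this branch is enforced only by `assert (isSharedNetworkOfferingWithServices(...))`, which is a no-op unless the JVM runs with assertions enabled, so in a normal deployment the new `checkAccess` call is reached for any shared network. The matching branch in the -1165 hunk rejects the request with `InvalidParameterValueException` when the offering has no services. I would do the same here, `if (!isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) { throw new InvalidParameterValueException(...); }`, reusing that message. The assert is an unchanged context line and the method body continues outside the hunk.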
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/NetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index f84eccd..7b4b2be 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -34,9 +34,7 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
@@ -99,7 +97,6 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
import com.cloud.projects.dao.ProjectAccountDao;
import com.cloud.server.ConfigurationServer;
import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.DomainManager;
import com.cloud.user.dao.AccountDao;
@@ -176,8 +173,7 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
FirewallRulesDao _firewallDao;
@Inject
DomainManager _domainMgr;
- @Inject
- AccountManager _accountMgr;
+
@Inject
NetworkOfferingServiceMapDao _ntwkOfferingSrvcDao;
@Inject
@@ -220,16 +216,6 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
static HashMap<Service, List<Provider>> s_serviceToImplementedProvidersMap = new HashMap<Service, List<Provider>>();
static HashMap<String, String> s_providerToNetworkElementMap = new HashMap<String, String>();
- List<SecurityChecker> _securityCheckers;
-
- public List<SecurityChecker> getSecurityCheckers() {
- return _securityCheckers;
- }
-
- public void setSecurityCheckers(List<SecurityChecker> securityCheckers) {
- _securityCheckers = securityCheckers;
- }
-
/**
*
*/
@@ -1581,35 +1567,6 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
}
@Override
- public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
- if (network == null) {
- throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
- }
-
- AccountVO networkOwner = _accountDao.findById(network.getAccountId());
- if (networkOwner == null) {
- throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
- + ", network does not have an owner");
- }
- if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
- if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId())) {
- throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
- + ", permission denied");
- }
- } else {
- // Go through IAM (SecurityCheckers)
- for (SecurityChecker checker : _securityCheckers) {
- if (checker.checkAccess(owner, accessType, null, network)) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Access to " + network + " granted to " + owner + " by " + checker.getName());
- }
- break;
- }
- }
- }
- }
-
- @Override
public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType) {
try {
PhysicalNetwork publicPhyNetwork = getOnePhysicalNetworkByZoneAndTrafficType(dcId, TrafficType.Public);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/NetworkServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index ec9fa12..95d3dec 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -542,7 +542,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
if (zone.getNetworkType() == NetworkType.Advanced) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
- _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
+ _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
}
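Review bot: The comment above this check still says the caller is checked for `'AccessType.UseNetwork'`, while the call passes `AccessType.UseEntry`. Since the line is being touched anyway, I would bring the comment in line with the code: `// shared network in an advanced zone: caller needs AccessType.UseEntry on the network`. The hunk at -585 carries the same stale comment.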
@@ -554,7 +554,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
}
} else {
- _accountMgr.checkAccess(caller, null, ipOwner);
+ _accountMgr.checkAccess(caller, null, false, ipOwner);
}
return _ipAddrMgr.allocateIp(ipOwner, false, caller, callerUserId, zone, displayIp);
@@ -585,7 +585,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
if (zone.getNetworkType() == NetworkType.Advanced) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
- _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
+ _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
}
@@ -605,7 +605,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
}
- _accountMgr.checkAccess(caller, null, ipOwner);
+ _accountMgr.checkAccess(caller, null, false, ipOwner);
return _ipAddrMgr.allocatePortableIp(ipOwner, caller, zoneId, null, null);
}
@@ -671,7 +671,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
final Account ipOwner = _accountMgr.getAccount(vm.getAccountId());
// verify permissions
- _accountMgr.checkAccess(caller, null, vm);
+ _accountMgr.checkAccess(caller, null, true, vm);
Network network = _networksDao.findById(networkId);
if (network == null) {
@@ -767,7 +767,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("There is no vm with the given secondary ip");
}
// verify permissions
- _accountMgr.checkAccess(caller, null, vm);
+ _accountMgr.checkAccess(caller, null, true, vm);
Network network = _networksDao.findById(secIpVO.getNetworkId());
@@ -891,7 +891,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// verify permissions
if (ipVO.getAllocatedToAccountId() != null) {
- _accountMgr.checkAccess(caller, null, ipVO);
+ _accountMgr.checkAccess(caller, null, true, ipVO);
}
if (ipVO.isSourceNat()) {
@@ -1432,7 +1432,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("Unable to find account " + accountName + " in specified domain");
}
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, true, owner);
permittedAccounts.add(owner.getId());
}
}
@@ -1816,7 +1816,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
Account owner = _accountMgr.getAccount(network.getAccountId());
// Perform permission check
- _accountMgr.checkAccess(caller, null, network);
+ _accountMgr.checkAccess(caller, null, true, network);
if (forced && !_accountMgr.isRootAdmin(caller.getId())) {
throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins");
@@ -1860,7 +1860,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterException("Unable to restart a running SDN network.");
}
- _accountMgr.checkAccess(callerAccount, null, network);
+ _accountMgr.checkAccess(callerAccount, null, true, network);
boolean success = _networkMgr.restartNetwork(networkId, callerAccount, callerUser, cleanup);
@@ -1996,7 +1996,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("Can't allow networks which traffic type is not " + TrafficType.Guest);
}
- _accountMgr.checkAccess(callerAccount, null, network);
+ _accountMgr.checkAccess(callerAccount, null, true, network);
if (name != null) {
network.setName(name);
@@ -4045,7 +4045,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw ex;
}
- _accountMgr.checkAccess(caller, null, userVm);
+ _accountMgr.checkAccess(caller, null, true, userVm);
return _networkMgr.listVmNics(vmId, nicId, networkId);
}
@@ -4069,7 +4069,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// verify permissions
if (ipVO.getAllocatedToAccountId() != null) {
- _accountMgr.checkAccess(caller, null, ipVO);
+ _accountMgr.checkAccess(caller, null, true, ipVO);
} else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
throw new PermissionDeniedException("Only Root admin can update non-allocated ip addresses");
}
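Review bot: The `else` branch decides root-admin status with `caller.getType() != Account.ACCOUNT_TYPE_ADMIN`, while the `@@ -1816` hunk of this same file uses `_accountMgr.isRootAdmin(caller.getId())` for the same decision. Two definitions of "root admin" in one class can drift apart, and this branch is the only guard on updating an unallocated IP. I would use the helper here as well: `} else if (!_accountMgr.isRootAdmin(caller.getId())) {`. Both lines are unchanged context, so this is a follow-up and not something the commit introduced; the enclosing method starts and ends outside the hunk.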
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
index 09c6694..d4de462 100644
--- a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
+++ b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
@@ -116,9 +116,9 @@ import com.cloud.utils.db.GenericDao;
import com.cloud.utils.db.JoinBuilder;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
-import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.TransactionStatus;
import com.cloud.utils.net.NetUtils;
import com.cloud.vm.UserVmManager;
@@ -240,7 +240,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
throw new InvalidParameterValueException("Unable to find " + paramName);
}
- _accountMgr.checkAccess(caller, null, (ControlledEntity)vo);
+ _accountMgr.checkAccess(caller, null, false, (ControlledEntity)vo);
return vo;
}
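Review bot: The `false` passed as the new third argument here, and again in the `@@ -621` hunk (`checkAccess(caller, null, false, owner)`), differs from the `true` at every other call site shown for this file. That includes `checkAccess(caller, null, true, owner)` in the `@@ -342` hunk, which takes the same kind of argument. If the flag is a same-owner switch (the declaration of `checkAccess` is not in this part of the diff), it probably has no effect with a single entity, but mixed values make an authorization call harder to audit. I would pass `true` consistently, or add a comment such as `// single entity: same-owner comparison does not apply`. The enclosing method starts and ends outside the hunk.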
@@ -342,7 +342,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Account owner = _accountDao.findById(cmd.getAccountId());
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, true, owner);
long zoneId = cmd.getZoneId();
long serviceOfferingId = cmd.getServiceOfferingId();
@@ -461,8 +461,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Long zoneId = cmd.getZoneId();
Boolean display = cmd.getDisplay();
- SearchWrapper<AutoScaleVmProfileVO> searchWrapper = new SearchWrapper<AutoScaleVmProfileVO>(_autoScaleVmProfileDao, AutoScaleVmProfileVO.class, cmd, cmd.getId(),
- "listAutoScaleVmProfiles");
+ SearchWrapper<AutoScaleVmProfileVO> searchWrapper = new SearchWrapper<AutoScaleVmProfileVO>(_autoScaleVmProfileDao, AutoScaleVmProfileVO.class, cmd, cmd.getId());
SearchBuilder<AutoScaleVmProfileVO> sb = searchWrapper.getSearchBuilder();
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -527,7 +526,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
ControlledEntity[] sameOwnerEntities = conditions.toArray(new ControlledEntity[conditions.size() + 1]);
sameOwnerEntities[sameOwnerEntities.length - 1] = autoScalePolicyVO;
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
if (conditionIds.size() != conditions.size()) {
// TODO report the condition id which could not be found
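Review bot: The bare `true` added to `checkAccess(..., null, true, sameOwnerEntities)` is an unnamed boolean on an authorization call, and this is a call site where it appears to matter because several entities are checked together. The same applies to the `@@ -980` hunk, which passes the policies, the load balancer and the profile in one array. Judging by the array name, the flag requires all entities to belong to one account; I would say so in a comment, for example `// true: conditions and the policy must share one owner`. A second comment should explain that the array is allocated one slot larger than `conditions` so the policy can be appended in the last position. The enclosing method starts and ends outside the hunk.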
@@ -621,7 +620,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
idList.add(ApiDBUtils.findDomainById(domainId).getUuid());
throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain with specifed domainId");
}
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, false, owner);
}
private class SearchWrapper<VO extends ControlledEntity> {
@@ -630,14 +629,11 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
SearchCriteria<VO> searchCriteria;
Long domainId;
boolean isRecursive;
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
-
ListProjectResourcesCriteria listProjectResourcesCriteria;
Filter searchFilter;
- public SearchWrapper(GenericDao<VO, Long> dao, Class<VO> entityClass, BaseListAccountResourcesCmd cmd, Long id, String action)
+ public SearchWrapper(GenericDao<VO, Long> dao, Class<VO> entityClass, BaseListAccountResourcesCmd cmd, Long id)
{
this.dao = dao;
this.searchBuilder = dao.createSearchBuilder();
@@ -651,12 +647,12 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
- false, action);
- //domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject,
+ listAll, false);
+ domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
- _accountMgr.buildACLSearchBuilder(searchBuilder, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(searchBuilder, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
searchFilter = new Filter(entityClass, "id", false, startIndex, pageSizeVal);
}
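Review bot: The context line `ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();` declares a local that shadows the `SearchWrapper` field of the same name shown in the `@@ -630` hunk, so the field appears never to be assigned. The neighbouring lines this commit restores (`domainId = ...`, `isRecursive = ...`) carry no type and look like field assignments. `buildSearchCriteria()` in the `@@ -666` hunk then passes the field to `buildACLSearchCriteria`, which would receive null instead of the criteria computed by `buildACLSearchParameters`, so the search builder and the search criteria are built from different ACL inputs. Dropping the type fixes it: `listProjectResourcesCriteria = domainIdRecursiveListProject.third();`. This assumes nothing outside the visible hunks assigns the field; the constructor begins outside this hunk.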
@@ -666,7 +662,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
public SearchCriteria<VO> buildSearchCriteria() {
searchCriteria = searchBuilder.create();
- _accountMgr.buildACLSearchCriteria(searchCriteria, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(searchCriteria, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
return searchCriteria;
}
@@ -677,8 +673,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
@Override
public List<? extends AutoScalePolicy> listAutoScalePolicies(ListAutoScalePoliciesCmd cmd) {
- SearchWrapper<AutoScalePolicyVO> searchWrapper = new SearchWrapper<AutoScalePolicyVO>(_autoScalePolicyDao, AutoScalePolicyVO.class, cmd, cmd.getId(),
- "listAutoScalePolicies");
+ SearchWrapper<AutoScalePolicyVO> searchWrapper = new SearchWrapper<AutoScalePolicyVO>(_autoScalePolicyDao, AutoScalePolicyVO.class, cmd, cmd.getId());
SearchBuilder<AutoScalePolicyVO> sb = searchWrapper.getSearchBuilder();
Long id = cmd.getId();
Long conditionId = cmd.getConditionId();
@@ -884,8 +879,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Long zoneId = cmd.getZoneId();
Boolean forDisplay = cmd.getDisplay();
- SearchWrapper<AutoScaleVmGroupVO> searchWrapper = new SearchWrapper<AutoScaleVmGroupVO>(_autoScaleVmGroupDao, AutoScaleVmGroupVO.class, cmd, cmd.getId(),
- "listAutoScaleVmGroups");
+ SearchWrapper<AutoScaleVmGroupVO> searchWrapper = new SearchWrapper<AutoScaleVmGroupVO>(_autoScaleVmGroupDao, AutoScaleVmGroupVO.class, cmd, cmd.getId());
SearchBuilder<AutoScaleVmGroupVO> sb = searchWrapper.getSearchBuilder();
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -980,7 +974,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
ControlledEntity[] sameOwnerEntities = policies.toArray(new ControlledEntity[policies.size() + 2]);
sameOwnerEntities[sameOwnerEntities.length - 2] = loadBalancer;
sameOwnerEntities[sameOwnerEntities.length - 1] = profileVO;
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
return Transaction.execute(new TransactionCallback<AutoScaleVmGroupVO>() {
@Override
@@ -1176,7 +1170,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Long id = cmd.getId();
Long counterId = cmd.getCounterId();
Long policyId = cmd.getPolicyId();
- SearchWrapper<ConditionVO> searchWrapper = new SearchWrapper<ConditionVO>(_conditionDao, ConditionVO.class, cmd, cmd.getId(), "listConditions");
+ SearchWrapper<ConditionVO> searchWrapper = new SearchWrapper<ConditionVO>(_conditionDao, ConditionVO.class, cmd, cmd.getId());
SearchBuilder<ConditionVO> sb = searchWrapper.getSearchBuilder();
if (policyId != null) {
SearchBuilder<AutoScalePolicyConditionMapVO> asPolicyConditionSearch = _autoScalePolicyConditionMapDao.createSearchBuilder();