Posted to commits@cloudstack.apache.org by pr...@apache.org on 2014/05/14 22:42:02 UTC
[1/2] git commit: updated refs/heads/4.4-forward-iam-disabled to
56b284f
Repository: cloudstack
Updated Branches:
refs/heads/4.4-forward-iam-disabled c9c7c8cb4 -> 56b284f7f
Disabling IAM: Handling isAdmin using AccountType
- Remove RoleBasedEntityAccessChecker from the list of SecurityCheckers
- Remove upgrade code to put iam_group_account_map
- DomainChecker should handle the isRootAdmin/isDomainAdmin/isResourceDomainAdmin using AccountType
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/94ddde33
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/94ddde33
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/94ddde33
Branch: refs/heads/4.4-forward-iam-disabled
Commit: 94ddde33d9fca3bbd19dbfcbd9ca902f0f8be95b
Parents: c9c7c8c
Author: Prachi Damle <pr...@cloud.com>
Authored: Wed May 14 11:43:26 2014 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Wed May 14 12:00:32 2014 -0700
----------------------------------------------------------------------
.../core/spring-core-registry-core-context.xml | 2 +-
.../com/cloud/upgrade/dao/Upgrade430to440.java | 74 ++++++++------------
server/src/com/cloud/acl/DomainChecker.java | 7 +-
3 files changed, 36 insertions(+), 47 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ddde33/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
----------------------------------------------------------------------
diff --git a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
index 0f58d7d..d54823a 100644
--- a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
+++ b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
@@ -46,7 +46,7 @@
<property name="orderConfigKey" value="security.checkers.order" />
<property name="excludeKey" value="security.checkers.exclude" />
<property name="orderConfigDefault"
- value="RoleBasedEntityAccessChecker,AffinityGroupAccessChecker,DomainChecker" />
+ value="AffinityGroupAccessChecker,DomainChecker" />
</bean>
<bean id="resourceDiscoverersRegistry"
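Review bot: The new default on line 40 drops RoleBasedEntityAccessChecker without recording why, and the `security.checkers.order` key on line 36 still lets a deployment re-add it by configuration, so a later reader of this file cannot tell whether the omission is deliberate. A short comment above the property would make the intent explicit, e.g. `<!-- RoleBasedEntityAccessChecker intentionally omitted: IAM is disabled on this branch -->`. Whether the checker bean is still defined elsewhere and would be picked up by an explicit order setting is not visible in this hunk; worth confirming if the intent is that it never runs.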
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ddde33/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
index 26277dd..78db621 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
@@ -59,55 +59,39 @@ public class Upgrade430to440 implements DbUpgrade {
@Override
public void performDataMigration(Connection conn) {
- populateIAMGroupAccountMap(conn);
+ // populateIAMGroupAccountMap(conn);
secondaryIpsAccountAndDomainIdsUpdate(conn);
moveCidrsToTheirOwnTable(conn);
}
- // populate iam_group_account_map table for existing accounts
- private void populateIAMGroupAccountMap(Connection conn) {
- PreparedStatement acctInsert = null;
- PreparedStatement acctQuery = null;
- ResultSet rs = null;
-
- s_logger.debug("Populating iam_group_account_map table for existing accounts...");
- try {
- acctInsert = conn
- .prepareStatement("INSERT INTO `cloud`.`iam_group_account_map` (group_id, account_id, created) values(?, ?, Now())");
- acctQuery = conn
- .prepareStatement("select id, type from `cloud`.`account` where removed is null");
- rs = acctQuery.executeQuery();
-
- while (rs.next()) {
- Long acct_id = rs.getLong("id");
- short type = rs.getShort("type");
-
- // insert entry in iam_group_account_map table
- acctInsert.setLong(1, type + 1);
- acctInsert.setLong(2, acct_id);
- acctInsert.executeUpdate();
- }
- } catch (SQLException e) {
- String msg = "Unable to populate iam_group_account_map for existing accounts." + e.getMessage();
- s_logger.error(msg);
- throw new CloudRuntimeException(msg, e);
- } finally {
- try {
- if (rs != null) {
- rs.close();
- }
-
- if (acctInsert != null) {
- acctInsert.close();
- }
- if (acctQuery != null) {
- acctQuery.close();
- }
- } catch (SQLException e) {
- }
- }
- s_logger.debug("Completed populate iam_group_account_map for existing accounts.");
- }
+ /*
+ * populate iam_group_account_map table for existing accounts private void
+ * populateIAMGroupAccountMap(Connection conn) { PreparedStatement
+ * acctInsert = null; PreparedStatement acctQuery = null; ResultSet rs =
+ * null;
+ *
+ * s_logger.debug(
+ * "Populating iam_group_account_map table for existing accounts..."); try {
+ * acctInsert = conn .prepareStatement(
+ * "INSERT INTO `cloud`.`iam_group_account_map` (group_id, account_id, created) values(?, ?, Now())"
+ * ); acctQuery = conn .prepareStatement(
+ * "select id, type from `cloud`.`account` where removed is null"); rs =
+ * acctQuery.executeQuery();
+ *
+ * while (rs.next()) { Long acct_id = rs.getLong("id"); short type =
+ * rs.getShort("type");
+ *
+ * // insert entry in iam_group_account_map table acctInsert.setLong(1, type
+ * + 1); acctInsert.setLong(2, acct_id); acctInsert.executeUpdate(); } }
+ * catch (SQLException e) { String msg =
+ * "Unable to populate iam_group_account_map for existing accounts." +
+ * e.getMessage(); s_logger.error(msg); throw new CloudRuntimeException(msg,
+ * e); } finally { try { if (rs != null) { rs.close(); }
+ *
+ * if (acctInsert != null) { acctInsert.close(); } if (acctQuery != null) {
+ * acctQuery.close(); } } catch (SQLException e) { } } s_logger.debug(
+ * "Completed populate iam_group_account_map for existing accounts."); }
+ */
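Review bot: The commented-out call on line 53 leaves performDataMigration with no explanation of why the IAM group map is skipped, and lines 101–128 keep the whole method as a reflowed block comment that is harder to read than the original and will drift from the live code; prefer deleting it (history keeps it) and documenting the decision at the call site, e.g. `// IAM disabled on this branch: iam_group_account_map is intentionally left unpopulated`. That comment should also state the consequence: databases upgraded through this path end up with an empty iam_group_account_map, so re-enabling IAM later presumably needs its own migration rather than relying on 430to440, which installs will already have passed. The enclosing class continues outside the hunk.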
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ddde33/server/src/com/cloud/acl/DomainChecker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index 9a1419d..729a0d1 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -332,15 +332,20 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
if (action != null && ("SystemCapability".equals(action))) {
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
return true;
+ } else {
+ return false;
}
-
} else if (action != null && ("DomainCapability".equals(action))) {
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
return true;
+ } else {
+ return false;
}
} else if (action != null && ("DomainResourceCapability".equals(action))) {
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
return true;
+ } else {
+ return false;
}
}
return checkAccess(caller, entity, accessType);
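Review bot: The `else { return false; }` branches added on lines 139–140, 146–147 and 152–153 turn each capability test into an exact account-type match, so a root admin asking for `DomainCapability` or `DomainResourceCapability` no longer falls through to `checkAccess(caller, entity, accessType)` but is denied by this checker; that is the right fail-closed shape if these actions are only used as isRootAdmin/isDomainAdmin/isResourceDomainAdmin predicates as the commit message says, but any caller that relied on the old fall-through should be checked. Each branch reduces to one expression, e.g. `return caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN;`, and since `"SystemCapability".equals(action)` already tolerates a null action the `action != null &&` guards are redundant. The enclosing method begins outside the hunk.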
[2/2] git commit: updated refs/heads/4.4-forward-iam-disabled to
56b284f
Posted by pr...@apache.org.
Revert "Fixes to ensure Network entity checkAccess invokes the IAM service"
This reverts commit a5b9814f7a94fd2d871b3148c2f0e53994427fd8.
Conflicts:
server/src/com/cloud/network/NetworkModelImpl.java
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/56b284f7
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/56b284f7
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/56b284f7
Branch: refs/heads/4.4-forward-iam-disabled
Commit: 56b284f7fd74aa6808c53559495f9a22cb2b12af
Parents: 94ddde3
Author: Prachi Damle <pr...@cloud.com>
Authored: Wed May 14 13:41:34 2014 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Wed May 14 13:41:34 2014 -0700
----------------------------------------------------------------------
api/src/com/cloud/network/NetworkModel.java | 4 --
.../com/cloud/upgrade/dao/Upgrade430to440.java | 31 --------------
.../contrail/management/ServiceManagerImpl.java | 5 +--
.../src/com/cloud/network/NetworkModelImpl.java | 45 +-------------------
server/src/com/cloud/vm/UserVmManagerImpl.java | 19 +++++++--
.../com/cloud/network/MockNetworkModelImpl.java | 8 ----
.../com/cloud/vpc/MockNetworkModelImpl.java | 8 ----
7 files changed, 18 insertions(+), 102 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/56b284f7/api/src/com/cloud/network/NetworkModel.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/NetworkModel.java b/api/src/com/cloud/network/NetworkModel.java
index 1e0a8e8..f6555db 100644
--- a/api/src/com/cloud/network/NetworkModel.java
+++ b/api/src/com/cloud/network/NetworkModel.java
@@ -22,8 +22,6 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@@ -275,6 +273,4 @@ public interface NetworkModel {
boolean isNetworkReadyForGc(long networkId);
boolean getNetworkEgressDefaultPolicy(Long networkId);
-
- void checkNetworkPermissions(Account owner, Network network, AccessType accessType);
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/56b284f7/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
index 78db621..da71d44 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
@@ -59,41 +59,10 @@ public class Upgrade430to440 implements DbUpgrade {
@Override
public void performDataMigration(Connection conn) {
- // populateIAMGroupAccountMap(conn);
secondaryIpsAccountAndDomainIdsUpdate(conn);
moveCidrsToTheirOwnTable(conn);
}
- /*
- * populate iam_group_account_map table for existing accounts private void
- * populateIAMGroupAccountMap(Connection conn) { PreparedStatement
- * acctInsert = null; PreparedStatement acctQuery = null; ResultSet rs =
- * null;
- *
- * s_logger.debug(
- * "Populating iam_group_account_map table for existing accounts..."); try {
- * acctInsert = conn .prepareStatement(
- * "INSERT INTO `cloud`.`iam_group_account_map` (group_id, account_id, created) values(?, ?, Now())"
- * ); acctQuery = conn .prepareStatement(
- * "select id, type from `cloud`.`account` where removed is null"); rs =
- * acctQuery.executeQuery();
- *
- * while (rs.next()) { Long acct_id = rs.getLong("id"); short type =
- * rs.getShort("type");
- *
- * // insert entry in iam_group_account_map table acctInsert.setLong(1, type
- * + 1); acctInsert.setLong(2, acct_id); acctInsert.executeUpdate(); } }
- * catch (SQLException e) { String msg =
- * "Unable to populate iam_group_account_map for existing accounts." +
- * e.getMessage(); s_logger.error(msg); throw new CloudRuntimeException(msg,
- * e); } finally { try { if (rs != null) { rs.close(); }
- *
- * if (acctInsert != null) { acctInsert.close(); } if (acctQuery != null) {
- * acctQuery.close(); } } catch (SQLException e) { } } s_logger.debug(
- * "Completed populate iam_group_account_map for existing accounts."); }
- */
-
-
private void secondaryIpsAccountAndDomainIdsUpdate(Connection conn) {
PreparedStatement pstmt = null;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/56b284f7/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
index acd9b4e..f34eacc 100644
--- a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
+++ b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
@@ -30,7 +30,6 @@ import javax.inject.Inject;
import net.juniper.contrail.api.ApiConnector;
import net.juniper.contrail.api.types.ServiceInstance;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.network.contrail.api.response.ServiceInstanceResponse;
import org.apache.cloudstack.network.contrail.model.ServiceInstanceModel;
@@ -137,10 +136,10 @@ public class ServiceManagerImpl implements ServiceManager {
// TODO: permission model.
// service instances need to be able to access the public network.
if (left.getTrafficType() == TrafficType.Guest) {
- _networkModel.checkNetworkPermissions(owner, left, AccessType.UseEntry);
+ _networkModel.checkNetworkPermissions(owner, left);
}
if (right.getTrafficType() == TrafficType.Guest) {
- _networkModel.checkNetworkPermissions(owner, right, AccessType.UseEntry);
+ _networkModel.checkNetworkPermissions(owner, right);
}
final ApiConnector api = _manager.getApiConnector();
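Review bot: The call sites on lines 269 and 273 now depend on a two-argument `checkNetworkPermissions(Account, Network)` overload, but no hunk in this revert adds one to NetworkModel or NetworkModelImpl; presumably it survived alongside the three-argument variant (the NetworkModel hunk only removes the latter), and given the commit's conflict note on NetworkModelImpl.java this is worth confirming compiles. The same applies to the UserVmManagerImpl calls on lines 379 and 400. The removed NetworkModelImpl implementation (lines 326–352) also carried the project-account cross-check via `canAccessProjectAccount` ahead of the IAM loop; whether the surviving overload still enforces it cannot be seen in this diff. The enclosing method starts and ends outside the hunk.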
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/56b284f7/server/src/com/cloud/network/NetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index 0de4c80..7b4b2be 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -35,8 +35,6 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
-import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
@@ -99,7 +97,6 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
import com.cloud.projects.dao.ProjectAccountDao;
import com.cloud.server.ConfigurationServer;
import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.DomainManager;
import com.cloud.user.dao.AccountDao;
@@ -176,8 +173,7 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
FirewallRulesDao _firewallDao;
@Inject
DomainManager _domainMgr;
- @Inject
- AccountManager _accountMgr;
+
@Inject
NetworkOfferingServiceMapDao _ntwkOfferingSrvcDao;
@Inject
@@ -220,16 +216,6 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
static HashMap<Service, List<Provider>> s_serviceToImplementedProvidersMap = new HashMap<Service, List<Provider>>();
static HashMap<String, String> s_providerToNetworkElementMap = new HashMap<String, String>();
- List<SecurityChecker> _securityCheckers;
-
- public List<SecurityChecker> getSecurityCheckers() {
- return _securityCheckers;
- }
-
- public void setSecurityCheckers(List<SecurityChecker> securityCheckers) {
- _securityCheckers = securityCheckers;
- }
-
/**
*
*/
@@ -1581,35 +1567,6 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
}
@Override
- public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
- if (network == null) {
- throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
- }
-
- AccountVO networkOwner = _accountDao.findById(network.getAccountId());
- if (networkOwner == null) {
- throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
- + ", network does not have an owner");
- }
- if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
- if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId())) {
- throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
- + ", permission denied");
- }
- } else {
- // Go through IAM (SecurityCheckers)
- for (SecurityChecker checker : _securityCheckers) {
- if (checker.checkAccess(owner, accessType, null, network)) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Access to " + network + " granted to " + owner + " by " + checker.getName());
- }
- break;
- }
- }
- }
- }
-
- @Override
public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType) {
try {
PhysicalNetwork publicPhyNetwork = getOnePhysicalNetworkByZoneAndTrafficType(dcId, TrafficType.Public);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/56b284f7/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index d3f993e..e6f9709 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -972,6 +972,12 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a network with id " + networkId);
}
+ if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+ if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
+ && !(network.getAclType() == ACLType.Account && network.getAccountId() == vmInstance.getAccountId())) {
+ throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vmId: " + vmId);
+ }
+ }
List<NicVO> allNics = _nicDao.listByVmId(vmInstance.getId());
for (NicVO nic : allNics) {
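Review bot: The authorization rule added on lines 367–372 is repeated almost verbatim on lines 388–393 (differing only in which account id is compared), so a fix to one copy will miss the other; extract it into a single private helper and call it from both sites. As written, the shared/`ACLType.Domain` branch accepts any shared domain-scoped network regardless of the caller's domain, and a domain admin is treated like a plain user because only `ACCOUNT_TYPE_ADMIN` is exempted — if the removed `_accountMgr.checkAccess` call enforced domain membership, that check is now missing, which cannot be confirmed from this hunk. Denying with `InvalidParameterValueException` also reports an authorization failure as a bad parameter; `PermissionDeniedException` would be the more accurate type if callers can tolerate the change (the helper below keeps the existing type and messages). The enclosing methods begin and end outside the hunks.
```java
// Non-admin callers may only attach a domain-scoped shared network or an
// account-scoped network owned by the given account; admins are exempt.
private void checkNetworkUsableByAccount(Account caller, Network network, long accountId, String context) {
    if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
        return;
    }
    boolean sharedDomainNetwork = network.getGuestType() == Network.GuestType.Shared
            && network.getAclType() == ACLType.Domain;
    boolean ownAccountNetwork = network.getAclType() == ACLType.Account
            && network.getAccountId() == accountId;
    if (!sharedDomainNetwork && !ownAccountNetwork) {
        throw new InvalidParameterValueException(
                "only shared network or isolated network with the same account_id can be added to " + context);
    }
}

// … unchanged: network lookup above line 367 …
checkNetworkUsableByAccount(caller, network, vmInstance.getAccountId(), "vmId: " + vmId);
// … at line 388 the second copy becomes: checkNetworkUsableByAccount(caller, network, accountId, "vm"); …
```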
@@ -2506,7 +2512,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
}
- _networkModel.checkNetworkPermissions(owner, network, AccessType.UseEntry);
+ _networkModel.checkNetworkPermissions(owner, network);
// don't allow to use system networks
NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
@@ -2705,8 +2711,13 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("Network id=" + network.getId() + " doesn't belong to zone " + zone.getId());
}
- // Perform account permission check on network
- _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+ //relax the check if the caller is admin account
+ if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+ if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
+ && !(network.getAclType() == ACLType.Account && network.getAccountId() == accountId)) {
+ throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vm");
+ }
+ }
IpAddresses requestedIpPair = null;
if (requestedIps != null && !requestedIps.isEmpty()) {
@@ -4421,7 +4432,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw ex;
}
- _networkModel.checkNetworkPermissions(newAccount, network, AccessType.UseEntry);
+ _networkModel.checkNetworkPermissions(newAccount, network);
// don't allow to use system networks
NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/56b284f7/server/test/com/cloud/network/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/network/MockNetworkModelImpl.java b/server/test/com/cloud/network/MockNetworkModelImpl.java
index 33387fa..6c9e597 100644
--- a/server/test/com/cloud/network/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/network/MockNetworkModelImpl.java
@@ -25,8 +25,6 @@ import java.util.Set;
import javax.ejb.Local;
import javax.naming.ConfigurationException;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@@ -880,10 +878,4 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
public boolean getNetworkEgressDefaultPolicy(Long networkId) {
return false; //To change body of implemented methods use File | Settings | File Templates.
}
-
- @Override
- public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
- // TODO Auto-generated method stub
-
- }
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/56b284f7/server/test/com/cloud/vpc/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/MockNetworkModelImpl.java b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
index c93584d..67ab8e8 100644
--- a/server/test/com/cloud/vpc/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
@@ -26,8 +26,6 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@@ -895,10 +893,4 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
public boolean getNetworkEgressDefaultPolicy(Long networkId) {
return false; //To change body of implemented methods use File | Settings | File Templates.
}
-
- @Override
- public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
- // TODO Auto-generated method stub
-
- }
}