You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/05/20 00:46:27 UTC
[2/5] Revert "Disable IAM feature from 4.4 release."
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
index b6977c2..0c0c588 100755
--- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
+++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
@@ -483,7 +483,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
return limits;
}
- _accountMgr.checkAccess(caller, null, true, account);
+ _accountMgr.checkAccess(caller, null, account);
domainId = null;
}
}
@@ -503,7 +503,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
if (id != null) {
ResourceLimitVO vo = _resourceLimitDao.findById(id);
if (vo.getAccountId() != null) {
- _accountMgr.checkAccess(caller, null, true, _accountDao.findById(vo.getAccountId()));
+ _accountMgr.checkAccess(caller, null, _accountDao.findById(vo.getAccountId()));
limits.add(vo);
} else if (vo.getDomainId() != null) {
_accountMgr.checkAccess(caller, _domainDao.findById(vo.getDomainId()));
@@ -656,9 +656,9 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
}
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, account);
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, account);
} else {
- _accountMgr.checkAccess(caller, null, true, account);
+ _accountMgr.checkAccess(caller, null, account);
}
ownerType = ResourceOwnerType.Account;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/server/ManagementServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index dd4ce0f..4a4c74a 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -952,7 +952,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);
ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]);
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents);
if (ids != null && events.size() < ids.size()) {
result = false;
@@ -979,7 +979,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);
ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]);
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents);
if (ids != null && events.size() < ids.size()) {
result = false;
@@ -1768,19 +1768,22 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
SearchBuilder<IPAddressVO> sb = _publicIpAddressDao.createSearchBuilder();
Long domainId = null;
Boolean isRecursive = null;
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
ListProjectResourcesCriteria listProjectResourcesCriteria = null;
if (isAllocated) {
Account caller = CallContext.current().getCallingAccount();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, cmd.getId(), cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, cmd.getId(), cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listPublicIpAddresses");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
listProjectResourcesCriteria = domainIdRecursiveListProject.third();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
}
sb.and("dataCenterId", sb.entity().getDataCenterId(), SearchCriteria.Op.EQ);
@@ -1835,7 +1838,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
SearchCriteria<IPAddressVO> sc = sb.create();
if (isAllocated) {
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
}
sc.setJoinParameters("vlanSearch", "vlanType", vlanType);
@@ -3312,7 +3315,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, _accountMgr.getAccount(user.getAccountId()));
+ _accountMgr.checkAccess(caller, null, _accountMgr.getAccount(user.getAccountId()));
String cloudIdentifier = _configDao.getValue("cloud.identifier");
if (cloudIdentifier == null) {
@@ -3419,7 +3422,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
throw ex;
}
- _accountMgr.checkAccess(caller, null, true, group);
+ _accountMgr.checkAccess(caller, null, group);
// Check if name is already in use by this account (exclude this group)
boolean isNameInUse = _vmGroupDao.isNameInUse(group.getAccountId(), groupName);
@@ -3578,21 +3581,22 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
String fingerPrint = cmd.getFingerprint();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject,
- cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listSSHKeyPairs");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<SSHKeyPairVO> sb = _sshKeyPairDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
Filter searchFilter = new Filter(SSHKeyPairVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchCriteria<SSHKeyPairVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (name != null) {
sc.addAnd("name", SearchCriteria.Op.EQ, name);
@@ -3657,7 +3661,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
}
// make permission check
- _accountMgr.checkAccess(caller, null, true, vm);
+ _accountMgr.checkAccess(caller, null, vm);
_userVmDao.loadDetails(vm);
String password = vm.getDetail("Encrypted.Password");
@@ -3830,7 +3834,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
throw new InvalidParameterValueException("Unable to find SystemVm with id " + systemVmId);
}
- _accountMgr.checkAccess(caller, null, true, systemVm);
+ _accountMgr.checkAccess(caller, null, systemVm);
// Check that the specified service offering ID is valid
ServiceOfferingVO newServiceOffering = _offeringDao.findById(serviceOfferingId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/servlet/ConsoleProxyServlet.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
index 60f32cf..16d7a32 100644
--- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
@@ -522,7 +522,7 @@ public class ConsoleProxyServlet extends HttpServlet {
switch (vm.getType()) {
case User:
try {
- _accountMgr.checkAccess(accountObj, null, true, vm);
+ _accountMgr.checkAccess(accountObj, null, vm);
} catch (PermissionDeniedException ex) {
if (_accountMgr.isNormalUser(accountObj.getId())) {
if (s_logger.isDebugEnabled()) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/storage/VolumeApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
index 1650240..6db3a2d 100644
--- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java
+++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
@@ -28,6 +28,7 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.volume.AttachVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.CreateVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.DetachVolumeCmd;
@@ -272,7 +273,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
private boolean validateVolume(Account caller, long ownerId, Long zoneId, String volumeName, String url, String format) throws ResourceAllocationException {
// permission check
- _accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId));
+ _accountMgr.checkAccess(caller, null, _accountMgr.getActiveAccountById(ownerId));
// Check that the resource limit for volumes won't be exceeded
_resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(ownerId), ResourceType.volume);
@@ -382,10 +383,11 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
Boolean displayVolume = cmd.getDisplayVolume();
// permission check
- _accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId));
+ _accountMgr.checkAccess(caller, null, owner);
if (displayVolume == null) {
displayVolume = true;
+
} else {
if (!_accountMgr.isRootAdmin(caller.getId())) {
throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted ");
@@ -509,9 +511,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
size = snapshotCheck.getSize(); // ; disk offering is used for tags
// purposes
- // check snapshot permissions
- _accountMgr.checkAccess(caller, null, true, snapshotCheck);
-
// one step operation - create volume in VM's cluster and attach it
// to the VM
Long vmId = cmd.getVirtualMachineId();
@@ -526,9 +525,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
if (vm.getState() != State.Running && vm.getState() != State.Stopped) {
throw new InvalidParameterValueException("Please specify a VM that is either running or stopped.");
}
-
- // permission check
- _accountMgr.checkAccess(caller, null, false, vm);
}
}
@@ -775,7 +771,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
/* does the caller have the authority to act on this volume? */
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
long currentSize = volume.getSize();
@@ -938,7 +934,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
throw new InvalidParameterValueException("There are snapshot creating on it, Unable to delete the volume");
}
- _accountMgr.checkAccess(caller, null, true, volume);
+ _accountMgr.checkAccess(caller, null, volume);
if (volume.getInstanceId() != null) {
throw new InvalidParameterValueException("Please specify a volume that is not attached to any VM.");
@@ -1131,7 +1127,8 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
// permission check
- _accountMgr.checkAccess(caller, null, true, volume, vm);
+ // TODO: remove this if we can annotate volume parameter in createVolumeCmd since this routine is used there as well.
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, volume, vm);
if (!(Volume.State.Allocated.equals(volume.getState()) || Volume.State.Ready.equals(volume.getState()) || Volume.State.Uploaded.equals(volume.getState()))) {
throw new InvalidParameterValueException("Volume state must be in Allocated, Ready or in Uploaded state");
@@ -1345,7 +1342,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
// Permissions check
- _accountMgr.checkAccess(caller, null, true, volume);
+ _accountMgr.checkAccess(caller, null, volume);
// Check that the volume is a data volume
if (volume.getVolumeType() != Volume.Type.DATADISK) {
@@ -1790,7 +1787,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
// perform permission check
- _accountMgr.checkAccess(account, null, true, volume);
+ _accountMgr.checkAccess(account, null, volume);
if (_dcDao.findById(zoneId) == null) {
throw new InvalidParameterValueException("Please specify a valid zone.");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
index 44bce1a..d19a0ed 100755
--- a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
+++ b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
@@ -286,7 +286,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
boolean backedUp = false;
// does the caller have the authority to act on this volume
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
SnapshotInfo snapshot = snapshotFactory.getSnapshot(snapshotId, DataStoreRole.Primary);
@@ -391,7 +391,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
throw new InvalidParameterValueException("unable to find a snapshot with id " + snapshotId);
}
- _accountMgr.checkAccess(caller, null, true, snapshotCheck);
+ _accountMgr.checkAccess(caller, null, snapshotCheck);
SnapshotStrategy snapshotStrategy = _storageStrategyFactory.getSnapshotStrategy(snapshotCheck, SnapshotOperation.DELETE);
if (snapshotStrategy == null) {
s_logger.error("Unable to find snaphot strategy to handle snapshot with id '" + snapshotId + "'");
@@ -441,25 +441,28 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
Map<String, String> tags = cmd.getTags();
Long zoneId = cmd.getZoneId();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
// Verify parameters
if (volumeId != null) {
VolumeVO volume = _volsDao.findById(volumeId);
if (volume != null) {
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
}
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listSnapshots");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(SnapshotVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<SnapshotVO> sb = _snapshotDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("statusNEQ", sb.entity().getState(), SearchCriteria.Op.NEQ); //exclude those Destroyed snapshot, not showing on UI
sb.and("volumeId", sb.entity().getVolumeId(), SearchCriteria.Op.EQ);
@@ -482,7 +485,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
}
SearchCriteria<SnapshotVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sc.setParameters("statusNEQ", Snapshot.State.Destroyed);
@@ -621,7 +624,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
throw new InvalidParameterValueException("Failed to create snapshot policy, unable to find a volume with id " + volumeId);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
if (volume.getState() != Volume.State.Ready) {
throw new InvalidParameterValueException("VolumeId: " + volumeId + " is not in " + Volume.State.Ready + " state but " + volume.getState() +
@@ -720,7 +723,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
if (volume == null) {
throw new InvalidParameterValueException("Unable to find a volume with id " + volumeId);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
Pair<List<SnapshotPolicyVO>, Integer> result = _snapshotPolicyDao.listAndCountByVolumeId(volumeId);
return new Pair<List<? extends SnapshotPolicy>, Integer>(result.first(), result.second());
}
@@ -996,7 +999,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
throw new InvalidParameterValueException("Policy id given: " + policy + " does not belong to a valid volume");
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
}
boolean success = true;
@@ -1027,12 +1030,9 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
@Override
public Snapshot allocSnapshot(Long volumeId, Long policyId) throws ResourceAllocationException {
- Account caller = CallContext.current().getCallingAccount();
VolumeInfo volume = volFactory.getVolume(volumeId);
supportedByHypervisor(volume);
- // Verify permissions
- _accountMgr.checkAccess(caller, null, true, volume);
Type snapshotType = getSnapshotType(policyId);
Account owner = _accountMgr.getAccount(volume.getAccountId());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
index fa7fcb7..cac12c6 100644
--- a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
+++ b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
@@ -227,7 +227,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
Long domainId = accountDomainPair.second();
Long accountId = accountDomainPair.first();
if (accountId != null) {
- _accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId));
+ _accountMgr.checkAccess(caller, null, _accountMgr.getAccount(accountId));
} else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) {
//check permissions;
_accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId));
@@ -289,7 +289,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
for (ResourceTag resourceTag : resourceTags) {
//1) validate the permissions
Account owner = _accountMgr.getAccount(resourceTag.getAccountId());
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
//2) Only remove tag if it matches key value pairs
if (tags != null && !tags.isEmpty()) {
for (String key : tags.keySet()) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/template/TemplateAdapterBase.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateAdapterBase.java b/server/src/com/cloud/template/TemplateAdapterBase.java
index fcf15df..cb38075 100755
--- a/server/src/com/cloud/template/TemplateAdapterBase.java
+++ b/server/src/com/cloud/template/TemplateAdapterBase.java
@@ -254,7 +254,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
//check if the caller can operate with the template owner
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
boolean isRouting = (cmd.isRoutingType() == null) ? false : cmd.isRoutingType();
@@ -277,7 +277,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
//check if the caller can operate with the template owner
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
Long zoneId = cmd.getZoneId();
// ignore passed zoneId if we are using region wide image store
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/template/TemplateManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index 0cc7438..294748f 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -369,7 +369,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Unable to find template id=" + templateId);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, vmTemplate);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, vmTemplate);
prepareTemplateInAllStoragePools(vmTemplate, zoneId);
return vmTemplate;
@@ -415,7 +415,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Unable to extract template id=" + templateId + " as it's not extractable");
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
List<DataStore> ssStores = _dataStoreMgr.getImageStoresByScope(new ZoneScope(zoneId));
@@ -722,7 +722,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
return template;
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
boolean success = copy(userId, template, srcSecStore, dstZone);
@@ -911,7 +911,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Please specify a valid VM.");
}
- _accountMgr.checkAccess(caller, null, true, userVM);
+ _accountMgr.checkAccess(caller, null, userVM);
Long isoId = userVM.getIsoId();
if (isoId == null) {
@@ -952,12 +952,11 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
// check permissions
// check if caller has access to VM and ISO
- // and also check if the VM's owner has access to the ISO.
-
- _accountMgr.checkAccess(caller, null, false, iso, vm);
-
+ // and also check if the VM's owner has access to the ISO. This is a bit different from sameOwner check for attachVolumeToVM, where both volume and VM need
+ // OperateEntry access type. Here VM needs OperateEntry access type, ISO needs UseEntry access type.
+ _accountMgr.checkAccess(caller, null, iso, vm);
Account vmOwner = _accountDao.findById(vm.getAccountId());
- _accountMgr.checkAccess(vmOwner, null, false, iso, vm);
+ _accountMgr.checkAccess(vmOwner, null, iso);
State vmState = vm.getState();
if (vmState != State.Running && vmState != State.Stopped) {
@@ -1061,7 +1060,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("unable to find template with id " + templateId);
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
if (template.getFormat() == ImageFormat.ISO) {
throw new InvalidParameterValueException("Please specify a valid template.");
@@ -1084,7 +1083,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("unable to find iso with id " + templateId);
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
if (template.getFormat() != ImageFormat.ISO) {
throw new InvalidParameterValueException("Please specify a valid iso.");
@@ -1134,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
}
if (!template.isPublicTemplate()) {
- _accountMgr.checkAccess(caller, null, true, template);
+ _accountMgr.checkAccess(caller, AccessType.ListEntry, template);
}
List<String> accountNames = new ArrayList<String>();
@@ -1207,8 +1206,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
}
}
- //_accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); //TODO: should we replace all ModifyEntry as OperateEntry?
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
// If the template is removed throw an error.
if (template.getRemoved() != null) {
@@ -1489,7 +1487,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
Account caller = CallContext.current().getCallingAccount();
boolean isAdmin = (_accountMgr.isAdmin(caller.getId()));
- _accountMgr.checkAccess(caller, null, true, templateOwner);
+ _accountMgr.checkAccess(caller, null, templateOwner);
String name = cmd.getTemplateName();
if ((name == null) || (name.length() > 32)) {
@@ -1541,7 +1539,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Failed to create private template record, unable to find volume " + volumeId);
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, volume);
+ _accountMgr.checkAccess(caller, null, volume);
// If private template is created from Volume, check that the volume
// will not be active when the private template is
@@ -1564,7 +1562,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
volume = _volumeDao.findById(snapshot.getVolumeId());
// check permissions
- _accountMgr.checkAccess(caller, null, true, snapshot);
+ _accountMgr.checkAccess(caller, null, snapshot);
if (snapshot.getState() != Snapshot.State.BackedUp) {
throw new InvalidParameterValueException("Snapshot id=" + snapshotId + " is not in " + Snapshot.State.BackedUp +
@@ -1780,7 +1778,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
verifyTemplateId(id);
// do a permission check
- _accountMgr.checkAccess(account, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(account, AccessType.OperateEntry, template);
if (cmd.isRoutingType() != null) {
if (!_accountService.isRootAdmin(account.getId())) {
throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/user/AccountManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java
index bee7029..03bf842 100755
--- a/server/src/com/cloud/user/AccountManager.java
+++ b/server/src/com/cloud/user/AccountManager.java
@@ -24,7 +24,6 @@ import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
-import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.projects.Project.ListProjectResourcesCriteria;
@@ -85,35 +84,19 @@ public interface AccountManager extends AccountService {
boolean enableAccount(long accountId);
- void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria);
-
- void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria);
-
- void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds);
-
- void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria);
-
- void buildACLSearchParameters(Account caller, Long id,
- String accountName, Long projectId, List<Long> permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll,
- boolean forProjectInvitation);
-
- void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria);
-
- void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds,
- List<Long> revokedIds);
-
-
// new ACL model routine for query api based on db views
void buildACLSearchParameters(Account caller, Long id,
String accountName, Long projectId, List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources,
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation, String action);
+ void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, boolean isRecursive,
+ List<Long> permittedDomains,
+ List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria);
+
+ void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, boolean isRecursive,
+ List<Long> permittedDomains,
+ List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria);
+
void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, SearchCriteria<? extends ControlledEntity> aclSc, boolean isRecursive,
List<Long> permittedDomains, List<Long> permittedAccounts,
List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index b6be648..3ff9bd2 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -48,6 +48,7 @@ import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
+import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
@@ -60,8 +61,6 @@ import org.apache.cloudstack.framework.messagebus.PublishScope;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
-import com.cloud.api.ApiDBUtils;
-import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.configuration.Config;
import com.cloud.configuration.ConfigurationManager;
import com.cloud.configuration.Resource.ResourceOwnerType;
@@ -102,6 +101,7 @@ import com.cloud.network.dao.NetworkVO;
import com.cloud.network.dao.RemoteAccessVpnDao;
import com.cloud.network.dao.RemoteAccessVpnVO;
import com.cloud.network.dao.VpnUserDao;
+import com.cloud.network.security.SecurityGroup;
import com.cloud.network.security.SecurityGroupManager;
import com.cloud.network.security.dao.SecurityGroupDao;
import com.cloud.network.vpc.Vpc;
@@ -110,7 +110,6 @@ import com.cloud.network.vpn.RemoteAccessVpnService;
import com.cloud.network.vpn.Site2SiteVpnManager;
import com.cloud.projects.Project;
import com.cloud.projects.Project.ListProjectResourcesCriteria;
-import com.cloud.projects.ProjectInvitationVO;
import com.cloud.projects.ProjectManager;
import com.cloud.projects.ProjectVO;
import com.cloud.projects.dao.ProjectAccountDao;
@@ -387,8 +386,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
for (SecurityChecker checker : _securityCheckers) {
try {
if (checker.checkAccess(acct, null, null, "SystemCapability")) {
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("Root Access granted to " + acct + " by " + checker.getName());
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
}
return true;
}
@@ -410,8 +409,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
for (SecurityChecker checker : _securityCheckers) {
try {
if (checker.checkAccess(acct, null, null, "DomainCapability")) {
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("DomainAdmin Access granted to " + acct + " by " + checker.getName());
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("DomainAdmin Access granted to " + acct + " by " + checker.getName());
}
return true;
}
@@ -441,8 +440,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
for (SecurityChecker checker : _securityCheckers) {
try {
if (checker.checkAccess(acct, null, null, "DomainResourceCapability")) {
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("ResourceDomainAdmin Access granted to " + acct + " by " + checker.getName());
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("ResourceDomainAdmin Access granted to " + acct + " by " + checker.getName());
}
return true;
}
@@ -482,89 +481,90 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
- public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
- checkAccess(caller, accessType, sameOwner, null, entities);
+ public void checkAccess(Account caller, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
+ checkAccess(caller, accessType, null, entities);
}
@Override
- public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) {
- //check for the same owner
- Long ownerId = null;
- ControlledEntity prevEntity = null;
- if (sameOwner) {
- for (ControlledEntity entity : entities) {
- if (sameOwner) {
- if (ownerId == null) {
- ownerId = entity.getAccountId();
- } else if (ownerId.longValue() != entity.getAccountId()) {
- throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
- }
- prevEntity = entity;
- }
- }
+ public void checkAccess(Account caller, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
+ boolean granted = false;
+ // construct entities identification string
+ StringBuffer entityBuf = new StringBuffer("{");
+ for (ControlledEntity ent : entities) {
+ entityBuf.append(ent.toString());
}
+ entityBuf.append("}");
+ String entityStr = entityBuf.toString();
- if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
- // no need to make permission checks if the system/root admin makes the call
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
- }
- return;
- }
+ boolean isRootAdmin = isRootAdmin(caller.getAccountId());
+ boolean isDomainAdmin = isDomainAdmin(caller.getAccountId());
+ boolean isResourceDomainAdmin = isResourceDomainAdmin(caller.getAccountId());
- HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>();
+ if ((isRootAdmin || isDomainAdmin || isResourceDomainAdmin || caller.getId() == Account.ACCOUNT_ID_SYSTEM)
+ && (accessType == null || accessType == AccessType.UseEntry)) {
- for (ControlledEntity entity : entities) {
- long domainId = entity.getDomainId();
- if (entity.getAccountId() != -1 && domainId == -1) { // If account exists domainId should too so calculate
- // it. This condition might be hit for templates or entities which miss domainId in their tables
- Account account = ApiDBUtils.findAccountById(entity.getAccountId());
- domainId = account != null ? account.getDomainId() : -1;
- }
- if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) &&
- !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
- List<ControlledEntity> toBeChecked = domains.get(entity.getDomainId());
- // for templates, we don't have to do cross domains check
- if (toBeChecked == null) {
- toBeChecked = new ArrayList<ControlledEntity>();
- domains.put(domainId, toBeChecked);
+ for (ControlledEntity entity : entities) {
+ if (entity instanceof VirtualMachineTemplate || (entity instanceof Network && accessType != null && (isDomainAdmin || isResourceDomainAdmin))
+ || entity instanceof AffinityGroup || entity instanceof SecurityGroup) {
+ // Go through IAM (SecurityCheckers)
+ for (SecurityChecker checker : _securityCheckers) {
+ if (checker.checkAccess(caller, accessType, apiName, entity)) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Access to " + entityStr + " granted to " + caller + " by "
+ + checker.getName());
+ }
+ granted = true;
+ break;
+ }
+ }
+ } else {
+ if (isRootAdmin || caller.getId() == Account.ACCOUNT_ID_SYSTEM) {
+ // no need to make permission checks if the system/root
+ // admin makes the call
+ if (s_logger.isTraceEnabled()) {
+ s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
+ }
+ granted = true;
+ } else if (isDomainAdmin || isResourceDomainAdmin) {
+ Domain entityDomain = getEntityDomain(entity);
+ if (entityDomain != null) {
+ try {
+ checkAccess(caller, entityDomain);
+ granted = true;
+ } catch (PermissionDeniedException e) {
+ List<ControlledEntity> entityList = new ArrayList<ControlledEntity>();
+ entityList.add(entity);
+ e.addDetails(caller, entityList);
+ throw e;
+ }
+ }
+ }
+ }
+
+ if (!granted) {
+ assert false : "How can all of the security checkers pass on checking this check: " + entityStr;
+ throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to "
+ + entityStr);
}
- toBeChecked.add(entity);
+
}
- boolean granted = false;
+ } else {
+ // Go through IAM (SecurityCheckers)
for (SecurityChecker checker : _securityCheckers) {
- if (checker.checkAccess(caller, entity, accessType, apiName)) {
+ if (checker.checkAccess(caller, accessType, apiName, entities)) {
if (s_logger.isDebugEnabled()) {
- s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
+ s_logger.debug("Access to " + entityStr + " granted to " + caller + " by " + checker.getName());
}
granted = true;
break;
}
}
-
- if (!granted) {
- assert false : "How can all of the security checkers pass on checking this check: " + entity;
- throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
- }
}
- for (Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
- for (SecurityChecker checker : _securityCheckers) {
- Domain d = _domainMgr.getDomain(domain.getKey());
- if (d == null || d.getRemoved() != null) {
- throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
- }
- try {
- checker.checkAccess(caller, d);
- } catch (PermissionDeniedException e) {
- e.addDetails(caller, domain.getValue());
- throw e;
- }
- }
+ if (!granted) {
+ assert false : "How can all of the security checkers pass on checking this check: " + entityStr;
+ throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entityStr);
}
-
- // check that resources belong to the same account
-
}
private Domain getEntityDomain(ControlledEntity entity) {
@@ -1167,7 +1167,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed");
}
- checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
+ checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account);
if (firstName != null) {
if (firstName.isEmpty()) {
@@ -1284,7 +1284,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("User id : " + userId + " is a system user, disabling is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
boolean success = doSetUserStatus(userId, State.disabled);
if (success) {
@@ -1325,7 +1325,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("User id : " + userId + " is a system user, enabling is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
boolean success = Transaction.execute(new TransactionCallback<Boolean>() {
@Override
@@ -1377,7 +1377,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("user id : " + userId + " is a system user, locking is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
// make sure the account is enabled too
// if the user is either locked already or disabled already, don't change state...only lock currently enabled
@@ -1441,7 +1441,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("The specified account does not exist in the system");
}
- checkAccess(caller, null, true, account);
+ checkAccess(caller, null, account);
// don't allow to delete default account (system and admin)
if (account.isDefault()) {
@@ -1486,7 +1486,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// Check if user performing the action is allowed to modify this account
Account caller = CallContext.current().getCallingAccount();
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
boolean success = enableAccount(account.getId());
if (success) {
@@ -1520,7 +1520,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("Account id : " + accountId + " is a system account, lock is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
if (lockAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@@ -1550,7 +1550,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("Account id : " + accountId + " is a system account, disable is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
if (disableAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@@ -1669,7 +1669,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("The user is default and can't be removed");
}
- checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
+ checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account);
CallContext.current().putContextParameter(User.class, user.getUuid());
return _userDao.remove(id);
}
@@ -2278,373 +2278,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
-
- @Override
- public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
-
- if (sb.entity() instanceof IPAddressVO) {
- sb.and("accountIdIN", ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ);
- } else if (sb.entity() instanceof ProjectInvitationVO) {
- sb.and("accountIdIN", ((ProjectInvitationVO) sb.entity()).getForAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", ((ProjectInvitationVO) sb.entity()).getInDomainId(), SearchCriteria.Op.EQ);
- } else {
- sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
- }
-
- if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
- // if accountId isn't specified, we can do a domain match for the admin case if isRecursive is true
- SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder();
- domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
-
- if (sb.entity() instanceof IPAddressVO) {
- sb.join("domainSearch", domainSearch, ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- } else if (sb.entity() instanceof ProjectInvitationVO) {
- sb.join("domainSearch", domainSearch, ((ProjectInvitationVO) sb.entity()).getInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- } else {
- sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- }
-
- }
- if (listProjectResourcesCriteria != null) {
- SearchBuilder<AccountVO> accountSearch = _accountDao.createSearchBuilder();
- if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
- accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.EQ);
- } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
- accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.NEQ);
- }
-
- if (sb.entity() instanceof IPAddressVO) {
- sb.join("accountSearch", accountSearch, ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- } else if (sb.entity() instanceof ProjectInvitationVO) {
- sb.join("accountSearch", accountSearch, ((ProjectInvitationVO) sb.entity()).getForAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- } else {
- sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- }
- }
- }
-
- @Override
- public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
-
- if (listProjectResourcesCriteria != null) {
- sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT);
- }
-
- if (!permittedAccounts.isEmpty()) {
- sc.setParameters("accountIdIN", permittedAccounts.toArray());
- } else if (domainId != null) {
- DomainVO domain = _domainDao.findById(domainId);
- if (isRecursive) {
- sc.setJoinParameters("domainSearch", "path", domain.getPath() + "%");
- } else {
- sc.setParameters("domainId", domainId);
- }
- }
- }
-
-// @Override
-// public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long>
-// permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
-// boolean listAll, boolean forProjectInvitation) {
-// Long domainId = domainIdRecursiveListProject.first();
-// if (domainId != null) {
-// Domain domain = _domainDao.findById(domainId);
-// if (domain == null) {
-// throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
-// }
-// // check permissions
-// checkAccess(caller, domain);
-// }
-//
-// if (accountName != null) {
-// if (projectId != null) {
-// throw new InvalidParameterValueException("Account and projectId can't be specified together");
-// }
-//
-// Account userAccount = null;
-// Domain domain = null;
-// if (domainId != null) {
-// userAccount = _accountDao.findActiveAccount(accountName, domainId);
-// domain = _domainDao.findById(domainId);
-// } else {
-// userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
-// domain = _domainDao.findById(caller.getDomainId());
-// }
-//
-// if (userAccount != null) {
-// checkAccess(caller, null, false, userAccount);
-// //check permissions
-// permittedAccounts.add(userAccount.getId());
-// } else {
-// throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
-// }
-// }
-//
-// // set project information
-// if (projectId != null) {
-// if (!forProjectInvitation) {
-// if (projectId.longValue() == -1) {
-// if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
-// permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
-// } else {
-// domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
-// }
-// } else {
-// Project project = _projectMgr.getProject(projectId);
-// if (project == null) {
-// throw new InvalidParameterValueException("Unable to find project by id " + projectId);
-// }
-// if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
-// throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
-// }
-// permittedAccounts.add(project.getProjectAccountId());
-// }
-// }
-// } else {
-// if (id == null) {
-// domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
-// }
-// if (permittedAccounts.isEmpty() && domainId == null) {
-// if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
-// permittedAccounts.add(caller.getId());
-// } else if (!listAll) {
-// if (id == null) {
-// permittedAccounts.add(caller.getId());
-// } else if (!isRootAdmin(caller.getId())) {
-// domainIdRecursiveListProject.first(caller.getDomainId());
-// domainIdRecursiveListProject.second(true);
-// }
-// } else if (domainId == null) {
-// if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
-// domainIdRecursiveListProject.first(caller.getDomainId());
-// domainIdRecursiveListProject.second(true);
-// }
-// }
-// } else if (domainId != null) {
-// if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
-// permittedAccounts.add(caller.getId());
-// }
-// }
-//
-// }
-// }
-
- //TODO: deprecate this to use the new buildACLSearchParameters with permittedDomains, permittedAccounts, and permittedResources as return
- @Override
- public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long>
- permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
- boolean listAll, boolean forProjectInvitation) {
- Long domainId = domainIdRecursiveListProject.first();
- if (domainId != null) {
- Domain domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
- }
- // check permissions
- checkAccess(caller, domain);
- }
-
- if (accountName != null) {
- if (projectId != null) {
- throw new InvalidParameterValueException("Account and projectId can't be specified together");
- }
-
- Account userAccount = null;
- Domain domain = null;
- if (domainId != null) {
- userAccount = _accountDao.findActiveAccount(accountName, domainId);
- domain = _domainDao.findById(domainId);
- } else {
- userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
- domain = _domainDao.findById(caller.getDomainId());
- }
-
- if (userAccount != null) {
- checkAccess(caller, null, false, userAccount);
- // check permissions
- permittedAccounts.add(userAccount.getId());
- } else {
- throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
- }
- }
-
- // set project information
- if (projectId != null) {
- if (!forProjectInvitation) {
- if (projectId.longValue() == -1) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
- permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
- } else {
- domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
- }
- } else {
- Project project = _projectMgr.getProject(projectId);
- if (project == null) {
- throw new InvalidParameterValueException("Unable to find project by id " + projectId);
- }
- if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
- throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
- }
- permittedAccounts.add(project.getProjectAccountId());
- }
- }
- } else {
- if (id == null) {
- domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
- }
- if (permittedAccounts.isEmpty() && domainId == null) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
- permittedAccounts.add(caller.getId());
- } else if (!listAll) {
- if (id == null) {
- permittedAccounts.add(caller.getId());
- } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
- domainIdRecursiveListProject.first(caller.getDomainId());
- domainIdRecursiveListProject.second(true);
- }
- } else if (domainId == null) {
- if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
- domainIdRecursiveListProject.first(caller.getDomainId());
- domainIdRecursiveListProject.second(true);
- }
- }
- } else if (domainId != null) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
- permittedAccounts.add(caller.getId());
- }
- }
-
- }
-
- }
-
-
- @Override
- public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
-
- sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
-
- if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
- // if accountId isn't specified, we can do a domain match for the
- // admin case if isRecursive is true
- sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
- }
-
- if (listProjectResourcesCriteria != null) {
- if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
- } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
- }
- }
-
- }
-
- @Override
- public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
-
- if (!revokedIds.isEmpty()) {
- sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
- }
- if (permittedAccounts.isEmpty() && domainId == null && listProjectResourcesCriteria == null) {
- // caller role authorize him to access everything matching query criteria
- return;
-
- }
- boolean hasOp = true;
- if (!permittedAccounts.isEmpty()) {
- sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
- } else if (domainId != null) {
- if (isRecursive) {
- // if accountId isn't specified, we can do a domain match for the
- // admin case if isRecursive is true
- sb.and().op("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
- } else {
- sb.and().op("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
- }
- } else {
- hasOp = false;
- }
-
-
- if (listProjectResourcesCriteria != null) {
- if (hasOp) {
- if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
- } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
- }
- } else {
- if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
- sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
- } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
- sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
- }
- }
- }
-
- if (!grantedIds.isEmpty()) {
- sb.or("idIN", sb.entity().getId(), SearchCriteria.Op.IN);
- }
- sb.cp();
-
-
- }
-
- @Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
- if (listProjectResourcesCriteria != null) {
- sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT);
- }
-
- if (!permittedAccounts.isEmpty()) {
- sc.setParameters("accountIdIN", permittedAccounts.toArray());
- } else if (domainId != null) {
- DomainVO domain = _domainDao.findById(domainId);
- if (isRecursive) {
- sc.setParameters("domainPath", domain.getPath() + "%");
- } else {
- sc.setParameters("domainId", domainId);
- }
- }
-
- }
-
- @Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
- if (!revokedIds.isEmpty()) {
- sc.setParameters("idNIN", revokedIds.toArray());
- }
-
- if (listProjectResourcesCriteria != null) {
- sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT);
- }
-
- if (!permittedAccounts.isEmpty()) {
- sc.setParameters("accountIdIN", permittedAccounts.toArray());
- } else if (domainId != null) {
- DomainVO domain = _domainDao.findById(domainId);
- if (isRecursive) {
- sc.setParameters("domainPath", domain.getPath() + "%");
- } else {
- sc.setParameters("domainId", domainId);
- }
- }
-
- if (!grantedIds.isEmpty()) {
- sc.setParameters("idIN", grantedIds.toArray());
- }
- }
-
@Override
public UserAccount getUserByApiKey(String apiKey) {
return _userAccountDao.getUserByApiKey(apiKey);
@@ -2688,8 +2321,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (userAccount != null) {
//check permissions
- checkAccess(caller, null, false, userAccount);
- permittedAccounts.add(userAccount.getId());
+ checkAccess(caller, null, userAccount);
+ accountId = userAccount.getId();
} else {
throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
}
@@ -2803,6 +2436,120 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
+ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, boolean isRecursive,
+ List<Long> permittedDomains,
+ List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+
+ if (listProjectResourcesCriteria != null) {
+ // add criteria for project or not
+ SearchBuilder<AccountVO> accountSearch = _accountDao.createSearchBuilder();
+ if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+ accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.EQ);
+ } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+ accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.NEQ);
+ }
+
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.join("accountSearch", accountSearch, ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ } else {
+ sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ }
+ }
+ if (permittedDomains.isEmpty() && permittedAccounts.isEmpty() && permittedResources.isEmpty())
+ // can access everything
+ return;
+
+ if (!permittedAccounts.isEmpty() || !permittedResources.isEmpty()) {
+ if (!permittedAccounts.isEmpty()) {
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.and().op("accountIdIn", ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN);
+ } else {
+ sb.and().op("accountIdIn", sb.entity().getAccountId(), SearchCriteria.Op.IN);
+ }
+ if (!permittedResources.isEmpty()) {
+ sb.or("idIn", ((InternalIdentity)sb.entity()).getId(), SearchCriteria.Op.IN);
+ }
+ } else {
+ // permittedResources is not empty
+ sb.and().op("idIn", ((InternalIdentity)sb.entity()).getId(), SearchCriteria.Op.IN);
+ }
+ if (!permittedDomains.isEmpty()) {
+ if (isRecursive) {
+ SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder();
+ for (int i = 0; i < permittedDomains.size(); i++) {
+ domainSearch.or("path" + i, domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
+ }
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ } else {
+ sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ }
+ } else {
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.or("domainIdIn", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.IN);
+ } else {
+ sb.or("domainIdIn", sb.entity().getDomainId(), SearchCriteria.Op.IN);
+ }
+ }
+ }
+ sb.cp();
+ } else {
+ // permittedDomains is not empty
+ if (isRecursive) {
+ SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder();
+ domainSearch.and().op("path0", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
+ for (int i = 1; i < permittedDomains.size(); i++) {
+ domainSearch.or("path" + i, domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
+ }
+ domainSearch.cp();
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ } else {
+ sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ }
+ } else {
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.and().op("domainIdIn", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.IN);
+ } else {
+ sb.and().op("domainIdIn", sb.entity().getDomainId(), SearchCriteria.Op.IN);
+ }
+ sb.cp();
+ }
+ }
+ }
+
+ @Override
+ public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, boolean isRecursive,
+ List<Long> permittedDomains,
+ List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+
+ if (listProjectResourcesCriteria != null) {
+ sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT);
+ }
+
+ if (permittedDomains.isEmpty() && permittedAccounts.isEmpty() && permittedResources.isEmpty())
+ // can access everything
+ return;
+
+ if (!permittedAccounts.isEmpty()) {
+ sc.setParameters("accountIdIn", permittedAccounts.toArray());
+ }
+ if (!permittedResources.isEmpty()) {
+ sc.setParameters("idIn", permittedResources.toArray());
+ }
+ if (!permittedDomains.isEmpty()) {
+ if (isRecursive) {
+ for (int i = 0; i < permittedDomains.size(); i++) {
+ DomainVO domain = _domainDao.findById(permittedDomains.get(i));
+ sc.setJoinParameters("domainSearch", "path" + i, domain.getPath() + "%");
+ }
+ } else {
+ sc.setParameters("domainIdIn", permittedDomains.toArray());
+ }
+ }
+ }
+
+ @Override
public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, SearchCriteria<? extends ControlledEntity> aclSc, boolean isRecursive,
List<Long> permittedDomains,
List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {