You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/05/23 03:27:45 UTC
[7/7] git commit: updated refs/heads/master to ba84808
Disable IAM feature from 4.4 release.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/ba848087
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/ba848087
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/ba848087
Branch: refs/heads/master
Commit: ba848087f8333c2f54d8af362f60d159ea7dc02b
Parents: c0936fe
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 22 18:27:08 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu May 22 18:27:08 2014 -0700
----------------------------------------------------------------------
api/src/com/cloud/network/NetworkModel.java | 4 -
api/src/com/cloud/user/AccountService.java | 7 +-
.../apache/cloudstack/acl/SecurityChecker.java | 6 +-
.../address/AssociateIPAddrCmdByAdmin.java | 5 +-
.../command/admin/vm/AddNicToVMCmdByAdmin.java | 1 +
.../user/address/AssociateIPAddrCmd.java | 1 -
.../firewall/CreatePortForwardingRuleCmd.java | 1 +
.../AssignToLoadBalancerRuleCmd.java | 9 +-
.../ListLBStickinessPoliciesCmd.java | 4 +-
.../command/user/nat/DisableStaticNatCmd.java | 5 +-
.../command/user/nat/EnableStaticNatCmd.java | 9 +-
.../user/snapshot/CreateSnapshotCmd.java | 2 -
.../api/command/user/vm/AddNicToVMCmd.java | 1 -
.../user/vmsnapshot/CreateVMSnapshotCmd.java | 3 +-
.../command/user/volume/AttachVolumeCmd.java | 4 +-
.../command/user/volume/CreateVolumeCmd.java | 4 -
client/pom.xml | 10 -
client/tomcatconf/commands.properties.in | 15 -
.../core/spring-core-registry-core-context.xml | 2 +-
.../com/cloud/upgrade/dao/Upgrade430to440.java | 47 -
.../db/src/com/cloud/utils/db/SearchBase.java | 12 +-
.../lb/InternalLoadBalancerVMManagerImpl.java | 9 +-
.../contrail/management/MockAccountManager.java | 86 +-
server/src/com/cloud/acl/DomainChecker.java | 19 +-
server/src/com/cloud/api/ApiDispatcher.java | 22 +
server/src/com/cloud/api/ApiResponseHelper.java | 2 +-
.../cloud/api/dispatch/ParamProcessWorker.java | 107 +-
.../com/cloud/api/query/QueryManagerImpl.java | 743 ++-----
.../configuration/ConfigurationManagerImpl.java | 4 +-
.../com/cloud/network/IpAddressManagerImpl.java | 17 +-
.../src/com/cloud/network/NetworkModelImpl.java | 22 -
.../com/cloud/network/NetworkServiceImpl.java | 26 +-
.../cloud/network/as/AutoScaleManagerImpl.java | 38 +-
.../network/firewall/FirewallManagerImpl.java | 23 +-
.../lb/LoadBalancingRulesManagerImpl.java | 52 +-
.../VirtualNetworkApplianceManagerImpl.java | 10 +-
.../cloud/network/rules/RulesManagerImpl.java | 47 +-
.../security/SecurityGroupManagerImpl.java | 8 +-
.../network/vpc/NetworkACLServiceImpl.java | 56 +-
.../com/cloud/network/vpc/VpcManagerImpl.java | 65 +-
.../network/vpn/RemoteAccessVpnManagerImpl.java | 42 +-
.../network/vpn/Site2SiteVpnManagerImpl.java | 57 +-
.../com/cloud/projects/ProjectManagerImpl.java | 18 +-
.../resourcelimit/ResourceLimitManagerImpl.java | 8 +-
.../com/cloud/server/ManagementServerImpl.java | 36 +-
.../com/cloud/servlet/ConsoleProxyServlet.java | 2 +-
.../com/cloud/storage/VolumeApiServiceImpl.java | 22 +-
.../storage/snapshot/SnapshotManagerImpl.java | 26 +-
.../cloud/tags/TaggedResourceManagerImpl.java | 4 +-
.../com/cloud/template/TemplateAdapterBase.java | 4 +-
.../com/cloud/template/TemplateManagerImpl.java | 34 +-
server/src/com/cloud/user/AccountManager.java | 33 +-
.../src/com/cloud/user/AccountManagerImpl.java | 615 ++++--
server/src/com/cloud/vm/UserVmManagerImpl.java | 108 +-
.../vm/snapshot/VMSnapshotManagerImpl.java | 25 +-
.../affinity/AffinityGroupServiceImpl.java | 13 +-
.../lb/ApplicationLoadBalancerManagerImpl.java | 15 +-
.../cloudstack/network/lb/CertServiceImpl.java | 8 +-
.../GlobalLoadBalancingRulesServiceImpl.java | 14 +-
.../com/cloud/event/EventControlsUnitTest.java | 2 +-
.../com/cloud/network/MockNetworkModelImpl.java | 8 -
.../cloud/storage/VolumeApiServiceImplTest.java | 2 +-
.../com/cloud/user/MockAccountManagerImpl.java | 75 +-
server/test/com/cloud/vm/UserVmManagerTest.java | 8 +-
.../vm/snapshot/VMSnapshotManagerTest.java | 2 +-
.../com/cloud/vpc/MockNetworkModelImpl.java | 8 -
.../iam/RoleBasedEntityAccessChecker.java | 19 +-
.../iam/RoleBasedEntityQuerySelector.java | 36 +-
.../apache/cloudstack/iam/api/IAMService.java | 3 +-
.../cloudstack/iam/server/IAMServiceImpl.java | 1809 +++++++++---------
.../iam/server/dao/IAMPolicyPermissionDao.java | 2 +-
.../server/dao/IAMPolicyPermissionDaoImpl.java | 7 +-
services/pom.xml | 1 -
test/integration/smoke/test_vm_iam.py | 719 -------
74 files changed, 2121 insertions(+), 3172 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/com/cloud/network/NetworkModel.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/NetworkModel.java b/api/src/com/cloud/network/NetworkModel.java
index 468feb3..9ce024d 100644
--- a/api/src/com/cloud/network/NetworkModel.java
+++ b/api/src/com/cloud/network/NetworkModel.java
@@ -22,8 +22,6 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@@ -277,6 +275,4 @@ public interface NetworkModel {
boolean isNetworkReadyForGc(long networkId);
boolean getNetworkEgressDefaultPolicy(Long networkId);
-
- void checkNetworkPermissions(Account owner, Network network, AccessType accessType);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/com/cloud/user/AccountService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index 6cc86cd..eac8a76 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -103,11 +103,12 @@ public interface AccountService {
RoleType getRoleType(Account account);
- void checkAccess(Account caller, Domain domain) throws PermissionDeniedException;
+ void checkAccess(Account account, Domain domain) throws PermissionDeniedException;
- void checkAccess(Account caller, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException;
+ void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException;
- void checkAccess(Account caller, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException;
+ void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
+ ControlledEntity... entities) throws PermissionDeniedException;
Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/acl/SecurityChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
index 79366bd..4170871 100644
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@@ -31,10 +31,10 @@ import com.cloud.utils.component.Adapter;
public interface SecurityChecker extends Adapter {
public enum AccessType {
- ListEntry,
- UseEntry,
- OperateEntry,
ModifyProject,
+ OperateEntry,
+ UseEntry,
+ ListEntry
}
/**
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
index 494a6d6..dbff93f 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
@@ -31,11 +31,8 @@ import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.IpAddress;
-import com.cloud.network.vpc.Vpc;
-@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full,
- entityType = {IpAddress.class, Vpc.class},
- requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
+@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full)
public class AssociateIPAddrCmdByAdmin extends AssociateIPAddrCmd {
public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmdByAdmin.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
index 3dd22c1..945f849 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
@@ -33,6 +33,7 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.uservm.UserVm;
import com.cloud.vm.VirtualMachine;
+
@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, entityType = {VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
public class AddNicToVMCmdByAdmin extends AddNicToVMCmd {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
index 48fe43e..96174e1 100644
--- a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
@@ -58,7 +58,6 @@ import com.cloud.projects.Project;
import com.cloud.user.Account;
@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Restricted,
- entityType = {IpAddress.class, Vpc.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class AssociateIPAddrCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmd.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
index 6fb120f..865cd1b 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
@@ -49,6 +49,7 @@ import com.cloud.utils.net.Ip;
import com.cloud.utils.net.NetUtils;
import com.cloud.vm.VirtualMachine;
+
@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class,
VirtualMachine.class, IpAddress.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
index db4d70e..dd9adef 100644
--- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
@@ -23,11 +23,8 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
-import com.cloud.utils.net.NetUtils;
import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@@ -41,15 +38,15 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.LoadBalancer;
import com.cloud.user.Account;
import com.cloud.utils.StringUtils;
+import com.cloud.utils.net.NetUtils;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "assignToLoadBalancerRule",
description = "Assigns virtual machine or a list of virtual machines to a load balancer rule.",
- responseObject = SuccessResponse.class, entityType = {FirewallRule.class, VirtualMachine.class},
+ responseObject = SuccessResponse.class,
requestHasSensitiveInfo = false,
responseHasSensitiveInfo = false)
public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
@@ -61,7 +58,6 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
- @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID,
type = CommandType.UUID,
entityType = FirewallRuleResponse.class,
@@ -69,7 +65,6 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
description = "the ID of the load balancer rule")
private Long id;
- @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_IDS,
type = CommandType.LIST,
collectionType = CommandType.UUID,
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
index dd03191..9905c0b 100644
--- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
@@ -86,7 +86,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
if (lb != null) {
//check permissions
Account caller = CallContext.current().getCallingAccount();
- _accountService.checkAccess(caller, null, lb);
+ _accountService.checkAccess(caller, null, true, lb);
List<? extends StickinessPolicy> stickinessPolicies = _lbService.searchForLBStickinessPolicies(this);
LBStickinessResponse spResponse = _responseGenerator.createLBStickinessPolicyResponse(stickinessPolicies, lb);
spResponses.add(spResponse);
@@ -94,7 +94,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
}
response.setResponseName(getCommandName());
- setResponseObject(response);
+ this.setResponseObject(response);
}
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java
index 2a9311e..1df77ec 100644
--- a/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java
@@ -34,11 +34,8 @@ import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.IpAddress;
-import com.cloud.network.vpc.Vpc;
-import com.cloud.vm.VirtualMachine;
@APICommand(name = "disableStaticNat", description = "Disables static rule for given ip address", responseObject = SuccessResponse.class,
- entityType = {IpAddress.class, VirtualMachine.class, Vpc.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class DisableStaticNatCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeletePortForwardingRuleCmd.class.getName());
@@ -92,7 +89,7 @@ public class DisableStaticNatCmd extends BaseAsyncCmd {
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
- setResponseObject(response);
+ this.setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to disable static nat");
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
index 9d88876..aa4e287 100644
--- a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
@@ -18,8 +18,6 @@ package org.apache.cloudstack.api.command.user.nat;
import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@@ -35,13 +33,10 @@ import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.IpAddress;
-import com.cloud.network.vpc.Vpc;
import com.cloud.user.Account;
import com.cloud.uservm.UserVm;
-import com.cloud.vm.VirtualMachine;
@APICommand(name = "enableStaticNat", description = "Enables static nat for given ip address", responseObject = SuccessResponse.class,
- entityType = {IpAddress.class, VirtualMachine.class, Vpc.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class EnableStaticNatCmd extends BaseCmd {
public static final Logger s_logger = Logger.getLogger(CreateIpForwardingRuleCmd.class.getName());
@@ -52,12 +47,10 @@ public class EnableStaticNatCmd extends BaseCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
- @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.IP_ADDRESS_ID, type = CommandType.UUID, entityType = IPAddressResponse.class, required = true, description = "the public IP "
+ "address id for which static nat feature is being enabled")
private Long ipAddressId;
- @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, required = true, description = "the ID of "
+ "the virtual machine for enabling static nat feature")
private Long virtualMachineId;
@@ -140,7 +133,7 @@ public class EnableStaticNatCmd extends BaseCmd {
boolean result = _rulesService.enableStaticNat(ipAddressId, virtualMachineId, getNetworkId(), getVmSecondaryIp());
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
- setResponseObject(response);
+ this.setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to enable static nat");
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
index bd8662e..df7fe82 100644
--- a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
@@ -18,7 +18,6 @@ package org.apache.cloudstack.api.command.user.snapshot;
import org.apache.log4j.Logger;
-import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -63,7 +62,6 @@ public class CreateSnapshotCmd extends BaseAsyncCreateCmd {
description = "The domain ID of the snapshot. If used with the account parameter, specifies a domain for the account associated with the disk volume.")
private Long domainId;
- @ACL
@Parameter(name = ApiConstants.VOLUME_ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "The ID of the disk volume")
private Long volumeId;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
index fd30152..f265ecf 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
@@ -54,7 +54,6 @@ public class AddNicToVMCmd extends BaseAsyncCmd {
required=true, description="Virtual Machine ID")
private Long vmId;
- @ACL
@Parameter(name = ApiConstants.NETWORK_ID, type = CommandType.UUID, entityType = NetworkResponse.class, required = true, description = "Network ID")
private Long netId;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
index 1310ba5..10ff5cd 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
@@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.vmsnapshot;
import java.util.logging.Logger;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
@@ -42,7 +43,7 @@ public class CreateVMSnapshotCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateVMSnapshotCmd.class.getName());
private static final String s_name = "createvmsnapshotresponse";
- @ACL
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, required = true, entityType = UserVmResponse.class, description = "The ID of the vm")
private Long vmId;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
index ab09203..7c2a329 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
@@ -37,8 +37,7 @@ import com.cloud.storage.Volume;
import com.cloud.user.Account;
import com.cloud.vm.VirtualMachine;
-@APICommand(name = "attachVolume", description = "Attaches a disk volume to a virtual machine.", responseObject = VolumeResponse.class, responseView = ResponseView.Restricted, entityType = {
- VirtualMachine.class, Volume.class},
+@APICommand(name = "attachVolume", description = "Attaches a disk volume to a virtual machine.", responseObject = VolumeResponse.class, responseView = ResponseView.Restricted, entityType = {VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class AttachVolumeCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AttachVolumeCmd.class.getName());
@@ -53,7 +52,6 @@ public class AttachVolumeCmd extends BaseAsyncCmd {
+ "* 4 - /dev/xvde" + "* 5 - /dev/xvdf" + "* 6 - /dev/xvdg" + "* 7 - /dev/xvdh" + "* 8 - /dev/xvdi" + "* 9 - /dev/xvdj")
private Long deviceId;
- @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "the ID of the disk volume")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
index dc91261..1e3c01c 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
@@ -19,8 +19,6 @@ package org.apache.cloudstack.api.command.user.volume;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -93,7 +91,6 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
@Parameter(name = ApiConstants.MAX_IOPS, type = CommandType.LONG, description = "max iops")
private Long maxIops;
- @ACL
@Parameter(name = ApiConstants.SNAPSHOT_ID,
type = CommandType.UUID,
entityType = SnapshotResponse.class,
@@ -106,7 +103,6 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
@Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin})
private Boolean displayVolume;
- @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
type = CommandType.UUID,
entityType = UserVmResponse.class,
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/client/pom.xml
----------------------------------------------------------------------
diff --git a/client/pom.xml b/client/pom.xml
index b3d857d..09daebc 100644
--- a/client/pom.xml
+++ b/client/pom.xml
@@ -228,16 +228,6 @@
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-plugin-iam</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
- <artifactId>cloud-iam</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-framework-ipc</artifactId>
<version>${project.version}</version>
</dependency>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/client/tomcatconf/commands.properties.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/commands.properties.in b/client/tomcatconf/commands.properties.in
index da3fbfc..d247aa0 100644
--- a/client/tomcatconf/commands.properties.in
+++ b/client/tomcatconf/commands.properties.in
@@ -732,21 +732,6 @@ listLdapUsers=3
ldapCreateAccount=3
importLdapUsers=3
-### IAM commands
-createIAMPolicy=1
-deleteIAMPolicy=1
-listIAMPolicies=1
-addIAMPermissionToIAMPolicy=1
-removeIAMPermissionFromIAMPolicy=1
-createIAMGroup=1
-deleteIAMGroup=1
-listIAMGroups=1
-addAccountToIAMGroup=1
-removeAccountFromIAMGroup=1
-attachIAMPolicyToIAMGroup=1
-removeIAMPolicyFromIAMGroup=1
-attachIAMPolicyToAccount=1
-removeIAMPolicyFromAccount=1
#### juniper-contrail commands
createServiceInstance=1
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
----------------------------------------------------------------------
diff --git a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
index 0f58d7d..d54823a 100644
--- a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
+++ b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
@@ -46,7 +46,7 @@
<property name="orderConfigKey" value="security.checkers.order" />
<property name="excludeKey" value="security.checkers.exclude" />
<property name="orderConfigDefault"
- value="RoleBasedEntityAccessChecker,AffinityGroupAccessChecker,DomainChecker" />
+ value="AffinityGroupAccessChecker,DomainChecker" />
</bean>
<bean id="resourceDiscoverersRegistry"
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
index 26277dd..da71d44 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
@@ -59,57 +59,10 @@ public class Upgrade430to440 implements DbUpgrade {
@Override
public void performDataMigration(Connection conn) {
- populateIAMGroupAccountMap(conn);
secondaryIpsAccountAndDomainIdsUpdate(conn);
moveCidrsToTheirOwnTable(conn);
}
- // populate iam_group_account_map table for existing accounts
- private void populateIAMGroupAccountMap(Connection conn) {
- PreparedStatement acctInsert = null;
- PreparedStatement acctQuery = null;
- ResultSet rs = null;
-
- s_logger.debug("Populating iam_group_account_map table for existing accounts...");
- try {
- acctInsert = conn
- .prepareStatement("INSERT INTO `cloud`.`iam_group_account_map` (group_id, account_id, created) values(?, ?, Now())");
- acctQuery = conn
- .prepareStatement("select id, type from `cloud`.`account` where removed is null");
- rs = acctQuery.executeQuery();
-
- while (rs.next()) {
- Long acct_id = rs.getLong("id");
- short type = rs.getShort("type");
-
- // insert entry in iam_group_account_map table
- acctInsert.setLong(1, type + 1);
- acctInsert.setLong(2, acct_id);
- acctInsert.executeUpdate();
- }
- } catch (SQLException e) {
- String msg = "Unable to populate iam_group_account_map for existing accounts." + e.getMessage();
- s_logger.error(msg);
- throw new CloudRuntimeException(msg, e);
- } finally {
- try {
- if (rs != null) {
- rs.close();
- }
-
- if (acctInsert != null) {
- acctInsert.close();
- }
- if (acctQuery != null) {
- acctQuery.close();
- }
- } catch (SQLException e) {
- }
- }
- s_logger.debug("Completed populate iam_group_account_map for existing accounts.");
- }
-
-
private void secondaryIpsAccountAndDomainIdsUpdate(Connection conn) {
PreparedStatement pstmt = null;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/framework/db/src/com/cloud/utils/db/SearchBase.java
----------------------------------------------------------------------
diff --git a/framework/db/src/com/cloud/utils/db/SearchBase.java b/framework/db/src/com/cloud/utils/db/SearchBase.java
index 4ec9a41..d19918a 100644
--- a/framework/db/src/com/cloud/utils/db/SearchBase.java
+++ b/framework/db/src/com/cloud/utils/db/SearchBase.java
@@ -235,17 +235,7 @@ public abstract class SearchBase<J extends SearchBase<?, T, K>, T, K> {
if (_entity == null || _specifiedAttrs == null || _specifiedAttrs.size() != 1) {
throw new RuntimeException("Now now, better specify an attribute or else we can't help you");
}
- if (_specifiedAttrs.size() > 0) {
- return _specifiedAttrs.get(0);
- }
- // look for attributes from joins
- for (JoinBuilder<SearchBase<?, ?, ?>> join : _joins.values()) {
- SearchBase<?, ?, ?> sb = join.getT();
- if (sb.getSpecifiedAttribute() != null) {
- return sb.getSpecifiedAttribute();
- }
- }
- throw new CloudRuntimeException("Unable to find any specified attributes. You sure you know what you're doing?");
+ return _specifiedAttrs.get(0);
}
protected List<Attribute> getSpecifiedAttributes() {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
index a794390..8b5b3e0 100644
--- a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
+++ b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
@@ -27,12 +27,11 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
-import org.apache.log4j.Logger;
-
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
+import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.agent.api.Answer;
@@ -522,7 +521,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
return true;
}
- _accountMgr.checkAccess(caller, null, internalLbVm);
+ _accountMgr.checkAccess(caller, null, true, internalLbVm);
_itMgr.expunge(internalLbVm.getUuid());
_internalLbVmDao.remove(internalLbVm.getId());
@@ -537,7 +536,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
}
//check permissions
- _accountMgr.checkAccess(caller, null, internalLbVm);
+ _accountMgr.checkAccess(caller, null, true, internalLbVm);
return stopInternalLbVm(internalLbVm, forced, caller, callerUserId);
}
@@ -915,7 +914,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
}
//check permissions
- _accountMgr.checkAccess(caller, null, internalLbVm);
+ _accountMgr.checkAccess(caller, null, true, internalLbVm);
return startInternalLbVm(internalLbVm, caller, callerUserId, null);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index a39fb43..1a29f9c 100644
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -34,6 +34,7 @@ import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
import org.apache.cloudstack.context.CallContext;
+import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.configuration.ResourceLimit;
import com.cloud.configuration.dao.ResourceCountDao;
import com.cloud.domain.Domain;
@@ -101,6 +102,11 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
}
@Override
+ public void checkAccess(Account arg0, AccessType arg1, boolean arg2, ControlledEntity... arg3) throws PermissionDeniedException {
+ // TODO Auto-generated method stub
+ }
+
+ @Override
public String[] createApiKeyAndSecretKey(RegisterCmd arg0) {
// TODO Auto-generated method stub
return null;
@@ -202,19 +208,7 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
}
- @Override
- public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, boolean isRecursive, List<Long> permittedDomains, List<Long> permittedAccounts,
- List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
- // TODO Auto-generated method stub
- }
-
- @Override
- public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, boolean isRecursive, List<Long> permittedDomains, List<Long> permittedAccounts,
- List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
- // TODO Auto-generated method stub
-
- }
@Override
public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, SearchCriteria<? extends ControlledEntity> aclSc, boolean isRecursive,
@@ -247,6 +241,57 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
return null;
}
+ @Override
+ public void buildACLSearchBuilder(
+ SearchBuilder<? extends ControlledEntity> arg0, Long arg1,
+ boolean arg2, List<Long> arg3, ListProjectResourcesCriteria arg4) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void buildACLSearchCriteria(
+ SearchCriteria<? extends ControlledEntity> arg0, Long arg1,
+ boolean arg2, List<Long> arg3, ListProjectResourcesCriteria arg4) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void buildACLSearchParameters(Account arg0, Long arg1, String arg2,
+ Long arg3, List<Long> arg4,
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> arg5,
+ boolean arg6, boolean arg7) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+ ListProjectResourcesCriteria listProjectResourcesCriteria) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+ ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
+ // TODO Auto-generated method stub
+ }
+
+ @Override
+ public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+ ListProjectResourcesCriteria listProjectResourcesCriteria) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
+ ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
+ // TODO Auto-generated method stub
+
+ }
@Override
public Long checkAccessAndSpecifyAuthority(Account arg0, Long arg1) {
@@ -362,24 +407,15 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
}
-
- @Override
- public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) {
- // TODO Auto-generated method stub
- return null;
- }
-
@Override
- public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
+ public void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
+ ControlledEntity... entities) throws PermissionDeniedException {
// TODO Auto-generated method stub
-
}
@Override
- public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
+ public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) {
// TODO Auto-generated method stub
-
+ return null;
}
-
-
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/server/src/com/cloud/acl/DomainChecker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index 9ee65db..729a0d1 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -19,7 +19,6 @@ package com.cloud.acl;
import javax.ejb.Local;
import javax.inject.Inject;
-import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.ControlledEntity;
@@ -51,8 +50,6 @@ import com.cloud.utils.component.AdapterBase;
@Local(value = SecurityChecker.class)
public class DomainChecker extends AdapterBase implements SecurityChecker {
- public static final Logger s_logger = Logger.getLogger(DomainChecker.class);
-
@Inject
DomainDao _domainDao;
@Inject
@@ -104,15 +101,6 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
throws PermissionDeniedException {
-
- if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountService.isRootAdmin(caller.getId())) {
- // no need to make permission checks if the system/root admin makes the call
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
- }
- return true;
- }
-
if (entity instanceof VirtualMachineTemplate) {
VirtualMachineTemplate template = (VirtualMachineTemplate)entity;
@@ -344,15 +332,20 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
if (action != null && ("SystemCapability".equals(action))) {
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
return true;
+ } else {
+ return false;
}
-
} else if (action != null && ("DomainCapability".equals(action))) {
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
return true;
+ } else {
+ return false;
}
} else if (action != null && ("DomainResourceCapability".equals(action))) {
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
return true;
+ } else {
+ return false;
}
}
return checkAccess(caller, entity, accessType);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/server/src/com/cloud/api/ApiDispatcher.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiDispatcher.java b/server/src/com/cloud/api/ApiDispatcher.java
index b6b9b29..3447662 100755
--- a/server/src/com/cloud/api/ApiDispatcher.java
+++ b/server/src/com/cloud/api/ApiDispatcher.java
@@ -23,6 +23,10 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.InfrastructureEntity;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
@@ -36,6 +40,7 @@ import org.apache.cloudstack.framework.jobs.AsyncJobManager;
import com.cloud.api.dispatch.DispatchChain;
import com.cloud.api.dispatch.DispatchChainFactory;
import com.cloud.api.dispatch.DispatchTask;
+import com.cloud.user.Account;
import com.cloud.user.AccountManager;
public class ApiDispatcher {
@@ -74,6 +79,23 @@ public class ApiDispatcher {
asyncCreationDispatchChain.dispatch(new DispatchTask(cmd, params));
}
+ private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess) {
+ Account caller = CallContext.current().getCallingAccount();
+
+ APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
+ String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
+
+ if (!entitiesToAccess.isEmpty()) {
+ for (Object entity : entitiesToAccess.keySet()) {
+ if (entity instanceof ControlledEntity) {
+ _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), false, apiName, (ControlledEntity) entity);
+ } else if (entity instanceof InfrastructureEntity) {
+ //FIXME: Move this code in adapter, remove code from Account manager
+ }
+ }
+ }
+ }
+
public void dispatch(final BaseCmd cmd, final Map<String, String> params, final boolean execute) throws Exception {
// Let the chain of responsibility dispatch gradually
standardDispatchChain.dispatch(new DispatchTask(cmd, params));
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index 3ec5abc..2a3c164 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -1587,7 +1587,7 @@ public class ApiResponseHelper implements ResponseGenerator {
throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId());
}
} else if (_accountMgr.isDomainAdmin(caller.getId())) {
- _accountMgr.checkAccess(caller, null, jobOwner);
+ _accountMgr.checkAccess(caller, null, true, jobOwner);
}
return createAsyncJobResponse(_jobMgr.queryJob(cmd.getId(), true));
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba848087/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
index ba5bebf..0bb0220 100644
--- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -40,7 +40,6 @@ import org.apache.cloudstack.acl.InfrastructureEntity;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
-import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.BaseCmd;
@@ -56,11 +55,7 @@ import org.apache.cloudstack.api.command.user.event.DeleteEventsCmd;
import org.apache.cloudstack.api.command.user.event.ListEventsCmd;
import org.apache.cloudstack.context.CallContext;
-import com.cloud.dc.DataCenter;
import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.offering.DiskOffering;
-import com.cloud.offering.ServiceOffering;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.utils.DateUtil;
@@ -222,111 +217,27 @@ public class ParamProcessWorker implements DispatchWorker {
}
- private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType> entitiesToAccess) {
+ private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess) {
Account caller = CallContext.current().getCallingAccount();
- Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
- if (owner == null) {
- owner = caller;
- }
+ Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId());
if (cmd instanceof BaseAsyncCreateCmd) {
- if (owner.getId() != caller.getId()) {
- // mimic impersonation either by passing (account, domainId) or through derived owner from other api parameters
- // in this case, we should check access using the owner
- _accountMgr.checkAccess(caller, null, owner);
- }
- } else {
- // check access using the caller for other operational cmds
- owner = caller;
+ // check that caller can access the owner account.
+ _accountMgr.checkAccess(caller, null, true, owner);
}
- APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
-
- String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
-
if (!entitiesToAccess.isEmpty()) {
- List<ControlledEntity> entitiesToOperate = new ArrayList<ControlledEntity>();
+ // check that caller can access the owner account.
+ _accountMgr.checkAccess(caller, null, true, owner);
for (Object entity : entitiesToAccess.keySet()) {
if (entity instanceof ControlledEntity) {
-
- if (AccessType.OperateEntry == entitiesToAccess.get(entity)) {
- entitiesToOperate.add((ControlledEntity) entity);
- } else {
- _accountMgr.checkAccess(owner, entitiesToAccess.get(entity), apiName,
- (ControlledEntity) entity);
- }
+ _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity) entity);
} else if (entity instanceof InfrastructureEntity) {
- if (entity instanceof DataCenter) {
- checkZoneAccess(owner, (DataCenter)entity);
- } else if (entity instanceof ServiceOffering) {
- checkServiceOfferingAccess(owner, (ServiceOffering)entity);
- } else if (entity instanceof DiskOffering) {
- checkDiskOfferingAccess(owner, (DiskOffering)entity);
- }
- }
- }
-
- if (!entitiesToOperate.isEmpty()) {
- _accountMgr.checkAccess(owner, AccessType.OperateEntry, apiName,
- entitiesToOperate.toArray(new ControlledEntity[entitiesToOperate.size()]));
- }
-
- }
- }
-
- private void checkDiskOfferingAccess(Account caller, DiskOffering dof) {
- for (SecurityChecker checker : _secChecker) {
- if (checker.checkAccess(caller, dof)) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Access granted to " + caller + " to disk offering:" + dof.getId() + " by "
- + checker.getName());
- }
- return;
- } else {
- throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName());
- }
- }
-
- assert false : "How can all of the security checkers pass on checking this caller?";
- throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to disk offering:"
- + dof.getId());
- }
-
- private void checkServiceOfferingAccess(Account caller, ServiceOffering sof) {
- for (SecurityChecker checker : _secChecker) {
- if (checker.checkAccess(caller, sof)) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Access granted to " + caller + " to service offering:" + sof.getId() + " by "
- + checker.getName());
+ // FIXME: Move this code in adapter, remove code from
+ // Account manager
}
- return;
- } else {
- throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName());
}
}
-
- assert false : "How can all of the security checkers pass on checking this caller?";
- throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to service offering:"
- + sof.getId());
- }
-
- private void checkZoneAccess(Account caller, DataCenter zone) {
- for (SecurityChecker checker : _secChecker) {
- if (checker.checkAccess(caller, zone)) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Access granted to " + caller + " to zone:" + zone.getId() + " by "
- + checker.getName());
- }
- return;
- } else {
- throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName()
- + " for zone " + zone.getId());
- }
- }
-
- assert false : "How can all of the security checkers pass on checking this caller?";
- throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to zone:"
- + zone.getId());
}
@SuppressWarnings({"unchecked", "rawtypes"})