Posted to commits@cloudstack.apache.org by da...@apache.org on 2014/05/07 09:21:37 UTC
git commit: updated refs/heads/4.4 to 95efad3
Repository: cloudstack
Updated Branches:
refs/heads/4.4 8985b8bad -> 95efad359
CLOUDSTACK-6581: IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account.
Changes:
- A strict access check in NetworkModel is needed, as in CS 4.3
- We cannot go through accountMgr since accountMgr is relaxed for rootAdmin
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/95efad35
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/95efad35
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/95efad35
Branch: refs/heads/4.4
Commit: 95efad359ef808a4b8755c8b6e0fe9efbb265e2b
Parents: 8985b8b
Author: Prachi Damle <pr...@cloud.com>
Authored: Tue May 6 15:58:05 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Wed May 7 09:21:30 2014 +0200
----------------------------------------------------------------------
.../spring-server-core-managers-context.xml | 1 +
.../src/com/cloud/network/NetworkModelImpl.java | 21 +++++++++++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/95efad35/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
----------------------------------------------------------------------
diff --git a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
index fc1c7e2..09abcb7 100644
--- a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
+++ b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
@@ -74,6 +74,7 @@
<bean id="networkModelImpl" class="com.cloud.network.NetworkModelImpl">
<property name="networkElements" value="#{networkElementsRegistry.registered}" />
+ <property name="securityCheckers" value="#{securityCheckersRegistry.registered}" />
</bean>
<bean id="configurationServerImpl" class="com.cloud.server.ConfigurationServerImpl" />
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/95efad35/server/src/com/cloud/network/NetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index 4267967..f84eccd 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -34,6 +34,7 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
@@ -219,6 +220,16 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
static HashMap<Service, List<Provider>> s_serviceToImplementedProvidersMap = new HashMap<Service, List<Provider>>();
static HashMap<String, String> s_providerToNetworkElementMap = new HashMap<String, String>();
+ List<SecurityChecker> _securityCheckers;
+
+ public List<SecurityChecker> getSecurityCheckers() {
+ return _securityCheckers;
+ }
+
+ public void setSecurityCheckers(List<SecurityChecker> securityCheckers) {
+ _securityCheckers = securityCheckers;
+ }
+
/**
*
*/
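Review bot: The new `_securityCheckers` field and its accessor pair carry no documentation, although the field now decides whether a caller may use a shared network in the access check further down in this file. A Javadoc on the field along the lines of `/** IAM security checkers injected by Spring (securityCheckersRegistry); consulted instead of _accountMgr.checkAccess for shared-network access. */` would tell a maintainer why this class bypasses the account manager. It would also be worth stating in that comment that the list is expected to be non-null and non-empty once the context is wired, since the consuming loop does not guard against either. The enclosing class continues outside the hunk.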
@@ -1586,7 +1597,15 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
+ ", permission denied");
}
} else {
- _accountMgr.checkAccess(owner, accessType, network);
+ // Go through IAM (SecurityCheckers)
+ for (SecurityChecker checker : _securityCheckers) {
+ if (checker.checkAccess(owner, accessType, null, network)) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Access to " + network + " granted to " + owner + " by " + checker.getName());
+ }
+ break;
+ }
+ }
}
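Review bot: The replacement loop in the else branch fails open: when every checker returns false (or `_securityCheckers` is empty), the loop simply finishes and the method continues as if access were granted, whereas the removed `_accountMgr.checkAccess(owner, accessType, network)` call would have thrown on denial. If `SecurityChecker.checkAccess` follows the convention used elsewhere in CloudStack of returning false when a checker does not apply and throwing only on an explicit deny, a `granted` flag must be tracked and a `PermissionDeniedException` (the same type the preceding branch throws) raised after the loop when nothing granted access. Separately, the loop dereferences `_securityCheckers` without a null check; the XML hunk wires it for the server context, but any context that instantiates `NetworkModelImpl` without that property would hit a NullPointerException here rather than a permission error. The enclosing method starts outside the hunk.
```java
} else {
    // Go through IAM (SecurityCheckers); deny unless some checker explicitly grants
    boolean granted = false;
    for (SecurityChecker checker : _securityCheckers) {
        if (checker.checkAccess(owner, accessType, null, network)) {
            // … unchanged: debug log of the granting checker …
            granted = true;
            break;
        }
    }
    if (!granted) {
        throw new PermissionDeniedException("Access to " + network + " denied to " + owner + ", permission denied");
    }
}
```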
}