Posted to commits@cloudstack.apache.org by da...@apache.org on 2014/05/02 18:51:30 UTC

[2/2] git commit: updated refs/heads/4.4 to c4ab1d5

CLOUDSTACK-6560: IAM - Admin user is denied permission to create Egress rule for a user's network

Changes:
- CS 4.3 handled Network entity in two ways:
a) Specified "UseNetwork" access and did a strict check w.r.t who can use this network. Regular users and Domain Admin went through the strict check. Root admin got access always.
b) Specified "null" access and that meant admins can access this network for the calling API that passes null access.

- Fixing CS 4.4 IAM to handle this behavior:
a) "UseNetwork" is mapped to "UseEntry" and the IAM check is done only for domain admins and regular users when this access type is specified. Root Admin is granted access.
b) If "null" access is specified, root and domain admin both are granted access. Regular users still go through IAM.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/c4ab1d57
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/c4ab1d57
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/c4ab1d57

Branch: refs/heads/4.4
Commit: c4ab1d57727af9b81c26a32a09137c06017f7777
Parents: 33c3752
Author: Prachi Damle <pr...@cloud.com>
Authored: Thu May 1 15:40:23 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Fri May 2 18:51:19 2014 +0200

----------------------------------------------------------------------
 server/src/com/cloud/template/TemplateManagerImpl.java | 2 +-
 server/src/com/cloud/user/AccountManagerImpl.java      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c4ab1d57/server/src/com/cloud/template/TemplateManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index ea51af1..294748f 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -1133,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
         }
 
         if (!template.isPublicTemplate()) {
-            _accountMgr.checkAccess(caller, null, template);
+            _accountMgr.checkAccess(caller, AccessType.ListEntry, template);
         }
 
         List<String> accountNames = new ArrayList<String>();
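Review bot: The new line asks for `AccessType.ListEntry` on a non-public template, which is neither of the two access modes (`UseEntry` and `null`) the commit message describes, so nothing in the code records why this call changes from `null` when the rest of the commit is about Network handling. Which branch of `checkAccess` a `ListEntry` request takes is not visible from this hunk, and the only hint is that the `AccountManagerImpl` hunk restricts its IAM block to `null`/`UseEntry`. A one-line comment above the call stating the intent would keep that from being lost, e.g. `// non-public templates: ListEntry so the permission listing is not granted by the admin null-access short-cut`, adjusted to whatever the actual reason is. The enclosing method begins before this hunk and continues after it.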

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c4ab1d57/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 301dde4..4b78141 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -497,7 +497,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                 && (accessType == null || accessType == AccessType.UseEntry)) {
 
             for (ControlledEntity entity : entities) {
-                if (entity instanceof VirtualMachineTemplate || entity instanceof Network
+                if (entity instanceof VirtualMachineTemplate || (entity instanceof Network && accessType != null && (isDomainAdmin || isResourceDomainAdmin))
                         || entity instanceof AffinityGroup || entity instanceof SecurityGroup) {
                     // Go through IAM (SecurityCheckers)
                     for (SecurityChecker checker : _securityCheckers) {
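Review bot: The added `accessType != null` on the Network clause is redundant with the enclosing condition on the first context line, which already limits this block to `null` or `UseEntry`, so the clause effectively means `accessType == AccessType.UseEntry`; writing it that way and lifting it into a named local would make the rule legible, e.g. `boolean networkViaIam = entity instanceof Network && accessType == AccessType.UseEntry && (isDomainAdmin || isResourceDomainAdmin);` followed by `if (entity instanceof VirtualMachineTemplate || networkViaIam || entity instanceof AffinityGroup || entity instanceof SecurityGroup) {`. The change also means a domain admin calling with a `null` access type for a Network no longer reaches the SecurityChecker loop and falls through to whatever the rest of the method does, which is outside this hunk; it is worth confirming that path still verifies the network belongs to the admin's domain tree, since otherwise any domain admin could act on any network through the APIs that pass `null`. Both the enclosing method and the `if` whose condition is cut at the top of the hunk begin before it and continue past it.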