Posted to commits@cloudstack.apache.org by da...@apache.org on 2014/05/02 18:53:58 UTC

[1/3] git commit: updated refs/heads/4.4 to 96cd858

Repository: cloudstack
Updated Branches:
  refs/heads/4.4 c4ab1d577 -> 96cd858d9


CLOUDSTACK-6535: IAM:MS:API createVMSnapshot doesn't preserve access
rights.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4ebde835
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4ebde835
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4ebde835

Branch: refs/heads/4.4
Commit: 4ebde8351924ec14bab8fb9dae59c238ebbcd440
Parents: c4ab1d5
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 1 12:12:52 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Fri May 2 18:52:51 2014 +0200

----------------------------------------------------------------------
 .../api/command/admin/vm/AddNicToVMCmdByAdmin.java      |  3 ++-
 .../command/admin/volume/CreateVolumeCmdByAdmin.java    |  5 ++++-
 .../api/command/user/volume/CreateVolumeCmd.java        |  7 +++++--
 .../src/com/cloud/api/dispatch/ParamProcessWorker.java  | 12 ++++++++++++
 4 files changed, 23 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ebde835/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
index ee6d0e7..3dd22c1 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
@@ -31,8 +31,9 @@ import org.apache.cloudstack.api.response.UserVmResponse;
 import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.uservm.UserVm;
+import com.cloud.vm.VirtualMachine;
 
-@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full,
+@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, entityType = {VirtualMachine.class},
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
 public class AddNicToVMCmdByAdmin extends AddNicToVMCmd {
     public static final Logger s_logger = Logger.getLogger(AddNicToVMCmdByAdmin.class);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ebde835/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java
index 5df7481..8ff3993 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java
@@ -28,8 +28,11 @@ import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.storage.Snapshot;
 import com.cloud.storage.Volume;
+import com.cloud.vm.VirtualMachine;
 
-@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Full)
+@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Full, entityType = {
+        Volume.class, VirtualMachine.class},
+        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class CreateVolumeCmdByAdmin extends CreateVolumeCmd {
     public static final Logger s_logger = Logger.getLogger(CreateVolumeCmdByAdmin.class.getName());
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ebde835/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
index 0fa540c..90c1a16 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
@@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.volume;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
@@ -42,8 +43,10 @@ import com.cloud.event.EventTypes;
 import com.cloud.exception.ResourceAllocationException;
 import com.cloud.storage.Snapshot;
 import com.cloud.storage.Volume;
+import com.cloud.vm.VirtualMachine;
 
-@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Restricted, entityType = {Volume.class},
+@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Restricted, entityType = {
+        Volume.class, VirtualMachine.class},
             requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
     public static final Logger s_logger = Logger.getLogger(CreateVolumeCmd.class.getName());
@@ -103,7 +106,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
     @Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin})
     private Boolean displayVolume;
 
-    @ACL
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
                type = CommandType.UUID,
                entityType = UserVmResponse.class,
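Review bot: The switch from a bare `@ACL` to `@ACL(accessType = AccessType.OperateEntry)` on the virtual machine id parameter carries no comment saying why this parameter needs a different access type, so a later reader cannot tell whether it is deliberate or can be reverted. Because `CreateVolumeCmdByAdmin` extends `CreateVolumeCmd`, the admin variant inherits this field annotation as well, and the requirement applies on both API paths. I would add a line above the annotation such as `// creating a volume for a VM changes that VM, so require operate rights on it rather than the default access type`. The parameter declaration continues past the end of the hunk.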

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ebde835/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
index 2fd7721..d862660 100644
--- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -42,6 +42,7 @@ import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCreateCmd;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.BaseCmd.CommandType;
 import org.apache.cloudstack.api.EntityReference;
@@ -227,6 +228,17 @@ public class ParamProcessWorker implements DispatchWorker {
             owner = caller;
         }
 
+        if (cmd instanceof BaseAsyncCreateCmd) {
+            if (owner.getId() != caller.getId()) {
+                // mimic impersonation either by passing (account, domainId) or through derived owner from other api parameters
+                // in this case, we should check access using the owner
+                _accountMgr.checkAccess(caller, null, owner);
+            }
+        } else {
+            // check access using the caller for other operational cmds
+            owner = caller;
+        }
+
         APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
 
         String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
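Review bot: The added branch chooses the account used from here on purely by `cmd instanceof BaseAsyncCreateCmd`, so a command that derives an owner but does not extend that class silently has the owner replaced by `caller`. For a command that does extend it, the only check on `caller` visible in the hunk is `_accountMgr.checkAccess(caller, null, owner)`. That call passes a null access type, and what `checkAccess` enforces in that case cannot be seen from here. I would document both decisions at the branch, for example `// only BaseAsyncCreateCmd may act for a derived owner; every other command is checked as the caller`, plus a comment on the `checkAccess` call stating what a null access type requires of `caller`. Presumably the entity checks further down in this method run against `owner`, which would make this impersonation check the single gate on the caller, so it deserves a test with a caller who has no rights over the owner account. The method starts and ends outside the hunk.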


[3/3] git commit: updated refs/heads/4.4 to 96cd858

Posted by da...@apache.org.
CLOUDSTACK-6556: Deploy VM failing with error "does
not have permission to access resource Ntwk".


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/96cd858d
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/96cd858d
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/96cd858d

Branch: refs/heads/4.4
Commit: 96cd858d97a06dde6f22d270363255706f1f2101
Parents: 9f79882
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 1 15:07:36 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Fri May 2 18:53:47 2014 +0200

----------------------------------------------------------------------
 server/src/com/cloud/vm/UserVmManagerImpl.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96cd858d/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 44f0bbe..54b9c57 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2394,7 +2394,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
 
                 // Perform account permission check
                 if (network.getAclType() == ACLType.Account) {
-                    _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
+                    _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
                 }
                 networkList.add(network);
             }
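Review bot: After this replacement the `ACLType.Account` branch only verifies that `owner` may use the network; nothing in the hunk checks `caller` any more. When the two accounts differ, the call is therefore safe only if the caller's right to act for `owner` was established earlier in the request. That earlier check is not visible here, so I would state the dependency next to the call, e.g. `// owner, not caller: the caller's access to owner must already have been verified before this point`, or keep an explicit `_accountMgr.checkAccess(caller, null, owner);` ahead of the network checks. The same applies to the identical replacement at `@@ -2682,7 +2682,7 @@` in commit 9f798823. The enclosing methods start and end outside both hunks.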


[2/3] git commit: updated refs/heads/4.4 to 96cd858

Posted by da...@apache.org.
CLOUDSTACK-6556: [Automation] Deploy VM failing with error "does not
have permission to access resource Ntwk".


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/9f798823
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/9f798823
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/9f798823

Branch: refs/heads/4.4
Commit: 9f798823effac147a4d02adc350c940bff2ec9f5
Parents: 4ebde83
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 1 11:33:41 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Fri May 2 18:53:22 2014 +0200

----------------------------------------------------------------------
 server/src/com/cloud/vm/UserVmManagerImpl.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9f798823/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index abc188e..44f0bbe 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2682,7 +2682,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             }
 
             // Perform account permission check on network
-            _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
+            _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
 
             IpAddresses requestedIpPair = null;
             if (requestedIps != null && !requestedIps.isEmpty()) {