Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/05/10 03:57:03 UTC

[1/3] git commit: updated refs/heads/master to daadc45

Repository: cloudstack
Updated Branches:
  refs/heads/master f2d9d7184 -> daadc4512


CLOUDSTACK-6600: fix a bug in IAM cache in constructing cache key.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5f8641e9
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5f8641e9
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5f8641e9

Branch: refs/heads/master
Commit: 5f8641e908b16f0a3e7572a6e17e7bb6356c6112
Parents: f2d9d71
Author: Min Chen <mi...@citrix.com>
Authored: Fri May 9 11:10:26 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Fri May 9 18:47:37 2014 -0700

----------------------------------------------------------------------
 .../org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5f8641e9/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index b384d7c..e8a41ef 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -66,6 +66,9 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
         String entityType = null;
         if (entity != null && entity.getEntityType() != null) {
             entityType = entity.getEntityType().getSimpleName();
+            if (entity instanceof InternalIdentity) {
+                entityType += ((InternalIdentity)entity).getId();
+            }
         }
         key.append(entityType != null ? entityType : "null");
         key.append("-");
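Review bot: The id is appended directly onto the simple class name at `entityType += ((InternalIdentity)entity).getId();`, so type and id run together in the cache key, and two different (type, id) pairs can in principle yield the same string when a type name ends in a digit. Because this key selects a cached allow/deny decision, I would keep the two fields separated, e.g. `entityType += ":" + ((InternalIdentity)entity).getId();`. Entities that do not implement InternalIdentity still share one key per type, so a decision cached for one would be reused for another; if such entities can reach this path, bypassing the cache for them would be safer. The enclosing method (presumably buildAccessCacheKey) starts and ends outside the hunk.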
@@ -91,7 +94,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
         String accessKey = buildAccessCacheKey(caller, entity, accessType, action);
         CheckAccessResult allowDeny = (CheckAccessResult)_iamSrv.getFromIAMCache(accessKey);
         if (allowDeny != null) {
-            s_logger.debug("IAM access check for " + accessKey + " from cache");
+            s_logger.debug("IAM access check for " + accessKey + " from cache: " + allowDeny.isAllow());
             if (allowDeny.isAllow()) {
                 return true;
             } else {
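Review bot: The new debug line concatenates `accessKey` and calls `allowDeny.isAllow()` on every cache hit, even when debug logging is disabled. Wrapping it in `if (s_logger.isDebugEnabled()) { ... }` avoids building the string on what is presumably a hot path for access checks. The key carries caller and entity identifiers, so it is worth confirming that debug logs from this class are handled with matching care. The enclosing method continues outside the hunk.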


[3/3] git commit: updated refs/heads/master to daadc45

Posted by mc...@apache.org.
CLOUDSTACK-6628:[Automation] Create PF rule API failing with error
"database id can only provided by VO objects".


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/daadc451
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/daadc451
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/daadc451

Branch: refs/heads/master
Commit: daadc45122b9ee6010f7cbe79d3b960b04a0efba
Parents: 5c3858b
Author: Min Chen <mi...@citrix.com>
Authored: Fri May 9 18:24:54 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Fri May 9 18:48:08 2014 -0700

----------------------------------------------------------------------
 .../command/user/firewall/CreatePortForwardingRuleCmd.java    | 7 ++++++-
 server/src/com/cloud/network/rules/RulesManagerImpl.java      | 5 +++--
 2 files changed, 9 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/daadc451/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
index f18767e..91146ac 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
@@ -19,8 +19,11 @@ package org.apache.cloudstack.api.command.user.firewall;
 import java.util.List;
 
 import org.apache.log4j.Logger;
+import org.bouncycastle.util.IPAddress;
 
 import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
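Review bot: `import org.bouncycastle.util.IPAddress;` brings in Bouncy Castle's address-string validation utility, not a CloudStack entity, and the next hunk lists it as `IPAddress.class` in the `entityType` of `@APICommand`. This looks like an IDE auto-import. The entry should be the project's own IP address entity type (presumably `com.cloud.network.IpAddress`, to be confirmed); otherwise the entity type declared for the ACL-checked IP address parameter does not correspond to anything the access checker can resolve. It also makes the API command depend on a crypto library for no reason visible in this diff.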
@@ -48,7 +51,7 @@ import com.cloud.utils.net.NetUtils;
 import com.cloud.vm.VirtualMachine;
 
 @APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class,
-        VirtualMachine.class},
+        VirtualMachine.class, IPAddress.class},
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements PortForwardingRule {
     public static final Logger s_logger = Logger.getLogger(CreatePortForwardingRuleCmd.class.getName());
@@ -59,6 +62,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P
     // ////////////// API parameters /////////////////////
     // ///////////////////////////////////////////////////
 
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.IP_ADDRESS_ID,
                type = CommandType.UUID,
                entityType = IPAddressResponse.class,
@@ -96,6 +100,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P
                description = "the ending port of port forwarding rule's private port range")
     private Integer publicEndPort;
 
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
                type = CommandType.UUID,
                entityType = UserVmResponse.class,

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/daadc451/server/src/com/cloud/network/rules/RulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index 5d56451..a0d6cd6 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -195,6 +195,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId());
         }
 
+        // This same owner check is actually not needed, since multiple entities OperateEntry trick guarantee that
         if (rule.getAccountId() != userVm.getAccountId()) {
             throw new InvalidParameterValueException("New rule " + rule + " and vm id=" + userVm.getId() + " belong to different accounts");
         }
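Review bot: The added comment `// This same owner check is actually not needed, ...` and the removal of `checkRuleAndUserVm(rule, vm, caller)` in the hunk at new line 268 both assume that two OperateEntry checks imply the rule and the VM belong to the same account. Those checks only show that the caller may operate each entity; a caller with rights over several accounts (a domain or root admin, if OperateEntry is granted that way) would pass both while binding one account's IP to another account's VM. The access checks also live on the API command's `@ACL` annotations, so any caller that reaches this manager code by another route gets no owner check on the create path after this change. I would keep the `rule.getAccountId() != userVm.getAccountId()` comparison there and reword the comment to say it is an invariant enforced independently of the ACL layer. Both enclosing methods start and end outside the hunks.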
@@ -267,8 +268,8 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             if (vm == null) {
                 throw new InvalidParameterValueException("Unable to create port forwarding rule on address " + ipAddress + ", invalid virtual machine id specified (" +
                     vmId + ").");
-            } else {
-                checkRuleAndUserVm(rule, vm, caller);
+            } else if (vm.getState() == VirtualMachine.State.Destroyed || vm.getState() == VirtualMachine.State.Expunging) {
+                throw new InvalidParameterValueException("Invalid user vm: " + vm.getId());
             }
 
             // Verify that vm has nic in the network


[2/3] git commit: updated refs/heads/master to daadc45

Posted by mc...@apache.org.
CLOUDSTACK-6617: [Automation] detach / resize volume test cases failing
with permission error.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5c3858b5
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5c3858b5
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5c3858b5

Branch: refs/heads/master
Commit: 5c3858b5045baaf627af8263cdddd821a57d0ce7
Parents: 5f8641e
Author: Min Chen <mi...@citrix.com>
Authored: Fri May 9 16:39:23 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Fri May 9 18:47:51 2014 -0700

----------------------------------------------------------------------
 .../cloudstack/iam/RoleBasedEntityAccessChecker.java    | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5c3858b5/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index e8a41ef..d418c5a 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -298,16 +298,16 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
         boolean allow;
         String denyMsg;
 
-        public CheckAccessResult(boolean allow) {
-            this(allow, null);
+        public CheckAccessResult(boolean aw) {
+            this(aw, null);
         }
 
         public CheckAccessResult(String msg) {
             this(false, msg);
         }
 
-        public CheckAccessResult(boolean allow, String msg) {
-            allow = allow;
+        public CheckAccessResult(boolean aw, String msg) {
+            allow = aw;
             denyMsg = msg;
         }
 
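Review bot: Renaming the parameter to `aw` fixes the self-assignment `allow = allow;` but makes the constructor signature harder to read; the conventional fix keeps the name and writes `this.allow = allow;`. The following hunk rewrites `setAllow`, which was already correct with `this.allow = allow;`, so that part of the change could be dropped. Instances of this class are read back from the IAM cache and decide later access checks, so the package-visible, mutable `allow` and `denyMsg` fields are worth tightening to `private` (and `final` if `setAllow` turns out to have no callers). The class body continues outside the hunk.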
@@ -315,8 +315,8 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
             return allow;
         }
 
-        public void setAllow(boolean allow) {
-            this.allow = allow;
+        public void setAllow(boolean aw) {
+            allow = aw;
         }