Posted to commits@cloudstack.apache.org by pr...@apache.org on 2014/05/02 01:08:19 UTC

[1/2] git commit: updated refs/heads/4.4-forward to 2e5b529

Repository: cloudstack
Updated Branches:
  refs/heads/4.4-forward 430d14b67 -> 2e5b52915


CLOUDSTACK-6558 IAM - Admin user is able to deploy VM in a regular user's Security Group.

Changes:
- Even for SecurityGroup, go through IAM to do permission checks for all types of accounts


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e89c6288
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e89c6288
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e89c6288

Branch: refs/heads/4.4-forward
Commit: e89c628843692c9e7046192f5b6d4893b7a45ec6
Parents: 430d14b
Author: Prachi Damle <pr...@cloud.com>
Authored: Thu May 1 12:18:23 2014 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu May 1 16:07:50 2014 -0700

----------------------------------------------------------------------
 .../com/cloud/network/security/SecurityGroupManagerImpl.java    | 4 ++--
 server/src/com/cloud/user/AccountManagerImpl.java               | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e89c6288/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index b4c67b8..a666ecd 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // Verify permissions
-        _accountMgr.checkAccess(caller, null, securityGroup);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
         Long domainId = owner.getDomainId();
 
         if (protocol == null) {
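Review bot: The `// Verify permissions` comment above the changed call does not say why `AccessType.OperateEntry` now replaces `null`, and the identical substitution under `// check permissions` in the second hunk of this file is equally unexplained. Per the commit message, a `null` access type is the case in which admins are granted access without the SecurityChecker path, and the second commit's hunk in AccountManagerImpl shows the per-entity IAM branch is entered only for `null` or `UseEntry`, so a non-null type is what routes the call to the general checker loop; that routing lives in another file and is easy to undo by a later "cleanup" back to `null`. Suggest `// Verify permissions through IAM for every account type; a null access type would let admins bypass the SecurityCheckers (CLOUDSTACK-6558)` here and the same wording at the second hunk. Both enclosing methods start and end outside their hunks.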
@@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, group);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
 
         return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>() {
             @Override

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e89c6288/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index b5fdc3a..301dde4 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -102,6 +102,7 @@ import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.dao.RemoteAccessVpnDao;
 import com.cloud.network.dao.RemoteAccessVpnVO;
 import com.cloud.network.dao.VpnUserDao;
+import com.cloud.network.security.SecurityGroup;
 import com.cloud.network.security.SecurityGroupManager;
 import com.cloud.network.security.dao.SecurityGroupDao;
 import com.cloud.network.vpc.Vpc;
@@ -497,7 +498,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 
             for (ControlledEntity entity : entities) {
                 if (entity instanceof VirtualMachineTemplate || entity instanceof Network
-                        || entity instanceof AffinityGroup) {
+                        || entity instanceof AffinityGroup || entity instanceof SecurityGroup) {
+                    // Go through IAM (SecurityCheckers)
                     for (SecurityChecker checker : _securityCheckers) {
                         if (checker.checkAccess(caller, accessType, apiName, entity)) {
                             if (s_logger.isDebugEnabled()) {
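Review bot: The `instanceof` chain on the changed line is a hand-maintained allowlist of entity types that reach the SecurityChecker loop, and a type missing from it — which is how SecurityGroup was missed — falls through to the non-matching path below, which is outside this hunk and so cannot be confirmed here as a deny. The contract should be stated on the line so the next entity type is not forgotten, e.g. `// Allowlist of entity types routed through the IAM checkers on this path; a type omitted here does not reach them from this branch`, and if the chain keeps growing it is worth moving into a named predicate such as `isIamCheckedEntity(entity)` so the list lives in one place. The enclosing method, including the `if` that gates this branch on `accessType`, starts before the hunk; the comment added to the `else` branch in the next hunk needs no further note.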
@@ -540,6 +542,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 
             }
         } else {
+            // Go through IAM (SecurityCheckers)
             for (SecurityChecker checker : _securityCheckers) {
                 if (checker.checkAccess(caller, accessType, apiName, entities)) {
                     if (s_logger.isDebugEnabled()) {


[2/2] git commit: updated refs/heads/4.4-forward to 2e5b529

Posted by pr...@apache.org.
CLOUDSTACK-6560: IAM - Admin user is denied permission to create Egress rule for a user's network

Changes:
- CS 4.3 handled Network entity in two ways:
a) Specified "UseNetwork" access and did a strict check w.r.t who can use this network. Regular users and Domain Admin went through the strict check. Root admin got access always.
b) Specified "null" access and that meant admins can access this network for the calling API that passes null access.

- Fixing CS 4.4 IAM to handle this behavior:
a) "UseNetwork" is mapped to "UseEntry" and IAM check will be done only for domain admin and regular users when this access is specified. Root Admin is granted access.
b) If "null" access is specified, root and domain admin both are granted access. Regular users still go through IAM.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/2e5b5291
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/2e5b5291
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/2e5b5291

Branch: refs/heads/4.4-forward
Commit: 2e5b5291574417e31b4e81a6cc170e77a0cd7f65
Parents: e89c628
Author: Prachi Damle <pr...@cloud.com>
Authored: Thu May 1 15:40:23 2014 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu May 1 16:07:52 2014 -0700

----------------------------------------------------------------------
 server/src/com/cloud/template/TemplateManagerImpl.java | 2 +-
 server/src/com/cloud/user/AccountManagerImpl.java      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/2e5b5291/server/src/com/cloud/template/TemplateManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index ea51af1..294748f 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -1133,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
         }
 
         if (!template.isPublicTemplate()) {
-            _accountMgr.checkAccess(caller, null, template);
+            _accountMgr.checkAccess(caller, AccessType.ListEntry, template);
         }
 
         List<String> accountNames = new ArrayList<String>();
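Review bot: Switching this call from `null` to `AccessType.ListEntry` changes which branch of `AccountManagerImpl.checkAccess` the template takes — the other hunk of this commit shows the per-entity branch is entered only for `null` or `UseEntry`, so `ListEntry` appears to reach the general checker loop instead — but nothing at the call site records that this is deliberate. Suggest `// Non-null access type so admins also go through the IAM checkers; a null type grants root/domain admins implicitly` above the call. Whether `ListEntry` is the right operation for this method cannot be judged from the hunk (the `accountNames` list below hints at a permissions method, but its name is not shown); the enclosing method starts and ends outside the hunk.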

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/2e5b5291/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 301dde4..4b78141 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -497,7 +497,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                 && (accessType == null || accessType == AccessType.UseEntry)) {
 
             for (ControlledEntity entity : entities) {
-                if (entity instanceof VirtualMachineTemplate || entity instanceof Network
+                if (entity instanceof VirtualMachineTemplate || (entity instanceof Network && accessType != null && (isDomainAdmin || isResourceDomainAdmin))
                         || entity instanceof AffinityGroup || entity instanceof SecurityGroup) {
                     // Go through IAM (SecurityCheckers)
                     for (SecurityChecker checker : _securityCheckers) {
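Review bot: The new clause `accessType != null && (isDomainAdmin || isResourceDomainAdmin)` encodes the CS 4.3 Network semantics from the commit message as a bare compound boolean, and `accessType != null` is only meaningful because the enclosing condition on the first context line restricts `accessType` to `null` or `UseEntry`; `accessType == AccessType.UseEntry` says the same thing without depending on that outer clause. `isDomainAdmin` and `isResourceDomainAdmin` are computed outside the hunk, so whether a regular user can reach this branch with a `null` access type — in which case a Network would now skip the checker loop for them, contrary to point b) of the message — cannot be confirmed here and should be checked. Proposed: `// Network: admins with a null access type are granted; domain admins with UseEntry still go through IAM` above the `if`, and `|| (entity instanceof Network && accessType == AccessType.UseEntry && (isDomainAdmin || isResourceDomainAdmin))` for the clause. The enclosing method starts before the hunk and continues after it.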