Posted to commits@cloudstack.apache.org by no...@apache.org on 2013/02/28 15:56:03 UTC
[10/20] git commit: refs/heads/noa/packaging_rpm_fixes -
CLOUDSTACK-1418- As regular user ,
we are not allowed to deploy VM on a shared network.
CLOUDSTACK-1418- As a regular user, we are not allowed to deploy a VM on a shared network.
- Added the access type attribute to @acl
- Domainchecker needs the AccessType.UseNetwork value specified to check access to network
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/336d133f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/336d133f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/336d133f
Branch: refs/heads/noa/packaging_rpm_fixes
Commit: 336d133f942127447762328410a3cdcc25016051
Parents: 3e0e929
Author: Prachi Damle <pr...@cloud.com>
Authored: Wed Feb 27 16:56:14 2013 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Wed Feb 27 17:19:55 2013 -0800
----------------------------------------------------------------------
api/src/org/apache/cloudstack/api/ACL.java | 4 +++
.../api/command/user/vm/DeployVMCmd.java | 4 +-
server/src/com/cloud/api/ApiDispatcher.java | 20 ++++++++------
3 files changed, 17 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/336d133f/api/src/org/apache/cloudstack/api/ACL.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ACL.java b/api/src/org/apache/cloudstack/api/ACL.java
index 3623d1a..ce93b6a 100644
--- a/api/src/org/apache/cloudstack/api/ACL.java
+++ b/api/src/org/apache/cloudstack/api/ACL.java
@@ -22,10 +22,14 @@ import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
@Retention(RetentionPolicy.RUNTIME)
@Target({ FIELD })
public @interface ACL {
+ AccessType accessType() default AccessType.ListEntry;
+
boolean checkKeyAccess() default false;
boolean checkValueAccess() default false;
}
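Review bot: The new `accessType()` element defaults to `AccessType.ListEntry`, so every field that still carries a bare `@ACL` is now checked with that value, where the dispatcher previously passed `null` (see the `checkAccess` call changed in ApiDispatcher.java). Whether the checkers treat `null` and `ListEntry` identically is not visible in this commit, so it is worth confirming that no existing parameter becomes more permissive or more restrictive as a side effect. The element also has no Javadoc; I would add one above it, for example `/** Access type passed to the access check for the annotated parameter's entity; defaults to ListEntry. */`.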
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/336d133f/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java
index 0ac6476..21a45f8 100755
--- a/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java
@@ -24,6 +24,7 @@ import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
@@ -53,7 +54,6 @@ import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.hypervisor.Hypervisor.HypervisorType;
-import com.cloud.network.IpAddress;
import com.cloud.network.Network;
import com.cloud.network.Network.IpAddresses;
import com.cloud.offering.DiskOffering;
@@ -103,7 +103,7 @@ public class DeployVMCmd extends BaseAsyncCreateCmd {
private Long domainId;
//Network information
- @ACL
+ @ACL(accessType = AccessType.UseNetwork)
@Parameter(name=ApiConstants.NETWORK_IDS, type=CommandType.LIST, collectionType=CommandType.UUID, entityType=NetworkResponse.class,
description="list of network ids used by virtual machine. Can't be specified with ipToNetworkList parameter")
private List<Long> networkIds;
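Review bot: Only `networkIds` is switched to `AccessType.UseNetwork` here, yet the parameter description in this hunk names `ipToNetworkList` as the alternative way to pass networks. That field lies outside the hunk, so I cannot tell whether it carries an `@ACL` annotation at all; if it does not, networks supplied through it would not reach the dispatcher's access check with this access type. Please confirm both paths are checked the same way. A short comment on the annotation would also help the next reader, e.g. `// UseNetwork is what DomainChecker needs to evaluate network access (CLOUDSTACK-1418)`.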
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/336d133f/server/src/com/cloud/api/ApiDispatcher.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiDispatcher.java b/server/src/com/cloud/api/ApiDispatcher.java
index 94abe50..552dea5 100755
--- a/server/src/com/cloud/api/ApiDispatcher.java
+++ b/server/src/com/cloud/api/ApiDispatcher.java
@@ -24,6 +24,7 @@ import java.text.ParseException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -35,6 +36,7 @@ import javax.inject.Inject;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.InfrastructureEntity;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@@ -87,7 +89,7 @@ public class ApiDispatcher {
public ApiDispatcher() {
}
-
+
@PostConstruct
void init() {
s_instance = this;
@@ -106,7 +108,7 @@ public class ApiDispatcher {
}
- private void doAccessChecks(BaseCmd cmd, List<Object> entitiesToAccess) {
+ private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess) {
Account caller = UserContext.current().getCaller();
Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId());
@@ -118,9 +120,9 @@ public class ApiDispatcher {
if(!entitiesToAccess.isEmpty()){
//check that caller can access the owner account.
_accountMgr.checkAccess(caller, null, true, owner);
- for(Object entity : entitiesToAccess) {
+ for (Object entity : entitiesToAccess.keySet()) {
if (entity instanceof ControlledEntity) {
- _accountMgr.checkAccess(caller, null, true, (ControlledEntity) entity);
+ _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity) entity);
}
else if (entity instanceof InfrastructureEntity) {
//FIXME: Move this code in adapter, remove code from Account manager
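Review bot: The loop in `doAccessChecks` walks `keySet()` and then calls `entitiesToAccess.get(entity)` for each key. Iterating the entries avoids the second lookup and keeps the entity visibly paired with its access type: `for (Map.Entry<Object, AccessType> e : entitiesToAccess.entrySet())`, using `e.getKey()` and `e.getValue()` in the body. The method starts and ends outside this hunk.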
@@ -164,11 +166,11 @@ public class ApiDispatcher {
@SuppressWarnings({ "unchecked", "rawtypes" })
public static void processParameters(BaseCmd cmd, Map<String, String> params) {
- List<Object> entitiesToAccess = new ArrayList<Object>();
+ Map<Object, AccessType> entitiesToAccess = new HashMap<Object, AccessType>();
Map<String, Object> unpackedParams = cmd.unpackParams(params);
-
+
cmd = ComponentContext.getTargetObject(cmd);
-
+
if (cmd instanceof BaseListCmd) {
Object pageSizeObj = unpackedParams.get(ApiConstants.PAGE_SIZE);
Long pageSize = null;
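Review bot: Replacing the list with a `HashMap` keyed by the entity means one entity can carry only one `AccessType`. If two `@ACL` fields of a command resolve to the same object, or to objects that compare equal, the later `put` in the two hunks below overwrites the earlier value and only that access type is checked. Whether the entity classes override `equals`/`hashCode` is not visible here. If the stricter check must never be dropped, keep the pairs in a list, or at least detect the conflict with `AccessType prev = entitiesToAccess.put(entityObj, checkAccess.accessType());` and fail when `prev` is non-null and different. `processParameters` continues outside this hunk.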
@@ -260,7 +262,7 @@ public class ApiDispatcher {
List<Long> listParam = (List<Long>) field.get(cmd);
for (Long entityId : listParam) {
Object entityObj = s_instance._entityMgr.findById(entity, entityId);
- entitiesToAccess.add(entityObj);
+ entitiesToAccess.put(entityObj, checkAccess.accessType());
}
break;
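Review bot: The result of `findById` goes into the map without a null check, here and in the `LONG`/`UUID` case of the next hunk. `HashMap` accepts a null key, and in `doAccessChecks` a null entity matches neither `instanceof` branch, so an id that resolves to nothing passes the access-check stage without any check being run. Whether later validation rejects such an id is not visible in this diff. I would reject it at this point with `if (entityObj == null)` followed by the dispatcher's usual invalid-parameter error, rather than rely on that. The enclosing switch and method extend outside the hunk.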
/*
@@ -281,7 +283,7 @@ public class ApiDispatcher {
case LONG:
case UUID:
Object entityObj = s_instance._entityMgr.findById(entity, (Long) field.get(cmd));
- entitiesToAccess.add(entityObj);
+ entitiesToAccess.put(entityObj, checkAccess.accessType());
break;
default:
break;