Posted to commits@cloudstack.apache.org by al...@apache.org on 2013/12/04 21:03:09 UTC
git commit: updated refs/heads/master to f197334
Updated Branches:
refs/heads/master b0a1528c5 -> f1973340d
CLOUDSTACK-5152: when deployVm with SG, verify that vm and sg belong to the same account. Do this verification even when the call is done by the ROOT admin
Conflicts:
server/src/com/cloud/user/AccountManagerImpl.java
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f1973340
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f1973340
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f1973340
Branch: refs/heads/master
Commit: f1973340d30042ae39c7465adfbc5a9537b3e3fa
Parents: b0a1528
Author: Alena Prokharchyk <al...@citrix.com>
Authored: Wed Dec 4 11:36:33 2013 -0800
Committer: Alena Prokharchyk <al...@citrix.com>
Committed: Wed Dec 4 11:55:27 2013 -0800
----------------------------------------------------------------------
.../src/com/cloud/user/AccountManagerImpl.java | 32 ++++++++++++--------
1 file changed, 19 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f1973340/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 43dd622..fa441ae 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -39,7 +39,6 @@ import javax.naming.ConfigurationException;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
-
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker;
@@ -55,6 +54,8 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.log4j.Logger;
import com.cloud.api.ApiDBUtils;
import com.cloud.api.query.vo.ControlledViewEntity;
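Review bot: The two added imports duplicate ones that are still present: `org.apache.commons.codec.binary.Base64` and `org.apache.log4j.Logger` remain as context lines in the first hunk of this file, so after this change each is imported twice. Java accepts a repeated single-type import, but this looks like a leftover from resolving the conflict noted in the commit message. Dropping the two `+` lines here keeps the import block clean.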
@@ -380,6 +381,22 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
+
+ //check for the same owner
+ Long ownerId = null;
+ ControlledEntity prevEntity = null;
+ if (sameOwner) {
+ for (ControlledEntity entity : entities) {
+ if (sameOwner) {
+ if (ownerId == null) {
+ ownerId = entity.getAccountId();
+ } else if (ownerId.longValue() != entity.getAccountId()) {
+ throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
+ }
+ prevEntity = entity;
+ }
+ }
+ }
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getType())) {
// no need to make permission checks if the system/root admin makes the call
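Review bot: The new same-owner loop is the only check that still applies to system and root-admin callers, but the comment `//check for the same owner` does not say that its position ahead of the `isRootAdmin` short-circuit is deliberate, so a later cleanup could move it back below the early return and silently reopen CLOUDSTACK-5152. I would replace it with `// Owner mismatch is rejected for every caller, including system/root admin, so this must stay above the admin short-circuit (CLOUDSTACK-5152)`. The inner `if (sameOwner)` inside the `for` is redundant because the outer `if (sameOwner)` already guards the loop, and can be dropped. A later hunk of this method shows `entity.getAccountId() != -1` being treated specially, so it is worth confirming how such entities should behave here, where -1 is compared like any other owner id. checkAccess continues outside this hunk.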
@@ -390,13 +407,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>();
- Long ownerId = null;
- ControlledEntity prevEntity = null;
for (ControlledEntity entity : entities) {
long domainId = entity.getDomainId();
if (entity.getAccountId() != -1 && domainId == -1) { // If account exists domainId should too so calculate
-// it. This condition might be hit for templates or entities which miss domainId in their tables
+ // it. This condition might be hit for templates or entities which miss domainId in their tables
Account account = ApiDBUtils.findAccountById(entity.getAccountId());
domainId = account != null ? account.getDomainId() : -1;
}
@@ -421,15 +436,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
}
- if (sameOwner) {
- if (ownerId == null) {
- ownerId = entity.getAccountId();
- } else if (ownerId.longValue() != entity.getAccountId()) {
- throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
- }
- prevEntity = entity;
- }
-
if (!granted) {
assert false : "How can all of the security checkers pass on checking this check: " + entity;
throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);