Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/03/14 00:55:37 UTC
[44/50] [abbrv] git commit: updated refs/heads/master to 8ff9460
After merge, fix isRootAdmin() calls to use accountId instead of type
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/d9696b26
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/d9696b26
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/d9696b26
Branch: refs/heads/master
Commit: d9696b26e101af6596b60bc3d22b01acf9e88677
Parents: 99bdc8d
Author: Prachi Damle <pr...@cloud.com>
Authored: Thu Mar 13 13:27:04 2014 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Thu Mar 13 13:28:40 2014 -0700
----------------------------------------------------------------------
api/src/com/cloud/user/AccountService.java | 4 +-
.../com/cloud/api/query/QueryManagerImpl.java | 2 +-
.../deploy/DeploymentPlanningManagerImpl.java | 2 +-
.../com/cloud/network/NetworkServiceImpl.java | 2 +-
.../com/cloud/storage/VolumeApiServiceImpl.java | 2 +-
.../src/com/cloud/user/AccountManagerImpl.java | 45 +++++++++++---------
.../com/cloud/uuididentity/UUIDManagerImpl.java | 2 +-
.../com/cloud/user/MockAccountManagerImpl.java | 5 ++-
.../iam/RoleBasedEntityAccessChecker.java | 3 ++
9 files changed, 37 insertions(+), 30 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/api/src/com/cloud/user/AccountService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index 85c71ca..7e37b38 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -88,9 +88,9 @@ public interface AccountService {
User getUserIncludingRemoved(long userId);
- boolean isRootAdmin(long accountId);
+ boolean isRootAdmin(Long accountId);
- boolean isDomainAdmin(long accountId);
+ boolean isDomainAdmin(Long accountId);
boolean isNormalUser(long accountId);
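Review bot: `isRootAdmin` and `isDomainAdmin` now accept a nullable `Long`, but nothing on the interface states what a null id means for an authorization decision. The AccountManagerImpl implementation in this commit returns false for null, so the contract should say so, e.g. `/** Returns true only if the account holds root-admin capability; a null accountId is treated as not an admin. */` above each method. `isNormalUser(long accountId)` keeps the primitive, so a caller holding a null `Long` gets false from two of the sibling checks and a NullPointerException on unboxing from the third; it is worth aligning the signatures or documenting the difference.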
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 0554e3a..b932d42 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -520,7 +520,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
_accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
// For end users display only enabled events
- if(!_accountMgr.isRootAdmin(caller.getType())){
+ if (!_accountMgr.isRootAdmin(caller.getId())) {
sc.setParameters("displayEvent", true);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
index 74c141e..c1f336c 100644
--- a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
+++ b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
@@ -508,7 +508,7 @@ public class DeploymentPlanningManagerImpl extends ManagerBase implements Deploy
// check if zone is dedicated. if yes check if vm owner has acess to it.
DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(dc.getId());
- if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getType())) {
+ if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getId())) {
long accountDomainId = vmProfile.getOwner().getDomainId();
long accountId = vmProfile.getOwner().getAccountId();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/network/NetworkServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index be95a36..9185d84 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -1805,7 +1805,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// Perform permission check
_accountMgr.checkAccess(caller, null, true, network);
- if (forced && !_accountMgr.isRootAdmin(caller.getType())) {
+ if (forced && !_accountMgr.isRootAdmin(caller.getId())) {
throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins");
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/storage/VolumeApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
index 5ce07f0..30b5479 100644
--- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java
+++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
@@ -386,7 +386,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
if (displayVolume == null) {
displayVolume = true;
} else {
- if (!_accountMgr.isRootAdmin(caller.getType())) {
+ if (!_accountMgr.isRootAdmin(caller.getId())) {
throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted ");
}
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 04d3e23..1b68b0c 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -366,37 +366,40 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
- public boolean isRootAdmin(long accountId) {
- AccountVO acct = _accountDao.findById(accountId);
- for (SecurityChecker checker : _securityCheckers) {
- try {
- if (checker.checkAccess(acct, null, null, "SystemCapability")) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ public boolean isRootAdmin(Long accountId) {
+ if (accountId != null) {
+ AccountVO acct = _accountDao.findById(accountId);
+ for (SecurityChecker checker : _securityCheckers) {
+ try {
+ if (checker.checkAccess(acct, null, null, "SystemCapability")) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ }
+ return true;
}
- return true;
+ } catch (PermissionDeniedException ex) {
+ return false;
}
- } catch (PermissionDeniedException ex) {
- return false;
}
}
-
return false;
}
@Override
- public boolean isDomainAdmin(long accountId) {
- AccountVO acct = _accountDao.findById(accountId);
- for (SecurityChecker checker : _securityCheckers) {
- try {
- if (checker.checkAccess(acct, null, null, "DomainCapability")) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ public boolean isDomainAdmin(Long accountId) {
+ if (accountId != null) {
+ AccountVO acct = _accountDao.findById(accountId);
+ for (SecurityChecker checker : _securityCheckers) {
+ try {
+ if (checker.checkAccess(acct, null, null, "DomainCapability")) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ }
+ return true;
}
- return true;
+ } catch (PermissionDeniedException ex) {
+ return false;
}
- } catch (PermissionDeniedException ex) {
- return false;
}
}
return false;
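Review bot: `acct` is handed to `checker.checkAccess(acct, null, null, "SystemCapability")` without a null check, and the loop catches only `PermissionDeniedException`. If `_accountDao.findById(accountId)` can return null for an unknown or removed id (not visible in this hunk), the guard added to `RoleBasedEntityAccessChecker.checkAccess` in this same commit throws `InvalidParameterValueException`, which would escape `isRootAdmin` and `isDomainAdmin` instead of producing a deny. Adding `if (acct == null) { return false; }` right after the lookup in both methods keeps the check fail-closed. The debug message in `isDomainAdmin` still reads `"Root Access granted to "` although the action checked is `"DomainCapability"`, which will mislead anyone auditing admin grants from the logs; `"Domain admin access granted to "` would match. The closing brace of `isDomainAdmin` lies outside the hunk.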
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/uuididentity/UUIDManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/uuididentity/UUIDManagerImpl.java b/server/src/com/cloud/uuididentity/UUIDManagerImpl.java
index c514746..a1d1452 100644
--- a/server/src/com/cloud/uuididentity/UUIDManagerImpl.java
+++ b/server/src/com/cloud/uuididentity/UUIDManagerImpl.java
@@ -50,7 +50,7 @@ public class UUIDManagerImpl implements UUIDManager {
Account caller = CallContext.current().getCallingAccount();
// Only admin and system allowed to do this
- if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType()))) {
+ if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId()))) {
throw new PermissionDeniedException("Please check your permissions, you are not allowed to create/update custom id");
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/test/com/cloud/user/MockAccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index b411b18..f373cba 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -162,7 +162,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
}
@Override
- public boolean isRootAdmin(long accountId) {
+ public boolean isRootAdmin(Long accountId) {
// TODO Auto-generated method stub
return false;
}
@@ -298,7 +298,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
}
@Override
- public boolean isDomainAdmin(long accountId) {
+ public boolean isDomainAdmin(Long accountId) {
// TODO Auto-generated method stub
return false;
}
@@ -356,4 +356,5 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
return null;
}
+
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index 02bb702..3fe854a 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -63,6 +63,9 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
throws PermissionDeniedException {
+ if (caller == null) {
+ throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!");
+ }
if (entity == null && action != null) {
// check if caller can do this action
List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());