You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by mc...@apache.org on 2013/10/11 08:03:11 UTC

git commit: updated refs/heads/rbac to 00ad196

Updated Branches:
  refs/heads/rbac 6b8cee5fc -> 00ad19601


Fix a bug in building acl condition, now we get previous default list
behavior for admin,domain admin and user.

Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/00ad1960
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/00ad1960
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/00ad1960

Branch: refs/heads/rbac
Commit: 00ad19601b8bfb78241195e6c30fbc9036749601
Parents: 6b8cee5
Author: Min Chen <mi...@citrix.com>
Authored: Thu Oct 10 23:02:49 2013 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu Oct 10 23:02:49 2013 -0700

----------------------------------------------------------------------
 .../com/cloud/api/query/QueryManagerImpl.java   |  6 ++-
 .../src/com/cloud/user/AccountManagerImpl.java  | 51 ++++++++++++++------
 2 files changed, 42 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/00ad1960/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 04d5964..80a2227 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -757,6 +757,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         // first search distinct vm id by using query criteria and pagination
         SearchBuilder<UserVmJoinVO> sb = _userVmJoinDao.createSearchBuilder();
         sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct ids
+
+        // build acl search builder condition
         _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
                 listProjectResourcesCriteria, grantedIds, revokedIds);
 
@@ -824,10 +826,12 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             sb.and("affinityGroupId", sb.entity().getAffinityGroupId(), SearchCriteria.Op.EQ);
         }
 
+
+
         // populate the search criteria with the values passed in
         SearchCriteria<UserVmJoinVO> sc = sb.create();
 
-        // building ACL condition
+        // building ACL search criteria
         _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
                 listProjectResourcesCriteria);
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/00ad1960/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index db21b3d..03b51f4 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2368,7 +2368,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                 if (rolePerm.getScope() == PermissionScope.ACCOUNT || !listAll) {
                     // only resource owner can see it, only match account
                     permittedAccounts.add(caller.getId());
-                } else {
+                } else if (rolePerm.getScope() == PermissionScope.DOMAIN) {
                     // match domain tree based on cmd.isRecursive flag or not
                     domainIdRecursiveListProject.first(caller.getDomainId());
                 }
@@ -2403,29 +2403,52 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     @Override
     public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
             ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
-        sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
-        sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
 
-        if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
-            // if accountId isn't specified, we can do a domain match for the
-            // admin case if isRecursive is true
-            sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+        if (!revokedIds.isEmpty()) {
+            sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
         }
+        if (permittedAccounts.isEmpty() && domainId == null && listProjectResourcesCriteria == null) {
+            // caller role authorize him to access everything matching query criteria
+            return;
+
+        }
+        boolean hasOp = true;
+        if (!permittedAccounts.isEmpty()) {
+            sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
+        } else if (domainId != null) {
+            if (isRecursive) {
+                // if accountId isn't specified, we can do a domain match for the
+                // admin case if isRecursive is true
+                sb.and().op("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+            } else {
+                sb.and().op("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
+            }
+        } else {
+            hasOp = false;
+        }
+
 
         if (listProjectResourcesCriteria != null) {
-            if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
-                sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
-            } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
-                sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+            if (hasOp) {
+                if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+                    sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
+                } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+                    sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+                }
+            } else {
+                if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+                    sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
+                } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+                    sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+                }
             }
         }
+
         if (!grantedIds.isEmpty()) {
             sb.or("idIN", sb.entity().getId(), SearchCriteria.Op.IN);
         }
         sb.cp();
-        if (!revokedIds.isEmpty()) {
-            sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
-        }
+
 
     }