You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by mc...@apache.org on 2013/10/11 08:03:11 UTC
git commit: updated refs/heads/rbac to 00ad196
Updated Branches:
refs/heads/rbac 6b8cee5fc -> 00ad19601
Fix a bug in building acl condition, now we get previous default list
behavior for admin,domain admin and user.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/00ad1960
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/00ad1960
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/00ad1960
Branch: refs/heads/rbac
Commit: 00ad19601b8bfb78241195e6c30fbc9036749601
Parents: 6b8cee5
Author: Min Chen <mi...@citrix.com>
Authored: Thu Oct 10 23:02:49 2013 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Thu Oct 10 23:02:49 2013 -0700
----------------------------------------------------------------------
.../com/cloud/api/query/QueryManagerImpl.java | 6 ++-
.../src/com/cloud/user/AccountManagerImpl.java | 51 ++++++++++++++------
2 files changed, 42 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/00ad1960/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 04d5964..80a2227 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -757,6 +757,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// first search distinct vm id by using query criteria and pagination
SearchBuilder<UserVmJoinVO> sb = _userVmJoinDao.createSearchBuilder();
sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct ids
+
+ // build acl search builder condition
_accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
listProjectResourcesCriteria, grantedIds, revokedIds);
@@ -824,10 +826,12 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("affinityGroupId", sb.entity().getAffinityGroupId(), SearchCriteria.Op.EQ);
}
+
+
// populate the search criteria with the values passed in
SearchCriteria<UserVmJoinVO> sc = sb.create();
- // building ACL condition
+ // building ACL search criteria
_accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
listProjectResourcesCriteria);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/00ad1960/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index db21b3d..03b51f4 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2368,7 +2368,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (rolePerm.getScope() == PermissionScope.ACCOUNT || !listAll) {
// only resource owner can see it, only match account
permittedAccounts.add(caller.getId());
- } else {
+ } else if (rolePerm.getScope() == PermissionScope.DOMAIN) {
// match domain tree based on cmd.isRecursive flag or not
domainIdRecursiveListProject.first(caller.getDomainId());
}
@@ -2403,29 +2403,52 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
- sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
- if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
- // if accountId isn't specified, we can do a domain match for the
- // admin case if isRecursive is true
- sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+ if (!revokedIds.isEmpty()) {
+ sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
}
+ if (permittedAccounts.isEmpty() && domainId == null && listProjectResourcesCriteria == null) {
+ // caller role authorize him to access everything matching query criteria
+ return;
+
+ }
+ boolean hasOp = true;
+ if (!permittedAccounts.isEmpty()) {
+ sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
+ } else if (domainId != null) {
+ if (isRecursive) {
+ // if accountId isn't specified, we can do a domain match for the
+ // admin case if isRecursive is true
+ sb.and().op("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+ } else {
+ sb.and().op("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
+ }
+ } else {
+ hasOp = false;
+ }
+
if (listProjectResourcesCriteria != null) {
- if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
- } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+ if (hasOp) {
+ if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+ sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
+ } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+ sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+ }
+ } else {
+ if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+ sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
+ } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+ sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
+ }
}
}
+
if (!grantedIds.isEmpty()) {
sb.or("idIN", sb.entity().getId(), SearchCriteria.Op.IN);
}
sb.cp();
- if (!revokedIds.isEmpty()) {
- sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
- }
+
}