Posted to commits@cloudstack.apache.org by bh...@apache.org on 2013/01/09 05:37:25 UTC
[20/50] [abbrv] git commit: server: Reformat DomainChecker
server: Reformat DomainChecker
Signed-off-by: Rohit Yadav <bh...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/21d6cd30
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/21d6cd30
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/21d6cd30
Branch: refs/heads/master
Commit: 21d6cd304b9a32a5b09b7e96547903e8337c11cf
Parents: 6a112bd
Author: Rohit Yadav <bh...@apache.org>
Authored: Sat Jan 5 17:00:13 2013 -0800
Committer: Rohit Yadav <bh...@apache.org>
Committed: Sat Jan 5 17:00:13 2013 -0800
----------------------------------------------------------------------
server/src/com/cloud/acl/DomainChecker.java | 317 ++++++++++------------
1 files changed, 148 insertions(+), 169 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/21d6cd30/server/src/com/cloud/acl/DomainChecker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index 5ae296e..290c7bf 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -21,7 +21,6 @@ import javax.ejb.Local;
import org.apache.cloudstack.api.BaseCmd;
import com.cloud.dc.DataCenter;
import com.cloud.domain.Domain;
-import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.network.Network;
@@ -39,27 +38,33 @@ import com.cloud.user.dao.AccountDao;
import com.cloud.utils.component.AdapterBase;
import com.cloud.utils.component.Inject;
-@Local(value=SecurityChecker.class)
+@Local(value = SecurityChecker.class)
public class DomainChecker extends AdapterBase implements SecurityChecker {
-
- @Inject DomainDao _domainDao;
- @Inject AccountDao _accountDao;
- @Inject LaunchPermissionDao _launchPermissionDao;
- @Inject ProjectManager _projectMgr;
- @Inject ProjectAccountDao _projecAccountDao;
- @Inject NetworkManager _networkMgr;
-
+
+ @Inject
+ DomainDao _domainDao;
+ @Inject
+ AccountDao _accountDao;
+ @Inject
+ LaunchPermissionDao _launchPermissionDao;
+ @Inject
+ ProjectManager _projectMgr;
+ @Inject
+ ProjectAccountDao _projecAccountDao;
+ @Inject
+ NetworkManager _networkMgr;
+
protected DomainChecker() {
super();
}
-
+
@Override
public boolean checkAccess(Account caller, Domain domain) throws PermissionDeniedException {
if (caller.getState() != Account.State.enabled) {
throw new PermissionDeniedException(caller + " is disabled.");
}
long domainId = domain.getId();
-
+
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (caller.getDomainId() != domainId) {
throw new PermissionDeniedException(caller + " does not have permission to operate within domain id=" + domain.getId());
@@ -67,7 +72,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
} else if (!_domainDao.isChildDomain(caller.getDomainId(), domainId)) {
throw new PermissionDeniedException(caller + " does not have permission to operate within domain id=" + domain.getId());
}
-
+
return true;
}
@@ -83,15 +88,15 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException {
if (entity instanceof VirtualMachineTemplate) {
-
- VirtualMachineTemplate template = (VirtualMachineTemplate)entity;
+
+ VirtualMachineTemplate template = (VirtualMachineTemplate) entity;
Account owner = _accountDao.findById(template.getAccountId());
// validate that the template is usable by the account
if (!template.isPublicTemplate()) {
if (BaseCmd.isRootAdmin(caller.getType()) || (owner.getId() == caller.getId())) {
return true;
}
-
+
// since the current account is not the owner of the template, check the launch permissions table to see if the
// account can launch a VM from this template
LaunchPermissionVO permission = _launchPermissionDao.findByTemplateAndAccount(template.getId(), caller.getId());
@@ -106,31 +111,31 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
}
}
-
+
return true;
} else if (entity instanceof Network && accessType != null && accessType == AccessType.UseNetwork) {
- _networkMgr.checkNetworkPermissions(caller, (Network)entity);
+ _networkMgr.checkNetworkPermissions(caller, (Network) entity);
} else {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
Account account = _accountDao.findById(entity.getAccountId());
-
+
if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
//only project owner can delete/modify the project
if (accessType != null && accessType == AccessType.ModifyProject) {
if (!_projectMgr.canModifyProjectAccount(caller, account.getId())) {
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
}
- } else if (!_projectMgr.canAccessProjectAccount(caller, account.getId())){
+ } else if (!_projectMgr.canAccessProjectAccount(caller, account.getId())) {
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
}
} else {
if (caller.getId() != entity.getAccountId()) {
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
}
- }
+ }
}
}
-
+
return true;
}
@@ -140,168 +145,142 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
return checkAccess(account, entity, null);
}
- @Override
- public boolean checkAccess(Account account, DiskOffering dof) throws PermissionDeniedException
- {
- if(account == null || dof.getDomainId() == null)
- {//public offering
- return true;
- }
- else
- {
- //admin has all permissions
- if(account.getType() == Account.ACCOUNT_TYPE_ADMIN)
- {
- return true;
- }
- //if account is normal user or domain admin
- //check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for disk offering)
- else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
- {
- if(account.getDomainId() == dof.getDomainId())
- {
- return true; //disk offering and account at exact node
- }
- else
- {
- DomainVO domainRecord = _domainDao.findById(account.getDomainId());
- if(domainRecord != null)
- {
- while(true)
- {
- if(domainRecord.getId() == dof.getDomainId())
- {
- //found as a child
- return true;
- }
- if(domainRecord.getParent() != null) {
+ @Override
+ public boolean checkAccess(Account account, DiskOffering dof) throws PermissionDeniedException {
+ if (account == null || dof.getDomainId() == null) {//public offering
+ return true;
+ } else {
+ //admin has all permissions
+ if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+ return true;
+ }
+ //if account is normal user or domain admin
+ //check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for disk offering)
+ else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ if (account.getDomainId() == dof.getDomainId()) {
+ return true; //disk offering and account at exact node
+ } else {
+ Domain domainRecord = _domainDao.findById(account.getDomainId());
+ if (domainRecord != null) {
+ while (true) {
+ if (domainRecord.getId() == dof.getDomainId()) {
+ //found as a child
+ return true;
+ }
+ if (domainRecord.getParent() != null) {
domainRecord = _domainDao.findById(domainRecord.getParent());
} else {
break;
}
- }
- }
- }
- }
- }
- //not found
- return false;
- }
+ }
+ }
+ }
+ }
+ }
+ //not found
+ return false;
+ }
- @Override
- public boolean checkAccess(Account account, ServiceOffering so) throws PermissionDeniedException
- {
- if(account == null || so.getDomainId() == null)
- {//public offering
- return true;
- }
- else
- {
- //admin has all permissions
- if(account.getType() == Account.ACCOUNT_TYPE_ADMIN)
- {
- return true;
- }
- //if account is normal user or domain admin
- //check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for service offering)
- else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
- {
- if(account.getDomainId() == so.getDomainId())
- {
- return true; //service offering and account at exact node
- }
- else
- {
- DomainVO domainRecord = _domainDao.findById(account.getDomainId());
- if(domainRecord != null)
- {
- while(true)
- {
- if(domainRecord.getId() == so.getDomainId())
- {
- //found as a child
- return true;
- }
- if(domainRecord.getParent() != null) {
+ @Override
+ public boolean checkAccess(Account account, ServiceOffering so) throws PermissionDeniedException {
+ if (account == null || so.getDomainId() == null) {//public offering
+ return true;
+ } else {
+ //admin has all permissions
+ if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+ return true;
+ }
+ //if account is normal user or domain admin
+ //check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for service offering)
+ else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ if (account.getDomainId() == so.getDomainId()) {
+ return true; //service offering and account at exact node
+ } else {
+ Domain domainRecord = _domainDao.findById(account.getDomainId());
+ if (domainRecord != null) {
+ while (true) {
+ if (domainRecord.getId() == so.getDomainId()) {
+ //found as a child
+ return true;
+ }
+ if (domainRecord.getParent() != null) {
domainRecord = _domainDao.findById(domainRecord.getParent());
} else {
break;
}
- }
- }
- }
- }
- }
- //not found
- return false;
- }
-
- @Override
- public boolean checkAccess(Account account, DataCenter zone) throws PermissionDeniedException {
- if(account == null || zone.getDomainId() == null){//public zone
- return true;
- }else{
- //admin has all permissions
- if(account.getType() == Account.ACCOUNT_TYPE_ADMIN){
- return true;
- }
- //if account is normal user
- //check if account's domain is a child of zone's domain
- else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT){
- if(account.getDomainId() == zone.getDomainId()){
- return true; //zone and account at exact node
- }else{
- DomainVO domainRecord = _domainDao.findById(account.getDomainId());
- if(domainRecord != null)
- {
- while(true){
- if(domainRecord.getId() == zone.getDomainId()){
- //found as a child
- return true;
- }
- if(domainRecord.getParent() != null) {
+ }
+ }
+ }
+ }
+ }
+ //not found
+ return false;
+ }
+
+ @Override
+ public boolean checkAccess(Account account, DataCenter zone) throws PermissionDeniedException {
+ if (account == null || zone.getDomainId() == null) {//public zone
+ return true;
+ } else {
+ //admin has all permissions
+ if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+ return true;
+ }
+ //if account is normal user
+ //check if account's domain is a child of zone's domain
+ else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+ if (account.getDomainId() == zone.getDomainId()) {
+ return true; //zone and account at exact node
+ } else {
+ Domain domainRecord = _domainDao.findById(account.getDomainId());
+ if (domainRecord != null) {
+ while (true) {
+ if (domainRecord.getId() == zone.getDomainId()) {
+ //found as a child
+ return true;
+ }
+ if (domainRecord.getParent() != null) {
domainRecord = _domainDao.findById(domainRecord.getParent());
} else {
break;
}
- }
- }
- }
- //not found
- return false;
- }
- //if account is domain admin
- //check if the account's domain is either child of zone's domain, or if zone's domain is child of account's domain
- else if(account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN){
- if(account.getDomainId() == zone.getDomainId()){
- return true; //zone and account at exact node
- }else{
- DomainVO zoneDomainRecord = _domainDao.findById(zone.getDomainId());
- DomainVO accountDomainRecord = _domainDao.findById(account.getDomainId());
- if(accountDomainRecord != null)
- {
- DomainVO localRecord = accountDomainRecord;
- while(true){
- if(localRecord.getId() == zone.getDomainId()){
- //found as a child
- return true;
- }
- if(localRecord.getParent() != null) {
+ }
+ }
+ }
+ //not found
+ return false;
+ }
+ //if account is domain admin
+ //check if the account's domain is either child of zone's domain, or if zone's domain is child of account's domain
+ else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ if (account.getDomainId() == zone.getDomainId()) {
+ return true; //zone and account at exact node
+ } else {
+ Domain zoneDomainRecord = _domainDao.findById(zone.getDomainId());
+ Domain accountDomainRecord = _domainDao.findById(account.getDomainId());
+ if (accountDomainRecord != null) {
+ Domain localRecord = accountDomainRecord;
+ while (true) {
+ if (localRecord.getId() == zone.getDomainId()) {
+ //found as a child
+ return true;
+ }
+ if (localRecord.getParent() != null) {
localRecord = _domainDao.findById(localRecord.getParent());
} else {
break;
}
- }
- }
- //didn't find in upper tree
- if(zoneDomainRecord.getPath().contains(accountDomainRecord.getPath())){
- return true;
- }
- }
- //not found
- return false;
- }
- }
- return false;
- }
+ }
+ }
+ //didn't find in upper tree
+ if (zoneDomainRecord.getPath().contains(accountDomainRecord.getPath())) {
+ return true;
+ }
+ }
+ //not found
+ return false;
+ }
+ }
+ return false;
+ }
}
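Review bot: In the domain-admin branch of `checkAccess(Account, DataCenter)`, the fallback `zoneDomainRecord.getPath().contains(accountDomainRecord.getPath())` is a substring match rather than an ancestor test. If domain paths are delimiter-joined name chains, as the name suggests, an account domain whose path merely occurs inside an unrelated zone domain's path would be granted access; a prefix match, `if (zoneDomainRecord.getPath().startsWith(accountDomainRecord.getPath())) {`, expresses the intended check. That line is also reached when `accountDomainRecord` is null, because the null check wraps only the loop, and `zoneDomainRecord` is never null-checked, so a missing domain row ends the permission check in a NullPointerException; `if (zoneDomainRecord == null || accountDomainRecord == null) return false;` ahead of the walk would fail closed. The parent walk is repeated four times in this hunk and reassigns from `_domainDao.findById(...)` without a null check before the next `getId()`. `_domainDao.isChildDomain(...)`, already used in `checkAccess(Account, Domain)`, looks like the natural single replacement, provided it has the same ancestor semantics.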