Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/05/20 00:46:28 UTC
[3/5] Revert "Disable IAM feature from 4.4 release."
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index 4f853b3..7306068 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -263,25 +263,26 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
Boolean display = cmd.getDisplay();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
if (ipId != null) {
IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId);
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for firewall rules yet");
}
- _accountMgr.checkAccess(caller, null, true, ipAddressVO);
+ _accountMgr.checkAccess(caller, null, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, cmd.listAll(), false, "listFirewallRules");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(FirewallRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<FirewallRuleVO> sb = _firewallDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ);
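Review bot: The action name handed to `buildACLSearchParameters` is a bare string literal, `"listFirewallRules"`, so a typo or a later rename of the API command would compile cleanly and, presumably, change which policy this listing is evaluated against. A named constant shared with the command definition would tie the two together, e.g. `private static final String LIST_ACTION = "listFirewallRules";` (name illustrative). The same literal pattern appears in the list hunks of LoadBalancingRulesManagerImpl, RulesManagerImpl and NetworkACLServiceImpl. The enclosing method begins and ends outside this hunk.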
@@ -303,7 +304,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
SearchCriteria<FirewallRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -463,7 +464,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
// Validate ip address
- _accountMgr.checkAccess(caller, null, true, ipAddress);
+ _accountMgr.checkAccess(caller, null, ipAddress);
}
//network id either has to be passed explicitly, or implicitly as a part of ipAddress object
@@ -475,7 +476,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
assert network != null : "Can't create rule as network associated with public ip address is null?";
if (trafficType == FirewallRule.TrafficType.Egress) {
- _accountMgr.checkAccess(caller, null, true, network);
+ _accountMgr.checkAccess(caller, null, network);
}
// Verify that the network guru supports the protocol specified
@@ -638,7 +639,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRuleVO[rules.size()]));
+ _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRuleVO[rules.size()]));
}
try {
@@ -692,7 +693,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule");
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
revokeRule(rule, caller, userId, false);
@@ -742,7 +743,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
throw new InvalidParameterValueException("Only root admin can update the system wide firewall rule");
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
if (customId != null) {
rule.setUuid(customId);
@@ -761,7 +762,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
@DB
public void revokeRule(final FirewallRuleVO rule, Account caller, long userId, final boolean needUsageEvent) {
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
}
Transaction.execute(new TransactionCallbackNoReturn() {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index 8225243..05fb325 100755
--- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -30,11 +30,6 @@ import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
-import org.apache.log4j.Logger;
-
-import com.google.gson.Gson;
-import com.google.gson.reflect.TypeToken;
-
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBHealthCheckPolicyCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBStickinessPolicyCmd;
@@ -50,6 +45,7 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
+import org.apache.log4j.Logger;
import com.cloud.agent.api.to.LoadBalancerTO;
import com.cloud.configuration.ConfigurationManager;
@@ -169,6 +165,8 @@ import com.cloud.vm.VirtualMachine.State;
import com.cloud.vm.dao.NicDao;
import com.cloud.vm.dao.NicSecondaryIpDao;
import com.cloud.vm.dao.UserVmDao;
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
@Local(value = {LoadBalancingRulesManager.class, LoadBalancingRulesService.class})
public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements LoadBalancingRulesManager, LoadBalancingRulesService {
@@ -529,7 +527,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (loadBalancer.getState() == FirewallRule.State.Revoke) {
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
}
@@ -588,7 +586,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (loadBalancer.getState() == FirewallRule.State.Revoke) {
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
@@ -750,7 +748,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
long loadBalancerId = loadBalancer.getId();
FirewallRule.State backupState = loadBalancer.getState();
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (apply) {
if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -803,7 +801,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
final long loadBalancerId = loadBalancer.getId();
FirewallRule.State backupState = loadBalancer.getState();
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (apply) {
if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -1195,7 +1193,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid certificate id: " + certId);
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
// check if LB and Cert belong to the same account
if (loadBalancer.getAccountId() != certVO.getAccountId()) {
@@ -1258,7 +1256,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("No certificate is bound to lb with id: " + lbRuleId);
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
boolean success = false;
FirewallRule.State backupState = loadBalancer.getState();
@@ -1302,7 +1300,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid load balancer value: " + loadBalancerId);
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (instanceIds == null && vmIdIpMap.isEmpty()) {
throw new InvalidParameterValueException("Both instanceids and vmidipmap can't be null");
@@ -1464,7 +1462,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
if (rule == null) {
throw new InvalidParameterValueException("Unable to find load balancer rule " + loadBalancerId);
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
boolean result = deleteLoadBalancerRule(loadBalancerId, apply, caller, ctx.getCallingUserId(), true);
if (!result) {
@@ -1688,7 +1686,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw ex;
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, ipAddr);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, ipAddr);
final Long networkId = ipAddr.getAssociatedWithNetworkId();
if (networkId == null) {
@@ -2062,7 +2060,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, lb);
+ _accountMgr.checkAccess(caller, null, lb);
if (name != null) {
lb.setName(name);
@@ -2141,7 +2139,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
return null;
}
- _accountMgr.checkAccess(caller, null, true, loadBalancer);
+ _accountMgr.checkAccess(caller, null, loadBalancer);
List<UserVmVO> loadBalancerInstances = new ArrayList<UserVmVO>();
List<String> serviceStates = new ArrayList<String>();
@@ -2220,7 +2218,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
return null;
}
- _accountMgr.checkAccess(caller, null, true, loadBalancer);
+ _accountMgr.checkAccess(caller, null, loadBalancer);
List<LBStickinessPolicyVO> sDbpolicies = _lb2stickinesspoliciesDao.listByLoadBalancerIdAndDisplayFlag(cmd.getLbRuleId(), forDisplay);
@@ -2237,10 +2235,8 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
if (loadBalancer == null) {
return null;
}
-
- _accountMgr.checkAccess(caller, null, true, loadBalancer);
+ _accountMgr.checkAccess(caller, null, loadBalancer);
List<LBHealthCheckPolicyVO> hcDbpolicies = _lb2healthcheckDao.listByLoadBalancerIdAndDisplayFlag(cmd.getLbRuleId(), forDisplay);
-
return hcDbpolicies;
}
@@ -2257,19 +2253,21 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
Boolean forDisplay = cmd.getDisplay();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listLoadBalancerRules");
+ //Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(LoadBalancerVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<LoadBalancerVO> sb = _lbDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE);
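Review bot: The added line `//Long domainId = domainIdRecursiveListProject.first();` keeps dead code as a comment; it should be deleted, as the equivalent line is in the FirewallManagerImpl and RulesManagerImpl list methods. Leftovers like this in access-control code make it harder to tell which scoping inputs are still in effect. NetworkACLServiceImpl carries the same leftover (`//domainId = domainIdRecursiveListProject.first();`). The method body continues outside the hunk.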
@@ -2303,7 +2301,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
SearchCriteria<LoadBalancerVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<LoadBalancerVO> ssc = _lbDao.createSearchCriteria();
@@ -2486,7 +2484,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid Load balancer : " + policy.getLoadBalancerId() + " for Stickiness policy id: " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, loadBalancer);
if (customId != null) {
policy.setUuid(customId);
@@ -2513,7 +2511,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid Load balancer : " + policy.getLoadBalancerId() + " for Stickiness policy id: " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, loadBalancer);
if (customId != null) {
policy.setUuid(customId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index 05fbad3..be3e849 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -462,7 +462,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
return null;
}
- _accountMgr.checkAccess(caller, null, true, router);
+ _accountMgr.checkAccess(caller, null, router);
_itMgr.expunge(router.getUuid());
_routerDao.remove(router.getId());
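Review bot: The check guarding `_itMgr.expunge(...)` and `_routerDao.remove(...)` passes `null` as the access type, so the call site does not state which operation is being authorised; what `null` resolves to is decided inside `checkAccess`, which is not shown here. Elsewhere in this commit (RulesManagerImpl, SecurityGroupManagerImpl) some calls name the type explicitly; if that value fits router destruction, `_accountMgr.checkAccess(caller, AccessType.OperateEntry, router);` would make the intent reviewable. Otherwise a one-line comment stating what a `null` access type means would do. The same applies to the other router hunks in this file and to the delete and revoke checks in FirewallManagerImpl and LoadBalancingRulesManagerImpl; the enclosing method starts outside the hunk.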
@@ -481,7 +481,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find router with id " + routerId);
}
- _accountMgr.checkAccess(caller, null, true, router);
+ _accountMgr.checkAccess(caller, null, router);
if (router.getServiceOfferingId() == serviceOfferingId) {
s_logger.debug("Router: " + routerId + "already has service offering: " + serviceOfferingId);
@@ -596,7 +596,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
}
- _accountMgr.checkAccess(account, null, true, router);
+ _accountMgr.checkAccess(account, null, router);
final UserVO user = _userDao.findById(CallContext.current().getCallingUserId());
@@ -655,7 +655,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find domain router with id " + routerId + ".");
}
- _accountMgr.checkAccess(caller, null, true, router);
+ _accountMgr.checkAccess(caller, null, router);
// Can reboot domain router only in Running state
if (router == null || router.getState() != State.Running) {
@@ -3300,7 +3300,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
if (router == null) {
throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
}
- _accountMgr.checkAccess(caller, null, true, router);
+ _accountMgr.checkAccess(caller, null, router);
final Account owner = _accountMgr.getAccount(router.getAccountId());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/rules/RulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index eea1262..f6a87bf 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -27,6 +27,7 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.firewall.ListPortForwardingRulesCmd;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
@@ -163,7 +164,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
}
- _accountMgr.checkAccess(caller, null, true, ipAddress, userVm);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipAddress, userVm);
// validate that IP address and userVM belong to the same account
if (ipAddress.getAllocatedToAccountId().longValue() != userVm.getAccountId()) {
@@ -188,7 +189,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
return;
}
- _accountMgr.checkAccess(caller, null, true, rule, userVm);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, rule, userVm);
if (userVm.getState() == VirtualMachine.State.Destroyed || userVm.getState() == VirtualMachine.State.Expunging) {
throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId());
@@ -682,7 +683,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
throw new InvalidParameterValueException("Unable to find " + ruleId);
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
if (!revokePortForwardingRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
throw new CloudRuntimeException("Failed to delete port forwarding rule");
@@ -717,7 +718,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
throw new InvalidParameterValueException("Unable to find " + ruleId);
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
if (!revokeStaticNatRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
throw new CloudRuntimeException("Failed to revoke forwarding rule");
@@ -784,25 +785,27 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
Boolean display = cmd.getDisplay();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
if (ipId != null) {
IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId);
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
}
- _accountMgr.checkAccess(caller, null, true, ipAddressVO);
+ _accountMgr.checkAccess(caller, null, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listPortForwardingRules");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(PortForwardingRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<PortForwardingRuleVO> sb = _portForwardingDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ);
@@ -823,7 +826,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
SearchCriteria<PortForwardingRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -866,7 +869,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+ _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
}
try {
@@ -895,7 +898,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
+ _accountMgr.checkAccess(caller, null, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
}
try {
@@ -919,7 +922,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+ _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
}
try {
@@ -945,7 +948,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRule[rules.size()]));
+ _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRule[rules.size()]));
}
for (FirewallRuleVO rule : rules) {
@@ -973,7 +976,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, ips.toArray(new IPAddressVO[ips.size()]));
+ _accountMgr.checkAccess(caller, null, ips.toArray(new IPAddressVO[ips.size()]));
}
List<StaticNat> staticNats = new ArrayList<StaticNat>();
@@ -1000,25 +1003,28 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
public Pair<List<? extends FirewallRule>, Integer> searchStaticNatRules(Long ipId, Long id, Long vmId, Long start, Long size, String accountName, Long domainId,
Long projectId, boolean isRecursive, boolean listAll) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
if (ipId != null) {
IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId);
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
}
- _accountMgr.checkAccess(caller, null, true, ipAddressVO);
+ _accountMgr.checkAccess(caller, null, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject, listAll, false);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, "listIpForwardingRules");
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(PortForwardingRuleVO.class, "id", false, start, size);
SearchBuilder<FirewallRuleVO> sb = _firewallDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ);
sb.and("purpose", sb.entity().getPurpose(), Op.EQ);
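Review bot: `domainId = domainIdRecursiveListProject.first();` is kept here although `domainId` is no longer passed to `buildACLSearchBuilder` or `buildACLSearchCriteria`; the other list methods touched by this commit drop or comment out that read-back. If nothing later in `searchStaticNatRules` reads `domainId` (the body continues past this hunk), the assignment is dead and should be removed; if something does, a comment such as `// domainId still needed below for <use>` would explain why this method differs. Scoping now comes from `permittedDomains`, so a stale `domainId` filter further down would be worth checking for.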
@@ -1031,7 +1037,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
SearchCriteria<FirewallRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sc.setParameters("purpose", Purpose.StaticNat);
if (id != null) {
@@ -1383,7 +1389,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, sourceIp);
+ _accountMgr.checkAccess(caller, null, sourceIp);
}
// create new static nat rule
@@ -1502,7 +1508,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
if (rule == null) {
throw new InvalidParameterValueException("Unable to find " + id);
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
if (customId != null) {
rule.setUuid(customId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index f60a746..a666ecd 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// Verify permissions
- _accountMgr.checkAccess(caller, null, true, securityGroup);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
Long domainId = owner.getDomainId();
if (protocol == null) {
@@ -819,7 +819,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
// Check permissions
SecurityGroup securityGroup = _securityGroupDao.findById(rule.getSecurityGroupId());
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, securityGroup);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
long securityGroupId = rule.getSecurityGroupId();
Boolean result = Transaction.execute(new TransactionCallback<Boolean>() {
@@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, group);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>() {
@Override
@@ -1359,7 +1359,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// Verify permissions
- _accountMgr.checkAccess(caller, null, false, vm);
+ _accountMgr.checkAccess(caller, null, vm);
// Validate parameters
List<SecurityGroupVO> vmSgGrps = getSecurityGroupsForVm(vmId);
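Review bot: This is the only call in the visible hunks where the removed boolean argument was `false` rather than `true`, and the new call `checkAccess(caller, null, vm)` is now indistinguishable from the others, so whatever that flag relaxed or tightened for the VM check is silently changed or lost. It is worth confirming that the three-argument overload gives the intended result for a VM the caller may not own, and recording it, e.g. `// ownership rule for vm now decided inside checkAccess; was called with false before`. The three other checks changed in this file pass `AccessType.OperateEntry` while this one passes `null`, which also deserves a word of explanation. The enclosing method starts and ends outside the hunk.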
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 19a26c1..72996d1 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -103,7 +103,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
return _networkAclMgr.createNetworkACL(name, description, vpcId, forDisplay);
}
@@ -161,7 +161,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
//Include vpcId 0 to list default ACLs
sc.setParameters("vpcId", vpcId, 0);
} else {
@@ -169,23 +169,26 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
// VpcId is not specified. Find permitted VPCs for the caller
// and list ACLs belonging to the permitted VPCs
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
Long domainId = cmd.getDomainId();
boolean isRecursive = cmd.isRecursive();
String accountName = cmd.getAccountName();
Long projectId = cmd.getProjectId();
boolean listAll = cmd.listAll();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
- ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ ListProjectResourcesCriteria>(domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject,
+ listAll, false, "listNetworkACLLists");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sbVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
SearchCriteria<VpcVO> scVpc = sbVpc.create();
- _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(scVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
List<Long> vpcIds = new ArrayList<Long>();
for (VpcVO vpc : vpcs) {
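Review bot: The commented-out `//domainId = domainIdRecursiveListProject.first();` should be deleted rather than left in place, since neither `buildACLSearchBuilder` nor `buildACLSearchCriteria` takes a domain id any more and version control already records the old line. The same leftover appears as `//Long domainId = domainIdRecursiveListProject.first();` in both list hunks of RemoteAccessVpnManagerImpl, while the `listNetworkACLs` hunk further down keeps the live assignment `domainId = domainIdRecursiveListProject.first();` although no call in that hunk reads it afterwards. Picking one treatment (removal, unless code after the hunk still reads `domainId`) keeps the list paths consistent and makes it clearer that domain scoping now appears to come from `permittedDomains` alone. The enclosing method extends beyond the hunk on both sides.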
@@ -222,7 +225,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find specified VPC associated with the ACL");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
return _networkAclMgr.deleteNetworkACL(acl);
}
@@ -253,14 +256,14 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (!gateway.getVpcId().equals(acl.getVpcId())) {
throw new InvalidParameterValueException("private gateway: " + privateGatewayId + " and ACL: " + aclId + " do not belong to the same VPC");
}
}
PrivateGateway privateGateway = _vpcSvc.getVpcPrivateGateway(gateway.getId());
- _accountMgr.checkAccess(caller, null, true, privateGateway);
+ _accountMgr.checkAccess(caller, null, privateGateway);
return _networkAclMgr.replaceNetworkACLForPrivateGw(acl, privateGateway);
@@ -296,7 +299,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (!network.getVpcId().equals(acl.getVpcId())) {
throw new InvalidParameterValueException("Network: " + networkId + " and ACL: " + aclId + " do not belong to the same VPC");
}
@@ -368,7 +371,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
//Ensure that number is unique within the ACL
if (aclItemCmd.getNumber() != null) {
@@ -485,6 +488,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
String action = cmd.getAction();
Map<String, String> tags = cmd.getTags();
Account caller = CallContext.current().getCallingAccount();
+ Boolean display = cmd.getDisplay();
Filter filter = new Filter(NetworkACLItemVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<NetworkACLItemVO> sb = _networkACLItemDao.createSearchBuilder();
@@ -494,6 +498,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ);
sb.and("protocol", sb.entity().getProtocol(), Op.EQ);
sb.and("action", sb.entity().getAction(), Op.EQ);
+ sb.and("display", sb.entity().isDisplay(), Op.EQ);
if (tags != null && !tags.isEmpty()) {
SearchBuilder<ResourceTagVO> tagSearch = _resourceTagDao.createSearchBuilder();
@@ -516,6 +521,10 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
SearchCriteria<NetworkACLItemVO> sc = sb.create();
+ if (display != null) {
+ sc.setParameters("display", display);
+ }
+
if (id != null) {
sc.setParameters("id", id);
}
@@ -542,32 +551,33 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC associated with acl");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
}
sc.setParameters("aclId", aclId);
} else {
//ToDo: Add accountId to network_acl_item table for permission check
-
// aclId is not specified
// List permitted VPCs and filter aclItems
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Long domainId = cmd.getDomainId();
boolean isRecursive = cmd.isRecursive();
String accountName = cmd.getAccountName();
Long projectId = cmd.getProjectId();
boolean listAll = cmd.listAll();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
- ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
+ ListProjectResourcesCriteria>(domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject,
+ listAll, false, "listNetworkACLs");
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sbVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
SearchCriteria<VpcVO> scVpc = sbVpc.create();
- _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(scVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
List<Long> vpcIds = new ArrayList<Long>();
for (VpcVO vpc : vpcs) {
@@ -610,7 +620,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if((aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW) || (aclItem.getAclId() == NetworkACL.DEFAULT_DENY)){
throw new InvalidParameterValueException("ACL Items in default ACL cannot be deleted");
@@ -637,7 +647,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (number != null) {
//Check if ACL Item with specified number already exists
@@ -659,7 +669,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
NetworkACLVO acl = _networkACLDao.findById(id);
Vpc vpc = _entityMgr.findById(Vpc.class, acl.getVpcId());
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (customId != null) {
acl.setUuid(customId);
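Review bot: `acl` is dereferenced on the line right after `_networkACLDao.findById(id)` with no null check, so an unknown id ends in a NullPointerException instead of the `InvalidParameterValueException` the other methods in this file throw, and `vpc` is likewise handed to `checkAccess` unchecked. Add `if (acl == null) { throw new InvalidParameterValueException("Unable to find network ACL by id " + id); }` before the VPC lookup, plus the `Unable to find VPC associated with acl` guard used elsewhere in this file before the access check. How `checkAccess` treats a null entity is not visible here, so it should not be relied on to reject the request. The method starts and ends outside the hunk.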
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/vpc/VpcManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
index 0d24544..9e02fd7 100644
--- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
@@ -35,9 +35,8 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
-import org.apache.log4j.Logger;
-
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.vpc.ListPrivateGatewaysCmd;
import org.apache.cloudstack.api.command.user.vpc.ListStaticRoutesCmd;
import org.apache.cloudstack.context.CallContext;
@@ -45,6 +44,7 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.ConfigDepot;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.log4j.Logger;
import com.cloud.configuration.Config;
import com.cloud.configuration.ConfigurationManager;
@@ -761,7 +761,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Account owner = _accountMgr.getAccount(vpcOwnerId);
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
//check resource limit
_resourceLimitMgr.checkResourceLimit(owner, ResourceType.vpc);
@@ -894,7 +894,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//verify permissions
- _accountMgr.checkAccess(ctx.getCallingAccount(), null, false, vpc);
+ _accountMgr.checkAccess(ctx.getCallingAccount(), null, vpc);
return destroyVpc(vpc, ctx.getCallingAccount(), ctx.getCallingUserId());
}
@@ -962,7 +962,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw new InvalidParameterValueException("Unable to find vpc by id " + vpcId);
}
- _accountMgr.checkAccess(caller, null, false, vpcToUpdate);
+ _accountMgr.checkAccess(caller, null, vpcToUpdate);
VpcVO vpc = _vpcDao.createForUpdate(vpcId);
@@ -995,18 +995,20 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
String accountName, Long domainId, String keyword, Long startIndex, Long pageSizeVal, Long zoneId, Boolean isRecursive, Boolean listAll, Boolean restartRequired,
Map<String, String> tags, Long projectId, Boolean display) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, "listVPCs");
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(VpcVO.class, "created", false, startIndex, pageSizeVal);
SearchBuilder<VpcVO> sb = _vpcDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -1032,7 +1034,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
// now set the SC criteria...
SearchCriteria<VpcVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<VpcVO> ssc = _vpcDao.createSearchCriteria();
@@ -1152,7 +1154,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//permission check
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
@@ -1212,7 +1214,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//permission check
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
//shutdown provider
s_logger.debug("Shutting down vpc " + vpc);
@@ -1478,7 +1480,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw ex;
}
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
s_logger.debug("Restarting VPC " + vpc);
boolean restartRequired = false;
@@ -1795,21 +1797,23 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Long domainId = cmd.getDomainId();
String accountName = cmd.getAccountName();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
String state = cmd.getState();
Long projectId = cmd.getProjectId();
Filter searchFilter = new Filter(VpcGatewayVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, "listPrivateGateways");
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<VpcGatewayVO> sb = _vpcGatewayDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+
if (vlan != null) {
SearchBuilder<NetworkVO> ntwkSearch = _ntwkDao.createSearchBuilder();
ntwkSearch.and("vlan", ntwkSearch.entity().getBroadcastUri(), SearchCriteria.Op.EQ);
@@ -1817,7 +1821,8 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
SearchCriteria<VpcGatewayVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+
if (id != null) {
sc.addAnd("id", Op.EQ, id);
}
@@ -1929,7 +1934,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw new InvalidParameterValueException("Unable to find static route by id");
}
- _accountMgr.checkAccess(caller, null, false, route);
+ _accountMgr.checkAccess(caller, null, route);
markStaticRouteForRevoke(route, caller);
@@ -1977,7 +1982,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
if (vpc == null) {
throw new InvalidParameterValueException("Can't add static route to VPC that is being deleted");
}
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (!NetUtils.isValidCIDR(cidr)) {
throw new InvalidParameterValueException("Invalid format for cidr " + cidr);
@@ -2045,21 +2050,23 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Boolean listAll = cmd.listAll();
String accountName = cmd.getAccountName();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
Map<String, String> tags = cmd.getTags();
Long projectId = cmd.getProjectId();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, "listStaticRoutes");
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(StaticRouteVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<StaticRouteVO> sb = _staticRouteDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("vpcId", sb.entity().getVpcId(), SearchCriteria.Op.EQ);
@@ -2078,7 +2085,8 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
SearchCriteria<StaticRouteVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+
if (id != null) {
sc.addAnd("id", Op.EQ, id);
}
@@ -2126,7 +2134,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
protected void markStaticRouteForRevoke(StaticRouteVO route, Account caller) {
s_logger.debug("Revoking static route " + route);
if (caller != null) {
- _accountMgr.checkAccess(caller, null, false, route);
+ _accountMgr.checkAccess(caller, null, route);
}
if (route.getState() == StaticRoute.State.Staged) {
@@ -2185,7 +2193,6 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
IpAddress ipToAssoc = _ntwkModel.getIp(ipId);
if (ipToAssoc != null) {
- _accountMgr.checkAccess(caller, null, true, ipToAssoc);
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
s_logger.debug("Unable to find ip address by id: " + ipId);
@@ -2198,7 +2205,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, owner, vpc);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipToAssoc, vpc);
boolean isSourceNat = false;
if (getExistingSourceNatInVpc(owner.getId(), vpcId) == null) {
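Review bot: The old call passed `true` as its third argument together with `owner` and `vpc`, and the new `checkAccess(caller, AccessType.OperateEntry, ipToAssoc, vpc)` has no visible equivalent; if that flag was what required the entities to share an owner, nothing in this hunk now ties the IP's account to the VPC's account. The separate check on `ipToAssoc` was also removed in the previous hunk, so this line is the only authorization shown for the association. Site2SiteVpnManagerImpl in this same commit keeps an explicit account comparison after its access checks, and the same could be done here: `if (owner.getId() != vpc.getAccountId()) { throw new InvalidParameterValueException("IP address and VPC belong to different accounts"); }`. The surrounding method body lies outside the hunk, so an existing ownership check there cannot be ruled out.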
@@ -2278,7 +2285,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
ex.addProxyObject(String.valueOf(vpcId), "VPC");
throw ex;
}
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (networkDomain == null) {
networkDomain = vpc.getNetworkDomain();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
index 757f618..9d9118c 100755
--- a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
@@ -150,7 +150,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Unable to create remote access vpn, invalid public IP address id" + publicIpId);
}
- _accountMgr.checkAccess(caller, null, true, ipAddr);
+ _accountMgr.checkAccess(caller, null, ipAddr);
if (!ipAddr.readyToUse()) {
throw new InvalidParameterValueException("The Ip address is not ready to be used yet: " + ipAddr.getAddress());
@@ -292,7 +292,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
return true;
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, vpn);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, vpn);
RemoteAccessVpn.State prevState = vpn.getState();
vpn.setState(RemoteAccessVpn.State.Removed);
@@ -395,7 +395,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (owner == null) {
throw new InvalidParameterValueException("Unable to add vpn user: Another operation active");
}
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
//don't allow duplicated user names for the same account
VpnUserVO vpnUser = _vpnUsersDao.findByAccountAndUsername(owner.getId(), username);
@@ -424,7 +424,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (user == null) {
throw new InvalidParameterValueException("Could not find vpn user " + username);
}
- _accountMgr.checkAccess(caller, null, true, user);
+ _accountMgr.checkAccess(caller, null, user);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
@@ -443,7 +443,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
public List<? extends VpnUser> listVpnUsers(long vpnOwnerId, String userName) {
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountDao.findById(vpnOwnerId);
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
return _vpnUsersDao.listByAccount(vpnOwnerId);
}
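Review bot: `owner` comes straight from `_accountDao.findById(vpnOwnerId)` and goes into `checkAccess` with no null check, so the result for an unknown `vpnOwnerId` depends on how `checkAccess` handles a null entity, which this page does not show. Failing closed before the check is safer: `if (owner == null) { throw new InvalidParameterValueException("Unable to find account by id " + vpnOwnerId); }`. `applyVpnUsers` in the hunk at -507 has the same sequence and additionally concatenates `owner` into a debug message. Separately, `userName` is accepted but not used by the `listByAccount(vpnOwnerId)` call shown here.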
@@ -461,7 +461,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
openFirewall = false;
}
- _accountMgr.checkAccess(caller, null, true, vpn);
+ _accountMgr.checkAccess(caller, null, vpn);
boolean started = false;
try {
@@ -507,7 +507,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
public boolean applyVpnUsers(long vpnOwnerId, String userName) {
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountDao.findById(vpnOwnerId);
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
s_logger.debug("Applying vpn users for " + owner);
List<RemoteAccessVpnVO> vpns = _remoteAccessVpnDao.findByAccount(vpnOwnerId);
@@ -586,24 +586,26 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
String username = cmd.getUsername();
Long id = cmd.getId();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listVpnUsers");
+ //Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(VpnUserVO.class, "username", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<VpnUserVO> sb = _vpnUsersDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
-
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("username", sb.entity().getUsername(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), Op.IN);
SearchCriteria<VpnUserVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
//list only active users
sc.setParameters("state", State.Active, State.Add);
@@ -625,7 +627,9 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
// do some parameter validation
Account caller = CallContext.current().getCallingAccount();
Long ipAddressId = cmd.getPublicIpId();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Long vpnId = cmd.getId();
Long networkId = cmd.getNetworkId();
@@ -640,18 +644,19 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Unable to list remote access vpns, IP address " + ipAddressId + " is not associated with an account.");
}
}
- _accountMgr.checkAccess(caller, null, true, publicIp);
+ _accountMgr.checkAccess(caller, null, publicIp);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listRemoteAccessVpns");
+ //Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(RemoteAccessVpnVO.class, "serverAddressId", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<RemoteAccessVpnVO> sb = _remoteAccessVpnDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("serverAddressId", sb.entity().getServerAddressId(), Op.EQ);
sb.and("id", sb.entity().getId(), Op.EQ);
@@ -660,8 +665,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
sb.and("display", sb.entity().isDisplay(), Op.EQ);
SearchCriteria<RemoteAccessVpnVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
-
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sc.setParameters("state", RemoteAccessVpn.State.Running);
@@ -751,7 +755,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Can't find remote access vpn by id " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vpn);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vpn);
if (customId != null) {
vpn.setUuid(customId);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
index e6d0b12..a34aa6c 100644
--- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
@@ -125,7 +125,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
Long vpcId = cmd.getVpcId();
VpcVO vpc = _vpcDao.findById(vpcId);
@@ -175,7 +175,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
String name = cmd.getName();
String gatewayIp = cmd.getGatewayIp();
@@ -243,21 +243,21 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
Long customerGatewayId = cmd.getCustomerGatewayId();
Site2SiteCustomerGateway customerGateway = _customerGatewayDao.findById(customerGatewayId);
if (customerGateway == null) {
throw new InvalidParameterValueException("Unable to found specified Site to Site VPN customer gateway " + customerGatewayId + " !");
}
- _accountMgr.checkAccess(caller, null, false, customerGateway);
+ _accountMgr.checkAccess(caller, null, customerGateway);
Long vpnGatewayId = cmd.getVpnGatewayId();
Site2SiteVpnGateway vpnGateway = _vpnGatewayDao.findById(vpnGatewayId);
if (vpnGateway == null) {
throw new InvalidParameterValueException("Unable to found specified Site to Site VPN gateway " + vpnGatewayId + " !");
}
- _accountMgr.checkAccess(caller, null, false, vpnGateway);
+ _accountMgr.checkAccess(caller, null, vpnGateway);
if (customerGateway.getAccountId() != vpnGateway.getAccountId() || customerGateway.getDomainId() != vpnGateway.getDomainId()) {
throw new InvalidParameterValueException("VPN connection can only be esitablished between same account's VPN gateway and customer gateway!");
@@ -363,7 +363,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (customerGateway == null) {
throw new InvalidParameterValueException("Fail to find customer gateway with " + id + " !");
}
- _accountMgr.checkAccess(caller, null, false, customerGateway);
+ _accountMgr.checkAccess(caller, null, customerGateway);
return doDeleteCustomerGateway(customerGateway);
}
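Review bot: The delete path still passes `null` as the access type, so the check does not state that the caller is about to destroy the gateway rather than read or use it. With the IAM checkers re-enabled by this revert, what `null` resolves to is decided inside the checker, which this diff does not show; if it falls back to a use-level permission, a policy that grants use only would also permit deletion. Consider naming the level explicitly, for example `_accountMgr.checkAccess(caller, AccessType.OperateEntry, customerGateway);` (assuming the enum carries that value at this revision). The same applies to the hunks at -398, -505 and -554 in this file; each enclosing method starts outside its hunk.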
@@ -398,7 +398,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find vpn gateway with " + id + " !");
}
- _accountMgr.checkAccess(caller, null, false, vpnGateway);
+ _accountMgr.checkAccess(caller, null, vpnGateway);
doDeleteVpnGateway(vpnGateway);
return true;
@@ -415,7 +415,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (gw == null) {
throw new InvalidParameterValueException("Find to find customer gateway with id " + id);
}
- _accountMgr.checkAccess(caller, null, false, gw);
+ _accountMgr.checkAccess(caller, null, gw);
List<Site2SiteVpnConnectionVO> conns = _vpnConnectionDao.listByCustomerGatewayId(id);
if (conns != null) {
@@ -505,7 +505,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to delete!");
}
- _accountMgr.checkAccess(caller, null, false, conn);
+ _accountMgr.checkAccess(caller, null, conn);
if (conn.getState() == State.Connected) {
stopVpnConnection(id);
@@ -554,7 +554,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (conn == null) {
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to reset!");
}
- _accountMgr.checkAccess(caller, null, false, conn);
+ _accountMgr.checkAccess(caller, null, conn);
if (conn.getState() == State.Pending) {
throw new InvalidParameterValueException("VPN connection " + id + " cannot be reseted when state is Pending!");
@@ -578,23 +578,26 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
long pageSizeVal = cmd.getPageSizeVal();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false,
+ "listVpnCustomerGateways");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(Site2SiteCustomerGatewayVO.class, "id", false, startIndex, pageSizeVal);
SearchBuilder<Site2SiteCustomerGatewayVO> sb = _customerGatewayDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<Site2SiteCustomerGatewayVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
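Review bot: The line `//domainId = domainIdRecursiveListProject.first();` is left as commented-out code, so `domainId` now keeps the value taken from the request instead of the one resolved by `buildACLSearchParameters`. Delete the line, and if `domainId` is read anywhere below the hunk (not visible here), switch that use to `permittedDomains` so no filter runs on an unchecked domain id. A short comment such as `// domain scope comes from permittedDomains; domainId is request input only` would make the intent clear. The action name `"listVpnCustomerGateways"` is a bare string literal whose misspelling would not be caught at compile time; a shared constant would be safer. Both points repeat in the hunks at -618 and -668.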
@@ -618,25 +621,28 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
long pageSizeVal = cmd.getPageSizeVal();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false,
+ "listVpnGateways");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(Site2SiteVpnGatewayVO.class, "id", false, startIndex, pageSizeVal);
SearchBuilder<Site2SiteVpnGatewayVO> sb = _vpnGatewayDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("vpcId", sb.entity().getVpcId(), SearchCriteria.Op.EQ);
sb.and("display", sb.entity().isDisplay(), SearchCriteria.Op.EQ);
SearchCriteria<Site2SiteVpnGatewayVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
@@ -668,18 +674,21 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
long pageSizeVal = cmd.getPageSizeVal();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false,
+ "listVpnConnections");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(Site2SiteVpnConnectionVO.class, "id", false, startIndex, pageSizeVal);
SearchBuilder<Site2SiteVpnConnectionVO> sb = _vpnConnectionDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("display", sb.entity().isDisplay(), SearchCriteria.Op.EQ);
@@ -691,7 +700,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
}
SearchCriteria<Site2SiteVpnConnectionVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (display != null) {
sc.setParameters("display", display);
@@ -809,7 +818,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id);
}
- _accountMgr.checkAccess(caller, null, false, conn);
+ _accountMgr.checkAccess(caller, null, conn);
if (customId != null) {
conn.setUuid(customId);
}
@@ -832,7 +841,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find vpn gateway with " + id);
}
- _accountMgr.checkAccess(caller, null, false, vpnGateway);
+ _accountMgr.checkAccess(caller, null, vpnGateway);
if (customId != null) {
vpnGateway.setUuid(customId);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/projects/ProjectManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/projects/ProjectManagerImpl.java b/server/src/com/cloud/projects/ProjectManagerImpl.java
index d10c059..6aa5abc 100755
--- a/server/src/com/cloud/projects/ProjectManagerImpl.java
+++ b/server/src/com/cloud/projects/ProjectManagerImpl.java
@@ -244,7 +244,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//at this point enabling project doesn't require anything, so just update the state
project.setState(State.Active);
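Review bot: The result of `_accountMgr.getAccount(project.getProjectAccountId())` goes straight into `checkAccess` without a null check, and whether a null entity is rejected or skipped depends on `checkAccess`, which is outside this diff. Resolve it first with `Account projectOwner = _accountMgr.getAccount(project.getProjectAccountId());`, then `if (projectOwner == null) throw new InvalidParameterValueException("Unable to find owner account of project " + projectId);`, and pass `projectOwner` to the check. The identical call recurs in the hunks at -264, -463, -550, -628, -830, -870 and -1012, so a private helper taking `caller` and `project` would keep the guard in one place. The enclosing method starts and ends outside the hunk.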
@@ -264,7 +264,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
- _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
return deleteProject(ctx.getCallingAccount(), ctx.getCallingUserId(), project);
}
@@ -463,7 +463,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
Transaction.execute(new TransactionCallbackWithExceptionNoReturn<ResourceAllocationException>() {
@Override
@@ -550,7 +550,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions - only project owner can assign
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//Check if the account already added to the project
ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@@ -628,7 +628,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//Check if the account exists in the project
ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@@ -750,7 +750,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, null, true, account);
+ _accountMgr.checkAccess(caller, null, account);
accountId = account.getId();
} else {
@@ -830,7 +830,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//allow project activation only when it's in Suspended state
Project.State currentState = project.getState();
@@ -870,7 +870,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw ex;
}
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
if (suspendProject(project)) {
s_logger.debug("Successfully suspended project id=" + projectId);
@@ -1012,7 +1012,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
Project project = getProject(invitation.getProjectId());
//check permissions - only project owner can remove the invitations
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
if (_projectInvitationDao.remove(id)) {
s_logger.debug("Project Invitation id=" + id + " is removed");