Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/05/20 00:46:29 UTC
[4/5] Revert "Disable IAM feature from 4.4 release."
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index e675e83..a2437b8 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -478,7 +478,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
private Pair<List<EventJoinVO>, Integer> searchForEventsInternal(ListEventsCmd cmd) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Long id = cmd.getId();
String type = cmd.getType();
@@ -491,16 +493,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listEvents");
+ //Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(EventJoinVO.class, "createDate", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<EventJoinVO> sb = _eventJoinDao.createSearchBuilder();
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("levelL", sb.entity().getLevel(), SearchCriteria.Op.LIKE);
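Review bot: The line `//Long domainId = domainIdRecursiveListProject.first();` is left behind as commented-out code and should be deleted, since the history already records it. The same leftover appears in the listInstanceGroups hunk (`// Long domainId = …`) and the listProjectInvitations hunk (`//domainId = …`). With that read gone, the `cmd.getDomainId()` value placed in the Ternary narrows the event query only if `buildACLSearchParameters` turns it into entries of `permittedDomains`, which is not visible here, so a short comment stating that would help the next reader. searchForEventsInternal's body starts and continues outside this hunk.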
@@ -516,9 +516,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("archived", sb.entity().getArchived(), SearchCriteria.Op.EQ);
SearchCriteria<EventJoinVO> sc = sb.create();
- // building ACL condition
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<EventJoinVO> aclSc = _eventJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
// For end users display only enabled events
if (!_accountMgr.isRootAdmin(caller.getId())) {
@@ -597,7 +597,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
private Pair<List<ResourceTagJoinVO>, Integer> listTagsInternal(ListTagsCmd cmd) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
String key = cmd.getKey();
String value = cmd.getValue();
String resourceId = cmd.getResourceId();
@@ -608,16 +610,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject =
new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, listAll, false);
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, false, "listTags");
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(ResourceTagJoinVO.class, "resourceType", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<ResourceTagJoinVO> sb = _resourceTagJoinDao.createSearchBuilder();
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("key", sb.entity().getKey(), SearchCriteria.Op.EQ);
sb.and("value", sb.entity().getValue(), SearchCriteria.Op.EQ);
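Review bot: `Long domainId = domainIdRecursiveListProject.first();` is still assigned in listTagsInternal, but both visible consumers are gone: `buildACLViewSearchBuilder` is deleted and the new `buildACLViewSearchCriteria` call takes the permitted lists instead. If nothing further down the method reads it, the local is dead and should be dropped. The same assignment survives in the listSecurityGroups, listRouters and listAsyncJobs hunks. The method body continues outside this hunk, so a remaining use cannot be ruled out from here.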
@@ -633,8 +633,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// now set the SC criteria...
SearchCriteria<ResourceTagJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<ResourceTagJoinVO> aclSc = _resourceTagJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (key != null) {
sc.setParameters("key", key);
@@ -676,28 +677,29 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
String keyword = cmd.getKeyword();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listInstanceGroups");
+ // Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(InstanceGroupJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<InstanceGroupJoinVO> sb = _vmGroupJoinDao.createSearchBuilder();
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE);
SearchCriteria<InstanceGroupJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<InstanceGroupJoinVO> aclSc = _vmGroupJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
@@ -994,7 +996,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
String securityGroup = cmd.getSecurityGroupName();
Long id = cmd.getId();
Object keyword = cmd.getKeyword();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Map<String, String> tags = cmd.getTags();
if (instanceId != null) {
@@ -1002,14 +1006,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (userVM == null) {
throw new InvalidParameterValueException("Unable to list network groups for virtual machine instance " + instanceId + "; instance not found.");
}
- _accountMgr.checkAccess(caller, null, true, userVM);
+ _accountMgr.checkAccess(caller, null, userVM);
return listSecurityGroupRulesByVM(instanceId.longValue(), cmd.getStartIndex(), cmd.getPageSizeVal());
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listSecurityGroups");
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
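Review bot: The call `_accountMgr.checkAccess(caller, null, userVM)` drops the `true` argument that the old four-argument call passed, and it is the only authorization step visible before `listSecurityGroupRulesByVM` returns rules for a caller-supplied `instanceId`. What that flag controlled is not visible in this diff (presumably a same-owner requirement), so it is worth confirming that the three-argument overload is at least as strict. A comment such as `// caller must be allowed to access the VM before its security group rules are listed` would record the intent. The same argument is dropped in the later hunk that checks `vmInstance` before the service-offering lookup. The enclosing method starts and ends outside this hunk.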
@@ -1018,15 +1022,13 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
SearchBuilder<SecurityGroupJoinVO> sb = _securityGroupJoinDao.createSearchBuilder();
sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct
// ids
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
-
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
SearchCriteria<SecurityGroupJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<SecurityGroupJoinVO> aclSc = _securityGroupJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -1118,12 +1120,19 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Long podId, Long clusterId, Long hostId, String keyword, Long networkId, Long vpcId, Boolean forVpc, String role, String version) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
+ String action = "listRouters";
+ if (cmd instanceof ListInternalLBVMsCmd) {
+ action = "listInternalLoadBalancerVMs";
+ }
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, action);
+
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
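Review bot: The action name handed to `buildACLSearchParameters` is picked by an `instanceof ListInternalLBVMsCmd` test with `"listRouters"` as the fallback, so any other command type routed through this method would silently be treated as a router listing (presumably the action selects which permissions are evaluated). A comment such as `// action must match the API name of the command being served; only routers and internal LB VMs share this path` would make that assumption explicit. The action strings are also bare literals repeated at every call site in this file (`"listEvents"`, `"listTags"`, …), and named constants would keep a typo from selecting a different action unnoticed. The method signature begins above the hunk, so the declared type of `cmd` is not visible here.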
@@ -1136,8 +1145,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// number of
// records with
// pagination
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("name", sb.entity().getInstanceName(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -1164,8 +1171,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
SearchCriteria<DomainRouterJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<DomainRouterJoinVO> aclSc = _routerJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<DomainRouterJoinVO> ssc = _routerJoinDao.createSearchCriteria();
@@ -1398,20 +1406,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
boolean listAll = cmd.listAll();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts,
- domainIdRecursiveListProject, listAll, true);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, true, "listProjectInvitations");
+ //domainId = domainIdRecursiveListProject.first();
+
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(ProjectInvitationJoinVO.class, "id", true, startIndex, pageSizeVal);
SearchBuilder<ProjectInvitationJoinVO> sb = _projectInvitationJoinDao.createSearchBuilder();
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("projectId", sb.entity().getProjectId(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), SearchCriteria.Op.EQ);
@@ -1419,8 +1428,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<ProjectInvitationJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<ProjectInvitationJoinVO> aclSc = _projectInvitationJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (projectId != null) {
sc.setParameters("projectId", projectId);
@@ -1825,53 +1835,19 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
private Pair<List<AccountJoinVO>, Integer> searchForAccountsInternal(ListAccountsCmd cmd) {
Account caller = CallContext.current().getCallingAccount();
- Long domainId = cmd.getDomainId();
- Long accountId = cmd.getId();
- String accountName = cmd.getSearchName();
- boolean isRecursive = cmd.isRecursive();
- boolean listAll = cmd.listAll();
- Boolean listForDomain = false;
-
- if (accountId != null) {
- Account account = _accountDao.findById(accountId);
- if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
- throw new InvalidParameterValueException("Unable to find account by id " + accountId);
- }
-
- _accountMgr.checkAccess(caller, null, true, account);
- }
-
- if (domainId != null) {
- Domain domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
- }
-
- _accountMgr.checkAccess(caller, domain);
-
- if (accountName != null) {
- Account account = _accountDao.findActiveAccount(accountName, domainId);
- if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
- throw new InvalidParameterValueException("Unable to find account by name " + accountName
- + " in domain " + domainId);
- }
- _accountMgr.checkAccess(caller, null, true, account);
- }
- }
+ List<Long> permittedDomains = new ArrayList<Long>();
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
- if (accountId == null) {
- if (_accountMgr.isAdmin(caller.getId()) && listAll && domainId == null) {
- listForDomain = true;
- isRecursive = true;
- if (domainId == null) {
- domainId = caller.getDomainId();
- }
- } else if (_accountMgr.isAdmin(caller.getId()) && domainId != null) {
- listForDomain = true;
- } else {
- accountId = caller.getAccountId();
- }
- }
+ boolean listAll = cmd.listAll();
+ Long id = cmd.getId();
+ String accountName = cmd.getSearchName();
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+ cmd.getDomainId(), cmd.isRecursive(), null);
+ // ListAccountsCmd is not BaseListAccountResourcesCmd, so no (domainId, accountName) combination
+ _accountMgr.buildACLSearchParameters(caller, id, null, null, permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, false, "listAccounts");
+ Boolean isRecursive = domainIdRecursiveListProject.second();
Filter searchFilter = new Filter(AccountJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
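Review bot: The new searchForAccountsInternal no longer validates the requested `id` or `cmd.getDomainId()` itself. The removed lines looked both up, rejected the system account and unknown domains with `InvalidParameterValueException`, and called `checkAccess` for each. All of that now rests on `buildACLSearchParameters(caller, id, null, null, …, "listAccounts")`, whose body is not part of this diff, so it should be confirmed that it rejects an id or domain the caller may not see rather than just returning empty lists. A comment above the call, for example `// existence and access checks for id/domainId are performed inside buildACLSearchParameters`, would document the delegation. `accountName` is still read from `cmd.getSearchName()` but not passed to the call, so its use must be further down, outside this hunk.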
@@ -1882,7 +1858,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
SearchBuilder<AccountJoinVO> sb = _accountJoinDao.createSearchBuilder();
sb.and("accountName", sb.entity().getAccountName(), SearchCriteria.Op.EQ);
- sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("type", sb.entity().getType(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), SearchCriteria.Op.EQ);
@@ -1890,11 +1865,31 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("typeNEQ", sb.entity().getType(), SearchCriteria.Op.NEQ);
sb.and("idNEQ", sb.entity().getId(), SearchCriteria.Op.NEQ);
- if (listForDomain && isRecursive) {
- sb.and("path", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
- }
-
SearchCriteria<AccountJoinVO> sc = sb.create();
+ SearchCriteria<AccountJoinVO> aclSc = _accountJoinDao.createSearchCriteria();
+ // building ACL search criteria. Here we cannot use the common accountMgr.buildACLViewSearchCriteria because
+ // 1) AccountJoinVO does not have accountId field, permittedAccounts correspond to list of resource ids.
+ // 2) AccountJoinVO use type not accountType field to indicate its type
+ if (!permittedDomains.isEmpty() || !permittedAccounts.isEmpty() || !permittedResources.isEmpty()) {
+ if (!permittedDomains.isEmpty()) {
+ if (isRecursive) {
+ for (int i = 0; i < permittedDomains.size(); i++) {
+ Domain domain = _domainDao.findById(permittedDomains.get(i));
+ aclSc.addOr("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
+ }
+ } else {
+ aclSc.addOr("domainId", SearchCriteria.Op.IN, permittedDomains.toArray());
+ }
+ }
+ if (!permittedAccounts.isEmpty()) {
+ aclSc.addOr("id", SearchCriteria.Op.IN, permittedAccounts.toArray());
+ }
+ if (!permittedResources.isEmpty()) {
+ aclSc.addOr("id", SearchCriteria.Op.IN, permittedResources.toArray());
+ }
+
+ sc.addAnd("id", SearchCriteria.Op.SC, aclSc);
+ }
sc.setParameters("idNEQ", Account.ACCOUNT_ID_SYSTEM);
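Review bot: When `permittedDomains`, `permittedAccounts` and `permittedResources` are all empty, the outer `if` is skipped and no ACL condition is attached to `sc`, so the account query is limited only by the other parameters such as `idNEQ`. Whether empty lists mean "unrestricted caller" or "nothing granted" is decided in `buildACLSearchParameters`, which is not visible here. If the second is possible this path should return an empty result instead, and either way a comment should state which it is. In the recursive branch the result of `_domainDao.findById(permittedDomains.get(i))` is dereferenced without a null check, so a domain removed after the list was built ends the request with a NullPointerException. A guard like `if (domain == null) { throw new InvalidParameterValueException("Domain id=" + permittedDomains.get(i) + " doesn't exist"); }` keeps the failure explicit; note also that `if (isRecursive)` unboxes a `Boolean` taken from the Ternary.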
@@ -1922,19 +1917,10 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
// don't return account of type project to the end user
- sc.setParameters("typeNEQ", 5);
-
- if (accountId != null) {
- sc.setParameters("id", accountId);
- }
+ sc.setParameters("typeNEQ", Account.ACCOUNT_TYPE_PROJECT);
- if (listForDomain) {
- if (isRecursive) {
- Domain domain = _domainDao.findById(domainId);
- sc.setParameters("path", domain.getPath() + "%");
- } else {
- sc.setParameters("domainId", domainId);
- }
+ if (id != null) {
+ sc.setParameters("id", id);
}
return _accountJoinDao.searchAndCount(sc, searchFilter);
@@ -1953,17 +1939,20 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), null, permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject,
+ cmd.listAll(), false, "listAsyncJobs");
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(AsyncJobJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
+ /*
SearchBuilder<AsyncJobJoinVO> sb = _jobJoinDao.createSearchBuilder();
sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
boolean accountJoinIsDone = false;
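Review bot: The old `SearchBuilder` logic is disabled by opening a `/*` block comment here that closes only two hunks later, instead of being deleted. That leaves a long stretch of dead code in the method, and it obscures the fact that the `accountIdIN` and `listProjectResourcesCriteria` conditions inside the comment are no longer applied by any visible code. Filtering now depends entirely on the `buildACLViewSearchCriteria(sc, aclSc, …)` call added after the comment. Delete the block and, if a pointer is wanted, leave one line such as `// ACL filtering is applied through aclSc below`. The method starts above this hunk and continues past it.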
@@ -1987,8 +1976,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
}
- Object keyword = cmd.getKeyword();
- Object startDate = cmd.getStartDate();
+
SearchCriteria<AsyncJobJoinVO> sc = sb.create();
if (listProjectResourcesCriteria != null) {
@@ -2005,6 +1993,17 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sc.setParameters("domainId", domainId);
}
}
+ */
+
+ Object keyword = cmd.getKeyword();
+ Object startDate = cmd.getStartDate();
+
+ // populate the search criteria with the values passed in
+ SearchCriteria<AsyncJobJoinVO> sc = _jobJoinDao.createSearchCriteria();
+ SearchCriteria<AsyncJobJoinVO> aclSc = _jobJoinDao.createSearchCriteria();
+
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
sc.addAnd("cmd", SearchCriteria.Op.LIKE, "%" + keyword + "%");
@@ -2467,7 +2466,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
throw ex;
}
- _accountMgr.checkAccess(caller, null, true, vmInstance);
+ _accountMgr.checkAccess(caller, null, vmInstance);
ServiceOfferingVO offering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
sc.addAnd("id", SearchCriteria.Op.NEQ, offering.getId());
@@ -2807,6 +2806,366 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
return response;
}
+ // Temporarily disable this method which used IAM model to do template list
+ private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternalIAM(ListTemplatesCmd cmd) {
+ TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter());
+ Long id = cmd.getId();
+ Map<String, String> tags = cmd.getTags();
+ boolean showRemovedTmpl = cmd.getShowRemoved();
+ Account caller = CallContext.current().getCallingAccount();
+
+ // TODO: listAll flag has some conflicts with TemplateFilter parameter
+ boolean listAll = false;
+ if (templateFilter != null && templateFilter == TemplateFilter.all) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+ + " can be specified by admin only");
+ }
+ listAll = true;
+ }
+
+ List<Long> permittedDomains = new ArrayList<Long>();
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+ cmd.getDomainId(), cmd.isRecursive(), null);
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, false, "listTemplates");
+
+ Boolean isRecursive = domainIdRecursiveListProject.second();
+ ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+
+ boolean showDomr = ((templateFilter != TemplateFilter.selfexecutable) && (templateFilter != TemplateFilter.featured));
+ HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
+
+ return searchForTemplatesInternalIAM(id, cmd.getTemplateName(), cmd.getKeyword(), templateFilter, false, null,
+ cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType, showDomr,
+ cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources, isRecursive, caller, listProjectResourcesCriteria, tags, showRemovedTmpl);
+ }
+
+ // Temporarily disable this method which used IAM model to do template list
+ private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternalIAM(Long templateId, String name,
+ String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable, Long pageSize,
+ Long startIndex, Long zoneId, HypervisorType hyperType, boolean showDomr, boolean onlyReady,
+ List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources, boolean isRecursive, Account caller,
+ ListProjectResourcesCriteria listProjectResourcesCriteria,
+ Map<String, String> tags, boolean showRemovedTmpl) {
+
+ // check if zone is configured, if not, just return empty list
+ List<HypervisorType> hypers = null;
+ if (!isIso) {
+ hypers = _resourceMgr.listAvailHypervisorInZone(null, null);
+ if (hypers == null || hypers.isEmpty()) {
+ return new Pair<List<TemplateJoinVO>, Integer>(new ArrayList<TemplateJoinVO>(), 0);
+ }
+ }
+
+ VMTemplateVO template = null;
+
+ Boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm"));
+ isAscending = (isAscending == null ? true : isAscending);
+ Filter searchFilter = new Filter(TemplateJoinVO.class, "sortKey", isAscending, startIndex, pageSize);
+
+ SearchBuilder<TemplateJoinVO> sb = _templateJoinDao.createSearchBuilder();
+ sb.select(null, Func.DISTINCT, sb.entity().getTempZonePair()); // select distinct (templateId, zoneId) pair
+ SearchCriteria<TemplateJoinVO> sc = sb.create();
+
+ // verify templateId parameter and specially handle it
+ if (templateId != null) {
+ template = _templateDao.findByIdIncludingRemoved(templateId); // Done for backward compatibility - Bug-5221
+ if (template == null) {
+ throw new InvalidParameterValueException("Please specify a valid template ID.");
+ }// If ISO requested then it should be ISO.
+ if (isIso && template.getFormat() != ImageFormat.ISO) {
+ s_logger.error("Template Id " + templateId + " is not an ISO");
+ InvalidParameterValueException ex = new InvalidParameterValueException("Specified Template Id is not an ISO");
+ ex.addProxyObject(template.getUuid(), "templateId");
+ throw ex;
+ }// If ISO not requested then it shouldn't be an ISO.
+ if (!isIso && template.getFormat() == ImageFormat.ISO) {
+ s_logger.error("Incorrect format of the template id " + templateId);
+ InvalidParameterValueException ex = new InvalidParameterValueException("Incorrect format " + template.getFormat() + " of the specified template id");
+ ex.addProxyObject(template.getUuid(), "templateId");
+ throw ex;
+ }
+
+ // if template is not public, perform permission check here
+ if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) {
+ Account owner = _accountMgr.getAccount(template.getAccountId());
+ _accountMgr.checkAccess(caller, null, owner);
+ }
+
+ // if templateId is specified, then we will just use the id to
+ // search and ignore other query parameters
+ sc.addAnd("id", SearchCriteria.Op.EQ, templateId);
+ } else {
+ if (!isIso) {
+ // add hypervisor criteria for template case
+ if (hypers != null && !hypers.isEmpty()) {
+ String[] relatedHypers = new String[hypers.size()];
+ for (int i = 0; i < hypers.size(); i++) {
+ relatedHypers[i] = hypers.get(i).toString();
+ }
+ sc.addAnd("hypervisorType", SearchCriteria.Op.IN, relatedHypers);
+ }
+ }
+
+ // control different template filters
+ DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
+ if (templateFilter == TemplateFilter.featured || templateFilter == TemplateFilter.community) {
+ sc.addAnd("publicTemplate", SearchCriteria.Op.EQ, true);
+ if (templateFilter == TemplateFilter.featured) {
+ sc.addAnd("featured", SearchCriteria.Op.EQ, true);
+ } else {
+ sc.addAnd("featured", SearchCriteria.Op.EQ, false);
+ }
+
+ /* We don't need this any more to check domain id, based on CLOUDSTACK-5987
+ // for public templates, we should get all public templates from all domains in the system
+ // get all parent domain ID's all the way till root domain
+ List<Long> domainTree = new ArrayList<Long>();
+ DomainVO domainTreeNode = _domainDao.findById(Domain.ROOT_DOMAIN); // fix for CLOUDSTACK-5987
+ domainTree.add(domainTreeNode.getId());
+
+ // get all child domain ID's under root
+ List<DomainVO> allChildDomains = _domainDao.findAllChildren(domainTreeNode.getPath(), domainTreeNode.getId());
+ for (DomainVO childDomain : allChildDomains) {
+ domainTree.add(childDomain.getId());
+ }
+
+ SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+ scc.addOr("domainId", SearchCriteria.Op.IN, domainTree.toArray());
+ scc.addOr("domainId", SearchCriteria.Op.NULL);
+ sc.addAnd("domainId", SearchCriteria.Op.SC, scc);
+ */
+ } else if (templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable) {
+ if (permittedDomains.contains(caller.getDomainId())) {
+ // this caller acts like a domain admin
+
+ sc.addAnd("domainPath", SearchCriteria.Op.LIKE, callerDomain.getPath() + "%");
+ } else {
+ // only display templates owned by caller for resource owner only
+ sc.addAnd("accountId", SearchCriteria.Op.EQ, caller.getAccountId());
+ }
+ } else if (templateFilter == TemplateFilter.sharedexecutable || templateFilter == TemplateFilter.shared) {
+ // exclude the caller, only include those granted and not owned by self
+ permittedDomains.remove(caller.getDomainId());
+ permittedAccounts.remove(caller.getAccountId());
+ for (Long tid : permittedResources) {
+ // remove it if it is owned by the caller
+ VMTemplateVO tmpl = _templateDao.findById(tid);
+ if (tmpl != null && tmpl.getAccountId() == caller.getAccountId()) {
+ permittedResources.remove(tid);
+ }
+ }
+ // building ACL search criteria
+ SearchCriteria<TemplateJoinVO> aclSc = _templateJoinDao.createSearchCriteria();
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ } else if (templateFilter == TemplateFilter.executable) {
+ // public template + self template
+ SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+ scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true);
+ // plus self owned templates or domain tree templates for domain admin
+ if (permittedDomains.contains(caller.getDomainId())) {
+ // this caller acts like a domain admin
+ sc.addOr("domainPath", SearchCriteria.Op.LIKE, callerDomain.getPath() + "%");
+ } else {
+ // only display templates owned by caller for resource owner only
+ sc.addOr("accountId", SearchCriteria.Op.EQ, caller.getAccountId());
+ }
+ sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc);
+ }
+
+ // add tags criteria
+ if (tags != null && !tags.isEmpty()) {
+ SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+ for (String key : tags.keySet()) {
+ SearchCriteria<TemplateJoinVO> scTag = _templateJoinDao.createSearchCriteria();
+ scTag.addAnd("tagKey", SearchCriteria.Op.EQ, key);
+ scTag.addAnd("tagValue", SearchCriteria.Op.EQ, tags.get(key));
+ if (isIso) {
+ scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.ISO);
+ } else {
+ scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.Template);
+ }
+ scc.addOr("tagKey", SearchCriteria.Op.SC, scTag);
+ }
+ sc.addAnd("tagKey", SearchCriteria.Op.SC, scc);
+ }
+
+ // other criteria
+
+ if (keyword != null) {
+ sc.addAnd("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
+ } else if (name != null) {
+ sc.addAnd("name", SearchCriteria.Op.EQ, name);
+ }
+
+ if (isIso) {
+ sc.addAnd("format", SearchCriteria.Op.EQ, "ISO");
+
+ } else {
+ sc.addAnd("format", SearchCriteria.Op.NEQ, "ISO");
+ }
+
+ if (!hyperType.equals(HypervisorType.None)) {
+ sc.addAnd("hypervisorType", SearchCriteria.Op.EQ, hyperType);
+ }
+
+ if (bootable != null) {
+ sc.addAnd("bootable", SearchCriteria.Op.EQ, bootable);
+ }
+
+ if (onlyReady) {
+ SearchCriteria<TemplateJoinVO> readySc = _templateJoinDao.createSearchCriteria();
+ readySc.addOr("state", SearchCriteria.Op.EQ, TemplateState.Ready);
+ readySc.addOr("format", SearchCriteria.Op.EQ, ImageFormat.BAREMETAL);
+ SearchCriteria<TemplateJoinVO> isoPerhostSc = _templateJoinDao.createSearchCriteria();
+ isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO);
+ isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST);
+ readySc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc);
+ sc.addAnd("state", SearchCriteria.Op.SC, readySc);
+ }
+
+ if (!showDomr) {
+ // excluding system template
+ sc.addAnd("templateType", SearchCriteria.Op.NEQ, Storage.TemplateType.SYSTEM);
+ }
+ }
+
+ if (zoneId != null) {
+ SearchCriteria<TemplateJoinVO> zoneSc = _templateJoinDao.createSearchCriteria();
+ zoneSc.addOr("dataCenterId", SearchCriteria.Op.EQ, zoneId);
+ zoneSc.addOr("dataStoreScope", SearchCriteria.Op.EQ, ScopeType.REGION);
+ // handle the case where xs-tools.iso and vmware-tools.iso do not
+ // have data_center information in template_view
+ SearchCriteria<TemplateJoinVO> isoPerhostSc = _templateJoinDao.createSearchCriteria();
+ isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO);
+ isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST);
+ zoneSc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc);
+ sc.addAnd("dataCenterId", SearchCriteria.Op.SC, zoneSc);
+ }
+
+ // don't return removed template, this should not be needed since we
+ // changed annotation for removed field in TemplateJoinVO.
+ // sc.addAnd("removed", SearchCriteria.Op.NULL);
+
+ // search unique templates and find details by Ids
+ Pair<List<TemplateJoinVO>, Integer> uniqueTmplPair = null;
+ if(showRemovedTmpl){
+ uniqueTmplPair = _templateJoinDao.searchIncludingRemovedAndCount(sc, searchFilter);
+ } else {
+ sc.addAnd("templateState", SearchCriteria.Op.EQ, State.Active);
+ uniqueTmplPair = _templateJoinDao.searchAndCount(sc, searchFilter);
+ }
+
+ Integer count = uniqueTmplPair.second();
+ if (count.intValue() == 0) {
+ // empty result
+ return uniqueTmplPair;
+ }
+ List<TemplateJoinVO> uniqueTmpls = uniqueTmplPair.first();
+ String[] tzIds = new String[uniqueTmpls.size()];
+ int i = 0;
+ for (TemplateJoinVO v : uniqueTmpls) {
+ tzIds[i++] = v.getTempZonePair();
+ }
+ List<TemplateJoinVO> vrs = _templateJoinDao.searchByTemplateZonePair(showRemovedTmpl, tzIds);
+ return new Pair<List<TemplateJoinVO>, Integer>(vrs, count);
+
+ // TODO: revisit the special logic for iso search in
+ // VMTemplateDaoImpl.searchForTemplates and understand why we need to
+ // specially handle ISO. The original logic is very twisted and no idea
+ // about what the code was doing.
+
+ }
+
+ // This method should only be used for keeping old listTemplates and listAffinityGroups behavior, PLEASE DON'T USE IT FOR USE LIST APIs
+ private void buildTemplateAffinityGroupSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long>
+ permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
+ boolean listAll, boolean forProjectInvitation) {
+ Long domainId = domainIdRecursiveListProject.first();
+ if (domainId != null) {
+ Domain domain = _domainDao.findById(domainId);
+ if (domain == null) {
+ throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
+ }
+ // check permissions
+ _accountMgr.checkAccess(caller, domain);
+ }
+
+ if (accountName != null) {
+ if (projectId != null) {
+ throw new InvalidParameterValueException("Account and projectId can't be specified together");
+ }
+
+ Account userAccount = null;
+ Domain domain = null;
+ if (domainId != null) {
+ userAccount = _accountDao.findActiveAccount(accountName, domainId);
+ domain = _domainDao.findById(domainId);
+ } else {
+ userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
+ domain = _domainDao.findById(caller.getDomainId());
+ }
+
+ if (userAccount != null) {
+ _accountMgr.checkAccess(caller, null, userAccount);
+ // check permissions
+ permittedAccounts.add(userAccount.getId());
+ } else {
+ throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
+ }
+ }
+
+ // set project information
+ if (projectId != null) {
+ if (!forProjectInvitation) {
+ if (projectId.longValue() == -1) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
+ } else {
+ domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
+ }
+ } else {
+ Project project = _projectMgr.getProject(projectId);
+ if (project == null) {
+ throw new InvalidParameterValueException("Unable to find project by id " + projectId);
+ }
+ if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
+ throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
+ }
+ permittedAccounts.add(project.getProjectAccountId());
+ }
+ }
+ } else {
+ if (id == null) {
+ domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
+ }
+ if (permittedAccounts.isEmpty() && domainId == null) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ permittedAccounts.add(caller.getId());
+ } else if (!listAll) {
+ if (id == null) {
+ permittedAccounts.add(caller.getId());
+ } else if (!_accountMgr.isRootAdmin(caller.getId())) {
+ domainIdRecursiveListProject.first(caller.getDomainId());
+ domainIdRecursiveListProject.second(true);
+ }
+ } else if (domainId == null) {
+ if (_accountMgr.isDomainAdmin(caller.getId())) {
+ domainIdRecursiveListProject.first(caller.getDomainId());
+ domainIdRecursiveListProject.second(true);
+ }
+ }
+ } else if (domainId != null) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ permittedAccounts.add(caller.getId());
+ }
+ }
+ }
+ }
private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(ListTemplatesCmd cmd) {
TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter());
@@ -2827,7 +3186,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> permittedAccountIds = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
+ buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
domainIdRecursiveListProject, listAll, false);
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
List<Account> permittedAccounts = new ArrayList<Account>();
@@ -2892,7 +3251,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// if template is not public, perform permission check here
if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
Account owner = _accountMgr.getAccount(template.getAccountId());
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
}
// if templateId is specified, then we will just use the id to
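Review bot: The rewritten `_accountMgr.checkAccess(caller, null, owner)` drops the `sameOwner` argument that the old call passed as `true`, while other call sites in this commit that passed `false` (in IpAddressManagerImpl and NetworkServiceImpl) are collapsed onto the same three-argument form. The overload is not shown on this page, so it cannot be confirmed here whether the same-owner constraint is now always applied, never applied, or delegated to the security checkers; this needs checking before the revert ships. Passing `null` as the access type also leaves the required level implicit at every one of these sites. Where the intent is known, an explicit type (as the `AccessType.UseEntry` calls do) or a comment such as `// null AccessType: relies on the checker's default access level` would make the check auditable. The enclosing method starts and ends outside the hunk.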
@@ -2904,7 +3263,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (!permittedAccounts.isEmpty()) {
domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());
} else {
- domain = _domainDao.findById(Domain.ROOT_DOMAIN);
+ domain = _domainDao.findById(DomainVO.ROOT_DOMAIN);
}
// List<HypervisorType> hypers = null;
@@ -3137,7 +3496,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> permittedAccountIds = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
+ buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
domainIdRecursiveListProject, listAll, false);
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
List<Account> permittedAccounts = new ArrayList<Account>();
@@ -3152,6 +3511,43 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
cmd.listInReadyState(), permittedAccounts, caller, listProjectResourcesCriteria, tags, showRemovedISO);
}
+ private Pair<List<TemplateJoinVO>, Integer> searchForIsosInternalIAM(ListIsosCmd cmd) {
+ TemplateFilter isoFilter = TemplateFilter.valueOf(cmd.getIsoFilter());
+ Long id = cmd.getId();
+ Map<String, String> tags = cmd.getTags();
+ boolean showRemovedISO = cmd.getShowRemoved();
+ Account caller = CallContext.current().getCallingAccount();
+
+ boolean listAll = false;
+ if (isoFilter != null && isoFilter == TemplateFilter.all) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+ + " can be specified by admin only");
+ }
+ listAll = true;
+ }
+
+ List<Long> permittedDomains = new ArrayList<Long>();
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+ cmd.getDomainId(), cmd.isRecursive(), null);
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listIsos");
+ Boolean isRecursive = domainIdRecursiveListProject.second();
+ ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+// List<Account> permittedAccounts = new ArrayList<Account>();
+// for (Long accountId : permittedAccountIds) {
+// permittedAccounts.add(_accountMgr.getAccount(accountId));
+// }
+
+ HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
+
+ return searchForTemplatesInternalIAM(cmd.getId(), cmd.getIsoName(), cmd.getKeyword(), isoFilter, true,
+ cmd.isBootable(), cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType, true,
+ cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources, isRecursive, caller, listProjectResourcesCriteria, tags, showRemovedISO);
+ }
@Override
public ListResponse<AffinityGroupResponse> listAffinityGroups(Long affinityGroupId, String affinityGroupName,
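Review bot: In `searchForIsosInternalIAM` the local `listAll`, which is set only after the admin-only gate on `TemplateFilter.all`, is never read; the ACL builder receives the raw request flag `cmd.listAll()` instead. The non-IAM sibling passes the local (`domainIdRecursiveListProject, listAll, false);`), so the IAM variant should presumably end its call with `domainIdRecursiveListProject, listAll, false, "listIsos");`. The `isoFilter != null` test is also dead, since `TemplateFilter.valueOf` throws rather than returning null. An unrecognised filter string therefore surfaces as an `IllegalArgumentException` unless the command validates it earlier, which is not visible here.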
@@ -3180,14 +3576,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance "
+ vmId + "; instance not found.");
}
- _accountMgr.checkAccess(caller, null, true, userVM);
+ _accountMgr.checkAccess(caller, null, userVM);
return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
}
List<Long> permittedAccounts = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts,
+ buildTemplateAffinityGroupSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts,
domainIdRecursiveListProject, listAll, true);
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
@@ -3321,6 +3717,121 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
return sc;
}
+ public Pair<List<AffinityGroupJoinVO>, Integer> listAffinityGroupsInternalIAM(Long affinityGroupId,
+ String affinityGroupName, String affinityGroupType, Long vmId, String accountName, Long domainId,
+ boolean isRecursive, boolean listAll, Long startIndex, Long pageSize, String keyword) {
+
+ Account caller = CallContext.current().getCallingAccount();
+
+ caller.getAccountId();
+
+ if (vmId != null) {
+ UserVmVO userVM = _userVmDao.findById(vmId);
+ if (userVM == null) {
+ throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
+ }
+ _accountMgr.checkAccess(caller, null, userVM);
+ return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
+ }
+
+ List<Long> permittedDomains = new ArrayList<Long>();
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+ domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, true, "listAffinityGroups");
+ //domainId = domainIdRecursiveListProject.first();
+ isRecursive = domainIdRecursiveListProject.second();
+ ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+
+ Filter searchFilter = new Filter(AffinityGroupJoinVO.class, "id", true, startIndex, pageSize);
+ SearchCriteria<AffinityGroupJoinVO> sc = buildAffinityGroupSearchCriteriaIAM(isRecursive,
+ permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword);
+
+ Pair<List<AffinityGroupJoinVO>, Integer> uniqueGroupsPair = _affinityGroupJoinDao.searchAndCount(sc, searchFilter);
+ // search group details by ids
+ List<AffinityGroupJoinVO> vrs = new ArrayList<AffinityGroupJoinVO>();
+ Integer count = uniqueGroupsPair.second();
+ if (count.intValue() != 0) {
+ List<AffinityGroupJoinVO> uniqueGroups = uniqueGroupsPair.first();
+ Long[] vrIds = new Long[uniqueGroups.size()];
+ int i = 0;
+ for (AffinityGroupJoinVO v : uniqueGroups) {
+ vrIds[i++] = v.getId();
+ }
+ vrs = _affinityGroupJoinDao.searchByIds(vrIds);
+ }
+
+ /* TODO: confirm with Prachi if we still need this complicated logic with new ACL model
+ if (!permittedAccounts.isEmpty()) {
+ // add domain level affinity groups
+ if (domainId != null) {
+ SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(null, isRecursive,
+ new ArrayList<Long>(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName,
+ affinityGroupType, keyword);
+ vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId));
+ } else {
+
+ for (Long permAcctId : permittedAccounts) {
+ Account permittedAcct = _accountDao.findById(permAcctId);
+ SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(
+ null, isRecursive, new ArrayList<Long>(),
+ listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword);
+
+ vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, permittedAcct.getDomainId()));
+ }
+ }
+ } else if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
+ // list all domain level affinity groups for the domain admin case
+ SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(null, isRecursive,
+ new ArrayList<Long>(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName,
+ affinityGroupType, keyword);
+ vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId));
+ }
+ */
+
+ return new Pair<List<AffinityGroupJoinVO>, Integer>(vrs, vrs.size());
+
+ }
+
+ private SearchCriteria<AffinityGroupJoinVO> buildAffinityGroupSearchCriteriaIAM(boolean isRecursive,
+ List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria,
+ Long affinityGroupId, String affinityGroupName, String affinityGroupType, String keyword) {
+
+ SearchBuilder<AffinityGroupJoinVO> groupSearch = _affinityGroupJoinDao.createSearchBuilder();
+ groupSearch.select(null, Func.DISTINCT, groupSearch.entity().getId()); // select
+ // distinct
+
+ SearchCriteria<AffinityGroupJoinVO> sc = groupSearch.create();
+ SearchCriteria<AffinityGroupJoinVO> aclSc = _affinityGroupJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+
+ if (affinityGroupId != null) {
+ sc.addAnd("id", SearchCriteria.Op.EQ, affinityGroupId);
+ }
+
+ if (affinityGroupName != null) {
+ sc.addAnd("name", SearchCriteria.Op.EQ, affinityGroupName);
+ }
+
+ if (affinityGroupType != null) {
+ sc.addAnd("type", SearchCriteria.Op.EQ, affinityGroupType);
+ }
+
+ if (keyword != null) {
+ SearchCriteria<AffinityGroupJoinVO> ssc = _affinityGroupJoinDao.createSearchCriteria();
+ ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
+ ssc.addOr("type", SearchCriteria.Op.LIKE, "%" + keyword + "%");
+
+ sc.addAnd("name", SearchCriteria.Op.SC, ssc);
+ }
+
+ return sc;
+
+ }
+
private Pair<List<AffinityGroupJoinVO>, Integer> listAffinityGroupsByVM(long vmId, long pageInd, long pageSize) {
Filter sf = new Filter(SecurityGroupVMMapVO.class, null, true, pageInd, pageSize);
Pair<List<AffinityGroupVMMapVO>, Integer> agVmMappingPair = _affinityGroupVMMapDao.listByInstanceId(vmId, sf);
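Review bot: `listAffinityGroupsInternalIAM` returns `vrs.size()` as the total, so a paged request reports the size of the current page instead of the match count that `searchAndCount` already returned in `count`. With the domain-level merge commented out, nothing is appended to `vrs` after the id lookup, so `return new Pair<List<AffinityGroupJoinVO>, Integer>(vrs, count);` looks like the intended result. The bare `caller.getAccountId();` statement near the top has no effect and can be removed. The large commented-out block means domain-level affinity groups are no longer merged in on this path, and the TODO should say whether the new ACL criteria are expected to cover them.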
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index 3f79a76..231b5e1 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -39,6 +39,7 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.SecurityChecker;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupService;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@@ -4327,7 +4328,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
throw new InvalidParameterValueException("Can't update system networks");
}
- _accountMgr.checkAccess(caller, null, true, network);
+ _accountMgr.checkAccess(caller, AccessType.ListEntry, network);
List<Long> offeringIds = _networkModel.listNetworkOfferingsForUpgrade(networkId);
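Review bot: This call now checks the network with `AccessType.ListEntry`, unlike the other rewritten call sites on this page, which pass `null` or `AccessType.UseEntry`, and it replaces a call that passed `sameOwner = true`. The context line just above refers to updating networks, so it is worth confirming that this path only enumerates upgrade candidates and never feeds a modification, where list-level access would be weaker than the previous check. If listing is the intent, say so next to the call, e.g. `// listing upgrade candidates only; list-level access on the network is sufficient`. The enclosing method starts and ends outside the hunk.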
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/IpAddressManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/IpAddressManagerImpl.java b/server/src/com/cloud/network/IpAddressManagerImpl.java
index 9b1f9bd..746221f 100644
--- a/server/src/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/com/cloud/network/IpAddressManagerImpl.java
@@ -29,6 +29,8 @@ import java.util.UUID;
import javax.inject.Inject;
+import org.apache.log4j.Logger;
+
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.context.CallContext;
@@ -40,7 +42,6 @@ import org.apache.cloudstack.region.PortableIp;
import org.apache.cloudstack.region.PortableIpDao;
import org.apache.cloudstack.region.PortableIpVO;
import org.apache.cloudstack.region.Region;
-import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.alert.AlertManager;
@@ -409,7 +410,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
Account caller = CallContext.current().getCallingAccount();
long callerUserId = CallContext.current().getCallingUserId();
// check permissions
- _accountMgr.checkAccess(caller, null, false, ipOwner);
+ _accountMgr.checkAccess(caller, null, ipOwner);
DataCenter zone = _entityMgr.findById(DataCenter.class, zoneId);
@@ -1164,15 +1165,14 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
if (zone.getNetworkType() == NetworkType.Advanced) {
if (network.getGuestType() == Network.GuestType.Shared) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
- network);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
} else {
throw new InvalidParameterValueException("IP can be associated with guest network of 'shared' type only if "
+ "network services Source Nat, Static Nat, Port Forwarding, Load balancing, firewall are enabled in the network");
}
}
} else {
- _accountMgr.checkAccess(caller, null, true, ipToAssoc);
+ _accountMgr.checkAccess(caller, null, ipToAssoc);
}
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
@@ -1187,7 +1187,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
Network network = _networksDao.findById(networkId);
if (network != null) {
- _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network);
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
} else {
s_logger.debug("Unable to find ip address by id: " + ipId);
return null;
@@ -1319,11 +1319,10 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
if (zone.getNetworkType() == NetworkType.Advanced) {
if (network.getGuestType() == Network.GuestType.Shared) {
assert (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId()));
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
- network);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
}
} else {
- _accountMgr.checkAccess(caller, null, true, ipToAssoc);
+ _accountMgr.checkAccess(caller, null, ipToAssoc);
}
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/NetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index 7b4b2be..f84eccd 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -34,7 +34,9 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
@@ -97,6 +99,7 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
import com.cloud.projects.dao.ProjectAccountDao;
import com.cloud.server.ConfigurationServer;
import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.DomainManager;
import com.cloud.user.dao.AccountDao;
@@ -173,7 +176,8 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
FirewallRulesDao _firewallDao;
@Inject
DomainManager _domainMgr;
-
+ @Inject
+ AccountManager _accountMgr;
@Inject
NetworkOfferingServiceMapDao _ntwkOfferingSrvcDao;
@Inject
@@ -216,6 +220,16 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
static HashMap<Service, List<Provider>> s_serviceToImplementedProvidersMap = new HashMap<Service, List<Provider>>();
static HashMap<String, String> s_providerToNetworkElementMap = new HashMap<String, String>();
+ List<SecurityChecker> _securityCheckers;
+
+ public List<SecurityChecker> getSecurityCheckers() {
+ return _securityCheckers;
+ }
+
+ public void setSecurityCheckers(List<SecurityChecker> securityCheckers) {
+ _securityCheckers = securityCheckers;
+ }
+
/**
*
*/
@@ -1567,6 +1581,35 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
}
@Override
+ public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+ if (network == null) {
+ throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
+ }
+
+ AccountVO networkOwner = _accountDao.findById(network.getAccountId());
+ if (networkOwner == null) {
+ throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+ + ", network does not have an owner");
+ }
+ if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+ if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId())) {
+ throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+ + ", permission denied");
+ }
+ } else {
+ // Go through IAM (SecurityCheckers)
+ for (SecurityChecker checker : _securityCheckers) {
+ if (checker.checkAccess(owner, accessType, null, network)) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Access to " + network + " granted to " + owner + " by " + checker.getName());
+ }
+ break;
+ }
+ }
+ }
+ }
+
+ @Override
public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType) {
try {
PhysicalNetwork publicPhyNetwork = getOnePhysicalNetworkByZoneAndTrafficType(dcId, TrafficType.Public);
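Review bot: The `else` branch of `checkNetworkPermissions` only acts when a checker returns true; if every `SecurityChecker` returns false, the loop ends and the method returns normally, which callers will read as access granted. Unless each checker is guaranteed to throw on denial (not visible on this page), the method should track whether any checker granted access and throw `PermissionDeniedException` otherwise. `_securityCheckers` is also assigned only through the setter added in the previous hunk, so an unwired bean would fail here with a `NullPointerException` rather than a clean denial.

```java
        } else {
            // Go through IAM (SecurityCheckers)
            boolean granted = false;
            for (SecurityChecker checker : _securityCheckers) {
                if (checker.checkAccess(owner, accessType, null, network)) {
                    // … unchanged: debug log naming the granting checker …
                    granted = true;
                    break;
                }
            }
            if (!granted) {
                // deny by default when no checker vouches for the caller
                throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
                    + ", permission denied");
            }
        }
```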
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/NetworkServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index 95d3dec..ec9fa12 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -542,7 +542,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
if (zone.getNetworkType() == NetworkType.Advanced) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
- _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+ _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
}
@@ -554,7 +554,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
}
} else {
- _accountMgr.checkAccess(caller, null, false, ipOwner);
+ _accountMgr.checkAccess(caller, null, ipOwner);
}
return _ipAddrMgr.allocateIp(ipOwner, false, caller, callerUserId, zone, displayIp);
@@ -585,7 +585,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
if (zone.getNetworkType() == NetworkType.Advanced) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
- _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+ _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
}
@@ -605,7 +605,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
}
- _accountMgr.checkAccess(caller, null, false, ipOwner);
+ _accountMgr.checkAccess(caller, null, ipOwner);
return _ipAddrMgr.allocatePortableIp(ipOwner, caller, zoneId, null, null);
}
@@ -671,7 +671,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
final Account ipOwner = _accountMgr.getAccount(vm.getAccountId());
// verify permissions
- _accountMgr.checkAccess(caller, null, true, vm);
+ _accountMgr.checkAccess(caller, null, vm);
Network network = _networksDao.findById(networkId);
if (network == null) {
@@ -767,7 +767,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("There is no vm with the given secondary ip");
}
// verify permissions
- _accountMgr.checkAccess(caller, null, true, vm);
+ _accountMgr.checkAccess(caller, null, vm);
Network network = _networksDao.findById(secIpVO.getNetworkId());
@@ -891,7 +891,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// verify permissions
if (ipVO.getAllocatedToAccountId() != null) {
- _accountMgr.checkAccess(caller, null, true, ipVO);
+ _accountMgr.checkAccess(caller, null, ipVO);
}
if (ipVO.isSourceNat()) {
@@ -1432,7 +1432,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("Unable to find account " + accountName + " in specified domain");
}
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
permittedAccounts.add(owner.getId());
}
}
@@ -1816,7 +1816,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
Account owner = _accountMgr.getAccount(network.getAccountId());
// Perform permission check
- _accountMgr.checkAccess(caller, null, true, network);
+ _accountMgr.checkAccess(caller, null, network);
if (forced && !_accountMgr.isRootAdmin(caller.getId())) {
throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins");
@@ -1860,7 +1860,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterException("Unable to restart a running SDN network.");
}
- _accountMgr.checkAccess(callerAccount, null, true, network);
+ _accountMgr.checkAccess(callerAccount, null, network);
boolean success = _networkMgr.restartNetwork(networkId, callerAccount, callerUser, cleanup);
@@ -1996,7 +1996,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("Can't allow networks which traffic type is not " + TrafficType.Guest);
}
- _accountMgr.checkAccess(callerAccount, null, true, network);
+ _accountMgr.checkAccess(callerAccount, null, network);
if (name != null) {
network.setName(name);
@@ -4045,7 +4045,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw ex;
}
- _accountMgr.checkAccess(caller, null, true, userVm);
+ _accountMgr.checkAccess(caller, null, userVm);
return _networkMgr.listVmNics(vmId, nicId, networkId);
}
@@ -4069,7 +4069,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// verify permissions
if (ipVO.getAllocatedToAccountId() != null) {
- _accountMgr.checkAccess(caller, null, true, ipVO);
+ _accountMgr.checkAccess(caller, null, ipVO);
} else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
throw new PermissionDeniedException("Only Root admin can update non-allocated ip addresses");
}
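Review bot: The fallback branch for unallocated addresses decides "root admin" by `caller.getType() != Account.ACCOUNT_TYPE_ADMIN`, while the delete-network hunk at -1816 in the same file asks `_accountMgr.isRootAdmin(caller.getId())`. Now that the allocated branch goes through the reworked checkAccess, the two admin tests may no longer agree on who counts as root admin. If the account-type constant and the manager's answer can differ, that needs confirming. Using one form throughout would remove the doubt, e.g. `} else if (!_accountMgr.isRootAdmin(caller.getId())) {`. The enclosing method starts and ends outside the hunk.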
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
index d4de462..09c6694 100644
--- a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
+++ b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
@@ -116,9 +116,9 @@ import com.cloud.utils.db.GenericDao;
import com.cloud.utils.db.JoinBuilder;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
-import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.TransactionStatus;
import com.cloud.utils.net.NetUtils;
import com.cloud.vm.UserVmManager;
@@ -240,7 +240,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
throw new InvalidParameterValueException("Unable to find " + paramName);
}
- _accountMgr.checkAccess(caller, null, false, (ControlledEntity)vo);
+ _accountMgr.checkAccess(caller, null, (ControlledEntity)vo);
return vo;
}
@@ -342,7 +342,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Account owner = _accountDao.findById(cmd.getAccountId());
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
long zoneId = cmd.getZoneId();
long serviceOfferingId = cmd.getServiceOfferingId();
@@ -461,7 +461,8 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Long zoneId = cmd.getZoneId();
Boolean display = cmd.getDisplay();
- SearchWrapper<AutoScaleVmProfileVO> searchWrapper = new SearchWrapper<AutoScaleVmProfileVO>(_autoScaleVmProfileDao, AutoScaleVmProfileVO.class, cmd, cmd.getId());
+ SearchWrapper<AutoScaleVmProfileVO> searchWrapper = new SearchWrapper<AutoScaleVmProfileVO>(_autoScaleVmProfileDao, AutoScaleVmProfileVO.class, cmd, cmd.getId(),
+ "listAutoScaleVmProfiles");
SearchBuilder<AutoScaleVmProfileVO> sb = searchWrapper.getSearchBuilder();
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
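Review bot: The action name reaches the ACL layer as a bare string literal, `"listAutoScaleVmProfiles"`, and the same pattern repeats at -673 (`"listAutoScalePolicies"`), -879 (`"listAutoScaleVmGroups"`) and -1170 (`"listConditions"`). If buildACLSearchParameters matches this string against permission names, which is not visible here, a misspelt literal would compile and could silently change which rows the caller may list. A named constant per action would make the coupling explicit, e.g. `private static final String ACTION_LIST_VM_PROFILES = "listAutoScaleVmProfiles";`. Taking the name from the command object would do the same, if it exposes one. The enclosing method starts and ends outside the hunk.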
@@ -526,7 +527,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
ControlledEntity[] sameOwnerEntities = conditions.toArray(new ControlledEntity[conditions.size() + 1]);
sameOwnerEntities[sameOwnerEntities.length - 1] = autoScalePolicyVO;
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
if (conditionIds.size() != conditions.size()) {
// TODO report the condition id which could not be found
@@ -620,7 +621,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
idList.add(ApiDBUtils.findDomainById(domainId).getUuid());
throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain with specifed domainId");
}
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
}
private class SearchWrapper<VO extends ControlledEntity> {
@@ -629,11 +630,14 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
SearchCriteria<VO> searchCriteria;
Long domainId;
boolean isRecursive;
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
ListProjectResourcesCriteria listProjectResourcesCriteria;
Filter searchFilter;
- public SearchWrapper(GenericDao<VO, Long> dao, Class<VO> entityClass, BaseListAccountResourcesCmd cmd, Long id)
+ public SearchWrapper(GenericDao<VO, Long> dao, Class<VO> entityClass, BaseListAccountResourcesCmd cmd, Long id, String action)
{
this.dao = dao;
this.searchBuilder = dao.createSearchBuilder();
@@ -647,12 +651,12 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, action);
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
- _accountMgr.buildACLSearchBuilder(searchBuilder, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(searchBuilder, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
searchFilter = new Filter(entityClass, "id", false, startIndex, pageSizeVal);
}
@@ -662,7 +666,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
public SearchCriteria<VO> buildSearchCriteria() {
searchCriteria = searchBuilder.create();
- _accountMgr.buildACLSearchCriteria(searchCriteria, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(searchCriteria, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
return searchCriteria;
}
@@ -673,7 +677,8 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
@Override
public List<? extends AutoScalePolicy> listAutoScalePolicies(ListAutoScalePoliciesCmd cmd) {
- SearchWrapper<AutoScalePolicyVO> searchWrapper = new SearchWrapper<AutoScalePolicyVO>(_autoScalePolicyDao, AutoScalePolicyVO.class, cmd, cmd.getId());
+ SearchWrapper<AutoScalePolicyVO> searchWrapper = new SearchWrapper<AutoScalePolicyVO>(_autoScalePolicyDao, AutoScalePolicyVO.class, cmd, cmd.getId(),
+ "listAutoScalePolicies");
SearchBuilder<AutoScalePolicyVO> sb = searchWrapper.getSearchBuilder();
Long id = cmd.getId();
Long conditionId = cmd.getConditionId();
@@ -879,7 +884,8 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Long zoneId = cmd.getZoneId();
Boolean forDisplay = cmd.getDisplay();
- SearchWrapper<AutoScaleVmGroupVO> searchWrapper = new SearchWrapper<AutoScaleVmGroupVO>(_autoScaleVmGroupDao, AutoScaleVmGroupVO.class, cmd, cmd.getId());
+ SearchWrapper<AutoScaleVmGroupVO> searchWrapper = new SearchWrapper<AutoScaleVmGroupVO>(_autoScaleVmGroupDao, AutoScaleVmGroupVO.class, cmd, cmd.getId(),
+ "listAutoScaleVmGroups");
SearchBuilder<AutoScaleVmGroupVO> sb = searchWrapper.getSearchBuilder();
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -974,7 +980,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
ControlledEntity[] sameOwnerEntities = policies.toArray(new ControlledEntity[policies.size() + 2]);
sameOwnerEntities[sameOwnerEntities.length - 2] = loadBalancer;
sameOwnerEntities[sameOwnerEntities.length - 1] = profileVO;
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
return Transaction.execute(new TransactionCallback<AutoScaleVmGroupVO>() {
@Override
@@ -1170,7 +1176,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Long id = cmd.getId();
Long counterId = cmd.getCounterId();
Long policyId = cmd.getPolicyId();
- SearchWrapper<ConditionVO> searchWrapper = new SearchWrapper<ConditionVO>(_conditionDao, ConditionVO.class, cmd, cmd.getId());
+ SearchWrapper<ConditionVO> searchWrapper = new SearchWrapper<ConditionVO>(_conditionDao, ConditionVO.class, cmd, cmd.getId(), "listConditions");
SearchBuilder<ConditionVO> sb = searchWrapper.getSearchBuilder();
if (policyId != null) {
SearchBuilder<AutoScalePolicyConditionMapVO> asPolicyConditionSearch = _autoScalePolicyConditionMapDao.createSearchBuilder();