Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/05/20 01:28:40 UTC
[5/7] Disable IAM feature from 4.4 release.
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index 7306068..4f853b3 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -263,26 +263,25 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
Boolean display = cmd.getDisplay();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
if (ipId != null) {
IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId);
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for firewall rules yet");
}
- _accountMgr.checkAccess(caller, null, ipAddressVO);
+ _accountMgr.checkAccess(caller, null, true, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, cmd.listAll(), false, "listFirewallRules");
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
+ Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(FirewallRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<FirewallRuleVO> sb = _firewallDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ);
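Review bot: `domainIdRecursiveListProject` is used as an in/out argument here without any comment: it is built with a null third element, passed to `buildACLSearchParameters`, and only afterwards read back into `domainId`, `isRecursive` and `listProjectResourcesCriteria`. Those values scope every row the list call can return, so I would add a comment above the call such as `// buildACLSearchParameters appears to rewrite the ternary and fill permittedAccounts; read domainId/isRecursive only after it returns`. The same pattern recurs in LoadBalancingRulesManagerImpl (@@ -2253), RulesManagerImpl (@@ -785 and @@ -1003) and NetworkACLServiceImpl (@@ -169). The enclosing method starts and ends outside this hunk.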
@@ -304,7 +303,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
SearchCriteria<FirewallRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -464,7 +463,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
// Validate ip address
- _accountMgr.checkAccess(caller, null, ipAddress);
+ _accountMgr.checkAccess(caller, null, true, ipAddress);
}
//network id either has to be passed explicitly, or implicitly as a part of ipAddress object
@@ -476,7 +475,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
assert network != null : "Can't create rule as network associated with public ip address is null?";
if (trafficType == FirewallRule.TrafficType.Egress) {
- _accountMgr.checkAccess(caller, null, network);
+ _accountMgr.checkAccess(caller, null, true, network);
}
// Verify that the network guru supports the protocol specified
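Review bot: The only null guard on `network` before `checkAccess(caller, null, true, network)` is an `assert`, which the JVM skips unless assertions are enabled with `-ea`. In a normal deployment a null network would therefore reach the access check or the code after it; how `checkAccess` treats a null entity is not visible in this diff. I would replace the assert with an explicit check, `if (network == null) { throw new InvalidParameterValueException("Can't create rule as network associated with public ip address is null"); }`. The enclosing method starts and ends outside this hunk.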
@@ -639,7 +638,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRuleVO[rules.size()]));
+ _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRuleVO[rules.size()]));
}
try {
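Review bot: The `if (caller != null)` guard means a null `caller` skips `checkAccess` entirely, and nothing in the hunk says when null is legitimate. The same guard wraps the checks in `revokeRule` (@@ -762, a public method) and in RulesManagerImpl at @@ -869, @@ -898, @@ -922, @@ -948, @@ -976 and @@ -1389. If null is meant to mark internal system calls, say so at each site, e.g. `// caller == null: internal system call, no account to check; API paths must pass the calling account`, and confirm that no API-facing path can reach these methods with a null caller. The enclosing method starts and ends outside this hunk.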
@@ -693,7 +692,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule");
}
- _accountMgr.checkAccess(caller, null, rule);
+ _accountMgr.checkAccess(caller, null, true, rule);
revokeRule(rule, caller, userId, false);
@@ -743,7 +742,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
throw new InvalidParameterValueException("Only root admin can update the system wide firewall rule");
}
- _accountMgr.checkAccess(caller, null, rule);
+ _accountMgr.checkAccess(caller, null, true, rule);
if (customId != null) {
rule.setUuid(customId);
@@ -762,7 +761,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
@DB
public void revokeRule(final FirewallRuleVO rule, Account caller, long userId, final boolean needUsageEvent) {
if (caller != null) {
- _accountMgr.checkAccess(caller, null, rule);
+ _accountMgr.checkAccess(caller, null, true, rule);
}
Transaction.execute(new TransactionCallbackNoReturn() {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index 05fb325..8225243 100755
--- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -30,6 +30,11 @@ import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
+import org.apache.log4j.Logger;
+
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
+
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBHealthCheckPolicyCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBStickinessPolicyCmd;
@@ -45,7 +50,6 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
-import org.apache.log4j.Logger;
import com.cloud.agent.api.to.LoadBalancerTO;
import com.cloud.configuration.ConfigurationManager;
@@ -165,8 +169,6 @@ import com.cloud.vm.VirtualMachine.State;
import com.cloud.vm.dao.NicDao;
import com.cloud.vm.dao.NicSecondaryIpDao;
import com.cloud.vm.dao.UserVmDao;
-import com.google.gson.Gson;
-import com.google.gson.reflect.TypeToken;
@Local(value = {LoadBalancingRulesManager.class, LoadBalancingRulesService.class})
public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements LoadBalancingRulesManager, LoadBalancingRulesService {
@@ -527,7 +529,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
if (loadBalancer.getState() == FirewallRule.State.Revoke) {
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
}
@@ -586,7 +588,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
if (loadBalancer.getState() == FirewallRule.State.Revoke) {
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
@@ -748,7 +750,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
long loadBalancerId = loadBalancer.getId();
FirewallRule.State backupState = loadBalancer.getState();
- _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
if (apply) {
if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -801,7 +803,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
final long loadBalancerId = loadBalancer.getId();
FirewallRule.State backupState = loadBalancer.getState();
- _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
if (apply) {
if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -1193,7 +1195,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid certificate id: " + certId);
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
// check if LB and Cert belong to the same account
if (loadBalancer.getAccountId() != certVO.getAccountId()) {
@@ -1256,7 +1258,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("No certificate is bound to lb with id: " + lbRuleId);
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
boolean success = false;
FirewallRule.State backupState = loadBalancer.getState();
@@ -1300,7 +1302,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid load balancer value: " + loadBalancerId);
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
if (instanceIds == null && vmIdIpMap.isEmpty()) {
throw new InvalidParameterValueException("Both instanceids and vmidipmap can't be null");
@@ -1462,7 +1464,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
if (rule == null) {
throw new InvalidParameterValueException("Unable to find load balancer rule " + loadBalancerId);
}
- _accountMgr.checkAccess(caller, null, rule);
+ _accountMgr.checkAccess(caller, null, true, rule);
boolean result = deleteLoadBalancerRule(loadBalancerId, apply, caller, ctx.getCallingUserId(), true);
if (!result) {
@@ -1686,7 +1688,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw ex;
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, ipAddr);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, true, ipAddr);
final Long networkId = ipAddr.getAssociatedWithNetworkId();
if (networkId == null) {
@@ -2060,7 +2062,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
// check permissions
- _accountMgr.checkAccess(caller, null, lb);
+ _accountMgr.checkAccess(caller, null, true, lb);
if (name != null) {
lb.setName(name);
@@ -2139,7 +2141,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
return null;
}
- _accountMgr.checkAccess(caller, null, loadBalancer);
+ _accountMgr.checkAccess(caller, null, true, loadBalancer);
List<UserVmVO> loadBalancerInstances = new ArrayList<UserVmVO>();
List<String> serviceStates = new ArrayList<String>();
@@ -2218,7 +2220,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
return null;
}
- _accountMgr.checkAccess(caller, null, loadBalancer);
+ _accountMgr.checkAccess(caller, null, true, loadBalancer);
List<LBStickinessPolicyVO> sDbpolicies = _lb2stickinesspoliciesDao.listByLoadBalancerIdAndDisplayFlag(cmd.getLbRuleId(), forDisplay);
@@ -2235,8 +2237,10 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
if (loadBalancer == null) {
return null;
}
- _accountMgr.checkAccess(caller, null, loadBalancer);
+
+ _accountMgr.checkAccess(caller, null, true, loadBalancer);
List<LBHealthCheckPolicyVO> hcDbpolicies = _lb2healthcheckDao.listByLoadBalancerIdAndDisplayFlag(cmd.getLbRuleId(), forDisplay);
+
return hcDbpolicies;
}
@@ -2253,21 +2257,19 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
Boolean forDisplay = cmd.getDisplay();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, cmd.listAll(), false, "listLoadBalancerRules");
- //Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
+ domainIdRecursiveListProject, cmd.listAll(), false);
+ Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(LoadBalancerVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<LoadBalancerVO> sb = _lbDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE);
@@ -2301,7 +2303,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
SearchCriteria<LoadBalancerVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<LoadBalancerVO> ssc = _lbDao.createSearchCriteria();
@@ -2484,7 +2486,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid Load balancer : " + policy.getLoadBalancerId() + " for Stickiness policy id: " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, loadBalancer);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, loadBalancer);
if (customId != null) {
policy.setUuid(customId);
@@ -2511,7 +2513,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid Load balancer : " + policy.getLoadBalancerId() + " for Stickiness policy id: " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, loadBalancer);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, loadBalancer);
if (customId != null) {
policy.setUuid(customId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index be3e849..05fbad3 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -462,7 +462,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
return null;
}
- _accountMgr.checkAccess(caller, null, router);
+ _accountMgr.checkAccess(caller, null, true, router);
_itMgr.expunge(router.getUuid());
_routerDao.remove(router.getId());
@@ -481,7 +481,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find router with id " + routerId);
}
- _accountMgr.checkAccess(caller, null, router);
+ _accountMgr.checkAccess(caller, null, true, router);
if (router.getServiceOfferingId() == serviceOfferingId) {
s_logger.debug("Router: " + routerId + "already has service offering: " + serviceOfferingId);
@@ -596,7 +596,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
}
- _accountMgr.checkAccess(account, null, router);
+ _accountMgr.checkAccess(account, null, true, router);
final UserVO user = _userDao.findById(CallContext.current().getCallingUserId());
@@ -655,7 +655,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find domain router with id " + routerId + ".");
}
- _accountMgr.checkAccess(caller, null, router);
+ _accountMgr.checkAccess(caller, null, true, router);
// Can reboot domain router only in Running state
if (router == null || router.getState() != State.Running) {
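Review bot: The `router == null` test on the last line comes after `checkAccess(caller, null, true, router)`, so it is either dead or too late. If the guard that throws "Unable to find domain router" (its condition is outside the hunk) already rejects a null router, the test can be reduced to `if (router.getState() != State.Running) {`. If that guard does not cover null, the access check is handed a null entity before anything rejects it, and the null test should move above the `checkAccess` call.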
@@ -3300,7 +3300,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
if (router == null) {
throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
}
- _accountMgr.checkAccess(caller, null, router);
+ _accountMgr.checkAccess(caller, null, true, router);
final Account owner = _accountMgr.getAccount(router.getAccountId());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/rules/RulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index f6a87bf..eea1262 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -27,7 +27,6 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.firewall.ListPortForwardingRulesCmd;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
@@ -164,7 +163,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipAddress, userVm);
+ _accountMgr.checkAccess(caller, null, true, ipAddress, userVm);
// validate that IP address and userVM belong to the same account
if (ipAddress.getAllocatedToAccountId().longValue() != userVm.getAccountId()) {
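Review bot: This call changes the access type from `AccessType.OperateEntry` to `null`, and the commit does so unevenly. The next hunk (@@ -189) and SecurityGroupManagerImpl @@ -612 and @@ -1120 also switch to `null`, while SecurityGroupManagerImpl @@ -819 keeps `AccessType.OperateEntry` next to the new `true` argument. What a null access type means to `checkAccess` is not visible in this diff, so it is worth confirming that null is at least as strict as `OperateEntry` for these entities. The three security-group sites should also agree, either by passing `null` at @@ -819 as well, `_accountMgr.checkAccess(caller, null, true, securityGroup);`, or by keeping `AccessType.OperateEntry` at all three. The enclosing method starts and ends outside this hunk.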
@@ -189,7 +188,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
return;
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, rule, userVm);
+ _accountMgr.checkAccess(caller, null, true, rule, userVm);
if (userVm.getState() == VirtualMachine.State.Destroyed || userVm.getState() == VirtualMachine.State.Expunging) {
throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId());
@@ -683,7 +682,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
throw new InvalidParameterValueException("Unable to find " + ruleId);
}
- _accountMgr.checkAccess(caller, null, rule);
+ _accountMgr.checkAccess(caller, null, true, rule);
if (!revokePortForwardingRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
throw new CloudRuntimeException("Failed to delete port forwarding rule");
@@ -718,7 +717,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
throw new InvalidParameterValueException("Unable to find " + ruleId);
}
- _accountMgr.checkAccess(caller, null, rule);
+ _accountMgr.checkAccess(caller, null, true, rule);
if (!revokeStaticNatRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
throw new CloudRuntimeException("Failed to revoke forwarding rule");
@@ -785,27 +784,25 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
Boolean display = cmd.getDisplay();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
if (ipId != null) {
IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId);
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
}
- _accountMgr.checkAccess(caller, null, ipAddressVO);
+ _accountMgr.checkAccess(caller, null, true, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, cmd.listAll(), false, "listPortForwardingRules");
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
+ Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(PortForwardingRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<PortForwardingRuleVO> sb = _portForwardingDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ);
@@ -826,7 +823,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
SearchCriteria<PortForwardingRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -869,7 +866,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+ _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
}
try {
@@ -898,7 +895,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
+ _accountMgr.checkAccess(caller, null, true, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
}
try {
@@ -922,7 +919,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+ _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
}
try {
@@ -948,7 +945,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRule[rules.size()]));
+ _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRule[rules.size()]));
}
for (FirewallRuleVO rule : rules) {
@@ -976,7 +973,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, ips.toArray(new IPAddressVO[ips.size()]));
+ _accountMgr.checkAccess(caller, null, true, ips.toArray(new IPAddressVO[ips.size()]));
}
List<StaticNat> staticNats = new ArrayList<StaticNat>();
@@ -1003,28 +1000,25 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
public Pair<List<? extends FirewallRule>, Integer> searchStaticNatRules(Long ipId, Long id, Long vmId, Long start, Long size, String accountName, Long domainId,
Long projectId, boolean isRecursive, boolean listAll) {
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
if (ipId != null) {
IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId);
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
}
- _accountMgr.checkAccess(caller, null, ipAddressVO);
+ _accountMgr.checkAccess(caller, null, true, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
- false, "listIpForwardingRules");
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject, listAll, false);
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(PortForwardingRuleVO.class, "id", false, start, size);
SearchBuilder<FirewallRuleVO> sb = _firewallDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ);
sb.and("purpose", sb.entity().getPurpose(), Op.EQ);
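Review bot: The `Filter` is built with `PortForwardingRuleVO.class` while the search builder in this method is typed on `FirewallRuleVO`, and the not-ready error message says "port forwarding rules" in a static NAT search. Both look like leftovers copied from the port-forwarding list method; I would use `new Filter(FirewallRuleVO.class, "id", false, start, size)` and reword the message to "not ready for static nat rules yet". Whether the class mismatch affects the generated ordering depends on how `Filter` resolves the field, which is not visible here. The method body continues past the end of the hunk.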
@@ -1037,7 +1031,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
SearchCriteria<FirewallRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sc.setParameters("purpose", Purpose.StaticNat);
if (id != null) {
@@ -1389,7 +1383,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, sourceIp);
+ _accountMgr.checkAccess(caller, null, true, sourceIp);
}
// create new static nat rule
@@ -1508,7 +1502,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
if (rule == null) {
throw new InvalidParameterValueException("Unable to find " + id);
}
- _accountMgr.checkAccess(caller, null, rule);
+ _accountMgr.checkAccess(caller, null, true, rule);
if (customId != null) {
rule.setUuid(customId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index a666ecd..f60a746 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// Verify permissions
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
+ _accountMgr.checkAccess(caller, null, true, securityGroup);
Long domainId = owner.getDomainId();
if (protocol == null) {
@@ -819,7 +819,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
// Check permissions
SecurityGroup securityGroup = _securityGroupDao.findById(rule.getSecurityGroupId());
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, securityGroup);
long securityGroupId = rule.getSecurityGroupId();
Boolean result = Transaction.execute(new TransactionCallback<Boolean>() {
@@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// check permissions
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
+ _accountMgr.checkAccess(caller, null, true, group);
return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>() {
@Override
@@ -1359,7 +1359,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// Verify permissions
- _accountMgr.checkAccess(caller, null, vm);
+ _accountMgr.checkAccess(caller, null, false, vm);
// Validate parameters
List<SecurityGroupVO> vmSgGrps = getSecurityGroupsForVm(vmId);
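Review bot: This is the only call in the visible hunks that passes `false` for the new third argument of `checkAccess`; every other site passes `true`. The parameter's meaning is not shown in the diff, so a reader cannot tell whether `false` relaxes the check on `vm` or is simply irrelevant with a single entity. Add a comment saying why this site differs, e.g. `// false: <reason this check differs from the other call sites>`, or switch it to `true` if the difference is unintentional. The enclosing method starts and ends outside this hunk.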
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 72996d1..19a26c1 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -103,7 +103,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC");
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
return _networkAclMgr.createNetworkACL(name, description, vpcId, forDisplay);
}
@@ -161,7 +161,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC");
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
//Include vpcId 0 to list default ACLs
sc.setParameters("vpcId", vpcId, 0);
} else {
@@ -169,26 +169,23 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
// VpcId is not specified. Find permitted VPCs for the caller
// and list ACLs belonging to the permitted VPCs
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
-
Long domainId = cmd.getDomainId();
boolean isRecursive = cmd.isRecursive();
String accountName = cmd.getAccountName();
Long projectId = cmd.getProjectId();
boolean listAll = cmd.listAll();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
- ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject,
- listAll, false, "listNetworkACLLists");
- //domainId = domainIdRecursiveListProject.first();
+ ListProjectResourcesCriteria>(domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
+ listAll, false);
+ domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sbVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
SearchCriteria<VpcVO> scVpc = sbVpc.create();
- _accountMgr.buildACLSearchCriteria(scVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
List<Long> vpcIds = new ArrayList<Long>();
for (VpcVO vpc : vpcs) {
@@ -225,7 +222,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find specified VPC associated with the ACL");
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
return _networkAclMgr.deleteNetworkACL(acl);
}
@@ -256,14 +253,14 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
if (!gateway.getVpcId().equals(acl.getVpcId())) {
throw new InvalidParameterValueException("private gateway: " + privateGatewayId + " and ACL: " + aclId + " do not belong to the same VPC");
}
}
PrivateGateway privateGateway = _vpcSvc.getVpcPrivateGateway(gateway.getId());
- _accountMgr.checkAccess(caller, null, privateGateway);
+ _accountMgr.checkAccess(caller, null, true, privateGateway);
return _networkAclMgr.replaceNetworkACLForPrivateGw(acl, privateGateway);
@@ -299,7 +296,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
if (!network.getVpcId().equals(acl.getVpcId())) {
throw new InvalidParameterValueException("Network: " + networkId + " and ACL: " + aclId + " do not belong to the same VPC");
}
@@ -371,7 +368,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
//Ensure that number is unique within the ACL
if (aclItemCmd.getNumber() != null) {
@@ -488,7 +485,6 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
String action = cmd.getAction();
Map<String, String> tags = cmd.getTags();
Account caller = CallContext.current().getCallingAccount();
- Boolean display = cmd.getDisplay();
Filter filter = new Filter(NetworkACLItemVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<NetworkACLItemVO> sb = _networkACLItemDao.createSearchBuilder();
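Review bot: Removing `Boolean display = cmd.getDisplay();` here, together with the `sb.and("display", ...)` and `sc.setParameters("display", display)` removals in the next two hunks (-498 and -521), means this listing no longer filters ACL items by the display flag. Other listings touched by the commit keep that filter (RemoteAccessVpnManagerImpl still shows `sb.and("display", sb.entity().isDisplay(), Op.EQ);` as context), so this looks like collateral of the revert rather than part of disabling IAM. If the flag is what hides items from end users, those items would now be returned; please confirm that is intended or keep the three removed statements. The method body starts and ends outside these hunks.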
@@ -498,7 +494,6 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ);
sb.and("protocol", sb.entity().getProtocol(), Op.EQ);
sb.and("action", sb.entity().getAction(), Op.EQ);
- sb.and("display", sb.entity().isDisplay(), Op.EQ);
if (tags != null && !tags.isEmpty()) {
SearchBuilder<ResourceTagVO> tagSearch = _resourceTagDao.createSearchBuilder();
@@ -521,10 +516,6 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
SearchCriteria<NetworkACLItemVO> sc = sb.create();
- if (display != null) {
- sc.setParameters("display", display);
- }
-
if (id != null) {
sc.setParameters("id", id);
}
@@ -551,33 +542,32 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC associated with acl");
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
}
sc.setParameters("aclId", aclId);
} else {
//ToDo: Add accountId to network_acl_item table for permission check
+
// aclId is not specified
// List permitted VPCs and filter aclItems
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Long domainId = cmd.getDomainId();
boolean isRecursive = cmd.isRecursive();
String accountName = cmd.getAccountName();
Long projectId = cmd.getProjectId();
boolean listAll = cmd.listAll();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
- ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject,
- listAll, false, "listNetworkACLs");
+ ListProjectResourcesCriteria>(domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
+ listAll, false);
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sbVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
SearchCriteria<VpcVO> scVpc = sbVpc.create();
- _accountMgr.buildACLSearchCriteria(scVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
List<Long> vpcIds = new ArrayList<Long>();
for (VpcVO vpc : vpcs) {
@@ -620,7 +610,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
if((aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW) || (aclItem.getAclId() == NetworkACL.DEFAULT_DENY)){
throw new InvalidParameterValueException("ACL Items in default ACL cannot be deleted");
@@ -647,7 +637,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
if (number != null) {
//Check if ACL Item with specified number already exists
@@ -669,7 +659,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
NetworkACLVO acl = _networkACLDao.findById(id);
Vpc vpc = _entityMgr.findById(Vpc.class, acl.getVpcId());
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, true, vpc);
if (customId != null) {
acl.setUuid(customId);
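Review bot: `acl` is dereferenced in `acl.getVpcId()` without a null check, so an unknown `id` fails with a NullPointerException before the access check is reached, and `vpc` is then passed to `checkAccess` unchecked. The other hunks in this file throw `InvalidParameterValueException` when the lookup returns null, and the -161 hunk notes that default ACLs use vpcId 0, for which the VPC lookup presumably returns nothing. I would add `if (acl == null) { throw new InvalidParameterValueException("Unable to find network ACL by id " + id); }` after the lookup and handle a null `vpc` explicitly before the permission check. The method body starts and ends outside this hunk.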
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/vpc/VpcManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
index 9e02fd7..0d24544 100644
--- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
@@ -35,8 +35,9 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
+import org.apache.log4j.Logger;
+
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.vpc.ListPrivateGatewaysCmd;
import org.apache.cloudstack.api.command.user.vpc.ListStaticRoutesCmd;
import org.apache.cloudstack.context.CallContext;
@@ -44,7 +45,6 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.ConfigDepot;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
-import org.apache.log4j.Logger;
import com.cloud.configuration.Config;
import com.cloud.configuration.ConfigurationManager;
@@ -761,7 +761,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Account owner = _accountMgr.getAccount(vpcOwnerId);
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, false, owner);
//check resource limit
_resourceLimitMgr.checkResourceLimit(owner, ResourceType.vpc);
@@ -894,7 +894,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//verify permissions
- _accountMgr.checkAccess(ctx.getCallingAccount(), null, vpc);
+ _accountMgr.checkAccess(ctx.getCallingAccount(), null, false, vpc);
return destroyVpc(vpc, ctx.getCallingAccount(), ctx.getCallingUserId());
}
@@ -962,7 +962,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw new InvalidParameterValueException("Unable to find vpc by id " + vpcId);
}
- _accountMgr.checkAccess(caller, null, vpcToUpdate);
+ _accountMgr.checkAccess(caller, null, false, vpcToUpdate);
VpcVO vpc = _vpcDao.createForUpdate(vpcId);
@@ -995,20 +995,18 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
String accountName, Long domainId, String keyword, Long startIndex, Long pageSizeVal, Long zoneId, Boolean isRecursive, Boolean listAll, Boolean restartRequired,
Map<String, String> tags, Long projectId, Boolean display) {
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
-
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
- false, "listVPCs");
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
+ listAll, false);
+ domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(VpcVO.class, "created", false, startIndex, pageSizeVal);
SearchBuilder<VpcVO> sb = _vpcDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -1034,7 +1032,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
// now set the SC criteria...
SearchCriteria<VpcVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<VpcVO> ssc = _vpcDao.createSearchCriteria();
@@ -1154,7 +1152,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//permission check
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, false, vpc);
DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
@@ -1214,7 +1212,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//permission check
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, false, vpc);
//shutdown provider
s_logger.debug("Shutting down vpc " + vpc);
@@ -1480,7 +1478,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw ex;
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, false, vpc);
s_logger.debug("Restarting VPC " + vpc);
boolean restartRequired = false;
@@ -1797,23 +1795,21 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Long domainId = cmd.getDomainId();
String accountName = cmd.getAccountName();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
String state = cmd.getState();
Long projectId = cmd.getProjectId();
Filter searchFilter = new Filter(VpcGatewayVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
- false, "listPrivateGateways");
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
+ listAll, false);
+ domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<VpcGatewayVO> sb = _vpcGatewayDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
-
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (vlan != null) {
SearchBuilder<NetworkVO> ntwkSearch = _ntwkDao.createSearchBuilder();
ntwkSearch.and("vlan", ntwkSearch.entity().getBroadcastUri(), SearchCriteria.Op.EQ);
@@ -1821,8 +1817,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
SearchCriteria<VpcGatewayVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
-
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (id != null) {
sc.addAnd("id", Op.EQ, id);
}
@@ -1934,7 +1929,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw new InvalidParameterValueException("Unable to find static route by id");
}
- _accountMgr.checkAccess(caller, null, route);
+ _accountMgr.checkAccess(caller, null, false, route);
markStaticRouteForRevoke(route, caller);
@@ -1982,7 +1977,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
if (vpc == null) {
throw new InvalidParameterValueException("Can't add static route to VPC that is being deleted");
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, false, vpc);
if (!NetUtils.isValidCIDR(cidr)) {
throw new InvalidParameterValueException("Invalid format for cidr " + cidr);
@@ -2050,23 +2045,21 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Boolean listAll = cmd.listAll();
String accountName = cmd.getAccountName();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
-
Map<String, String> tags = cmd.getTags();
Long projectId = cmd.getProjectId();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
- false, "listStaticRoutes");
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
+ listAll, false);
+ domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(StaticRouteVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<StaticRouteVO> sb = _staticRouteDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("vpcId", sb.entity().getVpcId(), SearchCriteria.Op.EQ);
@@ -2085,8 +2078,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
SearchCriteria<StaticRouteVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
-
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (id != null) {
sc.addAnd("id", Op.EQ, id);
}
@@ -2134,7 +2126,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
protected void markStaticRouteForRevoke(StaticRouteVO route, Account caller) {
s_logger.debug("Revoking static route " + route);
if (caller != null) {
- _accountMgr.checkAccess(caller, null, route);
+ _accountMgr.checkAccess(caller, null, false, route);
}
if (route.getState() == StaticRoute.State.Staged) {
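Review bot: The access check in `markStaticRouteForRevoke` is skipped entirely when `caller` is null, and nothing in the method says which code paths are allowed to pass null. The -1934 hunk already calls `checkAccess(caller, null, false, route)` before invoking this method, so the guarded call is either redundant there or the only check on some other path. A comment above the `if` should state the contract, for example `// caller is null only for <internal path>; access was verified by <caller>`, so that a later caller cannot bypass authorization by passing null unintentionally. The method body continues outside this hunk.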
@@ -2193,6 +2185,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
IpAddress ipToAssoc = _ntwkModel.getIp(ipId);
if (ipToAssoc != null) {
+ _accountMgr.checkAccess(caller, null, true, ipToAssoc);
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
s_logger.debug("Unable to find ip address by id: " + ipId);
@@ -2205,7 +2198,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
// check permissions
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipToAssoc, vpc);
+ _accountMgr.checkAccess(caller, null, true, owner, vpc);
boolean isSourceNat = false;
if (getExistingSourceNatInVpc(owner.getId(), vpcId) == null) {
@@ -2285,7 +2278,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
ex.addProxyObject(String.valueOf(vpcId), "VPC");
throw ex;
}
- _accountMgr.checkAccess(caller, null, vpc);
+ _accountMgr.checkAccess(caller, null, false, vpc);
if (networkDomain == null) {
networkDomain = vpc.getNetworkDomain();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
index 9d9118c..757f618 100755
--- a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
@@ -150,7 +150,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Unable to create remote access vpn, invalid public IP address id" + publicIpId);
}
- _accountMgr.checkAccess(caller, null, ipAddr);
+ _accountMgr.checkAccess(caller, null, true, ipAddr);
if (!ipAddr.readyToUse()) {
throw new InvalidParameterValueException("The Ip address is not ready to be used yet: " + ipAddr.getAddress());
@@ -292,7 +292,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
return true;
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, vpn);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, vpn);
RemoteAccessVpn.State prevState = vpn.getState();
vpn.setState(RemoteAccessVpn.State.Removed);
@@ -395,7 +395,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (owner == null) {
throw new InvalidParameterValueException("Unable to add vpn user: Another operation active");
}
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, true, owner);
//don't allow duplicated user names for the same account
VpnUserVO vpnUser = _vpnUsersDao.findByAccountAndUsername(owner.getId(), username);
@@ -424,7 +424,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (user == null) {
throw new InvalidParameterValueException("Could not find vpn user " + username);
}
- _accountMgr.checkAccess(caller, null, user);
+ _accountMgr.checkAccess(caller, null, true, user);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
@@ -443,7 +443,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
public List<? extends VpnUser> listVpnUsers(long vpnOwnerId, String userName) {
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountDao.findById(vpnOwnerId);
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, true, owner);
return _vpnUsersDao.listByAccount(vpnOwnerId);
}
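Review bot: `owner` comes from `_accountDao.findById(vpnOwnerId)` and is handed to `checkAccess` without a null check, so an unknown or removed account id reaches the authorization call as a null entity and the method then lists by the raw `vpnOwnerId`. The add-user hunk at -395 does reject `owner == null`, and the `applyVpnUsers` hunk at -507 has the same gap as this one. How `checkAccess` treats a null entity is not visible here, so I would not rely on it and would add `if (owner == null) { throw new InvalidParameterValueException("Unable to find account by id " + vpnOwnerId); }` before the check in both methods.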
@@ -461,7 +461,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
openFirewall = false;
}
- _accountMgr.checkAccess(caller, null, vpn);
+ _accountMgr.checkAccess(caller, null, true, vpn);
boolean started = false;
try {
@@ -507,7 +507,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
public boolean applyVpnUsers(long vpnOwnerId, String userName) {
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountDao.findById(vpnOwnerId);
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, true, owner);
s_logger.debug("Applying vpn users for " + owner);
List<RemoteAccessVpnVO> vpns = _remoteAccessVpnDao.findByAccount(vpnOwnerId);
@@ -586,26 +586,24 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
String username = cmd.getUsername();
Long id = cmd.getId();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, cmd.listAll(), false, "listVpnUsers");
- //Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
+ Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(VpnUserVO.class, "username", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<VpnUserVO> sb = _vpnUsersDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("username", sb.entity().getUsername(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), Op.IN);
SearchCriteria<VpnUserVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
//list only active users
sc.setParameters("state", State.Active, State.Add);
@@ -627,9 +625,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
// do some parameter validation
Account caller = CallContext.current().getCallingAccount();
Long ipAddressId = cmd.getPublicIpId();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Long vpnId = cmd.getId();
Long networkId = cmd.getNetworkId();
@@ -644,19 +640,18 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Unable to list remote access vpns, IP address " + ipAddressId + " is not associated with an account.");
}
}
- _accountMgr.checkAccess(caller, null, publicIp);
+ _accountMgr.checkAccess(caller, null, true, publicIp);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
- domainIdRecursiveListProject, cmd.listAll(), false, "listRemoteAccessVpns");
- //Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
+ Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(RemoteAccessVpnVO.class, "serverAddressId", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<RemoteAccessVpnVO> sb = _remoteAccessVpnDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("serverAddressId", sb.entity().getServerAddressId(), Op.EQ);
sb.and("id", sb.entity().getId(), Op.EQ);
@@ -665,7 +660,8 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
sb.and("display", sb.entity().isDisplay(), Op.EQ);
SearchCriteria<RemoteAccessVpnVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+
sc.setParameters("state", RemoteAccessVpn.State.Running);
@@ -755,7 +751,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Can't find remote access vpn by id " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vpn);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vpn);
if (customId != null) {
vpn.setUuid(customId);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
index a34aa6c..e6d0b12 100644
--- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
@@ -125,7 +125,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, false, owner);
Long vpcId = cmd.getVpcId();
VpcVO vpc = _vpcDao.findById(vpcId);
@@ -175,7 +175,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, false, owner);
String name = cmd.getName();
String gatewayIp = cmd.getGatewayIp();
@@ -243,21 +243,21 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, owner);
+ _accountMgr.checkAccess(caller, null, false, owner);
Long customerGatewayId = cmd.getCustomerGatewayId();
Site2SiteCustomerGateway customerGateway = _customerGatewayDao.findById(customerGatewayId);
if (customerGateway == null) {
throw new InvalidParameterValueException("Unable to found specified Site to Site VPN customer gateway " + customerGatewayId + " !");
}
- _accountMgr.checkAccess(caller, null, customerGateway);
+ _accountMgr.checkAccess(caller, null, false, customerGateway);
Long vpnGatewayId = cmd.getVpnGatewayId();
Site2SiteVpnGateway vpnGateway = _vpnGatewayDao.findById(vpnGatewayId);
if (vpnGateway == null) {
throw new InvalidParameterValueException("Unable to found specified Site to Site VPN gateway " + vpnGatewayId + " !");
}
- _accountMgr.checkAccess(caller, null, vpnGateway);
+ _accountMgr.checkAccess(caller, null, false, vpnGateway);
if (customerGateway.getAccountId() != vpnGateway.getAccountId() || customerGateway.getDomainId() != vpnGateway.getDomainId()) {
throw new InvalidParameterValueException("VPN connection can only be esitablished between same account's VPN gateway and customer gateway!");
@@ -363,7 +363,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (customerGateway == null) {
throw new InvalidParameterValueException("Fail to find customer gateway with " + id + " !");
}
- _accountMgr.checkAccess(caller, null, customerGateway);
+ _accountMgr.checkAccess(caller, null, false, customerGateway);
return doDeleteCustomerGateway(customerGateway);
}
@@ -398,7 +398,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find vpn gateway with " + id + " !");
}
- _accountMgr.checkAccess(caller, null, vpnGateway);
+ _accountMgr.checkAccess(caller, null, false, vpnGateway);
doDeleteVpnGateway(vpnGateway);
return true;
@@ -415,7 +415,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (gw == null) {
throw new InvalidParameterValueException("Find to find customer gateway with id " + id);
}
- _accountMgr.checkAccess(caller, null, gw);
+ _accountMgr.checkAccess(caller, null, false, gw);
List<Site2SiteVpnConnectionVO> conns = _vpnConnectionDao.listByCustomerGatewayId(id);
if (conns != null) {
@@ -505,7 +505,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to delete!");
}
- _accountMgr.checkAccess(caller, null, conn);
+ _accountMgr.checkAccess(caller, null, false, conn);
if (conn.getState() == State.Connected) {
stopVpnConnection(id);
@@ -554,7 +554,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (conn == null) {
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to reset!");
}
- _accountMgr.checkAccess(caller, null, conn);
+ _accountMgr.checkAccess(caller, null, false, conn);
if (conn.getState() == State.Pending) {
throw new InvalidParameterValueException("VPN connection " + id + " cannot be reseted when state is Pending!");
@@ -578,26 +578,23 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
long pageSizeVal = cmd.getPageSizeVal();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false,
- "listVpnCustomerGateways");
- //domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
+ domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(Site2SiteCustomerGatewayVO.class, "id", false, startIndex, pageSizeVal);
SearchBuilder<Site2SiteCustomerGatewayVO> sb = _customerGatewayDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<Site2SiteCustomerGatewayVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
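Review bot: `domainId` and `isRecursive` are overwritten with the values that `buildACLSearchParameters` resolved, but nothing marks that reassignment as the point after which the request-supplied values must no longer be used. The search builder and the search criteria have to receive the same resolved values, otherwise the listing is scoped differently from what was authorized. A comment above the reassignment would state this: `// From here on use only the ACL-resolved domainId/isRecursive; the request values must not reach the query`. The same pattern repeats in the hunks at -621 and -674, and for the latter the matching `buildACLSearchCriteria` call sits in a separate hunk (-700), which makes the pairing easier to break. The method continues outside the hunk.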
@@ -621,28 +618,25 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
long pageSizeVal = cmd.getPageSizeVal();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false,
- "listVpnGateways");
- //domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
+ domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(Site2SiteVpnGatewayVO.class, "id", false, startIndex, pageSizeVal);
SearchBuilder<Site2SiteVpnGatewayVO> sb = _vpnGatewayDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("vpcId", sb.entity().getVpcId(), SearchCriteria.Op.EQ);
sb.and("display", sb.entity().isDisplay(), SearchCriteria.Op.EQ);
SearchCriteria<Site2SiteVpnGatewayVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
@@ -674,21 +668,18 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
long pageSizeVal = cmd.getPageSizeVal();
Account caller = CallContext.current().getCallingAccount();
- List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
- List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false,
- "listVpnConnections");
- //domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
+ domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(Site2SiteVpnConnectionVO.class, "id", false, startIndex, pageSizeVal);
SearchBuilder<Site2SiteVpnConnectionVO> sb = _vpnConnectionDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("display", sb.entity().isDisplay(), SearchCriteria.Op.EQ);
@@ -700,7 +691,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
}
SearchCriteria<Site2SiteVpnConnectionVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (display != null) {
sc.setParameters("display", display);
@@ -818,7 +809,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id);
}
- _accountMgr.checkAccess(caller, null, conn);
+ _accountMgr.checkAccess(caller, null, false, conn);
if (customId != null) {
conn.setUuid(customId);
}
@@ -841,7 +832,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find vpn gateway with " + id);
}
- _accountMgr.checkAccess(caller, null, vpnGateway);
+ _accountMgr.checkAccess(caller, null, false, vpnGateway);
if (customId != null) {
vpnGateway.setUuid(customId);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/projects/ProjectManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/projects/ProjectManagerImpl.java b/server/src/com/cloud/projects/ProjectManagerImpl.java
index 6aa5abc..d10c059 100755
--- a/server/src/com/cloud/projects/ProjectManagerImpl.java
+++ b/server/src/com/cloud/projects/ProjectManagerImpl.java
@@ -244,7 +244,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
//at this point enabling project doesn't require anything, so just update the state
project.setState(State.Active);
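Review bot: The result of `_accountMgr.getAccount(project.getProjectAccountId())` is passed straight into `checkAccess`, so a missing project account would reach the authorization check as a null entity. Whether `checkAccess` rejects or skips a null entity is not visible here. The identical call is repeated in the hunks at -264, -463, -550, -628, -830, -870 and -1012, so one call site can drift from the others, for example in the boolean flag. A private helper that resolves the account, rejects null and performs the check would keep the project-owner rule in one place; each call site then becomes `checkModifyProjectAccess(caller, project);`. The enclosing methods start and end outside these hunks.
```java
private void checkModifyProjectAccess(Account caller, Project project) {
    Account projectAccount = _accountMgr.getAccount(project.getProjectAccountId());
    if (projectAccount == null) {
        throw new InvalidParameterValueException("Unable to find the account of project id=" + project.getId());
    }
    _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, projectAccount);
}
```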
@@ -264,7 +264,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
- _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
return deleteProject(ctx.getCallingAccount(), ctx.getCallingUserId(), project);
}
@@ -463,7 +463,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
Transaction.execute(new TransactionCallbackWithExceptionNoReturn<ResourceAllocationException>() {
@Override
@@ -550,7 +550,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions - only project owner can assign
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
//Check if the account already added to the project
ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@@ -628,7 +628,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
//Check if the account exists in the project
ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@@ -750,7 +750,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, null, account);
+ _accountMgr.checkAccess(caller, null, true, account);
accountId = account.getId();
} else {
@@ -830,7 +830,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
//allow project activation only when it's in Suspended state
Project.State currentState = project.getState();
@@ -870,7 +870,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw ex;
}
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
if (suspendProject(project)) {
s_logger.debug("Successfully suspended project id=" + projectId);
@@ -1012,7 +1012,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
Project project = getProject(invitation.getProjectId());
//check permissions - only project owner can remove the invitations
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
if (_projectInvitationDao.remove(id)) {
s_logger.debug("Project Invitation id=" + id + " is removed");