Posted to commits@cloudstack.apache.org by da...@apache.org on 2014/05/13 11:35:47 UTC
[1/7] git commit: updated refs/heads/4.4 to 68a44cf
Repository: cloudstack
Updated Branches:
refs/heads/4.4 820f8724f -> 68a44cf23
CLOUDSTACK-6600:IAM Security checker needs to have cache to improve
checkAccess performance.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/ad8d2695
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/ad8d2695
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/ad8d2695
Branch: refs/heads/4.4
Commit: ad8d26958cb1951cfad4ab2489a9411a51cc7ec6
Parents: 820f872
Author: Min Chen <mi...@citrix.com>
Authored: Wed May 7 16:42:19 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Tue May 13 11:19:23 2014 +0200
----------------------------------------------------------------------
.../iam/RoleBasedEntityAccessChecker.java | 98 ++++++++++++++++++--
services/iam/server/pom.xml | 4 +
.../core/spring-iam-server-context.xml | 9 +-
.../apache/cloudstack/iam/api/IAMService.java | 8 +-
.../cloudstack/iam/server/IAMServiceImpl.java | 88 +++++++++++++++++-
5 files changed, 193 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ad8d2695/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index 63aa827..eaa4302 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -59,6 +59,22 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
return checkAccess(caller, entity, accessType, null);
}
+ private String buildAccessCacheKey(Account caller, ControlledEntity entity, AccessType accessType, String action) {
+ StringBuffer key = new StringBuffer();
+ key.append(caller.getAccountId());
+ key.append("-");
+ String entityType = null;
+ if (entity != null && entity.getEntityType() != null) {
+ entityType = entity.getEntityType().getSimpleName();
+ }
+ key.append(entityType != null ? entityType : "null");
+ key.append("-");
+ key.append(accessType != null ? accessType.toString() : "null");
+ key.append("-");
+ key.append(action != null ? action : "null");
+ return key.toString();
+ }
+
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
throws PermissionDeniedException {
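Review bot: The key built by buildAccessCacheKey identifies the entity only by its type's simple name, never by which entity it is or who owns it, so a result computed for one entity is served from the cache to the same caller for every other entity of that type until the entry is invalidated or expires. The later part of checkAccess does depend on the concrete entity (the project-account skip at L98-L101 reads `entity.getAccountId()`, and the policy loop that decides allow/deny lies partly outside these hunks), so an allow cached for an entity the caller may operate on would presumably be replayed for one it may not; include entity identity in the key, e.g. `key.append(entity != null ? entity.getAccountId() : "null");` plus the entity's own id where ControlledEntity exposes it. The same key feeds the lookup and all six addToIAMCache calls in the following hunks, so fixing it here fixes them all. `StringBuffer` can be `StringBuilder`, since the key is built on one thread. checkAccess's body continues outside this hunk.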
@@ -66,24 +82,46 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
if (caller == null) {
throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!");
}
+
+ if (entity == null && action == null) {
+ throw new InvalidParameterValueException("Entity and action cannot be both NULL in checkAccess!");
+ }
+
+ // check IAM cache first
+ String accessKey = buildAccessCacheKey(caller, entity, accessType, action);
+ CheckAccessResult allowDeny = (CheckAccessResult)_iamSrv.getFromIAMCache(accessKey);
+ if (allowDeny != null) {
+ s_logger.debug("IAM access check for " + accessKey + " from cache");
+ if (allowDeny.isAllow()) {
+ return true;
+ } else {
+ if (allowDeny.getDenyMsg() != null) {
+ throw new PermissionDeniedException(allowDeny.getDenyMsg());
+ } else {
+ return false;
+ }
+ }
+ }
+
if (entity == null && action != null) {
// check if caller can do this action
List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());
boolean isAllowed = _iamSrv.isActionAllowedForPolicies(action, policies);
if (!isAllowed) {
- throw new PermissionDeniedException("The action '" + action + "' not allowed for account " + caller);
+ String msg = "The action '" + action + "' not allowed for account " + caller;
+ _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
+ throw new PermissionDeniedException(msg);
}
+ _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
return true;
}
- if (entity == null) {
- throw new InvalidParameterValueException("Entity and action cannot be both NULL in checkAccess!");
- }
// if a Project entity, skip
Account entityAccount = _accountService.getAccount(entity.getAccountId());
if (entityAccount != null && entityAccount.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+ _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
return false;
}
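Review bot: The debug line at L69 concatenates the key unconditionally while the existing code in this method guards its debug output with `s_logger.isDebugEnabled()` (L125); on the hot path this cache hit is meant to speed up, wrap it the same way: `if (s_logger.isDebugEnabled()) { s_logger.debug("IAM access check for " + accessKey + " from cache"); }`. The key is also computed before accessType is apparently defaulted at L104, so a null accessType and an explicit UseEntry produce two cache entries for what ends up as the same check; building the key after that defaulting would halve those entries.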
@@ -96,8 +134,8 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
accessType = AccessType.UseEntry;
}
- // get all Policies of this caller w.r.t the entity
- List<IAMPolicy> policies = getEffectivePolicies(caller, entity);
+ // get all Policies of this caller by considering recursive domain group policy
+ List<IAMPolicy> policies = getEffectivePolicies(caller);
HashMap<IAMPolicy, Boolean> policyPermissionMap = new HashMap<IAMPolicy, Boolean>();
for (IAMPolicy policy : policies) {
@@ -128,6 +166,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
}
}
if (policyPermissionMap.containsKey(policy) && policyPermissionMap.get(policy)) {
+ _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(true));
return true;
}
}
@@ -135,13 +174,16 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
if (!policies.isEmpty()) { // Since we reach this point, none of the
// roles granted access
+ String msg = "Account " + caller + " does not have permission to access resource " + entity
+ + " for access type: " + accessType;
if (s_logger.isDebugEnabled()) {
- s_logger.debug("Account " + caller + " does not have permission to access resource " + entity
- + " for access type: " + accessType);
+ s_logger.debug(msg);
}
- throw new PermissionDeniedException(caller + " does not have permission to access resource " + entity);
+ _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(msg));
+ throw new PermissionDeniedException(msg);
}
+ _iamSrv.addToIAMCache(accessKey, new CheckAccessResult(false));
return false;
}
@@ -225,7 +267,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
return false;
}
- private List<IAMPolicy> getEffectivePolicies(Account caller, ControlledEntity entity) {
+ private List<IAMPolicy> getEffectivePolicies(Account caller) {
List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getId());
@@ -240,4 +282,40 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
return policies;
}
+
+ private class CheckAccessResult {
+ boolean allow;
+ String denyMsg;
+
+ public CheckAccessResult(boolean allow) {
+ this(allow, null);
+ }
+
+ public CheckAccessResult(String msg) {
+ this(false, msg);
+ }
+
+ public CheckAccessResult(boolean allow, String msg) {
+ allow = allow;
+ denyMsg = msg;
+ }
+
+ public boolean isAllow() {
+ return allow;
+ }
+
+ public void setAllow(boolean allow) {
+ this.allow = allow;
+ }
+
+
+ public String getDenyMsg() {
+ return denyMsg;
+ }
+
+ public void setDenyMsg(String denyMsg) {
+ this.denyMsg = denyMsg;
+ }
+
+ }
}
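Review bot: The two-argument constructor at L159-L162 assigns the parameter to itself (`allow = allow;`), so the field keeps its default false and every entry stored via `new CheckAccessResult(true)` is read back as a deny with no message, turning each cache hit for an allowed check into a silent `return false`. Change it to `this.allow = allow;` (the setter at L168 already does this correctly). Since the class reads nothing from the enclosing checker and its instances are handed to a shared cache, declare it `private static final class CheckAccessResult`, make the two fields final and drop the setters so an entry cannot be mutated after it is cached.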
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ad8d2695/services/iam/server/pom.xml
----------------------------------------------------------------------
diff --git a/services/iam/server/pom.xml b/services/iam/server/pom.xml
index bed8811..77b2522 100644
--- a/services/iam/server/pom.xml
+++ b/services/iam/server/pom.xml
@@ -32,6 +32,10 @@
<artifactId>commons-io</artifactId>
</dependency>
<dependency>
+ <groupId>net.sf.ehcache</groupId>
+ <artifactId>ehcache-core</artifactId>
+ </dependency>
+ <dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-utils</artifactId>
<version>${project.version}</version>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ad8d2695/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
----------------------------------------------------------------------
diff --git a/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml b/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
index c9f383f..4994a34 100644
--- a/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
+++ b/services/iam/server/resources/META-INF/cloudstack/core/spring-iam-server-context.xml
@@ -35,6 +35,13 @@
<bean id="IAMAccountPolicyMapDaoImpl" class="org.apache.cloudstack.iam.server.dao.IAMAccountPolicyMapDaoImpl" />
- <bean id="IAMServiceImpl" class="org.apache.cloudstack.iam.server.IAMServiceImpl" />
+ <bean id="IAMServiceImpl" class="org.apache.cloudstack.iam.server.IAMServiceImpl" >
+ <property name="configParams">
+ <map>
+ <entry key="cache.size" value="5000" />
+ <entry key="cache.time.to.live" value="300" />
+ </map>
+ </property>
+ </bean>
</beans>
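Review bot: cache.time.to.live=300 is the only bound on how long a stale access decision survives on a management server that did not perform the policy or group change, because invalidateIAMCache in IAMServiceImpl clears just the local ehcache (its own comment notes the missing cross-server publish). Document that trade-off next to the entry, e.g. `<!-- Upper bound, in seconds, on how long a cached checkAccess result may outlive a policy/group change made on another management server -->`. createIAMCache also reads cache.time.to.idle with a 300 s default, which is not set here; listing it explicitly would make the effective configuration visible in one place.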
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ad8d2695/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
index 20326e97..3a470ee 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java
@@ -18,7 +18,6 @@ package org.apache.cloudstack.iam.api;
import java.util.List;
-
import org.apache.cloudstack.iam.api.IAMPolicyPermission.Permission;
import com.cloud.utils.Pair;
@@ -90,4 +89,11 @@ public interface IAMService {
List<IAMPolicy> listRecursiveIAMPoliciesByGroup(long groupId);
+ /* Interface used for cache IAM checkAccess result */
+ void addToIAMCache(Object accessKey, Object allowDeny);
+
+ Object getFromIAMCache(Object accessKey);
+
+ void invalidateIAMCache();
+
}
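Review bot: The three new methods are typed on Object and described only by a one-line block comment, so a caller cannot tell that the cache is optional or what the stored value represents. Replace the comment with Javadoc per method, e.g. `/** Stores a checkAccess outcome under {@code accessKey}; a no-op when no cache is configured. */` on addToIAMCache, `/** @return the cached outcome, or {@code null} when absent or when no cache is configured. */` on getFromIAMCache, and on invalidateIAMCache a sentence stating that it clears only this management server's cache. Narrowing accessKey to String would match the only caller visible here, which builds a String key.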
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ad8d2695/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
index c35ac1d..796ae43 100644
--- a/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
+++ b/services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java
@@ -18,9 +18,15 @@ package org.apache.cloudstack.iam.server;
import java.util.ArrayList;
import java.util.List;
+import java.util.Map;
import javax.ejb.Local;
import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import net.sf.ehcache.Cache;
+import net.sf.ehcache.CacheManager;
+import net.sf.ehcache.Element;
import org.apache.log4j.Logger;
@@ -38,6 +44,7 @@ import org.apache.cloudstack.iam.server.dao.IAMPolicyDao;
import org.apache.cloudstack.iam.server.dao.IAMPolicyPermissionDao;
import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.utils.NumbersUtil;
import com.cloud.utils.Pair;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
@@ -82,6 +89,62 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
@Inject
IAMPolicyPermissionDao _policyPermissionDao;
+ private Cache _iamCache;
+
+ private void createIAMCache(final Map<String, ? extends Object> params) {
+ final String value = (String)params.get("cache.size");
+
+ if (value != null) {
+ final CacheManager cm = CacheManager.create();
+ final int maxElements = NumbersUtil.parseInt(value, 0);
+ final int live = NumbersUtil.parseInt((String)params.get("cache.time.to.live"), 300);
+ final int idle = NumbersUtil.parseInt((String)params.get("cache.time.to.idle"), 300);
+ _iamCache = new Cache(getName(), maxElements, false, live == -1, live == -1 ? Integer.MAX_VALUE : live, idle);
+ cm.addCache(_iamCache);
+ s_logger.info("IAM Cache created: " + _iamCache.toString());
+ } else {
+ _iamCache = null;
+ }
+ }
+
+ @Override
+ public void addToIAMCache(Object accessKey, Object allowDeny) {
+ if (_iamCache != null) {
+ try {
+ s_logger.debug("Put IAM access check for " + accessKey + " in cache");
+ _iamCache.put(new Element(accessKey, allowDeny));
+ } catch (final Exception e) {
+ s_logger.debug("Can't put " + accessKey + " to IAM cache", e);
+ }
+ }
+ }
+
+ @Override
+ public void invalidateIAMCache() {
+ //This may need to use event bus to publish to other MS, but event bus now is missing this functionality to handle PublishScope.GLOBAL
+ if (_iamCache != null) {
+ s_logger.debug("Invalidate IAM cache");
+ _iamCache.removeAll();
+ }
+ }
+
+ @Override
+ public Object getFromIAMCache(Object accessKey) {
+ if (_iamCache != null) {
+ final Element element = _iamCache.get(accessKey);
+ return element == null ? null : element.getObjectValue();
+ }
+ return null;
+ }
+
+ @Override
+ public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
+ boolean result = super.configure(name, params);
+ // create IAM cache
+ createIAMCache(params);
+ return result;
+ }
+
@DB
@Override
public IAMGroup createIAMGroup(String iamGroupName, String description, String path) {
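Review bot: getFromIAMCache at L307-L313 calls `_iamCache.get(accessKey)` unguarded, whereas the put at L288-L293 is wrapped in a catch; if ehcache throws on get (for instance once the cache is no longer alive during shutdown) the exception propagates out of checkAccess as something other than the PermissionDeniedException callers expect. Mirror the put path: catch, log at debug, and return null so a cache failure degrades to a full policy evaluation rather than an error. `CacheManager.create()` also returns the process-wide singleton and the cache is registered under `getName()`, so a second configure() or another component using that name would make addCache fail; checking `cm.cacheExists(getName())` first would make the setup idempotent. The invalidateIAMCache comment should also make clear to callers that only this server's cache is cleared.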
@@ -111,7 +174,7 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove this group related entry in acl_group_role_map
+ // remove this group related entry in acl_group_policy_map
List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
if (groupPolicyMap != null) {
for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
@@ -132,6 +195,7 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
});
+ invalidateIAMCache();
return true;
}
@@ -184,6 +248,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
}
});
+
+ invalidateIAMCache();
return group;
}
@@ -210,6 +276,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
}
});
+
+ invalidateIAMCache();
return group;
}
@@ -345,7 +413,7 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
- // remove this role related entry in acl_group_role_map
+ // remove this policy related entry in acl_group_policy_map
List<IAMGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
if (groupPolicyMap != null) {
for (IAMGroupPolicyMapVO gr : groupPolicyMap) {
@@ -374,6 +442,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
});
+ invalidateIAMCache();
+
return true;
}
@@ -536,6 +606,7 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
});
+ invalidateIAMCache();
return group;
}
@@ -568,6 +639,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
}
});
+
+ invalidateIAMCache();
return group;
}
@@ -594,6 +667,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
}
});
+
+ invalidateIAMCache();
}
@Override
@@ -617,6 +692,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
}
});
+
+ invalidateIAMCache();
}
@DB
@@ -639,6 +716,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
recursive);
_policyPermissionDao.persist(permit);
}
+
+ invalidateIAMCache();
return policy;
}
@@ -660,6 +739,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
// not removed yet
_policyPermissionDao.remove(permit.getId());
}
+
+ invalidateIAMCache();
return policy;
}
@@ -682,6 +763,8 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
}
}
});
+
+ invalidateIAMCache();
}
@DB
@@ -702,6 +785,7 @@ public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
permissionSC.setParameters("policyId", iamPolicyId);
_policyPermissionDao.expunge(permissionSC);
+ invalidateIAMCache();
return policy;
}
[2/7] git commit: updated refs/heads/4.4 to 68a44cf
Posted by da...@apache.org.
CLOUDSTACK-6598:IAM - listAccount() retrurns "Caller cannot be passed as
NULL to IAM!" when domain deletion is in progress.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7ea168e9
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7ea168e9
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7ea168e9
Branch: refs/heads/4.4
Commit: 7ea168e91759c50a52f614c6b70617aaff362b0e
Parents: ad8d269
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 8 15:19:23 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Tue May 13 11:19:54 2014 +0200
----------------------------------------------------------------------
.../resourcelimit/ResourceLimitManagerImpl.java | 6 ++++
.../src/com/cloud/user/AccountManagerImpl.java | 31 ++++++++++++++++++--
2 files changed, 35 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ea168e9/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
index 2b5d976..0c0c588 100755
--- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
+++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
@@ -325,6 +325,9 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
}
Account account = _accountDao.findById(accountId);
+ if (account == null) {
+ return max;
+ }
// Check if limit is configured for account
if (limit != null) {
@@ -633,6 +636,9 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
if (accountId != null) {
Account account = _entityMgr.findById(Account.class, accountId);
+ if (account == null) {
+ throw new InvalidParameterValueException("Unable to find account " + accountId);
+ }
if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
throw new InvalidParameterValueException("Can't update system account");
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7ea168e9/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 22be83c..3ff9bd2 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -363,6 +363,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public boolean isAdmin(Long accountId) {
if (accountId != null) {
AccountVO acct = _accountDao.findById(accountId);
+ if (acct == null) {
+ return false; //account is deleted or does not exist
+ }
if ((isRootAdmin(accountId)) || (isDomainAdmin(accountId)) || (isResourceDomainAdmin(accountId))) {
return true;
} else if (acct.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) {
@@ -377,6 +380,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public boolean isRootAdmin(Long accountId) {
if (accountId != null) {
AccountVO acct = _accountDao.findById(accountId);
+ if (acct == null) {
+ return false; //account is deleted or does not exist
+ }
for (SecurityChecker checker : _securityCheckers) {
try {
if (checker.checkAccess(acct, null, null, "SystemCapability")) {
@@ -397,6 +403,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public boolean isDomainAdmin(Long accountId) {
if (accountId != null) {
AccountVO acct = _accountDao.findById(accountId);
+ if (acct == null) {
+ return false; //account is deleted or does not exist
+ }
for (SecurityChecker checker : _securityCheckers) {
try {
if (checker.checkAccess(acct, null, null, "DomainCapability")) {
@@ -425,6 +434,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public boolean isResourceDomainAdmin(Long accountId) {
if (accountId != null) {
AccountVO acct = _accountDao.findById(accountId);
+ if (acct == null) {
+ return false; //account is deleted or does not exist
+ }
for (SecurityChecker checker : _securityCheckers) {
try {
if (checker.checkAccess(acct, null, null, "DomainResourceCapability")) {
@@ -443,6 +455,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public boolean isInternalAccount(long accountId) {
Account account = _accountDao.findById(accountId);
+ if (account == null) {
+ return false; //account is deleted or does not exist
+ }
if (isRootAdmin(accountId) || (account.getType() == Account.ACCOUNT_ID_SYSTEM)) {
return true;
}
@@ -1138,6 +1153,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// If the account is an admin type, return an error. We do not allow this
Account account = _accountDao.findById(user.getAccountId());
+ if (account == null) {
+ throw new InvalidParameterValueException("unable to find user account " + user.getAccountId());
+ }
// don't allow updating project account
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
@@ -1145,7 +1163,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
// don't allow updating system account
- if (account != null && (account.getId() == Account.ACCOUNT_ID_SYSTEM)) {
+ if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed");
}
@@ -1252,6 +1270,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
Account account = _accountDao.findById(user.getAccountId());
+ if (account == null) {
+ throw new InvalidParameterValueException("unable to find user account " + user.getAccountId());
+ }
// don't allow disabling user belonging to project's account
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
@@ -1291,6 +1312,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
Account account = _accountDao.findById(user.getAccountId());
+ if (account == null) {
+ throw new InvalidParameterValueException("unable to find user account " + user.getAccountId());
+ }
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
throw new InvalidParameterValueException("Unable to find active user by id " + userId);
@@ -1339,6 +1363,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
Account account = _accountDao.findById(user.getAccountId());
+ if (account == null) {
+ throw new InvalidParameterValueException("unable to find user account " + user.getAccountId());
+ }
// don't allow to lock user of the account of type Project
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
@@ -1404,7 +1431,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// If the user is a System user, return an error. We do not allow this
AccountVO account = _accountDao.findById(accountId);
- if (account.getRemoved() != null) {
+ if (account == null || account.getRemoved() != null) {
s_logger.info("The account:" + account.getAccountName() + " is already removed");
return true;
}
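Review bot: The widened guard at L574 makes the log call on the next line dereference a null account: when `account == null` the condition is true and `account.getAccountName()` throws NullPointerException, so the new branch never reaches `return true`. Log the id instead, e.g. `s_logger.info("The account id=" + accountId + " is already removed or does not exist");`, or split the two conditions into separate branches. The enclosing method continues outside the hunk.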
[6/7] git commit: updated refs/heads/4.4 to 68a44cf
Posted by da...@apache.org.
CLOUDSTACK-6628:[Automation] Create PF rulw API failing with error
"database id can only provided by VO objects".
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/aa2bbd45
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/aa2bbd45
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/aa2bbd45
Branch: refs/heads/4.4
Commit: aa2bbd455fad3d1f8bc1202f93a6f3de0c794345
Parents: 42e547c
Author: Min Chen <mi...@citrix.com>
Authored: Fri May 9 18:24:54 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Tue May 13 11:34:55 2014 +0200
----------------------------------------------------------------------
.../command/user/firewall/CreatePortForwardingRuleCmd.java | 7 ++++++-
server/src/com/cloud/network/rules/RulesManagerImpl.java | 5 +++--
2 files changed, 9 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aa2bbd45/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
index f18767e..91146ac 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
@@ -19,8 +19,11 @@ package org.apache.cloudstack.api.command.user.firewall;
import java.util.List;
import org.apache.log4j.Logger;
+import org.bouncycastle.util.IPAddress;
import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
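Review bot: `org.bouncycastle.util.IPAddress` is BouncyCastle's IP-string validation helper, not the CloudStack IP address entity, yet it is what `IPAddress.class` in the entityType list at L618 (next hunk) now refers to. The `@ACL(accessType = AccessType.OperateEntry)` added on ipAddressId at L625 presumably relies on the command's declared entity types to resolve the parameter into an entity that checkAccess can evaluate, so with the wrong class the ownership check on the IP address is unlikely to be applied as intended; the import should be `import com.cloud.network.IpAddress;` and the annotation `VirtualMachine.class, IpAddress.class},`. This looks like an IDE auto-import mix-up, and the api module should not pick up a bouncycastle dependency for it.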
@@ -48,7 +51,7 @@ import com.cloud.utils.net.NetUtils;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class,
- VirtualMachine.class},
+ VirtualMachine.class, IPAddress.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements PortForwardingRule {
public static final Logger s_logger = Logger.getLogger(CreatePortForwardingRuleCmd.class.getName());
@@ -59,6 +62,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.IP_ADDRESS_ID,
type = CommandType.UUID,
entityType = IPAddressResponse.class,
@@ -96,6 +100,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P
description = "the ending port of port forwarding rule's private port range")
private Integer publicEndPort;
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
type = CommandType.UUID,
entityType = UserVmResponse.class,
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aa2bbd45/server/src/com/cloud/network/rules/RulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index 573c820..f6a87bf 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -195,6 +195,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId());
}
+ // This same owner check is actually not needed, since multiple entities OperateEntry trick guarantee that
if (rule.getAccountId() != userVm.getAccountId()) {
throw new InvalidParameterValueException("New rule " + rule + " and vm id=" + userVm.getId() + " belong to different accounts");
}
@@ -267,8 +268,8 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
if (vm == null) {
throw new InvalidParameterValueException("Unable to create port forwarding rule on address " + ipAddress + ", invalid virtual machine id specified (" +
vmId + ").");
- } else {
- checkRuleAndUserVm(rule, vm, caller);
+ } else if (vm.getState() == VirtualMachine.State.Destroyed || vm.getState() == VirtualMachine.State.Expunging) {
+ throw new InvalidParameterValueException("Invalid user vm: " + vm.getId());
}
// Verify that vm has nic in the network
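Review bot: Dropping the `checkRuleAndUserVm(rule, vm, caller)` call removes the same-account comparison (still present at L646 for the remaining callers) from this creation path, and the comment added at L645 asserts the @ACL OperateEntry checks make it redundant. Holding OperateEntry on the IP address and on the VM separately does not imply the two belong to the same account, so a caller entitled to both (a domain admin, for example) could now bind one account's public IP to another account's VM, which the old check rejected. If cross-account binding is intended, say so in the comment; otherwise keep `if (rule.getAccountId() != vm.getAccountId()) { throw new InvalidParameterValueException(...); }` here next to the new state check. The enclosing method continues past the hunk.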
[3/7] git commit: updated refs/heads/4.4 to 68a44cf
Posted by da...@apache.org.
CLOUDSTACK-6613:IAM: authorizeSecurityGroupIngress fails when SG Name is
passed.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e865cf8d
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e865cf8d
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e865cf8d
Branch: refs/heads/4.4
Commit: e865cf8d2b7ae98fe0c27ff1661cc7aa88c37be6
Parents: 7ea168e
Author: Min Chen <mi...@citrix.com>
Authored: Thu May 8 23:08:32 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Tue May 13 11:20:27 2014 +0200
----------------------------------------------------------------------
.../AuthorizeSecurityGroupEgressCmd.java | 3 +-
.../AuthorizeSecurityGroupIngressCmd.java | 3 +-
server/src/com/cloud/api/ApiServer.java | 52 +++++++++++---------
.../cloud/api/dispatch/ParamProcessWorker.java | 3 +-
4 files changed, 35 insertions(+), 26 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e865cf8d/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupEgressCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupEgressCmd.java b/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupEgressCmd.java
index aef0a7c..9909bf3 100644
--- a/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupEgressCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupEgressCmd.java
@@ -95,7 +95,8 @@ public class AuthorizeSecurityGroupEgressCmd extends BaseAsyncCmd {
@Parameter(name=ApiConstants.SECURITY_GROUP_ID, type=CommandType.UUID, description="The ID of the security group. Mutually exclusive with securityGroupName parameter", entityType=SecurityGroupResponse.class)
private Long securityGroupId;
- @ACL(accessType = AccessType.OperateEntry)
+ // This @ACL will not work, since we don't have a way to convert this parameter to the entity like securityGroupId.
+ //@ACL(accessType = AccessType.OperateEntry)
@Parameter(name=ApiConstants.SECURITY_GROUP_NAME, type=CommandType.STRING, description="The name of the security group. Mutually exclusive with securityGroupName parameter")
private String securityGroupName;
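Review bot: Commenting out the @ACL on securityGroupName leaves the name-based variant of this command with no declarative access check at the API layer, and the comment says why but not where the check happens instead, so a reader cannot tell whether the service resolves the name to a SecurityGroup and calls checkAccess on it. Once that is confirmed, replace the dead annotation with a comment pointing at the actual check, e.g. `// No @ACL here: the name cannot be mapped to an entity at parameter time; the service resolves it and performs checkAccess`, and delete the commented-out line rather than keeping it. The same applies to AuthorizeSecurityGroupIngressCmd at L701-L708.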
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e865cf8d/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupIngressCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupIngressCmd.java b/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupIngressCmd.java
index 188df6e..3549d51 100644
--- a/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupIngressCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/securitygroup/AuthorizeSecurityGroupIngressCmd.java
@@ -95,7 +95,8 @@ public class AuthorizeSecurityGroupIngressCmd extends BaseAsyncCmd {
@Parameter(name=ApiConstants.SECURITY_GROUP_ID, type=CommandType.UUID, description="The ID of the security group. Mutually exclusive with securityGroupName parameter", entityType=SecurityGroupResponse.class)
private Long securityGroupId;
- @ACL(accessType = AccessType.OperateEntry)
+ // This @ACL will not work, since we don't have a way to convert this parameter to the entity like securityGroupId.
+ //@ACL(accessType = AccessType.OperateEntry)
@Parameter(name=ApiConstants.SECURITY_GROUP_NAME, type=CommandType.STRING, description="The name of the security group. Mutually exclusive with securityGroupName parameter")
private String securityGroupName;
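Review bot: Same gap as in the egress command: with the annotation disabled, a request that passes securityGroupName instead of securityGroupId gets no OperateEntry check at dispatch, and the hunk does not show one in execute(). State the contract in the comment instead of leaving dead annotation text, e.g. `// securityGroupName cannot be resolved to an entity at dispatch time, so no @ACL here; execute() must resolve the name within the caller's account and call checkAccess on the result`, and verify that execute() actually does so. The unchanged description on the next line says the name parameter is "Mutually exclusive with securityGroupName parameter"; it should read securityGroupId.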
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e865cf8d/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index a99d683..18eb4d9 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -96,10 +96,14 @@ import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.api.ResponseObject;
import org.apache.cloudstack.api.ResponseObject.ResponseView;
import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.command.admin.account.ListAccountsCmdByAdmin;
import org.apache.cloudstack.api.command.admin.host.ListHostsCmd;
import org.apache.cloudstack.api.command.admin.router.ListRoutersCmd;
import org.apache.cloudstack.api.command.admin.storage.ListStoragePoolsCmd;
import org.apache.cloudstack.api.command.admin.user.ListUsersCmd;
+import org.apache.cloudstack.api.command.admin.vm.ListVMsCmdByAdmin;
+import org.apache.cloudstack.api.command.admin.volume.ListVolumesCmdByAdmin;
+import org.apache.cloudstack.api.command.admin.zone.ListZonesCmdByAdmin;
import org.apache.cloudstack.api.command.user.account.ListAccountsCmd;
import org.apache.cloudstack.api.command.user.account.ListProjectAccountsCmd;
import org.apache.cloudstack.api.command.user.event.ListEventsCmd;
@@ -138,8 +142,8 @@ import com.cloud.domain.Domain;
import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao;
import com.cloud.event.ActionEventUtils;
-import com.cloud.event.EventTypes;
import com.cloud.event.EventCategory;
+import com.cloud.event.EventTypes;
import com.cloud.exception.AccountLimitException;
import com.cloud.exception.CloudAuthenticationException;
import com.cloud.exception.InsufficientCapacityException;
@@ -210,7 +214,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
private static Map<String, List<Class<?>>> s_apiNameCmdClassMap = new HashMap<String, List<Class<?>>>();
private static ExecutorService s_executor = new ThreadPoolExecutor(10, 150, 60, TimeUnit.SECONDS, new LinkedBlockingQueue<Runnable>(), new NamedThreadFactory(
- "ApiServer"));
+ "ApiServer"));
@Inject
MessageBus _messageBus;
@@ -442,7 +446,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
final Matcher matcher = pattern.matcher(value[0]);
if (matcher.find()) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Received value " + value[0] + " for parameter " + key +
- " is invalid, contains illegal ASCII non-printable characters");
+ " is invalid, contains illegal ASCII non-printable characters");
}
}
stringMap.put(key, value[0]);
@@ -506,7 +510,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
StringUtils.cleanString(response));
}
else
- buildAuditTrail(auditTrailSb, command[0], response);
+ buildAuditTrail(auditTrailSb, command[0], response);
} else {
if (!command[0].equalsIgnoreCase("login") && !command[0].equalsIgnoreCase("logout")) {
final String errorString = "Unknown API command: " + command[0];
@@ -612,7 +616,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
objectUuid = createCmd.getEntityUuid();
params.put("id", objectId.toString());
Class entityClass = EventTypes.getEntityClassForEvent(createCmd.getEventType());
- if(entityClass != null)
+ if (entityClass != null)
ctx.putContextParameter(entityClass.getName(), objectId);
} else {
// Extract the uuid before params are processed and id reflects internal db id
@@ -628,7 +632,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
if (caller != null) {
params.put("ctxAccountId", String.valueOf(caller.getId()));
}
- if(objectUuid != null){
+ if (objectUuid != null) {
params.put("uuid", objectUuid);
}
@@ -637,14 +641,14 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
// Add the resource id in the call context, also add some other first class object ids (for now vm) if available.
// TODO - this should be done for all the uuids passed in the cmd - so should be moved where uuid to id conversion happens.
- if(EventTypes.getEntityForEvent(asyncCmd.getEventType()) != null){
+ if (EventTypes.getEntityForEvent(asyncCmd.getEventType()) != null) {
ctx.putContextParameter(EventTypes.getEntityForEvent(asyncCmd.getEventType()), objectUuid);
}
// save the scheduled event
final Long eventId =
- ActionEventUtils.onScheduledActionEvent((callerUserId == null) ? User.UID_SYSTEM : callerUserId, asyncCmd.getEntityOwnerId(), asyncCmd.getEventType(),
- asyncCmd.getEventDescription(), asyncCmd.isDisplay(), startEventId);
+ ActionEventUtils.onScheduledActionEvent((callerUserId == null) ? User.UID_SYSTEM : callerUserId, asyncCmd.getEntityOwnerId(), asyncCmd.getEventType(),
+ asyncCmd.getEventDescription(), asyncCmd.isDisplay(), startEventId);
if (startEventId == 0) {
// There was no create event before, set current event id as start eventId
startEventId = eventId;
@@ -681,13 +685,15 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
// if the command is of the listXXXCommand, we will need to also return the
// the job id and status if possible
// For those listXXXCommand which we have already created DB views, this step is not needed since async job is joined in their db views.
- if (cmdObj instanceof BaseListCmd && !(cmdObj instanceof ListVMsCmd) && !(cmdObj instanceof ListRoutersCmd) && !(cmdObj instanceof ListSecurityGroupsCmd) &&
- !(cmdObj instanceof ListTagsCmd) && !(cmdObj instanceof ListEventsCmd) && !(cmdObj instanceof ListVMGroupsCmd) && !(cmdObj instanceof ListProjectsCmd) &&
- !(cmdObj instanceof ListProjectAccountsCmd) && !(cmdObj instanceof ListProjectInvitationsCmd) && !(cmdObj instanceof ListHostsCmd) &&
- !(cmdObj instanceof ListVolumesCmd) && !(cmdObj instanceof ListUsersCmd) && !(cmdObj instanceof ListAccountsCmd) &&
- !(cmdObj instanceof ListStoragePoolsCmd) && !(cmdObj instanceof ListDiskOfferingsCmd) && !(cmdObj instanceof ListServiceOfferingsCmd) &&
- !(cmdObj instanceof ListZonesCmd)) {
- buildAsyncListResponse((BaseListCmd) cmdObj, caller);
+ if (cmdObj instanceof BaseListCmd && !(cmdObj instanceof ListVMsCmd) && !(cmdObj instanceof ListVMsCmdByAdmin) && !(cmdObj instanceof ListRoutersCmd)
+ && !(cmdObj instanceof ListSecurityGroupsCmd) &&
+ !(cmdObj instanceof ListTagsCmd) && !(cmdObj instanceof ListEventsCmd) && !(cmdObj instanceof ListVMGroupsCmd) && !(cmdObj instanceof ListProjectsCmd) &&
+ !(cmdObj instanceof ListProjectAccountsCmd) && !(cmdObj instanceof ListProjectInvitationsCmd) && !(cmdObj instanceof ListHostsCmd) &&
+ !(cmdObj instanceof ListVolumesCmd) && !(cmdObj instanceof ListVolumesCmdByAdmin) && !(cmdObj instanceof ListUsersCmd) && !(cmdObj instanceof ListAccountsCmd)
+ && !(cmdObj instanceof ListAccountsCmdByAdmin) &&
+ !(cmdObj instanceof ListStoragePoolsCmd) && !(cmdObj instanceof ListDiskOfferingsCmd) && !(cmdObj instanceof ListServiceOfferingsCmd) &&
+ !(cmdObj instanceof ListZonesCmd) && !(cmdObj instanceof ListZonesCmdByAdmin)) {
+ buildAsyncListResponse((BaseListCmd)cmdObj, caller);
}
SerializationContext.current().setUuidTranslation(true);
@@ -861,7 +867,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
if (user.getState() != Account.State.enabled || !account.getState().equals(Account.State.enabled)) {
s_logger.info("disabled or locked user accessing the api, userid = " + user.getId() + "; name = " + user.getUsername() + "; state: " + user.getState() +
- "; accountState: " + account.getState());
+ "; accountState: " + account.getState());
return false;
}
@@ -917,7 +923,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
@Override
public void loginUser(final HttpSession session, final String username, final String password, Long domainId, final String domainPath, final String loginIpAddress,
- final Map<String, Object[]> requestParameters) throws CloudAuthenticationException {
+ final Map<String, Object[]> requestParameters) throws CloudAuthenticationException {
// We will always use domainId first. If that does not exist, we will use domain name. If THAT doesn't exist
// we will default to ROOT
if (domainId == null) {
@@ -1006,7 +1012,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
}
if ((user == null) || (user.getRemoved() != null) || !user.getState().equals(Account.State.enabled) || (account == null) ||
- !account.getState().equals(Account.State.enabled)) {
+ !account.getState().equals(Account.State.enabled)) {
s_logger.warn("Deleted/Disabled/Locked user with id=" + userId + " attempting to access public API");
return false;
}
@@ -1102,10 +1108,10 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
_params = new BasicHttpParams();
_params.setIntParameter(CoreConnectionPNames.SO_TIMEOUT, 30000)
- .setIntParameter(CoreConnectionPNames.SOCKET_BUFFER_SIZE, 8 * 1024)
- .setBooleanParameter(CoreConnectionPNames.STALE_CONNECTION_CHECK, false)
- .setBooleanParameter(CoreConnectionPNames.TCP_NODELAY, true)
- .setParameter(CoreProtocolPNames.ORIGIN_SERVER, "HttpComponents/1.1");
+ .setIntParameter(CoreConnectionPNames.SOCKET_BUFFER_SIZE, 8 * 1024)
+ .setBooleanParameter(CoreConnectionPNames.STALE_CONNECTION_CHECK, false)
+ .setBooleanParameter(CoreConnectionPNames.TCP_NODELAY, true)
+ .setParameter(CoreProtocolPNames.ORIGIN_SERVER, "HttpComponents/1.1");
// Set up the HTTP protocol processor
final BasicHttpProcessor httpproc = new BasicHttpProcessor();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e865cf8d/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
index d862660..ba5bebf 100644
--- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -155,7 +155,8 @@ public class ParamProcessWorker implements DispatchWorker {
// for maps, specify access to be checkd on key or value.
// Find the controlled entity DBid by uuid
- if (parameterAnnotation.entityType() != null) {
+ if (parameterAnnotation.entityType() != null && parameterAnnotation.entityType().length > 0
+ && parameterAnnotation.entityType()[0].getAnnotation(EntityReference.class) != null) {
final Class<?>[] entityList = parameterAnnotation.entityType()[0].getAnnotation(EntityReference.class).value();
// Check if the parameter type is a single
[4/7] git commit: updated refs/heads/4.4 to 68a44cf
Posted by da...@apache.org.
CLOUDSTACK-6600: fix a bug in IAM cache in constructing cache key.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/89e0e632
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/89e0e632
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/89e0e632
Branch: refs/heads/4.4
Commit: 89e0e63253fffe886203af1617cea123097aa8ba
Parents: e865cf8
Author: Min Chen <mi...@citrix.com>
Authored: Fri May 9 11:10:26 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Tue May 13 11:21:22 2014 +0200
----------------------------------------------------------------------
.../org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/89e0e632/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index eaa4302..f0df132 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -66,6 +66,9 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
String entityType = null;
if (entity != null && entity.getEntityType() != null) {
entityType = entity.getEntityType().getSimpleName();
+ if (entity instanceof InternalIdentity) {
+ entityType += ((InternalIdentity)entity).getId();
+ }
}
key.append(entityType != null ? entityType : "null");
key.append("-");
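Review bot: Appending the id fixes the key for InternalIdentity entities, but any entity that does not implement InternalIdentity still gets a key built only from its class name, so a cached allow for one instance of that type is returned for every other instance of it for as long as the entry lives; because this key gates an authorization decision, a collision is a permission leak rather than a cache miss. Either skip the cache for such entities (have checkAccess bypass the lookup when no identity is available) or require an identity before caching, and say so at this point, e.g. `// Entities without an InternalIdentity are not distinguishable by key; do not cache their result`. Also put a separator between type and id, `entityType += "-" + ((InternalIdentity)entity).getId();`, so a class name that ends in a digit cannot produce the same key as another type/id pair.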
@@ -91,7 +94,7 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
String accessKey = buildAccessCacheKey(caller, entity, accessType, action);
CheckAccessResult allowDeny = (CheckAccessResult)_iamSrv.getFromIAMCache(accessKey);
if (allowDeny != null) {
- s_logger.debug("IAM access check for " + accessKey + " from cache");
+ s_logger.debug("IAM access check for " + accessKey + " from cache: " + allowDeny.isAllow());
if (allowDeny.isAllow()) {
return true;
} else {
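Review bot: A cache hit short-circuits the full policy evaluation, but nothing on this page shows how entries are invalidated when a policy, group membership or account state changes; if the IAM cache is purely time-based, a revoked permission keeps being honoured from cache until the entry ages out. Document that window at the lookup, e.g. `// Cached allow/deny is trusted as-is; revocations are only seen once the entry expires, so keep the TTL short`, and confirm that the policy-changing paths in IAMServiceImpl invalidate or clear the cache. Logging the full accessKey (which embeds caller and entity identifiers) is fine at debug level but should stay out of info-level output.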
[5/7] git commit: updated refs/heads/4.4 to 68a44cf
Posted by da...@apache.org.
CLOUDSTACK-6617: [Automation] detach / resize volume test cases failing
with permission error.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/42e547cf
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/42e547cf
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/42e547cf
Branch: refs/heads/4.4
Commit: 42e547cf0276c0e8289886260390ff025abaaad6
Parents: 89e0e63
Author: Min Chen <mi...@citrix.com>
Authored: Fri May 9 16:39:23 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Tue May 13 11:34:29 2014 +0200
----------------------------------------------------------------------
.../cloudstack/iam/RoleBasedEntityAccessChecker.java | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/42e547cf/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index f0df132..7b3d967 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -290,16 +290,16 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
boolean allow;
String denyMsg;
- public CheckAccessResult(boolean allow) {
- this(allow, null);
+ public CheckAccessResult(boolean aw) {
+ this(aw, null);
}
public CheckAccessResult(String msg) {
this(false, msg);
}
- public CheckAccessResult(boolean allow, String msg) {
- allow = allow;
+ public CheckAccessResult(boolean aw, String msg) {
+ allow = aw;
denyMsg = msg;
}
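Review bot: The root cause was `allow = allow;` assigning the constructor parameter to itself because it shadowed the field, which made every cached CheckAccessResult a deny; renaming the parameter to `aw` works around that, but `this.allow = allow;` is the idiomatic fix, keeps the readable parameter name, and is what a self-assignment warning would have pointed at. The fields are also package-visible as written; make them `private`, and since this object is what the cache hands back to later callers, consider `private final boolean allow;` / `private final String denyMsg;` with the setter in the following hunk removed, so a stored authorization result cannot be flipped after it is cached. The rest of CheckAccessResult continues outside this hunk.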
@@ -307,8 +307,8 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
return allow;
}
- public void setAllow(boolean allow) {
- this.allow = allow;
+ public void setAllow(boolean aw) {
+ allow = aw;
}
[7/7] git commit: updated refs/heads/4.4 to 68a44cf
Posted by da...@apache.org.
CLOUDSTACK-6628: Fix IpAddress import typo.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/68a44cf2
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/68a44cf2
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/68a44cf2
Branch: refs/heads/4.4
Commit: 68a44cf23b5764abef6fd1c4c6616823ed4f5eac
Parents: aa2bbd4
Author: Min Chen <mi...@citrix.com>
Authored: Sun May 11 23:12:35 2014 -0700
Committer: Daan Hoogland <da...@onecht.net>
Committed: Tue May 13 11:35:25 2014 +0200
----------------------------------------------------------------------
.../api/command/user/firewall/CreatePortForwardingRuleCmd.java | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/68a44cf2/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
index 91146ac..6fb120f 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
@@ -19,7 +19,6 @@ package org.apache.cloudstack.api.command.user.firewall;
import java.util.List;
import org.apache.log4j.Logger;
-import org.bouncycastle.util.IPAddress;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@@ -51,7 +50,7 @@ import com.cloud.utils.net.NetUtils;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class,
- VirtualMachine.class, IPAddress.class},
+ VirtualMachine.class, IpAddress.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements PortForwardingRule {
public static final Logger s_logger = Logger.getLogger(CreatePortForwardingRuleCmd.class.getName());
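Review bot: If @APICommand.entityType is consumed the same way ParamProcessWorker consumes @Parameter.entityType (reading the EntityReference annotation on each listed class), then the bouncycastle IPAddress previously listed here carried no such annotation and the ip-address entity may have been skipped in this command's access resolution on 4.4; worth confirming rather than treating this as a pure typo fix. A small build-time test that iterates every @APICommand and asserts each entityType class carries @EntityReference would catch this class of mistake before it reaches a release branch. The hunk removes the bouncycastle import but does not show where com.cloud.network.IpAddress is imported; presumably it already was, since the remaining import block is unchanged.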