You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by nv...@apache.org on 2022/03/06 13:08:33 UTC

[cloudstack] branch 4.16 updated: Check the network access when deploying VM in Advanced Security Group. (#6050)

This is an automated email from the ASF dual-hosted git repository.

nvazquez pushed a commit to branch 4.16
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.16 by this push:
     new 2820a36  Check the network access when deploying VM in Advanced Security Group. (#6050)
2820a36 is described below

commit 2820a36f86f06dbe7f85a5495fccc3ca8a2ae0aa
Author: Suresh Kumar Anaparti <su...@gmail.com>
AuthorDate: Sun Mar 6 18:37:57 2022 +0530

    Check the network access when deploying VM in Advanced Security Group. (#6050)
    
    * Check the network access when deploying VM in Advanced Security Group.
    
    * Removed comment
    
    * Removed redundant network access check, owner access check already exists
---
 server/src/main/java/com/cloud/vm/UserVmManagerImpl.java | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
index 58ea4e9..44cc2dd 100644
--- a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
@@ -1409,9 +1409,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new CloudRuntimeException("Zone " + vmInstance.getDataCenterId() + ", has a NetworkType of Basic. Can't add a new NIC to a VM on a Basic Network");
         }
 
-        // Perform account permission check on network
-        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
-
         //ensure network belongs in zone
         if (network.getDataCenterId() != vmInstance.getDataCenterId()) {
             throw new CloudRuntimeException(vmInstance + " is in zone:" + vmInstance.getDataCenterId() + " but " + network + " is in zone:" + network.getDataCenterId());
@@ -3533,6 +3530,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                     throw new InvalidParameterValueException("Network is not security group enabled: " + network.getId());
                 }
 
+                _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network);
+
                 networkList.add(network);
             }
             isSecurityGroupEnabledNetworkUsed = true;
@@ -3555,10 +3554,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                     throw new InvalidParameterValueException("Can specify only Shared Guest networks when" + " deploy vm in Advance Security Group enabled zone");
                 }
 
-                // Perform account permission check
-                if (network.getAclType() == ACLType.Account) {
-                    _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
-                }
+                _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network);
+
                 networkList.add(network);
             }
         }