You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by al...@apache.org on 2013/12/04 20:36:38 UTC
git commit: updated refs/heads/4.3 to 06d2e76
Updated Branches:
refs/heads/4.3 ee82870aa -> 06d2e768b
CLOUDSTACK-5152: when deployVm with SG, verify that vm and sg belong to the same account. Do this verification even when the call is done by the ROOT admin
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/06d2e768
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/06d2e768
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/06d2e768
Branch: refs/heads/4.3
Commit: 06d2e768b61890f69daa197f64d9fb4991523792
Parents: ee82870
Author: Alena Prokharchyk <al...@citrix.com>
Authored: Wed Dec 4 11:36:33 2013 -0800
Committer: Alena Prokharchyk <al...@citrix.com>
Committed: Wed Dec 4 11:37:24 2013 -0800
----------------------------------------------------------------------
.../src/com/cloud/user/AccountManagerImpl.java | 33 +++++++++++---------
1 file changed, 19 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/06d2e768/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index f8c59e2..8ea495f 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -37,8 +37,6 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker;
@@ -54,6 +52,8 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.log4j.Logger;
import com.cloud.api.ApiDBUtils;
import com.cloud.api.query.vo.ControlledViewEntity;
@@ -379,6 +379,22 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
+
+ //check for the same owner
+ Long ownerId = null;
+ ControlledEntity prevEntity = null;
+ if (sameOwner) {
+ for (ControlledEntity entity : entities) {
+ if (sameOwner) {
+ if (ownerId == null) {
+ ownerId = entity.getAccountId();
+ } else if (ownerId.longValue() != entity.getAccountId()) {
+ throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
+ }
+ prevEntity = entity;
+ }
+ }
+ }
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getType())) {
// no need to make permission checks if the system/root admin makes the call
@@ -389,13 +405,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>();
- Long ownerId = null;
- ControlledEntity prevEntity = null;
for (ControlledEntity entity : entities) {
long domainId = entity.getDomainId();
if (entity.getAccountId() != -1 && domainId == -1) { // If account exists domainId should too so calculate
-// it. This condition might be hit for templates or entities which miss domainId in their tables
+ // it. This condition might be hit for templates or entities which miss domainId in their tables
Account account = ApiDBUtils.findAccountById(entity.getAccountId());
domainId = account != null ? account.getDomainId() : -1;
}
@@ -421,15 +435,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
}
- if (sameOwner) {
- if (ownerId == null) {
- ownerId = entity.getAccountId();
- } else if (ownerId.longValue() != entity.getAccountId()) {
- throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
- }
- prevEntity = entity;
- }
-
if (!granted) {
assert false : "How can all of the security checkers pass on checking this check: " + entity;
throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);