Posted to commits@cloudstack.apache.org by pr...@apache.org on 2013/11/21 01:54:45 UTC
git commit: updated refs/heads/rbac to e0d2423
Updated Branches:
refs/heads/rbac 91e176cb0 -> e0d2423f0
Refactoring account_type for Domain_Admin and Normal_User types
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e0d2423f
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e0d2423f
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e0d2423f
Branch: refs/heads/rbac
Commit: e0d2423f065847aefb5f0ea99757dcbeaa1e5c02
Parents: 91e176c
Author: Prachi Damle <pr...@cloud.com>
Authored: Wed Nov 20 16:53:59 2013 -0800
Committer: Prachi Damle <pr...@cloud.com>
Committed: Wed Nov 20 16:53:59 2013 -0800
----------------------------------------------------------------------
api/src/com/cloud/user/AccountService.java | 4 ++++
.../acl/dao/AclGroupAccountMapDao.java | 4 ++++
.../acl/dao/AclGroupAccountMapDaoImpl.java | 17 ++++++++++++++-
.../contrail/management/MockAccountManager.java | 12 ++++++++++
server/src/com/cloud/acl/DomainChecker.java | 16 +++++++++-----
server/src/com/cloud/api/ApiResponseHelper.java | 4 ++--
.../com/cloud/api/query/QueryManagerImpl.java | 20 ++++++++---------
.../com/cloud/network/NetworkServiceImpl.java | 4 ++--
.../com/cloud/projects/ProjectManagerImpl.java | 6 ++---
.../resourcelimit/ResourceLimitManagerImpl.java | 2 +-
.../com/cloud/server/ManagementServerImpl.java | 2 +-
.../com/cloud/servlet/ConsoleProxyServlet.java | 3 ++-
.../cloud/tags/TaggedResourceManagerImpl.java | 2 +-
.../src/com/cloud/usage/UsageServiceImpl.java | 2 +-
.../src/com/cloud/user/AccountManagerImpl.java | 23 +++++++++++++++++++-
server/src/com/cloud/vm/UserVmManagerImpl.java | 2 +-
.../com/cloud/user/MockAccountManagerImpl.java | 12 ++++++++++
17 files changed, 104 insertions(+), 31 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/api/src/com/cloud/user/AccountService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index 89bbbd8..6773b24 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -89,6 +89,10 @@ public interface AccountService {
boolean isRootAdmin(long accountId);
+ boolean isDomainAdmin(long accountId);
+
+ boolean isNormalUser(long accountId);
+
User getActiveUserByRegistrationToken(String registrationToken);
void markUserRegistered(long userId);
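Review bot: The new `isDomainAdmin` and `isNormalUser` interface methods carry no Javadoc, yet their contract is exactly what the rewritten call sites in this commit depend on for authorization. State where the answer comes from and what `false` means, e.g. on `isNormalUser`: `/** Returns true if the account is a member of the built-in 'User' ACL group; false for any account without such a mapping, regardless of its account type. */`, with the analogue for the Domain Admin group on `isDomainAdmin`. The "regardless of type" clause matters because nearly every caller treats a `false` as permission to take the wider path.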
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java
index 344a860..eb3e0c6 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java
@@ -33,4 +33,8 @@ public interface AclGroupAccountMapDao extends GenericDao<AclGroupAccountMapVO,
AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
void removeAccountFromGroups(long accountId);
+
+ AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
+
+ AclGroupAccountMapVO findAccountInUserGroup(long accountId);
}
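Review bot: `findAccountInDomainAdminGroup` and `findAccountInUserGroup` are undocumented, and nothing on the interface says which group each one targets or that the implementation identifies the group by a fixed id (`3` and `1` in AclGroupAccountMapDaoImpl). Add Javadoc naming the group and the null case, e.g. `/** Returns the mapping row placing accountId in the built-in Domain Admin group, or null if the account is not a member. */`, so that a later change to how the built-in groups are seeded is visibly tied to these two lookups.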
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java
index 989dd6a..bae8578 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java
@@ -83,6 +83,22 @@ public class AclGroupAccountMapDaoImpl extends GenericDaoBase<AclGroupAccountMap
}
@Override
+ public AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
+ SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+ sc.setParameters("accountId", accountId);
+ sc.setParameters("groupId", 3);
+ return findOneBy(sc);
+ }
+
+ @Override
+ public AclGroupAccountMapVO findAccountInUserGroup(long accountId) {
+ SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+ sc.setParameters("accountId", accountId);
+ sc.setParameters("groupId", 1);
+ return findOneBy(sc);
+ }
+
+ @Override
public AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", acctId);
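Review bot: Role resolution now hinges on the bare literals in `sc.setParameters("groupId", 3);` and `sc.setParameters("groupId", 1);`, which tie "domain admin" and "normal user" to whatever rows the schema happens to seed with those ids; nothing names them or verifies the rows exist, so a reseeded or reordered group table would silently change who is treated as an admin. Introduce named constants whose values come from the schema seed, e.g. `private static final long DOMAIN_ADMIN_GROUP_ID = 3;` and `private static final long USER_GROUP_ID = 1;`, and since `findByGroupAndAccount` directly below appears to perform the same account/group lookup, each new method can collapse to `return findByGroupAndAccount(DOMAIN_ADMIN_GROUP_ID, accountId);` (respectively `USER_GROUP_ID`). `findByGroupAndAccount`'s body continues past the end of the hunk.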
@@ -100,5 +116,4 @@ public class AclGroupAccountMapDaoImpl extends GenericDaoBase<AclGroupAccountMap
s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
}
}
-
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index 4afc043..1b018f9 100644
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -385,6 +385,18 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
// TODO Auto-generated method stub
}
+
+ @Override
+ public boolean isDomainAdmin(long accountId) {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isNormalUser(long accountId) {
+ // TODO Auto-generated method stub
+ return false;
+ }
}
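Review bot: Both stubs return `false` unconditionally, so in any test wired with this mock every account is neither a normal user nor a domain admin and takes the unrestricted branch of the checks this commit rewrites (DomainChecker, ApiResponseHelper, QueryManagerImpl); a test that used to exercise the normal-user path via `Account.ACCOUNT_TYPE_NORMAL` now silently exercises the admin path. A mock faithful to the previous behavior would answer from the account type, e.g. `return getAccount(accountId).getType() == Account.ACCOUNT_TYPE_NORMAL;`, provided this mock's `getAccount` is implemented (not visible here). The same applies to the identical stubs added to server/test MockAccountManagerImpl.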
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/acl/DomainChecker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index a65e77b..4df968e 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -72,7 +72,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
long domainId = domain.getId();
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ if (_accountService.isNormalUser(caller.getId())) {
if (caller.getDomainId() != domainId) {
throw new PermissionDeniedException(caller + " does not have permission to operate within domain id=" + domain.getId());
}
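Review bot: The domain-containment check at `if (_accountService.isNormalUser(caller.getId()))` now depends on a row in the ACL group map instead of the account's type, so an account that has no membership in the User group (one created before the mapping was seeded, or removed from its group) falls past this branch and is no longer confined to its own domain, whereas the old `caller.getType() == Account.ACCOUNT_TYPE_NORMAL` could not be escaped that way. Unless the migration guarantees a User-group row for every existing normal account, keep the type as a floor, e.g. `if (_accountService.isNormalUser(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_NORMAL)`, or have `isNormalUser` itself fall back to the type when no mapping exists. The same fail-open shift applies to every `isNormalUser`-gated restriction in this commit: the project-account check in the next hunk, QueryManagerImpl's listing and `TemplateFilter.all` checks, NetworkServiceImpl, ProjectManagerImpl, ManagementServerImpl, TaggedResourceManagerImpl and the project listing in AccountManagerImpl. The enclosing method starts outside the hunk.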
@@ -132,7 +132,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
} else if (entity instanceof AffinityGroup) {
return false;
} else {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ if (_accountService.isNormalUser(caller.getId())) {
Account account = _accountDao.findById(entity.getAccountId());
if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
@@ -172,7 +172,9 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
//if account is normal user or domain admin
//check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for disk offering)
- else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ else if (_accountService.isNormalUser(account.getId())
+ || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
+ || _accountService.isDomainAdmin(account.getId())) {
if (account.getDomainId() == dof.getDomainId()) {
return true; //disk offering and account at exact node
} else {
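Review bot: The rewritten condition mixes two authorization sources: `isNormalUser` and `isDomainAdmin` come from ACL group membership while `account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN` is still the account type, so one account can satisfy both, one or neither depending on how groups were seeded, and the three terms are no longer mutually exclusive as the old type comparisons were. Until resource domain admins also have a group, put a one-line comment on the condition, e.g. `// isNormalUser/isDomainAdmin are group-based; RESOURCE_DOMAIN_ADMIN is still type-based`, so the next reader does not assume exclusivity. The same mixture appears in the service-offering hunk that follows and in QueryManagerImpl's offering and zone listing hunks. The enclosing method starts outside the hunk.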
@@ -208,7 +210,9 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
//if account is normal user or domain admin
//check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for service offering)
- else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ else if (_accountService.isNormalUser(account.getId())
+ || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
+ || _accountService.isDomainAdmin(account.getId())) {
if (account.getDomainId() == so.getDomainId()) {
return true; //service offering and account at exact node
} else {
@@ -244,7 +248,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
//if account is normal user
//check if account's domain is a child of zone's domain
- else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+ else if (_accountService.isNormalUser(account.getId()) || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
// if zone is dedicated to an account check that the accountId
// matches.
DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(zone.getId());
@@ -280,7 +284,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
//if account is domain admin
//check if the account's domain is either child of zone's domain, or if zone's domain is child of account's domain
- else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ else if (_accountService.isDomainAdmin(account.getId())) {
if (account.getDomainId() == zone.getDomainId()) {
return true; //zone and account at exact node
} else {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index fd20f2b..6851473 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -1941,12 +1941,12 @@ public class ApiResponseHelper implements ResponseGenerator {
Account jobOwner = _accountMgr.getAccount(userJobOwner.getAccountId());
//check permissions
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
//regular user can see only jobs he owns
if (caller.getId() != jobOwner.getId()) {
throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId());
}
- } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ } else if (_accountMgr.isDomainAdmin(caller.getId())) {
_accountMgr.checkAccess(caller, null, true, jobOwner);
}
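Review bot: A caller that is in neither the User group nor the Domain Admin group now reaches the end of the `if (_accountMgr.isNormalUser(...)) ... else if (_accountMgr.isDomainAdmin(...))` chain with no permission check at all and the job is returned unconditionally; before the change that gap covered only the other admin types, now it also covers any account without a group mapping. Add a closing branch that applies the same containment as the domain-admin case, `} else { _accountMgr.checkAccess(caller, null, true, jobOwner); }`, assuming `checkAccess` passes root admins as it does elsewhere (not visible here). The enclosing method starts outside the hunk.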
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 367f418..882e406 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -1297,9 +1297,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
accountId = caller.getId();
}
- if (domainId == null && accountId == null && (caller.getType() == Account.ACCOUNT_TYPE_NORMAL || !listAll)) {
+ if (domainId == null && accountId == null && (_accountMgr.isNormalUser(caller.getId()) || !listAll)) {
accountId = caller.getId();
- } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || (isRecursive && !listAll)) {
+ } else if (_accountMgr.isDomainAdmin(caller.getId()) || (isRecursive && !listAll)) {
DomainVO domain = _domainDao.findById(caller.getDomainId());
path = domain.getPath();
}
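Review bot: Each `_accountMgr.isNormalUser(caller.getId())` / `_accountMgr.isDomainAdmin(caller.getId())` on the new lines is now a database lookup rather than a field read, and this condition chain resolves the caller's role twice in a row. Resolve it once before the chain, e.g. `boolean callerIsNormalUser = _accountMgr.isNormalUser(caller.getId());`, and reuse the local; the zone-listing method (hunks at 2570, 2580 and 2627) repeats the same lookup for one `account` three times and would benefit the same way. The enclosing method starts outside the hunk.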
@@ -2290,7 +2290,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> domainIds = null;
// For non-root users, only return all offerings for the user's domain,
// and everything above till root
- if ((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
+ if ((_accountMgr.isNormalUser(account.getId()) || _accountMgr.isDomainAdmin(account.getId()))
|| account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
// find all domain Id up to root domain for this account
domainIds = new ArrayList<Long>();
@@ -2436,7 +2436,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
// boolean includePublicOfferings = false;
- if ((caller.getType() == Account.ACCOUNT_TYPE_NORMAL || caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
+ if ((_accountMgr.isNormalUser(caller.getId()) || _accountMgr.isDomainAdmin(caller.getId()))
|| caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
// For non-root users.
if (isSystem) {
@@ -2570,7 +2570,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// only list zones associated // with this domain, private zone
sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
- if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ if (_accountMgr.isNormalUser(account.getId())) {
// accountId == null (zones dedicated to a domain) or
// accountId = caller
SearchCriteria<DataCenterJoinVO> sdc = _dcJoinDao.createSearchCriteria();
@@ -2580,7 +2580,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sc.addAnd("accountId", SearchCriteria.Op.SC, sdc);
}
- } else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ } else if (_accountMgr.isNormalUser(account.getId())) {
// it was decided to return all zones for the user's domain, and
// everything above till root
// list all zones belonging to this domain, and all of its
@@ -2627,7 +2627,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
dedicatedZoneIds.toArray(new Object[dedicatedZoneIds.size()]));
}
- } else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN
+ } else if (_accountMgr.isDomainAdmin(account.getId())
|| account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
// it was decided to return all zones for the domain admin, and
// everything above till root, as well as zones till the domain
@@ -2765,7 +2765,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
boolean listAll = false;
if (templateFilter != null && templateFilter == TemplateFilter.all) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+ " can be specified by admin only");
}
@@ -2869,7 +2869,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// add criteria for domain path in case of domain admin
if ((templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable)
- && (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
+ && (_accountMgr.isDomainAdmin(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
}
@@ -3062,7 +3062,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
boolean listAll = false;
if (isoFilter != null && isoFilter == TemplateFilter.all) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+ " can be specified by admin only");
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/network/NetworkServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index 690365f..14ed6e2 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -1198,7 +1198,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
// Regular user can create Guest Isolated Source Nat enabled network only
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL
+ if (_accountMgr.isNormalUser(caller.getId())
&& (ntwkOff.getTrafficType() != TrafficType.Guest || ntwkOff.getGuestType() != Network.GuestType.Isolated
&& areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat))) {
throw new InvalidParameterValueException("Regular user can create a network only from the network" +
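Review bot: The new `_accountMgr.isNormalUser(caller.getId())` is joined to a condition that mixes `||` and `&&` without parentheses, so it reads as `trafficType != Guest || (guestType != Isolated && areServicesSupportedByNetworkOffering(..., SourceNat))`, which does not obviously match the comment "Guest Isolated Source Nat enabled network only"; if the intent is to reject anything that is not all three, the last term would presumably need negating, e.g. `|| !areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)`. The precedence predates this commit, but since the line is being touched it is the moment to either parenthesize the intended grouping or confirm it with a comment. The statement continues past the end of the hunk.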
@@ -1407,7 +1407,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// 1) default is system to false if not specified
// 2) reset parameter to false if it's specified by the regular user
- if ((isSystem == null || caller.getType() == Account.ACCOUNT_TYPE_NORMAL) && id == null) {
+ if ((isSystem == null || _accountMgr.isNormalUser(caller.getId())) && id == null) {
isSystem = false;
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/projects/ProjectManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/projects/ProjectManagerImpl.java b/server/src/com/cloud/projects/ProjectManagerImpl.java
index b97f1e8..d16aba2 100755
--- a/server/src/com/cloud/projects/ProjectManagerImpl.java
+++ b/server/src/com/cloud/projects/ProjectManagerImpl.java
@@ -184,7 +184,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
Account owner = caller;
//check if the user authorized to create the project
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL && !_allowUserToCreateProject) {
+ if (_accountMgr.isNormalUser(caller.getId()) && !_allowUserToCreateProject) {
throw new PermissionDeniedException("Regular user is not permitted to create a project");
}
@@ -432,7 +432,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
//ROOT admin always can access the project
if (_accountMgr.isRootAdmin(caller.getId())) {
return true;
- } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ } else if (_accountMgr.isDomainAdmin(caller.getId())) {
Account owner = _accountMgr.getAccount(accountId);
_accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId()));
return true;
@@ -446,7 +446,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
//ROOT admin always can access the project
if (_accountMgr.isRootAdmin(caller.getId())) {
return true;
- } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+ } else if (_accountMgr.isDomainAdmin(caller.getId())) {
Account owner = _accountMgr.getAccount(accountId);
_accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId()));
return true;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
index 55097ce..1ce76a9 100755
--- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
+++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
@@ -614,7 +614,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
}
if ((caller.getAccountId() == accountId.longValue()) &&
- (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN ||
+ (_accountMgr.isDomainAdmin(caller.getId()) ||
caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
// If the admin is trying to update his own account, disallow.
throw new PermissionDeniedException("Unable to update resource limit for his own account " + accountId + ", permission denied");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/server/ManagementServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index 5af088d..6dfcdf9 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -896,7 +896,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
boolean result =true;
List<Long> permittedAccountIds = new ArrayList<Long>();
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL || caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+ if (_accountService.isNormalUser(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
permittedAccountIds.add(caller.getId());
} else {
DomainVO domain = _domainDao.findById(caller.getDomainId());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/servlet/ConsoleProxyServlet.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
index b7f4b40..463f4a5 100644
--- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
@@ -480,7 +480,8 @@ public class ConsoleProxyServlet extends HttpServlet {
s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
+ " does not match the account id in session " + accountObj.getId() + " and caller is a normal user");
}
- } else if(accountObj.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || accountObj.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) {
+ } else if (_accountMgr.isDomainAdmin(accountObj.getId())
+ || accountObj.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) {
if(s_logger.isDebugEnabled()) {
s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
+ " does not match the account id in session " + accountObj.getId() + " and the domain-admin caller does not manage the target domain");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
index d8d2689..83e108d 100644
--- a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
+++ b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
@@ -279,7 +279,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
Long accountId = accountDomainPair.first();
if (accountId != null) {
_accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId));
- } else if (domainId != null && caller.getType() != Account.ACCOUNT_TYPE_NORMAL) {
+ } else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) {
//check permissions;
_accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId));
} else {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/usage/UsageServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/usage/UsageServiceImpl.java b/server/src/com/cloud/usage/UsageServiceImpl.java
index d22319b..226f721 100755
--- a/server/src/com/cloud/usage/UsageServiceImpl.java
+++ b/server/src/com/cloud/usage/UsageServiceImpl.java
@@ -164,7 +164,7 @@ public class UsageServiceImpl extends ManagerBase implements UsageService, Manag
//If account_id or account_name is explicitly mentioned, list records for the specified account only even if the caller is of type admin
if (_accountService.isRootAdmin(caller.getId())) {
isAdmin = true;
- } else if(caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN){
+ } else if (_accountService.isDomainAdmin(caller.getId())) {
isDomainAdmin = true;
}
s_logger.debug("Account details not available. Using userContext accountId: " + accountId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index d8f2ae6..6a5b29c 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -375,6 +375,26 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
return false;
}
+ @Override
+ public boolean isDomainAdmin(long accountId) {
+ // refer to account_group_map and check if account is in Domain 'Admin' group
+ AclGroupAccountMapVO domainAdminGroupMember = _aclGroupAccountDao.findAccountInDomainAdminGroup(accountId);
+ if (domainAdminGroupMember != null) {
+ return true;
+ }
+ return false;
+ }
+
+ @Override
+ public boolean isNormalUser(long accountId) {
+ // refer to account_group_map and check if account is in 'User' group
+ AclGroupAccountMapVO user = _aclGroupAccountDao.findAccountInUserGroup(accountId);
+ if (user != null) {
+ return true;
+ }
+ return false;
+ }
+
public boolean isResourceDomainAdmin(short accountType) {
return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN);
}
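Review bot: `if (domainAdminGroupMember != null) { return true; } return false;` is the long form of `return domainAdminGroupMember != null;`, in both `isDomainAdmin` and `isNormalUser`. The comments say what is looked up but not what a missing row means, and because callers treat `false` as "not restricted", a Javadoc such as `@return true only if a row maps the account into the built-in Domain Admin group; accounts with no group mapping return false whatever their account type` would make that contract explicit. Note that `isResourceDomainAdmin` two lines below still keys off the account type, so the three predicates now answer from different sources.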
@@ -2352,7 +2372,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (projectId != null) {
if (!forProjectInvitation) {
if (projectId.longValue() == -1) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ if (isNormalUser(caller.getId())) {
permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
} else {
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
@@ -2516,4 +2536,5 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public UserAccount getUserByApiKey(String apiKey) {
return _userAccountDao.getUserByApiKey(apiKey);
}
+
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 224c30e..d7d4e70 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -4203,7 +4203,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
// VV 1: verify the two users
Account caller = CallContext.current().getCallingAccount();
if (!_accountMgr.isRootAdmin(caller.getId())
- && caller.getType() != Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { // only
+ && !_accountMgr.isDomainAdmin(caller.getId())) { // only
// root
// admin
// can
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e0d2423f/server/test/com/cloud/user/MockAccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index 756abee..085670c 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -350,4 +350,16 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
return null;
}
+ @Override
+ public boolean isDomainAdmin(long accountId) {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isNormalUser(long accountId) {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
}