Posted to commits@cloudstack.apache.org by ya...@apache.org on 2013/07/22 07:37:24 UTC
[15/50] [abbrv] git commit: updated refs/heads/pvlan to ce299da
CLOUDSTACK-2365: Anti-Affinity - As admin , we are allowed to deploy a Vm in an affinity group that belongs to different user.
CLOUDSTACK-2349: Anti-Affinity - As admin user , using updateVMAffinityGroup() , we are allowed to update the affinity group of a Vm (that belongs to a regular user) to be set to admin's affinity group.
Changes:
- Even for a root admin, make sure that the affinity group and the VM belong to the same account
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/1851f7f7
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/1851f7f7
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/1851f7f7
Branch: refs/heads/pvlan
Commit: 1851f7f7f6bb4bcf3521ea44c51e9506cb86a72d
Parents: 7cae8ca
Author: Prachi Damle <pr...@cloud.com>
Authored: Fri May 17 15:32:21 2013 -0700
Committer: Prachi Damle <pr...@cloud.com>
Committed: Fri May 17 15:33:01 2013 -0700
----------------------------------------------------------------------
server/src/com/cloud/vm/UserVmManagerImpl.java | 8 ++++++++
.../cloudstack/affinity/AffinityGroupServiceImpl.java | 9 +++++++++
2 files changed, 17 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/1851f7f7/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 860daaf..05ff6aa 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -2366,6 +2366,14 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Use
} else {
// verify permissions
_accountMgr.checkAccess(caller, null, true, owner, ag);
+ // Root admin has access to both VM and AG by default, but
+ // make sure the owner of these entities is same
+ if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
+ if (ag.getAccountId() != owner.getAccountId()) {
+ throw new PermissionDeniedException("Affinity Group " + ag
+ + " does not belong to the VM's account");
+ }
+ }
}
}
}
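Review bot: The new ownership comparison only runs when the caller is the system account or a root admin, so it stays correct only while this condition matches whatever bypass `checkAccess` applies internally, which is not visible in this hunk. The commit description treats "affinity group and VM belong to the same account" as a rule that holds for every caller, so the inner test could run unconditionally right after `checkAccess`: `if (ag.getAccountId() != owner.getAccountId()) { throw new PermissionDeniedException(...); }`. Written that way, a caller type that later gains a similar bypass cannot reopen the cross-account assignment. The same guard is added in the AffinityGroupServiceImpl hunk at `@@ -332,6 +333,14 @@` and the same applies there. The enclosing method starts and ends outside this hunk.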
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/1851f7f7/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
index fc2cfcf..efe18c3 100644
--- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@@ -36,6 +36,7 @@ import com.cloud.deploy.DeploymentPlanner;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.PermissionDeniedException;
import com.cloud.exception.ResourceInUseException;
import com.cloud.network.security.SecurityGroup;
import com.cloud.user.Account;
@@ -332,6 +333,14 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
} else {
// verify permissions
_accountMgr.checkAccess(caller, null, true, owner, ag);
+ // Root admin has access to both VM and AG by default, but make sure the
+ // owner of these entities is same
+ if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
+ if (ag.getAccountId() != owner.getAccountId()) {
+ throw new PermissionDeniedException("Affinity Group " + ag
+ + " does not belong to the VM's account");
+ }
+ }
}
}
_affinityGroupVMMapDao.updateMap(vmId, affinityGroupIds);
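Review bot: This block is a line-for-line copy of the guard added in UserVmManagerImpl, so the same-account rule for a VM and its affinity group now lives in two places that can drift apart. A single shared helper taking `owner` and `ag`, called from both sites, would keep the condition and the message in one place. The exception text concatenates `ag` directly and so relies on its `toString()`; naming the group id and the owning account id explicitly would make a denial easier to trace in logs. The diffstat lists only the two implementation files, so a regression test for the root-admin cross-account case looks to be missing. The enclosing method extends outside the hunk.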