Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/05/20 00:46:26 UTC
[1/5] Revert "Disable IAM feature from 4.4 release."
Repository: cloudstack
Updated Branches:
refs/heads/4.4-forward-iam [created] 26a6aa546
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 58709ec..e7db877 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -35,9 +35,6 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
-
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.affinity.AffinityGroupService;
@@ -86,6 +83,8 @@ import org.apache.cloudstack.storage.command.DeleteCommand;
import org.apache.cloudstack.storage.command.DettachCommand;
import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.agent.api.Answer;
@@ -532,7 +531,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("Vm with id " + vmId + " is not in the right state");
}
- _accountMgr.checkAccess(caller, null, true, userVm);
+ _accountMgr.checkAccess(caller, null, userVm);
boolean result = resetVMPasswordInternal(vmId, password);
@@ -638,7 +637,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
+ " in specified domain id");
}
- _accountMgr.checkAccess(caller, null, true, userVm);
+ _accountMgr.checkAccess(caller, null, userVm);
String password = null;
String sshPublicKey = s.getPublicKey();
if (template != null && template.getEnablePassword()) {
@@ -778,7 +777,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
+ "; make sure the virtual machine is stopped");
}
- _accountMgr.checkAccess(caller, null, true, vmInstance);
+ _accountMgr.checkAccess(caller, null, vmInstance);
// Check resource limits for CPU and Memory.
Map<String, String> customParameters = cmd.getDetails();
@@ -892,7 +891,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
}
- _accountMgr.checkAccess(caller, null, true, vmInstance);
+ _accountMgr.checkAccess(caller, null, vmInstance);
// Check resource limits for CPU and Memory.
ServiceOfferingVO newServiceOffering = _offeringDao.findById(svcOffId);
@@ -961,7 +960,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
Long vmId = cmd.getVmId();
Long networkId = cmd.getNetworkId();
String ipAddress = cmd.getIpAddress();
- Account caller = CallContext.current().getCallingAccount();
UserVmVO vmInstance = _vmDao.findById(vmId);
if (vmInstance == null) {
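Review bot: No access check on `vmInstance` or `network` remains visible on the new side of this method. This hunk drops the `Account caller` lookup, and the next two hunks (`@@ -972,12 +970,6` and `@@ -990,18 +982,12`) delete the non-admin network ACL test and both `checkAccess` calls without a replacement. The sibling NIC paths further down were only converted, to `_accountMgr.checkAccess(caller, null, vmInstance);` and `_accountMgr.checkAccess(caller, AccessType.UseEntry, network);`, so the same two converted calls (plus the `caller` lookup) should be kept here as well. If authorization for this call is meant to happen elsewhere, a comment naming where would keep this from reading as a dropped check. The method begins and ends outside these hunks, so a check outside the visible lines cannot be ruled out.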
@@ -972,12 +970,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a network with id " + networkId);
}
- if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
- if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
- && !(network.getAclType() == ACLType.Account && network.getAccountId() == vmInstance.getAccountId())) {
- throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vmId: " + vmId);
- }
- }
List<NicVO> allNics = _nicDao.listByVmId(vmInstance.getId());
for (NicVO nic : allNics) {
@@ -990,18 +982,12 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
profile = new NicProfile(ipAddress, null);
}
- // Perform permission check on VM
- _accountMgr.checkAccess(caller, null, true, vmInstance);
-
// Verify that zone is not Basic
DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
if (dc.getNetworkType() == DataCenter.NetworkType.Basic) {
throw new CloudRuntimeException("Zone " + vmInstance.getDataCenterId() + ", has a NetworkType of Basic. Can't add a new NIC to a VM on a Basic Network");
}
- // Perform account permission check on network
- _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
-
//ensure network belongs in zone
if (network.getDataCenterId() != vmInstance.getDataCenterId()) {
throw new CloudRuntimeException(vmInstance + " is in zone:" + vmInstance.getDataCenterId() + " but " + network + " is in zone:" + network.getDataCenterId());
@@ -1060,7 +1046,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// Perform permission check on VM
- _accountMgr.checkAccess(caller, null, true, vmInstance);
+ _accountMgr.checkAccess(caller, null, vmInstance);
// Verify that zone is not Basic
DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
@@ -1074,7 +1060,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// Perform account permission check on network
- _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+ _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
boolean nicremoved = false;
@@ -1116,7 +1102,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// Perform permission check on VM
- _accountMgr.checkAccess(caller, null, true, vmInstance);
+ _accountMgr.checkAccess(caller, null, vmInstance);
// Verify that zone is not Basic
DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
@@ -1298,7 +1284,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("This operation not permitted for this hypervisor of the vm");
}
- _accountMgr.checkAccess(caller, null, true, vmInstance);
+ _accountMgr.checkAccess(caller, null, vmInstance);
//Check if its a scale "up"
ServiceOfferingVO newServiceOffering = _offeringDao.findById(newServiceOfferingId);
@@ -1507,7 +1493,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, vm);
+ _accountMgr.checkAccess(caller, null, vm);
if (vm.getRemoved() != null) {
if (s_logger.isDebugEnabled()) {
@@ -1850,7 +1836,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find virtual machine with id " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vmInstance);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vmInstance);
//If the flag is specified and is changed
if (isDisplayVm != null && isDisplayVm != vmInstance.isDisplayVm()) {
@@ -2065,7 +2051,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
}
- _accountMgr.checkAccess(caller, null, true, vmInstance);
+ _accountMgr.checkAccess(caller, null, vmInstance);
// If the VM is Volatile in nature, on reboot discard the VM's root disk and create a new root disk for it: by calling restoreVM
long serviceOfferingId = vmInstance.getServiceOfferingId();
@@ -2163,7 +2149,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a vm group with id " + groupId);
}
- _accountMgr.checkAccess(caller, null, true, group);
+ _accountMgr.checkAccess(caller, null, group);
return deleteVmGroup(groupId);
}
@@ -2297,7 +2283,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
List<NetworkVO> networkList = new ArrayList<NetworkVO>();
// Verify that caller can perform actions in behalf of vm owner
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
// Get default guest network in Basic zone
Network defaultNetwork = _networkModel.getExclusiveGuestNetwork(zone.getId());
@@ -2352,7 +2338,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
boolean isVmWare = (template.getHypervisorType() == HypervisorType.VMware || (hypervisor != null && hypervisor == HypervisorType.VMware));
// Verify that caller can perform actions in behalf of vm owner
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
// If no network is specified, find system security group enabled network
if (networkIdList == null || networkIdList.isEmpty()) {
@@ -2410,7 +2396,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
// Perform account permission check
if (network.getAclType() == ACLType.Account) {
- _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
}
networkList.add(network);
}
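Review bot: The principal of this check changes from `caller` to `owner`, so the line now asks whether the VM owner may use the network rather than whether the calling account may. The comment above it still says only "Perform account permission check". The same switch is made for the security group (`@@ -2626`), affinity group (`@@ -2642`), template (`@@ -2688`) and network (`@@ -2720`) checks, and in AffinityGroupServiceImpl (`@@ -477`). This is sound only if the caller's right to act for `owner` is always established first; a `checkAccess(caller, null, owner)` is visible in nearby hunks but whether it is the same method cannot be told from here. I would state the dependency at each site, e.g. `// checked against owner; caller's right to act on behalf of owner is verified earlier in this method`.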
@@ -2456,7 +2442,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
List<NetworkVO> networkList = new ArrayList<NetworkVO>();
// Verify that caller can perform actions in behalf of vm owner
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
List<HypervisorType> vpcSupportedHTypes = _vpcMgr.getSupportedVpcHypervisors();
if (networkIdList == null || networkIdList.isEmpty()) {
@@ -2521,7 +2507,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
}
- _networkModel.checkNetworkPermissions(owner, network);
+ _networkModel.checkNetworkPermissions(owner, network, AccessType.UseEntry);
// don't allow to use system networks
NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
@@ -2550,7 +2536,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
List<Long> affinityGroupIdList, Map<String, String> customParameters, String customId) throws InsufficientCapacityException, ResourceUnavailableException,
ConcurrentOperationException, StorageUnavailableException, ResourceAllocationException {
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
if (owner.getState() == Account.State.disabled) {
throw new PermissionDeniedException("The owner of vm to deploy is disabled: " + owner);
@@ -2626,7 +2612,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("Unable to find security group by id " + securityGroupId);
} else {
// verify permissions
- _accountMgr.checkAccess(caller, null, true, owner, sg);
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, sg);
}
}
}
@@ -2642,27 +2628,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
+ " , Please try again after removing the affinity group");
} else {
// verify permissions
- if (ag.getAclType() == ACLType.Domain) {
- _accountMgr.checkAccess(caller, null, false, owner, ag);
- // Root admin has access to both VM and AG by default,
- // but
- // make sure the owner of these entities is same
- if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
- if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) {
- throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's domain");
- }
- }
- } else {
- _accountMgr.checkAccess(caller, null, true, owner, ag);
- // Root admin has access to both VM and AG by default,
- // but
- // make sure the owner of these entities is same
- if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
- if (ag.getAccountId() != owner.getAccountId()) {
- throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
- }
- }
- }
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
}
}
}
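Review bot: The single `checkAccess(owner, AccessType.UseEntry, ag)` replaces two distinct rules: the `ACLType.Domain` branch, which validated via `isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())`, and the account branch, which required `ag.getAccountId() == owner.getAccountId()` for root/system callers. Nothing in the hunk shows that the checker behind `checkAccess` distinguishes domain-scoped groups from account-scoped ones. If it does not, a domain-level group could be either wrongly refused or accepted across domains. A comment naming the checker that covers the domain case is needed here, along the lines of `// domain-level affinity groups are resolved by the checker behind checkAccess — TODO name it`. It would also help to add a test that deploys with a domain-level group owned outside the owner's domain tree.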
@@ -2688,10 +2654,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
// Check templates permissions
- if (!template.isPublicTemplate()) {
- Account templateOwner = _accountMgr.getAccount(template.getAccountId());
- _accountMgr.checkAccess(owner, null, true, templateOwner);
- }
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, template);
// check if the user data is correct
validateUserData(userData, httpmethod);
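Review bot: The `isPublicTemplate()` short-circuit is gone, so public templates owned by another account now go through `checkAccess(owner, AccessType.UseEntry, template)` as well. Whether that call lets them through is not visible in this diff. The assign-VM path at `@@ -4291` keeps the old shape (`if (!template.isPublicTemplate())` followed by `checkAccess(newAccount, null, templateOwner)`), so the two template checks in this file now follow different rules. I would either convert that site to the same `UseEntry` form or add a comment here such as `// public templates are admitted by the UseEntry check itself, no separate isPublicTemplate() guard needed`, once that is confirmed.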
@@ -2720,13 +2683,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("Network id=" + network.getId() + " doesn't belong to zone " + zone.getId());
}
- //relax the check if the caller is admin account
- if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
- if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
- && !(network.getAclType() == ACLType.Account && network.getAccountId() == accountId)) {
- throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vm");
- }
- }
+ // Perform account permission check on network
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
IpAddresses requestedIpPair = null;
if (requestedIps != null && !requestedIps.isEmpty()) {
@@ -3349,7 +3307,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
}
- _accountMgr.checkAccess(callerAccount, null, true, vm);
+ _accountMgr.checkAccess(callerAccount, null, vm);
Account owner = _accountDao.findById(vm.getAccountId());
@@ -3656,7 +3614,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw ex;
}
- _accountMgr.checkAccess(caller, null, true, vm);
+ _accountMgr.checkAccess(caller, null, vm);
boolean status;
@@ -4237,8 +4195,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
//check caller has access to both the old and new account
- _accountMgr.checkAccess(caller, null, true, oldAccount);
- _accountMgr.checkAccess(caller, null, true, newAccount);
+ _accountMgr.checkAccess(caller, null, oldAccount);
+ _accountMgr.checkAccess(caller, null, newAccount);
// make sure the accounts are not same
if (oldAccount.getAccountId() == newAccount.getAccountId()) {
@@ -4291,7 +4249,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
VirtualMachineTemplate template = _templateDao.findById(vm.getTemplateId());
if (!template.isPublicTemplate()) {
Account templateOwner = _accountMgr.getAccount(template.getAccountId());
- _accountMgr.checkAccess(newAccount, null, true, templateOwner);
+ _accountMgr.checkAccess(newAccount, null, templateOwner);
}
// VV 5: check the new account can create vm in the domain
@@ -4441,7 +4399,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw ex;
}
- _networkModel.checkNetworkPermissions(newAccount, network);
+ _networkModel.checkNetworkPermissions(newAccount, network, AccessType.UseEntry);
// don't allow to use system networks
NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
@@ -4548,7 +4506,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
throw ex;
}
- _accountMgr.checkAccess(caller, null, true, vm);
+ _accountMgr.checkAccess(caller, null, vm);
return restoreVMInternal(caller, vm, newTemplateId);
}
@@ -4598,7 +4556,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
//newTemplateId can be either template or ISO id. In the following snippet based on the vm deployment (from template or ISO) it is handled accordingly
if (newTemplateId != null) {
template = _templateDao.findById(newTemplateId);
- _accountMgr.checkAccess(caller, null, true, template);
+ _accountMgr.checkAccess(caller, null, template);
if (isISO) {
if (!template.getFormat().equals(ImageFormat.ISO)) {
throw new InvalidParameterValueException("Invalid ISO id provided to restore the VM ");
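Review bot: `template` is handed to `checkAccess` and then dereferenced by `template.getFormat()` with no null check after `_templateDao.findById(newTemplateId)`. Other lookups in this file test the `findById` result for null before using it. An id that does not resolve would then surface as a failure inside the access check or as a NullPointerException rather than a parameter error. I would add, before the `checkAccess` line, `if (template == null) { throw new InvalidParameterValueException("Unable to find template or ISO with id " + newTemplateId); }`. The enclosing method starts and ends outside the hunk.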
@@ -4779,6 +4737,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
// root.getPoolId() should be null if the VM we are detaching the disk from has never been started before
DataStore dataStore = root.getPoolId() != null ? _dataStoreMgr.getDataStore(root.getPoolId(), DataStoreRole.Primary) : null;
+
volumeMgr.disconnectVolumeFromHost(volFactory.getVolume(root.getId()), host, dataStore);
}
}
@@ -4826,7 +4785,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
}
//check permissions
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vm);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vm);
return vm.getUserData();
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
index f5957ff..8dc2c18 100644
--- a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
+++ b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
@@ -169,7 +169,9 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
@Override
public List<VMSnapshotVO> listVMSnapshots(ListVMSnapshotCmd cmd) {
Account caller = getCaller();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
boolean listAll = cmd.listAll();
Long id = cmd.getId();
@@ -182,15 +184,14 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, listAll,
- false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, false, "listVMSnapshot");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(VMSnapshotVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<VMSnapshotVO> sb = _vmSnapshotDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("vm_id", sb.entity().getVmId(), SearchCriteria.Op.EQ);
sb.and("domain_id", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
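Review bot: The new last argument `"listVMSnapshot"` is a bare string literal, and the same pattern appears with `"listLoadBalancers"` in ApplicationLoadBalancerManagerImpl (`@@ -389`). If this string is matched against a registered action or API name when the permitted domains, accounts and resources are computed (not visible here), a misspelling would compile and quietly change what the list returns. I would take the value from a constant or from the command object, and add a short comment saying what the string is matched against.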
@@ -202,7 +203,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
sb.done();
SearchCriteria<VMSnapshotVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (accountName != null && cmd.getDomainId() != null) {
Account account = _accountMgr.getActiveAccountByName(accountName, cmd.getDomainId());
@@ -213,8 +214,8 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
sc.setParameters("vm_id", vmId);
}
- if (domainId != null) {
- sc.setParameters("domain_id", domainId);
+ if (cmd.getDomainId() != null) {
+ sc.setParameters("domain_id", cmd.getDomainId());
}
if (state == null) {
@@ -296,7 +297,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
}
// check access
- _accountMgr.checkAccess(caller, null, true, userVmVo);
+ //_accountMgr.checkAccess(caller, null, userVmVo);
// check max snapshot limit for per VM
if (_vmSnapshotDao.findByVm(vmId).size() >= _vmSnapshotMax) {
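Review bot: The access check on `userVmVo` is commented out here instead of being ported to the new signature, so on the new side nothing visible verifies the caller's right to the VM before the snapshot-limit test. Every other call site in this file was converted, so this one should read `_accountMgr.checkAccess(caller, null, userVmVo);`. If disabling it is deliberate, the dead line should be replaced by a comment that says where access to the VM is enforced for this operation. The enclosing method begins and ends outside the hunk, so a check elsewhere in it cannot be excluded.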
@@ -447,7 +448,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId);
}
- _accountMgr.checkAccess(caller, null, true, vmSnapshot);
+ _accountMgr.checkAccess(caller, null, vmSnapshot);
// check VM snapshot states, only allow to delete vm snapshots in created and error state
if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) {
@@ -512,7 +513,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId);
}
- _accountMgr.checkAccess(caller, null, true, vmSnapshot);
+ _accountMgr.checkAccess(caller, null, vmSnapshot);
// check VM snapshot states, only allow to delete vm snapshots in created and error state
if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) {
@@ -563,7 +564,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
}
Account caller = getCaller();
- _accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
+ _accountMgr.checkAccess(caller, null, vmSnapshotVo);
// VM should be in running or stopped states
if (userVm.getState() != VirtualMachine.State.Running
@@ -645,7 +646,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
}
Account caller = getCaller();
- _accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
+ _accountMgr.checkAccess(caller, null, vmSnapshotVo);
// VM should be in running or stopped states
if (userVm.getState() != VirtualMachine.State.Running && userVm.getState() != VirtualMachine.State.Stopped) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
index 8e606ca..ef63692 100644
--- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@@ -262,7 +262,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
affinityGroupId = group.getId();
}
// check permissions
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, group);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
final Long affinityGroupIdFinal = affinityGroupId;
Transaction.execute(new TransactionCallbackNoReturn() {
@@ -353,7 +353,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
if (userVM == null) {
throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
}
- _accountMgr.checkAccess(caller, null, true, userVM);
+ _accountMgr.checkAccess(caller, null, userVM);
// add join to affinity_groups_vm_map
groupSearch.join("vmInstanceSearch", vmInstanceSearch, groupSearch.entity().getId(), vmInstanceSearch.entity().getAffinityGroupId(),
JoinBuilder.JoinType.INNER);
@@ -477,14 +477,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
throw new InvalidParameterValueException("Unable to find affinity group by id " + affinityGroupId);
} else {
// verify permissions
- _accountMgr.checkAccess(caller, null, true, owner, ag);
- // Root admin has access to both VM and AG by default, but make sure the
- // owner of these entities is same
- if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
- if (ag.getAccountId() != owner.getAccountId()) {
- throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
- }
- }
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
}
}
_affinityGroupVMMapDao.updateMap(vmId, affinityGroupIds);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
index 6854347..ad1a2c4 100644
--- a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
+++ b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
@@ -115,7 +115,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
}
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, AccessType.UseEntry, false, guestNtwk);
+ _accountMgr.checkAccess(caller, AccessType.UseEntry, guestNtwk);
Network sourceIpNtwk = _networkModel.getNetwork(sourceIpNetworkId);
if (sourceIpNtwk == null) {
@@ -389,19 +389,20 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
Map<String, String> tags = cmd.getTags();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listLoadBalancers");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(ApplicationLoadBalancerRuleVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<ApplicationLoadBalancerRuleVO> sb = _lbDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
@@ -428,7 +429,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
}
SearchCriteria<ApplicationLoadBalancerRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<ApplicationLoadBalancerRuleVO> ssc = _lbDao.createSearchCriteria();
@@ -546,7 +547,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
if (rule == null) {
throw new InvalidParameterValueException("Unable to find load balancer " + id);
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
if (customId != null) {
rule.setUuid(customId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
index ba71d63..67f2c02 100644
--- a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
+++ b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
@@ -147,7 +147,7 @@ public class CertServiceImpl implements CertService {
if (certVO == null) {
throw new InvalidParameterValueException("Invalid certificate id: " + certId);
}
- _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, certVO);
+ _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, certVO);
List<LoadBalancerCertMapVO> lbCertRule = _lbCertDao.listByCertId(certId);
@@ -191,7 +191,7 @@ public class CertServiceImpl implements CertService {
throw new InvalidParameterValueException("Invalid certificate id: " + certId);
}
- _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVO);
+ _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVO);
certLbMap = _lbCertDao.listByCertId(certId);
@@ -206,7 +206,7 @@ public class CertServiceImpl implements CertService {
throw new InvalidParameterValueException("found no loadbalancer wth id: " + lbRuleId);
}
- _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, lb);
+ _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, lb);
// get the cert id
LoadBalancerCertMapVO lbCertMapRule;
@@ -229,7 +229,7 @@ public class CertServiceImpl implements CertService {
List<SslCertVO> certVOList = _sslCertDao.listByAccountId(accountId);
if (certVOList == null || certVOList.isEmpty())
return certResponseList;
- _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVOList.get(0));
+ _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVOList.get(0));
for (SslCertVO cert : certVOList) {
certLbMap = _lbCertDao.listByCertId(cert.getId());
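Review bot: Only `certVOList.get(0)` is passed to `checkAccess`, while the loop below builds a response for every certificate in the list. That was equivalent while access was decided by the owning account, since the list comes from `listByAccountId(accountId)`. If the new check can grant or deny per entity, the remaining certificates are returned unchecked. This is inferred from the `permittedResources` lists introduced elsewhere in this commit, not visible in this file. Moving the call into the loop as `_accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, cert);` removes the assumption. The brace-less `if ... return certResponseList;` above would also read better with braces.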
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java b/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
index c84fea2..516b3ab 100644
--- a/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
+++ b/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
@@ -183,7 +183,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId);
}
- _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
+ _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) {
throw new InvalidParameterValueException("global load balancer rule id: " + gslbRule.getUuid() + " is in revoked state");
@@ -224,7 +224,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Specified load balancer rule ID does not exist.");
}
- _accountMgr.checkAccess(caller, null, true, loadBalancer);
+ _accountMgr.checkAccess(caller, null, loadBalancer);
if (gslbRule.getAccountId() != loadBalancer.getAccountId()) {
throw new InvalidParameterValueException("GSLB rule and load balancer rule does not belong to same account");
@@ -319,7 +319,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId);
}
- _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
+ _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) {
throw new InvalidParameterValueException("global load balancer rule id: " + gslbRuleId + " is already in revoked state");
@@ -346,7 +346,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Specified load balancer rule ID does not exist.");
}
- _accountMgr.checkAccess(caller, null, true, loadBalancer);
+ _accountMgr.checkAccess(caller, null, loadBalancer);
}
for (GlobalLoadBalancerLbRuleMapVO gslbLbMapVo : gslbLbMapVos) {
@@ -445,7 +445,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId);
}
- _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
+ _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
if (gslbRule.getState() == com.cloud.region.ha.GlobalLoadBalancerRule.State.Staged) {
if (s_logger.isDebugEnabled()) {
@@ -523,7 +523,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
CallContext ctx = CallContext.current();
Account caller = ctx.getCallingAccount();
- _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
+ _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
if (algorithm != null && !GlobalLoadBalancerRule.Algorithm.isValidAlgorithm(algorithm)) {
throw new InvalidParameterValueException("Invalid Algorithm: " + algorithm);
@@ -583,7 +583,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
if (gslbRule == null) {
throw new InvalidParameterValueException("Invalid gslb rule id specified");
}
- _accountMgr.checkAccess(caller, org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, false, gslbRule);
+ _accountMgr.checkAccess(caller, org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, gslbRule);
response.add(gslbRule);
return response;
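Review bot: This is the only `checkAccess` call in this file that used to pass `false` for the same-owner argument; the six calls in the earlier hunks passed `true`, and all seven now go through the same three-argument overload. What that overload enforces about ownership is not visible in this diff, so presumably either this lookup or the operate paths no longer behave as they did with the explicit flag. State the intended rule on the line, for example `// lookup only: UseEntry permission is sufficient, caller need not own the rule` if that is the intent, and add a test with a caller from a different account to pin it.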
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/event/EventControlsUnitTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/event/EventControlsUnitTest.java b/server/test/com/cloud/event/EventControlsUnitTest.java
index 91dc921..0dc5742 100644
--- a/server/test/com/cloud/event/EventControlsUnitTest.java
+++ b/server/test/com/cloud/event/EventControlsUnitTest.java
@@ -60,7 +60,7 @@ public class EventControlsUnitTest extends TestCase {
MockitoAnnotations.initMocks(this);
_mgmtServer._eventDao = _eventDao;
_mgmtServer._accountMgr = _accountMgr;
- doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class), any(ControlledEntity.class));
+ doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(ControlledEntity.class));
when(_eventDao.listToArchiveOrDeleteEvents(anyList(), anyString(), any(Date.class), any(Date.class), anyList())).thenReturn(_events);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/network/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/network/MockNetworkModelImpl.java b/server/test/com/cloud/network/MockNetworkModelImpl.java
index 6c9e597..33387fa 100644
--- a/server/test/com/cloud/network/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/network/MockNetworkModelImpl.java
@@ -25,6 +25,8 @@ import java.util.Set;
import javax.ejb.Local;
import javax.naming.ConfigurationException;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@@ -878,4 +880,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
public boolean getNetworkEgressDefaultPolicy(Long networkId) {
return false; //To change body of implemented methods use File | Settings | File Templates.
}
+
+ @Override
+ public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+ // TODO Auto-generated method stub
+
+ }
}
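Review bot: The added `checkNetworkPermissions` override has an empty body and only the IDE placeholder `// TODO Auto-generated method stub`, so the mock permits every caller and nothing says this is deliberate. Replace the placeholder with a comment such as `// mock: permits all callers; a test that needs a denial must stub this explicitly`. The same applies to the identical stub added in server/test/com/cloud/vpc/MockNetworkModelImpl.java and to the two `checkAccess` overloads added at the end of MockAccountManagerImpl.java.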
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/user/MockAccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index cc8fbac..a2b8a85 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -32,7 +32,6 @@ import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
-import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.domain.Domain;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.PermissionDeniedException;
@@ -219,10 +218,6 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
return null;
}
- @Override
- public void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException {
- // TODO Auto-generated method stub
- }
@Override
@@ -257,50 +252,6 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
return false;
}
- @Override
- public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long> permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation) {
- // TODO Auto-generated method stub
- }
-
- @Override
- public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
- // TODO Auto-generated method stub
- }
-
- @Override
- public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
- // TODO Auto-generated method stub
- }
-
- @Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
- // TODO Auto-generated method stub
-
- }
/* (non-Javadoc)
* @see com.cloud.user.AccountService#getUserByApiKey(java.lang.String)
@@ -369,24 +320,42 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
}
+ @Override
+ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, boolean isRecursive, List<Long> permittedDomains, List<Long> permittedAccounts,
+ List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+ // TODO Auto-generated method stub
+
+ }
@Override
- public List<String> listAclGroupsByAccount(Long accountId) {
+ public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, boolean isRecursive, List<Long> permittedDomains, List<Long> permittedAccounts,
+ List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
// TODO Auto-generated method stub
- return null;
+
}
@Override
- public void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
- ControlledEntity... entities) throws PermissionDeniedException {
+ public List<String> listAclGroupsByAccount(Long accountId) {
// TODO Auto-generated method stub
+ return null;
}
+
@Override
public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) {
// TODO Auto-generated method stub
return null;
}
+ @Override
+ public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
+ // TODO Auto-generated method stub
+ }
+
+ @Override
+ public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
+ // TODO Auto-generated method stub
+
+ }
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/vm/UserVmManagerTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vm/UserVmManagerTest.java b/server/test/com/cloud/vm/UserVmManagerTest.java
index b67c164..927d5e3 100755
--- a/server/test/com/cloud/vm/UserVmManagerTest.java
+++ b/server/test/com/cloud/vm/UserVmManagerTest.java
@@ -283,7 +283,7 @@ public class UserVmManagerTest {
doReturn(3L).when(_volumeMock).getTemplateId();
doReturn(ImageFormat.VHD).when(_templateMock).getFormat();
when(_templateDao.findById(anyLong())).thenReturn(_templateMock);
- doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock);
+ doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock);
when(_storageMgr.allocateDuplicateVolume(_volumeMock, 14L)).thenReturn(_volumeMock);
when(_templateMock.getGuestOSId()).thenReturn(5L);
doNothing().when(_vmMock).setGuestOSId(anyLong());
@@ -327,7 +327,7 @@ public class UserVmManagerTest {
doReturn(3L).when(_vmMock).getIsoId();
doReturn(ImageFormat.ISO).when(_templateMock).getFormat();
when(_templateDao.findById(anyLong())).thenReturn(_templateMock);
- doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock);
+ doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock);
when(_storageMgr.allocateDuplicateVolume(_volumeMock, null)).thenReturn(_volumeMock);
doNothing().when(_vmMock).setIsoId(14L);
when(_templateMock.getGuestOSId()).thenReturn(5L);
@@ -413,7 +413,7 @@ public class UserVmManagerTest {
doReturn(VirtualMachine.State.Running).when(_vmInstance).getState();
- doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock);
+ doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock);
doNothing().when(_itMgr).checkIfCanUpgrade(_vmMock, _offeringVo);
@@ -606,7 +606,7 @@ public class UserVmManagerTest {
when(_accountService.getActiveAccountByName(anyString(), anyLong())).thenReturn(newAccount);
- doThrow(new PermissionDeniedException("Access check failed")).when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class),
+ doThrow(new PermissionDeniedException("Access check failed")).when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class),
any(ControlledEntity.class));
CallContext.register(user, caller);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java b/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
index 9d5c2b4..03afdbd 100644
--- a/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
+++ b/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
@@ -125,7 +125,7 @@ public class VMSnapshotManagerTest {
_vmSnapshotMgr._guestOSDao = _guestOSDao;
_vmSnapshotMgr._hypervisorCapabilitiesDao = _hypervisorCapabilitiesDao;
- doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class), any(ControlledEntity.class));
+ doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(ControlledEntity.class));
_vmSnapshotMgr._vmSnapshotMax = _vmSnapshotMax;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/vpc/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/MockNetworkModelImpl.java b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
index 67ab8e8..c93584d 100644
--- a/server/test/com/cloud/vpc/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
@@ -26,6 +26,8 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@@ -893,4 +895,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
public boolean getNetworkEgressDefaultPolicy(Long networkId) {
return false; //To change body of implemented methods use File | Settings | File Templates.
}
+
+ @Override
+ public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+ // TODO Auto-generated method stub
+
+ }
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index bb471c0..7b3d967 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -27,7 +27,6 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.iam.api.IAMGroup;
import org.apache.cloudstack.iam.api.IAMPolicy;
@@ -205,13 +204,15 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
boolean otherEntitiesAccess = true;
for (ControlledEntity otherEntity : entities) {
- if (otherEntity.getAccountId() == caller.getAccountId()
- || (checkAccess(caller, otherEntity, accessType, action) && otherEntity.getAccountId() == entity
- .getAccountId())) {
- continue;
- } else {
- otherEntitiesAccess = false;
- break;
+ if (otherEntity != entity) {
+ if (otherEntity.getAccountId() == caller.getAccountId()
+ || (checkAccess(caller, otherEntity, accessType, action) && otherEntity.getAccountId() == entity
+ .getAccountId())) {
+ continue;
+ } else {
+ otherEntitiesAccess = false;
+ break;
+ }
}
}
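Review bot: The new guard `otherEntity != entity` compares object references, so it skips only the very same instance; a second object loaded for the same record would still go through the owner comparison. That errs towards an extra check rather than a skipped one, but the reason for skipping is not written down. If `entity` is indeed checked elsewhere in the method (not visible here), say so with a comment such as `// entity itself is checked separately; skip the same instance here`. The nested `if`/`else` with `continue` would also read more plainly as one negated condition that sets `otherEntitiesAccess = false` and breaks. The enclosing method starts and ends outside the hunk.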
@@ -262,6 +263,8 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
return true;
}
+ } else if (scope.equals(PermissionScope.ALL.name())) {
+ return true;
}
}
return false;
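Review bot: The added `PermissionScope.ALL` branch returns `true` without consulting the caller, the entity's domain or its account, so as far as the hunk shows a permission carrying this scope authorises access to any entity that reaches this point. It is the broadest grant in the method and has no comment; add `// ALL scope: permission applies regardless of the entity's owner or domain` above it. It also needs a test that a caller without such a permission is still denied, since the part of test_vm_iam.py visible in this commit uses only the DOMAIN, ACCOUNT and RESOURCE scopes. `scope.equals(...)` throws on a null scope, and `PermissionScope.ALL.name().equals(scope)` avoids that, though the earlier branches, which begin outside the hunk, may already assume a non-null value.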
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/services/pom.xml
----------------------------------------------------------------------
diff --git a/services/pom.xml b/services/pom.xml
index def3027..a12a7b5 100644
--- a/services/pom.xml
+++ b/services/pom.xml
@@ -47,5 +47,6 @@
<module>console-proxy</module>
<module>console-proxy-rdp/rdpconsole</module>
<module>secondary-storage</module>
+ <module>iam</module>
</modules>
</project>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/test/integration/smoke/test_vm_iam.py
----------------------------------------------------------------------
diff --git a/test/integration/smoke/test_vm_iam.py b/test/integration/smoke/test_vm_iam.py
new file mode 100644
index 0000000..be75a79
--- /dev/null
+++ b/test/integration/smoke/test_vm_iam.py
@@ -0,0 +1,719 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+""" BVT tests for Virtual Machine IAM effect
+"""
+#Import Local Modules
+import marvin
+from marvin.cloudstackTestCase import *
+from marvin.cloudstackAPI import *
+from marvin.lib.utils import *
+from marvin.lib.base import *
+from marvin.lib.common import *
+from marvin.codes import FAILED
+from nose.plugins.attrib import attr
+#Import System modules
+import time
+
+_multiprocess_shared_ = True
+class Services:
+ """Test VM Life Cycle Services
+ """
+
+ def __init__(self):
+ self.services = {
+ #data for domains and accounts
+ "domain1": {
+ "name": "Domain1",
+ },
+ "account1A": {
+ "email": "test1A@test.com",
+ "firstname": "test1A",
+ "lastname": "User",
+ "username": "test1A",
+ "password": "password",
+ },
+ "account1B": {
+ "email": "test1B@test.com",
+ "firstname": "test1B",
+ "lastname": "User",
+ "username": "test1B",
+ "password": "password",
+ },
+ "domain2": {
+ "name": "Domain2",
+ },
+ "account2A": {
+ "email": "test2A@test.com",
+ "firstname": "test2A",
+ "lastname": "User",
+ "username": "test2A",
+ "password": "password",
+ },
+ #data reqd for virtual machine creation
+ "virtual_machine1A" : {
+ "name" : "test1Avm",
+ "displayname" : "Test1A VM",
+ },
+ "virtual_machine1B" : {
+ "name" : "test1Bvm",
+ "displayname" : "Test1B VM",
+ },
+ "virtual_machine2A" : {
+ "name" : "test2Avm",
+ "displayname" : "Test2A VM",
+ },
+ #small service offering
+ "service_offering": {
+ "small": {
+ "name": "Small Instance",
+ "displaytext": "Small Instance",
+ "cpunumber": 1,
+ "cpuspeed": 100,
+ "memory": 128,
+ },
+ },
+ "ostype": 'CentOS 5.6 (64-bit)',
+ # iam group and policy information
+ "service_desk_iam_grp" : {
+ "name" : "Service Desk",
+ "description" : "Service Desk IAM Group"
+ },
+ "vm_readonly_iam_policy" : {
+ "name" : "VM Read Only Access",
+ "description" : "VM read only access iam policy"
+ },
+ }
+
+
+
+class TestVMIam(cloudstackTestCase):
+
+ @classmethod
+ def setUpClass(self):
+ testClient = super(TestVMIam, self).getClsTestClient()
+ self.apiclient = testClient.getApiClient()
+ self.services = Services().services
+
+ # backup default apikey and secretkey
+ self.default_apikey = self.apiclient.connection.apiKey
+ self.default_secretkey = self.apiclient.connection.securityKey
+
+ # Create domains and accounts etc
+ self.domain_1 = Domain.create(
+ self.apiclient,
+ self.services["domain1"]
+ )
+ self.domain_2 = Domain.create(
+ self.apiclient,
+ self.services["domain2"]
+ )
+ # Create two accounts for doamin_1
+ self.account_1A = Account.create(
+ self.apiclient,
+ self.services["account1A"],
+ admin=False,
+ domainid=self.domain_1.id
+ )
+
+ self.account_1B = Account.create(
+ self.apiclient,
+ self.services["account1B"],
+ admin=False,
+ domainid=self.domain_1.id
+ )
+
+ # Create an account for domain_2
+ self.account_2A = Account.create(
+ self.apiclient,
+ self.services["account2A"],
+ admin=False,
+ domainid=self.domain_2.id
+ )
+
+ # Fetch user details to register apiKey for them
+ self.user_1A = User.list(
+ self.apiclient,
+ account=self.account_1A.name,
+ domainid=self.account_1A.domainid
+ )[0]
+
+ user_1A_key = User.registerUserKeys(
+ self.apiclient,
+ self.user_1A.id
+ )
+ self.user_1A_apikey = user_1A_key.apikey
+ self.user_1A_secretkey = user_1A_key.secretkey
+
+
+ self.user_1B = User.list(
+ self.apiclient,
+ account=self.account_1B.name,
+ domainid=self.account_1B.domainid
+ )[0]
+
+ user_1B_key = User.registerUserKeys(
+ self.apiclient,
+ self.user_1B.id
+ )
+
+ self.user_1B_apikey = user_1B_key.apikey
+ self.user_1B_secretkey = user_1B_key.secretkey
+
+
+ self.user_2A = User.list(
+ self.apiclient,
+ account=self.account_2A.name,
+ domainid=self.account_2A.domainid
+ )[0]
+
+ user_2A_key = User.registerUserKeys(
+ self.apiclient,
+ self.user_2A.id
+ )
+ self.user_2A_apikey = user_2A_key.apikey
+ self.user_2A_secretkey = user_2A_key.secretkey
+
+ # create service offering
+ self.service_offering = ServiceOffering.create(
+ self.apiclient,
+ self.services["service_offering"]["small"]
+ )
+
+ self.zone = get_zone(self.apiclient, testClient.getZoneForTests())
+ self.services['mode'] = self.zone.networktype
+ self.template = get_template(self.apiclient, self.zone.id, self.services["ostype"])
+
+ # deploy 3 VMs for three accounts
+ self.virtual_machine_1A = VirtualMachine.create(
+ self.apiclient,
+ self.services["virtual_machine1A"],
+ accountid=self.account_1A.name,
+ zoneid=self.zone.id,
+ domainid=self.account_1A.domainid,
+ serviceofferingid=self.service_offering.id,
+ templateid=self.template.id
+ )
+
+ self.virtual_machine_1B = VirtualMachine.create(
+ self.apiclient,
+ self.services["virtual_machine1B"],
+ accountid=self.account_1B.name,
+ zoneid=self.zone.id,
+ domainid=self.account_1B.domainid,
+ serviceofferingid=self.service_offering.id,
+ templateid=self.template.id
+ )
+
+ self.virtual_machine_2A = VirtualMachine.create(
+ self.apiclient,
+ self.services["virtual_machine2A"],
+ accountid=self.account_2A.name,
+ zoneid=self.zone.id,
+ domainid=self.account_2A.domainid,
+ serviceofferingid=self.service_offering.id,
+ templateid=self.template.id
+ )
+
+ self.srv_desk_grp = IAMGroup.create(
+ self.apiclient,
+ self.services["service_desk_iam_grp"]
+ )
+
+ self.vm_read_policy = IAMPolicy.create(
+ self.apiclient,
+ self.services["vm_readonly_iam_policy"]
+ )
+
+ self.srv_desk_grp.attachPolicy(
+ self.apiclient, [self.vm_read_policy]
+ )
+
+ vm_grant_policy_params = {}
+ vm_grant_policy_params['name'] = "policyGrantVirtualMachine" + self.virtual_machine_1A.id
+ vm_grant_policy_params['description'] = "Policy to grant permission to VirtualMachine " + self.virtual_machine_1A.id
+ self.vm_grant_policy = IAMPolicy.create(
+ self.apiclient,
+ vm_grant_policy_params
+ )
+
+ self._cleanup = [
+ self.account_1A,
+ self.account_1B,
+ self.domain_1,
+ self.account_2A,
+ self.domain_2,
+ self.service_offering,
+ self.vm_read_policy,
+ self.srv_desk_grp,
+ self.vm_grant_policy
+ ]
+
+ @classmethod
+ def tearDownClass(self):
+ self.apiclient = super(TestVMIam, self).getClsTestClient().getApiClient()
+ cleanup_resources(self.apiclient, self._cleanup)
+ return
+
+ def setUp(self):
+ self.apiclient = self.testClient.getApiClient()
+ self.dbclient = self.testClient.getDbConnection()
+ self.cleanup = []
+
+ def tearDown(self):
+ # restore back default apikey and secretkey
+ self.apiclient.connection.apiKey = self.default_apikey
+ self.apiclient.connection.securityKey = self.default_secretkey
+ cleanup_resources(self.apiclient, self.cleanup)
+ return
+
+
+
+ @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+ def test_01_list_own_vm(self):
+ # listVM command should return owne's VM
+
+ self.debug("Listing VM for account: %s" % self.account_1A.name)
+
+ self.apiclient.connection.apiKey = self.user_1A_apikey
+ self.apiclient.connection.securityKey = self.user_1A_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 1,
+ "Check VM available in List Virtual Machines"
+ )
+
+ self.assertEqual(
+ list_vm_response[0].name,
+ self.virtual_machine_1A.name,
+ "Virtual Machine names do not match"
+ )
+
+ self.debug("Listing VM for account: %s" % self.account_1B.name)
+ self.apiclient.connection.apiKey = self.user_1B_apikey
+ self.apiclient.connection.securityKey = self.user_1B_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 1,
+ "Check VM available in List Virtual Machines"
+ )
+
+ self.assertEqual(
+ list_vm_response[0].name,
+ self.virtual_machine_1B.name,
+ "Virtual Machine names do not match"
+ )
+
+ self.debug("Listing VM for account: %s" % self.account_2A.name)
+
+ self.apiclient.connection.apiKey = self.user_2A_apikey
+ self.apiclient.connection.securityKey = self.user_2A_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 1,
+ "Check VM available in List Virtual Machines"
+ )
+
+ self.assertEqual(
+ list_vm_response[0].name,
+ self.virtual_machine_2A.name,
+ "Virtual Machine names do not match"
+ )
+
+ return
+
+ @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+ def test_02_grant_domain_vm(self):
+
+ # Validate the following
+ # 1. Grant domain2 VM access to account_1B
+ # 2. listVM command should return account_1B and domain_2 VMs.
+
+ self.debug("Granting Domain %s VM read only access to account: %s" % (self.domain_2.name, self.account_1B.name))
+
+ self.srv_desk_grp.addAccount(self.apiclient, [self.account_1B])
+ domain_permission = {}
+ domain_permission['action'] = "listVirtualMachines"
+ domain_permission['entitytype'] = "VirtualMachine"
+ domain_permission['scope'] = "DOMAIN"
+ domain_permission['scopeid'] = self.domain_2.id
+ self.vm_read_policy.addPermission(self.apiclient, domain_permission)
+
+ self.debug("Listing VM for account: %s" % self.account_1B.name)
+ self.apiclient.connection.apiKey = self.user_1B_apikey
+ self.apiclient.connection.securityKey = self.user_1B_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 2,
+ "Check VM available in List Virtual Machines"
+ )
+
+ list_vm_names = [list_vm_response[0].name, list_vm_response[1].name]
+
+ self.assertEqual( self.virtual_machine_1B.name in list_vm_names,
+ True,
+ "Accessible Virtual Machine names do not match"
+ )
+
+ self.assertEqual( self.virtual_machine_2A.name in list_vm_names,
+ True,
+ "Accessible Virtual Machine names do not match"
+ )
+
+ return
+
+
+ @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+ def test_03_grant_account_vm(self):
+
+ # Validate the following
+ # 1. Grant account_1A VM access to account_1B
+ # 2. listVM command should return account_1A and account_1B VMs.
+
+ self.debug("Granting Account %s VM read only access to account: %s" % (self.account_1A.name, self.account_1B.name))
+
+ account_permission = {}
+ account_permission['action'] = "listVirtualMachines"
+ account_permission['entitytype'] = "VirtualMachine"
+ account_permission['scope'] = "ACCOUNT"
+ account_permission['scopeid'] = self.account_1A.id
+ self.vm_read_policy.addPermission(self.apiclient, account_permission)
+
+ self.debug("Listing VM for account: %s" % self.account_1B.name)
+ self.apiclient.connection.apiKey = self.user_1B_apikey
+ self.apiclient.connection.securityKey = self.user_1B_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 3,
+ "Check VM available in List Virtual Machines"
+ )
+
+ list_vm_names = [list_vm_response[0].name, list_vm_response[1].name, list_vm_response[2].name]
+
+ self.assertEqual( self.virtual_machine_1B.name in list_vm_names,
+ True,
+ "Accessible Virtual Machine names do not match"
+ )
+
+ self.assertEqual( self.virtual_machine_1A.name in list_vm_names,
+ True,
+ "Accessible Virtual Machine names do not match"
+ )
+
+ self.assertEqual( self.virtual_machine_2A.name in list_vm_names,
+ True,
+ "Accessible Virtual Machine names do not match"
+ )
+
+ return
+
+
+ @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+ def test_04_revoke_account_vm(self):
+
+ # Validate the following
+ # 1. Revoke account_1A VM access from account_1B
+ # 2. listVM command should not return account_1A VMs.
+
+ self.debug("Revoking Account %s VM read only access from account: %s" % (self.account_1A.name, self.account_1B.name))
+
+ account_permission = {}
+ account_permission['action'] = "listVirtualMachines"
+ account_permission['entitytype'] = "VirtualMachine"
+ account_permission['scope'] = "ACCOUNT"
+ account_permission['scopeid'] = self.account_1A.id
+ self.vm_read_policy.removePermission(self.apiclient, account_permission)
+
+ self.debug("Listing VM for account: %s" % self.account_1B.name)
+ self.apiclient.connection.apiKey = self.user_1B_apikey
+ self.apiclient.connection.securityKey = self.user_1B_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 2,
+ "Check VM available in List Virtual Machines"
+ )
+
+ list_vm_names = [list_vm_response[0].name, list_vm_response[1].name]
+
+
+ self.assertEqual( self.virtual_machine_1A.name in list_vm_names,
+ False,
+ "Accessible Virtual Machine names do not match"
+ )
+ return
+
+
+ @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+ def test_05_revoke_domain_vm(self):
+
+ # Validate the following
+ # 1. Revoke account_1A VM access from account_1B
+ # 2. listVM command should not return account_1A VMs.
+
+ self.debug("Revoking Domain %s VM read only access from account: %s" % (self.domain_1.name, self.account_1B.name))
+
+ domain_permission = {}
+ domain_permission['action'] = "listVirtualMachines"
+ domain_permission['entitytype'] = "VirtualMachine"
+ domain_permission['scope'] = "DOMAIN"
+ domain_permission['scopeid'] = self.domain_2.id
+ self.vm_read_policy.removePermission(self.apiclient, domain_permission)
+
+ self.debug("Listing VM for account: %s" % self.account_1B.name)
+ self.apiclient.connection.apiKey = self.user_1B_apikey
+ self.apiclient.connection.securityKey = self.user_1B_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 1,
+ "Check VM available in List Virtual Machines"
+ )
+
+ self.assertEqual(
+ list_vm_response[0].name,
+ self.virtual_machine_1B.name,
+ "Virtual Machine names do not match"
+ )
+
+ return
+
+ @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+ def test_06_grant_resource_vm(self):
+
+ # Validate the following
+ # 1. Grant a particular vm access to account_1B
+ # 2. listVM command should return account_1B VMs and granted VM.
+
+ self.debug("Granting VM %s read only access to account: %s" % (self.virtual_machine_1A.name, self.account_1B.name))
+
+ res_permission = {}
+ res_permission['action'] = "listVirtualMachines"
+ res_permission['entitytype'] = "VirtualMachine"
+ res_permission['scope'] = "RESOURCE"
+ res_permission['scopeid'] = self.virtual_machine_1A.id
+ self.vm_read_policy.addPermission(self.apiclient, res_permission)
+
+ self.debug("Listing VM for account: %s" % self.account_1B.name)
+ self.apiclient.connection.apiKey = self.user_1B_apikey
+ self.apiclient.connection.securityKey = self.user_1B_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 2,
+ "Check VM available in List Virtual Machines"
+ )
+
+ list_vm_names = [list_vm_response[0].name, list_vm_response[1].name]
+
+ self.assertEqual( self.virtual_machine_1B.name in list_vm_names,
+ True,
+ "Accessible Virtual Machine names do not match"
+ )
+
+ self.assertEqual( self.virtual_machine_1A.name in list_vm_names,
+ True,
+ "Accessible Virtual Machine names do not match"
+ )
+
+ return
+
+ @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+ def test_07_revoke_resource_vm(self):
+
+ # Validate the following
+ # 1. Grant a particular vm access to account_1B
+ # 2. listVM command should return account_1B VMs and granted VM.
+
+ self.debug("Revoking VM %s read only access from account: %s" % (self.virtual_machine_1A.name, self.account_1B.name))
+
+ res_permission = {}
+ res_permission['action'] = "listVirtualMachines"
+ res_permission['entitytype'] = "VirtualMachine"
+ res_permission['scope'] = "RESOURCE"
+ res_permission['scopeid'] = self.virtual_machine_1A.id
+ self.vm_read_policy.removePermission(self.apiclient, res_permission)
+
+ self.debug("Listing VM for account: %s" % self.account_1B.id)
+ self.apiclient.connection.apiKey = self.user_1B_apikey
+ self.apiclient.connection.securityKey = self.user_1B_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 1,
+ "Check VM available in List Virtual Machines"
+ )
+
+ self.assertEqual(
+ list_vm_response[0].name,
+ self.virtual_machine_1B.name,
+ "Virtual Machine names do not match"
+ )
+
+ return
+
+
+ @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+ def test_08_policy_attach_account(self):
+
+ # Validate the following
+ # 1. Grant a particular vm access to account_1B by directly attaching policy to account
+ # 2. listVM command should return account_1B VMs and granted VM.
+
+ self.debug("Granting VM %s read only access to account: %s by attaching policy to account" % (self.virtual_machine_1A.name, self.account_1B.name))
+
+ res_permission = {}
+ res_permission['action'] = "listVirtualMachines"
+ res_permission['entitytype'] = "VirtualMachine"
+ res_permission['scope'] = "RESOURCE"
+ res_permission['scopeid'] = self.virtual_machine_1A.id
+ self.vm_grant_policy.addPermission(self.apiclient, res_permission)
+ self.vm_grant_policy.attachAccount(self.apiclient, [self.account_1B])
+
+ self.debug("Listing VM for account: %s" % self.account_1B.id)
+ self.apiclient.connection.apiKey = self.user_1B_apikey
+ self.apiclient.connection.securityKey = self.user_1B_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 2,
+ "Check VM available in List Virtual Machines"
+ )
+
+ list_vm_names = [list_vm_response[0].name, list_vm_response[1].name]
+
+ self.assertEqual( self.virtual_machine_1B.name in list_vm_names,
+ True,
+ "Accessible Virtual Machine names do not match"
+ )
+
+ self.assertEqual( self.virtual_machine_1A.name in list_vm_names,
+ True,
+ "Accessible Virtual Machine names do not match"
+ )
+
+ return
+
+ @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+ def test_09_policy_detach_account(self):
+
+ # Validate the following
+ # 1. Revoking a particular vm access from account_1B by detaching policy from account
+ # 2. listVM command should return account_1B VMs.
+
+ self.debug("Revoking VM %s read only access from account: %s by detaching policy from account" % (self.virtual_machine_1A.name, self.account_1B.name))
+
+ self.vm_grant_policy.detachAccount(self.apiclient, [self.account_1B])
+
+ self.debug("Listing VM for account: %s" % self.account_1B.id)
+ self.apiclient.connection.apiKey = self.user_1B_apikey
+ self.apiclient.connection.securityKey = self.user_1B_secretkey
+ list_vm_response = list_virtual_machines(
+ self.apiclient
+ )
+ self.assertEqual(
+ isinstance(list_vm_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertEqual(
+ len(list_vm_response),
+ 1,
+ "Check VM available in List Virtual Machines"
+ )
+
+ self.assertEqual(
+ list_vm_response[0].name,
+ self.virtual_machine_1B.name,
+ "Virtual Machine names do not match"
+ )
+
+ return
\ No newline at end of file
[2/5] Revert "Disable IAM feature from 4.4 release."
Posted by mc...@apache.org.
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
index b6977c2..0c0c588 100755
--- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
+++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
@@ -483,7 +483,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
return limits;
}
- _accountMgr.checkAccess(caller, null, true, account);
+ _accountMgr.checkAccess(caller, null, account);
domainId = null;
}
}
@@ -503,7 +503,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
if (id != null) {
ResourceLimitVO vo = _resourceLimitDao.findById(id);
if (vo.getAccountId() != null) {
- _accountMgr.checkAccess(caller, null, true, _accountDao.findById(vo.getAccountId()));
+ _accountMgr.checkAccess(caller, null, _accountDao.findById(vo.getAccountId()));
limits.add(vo);
} else if (vo.getDomainId() != null) {
_accountMgr.checkAccess(caller, _domainDao.findById(vo.getDomainId()));
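Review bot: `vo` is dereferenced by `vo.getAccountId()` on the line right after `_resourceLimitDao.findById(id)` with no null check, so an `id` that matches no row would fail with a NullPointerException before either access check runs (assuming `findById` returns null for a missing row, which this hunk does not show). A guard ahead of the `if`, such as `if (vo == null) { throw new InvalidParameterValueException("Unable to find resource limit by id " + id); }`, would turn that into a clean parameter error, provided that exception type is available in this class. The result of `_accountDao.findById(vo.getAccountId())` is likewise passed straight into `checkAccess` unchecked. The enclosing method starts and ends outside the hunk.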
@@ -656,9 +656,9 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
}
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, account);
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, account);
} else {
- _accountMgr.checkAccess(caller, null, true, account);
+ _accountMgr.checkAccess(caller, null, account);
}
ownerType = ResourceOwnerType.Account;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/server/ManagementServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index dd4ce0f..4a4c74a 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -952,7 +952,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);
ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]);
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents);
if (ids != null && events.size() < ids.size()) {
result = false;
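Review bot: The argument dropped from this `checkAccess` call was `false`, while the multi-entity call in VolumeApiServiceImpl (`volume, vm`) dropped `true`, so both now use the same overload and the call site no longer says whether the entities must share an owner. Going by the "sameOwner check" wording in the TemplateManagerImpl comment, that boolean was the same-owner flag; what the three-argument overload does for an array of entities is not visible in this diff. A one-line comment above the call would record the intent, for example `// events may belong to different owners (previously sameOwner=false)`. The identical hunk at -979,7 needs the same comment.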
@@ -979,7 +979,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);
ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]);
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents);
if (ids != null && events.size() < ids.size()) {
result = false;
@@ -1768,19 +1768,22 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
SearchBuilder<IPAddressVO> sb = _publicIpAddressDao.createSearchBuilder();
Long domainId = null;
Boolean isRecursive = null;
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
ListProjectResourcesCriteria listProjectResourcesCriteria = null;
if (isAllocated) {
Account caller = CallContext.current().getCallingAccount();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, cmd.getId(), cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, cmd.getId(), cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listPublicIpAddresses");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
listProjectResourcesCriteria = domainIdRecursiveListProject.third();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
}
sb.and("dataCenterId", sb.entity().getDataCenterId(), SearchCriteria.Op.EQ);
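Review bot: The old assignment is left behind as commented-out code, `//domainId = domainIdRecursiveListProject.first();`, and `Long domainId = null;` at the top of the hunk is then never assigned here. The `buildACLSearchCriteria` call in the -1835,7 hunk no longer takes it either. Delete the commented line, and the `domainId` declaration too if nothing further down still reads it; any leftover read would see null and silently lose its domain filter. The method continues outside the hunk, so the remaining uses cannot be confirmed from here.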
@@ -1835,7 +1838,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
SearchCriteria<IPAddressVO> sc = sb.create();
if (isAllocated) {
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
}
sc.setJoinParameters("vlanSearch", "vlanType", vlanType);
@@ -3312,7 +3315,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, _accountMgr.getAccount(user.getAccountId()));
+ _accountMgr.checkAccess(caller, null, _accountMgr.getAccount(user.getAccountId()));
String cloudIdentifier = _configDao.getValue("cloud.identifier");
if (cloudIdentifier == null) {
@@ -3419,7 +3422,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
throw ex;
}
- _accountMgr.checkAccess(caller, null, true, group);
+ _accountMgr.checkAccess(caller, null, group);
// Check if name is already in use by this account (exclude this group)
boolean isNameInUse = _vmGroupDao.isNameInUse(group.getAccountId(), groupName);
@@ -3578,21 +3581,22 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
String fingerPrint = cmd.getFingerprint();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject,
- cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listSSHKeyPairs");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<SSHKeyPairVO> sb = _sshKeyPairDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
Filter searchFilter = new Filter(SSHKeyPairVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchCriteria<SSHKeyPairVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (name != null) {
sc.addAnd("name", SearchCriteria.Op.EQ, name);
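Review bot: The action name is passed to `buildACLSearchParameters` as a bare string literal, `"listSSHKeyPairs"`, and the same pattern appears with `"listPublicIpAddresses"` earlier in this file and `"listSnapshots"` in SnapshotManagerImpl. If this string selects which policy permissions are consulted (the name suggests so, but the hunk does not show it), a typo would still compile and quietly change what the list call returns. Take it from a constant declared once, for example `private static final String LIST_SSH_KEY_PAIRS_ACTION = "listSSHKeyPairs";`, or at least add a comment naming the API command the literal has to match.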
@@ -3657,7 +3661,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
}
// make permission check
- _accountMgr.checkAccess(caller, null, true, vm);
+ _accountMgr.checkAccess(caller, null, vm);
_userVmDao.loadDetails(vm);
String password = vm.getDetail("Encrypted.Password");
@@ -3830,7 +3834,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
throw new InvalidParameterValueException("Unable to find SystemVm with id " + systemVmId);
}
- _accountMgr.checkAccess(caller, null, true, systemVm);
+ _accountMgr.checkAccess(caller, null, systemVm);
// Check that the specified service offering ID is valid
ServiceOfferingVO newServiceOffering = _offeringDao.findById(serviceOfferingId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/servlet/ConsoleProxyServlet.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
index 60f32cf..16d7a32 100644
--- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
@@ -522,7 +522,7 @@ public class ConsoleProxyServlet extends HttpServlet {
switch (vm.getType()) {
case User:
try {
- _accountMgr.checkAccess(accountObj, null, true, vm);
+ _accountMgr.checkAccess(accountObj, null, vm);
} catch (PermissionDeniedException ex) {
if (_accountMgr.isNormalUser(accountObj.getId())) {
if (s_logger.isDebugEnabled()) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/storage/VolumeApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
index 1650240..6db3a2d 100644
--- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java
+++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
@@ -28,6 +28,7 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.volume.AttachVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.CreateVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.DetachVolumeCmd;
@@ -272,7 +273,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
private boolean validateVolume(Account caller, long ownerId, Long zoneId, String volumeName, String url, String format) throws ResourceAllocationException {
// permission check
- _accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId));
+ _accountMgr.checkAccess(caller, null, _accountMgr.getActiveAccountById(ownerId));
// Check that the resource limit for volumes won't be exceeded
_resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(ownerId), ResourceType.volume);
@@ -382,10 +383,11 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
Boolean displayVolume = cmd.getDisplayVolume();
// permission check
- _accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId));
+ _accountMgr.checkAccess(caller, null, owner);
if (displayVolume == null) {
displayVolume = true;
+
} else {
if (!_accountMgr.isRootAdmin(caller.getId())) {
throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted ");
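Review bot: The permission check now takes `owner`, which is not defined in this hunk, where it used to resolve the account with `_accountMgr.getActiveAccountById(ownerId)`. If `owner` comes from a lookup that can return null or a non-active account (going by the old method's name, it returned active accounts only), the check runs against a different object than before. Worth confirming, and recording with a comment such as `// owner: active account for ownerId, resolved above`. The blank line added after `displayVolume = true;` is stray and can be dropped. The method starts and ends outside the hunk.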
@@ -509,9 +511,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
size = snapshotCheck.getSize(); // ; disk offering is used for tags
// purposes
- // check snapshot permissions
- _accountMgr.checkAccess(caller, null, true, snapshotCheck);
-
// one step operation - create volume in VM's cluster and attach it
// to the VM
Long vmId = cmd.getVirtualMachineId();
@@ -526,9 +525,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
if (vm.getState() != State.Running && vm.getState() != State.Stopped) {
throw new InvalidParameterValueException("Please specify a VM that is either running or stopped.");
}
-
- // permission check
- _accountMgr.checkAccess(caller, null, false, vm);
}
}
@@ -775,7 +771,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
/* does the caller have the authority to act on this volume? */
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
long currentSize = volume.getSize();
@@ -938,7 +934,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
throw new InvalidParameterValueException("There are snapshot creating on it, Unable to delete the volume");
}
- _accountMgr.checkAccess(caller, null, true, volume);
+ _accountMgr.checkAccess(caller, null, volume);
if (volume.getInstanceId() != null) {
throw new InvalidParameterValueException("Please specify a volume that is not attached to any VM.");
@@ -1131,7 +1127,8 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
// permission check
- _accountMgr.checkAccess(caller, null, true, volume, vm);
+ // TODO: remove this if we can annotate volume parameter in createVolumeCmd since this routine is used there as well.
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, volume, vm);
if (!(Volume.State.Allocated.equals(volume.getState()) || Volume.State.Ready.equals(volume.getState()) || Volume.State.Uploaded.equals(volume.getState()))) {
throw new InvalidParameterValueException("Volume state must be in Allocated, Ready or in Uploaded state");
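Review bot: This call checks only `volume` and `vm`, and the TODO says createVolumeCmd relies on this routine, yet the hunks at -509,9 and -526,9 in this file delete the explicit `checkAccess` on `snapshotCheck` and on `vm` from the create-from-snapshot path. Nothing visible in this diff then verifies the caller's access to the source snapshot, unless that is enforced somewhere this diff does not show. Either keep `_accountMgr.checkAccess(caller, null, snapshotCheck);` at the -509 site, or extend this comment to name where the snapshot check now happens. `allocSnapshot` in SnapshotManagerImpl (-1027,12) loses its volume check in the same way and deserves the same confirmation. The enclosing method starts and ends outside the hunk.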
@@ -1345,7 +1342,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
// Permissions check
- _accountMgr.checkAccess(caller, null, true, volume);
+ _accountMgr.checkAccess(caller, null, volume);
// Check that the volume is a data volume
if (volume.getVolumeType() != Volume.Type.DATADISK) {
@@ -1790,7 +1787,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
}
// perform permission check
- _accountMgr.checkAccess(account, null, true, volume);
+ _accountMgr.checkAccess(account, null, volume);
if (_dcDao.findById(zoneId) == null) {
throw new InvalidParameterValueException("Please specify a valid zone.");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
index 44bce1a..d19a0ed 100755
--- a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
+++ b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
@@ -286,7 +286,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
boolean backedUp = false;
// does the caller have the authority to act on this volume
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
SnapshotInfo snapshot = snapshotFactory.getSnapshot(snapshotId, DataStoreRole.Primary);
@@ -391,7 +391,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
throw new InvalidParameterValueException("unable to find a snapshot with id " + snapshotId);
}
- _accountMgr.checkAccess(caller, null, true, snapshotCheck);
+ _accountMgr.checkAccess(caller, null, snapshotCheck);
SnapshotStrategy snapshotStrategy = _storageStrategyFactory.getSnapshotStrategy(snapshotCheck, SnapshotOperation.DELETE);
if (snapshotStrategy == null) {
s_logger.error("Unable to find snaphot strategy to handle snapshot with id '" + snapshotId + "'");
@@ -441,25 +441,28 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
Map<String, String> tags = cmd.getTags();
Long zoneId = cmd.getZoneId();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
// Verify parameters
if (volumeId != null) {
VolumeVO volume = _volsDao.findById(volumeId);
if (volume != null) {
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
}
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listSnapshots");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(SnapshotVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<SnapshotVO> sb = _snapshotDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("statusNEQ", sb.entity().getState(), SearchCriteria.Op.NEQ); //exclude those Destroyed snapshot, not showing on UI
sb.and("volumeId", sb.entity().getVolumeId(), SearchCriteria.Op.EQ);
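Review bot: When `volumeId` is supplied but `_volsDao.findById(volumeId)` returns null, the access check is skipped and the listing continues with no error. If that is intended, say so next to the `if (volume != null)` guard, for example `// unknown volumeId: no direct check, the ACL search filter below still applies`. The check can also reuse the local declared a few lines above: `_accountMgr.checkAccess(caller, null, volume);`. The method body continues outside the hunk.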
@@ -482,7 +485,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
}
SearchCriteria<SnapshotVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sc.setParameters("statusNEQ", Snapshot.State.Destroyed);
@@ -621,7 +624,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
throw new InvalidParameterValueException("Failed to create snapshot policy, unable to find a volume with id " + volumeId);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
if (volume.getState() != Volume.State.Ready) {
throw new InvalidParameterValueException("VolumeId: " + volumeId + " is not in " + Volume.State.Ready + " state but " + volume.getState() +
@@ -720,7 +723,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
if (volume == null) {
throw new InvalidParameterValueException("Unable to find a volume with id " + volumeId);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
Pair<List<SnapshotPolicyVO>, Integer> result = _snapshotPolicyDao.listAndCountByVolumeId(volumeId);
return new Pair<List<? extends SnapshotPolicy>, Integer>(result.first(), result.second());
}
@@ -996,7 +999,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
throw new InvalidParameterValueException("Policy id given: " + policy + " does not belong to a valid volume");
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
}
boolean success = true;
@@ -1027,12 +1030,9 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
@Override
public Snapshot allocSnapshot(Long volumeId, Long policyId) throws ResourceAllocationException {
- Account caller = CallContext.current().getCallingAccount();
VolumeInfo volume = volFactory.getVolume(volumeId);
supportedByHypervisor(volume);
- // Verify permissions
- _accountMgr.checkAccess(caller, null, true, volume);
Type snapshotType = getSnapshotType(policyId);
Account owner = _accountMgr.getAccount(volume.getAccountId());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
index fa7fcb7..cac12c6 100644
--- a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
+++ b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
@@ -227,7 +227,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
Long domainId = accountDomainPair.second();
Long accountId = accountDomainPair.first();
if (accountId != null) {
- _accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId));
+ _accountMgr.checkAccess(caller, null, _accountMgr.getAccount(accountId));
} else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) {
//check permissions;
_accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId));
@@ -289,7 +289,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
for (ResourceTag resourceTag : resourceTags) {
//1) validate the permissions
Account owner = _accountMgr.getAccount(resourceTag.getAccountId());
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
//2) Only remove tag if it matches key value pairs
if (tags != null && !tags.isEmpty()) {
for (String key : tags.keySet()) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/template/TemplateAdapterBase.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateAdapterBase.java b/server/src/com/cloud/template/TemplateAdapterBase.java
index fcf15df..cb38075 100755
--- a/server/src/com/cloud/template/TemplateAdapterBase.java
+++ b/server/src/com/cloud/template/TemplateAdapterBase.java
@@ -254,7 +254,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
//check if the caller can operate with the template owner
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
boolean isRouting = (cmd.isRoutingType() == null) ? false : cmd.isRoutingType();
@@ -277,7 +277,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
//check if the caller can operate with the template owner
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
Long zoneId = cmd.getZoneId();
// ignore passed zoneId if we are using region wide image store
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/template/TemplateManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index 0cc7438..294748f 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -369,7 +369,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Unable to find template id=" + templateId);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, vmTemplate);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, vmTemplate);
prepareTemplateInAllStoragePools(vmTemplate, zoneId);
return vmTemplate;
@@ -415,7 +415,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Unable to extract template id=" + templateId + " as it's not extractable");
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
List<DataStore> ssStores = _dataStoreMgr.getImageStoresByScope(new ZoneScope(zoneId));
@@ -722,7 +722,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
return template;
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
boolean success = copy(userId, template, srcSecStore, dstZone);
@@ -911,7 +911,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Please specify a valid VM.");
}
- _accountMgr.checkAccess(caller, null, true, userVM);
+ _accountMgr.checkAccess(caller, null, userVM);
Long isoId = userVM.getIsoId();
if (isoId == null) {
@@ -952,12 +952,11 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
// check permissions
// check if caller has access to VM and ISO
- // and also check if the VM's owner has access to the ISO.
-
- _accountMgr.checkAccess(caller, null, false, iso, vm);
-
+ // and also check if the VM's owner has access to the ISO. This is a bit different from sameOwner check for attachVolumeToVM, where both volume and VM need
+ // OperateEntry access type. Here VM needs OperateEntry access type, ISO needs UseEntry access type.
+ _accountMgr.checkAccess(caller, null, iso, vm);
Account vmOwner = _accountDao.findById(vm.getAccountId());
- _accountMgr.checkAccess(vmOwner, null, false, iso, vm);
+ _accountMgr.checkAccess(vmOwner, null, iso);
State vmState = vm.getState();
if (vmState != State.Running && vmState != State.Stopped) {
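Review bot: The comment added above the two `checkAccess` calls says the VM needs OperateEntry and the ISO needs UseEntry, but both calls pass `null` as the access type, so the code in this hunk does not express that distinction. Either pass the intended type explicitly, for example `_accountMgr.checkAccess(vmOwner, AccessType.UseEntry, iso);`, or reword the comment to state what a `null` access type resolves to. How `null` is interpreted is decided in the `checkAccess` implementation and the security checkers, which are outside this hunk. The enclosing method also starts and ends outside it.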
@@ -1061,7 +1060,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("unable to find template with id " + templateId);
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
if (template.getFormat() == ImageFormat.ISO) {
throw new InvalidParameterValueException("Please specify a valid template.");
@@ -1084,7 +1083,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("unable to find iso with id " + templateId);
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
if (template.getFormat() != ImageFormat.ISO) {
throw new InvalidParameterValueException("Please specify a valid iso.");
@@ -1134,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
}
if (!template.isPublicTemplate()) {
- _accountMgr.checkAccess(caller, null, true, template);
+ _accountMgr.checkAccess(caller, AccessType.ListEntry, template);
}
List<String> accountNames = new ArrayList<String>();
@@ -1207,8 +1206,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
}
}
- //_accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); //TODO: should we replace all ModifyEntry as OperateEntry?
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
// If the template is removed throw an error.
if (template.getRemoved() != null) {
@@ -1489,7 +1487,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
Account caller = CallContext.current().getCallingAccount();
boolean isAdmin = (_accountMgr.isAdmin(caller.getId()));
- _accountMgr.checkAccess(caller, null, true, templateOwner);
+ _accountMgr.checkAccess(caller, null, templateOwner);
String name = cmd.getTemplateName();
if ((name == null) || (name.length() > 32)) {
@@ -1541,7 +1539,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
throw new InvalidParameterValueException("Failed to create private template record, unable to find volume " + volumeId);
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, volume);
+ _accountMgr.checkAccess(caller, null, volume);
// If private template is created from Volume, check that the volume
// will not be active when the private template is
@@ -1564,7 +1562,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
volume = _volumeDao.findById(snapshot.getVolumeId());
// check permissions
- _accountMgr.checkAccess(caller, null, true, snapshot);
+ _accountMgr.checkAccess(caller, null, snapshot);
if (snapshot.getState() != Snapshot.State.BackedUp) {
throw new InvalidParameterValueException("Snapshot id=" + snapshotId + " is not in " + Snapshot.State.BackedUp +
@@ -1780,7 +1778,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
verifyTemplateId(id);
// do a permission check
- _accountMgr.checkAccess(account, AccessType.OperateEntry, true, template);
+ _accountMgr.checkAccess(account, AccessType.OperateEntry, template);
if (cmd.isRoutingType() != null) {
if (!_accountService.isRootAdmin(account.getId())) {
throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/user/AccountManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java
index bee7029..03bf842 100755
--- a/server/src/com/cloud/user/AccountManager.java
+++ b/server/src/com/cloud/user/AccountManager.java
@@ -24,7 +24,6 @@ import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
-import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.projects.Project.ListProjectResourcesCriteria;
@@ -85,35 +84,19 @@ public interface AccountManager extends AccountService {
boolean enableAccount(long accountId);
- void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria);
-
- void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria);
-
- void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds);
-
- void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria);
-
- void buildACLSearchParameters(Account caller, Long id,
- String accountName, Long projectId, List<Long> permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll,
- boolean forProjectInvitation);
-
- void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria);
-
- void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds,
- List<Long> revokedIds);
-
-
// new ACL model routine for query api based on db views
void buildACLSearchParameters(Account caller, Long id,
String accountName, Long projectId, List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources,
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation, String action);
+ void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, boolean isRecursive,
+ List<Long> permittedDomains,
+ List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria);
+
+ void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, boolean isRecursive,
+ List<Long> permittedDomains,
+ List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria);
+
void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, SearchCriteria<? extends ControlledEntity> aclSc, boolean isRecursive,
List<Long> permittedDomains, List<Long> permittedAccounts,
List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria);
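Review bot: The re-added `buildACLSearchBuilder` and `buildACLSearchCriteria` take three `List<Long>` filters (`permittedDomains`, `permittedAccounts`, `permittedResources`) with no Javadoc, so the interface does not say whether an empty list means "no restriction" or "nothing permitted". These lists scope what a listing query returns, so a wrong guess by a caller either hides rows or exposes rows that should be filtered. I would add a Javadoc block on each method stating how the three lists combine, what an empty or null list means, and what `isRecursive` applies to. The interface body continues outside this hunk.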
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index b6be648..3ff9bd2 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -48,6 +48,7 @@ import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
+import org.apache.cloudstack.api.InternalIdentity;
import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
@@ -60,8 +61,6 @@ import org.apache.cloudstack.framework.messagebus.PublishScope;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
-import com.cloud.api.ApiDBUtils;
-import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.configuration.Config;
import com.cloud.configuration.ConfigurationManager;
import com.cloud.configuration.Resource.ResourceOwnerType;
@@ -102,6 +101,7 @@ import com.cloud.network.dao.NetworkVO;
import com.cloud.network.dao.RemoteAccessVpnDao;
import com.cloud.network.dao.RemoteAccessVpnVO;
import com.cloud.network.dao.VpnUserDao;
+import com.cloud.network.security.SecurityGroup;
import com.cloud.network.security.SecurityGroupManager;
import com.cloud.network.security.dao.SecurityGroupDao;
import com.cloud.network.vpc.Vpc;
@@ -110,7 +110,6 @@ import com.cloud.network.vpn.RemoteAccessVpnService;
import com.cloud.network.vpn.Site2SiteVpnManager;
import com.cloud.projects.Project;
import com.cloud.projects.Project.ListProjectResourcesCriteria;
-import com.cloud.projects.ProjectInvitationVO;
import com.cloud.projects.ProjectManager;
import com.cloud.projects.ProjectVO;
import com.cloud.projects.dao.ProjectAccountDao;
@@ -387,8 +386,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
for (SecurityChecker checker : _securityCheckers) {
try {
if (checker.checkAccess(acct, null, null, "SystemCapability")) {
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("Root Access granted to " + acct + " by " + checker.getName());
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
}
return true;
}
@@ -410,8 +409,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
for (SecurityChecker checker : _securityCheckers) {
try {
if (checker.checkAccess(acct, null, null, "DomainCapability")) {
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("DomainAdmin Access granted to " + acct + " by " + checker.getName());
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("DomainAdmin Access granted to " + acct + " by " + checker.getName());
}
return true;
}
@@ -441,8 +440,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
for (SecurityChecker checker : _securityCheckers) {
try {
if (checker.checkAccess(acct, null, null, "DomainResourceCapability")) {
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("ResourceDomainAdmin Access granted to " + acct + " by " + checker.getName());
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("ResourceDomainAdmin Access granted to " + acct + " by " + checker.getName());
}
return true;
}
@@ -482,89 +481,90 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
- public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
- checkAccess(caller, accessType, sameOwner, null, entities);
+ public void checkAccess(Account caller, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
+ checkAccess(caller, accessType, null, entities);
}
@Override
- public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) {
- //check for the same owner
- Long ownerId = null;
- ControlledEntity prevEntity = null;
- if (sameOwner) {
- for (ControlledEntity entity : entities) {
- if (sameOwner) {
- if (ownerId == null) {
- ownerId = entity.getAccountId();
- } else if (ownerId.longValue() != entity.getAccountId()) {
- throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
- }
- prevEntity = entity;
- }
- }
+ public void checkAccess(Account caller, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
+ boolean granted = false;
+ // construct entities identification string
+ StringBuffer entityBuf = new StringBuffer("{");
+ for (ControlledEntity ent : entities) {
+ entityBuf.append(ent.toString());
}
+ entityBuf.append("}");
+ String entityStr = entityBuf.toString();
- if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
- // no need to make permission checks if the system/root admin makes the call
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
- }
- return;
- }
+ boolean isRootAdmin = isRootAdmin(caller.getAccountId());
+ boolean isDomainAdmin = isDomainAdmin(caller.getAccountId());
+ boolean isResourceDomainAdmin = isResourceDomainAdmin(caller.getAccountId());
- HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>();
+ if ((isRootAdmin || isDomainAdmin || isResourceDomainAdmin || caller.getId() == Account.ACCOUNT_ID_SYSTEM)
+ && (accessType == null || accessType == AccessType.UseEntry)) {
- for (ControlledEntity entity : entities) {
- long domainId = entity.getDomainId();
- if (entity.getAccountId() != -1 && domainId == -1) { // If account exists domainId should too so calculate
- // it. This condition might be hit for templates or entities which miss domainId in their tables
- Account account = ApiDBUtils.findAccountById(entity.getAccountId());
- domainId = account != null ? account.getDomainId() : -1;
- }
- if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) &&
- !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
- List<ControlledEntity> toBeChecked = domains.get(entity.getDomainId());
- // for templates, we don't have to do cross domains check
- if (toBeChecked == null) {
- toBeChecked = new ArrayList<ControlledEntity>();
- domains.put(domainId, toBeChecked);
+ for (ControlledEntity entity : entities) {
+ if (entity instanceof VirtualMachineTemplate || (entity instanceof Network && accessType != null && (isDomainAdmin || isResourceDomainAdmin))
+ || entity instanceof AffinityGroup || entity instanceof SecurityGroup) {
+ // Go through IAM (SecurityCheckers)
+ for (SecurityChecker checker : _securityCheckers) {
+ if (checker.checkAccess(caller, accessType, apiName, entity)) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Access to " + entityStr + " granted to " + caller + " by "
+ + checker.getName());
+ }
+ granted = true;
+ break;
+ }
+ }
+ } else {
+ if (isRootAdmin || caller.getId() == Account.ACCOUNT_ID_SYSTEM) {
+ // no need to make permission checks if the system/root
+ // admin makes the call
+ if (s_logger.isTraceEnabled()) {
+ s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
+ }
+ granted = true;
+ } else if (isDomainAdmin || isResourceDomainAdmin) {
+ Domain entityDomain = getEntityDomain(entity);
+ if (entityDomain != null) {
+ try {
+ checkAccess(caller, entityDomain);
+ granted = true;
+ } catch (PermissionDeniedException e) {
+ List<ControlledEntity> entityList = new ArrayList<ControlledEntity>();
+ entityList.add(entity);
+ e.addDetails(caller, entityList);
+ throw e;
+ }
+ }
+ }
+ }
+
+ if (!granted) {
+ assert false : "How can all of the security checkers pass on checking this check: " + entityStr;
+ throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to "
+ + entityStr);
}
- toBeChecked.add(entity);
+
}
- boolean granted = false;
+ } else {
+ // Go through IAM (SecurityCheckers)
for (SecurityChecker checker : _securityCheckers) {
- if (checker.checkAccess(caller, entity, accessType, apiName)) {
+ if (checker.checkAccess(caller, accessType, apiName, entities)) {
if (s_logger.isDebugEnabled()) {
- s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
+ s_logger.debug("Access to " + entityStr + " granted to " + caller + " by " + checker.getName());
}
granted = true;
break;
}
}
-
- if (!granted) {
- assert false : "How can all of the security checkers pass on checking this check: " + entity;
- throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
- }
}
- for (Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
- for (SecurityChecker checker : _securityCheckers) {
- Domain d = _domainMgr.getDomain(domain.getKey());
- if (d == null || d.getRemoved() != null) {
- throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
- }
- try {
- checker.checkAccess(caller, d);
- } catch (PermissionDeniedException e) {
- e.addDetails(caller, domain.getValue());
- throw e;
- }
- }
+ if (!granted) {
+ assert false : "How can all of the security checkers pass on checking this check: " + entityStr;
+ throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entityStr);
}
-
- // check that resources belong to the same account
-
}
private Domain getEntityDomain(ControlledEntity entity) {
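Review bot: In the new `checkAccess(caller, accessType, apiName, entities)`, `granted` is declared once before the per-entity loop of the admin branch and never reset, so after the first entity is granted the `if (!granted)` check inside the loop cannot fail for any later entity. A later entity that no checker accepts, or one for which `getEntityDomain` returns null for a domain admin, would then pass on the strength of the earlier grant. Reset the flag per entity by making `granted = false;` the first statement inside `for (ControlledEntity entity : entities)`. The removed same-owner check has no visible replacement in this hunk. Presumably the security checkers now cover it, which is worth confirming for multi-entity calls.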
@@ -1167,7 +1167,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed");
}
- checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
+ checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account);
if (firstName != null) {
if (firstName.isEmpty()) {
@@ -1284,7 +1284,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("User id : " + userId + " is a system user, disabling is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
boolean success = doSetUserStatus(userId, State.disabled);
if (success) {
@@ -1325,7 +1325,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("User id : " + userId + " is a system user, enabling is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
boolean success = Transaction.execute(new TransactionCallback<Boolean>() {
@Override
@@ -1377,7 +1377,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("user id : " + userId + " is a system user, locking is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
// make sure the account is enabled too
// if the user is either locked already or disabled already, don't change state...only lock currently enabled
@@ -1441,7 +1441,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("The specified account does not exist in the system");
}
- checkAccess(caller, null, true, account);
+ checkAccess(caller, null, account);
// don't allow to delete default account (system and admin)
if (account.isDefault()) {
@@ -1486,7 +1486,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// Check if user performing the action is allowed to modify this account
Account caller = CallContext.current().getCallingAccount();
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
boolean success = enableAccount(account.getId());
if (success) {
@@ -1520,7 +1520,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("Account id : " + accountId + " is a system account, lock is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
if (lockAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@@ -1550,7 +1550,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new PermissionDeniedException("Account id : " + accountId + " is a system account, disable is not allowed");
}
- checkAccess(caller, AccessType.OperateEntry, true, account);
+ checkAccess(caller, AccessType.OperateEntry, account);
if (disableAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@@ -1669,7 +1669,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
throw new InvalidParameterValueException("The user is default and can't be removed");
}
- checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
+ checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account);
CallContext.current().putContextParameter(User.class, user.getUuid());
return _userDao.remove(id);
}
@@ -2278,373 +2278,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
-
- @Override
- public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
-
- if (sb.entity() instanceof IPAddressVO) {
- sb.and("accountIdIN", ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.EQ);
- } else if (sb.entity() instanceof ProjectInvitationVO) {
- sb.and("accountIdIN", ((ProjectInvitationVO) sb.entity()).getForAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", ((ProjectInvitationVO) sb.entity()).getInDomainId(), SearchCriteria.Op.EQ);
- } else {
- sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
- }
-
- if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
- // if accountId isn't specified, we can do a domain match for the admin case if isRecursive is true
- SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder();
- domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
-
- if (sb.entity() instanceof IPAddressVO) {
- sb.join("domainSearch", domainSearch, ((IPAddressVO) sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- } else if (sb.entity() instanceof ProjectInvitationVO) {
- sb.join("domainSearch", domainSearch, ((ProjectInvitationVO) sb.entity()).getInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- } else {
- sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- }
-
- }
- if (listProjectResourcesCriteria != null) {
- SearchBuilder<AccountVO> accountSearch = _accountDao.createSearchBuilder();
- if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
- accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.EQ);
- } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
- accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.NEQ);
- }
-
- if (sb.entity() instanceof IPAddressVO) {
- sb.join("accountSearch", accountSearch, ((IPAddressVO) sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- } else if (sb.entity() instanceof ProjectInvitationVO) {
- sb.join("accountSearch", accountSearch, ((ProjectInvitationVO) sb.entity()).getForAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- } else {
- sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
- }
- }
- }
-
- @Override
- public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
-
- if (listProjectResourcesCriteria != null) {
- sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT);
- }
-
- if (!permittedAccounts.isEmpty()) {
- sc.setParameters("accountIdIN", permittedAccounts.toArray());
- } else if (domainId != null) {
- DomainVO domain = _domainDao.findById(domainId);
- if (isRecursive) {
- sc.setJoinParameters("domainSearch", "path", domain.getPath() + "%");
- } else {
- sc.setParameters("domainId", domainId);
- }
- }
- }
-
-// @Override
-// public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long>
-// permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
-// boolean listAll, boolean forProjectInvitation) {
-// Long domainId = domainIdRecursiveListProject.first();
-// if (domainId != null) {
-// Domain domain = _domainDao.findById(domainId);
-// if (domain == null) {
-// throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
-// }
-// // check permissions
-// checkAccess(caller, domain);
-// }
-//
-// if (accountName != null) {
-// if (projectId != null) {
-// throw new InvalidParameterValueException("Account and projectId can't be specified together");
-// }
-//
-// Account userAccount = null;
-// Domain domain = null;
-// if (domainId != null) {
-// userAccount = _accountDao.findActiveAccount(accountName, domainId);
-// domain = _domainDao.findById(domainId);
-// } else {
-// userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
-// domain = _domainDao.findById(caller.getDomainId());
-// }
-//
-// if (userAccount != null) {
-// checkAccess(caller, null, false, userAccount);
-// //check permissions
-// permittedAccounts.add(userAccount.getId());
-// } else {
-// throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
-// }
-// }
-//
-// // set project information
-// if (projectId != null) {
-// if (!forProjectInvitation) {
-// if (projectId.longValue() == -1) {
-// if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
-// permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
-// } else {
-// domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
-// }
-// } else {
-// Project project = _projectMgr.getProject(projectId);
-// if (project == null) {
-// throw new InvalidParameterValueException("Unable to find project by id " + projectId);
-// }
-// if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
-// throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
-// }
-// permittedAccounts.add(project.getProjectAccountId());
-// }
-// }
-// } else {
-// if (id == null) {
-// domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
-// }
-// if (permittedAccounts.isEmpty() && domainId == null) {
-// if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
-// permittedAccounts.add(caller.getId());
-// } else if (!listAll) {
-// if (id == null) {
-// permittedAccounts.add(caller.getId());
-// } else if (!isRootAdmin(caller.getId())) {
-// domainIdRecursiveListProject.first(caller.getDomainId());
-// domainIdRecursiveListProject.second(true);
-// }
-// } else if (domainId == null) {
-// if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
-// domainIdRecursiveListProject.first(caller.getDomainId());
-// domainIdRecursiveListProject.second(true);
-// }
-// }
-// } else if (domainId != null) {
-// if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
-// permittedAccounts.add(caller.getId());
-// }
-// }
-//
-// }
-// }
-
- //TODO: deprecate this to use the new buildACLSearchParameters with permittedDomains, permittedAccounts, and permittedResources as return
- @Override
- public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long>
- permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
- boolean listAll, boolean forProjectInvitation) {
- Long domainId = domainIdRecursiveListProject.first();
- if (domainId != null) {
- Domain domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
- }
- // check permissions
- checkAccess(caller, domain);
- }
-
- if (accountName != null) {
- if (projectId != null) {
- throw new InvalidParameterValueException("Account and projectId can't be specified together");
- }
-
- Account userAccount = null;
- Domain domain = null;
- if (domainId != null) {
- userAccount = _accountDao.findActiveAccount(accountName, domainId);
- domain = _domainDao.findById(domainId);
- } else {
- userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
- domain = _domainDao.findById(caller.getDomainId());
- }
-
- if (userAccount != null) {
- checkAccess(caller, null, false, userAccount);
- // check permissions
- permittedAccounts.add(userAccount.getId());
- } else {
- throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
- }
- }
-
- // set project information
- if (projectId != null) {
- if (!forProjectInvitation) {
- if (projectId.longValue() == -1) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
- permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
- } else {
- domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
- }
- } else {
- Project project = _projectMgr.getProject(projectId);
- if (project == null) {
- throw new InvalidParameterValueException("Unable to find project by id " + projectId);
- }
- if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
- throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
- }
- permittedAccounts.add(project.getProjectAccountId());
- }
- }
- } else {
- if (id == null) {
- domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
- }
- if (permittedAccounts.isEmpty() && domainId == null) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
- permittedAccounts.add(caller.getId());
- } else if (!listAll) {
- if (id == null) {
- permittedAccounts.add(caller.getId());
- } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
- domainIdRecursiveListProject.first(caller.getDomainId());
- domainIdRecursiveListProject.second(true);
- }
- } else if (domainId == null) {
- if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
- domainIdRecursiveListProject.first(caller.getDomainId());
- domainIdRecursiveListProject.second(true);
- }
- }
- } else if (domainId != null) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
- permittedAccounts.add(caller.getId());
- }
- }
-
- }
-
- }
-
-
- @Override
- public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId,
- boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
-
- sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
- sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
-
- if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
- // if accountId isn't specified, we can do a domain match for the
- // admin case if isRecursive is true
- sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
- }
-
- if (listProjectResourcesCriteria != null) {
- if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
- } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
- }
- }
-
- }
-
- @Override
- public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
-
- if (!revokedIds.isEmpty()) {
- sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN);
- }
- if (permittedAccounts.isEmpty() && domainId == null && listProjectResourcesCriteria == null) {
- // caller role authorize him to access everything matching query criteria
- return;
-
- }
- boolean hasOp = true;
- if (!permittedAccounts.isEmpty()) {
- sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
- } else if (domainId != null) {
- if (isRecursive) {
- // if accountId isn't specified, we can do a domain match for the
- // admin case if isRecursive is true
- sb.and().op("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
- } else {
- sb.and().op("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
- }
- } else {
- hasOp = false;
- }
-
-
- if (listProjectResourcesCriteria != null) {
- if (hasOp) {
- if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
- } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
- sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
- }
- } else {
- if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
- sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ);
- } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
- sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ);
- }
- }
- }
-
- if (!grantedIds.isEmpty()) {
- sb.or("idIN", sb.entity().getId(), SearchCriteria.Op.IN);
- }
- sb.cp();
-
-
- }
-
- @Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc,
- Long domainId, boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
- if (listProjectResourcesCriteria != null) {
- sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT);
- }
-
- if (!permittedAccounts.isEmpty()) {
- sc.setParameters("accountIdIN", permittedAccounts.toArray());
- } else if (domainId != null) {
- DomainVO domain = _domainDao.findById(domainId);
- if (isRecursive) {
- sc.setParameters("domainPath", domain.getPath() + "%");
- } else {
- sc.setParameters("domainId", domainId);
- }
- }
-
- }
-
- @Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
- if (!revokedIds.isEmpty()) {
- sc.setParameters("idNIN", revokedIds.toArray());
- }
-
- if (listProjectResourcesCriteria != null) {
- sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT);
- }
-
- if (!permittedAccounts.isEmpty()) {
- sc.setParameters("accountIdIN", permittedAccounts.toArray());
- } else if (domainId != null) {
- DomainVO domain = _domainDao.findById(domainId);
- if (isRecursive) {
- sc.setParameters("domainPath", domain.getPath() + "%");
- } else {
- sc.setParameters("domainId", domainId);
- }
- }
-
- if (!grantedIds.isEmpty()) {
- sc.setParameters("idIN", grantedIds.toArray());
- }
- }
-
@Override
public UserAccount getUserByApiKey(String apiKey) {
return _userAccountDao.getUserByApiKey(apiKey);
@@ -2688,8 +2321,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (userAccount != null) {
//check permissions
- checkAccess(caller, null, false, userAccount);
- permittedAccounts.add(userAccount.getId());
+ checkAccess(caller, null, userAccount);
+ accountId = userAccount.getId();
} else {
throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
}
@@ -2803,6 +2436,120 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
@Override
+ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, boolean isRecursive,
+ List<Long> permittedDomains,
+ List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+
+ if (listProjectResourcesCriteria != null) {
+ // add criteria for project or not
+ SearchBuilder<AccountVO> accountSearch = _accountDao.createSearchBuilder();
+ if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) {
+ accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.EQ);
+ } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) {
+ accountSearch.and("type", accountSearch.entity().getType(), SearchCriteria.Op.NEQ);
+ }
+
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.join("accountSearch", accountSearch, ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ } else {
+ sb.join("accountSearch", accountSearch, sb.entity().getAccountId(), accountSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ }
+ }
+ if (permittedDomains.isEmpty() && permittedAccounts.isEmpty() && permittedResources.isEmpty())
+ // can access everything
+ return;
+
+ if (!permittedAccounts.isEmpty() || !permittedResources.isEmpty()) {
+ if (!permittedAccounts.isEmpty()) {
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.and().op("accountIdIn", ((IPAddressVO)sb.entity()).getAllocatedToAccountId(), SearchCriteria.Op.IN);
+ } else {
+ sb.and().op("accountIdIn", sb.entity().getAccountId(), SearchCriteria.Op.IN);
+ }
+ if (!permittedResources.isEmpty()) {
+ sb.or("idIn", ((InternalIdentity)sb.entity()).getId(), SearchCriteria.Op.IN);
+ }
+ } else {
+ // permittedResources is not empty
+ sb.and().op("idIn", ((InternalIdentity)sb.entity()).getId(), SearchCriteria.Op.IN);
+ }
+ if (!permittedDomains.isEmpty()) {
+ if (isRecursive) {
+ SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder();
+ for (int i = 0; i < permittedDomains.size(); i++) {
+ domainSearch.or("path" + i, domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
+ }
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ } else {
+ sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ }
+ } else {
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.or("domainIdIn", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.IN);
+ } else {
+ sb.or("domainIdIn", sb.entity().getDomainId(), SearchCriteria.Op.IN);
+ }
+ }
+ }
+ sb.cp();
+ } else {
+ // permittedDomains is not empty
+ if (isRecursive) {
+ SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder();
+ domainSearch.and().op("path0", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
+ for (int i = 1; i < permittedDomains.size(); i++) {
+ domainSearch.or("path" + i, domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
+ }
+ domainSearch.cp();
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.join("domainSearch", domainSearch, ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ } else {
+ sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+ }
+ } else {
+ if (sb.entity() instanceof IPAddressVO) {
+ sb.and().op("domainIdIn", ((IPAddressVO)sb.entity()).getAllocatedInDomainId(), SearchCriteria.Op.IN);
+ } else {
+ sb.and().op("domainIdIn", sb.entity().getDomainId(), SearchCriteria.Op.IN);
+ }
+ sb.cp();
+ }
+ }
+ }
+
+ @Override
+ public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, boolean isRecursive,
+ List<Long> permittedDomains,
+ List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+
+ if (listProjectResourcesCriteria != null) {
+ sc.setJoinParameters("accountSearch", "type", Account.ACCOUNT_TYPE_PROJECT);
+ }
+
+ if (permittedDomains.isEmpty() && permittedAccounts.isEmpty() && permittedResources.isEmpty())
+ // can access everything
+ return;
+
+ if (!permittedAccounts.isEmpty()) {
+ sc.setParameters("accountIdIn", permittedAccounts.toArray());
+ }
+ if (!permittedResources.isEmpty()) {
+ sc.setParameters("idIn", permittedResources.toArray());
+ }
+ if (!permittedDomains.isEmpty()) {
+ if (isRecursive) {
+ for (int i = 0; i < permittedDomains.size(); i++) {
+ DomainVO domain = _domainDao.findById(permittedDomains.get(i));
+ sc.setJoinParameters("domainSearch", "path" + i, domain.getPath() + "%");
+ }
+ } else {
+ sc.setParameters("domainIdIn", permittedDomains.toArray());
+ }
+ }
+ }
+
+ @Override
public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, SearchCriteria<? extends ControlledEntity> aclSc, boolean isRecursive,
List<Long> permittedDomains,
List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
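Review bot: In `buildACLSearchBuilder`, the branch that combines permitted accounts or resources with permitted domains treats the domain list differently depending on `isRecursive`: the non-recursive path widens the filter with `sb.or("domainIdIn", ...)`, while the recursive path adds an INNER join on `domainSearch`, which looks like it narrows the result to rows that satisfy both the account/resource condition and a domain path. Since this filter scopes list results per caller, the recursive path should be checked against the intended semantics (union of the permitted sets or intersection) and the choice stated in a comment. In that same branch the `path<i>` conditions are added with `domainSearch.or(...)` from index 0, without the `and().op("path0", ...)` … `cp()` grouping used in the domains-only branch, so the two joins are built inconsistently. Separately, `buildACLSearchCriteria` dereferences the result of `_domainDao.findById(permittedDomains.get(i))` without a null check; a guard such as `if (domain == null) { throw new InvalidParameterValueException("Unable to find domain by id " + permittedDomains.get(i)); }` would give a clear error instead of an NPE.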
[5/5] git commit: updated refs/heads/4.4-forward-iam to 26a6aa5
Posted by mc...@apache.org.
Revert "Disable IAM feature from 4.4 release."
This reverts commit 9484328eb7bae480ed0c4ee90df9e717e27043f3.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/26a6aa54
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/26a6aa54
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/26a6aa54
Branch: refs/heads/4.4-forward-iam
Commit: 26a6aa54602cc5507011142150a1c437f0341bd6
Parents: 9484328
Author: Min Chen <mi...@citrix.com>
Authored: Mon May 19 15:44:22 2014 -0700
Committer: Min Chen <mi...@citrix.com>
Committed: Mon May 19 15:44:22 2014 -0700
----------------------------------------------------------------------
api/src/com/cloud/network/NetworkModel.java | 4 +
api/src/com/cloud/user/AccountService.java | 7 +-
.../apache/cloudstack/acl/SecurityChecker.java | 6 +-
.../address/AssociateIPAddrCmdByAdmin.java | 5 +-
.../command/admin/vm/AddNicToVMCmdByAdmin.java | 1 -
.../user/address/AssociateIPAddrCmd.java | 1 +
.../firewall/CreatePortForwardingRuleCmd.java | 1 -
.../AssignToLoadBalancerRuleCmd.java | 9 +-
.../ListLBStickinessPoliciesCmd.java | 4 +-
.../command/user/nat/DisableStaticNatCmd.java | 5 +-
.../command/user/nat/EnableStaticNatCmd.java | 9 +-
.../user/snapshot/CreateSnapshotCmd.java | 2 +
.../api/command/user/vm/AddNicToVMCmd.java | 1 +
.../user/vmsnapshot/CreateVMSnapshotCmd.java | 3 +-
.../command/user/volume/AttachVolumeCmd.java | 4 +-
.../command/user/volume/CreateVolumeCmd.java | 4 +
client/pom.xml | 10 +
client/tomcatconf/commands.properties.in | 15 +
.../core/spring-core-registry-core-context.xml | 2 +-
.../com/cloud/upgrade/dao/Upgrade430to440.java | 47 ++
.../db/src/com/cloud/utils/db/SearchBase.java | 12 +-
.../lb/InternalLoadBalancerVMManagerImpl.java | 9 +-
.../contrail/management/ServiceManagerImpl.java | 5 +-
.../contrail/management/MockAccountManager.java | 86 +--
.../spring-server-core-managers-context.xml | 1 +
server/src/com/cloud/acl/DomainChecker.java | 19 +-
server/src/com/cloud/api/ApiDispatcher.java | 22 -
server/src/com/cloud/api/ApiResponseHelper.java | 2 +-
.../cloud/api/dispatch/ParamProcessWorker.java | 107 ++-
.../com/cloud/api/query/QueryManagerImpl.java | 743 ++++++++++++++++---
.../configuration/ConfigurationManagerImpl.java | 3 +-
.../com/cloud/network/IpAddressManagerImpl.java | 17 +-
.../src/com/cloud/network/NetworkModelImpl.java | 45 +-
.../com/cloud/network/NetworkServiceImpl.java | 26 +-
.../cloud/network/as/AutoScaleManagerImpl.java | 38 +-
.../network/firewall/FirewallManagerImpl.java | 23 +-
.../lb/LoadBalancingRulesManagerImpl.java | 52 +-
.../VirtualNetworkApplianceManagerImpl.java | 10 +-
.../cloud/network/rules/RulesManagerImpl.java | 46 +-
.../security/SecurityGroupManagerImpl.java | 8 +-
.../network/vpc/NetworkACLServiceImpl.java | 56 +-
.../com/cloud/network/vpc/VpcManagerImpl.java | 65 +-
.../network/vpn/RemoteAccessVpnManagerImpl.java | 42 +-
.../network/vpn/Site2SiteVpnManagerImpl.java | 57 +-
.../com/cloud/projects/ProjectManagerImpl.java | 18 +-
.../resourcelimit/ResourceLimitManagerImpl.java | 8 +-
.../com/cloud/server/ManagementServerImpl.java | 36 +-
.../com/cloud/servlet/ConsoleProxyServlet.java | 2 +-
.../com/cloud/storage/VolumeApiServiceImpl.java | 23 +-
.../storage/snapshot/SnapshotManagerImpl.java | 26 +-
.../cloud/tags/TaggedResourceManagerImpl.java | 4 +-
.../com/cloud/template/TemplateAdapterBase.java | 4 +-
.../com/cloud/template/TemplateManagerImpl.java | 34 +-
server/src/com/cloud/user/AccountManager.java | 33 +-
.../src/com/cloud/user/AccountManagerImpl.java | 649 +++++-----------
server/src/com/cloud/vm/UserVmManagerImpl.java | 111 +--
.../vm/snapshot/VMSnapshotManagerImpl.java | 25 +-
.../affinity/AffinityGroupServiceImpl.java | 13 +-
.../lb/ApplicationLoadBalancerManagerImpl.java | 15 +-
.../cloudstack/network/lb/CertServiceImpl.java | 8 +-
.../GlobalLoadBalancingRulesServiceImpl.java | 14 +-
.../com/cloud/event/EventControlsUnitTest.java | 2 +-
.../com/cloud/network/MockNetworkModelImpl.java | 8 +
.../com/cloud/user/MockAccountManagerImpl.java | 75 +-
server/test/com/cloud/vm/UserVmManagerTest.java | 8 +-
.../vm/snapshot/VMSnapshotManagerTest.java | 2 +-
.../com/cloud/vpc/MockNetworkModelImpl.java | 8 +
.../iam/RoleBasedEntityAccessChecker.java | 19 +-
services/pom.xml | 1 +
test/integration/smoke/test_vm_iam.py | 719 ++++++++++++++++++
70 files changed, 2318 insertions(+), 1181 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/com/cloud/network/NetworkModel.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/NetworkModel.java b/api/src/com/cloud/network/NetworkModel.java
index f6555db..1e0a8e8 100644
--- a/api/src/com/cloud/network/NetworkModel.java
+++ b/api/src/com/cloud/network/NetworkModel.java
@@ -22,6 +22,8 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
import com.cloud.dc.Vlan;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InvalidParameterValueException;
@@ -273,4 +275,6 @@ public interface NetworkModel {
boolean isNetworkReadyForGc(long networkId);
boolean getNetworkEgressDefaultPolicy(Long networkId);
+
+ void checkNetworkPermissions(Account owner, Network network, AccessType accessType);
}
\ No newline at end of file
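Review bot: `checkNetworkPermissions` is added to the interface without Javadoc and without a declared exception, so neither an implementer nor a caller can tell from `NetworkModel` how a denied check is reported. `AccountService.checkAccess` in this same commit declares `throws PermissionDeniedException`; if this method signals denial the same way, the interface should say so, e.g. `/** Checks that owner may access network with the given access type; throws PermissionDeniedException when access is denied. */` (wording to be confirmed against the implementation, which is not in this hunk). It would also help to document whether `accessType` may be null.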
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/com/cloud/user/AccountService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index eac8a76..6cc86cd 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -103,12 +103,11 @@ public interface AccountService {
RoleType getRoleType(Account account);
- void checkAccess(Account account, Domain domain) throws PermissionDeniedException;
+ void checkAccess(Account caller, Domain domain) throws PermissionDeniedException;
- void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException;
+ void checkAccess(Account caller, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException;
- void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
- ControlledEntity... entities) throws PermissionDeniedException;
+ void checkAccess(Account caller, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException;
Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly);
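Review bot: Removing the `sameOwner` flag from both `checkAccess` overloads changes a security-relevant contract, yet the interface carries no Javadoc stating what the check now enforces or what a null `accessType` means. Call sites in this commit pass null, for example `checkAccess(caller, null, userAccount)` in `AccountManagerImpl` and `_accountService.checkAccess(caller, null, lb)` in `ListLBStickinessPoliciesCmd`, so the default applies to each of them. I would add a Javadoc block on the `ControlledEntity...` overload that names the access type applied when `accessType` is null and states that the same-owner requirement is no longer chosen by the caller; the exact default has to come from the checker implementations, which are outside this hunk.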
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/acl/SecurityChecker.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
index 4170871..79366bd 100644
--- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java
+++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java
@@ -31,10 +31,10 @@ import com.cloud.utils.component.Adapter;
public interface SecurityChecker extends Adapter {
public enum AccessType {
- ModifyProject,
- OperateEntry,
+ ListEntry,
UseEntry,
- ListEntry
+ OperateEntry,
+ ModifyProject,
}
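Review bot: The `AccessType` constants are reordered with no comment saying whether declaration order is meaningful. The new order (`ListEntry`, `UseEntry`, `OperateEntry`, `ModifyProject`) reads like an ascending privilege scale; if any code compares these values with `ordinal()` or `compareTo`, or persists the ordinal, this change alters behaviour and deserves a test. If nothing depends on the order, a comment such as `// declaration order is not significant; do not compare ordinals` would keep a later change from relying on it. The trailing comma after `ModifyProject` is legal but differs from the previous style.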
/**
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
index dbff93f..494a6d6 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
@@ -31,8 +31,11 @@ import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.IpAddress;
+import com.cloud.network.vpc.Vpc;
-@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full)
+@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full,
+ entityType = {IpAddress.class, Vpc.class},
+ requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class AssociateIPAddrCmdByAdmin extends AssociateIPAddrCmd {
public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmdByAdmin.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
index 945f849..3dd22c1 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
@@ -33,7 +33,6 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.uservm.UserVm;
import com.cloud.vm.VirtualMachine;
-
@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, entityType = {VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
public class AddNicToVMCmdByAdmin extends AddNicToVMCmd {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
index 96174e1..48fe43e 100644
--- a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
@@ -58,6 +58,7 @@ import com.cloud.projects.Project;
import com.cloud.user.Account;
@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Restricted,
+ entityType = {IpAddress.class, Vpc.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class AssociateIPAddrCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmd.class.getName());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
index 865cd1b..6fb120f 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
@@ -49,7 +49,6 @@ import com.cloud.utils.net.Ip;
import com.cloud.utils.net.NetUtils;
import com.cloud.vm.VirtualMachine;
-
@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class,
VirtualMachine.class, IpAddress.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
index dd9adef..db4d70e 100644
--- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
@@ -23,8 +23,11 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import com.cloud.utils.net.NetUtils;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@@ -38,15 +41,15 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.LoadBalancer;
import com.cloud.user.Account;
import com.cloud.utils.StringUtils;
-import com.cloud.utils.net.NetUtils;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "assignToLoadBalancerRule",
description = "Assigns virtual machine or a list of virtual machines to a load balancer rule.",
- responseObject = SuccessResponse.class,
+ responseObject = SuccessResponse.class, entityType = {FirewallRule.class, VirtualMachine.class},
requestHasSensitiveInfo = false,
responseHasSensitiveInfo = false)
public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
@@ -58,6 +61,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID,
type = CommandType.UUID,
entityType = FirewallRuleResponse.class,
@@ -65,6 +69,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
description = "the ID of the load balancer rule")
private Long id;
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_IDS,
type = CommandType.LIST,
collectionType = CommandType.UUID,
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
index 9905c0b..dd03191 100644
--- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
@@ -86,7 +86,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
if (lb != null) {
//check permissions
Account caller = CallContext.current().getCallingAccount();
- _accountService.checkAccess(caller, null, true, lb);
+ _accountService.checkAccess(caller, null, lb);
List<? extends StickinessPolicy> stickinessPolicies = _lbService.searchForLBStickinessPolicies(this);
LBStickinessResponse spResponse = _responseGenerator.createLBStickinessPolicyResponse(stickinessPolicies, lb);
spResponses.add(spResponse);
@@ -94,7 +94,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
}
response.setResponseName(getCommandName());
- this.setResponseObject(response);
+ setResponseObject(response);
}
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java
index 1df77ec..2a9311e 100644
--- a/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java
@@ -34,8 +34,11 @@ import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.IpAddress;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.vm.VirtualMachine;
@APICommand(name = "disableStaticNat", description = "Disables static rule for given ip address", responseObject = SuccessResponse.class,
+ entityType = {IpAddress.class, VirtualMachine.class, Vpc.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class DisableStaticNatCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeletePortForwardingRuleCmd.class.getName());
@@ -89,7 +92,7 @@ public class DisableStaticNatCmd extends BaseAsyncCmd {
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
- this.setResponseObject(response);
+ setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to disable static nat");
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
index aa4e287..9d88876 100644
--- a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
@@ -18,6 +18,8 @@ package org.apache.cloudstack.api.command.user.nat;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@@ -33,10 +35,13 @@ import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.IpAddress;
+import com.cloud.network.vpc.Vpc;
import com.cloud.user.Account;
import com.cloud.uservm.UserVm;
+import com.cloud.vm.VirtualMachine;
@APICommand(name = "enableStaticNat", description = "Enables static nat for given ip address", responseObject = SuccessResponse.class,
+ entityType = {IpAddress.class, VirtualMachine.class, Vpc.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class EnableStaticNatCmd extends BaseCmd {
public static final Logger s_logger = Logger.getLogger(CreateIpForwardingRuleCmd.class.getName());
@@ -47,10 +52,12 @@ public class EnableStaticNatCmd extends BaseCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.IP_ADDRESS_ID, type = CommandType.UUID, entityType = IPAddressResponse.class, required = true, description = "the public IP "
+ "address id for which static nat feature is being enabled")
private Long ipAddressId;
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, required = true, description = "the ID of "
+ "the virtual machine for enabling static nat feature")
private Long virtualMachineId;
@@ -133,7 +140,7 @@ public class EnableStaticNatCmd extends BaseCmd {
boolean result = _rulesService.enableStaticNat(ipAddressId, virtualMachineId, getNetworkId(), getVmSecondaryIp());
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
- this.setResponseObject(response);
+ setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to enable static nat");
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
index df7fe82..bd8662e 100644
--- a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.user.snapshot;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -62,6 +63,7 @@ public class CreateSnapshotCmd extends BaseAsyncCreateCmd {
description = "The domain ID of the snapshot. If used with the account parameter, specifies a domain for the account associated with the disk volume.")
private Long domainId;
+ @ACL
@Parameter(name = ApiConstants.VOLUME_ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "The ID of the disk volume")
private Long volumeId;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
index f265ecf..fd30152 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
@@ -54,6 +54,7 @@ public class AddNicToVMCmd extends BaseAsyncCmd {
required=true, description="Virtual Machine ID")
private Long vmId;
+ @ACL
@Parameter(name = ApiConstants.NETWORK_ID, type = CommandType.UUID, entityType = NetworkResponse.class, required = true, description = "Network ID")
private Long netId;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
index 10ff5cd..1310ba5 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
@@ -19,7 +19,6 @@ package org.apache.cloudstack.api.command.user.vmsnapshot;
import java.util.logging.Logger;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
@@ -43,7 +42,7 @@ public class CreateVMSnapshotCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateVMSnapshotCmd.class.getName());
private static final String s_name = "createvmsnapshotresponse";
- @ACL(accessType = AccessType.OperateEntry)
+ @ACL
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, required = true, entityType = UserVmResponse.class, description = "The ID of the vm")
private Long vmId;
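Review bot: The annotation on `vmId` drops the explicit `accessType = AccessType.OperateEntry` in favour of a bare `@ACL`, so the access level checked before a VM snapshot is taken now depends on the annotation's default, which this hunk does not show. If that default is weaker than operate (it appears to be a use-level check, to be confirmed against the `ACL` annotation), a caller who may only use the VM could also snapshot it. Unless the downgrade is intended, keep `@ACL(accessType = AccessType.OperateEntry)` together with the `AccessType` import that the previous hunk removes. If it is intended, a one-line comment above the field saying why use-level access is sufficient would help; the bare `@ACL` added on `volumeId` in CreateSnapshotCmd relies on the same default.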
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
index 467ffc4..8034745 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java
@@ -37,7 +37,8 @@ import com.cloud.storage.Volume;
import com.cloud.user.Account;
import com.cloud.vm.VirtualMachine;
-@APICommand(name = "attachVolume", description = "Attaches a disk volume to a virtual machine.", responseObject = VolumeResponse.class, responseView = ResponseView.Restricted, entityType = {VirtualMachine.class},
+@APICommand(name = "attachVolume", description = "Attaches a disk volume to a virtual machine.", responseObject = VolumeResponse.class, responseView = ResponseView.Restricted, entityType = {
+ VirtualMachine.class, Volume.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class AttachVolumeCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AttachVolumeCmd.class.getName());
@@ -52,6 +53,7 @@ public class AttachVolumeCmd extends BaseAsyncCmd {
+ "* 4 - /dev/xvde" + "* 5 - /dev/xvdf" + "* 6 - /dev/xvdg" + "* 7 - /dev/xvdh" + "* 8 - /dev/xvdi" + "* 9 - /dev/xvdj")
private Long deviceId;
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "the ID of the disk volume")
private Long id;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
index 1e3c01c..dc91261 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
@@ -19,6 +19,8 @@ package org.apache.cloudstack.api.command.user.volume;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
@@ -91,6 +93,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
@Parameter(name = ApiConstants.MAX_IOPS, type = CommandType.LONG, description = "max iops")
private Long maxIops;
+ @ACL
@Parameter(name = ApiConstants.SNAPSHOT_ID,
type = CommandType.UUID,
entityType = SnapshotResponse.class,
@@ -103,6 +106,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
@Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin})
private Boolean displayVolume;
+ @ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
type = CommandType.UUID,
entityType = UserVmResponse.class,
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/client/pom.xml
----------------------------------------------------------------------
diff --git a/client/pom.xml b/client/pom.xml
index 1a972c9..eda8a85 100644
--- a/client/pom.xml
+++ b/client/pom.xml
@@ -228,6 +228,16 @@
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloud-plugin-iam</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cloudstack</groupId>
+ <artifactId>cloud-iam</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-framework-ipc</artifactId>
<version>${project.version}</version>
</dependency>
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/client/tomcatconf/commands.properties.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/commands.properties.in b/client/tomcatconf/commands.properties.in
index d247aa0..da3fbfc 100644
--- a/client/tomcatconf/commands.properties.in
+++ b/client/tomcatconf/commands.properties.in
@@ -732,6 +732,21 @@ listLdapUsers=3
ldapCreateAccount=3
importLdapUsers=3
+### IAM commands
+createIAMPolicy=1
+deleteIAMPolicy=1
+listIAMPolicies=1
+addIAMPermissionToIAMPolicy=1
+removeIAMPermissionFromIAMPolicy=1
+createIAMGroup=1
+deleteIAMGroup=1
+listIAMGroups=1
+addAccountToIAMGroup=1
+removeAccountFromIAMGroup=1
+attachIAMPolicyToIAMGroup=1
+removeIAMPolicyFromIAMGroup=1
+attachIAMPolicyToAccount=1
+removeIAMPolicyFromAccount=1
#### juniper-contrail commands
createServiceInstance=1
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
----------------------------------------------------------------------
diff --git a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
index d54823a..0f58d7d 100644
--- a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
+++ b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml
@@ -46,7 +46,7 @@
<property name="orderConfigKey" value="security.checkers.order" />
<property name="excludeKey" value="security.checkers.exclude" />
<property name="orderConfigDefault"
- value="AffinityGroupAccessChecker,DomainChecker" />
+ value="RoleBasedEntityAccessChecker,AffinityGroupAccessChecker,DomainChecker" />
</bean>
<bean id="resourceDiscoverersRegistry"
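Review bot: The new default puts `RoleBasedEntityAccessChecker` ahead of `AffinityGroupAccessChecker` and `DomainChecker`, but nothing in the file says that the order is significant or why the IAM checker goes first. If the registry consults checkers in this order and stops at the first one that grants access (not visible in this hunk), the position decides which checker has the final say. That deserves an XML comment next to the property, e.g. `<!-- order matters: security checkers are consulted in the listed order -->`. Deployments that already set `security.checkers.order` explicitly would presumably not pick up the new checker from this default, which is worth covering in the upgrade notes.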
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
index da71d44..26277dd 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade430to440.java
@@ -59,10 +59,57 @@ public class Upgrade430to440 implements DbUpgrade {
@Override
public void performDataMigration(Connection conn) {
+ populateIAMGroupAccountMap(conn);
secondaryIpsAccountAndDomainIdsUpdate(conn);
moveCidrsToTheirOwnTable(conn);
}
+ // populate iam_group_account_map table for existing accounts
+ private void populateIAMGroupAccountMap(Connection conn) {
+ PreparedStatement acctInsert = null;
+ PreparedStatement acctQuery = null;
+ ResultSet rs = null;
+
+ s_logger.debug("Populating iam_group_account_map table for existing accounts...");
+ try {
+ acctInsert = conn
+ .prepareStatement("INSERT INTO `cloud`.`iam_group_account_map` (group_id, account_id, created) values(?, ?, Now())");
+ acctQuery = conn
+ .prepareStatement("select id, type from `cloud`.`account` where removed is null");
+ rs = acctQuery.executeQuery();
+
+ while (rs.next()) {
+ Long acct_id = rs.getLong("id");
+ short type = rs.getShort("type");
+
+ // insert entry in iam_group_account_map table
+ acctInsert.setLong(1, type + 1);
+ acctInsert.setLong(2, acct_id);
+ acctInsert.executeUpdate();
+ }
+ } catch (SQLException e) {
+ String msg = "Unable to populate iam_group_account_map for existing accounts." + e.getMessage();
+ s_logger.error(msg);
+ throw new CloudRuntimeException(msg, e);
+ } finally {
+ try {
+ if (rs != null) {
+ rs.close();
+ }
+
+ if (acctInsert != null) {
+ acctInsert.close();
+ }
+ if (acctQuery != null) {
+ acctQuery.close();
+ }
+ } catch (SQLException e) {
+ }
+ }
+ s_logger.debug("Completed populate iam_group_account_map for existing accounts.");
+ }
+
+
private void secondaryIpsAccountAndDomainIdsUpdate(Connection conn) {
PreparedStatement pstmt = null;
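Review bot: In `populateIAMGroupAccountMap` the group id is computed as `type + 1` with no explanation, so every existing account's IAM group, and with it the permissions it has after the upgrade, rests on an unstated assumption that the default groups were seeded with ids following the account-type values. Please state that above `acctInsert.setLong(1, type + 1);`, e.g. `// default IAM groups are seeded so that group id == account type + 1`, and consider failing the upgrade when the target group row does not exist. The `finally` block has an empty `catch (SQLException e) {}` and closes all three resources inside one `try`, so a failure in `rs.close()` skips both statements and is never logged; close each resource separately and log the failure. The error message also lacks a separator before the exception text: `"... for existing accounts. " + e.getMessage()`.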
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/framework/db/src/com/cloud/utils/db/SearchBase.java
----------------------------------------------------------------------
diff --git a/framework/db/src/com/cloud/utils/db/SearchBase.java b/framework/db/src/com/cloud/utils/db/SearchBase.java
index d19918a..4ec9a41 100644
--- a/framework/db/src/com/cloud/utils/db/SearchBase.java
+++ b/framework/db/src/com/cloud/utils/db/SearchBase.java
@@ -235,7 +235,17 @@ public abstract class SearchBase<J extends SearchBase<?, T, K>, T, K> {
if (_entity == null || _specifiedAttrs == null || _specifiedAttrs.size() != 1) {
throw new RuntimeException("Now now, better specify an attribute or else we can't help you");
}
- return _specifiedAttrs.get(0);
+ if (_specifiedAttrs.size() > 0) {
+ return _specifiedAttrs.get(0);
+ }
+ // look for attributes from joins
+ for (JoinBuilder<SearchBase<?, ?, ?>> join : _joins.values()) {
+ SearchBase<?, ?, ?> sb = join.getT();
+ if (sb.getSpecifiedAttribute() != null) {
+ return sb.getSpecifiedAttribute();
+ }
+ }
+ throw new CloudRuntimeException("Unable to find any specified attributes. You sure you know what you're doing?");
}
protected List<Attribute> getSpecifiedAttributes() {
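Review bot: The added fallback is unreachable, because the unchanged guard above it still throws whenever `_specifiedAttrs.size() != 1`. Past that guard the list always has exactly one element, so `if (_specifiedAttrs.size() > 0)` is always true and the join loop and the final `CloudRuntimeException` never run. If the intent is to fall back to attributes from joined builders, the guard has to let the empty case through, for example `if (_entity == null || _specifiedAttrs == null || _specifiedAttrs.size() > 1) {`. Once reachable, the loop needs care too: `sb.getSpecifiedAttribute()` is called twice per join and, judging by this method's own body, throws rather than returning null, so the `!= null` test would never skip a join. The method starts outside this hunk.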
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
index aa763d5..89707c9 100644
--- a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
+++ b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
@@ -27,11 +27,12 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
+import org.apache.log4j.Logger;
+
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
-import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.agent.api.Answer;
@@ -519,7 +520,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
return true;
}
- _accountMgr.checkAccess(caller, null, true, internalLbVm);
+ _accountMgr.checkAccess(caller, null, internalLbVm);
_itMgr.expunge(internalLbVm.getUuid());
_internalLbVmDao.remove(internalLbVm.getId());
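Review bot: The check before `_itMgr.expunge(...)` passes `null` as the access type, so the call site does not say which level of access is required to destroy the internal LB VM. The same applies to the stop and start paths in the next two hunks and to `checkAccess(caller, null, jobOwner)` in ApiResponseHelper. With the `sameOwner` flag gone, what a null access type means is decided entirely inside `checkAccess`, which is not visible here. For destructive or state-changing operations it would be clearer to pass the level explicitly, e.g. `_accountMgr.checkAccess(caller, AccessType.OperateEntry, internalLbVm);`, provided that matches the intended policy. The enclosing methods start and end outside these hunks.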
@@ -534,7 +535,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
}
//check permissions
- _accountMgr.checkAccess(caller, null, true, internalLbVm);
+ _accountMgr.checkAccess(caller, null, internalLbVm);
return stopInternalLbVm(internalLbVm, forced, caller, callerUserId);
}
@@ -912,7 +913,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
}
//check permissions
- _accountMgr.checkAccess(caller, null, true, internalLbVm);
+ _accountMgr.checkAccess(caller, null, internalLbVm);
return startInternalLbVm(internalLbVm, caller, callerUserId, null);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
index f34eacc..acd9b4e 100644
--- a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
+++ b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
@@ -30,6 +30,7 @@ import javax.inject.Inject;
import net.juniper.contrail.api.ApiConnector;
import net.juniper.contrail.api.types.ServiceInstance;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.network.contrail.api.response.ServiceInstanceResponse;
import org.apache.cloudstack.network.contrail.model.ServiceInstanceModel;
@@ -136,10 +137,10 @@ public class ServiceManagerImpl implements ServiceManager {
// TODO: permission model.
// service instances need to be able to access the public network.
if (left.getTrafficType() == TrafficType.Guest) {
- _networkModel.checkNetworkPermissions(owner, left);
+ _networkModel.checkNetworkPermissions(owner, left, AccessType.UseEntry);
}
if (right.getTrafficType() == TrafficType.Guest) {
- _networkModel.checkNetworkPermissions(owner, right);
+ _networkModel.checkNetworkPermissions(owner, right, AccessType.UseEntry);
}
final ApiConnector api = _manager.getApiConnector();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index 1a29f9c..a39fb43 100644
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -34,7 +34,6 @@ import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
import org.apache.cloudstack.context.CallContext;
-import com.cloud.api.query.vo.ControlledViewEntity;
import com.cloud.configuration.ResourceLimit;
import com.cloud.configuration.dao.ResourceCountDao;
import com.cloud.domain.Domain;
@@ -102,11 +101,6 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
}
@Override
- public void checkAccess(Account arg0, AccessType arg1, boolean arg2, ControlledEntity... arg3) throws PermissionDeniedException {
- // TODO Auto-generated method stub
- }
-
- @Override
public String[] createApiKeyAndSecretKey(RegisterCmd arg0) {
// TODO Auto-generated method stub
return null;
@@ -208,90 +202,51 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
}
-
-
@Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, SearchCriteria<? extends ControlledEntity> aclSc, boolean isRecursive,
- List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+ public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, boolean isRecursive, List<Long> permittedDomains, List<Long> permittedAccounts,
+ List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
// TODO Auto-generated method stub
}
@Override
- public List<String> listAclGroupsByAccount(Long accountId) {
+ public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, boolean isRecursive, List<Long> permittedDomains, List<Long> permittedAccounts,
+ List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
// TODO Auto-generated method stub
- return null;
- }
- @Override
- public UserAccount lockUser(long arg0) {
- // TODO Auto-generated method stub
- return null;
}
@Override
- public void markUserRegistered(long arg0) {
+ public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, SearchCriteria<? extends ControlledEntity> aclSc, boolean isRecursive,
+ List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
// TODO Auto-generated method stub
}
@Override
- public UserAccount authenticateUser(String arg0, String arg1, Long arg2, String arg3, Map<String, Object[]> arg4) {
+ public List<String> listAclGroupsByAccount(Long accountId) {
// TODO Auto-generated method stub
return null;
}
@Override
- public void buildACLSearchBuilder(
- SearchBuilder<? extends ControlledEntity> arg0, Long arg1,
- boolean arg2, List<Long> arg3, ListProjectResourcesCriteria arg4) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void buildACLSearchCriteria(
- SearchCriteria<? extends ControlledEntity> arg0, Long arg1,
- boolean arg2, List<Long> arg3, ListProjectResourcesCriteria arg4) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void buildACLSearchParameters(Account arg0, Long arg1, String arg2,
- Long arg3, List<Long> arg4,
- Ternary<Long, Boolean, ListProjectResourcesCriteria> arg5,
- boolean arg6, boolean arg7) {
+ public UserAccount lockUser(long arg0) {
// TODO Auto-generated method stub
-
+ return null;
}
@Override
- public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria) {
+ public void markUserRegistered(long arg0) {
// TODO Auto-generated method stub
}
@Override
- public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
+ public UserAccount authenticateUser(String arg0, String arg1, Long arg2, String arg3, Map<String, Object[]> arg4) {
// TODO Auto-generated method stub
+ return null;
}
- @Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria) {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
- ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
- // TODO Auto-generated method stub
-
- }
@Override
public Long checkAccessAndSpecifyAuthority(Account arg0, Long arg1) {
@@ -407,15 +362,24 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
}
+
@Override
- public void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
- ControlledEntity... entities) throws PermissionDeniedException {
+ public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) {
// TODO Auto-generated method stub
+ return null;
}
@Override
- public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) {
+ public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
// TODO Auto-generated method stub
- return null;
+
}
+
+ @Override
+ public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
+ // TODO Auto-generated method stub
+
+ }
+
+
}
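Review bot: Both new `checkAccess` overloads are empty stubs carrying only `// TODO Auto-generated method stub`, so this mock silently passes every access check and tests built on it cannot notice a missing or wrong permission check. Replace the generated comment with one that says so, e.g. `// test mock: grants access unconditionally`. The hunk also adds stray blank lines before the first `@Override` and before the closing brace of the class.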
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
----------------------------------------------------------------------
diff --git a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
index fc1c7e2..09abcb7 100644
--- a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
+++ b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
@@ -74,6 +74,7 @@
<bean id="networkModelImpl" class="com.cloud.network.NetworkModelImpl">
<property name="networkElements" value="#{networkElementsRegistry.registered}" />
+ <property name="securityCheckers" value="#{securityCheckersRegistry.registered}" />
</bean>
<bean id="configurationServerImpl" class="com.cloud.server.ConfigurationServerImpl" />
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/acl/DomainChecker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index 729a0d1..9ee65db 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -19,6 +19,7 @@ package com.cloud.acl;
import javax.ejb.Local;
import javax.inject.Inject;
+import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.ControlledEntity;
@@ -50,6 +51,8 @@ import com.cloud.utils.component.AdapterBase;
@Local(value = SecurityChecker.class)
public class DomainChecker extends AdapterBase implements SecurityChecker {
+ public static final Logger s_logger = Logger.getLogger(DomainChecker.class);
+
@Inject
DomainDao _domainDao;
@Inject
@@ -101,6 +104,15 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
throws PermissionDeniedException {
+
+ if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountService.isRootAdmin(caller.getId())) {
+ // no need to make permission checks if the system/root admin makes the call
+ if (s_logger.isTraceEnabled()) {
+ s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
+ }
+ return true;
+ }
+
if (entity instanceof VirtualMachineTemplate) {
VirtualMachineTemplate template = (VirtualMachineTemplate)entity;
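Review bot: The new short-circuit dereferences `caller` without a null check (`caller.getId()`), while the four-argument overload later in this file tests `caller != null` and then delegates here, so a null caller now ends in a NullPointerException at this line. A guard such as `if (caller != null && (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountService.isRootAdmin(caller.getId()))) {` keeps the bypass and passes the null case on to the checks below, whose own null handling is not visible in this hunk. Because this branch skips every entity-specific check, a comment or Javadoc line should state that system and root-admin callers are exempt by design. The grant is also only recorded at trace level, which is worth reconsidering if these decisions are meant to be auditable. The method body continues outside the hunk.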
@@ -332,20 +344,15 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
if (action != null && ("SystemCapability".equals(action))) {
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
return true;
- } else {
- return false;
}
+
} else if (action != null && ("DomainCapability".equals(action))) {
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
return true;
- } else {
- return false;
}
} else if (action != null && ("DomainResourceCapability".equals(action))) {
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
return true;
- } else {
- return false;
}
}
return checkAccess(caller, entity, accessType);
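Review bot: Removing the three `else { return false; }` branches changes these capability checks from deny to fall-through: a caller whose account type does not match the requested action is no longer rejected here but handed to `checkAccess(caller, entity, accessType)`. If that is intended, say so in a comment above the chain, e.g. `// a type mismatch is not a denial; fall through to the generic entity check`; if not, the explicit `return false` should stay. With the `else` branches gone the nested `if`s can be merged, e.g. `if ("SystemCapability".equals(action) && caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) { return true; }`, which also drops the redundant `action != null` test and the stray blank line after the first block. The method starts outside the hunk.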
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/api/ApiDispatcher.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiDispatcher.java b/server/src/com/cloud/api/ApiDispatcher.java
index 3447662..b6b9b29 100755
--- a/server/src/com/cloud/api/ApiDispatcher.java
+++ b/server/src/com/cloud/api/ApiDispatcher.java
@@ -23,10 +23,6 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
-import org.apache.cloudstack.acl.ControlledEntity;
-import org.apache.cloudstack.acl.InfrastructureEntity;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
@@ -40,7 +36,6 @@ import org.apache.cloudstack.framework.jobs.AsyncJobManager;
import com.cloud.api.dispatch.DispatchChain;
import com.cloud.api.dispatch.DispatchChainFactory;
import com.cloud.api.dispatch.DispatchTask;
-import com.cloud.user.Account;
import com.cloud.user.AccountManager;
public class ApiDispatcher {
@@ -79,23 +74,6 @@ public class ApiDispatcher {
asyncCreationDispatchChain.dispatch(new DispatchTask(cmd, params));
}
- private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess) {
- Account caller = CallContext.current().getCallingAccount();
-
- APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
- String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
-
- if (!entitiesToAccess.isEmpty()) {
- for (Object entity : entitiesToAccess.keySet()) {
- if (entity instanceof ControlledEntity) {
- _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), false, apiName, (ControlledEntity) entity);
- } else if (entity instanceof InfrastructureEntity) {
- //FIXME: Move this code in adapter, remove code from Account manager
- }
- }
- }
- }
-
public void dispatch(final BaseCmd cmd, final Map<String, String> params, final boolean execute) throws Exception {
// Let the chain of responsibility dispatch gradually
standardDispatchChain.dispatch(new DispatchTask(cmd, params));
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index a4f08fd..6746c13 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -1855,7 +1855,7 @@ public class ApiResponseHelper implements ResponseGenerator {
throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId());
}
} else if (_accountMgr.isDomainAdmin(caller.getId())) {
- _accountMgr.checkAccess(caller, null, true, jobOwner);
+ _accountMgr.checkAccess(caller, null, jobOwner);
}
return createAsyncJobResponse(_jobMgr.queryJob(cmd.getId(), true));
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
index 0bb0220..ba5bebf 100644
--- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -40,6 +40,7 @@ import org.apache.cloudstack.acl.InfrastructureEntity;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.BaseCmd;
@@ -55,7 +56,11 @@ import org.apache.cloudstack.api.command.user.event.DeleteEventsCmd;
import org.apache.cloudstack.api.command.user.event.ListEventsCmd;
import org.apache.cloudstack.context.CallContext;
+import com.cloud.dc.DataCenter;
import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.offering.DiskOffering;
+import com.cloud.offering.ServiceOffering;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.utils.DateUtil;
@@ -217,27 +222,111 @@ public class ParamProcessWorker implements DispatchWorker {
}
- private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess) {
+ private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType> entitiesToAccess) {
Account caller = CallContext.current().getCallingAccount();
- Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId());
+ Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
+ if (owner == null) {
+ owner = caller;
+ }
if (cmd instanceof BaseAsyncCreateCmd) {
- // check that caller can access the owner account.
- _accountMgr.checkAccess(caller, null, true, owner);
+ if (owner.getId() != caller.getId()) {
+ // mimic impersonation either by passing (account, domainId) or through derived owner from other api parameters
+ // in this case, we should check access using the owner
+ _accountMgr.checkAccess(caller, null, owner);
+ }
+ } else {
+ // check access using the caller for other operational cmds
+ owner = caller;
}
+ APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
+
+ String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
+
if (!entitiesToAccess.isEmpty()) {
- // check that caller can access the owner account.
- _accountMgr.checkAccess(caller, null, true, owner);
+ List<ControlledEntity> entitiesToOperate = new ArrayList<ControlledEntity>();
for (Object entity : entitiesToAccess.keySet()) {
if (entity instanceof ControlledEntity) {
- _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity) entity);
+
+ if (AccessType.OperateEntry == entitiesToAccess.get(entity)) {
+ entitiesToOperate.add((ControlledEntity) entity);
+ } else {
+ _accountMgr.checkAccess(owner, entitiesToAccess.get(entity), apiName,
+ (ControlledEntity) entity);
+ }
} else if (entity instanceof InfrastructureEntity) {
- // FIXME: Move this code in adapter, remove code from
- // Account manager
+ if (entity instanceof DataCenter) {
+ checkZoneAccess(owner, (DataCenter)entity);
+ } else if (entity instanceof ServiceOffering) {
+ checkServiceOfferingAccess(owner, (ServiceOffering)entity);
+ } else if (entity instanceof DiskOffering) {
+ checkDiskOfferingAccess(owner, (DiskOffering)entity);
+ }
+ }
+ }
+
+ if (!entitiesToOperate.isEmpty()) {
+ _accountMgr.checkAccess(owner, AccessType.OperateEntry, apiName,
+ entitiesToOperate.toArray(new ControlledEntity[entitiesToOperate.size()]));
+ }
+
+ }
+ }
+
+ private void checkDiskOfferingAccess(Account caller, DiskOffering dof) {
+ for (SecurityChecker checker : _secChecker) {
+ if (checker.checkAccess(caller, dof)) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Access granted to " + caller + " to disk offering:" + dof.getId() + " by "
+ + checker.getName());
+ }
+ return;
+ } else {
+ throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName());
+ }
+ }
+
+ assert false : "How can all of the security checkers pass on checking this caller?";
+ throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to disk offering:"
+ + dof.getId());
+ }
+
+ private void checkServiceOfferingAccess(Account caller, ServiceOffering sof) {
+ for (SecurityChecker checker : _secChecker) {
+ if (checker.checkAccess(caller, sof)) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Access granted to " + caller + " to service offering:" + sof.getId() + " by "
+ + checker.getName());
}
+ return;
+ } else {
+ throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName());
}
}
+
+ assert false : "How can all of the security checkers pass on checking this caller?";
+ throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to service offering:"
+ + sof.getId());
+ }
+
+ private void checkZoneAccess(Account caller, DataCenter zone) {
+ for (SecurityChecker checker : _secChecker) {
+ if (checker.checkAccess(caller, zone)) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Access granted to " + caller + " to zone:" + zone.getId() + " by "
+ + checker.getName());
+ }
+ return;
+ } else {
+ throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName()
+ + " for zone " + zone.getId());
+ }
+ }
+
+ assert false : "How can all of the security checkers pass on checking this caller?";
+ throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to zone:"
+ + zone.getId());
}
@SuppressWarnings({"unchecked", "rawtypes"})
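Review bot: In `checkDiskOfferingAccess`, `checkServiceOfferingAccess` and `checkZoneAccess`, both branches of the `if` leave the method, so the `for` loop over `_secChecker` never reaches a second checker and the first registered checker alone decides. If a `false` return is meant as "this checker does not handle the entity", the `else { throw ... }` branch should be dropped, leaving the `PermissionDeniedException` after the loop as the single deny path; if the first checker is meant to decide, the loop is misleading and needs a comment saying so. In `doAccessChecks`, an `InfrastructureEntity` that is not a `DataCenter`, `ServiceOffering` or `DiskOffering` falls through the inner `if` chain with no check at all; a final `else` that throws `PermissionDeniedException` would make that case fail closed. The fallback `if (owner == null) { owner = caller; }` also deserves a comment explaining why an unresolvable owner id is treated as the caller rather than rejected.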
[4/5] Revert "Disable IAM feature from 4.4 release."
Posted by mc...@apache.org.
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index e675e83..a2437b8 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -478,7 +478,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
private Pair<List<EventJoinVO>, Integer> searchForEventsInternal(ListEventsCmd cmd) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Long id = cmd.getId();
String type = cmd.getType();
@@ -491,16 +493,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listEvents");
+ //Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(EventJoinVO.class, "createDate", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<EventJoinVO> sb = _eventJoinDao.createSearchBuilder();
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("levelL", sb.entity().getLevel(), SearchCriteria.Op.LIKE);
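Review bot: The old assignment is left behind as a comment, `//Long domainId = domainIdRecursiveListProject.first();`, instead of being deleted; version control already keeps the removed line. The same leftover appears in the listInstanceGroups hunk (`// Long domainId = ...`) and the listProjectInvitations hunk (`//domainId = ...`), and the listAsyncJobs hunks wrap the whole previous search builder in `/* ... */`. Dead code inside the ACL-building methods makes it harder to see which filter actually applies, so I would remove these lines outright. The enclosing method continues outside this hunk.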
@@ -516,9 +516,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("archived", sb.entity().getArchived(), SearchCriteria.Op.EQ);
SearchCriteria<EventJoinVO> sc = sb.create();
- // building ACL condition
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<EventJoinVO> aclSc = _eventJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
// For end users display only enabled events
if (!_accountMgr.isRootAdmin(caller.getId())) {
@@ -597,7 +597,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
private Pair<List<ResourceTagJoinVO>, Integer> listTagsInternal(ListTagsCmd cmd) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
String key = cmd.getKey();
String value = cmd.getValue();
String resourceId = cmd.getResourceId();
@@ -608,16 +610,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject =
new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, listAll, false);
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, false, "listTags");
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(ResourceTagJoinVO.class, "resourceType", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<ResourceTagJoinVO> sb = _resourceTagJoinDao.createSearchBuilder();
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("key", sb.entity().getKey(), SearchCriteria.Op.EQ);
sb.and("value", sb.entity().getValue(), SearchCriteria.Op.EQ);
@@ -633,8 +633,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// now set the SC criteria...
SearchCriteria<ResourceTagJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<ResourceTagJoinVO> aclSc = _resourceTagJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (key != null) {
sc.setParameters("key", key);
@@ -676,28 +677,29 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
String keyword = cmd.getKeyword();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listInstanceGroups");
+ // Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(InstanceGroupJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<InstanceGroupJoinVO> sb = _vmGroupJoinDao.createSearchBuilder();
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE);
SearchCriteria<InstanceGroupJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<InstanceGroupJoinVO> aclSc = _vmGroupJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
@@ -994,7 +996,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
String securityGroup = cmd.getSecurityGroupName();
Long id = cmd.getId();
Object keyword = cmd.getKeyword();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Map<String, String> tags = cmd.getTags();
if (instanceId != null) {
@@ -1002,14 +1006,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (userVM == null) {
throw new InvalidParameterValueException("Unable to list network groups for virtual machine instance " + instanceId + "; instance not found.");
}
- _accountMgr.checkAccess(caller, null, true, userVM);
+ _accountMgr.checkAccess(caller, null, userVM);
return listSecurityGroupRulesByVM(instanceId.longValue(), cmd.getStartIndex(), cmd.getPageSizeVal());
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listSecurityGroups");
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
@@ -1018,15 +1022,13 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
SearchBuilder<SecurityGroupJoinVO> sb = _securityGroupJoinDao.createSearchBuilder();
sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct
// ids
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
-
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
SearchCriteria<SecurityGroupJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<SecurityGroupJoinVO> aclSc = _securityGroupJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -1118,12 +1120,19 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Long podId, Long clusterId, Long hostId, String keyword, Long networkId, Long vpcId, Boolean forVpc, String role, String version) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
+ String action = "listRouters";
+ if (cmd instanceof ListInternalLBVMsCmd) {
+ action = "listInternalLoadBalancerVMs";
+ }
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, action);
+
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
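Review bot: The action name passed to `buildACLSearchParameters` is chosen by `if (cmd instanceof ListInternalLBVMsCmd)` between two string literals, so any further command type routed through this method would silently be evaluated as `"listRouters"`. `ParamProcessWorker.doAccessChecks` in this same commit reads the name from the command's `APICommand` annotation; doing the same here, e.g. `APICommand ann = cmd.getClass().getAnnotation(APICommand.class);` with a fallback when it is absent, keeps the ACL lookup tied to the API actually invoked. The other list methods in this file pass literals such as `"listEvents"` and `"listTags"` the same way, and the compiler would not catch a typo in them. The method's signature and the rest of its body are outside the hunk, so this assumes the runtime class of `cmd` carries the annotation.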
@@ -1136,8 +1145,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// number of
// records with
// pagination
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("name", sb.entity().getInstanceName(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -1164,8 +1171,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
SearchCriteria<DomainRouterJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<DomainRouterJoinVO> aclSc = _routerJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<DomainRouterJoinVO> ssc = _routerJoinDao.createSearchCriteria();
@@ -1398,20 +1406,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
boolean listAll = cmd.listAll();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts,
- domainIdRecursiveListProject, listAll, true);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, true, "listProjectInvitations");
+ //domainId = domainIdRecursiveListProject.first();
+
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(ProjectInvitationJoinVO.class, "id", true, startIndex, pageSizeVal);
SearchBuilder<ProjectInvitationJoinVO> sb = _projectInvitationJoinDao.createSearchBuilder();
- _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
sb.and("projectId", sb.entity().getProjectId(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), SearchCriteria.Op.EQ);
@@ -1419,8 +1428,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<ProjectInvitationJoinVO> sc = sb.create();
- _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts,
- listProjectResourcesCriteria);
+ SearchCriteria<ProjectInvitationJoinVO> aclSc = _projectInvitationJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (projectId != null) {
sc.setParameters("projectId", projectId);
@@ -1825,53 +1835,19 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
private Pair<List<AccountJoinVO>, Integer> searchForAccountsInternal(ListAccountsCmd cmd) {
Account caller = CallContext.current().getCallingAccount();
- Long domainId = cmd.getDomainId();
- Long accountId = cmd.getId();
- String accountName = cmd.getSearchName();
- boolean isRecursive = cmd.isRecursive();
- boolean listAll = cmd.listAll();
- Boolean listForDomain = false;
-
- if (accountId != null) {
- Account account = _accountDao.findById(accountId);
- if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
- throw new InvalidParameterValueException("Unable to find account by id " + accountId);
- }
-
- _accountMgr.checkAccess(caller, null, true, account);
- }
-
- if (domainId != null) {
- Domain domain = _domainDao.findById(domainId);
- if (domain == null) {
- throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
- }
-
- _accountMgr.checkAccess(caller, domain);
-
- if (accountName != null) {
- Account account = _accountDao.findActiveAccount(accountName, domainId);
- if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
- throw new InvalidParameterValueException("Unable to find account by name " + accountName
- + " in domain " + domainId);
- }
- _accountMgr.checkAccess(caller, null, true, account);
- }
- }
+ List<Long> permittedDomains = new ArrayList<Long>();
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
- if (accountId == null) {
- if (_accountMgr.isAdmin(caller.getId()) && listAll && domainId == null) {
- listForDomain = true;
- isRecursive = true;
- if (domainId == null) {
- domainId = caller.getDomainId();
- }
- } else if (_accountMgr.isAdmin(caller.getId()) && domainId != null) {
- listForDomain = true;
- } else {
- accountId = caller.getAccountId();
- }
- }
+ boolean listAll = cmd.listAll();
+ Long id = cmd.getId();
+ String accountName = cmd.getSearchName();
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+ cmd.getDomainId(), cmd.isRecursive(), null);
+ // ListAccountsCmd is not BaseListAccountResourcesCmd, so no (domainId, accountName) combination
+ _accountMgr.buildACLSearchParameters(caller, id, null, null, permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, false, "listAccounts");
+ Boolean isRecursive = domainIdRecursiveListProject.second();
Filter searchFilter = new Filter(AccountJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
@@ -1882,7 +1858,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
SearchBuilder<AccountJoinVO> sb = _accountJoinDao.createSearchBuilder();
sb.and("accountName", sb.entity().getAccountName(), SearchCriteria.Op.EQ);
- sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("type", sb.entity().getType(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), SearchCriteria.Op.EQ);
@@ -1890,11 +1865,31 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sb.and("typeNEQ", sb.entity().getType(), SearchCriteria.Op.NEQ);
sb.and("idNEQ", sb.entity().getId(), SearchCriteria.Op.NEQ);
- if (listForDomain && isRecursive) {
- sb.and("path", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
- }
-
SearchCriteria<AccountJoinVO> sc = sb.create();
+ SearchCriteria<AccountJoinVO> aclSc = _accountJoinDao.createSearchCriteria();
+ // building ACL search criteria. Here we cannot use the common accountMgr.buildACLViewSearchCriteria because
+ // 1) AccountJoinVO does not have accountId field, permittedAccounts correspond to list of resource ids.
+ // 2) AccountJoinVO use type not accountType field to indicate its type
+ if (!permittedDomains.isEmpty() || !permittedAccounts.isEmpty() || !permittedResources.isEmpty()) {
+ if (!permittedDomains.isEmpty()) {
+ if (isRecursive) {
+ for (int i = 0; i < permittedDomains.size(); i++) {
+ Domain domain = _domainDao.findById(permittedDomains.get(i));
+ aclSc.addOr("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
+ }
+ } else {
+ aclSc.addOr("domainId", SearchCriteria.Op.IN, permittedDomains.toArray());
+ }
+ }
+ if (!permittedAccounts.isEmpty()) {
+ aclSc.addOr("id", SearchCriteria.Op.IN, permittedAccounts.toArray());
+ }
+ if (!permittedResources.isEmpty()) {
+ aclSc.addOr("id", SearchCriteria.Op.IN, permittedResources.toArray());
+ }
+
+ sc.addAnd("id", SearchCriteria.Op.SC, aclSc);
+ }
sc.setParameters("idNEQ", Account.ACCOUNT_ID_SYSTEM);
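Review bot: The ACL sub-criteria is attached only inside `if (!permittedDomains.isEmpty() || !permittedAccounts.isEmpty() || !permittedResources.isEmpty())`, so when `buildACLSearchParameters` leaves all three lists empty the account query runs with no ownership filter beyond `idNEQ`. Whether three empty lists mean "unrestricted" or "nothing permitted" is decided outside this hunk; a comment stating that contract, or an explicit guard for non-root callers, would keep a later change in that helper from silently widening `listAccounts`. In the recursive branch the result of `_domainDao.findById(permittedDomains.get(i))` is dereferenced without a null check, so a permitted domain id that no longer resolves raises a NullPointerException; `if (domain == null) { continue; }` before `domain.getPath()` avoids that. The method body continues outside this hunk.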
@@ -1922,19 +1917,10 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
// don't return account of type project to the end user
- sc.setParameters("typeNEQ", 5);
-
- if (accountId != null) {
- sc.setParameters("id", accountId);
- }
+ sc.setParameters("typeNEQ", Account.ACCOUNT_TYPE_PROJECT);
- if (listForDomain) {
- if (isRecursive) {
- Domain domain = _domainDao.findById(domainId);
- sc.setParameters("path", domain.getPath() + "%");
- } else {
- sc.setParameters("domainId", domainId);
- }
+ if (id != null) {
+ sc.setParameters("id", id);
}
return _accountJoinDao.searchAndCount(sc, searchFilter);
@@ -1953,17 +1939,20 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), null, permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject,
+ cmd.listAll(), false, "listAsyncJobs");
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(AsyncJobJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
+ /*
SearchBuilder<AsyncJobJoinVO> sb = _jobJoinDao.createSearchBuilder();
sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN);
boolean accountJoinIsDone = false;
@@ -1987,8 +1976,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
}
- Object keyword = cmd.getKeyword();
- Object startDate = cmd.getStartDate();
+
SearchCriteria<AsyncJobJoinVO> sc = sb.create();
if (listProjectResourcesCriteria != null) {
@@ -2005,6 +1993,17 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sc.setParameters("domainId", domainId);
}
}
+ */
+
+ Object keyword = cmd.getKeyword();
+ Object startDate = cmd.getStartDate();
+
+ // populate the search criteria with the values passed in
+ SearchCriteria<AsyncJobJoinVO> sc = _jobJoinDao.createSearchCriteria();
+ SearchCriteria<AsyncJobJoinVO> aclSc = _jobJoinDao.createSearchCriteria();
+
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
sc.addAnd("cmd", SearchCriteria.Op.LIKE, "%" + keyword + "%");
@@ -2467,7 +2466,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
throw ex;
}
- _accountMgr.checkAccess(caller, null, true, vmInstance);
+ _accountMgr.checkAccess(caller, null, vmInstance);
ServiceOfferingVO offering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
sc.addAnd("id", SearchCriteria.Op.NEQ, offering.getId());
@@ -2807,6 +2806,366 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
return response;
}
+ // Temporarily disable this method which used IAM model to do template list
+ private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternalIAM(ListTemplatesCmd cmd) {
+ TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter());
+ Long id = cmd.getId();
+ Map<String, String> tags = cmd.getTags();
+ boolean showRemovedTmpl = cmd.getShowRemoved();
+ Account caller = CallContext.current().getCallingAccount();
+
+ // TODO: listAll flag has some conflicts with TemplateFilter parameter
+ boolean listAll = false;
+ if (templateFilter != null && templateFilter == TemplateFilter.all) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+ + " can be specified by admin only");
+ }
+ listAll = true;
+ }
+
+ List<Long> permittedDomains = new ArrayList<Long>();
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+ cmd.getDomainId(), cmd.isRecursive(), null);
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, false, "listTemplates");
+
+ Boolean isRecursive = domainIdRecursiveListProject.second();
+ ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+
+ boolean showDomr = ((templateFilter != TemplateFilter.selfexecutable) && (templateFilter != TemplateFilter.featured));
+ HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
+
+ return searchForTemplatesInternalIAM(id, cmd.getTemplateName(), cmd.getKeyword(), templateFilter, false, null,
+ cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType, showDomr,
+ cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources, isRecursive, caller, listProjectResourcesCriteria, tags, showRemovedTmpl);
+ }
+
+ // Temporarily disable this method which used IAM model to do template list
+ private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternalIAM(Long templateId, String name,
+ String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable, Long pageSize,
+ Long startIndex, Long zoneId, HypervisorType hyperType, boolean showDomr, boolean onlyReady,
+ List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources, boolean isRecursive, Account caller,
+ ListProjectResourcesCriteria listProjectResourcesCriteria,
+ Map<String, String> tags, boolean showRemovedTmpl) {
+
+ // check if zone is configured, if not, just return empty list
+ List<HypervisorType> hypers = null;
+ if (!isIso) {
+ hypers = _resourceMgr.listAvailHypervisorInZone(null, null);
+ if (hypers == null || hypers.isEmpty()) {
+ return new Pair<List<TemplateJoinVO>, Integer>(new ArrayList<TemplateJoinVO>(), 0);
+ }
+ }
+
+ VMTemplateVO template = null;
+
+ Boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm"));
+ isAscending = (isAscending == null ? true : isAscending);
+ Filter searchFilter = new Filter(TemplateJoinVO.class, "sortKey", isAscending, startIndex, pageSize);
+
+ SearchBuilder<TemplateJoinVO> sb = _templateJoinDao.createSearchBuilder();
+ sb.select(null, Func.DISTINCT, sb.entity().getTempZonePair()); // select distinct (templateId, zoneId) pair
+ SearchCriteria<TemplateJoinVO> sc = sb.create();
+
+ // verify templateId parameter and specially handle it
+ if (templateId != null) {
+ template = _templateDao.findByIdIncludingRemoved(templateId); // Done for backward compatibility - Bug-5221
+ if (template == null) {
+ throw new InvalidParameterValueException("Please specify a valid template ID.");
+ }// If ISO requested then it should be ISO.
+ if (isIso && template.getFormat() != ImageFormat.ISO) {
+ s_logger.error("Template Id " + templateId + " is not an ISO");
+ InvalidParameterValueException ex = new InvalidParameterValueException("Specified Template Id is not an ISO");
+ ex.addProxyObject(template.getUuid(), "templateId");
+ throw ex;
+ }// If ISO not requested then it shouldn't be an ISO.
+ if (!isIso && template.getFormat() == ImageFormat.ISO) {
+ s_logger.error("Incorrect format of the template id " + templateId);
+ InvalidParameterValueException ex = new InvalidParameterValueException("Incorrect format " + template.getFormat() + " of the specified template id");
+ ex.addProxyObject(template.getUuid(), "templateId");
+ throw ex;
+ }
+
+ // if template is not public, perform permission check here
+ if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) {
+ Account owner = _accountMgr.getAccount(template.getAccountId());
+ _accountMgr.checkAccess(caller, null, owner);
+ }
+
+ // if templateId is specified, then we will just use the id to
+ // search and ignore other query parameters
+ sc.addAnd("id", SearchCriteria.Op.EQ, templateId);
+ } else {
+ if (!isIso) {
+ // add hypervisor criteria for template case
+ if (hypers != null && !hypers.isEmpty()) {
+ String[] relatedHypers = new String[hypers.size()];
+ for (int i = 0; i < hypers.size(); i++) {
+ relatedHypers[i] = hypers.get(i).toString();
+ }
+ sc.addAnd("hypervisorType", SearchCriteria.Op.IN, relatedHypers);
+ }
+ }
+
+ // control different template filters
+ DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
+ if (templateFilter == TemplateFilter.featured || templateFilter == TemplateFilter.community) {
+ sc.addAnd("publicTemplate", SearchCriteria.Op.EQ, true);
+ if (templateFilter == TemplateFilter.featured) {
+ sc.addAnd("featured", SearchCriteria.Op.EQ, true);
+ } else {
+ sc.addAnd("featured", SearchCriteria.Op.EQ, false);
+ }
+
+ /* We don't need this any more to check domain id, based on CLOUDSTACK-5987
+ // for public templates, we should get all public templates from all domains in the system
+ // get all parent domain ID's all the way till root domain
+ List<Long> domainTree = new ArrayList<Long>();
+ DomainVO domainTreeNode = _domainDao.findById(Domain.ROOT_DOMAIN); // fix for CLOUDSTACK-5987
+ domainTree.add(domainTreeNode.getId());
+
+ // get all child domain ID's under root
+ List<DomainVO> allChildDomains = _domainDao.findAllChildren(domainTreeNode.getPath(), domainTreeNode.getId());
+ for (DomainVO childDomain : allChildDomains) {
+ domainTree.add(childDomain.getId());
+ }
+
+ SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+ scc.addOr("domainId", SearchCriteria.Op.IN, domainTree.toArray());
+ scc.addOr("domainId", SearchCriteria.Op.NULL);
+ sc.addAnd("domainId", SearchCriteria.Op.SC, scc);
+ */
+ } else if (templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable) {
+ if (permittedDomains.contains(caller.getDomainId())) {
+ // this caller acts like a domain admin
+
+ sc.addAnd("domainPath", SearchCriteria.Op.LIKE, callerDomain.getPath() + "%");
+ } else {
+ // only display templates owned by caller for resource owner only
+ sc.addAnd("accountId", SearchCriteria.Op.EQ, caller.getAccountId());
+ }
+ } else if (templateFilter == TemplateFilter.sharedexecutable || templateFilter == TemplateFilter.shared) {
+ // exclude the caller, only include those granted and not owned by self
+ permittedDomains.remove(caller.getDomainId());
+ permittedAccounts.remove(caller.getAccountId());
+ for (Long tid : permittedResources) {
+ // remove it if it is owned by the caller
+ VMTemplateVO tmpl = _templateDao.findById(tid);
+ if (tmpl != null && tmpl.getAccountId() == caller.getAccountId()) {
+ permittedResources.remove(tid);
+ }
+ }
+ // building ACL search criteria
+ SearchCriteria<TemplateJoinVO> aclSc = _templateJoinDao.createSearchCriteria();
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+ } else if (templateFilter == TemplateFilter.executable) {
+ // public template + self template
+ SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+ scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true);
+ // plus self owned templates or domain tree templates for domain admin
+ if (permittedDomains.contains(caller.getDomainId())) {
+ // this caller acts like a domain admin
+ sc.addOr("domainPath", SearchCriteria.Op.LIKE, callerDomain.getPath() + "%");
+ } else {
+ // only display templates owned by caller for resource owner only
+ sc.addOr("accountId", SearchCriteria.Op.EQ, caller.getAccountId());
+ }
+ sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc);
+ }
+
+ // add tags criteria
+ if (tags != null && !tags.isEmpty()) {
+ SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+ for (String key : tags.keySet()) {
+ SearchCriteria<TemplateJoinVO> scTag = _templateJoinDao.createSearchCriteria();
+ scTag.addAnd("tagKey", SearchCriteria.Op.EQ, key);
+ scTag.addAnd("tagValue", SearchCriteria.Op.EQ, tags.get(key));
+ if (isIso) {
+ scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.ISO);
+ } else {
+ scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.Template);
+ }
+ scc.addOr("tagKey", SearchCriteria.Op.SC, scTag);
+ }
+ sc.addAnd("tagKey", SearchCriteria.Op.SC, scc);
+ }
+
+ // other criteria
+
+ if (keyword != null) {
+ sc.addAnd("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
+ } else if (name != null) {
+ sc.addAnd("name", SearchCriteria.Op.EQ, name);
+ }
+
+ if (isIso) {
+ sc.addAnd("format", SearchCriteria.Op.EQ, "ISO");
+
+ } else {
+ sc.addAnd("format", SearchCriteria.Op.NEQ, "ISO");
+ }
+
+ if (!hyperType.equals(HypervisorType.None)) {
+ sc.addAnd("hypervisorType", SearchCriteria.Op.EQ, hyperType);
+ }
+
+ if (bootable != null) {
+ sc.addAnd("bootable", SearchCriteria.Op.EQ, bootable);
+ }
+
+ if (onlyReady) {
+ SearchCriteria<TemplateJoinVO> readySc = _templateJoinDao.createSearchCriteria();
+ readySc.addOr("state", SearchCriteria.Op.EQ, TemplateState.Ready);
+ readySc.addOr("format", SearchCriteria.Op.EQ, ImageFormat.BAREMETAL);
+ SearchCriteria<TemplateJoinVO> isoPerhostSc = _templateJoinDao.createSearchCriteria();
+ isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO);
+ isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST);
+ readySc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc);
+ sc.addAnd("state", SearchCriteria.Op.SC, readySc);
+ }
+
+ if (!showDomr) {
+ // excluding system template
+ sc.addAnd("templateType", SearchCriteria.Op.NEQ, Storage.TemplateType.SYSTEM);
+ }
+ }
+
+ if (zoneId != null) {
+ SearchCriteria<TemplateJoinVO> zoneSc = _templateJoinDao.createSearchCriteria();
+ zoneSc.addOr("dataCenterId", SearchCriteria.Op.EQ, zoneId);
+ zoneSc.addOr("dataStoreScope", SearchCriteria.Op.EQ, ScopeType.REGION);
+ // handle the case where xs-tools.iso and vmware-tools.iso do not
+ // have data_center information in template_view
+ SearchCriteria<TemplateJoinVO> isoPerhostSc = _templateJoinDao.createSearchCriteria();
+ isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO);
+ isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST);
+ zoneSc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc);
+ sc.addAnd("dataCenterId", SearchCriteria.Op.SC, zoneSc);
+ }
+
+ // don't return removed template, this should not be needed since we
+ // changed annotation for removed field in TemplateJoinVO.
+ // sc.addAnd("removed", SearchCriteria.Op.NULL);
+
+ // search unique templates and find details by Ids
+ Pair<List<TemplateJoinVO>, Integer> uniqueTmplPair = null;
+ if(showRemovedTmpl){
+ uniqueTmplPair = _templateJoinDao.searchIncludingRemovedAndCount(sc, searchFilter);
+ } else {
+ sc.addAnd("templateState", SearchCriteria.Op.EQ, State.Active);
+ uniqueTmplPair = _templateJoinDao.searchAndCount(sc, searchFilter);
+ }
+
+ Integer count = uniqueTmplPair.second();
+ if (count.intValue() == 0) {
+ // empty result
+ return uniqueTmplPair;
+ }
+ List<TemplateJoinVO> uniqueTmpls = uniqueTmplPair.first();
+ String[] tzIds = new String[uniqueTmpls.size()];
+ int i = 0;
+ for (TemplateJoinVO v : uniqueTmpls) {
+ tzIds[i++] = v.getTempZonePair();
+ }
+ List<TemplateJoinVO> vrs = _templateJoinDao.searchByTemplateZonePair(showRemovedTmpl, tzIds);
+ return new Pair<List<TemplateJoinVO>, Integer>(vrs, count);
+
+ // TODO: revisit the special logic for iso search in
+ // VMTemplateDaoImpl.searchForTemplates and understand why we need to
+ // specially handle ISO. The original logic is very twisted and no idea
+ // about what the code was doing.
+
+ }
+
+ // This method should only be used for keeping old listTemplates and listAffinityGroups behavior, PLEASE DON'T USE IT FOR USE LIST APIs
+ private void buildTemplateAffinityGroupSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long>
+ permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
+ boolean listAll, boolean forProjectInvitation) {
+ Long domainId = domainIdRecursiveListProject.first();
+ if (domainId != null) {
+ Domain domain = _domainDao.findById(domainId);
+ if (domain == null) {
+ throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
+ }
+ // check permissions
+ _accountMgr.checkAccess(caller, domain);
+ }
+
+ if (accountName != null) {
+ if (projectId != null) {
+ throw new InvalidParameterValueException("Account and projectId can't be specified together");
+ }
+
+ Account userAccount = null;
+ Domain domain = null;
+ if (domainId != null) {
+ userAccount = _accountDao.findActiveAccount(accountName, domainId);
+ domain = _domainDao.findById(domainId);
+ } else {
+ userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
+ domain = _domainDao.findById(caller.getDomainId());
+ }
+
+ if (userAccount != null) {
+ _accountMgr.checkAccess(caller, null, userAccount);
+ // check permissions
+ permittedAccounts.add(userAccount.getId());
+ } else {
+ throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
+ }
+ }
+
+ // set project information
+ if (projectId != null) {
+ if (!forProjectInvitation) {
+ if (projectId.longValue() == -1) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
+ } else {
+ domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
+ }
+ } else {
+ Project project = _projectMgr.getProject(projectId);
+ if (project == null) {
+ throw new InvalidParameterValueException("Unable to find project by id " + projectId);
+ }
+ if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
+ throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
+ }
+ permittedAccounts.add(project.getProjectAccountId());
+ }
+ }
+ } else {
+ if (id == null) {
+ domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
+ }
+ if (permittedAccounts.isEmpty() && domainId == null) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ permittedAccounts.add(caller.getId());
+ } else if (!listAll) {
+ if (id == null) {
+ permittedAccounts.add(caller.getId());
+ } else if (!_accountMgr.isRootAdmin(caller.getId())) {
+ domainIdRecursiveListProject.first(caller.getDomainId());
+ domainIdRecursiveListProject.second(true);
+ }
+ } else if (domainId == null) {
+ if (_accountMgr.isDomainAdmin(caller.getId())) {
+ domainIdRecursiveListProject.first(caller.getDomainId());
+ domainIdRecursiveListProject.second(true);
+ }
+ }
+ } else if (domainId != null) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ permittedAccounts.add(caller.getId());
+ }
+ }
+ }
+ }
private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(ListTemplatesCmd cmd) {
TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter());
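Review bot: In the `TemplateFilter.executable` branch of `searchForTemplatesInternalIAM`, the ownership terms are added with `addOr` to the outer `sc`, not to the sub-criteria `scc` that holds `publicTemplate = true`. If `addOr` on the outer criteria is not grouped (not visible here), the domain-path or account match is OR-ed against the criteria already collected, such as the hypervisor filter, which would widen the listing beyond "public or own". The lines should read `scc.addOr("domainPath", SearchCriteria.Op.LIKE, callerDomain.getPath() + "%");` and `scc.addOr("accountId", SearchCriteria.Op.EQ, caller.getAccountId());`. Separately, the `shared`/`sharedexecutable` branch calls `permittedResources.remove(tid)` inside a for-each over `permittedResources`, which throws ConcurrentModificationException on an ArrayList unless the removed element is the second-to-last; an explicit `Iterator` with `it.remove()` avoids that. `searchForTemplatesInternal` at the end of the hunk continues outside it.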
@@ -2827,7 +3186,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> permittedAccountIds = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
+ buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
domainIdRecursiveListProject, listAll, false);
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
List<Account> permittedAccounts = new ArrayList<Account>();
@@ -2892,7 +3251,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// if template is not public, perform permission check here
if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
Account owner = _accountMgr.getAccount(template.getAccountId());
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
}
// if templateId is specified, then we will just use the id to
@@ -2904,7 +3263,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
if (!permittedAccounts.isEmpty()) {
domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());
} else {
- domain = _domainDao.findById(Domain.ROOT_DOMAIN);
+ domain = _domainDao.findById(DomainVO.ROOT_DOMAIN);
}
// List<HypervisorType> hypers = null;
@@ -3137,7 +3496,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> permittedAccountIds = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
+ buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds,
domainIdRecursiveListProject, listAll, false);
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
List<Account> permittedAccounts = new ArrayList<Account>();
@@ -3152,6 +3511,43 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
cmd.listInReadyState(), permittedAccounts, caller, listProjectResourcesCriteria, tags, showRemovedISO);
}
+ private Pair<List<TemplateJoinVO>, Integer> searchForIsosInternalIAM(ListIsosCmd cmd) {
+ TemplateFilter isoFilter = TemplateFilter.valueOf(cmd.getIsoFilter());
+ Long id = cmd.getId();
+ Map<String, String> tags = cmd.getTags();
+ boolean showRemovedISO = cmd.getShowRemoved();
+ Account caller = CallContext.current().getCallingAccount();
+
+ boolean listAll = false;
+ if (isoFilter != null && isoFilter == TemplateFilter.all) {
+ if (_accountMgr.isNormalUser(caller.getId())) {
+ throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+ + " can be specified by admin only");
+ }
+ listAll = true;
+ }
+
+ List<Long> permittedDomains = new ArrayList<Long>();
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+ cmd.getDomainId(), cmd.isRecursive(), null);
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listIsos");
+ Boolean isRecursive = domainIdRecursiveListProject.second();
+ ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+// List<Account> permittedAccounts = new ArrayList<Account>();
+// for (Long accountId : permittedAccountIds) {
+// permittedAccounts.add(_accountMgr.getAccount(accountId));
+// }
+
+ HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
+
+ return searchForTemplatesInternalIAM(cmd.getId(), cmd.getIsoName(), cmd.getKeyword(), isoFilter, true,
+ cmd.isBootable(), cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType, true,
+ cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources, isRecursive, caller, listProjectResourcesCriteria, tags, showRemovedISO);
+ }
@Override
public ListResponse<AffinityGroupResponse> listAffinityGroups(Long affinityGroupId, String affinityGroupName,
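Review bot: `searchForIsosInternalIAM` computes a local `listAll` (set to true only after the admin-only check for `TemplateFilter.all`) but then passes `cmd.listAll()` to `buildACLSearchParameters`, so the local is dead and the request's own flag decides the scope. The template variant added in the earlier hunk passes `listAll`; for consistency this call should end `domainIdRecursiveListProject, listAll, false, "listIsos");`. How `buildACLSearchParameters` treats the flag for a normal user is not visible, so that should be confirmed before drawing conclusions about exposure. The four commented-out `permittedAccounts` lines can be dropped. `listAffinityGroups` at the end of the hunk continues outside it.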
@@ -3180,14 +3576,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance "
+ vmId + "; instance not found.");
}
- _accountMgr.checkAccess(caller, null, true, userVM);
+ _accountMgr.checkAccess(caller, null, userVM);
return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
}
List<Long> permittedAccounts = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts,
+ buildTemplateAffinityGroupSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts,
domainIdRecursiveListProject, listAll, true);
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
@@ -3321,6 +3717,121 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
return sc;
}
+ public Pair<List<AffinityGroupJoinVO>, Integer> listAffinityGroupsInternalIAM(Long affinityGroupId,
+ String affinityGroupName, String affinityGroupType, Long vmId, String accountName, Long domainId,
+ boolean isRecursive, boolean listAll, Long startIndex, Long pageSize, String keyword) {
+
+ Account caller = CallContext.current().getCallingAccount();
+
+ caller.getAccountId();
+
+ if (vmId != null) {
+ UserVmVO userVM = _userVmDao.findById(vmId);
+ if (userVM == null) {
+ throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
+ }
+ _accountMgr.checkAccess(caller, null, userVM);
+ return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
+ }
+
+ List<Long> permittedDomains = new ArrayList<Long>();
+ List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+ Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+ domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, listAll, true, "listAffinityGroups");
+ //domainId = domainIdRecursiveListProject.first();
+ isRecursive = domainIdRecursiveListProject.second();
+ ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+
+ Filter searchFilter = new Filter(AffinityGroupJoinVO.class, "id", true, startIndex, pageSize);
+ SearchCriteria<AffinityGroupJoinVO> sc = buildAffinityGroupSearchCriteriaIAM(isRecursive,
+ permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword);
+
+ Pair<List<AffinityGroupJoinVO>, Integer> uniqueGroupsPair = _affinityGroupJoinDao.searchAndCount(sc, searchFilter);
+ // search group details by ids
+ List<AffinityGroupJoinVO> vrs = new ArrayList<AffinityGroupJoinVO>();
+ Integer count = uniqueGroupsPair.second();
+ if (count.intValue() != 0) {
+ List<AffinityGroupJoinVO> uniqueGroups = uniqueGroupsPair.first();
+ Long[] vrIds = new Long[uniqueGroups.size()];
+ int i = 0;
+ for (AffinityGroupJoinVO v : uniqueGroups) {
+ vrIds[i++] = v.getId();
+ }
+ vrs = _affinityGroupJoinDao.searchByIds(vrIds);
+ }
+
+ /* TODO: confirm with Prachi if we still need this complicated logic with new ACL model
+ if (!permittedAccounts.isEmpty()) {
+ // add domain level affinity groups
+ if (domainId != null) {
+ SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(null, isRecursive,
+ new ArrayList<Long>(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName,
+ affinityGroupType, keyword);
+ vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId));
+ } else {
+
+ for (Long permAcctId : permittedAccounts) {
+ Account permittedAcct = _accountDao.findById(permAcctId);
+ SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(
+ null, isRecursive, new ArrayList<Long>(),
+ listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword);
+
+ vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, permittedAcct.getDomainId()));
+ }
+ }
+ } else if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) {
+ // list all domain level affinity groups for the domain admin case
+ SearchCriteria<AffinityGroupJoinVO> scDomain = buildAffinityGroupSearchCriteria(null, isRecursive,
+ new ArrayList<Long>(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName,
+ affinityGroupType, keyword);
+ vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId));
+ }
+ */
+
+ return new Pair<List<AffinityGroupJoinVO>, Integer>(vrs, vrs.size());
+
+ }
+
+ private SearchCriteria<AffinityGroupJoinVO> buildAffinityGroupSearchCriteriaIAM(boolean isRecursive,
+ List<Long> permittedDomains, List<Long> permittedAccounts, List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria,
+ Long affinityGroupId, String affinityGroupName, String affinityGroupType, String keyword) {
+
+ SearchBuilder<AffinityGroupJoinVO> groupSearch = _affinityGroupJoinDao.createSearchBuilder();
+ groupSearch.select(null, Func.DISTINCT, groupSearch.entity().getId()); // select
+ // distinct
+
+ SearchCriteria<AffinityGroupJoinVO> sc = groupSearch.create();
+ SearchCriteria<AffinityGroupJoinVO> aclSc = _affinityGroupJoinDao.createSearchCriteria();
+ // building ACL search criteria
+ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+
+ if (affinityGroupId != null) {
+ sc.addAnd("id", SearchCriteria.Op.EQ, affinityGroupId);
+ }
+
+ if (affinityGroupName != null) {
+ sc.addAnd("name", SearchCriteria.Op.EQ, affinityGroupName);
+ }
+
+ if (affinityGroupType != null) {
+ sc.addAnd("type", SearchCriteria.Op.EQ, affinityGroupType);
+ }
+
+ if (keyword != null) {
+ SearchCriteria<AffinityGroupJoinVO> ssc = _affinityGroupJoinDao.createSearchCriteria();
+ ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
+ ssc.addOr("type", SearchCriteria.Op.LIKE, "%" + keyword + "%");
+
+ sc.addAnd("name", SearchCriteria.Op.SC, ssc);
+ }
+
+ return sc;
+
+ }
+
private Pair<List<AffinityGroupJoinVO>, Integer> listAffinityGroupsByVM(long vmId, long pageInd, long pageSize) {
Filter sf = new Filter(SecurityGroupVMMapVO.class, null, true, pageInd, pageSize);
Pair<List<AffinityGroupVMMapVO>, Integer> agVmMappingPair = _affinityGroupVMMapDao.listByInstanceId(vmId, sf);
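Review bot: `listAffinityGroupsInternalIAM` returns `vrs.size()` as the pair's count although `searchAndCount` already produced `count`, which is used only for the `!= 0` test; with a `pageSize` in the filter, callers would presumably see the page length reported as the total. `searchForTemplatesInternalIAM` returns the count from `searchAndCount`, and the equivalent here is `return new Pair<List<AffinityGroupJoinVO>, Integer>(vrs, count);`. The bare statement `caller.getAccountId();` has no effect and can be removed. The method is `public` while the other `*IAM` helpers added in this file are `private`, so a Javadoc line stating who is meant to call it, and that it enforces the ACL through `buildACLSearchParameters`, would help. `listAffinityGroupsByVM` at the end of the hunk continues outside it.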
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index 3f79a76..231b5e1 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -39,6 +39,7 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.SecurityChecker;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupService;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@@ -4327,7 +4328,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
throw new InvalidParameterValueException("Can't update system networks");
}
- _accountMgr.checkAccess(caller, null, true, network);
+ _accountMgr.checkAccess(caller, AccessType.ListEntry, network);
List<Long> offeringIds = _networkModel.listNetworkOfferingsForUpgrade(networkId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/IpAddressManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/IpAddressManagerImpl.java b/server/src/com/cloud/network/IpAddressManagerImpl.java
index 9b1f9bd..746221f 100644
--- a/server/src/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/com/cloud/network/IpAddressManagerImpl.java
@@ -29,6 +29,8 @@ import java.util.UUID;
import javax.inject.Inject;
+import org.apache.log4j.Logger;
+
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.context.CallContext;
@@ -40,7 +42,6 @@ import org.apache.cloudstack.region.PortableIp;
import org.apache.cloudstack.region.PortableIpDao;
import org.apache.cloudstack.region.PortableIpVO;
import org.apache.cloudstack.region.Region;
-import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
import com.cloud.alert.AlertManager;
@@ -409,7 +410,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
Account caller = CallContext.current().getCallingAccount();
long callerUserId = CallContext.current().getCallingUserId();
// check permissions
- _accountMgr.checkAccess(caller, null, false, ipOwner);
+ _accountMgr.checkAccess(caller, null, ipOwner);
DataCenter zone = _entityMgr.findById(DataCenter.class, zoneId);
@@ -1164,15 +1165,14 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
if (zone.getNetworkType() == NetworkType.Advanced) {
if (network.getGuestType() == Network.GuestType.Shared) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
- network);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
} else {
throw new InvalidParameterValueException("IP can be associated with guest network of 'shared' type only if "
+ "network services Source Nat, Static Nat, Port Forwarding, Load balancing, firewall are enabled in the network");
}
}
} else {
- _accountMgr.checkAccess(caller, null, true, ipToAssoc);
+ _accountMgr.checkAccess(caller, null, ipToAssoc);
}
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
@@ -1187,7 +1187,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
Network network = _networksDao.findById(networkId);
if (network != null) {
- _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network);
+ _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
} else {
s_logger.debug("Unable to find ip address by id: " + ipId);
return null;
@@ -1319,11 +1319,10 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
if (zone.getNetworkType() == NetworkType.Advanced) {
if (network.getGuestType() == Network.GuestType.Shared) {
assert (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId()));
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
- network);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
}
} else {
- _accountMgr.checkAccess(caller, null, true, ipToAssoc);
+ _accountMgr.checkAccess(caller, null, ipToAssoc);
}
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
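Review bot: The context line `assert (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId()));` just above the changed `checkAccess` call is the only guard on this shared-network path, and Java assertions are normally disabled in production JVMs, so the condition goes unchecked there. The parallel branch in the `-1164` hunk of this file throws `InvalidParameterValueException` for the same condition; doing the same here, `if (!isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) { throw new InvalidParameterValueException(...); }`, keeps the two paths consistent. FirewallManagerImpl has the same pattern, where `assert network != null` precedes `checkAccess(caller, null, network)`. The enclosing method starts and ends outside this hunk.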
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/NetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index 7b4b2be..f84eccd 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -34,7 +34,9 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
@@ -97,6 +99,7 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
import com.cloud.projects.dao.ProjectAccountDao;
import com.cloud.server.ConfigurationServer;
import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.DomainManager;
import com.cloud.user.dao.AccountDao;
@@ -173,7 +176,8 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
FirewallRulesDao _firewallDao;
@Inject
DomainManager _domainMgr;
-
+ @Inject
+ AccountManager _accountMgr;
@Inject
NetworkOfferingServiceMapDao _ntwkOfferingSrvcDao;
@Inject
@@ -216,6 +220,16 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
static HashMap<Service, List<Provider>> s_serviceToImplementedProvidersMap = new HashMap<Service, List<Provider>>();
static HashMap<String, String> s_providerToNetworkElementMap = new HashMap<String, String>();
+ List<SecurityChecker> _securityCheckers;
+
+ public List<SecurityChecker> getSecurityCheckers() {
+ return _securityCheckers;
+ }
+
+ public void setSecurityCheckers(List<SecurityChecker> securityCheckers) {
+ _securityCheckers = securityCheckers;
+ }
+
/**
*
*/
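Review bot: `_securityCheckers` has no `@Inject` and no initial value, so it stays null unless `setSecurityCheckers` is called by wiring that this diff does not show, and the `checkNetworkPermissions` method added later in this file iterates it without a null check. The field is also package-private and the getter returns the live list, so any holder of the reference can alter the access-check chain. I would declare it `private List<SecurityChecker> _securityCheckers;`, return `Collections.unmodifiableList(_securityCheckers)` from the getter, and add a comment saying where the list is configured.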
@@ -1567,6 +1581,35 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
}
@Override
+ public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+ if (network == null) {
+ throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
+ }
+
+ AccountVO networkOwner = _accountDao.findById(network.getAccountId());
+ if (networkOwner == null) {
+ throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+ + ", network does not have an owner");
+ }
+ if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+ if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId())) {
+ throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+ + ", permission denied");
+ }
+ } else {
+ // Go through IAM (SecurityCheckers)
+ for (SecurityChecker checker : _securityCheckers) {
+ if (checker.checkAccess(owner, accessType, null, network)) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Access to " + network + " granted to " + owner + " by " + checker.getName());
+ }
+ break;
+ }
+ }
+ }
+ }
+
+ @Override
public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType) {
try {
PhysicalNetwork publicPhyNetwork = getOnePhysicalNetworkByZoneAndTrafficType(dcId, TrafficType.Public);
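Review bot: In the `else` branch of `checkNetworkPermissions`, the loop over `_securityCheckers` only logs and breaks when a checker returns true. If every checker returns false, or the list is empty, the method returns normally and the caller treats the network as permitted. Unless each checker is guaranteed to throw on denial, which is not visible here, this fails open. The branch should record whether any checker granted access and throw `PermissionDeniedException` otherwise, as the project-account branch above it does. `_securityCheckers` and `owner` are also dereferenced without the null check that `network` gets.

```java
} else {
    // Go through IAM (SecurityCheckers); deny unless one of them grants access
    boolean granted = false;
    for (SecurityChecker checker : _securityCheckers) {
        if (checker.checkAccess(owner, accessType, null, network)) {
            // … unchanged: debug log naming the granting checker …
            granted = true;
            break;
        }
    }
    if (!granted) {
        throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
            + ", permission denied");
    }
}
```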
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/NetworkServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index 95d3dec..ec9fa12 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -542,7 +542,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
if (zone.getNetworkType() == NetworkType.Advanced) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
- _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+ _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
}
@@ -554,7 +554,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
}
} else {
- _accountMgr.checkAccess(caller, null, false, ipOwner);
+ _accountMgr.checkAccess(caller, null, ipOwner);
}
return _ipAddrMgr.allocateIp(ipOwner, false, caller, callerUserId, zone, displayIp);
@@ -585,7 +585,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
if (zone.getNetworkType() == NetworkType.Advanced) {
if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
- _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+ _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
}
@@ -605,7 +605,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
}
- _accountMgr.checkAccess(caller, null, false, ipOwner);
+ _accountMgr.checkAccess(caller, null, ipOwner);
return _ipAddrMgr.allocatePortableIp(ipOwner, caller, zoneId, null, null);
}
@@ -671,7 +671,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
final Account ipOwner = _accountMgr.getAccount(vm.getAccountId());
// verify permissions
- _accountMgr.checkAccess(caller, null, true, vm);
+ _accountMgr.checkAccess(caller, null, vm);
Network network = _networksDao.findById(networkId);
if (network == null) {
@@ -767,7 +767,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("There is no vm with the given secondary ip");
}
// verify permissions
- _accountMgr.checkAccess(caller, null, true, vm);
+ _accountMgr.checkAccess(caller, null, vm);
Network network = _networksDao.findById(secIpVO.getNetworkId());
@@ -891,7 +891,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// verify permissions
if (ipVO.getAllocatedToAccountId() != null) {
- _accountMgr.checkAccess(caller, null, true, ipVO);
+ _accountMgr.checkAccess(caller, null, ipVO);
}
if (ipVO.isSourceNat()) {
@@ -1432,7 +1432,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("Unable to find account " + accountName + " in specified domain");
}
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
permittedAccounts.add(owner.getId());
}
}
@@ -1816,7 +1816,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
Account owner = _accountMgr.getAccount(network.getAccountId());
// Perform permission check
- _accountMgr.checkAccess(caller, null, true, network);
+ _accountMgr.checkAccess(caller, null, network);
if (forced && !_accountMgr.isRootAdmin(caller.getId())) {
throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins");
@@ -1860,7 +1860,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterException("Unable to restart a running SDN network.");
}
- _accountMgr.checkAccess(callerAccount, null, true, network);
+ _accountMgr.checkAccess(callerAccount, null, network);
boolean success = _networkMgr.restartNetwork(networkId, callerAccount, callerUser, cleanup);
@@ -1996,7 +1996,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("Can't allow networks which traffic type is not " + TrafficType.Guest);
}
- _accountMgr.checkAccess(callerAccount, null, true, network);
+ _accountMgr.checkAccess(callerAccount, null, network);
if (name != null) {
network.setName(name);
@@ -4045,7 +4045,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw ex;
}
- _accountMgr.checkAccess(caller, null, true, userVm);
+ _accountMgr.checkAccess(caller, null, userVm);
return _networkMgr.listVmNics(vmId, nicId, networkId);
}
@@ -4069,7 +4069,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// verify permissions
if (ipVO.getAllocatedToAccountId() != null) {
- _accountMgr.checkAccess(caller, null, true, ipVO);
+ _accountMgr.checkAccess(caller, null, ipVO);
} else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
throw new PermissionDeniedException("Only Root admin can update non-allocated ip addresses");
}
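Review bot: The untouched `else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN)` decides root-admin status from the account type, while the delete-network hunk in this same file asks `_accountMgr.isRootAdmin(caller.getId())` the same question. This commit rewrites the `checkAccess` calls around it, and whether the two tests always agree afterwards is not visible here. Using `} else if (!_accountMgr.isRootAdmin(caller.getId())) {` would keep a single source of truth for the "Only Root admin" rule. The enclosing method starts and ends outside the hunk.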
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
index d4de462..09c6694 100644
--- a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
+++ b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
@@ -116,9 +116,9 @@ import com.cloud.utils.db.GenericDao;
import com.cloud.utils.db.JoinBuilder;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
-import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.TransactionStatus;
import com.cloud.utils.net.NetUtils;
import com.cloud.vm.UserVmManager;
@@ -240,7 +240,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
throw new InvalidParameterValueException("Unable to find " + paramName);
}
- _accountMgr.checkAccess(caller, null, false, (ControlledEntity)vo);
+ _accountMgr.checkAccess(caller, null, (ControlledEntity)vo);
return vo;
}
@@ -342,7 +342,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Account owner = _accountDao.findById(cmd.getAccountId());
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
long zoneId = cmd.getZoneId();
long serviceOfferingId = cmd.getServiceOfferingId();
@@ -461,7 +461,8 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Long zoneId = cmd.getZoneId();
Boolean display = cmd.getDisplay();
- SearchWrapper<AutoScaleVmProfileVO> searchWrapper = new SearchWrapper<AutoScaleVmProfileVO>(_autoScaleVmProfileDao, AutoScaleVmProfileVO.class, cmd, cmd.getId());
+ SearchWrapper<AutoScaleVmProfileVO> searchWrapper = new SearchWrapper<AutoScaleVmProfileVO>(_autoScaleVmProfileDao, AutoScaleVmProfileVO.class, cmd, cmd.getId(),
+ "listAutoScaleVmProfiles");
SearchBuilder<AutoScaleVmProfileVO> sb = searchWrapper.getSearchBuilder();
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
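Review bot: The new last argument `"listAutoScaleVmProfiles"` is a bare string literal, and later hunks repeat the pattern with `"listAutoScalePolicies"`, `"listAutoScaleVmGroups"`, `"listConditions"`, `"listFirewallRules"` and `"listLoadBalancerRules"`. How `buildACLSearchParameters` uses the action is not visible here, but if it keys a permission lookup, a misspelled name would compile and only show up as wrong list results. A named constant per action, e.g. `private static final String ACTION_LIST_VM_PROFILES = "listAutoScaleVmProfiles";`, or a name derived from the command class, would make that checkable. The enclosing method starts and ends outside the hunk.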
@@ -526,7 +527,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
ControlledEntity[] sameOwnerEntities = conditions.toArray(new ControlledEntity[conditions.size() + 1]);
sameOwnerEntities[sameOwnerEntities.length - 1] = autoScalePolicyVO;
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
if (conditionIds.size() != conditions.size()) {
// TODO report the condition id which could not be found
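Review bot: The array is named `sameOwnerEntities` and the removed call passed `true` for what looks like a same-owner flag, but the new `checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities)` has no such argument. Whether the conditions and the policy must still share one owner therefore depends on the new overload, which this diff does not show. If the overload no longer enforces it, entities from different accounts could be combined in one policy, so I would add an explicit ownership comparison before the call or a comment stating that `checkAccess` still enforces it. The same applies to the `sameOwnerEntities` call in the `-974` hunk and, more generally, to every call in this commit where `true` was dropped. The enclosing method starts and ends outside the hunk.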
@@ -620,7 +621,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
idList.add(ApiDBUtils.findDomainById(domainId).getUuid());
throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain with specifed domainId");
}
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
}
private class SearchWrapper<VO extends ControlledEntity> {
@@ -629,11 +630,14 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
SearchCriteria<VO> searchCriteria;
Long domainId;
boolean isRecursive;
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
ListProjectResourcesCriteria listProjectResourcesCriteria;
Filter searchFilter;
- public SearchWrapper(GenericDao<VO, Long> dao, Class<VO> entityClass, BaseListAccountResourcesCmd cmd, Long id)
+ public SearchWrapper(GenericDao<VO, Long> dao, Class<VO> entityClass, BaseListAccountResourcesCmd cmd, Long id, String action)
{
this.dao = dao;
this.searchBuilder = dao.createSearchBuilder();
@@ -647,12 +651,12 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, action);
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
- _accountMgr.buildACLSearchBuilder(searchBuilder, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(searchBuilder, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
searchFilter = new Filter(entityClass, "id", false, startIndex, pageSizeVal);
}
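Review bot: The context line `ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();` declares a local that shadows the `SearchWrapper` field of the same name, so the field that `buildSearchCriteria()` passes to the rewritten `buildACLSearchCriteria` call is never assigned. Dropping the type, `listProjectResourcesCriteria = domainIdRecursiveListProject.third();`, makes the constructor and `buildSearchCriteria()` use the same value. The commented-out `//domainId = domainIdRecursiveListProject.first();` should be deleted rather than left behind, along with the `domainId` field if nothing else reads it. The same leftover, `//Long domainId = ...`, is in the LoadBalancingRulesManagerImpl list hunk. The constructor begins in the previous hunk.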
@@ -662,7 +666,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
public SearchCriteria<VO> buildSearchCriteria() {
searchCriteria = searchBuilder.create();
- _accountMgr.buildACLSearchCriteria(searchCriteria, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(searchCriteria, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
return searchCriteria;
}
@@ -673,7 +677,8 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
@Override
public List<? extends AutoScalePolicy> listAutoScalePolicies(ListAutoScalePoliciesCmd cmd) {
- SearchWrapper<AutoScalePolicyVO> searchWrapper = new SearchWrapper<AutoScalePolicyVO>(_autoScalePolicyDao, AutoScalePolicyVO.class, cmd, cmd.getId());
+ SearchWrapper<AutoScalePolicyVO> searchWrapper = new SearchWrapper<AutoScalePolicyVO>(_autoScalePolicyDao, AutoScalePolicyVO.class, cmd, cmd.getId(),
+ "listAutoScalePolicies");
SearchBuilder<AutoScalePolicyVO> sb = searchWrapper.getSearchBuilder();
Long id = cmd.getId();
Long conditionId = cmd.getConditionId();
@@ -879,7 +884,8 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Long zoneId = cmd.getZoneId();
Boolean forDisplay = cmd.getDisplay();
- SearchWrapper<AutoScaleVmGroupVO> searchWrapper = new SearchWrapper<AutoScaleVmGroupVO>(_autoScaleVmGroupDao, AutoScaleVmGroupVO.class, cmd, cmd.getId());
+ SearchWrapper<AutoScaleVmGroupVO> searchWrapper = new SearchWrapper<AutoScaleVmGroupVO>(_autoScaleVmGroupDao, AutoScaleVmGroupVO.class, cmd, cmd.getId(),
+ "listAutoScaleVmGroups");
SearchBuilder<AutoScaleVmGroupVO> sb = searchWrapper.getSearchBuilder();
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -974,7 +980,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
ControlledEntity[] sameOwnerEntities = policies.toArray(new ControlledEntity[policies.size() + 2]);
sameOwnerEntities[sameOwnerEntities.length - 2] = loadBalancer;
sameOwnerEntities[sameOwnerEntities.length - 1] = profileVO;
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
return Transaction.execute(new TransactionCallback<AutoScaleVmGroupVO>() {
@Override
@@ -1170,7 +1176,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
Long id = cmd.getId();
Long counterId = cmd.getCounterId();
Long policyId = cmd.getPolicyId();
- SearchWrapper<ConditionVO> searchWrapper = new SearchWrapper<ConditionVO>(_conditionDao, ConditionVO.class, cmd, cmd.getId());
+ SearchWrapper<ConditionVO> searchWrapper = new SearchWrapper<ConditionVO>(_conditionDao, ConditionVO.class, cmd, cmd.getId(), "listConditions");
SearchBuilder<ConditionVO> sb = searchWrapper.getSearchBuilder();
if (policyId != null) {
SearchBuilder<AutoScalePolicyConditionMapVO> asPolicyConditionSearch = _autoScalePolicyConditionMapDao.createSearchBuilder();
[3/5] Revert "Disable IAM feature from 4.4 release."
Posted by mc...@apache.org.
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index 4f853b3..7306068 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -263,25 +263,26 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
Boolean display = cmd.getDisplay();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
if (ipId != null) {
IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId);
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for firewall rules yet");
}
- _accountMgr.checkAccess(caller, null, true, ipAddressVO);
+ _accountMgr.checkAccess(caller, null, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, cmd.listAll(), false, "listFirewallRules");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(FirewallRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<FirewallRuleVO> sb = _firewallDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ);
@@ -303,7 +304,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
SearchCriteria<FirewallRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -463,7 +464,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
// Validate ip address
- _accountMgr.checkAccess(caller, null, true, ipAddress);
+ _accountMgr.checkAccess(caller, null, ipAddress);
}
//network id either has to be passed explicitly, or implicitly as a part of ipAddress object
@@ -475,7 +476,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
assert network != null : "Can't create rule as network associated with public ip address is null?";
if (trafficType == FirewallRule.TrafficType.Egress) {
- _accountMgr.checkAccess(caller, null, true, network);
+ _accountMgr.checkAccess(caller, null, network);
}
// Verify that the network guru supports the protocol specified
@@ -638,7 +639,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRuleVO[rules.size()]));
+ _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRuleVO[rules.size()]));
}
try {
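Review bot: `if (caller != null)` means the `checkAccess` call is skipped entirely when no caller is passed, and nothing in the hunk says when that is legitimate. A comment such as `// caller == null: no ACL check is performed here; the invoking code must already have authorized the operation` would document the contract, once confirmed against the callers. `revokeRule` in the `-761` hunk has the same guard. The enclosing method starts and ends outside the hunk.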
@@ -692,7 +693,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule");
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
revokeRule(rule, caller, userId, false);
@@ -742,7 +743,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
throw new InvalidParameterValueException("Only root admin can update the system wide firewall rule");
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
if (customId != null) {
rule.setUuid(customId);
@@ -761,7 +762,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
@DB
public void revokeRule(final FirewallRuleVO rule, Account caller, long userId, final boolean needUsageEvent) {
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
}
Transaction.execute(new TransactionCallbackNoReturn() {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index 8225243..05fb325 100755
--- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -30,11 +30,6 @@ import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
-import org.apache.log4j.Logger;
-
-import com.google.gson.Gson;
-import com.google.gson.reflect.TypeToken;
-
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBHealthCheckPolicyCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBStickinessPolicyCmd;
@@ -50,6 +45,7 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
+import org.apache.log4j.Logger;
import com.cloud.agent.api.to.LoadBalancerTO;
import com.cloud.configuration.ConfigurationManager;
@@ -169,6 +165,8 @@ import com.cloud.vm.VirtualMachine.State;
import com.cloud.vm.dao.NicDao;
import com.cloud.vm.dao.NicSecondaryIpDao;
import com.cloud.vm.dao.UserVmDao;
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
@Local(value = {LoadBalancingRulesManager.class, LoadBalancingRulesService.class})
public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements LoadBalancingRulesManager, LoadBalancingRulesService {
@@ -529,7 +527,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (loadBalancer.getState() == FirewallRule.State.Revoke) {
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
}
@@ -588,7 +586,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (loadBalancer.getState() == FirewallRule.State.Revoke) {
throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
@@ -750,7 +748,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
long loadBalancerId = loadBalancer.getId();
FirewallRule.State backupState = loadBalancer.getState();
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (apply) {
if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -803,7 +801,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
final long loadBalancerId = loadBalancer.getId();
FirewallRule.State backupState = loadBalancer.getState();
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (apply) {
if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -1195,7 +1193,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid certificate id: " + certId);
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
// check if LB and Cert belong to the same account
if (loadBalancer.getAccountId() != certVO.getAccountId()) {
@@ -1258,7 +1256,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("No certificate is bound to lb with id: " + lbRuleId);
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
boolean success = false;
FirewallRule.State backupState = loadBalancer.getState();
@@ -1302,7 +1300,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid load balancer value: " + loadBalancerId);
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
if (instanceIds == null && vmIdIpMap.isEmpty()) {
throw new InvalidParameterValueException("Both instanceids and vmidipmap can't be null");
@@ -1464,7 +1462,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
if (rule == null) {
throw new InvalidParameterValueException("Unable to find load balancer rule " + loadBalancerId);
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
boolean result = deleteLoadBalancerRule(loadBalancerId, apply, caller, ctx.getCallingUserId(), true);
if (!result) {
@@ -1688,7 +1686,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw ex;
}
- _accountMgr.checkAccess(caller.getCallingAccount(), null, true, ipAddr);
+ _accountMgr.checkAccess(caller.getCallingAccount(), null, ipAddr);
final Long networkId = ipAddr.getAssociatedWithNetworkId();
if (networkId == null) {
@@ -2062,7 +2060,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, lb);
+ _accountMgr.checkAccess(caller, null, lb);
if (name != null) {
lb.setName(name);
@@ -2141,7 +2139,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
return null;
}
- _accountMgr.checkAccess(caller, null, true, loadBalancer);
+ _accountMgr.checkAccess(caller, null, loadBalancer);
List<UserVmVO> loadBalancerInstances = new ArrayList<UserVmVO>();
List<String> serviceStates = new ArrayList<String>();
@@ -2220,7 +2218,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
return null;
}
- _accountMgr.checkAccess(caller, null, true, loadBalancer);
+ _accountMgr.checkAccess(caller, null, loadBalancer);
List<LBStickinessPolicyVO> sDbpolicies = _lb2stickinesspoliciesDao.listByLoadBalancerIdAndDisplayFlag(cmd.getLbRuleId(), forDisplay);
@@ -2237,10 +2235,8 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
if (loadBalancer == null) {
return null;
}
-
- _accountMgr.checkAccess(caller, null, true, loadBalancer);
+ _accountMgr.checkAccess(caller, null, loadBalancer);
List<LBHealthCheckPolicyVO> hcDbpolicies = _lb2healthcheckDao.listByLoadBalancerIdAndDisplayFlag(cmd.getLbRuleId(), forDisplay);
-
return hcDbpolicies;
}
@@ -2257,19 +2253,21 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
Boolean forDisplay = cmd.getDisplay();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
- domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listLoadBalancerRules");
+ //Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(LoadBalancerVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<LoadBalancerVO> sb = _lbDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE);
@@ -2303,7 +2301,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
}
SearchCriteria<LoadBalancerVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<LoadBalancerVO> ssc = _lbDao.createSearchCriteria();
@@ -2486,7 +2484,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid Load balancer : " + policy.getLoadBalancerId() + " for Stickiness policy id: " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, loadBalancer);
if (customId != null) {
policy.setUuid(customId);
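Review bot: The new `checkAccess(CallContext.current().getCallingAccount(), null, loadBalancer)` passes `null` for the access type on a path that goes on to modify the policy (`policy.setUuid(customId)`), so the privilege being required is not stated at the call site. What a null type resolves to in the three-argument overload is not visible in this diff and should be confirmed; elsewhere the commit names the type explicitly, as in `checkAccess(caller, AccessType.OperateEntry, securityGroup)`. If a specific level is required here, pass it; otherwise add a comment such as `// null access type: uses the checker's default (confirm which)`. The same pattern recurs in the next hunk of this file and in the router, network ACL and VPC hunks, including destroy, delete and restart paths. The enclosing method starts and ends outside the hunk.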
@@ -2513,7 +2511,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
throw new InvalidParameterException("Invalid Load balancer : " + policy.getLoadBalancerId() + " for Stickiness policy id: " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, loadBalancer);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, loadBalancer);
if (customId != null) {
policy.setUuid(customId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index 05fbad3..be3e849 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -462,7 +462,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
return null;
}
- _accountMgr.checkAccess(caller, null, true, router);
+ _accountMgr.checkAccess(caller, null, router);
_itMgr.expunge(router.getUuid());
_routerDao.remove(router.getId());
@@ -481,7 +481,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find router with id " + routerId);
}
- _accountMgr.checkAccess(caller, null, true, router);
+ _accountMgr.checkAccess(caller, null, router);
if (router.getServiceOfferingId() == serviceOfferingId) {
s_logger.debug("Router: " + routerId + "already has service offering: " + serviceOfferingId);
@@ -596,7 +596,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
}
- _accountMgr.checkAccess(account, null, true, router);
+ _accountMgr.checkAccess(account, null, router);
final UserVO user = _userDao.findById(CallContext.current().getCallingUserId());
@@ -655,7 +655,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
throw new InvalidParameterValueException("Unable to find domain router with id " + routerId + ".");
}
- _accountMgr.checkAccess(caller, null, true, router);
+ _accountMgr.checkAccess(caller, null, router);
// Can reboot domain router only in Running state
if (router == null || router.getState() != State.Running) {
@@ -3300,7 +3300,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
if (router == null) {
throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
}
- _accountMgr.checkAccess(caller, null, true, router);
+ _accountMgr.checkAccess(caller, null, router);
final Account owner = _accountMgr.getAccount(router.getAccountId());
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/rules/RulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index eea1262..f6a87bf 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -27,6 +27,7 @@ import javax.inject.Inject;
import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.firewall.ListPortForwardingRulesCmd;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
@@ -163,7 +164,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
}
- _accountMgr.checkAccess(caller, null, true, ipAddress, userVm);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipAddress, userVm);
// validate that IP address and userVM belong to the same account
if (ipAddress.getAllocatedToAccountId().longValue() != userVm.getAccountId()) {
@@ -188,7 +189,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
return;
}
- _accountMgr.checkAccess(caller, null, true, rule, userVm);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, rule, userVm);
if (userVm.getState() == VirtualMachine.State.Destroyed || userVm.getState() == VirtualMachine.State.Expunging) {
throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId());
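Review bot: The two-entity call `checkAccess(caller, AccessType.OperateEntry, rule, userVm)` no longer carries the boolean that the old call set to `true`, and nothing in this hunk verifies that rule and userVm belong to the same account. The previous hunk keeps an explicit guard after its call (`ipAddress.getAllocatedToAccountId().longValue() != userVm.getAccountId()`), which suggests the relationship matters; whether the new overload enforces it is not visible here. If it does not, add the equivalent guard after the call, e.g. `if (rule.getAccountId() != userVm.getAccountId()) { throw new InvalidParameterValueException("Rule and vm must belong to the same account"); }` (assuming rule exposes getAccountId(), as its use as a checkAccess entity implies). The array-based calls later in this file (`rules.toArray(...)`, `staticNatRules.toArray(...)`, `ips.toArray(...)`) drop the same flag, and the enclosing method starts and ends outside the hunk.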
@@ -682,7 +683,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
throw new InvalidParameterValueException("Unable to find " + ruleId);
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
if (!revokePortForwardingRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
throw new CloudRuntimeException("Failed to delete port forwarding rule");
@@ -717,7 +718,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
throw new InvalidParameterValueException("Unable to find " + ruleId);
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
if (!revokeStaticNatRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
throw new CloudRuntimeException("Failed to revoke forwarding rule");
@@ -784,25 +785,27 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
Boolean display = cmd.getDisplay();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
if (ipId != null) {
IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId);
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
}
- _accountMgr.checkAccess(caller, null, true, ipAddressVO);
+ _accountMgr.checkAccess(caller, null, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listPortForwardingRules");
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(PortForwardingRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<PortForwardingRuleVO> sb = _portForwardingDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ);
@@ -823,7 +826,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
SearchCriteria<PortForwardingRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
@@ -866,7 +869,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+ _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
}
try {
@@ -895,7 +898,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
+ _accountMgr.checkAccess(caller, null, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
}
try {
@@ -919,7 +922,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+ _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
}
try {
@@ -945,7 +948,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRule[rules.size()]));
+ _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRule[rules.size()]));
}
for (FirewallRuleVO rule : rules) {
@@ -973,7 +976,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, ips.toArray(new IPAddressVO[ips.size()]));
+ _accountMgr.checkAccess(caller, null, ips.toArray(new IPAddressVO[ips.size()]));
}
List<StaticNat> staticNats = new ArrayList<StaticNat>();
@@ -1000,25 +1003,28 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
public Pair<List<? extends FirewallRule>, Integer> searchStaticNatRules(Long ipId, Long id, Long vmId, Long start, Long size, String accountName, Long domainId,
Long projectId, boolean isRecursive, boolean listAll) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
if (ipId != null) {
IPAddressVO ipAddressVO = _ipAddressDao.findById(ipId);
if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
}
- _accountMgr.checkAccess(caller, null, true, ipAddressVO);
+ _accountMgr.checkAccess(caller, null, ipAddressVO);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject, listAll, false);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, "listIpForwardingRules");
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(PortForwardingRuleVO.class, "id", false, start, size);
SearchBuilder<FirewallRuleVO> sb = _firewallDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ);
sb.and("purpose", sb.entity().getPurpose(), Op.EQ);
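Review bot: `domainId = domainIdRecursiveListProject.first();` is still assigned here although domainId is no longer passed to buildACLSearchBuilder, while the parallel listPortForwardingRules hunk removes that line and two other hunks in this commit comment it out. If nothing further down searchStaticNatRules reads domainId (the body continues outside the hunk), delete the assignment so that every list path scopes results the same way, through permittedDomains, permittedAccounts and permittedResources. The listNetworkACLs hunk in NetworkACLServiceImpl keeps the same assignment.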
@@ -1031,7 +1037,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
SearchCriteria<FirewallRuleVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sc.setParameters("purpose", Purpose.StaticNat);
if (id != null) {
@@ -1383,7 +1389,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
}
if (caller != null) {
- _accountMgr.checkAccess(caller, null, true, sourceIp);
+ _accountMgr.checkAccess(caller, null, sourceIp);
}
// create new static nat rule
@@ -1502,7 +1508,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
if (rule == null) {
throw new InvalidParameterValueException("Unable to find " + id);
}
- _accountMgr.checkAccess(caller, null, true, rule);
+ _accountMgr.checkAccess(caller, null, rule);
if (customId != null) {
rule.setUuid(customId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index f60a746..a666ecd 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// Verify permissions
- _accountMgr.checkAccess(caller, null, true, securityGroup);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
Long domainId = owner.getDomainId();
if (protocol == null) {
@@ -819,7 +819,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
// Check permissions
SecurityGroup securityGroup = _securityGroupDao.findById(rule.getSecurityGroupId());
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, securityGroup);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
long securityGroupId = rule.getSecurityGroupId();
Boolean result = Transaction.execute(new TransactionCallback<Boolean>() {
@@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, group);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>() {
@Override
@@ -1359,7 +1359,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
}
// Verify permissions
- _accountMgr.checkAccess(caller, null, false, vm);
+ _accountMgr.checkAccess(caller, null, vm);
// Validate parameters
List<SecurityGroupVO> vmSgGrps = getSecurityGroupsForVm(vmId);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 19a26c1..72996d1 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -103,7 +103,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
return _networkAclMgr.createNetworkACL(name, description, vpcId, forDisplay);
}
@@ -161,7 +161,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
//Include vpcId 0 to list default ACLs
sc.setParameters("vpcId", vpcId, 0);
} else {
@@ -169,23 +169,26 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
// VpcId is not specified. Find permitted VPCs for the caller
// and list ACLs belonging to the permitted VPCs
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
Long domainId = cmd.getDomainId();
boolean isRecursive = cmd.isRecursive();
String accountName = cmd.getAccountName();
Long projectId = cmd.getProjectId();
boolean listAll = cmd.listAll();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
- ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ ListProjectResourcesCriteria>(domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject,
+ listAll, false, "listNetworkACLLists");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sbVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
SearchCriteria<VpcVO> scVpc = sbVpc.create();
- _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(scVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
List<Long> vpcIds = new ArrayList<Long>();
for (VpcVO vpc : vpcs) {
@@ -222,7 +225,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find specified VPC associated with the ACL");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
return _networkAclMgr.deleteNetworkACL(acl);
}
@@ -253,14 +256,14 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (!gateway.getVpcId().equals(acl.getVpcId())) {
throw new InvalidParameterValueException("private gateway: " + privateGatewayId + " and ACL: " + aclId + " do not belong to the same VPC");
}
}
PrivateGateway privateGateway = _vpcSvc.getVpcPrivateGateway(gateway.getId());
- _accountMgr.checkAccess(caller, null, true, privateGateway);
+ _accountMgr.checkAccess(caller, null, privateGateway);
return _networkAclMgr.replaceNetworkACLForPrivateGw(acl, privateGateway);
@@ -296,7 +299,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (!network.getVpcId().equals(acl.getVpcId())) {
throw new InvalidParameterValueException("Network: " + networkId + " and ACL: " + aclId + " do not belong to the same VPC");
}
@@ -368,7 +371,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
//Ensure that number is unique within the ACL
if (aclItemCmd.getNumber() != null) {
@@ -485,6 +488,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
String action = cmd.getAction();
Map<String, String> tags = cmd.getTags();
Account caller = CallContext.current().getCallingAccount();
+ Boolean display = cmd.getDisplay();
Filter filter = new Filter(NetworkACLItemVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<NetworkACLItemVO> sb = _networkACLItemDao.createSearchBuilder();
@@ -494,6 +498,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ);
sb.and("protocol", sb.entity().getProtocol(), Op.EQ);
sb.and("action", sb.entity().getAction(), Op.EQ);
+ sb.and("display", sb.entity().isDisplay(), Op.EQ);
if (tags != null && !tags.isEmpty()) {
SearchBuilder<ResourceTagVO> tagSearch = _resourceTagDao.createSearchBuilder();
@@ -516,6 +521,10 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
SearchCriteria<NetworkACLItemVO> sc = sb.create();
+ if (display != null) {
+ sc.setParameters("display", display);
+ }
+
if (id != null) {
sc.setParameters("id", id);
}
@@ -542,32 +551,33 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (vpc == null) {
throw new InvalidParameterValueException("Unable to find VPC associated with acl");
}
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
}
sc.setParameters("aclId", aclId);
} else {
//ToDo: Add accountId to network_acl_item table for permission check
-
// aclId is not specified
// List permitted VPCs and filter aclItems
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Long domainId = cmd.getDomainId();
boolean isRecursive = cmd.isRecursive();
String accountName = cmd.getAccountName();
Long projectId = cmd.getProjectId();
boolean listAll = cmd.listAll();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
- ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
+ ListProjectResourcesCriteria>(domainId, isRecursive, null);
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject,
+ listAll, false, "listNetworkACLs");
domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<VpcVO> sbVpc = _vpcDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sbVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sbVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
SearchCriteria<VpcVO> scVpc = sbVpc.create();
- _accountMgr.buildACLSearchCriteria(scVpc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(scVpc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
List<VpcVO> vpcs = _vpcDao.search(scVpc, null);
List<Long> vpcIds = new ArrayList<Long>();
for (VpcVO vpc : vpcs) {
@@ -610,7 +620,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if((aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW) || (aclItem.getAclId() == NetworkACL.DEFAULT_DENY)){
throw new InvalidParameterValueException("ACL Items in default ACL cannot be deleted");
@@ -637,7 +647,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (number != null) {
//Check if ACL Item with specified number already exists
@@ -659,7 +669,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
NetworkACLVO acl = _networkACLDao.findById(id);
Vpc vpc = _entityMgr.findById(Vpc.class, acl.getVpcId());
Account caller = CallContext.current().getCallingAccount();
- _accountMgr.checkAccess(caller, null, true, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (customId != null) {
acl.setUuid(customId);
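Review bot: `checkAccess(caller, null, vpc)` is reached here without any null check on acl or vpc, unlike the other hunks in this file, which throw "Unable to find Vpc associated with the NetworkACL" first. An unknown id makes `acl.getVpcId()` fail with a NullPointerException, and an ACL whose VPC lookup returns null (the list path above treats vpcId 0 as the default ACLs) hands a null entity to the access check, whose behaviour for null is not visible in this diff. Add `if (acl == null) { throw new InvalidParameterValueException("Unable to find network ACL with id " + id); }` before the VPC lookup and `if (vpc == null) { throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL"); }` before the access check. The enclosing method starts and ends outside the hunk.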
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/vpc/VpcManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
index 0d24544..9e02fd7 100644
--- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
@@ -35,9 +35,8 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
-import org.apache.log4j.Logger;
-
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.user.vpc.ListPrivateGatewaysCmd;
import org.apache.cloudstack.api.command.user.vpc.ListStaticRoutesCmd;
import org.apache.cloudstack.context.CallContext;
@@ -45,6 +44,7 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.ConfigDepot;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.log4j.Logger;
import com.cloud.configuration.Config;
import com.cloud.configuration.ConfigurationManager;
@@ -761,7 +761,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Account owner = _accountMgr.getAccount(vpcOwnerId);
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
//check resource limit
_resourceLimitMgr.checkResourceLimit(owner, ResourceType.vpc);
@@ -894,7 +894,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//verify permissions
- _accountMgr.checkAccess(ctx.getCallingAccount(), null, false, vpc);
+ _accountMgr.checkAccess(ctx.getCallingAccount(), null, vpc);
return destroyVpc(vpc, ctx.getCallingAccount(), ctx.getCallingUserId());
}
@@ -962,7 +962,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw new InvalidParameterValueException("Unable to find vpc by id " + vpcId);
}
- _accountMgr.checkAccess(caller, null, false, vpcToUpdate);
+ _accountMgr.checkAccess(caller, null, vpcToUpdate);
VpcVO vpc = _vpcDao.createForUpdate(vpcId);
@@ -995,18 +995,20 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
String accountName, Long domainId, String keyword, Long startIndex, Long pageSizeVal, Long zoneId, Boolean isRecursive, Boolean listAll, Boolean restartRequired,
Map<String, String> tags, Long projectId, Boolean display) {
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, "listVPCs");
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(VpcVO.class, "created", false, startIndex, pageSizeVal);
SearchBuilder<VpcVO> sb = _vpcDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
@@ -1032,7 +1034,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
// now set the SC criteria...
SearchCriteria<VpcVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (keyword != null) {
SearchCriteria<VpcVO> ssc = _vpcDao.createSearchCriteria();
@@ -1152,7 +1154,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//permission check
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
@@ -1212,7 +1214,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
//permission check
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
//shutdown provider
s_logger.debug("Shutting down vpc " + vpc);
@@ -1478,7 +1480,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw ex;
}
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
s_logger.debug("Restarting VPC " + vpc);
boolean restartRequired = false;
@@ -1795,21 +1797,23 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Long domainId = cmd.getDomainId();
String accountName = cmd.getAccountName();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
String state = cmd.getState();
Long projectId = cmd.getProjectId();
Filter searchFilter = new Filter(VpcGatewayVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, "listPrivateGateways");
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
SearchBuilder<VpcGatewayVO> sb = _vpcGatewayDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+
if (vlan != null) {
SearchBuilder<NetworkVO> ntwkSearch = _ntwkDao.createSearchBuilder();
ntwkSearch.and("vlan", ntwkSearch.entity().getBroadcastUri(), SearchCriteria.Op.EQ);
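Review bot: The new last argument to `buildACLSearchParameters`, `"listPrivateGateways"`, is a bare string literal that appears to name the API action the ACL lookup is made for. A misspelled name would still compile and could change which domains, accounts and resources end up in the permitted lists (inferred; the lookup itself is outside this hunk). A shared constant such as `private static final String LIST_PRIVATE_GATEWAYS = "listPrivateGateways";` would keep the name in one place. The `"listStaticRoutes"` hunk at `@@ -2045` and the list hunks in the two VPN manager files use the same pattern. The method body continues outside the hunk.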
@@ -1817,7 +1821,8 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
SearchCriteria<VpcGatewayVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+
if (id != null) {
sc.addAnd("id", Op.EQ, id);
}
@@ -1929,7 +1934,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
throw new InvalidParameterValueException("Unable to find static route by id");
}
- _accountMgr.checkAccess(caller, null, false, route);
+ _accountMgr.checkAccess(caller, null, route);
markStaticRouteForRevoke(route, caller);
@@ -1977,7 +1982,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
if (vpc == null) {
throw new InvalidParameterValueException("Can't add static route to VPC that is being deleted");
}
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (!NetUtils.isValidCIDR(cidr)) {
throw new InvalidParameterValueException("Invalid format for cidr " + cidr);
@@ -2045,21 +2050,23 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
Boolean listAll = cmd.listAll();
String accountName = cmd.getAccountName();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
+
Map<String, String> tags = cmd.getTags();
Long projectId = cmd.getProjectId();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject,
- listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll,
+ false, "listStaticRoutes");
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(StaticRouteVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<StaticRouteVO> sb = _staticRouteDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("vpcId", sb.entity().getVpcId(), SearchCriteria.Op.EQ);
@@ -2078,7 +2085,8 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
SearchCriteria<StaticRouteVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
+
if (id != null) {
sc.addAnd("id", Op.EQ, id);
}
@@ -2126,7 +2134,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
protected void markStaticRouteForRevoke(StaticRouteVO route, Account caller) {
s_logger.debug("Revoking static route " + route);
if (caller != null) {
- _accountMgr.checkAccess(caller, null, false, route);
+ _accountMgr.checkAccess(caller, null, route);
}
if (route.getState() == StaticRoute.State.Staged) {
@@ -2185,7 +2193,6 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
IpAddress ipToAssoc = _ntwkModel.getIp(ipId);
if (ipToAssoc != null) {
- _accountMgr.checkAccess(caller, null, true, ipToAssoc);
owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
} else {
s_logger.debug("Unable to find ip address by id: " + ipId);
@@ -2198,7 +2205,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
}
// check permissions
- _accountMgr.checkAccess(caller, null, true, owner, vpc);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipToAssoc, vpc);
boolean isSourceNat = false;
if (getExistingSourceNatInVpc(owner.getId(), vpcId) == null) {
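Review bot: The check `checkAccess(caller, AccessType.OperateEntry, ipToAssoc, vpc)` no longer covers `owner`. Together with the preceding hunk (`@@ -2185`), which drops the early check on `ipToAssoc`, the IP's owning account is now read before any access check has run. The lines between the two hunks are not shown, so it should be confirmed that nothing there acts on `owner` or `ipToAssoc` before this call. If early rejection is still wanted, the check can sit right after the lookup as `_accountMgr.checkAccess(caller, AccessType.OperateEntry, ipToAssoc);`. The enclosing method extends beyond both hunks.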
@@ -2278,7 +2285,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
ex.addProxyObject(String.valueOf(vpcId), "VPC");
throw ex;
}
- _accountMgr.checkAccess(caller, null, false, vpc);
+ _accountMgr.checkAccess(caller, null, vpc);
if (networkDomain == null) {
networkDomain = vpc.getNetworkDomain();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
index 757f618..9d9118c 100755
--- a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
@@ -150,7 +150,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Unable to create remote access vpn, invalid public IP address id" + publicIpId);
}
- _accountMgr.checkAccess(caller, null, true, ipAddr);
+ _accountMgr.checkAccess(caller, null, ipAddr);
if (!ipAddr.readyToUse()) {
throw new InvalidParameterValueException("The Ip address is not ready to be used yet: " + ipAddr.getAddress());
@@ -292,7 +292,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
return true;
}
- _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, vpn);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, vpn);
RemoteAccessVpn.State prevState = vpn.getState();
vpn.setState(RemoteAccessVpn.State.Removed);
@@ -395,7 +395,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (owner == null) {
throw new InvalidParameterValueException("Unable to add vpn user: Another operation active");
}
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
//don't allow duplicated user names for the same account
VpnUserVO vpnUser = _vpnUsersDao.findByAccountAndUsername(owner.getId(), username);
@@ -424,7 +424,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
if (user == null) {
throw new InvalidParameterValueException("Could not find vpn user " + username);
}
- _accountMgr.checkAccess(caller, null, true, user);
+ _accountMgr.checkAccess(caller, null, user);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
@@ -443,7 +443,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
public List<? extends VpnUser> listVpnUsers(long vpnOwnerId, String userName) {
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountDao.findById(vpnOwnerId);
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
return _vpnUsersDao.listByAccount(vpnOwnerId);
}
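Review bot: `owner` comes straight from `_accountDao.findById(vpnOwnerId)` and is handed to `checkAccess` without a null check, so an unknown `vpnOwnerId` reaches the access check as a null entity. How `checkAccess` treats a null entity is not visible here. Rejecting it up front avoids depending on that: `if (owner == null) { throw new InvalidParameterValueException("Unable to find account by id " + vpnOwnerId); }`. The `applyVpnUsers` hunk at `@@ -507` has the same lookup-then-check pattern.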
@@ -461,7 +461,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
openFirewall = false;
}
- _accountMgr.checkAccess(caller, null, true, vpn);
+ _accountMgr.checkAccess(caller, null, vpn);
boolean started = false;
try {
@@ -507,7 +507,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
public boolean applyVpnUsers(long vpnOwnerId, String userName) {
Account caller = CallContext.current().getCallingAccount();
Account owner = _accountDao.findById(vpnOwnerId);
- _accountMgr.checkAccess(caller, null, true, owner);
+ _accountMgr.checkAccess(caller, null, owner);
s_logger.debug("Applying vpn users for " + owner);
List<RemoteAccessVpnVO> vpns = _remoteAccessVpnDao.findByAccount(vpnOwnerId);
@@ -586,24 +586,26 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
String username = cmd.getUsername();
Long id = cmd.getId();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listVpnUsers");
+ //Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(VpnUserVO.class, "username", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<VpnUserVO> sb = _vpnUsersDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
-
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("username", sb.entity().getUsername(), SearchCriteria.Op.EQ);
sb.and("state", sb.entity().getState(), Op.IN);
SearchCriteria<VpnUserVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
//list only active users
sc.setParameters("state", State.Active, State.Add);
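Review bot: The added line `//Long domainId = domainIdRecursiveListProject.first();` leaves the old assignment behind as commented-out code. `domainId` is no longer passed to `buildACLSearchBuilder` or `buildACLSearchCriteria` in this hunk, so the line can simply be deleted and version control keeps the history. The same leftover is added in the `@@ -640` hunk of this file and in the three list hunks of Site2SiteVpnManagerImpl.java (`//domainId = domainIdRecursiveListProject.first();`). The method starts before the hunk.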
@@ -625,7 +627,9 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
// do some parameter validation
Account caller = CallContext.current().getCallingAccount();
Long ipAddressId = cmd.getPublicIpId();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Long vpnId = cmd.getId();
Long networkId = cmd.getNetworkId();
@@ -640,18 +644,19 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Unable to list remote access vpns, IP address " + ipAddressId + " is not associated with an account.");
}
}
- _accountMgr.checkAccess(caller, null, true, publicIp);
+ _accountMgr.checkAccess(caller, null, publicIp);
}
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
- _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
- Long domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+ domainIdRecursiveListProject, cmd.listAll(), false, "listRemoteAccessVpns");
+ //Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(RemoteAccessVpnVO.class, "serverAddressId", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<RemoteAccessVpnVO> sb = _remoteAccessVpnDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("serverAddressId", sb.entity().getServerAddressId(), Op.EQ);
sb.and("id", sb.entity().getId(), Op.EQ);
@@ -660,8 +665,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
sb.and("display", sb.entity().isDisplay(), Op.EQ);
SearchCriteria<RemoteAccessVpnVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
-
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sc.setParameters("state", RemoteAccessVpn.State.Running);
@@ -751,7 +755,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
throw new InvalidParameterValueException("Can't find remote access vpn by id " + id);
}
- _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vpn);
+ _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vpn);
if (customId != null) {
vpn.setUuid(customId);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
index e6d0b12..a34aa6c 100644
--- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
@@ -125,7 +125,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
Long vpcId = cmd.getVpcId();
VpcVO vpc = _vpcDao.findById(vpcId);
@@ -175,7 +175,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
String name = cmd.getName();
String gatewayIp = cmd.getGatewayIp();
@@ -243,21 +243,21 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
//Verify that caller can perform actions in behalf of vpc owner
- _accountMgr.checkAccess(caller, null, false, owner);
+ _accountMgr.checkAccess(caller, null, owner);
Long customerGatewayId = cmd.getCustomerGatewayId();
Site2SiteCustomerGateway customerGateway = _customerGatewayDao.findById(customerGatewayId);
if (customerGateway == null) {
throw new InvalidParameterValueException("Unable to found specified Site to Site VPN customer gateway " + customerGatewayId + " !");
}
- _accountMgr.checkAccess(caller, null, false, customerGateway);
+ _accountMgr.checkAccess(caller, null, customerGateway);
Long vpnGatewayId = cmd.getVpnGatewayId();
Site2SiteVpnGateway vpnGateway = _vpnGatewayDao.findById(vpnGatewayId);
if (vpnGateway == null) {
throw new InvalidParameterValueException("Unable to found specified Site to Site VPN gateway " + vpnGatewayId + " !");
}
- _accountMgr.checkAccess(caller, null, false, vpnGateway);
+ _accountMgr.checkAccess(caller, null, vpnGateway);
if (customerGateway.getAccountId() != vpnGateway.getAccountId() || customerGateway.getDomainId() != vpnGateway.getDomainId()) {
throw new InvalidParameterValueException("VPN connection can only be esitablished between same account's VPN gateway and customer gateway!");
@@ -363,7 +363,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (customerGateway == null) {
throw new InvalidParameterValueException("Fail to find customer gateway with " + id + " !");
}
- _accountMgr.checkAccess(caller, null, false, customerGateway);
+ _accountMgr.checkAccess(caller, null, customerGateway);
return doDeleteCustomerGateway(customerGateway);
}
@@ -398,7 +398,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find vpn gateway with " + id + " !");
}
- _accountMgr.checkAccess(caller, null, false, vpnGateway);
+ _accountMgr.checkAccess(caller, null, vpnGateway);
doDeleteVpnGateway(vpnGateway);
return true;
@@ -415,7 +415,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (gw == null) {
throw new InvalidParameterValueException("Find to find customer gateway with id " + id);
}
- _accountMgr.checkAccess(caller, null, false, gw);
+ _accountMgr.checkAccess(caller, null, gw);
List<Site2SiteVpnConnectionVO> conns = _vpnConnectionDao.listByCustomerGatewayId(id);
if (conns != null) {
@@ -505,7 +505,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to delete!");
}
- _accountMgr.checkAccess(caller, null, false, conn);
+ _accountMgr.checkAccess(caller, null, conn);
if (conn.getState() == State.Connected) {
stopVpnConnection(id);
@@ -554,7 +554,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
if (conn == null) {
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to reset!");
}
- _accountMgr.checkAccess(caller, null, false, conn);
+ _accountMgr.checkAccess(caller, null, conn);
if (conn.getState() == State.Pending) {
throw new InvalidParameterValueException("VPN connection " + id + " cannot be reseted when state is Pending!");
@@ -578,23 +578,26 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
long pageSizeVal = cmd.getPageSizeVal();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false,
+ "listVpnCustomerGateways");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(Site2SiteCustomerGatewayVO.class, "id", false, startIndex, pageSizeVal);
SearchBuilder<Site2SiteCustomerGatewayVO> sb = _customerGatewayDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
SearchCriteria<Site2SiteCustomerGatewayVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
@@ -618,25 +621,28 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
long pageSizeVal = cmd.getPageSizeVal();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false,
+ "listVpnGateways");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(Site2SiteVpnGatewayVO.class, "id", false, startIndex, pageSizeVal);
SearchBuilder<Site2SiteVpnGatewayVO> sb = _vpnGatewayDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("vpcId", sb.entity().getVpcId(), SearchCriteria.Op.EQ);
sb.and("display", sb.entity().isDisplay(), SearchCriteria.Op.EQ);
SearchCriteria<Site2SiteVpnGatewayVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (id != null) {
sc.addAnd("id", SearchCriteria.Op.EQ, id);
@@ -668,18 +674,21 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
long pageSizeVal = cmd.getPageSizeVal();
Account caller = CallContext.current().getCallingAccount();
+ List<Long> permittedDomains = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<Long>();
+ List<Long> permittedResources = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean,
ListProjectResourcesCriteria>(domainId, isRecursive, null);
- _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, false);
- domainId = domainIdRecursiveListProject.first();
+ _accountMgr.buildACLSearchParameters(caller, id, accountName, null, permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, listAll, false,
+ "listVpnConnections");
+ //domainId = domainIdRecursiveListProject.first();
isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter searchFilter = new Filter(Site2SiteVpnConnectionVO.class, "id", false, startIndex, pageSizeVal);
SearchBuilder<Site2SiteVpnConnectionVO> sb = _vpnConnectionDao.createSearchBuilder();
- _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("display", sb.entity().isDisplay(), SearchCriteria.Op.EQ);
@@ -691,7 +700,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
}
SearchCriteria<Site2SiteVpnConnectionVO> sc = sb.create();
- _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+ _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
if (display != null) {
sc.setParameters("display", display);
@@ -809,7 +818,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id);
}
- _accountMgr.checkAccess(caller, null, false, conn);
+ _accountMgr.checkAccess(caller, null, conn);
if (customId != null) {
conn.setUuid(customId);
}
@@ -832,7 +841,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new InvalidParameterValueException("Fail to find vpn gateway with " + id);
}
- _accountMgr.checkAccess(caller, null, false, vpnGateway);
+ _accountMgr.checkAccess(caller, null, vpnGateway);
if (customId != null) {
vpnGateway.setUuid(customId);
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/projects/ProjectManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/projects/ProjectManagerImpl.java b/server/src/com/cloud/projects/ProjectManagerImpl.java
index d10c059..6aa5abc 100755
--- a/server/src/com/cloud/projects/ProjectManagerImpl.java
+++ b/server/src/com/cloud/projects/ProjectManagerImpl.java
@@ -244,7 +244,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//at this point enabling project doesn't require anything, so just update the state
project.setState(State.Active);
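Review bot: The call `_accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()))` is spelled out in full here and again in the later hunks of this file, so the access type and the account lookup have to stay in sync by hand. A private helper, for example `private void checkModifyProjectAccess(Account caller, Project project)`, would keep the project-owner check in one place. It would also give a single spot to handle `getAccount` returning null, which the visible call sites do not guard against. The enclosing method begins outside the hunk.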
@@ -264,7 +264,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
- _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
return deleteProject(ctx.getCallingAccount(), ctx.getCallingUserId(), project);
}
@@ -463,7 +463,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
Transaction.execute(new TransactionCallbackWithExceptionNoReturn<ResourceAllocationException>() {
@Override
@@ -550,7 +550,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions - only project owner can assign
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//Check if the account already added to the project
ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@@ -628,7 +628,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//Check if the account exists in the project
ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@@ -750,7 +750,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, null, true, account);
+ _accountMgr.checkAccess(caller, null, account);
accountId = account.getId();
} else {
@@ -830,7 +830,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
}
//verify permissions
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
//allow project activation only when it's in Suspended state
Project.State currentState = project.getState();
@@ -870,7 +870,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
throw ex;
}
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
if (suspendProject(project)) {
s_logger.debug("Successfully suspended project id=" + projectId);
@@ -1012,7 +1012,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
Project project = getProject(invitation.getProjectId());
//check permissions - only project owner can remove the invitations
- _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+ _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
if (_projectInvitationDao.remove(id)) {
s_logger.debug("Project Invitation id=" + id + " is removed");