http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java 
b/server/src/com/cloud/vm/UserVmManagerImpl.java
index e7db877..58709ec 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -35,6 +35,9 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.commons.codec.binary.Base64;
+import org.apache.log4j.Logger;
+
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.affinity.AffinityGroupService;
@@ -83,8 +86,6 @@ import org.apache.cloudstack.storage.command.DeleteCommand;
 import org.apache.cloudstack.storage.command.DettachCommand;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
@@ -531,7 +532,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw new InvalidParameterValueException("Vm with id " + vmId + " 
is not in the right state");
         }
 
-        _accountMgr.checkAccess(caller, null, userVm);
+        _accountMgr.checkAccess(caller, null, true, userVm);
 
         boolean result = resetVMPasswordInternal(vmId, password);
 
@@ -637,7 +638,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
                     + " in specified domain id");
         }
 
-        _accountMgr.checkAccess(caller, null, userVm);
+        _accountMgr.checkAccess(caller, null, true, userVm);
         String password = null;
         String sshPublicKey = s.getPublicKey();
         if (template != null && template.getEnablePassword()) {
@@ -777,7 +778,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
                     + "; make sure the virtual machine is stopped");
         }
 
-        _accountMgr.checkAccess(caller, null, vmInstance);
+        _accountMgr.checkAccess(caller, null, true, vmInstance);
 
         // Check resource limits for CPU and Memory.
         Map<String, String> customParameters = cmd.getDetails();
@@ -891,7 +892,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a virtual 
machine with id " + vmId);
         }
 
-        _accountMgr.checkAccess(caller, null, vmInstance);
+        _accountMgr.checkAccess(caller, null, true, vmInstance);
 
         // Check resource limits for CPU and Memory.
         ServiceOfferingVO newServiceOffering = _offeringDao.findById(svcOffId);
@@ -960,6 +961,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         Long vmId = cmd.getVmId();
         Long networkId = cmd.getNetworkId();
         String ipAddress = cmd.getIpAddress();
+        Account caller = CallContext.current().getCallingAccount();
 
         UserVmVO vmInstance = _vmDao.findById(vmId);
         if (vmInstance == null) {
@@ -970,6 +972,12 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a network 
with id " + networkId);
         }
 
+        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (!(network.getGuestType() == Network.GuestType.Shared && 
network.getAclType() == ACLType.Domain)
+                && !(network.getAclType() == ACLType.Account && 
network.getAccountId() == vmInstance.getAccountId())) {
+            throw new InvalidParameterValueException("only shared network or 
isolated network with the same account_id can be added to vmId: " + vmId);
+        }
+        }
 
         List<NicVO> allNics = _nicDao.listByVmId(vmInstance.getId());
         for (NicVO nic : allNics) {
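Review bot: The new ownership test on `network` in this hunk runs before the VM permission check that the next hunk adds (`_accountMgr.checkAccess(caller, null, true, vmInstance)`), and it reports an authorization failure as `InvalidParameterValueException`. A caller with no rights on the VM therefore gets a different answer depending on whether the network's account matches the VM's account; moving the block below the VM check and throwing `PermissionDeniedException` would avoid that. The admin test here is `caller.getType() != Account.ACCOUNT_TYPE_ADMIN`, while the affinity-group hunk in this file uses `_accountMgr.isRootAdmin(caller.getId())`; one form should be used for both. The inner `if` is also not indented under the outer one, which hides the nesting. The enclosing method starts and ends outside the hunk.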
@@ -982,12 +990,18 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             profile = new NicProfile(ipAddress, null);
         }
 
+        // Perform permission check on VM
+        _accountMgr.checkAccess(caller, null, true, vmInstance);
+
         // Verify that zone is not Basic
         DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
         if (dc.getNetworkType() == DataCenter.NetworkType.Basic) {
             throw new CloudRuntimeException("Zone " + 
vmInstance.getDataCenterId() + ", has a NetworkType of Basic. Can't add a new 
NIC to a VM on a Basic Network");
         }
 
+        // Perform account permission check on network
+        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+
         //ensure network belongs in zone
         if (network.getDataCenterId() != vmInstance.getDataCenterId()) {
             throw new CloudRuntimeException(vmInstance + " is in zone:" + 
vmInstance.getDataCenterId() + " but " + network + " is in zone:" + 
network.getDataCenterId());
@@ -1046,7 +1060,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         }
 
         // Perform permission check on VM
-        _accountMgr.checkAccess(caller, null, vmInstance);
+        _accountMgr.checkAccess(caller, null, true, vmInstance);
 
         // Verify that zone is not Basic
         DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
@@ -1060,7 +1074,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         }
 
         // Perform account permission check on network
-        _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
+        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
 
         boolean nicremoved = false;
 
@@ -1102,7 +1116,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         }
 
         // Perform permission check on VM
-        _accountMgr.checkAccess(caller, null, vmInstance);
+        _accountMgr.checkAccess(caller, null, true, vmInstance);
 
         // Verify that zone is not Basic
         DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
@@ -1284,7 +1298,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw new InvalidParameterValueException("This operation not 
permitted for this hypervisor of the vm");
         }
 
-        _accountMgr.checkAccess(caller, null, vmInstance);
+        _accountMgr.checkAccess(caller, null, true, vmInstance);
 
         //Check if its a scale "up"
         ServiceOfferingVO newServiceOffering = 
_offeringDao.findById(newServiceOfferingId);
@@ -1493,7 +1507,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, vm);
+        _accountMgr.checkAccess(caller, null, true, vm);
 
         if (vm.getRemoved() != null) {
             if (s_logger.isDebugEnabled()) {
@@ -1836,7 +1850,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find virtual 
machine with id " + id);
         }
 
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), 
null, vmInstance);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), 
null, true, vmInstance);
 
         //If the flag is specified and is changed
         if (isDisplayVm != null && isDisplayVm != vmInstance.isDisplayVm()) {
@@ -2051,7 +2065,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a virtual 
machine with id " + vmId);
         }
 
-        _accountMgr.checkAccess(caller, null, vmInstance);
+        _accountMgr.checkAccess(caller, null, true, vmInstance);
 
         // If the VM is Volatile in nature, on reboot discard the VM's root 
disk and create a new root disk for it: by calling restoreVM
         long serviceOfferingId = vmInstance.getServiceOfferingId();
@@ -2149,7 +2163,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a vm 
group with id " + groupId);
         }
 
-        _accountMgr.checkAccess(caller, null, group);
+        _accountMgr.checkAccess(caller, null, true, group);
 
         return deleteVmGroup(groupId);
     }
@@ -2283,7 +2297,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         List<NetworkVO> networkList = new ArrayList<NetworkVO>();
 
         // Verify that caller can perform actions in behalf of vm owner
-        _accountMgr.checkAccess(caller, null, owner);
+        _accountMgr.checkAccess(caller, null, true, owner);
 
         // Get default guest network in Basic zone
         Network defaultNetwork = 
_networkModel.getExclusiveGuestNetwork(zone.getId());
@@ -2338,7 +2352,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         boolean isVmWare = (template.getHypervisorType() == 
HypervisorType.VMware || (hypervisor != null && hypervisor == 
HypervisorType.VMware));
 
         // Verify that caller can perform actions in behalf of vm owner
-        _accountMgr.checkAccess(caller, null, owner);
+        _accountMgr.checkAccess(caller, null, true, owner);
 
         // If no network is specified, find system security group enabled 
network
         if (networkIdList == null || networkIdList.isEmpty()) {
@@ -2396,7 +2410,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
 
                 // Perform account permission check
                 if (network.getAclType() == ACLType.Account) {
-                    _accountMgr.checkAccess(owner, AccessType.UseEntry, 
network);
+                    _accountMgr.checkAccess(caller, AccessType.UseEntry, 
false, network);
                 }
                 networkList.add(network);
             }
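Review bot: The account-ACL network check in this hunk now evaluates `caller` instead of `owner`, so when the two differ, the owner's own right to use the network is no longer tested on this path. If `checkAccess` lets an admin caller through (the affinity-group comment later in this file suggests it does for root admin), a VM could be deployed for `owner` on an account-scoped network that `owner` cannot use. A later hunk in this file still passes `owner` to `_networkModel.checkNetworkPermissions(owner, network)`; I would keep an owner check here as well, for example by adding `_networkModel.checkNetworkPermissions(owner, network);` after the `checkAccess` call. The enclosing loop and method are outside the hunk.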
@@ -2442,7 +2456,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         List<NetworkVO> networkList = new ArrayList<NetworkVO>();
 
         // Verify that caller can perform actions in behalf of vm owner
-        _accountMgr.checkAccess(caller, null, owner);
+        _accountMgr.checkAccess(caller, null, true, owner);
 
         List<HypervisorType> vpcSupportedHTypes = 
_vpcMgr.getSupportedVpcHypervisors();
         if (networkIdList == null || networkIdList.isEmpty()) {
@@ -2507,7 +2521,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
                     }
                 }
 
-                _networkModel.checkNetworkPermissions(owner, network, 
AccessType.UseEntry);
+                _networkModel.checkNetworkPermissions(owner, network);
 
                 // don't allow to use system networks
                 NetworkOffering networkOffering = 
_entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
@@ -2536,7 +2550,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             List<Long> affinityGroupIdList, Map<String, String> 
customParameters, String customId) throws InsufficientCapacityException, 
ResourceUnavailableException,
             ConcurrentOperationException, StorageUnavailableException, 
ResourceAllocationException {
 
-        _accountMgr.checkAccess(caller, null, owner);
+        _accountMgr.checkAccess(caller, null, true, owner);
 
         if (owner.getState() == Account.State.disabled) {
             throw new PermissionDeniedException("The owner of vm to deploy is 
disabled: " + owner);
@@ -2612,7 +2626,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
                     throw new InvalidParameterValueException("Unable to find 
security group by id " + securityGroupId);
                 } else {
                     // verify permissions
-                    _accountMgr.checkAccess(owner, AccessType.UseEntry, sg);
+                    _accountMgr.checkAccess(caller, null, true, owner, sg);
                 }
             }
         }
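Review bot: The security-group check becomes `_accountMgr.checkAccess(caller, null, true, owner, sg)`, but unlike the affinity-group hunk that follows, nothing here confirms that `sg` belongs to `owner` when the caller is the system account or a root admin. The affinity-group code adds that explicit test because, per its own comment, root admin has access by default; the same reasoning appears to apply to security groups. Assuming `sg` exposes `getAccountId()` as `ag` does, I would mirror it under the same root-admin condition: `if (sg.getAccountId() != owner.getAccountId()) { throw new PermissionDeniedException("Security Group " + sg + " does not belong to the VM's account"); }`.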
@@ -2628,7 +2642,27 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
                             + " , Please try again after removing the affinity 
group");
                 } else {
                     // verify permissions
-                    _accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
+                    if (ag.getAclType() == ACLType.Domain) {
+                        _accountMgr.checkAccess(caller, null, false, owner, 
ag);
+                        // Root admin has access to both VM and AG by default,
+                        // but
+                        // make sure the owner of these entities is same
+                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || 
_accountMgr.isRootAdmin(caller.getId())) {
+                            if 
(!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), 
owner.getDomainId())) {
+                                throw new PermissionDeniedException("Affinity 
Group " + ag + " does not belong to the VM's domain");
+                            }
+                        }
+                    } else {
+                        _accountMgr.checkAccess(caller, null, true, owner, ag);
+                        // Root admin has access to both VM and AG by default,
+                        // but
+                        // make sure the owner of these entities is same
+                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || 
_accountMgr.isRootAdmin(caller.getId())) {
+                            if (ag.getAccountId() != owner.getAccountId()) {
+                                throw new PermissionDeniedException("Affinity 
Group " + ag + " does not belong to the VM's account");
+                            }
+                        }
+                    }
                 }
             }
         }
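Review bot: The root-admin condition `caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())` and its three-line comment are duplicated in both branches of the new `if (ag.getAclType() == ACLType.Domain)`. Computing it once before the branch, `boolean callerIsRootAdmin = caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId());`, leaves only the two differing ownership tests inside. The comment is also broken mid-sentence (`// but` on its own line) and should be rejoined. A short comment explaining why the Domain branch passes `false` as the third `checkAccess` argument while the account branch passes `true` would help, since the parameter's meaning is not visible at the call site.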
@@ -2654,7 +2688,10 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         }
 
         // Check templates permissions
-        _accountMgr.checkAccess(owner, AccessType.UseEntry, template);
+        if (!template.isPublicTemplate()) {
+            Account templateOwner = 
_accountMgr.getAccount(template.getAccountId());
+            _accountMgr.checkAccess(owner, null, true, templateOwner);
+        }
 
         // check if the user data is correct
         validateUserData(userData, httpmethod);
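Review bot: The template check no longer looks at the template entity itself: for a non-public template it now asks whether `owner` has access to the template owner's account. If templates can be made available to specific other accounts (not visible in this diff), those deployments would now be denied, so the intent deserves a comment above the `if`, e.g. `// private templates are usable only by accounts that can act on the template owner's account`. `_accountMgr.getAccount(template.getAccountId())` is also passed on without a null check; if it can return null for a removed account, the failure should be an explicit `InvalidParameterValueException` rather than whatever `checkAccess` does with a null entity.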
@@ -2683,8 +2720,13 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
                 throw new InvalidParameterValueException("Network id=" + 
network.getId() + " doesn't belong to zone " + zone.getId());
             }
 
-            // Perform account permission check on network
-            _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
+            //relax the check if the caller is admin account
+            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+            if (!(network.getGuestType() == Network.GuestType.Shared && 
network.getAclType() == ACLType.Domain)
+                    && !(network.getAclType() == ACLType.Account && 
network.getAccountId() == accountId)) {
+                throw new InvalidParameterValueException("only shared network 
or isolated network with the same account_id can be added to vm");
+            }
+            }
 
             IpAddresses requestedIpPair = null;
             if (requestedIps != null && !requestedIps.isEmpty()) {
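Review bot: This hunk removes `_accountMgr.checkAccess(owner, AccessType.UseEntry, network)` and puts nothing equivalent in its place. When the caller's type is `ACCOUNT_TYPE_ADMIN`, no network permission check remains in the visible code, and for other callers any network that is `Shared` with `ACLType.Domain` passes without its domain being compared to anything. The add-NIC hunk earlier in this file uses the same inline test but still calls `_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);` afterwards; unless a check exists outside this hunk, the same call (or one against `owner`) should follow here. The denial is an authorization decision, so `PermissionDeniedException` fits better than `InvalidParameterValueException`. The surrounding loop continues outside the hunk.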
@@ -3307,7 +3349,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a virtual 
machine with id " + vmId);
         }
 
-        _accountMgr.checkAccess(callerAccount, null, vm);
+        _accountMgr.checkAccess(callerAccount, null, true, vm);
 
         Account owner = _accountDao.findById(vm.getAccountId());
 
@@ -3614,7 +3656,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller, null, vm);
+        _accountMgr.checkAccess(caller, null, true, vm);
 
         boolean status;
 
@@ -4195,8 +4237,8 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         }
 
         //check caller has access to both the old and new account
-        _accountMgr.checkAccess(caller, null, oldAccount);
-        _accountMgr.checkAccess(caller, null, newAccount);
+        _accountMgr.checkAccess(caller, null, true, oldAccount);
+        _accountMgr.checkAccess(caller, null, true, newAccount);
 
         // make sure the accounts are not same
         if (oldAccount.getAccountId() == newAccount.getAccountId()) {
@@ -4249,7 +4291,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         VirtualMachineTemplate template = 
_templateDao.findById(vm.getTemplateId());
         if (!template.isPublicTemplate()) {
             Account templateOwner = 
_accountMgr.getAccount(template.getAccountId());
-            _accountMgr.checkAccess(newAccount, null, templateOwner);
+            _accountMgr.checkAccess(newAccount, null, true, templateOwner);
         }
 
         // VV 5: check the new account can create vm in the domain
@@ -4399,7 +4441,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
                             throw ex;
                         }
 
-                        _networkModel.checkNetworkPermissions(newAccount, 
network, AccessType.UseEntry);
+                        _networkModel.checkNetworkPermissions(newAccount, 
network);
 
                         // don't allow to use system networks
                         NetworkOffering networkOffering = 
_entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
@@ -4506,7 +4548,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller, null, vm);
+        _accountMgr.checkAccess(caller, null, true, vm);
 
         return restoreVMInternal(caller, vm, newTemplateId);
     }
@@ -4556,7 +4598,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         //newTemplateId can be either template or ISO id. In the following 
snippet based on the vm deployment (from template or ISO) it is handled 
accordingly
         if (newTemplateId != null) {
             template = _templateDao.findById(newTemplateId);
-            _accountMgr.checkAccess(caller, null, template);
+            _accountMgr.checkAccess(caller, null, true, template);
             if (isISO) {
                 if (!template.getFormat().equals(ImageFormat.ISO)) {
                     throw new InvalidParameterValueException("Invalid ISO id 
provided to restore the VM ");
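Review bot: `template` comes straight from `_templateDao.findById(newTemplateId)` and is handed to `checkAccess` and then dereferenced by `template.getFormat()` with no null check in the visible lines. Unless `newTemplateId` is validated before this point (outside the hunk), an unknown id ends in a NullPointerException instead of a clean rejection; a guard such as `if (template == null) { throw new InvalidParameterValueException("Cannot find template with id " + newTemplateId); }` before the access check would fix that. The deploy path in this commit skips the owner check for public templates (`if (!template.isPublicTemplate())`), while this call applies `checkAccess(caller, null, true, template)` unconditionally, so it is worth confirming that restoring to a public template still works.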
@@ -4737,7 +4779,6 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
 
                 // root.getPoolId() should be null if the VM we are detaching 
the disk from has never been started before
                 DataStore dataStore = root.getPoolId() != null ? 
_dataStoreMgr.getDataStore(root.getPoolId(), DataStoreRole.Primary) : null;
-
                 
volumeMgr.disconnectVolumeFromHost(volFactory.getVolume(root.getId()), host, 
dataStore);
             }
         }
@@ -4785,7 +4826,7 @@ public class UserVmManagerImpl extends ManagerBase 
implements UserVmManager, Vir
         }
 
         //check permissions
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), 
null, vm);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), 
null, true, vm);
         return vm.getUserData();
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java 
b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
index 8dc2c18..f5957ff 100644
--- a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
+++ b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
@@ -169,9 +169,7 @@ public class VMSnapshotManagerImpl extends ManagerBase 
implements VMSnapshotMana
     @Override
     public List<VMSnapshotVO> listVMSnapshots(ListVMSnapshotCmd cmd) {
         Account caller = getCaller();
-        List<Long> permittedDomains = new ArrayList<Long>();
         List<Long> permittedAccounts = new ArrayList<Long>();
-        List<Long> permittedResources = new ArrayList<Long>();
 
         boolean listAll = cmd.listAll();
         Long id = cmd.getId();
@@ -184,14 +182,15 @@ public class VMSnapshotManagerImpl extends ManagerBase 
implements VMSnapshotMana
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> 
domainIdRecursiveListProject = new Ternary<Long, Boolean, 
ListProjectResourcesCriteria>(
                 cmd.getDomainId(), cmd.isRecursive(), null);
-        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), 
cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
-                domainIdRecursiveListProject, listAll, false, 
"listVMSnapshot");
+        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), 
cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, listAll,
+                false);
+        Long domainId = domainIdRecursiveListProject.first();
         Boolean isRecursive = domainIdRecursiveListProject.second();
         ListProjectResourcesCriteria listProjectResourcesCriteria = 
domainIdRecursiveListProject.third();
 
         Filter searchFilter = new Filter(VMSnapshotVO.class, "created", false, 
cmd.getStartIndex(), cmd.getPageSizeVal());
         SearchBuilder<VMSnapshotVO> sb = _vmSnapshotDao.createSearchBuilder();
-        _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, 
permittedAccounts, permittedResources, listProjectResourcesCriteria);
+        _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, 
permittedAccounts, listProjectResourcesCriteria);
 
         sb.and("vm_id", sb.entity().getVmId(), SearchCriteria.Op.EQ);
         sb.and("domain_id", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
@@ -203,7 +202,7 @@ public class VMSnapshotManagerImpl extends ManagerBase 
implements VMSnapshotMana
         sb.done();
 
         SearchCriteria<VMSnapshotVO> sc = sb.create();
-        _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, 
permittedAccounts, permittedResources, listProjectResourcesCriteria);
+        _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, 
permittedAccounts, listProjectResourcesCriteria);
 
         if (accountName != null && cmd.getDomainId() != null) {
             Account account = _accountMgr.getActiveAccountByName(accountName, 
cmd.getDomainId());
@@ -214,8 +213,8 @@ public class VMSnapshotManagerImpl extends ManagerBase 
implements VMSnapshotMana
             sc.setParameters("vm_id", vmId);
         }
 
-        if (cmd.getDomainId() != null) {
-            sc.setParameters("domain_id", cmd.getDomainId());
+        if (domainId != null) {
+            sc.setParameters("domain_id", domainId);
         }
 
         if (state == null) {
@@ -297,7 +296,7 @@ public class VMSnapshotManagerImpl extends ManagerBase 
implements VMSnapshotMana
         }
 
         // check access
-        //_accountMgr.checkAccess(caller, null, userVmVo);
+        _accountMgr.checkAccess(caller, null, true, userVmVo);
 
         // check max snapshot limit for per VM
         if (_vmSnapshotDao.findByVm(vmId).size() >= _vmSnapshotMax) {
@@ -448,7 +447,7 @@ public class VMSnapshotManagerImpl extends ManagerBase 
implements VMSnapshotMana
             throw new InvalidParameterValueException("unable to find the vm 
snapshot with id " + vmSnapshotId);
         }
 
-        _accountMgr.checkAccess(caller, null, vmSnapshot);
+        _accountMgr.checkAccess(caller, null, true, vmSnapshot);
 
         // check VM snapshot states, only allow to delete vm snapshots in 
created and error state
         if (VMSnapshot.State.Ready != vmSnapshot.getState() && 
VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error 
!= vmSnapshot.getState()) {
@@ -513,7 +512,7 @@ public class VMSnapshotManagerImpl extends ManagerBase 
implements VMSnapshotMana
             throw new InvalidParameterValueException("unable to find the vm 
snapshot with id " + vmSnapshotId);
         }
 
-        _accountMgr.checkAccess(caller, null, vmSnapshot);
+        _accountMgr.checkAccess(caller, null, true, vmSnapshot);
 
         // check VM snapshot states, only allow to delete vm snapshots in 
created and error state
         if (VMSnapshot.State.Ready != vmSnapshot.getState() && 
VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error 
!= vmSnapshot.getState()) {
@@ -564,7 +563,7 @@ public class VMSnapshotManagerImpl extends ManagerBase 
implements VMSnapshotMana
         }
 
         Account caller = getCaller();
-        _accountMgr.checkAccess(caller, null, vmSnapshotVo);
+        _accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
 
         // VM should be in running or stopped states
         if (userVm.getState() != VirtualMachine.State.Running
@@ -646,7 +645,7 @@ public class VMSnapshotManagerImpl extends ManagerBase 
implements VMSnapshotMana
         }
 
         Account caller = getCaller();
-        _accountMgr.checkAccess(caller, null, vmSnapshotVo);
+        _accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
 
         // VM should be in running or stopped states
         if (userVm.getState() != VirtualMachine.State.Running && 
userVm.getState() != VirtualMachine.State.Stopped) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
----------------------------------------------------------------------
diff --git 
a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java 
b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
index ef63692..8e606ca 100644
--- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@@ -262,7 +262,7 @@ public class AffinityGroupServiceImpl extends ManagerBase 
implements AffinityGro
             affinityGroupId = group.getId();
         }
         // check permissions
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, group);
 
         final Long affinityGroupIdFinal = affinityGroupId;
         Transaction.execute(new TransactionCallbackNoReturn() {
@@ -353,7 +353,7 @@ public class AffinityGroupServiceImpl extends ManagerBase 
implements AffinityGro
             if (userVM == null) {
                 throw new InvalidParameterValueException("Unable to list 
affinity groups for virtual machine instance " + vmId + "; instance not 
found.");
             }
-            _accountMgr.checkAccess(caller, null, userVM);
+            _accountMgr.checkAccess(caller, null, true, userVM);
             // add join to affinity_groups_vm_map
             groupSearch.join("vmInstanceSearch", vmInstanceSearch, 
groupSearch.entity().getId(), vmInstanceSearch.entity().getAffinityGroupId(),
                 JoinBuilder.JoinType.INNER);
@@ -477,7 +477,14 @@ public class AffinityGroupServiceImpl extends ManagerBase 
implements AffinityGro
                 throw new InvalidParameterValueException("Unable to find 
affinity group by id " + affinityGroupId);
             } else {
                 // verify permissions
-                _accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
+                _accountMgr.checkAccess(caller, null, true, owner, ag);
+                // Root admin has access to both VM and AG by default, but 
make sure the
+                // owner of these entities is same
+                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || 
_accountMgr.isRootAdmin(caller.getId())) {
+                    if (ag.getAccountId() != owner.getAccountId()) {
+                        throw new PermissionDeniedException("Affinity Group " 
+ ag + " does not belong to the VM's account");
+                    }
+                }
             }
         }
         _affinityGroupVMMapDao.updateMap(vmId, affinityGroupIds);
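Review bot: This path always calls `_accountMgr.checkAccess(caller, null, true, owner, ag)` and compares `ag.getAccountId()` with `owner.getAccountId()`, whereas the deploy path in UserVmManagerImpl (same commit) first branches on `ag.getAclType() == ACLType.Domain` and uses `isAffinityGroupAvailableInDomain` for domain-level groups. If domain-level affinity groups can be assigned here too, they would be rejected as belonging to a different account. Either add the same branch, or add a comment stating that only account-level groups are accepted on update. The method begins outside the hunk.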

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
----------------------------------------------------------------------
diff --git 
a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
 
b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
index ad1a2c4..6854347 100644
--- 
a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
+++ 
b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
@@ -115,7 +115,7 @@ public class ApplicationLoadBalancerManagerImpl extends 
ManagerBase implements A
         }
 
         Account caller = CallContext.current().getCallingAccount();
-        _accountMgr.checkAccess(caller, AccessType.UseEntry, guestNtwk);
+        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, guestNtwk);
 
         Network sourceIpNtwk = _networkModel.getNetwork(sourceIpNetworkId);
         if (sourceIpNtwk == null) {
@@ -389,20 +389,19 @@ public class ApplicationLoadBalancerManagerImpl extends 
ManagerBase implements A
         Map<String, String> tags = cmd.getTags();
 
         Account caller = CallContext.current().getCallingAccount();
-        List<Long> permittedDomains = new ArrayList<Long>();
         List<Long> permittedAccounts = new ArrayList<Long>();
-        List<Long> permittedResources = new ArrayList<Long>();
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> 
domainIdRecursiveListProject = new Ternary<Long, Boolean, 
ListProjectResourcesCriteria>(
                 cmd.getDomainId(), cmd.isRecursive(), null);
-        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), 
cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
-                domainIdRecursiveListProject, cmd.listAll(), false, 
"listLoadBalancers");
+        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), 
cmd.getProjectId(), permittedAccounts,
+                domainIdRecursiveListProject, cmd.listAll(), false);
+        Long domainId = domainIdRecursiveListProject.first();
         Boolean isRecursive = domainIdRecursiveListProject.second();
         ListProjectResourcesCriteria listProjectResourcesCriteria = 
domainIdRecursiveListProject.third();
 
         Filter searchFilter = new Filter(ApplicationLoadBalancerRuleVO.class, 
"id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
         SearchBuilder<ApplicationLoadBalancerRuleVO> sb = 
_lbDao.createSearchBuilder();
-        _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, 
permittedAccounts, permittedResources, listProjectResourcesCriteria);
+        _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, 
permittedAccounts, listProjectResourcesCriteria);
 
         sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
         sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
@@ -429,7 +428,7 @@ public class ApplicationLoadBalancerManagerImpl extends 
ManagerBase implements A
         }
 
         SearchCriteria<ApplicationLoadBalancerRuleVO> sc = sb.create();
-        _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, 
permittedAccounts, permittedResources, listProjectResourcesCriteria);
+        _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, 
permittedAccounts, listProjectResourcesCriteria);
 
         if (keyword != null) {
             SearchCriteria<ApplicationLoadBalancerRuleVO> ssc = 
_lbDao.createSearchCriteria();
@@ -547,7 +546,7 @@ public class ApplicationLoadBalancerManagerImpl extends 
ManagerBase implements A
         if (rule == null) {
             throw new InvalidParameterValueException("Unable to find load 
balancer " + id);
         }
-        _accountMgr.checkAccess(caller, null, rule);
+        _accountMgr.checkAccess(caller, null, true, rule);
 
         if (customId != null) {
             rule.setUuid(customId);
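Review bot: The bare `true` in `_accountMgr.checkAccess(caller, null, true, rule)` does not say what it controls, and on an authorization call that makes review harder. The stub signature added to MockAccountManagerImpl in this commit names the parameter `sameOwner`, so an inline marker such as `checkAccess(caller, null, /* sameOwner */ true, rule)` would make the intent visible. The same applies to the `checkAccess` hunks in CertServiceImpl and GlobalLoadBalancingRulesServiceImpl. The enclosing method starts and ends outside the hunk.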

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
index 67f2c02..ba71d63 100644
--- a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
+++ b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
@@ -147,7 +147,7 @@ public class CertServiceImpl implements CertService {
         if (certVO == null) {
             throw new InvalidParameterValueException("Invalid certificate id: 
" + certId);
         }
-        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, certVO);
+        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, true, certVO);
 
         List<LoadBalancerCertMapVO> lbCertRule = 
_lbCertDao.listByCertId(certId);
 
@@ -191,7 +191,7 @@ public class CertServiceImpl implements CertService {
                 throw new InvalidParameterValueException("Invalid certificate 
id: " + certId);
             }
 
-            _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.UseEntry, certVO);
+            _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.UseEntry, true, certVO);
 
             certLbMap = _lbCertDao.listByCertId(certId);
 
@@ -206,7 +206,7 @@ public class CertServiceImpl implements CertService {
                 throw new InvalidParameterValueException("found no 
loadbalancer  wth id: " + lbRuleId);
             }
 
-            _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.UseEntry, lb);
+            _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.UseEntry, true, lb);
 
             // get the cert id
             LoadBalancerCertMapVO lbCertMapRule;
@@ -229,7 +229,7 @@ public class CertServiceImpl implements CertService {
         List<SslCertVO> certVOList = _sslCertDao.listByAccountId(accountId);
         if (certVOList == null || certVOList.isEmpty())
             return certResponseList;
-        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, 
certVOList.get(0));
+        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, 
true, certVOList.get(0));
 
         for (SslCertVO cert : certVOList) {
             certLbMap = _lbCertDao.listByCertId(cert.getId());
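Review bot: Only `certVOList.get(0)` is passed to `checkAccess`, although the loop below it processes every certificate returned by `listByAccountId`. That is enough only while the decision depends solely on the owning account; if the checker can grant or revoke per entity (not visible here), the remaining certificates are never evaluated. The new overload takes `ControlledEntity...`, so the whole list could be passed, for example `_accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVOList.toArray(new SslCertVO[0]));`, or the check could move inside the loop. The method continues outside the hunk.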

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
----------------------------------------------------------------------
diff --git 
a/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
 
b/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
index 516b3ab..c84fea2 100644
--- 
a/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
+++ 
b/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
@@ -183,7 +183,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements 
GlobalLoadBalancingR
             throw new InvalidParameterValueException("Invalid global load 
balancer rule id: " + gslbRuleId);
         }
 
-        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, gslbRule);
+        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, true, gslbRule);
 
         if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) {
             throw new InvalidParameterValueException("global load balancer 
rule id: " + gslbRule.getUuid() + " is in revoked state");
@@ -224,7 +224,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements 
GlobalLoadBalancingR
                 throw new InvalidParameterValueException("Specified load 
balancer rule ID does not exist.");
             }
 
-            _accountMgr.checkAccess(caller, null, loadBalancer);
+            _accountMgr.checkAccess(caller, null, true, loadBalancer);
 
             if (gslbRule.getAccountId() != loadBalancer.getAccountId()) {
                 throw new InvalidParameterValueException("GSLB rule and load 
balancer rule does not belong to same account");
@@ -319,7 +319,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements 
GlobalLoadBalancingR
             throw new InvalidParameterValueException("Invalid global load 
balancer rule id: " + gslbRuleId);
         }
 
-        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, gslbRule);
+        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, true, gslbRule);
 
         if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) {
             throw new InvalidParameterValueException("global load balancer 
rule id: " + gslbRuleId + " is already in revoked state");
@@ -346,7 +346,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements 
GlobalLoadBalancingR
                 throw new InvalidParameterValueException("Specified load 
balancer rule ID does not exist.");
             }
 
-            _accountMgr.checkAccess(caller, null, loadBalancer);
+            _accountMgr.checkAccess(caller, null, true, loadBalancer);
         }
 
         for (GlobalLoadBalancerLbRuleMapVO gslbLbMapVo : gslbLbMapVos) {
@@ -445,7 +445,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements 
GlobalLoadBalancingR
             throw new InvalidParameterValueException("Invalid global load 
balancer rule id: " + gslbRuleId);
         }
 
-        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, gslbRule);
+        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, true, gslbRule);
 
         if (gslbRule.getState() == 
com.cloud.region.ha.GlobalLoadBalancerRule.State.Staged) {
             if (s_logger.isDebugEnabled()) {
@@ -523,7 +523,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements 
GlobalLoadBalancingR
         CallContext ctx = CallContext.current();
         Account caller = ctx.getCallingAccount();
 
-        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, gslbRule);
+        _accountMgr.checkAccess(caller, 
SecurityChecker.AccessType.OperateEntry, true, gslbRule);
 
         if (algorithm != null && 
!GlobalLoadBalancerRule.Algorithm.isValidAlgorithm(algorithm)) {
             throw new InvalidParameterValueException("Invalid Algorithm: " + 
algorithm);
@@ -583,7 +583,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements 
GlobalLoadBalancingR
             if (gslbRule == null) {
                 throw new InvalidParameterValueException("Invalid gslb rule id 
specified");
             }
-            _accountMgr.checkAccess(caller, 
org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, gslbRule);
+            _accountMgr.checkAccess(caller, 
org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, false, gslbRule);
 
             response.add(gslbRule);
             return response;
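Review bot: This is the only `checkAccess` call in the visible hunks that passes `false` for the new flag, and the hunk does not say why the lookup-by-id path differs from the others. If the difference is deliberate, a comment on the call would record it, for example `// sameOwner = false: <reason this path does not require a same-owner check>`. If it is a leftover, it should be `true` like its siblings. The enclosing method starts outside the hunk.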

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/test/com/cloud/event/EventControlsUnitTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/event/EventControlsUnitTest.java 
b/server/test/com/cloud/event/EventControlsUnitTest.java
index 0dc5742..91dc921 100644
--- a/server/test/com/cloud/event/EventControlsUnitTest.java
+++ b/server/test/com/cloud/event/EventControlsUnitTest.java
@@ -60,7 +60,7 @@ public class EventControlsUnitTest extends TestCase {
         MockitoAnnotations.initMocks(this);
         _mgmtServer._eventDao = _eventDao;
         _mgmtServer._accountMgr = _accountMgr;
-        doNothing().when(_accountMgr).checkAccess(any(Account.class), 
any(AccessType.class), any(ControlledEntity.class));
+        doNothing().when(_accountMgr).checkAccess(any(Account.class), 
any(AccessType.class), any(Boolean.class), any(ControlledEntity.class));
         when(_eventDao.listToArchiveOrDeleteEvents(anyList(), anyString(), 
any(Date.class), any(Date.class), anyList())).thenReturn(_events);
     }
 
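Review bot: The stub matches the new primitive `boolean sameOwner` argument with `any(Boolean.class)`, which relies on the generic matcher's return value being auto-unboxed. `anyBoolean()` is the matcher intended for primitive parameters: `checkAccess(any(Account.class), any(AccessType.class), anyBoolean(), any(ControlledEntity.class))`, with the matching static import. The same pattern appears in VMSnapshotManagerTest and in the `doThrow` stub of UserVmManagerTest.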

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/test/com/cloud/network/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/network/MockNetworkModelImpl.java 
b/server/test/com/cloud/network/MockNetworkModelImpl.java
index 33387fa..6c9e597 100644
--- a/server/test/com/cloud/network/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/network/MockNetworkModelImpl.java
@@ -25,8 +25,6 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.naming.ConfigurationException;
 
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -880,10 +878,4 @@ public class MockNetworkModelImpl extends ManagerBase 
implements NetworkModel {
     public boolean getNetworkEgressDefaultPolicy(Long networkId) {
         return false;  //To change body of implemented methods use File | 
Settings | File Templates.
     }
-
-    @Override
-    public void checkNetworkPermissions(Account owner, Network network, 
AccessType accessType) {
-        // TODO Auto-generated method stub
-
-    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/test/com/cloud/user/MockAccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java 
b/server/test/com/cloud/user/MockAccountManagerImpl.java
index a2b8a85..cc8fbac 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -32,6 +32,7 @@ import 
org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
 import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
 import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 
+import com.cloud.api.query.vo.ControlledViewEntity;
 import com.cloud.domain.Domain;
 import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.PermissionDeniedException;
@@ -218,6 +219,10 @@ public class MockAccountManagerImpl extends ManagerBase 
implements Manager, Acco
         return null;
     }
 
+    @Override
+    public void checkAccess(Account account, AccessType accessType, boolean 
sameOwner, ControlledEntity... entities) throws PermissionDeniedException {
+        // TODO Auto-generated method stub
+    }
 
 
     @Override
@@ -252,6 +257,50 @@ public class MockAccountManagerImpl extends ManagerBase 
implements Manager, Acco
         return false;
     }
 
+    @Override
+    public void buildACLSearchBuilder(SearchBuilder<? extends 
ControlledEntity> sb, Long domainId, boolean isRecursive, List<Long> 
permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
+        // TODO Auto-generated method stub
+
+    }
+
+    @Override
+    public void buildACLSearchCriteria(SearchCriteria<? extends 
ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> 
permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria) {
+        // TODO Auto-generated method stub
+
+    }
+
+    @Override
+    public void buildACLSearchParameters(Account caller, Long id, String 
accountName, Long projectId, List<Long> permittedAccounts, Ternary<Long, 
Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean 
listAll, boolean forProjectInvitation) {
+        // TODO Auto-generated method stub
+    }
+
+    @Override
+    public void buildACLViewSearchBuilder(SearchBuilder<? extends 
ControlledViewEntity> sb, Long domainId,
+            boolean isRecursive, List<Long> permittedAccounts, 
ListProjectResourcesCriteria listProjectResourcesCriteria) {
+        // TODO Auto-generated method stub
+    }
+
+    @Override
+    public void buildACLViewSearchBuilder(SearchBuilder<? extends 
ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> 
permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria, 
List<Long> grantedIds, List<Long> revokedIds) {
+        // TODO Auto-generated method stub
+
+    }
+
+    @Override
+    public void buildACLViewSearchCriteria(SearchCriteria<? extends 
ControlledViewEntity> sc, Long domainId,
+            boolean isRecursive, List<Long> permittedAccounts, 
ListProjectResourcesCriteria listProjectResourcesCriteria) {
+        // TODO Auto-generated method stub
+    }
+
+    @Override
+    public void buildACLViewSearchCriteria(SearchCriteria<? extends 
ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> 
permittedAccounts,
+            ListProjectResourcesCriteria listProjectResourcesCriteria, 
List<Long> grantedIds, List<Long> revokedIds) {
+        // TODO Auto-generated method stub
+
+    }
 
     /* (non-Javadoc)
      * @see com.cloud.user.AccountService#getUserByApiKey(java.lang.String)
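Review bot: The seven-argument `buildACLViewSearchCriteria` stub is declared with `SearchCriteria<? extends ControlledEntity>`, while the five-argument overload and both `buildACLViewSearchBuilder` overloads use `ControlledViewEntity`. These are `@Override` stubs, so the bound presumably mirrors the interface and the mismatch likely originates there. If it is not intended, the parameter should read `SearchCriteria<? extends ControlledViewEntity> sc` in the interface and in this mock.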
@@ -320,19 +369,6 @@ public class MockAccountManagerImpl extends ManagerBase 
implements Manager, Acco
 
     }
 
-    @Override
-    public void buildACLSearchBuilder(SearchBuilder<? extends 
ControlledEntity> sb, boolean isRecursive, List<Long> permittedDomains, 
List<Long> permittedAccounts,
-            List<Long> permittedResources, ListProjectResourcesCriteria 
listProjectResourcesCriteria) {
-        // TODO Auto-generated method stub
-
-    }
-
-    @Override
-    public void buildACLSearchCriteria(SearchCriteria<? extends 
ControlledEntity> sc, boolean isRecursive, List<Long> permittedDomains, 
List<Long> permittedAccounts,
-            List<Long> permittedResources, ListProjectResourcesCriteria 
listProjectResourcesCriteria) {
-        // TODO Auto-generated method stub
-
-    }
 
     @Override
     public List<String> listAclGroupsByAccount(Long accountId) {
@@ -340,22 +376,17 @@ public class MockAccountManagerImpl extends ManagerBase 
implements Manager, Acco
         return null;
     }
 
-
     @Override
-    public Long finalyzeAccountId(String accountName, Long domainId, Long 
projectId, boolean enabledOnly) {
+    public void checkAccess(Account account, AccessType accessType, boolean 
sameOwner, String apiName,
+            ControlledEntity... entities) throws PermissionDeniedException {
         // TODO Auto-generated method stub
-        return null;
     }
 
     @Override
-    public void checkAccess(Account account, AccessType accessType, 
ControlledEntity... entities) throws PermissionDeniedException {
+    public Long finalyzeAccountId(String accountName, Long domainId, Long 
projectId, boolean enabledOnly) {
         // TODO Auto-generated method stub
+        return null;
     }
 
-    @Override
-    public void checkAccess(Account account, AccessType accessType, String 
apiName, ControlledEntity... entities) throws PermissionDeniedException {
-        // TODO Auto-generated method stub
-
-    }
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/test/com/cloud/vm/UserVmManagerTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vm/UserVmManagerTest.java 
b/server/test/com/cloud/vm/UserVmManagerTest.java
index 927d5e3..b67c164 100755
--- a/server/test/com/cloud/vm/UserVmManagerTest.java
+++ b/server/test/com/cloud/vm/UserVmManagerTest.java
@@ -283,7 +283,7 @@ public class UserVmManagerTest {
         doReturn(3L).when(_volumeMock).getTemplateId();
         doReturn(ImageFormat.VHD).when(_templateMock).getFormat();
         when(_templateDao.findById(anyLong())).thenReturn(_templateMock);
-        doNothing().when(_accountMgr).checkAccess(_account, null, 
_templateMock);
+        doNothing().when(_accountMgr).checkAccess(_account, null, true, 
_templateMock);
         when(_storageMgr.allocateDuplicateVolume(_volumeMock, 
14L)).thenReturn(_volumeMock);
         when(_templateMock.getGuestOSId()).thenReturn(5L);
         doNothing().when(_vmMock).setGuestOSId(anyLong());
@@ -327,7 +327,7 @@ public class UserVmManagerTest {
         doReturn(3L).when(_vmMock).getIsoId();
         doReturn(ImageFormat.ISO).when(_templateMock).getFormat();
         when(_templateDao.findById(anyLong())).thenReturn(_templateMock);
-        doNothing().when(_accountMgr).checkAccess(_account, null, 
_templateMock);
+        doNothing().when(_accountMgr).checkAccess(_account, null, true, 
_templateMock);
         when(_storageMgr.allocateDuplicateVolume(_volumeMock, 
null)).thenReturn(_volumeMock);
         doNothing().when(_vmMock).setIsoId(14L);
         when(_templateMock.getGuestOSId()).thenReturn(5L);
@@ -413,7 +413,7 @@ public class UserVmManagerTest {
 
         doReturn(VirtualMachine.State.Running).when(_vmInstance).getState();
 
-        doNothing().when(_accountMgr).checkAccess(_account, null, 
_templateMock);
+        doNothing().when(_accountMgr).checkAccess(_account, null, true, 
_templateMock);
 
         doNothing().when(_itMgr).checkIfCanUpgrade(_vmMock, _offeringVo);
 
@@ -606,7 +606,7 @@ public class UserVmManagerTest {
 
         when(_accountService.getActiveAccountByName(anyString(), 
anyLong())).thenReturn(newAccount);
 
-        doThrow(new PermissionDeniedException("Access check 
failed")).when(_accountMgr).checkAccess(any(Account.class), 
any(AccessType.class),
+        doThrow(new PermissionDeniedException("Access check 
failed")).when(_accountMgr).checkAccess(any(Account.class), 
any(AccessType.class), any(Boolean.class),
             any(ControlledEntity.class));
 
         CallContext.register(user, caller);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java 
b/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
index 03afdbd..9d5c2b4 100644
--- a/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
+++ b/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
@@ -125,7 +125,7 @@ public class VMSnapshotManagerTest {
         _vmSnapshotMgr._guestOSDao = _guestOSDao;
         _vmSnapshotMgr._hypervisorCapabilitiesDao = _hypervisorCapabilitiesDao;
 
-        doNothing().when(_accountMgr).checkAccess(any(Account.class), 
any(AccessType.class), any(ControlledEntity.class));
+        doNothing().when(_accountMgr).checkAccess(any(Account.class), 
any(AccessType.class), any(Boolean.class), any(ControlledEntity.class));
 
         _vmSnapshotMgr._vmSnapshotMax = _vmSnapshotMax;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/server/test/com/cloud/vpc/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/MockNetworkModelImpl.java 
b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
index c93584d..67ab8e8 100644
--- a/server/test/com/cloud/vpc/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
@@ -26,8 +26,6 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -895,10 +893,4 @@ public class MockNetworkModelImpl extends ManagerBase 
implements NetworkModel {
     public boolean getNetworkEgressDefaultPolicy(Long networkId) {
         return false;  //To change body of implemented methods use File | 
Settings | File Templates.
     }
-
-    @Override
-    public void checkNetworkPermissions(Account owner, Network network, 
AccessType accessType) {
-        // TODO Auto-generated method stub
-
-    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6ba541af/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git 
a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
 
b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index 7b3d967..bb471c0 100644
--- 
a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ 
b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -27,6 +27,7 @@ import org.apache.log4j.Logger;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.SecurityChecker;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.iam.api.IAMGroup;
 import org.apache.cloudstack.iam.api.IAMPolicy;
@@ -204,15 +205,13 @@ public class RoleBasedEntityAccessChecker extends 
DomainChecker implements Secur
                 boolean otherEntitiesAccess = true;
 
                 for (ControlledEntity otherEntity : entities) {
-                    if (otherEntity != entity) {
-                        if (otherEntity.getAccountId() == caller.getAccountId()
-                                || (checkAccess(caller, otherEntity, 
accessType, action) && otherEntity.getAccountId() == entity
-                                        .getAccountId())) {
-                            continue;
-                        } else {
-                            otherEntitiesAccess = false;
-                            break;
-                        }
+                    if (otherEntity.getAccountId() == caller.getAccountId()
+                            || (checkAccess(caller, otherEntity, accessType, 
action) && otherEntity.getAccountId() == entity
+                                    .getAccountId())) {
+                        continue;
+                    } else {
+                        otherEntitiesAccess = false;
+                        break;
                     }
                 }
 
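Review bot: With the `otherEntity != entity` guard removed, the loop now also visits `entity` itself. When the caller does not own it, `checkAccess(caller, otherEntity, accessType, action)` is evaluated again for the entity that the surrounding code is already deciding on. Whether that overload can route back into this method is not visible, because the enclosing method starts outside the hunk. If the re-check is intended, a comment such as `// entity is included on purpose: <reason>` would say so. The `if … continue; else { … break; }` shape could also be reduced to a single negated condition that sets `otherEntitiesAccess = false` and breaks.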
@@ -263,8 +262,6 @@ public class RoleBasedEntityAccessChecker extends 
DomainChecker implements Secur
                 if (_domainDao.isChildDomain(caller.getDomainId(), 
entity.getDomainId())) {
                     return true;
                 }
-            } else if (scope.equals(PermissionScope.ALL.name())) {
-                return true;
             }
         }
         return false;
