From prachida...@apache.org
Subject git commit: updated refs/heads/4.4 to a5b9814
Date Tue, 25 Mar 2014 00:10:53 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.4 0c2f808b7 -> a5b9814f7


Fixes to ensure Network entity checkAccess invokes the IAM service


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a5b9814f
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a5b9814f
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a5b9814f

Branch: refs/heads/4.4
Commit: a5b9814f7a94fd2d871b3148c2f0e53994427fd8
Parents: 0c2f808
Author: Prachi Damle <prachi@cloud.com>
Authored: Mon Mar 24 17:08:09 2014 -0700
Committer: Prachi Damle <prachi@cloud.com>
Committed: Mon Mar 24 17:09:43 2014 -0700

----------------------------------------------------------------------
 api/src/com/cloud/network/NetworkModel.java     |  4 +++
 .../src/com/cloud/network/dao/NetworkVO.java    |  2 +-
 .../contrail/management/ServiceManagerImpl.java |  5 ++--
 .../src/com/cloud/network/NetworkModelImpl.java | 26 +++++++++++++++++++-
 .../com/cloud/server/ManagementServerImpl.java  |  1 +
 server/src/com/cloud/vm/UserVmManagerImpl.java  | 19 +++-----------
 .../com/cloud/network/MockNetworkModelImpl.java |  8 ++++++
 .../com/cloud/vpc/MockNetworkModelImpl.java     |  8 ++++++
 .../cloudstack/iam/IAMApiServiceImpl.java       |  4 +--
 9 files changed, 56 insertions(+), 21 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a5b9814f/api/src/com/cloud/network/NetworkModel.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/NetworkModel.java b/api/src/com/cloud/network/NetworkModel.java
index f6555db..1e0a8e8 100644
--- a/api/src/com/cloud/network/NetworkModel.java
+++ b/api/src/com/cloud/network/NetworkModel.java
@@ -22,6 +22,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -273,4 +275,6 @@ public interface NetworkModel {
     boolean isNetworkReadyForGc(long networkId);
 
     boolean getNetworkEgressDefaultPolicy(Long networkId);
+
+    void checkNetworkPermissions(Account owner, Network network, AccessType accessType);
 }
\ No newline at end of file
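Review bot: The new `checkNetworkPermissions` declaration on the public `NetworkModel` interface has no Javadoc, so an implementor cannot tell what `owner` denotes (it is the account requesting access, which the server implementation in this commit compares against the network's own owner) or what is thrown on refusal. Suggest a short Javadoc stating that it verifies `owner` may use `network` with the given `accessType`, with `@throws PermissionDeniedException` when access is refused; the server implementation also throws `CloudRuntimeException` when `network` is null, which the contract should either document or forbid. A parameter name such as `caller` would avoid the owner/owner confusion, but renaming is optional since the implementations already use `owner`.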

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a5b9814f/engine/schema/src/com/cloud/network/dao/NetworkVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/network/dao/NetworkVO.java b/engine/schema/src/com/cloud/network/dao/NetworkVO.java
index f1d7e7e..6bb3902 100644
--- a/engine/schema/src/com/cloud/network/dao/NetworkVO.java
+++ b/engine/schema/src/com/cloud/network/dao/NetworkVO.java
@@ -513,7 +513,7 @@ public class NetworkVO implements Network {
     @Override
     public String toString() {
         StringBuilder buf = new StringBuilder("Ntwk[");
-        buf.append(id).append("|").append(trafficType).append("|").append(networkOfferingId).append("]");
+        buf.append(uuid).append("|").append(trafficType).append("|").append(networkOfferingId).append("]");
         return buf.toString();
     }
 
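Review bot: `toString()` now prints the uuid instead of the numeric id, which is a log-format change unrelated to the IAM fix named in the commit message; any log line that was correlated with the database primary key loses that handle. If the intent is to show the user-visible identifier, keeping both is cheap: `buf.append(id).append("|").append(uuid).append("|").append(trafficType).append("|").append(networkOfferingId).append("]");`. The change deserves a mention in the commit description either way.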

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a5b9814f/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
index f34eacc..acd9b4e 100644
--- a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
+++ b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
@@ -30,6 +30,7 @@ import javax.inject.Inject;
 import net.juniper.contrail.api.ApiConnector;
 import net.juniper.contrail.api.types.ServiceInstance;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.network.contrail.api.response.ServiceInstanceResponse;
 import org.apache.cloudstack.network.contrail.model.ServiceInstanceModel;
@@ -136,10 +137,10 @@ public class ServiceManagerImpl implements ServiceManager {
         // TODO: permission model.
         // service instances need to be able to access the public network.
         if (left.getTrafficType() == TrafficType.Guest) {
-            _networkModel.checkNetworkPermissions(owner, left);
+            _networkModel.checkNetworkPermissions(owner, left, AccessType.UseEntry);
         }
         if (right.getTrafficType() == TrafficType.Guest) {
-            _networkModel.checkNetworkPermissions(owner, right);
+            _networkModel.checkNetworkPermissions(owner, right, AccessType.UseEntry);
         }
 
         final ApiConnector api = _manager.getApiConnector();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a5b9814f/server/src/com/cloud/network/NetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index 7b4b2be..531cf94 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -35,6 +35,7 @@ import javax.naming.ConfigurationException;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
 
@@ -97,6 +98,7 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
 import com.cloud.projects.dao.ProjectAccountDao;
 import com.cloud.server.ConfigurationServer;
 import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
 import com.cloud.user.AccountVO;
 import com.cloud.user.DomainManager;
 import com.cloud.user.dao.AccountDao;
@@ -173,7 +175,8 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel
{
     FirewallRulesDao _firewallDao;
     @Inject
     DomainManager _domainMgr;
-
+    @Inject
+    AccountManager _accountMgr;
     @Inject
     NetworkOfferingServiceMapDao _ntwkOfferingSrvcDao;
     @Inject
@@ -1567,6 +1570,27 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel
{
     }
 
     @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType)
{
+        if (network == null) {
+            throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
+        }
+
+        AccountVO networkOwner = _accountDao.findById(network.getAccountId());
+        if (networkOwner == null) {
+            throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)
network).getUuid()
+                    + ", network does not have an owner");
+        }
+        if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType()
== Account.ACCOUNT_TYPE_PROJECT) {
+            if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId()))
{
+                throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)
network).getUuid()
+                        + ", permission denied");
+            }
+        } else {
+            _accountMgr.checkAccess(owner, accessType, true, network);
+        }
+    }
+
+    @Override
     public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType)
{
         try {
             PhysicalNetwork publicPhyNetwork = getOnePhysicalNetworkByZoneAndTrafficType(dcId,
TrafficType.Public);
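Review bot: `owner` is dereferenced at `owner.getType()` without a guard, while `network` gets an explicit null check a few lines above; a null owner surfaces as a NullPointerException instead of the descriptive error, so add `if (owner == null) { throw new CloudRuntimeException("cannot check permissions for (Account) <null>"); }` next to the existing check. The two `((NetworkVO) network).getUuid()` casts in the error paths turn into a ClassCastException for any other `Network` implementation; if the `Network` interface already exposes `getUuid()` the casts can simply be dropped, otherwise fall back to `network.getId()` in the message. When the network belongs to a project and the caller is not a project account, the method returns after `canAccessProjectAccount` alone and never reaches `_accountMgr.checkAccess`, so IAM policies are not consulted on that path — presumably intentional, but given the commit's stated goal a one-line comment saying so would help. The third argument to `checkAccess` is `true` here but `false` at the new `UserVmManagerImpl` call site with the same access type; naming what that flag means in a comment would make the difference look deliberate rather than accidental.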

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a5b9814f/server/src/com/cloud/server/ManagementServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index 7431891..5d2f1ae 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -2756,6 +2756,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(ListIpForwardingRulesCmd.class);
         cmdList.add(CreateNetworkACLCmd.class);
         cmdList.add(CreateNetworkCmd.class);
+        cmdList.add(CreateNetworkCmdByAdmin.class);
         cmdList.add(DeleteNetworkACLCmd.class);
         cmdList.add(DeleteNetworkCmd.class);
         cmdList.add(ListNetworkACLsCmd.class);

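Review bot: Registering `CreateNetworkCmdByAdmin` in the command list is not mentioned in the commit message, which only describes the IAM checkAccess fix, so a reader of the history cannot tell whether it is a dependency of the fix or an unrelated change. Worth a line in the description, and, since it exposes an additional API entry point, a confirmation that the command's own authorization metadata restricts it to admin callers — as far as this hunk shows, the list only registers the class and does not by itself restrict who may invoke it.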
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a5b9814f/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index a1dd6c9..62f4a53 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -972,12 +972,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
             throw new InvalidParameterValueException("unable to find a network with id "
+ networkId);
         }
 
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-        if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType()
== ACLType.Domain)
-                && !(network.getAclType() == ACLType.Account && network.getAccountId()
== vmInstance.getAccountId())) {
-            throw new InvalidParameterValueException("only shared network or isolated network
with the same account_id can be added to vmId: " + vmId);
-        }
-        }
 
         List<NicVO> allNics = _nicDao.listByVmId(vmInstance.getId());
         for (NicVO nic : allNics) {
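Review bot: This hunk deletes the ownership/ACL check that guarded attaching a network to a VM (shared domain-wide network, or account-scoped network owned by the VM's account) without adding a replacement, whereas the parallel deletion in the `@@ -2726,13 +2720,8 @@` hunk of this file substitutes `_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network)`. Unless a checkAccess call exists later in this method outside the hunk, any account that can look the network up can now attach it to its VM, which is an authorization gap between accounts rather than a refactor. Suggest the same replacement here: `_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);` where the removed block stood. If the check was removed because `caller` is no longer needed, that local should be deleted too. The enclosing method starts before and ends after the hunk.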
@@ -2527,7 +2521,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
                     }
                 }
 
-                _networkModel.checkNetworkPermissions(owner, network);
+                _networkModel.checkNetworkPermissions(owner, network, AccessType.UseEntry);
 
                 // don't allow to use system networks
                 NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class,
network.getNetworkOfferingId());
@@ -2726,13 +2720,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
                 throw new InvalidParameterValueException("Network id=" + network.getId()
+ " doesn't belong to zone " + zone.getId());
             }
 
-            //relax the check if the caller is admin account
-            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-            if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType()
== ACLType.Domain)
-                    && !(network.getAclType() == ACLType.Account && network.getAccountId()
== accountId)) {
-                throw new InvalidParameterValueException("only shared network or isolated
network with the same account_id can be added to vm");
-            }
-            }
+            // Perform account permission check on network
+            _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
 
             IpAddresses requestedIpPair = null;
             if (requestedIps != null && !requestedIps.isEmpty()) {
@@ -4441,7 +4430,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager,
Vir
                             throw ex;
                         }
 
-                        _networkModel.checkNetworkPermissions(newAccount, network);
+                        _networkModel.checkNetworkPermissions(newAccount, network, AccessType.UseEntry);
 
                         // don't allow to use system networks
                         NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class,
network.getNetworkOfferingId());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a5b9814f/server/test/com/cloud/network/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/network/MockNetworkModelImpl.java b/server/test/com/cloud/network/MockNetworkModelImpl.java
index 6c9e597..33387fa 100644
--- a/server/test/com/cloud/network/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/network/MockNetworkModelImpl.java
@@ -25,6 +25,8 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.naming.ConfigurationException;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -878,4 +880,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel
{
     public boolean getNetworkEgressDefaultPolicy(Long networkId) {
         return false;  //To change body of implemented methods use File | Settings | File
Templates.
     }
+
+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType)
{
+        // TODO Auto-generated method stub
+
+    }
 }
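Review bot: The generated `checkNetworkPermissions` stub in this mock keeps the `// TODO Auto-generated method stub` comment, which reads as unfinished work; the identical stub in `server/test/com/cloud/vpc/MockNetworkModelImpl.java` has the same issue. Because an empty body means the mock grants every access request, replace the placeholder with a comment stating that, e.g. `// Mock: no permission model, every access check passes.`, so a test author does not mistake it for an enforced check.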

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a5b9814f/server/test/com/cloud/vpc/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/MockNetworkModelImpl.java b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
index 67ab8e8..c93584d 100644
--- a/server/test/com/cloud/vpc/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
@@ -26,6 +26,8 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -893,4 +895,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel
{
     public boolean getNetworkEgressDefaultPolicy(Long networkId) {
         return false;  //To change body of implemented methods use File | Settings | File
Templates.
     }
+
+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType)
{
+        // TODO Auto-generated method stub
+
+    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a5b9814f/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
index 5d35ee2..3dfcdda 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
@@ -363,10 +363,10 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService,
Man
         Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS);
 
         if (entityType == Network.class) {
-            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide
network", entityType.toString(),
+            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide
network", entityType.getSimpleName(),
                     entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive);
         } else if (entityType == AffinityGroup.class) {
-            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide
affinityGroup", entityType.toString(),
+            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide
affinityGroup", entityType.getSimpleName(),
                     entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive);
         }
 
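Review bot: The AffinityGroup branch still builds its policy name as `"DomainWideNetwork-" + entityId` on the second added line, so a domain-wide AffinityGroup policy is named as if it were a Network policy and, if policy names must be unique, collides with the Network policy for the same numeric id. Rename it on that line, e.g. `createPolicyAndAddToDomainGroup("DomainWideAffinityGroup-" + entityId, "domain wide affinityGroup", entityType.getSimpleName(),`. The switch from `entityType.toString()` to `getSimpleName()` also changes the stored entity-type string (the `class `/`interface ` prefix and package name disappear); if any policies were already persisted with the old value, code that compares that field will no longer match them, which is worth checking before the branch ships.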

