From tall...@apache.org
Subject [44/60] [abbrv] Remove usage of sameOwner checkAccess invocation, and convert to OperateEntry IAM check.
Date Tue, 08 Apr 2014 12:25:59 GMT
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/vpc/VpcManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
index f53eb1f..0c33fc6 100644
--- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
@@ -38,6 +38,7 @@ import javax.naming.ConfigurationException;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.user.vpc.ListPrivateGatewaysCmd;
 import org.apache.cloudstack.api.command.user.vpc.ListStaticRoutesCmd;
 import org.apache.cloudstack.context.CallContext;
@@ -761,7 +762,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         Account owner = _accountMgr.getAccount(vpcOwnerId);
 
         //Verify that caller can perform actions in behalf of vpc owner
-        _accountMgr.checkAccess(caller, null, false, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         //check resource limit
         _resourceLimitMgr.checkResourceLimit(owner, ResourceType.vpc);
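Review bot: The converted call at line 28 passes `null` as the AccessType even though the commit title says the sameOwner form is being converted to an OperateEntry IAM check, and the `AccessType` import this file gains at line 19 is used only by the ip/vpc check further down; most other converted calls in this commit follow the same `null` pattern, the exceptions being the ones that already carried ModifyProject or OperateEntry. If `null` is meant to let checkAccess apply its default check, say so once at a call site with a comment such as `// null access type: checkAccess applies its default (presumably OperateEntry) permission check`; otherwise pass `AccessType.OperateEntry` explicitly so the permission being enforced is visible where it is enforced. The enclosing method starts before the hunk and ends after it.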
@@ -894,7 +895,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         }
 
         //verify permissions
-        _accountMgr.checkAccess(ctx.getCallingAccount(), null, false, vpc);
+        _accountMgr.checkAccess(ctx.getCallingAccount(), null, vpc);
 
         return destroyVpc(vpc, ctx.getCallingAccount(), ctx.getCallingUserId());
     }
@@ -962,7 +963,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
             throw new InvalidParameterValueException("Unable to find vpc by id " + vpcId);
         }
 
-        _accountMgr.checkAccess(caller, null, false, vpcToUpdate);
+        _accountMgr.checkAccess(caller, null, vpcToUpdate);
 
         VpcVO vpc = _vpcDao.createForUpdate(vpcId);
 
@@ -1154,7 +1155,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         }
 
         //permission check
-        _accountMgr.checkAccess(caller, null, false, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
 
         DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
 
@@ -1214,7 +1215,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         }
 
         //permission check
-        _accountMgr.checkAccess(caller, null, false, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
 
         //shutdown provider
         s_logger.debug("Shutting down vpc " + vpc);
@@ -1480,7 +1481,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller, null, false, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
 
         s_logger.debug("Restarting VPC " + vpc);
         boolean restartRequired = false;
@@ -1927,7 +1928,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
             throw new InvalidParameterValueException("Unable to find static route by id");
         }
 
-        _accountMgr.checkAccess(caller, null, false, route);
+        _accountMgr.checkAccess(caller, null, route);
 
         markStaticRouteForRevoke(route, caller);
 
@@ -1975,7 +1976,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         if (vpc == null) {
             throw new InvalidParameterValueException("Can't add static route to VPC that is being deleted");
         }
-        _accountMgr.checkAccess(caller, null, false, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
 
         if (!NetUtils.isValidCIDR(cidr)) {
             throw new InvalidParameterValueException("Invalid format for cidr " + cidr);
@@ -2127,7 +2128,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
     protected void markStaticRouteForRevoke(StaticRouteVO route, Account caller) {
         s_logger.debug("Revoking static route " + route);
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, false, route);
+            _accountMgr.checkAccess(caller, null, route);
         }
 
         if (route.getState() == StaticRoute.State.Staged) {
@@ -2191,7 +2192,6 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
 
         IpAddress ipToAssoc = _ntwkModel.getIp(ipId);
         if (ipToAssoc != null) {
-            _accountMgr.checkAccess(caller, null, true, ipToAssoc);
             owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
         } else {
             s_logger.debug("Unable to find ip address by id: " + ipId);
@@ -2204,7 +2204,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, true, owner, vpc);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipToAssoc, vpc);
 
         boolean isSourceNat = false;
         if (getExistingSourceNatInVpc(owner.getId(), vpcId) == null) {
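Review bot: The replacement check at line 117 no longer enforces that the IP address and the VPC belong to the same account, which the removed form `checkAccess(caller, null, true, owner, vpc)` did through its sameOwner=true argument; a caller who may operate on both entities while they sit in different accounts would now pass this point. Unless the three-argument checkAccess or code below the hunk compares the owners, add an explicit comparison the way Site2SiteVpnManagerImpl does for its two gateways, for example `if (ipToAssoc.getAllocatedToAccountId() != vpc.getAccountId()) { throw new InvalidParameterValueException("IP address and VPC must belong to the same account"); }` (constructed; message wording is yours to choose). Note also that `ipToAssoc` is null when `getIp(ipId)` finds nothing and the else branch at line 110 only logs in what is visible, so confirm that branch throws before line 117 is reached with a null entity. The enclosing method starts and ends outside the hunk.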
@@ -2284,7 +2284,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
             ex.addProxyObject(String.valueOf(vpcId), "VPC");
             throw ex;
         }
-        _accountMgr.checkAccess(caller, null, false, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
 
         if (networkDomain == null) {
             networkDomain = vpc.getNetworkDomain();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
index 531adad..0f734dd 100755
--- a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
@@ -150,7 +150,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
             throw new InvalidParameterValueException("Unable to create remote access vpn, invalid public IP address id" + publicIpId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, ipAddr);
+        _accountMgr.checkAccess(caller, null, ipAddr);
 
         if (!ipAddr.readyToUse()) {
             throw new InvalidParameterValueException("The Ip address is not ready to be used yet: " + ipAddr.getAddress());
@@ -292,7 +292,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
             return;
         }
 
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, vpn);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, vpn);
 
         vpn.setState(RemoteAccessVpn.State.Removed);
         _remoteAccessVpnDao.update(vpn.getId(), vpn);
@@ -387,7 +387,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
                 if (owner == null) {
                     throw new InvalidParameterValueException("Unable to add vpn user: Another operation active");
                 }
-                _accountMgr.checkAccess(caller, null, true, owner);
+                _accountMgr.checkAccess(caller, null, owner);
 
                 //don't allow duplicated user names for the same account
                 VpnUserVO vpnUser = _vpnUsersDao.findByAccountAndUsername(owner.getId(), username);
@@ -416,7 +416,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
         if (user == null) {
             throw new InvalidParameterValueException("Could not find vpn user " + username);
         }
-        _accountMgr.checkAccess(caller, null, true, user);
+        _accountMgr.checkAccess(caller, null, user);
 
         Transaction.execute(new TransactionCallbackNoReturn() {
             @Override
@@ -435,7 +435,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
     public List<? extends VpnUser> listVpnUsers(long vpnOwnerId, String userName) {
         Account caller = CallContext.current().getCallingAccount();
         Account owner = _accountDao.findById(vpnOwnerId);
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
         return _vpnUsersDao.listByAccount(vpnOwnerId);
     }
 
@@ -453,7 +453,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
             openFirewall = false;
         }
 
-        _accountMgr.checkAccess(caller, null, true, vpn);
+        _accountMgr.checkAccess(caller, null, vpn);
 
         boolean started = false;
         try {
@@ -499,7 +499,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
     public boolean applyVpnUsers(long vpnOwnerId, String userName) {
         Account caller = CallContext.current().getCallingAccount();
         Account owner = _accountDao.findById(vpnOwnerId);
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         s_logger.debug("Applying vpn users for " + owner);
         List<RemoteAccessVpnVO> vpns = _remoteAccessVpnDao.findByAccount(vpnOwnerId);
@@ -636,7 +636,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
                     throw new InvalidParameterValueException("Unable to list remote access vpns, IP address " + ipAddressId + " is not associated with an account.");
                 }
             }
-            _accountMgr.checkAccess(caller, null, true, publicIp);
+            _accountMgr.checkAccess(caller, null, publicIp);
         }
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
@@ -747,7 +747,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc
             throw new InvalidParameterValueException("Can't find remote access vpn by id " + id);
         }
 
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vpn);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vpn);
         if (customId != null) {
             vpn.setUuid(customId);
         }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
index fdb5bbf..1d6ed22 100644
--- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
@@ -24,6 +24,9 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
 import org.apache.cloudstack.api.command.user.vpn.CreateVpnConnectionCmd;
 import org.apache.cloudstack.api.command.user.vpn.CreateVpnCustomerGatewayCmd;
 import org.apache.cloudstack.api.command.user.vpn.CreateVpnGatewayCmd;
@@ -37,8 +40,6 @@ import org.apache.cloudstack.api.command.user.vpn.ResetVpnConnectionCmd;
 import org.apache.cloudstack.api.command.user.vpn.UpdateVpnCustomerGatewayCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
 
 import com.cloud.configuration.Config;
 import com.cloud.event.ActionEvent;
@@ -124,7 +125,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
         Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
 
         //Verify that caller can perform actions in behalf of vpc owner
-        _accountMgr.checkAccess(caller, null, false, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         Long vpcId = cmd.getVpcId();
         VpcVO vpc = _vpcDao.findById(vpcId);
@@ -174,7 +175,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
         Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
 
         //Verify that caller can perform actions in behalf of vpc owner
-        _accountMgr.checkAccess(caller, null, false, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         String name = cmd.getName();
         String gatewayIp = cmd.getGatewayIp();
@@ -242,21 +243,21 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
         Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
 
         //Verify that caller can perform actions in behalf of vpc owner
-        _accountMgr.checkAccess(caller, null, false, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         Long customerGatewayId = cmd.getCustomerGatewayId();
         Site2SiteCustomerGateway customerGateway = _customerGatewayDao.findById(customerGatewayId);
         if (customerGateway == null) {
             throw new InvalidParameterValueException("Unable to found specified Site to Site VPN customer gateway " + customerGatewayId + " !");
         }
-        _accountMgr.checkAccess(caller, null, false, customerGateway);
+        _accountMgr.checkAccess(caller, null, customerGateway);
 
         Long vpnGatewayId = cmd.getVpnGatewayId();
         Site2SiteVpnGateway vpnGateway = _vpnGatewayDao.findById(vpnGatewayId);
         if (vpnGateway == null) {
             throw new InvalidParameterValueException("Unable to found specified Site to Site VPN gateway " + vpnGatewayId + " !");
         }
-        _accountMgr.checkAccess(caller, null, false, vpnGateway);
+        _accountMgr.checkAccess(caller, null, vpnGateway);
 
         if (customerGateway.getAccountId() != vpnGateway.getAccountId() || customerGateway.getDomainId() != vpnGateway.getDomainId()) {
             throw new InvalidParameterValueException("VPN connection can only be esitablished between same account's VPN gateway and customer gateway!");
@@ -366,7 +367,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
         if (customerGateway == null) {
             throw new InvalidParameterValueException("Fail to find customer gateway with " + id + " !");
         }
-        _accountMgr.checkAccess(caller, null, false, customerGateway);
+        _accountMgr.checkAccess(caller, null, customerGateway);
 
         return doDeleteCustomerGateway(customerGateway);
     }
@@ -401,7 +402,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
             throw new InvalidParameterValueException("Fail to find vpn gateway with " + id + " !");
         }
 
-        _accountMgr.checkAccess(caller, null, false, vpnGateway);
+        _accountMgr.checkAccess(caller, null, vpnGateway);
 
         doDeleteVpnGateway(vpnGateway);
         return true;
@@ -418,7 +419,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
         if (gw == null) {
             throw new InvalidParameterValueException("Find to find customer gateway with id " + id);
         }
-        _accountMgr.checkAccess(caller, null, false, gw);
+        _accountMgr.checkAccess(caller, null, gw);
 
         List<Site2SiteVpnConnectionVO> conns = _vpnConnectionDao.listByCustomerGatewayId(id);
         if (conns != null) {
@@ -508,7 +509,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
             throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to delete!");
         }
 
-        _accountMgr.checkAccess(caller, null, false, conn);
+        _accountMgr.checkAccess(caller, null, conn);
 
         if (conn.getState() == State.Connected) {
             stopVpnConnection(id);
@@ -557,7 +558,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
         if (conn == null) {
             throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to reset!");
         }
-        _accountMgr.checkAccess(caller, null, false, conn);
+        _accountMgr.checkAccess(caller, null, conn);
 
         if (conn.getState() == State.Pending) {
             throw new InvalidParameterValueException("VPN connection " + id + " cannot be reseted when state is Pending!");
@@ -821,7 +822,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
             throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id);
         }
 
-        _accountMgr.checkAccess(caller, null, false, conn);
+        _accountMgr.checkAccess(caller, null, conn);
         if (customId != null) {
             conn.setUuid(customId);
         }
@@ -844,7 +845,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
             throw new InvalidParameterValueException("Fail to find vpn gateway with " + id);
         }
 
-        _accountMgr.checkAccess(caller, null, false, vpnGateway);
+        _accountMgr.checkAccess(caller, null, vpnGateway);
         if (customId != null) {
             vpnGateway.setUuid(customId);
         }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/projects/ProjectManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/projects/ProjectManagerImpl.java b/server/src/com/cloud/projects/ProjectManagerImpl.java
index d10c059..6aa5abc 100755
--- a/server/src/com/cloud/projects/ProjectManagerImpl.java
+++ b/server/src/com/cloud/projects/ProjectManagerImpl.java
@@ -244,7 +244,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
             throw new InvalidParameterValueException("Unable to find project by id " + projectId);
         }
 
-        _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+        _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
 
         //at this point enabling project doesn't require anything, so just update the state
         project.setState(State.Active);
@@ -264,7 +264,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
             throw new InvalidParameterValueException("Unable to find project by id " + projectId);
         }
 
-        _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+        _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
 
         return deleteProject(ctx.getCallingAccount(), ctx.getCallingUserId(), project);
     }
@@ -463,7 +463,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
         }
 
         //verify permissions
-        _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+        _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
 
         Transaction.execute(new TransactionCallbackWithExceptionNoReturn<ResourceAllocationException>() {
             @Override
@@ -550,7 +550,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
             }
 
             //verify permissions - only project owner can assign
-            _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+            _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
 
             //Check if the account already added to the project
             ProjectAccount projectAccount =  _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@@ -628,7 +628,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
         }
 
         //verify permissions
-        _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+        _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
 
         //Check if the account exists in the project
         ProjectAccount projectAccount =  _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
@@ -750,7 +750,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
             }
 
             //verify permissions
-            _accountMgr.checkAccess(caller, null, true, account);
+            _accountMgr.checkAccess(caller, null, account);
 
             accountId = account.getId();
         } else {
@@ -830,7 +830,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
         }
 
         //verify permissions
-        _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+        _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
 
         //allow project activation only when it's in Suspended state
         Project.State currentState = project.getState();
@@ -870,7 +870,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+        _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
 
         if (suspendProject(project)) {
             s_logger.debug("Successfully suspended project id=" + projectId);
@@ -1012,7 +1012,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
         Project project = getProject(invitation.getProjectId());
 
         //check permissions - only project owner can remove the invitations
-        _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId()));
+        _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId()));
 
         if (_projectInvitationDao.remove(id)) {
             s_logger.debug("Project Invitation id=" + id + " is removed");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
index 74cfc31..85ebe0a 100755
--- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
+++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
@@ -480,7 +480,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
                         return limits;
                     }
 
-                    _accountMgr.checkAccess(caller, null, true, account);
+                    _accountMgr.checkAccess(caller, null, account);
                     domainId = null;
                 }
             }
@@ -500,7 +500,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
         if (id != null) {
             ResourceLimitVO vo = _resourceLimitDao.findById(id);
             if (vo.getAccountId() != null) {
-                _accountMgr.checkAccess(caller, null, true, _accountDao.findById(vo.getAccountId()));
+                _accountMgr.checkAccess(caller, null, _accountDao.findById(vo.getAccountId()));
                 limits.add(vo);
             } else if (vo.getDomainId() != null) {
                 _accountMgr.checkAccess(caller, _domainDao.findById(vo.getDomainId()));
@@ -650,9 +650,9 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
             }
 
             if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
-                _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, account);
+                _accountMgr.checkAccess(caller, AccessType.ModifyProject, account);
             } else {
-                _accountMgr.checkAccess(caller, null, true, account);
+                _accountMgr.checkAccess(caller, null, account);
             }
 
             ownerType = ResourceOwnerType.Account;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/server/ManagementServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index bce2930..e33c7c7 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -953,7 +953,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
 
         List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);
         ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]);
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents);
 
         if (ids != null && events.size() < ids.size()) {
             result = false;
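Review bot: The array passed at line 487 is still named `sameOwnerEvents`, a name that described the sameOwner flag the commit removes from the call, so the new line reads as if a same-owner constraint were still being applied; the hunk at lines 491-499 has the same pair. Rename it at line 485 and in the call, e.g. `ControlledEntity[] eventEntities = events.toArray(new ControlledEntity[events.size()]);` followed by `_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, eventEntities);`. The enclosing method starts before the hunk and ends after it.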
@@ -980,7 +980,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
 
         List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);
         ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]);
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents);
 
         if (ids != null && events.size() < ids.size()) {
             result = false;
@@ -3294,7 +3294,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, true, _accountMgr.getAccount(user.getAccountId()));
+        _accountMgr.checkAccess(caller, null, _accountMgr.getAccount(user.getAccountId()));
 
         String cloudIdentifier = _configDao.getValue("cloud.identifier");
         if (cloudIdentifier == null) {
@@ -3401,7 +3401,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller, null, true, group);
+        _accountMgr.checkAccess(caller, null, group);
 
         // Check if name is already in use by this account (exclude this group)
         boolean isNameInUse = _vmGroupDao.isNameInUse(group.getAccountId(), groupName);
@@ -3646,7 +3646,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         }
 
         // make permission check
-        _accountMgr.checkAccess(caller, null, true, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         _userVmDao.loadDetails(vm);
         String password = vm.getDetail("Encrypted.Password");
@@ -3819,7 +3819,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
             throw new InvalidParameterValueException("Unable to find SystemVm with id " + systemVmId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, systemVm);
+        _accountMgr.checkAccess(caller, null, systemVm);
 
         // Check that the specified service offering ID is valid
         ServiceOfferingVO newServiceOffering = _offeringDao.findById(serviceOfferingId);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/servlet/ConsoleProxyServlet.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
index 60f32cf..16d7a32 100644
--- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
@@ -522,7 +522,7 @@ public class ConsoleProxyServlet extends HttpServlet {
         switch (vm.getType()) {
             case User:
             try {
-                _accountMgr.checkAccess(accountObj, null, true, vm);
+                _accountMgr.checkAccess(accountObj, null, vm);
             } catch (PermissionDeniedException ex) {
                 if (_accountMgr.isNormalUser(accountObj.getId())) {
                     if (s_logger.isDebugEnabled()) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/storage/VolumeApiServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
index cd3d897..c0741c5 100644
--- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java
+++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
@@ -26,6 +26,9 @@ import java.util.concurrent.ExecutionException;
 
 import javax.inject.Inject;
 
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.user.volume.AttachVolumeCmd;
 import org.apache.cloudstack.api.command.user.volume.CreateVolumeCmd;
 import org.apache.cloudstack.api.command.user.volume.DetachVolumeCmd;
@@ -68,7 +71,6 @@ import org.apache.cloudstack.storage.datastore.db.VolumeDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.VolumeDataStoreVO;
 import org.apache.cloudstack.storage.image.datastore.ImageStoreEntity;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
-import org.apache.log4j.Logger;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
@@ -263,7 +265,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
     private boolean validateVolume(Account caller, long ownerId, Long zoneId, String volumeName, String url, String format) throws ResourceAllocationException {
 
         // permission check
-        _accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId));
+        _accountMgr.checkAccess(caller, null, _accountMgr.getActiveAccountById(ownerId));
 
         // Check that the resource limit for volumes won't be exceeded
         _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(ownerId), ResourceType.volume);
@@ -372,10 +374,11 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
         Boolean displayVolume = cmd.getDisplayVolume();
 
         // permission check
-        _accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId));
+        _accountMgr.checkAccess(caller, null, _accountMgr.getActiveAccountById(ownerId));
 
         if (displayVolume == null) {
             displayVolume = true;
+
         } else {
             if (!_accountMgr.isRootAdmin(caller.getId())) {
                 throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted ");
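Review bot: The blank line added inside the `if (displayVolume == null)` branch, just before `} else {`, is a stray whitespace change unrelated to the access-check conversion. Dropping it keeps this hunk limited to the `checkAccess` signature change.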
@@ -499,9 +502,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
             size = snapshotCheck.getSize(); // ; disk offering is used for tags
             // purposes
 
-            // check snapshot permissions
-            _accountMgr.checkAccess(caller, null, true, snapshotCheck);
-
             // one step operation - create volume in VM's cluster and attach it
             // to the VM
             Long vmId = cmd.getVirtualMachineId();
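Review bot: The `checkAccess(caller, null, true, snapshotCheck)` call after `size = snapshotCheck.getSize()` is removed and nothing in this hunk checks the caller's access to the snapshot before a volume is created from it; the same pattern applies to the VM check removed in the next hunk (ending at the `}` after the "running or stopped" validation) and to the volume check removed from `allocSnapshot` in SnapshotManagerImpl, in the hunk ending at `Account owner = _accountMgr.getAccount(volume.getAccountId());`. If these checks now happen at the API layer before the service method is entered, that is not visible in this diff, and a comment at each removal point would make the dependency explicit, e.g. `// caller access to the snapshot is verified by the API-layer IAM check before this method is called`. If no such check exists, a caller able to invoke createVolume could create a volume from a snapshot it is not authorized to use. The enclosing method starts and ends outside the hunk.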
@@ -516,9 +516,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
                 if (vm.getState() != State.Running && vm.getState() != State.Stopped) {
                     throw new InvalidParameterValueException("Please specify a VM that is either running or stopped.");
                 }
-
-                // permission check
-                _accountMgr.checkAccess(caller, null, false, vm);
             }
 
         }
@@ -766,7 +763,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
         }
 
         /* does the caller have the authority to act on this volume? */
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
 
         long currentSize = volume.getSize();
 
@@ -929,7 +926,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
             throw new InvalidParameterValueException("There are snapshot creating on it, Unable to delete the volume");
         }
 
-        _accountMgr.checkAccess(caller, null, true, volume);
+        _accountMgr.checkAccess(caller, null, volume);
 
         if (volume.getInstanceId() != null) {
             throw new InvalidParameterValueException("Please specify a volume that is not attached to any VM.");
@@ -1136,7 +1133,11 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
             throw new InvalidParameterValueException("Unable to attach volume, please specify a VM that does not have VM snapshots");
         }
 
-        if (!(Volume.State.Allocated.equals(volumeToAttach.getState()) || Volume.State.Ready.equals(volumeToAttach.getState()) || Volume.State.Uploaded.equals(volumeToAttach.getState()))) {
+        // permission check
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, volumeToAttach, vm);
+
+        if (!(Volume.State.Allocated.equals(volumeToAttach.getState()) || Volume.State.Ready.equals(volumeToAttach.getState()) || Volume.State.Uploaded.equals(volumeToAttach
+                .getState()))) {
             throw new InvalidParameterValueException("Volume state must be in Allocated, Ready or in Uploaded state");
         }
 
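Review bot: The new `AccessType.OperateEntry` check on `volumeToAttach` and `vm` is placed after the validation that throws `"Unable to attach volume, please specify a VM that does not have VM snapshots"`, so a caller without permission learns whether the target VM has snapshots before being rejected. Moving the two added lines above that validation (and above any earlier state checks in the method, which starts outside the hunk) keeps authorization ahead of disclosure. This is also the first call site passing two entities to the new three-argument overload, which forwards `sameOwner=false` in AccountManagerImpl, so nothing here asserts an ownership relation between the volume and the VM beyond whatever the per-entity check provides; if that relation matters for attach, it should be checked explicitly.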
@@ -1356,7 +1357,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
         }
 
         // Permissions check
-        _accountMgr.checkAccess(caller, null, true, volume);
+        _accountMgr.checkAccess(caller, null, volume);
 
 
         // Check that the volume is currently attached to a VM
@@ -1823,7 +1824,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
         }
 
         // perform permission check
-        _accountMgr.checkAccess(account, null, true, volume);
+        _accountMgr.checkAccess(account, null, volume);
 
         if (_dcDao.findById(zoneId) == null) {
             throw new InvalidParameterValueException("Please specify a valid zone.");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
index 388a952..c22e148 100755
--- a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
+++ b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
@@ -286,7 +286,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
 
         boolean backedUp = false;
         // does the caller have the authority to act on this volume
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
 
         SnapshotInfo snapshot = snapshotFactory.getSnapshot(snapshotId, DataStoreRole.Primary);
 
@@ -391,7 +391,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
             throw new InvalidParameterValueException("unable to find a snapshot with id " + snapshotId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, snapshotCheck);
+        _accountMgr.checkAccess(caller, null, snapshotCheck);
         SnapshotStrategy snapshotStrategy = _storageStrategyFactory.getSnapshotStrategy(snapshotCheck, SnapshotOperation.DELETE);
         if (snapshotStrategy == null) {
             s_logger.error("Unable to find snaphot strategy to handle snapshot with id '" + snapshotId + "'");
@@ -450,7 +450,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
         if (volumeId != null) {
             VolumeVO volume = _volsDao.findById(volumeId);
             if (volume != null) {
-                _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+                _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
             }
         }
 
@@ -624,7 +624,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
             throw new InvalidParameterValueException("Failed to create snapshot policy, unable to find a volume with id " + volumeId);
         }
 
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
 
         if (volume.getState() != Volume.State.Ready) {
             throw new InvalidParameterValueException("VolumeId: " + volumeId + " is not in " + Volume.State.Ready + " state but " + volume.getState() +
@@ -723,7 +723,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
         if (volume == null) {
             throw new InvalidParameterValueException("Unable to find a volume with id " + volumeId);
         }
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
         Pair<List<SnapshotPolicyVO>, Integer> result = _snapshotPolicyDao.listAndCountByVolumeId(volumeId);
         return new Pair<List<? extends SnapshotPolicy>, Integer>(result.first(), result.second());
     }
@@ -999,7 +999,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
                 throw new InvalidParameterValueException("Policy id given: " + policy + " does not belong to a valid volume");
             }
 
-            _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume);
+            _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume);
         }
 
         boolean success = true;
@@ -1030,12 +1030,9 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
 
     @Override
     public Snapshot allocSnapshot(Long volumeId, Long policyId) throws ResourceAllocationException {
-        Account caller = CallContext.current().getCallingAccount();
         VolumeInfo volume = volFactory.getVolume(volumeId);
         supportedByHypervisor(volume);
 
-        // Verify permissions
-        _accountMgr.checkAccess(caller, null, true, volume);
         Type snapshotType = getSnapshotType(policyId);
         Account owner = _accountMgr.getAccount(volume.getAccountId());
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
index 900c822..71722a9 100644
--- a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
+++ b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
@@ -25,11 +25,12 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.log4j.Logger;
+
 import org.apache.cloudstack.api.Identity;
 import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
-import org.apache.log4j.Logger;
 
 import com.cloud.api.query.dao.ResourceTagJoinDao;
 import com.cloud.dc.DataCenterVO;
@@ -222,7 +223,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
                         Long domainId = accountDomainPair.second();
                         Long accountId = accountDomainPair.first();
                         if (accountId != null) {
-                            _accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId));
+                            _accountMgr.checkAccess(caller, null, _accountMgr.getAccount(accountId));
                         } else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) {
                             //check permissions;
                             _accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId));
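Review bot: In the branch below the converted call, a caller for which `_accountMgr.isNormalUser(caller.getId())` is true and only `domainId` is set falls through both the `if` and the `else if` arms without any `checkAccess` call, so for that case this method performs no permission check at all. This is pre-existing rather than introduced by the commit, and the enclosing method (which starts outside the hunk) may guard it earlier, but it deserves either an explicit `else { throw new PermissionDeniedException("..."); }` arm or a comment stating why a normal user tagging a domain-scoped resource needs no check here.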
@@ -284,7 +285,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
         for (ResourceTag resourceTag : resourceTags) {
             //1) validate the permissions
             Account owner = _accountMgr.getAccount(resourceTag.getAccountId());
-            _accountMgr.checkAccess(caller, null, false, owner);
+            _accountMgr.checkAccess(caller, null, owner);
             //2) Only remove tag if it matches key value pairs
             if (tags != null && !tags.isEmpty()) {
                 for (String key : tags.keySet()) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/template/TemplateAdapterBase.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateAdapterBase.java b/server/src/com/cloud/template/TemplateAdapterBase.java
index f3c16ca..3465174 100755
--- a/server/src/com/cloud/template/TemplateAdapterBase.java
+++ b/server/src/com/cloud/template/TemplateAdapterBase.java
@@ -258,7 +258,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
         //check if the caller can operate with the template owner
         Account caller = CallContext.current().getCallingAccount();
         Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         boolean isRouting = (cmd.isRoutingType() == null) ? false : cmd.isRoutingType();
 
@@ -281,7 +281,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
         //check if the caller can operate with the template owner
         Account caller = CallContext.current().getCallingAccount();
         Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         Long zoneId = cmd.getZoneId();
         // ignore passed zoneId if we are using region wide image store

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/template/TemplateManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index 81dc198..0a32c8e 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -369,7 +369,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
             throw new InvalidParameterValueException("Unable to find template id=" + templateId);
         }
 
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, vmTemplate);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, vmTemplate);
 
         prepareTemplateInAllStoragePools(vmTemplate, zoneId);
         return vmTemplate;
@@ -415,7 +415,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
             throw new InvalidParameterValueException("Unable to extract template id=" + templateId + " as it's not extractable");
         }
 
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
 
         List<DataStore> ssStores = _dataStoreMgr.getImageStoresByScope(new ZoneScope(zoneId));
 
@@ -722,7 +722,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
             return template;
         }
 
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
 
         boolean success = copy(userId, template, srcSecStore, dstZone);
 
@@ -911,7 +911,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
             throw new InvalidParameterValueException("Please specify a valid VM.");
         }
 
-        _accountMgr.checkAccess(caller, null, true, userVM);
+        _accountMgr.checkAccess(caller, null, userVM);
 
         Long isoId = userVM.getIsoId();
         if (isoId == null) {
@@ -952,12 +952,11 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
 
         // check permissions
         // check if caller has access to VM and ISO
-        // and also check if the VM's owner has access to the ISO.
-
-        _accountMgr.checkAccess(caller, null, false, iso, vm);
-
+        // and also check if the VM's owner has access to the ISO. This is a bit different from sameOwner check for attachVolumeToVM, where both volume and VM need
+        // OperateEntry access type. Here VM needs OperateEntry access type, ISO needs UseEntry access type.
+        _accountMgr.checkAccess(caller, null, iso, vm);
         Account vmOwner = _accountDao.findById(vm.getAccountId());
-        _accountMgr.checkAccess(vmOwner, null, false, iso, vm);
+        _accountMgr.checkAccess(vmOwner, null, iso);
 
         State vmState = vm.getState();
         if (vmState != State.Running && vmState != State.Stopped) {
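Review bot: The rewritten comment says the VM needs `OperateEntry` and the ISO needs `UseEntry`, but the call below it, `_accountMgr.checkAccess(caller, null, iso, vm)`, passes `null` as the access type for both entities, so the code does not express the distinction the comment describes. Splitting it into `_accountMgr.checkAccess(caller, AccessType.OperateEntry, vm);` and `_accountMgr.checkAccess(caller, AccessType.UseEntry, iso);` would make the intent enforceable (what a `null` access type resolves to inside the checker is not visible here). The comment also still refers to a "sameOwner check for attachVolumeToVM" although this commit replaces that call site with an `OperateEntry` check; rewording it avoids a dangling reference. The enclosing method starts outside the hunk.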
@@ -1061,7 +1060,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
             throw new InvalidParameterValueException("unable to find template with id " + templateId);
         }
 
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
 
         if (template.getFormat() == ImageFormat.ISO) {
             throw new InvalidParameterValueException("Please specify a valid template.");
@@ -1084,7 +1083,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
             throw new InvalidParameterValueException("unable to find iso with id " + templateId);
         }
 
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
 
         if (template.getFormat() != ImageFormat.ISO) {
             throw new InvalidParameterValueException("Please specify a valid iso.");
@@ -1134,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
         }
 
         if (!template.isPublicTemplate()) {
-            _accountMgr.checkAccess(caller, null, true, template);
+            _accountMgr.checkAccess(caller, null, template);
         }
 
         List<String> accountNames = new ArrayList<String>();
@@ -1207,8 +1206,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
             }
         }
 
-        //_accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); //TODO: should we replace all ModifyEntry as OperateEntry?
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, template);
 
         // If the template is removed throw an error.
         if (template.getRemoved() != null) {
@@ -1489,7 +1487,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
         Account caller = CallContext.current().getCallingAccount();
         boolean isAdmin = (_accountMgr.isAdmin(caller.getType()));
 
-        _accountMgr.checkAccess(caller, null, true, templateOwner);
+        _accountMgr.checkAccess(caller, null, templateOwner);
 
         String name = cmd.getTemplateName();
         if ((name == null) || (name.length() > 32)) {
@@ -1541,7 +1539,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
                 throw new InvalidParameterValueException("Failed to create private template record, unable to find volume " + volumeId);
             }
             // check permissions
-            _accountMgr.checkAccess(caller, null, true, volume);
+            _accountMgr.checkAccess(caller, null, volume);
 
             // If private template is created from Volume, check that the volume
             // will not be active when the private template is
@@ -1564,7 +1562,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
             volume = _volumeDao.findById(snapshot.getVolumeId());
 
             // check permissions
-            _accountMgr.checkAccess(caller, null, true, snapshot);
+            _accountMgr.checkAccess(caller, null, snapshot);
 
             if (snapshot.getState() != Snapshot.State.BackedUp) {
                 throw new InvalidParameterValueException("Snapshot id=" + snapshotId + " is not in " + Snapshot.State.BackedUp +
@@ -1780,7 +1778,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
         verifyTemplateId(id);
 
         // do a permission check
-        _accountMgr.checkAccess(account, AccessType.OperateEntry, true, template);
+        _accountMgr.checkAccess(account, AccessType.OperateEntry, template);
         if (cmd.isRoutingType() != null) {
             if (!_accountService.isRootAdmin(account.getId())) {
                 throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 2070ee6..6de70c6 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -451,6 +451,20 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     }
 
     @Override
+    public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
+        // TODO this will eventually deprecate below sameOwner check interface.
+        // TO BE IMPLEMENTED when multiple controlled entity support interface is added into SecurityChecker
+        checkAccess(account, accessType, false, entities);
+    }
+
+    @Override
+    public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
+        // TODO this will eventually deprecate below sameOwner check interface.
+        // TO BE IMPLEMENTED when multiple controlled entity support interface is added into SecurityChecker
+        checkAccess(account, accessType, false, apiName, entities);
+    }
+
+    @Override
     public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
         checkAccess(caller, accessType, sameOwner, null, entities);
     }
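Review bot: The two new overloads carry a `// TO BE IMPLEMENTED ...` comment although they are implemented as delegations that hard-code `sameOwner=false`, so a reader cannot tell whether the stub comment or the delegation is the intended state. Because every converted call site in this commit now lands here, callers that pass several entities (attachVolumeToVM's `checkAccess(caller, AccessType.OperateEntry, volumeToAttach, vm)` and attachIso's `checkAccess(caller, null, iso, vm)`) no longer get whatever the `sameOwner` flag enforced across those entities, and that behaviour change is worth stating where it happens. Suggested Javadoc for the first overload: `/** Checks that {@code account} may perform {@code accessType} on every entity; delegates to the four-argument overload with {@code sameOwner=false}. */`, with the TO-BE-IMPLEMENTED line replaced by a note naming the overload it delegates to and the same treatment for the `apiName` variant.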
@@ -1112,7 +1126,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed");
         }
 
-        checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
+        checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account);
 
         if (firstName != null) {
             if (firstName.isEmpty()) {
@@ -1226,7 +1240,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             throw new InvalidParameterValueException("User id : " + userId + " is a system user, disabling is not allowed");
         }
 
-        checkAccess(caller, AccessType.OperateEntry, true, account);
+        checkAccess(caller, AccessType.OperateEntry, account);
 
         boolean success = doSetUserStatus(userId, State.disabled);
         if (success) {
@@ -1264,7 +1278,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             throw new InvalidParameterValueException("User id : " + userId + " is a system user, enabling is not allowed");
         }
 
-        checkAccess(caller, AccessType.OperateEntry, true, account);
+        checkAccess(caller, AccessType.OperateEntry, account);
 
         boolean success = Transaction.execute(new TransactionCallback<Boolean>() {
             @Override
@@ -1313,7 +1327,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             throw new PermissionDeniedException("user id : " + userId + " is a system user, locking is not allowed");
         }
 
-        checkAccess(caller, AccessType.OperateEntry, true, account);
+        checkAccess(caller, AccessType.OperateEntry, account);
 
         // make sure the account is enabled too
         // if the user is either locked already or disabled already, don't change state...only lock currently enabled
@@ -1377,7 +1391,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             throw new InvalidParameterValueException("The specified account does not exist in the system");
         }
 
-        checkAccess(caller, null, true, account);
+        checkAccess(caller, null, account);
 
         // don't allow to delete default account (system and admin)
         if (account.isDefault()) {
@@ -1422,7 +1436,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 
         // Check if user performing the action is allowed to modify this account
         Account caller = CallContext.current().getCallingAccount();
-        checkAccess(caller, AccessType.OperateEntry, true, account);
+        checkAccess(caller, AccessType.OperateEntry, account);
 
         boolean success = enableAccount(account.getId());
         if (success) {
@@ -1456,7 +1470,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             throw new PermissionDeniedException("Account id : " + accountId + " is a system account, lock is not allowed");
         }
 
-        checkAccess(caller, AccessType.OperateEntry, true, account);
+        checkAccess(caller, AccessType.OperateEntry, account);
 
         if (lockAccount(account.getId())) {
             CallContext.current().putContextParameter(Account.class, account.getUuid());
@@ -1486,7 +1500,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             throw new PermissionDeniedException("Account id : " + accountId + " is a system account, disable is not allowed");
         }
 
-        checkAccess(caller, AccessType.OperateEntry, true, account);
+        checkAccess(caller, AccessType.OperateEntry, account);
 
         if (disableAccount(account.getId())) {
             CallContext.current().putContextParameter(Account.class, account.getUuid());
@@ -1605,7 +1619,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             throw new InvalidParameterValueException("The user is default and can't be removed");
         }
 
-        checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);
+        checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account);
         CallContext.current().putContextParameter(User.class, user.getUuid());
         return _userDao.remove(id);
     }
@@ -2252,7 +2266,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 
             if (userAccount != null) {
                 //check permissions
-                checkAccess(caller, null, false, userAccount);
+                checkAccess(caller, null, userAccount);
                 permittedAccounts.add(userAccount.getId());
             } else {
                 throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 741b21c..7a707ae 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -35,11 +35,9 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-
 import org.apache.commons.codec.binary.Base64;
 import org.apache.log4j.Logger;
 
-import com.cloud.storage.VolumeApiService;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.affinity.AffinityGroupService;
@@ -199,6 +197,7 @@ import com.cloud.server.ConfigurationServer;
 import com.cloud.service.ServiceOfferingVO;
 import com.cloud.service.dao.ServiceOfferingDao;
 import com.cloud.service.dao.ServiceOfferingDetailsDao;
+import com.cloud.storage.DataStoreRole;
 import com.cloud.storage.DiskOfferingVO;
 import com.cloud.storage.GuestOSCategoryVO;
 import com.cloud.storage.GuestOSVO;
@@ -206,13 +205,13 @@ import com.cloud.storage.SnapshotVO;
 import com.cloud.storage.Storage;
 import com.cloud.storage.Storage.ImageFormat;
 import com.cloud.storage.Storage.TemplateType;
-import com.cloud.storage.DataStoreRole;
 import com.cloud.storage.StorageManager;
 import com.cloud.storage.StoragePool;
 import com.cloud.storage.StoragePoolStatus;
 import com.cloud.storage.VMTemplateVO;
 import com.cloud.storage.VMTemplateZoneVO;
 import com.cloud.storage.Volume;
+import com.cloud.storage.VolumeApiService;
 import com.cloud.storage.VolumeVO;
 import com.cloud.storage.dao.DiskOfferingDao;
 import com.cloud.storage.dao.GuestOSCategoryDao;
@@ -533,7 +532,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("Vm with id " + vmId + " is not in the right state");
         }
 
-        _accountMgr.checkAccess(caller, null, true, userVm);
+        _accountMgr.checkAccess(caller, null, userVm);
 
         boolean result = resetVMPasswordInternal(vmId, password);
 
@@ -639,7 +638,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                     + " in specified domain id");
         }
 
-        _accountMgr.checkAccess(caller, null, true, userVm);
+        _accountMgr.checkAccess(caller, null, userVm);
         String password = null;
         String sshPublicKey = s.getPublicKey();
         if (template != null && template.getEnablePassword()) {
@@ -779,7 +778,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                     + "; make sure the virtual machine is stopped");
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // Check resource limits for CPU and Memory.
         Map<String, String> customParameters = cmd.getDetails();
@@ -893,7 +892,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // Check resource limits for CPU and Memory.
         ServiceOfferingVO newServiceOffering = _offeringDao.findById(svcOffId);
@@ -962,7 +961,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         Long vmId = cmd.getVmId();
         Long networkId = cmd.getNetworkId();
         String ipAddress = cmd.getIpAddress();
-        Account caller = CallContext.current().getCallingAccount();
 
         UserVmVO vmInstance = _vmDao.findById(vmId);
         if (vmInstance == null) {
@@ -973,12 +971,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a network with id " + networkId);
         }
 
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-        if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
-                && !(network.getAclType() == ACLType.Account && network.getAccountId() == vmInstance.getAccountId())) {
-            throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vmId: " + vmId);
-        }
-        }
 
         List<NicVO> allNics = _nicDao.listByVmId(vmInstance.getId());
         for (NicVO nic : allNics) {
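Review bot: With this hunk and the next one (ending at the network-zone mismatch check) addNicToVirtualMachine loses three checks and gains none: the non-admin rule that only a shared Domain-ACL network or an Account-ACL network owned by the VM's account may be attached, the `checkAccess(caller, null, true, vmInstance)` check on the VM, and the `AccessType.UseEntry` check on the network; the `caller` local is dropped in the preceding hunk, so no remaining code in this method references the caller. Per-entity checks on the VM and on the network may be performed by the IAM layer before the method is entered, but the cross-entity rule that an Account-ACL network's account must match the VM's account cannot be expressed as a per-entity check and is simply gone. If retiring it is intentional, a comment saying so belongs at the removal point; otherwise the removed condition should be restored together with the `caller` local. The method starts outside the hunk.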
@@ -991,18 +983,12 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             profile = new NicProfile(ipAddress, null);
         }
 
-        // Perform permission check on VM
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
-
         // Verify that zone is not Basic
         DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
         if (dc.getNetworkType() == DataCenter.NetworkType.Basic) {
             throw new CloudRuntimeException("Zone " + vmInstance.getDataCenterId() + ", has a NetworkType of Basic. Can't add a new NIC to a VM on a Basic Network");
         }
 
-        // Perform account permission check on network
-        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
-
         //ensure network belongs in zone
         if (network.getDataCenterId() != vmInstance.getDataCenterId()) {
             throw new CloudRuntimeException(vmInstance + " is in zone:" + vmInstance.getDataCenterId() + " but " + network + " is in zone:" + network.getDataCenterId());
@@ -1061,7 +1047,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // Perform permission check on VM
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // Verify that zone is not Basic
         DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
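Review bot: The converted call `_accountMgr.checkAccess(caller, null, vmInstance);` still passes `null` for the access type, although the commit message describes the change as a conversion to an OperateEntry IAM check, and other files in this diff spell the intent out with `AccessType.OperateEntry`. If `null` is mapped to OperateEntry inside the account manager, that contract is invisible at the call site and easy to break later; either pass `AccessType.OperateEntry` explicitly or document the convention once, e.g. `// null access type == OperateEntry (default in AccountManager.checkAccess)`. The same pattern repeats in the remaining hunks of this file.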
@@ -1075,7 +1061,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // Perform account permission check on network
-        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+        _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
 
         boolean nicremoved = false;
 
@@ -1117,7 +1103,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // Perform permission check on VM
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // Verify that zone is not Basic
         DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
@@ -1299,7 +1285,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("This operation not permitted for this hypervisor of the vm");
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         //Check if its a scale "up"
         ServiceOfferingVO newServiceOffering = _offeringDao.findById(newServiceOfferingId);
@@ -1508,7 +1494,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, true, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         if (vm.getRemoved() != null) {
             if (s_logger.isDebugEnabled()) {
@@ -1851,7 +1837,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find virtual machine with id " + id);
         }
 
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vmInstance);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vmInstance);
 
         //If the flag is specified and is changed
         if (isDisplayVm != null && isDisplayVm != vmInstance.isDisplayVm()) {
@@ -2066,7 +2052,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // If the VM is Volatile in nature, on reboot discard the VM's root disk and create a new root disk for it: by calling restoreVM
         long serviceOfferingId = vmInstance.getServiceOfferingId();
@@ -2170,7 +2156,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a vm group with id " + groupId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, group);
+        _accountMgr.checkAccess(caller, null, group);
 
         return deleteVmGroup(groupId);
     }
@@ -2304,7 +2290,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         List<NetworkVO> networkList = new ArrayList<NetworkVO>();
 
         // Verify that caller can perform actions in behalf of vm owner
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         // Get default guest network in Basic zone
         Network defaultNetwork = _networkModel.getExclusiveGuestNetwork(zone.getId());
@@ -2359,7 +2345,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         boolean isVmWare = (template.getHypervisorType() == HypervisorType.VMware || (hypervisor != null && hypervisor == HypervisorType.VMware));
 
         // Verify that caller can perform actions in behalf of vm owner
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         // If no network is specified, find system security group enabled network
         if (networkIdList == null || networkIdList.isEmpty()) {
@@ -2417,7 +2403,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
 
                 // Perform account permission check
                 if (network.getAclType() == ACLType.Account) {
-                    _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+                    _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
                 }
                 networkList.add(network);
             }
@@ -2463,7 +2449,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         List<NetworkVO> networkList = new ArrayList<NetworkVO>();
 
         // Verify that caller can perform actions in behalf of vm owner
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         List<HypervisorType> vpcSupportedHTypes = _vpcMgr.getSupportedVpcHypervisors();
         if (networkIdList == null || networkIdList.isEmpty()) {
@@ -2557,7 +2543,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             List<Long> affinityGroupIdList, Map<String, String> customParameters, String customId) throws InsufficientCapacityException, ResourceUnavailableException,
             ConcurrentOperationException, StorageUnavailableException, ResourceAllocationException {
 
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         if (owner.getState() == Account.State.disabled) {
             throw new PermissionDeniedException("The owner of vm to deploy is disabled: " + owner);
@@ -2633,7 +2619,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                     throw new InvalidParameterValueException("Unable to find security group by id " + securityGroupId);
                 } else {
                     // verify permissions
-                    _accountMgr.checkAccess(caller, null, true, owner, sg);
+                    _accountMgr.checkAccess(owner, AccessType.UseEntry, sg);
                 }
             }
         }
@@ -2649,27 +2635,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                             + " , Please try again after removing the affinity group");
                 } else {
                     // verify permissions
-                    if (ag.getAclType() == ACLType.Domain) {
-                        _accountMgr.checkAccess(caller, null, false, owner, ag);
-                        // Root admin has access to both VM and AG by default,
-                        // but
-                        // make sure the owner of these entities is same
-                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
-                            if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) {
-                                throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's domain");
-                            }
-                        }
-                    } else {
-                        _accountMgr.checkAccess(caller, null, true, owner, ag);
-                        // Root admin has access to both VM and AG by default,
-                        // but
-                        // make sure the owner of these entities is same
-                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
-                            if (ag.getAccountId() != owner.getAccountId()) {
-                                throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
-                            }
-                        }
-                    }
+                    _accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
                 }
             }
         }
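Review bot: The deleted branch recorded why the extra ownership test existed — "Root admin has access to both VM and AG by default, but make sure the owner of these entities is same" — and the replacement `_accountMgr.checkAccess(owner, AccessType.UseEntry, ag);` preserves that intent only because the subject is now `owner` rather than `caller`; that reasoning is no longer written down anywhere. Two cases the old code handled are worth confirming against the IAM checker: a Domain-ACL group, which was previously validated with `isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())`, and an `owner` that is itself an admin account, for which a checker that short-circuits on account type would accept another account's group. Suggest keeping a comment such as `// checked as owner, not caller: the AG must be usable by the VM's account even when the caller is root admin`. The same rewrite appears in the AffinityGroupServiceImpl hunk further down.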
@@ -2695,10 +2661,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // Check templates permissions
-        if (!template.isPublicTemplate()) {
-            Account templateOwner = _accountMgr.getAccount(template.getAccountId());
-            _accountMgr.checkAccess(owner, null, true, templateOwner);
-        }
+        _accountMgr.checkAccess(owner, AccessType.UseEntry, template);
 
         // check if the user data is correct
         validateUserData(userData, httpmethod);
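Review bot: The template check is now unconditional — `_accountMgr.checkAccess(owner, AccessType.UseEntry, template);` replaces a branch that skipped public templates and otherwise checked the template owner's account. That is correct only if the IAM checker grants `UseEntry` on public templates to every account; if it evaluates ownership alone, deploying from a public template owned by another account would now be refused to ordinary users. The assign-VM path later in this diff keeps the `if (!template.isPublicTemplate())` guard with a `templateOwner` check, so the two paths now disagree; pick one form and, where the guard is dropped, add `// public templates are expected to grant UseEntry to all accounts via the IAM checker` so the assumption is explicit.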
@@ -2727,14 +2690,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                 throw new InvalidParameterValueException("Network id=" + network.getId() + " doesn't belong to zone " + zone.getId());
             }
 
-            //relax the check if the caller is admin account
-            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-            if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
-                    && !(network.getAclType() == ACLType.Account && network.getAccountId() == accountId)) {
-                throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vm");
-            }
-            }
-
+            // Perform account permission check on network
+            _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
             IpAddresses requestedIpPair = null;
             if (requestedIps != null && !requestedIps.isEmpty()) {
                 requestedIpPair = requestedIps.get(network.getId());
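Review bot: The new `_accountMgr.checkAccess(caller, AccessType.UseEntry, network);` checks the caller, whereas every other entity check in this method — security group, affinity group, template — is now made as `owner`, and the removed condition compared `network.getAccountId()` with `accountId` (the VM owner's), not the caller's. For a domain admin deploying on behalf of account A, access to account B's isolated network is evaluated against the admin, so the VM can land on a network its owner could not use. Suggest `_accountMgr.checkAccess(owner, AccessType.UseEntry, network);` for consistency with the sibling checks, or a comment explaining why the caller is the right subject here. The method body continues past this hunk.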
@@ -3356,7 +3313,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
         }
 
-        _accountMgr.checkAccess(callerAccount, null, true, vm);
+        _accountMgr.checkAccess(callerAccount, null, vm);
 
         Account owner = _accountDao.findById(vm.getAccountId());
 
@@ -3662,7 +3619,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller, null, true, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         boolean status;
 
@@ -4243,8 +4200,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         //check caller has access to both the old and new account
-        _accountMgr.checkAccess(caller, null, true, oldAccount);
-        _accountMgr.checkAccess(caller, null, true, newAccount);
+        _accountMgr.checkAccess(caller, null, oldAccount);
+        _accountMgr.checkAccess(caller, null, newAccount);
 
         // make sure the accounts are not same
         if (oldAccount.getAccountId() == newAccount.getAccountId()) {
@@ -4297,7 +4254,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         VirtualMachineTemplate template = _templateDao.findById(vm.getTemplateId());
         if (!template.isPublicTemplate()) {
             Account templateOwner = _accountMgr.getAccount(template.getAccountId());
-            _accountMgr.checkAccess(newAccount, null, true, templateOwner);
+            _accountMgr.checkAccess(newAccount, null, templateOwner);
         }
 
         // VV 5: check the new account can create vm in the domain
@@ -4554,7 +4511,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller, null, true, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         return restoreVMInternal(caller, vm, newTemplateId);
     }
@@ -4604,7 +4561,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         //newTemplateId can be either template or ISO id. In the following snippet based on the vm deployment (from template or ISO) it is handled accordingly
         if (newTemplateId != null) {
             template = _templateDao.findById(newTemplateId);
-            _accountMgr.checkAccess(caller, null, true, template);
+            _accountMgr.checkAccess(caller, null, template);
             if (isISO) {
                 if (!template.getFormat().equals(ImageFormat.ISO)) {
                     throw new InvalidParameterValueException("Invalid ISO id provided to restore the VM ");
@@ -4761,7 +4718,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                 if (hostId != null) {
                     // root.getPoolId() should be null if the VM we are attaching the disk to has never been started before
                     DataStore dataStore = root.getPoolId() != null ? _dataStoreMgr.getDataStore(root.getPoolId(), DataStoreRole.Primary) : null;
-                    Host host = this._hostDao.findById(hostId);
+                    Host host = _hostDao.findById(hostId);
 
                     volumeMgr.disconnectVolumeFromHost(volFactory.getVolume(root.getId()), host, dataStore);
                 }
@@ -4811,7 +4768,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         //check permissions
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vm);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vm);
         return vm.getUserData();
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
index b30fd14..7a2d0ad 100644
--- a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
+++ b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
@@ -297,7 +297,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
         }
 
         // check access
-        _accountMgr.checkAccess(caller, null, true, userVmVo);
+        //_accountMgr.checkAccess(caller, null, userVmVo);
 
         // check max snapshot limit for per VM
         if (_vmSnapshotDao.findByVm(vmId).size() >= _vmSnapshotMax) {
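Review bot: The access check is commented out rather than converted — `//_accountMgr.checkAccess(caller, null, userVmVo);` — so VM-snapshot allocation no longer verifies that the caller may operate on the VM, while the delete and revert hunks below keep their converted `checkAccess(caller, null, ...)` calls. Unless the check has moved to the API command layer (not visible in this diff), any authenticated user who knows a VM id can snapshot another account's VM. Either restore the line as `_accountMgr.checkAccess(caller, null, userVmVo);` or delete it and replace it with a comment naming where the check is now performed; commented-out authorization code should not be left in the tree. The enclosing method starts before this hunk and continues after it.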
@@ -448,7 +448,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
             throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmSnapshot);
+        _accountMgr.checkAccess(caller, null, vmSnapshot);
 
         // check VM snapshot states, only allow to delete vm snapshots in created and error state
         if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) {
@@ -513,7 +513,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
             throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmSnapshot);
+        _accountMgr.checkAccess(caller, null, vmSnapshot);
 
         // check VM snapshot states, only allow to delete vm snapshots in created and error state
         if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) {
@@ -564,7 +564,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
         }
 
         Account caller = getCaller();
-        _accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
+        _accountMgr.checkAccess(caller, null, vmSnapshotVo);
 
         // VM should be in running or stopped states
         if (userVm.getState() != VirtualMachine.State.Running
@@ -646,7 +646,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
         }
 
         Account caller = getCaller();
-        _accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
+        _accountMgr.checkAccess(caller, null, vmSnapshotVo);
 
         // VM should be in running or stopped states
         if (userVm.getState() != VirtualMachine.State.Running && userVm.getState() != VirtualMachine.State.Stopped) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
index 8e606ca..ef63692 100644
--- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@@ -262,7 +262,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
             affinityGroupId = group.getId();
         }
         // check permissions
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, group);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
 
         final Long affinityGroupIdFinal = affinityGroupId;
         Transaction.execute(new TransactionCallbackNoReturn() {
@@ -353,7 +353,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
             if (userVM == null) {
                 throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
             }
-            _accountMgr.checkAccess(caller, null, true, userVM);
+            _accountMgr.checkAccess(caller, null, userVM);
             // add join to affinity_groups_vm_map
             groupSearch.join("vmInstanceSearch", vmInstanceSearch, groupSearch.entity().getId(), vmInstanceSearch.entity().getAffinityGroupId(),
                 JoinBuilder.JoinType.INNER);
@@ -477,14 +477,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
                 throw new InvalidParameterValueException("Unable to find affinity group by id " + affinityGroupId);
             } else {
                 // verify permissions
-                _accountMgr.checkAccess(caller, null, true, owner, ag);
-                // Root admin has access to both VM and AG by default, but make sure the
-                // owner of these entities is same
-                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
-                    if (ag.getAccountId() != owner.getAccountId()) {
-                        throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
-                    }
-                }
+                _accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
             }
         }
         _affinityGroupVMMapDao.updateMap(vmId, affinityGroupIds);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
index 73bf0d2..ad1a2c4 100644
--- a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
+++ b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
@@ -24,14 +24,15 @@ import java.util.Map;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.user.loadbalancer.ListApplicationLoadBalancersCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
 
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
@@ -114,7 +115,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
         }
 
         Account caller = CallContext.current().getCallingAccount();
-        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, guestNtwk);
+        _accountMgr.checkAccess(caller, AccessType.UseEntry, guestNtwk);
 
         Network sourceIpNtwk = _networkModel.getNetwork(sourceIpNetworkId);
         if (sourceIpNtwk == null) {
@@ -546,7 +547,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
         if (rule == null) {
             throw new InvalidParameterValueException("Unable to find load balancer " + id);
         }
-        _accountMgr.checkAccess(caller, null, true, rule);
+        _accountMgr.checkAccess(caller, null, rule);
 
         if (customId != null) {
             rule.setUuid(customId);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
index ba71d63..67f2c02 100644
--- a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
+++ b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
@@ -147,7 +147,7 @@ public class CertServiceImpl implements CertService {
         if (certVO == null) {
             throw new InvalidParameterValueException("Invalid certificate id: " + certId);
         }
-        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, certVO);
+        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, certVO);
 
         List<LoadBalancerCertMapVO> lbCertRule = _lbCertDao.listByCertId(certId);
 
@@ -191,7 +191,7 @@ public class CertServiceImpl implements CertService {
                 throw new InvalidParameterValueException("Invalid certificate id: " + certId);
             }
 
-            _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVO);
+            _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVO);
 
             certLbMap = _lbCertDao.listByCertId(certId);
 
@@ -206,7 +206,7 @@ public class CertServiceImpl implements CertService {
                 throw new InvalidParameterValueException("found no loadbalancer  wth id: " + lbRuleId);
             }
 
-            _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, lb);
+            _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, lb);
 
             // get the cert id
             LoadBalancerCertMapVO lbCertMapRule;
@@ -229,7 +229,7 @@ public class CertServiceImpl implements CertService {
         List<SslCertVO> certVOList = _sslCertDao.listByAccountId(accountId);
         if (certVOList == null || certVOList.isEmpty())
             return certResponseList;
-        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVOList.get(0));
+        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVOList.get(0));
 
         for (SslCertVO cert : certVOList) {
             certLbMap = _lbCertDao.listByCertId(cert.getId());

