cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mc...@apache.org
Subject [4/4] git commit: updated refs/heads/master to 29f3914
Date Fri, 18 Apr 2014 01:40:27 GMT
Fix IAM list api implementation based on agreed interpretation for
listAll, isRecursive, domainId and account.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/29f39149
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/29f39149
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/29f39149

Branch: refs/heads/master
Commit: 29f39149b1022d9dbcc6a8a4d433d7e1c84da15b
Parents: c25332f
Author: Min Chen <min.chen@citrix.com>
Authored: Thu Apr 17 15:44:35 2014 -0700
Committer: Min Chen <min.chen@citrix.com>
Committed: Thu Apr 17 18:33:22 2014 -0700

----------------------------------------------------------------------
 .../com/cloud/api/query/QueryManagerImpl.java   |  2 +-
 .../src/com/cloud/user/AccountManagerImpl.java  | 44 +++++++++++++-------
 2 files changed, 31 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/29f39149/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index f31b1f8..9b0fe1c 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -685,7 +685,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService
{
                 cmd.getDomainId(), cmd.isRecursive(), null);
         _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(),
permittedDomains, permittedAccounts, permittedResources,
                 domainIdRecursiveListProject, cmd.listAll(), false, "listInstanceGroups");
-        Long domainId = domainIdRecursiveListProject.first();
+        // Long domainId = domainIdRecursiveListProject.first();
         Boolean isRecursive = domainIdRecursiveListProject.second();
         ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/29f39149/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index b48f047..b7eb712 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2165,8 +2165,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
             List<Long> permittedResources, Ternary<Long, Boolean, ListProjectResourcesCriteria>
domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation,
             String action) {
 
-        Account owner = null; // for impersonation
         Long domainId = domainIdRecursiveListProject.first();
+        Long accountId = null;
         if (id == null) {
             // if id is specified, it will ignore all other parameters
             if (domainId != null) {
@@ -2179,7 +2179,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
                 checkAccess(caller, domain);
             }
 
-            // specific account is specified, we need to impersonate that account instead
of caller
+            // specific account is specified, we need to filter contents to only show contents
owned by that account.
             if (accountName != null) {
                 if (projectId != null) {
                     throw new InvalidParameterValueException("Account and projectId can't
be specified together");
@@ -2198,7 +2198,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
                 if (userAccount != null) {
                     //check permissions
                     checkAccess(caller, null, userAccount);
-                    owner = userAccount;
+                    accountId = userAccount.getId();
                 } else {
                     throw new InvalidParameterValueException("could not find account " +
accountName + " in domain " + domain.getUuid());
                 }
@@ -2226,10 +2226,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
                 }
             }
         } else {
-            if (owner == null) {
-                // no impersonation, so we directly check permission for caller
-                owner = caller;
-            }
             AccessType accessType = AccessType.UseEntry;
             if (listAll || id != null) {
                 // listAll = true or id given should show all resources that owner has ListEntry
access type.
@@ -2245,18 +2241,37 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
                 return; // no futher filtering
 
             QuerySelector qs = _querySelectors.get(0);
-            boolean grantedAll = qs.isGrantedAll(owner, action, accessType);
+            boolean grantedAll = qs.isGrantedAll(caller, action, accessType);
+
             if ( grantedAll ){
-                if (domainId != null) {
+                if (accountId != null) {
+                    permittedAccounts.add(accountId);
+                    domainIdRecursiveListProject.second(false);  // isRecursive is only valid
if only domainId is passed.
+                } else if (domainId != null) {
                     permittedDomains.add(domainId);
+                } else {
+                    domainIdRecursiveListProject.second(false);  // isRecursive is only valid
if only domainId is passed.
                 }
             }
             else {
-                List<Long> grantedDomains = qs.getAuthorizedDomains(owner, action,
accessType);
-                List<Long> grantedAccounts = qs.getAuthorizedAccounts(owner, action,
accessType);
-                List<Long> grantedResources = qs.getAuthorizedResources(owner, action,
accessType);
-
-                if (domainId != null) {
+                List<Long> grantedDomains = qs.getAuthorizedDomains(caller, action,
accessType);
+                List<Long> grantedAccounts = qs.getAuthorizedAccounts(caller, action,
accessType);
+                List<Long> grantedResources = qs.getAuthorizedResources(caller, action,
accessType);
+
+                if (accountId != null) {
+                    // specific account filter is specified
+                    if (grantedAccounts.contains(accountId)) {
+                        permittedAccounts.add(accountId);
+                    } else {
+                        //TODO: we should also filter granted resources based on accountId
passed.
+                        // potential bug, if accountId is passed, it may show some granted
resources that may not be owned by that account.
+                        // to fix this, we need to change the interface to also pass ControlledEntity
class to use EntityManager to find
+                        // ControlledEntity instance to check accountId. But this has some
issues for those non controlled entities,
+                        // like NetworkACLItem
+                        permittedResources.addAll(grantedResources);
+                    }
+                    domainIdRecursiveListProject.second(false);  // isRecursive is only valid
if only domainId is passed.
+                } else if (domainId != null) {
                     // specific domain and no account is specified
                     if (grantedDomains.contains(domainId)) {
                         permittedDomains.add(domainId);
@@ -2279,6 +2294,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
                     permittedDomains.addAll(grantedDomains);
                     permittedAccounts.addAll(grantedAccounts);
                     permittedResources.addAll(grantedResources);
+                    domainIdRecursiveListProject.second(false);  // isRecursive is only valid
if only domainId is passed.
                 }
 
                 if (permittedDomains.isEmpty() && permittedAccounts.isEmpty() &
permittedResources.isEmpty()) {


Mime
View raw message