cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mc...@apache.org
Subject git commit: updated refs/heads/4.4 to ba55002
Date Wed, 16 Apr 2014 17:20:08 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.4 406c289d1 -> ba5500213


CLOUDSTACK-6428:IAM - Domain Admin - When his sub-domainId is passed to
the listVirtualMachine command, Vms from all the domains are being
listed.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/ba550021
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/ba550021
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/ba550021

Branch: refs/heads/4.4
Commit: ba55002132ebda2992c28d195feb2327d5f7f3b4
Parents: 406c289
Author: Min Chen <min.chen@citrix.com>
Authored: Wed Apr 16 10:09:49 2014 -0700
Committer: Min Chen <min.chen@citrix.com>
Committed: Wed Apr 16 10:10:45 2014 -0700

----------------------------------------------------------------------
 .../iam/RoleBasedEntityQuerySelector.java       | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba550021/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
index a569403..40c8549 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java
@@ -31,6 +31,8 @@ import org.apache.cloudstack.iam.api.IAMPolicy;
 import org.apache.cloudstack.iam.api.IAMPolicyPermission;
 import org.apache.cloudstack.iam.api.IAMService;
 
+import com.cloud.domain.DomainVO;
+import com.cloud.domain.dao.DomainDao;
 import com.cloud.user.Account;
 import com.cloud.utils.component.AdapterBase;
 
@@ -40,6 +42,8 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements
QuerySe
 
     @Inject
     IAMService _iamService;
+    @Inject
+    DomainDao _domainDao;
 
     @Override
     public List<Long> getAuthorizedDomains(Account caller, String action, AccessType
accessType) {
@@ -61,11 +65,23 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements
QuerySe
             if (pp != null) {
                 for (IAMPolicyPermission p : pp) {
                     if (p.getScopeId() != null) {
+                        Long domainId = null;
                         if (p.getScopeId().longValue() == -1) {
-                            domainIds.add(caller.getDomainId());
+                            domainId = caller.getDomainId();
+                            //domainIds.add(caller.getDomainId());
                         } else {
-                            domainIds.add(p.getScopeId());
+                            domainId = p.getScopeId();
+                            //domainIds.add(p.getScopeId());
+                        }
+                        domainIds.add(domainId);
+                        // add all the domain children from this domain. Like RoleBasedEntityAccessChecker,
we made an assumption, if DOMAIN scope is granted, it means that
+                        // the whole domain tree is granted access.
+                        DomainVO domain = _domainDao.findById(domainId);
+                        List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath());
+                        if (childDomains != null && childDomains.size() > 0) {
+                            domainIds.addAll(childDomains);
                         }
+
                     }
                 }
             }


Mime
View raw message