cloudstack-commits mailing list archives

From mc...@apache.org
Subject [3/6] git commit: updated refs/heads/master to 94ebc90
Date Fri, 04 Apr 2014 23:47:39 GMT
Remove usage of sameOwner checkAccess invocation, and convert to
OperateEntry IAM check.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/94ebc908
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/94ebc908
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/94ebc908

Branch: refs/heads/master
Commit: 94ebc908776fee97fc996db15044a1fefbff7fdf
Parents: df302bd
Author: Min Chen <min.chen@citrix.com>
Authored: Fri Apr 4 15:33:55 2014 -0700
Committer: Min Chen <min.chen@citrix.com>
Committed: Fri Apr 4 16:38:29 2014 -0700

----------------------------------------------------------------------
 api/src/com/cloud/network/NetworkModel.java     |   4 +
 api/src/com/cloud/user/AccountService.java      |   5 +
 .../address/AssociateIPAddrCmdByAdmin.java      |   5 +-
 .../command/admin/vm/AddNicToVMCmdByAdmin.java  |   4 +-
 .../user/address/AssociateIPAddrCmd.java        |   1 +
 .../firewall/CreatePortForwardingRuleCmd.java   |   4 +-
 .../AssignToLoadBalancerRuleCmd.java            |  16 ++-
 .../ListLBStickinessPoliciesCmd.java            |   4 +-
 .../command/user/nat/EnableStaticNatCmd.java    |   8 +-
 .../user/snapshot/CreateSnapshotCmd.java        |   2 +
 .../api/command/user/vm/AddNicToVMCmd.java      |   1 +
 .../user/vmsnapshot/CreateVMSnapshotCmd.java    |   3 +-
 .../command/user/volume/CreateVolumeCmd.java    |   3 +
 .../lb/InternalLoadBalancerVMManagerImpl.java   |   9 +-
 .../contrail/management/MockAccountManager.java |  12 ++
 server/src/com/cloud/api/ApiResponseHelper.java |   2 +-
 .../cloud/api/dispatch/ParamProcessWorker.java  |   4 +-
 .../com/cloud/api/query/QueryManagerImpl.java   |  17 +--
 .../configuration/ConfigurationManagerImpl.java |   4 +-
 .../com/cloud/network/IpAddressManagerImpl.java |  17 ++-
 .../src/com/cloud/network/NetworkModelImpl.java |  25 +++++
 .../com/cloud/network/NetworkServiceImpl.java   |  26 ++---
 .../cloud/network/as/AutoScaleManagerImpl.java  |  10 +-
 .../network/firewall/FirewallManagerImpl.java   |  19 ++--
 .../lb/LoadBalancingRulesManagerImpl.java       |  36 +++---
 .../VirtualNetworkApplianceManagerImpl.java     |  23 ++--
 .../cloud/network/rules/RulesManagerImpl.java   |  30 ++---
 .../security/SecurityGroupManagerImpl.java      |   8 +-
 .../network/vpc/NetworkACLServiceImpl.java      |  22 ++--
 .../com/cloud/network/vpc/VpcManagerImpl.java   |  24 ++--
 .../network/vpn/RemoteAccessVpnManagerImpl.java |  18 +--
 .../network/vpn/Site2SiteVpnManagerImpl.java    |  29 ++---
 .../com/cloud/projects/ProjectManagerImpl.java  |  18 +--
 .../resourcelimit/ResourceLimitManagerImpl.java |   8 +-
 .../com/cloud/server/ManagementServerImpl.java  |  12 +-
 .../com/cloud/servlet/ConsoleProxyServlet.java  |   2 +-
 .../com/cloud/storage/VolumeApiServiceImpl.java |  29 ++---
 .../storage/snapshot/SnapshotManagerImpl.java   |  15 +--
 .../cloud/tags/TaggedResourceManagerImpl.java   |   7 +-
 .../com/cloud/template/TemplateAdapterBase.java |   4 +-
 .../com/cloud/template/TemplateManagerImpl.java |  34 +++---
 .../src/com/cloud/user/AccountManagerImpl.java  |  34 ++++--
 server/src/com/cloud/vm/UserVmManagerImpl.java  | 109 ++++++-------------
 .../vm/snapshot/VMSnapshotManagerImpl.java      |  10 +-
 .../affinity/AffinityGroupServiceImpl.java      |  13 +--
 .../lb/ApplicationLoadBalancerManagerImpl.java  |   9 +-
 .../cloudstack/network/lb/CertServiceImpl.java  |   8 +-
 .../GlobalLoadBalancingRulesServiceImpl.java    |  14 +--
 .../com/cloud/event/EventControlsUnitTest.java  |   2 +-
 .../com/cloud/network/MockNetworkModelImpl.java |   9 ++
 .../com/cloud/user/MockAccountManagerImpl.java  |  11 ++
 server/test/com/cloud/vm/UserVmManagerTest.java |   8 +-
 .../vm/snapshot/VMSnapshotManagerTest.java      |   2 +-
 .../com/cloud/vpc/MockNetworkModelImpl.java     |   9 ++
 54 files changed, 416 insertions(+), 346 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/com/cloud/network/NetworkModel.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/NetworkModel.java b/api/src/com/cloud/network/NetworkModel.java
index 1c40e87..f48bc9a 100644
--- a/api/src/com/cloud/network/NetworkModel.java
+++ b/api/src/com/cloud/network/NetworkModel.java
@@ -22,6 +22,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -273,4 +275,6 @@ public interface NetworkModel {
     boolean isNetworkReadyForGc(long networkId);
 
     boolean getNetworkEgressDefaultPolicy(Long networkId);
+
+    void checkNetworkPermissions(Account owner, Network network, AccessType accessType);
 }
\ No newline at end of file
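Review bot: `checkNetworkPermissions` is added to the interface without a Javadoc, so neither implementers nor callers can tell how a denied check is reported or whether `accessType` may be null. The `checkAccess` overloads in AccountService declare `throws PermissionDeniedException`, whereas this signature declares nothing. If denial is signalled by that exception, document it, e.g. `/** Checks that owner may access network with the given access type; throws PermissionDeniedException when access is denied. */`, adjusted to the actual contract. The interface body starts outside the hunk.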

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/com/cloud/user/AccountService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index 7e37b38..4965270 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -106,6 +106,11 @@ public interface AccountService {
 
     void checkAccess(Account account, Domain domain) throws PermissionDeniedException;
 
+    void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException;
+
+    void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException;
+
+    // TODO: the following two interfaces will be deprecated by the above two counterparts when securityChecker implementation is in place
     void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException;
 
     void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
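Review bot: The two new `checkAccess` overloads carry no Javadoc, and the TODO added with them says the securityChecker implementation is not yet in place, so the ownership rule they enforce cannot be read from this interface. Elsewhere in this commit, call sites that passed `sameOwner = true` (for example ListLBStickinessPoliciesCmd) and one that passed `false` (ParamProcessWorker) are both moved to these overloads, so the distinction the callers used to express is now decided inside the implementation. I would add a Javadoc to each new overload stating how a null `accessType` is treated and which ownership check applies. The two older overloads should be marked `@Deprecated` once the replacement is complete. The interface body starts and ends outside the hunk.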

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
index dbff93f..494a6d6 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
@@ -31,8 +31,11 @@ import com.cloud.exception.InsufficientCapacityException;
 import com.cloud.exception.ResourceAllocationException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.IpAddress;
+import com.cloud.network.vpc.Vpc;
 
-@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full)
+@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full,
+        entityType = {IpAddress.class, Vpc.class},
+        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class AssociateIPAddrCmdByAdmin extends AssociateIPAddrCmd {
     public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmdByAdmin.class.getName());
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
index 996d1bd..ee6d0e7 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
@@ -32,8 +32,8 @@ import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.uservm.UserVm;
 
-@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full)
-
+@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full,
+        requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
 public class AddNicToVMCmdByAdmin extends AddNicToVMCmd {
     public static final Logger s_logger = Logger.getLogger(AddNicToVMCmdByAdmin.class);
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
index 3f0d246..091229f 100644
--- a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
@@ -58,6 +58,7 @@ import com.cloud.projects.Project;
 import com.cloud.user.Account;
 
 @APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Restricted,
+        entityType = {IpAddress.class, Vpc.class},
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class AssociateIPAddrCmd extends BaseAsyncCreateCmd {
     public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmd.class.getName());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
index 8d9aa6f..f18767e 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
@@ -45,8 +45,10 @@ import com.cloud.network.rules.PortForwardingRule;
 import com.cloud.user.Account;
 import com.cloud.utils.net.Ip;
 import com.cloud.utils.net.NetUtils;
+import com.cloud.vm.VirtualMachine;
 
-@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {PortForwardingRule.class},
+@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class,
+        VirtualMachine.class},
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements PortForwardingRule {
     public static final Logger s_logger = Logger.getLogger(CreatePortForwardingRuleCmd.class.getName());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
index 6a69792..eb26ce6 100644
--- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
@@ -16,15 +16,17 @@
 // under the License.
 package org.apache.cloudstack.api.command.user.loadbalancer;
 
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.ArrayList;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -38,13 +40,15 @@ import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.event.EventTypes;
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.LoadBalancer;
 import com.cloud.user.Account;
 import com.cloud.utils.StringUtils;
+import com.cloud.vm.VirtualMachine;
 
 @APICommand(name = "assignToLoadBalancerRule",
             description = "Assigns virtual machine or a list of virtual machines to a load balancer rule.",
-            responseObject = SuccessResponse.class,
+        responseObject = SuccessResponse.class, entityType = {FirewallRule.class, VirtualMachine.class},
             requestHasSensitiveInfo = false,
             responseHasSensitiveInfo = false)
 public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
@@ -56,6 +60,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.ID,
                type = CommandType.UUID,
                entityType = FirewallRuleResponse.class,
@@ -63,6 +68,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
                description = "the ID of the load balancer rule")
     private Long id;
 
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_IDS,
                type = CommandType.LIST,
                collectionType = CommandType.UUID,
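Review bot: The `@ACL(accessType = AccessType.OperateEntry)` added on the `VIRTUAL_MACHINE_IDS` parameter covers only that list, while the `execute()` call shown later in this file's diff also passes `vmIdIpsMap` to `_lbService.assignToLoadBalancer(...)`. If that map can name virtual machines that are not in the list parameter, they would not go through the annotation-driven check and would need to be verified in the service layer. The map parameter's declaration is outside the hunks shown, so how it is validated should be confirmed. Once confirmed, a short comment on the map field saying where its VM ids are access-checked would keep the two paths from drifting apart. The class body continues outside the hunk.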
@@ -157,7 +163,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
         boolean result = _lbService.assignToLoadBalancer(getLoadBalancerId(), virtualMachineIds, vmIdIpsMap);
         if (result) {
             SuccessResponse response = new SuccessResponse(getCommandName());
-            this.setResponseObject(response);
+            setResponseObject(response);
         } else {
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to assign load balancer rule");
         }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
index 2e7ae3c..1ceb214 100644
--- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
@@ -76,7 +76,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
         if (lb != null) {
             //check permissions
             Account caller = CallContext.current().getCallingAccount();
-            _accountService.checkAccess(caller, null, true, lb);
+            _accountService.checkAccess(caller, null, lb);
             List<? extends StickinessPolicy> stickinessPolicies = _lbService.searchForLBStickinessPolicies(this);
             LBStickinessResponse spResponse = _responseGenerator.createLBStickinessPolicyResponse(stickinessPolicies, lb);
             spResponses.add(spResponse);
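Review bot: `checkAccess(caller, null, lb)` passes a null `accessType`, so the level of access enforced depends on how the implementation treats null, which this page does not show. The same pattern appears in the hunks for InternalLoadBalancerVMManagerImpl (before the expunge, stop and start of the internal LB VM), ApiResponseHelper and QueryManagerImpl. The commit message describes a conversion to the OperateEntry check, so on the state-changing paths an explicit value would make the intent independent of the default, e.g. `_accountMgr.checkAccess(caller, AccessType.OperateEntry, internalLbVm);`. On the list paths, name whichever access type is intended. The enclosing method starts outside the hunk.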
@@ -84,7 +84,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
         }
 
         response.setResponseName(getCommandName());
-        this.setResponseObject(response);
+        setResponseObject(response);
     }
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
index aa4e287..94699ac 100644
--- a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
@@ -18,6 +18,8 @@ package org.apache.cloudstack.api.command.user.nat;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -35,8 +37,10 @@ import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.IpAddress;
 import com.cloud.user.Account;
 import com.cloud.uservm.UserVm;
+import com.cloud.vm.VirtualMachine;
 
 @APICommand(name = "enableStaticNat", description = "Enables static nat for given ip address", responseObject = SuccessResponse.class,
+        entityType = {IpAddress.class, VirtualMachine.class},
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class EnableStaticNatCmd extends BaseCmd {
     public static final Logger s_logger = Logger.getLogger(CreateIpForwardingRuleCmd.class.getName());
@@ -47,10 +51,12 @@ public class EnableStaticNatCmd extends BaseCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.IP_ADDRESS_ID, type = CommandType.UUID, entityType = IPAddressResponse.class, required = true, description = "the public IP "
         + "address id for which static nat feature is being enabled")
     private Long ipAddressId;
 
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, required = true, description = "the ID of "
         + "the virtual machine for enabling static nat feature")
     private Long virtualMachineId;
@@ -133,7 +139,7 @@ public class EnableStaticNatCmd extends BaseCmd {
             boolean result = _rulesService.enableStaticNat(ipAddressId, virtualMachineId, getNetworkId(), getVmSecondaryIp());
             if (result) {
                 SuccessResponse response = new SuccessResponse(getCommandName());
-                this.setResponseObject(response);
+                setResponseObject(response);
             } else {
                 throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to enable static nat");
             }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
index df7fe82..bd8662e 100644
--- a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.user.snapshot;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
@@ -62,6 +63,7 @@ public class CreateSnapshotCmd extends BaseAsyncCreateCmd {
             description = "The domain ID of the snapshot. If used with the account parameter, specifies a domain for the account associated with the disk volume.")
     private Long domainId;
 
+    @ACL
     @Parameter(name = ApiConstants.VOLUME_ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "The ID of the disk volume")
     private Long volumeId;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
index f265ecf..fd30152 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
@@ -54,6 +54,7 @@ public class AddNicToVMCmd extends BaseAsyncCmd {
             required=true, description="Virtual Machine ID")
     private Long vmId;
 
+    @ACL
     @Parameter(name = ApiConstants.NETWORK_ID, type = CommandType.UUID, entityType = NetworkResponse.class, required = true, description = "Network ID")
     private Long netId;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
index 10ff5cd..1310ba5 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
@@ -19,7 +19,6 @@ package org.apache.cloudstack.api.command.user.vmsnapshot;
 
 import java.util.logging.Logger;
 
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
@@ -43,7 +42,7 @@ public class CreateVMSnapshotCmd extends BaseAsyncCreateCmd {
     public static final Logger s_logger = Logger.getLogger(CreateVMSnapshotCmd.class.getName());
     private static final String s_name = "createvmsnapshotresponse";
 
-    @ACL(accessType = AccessType.OperateEntry)
+    @ACL
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, required = true, entityType = UserVmResponse.class, description = "The ID of the vm")
     private Long vmId;
 
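Review bot: Replacing `@ACL(accessType = AccessType.OperateEntry)` with a bare `@ACL` on `vmId` makes the check fall back to the annotation's default access type, which is not shown on this page. The commit message says call sites are being converted to the OperateEntry check, and other commands in this commit (AssignToLoadBalancerRuleCmd, EnableStaticNatCmd) add the explicit value, so this hunk goes in the opposite direction. If the default is weaker than OperateEntry, creating a VM snapshot would be allowed with less than operate-level access. Either keep `@ACL(accessType = AccessType.OperateEntry)` or add a comment on the field explaining why the default is sufficient here. The class body continues outside the hunk.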

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
index 75c34a2..2a65159 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
@@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.volume;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
@@ -89,6 +90,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
     @Parameter(name = ApiConstants.MAX_IOPS, type = CommandType.LONG, description = "max iops")
     private Long maxIops;
 
+    @ACL
     @Parameter(name = ApiConstants.SNAPSHOT_ID,
                type = CommandType.UUID,
                entityType = SnapshotResponse.class,
@@ -101,6 +103,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
     @Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin})
     private Boolean displayVolume;
 
+    @ACL
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
                type = CommandType.UUID,
                entityType = UserVmResponse.class,

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
index aa763d5..89707c9 100644
--- a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
+++ b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
@@ -27,11 +27,12 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.log4j.Logger;
+
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
-import org.apache.log4j.Logger;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
@@ -519,7 +520,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
             return true;
         }
 
-        _accountMgr.checkAccess(caller, null, true, internalLbVm);
+        _accountMgr.checkAccess(caller, null, internalLbVm);
 
         _itMgr.expunge(internalLbVm.getUuid());
         _internalLbVmDao.remove(internalLbVm.getId());
@@ -534,7 +535,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
         }
 
         //check permissions
-        _accountMgr.checkAccess(caller, null, true, internalLbVm);
+        _accountMgr.checkAccess(caller, null, internalLbVm);
 
         return stopInternalLbVm(internalLbVm, forced, caller, callerUserId);
     }
@@ -912,7 +913,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
         }
 
         //check permissions
-        _accountMgr.checkAccess(caller, null, true, internalLbVm);
+        _accountMgr.checkAccess(caller, null, internalLbVm);
 
         return startInternalLbVm(internalLbVm, caller, callerUserId, null);
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index 957f708..8fa6fed 100644
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -381,4 +381,16 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
         return null;
     }
 
+    @Override
+    public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
+        // TODO Auto-generated method stub
+
+    }
+
+    @Override
+    public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
+        // TODO Auto-generated method stub
+
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index 38f2f0b..ba1e91f 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -1543,7 +1543,7 @@ public class ApiResponseHelper implements ResponseGenerator {
                 throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId());
             }
         } else if (_accountMgr.isDomainAdmin(caller.getId())) {
-            _accountMgr.checkAccess(caller, null, true, jobOwner);
+            _accountMgr.checkAccess(caller, null, jobOwner);
         }
 
         return createAsyncJobResponse(_jobMgr.queryJob(cmd.getId(), true));

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
index 21932f7..c86689f 100644
--- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -43,11 +43,11 @@ import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.BaseCmd.CommandType;
 import org.apache.cloudstack.api.EntityReference;
 import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.BaseCmd.CommandType;
 import org.apache.cloudstack.api.command.admin.resource.ArchiveAlertsCmd;
 import org.apache.cloudstack.api.command.admin.resource.DeleteAlertsCmd;
 import org.apache.cloudstack.api.command.user.event.ArchiveEventsCmd;
@@ -244,7 +244,7 @@ public class ParamProcessWorker implements DispatchWorker {
                     if (AccessType.OperateEntry == entitiesToAccess.get(entity)) {
                         entitiesToOperate.add((ControlledEntity) entity);
                     } else {
-                        _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), false, apiName,
+                        _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), apiName,
                                 (ControlledEntity) entity);
                     }
                 } else if (entity instanceof InfrastructureEntity) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 3abb944..f31b1f8 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -26,6 +26,9 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.affinity.AffinityGroupDomainMapVO;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
@@ -95,8 +98,6 @@ import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
 import org.apache.cloudstack.engine.subsystem.api.storage.TemplateState;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.query.QueryService;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
 
 import com.cloud.api.query.dao.AccountJoinDao;
 import com.cloud.api.query.dao.AffinityGroupJoinDao;
@@ -1005,7 +1006,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             if (userVM == null) {
                 throw new InvalidParameterValueException("Unable to list network groups for virtual machine instance " + instanceId + "; instance not found.");
             }
-            _accountMgr.checkAccess(caller, null, true, userVM);
+            _accountMgr.checkAccess(caller, null, userVM);
             return listSecurityGroupRulesByVM(instanceId.longValue(), cmd.getStartIndex(), cmd.getPageSizeVal());
         }
 
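Review bot: The rewritten call `_accountMgr.checkAccess(caller, null, userVM)` still passes `null` as the access type, so the level of access this listing path requires is not stated at the call site and depends on whatever default `checkAccess` applies, which is not visible in this hunk. The commit description speaks of converting to an OperateEntry IAM check, so a reader may assume a stronger check than the one actually made. I would either pass the intended `AccessType` constant explicitly or add a comment such as `// null access type: relies on checkAccess's default; confirm it is the level intended for list calls`. The same applies to the other `checkAccess(caller, null, ...)` calls in the remaining hunks of this file; the enclosing method starts and ends outside the hunk.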
@@ -1847,7 +1848,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                 throw new InvalidParameterValueException("Unable to find account by id " + accountId);
             }
 
-            _accountMgr.checkAccess(caller, null, true, account);
+            _accountMgr.checkAccess(caller, null, account);
         }
 
         if (domainId != null) {
@@ -1863,7 +1864,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                 if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
                     throw new InvalidParameterValueException("Unable to find account by name " + accountName + " in domain " + domainId);
                 }
-                _accountMgr.checkAccess(caller, null, true, account);
+                _accountMgr.checkAccess(caller, null, account);
             }
         }
 
@@ -2488,7 +2489,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                 throw ex;
             }
 
-            _accountMgr.checkAccess(caller, null, true, vmInstance);
+            _accountMgr.checkAccess(caller, null, vmInstance);
 
             ServiceOfferingVO offering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
             sc.addAnd("id", SearchCriteria.Op.NEQ, offering.getId());
@@ -2913,7 +2914,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             // if template is not public, perform permission check here
             if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) {
                 Account owner = _accountMgr.getAccount(template.getAccountId());
-                _accountMgr.checkAccess(caller, null, true, owner);
+                _accountMgr.checkAccess(caller, null, owner);
             }
 
             // if templateId is specified, then we will just use the id to
@@ -3181,7 +3182,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             if (userVM == null) {
                 throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
             }
-            _accountMgr.checkAccess(caller, null, true, userVM);
+            _accountMgr.checkAccess(caller, null, userVM);
             return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
         }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index bdceed7..75f4d8a 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -16,7 +16,6 @@
 // under the License.
 package com.cloud.configuration;
 
-import com.cloud.network.element.NetworkElement;
 import java.net.URI;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
@@ -154,6 +153,7 @@ import com.cloud.network.dao.PhysicalNetworkDao;
 import com.cloud.network.dao.PhysicalNetworkTrafficTypeDao;
 import com.cloud.network.dao.PhysicalNetworkTrafficTypeVO;
 import com.cloud.network.dao.PhysicalNetworkVO;
+import com.cloud.network.element.NetworkElement;
 import com.cloud.network.rules.LoadBalancerContainer.Scheme;
 import com.cloud.network.vpc.VpcManager;
 import com.cloud.offering.DiskOffering;
@@ -4337,7 +4337,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
                 throw new InvalidParameterValueException("Can't update system networks");
             }
 
-            _accountMgr.checkAccess(caller, null, true, network);
+            _accountMgr.checkAccess(caller, null, network);
 
             List<Long> offeringIds = _networkModel.listNetworkOfferingsForUpgrade(networkId);
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/IpAddressManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/IpAddressManagerImpl.java b/server/src/com/cloud/network/IpAddressManagerImpl.java
index 9b1f9bd..746221f 100644
--- a/server/src/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/com/cloud/network/IpAddressManagerImpl.java
@@ -29,6 +29,8 @@ import java.util.UUID;
 
 import javax.inject.Inject;
 
+import org.apache.log4j.Logger;
+
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.context.CallContext;
@@ -40,7 +42,6 @@ import org.apache.cloudstack.region.PortableIp;
 import org.apache.cloudstack.region.PortableIpDao;
 import org.apache.cloudstack.region.PortableIpVO;
 import org.apache.cloudstack.region.Region;
-import org.apache.log4j.Logger;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.alert.AlertManager;
@@ -409,7 +410,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
         Account caller = CallContext.current().getCallingAccount();
         long callerUserId = CallContext.current().getCallingUserId();
         // check permissions
-        _accountMgr.checkAccess(caller, null, false, ipOwner);
+        _accountMgr.checkAccess(caller, null, ipOwner);
 
         DataCenter zone = _entityMgr.findById(DataCenter.class, zoneId);
 
@@ -1164,15 +1165,14 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
             if (zone.getNetworkType() == NetworkType.Advanced) {
                 if (network.getGuestType() == Network.GuestType.Shared) {
                     if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
-                        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
-                                network);
+                        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
                     } else {
                         throw new InvalidParameterValueException("IP can be associated with guest network of 'shared' type only if "
                                                                  + "network services Source Nat, Static Nat, Port Forwarding, Load balancing, firewall are enabled in the network");
                     }
                 }
             } else {
-                _accountMgr.checkAccess(caller, null, true, ipToAssoc);
+                _accountMgr.checkAccess(caller, null, ipToAssoc);
             }
             owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
         } else {
@@ -1187,7 +1187,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
 
         Network network = _networksDao.findById(networkId);
         if (network != null) {
-            _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network);
+            _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
         } else {
             s_logger.debug("Unable to find ip address by id: " + ipId);
             return null;
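Review bot: The `else` branch after the rewritten `checkAccess(owner, AccessType.UseEntry, network)` logs `"Unable to find ip address by id: " + ipId`, but the lookup that returned null is `_networksDao.findById(networkId)`. Anyone triaging a failed association from the debug log is pointed at the wrong object. I would change it to `s_logger.debug("Unable to find network by id: " + networkId);`. The enclosing method starts and ends outside the hunk.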
@@ -1319,11 +1319,10 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
             if (zone.getNetworkType() == NetworkType.Advanced) {
                 if (network.getGuestType() == Network.GuestType.Shared) {
                     assert (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId()));
-                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
-                            network);
+                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
                 }
             } else {
-                _accountMgr.checkAccess(caller, null, true, ipToAssoc);
+                _accountMgr.checkAccess(caller, null, ipToAssoc);
             }
             owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
         } else {
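Review bot: The shared-network branch relies on `assert (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId()));`, which the JVM evaluates only when assertions are enabled, so in a normal deployment this precondition is not enforced before `checkAccess` runs. The hunk at `@@ -1164,15` in this same file handles the same condition by throwing `InvalidParameterValueException` when the offering has no services enabled. Unless the difference is deliberate, I would replace the assert with the same explicit guard, `if (!isSharedNetworkOfferingWithServices(network.getNetworkOfferingId()))` followed by the throw. The enclosing method starts and ends outside the hunk.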

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/NetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index cdacf78..918ebf8 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -35,6 +35,7 @@ import javax.naming.ConfigurationException;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
 
@@ -97,6 +98,7 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
 import com.cloud.projects.dao.ProjectAccountDao;
 import com.cloud.server.ConfigurationServer;
 import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
 import com.cloud.user.AccountVO;
 import com.cloud.user.DomainManager;
 import com.cloud.user.dao.AccountDao;
@@ -137,6 +139,8 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
     @Inject
     DomainDao _domainDao = null;
     @Inject
+    AccountManager _accountMgr;
+    @Inject
     ConfigurationDao _configDao;
 
     @Inject
@@ -1567,6 +1571,27 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
     }
 
     @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+        if (network == null) {
+            throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
+        }
+
+        AccountVO networkOwner = _accountDao.findById(network.getAccountId());
+        if (networkOwner == null) {
+            throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+                    + ", network does not have an owner");
+        }
+        if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+            if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId())) {
+                throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+                        + ", permission denied");
+            }
+        } else {
+            _accountMgr.checkAccess(owner, accessType, network);
+        }
+    }
+
+    @Override
     public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType) {
         try {
             PhysicalNetwork publicPhyNetwork = getOnePhysicalNetworkByZoneAndTrafficType(dcId, TrafficType.Public);
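Review bot: `checkNetworkPermissions` consults `accessType` only in the final `else`; when the network is owned by a project account and `owner` is not a project account, the result depends on `canAccessProjectAccount` alone, so every access type gets the same answer for project networks. If that is intended it deserves a comment on that branch, e.g. `// project-owned network: project membership is the only gate, accessType is not consulted`; if not, the project branch needs its own access-type check. The method also null-checks `network` but dereferences `owner` unguarded at `owner.getType()`. The `(NetworkVO) network` cast used to build the two error messages would throw `ClassCastException` for any other `Network` implementation, which would mask the intended `PermissionDeniedException`.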

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/NetworkServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index f23991c..c0791ae 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -40,7 +40,6 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-import com.cloud.network.lb.LoadBalancingRulesService;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
@@ -123,6 +122,7 @@ import com.cloud.network.element.OvsProviderVO;
 import com.cloud.network.element.VirtualRouterElement;
 import com.cloud.network.element.VpcVirtualRouterElement;
 import com.cloud.network.guru.NetworkGuru;
+import com.cloud.network.lb.LoadBalancingRulesService;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRuleVO;
 import com.cloud.network.rules.RulesManager;
@@ -542,7 +542,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                 // if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
                 if (zone.getNetworkType() == NetworkType.Advanced) {
                     if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
-                        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+                        _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
                         if (s_logger.isDebugEnabled()) {
                             s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
                         }
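Review bot: The comment above the rewritten call still says the caller is checked for `'AccessType.UseNetwork'`, while the code passes `AccessType.UseEntry`. On an authorization path the comment should name the check that is actually made; I would change it to `// shared network in an advanced zone: check the caller against the network for AccessType.UseEntry`. The hunk at `@@ -585,7` carries the same comment. The enclosing method starts and ends outside the hunk.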
@@ -554,7 +554,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                 }
             }
         } else {
-            _accountMgr.checkAccess(caller, null, false, ipOwner);
+            _accountMgr.checkAccess(caller, null, ipOwner);
         }
 
         return _ipAddrMgr.allocateIp(ipOwner, false, caller, callerUserId, zone, displayIp);
@@ -585,7 +585,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                 // if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
                 if (zone.getNetworkType() == NetworkType.Advanced) {
                     if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
-                        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+                        _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
                         if (s_logger.isDebugEnabled()) {
                             s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
                         }
@@ -605,7 +605,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
             }
         }
 
-        _accountMgr.checkAccess(caller, null, false, ipOwner);
+        _accountMgr.checkAccess(caller, null, ipOwner);
 
         return _ipAddrMgr.allocatePortableIp(ipOwner, caller, zoneId, null, null);
     }
@@ -671,7 +671,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
         final Account ipOwner = _accountMgr.getAccount(vm.getAccountId());
 
         // verify permissions
-        _accountMgr.checkAccess(caller, null, true, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         Network network = _networksDao.findById(networkId);
         if (network == null) {
@@ -767,7 +767,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
             throw new InvalidParameterValueException("There is no vm with the given secondary ip");
         }
         // verify permissions
-        _accountMgr.checkAccess(caller, null, true, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         Network network = _networksDao.findById(secIpVO.getNetworkId());
 
@@ -891,7 +891,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
 
         // verify permissions
         if (ipVO.getAllocatedToAccountId() != null) {
-            _accountMgr.checkAccess(caller, null, true, ipVO);
+            _accountMgr.checkAccess(caller, null, ipVO);
         }
 
         if (ipVO.isSourceNat()) {
@@ -1620,7 +1620,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
         Account owner = _accountMgr.getAccount(network.getAccountId());
 
         // Perform permission check
-        _accountMgr.checkAccess(caller, null, true, network);
+        _accountMgr.checkAccess(caller, null, network);
 
         if (forced && !_accountMgr.isRootAdmin(caller.getId())) {
             throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins");
@@ -1664,7 +1664,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
             throw new InvalidParameterException("Unable to restart a running SDN network.");
         }
 
-        _accountMgr.checkAccess(callerAccount, null, true, network);
+        _accountMgr.checkAccess(callerAccount, null, network);
 
         boolean success = _networkMgr.restartNetwork(networkId, callerAccount, callerUser, cleanup);
 
@@ -1800,7 +1800,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
             throw new InvalidParameterValueException("Can't allow networks which traffic type is not " + TrafficType.Guest);
         }
 
-        _accountMgr.checkAccess(callerAccount, null, true, network);
+        _accountMgr.checkAccess(callerAccount, null, network);
 
         if (name != null) {
             network.setName(name);
@@ -3845,7 +3845,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                 throw ex;
             }
 
-        _accountMgr.checkAccess(caller, null, true, userVm);
+        _accountMgr.checkAccess(caller, null, userVm);
         return _networkMgr.listVmNics(vmId, nicId, networkId);
     }
 
@@ -3869,7 +3869,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
 
         // verify permissions
         if (ipVO.getAllocatedToAccountId() != null) {
-            _accountMgr.checkAccess(caller, null, true, ipVO);
+            _accountMgr.checkAccess(caller, null, ipVO);
         } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
             throw new PermissionDeniedException("Only Root admin can update non-allocated ip addresses");
         }
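Review bot: The fallback branch decides root-admin status with `caller.getType() != Account.ACCOUNT_TYPE_ADMIN`, whereas the delete-network hunk at `@@ -1620,7` in this file uses `_accountMgr.isRootAdmin(caller.getId())`. Two different definitions of root admin on authorization paths can drift apart, particularly while access control is being moved to IAM checks as this commit does. I would write `} else if (!_accountMgr.isRootAdmin(caller.getId())) {` here so both paths share one definition. The enclosing method starts and ends outside the hunk.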

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
index c75dbba..09c6694 100644
--- a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
+++ b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
@@ -240,7 +240,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
             throw new InvalidParameterValueException("Unable to find " + paramName);
         }
 
-        _accountMgr.checkAccess(caller, null, false, (ControlledEntity)vo);
+        _accountMgr.checkAccess(caller, null, (ControlledEntity)vo);
 
         return vo;
     }
@@ -342,7 +342,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
 
         Account owner = _accountDao.findById(cmd.getAccountId());
         Account caller = CallContext.current().getCallingAccount();
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         long zoneId = cmd.getZoneId();
         long serviceOfferingId = cmd.getServiceOfferingId();
@@ -527,7 +527,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
 
                     ControlledEntity[] sameOwnerEntities = conditions.toArray(new ControlledEntity[conditions.size() + 1]);
                     sameOwnerEntities[sameOwnerEntities.length - 1] = autoScalePolicyVO;
-                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
+                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
 
                     if (conditionIds.size() != conditions.size()) {
                         // TODO report the condition id which could not be found
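Review bot: The array is still called `sameOwnerEntities`, but the `true` (sameOwner) argument that asked `checkAccess` to require a common owner is gone, and this hunk does not show whether the three-argument overload still enforces it. If it does not, conditions owned by one account could be attached to a policy owned by another whenever the caller has access to both. I would either confirm and document that the overload keeps the same-owner rule, or add an explicit owner comparison before the call, as sketched below. The hunk at `@@ -980,7` (policies, load balancer and profile) has the same pattern, as does the rule array in FirewallManagerImpl at `@@ -638,7`. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: sameOwnerEntities is built from conditions plus autoScalePolicyVO …
for (ControlledEntity entity : sameOwnerEntities) {
    // every condition must belong to the account that owns the policy
    if (entity.getAccountId() != autoScalePolicyVO.getAccountId()) {
        throw new InvalidParameterValueException("Conditions and the autoscale policy must belong to the same account");
    }
}
_accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
```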
@@ -621,7 +621,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
             idList.add(ApiDBUtils.findDomainById(domainId).getUuid());
             throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain with specifed domainId");
         }
-        _accountMgr.checkAccess(caller, null, false, owner);
+        _accountMgr.checkAccess(caller, null, owner);
     }
 
     private class SearchWrapper<VO extends ControlledEntity> {
@@ -980,7 +980,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
         ControlledEntity[] sameOwnerEntities = policies.toArray(new ControlledEntity[policies.size() + 2]);
         sameOwnerEntities[sameOwnerEntities.length - 2] = loadBalancer;
         sameOwnerEntities[sameOwnerEntities.length - 1] = profileVO;
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
 
         return Transaction.execute(new TransactionCallback<AutoScaleVmGroupVO>() {
             @Override

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index c312d3d..7306068 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -27,12 +27,13 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
 import org.apache.cloudstack.api.command.user.firewall.ListFirewallRulesCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
 
 import com.cloud.configuration.Config;
 import com.cloud.domain.dao.DomainDao;
@@ -271,7 +272,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
                 throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for firewall rules yet");
             }
-            _accountMgr.checkAccess(caller, null, true, ipAddressVO);
+            _accountMgr.checkAccess(caller, null, ipAddressVO);
         }
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
@@ -463,7 +464,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             }
 
             // Validate ip address
-            _accountMgr.checkAccess(caller, null, true, ipAddress);
+            _accountMgr.checkAccess(caller, null, ipAddress);
         }
 
         //network id either has to be passed explicitly, or implicitly as a part of ipAddress object
@@ -475,7 +476,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
         assert network != null : "Can't create rule as network associated with public ip address is null?";
 
         if (trafficType == FirewallRule.TrafficType.Egress) {
-            _accountMgr.checkAccess(caller, null, true, network);
+            _accountMgr.checkAccess(caller, null, network);
         }
 
         // Verify that the network guru supports the protocol specified
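Review bot: `assert network != null` is the only guard before the egress path calls `_accountMgr.checkAccess(caller, null, network)`, and assertions are normally disabled at runtime, so a missing network reaches the access check and the code after it as `null`. I would replace it with an explicit check, `if (network == null) { throw new InvalidParameterValueException("Can't create rule as network associated with public ip address is null"); }`. The enclosing method starts and ends outside the hunk.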
@@ -638,7 +639,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRuleVO[rules.size()]));
+            _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRuleVO[rules.size()]));
         }
 
         try {
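Review bot: The access check is skipped altogether when `caller` is null, and nothing in this hunk says which callers are allowed to pass null. The public `revokeRule(final FirewallRuleVO rule, Account caller, long userId, final boolean needUsageEvent)` in the hunk at `@@ -761,7` has the same guard. I would document the convention where it is used, e.g. `// caller == null: internal call, no access check is applied`, and state in the Javadoc that API-facing callers must always pass the calling account. That a null caller denotes a trusted internal call is my reading of the code rather than something the hunk states; the enclosing method starts and ends outside the hunk.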
@@ -692,7 +693,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule");
         }
 
-        _accountMgr.checkAccess(caller, null, true, rule);
+        _accountMgr.checkAccess(caller, null, rule);
 
         revokeRule(rule, caller, userId, false);
 
@@ -742,7 +743,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             throw new InvalidParameterValueException("Only root admin can update the system wide firewall rule");
         }
 
-        _accountMgr.checkAccess(caller, null, true, rule);
+        _accountMgr.checkAccess(caller, null, rule);
 
         if (customId != null) {
             rule.setUuid(customId);
@@ -761,7 +762,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
     @DB
     public void revokeRule(final FirewallRuleVO rule, Account caller, long userId, final boolean needUsageEvent) {
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, true, rule);
+            _accountMgr.checkAccess(caller, null, rule);
         }
 
         Transaction.execute(new TransactionCallbackNoReturn() {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index e67fdba..51c36b6 100755
--- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -30,7 +30,11 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
-import com.cloud.vm.dao.NicSecondaryIpDao;
+import org.apache.log4j.Logger;
+
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
+
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBHealthCheckPolicyCmd;
 import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBStickinessPolicyCmd;
@@ -46,7 +50,6 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
-import org.apache.log4j.Logger;
 
 import com.cloud.agent.api.to.LoadBalancerTO;
 import com.cloud.configuration.ConfigurationManager;
@@ -164,9 +167,8 @@ import com.cloud.vm.Nic;
 import com.cloud.vm.UserVmVO;
 import com.cloud.vm.VirtualMachine.State;
 import com.cloud.vm.dao.NicDao;
+import com.cloud.vm.dao.NicSecondaryIpDao;
 import com.cloud.vm.dao.UserVmDao;
-import com.google.gson.Gson;
-import com.google.gson.reflect.TypeToken;
 
 @Local(value = {LoadBalancingRulesManager.class, LoadBalancingRulesService.class})
 public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements LoadBalancingRulesManager, LoadBalancingRulesService {
@@ -527,7 +529,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
         if (loadBalancer.getState() == FirewallRule.State.Revoke) {
             throw new InvalidParameterValueException("Failed:  LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
         }
@@ -582,7 +584,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
 
         if (loadBalancer.getState() == FirewallRule.State.Revoke) {
             throw new InvalidParameterValueException("Failed:  LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
@@ -739,7 +741,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         }
         long loadBalancerId = loadBalancer.getId();
         FirewallRule.State backupState = loadBalancer.getState();
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
 
         if (apply) {
             if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -792,7 +794,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         }
         final long loadBalancerId = loadBalancer.getId();
         FirewallRule.State backupState = loadBalancer.getState();
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
 
         if (apply) {
             if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -1165,7 +1167,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterException("Invalid certificate id: " + certId);
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
 
         // check if LB and Cert belong to the same account
         if (loadBalancer.getAccountId() != certVO.getAccountId()) {
@@ -1228,7 +1230,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterException("No certificate is bound to lb with id: " + lbRuleId);
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
 
         boolean success = false;
         FirewallRule.State backupState = loadBalancer.getState();
@@ -1272,7 +1274,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterException("Invalid load balancer value: " + loadBalancerId);
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
 
         if (instanceIds == null && vmIdIpMap.isEmpty()) {
             throw new InvalidParameterValueException("Both instanceids and vmidipmap  can't be null");
@@ -1434,7 +1436,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         if (rule == null) {
             throw new InvalidParameterValueException("Unable to find load balancer rule " + loadBalancerId);
         }
-        _accountMgr.checkAccess(caller, null, true, rule);
+        _accountMgr.checkAccess(caller, null, rule);
 
         boolean result = deleteLoadBalancerRule(loadBalancerId, apply, caller, ctx.getCallingUserId(), true);
         if (!result) {
@@ -1658,7 +1660,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, ipAddr);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, ipAddr);
 
         final Long networkId = ipAddr.getAssociatedWithNetworkId();
         if (networkId == null) {
@@ -2032,7 +2034,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, true, lb);
+        _accountMgr.checkAccess(caller, null, lb);
 
         if (name != null) {
             lb.setName(name);
@@ -2111,7 +2113,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             return null;
         }
 
-        _accountMgr.checkAccess(caller, null, true, loadBalancer);
+        _accountMgr.checkAccess(caller, null, loadBalancer);
 
         List<UserVmVO> loadBalancerInstances = new ArrayList<UserVmVO>();
         List<String> serviceStates = new ArrayList<String>();
@@ -2188,7 +2190,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             return null;
         }
 
-        _accountMgr.checkAccess(caller, null, true, loadBalancer);
+        _accountMgr.checkAccess(caller, null, loadBalancer);
 
         List<LBStickinessPolicyVO> sDbpolicies = _lb2stickinesspoliciesDao.listByLoadBalancerId(cmd.getLbRuleId());
 
@@ -2203,7 +2205,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         if (loadBalancer == null) {
             return null;
         }
-        _accountMgr.checkAccess(caller, null, true, loadBalancer);
+        _accountMgr.checkAccess(caller, null, loadBalancer);
         List<LBHealthCheckPolicyVO> hcDbpolicies = _lb2healthcheckDao.listByLoadBalancerId(cmd.getLbRuleId());
         return hcDbpolicies;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index c692491..0899f42 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -41,10 +41,14 @@ import java.util.concurrent.TimeUnit;
 import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
+
 import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.alert.AlertService.AlertType;
 import org.apache.cloudstack.api.command.admin.router.RebootRouterCmd;
 import org.apache.cloudstack.api.command.admin.router.UpgradeRouterCmd;
 import org.apache.cloudstack.api.command.admin.router.UpgradeRouterTemplateCmd;
+import org.apache.cloudstack.config.ApiServiceConfiguration;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.config.ConfigDepot;
@@ -55,7 +59,7 @@ import org.apache.cloudstack.framework.jobs.AsyncJobManager;
 import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
-import org.apache.cloudstack.alert.AlertService.AlertType;
+
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.Listener;
 import com.cloud.agent.api.AgentControlAnswer;
@@ -69,13 +73,12 @@ import com.cloud.agent.api.CheckS2SVpnConnectionsCommand;
 import com.cloud.agent.api.Command;
 import com.cloud.agent.api.GetDomRVersionAnswer;
 import com.cloud.agent.api.GetDomRVersionCmd;
+import com.cloud.agent.api.GetRouterAlertsAnswer;
 import com.cloud.agent.api.ModifySshKeysCommand;
 import com.cloud.agent.api.NetworkUsageAnswer;
 import com.cloud.agent.api.NetworkUsageCommand;
 import com.cloud.agent.api.PvlanSetupCommand;
 import com.cloud.agent.api.StartupCommand;
-import com.cloud.agent.api.routing.GetRouterAlertsCommand;
-import com.cloud.agent.api.GetRouterAlertsAnswer;
 import com.cloud.agent.api.check.CheckSshAnswer;
 import com.cloud.agent.api.check.CheckSshCommand;
 import com.cloud.agent.api.routing.AggregationControlCommand;
@@ -84,6 +87,7 @@ import com.cloud.agent.api.routing.CreateIpAliasCommand;
 import com.cloud.agent.api.routing.DeleteIpAliasCommand;
 import com.cloud.agent.api.routing.DhcpEntryCommand;
 import com.cloud.agent.api.routing.DnsMasqConfigCommand;
+import com.cloud.agent.api.routing.GetRouterAlertsCommand;
 import com.cloud.agent.api.routing.IpAliasTO;
 import com.cloud.agent.api.routing.IpAssocCommand;
 import com.cloud.agent.api.routing.LoadBalancerConfigCommand;
@@ -183,6 +187,7 @@ import com.cloud.network.dao.MonitoringServiceVO;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.dao.OpRouterMonitorServiceDao;
+import com.cloud.network.dao.OpRouterMonitorServiceVO;
 import com.cloud.network.dao.PhysicalNetworkServiceProviderDao;
 import com.cloud.network.dao.RemoteAccessVpnDao;
 import com.cloud.network.dao.Site2SiteCustomerGatewayDao;
@@ -192,7 +197,6 @@ import com.cloud.network.dao.Site2SiteVpnGatewayDao;
 import com.cloud.network.dao.UserIpv6AddressDao;
 import com.cloud.network.dao.VirtualRouterProviderDao;
 import com.cloud.network.dao.VpnUserDao;
-import com.cloud.network.dao.OpRouterMonitorServiceVO;
 import com.cloud.network.lb.LoadBalancingRule;
 import com.cloud.network.lb.LoadBalancingRule.LbDestination;
 import com.cloud.network.lb.LoadBalancingRule.LbHealthCheckPolicy;
@@ -281,7 +285,6 @@ import com.cloud.vm.dao.NicIpAliasVO;
 import com.cloud.vm.dao.UserVmDao;
 import com.cloud.vm.dao.UserVmDetailsDao;
 import com.cloud.vm.dao.VMInstanceDao;
-import org.apache.cloudstack.config.ApiServiceConfiguration;
 
 /**
  * VirtualNetworkApplianceManagerImpl manages the different types of virtual network appliances available in the Cloud Stack.
@@ -457,7 +460,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
             return null;
         }
 
-        _accountMgr.checkAccess(caller, null, true, router);
+        _accountMgr.checkAccess(caller, null, router);
 
         _itMgr.expunge(router.getUuid());
         _routerDao.remove(router.getId());
@@ -476,7 +479,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
             throw new InvalidParameterValueException("Unable to find router with id " + routerId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, router);
+        _accountMgr.checkAccess(caller, null, router);
 
         if (router.getServiceOfferingId() == serviceOfferingId) {
             s_logger.debug("Router: " + routerId + "already has service offering: " + serviceOfferingId);
@@ -591,7 +594,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
             throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
         }
 
-        _accountMgr.checkAccess(account, null, true, router);
+        _accountMgr.checkAccess(account, null, router);
 
         final UserVO user = _userDao.findById(CallContext.current().getCallingUserId());
 
@@ -650,7 +653,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
             throw new InvalidParameterValueException("Unable to find domain router with id " + routerId + ".");
         }
 
-        _accountMgr.checkAccess(caller, null, true, router);
+        _accountMgr.checkAccess(caller, null, router);
 
         // Can reboot domain router only in Running state
         if (router == null || router.getState() != State.Running) {
@@ -3252,7 +3255,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
         if (router == null) {
             throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
         }
-        _accountMgr.checkAccess(caller, null, true, router);
+        _accountMgr.checkAccess(caller, null, router);
 
         final Account owner = _accountMgr.getAccount(router.getAccountId());
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/rules/RulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index 13f6306..5d56451 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -25,10 +25,12 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.user.firewall.ListPortForwardingRulesCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
-import org.apache.log4j.Logger;
 
 import com.cloud.configuration.ConfigurationManager;
 import com.cloud.domain.dao.DomainDao;
@@ -162,7 +164,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             }
         }
 
-        _accountMgr.checkAccess(caller, null, true, ipAddress, userVm);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipAddress, userVm);
 
         // validate that IP address and userVM belong to the same account
         if (ipAddress.getAllocatedToAccountId().longValue() != userVm.getAccountId()) {
@@ -187,7 +189,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             return;
         }
 
-        _accountMgr.checkAccess(caller, null, true, rule, userVm);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, rule, userVm);
 
         if (userVm.getState() == VirtualMachine.State.Destroyed || userVm.getState() == VirtualMachine.State.Expunging) {
             throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId());
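Review bot: With the sameOwner argument gone, the check on `rule, userVm` no longer says (judging by the flag's name) that both entities must belong to one account, and no explicit comparison is visible in this hunk. The preceding hunk keeps such a guard for `ipAddress` and `userVm` (`ipAddress.getAllocatedToAccountId().longValue() != userVm.getAccountId()`). A matching guard here would keep the invariant independent of how the IAM checker treats several entities, e.g. `if (rule.getAccountId() != userVm.getAccountId()) { throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId()); }`, assuming the rule exposes getAccountId() as the other entities on this page do. The array-based calls later in this file (`rules.toArray(...)`, `staticNatRules.toArray(...)`, `ips.toArray(...)`) lose the same flag and need the same confirmation. The method continues outside the hunk, so the comparison may already exist below.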
@@ -680,7 +682,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             throw new InvalidParameterValueException("Unable to find " + ruleId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, rule);
+        _accountMgr.checkAccess(caller, null, rule);
 
         if (!revokePortForwardingRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
             throw new CloudRuntimeException("Failed to delete port forwarding rule");
@@ -715,7 +717,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             throw new InvalidParameterValueException("Unable to find " + ruleId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, rule);
+        _accountMgr.checkAccess(caller, null, rule);
 
         if (!revokeStaticNatRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
             throw new CloudRuntimeException("Failed to revoke forwarding rule");
@@ -791,7 +793,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
                 throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
             }
-            _accountMgr.checkAccess(caller, null, true, ipAddressVO);
+            _accountMgr.checkAccess(caller, null, ipAddressVO);
         }
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
@@ -866,7 +868,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+            _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
         }
 
         try {
@@ -895,7 +897,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, true, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
+            _accountMgr.checkAccess(caller, null, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
         }
 
         try {
@@ -919,7 +921,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+            _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
         }
 
         try {
@@ -945,7 +947,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRule[rules.size()]));
+            _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRule[rules.size()]));
         }
 
         for (FirewallRuleVO rule : rules) {
@@ -973,7 +975,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, true, ips.toArray(new IPAddressVO[ips.size()]));
+            _accountMgr.checkAccess(caller, null, ips.toArray(new IPAddressVO[ips.size()]));
         }
 
         List<StaticNat> staticNats = new ArrayList<StaticNat>();
@@ -1009,7 +1011,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
                 throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
             }
-            _accountMgr.checkAccess(caller, null, true, ipAddressVO);
+            _accountMgr.checkAccess(caller, null, ipAddressVO);
         }
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(domainId, isRecursive, null);
@@ -1385,7 +1387,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, true, sourceIp);
+            _accountMgr.checkAccess(caller, null, sourceIp);
         }
 
         // create new static nat rule
@@ -1504,7 +1506,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         if (rule == null) {
             throw new InvalidParameterValueException("Unable to find " + id);
         }
-        _accountMgr.checkAccess(caller, null, true, rule);
+        _accountMgr.checkAccess(caller, null, rule);
 
         if (customId != null) {
             rule.setUuid(customId);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index f60a746..b4c67b8 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // Verify permissions
-        _accountMgr.checkAccess(caller, null, true, securityGroup);
+        _accountMgr.checkAccess(caller, null, securityGroup);
         Long domainId = owner.getDomainId();
 
         if (protocol == null) {
@@ -819,7 +819,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
 
         // Check permissions
         SecurityGroup securityGroup = _securityGroupDao.findById(rule.getSecurityGroupId());
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, securityGroup);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
 
         long securityGroupId = rule.getSecurityGroupId();
         Boolean result = Transaction.execute(new TransactionCallback<Boolean>() {
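Review bot: `securityGroup` comes straight from `_securityGroupDao.findById(...)` and is handed to checkAccess without a null guard, so a rule whose group row is missing reaches the authorization call with a null entity. Whether checkAccess rejects or skips a null entity is not visible here, so failing closed before the call is safer: `if (securityGroup == null) { throw new InvalidParameterValueException("Unable to find security group for rule"); }`. The last NetworkACLServiceImpl hunk (`@@ -664,7 +664,7 @@`) has the same shape: `acl` is dereferenced by `acl.getVpcId()` right after findById, and `vpc` is passed to checkAccess unguarded. That matters because an earlier comment on this page says default ACLs are listed under vpcId 0. Both methods start outside their hunks.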
@@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, true, group);
+        _accountMgr.checkAccess(caller, null, group);
 
         return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>() {
             @Override
@@ -1359,7 +1359,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // Verify permissions
-        _accountMgr.checkAccess(caller, null, false, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         // Validate parameters
         List<SecurityGroupVO> vmSgGrps = getSecurityGroupsForVm(vmId);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94ebc908/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
index e024fbe..d2aa617 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -103,7 +103,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         if (vpc == null) {
             throw new InvalidParameterValueException("Unable to find VPC");
         }
-        _accountMgr.checkAccess(caller, null, true, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
         return _networkAclMgr.createNetworkACL(name, description, vpcId, forDisplay);
     }
 
@@ -161,7 +161,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
             if (vpc == null) {
                 throw new InvalidParameterValueException("Unable to find VPC");
             }
-            _accountMgr.checkAccess(caller, null, true, vpc);
+            _accountMgr.checkAccess(caller, null, vpc);
             //Include vpcId 0 to list default ACLs
             sc.setParameters("vpcId", vpcId, 0);
         } else {
@@ -225,7 +225,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         if (vpc == null) {
             throw new InvalidParameterValueException("Unable to find specified VPC associated with the ACL");
         }
-        _accountMgr.checkAccess(caller, null, true, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
         return _networkAclMgr.deleteNetworkACL(acl);
     }
 
@@ -256,14 +256,14 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
             if (vpc == null) {
                 throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
             }
-            _accountMgr.checkAccess(caller, null, true, vpc);
+            _accountMgr.checkAccess(caller, null, vpc);
             if (!gateway.getVpcId().equals(acl.getVpcId())) {
                 throw new InvalidParameterValueException("private gateway: " + privateGatewayId + " and ACL: " + aclId + " do not belong to the same VPC");
             }
         }
 
         PrivateGateway privateGateway = _vpcSvc.getVpcPrivateGateway(gateway.getId());
-        _accountMgr.checkAccess(caller, null, true, privateGateway);
+        _accountMgr.checkAccess(caller, null, privateGateway);
 
         return  _networkAclMgr.replaceNetworkACLForPrivateGw(acl, privateGateway);
 
@@ -299,7 +299,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
                 throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
             }
 
-            _accountMgr.checkAccess(caller, null, true, vpc);
+            _accountMgr.checkAccess(caller, null, vpc);
             if (!network.getVpcId().equals(acl.getVpcId())) {
                 throw new InvalidParameterValueException("Network: " + networkId + " and ACL: " + aclId + " do not belong to the same VPC");
             }
@@ -371,7 +371,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         if (vpc == null) {
             throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
         }
-        _accountMgr.checkAccess(caller, null, true, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
 
         //Ensure that number is unique within the ACL
         if (aclItemCmd.getNumber() != null) {
@@ -546,7 +546,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
                 if (vpc == null) {
                     throw new InvalidParameterValueException("Unable to find VPC associated with acl");
                 }
-                _accountMgr.checkAccess(caller, null, true, vpc);
+                _accountMgr.checkAccess(caller, null, vpc);
             }
             sc.setParameters("aclId", aclId);
         } else {
@@ -615,7 +615,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
 
             Account caller = CallContext.current().getCallingAccount();
 
-            _accountMgr.checkAccess(caller, null, true, vpc);
+            _accountMgr.checkAccess(caller, null, vpc);
 
             if((aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW) || (aclItem.getAclId() == NetworkACL.DEFAULT_DENY)){
                 throw new InvalidParameterValueException("ACL Items in default ACL cannot be deleted");
@@ -642,7 +642,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
 
         Account caller = CallContext.current().getCallingAccount();
 
-        _accountMgr.checkAccess(caller, null, true, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
 
         if (number != null) {
             //Check if ACL Item with specified number already exists
@@ -664,7 +664,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         NetworkACLVO acl = _networkACLDao.findById(id);
         Vpc vpc = _entityMgr.findById(Vpc.class, acl.getVpcId());
         Account caller = CallContext.current().getCallingAccount();
-        _accountMgr.checkAccess(caller, null, true, vpc);
+        _accountMgr.checkAccess(caller, null, vpc);
 
         if (customId != null) {
             acl.setUuid(customId);

