cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@apache.org
Subject [2/2] git commit: updated refs/heads/4.4 to 4ca6549
Date Wed, 30 Apr 2014 08:38:26 GMT
CLOUDSTACK-6513: IAM - Templates - When templates are listed with
templatefilter="shared" is used , we see public templates also being
included in the list. This commit reverts listTemplates behavior to 4.3
old logic without using consistent interpretation of list parameters
adopted in new IAM model.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4ca65496
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4ca65496
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4ca65496

Branch: refs/heads/4.4
Commit: 4ca65496c2605eb2264d0acc7a43c2c539a3d9b0
Parents: 2f35ef2
Author: Min Chen <min.chen@citrix.com>
Authored: Fri Apr 25 17:24:34 2014 -0700
Committer: Daan Hoogland <daan@onecht.net>
Committed: Wed Apr 30 10:38:02 2014 +0200

----------------------------------------------------------------------
 .../contrail/management/MockAccountManager.java |   7 +
 .../com/cloud/api/query/QueryManagerImpl.java   | 345 ++++++++++++++++++-
 server/src/com/cloud/user/AccountManager.java   |   5 +
 .../src/com/cloud/user/AccountManagerImpl.java  |  88 +++++
 .../com/cloud/user/MockAccountManagerImpl.java  |   6 +
 5 files changed, 445 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ca65496/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index 4763cb7..3517cc9 100644
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -388,4 +388,11 @@ public class MockAccountManager extends ManagerBase implements AccountManager
{
 
     }
 
+    @Override
+    public void buildACLSearchParameters(Account caller, Long id, String accountName, Long
projectId, List<Long> permittedAccounts,
+            Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
boolean listAll, boolean forProjectInvitation) {
+        // TODO Auto-generated method stub
+
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ca65496/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index fb8b020..41b134f 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -26,6 +26,9 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.affinity.AffinityGroupDomainMapVO;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
@@ -95,8 +98,6 @@ import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
 import org.apache.cloudstack.engine.subsystem.api.storage.TemplateState;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.query.QueryService;
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
 
 import com.cloud.api.query.dao.AccountJoinDao;
 import com.cloud.api.query.dao.AffinityGroupJoinDao;
@@ -2805,7 +2806,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService
{
         return response;
     }
 
-    private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(ListTemplatesCmd
cmd) {
+    // Temporarily disable this method which used IAM model to do template list
+    private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternalIAM(ListTemplatesCmd
cmd) {
         TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter());
         Long id = cmd.getId();
         Map<String, String> tags = cmd.getTags();
@@ -2837,12 +2839,13 @@ public class QueryManagerImpl extends ManagerBase implements QueryService
{
         boolean showDomr = ((templateFilter != TemplateFilter.selfexecutable) &&
(templateFilter != TemplateFilter.featured));
         HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
 
-        return searchForTemplatesInternal(id, cmd.getTemplateName(), cmd.getKeyword(), templateFilter,
false, null,
+        return searchForTemplatesInternalIAM(id, cmd.getTemplateName(), cmd.getKeyword(),
templateFilter, false, null,
                 cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType,
showDomr,
                 cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources,
isRecursive, caller, listProjectResourcesCriteria, tags, showRemovedTmpl);
     }
 
-    private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(Long
templateId, String name,
+    // Temporarily disable this method which used IAM model to do template list
+    private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternalIAM(Long
templateId, String name,
             String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable,
Long pageSize,
             Long startIndex, Long zoneId, HypervisorType hyperType, boolean showDomr, boolean
onlyReady,
             List<Long> permittedDomains, List<Long> permittedAccounts, List<Long>
permittedResources, boolean isRecursive, Account caller,
@@ -3078,6 +3081,302 @@ public class QueryManagerImpl extends ManagerBase implements QueryService
{
 
     }
 
+    private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(ListTemplatesCmd
cmd) {
+        TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter());
+        Long id = cmd.getId();
+        Map<String, String> tags = cmd.getTags();
+        boolean showRemovedTmpl = cmd.getShowRemoved();
+        Account caller = CallContext.current().getCallingAccount();
+
+        boolean listAll = false;
+        if (templateFilter != null && templateFilter == TemplateFilter.all) {
+            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+                throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+                        + " can be specified by admin only");
+            }
+            listAll = true;
+        }
+
+        List<Long> permittedAccountIds = new ArrayList<Long>();
+        Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject
= new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+                cmd.getDomainId(), cmd.isRecursive(), null);
+        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(),
permittedAccountIds,
+                domainIdRecursiveListProject, listAll, false);
+        ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+        List<Account> permittedAccounts = new ArrayList<Account>();
+        for (Long accountId : permittedAccountIds) {
+            permittedAccounts.add(_accountMgr.getAccount(accountId));
+        }
+
+        boolean showDomr = ((templateFilter != TemplateFilter.selfexecutable) &&
(templateFilter != TemplateFilter.featured));
+        HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
+
+        return searchForTemplatesInternal(id, cmd.getTemplateName(), cmd.getKeyword(), templateFilter,
false, null,
+                cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType,
showDomr,
+                cmd.listInReadyState(), permittedAccounts, caller, listProjectResourcesCriteria,
tags, showRemovedTmpl);
+    }
+
+    private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(Long
templateId, String name,
+            String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable,
Long pageSize,
+            Long startIndex, Long zoneId, HypervisorType hyperType, boolean showDomr, boolean
onlyReady,
+            List<Account> permittedAccounts, Account caller, ListProjectResourcesCriteria
listProjectResourcesCriteria,
+            Map<String, String> tags, boolean showRemovedTmpl) {
+
+        // check if zone is configured, if not, just return empty list
+        List<HypervisorType> hypers = null;
+        if (!isIso) {
+            hypers = _resourceMgr.listAvailHypervisorInZone(null, null);
+            if (hypers == null || hypers.isEmpty()) {
+                return new Pair<List<TemplateJoinVO>, Integer>(new ArrayList<TemplateJoinVO>(),
0);
+            }
+        }
+
+        VMTemplateVO template = null;
+
+        Boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm"));
+        isAscending = (isAscending == null ? true : isAscending);
+        Filter searchFilter = new Filter(TemplateJoinVO.class, "sortKey", isAscending, startIndex,
pageSize);
+
+        SearchBuilder<TemplateJoinVO> sb = _templateJoinDao.createSearchBuilder();
+        sb.select(null, Func.DISTINCT, sb.entity().getTempZonePair()); // select distinct
(templateId, zoneId) pair
+        SearchCriteria<TemplateJoinVO> sc = sb.create();
+
+        // verify templateId parameter and specially handle it
+        if (templateId != null) {
+            template = _templateDao.findByIdIncludingRemoved(templateId); // Done for backward
compatibility - Bug-5221
+            if (template == null) {
+                throw new InvalidParameterValueException("Please specify a valid template
ID.");
+            }// If ISO requested then it should be ISO.
+            if (isIso && template.getFormat() != ImageFormat.ISO) {
+                s_logger.error("Template Id " + templateId + " is not an ISO");
+                InvalidParameterValueException ex = new InvalidParameterValueException(
+                        "Specified Template Id is not an ISO");
+                ex.addProxyObject(template.getUuid(), "templateId");
+                throw ex;
+            }// If ISO not requested then it shouldn't be an ISO.
+            if (!isIso && template.getFormat() == ImageFormat.ISO) {
+                s_logger.error("Incorrect format of the template id " + templateId);
+                InvalidParameterValueException ex = new InvalidParameterValueException("Incorrect
format "
+                        + template.getFormat() + " of the specified template id");
+                ex.addProxyObject(template.getUuid(), "templateId");
+                throw ex;
+            }
+
+            // if template is not public, perform permission check here
+            if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN)
{
+                Account owner = _accountMgr.getAccount(template.getAccountId());
+                _accountMgr.checkAccess(caller, null, true, owner);
+            }
+
+            // if templateId is specified, then we will just use the id to
+            // search and ignore other query parameters
+            sc.addAnd("id", SearchCriteria.Op.EQ, templateId);
+        } else {
+
+            DomainVO domain = null;
+            if (!permittedAccounts.isEmpty()) {
+                domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());
+            } else {
+                domain = _domainDao.findById(DomainVO.ROOT_DOMAIN);
+            }
+
+            // List<HypervisorType> hypers = null;
+            // if (!isIso) {
+            // hypers = _resourceMgr.listAvailHypervisorInZone(null, null);
+            // }
+
+            // add criteria for project or not
+            if (listProjectResourcesCriteria == ListProjectResourcesCriteria.SkipProjectResources)
{
+                sc.addAnd("accountType", SearchCriteria.Op.NEQ, Account.ACCOUNT_TYPE_PROJECT);
+            } else if (listProjectResourcesCriteria == ListProjectResourcesCriteria.ListProjectResourcesOnly)
{
+                sc.addAnd("accountType", SearchCriteria.Op.EQ, Account.ACCOUNT_TYPE_PROJECT);
+            }
+
+            // add criteria for domain path in case of domain admin
+            if ((templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable)
+                    && (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN ||
caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
+                sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
+            }
+
+            List<Long> relatedDomainIds = new ArrayList<Long>();
+            List<Long> permittedAccountIds = new ArrayList<Long>();
+            if (!permittedAccounts.isEmpty()) {
+                for (Account account : permittedAccounts) {
+                    permittedAccountIds.add(account.getId());
+                    boolean publicTemplates = (templateFilter == TemplateFilter.featured
|| templateFilter == TemplateFilter.community);
+
+                    // get all parent domain ID's all the way till root domain
+                    DomainVO domainTreeNode = null;
+                    //if template filter is featured, or community, all child domains should
be included in search
+                    if (publicTemplates) {
+                        domainTreeNode = _domainDao.findById(Domain.ROOT_DOMAIN);
+
+                    } else {
+                        domainTreeNode = _domainDao.findById(account.getDomainId());
+                    }
+                    relatedDomainIds.add(domainTreeNode.getId());
+                    while (domainTreeNode.getParent() != null) {
+                        domainTreeNode = _domainDao.findById(domainTreeNode.getParent());
+                        relatedDomainIds.add(domainTreeNode.getId());
+                    }
+
+                    // get all child domain ID's
+                    if (_accountMgr.isAdmin(account.getId()) || publicTemplates) {
+                        List<DomainVO> allChildDomains = _domainDao.findAllChildren(domainTreeNode.getPath(),
domainTreeNode.getId());
+                        for (DomainVO childDomain : allChildDomains) {
+                            relatedDomainIds.add(childDomain.getId());
+                        }
+                    }
+                }
+            }
+
+            if (!isIso) {
+                // add hypervisor criteria for template case
+                if (hypers != null && !hypers.isEmpty()) {
+                    String[] relatedHypers = new String[hypers.size()];
+                    for (int i = 0; i < hypers.size(); i++) {
+                        relatedHypers[i] = hypers.get(i).toString();
+                    }
+                    sc.addAnd("hypervisorType", SearchCriteria.Op.IN, relatedHypers);
+                }
+            }
+
+            // control different template filters
+            if (templateFilter == TemplateFilter.featured || templateFilter == TemplateFilter.community)
{
+                sc.addAnd("publicTemplate", SearchCriteria.Op.EQ, true);
+                if (templateFilter == TemplateFilter.featured) {
+                    sc.addAnd("featured", SearchCriteria.Op.EQ, true);
+                } else {
+                    sc.addAnd("featured", SearchCriteria.Op.EQ, false);
+                }
+                if (!permittedAccounts.isEmpty()) {
+                    SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+                    scc.addOr("domainId", SearchCriteria.Op.IN, relatedDomainIds.toArray());
+                    scc.addOr("domainId", SearchCriteria.Op.NULL);
+                    sc.addAnd("domainId", SearchCriteria.Op.SC, scc);
+                }
+            } else if (templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable)
{
+                if (!permittedAccounts.isEmpty()) {
+                    sc.addAnd("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
+                }
+            } else if (templateFilter == TemplateFilter.sharedexecutable || templateFilter
== TemplateFilter.shared) {
+                SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+                scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
+                scc.addOr("sharedAccountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
+                sc.addAnd("accountId", SearchCriteria.Op.SC, scc);
+            } else if (templateFilter == TemplateFilter.executable) {
+                SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+                scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true);
+                if (!permittedAccounts.isEmpty()) {
+                    scc.addOr("accountId", SearchCriteria.Op.IN, permittedAccountIds.toArray());
+                }
+                sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc);
+            }
+
+            // add tags criteria
+            if (tags != null && !tags.isEmpty()) {
+                SearchCriteria<TemplateJoinVO> scc = _templateJoinDao.createSearchCriteria();
+                for (String key : tags.keySet()) {
+                    SearchCriteria<TemplateJoinVO> scTag = _templateJoinDao.createSearchCriteria();
+                    scTag.addAnd("tagKey", SearchCriteria.Op.EQ, key);
+                    scTag.addAnd("tagValue", SearchCriteria.Op.EQ, tags.get(key));
+                    if (isIso) {
+                        scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.ISO);
+                    } else {
+                        scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.Template);
+                    }
+                    scc.addOr("tagKey", SearchCriteria.Op.SC, scTag);
+                }
+                sc.addAnd("tagKey", SearchCriteria.Op.SC, scc);
+            }
+
+            // other criteria
+
+            if (keyword != null) {
+                sc.addAnd("name", SearchCriteria.Op.LIKE, "%" + keyword + "%");
+            } else if (name != null) {
+                sc.addAnd("name", SearchCriteria.Op.EQ, name);
+            }
+
+            if (isIso) {
+                sc.addAnd("format", SearchCriteria.Op.EQ, "ISO");
+
+            } else {
+                sc.addAnd("format", SearchCriteria.Op.NEQ, "ISO");
+            }
+
+            if (!hyperType.equals(HypervisorType.None)) {
+                sc.addAnd("hypervisorType", SearchCriteria.Op.EQ, hyperType);
+            }
+
+            if (bootable != null) {
+                sc.addAnd("bootable", SearchCriteria.Op.EQ, bootable);
+            }
+
+            if (onlyReady) {
+                SearchCriteria<TemplateJoinVO> readySc = _templateJoinDao.createSearchCriteria();
+                readySc.addOr("state", SearchCriteria.Op.EQ, TemplateState.Ready);
+                readySc.addOr("format", SearchCriteria.Op.EQ, ImageFormat.BAREMETAL);
+                SearchCriteria<TemplateJoinVO> isoPerhostSc = _templateJoinDao.createSearchCriteria();
+                isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO);
+                isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST);
+                readySc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc);
+                sc.addAnd("state", SearchCriteria.Op.SC, readySc);
+            }
+
+            if (!showDomr) {
+                // excluding system template
+                sc.addAnd("templateType", SearchCriteria.Op.NEQ, Storage.TemplateType.SYSTEM);
+            }
+        }
+
+        if (zoneId != null) {
+            SearchCriteria<TemplateJoinVO> zoneSc = _templateJoinDao.createSearchCriteria();
+            zoneSc.addOr("dataCenterId", SearchCriteria.Op.EQ, zoneId);
+            zoneSc.addOr("dataStoreScope", SearchCriteria.Op.EQ, ScopeType.REGION);
+            // handle the case where xs-tools.iso and vmware-tools.iso do not
+            // have data_center information in template_view
+            SearchCriteria<TemplateJoinVO> isoPerhostSc = _templateJoinDao.createSearchCriteria();
+            isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO);
+            isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST);
+            zoneSc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc);
+            sc.addAnd("dataCenterId", SearchCriteria.Op.SC, zoneSc);
+        }
+
+        // don't return removed template, this should not be needed since we
+        // changed annotation for removed field in TemplateJoinVO.
+        // sc.addAnd("removed", SearchCriteria.Op.NULL);
+
+        // search unique templates and find details by Ids
+        Pair<List<TemplateJoinVO>, Integer> uniqueTmplPair = null;
+        if (showRemovedTmpl) {
+            uniqueTmplPair = _templateJoinDao.searchIncludingRemovedAndCount(sc, searchFilter);
+        } else {
+            sc.addAnd("templateState", SearchCriteria.Op.EQ, State.Active);
+            uniqueTmplPair = _templateJoinDao.searchAndCount(sc, searchFilter);
+        }
+
+        Integer count = uniqueTmplPair.second();
+        if (count.intValue() == 0) {
+            // empty result
+            return uniqueTmplPair;
+        }
+        List<TemplateJoinVO> uniqueTmpls = uniqueTmplPair.first();
+        String[] tzIds = new String[uniqueTmpls.size()];
+        int i = 0;
+        for (TemplateJoinVO v : uniqueTmpls) {
+            tzIds[i++] = v.getTempZonePair();
+        }
+        List<TemplateJoinVO> vrs = _templateJoinDao.searchByTemplateZonePair(showRemovedTmpl,
tzIds);
+        return new Pair<List<TemplateJoinVO>, Integer>(vrs, count);
+
+        // TODO: revisit the special logic for iso search in
+        // VMTemplateDaoImpl.searchForTemplates and understand why we need to
+        // specially handle ISO. The original logic is very twisted and no idea
+        // about what the code was doing.
+
+    }
+
     @Override
     public ListResponse<TemplateResponse> listIsos(ListIsosCmd cmd) {
         Pair<List<TemplateJoinVO>, Integer> result = searchForIsosInternal(cmd);
@@ -3103,6 +3402,40 @@ public class QueryManagerImpl extends ManagerBase implements QueryService
{
 
         boolean listAll = false;
         if (isoFilter != null && isoFilter == TemplateFilter.all) {
+            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+                throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+                        + " can be specified by admin only");
+            }
+            listAll = true;
+        }
+
+        List<Long> permittedAccountIds = new ArrayList<Long>();
+        Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject
= new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
+                cmd.getDomainId(), cmd.isRecursive(), null);
+        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(),
permittedAccountIds,
+                domainIdRecursiveListProject, listAll, false);
+        ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
+        List<Account> permittedAccounts = new ArrayList<Account>();
+        for (Long accountId : permittedAccountIds) {
+            permittedAccounts.add(_accountMgr.getAccount(accountId));
+        }
+
+        HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
+
+        return searchForTemplatesInternal(cmd.getId(), cmd.getIsoName(), cmd.getKeyword(),
isoFilter, true,
+                cmd.isBootable(), cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(),
hypervisorType, true,
+                cmd.listInReadyState(), permittedAccounts, caller, listProjectResourcesCriteria,
tags, showRemovedISO);
+    }
+
+    private Pair<List<TemplateJoinVO>, Integer> searchForIsosInternalIAM(ListIsosCmd
cmd) {
+        TemplateFilter isoFilter = TemplateFilter.valueOf(cmd.getIsoFilter());
+        Long id = cmd.getId();
+        Map<String, String> tags = cmd.getTags();
+        boolean showRemovedISO = cmd.getShowRemoved();
+        Account caller = CallContext.current().getCallingAccount();
+
+        boolean listAll = false;
+        if (isoFilter != null && isoFilter == TemplateFilter.all) {
             if (_accountMgr.isNormalUser(caller.getId())) {
                 throw new InvalidParameterValueException("Filter " + TemplateFilter.all
                         + " can be specified by admin only");
@@ -3127,7 +3460,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService
{
 
         HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor());
 
-        return searchForTemplatesInternal(cmd.getId(), cmd.getIsoName(), cmd.getKeyword(),
isoFilter, true,
+        return searchForTemplatesInternalIAM(cmd.getId(), cmd.getIsoName(), cmd.getKeyword(),
isoFilter, true,
                 cmd.isBootable(), cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(),
hypervisorType, true,
                 cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources,
isRecursive, caller, listProjectResourcesCriteria, tags, showRemovedISO);
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ca65496/server/src/com/cloud/user/AccountManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java
index 03bf842..748be2b2c 100755
--- a/server/src/com/cloud/user/AccountManager.java
+++ b/server/src/com/cloud/user/AccountManager.java
@@ -102,6 +102,11 @@ public interface AccountManager extends AccountService {
             List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria);
 
 
+    // deprecated methods that should only be used in listTemplates due to backwards compatibility
of templateFilter.
+    void buildACLSearchParameters(Account caller, Long id,
+            String accountName, Long projectId, List<Long> permittedAccounts, Ternary<Long,
Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll,
+            boolean forProjectInvitation);
+
     /**
      * Deletes a user by userId
      *

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ca65496/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index d43cf97..3ffcafc 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -2183,6 +2183,94 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
         return _userAccountDao.getUserByApiKey(apiKey);
     }
 
+    // NOTE: This method should only be used in listTemplates call, all other list calls
should use the new buildACLSearchParameters which takes
+    // "action" as extra parameter and uses new IAM model.
+    @Override
+    public void buildACLSearchParameters(Account caller, Long id, String accountName, Long
projectId, List<Long>
+            permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria>
domainIdRecursiveListProject,
+            boolean listAll, boolean forProjectInvitation) {
+        Long domainId = domainIdRecursiveListProject.first();
+        if (domainId != null) {
+            Domain domain = _domainDao.findById(domainId);
+            if (domain == null) {
+                throw new InvalidParameterValueException("Unable to find domain by id " +
domainId);
+            }
+            // check permissions
+            checkAccess(caller, domain);
+        }
+
+        if (accountName != null) {
+            if (projectId != null) {
+                throw new InvalidParameterValueException("Account and projectId can't be
specified together");
+            }
+
+            Account userAccount = null;
+            Domain domain = null;
+            if (domainId != null) {
+                userAccount = _accountDao.findActiveAccount(accountName, domainId);
+                domain = _domainDao.findById(domainId);
+            } else {
+                userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
+                domain = _domainDao.findById(caller.getDomainId());
+            }
+
+            if (userAccount != null) {
+                checkAccess(caller, null, false, userAccount);
+                // check permissions
+                permittedAccounts.add(userAccount.getId());
+            } else {
+                throw new InvalidParameterValueException("could not find account " + accountName
+ " in domain " + domain.getUuid());
+            }
+        }
+
+        // set project information
+        if (projectId != null) {
+            if (!forProjectInvitation) {
+                if (projectId.longValue() == -1) {
+                    if (isNormalUser(caller.getId())) {
+                        permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
+                    } else {
+                        domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
+                    }
+                } else {
+                    Project project = _projectMgr.getProject(projectId);
+                    if (project == null) {
+                        throw new InvalidParameterValueException("Unable to find project
by id " + projectId);
+                    }
+                    if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId()))
{
+                        throw new PermissionDeniedException("Account " + caller + " can't
access project id=" + projectId);
+                    }
+                    permittedAccounts.add(project.getProjectAccountId());
+                }
+            }
+        } else {
+            if (id == null) {
+                domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
+            }
+            if (permittedAccounts.isEmpty() && domainId == null) {
+                if (isNormalUser(caller.getId())) {
+                    permittedAccounts.add(caller.getId());
+                } else if (!listAll) {
+                    if (id == null) {
+                        permittedAccounts.add(caller.getId());
+                    } else if (!isRootAdmin(caller.getId())) {
+                        domainIdRecursiveListProject.first(caller.getDomainId());
+                        domainIdRecursiveListProject.second(true);
+                    }
+                } else if (domainId == null) {
+                    if (isDomainAdmin(caller.getId())) {
+                        domainIdRecursiveListProject.first(caller.getDomainId());
+                        domainIdRecursiveListProject.second(true);
+                    }
+                }
+            } else if (domainId != null) {
+                if (isNormalUser(caller.getId())) {
+                    permittedAccounts.add(caller.getId());
+                }
+            }
+        }
+    }
+
     @Override
     public void buildACLSearchParameters(Account caller, Long id, String accountName, Long
projectId, List<Long> permittedDomains, List<Long> permittedAccounts,
             List<Long> permittedResources, Ternary<Long, Boolean, ListProjectResourcesCriteria>
domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation,

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ca65496/server/test/com/cloud/user/MockAccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index f444c89..81ee1a4 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -364,5 +364,11 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager,
Acco
 
     }
 
+    @Override
+    public void buildACLSearchParameters(Account caller, Long id, String accountName, Long
projectId, List<Long> permittedAccounts,
+            Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject,
boolean listAll, boolean forProjectInvitation) {
+        // TODO Auto-generated method stub
+
+    }
 
 }


Mime
View raw message