cloudstack-commits mailing list archives

From prachida...@apache.org
Subject [1/2] git commit: updated refs/heads/4.4-forward to 2e5b529
Date Thu, 01 May 2014 23:08:19 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.4-forward 430d14b67 -> 2e5b52915


CLOUDSTACK-6558 IAM - Admin user is able to deploy VM in a regular user's Security Group.

Changes:
- Even for SecurityGroup, go through IAM to do permission checks for all types of accounts


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e89c6288
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e89c6288
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e89c6288

Branch: refs/heads/4.4-forward
Commit: e89c628843692c9e7046192f5b6d4893b7a45ec6
Parents: 430d14b
Author: Prachi Damle <prachi@cloud.com>
Authored: Thu May 1 12:18:23 2014 -0700
Committer: Prachi Damle <prachi@cloud.com>
Committed: Thu May 1 16:07:50 2014 -0700

----------------------------------------------------------------------
 .../com/cloud/network/security/SecurityGroupManagerImpl.java    | 4 ++--
 server/src/com/cloud/user/AccountManagerImpl.java               | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e89c6288/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index b4c67b8..a666ecd 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // Verify permissions
-        _accountMgr.checkAccess(caller, null, securityGroup);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
         Long domainId = owner.getDomainId();
 
         if (protocol == null) {
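Review bot: The `// Verify permissions` comment above the changed call does not record which access type is now required or why passing `null` was wrong, and the diffstat shows no test accompanying this authorization fix. A comment such as `// Require OperateEntry via IAM for every account type, admins included (CLOUDSTACK-6558)` would state the intent here and at the identical change in the hunk at line 1120. Any other `checkAccess(caller, null, ...)` calls on a SecurityGroup elsewhere in this file are not visible in these hunks and would still pass a null access type, so they are worth auditing in the same pass. A regression test asserting that a caller from a different account is rejected would keep the bypass from returning. The enclosing methods start and end outside both hunks.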
@@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, group);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
 
         return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>() {
             @Override

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e89c6288/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index b5fdc3a..301dde4 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -102,6 +102,7 @@ import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.dao.RemoteAccessVpnDao;
 import com.cloud.network.dao.RemoteAccessVpnVO;
 import com.cloud.network.dao.VpnUserDao;
+import com.cloud.network.security.SecurityGroup;
 import com.cloud.network.security.SecurityGroupManager;
 import com.cloud.network.security.dao.SecurityGroupDao;
 import com.cloud.network.vpc.Vpc;
@@ -497,7 +498,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 
             for (ControlledEntity entity : entities) {
                 if (entity instanceof VirtualMachineTemplate || entity instanceof Network
-                        || entity instanceof AffinityGroup) {
+                        || entity instanceof AffinityGroup || entity instanceof SecurityGroup) {
+                    // Go through IAM (SecurityCheckers)
                     for (SecurityChecker checker : _securityCheckers) {
                         if (checker.checkAccess(caller, accessType, apiName, entity)) {
                             if (s_logger.isDebugEnabled()) {
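Review bot: Routing to the IAM checkers is decided by an `instanceof` allow-list, so any `ControlledEntity` type missing from the list takes whatever the other branch does, which appears to be how SecurityGroup was missed before this commit. The branch for unlisted types is outside this hunk, so this is inferred; if that path is more permissive for admin callers, inverting the default (IAM checkers unless a type is explicitly exempted) would fail closed for entity types added later. The new comment could also say why rather than what: `// SecurityGroup: always go through IAM SecurityCheckers, for admin callers too (CLOUDSTACK-6558)`. The checker loop and the outcome when no checker grants access continue past the end of the hunk.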
@@ -540,6 +542,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 
             }
         } else {
+            // Go through IAM (SecurityCheckers)
             for (SecurityChecker checker : _securityCheckers) {
                 if (checker.checkAccess(caller, accessType, apiName, entities)) {
                     if (s_logger.isDebugEnabled()) {

