cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@apache.org
Subject [1/2] git commit: updated refs/heads/4.4 to c4ab1d5
Date Fri, 02 May 2014 16:51:29 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.4 1aff3a5f0 -> c4ab1d577


CLOUDSTACK-6558 IAM - Admin user is able to deploy VM in a regular user's Security Group.

Changes:
- Even for SecurityGroup, go through IAM to do permission checks for all type of accounts


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/33c3752d
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/33c3752d
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/33c3752d

Branch: refs/heads/4.4
Commit: 33c3752d0e08d29962762872da845b66b0c04339
Parents: 1aff3a5
Author: Prachi Damle <prachi@cloud.com>
Authored: Thu May 1 12:18:23 2014 -0700
Committer: Daan Hoogland <daan@onecht.net>
Committed: Fri May 2 18:50:52 2014 +0200

----------------------------------------------------------------------
 .../com/cloud/network/security/SecurityGroupManagerImpl.java    | 4 ++--
 server/src/com/cloud/user/AccountManagerImpl.java               | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/33c3752d/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index b4c67b8..a666ecd 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // Verify permissions
-        _accountMgr.checkAccess(caller, null, securityGroup);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
         Long domainId = owner.getDomainId();
 
         if (protocol == null) {
@@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements
SecurityGro
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, group);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
 
         return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>()
{
             @Override

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/33c3752d/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index b5fdc3a..301dde4 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -102,6 +102,7 @@ import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.dao.RemoteAccessVpnDao;
 import com.cloud.network.dao.RemoteAccessVpnVO;
 import com.cloud.network.dao.VpnUserDao;
+import com.cloud.network.security.SecurityGroup;
 import com.cloud.network.security.SecurityGroupManager;
 import com.cloud.network.security.dao.SecurityGroupDao;
 import com.cloud.network.vpc.Vpc;
@@ -497,7 +498,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
 
             for (ControlledEntity entity : entities) {
                 if (entity instanceof VirtualMachineTemplate || entity instanceof Network
-                        || entity instanceof AffinityGroup) {
+                        || entity instanceof AffinityGroup || entity instanceof SecurityGroup)
{
+                    // Go through IAM (SecurityCheckers)
                     for (SecurityChecker checker : _securityCheckers) {
                         if (checker.checkAccess(caller, accessType, apiName, entity)) {
                             if (s_logger.isDebugEnabled()) {
@@ -540,6 +542,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
 
             }
         } else {
+            // Go through IAM (SecurityCheckers)
             for (SecurityChecker checker : _securityCheckers) {
                 if (checker.checkAccess(caller, accessType, apiName, entities)) {
                     if (s_logger.isDebugEnabled()) {


Mime
View raw message