From mc...@apache.org
Subject [4/4] git commit: updated refs/heads/4.4-forward-iam-disabled to c9c7c8c
Date Wed, 14 May 2014 18:14:14 GMT
Restore same owner check in cmd and service layer.

Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/c9c7c8cb
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/c9c7c8cb
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/c9c7c8cb

Branch: refs/heads/4.4-forward-iam-disabled
Commit: c9c7c8cb49465595684968400459f1227c113242
Parents: 3c1fbb4
Author: Min Chen <min.chen@citrix.com>
Authored: Wed May 14 11:12:56 2014 -0700
Committer: Min Chen <min.chen@citrix.com>
Committed: Wed May 14 11:12:56 2014 -0700

----------------------------------------------------------------------
 api/src/com/cloud/user/AccountService.java      |   5 -
 .../address/AssociateIPAddrCmdByAdmin.java      |   5 +-
 .../command/admin/vm/AddNicToVMCmdByAdmin.java  |   1 +
 .../user/address/AssociateIPAddrCmd.java        |   1 -
 .../firewall/CreatePortForwardingRuleCmd.java   |   1 +
 .../AssignToLoadBalancerRuleCmd.java            |   9 +-
 .../ListLBStickinessPoliciesCmd.java            |   4 +-
 .../command/user/nat/EnableStaticNatCmd.java    |   8 +-
 .../user/snapshot/CreateSnapshotCmd.java        |   2 -
 .../api/command/user/vm/AddNicToVMCmd.java      |   1 -
 .../user/vmsnapshot/CreateVMSnapshotCmd.java    |   3 +-
 .../command/user/volume/CreateVolumeCmd.java    |   4 -
 .../lb/InternalLoadBalancerVMManagerImpl.java   |   9 +-
 .../contrail/management/MockAccountManager.java |  15 ---
 server/src/com/cloud/api/ApiResponseHelper.java |   2 +-
 .../cloud/api/dispatch/ParamProcessWorker.java  |   4 +-
 .../com/cloud/api/query/QueryManagerImpl.java   | 116 +++++++++++--------
 .../configuration/ConfigurationManagerImpl.java |   3 +-
 .../com/cloud/network/IpAddressManagerImpl.java |  17 +--
 .../src/com/cloud/network/NetworkModelImpl.java |   2 +-
 .../com/cloud/network/NetworkServiceImpl.java   |  26 ++---
 .../cloud/network/as/AutoScaleManagerImpl.java  |  10 +-
 .../network/firewall/FirewallManagerImpl.java   |  19 ++-
 .../lb/LoadBalancingRulesManagerImpl.java       |  40 ++++---
 .../VirtualNetworkApplianceManagerImpl.java     |  10 +-
 .../cloud/network/rules/RulesManagerImpl.java   |  30 +++--
 .../security/SecurityGroupManagerImpl.java      |   8 +-
 .../network/vpc/NetworkACLServiceImpl.java      |  22 ++--
 .../com/cloud/network/vpc/VpcManagerImpl.java   |  24 ++--
 .../network/vpn/RemoteAccessVpnManagerImpl.java |  18 +--
 .../network/vpn/Site2SiteVpnManagerImpl.java    |  29 +++--
 .../com/cloud/projects/ProjectManagerImpl.java  |  18 +--
 .../resourcelimit/ResourceLimitManagerImpl.java |   8 +-
 .../com/cloud/server/ManagementServerImpl.java  |  12 +-
 .../com/cloud/servlet/ConsoleProxyServlet.java  |   2 +-
 .../com/cloud/storage/VolumeApiServiceImpl.java |  22 ++--
 .../storage/snapshot/SnapshotManagerImpl.java   |  15 ++-
 .../cloud/tags/TaggedResourceManagerImpl.java   |   4 +-
 .../com/cloud/template/TemplateAdapterBase.java |   4 +-
 .../com/cloud/template/TemplateManagerImpl.java |  34 +++---
 .../src/com/cloud/user/AccountManagerImpl.java  |  36 ++----
 server/src/com/cloud/vm/UserVmManagerImpl.java  |  94 ++++++++++-----
 .../vm/snapshot/VMSnapshotManagerImpl.java      |  10 +-
 .../affinity/AffinityGroupServiceImpl.java      |  13 ++-
 .../lb/ApplicationLoadBalancerManagerImpl.java  |   9 +-
 .../cloudstack/network/lb/CertServiceImpl.java  |   8 +-
 .../GlobalLoadBalancingRulesServiceImpl.java    |  14 +--
 .../com/cloud/event/EventControlsUnitTest.java  |   2 +-
 .../com/cloud/user/MockAccountManagerImpl.java  |  10 --
 server/test/com/cloud/vm/UserVmManagerTest.java |   8 +-
 .../vm/snapshot/VMSnapshotManagerTest.java      |   2 +-
 51 files changed, 389 insertions(+), 384 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/com/cloud/user/AccountService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index 52ce761..eac8a76 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -105,11 +105,6 @@ public interface AccountService {
 
     void checkAccess(Account account, Domain domain) throws PermissionDeniedException;
 
-    void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException;
-
-    void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException;
-
-    // TODO: the following two interfaces will be deprecated by the above two counterparts when securityChecker implementation is in place
     void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException;
 
     void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
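Review bot: With the two-overload variants and the TODO gone, nothing in the interface says what the `sameOwner` flag of the surviving `checkAccess` overloads enforces, yet callers on this page pass both values (`true` in the command classes, `false` in ParamProcessWorker) and most also pass `null` for `accessType`. A Javadoc above the first remaining overload should state what `sameOwner = true` requires of each entity relative to `account`, what a `false` caller gives up, and whether a `null` `accessType` is a permitted input or an oversight. Without that, the two overloads will keep being used interchangeably, which is exactly the ambiguity this commit is trying to close. The second overload's signature continues past the end of the hunk.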

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
index 494a6d6..dbff93f 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java
@@ -31,11 +31,8 @@ import com.cloud.exception.InsufficientCapacityException;
 import com.cloud.exception.ResourceAllocationException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.IpAddress;
-import com.cloud.network.vpc.Vpc;
 
-@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full,
-        entityType = {IpAddress.class, Vpc.class},
-        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
+@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full)
 public class AssociateIPAddrCmdByAdmin extends AssociateIPAddrCmd {
     public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmdByAdmin.class.getName());
 
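Review bot: The rewritten `@APICommand` drops `requestHasSensitiveInfo = false, responseHasSensitiveInfo = false` together with `entityType`, whereas the user-level `AssociateIPAddrCmd` hunk on this page keeps both flags; the admin command now falls back to whatever the annotation's defaults are, which is not visible here. Unless the omission is intentional, the line should read `@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)`. Separately, `entityType` is removed here and in the AssociateIPAddrCmd, AssignToLoadBalancerRuleCmd and EnableStaticNatCmd hunks but retained in the AddNicToVMCmdByAdmin and CreatePortForwardingRuleCmd hunks; if the attribute is no longer consulted on this branch the survivors are dead metadata, and if it is, these four commands have lost it.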

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
index 3dd22c1..945f849 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
@@ -33,6 +33,7 @@ import org.apache.cloudstack.context.CallContext;
 import com.cloud.uservm.UserVm;
 import com.cloud.vm.VirtualMachine;
 
+
 @APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, entityType = {VirtualMachine.class},
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
 public class AddNicToVMCmdByAdmin extends AddNicToVMCmd {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
index 48fe43e..96174e1 100644
--- a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java
@@ -58,7 +58,6 @@ import com.cloud.projects.Project;
 import com.cloud.user.Account;
 
 @APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Restricted,
-        entityType = {IpAddress.class, Vpc.class},
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class AssociateIPAddrCmd extends BaseAsyncCreateCmd {
     public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmd.class.getName());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
index 6fb120f..865cd1b 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
@@ -49,6 +49,7 @@ import com.cloud.utils.net.Ip;
 import com.cloud.utils.net.NetUtils;
 import com.cloud.vm.VirtualMachine;
 
+
 @APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class,
         VirtualMachine.class, IpAddress.class},
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
index db4d70e..dd9adef 100644
--- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
@@ -23,11 +23,8 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 
-import com.cloud.utils.net.NetUtils;
 import org.apache.log4j.Logger;
 
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -41,15 +38,15 @@ import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.event.EventTypes;
 import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.LoadBalancer;
 import com.cloud.user.Account;
 import com.cloud.utils.StringUtils;
+import com.cloud.utils.net.NetUtils;
 import com.cloud.vm.VirtualMachine;
 
 @APICommand(name = "assignToLoadBalancerRule",
             description = "Assigns virtual machine or a list of virtual machines to a load balancer rule.",
-        responseObject = SuccessResponse.class, entityType = {FirewallRule.class, VirtualMachine.class},
+            responseObject = SuccessResponse.class,
             requestHasSensitiveInfo = false,
             responseHasSensitiveInfo = false)
 public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
@@ -61,7 +58,6 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.ID,
                type = CommandType.UUID,
                entityType = FirewallRuleResponse.class,
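Review bot: Removing `@ACL(accessType = AccessType.OperateEntry)` from `id` (and from `virtualMachineIds` in the next hunk) means ParamProcessWorker no longer collects these parameters into `entitiesToOperate` (see its hunk on this page), so the same-owner check on the rule and the VMs must now come from the service layer; the diffstat lists LoadBalancingRulesManagerImpl, but that check is not visible here and should be confirmed before merge. The same shift applies to the EnableStaticNatCmd (`ipAddressId`, `virtualMachineId`), CreateSnapshotCmd (`volumeId`), AddNicToVMCmd (`netId`) and CreateVolumeCmd (`snapshotId`, `virtualMachineId`) hunks, while CreateVMSnapshotCmd moves the other way and gains `OperateEntry`; a one-line rationale for that asymmetry would help. A comment on the field such as `// ownership of the rule and VMs is enforced in the service layer, not via @ACL` would record where the check now lives, provided that is indeed where it is.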
@@ -69,7 +65,6 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
                description = "the ID of the load balancer rule")
     private Long id;
 
-    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_IDS,
                type = CommandType.LIST,
                collectionType = CommandType.UUID,

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
index dd03191..9905c0b 100644
--- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java
@@ -86,7 +86,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
         if (lb != null) {
             //check permissions
             Account caller = CallContext.current().getCallingAccount();
-            _accountService.checkAccess(caller, null, lb);
+            _accountService.checkAccess(caller, null, true, lb);
             List<? extends StickinessPolicy> stickinessPolicies = _lbService.searchForLBStickinessPolicies(this);
             LBStickinessResponse spResponse = _responseGenerator.createLBStickinessPolicyResponse(stickinessPolicies, lb);
             spResponses.add(spResponse);
@@ -94,7 +94,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd {
         }
 
         response.setResponseName(getCommandName());
-        setResponseObject(response);
+        this.setResponseObject(response);
     }
 
 }
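Review bot: The change to `this.setResponseObject(response)` is a style regression: the prefix is redundant for an inherited method, and two lines earlier the same method body calls `getCommandName()` without it, so the new line reads as an accidental revert rather than a deliberate convention. Keep `setResponseObject(response);` here; the EnableStaticNatCmd hunk makes the identical change next to a bare `getCommandName()` call and should be reverted the same way.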

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
index 94699ac..aa4e287 100644
--- a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java
@@ -18,8 +18,6 @@ package org.apache.cloudstack.api.command.user.nat;
 
 import org.apache.log4j.Logger;
 
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -37,10 +35,8 @@ import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.IpAddress;
 import com.cloud.user.Account;
 import com.cloud.uservm.UserVm;
-import com.cloud.vm.VirtualMachine;
 
 @APICommand(name = "enableStaticNat", description = "Enables static nat for given ip address", responseObject = SuccessResponse.class,
-        entityType = {IpAddress.class, VirtualMachine.class},
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class EnableStaticNatCmd extends BaseCmd {
     public static final Logger s_logger = Logger.getLogger(CreateIpForwardingRuleCmd.class.getName());
@@ -51,12 +47,10 @@ public class EnableStaticNatCmd extends BaseCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.IP_ADDRESS_ID, type = CommandType.UUID, entityType = IPAddressResponse.class, required = true, description = "the public IP "
         + "address id for which static nat feature is being enabled")
     private Long ipAddressId;
 
-    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, required = true, description = "the ID of "
         + "the virtual machine for enabling static nat feature")
     private Long virtualMachineId;
@@ -139,7 +133,7 @@ public class EnableStaticNatCmd extends BaseCmd {
             boolean result = _rulesService.enableStaticNat(ipAddressId, virtualMachineId, getNetworkId(), getVmSecondaryIp());
             if (result) {
                 SuccessResponse response = new SuccessResponse(getCommandName());
-                setResponseObject(response);
+                this.setResponseObject(response);
             } else {
                 throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to enable static nat");
             }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
index bd8662e..df7fe82 100644
--- a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java
@@ -18,7 +18,6 @@ package org.apache.cloudstack.api.command.user.snapshot;
 
 import org.apache.log4j.Logger;
 
-import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
@@ -63,7 +62,6 @@ public class CreateSnapshotCmd extends BaseAsyncCreateCmd {
             description = "The domain ID of the snapshot. If used with the account parameter, specifies a domain for the account associated with the disk volume.")
     private Long domainId;
 
-    @ACL
     @Parameter(name = ApiConstants.VOLUME_ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "The ID of the disk volume")
     private Long volumeId;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
index fd30152..f265ecf 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java
@@ -54,7 +54,6 @@ public class AddNicToVMCmd extends BaseAsyncCmd {
             required=true, description="Virtual Machine ID")
     private Long vmId;
 
-    @ACL
     @Parameter(name = ApiConstants.NETWORK_ID, type = CommandType.UUID, entityType = NetworkResponse.class, required = true, description = "Network ID")
     private Long netId;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
index 1310ba5..10ff5cd 100644
--- a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java
@@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.vmsnapshot;
 
 import java.util.logging.Logger;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
@@ -42,7 +43,7 @@ public class CreateVMSnapshotCmd extends BaseAsyncCreateCmd {
     public static final Logger s_logger = Logger.getLogger(CreateVMSnapshotCmd.class.getName());
     private static final String s_name = "createvmsnapshotresponse";
 
-    @ACL
+    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, required = true, entityType = UserVmResponse.class, description = "The ID of the vm")
     private Long vmId;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
index dc91261..1e3c01c 100644
--- a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
@@ -19,8 +19,6 @@ package org.apache.cloudstack.api.command.user.volume;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.RoleType;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
-import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
@@ -93,7 +91,6 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
     @Parameter(name = ApiConstants.MAX_IOPS, type = CommandType.LONG, description = "max iops")
     private Long maxIops;
 
-    @ACL
     @Parameter(name = ApiConstants.SNAPSHOT_ID,
                type = CommandType.UUID,
                entityType = SnapshotResponse.class,
@@ -106,7 +103,6 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
     @Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin})
     private Boolean displayVolume;
 
-    @ACL(accessType = AccessType.OperateEntry)
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
                type = CommandType.UUID,
                entityType = UserVmResponse.class,

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
index 89707c9..aa763d5 100644
--- a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
+++ b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
@@ -27,12 +27,11 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-import org.apache.log4j.Logger;
-
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
+import org.apache.log4j.Logger;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
@@ -520,7 +519,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
             return true;
         }
 
-        _accountMgr.checkAccess(caller, null, internalLbVm);
+        _accountMgr.checkAccess(caller, null, true, internalLbVm);
 
         _itMgr.expunge(internalLbVm.getUuid());
         _internalLbVmDao.remove(internalLbVm.getId());
@@ -535,7 +534,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
         }
 
         //check permissions
-        _accountMgr.checkAccess(caller, null, internalLbVm);
+        _accountMgr.checkAccess(caller, null, true, internalLbVm);
 
         return stopInternalLbVm(internalLbVm, forced, caller, callerUserId);
     }
@@ -913,7 +912,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
         }
 
         //check permissions
-        _accountMgr.checkAccess(caller, null, internalLbVm);
+        _accountMgr.checkAccess(caller, null, true, internalLbVm);
 
         return startInternalLbVm(internalLbVm, caller, callerUserId, null);
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index 8931cb7..c9c87c4 100644
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -378,19 +378,4 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
         // TODO Auto-generated method stub
         return null;
     }
-
-    @Override
-    public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
-        // TODO Auto-generated method stub
-
-    }
-
-    @Override
-    public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
-        // TODO Auto-generated method stub
-
-    }
-
-
-
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index 7c342d8..60127b1 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -1811,7 +1811,7 @@ public class ApiResponseHelper implements ResponseGenerator {
                 throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId());
             }
         } else if (_accountMgr.isDomainAdmin(caller.getId())) {
-            _accountMgr.checkAccess(caller, null, jobOwner);
+            _accountMgr.checkAccess(caller, null, true, jobOwner);
         }
 
         return createAsyncJobResponse(_jobMgr.queryJob(cmd.getId(), true));

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
index 183bd7d..addcf3f 100644
--- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -233,7 +233,7 @@ public class ParamProcessWorker implements DispatchWorker {
             if (owner.getId() != caller.getId()) {
                 // mimic impersonation either by passing (account, domainId) or through derived owner from other api parameters
                 // in this case, we should check access using the owner
-                _accountMgr.checkAccess(caller, null, owner);
+                _accountMgr.checkAccess(caller, null, true, owner);
             }
         } else {
             // check access using the caller for other operational cmds
@@ -252,7 +252,7 @@ public class ParamProcessWorker implements DispatchWorker {
                     if (AccessType.OperateEntry == entitiesToAccess.get(entity)) {
                         entitiesToOperate.add((ControlledEntity) entity);
                     } else {
-                        _accountMgr.checkAccess(owner, entitiesToAccess.get(entity), apiName,
+                        _accountMgr.checkAccess(owner, entitiesToAccess.get(entity), false, apiName,
                                 (ControlledEntity) entity);
                     }
                 } else if (entity instanceof InfrastructureEntity) {
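Review bot: The hard-coded `false` for `sameOwner` in the new `checkAccess` call is undocumented, while the call in the previous hunk passes `true` for the impersonated owner; a reader cannot tell from the hunk whether ownership is deliberately not enforced for non-OperateEntry parameters or whether this is a placeholder. Since the branch just above diverts `AccessType.OperateEntry` entities into `entitiesToOperate`, a comment on the call would settle it: `// sameOwner=false: this param is not OperateEntry, so ownership is not enforced here; OperateEntry entities are collected in entitiesToOperate and checked separately`. The enclosing method and the later handling of `entitiesToOperate` lie outside the hunk.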

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 6848ba0..48c970b 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -1006,7 +1006,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             if (userVM == null) {
                 throw new InvalidParameterValueException("Unable to list network groups for virtual machine instance " + instanceId + "; instance not found.");
             }
-            _accountMgr.checkAccess(caller, null, userVM);
+            _accountMgr.checkAccess(caller, null, true, userVM);
             return listSecurityGroupRulesByVM(instanceId.longValue(), cmd.getStartIndex(), cmd.getPageSizeVal());
         }
 
@@ -1835,19 +1835,53 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
 
     private Pair<List<AccountJoinVO>, Integer> searchForAccountsInternal(ListAccountsCmd cmd) {
         Account caller = CallContext.current().getCallingAccount();
-        List<Long> permittedDomains = new ArrayList<Long>();
-        List<Long> permittedAccounts = new ArrayList<Long>();
-        List<Long> permittedResources = new ArrayList<Long>();
-
-        boolean listAll = cmd.listAll();
-        Long id = cmd.getId();
+        Long domainId = cmd.getDomainId();
+        Long accountId = cmd.getId();
         String accountName = cmd.getSearchName();
-        Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
-                cmd.getDomainId(), cmd.isRecursive(), null);
-        // ListAccountsCmd is not BaseListAccountResourcesCmd, so no (domainId, accountName) combination
-        _accountMgr.buildACLSearchParameters(caller, id, null, null, permittedDomains, permittedAccounts, permittedResources,
-                domainIdRecursiveListProject, listAll, false, "listAccounts");
-        Boolean isRecursive = domainIdRecursiveListProject.second();
+        boolean isRecursive = cmd.isRecursive();
+        boolean listAll = cmd.listAll();
+        Boolean listForDomain = false;
+
+        if (accountId != null) {
+            Account account = _accountDao.findById(accountId);
+            if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+                throw new InvalidParameterValueException("Unable to find account by id " + accountId);
+            }
+
+            _accountMgr.checkAccess(caller, null, true, account);
+        }
+
+        if (domainId != null) {
+            Domain domain = _domainDao.findById(domainId);
+            if (domain == null) {
+                throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
+            }
+
+            _accountMgr.checkAccess(caller, domain);
+
+            if (accountName != null) {
+                Account account = _accountDao.findActiveAccount(accountName, domainId);
+                if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) {
+                    throw new InvalidParameterValueException("Unable to find account by name " + accountName
+                            + " in domain " + domainId);
+                }
+                _accountMgr.checkAccess(caller, null, true, account);
+            }
+        }
+
+        if (accountId == null) {
+            if (_accountMgr.isAdmin(caller.getId()) && listAll && domainId == null) {
+                listForDomain = true;
+                isRecursive = true;
+                if (domainId == null) {
+                    domainId = caller.getDomainId();
+                }
+            } else if (_accountMgr.isAdmin(caller.getId()) && domainId != null) {
+                listForDomain = true;
+            } else {
+                accountId = caller.getAccountId();
+            }
+        }
 
         Filter searchFilter = new Filter(AccountJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
 
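Review bot: In the admin list-all branch the inner `if (domainId == null)` is always true, because the enclosing condition already requires `domainId == null`; collapse it to a plain `domainId = caller.getDomainId();`. `Boolean listForDomain = false;` should be the primitive `boolean`, matching the neighbouring `isRecursive`/`listAll` locals, since it is only ever used in conditions. The non-admin fallback correctly pins the search to `caller.getAccountId()`, but a non-admin who supplied `domainId` plus `accountName` still goes through the name-based lookup and its checkAccess first; if that combination is meant to be rejected or ignored for non-admins, a one-line comment stating so would make the intent auditable. searchForAccountsInternal continues past the end of this hunk.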
@@ -1858,6 +1892,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
 
         SearchBuilder<AccountJoinVO> sb = _accountJoinDao.createSearchBuilder();
         sb.and("accountName", sb.entity().getAccountName(), SearchCriteria.Op.EQ);
+        sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
         sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
         sb.and("type", sb.entity().getType(), SearchCriteria.Op.EQ);
         sb.and("state", sb.entity().getState(), SearchCriteria.Op.EQ);
@@ -1865,32 +1900,12 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         sb.and("typeNEQ", sb.entity().getType(), SearchCriteria.Op.NEQ);
         sb.and("idNEQ", sb.entity().getId(), SearchCriteria.Op.NEQ);
 
-        SearchCriteria<AccountJoinVO> sc = sb.create();
-        SearchCriteria<AccountJoinVO> aclSc = _accountJoinDao.createSearchCriteria();
-        // building ACL search criteria. Here we cannot use the common accountMgr.buildACLViewSearchCriteria because
-        // 1) AccountJoinVO does not have accountId field, permittedAccounts correspond to list of resource ids.
-        // 2) AccountJoinVO use type not accountType field to indicate its type
-        if (!permittedDomains.isEmpty() || !permittedAccounts.isEmpty() || !permittedResources.isEmpty()) {
-            if (!permittedDomains.isEmpty()) {
-                if (isRecursive) {
-                    for (int i = 0; i < permittedDomains.size(); i++) {
-                        Domain domain = _domainDao.findById(permittedDomains.get(i));
-                        aclSc.addOr("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
-                    }
-                } else {
-                    aclSc.addOr("domainId", SearchCriteria.Op.IN, permittedDomains.toArray());
-                }
-            }
-            if (!permittedAccounts.isEmpty()) {
-                aclSc.addOr("id", SearchCriteria.Op.IN, permittedAccounts.toArray());
-            }
-            if (!permittedResources.isEmpty()) {
-                aclSc.addOr("id", SearchCriteria.Op.IN, permittedResources.toArray());
-            }
-
-            sc.addAnd("id", SearchCriteria.Op.SC, aclSc);
+        if (listForDomain && isRecursive) {
+            sb.and("path", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE);
         }
 
+        SearchCriteria<AccountJoinVO> sc = sb.create();
+
         sc.setParameters("idNEQ", Account.ACCOUNT_ID_SYSTEM);
 
         if (keyword != null) {
@@ -1917,10 +1932,19 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         }
 
         // don't return account of type project to the end user
-        sc.setParameters("typeNEQ", Account.ACCOUNT_TYPE_PROJECT);
+        sc.setParameters("typeNEQ", 5);
 
-        if (id != null) {
-            sc.setParameters("id", id);
+        if (accountId != null) {
+            sc.setParameters("id", accountId);
+        }
+
+        if (listForDomain) {
+            if (isRecursive) {
+                Domain domain = _domainDao.findById(domainId);
+                sc.setParameters("path", domain.getPath() + "%");
+            } else {
+                sc.setParameters("domainId", domainId);
+            }
         }
 
         return _accountJoinDao.searchAndCount(sc, searchFilter);
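Review bot: `sc.setParameters("typeNEQ", 5);` replaces the named constant `Account.ACCOUNT_TYPE_PROJECT` with a bare literal while the comment above still says the intent is to exclude project accounts; if the constant ever changes this filter silently diverges, and a reviewer has no way to verify the literal. Restore `sc.setParameters("typeNEQ", Account.ACCOUNT_TYPE_PROJECT);`. In the recursive branch `_domainDao.findById(domainId)` is dereferenced without a null check; `domainId` is either the validated request parameter or `caller.getDomainId()`, so a miss is unlikely, but the invariant is worth a short comment. The comment that explained the old ACL-criteria construction was removed with it; a replacement line over the `listForDomain` block, e.g. `// domain scope is applied either as an exact domainId or as a domain-path prefix when recursive`, would keep the filtering intent readable.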
@@ -2466,7 +2490,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                 throw ex;
             }
 
-            _accountMgr.checkAccess(caller, null, vmInstance);
+            _accountMgr.checkAccess(caller, null, true, vmInstance);
 
             ServiceOfferingVO offering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
             sc.addAnd("id", SearchCriteria.Op.NEQ, offering.getId());
@@ -2893,7 +2917,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             // if template is not public, perform permission check here
             if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) {
                 Account owner = _accountMgr.getAccount(template.getAccountId());
-                _accountMgr.checkAccess(caller, null, owner);
+                _accountMgr.checkAccess(caller, null, true, owner);
             }
 
             // if templateId is specified, then we will just use the id to
@@ -3111,7 +3135,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             }
 
             if (userAccount != null) {
-                _accountMgr.checkAccess(caller, null, userAccount);
+                _accountMgr.checkAccess(caller, null, true, userAccount);
                 // check permissions
                 permittedAccounts.add(userAccount.getId());
             } else {
@@ -3251,7 +3275,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             // if template is not public, perform permission check here
             if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
                 Account owner = _accountMgr.getAccount(template.getAccountId());
-                _accountMgr.checkAccess(caller, null, owner);
+                _accountMgr.checkAccess(caller, null, true, owner);
             }
 
             // if templateId is specified, then we will just use the id to
@@ -3576,7 +3600,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                 throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance "
                         + vmId + "; instance not found.");
             }
-            _accountMgr.checkAccess(caller, null, userVM);
+            _accountMgr.checkAccess(caller, null, true, userVM);
             return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
         }
 
@@ -3730,7 +3754,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             if (userVM == null) {
                 throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
             }
-            _accountMgr.checkAccess(caller, null, userVM);
+            _accountMgr.checkAccess(caller, null, true, userVM);
             return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize);
         }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index 231b5e1..3f79a76 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -39,7 +39,6 @@ import javax.naming.ConfigurationException;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.AffinityGroupService;
 import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@@ -4328,7 +4327,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
                 throw new InvalidParameterValueException("Can't update system networks");
             }
 
-            _accountMgr.checkAccess(caller, AccessType.ListEntry, network);
+            _accountMgr.checkAccess(caller, null, true, network);
 
             List<Long> offeringIds = _networkModel.listNetworkOfferingsForUpgrade(networkId);
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/IpAddressManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/IpAddressManagerImpl.java b/server/src/com/cloud/network/IpAddressManagerImpl.java
index 746221f..9b1f9bd 100644
--- a/server/src/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/com/cloud/network/IpAddressManagerImpl.java
@@ -29,8 +29,6 @@ import java.util.UUID;
 
 import javax.inject.Inject;
 
-import org.apache.log4j.Logger;
-
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.context.CallContext;
@@ -42,6 +40,7 @@ import org.apache.cloudstack.region.PortableIp;
 import org.apache.cloudstack.region.PortableIpDao;
 import org.apache.cloudstack.region.PortableIpVO;
 import org.apache.cloudstack.region.Region;
+import org.apache.log4j.Logger;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.alert.AlertManager;
@@ -410,7 +409,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
         Account caller = CallContext.current().getCallingAccount();
         long callerUserId = CallContext.current().getCallingUserId();
         // check permissions
-        _accountMgr.checkAccess(caller, null, ipOwner);
+        _accountMgr.checkAccess(caller, null, false, ipOwner);
 
         DataCenter zone = _entityMgr.findById(DataCenter.class, zoneId);
 
@@ -1165,14 +1164,15 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
             if (zone.getNetworkType() == NetworkType.Advanced) {
                 if (network.getGuestType() == Network.GuestType.Shared) {
                     if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
-                        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
+                        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
+                                network);
                     } else {
                         throw new InvalidParameterValueException("IP can be associated with guest network of 'shared' type only if "
                                                                  + "network services Source Nat, Static Nat, Port Forwarding, Load balancing, firewall are enabled in the network");
                     }
                 }
             } else {
-                _accountMgr.checkAccess(caller, null, ipToAssoc);
+                _accountMgr.checkAccess(caller, null, true, ipToAssoc);
             }
             owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
         } else {
@@ -1187,7 +1187,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
 
         Network network = _networksDao.findById(networkId);
         if (network != null) {
-            _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
+            _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network);
         } else {
             s_logger.debug("Unable to find ip address by id: " + ipId);
             return null;
@@ -1319,10 +1319,11 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
             if (zone.getNetworkType() == NetworkType.Advanced) {
                 if (network.getGuestType() == Network.GuestType.Shared) {
                     assert (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId()));
-                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network);
+                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false,
+                            network);
                 }
             } else {
-                _accountMgr.checkAccess(caller, null, ipToAssoc);
+                _accountMgr.checkAccess(caller, null, true, ipToAssoc);
             }
             owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId());
         } else {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/NetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index f84eccd..0de4c80 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -34,8 +34,8 @@ import javax.naming.ConfigurationException;
 
 import org.apache.log4j.Logger;
 
-import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/NetworkServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index ec9fa12..95d3dec 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -542,7 +542,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                 // if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
                 if (zone.getNetworkType() == NetworkType.Advanced) {
                     if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
-                        _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
+                        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
                         if (s_logger.isDebugEnabled()) {
                             s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
                         }
@@ -554,7 +554,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                 }
             }
         } else {
-            _accountMgr.checkAccess(caller, null, ipOwner);
+            _accountMgr.checkAccess(caller, null, false, ipOwner);
         }
 
         return _ipAddrMgr.allocateIp(ipOwner, false, caller, callerUserId, zone, displayIp);
@@ -585,7 +585,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                 // if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork'
                 if (zone.getNetworkType() == NetworkType.Advanced) {
                     if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) {
-                        _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
+                        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
                         if (s_logger.isDebugEnabled()) {
                             s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId());
                         }
@@ -605,7 +605,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
             }
         }
 
-        _accountMgr.checkAccess(caller, null, ipOwner);
+        _accountMgr.checkAccess(caller, null, false, ipOwner);
 
         return _ipAddrMgr.allocatePortableIp(ipOwner, caller, zoneId, null, null);
     }
@@ -671,7 +671,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
         final Account ipOwner = _accountMgr.getAccount(vm.getAccountId());
 
         // verify permissions
-        _accountMgr.checkAccess(caller, null, vm);
+        _accountMgr.checkAccess(caller, null, true, vm);
 
         Network network = _networksDao.findById(networkId);
         if (network == null) {
@@ -767,7 +767,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
             throw new InvalidParameterValueException("There is no vm with the given secondary ip");
         }
         // verify permissions
-        _accountMgr.checkAccess(caller, null, vm);
+        _accountMgr.checkAccess(caller, null, true, vm);
 
         Network network = _networksDao.findById(secIpVO.getNetworkId());
 
@@ -891,7 +891,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
 
         // verify permissions
         if (ipVO.getAllocatedToAccountId() != null) {
-            _accountMgr.checkAccess(caller, null, ipVO);
+            _accountMgr.checkAccess(caller, null, true, ipVO);
         }
 
         if (ipVO.isSourceNat()) {
@@ -1432,7 +1432,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                     throw new InvalidParameterValueException("Unable to find account " + accountName + " in specified domain");
                 }
 
-                _accountMgr.checkAccess(caller, null, owner);
+                _accountMgr.checkAccess(caller, null, true, owner);
                 permittedAccounts.add(owner.getId());
             }
         }
@@ -1816,7 +1816,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
         Account owner = _accountMgr.getAccount(network.getAccountId());
 
         // Perform permission check
-        _accountMgr.checkAccess(caller, null, network);
+        _accountMgr.checkAccess(caller, null, true, network);
 
         if (forced && !_accountMgr.isRootAdmin(caller.getId())) {
             throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins");
@@ -1860,7 +1860,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
             throw new InvalidParameterException("Unable to restart a running SDN network.");
         }
 
-        _accountMgr.checkAccess(callerAccount, null, network);
+        _accountMgr.checkAccess(callerAccount, null, true, network);
 
         boolean success = _networkMgr.restartNetwork(networkId, callerAccount, callerUser, cleanup);
 
@@ -1996,7 +1996,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
             throw new InvalidParameterValueException("Can't allow networks which traffic type is not " + TrafficType.Guest);
         }
 
-        _accountMgr.checkAccess(callerAccount, null, network);
+        _accountMgr.checkAccess(callerAccount, null, true, network);
 
         if (name != null) {
             network.setName(name);
@@ -4045,7 +4045,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
                 throw ex;
             }
 
-        _accountMgr.checkAccess(caller, null, userVm);
+        _accountMgr.checkAccess(caller, null, true, userVm);
         return _networkMgr.listVmNics(vmId, nicId, networkId);
     }
 
@@ -4069,7 +4069,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
 
         // verify permissions
         if (ipVO.getAllocatedToAccountId() != null) {
-            _accountMgr.checkAccess(caller, null, ipVO);
+            _accountMgr.checkAccess(caller, null, true, ipVO);
         } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
             throw new PermissionDeniedException("Only Root admin can update non-allocated ip addresses");
         }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
index 09c6694..c75dbba 100644
--- a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
+++ b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java
@@ -240,7 +240,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
             throw new InvalidParameterValueException("Unable to find " + paramName);
         }
 
-        _accountMgr.checkAccess(caller, null, (ControlledEntity)vo);
+        _accountMgr.checkAccess(caller, null, false, (ControlledEntity)vo);
 
         return vo;
     }
@@ -342,7 +342,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
 
         Account owner = _accountDao.findById(cmd.getAccountId());
         Account caller = CallContext.current().getCallingAccount();
-        _accountMgr.checkAccess(caller, null, owner);
+        _accountMgr.checkAccess(caller, null, true, owner);
 
         long zoneId = cmd.getZoneId();
         long serviceOfferingId = cmd.getServiceOfferingId();
@@ -527,7 +527,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
 
                     ControlledEntity[] sameOwnerEntities = conditions.toArray(new ControlledEntity[conditions.size() + 1]);
                     sameOwnerEntities[sameOwnerEntities.length - 1] = autoScalePolicyVO;
-                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
+                    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
 
                     if (conditionIds.size() != conditions.size()) {
                         // TODO report the condition id which could not be found
@@ -621,7 +621,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
             idList.add(ApiDBUtils.findDomainById(domainId).getUuid());
             throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain with specifed domainId");
         }
-        _accountMgr.checkAccess(caller, null, owner);
+        _accountMgr.checkAccess(caller, null, false, owner);
     }
 
     private class SearchWrapper<VO extends ControlledEntity> {
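Review bot: The owner-account check in this hunk passes `false`, while the equivalent `checkAccess(caller, null, …, owner)` in this file's createAutoScaleVmProfile hunk passes `true`; the two look like the same authorization question about the resolved owner account, so either the difference is intentional and deserves a comment at both sites, or one of them is wrong. The same divergence appears between NetworkServiceImpl (`false` for `ipOwner`) and QueryManagerImpl (`true` for looked-up accounts). A one-line comment at each site stating which semantics is wanted, e.g. `// owner resolved from (accountName, domainId): domain-level access is sufficient here`, would make the choice reviewable. The enclosing method starts outside this hunk.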
@@ -980,7 +980,7 @@ public class AutoScaleManagerImpl<Type> extends ManagerBase implements AutoScale
         ControlledEntity[] sameOwnerEntities = policies.toArray(new ControlledEntity[policies.size() + 2]);
         sameOwnerEntities[sameOwnerEntities.length - 2] = loadBalancer;
         sameOwnerEntities[sameOwnerEntities.length - 1] = profileVO;
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities);
 
         return Transaction.execute(new TransactionCallback<AutoScaleVmGroupVO>() {
             @Override

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index 7306068..c312d3d 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -27,13 +27,12 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-import org.apache.log4j.Logger;
-import org.springframework.stereotype.Component;
-
 import org.apache.cloudstack.api.command.user.firewall.ListFirewallRulesCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
 
 import com.cloud.configuration.Config;
 import com.cloud.domain.dao.DomainDao;
@@ -272,7 +271,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
                 throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for firewall rules yet");
             }
-            _accountMgr.checkAccess(caller, null, ipAddressVO);
+            _accountMgr.checkAccess(caller, null, true, ipAddressVO);
         }
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
@@ -464,7 +463,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             }
 
             // Validate ip address
-            _accountMgr.checkAccess(caller, null, ipAddress);
+            _accountMgr.checkAccess(caller, null, true, ipAddress);
         }
 
         //network id either has to be passed explicitly, or implicitly as a part of ipAddress object
@@ -476,7 +475,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
         assert network != null : "Can't create rule as network associated with public ip address is null?";
 
         if (trafficType == FirewallRule.TrafficType.Egress) {
-            _accountMgr.checkAccess(caller, null, network);
+            _accountMgr.checkAccess(caller, null, true, network);
         }
 
         // Verify that the network guru supports the protocol specified
@@ -639,7 +638,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRuleVO[rules.size()]));
+            _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRuleVO[rules.size()]));
         }
 
         try {
@@ -693,7 +692,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule");
         }
 
-        _accountMgr.checkAccess(caller, null, rule);
+        _accountMgr.checkAccess(caller, null, true, rule);
 
         revokeRule(rule, caller, userId, false);
 
@@ -743,7 +742,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             throw new InvalidParameterValueException("Only root admin can update the system wide firewall rule");
         }
 
-        _accountMgr.checkAccess(caller, null, rule);
+        _accountMgr.checkAccess(caller, null, true, rule);
 
         if (customId != null) {
             rule.setUuid(customId);
@@ -762,7 +761,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
     @DB
     public void revokeRule(final FirewallRuleVO rule, Account caller, long userId, final boolean needUsageEvent) {
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, rule);
+            _accountMgr.checkAccess(caller, null, true, rule);
         }
 
         Transaction.execute(new TransactionCallbackNoReturn() {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index 05fb325..c1d3a72 100755
--- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -30,6 +30,11 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
+import org.apache.log4j.Logger;
+
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
+
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBHealthCheckPolicyCmd;
 import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBStickinessPolicyCmd;
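Review bot: The import reorder here moves `org.apache.log4j.Logger` and the `com.google.gson` imports above the `org.apache.cloudstack` group, which is the opposite of what the same commit does in IpAddressManagerImpl and FirewallManagerImpl, where log4j is moved after the cloudstack imports. Pick one ordering for the whole commit (the other files in this diff put `org.apache.cloudstack`, then `org.apache.log4j`/`org.springframework`, then `com.cloud`) so the formatter does not flip these back on the next touch. No behaviour change is involved.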
@@ -45,7 +50,6 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
-import org.apache.log4j.Logger;
 
 import com.cloud.agent.api.to.LoadBalancerTO;
 import com.cloud.configuration.ConfigurationManager;
@@ -165,8 +169,6 @@ import com.cloud.vm.VirtualMachine.State;
 import com.cloud.vm.dao.NicDao;
 import com.cloud.vm.dao.NicSecondaryIpDao;
 import com.cloud.vm.dao.UserVmDao;
-import com.google.gson.Gson;
-import com.google.gson.reflect.TypeToken;
 
 @Local(value = {LoadBalancingRulesManager.class, LoadBalancingRulesService.class})
 public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements LoadBalancingRulesManager, LoadBalancingRulesService {
@@ -527,7 +529,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
         if (loadBalancer.getState() == FirewallRule.State.Revoke) {
             throw new InvalidParameterValueException("Failed:  LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
         }
@@ -586,7 +588,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present ");
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
 
         if (loadBalancer.getState() == FirewallRule.State.Revoke) {
             throw new InvalidParameterValueException("Failed:  LB rule id: " + cmd.getLbRuleId() + " is in deleting state: ");
@@ -748,7 +750,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         }
         long loadBalancerId = loadBalancer.getId();
         FirewallRule.State backupState = loadBalancer.getState();
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
 
         if (apply) {
             if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -801,7 +803,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         }
         final long loadBalancerId = loadBalancer.getId();
         FirewallRule.State backupState = loadBalancer.getState();
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
 
         if (apply) {
             if (loadBalancer.getState() == FirewallRule.State.Active) {
@@ -1193,7 +1195,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterException("Invalid certificate id: " + certId);
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
 
         // check if LB and Cert belong to the same account
         if (loadBalancer.getAccountId() != certVO.getAccountId()) {
@@ -1256,7 +1258,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterException("No certificate is bound to lb with id: " + lbRuleId);
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
 
         boolean success = false;
         FirewallRule.State backupState = loadBalancer.getState();
@@ -1300,7 +1302,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterException("Invalid load balancer value: " + loadBalancerId);
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer);
 
         if (instanceIds == null && vmIdIpMap.isEmpty()) {
             throw new InvalidParameterValueException("Both instanceids and vmidipmap  can't be null");
@@ -1462,7 +1464,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         if (rule == null) {
             throw new InvalidParameterValueException("Unable to find load balancer rule " + loadBalancerId);
         }
-        _accountMgr.checkAccess(caller, null, rule);
+        _accountMgr.checkAccess(caller, null, true, rule);
 
         boolean result = deleteLoadBalancerRule(loadBalancerId, apply, caller, ctx.getCallingUserId(), true);
         if (!result) {
@@ -1686,7 +1688,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller.getCallingAccount(), null, ipAddr);
+        _accountMgr.checkAccess(caller.getCallingAccount(), null, true, ipAddr);
 
         final Long networkId = ipAddr.getAssociatedWithNetworkId();
         if (networkId == null) {
@@ -2060,7 +2062,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, lb);
+        _accountMgr.checkAccess(caller, null, true, lb);
 
         if (name != null) {
             lb.setName(name);
@@ -2139,7 +2141,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             return null;
         }
 
-        _accountMgr.checkAccess(caller, null, loadBalancer);
+        _accountMgr.checkAccess(caller, null, true, loadBalancer);
 
         List<UserVmVO> loadBalancerInstances = new ArrayList<UserVmVO>();
         List<String> serviceStates = new ArrayList<String>();
@@ -2218,7 +2220,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             return null;
         }
 
-        _accountMgr.checkAccess(caller, null, loadBalancer);
+        _accountMgr.checkAccess(caller, null, true, loadBalancer);
 
         List<LBStickinessPolicyVO> sDbpolicies = _lb2stickinesspoliciesDao.listByLoadBalancerIdAndDisplayFlag(cmd.getLbRuleId(), forDisplay);
 
@@ -2235,8 +2237,10 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         if (loadBalancer == null) {
             return null;
         }
-        _accountMgr.checkAccess(caller, null, loadBalancer);
+
+        _accountMgr.checkAccess(caller, null, true, loadBalancer);
         List<LBHealthCheckPolicyVO> hcDbpolicies = _lb2healthcheckDao.listByLoadBalancerIdAndDisplayFlag(cmd.getLbRuleId(), forDisplay);
+
         return hcDbpolicies;
     }
 
@@ -2484,7 +2488,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterException("Invalid Load balancer : " + policy.getLoadBalancerId() + " for Stickiness policy id: " + id);
         }
 
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, loadBalancer);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, loadBalancer);
 
         if (customId != null) {
             policy.setUuid(customId);
@@ -2511,7 +2515,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new InvalidParameterException("Invalid Load balancer : " + policy.getLoadBalancerId() + " for Stickiness policy id: " + id);
         }
 
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, loadBalancer);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, loadBalancer);
 
         if (customId != null) {
             policy.setUuid(customId);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index be3e849..05fbad3 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -462,7 +462,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
             return null;
         }
 
-        _accountMgr.checkAccess(caller, null, router);
+        _accountMgr.checkAccess(caller, null, true, router);
 
         _itMgr.expunge(router.getUuid());
         _routerDao.remove(router.getId());
@@ -481,7 +481,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
             throw new InvalidParameterValueException("Unable to find router with id " + routerId);
         }
 
-        _accountMgr.checkAccess(caller, null, router);
+        _accountMgr.checkAccess(caller, null, true, router);
 
         if (router.getServiceOfferingId() == serviceOfferingId) {
             s_logger.debug("Router: " + routerId + "already has service offering: " + serviceOfferingId);
@@ -596,7 +596,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
             throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
         }
 
-        _accountMgr.checkAccess(account, null, router);
+        _accountMgr.checkAccess(account, null, true, router);
 
         final UserVO user = _userDao.findById(CallContext.current().getCallingUserId());
 
@@ -655,7 +655,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
             throw new InvalidParameterValueException("Unable to find domain router with id " + routerId + ".");
         }
 
-        _accountMgr.checkAccess(caller, null, router);
+        _accountMgr.checkAccess(caller, null, true, router);
 
         // Can reboot domain router only in Running state
         if (router == null || router.getState() != State.Running) {
@@ -3300,7 +3300,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
         if (router == null) {
             throw new InvalidParameterValueException("Unable to find router by id " + routerId + ".");
         }
-        _accountMgr.checkAccess(caller, null, router);
+        _accountMgr.checkAccess(caller, null, true, router);
 
         final Account owner = _accountMgr.getAccount(router.getAccountId());
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/rules/RulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index f6a87bf..a6dc345 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -25,12 +25,10 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.user.firewall.ListPortForwardingRulesCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.log4j.Logger;
 
 import com.cloud.configuration.ConfigurationManager;
 import com.cloud.domain.dao.DomainDao;
@@ -164,7 +162,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             }
         }
 
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipAddress, userVm);
+        _accountMgr.checkAccess(caller, null, true, ipAddress, userVm);
 
         // validate that IP address and userVM belong to the same account
         if (ipAddress.getAllocatedToAccountId().longValue() != userVm.getAccountId()) {
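Review bot: Replacing `AccessType.OperateEntry` with `null` here (and in the next hunk, before the Destroyed/Expunging state check) changes the access type under which the IP address and VM are authorized, which goes beyond the stated aim of restoring the same-owner flag; the import removal at the top of this file confirms the type is no longer used anywhere in RulesManagerImpl. Whether a null access type means a default or a weaker check depends on the AccountManager implementation, which is not visible here, so it is worth confirming that creating a static NAT or port-forwarding rule still requires the same permission as before. A short comment on the call stating the intended semantics would prevent a later reader from treating it as an accidental downgrade, e.g. `// access type intentionally left null: TODO document which check this selects`. The enclosing method begins outside the hunk.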
@@ -189,7 +187,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             return;
         }
 
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, rule, userVm);
+        _accountMgr.checkAccess(caller, null, true, rule, userVm);
 
         if (userVm.getState() == VirtualMachine.State.Destroyed || userVm.getState() == VirtualMachine.State.Expunging) {
             throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId());
@@ -683,7 +681,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             throw new InvalidParameterValueException("Unable to find " + ruleId);
         }
 
-        _accountMgr.checkAccess(caller, null, rule);
+        _accountMgr.checkAccess(caller, null, true, rule);
 
         if (!revokePortForwardingRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
             throw new CloudRuntimeException("Failed to delete port forwarding rule");
@@ -718,7 +716,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             throw new InvalidParameterValueException("Unable to find " + ruleId);
         }
 
-        _accountMgr.checkAccess(caller, null, rule);
+        _accountMgr.checkAccess(caller, null, true, rule);
 
         if (!revokeStaticNatRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) {
             throw new CloudRuntimeException("Failed to revoke forwarding rule");
@@ -794,7 +792,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
                 throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
             }
-            _accountMgr.checkAccess(caller, null, ipAddressVO);
+            _accountMgr.checkAccess(caller, null, true, ipAddressVO);
         }
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
@@ -869,7 +867,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+            _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
         }
 
         try {
@@ -898,7 +896,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
+            _accountMgr.checkAccess(caller, null, true, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()]));
         }
 
         try {
@@ -922,7 +920,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()]));
+            _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()]));
         }
 
         try {
@@ -948,7 +946,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRule[rules.size()]));
+            _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRule[rules.size()]));
         }
 
         for (FirewallRuleVO rule : rules) {
@@ -976,7 +974,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, ips.toArray(new IPAddressVO[ips.size()]));
+            _accountMgr.checkAccess(caller, null, true, ips.toArray(new IPAddressVO[ips.size()]));
         }
 
         List<StaticNat> staticNats = new ArrayList<StaticNat>();
@@ -1012,7 +1010,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
             if (ipAddressVO == null || !ipAddressVO.readyToUse()) {
                 throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet");
             }
-            _accountMgr.checkAccess(caller, null, ipAddressVO);
+            _accountMgr.checkAccess(caller, null, true, ipAddressVO);
         }
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(domainId, isRecursive, null);
@@ -1389,7 +1387,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         }
 
         if (caller != null) {
-            _accountMgr.checkAccess(caller, null, sourceIp);
+            _accountMgr.checkAccess(caller, null, true, sourceIp);
         }
 
         // create new static nat rule
@@ -1508,7 +1506,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules
         if (rule == null) {
             throw new InvalidParameterValueException("Unable to find " + id);
         }
-        _accountMgr.checkAccess(caller, null, rule);
+        _accountMgr.checkAccess(caller, null, true, rule);
 
         if (customId != null) {
             rule.setUuid(customId);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index a666ecd..f60a746 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // Verify permissions
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
+        _accountMgr.checkAccess(caller, null, true, securityGroup);
         Long domainId = owner.getDomainId();
 
         if (protocol == null) {
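Review bot: The access type passed to checkAccess is inconsistent across this file: this hunk and the one at the `// check permissions` site drop `AccessType.OperateEntry` to `null`, while the hunk between them (before `long securityGroupId = rule.getSecurityGroupId();`) keeps `AccessType.OperateEntry` next to the new `true` flag. If checkAccess maps a null access type to a default, three operations on the same kind of entity will be evaluated under different policies. Either the middle site should read `_accountMgr.checkAccess(caller, null, true, securityGroup);` or the two `null` sites should keep `OperateEntry`; whichever is intended, one line of comment at the call sites saying why would settle it. The enclosing method begins outside the hunk.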
@@ -819,7 +819,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
 
         // Check permissions
         SecurityGroup securityGroup = _securityGroupDao.findById(rule.getSecurityGroupId());
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, securityGroup);
 
         long securityGroupId = rule.getSecurityGroupId();
         Boolean result = Transaction.execute(new TransactionCallback<Boolean>() {
@@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
+        _accountMgr.checkAccess(caller, null, true, group);
 
         return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>() {
             @Override
@@ -1359,7 +1359,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
         }
 
         // Verify permissions
-        _accountMgr.checkAccess(caller, null, vm);
+        _accountMgr.checkAccess(caller, null, false, vm);
 
         // Validate parameters
         List<SecurityGroupVO> vmSgGrps = getSecurityGroupsForVm(vmId);
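Review bot: This is the only call site in the commit that passes `false` as the new boolean argument, where every other service-layer site passes `true`; with the commit described as restoring the same-owner check, a reader will take this for an oversight unless told otherwise. If skipping that check for the VM here is deliberate, say so on the call: `// owner check intentionally skipped for the VM here: TODO document why`. The enclosing method begins and ends outside the hunk.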

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c9c7c8cb/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 72996d1..c82ab5a 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -103,7 +103,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         if (vpc == null) {
             throw new InvalidParameterValueException("Unable to find VPC");
         }
-        _accountMgr.checkAccess(caller, null, vpc);
+        _accountMgr.checkAccess(caller, null, true, vpc);
         return _networkAclMgr.createNetworkACL(name, description, vpcId, forDisplay);
     }
 
@@ -161,7 +161,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
             if (vpc == null) {
                 throw new InvalidParameterValueException("Unable to find VPC");
             }
-            _accountMgr.checkAccess(caller, null, vpc);
+            _accountMgr.checkAccess(caller, null, true, vpc);
             //Include vpcId 0 to list default ACLs
             sc.setParameters("vpcId", vpcId, 0);
         } else {
@@ -225,7 +225,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         if (vpc == null) {
             throw new InvalidParameterValueException("Unable to find specified VPC associated with the ACL");
         }
-        _accountMgr.checkAccess(caller, null, vpc);
+        _accountMgr.checkAccess(caller, null, true, vpc);
         return _networkAclMgr.deleteNetworkACL(acl);
     }
 
@@ -256,14 +256,14 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
             if (vpc == null) {
                 throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
             }
-            _accountMgr.checkAccess(caller, null, vpc);
+            _accountMgr.checkAccess(caller, null, true, vpc);
             if (!gateway.getVpcId().equals(acl.getVpcId())) {
                 throw new InvalidParameterValueException("private gateway: " + privateGatewayId + " and ACL: " + aclId + " do not belong to the same VPC");
             }
         }
 
         PrivateGateway privateGateway = _vpcSvc.getVpcPrivateGateway(gateway.getId());
-        _accountMgr.checkAccess(caller, null, privateGateway);
+        _accountMgr.checkAccess(caller, null, true, privateGateway);
 
         return  _networkAclMgr.replaceNetworkACLForPrivateGw(acl, privateGateway);
 
@@ -299,7 +299,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
                 throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
             }
 
-            _accountMgr.checkAccess(caller, null, vpc);
+            _accountMgr.checkAccess(caller, null, true, vpc);
             if (!network.getVpcId().equals(acl.getVpcId())) {
                 throw new InvalidParameterValueException("Network: " + networkId + " and ACL: " + aclId + " do not belong to the same VPC");
             }
@@ -371,7 +371,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         if (vpc == null) {
             throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
         }
-        _accountMgr.checkAccess(caller, null, vpc);
+        _accountMgr.checkAccess(caller, null, true, vpc);
 
         //Ensure that number is unique within the ACL
         if (aclItemCmd.getNumber() != null) {
@@ -551,7 +551,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
                 if (vpc == null) {
                     throw new InvalidParameterValueException("Unable to find VPC associated with acl");
                 }
-                _accountMgr.checkAccess(caller, null, vpc);
+                _accountMgr.checkAccess(caller, null, true, vpc);
             }
             sc.setParameters("aclId", aclId);
         } else {
@@ -620,7 +620,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
 
             Account caller = CallContext.current().getCallingAccount();
 
-            _accountMgr.checkAccess(caller, null, vpc);
+            _accountMgr.checkAccess(caller, null, true, vpc);
 
             if((aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW) || (aclItem.getAclId() == NetworkACL.DEFAULT_DENY)){
                 throw new InvalidParameterValueException("ACL Items in default ACL cannot be deleted");
@@ -647,7 +647,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
 
         Account caller = CallContext.current().getCallingAccount();
 
-        _accountMgr.checkAccess(caller, null, vpc);
+        _accountMgr.checkAccess(caller, null, true, vpc);
 
         if (number != null) {
             //Check if ACL Item with specified number already exists
@@ -669,7 +669,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         NetworkACLVO acl = _networkACLDao.findById(id);
         Vpc vpc = _entityMgr.findById(Vpc.class, acl.getVpcId());
         Account caller = CallContext.current().getCallingAccount();
-        _accountMgr.checkAccess(caller, null, vpc);
+        _accountMgr.checkAccess(caller, null, true, vpc);
 
         if (customId != null) {
             acl.setUuid(customId);
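Review bot: `vpc` reaches the access check without a null guard, and `acl` is dereferenced at `acl.getVpcId()` straight after the `findById` lookup, so an unknown ACL id surfaces as a NullPointerException instead of the `InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL")` that the sibling hunks in this file throw before their checkAccess call. How checkAccess treats a null entity is not visible here, so a null `vpc` failing open cannot be ruled out from this hunk. Mirroring the other sites with `if (acl == null || vpc == null) {` / `throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");` / `}` before the check closes the gap. The enclosing method begins and ends outside the hunk.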

