cloudstack-commits mailing list archives

From d...@apache.org
Subject [2/2] git commit: updated refs/heads/4.4 to c4ab1d5
Date Fri, 02 May 2014 16:51:30 GMT
CLOUDSTACK-6560: IAM - Admin user is denied permission to create Egress rule for a user's network

Changes:
- CS 4.3 handled Network entity in two ways:
a) Specified "UseNetwork" access and did a strict check w.r.t who can use this network. Regular
users and Domain Admin went through the strict check. Root admin got access always.
b) Specified "null" access and that meant admins can access this network for the calling API
that passes null access.

- Fixing CS 4.4 IAM to handle this behavior:
a) "UseNetwork" is mapped to "UseEntry" and IAM check will be done only for domain admin and
regular users when this access is specified. Root Admin is granted access.
b) If "null" access is specified, root and domain admin both are granted access. Regular users
still go through IAM.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/c4ab1d57
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/c4ab1d57
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/c4ab1d57

Branch: refs/heads/4.4
Commit: c4ab1d57727af9b81c26a32a09137c06017f7777
Parents: 33c3752
Author: Prachi Damle <prachi@cloud.com>
Authored: Thu May 1 15:40:23 2014 -0700
Committer: Daan Hoogland <daan@onecht.net>
Committed: Fri May 2 18:51:19 2014 +0200

----------------------------------------------------------------------
 server/src/com/cloud/template/TemplateManagerImpl.java | 2 +-
 server/src/com/cloud/user/AccountManagerImpl.java      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c4ab1d57/server/src/com/cloud/template/TemplateManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java
index ea51af1..294748f 100755
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@@ -1133,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
         }
 
         if (!template.isPublicTemplate()) {
-            _accountMgr.checkAccess(caller, null, template);
+            _accountMgr.checkAccess(caller, AccessType.ListEntry, template);
         }
 
         List<String> accountNames = new ArrayList<String>();
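
Review bot: The switch from null to AccessType.ListEntry in the checkAccess call for non-public templates is not covered by the commit message, which only describes Network entities and the UseEntry and null cases. The branch shown in the AccountManagerImpl hunk is guarded by `accessType == null || accessType == AccessType.UseEntry`, so a ListEntry call will no longer enter it, and the path it takes instead is not visible in this patch. Please add a line to the commit message or a comment at this call stating which callers are expected to pass or fail the template permission check after the change, and a test that exercises it for a root admin, a domain admin and a regular user.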

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/c4ab1d57/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 301dde4..4b78141 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -497,7 +497,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager,
M
                 && (accessType == null || accessType == AccessType.UseEntry)) {
 
             for (ControlledEntity entity : entities) {
-                if (entity instanceof VirtualMachineTemplate || entity instanceof Network
+                if (entity instanceof VirtualMachineTemplate || (entity instanceof Network
&& accessType != null && (isDomainAdmin || isResourceDomainAdmin))
                         || entity instanceof AffinityGroup || entity instanceof SecurityGroup)
{
                     // Go through IAM (SecurityCheckers)
                     for (SecurityChecker checker : _securityCheckers) {
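
Review bot: In the added Network clause, `accessType != null` means a Network entity passed with null access never reaches the SecurityCheckers loop in this branch, so null acts as an implicit grant for every caller that satisfies the enclosing condition, and that condition is cut off above the hunk, so which callers those are cannot be confirmed from these lines. The commit message says regular users must still go through IAM when null is passed; a comment above this `if` should state where that is enforced, since this line alone does not show it. The clause also depends on `isDomainAdmin || isResourceDomainAdmin`, whose definitions are outside the hunk, and the mix of `||` and `&&` across four instanceof checks is hard to audit; consider pulling the Network case into a named boolean and adding tests for the null and UseEntry cases against root admin, domain admin and regular user callers.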

