From mc...@apache.org
Subject [1/5] Revert "Disable IAM feature from 4.4 release."
Date Mon, 19 May 2014 22:46:26 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.4-forward-iam [created] 26a6aa546


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/vm/UserVmManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 58709ec..e7db877 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -35,9 +35,6 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
-
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.affinity.AffinityGroupService;
@@ -86,6 +83,8 @@ import org.apache.cloudstack.storage.command.DeleteCommand;
 import org.apache.cloudstack.storage.command.DettachCommand;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.log4j.Logger;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
@@ -532,7 +531,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("Vm with id " + vmId + " is not in the right state");
         }
 
-        _accountMgr.checkAccess(caller, null, true, userVm);
+        _accountMgr.checkAccess(caller, null, userVm);
 
         boolean result = resetVMPasswordInternal(vmId, password);
 
@@ -638,7 +637,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                     + " in specified domain id");
         }
 
-        _accountMgr.checkAccess(caller, null, true, userVm);
+        _accountMgr.checkAccess(caller, null, userVm);
         String password = null;
         String sshPublicKey = s.getPublicKey();
         if (template != null && template.getEnablePassword()) {
@@ -778,7 +777,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                     + "; make sure the virtual machine is stopped");
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // Check resource limits for CPU and Memory.
         Map<String, String> customParameters = cmd.getDetails();
@@ -892,7 +891,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // Check resource limits for CPU and Memory.
         ServiceOfferingVO newServiceOffering = _offeringDao.findById(svcOffId);
@@ -961,7 +960,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         Long vmId = cmd.getVmId();
         Long networkId = cmd.getNetworkId();
         String ipAddress = cmd.getIpAddress();
-        Account caller = CallContext.current().getCallingAccount();
 
         UserVmVO vmInstance = _vmDao.findById(vmId);
         if (vmInstance == null) {
@@ -972,12 +970,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a network with id " + networkId);
         }
 
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-        if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
-                && !(network.getAclType() == ACLType.Account && network.getAccountId() == vmInstance.getAccountId())) {
-            throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vmId: " + vmId);
-        }
-        }
 
         List<NicVO> allNics = _nicDao.listByVmId(vmInstance.getId());
         for (NicVO nic : allNics) {
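Review bot: With the non-admin network-ownership check removed in this hunk and both `_accountMgr.checkAccess` calls on `vmInstance` and `network` removed in the next hunk (the one at `// Perform permission check on VM`), the add-NIC path no longer authorizes the caller against either the VM or the network, and the earlier hunk at `Account caller = CallContext.current().getCallingAccount();` also drops the caller variable, so nothing is left to check with. The sibling hunks further down in this file at `+1046` and `+1102` keep their checks in the new form (`_accountMgr.checkAccess(caller, null, vmInstance);` and `_accountMgr.checkAccess(caller, AccessType.UseEntry, network);`), so unless the check was deliberately moved into the API layer this reads as a regression rather than a migration; restoring those two lines together with the `caller` declaration would bring this path in line with its siblings. If the removal is deliberate, a comment at the removal site naming where the authorization now happens would make that auditable. The enclosing method starts and ends outside these hunks.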
@@ -990,18 +982,12 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             profile = new NicProfile(ipAddress, null);
         }
 
-        // Perform permission check on VM
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
-
         // Verify that zone is not Basic
         DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
         if (dc.getNetworkType() == DataCenter.NetworkType.Basic) {
             throw new CloudRuntimeException("Zone " + vmInstance.getDataCenterId() + ", has a NetworkType of Basic. Can't add a new NIC to a VM on a Basic Network");
         }
 
-        // Perform account permission check on network
-        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
-
         //ensure network belongs in zone
         if (network.getDataCenterId() != vmInstance.getDataCenterId()) {
             throw new CloudRuntimeException(vmInstance + " is in zone:" + vmInstance.getDataCenterId() + " but " + network + " is in zone:" + network.getDataCenterId());
@@ -1060,7 +1046,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // Perform permission check on VM
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // Verify that zone is not Basic
         DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
@@ -1074,7 +1060,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // Perform account permission check on network
-        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+        _accountMgr.checkAccess(caller, AccessType.UseEntry, network);
 
         boolean nicremoved = false;
 
@@ -1116,7 +1102,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // Perform permission check on VM
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // Verify that zone is not Basic
         DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId());
@@ -1298,7 +1284,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("This operation not permitted for this hypervisor of the vm");
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         //Check if its a scale "up"
         ServiceOfferingVO newServiceOffering = _offeringDao.findById(newServiceOfferingId);
@@ -1507,7 +1493,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // check permissions
-        _accountMgr.checkAccess(caller, null, true, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         if (vm.getRemoved() != null) {
             if (s_logger.isDebugEnabled()) {
@@ -1850,7 +1836,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find virtual machine with id " + id);
         }
 
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vmInstance);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vmInstance);
 
         //If the flag is specified and is changed
         if (isDisplayVm != null && isDisplayVm != vmInstance.isDisplayVm()) {
@@ -2065,7 +2051,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmInstance);
+        _accountMgr.checkAccess(caller, null, vmInstance);
 
         // If the VM is Volatile in nature, on reboot discard the VM's root disk and create a new root disk for it: by calling restoreVM
         long serviceOfferingId = vmInstance.getServiceOfferingId();
@@ -2163,7 +2149,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a vm group with id " + groupId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, group);
+        _accountMgr.checkAccess(caller, null, group);
 
         return deleteVmGroup(groupId);
     }
@@ -2297,7 +2283,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         List<NetworkVO> networkList = new ArrayList<NetworkVO>();
 
         // Verify that caller can perform actions in behalf of vm owner
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         // Get default guest network in Basic zone
         Network defaultNetwork = _networkModel.getExclusiveGuestNetwork(zone.getId());
@@ -2352,7 +2338,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         boolean isVmWare = (template.getHypervisorType() == HypervisorType.VMware || (hypervisor != null && hypervisor == HypervisorType.VMware));
 
         // Verify that caller can perform actions in behalf of vm owner
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         // If no network is specified, find system security group enabled network
         if (networkIdList == null || networkIdList.isEmpty()) {
@@ -2410,7 +2396,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
 
                 // Perform account permission check
                 if (network.getAclType() == ACLType.Account) {
-                    _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
+                    _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
                 }
                 networkList.add(network);
             }
@@ -2456,7 +2442,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         List<NetworkVO> networkList = new ArrayList<NetworkVO>();
 
         // Verify that caller can perform actions in behalf of vm owner
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         List<HypervisorType> vpcSupportedHTypes = _vpcMgr.getSupportedVpcHypervisors();
         if (networkIdList == null || networkIdList.isEmpty()) {
@@ -2521,7 +2507,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                     }
                 }
 
-                _networkModel.checkNetworkPermissions(owner, network);
+                _networkModel.checkNetworkPermissions(owner, network, AccessType.UseEntry);
 
                 // don't allow to use system networks
                 NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
@@ -2550,7 +2536,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             List<Long> affinityGroupIdList, Map<String, String> customParameters, String customId) throws InsufficientCapacityException, ResourceUnavailableException,
             ConcurrentOperationException, StorageUnavailableException, ResourceAllocationException {
 
-        _accountMgr.checkAccess(caller, null, true, owner);
+        _accountMgr.checkAccess(caller, null, owner);
 
         if (owner.getState() == Account.State.disabled) {
             throw new PermissionDeniedException("The owner of vm to deploy is disabled: " + owner);
@@ -2626,7 +2612,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                     throw new InvalidParameterValueException("Unable to find security group by id " + securityGroupId);
                 } else {
                     // verify permissions
-                    _accountMgr.checkAccess(caller, null, true, owner, sg);
+                    _accountMgr.checkAccess(owner, AccessType.UseEntry, sg);
                 }
             }
         }
@@ -2642,27 +2628,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                             + " , Please try again after removing the affinity group");
                 } else {
                     // verify permissions
-                    if (ag.getAclType() == ACLType.Domain) {
-                        _accountMgr.checkAccess(caller, null, false, owner, ag);
-                        // Root admin has access to both VM and AG by default,
-                        // but
-                        // make sure the owner of these entities is same
-                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
-                            if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) {
-                                throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's domain");
-                            }
-                        }
-                    } else {
-                        _accountMgr.checkAccess(caller, null, true, owner, ag);
-                        // Root admin has access to both VM and AG by default,
-                        // but
-                        // make sure the owner of these entities is same
-                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
-                            if (ag.getAccountId() != owner.getAccountId()) {
-                                throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
-                            }
-                        }
-                    }
+                    _accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
                 }
             }
         }
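Review bot: The replacement `_accountMgr.checkAccess(owner, AccessType.UseEntry, ag);` drops the explicit root-admin/system checks the removed branches made — that a Domain-scoped group is available in the owner's domain and that an Account-scoped group belongs to the owner's account — and the same replacement is made for `sg` in the previous hunk and in the AffinityGroupServiceImpl hunk at `_affinityGroupVMMapDao.updateMap`. Whether that is a regression depends on `checkAccess` with `UseEntry` enforcing those ownership relations for the owner account itself, which cannot be confirmed from these hunks alone. If it does, a one-line comment such as `// UseEntry covers domain/account scoping of ag relative to owner` at each call would save the next reader from re-deriving it; if it does not, the `ag.getAccountId() != owner.getAccountId()` and `isAffinityGroupAvailableInDomain` guards should be kept alongside the new call. The enclosing method begins and ends outside the hunk.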
@@ -2688,10 +2654,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         // Check templates permissions
-        if (!template.isPublicTemplate()) {
-            Account templateOwner = _accountMgr.getAccount(template.getAccountId());
-            _accountMgr.checkAccess(owner, null, true, templateOwner);
-        }
+        _accountMgr.checkAccess(owner, AccessType.UseEntry, template);
 
         // check if the user data is correct
         validateUserData(userData, httpmethod);
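Review bot: The template check here changes model — every template, public or not, now goes through `_accountMgr.checkAccess(owner, AccessType.UseEntry, template);` — while the hunk at `+4249` in this same file keeps the old shape (`if (!template.isPublicTemplate())` plus `_accountMgr.checkAccess(newAccount, null, templateOwner);`), so two different template-permission rules now live in one file. If `checkAccess` on a public template is expected to pass for any account, the `+4249` hunk could use the same `UseEntry` call on `template` and drop the owner lookup; otherwise this hunk needs the `isPublicTemplate()` guard back. A short comment stating which rule is intended would settle it either way. The enclosing method starts and ends outside the hunk.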
@@ -2720,13 +2683,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                 throw new InvalidParameterValueException("Network id=" + network.getId() + " doesn't belong to zone " + zone.getId());
             }
 
-            //relax the check if the caller is admin account
-            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-            if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain)
-                    && !(network.getAclType() == ACLType.Account && network.getAccountId() == accountId)) {
-                throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vm");
-            }
-            }
+            // Perform account permission check on network
+            _accountMgr.checkAccess(owner, AccessType.UseEntry, network);
 
             IpAddresses requestedIpPair = null;
             if (requestedIps != null && !requestedIps.isEmpty()) {
@@ -3349,7 +3307,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
         }
 
-        _accountMgr.checkAccess(callerAccount, null, true, vm);
+        _accountMgr.checkAccess(callerAccount, null, vm);
 
         Account owner = _accountDao.findById(vm.getAccountId());
 
@@ -3656,7 +3614,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller, null, true, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         boolean status;
 
@@ -4237,8 +4195,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         //check caller has access to both the old and new account
-        _accountMgr.checkAccess(caller, null, true, oldAccount);
-        _accountMgr.checkAccess(caller, null, true, newAccount);
+        _accountMgr.checkAccess(caller, null, oldAccount);
+        _accountMgr.checkAccess(caller, null, newAccount);
 
         // make sure the accounts are not same
         if (oldAccount.getAccountId() == newAccount.getAccountId()) {
@@ -4291,7 +4249,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         VirtualMachineTemplate template = _templateDao.findById(vm.getTemplateId());
         if (!template.isPublicTemplate()) {
             Account templateOwner = _accountMgr.getAccount(template.getAccountId());
-            _accountMgr.checkAccess(newAccount, null, true, templateOwner);
+            _accountMgr.checkAccess(newAccount, null, templateOwner);
         }
 
         // VV 5: check the new account can create vm in the domain
@@ -4441,7 +4399,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                             throw ex;
                         }
 
-                        _networkModel.checkNetworkPermissions(newAccount, network);
+                        _networkModel.checkNetworkPermissions(newAccount, network, AccessType.UseEntry);
 
                         // don't allow to use system networks
                         NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
@@ -4548,7 +4506,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw ex;
         }
 
-        _accountMgr.checkAccess(caller, null, true, vm);
+        _accountMgr.checkAccess(caller, null, vm);
 
         return restoreVMInternal(caller, vm, newTemplateId);
     }
@@ -4598,7 +4556,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         //newTemplateId can be either template or ISO id. In the following snippet based on the vm deployment (from template or ISO) it is handled accordingly
         if (newTemplateId != null) {
             template = _templateDao.findById(newTemplateId);
-            _accountMgr.checkAccess(caller, null, true, template);
+            _accountMgr.checkAccess(caller, null, template);
             if (isISO) {
                 if (!template.getFormat().equals(ImageFormat.ISO)) {
                     throw new InvalidParameterValueException("Invalid ISO id provided to restore the VM ");
@@ -4779,6 +4737,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
 
                 // root.getPoolId() should be null if the VM we are detaching the disk from has never been started before
                 DataStore dataStore = root.getPoolId() != null ? _dataStoreMgr.getDataStore(root.getPoolId(), DataStoreRole.Primary) : null;
+
                 volumeMgr.disconnectVolumeFromHost(volFactory.getVolume(root.getId()), host, dataStore);
             }
         }
@@ -4826,7 +4785,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         }
 
         //check permissions
-        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vm);
+        _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vm);
         return vm.getUserData();
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
index f5957ff..8dc2c18 100644
--- a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
+++ b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
@@ -169,7 +169,9 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
     @Override
     public List<VMSnapshotVO> listVMSnapshots(ListVMSnapshotCmd cmd) {
         Account caller = getCaller();
+        List<Long> permittedDomains = new ArrayList<Long>();
         List<Long> permittedAccounts = new ArrayList<Long>();
+        List<Long> permittedResources = new ArrayList<Long>();
 
         boolean listAll = cmd.listAll();
         Long id = cmd.getId();
@@ -182,15 +184,14 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
                 cmd.getDomainId(), cmd.isRecursive(), null);
-        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, listAll,
-                false);
-        Long domainId = domainIdRecursiveListProject.first();
+        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+                domainIdRecursiveListProject, listAll, false, "listVMSnapshot");
         Boolean isRecursive = domainIdRecursiveListProject.second();
         ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
 
         Filter searchFilter = new Filter(VMSnapshotVO.class, "created", false, cmd.getStartIndex(), cmd.getPageSizeVal());
         SearchBuilder<VMSnapshotVO> sb = _vmSnapshotDao.createSearchBuilder();
-        _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+        _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
 
         sb.and("vm_id", sb.entity().getVmId(), SearchCriteria.Op.EQ);
         sb.and("domain_id", sb.entity().getDomainId(), SearchCriteria.Op.EQ);
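Review bot: Dropping `Long domainId = domainIdRecursiveListProject.first();` means the later hunk at `if (cmd.getDomainId() != null)` filters on the raw request value rather than on whatever `buildACLSearchParameters` left in the ternary; since the ternary is passed into that call and `.second()`/`.third()` are still read back from it afterwards, the first slot may also be adjusted there, in which case the `domain_id` filter no longer matches what the ACL builder was given. If `buildACLSearchParameters` never touches the first slot this is harmless and a comment saying so at the filter would make that clear; otherwise keep `Long domainId = domainIdRecursiveListProject.first();` and filter on it. The same rewrite appears in the ApplicationLoadBalancerManagerImpl `listLoadBalancers` hunk, where the later use is not visible in this diff. The hard-coded action strings `"listVMSnapshot"` and `"listLoadBalancers"` would also be safer as named constants, since a mistyped name cannot be caught by the compiler. The enclosing method begins outside the hunk.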
@@ -202,7 +203,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
         sb.done();
 
         SearchCriteria<VMSnapshotVO> sc = sb.create();
-        _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+        _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
 
         if (accountName != null && cmd.getDomainId() != null) {
             Account account = _accountMgr.getActiveAccountByName(accountName, cmd.getDomainId());
@@ -213,8 +214,8 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
             sc.setParameters("vm_id", vmId);
         }
 
-        if (domainId != null) {
-            sc.setParameters("domain_id", domainId);
+        if (cmd.getDomainId() != null) {
+            sc.setParameters("domain_id", cmd.getDomainId());
         }
 
         if (state == null) {
@@ -296,7 +297,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
         }
 
         // check access
-        _accountMgr.checkAccess(caller, null, true, userVmVo);
+        //_accountMgr.checkAccess(caller, null, userVmVo);
 
         // check max snapshot limit for per VM
         if (_vmSnapshotDao.findByVm(vmId).size() >= _vmSnapshotMax) {
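Review bot: The VM access check is commented out rather than migrated — `//_accountMgr.checkAccess(caller, null, userVmVo);` — so this path proceeds from `userVmVo` to the snapshot-limit check with no authorization of `caller` against the VM, while the `// check access` comment above it still claims one is made. Every other hunk in this file converts the call to the new three-argument form (e.g. `_accountMgr.checkAccess(caller, null, vmSnapshot);`), so the intended line is `_accountMgr.checkAccess(caller, null, userVmVo);`. If the check was dropped on purpose because it is performed elsewhere, replace the dead line with a comment naming where, rather than leaving commented-out code. The enclosing method starts and ends outside the hunk.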
@@ -447,7 +448,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
             throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmSnapshot);
+        _accountMgr.checkAccess(caller, null, vmSnapshot);
 
         // check VM snapshot states, only allow to delete vm snapshots in created and error state
         if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) {
@@ -512,7 +513,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
             throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId);
         }
 
-        _accountMgr.checkAccess(caller, null, true, vmSnapshot);
+        _accountMgr.checkAccess(caller, null, vmSnapshot);
 
         // check VM snapshot states, only allow to delete vm snapshots in created and error state
         if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) {
@@ -563,7 +564,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
         }
 
         Account caller = getCaller();
-        _accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
+        _accountMgr.checkAccess(caller, null, vmSnapshotVo);
 
         // VM should be in running or stopped states
         if (userVm.getState() != VirtualMachine.State.Running
@@ -645,7 +646,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana
         }
 
         Account caller = getCaller();
-        _accountMgr.checkAccess(caller, null, true, vmSnapshotVo);
+        _accountMgr.checkAccess(caller, null, vmSnapshotVo);
 
         // VM should be in running or stopped states
         if (userVm.getState() != VirtualMachine.State.Running && userVm.getState() != VirtualMachine.State.Stopped) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
index 8e606ca..ef63692 100644
--- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@@ -262,7 +262,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
             affinityGroupId = group.getId();
         }
         // check permissions
-        _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, group);
+        _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
 
         final Long affinityGroupIdFinal = affinityGroupId;
         Transaction.execute(new TransactionCallbackNoReturn() {
@@ -353,7 +353,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
             if (userVM == null) {
                 throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found.");
             }
-            _accountMgr.checkAccess(caller, null, true, userVM);
+            _accountMgr.checkAccess(caller, null, userVM);
             // add join to affinity_groups_vm_map
             groupSearch.join("vmInstanceSearch", vmInstanceSearch, groupSearch.entity().getId(), vmInstanceSearch.entity().getAffinityGroupId(),
                 JoinBuilder.JoinType.INNER);
@@ -477,14 +477,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
                 throw new InvalidParameterValueException("Unable to find affinity group by id " + affinityGroupId);
             } else {
                 // verify permissions
-                _accountMgr.checkAccess(caller, null, true, owner, ag);
-                // Root admin has access to both VM and AG by default, but make sure the
-                // owner of these entities is same
-                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
-                    if (ag.getAccountId() != owner.getAccountId()) {
-                        throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
-                    }
-                }
+                _accountMgr.checkAccess(owner, AccessType.UseEntry, ag);
             }
         }
         _affinityGroupVMMapDao.updateMap(vmId, affinityGroupIds);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
index 6854347..ad1a2c4 100644
--- a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
+++ b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java
@@ -115,7 +115,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
         }
 
         Account caller = CallContext.current().getCallingAccount();
-        _accountMgr.checkAccess(caller, AccessType.UseEntry, false, guestNtwk);
+        _accountMgr.checkAccess(caller, AccessType.UseEntry, guestNtwk);
 
         Network sourceIpNtwk = _networkModel.getNetwork(sourceIpNetworkId);
         if (sourceIpNtwk == null) {
@@ -389,19 +389,20 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
         Map<String, String> tags = cmd.getTags();
 
         Account caller = CallContext.current().getCallingAccount();
+        List<Long> permittedDomains = new ArrayList<Long>();
         List<Long> permittedAccounts = new ArrayList<Long>();
+        List<Long> permittedResources = new ArrayList<Long>();
 
         Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(
                 cmd.getDomainId(), cmd.isRecursive(), null);
-        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
-                domainIdRecursiveListProject, cmd.listAll(), false);
-        Long domainId = domainIdRecursiveListProject.first();
+        _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources,
+                domainIdRecursiveListProject, cmd.listAll(), false, "listLoadBalancers");
         Boolean isRecursive = domainIdRecursiveListProject.second();
         ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
 
         Filter searchFilter = new Filter(ApplicationLoadBalancerRuleVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal());
         SearchBuilder<ApplicationLoadBalancerRuleVO> sb = _lbDao.createSearchBuilder();
-        _accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+        _accountMgr.buildACLSearchBuilder(sb, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
 
         sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
         sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ);
@@ -428,7 +429,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
         }
 
         SearchCriteria<ApplicationLoadBalancerRuleVO> sc = sb.create();
-        _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
+        _accountMgr.buildACLSearchCriteria(sc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
 
         if (keyword != null) {
             SearchCriteria<ApplicationLoadBalancerRuleVO> ssc = _lbDao.createSearchCriteria();
@@ -546,7 +547,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A
         if (rule == null) {
             throw new InvalidParameterValueException("Unable to find load balancer " + id);
         }
-        _accountMgr.checkAccess(caller, null, true, rule);
+        _accountMgr.checkAccess(caller, null, rule);
 
         if (customId != null) {
             rule.setUuid(customId);
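Review bot: Dropping the `sameOwner` argument from `checkAccess` removes the caller's ability to say whether the entities passed in must share an owner; the old call here asked for `true`, while the listing path in GlobalLoadBalancingRulesServiceImpl at -583 passed `false`, and the new three-argument form makes both cases look identical. Confirm that the new checker enforces same-ownership where the callers previously requested it (the RoleBasedEntityAccessChecker hunk at -205 appears to compare account ids across the varargs entities) and that the previously opted-out listing path is not now rejected. The same call-site change is made in the CertServiceImpl hunks at -147, -191, -206 and -229 and the GlobalLoadBalancingRulesServiceImpl hunks at -183, -224, -319, -346, -445, -523 and -583. A short comment on the -583 call, `// list path: entities may belong to other accounts (was sameOwner=false)`, would preserve the intent the signature change erased.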

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
index ba71d63..67f2c02 100644
--- a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
+++ b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java
@@ -147,7 +147,7 @@ public class CertServiceImpl implements CertService {
         if (certVO == null) {
             throw new InvalidParameterValueException("Invalid certificate id: " + certId);
         }
-        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, certVO);
+        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, certVO);
 
         List<LoadBalancerCertMapVO> lbCertRule = _lbCertDao.listByCertId(certId);
 
@@ -191,7 +191,7 @@ public class CertServiceImpl implements CertService {
                 throw new InvalidParameterValueException("Invalid certificate id: " + certId);
             }
 
-            _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVO);
+            _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVO);
 
             certLbMap = _lbCertDao.listByCertId(certId);
 
@@ -206,7 +206,7 @@ public class CertServiceImpl implements CertService {
                 throw new InvalidParameterValueException("found no loadbalancer  wth id: " + lbRuleId);
             }
 
-            _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, lb);
+            _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, lb);
 
             // get the cert id
             LoadBalancerCertMapVO lbCertMapRule;
@@ -229,7 +229,7 @@ public class CertServiceImpl implements CertService {
         List<SslCertVO> certVOList = _sslCertDao.listByAccountId(accountId);
         if (certVOList == null || certVOList.isEmpty())
             return certResponseList;
-        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVOList.get(0));
+        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVOList.get(0));
 
         for (SslCertVO cert : certVOList) {
             certLbMap = _lbCertDao.listByCertId(cert.getId());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java b/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
index c84fea2..516b3ab 100644
--- a/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
+++ b/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java
@@ -183,7 +183,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
             throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId);
         }
 
-        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
+        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
 
         if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) {
             throw new InvalidParameterValueException("global load balancer rule id: " + gslbRule.getUuid() + " is in revoked state");
@@ -224,7 +224,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
                 throw new InvalidParameterValueException("Specified load balancer rule ID does not exist.");
             }
 
-            _accountMgr.checkAccess(caller, null, true, loadBalancer);
+            _accountMgr.checkAccess(caller, null, loadBalancer);
 
             if (gslbRule.getAccountId() != loadBalancer.getAccountId()) {
                 throw new InvalidParameterValueException("GSLB rule and load balancer rule does not belong to same account");
@@ -319,7 +319,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
             throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId);
         }
 
-        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
+        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
 
         if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) {
             throw new InvalidParameterValueException("global load balancer rule id: " + gslbRuleId + " is already in revoked state");
@@ -346,7 +346,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
                 throw new InvalidParameterValueException("Specified load balancer rule ID does not exist.");
             }
 
-            _accountMgr.checkAccess(caller, null, true, loadBalancer);
+            _accountMgr.checkAccess(caller, null, loadBalancer);
         }
 
         for (GlobalLoadBalancerLbRuleMapVO gslbLbMapVo : gslbLbMapVos) {
@@ -445,7 +445,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
             throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId);
         }
 
-        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
+        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
 
         if (gslbRule.getState() == com.cloud.region.ha.GlobalLoadBalancerRule.State.Staged) {
             if (s_logger.isDebugEnabled()) {
@@ -523,7 +523,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
         CallContext ctx = CallContext.current();
         Account caller = ctx.getCallingAccount();
 
-        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule);
+        _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule);
 
         if (algorithm != null && !GlobalLoadBalancerRule.Algorithm.isValidAlgorithm(algorithm)) {
             throw new InvalidParameterValueException("Invalid Algorithm: " + algorithm);
@@ -583,7 +583,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR
             if (gslbRule == null) {
                 throw new InvalidParameterValueException("Invalid gslb rule id specified");
             }
-            _accountMgr.checkAccess(caller, org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, false, gslbRule);
+            _accountMgr.checkAccess(caller, org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, gslbRule);
 
             response.add(gslbRule);
             return response;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/event/EventControlsUnitTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/event/EventControlsUnitTest.java b/server/test/com/cloud/event/EventControlsUnitTest.java
index 91dc921..0dc5742 100644
--- a/server/test/com/cloud/event/EventControlsUnitTest.java
+++ b/server/test/com/cloud/event/EventControlsUnitTest.java
@@ -60,7 +60,7 @@ public class EventControlsUnitTest extends TestCase {
         MockitoAnnotations.initMocks(this);
         _mgmtServer._eventDao = _eventDao;
         _mgmtServer._accountMgr = _accountMgr;
-        doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class), any(ControlledEntity.class));
+        doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(ControlledEntity.class));
         when(_eventDao.listToArchiveOrDeleteEvents(anyList(), anyString(), any(Date.class), any(Date.class), anyList())).thenReturn(_events);
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/network/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/network/MockNetworkModelImpl.java b/server/test/com/cloud/network/MockNetworkModelImpl.java
index 6c9e597..33387fa 100644
--- a/server/test/com/cloud/network/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/network/MockNetworkModelImpl.java
@@ -25,6 +25,8 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.naming.ConfigurationException;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -878,4 +880,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
     public boolean getNetworkEgressDefaultPolicy(Long networkId) {
         return false;  //To change body of implemented methods use File | Settings | File Templates.
     }
+
+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+        // TODO Auto-generated method stub
+
+    }
 }
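Review bot: The new `checkNetworkPermissions` stub has an empty body under a `// TODO Auto-generated method stub` comment, which reads as unfinished work rather than a deliberate test double that grants every permission. Replacing the TODO with `// Test double: grants every network permission unconditionally.` states the intent and stops the stub from being mistaken for a missing check. The same TODO appears on the identical stub in server/test/com/cloud/vpc/MockNetworkModelImpl.java (-893) and on the two `checkAccess` stubs re-added in MockAccountManagerImpl (-369).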

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/user/MockAccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index cc8fbac..a2b8a85 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -32,7 +32,6 @@ import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
 import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
 import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 
-import com.cloud.api.query.vo.ControlledViewEntity;
 import com.cloud.domain.Domain;
 import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.PermissionDeniedException;
@@ -219,10 +218,6 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
         return null;
     }
 
-    @Override
-    public void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException {
-        // TODO Auto-generated method stub
-    }
 
 
     @Override
@@ -257,50 +252,6 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
         return false;
     }
 
-    @Override
-    public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
-            ListProjectResourcesCriteria listProjectResourcesCriteria) {
-        // TODO Auto-generated method stub
-
-    }
-
-    @Override
-    public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
-            ListProjectResourcesCriteria listProjectResourcesCriteria) {
-        // TODO Auto-generated method stub
-
-    }
-
-    @Override
-    public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long> permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation) {
-        // TODO Auto-generated method stub
-    }
-
-    @Override
-    public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId,
-            boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
-        // TODO Auto-generated method stub
-    }
-
-    @Override
-    public void buildACLViewSearchBuilder(SearchBuilder<? extends ControlledViewEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
-            ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
-        // TODO Auto-generated method stub
-
-    }
-
-    @Override
-    public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEntity> sc, Long domainId,
-            boolean isRecursive, List<Long> permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) {
-        // TODO Auto-generated method stub
-    }
-
-    @Override
-    public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
-            ListProjectResourcesCriteria listProjectResourcesCriteria, List<Long> grantedIds, List<Long> revokedIds) {
-        // TODO Auto-generated method stub
-
-    }
 
     /* (non-Javadoc)
      * @see com.cloud.user.AccountService#getUserByApiKey(java.lang.String)
@@ -369,24 +320,42 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
 
     }
 
+    @Override
+    public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, boolean isRecursive, List<Long> permittedDomains, List<Long> permittedAccounts,
+            List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
+        // TODO Auto-generated method stub
+
+    }
 
     @Override
-    public List<String> listAclGroupsByAccount(Long accountId) {
+    public void buildACLSearchCriteria(SearchCriteria<? extends ControlledEntity> sc, boolean isRecursive, List<Long> permittedDomains, List<Long> permittedAccounts,
+            List<Long> permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) {
         // TODO Auto-generated method stub
-        return null;
+
     }
 
     @Override
-    public void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName,
-            ControlledEntity... entities) throws PermissionDeniedException {
+    public List<String> listAclGroupsByAccount(Long accountId) {
         // TODO Auto-generated method stub
+        return null;
     }
 
+
     @Override
     public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) {
         // TODO Auto-generated method stub
         return null;
     }
 
+    @Override
+    public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException {
+        // TODO Auto-generated method stub
+    }
+
+    @Override
+    public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException {
+        // TODO Auto-generated method stub
+
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/vm/UserVmManagerTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vm/UserVmManagerTest.java b/server/test/com/cloud/vm/UserVmManagerTest.java
index b67c164..927d5e3 100755
--- a/server/test/com/cloud/vm/UserVmManagerTest.java
+++ b/server/test/com/cloud/vm/UserVmManagerTest.java
@@ -283,7 +283,7 @@ public class UserVmManagerTest {
         doReturn(3L).when(_volumeMock).getTemplateId();
         doReturn(ImageFormat.VHD).when(_templateMock).getFormat();
         when(_templateDao.findById(anyLong())).thenReturn(_templateMock);
-        doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock);
+        doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock);
         when(_storageMgr.allocateDuplicateVolume(_volumeMock, 14L)).thenReturn(_volumeMock);
         when(_templateMock.getGuestOSId()).thenReturn(5L);
         doNothing().when(_vmMock).setGuestOSId(anyLong());
@@ -327,7 +327,7 @@ public class UserVmManagerTest {
         doReturn(3L).when(_vmMock).getIsoId();
         doReturn(ImageFormat.ISO).when(_templateMock).getFormat();
         when(_templateDao.findById(anyLong())).thenReturn(_templateMock);
-        doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock);
+        doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock);
         when(_storageMgr.allocateDuplicateVolume(_volumeMock, null)).thenReturn(_volumeMock);
         doNothing().when(_vmMock).setIsoId(14L);
         when(_templateMock.getGuestOSId()).thenReturn(5L);
@@ -413,7 +413,7 @@ public class UserVmManagerTest {
 
         doReturn(VirtualMachine.State.Running).when(_vmInstance).getState();
 
-        doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock);
+        doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock);
 
         doNothing().when(_itMgr).checkIfCanUpgrade(_vmMock, _offeringVo);
 
@@ -606,7 +606,7 @@ public class UserVmManagerTest {
 
         when(_accountService.getActiveAccountByName(anyString(), anyLong())).thenReturn(newAccount);
 
-        doThrow(new PermissionDeniedException("Access check failed")).when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class),
+        doThrow(new PermissionDeniedException("Access check failed")).when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class),
             any(ControlledEntity.class));
 
         CallContext.register(user, caller);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java b/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
index 9d5c2b4..03afdbd 100644
--- a/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
+++ b/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
@@ -125,7 +125,7 @@ public class VMSnapshotManagerTest {
         _vmSnapshotMgr._guestOSDao = _guestOSDao;
         _vmSnapshotMgr._hypervisorCapabilitiesDao = _hypervisorCapabilitiesDao;
 
-        doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class), any(ControlledEntity.class));
+        doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(ControlledEntity.class));
 
         _vmSnapshotMgr._vmSnapshotMax = _vmSnapshotMax;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/server/test/com/cloud/vpc/MockNetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/MockNetworkModelImpl.java b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
index 67ab8e8..c93584d 100644
--- a/server/test/com/cloud/vpc/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
@@ -26,6 +26,8 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -893,4 +895,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
     public boolean getNetworkEgressDefaultPolicy(Long networkId) {
         return false;  //To change body of implemented methods use File | Settings | File Templates.
     }
+
+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+        // TODO Auto-generated method stub
+
+    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
----------------------------------------------------------------------
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index bb471c0..7b3d967 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -27,7 +27,6 @@ import org.apache.log4j.Logger;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.PermissionScope;
 import org.apache.cloudstack.acl.SecurityChecker;
-import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.iam.api.IAMGroup;
 import org.apache.cloudstack.iam.api.IAMPolicy;
@@ -205,13 +204,15 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
                 boolean otherEntitiesAccess = true;
 
                 for (ControlledEntity otherEntity : entities) {
-                    if (otherEntity.getAccountId() == caller.getAccountId()
-                            || (checkAccess(caller, otherEntity, accessType, action) && otherEntity.getAccountId() == entity
-                                    .getAccountId())) {
-                        continue;
-                    } else {
-                        otherEntitiesAccess = false;
-                        break;
+                    if (otherEntity != entity) {
+                        if (otherEntity.getAccountId() == caller.getAccountId()
+                                || (checkAccess(caller, otherEntity, accessType, action) && otherEntity.getAccountId() == entity
+                                        .getAccountId())) {
+                            continue;
+                        } else {
+                            otherEntitiesAccess = false;
+                            break;
+                        }
                     }
                 }
 
@@ -262,6 +263,8 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
                 if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
                     return true;
                 }
+            } else if (scope.equals(PermissionScope.ALL.name())) {
+                return true;
             }
         }
         return false;
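Review bot: The new `else if (scope.equals(PermissionScope.ALL.name()))` branch returns true for any entity with no further condition, which makes an ALL-scoped policy an unconditional grant that bypasses the account and domain checks above it. That may be intended, but it deserves a comment, e.g. `// ALL scope: the policy grants this action on every entity, regardless of owner or domain`, and a debug-level log of the grant would make such decisions traceable. The scope is matched by string comparison against the enum's name here and in the preceding branches; resolving it to a `PermissionScope` once would avoid silent misses on a malformed value. The enclosing method starts outside the hunk.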

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/services/pom.xml
----------------------------------------------------------------------
diff --git a/services/pom.xml b/services/pom.xml
index def3027..a12a7b5 100644
--- a/services/pom.xml
+++ b/services/pom.xml
@@ -47,5 +47,6 @@
     <module>console-proxy</module>
     <module>console-proxy-rdp/rdpconsole</module>
     <module>secondary-storage</module>
+    <module>iam</module>
   </modules>
 </project>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/26a6aa54/test/integration/smoke/test_vm_iam.py
----------------------------------------------------------------------
diff --git a/test/integration/smoke/test_vm_iam.py b/test/integration/smoke/test_vm_iam.py
new file mode 100644
index 0000000..be75a79
--- /dev/null
+++ b/test/integration/smoke/test_vm_iam.py
@@ -0,0 +1,719 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+# 
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+""" BVT tests for Virtual Machine IAM effect
+"""
+#Import Local Modules
+import marvin
+from marvin.cloudstackTestCase import *
+from marvin.cloudstackAPI import *
+from marvin.lib.utils import *
+from marvin.lib.base import *
+from marvin.lib.common import *
+from marvin.codes import FAILED
+from nose.plugins.attrib import attr
+#Import System modules
+import time
+
+_multiprocess_shared_ = True
+class Services:
+    """Test VM Life Cycle Services
+    """
+
+    def __init__(self):
+        self.services = {
+            #data for domains and accounts
+            "domain1": {
+                "name": "Domain1",
+             },
+            "account1A": {
+                "email": "test1A@test.com",
+                "firstname": "test1A",
+                "lastname": "User",
+                "username": "test1A",
+                "password": "password",
+            },
+            "account1B": {
+                "email": "test1B@test.com",
+                "firstname": "test1B",
+                "lastname": "User",
+                "username": "test1B",
+                "password": "password",
+            },                         
+            "domain2": {
+                "name": "Domain2",
+             },
+            "account2A": {
+                "email": "test2A@test.com",
+                "firstname": "test2A",
+                "lastname": "User",
+                "username": "test2A",
+                "password": "password",
+            },
+            #data reqd for virtual machine creation
+            "virtual_machine1A" : {
+                "name" : "test1Avm",
+                "displayname" : "Test1A  VM",
+            },
+            "virtual_machine1B" : {
+                "name" : "test1Bvm",
+                "displayname" : "Test1B  VM",
+            }, 
+            "virtual_machine2A" : {
+                "name" : "test2Avm",
+                "displayname" : "Test2A  VM",
+            },                                                 
+            #small service offering
+            "service_offering": {
+                "small": {
+                    "name": "Small Instance",
+                    "displaytext": "Small Instance",
+                    "cpunumber": 1,
+                    "cpuspeed": 100,
+                    "memory": 128,
+                },
+            },
+            "ostype": 'CentOS 5.6 (64-bit)',
+            # iam group and policy information
+            "service_desk_iam_grp" : {
+                "name" : "Service Desk",
+                "description" : "Service Desk IAM Group"
+            },
+            "vm_readonly_iam_policy" : {
+                "name" : "VM Read Only Access",
+                "description" : "VM read only access iam policy"
+            },
+        }
+
+
+
+class TestVMIam(cloudstackTestCase):
+
+    @classmethod
+    def setUpClass(self):
+        testClient = super(TestVMIam, self).getClsTestClient()
+        self.apiclient = testClient.getApiClient()
+        self.services = Services().services
+        
+        # backup default apikey and secretkey
+        self.default_apikey = self.apiclient.connection.apiKey
+        self.default_secretkey = self.apiclient.connection.securityKey
+
+        # Create domains and accounts etc
+        self.domain_1 = Domain.create(
+                                   self.apiclient,
+                                   self.services["domain1"]
+                                   )
+        self.domain_2 = Domain.create(
+                                   self.apiclient,
+                                   self.services["domain2"]
+                                   )
+        # Create two accounts for doamin_1
+        self.account_1A = Account.create(
+                            self.apiclient,
+                            self.services["account1A"],
+                            admin=False,
+                            domainid=self.domain_1.id
+                            )
+        
+        self.account_1B = Account.create(
+                            self.apiclient,
+                            self.services["account1B"],
+                            admin=False,
+                            domainid=self.domain_1.id
+                            )        
+
+        # Create an account for domain_2
+        self.account_2A = Account.create(
+                            self.apiclient,
+                            self.services["account2A"],
+                            admin=False,
+                            domainid=self.domain_2.id
+                            )
+        
+        # Fetch user details to register apiKey for them
+        self.user_1A = User.list(
+                          self.apiclient,
+                          account=self.account_1A.name,
+                          domainid=self.account_1A.domainid
+                          )[0]
+       
+        user_1A_key = User.registerUserKeys(
+                        self.apiclient,
+                        self.user_1A.id
+                      )  
+        self.user_1A_apikey = user_1A_key.apikey
+        self.user_1A_secretkey = user_1A_key.secretkey
+        
+                         
+        self.user_1B = User.list(
+                          self.apiclient,
+                          account=self.account_1B.name,
+                          domainid=self.account_1B.domainid
+                          )[0]
+       
+        user_1B_key = User.registerUserKeys(
+                        self.apiclient,
+                        self.user_1B.id
+                      )  
+       
+        self.user_1B_apikey = user_1B_key.apikey
+        self.user_1B_secretkey = user_1B_key.secretkey                    
+
+ 
+        self.user_2A = User.list(
+                          self.apiclient,
+                          account=self.account_2A.name,
+                          domainid=self.account_2A.domainid
+                          )[0]
+       
+        user_2A_key = User.registerUserKeys(
+                        self.apiclient,
+                        self.user_2A.id
+                      )  
+        self.user_2A_apikey = user_2A_key.apikey
+        self.user_2A_secretkey = user_2A_key.secretkey
+                
+        # create service offering
+        self.service_offering = ServiceOffering.create(
+                                self.apiclient,
+                                self.services["service_offering"]["small"]
+                                )
+        
+        self.zone = get_zone(self.apiclient, testClient.getZoneForTests())
+        self.services['mode'] = self.zone.networktype
+        self.template = get_template(self.apiclient, self.zone.id, self.services["ostype"])
+
+        # deploy 3 VMs for three accounts
+        self.virtual_machine_1A = VirtualMachine.create(
+            self.apiclient,
+            self.services["virtual_machine1A"],
+            accountid=self.account_1A.name,
+            zoneid=self.zone.id,
+            domainid=self.account_1A.domainid,
+            serviceofferingid=self.service_offering.id,
+            templateid=self.template.id
+        )  
+        
+        self.virtual_machine_1B = VirtualMachine.create(
+            self.apiclient,
+            self.services["virtual_machine1B"],
+            accountid=self.account_1B.name,
+            zoneid=self.zone.id,
+            domainid=self.account_1B.domainid,
+            serviceofferingid=self.service_offering.id,
+            templateid=self.template.id
+        )  
+        
+        self.virtual_machine_2A = VirtualMachine.create(
+            self.apiclient,
+            self.services["virtual_machine2A"],
+            accountid=self.account_2A.name,
+            zoneid=self.zone.id,
+            domainid=self.account_2A.domainid,
+            serviceofferingid=self.service_offering.id,
+            templateid=self.template.id
+        )   
+        
+        self.srv_desk_grp = IAMGroup.create(
+            self.apiclient, 
+            self.services["service_desk_iam_grp"]
+        )                             
+
+        self.vm_read_policy = IAMPolicy.create(
+            self.apiclient, 
+            self.services["vm_readonly_iam_policy"]
+        )
+        
+        self.srv_desk_grp.attachPolicy(
+            self.apiclient, [self.vm_read_policy]
+        )
+        
+        vm_grant_policy_params = {}
+        vm_grant_policy_params['name'] = "policyGrantVirtualMachine" + self.virtual_machine_1A.id
+        vm_grant_policy_params['description'] = "Policy to grant permission to VirtualMachine " + self.virtual_machine_1A.id
+        self.vm_grant_policy = IAMPolicy.create(
+            self.apiclient, 
+            vm_grant_policy_params
+        )   
+        
+        self._cleanup = [
+                        self.account_1A,
+                        self.account_1B,
+                        self.domain_1,
+                        self.account_2A,
+                        self.domain_2,
+                        self.service_offering,
+                        self.vm_read_policy,
+                        self.srv_desk_grp,
+                        self.vm_grant_policy
+                        ]
+
+    @classmethod
+    def tearDownClass(self):
+        self.apiclient = super(TestVMIam, self).getClsTestClient().getApiClient()
+        cleanup_resources(self.apiclient, self._cleanup)
+        return
+
+    def setUp(self):
+        self.apiclient = self.testClient.getApiClient()
+        self.dbclient = self.testClient.getDbConnection()
+        self.cleanup = []
+
+    def tearDown(self):
+        # restore back default apikey and secretkey
+        self.apiclient.connection.apiKey = self.default_apikey
+        self.apiclient.connection.securityKey = self.default_secretkey
+        cleanup_resources(self.apiclient, self.cleanup)
+        return
+
+    
+
+    @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+    def test_01_list_own_vm(self):
+        #  listVM command should return owne's VM
+
+        self.debug("Listing VM for account: %s" % self.account_1A.name)
+
+        self.apiclient.connection.apiKey = self.user_1A_apikey
+        self.apiclient.connection.securityKey = self.user_1A_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            1,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        self.assertEqual(
+            list_vm_response[0].name,
+            self.virtual_machine_1A.name,
+            "Virtual Machine names do not match"
+        )
+
+        self.debug("Listing VM for account: %s" % self.account_1B.name)
+        self.apiclient.connection.apiKey = self.user_1B_apikey
+        self.apiclient.connection.securityKey = self.user_1B_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            1,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        self.assertEqual(
+            list_vm_response[0].name,
+            self.virtual_machine_1B.name,
+            "Virtual Machine names do not match"
+        )
+        
+        self.debug("Listing VM for account: %s" % self.account_2A.name)
+
+        self.apiclient.connection.apiKey = self.user_2A_apikey
+        self.apiclient.connection.securityKey = self.user_2A_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            1,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        self.assertEqual(
+            list_vm_response[0].name,
+            self.virtual_machine_2A.name,
+            "Virtual Machine names do not match"
+        )
+                
+        return
+        
+    @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+    def test_02_grant_domain_vm(self):
+ 
+        # Validate the following
+        # 1. Grant domain2 VM access to account_1B
+        # 2. listVM command should return account_1B and domain_2 VMs.
+
+        self.debug("Granting Domain %s VM read only access to account: %s" % (self.domain_2.name, self.account_1B.name))
+        
+        self.srv_desk_grp.addAccount(self.apiclient, [self.account_1B])
+        domain_permission = {}
+        domain_permission['action'] = "listVirtualMachines"
+        domain_permission['entitytype'] = "VirtualMachine"
+        domain_permission['scope'] = "DOMAIN"
+        domain_permission['scopeid'] = self.domain_2.id
+        self.vm_read_policy.addPermission(self.apiclient, domain_permission)
+        
+        self.debug("Listing VM for account: %s" % self.account_1B.name)
+        self.apiclient.connection.apiKey = self.user_1B_apikey
+        self.apiclient.connection.securityKey = self.user_1B_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            2,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        list_vm_names = [list_vm_response[0].name, list_vm_response[1].name]
+        
+        self.assertEqual( self.virtual_machine_1B.name in list_vm_names,
+                          True,
+                          "Accessible Virtual Machine names do not match"
+                          )
+        
+        self.assertEqual( self.virtual_machine_2A.name in list_vm_names,
+                          True,
+                          "Accessible Virtual Machine names do not match"
+                          )        
+        
+        return
+
+
+    @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+    def test_03_grant_account_vm(self):
+ 
+        # Validate the following
+        # 1. Grant account_1A VM access to account_1B
+        # 2. listVM command should return account_1A and account_1B VMs.
+
+        self.debug("Granting Account %s VM read only access to account: %s" % (self.account_1A.name, self.account_1B.name))
+        
+        account_permission = {}
+        account_permission['action'] = "listVirtualMachines"
+        account_permission['entitytype'] = "VirtualMachine"
+        account_permission['scope'] = "ACCOUNT"
+        account_permission['scopeid'] = self.account_1A.id
+        self.vm_read_policy.addPermission(self.apiclient, account_permission)
+        
+        self.debug("Listing VM for account: %s" % self.account_1B.name)
+        self.apiclient.connection.apiKey = self.user_1B_apikey
+        self.apiclient.connection.securityKey = self.user_1B_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            3,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        list_vm_names = [list_vm_response[0].name, list_vm_response[1].name, list_vm_response[2].name]
+        
+        self.assertEqual( self.virtual_machine_1B.name in list_vm_names,
+                          True,
+                          "Accessible Virtual Machine names do not match"
+                          )
+        
+        self.assertEqual( self.virtual_machine_1A.name in list_vm_names,
+                          True,
+                          "Accessible Virtual Machine names do not match"
+                          )    
+                
+        self.assertEqual( self.virtual_machine_2A.name in list_vm_names,
+                          True,
+                          "Accessible Virtual Machine names do not match"
+                          )        
+        
+        return
+
+
+    @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+    def test_04_revoke_account_vm(self):
+ 
+        # Validate the following
+        # 1. Revoke account_1A VM access from account_1B
+        # 2. listVM command should not return account_1A VMs.
+
+        self.debug("Revoking Account %s VM read only access from account: %s" % (self.account_1A.name, self.account_1B.name))
+        
+        account_permission = {}
+        account_permission['action'] = "listVirtualMachines"
+        account_permission['entitytype'] = "VirtualMachine"
+        account_permission['scope'] = "ACCOUNT"
+        account_permission['scopeid'] = self.account_1A.id
+        self.vm_read_policy.removePermission(self.apiclient, account_permission)
+        
+        self.debug("Listing VM for account: %s" % self.account_1B.name)
+        self.apiclient.connection.apiKey = self.user_1B_apikey
+        self.apiclient.connection.securityKey = self.user_1B_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            2,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        list_vm_names = [list_vm_response[0].name, list_vm_response[1].name]
+        
+       
+        self.assertEqual( self.virtual_machine_1A.name in list_vm_names,
+                          False,
+                          "Accessible Virtual Machine names do not match"
+                          )    
+        return
+    
+    
+    @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+    def test_05_revoke_domain_vm(self):
+ 
+        # Validate the following
+        # 1. Revoke account_1A VM access from account_1B
+        # 2. listVM command should not return account_1A VMs.
+
+        self.debug("Revoking Domain %s VM read only access from account: %s" % (self.domain_1.name, self.account_1B.name))
+        
+        domain_permission = {}
+        domain_permission['action'] = "listVirtualMachines"
+        domain_permission['entitytype'] = "VirtualMachine"
+        domain_permission['scope'] = "DOMAIN"
+        domain_permission['scopeid'] = self.domain_2.id
+        self.vm_read_policy.removePermission(self.apiclient, domain_permission)
+        
+        self.debug("Listing VM for account: %s" % self.account_1B.name)
+        self.apiclient.connection.apiKey = self.user_1B_apikey
+        self.apiclient.connection.securityKey = self.user_1B_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            1,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        self.assertEqual(
+            list_vm_response[0].name,
+            self.virtual_machine_1B.name,
+            "Virtual Machine names do not match"
+        )
+         
+        return    
+    
+    @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+    def test_06_grant_resource_vm(self):
+ 
+        # Validate the following
+        # 1. Grant a particular vm access to account_1B
+        # 2. listVM command should return account_1B VMs and granted VM.
+
+        self.debug("Granting VM %s read only access to account: %s" % (self.virtual_machine_1A.name, self.account_1B.name))
+        
+        res_permission = {}
+        res_permission['action'] = "listVirtualMachines"
+        res_permission['entitytype'] = "VirtualMachine"
+        res_permission['scope'] = "RESOURCE"
+        res_permission['scopeid'] = self.virtual_machine_1A.id
+        self.vm_read_policy.addPermission(self.apiclient, res_permission)
+        
+        self.debug("Listing VM for account: %s" % self.account_1B.name)
+        self.apiclient.connection.apiKey = self.user_1B_apikey
+        self.apiclient.connection.securityKey = self.user_1B_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            2,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        list_vm_names = [list_vm_response[0].name, list_vm_response[1].name]
+        
+        self.assertEqual( self.virtual_machine_1B.name in list_vm_names,
+                          True,
+                          "Accessible Virtual Machine names do not match"
+                          )
+        
+        self.assertEqual( self.virtual_machine_1A.name in list_vm_names,
+                          True,
+                          "Accessible Virtual Machine names do not match"
+                          )    
+                
+        return    
+    
+    @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+    def test_07_revoke_resource_vm(self):
+ 
+        # Validate the following
+        # 1. Grant a particular vm access to account_1B
+        # 2. listVM command should return account_1B VMs and granted VM.
+
+        self.debug("Revoking VM %s read only access from account: %s" % (self.virtual_machine_1A.name, self.account_1B.name))
+        
+        res_permission = {}
+        res_permission['action'] = "listVirtualMachines"
+        res_permission['entitytype'] = "VirtualMachine"
+        res_permission['scope'] = "RESOURCE"
+        res_permission['scopeid'] = self.virtual_machine_1A.id
+        self.vm_read_policy.removePermission(self.apiclient, res_permission)
+        
+        self.debug("Listing VM for account: %s" % self.account_1B.id)
+        self.apiclient.connection.apiKey = self.user_1B_apikey
+        self.apiclient.connection.securityKey = self.user_1B_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            1,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        self.assertEqual(
+            list_vm_response[0].name,
+            self.virtual_machine_1B.name,
+            "Virtual Machine names do not match"
+        )
+        
+        return      
+    
+    
+    @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+    def test_08_policy_attach_account(self):
+ 
+        # Validate the following
+        # 1. Grant a particular vm access to account_1B by directly attaching policy to account
+        # 2. listVM command should return account_1B VMs and granted VM.
+
+        self.debug("Granting VM %s read only access to account: %s by attaching policy to account" % (self.virtual_machine_1A.name, self.account_1B.name))
+        
+        res_permission = {}
+        res_permission['action'] = "listVirtualMachines"
+        res_permission['entitytype'] = "VirtualMachine"
+        res_permission['scope'] = "RESOURCE"
+        res_permission['scopeid'] = self.virtual_machine_1A.id
+        self.vm_grant_policy.addPermission(self.apiclient, res_permission)
+        self.vm_grant_policy.attachAccount(self.apiclient, [self.account_1B])
+        
+        self.debug("Listing VM for account: %s" % self.account_1B.id)
+        self.apiclient.connection.apiKey = self.user_1B_apikey
+        self.apiclient.connection.securityKey = self.user_1B_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            2,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        list_vm_names = [list_vm_response[0].name, list_vm_response[1].name]
+        
+        self.assertEqual( self.virtual_machine_1B.name in list_vm_names,
+                          True,
+                          "Accessible Virtual Machine names do not match"
+                          )
+        
+        self.assertEqual( self.virtual_machine_1A.name in list_vm_names,
+                          True,
+                          "Accessible Virtual Machine names do not match"
+                          )    
+                
+        return     
+    
+    @attr(tags = ["devcloud", "advanced", "advancedns", "smoke", "basic", "sg", "selfservice"])
+    def test_09_policy_detach_account(self):
+ 
+        # Validate the following
+        # 1. Revoking a particular vm access from account_1B by detaching policy from account
+        # 2. listVM command should return account_1B VMs.
+
+        self.debug("Revoking VM %s read only access from account: %s by detaching policy from account" % (self.virtual_machine_1A.name, self.account_1B.name))
+        
+        self.vm_grant_policy.detachAccount(self.apiclient, [self.account_1B])
+        
+        self.debug("Listing VM for account: %s" % self.account_1B.id)
+        self.apiclient.connection.apiKey = self.user_1B_apikey
+        self.apiclient.connection.securityKey = self.user_1B_secretkey
+        list_vm_response = list_virtual_machines(
+                                            self.apiclient
+                                            )
+        self.assertEqual(
+                            isinstance(list_vm_response, list),
+                            True,
+                            "Check list response returns a valid list"
+                        )
+        self.assertEqual(
+                            len(list_vm_response),
+                            1,
+                            "Check VM available in List Virtual Machines"
+                        )
+
+        self.assertEqual(
+            list_vm_response[0].name,
+            self.virtual_machine_1B.name,
+            "Virtual Machine names do not match"
+        )
+        
+        return         
\ No newline at end of file

