cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prachida...@apache.org
Subject [1/2] git commit: updated refs/heads/4.4-forward-iam-disabled to d5555aa
Date Thu, 15 May 2014 22:44:28 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.4-forward-iam-disabled 986d2ddc7 -> d5555aa88


Revert the @ACL annotation processing back to 4.3 logic


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e30d9a99
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e30d9a99
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e30d9a99

Branch: refs/heads/4.4-forward-iam-disabled
Commit: e30d9a99f7589817e07cee7d779c9991487022a8
Parents: 986d2dd
Author: Prachi Damle <prachi@cloud.com>
Authored: Thu May 15 15:33:37 2014 -0700
Committer: Prachi Damle <prachi@cloud.com>
Committed: Thu May 15 15:33:37 2014 -0700

----------------------------------------------------------------------
 .../cloud/api/dispatch/ParamProcessWorker.java  | 110 +++----------------
 1 file changed, 15 insertions(+), 95 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e30d9a99/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
index eb4c76b..f4e3cd4 100644
--- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -35,10 +35,14 @@ import javax.inject.Inject;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.InfrastructureEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCreateCmd;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.BaseCmd.CommandType;
 import org.apache.cloudstack.api.EntityReference;
@@ -53,6 +57,7 @@ import org.apache.cloudstack.api.command.user.event.ListEventsCmd;
 import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.utils.DateUtil;
 import com.cloud.utils.db.EntityManager;
@@ -209,118 +214,33 @@ public class ParamProcessWorker implements DispatchWorker {
 
         }
 
-        // doAccessChecks(cmd, entitiesToAccess);
+        doAccessChecks(cmd, entitiesToAccess);
     }
 
 
-    /* IAM feature disabled.
-     * private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType>
entitiesToAccess) {
+    private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess)
{
         Account caller = CallContext.current().getCallingAccount();
-        Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
-        if (owner == null) {
-            owner = caller;
-        }
+        Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId());
 
         if (cmd instanceof BaseAsyncCreateCmd) {
-            if (owner.getId() != caller.getId()) {
-                // mimic impersonation either by passing (account, domainId) or through derived
owner from other api parameters
-                // in this case, we should check access using the owner
-                _accountMgr.checkAccess(caller, null, true, owner);
-            }
-        } else {
-            // check access using the caller for other operational cmds
-            owner = caller;
+            // check that caller can access the owner account.
+            _accountMgr.checkAccess(caller, null, true, owner);
         }
 
-        APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
-        String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
-
         if (!entitiesToAccess.isEmpty()) {
-            List<ControlledEntity> entitiesToOperate = new ArrayList<ControlledEntity>();
-
+            // check that caller can access the owner account.
+            _accountMgr.checkAccess(caller, null, true, owner);
             for (Object entity : entitiesToAccess.keySet()) {
                 if (entity instanceof ControlledEntity) {
-
-                    if (AccessType.OperateEntry == entitiesToAccess.get(entity)) {
-                        entitiesToOperate.add((ControlledEntity) entity);
-                    } else {
-                        _accountMgr.checkAccess(owner, entitiesToAccess.get(entity), false,
apiName,
-                                (ControlledEntity) entity);
-                    }
+                    _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity)
entity);
                 } else if (entity instanceof InfrastructureEntity) {
-                    if (entity instanceof DataCenter) {
-                        checkZoneAccess(owner, (DataCenter)entity);
-                    } else if (entity instanceof ServiceOffering) {
-                        checkServiceOfferingAccess(owner, (ServiceOffering)entity);
-                    } else if (entity instanceof DiskOffering) {
-                        checkDiskOfferingAccess(owner, (DiskOffering)entity);
-                    }
+                    // FIXME: Move this code in adapter, remove code from
+                    // Account manager
                 }
             }
-
-            if (!entitiesToOperate.isEmpty()) {
-                _accountMgr.checkAccess(owner, AccessType.OperateEntry, false, apiName,
-                        (ControlledEntity[]) entitiesToOperate.toArray());
-            }
-
         }
     }
 
-    private void checkDiskOfferingAccess(Account caller, DiskOffering dof) {
-        for (SecurityChecker checker : _secChecker) {
-            if (checker.checkAccess(caller, dof)) {
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug("Access granted to " + caller + " to disk offering:" +
dof.getId() + " by "
-                            + checker.getName());
-                }
-                return;
-            } else {
-                throw new PermissionDeniedException("Access denied to " + caller + " by "
+ checker.getName());
-            }
-        }
-
-        assert false : "How can all of the security checkers pass on checking this caller?";
-        throw new PermissionDeniedException("There's no way to confirm " + caller + " has
access to disk offering:"
-                + dof.getId());
-    }
-
-    private void checkServiceOfferingAccess(Account caller, ServiceOffering sof) {
-        for (SecurityChecker checker : _secChecker) {
-            if (checker.checkAccess(caller, sof)) {
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug("Access granted to " + caller + " to service offering:"
+ sof.getId() + " by "
-                            + checker.getName());
-                }
-                return;
-            } else {
-                throw new PermissionDeniedException("Access denied to " + caller + " by "
+ checker.getName());
-            }
-        }
-
-        assert false : "How can all of the security checkers pass on checking this caller?";
-        throw new PermissionDeniedException("There's no way to confirm " + caller + " has
access to service offering:"
-                + sof.getId());
-    }
-
-    private void checkZoneAccess(Account caller, DataCenter zone) {
-        for (SecurityChecker checker : _secChecker) {
-            if (checker.checkAccess(caller, zone)) {
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug("Access granted to " + caller + " to zone:" + zone.getId()
+ " by "
-                            + checker.getName());
-                }
-                return;
-            } else {
-                throw new PermissionDeniedException("Access denied to " + caller + " by "
+ checker.getName()
-                        + " for zone " + zone.getId());
-            }
-        }
-
-        assert false : "How can all of the security checkers pass on checking this caller?";
-        throw new PermissionDeniedException("There's no way to confirm " + caller + " has
access to zone:"
-                + zone.getId());
-    }*/
-
     @SuppressWarnings({"unchecked", "rawtypes"})
     private void setFieldValue(final Field field, final BaseCmd cmdObj, final Object paramObj,
final Parameter annotation) throws IllegalArgumentException, ParseException {
         try {


Mime
View raw message