Return-Path: X-Original-To: apmail-cloudstack-commits-archive@www.apache.org Delivered-To: apmail-cloudstack-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E56381169D for ; Mon, 19 May 2014 23:28:37 +0000 (UTC) Received: (qmail 7913 invoked by uid 500); 19 May 2014 23:28:37 -0000 Delivered-To: apmail-cloudstack-commits-archive@cloudstack.apache.org Received: (qmail 7771 invoked by uid 500); 19 May 2014 23:28:37 -0000 Mailing-List: contact commits-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list commits@cloudstack.apache.org Received: (qmail 7302 invoked by uid 99); 19 May 2014 23:28:37 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 19 May 2014 23:28:37 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id E1FDE9366FC; Mon, 19 May 2014 23:28:36 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: mchen@apache.org To: commits@cloudstack.apache.org Date: Mon, 19 May 2014 23:28:42 -0000 Message-Id: <5a86c8fcc0304f7fbd234561b7f9a7ce@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [7/7] git commit: updated refs/heads/4.4-forward to f748a55 Disable IAM feature from 4.4 release. Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f748a552 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f748a552 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f748a552 Branch: refs/heads/4.4-forward Commit: f748a552e9546e91e18c574b375f3ea6c8d7e043 Parents: 378e1da Author: Min Chen Authored: Wed May 14 10:21:46 2014 -0700 Committer: Min Chen Committed: Mon May 19 16:27:50 2014 -0700 ---------------------------------------------------------------------- api/src/com/cloud/network/NetworkModel.java | 4 - api/src/com/cloud/user/AccountService.java | 7 +- .../apache/cloudstack/acl/SecurityChecker.java | 6 +- .../address/AssociateIPAddrCmdByAdmin.java | 5 +- .../command/admin/vm/AddNicToVMCmdByAdmin.java | 1 + .../user/address/AssociateIPAddrCmd.java | 1 - .../firewall/CreatePortForwardingRuleCmd.java | 1 + .../AssignToLoadBalancerRuleCmd.java | 9 +- .../ListLBStickinessPoliciesCmd.java | 4 +- .../command/user/nat/DisableStaticNatCmd.java | 5 +- .../command/user/nat/EnableStaticNatCmd.java | 9 +- .../user/snapshot/CreateSnapshotCmd.java | 2 - .../api/command/user/vm/AddNicToVMCmd.java | 1 - .../user/vmsnapshot/CreateVMSnapshotCmd.java | 3 +- .../command/user/volume/AttachVolumeCmd.java | 4 +- .../command/user/volume/CreateVolumeCmd.java | 4 - client/pom.xml | 10 - client/tomcatconf/commands.properties.in | 15 - .../core/spring-core-registry-core-context.xml | 2 +- .../com/cloud/upgrade/dao/Upgrade430to440.java | 47 - .../db/src/com/cloud/utils/db/SearchBase.java | 12 +- .../lb/InternalLoadBalancerVMManagerImpl.java | 9 +- .../contrail/management/ServiceManagerImpl.java | 5 +- .../contrail/management/MockAccountManager.java | 86 +- .../spring-server-core-managers-context.xml | 1 - server/src/com/cloud/acl/DomainChecker.java | 19 +- server/src/com/cloud/api/ApiDispatcher.java | 22 + server/src/com/cloud/api/ApiResponseHelper.java | 2 +- .../cloud/api/dispatch/ParamProcessWorker.java | 107 +- .../com/cloud/api/query/QueryManagerImpl.java | 743 ++----- .../configuration/ConfigurationManagerImpl.java | 3 +- .../com/cloud/network/IpAddressManagerImpl.java | 17 +- .../src/com/cloud/network/NetworkModelImpl.java | 45 +- .../com/cloud/network/NetworkServiceImpl.java | 26 +- .../cloud/network/as/AutoScaleManagerImpl.java | 38 +- .../network/firewall/FirewallManagerImpl.java | 23 +- .../lb/LoadBalancingRulesManagerImpl.java | 52 +- .../VirtualNetworkApplianceManagerImpl.java | 10 +- .../cloud/network/rules/RulesManagerImpl.java | 46 +- .../security/SecurityGroupManagerImpl.java | 8 +- .../network/vpc/NetworkACLServiceImpl.java | 56 +- .../com/cloud/network/vpc/VpcManagerImpl.java | 65 +- .../network/vpn/RemoteAccessVpnManagerImpl.java | 42 +- .../network/vpn/Site2SiteVpnManagerImpl.java | 57 +- .../com/cloud/projects/ProjectManagerImpl.java | 18 +- .../resourcelimit/ResourceLimitManagerImpl.java | 8 +- .../com/cloud/server/ManagementServerImpl.java | 36 +- .../com/cloud/servlet/ConsoleProxyServlet.java | 2 +- .../com/cloud/storage/VolumeApiServiceImpl.java | 23 +- .../storage/snapshot/SnapshotManagerImpl.java | 26 +- .../cloud/tags/TaggedResourceManagerImpl.java | 4 +- .../com/cloud/template/TemplateAdapterBase.java | 4 +- .../com/cloud/template/TemplateManagerImpl.java | 34 +- server/src/com/cloud/user/AccountManager.java | 33 +- .../src/com/cloud/user/AccountManagerImpl.java | 649 +++++-- server/src/com/cloud/vm/UserVmManagerImpl.java | 111 +- .../vm/snapshot/VMSnapshotManagerImpl.java | 25 +- .../affinity/AffinityGroupServiceImpl.java | 13 +- .../lb/ApplicationLoadBalancerManagerImpl.java | 15 +- .../cloudstack/network/lb/CertServiceImpl.java | 8 +- .../GlobalLoadBalancingRulesServiceImpl.java | 14 +- .../com/cloud/event/EventControlsUnitTest.java | 2 +- .../com/cloud/network/MockNetworkModelImpl.java | 8 - .../com/cloud/user/MockAccountManagerImpl.java | 75 +- server/test/com/cloud/vm/UserVmManagerTest.java | 8 +- .../vm/snapshot/VMSnapshotManagerTest.java | 2 +- .../com/cloud/vpc/MockNetworkModelImpl.java | 8 - .../iam/RoleBasedEntityAccessChecker.java | 19 +- .../cloudstack/iam/server/IAMServiceImpl.java | 1811 +++++++++--------- services/pom.xml | 1 - test/integration/smoke/test_vm_iam.py | 719 ------- 71 files changed, 2087 insertions(+), 3223 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/com/cloud/network/NetworkModel.java ---------------------------------------------------------------------- diff --git a/api/src/com/cloud/network/NetworkModel.java b/api/src/com/cloud/network/NetworkModel.java index 1e0a8e8..f6555db 100644 --- a/api/src/com/cloud/network/NetworkModel.java +++ b/api/src/com/cloud/network/NetworkModel.java @@ -22,8 +22,6 @@ import java.util.List; import java.util.Map; import java.util.Set; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; - import com.cloud.dc.Vlan; import com.cloud.exception.InsufficientAddressCapacityException; import com.cloud.exception.InvalidParameterValueException; @@ -275,6 +273,4 @@ public interface NetworkModel { boolean isNetworkReadyForGc(long networkId); boolean getNetworkEgressDefaultPolicy(Long networkId); - - void checkNetworkPermissions(Account owner, Network network, AccessType accessType); } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/com/cloud/user/AccountService.java ---------------------------------------------------------------------- diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java index 6cc86cd..eac8a76 100755 --- a/api/src/com/cloud/user/AccountService.java +++ b/api/src/com/cloud/user/AccountService.java @@ -103,11 +103,12 @@ public interface AccountService { RoleType getRoleType(Account account); - void checkAccess(Account caller, Domain domain) throws PermissionDeniedException; + void checkAccess(Account account, Domain domain) throws PermissionDeniedException; - void checkAccess(Account caller, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException; + void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException; - void checkAccess(Account caller, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException; + void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName, + ControlledEntity... entities) throws PermissionDeniedException; Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/acl/SecurityChecker.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/acl/SecurityChecker.java b/api/src/org/apache/cloudstack/acl/SecurityChecker.java index 79366bd..4170871 100644 --- a/api/src/org/apache/cloudstack/acl/SecurityChecker.java +++ b/api/src/org/apache/cloudstack/acl/SecurityChecker.java @@ -31,10 +31,10 @@ import com.cloud.utils.component.Adapter; public interface SecurityChecker extends Adapter { public enum AccessType { - ListEntry, - UseEntry, - OperateEntry, ModifyProject, + OperateEntry, + UseEntry, + ListEntry } /** http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java index 494a6d6..dbff93f 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java +++ b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java @@ -31,11 +31,8 @@ import com.cloud.exception.InsufficientCapacityException; import com.cloud.exception.ResourceAllocationException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.IpAddress; -import com.cloud.network.vpc.Vpc; -@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full, - entityType = {IpAddress.class, Vpc.class}, - requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) +@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full) public class AssociateIPAddrCmdByAdmin extends AssociateIPAddrCmd { public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmdByAdmin.class.getName()); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java index 3dd22c1..945f849 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java +++ b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java @@ -33,6 +33,7 @@ import org.apache.cloudstack.context.CallContext; import com.cloud.uservm.UserVm; import com.cloud.vm.VirtualMachine; + @APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, entityType = {VirtualMachine.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = true) public class AddNicToVMCmdByAdmin extends AddNicToVMCmd { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java index 48fe43e..96174e1 100644 --- a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java @@ -58,7 +58,6 @@ import com.cloud.projects.Project; import com.cloud.user.Account; @APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Restricted, - entityType = {IpAddress.class, Vpc.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class AssociateIPAddrCmd extends BaseAsyncCreateCmd { public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmd.class.getName()); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java index 6fb120f..865cd1b 100644 --- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java @@ -49,6 +49,7 @@ import com.cloud.utils.net.Ip; import com.cloud.utils.net.NetUtils; import com.cloud.vm.VirtualMachine; + @APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class, VirtualMachine.class, IpAddress.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java index db4d70e..dd9adef 100644 --- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java @@ -23,11 +23,8 @@ import java.util.Iterator; import java.util.List; import java.util.Map; -import com.cloud.utils.net.NetUtils; import org.apache.log4j.Logger; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; @@ -41,15 +38,15 @@ import org.apache.cloudstack.context.CallContext; import com.cloud.event.EventTypes; import com.cloud.exception.InvalidParameterValueException; -import com.cloud.network.rules.FirewallRule; import com.cloud.network.rules.LoadBalancer; import com.cloud.user.Account; import com.cloud.utils.StringUtils; +import com.cloud.utils.net.NetUtils; import com.cloud.vm.VirtualMachine; @APICommand(name = "assignToLoadBalancerRule", description = "Assigns virtual machine or a list of virtual machines to a load balancer rule.", - responseObject = SuccessResponse.class, entityType = {FirewallRule.class, VirtualMachine.class}, + responseObject = SuccessResponse.class, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd { @@ -61,7 +58,6 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd { //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// - @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = FirewallRuleResponse.class, @@ -69,7 +65,6 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd { description = "the ID of the load balancer rule") private Long id; - @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.VIRTUAL_MACHINE_IDS, type = CommandType.LIST, collectionType = CommandType.UUID, http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java index dd03191..9905c0b 100644 --- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java @@ -86,7 +86,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd { if (lb != null) { //check permissions Account caller = CallContext.current().getCallingAccount(); - _accountService.checkAccess(caller, null, lb); + _accountService.checkAccess(caller, null, true, lb); List stickinessPolicies = _lbService.searchForLBStickinessPolicies(this); LBStickinessResponse spResponse = _responseGenerator.createLBStickinessPolicyResponse(stickinessPolicies, lb); spResponses.add(spResponse); @@ -94,7 +94,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd { } response.setResponseName(getCommandName()); - setResponseObject(response); + this.setResponseObject(response); } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java index 2a9311e..1df77ec 100644 --- a/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/nat/DisableStaticNatCmd.java @@ -34,11 +34,8 @@ import com.cloud.exception.InvalidParameterValueException; import com.cloud.exception.NetworkRuleConflictException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.IpAddress; -import com.cloud.network.vpc.Vpc; -import com.cloud.vm.VirtualMachine; @APICommand(name = "disableStaticNat", description = "Disables static rule for given ip address", responseObject = SuccessResponse.class, - entityType = {IpAddress.class, VirtualMachine.class, Vpc.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class DisableStaticNatCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(DeletePortForwardingRuleCmd.class.getName()); @@ -92,7 +89,7 @@ public class DisableStaticNatCmd extends BaseAsyncCmd { if (result) { SuccessResponse response = new SuccessResponse(getCommandName()); - setResponseObject(response); + this.setResponseObject(response); } else { throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to disable static nat"); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java index 9d88876..aa4e287 100644 --- a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java @@ -18,8 +18,6 @@ package org.apache.cloudstack.api.command.user.nat; import org.apache.log4j.Logger; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; @@ -35,13 +33,10 @@ import com.cloud.exception.InvalidParameterValueException; import com.cloud.exception.NetworkRuleConflictException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.IpAddress; -import com.cloud.network.vpc.Vpc; import com.cloud.user.Account; import com.cloud.uservm.UserVm; -import com.cloud.vm.VirtualMachine; @APICommand(name = "enableStaticNat", description = "Enables static nat for given ip address", responseObject = SuccessResponse.class, - entityType = {IpAddress.class, VirtualMachine.class, Vpc.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class EnableStaticNatCmd extends BaseCmd { public static final Logger s_logger = Logger.getLogger(CreateIpForwardingRuleCmd.class.getName()); @@ -52,12 +47,10 @@ public class EnableStaticNatCmd extends BaseCmd { //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// - @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.IP_ADDRESS_ID, type = CommandType.UUID, entityType = IPAddressResponse.class, required = true, description = "the public IP " + "address id for which static nat feature is being enabled") private Long ipAddressId; - @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, required = true, description = "the ID of " + "the virtual machine for enabling static nat feature") private Long virtualMachineId; @@ -140,7 +133,7 @@ public class EnableStaticNatCmd extends BaseCmd { boolean result = _rulesService.enableStaticNat(ipAddressId, virtualMachineId, getNetworkId(), getVmSecondaryIp()); if (result) { SuccessResponse response = new SuccessResponse(getCommandName()); - setResponseObject(response); + this.setResponseObject(response); } else { throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to enable static nat"); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java index bd8662e..df7fe82 100644 --- a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java @@ -18,7 +18,6 @@ package org.apache.cloudstack.api.command.user.snapshot; import org.apache.log4j.Logger; -import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -63,7 +62,6 @@ public class CreateSnapshotCmd extends BaseAsyncCreateCmd { description = "The domain ID of the snapshot. If used with the account parameter, specifies a domain for the account associated with the disk volume.") private Long domainId; - @ACL @Parameter(name = ApiConstants.VOLUME_ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "The ID of the disk volume") private Long volumeId; http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java index fd30152..f265ecf 100644 --- a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java @@ -54,7 +54,6 @@ public class AddNicToVMCmd extends BaseAsyncCmd { required=true, description="Virtual Machine ID") private Long vmId; - @ACL @Parameter(name = ApiConstants.NETWORK_ID, type = CommandType.UUID, entityType = NetworkResponse.class, required = true, description = "Network ID") private Long netId; http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java index 1310ba5..10ff5cd 100644 --- a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java @@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.vmsnapshot; import java.util.logging.Logger; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; @@ -42,7 +43,7 @@ public class CreateVMSnapshotCmd extends BaseAsyncCreateCmd { public static final Logger s_logger = Logger.getLogger(CreateVMSnapshotCmd.class.getName()); private static final String s_name = "createvmsnapshotresponse"; - @ACL + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, required = true, entityType = UserVmResponse.class, description = "The ID of the vm") private Long vmId; http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java index 8034745..467ffc4 100644 --- a/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/volume/AttachVolumeCmd.java @@ -37,8 +37,7 @@ import com.cloud.storage.Volume; import com.cloud.user.Account; import com.cloud.vm.VirtualMachine; -@APICommand(name = "attachVolume", description = "Attaches a disk volume to a virtual machine.", responseObject = VolumeResponse.class, responseView = ResponseView.Restricted, entityType = { - VirtualMachine.class, Volume.class}, +@APICommand(name = "attachVolume", description = "Attaches a disk volume to a virtual machine.", responseObject = VolumeResponse.class, responseView = ResponseView.Restricted, entityType = {VirtualMachine.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class AttachVolumeCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(AttachVolumeCmd.class.getName()); @@ -53,7 +52,6 @@ public class AttachVolumeCmd extends BaseAsyncCmd { + "* 4 - /dev/xvde" + "* 5 - /dev/xvdf" + "* 6 - /dev/xvdg" + "* 7 - /dev/xvdh" + "* 8 - /dev/xvdi" + "* 9 - /dev/xvdj") private Long deviceId; - @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "the ID of the disk volume") private Long id; http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java index dc91261..1e3c01c 100644 --- a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java @@ -19,8 +19,6 @@ package org.apache.cloudstack.api.command.user.volume; import org.apache.log4j.Logger; import org.apache.cloudstack.acl.RoleType; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; -import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -93,7 +91,6 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd { @Parameter(name = ApiConstants.MAX_IOPS, type = CommandType.LONG, description = "max iops") private Long maxIops; - @ACL @Parameter(name = ApiConstants.SNAPSHOT_ID, type = CommandType.UUID, entityType = SnapshotResponse.class, @@ -106,7 +103,6 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd { @Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin}) private Boolean displayVolume; - @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/client/pom.xml ---------------------------------------------------------------------- diff --git a/client/pom.xml b/client/pom.xml index eda8a85..1a972c9 100644 --- a/client/pom.xml +++ b/client/pom.xml @@ -228,16 +228,6 @@ org.apache.cloudstack - cloud-plugin-iam - ${project.version} - - - org.apache.cloudstack - cloud-iam - ${project.version} - - - org.apache.cloudstack cloud-framework-ipc ${project.version} http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/client/tomcatconf/commands.properties.in ---------------------------------------------------------------------- diff --git a/client/tomcatconf/commands.properties.in b/client/tomcatconf/commands.properties.in index da3fbfc..d247aa0 100644 --- a/client/tomcatconf/commands.properties.in +++ b/client/tomcatconf/commands.properties.in @@ -732,21 +732,6 @@ listLdapUsers=3 ldapCreateAccount=3 importLdapUsers=3 -### IAM commands -createIAMPolicy=1 -deleteIAMPolicy=1 -listIAMPolicies=1 -addIAMPermissionToIAMPolicy=1 -removeIAMPermissionFromIAMPolicy=1 -createIAMGroup=1 -deleteIAMGroup=1 -listIAMGroups=1 -addAccountToIAMGroup=1 -removeAccountFromIAMGroup=1 -attachIAMPolicyToIAMGroup=1 -removeIAMPolicyFromIAMGroup=1 -attachIAMPolicyToAccount=1 -removeIAMPolicyFromAccount=1 #### juniper-contrail commands createServiceInstance=1 http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml ---------------------------------------------------------------------- diff --git a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml index 0f58d7d..d54823a 100644 --- a/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml +++ b/core/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml @@ -46,7 +46,7 @@ + value="AffinityGroupAccessChecker,DomainChecker" /> , T, K> { if (_entity == null || _specifiedAttrs == null || _specifiedAttrs.size() != 1) { throw new RuntimeException("Now now, better specify an attribute or else we can't help you"); } - if (_specifiedAttrs.size() > 0) { - return _specifiedAttrs.get(0); - } - // look for attributes from joins - for (JoinBuilder> join : _joins.values()) { - SearchBase sb = join.getT(); - if (sb.getSpecifiedAttribute() != null) { - return sb.getSpecifiedAttribute(); - } - } - throw new CloudRuntimeException("Unable to find any specified attributes. You sure you know what you're doing?"); + return _specifiedAttrs.get(0); } protected List getSpecifiedAttributes() { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java index 89707c9..aa763d5 100644 --- a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java +++ b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java @@ -27,12 +27,11 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; -import org.apache.log4j.Logger; - import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO; import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao; +import org.apache.log4j.Logger; import com.cloud.agent.AgentManager; import com.cloud.agent.api.Answer; @@ -520,7 +519,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In return true; } - _accountMgr.checkAccess(caller, null, internalLbVm); + _accountMgr.checkAccess(caller, null, true, internalLbVm); _itMgr.expunge(internalLbVm.getUuid()); _internalLbVmDao.remove(internalLbVm.getId()); @@ -535,7 +534,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In } //check permissions - _accountMgr.checkAccess(caller, null, internalLbVm); + _accountMgr.checkAccess(caller, null, true, internalLbVm); return stopInternalLbVm(internalLbVm, forced, caller, callerUserId); } @@ -913,7 +912,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In } //check permissions - _accountMgr.checkAccess(caller, null, internalLbVm); + _accountMgr.checkAccess(caller, null, true, internalLbVm); return startInternalLbVm(internalLbVm, caller, callerUserId, null); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java index acd9b4e..f34eacc 100644 --- a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java +++ b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java @@ -30,7 +30,6 @@ import javax.inject.Inject; import net.juniper.contrail.api.ApiConnector; import net.juniper.contrail.api.types.ServiceInstance; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.network.contrail.api.response.ServiceInstanceResponse; import org.apache.cloudstack.network.contrail.model.ServiceInstanceModel; @@ -137,10 +136,10 @@ public class ServiceManagerImpl implements ServiceManager { // TODO: permission model. // service instances need to be able to access the public network. if (left.getTrafficType() == TrafficType.Guest) { - _networkModel.checkNetworkPermissions(owner, left, AccessType.UseEntry); + _networkModel.checkNetworkPermissions(owner, left); } if (right.getTrafficType() == TrafficType.Guest) { - _networkModel.checkNetworkPermissions(owner, right, AccessType.UseEntry); + _networkModel.checkNetworkPermissions(owner, right); } final ApiConnector api = _manager.getApiConnector(); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java index a39fb43..1a29f9c 100644 --- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java +++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java @@ -34,6 +34,7 @@ import org.apache.cloudstack.api.command.admin.user.RegisterCmd; import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd; import org.apache.cloudstack.context.CallContext; +import com.cloud.api.query.vo.ControlledViewEntity; import com.cloud.configuration.ResourceLimit; import com.cloud.configuration.dao.ResourceCountDao; import com.cloud.domain.Domain; @@ -101,6 +102,11 @@ public class MockAccountManager extends ManagerBase implements AccountManager { } @Override + public void checkAccess(Account arg0, AccessType arg1, boolean arg2, ControlledEntity... arg3) throws PermissionDeniedException { + // TODO Auto-generated method stub + } + + @Override public String[] createApiKeyAndSecretKey(RegisterCmd arg0) { // TODO Auto-generated method stub return null; @@ -202,19 +208,7 @@ public class MockAccountManager extends ManagerBase implements AccountManager { } - @Override - public void buildACLSearchBuilder(SearchBuilder sb, boolean isRecursive, List permittedDomains, List permittedAccounts, - List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) { - // TODO Auto-generated method stub - } - - @Override - public void buildACLSearchCriteria(SearchCriteria sc, boolean isRecursive, List permittedDomains, List permittedAccounts, - List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria) { - // TODO Auto-generated method stub - - } @Override public void buildACLViewSearchCriteria(SearchCriteria sc, SearchCriteria aclSc, boolean isRecursive, @@ -247,6 +241,57 @@ public class MockAccountManager extends ManagerBase implements AccountManager { return null; } + @Override + public void buildACLSearchBuilder( + SearchBuilder arg0, Long arg1, + boolean arg2, List arg3, ListProjectResourcesCriteria arg4) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLSearchCriteria( + SearchCriteria arg0, Long arg1, + boolean arg2, List arg3, ListProjectResourcesCriteria arg4) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLSearchParameters(Account arg0, Long arg1, String arg2, + Long arg3, List arg4, + Ternary arg5, + boolean arg6, boolean arg7) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, List revokedIds) { + // TODO Auto-generated method stub + } + + @Override + public void buildACLViewSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLViewSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, List revokedIds) { + // TODO Auto-generated method stub + + } @Override public Long checkAccessAndSpecifyAuthority(Account arg0, Long arg1) { @@ -362,24 +407,15 @@ public class MockAccountManager extends ManagerBase implements AccountManager { } - - @Override - public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) { - // TODO Auto-generated method stub - return null; - } - @Override - public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException { + public void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName, + ControlledEntity... entities) throws PermissionDeniedException { // TODO Auto-generated method stub - } @Override - public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException { + public Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) { // TODO Auto-generated method stub - + return null; } - - } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml ---------------------------------------------------------------------- diff --git a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml index 09abcb7..fc1c7e2 100644 --- a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml +++ b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml @@ -74,7 +74,6 @@ - http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/acl/DomainChecker.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java index 9ee65db..729a0d1 100755 --- a/server/src/com/cloud/acl/DomainChecker.java +++ b/server/src/com/cloud/acl/DomainChecker.java @@ -19,7 +19,6 @@ package com.cloud.acl; import javax.ejb.Local; import javax.inject.Inject; -import org.apache.log4j.Logger; import org.springframework.stereotype.Component; import org.apache.cloudstack.acl.ControlledEntity; @@ -51,8 +50,6 @@ import com.cloud.utils.component.AdapterBase; @Local(value = SecurityChecker.class) public class DomainChecker extends AdapterBase implements SecurityChecker { - public static final Logger s_logger = Logger.getLogger(DomainChecker.class); - @Inject DomainDao _domainDao; @Inject @@ -104,15 +101,6 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { @Override public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException { - - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountService.isRootAdmin(caller.getId())) { - // no need to make permission checks if the system/root admin makes the call - if (s_logger.isTraceEnabled()) { - s_logger.trace("No need to make permission check for System/RootAdmin account, returning true"); - } - return true; - } - if (entity instanceof VirtualMachineTemplate) { VirtualMachineTemplate template = (VirtualMachineTemplate)entity; @@ -344,15 +332,20 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { if (action != null && ("SystemCapability".equals(action))) { if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) { return true; + } else { + return false; } - } else if (action != null && ("DomainCapability".equals(action))) { if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { return true; + } else { + return false; } } else if (action != null && ("DomainResourceCapability".equals(action))) { if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { return true; + } else { + return false; } } return checkAccess(caller, entity, accessType); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/api/ApiDispatcher.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/ApiDispatcher.java b/server/src/com/cloud/api/ApiDispatcher.java index b6b9b29..3447662 100755 --- a/server/src/com/cloud/api/ApiDispatcher.java +++ b/server/src/com/cloud/api/ApiDispatcher.java @@ -23,6 +23,10 @@ import javax.inject.Inject; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.ControlledEntity; +import org.apache.cloudstack.acl.InfrastructureEntity; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.BaseAsyncCmd; import org.apache.cloudstack.api.BaseAsyncCreateCmd; @@ -36,6 +40,7 @@ import org.apache.cloudstack.framework.jobs.AsyncJobManager; import com.cloud.api.dispatch.DispatchChain; import com.cloud.api.dispatch.DispatchChainFactory; import com.cloud.api.dispatch.DispatchTask; +import com.cloud.user.Account; import com.cloud.user.AccountManager; public class ApiDispatcher { @@ -74,6 +79,23 @@ public class ApiDispatcher { asyncCreationDispatchChain.dispatch(new DispatchTask(cmd, params)); } + private void doAccessChecks(BaseCmd cmd, Map entitiesToAccess) { + Account caller = CallContext.current().getCallingAccount(); + + APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class); + String apiName = commandAnnotation != null ? commandAnnotation.name() : null; + + if (!entitiesToAccess.isEmpty()) { + for (Object entity : entitiesToAccess.keySet()) { + if (entity instanceof ControlledEntity) { + _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), false, apiName, (ControlledEntity) entity); + } else if (entity instanceof InfrastructureEntity) { + //FIXME: Move this code in adapter, remove code from Account manager + } + } + } + } + public void dispatch(final BaseCmd cmd, final Map params, final boolean execute) throws Exception { // Let the chain of responsibility dispatch gradually standardDispatchChain.dispatch(new DispatchTask(cmd, params)); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/api/ApiResponseHelper.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index 6746c13..a4f08fd 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -1855,7 +1855,7 @@ public class ApiResponseHelper implements ResponseGenerator { throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId()); } } else if (_accountMgr.isDomainAdmin(caller.getId())) { - _accountMgr.checkAccess(caller, null, jobOwner); + _accountMgr.checkAccess(caller, null, true, jobOwner); } return createAsyncJobResponse(_jobMgr.queryJob(cmd.getId(), true)); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f748a552/server/src/com/cloud/api/dispatch/ParamProcessWorker.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java index ba5bebf..0bb0220 100644 --- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java +++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java @@ -40,7 +40,6 @@ import org.apache.cloudstack.acl.InfrastructureEntity; import org.apache.cloudstack.acl.SecurityChecker; import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; -import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiErrorCode; import org.apache.cloudstack.api.BaseAsyncCreateCmd; import org.apache.cloudstack.api.BaseCmd; @@ -56,11 +55,7 @@ import org.apache.cloudstack.api.command.user.event.DeleteEventsCmd; import org.apache.cloudstack.api.command.user.event.ListEventsCmd; import org.apache.cloudstack.context.CallContext; -import com.cloud.dc.DataCenter; import com.cloud.exception.InvalidParameterValueException; -import com.cloud.exception.PermissionDeniedException; -import com.cloud.offering.DiskOffering; -import com.cloud.offering.ServiceOffering; import com.cloud.user.Account; import com.cloud.user.AccountManager; import com.cloud.utils.DateUtil; @@ -222,111 +217,27 @@ public class ParamProcessWorker implements DispatchWorker { } - private void doAccessChecks(final BaseCmd cmd, final Map entitiesToAccess) { + private void doAccessChecks(BaseCmd cmd, Map entitiesToAccess) { Account caller = CallContext.current().getCallingAccount(); - Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId()); - if (owner == null) { - owner = caller; - } + Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId()); if (cmd instanceof BaseAsyncCreateCmd) { - if (owner.getId() != caller.getId()) { - // mimic impersonation either by passing (account, domainId) or through derived owner from other api parameters - // in this case, we should check access using the owner - _accountMgr.checkAccess(caller, null, owner); - } - } else { - // check access using the caller for other operational cmds - owner = caller; + // check that caller can access the owner account. + _accountMgr.checkAccess(caller, null, true, owner); } - APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class); - - String apiName = commandAnnotation != null ? commandAnnotation.name() : null; - if (!entitiesToAccess.isEmpty()) { - List entitiesToOperate = new ArrayList(); + // check that caller can access the owner account. + _accountMgr.checkAccess(caller, null, true, owner); for (Object entity : entitiesToAccess.keySet()) { if (entity instanceof ControlledEntity) { - - if (AccessType.OperateEntry == entitiesToAccess.get(entity)) { - entitiesToOperate.add((ControlledEntity) entity); - } else { - _accountMgr.checkAccess(owner, entitiesToAccess.get(entity), apiName, - (ControlledEntity) entity); - } + _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity) entity); } else if (entity instanceof InfrastructureEntity) { - if (entity instanceof DataCenter) { - checkZoneAccess(owner, (DataCenter)entity); - } else if (entity instanceof ServiceOffering) { - checkServiceOfferingAccess(owner, (ServiceOffering)entity); - } else if (entity instanceof DiskOffering) { - checkDiskOfferingAccess(owner, (DiskOffering)entity); - } - } - } - - if (!entitiesToOperate.isEmpty()) { - _accountMgr.checkAccess(owner, AccessType.OperateEntry, apiName, - entitiesToOperate.toArray(new ControlledEntity[entitiesToOperate.size()])); - } - - } - } - - private void checkDiskOfferingAccess(Account caller, DiskOffering dof) { - for (SecurityChecker checker : _secChecker) { - if (checker.checkAccess(caller, dof)) { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Access granted to " + caller + " to disk offering:" + dof.getId() + " by " - + checker.getName()); - } - return; - } else { - throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName()); - } - } - - assert false : "How can all of the security checkers pass on checking this caller?"; - throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to disk offering:" - + dof.getId()); - } - - private void checkServiceOfferingAccess(Account caller, ServiceOffering sof) { - for (SecurityChecker checker : _secChecker) { - if (checker.checkAccess(caller, sof)) { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Access granted to " + caller + " to service offering:" + sof.getId() + " by " - + checker.getName()); + // FIXME: Move this code in adapter, remove code from + // Account manager } - return; - } else { - throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName()); } } - - assert false : "How can all of the security checkers pass on checking this caller?"; - throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to service offering:" - + sof.getId()); - } - - private void checkZoneAccess(Account caller, DataCenter zone) { - for (SecurityChecker checker : _secChecker) { - if (checker.checkAccess(caller, zone)) { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Access granted to " + caller + " to zone:" + zone.getId() + " by " - + checker.getName()); - } - return; - } else { - throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName() - + " for zone " + zone.getId()); - } - } - - assert false : "How can all of the security checkers pass on checking this caller?"; - throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to zone:" - + zone.getId()); } @SuppressWarnings({"unchecked", "rawtypes"})