From: mchen@apache.org To: commits@cloudstack.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: git commit: updated refs/heads/4.4-forward-iam-disabled to 5020f78 Date: Wed, 14 May 2014 23:59:16 +0000 (UTC) Repository: cloudstack Updated Branches: refs/heads/4.4-forward-iam-disabled 5fc743c3f -> 5020f788d Revert listing db-view entities to not use IAM model. Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5020f788 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5020f788 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5020f788 Branch: refs/heads/4.4-forward-iam-disabled Commit: 5020f788d260d65dd78a36c5384ce67bf150cf24 Parents: 5fc743c Author: Min Chen Authored: Wed May 14 16:58:29 2014 -0700 Committer: Min Chen Committed: Wed May 14 16:58:29 2014 -0700 ---------------------------------------------------------------------- .../contrail/management/MockAccountManager.java | 27 + .../com/cloud/api/query/QueryManagerImpl.java | 612 ++----------------- server/src/com/cloud/user/AccountManager.java | 16 +- .../src/com/cloud/user/AccountManagerImpl.java | 124 +++- .../com/cloud/user/MockAccountManagerImpl.java | 27 + 5 files changed, 237 insertions(+), 569 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5020f788/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java index 43dc4f6..1a29f9c 100644 
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java +++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java @@ -34,6 +34,7 @@ import org.apache.cloudstack.api.command.admin.user.RegisterCmd; import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd; import org.apache.cloudstack.context.CallContext; +import com.cloud.api.query.vo.ControlledViewEntity; import com.cloud.configuration.ResourceLimit; import com.cloud.configuration.dao.ResourceCountDao; import com.cloud.domain.Domain; 
@@ -265,6 +266,32 @@ public class MockAccountManager extends ManagerBase implements AccountManager { } + @Override + public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, List revokedIds) { + // TODO Auto-generated method stub + } + + @Override + public void buildACLViewSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLViewSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, List revokedIds) { + // TODO Auto-generated method stub + + } @Override public Long checkAccessAndSpecifyAuthority(Account arg0, Long arg1) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5020f788/server/src/com/cloud/api/query/QueryManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index eaccd9f..4cc1c82 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java 
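Review bot: The four added `buildACLViewSearchBuilder` / `buildACLViewSearchCriteria` overrides in MockAccountManager are empty but still carry `// TODO Auto-generated method stub`, which hides that the no-op is deliberate. Because these stubs add no ACL condition, a test wired to this mock runs list queries without account or domain scoping and cannot catch a missing filter. I would replace the placeholder with `// no-op: this mock adds no ACL conditions, so tests using it do not exercise account/domain scoping`.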
@@ -478,9 +478,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { private Pair, Integer> searchForEventsInternal(ListEventsCmd cmd) { Account caller = CallContext.current().getCallingAccount(); - List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); - List permittedResources = new ArrayList(); Long id = cmd.getId(); String type = cmd.getType(); @@ -493,14 +491,16 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, - domainIdRecursiveListProject, cmd.listAll(), false, "listEvents"); - //Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, + domainIdRecursiveListProject, cmd.listAll(), false); + Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(EventJoinVO.class, "createDate", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _eventJoinDao.createSearchBuilder(); + _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); sb.and("levelL", sb.entity().getLevel(), SearchCriteria.Op.LIKE); 
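Review bot: In searchForEventsInternal the access filter is now assembled in two separate calls, `_accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria)` here and `buildACLViewSearchCriteria(sc, ...)` in the following hunk, and nothing ties them together. Their bodies are not in this part of the diff, but the shape suggests the first declares the conditions and the second binds their values, so dropping one or passing different arguments would presumably leave the listing unscoped or wrongly scoped. The same pair is repeated in the listTagsInternal, instance-group, security-group, router and project-invitation hunks below. I would add a comment above the first call in each method, e.g. `// ACL scoping: must be paired with buildACLViewSearchCriteria(sc, ...) using the same arguments`, or fold the pair into one private helper. The function body continues outside these hunks.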
@@ -516,9 +516,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { sb.and("archived", sb.entity().getArchived(), SearchCriteria.Op.EQ); SearchCriteria sc = sb.create(); - SearchCriteria aclSc = _eventJoinDao.createSearchCriteria(); - // building ACL search criteria - _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); + // building ACL condition + _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); // For end users display only enabled events if (!_accountMgr.isRootAdmin(caller.getId())) { @@ -597,9 +597,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { private Pair, Integer> listTagsInternal(ListTagsCmd cmd) { Account caller = CallContext.current().getCallingAccount(); - List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); - List permittedResources = new ArrayList(); String key = cmd.getKey(); String value = cmd.getValue(); String resourceId = cmd.getResourceId(); 
@@ -610,14 +608,16 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { Ternary domainIdRecursiveListProject = new Ternary(cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, - domainIdRecursiveListProject, listAll, false, "listTags"); + _accountMgr.buildACLSearchParameters(caller, null, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, + domainIdRecursiveListProject, listAll, false); Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(ResourceTagJoinVO.class, "resourceType", false, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _resourceTagJoinDao.createSearchBuilder(); + _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); sb.and("key", sb.entity().getKey(), SearchCriteria.Op.EQ); sb.and("value", sb.entity().getValue(), SearchCriteria.Op.EQ); @@ -633,9 +633,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { // now set the SC criteria... SearchCriteria sc = sb.create(); - SearchCriteria aclSc = _resourceTagJoinDao.createSearchCriteria(); - // building ACL search criteria - _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); + _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); if (key != null) { sc.setParameters("key", key); 
@@ -677,29 +676,28 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { String keyword = cmd.getKeyword(); Account caller = CallContext.current().getCallingAccount(); - List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); - List permittedResources = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, - domainIdRecursiveListProject, cmd.listAll(), false, "listInstanceGroups"); - // Long domainId = domainIdRecursiveListProject.first(); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, + domainIdRecursiveListProject, cmd.listAll(), false); + Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(InstanceGroupJoinVO.class, "id", true, cmd.getStartIndex(), cmd.getPageSizeVal()); SearchBuilder sb = _vmGroupJoinDao.createSearchBuilder(); + _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); sb.and("name", sb.entity().getName(), SearchCriteria.Op.LIKE); SearchCriteria sc = sb.create(); - SearchCriteria aclSc = _vmGroupJoinDao.createSearchCriteria(); - // building ACL search criteria - _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); + _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); if (keyword != null) { 
@@ -996,9 +994,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { String securityGroup = cmd.getSecurityGroupName(); Long id = cmd.getId(); Object keyword = cmd.getKeyword(); - List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); - List permittedResources = new ArrayList(); Map tags = cmd.getTags(); if (instanceId != null) { @@ -1012,8 +1008,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, - domainIdRecursiveListProject, cmd.listAll(), false, "listSecurityGroups"); + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, + domainIdRecursiveListProject, cmd.listAll(), false); Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); 
@@ -1022,13 +1018,15 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { SearchBuilder sb = _securityGroupJoinDao.createSearchBuilder(); sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct // ids + _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); + sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); sb.and("name", sb.entity().getName(), SearchCriteria.Op.EQ); SearchCriteria sc = sb.create(); - SearchCriteria aclSc = _securityGroupJoinDao.createSearchCriteria(); - // building ACL search criteria - _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); + _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); if (id != null) { sc.setParameters("id", id); 
@@ -1120,19 +1118,12 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { Long podId, Long clusterId, Long hostId, String keyword, Long networkId, Long vpcId, Boolean forVpc, String role, String version) { Account caller = CallContext.current().getCallingAccount(); - List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); - List permittedResources = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - String action = "listRouters"; - if (cmd instanceof ListInternalLBVMsCmd) { - action = "listInternalLoadBalancerVMs"; - } - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, - domainIdRecursiveListProject, cmd.listAll(), false, action); - + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, + domainIdRecursiveListProject, cmd.listAll(), false); Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); @@ -1145,6 +1136,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { // number of // records with // pagination + _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); sb.and("name", sb.entity().getInstanceName(), SearchCriteria.Op.LIKE); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); 
@@ -1171,9 +1164,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { } SearchCriteria sc = sb.create(); - SearchCriteria aclSc = _routerJoinDao.createSearchCriteria(); - // building ACL search criteria - _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); + _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); if (keyword != null) { SearchCriteria ssc = _routerJoinDao.createSearchCriteria(); 
@@ -1406,21 +1398,20 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { boolean listAll = cmd.listAll(); Account caller = CallContext.current().getCallingAccount(); - List permittedDomains = new ArrayList(); List permittedAccounts = new ArrayList(); - List permittedResources = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedDomains, permittedAccounts, permittedResources, - domainIdRecursiveListProject, listAll, true, "listProjectInvitations"); - //domainId = domainIdRecursiveListProject.first(); - + _accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, + domainIdRecursiveListProject, listAll, true); + domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); Filter searchFilter = new Filter(ProjectInvitationJoinVO.class, "id", true, startIndex, pageSizeVal); SearchBuilder sb = _projectInvitationJoinDao.createSearchBuilder(); + _accountMgr.buildACLViewSearchBuilder(sb, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); sb.and("projectId", sb.entity().getProjectId(), SearchCriteria.Op.EQ); sb.and("state", sb.entity().getState(), SearchCriteria.Op.EQ); 
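Review bot: The trailing `true` in `_accountMgr.buildACLSearchParameters(caller, id, accountName, projectId, permittedAccounts, domainIdRecursiveListProject, listAll, true)` is the only call in this file's visible hunks that passes `true`, and its meaning is not readable at the call site. The private helper removed later in this diff names the parameter in that position `forProjectInvitation` and skips its project access check when it is set; if the AccountManager method behaves the same way, that is worth stating here. I would add `// forProjectInvitation = true: project access is not checked in buildACLSearchParameters; scoping relies on the ACL view criteria below` after confirming it against AccountManagerImpl. The method starts before this hunk.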
@@ -1428,9 +1419,8 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); SearchCriteria sc = sb.create(); - SearchCriteria aclSc = _projectInvitationJoinDao.createSearchCriteria(); - // building ACL search criteria - _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); + _accountMgr.buildACLViewSearchCriteria(sc, domainId, isRecursive, permittedAccounts, + listProjectResourcesCriteria); if (projectId != null) { sc.setParameters("projectId", projectId); 
@@ -2817,366 +2807,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { return response; } - // Temporarily disable this method which used IAM model to do template list - private Pair, Integer> searchForTemplatesInternalIAM(ListTemplatesCmd cmd) { - TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter()); - Long id = cmd.getId(); - Map tags = cmd.getTags(); - boolean showRemovedTmpl = cmd.getShowRemoved(); - Account caller = CallContext.current().getCallingAccount(); - - // TODO: listAll flag has some conflicts with TemplateFilter parameter - boolean listAll = false; - if (templateFilter != null && templateFilter == TemplateFilter.all) { - if (_accountMgr.isNormalUser(caller.getId())) { - throw new InvalidParameterValueException("Filter " + TemplateFilter.all - + " can be specified by admin only"); - } - listAll = true; - } - - List permittedDomains = new ArrayList(); - List permittedAccounts = new ArrayList(); - List permittedResources = new ArrayList(); - - Ternary domainIdRecursiveListProject = new Ternary( - cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, - domainIdRecursiveListProject, listAll, false, "listTemplates"); - - Boolean isRecursive = domainIdRecursiveListProject.second(); - ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); - - boolean showDomr = ((templateFilter != TemplateFilter.selfexecutable) && (templateFilter != TemplateFilter.featured)); - HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor()); - - return searchForTemplatesInternalIAM(id, cmd.getTemplateName(), cmd.getKeyword(), templateFilter, false, null, - cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType, showDomr, - cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources, 
isRecursive, caller, listProjectResourcesCriteria, tags, showRemovedTmpl); - } - - // Temporarily disable this method which used IAM model to do template list - private Pair, Integer> searchForTemplatesInternalIAM(Long templateId, String name, - String keyword, TemplateFilter templateFilter, boolean isIso, Boolean bootable, Long pageSize, - Long startIndex, Long zoneId, HypervisorType hyperType, boolean showDomr, boolean onlyReady, - List permittedDomains, List permittedAccounts, List permittedResources, boolean isRecursive, Account caller, - ListProjectResourcesCriteria listProjectResourcesCriteria, - Map tags, boolean showRemovedTmpl) { - - // check if zone is configured, if not, just return empty list - List hypers = null; - if (!isIso) { - hypers = _resourceMgr.listAvailHypervisorInZone(null, null); - if (hypers == null || hypers.isEmpty()) { - return new Pair, Integer>(new ArrayList(), 0); - } - } - - VMTemplateVO template = null; - - Boolean isAscending = Boolean.parseBoolean(_configDao.getValue("sortkey.algorithm")); - isAscending = (isAscending == null ? true : isAscending); - Filter searchFilter = new Filter(TemplateJoinVO.class, "sortKey", isAscending, startIndex, pageSize); - - SearchBuilder sb = _templateJoinDao.createSearchBuilder(); - sb.select(null, Func.DISTINCT, sb.entity().getTempZonePair()); // select distinct (templateId, zoneId) pair - SearchCriteria sc = sb.create(); - - // verify templateId parameter and specially handle it - if (templateId != null) { - template = _templateDao.findByIdIncludingRemoved(templateId); // Done for backward compatibility - Bug-5221 - if (template == null) { - throw new InvalidParameterValueException("Please specify a valid template ID."); - }// If ISO requested then it should be ISO. 
- if (isIso && template.getFormat() != ImageFormat.ISO) { - s_logger.error("Template Id " + templateId + " is not an ISO"); - InvalidParameterValueException ex = new InvalidParameterValueException("Specified Template Id is not an ISO"); - ex.addProxyObject(template.getUuid(), "templateId"); - throw ex; - }// If ISO not requested then it shouldn't be an ISO. - if (!isIso && template.getFormat() == ImageFormat.ISO) { - s_logger.error("Incorrect format of the template id " + templateId); - InvalidParameterValueException ex = new InvalidParameterValueException("Incorrect format " + template.getFormat() + " of the specified template id"); - ex.addProxyObject(template.getUuid(), "templateId"); - throw ex; - } - - // if template is not public, perform permission check here - if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) { - Account owner = _accountMgr.getAccount(template.getAccountId()); - _accountMgr.checkAccess(caller, null, true, owner); - } - - // if templateId is specified, then we will just use the id to - // search and ignore other query parameters - sc.addAnd("id", SearchCriteria.Op.EQ, templateId); - } else { - if (!isIso) { - // add hypervisor criteria for template case - if (hypers != null && !hypers.isEmpty()) { - String[] relatedHypers = new String[hypers.size()]; - for (int i = 0; i < hypers.size(); i++) { - relatedHypers[i] = hypers.get(i).toString(); - } - sc.addAnd("hypervisorType", SearchCriteria.Op.IN, relatedHypers); - } - } - - // control different template filters - DomainVO callerDomain = _domainDao.findById(caller.getDomainId()); - if (templateFilter == TemplateFilter.featured || templateFilter == TemplateFilter.community) { - sc.addAnd("publicTemplate", SearchCriteria.Op.EQ, true); - if (templateFilter == TemplateFilter.featured) { - sc.addAnd("featured", SearchCriteria.Op.EQ, true); - } else { - sc.addAnd("featured", SearchCriteria.Op.EQ, false); - } - - /* We don't need this any more to check domain id, based on 
CLOUDSTACK-5987 - // for public templates, we should get all public templates from all domains in the system - // get all parent domain ID's all the way till root domain - List domainTree = new ArrayList(); - DomainVO domainTreeNode = _domainDao.findById(Domain.ROOT_DOMAIN); // fix for CLOUDSTACK-5987 - domainTree.add(domainTreeNode.getId()); - - // get all child domain ID's under root - List allChildDomains = _domainDao.findAllChildren(domainTreeNode.getPath(), domainTreeNode.getId()); - for (DomainVO childDomain : allChildDomains) { - domainTree.add(childDomain.getId()); - } - - SearchCriteria scc = _templateJoinDao.createSearchCriteria(); - scc.addOr("domainId", SearchCriteria.Op.IN, domainTree.toArray()); - scc.addOr("domainId", SearchCriteria.Op.NULL); - sc.addAnd("domainId", SearchCriteria.Op.SC, scc); - */ - } else if (templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable) { - if (permittedDomains.contains(caller.getDomainId())) { - // this caller acts like a domain admin - - sc.addAnd("domainPath", SearchCriteria.Op.LIKE, callerDomain.getPath() + "%"); - } else { - // only display templates owned by caller for resource owner only - sc.addAnd("accountId", SearchCriteria.Op.EQ, caller.getAccountId()); - } - } else if (templateFilter == TemplateFilter.sharedexecutable || templateFilter == TemplateFilter.shared) { - // exclude the caller, only include those granted and not owned by self - permittedDomains.remove(caller.getDomainId()); - permittedAccounts.remove(caller.getAccountId()); - for (Long tid : permittedResources) { - // remove it if it is owned by the caller - VMTemplateVO tmpl = _templateDao.findById(tid); - if (tmpl != null && tmpl.getAccountId() == caller.getAccountId()) { - permittedResources.remove(tid); - } - } - // building ACL search criteria - SearchCriteria aclSc = _templateJoinDao.createSearchCriteria(); - _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, 
permittedResources, listProjectResourcesCriteria); - } else if (templateFilter == TemplateFilter.executable) { - // public template + self template - SearchCriteria scc = _templateJoinDao.createSearchCriteria(); - scc.addOr("publicTemplate", SearchCriteria.Op.EQ, true); - // plus self owned templates or domain tree templates for domain admin - if (permittedDomains.contains(caller.getDomainId())) { - // this caller acts like a domain admin - sc.addOr("domainPath", SearchCriteria.Op.LIKE, callerDomain.getPath() + "%"); - } else { - // only display templates owned by caller for resource owner only - sc.addOr("accountId", SearchCriteria.Op.EQ, caller.getAccountId()); - } - sc.addAnd("publicTemplate", SearchCriteria.Op.SC, scc); - } - - // add tags criteria - if (tags != null && !tags.isEmpty()) { - SearchCriteria scc = _templateJoinDao.createSearchCriteria(); - for (String key : tags.keySet()) { - SearchCriteria scTag = _templateJoinDao.createSearchCriteria(); - scTag.addAnd("tagKey", SearchCriteria.Op.EQ, key); - scTag.addAnd("tagValue", SearchCriteria.Op.EQ, tags.get(key)); - if (isIso) { - scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.ISO); - } else { - scTag.addAnd("tagResourceType", SearchCriteria.Op.EQ, ResourceObjectType.Template); - } - scc.addOr("tagKey", SearchCriteria.Op.SC, scTag); - } - sc.addAnd("tagKey", SearchCriteria.Op.SC, scc); - } - - // other criteria - - if (keyword != null) { - sc.addAnd("name", SearchCriteria.Op.LIKE, "%" + keyword + "%"); - } else if (name != null) { - sc.addAnd("name", SearchCriteria.Op.EQ, name); - } - - if (isIso) { - sc.addAnd("format", SearchCriteria.Op.EQ, "ISO"); - - } else { - sc.addAnd("format", SearchCriteria.Op.NEQ, "ISO"); - } - - if (!hyperType.equals(HypervisorType.None)) { - sc.addAnd("hypervisorType", SearchCriteria.Op.EQ, hyperType); - } - - if (bootable != null) { - sc.addAnd("bootable", SearchCriteria.Op.EQ, bootable); - } - - if (onlyReady) { - SearchCriteria readySc = 
_templateJoinDao.createSearchCriteria(); - readySc.addOr("state", SearchCriteria.Op.EQ, TemplateState.Ready); - readySc.addOr("format", SearchCriteria.Op.EQ, ImageFormat.BAREMETAL); - SearchCriteria isoPerhostSc = _templateJoinDao.createSearchCriteria(); - isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO); - isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST); - readySc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc); - sc.addAnd("state", SearchCriteria.Op.SC, readySc); - } - - if (!showDomr) { - // excluding system template - sc.addAnd("templateType", SearchCriteria.Op.NEQ, Storage.TemplateType.SYSTEM); - } - } - - if (zoneId != null) { - SearchCriteria zoneSc = _templateJoinDao.createSearchCriteria(); - zoneSc.addOr("dataCenterId", SearchCriteria.Op.EQ, zoneId); - zoneSc.addOr("dataStoreScope", SearchCriteria.Op.EQ, ScopeType.REGION); - // handle the case where xs-tools.iso and vmware-tools.iso do not - // have data_center information in template_view - SearchCriteria isoPerhostSc = _templateJoinDao.createSearchCriteria(); - isoPerhostSc.addAnd("format", SearchCriteria.Op.EQ, ImageFormat.ISO); - isoPerhostSc.addAnd("templateType", SearchCriteria.Op.EQ, TemplateType.PERHOST); - zoneSc.addOr("templateType", SearchCriteria.Op.SC, isoPerhostSc); - sc.addAnd("dataCenterId", SearchCriteria.Op.SC, zoneSc); - } - - // don't return removed template, this should not be needed since we - // changed annotation for removed field in TemplateJoinVO. 
- // sc.addAnd("removed", SearchCriteria.Op.NULL); - - // search unique templates and find details by Ids - Pair, Integer> uniqueTmplPair = null; - if(showRemovedTmpl){ - uniqueTmplPair = _templateJoinDao.searchIncludingRemovedAndCount(sc, searchFilter); - } else { - sc.addAnd("templateState", SearchCriteria.Op.EQ, State.Active); - uniqueTmplPair = _templateJoinDao.searchAndCount(sc, searchFilter); - } - - Integer count = uniqueTmplPair.second(); - if (count.intValue() == 0) { - // empty result - return uniqueTmplPair; - } - List uniqueTmpls = uniqueTmplPair.first(); - String[] tzIds = new String[uniqueTmpls.size()]; - int i = 0; - for (TemplateJoinVO v : uniqueTmpls) { - tzIds[i++] = v.getTempZonePair(); - } - List vrs = _templateJoinDao.searchByTemplateZonePair(showRemovedTmpl, tzIds); - return new Pair, Integer>(vrs, count); - - // TODO: revisit the special logic for iso search in - // VMTemplateDaoImpl.searchForTemplates and understand why we need to - // specially handle ISO. The original logic is very twisted and no idea - // about what the code was doing. 
- - } - - // This method should only be used for keeping old listTemplates and listAffinityGroups behavior, PLEASE DON'T USE IT FOR USE LIST APIs - private void buildTemplateAffinityGroupSearchParameters(Account caller, Long id, String accountName, Long projectId, List - permittedAccounts, Ternary domainIdRecursiveListProject, - boolean listAll, boolean forProjectInvitation) { - Long domainId = domainIdRecursiveListProject.first(); - if (domainId != null) { - Domain domain = _domainDao.findById(domainId); - if (domain == null) { - throw new InvalidParameterValueException("Unable to find domain by id " + domainId); - } - // check permissions - _accountMgr.checkAccess(caller, domain); - } - - if (accountName != null) { - if (projectId != null) { - throw new InvalidParameterValueException("Account and projectId can't be specified together"); - } - - Account userAccount = null; - Domain domain = null; - if (domainId != null) { - userAccount = _accountDao.findActiveAccount(accountName, domainId); - domain = _domainDao.findById(domainId); - } else { - userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId()); - domain = _domainDao.findById(caller.getDomainId()); - } - - if (userAccount != null) { - _accountMgr.checkAccess(caller, null, true, userAccount); - // check permissions - permittedAccounts.add(userAccount.getId()); - } else { - throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid()); - } - } - - // set project information - if (projectId != null) { - if (!forProjectInvitation) { - if (projectId.longValue() == -1) { - if (_accountMgr.isNormalUser(caller.getId())) { - permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId())); - } else { - domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly); - } - } else { - Project project = _projectMgr.getProject(projectId); - if (project == null) { - throw new 
InvalidParameterValueException("Unable to find project by id " + projectId); - } - if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) { - throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId); - } - permittedAccounts.add(project.getProjectAccountId()); - } - } - } else { - if (id == null) { - domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources); - } - if (permittedAccounts.isEmpty() && domainId == null) { - if (_accountMgr.isNormalUser(caller.getId())) { - permittedAccounts.add(caller.getId()); - } else if (!listAll) { - if (id == null) { - permittedAccounts.add(caller.getId()); - } else if (!_accountMgr.isRootAdmin(caller.getId())) { - domainIdRecursiveListProject.first(caller.getDomainId()); - domainIdRecursiveListProject.second(true); - } - } else if (domainId == null) { - if (_accountMgr.isDomainAdmin(caller.getId())) { - domainIdRecursiveListProject.first(caller.getDomainId()); - domainIdRecursiveListProject.second(true); - } - } - } else if (domainId != null) { - if (_accountMgr.isNormalUser(caller.getId())) { - permittedAccounts.add(caller.getId()); - } - } - } - } private Pair, Integer> searchForTemplatesInternal(ListTemplatesCmd cmd) { TemplateFilter templateFilter = TemplateFilter.valueOf(cmd.getTemplateFilter()); 
@@ -3197,7 +2827,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { List permittedAccountIds = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds, + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds, domainIdRecursiveListProject, listAll, false); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); List permittedAccounts = new ArrayList(); @@ -3274,7 +2904,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { if (!permittedAccounts.isEmpty()) { domain = _domainDao.findById(permittedAccounts.get(0).getDomainId()); } else { - domain = _domainDao.findById(DomainVO.ROOT_DOMAIN); + domain = _domainDao.findById(Domain.ROOT_DOMAIN); } // List hypers = null; @@ -3507,7 +3137,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { List permittedAccountIds = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( cmd.getDomainId(), cmd.isRecursive(), null); - buildTemplateAffinityGroupSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds, + _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccountIds, domainIdRecursiveListProject, listAll, false); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); List permittedAccounts = new ArrayList(); 
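Review bot: The calls switched to `_accountMgr.buildACLSearchParameters(...)` (the template search at `@@ -3197`, the ISO search at `@@ -3507`, and `listAffinityGroups` at `@@ -3594`) now take all their permission checks from a routine whose body is not part of this diff. The removed private helper ran `_accountMgr.checkAccess(caller, domain)`, `_accountMgr.checkAccess(caller, null, true, userAccount)` and `_projectMgr.canAccessProjectAccount(...)` inline, and its own comment said it existed to keep the old listTemplates and listAffinityGroups behaviour, so the two routines presumably differ somewhere. I would add a regression test for each of the three list paths asserting that a normal-user caller who supplies a foreign `accountName`/`domainId` or `projectId` gets `PermissionDeniedException` or `InvalidParameterValueException`, and that `permittedAccountIds` ends up containing only the caller's id for a normal user with no filters. The enclosing methods start and end outside these hunks.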
@@ -3522,43 +3152,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { cmd.listInReadyState(), permittedAccounts, caller, listProjectResourcesCriteria, tags, showRemovedISO); } - private Pair, Integer> searchForIsosInternalIAM(ListIsosCmd cmd) { - TemplateFilter isoFilter = TemplateFilter.valueOf(cmd.getIsoFilter()); - Long id = cmd.getId(); - Map tags = cmd.getTags(); - boolean showRemovedISO = cmd.getShowRemoved(); - Account caller = CallContext.current().getCallingAccount(); - - boolean listAll = false; - if (isoFilter != null && isoFilter == TemplateFilter.all) { - if (_accountMgr.isNormalUser(caller.getId())) { - throw new InvalidParameterValueException("Filter " + TemplateFilter.all - + " can be specified by admin only"); - } - listAll = true; - } - - List permittedDomains = new ArrayList(); - List permittedAccounts = new ArrayList(); - List permittedResources = new ArrayList(); - - Ternary domainIdRecursiveListProject = new Ternary( - cmd.getDomainId(), cmd.isRecursive(), null); - _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, - domainIdRecursiveListProject, cmd.listAll(), false, "listIsos"); - Boolean isRecursive = domainIdRecursiveListProject.second(); - ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); -// List permittedAccounts = new ArrayList(); -// for (Long accountId : permittedAccountIds) { -// permittedAccounts.add(_accountMgr.getAccount(accountId)); -// } - - HypervisorType hypervisorType = HypervisorType.getType(cmd.getHypervisor()); - - return searchForTemplatesInternalIAM(cmd.getId(), cmd.getIsoName(), cmd.getKeyword(), isoFilter, true, - cmd.isBootable(), cmd.getPageSizeVal(), cmd.getStartIndex(), cmd.getZoneId(), hypervisorType, true, - cmd.listInReadyState(), permittedDomains, permittedAccounts, permittedResources, isRecursive, caller, listProjectResourcesCriteria, 
tags, showRemovedISO); - } @Override public ListResponse listAffinityGroups(Long affinityGroupId, String affinityGroupName, @@ -3594,7 +3187,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { List permittedAccounts = new ArrayList(); Ternary domainIdRecursiveListProject = new Ternary( domainId, isRecursive, null); - buildTemplateAffinityGroupSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts, + _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedAccounts, domainIdRecursiveListProject, listAll, true); domainId = domainIdRecursiveListProject.first(); isRecursive = domainIdRecursiveListProject.second(); 
@@ -3728,121 +3321,6 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { return sc; } - public Pair, Integer> listAffinityGroupsInternalIAM(Long affinityGroupId, - String affinityGroupName, String affinityGroupType, Long vmId, String accountName, Long domainId, - boolean isRecursive, boolean listAll, Long startIndex, Long pageSize, String keyword) { - - Account caller = CallContext.current().getCallingAccount(); - - caller.getAccountId(); - - if (vmId != null) { - UserVmVO userVM = _userVmDao.findById(vmId); - if (userVM == null) { - throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found."); - } - _accountMgr.checkAccess(caller, null, true, userVM); - return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize); - } - - List permittedDomains = new ArrayList(); - List permittedAccounts = new ArrayList(); - List permittedResources = new ArrayList(); - Ternary domainIdRecursiveListProject = new Ternary( - domainId, isRecursive, null); - _accountMgr.buildACLSearchParameters(caller, affinityGroupId, accountName, null, permittedDomains, permittedAccounts, permittedResources, - domainIdRecursiveListProject, listAll, true, "listAffinityGroups"); - //domainId = domainIdRecursiveListProject.first(); - isRecursive = domainIdRecursiveListProject.second(); - ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); - - Filter searchFilter = new Filter(AffinityGroupJoinVO.class, "id", true, startIndex, pageSize); - SearchCriteria sc = buildAffinityGroupSearchCriteriaIAM(isRecursive, - permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword); - - Pair, Integer> uniqueGroupsPair = _affinityGroupJoinDao.searchAndCount(sc, searchFilter); - // search group details by ids - List vrs = new ArrayList(); - Integer count = 
uniqueGroupsPair.second(); - if (count.intValue() != 0) { - List uniqueGroups = uniqueGroupsPair.first(); - Long[] vrIds = new Long[uniqueGroups.size()]; - int i = 0; - for (AffinityGroupJoinVO v : uniqueGroups) { - vrIds[i++] = v.getId(); - } - vrs = _affinityGroupJoinDao.searchByIds(vrIds); - } - - /* TODO: confirm with Prachi if we still need this complicated logic with new ACL model - if (!permittedAccounts.isEmpty()) { - // add domain level affinity groups - if (domainId != null) { - SearchCriteria scDomain = buildAffinityGroupSearchCriteria(null, isRecursive, - new ArrayList(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName, - affinityGroupType, keyword); - vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId)); - } else { - - for (Long permAcctId : permittedAccounts) { - Account permittedAcct = _accountDao.findById(permAcctId); - SearchCriteria scDomain = buildAffinityGroupSearchCriteria( - null, isRecursive, new ArrayList(), - listProjectResourcesCriteria, affinityGroupId, affinityGroupName, affinityGroupType, keyword); - - vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, permittedAcct.getDomainId())); - } - } - } else if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) { - // list all domain level affinity groups for the domain admin case - SearchCriteria scDomain = buildAffinityGroupSearchCriteria(null, isRecursive, - new ArrayList(), listProjectResourcesCriteria, affinityGroupId, affinityGroupName, - affinityGroupType, keyword); - vrs.addAll(listDomainLevelAffinityGroups(scDomain, searchFilter, domainId)); - } - */ - - return new Pair, Integer>(vrs, vrs.size()); - - } - - private SearchCriteria buildAffinityGroupSearchCriteriaIAM(boolean isRecursive, - List permittedDomains, List permittedAccounts, List permittedResources, ListProjectResourcesCriteria listProjectResourcesCriteria, - Long affinityGroupId, String affinityGroupName, String affinityGroupType, String keyword) { - - 
SearchBuilder groupSearch = _affinityGroupJoinDao.createSearchBuilder(); - groupSearch.select(null, Func.DISTINCT, groupSearch.entity().getId()); // select - // distinct - - SearchCriteria sc = groupSearch.create(); - SearchCriteria aclSc = _affinityGroupJoinDao.createSearchCriteria(); - // building ACL search criteria - _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); - - if (affinityGroupId != null) { - sc.addAnd("id", SearchCriteria.Op.EQ, affinityGroupId); - } - - if (affinityGroupName != null) { - sc.addAnd("name", SearchCriteria.Op.EQ, affinityGroupName); - } - - if (affinityGroupType != null) { - sc.addAnd("type", SearchCriteria.Op.EQ, affinityGroupType); - } - - if (keyword != null) { - SearchCriteria ssc = _affinityGroupJoinDao.createSearchCriteria(); - ssc.addOr("name", SearchCriteria.Op.LIKE, "%" + keyword + "%"); - ssc.addOr("type", SearchCriteria.Op.LIKE, "%" + keyword + "%"); - - sc.addAnd("name", SearchCriteria.Op.SC, ssc); - } - - return sc; - - } - private Pair, Integer> listAffinityGroupsByVM(long vmId, long pageInd, long pageSize) { Filter sf = new Filter(SecurityGroupVMMapVO.class, null, true, pageInd, pageSize); Pair, Integer> agVmMappingPair = _affinityGroupVMMapDao.listByInstanceId(vmId, sf); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5020f788/server/src/com/cloud/user/AccountManager.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java index 7fce2c3..bee7029 100755 --- a/server/src/com/cloud/user/AccountManager.java +++ b/server/src/com/cloud/user/AccountManager.java 
@@ -24,6 +24,7 @@ import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd; import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd; import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd; +import com.cloud.api.query.vo.ControlledViewEntity; import com.cloud.exception.ConcurrentOperationException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.projects.Project.ListProjectResourcesCriteria; 
@@ -87,14 +88,27 @@ public interface AccountManager extends AccountService { void buildACLSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria); + void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, + boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria); + + void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, + boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, List revokedIds); + void buildACLSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria); - void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List permittedAccounts, Ternary domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation); + void buildACLViewSearchCriteria(SearchCriteria sc, + Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria); + + void buildACLViewSearchCriteria(SearchCriteria sc, + Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, + List revokedIds); + + // new ACL model routine for query api based on db views void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List permittedDomains, List permittedAccounts, List permittedResources, http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5020f788/server/src/com/cloud/user/AccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index b16b0de..b85394f 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java 
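Review bot: The four `buildACLViewSearch*` declarations added to AccountManager have no Javadoc, and their contract is what callers most need to get right. In the implementation added by this commit, the seven-argument builder returns without adding any account or domain condition when `permittedAccounts` is empty and both `domainId` and `listProjectResourcesCriteria` are null; it also applies `revokedIds` as an exclusion outside the scoped group and ORs `grantedIds` inside it. I would document on the interface that an empty `permittedAccounts` means "not restricted by account" rather than "no access", and that each builder must be paired with the criteria overload of the same arity, for example `/** An empty permittedAccounts list does not deny access; with a null domainId and null criteria the query is left unscoped. */`. The interface body continues outside the hunk.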
+++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -61,6 +61,7 @@ import org.apache.cloudstack.managed.context.ManagedContextRunnable; import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao; import com.cloud.api.ApiDBUtils; +import com.cloud.api.query.vo.ControlledViewEntity; import com.cloud.configuration.Config; import com.cloud.configuration.ConfigurationManager; import com.cloud.configuration.Resource.ResourceOwnerType; 
@@ -2523,6 +2524,128 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M @Override + public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, + boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + + sb.and("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN); + sb.and("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ); + + if (((permittedAccounts.isEmpty()) && (domainId != null) && isRecursive)) { + // if accountId isn't specified, we can do a domain match for the + // admin case if isRecursive is true + sb.and("domainPath", sb.entity().getDomainPath(), SearchCriteria.Op.LIKE); + } + + if (listProjectResourcesCriteria != null) { + if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) { + sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ); + } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) { + sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ); + } + } + + } + + @Override + public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, List revokedIds) { + + if (!revokedIds.isEmpty()) { + sb.and("idNIN", sb.entity().getId(), SearchCriteria.Op.NIN); + } + if (permittedAccounts.isEmpty() && domainId == null && listProjectResourcesCriteria == null) { + // caller role authorize him to access everything matching query criteria + return; + + } + boolean hasOp = true; + if (!permittedAccounts.isEmpty()) { + sb.and().op("accountIdIN", sb.entity().getAccountId(), SearchCriteria.Op.IN); + } else if (domainId != null) { + if (isRecursive) { + // if accountId isn't specified, we can do a domain match for the + // admin case if isRecursive is true + sb.and().op("domainPath", 
sb.entity().getDomainPath(), SearchCriteria.Op.LIKE); + } else { + sb.and().op("domainId", sb.entity().getDomainId(), SearchCriteria.Op.EQ); + } + } else { + hasOp = false; + } + + + if (listProjectResourcesCriteria != null) { + if (hasOp) { + if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) { + sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ); + } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) { + sb.and("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ); + } + } else { + if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.ListProjectResourcesOnly) { + sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.EQ); + } else if (listProjectResourcesCriteria == Project.ListProjectResourcesCriteria.SkipProjectResources) { + sb.and().op("accountType", sb.entity().getAccountType(), SearchCriteria.Op.NEQ); + } + } + } + + if (!grantedIds.isEmpty()) { + sb.or("idIN", sb.entity().getId(), SearchCriteria.Op.IN); + } + sb.cp(); + + + } + + @Override + public void buildACLViewSearchCriteria(SearchCriteria sc, + Long domainId, boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + if (listProjectResourcesCriteria != null) { + sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT); + } + + if (!permittedAccounts.isEmpty()) { + sc.setParameters("accountIdIN", permittedAccounts.toArray()); + } else if (domainId != null) { + DomainVO domain = _domainDao.findById(domainId); + if (isRecursive) { + sc.setParameters("domainPath", domain.getPath() + "%"); + } else { + sc.setParameters("domainId", domainId); + } + } + + } + + @Override + public void buildACLViewSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, List revokedIds) { 
+ if (!revokedIds.isEmpty()) { + sc.setParameters("idNIN", revokedIds.toArray()); + } + + if (listProjectResourcesCriteria != null) { + sc.setParameters("accountType", Account.ACCOUNT_TYPE_PROJECT); + } + + if (!permittedAccounts.isEmpty()) { + sc.setParameters("accountIdIN", permittedAccounts.toArray()); + } else if (domainId != null) { + DomainVO domain = _domainDao.findById(domainId); + if (isRecursive) { + sc.setParameters("domainPath", domain.getPath() + "%"); + } else { + sc.setParameters("domainId", domainId); + } + } + + if (!grantedIds.isEmpty()) { + sc.setParameters("idIN", grantedIds.toArray()); + } + } + + @Override public UserAccount getUserByApiKey(String apiKey) { return _userAccountDao.getUserByApiKey(apiKey); } @@ -2679,7 +2802,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } } - @Override public void buildACLViewSearchCriteria(SearchCriteria sc, SearchCriteria aclSc, boolean isRecursive, List permittedDomains, http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5020f788/server/test/com/cloud/user/MockAccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java index f017c84..cc8fbac 100644 --- a/server/test/com/cloud/user/MockAccountManagerImpl.java +++ b/server/test/com/cloud/user/MockAccountManagerImpl.java @@ -32,6 +32,7 @@ import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd; import org.apache.cloudstack.api.command.admin.user.RegisterCmd; import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd; +import com.cloud.api.query.vo.ControlledViewEntity; import com.cloud.domain.Domain; import com.cloud.exception.ConcurrentOperationException; import com.cloud.exception.PermissionDeniedException; 
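Review bot: Both added `buildACLViewSearchCriteria` overloads in AccountManagerImpl use the result of `_domainDao.findById(domainId)` without a null check, so on the recursive path a `domainId` that does not resolve fails with a NullPointerException at `domain.getPath()` while the ACL filter is being built. The helper this commit removes from QueryManagerImpl guarded the same lookup; the equivalent here is `if (domain == null) { throw new InvalidParameterValueException("Unable to find domain by id " + domainId); }` before the `isRecursive` branch, assuming that exception type is already imported in this file. Separately, the seven-argument `buildACLViewSearchBuilder` returns early without declaring `idIN`, yet the matching criteria method still calls `sc.setParameters("idIN", ...)` whenever `grantedIds` is non-empty. Whether SearchCriteria accepts a parameter for a condition the builder never declared is not visible here and should be confirmed.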
@@ -275,6 +276,32 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco // TODO Auto-generated method stub } + @Override + public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, + boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + } + + @Override + public void buildACLViewSearchBuilder(SearchBuilder sb, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, List revokedIds) { + // TODO Auto-generated method stub + + } + + @Override + public void buildACLViewSearchCriteria(SearchCriteria sc, Long domainId, + boolean isRecursive, List permittedAccounts, ListProjectResourcesCriteria listProjectResourcesCriteria) { + // TODO Auto-generated method stub + } + + @Override + public void buildACLViewSearchCriteria(SearchCriteria sc, Long domainId, boolean isRecursive, List permittedAccounts, + ListProjectResourcesCriteria listProjectResourcesCriteria, List grantedIds, List revokedIds) { + // TODO Auto-generated method stub + + } + /* (non-Javadoc) * @see com.cloud.user.AccountService#getUserByApiKey(java.lang.String) */