CLOUDSTACK-4337 Dedicated Resources: Zone dedicated to an account should only be visible and accessible to that account

Changes: - When listing a zone, add clause in the search to check the account_id for a dedicated zone - When listsing a zone with a domainid, add a similar clause. - DomainCheck:: checkAccess() for a zone should consider that zone can now be dediacted to a specific account and check access accordingly.
2013-08-14 16:11:24 -07:00 · 2013-08-14 16:11:24 -07:00 · 1260b97373
parent f71da1c4f5
commit 1260b97373
4 changed files with 49 additions and 3 deletions
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@ -26,6 +26,8 @@ import org.apache.cloudstack.api.BaseCmd;
 import org.springframework.stereotype.Component;

 import com.cloud.dc.DataCenter;
+import com.cloud.dc.DedicatedResourceVO;
+import com.cloud.dc.dao.DedicatedResourceDao;
 import com.cloud.domain.Domain;
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.exception.PermissionDeniedException;
@ -53,6 +55,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
    @Inject ProjectManager _projectMgr;
    @Inject ProjectAccountDao _projecAccountDao;
    @Inject NetworkModel _networkMgr;
+    @Inject
+    private DedicatedResourceDao _dedicatedDao;
    
    protected DomainChecker() {
        super();
@ -238,6 +242,18 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 			//if account is normal user
 			//check if account's domain is a child of zone's domain
            else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+                // if zone is dedicated to an account check that the accountId
+                // matches.
+                DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(zone.getId());
+                if (dedicatedZone != null) {
+                    if (dedicatedZone.getAccountId() != null) {
+                        if (dedicatedZone.getAccountId() == account.getId()) {
+                            return true;
+                        } else {
+                            return false;
+                        }
+                    }
+                }
                if (account.getDomainId() == zone.getDomainId()) {
 					return true; //zone and account at exact node
                } else {
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@ -2498,11 +2498,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             * List all resources due to Explicit Dedication except the
             * dedicated resources of other account
             */
-            if (domainId != null && account.getType() == Account.ACCOUNT_TYPE_ADMIN) { //
+            if (domainId != null) { //
                // for domainId != null // right now, we made the decision to
-                // only
-                // / list zones associated // with this domain, private zone
+                // only list zones associated // with this domain, private zone
                sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
+
+                if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+                    // accountId == null (zones dedicated to a domain) or
+                    // accountId = caller
+                    SearchCriteria<DataCenterJoinVO> sdc = _dcJoinDao.createSearchCriteria();
+                    sdc.addOr("accountId", SearchCriteria.Op.EQ, account.getId());
+                    sdc.addOr("accountId", SearchCriteria.Op.NULL);
+
+                    sc.addAnd("account", SearchCriteria.Op.SC, sdc);
+                }
+
            } else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                // it was decided to return all zones for the user's domain, and
                // everything above till root
@ -2534,6 +2544,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                // remove disabled zones
                sc.addAnd("allocationState", SearchCriteria.Op.NEQ, Grouping.AllocationState.Disabled);

+                // accountId == null (zones dedicated to a domain) or
+                // accountId = caller
+                SearchCriteria<DataCenterJoinVO> sdc2 = _dcJoinDao.createSearchCriteria();
+                sdc2.addOr("accountId", SearchCriteria.Op.EQ, account.getId());
+                sdc2.addOr("accountId", SearchCriteria.Op.NULL);
+
+                sc.addAnd("account", SearchCriteria.Op.SC, sdc2);
+
                // remove Dedicated zones not dedicated to this domainId or
                // subdomainId
                List<Long> dedicatedZoneIds = removeDedicatedZoneNotSuitabe(domainIds);
--- a/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
+++ b/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
@ -114,6 +114,9 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id
    @Column(name = "affinity_group_uuid")
    private String affinityGroupUuid;

+    @Column(name = "account_id")
+    private long accountId;
+

    public DataCenterJoinVO() {
    }
@ -315,4 +318,12 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id
    public String getAffinityGroupUuid() {
        return affinityGroupUuid;
    }
+
+    public long getAccountId() {
+        return accountId;
+    }
+
+    public void setAccountId(long accountId) {
+        this.accountId = accountId;
+    }
 }
--- a/setup/db/db/schema-412to420.sql
+++ b/setup/db/db/schema-412to420.sql
@ -2348,6 +2348,7 @@ CREATE VIEW `cloud`.`data_center_view` AS
        domain.name domain_name,
        domain.path domain_path,
 		dedicated_resources.affinity_group_id,
+		dedicated_resources.account_id,
 		affinity_group.uuid affinity_group_uuid
    from
        `cloud`.`data_center`